The packet-filtering process

Sequential comparison and action: When an ACL filters a packet, it sequentially compares each ACE’s filtering criteria to the corresponding data in the packet until it finds a match. The action indicated by the matching ACE (deny or permit) is then performed on the packet.

Figure 8: Example of sequential comparison

As shown above, the ACL tries to apply the first ACE in the list. If there is not a match, it tries the second ACE, and so on. When a match is found, the ACL invokes the configured action for that entry (permit or drop the packet) and no further comparisons of the packet are made with the remaining ACEs in the list. This means that when an ACE whose criteria matches a packet is found, the action configured for that ACE is invoked, and any remaining ACEs in the ACL are ignored. Because of this sequential processing, successfully implementing an ACL depends in part on configuring ACEs in the correct order for the overall policy you want the ACL to enforce.

Implicit Deny: If a packet does not have a match with the criteria in any of the ACEs in the ACL, the ACL denies (drops) the packet. If you need to override the implicit deny so that a packet that does not have a match will be permitted, then configure permit ipv6 any any as the last ACE in the ACL. This directs the ACL to permit (forward) packets that do not have a match with any earlier ACE listed in the ACL, and prevents these packets from being filtered by the implicit deny ipv6 any any.

Figure 9: Packet-filtering process in an ACL with N entries (ACEs)
NOTE:

The order in which an ACE occurs in an ACL is significant. For example, if an ACL contains six ACEs, but the first ACE allows “Permit Any” forwarding, then the ACL permits all IPv6 traffic, and the remaining ACEs in the list do not apply, even if they have a match with any traffic permitted by the first ACE.

For example, suppose you want to configure an ACL (with an ID of “Test-02”) to invoke these policies for IPv6 traffic entering the switch on VLAN 100:

  1. Permit inbound IPv6 traffic from 2001:db8:0:fb::11:42.

  2. Deny only the inbound Telnet traffic from 2001:db8:0:fb::11:101.

  3. Permit inbound IPv6 traffic from 2001:db8:0:fb::11:101.

  4. Permit only inbound Telnet traffic from 2001:db8:0:fb::11:33.

  5. Deny any other inbound IPv6 traffic.

The following ACL, when assigned to filter inbound traffic on VLAN 100, supports the above case:

Figure 10: Example of how an ACL filters packets

To assign the above ACL, you would use this command:

Switch(config)# vlan 100 ipv6 access–group Test–02 <vlan-in|vlan-out>

For example, suppose you want to configure an ACL on the switch (with an ID of “Test-02”) to invoke these policies for IPv6 traffic entering the switch on VLAN 12:

The following ACL model, when assigned to inbound filtering on an interface, supports the above case:

It is important to remember that ACLs configurable on the switch include an implicit deny ipv6 any any. That is, IPv6 packets that the ACL does not explicitly permit or deny will be implicitly denied, and therefore dropped instead of forwarded on the interface. If you want to preempt the implicit deny so that packets not explicitly denied by other ACEs in the ACL will be permitted, insert an explicit permit ipv6 any any as the last ACE in the ACL. Doing so permits any packet not explicitly denied by earlier entries. (Note that this solution would not apply in the preceding example, where the intention is for the switch to forward only the explicitly permitted packets entering the switch on VLAN 100.) (Note that this solution does not apply in the preceding example, where the intention is for the switch to forward only explicitly permitted packets routed on VLAN 12.)