IPv6 ACL operation

An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of matching criteria and an action (permit or deny). An ACL applies only to the switch in which it is configured. ACLs operate on assigned ports and static trunks, and filter these traffic types:
  • Traffic entering the switch. (Note that ACLs do not screen traffic at any internal point where traffic moves between VLANs or subnets within the switch; only on inbound ports and static trunks.)

  • Switched or routed traffic entering the switch that is destined to an IP address on the switch itself

You can apply one inbound ACL to each port and static trunk configured on the switch. The complete range of options includes:
  • No ACL assigned. (In this case, all traffic entering the switch on the interface does so without any ACL filtering, which is the default.)

  • One ACL assigned to filter the inbound traffic entering the switch on the interface.

  • Multiple assignments of the same ACL. (The switch allows only one ACL assignment per interface, but you can assign the same ACL to multiple interfaces.)

NOTE:

On a given port or trunk, after you assign an ACL, the default action is to deny any traffic that is not specifically permitted by the ACL. (This applies only to the inbound traffic flow filtered by the ACL.)

An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of matching criteria and an action (permit or deny). An ACL applies only to the switch in which it is configured. ACLs operate on assigned interfaces, and offer these traffic filtering options:
  • IPv6 traffic inbound/outbound on a port.

  • IPv6 traffic inbound/outbound on a VLAN.

  • Routed IPv6 traffic entering or leaving the switch on a VLAN. (Note that ACLs do not screen traffic at the internal point where traffic moves between VLANs or subnets within the switch).

The following table lists the range of interface options:

Interface | ACL Application                     | Application Point                                                | Filter Action
----------|-------------------------------------|------------------------------------------------------------------|------------------------------------------------------------
Port      | Static Port ACL (switch configured) | inbound/outbound on the switch port                              | inbound/outbound IPv6 traffic
Port      | RADIUS-assigned ACL¹                | inbound/outbound on the switch port used by authenticated client | inbound/outbound IPv6 traffic from the authenticated client
VLAN      | VACL                                | entering or leaving the switch on the VLAN                       | inbound or outbound IPv6 traffic

NOTE:

After you assign an ACL to an interface, the default action on the interface is to implicitly deny any IPv6 traffic that is not specifically permitted by the ACL. (This applies only in the direction of traffic flow filtered by the ACL.)
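The following is an added example, not part of this manual and not the switch's own implementation: a small Python model of the evaluation rules described above (ACEs checked in order with first match winning, one ACL per interface and direction, the same ACL assignable to several interfaces, and an implicit deny for anything the assigned ACL does not explicitly permit, applied only in the filtered direction). Interface names, ACL names and the 2001:db8::/32 addresses are constructed for illustration; real switch CLI syntax is not shown.

```python
"""Model of ACL/ACE evaluation semantics (added example, not vendor code).

Assumptions (constructed for this example): interfaces are identified by
plain strings such as "1/1" or "vlan10"; ACEs match on IPv6 source and
destination prefixes only; directions are "in" and "out".
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPv6Addr = ipaddress.IPv6Address
IPv6Net = ipaddress.IPv6Network


@dataclass
class ACE:
    """One Access Control Entry: matching criteria plus a permit/deny action."""
    action: str          # "permit" or "deny"
    src: IPv6Net         # source prefix to match
    dst: IPv6Net         # destination prefix to match

    def __post_init__(self):
        if self.action not in ("permit", "deny"):
            raise ValueError("ACE action must be 'permit' or 'deny'")
        self.src = ipaddress.IPv6Network(self.src)
        self.dst = ipaddress.IPv6Network(self.dst)

    def matches(self, src_ip: IPv6Addr, dst_ip: IPv6Addr) -> bool:
        return src_ip in self.src and dst_ip in self.dst


@dataclass
class ACL:
    """An ordered list of ACEs evaluated first-match."""
    name: str
    entries: List[ACE] = field(default_factory=list)

    def evaluate(self, src_ip: IPv6Addr, dst_ip: IPv6Addr) -> Tuple[str, Optional[int]]:
        """Return (action, index of the matching ACE).

        When no ACE matches, the implicit deny applies and the index is None,
        so callers can tell an explicit deny from the implicit one.
        """
        for index, ace in enumerate(self.entries):
            if ace.matches(src_ip, dst_ip):
                return ace.action, index
        return "deny", None


class Switch:
    """Holds at most one ACL per (interface, direction) assignment point."""

    def __init__(self) -> None:
        self.assignments: Dict[Tuple[str, str], ACL] = {}

    def assign(self, interface: str, direction: str, acl: ACL) -> None:
        if direction not in ("in", "out"):
            raise ValueError("direction must be 'in' or 'out'")
        key = (interface, direction)
        if key in self.assignments:
            # The page allows one ACL per interface; a second assignment is an error here.
            raise ValueError(f"{interface} already has an ACL assigned {direction}bound")
        self.assignments[key] = acl   # the same ACL object may be assigned elsewhere too

    def filter(self, interface: str, direction: str, src: str, dst: str) -> str:
        """Decide the fate of one packet at a given interface and direction."""
        acl = self.assignments.get((interface, direction))
        if acl is None:
            return "permit"   # no ACL assigned: traffic passes unfiltered (the default)
        action, _ = acl.evaluate(ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst))
        return action


def build_demo_switch() -> Switch:
    """Constructed sample: deny one prefix, permit management hosts, implicit deny the rest."""
    mgmt_in = ACL("mgmt-in", [
        ACE("deny", "2001:db8:bad::/48", "::/0"),                      # explicit deny
        ACE("permit", "2001:db8:1::/64", "2001:db8:ffff::1/128"),     # management hosts
    ])
    sw = Switch()
    sw.assign("1/1", "in", mgmt_in)
    sw.assign("vlan10", "in", mgmt_in)   # same ACL on a second interface is allowed
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    for iface, direction, src, dst in [
        ("1/1", "in", "2001:db8:1::10", "2001:db8:ffff::1"),    # permit (ACE 1)
        ("1/1", "in", "2001:db8:bad::5", "2001:db8:ffff::1"),   # deny (ACE 0)
        ("1/1", "in", "2001:db8:2::10", "2001:db8:ffff::1"),    # deny (implicit)
        ("1/1", "out", "2001:db8:2::10", "2001:db8:ffff::1"),   # permit (no outbound ACL)
        ("1/2", "in", "2001:db8:2::10", "2001:db8:ffff::1"),    # permit (no ACL on port)
    ]:
        print(iface, direction, src, "->", dst, ":", sw.filter(iface, direction, src, dst))
```

The `evaluate` method returns the matching ACE index alongside the action so that an explicit deny and the implicit deny can be distinguished when troubleshooting why a flow is dropped; the unfiltered result for "1/1" outbound and for port "1/2" mirrors the note that the implicit deny applies only to the direction and interface where an ACL is actually assigned.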