RACL applications

RACLs filter routed IPv6 traffic entering or leaving the switch on VLANs configured with the "in" and/or "out" ACL option:


vlan vid ipv6 access-group identifier [in|out|vlan-in|vlan-out]

interface tunnel tunnel-id ipv6 access-group identifier [in|out]

RACL filter applications on routed IPv6 traffic

In the following figure:
  • You would assign either an inbound ACL on VLAN 1 or an outbound ACL on VLAN 2 to filter a packet routed between subnets on different VLANs, that is, a packet sent from the workstation 2001:db8:0:111::2 on VLAN 1 to the server at 2001:db8:0:222::25 on VLAN 2. (An outbound ACL on VLAN 1 or an inbound ACL on VLAN 2 would not filter the packet.)

  • Where multiple subnets are configured on the same VLAN and the traffic source and destination IP addresses are on devices external to the switch, you can use either inbound or outbound ACLs to filter routed IPv6 traffic between the subnets on that VLAN.

Figure 4: RACL filter applications on routed IPv6 traffic

More information

The switch allows one inbound and one outbound IPv6 RACL assignment per IP routing interface. This is in addition to any other IPv6 ACL assigned to the IP routing interface or to any ports on the VLAN. You can use the same RACL or different RACLs to filter inbound and outbound routed IPv6 traffic on an IP routing interface.

IPv6 RACLs do not filter traffic that remains in the same subnet from source to destination (switched traffic) unless the destination address (DA) or source address (SA) is on the switch itself.
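
The placement rules above can be checked against a planned ACL assignment before it is deployed. The following Python model is an added example, not code from the switch documentation; the /64 prefix lengths, the switch's own `::1` addresses, VLAN 3 and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed topology. VLAN 1 and 2 use the addresses from the text; the /64
# prefix lengths, the switch's own ::1 addresses and VLAN 3 are assumptions.
VLAN_SUBNETS = {
    1: ["2001:db8:0:111::/64"],
    2: ["2001:db8:0:222::/64"],
    3: ["2001:db8:0:333::/64", "2001:db8:0:334::/64"],  # two subnets, one VLAN
}
SWITCH_ADDRS = {ipaddress.ip_address(a) for a in
                ("2001:db8:0:111::1", "2001:db8:0:222::1")}

def locate(addr):
    """Return (vlan, subnet) containing addr, or (None, None) if unknown."""
    for vlan, nets in VLAN_SUBNETS.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net:
                return vlan, net
    return None, None

def racl_placements(src, dst):
    """Set of (vlan, direction) RACL assignments that filter a src -> dst packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    (s_vlan, s_net), (d_vlan, d_net) = locate(s), locate(d)
    switched = s_net is not None and s_net == d_net
    # Same-subnet (switched) traffic is not filtered by an RACL unless the
    # switch itself is the SA or DA.
    if switched and not ({s, d} & SWITCH_ADDRS):
        return set()
    # Routed traffic: inbound on the VLAN it enters, outbound on the VLAN it
    # leaves. Assumption (direction is not stated in the text): a packet whose
    # SA or DA is the switch itself is matched only on the host-facing side.
    hits = set()
    if s_vlan is not None and s not in SWITCH_ADDRS:
        hits.add((s_vlan, "in"))
    if d_vlan is not None and d not in SWITCH_ADDRS:
        hits.add((d_vlan, "out"))
    return hits

def is_filtered(src, dst, vlan, direction):
    """True if an RACL assigned to vlan in this direction filters src -> dst."""
    return (vlan, direction) in racl_placements(src, dst)
```

Running `is_filtered` over the flows a policy is meant to block shows whether the chosen VLAN and direction will see them at all, which catches an ACL that is syntactically valid but assigned where it never matches.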