ACL configuration considerations

RACLs and routed IPv6 traffic

Except for IPv6 traffic with a DA on the switch itself, RACLs filter only routed IPv6 traffic that is entering or leaving the switch on a given VLAN. Thus, if routing is not enabled on the switch, there is no routed IPv6 traffic for RACLs to filter.

RACLs screen routed IPv6 traffic entering or leaving the switch on a given VLAN interface. This means that the following traffic is subject to RACL filtering:
  • IPv6 traffic arriving on the switch through one VLAN and leaving the switch through another VLAN.

  • IPv6 traffic arriving on the switch through one subnet and leaving the switch through another subnet within the same, multinetted VLAN.

Filtering the desired, routed IPv6 traffic requires assigning an RACL to screen IPv6 traffic inbound or outbound on the appropriate VLANs. On a multinetted VLAN, this means that IPv6 traffic inbound from different subnets in the same VLAN is screened by the same inbound RACL, and IPv6 traffic outbound to different subnets is screened by the same outbound RACL. See Figure 4: RACL filter applications on routed IPv6 traffic.

RACLs do not filter switched IPv6 traffic unless the switch itself is the SA or DA

RACLs do not filter IPv6 traffic moving between ports belonging to the same VLAN, or to the same subnet of a multinetted VLAN. (IPv6 traffic moving between ports in different subnets of the same VLAN can be filtered by an RACL.)

NOTE:

RACLs do filter routed or switched IPv6 traffic having an SA or DA on the switch itself.

VACLs and switched or routed IPv6 traffic

A VACL filters IPv6 traffic entering or leaving the switch on the VLANs to which it is assigned. These filter IPv6 traffic entering or leaving the switch through any port belonging to the designated VLAN. You can assign an ACL to any VLAN that is statically configured on the switch. ACLs do not operate with dynamic VLANs. A VACL assigned to a VLAN applies to all physical ports on the switch belonging to that VLAN, including ports that have dynamically joined the VLAN.

Per switch ACL limits for all ACL types

At a minimum, an ACL must have one explicit "permit" or "deny" ACE. You can configure up to 2048 ACLs (IPv4 and IPv6 combined). The total number of ACEs across all ACLs depends on the combined resource usage by ACLs and other features.

Implicit deny

In any static ACL, the switch automatically applies an implicit deny ipv6 any any that does not appear in show listings. This means that the ACL denies any packet it encounters that does not match an entry in the ACL. Thus, if you want an ACL to permit any IPv6 packets that you have not expressly denied, you must enter a permit ipv6 any any as the last ACE in the ACL. For a given packet, the switch applies the ACEs in an ACL sequentially until it finds a match, so any packet that reaches a permit ipv6 any any entry is permitted and never encounters the implicit "deny" ACE the switch automatically includes at the end of the ACL.

Explicitly permitting IPv6 traffic

Entering a permit ipv6 any any ACE in an ACL permits the IPv6 traffic not previously permitted or denied by that ACL. Any ACEs listed after that point are redundant.

Explicitly denying IPv6 traffic

Entering a deny ipv6 any any ACE in an ACL denies IPv6 traffic not previously permitted or denied by that ACL. Any ACEs listed after that point have no effect.
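As an added illustration of the three preceding sections (implicit deny, explicit permit, explicit deny), and not the switch's own code or CLI output, the following Python model applies a simplified ACL sequentially and reports which ACEs can never match. The ACEs and addresses are constructed for this example; a real ACE carries more fields than the source and destination prefixes modelled here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str     # IPv6 prefix, or "any" (matches ::/0)
    dst: str     # IPv6 prefix, or "any"


def _net(prefix):
    """Translate the keyword 'any' into the all-addresses prefix."""
    return ipaddress.ip_network("::/0" if prefix == "any" else prefix, strict=False)


def evaluate(acl, src_addr, dst_addr):
    """Return (action, index) of the first ACE matching the packet.

    index None means no ACE matched and the implicit 'deny ipv6 any any'
    at the end of every static ACL took effect.
    """
    src, dst = ipaddress.ip_address(src_addr), ipaddress.ip_address(dst_addr)
    for index, ace in enumerate(acl):
        if src in _net(ace.src) and dst in _net(ace.dst):
            return ace.action, index
    return "deny", None  # implicit deny: not shown in 'show' listings


def unreachable_aces(acl):
    """Indices of ACEs listed after the first 'permit/deny ipv6 any any'.

    Such ACEs are redundant: every packet is already permitted or denied
    before the switch reaches them.
    """
    for index, ace in enumerate(acl):
        if ace.src == "any" and ace.dst == "any":
            return list(range(index + 1, len(acl)))
    return []


# Constructed sample ACL (documentation prefix 2001:db8::/32).
SAMPLE_ACL = [
    Ace("deny", "2001:db8:10::/64", "any"),
    Ace("permit", "2001:db8::/32", "2001:db8:50::/64"),
    Ace("permit", "any", "any"),            # explicit permit of everything else
    Ace("deny", "2001:db8:20::/64", "any"),  # never reached
]
# Same ACL without the explicit permit: unmatched traffic hits the implicit deny.
ACL_WITHOUT_PERMIT_ANY = SAMPLE_ACL[:2]
```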

Replacing one ACL with another of the same type

For a specific interface, the most recent ACL assignment using a given application replaces any previous ACL assignment using the same application on the same interface. For example, if you assign a VACL named "Test-01" to filter inbound IPv6 traffic on VLAN 20, but later you assign another VACL named "Test-02" to filter inbound IPv6 traffic on this same VLAN, VACL "Test-02" replaces VACL "Test-01" as the ACL to use. Similarly, if you assign an RACL named "Test-01" to filter inbound routed IPv6 traffic on VLAN 20, but later you assign another RACL named "Test-02" to filter inbound routed IPv6 traffic on this same VLAN, RACL "Test-02" replaces RACL "Test-01" as the ACL to use.

Static port ACLs

These are applied per port, per port list, or per static trunk. Adding a port to a trunk applies the ACL trunk configuration to the new member. If a port is configured with an ACL, the ACL must be removed before the port is added to the trunk. In addition, removing a port from an ACL-configured trunk removes the ACL configuration from that port.