Users Guide

Layer 2 Switching Commands 563
An implicit deny-all condition is added by the system after the last MAC or
IP/IPv6 access group, unless a route-map is configured on the interface.
Every permit/deny rule that does not have a rate-limit parameter is assigned a
counter. If counter resources become exhausted, a warning is issued and the
rule is applied to the hardware without the counter.
If a permit|deny clause is entered with the same sequence number as an
existing rule, an error is displayed and the existing rule is not updated with
the new information; the new rule must use a different sequence number.
Because ACLs end with an implicit deny-all after the last access group, an
IPv6 ACL must contain explicit permit icmp any any nd-na and permit icmp any
any nd-ns rules as match conditions. Without them, the implicit deny drops
the ICMPv6 neighbor solicitation and neighbor advertisement messages and
neighbor discovery fails on the interface.
For the N1100-ON/N1500/N2000/N2100-ON/N2200-ON/N3000-ON/N3100-ON/N3200-ON
series switches, for ingress (in) ACLs:
The IPv6 ACL “fragment” keyword matches only when the first IPv6
extension header is the fragment header (next header code 44). If the
fragment header appears as the second or a subsequent extension header, it
is not matched.
The IPv6 ACL “routing” keyword matches only when the first IPv6 extension
header is the routing header (next header code 43). If the routing header
appears as the second or a subsequent extension header, it is not matched.
A rule that relies on either keyword therefore does not match packets in
which another extension header (for example, hop-by-hop options) precedes
the fragment or routing header; such packets fall through to the remaining
rules in the ACL.
For all series switches, port ranges are not supported on egress (out) ACLs;
only the eq operator is supported for port matching in an egress ACL.
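The rule semantics described above (sequence-number collisions, the implicit deny-all and the neighbor-discovery permits it forces, the first-extension-header limitation of the fragment and routing keywords, and the eq-only restriction on egress ACLs) modelled as a small Python simulation. This is an added example, not code from the switch firmware or from Dell: the Packet, Rule and Ipv6Acl classes, the helper functions rejected, stop_http_acl and drop_fragments_acl, the STOP_HTTP/DROP_FRAGS rule sets and the sample packets are all constructed for this illustration, and the matching logic follows the text literally rather than the switch's hardware.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# IANA next-header / protocol numbers and the ICMPv6 neighbor-discovery types.
HOPOPT, TCP, ROUTING, FRAGMENT, ICMPV6 = 0, 6, 43, 44, 58
ND_NS, ND_NA = 135, 136

@dataclass
class Packet:
    # Constructed packet summary holding only the fields an ACL rule inspects.
    src: str
    upper: int                              # protocol carried after the extension chain
    ext_chain: Tuple[int, ...] = ()         # extension-header codes in on-the-wire order
    icmp_type: Optional[int] = None
    dport: Optional[int] = None

@dataclass
class Rule:
    seq: int
    action: str                             # "permit" or "deny"
    proto: str                              # "ipv6", "icmp" or "tcp"
    src: Optional[str] = None               # source prefix; None means "any"
    icmp_type: Optional[int] = None         # nd-ns / nd-na keywords map to 135 / 136
    dport_eq: Optional[int] = None          # "eq" operator
    dport_range: Optional[Tuple[int, int]] = None  # "range lo hi"; not allowed on egress
    fragment: bool = False                  # "fragment" keyword
    routing: bool = False                   # "routing" keyword

    def matches(self, pkt: Packet) -> bool:
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.proto == "icmp":
            if pkt.upper != ICMPV6 or (self.icmp_type is not None and pkt.icmp_type != self.icmp_type):
                return False
        elif self.proto == "tcp":
            if pkt.upper != TCP or (self.dport_eq is not None and pkt.dport != self.dport_eq):
                return False
            if self.dport_range and pkt.dport not in range(self.dport_range[0], self.dport_range[1] + 1):
                return False
        # Ingress behaviour from the text (assumption): the keyword is checked against the
        # FIRST extension header only; a fragment/routing header further down the chain is missed.
        first = pkt.ext_chain[0] if pkt.ext_chain else None
        if (self.fragment and first != FRAGMENT) or (self.routing and first != ROUTING):
            return False
        return True

class Ipv6Acl:
    def __init__(self, name: str, direction: str = "in"):
        self.name, self.direction, self.rules = name, direction, {}

    def add(self, rule: Rule) -> None:
        if rule.seq in self.rules:          # duplicate sequence number: rejected, old rule kept
            raise ValueError(f"sequence number {rule.seq} already exists in {self.name}")
        if self.direction == "out" and rule.dport_range is not None:
            raise ValueError("port ranges are not supported on egress ACLs; use eq")
        self.rules[rule.seq] = rule

    def evaluate(self, pkt: Packet):
        # Returns (action, matching sequence number); seq None means the implicit deny fired.
        for seq in sorted(self.rules):
            if self.rules[seq].matches(pkt):
                return self.rules[seq].action, seq
        return "deny", None                 # implicit deny all after the last rule

def rejected(acl: Ipv6Acl, rule: Rule) -> bool:
    # True when the ACL refuses the rule (duplicate sequence number or egress port range).
    try:
        acl.add(rule)
        return False
    except ValueError:
        return True

def stop_http_acl(with_nd_permits: bool) -> Ipv6Acl:
    # Hypothetical STOP_HTTP: deny HTTP from 2001:db8::/32, permit the rest of that prefix.
    acl = Ipv6Acl("STOP_HTTP")
    acl.add(Rule(10, "deny", "tcp", "2001:db8::/32", dport_eq=80))
    acl.add(Rule(20, "permit", "ipv6", "2001:db8::/32"))
    if with_nd_permits:                     # the two rules the text says every IPv6 ACL needs
        acl.add(Rule(30, "permit", "icmp", icmp_type=ND_NS))
        acl.add(Rule(40, "permit", "icmp", icmp_type=ND_NA))
    return acl

def drop_fragments_acl() -> Ipv6Acl:
    # Hypothetical DROP_FRAGS: deny fragments, permit everything else.
    acl = Ipv6Acl("DROP_FRAGS")
    acl.add(Rule(10, "deny", "ipv6", fragment=True))
    acl.add(Rule(20, "permit", "ipv6"))
    return acl

# Constructed sample packets; ND uses a link-local source that no prefix rule above covers.
HTTP = Packet("2001:db8::10", TCP, dport=80)
SSH = Packet("2001:db8::10", TCP, dport=22)
NS = Packet("fe80::1", ICMPV6, icmp_type=ND_NS)
FRAG_FIRST = Packet("2001:db8::10", TCP, ext_chain=(FRAGMENT,), dport=80)
FRAG_SECOND = Packet("2001:db8::10", TCP, ext_chain=(HOPOPT, FRAGMENT), dport=80)
```

Two results are worth checking by hand. Without the two ND permits, the neighbor solicitation from fe80::1 matches neither prefix rule of STOP_HTTP and is dropped by the implicit deny, which is exactly the failure the text warns about. In DROP_FRAGS, FRAG_FIRST is denied by sequence 10, but FRAG_SECOND carries a hop-by-hop header ahead of the fragment header, is not matched by the fragment keyword and is permitted by the catch-all at sequence 20; a deny rule built on the fragment or routing keyword should not be treated as a complete filter for that header type.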
Command History
Updated in 6.3.0.1 firmware.
Example and description updated in the 6.4 release.
Example
The following example creates rules in an IPv6 ACL named "STOP_HTTP"
to discard any HTTP traffic from the 2001:DB8::0/32 network, but allow all
other traffic from that network: