KB.15.15

Example 59 RACL filter applications on routed IPv6 Traffic

In Figure 3 (page 94):

• You would assign either an inbound ACL on VLAN 1 or an outbound ACL on

VLAN 2 to filter a packet routed between subnets on different VLANs, that is,

a packet sent from the workstation 2001:db8:0:111::2 on VLAN 1 to the

server at 2001:db8:0:222::25 on VLAN 2. (An outbound ACL on VLAN 1 or

an inbound ACL on VLAN 2 would not filter the packet.)

• Where multiple subnets are configured on the same VLAN, you can use either

inbound or outbound ACLs to filter routed IPv6 traffic between the subnets on

the VLAN if the traffic source and destination IP addresses are on devices

external to the switch.

Figure 3 RACL filter applications on routed IPv6 Traffic

NOTE: The switch allows one inbound IPv6 RACL assignment and one outbound IPv6 RACL

assignment configured per IP routing interface. This is in addition to any other IPv6 ACL assigned

to the IP routing interface or to any ports on the VLAN. You can use the same RACL or different

RACLs to filter inbound and outbound routed IPv6 traffic on an IP routing interface.

IPv6 RACLs do not filter traffic that remains in the same subnet from source to destination (switched

traffic) unless the destination address (DA) or source address (SA) is on the switch itself.

VACL applications

IPv6 VACLs filter traffic entering the switch on a VLAN configured with the "VLAN" ACL option:

vlan vid ipv6 access-group vacl-identifier vlan

94 IPv6 Access Control Lists (ACLs)