IPv6 Configuration Guide K/KA/KB.15.15
4. Be permitted by a VACL configured on a VLAN to which the port is assigned.¹
5. Be permitted by a PACL assigned to the port.¹
6. For IPv4 traffic only, be permitted by a RACL assigned inbound to the port, if the traffic is
subject to RACL rules.¹
¹ IPv4 VACLs and PACLs ignore IPv6 traffic, and the reverse.
Filtering outbound traffic
Outbound IPv4 traffic can be filtered only by a RACL assigned outbound on the port, and only if
the traffic is subject to RACL rules. (Software version K.14.01 does not support IPv6 RACLs.)
Permitting traffic filtered through multiple ACLs
On a given interface where multiple ACLs apply to the same traffic, a packet having a match with
a deny ACE in any applicable ACL on the interface (including an implicit deny any any) is
dropped.
For example, suppose the following is true:
• Ports 10 and 12 belong to VLAN 100.
• A static port ACL filtering inbound IPv6 traffic is configured on port 10.
• A VACL (with a different set of ACEs) is configured on VLAN 100.
• An RACL is also configured for inbound, routed traffic on VLAN 100.
An inbound, switched packet entering on port 10, with a destination on port 12, will be screened
first by the VACL and then by the static port ACL and the RACL. A match with a deny action
(including an implicit deny) in any of the applicable ACLs causes the switch to drop the packet. If
the packet has a match with explicit deny ACEs in multiple ACLs and the log option is included
in these ACEs, a log event for that denied packet occurs in each ACL where there is an applicable
"deny" ACE. Note that logging can also be enabled for matches with "permit" ACEs.
Now suppose instead that VLAN 2 in Figure 6 (page 98) is configured with the following:
• A VACL permitting IPv6 traffic having a destination on the 2001:db8:0:101:: subnet
• An RACL that denies inbound IPv6 traffic having a destination on the 2001:db8:0:101::
subnet
In this case, no routed IPv6 traffic received on the switch from clients on the 2001:db8:0:105::
subnet will reach the 2001:db8:0:101:: subnet, even though the VACL allows such traffic. This is
because the RACL is configured with a deny ACE that causes the switch to drop the traffic regardless
of whether the VACL permits the traffic.
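The evaluation rules above (a deny in any applicable ACL drops the packet, IPv4 ACLs ignore IPv6 traffic, RACLs see only routed traffic, and logging happens per ACL) as a small model, with the Figure 6 VACL/RACL scenario worked through. This is an added example, not switch code or CLI syntax from the guide; the ACE and ACL classes, the ACL names and the `screen` helper are this example's own, and ACEs here match on destination prefix only.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class ACE:
    action: str          # "permit" or "deny"
    dst: str             # destination prefix, e.g. "2001:db8:0:101::/64", or "any"
    log: bool = False    # log option set on this ACE

@dataclass
class ACL:
    name: str
    kind: str            # "vacl", "pacl" or "racl"
    family: int          # 4 or 6: an IPv4 ACL ignores IPv6 traffic and vice versa
    aces: list = field(default_factory=list)

def evaluate(acl, dst):
    """Return the first ACE matching dst, or the implicit 'deny any' (never logged)."""
    for ace in acl.aces:
        if ace.dst == "any" or dst in ipaddress.ip_network(ace.dst):
            return ace
    return ACE("deny", "any")

def screen(packet_dst, routed, acls):
    """Apply every applicable ACL to one packet. A deny match in any of them
    drops the packet; a log event is recorded in each ACL whose matching ACE has
    the log option, whether that ACE is a deny or a permit."""
    dst = ipaddress.ip_address(packet_dst)
    verdict, log_events = "permit", []
    for acl in acls:
        if acl.family != dst.version:       # address family mismatch: ACL ignores it
            continue
        if acl.kind == "racl" and not routed:  # RACLs apply only to routed traffic
            continue
        ace = evaluate(acl, dst)
        if ace.log:
            log_events.append((acl.name, ace.action))
        if ace.action == "deny":
            verdict = "drop"
    return verdict, log_events

# Constructed Figure 6 configuration: the VACL on VLAN 2 permits the
# 2001:db8:0:101:: subnet while the RACL on VLAN 2 denies it (with logging).
VLAN2_VACL = ACL("vacl-vlan2", "vacl", 6, [ACE("permit", "2001:db8:0:101::/64")])
VLAN2_RACL = ACL("racl-vlan2", "racl", 6, [ACE("deny", "2001:db8:0:101::/64", log=True)])
IPV4_PACL = ACL("pacl-ipv4", "pacl", 4, [ACE("deny", "any", log=True)])  # ignores IPv6

def figure6_routed():
    # Routed IPv6 packet from a 2001:db8:0:105:: client to a host on 2001:db8:0:101::
    return screen("2001:db8:0:101::5", True, [VLAN2_VACL, IPV4_PACL, VLAN2_RACL])
```

`figure6_routed()` returns `("drop", [("racl-vlan2", "deny")])`: the VACL permit does not save the packet, the IPv4 PACL is skipped entirely, and only the RACL logs the denial.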
Figure 6 Order of application for multiple ACLs on an interface
[Figure: a switch with IPv6 routing (subnet mask /64) connects VLAN 1 (one subnet, 2001:db8:0:101::1), VLAN 2 with a VACL and an RACL (2001:db8:0:105::1), and VLAN 3 (multiple subnets, 2001:db8:0:120::1 and 2001:db8:0:125::1). Hosts A through E are attached at 2001:db8:0:101::5, 2001:db8:0:125::22, 2001:db8:0:105::99, 2001:db8:0:120::33 and 2001:db8:0:105::88.]
• RACL on VLAN 2 denies IPv6 traffic having a destination on the 2001:db8:0:101:: subnet.
• VACL on VLAN 2 permits IPv6 traffic having a destination on the 2001:db8:0:101:: subnet.
Because the RACL on VLAN 2 denies traffic entering the switch for the 2001:db8:0:101:: subnet destination, no IPv6 traffic received inbound from clients on the 2001:db8:0:105:: subnet will reach the 2001:db8:0:101:: subnet, even though the VACL permits this traffic.
98 IPv6 Access Control Lists (ACLs)