IPv6 Configuration Guide K/KA/KB.15.15
Empty ACL
An ACL that is not populated with any explicit ACEs and functions only as a
placeholder. An ACL exists in this state if any one of the following occurs:
• An ACL identifier has been created in the running config file with the ipv6
access-list [ name-str ] command, but no explicit ACEs exist in the ACL.
• An ACL identifier has been assigned to an interface without first populating the
ACL with ACEs. If the empty ACL did not already exist in the running config file,
assigning the identifier to an interface automatically creates the empty ACL in the
running config file.
• An ACL configured with one or more explicit ACEs has been deleted from the
running config file while the ACL is still assigned to an interface.
Note that an empty ACL does not include an Implicit Deny and does not filter traffic.
However, if you configure any ACE in an empty ACL that is already assigned to an
interface, the ACL immediately begins filtering traffic, which includes application of
the Implicit Deny.
identifier
A term used in ACL syntax statements to represent the alphanumeric name by which
the ACL can be accessed. An identifier can have up to 64 characters.
NOTE: RADIUS-assigned ACLs are identified by client authentication criteria and do
not use the identifiers described in this chapter.
See also name-str.
Implicit Deny
If the switch finds no matches between an IPv6 packet and the configured criteria in
an applicable ACL, then the switch denies (drops) the packet with an implicit deny
ipv6 any any function. You can preempt the Implicit Deny in a given ACL by
configuring a permit ipv6 any any as the last explicit ACE in the ACL. Doing so
permits any packet that is not explicitly permitted or denied by other ACEs configured
sequentially earlier in the ACL.
NOTE: Beginning with software release K.14.01, any dynamically created ACL will
include an implicit deny for both IPv4 and IPv6 traffic, regardless of the address family
capabilities of the server (see “RADIUS-assigned ACLs” (page 153)).
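The evaluation rules in the Empty ACL and Implicit Deny entries above, as an added example that is not part of the guide: a small simulator of first-match ACE evaluation. It assumes ACEs are checked in configured order, an ACL with no explicit ACEs filters nothing, and a non-empty ACL ends with the implicit deny ipv6 any any; the ACLs and addresses are constructed for illustration.

```python
# Added example, not from the configuration guide: simulates how an IPv6 ACL
# is evaluated against a packet's source and destination address.
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str     # IPv6 prefix (e.g. "2001:db8:1::/64") or "any"
    dst: str     # IPv6 prefix or "any"

    def matches(self, src_ip, dst_ip):
        return _in_prefix(src_ip, self.src) and _in_prefix(dst_ip, self.dst)


def _in_prefix(ip, prefix):
    # "any" matches every address; otherwise test prefix membership.
    if prefix == "any":
        return True
    return ipaddress.IPv6Address(ip) in ipaddress.IPv6Network(prefix, strict=False)


def evaluate(acl, src_ip, dst_ip):
    """Return the action applied to the packet: "permit" or "deny".

    An empty ACL is only a placeholder: it has no Implicit Deny and
    forwards everything. A non-empty ACL is searched in order; the first
    matching ACE wins, and a packet matching no ACE hits the Implicit Deny.
    """
    if not acl:
        return "permit"
    for ace in acl:
        if ace.matches(src_ip, dst_ip):
            return ace.action
    return "deny"  # Implicit Deny: implicit "deny ipv6 any any"


# Constructed sample ACLs (assumed prefixes, documentation range 2001:db8::/32).
EMPTY_ACL = []
RESTRICT = [
    Ace("deny", "2001:db8:bad::/48", "any"),
    Ace("permit", "2001:db8:1::/64", "2001:db8:2::/64"),
]
# Appending "permit ipv6 any any" as the last ACE preempts the Implicit Deny,
# but ACEs configured earlier in the list still take precedence.
RESTRICT_OPEN = RESTRICT + [Ace("permit", "any", "any")]
```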
Inbound Traffic
For the purpose of defining where the switch applies IPv6 ACLs to filter traffic, inbound
traffic is a packet that meets one of the following criteria:
Routed ACL (RACL)
Inbound traffic is a packet entering the switch on an IP routing interface (or a subnet
in a multinetted VLAN) with a destination IPv6 address (DA) that is for any of the
following:
• an external device on a different IP routing interface than the interface on
which it arrived
• an IPv6 address configured on the switch itself
Inbound traffic having a destination IPv6 address on the routing switch itself will be
screened by an IPv6 RACL that is configured to screen inbound traffic, regardless of
whether IPv6 routing is enabled. ACLs do not screen outbound traffic generated by
the routing switch itself.
VLAN ACL (VACL)
Inbound traffic is a packet entering the switch on a VLAN interface (or a subnet in
a multinetted VLAN).
Static Port ACL
Inbound traffic is a packet entering the switch on the port.
RADIUS-assigned ACL
Where a RADIUS server has authenticated a client and assigned an ACL to the
port to filter the client’s IPv6 traffic, inbound traffic is a packet entering the switch
from that client. (Note that IPv4 traffic-filtering is automatically included in a
RADIUS-assigned ACL configured to filter IPv6 traffic.)
Introduction 91