Packet-filtering
Suppose that you want to configure an ACL (with an ID of "Test-02") to invoke these policies for IPv6 traffic entering the switch on VLAN 100:
The following ACL, when assigned to filter inbound traffic on VLAN 100, supports the above case.

How an ACL filters packets:

    ipv6 access-list "Test-02"
    10 permit ipv6 2001:db8:0:fb::11:42/128 ::/0
    20 deny tcp 2001:db8:0:fb::11:101/128 eq 23 ::/0
    30 permit ipv6 2001:db8:0:fb::11:101/128 ::/0
    40 permit tcp 2001:db8:0:fb::11:33/128 ::/0 eq 23
    (Implicit Deny Any Any)
- Line 10: Permits IPv6 traffic from 2001:db8:0:fb::11:42. Packets matching this criterion are permitted and will not be compared to any later ACE in the list. Packets not matching this criterion will be compared to the next entry in the list.
- Line 20: Denies IPv6 Telnet traffic from 2001:db8:0:fb::11:101. Packets matching this criterion are dropped and are not compared to later criteria in the list. Packets not matching this criterion are compared to the next entry in the list.
- Line 30: Permits IPv6 traffic from 2001:db8:0:fb::11:101. Packets matching this criterion will be permitted and will not be compared to any later criteria in the list. Because this entry comes after the entry blocking Telnet traffic from this same address, there will not be any Telnet packets to compare with this entry; they have already been dropped as a result of matching the preceding entry.
- Line 40: Permits IPv6 Telnet traffic from 2001:db8:0:fb::11:33. Packets matching this criterion are permitted and are not compared to any later criteria in the list. Packets not matching this criterion are compared to the next entry in the list.
- Implicit Deny Any Any: This entry does not appear in an actual ACL, but is implicit as the last entry in every IPv6 ACL. Any IPv6 packets that do not match any of the criteria in the preceding ACL entries will be denied (dropped) from the VLAN.
It is important to remember that ACLs configurable on the switch include an implicit deny ipv6 any any. That is, IPv6 packets that the ACL does not explicitly permit or deny will be implicitly denied, and therefore dropped instead of forwarded on the interface. If you want to pre-empt the implicit deny so that packets not explicitly denied by other ACEs in the ACL will be permitted, insert an explicit permit ipv6 any any as the last ACE in the ACL. Doing so permits any packet not explicitly denied by earlier entries (this solution would not apply in the preceding example, where the intention is for the switch to forward only the explicitly permitted packets entering the switch on VLAN 100).
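The first-match evaluation described for lines 10 through 40, the implicit deny, and the effect of appending an explicit permit ipv6 any any can all be checked offline with a small simulator. The following Python is an added example written for this page; it is not switch code or a vendor tool. It parses the ACL text exactly as printed above and assumes the usual ACE layout, in which an eq that follows the source address tests the TCP source port and an eq that follows the destination address tests the destination port. The sample packets and the destination address 2001:db8:0:ff::1 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the ACL from this page, in the form the switch prints it.
ACL_TEXT = """\
ipv6 access-list "Test-02"
10 permit ipv6 2001:db8:0:fb::11:42/128 ::/0
20 deny tcp 2001:db8:0:fb::11:101/128 eq 23 ::/0
30 permit ipv6 2001:db8:0:fb::11:101/128 ::/0
40 permit tcp 2001:db8:0:fb::11:33/128 ::/0 eq 23
"""


@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ipv6" matches any IPv6 packet; otherwise "tcp", "udp", ...
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    sport: Optional[int] = None  # "eq N" written after the source address (assumed layout)
    dport: Optional[int] = None  # "eq N" written after the destination address


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_acl(text: str) -> List[Ace]:
    """Parse the numbered ACE lines; the 'ipv6 access-list' header is skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        rest = tokens[3:]
        src = ipaddress.ip_network(rest.pop(0))
        sport = None
        if rest and rest[0] == "eq":          # port test attached to the source
            rest.pop(0)
            sport = int(rest.pop(0))
        dst = ipaddress.ip_network(rest.pop(0))
        dport = None
        if rest and rest[0] == "eq":          # port test attached to the destination
            rest.pop(0)
            dport = int(rest.pop(0))
        aces.append(Ace(seq, action, proto, src, dst, sport, dport))
    return sorted(aces, key=lambda a: a.seq)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Every field an ACE specifies must match; unspecified ports match anything."""
    if ace.proto != "ipv6" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return True


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; later ACEs are never consulted.
    ("deny", None) means the implicit 'deny ipv6 any any' applied."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


def with_permit_any(aces: List[Ace]) -> List[Ace]:
    """Append an explicit 'permit ipv6 any any' so the implicit deny never fires."""
    last = aces[-1].seq if aces else 0
    any6 = ipaddress.ip_network("::/0")
    return aces + [Ace(last + 10, "permit", "ipv6", any6, any6)]


# Constructed sample packets entering VLAN 100; the destination is arbitrary.
DST = "2001:db8:0:ff::1"
SAMPLE_PACKETS = [
    Packet("2001:db8:0:fb::11:42", DST, "tcp", 51000, 80),    # line 10
    Packet("2001:db8:0:fb::11:101", DST, "tcp", 23, 51001),   # line 20 (source port 23)
    Packet("2001:db8:0:fb::11:101", DST, "udp", 51002, 53),   # line 30
    Packet("2001:db8:0:fb::11:33", DST, "tcp", 51003, 23),    # line 40 (destination port 23)
    Packet("2001:db8:0:fb::11:33", DST, "tcp", 51004, 80),    # no ACE matches: implicit deny
]


def run_samples(aces: List[Ace]) -> List[Tuple[str, Optional[int]]]:
    return [evaluate(aces, p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for pkt, (action, seq) in zip(SAMPLE_PACKETS, run_samples(acl)):
        where = f"line {seq}" if seq is not None else "implicit deny"
        print(f"{pkt.src} {pkt.proto} {pkt.sport}->{pkt.dport}: {action} ({where})")
```

Running the script shows the last sample packet dropped by the implicit deny; passing with_permit_any(acl) to run_samples instead makes that same packet hit the appended permit, which is exactly the behaviour change the paragraph above warns about for this VLAN.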