Permitting traffic filtered through multiple ACLs (example)

On a given interface where multiple ACLs apply to the same traffic, a packet having a match with a deny ACE in any applicable ACL on the interface (including an implicit deny any any) is dropped.

For example, suppose the following is true:
  • Ports 10 and 12 belong to VLAN 100.

  • A static port ACL filtering inbound or outbound IPv6 traffic is configured on port 10.

  • A VACL (with a different set of ACEs) is configured on VLAN 100.

An inbound packet entering on port 10, with a destination on port 12, will be screened by the static port ACL and the VACL, regardless of a match with any permit or deny action. A match with a deny action (including an implicit deny) in either ACL will cause the switch to drop the packet. (If the packet has a match with explicit deny ACEs in multiple ACLs and the log option is included in these ACEs, then a separate log event will occur for each match.)

An inbound, switched packet entering on port 10, with a destination on port 12, will be screened first by the VACL and then by the static port ACL. A match with a deny action (including an implicit deny) in any of the applicable ACLs causes the switch to drop the packet. If the packet has a match with explicit deny ACEs in multiple ACLs and the log option is included in these ACEs, then a log event for that denied packet will occur in each ACL where there is an applicable “deny” ACE.

However, in this case, suppose that VLAN 2 in the following figure is configured with a VACL permitting IPv6 traffic having a destination on the 2001:db8:0:101:: subnet.

In this case, no routed IPv6 traffic received on the switch from clients on the 2001:db8:0:105:: subnet will reach the 2001:db8:0:101:: subnet, even though the VACL allows such traffic.

Figure 7: Order of application for multiple ACLs on an interface (example)
NOTE:

This software supports connection-rate ACLs for inbound IPv4 traffic, but not for IPv6 traffic.