Cisco IE-4000 Software Configuration Manual page 785

Configuring IPv6 ACLs
This chapter provides details about configuring IPv6 access control lists (ACLs) on the Cisco Industrial Ethernet Switches,
hereafter referred to as switch.
When the switch is running the IP services image:

You can filter IPv6 traffic by creating IPv6 ACLs and applying them to interfaces

You can create and apply input router ACLs to filter Layer 3 management traffic
This chapter contains the following sections:

Information About IPv6 ACLs, page 781

Prerequisites, page 782

Guidelines and Limitations, page 782

Default Settings, page 783

Configuring IPv6 ACLs, page 783

Verifying IPv6 ACLs, page 787

Configuration Example, page 788
Information About IPv6 ACLs
A switch running the IP services image supports two types of IPv6 ACLs:

IPv6 router ACLs on outbound or inbound traffic on Layer 3 interfaces only, which can be routed ports, switch virtual
interfaces (SVIs), or Layer 3 EtherChannels.
IPv6 router ACLs apply only to routed IPv6 packets.

IPv6 port ACLs on inbound traffic on Layer 2 interfaces only. The switch applies IPv6 port ACLs to all IPv6 packets
entering the interface.
You can apply both IPv4 and IPv6 ACLs to an interface.
As with IPv4 ACLs, IPv6 port ACLs take precedence over router ACLs:

When an input router ACL and input port ACL exist in an SVI, packets received on ports to which a port ACL is applied
are filtered by the port ACL. Routed IP packets received on other ports are filtered by the router ACL. Other packets
are not filtered.

When an output router ACL and input port ACL exist in an SVI, packets received on the ports to which a port ACL is
applied are filtered by the port ACL. Outgoing routed IPv6 packets are filtered by the router ACL. Other packets are
not filtered.
Note: When you apply any port ACL (IPv4, IPv6, or MAC) to an interface, that port ACL filters packets, and ignores any
router ACLs attached to the SVI of the port VLAN.
Cisco Systems, Inc. www.cisco.com
781