• If the hardware memory is full, packets are dropped on the interface and an unload error message is
logged.
Default Configuration for IPv6 ACLs
The default IPv6 ACL configuration is as follows:
Switch# show access-lists preauth_ipv6_acl
IPv6 access list preauth_ipv6_acl (per-user)
    permit udp any any eq domain sequence 10
    permit tcp any any eq domain sequence 20
    permit icmp any any nd-ns sequence 30
    permit icmp any any nd-na sequence 40
    permit icmp any any router-solicitation sequence 50
    permit icmp any any router-advertisement sequence 60
    permit icmp any any redirect sequence 70
    permit udp any eq 547 any eq 546 sequence 80
    permit udp any eq 546 any eq 547 sequence 90
    deny ipv6 any any sequence 100
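The following is an added example, not part of the Cisco guide: it parses the entries shown above and applies first-match evaluation to a few constructed packets, to show which pre-authentication traffic the default ACL lets through. The function names are hypothetical, the port number for the domain keyword (53) and the ICMPv6 type numbers (RFC 4861) are supplied here, and only the match fields that occur in this ACL are modeled (no address matching or hardware behavior).

```python
import re

# Entries copied from the show access-lists output above.
ACL_TEXT = """\
permit udp any any eq domain sequence 10
permit tcp any any eq domain sequence 20
permit icmp any any nd-ns sequence 30
permit icmp any any nd-na sequence 40
permit icmp any any router-solicitation sequence 50
permit icmp any any router-advertisement sequence 60
permit icmp any any redirect sequence 70
permit udp any eq 547 any eq 546 sequence 80
permit udp any eq 546 any eq 547 sequence 90
deny ipv6 any any sequence 100
"""
PORTS = {"domain": 53}  # IOS port keyword -> port number
ICMP_TYPES = {"router-solicitation": 133, "router-advertisement": 134,
              "nd-ns": 135, "nd-na": 136, "redirect": 137}  # RFC 4861 types
ENTRY = re.compile(
    r"(?P<action>permit|deny) (?P<proto>\w+) any(?: eq (?P<sport>\S+))? any"
    r"(?: eq (?P<dport>\S+))?(?: (?P<icmp>[a-z-]+))? sequence (?P<seq>\d+)$")

def parse_acl(text):
    """Turn each ACL line into a dict of match fields, ordered by sequence."""
    port = lambda t: None if t is None else int(PORTS.get(t, t))
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL entry: {line!r}")
        entries.append({"action": m["action"], "proto": m["proto"], "seq": int(m["seq"]),
                        "sport": port(m["sport"]), "dport": port(m["dport"]),
                        "icmp": ICMP_TYPES[m["icmp"]] if m["icmp"] else None})
    return sorted(entries, key=lambda e: e["seq"])

def evaluate(acl, pkt):
    """Return (action, sequence) of the first entry that matches pkt."""
    for e in acl:
        if e["proto"] in ("ipv6", pkt["proto"]) and all(
                e[k] in (None, pkt.get(k)) for k in ("sport", "dport", "icmp")):
            return e["action"], e["seq"]
    return "deny", None  # not reached for this ACL: sequence 100 matches all IPv6

# Constructed sample packets; addresses are omitted because every entry uses "any".
SAMPLES = {
    "dns_query": {"proto": "udp", "sport": 50000, "dport": 53},
    "dhcpv6_solicit": {"proto": "udp", "sport": 546, "dport": 547},
    "router_advert": {"proto": "icmp", "icmp": 134},
    "https": {"proto": "tcp", "sport": 50001, "dport": 443},
}
```

Calling evaluate(parse_acl(ACL_TEXT), SAMPLES["https"]) returns the deny at sequence 100, while DNS, neighbor discovery, router discovery, redirect and DHCPv6 packets each match their own permit entry first.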
Supported ACL Features
IPv6 ACLs on the switch have these characteristics:
• Fragmented frames (the fragments keyword as in IPv4) are supported.
• The same statistics supported in IPv4 are supported for IPv6 ACLs.
• If the switch runs out of TCAM space, packets associated with the ACL label are forwarded to the CPU,
and the ACLs are applied in software.
• Routed or bridged packets with hop-by-hop options have IPv6 ACLs applied in software.
• Logging is supported for router ACLs, but not for port ACLs.
IPv6 Port-Based Access Control List Support
The IPv6 PACL feature provides access control (permit or deny) on Layer 2 switch ports
for IPv6 traffic. IPv6 PACLs are similar to IPv4 PACLs, which provide access control on Layer 2 switch
ports for IPv4 traffic. They are supported only in the ingress direction and in hardware.
A PACL can filter ingress traffic on Layer 2 interfaces based on Layer 3 and Layer 4 header information or
non-IP Layer 2 information.
ACLs and Traffic Forwarding
The IPv6 ACL Extensions for Hop by Hop Filtering feature allows you to control IPv6 traffic that might
contain hop-by-hop extension headers. You can configure an access control list (ACL) to deny all hop-by-hop
traffic or to selectively permit traffic based on protocol.
IPv6 access control lists (ACLs) determine what traffic is blocked and what traffic is forwarded at device
interfaces. ACLs allow filtering based on source and destination addresses, inbound and outbound to a specific
interface. Use the ipv6 access-list command to define an IPv6 ACL, and the deny and permit commands
to configure its conditions.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
Information About Configuring IPv6 ACLs