Restrictions for IPv6 ACLs
IPv6 supports only named ACLs; there are no numbered IPv6 ACLs. With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs.
The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions:
- The switch does not support matching on these keywords: flowlabel, routing header, and undetermined-transport.
- The switch does not support reflexive ACLs (the reflect keyword).
- The vrf-also keyword and the ipv6 access-class line configuration command are mutually exclusive; you cannot use both on the same line.
- The switch does not apply MAC-based ACLs to IPv6 frames.
- When you configure an ACL, the parser accepts any keyword, whether or not the platform supports it. The support check happens when you apply the ACL to an interface that requires hardware forwarding (a physical port or an SVI): if the ACL contains something the interface cannot support, the switch rejects the ACL.
- If an ACL is already applied to an interface and you try to add an access control entry (ACE) that uses an unsupported keyword, the switch refuses to add the ACE to the attached ACL.
- When a large (scale) ACL applied to an interface cannot be programmed in TCAM for a protocol and is unloaded, the unload can disrupt the normal flow of traffic for other protocols. This restriction applies to IPv4, IPv6, and MAC traffic.
- TCAM optimization is not supported on the Cisco Catalyst 9600 Series Supervisor 2 Module.
- Time-to-live (TTL) classification is not supported in ACLs.
- On the Cisco Catalyst 9600 Series Supervisor 2 Module, at most 126 IPv6 ACL IDs are supported in ingress and at most 14 in egress. In ingress, up to 16 of those ACL IDs are shared with other features such as security and QoS ACLs, and 1 ACL ID each is shared with PBR and EPC ACLs. In egress, 1 ACL ID each is shared with security and EPC ACLs.
- ACLs that match on the IPv6 next header or on fragmentation are not supported on the Cisco Catalyst 9600 Series Supervisor 2 Module.
- Modifying an ACL while it is applied is supported on the Cisco Catalyst 9600 Series Supervisor 2 Module.
- Time-based ACLs are supported on the Cisco Catalyst 9600 Series Supervisor 2 Module.
- If a downloadable ACL (dACL) contains duplicate entries of any kind, the entries are not merged automatically, and the 802.1X session authorization fails. Make sure the dACL is optimized and contains no duplicates, such as a port-number entry and a port-name entry for the same port.
- Egress ACL lookup is not supported for injected traffic that is forwarded in software.
- VLAN ACLs and port ACLs are not supported on the Cisco Catalyst 9600 Series Supervisor 2 Module.
- Multicast control packets are not filtered by ACLs on the Cisco Catalyst 9600 Series Supervisor 2 Module.
- On the Cisco Catalyst 9600 Series Supervisor 2 Module, ACLs are supported only on Layer 3 interfaces (routed interfaces and VLAN interfaces), port-channel interfaces, and subinterfaces. Layer 2 interfaces are not supported.
- On the Cisco Catalyst 9600 Series Supervisor 2 Module, per-ACE statistics are supported only for deny ACEs, not for permit ACEs. If the same ACL is applied to multiple ports, the deny counters are cumulative across all ports to which that ACL is attached.
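Because the parser accepts unsupported keywords and only rejects the ACL at apply time, and because a dACL with duplicate entries fails 802.1X authorization, it helps to lint ACL text before it reaches the switch or ISE. The following Python script is an added example, not Cisco tooling or part of this guide: it parses named IPv6 ACL blocks, flags the keywords this page lists as unsupported (reflect, flow label, routing header, undetermined-transport, TTL), and reports duplicate ACEs after normalizing port names to numbers, which catches the port-based versus name-based case described above. The CLI token spellings (flow-label, routing, undetermined-transport, reflect, ttl), the partial port-name table, and the sample configuration are assumptions constructed for the example.

```python
"""Pre-check IPv6 ACL text for the restrictions listed on this page before it
is applied to a Catalyst 9600 Supervisor 2 interface or pushed as a dACL.

Added example; not Cisco tooling. Keyword spellings, the port-name table and
the sample config below are assumptions made for the example."""
import re

# Keywords the page lists as unsupported. Both the page's spelling and the
# assumed IOS CLI token are included so either form is caught.
UNSUPPORTED_KEYWORDS = {
    "flow-label": "flow-label matching is not supported",
    "flowlabel": "flow-label matching is not supported",
    "routing": "routing-header matching is not supported",
    "undetermined-transport": "undetermined-transport matching is not supported",
    "reflect": "reflexive ACLs (reflect) are not supported",
    "ttl": "TTL classification is not supported in ACLs",
}

# Partial table of IOS port names (assumed); extend as needed.
PORT_NAMES = {"www": "80", "domain": "53", "smtp": "25", "ftp": "21",
              "ssh": "22", "telnet": "23", "bgp": "179", "ntp": "123"}
PORT_OPERATORS = {"eq", "neq", "lt", "gt", "range"}

ACL_HEADER = re.compile(r"^ipv6 access-list\s+(\S+)\s*$")
SEQ_PREFIX = re.compile(r"^(?:sequence\s+)?\d+\s+")


def normalize_ace(ace: str) -> str:
    """Canonical form of an ACE: lower-cased, sequence number dropped, port
    names replaced by numbers so that 'eq www' and 'eq 80' compare equal."""
    tokens = SEQ_PREFIX.sub("", ace.strip().lower()).split()
    out = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        out.append(tok)
        if tok in PORT_OPERATORS:
            count = 2 if tok == "range" else 1   # range takes two ports
            for port in tokens[i + 1:i + 1 + count]:
                out.append(PORT_NAMES.get(port, port))
            i += count
        i += 1
    return " ".join(out)


def parse_acls(config: str) -> dict:
    """Return {acl_name: [ace, ...]} from 'ipv6 access-list NAME' blocks.
    ACEs are the indented lines that follow a header, as in a running-config."""
    acls = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls.setdefault(current, [])
        elif current is not None and raw.startswith(" "):
            acls[current].append(line)
        else:
            current = None          # left the ACL block
    return acls


def lint_acls(config: str) -> list:
    """Return (acl_name, ace, reason) for every ACE that uses an unsupported
    keyword or duplicates an earlier ACE in the same ACL."""
    findings = []
    for name, aces in parse_acls(config).items():
        seen = {}                   # canonical ACE -> first ACE with that form
        for ace in aces:
            if SEQ_PREFIX.sub("", ace.lower()).startswith("remark"):
                continue            # remarks are not matched in hardware
            tokens = set(ace.lower().split())
            for keyword, reason in UNSUPPORTED_KEYWORDS.items():
                if keyword in tokens:
                    findings.append((name, ace, reason))
            canon = normalize_ace(ace)
            if canon in seen:
                findings.append((name, ace,
                                 f"duplicate of '{seen[canon]}'; dACL entries "
                                 "are not auto-merged and 802.1X authorization fails"))
            else:
                seen[canon] = ace
    return findings


# Constructed sample, not a real device configuration.
SAMPLE_CONFIG = """\
ipv6 access-list EDGE-IN
 remark constructed sample for the lint check
 sequence 10 deny tcp any any eq telnet
 sequence 20 permit tcp any any eq www
 sequence 30 permit tcp any any eq 80
 sequence 40 permit ipv6 any any routing
 sequence 50 permit tcp any any reflect EDGE-REFLECT
 sequence 60 permit ipv6 any any
ipv6 access-list MGMT-VTY
 permit tcp 2001:db8:10::/64 any eq 22
 deny ipv6 any any
"""

if __name__ == "__main__":
    for acl, ace, reason in lint_acls(SAMPLE_CONFIG):
        print(f"{acl}: '{ace}': {reason}")
```

Run it against the ACL text before you apply the ACL to an interface or push the dACL from the AAA server. A clean result only means that none of the keywords listed on this page and no duplicate entries are present; the switch still performs its own hardware support check when the ACL is applied, and the port-name table must be extended for any names your ACLs actually use.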