Restrictions for IPv6 ACLs
IPv6 supports only named ACLs. With IPv4 ACLs, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs.
The switch supports most Cisco IOS-supported IPv6 ACLs, with these exceptions:
- The switch does not support matching on these keywords: flowlabel, routing header, and undetermined-transport.
- The switch does not support reflexive ACLs (the reflect keyword).
- The switch does not apply MAC-based ACLs to IPv6 frames.
- When you configure an ACL, there is no restriction on the keywords you can enter, regardless of whether the platform supports them. When you apply the ACL to an interface that requires hardware forwarding (a physical port or an SVI), the switch checks whether the ACL can be supported on that interface. If it cannot, the ACL is rejected.
- If an ACL is already applied to an interface and you attempt to add an access control entry (ACE) with an unsupported keyword, the switch does not allow the ACE to be added to the attached ACL.
- When you apply a scale ACL to an interface and it does not program TCAM for a protocol, so that the ACLs are unloaded, normal traffic for other protocols on that interface can be affected. This restriction applies to IPv4, IPv6, and MAC address traffic.
- Time-to-live (TTL) classification is not supported in ACLs.
- If a downloadable ACL contains duplicate entries of any type, the entries are not automatically merged, and the 802.1X session authorization fails. Ensure that the downloadable ACL is optimized and contains no duplicate entries (for example, a port-based entry and a name-based entry for the same port).
- Egress ACL lookup is not supported for injected traffic that is forwarded by software.
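The following is an added configuration example, not taken from the Cisco guide: a named IPv6 ACL built only from matches the page lists as supported, applied inbound on a hardware-forwarded port, which is the point at which the switch performs the support check described above. The ACL name, interface, management prefix and the IOS spellings of the unsupported keywords shown in the trailing comment are assumptions.

```cisco
! Added example; ACL name, interface and prefix are assumed, not from the page.
! IPv6 ACLs are named only (no numbered form).
ipv6 access-list ALLOW-MGMT-V6
 remark SSH from the management prefix only (2001:db8:10::/64 is a constructed value)
 permit tcp 2001:db8:10::/64 any eq 22
 remark An explicit deny removes the implicit neighbor-discovery permits, so restore them
 permit icmp any any nd-ns
 permit icmp any any nd-na
 deny ipv6 any any log
!
! Applying the ACL to a physical port is when the switch checks whether every
! ACE can be programmed in hardware; an ACL with an unsupported match is rejected here.
interface GigabitEthernet1/0/1
 ipv6 traffic-filter ALLOW-MGMT-V6 in
!
! The entries below use the keyword families the page lists as unsupported on this
! platform (keyword spellings assumed). They can be typed into the ACL, but the ACL
! is rejected when applied to a hardware-forwarded interface:
!   permit ipv6 any any flow-label 5
!   permit ipv6 any any routing
!   permit ipv6 any any undetermined-transport
```

Because the check happens at apply time rather than at entry time, verify a new or edited IPv6 ACL on a test interface (or with `show ipv6 access-list` and the interface status after applying) before relying on it in production, and keep downloadable ACLs free of duplicate entries so that 802.1X authorization does not fail.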