Guidelines and Limitations
Tip: If IPv6-ACLs are already configured in a Gigabit Ethernet interface, you cannot add this interface to an Ethernet PortChannel group. See the Security Configuration Guide, Cisco DCNM for SAN for information on configuring IPv6-ACLs.
Follow these guidelines when configuring IPv6-ACLs for Gigabit Ethernet interfaces:
- Only use Transmission Control Protocol (TCP) or Internet Control Message Protocol (ICMP).
Note: Other protocols such as User Datagram Protocol (UDP) and HTTP are not supported in Gigabit Ethernet interfaces. Applying an ACL that contains rules for these protocols to a Gigabit Ethernet interface is allowed, but those rules have no effect.
- Apply IPv6-ACLs to the interface before you enable the interface. This ensures that the filters are in place before traffic starts flowing.
- Be aware of the following conditions:
  - If you use the log-deny option, a maximum of 50 messages are logged per second.
  - The established option is ignored when you apply IPv6-ACLs containing this option to Gigabit Ethernet interfaces.
  - If an IPv6-ACL rule applies to a preexisting TCP connection, that rule is ignored. For example, if there is an existing TCP connection between A and B and an IPv6-ACL that specifies dropping all packets whose source is A and destination is B is subsequently applied, it will have no effect.
See the Security Configuration Guide, Cisco DCNM for SAN for information on applying IPv6-ACLs to an interface.
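The following added example (not Cisco code) lints a rule list against the guidelines above before it is bound to a Gigabit Ethernet interface, flagging rules that are accepted but do not filter. The one-rule-per-line text format, the function names and the sample rules are assumptions made for illustration; only the protocol limits and the established and log-deny option names come from this page.

```python
# Added example: lint an IPv6-ACL against the Gigabit Ethernet guidelines above.
# ASSUMPTION: one rule per line, "<permit|deny> <protocol> <src> <dst> [options]".
SUPPORTED_PROTOCOLS = {"tcp", "icmp"}  # only these take effect on Gigabit Ethernet
LOG_DENY_MAX_PER_SEC = 50              # log-deny logging ceiling from the guidelines

def parse_rule(line):
    """Split one rule line into its fields; raise on anything unrecognized."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0].lower() not in ("permit", "deny"):
        raise ValueError(f"unrecognized rule: {line!r}")
    return {"action": tokens[0].lower(), "protocol": tokens[1].lower(),
            "src": tokens[2], "dst": tokens[3],
            "options": [t.lower() for t in tokens[4:]]}

def lint_gige_acl(lines):
    """Return (findings, effective_rules); findings are (line_number, code, message).
    effective_rules keeps only the lines that still filter traffic on the port."""
    findings, effective = [], []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        rule = parse_rule(line)
        if rule["protocol"] not in SUPPORTED_PROTOCOLS:
            findings.append((number, "no-effect",
                             f"{rule['protocol']} rules are accepted but have no effect"))
            continue
        if "established" in rule["options"]:
            findings.append((number, "established-ignored",
                             "the established option is ignored on this interface type"))
        if "log-deny" in rule["options"]:
            findings.append((number, "log-deny-rate",
                             f"at most {LOG_DENY_MAX_PER_SEC} messages are logged per second"))
        effective.append(line.strip())
    return findings, effective

# Constructed sample ACL (documentation prefixes, not taken from any real device).
SAMPLE_ACL = [
    "permit tcp 2001:db8:1::/64 any established",
    "deny udp any any",
    "deny tcp any 2001:db8:2::/64 log-deny",
    "permit icmp any any",
]

if __name__ == "__main__":
    for number, code, message in lint_gige_acl(SAMPLE_ACL)[0]:
        print(f"rule {number}: [{code}] {message}")
```

In the sample, the deny udp rule is dropped from the effective list, which is the case most likely to leave a gap between what the configuration appears to block and what the interface actually filters.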
Copyright 2010-2013, Cisco Systems, Inc. All rights reserved.