Hello David
Indeed, some of these restrictions do seem somewhat arbitrary; however, there are explanations for each.
- Concerning no outbound filtering support: This has to do with the internal design of a switch, and the ASICs that are used for hardware processing. On a Layer 2 interface, traffic is typically already in the “switching path” once it reaches egress. Applying a PACL on outbound traffic would require the ASIC to re-analyze packets after the forwarding decision has been made, resulting in less efficiency. In general, switches prioritize ingress processing by design for speed/efficiency. Outbound filtering would require additional TCAM/CAM entries and logic.
- Concerning control packets such as CDP, VTP, DTP, etc.: This is not so much a limitation of the hardware, but a design choice. The reason is that the data plane and control plane packet filtering must remain independent and separate. If you want to filter control plane packets, you can use CoPP, even for L2 protocols, but again, check the restrictions that CoPP may have in such cases. The reasoning is similar to why ACLs don't filter traffic generated by the router itself.
- Concerning not supporting IPv6, ARP, or MPLS: This has to do with what the specific platform supports. Some support it while others don’t, as you suggested in your edit…
I hope this has been helpful!
Laz
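Added example (editor's, not part of Laz's reply or the original thread): a PACL applied to a Catalyst Layer 2 access port in Cisco IOS syntax, showing the two restrictions discussed above in practice. The interface name, VLAN, management subnet and ACL names are assumptions chosen for illustration; the multicast MAC 0100.0ccc.cccc is the real destination address used by CDP, VTP and DTP.

```cisco
! Added example, not from the original post. Interface, VLAN, subnet and
! ACL names are assumptions chosen for illustration.
!
! IP PACL: permit SSH from the assumed management subnet and DHCP requests
! from the host, drop everything else arriving on the port.
ip access-list extended PACL-HOST-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 permit udp any any eq bootps
 deny   ip any any
!
! MAC PACL: the deny for the CDP/VTP/DTP destination MAC is included only to
! illustrate the point from the reply: these Layer 2 control packets are not
! subject to PACL filtering, so this entry has no effect on them.
mac access-list extended PACL-MAC-IN
 deny   any host 0100.0ccc.cccc
 permit any any
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 ! PACLs are applied inbound only; there is no "out" direction for an
 ! access-group on a Layer 2 port.
 ip access-group PACL-HOST-IN in
 mac access-group PACL-MAC-IN in
```

After applying it, `show running-config interface GigabitEthernet1/0/10` confirms the direction, and `show ip access-lists PACL-HOST-IN` / `show mac access-group` show the lists in use. If you do need to limit control-plane traffic, that is configured separately under `control-plane` with `service-policy input`, subject to the platform restrictions the reply mentions.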