HP 6200YL User Manual
IPv6 Access Control Lists (ACLs)
IPv6 ACL Operation
1. Permit inbound IPv6 traffic from 2001:db8:0:fb::11:42.
2. Deny only the inbound Telnet traffic from 2001:db8:0:fb::11:101.
3. Permit inbound IPv6 traffic from 2001:db8:0:fb::11:101.
4. Permit only inbound Telnet traffic from 2001:db8:0:fb::11:33.
5. Deny any other inbound IPv6 traffic.
The following ACL, when assigned to filter inbound traffic on VLAN 100,
supports the above case:
    ipv6 access-list "Test-02"
       10 permit ipv6 2001:db8:0:fb::11:42/128 ::/0          (1)
       20 deny tcp 2001:db8:0:fb::11:101/128 eq 23 ::/0      (2)
       30 permit ipv6 2001:db8:0:fb::11:101/128 ::/0         (3)
       40 permit tcp 2001:db8:0:fb::11:33/128 ::/0 eq 23     (4)
       < Implicit Deny Any Any >                             (5)
1. Permits IPv6 traffic from 2001:db8:0:fb::11:42. Packets matching
this criterion are permitted and will not be compared to any later
ACE in the list. Packets not matching this criterion will be
compared to the next entry in the list.
2. Denies IPv6 Telnet traffic from 2001:db8:0:fb::11:101. Packets
matching this criterion are dropped and are not compared to
later criteria in the list. Packets not matching this criterion are
compared to the next entry in the list.
3. Permits IPv6 traffic from 2001:db8:0:fb::11:101. Packets
matching this criterion will be permitted and will not be
compared to any later criteria in the list. Because this entry
comes after the entry blocking Telnet traffic from this same
address, there will not be any Telnet packets to compare with
this entry; they have already been dropped as a result of
matching the preceding entry.
4. Permits IPv6 Telnet traffic from 2001:db8:0:fb::11:33. Packets
matching this criterion are permitted and are not compared to
any later criteria in the list. Packets not matching this criterion
are compared to the next entry in the list.
5. This entry does not appear in an actual ACL, but is implicit as
the last entry in every IPv6 ACL. Any IPv6 packets that do not
match any of the criteria in the preceding ACL entries will be
denied (dropped) from the VLAN.
Figure 8-5. Example of How an ACL Filters Packets
To assign the above ACL, you would use this command:
ProCurve(config)# vlan 100 ipv6 access-group Test-02 vlan
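The first-match evaluation and implicit deny described above, as an added example (not from the HP manual). The entries of Test-02 are encoded as tuples rather than parsed from CLI syntax, Telnet is assumed to mean TCP destination port 23, and the helper names `ace_matches`, `evaluate`, `covers` and `shadowed` are hypothetical. It also checks ordering: with entry 30 placed ahead of entry 20, the Telnet deny can never be reached.

```python
import ipaddress

# Test-02 as (seq, action, protocol, source prefix, destination port).
# Assumption: "Telnet" is modelled as TCP with destination port 23;
# the destination address is ::/0 in every ACE, so it is not modelled.
TEST_02 = [
    (10, "permit", "ipv6", "2001:db8:0:fb::11:42/128", None),
    (20, "deny", "tcp", "2001:db8:0:fb::11:101/128", 23),
    (30, "permit", "ipv6", "2001:db8:0:fb::11:101/128", None),
    (40, "permit", "tcp", "2001:db8:0:fb::11:33/128", 23),
]

def ace_matches(ace, src, proto, dport):
    """True if a packet (source address, protocol, dest port) matches one ACE."""
    _, _, ace_proto, prefix, ace_port = ace
    if ipaddress.ip_address(src) not in ipaddress.ip_network(prefix):
        return False
    if ace_proto not in ("ipv6", proto):   # "ipv6" matches any IPv6 protocol
        return False
    return ace_port is None or ace_port == dport

def evaluate(acl, src, proto, dport=None):
    """Return (action, seq) of the first match; seq None = implicit deny."""
    for ace in acl:
        if ace_matches(ace, src, proto, dport):
            return ace[1], ace[0]
    return "deny", None

def covers(earlier, later):
    """True if every packet matching `later` also matches `earlier`."""
    _, _, e_proto, e_prefix, e_port = earlier
    _, _, l_proto, l_prefix, l_port = later
    return (ipaddress.ip_network(l_prefix).subnet_of(ipaddress.ip_network(e_prefix))
            and e_proto in ("ipv6", l_proto)
            and e_port in (None, l_port))

def shadowed(acl):
    """Sequence numbers of ACEs that can never be the first match."""
    return [later[0] for i, later in enumerate(acl)
            if any(covers(earlier, later) for earlier in acl[:i])]

if __name__ == "__main__":
    host = "2001:db8:0:fb::11:101"
    print(evaluate(TEST_02, host, "tcp", 23), shadowed(TEST_02))
    # Constructed misordering: entry 30 placed ahead of entry 20.
    swapped = [TEST_02[0], TEST_02[2], TEST_02[1], TEST_02[3]]
    print(evaluate(swapped, host, "tcp", 23), shadowed(swapped))
```

Running `shadowed` over an ACL before assigning it is a quick way to catch a deny entry that an earlier, broader permit has made unreachable.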
It is important to remember that ACLs configurable on the switch include an
implicit deny ipv6 any any. That is, IPv6 packets that the ACL does not explicitly
permit or deny will be implicitly denied, and therefore dropped instead of
forwarded on the interface. If you want to preempt the implicit deny so that
packets not explicitly denied by other ACEs in the ACL will be permitted,