beautypg.com

HP 6200YL User Manual

Page 274

background image

IPv6 Access Control Lists (ACLs)
Testing and Troubleshooting ACLs

Using the topology in figure 8-44, a workstation at FE80::20:117 on port B2
attempting to ping and Telnet to the workstation at FE80::20:2 is filtered
through the PACL instance of the “V6-01” ACL assigned to port B2, resulting
in the following:

ProCurve# ping6 fe80::20:2%vlan20

fe80:0000:0000:0000:0000:0000:0020:0002 is alive, time = 5 ms

ProCurve# telnet fe80::20:2%vlan20

Telnet failed: Connection timed out.

ProCurve#

Figure 8-45. Ping and Telnet from FE80::20:117 to FE80::20:2 Filtered by the

Assignment of “V6-01” as a PACL on Port B2

ProCurve# show statistics aclv6 IP-01 port b2

Indicates permitted attempts to reach any accessible destination via the
instance of the “V6-01” PACL assignment on port B2.

Hit Counts for ACL IPV6-ACL

Total

(

1) 10 permit icmp fe80::20:3/128 fe80::20:2/128 128

(

5) 20 deny tcp ::/0 fe80::20:2/128 eq 23 log

(

4) 30 permit ipv6 ::/0 ::/0

ProCurve(config)#

Indicates denied attempts to Telnet to FE80::20:2 via the instance of the “V6­
01” PACL assignment on port B2.

Shows the successful ping permitted by ACE 10.

Figure 8-46. Resulting ACE Hits on ACL “V6-01”

N o t e

IPv4 ACE counters assigned as RACLs operate differently than described
above. For more information, refer to the following section.

IPv4 Counter Operation with Multiple Interface Assignments

Where the same IPv4 ACL is assigned to multiple interfaces as a VLAN ACL
(VACL) or port ACL (PACL), the switch maintains a separate instance of ACE
counters for each interface assignment. Thus, when there is a match with
traffic on one of the ACL’s VACL- or PACL -assigned interfaces, only the ACE
counter in the affected instance of the ACL is incremented. However, if an ACL

8-98

This manual is related to the following products: