General steps for planning and configuring acls – HP 6200YL User Manual

IPv6 Access Control Lists (ACLs)
Overview
■ In any ACL, you can apply an ACL log function to ACEs that have an explicit “deny” action. (The logging occurs when there is a match on a “deny” ACE that includes the log keyword.) The switch sends ACL logging output to Syslog, if configured, and optionally, to a console session.
You can create ACLs for the switch configuration using either the CLI or a text editor. The text-editor method is recommended when you plan to create or modify an ACL that has more entries than you can easily enter or edit using the CLI alone. Refer to “Creating or Editing ACLs Offline” on page 8-84.
General Steps for Planning and Configuring ACLs
1. Identify the ACL action to apply. As part of this step, determine the best points at which to apply specific ACL controls. For example, you can improve network performance by filtering unwanted IPv6 traffic at the edge of the network instead of in the core. Also, on the switch itself, you can improve performance by filtering unwanted IPv6 traffic where it is inbound to the switch instead of outbound.
Traffic Source                                        ACL Application
----------------------------------------------------  ------------------------------------------------------------
IPv6 traffic from a specific, authenticated client    RADIUS-assigned ACL for inbound IPv6 traffic from an
                                                      authenticated client on a port*
IPv6 traffic entering the switch on a specific port   Static port ACL (static-port assigned) for inbound IPv6
                                                      traffic on a port from any source
IPv6 traffic entering the switch on a specific VLAN   VACL (VLAN ACL)

*For more on this option, refer to the chapter titled “Configuring RADIUS Server Support for Switch Services” in the latest version of the Access Security Guide for your switch. Refer also to the documentation for your RADIUS server.
2. Identify the IPv6 traffic types to filter:
   • The SA and/or the DA of IPv6 traffic you want to permit or deny. This can be a single host, a group of hosts, a subnet, or all hosts.
   • IPv6 traffic of a specific protocol type (0-255)
   • TCP traffic (only) for a specific TCP port or range of ports, including optional control of connection traffic based on whether the initial request should be allowed
   • UDP traffic (only) or UDP traffic for a specific UDP port
   • ICMP traffic (only) or ICMP traffic of a specific type and code
   • Any of the above with specific DSCP settings
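The following configuration is an added example, not text from this manual, showing how the decisions in steps 1 and 2 and the deny-logging option described in the overview fit together on the switch. The ACL name “edge-in”, the 2001:db8::/32 documentation prefixes, port 5, VLAN 20, the Syslog server address, and the exact ACE forms (sequence numbers, host, established, ICMP type/code, dscp, protocol number) are assumptions modelled on the ProCurve IPv6 ACL command form; check each command against the IPv6 ACL command reference later in this chapter before using it.

```text
! Added example (not from the manual). Names, addresses, port 5 and VLAN 20 are
! assumptions; verify the ACE syntax against the IPv6 ACL command reference.
!
! Step 1: apply the filter where traffic enters the switch (inbound on a port
! or VLAN at the network edge), not on an outbound path or in the core.
! Step 2: one ACE for each traffic type listed in the planning step.

ipv6 access-list "edge-in"
   ! SA/DA: a single management host may reach any destination on SSH (TCP 22)
   10 permit tcp host 2001:db8:10::5 any eq 22
   ! TCP connection control: allow only the reply half of sessions the inside
   ! subnet opened (established), never a new inbound connection request
   20 permit tcp any 2001:db8:20::/64 established
   ! UDP to a specific port: DNS from the inside subnet to one resolver
   30 permit udp 2001:db8:20::/64 host 2001:db8:53::53 eq 53
   ! ICMP by type and code: echo request (type 128, code 0) is dropped and logged
   40 deny icmp any any 128 0 log
   ! DSCP: permit the expedited-forwarding class (DSCP 46) from the voice subnet
   50 permit ipv6 2001:db8:30::/64 any dscp 46
   ! Protocol number (0-255): drop and log IP protocol 47 (GRE) from anywhere
   60 deny 47 any any log
   ! Explicit final deny carrying the log keyword so every drop reaches Syslog
   70 deny ipv6 any any log
   exit

! Static port ACL: inbound IPv6 traffic on port 5 from any source
interface 5 ipv6 access-group "edge-in" in

! VACL: inbound IPv6 traffic entering the switch on VLAN 20
vlan 20 ipv6 access-group "edge-in" vlan-in

! Deliver ACL deny-logging output to a Syslog server (assumed address)
logging 192.0.2.10
debug acl
debug destination logging
```

Each “access-group” line corresponds to one row of the table above; in practice you would choose the application that matches the traffic source you identified in step 1 rather than applying the same list in both places. The RADIUS-assigned ACL row is not shown because that list is stored on the RADIUS server, as the footnote indicates. Only the ACEs that carry the log keyword (40, 60 and 70) produce log output, and only on a match; permitted traffic is never logged, so an ACL that ends in a bare deny without log would drop silently.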
8-21