ACL Configuration and Operating Rules (page 8-30) – HP 6200yl User Manual

IPv6 Access Control Lists (ACLs)
Planning an ACL Application
■ On any ACL, the switch implicitly denies IPv6 packets that are not explicitly permitted or denied by the ACEs configured in the ACL. If you want the switch to forward a packet for which there is no match in an ACL, append an ACE that enables Permit Any forwarding as the last ACE in the ACL. This ensures that no packets reach the Implicit Deny case for that ACL.
■ Generally, you should list ACEs from the most specific (individual hosts) to the most general (subnets or groups of subnets) unless doing so permits IPv6 traffic that you want dropped. For example, an ACE allowing a series of workstations to use a specialized printer should occur earlier in an ACL than an entry used to block widespread access to the same printer.
ACL Configuration and Operating Rules
■ VACLs: A VACL filters IPv6 traffic entering the switch on the VLAN(s) to which it is assigned.
■ Static Port ACLs: A static port ACL filters IPv6 traffic entering the switch on the port(s) or trunk(s) to which it is assigned.
■ Per Switch ACL Limits for All ACL Types: At a minimum, an ACL must have one explicit “permit” or “deny” Access Control Entry. You can configure up to 2048 ACLs (IPv4 and IPv6 combined). The total number of ACEs in all ACLs depends on the combined resource usage by ACLs and other features. (For more on this topic, refer to “Monitoring Shared Resources” on page 8-103.)
■ Implicit Deny: In any static ACL, the switch automatically applies an implicit deny ipv6 any any that does not appear in show listings. This means that the ACL denies any packet it encounters that does not match an entry in the ACL. Thus, if you want an ACL to permit any IPv6 packets that you have not expressly denied, you must enter a permit ipv6 any any as the last ACE in the ACL. Because, for a given packet, the switch sequentially applies the ACEs in an ACL until it finds a match, any packet that reaches a permit ipv6 any any entry will be permitted and will not encounter the implicit “Deny” ACE the switch automatically includes at the end of the ACL. For an example, refer to figure 8-9 on page 8-38. For implicit deny operation in RADIUS-assigned (dynamic) ACLs, refer to the chapter titled “Configuring RADIUS Server Support for Switch Services” in the latest Access Security Guide for your Switch.
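The following is an added illustration, not part of the HP manual and not the switch's own code: a small first-match IPv6 ACL evaluator that models the three rules above (ACEs are checked in order, the first match decides, and anything unmatched falls to the implicit deny ipv6 any any). It also includes a simple check that reports ACEs that can never match because an earlier, more general ACE completely covers them, which is exactly the printer-access ordering mistake the text warns about. All addresses are constructed from the 2001:db8::/32 documentation prefix, and the helper names (ace, evaluate, shadowed_aces) are this example's own.

```python
"""Added example (not from the HP manual): a first-match IPv6 ACL model
showing ACE ordering and the implicit 'deny ipv6 any any'."""
from dataclasses import dataclass
import ipaddress


@dataclass
class ACE:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv6Network    # source prefix ('any' == ::/0)
    dst: ipaddress.IPv6Network    # destination prefix ('any' == ::/0)


def ace(action, src="::/0", dst="::/0"):
    """Constructed helper (not switch syntax): build one ACE from prefix strings."""
    return ACE(action, ipaddress.IPv6Network(src), ipaddress.IPv6Network(dst))


def evaluate(acl, src, dst):
    """Apply ACEs in order; return (action, index) for the first matching ACE,
    or ('deny', None) when the packet reaches the implicit deny at the end.
    The implicit deny is not an ACE in the list, mirroring the fact that it
    never appears in 'show' listings on the switch."""
    s = ipaddress.IPv6Address(src)
    d = ipaddress.IPv6Address(dst)
    for i, entry in enumerate(acl):
        if s in entry.src and d in entry.dst:
            return entry.action, i
    return "deny", None


def shadowed_aces(acl):
    """Indices of ACEs that can never match because some earlier ACE covers
    both their source and destination prefixes completely."""
    shadowed = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                shadowed.append(j)
                break
    return shadowed


# Constructed sample topology (documentation prefix, not real addresses).
PRINTER = "2001:db8:1::50/128"        # the specialized printer
WORKSTATIONS = "2001:db8:2::/64"      # hosts allowed to use the printer
SITE = "2001:db8::/32"                # everyone else on the site

# Recommended ordering: specific permit first, then the general deny,
# then 'permit ipv6 any any' so nothing reaches the implicit deny.
ACL_GOOD = [
    ace("permit", WORKSTATIONS, PRINTER),
    ace("deny", SITE, PRINTER),
    ace("permit"),
]

# Wrong ordering: the general deny shadows the specific permit entirely.
ACL_BAD = [
    ace("deny", SITE, PRINTER),
    ace("permit", WORKSTATIONS, PRINTER),
    ace("permit"),
]

# No trailing permit-any: unrelated traffic falls to the implicit deny.
ACL_NO_TAIL = ACL_GOOD[:2]


if __name__ == "__main__":
    ws, other, server = "2001:db8:2::10", "2001:db8:9::10", "2001:db8:3::1"
    print("good, workstation -> printer:", evaluate(ACL_GOOD, ws, PRINTER[:-4]))
    print("good, other host  -> printer:", evaluate(ACL_GOOD, other, PRINTER[:-4]))
    print("bad,  workstation -> printer:", evaluate(ACL_BAD, ws, PRINTER[:-4]))
    print("no tail, other -> server    :", evaluate(ACL_NO_TAIL, other, server))
    print("shadowed ACEs in ACL_BAD    :", shadowed_aces(ACL_BAD))
```

Running the module shows the workstation reaching the printer only under ACL_GOOD, and shadowed_aces flagging the unreachable permit in ACL_BAD; the same check is a cheap review step before committing a long ACL to the switch.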
8-30