Table 15 Effect of the above ACL on inbound IPv6 traffic in the assigned VLAN (continued)
ActionLine #
Any packet from IPv6 source address 2001:db8::245:89 is denied (dropped), as this ACE discards all
packets received from 2001:db8::245:89. As the result, IPv6 traffic from that device is not allowed, and
packets from that device are not compared against any later entries in the list.
20
A TCP packet from SA 2001:db8::18:100 with a DA of 2001:db8::237:1 is permitted (forwarded). Since
no earlier ACEs in the list have filtered TCP packets from 2001:db8::18:100 with a destination of
30
2001:db8::237:1, the switch uses this ACE to evaluate such packets; any packets meeting these criteria
are forwarded. (Any packets that do not meet this TCP source-destination criteria are not affected by this
ACE.)
A TCP packet from source address 2001:db8::18:100 to
any
destination address is denied (dropped).
Since the intent of this example is to block TCP traffic from 2001:db8::18:100 to any destination
except
40
the destination stated in the ACE at line 30, this ACE must come after the ACE at line 30. (If their relative
positions were exchanged, all TCP traffic from 2001:db8::18:100 would be dropped, including the traffic
for the intended 2001:db8::237:1 destination.)
Any packet from any IPv6 source address to any IPv6 destination address is permitted (forwarded). The
only traffic filtered by this ACE is packets not specifically permitted or denied by the earlier ACEs.
50
The implicit deny (deny ipv6 any any) is a function the switch automatically adds as the last action in
all IPv6 ACLs. It denies (drops) traffic from any source to any destination that has not found a match with
n/a
earlier entries in the ACL. In this example, the ACE at line 50 permits (forwards) any traffic not already
permitted or denied by the earlier entries in the list, so no traffic remains for action by the implicit deny
function.
Defines the end of the ACL.exit
Allowing for the implied deny function
In any ACL having one or more ACEs, there is always a packet match because the switch
automatically applies the implicit deny as the last ACE in any ACL. This function is not visible in
ACL listings, but is always present (see Example 27 (page 77)). Thus if you configure the switch
to use an ACL for filtering either inbound or outbound traffic on a VLAN, any IPv6 packets not
specifically permitted or denied by the explicit entries you create is denied by the implicit deny
action. To preempt the implicit deny (so that IPv6 traffic not specifically addressed by earlier ACEs
in a given ACL is permitted), insert an explicit permit ipv6 any any as the last explicit ACE
in the ACL.
Assigning an ACL to an interface
The switch stores ACLs in the configuration file. Until you assign an ACL to an interface, it is present
in the configuration but is not used. (The ACL also does not use any of the monitored resources
described in the appendix "Monitoring Resources" in the latest version of the HP Switch Software
Management and Configuration Guide for your switch.)
Assigning an ACL name to an interface
In this case, if you subsequently create an ACL with that name, the switch automatically applies
each ACE as soon as you enter it in the running config file. Similarly, if you modify an existing
ACE in an ACL you already applied to an interface, the switch automatically implements the new
ACE as soon as you enter it. See “ACL operating notices” (page 107). The switch allows up to 2048
ACLs each for IPv4 and IPv6. For example, if you configure two ACLs, but assign only one of them
to a VLAN, the ACL total is two, for the two unique ACL names. If you then assign the name of an
empty ACL to a VLAN, the new ACL total is three, because the switch now has three unique ACL
names in its configuration.
78 Updates for the HP Switch Software IPv6 Configuration Guide
To Next Page
Loading...
Need help?
General
