IPv6 Configuration Guide K/KA/KB.15.15

The following ACL, when assigned to filter inbound traffic on VLAN 100, supports
the above case:
Example 61 How an ACL filters packets
ipv6 access-list "Test-02"
10 permit ipv6 2001:db8:0:fb::11:42/128 ::/0
20 deny tcp 2001:db8:0:fb::11:101/128 eq 23 ::/0
30 permit ipv6 2001:db8:0:fb::11:101/128 ::/0
40 permit tcp 2001:db8:0:fb::11:33/128 ::/0 eq 23
Implicit Deny Any Any
Line 10
Permits all IPv6 traffic from 2001:db8:0:fb::11:42 to any destination. Packets matching this
criterion are permitted and are not compared to any later ACE in the list. Packets not
matching this criterion are compared to the next entry in the list.
Line 20
Denies TCP packets from 2001:db8:0:fb::11:101 whose source port is 23 (Telnet). Note the
position of the port operator: an eq operator placed after the source address matches the
source port, so as written this ACE drops packets sent by a Telnet server on ::11:101, not
Telnet sessions that ::11:101 initiates (those carry destination port 23 and fall through to
line 30, which permits them). To deny Telnet sessions originating from ::11:101, place eq 23
after the destination address ::/0 instead, as line 40 does for ::11:33. Packets matching this
criterion are dropped and are not compared to later criteria in the list. Packets not
matching this criterion are compared to the next entry in the list.
Line 30
Permits all other IPv6 traffic from 2001:db8:0:fb::11:101. Packets matching this criterion
are permitted and are not compared to any later criteria in the list. Because this entry
comes after the entry that drops source-port-23 TCP packets from this same address, none of
those packets reach this entry; they have already been dropped as a result of matching the
preceding entry.
Line 40
Permits TCP traffic from 2001:db8:0:fb::11:33 to destination port 23 (Telnet) on any host.
Packets matching this criterion are permitted and are not compared to any later criteria in
the list. All other traffic from ::11:33 does not match this entry and, since no later ACE
exists, is dropped by the implicit deny.
“Implicit Deny Any Any”
This entry does not appear in an actual ACL, but is implicit as the last entry in
every IPv6 ACL. Any IPv6 packets that do not match any of the criteria in the
preceding ACL entries will be denied (dropped) from the VLAN.
It is important to remember that every ACL configurable on the switch ends with an implicit deny ipv6
any any. That is, IPv6 packets that the ACL does not explicitly permit or deny are implicitly
denied, and therefore dropped instead of forwarded on the interface. If you want to override the
implicit deny so that packets not explicitly denied by other ACEs in the ACL are forwarded, insert
an explicit permit ipv6 any any as the last ACE in the ACL. Doing so permits any packet not
explicitly denied by an earlier entry, which turns the ACL from an allow-list into a deny-list; use it
only where that is the intended policy. (Note that this solution does not apply in the preceding
example, where the intention is for the switch to forward only the explicitly permitted packets
entering the switch on VLAN 100.)
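To make the first-match walk through Test-02 and the effect of the implicit deny concrete, the following Python script is an added example and is not part of the HP guide or switch software. It parses the Example 61 ACEs from a constructed copy of the switch's text syntax, evaluates constructed packets against the list in sequence order, and returns the implicit deny when nothing matches; it also shows what changes once a trailing permit ipv6 ::/0 ::/0 (the any/any permit discussed above) is appended. The Packet class, the destination and unlisted source addresses, and the parser's limited grammar (eq is the only port operator handled) are assumptions of this example, not documented switch behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the Example 61 ACEs in the switch's text syntax.
TEST_02 = """
10 permit ipv6 2001:db8:0:fb::11:42/128 ::/0
20 deny tcp 2001:db8:0:fb::11:101/128 eq 23 ::/0
30 permit ipv6 2001:db8:0:fb::11:101/128 ::/0
40 permit tcp 2001:db8:0:fb::11:33/128 ::/0 eq 23
"""


@dataclass
class Ace:
    seq: int
    action: str                    # "permit" or "deny"
    proto: str                     # "ipv6" matches any protocol; otherwise "tcp"/"udp"/"icmp"
    src: ipaddress.IPv6Network
    sport: Optional[int]           # set when "eq N" followed the source address
    dst: ipaddress.IPv6Network
    dport: Optional[int]           # set when "eq N" followed the destination address


@dataclass
class Packet:                      # hypothetical minimal packet model for this example
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


def parse_ace(line: str) -> Ace:
    """Parse '<seq> permit|deny <proto> <SA> [eq P] <DA> [eq P]'.
    Only the 'eq' port operator is handled (an assumption of this example)."""
    tok = line.split()
    seq, action, proto = int(tok[0]), tok[1].lower(), tok[2].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line}")
    i = 3
    src = ipaddress.IPv6Network(tok[i], strict=False)
    i += 1
    sport = None
    if i < len(tok) and tok[i] == "eq":      # operator right after SA = source port
        sport = int(tok[i + 1])
        i += 2
    dst = ipaddress.IPv6Network(tok[i], strict=False)
    i += 1
    dport = None
    if i < len(tok) and tok[i] == "eq":      # operator right after DA = destination port
        dport = int(tok[i + 1])
        i += 2
    return Ace(seq, action, proto, src, sport, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    aces = [parse_ace(ln) for ln in text.splitlines() if ln.strip()]
    return sorted(aces, key=lambda a: a.seq)   # the switch evaluates ACEs in sequence order


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ipv6" and ace.proto != pkt.proto:
        return False
    if ipaddress.IPv6Address(pkt.src) not in ace.src:
        return False
    if ipaddress.IPv6Address(pkt.dst) not in ace.dst:
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins. Returns (action, seq); seq is None for the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(TEST_02)
    peer = "2001:db8::1"                     # constructed destination host
    samples = [
        ("::11:42 Telnet to peer",       Packet("2001:db8:0:fb::11:42", peer, "tcp", 40001, 23)),
        ("::11:101 Telnet server reply", Packet("2001:db8:0:fb::11:101", peer, "tcp", 23, 40002)),
        ("::11:101 initiates Telnet",    Packet("2001:db8:0:fb::11:101", peer, "tcp", 40003, 23)),
        ("::11:33 initiates Telnet",     Packet("2001:db8:0:fb::11:33", peer, "tcp", 40004, 23)),
        ("::11:33 HTTP",                 Packet("2001:db8:0:fb::11:33", peer, "tcp", 40005, 80)),
        ("unlisted host ICMPv6",         Packet("2001:db8:0:fb::11:7", peer, "icmp")),
    ]
    for label, pkt in samples:
        print(f"{label:30s} -> {evaluate(acl, pkt)}")
    # Appending an explicit permit any/any leaves only the explicit deny ACEs effective.
    open_acl = parse_acl(TEST_02 + "50 permit ipv6 ::/0 ::/0\n")
    print("::11:33 HTTP with permit any any ->", evaluate(open_acl, samples[4][1]))
```

The third sample is the case the Line 20 caveat describes: a Telnet session initiated by ::11:101 carries destination port 23, does not match the source-port test in line 20, and is permitted by line 30. The last two samples fall off the end of the list and return the implicit deny, which the appended sequence 50 converts into a permit.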
Planning an ACL application
Before creating and implementing ACLs, define the policies you want your ACLs to enforce and
understand how the ACL assignments will impact your network users.