IPv6 Configuration Guide K/KA/KB.15.15

of an ACL. This means that IPv6 traffic not specifically matched by earlier entries in the list
will be permitted.
Security
ACLs can enhance security by blocking IPv6 traffic carrying an unauthorized source IPv6 address.
This can include:
• Blocking access from specific devices or interfaces (port or VLAN)
• Blocking access to or from subnets in your network
• Blocking access to or from the internet
• Blocking access to sensitive data storage or restricted equipment
• Preventing specific TCP, UDP, and ICMP traffic types, including unauthorized access using functions such as Telnet and SSH
You can also enhance switch management security by using ACLs to block IPv6 traffic that has the
switch itself as the DA.
CAUTION: ACLs can enhance network security by denying selected IPv6 traffic, and they can
serve as one aspect of maintaining network security. However, because ACLs do not provide user
or device authentication, or protection from malicious manipulation of data carried in IPv6 packet
transmissions, they should not be relied upon for a complete security solution.
NOTE: ACLs in the switches do not filter non-IPv6 traffic such as IPv4, AppleTalk, and IPX packets.
Guidelines for planning the structure of an ACL
After determining the ACL application (RACL, VACL, or static port ACL) to use at a particular point in your network, determine the order in which to apply individual ACEs to filter IPv6 traffic. For information on ACL applications, see “IPv6 ACL applications” (page 93).
• The sequence of ACEs is significant. When the switch uses an ACL to determine whether to permit or deny a packet on a particular VLAN, it compares the packet to the criteria specified in the individual ACEs in the ACL, beginning with the first ACE in the list and proceeding sequentially until a match is found. When a match is found, the switch applies the indicated action (permit or deny) to the packet.
• The first match in an ACL dictates the action on a packet. Subsequent matches in the same ACL are ignored. However, if a packet is permitted by one ACL assigned to an interface but denied by another ACL assigned to the same interface, the packet is denied on that interface.
• On any ACL, the switch implicitly denies IPv6 packets that are not explicitly permitted or denied by the ACEs configured in the ACL. If you want the switch to forward a packet for which there is no match in an ACL, append an ACE that permits any traffic (permit any) as the last ACE in the ACL. This ensures that no packets reach the implicit deny case for that ACL.
• Generally, list ACEs from the most specific (individual hosts) to the most general (subnets or groups of subnets), unless doing so permits IPv6 traffic that you want dropped. For example, an ACE allowing a series of workstations to use a specialized printer should occur earlier in an ACL than an entry used to block widespread access to the same printer.
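The following Python model is an added example, not switch code or text from this guide. It implements the evaluation rules described above (first match wins, implicit deny at the end of every ACL, and deny wins when several ACLs apply to one interface) and walks the workstation-to-printer case in both orderings. All addresses, the printer port 9100 and the ACE field names are constructed assumptions, not values from the guide.

```python
import ipaddress
from typing import NamedTuple, Optional

Net = ipaddress.IPv6Network

class Ace(NamedTuple):
    action: str                   # "permit" or "deny"
    src: Net                      # source prefix; ::/0 means "any"
    dst: Net                      # destination prefix; ::/0 means "any"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

def ace_matches(ace, src, dst, proto, dport):
    return (src in ace.src and dst in ace.dst
            and ace.proto in (None, proto)
            and ace.dport in (None, dport))

def evaluate(acl, src, dst, proto=None, dport=None):
    """Walk the ACEs in order; the first match decides. No match -> implicit deny."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for index, ace in enumerate(acl):
        if ace_matches(ace, s, d, proto, dport):
            return ace.action, index
    return "deny", None           # the implicit deny at the end of every ACL

def interface_decision(acls, src, dst, proto=None, dport=None):
    """Several ACLs on one interface: a deny from any of them drops the packet."""
    results = [evaluate(acl, src, dst, proto, dport)[0] for acl in acls]
    return "deny" if "deny" in results else "permit"

ANY = Net("::/0")
PRINTER = Net("2001:db8:1::20/128")      # constructed printer address
WORKSTATIONS = Net("2001:db8:10::/64")   # constructed workstation subnet

# Specific before general, as the guide recommends.
GOOD_ACL = [
    Ace("permit", WORKSTATIONS, PRINTER, "tcp", 9100),
    Ace("deny", ANY, PRINTER),
    Ace("permit", ANY, ANY),             # explicit permit any: nothing reaches implicit deny
]
# The same ACEs with the broad deny first: the workstation entry is never reached.
BAD_ACL = [GOOD_ACL[1], GOOD_ACL[0], GOOD_ACL[2]]

if __name__ == "__main__":
    print(evaluate(GOOD_ACL, "2001:db8:10::5", "2001:db8:1::20", "tcp", 9100))
    print(evaluate(BAD_ACL, "2001:db8:10::5", "2001:db8:1::20", "tcp", 9100))
```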
Planning an ACL application 105