IPv6 Configuration Guide K/KA/KB.15.15

ACL configuration and operating rules
RACLs and routed IPv6 traffic
Except for IPv6 traffic with a destination address (DA) on the switch itself, RACLs filter only routed IPv6 traffic that is
entering or leaving the switch on a given VLAN. Thus, if routing is not enabled on the switch,
there is no routed IPv6 traffic for RACLs to filter. For more information on IPv6 routing, see the
following:
“IPv6 Routing Basics” (page 166)
“IPv6 Static Routing” (page 180)
“IPv6 Router Advertisements” (page 186)
“DHCPv6-Relay” (page 203)
“OSPFv3 Routing” (page 209)
“IPv6 Tunneling Over IPv4 Using Manually Configured Tunnels” (page 262)
“IPv6 Diagnostic and Troubleshooting” (page 277)
VACLs and switched or routed IPv6 traffic
A VACL filters IPv6 traffic entering the switch on the VLANs to which it is assigned.
Static port ACLs
A static port ACL filters IPv6 traffic entering the switch on the ports or trunks to which it is
assigned.
Per switch ACL limits for all ACL types
At a minimum, an ACL must have one explicit "permit" or "deny" ACE. You can configure up
to 2048 ACLs (IPv4 and IPv6 combined). The total number of ACEs across all ACLs depends on the
combined resource usage by ACLs and other features.
Implicit deny
In any static ACL, the switch automatically appends an implicit deny ipv6 any any
that does not appear in show listings. This means that the ACL denies any packet
that does not match an entry in the ACL. Thus, if you want an ACL to permit any
IPv6 packets that you have not expressly denied, you must enter a permit ipv6 any any
as the last ACE in the ACL. Because, for a given packet, the switch applies the ACEs in an
ACL sequentially until it finds a match, any packet that reaches a permit ipv6 any any
entry is permitted and never encounters the implicit "deny" ACE the switch automatically
includes at the end of the ACL.
For an example, see Example 65 (page 113). For implicit deny operation in RADIUS-assigned
(dynamic) ACLs, see chapter "Configuring RADIUS Server Support for Switch Services" in the
latest Access Security Guide for your switch.
Explicitly permitting IPv6 traffic
Entering a permit ipv6 any any ACE in an ACL permits the IPv6 traffic not previously
permitted or denied by that ACL. Any ACEs listed after that point do not have any effect.
Explicitly denying IPv6 traffic
Entering a deny ipv6 any any ACE in an ACL denies IPv6 traffic not previously permitted
or denied by that ACL. Any ACEs listed after that point have no effect.
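The three rules above (sequential first-match evaluation, the hidden deny ipv6 any any at the end of every static ACL, and the fact that nothing after an explicit permit/deny ipv6 any any can ever match) can be checked offline with a small model of the switch's ACE evaluation. The following Python is an added illustration, not code from the guide or from HP; the Ace class, the evaluate and unreachable_aces helpers, and the sample prefixes are all assumptions constructed for this example. The unreachable_aces check is the kind of lint a defender would run over a candidate ACL before assigning it, so that a deny intended to take effect is not silently shadowed by an earlier any/any entry.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry: action plus source/destination prefixes.
    The keyword 'any' is modelled as the ::/0 prefix (matches every address)."""
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network


def ace(action, src="any", dst="any"):
    """Build an Ace from CLI-style arguments, e.g. ace("permit") == permit ipv6 any any."""
    def to_net(s):
        return ipaddress.IPv6Network("::/0" if s == "any" else s)
    return Ace(action, to_net(src), to_net(dst))


# The hidden 'deny ipv6 any any' the switch appends to every static ACL.
IMPLICIT_DENY = ace("deny")


def evaluate(acl, src, dst):
    """Sequential first-match evaluation of a packet (src, dst) against an ACL.

    Returns (action, index). index is None when no configured ACE matched and the
    packet fell through to the implicit deny that does not appear in show output."""
    s = ipaddress.IPv6Address(src)
    d = ipaddress.IPv6Address(dst)
    for i, entry in enumerate(acl):
        if s in entry.src and d in entry.dst:
            return entry.action, i
    return IMPLICIT_DENY.action, None


def unreachable_aces(acl):
    """Indices of ACEs that can never match because an earlier ACE is any/any.

    Mirrors the guide's rule that ACEs listed after permit/deny ipv6 any any have no effect."""
    for i, entry in enumerate(acl):
        if entry.src.prefixlen == 0 and entry.dst.prefixlen == 0:
            return list(range(i + 1, len(acl)))
    return []


# Constructed sample ACLs (documentation prefixes, not real addresses).
# Without a final permit, anything not matched explicitly is dropped by the implicit deny.
ACL_NO_FINAL_PERMIT = [
    ace("deny", src="2001:db8:bad::/48"),        # index 0: block one source prefix
    ace("permit", dst="2001:db8:1::/64"),        # index 1: allow traffic to one subnet
]

# Adding permit ipv6 any any lets everything else through; the deny placed after it is dead.
ACL_WITH_FINAL_PERMIT = ACL_NO_FINAL_PERMIT + [
    ace("permit"),                               # index 2: permit ipv6 any any
    ace("deny", src="2001:db8:2::/64"),          # index 3: never reached
]


if __name__ == "__main__":
    for name, acl in (("no-final-permit", ACL_NO_FINAL_PERMIT),
                      ("final-permit", ACL_WITH_FINAL_PERMIT)):
        print(name, evaluate(acl, "2001:db8:9::1", "2001:db8:2::5"),
              "unreachable:", unreachable_aces(acl))
```

A packet from 2001:db8:9::1 to 2001:db8:2::5 matches no explicit entry in ACL_NO_FINAL_PERMIT and is reported as ("deny", None), the implicit deny; the same packet against ACL_WITH_FINAL_PERMIT returns ("permit", 2), and index 3 is flagged as unreachable.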
Replacing one ACL with another of the same type
For a specific interface, the most recent ACL assignment using a given application replaces
any previous ACL assignment using the same application on the same interface. For example,
if you assign a VACL named "Test-01" to filter inbound IPv6 traffic on VLAN 20, but later you
assign another VACL named "Test-02" to filter inbound IPv6 traffic on this same VLAN, VACL
106 IPv6 Access Control Lists (ACLs)