IPv6 Configuration Guide K/KA/KB.15.15

Permit/deny options
You can use the following criteria as options for permitting or denying a packet:
- Source IPv6 address
- Destination IPv6 address
- IPv6 protocol options:
  - All IPv6 traffic
  - IPv6 traffic of a specific protocol type (0 to 255)
  - IPv6 traffic for a specific TCP port or range of ports, including:
    - Optional control of connection (established) traffic based on whether the initial request should be allowed
    - TCP flag (control bit) options
  - IPv6 traffic for a specific UDP port or range of ports
  - IPv6 traffic for a specific ICMP type and code
- Any of the above with specific DSCP precedence or ToS settings
Carefully plan ACL applications before configuring specific ACLs. For more information on this
topic, see “Configuring and assigning an IPv6 ACL” (page 109).
Overriding an implicit deny
If a packet does not have a match with the criteria in any of the ACEs in the ACL, the ACL denies
(drops) the packet. If you need to override the implicit deny so that a packet that does not have a
match will be permitted, configure permit ipv6 any any as the last ACE in the ACL. This
directs the ACL to permit (forward) packets that do not have a match with any earlier ACE listed
in the ACL and prevents these packets from being filtered by the implicit deny ipv6 any any.
Example 63 Overriding an implicit deny
Suppose the following ACL with five ACEs is assigned to filter the IPv6 traffic from
an authenticated client on a given port in the switch:
10 permit ipv6 ::/0 fe80::136:24/128
20 permit ipv6 ::/0 fe80::156:7/128
30 deny ipv6 ::/0 fe80::156:3/128
40 deny tcp ::/0 ::/0 eq 23
50 permit ipv6 ::/0 ::/0
(deny ipv6 ::/0 ::/0)
For an inbound packet with a destination IP address of FE80::156:3, the ACL:
1. Compares the packet to the first ACE (line 10).
2. Since there is no match with the first ACE, the ACL compares the packet to
the second ACE, where there is also no match (line 20).
3. The ACL compares the packet to the third ACE. There is an exact match, so
the ACL denies (drops) the packet (line 30).
4. The packet is not compared to the fourth ACE (line 40).
5. The last line demonstrates the "deny any any" ACE implicit in every IPv6 ACL.
Inbound IPv6 traffic from an authenticated client that does not have a match
with any of the five explicit ACEs in this ACL will be denied by the implicit
"deny any any".
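The first-match walk described above, as an added Python example that is not part of the guide: it parses the five ACEs of Example 63 into a simplified model (source and destination prefix, protocol keyword, optional "eq" destination port; the established, TCP-flag and DSCP options are ignored), evaluates a packet against the ACEs in sequence, and falls through to the implicit deny when nothing matches. The packet values are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional

# The five ACEs of Example 63, copied into the switch's own syntax (constructed input).
ACL_TEXT = """
10 permit ipv6 ::/0 fe80::136:24/128
20 permit ipv6 ::/0 fe80::156:7/128
30 deny ipv6 ::/0 fe80::156:3/128
40 deny tcp ::/0 ::/0 eq 23
50 permit ipv6 ::/0 ::/0
"""

class Ace(NamedTuple):
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ipv6" (any IPv6 protocol), "tcp" or "udp"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    dport: Optional[int]   # destination port from "eq <port>", if present

def parse_acl(text: str) -> list:
    """Parse ACE lines of the form '<seq> <action> <proto> <src> <dst> [eq <port>]'."""
    aces = []
    for line in text.strip().splitlines():
        f = line.split()
        dport = int(f[6]) if len(f) > 6 and f[5] == "eq" else None
        aces.append(Ace(int(f[0]), f[1], f[2],
                        ipaddress.IPv6Network(f[3]), ipaddress.IPv6Network(f[4]), dport))
    return aces

def evaluate(aces: list, src: str, dst: str, proto: str, dport: Optional[int] = None):
    """Return (action, seq) of the first matching ACE; (deny, None) is the implicit deny."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for ace in aces:                       # ACEs are tried strictly in sequence order
        if ace.proto != "ipv6" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.seq         # first match wins; later ACEs are never consulted
    return "deny", None                    # implicit "deny ipv6 any any" at the end of every ACL

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print(evaluate(acl, "fe80::1", "fe80::156:3", "tcp", 23))   # ('deny', 30): line 40 not reached
    print(evaluate(acl[:4], "fe80::1", "2001:db8::1", "udp", 53))  # ('deny', None) without line 50
```

Dropping the last ACE (`acl[:4]`) shows the implicit deny taking over for traffic that no explicit ACE covers.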
As shown above, the ACL tries to apply the first ACE in the list. If there is not a match, it tries the
second ACE, and so on. When a match is found, the ACL invokes the configured action for that
110 IPv6 Access Control Lists (ACLs)