IPv6 Configuration Guide K/KA/KB.15.15

Action / Line # / Description (table continued)

Line #: 50
  Any packet from any IPv6 source address to any IPv6 destination address will be permitted (forwarded). The
  only traffic filtered by this ACE will be packets not specifically permitted or denied by the earlier ACEs.

Action: implicit deny; Line #: N/A
  The implicit deny (deny ipv6 any any) is a function the switch automatically adds as the last action in all
  IPv6 ACLs. It denies (drops) traffic from any source to any destination that has not found a match with earlier
  entries in the ACL. In this example, the ACE at line 50 permits (forwards) any traffic not already permitted or
  denied by the earlier entries in the list, so there is no traffic remaining for action by the implicit deny function.

Action: exit
  Defines the end of the ACL.
Implied deny function
In any ACL having one or more ACEs, there is always a packet match. This is because the switch
automatically applies the implicit deny as the last ACE in any ACL. This function is not visible in
ACL listings, but is always present; see Example 65 (page 113). This means that if you configure
the switch to use an ACL for filtering either inbound or outbound traffic on a VLAN, any IPv6
packets not specifically permitted or denied by the explicit entries you create are denied by the
implicit deny action. If you want to preempt the implicit deny (so that IPv6 traffic not specifically
addressed by earlier ACEs in a given ACL is permitted), insert an explicit permit ipv6 any
any as the last explicit ACE in the ACL.
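As an added example (not from this guide, and not switch code), the following Python model reproduces the first-match behaviour described above: the implicit deny ipv6 any any is applied after the explicit ACEs but never appears in a listing, and an explicit permit ipv6 any any as the last ACE preempts it. The Ipv6Acl class, its methods, and the auto-assigned sequence numbers in steps of 10 are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass

ANY6 = ipaddress.IPv6Network("::/0")   # what "any" means in an ACE

def _net(tok):
    return ANY6 if tok == "any" else ipaddress.IPv6Network(tok, strict=False)

_tok = lambda net: "any" if net == ANY6 else str(net)

@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network

    def matches(self, src, dst):
        return (ipaddress.IPv6Address(src) in self.src
                and ipaddress.IPv6Address(dst) in self.dst)

class Ipv6Acl:
    # Constructed model of the switch's first-match ACL logic; not switch code.
    def __init__(self, name):
        self.name = name
        self.aces = []

    def add(self, text, seq=None):
        # text is "permit|deny ipv6 <src> <dst>"; without a sequence number the
        # ACE is appended after the last one (assumption: next multiple of 10).
        action, proto, src, dst = text.split()
        if action not in ("permit", "deny") or proto != "ipv6":
            raise ValueError(f"unsupported ACE: {text!r}")
        if seq is None:
            seq = self.aces[-1].seq + 10 if self.aces else 10
        ace = Ace(seq, action, _net(src), _net(dst))
        self.aces = sorted(self.aces + [ace], key=lambda a: a.seq)
        return ace

    def listing(self):
        # A show of the ACL lists explicit ACEs only; the implicit deny never appears.
        return [f"{a.seq} {a.action} ipv6 {_tok(a.src)} {_tok(a.dst)}"
                for a in self.aces]

    def evaluate(self, src, dst):
        # First match wins; no match falls to the implicit deny, which has no line number.
        for ace in self.aces:
            if ace.matches(src, dst):
                return ace.action, ace.seq
        return "deny", None
```

Traffic from a prefix not covered by any explicit ACE returns ("deny", None) until a permit ipv6 any any is appended, after which it returns ("permit", 30).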
Assignment of an ACL to an interface
The switch stores ACLs in the configuration file. Until you actually assign an ACL to an interface,
it is present in the configuration, but not used (and does not use any of the monitored resources
described in the appendix "Monitoring Resources" in the latest version of the Management and
Configuration Guide for your switch.)
Assignment of an ACL name to an interface
In this case, if you subsequently create an ACL with that name, the switch automatically applies
each ACE as soon as you enter it in the running-config file. Similarly, if you modify an existing
ACE in an ACL you already applied to an interface, the switch automatically implements the new
ACE as soon as you enter it. The switch allows up to 2048 ACLs each for IPv4 and IPv6. For
example, if you configure two ACLs, but assign only one of them to a VLAN, the ACL total is two,
for the two unique ACL names. If you then assign the name of an empty ACL to a VLAN, the new
ACL total is three, because the switch now has three unique ACL names in its configuration.
(RADIUS-based ACL resources are drawn from the IPv4 allocation.)
Creating an ACL using the CLI
You can use either the switch CLI or an offline text editor to create an ACL. This section describes
the CLI method, which is recommended for creating short ACLs.
General ACE rules
These rules apply to all ACEs you create or edit using the CLI.
Adding or inserting an ACE in an ACL
To add an ACE to the end of an ACL:
1. Use the ipv6 access-list name-str command to enter the context for a specific IPv6
ACL. (If the ACL does not already exist in the switch configuration, this command creates it.)
114 IPv6 Access Control Lists (ACLs)