IPv6 Configuration Guide K/KA/KB.15.15

Example 113 Resulting ACE hits on the VLAN 30 IPv4 RACL assignment of the "Test-1" ACL
HP Switch(config)# show statistics aclv4 Test-1 vlan 50 in
Hit Counts for ACL Test-1
Total
( 6) 10 deny tcp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 eq 23
log
( 1) 20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
HP Switch(config)#
NOTE: The Total column indicates the same type of data as shown in Example 111
(page 162) for the VACL assignment of the “Test-1” ACL. That is, the Ping attempt
incremented the counters for ACE 20 and the Telnet attempt incremented the counters
for ACE 10 in the VLAN 50 RACL instance of the ACL.
Example 114 Resulting ACE hits on the VLAN 70 IPv4 RACL assignment of the "Test-1" ACL
HP Switch(config)# show statistics aclv4 Test-1 vlan 70 in
Hit Counts for ACL Test-1
Total
( 6) 10 deny tcp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 eq 23
log
( 1) 20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
HP Switch(config)#
NOTE: The ACE counters in the VLAN 70 RACL assignment of “Test-1” are also
incremented by the commands executed in Example 112 (page 162).
Note that the ACE counters for the VACL assignment of the "Test-1" ACL on VLAN
20 are not affected by ACE hits on the RACL assignments of the same ACL.
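
The following is an added example, not part of the HP guide: a Python parser for saved "show statistics" output in the layout of Examples 113 and 114. It reads the hit counter of each ACE for one assignment and lists the deny ACEs that carry "log" and have matched traffic. The names parse_stats and logged_deny_hits are hypothetical, and the sample text is constructed from Example 113.

```python
import re

# Constructed sample in the layout of Example 113, with "log" wrapped onto
# its own line as in that example.
SAMPLE = """\
HP Switch(config)# show statistics aclv4 Test-1 vlan 50 in
Hit Counts for ACL Test-1
Total
( 6) 10 deny tcp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 eq 23
log
( 1) 20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
HP Switch(config)#
"""

CMD_RE = re.compile(r"show statistics (\S+) (\S+) (.+)")
ACE_RE = re.compile(r"^\(\s*(\d+)\)\s+(\d+)\s+(permit|deny)\s+(.+)$")


def parse_stats(text):
    """Return the ACL name, its assignment and per-ACE hit counts."""
    result = {"family": None, "acl": None, "assignment": None, "aces": []}
    for raw in text.splitlines():
        line = raw.strip()
        cmd = CMD_RE.search(line)
        ace = ACE_RE.match(line)
        if cmd:
            result["family"], result["acl"], result["assignment"] = cmd.groups()
        elif ace:
            hits, seq, action, match = ace.groups()
            result["aces"].append({"seq": int(seq), "hits": int(hits),
                                   "action": action, "match": match.split()})
        elif line == "log" and result["aces"]:
            # Wrapped keyword belongs to the ACE on the previous line.
            result["aces"][-1]["match"].append("log")
    return result


def logged_deny_hits(parsed):
    """Deny ACEs that carry 'log' and have matched at least one packet."""
    return [(a["seq"], a["hits"]) for a in parsed["aces"]
            if a["action"] == "deny" and "log" in a["match"] and a["hits"] > 0]


if __name__ == "__main__":
    stats = parse_stats(SAMPLE)
    print(stats["acl"], stats["assignment"], logged_deny_hits(stats))
```

Because each assignment of an ACL keeps its own counters, parse the output of each assignment separately and compare the results per VLAN.
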
General ACL operating notes
ACLs do not provide DNS hostname support.
ACLs cannot be configured to screen hostname IP traffic between the switch and a DNS.
ACLs do not affect serial port access.
ACLs do not apply to the switch’s serial port.
ACL screening of IPv6 traffic generated by the switch.
Outbound IPv6 RACL applications on a switch do not screen IPv6 traffic (such as broadcasts,
Telnet, Ping, and ICMP replies) generated by the switch itself. All ACLs applied on the switch
do screen this type of traffic when other devices generate it. Similarly, all ACL applications
can screen responses from other devices to unscreened IPv6 traffic the switch generates.
ACL logging
The ACL logging feature generates a message only when packets are explicitly denied as
the result of a match, and not when explicitly permitted or implicitly denied. To help test
ACL logging, configure the last entry in an ACL as an explicit deny statement with a log
statement included and apply the ACL to an appropriate port or VLAN.
The ACL logging feature generates a message only when packets are explicitly denied or
permitted as the result of a match, and not when implicitly denied. To help test ACL logging,