IPv6 Configuration Guide K/KA/KB.15.15

configure the last entry in an ACL as an explicit deny or permit statement with a log
statement included, and apply the ACL to an appropriate VLAN.
A detailed event is logged for the first packet that matches a logged "deny" or "permit" entry,
recording the action that the entry specifies.
Subsequent packets matching a logged entry do not each produce a detailed event; instead the
switch generates a new event that summarizes the number of packets that matched each logged
entry during the reporting period.
Logging enables you to selectively test specific devices or groups. However, excessive
logging can affect switch performance. For this reason, HP recommends that you remove
the logging option from ACEs for which you do not have a present need.
Also, avoid configuring logging where it does not serve an immediate purpose. (ACL
logging is not designed to function as an accounting method.)
See the latest Management and Configuration Guide for your switch.
When configuring logging, you can reduce excessive resource use by configuring the
appropriate ACEs to match with specific hosts instead of entire subnets. For more
information on resource usage, see page 164.
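The following session is added here as an example and is not taken from the guide. It puts the recommendations above into one complete configuration: permit entries that name specific hosts rather than a subnet, a final explicit deny entry carrying the log option, the ACL applied to a VLAN as a VACL, and ACL debug messages sent to a syslog server so that the logged events can be collected. The switch prompt, the ACL name "Mgmt-In", VLAN 20, the addresses under the 2001:db8::/32 documentation prefix and the syslog server address 10.1.20.99 are assumed values; the command syntax follows the K.15 ACL and debug commands but should be confirmed against the CLI help on your own switch.

```console
HP Switch(config)# ipv6 access-list "Mgmt-In"
HP Switch(config-ipv6-acl)# permit tcp host 2001:db8:10::5 host 2001:db8:20::1 eq 22
HP Switch(config-ipv6-acl)# permit tcp host 2001:db8:10::6 host 2001:db8:20::1 eq 22
HP Switch(config-ipv6-acl)# deny ipv6 any any log
HP Switch(config-ipv6-acl)# exit
HP Switch(config)# vlan 20 ipv6 access-group "Mgmt-In" vlan-in
HP Switch(config)# logging 10.1.20.99
HP Switch(config)# debug destination logging
HP Switch(config)# debug acl
```

Only the final deny entry is logged, so the first packet that reaches it produces the detailed event and later matches are reported in the summarizing events described above. The permit entries match two hosts instead of the whole 2001:db8:10::/64 subnet, which keeps resource use down. If you need to confirm that a particular device's traffic is reaching the VLAN, a "permit ... log" entry for that single host is the way to test it; remove the log option again once the test is finished, since logging is not meant as an accounting method.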
Minimum number of ACEs in an IPv6 ACL.
An IPv6 ACL must include at least one ACE to enable traffic screening. An IPv6 ACL can be
created "empty", that is, without any ACEs. However, if an empty ACL is applied to an interface,
the Implicit Deny function does not operate, and the ACL has no effect on traffic.
Monitoring shared resources.
Applied ACLs share internal switch resources with several other features. If the internal
resources become fully subscribed, additional ACLs cannot be applied until the necessary
resources are released by other applications. For information on determining current resource
availability and usage, see the latest Management and Configuration Guide for your switch.
Protocol support.
ACL match criteria do not include MAC address information or QoS settings.
Replacing or adding to an active IPv6 ACL policy.
If you assign an IPv6 ACL to an interface and subsequently add or replace ACEs in that ACL,
each new ACE becomes active when you enter it. If the ACL is configured on multiple interfaces
when the change occurs, the switch resources must accommodate all applications of the ACL.
If there are insufficient resources to accommodate one of several ACL applications affected by
the change, the change is not applied to any of the interfaces and the previous version of the
ACL remains in effect. See “Monitoring shared resources” (page 164).
"Strict" IPv6 TCP and UDP.
When the IPv6 ACL configuration includes TCP or UDP options, the switch operates in "strict"
TCP and UDP mode for increased control. In this case, the switch compares all IPv6 TCP and
UDP packets against the IPv6 ACLs.
Connection-rate ACLs.
As of software release K.13.01, connection-rate ACLs are supported for IPv4 ACLs, but not for
IPv6 ACLs.
Unable to Delete an ACL in the Running Configuration
Attempting to delete an ACL that is currently assigned to an interface removes all configured ACEs
from the ACL, but leaves an "empty" ACL in the configuration. To delete an ACL that is currently
assigned to an interface, do the following:
1. In the interface context, use the no ipv6 access-group command to remove the ACL from
the interface.
2. Use the no ipv6 access-list <name-str> command to delete the ACL.
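As an added example that is not taken from the guide, the two steps above carried out for a VACL assigned to a VLAN, with a show command before and after as the check a practitioner would run. The switch prompt, the ACL name "Mgmt-In" and VLAN 20 are assumed values, and the output of the show commands is not reproduced here.

```console
HP Switch(config)# show access-list config
HP Switch(config)# vlan 20
HP Switch(vlan-20)# no ipv6 access-group "Mgmt-In" vlan-in
HP Switch(vlan-20)# exit
HP Switch(config)# no ipv6 access-list "Mgmt-In"
HP Switch(config)# show access-list config
HP Switch(config)# write memory
```

Entering no ipv6 access-list "Mgmt-In" before the first step would strip the ACEs but leave the empty ACL still assigned to VLAN 20, where, as described under "Minimum number of ACEs in an IPv6 ACL", it has no effect on traffic and no implicit deny. The second show access-list config confirms that neither the ACL nor its assignment remains before the configuration is saved.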
164 IPv6 Access Control Lists (ACLs)