IPv6 Configuration Guide K/KA/KB.15.15

Packet-filtering process
When an ACL filters a packet, it sequentially compares each ACE's filtering criteria to the
corresponding data in the packet until it finds a match. The action indicated by the matching ACE
(deny or permit) is then performed on the packet.
Figure 7 Packet-filtering process in an ACL with N entries (ACEs)
[Flowchart: the packet is tested against the criteria in the first ACE. Is there a match? Yes: perform the action (permit or deny) and end. No: test the packet against the criteria in the second ACE, and so on through the Nth ACE. If no ACE matches, deny the packet (invoke an Implicit Deny) and end.]
1. If a match is not found with the first ACE in an ACL, the switch proceeds to the next ACE and so on.
2. If a match with an explicit ACE is subsequently found, the packet is either permitted (forwarded) or denied (dropped), depending on the action specified in the matching ACE. In this case the switch ignores all subsequent ACEs in the ACL.
3. If a match is not found with any explicit ACE in the ACL, the switch invokes the Implicit Deny at the end of every ACL, and drops the packet.
Note: If the list includes an ACE configured with Permit Any forwarding, no packets can reach the Implicit Deny at the end of the list. Also, placing an ACE with Permit Any forwarding at any point in an ACL defeats the purpose of any subsequent ACEs in the list.
NOTE: The order in which an ACE occurs in an ACL is significant. For example, if an ACL
contains six ACEs, but the first ACE allows "Permit Any" forwarding, the ACL permits all IPv6 traffic,
and the remaining ACEs in the list do not apply, even if they have a match with any traffic permitted
by the first ACE.
Packet-filtering
Suppose you want to configure an ACL (with an ID of "Test-02") to invoke these
policies for IPv6 traffic entering the switch on VLAN 100:
1. Permit inbound IPv6 traffic from 2001:db8:0:fb::11:42.
2. Deny only the inbound Telnet traffic from 2001:db8:0:fb::11:101.
3. Permit inbound IPv6 traffic from 2001:db8:0:fb::11:101.
4. Permit only inbound Telnet traffic from 2001:db8:0:fb::11:33.
5. Deny any other inbound IPv6 traffic.
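As an added example (not code from the guide), the sequential first-match evaluation with the Implicit Deny, modeled in Python and applied to the five Test-02 policies above; the ACE and Packet classes and their fields are assumptions of this model, not switch CLI syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TELNET = 23  # TCP destination port used by the "Telnet traffic" policies

@dataclass(frozen=True)
class ACE:  # assumed model of one access control entry
    action: str                      # "permit" or "deny"
    src: str                         # IPv6 host address, prefix, or "any"
    proto: str = "ipv6"              # "ipv6" = any IPv6 traffic; "tcp" narrows to TCP
    dst_port: Optional[int] = None   # checked only when proto is "tcp"

@dataclass(frozen=True)
class Packet:  # assumed model of the fields an ACE compares against
    src: str
    proto: str                       # "tcp", "udp", "icmpv6", ...
    dst_port: Optional[int] = None

def ace_matches(ace: ACE, pkt: Packet) -> bool:
    """True when every criterion in the ACE fits the packet."""
    if ace.src != "any":
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(ace.src, strict=False):
            return False
    if ace.proto != "ipv6":
        if pkt.proto != ace.proto:
            return False
        if ace.dst_port is not None and pkt.dst_port != ace.dst_port:
            return False
    return True

def filter_packet(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Sequential first-match evaluation: (action, index of the matching ACE),
    or ("deny", None) when no explicit ACE matches and the Implicit Deny applies."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, i     # all subsequent ACEs are ignored
    return "deny", None

# ACL "Test-02" built from policies 1-4 in the order given; policy 5 is the Implicit Deny.
TEST_02 = [
    ACE("permit", "2001:db8:0:fb::11:42"),
    ACE("deny", "2001:db8:0:fb::11:101", "tcp", TELNET),
    ACE("permit", "2001:db8:0:fb::11:101"),
    ACE("permit", "2001:db8:0:fb::11:33", "tcp", TELNET),
]
# The ordering pitfall from the NOTE: a Permit Any ACE placed first shadows every later ACE.
MISORDERED = [ACE("permit", "any")] + TEST_02

if __name__ == "__main__":
    for pkt in (Packet("2001:db8:0:fb::11:101", "tcp", TELNET), Packet("2001:db8:0:fb::11:33", "udp", 53)):
        print(pkt.src, pkt.proto, filter_packet(TEST_02, pkt), filter_packet(MISORDERED, pkt))
```

Swapping ACEs 2 and 3 in TEST_02 would permit the Telnet traffic that policy 2 is meant to deny, which is the same ordering effect the NOTE describes for Permit Any.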
102 IPv6 Access Control Lists (ACLs)