IPv6 Configuration Guide K/KA/KB.15.15

"Test-02" replaces VACL "Test-01" as the ACL to use. For example, if you assign an RACL
named "Test-01" to filter inbound routed IPv6 traffic on VLAN 20, but later you assign another
RACL named "Test-02" to filter inbound routed IPv6 traffic on this same VLAN, RACL "Test-02"
replaces RACL "Test-01" as the ACL to use.
Static port ACLs
These are applied per port, per port list, or per static trunk. Adding a port to a trunk applies
the trunk's ACL configuration to the new member. If a port is configured with an ACL, the ACL
must be removed before the port is added to the trunk. In addition, removing a port from an
ACL-configured trunk removes the ACL configuration from that port.
VACLs
These filter IPv6 traffic entering the switch through any port belonging to the designated VLAN.
VACLs do not filter IPv6 traffic leaving the switch or being routed from another VLAN.
VACLs operate on static VLANs
You can assign an ACL to any VLAN that is statically configured on the switch. ACLs do not
operate with dynamic VLANs.
VACLs and RACLs operate on static VLANs
You can assign an ACL to any VLAN that is statically configured on the switch. ACLs do not
operate with dynamic VLANs.
A VACL affects all physical ports in a static VLAN
A VACL assigned to a VLAN applies to all physical ports on the switch belonging to that VLAN,
including ports that have dynamically joined the VLAN.
A VACL or RACL affects all physical ports in a static VLAN
A VACL or RACL assigned to a VLAN applies to all physical ports on the switch belonging to
that VLAN, including ports that have dynamically joined the VLAN.
RACLs screen routed IPv6 traffic entering or leaving the switch on a given VLAN interface
This means that the following traffic is subject to ACL filtering:
IPv6 traffic arriving on the switch through one VLAN and leaving the switch through another
VLAN.
IPv6 traffic arriving on the switch through one subnet and leaving the switch through
another subnet within the same, multinetted VLAN.
Filtering the desired, routed IPv6 traffic requires assigning an RACL to screen IPv6 traffic
inbound or outbound on the appropriate VLANs. In the case of a multinetted VLAN, it
means that IPv6 traffic inbound from different subnets in the same VLAN is screened by
the same inbound RACL, and IPv6 traffic outbound from different subnets is screened by
the same outbound RACL. See Figure 3 (page 94).
RACLs do not filter switched IPv6 traffic unless the switch itself is the SA or DA
RACLs do not filter IPv6 traffic moving between ports belonging to the same VLAN or subnet
(in the case of a subnetted VLAN). (IPv6 traffic moving between ports in different subnets of
the same VLAN can be filtered by an RACL.)
NOTE: RACLs do filter routed or switched IPv6 traffic having an SA or DA on the switch itself.
How an ACE uses a prefix to screen packets for SA and DA matches
For an IPv6 ACL, a match with a packet occurs when both the protocol and the SA/DA configured
in a given ACE within the ACL are a match with the same criteria in a packet being filtered by the
ACL.
In IPv6 ACEs, prefixes define how many leading bits in the SA and DA to use for determining a
match. That is, the switch uses IPv6 prefixes in CIDR format to specify how many leading bits in a
Planning an ACL application 107
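As an added illustration (not code from the guide or from the switch firmware), the following Python models the matching rule just described: an ACE matches a packet only when the protocol matches and the leading prefix-length bits of the SA and DA match, with all remaining address bits ignored. The `ipv6` any-protocol keyword, `::/0` as the any-address prefix, first-match evaluation and a trailing implicit deny are assumptions of this model, not statements taken from this page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry (model of the guide's ACE; field names are assumptions)."""
    action: str        # "permit" or "deny"
    protocol: str      # "tcp", "udp", "icmp", or "ipv6" for any protocol (assumed keyword)
    src_prefix: str    # SA prefix in CIDR form, e.g. "2001:db8:1::/64"; "::/0" means any
    dst_prefix: str    # DA prefix in CIDR form


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str


def addr_in_prefix(addr: str, prefix: str) -> bool:
    """Compare only the leading prefix-length bits of addr; the remaining bits are ignored."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    plen = net.prefixlen
    # Build a 128-bit mask with the top `plen` bits set (all zeros for ::/0).
    mask = ((1 << plen) - 1) << (128 - plen) if plen else 0
    return (int(ipaddress.IPv6Address(addr)) & mask) == (int(net.network_address) & mask)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """An ACE matches when protocol, SA and DA all match, as the guide describes."""
    proto_ok = ace.protocol == "ipv6" or ace.protocol == pkt.protocol
    return proto_ok and addr_in_prefix(pkt.src, ace.src_prefix) and addr_in_prefix(pkt.dst, ace.dst_prefix)


def evaluate(acl: list[Ace], pkt: Packet) -> str:
    """The first matching ACE decides; an unmatched packet is denied (first-match order
    and the trailing implicit deny are assumptions of this model)."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed sample ACL: deny TCP sourced from one /64, permit everything else.
SAMPLE_ACL = [
    Ace("deny", "tcp", "2001:db8:1::/64", "::/0"),
    Ace("permit", "ipv6", "::/0", "::/0"),
]
```

A source of 2001:db8:1:ffff::1 is not matched by the /64 ACE because the fourth hextet lies inside the 64 compared bits, while 2001:db8:1::abcd is matched because its differing bits all fall after the prefix length.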