IPv6 Configuration Guide K/KA/KB.15.15
• Filtering for TCP traffic based on whether the subject traffic is initiating a connection ("established" option)
• Optional DSCP (IP precedence and ToS) criteria
The switch allows up to 2048 ACLs each for IPv4 and IPv6 (with RADIUS-based ACL resources
drawn from the IPv4 allocation). The total is determined from the number of unique identifiers in
the configuration. For example, configuring two IPv6 ACLs results in an ACL total of two, even if
neither is assigned to an interface. If you then assign a nonexistent IPv6 ACL to an interface, the
new total is three, because the switch now has three unique IPv6 ACL names in its configuration.
For information on determining the current resource availability and usage, see the Management
and Configuration Guide for your switch.
For ACL resource limits, see the latest Management and Configuration Guide for your switch.
Commands to create, enter, and configure an ACL
For a match to occur with an ACE, a packet must have the source and destination IPv6 address
criteria specified by the ACE, as well as any IPv6 protocol-specific criteria included in the command.
Use the following general steps to create or add to an ACL:
1. Create and/or enter the context of a given ACL.
2. Enter the first ACE in a new ACL, or append an ACE to the end of an ACL.
Page  Topic
125   applying or removing an ACL on an interface
125   deleting an ACL
155   editing an ACL (inserting or removing ACEs from an existing ACL)
156   sequence numbering in ACLs
129   including remarks in an ACL
132   viewing ACL configuration data
143   creating or editing ACLs offline
157   enabling ACL "Deny" logging
Example: IPv6 ACL configuration in a routed environment
Suppose that you want to implement these policies on a switch configured for IPv6 routing and
membership in VLANs 15, 14, and 13:
Policy A:
1. Permit IPv6 Telnet traffic from 2001:db8:0:1af::144 to 2001:db8:0:1ae::178.
2. Deny all other IPv6 traffic from network 2001:db8:0:1af::/64 (VLAN 15) to 2001:db8:0:1ae::/64 (VLAN 14).
3. Permit all other IPv6 traffic from 2001:db8:0:1af::/64 (VLAN 15) to any destination. See "A" in Figure 10 (page 155).
Policy B:
1. Permit FTP traffic from IPv6 address 2001:db8:0:1ae::100 (on VLAN 14) to 2001:db8:0:1ad::55 (on VLAN 13). The TCP port number assigned for FTP traffic is "21".
2. Deny FTP traffic from other hosts on network 2001:db8:0:1ae::/64 to any destination.
3. Permit all other IPv6 traffic.
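The two policies above, modelled as an added example (not code from this guide) that applies the matching rule stated earlier: an ACE matches only when the packet satisfies its source and destination address criteria and any protocol-specific criteria, ACEs are tested in order with the first match deciding, and a packet that matches no ACE is dropped by the implicit deny that ends every ACL. The Ace class, the evaluate function, the ACE ordering and the sample packets are this example's own assumptions (Telnet is TCP port 23); the switch's CLI syntax is not reproduced here.

```python
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address
from typing import List, Optional

ANY = IPv6Network("::/0")          # "any" source or destination

def host(addr: str) -> IPv6Network:
    """A single host, expressed as a /128 prefix."""
    return IPv6Network(addr + "/128")

@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    src: IPv6Network                # source address criteria
    dst: IPv6Network                # destination address criteria
    proto: str = "ipv6"             # "ipv6" = any protocol; "tcp" adds port criteria
    dst_port: Optional[int] = None  # TCP destination port, if the ACE names one

    def matches(self, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        # Address criteria must match first; then any protocol-specific criteria.
        if ip_address(src) not in self.src or ip_address(dst) not in self.dst:
            return False
        if self.proto == "ipv6":
            return True
        return proto == self.proto and (self.dst_port is None or dport == self.dst_port)

def evaluate(acl: List[Ace], src: str, dst: str, proto: str = "tcp",
             dport: Optional[int] = None) -> str:
    """Return the action of the first matching ACE, or "deny" (implicit deny)."""
    for ace in acl:
        if ace.matches(src, dst, proto, dport):
            return ace.action
    return "deny"

# Policy A, for traffic from VLAN 15 (Telnet = TCP port 23)
POLICY_A = [
    Ace("permit", host("2001:db8:0:1af::144"), host("2001:db8:0:1ae::178"), "tcp", 23),
    Ace("deny", IPv6Network("2001:db8:0:1af::/64"), IPv6Network("2001:db8:0:1ae::/64")),
    Ace("permit", IPv6Network("2001:db8:0:1af::/64"), ANY),
]

# Policy B, for traffic from VLAN 14 (FTP = TCP port 21)
POLICY_B = [
    Ace("permit", host("2001:db8:0:1ae::100"), host("2001:db8:0:1ad::55"), "tcp", 21),
    Ace("deny", IPv6Network("2001:db8:0:1ae::/64"), ANY, "tcp", 21),
    Ace("permit", ANY, ANY),
]

if __name__ == "__main__":
    # Constructed sample packets: (src, dst, proto, dport)
    print(evaluate(POLICY_A, "2001:db8:0:1af::144", "2001:db8:0:1ae::178", "tcp", 23))  # permit
    print(evaluate(POLICY_A, "2001:db8:0:1af::144", "2001:db8:0:1ae::178", "tcp", 80))  # deny
    print(evaluate(POLICY_B, "2001:db8:0:1ae::7", "2001:db8:0:1ad::55", "tcp", 21))     # deny
```

Note that the second Policy A packet is denied by the second ACE even though the Telnet host is its source: the port criteria of the first ACE did not match, so evaluation moved on, and a non-Telnet flow to the VLAN 14 prefix falls under the deny.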
154 IPv6 Access Control Lists (ACLs)