IPv6 Configuration Guide K/KA/KB.15.15
Example 108 IPv4 counter operation with multiple interface assignments
Suppose that an IPv4 ACL named "Test-1" is configured as shown in Example 109
(page 161) to block Telnet access to a server at 10.10.20.12 on VLAN 20, and
that the Test-1 ACL is assigned to VLANs as follows:
• VLAN 20: VACL
• VLAN 50: RACL
• VLAN 70: RACL
Example 109 ACL “Test-1” and interface assignment commands
HP Switch(config)# show access-list Test1 config
ip access-list extended "Test1"
10 deny tcp 0.0.0.0 255.255.255.255 10.10.20.12 0.0.0.0 eq 23 log
20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
HP Switch(config)# vlan 20 ip access-group Test-1 vlan    (1)
HP Switch(config)# vlan 50 ip access-group Test-1 in      (2)
HP Switch(config)# vlan 70 ip access-group Test-1 in      (3)
(1) Assigns the ACL as a VACL to VLAN 20
(2), (3) Assigns the ACL as an RACL to VLANs 50 and 70
Figure 12 Using the same IPv4 ACL for VACL and RACL applications
[Figure: a 5400zl Switch with VLAN 20 (10.10.20.1), VLAN 50 (10.10.55.1) and VLAN 70 (10.10.70.1); network labels 10.10.20.0, 10.10.30.0 and 10.10.70.0; server at 10.10.20.12. ACL "Test-1" is assigned as a VACL to VLAN 20 and as an RACL to both VLAN 50 and VLAN 70.]
In the above case:
• Matches with ACEs 10 or 20 that originate on VLAN 20 increment only the
counters for the instances of these two ACEs in the Test-1 VACL assignment on
VLAN 20. The same counters in the instances of ACL Test-1 assigned to VLANs
50 and 70 are not incremented.
• Any Telnet requests to 10.10.20.12 that originate on VLANs 50 or 70 are
filtered by instances of Test-1 assigned as RACLs and increment the counters
for ACE 10 on both RACL instances of the Test-1 ACL.
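The counting rules above, modeled as an added example (not part of the HP guide): it evaluates the two ACEs from Example 109 with wildcard-mask matching and tallies hits per assignment. It reads the second bullet as meaning that a match on either RACL VLAN increments the ACE in both RACL instances, which is an assumption; the function names and sample packets are constructed.

```python
import ipaddress

# ACEs from Example 109: (seq, action, proto, src, src_wild, dst, dst_wild, dport)
TEST_1 = [
    (10, "deny", "tcp", "0.0.0.0", "255.255.255.255", "10.10.20.12", "0.0.0.0", 23),
    (20, "permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None),
]
# Assignments from Example 109: ingress VLAN -> application type
ASSIGNMENTS = {20: "vacl", 50: "racl", 70: "racl"}

def wild_match(addr, base, wildcard):
    """Wildcard (inverse) mask: bits set to 1 in the mask are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def first_match(pkt):
    """Return (seq, action) of the first matching ACE, else the implicit deny."""
    for seq, action, proto, src, sw, dst, dw, port in TEST_1:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if port is not None and port != pkt.get("dport"):
            continue
        if wild_match(pkt["src"], src, sw) and wild_match(pkt["dst"], dst, dw):
            return seq, action
    return None, "deny"

def run(packets):
    """Tally ACE hits per assignment; packets are (ingress_vlan, pkt) pairs."""
    counters = {vlan: {10: 0, 20: 0} for vlan in ASSIGNMENTS}
    for vlan, pkt in packets:
        seq, _ = first_match(pkt)
        if seq is None or vlan not in ASSIGNMENTS:
            continue
        if ASSIGNMENTS[vlan] == "vacl":
            targets = [vlan]  # VACL hit counts only on that VLAN's instance
        else:  # assumption: an RACL hit counts on every RACL instance
            targets = [v for v, kind in ASSIGNMENTS.items() if kind == "racl"]
        for v in targets:
            counters[v][seq] += 1
    return counters

# Constructed sample traffic: (ingress VLAN, packet)
SAMPLE = [
    (20, {"proto": "tcp", "src": "10.10.20.50", "dst": "10.10.20.12", "dport": 23}),
    (20, {"proto": "tcp", "src": "10.10.20.50", "dst": "10.10.20.12", "dport": 80}),
    (50, {"proto": "tcp", "src": "10.10.55.7", "dst": "10.10.20.12", "dport": 23}),
    (70, {"proto": "tcp", "src": "10.10.70.9", "dst": "10.10.20.12", "dport": 23}),
    (70, {"proto": "udp", "src": "10.10.70.9", "dst": "10.10.20.12", "dport": 53}),
]
```

When reviewing real counters, compare the per-VLAN output for the ACL against a model like this before attributing a deny count to a single source VLAN.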










