KB.15.15

The ACLs described in this chapter can filter IPv6 traffic to or from a host, a group of contiguous

hosts, or entire subnets.

CAUTION: The ACLs described in this chapter can enhance network security by blocking selected

IPv6 traffic and can serve as part of your network security program. However, because ACLs do

not provide user or device authentication or protection from malicious manipulation of data carried

in IPv6 packet transmissions, they should not be relied upon for a complete security solution.

Static IPv6 ACLs on the switches do not screen non-IPv6 traffic such as IPv4, AppleTalk, and IPX

packets.

For option information, see “Options for applying IPv6 ACLs on the switch” (page 152).

Command Summary for Configuring ACLs

154HP Switch(config)# ipv6 access-list name-strCreate an IPv6 ACL

HP Switch(config-ipv6-acl)# deny | permit

Add an ACE to the End of an

Existing IPv6 ACL

ipv6 | esp | ah | sctp | ipv6-protocol-nbr

any | host SA | SA/prefix-length

any | host DA | DA/prefix-length

tcp | udp

any | host SA | SA/prefix-length

[ comparison-operator value ]

any | host DA | DA/prefix-length

[ comparison-operator value ]

[ established ]

[ ack ] [ fin ] [ rst ] [ syn ]

icmp

any | host SA | SA/prefix-length

any | host DA | DA/prefix-length

[ 0 - 255 [ 0 - 255 ] | icmp-message ]

[dscp precedence | codepoint ]

[log]

125HP Switch(config)# ipv6 access-list name-str

HP Switch(config-ipv6-acl)# seq-# deny | permit |

remark

Insert an ACE or a remark by

Assigning a Sequence Number

The deny and permit keywords use the options shown above for "Create

an IPv6 ACL".

128HP Switch(config)# ipv6 access-listname-strDelete an ACE or a Remark (or

both) by Sequence Number

HP Switch(config-ipv6-acl)# no seq-# [remark]

NOTE: You can also delete an ACE by entering no permit|deny followed

by the settings explicitly configured for that ACE.

128HP Switch(config)# ipv6 access-list resequence name-str

starting-# increment

Resequence the ACEs in an ACL

88 IPv6 Access Control Lists (ACLs)