Allowing for the Implied Deny Function – HP 6200yl User Manual


IPv6 Access Control Lists (ACLs)

Configuring and Assigning an IPv6 ACL

Table 8-2. Effect of the Above ACL on Inbound IPv6 Traffic in the Assigned VLAN

Line #  Action
------  --------------------------------------------------------------------------
n/a     Shows IP type (IPv6) and ID (Sample-List-2).

10      A packet from source address 2001:db8:235:10 will be denied (dropped).
        This ACE filters out all packets received from 2001:db8:235:10. As a
        result, IPv6 traffic from that device will not be allowed and packets
        from that device will not be compared against any later entries in
        the list.

20      A packet from IPv6 source address 2001:db8::245:89 will be denied
        (dropped). This ACE filters out all packets received from
        2001:db8::245:89. As a result, IPv6 traffic from that device will not
        be allowed and packets from that device will not be compared against
        any later entries in the list.

30      A TCP packet from SA 2001:db8::18:100 with a DA of 2001:db8::237:1
        will be permitted (forwarded). Since no earlier ACEs in the list have
        filtered TCP packets from 2001:db8::18:100 with a destination of
        2001:db8::237:1, the switch will use this ACE to evaluate such
        packets. Any packets that meet these criteria will be forwarded.
        (Any packets that do not meet this TCP source-destination criteria
        are not affected by this ACE.)

40      A TCP packet from source address 2001:db8::18:100 to any destination
        address will be denied (dropped). Since, in this example, the intent
        is to block TCP traffic from 2001:db8::18:100 to any destination
        except the destination stated in the ACE at line 30, this ACE must
        follow the ACE at line 30. (If their relative positions were
        exchanged, all TCP traffic from 2001:db8::18:100 would be dropped,
        including the traffic for the 2001:db8::237:1 destination.)

50      Any packet from any IPv6 source address to any IPv6 destination
        address will be permitted (forwarded). The only traffic filtered by
        this ACE will be packets not specifically permitted or denied by the
        earlier ACEs.

n/a     The Implicit Deny (deny ipv6 any any) is a function the switch
        automatically adds as the last action in all IPv6 ACLs. It denies
        (drops) traffic from any source to any destination that has not
        found a match with earlier entries in the ACL. In this example, the
        ACE at line 50 permits (forwards) any traffic not already permitted
        or denied by the earlier entries in the list, so there is no traffic
        remaining for action by the Implicit Deny function.

exit    Defines the end of the ACL.

Allowing for the Implied Deny Function

In any ACL having one or more ACEs there will always be a packet match.
This is because the switch automatically applies the Implicit Deny as the last
ACE in any ACL. This function is not visible in ACL listings, but is always
present. (Refer to figure 8-9.) This means that if you configure the switch to
use an ACL for filtering either inbound or outbound traffic on a VLAN, any
IPv6 packets not specifically permitted or denied by the explicit entries you
create will be denied by the Implicit Deny action. If you want to preempt the
Implicit Deny (so that IPv6 traffic not specifically addressed by earlier ACEs
in a given ACL will be permitted), insert an explicit permit ipv6 any any as
the last explicit ACE in the ACL.
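The first-match behaviour that Table 8-2 and this section describe, as an added Python example that is not part of the HP manual. It models Sample-List-2 from the Action column of the table (the manual's own CLI listing of the ACL is not on this page), evaluates several constructed packets against it, shows what changes when lines 30 and 40 trade places, and shows the Implicit Deny acting once line 50 is removed. The address in line 10 is assumed to be 2001:db8::235:10; the page prints it without the "::", which is not a valid IPv6 literal, so that reading is an assumption.

```python
# Added example (not from the HP manual): a minimal first-match simulator for
# the IPv6 ACL described in Table 8-2. It shows why ACE order matters and what
# the Implicit Deny does when no explicit "permit ipv6 any any" is present.
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Tuple

ANY = IPv6Network("::/0")  # the "any" keyword of an ACE


def host(addr: str) -> IPv6Network:
    """The 'host <addr>' form of an ACE: a single /128."""
    return IPv6Network(f"{addr}/128")


@dataclass(frozen=True)
class Ace:
    seq: int           # line number as shown in the ACL listing
    action: str        # "permit" or "deny"
    proto: str         # "ipv6" matches any protocol; "tcp" matches only TCP
    src: IPv6Network
    dst: IPv6Network


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv6Address
    dst: IPv6Address


def pkt(proto: str, src: str, dst: str) -> Packet:
    """Build a constructed test packet from protocol and address strings."""
    return Packet(proto, IPv6Address(src), IPv6Address(dst))


# Sample-List-2 as reconstructed from the Action column of Table 8-2.
# ASSUMPTION: line 10's address is taken as 2001:db8::235:10; the page prints
# it without "::", which is not a valid IPv6 literal.
SAMPLE_LIST_2: List[Ace] = [
    Ace(10, "deny",   "ipv6", host("2001:db8::235:10"), ANY),
    Ace(20, "deny",   "ipv6", host("2001:db8::245:89"), ANY),
    Ace(30, "permit", "tcp",  host("2001:db8::18:100"), host("2001:db8::237:1")),
    Ace(40, "deny",   "tcp",  host("2001:db8::18:100"), ANY),
    Ace(50, "permit", "ipv6", ANY, ANY),
]


def matches(ace: Ace, p: Packet) -> bool:
    """An ACE matches when protocol, source and destination all match."""
    proto_ok = ace.proto == "ipv6" or ace.proto == p.proto
    return proto_ok and p.src in ace.src and p.dst in ace.dst


def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation, top to bottom. Returns (action, seq) of the ACE
    that fired; ("deny", None) means the Implicit Deny (deny ipv6 any any),
    which the switch appends invisibly, was the only thing that matched."""
    for ace in acl:
        if matches(ace, p):
            return ace.action, ace.seq
    return "deny", None


def swap_lines(acl: List[Ace], a: int, b: int) -> List[Ace]:
    """Copy of acl with the ACEs numbered a and b in each other's position
    (they keep their numbers so the result shows which rule fired)."""
    order = [ace.seq for ace in acl]
    ia, ib = order.index(a), order.index(b)
    out = list(acl)
    out[ia], out[ib] = out[ib], out[ia]
    return out


def without(acl: List[Ace], seq: int) -> List[Ace]:
    """Copy of acl with the ACE numbered seq removed."""
    return [ace for ace in acl if ace.seq != seq]


if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real network.
    web = pkt("tcp", "2001:db8::18:100", "2001:db8::237:1")
    other_tcp = pkt("tcp", "2001:db8::18:100", "2001:db8::1")
    udp = pkt("udp", "2001:db8::18:100", "2001:db8::1")
    blocked_host = pkt("icmpv6", "2001:db8::245:89", "2001:db8::1")
    stranger = pkt("udp", "2001:db8::99", "2001:db8::1")

    print("as listed:      ", evaluate(SAMPLE_LIST_2, web))        # permit by 30
    print("other TCP dest: ", evaluate(SAMPLE_LIST_2, other_tcp))  # deny by 40
    print("UDP same host:  ", evaluate(SAMPLE_LIST_2, udp))        # permit by 50
    print("denied host:    ", evaluate(SAMPLE_LIST_2, blocked_host))  # deny by 20
    print("30/40 swapped:  ", evaluate(swap_lines(SAMPLE_LIST_2, 30, 40), web))  # deny by 40
    print("no line 50:     ", evaluate(without(SAMPLE_LIST_2, 50), stranger))  # Implicit Deny
```

The last two lines of the run are the ones the section is about: with lines 30 and 40 exchanged, the TCP traffic to 2001:db8::237:1 that the author meant to allow is dropped by line 40 before line 30 is ever consulted, and with line 50 removed, any traffic not named by an explicit ACE falls through to the Implicit Deny, which the listing never shows.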

8-39
