HP 6200YL User Manual


IPv6 Access Control Lists (ACLs)
IPv6 ACL Operation

Implicit Deny. If a packet does not have a match with the criteria in any of
the ACEs in the ACL, the ACL denies (drops) the packet. If you need to
override the implicit deny so that a packet that does not have a match will be
permitted, then configure permit ipv6 any any as the last ACE in the ACL. This
directs the ACL to permit (forward) packets that do not have a match with
any earlier ACE listed in the ACL, and prevents these packets from being
filtered by the implicit deny ipv6 any any.

Example. Suppose the ACL in figure 8-3 is assigned to filter the IPv6 traffic
from an authenticated client on a given port in the switch:

For an inbound packet with a destination IP address of FE80::156:3, the ACL:

1. Compares the packet to the first ACE.

2. Since there is not a match with the first ACE, the ACL compares the
   packet to the second ACE, where there is also not a match.

3. The ACL compares the packet to the third ACE. There is an exact match,
   so the ACL denies (drops) the packet.

4. The packet is not compared to the fourth ACE.

The ACL shown in figure 8-3:

   10 permit ipv6 ::/0 fe80::136:24/128
   20 permit ipv6 ::/0 fe80::156:7/128
   30 deny ipv6 ::/0 fe80::156:3/128
   40 deny tcp ::/0 ::/0 eq 23
   50 permit ipv6 ::/0 ::/0
   (deny ipv6 ::/0 ::/0)

The last line demonstrates the "deny any any" ACE implicit in every IPv6
ACL. Inbound IPv6 traffic from an authenticated client that does not
have a match with any of the five explicit ACEs in this ACL will be
denied by the implicit "deny any any".

Figure 8-3. Example of Sequential Comparison

As shown above, the ACL tries to apply the first ACE in the list. If there is not
a match, it tries the second ACE, and so on. When a match is found, the ACL
invokes the configured action for that entry (permit or drop the packet) and
no further comparisons of the packet are made with the remaining ACEs in
the list. This means that when an ACE whose criteria matches a packet is
found, the action configured for that ACE is invoked, and any remaining ACEs
in the ACL are ignored. Because of this sequential processing, successfully
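To make the first-match behaviour concrete, the following Python is an added illustration and not HP's code or the switch's implementation. It parses the five explicit ACEs of figure 8-3, walks them in sequence number order, stops at the first match, and falls through to the implicit deny when nothing matches. The source address fe80::1 and the 2001:db8:: destinations are constructed test values; the matching semantics (a "tcp" ACE matches only TCP, an "ipv6" ACE matches any protocol, "eq" compares the destination port) are assumed from the text above.

```python
"""First-match IPv6 ACL evaluator mirroring figure 8-3 (added example, not HP's code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                      # IPv6 source address
    dst: str                      # IPv6 destination address
    proto: str                    # "tcp", "udp", "icmpv6", ...
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class ACE:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ipv6" matches any protocol (assumed, per the text)
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    dst_port: Optional[int] = None  # from "eq <port>"; None means any port

    def matches(self, pkt: Packet) -> bool:
        """Return True only if every configured criterion matches the packet."""
        if self.proto != "ipv6" and self.proto != pkt.proto:
            return False
        if ipaddress.IPv6Address(pkt.src) not in self.src:
            return False
        if ipaddress.IPv6Address(pkt.dst) not in self.dst:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def parse_ace(line: str) -> ACE:
    """Parse 'seq action proto src dst [eq port]' as written in figure 8-3."""
    tokens = line.split()
    seq, action, proto, src, dst = tokens[:5]
    port = int(tokens[6]) if len(tokens) >= 7 and tokens[5] == "eq" else None
    return ACE(int(seq), action, proto,
               ipaddress.IPv6Network(src, strict=False),
               ipaddress.IPv6Network(dst, strict=False), port)


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int], List[int]]:
    """Sequential comparison: return (action, matching seq, seqs examined).

    The ACEs are tried in sequence-number order; the first match decides and
    later ACEs are never examined. No match at all hits the implicit
    'deny ipv6 any any', reported here with seq None.
    """
    examined: List[int] = []
    for ace in sorted(acl, key=lambda a: a.seq):
        examined.append(ace.seq)
        if ace.matches(pkt):
            return ace.action, ace.seq, examined
    return "deny", None, examined


# The five explicit ACEs from figure 8-3.
FIGURE_8_3 = [parse_ace(line) for line in """
10 permit ipv6 ::/0 fe80::136:24/128
20 permit ipv6 ::/0 fe80::156:7/128
30 deny ipv6 ::/0 fe80::156:3/128
40 deny tcp ::/0 ::/0 eq 23
50 permit ipv6 ::/0 ::/0
""".strip().splitlines()]

# Same ACL without ACE 50, so unmatched traffic reaches the implicit deny.
WITHOUT_PERMIT_ANY = [ace for ace in FIGURE_8_3 if ace.seq != 50]


if __name__ == "__main__":
    client = "fe80::1"  # constructed source for the "authenticated client"
    for pkt in (Packet(client, "FE80::156:3", "tcp", 80),      # the worked example
                Packet(client, "fe80::136:24", "udp", 53),
                Packet(client, "fe80::156:7", "tcp", 23),      # ACE 20 wins over ACE 40
                Packet(client, "2001:db8::1", "tcp", 23),      # constructed destination
                Packet(client, "2001:db8::1", "tcp", 443)):
        print(pkt.dst, pkt.proto, pkt.dst_port, "->", evaluate(FIGURE_8_3, pkt))
    print("no permit-any:", evaluate(WITHOUT_PERMIT_ANY, Packet(client, "2001:db8::1", "tcp", 443)))
```

The third packet is worth noting when reading ACLs of this shape: telnet to fe80::156:7 is permitted by ACE 20 before ACE 40 is ever consulted, so the order of the entries, not just their presence, determines what the "deny tcp ... eq 23" line actually blocks.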
