HP 6200YL User Manual


IPv6 Access Control Lists (ACLs)
IPv6 ACL Operation

1. Permit inbound IPv6 traffic from 2001:db8:0:fb::11:42.

2. Deny only the inbound Telnet traffic from 2001:db8:0:fb::11:101.

3. Permit inbound IPv6 traffic from 2001:db8:0:fb::11:101.

4. Permit only inbound Telnet traffic from 2001:db8:0:fb::11:33.

5. Deny any other inbound IPv6 traffic.

The following ACL, when assigned to filter inbound traffic on VLAN 100,
supports the above case:

   ipv6 access-list "Test-02"
      10 permit ipv6 2001:db8:0:fb::11:42/128 ::/0
      20 deny tcp 2001:db8:0:fb::11:101/128 eq 23 ::/0
      30 permit ipv6 2001:db8:0:fb::11:101/128 ::/0
      40 permit tcp 2001:db8:0:fb::11:33/128 ::/0 eq 23
      < Implicit Deny Any Any >

1. Permits IPv6 traffic from 2001:db8:0:fb::11:42. Packets matching
   this criterion are permitted and will not be compared to any later
   ACE in the list. Packets not matching this criterion will be
   compared to the next entry in the list.

2. Denies IPv6 Telnet traffic from 2001:db8:0:fb::11:101. Packets
   matching this criterion are dropped and are not compared to
   later criteria in the list. Packets not matching this criterion are
   compared to the next entry in the list.

3. Permits IPv6 traffic from 2001:db8:0:fb::11:101. Packets
   matching this criterion will be permitted and will not be
   compared to any later criteria in the list. Because this entry
   comes after the entry blocking Telnet traffic from this same
   address, there will not be any Telnet packets to compare with
   this entry; they have already been dropped as a result of
   matching the preceding entry.

4. Permits IPv6 Telnet traffic from 2001:db8:0:fb::11:33. Packets
   matching this criterion are permitted and are not compared to
   any later criteria in the list. Packets not matching this criterion
   are compared to the next entry in the list.

5. This entry does not appear in an actual ACL, but is implicit as
   the last entry in every IPv6 ACL. Any IPv6 packets that do not
   match any of the criteria in the preceding ACL entries will be
   denied (dropped) from the VLAN.

Figure 8-5. Example of How an ACL Filters Packets

To assign the above ACL, you would use this command:

ProCurve(config)# vlan 100 ipv6 access-group Test-02 vlan

It is important to remember that ACLs configurable on the switch include an
implicit deny ipv6 any any. That is, IPv6 packets that the ACL does not
explicitly permit or deny will be implicitly denied, and therefore dropped
instead of forwarded on the interface. If you want to preempt the implicit
deny so that packets not explicitly denied by other ACEs in the ACL will be
permitted,
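The first-match evaluation that Figure 8-5 walks through, and the implicit deny that ends every IPv6 ACL, can be exercised with the following Python simulator. It is an added example, not code from the HP manual or from the switch firmware. It parses only the ACE forms that appear in Test-02 (ipv6 or tcp, prefix-length source and destination, an optional "eq <port>" after either address), and it assumes that an "eq" following the source address is a source-port match while one following the destination address is a destination-port match, the position ACE 40 uses for its destination port. The packets and the destination address 2001:db8::1 are constructed for the example. With that positional reading, check which packets ACE 20 actually catches before relying on it to block Telnet from ::101; the simulator makes the difference visible.

```python
"""First-match simulator for a ProCurve-style IPv6 ACL (added example)."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Tuple

# ACL body exactly as printed in Figure 8-5 of the manual.
TEST_02 = [
    "10 permit ipv6 2001:db8:0:fb::11:42/128 ::/0",
    "20 deny tcp 2001:db8:0:fb::11:101/128 eq 23 ::/0",
    "30 permit ipv6 2001:db8:0:fb::11:101/128 ::/0",
    "40 permit tcp 2001:db8:0:fb::11:33/128 ::/0 eq 23",
]


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str             # "permit" or "deny"
    proto: str              # "ipv6" matches any protocol; else "tcp", "udp", ...
    src: IPv6Network
    sport: Optional[int]    # "eq" after the source address (assumed: source port)
    dst: IPv6Network
    dport: Optional[int]    # "eq" after the destination address (destination port)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


def parse_ace(line: str) -> Ace:
    """Parse one ACE line of the form: <seq> <action> <proto> <src> [eq p] <dst> [eq p]."""
    tok = line.split()
    seq, action, proto = int(tok[0]), tok[1], tok[2]
    i = 3
    src = IPv6Network(tok[i])
    i += 1
    sport = None
    if i < len(tok) and tok[i] == "eq":
        sport = int(tok[i + 1])
        i += 2
    dst = IPv6Network(tok[i])
    i += 1
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = int(tok[i + 1])
        i += 2
    return Ace(seq, action, proto, src, sport, dst, dport)


def parse_acl(lines: List[str]) -> List[Ace]:
    """ACEs are evaluated in ascending sequence-number order."""
    return sorted((parse_ace(l) for l in lines), key=lambda a: a.seq)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ipv6" and ace.proto != pkt.proto:
        return False
    if IPv6Address(pkt.src) not in ace.src or IPv6Address(pkt.dst) not in ace.dst:
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching ACE.

    (\"deny\", None) means no ACE matched and the implicit deny ipv6 any any
    that terminates every IPv6 ACL dropped the packet.
    """
    for ace in acl:
        if matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(TEST_02)
    # Constructed sample packets; 2001:db8::1 stands in for any destination.
    samples = [
        Packet("2001:db8:0:fb::11:42", "2001:db8::1", "udp", 5000, 53),
        Packet("2001:db8:0:fb::11:101", "2001:db8::1", "tcp", 23, 40000),
        Packet("2001:db8:0:fb::11:101", "2001:db8::1", "tcp", 40000, 23),
        Packet("2001:db8:0:fb::11:33", "2001:db8::1", "tcp", 40000, 23),
        Packet("2001:db8:0:fb::11:33", "2001:db8::1", "tcp", 40000, 80),
        Packet("2001:db8:0:fb::11:99", "2001:db8::1", "tcp", 40000, 23),
    ]
    for p in samples:
        action, seq = evaluate(acl, p)
        where = f"ACE {seq}" if seq is not None else "implicit deny"
        print(f"{p.src} {p.proto} {p.sport}->{p.dport}: {action} ({where})")
```

Appending a final "permit ipv6 ::/0 ::/0" ACE to the list makes the simulator reach an explicit permit instead of the implicit deny for otherwise unmatched packets, which is the effect of preempting the implicit deny.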

8-26
