General steps for planning and configuring acls – HP 6200YL User Manual


IPv6 Access Control Lists (ACLs)

Overview

In any ACL, you can apply an ACL log function to ACEs that have an explicit “deny” action. (The logging occurs when there is a match on a “deny” ACE that includes the log keyword.) The switch sends ACL logging output to Syslog, if configured, and optionally, to a console session.

You can create ACLs for the switch configuration using either the CLI or a text
editor. The text-editor method is recommended when you plan to create or
modify an ACL that has more entries than you can easily enter or edit using
the CLI alone. Refer to “Creating or Editing ACLs Offline” on page 8-84.

General Steps for Planning and Configuring ACLs

1. Identify the ACL action to apply. As part of this step, determine the best points at which to apply specific ACL controls. For example, you can improve network performance by filtering unwanted IPv6 traffic at the edge of the network instead of in the core. Also, on the switch itself, you can improve performance by filtering unwanted IPv6 traffic where it is inbound to the switch instead of outbound.

Traffic Source                                        ACL Application
IPv6 traffic from a specific, authenticated client    RADIUS-assigned ACL for inbound IPv6 traffic from an authenticated client on a port*
IPv6 traffic entering the switch on a specific port   Static port ACL (static-port assigned) for inbound IPv6 traffic on a port from any source
IPv6 traffic entering the switch on a specific VLAN   VACL (VLAN ACL)

*For more on this option, refer to the chapter titled “Configuring RADIUS Server Support
for Switch Services” in the latest version of the Access Security Guide for your switch.
Refer also to the documentation for your RADIUS server.

2. Identify the IPv6 traffic types to filter:

   - The SA and/or the DA of IPv6 traffic you want to permit or deny. This can be a single host, a group of hosts, a subnet, or all hosts.
   - IPv6 traffic of a specific protocol type (0-255).
   - TCP traffic (only) for a specific TCP port or range of ports, including optional control of connection traffic based on whether the initial request should be allowed.
   - UDP traffic (only) or UDP traffic for a specific UDP port.
   - ICMP traffic (only) or ICMP traffic of a specific type and code.
   - Any of the above with specific DSCP settings.
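The following Python model is an added example, not code from HP or from this manual. It ties together the two points above: the match criteria a planner has to decide on in step 2 (SA/DA prefixes, protocol number, TCP/UDP port range, TCP connection-request handling, ICMPv6 type and code, DSCP) and the overview's rule that logging happens only when a packet hits an explicit deny ACE that carries the log keyword. The ACE fields, the sample ACL and the sample packets are constructed for illustration; first-match evaluation and the unlogged implicit deny-any at the end of the list are the standard ACL behaviour assumed here, and the `established` flag is this example's way of modelling "whether the initial request should be allowed".

```python
"""Model of first-match IPv6 ACL evaluation with deny-logging (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA protocol numbers used by the constructed sample ACL below.
TCP, UDP, ICMPV6 = 6, 17, 58


@dataclass
class Packet:
    """Just enough of an IPv6 packet for ACL matching (constructed input)."""
    src: str
    dst: str
    proto: int                      # IPv6 next-header value, 0-255
    dport: int = 0                  # TCP/UDP destination port
    syn_only: bool = False          # TCP initial connection request
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    dscp: int = 0                   # 6-bit DSCP from the traffic-class field


@dataclass
class Ace:
    """One access control entry; the first ACE that matches decides the action."""
    seq: int
    action: str                                  # "permit" or "deny"
    src: str                                     # IPv6 prefix; "::/0" = any host
    dst: str
    proto: Optional[int] = None                  # None matches every protocol
    ports: Optional[Tuple[int, int]] = None      # inclusive dest-port range (TCP/UDP)
    established: bool = False                    # TCP: do not match the initial SYN
    icmp: Optional[Tuple[int, Optional[int]]] = None  # (type, code or None = any)
    dscp: Optional[int] = None
    log: bool = False                            # the ACE's "log" keyword

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.ports is not None and not (self.ports[0] <= p.dport <= self.ports[1]):
            return False
        if self.established and p.syn_only:
            return False
        if self.icmp is not None:
            t, c = self.icmp
            if p.icmp_type != t or (c is not None and p.icmp_code != c):
                return False
        if self.dscp is not None and p.dscp != self.dscp:
            return False
        return True


def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, log_line).

    A log line is produced only when the matching ACE is an explicit deny that
    carries the log keyword. Packets matching no ACE fall through to the
    implicit deny-any (assumed standard behaviour), which is never logged.
    """
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.matches(p):
            line = None
            if ace.action == "deny" and ace.log:
                line = (f"ACL deny: seq {ace.seq} proto {p.proto} "
                        f"{p.src} -> {p.dst} dport {p.dport}")
            return ace.action, line
    return "deny", None


# Constructed sample ACL covering each traffic type listed in step 2.
SAMPLE_ACL = [
    # TCP replies to the management host are fine, new connections to it are not.
    Ace(10, "permit", "::/0", "2001:db8:1::10/128", proto=TCP, established=True),
    # Block and log Telnet (TCP 23) attempts from the guest prefix.
    Ace(20, "deny", "2001:db8:99::/64", "::/0", proto=TCP, ports=(23, 23), log=True),
    # Permit DNS over UDP.
    Ace(30, "permit", "::/0", "::/0", proto=UDP, ports=(53, 53)),
    # Permit ICMPv6 echo request (type 128, any code); deny and log other ICMPv6.
    Ace(40, "permit", "::/0", "::/0", proto=ICMPV6, icmp=(128, None)),
    Ace(50, "deny", "::/0", "::/0", proto=ICMPV6, log=True),
    # Permit EF-marked traffic (DSCP 46) of any protocol.
    Ace(60, "permit", "::/0", "::/0", dscp=46),
]

if __name__ == "__main__":
    telnet_syn = Packet("2001:db8:99::7", "2001:db8:1::10", TCP, dport=23, syn_only=True)
    print(evaluate(SAMPLE_ACL, telnet_syn))     # ('deny', 'ACL deny: seq 20 ...')
    nd = Packet("fe80::1", "ff02::1", ICMPV6, icmp_type=135, icmp_code=0)
    print(evaluate(SAMPLE_ACL, nd))             # ('deny', 'ACL deny: seq 50 ...')
    print(evaluate(SAMPLE_ACL, Packet("2001:db8:2::1", "2001:db8:3::1", 47)))  # implicit deny
```

Note the ordering consequence: ACE 10 sits ahead of ACE 20, so an established TCP flow to the management host is permitted before the Telnet deny is ever consulted, while a fresh SYN skips ACE 10 and is caught and logged by ACE 20. When planning an ACL, walk each traffic type from step 2 through the list in sequence order like this, and remember that traffic reaching the implicit deny leaves no log entry at all.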

8-21
