Guidelines for Planning the Structure of an ACL – HP 6200YL User Manual


IPv6 Access Control Lists (ACLs)

Planning an ACL Application

blocking access to sensitive data storage or restricted equipment

preventing specific TCP, UDP, and ICMP traffic types, including unauthorized access using functions such as Telnet, SSH, and web browser

You can also enhance switch management security by using ACLs to block
IPv6 traffic that has the switch itself as the destination address (DA).

Caution

ACLs can enhance network security by denying selected IPv6 traffic, and can
serve as one aspect of maintaining network security. However, because ACLs
do not provide user or device authentication, or protection from malicious
manipulation of data carried in IPv6 packet transmissions, they should not
be relied upon for a complete security solution.

Note

ACLs in the switches covered by this guide do not filter non-IPv6 traffic such
as IPv4, AppleTalk, and IPX packets.

Guidelines for Planning the Structure of an ACL

After determining the ACL application (VACL or static port ACL) to use at a
particular point in your network, determine the order in which to apply
individual ACEs to filter IPv6 traffic. (For information on ACL applications,
refer to “IPv6 ACL Applications” on page 8-13.)

The sequence of ACEs is significant. When the switch uses an ACL to
determine whether to permit or deny a packet on a particular VLAN,
it compares the packet to the criteria specified in the individual
Access Control Entries (ACEs) in the ACL, beginning with the first
ACE in the list and proceeding sequentially until a match is found.
When a match is found, the switch applies the indicated action (permit
or deny) to the packet.

The first match in an ACL dictates the action on a packet. Subsequent
matches in the same ACL are ignored. However, if a packet is
permitted by one ACL assigned to an interface, but denied by another
ACL assigned to the same interface, the packet will be denied on the
interface.
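The following Python model is an added illustration, not part of the manual, of the two rules above: first match in an ACL decides and later ACEs are ignored, and a packet denied by any one ACL on an interface is denied. The Ace/evaluate names, the constructed packet and prefixes, and the implicit deny at the end of the list are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of ACE evaluation as this manual describes it; the class
# and function names are this example's own, not switch CLI syntax.

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ipv6" = any IPv6 packet; else "tcp", "udp", "icmp"
    src: str                        # IPv6 prefix, e.g. "2001:db8:1::/64" ("::/0" = any)
    dst: str
    dst_port: Optional[int] = None  # TCP/UDP destination port; None = any

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ipv6" and pkt["protocol"] != self.protocol:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        return self.dst_port is None or pkt.get("dst_port") == self.dst_port


def evaluate_acl(acl: list, pkt: dict) -> str:
    """Compare ACEs in order; the first match decides, later matches are ignored.
    Assumes an implicit deny when no ACE matches (not stated on this page)."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def evaluate_interface(acls: list, pkt: dict) -> str:
    """Several ACLs on one interface: a deny from any one of them wins."""
    return "permit" if all(evaluate_acl(a, pkt) == "permit" for a in acls) else "deny"


# Constructed sample: a Telnet (TCP/23) packet from a user subnet to a switch address.
TELNET_PKT = {"protocol": "tcp", "src": "2001:db8:1::10",
              "dst": "2001:db8:ffff::1", "dst_port": 23}

# Same two ACEs in two orders: the broad permit placed first shadows the Telnet deny.
SHADOWED = [Ace("permit", "ipv6", "2001:db8:1::/64", "::/0"),
            Ace("deny", "tcp", "::/0", "2001:db8:ffff::1/128", 23)]
CORRECT = [SHADOWED[1], SHADOWED[0]]

if __name__ == "__main__":
    print(evaluate_acl(SHADOWED, TELNET_PKT))                   # permit (deny never reached)
    print(evaluate_acl(CORRECT, TELNET_PKT))                    # deny
    print(evaluate_interface([SHADOWED, CORRECT], TELNET_PKT))  # deny
```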

8-29
