ACL Configuration and Operating Rules (page 8-30) – HP 6200YL User Manual


IPv6 Access Control Lists (ACLs)
Planning an ACL Application

On any ACL, the switch implicitly denies IPv6 packets that are not
explicitly permitted or denied by the ACEs configured in the ACL. If
you want the switch to forward a packet for which there is not a match
in an ACL, append an ACE that enables Permit Any forwarding as the
last ACE in an ACL. This ensures that no packets reach the Implicit
Deny case for that ACL.

Generally, you should list ACEs from the most specific (individual
hosts) to the most general (subnets or groups of subnets) unless doing
so permits IPv6 traffic that you want dropped. For example, an ACE
allowing a series of workstations to use a specialized printer should
occur earlier in an ACL than an entry used to block widespread access
to the same printer.

ACL Configuration and Operating Rules

VACLs: A VACL filters IPv6 traffic entering the switch on the VLAN(s) to which it is assigned.

Static Port ACLs: A static port ACL filters IPv6 traffic entering the switch on the port(s) or trunk(s) to which it is assigned.

Per Switch ACL Limits for All ACL Types: At a minimum, an ACL must have one explicit “permit” or “deny” Access Control Entry. You can configure up to 2048 ACLs (IPv4 and IPv6 combined). The total number of ACEs in all ACLs depends on the combined resource usage by ACLs and other features. (For more on this topic, refer to “Monitoring Shared Resources” on page 8-103.)

Implicit Deny: In any static ACL, the switch automatically applies an implicit deny ipv6 any any that does not appear in show listings. This means that the ACL denies any packet it encounters that does not match an entry in the ACL. Thus, if you want an ACL to permit any IPv6 packets that you have not expressly denied, you must enter a permit ipv6 any any as the last ACE in the ACL.

Because, for a given packet, the switch sequentially applies the ACEs in an ACL until it finds a match, any packet that reaches a permit ipv6 any any entry will be permitted, and will not encounter the implicit “Deny” ACE the switch automatically includes at the end of the ACL. For an example, refer to figure 8-9 on page 8-38. For implicit deny operation in RADIUS-assigned (dynamic) ACLs, refer to the chapter titled “Configuring RADIUS Server Support for Switch Services” in the latest Access Security Guide for your Switch.
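The following Python script is an added illustration of the two rules above (first-match evaluation with an implicit deny ipv6 any any at the end, and ordering specific ACEs before general ones). It is not HP code and does not reproduce the switch's full ACE grammar: it understands only the constructed form "permit|deny ipv6 <src> <dst>" where each side is "any" or an IPv6 prefix, and the addresses in it are made-up documentation-range values. It also adds a small shadowing check, which is not a feature described on this page, to show how a misordered general ACE silently hides a more specific one placed after it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.IPv6Network("::/0")


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv6Network    # "any" is stored as ::/0
    dst: ipaddress.IPv6Network


def parse_ace(line: str) -> Ace:
    """Parse the constructed subset 'permit|deny ipv6 <src> <dst>'.

    Assumption: this toy grammar is far narrower than the switch's real
    ACE syntax; it exists only to demonstrate the matching rules.
    """
    parts = line.split()
    if len(parts) != 4 or parts[0] not in ("permit", "deny") or parts[1] != "ipv6":
        raise ValueError(f"unsupported ACE in this example: {line!r}")

    def net(tok: str) -> ipaddress.IPv6Network:
        return ANY if tok == "any" else ipaddress.IPv6Network(tok, strict=False)

    return Ace(parts[0], net(parts[2]), net(parts[3]))


def evaluate(acl: List[str], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Apply ACEs in order; the first match decides.

    Returns (action, index of the matching ACE). A packet that matches no
    ACE falls through to the implicit deny, reported with index None, just
    as the switch's hidden 'deny ipv6 any any' never shows up in listings.
    """
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for i, line in enumerate(acl):
        ace = parse_ace(line)
        if s in ace.src and d in ace.dst:
            return ace.action, i
    return "deny", None


def shadowed_aces(acl: List[str]) -> List[int]:
    """Indexes of ACEs that can never match because an earlier ACE covers
    every packet they describe (both its source and destination are
    subnets of the earlier ACE's). This is an added check, not a switch
    feature: a shadowed ACE is the usual symptom of listing a general
    entry before a specific one."""
    aces = [parse_ace(line) for line in acl]
    result = []
    for j, later in enumerate(aces):
        for earlier in aces[:j]:
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                result.append(j)
                break
    return result


# Constructed sample: workstations in 2001:db8:1::/64 may reach the
# printer 2001:db8:9::20; everyone else is blocked from it; all other
# traffic is allowed by an explicit permit-any as the last ACE.
PRINTER = "2001:db8:9::20/128"
PRINTER_ACL = [
    f"permit ipv6 2001:db8:1::/64 {PRINTER}",   # specific first
    f"deny ipv6 any {PRINTER}",                  # general block after it
    "permit ipv6 any any",                       # avoid the implicit deny
]

# Same intent, but the general deny is listed first and hides the permit.
REVERSED_ACL = [
    f"deny ipv6 any {PRINTER}",
    f"permit ipv6 2001:db8:1::/64 {PRINTER}",
    "permit ipv6 any any",
]

# ACL with a single explicit deny and no trailing permit-any: every packet
# that does not match it is dropped by the implicit deny.
DENY_ONLY_ACL = ["deny ipv6 2001:db8:1::/64 2001:db8:2::/64"]

if __name__ == "__main__":
    print(evaluate(PRINTER_ACL, "2001:db8:1::10", "2001:db8:9::20"))
    print(evaluate(REVERSED_ACL, "2001:db8:1::10", "2001:db8:9::20"))
    print(evaluate(DENY_ONLY_ACL, "2001:db8:3::1", "2001:db8:2::1"))
    print("shadowed in REVERSED_ACL:", shadowed_aces(REVERSED_ACL))
```

Running it shows the workstation reaching the printer under PRINTER_ACL, the same packet being dropped by the first ACE of REVERSED_ACL (whose second ACE is reported as shadowed), and unrelated traffic under DENY_ONLY_ACL falling through to the implicit deny with no ACE index, which is what a show listing would also fail to reveal.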

8-30
