HP 6200YL User Manual

Page 230


IPv6 Access Control Lists (ACLs)
Configuration Commands

[established] This option applies only where TCP is the configured IPv6 protocol type. It blocks the synchronizing packet associated with establishing a new TCP connection while allowing all other IPv6 traffic for existing connections. For example, a Telnet connection requires TCP traffic to move both ways between a host and the target device. Simply applying a deny to inbound Telnet traffic on a VLAN would prevent Telnet sessions in either direction because responses to outbound requests would be blocked. However, by using the established option, inbound Telnet traffic arriving in response to outbound Telnet requests would be permitted, but inbound Telnet traffic trying to establish a new connection would be denied. The established and dscp options are mutually exclusive in a given ACE. Configuring established and any combination of TCP control bits in the same ACE is supported, but established must precede any TCP control bits configured in the ACE.

TCP Control Bits. In a given ACE for filtering TCP traffic
you can configure one or more of these options:

[ ack ] — Acknowledgement.

[ fin ] — Sender finished.

[ rst ] — Connection reset.

[ syn ] — TCP control bit: sequence number synchronize.

For more on using TCP control bits, refer to RFC 793.
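As an added illustration (not code from the HP manual), the following Python model evaluates an inbound ACL using the established option and TCP control bits described above against constructed segments, contrasting the naive "deny Telnet" ACL with one that uses established. It assumes first-match evaluation with an implicit deny, that established is satisfied by a segment carrying ACK or RST (so the bare SYN of a new connection never matches), and that Telnet is identified solely by TCP port 23.

```python
from dataclasses import dataclass
from typing import List, Optional

TELNET = 23

@dataclass(frozen=True)
class Segment:
    src_port: int
    dst_port: int
    flags: frozenset  # subset of {"syn", "ack", "fin", "rst"}

@dataclass(frozen=True)
class ACE:
    action: str                     # "permit" or "deny"
    src_port: Optional[int] = None  # None matches any port
    dst_port: Optional[int] = None
    established: bool = False
    control_bits: frozenset = frozenset()  # TCP bits that must also be set

def matches(ace: ACE, seg: Segment) -> bool:
    if ace.src_port is not None and ace.src_port != seg.src_port:
        return False
    if ace.dst_port is not None and ace.dst_port != seg.dst_port:
        return False
    # `established` (assumed semantics): the segment must carry ACK or RST,
    # so the bare SYN that opens a new connection never matches this ACE.
    if ace.established and not (seg.flags & {"ack", "rst"}):
        return False
    return ace.control_bits <= seg.flags

def evaluate(acl: List[ACE], seg: Segment) -> str:
    """First matching ACE wins; an unmatched segment hits the implicit deny."""
    for ace in acl:
        if matches(ace, seg):
            return ace.action
    return "deny"

# Naive inbound ACL: Telnet denied on either port, so replies to sessions opened here die too.
NAIVE_INBOUND = [ACE("deny", src_port=TELNET), ACE("deny", dst_port=TELNET), ACE("permit")]

# With `established`: replies to outbound Telnet pass; a new inbound SYN to Telnet is denied.
ESTABLISHED_INBOUND = [
    ACE("permit", src_port=TELNET, established=True),
    ACE("deny", src_port=TELNET),
    ACE("deny", dst_port=TELNET),
    ACE("permit"),
]

# Constructed sample segments arriving inbound on the VLAN.
REPLY_TO_OUTBOUND = Segment(TELNET, 50000, frozenset({"syn", "ack"}))
NEW_INBOUND_TELNET = Segment(50001, TELNET, frozenset({"syn"}))
```

Because established only requires ACK or RST, a spoofed segment with source port 23 and only SYN set still falls through to the deny, while ordinary TCP to other ports is permitted by both ACLs.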

Options for Filtering ICMP Traffic. This option allows configuring an ACE to selectively permit some types of ICMP traffic while denying other types. An ACE designed to permit or deny ICMP traffic can optionally include an ICMP type and code value to permit or deny an individual type of ICMP packet while not addressing other ICMP traffic types in the same ACE. As a further option, the ACE can include the name of an ICMP packet type. (For a

8-54
