Acl Configuration Factors; The Sequence Of Entries In An Acl Is Significant - HP 2530 Manual Supplement

Table 14 Displayed ACL configuration example explanation (continued)

Line  Action
50    Denies UDP port 69 (TFTP) traffic sent from the host at 2001:db8:0:150::44 to the host at
      2001:db8:0:120::19 with a destination port number in the range of 3680 to 3690, and causes a
      log message to be generated when a match occurs.
60    Denies UDP traffic from any source to the host at 2001:db8:0:150::121, and causes a log message
      to be generated when a match occurs.
70    Permits all IPv6 traffic with an SA prefix of 2001:db8:0:01/56 that is not already permitted or denied
      by the preceding ACEs in the ACL.

NOTE: An implicit deny ipv6 any any is automatically applied following the last line (70, in this case),
denying all IPv6 traffic not already permitted or denied by the ACEs in lines 10 through 70.

ACL configuration factors

The sequence of entries in an ACL is significant

When the switch uses an ACL to determine whether to permit or deny a packet, it compares the
packet to the criteria specified in the individual ACEs in the ACL, beginning with the first ACE in
the list and proceeding sequentially until a match is found. When a match is found, the switch
applies the indicated action (permit or deny) to the packet. Once a match is found for a packet,
subsequent ACEs in the same ACL are not applied to that packet, whether or not they match the
packet.
Example 27 ACE that permits all IPv6 traffic not implicitly denied

    ipv6 access-list "Sample-List-2"
       10 deny ipv6 2001:db8::235:10
       20 deny ipv6 2001:db8::245:89/128 ::/0
       30 permit tcp 2001:db8::18:100/128 2001:db8::237:1/128
       40 deny tcp 2001:db8::18:100/128 ::/0
       50 permit ipv6 ::/0 ::/0
       (Implicit deny ipv6 any any)
       exit

Callouts (shown on line 20 and on the last two lines of the list):
1 Source address (2001:db8::245:89)
2 Prefix length (/128)
3 Destination address and prefix length (::/0, which specifies any IPv6 destination)
4 The implicit deny ipv6 any any that always follows the last explicit ACE. In this case it is never reached, because
5 the last explicit ACE (line 50, permit ipv6 ::/0 ::/0) permits all IPv6 packets that earlier ACEs have not
  already permitted or denied.
Table 15 Effect of the above ACL on inbound IPv6 traffic in the assigned VLAN

Line #  Action
n/a     Shows IP type (IPv6) and ID (Sample-List-2).
10      A packet from source address 2001:db8::235:10 will be denied (dropped). This ACE filters out all packets
        received from 2001:db8::235:10. Thus, IPv6 traffic from that device is not allowed, and packets from that
        device are not compared against any later entries in the list.
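The first-match rule described above is easy to get wrong when ACEs are inserted or renumbered, because the outcome for a given packet depends only on the first ACE that matches it. The following Python simulator is an added example and not part of the HP manual or the switch firmware; it parses the Sample-List-2 lines from Example 27 (constructed here as an inline string), walks them in sequence-number order, and reports which ACE decided a packet. It assumes a bare address with no prefix length is a /128 host and that a missing destination means ::/0, which is how line 10 of the page's example is read here; `renumber` is a helper introduced only for this illustration, used to swap lines 30 and 40 and show that the same TCP packet flips from permit to deny.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed sample input: the ACEs of Sample-List-2 as they appear on the
# page, one per line, in the switch's "seq action proto src [dst]" order.
SAMPLE_LIST_2 = """
10 deny ipv6 2001:db8::235:10
20 deny ipv6 2001:db8::245:89/128 ::/0
30 permit tcp 2001:db8::18:100/128 2001:db8::237:1/128
40 deny tcp 2001:db8::18:100/128 ::/0
50 permit ipv6 ::/0 ::/0
"""

ANY = ipaddress.IPv6Network("::/0")


@dataclass(frozen=True)
class ACE:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ipv6" matches any protocol; else "tcp"/"udp"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network


def _net(token):
    # Assumption: a bare address with no prefix length is a /128 host
    # (line 10 of the page's example omits it).
    if "/" not in token:
        token += "/128"
    return ipaddress.IPv6Network(token, strict=False)


def parse_acl(text):
    """Parse the simplified ACE lines into a list ordered by sequence number."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        seq, action, proto = int(parts[0]), parts[1].lower(), parts[2].lower()
        src = _net(parts[3])
        # Assumption: a missing destination means any destination (::/0).
        dst = _net(parts[4]) if len(parts) > 4 else ANY
        aces.append(ACE(seq, action, proto, src, dst))
    return sorted(aces, key=lambda a: a.seq)


def evaluate(aces, src, dst, proto):
    """First-match evaluation. Returns (seq, action); seq is None when no
    explicit ACE matched and the implicit 'deny ipv6 any any' applied."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for ace in aces:                      # lowest sequence number first
        if ace.proto != "ipv6" and ace.proto != proto:
            continue
        if s in ace.src and d in ace.dst:
            return ace.seq, ace.action    # later ACEs are never consulted
    return None, "deny"


def renumber(aces, mapping):
    """Hypothetical helper: copy the ACL with sequence numbers remapped
    (e.g. to swap two ACEs) and re-sort so evaluation follows the new order."""
    out = [replace(a, seq=mapping.get(a.seq, a.seq)) for a in aces]
    return sorted(out, key=lambda a: a.seq)


ACL = parse_acl(SAMPLE_LIST_2)
SWAPPED = renumber(ACL, {30: 40, 40: 30})        # the deny now precedes the permit
NO_CATCH_ALL = [a for a in ACL if a.seq != 50]   # without line 50 the implicit deny shows

if __name__ == "__main__":
    pkt = ("2001:db8::18:100", "2001:db8::237:1", "tcp")
    print("original:", evaluate(ACL, *pkt))        # (30, 'permit')
    print("swapped: ", evaluate(SWAPPED, *pkt))    # (30, 'deny')
    print("no line 50:", evaluate(NO_CATCH_ALL, "2001:db8::1", "2001:db8::2", "udp"))  # (None, 'deny')
```

The interesting cases are the TCP packets from 2001:db8::18:100: with the list as written, traffic to 2001:db8::237:1 is permitted by line 30 and everything else from that host is denied by line 40; after the swap, line 40's broad deny is evaluated first and the packet to 237:1 never reaches the permit. Removing line 50 shows the implicit deny taking effect for traffic no explicit ACE matches.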
Configuring and assigning an ACL
