HP E3800 Series, Руководство по обеспечению безопасности доступа

Страница: 503 / 732

10-123
IPv4 Access Control Lists (ACLs)
Enable ACL “Deny” Logging
Using the topology in figure 10-51, a workstation at FE80::20:117 on port B2
attempting to ping and Telnet to the workstation at FE80::20:2 is filtered
through the PACL instance of the “V6-01” ACL assigned to port 2, resulting in
the following:
Figure 10-52. Ping and Telnet from FE80::20:117 to FE80::20:2 Filtered by the
Assignment of “V6-01” as a PACL on Port B2
Figure 10-53. Resulting ACE Hits on ACL “V6-01”
N o t e
IPv4 ACE counters assigned as RACLs operate differently than described
above. For more information, refer to the following section.
IPv4 Counter Operation with Multiple Interface Assignments
Where the same IPv4 ACL is assigned to multiple interfaces as a VLAN ACL
(VACL) or port ACL (PACL), the switch maintains a separate instance of ACE
counters for each interface assignment. Thus, when there is a match with
traffic on one of the ACL’s VACL- or PACL -assigned interfaces, only the ACE
counter in the affected instance of the ACL is incremented. However, if an ACL
HP Switch# ping6 fe80::20:2%vlan20
fe80:0000:0000:0000:0000:0000:0020:0002 is alive, time = 5 ms
HP Switch# telnet fe80::20:2%vlan20
Telnet failed: Connection timed out.
HP Switch#
HP Switch# show statistics aclv6 IP-01 port 2
Hit Counts for ACL IPV6-ACL
Total
( 1) 10 permit icmp fe80::20:3/128 fe80::20:2/128 128
( 5) 20 deny tcp ::/0 fe80::20:2/128 eq 23 log
( 4) 30 permit ipv6 ::/0 ::/0
HP Switch(config)#
Indicates denied attempts to Telnet to FE80::20:2 via the instance of the “V6-
01” PACL assignment on port 2.
Shows the succesful ping permitted by ACE 10.
Indicates permitted attempts to reach any accessible destination via the
instance of the “V6-01” PACL assignment on port 2.