HP 2530 Manual Supplement page 43

Table 10 Nas-Filter-Rule Attribute Options (continued)
Service
IPv4-only ACLs applied to client traffic inbound to the switch
Assigns a RADIUS-configured IPv4 ACL to filter inbound IPv4 packets received from a specific client authenticated on a switch port.
Control method and operating notes
VSA: 63 (string=HP-Nas-Rules-IPv6)
IPv6 and IPv4 ACLs: integer = 1
Using this option causes the ACL to filter both IPv4 and IPv6 traffic.
IPv4-only ACLs: integer = 2
Using this option causes the ACL to drop any IPv6 traffic received from the
authenticated client.
Setting: HP-Nas-Rules-IPv6=< 1 | 2 > Nas-filter-Rule "< permit or deny ACE >"
Note: When the configured integer option is "1", the any keyword used as a
destination applies to both IPv4 and IPv6 destinations for the selected traffic type
(such as Telnet). Thus, for the IPv4 and IPv6 versions of the selected traffic type
to both go to their respective "any" destinations, a single ACE is needed for the
selected traffic type. For example:
HP-Nas-Rules-IPv6=1
Nas-filter-Rule="permit in tcp from any to any 23"
However, if you do not want both IPv4 and IPv6 traffic of the selected type to
go to their respective "any" destinations, then two ACEs with explicit destination
addresses are needed. In this case, do one of the following:
• Use 0.0.0.0/0 in one ACE to specify the "any" destination for IPv4 traffic,
  and use a specific IPv6 address for the destination in the other ACE.
• Use ::/0 in one ACE to specify the "any" destination for IPv6 traffic, and use
  a specific IPv4 address for the destination in the other ACE.
For example, to allow the IPv4 Telnet traffic from a client to go to any destination,
but the IPv6 Telnet traffic from the same client to go only to a specific address
or group of addresses, you must distinguish the separate destinations by using
explicit addresses for the "any" destinations. For example:
HP-Nas-Rules-IPv6=1
Nas-filter-Rule="permit in tcp from any to 0.0.0.0/0 23"
Nas-filter-Rule="permit in tcp from any to fe80::b1 23"
The above example sends IPv4 Telnet traffic to its "any" destination, but IPv6
Telnet traffic only to fe80::b1 23. To reverse this example, configure ACEs such
as the following:
HP-Nas-Rules-IPv6=1
Nas-filter-Rule="permit in tcp from any to 10.10.10.1 23"
Nas-filter-Rule="permit in tcp from any to ::/0 23"
Where you do not want the selected traffic type for either IPv4 or IPv6 to go to
the "any" destination, use two ACEs to specify the destination addresses. For
example:
HP-Nas-Rules-IPv6=1
Nas-filter-Rule="permit in tcp from any to 10.10.10.1 23"
Nas-filter-Rule="permit in tcp from any to fe80::23 23"
To use the IPv6 VSA while allowing only IPv4 traffic to be filtered, use a
configuration such as:
HP-Nas-Rules-IPv6=2
Nas-filter-Rule="permit in tcp from any to any"
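The following added example (not from the HP manual) models how the "any", 0.0.0.0/0 and ::/0 destinations select address families under HP-Nas-Rules-IPv6 options 1 and 2, so a rule set can be checked before it is placed in a RADIUS reply. It assumes first-match evaluation with an implicit final deny, handles only the ACE form shown on this page, and uses constructed rule sets and addresses; the names parse_ace and evaluate are hypothetical.

```python
import ipaddress
import re

# Matches only the ACE shape used on this page:
#   permit|deny in tcp from any to <dest> [port]
ACE_RE = re.compile(r"^(permit|deny) in tcp from any to (\S+)(?: (\d+))?$")

def parse_ace(text):
    """Return (action, destination network or None for 'any', port or None)."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {text!r}")
    action, dest, port = m.groups()
    net = None if dest == "any" else ipaddress.ip_network(dest, strict=False)
    return action, net, int(port) if port else None

def evaluate(mode, aces, dst, dport):
    """Decide 'permit' or 'deny' for one inbound TCP packet from the client.

    mode is the HP-Nas-Rules-IPv6 integer (1 or 2). First-match evaluation and
    the final implicit deny are assumptions of this model.
    """
    addr = ipaddress.ip_address(dst)
    if mode == 2 and addr.version == 6:
        return "deny"                      # option 2 drops all client IPv6 traffic
    for action, net, port in map(parse_ace, aces):
        if port is not None and port != dport:
            continue
        # 'any' (net is None) covers both families; an explicit prefix such as
        # 0.0.0.0/0 or ::/0 only covers addresses of its own family.
        if net is None or (addr.version == net.version and addr in net):
            return action
    return "deny"                          # assumed implicit deny

# Constructed rule sets modelled on the page's examples (permit actions).
ANY_BOTH = ["permit in tcp from any to any 23"]
V4_ANY_V6_ONE = ["permit in tcp from any to 0.0.0.0/0 23",
                 "permit in tcp from any to fe80::b1 23"]

if __name__ == "__main__":
    for dst in ("192.0.2.7", "fe80::b1", "2001:db8::5"):
        print(dst, evaluate(1, ANY_BOTH, dst, 23),
              evaluate(1, V4_ANY_V6_ONE, dst, 23), evaluate(2, ANY_BOTH, dst, 23))
```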
HP-Nas-Filter-rule (Vendor-Specific Attribute): 61
This attribute is maintained for legacy purposes (for configurations predating
software release K.14.01) to support ACEs in RADIUS-assigned ACLs that can
filter only IPv4 traffic. However, for new or updated configurations (and any
configurations supporting IPv6 traffic filtering), HP recommends using the Standard
Attribute (92) described earlier in this table instead of the HP-Nas-filter-Rule
attribute described here.
Configuring RADIUS server support for switch services