HP 3500yl Series Access Security Manual page 343
Service    Control Method and Operating Notes:

However, if you do not want both the IPv4 and IPv6 traffic of the selected type to go to their respective "any" destinations, then two ACEs with explicit destination addresses are needed. In this case, do one of the following:

• Use 0.0.0.0/0 in one ACE to specify the "any" destination for IPv4 traffic, and use a specific IPv6 address for the destination in the other ACE.
• Use ::/0 in one ACE to specify the "any" destination for IPv6 traffic, and use a specific IPv4 address for the destination in the other ACE.

For example, if you want to allow the IPv4 Telnet traffic from a client to go to any destination, but you want the IPv6 Telnet traffic from the same client to go only to a specific address or group of addresses, you will need to distinguish the separate destinations. This is done by using explicit addresses for the "any" destinations. For example:

    HP-Nas-Rules-IPv6=1
    Nas-filter-Rule="deny in tcp from any to 0.0.0.0/0 23"
    Nas-filter-Rule="deny in tcp from any to fe80::b1 23"

The above example sends IPv4 Telnet traffic to its "any" destination, but allows IPv6 Telnet traffic only to fe80::b1 23. To reverse this example, you would configure ACEs such as the following:

    HP-Nas-Rules-IPv6=1
    Nas-filter-Rule="deny in tcp from any to 10.10.10.1 23"
    Nas-filter-Rule="deny in tcp from any to ::/0 23"

In cases where you do not want the selected traffic type for either IPv4 or IPv6 to go to the "any" destination, you must use two ACEs to specify the destination addresses. For example:

    HP-Nas-Rules-IPv6=1
    Nas-filter-Rule="deny in tcp from any to 10.10.10.1 23"
    Nas-filter-Rule="deny in tcp from any to fe80::23 23"

To use the IPv6 VSA while allowing only IPv4 traffic to be filtered, you would use a configuration such as the following:

    HP-Nas-Rules-IPv6=2
    Nas-filter-Rule="permit in tcp from any to any"

IPv4-Only ACLs

Service: HP-Nas-Filter-Rule (Vendor-Specific Attribute): 61

Applied to Client Traffic Inbound to the Switch. Assigns a RADIUS-configured IPv4 ACL to filter inbound IPv4 packets received from a specific client authenticated on a switch port.

Control Method and Operating Notes: This attribute is maintained for legacy purposes (for configurations predating software release K.14.01) to support ACEs in RADIUS-assigned ACLs capable of filtering only IPv4 traffic. However, for new or updated configurations (and any configurations supporting IPv6 traffic filtering) HP recommends using the Standard Attribute (92) described earlier in this table instead of the HP-Nas-filter-Rule attribute described here.

    HP vendor-specific ID: 11
    VSA: 61 (string = HP-Nas-Filter-Rule)
    Setting: HP-Nas-filter-Rule = "< permit or deny ACE >"

Note: An ACL applying this VSA to inbound traffic from an authenticated client drops any IPv6 traffic from the client.

Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists
Configuring RADIUS Server Support for Switch Services
7-25
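The "any" versus 0.0.0.0/0 versus ::/0 destination distinction above is easy to get wrong when building RADIUS reply attributes. The following Python audit script is an added example, not HP's code or part of this manual: it parses Nas-filter-Rule strings of the form shown on this page, reports which address family each ACE destination actually matches, and warns when the generic "any" destination is combined with HP-Nas-Rules-IPv6=1 so that the ACE applies to both IPv4 and IPv6. The regular expression only accepts the "from any to <dest> [port]" shape seen in the examples; the optional port and the sample reply are assumptions.

```python
import ipaddress
import re

# Constructed sample RADIUS reply, modelled on the examples on this page.
SAMPLE_REPLY = [
    'HP-Nas-Rules-IPv6=1',
    'Nas-filter-Rule="deny in tcp from any to 0.0.0.0/0 23"',
    'Nas-filter-Rule="deny in tcp from any to fe80::b1 23"',
    'Nas-filter-Rule="permit in tcp from any to any"',
]

# Assumed ACE shape: "<permit|deny> in <proto> from any to <dest> [<port>]"
ACE_RE = re.compile(r'^(permit|deny) in (\S+) from any to (\S+)(?: (\d+))?$')


def dest_families(dest):
    """Return the set of address families an ACE destination matches."""
    if dest == "any":
        return {"ipv4", "ipv6"}          # bare "any" covers both families
    # strict=False lets a host address such as fe80::b1 parse as a /128 or /32
    net = ipaddress.ip_network(dest, strict=False)
    return {"ipv4" if net.version == 4 else "ipv6"}


def parse_ace(attr):
    """Parse one Nas-filter-Rule="..." attribute into a dict."""
    m = ACE_RE.match(attr.split("=", 1)[1].strip('"'))
    if not m:
        raise ValueError(f"unsupported ACE syntax: {attr}")
    action, proto, dest, port = m.groups()
    return {"action": action, "proto": proto, "dest": dest,
            "port": port, "families": dest_families(dest)}


def audit(attrs):
    """Return the IPv6 mode, the parsed ACEs and warnings about dual-family 'any'."""
    ipv6_mode, aces, warnings = None, [], []
    for attr in attrs:
        if attr.startswith("HP-Nas-Rules-IPv6="):
            ipv6_mode = int(attr.split("=", 1)[1])
            continue
        ace = parse_ace(attr)
        aces.append(ace)
        if ace["dest"] == "any" and ipv6_mode == 1:
            warnings.append(f"{attr}: 'any' matches both IPv4 and IPv6; "
                            "use 0.0.0.0/0 or ::/0 to limit it to one family")
    return {"ipv6_mode": ipv6_mode, "aces": aces, "warnings": warnings}


if __name__ == "__main__":
    for line in audit(SAMPLE_REPLY)["warnings"]:
        print(line)
```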