HP ProCurve 6120G/XG Manual page 259

HP ProCurve Series 6120 Blade Switches Access Security Guide

Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists

Nas-filter-Rule =: Standard attribute for filtering inbound IPv4 traffic from an authenticated client. Refer also to table 6-4, "Nas-Filter-Rule Attribute Options" on page 6-18.

HP-Nas-filter-Rule =: Legacy HP VSA for filtering inbound IPv4 traffic from an authenticated client. Refer also to table 6-4, "Nas-Filter-Rule Attribute Options" on page 6-18.

" . . . ": Must be used to enclose and identify a complete permit or deny ACE syntax statement. For example:

    Nas-filter-Rule="deny in tcp from any to 0.0.0.0/0 23"

< permit | deny >: Specifies whether to forward or drop the identified IP traffic type from the authenticated client. (For information on explicitly permitting or denying all inbound IP traffic from an authenticated client, or for implicitly denying all such IP traffic not already permitted or denied, refer to "Configuration Notes" on page 6-24.)

in: Required keyword specifying that the ACL applies only to the traffic inbound from the authenticated client.

< ip | ip-protocol-value >: Options for specifying the type of traffic to filter.

    ip: Applies the ACE to all IP traffic from the authenticated client.

    ip-protocol-value: This option applies the ACE to the type of IP traffic specified by either a protocol number or by tcp, udp, icmp, or (for IPv4-only) igmp. The range of protocol numbers is 0-255. (Protocol numbers are defined in RFC 2780. For a complete listing, refer to "Protocol Registries" on the Web site of the Internet Assigned Numbers Authority at www.iana.com.) Some examples of protocol numbers include:

        1 = ICMP
        2 = IGMP (IPv4 only)
        6 = TCP
        17 = UDP
        *IPv4 traffic only.

from any: Required keywords specifying the (authenticated) client source. (Note that a RADIUS-assigned ACL assigned to a port filters only the inbound traffic having a source MAC address that matches the MAC address of the client whose authentication invoked the ACL assignment.)

to: Required destination keyword.

any:
• Specifies any IPv4 destination address if one of the following is true:
    – the ACE uses the standard attribute (Nas-filter-Rule). For example:

        Nas-filter-Rule="permit in tcp from any to any 23"
        Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
        Nas-filter-Rule+="deny in ip from any to any"

    – the HP-Nas-Filter-Rule VSA is used instead of the above option. For example, all of the following destinations are for IPv4 traffic:

        HP-Nas-filter-Rule="permit in tcp from any to any 23"
        HP-Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
        HP-Nas-filter-Rule+="deny in ip from any to any"

6-19
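The ACE syntax described above can be checked before rules are loaded into a RADIUS server. The following linter is an added example, not code from the HP guide. It accepts both attribute names and covers only the fields on this page. The names parse_rule and lint are hypothetical, and the handling of a single trailing destination port for TCP/UDP is an assumption based on the page's "23" examples.

```python
import ipaddress
import re

# Assumption: one optional trailing port, accepted only for tcp/udp/6/17.
LINE_RE = re.compile(r'^(?:HP-)?Nas-filter-Rule\s*\+?=\s*"([^"]*)"$', re.I)
NAMED = {"ip", "tcp", "udp", "icmp", "igmp"}
WITH_PORT = {"tcp", "udp", "6", "17"}

def parse_rule(line):
    """Parse one attribute line into a dict; raise ValueError if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("ACE must be a single double-quoted attribute value")
    tok = m.group(1).split()
    if len(tok) not in (7, 8):
        raise ValueError("expected <permit|deny> in <proto> from any to <dest> [port]")
    action, direction, proto, frm, src, to, dest = tok[:7]
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny, got {action!r}")
    if (direction, frm, src, to) != ("in", "from", "any", "to"):
        raise ValueError("required keywords are: in ... from any to")
    if proto not in NAMED and not (proto.isdigit() and int(proto) <= 255):
        raise ValueError(f"protocol {proto!r} is not a known name or 0-255")
    if dest != "any":
        dest = str(ipaddress.IPv4Interface(dest))  # ValueError if not IPv4
    port = None
    if len(tok) == 8:
        if proto not in WITH_PORT or not tok[7].isdigit() or int(tok[7]) > 65535:
            raise ValueError(f"port {tok[7]!r} is not valid with protocol {proto!r}")
        port = int(tok[7])
    return {"action": action, "proto": proto, "dest": dest, "port": port}

def lint(lines):
    """Return [(line_number, message)] for every rejected line."""
    problems = []
    for n, line in enumerate(lines, 1):
        try:
            parse_rule(line)
        except ValueError as exc:
            problems.append((n, str(exc)))
    return problems

# Constructed input: two examples from the page and two broken lines.
SAMPLE = [
    'Nas-filter-Rule="permit in tcp from any to any 23"',
    'Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"',
    'Nas-filter-Rule+="deny out ip from any to any"',  # wrong direction
    'Nas-filter-Rule+=deny in ip from any to any',     # quotes missing
]
```

Calling lint(SAMPLE) reports lines 3 and 4 with the reason each was rejected.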
