Access Security Guide K/KA/KB.15.15

Table 22 Nas-Filter-Rule Attribute Options (continued)
Control method and operating notes
Service
one instance of this VSA must be included in the ACL. Note that this attribute
supports either of the following IP modes for Nas-filter-Rule ACEs:
• both IPv6 and IPv4 traffic
• only IPv4 traffic
HP vendor-specific ID: 11
VSA: 63 (string=HP-Nas-Rules-IPv6)
• IPv6 and IPv4 ACLs: integer=1 (Using this option causes the ACL to filter
both IPv4 and IPv6 traffic.)
• IPv4-only ACLs: integer=2 (Using this option causes the ACL to drop any IPv6
traffic received from the authenticated client.)
Setting: HP-Nas-Rules-IPv6=<1 | 2> Nas-filter-Rule="<permit or deny ACE>"
Note: When the configured integer option is "1", the any keyword used as a
destination applies to both IPv4 and IPv6 destinations for the selected traffic type
(such as Telnet). Thus, if you want the IPv4 and IPv6 versions of the selected
traffic type to both go to their respective "any" destinations, then a single ACE
is needed for the selected traffic type. For example:
HP-Nas-Rules-IPv6=1
Nas-filter-Rule="permit in tcp from any to any 23"
However, if you do not want both the IPv4 and IPv6 traffic of the selected type
to go to their respective "any" destinations, then two ACEs with explicit
destination addresses are needed. In this case, do one of the following:
• Use 0.0.0.0/0 in one ACE to specify the "any" destination for IPv4 traffic,
and use a specific IPv6 address for the destination in the other ACE.
• Use ::/0 in one ACE to specify the "any" destination for IPv6 traffic, and use
a specific IPv4 address for the destination in the other ACE.
For example, if you want to allow the IPv4 Telnet traffic from a client to go to
any destination, but you want the IPv6 Telnet traffic from the same client to go
only to a specific address or group of addresses, you will need to distinguish
the separate destinations. This is done by using explicit addresses for the "any"
destinations. For example:
HP-Nas-Rules-IPv6=1
Nas-filter-Rule="deny in tcp from any to 0.0.0.0/0 23"
Nas-filter-Rule="deny in tcp from any to fe80::b1 23"
The above example sends IPv4 Telnet traffic to its "any" destination, but allows
IPv6 Telnet traffic only to fe80::b1, port 23. To reverse this example, you would
configure ACEs such as the following:
HP-Nas-Rules-IPv6=1
Nas-filter-Rule="deny in tcp from any to 10.10.10.1 23"
Nas-filter-Rule="deny in tcp from any to ::/0 23"
In cases where you do not want the selected traffic type for either IPv4 or IPv6
to go to the "any" destination, you must use two ACEs to specify the destination
addresses. For example:
HP-Nas-Rules-IPv6=1
Nas-filter-Rule="deny in tcp from any to 10.10.10.1 23"
Nas-filter-Rule="deny in tcp from any to fe80::23 23"
To use the IPv6 VSA while allowing only IPv4 traffic to be filtered, you would
use a configuration such as the following:
HP-Nas-Rules-IPv6=2
Nas-filter-Rule="permit in tcp from any to any"
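To make the two integer options concrete, the following Python model (an added example, not code from the guide or from HP) evaluates a client packet against a list of Nas-filter-Rule ACEs under HP-Nas-Rules-IPv6=1 or =2. It parses only the ACE form shown on this page ("<permit|deny> in <proto> from any to <dst> [port]"), and it assumes, as the page does not state, that a packet matching no ACE falls through to an implicit deny; the names parse_ace and evaluate are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # e.g. "tcp"
    dst: Optional[object]  # ip_network, or None for the "any" keyword
    port: Optional[int]    # None when the ACE names no destination port


def parse_ace(rule: str) -> Ace:
    """Parse the ACE form used on this page: '<permit|deny> in <proto> from any to <dst> [port]'."""
    t = rule.split()
    if len(t) < 7 or t[3] != "from" or t[5] != "to":
        raise ValueError(f"unsupported ACE: {rule!r}")
    dst = None if t[6] == "any" else ipaddress.ip_network(t[6], strict=False)
    port = int(t[7]) if len(t) > 7 else None
    return Ace(action=t[0], proto=t[2], dst=dst, port=port)


def evaluate(ipv6_mode: int, rules: List[str], proto: str, dst_ip: str, port: int) -> str:
    """Return 'permit' or 'deny' for one inbound client packet under the given VSA mode.
    Assumption (not stated on the page): a packet matching no ACE hits an implicit deny."""
    dst = ipaddress.ip_address(dst_ip)
    # HP-Nas-Rules-IPv6=2: IPv4-only ACL, so IPv6 from the authenticated client is dropped.
    if ipv6_mode == 2 and dst.version == 6:
        return "deny"
    for ace in map(parse_ace, rules):
        if ace.proto != proto:
            continue
        # With mode 1 the "any" keyword (dst None) covers both IPv4 and IPv6 destinations,
        # while an explicit prefix such as 0.0.0.0/0 or ::/0 matches only its own family.
        if ace.dst is not None and (ace.dst.version != dst.version or dst not in ace.dst):
            continue
        if ace.port is not None and ace.port != port:
            continue
        return ace.action
    return "deny"


if __name__ == "__main__":
    single = ["permit in tcp from any to any 23"]          # ACE taken from the page
    split = ["permit in tcp from any to 0.0.0.0/0 23",     # constructed: permit variants of
             "permit in tcp from any to fe80::b1 23"]      # the page's explicit-address ACEs
    print(evaluate(1, single, "tcp", "2001:db8::1", 23))   # permit: "any" covers IPv6 in mode 1
    print(evaluate(2, single, "tcp", "2001:db8::1", 23))   # deny: mode 2 drops all IPv6
    print(evaluate(1, split, "tcp", "fe80::99", 23))       # deny: only fe80::b1 is listed
```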
HP-Nas-Filter-rule (Vendor-Specific Attribute): 61
IPv4-only ACLs applied to client traffic inbound to the switch
Overview 221