Access Security Guide K/KA/KB.15.15

Table 22 Nas-Filter-Rule Attribute Options (continued)

Service: Assigns a RADIUS-configured IPv4 ACL to filter inbound IPv4 packets
received from a specific client authenticated on a switch port.

Control method and operating notes: This attribute is maintained for legacy
purposes (for configurations predating software release K.14.01) to support
ACEs in RADIUS-assigned ACLs capable of filtering only IPv4 traffic. However,
for new or updated configurations (and any configurations supporting IPv6
traffic filtering) HP recommends using the Standard Attribute (92) described
earlier in this table instead of the HP-Nas-filter-Rule attribute described
here.
HP vendor-specific ID: 11
VSA: 61 (string=HP-Nas-Filter-Rule)
Setting: HP-Nas-filter-Rule="<permit or deny ACE>"
Note: An ACL applying this VSA to inbound traffic from an authenticated client
drops any IPv6 traffic from the client.

ACE syntax in RADIUS servers

The following information describes ACE syntax configuration options in a
RADIUS server.

ACE syntax (standard attribute-92):
  Nas-filter-Rule="<permit | deny> in <ip | ip-protocol-value> from any to
  <any | host <ip-addr> | ipv4-addr/mask | IPv6-address/prefix>
  [<tcp/udp-port | tcp/udp-port range>] [cnt]"
  [HP-Nas-Rules-IPv6=<1 | 2>]   (IPv6 VSA for standard attribute)
  For an example of how to apply this VSA, see "Configuring a FreeRADIUS server
  to filter IPv4 and IPv6 traffic for a client with correct credentials"
  (page 206).

ACE syntax (legacy VSA-61):
  Nas-filter-Rule="<permit | deny> in <ip | ip-protocol-value> from any to
  <any | host <ip-addr> | ipv4-addr/mask | IPv6-address/prefix>
  [<tcp/udp-port | tcp/udp-port range>] [cnt]"

Nas-filter-Rule=
  Standard attribute for filtering inbound IPv4 traffic from an authenticated
  client. When used without the HP VSA option (below) for filtering inbound
  IPv6 traffic from the client, drops the IPv6 traffic. See also
  "Nas-Filter-Rule Attribute Options" (page 220).

[HP-Nas-Rules-IPv6=<1 | 2>]
  HP VSA used in an ACL intended to filter IPv6 traffic. Settings include:
  1: ACE filters both IPv4 and IPv6 traffic.
  2: ACE filters IPv4 traffic and drops IPv6 traffic.
  VSA not used: ACE filters IPv4 traffic and drops IPv6 traffic.
  This VSA must be present in an ACL where the Nas-filter-Rule= attribute is
  intended to filter inbound IPv6 traffic from an authenticated client.
  See also "Nas-Filter-Rule Attribute Options" (page 220).

HP-Nas-filter-Rule=
  Legacy HP VSA for filtering inbound IPv4 traffic only from an authenticated
  client. Drops inbound IPv6 traffic from the client. See also
  "Nas-Filter-Rule Attribute Options" (page 220).

" (enclosing quotes)
  Must be used to enclose and identify a complete permit or deny ACE syntax
  statement. For example:
  Nas-filter-Rule="deny in tcp from any to 0.0.0.0/0 23"

<permit | deny>
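As an added example (not from the guide or from HP), a small Python check that parses ACEs in the syntax above and flags an Access-Accept whose Nas-filter-Rule ACEs name an IPv6 destination without HP-Nas-Rules-IPv6=1, the case in which the switch drops rather than filters the client's IPv6 traffic. The protocol keyword set (ip, tcp, udp or a numeric value), the low-high form of a port range, and the sample reply are assumptions made for this example.

```python
import ipaddress
import re

# ACE body between the quotes, following the syntax table above:
#   <permit | deny> in <ip | ip-protocol-value> from any to <dst> [port | port-range] [cnt]
# Assumed: protocol keywords ip/tcp/udp or a numeric protocol value; a port range written low-high.
ACE_RE = re.compile(
    r"^(?P<action>permit|deny) in (?P<proto>ip|tcp|udp|\d{1,3}) from any to "
    r"(?P<dst>any|host \S+|\S+/\d{1,3})(?: (?P<port>\d{1,5}(?:-\d{1,5})?))?(?: (?P<cnt>cnt))?$"
)

def parse_ace(ace):
    """Parse one ACE; returns its fields plus 'family' (4, 6 or None for 'any'), raises ValueError if malformed."""
    m = ACE_RE.match(ace.strip())
    if not m:
        raise ValueError(f"malformed ACE: {ace!r}")
    f = m.groupdict()
    if f["dst"] == "any":
        f["family"] = None
    elif f["dst"].startswith("host "):
        f["family"] = ipaddress.ip_address(f["dst"][5:]).version
    else:
        f["family"] = ipaddress.ip_network(f["dst"], strict=False).version
    if f["port"] and f["proto"] not in ("tcp", "udp", "6", "17"):
        raise ValueError(f"port given for non-TCP/UDP protocol in {ace!r}")
    return f

def check_reply(attrs):
    """attrs: (attribute, value) pairs as in an Access-Accept; returns warnings for ACEs that will not filter as expected."""
    warnings = []
    ipv6_mode = dict(attrs).get("HP-Nas-Rules-IPv6")   # "1" = ACEs filter both IPv4 and IPv6
    for name, value in attrs:
        if name == "HP-Nas-filter-Rule":
            warnings.append(f"legacy VSA-61 ACE {value!r}: IPv4 only; client IPv6 traffic is dropped")
        elif name == "Nas-filter-Rule":
            ace = parse_ace(value)
            if ace["family"] == 6 and ipv6_mode != "1":
                warnings.append(f"ACE {value!r} names an IPv6 destination but HP-Nas-Rules-IPv6=1 "
                                "is absent: the switch drops the client's IPv6 traffic instead of filtering it")
    return warnings

# Constructed reply: the guide's example ACE plus an IPv6 ACE sent without the IPv6 VSA.
SAMPLE_REPLY = [
    ("Nas-filter-Rule", "deny in tcp from any to 0.0.0.0/0 23"),
    ("Nas-filter-Rule", "permit in ip from any to 2001:db8::/32"),
]
if __name__ == "__main__":
    for w in check_reply(SAMPLE_REPLY):
        print("WARNING:", w)
```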
222 RADIUS server support for switch services