Access Security Guide K/KA/KB.15.15

Specifies whether to forward or drop the identified IP traffic type from the authenticated
client. (For information on explicitly permitting or denying all inbound IP traffic from
an authenticated client, or for implicitly denying all such IP traffic not already permitted
or denied, see “Configuration notes” (page 224).)
in
Required keyword specifying that the ACL applies only to the traffic inbound from
the authenticated client.
<ip | ip-protocol-value>
Options for specifying the type of traffic to filter.
ip
Applies the ACE to all IP traffic from the authenticated client.
ip-protocol-value
This option applies the ACE to the type of IP traffic specified by either a protocol
number or by tcp, udp, icmp, or (for IPv4-only) igmp. The range of protocol numbers
is 0-255. (Protocol numbers are defined in RFC 2780. For a complete listing, see
"Protocol Registries" on the Web site of the Internet Assigned Numbers Authority at
www.iana.com.) Some examples of protocol numbers include:
1=ICMP
2=IGMP (IPv4 only)
6=TCP
17=UDP
41=IPv6
from any
Required keywords specifying the (authenticated) client source. (Note that a
RADIUS-assigned ACL assigned to a port filters only the inbound traffic having a
source MAC address that matches the MAC address of the client whose authentication
invoked the ACL assignment.)
to
Required destination keyword.
any
Specifies any IPv4 destination address if one of the following is true:
• The ACE uses the standard attribute (Nas-filter-Rule) and the IPv6 VSA
(HP-Nas-Rules-IPv6) is not included in the ACL. For example:
Nas-filter-Rule="permit in tcp from any to any 23"
Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
Nas-filter-Rule+="deny in ip from any to any"
• The ACE uses the standard attribute (Nas-filter-Rule) and the IPv6 VSA
(HP-Nas-Rules-IPv6) is included in the ACL with an integer setting of 2.
For example, all of the following destinations are for IPv4 traffic:
HP-Nas-Rules-IPv6=2
Nas-filter-Rule="permit in tcp from any to any 23"
Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
Nas-filter-Rule+="deny in ip from any to any"
• The HP-Nas-Filter-Rule VSA is used instead of either of the above options. For
example, all of the following destinations are for IPv4 traffic:
HP-Nas-filter-Rule="permit in tcp from any to any 23"
HP-Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
HP-Nas-filter-Rule+="deny in ip from any to any"
Specifies any IPv4 or IPv6 destination address if the ACL uses the HP-Nas-Rules-IPv6
VSA with an integer setting of 1. See “Nas-Filter-Rule Attribute Options” (page 220).
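As an added illustration (not part of this guide or the switch software), the following Python model parses ACEs in the syntax described above and evaluates a packet from the authenticated client against the three-ACE example on this page, applying first-match-wins, the implicit deny of unmatched traffic, and the HP-Nas-Rules-IPv6 reading of the destination keyword any. The ACE grammar is reduced to the forms shown here, and treating IPv6 traffic that no ACE can match under the IPv4-only reading as implicitly denied is an assumption of the model.

```python
import ipaddress
import re

# One ACE in the form this page shows (the trailing port is optional):
#   <permit|deny> in <ip|tcp|udp|icmp|igmp|0-255> from any to <any|prefix> [port]
ACE_RE = re.compile(r"^(permit|deny) in (\S+) from any to (\S+)(?: (\d+))?$")
NAMED_PROTOS = {"ip": None, "icmp": 1, "igmp": 2, "tcp": 6, "udp": 17}

def parse_ace(text):
    """Parse one Nas-filter-Rule value into a dict; ValueError if malformed."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError("malformed ACE: %r" % text)
    action, proto, dest, port = m.groups()
    if proto in NAMED_PROTOS:
        proto_num = NAMED_PROTOS[proto]          # None = all IP traffic
    elif proto.isdigit() and int(proto) <= 255:
        proto_num = int(proto)                   # raw protocol number, 0-255
    else:
        raise ValueError("bad protocol: %r" % proto)
    # "any" is kept as None; a prefix is normalised (10.10.10.1/24 -> 10.10.10.0/24)
    dest_net = None if dest == "any" else ipaddress.ip_network(dest, strict=False)
    return {"action": action, "proto": proto_num, "dest": dest_net,
            "port": int(port) if port else None}

def evaluate(rules, dst_ip, proto_num, dst_port=None, nas_rules_ipv6=None):
    """Permit/deny for one inbound packet from the authenticated client.
    rules: ordered ACE strings; first match wins, unmatched traffic is implicitly
    denied. nas_rules_ipv6 models the HP-Nas-Rules-IPv6 VSA: 1 makes "any" cover
    IPv4 and IPv6 destinations, 2 (or VSA absent) makes it IPv4-only. Assumption:
    IPv6 traffic no ACE can match under the IPv4-only reading is implicitly denied."""
    dst = ipaddress.ip_address(dst_ip)
    for r in (parse_ace(t) for t in rules):
        if r["proto"] is not None and r["proto"] != proto_num:
            continue
        if r["dest"] is None:                    # destination keyword "any"
            if dst.version == 6 and nas_rules_ipv6 != 1:
                continue
        elif dst.version != r["dest"].version or dst not in r["dest"]:
            continue
        if r["port"] is not None and r["port"] != dst_port:
            continue
        return r["action"]
    return "deny"                                # implicit deny

# The three ACEs quoted on this page (constructed sample ACL).
PAGE_RULES = ["permit in tcp from any to any 23",
              "permit in ip from any to 10.10.10.1/24",
              "deny in ip from any to any"]
```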