Access Security Guide K/KA/KB.15.15

For example, the "any" destinations in the following ACL apply to both IPv4 and
IPv6 traffic:
HP-Nas-Rules-IPv6=1
Nas-filter-Rule="permit in tcp from any to any 23"
Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
Nas-filter-Rule+="permit in ip from any to fe80::d1:1/120"
Nas-filter-Rule+="deny in ip from any to any"
host <ipv4-addr>
Specifies a single destination IPv4 address.
<ipv4-addr>/<mask>
Specifies a series of contiguous destination addresses or all destination addresses in
a subnet. The <mask> is CIDR notation for the number of leftmost bits in a packet's
destination IPv4 address that must match the corresponding bits in the destination
IPv4 address listed in the ACE. For example, a destination of 10.100.17.1/24 in
the ACE means that a match occurs when an inbound packet (of the designated IPv4
type) from the authenticated client has a destination IPv4 address where the first three
octets are 10.100.17. (The fourth octet is a wildcard, and can be any value up to
255.)
host <ipv6-addr>
Specifies a single destination IPv6 address.
Note: Filtering IPv6 traffic requires the Standard Attribute (Nas-Filter-Rule) with the
HP-Nas-Rules-IPv6 VSA set to 1. See "Nas-Filter-Rule Attribute Options" (page 220).
<ipv6-addr>/<prefix>
Specifies a series of contiguous destination addresses or all destination addresses in
a subnet. The <prefix> specifies the number of leftmost bits in a packet's
destination IPv6 address that must match the corresponding bits in the destination
IPv6 address listed in the ACE. For example, a destination of FE80::1b:127/112 in
the ACE means that a match occurs when an inbound packet (of the designated IPv6
type) from the authenticated client has a destination IPv6 address where the first 112
bits are FE80::1b. (The last 16 bits in the address configured in the ACE form a
"wildcard", and can be any value from 0 to FFFF.) Also, see Note, above.
[ tcp/udp-port | tcp/udp-port-range ]
Optional TCP or UDP port specifier. Used when the ACE is intended to filter client
TCP or UDP traffic with one or more specific TCP or UDP destination port numbers.
You can specify port numbers as individual values and/or ranges. For example, the
following ACE shows two ways to deny any UDP traffic from an authenticated client
that has a DA of any address and a UDP destination port of 135, 137-139, or 445:
deny in udp from any to any 135, 137-139, 445
deny in 17 from any to any 135, 137-139, 445
(The second form uses the IP protocol number; 17 is UDP.)
[ icmp-type | icmpv6-type ]
Optional ICMP type specifier. This can be either a keyword or an ICMP type number.
For a listing of numbers and types, see Table 15 (page 210).
[ cnt ]
Optional counter specifier for a RADIUS-assigned ACE. When used, the counter
increments each time there is a "match" with the ACE. This option does not require
that you configure the switch for RADIUS accounting.
Configuration notes
Explicitly permit IPv4 and IPv6 traffic from an authenticated client
This option for ending a RADIUS-assigned ACL permits all of the client's inbound IPv4 and IPv6
traffic not previously permitted or denied.
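The ACE syntax described above (the destination forms, the port lists, the numeric protocol form) and the note on how an ACL ends, as an added Python example. This evaluator is not part of the HP guide or the switch firmware; it is a way to check offline that the Nas-Filter-Rule list a RADIUS server is about to return matches the traffic you intend before a client is granted it. It assumes HP-Nas-Rules-IPv6=1 (so "any" covers both address families, as the guide's example shows), models the mask/prefix semantics with Python's ipaddress module, and the `default` returned for traffic no ACE matches is an assumption of this example, not a statement of the switch's behavior. The sample attribute lines are constructed to match the guide's example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# IANA protocol numbers for the protocol keywords the ACE syntax accepts
PROTO_KEYWORDS = {"tcp": 6, "udp": 17, "icmp": 1, "icmpv6": 58}


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: Optional[int]        # IP protocol number; None means "ip" (any protocol)
    dest: object                # ipaddress network object; None means "any" (IPv4 and IPv6)
    ports: List[Tuple[int, int]] = field(default_factory=list)  # inclusive (lo, hi) ranges


def parse_ace(text: str) -> Ace:
    """Parse one ACE string, e.g. 'deny in udp from any to any 135, 137-139, 445'."""
    tokens = text.replace(",", " ").split()
    if len(tokens) < 7:
        raise ValueError(f"malformed ACE: {text!r}")
    action, kw_in, proto_tok, kw_from, src, kw_to = tokens[:6]
    if action not in ("permit", "deny") or (kw_in, kw_from, kw_to) != ("in", "from", "to"):
        raise ValueError(f"malformed ACE: {text!r}")
    if src != "any":
        # The ACE filters the authenticated client's own inbound traffic, so the source is "any".
        raise ValueError("source must be 'any' in a RADIUS-assigned ACE")
    if proto_tok == "ip":
        proto = None
    elif proto_tok in PROTO_KEYWORDS:
        proto = PROTO_KEYWORDS[proto_tok]
    elif proto_tok.isdigit() and int(proto_tok) <= 255:
        proto = int(proto_tok)          # numeric form, e.g. 17 for UDP
    else:
        raise ValueError(f"unknown protocol {proto_tok!r}")
    rest = tokens[6:]
    if rest[0] == "any":
        dest, rest = None, rest[1:]
    elif rest[0] == "host" and len(rest) > 1:
        dest, rest = ipaddress.ip_network(rest[1]), rest[2:]   # single address: /32 or /128
    else:
        # <addr>/<mask>: only the leftmost <mask> bits must match, so host bits in the
        # configured address (10.10.10.1/24 -> 10.10.10.0/24) are the wildcard the guide describes.
        dest, rest = ipaddress.ip_network(rest[0], strict=False), rest[1:]
    ports = []
    for tok in rest:                     # individual ports and lo-hi ranges
        lo, _, hi = tok.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port specifier {tok!r}")
        ports.append((lo_i, hi_i))
    if ports and proto not in (6, 17):
        raise ValueError("port specifiers are only valid for tcp or udp ACEs")
    return Ace(action, proto, dest, ports)


def parse_attribute_lines(lines: List[str]) -> List[Ace]:
    """Collect the ACEs from RADIUS attribute lines of the form shown in the guide
    (Nas-filter-Rule="..." and Nas-filter-Rule+="..."); other attributes are skipped."""
    acl = []
    for line in lines:
        name, sep, value = line.partition("=")
        if sep and name.rstrip("+").strip().lower() == "nas-filter-rule":
            acl.append(parse_ace(value.strip().strip('"')))
    return acl


def ace_matches(ace: Ace, proto: int, dst: str, dport: Optional[int] = None) -> bool:
    """True if a packet (protocol number, destination address, destination port) hits the ACE.
    Assumes HP-Nas-Rules-IPv6=1, so a destination of "any" covers both IPv4 and IPv6."""
    dst_ip = ipaddress.ip_address(dst)
    if ace.proto is not None and ace.proto != proto:
        return False
    if ace.dest is not None and (dst_ip.version != ace.dest.version or dst_ip not in ace.dest):
        return False
    if ace.ports and (dport is None or not any(lo <= dport <= hi for lo, hi in ace.ports)):
        return False
    return True


def evaluate(acl: List[Ace], proto: int, dst: str, dport: Optional[int] = None,
             default: str = "deny") -> str:
    """First matching ACE decides. `default` is this example's assumption for traffic that no
    ACE permitted or denied; the page only says how to end an ACL so that case does not arise."""
    for ace in acl:
        if ace_matches(ace, proto, dst, dport):
            return ace.action
    return default


# Constructed sample, matching the attribute list in the guide's example
SAMPLE_ATTRIBUTES = [
    'HP-Nas-Rules-IPv6=1',
    'Nas-filter-Rule="permit in tcp from any to any 23"',
    'Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"',
    'Nas-filter-Rule+="permit in ip from any to fe80::d1:1/120"',
    'Nas-filter-Rule+="deny in ip from any to any"',
]

if __name__ == "__main__":
    acl = parse_attribute_lines(SAMPLE_ATTRIBUTES)
    for proto, dst, port in [(6, "2001:db8::5", 23), (17, "10.10.10.200", 53),
                             (6, "10.10.11.1", 80), (6, "fe80::d1:7f", 22)]:
        print(proto, dst, port, "->", evaluate(acl, proto, dst, port))
```

Running the script shows the dual-stack effect of "any" in the first ACE (a Telnet connection to an IPv6 destination is permitted by a rule written without any address family), and that the two UDP forms from the page parse to the same ACE.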
224 RADIUS server support for switch services