Access Security Guide K/KA/KB.15.15

filter IPv6 traffic. (ACLs are based on the MAC address of the authenticating client.) See
“RADIUS server support for switch services” (page 199).
To support authentication of IPv6 clients:
• The VLAN to which the port belongs must be configured with an IPv6 address.
• Connection to an IPv6-capable RADIUS server must be supported.
• For 802.1X or MAC authentication methods, clients can authenticate regardless of their
  IP version (IPv4 or IPv6).
• For the Web authentication method, clients must authenticate using IPv4. However, this
  does not prevent the client from using a dual stack, or the port receiving a RADIUS-assigned
  ACL configured with ACEs to filter IPv6 traffic.
• The RADIUS server must support IPv4 and have an IPv4 address. (RADIUS clients can be
  dual stack, IPv6 only, or IPv4 only.)
• 802.1X rules for client access apply to both IPv6 and IPv4 clients for RADIUS-assigned
  ACLs. See “802.1X User-Based and Port-Based applications” (page 309).
Multiple ACLs on an interface
The switch allows multiple ACL applications on an interface (subject to internal resource availability).
This means that a port belonging to a given VLAN "X" can simultaneously be subject to all of the
following:
Table 29 Per-interface multiple ACL assignments
(Each ACL type is followed by its ACL applications.)

Dynamic (RADIUS-assigned) ACLs:
• One port-based ACL (for first client to authenticate on the port) or up to
  32 user-based ACLs (one per authenticated client)
  Note: If one or more user-based, dynamic ACLs are assigned to a port,
  then the only traffic allowed inbound on the port is from authenticated
  clients.

IPv6 static ACLs:
• One static VACL for IPv6 traffic for VLAN "X" entering the switch through
  the port.
• One static port ACL for IPv6 traffic entering the switch on the port.
• One inbound and one outbound RACL filtering routed IPv6 traffic moving
  through the port for VLAN "X". (Also applies to inbound, switched traffic
  on VLAN "X" that has a destination on the switch itself.)

IPv4 static ACLs:
• One static VACL for IPv4 traffic for VLAN "X" entering the switch through
  the port.
• One static port ACL for any IPv4 traffic entering the switch on the port.
• One connection-rate ACL for inbound IPv4 traffic for VLAN "X" on the port
  (if the port is configured for connection-rate filtering). See “Virus throttling
  (connection-rate filtering)” (page 53).
• One inbound and one outbound RACL filtering routed IPv4 traffic moving
  through the port for VLAN "X". This also applies to inbound, switched
  traffic on VLAN "X" that has a destination on the switch itself.
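An added example, not part of the guide and not switch or vendor code: a small audit routine that checks a planned set of ACL assignments for one port in VLAN "X" against the Table 29 limits. The tuple keys, the function name and the sample data are constructed for illustration, and treating the "or" in the dynamic ACL row as exclusive is this example's reading of the table.

```python
from collections import Counter

# Static ACL applications per port for VLAN "X" (Table 29): one of each.
# Keys are (IP family, ACL kind, direction); the naming is this example's own.
STATIC_LIMITS = {
    (fam, kind, direction): 1
    for fam in ("ipv4", "ipv6")
    for kind, direction in (("vacl", "in"), ("port", "in"),
                            ("racl", "in"), ("racl", "out"))
}
STATIC_LIMITS[("ipv4", "connection-rate", "in")] = 1
MAX_USER_BASED = 32  # user-based dynamic ACLs, one per authenticated client


def audit_port(static_acls, dynamic=(), conn_rate_filtering=False):
    """Check one port's ACL assignments against the Table 29 limits."""
    violations, notes = [], []
    counts = Counter(static_acls)
    for key in sorted(counts):
        limit = STATIC_LIMITS.get(key)
        if limit is None:
            violations.append(f"{key}: not an application listed in Table 29")
        elif counts[key] > limit:
            violations.append(f"{key}: {counts[key]} assigned, limit is {limit}")
    if counts[("ipv4", "connection-rate", "in")] and not conn_rate_filtering:
        violations.append("connection-rate ACL on a port without connection-rate filtering")

    modes = Counter(dynamic)  # entries are "port-based" or "user-based"
    if modes["port-based"] and modes["user-based"]:
        violations.append("port-based and user-based dynamic ACLs on the same port")
    if modes["port-based"] > 1:
        violations.append("more than one port-based dynamic ACL")
    if modes["user-based"] > MAX_USER_BASED:
        violations.append(f"{modes['user-based']} user-based dynamic ACLs, limit is {MAX_USER_BASED}")
    if modes["user-based"]:
        # Table 29 note: unauthenticated inbound traffic is no longer allowed.
        notes.append("user-based dynamic ACL present: only traffic from "
                     "authenticated clients is allowed inbound on this port")
    return {"violations": violations, "notes": notes}


# Constructed sample: a port in VLAN "X" with three authenticated clients.
SAMPLE_STATIC = [("ipv4", "vacl", "in"), ("ipv4", "port", "in"),
                 ("ipv4", "racl", "in"), ("ipv4", "racl", "out"),
                 ("ipv6", "vacl", "in"), ("ipv6", "port", "in")]

if __name__ == "__main__":
    print(audit_port(SAMPLE_STATIC, dynamic=["user-based"] * 3))
```

The notes entry matters for change review: once any user-based dynamic ACL lands on a port, devices that have not authenticated lose inbound access there even if the static ACLs would permit them.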
310 IPv4 Access Control Lists (ACLs)