IPv6 Configuration Guide K/KA/KB.15.15

chapter "Configuring RADIUS Server Support for Switch Services" in the latest Access Security
Guide for your switch.
To support authentication of IPv6 clients:
• The VLAN to which the port belongs must be configured with an IPv6 address.
• Connection to an IPv6-capable RADIUS server must be supported.
• For 802.1X or MAC authentication methods, clients can authenticate regardless of their IP version (IPv4 or IPv6).
• For the web authentication method, clients must authenticate using IPv4. However, this does not prevent the client from using a dual stack, or the port receiving a RADIUS-assigned ACL configured with ACEs to filter IPv6 traffic.
• The RADIUS server must support IPv4 and have an IPv4 address. RADIUS clients can be dual stack, IPv6-only, or IPv4-only.
• 802.1X rules for client access apply to both IPv6 and IPv4 clients for RADIUS-assigned ACLs. See “802.1X user-based and port-based applications” (page 96).
Multiple ACL assignments on an interface
The switch simultaneously supports IPv6, IPv4, and RADIUS-assigned ACLs on the same interface
(subject to internal resource availability). This means that traffic on a port belonging to a given
VLAN "X" can simultaneously be subject to all of the ACLs listed in Table 11 (page 97).
Table 11 Per-interface multiple ACL assignments

ACL type: RADIUS-assigned (dynamic) ACLs
ACL application:
• One port-based ACL (for first client to authenticate on the port) or up to 32 user-based ACLs (one per authenticated client)
NOTE: If one or more user-based, RADIUS-assigned ACLs are assigned to a port, the only traffic allowed inbound on the port is from authenticated clients.

ACL type: IPv6 static ACLs
ACL application:
• One static VACL for IPv6 traffic for VLAN "X" entering the switch through the port.
• One static port ACL for IPv6 traffic entering the switch on the port.
• One inbound and one outbound RACL filtering routed IPv6 traffic moving through the port for VLAN "X". (Also applies to inbound, switched traffic on VLAN "X" that has a destination on the switch itself.)

ACL type: IPv4 static ACLs
ACL application:
• One static VACL for IPv4 traffic for VLAN "X" entering the switch through the port.
• One static port ACL for any IPv4 traffic entering the switch on the port.
• One connection-rate ACL for inbound IPv4 traffic for VLAN "X" on the port (if the port is configured for connection-rate filtering).
• One inbound and one outbound RACL filtering routed IPv4 traffic moving through the port for VLAN "X". (Also applies to inbound, switched traffic on VLAN "X" that has a destination on the switch itself.)
About filtering inbound traffic with multiple ACLs
When traffic inbound on a port is subject to multiple ACL assignments, and a RADIUS-assigned,
user-based ACL is present, this traffic must satisfy the following conditions to be permitted on the
switch:
1. Originate with an authenticated client associated with the RADIUS-assigned ACL (if present).
2. Be permitted by the RADIUS-assigned ACL (if present). Includes both IPv4 and IPv6 traffic, unless the ACL is configured to exclude (drop) IPv6 traffic.
3. For IPv4-only traffic, be permitted by connection-rate ACL filtering.
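The three conditions listed above can be modelled as a small decision function for reasoning about what a port will accept. This is an added example, not code from this guide or from the switch software, and it covers only the conditions shown here, so a True result means the packet cleared these checks, not that it is forwarded. The class and function names, the first-match ACE model with deny on no match, the representation of connection-rate filtering as a set of blocked IPv4 sources, and the sample data are all assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class RadiusAcl:
    # ACEs as (action, destination network); first match wins (assumed model).
    aces: list
    drop_ipv6: bool = False  # ACL configured to exclude (drop) IPv6 traffic

    def permits(self, dst_ip):
        addr = ipaddress.ip_address(dst_ip)
        if addr.version == 6 and self.drop_ipv6:
            return False
        for action, net in self.aces:
            network = ipaddress.ip_network(net)
            if network.version == addr.version and addr in network:
                return action == "permit"
        return False  # assumption: traffic matching no ACE is denied

@dataclass
class Port:
    # Authenticated client MAC -> that client's user-based RADIUS-assigned ACL.
    user_acls: dict = field(default_factory=dict)
    # Assumption: connection-rate filtering reduced to blocked IPv4 sources.
    conn_rate_blocked: set = field(default_factory=set)

def inbound_verdict(port, src_mac, src_ip, dst_ip):
    """Apply conditions 1-3 to one inbound packet; return (cleared, reason)."""
    if not port.user_acls:
        return True, "no user-based RADIUS ACL on port; conditions do not apply"
    acl = port.user_acls.get(src_mac)
    if acl is None:  # condition 1: must come from an authenticated client
        return False, "source is not an authenticated client"
    if not acl.permits(dst_ip):  # condition 2: IPv4 and IPv6 both checked
        return False, "denied by RADIUS-assigned ACL"
    src = ipaddress.ip_address(src_ip)
    if src.version == 4 and src_ip in port.conn_rate_blocked:  # condition 3
        return False, "blocked by connection-rate filtering"
    return True, "passes conditions 1-3"

# Constructed sample data: two authenticated clients, one with IPv6 dropped.
_ACES = [("permit", "10.0.0.0/8"), ("permit", "2001:db8::/32")]
SAMPLE_PORT = Port(
    user_acls={"00:00:5e:00:53:01": RadiusAcl(_ACES),
               "00:00:5e:00:53:02": RadiusAcl(_ACES, drop_ipv6=True)},
    conn_rate_blocked={"10.0.0.66"},
)
if __name__ == "__main__":
    print(inbound_verdict(SAMPLE_PORT, "00:00:5e:00:53:02", "2001:db8::6", "2001:db8::1"))
```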
Overview 97