IPv6 Configuration Guide K/KA/KB.15.15
RADIUS-assigned ACLs
A RADIUS-assigned ACL for filtering traffic from a specific client or group of clients is configured
on a RADIUS server. When the server authenticates a client associated with that ACL, the ACL is
assigned to filter the inbound IP traffic received from the authenticated client through the port on
which the client is connected to the switch. If the RADIUS server supports both IPv4 and IPv6 ACEs,
the ACL assigned by the server can be configured to filter both traffic types, or just the IPv4 traffic.
When the client session ends, the ACL is removed from the port. The switch allows as many
RADIUS-assigned ACLs on a port as it allows authenticated clients. For information on
RADIUS-assigned ACLs, see the latest Access Security Guide for your switch.
NOTE: This section describes the IPv6 ACL applications you can statically configure on the switch.
For information on static IPv4 ACL applications, see the latest Access Security Guide for your
switch.
Using CIDR notation to enter the IPv6 ACL prefix length
CIDR (classless inter-domain routing) notation is used to specify ACL prefix lengths. The switch
compares the address bits specified by a prefix length for an SA or DA in an ACE with the
corresponding address bits in a packet being filtered by the ACE. If the designated bits in the ACE
and in the packet have identical settings, the addresses match.
Table 14 Examples of CIDR notation for prefix lengths
SA or DA used in an ACL with CIDR notation | Resulting prefix length defining an address match | Meaning
2620:0:a03:e102::/64 | 2620:0:a03:e102 | The leftmost 64 bits must match. The remaining 64 bits are wildcards.
2620:0:a03:e102:215::/80 | 2620:0:a03:e102:215 | The leftmost 80 bits must match. The remaining 48 bits are wildcards.
2620:0:a03:e102:215:60ff:fe7a:adc0/128 | 2620:0:a03:e102:215:60ff:fe7a:adc0 | All 128 bits must match. This specifies a single host address.
2001:db8:a03:e102:0:ab4:100::/112 | 2001:db8:a03:e102:0:ab4:100 | The leftmost 112 bits must match. The remaining 16 bits are wildcards.
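The bit comparison described above, written out in Python as an added example (it is not taken from the guide and is not switch code). The ACE entries are the four rows of Table 14; the function names and the packet addresses are constructed for illustration, and `::/0` is how this example expresses "any IPv6 address".

```python
import ipaddress

def split_entry(entry):
    """Split 'address/length' into (128-bit integer, prefix length); no length means /128."""
    addr_text, _, length_text = entry.partition("/")
    prefix_len = int(length_text) if length_text else 128
    if not 0 <= prefix_len <= 128:
        raise ValueError(f"prefix length out of range in {entry!r}")
    return int(ipaddress.IPv6Address(addr_text)), prefix_len

def prefix_match(ace_entry, packet_addr):
    """True when the leftmost prefix-length bits of the packet address equal the ACE's."""
    ace_bits, prefix_len = split_entry(ace_entry)
    pkt_bits = int(ipaddress.IPv6Address(packet_addr))
    # 1s in the leftmost prefix_len positions; the remaining bits are wildcards.
    mask = ((1 << prefix_len) - 1) << (128 - prefix_len)
    return (ace_bits & mask) == (pkt_bits & mask)

def ace_matches(ace_sa, ace_da, pkt_src, pkt_dst):
    """Address criteria of an ACE match only when both the SA and the DA prefixes match."""
    return prefix_match(ace_sa, pkt_src) and prefix_match(ace_da, pkt_dst)

# (ACE entry from Table 14, constructed packet address)
SAMPLES = [
    ("2620:0:a03:e102::/64", "2620:0:a03:e102:215:60ff:fe7a:adc0"),
    ("2620:0:a03:e102::/64", "2620:0:a03:e103::1"),
    ("2620:0:a03:e102:215::/80", "2620:0:a03:e102:215:60ff:fe7a:adc0"),
    ("2620:0:a03:e102:215::/80", "2620:0:a03:e102:216::1"),
    ("2620:0:a03:e102:215:60ff:fe7a:adc0/128", "2620:0:a03:e102:215:60ff:fe7a:adc0"),
    ("2620:0:a03:e102:215:60ff:fe7a:adc0/128", "2620:0:a03:e102:215:60ff:fe7a:adc1"),
    ("2001:db8:a03:e102:0:ab4:100::/112", "2001:db8:a03:e102:0:ab4:100:ffff"),
    ("2001:db8:a03:e102:0:ab4:100::/112", "2001:db8:a03:e102:0:ab4:101:1"),
]

def run_samples():
    """Evaluate every sample pair and return the list of match results."""
    return [prefix_match(entry, pkt) for entry, pkt in SAMPLES]

if __name__ == "__main__":
    for (entry, pkt), hit in zip(SAMPLES, run_samples()):
        print(f"{entry:<42} {pkt:<38} {'match' if hit else 'no match'}")
```

Because only the masked bits are compared, an entry written with host bits set (for example a full address followed by /64) matches the same packets as the bare /64 prefix.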
Overview of IPv6 ACLs
IPv6 ACLs enable filtering on the following:
• Source and destination IPv6 addresses (required), in one of the following options:
  • Specific host IPv6
  • Subnet or contiguous set of IPv6 addresses
  • Any IPv6 address
• Choice of any IPv6 protocol
• Optional packet-type criteria for ICMP traffic
• Optional source and/or destination TCP or UDP port, with a further option for comparison
operators
• TCP flag (control bit) options