R3303-HP 6600/HSR6600 Routers Security Configuration Guide

Configuration guidelines
• If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN. Otherwise, the rule does not take effect.
• You cannot configure two or more portal-free rules with the same filtering criteria. Otherwise, the system prompts that the rule already exists.
• Regardless of whether portal authentication is enabled or not, you can only add or remove a portal-free rule. You cannot modify it.
• A Layer 2 interface in an aggregation group cannot be specified as the source interface of a portal-free rule, and the source interface of a portal-free rule cannot be added to an aggregation group.
Configuration procedure
To configure a portal-free rule:
Step                               Command
1. Enter system view.              system-view
2. Configure a portal-free rule.   portal free-rule rule-number { destination { any | ip { ip-address mask
                                   { mask-length | mask } | any } [ tcp tcp-port-number [ to tcp-port-number ] |
                                   udp udp-port-number [ to udp-port-number ] ] } | source { any | [ interface
                                   interface-type interface-number | ip { ip-address mask { mask-length | mask }
                                   | any } [ tcp tcp-port-number [ to tcp-port-number ] | udp udp-port-number [ to
                                   udp-port-number ] ] | mac mac-address | vlan vlan-id ] ] * } } *
Configuring an authentication source subnet
By configuring authentication source subnets, you specify that only HTTP packets from users on the
authentication source subnets can trigger portal authentication. If an unauthenticated user is not on any
authentication source subnet, the access device discards all the user's HTTP packets that do not match
any portal-free rule.
Configuration of authentication source subnets applies only to cross-subnet authentication. In direct
authentication mode, the authentication source subnet is 0.0.0.0/0. In re-DHCP authentication mode,
the authentication source subnet of an interface is the subnet to which the private IP address of the
interface belongs.
If both an authentication source subnet and destination subnet are configured on an interface, only the
authentication destination subnet takes effect.
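The source-subnet behavior described above can be modeled as a small decision function. This is an added example, not code from the guide or from the device software. The function names, the simplified rule type (destination network plus optional TCP port), the sample addresses, and the choice to forward packets that match a portal-free rule are assumptions; authentication destination subnets and the case where no source subnet is configured are not modeled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FreeRule:
    """Simplified portal-free rule: destination network, optional TCP port."""
    dest: str
    tcp_port: Optional[int] = None

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        in_net = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dest)
        return in_net and self.tcp_port in (None, dst_port)


def effective_source_subnets(mode, configured=(), interface_private_ip=None):
    """Authentication source subnets that apply in each portal mode."""
    if mode == "direct":
        return ["0.0.0.0/0"]                      # fixed in direct mode
    if mode == "re-dhcp":
        # Subnet that the interface's private IP address belongs to.
        return [str(ipaddress.ip_interface(interface_private_ip).network)]
    if mode == "cross-subnet":
        return list(configured)                   # only mode that uses the setting
    raise ValueError(f"unknown portal mode: {mode}")


def handle_http(src_ip, dst_ip, dst_port, subnets, free_rules):
    """Action for an HTTP packet from an unauthenticated user."""
    # Assumption: a packet matching a portal-free rule is forwarded as-is.
    if any(r.matches(dst_ip, dst_port) for r in free_rules):
        return "permit"
    src = ipaddress.ip_address(src_ip)
    if any(src in ipaddress.ip_network(n) for n in subnets):
        return "trigger-portal-auth"
    return "discard"                              # off-subnet, no free rule


# Constructed sample values (not from the guide).
SUBNETS = effective_source_subnets("cross-subnet", ["10.10.0.0/16"])
RULES = [FreeRule("192.0.2.53/32", tcp_port=80)]

if __name__ == "__main__":
    for src, dst in [("10.10.3.7", "203.0.113.9"),
                     ("10.20.1.5", "203.0.113.9"),
                     ("10.20.1.5", "192.0.2.53")]:
        print(src, "->", dst, handle_http(src, dst, 80, SUBNETS, RULES))
```
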
To configure an authentication source subnet:
Step                        Command                                     Remarks
1. Enter system view.       system-view                                 N/A
2. Enter interface view.    interface interface-type interface-number   N/A