Nas-filter-Rule attribute options

| Service | Control method and operating notes |
|---|---|
| ACLs applied to client traffic inbound to the switch. Assigns a RADIUS-configured ACL to filter inbound packets received from a specific client authenticated on a switch port. | Standard Attribute: 92. This is the preferred attribute for RADIUS-assigned ACLs; it configures ACEs that filter IPv4 and IPv6 traffic.<br>Entry for an IPv4-only ACE to filter client traffic:<br>`Nas-filter-Rule="<permit or deny ACE>"` (Standard Attribute 92). For example:<br>`Nas-filter-Rule="permit in tcp from any to any"`<br>Entries for an IPv4/IPv6 ACE to filter client traffic:<br>`HP-Nas-Rules-IPv6=<1 or 2>` (VSA, where 1 = IPv4 and IPv6 traffic, 2 = IPv4-only traffic)<br>`Nas-filter-Rule="<permit or deny ACE>"` (Standard Attribute 92). For example:<br>`HP-Nas-Rules-IPv6=1`<br>`Nas-filter-Rule="permit in tcp from any to any"`<br>Note: If HP-Nas-Rules-IPv6 is set to 2 or is not present in the ACL, IPv6 traffic from the client is dropped. |
| Set IP Mode. Used with the Nas-filter-Rule attribute described above to provide IPv6 traffic-filtering capability in an ACE. | HP-Nas-Rules-IPv6: 63 (Vendor-Specific Attribute). When using the standard attribute (92) described above in a RADIUS-assigned ACL to support both IPv4 and IPv6 traffic inbound from an authenticated client, one instance of this VSA must be included in the ACL. This attribute supports either of the following IP modes for Nas-filter-Rule ACEs:<br>`HP-Nas-Rules-IPv6=<1 or 2>`<br>`Nas-filter-Rule="<permit or deny ACE>"`<br>Note: When the configured integer option is 1, the `any` keyword used as a destination applies to both IPv4 and IPv6 destinations for the selected traffic type (such as Telnet). Thus, if you want the IPv4 and IPv6 versions of the selected traffic type to both go to their respective "any" destinations, a single ACE is needed for that traffic type. For example:<br>`HP-Nas-Rules-IPv6=1`<br>`Nas-filter-Rule="permit in tcp from any to any 23"`<br>However, if you do not want both the IPv4 and IPv6 traffic of the selected type to go to their respective "any" destinations, two ACEs with explicit destination addresses are needed. In this case, do one of the following:<br>`HP-Nas-Rules-IPv6=1`<br>`Nas-filter-Rule="deny in tcp from any to 0.0.0.0/0 23"`<br>`Nas-filter-Rule="deny in tcp from any to fe80::b1 23"`<br>The above example sends IPv4 Telnet traffic to its "any" destination, but allows IPv6 Telnet traffic only to fe80::b1 23. To reverse this example, you would configure ACEs such as the following:<br>`HP-Nas-Rules-IPv6=1`<br>`Nas-filter-Rule="deny in tcp from any to 10.10.10.1 23"`<br>`Nas-filter-Rule="deny in tcp from any to ::/0 23"`<br>In cases where you do not want the selected traffic type for either IPv4 or IPv6 to go to the "any" destination, you must use two ACEs to specify the destination addresses. For example:<br>`HP-Nas-Rules-IPv6=1`<br>`Nas-filter-Rule="deny in tcp from any to 10.10.10.1 23"`<br>`Nas-filter-Rule="deny in tcp from any to fe80::23 23"`<br>To use the IPv6 VSA while allowing only IPv4 traffic to be filtered, you would use a configuration such as the following:<br>`HP-Nas-Rules-IPv6=2`<br>`Nas-filter-Rule="permit in tcp from any to any"` |
| IPv4-only ACLs applied to client traffic inbound to the switch. Assigns a RADIUS-configured IPv4 ACL to filter inbound IPv4 packets received from a specific client authenticated on a switch port. | HP-Nas-filter-Rule (Vendor-Specific Attribute): 61. This attribute is maintained for legacy purposes. For new or updated configurations (and any configuration supporting IPv6 traffic filtering), Hewlett Packard Enterprise recommends using the Standard Attribute (92) described earlier in this table instead of the HP-Nas-filter-Rule attribute described here.<br>Vendor-specific ID: 11<br>VSA: 61 (string = HP-Nas-filter-Rule)<br>Setting: `HP-Nas-filter-Rule="<permit or deny ACE>"`<br>Note: An ACL applying this VSA to inbound traffic from an authenticated client drops any IPv6 traffic from the client. |
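The IPv6 pitfalls in the table (attribute 92 needs exactly one accompanying HP-Nas-Rules-IPv6, a value of 2 or a missing VSA silently drops the client's IPv6 traffic, and the legacy VSA 61 always drops it) are easy to get wrong when writing a RADIUS server's reply for a user or group. The following Python linter is an added example, not HPE code and not part of this document: it reads a reply's attribute lines in the table's `Attribute=value` notation and reports those conditions before the entry is deployed. The input format, the ACE grammar the regex accepts (only the shapes shown in the table) and the sample replies are assumptions of this example.

```python
"""Lint HPE RADIUS-assigned ACL attributes for the IPv6 pitfalls in the table.

Added example, not HPE code. The attribute names, the 1/2 IP-mode values and
the "absent or 2 means IPv6 is dropped" rule come from the table; the input
format, the ACE grammar and the sample replies below are assumptions.
"""
import re

# Assumed ACE grammar, covering only the shapes shown in the table:
#   <permit|deny> in <proto> from <src> to <dst> [<port>]
ACE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+in\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<port>\d+))?$"
)


def parse_reply(lines):
    """Parse 'Attribute=value' lines into ordered (name, value) pairs.

    Surrounding double quotes are stripped from the value; blank lines and
    '#' comments are skipped. Order is kept because ACE order matters.
    """
    attrs = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not an Attribute=value line: {raw!r}")
        attrs.append((name.strip(), value.strip().strip('"')))
    return attrs


def ipv6_filtered(attrs):
    """True only if the reply produces an ACL that filters (not drops) IPv6.

    Per the table: standard-attribute ACEs need one HP-Nas-Rules-IPv6=1;
    legacy VSA 61 always drops IPv6; mode 2 or a missing VSA drops IPv6.
    """
    modes = [v for n, v in attrs if n == "HP-Nas-Rules-IPv6"]
    has_legacy = any(n == "HP-Nas-filter-Rule" for n, _ in attrs)
    has_std = any(n == "Nas-filter-Rule" for n, _ in attrs)
    return has_std and not has_legacy and modes == ["1"]


def lint(attrs):
    """Return human-readable findings; an empty list means no issues found."""
    findings = []
    std_aces = [v for n, v in attrs if n == "Nas-filter-Rule"]
    legacy_aces = [v for n, v in attrs if n == "HP-Nas-filter-Rule"]
    modes = [v for n, v in attrs if n == "HP-Nas-Rules-IPv6"]

    # Syntax check against the assumed grammar (applies to both attributes).
    for ace in std_aces + legacy_aces:
        if not ACE_RE.match(ace):
            findings.append(f"malformed ACE: {ace!r}")

    if legacy_aces:
        findings.append(
            "HP-Nas-filter-Rule (VSA 61) is a legacy attribute and drops all "
            "IPv6 traffic from the client; use Nas-filter-Rule (attribute 92)"
        )

    if std_aces:
        if not modes:
            findings.append(
                "HP-Nas-Rules-IPv6 absent: IPv6 traffic from the client is dropped"
            )
        elif len(modes) > 1:
            findings.append(
                f"{len(modes)} instances of HP-Nas-Rules-IPv6; exactly one is expected"
            )
        elif modes[0] == "2":
            findings.append(
                "HP-Nas-Rules-IPv6=2 (IPv4-only mode): IPv6 traffic is dropped"
            )
        elif modes[0] != "1":
            findings.append(
                f"HP-Nas-Rules-IPv6={modes[0]!r} is not a valid mode; use 1 or 2"
            )
    elif modes:
        findings.append("HP-Nas-Rules-IPv6 present but no Nas-filter-Rule ACE")

    return findings


# Constructed sample replies (not captured from a real RADIUS server).
SAMPLE_REPLIES = {
    "dual-stack telnet": [
        "HP-Nas-Rules-IPv6=1",
        'Nas-filter-Rule="deny in tcp from any to 10.10.10.1 23"',
        'Nas-filter-Rule="deny in tcp from any to fe80::23 23"',
    ],
    "forgot the VSA": ['Nas-filter-Rule="permit in tcp from any to any"'],
    "legacy VSA 61": ['HP-Nas-filter-Rule="permit in tcp from any to any"'],
}

if __name__ == "__main__":
    for label, lines in SAMPLE_REPLIES.items():
        attrs = parse_reply(lines)
        print(f"{label}: IPv6 filtered={ipv6_filtered(attrs)}")
        for finding in lint(attrs):
            print("  -", finding)
```

Run it as a pre-commit or CI step over the attribute lines of each user or group entry before they reach the RADIUS server; `ipv6_filtered` is the single yes/no answer for "will this client's IPv6 be filtered or silently dropped", and `lint` explains why.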