Specify the type of traffic to filter.
ip
Applies the ACE to all IP traffic from the authenticated client.
ip-protocol-value
Applies the ACE to the type of IP traffic specified by either a protocol number or by tcp, udp,
icmp, or (for IPv4-only) igmp. The range of protocol numbers is 0-255. (Protocol numbers are defined
in RFC 2780. For a complete list, see "Protocol Registries" on the Web site of the Internet Assigned
Numbers Authority at http:\\www.iana.com.) Examples of protocol numbers:
1=ICMP, 2=IGMP (IPv4 only), 6=TCP, 17=UDP, 41=IPv6
from any
Required keywords specifying the (authenticated) client source. (Note that a RADIUS-assigned ACL
assigned to a port filters only the inbound traffic having a source MAC address matching the MAC
address of the client whose authentication invoked the ACL assignment.)
to
Required destination keyword.
any
• Specifies any IPv4 destination address if one of the following is true:
  • The ACE uses the standard attribute (Nas-filter-Rule) and the IPv6 VSA
    (HP-Nas-Rules-IPv6) is not included in the ACL. For example:
    Nas-filter-Rule="permit in tcp from any to any 23"
    Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
    Nas-filter-Rule+="deny in ip from any to any"
  • The ACE uses the standard attribute (Nas-filter-Rule) and the IPv6 VSA
    (HP-Nas-Rules-IPv6) is included in the ACL with an integer setting of 2. For example, all
    the following destinations are for IPv4 traffic:
    HP-Nas-Rules-IPv6=2
    Nas-filter-Rule="permit in tcp from any to any 23"
    Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
    Nas-filter-Rule+="deny in ip from any to any"
  • The HP-Nas-Filter-Rule VSA is used instead of either of the above options. For example, all
    the following destinations are for IPv4 traffic:
    HP-Nas-filter-Rule="permit in tcp from any to any 23"
    HP-Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
    HP-Nas-filter-Rule+="deny in ip from any to any"
• Specifies any IPv4 or IPv6 destination address if the ACL uses the HP-Nas-Rules-IPv6 VSA with
an integer setting of 1. See “Nas-Filter-Rule Attribute Options” (page 42). For example, the any
destinations in the following ACL apply to both IPv4 and IPv6 traffic:
HP-Nas-Rules-IPv6=1
Nas-filter-Rule="permit in tcp from any to any 23"
Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
Nas-filter-Rule+="permit in ip from any to fe80::d1:1/120"
Nas-filter-Rule+="deny in ip from any to any"
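The following is an added example, not code from this manual or from HP: a Python check that parses ACEs in the form shown above and reports which address families each destination covers, so that the reach of a closing "deny in ip from any to any" can be confirmed before the ACL is deployed. It assumes that attribute combinations this page does not describe are IPv4-only and that the optional trailing port is an opaque token; the function names are hypothetical.

```python
import ipaddress
import re

ATTR_RE = re.compile(r'^([\w-]+)\s*\+?=\s*"?(.*?)"?$')
ACE_RE = re.compile(r"^(permit|deny) in (\S+) from any to (any|host \S+|\S+)(?: (\S+))?$")
PROTO_KEYWORDS = {"ip", "tcp", "udp", "icmp", "igmp"}  # keywords named in the text
RULE_ATTRS = {"nas-filter-rule", "hp-nas-filter-rule"}

# The page's own dual-stack example ACL, one attribute per line.
DUAL_STACK_ACL = """HP-Nas-Rules-IPv6=1
Nas-filter-Rule="permit in tcp from any to any 23"
Nas-filter-Rule+="permit in ip from any to 10.10.10.1/24"
Nas-filter-Rule+="permit in ip from any to fe80::d1:1/120"
Nas-filter-Rule+="deny in ip from any to any"
""".splitlines()


def any_scope(attrs):
    """Address families covered by the destination keyword 'any'."""
    ipv6_vsa = [v for n, v in attrs if n == "hp-nas-rules-ipv6"]
    standard = any(n == "nas-filter-rule" for n, _ in attrs)
    # Assumption: combinations the page does not describe count as IPv4-only.
    return {"ipv4", "ipv6"} if standard and ipv6_vsa == ["1"] else {"ipv4"}


def parse_ace(rule):
    """Validate one ACE; return (action, protocol, destination, port or None)."""
    m = ACE_RE.match(rule)
    if not m:
        raise ValueError(f"not in the documented form: {rule!r}")
    action, proto, dest, port = m.groups()
    if proto not in PROTO_KEYWORDS and not (proto.isdigit() and int(proto) <= 255):
        raise ValueError(f"protocol must be a keyword or 0-255: {proto!r}")
    if dest != "any":
        # strict=False: the page's example 10.10.10.1/24 has host bits set.
        dest = ipaddress.ip_network(dest.removeprefix("host "), strict=False)
    return action, proto, dest, port


def coverage(lines):
    """Per ACE: (action, protocol, destination, port, families matched)."""
    attrs = [(m[1].lower(), m[2]) for m in map(ATTR_RE.match, lines) if m]
    scope, out = any_scope(attrs), []
    for _, rule in (a for a in attrs if a[0] in RULE_ATTRS):
        action, proto, dest, port = parse_ace(rule)
        fams = scope if dest == "any" else {f"ipv{dest.version}"}
        out.append((action, proto, str(dest), port, sorted(fams)))
    return out
```

Calling coverage(DUAL_STACK_ACL) returns one tuple per ACE; replacing the first line with HP-Nas-Rules-IPv6=2, or omitting it, narrows every "any" entry to IPv4.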
host <ipv4-addr>
Specifies a single destination IPv4 address.
<ipv4-addr>/<mask>
Specifies a series of contiguous destination addresses or all destination addresses in a subnet. The
<mask> is CIDR notation for the number of leftmost bits in a packet's destination IPv4 address
that must match the corresponding bits in the destination IPv4 address listed in the ACE. For example,
a destination of 10.100.17.1/24 in the ACE means that a match occurs when an inbound packet