(of the designated IPv4 type) from the authenticated client has a destination IPv4 address where
the first three octets are 10.100.17. (The fourth octet is a wildcard, and can be any value up to
255.)
host <ipv6-addr>
Specifies a single destination IPv6 address.
Note: Filtering IPv6 traffic requires the Standard Attribute(Nas-Filter-Rule) with the HP-Nas-Rules-IPv6
VSA set to 1. See “Nas-Filter-Rule Attribute Options” (page 42).
<ipv6-addr/<prefix>
Specifies a series of contiguous destination addresses or all destination addresses in a subnet. The
< prefix > specifies the number of leftmost bits in a packet's destination IPv6 address that must
match the corresponding bits in the destination IPv6 address listed in the ACE. For example, a
destination of FE80::1b:127/112 in the ACE means that a match occurs when an inbound packet
(of the designated IPv6 type) from the authenticated client has a destination IPv6 address where
the first 112 are FE80::1b. (The last 16 bits in the address configured in the ACE form a "wildcard",
and can be any value from 0 to FFFF.) See Note, above.
[ tcp/udp-port | tcp/udp-port-range ]
Optional TCP or UDP port specifier. Used when the ACE is intended to filter client TCP or UDP traffic
with one or more specific TCP or UDP destination port numbers. You can specify port numbers as
individual values and/or ranges. For example, the following ACE shows two ways to deny any
UDP traffic from an authenticated client with a DA of any address and a UDP destination port of
135, 137-139, or 445:
deny in udp from any to any 135, 137-139, 445
deny in 17 from any to any 135, 137-139, 445
[ icmp-type | icmpv6-type ]
Optional ICMP type specifier. This can be either a keyword or an ICMP type number. For a list of
numbers and types, see Table 11 (page 55).
[ cnt ]
Optional counter specifier for a RADIUS-assigned ACE. When used, the counter increments each
time there is a "match" with the ACE. This option does not require that you configure the switch for
RADIUS accounting.
Example using the standard attribute in an IPv4 ACL
The Standard Attribute (92), when used in an ACL without the HP-Nas-Rules-IPv6 VSA, filters IPv4
traffic inbound from the authenticated client. (Any IPv6 traffic inbound from the client is dropped.)
The following example illustrates configuring RADIUS-assigned IPv4 ACL support on FreeRADIUS
using the standard attribute for two different client identification methods (username/password
and MAC address).
1. Enter the ACL standard attribute in the FreeRADIUS dictionary.rfc4849 file as follows:
ATTRIBUTE Nas-FILTER-Rule 92
2. Enter the switch IP address, NAS (Network Attached Server) type, and the key used in the
FreeRADIUS clients.conf file. For example, if the switch IP address is 10.10.10.125
and the key ("secret") is "1234", you would enter the following in the server's clients.conf
file:
46 Updates for the HP Switch Software Access Security Guide
To Next Page
Loading...
Need help?
General
