Nas-filter-Rule attribute options

(Table columns: Service; Control method and operating notes)

ACLs Applied to Client Traffic Inbound to the Switch

Assigns a RADIUS-configured ACL to filter inbound packets received from a specific client authenticated on a switch port.

Standard Attribute: 92

This is the preferred attribute for use in RADIUS-assigned ACLs to configure ACEs to filter IPv4 and IPv6 traffic.

Entry for IPv4-only ACE to filter client traffic:

  Nas-filter-Rule="<permit or deny ACE>" (Standard Attribute 92)

  For example:
  Nas-filter-Rule="permit in tcp from any to any"

Entries for IPv4/IPv6 ACE to filter client traffic:

  HP-Nas-Rules-IPv6=<1 | 2> (VSA, where 1 = IPv4 and IPv6 traffic, and 2 = IPv4-only traffic)
  Nas-filter-Rule="<permit or deny ACE>" (Standard Attribute 92)

  For example:
  HP-Nas-Rules-IPv6=1
  Nas-filter-Rule="permit in tcp from any to any"

Note: If HP-Nas-Rules-IPv6 is set to 2 or is not present in the ACL, IPv6 traffic from the client will be dropped.

Set IP Mode

Used with the Nas-filter-Rule attribute described above to provide IPv6 traffic-filtering capability in an ACE.

HP-Nas-Rules-IPv6: 63 (Vendor-Specific Attribute)

When using the standard attribute (92) described above in a RADIUS-assigned ACL to support both IPv4 and IPv6 traffic inbound from an authenticated client, one instance of this VSA must be included in the ACL. Note that this attribute supports either of the following IP modes for Nas-filter-Rule ACEs:
  • Both IPv6 and IPv4 traffic

  • Only IPv4 traffic

Vendor-specific ID: 11; VSA: 63 (string=HP-Nas-Rules-IPv6)
  • IPv6 and IPv4 ACLs: integer=1 (Using this option causes the ACL to filter both IPv4 and IPv6 traffic.)

  • IPv4-only ACLs: integer=2 (Using this option causes the ACL to drop any IPv6 traffic received from the authenticated client.)

Setting:
  HP-Nas-Rules-IPv6=<1 | 2>
  Nas-filter-Rule="<permit or deny ACE>"
Note: When the configured integer option is "1", the any keyword used as a destination applies to both IPv4 and IPv6 destinations for the selected traffic type (such as Telnet). Thus, if you want the IPv4 and IPv6 versions of the selected traffic type to both go to their respective "any" destinations, a single ACE is needed for the selected traffic type. For example:

  HP-Nas-Rules-IPv6=1
  Nas-filter-Rule="permit in tcp from any to any 23"

However, if you do not want both the IPv4 and IPv6 traffic of the selected type to go to their respective "any" destinations, two ACEs with explicit destination addresses are needed. In this case, do one of the following:
  • Use 0.0.0.0/0 in one ACE to specify the "any" destination for IPv4 traffic, and use a specific IPv6 address for the destination in the other ACE.

  • Use ::/0 in one ACE to specify the "any" destination for IPv6 traffic, and use a specific IPv4 address for the destination in the other ACE.

For example, if you want to allow the IPv4 Telnet traffic from a client to go to any destination, but you want the IPv6 Telnet traffic from the same client to go only to a specific address or group of addresses, you need to distinguish the separate destinations. This is done by using explicit addresses in place of the "any" destinations. For example:

  HP-Nas-Rules-IPv6=1
  Nas-filter-Rule="deny in tcp from any to 0.0.0.0/0 23"
  Nas-filter-Rule="deny in tcp from any to fe80::b1 23"

The above example sends IPv4 Telnet traffic to its "any" destination, but allows IPv6 Telnet traffic only to fe80::b1 (port 23). To reverse this example, you would configure ACEs such as the following:

  HP-Nas-Rules-IPv6=1
  Nas-filter-Rule="deny in tcp from any to 10.10.10.1 23"
  Nas-filter-Rule="deny in tcp from any to ::/0 23"

In cases where you do not want the selected traffic type for either IPv4 or IPv6 to go to the "any" destination, you must use two ACEs with explicit destination addresses. For example:

  HP-Nas-Rules-IPv6=1
  Nas-filter-Rule="deny in tcp from any to 10.10.10.1 23"
  Nas-filter-Rule="deny in tcp from any to fe80::23 23"

To use the IPv6 VSA while allowing only IPv4 traffic to be filtered, use a configuration such as the following:

  HP-Nas-Rules-IPv6=2
  Nas-filter-Rule="permit in tcp from any to any"
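To make the HP-Nas-Rules-IPv6 and "any" semantics above concrete, the following Python evaluator is an added example (not HPE code or the switch's implementation): it parses ACEs in the syntax shown on this page and reports how one inbound client packet would be treated. It assumes first-match ACE ordering and does not model the switch's default for traffic that matches no ACE.

```python
import ipaddress
import re

# ACE syntax used on this page: action, "in", protocol, source, destination,
# optional destination port, e.g. "deny in tcp from any to ::/0 23".
ACE_RE = re.compile(
    r"^(permit|deny)\s+in\s+(\w+)\s+from\s+(\S+)\s+to\s+(\S+)(?:\s+(\d+))?$")

def parse_ace(text):
    """Split one Nas-filter-Rule value (quotes optional) into its fields."""
    m = ACE_RE.match(text.strip().strip('"'))
    if not m:
        raise ValueError(f"unsupported ACE syntax: {text!r}")
    action, proto, src, dst, port = m.groups()
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "port": int(port) if port else None}

def _addr_matches(field, addr):
    """'any' matches either family; an explicit prefix (0.0.0.0/0, ::/0,
    fe80::b1, ...) only matches addresses of its own family."""
    if field == "any":
        return True
    net = ipaddress.ip_network(field, strict=False)
    return net.version == addr.version and addr in net

def evaluate(ip_mode, aces, proto, src, dst, port):
    """Return 'permit', 'deny' or 'no-match' for one inbound client packet.
    ip_mode is the HP-Nas-Rules-IPv6 value: 1, 2, or None when absent.
    'no-match' leaves the decision to the switch default (not modelled)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Page rule: unless HP-Nas-Rules-IPv6=1, IPv6 from the client is dropped.
    if dst_ip.version == 6 and ip_mode != 1:
        return "deny"
    for ace in map(parse_ace, aces):   # first matching ACE wins (assumption)
        if ace["proto"] != proto:
            continue
        if ace["port"] is not None and ace["port"] != port:
            continue
        if _addr_matches(ace["src"], src_ip) and _addr_matches(ace["dst"], dst_ip):
            return ace["action"]
    return "no-match"

# Constructed sample: the split-destination ACL shown in the text.
SPLIT_ACL = ["deny in tcp from any to 0.0.0.0/0 23",
             "deny in tcp from any to fe80::b1 23"]

if __name__ == "__main__":
    for src, dst in (("10.0.0.9", "10.0.0.5"), ("fe80::9", "fe80::b1"), ("fe80::9", "fe80::b2")):
        print(dst, evaluate(1, SPLIT_ACL, "tcp", src, dst, 23))
```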

IPv4-only ACLs applied to client traffic inbound to the switch. (Assigns a RADIUS-configured IPv4 ACL to filter inbound IPv4 packets received from a specific client authenticated on a switch port.)

HP-Nas-filter-Rule (Vendor-Specific Attribute): 61

This attribute is maintained for legacy purposes. However, for new or updated configurations (and any configurations supporting IPv6 traffic filtering), Hewlett Packard Enterprise recommends using the Standard Attribute (92) described earlier in this table instead of the HP-Nas-filter-Rule attribute described here.

Vendor-specific ID: 11; VSA: 61 (string=HP-Nas-filter-Rule)

Setting:
  HP-Nas-filter-Rule="<permit or deny ACE>"

Note: An ACL applying this VSA to inbound traffic from an authenticated client drops any IPv6 traffic from the client.