HP 6200YL User Manual

IPv6 Access Control Lists (ACLs)
Overview

Dynamic (RADIUS-assigned) port ACLs are configured on RADIUS servers
and can be configured to filter IPv4 and IPv6 traffic inbound from clients
authenticated by such servers. For example, in figure 8-1, client “A” connects
to a given port and is authenticated by a RADIUS server. Because the server
is configured to assign a dynamic ACL to the port, the IPv4 and IPv6 traffic
inbound on the port from client “A” is filtered. (See also “Operating Notes for
IPv6 Applications” on page 8-17.)

Effect of RADIUS-Assigned ACLs When Multiple Clients Are Using
the Same Port.

Some network configurations may allow multiple clients to

authenticate through a single port where a RADIUS server assigns a separate,
RADIUS-assigned ACL in response to each client’s authentication on that port.
In such cases, a given client’s inbound traffic will be allowed only if the
RADIUS authentication response for that client includes a RADIUS-assigned
ACL. Clients authenticating without receiving a RADIUS-assigned ACL will
immediately be de-authenticated. For example, in figure 8-2, clients A through
D authenticate through the same port (B1) on a ProCurve switch running
software release K.14.01 or greater.

Unmanaged

Switch

RADIUS

Server

Client D

Client C

ProCurve Switch

Running K.14.01 or

Greater

Client A

Client B

LAN

Port B1

Figure 8-2. Multiple, Dual-Stack Clients Authenticating Through a Single Port

In this case, the RADIUS server must be configured to assign an ACL to port
B1 for any of the authorized clients authenticating on the port.

802.1X User-Based and Port-Based Applications. User-Based

802.1X

access control allows up to 32 individually authenticated clients on a given
port. Port-Based access control does not set a client limit, and requires only
one authenticated client to open a given port (and is recommended for
applications where only one client at a time can connect to the port).

8-16