Push dynamic ACL on a HP Comware 5130 switch

dgaikwad · ‎10-08-2018

Hello Experts,

I would like to push dACL from ISE to a HP Comware 5130 switch.
I am really not sure how this work for HP?

I have created an authorization policy and will be using attribute, nas-filter-rule from Radius dictionary.

Is this the correct method to push a dACL to HP switch, as you know its pretty easy to push a dACL to an Cisco switch.

Any pointers?

Nidhi · ‎10-09-2018

Hello Dinesh,

Create a separate NAD profile for HP Comware switch. you can make copy of the existing profile and edit the attribute for nas-filter-rule.

make sure you have the format of the acl correct.

for example -

Nas-filter-Rule="permit in tcp from any to any"

Also, please refer this document for your reference. - https://community.cisco.com/t5/security-documents/hpe-wired-xml/ta-p/3643636

Thanks,

Nidhi

dgaikwad · ‎10-09-2018

I checked and seems that this attribute has already been added to the HP dictionary.

So, I tried to run a test, seems that the ACL configured on the switch is getting applied, just that the rule that I sending via the filter-rule is not getting applied on switch.

How do I check if the ACL that I am sending via authz profile is getting applied on the switch?

Nidhi · ‎10-09-2018

Try show ip access-lists int <interface > - This is the command on cisco switches . Not sure if this will work. but I saw some documents where this command has been used for HP switches.

You will have to check in HP documents if this does not work.

Thanks,

Nidhi

dgaikwad · ‎10-11-2018

There is no such command on HP switch, I am referring HP document to find that out.

ldanny · ‎10-11-2018

You will need to research what syntax is used on HP switches

As far as im aware the equivalent of "show" commands in IOS is "display" on HP devices

For example

Cisco HP

show version ~ display version