Table 8 Simultaneous ACL activity supported per-port
1
IPv6IPv4FunctionACL type
11Static ACL assignment to filter inbound IP traffic on a
specific VLAN.
VACL
11Static ACL assignment to filter inbound IP traffic on a
specific port.
Port ACL
1-32
2
1-32
2
Dynamic ACL assignment to filter inbound IP traffic from
a specific client on a given port.
RADIUS-assigned ACL
1
Subject to resource availability on the switch. For more information, see the appendix titled "Monitoring Resources" in
the latest HP Switch Software Management and Configuration Guide for your switch.
2
One per authenticated client, up to a maximum of 32 clients per-port for 802.1X, web-based authentication, and
MAC-Authentication methods combined.
Contrasting RADIUS-assigned and static ACLs
Table 9 (page 38) highlights several key differences between the static ACLs configurable on switch
VLANs and ports, and the dynamic ACLs that can be assigned by a RADIUS server to filter IP traffic
from individual clients.
Table 9 Contrasting dynamic (RADIUS-assigned) and static ACLs
Static port and VLAN ACLsDynamic RADIUS-assigned ACLs
Configured on switch ports and VLANs.Configured in client accounts on a RADIUS server.
Designed for use where the filtering needs focus on static
configurations covering:
Designed for use on the edge of the network where filtering
of IP traffic entering the switch from individual,
authenticated clients is most important and where clients
• switched IP traffic entering from multiple authenticated
or unauthenticated sources (VACLs or static port ACLs)
with differing access requirements are likely to use the
same port.
• routed IPv4 traffic (RACLs)
• IP traffic from multiple sources with a destination on the
switch itself
Client authentication does not apply.Implementation requires client authentication.
Identified by a number in the range of 1-199 or an
alphanumeric name.
Identified by credentials (username/password pair or MAC
address) of the specific client the ACL is to service.
Supports static assignments to filter:Supports dynamic assignment to filter only IP traffic entering
the switch from an authenticated client on the port where
• switched IPv6 traffic entering the switch
the client is connected. (IPv6 traffic can be switched; IPv4
• switched or routed IPv4 traffic entering the switch, or
routed IPv4 traffic leaving the switch
traffic can be routed or switched. For either IP traffic family,
includes traffic having a DA on the switch itself.)
Remains statically assigned to the port or VLAN.When the authenticated client session ends, the switch
removes the RADIUS-assigned ACL from the client port.
Simultaneously supports all the following static assignments
affecting a given port:
Allows one RADIUS-assigned ACL per authenticated client
on a port. (Each such ACL filters traffic from a different,
authenticated client.)
• IPv4 traffic:
Note: The switch provides ample resources for supporting
RADIUS-assigned ACLs and other features. However, the
• inbound RACL
• outbound RACL
actual number of ACLs supported depends on the switch’s
current feature configuration and the related resource
• VACL
requirements. For more information, see the appendix titled
• static port ACL
"Monitoring Resources" in the HP Switch Software
Management and Configuration Guide for your switch.
• IPv6 traffic:
• VACL
• static port ACL
38 Updates for the HP Switch Software Access Security Guide
To Next Page
Loading...
Need help?
General
