7-18
Configuring RADIUS Server Support for Switch Services
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists
Caution Regarding
the Use of IPv4
Source Routing
IPv4 source routing is enabled by default on the switch and can be used to
override IPv4 ACLs. For this reason, if you are using IPv4 ACLs to enhance
network security, the recommended action is to use the no ip source-route
command to disable source routing on the switch. (If source routing is
disabled in the running-config file, the show running command includes “no ip
source-route” in the running-config file listing.)
A given RADIUS-assigned ACL operates on a port to filter
only the IP traffic entering the switch from the authenticated
client corresponding to that ACL, and does not filter IP traffic
inbound from other authenticated clients.(The traffic source
is not a configurable setting.)
An RACL applied to inbound traffic on a VLAN filters routed
IPv4 traffic entering the switch through a port on that VLAN,
as well as any inbound traffic having a DA on the switch
itself. An RACL can be applied to outbound IPv4 traffic on a
VLAN to filters routed IPv4 traffic leaving the switch through
a port on that VLAN (and includes routed IPv4 traffic
generated by the switch itself).
A VACL can be applied on a VLAN to filter either IPv4 or IPv6
traffic entering the switch through a port on that VLAN.
A static port ACL can be applied on a port to filters either
IPv4 or IPv6 traffic entering the switch through that port.
Requires client authentication by a RADIUS server
configured to dynamically assign an ACL to a client on a
switch port, based on client credentials.
No client authentication requirement.
ACEs allow a counter (cnt) option that causes a counter to
increment when there is a packet match.
Beginning with software release K.14.01, the show statistics
command includes options for displaying the packet match
count. (Refer to “Monitoring Static ACL Performance” on
page 10-117.)
Also, ACEs allow a log option that generates a log message
whenever there is a packet match with a “deny” ACE.
RADIUS-Assigned ACLs Static Port and VLAN ACLs
To Next Page
Loading...
Need help?
General
