HP ProCurve 3400cl-24G Access Security Guide

HP ProCurve 3400cl-24G
404 pages
RADIUS Authentication and Accounting
Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services
■ The sequence of ACEs is significant. When the switch uses an ACL to
determine whether to permit or deny a packet on a particular VLAN,
it compares the packet to the criteria specified in the individual
Access Control Entries (ACEs) in the ACL, beginning with the first
ACE in the list and proceeding sequentially until a match is found.
When a match is found, the switch applies the indicated action (permit
or deny) to the packet. This is significant because, when a match is
found for a packet, subsequent ACEs in the same ACL will not be used
for that packet, regardless of whether they match the packet.
■ Inbound Traffic Only: RADIUS-based ACLs filter only the inbound
IP traffic from an authenticated client for which an ACL has been
configured on the appropriate RADIUS server.
■ Result of an ACE/Packet Match: The first match of a given packet
to an ACE dictates the action for that packet. Any subsequent match
possibilities are ignored.
■ Explicitly Permitting Any IP Traffic: Entering a "permit in ip from
any to any" (permit any any) ACE in an ACL permits all IP traffic not
previously permitted or denied by that ACL. Any ACEs listed after that
point do not have any effect.
■ Explicitly Denying Any IP Traffic: Entering a "deny in ip from any to
any" ACE in an ACL denies all IP traffic not previously permitted or
denied by that ACL. Any ACEs listed after that point have no effect.
■ Implicitly Denying Any IP Traffic: For any packet being filtered
by an ACL, there will always be a match. Included in every ACL is an
implicit "deny in ip from any to any". This means that the ACL denies any
IP packet it filters that does not have a match with an explicitly
configured ACE. Thus, if you want an ACL to permit any packets that
are not explicitly denied, you must configure "permit in ip from any to
any" as the last explicit ACE in the ACL. Because, for a given packet,
the switch sequentially applies the ACEs in an ACL until it finds a
match, any packet that reaches the "permit in ip from any to any" entry
will be permitted, and will not reach the implicit "deny in ip from any to
any" ACE that is included at the end of the ACL.
■ Determine the order in which you want the individual ACEs in the
ACL to filter inbound traffic from a client. A general guideline is to
arrange the ACEs in the expected order of decreasing application
frequency. This will result in the most prevalent traffic types finding
a match earlier in the ACL than traffic types that are more infrequent,
thus saving processing cycles.
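
The first-match and implicit-deny rules above, modeled as an added example (not code from the HP manual or the switch software). It lets you check an ACE list before loading it on the RADIUS server. Assumptions: only the "ip" ACE form shown on this page is handled, a destination written as an address or address/prefix is accepted in addition to "any", and all function names and sample addresses are constructed for illustration.

```python
import ipaddress

def parse_ace(text):
    """Parse '<permit|deny> in ip from any to <any|address[/prefix]>'."""
    action, direction, proto, kw_from, src, kw_to, dst = text.split()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {text!r}")
    if (direction, proto, kw_from, src, kw_to) != ("in", "ip", "from", "any", "to"):
        raise ValueError(f"unsupported ACE form: {text!r}")
    # Assumption: address/prefix destinations; the page itself shows only 'any'.
    net = ipaddress.ip_network("0.0.0.0/0" if dst == "any" else dst, strict=False)
    return action, net

def evaluate(acl, dst_ip):
    """Return (action, index of matching ACE); index None = implicit deny."""
    addr = ipaddress.ip_address(dst_ip)
    for i, text in enumerate(acl):
        action, net = parse_ace(text)
        if addr in net:        # first match decides; later ACEs are not consulted
            return action, i
    return "deny", None        # implicit 'deny in ip from any to any'

def unreachable_aces(acl):
    """Indexes of ACEs fully covered by a single earlier ACE (never matched)."""
    seen, dead = [], []
    for i, text in enumerate(acl):
        _, net = parse_ace(text)
        if any(net.subnet_of(prev) for prev in seen):
            dead.append(i)
        seen.append(net)
    return dead

# Constructed sample ACLs; the addresses are made up for illustration.
ACL_DEFAULT_DENY = [
    "permit in ip from any to 10.0.5.0/24",
    "deny in ip from any to 10.0.0.0/8",
]
ACL_DEFAULT_PERMIT = [
    "deny in ip from any to 10.0.5.7",
    "permit in ip from any to any",
    "deny in ip from any to 10.0.9.0/24",  # after permit any any: no effect
]

if __name__ == "__main__":
    for dst in ("10.0.5.20", "10.0.9.1", "192.0.2.1"):
        print("default-deny  ", dst, evaluate(ACL_DEFAULT_DENY, dst))
    for dst in ("10.0.5.7", "10.0.9.4"):
        print("default-permit", dst, evaluate(ACL_DEFAULT_PERMIT, dst))
    print("unreachable ACEs:", unreachable_aces(ACL_DEFAULT_PERMIT))
```

In the second list the deny for 10.0.9.0/24 is reported as unreachable, which is the review finding to act on: move it above the permit-any entry or delete it.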
