Configuring RADIUS Server Support for Switch Services
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists
switch to filter IP traffic coming from outside the network, thus removing 
unwanted IP traffic as soon as possible and helping to improve system 
performance. Also, applying RADIUS-assigned ACLs to the network edge is 
likely to be less complex than configuring static port and VLAN-based ACLs 
in the network core to filter unwanted IP traffic that could have been filtered 
at the edge.
Note: A RADIUS-assigned ACL filters inbound IP traffic on a given port from the 
client whose authentication triggered the ACL assignment to the port. 

A RADIUS-assigned ACL can be applied regardless of whether IP traffic on 
the port is already being filtered by other, static ACLs that are already assigned. 
Table 7-6 lists the supported per-port ACL assignment capacity.
Table 7-6. Simultaneous ACL Activity Supported Per-Port¹

| ACL Type | Function | IPv4 | IPv6 |
|---|---|---|---|
| VACL | Static ACL assignment to filter inbound IP traffic on a specific VLAN. | 1 | 1 |
| Port ACL | Static ACL assignment to filter inbound IP traffic on a specific port. | 1 | 1 |
| RADIUS-assigned ACL | Dynamic ACL assignment to filter inbound IP traffic from a specific client on a given port. | 1-32² | 1-32² |
| RACL (IPv4 only) | Static ACL assignment to filter routed IPv4 traffic entering or leaving the switch on a specific VLAN. | 1 in, 1 out | n/a |
| Connection-Rate ACL | Static ACL assignment for virus-throttling on a specific port. (Refer to chapter 3, “Virus Throttling (Connection-Rate Filtering)” in this manual.) | 1 | n/a |

¹ Subject to resource availability on the switch. For more information, refer to the appendix titled 
“Monitoring Resources” in the latest Management and Configuration Guide for your switch.
² One per authenticated client, up to a maximum of 32 clients per-port for 802.1X, Web-Authentication, 
and MAC-Authentication methods combined.

ACLs enhance network security by blocking selected IP traffic, and can serve 
as one aspect of network security. However, because ACLs do not protect from 
malicious manipulation of data carried in IP packet transmissions, they 
should not be relied upon for a complete edge security solution.

Depending on the ACL configuration in the RADIUS server, the ACLs 
described in this section filter either IPv4 traffic only or both IPv4 and IPv6 
traffic. These ACLs do not filter non-IP traffic such as AppleTalk and IPX.