RADIUS Authentication and Accounting 
Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services 
| RADIUS-Based (Dynamic) ACLs | VLAN-Based (Static) ACLs |
|---|---|
| Supports only extended ACLs. (Refer to Terminology.) | Supports standard, extended, and connection-rate ACLs, and applies these ACLs to traffic on all ports belonging to the VLAN. |
| The ACL filters only the IP traffic it receives inbound from the authenticated client corresponding to that ACL, and does not filter traffic inbound from other authenticated clients. (The traffic source is not a configurable setting.) | An ACL applied inbound on a VLAN filters all IP traffic received on any member port from any source in the same VLAN, as long as the traffic is either routed by the switch to another VLAN or subnet, or has a DA on the switch itself. An ACL applied outbound on a VLAN filters all routed IP traffic leaving the switch on any member port. |
| Can contain up to 30 ACEs. | Can contain up to 1024 ACEs per 5300xl switch. |
| Requires client authentication by a RADIUS server configured to dynamically assign an ACL to the client port, based on client credentials. | Configured in the switch and statically applied to filter IP traffic on all ports in the specified VLAN, regardless of other factors. |
| ACEs allow a counter (cnt) option that causes a counter to increment when there is a packet match. | ACEs allow a log option that generates a log message whenever there is a packet match with a “deny” ACE. |
Terminology 
ACE: See Access Control Entry, below. 
Access Control Entry (ACE): An ACE is a policy consisting of a
packet-handling action and criteria to define the packets on which to apply the action.
For RADIUS-based ACLs, the elements composing the ACE include:
• permit or drop (action)
• in < ip-packet-type > from any (source)
• to < ip-address [/ mask ] | any > (destination)
• [ port-# ] (optional TCP or UDP application port numbers used when
the packet type is TCP or UDP)
ACL: See Access Control List, below. 
Access Control List (ACL): A list (or set) consisting of one or more 
explicitly configured Access Control Entries (ACEs) and terminating with an 
implicit “deny” default which drops any packets that do not have a match with 
any explicit ACE in the named ACL. 
ACL Mask: Follows a destination IP address listed in an ACE. Defines which 
bits in a packet’s corresponding IP addressing must exactly match the IP 
addressing in the ACE, and which bits need not match (wildcards). 
DA: The acronym for Destination IP Address. In an IP packet, this is the 
destination IP address carried in the header, and identifies the destination 
intended by the packet’s originator. 
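
The ACE elements, the 30-ACE limit and the implicit “deny” described above can be exercised with a small evaluator, which is useful for checking what a RADIUS-assigned ACL will actually drop. This is an added example, not code from the manual or the switch software. The one-line ACE text form, the CIDR prefix-length reading of the mask, first-match ordering, a single port per ACE and the sample addresses are assumptions.

```python
import ipaddress
import re

MAX_ACES = 30  # per-ACL limit stated for RADIUS-based ACLs

# Assumed textual form built from the ACE elements listed above:
#   <permit|drop> in <ip|tcp|udp> from any to <addr[/prefix-len] | any> [port]
ACE_RE = re.compile(
    r"^(permit|drop) in (ip|tcp|udp) from any to (\S+)(?: (\d+))?$"
)

def parse_ace(text):
    m = ACE_RE.match(" ".join(text.split()))  # collapse runs of whitespace
    if not m:
        raise ValueError(f"not a valid ACE: {text!r}")
    action, proto, dest, port = m.groups()
    if port and proto == "ip":
        raise ValueError("a port is only meaningful for tcp or udp")
    # Assumption: the mask is a CIDR prefix length; no mask means a host match.
    net = None if dest == "any" else ipaddress.ip_network(dest, strict=False)
    return action, proto, net, int(port) if port else None

def parse_acl(lines):
    aces = [parse_ace(line) for line in lines]
    if not 1 <= len(aces) <= MAX_ACES:
        raise ValueError(f"ACL must hold 1..{MAX_ACES} ACEs")
    return aces

def evaluate(acl, proto, dst_ip, dst_port=None):
    """Return (action, index) of the first matching ACE, or the implicit deny."""
    dst = ipaddress.ip_address(dst_ip)
    for i, (action, ace_proto, net, port) in enumerate(acl):
        if ace_proto != "ip" and ace_proto != proto:
            continue  # "ip" covers every IP packet type
        if net is not None and dst not in net:
            continue  # destination outside the masked range
        if port is not None and port != dst_port:
            continue
        return action, i
    return "drop", None  # implicit "deny": nothing matched an explicit ACE

# Constructed sample ACL (addresses are illustrative, not from the manual).
SAMPLE_ACL = parse_acl([
    "drop in tcp from any to 10.10.10.5 23",
    "permit in tcp from any to 10.10.10.0/24",
    "permit in udp from any to any 53",
])
```

An index of `None` in the result marks traffic that fell through to the implicit “deny” rather than hitting an explicit drop ACE.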