Configuration Guide Configuring ACL
a switch without undergoing the access control, such as port security, Web authentication, 802.1x, and IP+MAC binding
check. A globally applied security channel takes effect on all interfaces except exclusive interfaces.
The deny ACEs in an ACL that is applied to a security channel do not take effect. In addition, this ACL does not contain
an implicit "deny all traffic" rule statement at the end of the ACL. If packets do not meet matching conditions of the
security channel, they are checked according to the access control rules in compliance with the relevant process.
You can configure up to eight exclusive interfaces for the global security channel. In addition, you cannot configure
an interface-based security channel on these exclusive interfaces.
If a security channel is applied to an interface while a global security channel exists, the global security channel does
not take effect on this interface.
If both port-based migratable authentication mode and security channel are applied to an interface, the security channel
does not take effect.
An IPv6 ACL cannot be configured as a security channel.
Only switches support the security channel.
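The rules above interact, so it helps to evaluate them in one place when auditing which traffic a given configuration lets past port security, Web authentication, 802.1x, and IP+MAC binding. The following Python model is an added example, not taken from the vendor's guide; its class and function names, ACL names, port names, and addresses are constructed for illustration. It assumes that migratable authentication also disables the global channel on that interface and that a deny ACE is skipped rather than ending the lookup.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", or "ip" for any protocol
    dst: str                     # destination prefix
    dport: Optional[int] = None  # None matches any port

@dataclass(frozen=True)
class Port:
    channel_acl: Optional[str] = None  # security access-group <acl>
    exclusive: bool = False            # security uplink enable
    migratable_auth: bool = False      # port-based migratable authentication

def validate(ports):
    """Return config errors for the limits stated in the guide."""
    errors = []
    if sum(p.exclusive for p in ports.values()) > 8:
        errors.append("more than eight exclusive interfaces")
    errors += [f"{n}: exclusive interface with its own security channel"
               for n, p in ports.items() if p.exclusive and p.channel_acl]
    return errors

def effective_channel(port, global_acl):
    """ACL name acting as the security channel on this port, or None."""
    if port.migratable_auth:
        return None              # assumption: disables the global channel too
    if port.channel_acl:
        return port.channel_acl  # interface channel replaces the global one
    return None if port.exclusive else global_acl

def bypasses_access_control(port, global_acl, acls, proto, dst, dport=None):
    """True if the packet skips port security, 802.1x, Web auth, etc."""
    for ace in acls.get(effective_channel(port, global_acl), []):
        if ace.action != "permit":
            continue             # deny ACEs do not take effect
        if (ace.proto in ("ip", proto)
                and ip_address(dst) in ip_network(ace.dst)
                and ace.dport in (None, dport)):
            return True
    return False                 # no implicit deny: normal checks still run

# Constructed sample configuration (documentation address ranges)
ACLS = {"sc-global": [Ace("deny", "udp", "192.0.2.53/32", 53),
                      Ace("permit", "udp", "192.0.2.0/24", 53)],
        "sc-printer": [Ace("permit", "tcp", "198.51.100.10/32", 9100)]}
PORTS = {"Gi0/1": Port(), "Gi0/2": Port(channel_acl="sc-printer"),
         "Gi0/24": Port(exclusive=True)}
```

In the sample, the deny ACE for 192.0.2.53 does not keep that host out of the channel, because the broader permit ACE still matches; a channel ACL should therefore list only the exact permits intended.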
Related Configuration
➢ Configuring an ACL
Before configuring the security channel, configure an ACL. For details about how to configure an ACL, see the earlier
descriptions about ACL configuration.
➢ Adding ACEs to an ACL
For details about how to add ACEs to an ACL, see the earlier descriptions about the IP ACL, MAC extended ACL, or expert
extended ACL.
➢ Configuring a Security Channel on an Interface
By default, no security channel is configured on an interface of a device.
Run the security access-group {acl-id | acl-name} command in interface configuration mode to configure the security
channel on an interface.
➢ Configuring a Global Security Channel
By default, no global security channel is configured on a device.
Run the security global access-group {acl-id | acl-name} command in interface configuration mode to configure a global
security channel.
➢ Configuring an Exclusive Interface for the Global Security Channel
By default, no exclusive interface is configured for the global security channel on a device.
Run the security uplink enable command in interface configuration mode to configure a specified interface as the exclusive
interface of the global security channel.