Contrasting RADIUS-assigned and static ACLs
RADIUS-assigned ACLs |
Static port and VLAN ACLs |
---|---|
Configured in client accounts on a RADIUS server. |
Configured on switch ports and VLANs. |
Designed for use on the edge of the network where filtering of IP traffic entering the switch from individual, authenticated clients is most important and where clients with differing access requirements are likely to use the same port. |
Designed for use where the filtering needs focus on static configurations covering:
|
Implementation requires client authentication. |
Client authentication not a factor. |
Identified by the credentials (user name/password pair or the MAC address) of the specific client the ACL is intended to service. |
Identified by a number in the range of 1-199 or an alphanumeric name. |
Supports dynamic assignment to filter only the IP traffic entering the switch from an authenticated client on the port to which the client is connected. (IPv6 traffic can be switched; IPv4 traffic can be routed or switched. For either IP traffic family, includes traffic having a DA on the switch itself.) |
Supports static assignments to filter:
|
When the authenticated client session ends, the switch removes the RADIUS-assigned ACL from the client port. |
Remains statically assigned to the port or VLAN. |
Allows one RADIUS-assigned ACL per authenticated client on a port. (Each such ACL filters traffic from a different, authenticated client.)
NOTE:
The switch provides ample resources for supporting RADIUS-assigned ACLs and other features. However, the actual number of ACLs supported depends on the switch current feature configuration and the related resource requirements. For more information, see the appendix titled "Monitoring Resources" in the management and configuration guide for your switch. |
Simultaneously supports all the following static assignments affecting a given port:
|
Supports IPv6 ACLs and IPv4 extended ACLs. “IPv6 Access Control Lists (ACLs)” in the IPv6 configuration guide for your switch. |
Supports IPv6 ACLs and standard, extended, and connection-rate IPv4 ACLs, see Applying connection-rate ACLs. |
A given RADIUS-assigned ACL operates on a port to filter only the IP traffic entering the switch from the authenticated client corresponding to that ACL, and does not filter IP traffic inbound from other authenticated clients. (The traffic source is not a configurable setting.) |
An RACL applied to inbound traffic on a VLAN filters routed IPv4 traffic entering the switch through a port on that VLAN, as well as any inbound traffic having a DA on the switch itself. An RACL can be applied to outbound IPv4 traffic on a VLAN to filters routed IPv4 traffic leaving the switch through a port on that VLAN (and includes routed IPv4 traffic generated by the switch itself). A VACL can be applied on a VLAN to filter either IPv4 or IPv6 traffic entering the switch through a port on that VLAN.A static port ACL can be applied on a port to filters either IPv4 or IPv6 traffic entering the switch through that port. |
Requires client authentication by a RADIUS server configured to dynamically assign an ACL to a client on a switch port, based on client credentials. |
No client authentication requirement. |
ACEs allow a counter ( |
The show statistics command includes options for displaying the packet match count, see Monitoring static ACL performance. Also, ACEs allow a log option that generates a log message whenever there is a packet match with a "deny" ACE. |
Regarding the Use of IPv4 Source Routing:
IPv4 source routing is enabled by default on the switch and can be used to override IPv4 ACLs. For this reason, if you are using IPv4 ACLs to enhance network security, the recommended action is to use the
no ip source-route
command to disable source routing on the switch. (If source routing is disabled in the running-config file, the show running
command includes "no ip source-route
" in the running-config file listing.)