Traffic applications
- Inbound IPv4 traffic only
- Inbound IPv4 and IPv6 traffic
This feature is designed for use on the network edge to accept RADIUS-assigned ACLs for Layer-3 filtering of IP traffic entering the switch from authenticated clients. A given RADIUS-assigned ACL is identified by a unique user name/password pair or client MAC address, and applies only to IP traffic entering the switch from clients that authenticate with those unique credentials. The switch allows multiple RADIUS-assigned ACLs on a given port, up to the maximum number of authenticated clients allowed on the port. Also, a RADIUS-assigned ACL for a given client's traffic can be assigned regardless of whether other ACLs assigned to the same port are statically configured on the switch.
- Destination address
- IPv4 or IPv6 traffic type, such as TCP and UDP traffic
- RADIUS authentication using the 802.1X, web-based authentication, or MAC authentication available on the switch to provide client authentication services.
- Configuring one or more ACLs on a RADIUS server instead of the switch, and assigning each ACL to the user name/password pair or MAC address of the clients you want the ACLs to support.
Using RADIUS to dynamically apply ACLs to clients on edge ports enables the switch to filter IP traffic coming from outside the network, thus removing unwanted IP traffic as soon as possible and helping to improve system performance. Also, applying RADIUS-assigned ACLs to the network edge is likely to be less complex than configuring static port and VLAN-based ACLs in the network core to filter unwanted IP traffic that could have been filtered at the edge.
A RADIUS-assigned ACL filters inbound IP traffic on a given port from the client whose authentication triggered the ACL assignment to the port.
A RADIUS-assigned ACL can be applied regardless of whether IP traffic on the port is already being filtered by other, static ACLs that are already assigned.
ACLs enhance network security by blocking selected IP traffic, and can serve as one aspect of network security. However, because ACLs do not protect from malicious manipulation of data carried in IP packet transmissions, they must not be relied upon for a complete edge security solution.
Depending on the ACL configuration in the RADIUS server, the ACLs described in this section filter either IPv4 traffic only or both IPv4 and IPv6 traffic. These ACLs do not filter non-IP traffic such as AppleTalk and IPX.
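To make the behaviour described above concrete, the following Python model is added here; it is not switch firmware or any vendor code. It simulates a single edge port: once a client authenticates, the ACL that the RADIUS server returns for that client's MAC address is bound to the port and evaluated only on inbound IP traffic from that MAC, alongside any static port ACL, while non-IP frames (IPX in the sample) pass through unfiltered. The MAC addresses, prefixes, ACL contents, the first-match-with-implicit-deny semantics, the rule that a frame must be permitted by both the static and the dynamic ACL, and the treatment of clients without a dynamic ACL are all constructed assumptions of the model.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Ethertypes used only to decide whether a frame carries IP at all (constructed constants).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_IPX = 0x8137  # a non-IP protocol; these ACLs never filter it


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    proto: str = ""   # "tcp" or "udp" for IP frames
    dst: str = ""     # destination IPv4 or IPv6 address
    dport: int = 0


@dataclass
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "ip" (any IP protocol)
    dst: str                  # destination prefix, e.g. "10.10.20.0/24" or "2001:db8::/32"
    dport: Optional[int] = None

    def matches(self, f: Frame) -> bool:
        if self.proto != "ip" and f.proto != self.proto:
            return False
        # ipaddress returns False for an address of one family tested against a
        # network of the other, so IPv4 and IPv6 rules never cross-match.
        if ip_address(f.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or f.dport == self.dport


@dataclass
class Acl:
    rules: List[Rule]

    def decide(self, f: Frame) -> str:
        for r in self.rules:          # first matching rule wins
            if r.matches(f):
                return r.action
        return "deny"                 # implicit deny at the end (model assumption)


# Constructed stand-in for the RADIUS server: client MAC -> ACL returned on success.
RADIUS_ACLS: Dict[str, Acl] = {
    "00:11:22:33:44:55": Acl([Rule("permit", "tcp", "10.10.20.0/24", 443),
                              Rule("permit", "udp", "10.10.20.53/32", 53)]),
    "66:77:88:99:aa:bb": Acl([Rule("permit", "ip", "2001:db8:1::/48"),
                              Rule("permit", "ip", "10.10.0.0/16")]),
}


@dataclass
class EdgePort:
    max_clients: int = 32                      # upper bound of dynamic ACLs per port
    static_acl: Optional[Acl] = None
    client_acls: Dict[str, Acl] = field(default_factory=dict)

    def authenticate(self, mac: str) -> bool:
        """Bind the RADIUS-returned ACL to this client's MAC after authentication."""
        acl = RADIUS_ACLS.get(mac)
        if acl is None or len(self.client_acls) >= self.max_clients:
            return False
        self.client_acls[mac] = acl
        return True

    def inbound(self, f: Frame) -> str:
        """Decide the fate of one inbound frame on this port."""
        if f.ethertype not in (ETHERTYPE_IPV4, ETHERTYPE_IPV6):
            return "permit"                    # non-IP traffic is outside the ACLs' scope
        if self.static_acl and self.static_acl.decide(f) == "deny":
            return "deny"                      # static port ACL coexists with dynamic ones
        acl = self.client_acls.get(f.src_mac)
        if acl is None:
            return "deny"                      # no dynamic ACL for this source (assumption)
        return acl.decide(f)                   # only this client's traffic hits its ACL


def demo() -> Dict[str, str]:
    """Run constructed sample frames through a port with one static and two dynamic ACLs."""
    port = EdgePort(static_acl=Acl([Rule("deny", "tcp", "10.10.20.9/32", 23),
                                    Rule("permit", "ip", "0.0.0.0/0"),
                                    Rule("permit", "ip", "::/0")]))
    port.authenticate("00:11:22:33:44:55")
    port.authenticate("66:77:88:99:aa:bb")
    c1, c2 = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    return {
        "web_from_client1": port.inbound(Frame(c1, ETHERTYPE_IPV4, "tcp", "10.10.20.5", 443)),
        "ssh_from_client1": port.inbound(Frame(c1, ETHERTYPE_IPV4, "tcp", "10.10.20.5", 22)),
        "v6_from_client2": port.inbound(Frame(c2, ETHERTYPE_IPV6, "tcp", "2001:db8:1::10", 443)),
        "telnet_blocked_by_static": port.inbound(Frame(c2, ETHERTYPE_IPV4, "tcp", "10.10.20.9", 23)),
        "ipx_unfiltered": port.inbound(Frame(c1, ETHERTYPE_IPX)),
        "unauthenticated": port.inbound(Frame("de:ad:be:ef:00:01", ETHERTYPE_IPV4, "tcp", "10.10.20.5", 443)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `ipx_unfiltered` case is the one worth pausing on: it is the code form of the statement that these ACLs do not touch non-IP traffic, so any AppleTalk or IPX that a client sends reaches the switch regardless of what the RADIUS server returned, and must be handled by other means if it matters on your network.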
The following simultaneous ACL activity support is subject to resource availability on the switch. For more information, see "Monitoring Resources" in the latest management and configuration guide for your switch.
| ACL type | Function | IPv4 | IPv6 |
|---|---|---|---|
| VACL | Static ACL assignment to filter inbound IP traffic on a specific VLAN. | 1 | 1 |
| Port ACL | Static ACL assignment to filter inbound IP traffic on a specific port. | 1 | 1 |
| RADIUS-assigned ACL | Dynamic ACL assignment to filter inbound IP traffic from a specific client on a given port. | 1-32 | 1-32 |
| RACL (IPv4 only) | Static ACL assignment to filter routed IPv4 traffic entering or leaving the switch on a specific VLAN. | 1 in, 1 out | n/a |
| Connection-Rate ACL | Static ACL assignment for virus throttling on a specific port; see Virus throttling (connection-rate filtering). | 1 | n/a |