Traffic applications:

- Inbound IPv4 traffic only
- Inbound IPv4 and IPv6 traffic
This feature is designed for use on the network edge to accept RADIUS-assigned ACLs for Layer-3 filtering of IP traffic entering the switch from authenticated clients. A given RADIUS-assigned ACL is identified by a unique username/password pair or client MAC address, and applies only to IP traffic entering the switch from clients that authenticate with the required, unique credentials. The switch allows multiple RADIUS-assigned ACLs on a given port, up to the maximum number of authenticated clients allowed on the port. Also, a RADIUS-assigned ACL for a given client's traffic can be assigned regardless of whether other ACLs assigned to the same port are statically configured on the switch.
Filtering criteria:

- Destination address
- IPv4 or IPv6 traffic type (such as TCP and UDP traffic)

Elements of the feature:

- RADIUS authentication using the 802.1X, web-based authentication, or MAC authentication available on the switch to provide client authentication services
- Configuring one or more ACLs on a RADIUS server (instead of the switch), and assigning each ACL to the username/password pair or MAC address of the client(s) you want the ACLs to support
Using RADIUS to dynamically apply ACLs to clients on edge ports enables the switch to filter IP traffic coming from outside the network, thus removing unwanted IP traffic as soon as possible and helping to improve system performance. Also, applying RADIUS-assigned ACLs to the network edge is likely to be less complex than configuring static port and VLAN-based ACLs in the network core to filter unwanted IP traffic that could have been filtered at the edge.
A RADIUS-assigned ACL filters inbound IP traffic on a given port from the client whose authentication triggered the ACL assignment to the port.
A RADIUS-assigned ACL can be applied regardless of whether IP traffic on the port is already being filtered by other, statically assigned ACLs. The following table lists the supported per-port ACL assignment capacity.
ACLs enhance network security by blocking selected IP traffic, and can serve as one aspect of network security. However, because ACLs do not protect from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete edge security solution.
Depending on the ACL configuration in the RADIUS server, the ACLs described in this section filter either IPv4 traffic only or both IPv4 and IPv6 traffic. These ACLs do not filter non-IP traffic such as AppleTalk and IPX.
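The ACL itself is never configured on the switch; it arrives as attributes in the RADIUS Access-Accept for the authenticated client, and the choice between IPv4-only and IPv4-plus-IPv6 filtering is likewise made by what the server sends. The following Python example, added here and not taken from the switch documentation or from any vendor code, encodes and decodes those attributes so the wire format and its 253-byte per-attribute limit are visible. Its attribute numbers are assumptions taken from the FreeRADIUS dictionaries rather than from this page: Nas-Filter-Rule is standard attribute 92 (RFC 4849); the HP VSAs ride in Vendor-Specific (26) under IANA enterprise number 11, with HP-Nas-Filter-Rule as vendor-type 61 and HP-Nas-Rules-IPv6 as vendor-type 63 (1 meaning filter both IPv4 and IPv6). The ACE strings, the one-ACE-per-attribute packing and the sample ACL are constructed for illustration.

```python
"""Encode and decode the RADIUS Access-Accept attributes that carry a
RADIUS-assigned ACL. Added example, not code from the switch documentation.

Assumptions (from the FreeRADIUS dictionaries, not from this page):
  * Nas-Filter-Rule is standard attribute 92 (RFC 4849).
  * HP VSAs ride in Vendor-Specific (26) with IANA enterprise number 11;
    HP-Nas-Filter-Rule is vendor-type 61 (string) and HP-Nas-Rules-IPv6 is
    vendor-type 63 (integer, 1 = filter IPv4 and IPv6).
  * Each ACE is sent as its own attribute instance, in evaluation order.
"""
import struct

NAS_FILTER_RULE = 92
VENDOR_SPECIFIC = 26
HP_VENDOR_ID = 11
HP_NAS_FILTER_RULE = 61
HP_NAS_RULES_IPV6 = 63
MAX_VALUE_LEN = 253   # RFC 2865: the Length byte counts Type+Length+Value, max 255

# Constructed sample ACL in the switch's ACE grammar (an assumption): deny
# telnet to one host, allow web and DNS, drop everything else from the client.
SAMPLE_ACES = [
    "deny in tcp from any to 10.10.10.1 23",
    "permit in tcp from any to any 80",
    "permit in udp from any to any 53",
    "deny in ip from any to any",
]


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (RFC 2865 section 5)."""
    if len(value) > MAX_VALUE_LEN:
        raise ValueError(
            f"attribute {attr_type}: {len(value)}-byte value does not fit in one attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_hp_vsa(vendor_type: int, data: bytes) -> bytes:
    """Wrap vendor data in Vendor-Specific: Vendor-Id, Vendor-Type, Vendor-Length, data."""
    inner = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", HP_VENDOR_ID) + inner)


def build_acl_attributes(aces, ipv6=False, use_vsa=True) -> bytes:
    """Attribute bytes a RADIUS server would append to the Access-Accept.

    ipv6=True adds HP-Nas-Rules-IPv6 = 1 so the ACL filters both IPv4 and
    IPv6; without it the ACL applies to IPv4 only (assumption).
    use_vsa selects HP-Nas-Filter-Rule (VSA) or the standard Nas-Filter-Rule.
    An ACE too long for one attribute is rejected rather than silently cut.
    """
    out = bytearray()
    if ipv6:
        out += encode_hp_vsa(HP_NAS_RULES_IPV6, struct.pack("!I", 1))
    for ace in aces:
        data = ace.encode("ascii")
        out += encode_hp_vsa(HP_NAS_FILTER_RULE, data) if use_vsa else encode_attr(NAS_FILTER_RULE, data)
    return bytes(out)


def parse_acl_attributes(blob: bytes):
    """Walk the TLVs and recover (ACE list, ipv6 flag); unrelated attributes are skipped."""
    aces, ipv6, pos = [], False, 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed attribute length")
        value = blob[pos + 2:pos + alen]
        pos += alen
        if atype == NAS_FILTER_RULE:
            aces.append(value.decode("ascii"))
        elif atype == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", HP_VENDOR_ID):
            if len(value) < 6:
                raise ValueError("HP VSA too short for Vendor-Type/Vendor-Length")
            vtype, vlen = value[4], value[5]
            vdata = value[6:4 + vlen]
            if vtype == HP_NAS_FILTER_RULE:
                aces.append(vdata.decode("ascii"))
            elif vtype == HP_NAS_RULES_IPV6:
                ipv6 = struct.unpack("!I", vdata)[0] == 1
    return aces, ipv6


if __name__ == "__main__":
    blob = build_acl_attributes(SAMPLE_ACES, ipv6=True)
    print(f"{len(blob)} bytes of attributes:", blob.hex())
    print(parse_acl_attributes(blob))
```

Two points the encoder makes concrete: the order of the attribute instances is the order in which the switch evaluates the ACEs, so the final catch-all rule has to be sent last, and a single ACE cannot exceed one attribute (247 bytes of text inside a VSA, 253 in the standard attribute), which is why the function refuses an oversized rule instead of truncating it into something that still parses but no longer says what the administrator meant.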
The values in the following table are subject to resource availability on the switch. For more information, see the appendix titled "Monitoring Resources" in the latest management and configuration guide for your switch.
ACL type | Function | IPv4 | IPv6
---|---|---|---
VACL | Static ACL assignment to filter inbound IP traffic on a specific VLAN. | 1 in, 1 out | 1
Port ACL | Static ACL assignment to filter inbound IP traffic on a specific port. | 1 | 1
RADIUS-assigned ACL | Dynamic ACL assignment to filter inbound IP traffic from a specific client on a given port. | 1-32¹ | 1-32¹
RACL (IPv4 only) | Static ACL assignment to filter routed IPv4 traffic entering or leaving the switch on a specific VLAN. | 1 in, 1 out | n/a
Connection-rate ACL | Static ACL assignment for virus throttling on a specific port. | 1 | n/a

¹ One per authenticated client, up to a maximum of 32 clients per port for 802.1X, web-based authentication, and MAC authentication methods combined.