Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

301

302

303

304

305

306

307

308

309

310

About Security Access Control Lists

RoamAbout Mobility System Software Configuration Guide 15-3

YoucannotperformACLfunctionsthatincludepermitting,denying,ormarkingwithaClassof

Service(CoS)levelonpacketswithamulticastorbroadcastdestinationaddress.

Order in Which ACLs are Applied to Traffic

MSSprovidesdifferentscopes(levelsofgranularity)forACLs.YoucanapplyanACLtoanyof

thefollowingscopes:

•User

•VLAN

•Virtualport(physicalportsplusspecificVLANtags)

•PhysicalPort(networkportsorDistributedMPs)

MSSbeginscomparingtraffictoACLsintheorderthescopesarelistedabove.IfanACL

is

mappedtomorethanoneofthesescopes,thefirstACLthatmatchesthepacketisappliedand

MSSdoesnotcomparethepackettoanymoreACLs.Forexample,ifdifferentACLsaremapped

tobothauserandaVLAN,andauser’strafficcanmatchbothACLs,

onlytheACLmappedtothe

userisapplied.

Traffic Direction

AnACLcanbemappedatanyscopetoeithertheinboundtrafficdirectionortheoutboundtraffic

direction.ItisthereforepossiblefortwoACLstobeappliedtothesametrafficasittraversesthe

system:oneACLisappliedontheinbounddirectionandtheotherisapplied

ontheoutbound

direction.WhenyoumapanACLtooneofthescopeslistedabove,youalsospecifythetraffic

directiontowhichtheACLapplies.

Selection of User ACLs

Identity‐basedACLs(ACLsmappedtousers)takeprecedenceoverlocation‐basedACLs(ACLs

mappedtoVLANs,ports,virtualports,orDistributedMPs).

ACLscanbemappedtoauserinthefollowingways:

• Locationpolicy(inacloroutaclisconfiguredonthelocationpolicy)

•Usergroup(attrfilter‐idacl

‐name.inorattrfilter‐idacl‐name.outisconfiguredontheuser

group)

•Individualuserattribute(attrfilter‐idacl‐name.inorattrfilter‐idacl‐name.outisconfigured

ontheindividualuser)

•SSIDdefault(attrfilter‐idacl‐name.inorattrfilter‐idacl‐name.outis

configuredontheSSID’s

serviceprofile)

Theuser’sACLcomesfromonlyoneofthesesources.Thesourcesarelistedinorderfromhighest

precedencetolowestprecedence.Forexample,ifauserassociateswithanSSIDthathasadefault

ACLconfigured,butalocationpolicyisalsoapplicableto

theuser,theACLconfiguredonthe

locationpolicyisused.