Specifications

Mapping Security ACLs

15-14 Configuring and Managing Security ACLs

WhenassignedtheFilter‐Idattribute,anauthenticateduserwithacurrentsessionreceives

packetsbasedonthesecurityACL.Forexample,torestrictincomingpacketsforNatashato

thosespecifiedinacl‐222,typethefollowingcommand:

RBT-8100# set user Natasha attr filter-id acl-222.in

success: change accepted.

YoucanalsomapasecurityACLtoausergroup.Fordetails,see“AssigningaSecurityACLtoa

UseroraGroup”onpage 17‐48.Formoreinformationaboutauthenticatingand authorizing

users,see“AboutAdministrativeAccess”onpage 3‐4and“AAAToolsforNetworkUsers”

on

page 17‐8.

Mapping Security ACLs to VLANs, Virtual Ports, or

Distributed APs

SecurityACLscanbemappedtoVLANs,virtualports,andDistributedAPs.Usethefollowing

command:

set security acl map acl-name {vlan vlan-id | port port-list [tag tag-value] |

dap dap-num} {in | out}

SpecifythenameoftheACL,VLAN,tagvalue(s)ofthevirtualport,orthenumberofthe

DistributedAPtowhichtheACListobemapped,andthedirectionforpacketfiltering.For

virtualportsorDistri butedAPs,youcanspecifyasinglevalue,acomma‐separatedlistof

values,

ahyphen‐separatedrange,oranycombination,withnospaces.

Example

TomapsecurityACLacl‐222tovirtualports 1through3and5onport 2tofilterincomingpackets,

typethefollowingcommand:

RBT-8100# set security acl map acl-222 port 2 tag 1-3,5 in

success: change accepted.

PlanyoursecurityACLmapstoVLANs,virtualports,andDistributedAPssothatonlyone

securityACLfiltersaflowofpackets.IfmorethanonesecurityACLfi ltersthesametraffic,you

cannotguaranteetheorderinwhichtheACErulesareapplied.

User authenticated by a MAC address set mac-user username attr filter-id

acl-name.in

set mac-user username attr filter-id

acl-name.out

Mapping Target Commands