Product guide
7-9
Configuring RADIUS Server Support for Switch Services
Configuring and Using RADIUS-Assigned Access Control Lists
• RACL: an ACL assigned to filter routed traffic entering or leaving the
switch on a VLAN. (Separate assignments are required for inbound
and outbound traffic.)
• VACL: an ACL assigned to filter inbound traffic on a specific VLAN
configured on the switch
• Static Port ACL: an ACL assigned to filter inbound traffic on a specific
switch port
• Dynamic Port ACL: dynamic ACL assigned to a port by a RADIUS
server to filter inbound traffic from an authenticated client on that
port
An ACL can be configured on an interface as an RACL, VACL, or static
port ACL. (Dynamic port ACLs are configured on a RADIUS server.)
ACL Mask: Follows a destination IP address listed in an ACE. Defines which
bits in a packet’s corresponding IP addressing must exactly match the IP
addressing in the ACE, and which bits need not match (wildcards).
DA: The acronym for Destination IP Address. In an IP packet, this is the
destination IP address carried in the header, and identifies the destination
intended by the packet’s originator.
Deny: An ACE configured with this action causes the switch to drop a packet
for which there is a match within an applicable ACL.
Deny Any Any: An abbreviated form of deny in ip from any to any, which denies
any inbound IP traffic from any source to any destination.
Dynamic Port ACL: An ACL application type in which the ACL is assigned
by a RADIUS server to a port to filter all inbound IP traffic from a client
authenticated by the server for that port, regardless of whether the traffic
is switched or routed. Filtering can be specified to include all IP traffic or
specific IP applications or protocol types. Destination criteria can include
a single destination IP address, a group of contiguous IP addresses, an IP
subnet, or any IP destination. (Other, statically configured ACL application
types are described in the chapter titled “Access Control Lists (ACLs)”
in the Advanced Traffic Management Guide for your switch.)
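The following is an added example, not part of this guide or of the switch firmware: a small first-match evaluator for ACEs written in the form this guide shows (`deny in ip from any to any`, `permit in ip from any to any`). It illustrates the three glossary points at once: the ACL Mask (which destination bits must match and which are wildcards), the destination criteria a dynamic port ACL can carry (a single host, a subnet, or any), and the implicit deny that applies when no ACE matches. The CIDR destinations, the `tcp`/`udp` protocol keywords and the trailing destination port are illustrative assumptions for the example only; the mask is expressed as a prefix length rather than a separate mask field.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not the guide's own code): a first-match evaluator for ACEs in
# the "permit|deny in <proto> from <src> to <dst> [port]" form. CIDR
# destinations, tcp/udp keywords and ports are assumptions for illustration.


@dataclass
class Ace:
    action: str                            # "permit" or "deny"
    proto: str                             # "ip" (any IP protocol), "tcp" or "udp"
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[ipaddress.IPv4Network]   # None means "any"
    dport: Optional[int]                   # None means any destination port


def _net(token: str) -> Optional[ipaddress.IPv4Network]:
    """'any' -> None; a host or CIDR string -> network (a bare host becomes /32)."""
    if token == "any":
        return None
    return ipaddress.ip_network(token, strict=False)


def parse_ace(text: str) -> Ace:
    """Parse e.g. 'deny in ip from any to any' or 'permit in tcp from any to 10.10.10.1 80'."""
    t = text.split()
    if len(t) not in (7, 8) or t[1] != "in" or t[3] != "from" or t[5] != "to":
        raise ValueError(f"unrecognised ACE: {text!r}")
    action, proto = t[0], t[2]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unrecognised ACE: {text!r}")
    dport = int(t[7]) if len(t) == 8 else None
    if dport is not None and proto == "ip":
        raise ValueError("a destination port is only meaningful for tcp or udp")
    return Ace(action, proto, _net(t[4]), _net(t[6]), dport)


def describe_mask(ace_text: str):
    """Return (bits that must match, wildcard bits) for the ACE's destination address."""
    dst = parse_ace(ace_text).dst
    if dst is None:
        return ("0.0.0.0", "255.255.255.255")   # "any": no destination bit has to match
    return (str(dst.netmask), str(dst.hostmask))


def matches(ace: Ace, pkt: dict) -> bool:
    """True when every criterion of the ACE is satisfied by the packet."""
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if ace.src is not None and ipaddress.ip_address(pkt["src"]) not in ace.src:
        return False
    if ace.dst is not None and ipaddress.ip_address(pkt["dst"]) not in ace.dst:
        return False
    if ace.dport is not None and pkt.get("dport") != ace.dport:
        return False
    return True


def evaluate(acl_text, pkt: dict) -> str:
    """The first matching ACE decides; no match falls through to the implicit 'deny ip any any'."""
    for line in acl_text:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed sample ACL: one host/port permitted, the rest of its subnet denied,
# everything else explicitly permitted (which preempts the implicit deny).
SAMPLE_ACL = [
    "permit in tcp from any to 10.10.10.1 80",
    "deny in ip from any to 10.10.10.0/24",
    "permit in ip from any to any",
]

# Constructed sample packets (values chosen only for the demonstration).
WEB_TO_HOST = {"proto": "tcp", "src": "10.0.0.5", "dst": "10.10.10.1", "dport": 80}
TLS_TO_HOST = {"proto": "tcp", "src": "10.0.0.5", "dst": "10.10.10.1", "dport": 443}
DNS_ELSEWHERE = {"proto": "udp", "src": "10.0.0.5", "dst": "192.168.1.1", "dport": 53}

if __name__ == "__main__":
    for name, pkt in [("web", WEB_TO_HOST), ("tls", TLS_TO_HOST), ("dns", DNS_ELSEWHERE)]:
        print(name, evaluate(SAMPLE_ACL, pkt))
    # Without the trailing "permit in ip from any to any", the DNS packet hits the implicit deny.
    print("dns, implicit deny:", evaluate(SAMPLE_ACL[:2], DNS_ELSEWHERE))
    print("mask for 10.10.10.0/24:", describe_mask(SAMPLE_ACL[1]))
```

Running the block shows the same ordering effect the glossary describes: the TLS packet to 10.10.10.1 is dropped by the subnet deny even though a permit for that host exists, because the permit is restricted to port 80 and evaluation stops at the first match; removing the final `permit in ip from any to any` turns every unmatched packet into an implicit deny.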
Implicit Deny: If the switch finds no matches between an inbound packet
and the configured criteria in an applicable ACL, then the switch denies
(drops) the packet with an implicit “deny IP any/any” operation. You can
preempt the implicit “deny IP any/any” in a given ACL by configuring
permit in ip from any to any as the last explicit ACE in the ACL. Doing so
permits any inbound IP packet that is not explicitly permitted or denied