Product guide

10-20
Access Control Lists (ACLs)
Overview
802.1X User-Based and Port-Based Applications. User-based 802.1X
access control allows up to 32 individually authenticated clients on a given
port. Port-based access control sets no client limit and requires only one
authenticated client to open a given port (it is recommended for applications
where only one client at a time can connect to the port).
If you configure 802.1X user-based security on a port and the RADIUS
response includes a dynamic port ACL for at least one authenticated
client, then the RADIUS response for every other client authenticated
on the port must also include a dynamic port ACL. Traffic on the port
from any client that authenticates without the RADIUS server
including a dynamic port ACL in its response is dropped, and that
client is de-authenticated.
With 802.1X port-based security on a port where the RADIUS
response includes a dynamic port ACL, only the first client to authenticate
can use the port; traffic from other clients is dropped.
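The admission rules above, as a worked model. This is an added illustration, not code from the ProCurve guide or from the switch firmware: it takes the clients that authenticated on one port, in order, with whether each client's RADIUS reply carried a dynamic port ACL, and reports what happens to each client in user-based and in port-based mode. The function names, the AuthResult and ClientState records, the sample MAC addresses and the ACL strings are this example's own constructions. One point is an assumption rather than something the guide states: in port-based mode, once the first client has opened the port, a later client's reply is taken not to change the port's ACL.

```python
"""Model of the 802.1X dynamic-port-ACL admission rules (illustration only).

Not ProCurve code. Client records, MAC addresses and ACL strings below are
constructed sample data; all names are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional

USER_BASED_MAX_CLIENTS = 32   # per-port limit stated for user-based mode


@dataclass(frozen=True)
class AuthResult:
    """One client's authentication outcome, listed in order of authentication."""
    mac: str
    dynamic_acl: Optional[str]  # None: the Access-Accept carried no dynamic port ACL


@dataclass(frozen=True)
class ClientState:
    mac: str
    status: str                 # "forwarding", "dropped", "deauthenticated", "rejected"
    applied_acl: Optional[str]
    reason: str


def clients_missing_acl(auths: List[AuthResult]) -> List[str]:
    """MACs whose reply has no dynamic ACL while another client's reply has one.

    An empty list means the replies are consistent for a user-based port:
    either every client received a dynamic ACL or none did.
    """
    if not any(a.dynamic_acl for a in auths):
        return []
    return [a.mac for a in auths if a.dynamic_acl is None]


def evaluate_user_based(auths: List[AuthResult]) -> List[ClientState]:
    """User-based mode: up to 32 clients, each with its own dynamic ACL (if any)."""
    admitted = auths[:USER_BASED_MAX_CLIENTS]
    missing = set(clients_missing_acl(admitted))
    states = []
    for i, a in enumerate(auths):
        if i >= USER_BASED_MAX_CLIENTS:
            states.append(ClientState(a.mac, "rejected", None,
                f"port already has {USER_BASED_MAX_CLIENTS} authenticated clients"))
        elif a.mac in missing:
            # Another client on the port got a dynamic ACL, this one did not:
            # its traffic is dropped and the client is de-authenticated.
            states.append(ClientState(a.mac, "deauthenticated", None,
                "no dynamic ACL in reply while another client's reply carried one"))
        else:
            states.append(ClientState(a.mac, "forwarding", a.dynamic_acl,
                "dynamic ACL applied" if a.dynamic_acl else "no dynamic ACLs on the port"))
    return states


def evaluate_port_based(auths: List[AuthResult]) -> List[ClientState]:
    """Port-based mode: the first authenticated client opens the port."""
    if not auths:
        return []
    opener = auths[0]
    states = [ClientState(opener.mac, "forwarding", opener.dynamic_acl,
                          "first authenticated client opened the port")]
    for a in auths[1:]:
        if opener.dynamic_acl is not None:
            # With a dynamic ACL on the port only the first client may use it.
            states.append(ClientState(a.mac, "dropped", None,
                "port-based mode with a dynamic ACL admits only the first client"))
        else:
            # Assumption (not stated in the guide): later replies do not alter
            # a port already opened without a dynamic ACL; the open port forwards.
            states.append(ClientState(a.mac, "forwarding", None,
                "port already opened by the first client; no per-client ACL"))
    return states


def evaluate_port(mode: str, auths: List[AuthResult]) -> List[ClientState]:
    if mode == "user-based":
        return evaluate_user_based(auths)
    if mode == "port-based":
        return evaluate_port_based(auths)
    raise ValueError(f"unknown 802.1X mode: {mode!r}")


if __name__ == "__main__":
    # Constructed sample: two clients with a dynamic ACL, one without.
    sample = [
        AuthResult("00:11:22:33:44:01", "permit in ip from any to 10.0.0.0/8"),
        AuthResult("00:11:22:33:44:02", None),
        AuthResult("00:11:22:33:44:03", "deny in ip from any to any"),
    ]
    print("inconsistent replies:", clients_missing_acl(sample))
    for mode in ("user-based", "port-based"):
        print(mode)
        for s in evaluate_port(mode, sample):
            print(f"  {s.mac}  {s.status:16} {s.reason}")
```

clients_missing_acl() is the check worth running before a user-based port goes live: feed it the replies your RADIUS policy would return for the clients expected on that port and it names the ones that would be de-authenticated because some other client on the same port received a dynamic ACL.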
Multiple ACLs on an Interface
Multiple ACL Assignments Allowed. The switch allows multiple ACL
applications on an interface (subject to internal resource availability). This
means that a port belonging to a given VLAN “X” can simultaneously be subject
to all of the following:
• One VACL for any IP traffic for VLAN “X” entering the switch through the port.
• One static port ACL for any IP traffic entering the switch on the port.
• One dynamic (RADIUS-assigned) port ACL applied to inbound IP traffic for each authenticated client on the port.
• One connection-rate ACL for inbound IP traffic for VLAN “X” on the port (if the port is configured for connection-rate filtering). (Refer to chapter 3, “Virus Throttling”.)
• ACL mirroring per VLAN, port, and trunk interface. (Refer to “Local and Remote Traffic Mirroring” in the appendix titled “Monitoring and Analyzing Switch Operation” in the Management and Configuration Guide for your switch.)