HP ProCurve Series 3400cl Release Notes page 67

Enhancements
Release M.10.02 Enhancements

Limits for RADIUS-Based ACLs, Associated ACEs, and Counters

Table 5 describes limits the switch supports in ACLs applied by a RADIUS server. Exceeding a limit causes the related client authentication to fail.

Table 5. Limits Affecting RADIUS-Based ACL Applications

Item: Maximum Number of Authenticated Client Sessions Per-Port Using RADIUS-based ACLs
Limit: 1
Notes: One RADIUS-based ACL can operate on a given port at a time. If an authenticated client is already using a RADIUS-based ACL on a port and a second client requiring a RADIUS-based ACL attempts to authenticate on the same port, the attempt by the second client will fail.

Item: Maximum Number of (internal) ACEs Per-Port, and Maximum Number of (internal) ACEs Per-ACL
Limit: Up to 120*
Notes: Depending on how a RADIUS-assigned ACE is formed, it can consume multiple internal ACEs. A RADIUS-assigned ACE that does not specify TCP or UDP port numbers uses one internal ACE. However, an ACE that includes TCP or UDP port numbers uses one or more internal ACE resources, depending on the port number groupings. A single TCP or UDP port number or a series of contiguous port numbers comprise one group. For example, "80" and "137-146" each form one group. "135, 137-140, 143" in a given ACE form three groups. The following ACE examples illustrate how the switch applies internal ACE usage.

Examples of Single and Multiple (Internal) ACEs Per-Port             Internal ACEs
deny in ip from any to any                                            1
deny in tcp from any to any                                           1
deny in tcp from any to any 80                                        1
permit in tcp from any to any 135, 137-146, 445                       3
permit in tcp from any to any 135-137, 139, 141, 143, 146, 445        6
permit in tcp from any to any 135-146, 445                            2

Note:

*Uses shared internal resources, which can affect the per-port availability of internal ACEs. Refer to the section titled "Planning an ACL Application on a Series 3400cl or 6400cl Switch" in the chapter titled "Access Control Lists (ACLs) for the Series 3400cl and 6400cl Switches" in the Advanced Traffic Management Guide for your switch model. Use the show access-list resources command to view the current resources available for the ports on the switch.

Item: Maximum Number of Characters in an ACE
Limit: 80

Item: Maximum Number of (optional) Internal Counters Used Per-ACL
Limit: 32
Notes: Depending on how an ACE is formed, using the cnt (counter) option consumes one or more internal counters. Using a counter in an ACE that does not specify TCP or UDP port numbers uses one counter. Using a counter in an ACE that includes TCP or UDP port numbers uses one or more counters, depending on the port number groupings. A single TCP or UDP port number or a series of contiguous port numbers comprise one group. For example, "80" and "137-146" each form one group. "135, 137-140, 143" in a given ACE form three groups. The ACE examples below show how the switch calculates internal counter groups.

Examples of ACE Usage of Internal Counters                            Counters
deny in ip from any to any cnt                                        1
deny in tcp from any to any cnt                                       1
deny in tcp from any to any 80 cnt                                    1
permit in tcp from any to any 135, 137-146, 445 cnt                   3
permit in tcp from any to any 135-137, 139, 141, 143, 146, 445 cnt    6
permit in tcp from any to any 135-146, 445 cnt                        2
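To make the grouping rule concrete, the following Python helper (added here; it is not from the release notes or from HP) counts the internal ACEs and counters a RADIUS-assigned ACL would consume and flags an ACL that exceeds a Table 5 limit, since that is what makes the client's authentication fail. It assumes the ACE syntax of the examples above (permit|deny in proto from src to dst [ports] [cnt]) and treats each comma-separated item as one group exactly as written.

```python
import re

# Limits from Table 5 of the release notes.
MAX_ACE_CHARS = 80       # characters in one ACE
MAX_INTERNAL_ACES = 120  # internal ACEs per ACL (and per port)
MAX_COUNTERS = 32        # optional internal counters per ACL

def port_groups(ace: str) -> list[str]:
    """TCP/UDP port groups written in an ACE, e.g. ['135', '137-146', '445'].

    Assumed syntax, taken only from the page's examples:
      permit|deny in <proto> from <src> to <dst> [port[, range, ...]] [cnt]
    Each comma-separated item counts as one group exactly as written; the page
    does not say whether adjacent items are merged, so they are not merged here.
    """
    tokens = ace.split()
    if tokens and tokens[-1] == "cnt":
        tokens = tokens[:-1]
    if (len(tokens) < 7 or tokens[0] not in ("permit", "deny")
            or tokens[1] != "in" or tokens[3] != "from" or tokens[5] != "to"):
        raise ValueError(f"unrecognised ACE: {ace!r}")
    ports = " ".join(tokens[7:])
    if not ports:
        return []
    if tokens[2] not in ("tcp", "udp"):
        raise ValueError(f"port numbers require tcp or udp, got {tokens[2]!r}")
    groups = [g.strip() for g in ports.split(",") if g.strip()]
    if not all(re.fullmatch(r"\d+(-\d+)?", g) for g in groups):
        raise ValueError(f"malformed port list in {ace!r}")
    return groups

def internal_aces(ace: str) -> int:
    """Internal ACEs consumed: one per port group, or one with no port list."""
    return max(1, len(port_groups(ace)))

def internal_counters(ace: str) -> int:
    """Counters consumed: same grouping rule, but only when cnt is present."""
    return internal_aces(ace) if ace.split()[-1:] == ["cnt"] else 0

def check_acl(aces: list[str]) -> dict:
    """Total resource use of one RADIUS-assigned ACL and whether it stays within
    the Table 5 limits (exceeding one makes the client's authentication fail)."""
    total_aces = sum(internal_aces(a) for a in aces)
    total_counters = sum(internal_counters(a) for a in aces)
    too_long = [a for a in aces if len(a) > MAX_ACE_CHARS]
    ok = (total_aces <= MAX_INTERNAL_ACES and total_counters <= MAX_COUNTERS
          and not too_long)
    return {"internal_aces": total_aces, "counters": total_counters,
            "over_length": too_long, "ok": ok}
```

This is a planning aid for whoever builds the ACL on the RADIUS server; on the switch itself, show access-list resources reports what is actually available on the ports.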
57