Traffic Applications - HP 2530 Manual Supplement

Traffic applications

The switch supports RADIUS-assigned ACLs for the following traffic applications:
- Inbound IPv4 traffic only
- Inbound IPv4 and IPv6 traffic
This feature is designed for use on the network edge to accept RADIUS-assigned ACLs for Layer-3
filtering of IP traffic entering the switch from authenticated clients. A given RADIUS-assigned ACL
is identified by a unique username/password pair or client MAC address, and applies only to IP
traffic entering the switch from clients that authenticate with the required unique credentials. The
switch allows multiple RADIUS-assigned ACLs on a given port, up to the maximum number of
authenticated clients allowed on the port. Also, a RADIUS-assigned ACL for a given client's traffic
can be assigned regardless of whether other ACLs assigned to the same port are statically configured
on the switch.
A RADIUS-assigned ACL filters IP traffic entering the switch from the client whose authentication
caused the ACL assignment. Filter criteria are based on:
- Destination address
- IPv4 or IPv6 traffic type (such as TCP and UDP traffic)
Implementing the feature requires:
- RADIUS authentication using the 802.1X, web-based authentication, or MAC authentication available on the switch to provide client authentication services
- Configuring one or more ACLs on a RADIUS server (instead of the switch), and assigning each ACL to the username/password pair or MAC address of the clients you want the ACLs to support
Using RADIUS to dynamically apply ACLs to clients on edge ports enables the switch to filter IP
traffic coming from outside the network, thus removing unwanted IP traffic as soon as possible and
helping improve system performance. Also, applying RADIUS-assigned ACLs to the network edge
is often less complex than configuring static port and VLAN-based ACLs in the network core to
filter unwanted IP traffic that could be filtered at the edge.
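A pre-deployment check for ACL entries kept on the RADIUS server, added here as an example and not taken from the HP manual. The entry form ("permit in tcp from any to 10.0.8.15"), the protocol subset, the function names and the sample clients are assumptions for illustration; the check enforces only what this section states: inbound direction, filtering on destination address and IP traffic type, IPv4-only versus IPv4 and IPv6, and no more ACLs on a port than its authenticated-client limit.

```python
import ipaddress
import re

# Assumed entry form (illustrative): "<action> <dir> <proto> from <src> to <dst>"
ENTRY = re.compile(r"^(permit|deny)\s+(\S+)\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)$", re.I)
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}  # constructed subset of IP traffic types

# Constructed sample: two clients on one edge port, keyed by username or MAC.
SAMPLE = {
    "alice": ["permit in tcp from any to 10.0.8.15", "deny in ip from any to any"],
    "0018fe-a1b2c3": ["deny out udp from any to 10.0.9.0/24",
                      "permit in tcp from any to 2001:db8::10"],
}


def check_entry(entry, allow_ipv6=False):
    """Return the problems found in one RADIUS-side ACL entry (empty list = OK)."""
    m = ENTRY.match(entry.strip())
    if not m:
        return ["unparseable entry"]
    _action, direction, proto, source, dest = (g.lower() for g in m.groups())
    problems = []
    if direction != "in":
        problems.append("only inbound traffic is filtered")
    if proto not in PROTOCOLS:
        problems.append(f"unknown IP traffic type {proto!r}")
    if source != "any":
        # The ACL already applies only to the authenticated client's traffic.
        problems.append("source is not a filter criterion; the client is implied")
    if dest != "any":
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            problems.append(f"bad destination {dest!r}")
        else:
            if net.version == 6 and not allow_ipv6:
                problems.append("IPv6 destination in an IPv4-only ACL")
    return problems


def check_port(acls_by_client, max_clients, allow_ipv6=False):
    """Check each client's ACL on one port; returns {client: [problems]}."""
    report = {}
    if len(acls_by_client) > max_clients:
        report["<port>"] = [f"{len(acls_by_client)} ACLs exceed the {max_clients}-client limit"]
    for client, entries in acls_by_client.items():
        found = [f"{e!r}: {p}" for e in entries for p in check_entry(e, allow_ipv6)]
        if found:
            report[client] = found
    return report
```

Running `check_port(SAMPLE, max_clients=2)` reports only the MAC-authenticated client, once for the outbound entry and once for the IPv6 destination in an IPv4-only ACL.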
NOTE:
A RADIUS-assigned ACL filters inbound IP traffic on a given port from the client whose
authentication triggered the ACL assignment to the port.
A RADIUS-assigned ACL can be applied regardless of whether IP traffic on the port is already
being filtered by already assigned static ACLs.
"Simultaneous ACL activity supported per-port" (page 38) lists supported per-port ACL assignment capacity.
ACLs enhance network security by blocking selected IP traffic, and are one aspect of network
security. However, because ACLs do not protect from malicious manipulation of data carried in IP
packet transmissions, do not rely on them for a complete edge security solution.
The ACLs described in this section do not filter non-IP traffic such as AppleTalk and IPX.
Configuring RADIUS server support for switch services