HP ProCurve 6400cl Series Access Security Manual page 177

RADIUS Authentication and Accounting
Configuring a RADIUS Server To Specify Per-Port CoS and Rate-Limiting Services
(manual page 6-37)

Where two authenticated clients are using RADIUS-based ACLs on the same port, the total number of ACEs in both active sessions cannot exceed the maximum.

Item                                                        Limit
Maximum Number of Characters in a single ACE                80
Maximum Number of (optional) Internal Counters Used         100
  Per-Module

Notes (Internal Counters Used Per-Module): Depending on how an ACE is formed, using the cnt (counter) option consumes one or more internal counters. Using a counter in an ACE that does not specify TCP or UDP port numbers uses one counter. Using a counter in an ACE that includes TCP or UDP port numbers uses one or more counters, depending on the port number groupings. A single TCP or UDP port number, or a series of contiguous port numbers, comprises one group. For example, "80" and "137-146" each form one group, while "135, 137-140, 143" in a given ACE forms three groups. The following ACE examples illustrate how the switch calculates internal counter groups.

Examples of ACEs Employing Counters                                  Internal Counters
deny in ip from any to any cnt                                       1
deny in tcp from any to any cnt                                      1
deny in tcp from any to any 80 cnt                                   1
permit in tcp from any to any 135, 137-146, 445 cnt                  3
permit in tcp from any to any 135-137, 139, 141, 143, 146, 445 cnt   6
permit in tcp from any to any 135-146, 445 cnt                       2

Effect of VLAN-Based ACLs Configured on the Switch: A port receiving a dynamic, RADIUS-based ACL assignment can also belong to a VLAN for which there is an inbound ACL statically configured (on the switch). In this case, an IP packet permitted by the RADIUS-based ACL will also be filtered by the VLAN-based ACL if the inbound client packets are routed or have a DA on the switch itself. If the RADIUS-based ACL permits the packet, but the VLAN-based, inbound ACL denies the packet, then the packet is dropped. If the RADIUS-based ACL denies the packet, then the packet is dropped and does not reach the VLAN-based, inbound ACL. (RADIUS-based ACLs operate only on inbound IP traffic, and are not a factor for the traffic filtered by VLAN-based, outbound ACLs.)

A RADIUS-Based ACL Affects Only the Inbound Traffic from a Specific, Authenticated Client: A RADIUS-based ACL assigned to a port as the result of a client authenticating on that port applies only to the inbound traffic received on that port from that client. It does not affect the traffic received from any other authenticated clients on that port, and does not affect any outbound traffic on that port.
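The counter-group rules above can be checked before an ACL is pushed from the RADIUS server. The following is an added example, not code from the HP manual: it reproduces the page's six ACE examples and flags sessions that would exceed the 80-character and 100-counter limits. It assumes single-token addresses, a port list that follows the destination address, and that every comma-separated port entry counts as one group, as in the manual's examples.

```python
import re

# Added example (not from the HP manual) modelling the counter rules on this
# page. Assumptions: addresses are single tokens ("any", "10.1.1.0/24"), any
# port list follows the destination address, and each comma-separated entry
# is one group, as in the manual's examples (adjacent entries are not merged).

MAX_ACE_CHARS = 80             # Maximum Number of Characters in a single ACE
MAX_COUNTERS_PER_MODULE = 100  # Maximum Number of Internal Counters Used Per-Module
_PORT_ENTRY = re.compile(r"^(\d+)(?:-(\d+))?$")

def port_groups(port_list: str) -> list:
    """'135, 137-146, 445' -> [(135, 135), (137, 146), (445, 445)]."""
    groups = []
    for entry in port_list.split(","):
        entry = entry.strip()
        if not entry:
            continue
        m = _PORT_ENTRY.match(entry)
        if not m:
            raise ValueError(f"unrecognised port entry {entry!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {entry!r}")
        groups.append((lo, hi))
    return groups

def internal_counters(ace: str) -> int:
    """Internal counters one ACE consumes; 0 when it carries no 'cnt' option."""
    words = ace.split()
    if not words or words[-1].lower() != "cnt":
        return 0
    body = words[:-1]  # [permit|deny, in, proto, from, src, to, dst, ports...]
    if len(body) < 7 or body[3].lower() != "from" or body[5].lower() != "to":
        raise ValueError(f"unexpected ACE form {ace!r}")
    if body[2].lower() not in ("tcp", "udp"):
        return 1                      # no TCP/UDP ports: always one counter
    port_text = " ".join(body[7:])    # everything after the destination address
    return len(port_groups(port_text)) if port_text else 1

def check_session(aces: list) -> tuple:
    """Total counters for a set of ACEs plus any limit violations found."""
    problems = [f"ACE longer than {MAX_ACE_CHARS} characters: {a!r}"
                for a in aces if len(a) > MAX_ACE_CHARS]
    total = sum(internal_counters(a) for a in aces)
    if total > MAX_COUNTERS_PER_MODULE:
        problems.append(f"{total} counters exceed the per-module limit of {MAX_COUNTERS_PER_MODULE}")
    return total, problems
```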