HP ProCurve Series 3400cl Release Notes page 60

Procurve series

Hide thumbs Also See for ProCurve Series 3400cl:

Management manual (664 pages)

Management and configuration manual (508 pages)

Access security manual (404 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

page of 197

/ 197
Contents
Table of Contents
Bookmarks

Table of Contents

Enhancements

Release M.10.02 Enhancements

the client MAC address is the selection criteria, only the client having that MAC address can use the

corresponding ACL. When a RADIUS server authenticates a client, it also assigns the ACL configured

with that client's credentials to the port. The ACL then filters the client's inbound IP traffic and denies

(drops) any such traffic from the client that is not explicitly permitted by the ACL. (Every ACL ends

with an implicit deny in ip from any to any ("deny any any") ACE that denies IP traffic not specifically

permitted by the ACL.) When the client session ends, the switch removes the RADIUS-based ACL

from the client port.

When multiple clients supported by the same RADIUS server use the same credentials, they will all

be serviced by different instances of the same ACL. (The actual traffic inbound from any client on

the switch carries a source MAC address unique to that client. The RADIUS-based ACL uses this MAC

address to identify the traffic to be filtered.)

Notes

On any ACL assigned to a port, there is an implicit deny in ip from any to any ("deny any any") command

that results in a default action to deny any inbound IP traffic that is not specifically permitted by the

ACL. To reverse this default, use an explicit "permit any" as the last ACE in the ACL.

On a given port, RADIUS-based ACL filtering occurs only for the inbound traffic from the client whose

authentication caused a RADIUS-based ACL assignment. Inbound traffic from any other source,

including a second, authenticated client (on the same port) will be denied.

The Packet-filtering Process

Sequential Comparison and Action. When an ACL filters a packet from an authenticated client,

it sequentially compares each ACE's filtering criteria to the corresponding data in the packet until it

finds a match. The action indicated by the matching ACE (deny or permit) is then performed on the

packet.

Implicit Deny. If a packet from the authenticated client does not have a match with the criteria in

any of the ACEs in the ACL, the ACL denies (drops) the packet. If you need to override the implicit

deny so that a packet (from the authenticated client) that does not have a match will be permitted,

then you can use the "permit any" option as the last ACE in the ACL. This directs the ACL to permit

(forward) packets that do not have a match with any earlier ACE listed in the ACL, and prevents

these packets from being filtered by the implicit "deny any". (Note that the "permit any" option applies

only to packets from the client whose authentication caused the assignment of the ACL to the port.)

Table of Contents

This manual is also suitable for:

Procurve 3400cl-48g Procurve 6400cl-6xg Procurve 6410cl-6xg Procurve 3400cl-24g

HP ProCurve Series 3400cl Release Notes page 60

Related Manuals for HP ProCurve Series 3400cl

Related Products for HP ProCurve Series 3400cl

This manual is also suitable for:

Table of Contents