HP ProCurve Series 3400cl Release Notes page 66

Enhancements
Release M.10.02 Enhancements
Explicitly Denying Any IP Traffic: Entering a deny in ip from any to any ACE in an ACL
denies all IP traffic not previously permitted or denied by that ACL. Any ACEs listed after
that point have no effect.
Implicitly Denying Any IP Traffic: For any packet being filtered by an ACL, there will
always be a match. Included in every ACL is an implicit deny in ip from any to any. This means
that the ACL denies any IP packet it filters that does not have a match with an explicitly
configured ACE. Thus, if you want an ACL to permit any packets that are not explicitly
denied, you must configure permit in ip from any to any as the last explicit ACE in the ACL.
Because, for a given packet, the switch sequentially applies the ACEs in an ACL until it finds
a match, any packet that reaches the permit in ip from any to any entry will be permitted, and
will not reach the implicit deny in ip from any to any ACE that is included at the end of the ACL.
For an example, refer to Figure 5 on page 53.
Determine the order in which you want the individual ACEs in the ACL to filter inbound
traffic from a client. A general guideline is to arrange the ACEs in the expected order of
decreasing application frequency. This will result in the most prevalent traffic types finding
a match earlier in the ACL than traffic types that are more infrequent, thus saving processing
cycles.
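As an added illustration (this is not code from the HP release notes), the following Python simulator applies the first-match and implicit-deny rules described above to a constructed ACL and also reports the ACEs that can never take effect after an explicit "deny in ip from any to any". It goes beyond the page's "ip from any to any" form: the "host A.B.C.D" and "A.B.C.D/len" destinations and the tcp/udp protocol keywords are assumptions made for the example.

```python
# Added example, not from the HP release notes: first-match evaluation of
# ACEs shaped like "<permit|deny> in <ip|tcp|udp> from any to <dst>", where
# <dst> is "any", "host A.B.C.D" or "A.B.C.D/len" (assumed forms; the page
# itself only shows "ip from any to any").
import ipaddress
from typing import List, Optional, Tuple

def parse_ace(text: str) -> Tuple[str, str, ipaddress.IPv4Network]:
    """Return (action, protocol, destination network) for one ACE."""
    t = text.split()
    if len(t) < 7 or t[0] not in ("permit", "deny") or t[1] != "in" \
            or t[3:6] != ["from", "any", "to"]:
        raise ValueError("unsupported ACE syntax: %r" % text)
    if t[6] == "any":
        dst = ipaddress.IPv4Network("0.0.0.0/0")
    elif t[6] == "host":
        dst = ipaddress.IPv4Network(t[7] + "/32")
    else:
        dst = ipaddress.IPv4Network(t[6], strict=False)
    return t[0], t[2], dst

def evaluate(acl: List[str], proto: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """Apply the ACEs in order and stop at the first match.  Returns the action
    and the index of the matching ACE, or ("deny", None) when the packet falls
    through to the implicit 'deny in ip from any to any' at the end."""
    addr = ipaddress.IPv4Address(dst_ip)
    for i, line in enumerate(acl):
        action, ace_proto, dst = parse_ace(line)
        # "ip" matches every IP protocol; tcp/udp match only their own packets
        if ace_proto in ("ip", proto) and addr in dst:
            return action, i
    return "deny", None

def unreachable_aces(acl: List[str]) -> List[int]:
    """Indices of ACEs that can never match because an earlier
    '<permit|deny> in ip from any to any' already catches every packet."""
    for i, line in enumerate(acl):
        _, ace_proto, dst = parse_ace(line)
        if ace_proto == "ip" and dst.prefixlen == 0:
            return list(range(i + 1, len(acl)))
    return []

# Constructed sample ACL: the explicit permit-any at the end keeps traffic that
# matched nothing else from reaching the implicit deny.
SAMPLE_ACL = [
    "deny in tcp from any to host 10.1.1.10",
    "permit in ip from any to 10.1.0.0/16",
    "permit in ip from any to any",
]
```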
Operating Rules for RADIUS-Based ACLs
ACL Assignments Per-Port: One RADIUS-assigned ACL is allowed per-port.
Port Trunks Excluded: RADIUS-assigned ACLs cannot be assigned to a port trunk.
Relating a Client to a RADIUS-Based ACL: A RADIUS-based ACL for a particular client
must be configured in the RADIUS server under the authentication credentials the server
should expect for that client. (If the client must authenticate using 802.1X and/or Web
Authentication, the username/password pair forms the credential set. If authentication is
through MAC Authentication, then the client MAC address forms the credential set.) For more on this topic, refer to "Configuring an ACL in a RADIUS Server" on page 58.
Multiple Clients Using the Same Username/Password Pair: Multiple clients using the same username/password pair will use duplicate instances of the same ACL.
RADIUS-Based ACL Not Allowed on a Port that has a Statically-Configured ACL: Where a RADIUS server is configured to assign an ACL when a given client authenticates, if the port used by that client is already statically configured with a port-based ACL in the switch configuration, then the RADIUS-based ACL is not accepted and the client is de-authenticated.
A RADIUS-Based ACL Affects Only the Inbound Traffic from a Specific, Authenticated Client: A RADIUS-based ACL assigned to a port as the result of a client authenticating on that port applies only to the inbound traffic received on that port from that client. It does not affect the traffic received from any other authenticated clients on that port, and does not affect any outbound traffic on that port.