Access Security Guide K/KA/KB.15.15

A RADIUS-assigned ACL filters IP traffic entering the switch from the client whose authentication
caused the ACL assignment. Filter criteria are based on:
• Destination address
• IPv4 or IPv6 traffic type (such as TCP and UDP traffic)
Implementing the feature requires:
• RADIUS authentication using the 802.1X, web-based authentication, or MAC authentication
  available on the switch to provide client authentication services
• Configuring one or more ACLs on a RADIUS server (instead of the switch), and assigning each
  ACL to the username/password pair or MAC address of the client(s) you want the ACLs to
  support
Using RADIUS to dynamically apply ACLs to clients on edge ports enables the switch to filter IP
traffic coming from outside the network, thus removing unwanted IP traffic as soon as possible and
helping to improve system performance. Also, applying RADIUS-assigned ACLs to the network
edge is likely to be less complex than configuring static port and VLAN-based ACLs in the network
core to filter unwanted IP traffic that could have been filtered at the edge.
NOTE: A RADIUS-assigned ACL filters inbound IP traffic on a given port from the client whose
authentication triggered the ACL assignment to the port.
A RADIUS-assigned ACL can be applied regardless of whether IP traffic on the port is already
being filtered by other, statically assigned ACLs. “Simultaneous ACL activity supported per-port”
(page 215) lists the supported per-port ACL assignment capacity.
ACLs enhance network security by blocking selected IP traffic, and can serve as one aspect of
network security. However, because ACLs do not protect from malicious manipulation of data
carried in IP packet transmissions, they should not be relied upon for a complete edge security
solution.
Depending on the ACL configuration in the RADIUS server, the ACLs described in this section filter
either IPv4 traffic only or both IPv4 and IPv6 traffic. These ACLs do not filter non-IP traffic such as
AppleTalk and IPX.
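To make the server-side configuration step concrete, the added example below (not code from the guide or from the switch vendor) takes a constructed FreeRADIUS-style `users` entry, pulls the per-client ACEs out of the `HP-Nas-Filter-Rule` reply attribute, and evaluates sample inbound packets against them the way the switch would: only destination address and IP protocol/port are matched, because the source is always the authenticated client. The `users` file layout, the attribute name, the ACE grammar `<permit|deny> in <proto> from any to <dst>[/prefix] [port] [cnt]`, and the trailing implicit deny are all assumptions of this example and are not stated on this page.

```python
"""Parse RADIUS-assigned ACL rules out of a FreeRADIUS-style 'users' entry and
evaluate them against sample inbound packets (added example, not vendor code).

Assumptions (not from the page): the FreeRADIUS 'users' layout, the attribute
name HP-Nas-Filter-Rule, the ACE grammar
    <permit|deny> in <ip|tcp|udp|...> from any to <any|addr[/prefix]> [port] [cnt]
and an implicit deny once every ACE has been tried without a match.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed sample entry for one client; not a real configuration.
USERS_ENTRY = '''\
mobile011  Cleartext-Password := "run101112"
           HP-Nas-Filter-Rule += "permit in tcp from any to 10.10.10.1 23",
           HP-Nas-Filter-Rule += "permit in udp from any to 10.10.10.2 53",
           HP-Nas-Filter-Rule += "deny in tcp from any to 10.10.10.1 80 cnt",
           HP-Nas-Filter-Rule += "permit in ip from any to 10.10.0.0/16",
           HP-Nas-Filter-Rule += "permit in tcp from any to 2001:db8::10 443"
'''

# 'from any' is fixed: the source is always the client that authenticated.
ACE_RE = re.compile(
    r'^(?P<action>permit|deny)\s+in\s+(?P<proto>[a-z0-9]+)\s+from\s+any\s+to\s+'
    r'(?P<dst>\S+)(?:\s+(?P<port>\d+))?(?:\s+cnt)?$'
)


class Ace(NamedTuple):
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every IP protocol
    dst: object          # ipaddress network, or None for "any"
    port: Optional[int]  # None = any destination port


class Packet(NamedTuple):
    proto: str
    dst_ip: str
    dst_port: Optional[int] = None


def parse_ace(text: str) -> Ace:
    """Turn one ACE string into a structured rule; reject anything off-grammar."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ACE: {text!r}")
    dst = None if m['dst'] == 'any' else ipaddress.ip_network(m['dst'], strict=False)
    port = int(m['port']) if m['port'] else None
    return Ace(m['action'], m['proto'], dst, port)


def extract_rules(users_text: str, attr: str = 'HP-Nas-Filter-Rule') -> List[Ace]:
    """Collect every quoted value of `attr` from the entry, preserving file order."""
    pattern = re.compile(re.escape(attr) + r'\s*\+?=\s*"([^"]*)"')
    return [parse_ace(value) for value in pattern.findall(users_text)]


def matches(ace: Ace, pkt: Packet) -> bool:
    """An ACE matches on protocol, destination prefix (same IP version) and port."""
    if ace.proto != 'ip' and ace.proto != pkt.proto:
        return False
    if ace.dst is not None:
        addr = ipaddress.ip_address(pkt.dst_ip)
        if addr.version != ace.dst.version or addr not in ace.dst:
            return False
    if ace.port is not None and ace.port != pkt.dst_port:
        return False
    return True


def evaluate(rules: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; a packet matching no ACE is dropped (implicit deny)."""
    for ace in rules:
        if matches(ace, pkt):
            return ace.action
    return 'deny'


if __name__ == '__main__':
    acl = extract_rules(USERS_ENTRY)
    for sample in [Packet('tcp', '10.10.10.1', 23), Packet('tcp', '10.10.10.1', 80),
                   Packet('tcp', '10.10.10.1', 22), Packet('tcp', '2001:db8::10', 443),
                   Packet('udp', '2001:db8::10', 53), Packet('tcp', '192.0.2.10', 443)]:
        print(sample, '->', evaluate(acl, sample))
```

The IPv4 `permit in ip ... 10.10.0.0/16` ACE never matches the IPv6 destination, so the IPv6 DNS packet in the sample set falls through to the implicit deny; that is the behaviour to keep in mind when the switch applies the same ACE list to both address families.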
Table 20 Simultaneous ACL activity supported per-port (1)

ACL type             | Function                                                       | IPv4        | IPv6
---------------------+----------------------------------------------------------------+-------------+---------
VACL                 | Static ACL assignment to filter inbound IP traffic on a        | 1           | 1
                     | specific VLAN.                                                 |             |
Port ACL             | Static ACL assignment to filter inbound IP traffic on a        | 1           | 1
                     | specific port.                                                 |             |
RADIUS-assigned ACL  | Dynamic ACL assignment to filter inbound IP traffic from a     | 1-32 (2)    | 1-32 (2)
                     | specific client on a given port.                               |             |
RACL (IPv4 only)     | Static ACL assignment to filter routed IPv4 traffic entering   | 1 in, 1 out | n/a
                     | or leaving the switch on a specific VLAN.                      |             |
Connection-Rate ACL  | Static ACL assignment for virus throttling on a specific port; | 1           | n/a
                     | see “Virus throttling (connection-rate filtering)” (page 53).  |             |

(1) Subject to resource availability on the switch. For more information, see the appendix titled "Monitoring Resources" in
the latest Management and Configuration Guide for your switch.
(2) One per authenticated client, up to a maximum of 32 clients per port for 802.1X, web-based authentication,
and MAC authentication methods combined.