KB.15.15

ManualsBrandsHP ManualsNetwork HardwareHP 5406R-8XGT/8SFP+ (No PSU) v2 zl2 Switch

211

212

213

214

215

216

217

218

219

220

Table 21 Contrasting dynamic (RADIUS-assigned) and static ACLs (continued)

Static port and VLAN ACLsRADIUS-assigned ACLs

A VACL can be applied on a VLAN to filter either IPv4 or

IPv6 traffic entering the switch through a port on that VLAN.

A static port ACL can be applied on a port to filters either

IPv4 or IPv6 traffic entering the switch through that port.

No client authentication requirement.Requires client authentication by a RADIUS server

configured to dynamically assign an ACL to a client on a

switch port, based on client credentials.

Beginning with software release K.14.01, the show

statistics command includes options for displaying the

ACEs allow a counter (cnt) option that causes a counter to

increment when there is a packet match.

packet match count, see “Monitoring static ACL

performance” (page 295).

Also, ACEs allow a log option that generates a log

message whenever there is a packet match with a "deny"

ACE.

CAUTION: Regarding the Use of IPv4 Source Routing:

IPv4 source routing is enabled by default on the switch and can be used to override IPv4 ACLs.

For this reason, if you are using IPv4 ACLs to enhance network security, the recommended action

is to use the no ip source-route command to disable source routing on the switch. (If source

routing is disabled in the running-config file, the show running command includes "no ip

source-route" in the running-config file listing.)

How a RADIUS server applies a RADIUS-assigned ACL to a client on a switch port

A RADIUS-assigned ACL configured on a RADIUS server is identified and invoked by the unique

credentials (username/password pair or a client MAC address) of the specific client the ACL is

intended to service. Where the username/password pair is the selection criteria, the corresponding

ACL can also be used for a group of clients that all require the same ACL policy and use the same

username/password pair. Where the client MAC address is the selection criteria, only the client

having that MAC address can use the corresponding ACL. When a RADIUS server authenticates

a client, it also assigns the ACL configured with that client's credentials to the client's port. The

ACL then filters the client's inbound IP traffic and denies (drops) any such traffic that is not explicitly

permitted by the ACL.

• If the filter rule used for a RADIUS-based ACL is one of the options that specifies only IPv4

traffic, then the ACL will implicitly deny any inbound IPv6 traffic from the authenticated client.

• If the filter rule used for a RADIUS-based ACL is the option for specifying both IPv4 and IPv6

traffic, then the ACL filter both IP traffic types according to the ACEs included in the

RADIUS-assigned ACL.

When the client session ends, the switch removes the RADIUS-assigned ACL from the client port.

Overview 217