Access Security Guide K/KA/KB.15.15

NOTE: The switch allows one inbound RACL assignment and one outbound RACL assignment
configured per VLAN. This is in addition to any other ACL assigned to the VLAN or to any ports
on the VLAN. You can use the same RACL or different RACLs to filter inbound and outbound routed
traffic on a VLAN.
RACLs do not filter IPv4 traffic that remains in the same subnet from source to destination (switched
traffic) unless the destination address (DA) or source address (SA) is on the switch itself.
VACL applications
VACLs filter any IPv4 traffic entering the switch on a VLAN configured with the "VLAN" ACL option.
Syntax
vlan <vid> ip access-group <identifier> vlan
For example, in Figure 225 (page 308), you would assign a VACL to VLAN 2 to filter all inbound
switched or routed IPv4 traffic received from clients on the 10.28.20.0 network. In this instance,
routed traffic received on VLAN 2 from VLANs 1 or 3 would not be filtered by the VACL on VLAN
2.
Figure 225 VACL filter application to IPv4 traffic entering the switch
NOTE: The switch allows one VACL assignment configured per VLAN. This is in addition to any
other ACL applications assigned to the VLAN or to ports in the VLAN.
Static port ACL and RADIUS-assigned ACL applications
An IPv4 static port ACL filters any IPv4 traffic inbound on the designated port, regardless of whether
the traffic is switched or routed.
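The three application points described above (RACL inbound/outbound, VACL, static port ACL) differ only in which packets they are allowed to see. The following Python model encodes those rules so the Figure 225 scenario can be worked through: a VACL on VLAN 2 sees switched and routed traffic entering on VLAN 2 but not routed traffic arriving from VLAN 1 or 3, and a RACL ignores same-subnet switched traffic unless the switch itself is the source or destination. This is an added example, not switch code and not from the guide. The ACL names, port names, the switch address 10.28.20.1 and the VLAN 1 and VLAN 3 subnets (10.28.10.0/24, 10.28.30.0/24) are assumptions; only 10.28.20.0/24 as the VLAN 2 client network comes from the text. The order in which the points are listed is also an assumption, since this page does not state it.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example: a model of which IPv4 ACL application points on a K/KA/KB
# switch inspect a packet, following the rules stated in this chapter.
# Not switch code. Addresses, VLANs and port names are assumed except that
# 10.28.20.0/24 is the VLAN 2 client network of Figure 225.


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def ace(action, src, dst):
    """Build one access-control entry from CIDR strings ("any" = 0.0.0.0/0)."""
    cidr = lambda s: ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
    return Ace(action, cidr(src), cidr(dst))


def evaluate(acl, src, dst):
    """First matching ACE wins; an ACL that matches nothing denies (implicit deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"


@dataclass
class Packet:
    in_port: str      # port the packet arrived on (None if the switch sent it)
    in_vlan: int      # VLAN it entered the switch on
    out_vlan: int     # VLAN it leaves on (== in_vlan for switched traffic)
    src: str
    dst: str


@dataclass
class SwitchConfig:
    switch_addrs: set                               # switch's own IPv4 addresses
    port_acl: dict = field(default_factory=dict)    # port -> static port ACL (inbound)
    vacl: dict = field(default_factory=dict)        # vid -> the one VACL for that VLAN
    racl_in: dict = field(default_factory=dict)     # vid -> the one inbound RACL
    racl_out: dict = field(default_factory=dict)    # vid -> the one outbound RACL


def applicable(cfg, pkt):
    """Application points that inspect pkt, as (kind, key) pairs.

    Port ACLs and VACLs see every inbound packet on their port/VLAN, switched
    or routed. RACLs see only routed traffic, plus traffic whose source or
    destination is the switch itself. Listing order is an assumption.
    """
    points = []
    if pkt.in_port is not None and pkt.in_port in cfg.port_acl:
        points.append(("port", pkt.in_port))
    if pkt.in_vlan in cfg.vacl:                      # entered the switch on this VLAN
        points.append(("vacl", pkt.in_vlan))
    routed = pkt.in_vlan != pkt.out_vlan             # simplification: one subnet per VLAN
    if (routed or pkt.dst in cfg.switch_addrs) and pkt.in_vlan in cfg.racl_in:
        points.append(("racl-in", pkt.in_vlan))
    if (routed or pkt.src in cfg.switch_addrs) and pkt.out_vlan in cfg.racl_out:
        points.append(("racl-out", pkt.out_vlan))
    return points


TABLES = {"port": "port_acl", "vacl": "vacl", "racl-in": "racl_in", "racl-out": "racl_out"}


def forward(cfg, pkt):
    """(True, None) if every applicable ACL permits pkt, else (False, denying point)."""
    for kind, key in applicable(cfg, pkt):
        acl = getattr(cfg, TABLES[kind])[key]
        if evaluate(acl, pkt.src, pkt.dst) == "deny":
            return False, (kind, key)
    return True, None


def figure_225_config():
    """Constructed configuration around Figure 225 (all names and addresses assumed)."""
    cfg = SwitchConfig(switch_addrs={"10.28.20.1"})
    # static port ACL on A1: block one rogue host, regardless of switched/routed
    cfg.port_acl["A1"] = [ace("deny", "10.28.20.99/32", "any"), ace("permit", "any", "any")]
    # VACL on VLAN 2 ("vlan 2 ip access-group Block-Clients vlan"): clients may not reach VLAN 3
    cfg.vacl[2] = [ace("deny", "10.28.20.0/24", "10.28.30.0/24"), ace("permit", "any", "any")]
    # inbound RACL on VLAN 1: only the VLAN 1 subnet may be routed out (implicit deny for others)
    cfg.racl_in[1] = [ace("permit", "10.28.10.0/24", "any")]
    # inbound RACL on VLAN 2: clients may not talk to the switch's own address
    cfg.racl_in[2] = [ace("deny", "10.28.20.0/24", "10.28.20.1/32"), ace("permit", "any", "any")]
    # outbound RACL on VLAN 3: anything routed into the server subnet
    cfg.racl_out[3] = [ace("permit", "any", "10.28.30.0/24")]
    return cfg
```

Running `forward(figure_225_config(), Packet("B1", 1, 2, "10.28.10.5", "10.28.20.9"))` shows the point made in the text: the packet is routed into VLAN 2, but it entered the switch on VLAN 1, so the VLAN 2 VACL never sees it and only the VLAN 1 inbound RACL is consulted. Switched traffic between two VLAN 2 clients, by contrast, passes the VACL and port ACL but no RACL, until the destination is the switch's own address.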
RADIUS-assigned (dynamic) port ACL applications
NOTE: Beginning with software release K.14.01, IPv6 support is available for RADIUS-assigned
port ACLs configured to filter inbound IPv4 and IPv6 traffic from an authenticated client. Also, the
implicit deny in RADIUS-assigned ACLs applies to both IPv4 and IPv6 traffic inbound from the client.
For information on enabling RADIUS-assigned ACLs, see “RADIUS server support for switch services”
(page 199).
Dynamic (RADIUS-assigned) port ACLs are configured on RADIUS servers and can be configured
to filter IPv4 and IPv6 traffic inbound from clients authenticated by such servers. For example, in
Figure 226 (page 309) client "A" connects to a given port and is authenticated by a RADIUS server.
Because the server is configured to assign a dynamic ACL to the port, the IPv4 and IPv6 traffic
inbound on the port from client "A" is filtered. See “Operating notes” (page 309) for more details.
308 IPv4 Access Control Lists (ACLs)