Users Guide

Security Commands
Default Configuration
By default, VSA Attribute 26, Vendor ID 9, and Sub-type 1 are not processed
by the switch.
Command Mode
Global Configuration mode
User Guidelines
This command does not affect processing of any VSAs other than VSA
Attribute 26, Vendor ID 9, Sub-type 1. It does not affect processing of
Voice VLAN or Admin/Login.
Predefined ACL Selection using VSA Attribute 26
This method selects an ACL that is already configured on the switch. The
extended-access-control-list-name is the name of an existing ACL
pre-configured on the switch. The ACL need not be statically pre-configured
on the port before RADIUS configures the ACL on the port, which happens
before the port is authorized (a static assignment would be removed in any
case, because statically configured ACLs on a port are removed prior to
configuring a dynamic ACL).
ip:inacl={ extended-access-control-list-name }
ipv6:inacl={ extended-access-control-list-name }
The ip token indicates an IPv4 ACL name follows the equals sign.
The ipv6 token indicates an IPv6 ACL name follows the equals sign.
The extended-access-control-list-name token identifies an IP/IPv6
Extended ACL Name of an existing ACL. The name is case sensitive.
The tokens ip:inacl and ipv6:inacl are in lower case and are followed by an
equals sign with no intervening white space.
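The token rules above can be checked before a RADIUS policy is deployed. The following Python lint is an added example, not part of this guide or the switch software; the ACL inventory and the names check_avpair and lint_reply are assumptions made for illustration.

```python
# Lint VSA 26 / Vendor ID 9 / Sub-type 1 strings against the token rules
# in the User Guidelines. The ACL inventory below is constructed sample data.
TOKENS = {"ip:inacl": "ipv4", "ipv6:inacl": "ipv6"}

# Hypothetical inventory: extended ACL names already configured on the switch.
CONFIGURED = {"ipv4": {"Named_ACL", "Guest_v4"}, "ipv6": {"Guest_v6"}}


def check_avpair(value, configured=CONFIGURED):
    """Return 'ok' or the rule from the guidelines that the value breaks."""
    token, sep, name = value.partition("=")
    if not sep:
        return "missing '='"
    if token not in TOKENS:
        # Same token with wrong case or stray white space is a common typo.
        if token.strip().lower() in TOKENS:
            return "token must be lower case with no white space before '='"
        return "not an inacl token"
    family = TOKENS[token]
    if name in configured[family]:
        return "ok"
    # The name is case sensitive, so report a case-only mismatch explicitly.
    if name.lower() in {n.lower() for n in configured[family]}:
        return "ACL name differs only in case"
    other = "ipv6" if family == "ipv4" else "ipv4"
    if name in configured[other]:
        return f"ACL exists but is an {other} ACL"
    return "no such ACL configured"


def lint_reply(avpairs, configured=CONFIGURED):
    """Return {value: reason} for every value that fails the checks."""
    results = {v: check_avpair(v, configured) for v in avpairs}
    return {v: r for v, r in results.items() if r != "ok"}


if __name__ == "__main__":
    # Constructed sample of values a RADIUS policy might return.
    sample = ["ip:inacl=Named_ACL", "IP:inacl=Named_ACL", "ip:inacl =Named_ACL",
              "ip:inacl=named_acl", "ipv6:inacl=Guest_v4", "ipv6:inacl=Guest_v6"]
    for value, reason in lint_reply(sample).items():
        print(f"{value!r}: {reason}")
```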
Different authentication sessions, as in the case of the data and voice VLAN
authenticating independently, may both have Dynamic ACLs. It is
recommended that the DACLs be carefully designed so that they work in
harmony; at a minimum, no ACL numbers should be duplicated across the
DACLs. DACLs are applied at the port level and are capable of affecting any
traffic ingressing the port.
Predefined ACL Examples
ip:inacl=Named_ACL