Users Guide

Authentication, Authorization, and Accounting 299
Dynamic ACL Creation
Send the following Cisco VSA (009/001) av-pair (26) attribute syntax from the RADIUS server in the Access-Accept message to create an ACL that does not exist on the switch. The ACL need not be statically preconfigured on the port before RADIUS creates the ACL and authorizes the port. All statically configured ACLs on a port are removed before the dynamic ACL is configured. The applied ACL is considered state, not configuration, and is not shown in the running-config.
Syntax
ip:inacl[#number]={extended-access-control-list}
ipv6:inacl[#number]={extended-access-control-list}
where ip indicates that an IPv4 ACL definition follows the equals sign and ipv6 indicates that an IPv6 ACL definition follows the equals sign.
#number is the ACL sequence number in decimal format. Range 1-2147483647.
The tokens ip:inacl and ipv6:inacl are lower case and are followed (after the optional #number) by an equals sign with no intervening white space.
The token extended-access-control-list means a Dell EMC IPv4/IPv6 Extended ACL CLI rule definition beginning with the {permit|deny} tokens followed by the protocol { eigrp | gre | icmp | igmp | ip | ipinip | ospf | pim | tcp | udp | 0-55} et seq., as described in the CLI Reference Guide for the permit/deny commands.
Dynamic ACL Example (Extended syntax, for example, as used under ip access-list extended ...):
ip:inacl#100=permit ip any 209.165.0.0 0.0.255.255
ip:inacl#110=permit ip any 209.166.0.0 0.0.255.255
ip:inacl=permit ip any 209.167.0.0 0.0.255.255
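Because a malformed av-pair results in the port failing authorization rather than a visible configuration error, it is worth validating policy entries on the RADIUS side before they are deployed. The following is an added example, not code from the Dell EMC guide, written in Python; it checks ip:inacl / ipv6:inacl strings against the syntax rules above (lower-case token, optional #number in the range 1-2147483647, no white space before the equals sign, a permit|deny rule naming one of the listed protocols). The function names, the constructed sample Access-Accept list and the numeric protocol range 0-255 are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Values taken from the guide text above.
SEQ_MIN, SEQ_MAX = 1, 2147483647
ACTIONS = ("permit", "deny")
NAMED_PROTOCOLS = {"eigrp", "gre", "icmp", "igmp", "ip", "ipinip",
                   "ospf", "pim", "tcp", "udp"}
# Assumption of this example: a numeric protocol token is accepted across the
# 8-bit IP protocol-number field, 0-255 (the guide excerpt prints "0-55").
PROTO_NUM_MIN, PROTO_NUM_MAX = 0, 255

# Lower-case token, optional '#number', then '=' with no intervening white space.
# The pattern is case-sensitive on purpose: "IP:inacl" is rejected.
AVPAIR_RE = re.compile(r"^(?P<family>ipv6|ip):inacl(?:#(?P<seq>\d+))?=(?P<rule>.+)$")


@dataclass
class DynamicAclEntry:
    family: str              # "ip" (IPv4) or "ipv6"
    sequence: Optional[int]  # None when '#number' was omitted
    action: str              # "permit" or "deny"
    protocol: str            # named protocol or decimal protocol number
    rule: str                # full extended-ACL rule text after '='


def parse_inacl_avpair(avpair: str) -> DynamicAclEntry:
    """Parse one Cisco-AVPair value of the ip:inacl / ipv6:inacl form.

    Raises ValueError with a reason when the string violates the documented
    syntax, so a policy can be rejected before it ever reaches the switch.
    """
    m = AVPAIR_RE.match(avpair)
    if m is None:
        raise ValueError(
            f"not of the form ip:inacl[#number]=rule (case and spacing matter): {avpair!r}")

    sequence = None
    if m.group("seq") is not None:
        sequence = int(m.group("seq"))
        if not SEQ_MIN <= sequence <= SEQ_MAX:
            raise ValueError(f"sequence {sequence} outside {SEQ_MIN}-{SEQ_MAX}")

    rule = m.group("rule").strip()
    tokens = rule.split()
    if len(tokens) < 2 or tokens[0] not in ACTIONS:
        raise ValueError(f"rule must begin with permit|deny <protocol>: {rule!r}")

    protocol = tokens[1]
    if protocol not in NAMED_PROTOCOLS:
        if not protocol.isdigit() or not PROTO_NUM_MIN <= int(protocol) <= PROTO_NUM_MAX:
            raise ValueError(f"unknown protocol token {protocol!r}")

    return DynamicAclEntry(m.group("family"), sequence, tokens[0], protocol, rule)


def is_valid_inacl_avpair(avpair: str) -> bool:
    """Boolean convenience wrapper around parse_inacl_avpair."""
    try:
        parse_inacl_avpair(avpair)
        return True
    except ValueError:
        return False


def parse_access_accept(avpairs: List[str]) -> List[DynamicAclEntry]:
    """Parse every av-pair an Access-Accept would carry, reporting the offending
    position if any single entry is malformed (one bad entry spoils the port)."""
    entries = []
    for index, avpair in enumerate(avpairs):
        try:
            entries.append(parse_inacl_avpair(avpair))
        except ValueError as exc:
            raise ValueError(f"av-pair {index}: {exc}") from exc
    return entries


# Constructed sample: the three IPv4 entries from the guide plus one IPv6 entry.
SAMPLE_ACCESS_ACCEPT = [
    "ip:inacl#100=permit ip any 209.165.0.0 0.0.255.255",
    "ip:inacl#110=permit ip any 209.166.0.0 0.0.255.255",
    "ip:inacl=permit ip any 209.167.0.0 0.0.255.255",
    "ipv6:inacl#10=deny tcp any any",
]

if __name__ == "__main__":
    for entry in parse_access_accept(SAMPLE_ACCESS_ACCEPT):
        print(entry)
```

Running the module prints the parsed entries; feeding it a policy file line by line and calling is_valid_inacl_avpair on each value gives a quick pre-deployment lint of the RADIUS authorization profile.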
Restrictions and Caveats
Only ingress ACLs are supported. Dynamic ACLs are supported only for ports in General or Access mode that are configured in 802.1X auto mode.
Processing of dynamic ACL VSAs is controlled by the [no] radius server vsa send authentication command. The default is disabled. No other VSAs (such as voice VLAN) are affected by this setting.