Enhancements

Release M.10.02 Enhancements

Table 4. Contrasting Dynamic and Static ACLs

Columns: RADIUS-Based (Dynamic) ACLs vs. Port-Based (Static) ACLs

Row 1
  Dynamic (RADIUS-based): Operates on the 3400cl switches.
  Static (port-based): Operates on both the 3400cl and 6400cl switches.

Row 2
  Dynamic (RADIUS-based): Configured in client accounts on a RADIUS server.
  Static (port-based): Configured in the switch itself.

Row 3
  Dynamic (RADIUS-based): Designed for use on the edge of the network where filtering of inbound traffic is most important and where clients with differing access requirements are likely to use the same port at different times.
  Static (port-based): Designed for general use where the filtering needs for the traffic to the switch from connected devices are predictable and largely static.

Row 4
  Dynamic (RADIUS-based): Implementation requires client authentication.
  Static (port-based): Client authentication is not a factor.

Row 5
  Dynamic (RADIUS-based): Instead of an ACL name or number, the ACL is defined by the credentials (username/password pair or the MAC address) of the specific client the ACL is intended to service. Thus, all ACEs configured in the RADIUS server with the same client identifiers comprise the ACL for the specified client.
  Static (port-based): Identified by a number in the range of 1-199 or an alphanumeric name.

Row 6
  Dynamic (RADIUS-based): Supports dynamic assignment to filter only the inbound IP traffic from an authenticated client on the port to which the client is connected. (Traffic can be routed or switched, and includes traffic having a DA on the switch itself.)
  Static (port-based): Supports static assignments to filter traffic from a connected device, and operates in applications that may or may not include 802.1X or other types of client authentication.

Row 7
  Dynamic (RADIUS-based): When the authenticated client session ends, the switch removes the RADIUS-assigned ACL from the client port.
  Static (port-based): Remains statically assigned to the ports unless removed by a no interface <port-list> access-group CLI command.

Row 8
  Dynamic (RADIUS-based): Supports one RADIUS-based ACL on a port.
  Static (port-based): Supports one inbound ACL per port.

Row 9
  Dynamic (RADIUS-based): The ACL filters the IP traffic received inbound from the client whose authentication resulted in the ACL assignment. Inbound traffic from any other source is denied.
  Static (port-based): An ACL applied inbound on a port filters all IP traffic received.

Row 10
  Dynamic (RADIUS-based): Requires client authentication by a RADIUS server configured to dynamically assign an ACL to the client port, based on client credentials.
  Static (port-based): Configured in the switch and statically applied to filter all inbound IP traffic on the specified ports.

Row 11
  Dynamic (RADIUS-based): ACEs allow a counter (cnt) option that causes a counter to increment when there is a packet match.
  Static (port-based): ACEs allow a log option that generates a log message whenever there is a packet match with a “deny” ACE.
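The contrast in Table 4 is easier to reason about as behaviour than as a list of properties. The following is an added Python model written for this page, not switch firmware or any HP code: it simulates one port carrying a static ACL (applied in the switch, filtering all inbound IP traffic, kept until removed) and a RADIUS-assigned ACL (bound to the authenticated client, denying every other inbound source, dropped when the session ends), plus the cnt and log ACE options. The ACE syntax, MAC and IP addresses, ACL names and the "implicit deny when no ACE matches" rule are constructed assumptions for the simulation; the table also does not say how the switch combines a static and a RADIUS-assigned ACL on the same port, so the model consults the RADIUS-assigned ACL while a client session is active and the static ACL otherwise.

```python
# Added illustration of Table 4's ACL behaviours. Not switch code; does not
# talk to a RADIUS server. Addresses, MACs, ACL names and ACE syntax are
# constructed for the example.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str  # "tcp", "udp" or "icmp"


@dataclass
class ACE:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any IP protocol
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    cnt: bool = False     # cnt option: count packets matching this entry
    log: bool = False     # log option: log matches on a "deny" entry
    hits: int = 0

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        for want, have in ((self.src, pkt.src_ip), (self.dst, pkt.dst_ip)):
            if want != "any" and ip_address(have) not in ip_network(want):
                return False
        return True


@dataclass
class ACL:
    name: str
    aces: List[ACE]
    log: List[str] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        """First matching ACE decides; no match is an implicit deny (assumption)."""
        for ace in self.aces:
            if ace.matches(pkt):
                if ace.cnt:
                    ace.hits += 1
                if ace.log and ace.action == "deny":
                    self.log.append(f"{self.name}: deny {pkt.proto} {pkt.src_ip} -> {pkt.dst_ip}")
                return ace.action
        return "deny"


class Port:
    """One switch port: at most one static ACL and one RADIUS-assigned ACL."""

    def __init__(self) -> None:
        self.static_acl: Optional[ACL] = None
        self.dynamic: Optional[Tuple[str, ACL]] = None  # (authenticated client MAC, ACL)

    # Static ACL: configured in the switch, stays until "no interface ... access-group".
    def apply_static(self, acl: ACL) -> None:
        self.static_acl = acl

    def remove_static(self) -> None:
        self.static_acl = None

    # Dynamic ACL: arrives with the client's successful RADIUS authentication.
    def client_authenticated(self, client_mac: str, acl: ACL) -> None:
        self.dynamic = (client_mac, acl)

    def client_session_ended(self) -> None:
        self.dynamic = None  # switch removes the RADIUS-assigned ACL from the port

    def inbound(self, pkt: Packet) -> str:
        if self.dynamic is not None:
            client_mac, acl = self.dynamic
            if pkt.src_mac != client_mac:
                return "deny"  # inbound traffic from any other source is denied
            return acl.evaluate(pkt)
        if self.static_acl is not None:
            return self.static_acl.evaluate(pkt)  # filters all inbound IP traffic
        return "permit"


def demo() -> Dict[str, object]:
    port = Port()
    # Static ACL "101": the access subnet may reach one server over TCP; log all other denies.
    static = ACL("101", [
        ACE("permit", "tcp", "10.1.0.0/24", "10.9.0.5/32"),
        ACE("deny", "ip", "any", "any", log=True),
    ])
    port.apply_static(static)
    lan_host = Packet("00:11:22:33:44:55", "10.1.0.7", "10.9.0.5", "tcp")
    stray = Packet("00:11:22:33:44:56", "10.1.0.8", "10.9.0.9", "udp")
    out: Dict[str, object] = {}
    out["static_permit"] = port.inbound(lan_host)
    out["static_deny"] = port.inbound(stray)
    out["static_log_entries"] = len(static.log)

    # Dynamic ACL: ACEs the RADIUS server holds under the client's MAC credential.
    dyn = ACL("radius:00:aa:bb:cc:dd:ee", [
        ACE("permit", "tcp", "any", "10.9.0.5/32", cnt=True),
        ACE("deny", "ip", "any", "any"),
    ])
    port.client_authenticated("00:aa:bb:cc:dd:ee", dyn)
    client = Packet("00:aa:bb:cc:dd:ee", "10.1.0.20", "10.9.0.5", "tcp")
    out["dynamic_client"] = port.inbound(client)
    out["dynamic_other_source"] = port.inbound(lan_host)  # not the authenticated client
    out["dynamic_cnt_hits"] = dyn.aces[0].hits
    port.client_session_ended()
    out["after_session"] = port.inbound(lan_host)  # only the static ACL remains
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module shows the two points the table makes that are easiest to miss: while a RADIUS-assigned ACL is active, a packet from a second device on the same port is denied before any ACE is consulted, and once the session ends the port falls back to whatever static ACL the switch itself holds.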
