Enhancements

Release M.10.02 Enhancements

Example. Suppose the ACL in Figure 3 is assigned to filter the traffic from an authenticated client on a given port in the switch:

The ACL in Figure 3 contains five explicit ACEs, listed in the order in which the switch compares them against each packet:

Permit in ip from any to 18.28.136.24
Permit in ip from any to 18.28.156.7
Deny in ip from any to 18.28.156.3
Deny in tcp from any to any 23
Permit in ip from any to any
(Deny in ip from any to any)

The parenthesized last line is not part of the configured list; it shows the "deny any any" ACE implicit in every RADIUS-based ACL. Any inbound IP traffic from the authenticated client that does not match any of the five explicit ACEs in this ACL is denied by the implicit "deny any any". (In this particular ACL the fifth ACE, "Permit in ip from any to any", matches everything that reaches it, so the implicit deny is never actually reached; it becomes the effective policy only when the list ends without such a final permit.)

For an inbound packet with a destination IP address of 18.28.156.3, the ACL:

1. Compares the packet to the first ACE (Permit in ip from any to 18.28.136.24). The destination address does not match.

2. Since there is no match with the first ACE, compares the packet to the second ACE (Permit in ip from any to 18.28.156.7), where there is also no match.

3. Compares the packet to the third ACE (Deny in ip from any to 18.28.156.3). There is an exact match, so the ACL denies (drops) the packet.

4. Does not compare the packet to the fourth or fifth ACE.

Figure 3. Example of Sequential Comparison

As shown above, the ACL tries to apply the first ACE in the list. If there is no match, it tries the second ACE, and so on. When a match is found, the ACL invokes the action configured for that ACE (permit or drop the packet), and the remaining ACEs in the list are not compared against that packet. Because of this first-match, sequential processing, successfully implementing an ACL depends in part on configuring the ACEs in the correct order for the overall policy you want the ACL to enforce: in Figure 3, for example, Telnet (TCP port 23) to 18.28.156.7 is permitted by the second ACE before the fourth ACE's "Deny in tcp from any to any 23" is ever consulted, whereas moving that deny to the top of the list would block it.
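The following is an added example written for this page, not code from the switch or from its documentation. It models the first-match walk described above: the five ACEs of Figure 3 are parsed from their printed form, each constructed sample packet is compared against them top to bottom, the first match decides, and a packet that matches no explicit ACE falls through to the implicit "deny any any". The ACE grammar it accepts (permit|deny in ip|tcp|udp from src|any to dst|any [port]) is an assumption covering only the forms shown in Figure 3, and the client source address 10.1.1.5 and the other packets are constructed for the demonstration. It also goes one step beyond the figure by re-evaluating the same packets with the Telnet deny moved to the top of the list, to show how ordering alone changes the outcome.

```python
"""First-match evaluation of a RADIUS-assigned ACL, modelled on Figure 3.

Added example for this page; not switch firmware or documentation code.
The ACE grammar parsed here is an assumption limited to the forms in Figure 3:
    <permit|deny> in <ip|tcp|udp> from <src|any> to <dst|any> [port]
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+in\s+(?P<proto>ip|tcp|udp)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+(?P<port>\d+))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Ace:
    action: str                           # "permit" or "deny"
    proto: str                            # "ip" matches any IP protocol
    src: Optional[ipaddress.IPv4Address]  # None means "any"
    dst: Optional[ipaddress.IPv4Address]  # None means "any"
    port: Optional[int]                   # destination port; None means any


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def _addr(token: str) -> Optional[ipaddress.IPv4Address]:
    return None if token.lower() == "any" else ipaddress.IPv4Address(token)


def parse_ace(text: str) -> Ace:
    m = ACE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unparseable ACE: {text!r}")
    return Ace(m["action"].lower(), m["proto"].lower(),
               _addr(m["src"]), _addr(m["dst"]),
               int(m["port"]) if m["port"] else None)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    # Every field of the ACE must match; "any" (None) fields match everything.
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src is not None and ace.src != ipaddress.IPv4Address(pkt.src):
        return False
    if ace.dst is not None and ace.dst != ipaddress.IPv4Address(pkt.dst):
        return False
    if ace.port is not None and ace.port != pkt.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACL top to bottom and stop at the first matching ACE.

    Returns (action, 1-based ACE number). A packet that matches no explicit
    ACE is dropped by the implicit "deny any any", reported with number None.
    """
    for number, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, number
    return "deny", None


# The five explicit ACEs of Figure 3, in configured order.
FIGURE3 = [parse_ace(line) for line in (
    "Permit in ip from any to 18.28.136.24",
    "Permit in ip from any to 18.28.156.7",
    "Deny in ip from any to 18.28.156.3",
    "Deny in tcp from any to any 23",
    "Permit in ip from any to any",
)]

# Same ACEs with the Telnet deny moved to the top: this ordering change alone
# turns "permit" into "deny" for Telnet to 18.28.156.7.
TELNET_FIRST = [FIGURE3[3]] + FIGURE3[:3] + FIGURE3[4:]


if __name__ == "__main__":
    # Constructed sample packets; the client address 10.1.1.5 is arbitrary.
    samples = (Packet("10.1.1.5", "18.28.156.3", "tcp", 80),   # the figure's packet
               Packet("10.1.1.5", "18.28.156.7", "tcp", 23),   # Telnet to a permitted host
               Packet("10.1.1.5", "10.0.0.1", "tcp", 23),      # Telnet elsewhere
               Packet("10.1.1.5", "10.0.0.1", "udp", 53))      # DNS elsewhere
    for label, acl in (("Figure 3 order", FIGURE3), ("Telnet deny first", TELNET_FIRST)):
        print(label)
        for pkt in samples:
            print(f"  {pkt.proto}/{pkt.dport} to {pkt.dst}: {evaluate(acl, pkt)}")
    # Drop the final "permit any" and the DNS packet hits the implicit deny.
    print("Without final permit:", evaluate(FIGURE3[:4], samples[3]))
```

The returned ACE number is the point to check when an ACL does not behave as intended: if a packet is being permitted or dropped by an earlier, broader entry than the one you expected, the fix is reordering, not adding another ACE further down the list.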

Note

Because only one ACL is allowed on a port, if a statically configured ACL already exists on a port, a RADIUS-based ACL cannot be assigned to that port. In this case, if a client authenticates and the RADIUS server is configured to assign a dynamic ACL to the port for that client, the client will then be de-authenticated.
