Enhancements

Release M.10.02 Enhancements

General Steps

These steps suggest a process for using ACLs to establish client access policies. The topics following this section provide details.

1. Determine the policies you want to enforce for client traffic inbound on the switch.

2. Plan ACLs to execute traffic policies:

Apply ACLs on a per-client basis where individual clients need different traffic policies or where each client must have a different username/password pair or will authenticate using MAC authentication.

Apply ACLs on a client group basis where all clients in a given group can use the same traffic policy and the same username/password pair.

3. Configure the ACLs on a RADIUS server accessible to the intended clients.

4. Configure the switch to use the desired RADIUS server and to support the desired client authentication scheme. Options include 802.1X, Web authentication, or MAC authentication. (Note that the switch supports the option of simultaneously using 802.1X with either Web or MAC authentication.)

5. Test client access on the network to ensure that your RADIUS-based ACL application is properly enforcing your policies.

Determining Traffic Policies

This section assumes that the RADIUS server needed by a client for authentication and ACL assignments is accessible from any switch that authorized clients may use.

Begin by defining the policies you want an ACL to enforce for a given client or group of clients. This includes the type of IP traffic permitted or not permitted from the client(s) and the areas of the network the client(s) are authorized or not authorized to use.

What traffic should you permit for the client? In some cases you will need to explicitly identify permitted traffic. In other cases, depending on your policies, you can insert a permit in ip from any to any entry at the end of the ACL so that all IP traffic (from the authenticated client) that is not specifically matched by earlier entries in the list will be permitted. This may be the best choice for an ACL that begins by defining the inbound client IP traffic that should be dropped.

What traffic must be explicitly blocked for the client or group? This can include requests to access “off-limits” subnets, unauthorized access to the internet, access to sensitive data storage or restricted equipment, and the use of specific TCP or UDP applications such as Telnet, SSH, and web browser access to the switch.

What traffic can be blocked simply by relying on the implicit deny in ip from any to any that is automatically included at the end of every ACL? This can reduce the number of entries needed in an ACL.
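The following evaluator is an added example, not part of these release notes, that models the first-match semantics described above for an inbound client ACL: entries are checked in order, an explicit "permit in ip from any to any" tail lets unmatched traffic through, and without that tail the implicit "deny in ip from any to any" drops it. The ACE grammar it parses (destination "any", "host A.B.C.D" or "A.B.C.D/len", optional destination port) and the sample ACL are assumptions made for illustration.

```python
import ipaddress
from typing import List, Optional

def parse_ace(line: str):
    """Parse one ACE into (action, proto, dst_network, dst_port).
    Assumed grammar: <permit|deny> in <ip|tcp|udp> from any to <any|host A.B.C.D|A.B.C.D/len> [port]"""
    tok = line.split()
    if len(tok) < 7 or tok[0] not in ("permit", "deny") or tok[1] != "in" \
            or tok[3:6] != ["from", "any", "to"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto, i = tok[0], tok[2], 6
    if tok[i] == "any":
        dst, i = None, i + 1
    elif tok[i] == "host":
        dst, i = ipaddress.ip_network(tok[i + 1]), i + 2
    else:
        dst, i = ipaddress.ip_network(tok[i], strict=False), i + 1
    port = int(tok[i]) if i < len(tok) else None
    if port is not None and proto == "ip":
        raise ValueError(f"port only valid with tcp/udp: {line!r}")
    return action, proto, dst, port

def evaluate(acl: List[str], proto: str, dst_ip: str, dst_port: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for one inbound client flow; first matching entry wins."""
    addr = ipaddress.ip_address(dst_ip)
    for line in acl:
        action, p, net, port = parse_ace(line)
        if p != "ip" and p != proto:          # 'ip' matches any IP protocol
            continue
        if net is not None and addr not in net:
            continue
        if port is not None and port != dst_port:
            continue
        return action                          # first match decides
    return "deny"                              # implicit deny in ip from any to any

# Constructed sample ACL (addresses are placeholders): drop management access to the
# switch and an off-limits subnet, then permit everything else with an explicit tail.
DROP_FIRST_ACL = [
    "deny in tcp from any to host 10.0.0.1 23",   # Telnet to the switch
    "deny in tcp from any to host 10.0.0.1 22",   # SSH to the switch
    "deny in ip from any to 10.20.0.0/16",        # off-limits subnet
    "permit in ip from any to any",               # explicit permit-all tail
]

# Same entries without the tail: anything not explicitly permitted falls through to
# the implicit deny, so the tail entry is what makes this a "drop-list" style ACL.
IMPLICIT_DENY_ACL = DROP_FIRST_ACL[:-1]
```

Running `evaluate(DROP_FIRST_ACL, "tcp", "192.0.2.10", 443)` returns "permit" while the same flow against `IMPLICIT_DENY_ACL` returns "deny", which is the difference the two questions above are asking you to decide.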
