Enhancements

Release M.10.02 Enhancements

Is it important to keep track of the number of matches for a particular client or ACE? If so, you can use the optional cnt (counter) feature in ACEs where you want to know this information. This is especially useful if you want to verify that the switch is denying unwanted client packets. (Note that configuring a high number of counters can exhaust the counter resources. Refer to Table 5 on page 57.)

Caution

ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete security solution.

Planning the ACLs Needed To Enforce Traffic Policies

This section explains how to order the ACEs in a RADIUS-based ACL and how clients and the switch behave in this dynamic environment.

Guidelines for Structuring a RADIUS-Based ACL

The sequence of ACEs is significant. When the switch uses an ACL to determine whether to permit or deny a packet on a particular port, it compares the packet to the criteria specified in the individual Access Control Entries (ACEs) in the ACL, beginning with the first ACE in the list and proceeding sequentially until a match is found. When a match is found, the switch applies the indicated action (permit or deny) to the packet. This is significant because, when a match is found for a packet, subsequent ACEs in the same ACL will not be used for that packet, regardless of whether they match the packet.

Inbound Traffic Only: RADIUS-based ACLs filter only the inbound IP traffic from an authenticated client for which an ACL has been configured on the appropriate RADIUS server.

Result of an ACE/Packet Match: The first match of a given packet to an ACE dictates the action for that packet. Any subsequent match possibilities are ignored.

Explicitly Permitting Any IP Traffic from the Authenticated Client: Entering a permit in ip from any to any (permit any any) ACE in a RADIUS-based ACL permits all IP traffic (from the authenticated client) that is not previously permitted or denied by that ACL. Any ACEs listed after that point do not have any effect. (While a RADIUS-based ACL is applied to a port, traffic inbound from sources other than the client whose authentication caused the ACL assignment is denied.)
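As an added illustration, not taken from the switch documentation, the following Python model reproduces the first-match evaluation, the optional cnt counters and the catch-all permit behaviour described above. It assumes an ACE form of `<action> in <proto> from any to <dst|any> [port] [cnt]` (a generalization of the page's `permit in ip from any to any`), that inbound traffic from sources other than the authenticated client is denied, and that client traffic matching no ACE is also denied.

```python
import ipaddress

# Constructed model of RADIUS-based ACL evaluation; not switch firmware code.
# ACE text is assumed to look like: "deny in tcp from any to 10.10.10.1 23 cnt"

def parse_ace(text):
    w = text.split()                      # [action, "in", proto, "from", "any", "to", dst, ...]
    action, proto, dst, rest = w[0], w[2], w[6], w[7:]
    return {"action": action, "proto": proto,
            "dst": None if dst == "any" else ipaddress.ip_network(dst, strict=False),
            "port": next((int(x) for x in rest if x.isdigit()), None),
            "cnt": "cnt" in rest, "hits": 0}

def parse_acl(lines):
    return [parse_ace(line) for line in lines]

def matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ace["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in ace["dst"]:
        return False
    if ace["port"] is not None and ace["port"] != pkt.get("dport"):
        return False
    return True

def evaluate(acl, client_ip, pkt):
    """Return (action, index of the matching ACE or None for the implicit deny)."""
    if pkt["src"] != client_ip:           # only the authenticated client's traffic is filtered;
        return "deny", None               # other inbound sources are denied (assumed behaviour)
    for i, ace in enumerate(acl):
        if matches(ace, pkt):
            if ace["cnt"]:
                ace["hits"] += 1          # cnt: count matches for this ACE
            return ace["action"], i       # first match wins; later ACEs are never consulted
    return "deny", None                   # no ACE matched: implicit deny (assumed)

def unreachable_aces(acl):
    """Indices of ACEs placed after a 'permit in ip from any to any', which can never match."""
    for i, ace in enumerate(acl):
        if (ace["action"], ace["proto"], ace["dst"], ace["port"]) == ("permit", "ip", None, None):
            return list(range(i + 1, len(acl)))
    return []

if __name__ == "__main__":
    acl = parse_acl(["deny in tcp from any to 10.10.10.1 23 cnt",
                     "permit in ip from any to any",
                     "deny in udp from any to any"])       # dead ACE: shadowed by the permit
    print(evaluate(acl, "10.10.20.5", {"src": "10.10.20.5", "dst": "10.10.10.1",
                                        "proto": "tcp", "dport": 23}), acl[0]["hits"])
    print("unreachable ACEs:", unreachable_aces(acl))
```

Running `unreachable_aces` over a proposed ACL before loading it on the RADIUS server catches ACEs that a catch-all permit has silently disabled.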

55