Enhancements

Release M.10.02 Enhancements

Limits for RADIUS-Based ACLs, Associated ACEs, and Counters

Table 5 describes limits the switch supports in ACLs applied by a RADIUS server. Exceeding a limit causes the related client authentication to fail.

Table 5. Limits Affecting RADIUS-Based ACL Applications

Item: Maximum Number of Authenticated Client Sessions Per-Port Using RADIUS-based ACLs
Limit: 1
Notes: One RADIUS-based ACL can operate on a given port at a time. If an authenticated client is already using a RADIUS-based ACL on a port and a second client requiring a RADIUS-based ACL attempts to authenticate on the same port, the attempt by the second client will fail.

Item: Maximum Number of (internal) ACEs Per-Port, and Maximum Number of (internal) ACEs Per-ACL
Limit: Up to 120*
Notes: Depending on how a RADIUS-assigned ACE is formed, it can consume multiple internal ACEs. A RADIUS-assigned ACE that does not specify TCP or UDP port numbers uses one internal ACE. However, an ACE that includes TCP or UDP port numbers uses one or more internal ACE resources, depending on the port number groupings. A single TCP or UDP port number or a series of contiguous port numbers comprises one group. For example, “80” and “137-146” each form one group. “135, 137-140, 143” in a given ACE form three groups. The following ACE examples illustrate how the switch applies internal ACE usage.

Examples of Single and Multiple (Internal) ACEs Per-Port              Internal ACEs
deny in ip from any to any                                            1
deny in tcp from any to any                                           1
deny in tcp from any to any 80                                        1
permit in tcp from any to any 135, 137-146, 445                       3
permit in tcp from any to any 135-137, 139, 141, 143, 146, 445        6
permit in tcp from any to any 135-146, 445                            2

Note: *Uses shared internal resources, which can affect the per-port availability of internal ACEs. Refer to the section titled “Planning an ACL Application on a Series 3400cl or 6400cl Switch” in the chapter titled “Access Control Lists (ACLs) for the Series 3400cl and 6400cl Switches” in the Advanced Traffic Management Guide for your switch model. Use the show access-list resources command to view the current resources available for the ports on the switch.

Item: Maximum Number of Characters in an ACE
Limit: 80
Notes: —

Item: Maximum Number of (optional) Internal Counters Used Per-ACL
Limit: 32
Notes: Depending on how an ACE is formed, using the cnt (counter) option consumes one or more internal counters. Using a counter in an ACE that does not specify TCP or UDP port numbers uses one counter. Using a counter in an ACE that includes TCP or UDP port numbers uses one or more counters, depending on the port number groupings. A single TCP or UDP port number or a series of contiguous port numbers comprises one group. For example, “80” and “137-146” each form one group. “135, 137-140, 143” in a given ACE form three groups. The ACE examples below show how the switch calculates internal counter groups.

Examples of ACE Usage of Internal Counters                            Counters
deny in ip from any to any cnt                                        1
deny in tcp from any to any cnt                                       1
deny in tcp from any to any 80 cnt                                    1
permit in tcp from any to any 135, 137-146, 445 cnt                   3
permit in tcp from any to any 135-137, 139, 141, 143, 146, 445 cnt    6
permit in tcp from any to any 135-146, 445 cnt                        2
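The port-grouping rule in Table 5 is easy to get wrong when building RADIUS ACL policy by hand, and exceeding a limit fails the client's authentication. The following Python checker is an added example, not code from the release notes: it computes the internal ACE and counter consumption of each RADIUS-assigned ACE and flags an ACL that would exceed the 120 internal ACE, 32 counter, or 80 characters per ACE limits. The ACE grammar it accepts is an assumption about the syntax shown in the table, and it applies the "contiguous ports form one group" rule literally, so adjacent tokens such as "137, 138" merge into one group, a case the table's own examples do not exercise.

```python
import re

# Limits from Table 5 of the M.10.02 release notes.
MAX_INTERNAL_ACES_PER_ACL = 120
MAX_COUNTERS_PER_ACL = 32
MAX_ACE_CHARS = 80

# Assumed ACE shape: <permit|deny> in <proto> from <src> to <dst> [ports] [cnt]
ACE_RE = re.compile(
    r"^(permit|deny)\s+in\s+(\w+)\s+from\s+(\S+)\s+to\s+(\S+)"
    r"((?:\s+[\d\-]+,?)*)\s*(cnt)?\s*$", re.IGNORECASE)

def port_groups(port_spec):
    """Count maximal runs of contiguous ports: '135, 137-146, 445' -> 3."""
    ports = set()
    for token in port_spec.split(","):
        token = token.strip()
        if not token:
            continue
        lo, _, hi = token.partition("-")      # "80" or "137-146"
        ports.update(range(int(lo), int(hi or lo) + 1))
    # A port whose predecessor is absent starts a new group.
    return sum(1 for p in ports if p - 1 not in ports)

def internal_usage(ace):
    """Return (internal ACEs, internal counters) one RADIUS-assigned ACE consumes."""
    m = ACE_RE.match(ace.strip())
    if not m:
        raise ValueError(f"unrecognised ACE syntax: {ace!r}")
    proto, ports, cnt = m.group(2).lower(), m.group(5), m.group(6)
    # Without TCP/UDP port numbers an ACE costs exactly one internal ACE.
    groups = port_groups(ports) if proto in ("tcp", "udp") and ports.strip() else 1
    return groups, (groups if cnt else 0)

def audit_acl(aces):
    """Sum usage over one ACL and list every Table 5 limit it would exceed."""
    total_aces = total_counters = 0
    problems = []
    for ace in aces:
        if len(ace) > MAX_ACE_CHARS:
            problems.append(f"ACE longer than {MAX_ACE_CHARS} characters: {ace!r}")
        a, c = internal_usage(ace)
        total_aces, total_counters = total_aces + a, total_counters + c
    if total_aces > MAX_INTERNAL_ACES_PER_ACL:
        problems.append(f"{total_aces} internal ACEs exceed limit {MAX_INTERNAL_ACES_PER_ACL}")
    if total_counters > MAX_COUNTERS_PER_ACL:
        problems.append(f"{total_counters} counters exceed limit {MAX_COUNTERS_PER_ACL}")
    return total_aces, total_counters, problems
```

Run it over the ACEs a RADIUS policy would return before deploying them; an empty problem list means the ACL fits within the documented per-ACL limits, although per-port availability still depends on the shared resources reported by show access-list resources.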
