Enhancements

Release M.10.02 Enhancements

The following syntax and operating information refers to ACLs configured in a RADIUS server.

ACE Syntax: <permit | deny> in <ip | ip-protocol-value> from any to <<ip-addr>[/<mask>] | any> [tcp/udp-ports] [cnt]

<permit | deny>: Specifies whether to forward or drop the identified IP traffic type from the authenticated client.

in: Required keyword specifying that the ACL applies only to the traffic inbound from the authenticated client.

<ip | ip-protocol-value>: Options for specifying the type of traffic to filter.

ip: This option applies the ACL to all IP traffic from the authenticated client.

ip-protocol-value: This option applies the ACL to the type of IP traffic specified by either a protocol number or by tcp or udp. The range of protocol numbers is 0-255, and you can substitute 6 for TCP or 17 for UDP. (Protocol numbers are defined in RFC 2780. For a complete listing, refer to “Protocol Numbers” under “Protocol Number Assignment Services” on the Web site of the Internet Assigned Numbers Authority at www.iana.com.) Some examples of protocol numbers include:

1 = ICMP

2 = IGMP

6 = TCP

17 = UDP

41 = IPv6

from any: Required keywords specifying the (authenticated) client source. (Note that a RADIUS-Based ACL assigned to a port filters only the inbound traffic having a source MAC address that matches the MAC address of the client whose authentication invoked the ACL assignment.)

to: Required destination keyword.

<ip-addr>: Specifies a single destination IP address.

<ip-addr>/<mask>: Specifies a series of contiguous destination IP addresses or all destination IP addresses in a subnet. The <mask> is CIDR notation for the number of leftmost bits in a packet’s destination IP address that must match the corresponding bits in the destination IP address listed in the ACE. For example, a destination of 10.100.17.1/24 in the ACE means that a match occurs when an inbound packet (of the designated IP type) from the authenticated client has a destination IP address where the first three octets are 10.100.17. (The fourth octet is a wildcard, and can be any value up to 255.)

any: Specifies any IP destination address. Use this option when you want the ACL action to apply to all traffic of the designated type, regardless of destination.

[tcp/udp-ports]: Optional TCP or UDP port specifier. Used when the ACL is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP destination port numbers. You can specify port numbers as individual values and/or ranges. For example, the following ACE denies any UDP traffic from an authenticated client that has a DA of any IP address and a UDP destination port of 135, 137-139, or 445:

deny in udp from any to any 135, 137-139, 445
