Configuring RADIUS Server Support for Switch Services
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists
• RACL (IPv4 ACLs only): an ACL assigned to filter routed IPv4 traffic entering or leaving the switch on a VLAN. (Separate assignments are required for inbound and outbound traffic.)
• RADIUS-Assigned ACL: a dynamic ACL assigned by a RADIUS server to filter inbound traffic from an authenticated client on a given port.
ACL: See "Access Control Lists".
ACL Mask: Follows a source or destination IPv4 address listed in an ACE. Defines
which bits in a packet's corresponding IPv4 address must exactly
match the IPv4 address in the ACE (mask bit 0), and which bits need not match
(mask bit 1, wildcards). For the IPv6 equivalent, see "Prefix Length".
DA: The acronym for Destination Address. In an IP packet, this is the
destination address carried in the header, and identifies the destination
intended by the packet's originator.
Deny: An ACE configured with this action causes the switch to drop a packet
for which there is a match within an applicable ACL.
Deny Any Any: An abbreviated reference to the implicit deny statement,
which denies inbound IP traffic from any source to any destination. This
statement is the implicit, final statement in an ACL.
Dynamic ACL: See "RADIUS-Assigned ACL".
Extended ACL: This is an IPv4 access control list that uses layer-3 criteria
composed of source and destination IPv4 addresses and (optionally) TCP/
UDP port, ICMP, IGMP, precedence, or ToS criteria to determine whether
there is a match with an IP packet. Except for RADIUS-assigned ACLs,
which use client credentials for identifiers, extended ACLs require an
alphanumeric name or an identification number (ID) in the range of 100-199. See also "Standard ACL".
Implicit Deny: If the switch finds no matches between an inbound packet
and the configured criteria in an applicable ACL, then the switch denies
(drops) the packet with an implicit "deny in ip any any" (IPv4) or "deny
in ipv6 any any" (IPv6) operation. You can preempt the implicit statement
in a given ACL by configuring permit in ip from any to any (IPv4) or permit
in ipv6 any any (IPv6) as the last explicit ACE in the ACL. Doing so permits
inbound IP packets that are not explicitly permitted or denied by other
ACEs configured sequentially earlier in the ACL.
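The definitions of ACL Mask, Deny and Implicit Deny above describe how the switch walks an ACL: ACEs are tested in order, the first match decides, and a packet matching no ACE is dropped by the implicit deny unless a final explicit permit preempts it. The following evaluator is an added illustration written for this page, not code from the switch or the manual; it models IPv4 extended-ACL ACEs with the wildcard-mask semantics defined under "ACL Mask" (the RADIUS attribute syntax for dynamic ACLs is not modelled). The sample ACL, addresses and packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not from the manual): first-match evaluation of IPv4 ACEs
# with wildcard masks, ending in the implicit "deny in ip any any".


def wildcard_match(packet_addr: str, ace_addr: str, mask: str) -> bool:
    """ACL Mask semantics: mask bit 0 = must match exactly, mask bit 1 = wildcard."""
    p = int(ipaddress.IPv4Address(packet_addr))
    a = int(ipaddress.IPv4Address(ace_addr))
    m = int(ipaddress.IPv4Address(mask))
    care = ~m & 0xFFFFFFFF          # bits the ACE insists on
    return (p & care) == (a & care)


@dataclass
class ACE:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" (any IP protocol), "tcp" or "udp"
    src: str                        # IPv4 address or "any"
    src_mask: str = "0.0.0.0"       # wildcard mask following the source address
    dst: str = "any"
    dst_mask: str = "0.0.0.0"       # wildcard mask following the destination address
    dst_port: Optional[int] = None  # only meaningful for tcp/udp

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "ip" and self.protocol != pkt["protocol"]:
            return False
        if self.src != "any" and not wildcard_match(pkt["src"], self.src, self.src_mask):
            return False
        if self.dst != "any" and not wildcard_match(pkt["dst"], self.dst, self.dst_mask):
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True


def evaluate_acl(acl: list, pkt: dict) -> tuple:
    """Return (action, ace_index) for the first matching ACE.

    A packet that matches no ACE hits the implicit deny, reported as
    ("deny", None) so callers can tell it apart from an explicit deny.
    """
    for i, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, i
    return "deny", None


# Constructed sample ACL: block Telnet from the whole 10.10.0.0/16 range,
# permit all other IP traffic from 10.10.20.0/24, implicitly deny the rest.
SAMPLE_ACL = [
    ACE("deny", "tcp", "10.10.0.0", "0.0.255.255", "any", "0.0.0.0", dst_port=23),
    ACE("permit", "ip", "10.10.20.0", "0.0.0.255"),
]

# Same ACL with the explicit "permit ip any any" that preempts the implicit deny.
SAMPLE_ACL_OPEN = SAMPLE_ACL + [ACE("permit", "ip", "any")]

# Constructed packets (inbound from a client on a port).
TELNET_PKT = {"protocol": "tcp", "src": "10.10.20.5", "dst": "10.1.1.1", "dst_port": 23}
HTTP_PKT = {"protocol": "tcp", "src": "10.10.20.5", "dst": "10.1.1.1", "dst_port": 80}
OTHER_SUBNET_PKT = {"protocol": "udp", "src": "10.10.30.5", "dst": "10.1.1.1", "dst_port": 53}


def demo() -> dict:
    """Run the sample packets through both ACLs and collect the verdicts."""
    return {
        "telnet": evaluate_acl(SAMPLE_ACL, TELNET_PKT),            # ("deny", 0)   explicit deny
        "http": evaluate_acl(SAMPLE_ACL, HTTP_PKT),                # ("permit", 1)
        "other": evaluate_acl(SAMPLE_ACL, OTHER_SUBNET_PKT),       # ("deny", None) implicit deny
        "other_open": evaluate_acl(SAMPLE_ACL_OPEN, OTHER_SUBNET_PKT),  # ("permit", 2)
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Two details worth noting when reading real ACLs against this model: ordering matters, so the Telnet deny must precede the broader subnet permit or it never fires; and the trailing "permit ip any any" turns the list into a blacklist, which is why the glossary warns that it permits every packet not explicitly handled earlier.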
Inbound Traffic: For the purpose of defining where the switch applies ACLs
to filter traffic, inbound traffic is any IP packet that enters the switch from
a given client on a given port.