Filtering inbound traffic with multiple ACLs
When traffic inbound on a port is subject to multiple ACL assignments, and a RADIUS-assigned, user-based ACL is present, this traffic must satisfy the following conditions to be permitted on the switch:
|
1 |
Originate with an authenticated client associated with the RADIUS-assigned ACL (if present). |
|
2 |
Be permitted by the RADIUS-assigned ACL (if present). Includes both IPv4 and IPv6 traffic—unless the ACL is configured to exclude (drop) IPv6 traffic. |
|
3 |
For IPv4-only traffic, be permitted by connection-rate ACL filtering. |
|
4 |
Be permitted by a VACL configured on a VLAN to which the port is assigned. |
|
5 |
Be permitted by a PACL assigned to the port.1 |
IPv4 VACLs and PACLs ignore IPv6 traffic, and the reverse.