Traffic applications

The switch supports RADIUS-assigned ACLs for the following traffic applications:
  • Inbound IPv4 traffic only

  • Inbound IPv4 and IPv6 traffic

This feature is designed for use on the network edge to accept RADIUS-assigned ACLs for Layer-3 filtering of IP traffic entering the switch from authenticated clients. A given RADIUS-assigned ACL is identified by a unique username/password pair or client MAC address, and applies only to IP traffic entering the switch from clients that authenticate with the required, unique credentials. The switch allows multiple RADIUS-assigned ACLs on a given port, up to the maximum number of authenticated clients allowed on the port. Also, a RADIUS-assigned ACL for a given client's traffic can be assigned regardless of whether other ACLs assigned to the same port are statically configured on the switch.

A RADIUS-assigned ACL filters IP traffic entering the switch from the client whose authentication caused the ACL assignment. Filter criteria are based on:
  • Destination address

  • IPv4 or IPv6 traffic type (such as TCP and UDP traffic)

Implementing the feature requires:
  • RADIUS authentication using the 802.1X, web-based authentication, or MAC authentication available on the switch to provide client authentication services

  • Configuring one or more ACLs on a RADIUS server (instead of the switch), and assigning each ACL to the username/password pair or MAC address of the client(s) you want the ACLs to support

Using RADIUS to dynamically apply ACLs to clients on edge ports enables the switch to filter IP traffic coming from outside the network, thus removing unwanted IP traffic as soon as possible and helping to improve system performance. Also, applying RADIUS-assigned ACLs to the network edge is likely to be less complex than configuring static port and VLAN-based ACLs in the network core to filter unwanted IP traffic that could have been filtered at the edge.

NOTE:

A RADIUS-assigned ACL filters inbound IP traffic on a given port from the client whose authentication triggered the ACL assignment to the port.

A RADIUS-assigned ACL can be applied regardless of whether IP traffic on the port is already being filtered by other, static ACLs that are already assigned. The following table lists the supported per-port ACL assignment capacity, subject to resource availability on the switch. For more information, see the appendix titled "Monitoring Resources" in the latest management and configuration guide for your switch.

ACLs enhance network security by blocking selected IP traffic and can serve as one layer of an edge security design. However, because ACLs do not protect against malicious manipulation of the data carried in IP packets, they should not be relied upon as a complete edge security solution.

Depending on the ACL configuration in the RADIUS server, the ACLs described in this section filter either IPv4 traffic only or both IPv4 and IPv6 traffic. These ACLs do not filter non-IP traffic such as AppleTalk and IPX.

Simultaneous ACL activity supported per-port

| ACL type            | Function                                                                                    | IPv4  | IPv6  |
|---------------------|---------------------------------------------------------------------------------------------|-------|-------|
| Port ACL            | Static ACL assignment to filter inbound IP traffic on a specific port.                      | 1     | 1     |
| RADIUS-assigned ACL | Dynamic ACL assignment to filter inbound IP traffic from a specific client on a given port. | 1-32¹ | 1-32¹ |

¹ One per authenticated client, up to a maximum of 32 clients per port for 802.1X, web-based authentication, and MAC-Authentication methods combined.
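The following Python model illustrates the per-port behaviour described in this section (an added example, not switch firmware or HP code): one RADIUS-assigned ACL per authenticated client, at most 32 per port, matching on destination address and IP protocol, coexisting with a static port ACL, and leaving non-IP traffic untouched. It assumes each ACL ends with an implicit deny and that traffic of an address family the ACL does not cover (IPv6 under an IPv4-only assignment) passes that ACL unfiltered; the packet dictionary layout is constructed for the example.

```python
"""Model of per-port RADIUS-assigned ACL handling (added example, not switch code)."""
from dataclasses import dataclass, field
import ipaddress

MAX_CLIENTS_PER_PORT = 32  # capacity table: one RADIUS ACL per client, 32 clients per port


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "ip" (any IP protocol)
    dst: str      # destination address/prefix such as "10.1.0.0/16", or "any"

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        # An IPv6 destination is never inside an IPv4 prefix (and vice versa)
        return self.dst == "any" or ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)


def acl_permits(aces: list, pkt: dict) -> bool:
    for ace in aces:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False  # assumption: implicit deny at the end of every ACL


@dataclass
class EdgePort:
    static_acl: list = field(default_factory=list)   # the static port ACL, applied to all inbound IP traffic
    radius_acls: dict = field(default_factory=dict)  # client MAC -> (aces, address families filtered)

    def assign_radius_acl(self, client_mac: str, aces: list, ipv6: bool = False) -> None:
        """Install the ACL the RADIUS server returned for a client that just authenticated."""
        if client_mac not in self.radius_acls and len(self.radius_acls) >= MAX_CLIENTS_PER_PORT:
            raise RuntimeError("per-port limit of 32 RADIUS-assigned ACLs reached")
        families = {"ipv4", "ipv6"} if ipv6 else {"ipv4"}  # "IPv4 only" vs "IPv4 and IPv6"
        self.radius_acls[client_mac] = (list(aces), families)

    def inbound_allowed(self, pkt: dict) -> bool:
        """pkt: constructed dict with src_mac, family (ipv4/ipv6/other), proto and dst."""
        if pkt["family"] not in ("ipv4", "ipv6"):
            return True  # AppleTalk, IPX and other non-IP traffic is not filtered by these ACLs
        if self.static_acl and not acl_permits(self.static_acl, pkt):
            return False
        entry = self.radius_acls.get(pkt["src_mac"])  # only the authenticated client's own traffic
        if entry and pkt["family"] in entry[1]:
            return acl_permits(entry[0], pkt)
        return True  # assumption: families the assigned ACL does not cover pass unfiltered
```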