Contrasting RADIUS-assigned and static ACLs

The following table highlights several key differences between the static ACLs configurable on switch VLANs and ports, and the dynamic ACLs that can be assigned by a RADIUS server to filter IP traffic from individual clients.

Contrasting dynamic (RADIUS-assigned) and static ACLs

RADIUS-assigned ACLs

Static port and VLAN ACLs

Configured in client accounts on a RADIUS server.

Configured on switch ports and VLANs.

Designed for use on the edge of the network where filtering of IP traffic entering the switch from individual, authenticated clients is most important and where clients with differing access requirements are likely to use the same port.

Designed for use where the filtering needs focus on static configurations covering:
  • switched IP traffic entering from multiple authenticated or unauthenticated sources (VACLs or static port ACLs)

  • routed IPv4 traffic (RACLs)

  • IP traffic from multiple sources and having a destination on the switch itself

Implementation requires client authentication.

Client authentication not a factor.

Identified by the credentials (username/password pair or the MAC address) of the specific client the ACL is intended to service.

Identified by a number in the range of 1-199 or an alphanumeric name.

Supports dynamic assignment to filter only the IP traffic entering the switch from an authenticated client on the port to which the client is connected. (IPv6 traffic can be switched; IPv4 traffic can be routed or switched. For either IP traffic family, includes traffic having a DA on the switch itself.)

Supports static assignments to filter:
  • switched IPv6 traffic entering the switch

  • switched or routed IPv4 traffic entering the switch, or routed IPv4 traffic leaving the switch.

When the authenticated client session ends, the switch removes the RADIUS-assigned ACL from the client port.

Remains statically assigned to the port or VLAN.

Allows one RADIUS-assigned ACL per authenticated client on a port. (Each such ACL filters traffic from a different, authenticated client.)Note: The switch provides ample resources for supporting RADIUS-assigned ACLs and other features. However, the actual number of ACLs supported depends on the switch current feature configuration and the related resource requirements. For more information, see the appendix titled "Monitoring Resources" in the management and configuration guide for your switch.

Simultaneously supports all of the following static assignments affecting a given port:
  • IPv4 traffic:
    • inbound RACL

    • outbound RACL

    • VACL

    • static port ACL

  • IPv6 traffic:
    • VACL

    • static port ACL

Supports IPv6 ACLs and IPv4 extended ACLs. “IPv6 Access Control Lists (ACLs)” in the IPv6 Configuration Guide for your switch.

Supports IPv6 ACLs and standard, extended, and connection-rate IPv4 ACLs

A given RADIUS-assigned ACL operates on a port to filter only the IP traffic entering the switch from the authenticated client corresponding to that ACL, and does not filter IP traffic inbound from other authenticated clients. (The traffic source is not a configurable setting.)

An RACL applied to inbound traffic on a VLAN filters routed IPv4 traffic entering the switch through a port on that VLAN, as well as any inbound traffic having a DA on the switch itself. An RACL can be applied to outbound IPv4 traffic on a VLAN to filters routed IPv4 traffic leaving the switch through a port on that VLAN (and includes routed IPv4 traffic generated by the switch itself). A VACL can be applied on a VLAN to filter either IPv4 or IPv6 traffic entering the switch through a port on that VLAN.A static port ACL can be applied on a port to filters either IPv4 or IPv6 traffic entering the switch through that port.

Requires client authentication by a RADIUS server configured to dynamically assign an ACL to a client on a switch port, based on client credentials.

No client authentication requirement.

ACEs allow a counter (cnt) option that causes a counter to increment when there is a packet match.

The show statistics command includes options for displaying the packet match count, see Monitoring static ACL performance. Also, ACEs allow a log option that generates a log message whenever there is a packet match.

CAUTION:

Regarding the Use of IPv4 Source Routing:

IPv4 source routing is enabled by default on the switch and can be used to override IPv4 ACLs. For this reason, if you are using IPv4 ACLs to enhance network security, the recommended action is to use the no ip source-route command to disable source routing on the switch. (If source routing is disabled in the running-config file, the show running command includes "no ip source-route" in the running-config file listing.)