305
DWS-1008 User’s Manual
D-Link Systems, Inc.
Configuring AAA for Network Users
Applying Security ACLs in a Location Policy Rule
When reassigning security ACL filters, specify whether the filter is an input filter or an output filter, as follows:
• Input filter - Use inacl inacl-name to filter traffic that enters the switch from users via a DWL-8220AP access port or wired authentication port, or from the network via a network port.
• Output filter - Use outacl outacl-name to filter traffic sent from the switch to users via a DWL-8220AP access port or wired authentication port, or to the network via a network port.
For example, the following command authorizes users at *.ny.ourfirm.com to access the bld4.tac VLAN, and applies the security ACL tac_24 as an output filter to the traffic they receive:
DWS-1008# set location policy permit vlan bld4.tac outacl tac_24 if user eq *.ny.ourfirm.com
The following command authorizes access to users on VLANs with names matching bldg4.* and applies security ACL svcs_2 as an input filter to the traffic they send and svcs_3 as an output filter to the traffic they receive:
DWS-1008# set location policy permit inacl svcs_2 outacl svcs_3 if vlan eq bldg4.*
You can optionally add the suffixes .in and .out to inacl-name and outacl-name for consistency with their usage in entries stored in the local DWS-1008 switch database.
Displaying and Positioning Location Policy Rules
The order of location policy rules is significant. MSS checks a location policy rule that is higher in the list before those lower in the list, and the first rule that matches a user is the one applied. Rules are listed in the order in which you create them, unless you move them.
To position location policy rules within the location policy, use before rule-number or modify rule-number in the set location policy command, or delete a rule with the clear location policy rule-number command.
For example, suppose you have configured the following location policy rules:
DWS-1008# show location policy
Id Clauses
----------------------------------------------------------------
1) deny if user eq *.theirfirm.com
2) permit vlan guest_1 if vlan neq *.ourfirm.com
3) permit vlan bld4.tac outacl tac_24.out if user eq *.ny.ourfirm.com
4) permit inacl svcs_2.in outacl svcs_3.out if vlan eq bldg4.*
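The two behaviours this section depends on, ACL direction (inacl on traffic the user sends, outacl on traffic the user receives) and first-match rule ordering, are easy to get wrong at the CLI. The following Python model is an added example, not D-Link or MSS code: it parses the clause syntax shown above, keeps rules in show location policy order, and evaluates a user's AAA attributes top down. The user attributes are constructed, the assumption that a user matched by no rule keeps the AAA-assigned values is the model's own, and rule 3 is written with outacl tac_24.out to match the set command earlier in this section.

```python
"""First-match model of MSS location policy rules (added example, not D-Link code)."""
import fnmatch
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    vlan: Optional[str] = None       # VLAN assigned on permit
    inacl: Optional[str] = None      # ACL on traffic entering the switch
    outacl: Optional[str] = None     # ACL on traffic leaving the switch
    cond_attr: Optional[str] = None  # "user" or "vlan"; None matches everyone
    cond_op: Optional[str] = None    # "eq" or "neq"
    cond_pat: Optional[str] = None   # glob pattern, "*" is the wildcard

    def matches(self, attrs: dict) -> bool:
        if self.cond_attr is None:
            return True
        value = attrs.get(self.cond_attr, "").lower()
        hit = fnmatch.fnmatchcase(value, self.cond_pat.lower())
        return hit if self.cond_op == "eq" else not hit

    def clause(self) -> str:
        parts = [self.action]
        for key in ("vlan", "inacl", "outacl"):
            if getattr(self, key) is not None:
                parts += [key, getattr(self, key)]
        if self.cond_attr is not None:
            parts += ["if", self.cond_attr, self.cond_op, self.cond_pat]
        return " ".join(parts)


def parse_clause(text: str) -> Rule:
    """Parse the clause syntax used by 'set location policy' on this page."""
    tokens = text.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"clause must start with permit or deny: {text!r}")
    rule, i = Rule(action=tokens[0]), 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "if":  # the condition must be the last part of the clause
            if len(tokens) != i + 4 or tokens[i + 1] not in ("user", "vlan") \
                    or tokens[i + 2] not in ("eq", "neq"):
                raise ValueError(f"bad condition in {text!r}")
            rule.cond_attr, rule.cond_op, rule.cond_pat = tokens[i + 1:i + 4]
            i += 4
        elif tok in ("vlan", "inacl", "outacl") and rule.action == "permit" \
                and i + 1 < len(tokens):
            setattr(rule, tok, tokens[i + 1])  # deny takes no vlan or ACL
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r} in {text!r}")
    return rule


class LocationPolicy:
    """Ordered rule list; numbering is 1-based as in 'show location policy'."""

    def __init__(self):
        self.rules = []

    def set_rule(self, clause: str, before: Optional[int] = None) -> int:
        rule = parse_clause(clause)  # 'before N' inserts ahead of rule N
        if before is None:
            self.rules.append(rule)
            return len(self.rules)
        if not 1 <= before <= len(self.rules):
            raise IndexError(f"no rule {before}")
        self.rules.insert(before - 1, rule)
        return before

    def clear(self, number: int) -> None:  # 'clear location policy N'
        del self.rules[number - 1]

    def show(self) -> list:
        return [f"{n}) {r.clause()}" for n, r in enumerate(self.rules, 1)]

    def evaluate(self, attrs: dict) -> dict:
        """Walk the list top down; the first matching rule decides. Unset permit
        fields keep the AAA-assigned values; with no match at all the AAA values
        apply unchanged (an assumption of this model)."""
        result = {"rule": None, "action": "permit", "vlan": attrs.get("vlan"),
                  "inacl": attrs.get("inacl"), "outacl": attrs.get("outacl")}
        for number, rule in enumerate(self.rules, 1):
            if not rule.matches(attrs):
                continue
            result.update(rule=number, action=rule.action)
            for key in ("vlan", "inacl", "outacl"):
                if rule.action == "deny":
                    result[key] = None
                elif getattr(rule, key) is not None:
                    result[key] = getattr(rule, key)
            break
        return result


def build_page_policy() -> LocationPolicy:
    """The four rules from this page's 'show location policy' output."""
    policy = LocationPolicy()
    for clause in ("deny if user eq *.theirfirm.com",
                   "permit vlan guest_1 if vlan neq *.ourfirm.com",
                   "permit vlan bld4.tac outacl tac_24.out if user eq *.ny.ourfirm.com",
                   "permit inacl svcs_2.in outacl svcs_3.out if vlan eq bldg4.*"):
        policy.set_rule(clause)
    return policy


def reorder_demo():
    """Constructed user: AAA returned username alice.ny.ourfirm.com, VLAN bld4.tac."""
    alice = {"user": "alice.ny.ourfirm.com", "vlan": "bld4.tac"}
    policy = build_page_policy()
    before = policy.evaluate(alice)  # rule 2 fires: bld4.tac is neq *.ourfirm.com
    policy.clear(3)                  # move rule 3 ahead of rule 2
    policy.set_rule("permit vlan bld4.tac outacl tac_24.out if user eq *.ny.ourfirm.com",
                    before=2)
    after = policy.evaluate(alice)   # now the *.ny.ourfirm.com rule is the first match
    return before, after
```

Running reorder_demo() shows why order matters: with the rules as listed, the constructed user whose AAA-assigned VLAN is bld4.tac matches rule 2 first (bld4.tac does not match *.ourfirm.com, so the neq condition holds) and lands in guest_1 with no output ACL; the rule written for *.ny.ourfirm.com never runs. Clearing that rule and re-creating it with before 2 makes it the first match, and tac_24.out is applied to the traffic the user receives. Checking a policy this way before committing it is cheaper than discovering the mis-order from a user's missing ACL.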