Configuring RADIUS Server Support for Switch Services
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists
• RACL (IPv4 ACLs only): an ACL assigned to filter routed IPv4 traffic entering or leaving the switch on a VLAN. (Separate assignments are required for inbound and outbound traffic.)
• RADIUS-Assigned ACL: dynamic ACL assigned by a RADIUS server to filter inbound traffic from an authenticated client on a given port.
ACL: See “Access Control Lists”.
ACL Mask: Follows a destination IPv4 address listed in an ACE. Defines which bits in a packet’s corresponding IPv4 addressing must exactly match the IPv4 addressing in the ACE, and which bits need not match (wildcards). For the IPv6 equivalent, see “Prefix Length”.
DA: The acronym for Destination Address. In an IP packet, this is the destination address carried in the header, and identifies the destination intended by the packet’s originator.
Deny: An ACE configured with this action causes the switch to drop a packet for which there is a match within an applicable ACL.
Deny Any Any: An abbreviated reference to the implicit deny statement, which denies inbound IP traffic from any source to any destination. This statement is the implicit, final statement in an ACL.
Dynamic ACL: See “RADIUS-assigned” ACL.
Extended ACL: This is an IPv4 access control list that uses layer-3 criteria composed of source and destination IPv4 addresses and (optionally) TCP/UDP port, ICMP, IGMP, precedence, or ToS criteria to determine whether there is a match with an IP packet. Except for RADIUS-assigned ACLs, which use client credentials for identifiers, extended ACLs require an alphanumeric name or an identification number (ID) in the range of 100-199. See also “Standard ACL”.
Implicit Deny: If the switch finds no matches between an inbound packet and the configured criteria in an applicable ACL, then the switch denies (drops) the packet with an implicit “deny in ip any any” (IPv4) or “deny in ipv6 any any” (IPv6) operation. You can preempt the implicit statement in a given ACL by configuring “permit in ip from any to any” (IPv4) or “permit in ipv6 any any” (IPv6) as the last explicit ACE in the ACL. Doing so permits inbound IP packets that are not explicitly permitted or denied by other ACEs configured sequentially earlier in the ACL.
Inbound Traffic: For the purpose of defining where the switch applies ACLs to filter traffic, inbound traffic is any IP packet that enters the switch from a given client on a given port.
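
The following is an added illustration, not text or code from the HP guide: a small Python model of the “ACL Mask” and “Implicit Deny” entries above, showing how a final explicit permit ACE turns a default-deny ACL into a default-permit one. It assumes the inverse-mask convention (a 0 bit must match, a 1 bit is a wildcard); the ACE tuple, function names, and addresses are constructed for the example.

```python
from __future__ import annotations
import ipaddress
from typing import NamedTuple, Optional

class ACE(NamedTuple):
    action: str  # "permit" or "deny"
    dest: str    # destination IPv4 address listed in the ACE
    mask: str    # ACL mask; assumed: 0 bit = must match, 1 bit = wildcard

def _u32(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def ace_matches(ace: ACE, packet_da: str) -> bool:
    """True when every bit the mask marks as significant is identical."""
    care = ~_u32(ace.mask) & 0xFFFFFFFF
    return (_u32(packet_da) & care) == (_u32(ace.dest) & care)

def evaluate(acl: list[ACE], packet_da: str) -> tuple[str, Optional[int]]:
    """Walk the ACEs in order; the first match decides.

    Returns (action, index of the deciding ACE). An index of None means
    no explicit ACE matched and the implicit deny dropped the packet.
    """
    for index, ace in enumerate(acl):
        if ace_matches(ace, packet_da):
            return ace.action, index
    return "deny", None

# Constructed sample ACL: block one host, allow the rest of its /24.
ACL_DEFAULT_DENY = [
    ACE("deny", "10.10.20.15", "0.0.0.0"),      # all 32 bits must match
    ACE("permit", "10.10.20.0", "0.0.0.255"),   # last octet is wildcard
]

# Same ACL with an explicit "permit any" as the last ACE, which
# preempts the implicit deny for everything not matched earlier.
ACL_DEFAULT_PERMIT = ACL_DEFAULT_DENY + [
    ACE("permit", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    for da in ("10.10.20.15", "10.10.20.77", "192.0.2.9"):
        print(da, evaluate(ACL_DEFAULT_DENY, da),
              evaluate(ACL_DEFAULT_PERMIT, da))
```

When reviewing an assigned ACL, a trailing permit-any ACE means only the explicit deny ACEs before it still restrict the client, so those entries carry the whole policy.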