Extreme-Dynamic-ACL

On EAP-enabled ports, this attribute assigns a dynamic ACL for an EAP-enabled port. The dynamic behavior of the ACL depends on the EAP port state (MHMV or MHSA).

For more information, see RADIUS Dynamic User-Based Policies.

Examples

The following examples provide the RADIUS configuration for the corresponding CLI filter configuration. This example is for MAC 0a:0a:0a:0a:0a:0a on port 1/1 and EAP is in MHMV mode.

filter acl 1 type inPort 
filter acl port 1 1/1 
 
filter acl ace 1 1 name RadiusGuest-Rule01 
filter acl ace ethernet 1 1 src-mac eq 0a:0a:0a:0a:0a:0a 
filter acl ace ethernet 1 1 ether-type eq 0x800 
filter acl ace ip 1 1 ip-protocol-type eq 17 
filter acl ace protocol 1 1 dst-port eq 53 
filter acl ace 1 1 action permit 
filter acl ace 1 1 enable 
 
filter acl ace 1 2 name RadiusGuest-Rule02 
filter acl ace ethernet 1 2 src-mac eq 0a:0a:0a:0a:0a:0a 
filter acl ace ethernet 1 2 ether-type eq 0x800 
filter acl ace ip 1 2 dst-ip mask 192.0.2.1 24 
filter acl ace 1 2 action permit 
filter acl ace 1 2 enable 
 
filter acl ace 1 3 name RadiusGuest-Rule03 
filter acl ace ethernet 1 3 src-mac eq 0a:0a:0a:0a:0a:0a 
filter acl ace 1 3 action deny 
filter acl ace 1 3 enable 

The RADIUS VSA does not specify the MAC or the port number because they are already known at the EAP level.

Extreme-Dynamic-ACL = "CLIENT RadiusGuest", 
Extreme-Dynamic-ACL += "acl inPort", 
Extreme-Dynamic-ACL += “ace 1 sec ethernet ether-type eq 0x800 & ip ip-protocol-type eq 17 & protocol dst-port eq 53 action permit", 
Extreme-Dynamic-ACL += “ace 2 sec ethernet ether-type eq 0x800 & ip dst-ip mask 192.0.2.1 24 action permit", 
Extreme-Dynamic-ACL += “ace 3 sec action deny" 
The following example provides the ability to remark DSCP value for IP traffic (0x800):
Extreme-Dynamic-ACL = “ace 1 qos action  permit internal-qos 5 remark-dot1p 5  remark-dscp phbaf41 & ethernet ether-type eq 0x800”,
Extreme-Dynamic-ACL += “acl set default-action permit”