Extreme-Dynamic-ACL

This attribute assigns a dynamic ACL to an EAP-enabled port. How the dynamic ACL is applied depends on the EAP port mode (MHMV or MHSA).

For more information, see RADIUS Dynamic User-Based Policies.

Examples

The following example shows a CLI filter configuration and the RADIUS configuration that produces the equivalent result. The example is for MAC 0a:0a:0a:0a:0a:0a on port 1/1, with EAP in MHMV mode.

filter acl 1 type inPort 
filter acl port 1 1/1 
 
filter acl ace 1 1 name RadiusGuest-Rule01 
filter acl ace ethernet 1 1 src-mac eq 0a:0a:0a:0a:0a:0a 
filter acl ace ethernet 1 1 ether-type eq 0x800 
filter acl ace ip 1 1 ip-protocol-type eq 17 
filter acl ace protocol 1 1 dst-port eq 53 
filter acl ace 1 1 action permit 
filter acl ace 1 1 enable 
 
filter acl ace 1 2 name RadiusGuest-Rule02 
filter acl ace ethernet 1 2 src-mac eq 0a:0a:0a:0a:0a:0a 
filter acl ace ethernet 1 2 ether-type eq 0x800 
filter acl ace ip 1 2 dst-ip mask 192.0.2.1 24 
filter acl ace 1 2 action permit 
filter acl ace 1 2 enable 
 
filter acl ace 1 3 name RadiusGuest-Rule03 
filter acl ace ethernet 1 3 src-mac eq 0a:0a:0a:0a:0a:0a 
filter acl ace 1 3 action deny 
filter acl ace 1 3 enable 

The RADIUS VSA does not specify the MAC address or the port number because both are already known at the EAP level, so the ACEs are bound to the authenticated client automatically.

Extreme-Dynamic-ACL = "CLIENT RadiusGuest",
Extreme-Dynamic-ACL += "acl inPort",
Extreme-Dynamic-ACL += "ace 1 sec ethernet ether-type eq 0x800 & ip ip-protocol-type eq 17 & protocol dst-port eq 53 action permit",
Extreme-Dynamic-ACL += "ace 2 sec ethernet ether-type eq 0x800 & ip dst-ip mask 192.0.2.1 24 action permit",
Extreme-Dynamic-ACL += "ace 3 sec action deny"

The following example remarks the DSCP value of IP traffic (ether-type 0x800) and sets the default action of the ACL to permit:

Extreme-Dynamic-ACL = "ace 1 qos action permit internal-qos 5 remark-dot1p 5 remark-dscp phbaf41 & ethernet ether-type eq 0x800",
Extreme-Dynamic-ACL += "acl set default-action permit"

The following examples show the list syntax and the expanded syntax for the same port configuration. The first line uses list syntax to match three TCP destination ports in one ACE; the three lines that follow are the equivalent expanded syntax, one ACE per port.

Extreme-Dynamic-ACL += 'ace 1 ethernet ether-type equal ip & ip ip-protocol-type eq tcp & protocol dst-port equal list 37, 38, 1427 & action permit',

Extreme-Dynamic-ACL += 'ace 1 ethernet ether-type equal ip & ip ip-protocol-type eq tcp & protocol dst-port equal 37 & action permit',
Extreme-Dynamic-ACL += 'ace 2 ethernet ether-type equal ip & ip ip-protocol-type eq tcp & protocol dst-port equal 38 & action permit',
Extreme-Dynamic-ACL += 'ace 3 ethernet ether-type equal ip & ip ip-protocol-type eq tcp & protocol dst-port equal 1427 & action permit',

The following examples show the list syntax and the expanded syntax for the same mask configuration. The first line uses list syntax to match six source port/mask pairs in one ACE; the six lines that follow are the equivalent expanded syntax, one ACE per port/mask pair.

Extreme-Dynamic-ACL += 'ace 1 ethernet ether-type equal ip & ip-protocol-type equal tcp & protocol source mask list 9100 0xFFFC, 9220 0xFFFE, 9290 0xFFFE, 49152 0xC000, 800 0xFFF8, 808 0xFFFE & ip dst mask 172.16.0.0 12 & action permit',

Extreme-Dynamic-ACL += 'ace 1 ethernet ether-type equal ip & ip-protocol-type equal tcp & protocol source mask 9100 0xFFFC & ip dst mask 172.16.0.0 12 & action permit',
Extreme-Dynamic-ACL += 'ace 2 ethernet ether-type equal ip & ip-protocol-type equal tcp & protocol source mask 9220 0xFFFE & ip dst mask 172.16.0.0 12 & action permit',
Extreme-Dynamic-ACL += 'ace 3 ethernet ether-type equal ip & ip-protocol-type equal tcp & protocol source mask 9290 0xFFFE & ip dst mask 172.16.0.0 12 & action permit',
Extreme-Dynamic-ACL += 'ace 4 ethernet ether-type equal ip & ip-protocol-type equal tcp & protocol source mask 49152 0xC000 & ip dst mask 172.16.0.0 12 & action permit',
Extreme-Dynamic-ACL += 'ace 5 ethernet ether-type equal ip & ip-protocol-type equal tcp & protocol source mask 800 0xFFF8 & ip dst mask 172.16.0.0 12 & action permit',
Extreme-Dynamic-ACL += 'ace 6 ethernet ether-type equal ip & ip-protocol-type equal tcp & protocol source mask 808 0xFFFE & ip dst mask 172.16.0.0 12 & action permit',
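The two list-syntax examples above (the port list and the port/mask list) can be checked mechanically. The following Python is an added example written for this page, not Extreme Networks' own tooling: it expands a list-syntax ACE into the per-item ACEs the page shows as the expanded form, and it reports which ports each "port mask" entry actually matches before the ACL is pushed through RADIUS. It assumes that a list appears at most once per ACE as "... list item, item, ..." at the end of one "&"-separated clause, and that a port mask uses the usual TCAM convention in which a 1-bit in the mask must match and a 0-bit is a wildcard; neither point is stated on this page.

```python
"""Added example (not Extreme Networks' code): expand Extreme-Dynamic-ACL
'list' syntax and show which ports a 'port mask' entry really matches."""
import re

# The two list-syntax ACEs from this page, copied verbatim as sample input.
PORT_LIST_ACE = (
    "Extreme-Dynamic-ACL += 'ace 1 ethernet ether-type equal ip & "
    "ip ip-protocol-type eq tcp & protocol dst-port equal list 37, 38, 1427 & action permit',"
)
MASK_LIST_ACE = (
    "Extreme-Dynamic-ACL += 'ace 1 ethernet ether-type equal ip & ip-protocol-type equal tcp & "
    "protocol source mask list 9100 0xFFFC, 9220 0xFFFE, 9290 0xFFFE, 49152 0xC000, "
    "800 0xFFF8, 808 0xFFFE & ip dst mask 172.16.0.0 12 & action permit',"
)

_ATTR_PREFIX = re.compile(r"^\s*Extreme-Dynamic-ACL\s*\+?=\s*")
# Assumption: one list per ACE, written '... list <item>, <item>, ...' at the
# end of a single '&'-separated clause; an item is a port or 'port mask'.
_LIST_CLAUSE = re.compile(r"^(?P<prefix>.+?) list (?P<items>.+)$")


def _normalise(ace: str) -> list[str]:
    """Drop the attribute name, quotes and trailing comma; return clean clauses."""
    text = _ATTR_PREFIX.sub("", ace).strip().rstrip(",").strip().strip("'\"\u201c\u201d")
    return [" ".join(clause.split()) for clause in text.split("&")]


def expand_list_syntax(ace: str) -> list[str]:
    """Return the expanded ACEs equivalent to one list-syntax ACE.

    Numbering starts at the input ACE's number and increments per list item,
    matching the expanded examples on this page. An ACE without a list clause
    comes back unchanged (normalised) as a single-element list.
    """
    clauses = _normalise(ace)
    if not re.match(r"^ace \d+ ", clauses[0]):
        raise ValueError(f"not an ACE: {clauses[0]!r}")
    hits = [(i, m) for i, c in enumerate(clauses) if (m := _LIST_CLAUSE.match(c))]
    if not hits:
        return [" & ".join(clauses)]
    if len(hits) > 1:
        raise ValueError("only one list clause per ACE is supported here")
    idx, match = hits[0]
    items = [" ".join(item.split()) for item in match.group("items").split(",")]
    first = int(clauses[0].split()[1])
    expanded = []
    for n, item in enumerate(items):
        new = list(clauses)
        new[idx] = f"{match.group('prefix')} {item}"          # one list item per ACE
        new[0] = re.sub(r"^ace \d+", f"ace {first + n}", new[0])  # renumber
        expanded.append(" & ".join(new))
    return expanded


def ports_matched(port: int, mask: int) -> range:
    """Ports matched by a 'port mask' entry.

    Assumption (typical TCAM semantics, not stated on this page): a 1-bit in the
    mask must equal the given port bit, a 0-bit is a wildcard. A single range
    results only when the wildcard bits are the low-order bits, which holds for
    every entry on this page; other masks are rejected rather than mis-reported.
    """
    if not (0 <= port <= 0xFFFF and 0 <= mask <= 0xFFFF):
        raise ValueError("port and mask must be 16-bit values")
    wild = (~mask) & 0xFFFF
    if wild & (wild + 1):
        raise ValueError(f"mask {mask:#06x} has non-contiguous wildcard bits")
    base = port & mask
    return range(base, base + wild + 1)


def mask_ace_coverage(ace: str) -> list[tuple[str, range]]:
    """For each expanded 'protocol source mask <port> <hexmask>' ACE, the port range."""
    out = []
    for exp in expand_list_syntax(ace):
        m = re.search(r"\bmask (\d+) (0x[0-9A-Fa-f]+)\b", exp)
        if m:
            out.append((exp, ports_matched(int(m.group(1)), int(m.group(2), 16))))
    return out


if __name__ == "__main__":
    for line in expand_list_syntax(PORT_LIST_ACE):
        print(line)
    for exp, rng in mask_ace_coverage(MASK_LIST_ACE):
        print(f"{rng.start}-{rng.stop - 1:<5}  {exp.split(' & ')[2]}")
```

Running it reproduces the six expanded lines above and prints the port span behind each mask. The check is worth doing before deploying a mask list: "49152 0xC000" looks like one port but matches 49152 through 65535, the entire dynamic port range, whereas "9100 0xFFFC" only covers 9100 through 9103.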