On EAP-enabled ports, this attribute assigns a dynamic ACL to the port. The dynamic behavior of the ACL depends on the EAP port state (MHMV or MHSA).
The attribute is defined under Extreme Networks vendor ID 1916 and uses the value 251.
For more information, see RADIUS Dynamic User-Based Policies.
The following examples provide the RADIUS configuration for the corresponding CLI filter configuration. This example is for MAC 0a:0a:0a:0a:0a:0a on port 1/1 and EAP is in MHMV mode.
filter acl 1 type inPort
filter acl port 1 1/1
filter acl ace 1 1 name RadiusGuest-Rule01
filter acl ace ethernet 1 1 src-mac eq 0a:0a:0a:0a:0a:0a
filter acl ace ethernet 1 1 ether-type eq 0x800
filter acl ace ip 1 1 ip-protocol-type eq 17
filter acl ace protocol 1 1 dst-port eq 53
filter acl ace 1 1 action permit
filter acl ace 1 1 enable
filter acl ace 1 2 name RadiusGuest-Rule02
filter acl ace ethernet 1 2 src-mac eq 0a:0a:0a:0a:0a:0a
filter acl ace ethernet 1 2 ether-type eq 0x800
filter acl ace ip 1 2 dst-ip mask 192.0.2.1 24
filter acl ace 1 2 action permit
filter acl ace 1 2 enable
filter acl ace 1 3 name RadiusGuest-Rule03
filter acl ace ethernet 1 3 src-mac eq 0a:0a:0a:0a:0a:0a
filter acl ace 1 3 action deny
filter acl ace 1 3 enable
The RADIUS VSA does not specify the MAC or the port number because they are already known at the EAP level.
Extreme-Dynamic-ACL = "CLIENT RadiusGuest",
Extreme-Dynamic-ACL += "acl inPort",
Extreme-Dynamic-ACL += "ace 1 sec ethernet ether-type eq 0x800 & ip ip-protocol-type eq 17 & protocol dst-port eq 53 action permit",
Extreme-Dynamic-ACL += "ace 2 sec ethernet ether-type eq 0x800 & ip dst-ip mask 192.0.2.1 24 action permit",
Extreme-Dynamic-ACL += "ace 3 sec action deny"

Extreme-Dynamic-ACL = "ace 1 qos action permit internal-qos 5 remark-dot1p 5 remark-dscp phbaf41 & ethernet ether-type eq 0x800",
Extreme-Dynamic-ACL += "acl set default-action permit"
The following examples provide both the list and expanded syntax for the same port configuration.
Extreme-Dynamic-ACL += 'ace 1 ethernet ether-type equal ip & ip ip-protocol-type eq tcp & protocol dst-port equal list 37, 38, 1427 & action permit',

Extreme-Dynamic-ACL += 'ace 1 ethernet ether-type equal ip & ip ip-protocol-type eq tcp & protocol dst-port equal 37 & action permit',
Extreme-Dynamic-ACL += 'ace 2 ethernet ether-type equal ip & ip ip-protocol-type eq tcp & protocol dst-port equal 38 & action permit',
Extreme-Dynamic-ACL += 'ace 3 ethernet ether-type equal ip & ip ip-protocol-type eq tcp & protocol dst-port equal 1427 & action permit',
The following examples provide both the list and expanded syntax for the same mask configuration.
Extreme-Dynamic-ACL += 'ace 1 ethernet ether-type equal ip & ip-protocol-type equal tcp & protocol source mask list 9100 0xFFFC, 9220 0xFFFE, 9290 0xFFFE, 49152 0xC000, 800 0xFFF8, 808 0xFFFE & ip dst mask 172.16.0.0 12 & action permit',

Extreme-Dynamic-ACL += 'ace 1 ethernet ether-type equal ip & ip-protocol-type equal tcp & protocol source mask 9100 0xFFFC & ip dst mask 172.16.0.0 12 & action permit',
Extreme-Dynamic-ACL += 'ace 2 ethernet ether-type equal ip & ip-protocol-type equal tcp & protocol source mask 9220 0xFFFE & ip dst mask 172.16.0.0 12 & action permit',
Extreme-Dynamic-ACL += 'ace 3 ethernet ether-type equal ip & ip-protocol-type equal tcp & protocol source mask 9290 0xFFFE & ip dst mask 172.16.0.0 12 & action permit',
Extreme-Dynamic-ACL += 'ace 4 ethernet ether-type equal ip & ip-protocol-type equal tcp & protocol source mask 49152 0xC000 & ip dst mask 172.16.0.0 12 & action permit',
Extreme-Dynamic-ACL += 'ace 5 ethernet ether-type equal ip & ip-protocol-type equal tcp & protocol source mask 800 0xFFF8 & ip dst mask 172.16.0.0 12 & action permit',
Extreme-Dynamic-ACL += 'ace 6 ethernet ether-type equal ip & ip-protocol-type equal tcp & protocol source mask 808 0xFFFE & ip dst mask 172.16.0.0 12 & action permit',
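
For reviewing a policy before it is deployed, the list form in the port and mask examples above can be expanded offline into the ACEs it stands for. The following Python is an added example, not Extreme Networks code; the names expand_ace and expand_policy are hypothetical. It assumes the expanded entries take consecutive ACE IDs starting at the ID written on the list line, as the expanded examples above show; the duplicate-ID check is a review aid of this example, not documented switch behavior.

```python
import re

# Attribute line as written in a RADIUS users file (straight quotes only).
LINE_RE = re.compile(r"""Extreme-Dynamic-ACL\s*\+?=\s*(['"])(?P<value>.*?)\1""")
ACE_RE = re.compile(r"^ace\s+(?P<id>\d+)\b")  # "ace <id>" opening the value
# "list v1, v2, ..." running up to the next "&" separator or end of string.
LIST_RE = re.compile(r"\blist\s+(?P<items>[^&]+?)\s*(?=&|$)")

def expand_ace(value):
    """Return the single-value ACE strings equivalent to one list-form ACE."""
    value = value.strip()
    ace = ACE_RE.match(value)
    if ace is None:
        raise ValueError(f"not an ACE string: {value!r}")
    lists = list(LIST_RE.finditer(value))
    if not lists:
        return [value]
    if len(lists) > 1:
        raise ValueError("several list clauses: not covered by the page's examples")
    m, first_id = lists[0], int(ace.group("id"))
    head, tail = value[:m.start()], value[m.end():]
    expanded = []
    for offset, item in enumerate(m.group("items").split(",")):
        body = f"{head}{item.strip()} {tail}".strip()
        expanded.append(ACE_RE.sub(f"ace {first_id + offset}", body, count=1))
    return expanded

def expand_policy(lines):
    """Expand each ACE line; reject ACE IDs that collide after expansion."""
    seen, result = set(), []
    for line in lines:
        found = LINE_RE.search(line)
        if found is None or not ACE_RE.match(found.group("value").strip()):
            continue  # "CLIENT ...", "acl ..." and other lines carry no ACE
        for ace in expand_ace(found.group("value")):
            ace_id = int(ACE_RE.match(ace).group("id"))
            if ace_id in seen:
                raise ValueError(f"ACE {ace_id} defined twice after expansion")
            seen.add(ace_id)
            result.append(ace)
    return result

# Constructed input: the list-form line from the port example above.
PORT_LIST = ("Extreme-Dynamic-ACL += 'ace 1 ethernet ether-type equal ip & ip "
             "ip-protocol-type eq tcp & protocol dst-port equal list 37, 38, 1427 "
             "& action permit',")

if __name__ == "__main__":
    print("\n".join(expand_policy([PORT_LIST])))
```

A list line that starts at ACE 1 and is followed by a hand-written ACE 2 is reported as a collision, which is the case worth catching when list and single-value lines are mixed in one policy.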