Dynamic Access Control Lists (ACL)
    
    
The dynamic policy access control lists (ACL) feature uses the existing RADIUS change of authorization (CoA) mechanism to override existing policy rules associated with a user by including a new vendor-specific attribute (VSA) in the CoA. When a CoA request to apply a particular set of match conditions and actions (or an action-set) is received, a lookup is performed to determine which policy profile the specified user was authenticated in, and the action-set ID specified in the CoA is applied in that user's profile.

Note: You must configure VCAP partitioning to use dynamic ACL (see VCAP Partitioning).
 
 
Dynamic ACLs and Layer 7 policy share, as one resource pool, the slices not used by TCI overwrite-enabled (see VCAP Partitioning). Dynamic ACLs have a higher priority, so they override Layer 7 policy (DNS) entry matches.
The following match conditions can be used:

- ipv4src ipv4source/mask-length
- ipv4dst ipv4dest/mask-length
- ipproto ipproto (TCP or UDP)
- l4srcport l4sourceport/mask-length (requires ipproto)
- l4dstport l4destport/mask-length (requires ipproto)
 
            
 
The following actions can be used:

- CoS (not valid if “drop” is specified)
- Drop (not valid if “forward” is specified)
- Forward (not valid if “drop” is specified)
- Syslog
- Mirror
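
A pre-flight check for a rule before it is placed in a CoA, as an added example that is not Extreme's code: it enforces only the match-condition and action constraints listed above. The `validate_rule` function, the dict/list rule layout and the accepted mask-length ranges are assumptions; the page does not give the VSA encoding.

```python
import ipaddress

# Keywords and constraints are the ones listed above. The dict/list layout is an
# assumption for illustration: the page does not show how the VSA encodes a rule.
ADDR_KEYS = ("ipv4src", "ipv4dst")
PORT_KEYS = ("l4srcport", "l4dstport")
ACTIONS = {"cos", "drop", "forward", "syslog", "mirror"}

def _in_range(text, lo, hi):
    return text.isascii() and text.isdigit() and lo <= int(text) <= hi

def _valid_ipv4_prefix(value):
    addr, _, mask = str(value).partition("/")
    try:
        ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return _in_range(mask, 0, 32)

def validate_rule(match, actions):
    """Return a list of problems; an empty list means the rule is consistent."""
    errors = []
    for key in match:
        if key not in ADDR_KEYS + PORT_KEYS + ("ipproto",):
            errors.append(f"unsupported match condition: {key}")
    for key in ADDR_KEYS:
        if key in match and not _valid_ipv4_prefix(match[key]):
            errors.append(f"{key}: expected address/mask-length")
    proto = match.get("ipproto")
    if proto is not None and str(proto).lower() not in ("tcp", "udp"):
        errors.append("ipproto must be TCP or UDP")
    for key in PORT_KEYS:
        if key not in match:
            continue
        if proto is None:
            errors.append(f"{key} requires ipproto")
        port, _, mask = str(match[key]).partition("/")
        # Assumption: ports are 16 bits wide, so mask-length is taken as 1..16.
        if not (_in_range(port, 0, 65535) and _in_range(mask, 1, 16)):
            errors.append(f"{key}: expected port/mask-length")
    acts = {a.lower() for a in actions}
    errors += [f"unsupported action: {a}" for a in sorted(acts - ACTIONS)]
    if {"drop", "forward"} <= acts:
        errors.append("drop and forward are mutually exclusive")
    if {"drop", "cos"} <= acts:
        errors.append("cos is not valid with drop")
    return errors

if __name__ == "__main__":
    # Constructed sample: a port match without ipproto, plus conflicting actions.
    print(validate_rule({"l4dstport": "53/16"}, ["drop", "forward"]))
```

Running such a check on the RADIUS or NAC side catches an inconsistent action-set before it is sent in a CoA.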
 
            
 
Supported Platforms

ExtremeSwitching X450-G2, X460-G2, X670-G2, X440-G2, X465, X590, X620, X690, X695, X870 series switches.
        
Limitations

- ACL style policy must be selected.
- Only a subset of the existing policy rules is allowed.
- SNMP is not supported.