Dynamic Access Control Lists (ACL)

The dynamic policy access control list (ACL) feature uses the existing RADIUS change of authorization (CoA) mechanism to override the policy rules associated with a user by including a new vendor-specific attribute (VSA) in the CoA. When a CoA request to apply a particular set of match conditions and actions (an action-set) is received, a lookup determines which policy profile the specified user was authenticated in, and the action-set ID specified in the CoA is applied in that user's profile.
Note

You must configure VCAP partitioning to use dynamic ACL (see VCAP Partitioning).

Dynamic ACLs and Layer 7 policy share the slices not used by TCI overwrite-enabled as one shared resource pool (see VCAP Partitioning). Dynamic ACLs have higher priority and override Layer 7 policy (DNS) entry matches.
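Because a CoA carrying this VSA changes the rules applied to an authenticated user, the receiver has to authenticate the request before acting on it. The following added example (not ExtremeXOS code) verifies the RFC 5176 Request Authenticator of a CoA-Request and only then extracts the user and action-set ID. The vendor ID (the IANA documentation number 32473), the vendor type `1`, the raw-bytes encoding of the action-set ID, and all function names are assumptions, since the page does not give the VSA's layout.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43       # RFC 5176 CoA-Request code
USER_NAME = 1          # RFC 2865 User-Name
VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific
VENDOR_ID = 32473      # placeholder: IANA enterprise number reserved for documentation
ACTION_SET_VSA = 1     # hypothetical vendor type; the page does not name the VSA


def authenticator(header, attrs, secret):
    # RFC 5176: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_coa(ident, user, action_set_id, secret):
    """Build a constructed CoA-Request so the parser has offline sample input."""
    vsa = struct.pack("!BB", ACTION_SET_VSA, 2 + len(action_set_id)) + action_set_id
    attrs = struct.pack("!BB", USER_NAME, 2 + len(user)) + user
    attrs += struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(vsa), VENDOR_ID) + vsa
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    return header + authenticator(header, attrs, secret) + attrs


def parse_coa(packet, secret):
    """Authenticate first, then return (user, action_set_id); else raise ValueError."""
    if len(packet) < 20 or packet[0] != COA_REQUEST or \
            struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("not a well-formed CoA-Request")
    attrs = packet[20:]
    if not hmac.compare_digest(packet[4:20], authenticator(packet[:4], attrs, secret)):
        raise ValueError("bad Request Authenticator")
    user = action = None
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("bad attribute length")
        atype, value = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        if atype == USER_NAME:
            user = value
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == VENDOR_ID and vtype == ACTION_SET_VSA and vlen == len(value) - 4:
                action = value[6:]
        i += attrs[i + 1]
    if user is None or action is None:
        raise ValueError("missing User-Name or action-set VSA")
    return user, action
```

A request whose action-set ID was altered in transit, or that was built with a different shared secret, fails the authenticator check before any attribute is read.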

The following match conditions can be used:
The following actions can be used:

Supported Platforms

ExtremeSwitching X450-G2, X460-G2, X670-G2, X440-G2, X465, X590, X620, X690, X695, X870 series switches.

Limitations