Role-based ACLs
Beginning with Release 32.1, dynamic ACL rules can be user-based or role-based. User-based rules take priority over any statically provisioned rules. Policy roles and the DACLs associated with them are created dynamically as needed, based on the incoming RADIUS Filter-Id attribute, and a dynamically created role is automatically deleted when the last authenticated user associated with it is removed.
Once a set of role-based rules is installed for a given role or profile, it cannot be changed until that role is no longer in use. Role-based rules are shared by every other user who authenticates to the same role or profile. User-based and role-based DACLs can coexist on the same device, but a single user cannot have a mix of user-based and role-based DACLs.
A role-based operation has a type 'r' and requires a preceding add operation (a,r). Each role requires a profile pre-configured with a unique name and access-list configuration.
A role-based create operation has a type 'c' and also requires a preceding add operation (a,rc). The role or profile is created dynamically if it does not already exist; a role or profile created this way is deleted when it is no longer in use.
A delete-all operation has a type of 'da'. It must be the first entry in the list, and it removes all existing rules associated with the user or role. No match, action, or index fields are permitted on a delete-all entry; an action or index field that is present is ignored.
Match fields:
- ipv4src ipv4source/mask-length
- ipv4dst ipv4dest/mask-length
- ipproto ipproto (TCP, UDP, ICMP, or protocol number; ICMP and protocol number as of Release 32.1)
- l4srcport l4sourceport-l4sourceportend/mask-length (requires ipproto; a port range is role-based only and cannot be combined with a mask)
- l4dstport l4destport-l4destportend/mask-length (requires ipproto; a port range is role-based only and cannot be combined with a mask)
- ether (role-based only)
- any (as of Release 32.1)
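The operation and match-field constraints above are easy to get wrong when hand-editing RADIUS attributes, and a rejected attribute silently leaves a user without the intended ACL. The following linter is an added example, not Extreme Networks code, that encodes those constraints so a set of rules can be checked before it is pushed to the RADIUS server. The rule representation (a list of dicts with `type`, `match`, `action`, `index`), the spellings `"a"`, `"a,r"`, `"a,rc"` and `"da"` for the operation field, and the 16-bit upper bound on a port mask length are assumptions made for this example; the page does not show the on-the-wire attribute encoding.

```python
"""Lint dynamic ACL rules against the documented operation and match-field constraints.

Added example; the rule dict layout and operation spellings are assumptions,
not the actual RADIUS attribute encoding.
"""
import ipaddress
import re

MATCH_KEYWORDS = {"ipv4src", "ipv4dst", "ipproto", "l4srcport", "l4dstport", "ether", "any"}
IP_PROTO_NAMES = {"TCP", "UDP", "ICMP"}
# Assumed spellings: plain add (user-based), add+role, add+role-create, delete-all.
VALID_TYPES = {"a", "a,r", "a,rc", "da"}
# port, optional -portend, optional /mask-length
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?(?:/(\d{1,2}))?$")


def is_role_based(rule):
    return rule["type"] in ("a,r", "a,rc")


def valid_ipv4_prefix(value):
    """True for the page's ipv4source/mask-length form, e.g. 10.1.1.0/24."""
    if "/" not in value:
        return False
    try:
        return ipaddress.ip_network(value, strict=False).version == 4
    except ValueError:
        return False


def valid_ipproto(value):
    return value.upper() in IP_PROTO_NAMES or (value.isdigit() and int(value) <= 255)


def check_port(key, value, role_based):
    """Apply the l4srcport/l4dstport rules: range is role-based only and excludes a mask."""
    m = PORT_RE.match(value)
    if not m:
        return [f"{key}: malformed value {value!r}"]
    lo, hi, mask = m.group(1), m.group(2), m.group(3)
    errors = [f"{key}: port {p} out of range" for p in (lo, hi) if p is not None and int(p) > 65535]
    if hi is not None:
        if not role_based:
            errors.append(f"{key}: port range is role-based only")
        if mask is not None:
            errors.append(f"{key}: port range cannot carry a mask")
        if int(lo) > int(hi):
            errors.append(f"{key}: range start exceeds range end")
    if mask is not None and int(mask) > 16:  # assumed: ports are 16 bits wide
        errors.append(f"{key}: mask length {mask} exceeds 16")
    return errors


def check_match(match, role_based):
    errors = [f"unknown match keyword {k!r}" for k in match if k not in MATCH_KEYWORDS]
    for key in ("ipv4src", "ipv4dst"):
        if key in match and not valid_ipv4_prefix(match[key]):
            errors.append(f"{key}: expected IPv4 address/mask-length, got {match[key]!r}")
    if "ipproto" in match and not valid_ipproto(match["ipproto"]):
        errors.append(f"ipproto: expected TCP, UDP, ICMP or 0-255, got {match['ipproto']!r}")
    for key in ("l4srcport", "l4dstport"):
        if key in match:
            if "ipproto" not in match:
                errors.append(f"{key} requires ipproto")
            errors.extend(check_port(key, match[key], role_based))
    if "ether" in match and not role_based:
        errors.append("ether is role-based only")
    return errors


def lint_rules(rules):
    """Return a list of findings for one user's rule list; an empty list means it is clean."""
    findings, kinds = [], set()
    for i, rule in enumerate(rules):
        t = rule.get("type")
        if t not in VALID_TYPES:
            findings.append(f"rule {i}: unsupported type {t!r} (role operations need a preceding add)")
            continue
        if t == "da":
            if i != 0:
                findings.append(f"rule {i}: delete-all must be the first entry")
            if rule.get("match"):
                findings.append(f"rule {i}: delete-all permits no match fields")
            findings.extend(f"rule {i}: {f} is ignored on delete-all" for f in ("action", "index") if f in rule)
            continue
        role = is_role_based(rule)
        kinds.add("role" if role else "user")
        findings.extend(f"rule {i}: {e}" for e in check_match(rule.get("match", {}), role))
    if len(kinds) > 1:
        findings.append("user-based and role-based rules cannot be mixed for one user")
    return findings


# Constructed sample rule lists.
USER_RULES = [
    {"type": "da"},
    {"type": "a", "match": {"ipv4dst": "10.1.1.0/24", "ipproto": "tcp", "l4dstport": "443"},
     "action": "permit", "index": 10},
]
ROLE_RULES = [{"type": "a,rc", "match": {"ipproto": "udp", "l4dstport": "67-68"}, "action": "permit"}]
BAD_RULES = [
    {"type": "a", "match": {"ipproto": "tcp", "l4dstport": "1024-65535"}},  # range on a user-based rule
    {"type": "a,r", "match": {"ether": "0x0806"}},                          # role rule mixed with user rules
    {"type": "da"},                                                          # delete-all not first
    {"type": "r", "match": {"any": ""}},                                     # role op without preceding add
    {"type": "a", "match": {"l4srcport": "53"}},                             # port without ipproto
]

if __name__ == "__main__":
    for name, rules in (("user", USER_RULES), ("role", ROLE_RULES), ("bad", BAD_RULES)):
        print(name, lint_rules(rules) or "ok")
```

Run the file directly to see the findings for the three constructed lists; the first two lint clean and the third reports one finding per deliberate mistake. The `ignored` findings for action/index on a delete-all entry are reported alongside hard errors so that an operator sees exactly what the switch will drop.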
Supported Platforms
All ExtremeSwitching X435, X450-G2, X460-G2, X440-G2, X465, X590, X620, X695 series switches.
Limitations
- TCI overwrite is not supported on X435 switches.
- Layer 7 policy (DNS) is not supported on X435 switches.
- Role-based Dynamic Access-List is supported on X435 switches, but without action set IDs mentioned in the VSA (Action-set ID CLI is not supported on X435).
- User-based ACLs, which require slice sharing (enabled with the configure policy slices shared number command), are not supported on X435.
- DNS is not supported on Extended Edge switches with Controlling Bridges on the ExtremeSwitching X695 series switch.
- ACL-style policy must be selected.
- Only a subset of the existing policy rules is allowed.
- SNMP is not supported.
- Role-based ACLs are supported on a Controlling Bridge, which does not support tci-overwrite profiles.
- User-based ACLs are not supported on a Controlling Bridge, which does not support tci-overwrite policy profiles.