Dynamic Policy Access Control Lists (ACLs)

The dynamic policy access control lists (ACL) feature uses the existing RADIUS change of authorization (CoA) mechanism to override existing policy rules associated with a user by including a new vendor specific attribute (VSA) in the CoA. When a CoA request to apply a particular set of match conditions and actions (or an action-set) is received, a look-up is performed to determine which policy profile the specified user was authenticated in and the action-set ID specified in the CoA is applied in that user‘s profile.

Dynamic ACLs and Layer 7 policy share the slices not used by TCI overwrite enabled as one shared resource pool. Dynamic ACLs have a higher priority to override Layer 7 policy (DNS) entry matches.

The following match conditions can be used:

ipv4src ipv4source/mask-length
ipv4dst ipv4dest/mask-length
ipproto ipproto (TCP or UDP)
l4srcport l4sourceport/mask-length (requires ipproto)
l4dstport l4destport/mask-length (requires ipproto)

The following actions can be used:

CoS (not valid if “drop” is specified)
Drop (not valid if “forward” is specified)
Forward (not valid if “drop” is specified)
Syslog
Mirror

Supported Platforms

ExtremeSwitching X450-G2, X460-G2, X670-G2, X440-G2, X465, X590, X620, X690, X870 series switches.

Limitations

ACL style policy must be selected.
Only a subset of the existing policy rules are allowed.
SNMP is not supported.

New CLI Commands

configure policy slices shared [{ shared } { l7GuaranteedPercentage l7GuaranteedPercentage } { dynAclGuaranteedPercentage dynAclGuaranteedPercentage}]

create policy access-list action-set set-id [{drop | forward} {cos cos} {mirror-destination control_index} {syslog}]

show policy access-list action-set {set_id}

delete policy access-list action-set set-id

Changed CLI Commands

The follow show command is changed to show configured guaranteed Layer 7 policy and dynamic ACL percentages:

show policy slices