The dynamic policy access control list (ACL) feature uses the existing RADIUS change of authorization (CoA) mechanism to override existing policy rules associated with a user by including a new vendor-specific attribute (VSA) in the CoA. When a CoA request to apply a particular set of match conditions and actions (or an action-set) is received, a lookup is performed to determine which policy profile the specified user was authenticated in, and the action-set ID specified in the CoA is applied in that user's profile.
Dynamic ACLs and Layer 7 policy share the slices not used by TCI overwrite enabled as one shared resource pool. Dynamic ACLs have higher priority and override Layer 7 policy (DNS) entry matches.
ExtremeSwitching X450-G2, X460-G2, X670-G2, X440-G2, X465, X590, X620, X690, X870 series switches.
configure policy slices shared [{ shared } { l7GuaranteedPercentage l7GuaranteedPercentage } { dynAclGuaranteedPercentage dynAclGuaranteedPercentage}]
create policy access-list action-set set-id [{drop | forward} {cos cos} {mirror-destination control_index} {syslog}]
show policy access-list action-set {set_id}
delete policy access-list action-set set-id
The following show command is changed to show the configured guaranteed Layer 7 policy and dynamic ACL percentages:
show policy slices