Role-based ACLs
Beginning with Release 32.1, dynamic ACL rules can be user-based or role-based. User-based rules are treated as higher priority than any statically provisioned rules. Policy roles and the DACLs associated with them are dynamically created as needed, based on the incoming RADIUS Filter-Id attribute, and a dynamically created role is automatically deleted when the last authenticated user associated with it is removed.
Once a set of role-based rules has been installed for a given role or profile, it cannot be changed until that role is no longer in use, because the rules are shared by every other user who authenticates to the same role or profile. User-based and role-based DACLs can be used on the device at the same time, but a given user cannot be assigned a mix of user-based and role-based DACLs.
A role-based operation has type 'r' and must be combined with a preceding add operation (a,r). Each role requires a profile that has been pre-configured with a unique name and an access-list configuration.
A role-based create operation has type 'c' and likewise requires a preceding add operation (a,rc). The role or profile is dynamically created if it does not already exist; a role or profile created this way is deleted when it is no longer in use.
A delete-all operation has type 'da' and takes no match field. It must be the first entry in the list, and it removes all existing rules associated with the user or role. The action and index fields have no meaning for delete-all and are ignored if present.
Supported match fields:
- ipv4src ipv4source/mask-length
- ipv4dst ipv4dest/mask-length
- ipproto ipproto (TCP, UDP, ICMP, or a protocol number; ICMP and protocol numbers as of Release 32.1)
- l4srcport l4sourceport-l4sourceportend/mask-length (requires ipproto; a port range is role-based only and cannot be combined with a mask)
- l4dstport l4destport-l4destportend/mask-length (requires ipproto; a port range is role-based only and cannot be combined with a mask)
- ether (role-based only)
- any (as of Release 32.1)
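The operation types and the match-field constraints above are the kind of thing a RADIUS policy server should check before it hands a rule list to the switch, since a rule the switch rejects silently leaves the user with less (or more) access than intended. The following pre-flight validator is an added example, not code from the page or from the switch vendor. It works on a simplified in-memory form of a rule list (a list of dicts with `type`, `match`, `action`, `index` and, for role-based rules, `role`), and the comma-separated flag spelling of the type field (`a`, `a,r`, `a,rc`, `da`) is this example's assumption; the actual Filter-Id wire encoding is not shown on this page. It enforces the rules stated in the text: delete-all first and without match fields, `r`/`c` only with a preceding add, `c` only with `r`, `ether` and port ranges role-based only, no mask on a range, L4 ports requiring `ipproto`, and no user/role mix for one user.

```python
"""Pre-flight validator for dynamic-ACL rule lists (added example).

The dict layout and the comma-separated type flags are this example's own
assumption, not the switch's Filter-Id format.  Only the operation types and
match keywords documented on the page are accepted.
"""
import ipaddress
import re

IPPROTO_NAMES = {"tcp", "udp", "icmp"}
# port, optional -endport (range), optional /mask-length
_PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?(?:/(\d{1,2}))?$")


def _parse_type(type_field):
    """Turn 'a', 'a,r', 'a,rc' or 'da' into a set of flags (assumed spelling)."""
    flags = set()
    for tok in type_field.split(","):
        tok = tok.strip()
        if tok == "da":
            flags.add("da")
        elif tok in ("a", "r", "c", "rc"):
            flags.update(tok)  # 'rc' expands to {'r', 'c'}
        else:
            raise ValueError(f"unknown operation type {tok!r}")
    return flags


def _check_match(match, role_based):
    """Validate one match dict against the keyword rules from the text."""
    errs = []
    for key, value in match.items():
        try:
            if key in ("ipv4src", "ipv4dst"):
                ipaddress.IPv4Network(value, strict=False)  # addr/mask-length
            elif key == "ipproto":
                if value.lower() not in IPPROTO_NAMES and not (
                        value.isdigit() and int(value) <= 255):
                    raise ValueError("expected TCP, UDP, ICMP or 0-255")
            elif key in ("l4srcport", "l4dstport"):
                if "ipproto" not in match:
                    raise ValueError("requires ipproto")
                m = _PORT_RE.match(value)
                if not m:
                    raise ValueError("expected port[-port][/mask-length]")
                lo, hi, mask = m.groups()
                if hi is not None:  # range form
                    if not role_based:
                        raise ValueError("port range is role-based only")
                    if mask is not None:
                        raise ValueError("port range cannot carry a mask")
                    if int(hi) < int(lo):
                        raise ValueError("range end below range start")
                if max(int(lo), int(hi or 0)) > 65535:
                    raise ValueError("port out of range")
                if mask is not None and int(mask) > 16:
                    raise ValueError("mask length exceeds 16 bits")
            elif key == "ether":
                if not role_based:
                    raise ValueError("ether is role-based only")
            elif key != "any":
                raise ValueError("unknown match keyword")
        except ValueError as exc:
            errs.append(f"{key} {value!r}: {exc}")
    return errs


def validate_rules(rules):
    """Return a list of error strings for one user's rule list ([] means OK)."""
    errs = []
    modes = set()  # 'user' and/or 'role'; both at once is an error
    for i, rule in enumerate(rules):
        try:
            flags = _parse_type(rule.get("type", ""))
        except ValueError as exc:
            errs.append(f"rule {i}: {exc}")
            continue
        if "da" in flags:
            if i != 0:
                errs.append(f"rule {i}: delete-all must be the first entry")
            if flags != {"da"}:
                errs.append(f"rule {i}: delete-all cannot combine with other types")
            if rule.get("match"):
                errs.append(f"rule {i}: delete-all takes no match fields")
            # action and index are ignored on delete-all, so they are not checked
            continue
        if "a" not in flags:
            errs.append(f"rule {i}: 'r'/'c' need a preceding add operation (a,r or a,rc)")
        if "c" in flags and "r" not in flags:
            errs.append(f"rule {i}: create ('c') is only valid with role-based ('r')")
        role_based = "r" in flags
        modes.add("role" if role_based else "user")
        if role_based and not rule.get("role"):
            errs.append(f"rule {i}: role-based rule needs a role/profile name")
        errs.extend(f"rule {i}: {e}"
                    for e in _check_match(rule.get("match", {}), role_based))
    if len(modes) > 1:
        errs.append("user-based and role-based rules cannot be mixed for one user")
    return errs


if __name__ == "__main__":
    # Constructed sample: delete-all, then two role-based rules for one profile.
    sample = [
        {"type": "da"},
        {"type": "a,r", "role": "contractor", "action": "permit", "index": 1,
         "match": {"ipproto": "tcp", "l4dstport": "8000-8080", "ipv4dst": "10.0.0.0/8"}},
        {"type": "a,rc", "role": "contractor", "action": "deny", "index": 2,
         "match": {"any": ""}},
    ]
    print(validate_rules(sample) or "rule list OK")
```

Run it on a candidate rule list before the RADIUS server returns the attribute; an empty result means every constraint the page states is satisfied, and each error string names the rule index and keyword so the offending entry can be fixed at the source rather than diagnosed on the switch.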
Supported Platforms
All ExtremeSwitching Universal platforms.
Limitations
- DNS is not supported on Extended Edge switches with Controlling Bridges on ExtremeSwitching 5420 and 5520 series switches.
- ACL style policy must be selected.
- Only a subset of the existing policy rules is allowed.
- SNMP is not supported.
- Not all rule types can be configured at the same time. For example, L4 port range rules combined with ether rules and with other IP or masked L4 port rules may not install correctly. This is the same limitation that applies to ACL Style Policy.