3Com WX2200 3CRWX220095A Switch User Manual


 
380 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS
Selection of User ACLs
Identity-based ACLs (ACLs mapped to users) take precedence over
location-based ACLs (ACLs mapped to VLANs, ports, virtual ports, or
Distributed MAPs).
ACLs can be mapped to a user in the following ways:
Location policy (inacl or outacl is configured on the location policy)
User group (attr filter-id acl-name.in or attr filter-id acl-name.out is
configured on the user group)
Individual user attribute (attr filter-id acl-name.in or attr filter-id
acl-name.out is configured on the individual user)
SSID default (attr filter-id acl-name.in or attr filter-id acl-name.out
is configured on the SSID’s service profile)
The user’s ACL comes from only one of these sources. The sources are
listed in order from highest precedence to lowest precedence. For
example, if a user associates with an SSID that has a default ACL
configured, but a location policy is also applicable to the user, the ACL
configured on the location policy is used.
Creating and
Committing a
Security ACL
The security ACLs you create can filter packets by source address, IP
protocol, port type, and other characteristics. When you configure an
ACE for a security ACL, MSS stores the ACE in the edit buffer until you
commit the ACL to be saved to the permanent configuration. You must
commit a security ACL before you can apply it to an authenticated user’s
session or map it to a port, VLAN, virtual port, or Distributed MAP. Every
security ACL must have a name.
Setting a Source IP
ACL
You can create an ACE that filters packets based on the source IP address
and optionally applies CoS packet handling. (For CoS details, see “Class
of Service” on page 382.) You can also determine where the ACE is
placed in the security ACL by using the before editbuffer-index or
modify editbuffer-index variables with an index number. You can use the
hits counter to track how many packets the ACL filters.