3Com WX2200 3CRWX220095A Switch User Manual


 
390 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS
Clearing Security ACLs

The clear security acl command removes the ACL from the edit buffer only. To clear a security ACL, enter a specific ACL name, or enter all to delete all security ACLs. To remove the security ACL from the running configuration and nonvolatile storage, you must also use the commit security acl command.

For example, the following command deletes acl-99 from the edit buffer:

WX1200# clear security acl acl-99

To clear acl-99 from the configuration, type the following command:

WX1200# commit security acl acl-99
success: change accepted
Mapping Security ACLs

An ACL does not take effect until you commit it and map it to a user or an interface.

User-based security ACLs are mapped to an IEEE 802.1X authenticated session during the AAA process. You can specify that one of the authorization attributes returned during authentication is a named security ACL. The WX switch maps the named ACL automatically to the user’s authenticated session.

Security ACLs can also be mapped statically to ports, VLANs, virtual ports, or Distributed MAPs. User-based ACLs are processed before these ACLs, because they are more specific and closer to the network edge.
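The edit-buffer, commit and mapping behaviour described in the two sections above is easy to get wrong in practice: an ACL that has been cleared but not committed is still filtering traffic, and an ACL that has been committed but not mapped filters nothing. The following Python model is an added example, not code from the 3Com manual or from the switch's MSS software. It assumes a simplified store in which clear records a pending removal in the edit buffer, commit applies the buffer to the running configuration, and mapping is only allowed for committed ACLs; rule strings and port/user names are constructed for illustration, and the user-before-interface lookup order follows the text.

```python
"""Model of WX security-ACL edit buffer, commit and mapping semantics.

Added example (not the manual's or the switch's own code). Assumptions:
clear = pending removal in the edit buffer, commit = apply the buffer,
mapping requires a committed ACL, user-mapped ACLs are evaluated before
ACLs mapped to the port the session arrives on.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sentinel stored in the edit buffer to mean "deletion pending".
_PENDING_DELETE = None


@dataclass
class WxAclStore:
    # Edit buffer: name -> rules, or None for a pending 'clear'.
    edit_buffer: Dict[str, Optional[List[str]]] = field(default_factory=dict)
    # Running configuration: only committed ACLs live here and filter traffic.
    running: Dict[str, List[str]] = field(default_factory=dict)
    # Static mappings (port/VLAN/virtual port/MAP) and AAA-supplied user maps.
    port_maps: Dict[str, str] = field(default_factory=dict)
    user_maps: Dict[str, str] = field(default_factory=dict)

    def set_acl(self, name: str, rules: List[str]) -> None:
        """'set security acl ...': staged in the edit buffer, not yet active."""
        self.edit_buffer[name] = list(rules)

    def clear_acl(self, name: str) -> None:
        """'clear security acl NAME' or 'clear security acl all'.

        Touches the edit buffer only; the running config is unchanged until
        the change is committed.
        """
        names = list(self.running) if name == "all" else [name]
        for n in names:
            self.edit_buffer[n] = _PENDING_DELETE

    def commit(self, name: str) -> bool:
        """'commit security acl NAME' or 'commit security acl all'.

        Applies staged adds and staged removals to the running config.
        Returns True when there was something to commit.
        """
        names = list(self.edit_buffer) if name == "all" else [name]
        committed = False
        for n in names:
            if n not in self.edit_buffer:
                continue
            rules = self.edit_buffer.pop(n)
            if rules is _PENDING_DELETE:
                self.running.pop(n, None)
                # A removed ACL can no longer be referenced by a mapping.
                self.port_maps = {p: a for p, a in self.port_maps.items() if a != n}
                self.user_maps = {u: a for u, a in self.user_maps.items() if a != n}
            else:
                self.running[n] = rules
            committed = True
        return committed

    def map_to_port(self, port: str, name: str) -> None:
        """Static mapping; assumption: only committed ACLs may be mapped."""
        if name not in self.running:
            raise ValueError(f"{name} is not committed; commit it first")
        self.port_maps[port] = name

    def map_to_user(self, user: str, name: str) -> None:
        """Mapping supplied by AAA (e.g. Filter-Id) for an authenticated user."""
        if name not in self.running:
            raise ValueError(f"{name} is not committed; commit it first")
        self.user_maps[user] = name

    def effective_acls(self, user: Optional[str], port: str) -> List[str]:
        """ACLs applied to a session, in processing order: user-based first,
        then the ACL statically mapped to the port."""
        order: List[str] = []
        if user is not None and user in self.user_maps:
            order.append(self.user_maps[user])
        if port in self.port_maps:
            order.append(self.port_maps[port])
        # Only ACLs present in the running configuration filter anything.
        return [n for n in order if n in self.running]


def demo() -> List[str]:
    """Walk through the clear/commit lifecycle; returns the ACLs that were
    still in effect on port-1 *after* 'clear' but *before* 'commit'."""
    store = WxAclStore()
    store.set_acl("acl-99", ["deny ip 10.0.0.0 0.255.255.255 any"])  # constructed rule
    store.commit("acl-99")
    store.map_to_port("port-1", "acl-99")
    store.clear_acl("acl-99")            # buffer only: still filtering
    still_active = store.effective_acls(None, "port-1")
    store.commit("acl-99")               # now it is really gone
    return still_active


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete is the one the manual states in passing: `clear security acl` on its own is not a change to what the switch enforces. An operator auditing which ACLs are live should look at the committed (running) configuration and its mappings, not at the edit buffer.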
Mapping User-Based Security ACLs

When you configure administrator or user authentication, you can set a Filter-Id authorization attribute at the RADIUS server or at the WX switch’s local database. The Filter-Id attribute is a security ACL name (or two ACL names) with the direction of the packets indicated. The security ACL mapped by Filter-Id instructs the WX switch to use its local definition of the ACL, including the flow direction, to filter packets for the authenticated user.

The Filter-Id attribute is more often received by the WX through an external AAA RADIUS server than applied through the local database.