Filter
Top Products
1284 PowerConnect B-Series FCX Configuration Guide
53-1002266-01
Configuring multi-device port authentication
36
The dynamic IP ACL is active as long as the client is connected to the network. When the client
disconnects from the network, the IP ACL is no longer applied to the port. If an IP ACL had been
applied to the port prior to multi-device port authentication; it will be re-applied to the port.
NOTE
A dynamic IP ACL will take precedence over an IP ACL that is bound to a port (port ACL). When a client
authenticates with a dynamic IP ACL, the port ACL will not be applied. Also, future clients on the
same port will authenticate with a dynamic IP ACL or no IP ACL. If no clients on the port use dynamic
ACL, then the port ACL will be applied to all traffic.
The Dell PowerConnect device uses information in the Filter ID to apply an IP ACL on a per-user
basis. The Filter-ID attribute can specify the number of an existing IP ACL configured on the Dell
PowerConnect device. If the Filter-ID is an ACL number, the specified IP ACL is applied on a per-user
basis.
Multi-device port authentication with dynamic IP ACLs and
ACL-per-port-per-VLAN
The following features are supported:
• Multi-device port authentication and dynamic ACLs are supported on tagged, dual-mode, and
untagged ports, with or without virtual Interfaces.
Support is automatically enabled when all of the required conditions are met.
The following describes the conditions and feature limitations:
• On Layer 3 router code, dynamic IP ACLs are allowed on physical ports when
ACL-per-port-per-vlan is enabled.
• On Layer 3 router code, dynamic IP ACLs are allowed on tagged and dual-mode ports when
ACL-per-port-per-vlan is enabled. If ACL-per-port-per-vlan is not enabled, dynamic IP ACLs are
not allowed on tagged or dual-mode ports.
• Dynamic IP ACLs can be added to tagged/untagged ports in a VLAN with or without a VE, as
long as the tagged/untagged ports do not have configured ACLs assigned to them. The
following shows some example scenarios where dynamic IP ACLs would not apply:
• A port is a tagged/untagged member of VLAN 20, VLAN 20 includes VE 20, and an ACL is
bound to VE 20.
• A port is a tagged/untagged member of VLAN 20, VLAN 20 includes VE 20, and a
per-port-per-vlan ACL is bound to VE 20 and to a subset of ports in VE 20
In the above scenarios, dynamic IP ACL assignment would not apply in either instance,
because a configured ACL is bound to VE 20 on the port. Consequently, the MAC session
would fail.
Configuration considerations and guidelines
• Dynamic IP ACLs with multi-device port authentication are supported. Dynamic MAC address
filters with multi-device port authentication are not supported.
• In the Layer 2 switch code, dynamic IP ACLs are not supported when ACL-per-port-per-vlan is
enabled on a global-basis.
• The RADIUS Filter ID (type 11) attribute is supported. The Vendor-Specific (type 26) attribute is
not supported.