Filter
Top Products
51
Enhancements
Release M.10.02 Enhancements
Example. Suppose the ACL in Figure 3 is assigned to filter the traffic from an authenticated client
on a given port in the switch:
Figure 3. Example of Sequential Comparison
As shown above, the ACL tries to apply the first ACE in the list. If there is not a match, it tries the
second ACE, and so on. When a match is found, the ACL invokes the configured action for that entry
(permit or drop the packet) and no further comparisons of the packet are made with the remaining
ACEs in the list. This means that when an ACE whose criteria matches a packet is found, the action
configured for that ACE is invoked, and any remaining ACEs in the ACL are ignored. Because of this
sequential processing, successfully implementing an ACL depends in part on configuring ACEs
in the correct order for the overall policy you want the ACL to enforce.
Note
Because only one ACL is allowed on a port, if a statically configured ACL already exists on a port, a
RADIUS-based ACL cannot be assigned to that port. In this case, if a client authenticates and the
RADIUS server is configured to assign a dynamic ACL to the port for that client, the client will then
be de-authenticated.
For an inbound packet with a destination
IP address of 18.28.156.3, the ACL:
1. Compares the packet to this ACE first.
2. Since there is not a match with the first
ACE, the ACL compares the packet to the
second ACE, where there is also not a
match.
3. The ACL compares the packet to the third
ACE. There is an exact match, so the ACL
denies (drops) the packet.
4. The packet is not compared to the fourth
ACE.
Permit in ip from any to 18.28.136.24
Permit in ip from any to 18.28.156.7
Deny in ip from any to 18.28.156.3
Deny in tcp from any to any 23
Permit in ip from any to any
(Deny in ip from any to any)
This line demonstrates the “deny any any” ACE implicit in every
RADIUS-based ACL. Any inbound ip traffic from the authenticated
client that does not have a match with any of the five explicit ACEs
in this ACL will be denied by the implicit “deny any any”.