3com WX1200 3CRWX120695A Manuel D’Utilisation
380
C
HAPTER
19: C
ONFIGURING
AND
M
ANAGING
S
ECURITY
ACL
S
Selection of User ACLs
Identity-based ACLs (ACLs mapped to users) take precedence over
location-based ACLs (ACLs mapped to VLANs, ports, virtual ports, or
Distributed MAPs).
location-based ACLs (ACLs mapped to VLANs, ports, virtual ports, or
Distributed MAPs).
ACLs can be mapped to a user in the following ways:
Location policy (inacl or outacl is configured on the location policy)
User group (attr filter-id acl-name.in or attr filter-id acl-name.out is
configured on the user group)
configured on the user group)
Individual user attribute (attr filter-id acl-name.in or attr filter-id
acl-name.out is configured on the individual user)
acl-name.out is configured on the individual user)
SSID default (attr filter-id acl-name.in or attr filter-id acl-name.out
is configured on the SSID’s service profile)
is configured on the SSID’s service profile)
The user’s ACL comes from only one of these sources. The sources are
listed in order from highest precedence to lowest precedence. For
example, if a user associates with an SSID that has a default ACL
configured, but a location policy is also applicable to the user, the ACL
configured on the location policy is used.
listed in order from highest precedence to lowest precedence. For
example, if a user associates with an SSID that has a default ACL
configured, but a location policy is also applicable to the user, the ACL
configured on the location policy is used.
Creating and
Committing a
Security ACL
Committing a
Security ACL
The security ACLs you create can filter packets by source address, IP
protocol, port type, and other characteristics. When you configure an
ACE for a security ACL, MSS stores the ACE in the edit buffer until you
commit the ACL to be saved to the permanent configuration. You must
commit a security ACL before you can apply it to an authenticated user’s
session or map it to a port, VLAN, virtual port, or Distributed MAP. Every
security ACL must have a name.
protocol, port type, and other characteristics. When you configure an
ACE for a security ACL, MSS stores the ACE in the edit buffer until you
commit the ACL to be saved to the permanent configuration. You must
commit a security ACL before you can apply it to an authenticated user’s
session or map it to a port, VLAN, virtual port, or Distributed MAP. Every
security ACL must have a name.
Setting a Source IP
ACL
You can create an ACE that filters packets based on the source IP address
and optionally applies CoS packet handling. (For CoS details, see “Class
of Service” on page 382.) You can also determine where the ACE is
placed in the security ACL by using the before editbuffer-index or
modify editbuffer-index variables with an index number. You can use the
hits counter to track how many packets the ACL filters.
and optionally applies CoS packet handling. (For CoS details, see “Class
of Service” on page 382.) You can also determine where the ACE is
placed in the security ACL by using the before editbuffer-index or
modify editbuffer-index variables with an index number. You can use the
hits counter to track how many packets the ACL filters.