Comware Based
cancel
Showing results for 
Search instead for 
Did you mean: 

Can 3Com 4500 ACL + port-security work together?

 
machiAWS
Occasional Contributor

Can 3Com 4500 ACL + port-security work together?

Hi,

 

Is it possible that 3Com 4500 ACL + port-security working together.

 

I want to using ACL to control with IP can be access the port and port-security is using for limit the max number of MAC when can across to the port.  Disable the port otherwise.

 

Individual is work either port-security or ACL.  However, when done a test which is like the following confining

 

Problem:

- The IP address when did not listed in ACL can be across the port

 

see any advise from here.  Thanks!

 

#
 port-security enable                
 port-security timer disableport 30   

 

#

acl number 3001
 rule 0 deny IP                              
 rule 1 permit IP source 192.168.40 0    
 rule 2 permit IP source 192.168.41 0     

 rule 3 permit IP source 192.168.43 0  
#

 

 

interface Ethernet1/0/19
 port-security max-mac-count 3                
 port-security port-mode autolearn           
 port-security intrusion-mode disableport-temporarily       
 mac-address security 0d0c-29gd-01fc vlan 1           
 mac-address security 0d0c-29c3-2845 vlan 1
 mac-address security 7ccc-cb4e-59f4 vlan 1
 packet-filter inbound ip-group 3001 rule 0     
 packet-filter inbound ip-group 3001 rule 1     
 packet-filter inbound ip-group 3001 rule 2     
 packet-filter inbound ip-group 3001 rule 3    
#

 

P.S. This thread has been moved from Switches, Hubs, Modems (Legacy ITRC forum) to Comware-Based. -HP Forum Moderator

 

1 REPLY
Graham Hurst
Advisor

Re: Can 3Com 4500 ACL + port-security work together?

This is not a feature that is supported by the 4500 series switches, but is by the 5500 series. To apply dynamic ACLs, you need to define qos-profiles (that in turn reference packet-filters), ensure no qos-profiles or packet-filters are statically set on the port and use the Filter-Id RADIUS AVP to return the desired qos-profile's name in the Access-Accept.

 

Sorry!