The remote-download acl enable command enables the RADIUS server to create dynamic ACLs.
The undo remote-download acl enable command disables the RADIUS server from creating dynamic ACLs.
By default, the RADIUS server is disabled from creating dynamic ACLs.
This command is supported only on the NetEngine 8000 F1A.
Usage Scenario
If a carrier wants to change the access rights of a user group, or of Layer 3 or L2VPN leased line users, by using dynamic UCLs (user ACLs) delivered by the RADIUS server rather than by configuring commands on the device, run the remote-download acl enable command.
The RADIUS server uses the HW-Data-Filter attribute to deliver classifier-behavior pairs. The delivered traffic classifier includes the classifier name, behavior name, and rule. The delivered traffic behavior includes the behavior name and actions.
Implementation Procedure
This command takes effect for subsequent login users and for CoA operations of online users.
After the remote-download acl enable command is run, if the RADIUS server delivers the HW-Data-Filter attribute in Access-Accept packets or CoA Request packets, dynamic ACLs are created, changed, or deleted. If the undo remote-download acl enable command is run, the dynamic ACLs that have already been created are not affected, but the device does not process the HW-Data-Filter attribute in subsequent RADIUS packets. After all users using the same classifier-behavior pair of a dynamic ACL have logged out, that classifier-behavior pair is deleted.
Configuration Impact
Before this command is run, the device does not process the HW-Data-Filter attribute in RADIUS Access-Accept packets or CoA Request packets. After this command is run, if the RADIUS server delivers the HW-Data-Filter attribute in RADIUS Access-Accept packets or CoA Request packets, dynamic ACLs are created, changed, or deleted.
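The following added example (not part of the original documentation or of any vendor tool) is an audit helper that parses a captured RADIUS packet and reports whether it carries HW-Data-Filter in one of the two packet types described above, and so whether it would change dynamic ACLs once the command is enabled. Assumptions not taken from this page: Huawei enterprise number 2011 and vendor sub-attribute 82 for HW-Data-Filter, as listed in public RADIUS dictionaries; the attribute value is treated as opaque bytes, and the sample packet is constructed.

```python
import struct

# Assumed, not on the page: Huawei enterprise number 2011 and sub-attribute
# 82 for HW-Data-Filter, as listed in public RADIUS dictionaries.
HUAWEI, HW_DATA_FILTER, VENDOR_SPECIFIC = 2011, 82, 26
# RADIUS codes of the two packet types the page says are processed.
PROCESSED = {2: "Access-Accept", 43: "CoA-Request"}

def tlvs(buf):
    """Yield (type, value) pairs from a run of type/length/value attributes."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2 or not 2 <= buf[pos + 1] <= len(buf) - pos:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def data_filters(packet):
    """Return (packet type name or None, HW-Data-Filter values found)."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    found = []
    for atype, value in tlvs(packet[20:length]):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != HUAWEI:
            continue
        found += [v for t, v in tlvs(value[4:]) if t == HW_DATA_FILTER]
    return PROCESSED.get(code), found

def would_change_acl(packet, remote_download_enabled):
    """True if, per the page, the device would act on this packet."""
    name, filters = data_filters(packet)
    return remote_download_enabled and name is not None and bool(filters)

def sample(code, filter_value=None):
    """Constructed packet: zeroed authenticator, placeholder filter value."""
    attrs = b""
    if filter_value is not None:
        vsa = struct.pack("!I", HUAWEI) + bytes(
            [HW_DATA_FILTER, 2 + len(filter_value)]) + filter_value
        attrs = bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(data_filters(sample(43, b"constructed-placeholder")))
```

The helper does not validate RADIUS authenticators; it only classifies packets by type and attribute content.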
Precautions
In VS mode, this command is supported only by the admin VS.