Policy enforcement engine
- Resource usage by dynamic port ACLs and VT is determined as follows:
  - Dynamic port ACLs configured by a RADIUS server for an authenticated client determine the current resource consumption for this feature on a specified slot. When a client session ends, the resources in use for that client become available for other uses.
  - A VT configuration (connection-rate filtering) on the switch does not affect switch resources unless traffic behavior has triggered either a throttling or blocking action on the traffic from one or more clients. When the throttling action ceases or a blocked client is unblocked, the resources used for that action are released.
- When the following features are configured globally or per-VLAN, resource usage is applied across all port groups or all slots with installed modules:
  - ACLs
  - QoS configurations that use the following commands:
    - QoS device priority (IP address) through the CLI using the qos device-priority command
    - QoS application port through the CLI using qos tcp-port or qos udp-port
    - VLAN QoS policies through the CLI using service-policy
  - Management VLAN configuration
  - DHCP snooping
  - Dynamic ARP protection
  - Remote mirroring endpoint configuration
  - Mirror policies per VLAN through the CLI using monitor service
  - Jumbo IP-MTU
- When the following features are configured per-port, resource usage is applied only to the slot or port group on which the feature is configured:
  - ACLs or QoS applied per-port or per-user through RADIUS authentication
  - ACLs applied per-port through the CLI using the ip access-group or ipv6 traffic-filter commands
  - QoS policies applied per port through the CLI using the service-policy command
  - Mirror policies applied per-port through the CLI using the monitor all service and service-policy commands
  - ICMP rate-limiting through the CLI using the rate-limit icmp command
  - VT applied to any port (when a high-connection-rate client is being throttled or blocked)