Policy enforcement engine

The policy enforcement engine is the hardware element in the switch that enforces QoS, mirroring, and ACL policies, as well as other software features, using the rules that you configure. Because its rule capacity is finite, how these features are configured determines how much of it each slot or port group consumes:

  • Dynamic port ACLs, pushed by a RADIUS server for an authenticated client, consume resources only on the slot that holds the client's port, for the life of that client session. When the session ends, the resources held for that client are released for other uses.

  • When the following features are configured globally or per-VLAN, resource usage is applied across all port groups or all slots with installed modules:
    • ACLs

    • QoS configurations that use the following commands:
      • QoS device priority (IP address) through the CLI using the qos device-priority command

      • QoS application port through the CLI using qos tcp-port or qos udp-port

      • VLAN QoS policies through the CLI using service-policy

    • Management VLAN configuration

    • DHCP snooping

    • Dynamic ARP protection

    • Remote mirroring endpoint configuration

    • Mirror policies per VLAN through the CLI using monitor service

    • Jumbo IP-MTU

  • When the following features are configured per-port, resource usage is applied only to the slot or port group on which the feature is configured:
    • ACLs or QoS applied per-port or per-user through RADIUS authentication

    • ACLs applied per-port through the CLI using the ip access-group or ipv6 traffic-filter commands

    • QoS policies applied per port through the CLI using the service-policy command

    • Mirror policies applied per-port through the CLI using the monitor all service and service-policy commands

    • ICMP rate-limiting through the CLI using the rate-limit icmp command
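The practical consequence of the global-versus-per-port split above is that the same filter costs different amounts of policy-engine capacity depending on where it is attached. The fragment below is an added illustration, not configuration from this page or from the vendor's documentation: it shows the same ACL applied once per VLAN (charged on every slot carrying that VLAN) and once on a single port (charged only on that port's slot), plus a per-port ICMP rate limit. The ACL name, VLAN ID, port name and the exact command syntax (ArubaOS-Switch/ProVision style) are assumptions; verify the syntax against your switch's command reference before use.

```text
! Constructed example (not from the page): one ACL, two attachment scopes.
ip access-list extended "block-telnet"
   10 deny tcp any any eq 23
   20 permit ip any any
   exit

! Per-VLAN attachment: resource usage is applied on every slot
! (or port group) that has an installed module, not just the
! slots where VLAN 10 members actually live.
vlan 10
   ip access-group "block-telnet" vlan
   exit

! Per-port attachment: the same rules are charged only against
! the slot / port group that contains port A1.
interface A1
   ip access-group "block-telnet" in
   rate-limit icmp 5
   exit
```

When engine capacity is tight, prefer the per-port form for filters that only matter on a handful of ports, and reserve per-VLAN or global attachment for policies that genuinely need to apply everywhere; each RADIUS-pushed dynamic port ACL adds to the per-slot total while the client session lasts and is freed when it ends.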