Access Security Guide K/KA/KB.15.15

Rate-limit assignment method / Rate-limit actions and restrictions (table continued)

Rate-limit assignment method: VSA 46 (row continued from the previous page)
Rate-limit actions and restrictions: up to the port's physical capacity, unless the available bandwidth on the port has been reduced by a CLI-assigned per-port bandwidth limit.

Rate-limit assignment method: CLI egress rate-limit per-port (rate-limit all out), Outbound
Rate-limit actions and restrictions: Determines the maximum egress bandwidth available on the port, unless there is also a RADIUS-assigned per-port rate limit on the port.

Rate-limit assignment method: RADIUS egress rate-limit per client (VSA 48)
Rate-limit actions and restrictions: The most recent client to authenticate determines the maximum egress bandwidth on the port for all outbound traffic, regardless of any CLI-assigned per-port outbound rate-limit.
For example, suppose the CLI is used to configure a gigabit port to have an ingress rate limit of 500,000 Kbps (50% of available bandwidth), and the port is receiving 450,000 Kbps of traffic from existing clients. If a RADIUS server then authenticates a new client with an ingress rate-limit of 100,000 Kbps, the maximum ingress rate limit actually available for the new client is 50,000 Kbps as long as the bandwidth usage by the other clients already on the port remains at 450,000 Kbps.
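As an added example (not code from this guide or from HP), the following Python encodes and decodes the RFC 2865 Vendor-Specific attribute that carries the guide's VSA 46 and VSA 48 values, and applies the ingress and egress rules above to the figures in the paragraph. The HP vendor ID 11 and the attribute names HP-Bandwidth-Max-Ingress/Egress are taken from the FreeRADIUS dictionary.hp, not from this page, and the function names are the example's own.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that carries vendor VSAs
HP_VENDOR_ID = 11            # IANA enterprise number for HP (assumption: not stated on this page)
VSA_MAX_INGRESS = 46         # HP-Bandwidth-Max-Ingress, value in Kbps (the guide's VSA 46)
VSA_MAX_EGRESS = 48          # HP-Bandwidth-Max-Egress, value in Kbps (the guide's VSA 48)

def encode_hp_vsa(vendor_type, kbps):
    """Build one Vendor-Specific attribute: Type | Length | Vendor-Id | Vendor-Type | Vendor-Length | value."""
    value = struct.pack("!I", kbps)
    vendor_data = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(vendor_data), HP_VENDOR_ID) + vendor_data

def decode_hp_rate_limits(attrs):
    """Walk a RADIUS attribute list; return {46: kbps, 48: kbps} for HP rate-limit VSAs, skipping all else."""
    limits, i = {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length at offset %d" % i)
        body = attrs[i + 2:i + alen]
        if atype == RADIUS_VENDOR_SPECIFIC and len(body) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", body[:6])
            # Only a 4-byte integer payload is a valid bandwidth VSA; reject anything else.
            if vendor_id == HP_VENDOR_ID and vtype in (VSA_MAX_INGRESS, VSA_MAX_EGRESS):
                if vlen != 6 or len(body) < 10:
                    raise ValueError("bad HP VSA %d length" % vtype)
                limits[vtype] = struct.unpack("!I", body[6:10])[0]
        i += alen
    return limits

def effective_ingress_kbps(radius_limit, cli_port_limit, in_use_kbps, port_capacity):
    """Ingress rule from the guide: the per-client VSA 46 cap is further bounded by the free
    bandwidth under the CLI per-port limit (or the physical port if no CLI limit is set)."""
    port_cap = port_capacity if cli_port_limit is None else cli_port_limit
    headroom = max(port_cap - in_use_kbps, 0)
    return min(radius_limit, headroom)

def effective_egress_kbps(latest_client_limit, cli_port_limit, port_capacity):
    """Egress rule from the guide: the most recently authenticated client's VSA 48 sets the port's
    outbound cap regardless of the CLI per-port limit; otherwise the CLI limit (or the port) applies."""
    if latest_client_limit is not None:
        return latest_client_limit
    return port_capacity if cli_port_limit is None else cli_port_limit

if __name__ == "__main__":
    # Constructed Access-Accept attributes: User-Name "alice" plus HP VSA 46 = 100,000 Kbps;
    # port figures are the guide's (gigabit port, CLI ingress 500,000 Kbps, 450,000 Kbps in use).
    accept = b"\x01\x07alice" + encode_hp_vsa(VSA_MAX_INGRESS, 100_000)
    print(effective_ingress_kbps(decode_hp_rate_limits(accept)[VSA_MAX_INGRESS], 500_000, 450_000, 1_000_000))  # 50000
```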
For more on static rate-limiting, see "Rate-Limiting" in the "Port Traffic Controls" chapter of the Management and Configuration Guide for your switch.
Configuring and using dynamic (RADIUS-assigned) access control lists
A RADIUS-assigned ACL is configured on a RADIUS server and dynamically assigned by the server
to filter IP traffic from a specific client after the client is authenticated by the server.
The information in this section describes how to apply RADIUS-assigned ACLs on the switch, and
assumes a general understanding of ACL structure and operation. If you need information on ACL
filtering criteria, design, and operation, see the following:
- "IPv4 Access Control Lists (ACLs)" (page 259)
- "IPv6 Access Control Lists (ACLs)" in the latest IPv6 Configuration Guide for your switch.
Overview of RADIUS-assigned, dynamic ACLs
RADIUS-assigned ACLs enhance network and switch management access security and traffic control
by permitting or denying authenticated client access to specific network resources and to the switch
management interface. This includes preventing clients from using TCP or UDP applications, ICMP
packet types, and IGMP (IPv4 only) if you do not want their access privileges to include these
capabilities.
Traffic applications
Beginning with software release K.14.01, the switch supports RADIUS-assigned ACLs for the
following traffic applications:
- Inbound IPv4 traffic only
- Inbound IPv4 and IPv6 traffic
This feature is designed for use on the network edge to accept RADIUS-assigned ACLs for Layer-3
filtering of IP traffic entering the switch from authenticated clients. A given RADIUS-assigned ACL
is identified by a unique username/password pair or client MAC address, and applies only to IP
traffic entering the switch from clients that authenticate with the required, unique credentials. The
switch allows multiple RADIUS-assigned ACLs on a given port, up to the maximum number of
authenticated clients allowed on the port. Also, a RADIUS-assigned ACL for a given client's traffic
can be assigned regardless of whether other ACLs assigned to the same port are statically configured
on the switch.
214 RADIUS server support for switch services