Access Security Guide K/KA/KB.15.15

3. MAC lockdown
4. Port security
5. Authorized IP Managers
6. Application features at higher levels in the OSI model, such as SSH.
The above list does not address the mutually exclusive relationship that exists among some security
features.
Precedence of Client-based authentication: Dynamic Configuration Arbiter
Starting in software release K.13.xx, the Dynamic Configuration Arbiter (DCA) is implemented to
determine the client-specific parameters that are assigned in an authentication session.
A client-specific authentication configuration is bound to the MAC address of a client device and
may include the following parameters:
Untagged client VLAN ID
Tagged VLAN IDs
Per-port CoS (802.1p) priority
Per-port rate-limiting on inbound traffic
Client-based ACLs
DCA allows client-specific parameters configured in any of the following ways to be applied and
removed as needed according to a fixed hierarchy of precedence. When multiple values exist for an
individual configuration parameter, the value applied to a client session is determined in the
following order (from highest to lowest priority); a value configured with a higher priority
overrides a value configured with a lower priority:
1. Attribute profiles applied through the Network Immunity network-management application
using SNMP, see “HP E-Network Immunity Manager” (page 438)
2. 802.1X authentication parameters (RADIUS-assigned)
3. Web- or MAC-authentication parameters (RADIUS-assigned)
4. Local, statically-configured parameters
Although RADIUS-assigned settings are never applied to ports for non-authenticated clients, the
DCA allows configuring and assigning client-specific port configurations to non-authenticated
clients, provided that the client's MAC address is present in the switch's forwarding database.
DCA arbitrates the assignment of attributes on both authenticated and non-authenticated ports.
DCA does not support the arbitration and assignment of client-specific attributes on trunk ports.
HP E-Network Immunity Manager
HP E-Network Immunity Manager (NIM) is a plug-in to HP PCM+ and a key component of the HP
E-Network Immunity security solution that provides comprehensive detection and per-port response
to malicious traffic at the HP network edge. NIM allows you to apply policy-based actions to
minimize the negative impact of a client's behavior on the network. For example, using NIM you
can apply a client-specific profile that adds or modifies per-port rate-limiting and VLAN ID
assignments.
NOTE: NIM actions only support the configuration of per-port rate-limiting and VLAN ID
assignment; NIM does not support CoS (802.1p) priority assignment and ACL configuration.
NIM-applied parameters temporarily override RADIUS-configured and locally configured parameters
in an authentication session. When the NIM-applied action is removed, the previously applied
client-specific parameter (locally configured or RADIUS-assigned) is re-applied unless there have
been other configuration changes to the parameter. In this way, NIM allows you to minimize
network problems without manual intervention.
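The precedence rules above and the NIM override/revert behavior, modeled as an added example (this is illustrative code, not HP's implementation). Source names (nim, dot1x, webmac, local), parameter names and the sample MAC are assumptions; "VLAN ID assignment" is read as covering both the untagged and tagged VLAN parameters.

```python
PRECEDENCE = ("nim", "dot1x", "webmac", "local")   # highest priority first
RADIUS_SOURCES = {"dot1x", "webmac"}               # RADIUS-assigned, auth-only
NIM_SUPPORTED = {"untagged_vlan", "tagged_vlans", "rate_limit_in"}  # not CoS/ACL


class DynamicConfigArbiter:
    def __init__(self):
        self._cfg = {}              # mac -> source -> {param: value}
        self.authenticated = set()  # MACs with an active 802.1X/Web/MAC session
        self.trunk_ports = set()    # MACs learned on trunk ports: not arbitrated

    def apply(self, mac, source, param, value):
        assert source in PRECEDENCE, source
        if source == "nim" and param not in NIM_SUPPORTED:
            raise ValueError("NIM cannot assign %r" % param)
        self._cfg.setdefault(mac, {}).setdefault(source, {})[param] = value

    def remove(self, mac, source, param):
        # Dropping a higher-priority value lets the next source win again, so the
        # value re-applied is whatever that source holds *now*, not a saved copy.
        self._cfg.get(mac, {}).get(source, {}).pop(param, None)

    def effective(self, mac, param):
        if mac in self.trunk_ports:
            return None
        for source in PRECEDENCE:
            if source in RADIUS_SOURCES and mac not in self.authenticated:
                continue  # RADIUS values never reach non-authenticated clients
            value = self._cfg.get(mac, {}).get(source, {}).get(param)
            if value is not None:
                return value
        return None


def walkthrough():
    """Untagged VLAN seen by one client as configuration sources come and go."""
    mac, vlan = "00:11:22:33:44:55", "untagged_vlan"   # constructed sample values
    dca = DynamicConfigArbiter()
    dca.apply(mac, "local", vlan, 10)
    seen = [dca.effective(mac, vlan)]          # 10: only local config exists
    dca.apply(mac, "dot1x", vlan, 20)
    seen.append(dca.effective(mac, vlan))      # still 10: client not authenticated
    dca.authenticated.add(mac)
    seen.append(dca.effective(mac, vlan))      # 20: RADIUS beats local
    dca.apply(mac, "nim", vlan, 999)
    seen.append(dca.effective(mac, vlan))      # 999: NIM action overrides everything
    dca.apply(mac, "dot1x", vlan, 30)          # RADIUS value changes while NIM holds
    dca.remove(mac, "nim", vlan)
    seen.append(dca.effective(mac, vlan))      # 30: current value re-applied, not 20
    return seen
```

The last step shows the "unless there have been other configuration changes" clause: after the NIM action is removed, the client lands in the RADIUS VLAN as currently configured, not the one it had before the override.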
438 Traffic/Security Features and Monitors