Configuring Access Guardian Configuring Port-Based Network Access Control
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 28-46
• If the initial MAC authentication passes (Access-Accept), 802.1X authentication is bypassed for this
user and all EAP frames are ignored.
• If the initial MAC authentication fails (Access-Reject), 802.1X authentication is attempted for the user.
During this transition, the EAP frames are allowed and the switch must force the supplicant to restart a
fresh EAP session by sending a multicast Request Identity EAPOL on the port. This is because the
supplicant may have already sent an EAPOL Start.
Configuring UNP Port Bandwidth
The following two methods are available to configure and apply port bandwidth parameter values to UNP
ports that are assigned to a profile:
• QoS policy list rules. A QoS policy list assigned to a UNP profile applies policy rules to all traffic that
is classified into that profile. For example, the following commands create a QoS policy list with rules
to apply rate limiting parameters to all device ports assigned to the “UNP-1” profile:
-> policy condition ip_traffic2 source ip 10.10.5.3
-> policy action flowShape maximum bandwidth 10m
-> policy action burst maximum depth 1m
-> policy rule rule2 condition traffic2 action flowShape action burst
-> policy list rate-limit type unp
-> policy list rate-limit rules rule2
-> unp profile UNP-1
-> unp profile UNP-1 qos-policy-list rate-limit
-> unp profile UNP-1 map vlan 50
See “Configuring QoS Policy Lists” on page 28-61 for more information.
• Profile bandwidth parameters. Configurable bandwidth parameter values associated with a UNP
profile are applied to traffic that is classified into the profile. For example, the following commands
define profile bandwidth parameters to rate limit traffic on all device ports assigned to the “UNP-1”
profile.
-> unp profile UNP-1 maximum-ingress-bandwidth 10M
-> unp profile UNP-1 maximum-egress-bandwidth 10M
-> unp profile unp-1 maximum-ingress-depth 1
-> unp profile unp-1 maximum-egress-depth 1
See “Configuring UNP Profiles” on page 28-51 for more information.
Consider the following guidelines when configuring UNP port bandwidth:
• The maximum ingress and egress bandwidth values are configured in Kbps or Mbps.
• The maximum ingress and egress depth values are configured in Kbps.
• The default value for the maximum ingress and egress depth settings is calculated by dividing the
maximum ingress or egress bandwidth value by 25. For example, if the ingress bandwidth value is set
to 500K, then the ingress depth value defaults to 20K (500K/25=20K). However, if this calculation
results in a value of 0 or 1, then the default value is set to 2K.
• “Per user" bandwidth profiling is not supported. If multiple user devices are classified into different
profiles but learned on the same UNP port, the bandwidth parameter values obtained for the last user
learned are applied on the port. Parameter values applied through previously learned users are
overwritten.
• Runtime modification of UNP ingress or egress bandwidth is allowed; the modified values are then
applied to both new and already authenticated user devices learned on the profile. The new runtime
To Next Page
Loading...
