Port-based Network Access and traffic control 42
EAPoL configuration guidelines
When configuring EAPoL, consider the following guidelines:
• The 802.1x port-based authentication is currently supported only in point-to-point configurations, that is, with a
single supplicant connected to an 802.1x-enabled switch port.
• When 802.1x is enabled, a port has to be in the authorized state before any other Layer 2 feature can be
operationally enabled. For example, the STG state of a port is operationally disabled while the port is in the
unauthorized state.
• The 802.1x supplicant capability is not supported. Therefore, none of the GbE2c ports can connect successfully to an
802.1x-enabled port of another device, such as another switch, which acts as an authenticator, unless access
control on the remote port is disabled or is configured in force-authorized mode. For example, if a GbE2c is
connected to another GbE2c, and if 802.1x is enabled on both switches, the two connected ports must be
configured in force-authorized mode.
• The 802.1x standard has optional provisions for supporting dynamic virtual LAN assignment via RADIUS
tunneling attributes, for example, Tunnel-Type (=VLAN), Tunnel-Medium-Type (=802), and
Tunnel-Private-Group-ID (=VLAN id). These attributes are not supported and might affect 802.1x operations.
Other unsupported attributes include Service-Type, Session-Timeout, and Termination-Action.
• RADIUS accounting service for 802.1x-authenticated devices or users is not supported.
• Configuration changes performed using SNMP and the standard 802.1x MIB take effect immediately.
Port-based traffic control
Port-based traffic control prevents GbE2c ports from being disrupted by LAN storms. A LAN storm occurs when data
packets flood the LAN, which can cause the network to become congested and slow down. Errors in the
protocol-stack implementation or in the network configuration can cause a LAN storm.
You can enable port-based traffic control separately for each of the following traffic types:
• Broadcast—packets with destination MAC address ff:ff:ff:ff:ff:ff
• Multicast—packets that have MAC addresses with the least significant bit of their first octet set to one
• Destination Lookup Failed (DLF)—packets with an unknown destination MAC address, which are treated like
broadcast packets
With Port-based Traffic Control enabled, the port monitors incoming traffic of each type noted above. If the traffic
exceeds a configured threshold, the port blocks traffic that exceeds the threshold until the traffic flow falls back within
the threshold.
The GbE2c supports separate traffic-control thresholds for broadcast, multicast, and DLF traffic. The traffic threshold is
measured in number of frames per second.
NOTE: All ports that belong to a trunk must have the same traffic-control settings.
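The classification and thresholding described above can be modelled as follows. This Python sketch is an added example, not HP code or GbE2c firmware: it sorts frames into the three traffic types by destination MAC and applies a separate frames-per-second threshold to each. The fixed one-second counting window, the function and class names, and the sample MAC addresses are assumptions made for illustration.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

def classify(dst_mac, known_macs):
    """Return 'broadcast', 'multicast', 'dlf' or 'unicast' for a destination MAC."""
    dst = dst_mac.lower()
    if dst == BROADCAST:          # checked first: ff:... also has the multicast bit set
        return "broadcast"
    if int(dst.split(":")[0], 16) & 1:   # least significant bit of first octet is 1
        return "multicast"
    if dst not in known_macs:     # unicast address missing from the forwarding table
        return "dlf"
    return "unicast"

class PortTrafficControl:
    """One port with separate frames-per-second thresholds per traffic type."""
    def __init__(self, thresholds):
        # A type absent from thresholds is not limited (threshold disabled).
        self.thresholds = thresholds
        self.counts = defaultdict(int)    # (second, type) -> frames seen

    def admit(self, timestamp, dst_mac, known_macs):
        """Return True if the frame is forwarded, False if it is blocked."""
        kind = classify(dst_mac, known_macs)
        limit = self.thresholds.get(kind)
        if limit is None:
            return True
        # Assumption: fixed one-second windows (the page does not specify the method).
        key = (int(timestamp), kind)
        self.counts[key] += 1
        return self.counts[key] <= limit

def simulate(frames, thresholds, known_macs):
    """frames: (timestamp_seconds, dst_mac) pairs. Returns blocked frames per type."""
    port, blocked = PortTrafficControl(thresholds), defaultdict(int)
    for ts, dst in frames:
        if not port.admit(ts, dst, known_macs):
            blocked[classify(dst, known_macs)] += 1
    return dict(blocked)

# Constructed sample data (not captured traffic).
KNOWN = {"00:11:22:33:44:55"}
FRAMES = ([(0.1 * i, BROADCAST) for i in range(8)]              # 8 broadcasts in second 0
          + [(1.5, BROADCAST)]                                  # 1 broadcast in second 1
          + [(0.2 * i, "01:00:5e:00:00:fb") for i in range(4)]  # 4 multicasts in second 0
          + [(0.3, "00:aa:bb:cc:dd:ee"), (0.4, "00:11:22:33:44:55")])  # DLF, known unicast
if __name__ == "__main__":
    print(simulate(FRAMES, {"broadcast": 5, "multicast": 3, "dlf": 1}, KNOWN))
```

Leaving a traffic type out of the thresholds dictionary models a disabled threshold, so that type is never blocked.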
Configuring port-based traffic control
To configure a port for traffic control, perform the following steps:
1. Configure the traffic-control threshold and enable traffic control.
Main# /cfg/port 2
>> Port 2# brate 150000 (Set broadcast threshold)
>> Port 2# mrate 150000 (Set multicast threshold)
>> Port 2# drate 150000 (Set DLF threshold)
2. To disable a traffic-control threshold, use the following command:
>> Port 2# mrate dis (Disable multicast threshold)
3. Apply and save the configuration.
>> Port 2# apply (Apply the port configurations)
>> Port 2# save (Save the port configurations)