Policy enforcement engine

Cause
The policy enforcement engine is the hardware element in the switch that manages QoS, mirroring, and ACL policies, as well as other software features, using the rules that you configure. Resource usage in the policy enforcement engine is based on how these features are configured on the switch:
  • Resource usage by dynamic port ACLs and VT (virus throttling, that is, connection-rate filtering) is determined as follows:
    • Dynamic port ACLs configured by a RADIUS server for an authenticated client determine the current resource consumption for this feature on a specified slot. When a client session ends, the resources in use for that client become available for other uses.

    • A VT configuration (connection-rate filtering) on the switch does not affect switch resources unless traffic behavior has triggered either a throttling or blocking action on the traffic from one or more clients. When the throttling action ceases or a blocked client is unblocked, the resources used for that action are released.

  • When the following features are configured globally or per-VLAN, resource usage is applied across all port groups or all slots with installed modules:
    • ACLs

    • QoS configurations that use the following commands:
      • QoS device priority (IP address) through the CLI using the qos device-priority command

      • QoS application port through the CLI using qos tcp-port or qos udp-port

      • VLAN QoS policies through the CLI using service-policy

    • Management VLAN configuration

    • DHCP snooping

    • Dynamic ARP protection

    • Remote mirroring endpoint configuration

    • Mirror policies per VLAN through the CLI using monitor service

    • Jumbo IP-MTU

  • When the following features are configured per-port, resource usage is applied only to the slot or port group on which the feature is configured:
    • ACLs or QoS applied per-port or per-user through RADIUS authentication

    • ACLs applied per-port through the CLI using the ip access-group or ipv6 traffic-filter commands

    • QoS policies applied per-port through the CLI using the service-policy command

    • Mirror policies applied per-port through the CLI using the monitor all service and service-policy commands

    • ICMP rate-limiting through the CLI using the rate-limit icmp command

    • VT applied to any port (when a high-connection-rate client is being throttled or blocked)
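
The difference between the two scopes above is easiest to see with the same ACL assigned both ways and the engine usage checked afterwards. The following is an added example, not text from the original page: it uses ProCurve/ArubaOS-Switch CLI syntax, the ACL name BLOCK-TELNET, VLAN 10 and port A1 are assumed for illustration, and lines beginning with "!" are annotations rather than switch commands.

```text
! 1. Define a small extended ACL. The number of rules in it, not the name,
!    is what the policy enforcement engine has to store.
switch(config)# ip access-list extended BLOCK-TELNET
switch(config-ext-nacl)# deny tcp any any eq 23
switch(config-ext-nacl)# permit ip any any
switch(config-ext-nacl)# exit

! 2a. Per-VLAN assignment: the rules are charged against every slot or
!     port group that has a module installed, whether or not the VLAN
!     actually carries traffic there.
switch(config)# vlan 10 ip access-group BLOCK-TELNET vlan-in

! 2b. Per-port assignment: the rules are charged only against the slot
!     (or port group) that contains port A1.
switch(config)# interface A1 ip access-group BLOCK-TELNET in

! 3. Check what the engine has consumed, reported per slot and broken out
!    by feature, so the global (2a) and per-slot (2b) effects can be compared.
switch# show access-list resources
switch# show qos resources

! 4. If a slot is short of rules, remove the wider per-VLAN assignment; the
!    rules are then released on every slot at once.
switch(config)# no vlan 10 ip access-group BLOCK-TELNET vlan-in
```

Two caveats when reading the resource output: dynamic port ACLs pushed by RADIUS and the entries created by VT throttling or blocking only appear while a client session is active or a throttling action is in progress, so a check taken on a quiet switch understates what the slot will need under load; and because per-VLAN and other global features are charged on every slot, the slot with the least free capacity, not the sum across slots, is the one that decides whether the next global policy can be applied.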