Viewing information on resource usage

The switch allows you to view information about the current usage and availability of resources in the Policy Enforcement engine, including the following software features:

  • Access control lists (ACL)

  • Quality-of-service (QoS), including device and application port priority, ICMP rate-limiting, and QoS policies

  • Dynamic assignment of per-port or per-user ACLs and QoS through RADIUS authentication designated as “IDM”, with or without the optional identity-driven management (IDM) application

  • Virus throttling (VT) using connection-rate filtering

  • Mirroring policies, including switch configuration as an endpoint for remote intelligent mirroring

  • Other features, including:

    • Management VLAN

    • DHCP snooping

    • Dynamic ARP protection

    • Jumbo IP-MTU

When insufficient resources are available

The switch has ample resources for configuring features and supporting:

  • RADIUS-authenticated clients (with or without the optional IDM application)

  • VT and blocking on individual clients.


NOTE: Virus throttling does not operate on IPv6 traffic.


If the resources supporting these features become fully subscribed:

  • The current feature configuration, RADIUS-authenticated client sessions, and VT instances continue to operate normally.

  • The switch generates an event log notice to say that current resources are fully subscribed.

  • Currently engaged resources must be released before any of the following actions are supported:

    • Modifying currently configured ACLs, IDM, VT, and other software features, such as Management VLAN, DHCP snooping, and dynamic ARP protection.

      You can modify currently configured classifier-based QoS and mirroring policies if a policy has not been applied to an interface. However, sufficient resources must be available when you apply a configured policy to an interface.

    • Acceptance of new RADIUS-based client authentication requests (displayed as a new resource entry for IDM).

      Failure to authenticate a client that presents valid credentials may indicate that insufficient resources are available for the features configured for the client in the RADIUS server. To troubleshoot, check the event log.

    • Throttling or blocking of newly detected clients with high rate-of-connection requests (as defined by the current VT configuration).

      The switch continues to generate Event Log notifications (and SNMP trap notifications, if configured) for new instances of high-connection-rate behavior detected by the VT feature.

Policy enforcement engine

The policy enforcement engine is the hardware element in the switch that manages QoS, mirroring, and ACL policies, as well as other software features, using the rules that you configure. Resource usage in the policy enforcement engine is based on how these features are configured on the switch:

  • Resource usage by dynamic port ACLs and VT is determined as follows:

    • Dynamic port ACLs configured by a RADIUS server (with or without the optional IDM application) for an authenticated client determine the current resource consumption for this feature on a specified slot. When a client session ends, the resources in use for that client become available for other uses.

    • A VT configuration (connection-rate filtering) on the switch does not affect switch resources unless traffic behavior has triggered either a throttling or blocking action on the traffic from one or more clients. When the throttling action ceases or a blocked client is unblocked, the resources used for that action are released.

  • When the following features are configured globally or per-VLAN, resource usage is applied across all port groups or all slots with installed modules:

    • ACLs

    • QoS configurations that use the following commands:

      • QoS device priority (IP address) through the CLI using the qos device-priority command

      • QoS application port through the CLI using qos tcp-port or qos udp-port

      • VLAN QoS policies through the CLI using service-policy

    • Management VLAN configuration

    • DHCP snooping

    • Dynamic ARP protection

    • Remote mirroring endpoint configuration

    • Mirror policies per VLAN through the CLI using monitor service

    • Jumbo IP-MTU

  • When the following features are configured per-port, resource usage is applied only to the slot or port group on which the feature is configured:

    • ACLs or QoS applied per-port or per-user through RADIUS authentication

    • ACLs applied per-port through the CLI using the ip access-group or ipv6 traffic-filter commands

    • QoS policies applied per port through the CLI using the service-policy command

    • Mirror policies applied per-port through the CLI using the monitor all service and service-policy commands

    • ICMP rate-limiting through the CLI using the rate-limit icmp command

    • VT applied to any port (when a high-connection-rate client is being throttled or blocked)
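The accounting rules above (global or per-VLAN features consume rules on every slot, per-port and per-client features on one slot only, and a fully subscribed slot keeps existing state while refusing new allocations) can be modelled as a small capacity simulation. This is an added example, not code from the switch or its documentation; the slot names, rule counts and the `PolicyEngine` class are constructed, and real switches have no 1:1 mapping between policies and internal rules.

```python
"""Constructed capacity model of policy-enforcement-engine resource usage."""
from dataclasses import dataclass, field


@dataclass
class Slot:
    capacity: int                                   # rules this slot's engine holds (constructed)
    used: dict = field(default_factory=dict)        # owner -> rules consumed on this slot

    def available(self) -> int:
        return self.capacity - sum(self.used.values())


class PolicyEngine:
    def __init__(self, capacity: int, slots: list):
        self.slots = {name: Slot(capacity) for name in slots}

    def apply_global(self, owner: str, rules: int) -> bool:
        """Global/per-VLAN features (ACLs, VLAN QoS, DHCP snooping, ...) cost rules on every slot."""
        if any(s.available() < rules for s in self.slots.values()):
            return False            # insufficient resources: nothing changes, existing state stays
        for s in self.slots.values():
            s.used[owner] = s.used.get(owner, 0) + rules
        return True

    def apply_port(self, slot: str, owner: str, rules: int) -> bool:
        """Per-port features (IDM client ACLs, VT throttling, per-port QoS) cost rules on one slot."""
        s = self.slots[slot]
        if s.available() < rules:
            return False            # e.g. a new RADIUS client is refused while others keep working
        s.used[owner] = s.used.get(owner, 0) + rules
        return True

    def release(self, owner: str) -> None:
        """Client session ends or a VT block is lifted: its rules return on every slot holding them."""
        for s in self.slots.values():
            s.used.pop(owner, None)

    def report(self) -> dict:
        """Equivalent of reading the 'Available' column per slot."""
        return {name: s.available() for name, s in self.slots.items()}


def demo() -> tuple:
    pe = PolicyEngine(capacity=8, slots=["A", "B"])
    pe.apply_global("acl:vlan10", 5)                   # A and B each drop to 3 available
    pe.apply_port("A", "idm:client1", 2)               # A drops to 1, B untouched
    refused = pe.apply_port("A", "idm:client2", 2)     # A is fully subscribed for this client
    rejected = pe.apply_global("acl:vlan20", 4)        # global change also refused, state intact
    pe.release("idm:client1")                          # session ends, A back to 3
    accepted = pe.apply_port("A", "idm:client2", 2)    # now fits
    return refused, rejected, accepted, pe.report()
```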

Usage notes for show resources output

  • A 1:1 mapping of internal rules to configured policies in the switch does not necessarily exist. As a result, displaying current resource usage is the most reliable method for keeping track of available resources. Also, because some internal resources are used by multiple features, deleting a feature configuration may not increase the amount of available resources.

  • Resource usage includes resources actually in use or reserved for future use by the listed features.

  • "Internal dedicated-purpose resources" include the following features:

    • Per-port ingress and egress rate limiting through the CLI using rate-limit in/out

    • Per-port ingress and egress broadcast rate limiting through the CLI using rate-limit bcast/mcast

    • Per-port or per-VLAN priority or DSCP through the CLI using qos priority or qos dscp

    • Per protocol priority through the CLI using qos protocol

  • For chassis products (for example, the 5400zl or 8212zl switches), 'slots' are listed instead of 'ports,' with resources shown for all installed modules on the chassis.

  • The "Available" columns display the resources available for additional feature use.

  • The "IDM" column shows the resources used for RADIUS-based authentication with or without the IDM option.

  • "Meters" are used when applying either ICMP rate-limiting or a QoS policy with a rate-limit class action.