The following information provides general guidelines for configuring RADIUS servers, so that the features listed in CoS and rate-limiting services can be dynamically applied on ports that support authenticated clients.
CoS and rate-limiting services
| Service | Control method and operating notes | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 802.1p (CoS) Priority Assignments Per-User on Traffic Inbound to the Switch
Assigns a RADIUS-configured 802.1p priority to the inbound packets received from a specific client authenticated on a switch port.
|
Standard Attribute used in the RADIUS server: 59 (This is the preferred attribute for new or updated configurations.) Vendor-Specific Attribute used in the RADIUS server. (This attribute is maintained for legacy configurations.) HP vendor-specific ID:11 VSA: 40 Setting: User-Priority-Table=xxxxxxxx where: x=desired 802.1p priority
Requires a port-access authentication method (802.1X, Web Auth, or MAC Auth) configured on the client's port on the switch. For more on 802.1p priority levels, see "Quality of Service (QoS)" in the Advanced Traffic Management Guide for your switch. |
||||||||||||
|
Ingress (inbound) rate-limiting per-user Assigns a RADIUS-configured bandwidth limit to the inbound packets received from a specific client authenticated on a port.
|
Vendor-Specific Attribute used in the RADIUS server. HP vendor-specific ID:11 VSA: 46 Setting: HP-Bandwidth-Max-Egress=< bandwidth-in-Kbps >
Requires a port-access authentication method (802.1X, Web Auth, or MAC Auth) configured on the client's port on the switch. The actual bandwidth available for ingress traffic from an authenticated client can be affected by the total bandwidth available on the client port. See Per-port bandwidth override. |
||||||||||||
|
Egress (outbound) rate-limiting per-port Assigns a RADIUS-configured bandwidth limit to the outbound traffic sent to a switch port. |
Vendor-Specific Attribute used in the RADIUS server. HP vendor-specific ID:11 VSA: 48 (string=HP) Setting: HP-RATE-LIMIT= <
Requires a port-access authentication method (802.1X, Web Auth, or MAC Auth) configured on the client's port on the switch. The actual bandwidth available for egress traffic from an authenticated client can be affected by the total bandwidth available on the client port. See Per-port bandwidth override. |
![[NOTE: ]](images/note.gif)
To configure support for the services listed in CoS and rate-limiting services on a specific RADIUS server application, see the documentation provided with the RADIUS application.
Rate limits are applied incrementally on the HP switches, as determined by the RADIUS-applied rate. For any given bandwidth assignment, the switch applies the nearest rate increment that does not exceed the assigned value. The increments are in graduated steps, as described in RADIUS-assigned rate-limit increments.
RADIUS-assigned rate-limit increments
|
RADIUS-assigned bits-per-second rate limit |
Applied rate-limiting increment |
|---|---|
| 1 - 10,999,999 | 100 Kbps |
| 11,000,000 - 100,999,999 | 1 Mbps |
| 101,000,000 - 999,999,999 | 10 Mbps |
| 1,000,000,000 - 10 Gbps | 100 Mbps |
For example, some of the following RADIUS-assigned rates fall between their respective incremental values, resulting in applied rates lower than the RADIUS-assigned rates. However, others match their respective incremental values, resulting in no difference between the RADIUS-assigned rate limits and the applied rate limits.
Examples of assigned and applied rate limits
| RADIUS-assigned bandwidth (Kbps) | Applied increments | Applied rate limit (Kbps) | Difference/Kbps |
|---|---|---|---|
| 5,250 | 100 Kbps | 5,200 | 50 |
| 50,250 | 1 Mbps | 50,000 | 250 Kbps |
| 51,000 | 1 Mbps | 51,000 | 0 |
| 525,000 | 10 Mbps | 520,000 | 5,000 Kbps |
| 530,000 | 10 Mbps | 530,000 | 0 |
| 1,250,000 | 100 Mbps | 1,200,000 | 50,000 Kbps |
| 1,300,000 | 100 Mbps | 1,300,000 | 0 |
HP recommends that rate-limiting be configured either solely through RADIUS assignments or solely through static CLI configuration on the switch unless the potential for the override described below is specifically desired.
RADIUS-assigned ingress rate-limits are applied to individual clients instead of to the client's port. But if you use the CLI to configure a per-port ingress rate-limit on the same port where an authenticated client receives a RADIUS-assigned ingress rate-limit, the client's assigned ingress limit can be reduced by the CLI-configured port ingress limit. This occurs if the port reaches its CLI-configured rate-limit maximum before the client reaches its RADIUS-assigned rate-limit maximum, thus denying the client its intended maximum.
The most recent RADIUS-assigned egress rate-limit specifies the maximum egress rate-limit for a port, even if the CLI has also been used to configure an egress rate limit on the port.
| Rate-limit assignment method | Rate-limit actions and restrictions | |
|---|---|---|
| Inbound |
CLI ingress rate-limit per-port
|
Determines the maximum ingress bandwidth available on the port, regardless of any RADIUS-assigned per-client rate-limits dynamically assigned to the same port. |
|
RADIUS ingress rate-limit per-client
|
Each client is allowed the inbound bandwidth individually assigned to it by the RADIUS server, up to the port's physical capacity, unless the available bandwidth on the port has been reduced by a CLI-assigned per-port bandwidth limit. |
|
| Outbound |
CLI egress rate-limit per-port
|
Determines the maximum egress bandwidth available on the port, unless there is also a RADIUS-assigned per-port rate limit on the port. |
|
RADIUS egress rate-limit per client
|
The most recent client to authenticate determines the maximum egress bandwidth on the port for all outbound traffic, regardless of any CLI-assigned per-port outbound rate-limit. |
|
For example, suppose the CLI is used to configure a gigabit port to have an ingress rate limit of 500,000 Kbps (50% of available bandwidth), and is receiving 450,000 Kbps of traffic from existing clients. If a RADIUS server then authenticates a new client with an ingress rate-limit of 100,000 Kbps, the maximum ingress rate limit actually available for the new client is 50,000 Kbps as long as the bandwidth usage by the other clients already on the port remains at 450,000 Kbps.
For more on static rate-limiting, see "Rate-Limiting" in the "Port Traffic Controls" in the Management and Configuration Guide for your switch.
While a RADIUS-assigned client session is active on a given port, any RADIUS-imposed values for the settings listed in Application of RADIUS-assigned values are applied as shown:
Application of RADIUS-assigned values
| Dynamic RADIUS assignment options | Static per-port setting options | Application of dynamic RADIUS assignment |
|---|---|---|
| 802.1p Priority (CoS) |
|
Applies per-client; that is, only to client whose authentication triggered the assignment. (Up to 32 clients supported per-port.) |
| Inbound (Ingress) Rate-Limiting |
|
|
| Outbound (Egress) Rate-Limiting |
|
Applies per-port; that is, to all clients on the port. [a] |
|
[a] Uses the value assigned to the port by the most recent instance of client authentication. |
||
Syntax:
If the switch receives an 802.1p priority (CoS) and/or rate-limit setting(s) from a RADIUS server as the result of a client authentication on a port, the above commands display the assigned values while the client's session is active. When the session ends, the values for that client are no longer displayed.
The priority and inbound (ingress) rate-limit are applied only to the inbound traffic of the client whose authentication triggered the assignment. The outbound (egress) rate-limit applies to all outbound traffic on the port.
Displays, for a Web authenticated client (web-based authentication), the status of RADIUS-assignment details for that client.
Example:
Suppose port 4 has been statically configured from the CLI with the following:
802.1p priority: 7
Inbound rate-limit: 50 percent
Outbound rate-limit: 50 percent
The above, statically configured, per-port priority and inbound rate-limit settings will not apply to any clients who authenticate and receive different inbound priority and rate-limit settings from the RADIUS server. If the RADIUS server also assigns an outbound rate-limit setting, which is applied per-port instead of per-client, then the outbound traffic from the port to all connected clients will be rate-limited according to the value set by the server for the most recently authenticated client. Thus, if client "X" authenticates with web-based authentication on port 4 with a RADIUS server that assigns a priority of 3, an inbound rate-limit of 10,000 kbps, and an outbound rate-limit of 50,000 kbps, then:
The inbound traffic from client "X" will be subject to a priority of 3 and inbound rate-limit of 10,000 kbps. Traffic from other clients using the port will not be affected by these values.
The combined rate-limit outbound for all clients using the port will be 50,000 kbps until either all client sessions end, or another client authenticates and receives a different outbound rate-limit.
NOTE: Mixing CLI-configured and RADIUS-assigned rate-limiting on the same port can produce unexpected results. See Per-port bandwidth override.
Where multiple clients are currently authenticated on a given port where outbound (egress) rate-limiting values have been assigned by a RADIUS server, the port operates with the outbound rate-limit assigned by RADIUS for the most recently authenticated client. Any earlier outbound rate-limit values assigned on the same port for other authenticated client sessions that are still active are superseded by the most recent RADIUS-assigned value. For example, if client "X" is authenticated with an outbound rate-limit of 750 kbps, and client "Y" later becomes authenticated with an outbound rate-limit of 500 kbps while the session for client "X" is still active, then the port operates with an outbound rate-limit of 500 kbps for both clients.
