
Port-based Network Access and traffic control
EAPoL configuration guidelines
When configuring EAPoL, consider the following guidelines:
• The 802.1x port-based authentication is currently supported only in point-to-point configurations, that
is, with a single supplicant connected to an 802.1x-enabled switch port.
• When 802.1x is enabled, a port has to be in the authorized state before any other Layer 2 feature
can be operationally enabled. For example, the STG state of a port is operationally disabled while
the port is in the unauthorized state.
• The 802.1x supplicant capability is not supported. Therefore, none of the switch's ports can connect
successfully to an 802.1x-enabled port of another device, such as another switch, which acts as an
authenticator, unless access control on the remote port is disabled or is configured in forced-authorized
mode. For example, if an HP 10GbE switch is connected to another HP 10GbE switch,
and if 802.1x is enabled on both switches, the two connected ports must be configured in force-authorized
mode.
• The 802.1x standard has optional provisions for supporting dynamic virtual LAN assignment via
RADIUS tunneling attributes, for example, Tunnel-Type (=VLAN), Tunnel-Medium-Type (=802), and
Tunnel-Private-Group-ID (=VLAN id). These attributes are not supported and might affect 802.1x
operations. Other unsupported attributes include Service-Type, Session-Timeout, and Termination-
Action.
• RADIUS accounting service for 802.1x-authenticated devices or users is not supported.
• Configuration changes performed using SNMP and the standard 802.1x MIB take effect immediately.
Port-based traffic control
Port-based traffic control prevents HP 10GbE switch ports from being disrupted by LAN storms. A LAN
storm occurs when data packets flood the LAN, which can cause the network to become congested and
slow down. Errors in the protocol-stack implementation or in the network configuration can cause a LAN
storm.
You can enable port-based traffic control separately for each of the following traffic types:
• Broadcast—packets with destination MAC address ff:ff:ff:ff:ff:ff
• Multicast—packets that have MAC addresses with the least significant bit of their first octet set to one
• Destination Lookup Failed (DLF)—packets with an unknown destination MAC address, which are treated
like broadcast packets
With Port-based Traffic Control enabled, the port monitors incoming traffic of each type noted above. If
the traffic exceeds a configured threshold, the port blocks traffic that exceeds the threshold until the traffic
flow falls back within the threshold.
The HP 10GbE switch supports separate traffic-control thresholds for broadcast, multicast, and DLF traffic.
The traffic threshold is measured in number of frames per second.
NOTE: All ports that belong to a trunk must have the same traffic-control settings.
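The following is an added example, not code from the HP documentation or the switch firmware. It models the behavior described above: frames are classified as broadcast, multicast, or DLF by destination MAC address, and only the frames beyond each type's frames-per-second threshold are blocked. The function names, the fixed one-second counting window, and the sample frames are assumptions made for illustration.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

def classify(dst_mac, fdb):
    """Return 'broadcast', 'multicast', 'dlf', or None for known unicast."""
    mac = dst_mac.lower()
    if mac == BROADCAST:
        return "broadcast"
    if int(mac.split(":")[0], 16) & 0x01:  # group bit: LSB of first octet
        return "multicast"
    return None if mac in fdb else "dlf"   # unknown destination -> DLF

def police(frames, fdb, thresholds):
    """Apply per-type frames-per-second thresholds to time-ordered frames.

    frames: (timestamp_seconds, dst_mac) tuples; thresholds: type -> fps,
    a missing type means traffic control is not enabled for that type.
    Assumption: rates are counted in fixed one-second windows.
    """
    seen = defaultdict(int)      # (second, type) -> frames counted
    dropped = defaultdict(int)   # type -> frames blocked
    forwarded = []
    for ts, dst in frames:
        kind = classify(dst, fdb)
        limit = thresholds.get(kind)
        if limit is not None:
            seen[(int(ts), kind)] += 1
            if seen[(int(ts), kind)] > limit:
                dropped[kind] += 1   # only the excess is blocked
                continue
        forwarded.append((ts, dst))
    return forwarded, dict(dropped)

# Constructed sample data (not from a real capture).
FDB = {"00:aa:bb:cc:dd:01"}                     # learned MAC addresses
UNKNOWN, GROUP = "00:11:22:33:44:55", "01:00:5e:00:00:01"
SAMPLE_FRAMES = (
    [(0.1 * i, BROADCAST) for i in range(5)]    # 5 broadcasts in second 0
    + [(0.5, GROUP), (0.6, GROUP)]
    + [(0.7, UNKNOWN), (0.8, UNKNOWN), (0.9, UNKNOWN)]
    + [(0.95, "00:aa:bb:cc:dd:01"), (1.1, BROADCAST)]
)
THRESHOLDS = {"broadcast": 3, "dlf": 2}         # multicast control left off

if __name__ == "__main__":
    fwd, drops = police(SAMPLE_FRAMES, FDB, THRESHOLDS)
    print(len(fwd), "forwarded; blocked:", drops)
```

In the sample, multicast passes unpoliced because no threshold is set for it, and the broadcast at 1.1 seconds is forwarded because the flow has fallen back within the threshold in the new window.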