Security Overview

Precedence of Security Options

This section explains how the switch prioritizes port-based security options, and how it prioritizes the client-based attributes assigned during authentication.

Precedence of Port-Based Security Options

When the switch is running multiple security options, it applies them to network traffic in order of the OSI (Open Systems Interconnection model) layer at which each option operates, from the lowest layer to the highest. The following list shows the order in which the switch applies configured security features to traffic moving through a given port; a frame rejected at an earlier step is never evaluated by the later ones.

1. Disabled/Enabled physical port

2. MAC lockout (Applies to all ports on the switch.)

3. MAC lockdown

4. Port security

5. Authorized IP Managers

6. Application features at higher levels in the OSI model, such as SSH.

(The above list does not address the mutually exclusive relationship that exists among some security features.)
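The following model walks a frame through the six checks in the order listed above and reports which check decided its fate. It is an added example written for this page, not switch firmware or any HP/ProCurve code, and the semantics it gives each feature are assumptions: MAC lockout is a switch-wide drop list; MAC lockdown binds a MAC to one port and VLAN; port security is a per-port list of authorized MACs; Authorized IP Managers filters only traffic addressed to the switch's own management stack, not transit traffic. The policy and frames are constructed sample data.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


def norm(mac: str) -> str:
    """Canonical MAC form so "AA-BB-..." and "aa:bb:..." compare equal."""
    return mac.lower().replace("-", ":")


@dataclass
class Frame:
    port: int
    src_mac: str
    vlan: int = 1
    src_ip: Optional[str] = None
    to_management: bool = False  # True if destined for the switch's own management stack


@dataclass
class Policy:
    """Assumed feature semantics (not from the page): see field comments."""
    enabled_ports: Set[int]                                   # step 1
    mac_lockout: Set[str] = field(default_factory=set)        # step 2: dropped on every port
    mac_lockdown: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # step 3: mac -> (port, vlan)
    port_security: Dict[int, Set[str]] = field(default_factory=dict)        # step 4: port -> authorized macs
    authorized_managers: List[str] = field(default_factory=list)            # step 5: CIDR blocks

    def __post_init__(self) -> None:
        self.mac_lockout = {norm(m) for m in self.mac_lockout}
        self.mac_lockdown = {norm(m): b for m, b in self.mac_lockdown.items()}
        self.port_security = {p: {norm(m) for m in macs} for p, macs in self.port_security.items()}


def evaluate(policy: Policy, f: Frame) -> Tuple[str, str]:
    """Return ("drop" | "permit", stage): stage is the first check that decided."""
    mac = norm(f.src_mac)
    # 1. Administratively disabled port: nothing else is consulted.
    if f.port not in policy.enabled_ports:
        return "drop", "port-state"
    # 2. MAC lockout is global, so it wins even if port security lists the MAC.
    if mac in policy.mac_lockout:
        return "drop", "mac-lockout"
    # 3. A locked-down MAC is only accepted on its bound port and VLAN.
    bound = policy.mac_lockdown.get(mac)
    if bound is not None and bound != (f.port, f.vlan):
        return "drop", "mac-lockdown"
    # 4. Port security: only ports with a configured list are restricted.
    allowed = policy.port_security.get(f.port)
    if allowed is not None and mac not in allowed:
        return "drop", "port-security"
    # 5. Authorized IP Managers: management access only from listed networks.
    if f.to_management:
        src_ok = f.src_ip is not None and any(
            ip_address(f.src_ip) in ip_network(n) for n in policy.authorized_managers
        )
        if not src_ok:
            return "drop", "authorized-ip-managers"
    # 6. Hand the frame to higher-layer features (SSH, etc.).
    return "permit", "application"


# Constructed sample policy for demonstration.
POLICY = Policy(
    enabled_ports={1, 2, 3},                          # port 4 is disabled
    mac_lockout={"00:11:22:33:44:55"},
    mac_lockdown={"aa:bb:cc:00:00:01": (2, 10)},      # bound to port 2, VLAN 10
    port_security={3: {"aa:bb:cc:00:00:02", "00:11:22:33:44:55"}},
    authorized_managers=["10.0.0.0/24"],
)

SAMPLE_FRAMES = [
    Frame(port=4, src_mac="aa:bb:cc:00:00:02"),                      # disabled port
    Frame(port=3, src_mac="00:11:22:33:44:55"),                      # lockout beats port security
    Frame(port=1, src_mac="AA-BB-CC-00-00-01", vlan=10),             # locked-down MAC on wrong port
    Frame(port=2, src_mac="aa:bb:cc:00:00:01", vlan=10),             # locked-down MAC where it belongs
    Frame(port=3, src_mac="aa:bb:cc:00:00:09"),                      # not in port 3's authorized list
    Frame(port=1, src_mac="aa:bb:cc:00:00:05", src_ip="192.0.2.7", to_management=True),
    Frame(port=1, src_mac="aa:bb:cc:00:00:05", src_ip="192.0.2.7"),  # transit: not filtered by step 5
]

if __name__ == "__main__":
    for fr in SAMPLE_FRAMES:
        print(fr, "->", evaluate(POLICY, fr))
```

The second sample frame is the case worth remembering: port 3's port-security list explicitly authorizes 00:11:22:33:44:55, yet the frame is dropped at the MAC lockout step because lockout is evaluated first and applies to every port. The last two frames show why Authorized IP Managers does not protect transit traffic: the same unauthorized source address is dropped only when it targets the switch's management interface.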

Precedence of Client-Based Authentication: Dynamic Configuration Arbiter

The Dynamic Configuration Arbiter (DCA) determines which client-specific parameters are assigned to a client in an authentication session when more than one source supplies a value for the same parameter.

A client-specific authentication configuration is bound to the MAC address of a client device and may include the following parameters:

Untagged client VLAN ID

Tagged VLAN IDs

Per-port CoS (802.1p) priority

Per-port rate-limiting on inbound traffic

DCA allows client-specific parameters configured in any of the following ways to be applied and removed as needed in a specified hierarchy of precedence. When multiple values for an individual configuration parameter exist, the