Precedence Of Security Options; Precedence Of Port-Based Security Options; Precedence Of Client-Based Authentication: Dynamic Configuration Arbiter - HP ProCurve Switch 6120G/XG Manual

Precedence of Security Options

This section explains how port-based security options, and client-based
attributes used for authentication, get prioritized on the switch.

Precedence of Port-Based Security Options

Where the switch is running multiple security options, it implements network
traffic security based on the OSI (Open Systems Interconnection model)
precedence of the individual options, from the lowest to the highest. The
following list shows the order in which the switch implements configured
security features on traffic moving through a given port.
1. Disabled/Enabled physical port
2. MAC lockout (Applies to all ports on the switch.)
3. MAC lockdown
4. Port security
5. Authorized IP Managers
6. Application features at higher levels in the OSI model, such as SSH.
(The above list does not address the mutually exclusive relationship that
exists among some security features.)
Precedence of Client-Based Authentication:
Dynamic Configuration Arbiter
The Dynamic Configuration Arbiter (DCA) is implemented to determine the
client-specific parameters that are assigned in an authentication session.
A client-specific authentication configuration is bound to the MAC address of
a client device and may include the following parameters:
■ Untagged client VLAN ID
Tagged VLAN IDs
■
Per-port CoS (802.1p) priority
■
■ Per-port rate-limiting on inbound traffic
DCA allows client-specific parameters configured in any of the following ways
to be applied and removed as needed in a specified hierarchy of precedence.
When multiple values for an individual configuration parameter exist, the
Security Overview

Precedence of Security Options

1-17