Intel IXM5414E Switch User Manual


 
Before loading TCP/IP with an address acquired from the DHCP server, DHCP clients check for an
IP address conflict by sending an Address Resolution Protocol (ARP) request containing the
address. If a conflict is found, TCP/IP does not start, and the user receives an error message. The
conflicting address should be removed from the list of active leases, or it should be excluded until
the conflict is identified and resolved.
Security
IEEE 802.1X
Local Area Networks (LANs) are often deployed in environments that permit the attachment of
unauthorized devices. The networks also permit unauthorized users to attempt to access the LAN
through existing equipment. In such environments, you may want to restrict access to the services
offered by the LAN. This section introduces the concepts associated with the two forms of security
available on the IXM5414E switch module: Local Authentication and Remote Authentication
Dial-In User Service (RADIUS). These mechanisms are used to authenticate user access to the switch
module and conform to the specifications in IEEE 802.1X.
Port-based network access control makes use of the physical characteristics of LAN infrastructures
to provide a means of authenticating and authorizing devices attached to a LAN port. Port-based
network access control prevents access to the port in cases in which the authentication and
authorization process fails.
Access control is achieved by enforcing authentication of entities seeking access to a port on the
switch module. These entities are referred to as supplicants. The result of the authentication process
determines whether the supplicant is authorized to access services on that controlled port.
A Port Access Entity (PAE) can adopt two different roles in an access control interaction:
Authenticator
    A port that enforces authentication before allowing access.
Supplicant
    A port that attempts to access services offered by an authenticator.
Additionally, there is a third role:
Authentication server
    Performs the authentication function necessary to check the credentials of the
    Supplicant on behalf of the Authenticator.
All three roles are required to complete the authentication process.
The IXM5414E switch module operates in the authenticator role only. The authenticator PAE is
responsible for submitting information received from the supplicant to the authentication server in
order for the credentials to be checked, which will determine the authorization state of the port. The
authenticator PAE controls the authorized/unauthorized state of the controlled port depending on the
outcome of the authentication process. Authentication messages use the Extensible Authentication
Protocol (EAP).
A port may take one of two states:
Controlled
    Traffic will only be exchanged if the port is in the Authorized state.
Uncontrolled
    Allows the uncontrolled exchange of EAP over IEEE 802 LANs (EAPoL) PDUs
    between the Authenticator and Supplicant.
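
The following sketch is an added example, not code from this manual or from the switch firmware. It models how an authenticator port treats incoming frames: EAPoL PDUs always reach the PAE through the uncontrolled port, and all other traffic passes only once the controlled port is Authorized. The class and function names are hypothetical, the sample frames are constructed, and the exchange with the authentication server is reduced to a single server_result() call.

```python
import struct

ETH_P_PAE = 0x888E                         # EtherType carrying EAPoL (IEEE 802.1X)
PAE_GROUP = bytes.fromhex("0180c2000003")  # PAE group destination address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

def parse_eapol(frame: bytes):
    """Return the EAPoL packet type name, or None for a non-EAPoL frame.
    Raises ValueError for a frame that claims to be EAPoL but is malformed."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_PAE:
        return None
    if len(frame) < 18:
        raise ValueError("truncated EAPoL header")
    _version, ptype, length = struct.unpack_from("!BBH", frame, 14)
    if ptype not in EAPOL_TYPES or len(frame) - 18 < length:
        raise ValueError("bad EAPoL type or body length")
    if ptype == 0:                         # EAP-Packet: code, id, length, data
        if length < 4:
            raise ValueError("EAP packet shorter than its header")
        code, _ident, eap_len = struct.unpack_from("!BBH", frame, 18)
        if code not in (1, 2, 3, 4) or not 4 <= eap_len <= length:
            raise ValueError("bad EAP code or length")
    return EAPOL_TYPES[ptype]

class AuthenticatorPort:
    """Simplified model of one switch port in the authenticator role."""
    def __init__(self):
        self.authorized = False            # controlled port starts Unauthorized

    def server_result(self, accepted: bool):
        """Apply the authentication server's verdict to the controlled port."""
        self.authorized = accepted

    def receive(self, frame: bytes) -> str:
        try:
            kind = parse_eapol(frame)
        except ValueError:
            return "drop"                  # malformed EAPoL is never forwarded
        if kind is not None:
            if kind == "EAPOL-Logoff":     # supplicant ends its session
                self.authorized = False
            return "uncontrolled"          # EAPoL reaches the PAE in any state
        return "controlled" if self.authorized else "drop"

def frame(ethertype: int, payload: bytes, dst: bytes = PAE_GROUP) -> bytes:
    """Build a constructed sample frame (the source MAC is made up)."""
    return dst + bytes.fromhex("020000000001") + struct.pack("!H", ethertype) + payload

EAPOL_START = frame(ETH_P_PAE, struct.pack("!BBH", 1, 1, 0))
EAPOL_LOGOFF = frame(ETH_P_PAE, struct.pack("!BBH", 1, 2, 0))
IPV4_DATA = frame(0x0800, b"\x45" + bytes(19), dst=b"\xff" * 6)
```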