
Alcatel-Lucent AOS-W 6.5.3.x - Page 378

Alcatel-Lucent AOS-W 6.5.3.x
1160 pages
378| Roles and Policies AOS-W 6.5.3.x| User Guide
Field: Action (required)
Description: The action that you want the switch to perform on a packet that matches the specified criteria. This can be one of the following:
- permit: Permits traffic matching this rule.
- drop: Drops packets matching this rule without any notification.
- reject: Drops the packet and sends an ICMP notification to the traffic source.
- src-nat: Performs network address translation (NAT) on packets matching the rule. When this option is selected, you need to select a NAT pool. (If this pool is not configured, configure a NAT pool by navigating to Configuration > Advanced > Security > Advanced > NAT Pools.) The source IP changes to the outgoing interface IP address (implied NAT pool) or to an address from the configured pool (manual NAT pool). This action functions in tunnel/decrypt-tunnel forwarding mode.
- dst-nat: Redirects traffic to the configured IP address and destination port. An example of this option is to redirect all HTTP packets to the captive portal port on the Alcatel-Lucent switch, as used in the pre-defined policy called "captiveportal". This action functions in tunnel/decrypt-tunnel forwarding mode. The user should configure the NAT pool on the switch.
- dual-nat: Performs both source and destination NAT on packets matching the rule. Packets are forwarded from the source network to the destination and re-marked with the destination IP of the target network. This action functions in tunnel/decrypt-tunnel forwarding mode. The user should configure the NAT pool on the switch.
- redirect to tunnel: Redirects traffic into a GRE tunnel. This option is used primarily to redirect all guest traffic into a GRE tunnel to a DMZ router/switch.
- redirect to esi: Redirects traffic to the specified ESI group. You also specify the direction of traffic to be redirected: forward, reverse, or both directions. Select a NAT pool from the NAT Pool drop-down list to add a NAT pool for the ESI policy.
- route: Specify the next hop to which packets are routed, which can be one of the following:
  - Forward Regularly: Packets are forwarded to their next destination without any changes.
  - Forward to ipsec-map: Packets are forwarded through an IPsec tunnel defined by the specified IPsec map.
  - Forward to next-hop-list: Packets are forwarded to the highest priority active device on the selected next hop list. For more information on next-hop lists, see Next-Hop Device lists on page 244.
  - Forward to tunnel: Packets are forwarded through the tunnel with the specified tunnel ID. For more information on GRE tunnels, see Configuring GRE Tunnels on page 115.
  - Forward to tunnel group: Packets are forwarded through the active tunnel in a GRE tunnel group. For more information on tunnel groups, see Configuring GRE Tunnel Groups on page 124.

Field: Log (optional)
Description: Logs a match to this rule. This is recommended when a rule indicates a security breach, such as a data packet on a policy that is meant only to be used for voice calls.

Field: Mirror (optional)
Description: Mirrors session packets to datapath or remote destination.

Field: Queue (optional)
Description: The queue in which a packet matching this rule should be placed. Select High for higher priority data, such as voice, and Low for lower priority traffic.
