Policy Configuration Overview
Fixed Switch Configuration Guide 16-3
regardless of the number of moves, adds, or changes to the policy role, Policy Manager
automatically enforces roles on Enterasys security-enabled infrastructure devices.
This document presents policy configuration from the perspective of the Fixed Switch CLI.
Though it is possible to configure policy from the CLI, CLI policy configuration in even a small
network can be prohibitively complex from an operational point of view. It is highly
recommended that policy configuration be performed using the NetSight Policy Manager. The
NetSight Policy Manager provides:
• Ease of rule and policy role creation
• The ability to store and retrieve roles and policies
• The ability, with a single click, to enforce policy across multiple devices
The official Policy Manager documentation is accessed using online help from within the
application. This online documentation completely covers the configuration of policy in a Policy
Manager context. For access to the Policy Manager data sheet or to setup a demo of the product,
see http://www.enterasys.com/products/visibility-control/netsight-policy-manager.aspx.
Understanding Roles in a Secure Network
The capacity to define roles is directly derived from the ability of supported Enterasys devices to
inspect Layer 2, Layer 3, and Layer 4 packet fields while maintaining line rate. This capability
allows for the granular application of a policy. On the Fixed Switches, you can apply a policy to a:
• Specific user (MAC source address)
•Port
Because users, devices, and applications are all identifiable, a network administrator has the
capacity to define and control network access and usage by the actual role the user or device plays
in the network. The nature of the security challenge, application access, or amount of network
resource required by a given attached user or device, is very much dependent upon the “role” that
user or device plays in the enterprise. Defining and applying each role assures that network access
and resource usage align with the security requirements, network capabilities, and legitimate user
needs as defined by the network administrator.
The Policy Role
A role, such as sales, admin, or engineering, is first identified and defined in the abstract as the
basis for configuring a policy role. Once a role is defined, a policy role is configured and applied to
the appropriate context using a set of rules that can control and prioritize various types of network
traffic. The rules that make up a policy role contain both classification definitions and actions to be
enforced when a classification is matched. Classifications include Layer 2, Layer 3, and Layer 4
packet fields. Policy actions that can be enforced include VLAN assignment, filtering, inbound
rate limiting, L2 priority, and ToS/DSCP.
Defining Policy Roles
The policy role is a container that holds all aspects of policy configuration for a specific role. Policy
roles are identified by a numeric profile-index value between 1 and the maximum number of roles
supported on the platform. Please see your device’s firmware release notes for the maximum
number of roles supported. On the Fixed Switches, policy roles are configured using the set policy
profile command.
A policy role can also be identified by a text name of between 1 and 64 characters. This name value
is used by the RADIUS Filter-ID attribute to identify the policy role to be applied by the switch
with a successful authentication.
To Next Page
Loading...
Need help?
General