
Enterasys C5G124-24 User Manual

Policy Configuration Overview
Fixed Switch Configuration Guide 16-7
Examples
This example assigns a rule to policy profile 3 that will filter Ethernet II Type 1526 frames to
VLAN 7:
C5(su)->set policy rule 3 ether 1526 vlan 7
This example assigns a rule to policy profile 5 that will forward UDP packets from source port 45:
C5(su)->set policy rule 5 udpsourceport 45 forward
This example assigns a rule to policy profile 1 that will drop IP source traffic from IP address
1.2.3.4, UDP port 123:
C5(su)->set policy rule 1 ipsourcesocket 1.2.3.4:123 mask 48 drop
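When reviewing a saved configuration, it helps to turn rule lines like the three above into structured records so each rule's match scope and action can be checked. The following parser is an added example, not part of the Enterasys manual; it handles only the keywords shown on this page, and it assumes that an ipsourcesocket mask counts 32 IPv4 address bits first and then 16 port bits.

```python
import re

# The three commands from the examples above, prompt included.
SAMPLE = """\
C5(su)->set policy rule 3 ether 1526 vlan 7
C5(su)->set policy rule 5 udpsourceport 45 forward
C5(su)->set policy rule 1 ipsourcesocket 1.2.3.4:123 mask 48 drop
"""

# Optional CLI prompt, then: set policy rule <profile> <classifier> <value> [options]
RULE_RE = re.compile(r"^(?:\S+->)?\s*set policy rule (\d+) (\S+) (\S+)(.*)$")


def parse_rule(line):
    """Parse one 'set policy rule' line into a dict; None if it is not one."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rule = {"profile": int(m.group(1)), "classifier": m.group(2),
            "value": m.group(3), "mask": None, "vlan": None, "action": None}
    tokens = m.group(4).split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("mask", "vlan") and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            rule[tok] = int(tokens[i + 1])
            i += 2
        elif tok in ("drop", "forward"):
            rule["action"] = tok
            i += 1
        else:  # only keywords shown on this page are handled
            raise ValueError(f"unhandled option {tok!r} in: {line.strip()}")
    return rule


def parse_config(text):
    """Return the parsed rules found in a block of configuration text."""
    return [r for r in map(parse_rule, text.splitlines()) if r]


def socket_bits(rule):
    """Split an ipsourcesocket mask into (address_bits, port_bits).

    Assumption: the mask counts 32 IPv4 address bits first, then 16 port bits.
    """
    if rule["classifier"] != "ipsourcesocket" or rule["mask"] is None:
        return None
    if not 1 <= rule["mask"] <= 48:
        raise ValueError(f"mask out of range: {rule['mask']}")
    return min(rule["mask"], 32), max(rule["mask"] - 32, 0)
```

Under that assumption, a mask of 32 on the same rule would leave the port unmatched, so the drop would cover every source port from 1.2.3.4 rather than port 123 only.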
Applying Policy
Once policy profiles and rules have been configured, you can apply them to ports and users
(devices). When you assign a policy profile to a port with the set policy port command, the policy
is called a Default policy. Only one default policy can be applied to a port.
Also, admin rules can be used to map VLAN-tagged frames to an existing policy. As part of
creating an admin rule, you can optionally specify the ingress ports to which the rule will apply,
which also sets those ports as tagged egress ports for the VLAN. If no ports are specified, the rule
is applied globally, but VLAN tagged egress will not be set for any ports. You would then need to
configure VLAN egress by some other method, such as dynamic egress, static VLAN egress, or
policy. Note that only one global admin rule can exist per system (stack).
When a policy profile is assigned to a user through the authentication process, it is called dynamic
policy assignment. Information is returned as part of authentication that allows the switch to
assign an existing policy to the user.
A typical scenario for using default policy assignment and dynamic policy assignment in a
network might include applying a restrictive default policy to all user ports and then, when users
authenticate, dynamically applying a different policy profile appropriate to their role.
For example, assume you configure three policy profiles:
• A default policy for ports that allows access only to the Internet (DHCP, DNS, HTTP). See
“Configuring Guest Policy on Edge Platforms” on page 16-15 for an example of configuring
such a policy.
• A policy for employees with the role of “sales” that allows authenticated sales employees to
have access to the network resources needed by the sales team. See “Configuring Policy for
the Edge Student Fixed Switch” on page 16-15 for an example of configuring such a policy.
• A policy for employees with the role of “admin” that allows authenticated network
administrators to have access to all network resources.
The restrictive default policy is applied to a port. When a guest or visitor logs in through that port,
they will not be able to authenticate to the network and therefore will use the default policy.
When an employee from the sales team logs in on the same port and authenticates to the network,
the “sales” policy is dynamically applied, giving the employee access to the network resources
needed by the sales team.
When a network administrator logs in on the same port and authenticates to the network, the
“admin” policy is dynamically applied.
All three users are on the same port at the same time, but they have different levels of access to the
network, different VLANs, and different CoS.
