Enterasys C5G124-24 User Manual
Policy Configuration Overview
16-8 Configuring Policy
Applying a Default Policy
The following example assigns a default policy with index 100 to all user ports (ge.1.1 through
ge.1.22) on a switch:
System(su)-> set policy port ge.1.1-22 100
Applying Policies Dynamically
Dynamic policy assignment requires that users authenticate through a RADIUS server. The RADIUS
Access-Accept response message both tells the switch that the user has authenticated successfully and
carries the attributes that name the policy profile to assign to that user.
The RADIUS server can return a Filter-ID attribute that specifies the name of the policy to apply to
the authenticated user. Alternatively, the RADIUS server can return VLAN tunnel attributes that
can be used to assign the user to a VLAN and/or a policy.
Refer to “Remote Authentication Dial-In Service (RADIUS)” on page 10-7 for more information
about configuring dynamic policy assignment as part of the authentication process.
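The following is an added example, not code from the Enterasys manual, showing both sides of the exchange described above: a RADIUS server building an Access-Accept that carries a Filter-ID and the VLAN tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), and the switch side checking the Response Authenticator against the shared secret before it trusts the policy name and VLAN in the reply. The shared secret, Request Authenticator and policy name are constructed test values, and the "Enterasys:version=1:policy=<name>" Filter-ID layout is an assumption about how the switch expects the policy name to be encoded. The point it makes beyond the text: an Access-Accept that is forged without the secret, or whose attributes are altered in transit, is rejected before any policy is assigned.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute numbers from RFC 2865 / RFC 2868.
ACCESS_ACCEPT = 2
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 11, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
# Assumption: the policy name travels in an Enterasys-style Filter-ID string,
# "Enterasys:version=1:policy=<name>".
FILTER_ID_PREFIX = "Enterasys:version=1:policy="


def encode_attrs(attrs):
    """TLV-encode a list of (type, value_bytes) RADIUS attributes."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_access_accept(identifier, request_auth, secret, attrs):
    """Server side. Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attrs(body):
    """Walk the attribute TLVs, rejecting truncated or overlapping lengths."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, body[i + 2:i + length]))
        i += length
    return attrs


def tunnel_int(value):
    # Tunnel-Type / Tunnel-Medium-Type: one tag octet, then a 3-octet integer.
    return int.from_bytes(value[1:4], "big")


def tunnel_str(value):
    # Tunnel-Private-Group-ID: optional tag octet (0x00-0x1F), then a string.
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("ascii")


def policy_decision(packet, request_auth, secret):
    """Switch side: returns (policy_name, vlan_id), or None if the packet
    is not an Access-Accept whose authenticator verifies under the secret."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(auth, expected):
        return None
    policy = vlan = group = tunnel_type = medium = None
    for attr_type, value in parse_attrs(body):
        if attr_type == FILTER_ID:
            text = value.decode("ascii")
            if text.startswith(FILTER_ID_PREFIX):
                policy = text[len(FILTER_ID_PREFIX):]
        elif attr_type == TUNNEL_TYPE:
            tunnel_type = tunnel_int(value)
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            medium = tunnel_int(value)
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            group = tunnel_str(value)
    # Honour the VLAN only when the tunnel attributes really describe an 802 VLAN.
    if tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_802 and group and group.isdigit():
        vlan = int(group)
    return policy, vlan


SECRET = b"testing123"            # constructed shared secret
REQUEST_AUTH = bytes(range(16))   # constructed Request Authenticator from the Access-Request


def demo():
    attrs = [
        (FILTER_ID, b"Enterasys:version=1:policy=Student"),
        (TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, b"\x00" + TUNNEL_MEDIUM_802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"100"),
    ]
    genuine = build_access_accept(7, REQUEST_AUTH, SECRET, attrs)
    forged = build_access_accept(7, REQUEST_AUTH, b"wrong-secret", attrs)  # attacker lacks the secret
    tampered = bytearray(genuine)
    tampered[-1] ^= 0x01                                                  # VLAN "100" edited in transit
    return (policy_decision(genuine, REQUEST_AUTH, SECRET),
            policy_decision(forged, REQUEST_AUTH, SECRET),
            policy_decision(bytes(tampered), REQUEST_AUTH, SECRET))
```

Calling demo() yields the genuine decision ("Student", 100) followed by None for the forged and the tampered replies. Note that the authenticator binds the Access-Accept to the Request Authenticator of the matching Access-Request, so a captured reply cannot be replayed against a later authentication either.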
Blocking Non-Edge Protocols at the Edge Network Layer
Edge clients should be prevented from acting as servers for a number of IP services. If non-edge IP
services accidentally or maliciously attach to the edge of the network, they are capable of disrupting
network operation. IP services should only be allowed where and when your network design
requires them. Table 16-4 identifies several IP services you should consider blocking at the edge unless
allowing them is part of your network architecture. See “Assigning Traffic Classification Rules” on
page 16-16 for an example of how to configure a subset of these recommended IP services to drop
traffic at the edge.
Table 16-4 Non-Edge Protocols (Protocol: Policy Effect)

DHCP Server Protocol: Every network needs DHCP. Automatically mitigate the accidental or malicious
connection of a DHCP server to the edge of your network to prevent DoS or data integrity issues, by
blocking DHCP on the source port for this device.

DNS Server Protocol: DNS is critical to network operations. Automatically protect your name servers
from malicious attack or unauthorized spoofing and redirection, by blocking DNS on the source port for
this device.

Routing Topology Protocols: RIP, OSPF, and BGP topology protocols should only originate from
authorized router connection points to ensure reliable network operations.

Router Source MAC and Router Source IP Address: Routers and default gateways should not be moving
around your network without approved change processes being authorized. Prevent DoS, spoofing, data
integrity and other router security issues by blocking router source MAC and router source IP addresses
at the edge.

SMTP/POP Server Protocols: Prevent data theft and worm propagation by blocking SMTP at the edge.

SNMP Protocol: Only approved management stations or management data collection points need to be
speaking SNMP. Prevent unauthorized users from using SNMP to view, read, or write management
information.

FTP and TFTP Server Protocols: Ensure file transfers and firmware upgrades are only originating from
authorized file and configuration management servers.
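As an added illustration of the table above (not the switch's own rule syntax, which is covered under “Assigning Traffic Classification Rules”), the following ordered rule list evaluates summaries of packets entering an edge port and shows the distinction the table relies on: a DHCP or DNS *client* is identified by the destination port it sends to, while a rogue *server* on the edge is identified by the source port it answers from, so only the latter is dropped. The router MAC and IP addresses, the approved SNMP management station, and every flow are constructed values; first match wins, and the SNMP allow rule is deliberately placed before the SNMP drop rule to show why ordering matters.

```python
from dataclasses import dataclass

TCP, UDP, OSPF = 6, 17, 89   # IP protocol numbers


@dataclass(frozen=True)
class Flow:
    """Summary of one packet arriving on an edge port (constructed inputs only)."""
    src_mac: str
    src_ip: str
    ip_proto: int
    src_port: int = 0
    dst_port: int = 0


# Assumed network design facts; in practice these come from your own inventory.
ROUTER_MACS = {"00:11:22:33:44:55"}
ROUTER_IPS = {"10.1.1.1"}
MGMT_STATIONS = {"10.9.9.10"}


def from_port(proto, port):
    # A server replies from its well-known port: this is what betrays a rogue server.
    return lambda f: f.ip_proto == proto and f.src_port == port


def to_port(proto, port):
    # A client sends to the well-known port: normal edge behaviour.
    return lambda f: f.ip_proto == proto and f.dst_port == port


def either_port(proto, port):
    return lambda f: f.ip_proto == proto and port in (f.src_port, f.dst_port)


# (name, match predicate, action); evaluated top to bottom, first match wins.
EDGE_RULES = [
    ("dhcp-server", from_port(UDP, 67), "drop"),
    ("dns-server", lambda f: f.ip_proto in (UDP, TCP) and f.src_port == 53, "drop"),
    ("rip", either_port(UDP, 520), "drop"),
    ("ospf", lambda f: f.ip_proto == OSPF, "drop"),
    ("bgp", either_port(TCP, 179), "drop"),
    ("router-mac", lambda f: f.src_mac in ROUTER_MACS, "drop"),
    ("router-ip", lambda f: f.src_ip in ROUTER_IPS, "drop"),
    ("smtp", either_port(TCP, 25), "drop"),           # clients sending mail directly, and rogue servers
    ("pop-server", from_port(TCP, 110), "drop"),
    ("snmp-mgmt-ok", lambda f: to_port(UDP, 161)(f) and f.src_ip in MGMT_STATIONS, "forward"),
    ("snmp", to_port(UDP, 161), "drop"),              # must come after the management-station allow
    ("ftp-server", from_port(TCP, 21), "drop"),
    ("tftp-server", from_port(UDP, 69), "drop"),      # catches requests a rogue TFTP host answers from 69;
                                                      # TFTP data replies use an ephemeral port, so pair
                                                      # this with blocking port 69 toward edge hosts
]


def evaluate(flow, rules=EDGE_RULES):
    """Return (action, rule_name); unmatched traffic is forwarded by default."""
    for name, match, action in rules:
        if match(flow):
            return action, name
    return "forward", "default"


def demo():
    """Constructed edge flows and the decision each receives."""
    client = "aa:bb:cc:dd:ee:01"
    cases = {
        "dhcp discover": Flow(client, "0.0.0.0", UDP, 68, 67),
        "rogue dhcp offer": Flow(client, "192.168.1.1", UDP, 67, 68),
        "dns query": Flow(client, "10.2.0.5", UDP, 51000, 53),
        "rogue dns reply": Flow(client, "10.2.0.5", UDP, 53, 51000),
        "ospf hello": Flow(client, "10.2.0.5", OSPF),
        "spoofed gateway": Flow(client, "10.1.1.1", TCP, 443, 51001),
        "snmp from mgmt": Flow("aa:bb:cc:dd:ee:02", "10.9.9.10", UDP, 40000, 161),
        "snmp from user": Flow(client, "10.2.0.5", UDP, 40000, 161),
        "https": Flow(client, "10.2.0.5", TCP, 51002, 443),
    }
    return {label: evaluate(flow) for label, flow in cases.items()}


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:18} -> {decision}")
```

The rules here match on ingress only, as an edge-port policy does; a rogue server is therefore recognised by what it transmits (replies from port 67 or 53, routing hellos, the gateway's own MAC or IP) rather than by what other hosts send to it.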