Policy Configuration Example
Fixed Switch Configuration Guide 16-13
Roles
The example defines the following roles:
• guest – Used as the default policy for all unauthenticated ports. Connects a PC to the network, providing internet-only access. Provides guest access to a limited number of the edge switch ports to be used specifically for internet-only access. Policy is applied using the port level default configuration.
• student – Connects a dorm room PC to the network through a “Student” Fixed Switch port. A configured CoS rate limits the PC. Configured rules deny access to the administrative and faculty servers. The PC authenticates using RADIUS. The student policy role is applied dynamically using the Filter-ID attribute. If all rules are missed, the settings configured in the student policy profile are applied.
• phoneFS – Connects a dorm room or faculty office VoIP phone to the network using a stackable fixed switch port. A configured CoS rate limits the phone and applies a high priority. The phone authenticates using RADIUS. Policy is applied dynamically using the Filter-ID returned in the RADIUS response message. If all rules are missed, the settings configured in the phoneFS policy profile are applied.
• faculty – Connects a faculty office PC to the network through a “Faculty” Fixed Switch port. A configured CoS rate limits the PC. A configured rule denies access to the administrative servers. The PC authenticates using RADIUS. The faculty policy role is applied dynamically using the Filter-ID attribute. If all rules are missed, the settings configured in the faculty policy profile are applied.
• phoneES – Connects a services VoIP phone to the network using a Services Edge Switch port. A configured CoS rate limits the phone for both setup and payload, and applies a high priority. The phone authenticates using RADIUS. Tunnel authentication is enabled. The base VLAN is applied using the tunnel attributes returned in the RADIUS response message. Policy is applied using a maptable configuration. If all rules are missed, the settings configured in the phoneES policy profile are applied.
• services – Connects a services PC to the network through the Services Edge Switch port. A configured CoS rate limits the PC. Services users are denied access to both the student and faculty servers. The PC authenticates using RADIUS. The base VLAN is applied using the tunnel attributes returned in the RADIUS response message for the authenticating user. The services policy role is applied using a policy maptable setting. Policy accounting, syslog, invalid action and TCI overwrite are enabled for this role. If all rules are missed, the settings configured in the services policy profile are applied.
• distribution – The distribution policy role is applied at the Distribution Switch and provides rate limiting.
Policy Domains
It is useful to break a policy implementation into logical domains for ease of understanding and configuration. This example uses four domains: basic edge, standard edge on the Fixed Switch, premium edge on the Services Edge Switch, and premium distribution on the Distribution Switch.
Basic Edge
Protocols not appropriate to the edge should be blocked. For this example we will block DHCP, DNS, SNMP, SSH, Telnet and FTP at the edge on the data VLAN. We will still forward traffic addressed to the DHCP and DNS destination ports, and traffic from the source port used for IP address requests, so that auto-configuration and IP address assignment keep working. See “Blocking Non-Edge Protocols at the Edge Network Layer” on page 16-8 for a listing of protocols you should consider blocking at the edge.
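The following is an added model, not switch code from this guide, of how an edge policy role evaluates traffic: ordered classifier rules where the first match decides, and the profile-level default applied only when every rule is missed. The port numbers, rule direction and the `data_vlan` value are assumptions made for the model, and the `basic_edge_profile` name is hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# Well-known ports for the protocols the page names (constructed lookup).
PORTS = {"dhcp_server": 67, "dhcp_client": 68, "dns": 53,
         "snmp": 161, "ssh": 22, "telnet": 23, "ftp": 21}

@dataclass
class Rule:
    """One classifier rule; a None field means 'match any value'."""
    action: str                     # "forward" or "drop"
    proto: Optional[str] = None     # "udp" or "tcp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    vlan: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return all(getattr(self, f) is None or pkt.get(f) == getattr(self, f)
                   for f in ("proto", "sport", "dport", "vlan"))

@dataclass
class Profile:
    """A policy role: ordered rules plus the profile-level default."""
    name: str
    rules: list = field(default_factory=list)
    default_action: str = "forward"  # used only when every rule is missed

    def decide(self, pkt: dict) -> str:
        for rule in self.rules:      # first matching rule wins
            if rule.matches(pkt):
                return rule.action
        return self.default_action

def basic_edge_profile(name: str, data_vlan: int, default: str = "forward") -> Profile:
    """Basic edge rules as the page describes them: forward requests sent to the
    DHCP and DNS ports and traffic from the DHCP client source port, then drop
    the remaining DHCP, DNS, SNMP, SSH, Telnet and FTP traffic on the data VLAN.
    Dropping on both source and destination port is this model's assumption."""
    p = PORTS
    allow = [Rule("forward", "udp", dport=p["dhcp_server"], vlan=data_vlan),
             Rule("forward", "udp", sport=p["dhcp_client"], vlan=data_vlan),
             Rule("forward", "udp", dport=p["dns"], vlan=data_vlan)]
    drop = []
    for proto in ("udp", "tcp"):
        for svc in ("dhcp_server", "dns", "snmp", "ssh", "telnet", "ftp"):
            drop.append(Rule("drop", proto, sport=p[svc], vlan=data_vlan))
            drop.append(Rule("drop", proto, dport=p[svc], vlan=data_vlan))
    return Profile(name, allow + drop, default_action=default)
```

A rogue DHCP offer sourced from an edge PC (UDP source port 67) hits a drop rule, while the PC's own DHCP request (source 68, destination 67) matches the allow rule placed ahead of it.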