Policy Configuration Example
16-16 Configuring Policy
•A CoS of 8
Create a policy role that applies a CoS 8 to data VLAN 10 and configures it to rate-limit traffic to
200,000 kbps with a moderate priority of 5.
StudentFS(rw)->set policy profile 2 name student pvid-status enable pvid 10
cos-status enable cos 8
Assigning Traffic Classification Rules
Forward traffic on UDP source port for IP address request (68), and UDP destination ports for
protocols DHCP (67) and DNS (53). Drop traffic on UDP source ports for protocols DHCP (67) and
DNS (53). Drop traffic for protocols SNMP (161), SSH (22), Telnet (23) and FTP (20 and 21).
StudentFS(rw)->set policy rule 2 udpsourceport 68 mask 16 forward
StudentFS(rw)->set policy rule 2 udpdestport 67 mask 16 forward
StudentFS(rw)->set policy rule 2 udpdestport 53 mask 16 forward
StudentFS(rw)->set policy rule 2 udpsourceport 67 mask 16 drop
StudentFS(rw)->set policy rule 2 udpsourceport 53 mask 16 drop
StudentFS(rw)->set policy rule 2 udpdestport 16 mask 16 drop
StudentFS(rw)->set policy rule 2 tcpdestport 22 mask 16 drop
StudentFS(rw)->set policy rule 2 tcpdestport 23 mask 16 drop
StudentFS(rw)->set policy rule 2 tcpdestport 20 mask 16 drop
StudentFS(rw)->set policy rule 2 tcpdestport 21 mask 16 drop
Students should only be allowed access to the services server (subnet 10.10.50.0/24) and should be
denied access to both the administrative server (subnet 10.10.60.0/24) and the faculty server
(subnet 10.10.70.0/24).
StudentFS(rw)->set policy rule 2 ipdestsocket 10.10.60.0 mask 24 drop
StudentFS(rw)->set policy rule 2 ipdestsocket 10.10.70.0 mask 24 drop
Configuring Dynamic Policy Assignment
Configure the RADIUS server user accounts with the appropriate information using the Filter-ID
attribute for student role members and devices. When a student authenticates through the
RADIUS server, the name of the student policy is returned in the RADIUS Access-Accept
response message and that policy is applied by the switch to the student user.
Configuring PhoneFS Policy for the Edge Fixed Switch
Configuring the Policy Role
The phoneFS role is configured on both the dorm room and faculty office Fixed Switches with:
• A profile-index of 3
• A name of phoneFS
• A port VLAN of 11
•A CoS of 10
Because we can not apply separate rate limits to the phone setup and payload ports on the Fixed
Switch using policy rules, apply CoS 10 with the higher payload appropriate rate limit of 100k bps
and a high priority of 6 to the phoneFS role.
Fixed Switch(rw)->set policy profile 3 name phoneFS pvid-status enable pvid 11
cos-status enable cos 10
Assigning Traffic Classification Rules
Drop traffic for protocols SNMP (161), SSH (22), Telnet (23) and FTP (20 and 21) on the phone
VLAN. Forward traffic on UDP source port for IP address request (68) and forward traffic on UDP
To Next Page
Loading...
Need help?
General