Use this command to assign incoming untagged frames to a specific policy profile and to VLAN or Class-of-Service classification rules.
admin-profile | profile-index | Specifies that this is an administrative rule or associates this classification rule with a policy profile index configured with the set policy profile command. Valid profile-index values are 1 - 1023. Admin profiles can be assigned to a specific ingress port by specifying port-string and admin-pid values as described below. |
application | Classifies based upon queries or responses/announcements from the applications Link Local Multicast Name Resolution (LLMNR), Simple Service Discovery Protocol (SSDP), or Multicast Domain Name System - Self Discovery (mDNS-SD). The data field can be entered using keywords:
|
ether | Classifies based on type field in Ethernet II packet. |
icmptype | Classifies based on ICMP type. |
ip6dest | Classifies based on the IPv6 destination address with optional post-fixed port. Valid values are aaaa::bbbb[-ab (0..65535)]; mask 1-144. |
ip6source | Classifies based on the IPv6 source address with optional post-fixed port. Valid values are aaaa::bbbb[-ab (0..65535)]; mask 1-144. |
ipdest | Classifies based on destination IP address. |
ipdestsocket | Classifies based on destination IP address with optional post-fixed port. |
ipfrag | Classifies based on IP fragmentation value. |
ipproto | Classifies based on protocol field in IP packet. |
ipsource | Classifies based on source IP address. |
ipsourcesocket | Classifies based on source IP address with optional post-fixed port. |
iptos | Classifies based on Type of Service field in IP packet. |
ipxclass | Classifies based on transmission control in IPX. |
ipxdest | Classifies based on destination IPX address. |
ipxsource | Classifies based on source IPX address. |
ipxdestsocket | Classifies based on destination IPX socket. |
ipxsourcesocket | Classifies based on source IPX socket. |
ipxtype | Classifies based on IPX packet type. |
llcDsapSsap | Classifies based on DSAP/SSAP pair in 802.3 type packet. |
macdest | Classifies based on MAC destination address. |
macsource | Classifies based on MAC source address. |
tci | Classifies based on Tag Control Information. |
port | Classifies based on data ingressing on the specified port-string. |
tcpdestportip | Classifies based on TCP destination port with optional post-fix IP address. |
tcpsourceportip | Classifies based on TCP source port with optional post-fix IP address. |
udpdestportip | Classifies based on UDP destination port with optional post-fix IP address. |
udpsourceportip | Classifies based on UDP source port with optional post-fix IP address. |
vlantag | Classifies based on VLAN tag. |
data | (Not required for ipfrag classification.) Specifies the code for a predefined classifier. This value is dependent on the classification type entered. Refer to Valid Values for Policy Classification Rules for valid values for each classification type. |
mask mask | (Optional) Specifies the number of significant bits to match, dependent on the data value entered. Refer to Valid Values for Policy Classification Rules for valid values for each classification type and data value. |
port-string port-string | (Optional) Displays rule based on the port number on which this rule is applied. If the port parameter is specified, the specified port strings must be the same. |
storage-type non-volatile | volatile | (Optional) Adds or removes this entry from non-volatile storage. |
vlan vlan | (Optional) Classifies to a VLAN ID. |
drop | forward | (Optional) Specifies that packets within this classification will be dropped or forwarded. |
admin-pid admin-pid | (Optional) If admin-profile is specified, associates this rule with a policy profile index ID. Valid values are 1 - 1023. |
cos cos | (Optional) Specifies that this rule will classify to a Class-of-Service ID. Valid values are 0 - 255, and can be configured using the set cos settings command as described in set cos settings. A value of -1 indicates that no CoS forwarding behavior modification is desired. |
syslog enable | disable | prohibit | (Optional) Enables or disables sending of Syslog messages on first rule use. Prohibit - Prohibits lower precedence rules from sending syslog messages. |
trap enable | disable | prohibit | (Optional) Enables or disables sending SNMP trap messages on first rule use. Prohibit - Prohibits lower precedence rules from sending trap messages. |
disable-port enable | disable | prohibit | (Optional) Enables or disables the ability to disable the ingress port on first rule use. Prohibit - Prohibits lower precedence rules from disabling the ingress port. |
tci-overwrite enable | disable | prohibit | (Optional) Enables or disables tci-overwrite, or prohibits lower precedence rules from overwriting the TCI. |
quarantine-profile quarantine-profile | (Optional) Set the quarantine profile index for this rule. Valid values are 1 - 1024. |
clear-quarantine-profile | (Optional) Clear the quarantine profile on this rule. |
prohibit-quarantine-profile | (Optional) Prohibit quarantine on this rule. |
mirror-destination mirror-destination-index | (Optional) Applies the specified mirror-destination to this rule. |
clear-mirror | (Optional) Clears mirroring for this rule. |
prohibit-mirror | (Optional) Prohibits mirroring for this rule. |
All command modes.
Classification rules are automatically enabled when created.
This example shows how to use Valid Values for Policy Classification Rules to create (and enable) a classification rule to associate with policy number 1. This rule will filter Ethernet II Type 1526 frames to VLAN 7:
System(rw)->set policy rule 1 ether 1526 vlan 7
This example shows how to use Valid Values for Policy Classification Rules to create (and enable) a classification rule to associate with policy profile number 5. This rule specifies that UDP frames from source port 45 will be filtered to VLAN 7:
System(rw)->set policy rule 5 udpsourceportip 45 vlan 7
This example shows how to configure classification rule 2 as an administrative profile and assign it to ingress port ge.1.1:
System(rw)->set policy rule admin-profile port ge.1.1 port-string ge.1.1 admin-pid 2
This example shows how to classify all Ethernet II Type 1526 frames to administrative policy profile 2:
System(rw)->set policy rule admin-profile ether 1526 admin-pid 2
Valid Values for Policy Classification Rules provides the set policy rule data values that can be entered for a particular classification type, and the mask bits that can be entered for each classifier associated with that parameter.
Classification Rule Parameter | data value | mask bits |
---|---|---|
application | {llmnr | ssdp | mdns-sd} {query | response} | Not applicable. |
ether | Type field in Ethernet II packet: 1536 - 65535 | 1 - 16 |
icmptype | ICMP Type: a.b | 1 - 16 |
Destination or Source IP Address: ipdestsocket ipsourcesocket | IP Address in dotted decimal format: 000.000.000.000 and (Optional) post-fixed port: 0 - 65535 | 1 - 48 |
ipfrag | Not applicable. | Not applicable. |
ipproto | Protocol field in IP packet: 0 - 255 | 1 - 8 |
iptos | Type of Service field in IP packet: 0 - 255 | 1 - 8 |
ipttl | Time-to-live (TTL) in IP packet: 0 - 255 | 1 - 8 |
ipxclass | Transmission control (Class of Service) field in IPX: 0 - 255 | 1 - 8 |
Destination or Source IPX Network: ipxdest ipxsource | IPX Address: 0 - 0xffffffff | 1 - 32 |
Destination or Source IPX Socket: ipxdestsocket ipxsourcesocket | IPX Socket Number: 0 - 65535 | 1 - 16 |
ipxtype | IPX packet type field: 0 - 255 | 1 - 8 |
llcDsapSsap | DSAP/SSAP/CTRL field in llc: a-b-c-ab | 1 - 40 |
Destination or Source MAC: macdest macsource | MAC Address: 00-00-00-00-00-00 | 1 - 48 |
port | Port string: e.g. ge.1.1 | 1 - 16 |
tci | Tag Control Information: 0 - 65535 or 0xFFFF | 1 - 16 |
Destination or Source TCP port: tcpdestportip tcpsourceportip | TCP Port Number with optional post-fix IP address: ab[:c.d.e.f] 0-65535:1.1.1.1; or 0-0xFFFF:1.1.1.1 | 1 - 48 |
Destination or Source UDP port: udpsourceportip udpdestportip | UDP Port Number with optional post-fix IP address: ab[:c.d.e.f] 0-65535:1.1.1.1; or 0-0xFFFF:1.1.1.1 | 1 - 48 |
vlantag | VLAN tag: 1 - 4094 | 1 - 12 |
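A pre-deployment check for set policy rule lines against the keyword list and value table above, as an added example that is not vendor code. The names `lint_rule`, `to_int`, `KEYWORDS`, `NUMERIC` and `PORT_IP` are hypothetical, only a subset of the table rows is range-checked, and parsing data as decimal or 0x-prefixed hex is an assumption.

```python
KEYWORDS = set("""application ether icmptype ip6dest ip6source ipdest ipdestsocket
ipfrag ipproto ipsource ipsourcesocket iptos ipttl ipxclass ipxdest ipxsource
ipxdestsocket ipxsourcesocket ipxtype llcDsapSsap macdest macsource tci port
tcpdestportip tcpsourceportip udpdestportip udpsourceportip vlantag""".split())  # keywords on this page
# keyword -> (data min, data max, max mask bits), rows copied from the Valid Values table.
NUMERIC = {"ipproto": (0, 255, 8), "iptos": (0, 255, 8), "ipttl": (0, 255, 8),
           "tci": (0, 65535, 16), "vlantag": (1, 4094, 12)}
PORT_IP = {"tcpdestportip", "tcpsourceportip", "udpdestportip", "udpsourceportip"}

def to_int(text):
    """Parse decimal or 0x-prefixed hex (assumed input forms); None if neither."""
    try:
        return int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    except ValueError:
        return None

def lint_rule(line):
    """Return the problems found in one 'set policy rule' line ([] means clean)."""
    tok = line.split("->", 1)[-1].split()  # drop a 'System(rw)->' prompt if present
    if tok[:3] != ["set", "policy", "rule"] or len(tok) < 5:
        return ["not a 'set policy rule' command"]
    profile, ctype, rest = tok[3], tok[4], tok[5:]
    problems = []
    if profile != "admin-profile" and not 1 <= (to_int(profile) or 0) <= 1023:
        problems.append(f"profile-index {profile} outside 1-1023")
    if ctype not in KEYWORDS:
        return problems + [f"unknown classification type {ctype}"]
    data, max_mask = (rest[0] if rest else ""), None
    mask = to_int(rest[rest.index("mask") + 1]) if "mask" in rest[:-1] else None
    if ctype in NUMERIC:
        lo, hi, max_mask = NUMERIC[ctype]
        value = to_int(data)
        if value is None or not lo <= value <= hi:
            problems.append(f"{ctype} data {data} outside {lo}-{hi}")
    elif ctype in PORT_IP:
        max_mask = 48
        port, _, ip = data.partition(":")  # port with optional post-fix IP address
        octets = ip.split(".")
        if to_int(port) is None or not 0 <= to_int(port) <= 65535:
            problems.append(f"{ctype} port {port} outside 0-65535")
        if ip and not (len(octets) == 4 and all(o.isdigit() and int(o) <= 255 for o in octets)):
            problems.append(f"{ctype} post-fix IP {ip} is not dotted decimal")
    if mask is not None and max_mask and not 1 <= mask <= max_mask:
        problems.append(f"mask {mask} outside 1-{max_mask}")
    return problems

if __name__ == "__main__":  # constructed sample lines, not taken from a real switch
    for cmd in ("set policy rule 5 udpsourceportip 45 vlan 7", "set policy rule 3 ipproto 17 mask 16 drop"):
        print(cmd, "->", lint_rule(cmd) or "ok")
```

A transposed keyword or an over-wide mask is reported before the line reaches a switch, which matters most for drop rules that would otherwise never be installed as intended.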