Configuring Policy for the Services Edge Switch

Configuring the Policy Role

The services role is configured with:

  • A profile-index value of 6
  • A name of services
  • A default port VLAN (PVID) of 0
  • A default CoS of 4, applied when no rule sets a CoS
  • TCI overwrite enabled

ServicesES(rw)->set policy profile 6 name services pvid-status enable pvid 0 cos-status enable cos 4 tci-overwrite enable

Assigning the VLAN-to-Policy Association

The VLAN-to-policy association is handled by the policy maptable, so the policy role bound to a VLAN can later be changed on the fly from Policy Manager without touching the RADIUS configuration. First specify that the maptable lookup uses the tunnel attributes (the VLAN) returned in the RADIUS Access-Accept for the authenticating user, then associate VLAN 10 with policy role 6 using the set policy maptable command.

ServicesES(rw)->set policy maptable response tunnel
ServicesES(rw)->set policy maptable 10 6

Assigning Traffic Classification Rules

Forward DHCP client traffic (UDP source port 68, the address request) and traffic to the DHCP (UDP 67) and DNS (UDP 53) server ports, assigning it to data VLAN 10, so that PCs can auto-configure and obtain an IP address. Drop SNMP (UDP 161), SSH (TCP 22), Telnet (TCP 23) and FTP (TCP 20 and 21). These drop rules carry no vlan parameter and therefore apply to all traffic classified under the services role, including the phone VLAN. Each rule is keyed by profile, classifier and data value, so re-issuing set policy rule with the same classifier and data modifies the existing rule (for example, turning a forward into a drop) rather than adding a second one.

ServicesES(rw)->set policy rule 6 udpsourceportIP 68 mask 16 vlan 10 forward
ServicesES(rw)->set policy rule 6 udpdestportIP 67 mask 16 vlan 10 forward
ServicesES(rw)->set policy rule 6 udpdestportIP 53 mask 16 vlan 10 forward
ServicesES(rw)->set policy rule 6 udpdestportIP 161 mask 16 drop
ServicesES(rw)->set policy rule 6 tcpdestportIP 22 mask 16 drop
ServicesES(rw)->set policy rule 6 tcpdestportIP 23 mask 16 drop
ServicesES(rw)->set policy rule 6 tcpdestportIP 20 mask 16 drop
ServicesES(rw)->set policy rule 6 tcpdestportIP 21 mask 16 drop

Classify traffic sourced from the services subnet 10.10.30.0/28 into data VLAN 10 and apply CoS 8 to it; CoS 8 is configured separately to rate-limit to 1 Mbps at a moderate priority of 5. Syslog and trap are also enabled on this rule, so each hit is logged and reported.

ServicesES(rw)->set policy rule 6 ipsourcesocket 10.10.30.0 mask 28 syslog enable trap enable vlan 10 cos 8

Services should only be allowed access to the services server (subnet 10.10.50.0/24) and should be denied access to the faculty servers (subnet 10.10.70.0/24) and administrative servers (subnet 10.10.60.0/24). Note that only the two deny rules are configured below: there is no explicit rule for 10.10.50.0/24 and no catch-all drop, so traffic to any destination that is not listed falls through to the role's default behaviour. This is a denylist, not an allowlist, and a new server subnet is reachable until a rule is added for it.

ServicesES(rw)->set policy rule 6 ipdestsocket 10.10.60.0 mask 24 drop
ServicesES(rw)->set policy rule 6 ipdestsocket 10.10.70.0 mask 24 drop
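The rule set above is easy to get subtly wrong: a second set policy rule line with the same classifier and data silently modifies the earlier rule, a vlan parameter on a drop rule is meaningless, and a list of ipdestsocket drops with no forward rule is a denylist rather than the allowlist the prose describes. The following linter is an added example (not part of the original document or of any vendor tooling) that parses set policy rule lines and reports those three problems before the configuration is pushed. It assumes the rule key is (profile, classifier, data, mask) and that later lines with the same key replace earlier ones; the sample rule set is constructed for this example and deliberately contains a duplicated DHCP/DNS classifier pair with opposite actions.

```python
"""Lint Enterasys-style 'set policy rule' lines before pushing them.

Added example, not vendor code. Assumptions (stated in the lead-in):
- a rule is keyed by (profile, classifier, data, mask); a later line with the
  same key replaces the earlier action instead of adding a second rule;
- 'vlan N' on a rule is the VLAN the matching traffic is assigned to, so it
  has no meaning on a drop rule.
"""
import re
from collections import OrderedDict

# Constructed sample rule set: the two lines re-using udpdestportIP 67/53
# with 'drop' are the deliberate mistake this linter is meant to catch.
SAMPLE_CONFIG = """
ServicesES(rw)->set policy rule 6 udpsourceportIP 68 mask 16 vlan 10 forward
ServicesES(rw)->set policy rule 6 udpdestportIP 67 mask 16 vlan 10 forward
ServicesES(rw)->set policy rule 6 udpdestportIP 53 mask 16 vlan 10 forward
ServicesES(rw)->set policy rule 6 udpdestportIP 67 mask 16 vlan 10 drop
ServicesES(rw)->set policy rule 6 udpdestportIP 53 mask 16 vlan 10 drop
ServicesES(rw)->set policy rule 6 udpdestportIP 161 mask 16 drop
ServicesES(rw)->set policy rule 6 tcpdestportIP 22 mask 16 drop
ServicesES(rw)->set policy rule 6 tcpdestportIP 23 mask 16 drop
ServicesES(rw)->set policy rule 6 tcpdestportIP 20 mask 16 drop
ServicesES(rw)->set policy rule 6 tcpdestportIP 21 mask 16 drop
ServicesES(rw)->set policy rule 6 ipsourcesocket 10.10.30.0 mask 28 syslog enable trap enable vlan 10 cos 8
ServicesES(rw)->set policy rule 6 ipdestsocket 10.10.60.0 mask 24 drop
ServicesES(rw)->set policy rule 6 ipdestsocket 10.10.70.0 mask 24 drop
"""

# Optional CLI prompt ("Host(rw)->"), then profile, classifier, data, optional mask,
# and the remaining options as free tokens.
RULE_RE = re.compile(
    r"^\s*(?:\S+->)?set policy rule\s+(?P<profile>\d+)\s+(?P<classifier>\S+)\s+"
    r"(?P<data>\S+)(?:\s+mask\s+(?P<mask>\d+))?(?P<opts>.*)$"
)


def parse_rule(line):
    """Parse one 'set policy rule' line into a dict, or return None for other lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    rule = {
        "profile": int(m.group("profile")),
        "classifier": m.group("classifier"),
        "data": m.group("data"),
        "mask": int(m.group("mask")) if m.group("mask") else None,
        "action": None,  # None means no explicit drop/forward on the rule
        "vlan": None, "cos": None, "syslog": False, "trap": False,
        "line": line.strip(),
    }
    toks = m.group("opts").split()
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("drop", "forward"):
            rule["action"] = t
        elif t in ("vlan", "cos") and i + 1 < len(toks):
            rule[t] = int(toks[i + 1])
            i += 1
        elif t in ("syslog", "trap") and i + 1 < len(toks) and toks[i + 1] == "enable":
            rule[t] = True
            i += 1
        i += 1
    return rule


def lint(config_text):
    """Return (effective_rules, findings).

    effective_rules maps (profile, classifier, data, mask) to the rule that
    would be in force after all lines are applied in order.
    """
    effective = OrderedDict()
    findings = []
    for line in config_text.splitlines():
        r = parse_rule(line)
        if r is None:
            continue
        key = (r["profile"], r["classifier"], r["data"], r["mask"])
        if key in effective:
            prev = effective[key]
            if prev["action"] != r["action"]:
                findings.append(f"conflict: {key} was {prev['action']}, now "
                                f"{r['action']} (earlier rule overwritten)")
            else:
                findings.append(f"duplicate: {key} re-issued with the same action")
        if r["action"] == "drop" and r["vlan"] is not None:
            findings.append(f"drop rule carries vlan {r['vlan']}: {r['line']}")
        effective[key] = r
    dest = [r for r in effective.values() if r["classifier"] == "ipdestsocket"]
    if dest and all(r["action"] == "drop" for r in dest):
        findings.append("denylist-only: every ipdestsocket rule drops; destinations "
                        "not listed fall through to the role's default behaviour")
    return effective, findings


if __name__ == "__main__":
    rules, problems = lint(SAMPLE_CONFIG)
    print(f"{len(rules)} effective rules")
    for p in problems:
        print("  -", p)
```

Run it against the real configuration by feeding the switch's own output (for example the rule lines from show policy rule, or the change set about to be pushed) to lint() instead of SAMPLE_CONFIG; a non-empty findings list is a reason to stop and look before the rules go live.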

Enable Enhanced Edge Switch Capabilities on the Services Edge Switch Platform

The Services Edge Switch platform supports a number of enhanced capabilities not available on the Fixed Switch platforms. The following enhanced policy capabilities are enabled:

  • Policy accounting, to flag the occurrence of a rule hit
  • Syslog rule usage set to machine-readable, for enterprise-specific backend syslog statistics gathering
  • An invalid action of default-policy, so that the default policy is applied should an invalid policy occur
  • TCI overwrite on the edge ports, allowing policy to overwrite the 802.1Q tag control information (VLAN ID and priority bits) on frames already tagged by the VoIP phone

ServicesES(rw)->set policy accounting enable
ServicesES(rw)->set policy syslog machine-readable
ServicesES(rw)->set policy invalid action default-policy
ServicesES(rw)->set port tcioverwrite ge.1.1-10