Configuring Policy

This section presents configuration procedures and tables including command description and syntax in the following policy areas: profile, classification, and display.

The following table describes how to configure policy roles and related functionality.


Configuring Policy Roles

Step Task Command(s)
1 In any command mode, create a policy role.
  • name – (Optional) Specifies a name for this policy profile; used by the filter-ID attribute. This is a string from 1 to 64 characters.
  • pvid-status – (Optional) Enables or disables PVID override for this policy profile. If all the classification rules associated with this profile are missed, then this parameter, if specified, determines the default VLAN for this profile.
  • pvid – (Optional) Specifies the PVID to assign to packets, if PVID override is enabled and invoked as the default behavior.
  • cos-status – (Optional) Enables or disables Class of Service override for this policy profile. If all the classification rules associated with this profile are missed, then this parameter, if specified, determines the default CoS assignment.
  • cos – (Optional) Specifies a CoS value to assign to packets, if CoS override is enabled and invoked as the default behavior. Valid values are 0 to 255.
  • egress-vlans – (Optional) Specifies the port to which this policy profile is applied should be added to the egress list of the VLANs defined by egress-vlans. Packets will be formatted as tagged.
  • forbidden-vlans – (Optional) Specifies the port to which this policy profile is applied should be added as forbidden to the egress list of the VLANs defined by forbidden-vlans. Packets from this port will not be allowed to participate in the listed VLANs.
set policy profile profile-index [name name] [pvid-status {enable | disable}] [pvid pvid] [cos-status {enable | disable}] [cos cos] [egress-vlans egress-vlans] [forbidden-vlans forbidden-vlans] [untagged-vlans untagged-vlans] [append] [clear] [tci-overwrite {enable | disable}] [precedence precedence-list] [mirror-destination mirror-index] | [clear-mirror] | [prohibit-mirror] [syslog {enable | disable}] [trap {enable | disable}] [disable-port {enable | disable}] [fst class-index] [web-redirect redirect-index] (S-, K-Series)

set policy profile profile-index [name name] [pvid-status {enable | disable}] [pvid pvid] [cos-status {enable | disable}] [cos cos] [egress-vlans egress-vlans] [forbidden-vlans forbidden-vlans] [untagged-vlans untagged-vlans] [append] [clear] [tci-overwrite {enable | disable}] (7100-Series)

 
  • untagged-vlans – (Optional) Specifies the port to which this policy profile is applied should be added to the egress list of the VLANs defined by untagged-vlans. Packets will be formatted as untagged.
  • append – (Optional) Appends the specified egress, forbidden, or untagged VLANs to the existing list. If append is not specified, all previous settings for that VLAN list are replaced.
  • clear – (Optional) Clears any egress, forbidden or untagged VLANs specified from the existing list.
 
 
  • tci-overwrite – (Optional) Enables or disables TCI (Tag Control Information) overwrite for this profile. When enabled, rules configured for this profile are allowed to overwrite user priority and other classification information in the VLAN tag's TCI field. If this parameter is used in a profile, TCI overwrite must also be enabled on the ports the profile is applied to. See step 3 below. TCI overwrite is always enabled on the 7100-Series.
  • precedence – (Optional) Assigns a rule precedence to this profile. Lower values will be given higher precedence (S-, K-Series).
  • mirror-destination – (Optional) Applies the specified mirror destination index to this profile (S-, K-Series).
  • clear-mirror – (Optional) Clears mirroring on this profile (S-, K-Series).
  • prohibit-mirror – (Optional) Prohibits mirroring on this profile (S-, K-Series).
 
 
  • syslog – (Optional) Enables or disables syslog on this profile (S-, K-Series).
  • trap – (Optional) Enables or disables traps on this profile (S-, K-Series).
  • disable-port – (Optional) Enables or disables disabling the ingress port when this profile is used (S-, K-Series).
  • fst – (Optional) Specifies a flow limit class to apply to this profile (S-, K-Series).
  • web-redirect – (Optional) Specifies a web-redirect class index associated with this profile (S-, K-Series).
 
2 (Optional) Assign the action the device applies to traffic whose policy is invalid or unknown.
  • default-policy – Instructs the device to ignore this result and search for the next policy assignment rule.
  • drop – Instructs the device to block the traffic.
  • forward – Instructs the device to forward the traffic.
set policy invalid action {default-policy | drop | forward}
3 (Optional) Enable or disable the TCI overwrite function on one or more ports (S-, K-Series). TCI overwrite is always enabled on the 7100-Series. set port tcioverwrite port-string {enable | disable}
4 (Optional) Enable or disable policy accounting, which flags classification rule hits (S-, K-Series). set policy accounting {enable | disable}
5 (Optional) Set the rule usage and extended format syslog policy settings (S-, K-Series).
  • machine-readable - (Optional) Sets the formatting of rule usage messages to raw data that a user script can format according to the needs of the enterprise, otherwise message is set to human readable.
  • extended-format - (Optional) Sets the control to include additional information in the rule usage syslog messages, otherwise the original rule usage syslog message format is used.
set policy syslog [machine-readable {enable | disable}] [extended-format {enable | disable}]
6 (Optional) Set a policy maptable entry that associates a VLAN with a policy profile. This option is also supported by the B3, C3, and G3 for releases 6.3 and greater. set policy maptable {vlan-list profile-index}
7 Optionally, set a policy maptable response.
  • tunnel - Applies the VLAN tunnel attribute.
  • policy - Applies the policy specified in the filter-ID.
  • both - Applies whichever is present: the policy named by the filter-ID, the VLAN tunnel attribute, or both when both attributes are present.
set policy maptable response {tunnel | policy | both}
8 Optionally, set up to three Captive Portal Redirection listening ports (S-, K-Series). set policy captive-portal listening port-list
9 Optionally, enable a web-redirect class index, specifying the server index and an absolute URL to the server including the TCP port (S-, K-Series). set policy captive-portal web-redirect web-red-index server server-index url http://server-ip-address:tcp-port/path status {enable | disable}
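The following is an added worked example, not from the original guide, that walks through steps 1 to 9 on an S- or K-Series switch. The profile index (10), the role name, VLAN IDs 20 and 99, CoS value 4, the ge.1.1-24 port string, the listening ports, the server index and the redirect URL are all assumed for illustration; lines beginning with # are annotations, not CLI input.

```text
# Added example (not from the original guide). Index 10, VLANs 20 and 99, CoS 4,
# port string ge.1.1-24, listening ports, server index 1 and the URL are assumed.

# Step 1: role "guest". When no classification rule matches, traffic is placed
# untagged in VLAN 20 at CoS 4, and the port is forbidden from egressing on the
# management VLAN 99. First use of the role's rules raises a syslog and a trap.
set policy profile 10 name guest pvid-status enable pvid 20 cos-status enable cos 4 untagged-vlans 20 forbidden-vlans 99 tci-overwrite enable syslog enable trap enable

# Step 2: fail closed. A filter-ID naming a profile the switch does not have
# drops the traffic rather than forwarding it unclassified.
set policy invalid action drop

# Step 3: the profile uses tci-overwrite, so it must also be enabled on the ports.
set port tcioverwrite ge.1.1-24 enable

# Steps 4 and 5: count rule hits and include the extra fields in rule-usage syslog.
set policy accounting enable
set policy syslog extended-format enable

# Steps 6 and 7: map VLAN 20 to profile 10 and apply the filter-ID policy when the
# RADIUS reply carries one.
set policy maptable 20 10
set policy maptable response policy

# Steps 8 and 9: captive-portal redirection for this role.
set policy captive-portal listening 80,8080
set policy captive-portal web-redirect 1 server 1 url http://192.0.2.10:8080/login status enable

# Verify what was configured.
show policy profile 10 -verbose
show policy invalid all
show policy maptable 20
```

Choosing `drop` rather than `forward` for the invalid action is the security-relevant decision in this sequence: with `forward`, a typo in a RADIUS filter-ID, or a profile deleted from the switch but still referenced by the authentication server, silently lets traffic through with no role applied. `show policy invalid count` shows how often that situation has actually been hit.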

The following table describes how to configure classification rules as an administrative profile or to assign policy rules to a policy role.


Configuring Classification Rules

Step Task Command(s)
1 In any command mode, optionally set an administrative profile to assign traffic classifications to a policy role.

See Administrative Policy and Policy Rule Traffic Classifications for traffic classification-type descriptions.

See the set policy rule command discussion in the command reference guide that comes with your device for traffic classification data and mask information.

  • port-string - Applies this administratively-assigned rule to a specific ingress port. S-, K-, and 7100-Series devices with firmware versions 3.00.xx and higher also support the set policy port command as an alternative way to administratively assign a profile rule to a port.
  • storage-type - (Optional) Adds or removes this entry from non-volatile storage.
  • admin-pid - Associates this administrative profile with a policy profile index ID. Valid values are 1 - 1023.
set policy rule admin-profile classification-type [data] [mask mask] [port-string port-string] [storage-type {non-volatile | volatile}] [admin-pid admin-pid] [syslog {enable | disable | prohibit}] [trap {enable | disable | prohibit}] [disable-port {enable | disable | prohibit}] [tci-overwrite {enable | disable | prohibit}] [mirror-destination mirror-index] | [clear-mirror] | [prohibit-mirror] (S-, K-Series)

set policy rule admin-profile {macsource | port} [data] [mask mask] port-string port-string [storage-type {non-volatile | volatile}] [admin-pid admin-pid] (7100-Series)

 
  • syslog - (Optional) Enables or disables sending of syslog messages on first rule use (S-, K-Series).
  • trap - (Optional) Enables or disables sending SNMP trap messages on first rule use (S-, K-Series).
  • disable-port - (Optional) Enables or disables the ability to disable the ingress port on first rule use (S-, K-Series).
  • mirror-destination - (Optional) Applies the specified mirror destination index to traffic matching this rule (S-, K-Series).
 
 
  • clear-mirror - (Optional) Clears mirroring on this rule (S-, K-Series).
  • prohibit-mirror - (Optional) Prohibits mirroring on this rule (S-, K-Series).
 
2 In any command mode, optionally configure policy rules to associate with a policy role.

See Administrative Policy and Policy Rule Traffic Classifications for traffic classification-type descriptions.

See the set policy rule command discussion in the command reference guide that comes with your device for traffic classification data and mask information.

  • port-string - (Optional) Applies this policy rule to a specific ingress port. S-, K-, and 7100-Series devices also support the set policy port command as an alternative way to assign a profile rule to a port.
  • storage-type - (Optional) Adds or removes this entry from non-volatile storage.
  • vlan - (Optional) Classifies this rule to a VLAN ID.
  • drop | forward - (Optional) Specifies that packets within this classification will be dropped or forwarded.
  • cos - (Optional) Specifies that this rule will classify to a Class-of-Service ID. Valid values are 0 - 255. A value of -1 indicates that no CoS forwarding behavior modification is desired.
set policy rule profile-index classification-type [data] [mask mask] [port-string port-string] [storage-type {non-volatile | volatile}] [vlan vlan] | [drop | forward] [admin-pid admin-pid] [cos cos] [syslog {enable | disable}] [trap {enable | disable}] [disable-port {enable | disable}] [mirror-destination mirror-index] | [clear-mirror] | [prohibit-mirror] [quarantine-profile quarantine-profile] [clear-quarantine-profile] [prohibit-quarantine-profile] (S-, K-Series)

set policy rule profile-index classification-type [data] [mask mask] [port-string port-string] [storage-type {non-volatile | volatile}] [vlan vlan] | [drop | forward] [admin-pid admin-pid] [cos cos] [quarantine-profile quarantine-profile] [clear-quarantine-profile] [prohibit-quarantine-profile] (7100-Series)

 
  • syslog - (Optional) Enables or disables sending of syslog messages on first rule use (S-, K-Series).
  • trap - (Optional) Enables or disables sending SNMP trap messages on first rule use (S-, K-Series).
  • disable-port - (Optional) Enables or disables the ability to disable the ingress port on first rule use (S-, K-Series).
  • mirror-destination - (Optional) Applies the specified mirror destination index to traffic matching this rule (S-, K-Series).
  • clear-mirror - (Optional) Clears mirroring on this rule (S-, K-Series).
  • prohibit-mirror - (Optional) Prohibits mirroring on this rule (S-, K-Series).
 
3 (Optional) Change the system resource allocation policy profile from default to router1 (7100-Series). set system resource-alloc-policy {default | router1}
4 (Optional) Assign a policy role to a port. set policy port port-name admin-id
5 (Optional) Assign a list of allowed traffic rules that can be applied to the admin profile for one or more ports (S-, K-Series). set policy allowed-type port-string traffic-rule rule-list
6 (Optional) Enable or disable the ability to clear rule usage information when operational status "up" is detected on any port (S-, K-Series). set policy autoclear {[enable | disable] [interval interval] [profile {enable | disable}] [ports port-list [append | clear]]}
7 (Optional) Set the status of dynamically assigned policy role options (S-, K-Series). set policy dynamic [syslog-default {enable | disable}] [trap-default {enable | disable}]
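The following is an added worked example, not from the original guide, that applies steps 1, 2, 4, 6 and 7 of this table to an S- or K-Series switch. Profile indexes 10 and 99, the role names, VLAN IDs 20 and 666, port ge.1.5, the source MAC addresses and the mask lengths (16 for a port-string, 48 for a full MAC) are assumed for illustration; lines beginning with # are annotations, not CLI input.

```text
# Added example (not from the original guide). Profile indexes 10 and 99,
# VLANs 20 and 666, port ge.1.5, the MAC addresses and mask lengths are assumed.

# Profiles the rules attach to: the normal role and a quarantine role that
# pins traffic to an isolated VLAN when no rule matches.
set policy profile 10 name guest pvid-status enable pvid 20 untagged-vlans 20
set policy profile 99 name quarantine pvid-status enable pvid 666 untagged-vlans 666

# Step 1: administrative rule binding ingress port ge.1.5 to profile 10.
# Classification type "port" with the port itself as data; mask 16 covers the
# whole port-string value. The entry is kept across reboots.
set policy rule admin-profile port ge.1.5 mask 16 port-string ge.1.5 admin-pid 10 storage-type non-volatile

# Step 4: the same binding in the shorter form supported by the same platforms.
set policy port ge.1.5 10

# Step 2: rules evaluated for traffic on profile 10.
# A known-bad source MAC is dropped; the first hit raises a syslog and a trap
# and disables the ingress port.
set policy rule 10 macsource 00:11:22:33:44:55 mask 48 drop syslog enable trap enable disable-port enable storage-type non-volatile
# A second source MAC is not dropped but moved to the quarantine role.
set policy rule 10 macsource 00:11:22:33:44:66 mask 48 quarantine-profile 99 syslog enable storage-type non-volatile

# Steps 6 and 7: clear rule-usage data when a port comes up, and make syslog
# and trap the default for dynamically assigned roles.
set policy autoclear enable
set policy dynamic syslog-default enable trap-default enable

# Verify the rules, their hit status and any port the drop rule has disabled.
show policy rule port -verbose
show policy rule macsource usage-list -verbose
show policy disabled-ports
show policy dropped-notify
```

Two points to check before copying this pattern: `disable-port enable` takes the whole ingress port offline on the first hit, so on a port shared by several hosts, or on an uplink, a single spoofed frame becomes a self-inflicted outage; `show policy disabled-ports` is where that state is visible. And `show policy dropped-notify` is worth watching when syslog and trap are enabled on many rules, because it counts the rule-usage notifications the switch discarded, which is exactly the evidence an investigation would expect to find in the SIEM.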

Displaying Policy Configuration and Statistics describes how to display policy information and statistics.


Displaying Policy Configuration and Statistics

Task Command(s)
In any command mode, display policy role information. show policy profile {all | profile-index [consecutive-pids] [-verbose]}
In any command mode, display the action the device should take if asked to apply an invalid or unknown policy, or the number of times the device has detected an invalid/unknown policy, or both action and count information. show policy invalid {all | action | count}
In any command mode, display VLAN-ID to policy role mappings table. show policy maptable vlan-list
In any command mode, display policy classification and admin rule information. show policy rule classification-type [data] [mask mask] [port-string port-string] [rule-status {active | not-in-service | not-ready}] [storage-type {non-volatile | volatile}] [vlan vlan] | [drop | forward] [dynamic-pid dynamic-pid] [cos cos] [admin-pid admin-pid] [syslog {enable | disable | prohibit}] [trap {enable | disable | prohibit}] [disable-port {enable | disable | prohibit}] [usage-list] [display-if-used port-list] [tci-overwrite {enable | disable | prohibit}] [mirror-destination mirror-index] | [clear-mirror] | [prohibit-mirror] [-verbose] [-wide] (S-, K-Series)

show policy rule classification-type [data] [mask mask] [port-string port-string] [storage-type {non-volatile | volatile}] | [drop | forward] [dynamic-pid dynamic-pid] [cos cos] [admin-pid admin-pid] [-verbose] [-wide] (7100-Series)

In any command mode, display all policy classification capabilities for this device. show policy capability
In any command mode, display a list of currently supported traffic rules applied to the administrative profile for one or more ports. show policy allowed-type port-string [-verbose]
In any command mode, display a count of the number of times the device has dropped syslog or trap rule usage notifications on ports (S-, K-Series). show policy dropped-notify
In any command mode, display disabled ports for all rule entries (S-, K-Series). show policy disabled-ports
In any command mode, display the current state of the autoclear feature (S-, K-Series). show policy autoclear {all | link | interval | profile | ports}
In any command mode, display status of dynamically assigned roles. The syslog-default and trap-default options are available on the S- and K-Series platforms. show policy dynamic {[syslog-default] [trap-default] [override]}