This section presents configuration procedures and tables including command description and syntax in the following policy areas: profile, classification, and display.
The following table describes how to configure policy roles and related functionality.
Configuring Policy Roles
Step | Task | Command(s) |
1 | In any command mode, create a policy role. | set policy profile profile-index [name name] [pvid-status {enable | disable}] [pvid pvid] [cos-status {enable | disable}] [cos cos] [egress-vlans egress-vlans] [forbidden-vlans forbidden-vlans] [untagged-vlans untagged-vlans] [append] [clear] [tci-overwrite {enable | disable}] [precedence precedence-list] [mirror-destination mirror-index] | [clear-mirror] | [prohibit-mirror] [syslog {enable | disable}] [trap {enable | disable}] [disable-port {enable | disable}] [fst class-index] [web-redirect redirect-index] (S-, K-Series) |
 | | set policy profile profile-index [name name] [pvid-status {enable | disable}] [pvid pvid] [cos-status {enable | disable}] [cos cos] [egress-vlans egress-vlans] [forbidden-vlans forbidden-vlans] [untagged-vlans untagged-vlans] [append] [clear] [tci-overwrite {enable | disable}] (7100-Series) |
2 | | set policy invalid action {default-policy | drop | forward} |
3 | (Optional) Enable or disable the TCI overwrite function on one or more ports (S-, K-Series). TCI overwrite is always enabled on the 7100-Series. | set port tcioverwrite port-string {enable | disable} |
4 | (Optional) Enable or disable policy accounting, which flags classification rule hits (S-, K-Series). | set policy accounting {enable | disable} |
5 | (Optional) Set the rule usage and extended format syslog policy settings (S-, K-Series). | set policy syslog [machine-readable {enable | disable}] [extended-format {enable | disable}] |
6 | (Optional) Set a policy maptable entry that associates a VLAN with a policy profile. This option is also supported by the B3, C3, and G3 for releases 6.3 and greater. | set policy maptable {vlan-list profile-index} |
7 | Optionally, set a policy maptable response. | set policy maptable response {tunnel | policy | both} |
8 | Optionally, set up to three Captive Portal Redirection listening ports (S-, K-Series). | set policy captive-portal listening port-list |
9 | Optionally, enable a web-redirect class index specifying the server index and an absolute URL to the server including the TCP port (S-, K-Series). | set policy captive-portal web-redirect web-red-index server server-index url http://server-ip-address:tcp-port/path status {enable | disable} |
The following table describes how to configure classification rules as an administrative profile or to assign policy rules to a policy role.
Configuring Classification Rules
Step | Task | Command(s) |
1 | In any command mode, optionally set an administrative profile to assign traffic classifications to a policy role. See Administrative Policy and Policy Rule Traffic Classifications for traffic classification-type descriptions. See the set policy rule command discussion in the command reference guide that comes with your device for traffic classification data and mask information. | set policy rule admin-profile classification-type [data] [mask mask] [port-string port-string] [storage-type {non-volatile | volatile}] [admin-pid admin-pid] [syslog {enable | disable | prohibit}] [trap {enable | disable | prohibit}] [disable-port {enable | disable | prohibit}] [tci-overwrite {enable | disable | prohibit}] [mirror-destination mirror-index] | [clear-mirror] | [prohibit-mirror] (S-, K-Series) |
 | | set policy rule admin-profile {macsource | port} [data] [mask mask] port-string port-string [storage-type {non-volatile | volatile}] [admin-pid admin-pid] (7100-Series) |
2 | In any command mode, optionally configure policy rules to associate with a policy role. See Administrative Policy and Policy Rule Traffic Classifications for traffic classification-type descriptions. See the set policy rule command discussion in the command reference guide that comes with your device for traffic classification data and mask information. | set policy rule profile-index classification-type [data] [mask mask] [port-string port-string] [storage-type {non-volatile | volatile}] [vlan vlan] | [drop | forward] [admin-pid admin-pid] [cos cos] [syslog {enable | disable}] [trap {enable | disable}] [disable-port {enable | disable}] [mirror-destination mirror-index] | [clear-mirror] | [prohibit-mirror] [quarantine-profile quarantine-profile] [clear-quarantine-profile] [prohibit-quarantine-profile] (S-, K-Series) |
 | | set policy rule profile-index classification-type [data] [mask mask] [port-string port-string] [storage-type {non-volatile | volatile}] [vlan vlan] | [drop | forward] [admin-pid admin-pid] [cos cos] [quarantine-profile quarantine-profile] [clear-quarantine-profile] [prohibit-quarantine-profile] (7100-Series) |
3 | (Optional) Change the system resource allocation policy profile from default to router1 (7100-Series). | set system resource-alloc-policy {default | router1} |
4 | (Optional) Assign a policy role to a port. | set policy port port-name admin-id |
5 | (Optional) Assign a list of allowed traffic rules that can be applied to the admin profile for one or more ports (S-, K-Series). | set policy allowed-type port-string traffic-rule rule-list |
6 | (Optional) Enable or disable the ability to clear rule usage information if operational status “up” is detected on any port (S-, K-Series). | set policy autoclear {[enable | disable] [interval interval] [profile {enable | disable}] [ports port-list [append | clear]]} |
7 | (Optional) Set the status of dynamically assigned policy role options (S-, K-Series). | set policy dynamic [syslog-default {enable | disable}] [trap-default {enable | disable}] |
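The two procedures above create roles by profile-index and then reference that index from rules, maptable entries and port assignments. The following is an added example (not vendor code) of a pre-deployment check that flags references to roles that were never created and reports the configured invalid-policy action. It assumes admin-id in set policy port is a profile index; the sample configuration, port names, VLAN IDs and MAC values are constructed.

```python
# Constructed sample configuration using only command forms from the tables above.
SAMPLE_CONFIG = """\
set policy profile 1 name guest pvid-status enable pvid 10
set policy profile 2 name staff pvid-status enable pvid 20
set policy invalid action forward
set policy rule 1 macsource 00-00-5E-00-53-01 mask 48 drop
set policy rule 3 macsource 00-00-5E-00-53-02 mask 48 forward
set policy maptable 20 2
set policy maptable 30 4
set policy port ge.1.1 1
set policy port ge.1.2 5
"""


def audit_policy_config(text):
    """Return (dangling, invalid_action).

    dangling: list of (line_no, command, profile_index) for every rule,
    maptable entry or port assignment whose profile index has no matching
    'set policy profile'. invalid_action: value of 'set policy invalid
    action', or None when the configuration does not set it explicitly.
    """
    defined, refs, invalid_action = set(), [], None
    for no, line in enumerate(text.splitlines(), 1):
        tok = line.split()
        if tok[:2] != ["set", "policy"] or len(tok) < 4:
            continue
        verb, args = tok[2], tok[3:]
        if verb == "profile" and args[0].isdigit():
            defined.add(int(args[0]))
        elif verb == "rule" and args[0].isdigit():
            # 'set policy rule admin-profile ...' has no index and is skipped.
            refs.append((no, "rule", int(args[0])))
        elif verb in ("maptable", "port") and len(args) == 2 and args[1].isdigit():
            # 'set policy maptable response ...' is non-numeric and is skipped.
            refs.append((no, verb, int(args[1])))
        elif verb == "invalid" and len(args) == 2 and args[0] == "action":
            invalid_action = args[1]
    # References may precede definitions in a file, so resolve them at the end.
    dangling = [r for r in refs if r[2] not in defined]
    return dangling, invalid_action


if __name__ == "__main__":
    dangling, action = audit_policy_config(SAMPLE_CONFIG)
    for no, verb, idx in dangling:
        print(f"line {no}: 'set policy {verb}' references undefined profile {idx}")
    print(f"invalid/unknown policy action: {action or 'not set explicitly'}")
```

Compare the reported action and any dangling indexes against the output of show policy invalid all and show policy profile all on the device.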
The following table describes how to display policy information and statistics.
Displaying Policy Configuration and Statistics
Task | Command(s) |
In any command mode, display policy role information. | show policy profile {all | profile-index [consecutive-pids] [-verbose]} |
In any command mode, display the action the device should take if asked to apply an invalid or unknown policy, or the number of times the device has detected an invalid/unknown policy, or both action and count information. | show policy invalid {all | action | count} |
In any command mode, display VLAN-ID to policy role mappings table. | show policy maptable vlan-list |
In any command mode, display policy classification and admin rule information. | show policy rule classification-type [data] [mask mask] [port-string port-string] [rule-status {active | not-in-service | not-ready}] [storage-type {non-volatile | volatile}] [vlan vlan] | [drop | forward] [dynamic-pid dynamic-pid] [cos cos] [admin-pid admin-pid] [syslog {enable | disable | prohibit}] [-verbose] [trap {enable | disable | prohibit}] [disable-port {enable | disable | prohibit}] [usage-list] [display-if-used port-list] [tci-overwrite {enable | disable | prohibit}] [mirror-destination mirror-index] | [clear-mirror] | [prohibit-mirror] [-verbose] [-wide] (S-, K-Series) |
 | show policy rule classification-type [data] [mask mask] [port-string port-string] [storage-type {non-volatile | volatile}] | [drop | forward] [dynamic-pid dynamic-pid] [cos cos] [admin-pid admin-pid] [-verbose] [-wide] (7100-Series) |
In any command mode, display all policy classification capabilities for this device. | show policy capability |
In any command mode, display a list of currently supported traffic rules applied to the administrative profile for one or more ports. | show policy allowed-type port-string [-verbose] |
In any command mode, display a count of the number of times the device has dropped syslog or trap rule usage notifications on ports (S-, K-Series). | show policy dropped-notify |
In any command mode, display disabled ports for all rule entries (S-, K-Series). | show policy disabled-ports |
In any command mode, display the current state of the autoclear feature (S-, K-Series). | show policy autoclear {all | link | interval | profile | ports} |
In any command mode, display status of dynamically assigned roles. The syslog-default and trap-default options are available on the S- and K-Series platforms. | show policy dynamic {[syslog-default] [trap-default] [override]} |