configure policy rule

configure policy rule profile_index [{app-signature group group name name} | ether ether | icmp6type icmp6type | icmptype icmptype | ip6dest ip6dest |ipdestsocket ipdestsocket | ipfrag | ipproto ipproto | ipsourcesocket ipsourcesocket | iptos iptos | ipttl ipttl | macdest macdest | macsource macsource | port port | tcpdestportIP tcpdestportIP | tcpsourceportIP tcpsourceportIP | udpdestportIP udpdestportIP | udpsourceportIP udpsourceportIP ] {mask mask } {port-string [ port_string | all]} {storage-type [non-volatile | volatile]} {drop | forward} {syslog syslog} {trap trap} {cos cos } {mirror-destination control_index} {clear-mirror}

Description

Use this command to assign incoming untagged frames to a specific policy profile and to VLAN or CoS classification rules.

Syntax Description


port	Port string.
`port`	Port string - (data: 1; mask: 16).
app-signature	Associates an application signature to a policy profile.
group	Associates an application signature group to a policy profile
`group`	Specifies the group name.
name	Associates an application signature name to a policy profile.
`name`	Specifies the display name assigned to the application signature. Maximum of 32 characters. To see name choices, use the show policy app-signature group {group {name name}} {built-in \| custom {detail} \| detail} command.
macsource	MAC source address.
`macsource`	MAC source address - (data: a-b-c-d-e-f; mask: 1-48).
macdest	MAC destination address.
`macdest`	MAC destination address - (data: a-b-c-d-e-f; mask: 1-48).
ip6dest	IPv6 address.
`ip6dest`	IPv6 address (data: aaaa::bbbb; mask 1-128).
ipsourcesocket	Source IP address / Source IpSocket.
`ipsourcesocket`	Source IP address (data: a.b.c.d[:ab (0-65535)[-cd (0-65535)]]; mask: 1-48, 64).
ipdestsocket	Destination IP address / Destination IpSocket.
`ipdestsocket`	Destination IP address (data: a.b.c.d[:ab (0-65535) [-cd (0-65535)]]; mask: 1-48,64).
ipfrag	IP fragmentation flag.
tcpdestportIP	TCP port dst with optional post-fix IPv4 address.
`tcpdestportIP`	TCP port dst with optional post-fix IPv4 address - (data: ab[-cd][:c.d.e.f]); mask: 1-64).
udpdestportIP	UDP port dst with optional post-fix IPv4 address.
`udpdestportIP`	UDP port dst with optional post-fix IPv4 address - (data: ab[-cd][:c.d.e.f]); mask: 1-64.
tcpsourceportIP	TCP port src with optional post-fix IPv4 address.
`tcpsourceportIP`	TCP port src with optional post-fix IPv4 address - (data: ab[-cd][:c.d.e.f]); mask: 1-64.
udpsourceportIP	UDP port src with optional post-fix IPv4 address.
`udpsourceportIP`	UDP port src with optional post-fix IPv4 address - (data: ab[-cd][:c.d.e.f]); mask: 1-64.
ipttl	IP time to live.
`ipttl`	ipttl IP time to live (data: 0-255 or 0x0-0xFF; mask:1-8).
iptos	IPv4 type of service / IPv6 traffic class field.
`iptos`	ipproto Protocol field in IP packet - (data: 0-255 or 0x0-0xFF; mask: 1-8).
ipproto	Protocol field in IP packet.
`ipproto`	Protocol field in IP packet - (data: 0-255 or 0-0xFF; mask: 1-8).
ether	Type field in Ethernet II packet.
`ether`	Type field in Ethernet II packet - (data: 0-65535 or 0x0-0xFFFF; mask: 1-16).
icmp6type	Specifies type code in ICMPv6 packet.
`icmp6type`	ICMPv6 type code [(data: 123.456 (dotted-decimal) or AB-CD (dashed-hexadecimal)] mask: 1–16).
icmptype	Specifies type code in ICMP packet.
`icmptype`	ICMP type code (data: a.b; mask: 1–16).
cos	Class of Service [0–255] or -1 for no CoS or forwarding behavior modification is desired
`cos`	Class of Service [0–255] or -1 for no CoS or forwarding behavior modification is desired.
mirror-destination	Specifies selecting a mirror destination control index.
`mirror-destination`	Selects the mirror destination control index. Range is 1 to 4.
clear-mirror	Clears mirroring on this rule.
syslog	Specifies setting a Syslog action when rule is used.
`syslog`	Enable/disable/prohibit Syslog using event Policy.LogRuleHit on first rule use. By default, a Syslog entry only occurs on the first use of the rule. You can change this using the configure policy syslog [machine-readable machine_readable \| extended-format extended_format \| every-time every_time] command.
trap	Specifies setting a trap action when rule is first used.
`trap`	Enable/disable/prohibit trap on first rule use.

Default

If mask is not specified, all data bits are considered relevant.
If port-string is not specified, rule is scoped to all ports.
By default, a Syslog or trap entry only occurs on the first use of the rule.

Usage Guidelines

Classification rules are automatically enabled when created.

Note

ExtremeSwitching X440-G2 series switches do not support macsource, macdest, or ip6dest classification rule types. Example:

# configure policy rule 1 macsource 00-00-00-00-00-01 port-string 3 drop
ERROR: Set failed!

Example

This example shows how to create (and enable) a classification rule to associate with policy number 1. This rule will drop Ethernet II Type 1526 frames:

# configure policy rule 1 ether 1526 drop

This example shows how to create (and enable) a classification rule to associate with policy profile number 5. This rule specifies that UDP frames from source port 45 will be forwarded:

# configure policy rule 5 udpsourceportip 45 forward forward

The following example associates the application signature with group "Storage and name "mike1" to policy rule "2" to block traffic:

# configure policy rule 2 app-signature group "Storage" name "mike1" drop

History

This command was first available in ExtremeXOS 16.1.

ICMP and ICMPv6 rule types added in ExtremeXOS 22.5.

Applying mirrors to policies and Syslog/trap actions on rule use was added in ExtremeXOS 30.2.

Application signature capability was added in ExtremeXOS 30.4.

Platform Availability

This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, and X695 series switches.