use

Configures an access list based firewall with this user role

A firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting proprietary information within the network. The means by which this is accomplished varies, but in principle, firewalls are mechanisms both blocking and permitting data traffic based on inbound and outbound IP and MAC rules.

IP based firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders assigned. Both IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL.

A MAC firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny or mark designation to packet traffic.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

use [application-policy|bonjour-gw-discovery-policy|ip-access-list|ipv6-access-list|mac-access-list|purview-application-policy|url-filter]
use [application-policy|bonjour-gw-discovery-policy|purview-application-policy]
use [ip-access-list|ipv6-access-list] [in|out] <IP/ipv6-ACCESS-LIST-NAME> precedence <1-100>
use mac-access-list [in|out] <MAC-ACCESS-LIST-NAME> precedence <1-100>
use url-filter <URL-FILTER-NAME>

Parameters

use [application-policy|bonjour-gw-discovery-policy|purview-application-policy]

application-policy <POLICY-NAME>

Uses an existing Application policy with this user role. When associated, the Application policy enforces application assurance for all users assigned this role.
  • <POLICY-NAME> – Specify the Application policy name (should be existing and configured).
Note: For more information on Application policy, see application-policy.

bonjour-gw-discovery-policy <POLICY-NAME>

Uses an existing Bonjour GW Discovery policy with this user role. When associated, the Bonjour GW Discovery policy is applied to the Bonjour requests coming from this specific user role.
  • <POLICY-NAME> – Specify the Bonjour GW Discovery policy name (should be existing and configured).
Note: For more information on Bonjour GW Discovery policy, see bonjour-gw-discovery-policy.

purview-application-policy <PURVIEW-APP-POLICY-NAME>

Uses an existing Purview application policy with this user role. When associated, the application policy enforces application assurance for all users assigned this role.
  • <PURVIEW-APP-POLICY-NAME> – Specify the Purview application policy name (should be existing and configured).
Note: For more information on Purview application policy, see purview-application-policy.
use [ip-access-list|ipv6-access-list] [in|out] <IP/ipv6-ACCESS-LIST-NAME> precedence <1-100>

ip-access-list [in|out]

Uses an IPv4 or IPv6 ACL with this user role
  • in – Applies the rule to incoming packets
  • out – Applies the rule to outgoing packets

<IPv4/IPv6-ACCESS-LIST-NAME>

Specify the IPv4/IPv6 access list name.

precedence <1-100>

After specifying the name of the access list, specify the precedence applied to it. When packets are received, the access list with the lower precedence value is evaluated first.
  • <1-100> – Sets a precedence from 1 - 100

use mac-access-list [in|out] <MAC-ACCESS-LIST-NAME> precedence <1-100>

mac-access-list [in|out]

Uses a MAC access list with this user role
  • in – Applies the rule to incoming packets
  • out – Applies the rule to outgoing packets

<MAC-ACCESS-LIST-NAME>

Specify the MAC access list name.

precedence <1-100>

After specifying the name of the access list, specify the precedence applied to it. When packets are received, the access list with the lower precedence value is evaluated first.
  • <1-100> – Sets a precedence from 1 - 100

use url-filter <URL-FILTER-NAME>

url-filter <URL-FILTER-NAME>

Uses an existing URL filter that acts as a Web content filter firewall rule.
  • <URL-FILTER-NAME> – Specify the URL filter name (should be existing and configured).

Examples

nx9500-6C8809(config-role-policy-test-user-role-testing)#use ip-access-list in test precedence 9
nx9500-6C8809(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  ssid not-contains DevUser
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact ExampleCompany
  country exact America
  department exact TnV
  emailid exact testing@examplecompany.com
  state exact active
  use ip-access-list in test precedence 9
nx9500-6C8809(config-role-policy-test-user-role-testing)#
nx9500-6C8809(config-role-policy-bonjour_test-user-role-bonjour_user1)#use bonjour-gw-discovery-policy role2
nx9500-6C8809(config-role-policy-bonjour_test-user-role-bonjour_user1)#show context
 user-role bonjour_user1 precedence 2
  use bonjour-gw-discovery-policy role2
nx9500-6C8809(config-role-policy-bonjour_test-user-role-bonjour_user1)#
nx9500-6C8809(config-role-policy-bonjour_test)#show context
role-policy bonjour_test
 user-role bonjour_user precedence 1
  mu-mac A4-D1-D2-BF-3D-19
  use bonjour-gw-discovery-policy role1
 user-role bonjour_user1 precedence 2
  mu-mac B0-65-BD-4B-BC-09
  use bonjour-gw-discovery-policy role2
................................................
nx9500-6C8809(config-role-policy-bonjour_test)#
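The following is an added example, not code from this command reference or the vendor. It parses a role-policy `show context` dump in the indentation-based layout shown above and reports, for each user role, which access lists are applied in which direction and the order in which they are evaluated (lower precedence value first, as the reference states). The sample dump, and its role, ACL and filter names, are constructed for the example. Whether the device interleaves IP and MAC ACLs by precedence is not stated on this page, so evaluation order is only computed within one ACL type (an assumption of the example).

```python
"""Audit the 'use' statements of each user role in a WiNG role-policy dump.

Added example, not from the command reference or the vendor. It parses the
indentation-based 'show context' layout and lists, per user role, the ACLs
applied in each direction in device evaluation order (lower precedence value
first). Ordering across ACL types (IP vs MAC) is not stated in the reference,
so it is only computed within one type (assumption).
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the 'show context' output in the reference;
# the role, ACL and filter names are made up for this example.
SAMPLE = """\
role-policy audit_test
 user-role testing precedence 10
  ssid not-contains DevUser
  use ip-access-list in test precedence 9
  use ip-access-list in test-pre precedence 3
  use ip-access-list out test-out precedence 20
  use mac-access-list in mac-guests precedence 5
  use url-filter corp-web
 user-role bonjour_user1 precedence 2
  mu-mac B0-65-BD-4B-BC-09
  use bonjour-gw-discovery-policy role2
"""

ROLE_RE = re.compile(r"^user-role (\S+) precedence (\d+)$")
ACL_RE = re.compile(
    r"^use (ip-access-list|ipv6-access-list|mac-access-list) (in|out) (\S+) precedence (\d+)$"
)


@dataclass
class AclUse:
    kind: str        # ip-access-list | ipv6-access-list | mac-access-list
    direction: str   # in | out
    name: str
    precedence: int  # 1-100, lower is evaluated first


@dataclass
class UserRole:
    name: str
    precedence: int
    acls: list = field(default_factory=list)
    other_uses: list = field(default_factory=list)  # url-filter, policies, ...


def parse_role_policy(text):
    """Return the user roles found in a role-policy 'show context' dump."""
    roles = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROLE_RE.match(line)
        if m:
            current = UserRole(m.group(1), int(m.group(2)))
            roles.append(current)
            continue
        if current is None or not line.startswith("use "):
            continue  # role-match criteria (ssid, mu-mac, ...) are not audited here
        m = ACL_RE.match(line)
        if m is None:
            current.other_uses.append(line[len("use "):])
            continue
        prec = int(m.group(4))
        if not 1 <= prec <= 100:
            raise ValueError(f"{current.name}: precedence {prec} outside 1-100: {line}")
        current.acls.append(AclUse(m.group(1), m.group(2), m.group(3), prec))
    return roles


def evaluation_order(role, kind, direction):
    """ACLs of one type applied in one direction, in device evaluation order."""
    matching = [a for a in role.acls if a.kind == kind and a.direction == direction]
    return sorted(matching, key=lambda a: a.precedence)


def missing_directions(role):
    """Directions ('in'/'out') for which the role applies no IP, IPv6 or MAC ACL."""
    present = {a.direction for a in role.acls}
    return [d for d in ("in", "out") if d not in present]


if __name__ == "__main__":
    for role in parse_role_policy(SAMPLE):
        print(f"user-role {role.name} (precedence {role.precedence})")
        for kind in ("ip-access-list", "ipv6-access-list", "mac-access-list"):
            for direction in ("in", "out"):
                for acl in evaluation_order(role, kind, direction):
                    print(f"  {kind} {direction}: {acl.name} (precedence {acl.precedence})")
        for gap in missing_directions(role):
            print(f"  no ACL applied for direction '{gap}'")
```

Run against a saved `show context` dump (replace `SAMPLE` with the file contents), the report makes it easy to spot a user role that has no inbound or outbound ACL at all, or an ACL that will never be reached because one with a lower precedence value already covers the same traffic.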

Related Commands

no Removes an IP or MAC access list, or a Bonjour GW Discovery policy, from use with a user role