You can define policy rules for a role to specify network access settings for a specific user role. Network policies are a set of rules, defined in a specific order, that determine how connections are authorized or denied. If you do not define policy rules for a role, the role's default action is applied to all traffic subject to that role. However, if you require user-specific filter definitions, then the filter ID configuration identifies the specific role that is applied to the user.
A role can have no rules if the default action is sufficient. Rules are used only to provide different treatments for different packet types to which a single role is applied.
Specify the OSI layer to which the rule pertains. The rule defines one or more actions to take on a packet matching criteria specified by the rule. The criteria could be the MAC address (L2) or the IP address or port number (L3 and L4).
The default action for all rules is Contain to VLAN, indicating that the rule applies to all traffic associated with the VLAN defined at the Role. This can be the Network default VLAN or a unique VLAN ID specified at the Role. The ability to specify the VLAN ID at the Role makes configuring network policy easier.
If the traffic is allowed, it can also be assigned a Class of Service (CoS) that can affect the priority and latency of that traffic. Only the rules in the policy assigned to a client are applied to a client's traffic.
Note
Rules in the Application Layer (L7) apply to application access and use different matching criteria. For additional information about Policy Rules Direction, see Understanding the Policy Rules Direction in the GTAC Knowledge Center.
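The evaluation model described above (rules checked in order, a criterion tied to one OSI layer, a per-role default action of Contain to VLAN, and an optional CoS on allowed traffic), as an added Python illustration that is not code from the original page or from the product it documents. The Packet, Rule and Role classes, the action names and the sample guest role are constructed assumptions for the example; the real product is configured through its management interface, not this form.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed packet model: only the L2/L3/L4 fields a rule criterion can read.
@dataclass
class Packet:
    src_mac: str
    dst_ip: str
    dst_port: int

@dataclass
class Rule:
    layer: str                  # "L2" (MAC), "L3" (IP address) or "L4" (port number)
    match: str                  # value compared against the packet field for that layer
    action: str                 # "allow", "deny" or "contain" (Contain to VLAN)
    vlan: Optional[int] = None  # VLAN for "contain"; None means the VLAN defined at the role
    cos: Optional[int] = None   # Class of Service attached to allowed traffic

@dataclass
class Role:
    name: str
    vlan: int                   # VLAN defined at the role (network default or a unique ID)
    default_action: str = "contain"
    rules: list = field(default_factory=list)  # evaluated in this order; first match wins

# Which packet field each layer's criterion is compared against (assumed mapping).
_FIELDS = {"L2": lambda p: p.src_mac.lower(),
           "L3": lambda p: p.dst_ip,
           "L4": lambda p: str(p.dst_port)}

def _matches(rule: Rule, pkt: Packet) -> bool:
    return _FIELDS[rule.layer](pkt) == rule.match.lower()   # KeyError on an unknown layer

def _verdict(action: str, vlan: int, cos: Optional[int]) -> dict:
    if action == "deny":
        return {"verdict": "deny", "vlan": None, "cos": None}
    # "allow" forwards as-is; "contain" forwards but pins the traffic to the VLAN
    return {"verdict": "allow", "vlan": vlan if action == "contain" else None, "cos": cos}

def apply_role(role: Role, pkt: Packet) -> dict:
    """Only the assigned role's rules are consulted; no match means the role's default action."""
    for rule in role.rules:
        if _matches(rule, pkt):
            return _verdict(rule.action, rule.vlan if rule.vlan is not None else role.vlan, rule.cos)
    return _verdict(role.default_action, role.vlan, None)

# Constructed sample role: guest traffic is contained to VLAN 200 by default. Rule order
# matters: the printer's MAC is allowed (CoS 5) before the generic rule denying port 25.
GUEST = Role("guest", vlan=200, rules=[
    Rule("L2", "00:11:22:33:44:55", "allow", cos=5),
    Rule("L4", "25", "deny"),
    Rule("L3", "10.0.0.9", "contain", vlan=300),
])
```

A role with an empty rule list simply returns its default action for every packet, which is the "no rules" case the text describes.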