Print this pagePrint this page

Email this topicEmail this topic

View PDFView PDF

Download EPUBDownload EPUB

Configuring Policy

This section presents configuration procedures and tables including command description and syntax in the following policy areas: profile, classification, and display.

Procedure 1 describes how to configure policy roles and related functionality.

Click to expand in new window

Procedure 1

Step Task Command(s)
1 Create a policy role.
  • name – (Optional) Specifies a name for this policy profile; used by the filter-ID attribute. This is a string from 1 to 64 characters.
  • pvid-status – (Optional) Enables or disables PVID override for this policy profile. If all the classification rules associated with this profile are missed, then this parameter, if specified, determines the default VLAN for this profile.
  • pvid – (Optional) Specifies the PVID to assign to packets, if PVID override is enabled and invoked as the default behavior.
  • cos-status – (Optional) Enables or disables Class of Service override for this policy profile. If all the classification rules associated with this profile are missed, then this parameter, if specified, determines the default CoS assignment.
  • cos – (Optional) Specifies a CoS value to assign to packets, if CoS override is enabled and invoked as the default behavior. Valid values are 0 to 255.
  • egress-vlans – (Optional) Specifies the port to which this policy profile is applied should be added to the egress list of the VLANs defined by egress-vlans. Packets will be formatted as tagged.
    Note: Egress policy is not supported in ExtremeXOS 16.1.
  • untagged-vlans – (Optional) Specifies the port to which this policy profile is applied should be added to the egress list of the VLANs defined by untagged-vlans. Packets will be formatted as untagged.
  • append – (Optional) Appends any egress, forbidden, or untagged specified VLANs to the existing list. If append is not specified, all previous settings for this VLAN list are replaced
  • clear – (Optional) Clears any egress, forbidden or untagged VLANs specified from the existing list.
  • tci-overwrite – (Optional) Enhanced policy that enables or disables TCI (Tag Control Information) overwrite for this profile. When enabled, rules configured for this profile are allowed to overwrite user priority and other classification information in the VLAN tag‘s TCI field.
configure policy profile profile-index [name name] [pvid-status {enable | disable}] [pvid pvid] [cos-status {enable | disable}] [cos cos] [egress-vlans egress-vlans] [untagged-vlans untagged-vlans] [append] [clear] [tci-overwrite {enable | disable}]
2 Optionally, for enhanced policy capable devices, assign the action the device will apply to an invalid or unknown policy.
  • default-policy – Instructs the device to ignore this result and search for the next policy assignment rule.
  • drop – Instructs the device to block traffic.
  • forward – Instructs the device to forward traffic.
 configure policy invalid action {default-policy | drop | forward}
3 Optionally, for enhanced policy capable devices, set a policy maptable entry that associates a VLAN with a policy profile. configure policy maptable {vlan-list profile-index}
4 Optionally, set a policy maptable response.
  • tunnel – Applies the VLAN tunnel attribute.
  • policy – Applies the policy specified in the filter-ID.
  • both – An enhanced policy option that applies either or all the filter-ID and VLAN tunnel attributes or the policy depending upon whether one or both are present.
configure policy maptable response {tunnel | policy | both}

Procedure 2 describes how to configure classification rules as an administrative profile or to assign policy rules to a policy role.

Click to expand in new window

Procedure 2

Step Task Command(s)
1 Optionally set an administrative profile to assign traffic classifications to a policy role. See Administrative Policy and Policy Rule Traffic Classifications for traffic classification-type descriptions and enhanced policy information. See the set policy rule command discussion in the command reference guide that comes with your device for traffic classification data and mask information.
  • port-string – Applies this administratively-assigned rule to a specific ingress port. The configure policy port command is also supported as an alternative way to administratively assign a profile rule to a port.
  • storage-type – (Optional) Adds or removes this entry from non-volatile storage.
  • admin-pid – Associates this administrative profile with a policy profile index ID. Valid values are 1 - 1023.
configure policy rule admin-profile {macsource | port} [data] [mask mask] port-string port-string [storage-type {non-volatile | volatile}] [admin-pid admin-pid]
2 Optionally configure policy rules to associate with a policy role. See Administrative Policy and Policy Rule Traffic Classifications for traffic classification-type descriptions and enhanced policy information. See the configure policy rule command discussion in the command reference guide that comes with your device for traffic classification data and mask information.
  • port-string – (Optional) Applies this policy rule to a specific ingress port. The set policy port command is also supported as an alternative way to assign a profile rule to a port.
  • storage-type – (Optional) Adds or removes this entry from non-volatile storage.
  • drop | forward – (Optional) Specifies that packets within this classification will be dropped or forwarded.
  • cos – (Optional) Specifies that this rule will classify to a Class-of-Service ID. Valid values are 0 - 255. A value of -1 indicates that no CoS forwarding behavior modification is desired.
 configure policy rule profile-index classification-type [data] [mask mask] [port-string port-string] [storage-type {non-volatile | volatile}] | [drop | forward] [admin-pid admin-pid] [cos cos]
3 Optionally, for enhanced policy capable devices, assign a policy role to a port. configure policy port <ports> admin-id admin_id

The following table describes how to display policy information and statistics.

Click to expand in new window

Displaying Policy Configuration and Statistics

Task Command(s)
Display policy role information. show policy profile {all | profile-index [-detail]}
Display the action the device should take if asked to apply an invalid or unknown policy, or the number of times the device has detected an invalid/unknown policy, or both action and count information. show policy invalid {action | count | all}
Display VLAN-ID to policy role mappings table. show policy maptable [vlan-list]
Display policy classification and admin rule information. show policy rule [classification-type] [data] [mask mask] [port-string port-string] [storage-type {non-volatile | volatile}] | [drop | forward] [dynamic-pid dynamic-pid] [cos cos] [admin-pid admin-pid] [-verbose] [-wide]
Display all policy classification capabilities for this device. show policy capability
Display a list of currently supported traffic rules applied to the administrative profile for one or more ports. show policy allowed-type ports [detail]
Display status of dynamically assigned roles. show policy dynamic override
Published March 2020prev | next

Email this topicEmail this topic

Print this pagePrint this page