Configuring Policy for the Services Edge Switch

Configuring the Policy Role

The services role is configured with:

  • A profile-index value of 6
  • A name of services
  • A default port VLAN of 0
  • A default CoS when no rule overrides CoS
  • TCI overwrite enabled
ServicesES->set policy profile 6 name services pvid-status enable pvid 0
cos-status enable cos 4 tci-overwrite enable

Assigning the VLAN-to-Policy Association

Setting the VLAN-to-policy association will be handled by the policy maptable setting, allowing for ease in changing the policy associated with a VLAN on the fly using Policy Manager. Specify that the tunnel attributes returned in the RADIUS response message will be used by the authenticating user. Associate VLAN 10 with policy role 6 using the set policy maptable command.

ServicesES->set policy maptable response tunnel
ServicesES->set policy maptable 10 6

Assigning Traffic Classification Rules

Forward traffic on UDP source port for IP address request (68) and forward traffic on UDP destination ports for protocols DHCP (67) and DNS (53) on the data VLAN, to facilitate PC auto configuration and IP address assignment. Drop traffic for protocols SNMP (161), SSH (22), Telnet (23) and FTP (20 and 21) on the phone VLAN.

ServicesES->configure policy rule 6 udpsourceportIP 68 mask 16 vlan 10 forward
ServicesES->configure policy rule 6 udpdestportIP 67 mask 16 vlan 10 forward
ServicesES->configure policy rule 6 udpdestportIP 53 mask 16 vlan 10 forward
ServicesES->configure policy rule 6 udpdestportIP 67 mask 16 vlan 10 drop
ServicesES->configure policy rule 6 udpdestportIP 53 mask 16 vlan 10 drop
ServicesES->configure policy rule 6 udpdestportIP 161 mask 16 drop
ServicesES->configure policy rule 6 tcpdestportIP 22 mask 16 drop
ServicesES->configure policy rule 6 tcpdestportIP 23 mask 16 drop
ServicesES->configure policy rule 6 tcpdestportIP 20 mask 16 drop
ServicesES->configure policy rule 6 tcpdestportIP 21 mask 16 drop

Apply a CoS 8 to data VLAN 10 and configure it to rate-limit traffic to 1M and moderate priority of 5 for services IP subnet 10.10.30.0 mask 28.

ServicesES->configure policy rule 6 ipsource 10.10.30.0 mask 28 vlan 10 cos 8

Services should only be allowed access to the services server (subnet 10.10.50.0/24) and should be denied access to the faculty servers (subnet 10.10.70.0/24) and administrative servers (subnet 10.10.60.0/24).

ServicesES->configure policy rule 6 ipdest 10.10.60.0 mask 24 drop
ServicesES->configure policy rule 6 ipdest 10.10.70.0 mask 24 drop

Enable Enhanced Edge Switch Capabilities on the Services Edge Switch Platform

The Services Edge Switch platform supports invalid action set to default policy should an invalid policy occur.

ServicesES->configure policy invalid action default-policy