Configuring Policy

This section presents configuration procedures and tables including command description and syntax in the following policy areas: profile, classification, and display.


Configuring Policy Roles and Related Functionality

Step 1. Create a policy role.
  • name – (Optional) Specifies a name for this policy profile; used by the filter-ID attribute. This is a string from 1 to 64 characters.
  • pvid-status – (Optional) Enables or disables PVID override for this policy profile. If all the classification rules associated with this profile are missed, then this parameter, if specified, determines the default VLAN (Virtual LAN) for this profile.
  • pvid – (Optional) Specifies the PVID to assign to packets, if PVID override is enabled and invoked as the default behavior.
  • cos-status – (Optional) Enables or disables Class of Service override for this policy profile. If all the classification rules associated with this profile are missed, then this parameter, if specified, determines the default CoS (Class of Service) assignment.
  • cos – (Optional) Specifies a CoS value to assign to packets, if CoS override is enabled and invoked as the default behavior. Valid values are 0 to 255.
  • egress-vlans – (Optional) Specifies that the port to which this policy profile is applied should be added to the egress list of the VLANs defined by egress-vlans. Packets will be formatted as tagged.
    Note: Egress policy is not supported in ExtremeXOS 16.1.
  • forbidden-vlans – (Optional) Specifies that the port to which this policy profile is applied should be added as forbidden to the egress list of the VLANs defined by forbidden-vlans. Packets from this port are not allowed to participate in the listed VLANs.
  • untagged-vlans – (Optional) Specifies that the port to which this policy profile is applied should be added to the egress list of the VLANs defined by untagged-vlans. Packets will be formatted as untagged.
  • append – (Optional) Appends any egress, forbidden, or untagged specified VLANs to the existing list. If append is not specified, all previous settings for this VLAN list are replaced.
  • clear – (Optional) Clears any egress, forbidden, or untagged VLANs specified from the existing list.
  • tci-overwrite – (Optional) Enhanced policy that enables or disables TCI (Tag Control Information) overwrite for this profile. When enabled, rules configured for this profile are allowed to overwrite user priority and other classification information in the VLAN tag's TCI field.
  • precedence – (Optional) Modifies the default precedence of ONEPolicy profile rules.
  • auth-override – (Optional) If a port has an active policy and authentication override is enabled, all frames arriving on that port have that policy applied, and no further authentication occurs.
  Command: configure policy profile profile_index {name name} {pvid pvid} {pvid-status pvid_status} {cos cos} {cos-status cos_status} {egress-vlans egress_vlan_list} {forbidden-vlans forbidden_vlans} {untagged-vlans untagged_vlans} {append | clear} {tci-overwrite tci_overwrite} {precedence [precedence | default]} {auth-override auth_override} {nsi [nsi | none]} {web-redirect web_redir_index}

Step 2. Optionally, for enhanced policy capable devices, assign the action the device will apply to an invalid or unknown policy.
  • default-policy – Instructs the device to ignore this result and search for the next policy assignment rule.
  • drop – Instructs the device to block traffic.
  • forward – Instructs the device to forward traffic.
  Command: configure policy invalid action {default-policy | drop | forward}

Step 3. Optionally, for enhanced policy capable devices, set a policy maptable entry that associates a VLAN with a policy profile.
  Command: configure policy maptable {vlan-list profile-index}

Step 4. Optionally, set a policy maptable response.
  • tunnel – Applies the VLAN tunnel attribute.
  • policy – Applies the policy specified in the filter-ID.
  • both – An enhanced policy option that applies either or all of the filter-ID and VLAN tunnel attributes or the policy, depending upon whether one or both are present.
  Command: configure policy maptable response {tunnel | policy | both}

Configuring Classification Rules as an Administrative Profile or to Assign Policy Rules to a Policy Role

Step 1. Optionally, set an administrative profile to assign traffic classifications to a policy role. See Administrative Policy and Policy Rule Traffic Classifications for traffic classification-type descriptions and enhanced policy information. See the configure policy rule command discussion in the command reference guide that comes with your device for traffic classification data and mask information.
  • port-string – Applies this administratively-assigned rule to a specific ingress port. The configure policy port command is also supported as an alternative way to administratively assign a profile rule to a port.
  • storage-type – (Optional) Adds or removes this entry from non-volatile storage.
  • admin-pid – Associates this administrative profile with a policy profile index ID. Valid values are 1 to 1023.
  Command: configure policy rule admin-profile [macsource macsource | port port] {mask mask} {port-string [port_string | all]} {storage-type [non-volatile | volatile]} {admin-pid admin_pid}

Step 2. Optionally, configure policy rules to associate with a policy role. See Administrative Policy and Policy Rule Traffic Classifications for traffic classification-type descriptions and enhanced policy information. See the configure policy rule command discussion in the command reference guide that comes with your device for traffic classification data and mask information.
  • port-string – (Optional) Applies this policy rule to a specific ingress port. The configure policy port command is also supported as an alternative way to assign a profile rule to a port.
  • storage-type – (Optional) Adds or removes this entry from non-volatile storage.
  • drop | forward – (Optional) Specifies that packets within this classification will be dropped or forwarded.
  • cos – (Optional) Specifies that this rule will classify to a Class-of-Service ID. Valid values are 0 to 255. A value of -1 indicates that no CoS forwarding behavior modification is desired.
  Command: configure policy rule profile_index [ether ether | icmp6type icmp6type | icmptype icmptype | ip6dest ip6dest | ipdestsocket ipdestsocket | ipfrag | ipproto ipproto | ipsourcesocket ipsourcesocket | iptos iptos | ipttl ipttl | macdest macdest | macsource macsource | port port | tcpdestportIP tcpdestportIP | tcpsourceportIP tcpsourceportIP | udpdestportIP udpdestportIP | udpsourceportIP udpsourceportIP] {mask mask} {port-string [port_string | all]} {storage-type [non-volatile | volatile]} {drop | forward} {syslog syslog} {trap trap} {cos cos} {mirror-destination control_index} {clear-mirror}

Step 3. Optionally, for enhanced policy capable devices, assign a policy role to a port.
  Command: configure policy port ports admin-id admin_id

Displaying Policy Information and Statistics

Step 1. Display policy role information.
  Command: show policy profile {all | profile-index [-detail]}

Step 2. Display the action the device should take if asked to apply an invalid or unknown policy, the number of times the device has detected an invalid or unknown policy, or both the action and the count.
  Command: show policy invalid {action | count | all}

Step 3. Display the VLAN-ID to policy role mapping table.
  Command: show policy maptable [vlan-list]

Step 4. Display policy classification and admin rule information.
  Command: show policy rule {all | {profile-index profile_index | admin-profile} ether {ether} | icmp6type {icmp6type} | icmptype {icmptype} | ip6dest {ip6dest} | ipdest {ipdest} | ipfrag | ipproto {ipproto} | ipsource {ipsource} | iptos {iptos} | ipttl {ipttl} | macdest {macdest} | macsource {macsource} | port {port} | tcpdestportIP {tcpdestportIP} | tcpsourceportIP {tcpsourceportIP} | udpdestportIP {udpdestportIP} | udpsourceportIP {udpsourceportIP}} {mask mask} {port-string [port_string | all]} {storage-type [non-volatile | volatile]} {drop | forward} {cos cos | admin-pid admin_pid}} {detail | wide}

Step 5. Display all policy classification capabilities for this device.
  Command: show policy capability

Step 6. Display a list of the currently supported traffic rules applied to the administrative profile for one or more ports.
  Command: show policy allowed-type ports [detail]

Step 7. Display the override status of dynamically assigned roles, and the default Syslog and trap behavior that dynamically created rules will have when a rule is applied.
  Command: show policy dynamic [override | syslog-default | trap-default]

Step 8. Display the Syslog parameters for policy rules.
  Command: show policy syslog {machine-readable} {extended-format} {every-time}

Step 9. Display the interval at which the switch automatically clears rule usage statistics.
  Command: show policy autoclear interval

Step 10. Display rule usage information when Syslog or trap actions have been set.
  Command: show policy rule port-hit {data} {detail} {wide}

Step 11. Display captive portal settings.
  Command: show policy captive-portal {web-redirect {redirect_index | all} | listening | rule-use}
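As an added example (not from the original guide) that ties the three tables above together: a restrictive "Guest" role built with the commands listed, pinned to one access port, then verified with the show commands. Profile index 10, VLAN 100, CoS values and port 1:5 are constructed; the enable/disable keywords for the *-status parameters are an assumption.

```text
# Policy must be enabled globally before any role takes effect.
enable policy

# Step 1: create the role. Traffic that matches none of the rules below
# falls back to VLAN 100 with CoS 2 (PVID and CoS override as defaults).
configure policy profile 10 name "Guest" pvid-status enable pvid 100 cos-status enable cos 2
configure policy profile 10 untagged-vlans 100

# Step 2: an invalid or unknown policy result is dropped, never forwarded.
configure policy invalid action drop

# Steps 3-4: map VLAN 100 to role 10 and let the RADIUS filter-ID (not the
# tunnel VLAN attribute alone) decide which role an authenticated user gets.
configure policy maptable 100 10
configure policy maptable response policy

# Classification rules attached to role 10: block management protocols from
# the guest segment, allow web traffic and mark it with CoS 4.
configure policy rule 10 tcpdestportIP 22 mask 16 drop
configure policy rule 10 tcpdestportIP 23 mask 16 drop
configure policy rule 10 udpdestportIP 161 mask 16 drop
configure policy rule 10 tcpdestportIP 443 mask 16 forward cos 4

# Administratively assign the role to the guest-facing port.
configure policy port 1:5 admin-id 10

# Verify what the switch actually programmed before trusting the role.
show policy profile 10
show policy rule all
show policy maptable
show policy invalid all
show policy capability
```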

Setting Up Convergence End Point (CEP) Detection

Step 1. Enable policy globally on the switch.
  Command: enable policy

Step 2. Enable CEP detection globally on the switch.
  Command: configure policy convergence-endpoint [enable | disable]

Step 3. Enable a CEP detection type on one or more ports.
  Command: configure policy convergence-endpoint ports [<port_list> | all] [cisco | lldp-med] [enable | disable]

Step 4. Configure a policy to apply to the detected CEP devices.
  Command: configure policy profile profile_index {name name} {pvid pvid} {pvid-status pvid_status} {cos cos} {cos-status cos_status} {egress-vlans egress_vlan_list} {forbidden-vlans forbidden_vlans} {untagged-vlans untagged_vlans} {append | clear} {tci-overwrite tci_overwrite} {precedence [precedence | default]} {auth-override auth_override} {nsi [nsi | none]} {web-redirect web_redir_index}

Step 5. Assign the configured policy to the desired CEP detection type.
  Command: configure policy convergence-endpoint index index [cisco | lldp-med]
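The five CEP steps as one worked sequence, added here as an example and not taken from the original guide: phones discovered by LLDP-MED on ports 1:1-24 are placed in a voice role that allows only what a phone needs. Profile index 20, VLAN 200, the port range and the enable keyword values are constructed assumptions.

```text
# Steps 1-2: enable policy and CEP detection globally.
enable policy
configure policy convergence-endpoint enable

# Step 3: detect phones via LLDP-MED on the access ports (constructed range).
configure policy convergence-endpoint ports 1:1-24 lldp-med enable

# Step 4: the role a detected phone receives. Voice VLAN 200, CoS 5 by default.
configure policy profile 20 name "VoIP-Phone" pvid-status enable pvid 200 cos-status enable cos 5

# Rules for role 20: signalling is forwarded, interactive management
# protocols are dropped so a spoofed "phone" cannot reach the switch via SSH/Telnet.
configure policy rule 20 udpdestportIP 5060 mask 16 forward
configure policy rule 20 tcpdestportIP 22 mask 16 drop
configure policy rule 20 tcpdestportIP 23 mask 16 drop

# Step 5: bind role 20 to the LLDP-MED detection type.
configure policy convergence-endpoint index 20 lldp-med

# Confirm the role and its rules.
show policy profile 20
show policy rule all
```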

Setting Up Captive Portal Redirection

Step 1. Define a role that has a valid captive portal web redirection class index.
  Command: configure policy profile profile_index {name name} {pvid pvid} {pvid-status pvid_status} {cos cos} {cos-status cos_status} {egress-vlans egress_vlan_list} {forbidden-vlans forbidden_vlans} {untagged-vlans untagged_vlans} {append | clear} {tci-overwrite tci_overwrite} {precedence [precedence | default]} {auth-override auth_override} {nsi [nsi | none]} {web-redirect web_redir_index}

Step 2. Configure a captive portal server's HTTP redirect URL and enable it using the previously defined captive portal web redirection class index.
  Command: configure policy captive-portal web-redirect redirect_index server server_id {url redirect_url} {status}

Step 3. Configure which L4 listening ports (sockets) are to be redirected when a captive portal web-redirect is defined on a policy profile.
  Command: configure policy captive-portal listening socket_list

Step 4. Set whether or not captive portal rules are programmed within the already reserved ACL rule space of ONEPolicy.
  Command: configure policy captive-portal rule-use [reserved | unreserved]
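The four captive portal steps as a worked sequence, added as an example and not part of the original guide: an "Unauthenticated" role whose web traffic is redirected to a portal. Profile index 30, VLAN 300, redirect index 1, server ID 1, the portal URL and the socket list are constructed; the value given to the status parameter is an assumption.

```text
# Step 1: the pre-authentication role carries web-redirect class index 1.
configure policy profile 30 name "Unauthenticated" pvid-status enable pvid 300 web-redirect 1

# Only what the portal flow needs is forwarded from this role; DNS plus
# HTTP/HTTPS (which the redirect intercepts). Anything else is dropped.
configure policy rule 30 udpdestportIP 53 mask 16 forward
configure policy rule 30 tcpdestportIP 80 mask 16 forward
configure policy rule 30 tcpdestportIP 443 mask 16 forward
configure policy rule 30 tcpdestportIP 22 mask 16 drop

# Step 2: portal server 1 behind redirect index 1 (constructed URL; the
# "status enable" keyword is assumed from the {status} option).
configure policy captive-portal web-redirect 1 server 1 url https://portal.example.com/login status enable

# Step 3: which destination sockets are intercepted and redirected.
configure policy captive-portal listening 80,443

# Step 4: program the redirect rules inside ONEPolicy's reserved ACL space.
configure policy captive-portal rule-use reserved

# Verify the redirect, listening sockets and rule-use setting.
show policy captive-portal web-redirect all
show policy captive-portal listening
show policy captive-portal rule-use
```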

Setting up Policy-Based Mirrors

Step 1. Create a "control group" (Mirror MIB) instance.
  Command: create mirror control_index

Step 2. Create one or more "physical" mirrors.
  Note: MIB support (not CLI configured) adds a port to a mirror by the port's Interface Index. In this case, the "physical" mirror is automatically created if there are resources and a matching "physical" mirror does not already exist. To assign a mirror with a remote-ip destination, the mirror must be configured before it can be added to a mirror control index. An interface index for the tunnel mirror is created at the time the tunnel mirror is created. This Interface Index can then be added to the mirror control_index.
  Command: create mirror mirror_name {to [port port | port-list port_list loopback-port port] {remote-tag rtag} | remote-ip remote_ip_address {{vr} {vr_name} {from [source_ip_address | auto-source-ip]} {ping-check [on | off]} priority priority_value]} {description mirror-desc}

Step 3. Apply the physical mirrors to the control group instance using the add option.
  Command: configure mirror control_index [add | delete] mirror_name

Step 4. Enable the control group (Mirror MIB) instance and the physical mirrors.
  Command: enable mirror control_index {mirror mirror_name}

Step 5. Apply the control group (Mirror MIB) instance to the desired policy using the control_index designator.
  Command: configure policy rule profile_index [ether ether | icmp6type icmp6type | icmptype icmptype | ip6dest ip6dest | ipdestsocket ipdestsocket | ipfrag | ipproto ipproto | ipsourcesocket ipsourcesocket | iptos iptos | ipttl ipttl | macdest macdest | macsource macsource | port port | tcpdestportIP tcpdestportIP | tcpsourceportIP tcpsourceportIP | udpdestportIP udpdestportIP | udpsourceportIP udpsourceportIP] {mask mask} {port-string [port_string | all]} {storage-type [non-volatile | volatile]} {drop | forward} {syslog syslog} {trap trap} {cos cos} {mirror-destination control_index} {clear-mirror}
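The five mirror steps as one worked sequence, added as an example and not taken from the original guide: SMB traffic from a guest role is copied to a port where an IDS sensor listens, while the traffic itself is still forwarded. Control index 1, mirror name ids-span, port 1:48 and profile index 10 are constructed.

```text
# Step 1: the control group (Mirror MIB instance) that policy rules reference.
create mirror 1

# Step 2: a physical mirror whose destination is the IDS sensor port.
create mirror ids-span to port 1:48 description "IDS sensor span"

# Step 3: attach the physical mirror to control group 1.
configure mirror 1 add ids-span

# Step 4: enable the control group and the physical mirror.
enable mirror 1 mirror ids-span

# Step 5: role 10 (an existing guest profile in this example) mirrors
# TCP/445 to the sensor. The rule does not drop, so users are unaffected
# while the IDS sees every SMB session from the segment.
configure policy rule 10 tcpdestportIP 445 mask 16 forward mirror-destination 1

# Verify the rule carries the mirror-destination.
show policy rule all detail

# To stop mirroring without deleting the classification, clear the mirror
# reference on the rule rather than the whole rule.
configure policy rule 10 tcpdestportIP 445 mask 16 clear-mirror
```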

Setting up Rule Trap and Syslog

Step 1. Configure a policy rule with a Syslog (syslog option) or trap (trap option) action.
  Command: configure policy rule profile_index [ether ether | icmp6type icmp6type | icmptype icmptype | ip6dest ip6dest | ipdestsocket ipdestsocket | ipfrag | ipproto ipproto | ipsourcesocket ipsourcesocket | iptos iptos | ipttl ipttl | macdest macdest | macsource macsource | port port | tcpdestportIP tcpdestportIP | tcpsourceportIP tcpsourceportIP | udpdestportIP udpdestportIP | udpsourceportIP udpsourceportIP] {mask mask} {port-string [port_string | all]} {storage-type [non-volatile | volatile]} {drop | forward} {syslog syslog} {trap trap} {cos cos} {mirror-destination control_index} {clear-mirror}

Step 2. Optionally, for Syslog, you can change the following parameters:
  • Hexadecimal versus decimal format (machine-readable)
  • Extended format (extended-format)
  • Syslog message sent only on first rule usage or every time the rule is used (every-time)
  Command: configure policy syslog [machine-readable machine_readable | extended-format extended_format | every-time every_time]

Step 3. Optionally, set the interval at which the switch automatically clears rule usage statistics.
  Command: configure policy autoclear {interval interval}

Step 4. Optionally, clear the policy counters (rule usage) at any time.
  Command: clear counters policy
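The four steps above as one worked sequence, added as an example and not part of the original guide: drop rules on a guest role are turned into detection signals by logging and trapping each hit, so blocked management-protocol attempts show up in the SIEM rather than silently disappearing. Profile index 10 is constructed; the enable/disable keyword values for syslog, trap and the syslog format parameters, and the interval value, are assumptions.

```text
# Step 1: the same drop rules, now generating a Syslog message and an SNMP
# trap when hit. A dropped SSH/Telnet/SNMP attempt from a guest port is a
# signal worth forwarding to the collector.
configure policy rule 10 tcpdestportIP 22 mask 16 drop syslog enable trap enable
configure policy rule 10 tcpdestportIP 23 mask 16 drop syslog enable trap enable
configure policy rule 10 udpdestportIP 161 mask 16 drop syslog enable trap enable

# Step 2: message format. Extended format carries the full rule context;
# every-time reports each hit instead of only the first, which is what a
# SIEM correlation rule needs but is noisier. Machine-readable switches the
# numeric fields to hexadecimal.
configure policy syslog extended-format enable
configure policy syslog every-time enable
configure policy syslog machine-readable disable

# Step 3: reset rule-usage counters automatically (interval value assumed;
# see the command reference for its units and range).
configure policy autoclear interval 60

# Verify logging parameters and which rules are being hit.
show policy syslog
show policy autoclear interval
show policy rule port-hit detail

# Step 4: manual reset, e.g. after an incident has been reviewed.
clear counters policy
```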