Rule Precedence

Note

Note

When upgrading to ExtremeXOS 30.5 or later, any previously configured (before 30.5) policy profile precedence will be reset to the default rule precedence.

Static rules (MAC + port) have higher precedence than dynamic rules (Dot1x/Mac/Web VLAN authorization rules).

Example

# configure policy rule admin-profile macsource 00-00-00-00-00-01 mask 48 port-string 27 admin-pid 2 

configure policy profile 2 name "filter" pvid-status "enable" pvid 400 egress-vlans 200 untagged-vlans 400 tci-overwrite "enable"

configure policy maptable response both 
configure policy vlanauthorization enable 
enable policy 

In the above configuration, if a dot1x user is authenticated with Tunnel Private Group Id as "3000" and filter id as "filter" via Radius, the static macsource rule takes higher precedence and the client FDB learned on VLAN SYS_VLAN_0400 mentioned in the static rule rather than the tunnel ID sent by Radius.

# show fdb 
Mac                     Vlan      Age  Flags           Port / Virtual Port List
--------------------------------------------------------------------------------
00:00:00:00:00:01 SYS_VLAN_0400(0400) 0010 nd m     v     27

Modifying Rule Precedence Order

Starting with ExtremeXOS 31.4, you can modify the default precedence of ONEPolicy profile rules. You can configure the precedence for the rule types within each rule group. The rule groups currently supported are MAC, IPv6, IPv4, and Layer2.

The default precedence order is 1–2, 10, 29, 12, 32, 13, 33, 14–15, 34, 16, 35, 17, 36, 18, 37, 19, 23, 20–22, 25, 31.

MACSource (1), MACDest (2), IPv6Dest (10), Application (29), IPSource (12), IPSourceL4Range (32), IPDest (13), IPDestL4Range (33), IPFrag (14), UDPSrcPort (15), UDPSrcPortRange (34), UDPDestPort (16), UDPDestPortRange (35), TCPSrcPort (17), TCPSrcPortRange (36), TCPDestPort (18), TCPDestPortRange (37), ICMPType (19), ICMP6Type (23), TTL (20), IPTOS (21), IPProto (22), Ether (25), Port (31).

Rule types 1–2 come under MAC group.

Rule type 10 comes under IPv6 group.

Rule types 29, 12, 32, 13, 33, 14–15, 34, 16, 35, 17, 36, 18, 37, 19, 23, 20–22 come under IPv4 group.

Rule types 25 and 31 come under L2 group.

To modify the rule precedence order, use the following command with the precedence option:

configure policy profile profile_index {name name} {pvid pvid} {pvid-status pvid_status} {cos cos} {cos-status cos_status} {egress-vlans egress_vlan_list}{forbidden-vlans forbidden_vlans} {untagged-vlans untagged_vlans} {append | clear} {tci-overwrite tci_overwrite} {precedence [precedence | default]} {auth-override auth_override} {nsi [nsi | none]} {web-redirect web_redir_index} {access-list [unassigned | list_name | list_name_placeholder]}