Two-Stage Policy Example

The following example policy demonstrates how these new tokens can be used to create “user profiles” where each user is identified by source MAC address:

twostage_example1.pol:

# First stage rules: classify each frame by source MAC and tag it with a class-id

entry firststage_1 {
if {
    ethernet-source-address 00:00:00:00:00:01;
} then {
    class-id 7;
}}

entry firststage_2 {
if {
    ethernet-source-address 00:00:00:00:00:02;
} then {
    class-id 8;
}}

entry firststage_3 {
if {
    ethernet-source-address 00:00:00:00:00:03;
} then {
    class-id 7;
}}

# Second stage rules: match on the class-id assigned above plus the destination subnet

entry secondstage_1 {
if {
    class-id 7;
    destination-address 10.68.9.0/24;
} then {
    permit;
}}

entry secondstage_2 {
if {
    class-id 8;
    destination-address 10.68.0.0/16;
} then {
    permit;
}}

entry permit_arp {
if {
    ethernet-type 0x0806;
} then {
    permit;
}}

# Catch-all: an empty match clause matches everything not permitted by an earlier entry
entry secondstage_3 {
if {
} then {
    deny;
}}
The above example policy would have the following resulting behavior:
  1. MAC addresses 00:00:00:00:00:01 and 00:00:00:00:00:03 would be permitted to access subnet 10.68.9.0/24
  2. MAC address 00:00:00:00:00:02 would be permitted to access subnet 10.68.0.0/16
  3. All other traffic would be dropped.
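To check that the two-stage policy really yields the behavior listed above, here is an added Python model of twostage_example1.pol (not part of the original page or of EXOS). It assumes entries are evaluated top to bottom with first match winning, that the first stage only tags the frame with a class-id and the second stage decides permit/deny, and that permit_arp sits before the deny catch-all; it also goes beyond the three listed cases by exercising ARP, an unknown MAC and an out-of-subnet destination.

```python
import ipaddress

# Constructed model of the policy entries: (name, match conditions, action).
FIRST_STAGE = [
    ("firststage_1", {"ethernet-source-address": "00:00:00:00:00:01"}, {"class-id": 7}),
    ("firststage_2", {"ethernet-source-address": "00:00:00:00:00:02"}, {"class-id": 8}),
    ("firststage_3", {"ethernet-source-address": "00:00:00:00:00:03"}, {"class-id": 7}),
]
SECOND_STAGE = [
    ("secondstage_1", {"class-id": 7, "destination-address": "10.68.9.0/24"}, "permit"),
    ("secondstage_2", {"class-id": 8, "destination-address": "10.68.0.0/16"}, "permit"),
    ("permit_arp", {"ethernet-type": 0x0806}, "permit"),
    ("secondstage_3", {}, "deny"),  # empty match clause: catch-all
]

def _matches(conditions, pkt):
    """True when every match token in the entry agrees with the packet."""
    for key, want in conditions.items():
        if key == "ethernet-source-address":
            if pkt.get("src_mac", "").lower() != want.lower():
                return False
        elif key == "destination-address":
            dst = pkt.get("dst_ip")  # ARP frames carry no IP destination
            if dst is None or ipaddress.ip_address(dst) not in ipaddress.ip_network(want):
                return False
        elif key == "ethernet-type":
            if pkt.get("ethertype") != want:
                return False
        elif key == "class-id":
            if pkt.get("class_id") != want:  # unset class-id never matches
                return False
        else:
            raise ValueError(f"unsupported match token: {key}")
    return True

def evaluate(pkt):
    """Return (action, entry_name) for a packet dict with src_mac, ethertype
    and, for IP traffic, dst_ip. Assumed semantics: first match wins per stage."""
    pkt = dict(pkt)
    for name, cond, action in FIRST_STAGE:  # stage 1: tag with class-id
        if _matches(cond, pkt):
            pkt["class_id"] = action["class-id"]
            break
    for name, cond, action in SECOND_STAGE:  # stage 2: permit or deny
        if _matches(cond, pkt):
            return action, name
    return "deny", "implicit"  # assumption: nothing matched, treat as dropped

if __name__ == "__main__":
    print(evaluate({"src_mac": "00:00:00:00:00:01", "ethertype": 0x0800, "dst_ip": "10.68.9.5"}))
```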