This section presents configuration procedures and tables including command description and syntax in the following policy areas: profile, classification, and display.
Step | Task | Commands |
---|---|---|
1 | Create a policy role. | configure policy profile profile_index {name name} {pvid pvid} {pvid-status pvid_status} {cos cos} {cos-status cos_status} {egress-vlans egress_vlan_list} {forbidden-vlans forbidden_vlans} {untagged-vlans untagged_vlans} {append | clear} {tci-overwrite tci_overwrite} {precedence [precedence | default]} {auth-override auth_override} {nsi [nsi | none]} {web-redirect web_redir_index} {access-list [unassigned | list_name | list_name_placeholder]} |
2 | Optionally, for enhanced policy capable devices, assign the action the device will apply to an invalid or unknown policy. | configure policy invalid action {default-policy | drop | forward} |
3 | Optionally, for enhanced policy capable devices, set a policy maptable entry that associates a VLAN with a policy profile. | configure policy maptable {vlan-list profile-index} |
4 | Optionally, set a policy maptable response. | configure policy maptable response {tunnel | policy | both} |
Step | Task | Command(s) |
---|---|---|
1 | Optionally set an administrative profile to assign traffic classifications to a policy role. See Administrative Policy and Policy Rule Traffic Classifications for traffic classification-type descriptions and enhanced policy information. See the set policy rule command discussion in the command reference guide that comes with your device for traffic classification data and mask information. | configure policy rule admin-profile [macsource macsource | port port] {mask mask} {port-string [port_string | all]} {storage-type [non-volatile | volatile]} {admin-pid admin_pid} |
2 | Optionally configure policy rules to associate with a policy role. See Administrative Policy and Policy Rule Traffic Classifications for traffic classification-type descriptions and enhanced policy information. See the configure policy rule command discussion in the command reference guide that comes with your device for traffic classification data and mask information. | configure policy rule profile_index [{app-signature group group name name} | ether ether | icmp6type icmp6type | icmptype icmptype | ip6dest ip6dest | ipdestsocket ipdestsocket | ipfrag | ipproto ipproto | ipsourcesocket ipsourcesocket | iptos iptos | ipttl ipttl | macdest macdest | macsource macsource | port port | tcpdestportIP tcpdestportIP | tcpsourceportIP tcpsourceportIP | udpdestportIP udpdestportIP | udpsourceportIP udpsourceportIP] {mask mask} {port-string [port_string | all]} {storage-type [non-volatile | volatile]} {drop | forward} {syslog syslog} {trap trap} {cos cos} {mirror-destination control_index} {clear-mirror} |
3 | Optionally, for enhanced policy capable devices, assign a policy role to a port. | configure policy port ports admin-id admin_id |
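
An offline audit of the commands from the two tables above, as an added example that is not part of the original documentation: it reads saved `configure policy` lines and reports an explicit `invalid action forward`, rules that reference a profile index that is never created, and ports assigned an `admin-id` with no matching profile. The sample configuration, the function name `audit_policy_config`, the finding labels and the choice to treat `forward` as a finding are assumptions made for the illustration.

```python
# Constructed sample configuration for illustration (not taken from the page).
SAMPLE_CONFIG = """\
configure policy profile 1 name guest
configure policy profile 2 name staff
configure policy invalid action forward
configure policy rule 1 ipfrag drop
configure policy rule 3 ipfrag drop
configure policy port 5 admin-id 2
configure policy port 6 admin-id 4
"""


def audit_policy_config(text):
    """Return (finding, detail) tuples for a block of saved CLI lines."""
    profiles = set()        # profile indexes created with 'configure policy profile'
    rule_profiles = set()   # profile indexes referenced by 'configure policy rule'
    port_roles = []         # (ports, admin_id) from 'configure policy port'
    invalid_action = None
    for line in text.splitlines():
        w = line.split()
        if len(w) < 4 or w[:2] != ["configure", "policy"]:
            continue
        if w[2] == "profile" and w[3].isdigit():
            profiles.add(int(w[3]))
        elif w[2] == "rule" and w[3].isdigit():   # skips 'rule admin-profile'
            rule_profiles.add(int(w[3]))
        elif w[2:4] == ["invalid", "action"] and len(w) > 4:
            invalid_action = w[4]
        elif w[2] == "port" and len(w) > 5 and w[4] == "admin-id" and w[5].isdigit():
            port_roles.append((w[3], int(w[5])))

    findings = []
    # Assumption of this audit: unknown or invalid policies should not be forwarded.
    if invalid_action == "forward":
        findings.append(("invalid-action-forward", "forward"))
    for index in sorted(rule_profiles - profiles):
        findings.append(("rule-without-profile", str(index)))
    for ports, admin_id in port_roles:
        if admin_id not in profiles:
            findings.append(("port-unknown-profile", f"{ports} -> {admin_id}"))
    return findings


if __name__ == "__main__":
    for finding, detail in audit_policy_config(SAMPLE_CONFIG):
        print(f"{finding}: {detail}")
```

The audit assumes the input is the complete saved policy configuration; a profile defined elsewhere would be reported as missing.
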
Step | Task | Command(s) |
---|---|---|
1 | Display policy role information. | show policy profile {all | profile-index [-detail]} |
2 | Display the action the device should take if asked to apply an invalid or unknown policy, or the number of times the device has detected an invalid/unknown policy, or both action and count information. | show policy invalid {action | count | all} |
3 | Display VLAN-ID to policy role mappings table. | show policy maptable [vlan-list] |
4 | Display policy classification and admin rule information. | show policy rule {all | app-signature | {profile-index profile_index | admin-profile} ether {ether} | icmp6type {icmp6type} | icmptype {icmptype} | ip6dest {ip6dest} | ipdest {ipdest} | ipfrag | ipproto {ipproto} | ipsource { ipsource } | iptos { iptos } | ipttl { ipttl } | macdest { macdest } | macsource { macsource } | port { port } | tcpdestportIP { tcpdestportIP } | tcpsourceportIP { tcpsourceportIP } | udpdestportIP { udpdestportIP } | udpsourceportIP { udpsourceportIP }} {mask mask } {port-string [ port_string | all]} {storage-type [non-volatile | volatile]} {drop | forward} {cos cos | admin-pid admin_pid }} {detail | wide} |
5 | Display all policy classification capabilities for this device. | show policy capability |
6 | Display a list of currently supported traffic rules applied to the administrative profile for one or more ports. | show policy allowed-type ports [detail] |
7 | Display status of dynamically assigned roles and the current status that the default of dynamically created rules will have in sending of Syslog messages or traps on rule applied. | show policy dynamic [override | syslog-default | trap-default ] |
8 | Display the Syslog parameters for policy rules. | show policy syslog {machine-readable} {extended-format} {every-time} |
9 | Display the interval at which the switch automatically clears rule usage statistics. | show policy autoclear interval |
10 | Display rule usage information when Syslog or trap actions have been set. | show policy rule port-hit {data} {detail} {wide} |
11 | Display captive portal settings. | show policy captive-portal {web-redirect {redirect_index | all} | listening | rule-use} |
12 | Display policy application signature information. | show policy app-signature group {group {name name}} {built-in | custom {detail} | detail} |
13 | Display the existing usage of policy slices. | show policy slices |
14 | Display access list information. |