configure policy rule

configure policy rule profile_index [{app-signature group group name name} | ether ether | icmp6type icmp6type | icmptype icmptype | ip6dest ip6dest | ipdestsocket ipdestsocket | ipfrag | ipproto ipproto | ipsourcesocket ipsourcesocket | iptos iptos | ipttl ipttl | macdest macdest | macsource macsource | port port | tcpdestportIP tcpdestportIP | tcpsourceportIP tcpsourceportIP | udpdestportIP udpdestportIP | udpsourceportIP udpsourceportIP] {mask mask} {port-string [port_string | all]} {storage-type [non-volatile | volatile]} {drop | forward} {syslog syslog} {trap trap} {cos cos} {mirror-destination control_index} {clear-mirror}

Description

Use this command to assign incoming untagged frames to a specific policy profile and to VLAN or CoS classification rules.

Syntax Description

profile_index Index of the policy profile to which this rule is assigned.
port Port string (data: 1; mask: 16).
app-signature Associates an application signature to a policy profile.
group Associates an application signature group to a policy profile; group is the group name.
name Associates an application signature name to a policy profile; name is the display name assigned to the application signature (maximum of 32 characters). To see name choices, use the show policy app-signature group {group {name name}} {built-in | custom {detail} | detail} command.
macsource MAC source address (data: a-b-c-d-e-f; mask: 1-48).
macdest MAC destination address (data: a-b-c-d-e-f; mask: 1-48).
ip6dest IPv6 destination address (data: aaaa::bbbb; mask: 1-128).
ipsourcesocket Source IP address / source IP socket (data: a.b.c.d[:ab (0-65535)[-cd (0-65535)]]; mask: 1-48, 64).
ipdestsocket Destination IP address / destination IP socket (data: a.b.c.d[:ab (0-65535)[-cd (0-65535)]]; mask: 1-48, 64).
ipfrag IP fragmentation flag.
tcpdestportIP TCP destination port with optional post-fix IPv4 address (data: ab[-cd][:c.d.e.f]; mask: 1-64).
udpdestportIP UDP destination port with optional post-fix IPv4 address (data: ab[-cd][:c.d.e.f]; mask: 1-64).
tcpsourceportIP TCP source port with optional post-fix IPv4 address (data: ab[-cd][:c.d.e.f]; mask: 1-64).
udpsourceportIP UDP source port with optional post-fix IPv4 address (data: ab[-cd][:c.d.e.f]; mask: 1-64).
ipttl IP time to live (data: 0-255 or 0x0-0xFF; mask: 1-8).
iptos IPv4 type of service / IPv6 traffic class field (data: 0-255 or 0x0-0xFF; mask: 1-8).
ipproto Protocol field in IP packet (data: 0-255 or 0x0-0xFF; mask: 1-8).
ether Type field in Ethernet II packet (data: 0-65535 or 0x0-0xFFFF; mask: 1-16).
icmp6type ICMPv6 type code (data: 123.456 (dotted-decimal) or AB-CD (dashed-hexadecimal); mask: 1-16).
icmptype ICMP type code (data: a.b; mask: 1-16).
mask Mask width for the rule data; the valid range is listed with each rule type.
port-string Port or port list to which the rule applies, or all.
drop | forward Action taken on frames that match the rule: drop them or forward them.
cos Class of Service (0-255), or -1 if no CoS or forwarding behavior modification is desired.
mirror-destination Selects the mirror destination control index. Range is 1 to 4.
clear-mirror Clears mirroring on this rule.
syslog Enables, disables, or prohibits a Syslog action (event Policy.LogRuleHit) on first rule use. By default, a Syslog entry occurs only on the first use of the rule. You can change this using the configure policy syslog [machine-readable machine_readable | extended-format extended_format | every-time every_time] command.
trap Enables, disables, or prohibits a trap action on first rule use.

Usage Guidelines

Classification rules are automatically enabled when created.

Note

ExtremeSwitching X440-G2 and X620 series switches do not support the macsource, macdest, or ip6dest classification rule types. For example:

# configure policy rule 1 macsource 00-00-00-00-00-01 port-string 3 drop
ERROR: Set failed!

Example

This example shows how to create (and enable) a classification rule to associate with policy profile number 1. This rule drops Ethernet II Type 1526 frames:

# configure policy rule 1 ether 1526 drop

This example shows how to create (and enable) a classification rule to associate with policy profile number 5. This rule specifies that UDP frames from source port 45 are forwarded:

# configure policy rule 5 udpsourceportip 45 forward

The following example associates the application signature with group "Storage" and name "mike1" to policy rule "2" to block traffic:

# configure policy rule 2 app-signature group "Storage" name "mike1" drop
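The syntax description above lists a data format and a mask width range for every classification rule type, and the note records that some platforms reject the MAC and IPv6-destination types outright. The following added example (not Extreme's own code) turns those documented constraints into a pre-flight check: it builds the configure policy rule command line for a rule and raises before anything reaches the switch when the data is malformed, the mask width is outside the documented range, or the rule type is one the named platform does not support. The function and constant names (build_policy_rule, check_rules, NO_MAC_OR_IP6) and the platform strings are assumptions; the data/mask values come from the table above.

```python
"""Pre-flight builder for ExtremeXOS `configure policy rule` commands.

Added example, not Extreme's code. Data formats, mask widths and the
X440-G2/X620 restriction are taken from the command reference; function
and constant names are assumptions.
"""
import ipaddress
import re

# rule type -> (data regex, allowed mask widths); a None regex marks a flag rule.
RULE_TYPES = {
    "macsource":       (r"[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}", set(range(1, 49))),
    "macdest":         (r"[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}", set(range(1, 49))),
    "ip6dest":         (r"[0-9A-Fa-f:]+",                      set(range(1, 129))),
    "ipsourcesocket":  (r"[\d.]+(:\d+(-\d+)?)?",               set(range(1, 49)) | {64}),
    "ipdestsocket":    (r"[\d.]+(:\d+(-\d+)?)?",               set(range(1, 49)) | {64}),
    "tcpsourceportIP": (r"\d+(-\d+)?(:[\d.]+)?",               set(range(1, 65))),
    "tcpdestportIP":   (r"\d+(-\d+)?(:[\d.]+)?",               set(range(1, 65))),
    "udpsourceportIP": (r"\d+(-\d+)?(:[\d.]+)?",               set(range(1, 65))),
    "udpdestportIP":   (r"\d+(-\d+)?(:[\d.]+)?",               set(range(1, 65))),
    "ipttl":           (r"\d+|0[xX][0-9A-Fa-f]+",              set(range(1, 9))),
    "iptos":           (r"\d+|0[xX][0-9A-Fa-f]+",              set(range(1, 9))),
    "ipproto":         (r"\d+|0[xX][0-9A-Fa-f]+",              set(range(1, 9))),
    "ether":           (r"\d+|0[xX][0-9A-Fa-f]+",              set(range(1, 17))),
    "icmptype":        (r"\d+\.\d+",                           set(range(1, 17))),
    "icmp6type":       (r"\d+\.\d+|[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}", set(range(1, 17))),
    "ipfrag":          (None,                                  set()),
}
ONE_BYTE = {"ipttl", "iptos", "ipproto"}
# Platforms the note above documents as rejecting these rule types ("ERROR: Set failed!").
NO_MAC_OR_IP6 = {"X440-G2", "X620"}
UNSUPPORTED_THERE = {"macsource", "macdest", "ip6dest"}


def _num(tok):
    """Parse a decimal or 0x-prefixed value as the table allows both forms."""
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)


def _check_bounds(rule_type, data):
    """Range checks the regexes cannot express (field widths from the table)."""
    if rule_type in ONE_BYTE and not 0 <= _num(data) <= 255:
        raise ValueError(f"{rule_type} data {data} outside 0-255")
    if rule_type == "ether" and not 0 <= _num(data) <= 65535:
        raise ValueError(f"ether data {data} outside 0-65535")
    if rule_type.endswith("portIP"):
        ports, _, addr = data.partition(":")
        if addr:
            ipaddress.IPv4Address(addr)          # raises ValueError on a bad post-fix address
        if any(not 0 <= int(p) <= 65535 for p in ports.split("-")):
            raise ValueError(f"{rule_type} port {ports} outside 0-65535")
    if rule_type.endswith("socket"):
        addr, _, ports = data.partition(":")
        ipaddress.IPv4Address(addr)
        if ports and any(not 0 <= int(p) <= 65535 for p in ports.split("-")):
            raise ValueError(f"{rule_type} socket port {ports} outside 0-65535")
    if rule_type == "ip6dest":
        ipaddress.IPv6Address(data)


def build_policy_rule(profile_index, rule_type, data=None, mask=None,
                      action="drop", port_string=None, platform=None):
    """Return the CLI line, or raise ValueError for input the switch would reject."""
    if rule_type not in RULE_TYPES:
        raise ValueError(f"unknown rule type {rule_type}")
    if platform in NO_MAC_OR_IP6 and rule_type in UNSUPPORTED_THERE:
        raise ValueError(f"{rule_type} is not supported on {platform}")
    pattern, masks = RULE_TYPES[rule_type]
    parts = [str(profile_index), rule_type]
    if pattern is None:
        if data is not None:
            raise ValueError(f"{rule_type} takes no data")
    else:
        if data is None or not re.fullmatch(pattern, data):
            raise ValueError(f"malformed {rule_type} data: {data!r}")
        _check_bounds(rule_type, data)
        parts.append(data)
    if mask is not None:
        if mask not in masks:
            raise ValueError(f"mask {mask} not valid for {rule_type}")
        parts += ["mask", str(mask)]
    if port_string is not None:
        parts += ["port-string", str(port_string)]
    if action not in ("drop", "forward"):
        raise ValueError("action must be drop or forward")
    parts.append(action)
    return "configure policy rule " + " ".join(parts)


def check_rules(rules, platform=None):
    """Build a whole batch; return (commands, errors) instead of stopping at the first problem."""
    commands, errors = [], []
    for spec in rules:
        try:
            commands.append(build_policy_rule(platform=platform, **spec))
        except ValueError as exc:                # ipaddress errors are ValueError subclasses
            errors.append(f"{spec}: {exc}")
    return commands, errors


if __name__ == "__main__":
    # The three examples from this page, checked as if targeting an X440-G2.
    cmds, errs = check_rules([
        {"profile_index": 1, "rule_type": "ether", "data": "1526"},
        {"profile_index": 5, "rule_type": "udpsourceportIP", "data": "45", "action": "forward"},
        {"profile_index": 1, "rule_type": "macsource", "data": "00-00-00-00-00-01",
         "port_string": 3},
    ], platform="X440-G2")
    print("\n".join(cmds))
    print("\n".join(errs))
```

Run stand-alone, the script prints the two accepted commands and one error for the macsource rule, which reproduces the documented failure on X440-G2 without touching a switch. The mask check is deliberately per rule type: a width of 64 is accepted only for the socket types and 1-128 only for ip6dest, exactly as the table states.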

History

This command was first available in ExtremeXOS 16.1.

ICMP and ICMPv6 rule types added in ExtremeXOS 22.5.

Applying mirrors to policies and Syslog/trap actions on rule use was added in ExtremeXOS 30.2.

Application signature capability was added in ExtremeXOS 30.4.

Platform Availability

This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, and X695 series switches.