Use this command to assign incoming untagged frames to a specific policy profile and to VLAN or CoS classification rules.
port | Port string. |
port | Port string - (data: 1; mask: 16). |
app-signature | Associates an application signature to a policy profile. |
group | Associates an application signature group to a policy profile |
group | Specifies the group name. |
name | Associates an application signature name to a policy profile. |
name | Specifies the display name assigned to the application signature. Maximum of 32 characters. To see name choices, use the show policy app-signature group {group {name name}} {built-in | custom {detail} | detail} command. |
macsource | MAC source address. |
macsource | MAC source address - (data: a-b-c-d-e-f; mask: 1-48). |
macdest | MAC destination address. |
macdest | MAC destination address - (data: a-b-c-d-e-f; mask: 1-48). |
ip6dest | IPv6 address. |
ip6dest | IPv6 address (data: aaaa::bbbb; mask 1-128). |
ipsourcesocket | Source IP address / Source IpSocket. |
ipsourcesocket | Source IP address (data: a.b.c.d[:ab (0-65535)[-cd (0-65535)]]; mask: 1-48, 64). |
ipdestsocket | Destination IP address / Destination IpSocket. |
ipdestsocket | Destination IP address (data: a.b.c.d[:ab (0-65535) [-cd (0-65535)]]; mask: 1-48,64). |
ipfrag | IP fragmentation flag. |
tcpdestportIP | TCP port dst with optional post-fix IPv4 address. |
tcpdestportIP | TCP port dst with optional post-fix IPv4 address - (data: ab[-cd][:c.d.e.f]); mask: 1-64). |
udpdestportIP | UDP port dst with optional post-fix IPv4 address. |
udpdestportIP | UDP port dst with optional post-fix IPv4 address - (data: ab[-cd][:c.d.e.f]); mask: 1-64. |
tcpsourceportIP | TCP port src with optional post-fix IPv4 address. |
tcpsourceportIP | TCP port src with optional post-fix IPv4 address - (data: ab[-cd][:c.d.e.f]); mask: 1-64. |
udpsourceportIP | UDP port src with optional post-fix IPv4 address. |
udpsourceportIP | UDP port src with optional post-fix IPv4 address - (data: ab[-cd][:c.d.e.f]); mask: 1-64. |
ipttl | IP time to live. |
ipttl | ipttl IP time to live (data: 0-255 or 0x0-0xFF; mask:1-8). |
iptos | IPv4 type of service / IPv6 traffic class field. |
iptos | ipproto Protocol field in IP packet - (data: 0-255 or 0x0-0xFF; mask: 1-8). |
ipproto | Protocol field in IP packet. |
ipproto | Protocol field in IP packet - (data: 0-255 or 0-0xFF; mask: 1-8). |
ether | Type field in Ethernet II packet. |
ether | Type field in Ethernet II packet - (data: 0-65535 or 0x0-0xFFFF; mask: 1-16). |
icmp6type | Specifies type code in ICMPv6 packet. |
icmp6type | ICMPv6 type code [(data: 123.456 (dotted-decimal) or AB-CD (dashed-hexadecimal)] mask: 1–16). |
icmptype | Specifies type code in ICMP packet. |
icmptype | ICMP type code (data: a.b; mask: 1–16). |
cos | Class of Service [0–255] or -1 for no CoS or forwarding behavior modification is desired |
cos | Class of Service [0–255] or -1 for no CoS or forwarding behavior modification is desired. |
mirror-destination | Specifies selecting a mirror destination control index. |
mirror-destination | Selects the mirror destination control index. Range is 1 to 4. |
clear-mirror | Clears mirroring on this rule. |
syslog | Specifies setting a Syslog action when rule is used. |
syslog |
Enable/disable/prohibit Syslog using event Policy.LogRuleHit on first rule use. By default, a Syslog entry only occurs on the first use of the rule. You can change this using the configure policy syslog [machine-readable machine_readable | extended-format extended_format | every-time every_time] command. |
trap | Specifies setting a trap action when rule is first used. |
trap | Enable/disable/prohibit trap on first rule use. |
Classification rules are automatically enabled when created.
Note
ExtremeSwitching X440-G2 and X620 series switches do not support macsource, macdest, or ip6dest classification rule types. Example:# configure policy rule 1 macsource 00-00-00-00-00-01 port-string 3 drop ERROR: Set failed!
# configure policy rule 1 ether 1526 dropThis example shows how to create (and enable) a classification rule to associate with policy profile number 5. This rule specifies that UDP frames from source port 45 will be forwarded:
# configure policy rule 5 udpsourceportip 45 forward forward
The following example associates the application signature with group "Storage and name "mike1" to policy rule "2" to block traffic:
# configure policy rule 2 app-signature group "Storage" name "mike1" drop
This command was first available in ExtremeXOS 16.1.
ICMP and ICMPv6 rule types added in ExtremeXOS 22.5.
Applying mirrors to policies and Syslog/trap actions on rule use was added in ExtremeXOS 30.2.
Application signature capability was added in ExtremeXOS 30.4.
This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, and X695 series switches.