ACL Style Policy

The traditional ONEPolicy architecture uses a hierarchical approach to rule precedence, in which the rule type dictates precedence. In addition, rule look-ups occur per role and per action type. This means, for example, that matching a forward/drop rule without an explicit Class of Service (CoS) action applies the forward/drop action and then continues the search until a rule with a CoS action matches. This hierarchical approach is implemented in hardware by maintaining one list for forward/drop actions and one list for CoS actions. This implementation often leaves resources underused, because not every rule has both a forward/drop action and a CoS action.

ACL Style Policy is a new mode of operation in which a single ordered list is maintained per role. Rule look-ups occur per role, in the configured ACL order. The first matching rule applies all of its actions, and the search stops. This approach can potentially double the advertised scale of classification rules compared to the traditional model, and it provides a more standard approach to policy classification rules.
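To make the two look-up models concrete, here is a small Python simulation; it is an added example, not part of the Extreme documentation or of EXOS itself. The rule names, the packet and the quarantine scenario are constructed; the match keywords reuse the page's names but are compared as exact values without masks, and the hierarchical model's order within each action list is assumed to follow the listed order rather than the hardware's rule-type precedence.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    matches: dict   # match keyword -> required value (exact match, no mask)
    actions: dict   # subset of {"forward": True, "drop": True, "cos": int, "syslog": True}

    def hits(self, pkt):
        # Every match field must be present in the packet with the same value.
        return all(pkt.get(k) == v for k, v in self.matches.items())

def acl_style_lookup(rules, pkt):
    """Single ordered list: the first matching rule applies ALL its actions, then stop."""
    for r in rules:
        if r.hits(pkt):
            return dict(r.actions), r.name
    return {}, None

def hierarchical_lookup(rules, pkt):
    """Two per-action-type lists (forward/drop, CoS) searched independently, so one
    packet can take actions from two different rules. List order is assumed (see lead-in)."""
    result, used = {}, []
    for r in (r for r in rules if "forward" in r.actions or "drop" in r.actions):
        if r.hits(pkt):
            result["drop" if "drop" in r.actions else "forward"] = True
            used.append(r.name)
            break
    for r in (r for r in rules if "cos" in r.actions):
        if r.hits(pkt):
            result["cos"] = r.actions["cos"]
            used.append(r.name)
            break
    return result, used

def move_first(rules, name):
    """Model 'configure policy access-list rule-precedence <rule> first' on the toy list."""
    target = next(r for r in rules if r.name == name)
    return [target] + [r for r in rules if r is not target]

# Constructed rule set: a broad permit precedes a host quarantine rule.
RULES = [
    Rule("permit-https", {"ipproto": 6, "tcpdestportIP": 443}, {"forward": True}),
    Rule("voice", {"ipproto": 17, "udpdestportIP": 5060}, {"forward": True, "cos": 5}),
    Rule("quarantine", {"ipsourcesocket": "10.1.1.5"}, {"drop": True, "cos": 0, "syslog": True}),
]
# Constructed packet: HTTPS from the quarantined host; it matches both the first and the third rule.
PKT = {"ipsourcesocket": "10.1.1.5", "ipproto": 6, "tcpdestportIP": 443}
```

The same three rules give different outcomes under the two models: in ACL style the quarantine rule's drop is shadowed by the earlier permit until the rule is moved first, while the hierarchical model merges the CoS of one rule with the forward of another. When reviewing an access-list mode policy, rule order is therefore part of the security review, not just rule content.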

ACL Style Policy implements a new RESTful API for configuration of classification rules.

Supported Platforms

ExtremeSwitching X435 (tci-overwrite and app-signature are not supported), X450-G2, X460-G2, X670-G2, X440-G2, X465, X590, X620, X690, X870 series switches.

Limitations

SNMP for configuration of ACL Style Policy classification rules is not supported.

New CLI Commands

configure policy rule-model [access-list | hierarchical]

create policy access-list list_dot_rule {matches [ {app-signature group group name name} {ether ether {mask ether_mask}} {icmp6type icmp6type {mask icmp6_mask}} {icmptype icmptype {mask icmp_mask}} {ipdestsocket ipdestsocket {mask ipdest_mask}} {ipfrag} {ipproto ipproto {mask ipproto_mask}} {ipsourcesocket ipsourcesocket {mask ipsrc_mask}} {iptos iptos {mask iptos_mask}} {ipttl ipttl {mask ipttl_mask}} {tcpdestportIP tcpdestportIP {mask tcpdest_mask}} {tcpsourceportIP tcpsourceportIP {mask tcpsrc_mask}} {udpdestportIP udpdestportIP {mask udpdest_mask}} {udpsourceportIP udpsourceportIP {mask udpsrc_mask}} ] } {actions [ {cos cos} {drop | forward} {mirror-destination control_index} {syslog} ] }

delete policy access-list [all-rules | list_dot_rule]

configure policy access-list [ rule-precedence [ list_dot_rule [ after member_rule | before member_rule | first | last ] ] ]

show policy access-list {list_dot_rule | profile-index profile_index} [ {matches [app-signature | ether | icmp6type | icmptype | ipdestsocket | ipfrag | ipproto | ipsourcesocket | iptos | ipttl | tcpdestportIP | tcpsourceportIP | udpdestportIP | udpsourceportIP ] {mask mask} {data data} } {actions [ {drop | forward {-1}} {cos cos} {mirror-destination control_index} {syslog} ] } ] {detail}

Changed CLI Commands

The change is the new access-list option at the end of the command.

configure policy profile profile_index {name name} {pvid pvid} {pvid-status pvid_status} {cos cos} {cos-status cos_status} {egress-vlans egress_vlan_list} {forbidden-vlans forbidden_vlans} {untagged-vlans untagged_vlans} {append | clear} {tci-overwrite tci_overwrite} {auth-override auth_override} {nsi [nsi | none]} {web-redirect web_redir_index} {access-list [unassigned | list_name | list_name_placeholder]}

The following show commands are changed to show ACL Style Policy information:

show policy state

show policy capability