Both the administrative profile and policy rules are associated with the policy role by specifying the admin-pid option, in the case of an administrative profile, or a profile-index value, in the case of the policy rule. Administrative profiles and policy rules are configured using the configure policy rule command.
The administrative profile assigns a traffic classification to a policy role by using the admin-profile option of the configure policy rule command.
Note
Standard policy supports the VLAN tag traffic classification for administrative profiles. All other traffic classifications are enhanced policy in an administrative profile context.Note
When both admin-profile port and macsource rule are configured on the same port, macsource rule takes precedence and the VLAN classification and rules applicable to macsource are applied to the port.Note
When specifying an action without an explicit "forward" or "deny" option, this is interpreted as an implicit permit, since the rule conditions are met. This type of action configuration does not appear in the output of the show policy access-list { [list_dot_ruleprofile-index profile_index ] | [ {matches [app-signature | ether | icmp6type | icmptype | ipdestsocket | ipfrag | ipproto | ipsourcesocket | iptos | ipttl | tcpdestportIP | tcpsourceportIP | udpdestportIP | udpsourceportIP ] {mask mask} {data data} } {actions [ {drop | forward } {cos cos} {-1} {mirror-destination control_index} {syslog ] } ] } {detail} command.When admin-profile macsource rule is configured and the port is not added to a VLAN, then the traffic arriving on this port is mapped to the admin-pid configured profile based on the port string. To map it to macsource, add the port to a VLAN.
Policy rules are based on traffic classifications. Administrative Policy and Policy Rule Traffic Classifications provides the supported policy rule traffic classification command options and definitions. All other traffic classifications are supported by standard policy.
A detailed discussion of supported traffic classifications is available in the “Traffic Classification Rules” section of the Extreme Management Center Policy Manager online help.
Traffic Classification | Description | Attribute ID | Enhanced Rule |
---|---|---|---|
macsource | Classifies based on MAC source address. | 1 | |
macdest | Classifies based on MAC destination address. | 2 | |
ip6dest | Classifies based on destination IPv6 address. | 10 | |
ipsourcesocket | Classifies based on source IP address. | 12 | |
ipdestsocket | Classifies based on destination IP address. | 13 | |
ip frag | Classifies based on IP fragmentation value. | 14 | |
udpsourceportip | Classifies based on UDP source port and optional post-fix IP address. | 15 | |
udpdestportip | Classifies based on UDP destination port and optional post-fix IP address. | 16 | |
tcpsourceportip | Classifies based on TCP source port and optional post-fix IP address. | 17 | |
tcpdestportip | Classifies based on TCP destination port and optional post-fix IP address. | 18 | |
icmp | Classifies based on ICMP type code. | 19 | |
ipttl | Classifies based on TTL. | 20 | |
iptos | Classifies based on Type of Service field in IP packet. | 21 | |
ipproto | Classifies based on protocol field in IP packet. | 22 | |
icmp6 | Classifies based on ICMPv6 type code. | 23 | |
ether | Classifies based on type field in Ethernet II packet. | 25 | |
application | Classifies based on Layer 7 DNS snooping. | 29 | |
port | Classifies based on port-string. | 31 | |
IPSourceL4Range | Classifies based on source IP address with post-fixed port-range. | 32 | |
IPDestL4Range | Classifies based on destination IP address with post-fixed port-range. | 33 | |
UDPSrcPortRange | Classifies based on UDP source port-range with optional post-fix IPv4 address. | 34 | |
UDPDestPortRange | Classifies based on UDP destination port-range with optional post-fix IPv4 address. | 35 | |
TCPSrcPortRange | Classifies based on TCP source port-range with optional post-fix IPv4 address. | 36 | |
TCPDestPortRange | Classifies based on TCP destination port-range with optional post-fix IPv4 address. | 37 |
A data value is associated with most traffic classifications to identify the specific network element for that classification. For data value and associated mask details, see the “Syntax Description” table in the configure policy rule profile_index [{app-signature group group name name} | ether ether | icmp6type icmp6type | icmptype icmptype | ip6dest ip6dest |ipdestsocket ipdestsocket | ipfrag | ipproto ipproto | ipsourcesocket ipsourcesocket | iptos iptos | ipttl ipttl | macdest macdest | macsource macsource | port port | tcpdestportIP tcpdestportIP | tcpsourceportIP tcpsourceportIP | udpdestportIP udpdestportIP | udpsourceportIP udpsourceportIP ] {mask mask } {port-string [ port_string | all]} {storage-type [non-volatile | volatile]} {drop | forward} {syslog syslog} {trap trap} {cos cos } {mirror-destination control_index} {clear-mirror} command in the Switch Engine 32.2 Command Reference Guide .