Configuring Guest Policy on Edge Platforms

All edge ports will be set with a default guest policy using the configure policy port command. This guest policy provides internet-only access to the network. Users on all ports will attempt to authenticate. If the authentication succeeds, the policy returned by authentication or, in the case of the Services Edge Switch configuration, the maptable setting, overrides the default port policy setting. If authentication fails, the guest policy is used.

On the Services Edge Switch, five ports are used by PCs at locations throughout the campus, such as the library, to provide access to the internet. The PCs attached to these five ports will authenticate with the guest policy role. Public-facing services would also be configured for guest status in a school or enterprise scenario. Public-facing services are not part of this example.

Configuring the Policy Role

The guest role is configured with:
  • A profile-index value of 1
  • A name of guest
  • A PVID set to 0
  • A CoS set to 4

Create the guest policy profile on all platforms:

System->configure policy profile 1 name guest pvid-status enable pvid 0 cos-status enable cos 4

Assigning Traffic Classification Rules

For cases where discovery must take place to assign an IP address, DNS and DHCP traffic must be allowed. Forwarding of traffic is allowed on UDP source port 68 (IP address request) and UDP destination ports 53 (DNS) and 67 (DHCP).

System->configure policy rule 1 udpsourceport 68 mask 16 forward
System->configure policy rule 1 udpdestportIP 53 mask 16 forward
System->configure policy rule 1 udpdestportIP 67 mask 16 forward

The guest policy allows internet traffic. Traffic to TCP destination ports 80, 8080, and 443 will be forwarded.

System->configure policy rule 1 tcpdestportIP 80 mask 16 forward
System->configure policy rule 1 tcpdestportIP 443 mask 16 forward
System->configure policy rule 1 tcpdestportIP 8080 mask 16 forward

ARP forwarding is required, so traffic with EtherType 0x806 must be forwarded.

System->configure policy rule 1 ether 0x806 mask 16 forward
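
As an added example (not part of the original configuration guide), the Python script below audits a saved configuration against the guest rules listed in this section and reports rules that are missing or that go beyond the allow list. The function names and the sample text are constructed for illustration, and treating an IP suffix on the classifier keyword as optional is an assumption of this example.

```python
import re

# Guest allow list from the rules on this page: (classifier, value) -> action
EXPECTED = {
    ("udpsourceport", 68): "forward",  # IP address request
    ("udpdestport", 53): "forward",    # DNS
    ("udpdestport", 67): "forward",    # DHCP
    ("tcpdestport", 80): "forward",
    ("tcpdestport", 443): "forward",
    ("tcpdestport", 8080): "forward",
    ("ether", 0x806): "forward",       # ARP
}
RULE_RE = re.compile(
    r"configure\s+policy\s+rule\s+(\d+)\s+(\w+)\s+(\S+)\s+mask\s+\d+\s+(\w+)", re.I)

def parse_rules(config_text, profile=1):
    """Return {(classifier, value): action} for one profile index."""
    rules = {}
    for line in config_text.splitlines():
        m = RULE_RE.search(line)
        if not m or int(m.group(1)) != profile:
            continue
        classifier = m.group(2).lower()
        if classifier.endswith("ip"):      # assumption: IP suffix is optional
            classifier = classifier[:-2]
        try:
            value = int(m.group(3), 0)     # base 0 accepts 80 and 0x806
        except ValueError:
            value = m.group(3)             # keep non-numeric values verbatim
        rules[(classifier, value)] = m.group(4).lower()
    return rules

def audit_guest_profile(config_text, profile=1):
    """Return (missing, unexpected) rule keys relative to EXPECTED."""
    actual = parse_rules(config_text, profile)
    missing = sorted((k for k in EXPECTED if actual.get(k) != EXPECTED[k]), key=str)
    unexpected = sorted((k for k in actual if k not in EXPECTED), key=str)
    return missing, unexpected

# Constructed sample: the 8080 rule is absent and a port 23 rule was added
SAMPLE = """\
System->configure policy rule 1 udpsourceport 68 mask 16 forward
System ->configure policy rule 1 udpdestportIP 53 mask 16 forward
System->configure policy rule 1 udpdestportIP 67 mask 16 forward
System->configure policy rule 1 tcpdestportIP 80 mask 16 forward
System->configure policy rule 1 tcpdestportIP 443 mask 16 forward
System->configure policy rule 1 ether 0x806 mask 16 forward
System->configure policy rule 1 tcpdestportIP 23 mask 16 forward
System->configure policy rule 2 tcpdestportIP 22 mask 16 forward
"""

if __name__ == "__main__":
    print(audit_guest_profile(SAMPLE))
```

An empty result for both lists means the guest profile carries exactly the rules documented here; rules for other profile indexes are ignored.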

Assigning the Guest Policy Profile to All Edge Ports

Assign the guest policy profile to all Fixed Switch and Services Edge Switch ports.

System->configure policy port 1-47 1