This section presents configuration procedures and tables including command description and syntax in the following policy areas: profile, classification, and display.
Step | Task | Commands |
---|---|---|
1 | Create a policy role.
|
configure policy profile profile_index {name name} {pvid pvid} {pvid-status pvid_status} {cos cos} {cos-status cos_status} {egress-vlans egress_vlan_list}{forbidden-vlans forbidden_vlans} {untagged-vlans untagged_vlans} {append | clear} {tci-overwrite tci_overwrite} {precedence [precedence | default]} {auth-override auth_override} {nsi [nsi | none]} {web-redirect web_redir_index} {access-list [unassigned | list_name | list_name_placeholder]} |
2 | Optionally, for enhanced policy capable devices, assign the
action the device will apply to an invalid or unknown policy.
|
configure policy invalid action {default-policy | drop | forward} |
3 | Optionally, for enhanced policy capable devices, set a policy maptable entry that associates a VLAN with a policy profile. | configure policy maptable {vlan-list profile-index} |
4 | Optionally, set a policy maptable response.
|
configure policy maptable response {tunnel | policy | both} |
Step | Task | Command(s) |
---|---|---|
1 | Optionally set an administrative profile to assign traffic
classifications to a policy role. See Administrative Policy and Policy Rule Traffic Classifications for traffic classification-type descriptions and enhanced policy
information. See the set policy rule command discussion in the
command reference guide that comes with your device for traffic
classification data and mask information.
|
configure policy rule admin-profile [ macsource macsource | port port ] {mask mask } {port-string [port_string | all] } {storage-type [non-volatile | volatile]} {admin-pid admin_pid } |
2 | Optionally configure policy rules to
associate with a policy role. See Administrative Policy and Policy Rule Traffic Classifications for traffic classification-type
descriptions and enhanced policy information. See the configure policy rule
command discussion in the command reference guide that comes with
your device for traffic classification data and mask information.
|
configure policy rule profile_index [{app-signature group group name name} | ether ether | icmp6type icmp6type | icmptype icmptype | ip6dest ip6dest |ipdestsocket ipdestsocket | ipfrag | ipproto ipproto | ipsourcesocket ipsourcesocket | iptos iptos | ipttl ipttl | macdest macdest | macsource macsource | port port | tcpdestportIP tcpdestportIP | tcpsourceportIP tcpsourceportIP | udpdestportIP udpdestportIP | udpsourceportIP udpsourceportIP ] {mask mask } {port-string [ port_string | all]} {storage-type [non-volatile | volatile]} {drop | forward} {syslog syslog} {trap trap} {cos cos } {mirror-destination control_index} {clear-mirror} |
3 | Optionally, for enhanced policy capable devices, assign a policy role to a port. | configure policy port ports admin-id admin_id |
Step | Task | Command(s) |
---|---|---|
1 | Display policy role information. | show policy profile {all | profile-index [-detail]} |
2 | Display the action the device should take if asked to apply an invalid or unknown policy, or the number of times the device has detected an invalid/unknown policy, or both action and count information. | show policy invalid {action | count | all} |
3 | Display VLAN-ID to policy role mappings table. | show policy maptable [vlan-list] |
4 | Display policy classification and admin rule information. | show policy rule {all | app-signature | {profile-index profile_index | admin-profile} ether {ether} | icmp6type {icmp6type} | icmptype {icmptype} | ip6dest {ip6dest} | ipdest {ipdest} | ipfrag | ipproto {ipproto} | ipsource { ipsource } | iptos { iptos } | ipttl { ipttl } | macdest { macdest } | macsource { macsource } | port { port } | tcpdestportIP { tcpdestportIP } | tcpsourceportIP { tcpsourceportIP } | udpdestportIP { udpdestportIP } | udpsourceportIP { udpsourceportIP }} {mask mask } {port-string [ port_string | all]} {storage-type [non-volatile | volatile]} {drop | forward} {cos cos | admin-pid admin_pid }} {detail | wide} |
5 | Display all policy classification capabilities for this device. | show policy capability |
6 | Display a list of currently supported traffic rules applied to the administrative profile for one or more ports. | show policy allowed-type ports [detail] |
7 | Display status of dynamically assigned roles and the current status that the default of dynamically created rules will have in sending of Syslog messages or traps on rule applied. | show policy dynamic [override | syslog-default | trap-default ] |
8 | Display the Syslog parameters for policy rules. | show policy syslog {machine-readable} {extended-format} {every-time} |
9 | Display the interval at which the switch automatically clears rule usage statistics. | show policy autoclear interval |
10 | Display rule usage information when Syslog or trap actions have been set. | show policy rule port-hit {data} {detail} {wide} |
11 | Display captive portal settings. | show policy captive-portal {web-redirect {redirect_index | all} | listening | rule-use} |
12 | Display policy application signature information. | show policy app-signature group {group {name name}} {built-in | custom {detail} | detail} |
13 | Display the existing usage of policy slices. | show policy slices |
14 | Display access list information. | show policy access-list { [list_dot_ruleprofile-index profile_index ] | [ {matches [app-signature | ether | icmp6type | icmptype | ipdestsocket | ipfrag | ipproto | ipsourcesocket | iptos | ipttl | tcpdestportIP | tcpsourceportIP | udpdestportIP | udpsourceportIP ] {mask mask} {data data} } {actions [ {drop | forward } {cos cos} {-1} {mirror-destination control_index} {syslog ] } ] } {detail} |
15 | Shows the pre-defined action set for use in RADIUS Change of Authentication (CoA). | show policy access-list action-set {set_id} |
Step | Task | Command(s) |
---|---|---|
1 | Enable policy globally on the switch. | enable policy |
2 | Enable CEP detection globally on the switch. | configure policy convergence-endpoint [enable | disable] |
3 | Enable CEP detection type on one or more ports. | configure policy convergence-endpoint ports [<port_list> | all] [cisco | lldp-med] [enable | disable] |
4 | Configure a policy to apply to the detected CEP devices. | configure policy profile profile_index {name name} {pvid pvid} {pvid-status pvid_status} {cos cos} {cos-status cos_status} {egress-vlans egress_vlan_list}{forbidden-vlans forbidden_vlans} {untagged-vlans untagged_vlans} {append | clear} {tci-overwrite tci_overwrite} {precedence [precedence | default]} {auth-override auth_override} {nsi [nsi | none]} {web-redirect web_redir_index} {access-list [unassigned | list_name | list_name_placeholder]} |
5 | Assign the configured policy to the desired CEP detection type. | configure policy convergence-endpoint index index [cisco | lldp-med] |
Step | Task | Command(s) |
---|---|---|
1 | Define a role that has a valid captive portal web redirection class index. | configure policy profile profile_index {name name} {pvid pvid} {pvid-status pvid_status} {cos cos} {cos-status cos_status} {egress-vlans egress_vlan_list}{forbidden-vlans forbidden_vlans} {untagged-vlans untagged_vlans} {append | clear} {tci-overwrite tci_overwrite} {precedence [precedence | default]} {auth-override auth_override} {nsi [nsi | none]} {web-redirect web_redir_index} {access-list [unassigned | list_name | list_name_placeholder]} |
2 | Configure a captive portal server‘s HTTP redirect URL and enable it using the previously defined captive portal web redirection class index. | configure policy captive-portal web-redirect redirect_index server server_id {url redirect_url} {status} |
3 | Configure which L4 listening ports (sockets) to be redirected when a captive portal web-redirect is defined on a policy profile. | configure policy captive-portal listening socket_list |
4 | Set whether or not captive portal rules are programmed within the already reserved ACL rule space of ONEPolicy. | configure policy captive-portal rule-use [reserved | unreserved] |
Step | Task | Command(s) |
---|---|---|
1 | Create a "control group" (Mirror MIB) instance. | create mirror control_index |
2 |
Create one or more "physical" mirrors. Note:
MIB support (not CLI configured) adds a port to a mirror by the ports' Interface Index. In this case, the "physical" mirror is automatically created if there are resources and a matching "physical" mirror does not already exist. To assign a mirror with a remote-ip destination, the mirror must be configured before it can be added to a mirror control index. An interface index for the tunnel mirror is created at the time the tunnel mirror is created. This Interface Index can then be added to the mirror control_index. |
create mirror mirror_name {to [port port | port-list port_list loopback-port port] { remote-tag rtag } | {{ } {} { [ | ]}{ [ | ]} priority priority_value ]} {description mirror-desc} |
3 | Apply the physical mirrors to the control group instance using the add option. | configure mirror control_index [ add | delete ] mirror_name |
4 | Enable the control group (Mirror MIB) instance, and the physical mirrors. | enable mirror control_index {mirror mirror_name} |
5 | Apply the control group (Mirror MIB) instance to the desired policy using the control_index designator. | configure policy rule profile_index [{app-signature group group name name} | ether ether | icmp6type icmp6type | icmptype icmptype | ip6dest ip6dest |ipdestsocket ipdestsocket | ipfrag | ipproto ipproto | ipsourcesocket ipsourcesocket | iptos iptos | ipttl ipttl | macdest macdest | macsource macsource | port port | tcpdestportIP tcpdestportIP | tcpsourceportIP tcpsourceportIP | udpdestportIP udpdestportIP | udpsourceportIP udpsourceportIP ] {mask mask } {port-string [ port_string | all]} {storage-type [non-volatile | volatile]} {drop | forward} {syslog syslog} {trap trap} {cos cos } {mirror-destination control_index} {clear-mirror} |
Step | Task | Command(s) |
---|---|---|
1 | Configure a policy rule with a Syslog (syslog option) or trap (trap option) action. | configure policy rule profile_index [{app-signature group group name name} | ether ether | icmp6type icmp6type | icmptype icmptype | ip6dest ip6dest |ipdestsocket ipdestsocket | ipfrag | ipproto ipproto | ipsourcesocket ipsourcesocket | iptos iptos | ipttl ipttl | macdest macdest | macsource macsource | port port | tcpdestportIP tcpdestportIP | tcpsourceportIP tcpsourceportIP | udpdestportIP udpdestportIP | udpsourceportIP udpsourceportIP ] {mask mask } {port-string [ port_string | all]} {storage-type [non-volatile | volatile]} {drop | forward} {syslog syslog} {trap trap} {cos cos } {mirror-destination control_index} {clear-mirror} |
2 | Optionally, for Syslog, you can change the following
parameters:
|
configure policy syslog [machine-readable machine_readable | extended-format extended_format | every-time every_time] |
3 | Optionally, set the interval at which the switch automatically clears rule usage statistics. | configure policy autoclear {interval interval} |
4 | Optionally, clear the policy counters (rule usage) at any time. | clear counters policy |
Step | Task | Command(s) |
---|---|---|
1 | Configure the shared slice in the switch before enforcing additional configuration. | configure policy slices shared [{ shared } { l7GuaranteedPercentage l7GuaranteedPercentage } { dynAclGuaranteedPercentage dynAclGuaranteedPercentage}] |
2 | Configure a user-defined policy application signature. | configure policy app-signature group group name name [add | delete] pattern_list |
3 | Apply the signature to a policy rule using the app-signature, group, and name options. | configure policy rule profile_index [{app-signature group group name name} | ether ether | icmp6type icmp6type | icmptype icmptype | ip6dest ip6dest |ipdestsocket ipdestsocket | ipfrag | ipproto ipproto | ipsourcesocket ipsourcesocket | iptos iptos | ipttl ipttl | macdest macdest | macsource macsource | port port | tcpdestportIP tcpdestportIP | tcpsourceportIP tcpsourceportIP | udpdestportIP udpdestportIP | udpsourceportIP udpsourceportIP ] {mask mask } {port-string [ port_string | all]} {storage-type [non-volatile | volatile]} {drop | forward} {syslog syslog} {trap trap} {cos cos } {mirror-destination control_index} {clear-mirror} |
4 | Configure the number of slices that a profile with tci-overwrite-enabled uses. | configure policy slices {shared shared} {tci-overwrite slices} |
5 | Configure the number of slices used by shared features (Layer 7 policy and dynamic ACLs). | configure policy slices shared [{ shared } { l7GuaranteedPercentage l7GuaranteedPercentage } { dynAclGuaranteedPercentage dynAclGuaranteedPercentage}] |
6 | Optionally, configure the minimum time-to-live (TTL). | configure policy app-signature minimum-ttl [none | 1 | 5 | 10] |
Step | Task | Command(s) |
---|---|---|
1 | Enable ACL Style Policy. Select the rule model as access-list. | configure policy rule-model [access-list | hierarchical] |
2 | Create a policy access list and match criteria. Access list names are case sensitive. The list_dot_rule variable cannot match an existing one (using CLI namespace). At least 1, and no more than 5, match criteria can be selected, and at least 1 action must be selected. You cannot edit existing rules. You must delete and re-create rules if you need to make changes and want to use the same list_dot_rule name. Match conditions must be unique within an ACL and use them as a rule identifier in some cases, such as counters. For example create policy access-list ACL.ace produces an error when an ace entry that duplicates an existing "ace" exists in that ACL. Rules with the same match type with different data (IP/Port, etc.) within that the rule are accepted. ACL
Style Policy supports the following rule match types:
ACL rules can combine up to 5 match types in a
single rule. However, there are a few limitations for specified
combinations:
Actions: When forward/deny is not specified in the rule, the rule action is interpreted as "forward" by default. This is an implicit permit, since the rule is triggered. |
create policy access-list list_dot_rule {matches [ {app-signature group group name name} {ether ether {mask ether_mask}} {icmp6type icmp6type {mask icmp6_mask}} {icmptype icmptype {mask icmp_mask}} {ipdestsocket ipdestsocket {mask ipdest_mask}} {ipfrag} {ipproto ipproto {mask ipproto_mask}} {ipsourcesocket ipsourcesocket {mask ipsrc_mask}} {iptos iptos {mask iptos_mask}} {ipttl ipttl {mask ipttl_mask} {tcpdestportIP tcpdestportIP {mask tcpdest_mask}} {tcpsourceportIP tcpsourceportIP {mask tcpsrc_mask}} {udpdestportIP udpdestportIP {mask udpdest_mask}} {udpsourceportIP udpsourceportIP {mask udpsrc_mask}} ] } {actions [ {cos cos} {drop | forward} {mirror-destination control_index} {syslog}]} |
3 | Add rules and configure the rule precedence list for an access list. | configure policy access-list [rule-precedence [list_dot_rule [after member_rule | before member_rule | first | last ] ] ] |
4 | Assign access list to a profile using the
access-list option. Note: Use the unassigned option to remove an access
list.
You can configure the access list name when configuring the policy profile index and create access list rules for the access list later (step 2). An access list must contain at least one rule and is not active until it is assigned to a profile. Assigning a different access list to the same policy profile index overwrites any previous assignment. An access list cannot be assigned to more than one policy profile index. You must unassigned the access list from the current policy profile index before it can be associated with another policy profile index. |
configure policy profile profile_index {name name} {pvid pvid} {pvid-status pvid_status} {cos cos} {cos-status cos_status} {egress-vlans egress_vlan_list}{forbidden-vlans forbidden_vlans} {untagged-vlans untagged_vlans} {append | clear} {tci-overwrite tci_overwrite} {precedence [precedence | default]} {auth-override auth_override} {nsi [nsi | none]} {web-redirect web_redir_index} {access-list [unassigned | list_name | list_name_placeholder]} |
5 | (Optional) Delete policy access lists and/or rules. You can remove a specific rule or remove all the rules from an access list, or remove all access lists and their rules. |
delete policy access-list [all-rules | list_dot_rule] |