configure policy rule

configure policy rule profile_index [{app-signature group group name name} | ether ether | icmp6type icmp6type | icmptype icmptype | ip6dest ip6dest |ipdestsocket ipdestsocket | ipfrag | ipproto ipproto | ipsourcesocket ipsourcesocket | iptos iptos | ipttl ipttl | macdest macdest | macsource macsource | port port | tcpdestportIP tcpdestportIP | tcpsourceportIP tcpsourceportIP | udpdestportIP udpdestportIP | udpsourceportIP udpsourceportIP ] {mask mask } {port-string [ port_string | all]} {storage-type [non-volatile | volatile]} {drop | forward} {syslog syslog} {trap trap} {cos cos } {mirror-destination control_index} {clear-mirror}

Description

Use this command to assign incoming untagged frames to a specific policy profile and to VLAN or CoS classification rules.

Syntax Description

port Port string.
port Port string - (data: 1; mask: 16).
app-signature Associates an application signature to a policy profile.
group Associates an application signature group to a policy profile
group Specifies the group name.
name Associates an application signature name to a policy profile.
name Specifies the display name assigned to the application signature. Maximum of 32 characters. To see name choices, use the show policy app-signature group {group {name name}} {built-in | custom {detail} | detail} command.
macsource MAC source address.
macsource MAC source address - (data: a-b-c-d-e-f; mask: 1-48).
macdest MAC destination address.
macdest MAC destination address - (data: a-b-c-d-e-f; mask: 1-48).
ip6dest IPv6 address.
ip6dest IPv6 address (data: aaaa::bbbb; mask 1-128).
ipsourcesocket Source IP address / Source IpSocket.
ipsourcesocket Source IP address (data: a.b.c.d[:ab (0-65535)[-cd (0-65535)]]; mask: 1-48, 64).
ipdestsocket Destination IP address / Destination IpSocket.
ipdestsocket Destination IP address (data: a.b.c.d[:ab (0-65535) [-cd (0-65535)]]; mask: 1-48,64).
ipfrag IP fragmentation flag.
tcpdestportIP TCP port dst with optional post-fix IPv4 address.
tcpdestportIP TCP port dst with optional post-fix IPv4 address - (data: ab[-cd][:c.d.e.f]); mask: 1-64).
udpdestportIP UDP port dst with optional post-fix IPv4 address.
udpdestportIP UDP port dst with optional post-fix IPv4 address - (data: ab[-cd][:c.d.e.f]); mask: 1-64.
tcpsourceportIP TCP port src with optional post-fix IPv4 address.
tcpsourceportIP TCP port src with optional post-fix IPv4 address - (data: ab[-cd][:c.d.e.f]); mask: 1-64.
udpsourceportIP UDP port src with optional post-fix IPv4 address.
udpsourceportIP UDP port src with optional post-fix IPv4 address - (data: ab[-cd][:c.d.e.f]); mask: 1-64.
ipttl IP time to live.
ipttl ipttl IP time to live (data: 0-255 or 0x0-0xFF; mask:1-8).
iptos IPv4 type of service / IPv6 traffic class field.
iptos ipproto Protocol field in IP packet - (data: 0-255 or 0x0-0xFF; mask: 1-8).
ipproto Protocol field in IP packet.
ipproto Protocol field in IP packet - (data: 0-255 or 0-0xFF; mask: 1-8).
ether Type field in Ethernet II packet.
ether Type field in Ethernet II packet - (data: 0-65535 or 0x0-0xFFFF; mask: 1-16).
icmp6type Specifies type code in ICMPv6 packet.
icmp6type ICMPv6 type code [(data: 123.456 (dotted-decimal) or AB-CD (dashed-hexadecimal)] mask: 1–16).
icmptype Specifies type code in ICMP packet.
icmptype ICMP type code (data: a.b; mask: 1–16).
cos Class of Service [0–255] or -1 for no CoS or forwarding behavior modification is desired
cos Class of Service [0–255] or -1 for no CoS or forwarding behavior modification is desired.
mirror-destination Specifies selecting a mirror destination control index.
mirror-destination Selects the mirror destination control index. Range is 1 to 4.
clear-mirror Clears mirroring on this rule.
syslog Specifies setting a Syslog action when rule is used.
syslog

Enable/disable/prohibit Syslog using event Policy.LogRuleHit on first rule use.

By default, a Syslog entry only occurs on the first use of the rule. You can change this using the configure policy syslog [machine-readable machine_readable | extended-format extended_format | every-time every_time] command.

trap Specifies setting a trap action when rule is first used.
trap Enable/disable/prohibit trap on first rule use.

Default

Usage Guidelines

Classification rules are automatically enabled when created.

Note

Note

ExtremeSwitching X440-G2 and X620 series switches do not support macsource, macdest, or ip6dest classification rule types. Example:
# configure policy rule 1 macsource 00-00-00-00-00-01 port-string 3 drop
ERROR: Set failed!
Note

Note

The ExtremeSwitching X870 does not support a port-string with the ip6dest classification rule type.

Example

This example shows how to create (and enable) a classification rule to associate with policy number 1. This rule will drop Ethernet II Type 1526 frames:
# configure policy rule 1 ether 1526 drop
This example shows how to create (and enable) a classification rule to associate with policy profile number 5. This rule specifies that UDP frames from source port 45 will be forwarded:
# configure policy rule 5 udpsourceportip 45 forward forward

The following example associates the application signature with group "Storage and name "mike1" to policy rule "2" to block traffic:

# configure policy rule 2 app-signature group "Storage" name "mike1" drop

History

This command was first available in ExtremeXOS 16.1.

ICMP and ICMPv6 rule types added in ExtremeXOS 22.5.

Applying mirrors to policies and Syslog/trap actions on rule use was added in ExtremeXOS 30.2.

Application signature capability was added in ExtremeXOS 30.4.

Platform Availability

This command is available on ExtremeSwitching 5320, 5420, 5520, and 5720 series switches.