configure policy rule

configure policy rule profile_index [{app-signature group group name name} | ether ether | icmp6type icmp6type | icmptype icmptype | ip6dest ip6dest |ipdestsocket ipdestsocket | ipfrag | ipproto ipproto | ipsourcesocket ipsourcesocket | iptos iptos | ipttl ipttl | macdest macdest | macsource macsource | port port | tcpdestportIP tcpdestportIP | tcpsourceportIP tcpsourceportIP | udpdestportIP udpdestportIP | udpsourceportIP udpsourceportIP ] {mask mask } {port-string [ port_string | all]} {storage-type [non-volatile | volatile]} {drop | forward} {syslog syslog} {trap trap} {cos cos } {mirror-destination control_index} {clear-mirror}

Description

Use this command to assign incoming untagged frames to a specific policy profile and to VLAN or CoS classification rules.

Syntax Description


port	Port string.
`port`	Port string - (data: 1; mask: 16).
app-signature	Associates an application signature to a policy profile.
group	Associates an application signature group to a policy profile
`group`	Specifies the group name.
name	Associates an application signature name to a policy profile.
`name`	Specifies the display name assigned to the application signature. Maximum of 32 characters. To see name choices, use the show policy app-signature group {group {name name}} {built-in \| custom {detail} \| detail} command.
macsource	MAC source address.
`macsource`	MAC source address - (data: a-b-c-d-e-f; mask: 1-48).
macdest	MAC destination address.
`macdest`	MAC destination address - (data: a-b-c-d-e-f; mask: 1-48).
ip6dest	IPv6 address.
`ip6dest`	IPv6 address (data: aaaa::bbbb; mask 1-128).
ipsourcesocket	Source IP address / Source IpSocket.
`ipsourcesocket`	Source IP address (data: a.b.c.d[:ab (0-65535)[-cd (0-65535)]]; mask: 1-48, 64).
ipdestsocket	Destination IP address / Destination IpSocket.
`ipdestsocket`	Destination IP address (data: a.b.c.d[:ab (0-65535) [-cd (0-65535)]]; mask: 1-48,64).
ipfrag	IP fragmentation flag.
tcpdestportIP	TCP port dst with optional post-fix IPv4 address.
`tcpdestportIP`	TCP port dst with optional post-fix IPv4 address - (data: ab[-cd][:c.d.e.f]); mask: 1-64).
udpdestportIP	UDP port dst with optional post-fix IPv4 address.
`udpdestportIP`	UDP port dst with optional post-fix IPv4 address - (data: ab[-cd][:c.d.e.f]); mask: 1-64.
tcpsourceportIP	TCP port src with optional post-fix IPv4 address.
`tcpsourceportIP`	TCP port src with optional post-fix IPv4 address - (data: ab[-cd][:c.d.e.f]); mask: 1-64.
udpsourceportIP	UDP port src with optional post-fix IPv4 address.
`udpsourceportIP`	UDP port src with optional post-fix IPv4 address - (data: ab[-cd][:c.d.e.f]); mask: 1-64.
ipttl	IP time to live.
`ipttl`	ipttl IP time to live (data: 0-255 or 0x0-0xFF; mask:1-8).
iptos	IPv4 type of service / IPv6 traffic class field.
`iptos`	ipproto Protocol field in IP packet - (data: 0-255 or 0x0-0xFF; mask: 1-8).
ipproto	Protocol field in IP packet.
`ipproto`	Protocol field in IP packet - (data: 0-255 or 0-0xFF; mask: 1-8).
ether	Type field in Ethernet II packet.
`ether`	Type field in Ethernet II packet - (data: 0-65535 or 0x0-0xFFFF; mask: 1-16).
icmp6type	Specifies type code in ICMPv6 packet.
`icmp6type`	ICMPv6 type code [(data: 123.456 (dotted-decimal) or AB-CD (dashed-hexadecimal)] mask: 1–16).
icmptype	Specifies type code in ICMP packet.
`icmptype`	ICMP type code (data: a.b; mask: 1–16).
cos	Class of Service [0–255] or -1 for no CoS or forwarding behavior modification is desired
`cos`	Class of Service [0–255] or -1 for no CoS or forwarding behavior modification is desired.
mirror-destination	Specifies selecting a mirror destination control index.
`mirror-destination`	Selects the mirror destination control index. Range is 1 to 4.
clear-mirror	Clears mirroring on this rule.
syslog	Specifies setting a Syslog action when rule is used.
`syslog`	Enable/disable/prohibit Syslog using event Policy.LogRuleHit on first rule use. By default, a Syslog entry only occurs on the first use of the rule. You can change this using the configure policy syslog [machine-readable machine_readable \| extended-format extended_format \| every-time every_time] command.
trap	Specifies setting a trap action when rule is first used.
`trap`	Enable/disable/prohibit trap on first rule use.

Default

If mask is not specified, all data bits are considered relevant.
If port-string is not specified, rule is scoped to all ports.
By default, a Syslog or trap entry only occurs on the first use of the rule.

Usage Guidelines

Classification rules are automatically enabled when created.

Note

ExtremeSwitching X440-G2 and X620 series switches do not support macsource, macdest, or ip6dest classification rule types. Example:

# configure policy rule 1 macsource 00-00-00-00-00-01 port-string 3 drop
ERROR: Set failed!

Note

The ExtremeSwitching X870 does not support a port-string with the ip6dest classification rule type.

Example

This example shows how to create (and enable) a classification rule to associate with policy number 1. This rule will drop Ethernet II Type 1526 frames:

# configure policy rule 1 ether 1526 drop

This example shows how to create (and enable) a classification rule to associate with policy profile number 5. This rule specifies that UDP frames from source port 45 will be forwarded:

# configure policy rule 5 udpsourceportip 45 forward forward

The following example associates the application signature with group "Storage and name "mike1" to policy rule "2" to block traffic:

# configure policy rule 2 app-signature group "Storage" name "mike1" drop

History

This command was first available in ExtremeXOS 16.1.

ICMP and ICMPv6 rule types added in ExtremeXOS 22.5.

Applying mirrors to policies and Syslog/trap actions on rule use was added in ExtremeXOS 30.2.

Application signature capability was added in ExtremeXOS 30.4.

Platform Availability

This command is available on ExtremeSwitching 5320, 5420, 5520, and 5720 series switches.