Applying A Default Policy; Applying Policies Dynamically; Blocking Non-Edge Protocols At The Edge Network Layer; Non-Edge Protocols - Enterasys C5G124-24 Configuration Manual

Fixed switch platforms

Policy Configuration Overview

Applying a Default Policy

The following example assigns a default policy with index 100 to all user ports (ge.1.1 through
ge.1.22) on a switch:
System(su)-> set policy port ge.1.1-22 100

Applying Policies Dynamically

Dynamic policy assignment requires that users authenticate through a RADIUS server.
Information is returned in the RADIUS Access-Accept response message that tells the switch that
the user has successfully authenticated and what policy profile to assign to the user.
The RADIUS server can return a Filter-ID attribute that specifies the name of the policy to apply to
the authenticated user. Alternatively, the RADIUS server can return VLAN-tunnel-attributes that
can be used to assign the user to a VLAN and/or a policy.
Refer to "Remote Authentication Dial-In Service (RADIUS)" on page 10-7 for more information
about configuring dynamic policy assignment as part of the authentication process.
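The following is an added example, not code from the Enterasys manual, showing what a switch has to do with the Access-Accept described above before it can trust the policy assignment: verify the Response Authenticator against the shared secret and the authenticator of the original request (RFC 2865), then read Filter-ID and the VLAN tunnel attributes Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID (RFC 2868/3580). The packet, shared secret, request authenticator and the policy name "Enterprise User" are all constructed for the example, and the code assumes the Filter-ID string is the bare policy name.

```python
"""Verify a RADIUS Access-Accept and derive the policy/VLAN assignment.

Added example, not part of the Enterasys manual. The packet is built in
memory from constructed values so the script runs offline.
"""
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11                 # RFC 2865
ATTR_TUNNEL_TYPE = 64               # RFC 2868
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13               # RFC 3580
TUNNEL_MEDIUM_802 = 6


def _attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("BB", atype, 2 + len(value)) + value


def build_access_accept(ident, request_auth, secret, attrs):
    """Assemble an Access-Accept whose Response Authenticator is valid."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attributes(packet):
    """Walk the attribute TLVs that follow the 20-byte header."""
    attrs, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def _tunnel_value(raw):
    """Strip the optional leading tag byte (0x00-0x1F) of a tunnel attribute."""
    return raw[1:] if raw and raw[0] <= 0x1F else raw


def policy_from_access_accept(packet, request_auth, secret):
    """Return {'policy': name, 'vlan': id} or None if the reply is untrusted."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None   # forged or tampered reply: assign nothing from it
    result = {"policy": None, "vlan": None}
    tunnel_type = medium = group = None
    for atype, value in parse_attributes(packet):
        if atype == ATTR_FILTER_ID:
            result["policy"] = value.decode()          # assumption: bare policy name
        elif atype == ATTR_TUNNEL_TYPE:
            tunnel_type = int.from_bytes(_tunnel_value(value), "big")
        elif atype == ATTR_TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(_tunnel_value(value), "big")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            group = _tunnel_value(value).decode()
    # Only honour the VLAN when the three tunnel attributes agree on 802 VLAN
    if tunnel_type == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_802 and group:
        result["vlan"] = int(group)
    return result


# Constructed sample: a shared secret, the request authenticator and a reply
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_access_accept(7, REQUEST_AUTH, SECRET, [
    (ATTR_FILTER_ID, b"Enterprise User"),
    (ATTR_TUNNEL_TYPE, b"\x00\x00\x00\x0d"),          # tag 0, VLAN
    (ATTR_TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),   # tag 0, IEEE 802
    (ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"100"), # tag 0, VLAN 100
])


def tampered_sample():
    """Same reply with one attribute byte flipped, as an attacker-in-path would leave it."""
    pkt = bytearray(SAMPLE_ACCEPT)
    pkt[-1] ^= 0x01
    return bytes(pkt)


if __name__ == "__main__":
    print(policy_from_access_accept(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
    print(policy_from_access_accept(tampered_sample(), REQUEST_AUTH, SECRET))
```

The authenticator check is the part that matters operationally: a reply that fails it must not change the port's policy or VLAN, because the Filter-ID and tunnel attributes are plain text and anyone who can inject UDP toward the switch can write them.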

Blocking Non-Edge Protocols at the Edge Network Layer

Edge clients should be prevented from acting as servers for a number of IP services. If non-edge IP
services accidentally or maliciously attach to the edge of the network, they are capable of disrupting
network operation. IP services should only be allowed where and when your network design
requires.
Table 16-4 identifies several IP services you should consider blocking at the edge unless
allowing them is part of your network architecture. See "Assigning Traffic Classification Rules" on
page 16-16 for an example of how to configure a subset of these recommended IP services to drop
traffic at the edge.

Table 16-4 Non-Edge Protocols

Protocol: DHCP Server Protocol
Policy Effect: Every network needs DHCP. Automatically mitigate the accidental or malicious
connection of a DHCP server to the edge of your network to prevent DoS or data integrity issues,
by blocking DHCP on the source port for this device.

Protocol: DNS Server Protocol
Policy Effect: DNS is critical to network operations. Automatically protect your name servers from
malicious attack or unauthorized spoofing and redirection, by blocking DNS on the source port for
this device.

Protocol: Routing Topology Protocols
Policy Effect: RIP, OSPF, and BGP topology protocols should only originate from authorized
router connection points to ensure reliable network operations.

Protocol: Router Source MAC and Router Source IP Address
Policy Effect: Routers and default gateways should not be moving around your network without
approved change processes being authorized. Prevent DoS, spoofing, data integrity and other
router security issues by blocking router source MAC and router source IP addresses at the edge.

Protocol: SMTP/POP Server Protocols
Policy Effect: Prevent data theft and worm propagation by blocking SMTP at the edge.

Protocol: SNMP Protocol
Policy Effect: Only approved management stations or management data collection points need to
be speaking SNMP. Prevent unauthorized users from using SNMP to view, read, or write
management information.

Protocol: FTP and TFTP Server Protocols
Policy Effect: Ensure file transfers and firmware upgrades are only originating from authorized
file and configuration management servers.

16-8 Configuring Policy
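The following is an added example, not code from the Enterasys manual or the switch itself, showing how the services in Table 16-4 translate into traffic fingerprints that can be checked on edge-port ingress, with a per-port exemption for services that are part of the network design. The flow records, port names, gateway MAC/IP and the exemption list are constructed; the port numbers are the IANA assignments for each service (OSPF is matched by IP protocol, since it has no transport ports).

```python
"""Classify edge-port flows against the non-edge services of Table 16-4.

Added example, not part of the Enterasys manual. Server-side services are
recognised by their source port, client-side abuse (SNMP polling, SMTP
relaying from a client) by destination port; router impersonation is
matched on the known gateway MAC and IP.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Flow:
    port: str                 # ingress switch port, e.g. "ge.1.5"
    src_mac: str
    src_ip: str
    proto: str                # "tcp", "udp", "ospf"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


# Constructed for this example: addresses of the real default gateway.
ROUTER_MACS = {"00:11:22:33:44:55"}
ROUTER_IPS = {"192.0.2.1"}

# (label, ip proto, source port, destination port); None matches anything.
NON_EDGE_RULES = [
    ("DHCP server", "udp", 67, None),
    ("DNS server", "udp", 53, None),
    ("DNS server", "tcp", 53, None),
    ("RIP", "udp", 520, None),
    ("OSPF", "ospf", None, None),        # IP protocol 89, no ports
    ("BGP", "tcp", 179, None),
    ("SMTP", "tcp", 25, None),           # client acting as mail server
    ("SMTP", "tcp", None, 25),           # worm-style direct relaying
    ("POP3 server", "tcp", 110, None),
    ("SNMP", "udp", None, 161),          # unauthorised manager polling agents
    ("SNMP", "udp", None, 162),          # unauthorised trap injection
    ("FTP server", "tcp", 21, None),
    ("TFTP server", "udp", 69, None),
]


def match_rule(flow):
    """Return the Table 16-4 label the flow matches, or None."""
    if flow.src_mac in ROUTER_MACS or flow.src_ip in ROUTER_IPS:
        return "Router source MAC/IP"
    for label, proto, sport, dport in NON_EDGE_RULES:
        if flow.proto != proto:
            continue
        if sport is not None and flow.src_port != sport:
            continue
        if dport is not None and flow.dst_port != dport:
            continue
        return label
    return None


def evaluate(flows, authorized):
    """authorized maps a port to the set of labels the network design allows there."""
    verdicts = []
    for f in flows:
        label = match_rule(f)
        if label is None or label in authorized.get(f.port, set()):
            verdicts.append((f.port, "permit", label))
        else:
            verdicts.append((f.port, "drop", label))
    return verdicts


# Constructed sample flows: a rogue DHCP server, ordinary HTTPS, a host
# spoofing the gateway, SNMP polling from a user port, and a DHCP server on
# the one port where the design allows it.
SAMPLE_FLOWS = [
    Flow("ge.1.5", "00:aa:bb:cc:dd:01", "192.0.2.50", "udp", 67, 68),
    Flow("ge.1.5", "00:aa:bb:cc:dd:01", "192.0.2.50", "tcp", 49152, 443),
    Flow("ge.1.7", "00:11:22:33:44:55", "192.0.2.77", "tcp", 40000, 80),
    Flow("ge.1.9", "00:aa:bb:cc:dd:09", "192.0.2.90", "udp", 50000, 161),
    Flow("ge.1.23", "00:aa:bb:cc:dd:23", "192.0.2.10", "udp", 67, 68),
]
AUTHORIZED = {"ge.1.23": {"DHCP server"}}

if __name__ == "__main__":
    for verdict in evaluate(SAMPLE_FLOWS, AUTHORIZED):
        print(verdict)
```

The exemption dictionary is the code form of the sentence "unless allowing them is part of your network architecture": the rule set stays uniform across user ports, and only the ports that legitimately host a service are listed.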
