set policy rule
Usage
An admin rule can be used to map incoming tagged frames to a policy role (profile). There can be
only one admin rule configured per system (stack). Typically, this rule is used to implement the
"User + IP phone" feature. Refer to "Configuring Multi‐User Authentication (User + IP phone)" on
page 23‐33 for more information. You would configure a policy profile/role for IP phones (for
example, assigning the traffic to a "voice" VLAN), then associate that policy profile with the
admin rule, and associate the admin rule with the desired ports. Users authenticating over the
same port will typically use a dynamically assigned policy role.
A policy classification rule has two main parts: Traffic Description and Actions. The Traffic
Description identifies the type of traffic to which the rule will pertain. Actions specify whether
that traffic will be assigned class of service, assigned to a VLAN, or both.
Table 11‐3 provides the set policy rule data values that can be entered for a particular parameter,
and the mask bits that can be entered for each classifier associated with that parameter.

Table 11-3 Valid Values for Policy Classification Rules

Classification Rule Parameter | data value | mask bits
ether | Type field in Ethernet II packet: 1536 - 65535 or 0x600 - 0xFFFF | Not applicable.
icmptype | ICMP Type: a.b | Not applicable.
ipproto | Protocol field in IP packet: 0 - 255 or 0 - 0xFF | Not applicable.
Destination or Source IP Address: ipdestsocket, ipsourcesocket | IP Address in dotted decimal format: 000.000.000.000 and (Optional) post-fixed port: 0 - 65535 | 1 - 48
iptos | Type of Service field in IP packet: 0 - 252 or 0 - 0xFC | Not applicable.
Destination or Source MAC: macdest, macsource | MAC Address: 00-00-00-00-00-00 | 1 - 48
Destination or Source TCP port: tcpdestport, tcpsourceport | TCP Port Number: 0 - 65535 or 0 - 0xFFFF | 1 - 16
Destination or Source UDP port: udpsourceport, udpdestport | UDP Port Number: 0 - 65535 or 0 - 0xFFFF | 1 - 16
vlantag | VLAN tag: 1 - 4094 | Not applicable.

Examples
This example shows how to use Table 11‐3 to assign a rule to policy profile 3 that will filter
Ethernet II Type 1526 frames to VLAN 7:
C2(su)->set policy rule 3 ether 1526 vlan 7
This example shows how to use Table 11‐3 to assign a rule to policy profile 5 that will forward
UDP packets from source port 45:
C2(su)->set policy rule 5 udpsourceport 45 forward
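The following is an added example, not part of the manual or any vendor tooling: a small Python lint that checks set policy rule lines against the data value and mask bit ranges in Table 11‐3, useful when reviewing a saved switch configuration. The "mask <bits>" token after the data value and the "ip:port" socket form are assumptions about the CLI syntax, and the sample lines are constructed.

```python
import ipaddress
import re

# Table 11-3 as data. RANGES: (min, max) of each numeric data value.
# MASK_MAX: largest mask per classifier; absent means "Not applicable".
RANGES = {"ether": (1536, 65535), "ipproto": (0, 255), "iptos": (0, 252),
          "vlantag": (1, 4094), "tcpdestport": (0, 65535), "tcpsourceport": (0, 65535),
          "udpdestport": (0, 65535), "udpsourceport": (0, 65535)}
MASK_MAX = {"ipdestsocket": 48, "ipsourcesocket": 48, "macdest": 48, "macsource": 48,
            "tcpdestport": 16, "tcpsourceport": 16, "udpdestport": 16, "udpsourceport": 16}

def data_ok(cls, data):
    """True if data fits the Table 11-3 'data value' column for this classifier."""
    try:
        if cls in RANGES:
            return RANGES[cls][0] <= int(data, 0) <= RANGES[cls][1]  # decimal or 0x hex
        if cls.startswith("mac"):
            return bool(re.fullmatch(r"[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}", data))
        if cls == "icmptype":
            return bool(re.fullmatch(r"\d+\.\d+", data))   # a.b
        addr, _, port = data.partition(":")            # assumed ip[:port] form
        ipaddress.IPv4Address(addr)
        return port == "" or 0 <= int(port) <= 65535
    except ValueError:
        return False

def check_rule(line):
    """Return the problems found in one 'set policy rule' line; [] means clean."""
    tok = line.split("->")[-1].split()
    if tok[:3] != ["set", "policy", "rule"] or len(tok) < 6:
        return ["not a set policy rule command"]
    cls, data, rest = tok[4], tok[5], tok[6:]
    if cls not in RANGES.keys() | MASK_MAX.keys() | {"icmptype"}:
        return [f"unknown classifier {cls!r}"]
    problems = [] if data_ok(cls, data) else [f"{cls} data value {data!r} not valid"]
    if rest[:1] == ["mask"]:                           # assumed 'mask <bits>' syntax
        top, bits = MASK_MAX.get(cls), (rest[1] if len(rest) > 1 else "")
        if top is None:
            problems.append(f"mask not applicable to {cls}")
        elif not (bits.isdigit() and 1 <= int(bits) <= top):
            problems.append(f"{cls} mask must be 1 - {top}")
    return problems

# Constructed sample lines, not taken from a real switch configuration
SAMPLE = ["C2(su)->set policy rule 3 ether 0x8100 vlan 7",
          "C2(su)->set policy rule 5 udpsourceport 70000 forward",
          "C2(su)->set policy rule 5 iptos 8 mask 4 forward"]
if __name__ == "__main__":
    for s in SAMPLE:
        print(s, "=>", check_rule(s) or "ok")
```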