Specifications

ManualsBrandsEnterasys ManualsComputer equipmentN Standalone (NSA) Series

191

192

193

194

195

196

197

198

199

200

Policy Overview

May 18, 2009 Page 4 of 32

networkaccess andresourceusagealignwiththesecurityrequirements,networkcapabilities,and

legitimateuserneedsasdefinedbythenetworkadministra tor.

The Policy Role

Arole,suchassales,admin,orengineering,isfirstidentifiedanddefinedintheabstractasthe

basisforconfiguringapolicyrole.Oncearoleisdefined,apolicyroleisconfiguredandappliedto

theappropriatecontextusingasetofrulesthatcancontrolandprioritizevarious

typesofnetwork

traffic.Therulesthatmakeupapolicyrolecontainbothclassificationdefinitionsandactionstobe

enforcedwhenaclassificationismatched.ClassificationsincludeLayer2,Layer3,andLayer4

packetfields.PolicyactionsthatcanbeenforcedincludeVLANassignment,filtering,inbound

ratelimiting,

outboundrateshaping,priorityclassmappingandlogging.

Policy Roles

Defining a Policy Role

Thepolicyroleisacontainerthatholdsallaspectsofpolicyconfigurationforaspecificrole.Policy

rolesareidentifiedbyanumericprofile‐indexvaluebetween1andthemaximumnumberofroles

supportedontheplatform.Pleaseseeyourdevice’sfirmwarereleasenotesforthemaximum

numberof

rolessupported.Policyrolesareconfiguredusingthesetpolicyprofilecommand.

Policyconfigurationiseitherdirectlyspecifiedwiththesetpolicyprofilecommandoris

associatedwiththerolebyspecifyingtheprofile‐indexvaluewithinthecommandsyntaxwhere

thegivenpolicyoptionisconfigured.Forexample,when

configuringapolicymaptableentry

usingthesetpolicymaptablecommand(seeVLAN‐to‐PolicyMappingonpage 5),thecommand

syntaxrequiresthatyouidentifythepolicyrolethemaptableentrywillbeassociatedwith,by

specifyingtheprofile‐index value.

Whenmodifyinganexistingpolicyrolethedefaultbehavioris

toreplacetheexistingrolewiththe

newpolicyroleconfiguration.Usetheappendoptiontolimitthechangetotheexistingpolicy

roletotheoptionsspecifiedintheenteredcommand.

Apolicyrolecanalso beidentifiedbyatextnameofbetween1and64characters.Thisname

value

isusedbytheRADIUSfilter‐IDattributetoidentifythepolicyroletobeapplied bytheswitch

withasuccessfulauthentication.

Setting a Default VLAN for this Role

AdefaultVLANcanbeconfiguredforapolicyrole.AdefaultVLANwillonlybeusedwhen

eitheraVLANisnotspecificallyassignedbyaclassificationruleorallpolicyroleclassification

rulesaremissed.ToconfigureadefaultVLAN,enablepvid‐statusandspecifytheportVLANto



beused.pvid‐statusisdisabledbydefault.

Note: Enterasys supports the assignment of port VLAN-IDs 1 - 4094 (4093 on the SecureStack

switch). VLAN-IDs 0 and 4095 can not be assigned as port VLAN-IDs, but do have special

meanings within a policy context and can be assigned to the pvid parameter (See the Configuring

VLANs feature guide at http://secure.enterasys.com/support/manuals/ for further information on

these two VLAN-IDs. Within a policy context:

• 0 - Specifies an explicit deny all

• 4095 - Specifies an explicit permit all