Specifications

ManualsBrandsEnterasys ManualsComputer equipmentN Standalone (NSA) Series

211

212

213

214

215

216

217

218

219

220

Policy Configuration Example

May 18, 2009 Page 22 of 32

Roles

Theexampledefinesthefollowingroles:

• guest‐Usedasthedefaultpolicyforallunauthenticatedports.ConnectsaPCtothenetwork

providinginternetonlyaccesstothenetwork.Providesguestaccesstoalimitednumberof

N3portstobeusedspecificallyfor internetonlyaccess.Policyisapplied

usingtheportlevel

defaultconfiguration,orbyauthentication,inthecaseoftheN3portinternetonlyaccessPCs.

• student‐ConnectsadormroomPCtothenetworkthrougha“Student”SecureStackC3port.

AconfiguredCoSratelimitsthePC.Configuredrulesdenyaccesstoadministrativeand

facultyservers.

ThePCauthenticatesusingRADIUS.Hybridauthenticationisenabled.The

studentpolicyroleisappliedusingthefilter‐IDattribute.ThebaseVLANisappliedusingthe

tunnelattributesreturnedintheRADIUSresponsemessage.Ifallrulesaremissed,the

settingsconfiguredinthestudentpolicyprofileareapplied.

• phoneSS‐ConnectsadormroomorfacultyofficeVoIPphonetothenetworkusinga

SecureStackport.AconfiguredCoSratelimitsthephoneandappliesahighpriority.The

phoneauthenticatesusingRADIUS.Hybridauthenticationisenabled.Policyisappliedusing

thefilter‐IDreturnedintheRADIUSresponse

message.ThebaseVLANisappliedusingthe

tunnelattributesreturnedintheRADIUSresponsemessage.Ifallrulesaremissed,the

settingsconfiguredinthephoneSSpolicyprofileareapplied.

• faculty‐ConnectsafacultyofficePCtothe networkthrougha“Faculty”SecureStackC3port.

AconfiguredCoSratelimits

thePC.Aconfiguredruledeniesaccesstotheadministrative

servers.ThePCauthenticatesusingRADIUS.Hybridauthenticationisenabled.Thefaculty

policyroleisappliedusingthefilter‐IDattribute.ThebaseVLANisappliedusingthetunnel

attributesreturnedintheRADIUSresponsemessagefortheauthenticatinguser.

Ifallrules

aremissed,thesettingsconfiguredinthefacultypolicyprofileareapplied.

• phoneN3‐ConnectsaservicesVoIPphonetothenetworkusinganN3port.Aconfigured

CoSratelimitsthephoneforbothsetupandpayload,andappliesahighpriority.Thephone

authenticatesusingRADIUS.

Tunnelauthenticationisenabled.ThebaseVLANisapplied

usingthetunnelattributesreturnedintheRADIUSresponsemessage.Policyisappliedusing

amaptableconfiguration.Ifallrulesaremissed,thesettingsconfiguredinthephoneN3

policyprofileareapplied.

• services‐ConnectsaservicesPCtothenetworkthroughan

N3port.AconfiguredCoSrate

limitsthePC.Services aredeniedaccesstoboththestudentandfacultyservers.ThePC

authenticatesusingRADIUS.ThebaseVLANisappliedusingthetunnelattributesreturned

intheRADIUSresp onsemessagefortheauthenticatinguser.Theservicespolicyroleis

applied

usingapolicymaptablesetting.Thepolicyaccounting,syslog,invalidactionand TCI

overwriteenhancedpoliciesareenabledforthisrole.Ifallrulesaremissed,thesettings

configuredintheservicespolicyprofileareapplied.

• distribution‐TheDistributionpolicyroleisappliedatthedistributionlayerprovidingrate

limiting.

Policy Domains

Itisusefultobreakuppolicyimplementationintologicaldomainsforeaseofunderstandingand

configuration.Forthisexample,itisusefultoconsiderfourdomains:basicedge,standardedgeon

theSecureStacks,premiumedgeontheN3,andpremiumdistribution.