Specifications
Policy Configuration Example
May 18, 2009 Page 26 of 32
Students should only be allowed access to the services server (subnet 10.10.50.0/24) and should be
denied access to both the administrative (subnet 10.10.60.0/24) and faculty servers (subnet
10.10.70.0/24).
StudentC3(rw)->set policy rule 2 ipdestsocket 10.10.60.0 mask 24 drop
StudentC3(rw)->set policy rule 2 ipdestsocket 10.10.70.0 mask 24 drop
Configuring PhoneSS Policy for the Edge SecureStack C3
Configuring the Policy Role
The phoneSS role is configured on both the dorm room and faculty office C3s with:
• A profile‐index of 3
• A name of phoneSS
• A port VLAN of 11
• A CoS of 10
Because we cannot apply separate rate limits to the phone setup and payload ports on the C3
using policy rules, apply CoS 10 with the higher payload appropriate rate limit of 100kbps and a
high priority of 6 to the phoneSS role.
C3(rw)->set policy profile 3 name phoneSS pvid-status enable pvid 11 cos-status enable cos 10
Assigning Traffic Classification Rules
Drop traffic for protocols SNMP (161), SSH (22), Telnet (23) and FTP (20 and 21) on the phone
VLAN. Forward traffic on UDP source port for IP address request (68) and forward traffic on UDP
destination ports for protocols DHCP (67) and DNS (53) on the phone VLAN, to facilitate phone
auto configuration and IP address assignment.
C3(rw)->set policy rule 3 udpdestportIP 161 mask 16 drop
C3(rw)->set policy rule 3 tcpdestportIP 22 mask 16 drop
C3(rw)->set policy rule 3 tcpdestportIP 23 mask 16 drop
C3(rw)->set policy rule 3 tcpdestportIP 20 mask 16 drop
C3(rw)->set policy rule 3 tcpdestportIP 21 mask 16 drop
C3(rw)->set policy rule 3 udpsourceport 68 mask 16 forward
C3(rw)->set policy rule 3 udpdestportIP 67 mask 16 forward
C3(rw)->set policy rule 3 udpdestportIP 53 mask 16 forward
Assigning Hybrid Authentication
Configure the RADIUS server user accounts with the appropriate tunnel information using VLAN
authorization and policy filter‐ID for phoneSS role members and devices. Enable hybrid
authentication, allowing the switch to use both the filter‐ID and tunnel attributes in the RADIUS
response message. Set a VLAN‐to‐policy mapping as backup in case the response does not include
the RADIUS filter‐ID attribute. This mapping is ignored if RADIUS filter‐ID attribute is present in
the RADIUS response message.
C3(rw)->set policy maptable response both
C3(rw)->set policy maptable 11 3
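The following Python sketch is an added example, not part of the original guide or of the switch firmware. It models only the hybrid-authentication decision described above, so that RADIUS account definitions can be audited for phones that would end up without the phoneSS role. The dict keys, account names and source labels are constructed for illustration.

```python
# Simplified model of the decision described in the text; the data layout
# (filter_id / tunnel_vlan keys) is an assumption, not a switch or RADIUS API.
MAPTABLE = {11: 3}            # mirrors: set policy maptable 11 3
PROFILES = {"phoneSS": 3}     # mirrors: set policy profile 3 name phoneSS

# Constructed sample accounts: what each RADIUS response would carry.
ACCOUNTS = {
    "phone-a": {"filter_id": "phoneSS", "tunnel_vlan": 11},
    "phone-b": {"tunnel_vlan": 11},                          # no filter-ID
    "phone-c": {"tunnel_vlan": 12},                          # VLAN not mapped
    "phone-d": {"filter_id": "phoneSS", "tunnel_vlan": 12},
    "phone-e": {"filter_id": "phonesSS", "tunnel_vlan": 11}, # typo in role
}


def resolve(response, maptable=MAPTABLE, profiles=PROFILES):
    """Return (profile_index, vlan, source) for one RADIUS response."""
    role = response.get("filter_id")
    vlan = response.get("tunnel_vlan")
    if role is not None:
        # Filter-ID present: the VLAN-to-policy mapping is ignored, so a
        # misspelled role name is not rescued by the maptable in this model.
        if role not in profiles:
            return (None, vlan, "unknown-role")
        return (profiles[role], vlan, "filter-id")
    if vlan in maptable:
        # Backup path: no filter-ID, so the policy comes from the mapping.
        return (maptable[vlan], vlan, "maptable")
    return (None, vlan, "no-policy")


def audit(accounts):
    """List accounts whose response would not yield any policy profile."""
    return sorted(name for name, resp in accounts.items()
                  if resolve(resp)[0] is None)


if __name__ == "__main__":
    for name, resp in ACCOUNTS.items():
        print(name, resolve(resp))
    print("accounts without a policy:", audit(ACCOUNTS))
```

Accounts reported by `audit` are the ones to correct on the RADIUS server, either by fixing the filter-ID role name or by returning a tunnel VLAN that has a maptable entry.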