Specifications

Policy Configuration Example
May 18, 2009 Page 27 of 32
Configuring Policy for the Edge Faculty SecureStack C3
Configuring the Policy Role
The faculty role is configured with:
• A profile index value of 4
• A name of faculty
• A port VLAN of 10
• A CoS of 8
Create a policy role that applies a CoS 8 to data VLAN 10 and configures it to rate limit traffic to 1M with a moderate priority of 5.
FacultyC3(rw)->set policy profile 4 name faculty pvid-status enable pvid 10 cos-status enable cos 8
Assigning Hybrid Authentication
Configure the RADIUS server user accounts with the appropriate tunnel information using VLAN authorization and policy filter ID for faculty role members and devices. Enable hybrid authentication. Set a VLAN to policy mapping. This mapping is ignored if the RADIUS filter ID attribute is present in the RADIUS response message.
StudentC3(rw)->set policy maptable response both
StudentC3(rw)->set policy maptable 10 4
Assigning Traffic Classification Rules
Forward traffic on UDP source port for IP address request (68), and UDP destination ports for protocols DHCP (67) and DNS (53). Drop traffic on UDP source ports for protocols DHCP (67) and DNS (53). Drop traffic for protocols SNMP (161), SSH (22), Telnet (23) and FTP (20 and 21) on both the data and phone VLANs.
FacultyC3(rw)->set policy rule 4 udpsourceport 68 mask 16 forward
FacultyC3(rw)->set policy rule 4 udpdestport 67 mask 16 forward
FacultyC3(rw)->set policy rule 4 udpdestport 53 mask 16 forward
FacultyC3(rw)->set policy rule 4 udpsourceportIP 67 mask 16 drop
FacultyC3(rw)->set policy rule 4 udpsourceportIP 53 mask 16 drop
FacultyC3(rw)->set policy rule 4 udpdestportIP 161 mask 16 drop
FacultyC3(rw)->set policy rule 4 tcpdestportIP 22 mask 16 drop
FacultyC3(rw)->set policy rule 4 tcpdestportIP 23 mask 16 drop
FacultyC3(rw)->set policy rule 4 tcpdestportIP 20 mask 16 drop
FacultyC3(rw)->set policy rule 4 tcpdestportIP 21 mask 16 drop
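An added example, not part of the original guide: a Python check that parses set policy rule lines of the form shown above and compares them with the intent written in the paragraph (which ports are forwarded, which are dropped). The INTENT table, the sample rule text and the function names are constructed for illustration, and only port-match rules with mask 16 are handled.

```python
import re

# Constructed sample: port-match rules for profile 4 in the form used above.
RULES = """\
set policy rule 4 udpsourceport 68 mask 16 forward
set policy rule 4 udpdestport 67 mask 16 forward
set policy rule 4 udpdestport 53 mask 16 forward
set policy rule 4 udpsourceportIP 67 mask 16 drop
set policy rule 4 udpsourceportIP 53 mask 16 drop
set policy rule 4 udpdestportIP 161 mask 16 drop
set policy rule 4 tcpdestportIP 22 mask 16 drop
set policy rule 4 tcpdestportIP 23 mask 16 drop
set policy rule 4 tcpdestportIP 20 mask 16 drop
set policy rule 4 tcpdestportIP 21 mask 16 drop
"""

# Written intent from the section text: (protocol, direction, port) -> action.
INTENT = {
    ("udp", "source", 68): "forward", ("udp", "dest", 67): "forward",
    ("udp", "dest", 53): "forward", ("udp", "source", 67): "drop",
    ("udp", "source", 53): "drop", ("udp", "dest", 161): "drop",
    ("tcp", "dest", 22): "drop", ("tcp", "dest", 23): "drop",
    ("tcp", "dest", 20): "drop", ("tcp", "dest", 21): "drop",
}

RULE_RE = re.compile(
    r"set policy rule (\d+) (udp|tcp)(source|dest)port(?:IP)? (\d+) mask 16 (forward|drop)\s*$",
    re.IGNORECASE)

def parse_rules(text, profile):
    """Return {(proto, direction, port): action} for mask-16 port rules of one profile."""
    rules = {}
    for line in text.splitlines():
        # Strip a CLI prompt such as 'FacultyC3(rw)->' if present.
        m = RULE_RE.search(line.split("->", 1)[-1].strip())
        if m and int(m.group(1)) == profile:
            key = (m.group(2).lower(), m.group(3).lower(), int(m.group(4)))
            rules[key] = m.group(5).lower()
    return rules

def audit(text, intent, profile=4):
    """List intent entries with no matching rule, and rules the intent never asked for."""
    rules = parse_rules(text, profile)
    missing = sorted(k for k, v in intent.items() if rules.get(k) != v)
    unexpected = sorted(k for k in rules if k not in intent)
    return missing, unexpected

if __name__ == "__main__":
    print(audit(RULES, INTENT))
```

A mistyped port number in a rule shows up as one missing intent entry plus one unexpected rule, which makes it easy to spot before the configuration is pushed to the switch.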
Faculty should only be allowed access to the services (subnet 10.10.50.0/24) and the faculty servers (subnet 10.10.70.0/24) and should be denied access to the administrative server (subnet 10.10.60.0/24).
FacultyC3(rw)->set policy rule 4 ipdestsocket 10.10.60.0 mask 24 drop
Configuring PhoneN3 Policy for the Edge N-Series N3
Configuring the Policy Role
The phoneN3 role is configured on the services N3 with:
• A profile index of 5