Specifications

ManualsBrandsEnterasys ManualsComputer equipmentN Standalone (NSA) Series

221

222

223

224

225

226

227

228

229

230

Policy Configuration Example

May 18, 2009 Page 28 of 32

•AnameofphoneN3

•AdefaultportVLANof0

•AdefaultCoSof4

BecauseVLANscanbeappliedtoN3portsusingtheappropriatetrafficclassification,theexplicit

denyallPVID0willbeappliedatpolicycreation.Separateratelimitscanbeappliedtothephone

setupandpayload

portsontheN3usingpolicyrules.AdefaultCoSof4willbeappliedatpolicy

rolecreation.

ServicesN3(rw)->set policy profile 5 name phoneN3 pvid-status enable pvid 0

cos-status enable cos 4

Assigning Traffic Classification Rules

ForwardtrafficonUDPsourceportforIPaddressrequest(68)andandforwardtrafficonUDP

destinationportsforprotocolsDHCP(67)andDNS(53)onthephoneVLAN,tofacilitatephone

autoconfigurationand IPaddressassignment.DroptrafficforprotocolsSNMP(161),SSH(22),

Telnet(23)andFTP

(20and21)onthephoneVLAN.

ServicesN3(rw)->set policy rule 5 udpsourceport 68 mask 16 forward

ServicesN3(rw)->set policy rule 5 udpdestportIP 67 mask 16 forward

ServicesN3(rw)->set policy rule 5 udpdestportIP 53 mask 16 forward

ServicesN3(rw)->set policy rule 5 udpdestportIP 161 mask 16 drop

ServicesN3(rw)->set policy rule 5 tcpdestportIP 22 mask 16 drop

ServicesN3(rw)->set policy rule 5 tcpdestportIP 23 mask 16 drop

ServicesN3(rw)->set policy rule 5 tcpdestportIP 20 mask 16 drop

ServicesN3(rw)->set policy rule 5 tcpdestportIP 21 mask 16 drop

ApplyaCoS9tophonesetupdataonVLAN11,ratelimitingthedatato5ppswithahighpriority

of7onport2427.

ApplyaCoS10tophonepayloaddataonVLAN11,ratelimitingthedatato100kbpswithahigh

priorityof7

forbothsourceanddestinationonport5004.

ServicesN3(rw)->set policy rule 5 upddestIP 2427 mask 16 vlan 11 cos 9

ServicesN3(rw)->set policy rule 5 updsourceIP 5004 mask 16 vlan 11 cos 10

ServicesN3(rw)->set policy rule 5 upddestIP 5004 mask 16 vlan 11 cos 10

Assigning the VLAN-to-Policy Association

Thenatureofservicesrelateddevicesthatmightconnecttoaswitchportisnotasstaticaswith

thestudentorfacultyroles.Servicesrelatednetworkneedscanrunthegamutfromtemporary

multimediaeventstostandardofficeusers.TheremaybemultipleVLANandpolicyrole

associationsthattake

careofservicesrelatedneeds,dependingupontheconnecteduser.Thismay

includetherequirementformultipleservicesrelatedroles.

Forservices,thenetworkadministratordesiresgreaterresourceusageflexibilityinassigningthe

policytoVLANassociation.Authenticationinthiscasewillreturnonlythetunnelattributesin

theresponse

messagebasedupontherequirementsoftheauthenticatinguser.Settingthe

VLAN‐to‐policyassociationwillbehandledbythemaptableconfiguration,allowingforeasein

changingthepolicyassociatedwithaVLANontheflyusingPolicyManager.Specifythatthe

tunnelattributesreturnedintheRADIUSresponsemessagewill

beusedbytheauthenticating

user.AssociateVLAN11withpolicyrole5usingthesetpolicymaptablecommand.

ServicesN3(rw)->set policy maptable response tunnel

ServicesN3(rw)->set policy maptable 11 5