Specifications

Policy Configuration Example
May 18, 2009 Page 29 of 32
Configuring Policy for the Edge Services N-Series N3
Configuring the Policy Role
The services role is configured with:
• A profile index value of 6
• A name of services
• A default port VLAN of 0
• A default CoS when no rule overrides CoS
• TCI overwrite enabled
ServicesN3(rw)->set policy profile 6 name services pvid-status enable pvid 0 cos-status enable cos 4 tci-overwrite enable
Assigning the VLAN-to-Policy Association
Setting the VLAN-to-policy association will be handled by the policy maptable setting, allowing for ease in changing the policy associated with a VLAN on the fly using Policy Manager. Specify that the tunnel attributes returned in the RADIUS response message will be used by the authenticating user. Associate VLAN 10 with policy role 6 using the set policy maptable command.
ServicesN3(rw)->set policy maptable response tunnel
ServicesN3(rw)->set policy maptable 10 6
Assigning Traffic Classification Rules
Forward traffic on UDP source port for IP address request (68) and forward traffic on UDP destination ports for protocols DHCP (67) and DNS (53) on the data VLAN, to facilitate PC auto configuration and IP address assignment. Drop traffic for protocols SNMP (161), SSH (22), Telnet (23) and FTP (20 and 21) on the phone VLAN.
ServicesN3(rw)->set policy rule 6 udpsourceportIP 68 mask 16 vlan 10 forward
ServicesN3(rw)->set policy rule 6 udpdestportIP 67 mask 16 vlan 10 forward
ServicesN3(rw)->set policy rule 6 udpdestportIP 53 mask 16 vlan 10 forward
ServicesN3(rw)->set policy rule 6 udpdestportIP 67 mask 16 vlan 10 drop
ServicesN3(rw)->set policy rule 6 udpdestportIP 53 mask 16 vlan 10 drop
ServicesN3(rw)->set policy rule 6 udpdestportIP 161 mask 16 drop
ServicesN3(rw)->set policy rule 6 tcpdestportIP 22 mask 16 drop
ServicesN3(rw)->set policy rule 6 tcpdestportIP 23 mask 16 drop
ServicesN3(rw)->set policy rule 6 tcpdestportIP 20 mask 16 drop
ServicesN3(rw)->set policy rule 6 tcpdestportIP 21 mask 16 drop
Apply a CoS 8 to data VLAN 10 and configure it to rate limit traffic to 1M and moderate priority of 5 for services IP subnet 10.10.30.0 mask 28. We will also enable traps and syslog for this subnet.
ServicesN3(rw)->set policy rule 6 ipsourcesocket 10.10.30.0 mask 28 syslog enable trap enable vlan 10 cos 8
Services should only be allowed access to the services server (subnet 10.10.50.0/24) and should be denied access to the faculty servers (subnet 10.10.70.0/24) and administrative servers (subnet 10.10.60.0/24).
ServicesN3(rw)->set policy rule 6 ipdestsocket 10.10.60.0 mask 24 drop
ServicesN3(rw)->set policy rule 6 ipdestsocket 10.10.70.0 mask 24 drop
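As an added audit example, not part of the original configuration guide and not an Enterasys tool, the following Python script parses the set policy rule lines from the traffic classification sections above and reports two things a reviewer would want before pushing a role to production: classifier tuples that carry both a forward and a drop action, and expected drops that are absent from the rule set. It assumes only the syntax visible on this page (classifier, value, mask, optional vlan/cos/syslog/trap attributes, optional forward/drop), and treats vlan and cos as attributes applied on a match rather than as match criteria. Run against the page's own rule list it flags UDP destination ports 67 and 53, which appear with both actions above.

```python
"""Audit helper for 'set policy rule' lines (added example, not vendor code)."""
from collections import defaultdict

# Constructed input: the rule lines from the configuration example on this
# page, with the 'ServicesN3(rw)->' prompt kept to show that it is stripped.
PAGE_RULES = """\
ServicesN3(rw)->set policy rule 6 udpsourceportIP 68 mask 16 vlan 10 forward
ServicesN3(rw)->set policy rule 6 udpdestportIP 67 mask 16 vlan 10 forward
ServicesN3(rw)->set policy rule 6 udpdestportIP 53 mask 16 vlan 10 forward
ServicesN3(rw)->set policy rule 6 udpdestportIP 67 mask 16 vlan 10 drop
ServicesN3(rw)->set policy rule 6 udpdestportIP 53 mask 16 vlan 10 drop
ServicesN3(rw)->set policy rule 6 udpdestportIP 161 mask 16 drop
ServicesN3(rw)->set policy rule 6 tcpdestportIP 22 mask 16 drop
ServicesN3(rw)->set policy rule 6 tcpdestportIP 23 mask 16 drop
ServicesN3(rw)->set policy rule 6 tcpdestportIP 20 mask 16 drop
ServicesN3(rw)->set policy rule 6 tcpdestportIP 21 mask 16 drop
ServicesN3(rw)->set policy rule 6 ipsourcesocket 10.10.30.0 mask 28 syslog enable trap enable vlan 10 cos 8
ServicesN3(rw)->set policy rule 6 ipdestsocket 10.10.60.0 mask 24 drop
ServicesN3(rw)->set policy rule 6 ipdestsocket 10.10.70.0 mask 24 drop
"""

INT_OPTS = ("mask", "vlan", "cos")      # options followed by an integer
FLAG_OPTS = ("syslog", "trap")          # options followed by enable/disable
ACTIONS = ("forward", "drop")


def parse_rule(line):
    """Parse one 'set policy rule' line into a dict; raise ValueError on junk."""
    if "->" in line:                    # strip a CLI prompt such as 'host(rw)->'
        line = line.split("->", 1)[1]
    tokens = line.split()
    if tokens[:3] != ["set", "policy", "rule"] or len(tokens) < 6:
        raise ValueError(f"not a policy rule: {line!r}")
    rule = {"profile": int(tokens[3]), "classifier": tokens[4], "value": tokens[5],
            "mask": None, "vlan": None, "cos": None, "syslog": None, "trap": None,
            "action": None}
    rest = tokens[6:]
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok in INT_OPTS or tok in FLAG_OPTS:
            if i + 1 >= len(rest):
                raise ValueError(f"option {tok!r} has no argument in {line!r}")
            rule[tok] = int(rest[i + 1]) if tok in INT_OPTS else rest[i + 1]
            i += 2
        elif tok in ACTIONS:
            rule["action"] = tok
            i += 1
        else:
            raise ValueError(f"unknown token {tok!r} in {line!r}")
    return rule


def parse_rules(text):
    """Parse every non-blank line of a pasted rule listing."""
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def match_key(rule):
    """The classifier tuple. vlan/cos/syslog/trap are attributes applied when
    the rule matches (assumption for this example), so they are excluded."""
    return (rule["profile"], rule["classifier"], rule["value"], rule["mask"])


def find_conflicts(rules):
    """Return match keys that carry both a 'forward' and a 'drop' rule."""
    actions = defaultdict(set)
    for rule in rules:
        if rule["action"]:
            actions[match_key(rule)].add(rule["action"])
    return sorted(key for key, acts in actions.items() if len(acts) > 1)


def missing_drops(rules, expected):
    """expected: iterable of (classifier, value). Return those with no drop rule."""
    present = {(r["classifier"], r["value"]) for r in rules if r["action"] == "drop"}
    return [item for item in expected if item not in present]


# Ports the narrative says the role must drop: SNMP, SSH, Telnet, FTP data/control.
EXPECTED_DROPS = [("udpdestportIP", "161"), ("tcpdestportIP", "22"),
                  ("tcpdestportIP", "23"), ("tcpdestportIP", "20"),
                  ("tcpdestportIP", "21")]

if __name__ == "__main__":
    parsed = parse_rules(PAGE_RULES)
    for key in find_conflicts(parsed):
        print("conflicting forward/drop on classifier", key)
    print("expected drops not configured:", missing_drops(parsed, EXPECTED_DROPS))
```

The conflict check keys on profile, classifier, value and mask only; if a platform treats the VLAN attribute as part of the match, widen match_key accordingly. The script is meant to be run over a pasted show-config listing before the role is assigned to a port.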