Specifications

ManualsBrandsExtreme Networks ManualsComputer equipmentExtremeWare XOS Command

151

152

153

154

155

156

157

158

159

160

158 ExtremeWare XOS 11.0 Concepts Guide

Security

The following sections apply to creating and using policies:

• Creating Policies on page 158

• Policy File Syntax on page 158

• Policy Examples on page 163

• Using Policies on page 166

• Refreshing Policies on page 166

Creating Policies

Prior to release 11.0, all policies were created by writing a text file on a separate machine and then

downloading that file to the switch. Once on the switch, the file was then loaded into a policy database

to be applied where configured. With release 11.0, policy text files can be edited directly on the switch.

Policies are created by writing a text file containing a number of rule entries. Name the text file with the

policy name and use “.pol” as the filename extension. For example, the policy name “boundary” refers

to the text file “boundary.pol”.

A VI-like editor is available on the switch to edit policies. To edit a policy file on the switch by

launching the editor, use the following command:

edit policy <filename>

You can also edit policies on a separate machine. Any common text editor can be used to create a policy

file. The file is then transferred to the switch using TFTP, and then applied.

To transfer policy files to the switch, use the following command:

tftp [<host_name> | <ip_address>] {-v <vr_name>} [-g | -p] [{-l <local_file>} {-r

<remote_file>} | {-r <remote_file>} {-l <local_file>}]

Policy File Syntax

The policy file contains one or more policy entries. Each policy entry consists of:

• A policy entry name, unique within the same policy.

• Zero or one match type. If no type is specified, the match type is all, so all match conditions must be

satisfied.

• Zero or more match conditions. If no match condition is specified, all are matched.

• Zero or more actions. If no action is specified, the packet is permitted by default.

Each policy entry in the file uses the following syntax:

entry <entry-name>{

if <match-type> {

<match-conditions>;

} then {

<action>;

}

Here is an example of a policy entry:

entry ip_entry {

if match any {