port-access policy
Syntax
port-access policy <POLICY-NAME>
    [<SEQUENCE-NUMBER>] class {ip|ipv6} <CLASS-NAME> [action {<REMARK-ACTIONS> | <POLICE-ACTIONS> | <OTHER-ACTIONS>}]
    [<SEQUENCE-NUMBER>] comment ...

no port-access policy <POLICY-NAME>
    no <SEQUENCE-NUMBER>
    no <SEQUENCE-NUMBER> comment
Description
Creates or modifies policy and policy entries. A policy is made up of one or more policy entries ordered and prioritized by sequence numbers. Each entry has an IPv4/IPv6 class and one or more policy actions associated with it.
A policy must be applied to a role using the associate policy command.
The no form of the command deletes either a whole policy (no port-access policy <POLICY-NAME>) or an individual policy entry (no <SEQUENCE-NUMBER>, entered inside the policy context).
Command context
config
The port-access policy command takes you into the config-pa-policy context, where you enter the policy entries.
Parameters
<POLICY-NAME>
Specifies the name of the policy.
<SEQUENCE-NUMBER>
Specifies a sequence number for the policy entry. Optional. Range: 1 to 4294967295.
comment
Specifies the description of an entry in the policy. Optional.
class {ip|ipv6} <CLASS-NAME>
Specifies the class type, ip for an IPv4 class or ipv6 for an IPv6 class, and the name of the class whose traffic the entry matches.
<REMARK-ACTIONS>
Remark actions can be any of the following options:
{ip-precedence <IP-PRECEDENCE-VALUE> | dscp <DSCP-VALUE> | local-priority <LOCAL-PRIORITY-VALUE>}
where:
ip-precedence <IP-PRECEDENCE-VALUE>
Specifies the numeric IP precedence value. Range: 0 to 7.
dscp <DSCP-VALUE>
Specifies a Differentiated Services Code Point (DSCP) value. Enter either a numeric value (0 to 63) or one of the keywords below. Keywords are accepted in lowercase as well (the Examples section enters dscp af21); the show output displays them in uppercase.
All keywords are optional alternatives to the numeric value.

Keyword  DSCP  Description
AF11     10    Assured Forwarding Class 1, low drop probability
AF12     12    Assured Forwarding Class 1, medium drop probability
AF13     14    Assured Forwarding Class 1, high drop probability
AF21     18    Assured Forwarding Class 2, low drop probability
AF22     20    Assured Forwarding Class 2, medium drop probability
AF23     22    Assured Forwarding Class 2, high drop probability
AF31     26    Assured Forwarding Class 3, low drop probability
AF32     28    Assured Forwarding Class 3, medium drop probability
AF33     30    Assured Forwarding Class 3, high drop probability
AF41     34    Assured Forwarding Class 4, low drop probability
AF42     36    Assured Forwarding Class 4, medium drop probability
AF43     38    Assured Forwarding Class 4, high drop probability
CS0      0     Class Selector 0: Default
CS1      8     Class Selector 1: Scavenger
CS2      16    Class Selector 2: OAM
CS3      24    Class Selector 3: Signaling
CS4      32    Class Selector 4: Real time
CS5      40    Class Selector 5: Broadcast video
CS6      48    Class Selector 6: Network control
CS7      56    Class Selector 7
EF       46    Expedited Forwarding
local-priority <LOCAL-PRIORITY-VALUE>
Specifies a local priority value. Range: 0 to 7.
<POLICE-ACTIONS>
Police actions have the following form:
{cir kbps <RATE-BPS> cbs <BYTES> exceed}
where:
cir kbps <RATE-BPS>
Specifies the Committed Information Rate (CIR) in kilobits per second. Range: 1 to 4294967295.
cbs <BYTES>
Specifies the Committed Burst Size (CBS) in bytes. Range: 1 to 4294967295.
exceed
Specifies the action to take on packets that exceed the rate limit. The examples on this page use exceed drop, which discards the excess traffic.
<OTHER-ACTIONS>
Other actions can be the following:
drop
Drops all traffic that matches the class.
redirect
Redirects all traffic that matches the class to a captive portal server. The examples on this page use the form redirect captive-portal.
Authority
Administrators or local user group members with execution rights for this command.
Usage
An applied policy evaluates each packet against the policy entries in sequence-number order until the packet matches an entry or the last entry has been evaluated; the first matching entry determines the action. If no entry matches, the packet is dropped by one of the implicit deny all IPv4 and IPv6 entries at the end of the policy. Because the first match wins, entry order matters: a narrow class (for example, traffic to the captive portal server itself) must be sequenced before a broader class that would also match that traffic (for example, all web traffic), otherwise the broader entry's action is applied.

Entering an existing <POLICY-NAME> value modifies the existing policy: a new <SEQUENCE-NUMBER> value creates an additional policy entry, and an existing <SEQUENCE-NUMBER> value replaces the policy entry that has the same sequence number. If no sequence number is specified, the new policy entry is appended to the end of the list with a sequence number equal to the highest sequence number currently in the list plus 10. The sequence numbers can be renumbered with the
port-access policy <POLICY-NAME> resequence <STARTING-SEQ-NUM> <INCREMENT>
command.

If a policy entry is configured without an action, the default action, permit, is applied to traffic matching that entry. A bare class entry is therefore an allow rule, not a no-op; only traffic that matches no entry at all reaches the implicit deny.
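The entry rules above, replayed offline as an added example (this is not AOS-CX code or switch output): it models sequence ordering, first-match evaluation, the permit default for entries without an action, append-at-highest-plus-10, replacement on a reused sequence number, resequence, and the implicit deny, then runs the page's CLEARPASS-REDIRECT entries against constructed packets. The class predicates and packets are constructed for illustration (on the switch a class is defined separately and referenced by name), the ClearPass server address 10.0.0.5 is invented, and the sequence number given to the first entry of an empty policy (10) is an assumption the page does not state.

```python
"""Offline model of port-access policy entry semantics (added example, not AOS-CX code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]
Classes = Dict[str, Callable[[Packet], bool]]
SEQ_MAX = 4294967295            # sequence-number range given on the page
IMPLICIT_DENY = "drop (implicit deny)"


@dataclass
class PolicyEntry:
    seq: int
    cls: str
    action: str = "permit"      # an entry configured without an action permits


@dataclass
class PortAccessPolicy:
    name: str
    entries: List[PolicyEntry] = field(default_factory=list)

    def add(self, cls: str, action: Optional[str] = None,
            seq: Optional[int] = None) -> int:
        """'[SEQ] class ip CLS [action ...]': reusing SEQ replaces that entry, a new
        SEQ inserts in order, no SEQ appends at highest+10 (assumption: 10 when the
        policy is empty; the page does not state that case)."""
        if seq is None:
            seq = max((e.seq for e in self.entries), default=0) + 10
        if not 1 <= seq <= SEQ_MAX:
            raise ValueError(f"sequence number {seq} outside 1..{SEQ_MAX}")
        kept = [e for e in self.entries if e.seq != seq]
        self.entries = sorted(kept + [PolicyEntry(seq, cls, action or "permit")],
                              key=lambda e: e.seq)
        return seq

    def remove(self, seq: int) -> bool:
        """'no SEQ': delete one entry; False if no entry had that number."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if e.seq != seq]
        return len(self.entries) < before

    def resequence(self, start: int, increment: int) -> List[int]:
        """'resequence START INCREMENT': renumber entries, keeping their order."""
        for i, e in enumerate(self.entries):
            e.seq = start + i * increment
        return [e.seq for e in self.entries]

    def evaluate(self, packet: Packet, classes: Classes) -> Tuple[Optional[int], str]:
        """Walk entries in sequence order; the first matching class decides.
        No match -> the implicit deny-all entry drops the packet."""
        for e in self.entries:
            if classes[e.cls](packet):
                return e.seq, e.action
        return None, IMPLICIT_DENY


# Constructed stand-ins for the 'class ip' definitions named in the page's example.
CLASSES: Classes = {
    "dns": lambda p: p["proto"] == "udp" and p["dport"] == 53,
    "dhcp": lambda p: p["proto"] == "udp" and p["dport"] in (67, 68),
    "clearpass-web": lambda p: p["proto"] == "tcp" and p["dst"] == "10.0.0.5" and p["dport"] == 443,
    "web-traffic": lambda p: p["proto"] == "tcp" and p["dport"] in (80, 443),
}

# Constructed sample packets; 10.0.0.5 stands in for the ClearPass server.
SAMPLES: Dict[str, Packet] = {
    "dns": {"proto": "udp", "dst": "10.0.0.53", "dport": 53},
    "clearpass": {"proto": "tcp", "dst": "10.0.0.5", "dport": 443},
    "other-https": {"proto": "tcp", "dst": "198.51.100.7", "dport": 443},
    "ssh": {"proto": "tcp", "dst": "10.0.0.9", "dport": 22},
}


def build_clearpass_redirect() -> PortAccessPolicy:
    """The CLEARPASS-REDIRECT policy exactly as entered in the Examples section."""
    pol = PortAccessPolicy("CLEARPASS-REDIRECT")
    pol.add("dns", seq=10)
    pol.add("dhcp", seq=20)
    pol.add("clearpass-web", "cir kbps 1024 cbs 2048 exceed drop", seq=30)
    pol.add("web-traffic", "redirect captive-portal", seq=40)
    return pol


def decisions(pol: PortAccessPolicy) -> Dict[str, Tuple[Optional[int], str]]:
    return {name: pol.evaluate(pkt, CLASSES) for name, pkt in SAMPLES.items()}


def misordered_policy() -> PortAccessPolicy:
    """Same entries, but the broad web-traffic class sequenced before the
    ClearPass-specific one: traffic to the portal server itself is now redirected."""
    pol = build_clearpass_redirect()
    pol.remove(40)
    pol.add("web-traffic", "redirect captive-portal", seq=25)
    return pol


if __name__ == "__main__":
    for label, pol in (("as on the page", build_clearpass_redirect()),
                       ("web-traffic moved to 25", misordered_policy())):
        print(f"{pol.name} ({label}):")
        for name, (seq, action) in decisions(pol).items():
            print(f"  {name:12s} -> entry {seq}: {action}")
```

Running the script prints the decision for each constructed packet under both orderings: with the page's order, ClearPass traffic is policed at entry 30 and SSH hits the implicit deny; with web-traffic moved ahead of clearpass-web, the same ClearPass packet is redirected at entry 25, which is the kind of ordering mistake that breaks a captive-portal flow.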
Examples
Creating a policy with several entries:
switch(config)# port-access policy CLEARPASS-REDIRECT
switch(config-pa-policy)# 10 class ip dns
switch(config-pa-policy)# 20 class ip dhcp
switch(config-pa-policy)# 30 class ip clearpass-web action cir kbps 1024 cbs 2048 exceed drop
switch(config-pa-policy)# 40 class ip web-traffic action redirect captive-portal
switch(config-pa-policy)# exit
switch(config)# show port-access policy

Access Policy Details:
======================
Policy Name   : CLEARPASS-REDIRECT
Policy Type   : Local
Policy Status : Applied

SEQUENCE    CLASS                        TYPE ACTION
----------- ---------------------------- ---- ----------------------------------
10          dns                          ipv4 permit
20          dhcp                         ipv4 permit
30          clearpass-web                ipv4 cir kbps 1024 cbs 2048 exceed drop
40          web-traffic                  ipv4 redirect captive-portal
Adding a comment to an existing policy entry:
switch(config)# port-access policy CLEARPASS-REDIRECT
switch(config-pa-policy)# 20 comment DHCP-PERMIT
switch(config-pa-policy)# exit
switch(config)# show port-access policy

Access Policy Details:
======================
Policy Name   : CLEARPASS-REDIRECT
Policy Type   : Local
Policy Status : Applied

SEQUENCE    CLASS                        TYPE ACTION
----------- ---------------------------- ---- ----------------------------------
10          dns                          ipv4 permit
20          dhcp                         ipv4 permit
30          clearpass-web                ipv4 cir kbps 1024 cbs 2048 exceed drop
40          web-traffic                  ipv4 redirect captive-portal
Removing a comment from an existing policy entry:
switch(config)# port-access policy CLEARPASS-REDIRECT
switch(config-pa-policy)# no 20 comment
switch(config-pa-policy)# exit
switch(config)# show port-access policy

Access Policy Details:
======================
Policy Name   : CLEARPASS-REDIRECT
Policy Type   : Local
Policy Status : Applied

SEQUENCE    CLASS                        TYPE ACTION
----------- ---------------------------- ---- ----------------------------------
10          dns                          ipv4 permit
20          dhcp                         ipv4 permit
30          clearpass-web                ipv4 cir kbps 1024 cbs 2048 exceed drop
40          web-traffic                  ipv4 redirect captive-portal
Modifying a policy by replacing the entry at an existing sequence number with a different class and action (the dscp keyword is entered in lowercase and shown in uppercase):
switch(config)# port-access policy CLEARPASS-REDIRECT
switch(config-pa-policy)# 10 class ip mds action dscp af21
switch(config-pa-policy)# exit
switch(config)# show port-access policy

Access Policy Details:
======================
Policy Name   : CLEARPASS-REDIRECT
Policy Type   : Local
Policy Status : Applied

SEQUENCE    CLASS                        TYPE ACTION
----------- ---------------------------- ---- ----------------------------------
10          mds                          ipv4 dscp AF21
20          dhcp                         ipv4 permit
30          clearpass-web                ipv4 cir kbps 1024 cbs 2048 exceed drop
40          web-traffic                  ipv4 redirect captive-portal
Removing a single policy entry by sequence number (this example assumes the entries were first renumbered 1 to 4 with the resequence command described in Usage, which is why the remaining entries are numbered 2, 3 and 4). To remove the whole policy instead, use no port-access policy <POLICY-NAME> from the config context:
switch(config)# port-access policy CLEARPASS-REDIRECT
switch(config-pa-policy)# no 1
switch(config-pa-policy)# exit
switch(config)# show port-access policy

Access Policy Details:
======================
Policy Name   : CLEARPASS-REDIRECT
Policy Type   : Local
Policy Status : Applied

SEQUENCE    CLASS                        TYPE ACTION
----------- ---------------------------- ---- ----------------------------------
2           dhcp                         ipv4 permit
3           clearpass-web                ipv4 cir kbps 1024 cbs 2048 exceed drop
4           web-traffic                  ipv4 redirect captive-portal