port-access policy

Syntax

port-access policy <POLICY-NAME>

    [<SEQUENCE-NUMBER>]
    class {ip|ipv6} <CLASS-NAME>
          action {<REMARK-ACTIONS> | <POLICE-ACTIONS> | <OTHER-ACTIONS>}

    [<SEQUENCE-NUMBER>]
    comment ...

Description

Creates or modifies a policy and its policy entries. A policy is made up of one or more policy entries, ordered and prioritized by sequence number. Each entry has an IPv4 or IPv6 class and one or more policy actions associated with it.

A policy must be applied to a role using the associate policy command.

The no form of the command can be used to delete either a policy (use no with the policy command) or an individual policy entry (use no with the sequence number).

Command context

config

The policy command takes you into the config-pa-policy context where you enter the policy entries.

Parameters

<POLICY-NAME>

Specifies the name of the policy.

<SEQUENCE-NUMBER>

Specifies a sequence number for the policy entry. Optional. Range: 1 to 4294967295.

comment

Specifies the description of an entry in the policy. Optional.

class {ip|ipv6} <CLASS-NAME>

Specifies the class type (ip for an IPv4 class, ipv6 for an IPv6 class) and the name of the class whose traffic the entry matches.

<REMARK-ACTIONS>

Remark actions can be any of the following options: {ip-precedence <IP-PRECEDENCE-VALUE> | dscp <DSCP-VALUE> | local-priority <LOCAL-PRIORITY-VALUE>} where:

ip-precedence <IP-PRECEDENCE-VALUE>

Specifies the numeric IP precedence value. Range: 0 to 7.

dscp <DSCP-VALUE>

Specifies a Differentiated Services Code Point (DSCP) value. Enter either a numeric value (0 to 63) or a keyword as follows:

Keyword   Status     Syntax    Description
-------   --------   -------   -----------------------------------------------------------
AF11      Optional   Keyword   DSCP 10 (Assured Forwarding Class 1, low drop probability)
AF12      Optional   Keyword   DSCP 12 (Assured Forwarding Class 1, medium drop probability)
AF13      Optional   Keyword   DSCP 14 (Assured Forwarding Class 1, high drop probability)
AF21      Optional   Keyword   DSCP 18 (Assured Forwarding Class 2, low drop probability)
AF22      Optional   Keyword   DSCP 20 (Assured Forwarding Class 2, medium drop probability)
AF23      Optional   Keyword   DSCP 22 (Assured Forwarding Class 2, high drop probability)
AF31      Optional   Keyword   DSCP 26 (Assured Forwarding Class 3, low drop probability)
AF32      Optional   Keyword   DSCP 28 (Assured Forwarding Class 3, medium drop probability)
AF33      Optional   Keyword   DSCP 30 (Assured Forwarding Class 3, high drop probability)
AF41      Optional   Keyword   DSCP 34 (Assured Forwarding Class 4, low drop probability)
AF42      Optional   Keyword   DSCP 36 (Assured Forwarding Class 4, medium drop probability)
AF43      Optional   Keyword   DSCP 38 (Assured Forwarding Class 4, high drop probability)
CS0       Optional   Keyword   DSCP 0 (Class Selector 0: Default)
CS1       Optional   Keyword   DSCP 8 (Class Selector 1: Scavenger)
CS2       Optional   Keyword   DSCP 16 (Class Selector 2: OAM)
CS3       Optional   Keyword   DSCP 24 (Class Selector 3: Signaling)
CS4       Optional   Keyword   DSCP 32 (Class Selector 4: Real time)
CS5       Optional   Keyword   DSCP 40 (Class Selector 5: Broadcast video)
CS6       Optional   Keyword   DSCP 48 (Class Selector 6: Network control)
CS7       Optional   Keyword   DSCP 56 (Class Selector 7)
EF        Optional   Keyword   DSCP 46 (Expedited Forwarding)

local-priority <LOCAL-PRIORITY-VALUE>

Specifies a local priority value. Range: 0 to 7.

<POLICE-ACTIONS>

Police actions take the form {cir kbps <RATE-BPS> cbs <BYTES> exceed} where:

cir kbps <RATE-BPS>

Specifies a Committed Information Rate (CIR) value in Kilobits per second. Range: 1 to 4294967295.

cbs <BYTES>

Specifies a Committed Burst Size (CBS) value in bytes. Range: 1 to 4294967295.

exceed

Specifies the action to take on packets that exceed the committed rate.

<OTHER-ACTIONS>

Other actions can be the following:

drop

Drops the matching traffic.

redirect

Redirects all matching traffic to a captive portal server.

Authority

Administrators or local user group members with execution rights for this command.

Usage

  • An applied policy evaluates a packet against its policy and class entries in sequence order until the packet matches an entry or the last entry in the list has been evaluated. A packet that matches no entry is dropped by one of the implicit deny-all IPv4 and IPv6 entries.

  • Entering an existing <POLICY-NAME> value will cause the existing policy to be modified, with any new <SEQUENCE-NUMBER> value creating an additional policy entry, and any existing <SEQUENCE-NUMBER> value replacing the existing policy entry with the same sequence number.

  • If no sequence number is specified, a new policy entry will be appended to the end of the entry list with a sequence number equal to the highest policy entry currently in the list plus 10. The sequence numbers may be reordered with the port-access policy <POLICY-NAME> resequence <STARTING-SEQ-NUM> <INCREMENT> command.

  • If a policy is configured without any action, the default action, permit, is applied for that policy.
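The entry-list rules above (replacement on a repeated sequence number, appending at highest + 10, resequencing, first match, implicit deny) as an added Python model; this is not the switch's code, and the class match criteria are constructed sample data since the page names classes without defining what they match.

```python
# Added example, not the switch's own code: a model of the entry-list rules in
# the Usage section (replace on repeated sequence, append at highest + 10,
# resequence, first match, implicit deny). Class criteria are constructed.
from dataclasses import dataclass, field

CLASSES = {  # constructed sample data: (protocol, dest port) each class matches
    "dns": {("udp", 53)},
    "dhcp": {("udp", 67), ("udp", 68)},
    "web-traffic": {("tcp", 80), ("tcp", 443)},
}

@dataclass
class Policy:
    name: str
    entries: dict = field(default_factory=dict)  # sequence -> (class, action)

    def add(self, cls, action="permit", seq=None):
        # Repeated sequence number replaces the entry; none given -> highest + 10.
        if seq is None:
            seq = (max(self.entries) if self.entries else 0) + 10
        self.entries[seq] = (cls, action)  # no action configured -> permit
        return seq

    def remove(self, seq):  # 'no <SEQUENCE-NUMBER>' deletes one entry
        self.entries.pop(seq, None)

    def resequence(self, start, increment):  # resequence <START> <INCREMENT>
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * increment: e for i, e in enumerate(ordered)}

    def evaluate(self, proto, dport):
        # First match in sequence order decides; no match -> implicit deny-all.
        for seq in sorted(self.entries):
            cls, action = self.entries[seq]
            if (proto, dport) in CLASSES.get(cls, set()):
                return action
        return "drop (implicit deny)"

def demo():
    # Rebuilds the CLEARPASS-REDIRECT walk-through from the Examples section.
    p = Policy("CLEARPASS-REDIRECT")
    p.add("dns", seq=10)
    p.add("dhcp", seq=20)
    p.add("web-traffic", "redirect captive-portal", seq=40)
    appended = p.add("dhcp")            # no sequence given: lands at 50
    p.remove(appended)
    p.add("mds", "dscp AF21", seq=10)   # replaces the dns entry at 10
    verdicts = (p.evaluate("udp", 67), p.evaluate("tcp", 443), p.evaluate("udp", 53))
    p.resequence(1, 1)
    return appended, verdicts, sorted(p.entries)
```

Note that after entry 10 is replaced, DNS traffic no longer matches any entry and falls to the implicit deny, which is the kind of silent lock-out that replace-in-place can cause.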

Examples

Creating a policy with several entries:

switch(config)# port-access policy CLEARPASS-REDIRECT
switch(config-pa-policy)# 10 class ip dns
switch(config-pa-policy)# 20 class ip dhcp
switch(config-pa-policy)# 30 class ip clearpass-web action cir kbps 1024 cbs 2048 exceed drop
switch(config-pa-policy)# 40 class ip web-traffic action redirect captive-portal
switch(config-pa-policy)# exit
switch(config)# show port-access policy

Access Policy Details:
======================

Policy Name   : CLEARPASS-REDIRECT
Policy Type   : Local
Policy Status : Applied

SEQUENCE    CLASS                        TYPE ACTION
----------- ---------------------------- ---- ----------------------------------
10          dns                          ipv4 permit
20          dhcp                         ipv4 permit
30          clearpass-web                ipv4 cir kbps 1024 cbs 2048
                                              exceed drop
40          web-traffic                  ipv4 redirect captive-portal

Adding a comment to an existing policy entry:

switch(config)# port-access policy CLEARPASS-REDIRECT
switch(config-pa-policy)# 20 comment DHCP-PERMIT
switch(config-pa-policy)# exit
switch(config)# show port-access policy

Access Policy Details:
======================

Policy Name   : CLEARPASS-REDIRECT
Policy Type   : Local
Policy Status : Applied

SEQUENCE    CLASS                        TYPE ACTION
----------- ---------------------------- ---- ----------------------------------
10          dns                          ipv4 permit
20          dhcp                         ipv4 permit
30          clearpass-web                ipv4 cir kbps 1024 cbs 2048
                                              exceed drop
40          web-traffic                  ipv4 redirect captive-portal

Removing a comment from an existing policy entry:

switch(config)# port-access policy CLEARPASS-REDIRECT
switch(config-pa-policy)# no 20 comment
switch(config-pa-policy)# exit
switch(config)# show port-access policy

Access Policy Details:
======================

Policy Name   : CLEARPASS-REDIRECT
Policy Type   : Local
Policy Status : Applied

SEQUENCE    CLASS                        TYPE ACTION
----------- ---------------------------- ---- ----------------------------------
10          dns                          ipv4 permit
20          dhcp                         ipv4 permit
30          clearpass-web                ipv4 cir kbps 1024 cbs 2048
                                              exceed drop
40          web-traffic                  ipv4 redirect captive-portal

Modifying a policy by replacing one class with another at the same sequence number:

switch(config)# port-access policy CLEARPASS-REDIRECT
switch(config-pa-policy)# 10 class ip mds action dscp af21
switch(config-pa-policy)# exit
switch(config)# show port-access policy

Access Policy Details:
======================

Policy Name   : CLEARPASS-REDIRECT
Policy Type   : Local
Policy Status : Applied

SEQUENCE    CLASS                        TYPE ACTION
----------- ---------------------------- ---- ----------------------------------
10          mds                          ipv4 dscp AF21
20          dhcp                         ipv4 permit
30          clearpass-web                ipv4 cir kbps 1024 cbs 2048
                                              exceed drop
40          web-traffic                  ipv4 redirect captive-portal

Removing a single policy entry by its sequence number:

switch(config)# port-access policy CLEARPASS-REDIRECT
switch(config-pa-policy)# no 1
switch(config-pa-policy)# exit
switch(config)# show port-access policy

Access Policy Details:
======================

Policy Name   : CLEARPASS-REDIRECT
Policy Type   : Local
Policy Status : Applied

SEQUENCE    CLASS                        TYPE ACTION
----------- ---------------------------- ---- ----------------------------------
2           dhcp                         ipv4 permit
3           clearpass-web                ipv4 cir kbps 1024 cbs 2048
                                              exceed drop
4           web-traffic                  ipv4 redirect captive-portal