IBM Books

Access Integration Services Using and Configuring Features Version 3.3


Configuring and Monitoring the Policy Feature

This chapter describes the LDAP and policy commands provided by the policy feature for configuring and operating the router devices in a network. It includes the following sections:


Accessing the Policy Configuration Prompt

To enter policy configuration commands:

  1. Enter talk 6 at the OPCON (*) prompt.
  2. Enter feature policy at the Config> prompt.

The Policy config> prompt displays. You may now enter policy configuration commands.


Policy Configuration Commands

These commands enable you to configure the information contained in policies. Table 38 summarizes the policy configuration commands and the rest of this section describes them in detail. Enter these commands at the Policy config> prompt. You can either enter the command and options on one line, or enter only the command and respond to the prompts. To see a list of valid command options, enter the command with a question mark instead of options.

Table 38. Policy Configuration Commands

Command    Function
? (Help)   Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
Add        Adds the information used to create a policy.
Change     Changes the information making up a policy.
Copy       Copies information from one policy into another.
Delete     Deletes information from a policy.
Disable    Disables a policy.
Enable     Enables a policy.
List       Displays the information in a policy.
Set        Specifies a policy to be used as the default.
Exit       Returns you to the previous command level. See "Exiting a Lower Level Environment".

Add

Use the add command to add information to a policy.

Syntax:  add 
diffserv-action
interface-pair
ipsec-action
ipsec-manual-tunn
ipsec-proposal
ipsec-transform
isakmp-action
isakmp-proposal
policy
profile
rsvp-action
user
validity-period

Diffserv-action
Prompts you for information about which DiffServ-action selections apply.

Name
The unique name of the DiffServ action for the policy.

permission-level
Specifies whether the router is to forward packets that match this DiffServ action.

1
Permit

2
Deny

Default value: 2

Queue-priority
The queue into which outgoing packets matching this DiffServ action are placed.

1
Premium (expedited forwarding)

2
Assured/Best Effort

Default value: 2

bwshare-type
The type of bandwidth share allocation.

1
Absolute (in Kbps)

2
Percentage (of total output bandwidth)

Default value: 2

bwshare
The bandwidth (in Kbps or as a percentage of output bandwidth) allocated to this service.

ds-bytemask
The mask to apply to transmitted ds bytes. This value designates which bits of a packet's TOS byte must be changed when the packet is transmitted. A zero in any bit position of this byte implies that the bit must not change.

Default value: (do not change any bits)

ds-bytemodify
The marking of the IP TOS byte that is to be applied to packets forwarded by this device. Zeros in the mask imply that the corresponding bit will not change; a one implies that the bit will be set to the corresponding bit value in the mark byte. The operation is:

newTOSByte = (~Mask & receivedTOSByte) | (Mask & Mark)

where ~ is the bitwise complement. The value is entered as two 8-bit binary strings in the form Mask:Mark.

Example:

11111101:00000001

Using this example, a received value of 0x07 would be sent with a value of 0x03.

Default value: X'00' (do not change any bit)
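An added example, not from the IBM manual, that implements the ds-bytemodify operation above on a Mask:Mark value written in the manual's binary form, reproduces its 0x07 to 0x03 case, and (going one step beyond the manual) shows a constructed mask that rewrites only the six DSCP bits while leaving the two low-order bits untouched.

```python
# Added example (not from the IBM manual): the ds-bytemodify marking
# operation newTOSByte = (~Mask & receivedTOSByte) | (Mask & Mark), with
# the Mask:Mark value given in the manual's "11111101:00000001" form.


def parse_mask_mark(spec: str) -> tuple:
    """Parse 'Mask:Mark', two 8-digit binary strings, into two ints."""
    parts = spec.split(":")
    if len(parts) != 2:
        raise ValueError(f"expected Mask:Mark, got {spec!r}")
    for part in parts:
        if len(part) != 8 or set(part) - {"0", "1"}:
            raise ValueError(f"expected 8 binary digits, got {part!r}")
    return int(parts[0], 2), int(parts[1], 2)


def modify_tos(received: int, mask: int, mark: int) -> int:
    """Bits set in mask take the value of the same bit in mark; bits clear
    in mask are copied unchanged from the received TOS byte."""
    for value in (received, mask, mark):
        if not 0 <= value <= 0xFF:
            raise ValueError("TOS byte, mask and mark must be 0..255")
    return ((~mask & 0xFF) & received) | (mask & mark)


def apply_spec(received: int, spec: str) -> int:
    """Apply a Mask:Mark specification to a received TOS byte."""
    mask, mark = parse_mask_mark(spec)
    return modify_tos(received, mask, mark)


def changed_bits(received: int, sent: int) -> int:
    """Bit positions that differ between the received and transmitted
    bytes; handy when checking a configured mask against captured packets."""
    return received ^ sent


if __name__ == "__main__":
    # The manual's example: 0x07 received, mask 11111101, mark 00000001.
    print(hex(apply_spec(0x07, "11111101:00000001")))   # 0x3
    # The default X'00' mask leaves every bit alone.
    print(hex(apply_spec(0x07, "00000000:00000000")))   # 0x7
    # Constructed DiffServ case: set the six DSCP bits to 101110 while
    # preserving the two low-order bits of the received byte.
    print(hex(apply_spec(0x03, "11111100:10111000")))   # 0xbb
```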

interface-pair
The interface pair associates a profile with a specific interface or set of interfaces. By default the profile object does not restrict the policy from being applied to any one interface. If that is necessary, you may add interface pairs to accomplish it. The interface pair specifies the IP address of the interface on which the traffic is to arrive and the IP address of the interface on which the traffic is to leave.

The following example shows two interface pairs with the same name, representing traffic coming in on any interface and going out on the public interface, and conversely.

1) Group Name: inOutPublic
        In:Out=255.255.255.255 : 1.1.1.1
        In:Out=1.1.1.1 : 255.255.255.255

Name
The name of the interface pair.

Ingress interface
IPv4 address of the input interface.

Default value: 255.255.255.255 (any)

Egress interface
IPv4 address of the output interface.

Default value: 255.255.255.255 (any)

IPSec-action
Prompts you for information for setting up the Phase 2 tunnel.

Name
The name of the IPSec action.

Action type
The action to apply to packets matching the profile of a policy containing this action.

1
Block (block connection).

2
Permit (Permit packets matching this action.) If an IPSec proposal does not exist, pass the packet; if an IPSec proposal exists, apply IPSec security processing to the packet.

Default value: 2

The following option is only available if you specify Permit (pass) as the action type:

Traffic flow type
Type of traffic flow (secure tunnel or in the clear).

1
Clear

2
Secure Tunnel

Default value: 2

The following option is only available if you specify the traffic flow as secure:

Tunnel start point
IPv4 address of the tunnel start point.

Tunnel end point
IPv4 address of the tunnel end point. (0.0.0.0 for remote access)

Default value: 0.0.0.0

Tunnel-in-tunnel
Specifies whether the traffic being protected by this tunnel is to be further protected by another policy configured on this device.

Valid options: Yes or No

Default value: No

Percentage of SA lifesize/lifetime to accept
The minimum SA lifesize/lifetime that is accepted, expressed as a percentage of the configured SA lifesize/lifetime. An SA lifesize/lifetime received with a value less than this is not accepted.

Default value: 75

SA refresh threshold
The percentage into the SA lifetime or lifesize value that the SA is to be refreshed automatically.

Default value: 85

DF-Bit-Setting
Specifies whether to copy the Don't Fragment bit from the original packet, and whether to set or clear it in the outer header of the IPSec packet if running in tunnel mode.

1
Copy

2
Set

3
Clear

Default value: 1

Replay-Prevention
Specifies whether IPSec is to enforce replay prevention for received IPSec packets. In this mode IPSec ensures that the sequence numbers are valid and not received more than once.

1
Enable

2
Disable

Default value: 2

Negotiate SA Automatically
Specifies whether the Phase 2 SA is negotiated automatically at system initialization.

Yes or No

Default value: No

IPSec proposal
The name of the IPSec proposal (you may specify up to five proposals) to be sent or checked during Phase 2. The order in which you specify them determines their priority, with the first one being the highest.

IPSec-manual-tunn
Prompts you for information for manually setting up the Phase 2 tunnel.

Tunnel name
The name of the IPSec manual tunnel.

Tunnel lifetime
The tunnel lifetime (in minutes).

Default value: 46080

Encapsulation mode
The encapsulation mode to use.

tunn
Tunnel mode

trans
Transport mode

Default value: tunn

Policy
The type of tunnel policy to use.

AH
Authentication Header

ESP
Encapsulating Security Payload

AH-ESP
For outbound packets, specifies that encryption runs before authentication.

ESP-AH
For outbound packets, specifies that authentication runs before encryption.

Default value: AH-ESP

Local IP address
The source IPv4 address.

Default value: 11.0.0.5

Local encryption SPI
The source security parameters index value.

Default value: 256

Local encryption algorithm
The source encryption algorithm.

Null
No encryption.

CDMF
Commercial Data Masking Facility.

DES-CBC
Data Encryption Standard and Cipher Block Chaining.

3DES
Triple Data Encryption Standard.

Default value: DES-CBC

Local encryption key
A 16-character key.

Padding
Additional padding for local encryption.

Default value: 0

Local ESP authentication
Specifies whether local ESP authentication is to be used.

Yes or No

Default value: Yes

Remote IP address
The destination IPv4 address.

Default value: 0.0.0.0

Remote encryption SPI
The destination security parameters index value.

Default value: 256

Remote encryption algorithm
The destination encryption algorithm.

Null
No encryption.

CDMF
Commercial Data Masking Facility.

DES-CBC
Data Encryption Standard and Cipher Block Chaining.

3DES
Triple Data Encryption Standard.

Default value: DES-CBC

Remote encryption key
A 16-character key.

Verify remote encryption padding.
Specifies whether to verify remote encryption padding.

Yes or No

Default value: No

Remote ESP authentication
Specifies whether remote ESP authentication is to be used.

Yes or No

Default value: Yes

DF bit
Specifies how to process the Don't Fragment bit.

Copy
Copies the DF bit.

Set
Sets the DF bit on.

Clear
Sets the DF bit off.

Default value: COPY

Enable tunnel
Specifies whether to enable the tunnel when it is created.

Yes or No

Default value: Yes

IPSec-proposal
Prompts you for information for creating an IPSec proposal.

IPSec proposal name
The name of the IPSec proposal.

Perfect forward secrecy
Specifies whether IKE is to be used, to prevent anyone from determining a current key from a previously compromised key.

Yes or No

Default value: No

Diffie Hellman Group ID
The type of Diffie Hellman group.

1
Diffie Hellman Group 1

2
Diffie Hellman Group 2

Default value: 1

AH transform
The name of the AH transform (you may specify up to five transforms) for this proposal. The order in which you specify them determines their priority, with the first one being the highest.

ESP transform
The name of the ESP transform (you may specify up to five transforms) for this proposal. The order in which you specify them determines their priority, with the first one being the highest.

IPSec-transform
Prompts you for information about IPSec transforms.

IPSec transform name
The name of the IPSec transform.

Protocol ID
The security protocol to use.

1
IPSec-AH

2
IPSec-ESP

Default value: 1

AH Authentication Algorithm
The AH authentication algorithm to use.

1
HMAC-MD5

2
HMAC-SHA

Default value: 1

Encapsulation mode
The encapsulation mode to use.

1
Tunnel

2
Transport

Default value: 1

ESP Authentication Algorithm
The ESP authentication algorithm to use.

0
None

1
HMAC-MD5

2
HMAC-SHA

Default value: 2

ESP cipher algorithm
The ESP cipher algorithm to use.

1
ESP DES

2
ESP 3DES

3
ESP CDMF

4
ESP Null (no encryption)

Default value: 1

SA lifesize
The lifesize (in Kb) of the SA for this proposal.

Default value: 50000

SA lifetime
The lifetime (in seconds) of the SA for this proposal.

Default value: 3600

ISAKMP-Action
Prompts you for information about which ISAKMP action to apply.

Name
The name of the ISAKMP action.

Exchange mode
The type of exchange mode for Phase 1 negotiations.

1
Main

2
Aggressive

Default value: 1

Percentage of Minimum SA lifesize/lifetime
The minimum SA lifesize/lifetime that is accepted, expressed as a percentage of the configured SA lifesize/lifetime. An SA lifesize/lifetime with a value less than this is not accepted.

Default value: 75

ISAKMP connection lifesize
The lifesize (in Kb) of the Phase 1 connection. Once the Phase 1 connection expires, the next time the Phase 2 SA must refresh, Phase 1 completely renegotiates before Phase 2 can start.

Default value: 5000

ISAKMP connection lifetime
The lifetime (in seconds) of the Phase 1 connection. Once the Phase 1 connection expires, the next time Phase 2 must refresh, Phase 1 starts over completely.

Default value: 5000

Negotiate SA automatically
Specifies whether the SA is negotiated automatically at system initialization.

Yes or No

Default value: No

ISAKMP proposal
The name of the ISAKMP proposal (you may specify up to five proposals) to be sent or checked during Phase 2 quick mode. The order in which you specify them determines their priority, with the first one being the highest.

ISAKMP-Proposal
Prompts you for the ISAKMP proposal information used in the ISAKMP negotiations.

ISAKMP proposal name
The name of the ISAKMP proposal.

Authentication method
The type of authentication to use during ISAKMP Phase 1 negotiations.

1
Pre-Shared Key

2
RSA SIG (certificate mode)

Default value: 1

Hash algorithm
The type of hash algorithm to use during Phase 1 negotiations.

1
MD5

2
SHA

Default value: 1

Cipher algorithm
The type of cipher algorithm to use during Phase 1 negotiations.

1
DES

2
3DES

Default value: 1

Diffie Hellman Group ID
The type of Diffie Hellman group to use during Phase 1 negotiations.

1
Diffie Hellman Group 1

2
Diffie Hellman Group 2

Default value: 1

SA lifesize
The lifesize (in Kb) of the SA for this proposal.

Default value: 50000

SA lifetime
The lifetime (in seconds) of the SA for this proposal.

Default value: 5000

Policy
Prompts you for information about the policy configuration: Profile name (required), RSVP name (optional), DiffServ name (optional), IPSec name (optional), ISAKMP name (optional), and Validity Period Profile (optional). You must specify at least one of DiffServ, IPSec, ISAKMP, or RSVP for the policy to be valid.

Default value for the validity period: Valid all the time

Name
The name of the policy configuration.

Priority
Relative priority of this policy to other policies (the higher the number, the higher the priority). This is used to resolve conflicts if multiple policies apply to a packet.

Default value: 5

Profile
The name of a previously configured data traffic profile to use for this policy.

Validity period
The name of a previously configured validity period to use for this policy.

IPSec action
If this policy will enforce an IPSec action, the name of a previously configured IPSec action to use for this policy. If you specify a secure IPSec action, you must also specify an ISAKMP action.

ISAKMP action
The name of a previously configured ISAKMP action to use for this policy. If you specify an ISAKMP action, you must also specify an IPSec action.

Diffserv action
If you want to map a DiffServ action to this policy, the name of a previously configured DiffServ action.

RSVP action
The name of an RSVP action for this policy to enforce.

Profile
Prompts you for information for defining a set of selectors (conditionals) for a policy profile on which to perform actions.

name
The name of the policy profile.

ipv4-src-address-format
The format of the IPv4 source address (range, netmask, single address).

ipv4-src-address
The IPv4 source address (low address if address format is range).

Default value: 0.0.0.0

ipv4-src-mask
The IPv4 source mask (high address if address format is range).

Default value: 255.0.0.0

ipv4-dest-address-format
The format of the IPv4 destination address (range, netmask, single address).

ipv4-dest-address
The IPv4 destination address (low address if address format is range).

Default value: 0.0.0.0

ipv4-dest-mask
The IPv4 destination mask (high address if address format is range).

Default value: 255.0.0.0

protocol-id
The protocol id on which to filter.

1
TCP

2
UDP

3
All protocols

4
Specify range

Default value: 3

src-port-start
The first port number of the source port number range.

Default value: 0

src-port-end
The last port number of the source port number range.

Default value: 65535

dest-port-start
The first port number of the destination port number range.

Default value: 0

dest-port-end
The last port number of the destination port number range.

Default value: 65535

src-id-type
The source ID type, which is sent to the remote peer. This value is used to determine which policy contains the ISAKMP information needed during ISAKMP Phase 1 negotiations. It is compared to the information in the identification payload of the ISAKMP packet. This information is needed if the remote peer must identify the device with a value other than an IP address.

1
Local tunnel end point

2
Host fully qualified domain name

3
User fully qualified domain name

4
Key ID

any-user-access
Allow access for any user within the profile definition. If you specify No, then you are prompted for the name of the remote user group for this profile. This attribute is only required if you want to limit the access of remote access peers to a specific policy.

Yes or No

Default value: Yes

Received DS byte mask
The 8-bit mask to apply to an incoming packet's TOS byte.

Default value: 0

Received DS byte match
The 8-bit pattern to compare to the result of ANDing the incoming TOS byte with the Received DS byte mask value.

Default value: 0

Interface pairs
If this policy must restrict the traffic flows to specific interfaces, this is the name of the interface pair group.

RSVP-Action
Prompts you for information about which RSVP actions apply.

Name
The name of the RSVP action.

Permission
Specifies the permission level for RSVP sessions that match this action.

1
Permit

2
Deny

Default value: 2

Max token rate
The maximum amount of bandwidth (in Kbps) that RSVP is to allocate for an individual flow.

Default value: 100

Max duration
The maximum amount of time (in seconds) that a flow can last (0 implies forever).

Default value: 600

RSVP-to-DS
Specifies whether to map RSVP flows that match this action to a configured DiffServ action. RSVP uses the information from the DiffServ action to mark the TOS byte for the next DiffServ-enabled upstream device. This is for use in a network in which packets leave an RSVP-enabled network into a DiffServ-enabled network.

Yes or No

Default value: No

VALIDITY-PERIOD
Prompts you for information about the period during which the policy is valid, and creates a policy profile.

Name
The name of the validity period profile.

yyyymmddhhmmss:yyyymmddhhmmss
The period during which the policies containing this validity period profile are valid.

Example:

19980101000000:19981231000000

Months
The months during which the policies containing this validity period profile are valid. You can specify any sequence of months, using the first three letters of each month (for example, jan or dec), with the months separated by spaces, or you can specify all to signify every month of the year.

Days
The days of the week on which the policies containing this validity period profile are valid. You can specify any sequence of days, using the first three letters of each day (for example, mon or fri), with the days separated by spaces, or you can enter all to specify every day of the week.

Starting time
The time at which policies containing this validity period profile are valid. Specify this in the form hh:mm:ss or specify * if you want the policy to be valid all day.

Default value: *

Ending time
The time at which the validity of policies containing this validity period profile expires. Specify this in the form hh:mm:ss.

Default value: None
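An added example, not from the IBM manual, that evaluates a validity-period profile built from the field formats given above (yyyymmddhhmmss:yyyymmddhhmmss, three-letter month and day names or all, hh:mm:ss or *) and answers whether a policy carrying it applies at a given moment. The class name, the handling of a window whose ending time precedes its starting time (treated as crossing midnight), and the sample profiles are assumptions made here.

```python
# Added example (not from the IBM manual): deciding whether a policy whose
# validity-period profile is given in the manual's field formats is in
# force at a particular time. Assumption: an ending time earlier than the
# starting time means the window wraps past midnight.
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Set

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
# Order matches datetime.weekday(): Monday is 0.
DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]


def _parse_names(spec: str, table: list) -> Set[int]:
    """Turn 'jan dec', 'mon fri' or 'all' into a set of indexes into table."""
    tokens = spec.lower().split()
    if tokens == ["all"]:
        return set(range(len(table)))
    result = set()
    for tok in tokens:
        if tok not in table:
            raise ValueError(f"unknown name {tok!r}; expected one of {table}")
        result.add(table.index(tok))
    return result


def _parse_hms(text: str) -> time:
    return datetime.strptime(text, "%H:%M:%S").time()


def parse_stamp(stamp: str) -> datetime:
    """Parse the manual's yyyymmddhhmmss form."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S")


@dataclass
class ValidityPeriod:
    name: str
    period: str                 # yyyymmddhhmmss:yyyymmddhhmmss
    months: str = "all"
    days: str = "all"
    start: str = "*"            # hh:mm:ss, or "*" for the whole day
    end: Optional[str] = None   # hh:mm:ss; required unless start is "*"

    def __post_init__(self):
        lo, hi = self.period.split(":")
        self.lo, self.hi = parse_stamp(lo), parse_stamp(hi)
        if self.hi < self.lo:
            raise ValueError("period end precedes period start")
        self.month_set = _parse_names(self.months, MONTHS)
        self.day_set = _parse_names(self.days, DAYS)
        if self.start != "*":
            if self.end is None:
                raise ValueError("ending time required when a starting time is given")
            self.t_start, self.t_end = _parse_hms(self.start), _parse_hms(self.end)

    def is_valid_at(self, when: datetime) -> bool:
        """True if a policy carrying this profile applies at 'when'."""
        if not self.lo <= when <= self.hi:
            return False
        if (when.month - 1) not in self.month_set:
            return False
        if when.weekday() not in self.day_set:
            return False
        if self.start == "*":
            return True
        t = when.time()
        if self.t_start <= self.t_end:
            return self.t_start <= t <= self.t_end
        # Assumed behaviour: the window crosses midnight (e.g. 22:00:00-06:00:00).
        return t >= self.t_start or t <= self.t_end

    def is_valid_at_stamp(self, stamp: str) -> bool:
        """Same check, taking the time in yyyymmddhhmmss form."""
        return self.is_valid_at(parse_stamp(stamp))


if __name__ == "__main__":
    # Constructed profile: business hours on weekdays throughout 1998.
    office = ValidityPeriod("office", "19980101000000:19981231000000",
                            "all", "mon tue wed thu fri", "08:00:00", "17:00:00")
    print(office.is_valid_at_stamp("19980617100000"))   # True  (a Wednesday, 10:00)
    print(office.is_valid_at_stamp("19980620100000"))   # False (a Saturday)
    print(office.is_valid_at_stamp("19980617180000"))   # False (after hours)
```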

Change

Use the change command to change information in a policy object. See the description of the add command for the available objects.

Copy

Use the copy command to copy information from one policy object to another. See the description of the add command for the available objects. (The interface-pair, manual tunnel, and user options do not apply to the copy command.)

Delete

Use the delete command to delete information from a policy object. See the description of the add command for the available objects.

Disable

Use the disable command to disable a policy configuration.

Syntax:  disable 
policy

Policy
Prompts you for the name of the policy configuration to disable.

Enable

Use the enable command to enable a policy configuration.

Syntax:  enable 
policy

Policy
Prompts you for the name of the policy configuration to enable.

List

Use the list command to display any or all of the policy configuration information.

Syntax:  list 
all
default-policy
ldap
refresh

All
Displays all policy configuration information.

Default-policy
Displays the name of the default policy.

LDAP
Displays the names of the defined LDAP configurations.

Refresh
Lists the policy refresh status (Enable or Disable) and the refresh interval time.

LDAP Policy Server Configuration Commands

The LDAP policy server configuration commands enable you to specify LDAP server options for retrieving policy information. Table 39 summarizes the LDAP configuration commands, and the rest of this section describes them in detail. Enter them at the Policy config> prompt. You can either enter the command and options on one line, or enter only the command and respond to the prompts. To see a list of valid command options, enter the command with a question mark instead of options.

Table 39. LDAP Configuration Commands

Command        Function
? (Help)       Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
Disable ldap   Disables LDAP configuration options.
Enable ldap    Enables LDAP configuration options.
Set ldap       Specifies LDAP configuration options.
Exit           Returns you to the previous command level. See "Exiting a Lower Level Environment".

Disable LDAP

Use the disable ldap command to disable LDAP policy search functions in the directory.

Syntax:  disable ldap 
policy-search

policy-search
Disables LDAP from performing policy search functions in the directory.

Enable LDAP

Use the enable ldap command to enable LDAP policy search functions in the directory.

Syntax:  enable ldap 
policy-search

policy-search
Enables LDAP for performing policy search functions in the directory.

Set Default-Policy

Use the set default-policy command to specify the policy options to use while the policy database is being refreshed. The command sets the error handling options and the default security needed for accessing the LDAP policy server.

Syntax:  set default-policy 
default-error-handling
default-security

default-error-handling
Specifies the error handling options to use while the policy database is being refreshed.
Note: The default error handling setting determines the behavior of the device if an error occurs while rebuilding the policy database. If an error occurs, you have the following options for how the device is to behave:

  1. Reset policy database to default security.

  2. Flush any rules read from LDAP, load local rules plus default security.

These settings are only valid if there was an error building the policy database. Either option inherits the default security of drop or pass when an error occurs. If you select option 2 then all traffic is dropped or passed unless it matches a locally defined policy. If the policy database builds successfully then this option is not used.

default-security
Specifies the security options to use while the policy database is being refreshed.
Note: Once the policy database has been built successfully, the default behavior is defined as pass. This means that if a packet does not match any policy rule, it is passed in the clear. If you want packets that do not match a rule to be dropped, either globally or only on certain interfaces, you must define a policy to do that.

1
Accept and forward all IP traffic.

2
Permit LDAP traffic, drop all other IP traffic.

If you select this option, then you are prompted for the local IP addresses on the device on which the LDAP traffic is to be sent and received.

3
Permit and secure LDAP traffic, drop all other IP traffic.

If you select this option, then you are prompted for the following information:

DHGroupId
The Diffie-Hellman Group Id to use during the ISAKMP Phase 1 negotiations.

1
DH Group 1.

2
DH Group 2.

Phase1-Hash-Algorithm
The hash algorithm to use during the Phase 1 negotiations. The hash algorithm provides the authentication of the Phase 1 messages.

1
MD5.

2
SHA.

Phase1-Cipher-Algorithm
The cipher algorithm to use during Phase 1 negotiations. The cipher algorithm provides encryption protection for the Phase 1 negotiations.

1
DES

2
3DES

Phase1-Authentication-Method
The authentication method to use with the remote peer. This specifies how ISAKMP determines whether the remote peer is actually the correct device with which to be negotiating.

1
Pre-shared key

2
Certificate (RSA SIG)

Pre-Shared-Key-Value
If you have specified the pre-shared key Phase 1 authentication method, then you are prompted to enter the key value in ASCII.

Phase2-ESP-Authentication-Algorithm
ESP is the only IPSec protocol allowed for the default security. You are prompted for the authentication algorithm to use during Phase 2 ISAKMP negotiations.

0
None

1
HMAC-MD5

2
HMAC-SHA

Phase2-ESP-Cipher-Algorithm
ESP is the only IPSec protocol allowed for the default security. You are prompted for the encryption algorithm to use during Phase 2 ISAKMP negotiations.

1
ESP DES

2
ESP 3DES

3
ESP CDMF

4
ESP NULL

Primary-Tunnel-Start
The IP address on the device that is to be used for the IKE and IPSec traffic between the device and the security gateway protecting the primary LDAP server.

Primary-Tunnel-End
The IP address on the remote security gateway protecting the primary LDAP server that is to be used for the IKE and IPSec traffic.

Secondary-Tunnel-Start
The IP address on the device that is to be used for the IKE and IPSec traffic between the device and the security gateway protecting the secondary LDAP server.

Secondary-Tunnel-End
The IP address on the remote security gateway protecting the secondary LDAP server that is to be used for the IKE and IPSec traffic.

Set LDAP

Use the set ldap command to configure the LDAP operating parameters.

Syntax:  set ldap 
anonymous-bind [yes or no]
bind-name <name>
bind-pw <pw>
policy-base <string>
primary <ip-address>
secondary <ip-address>
version <value>

anonymous-bind [Yes or No]
Specifies whether you want to bind to the LDAP directory anonymously or with the bind name and bind password you have specified.

Default value: Yes

bind-name <name>
Prompts you for information needed to bind to the LDAP server before a search of its directory can be performed. The name parameter specifies the distinguished name that the router uses to identify itself. If you do not enter this parameter, then the bind is issued as an anonymous request.

bind-pw <pw>
Prompts you for information needed to bind to the LDAP server before a search of its directory can be performed. The pw parameter is the password related to the distinguished name. If you do not enter this parameter, then the bind is issued as an anonymous request.

policy-base <string>
Prompts you to enter a character string that is used to define the scope of the search for policies in the router's SRAM and the LDAP server. For example, you can use this option to return policies that only apply to router A, or for NHD, or for IBM-US. The policy-base is the distinguished name of the DeviceProfile object in the LDAP server.

primary <ip-address>
Prompts you for the IPv4 address of the LDAP server from which to retrieve policies.

secondary <ip-address>
Prompts you for the IPv4 address of a backup LDAP server that is used if the default server cannot be reached.

version <value>
Prompts you for the LDAP version number supported by the LDAP server.

Default value: 2 (The only acceptable values are 2 or 3.)

Set Refresh

Use the set refresh command to enable or disable automatic refresh of the policy database once each day. If enabled, the policy database automatically refreshes once a day at the specified time. This enables all policy-enabled routers in the network to automatically incorporate any policy changes that have occurred in the LDAP directory. To reset this parameter, use the policy feature's Talk 5 reset refresh command.

Syntax:  set refresh 
enabled [yes or no]
<time>

enabled [yes or no]
Specifies whether to perform the automatic refresh.

<time>
If you specify enabled yes, designates the time of day (in 24-hour format) at which the refresh is to occur.

Accessing the Policy Monitoring Prompt

The policy console portion of the policy feature enables you to view policies that are in the policy database and to enable or disable individual policies. To access the Policy monitoring environment, type talk 5 at the OPCON prompt (*):

   * t 5

Then, enter the following command at the + prompt:

   + feature policy
   Policy>

Policy Monitoring Commands

These commands enable you to view the profiles defined in the policy database and to enable or disable individual policies. Table 40 summarizes the policy monitoring commands and the rest of this section describes them. Enter the commands at the Policy console> prompt. You can either enter the command and options on one line, or enter only the command and respond to the prompts. To see a list of valid command options, enter the command with a question mark instead of options.

Table 40. Policy Monitoring Commands

Command    Function
? (Help)   Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
Disable    Disables a policy that is loaded in the policy database.
Enable     Enables a policy that is loaded in the policy database.
Reset      Refreshes or resets policy-related criteria.
Search     Tests or debugs activity between the LDAP client and server.
Status     Displays information about the policy database.
List       Displays information about the LDAP configuration and the policies defined.
Test       Queries the policy engine and retrieves the rules that were selected.
Exit       Returns you to the previous command level. See "Exiting a Lower Level Environment".

Disable

Use the disable command to disable a policy that is currently loaded in the policy database. Any data packet that matches the criteria of a policy you disable will have default decisions applied to it.

Syntax:  disable 
<policy-name>

Enable

Use the enable command to enable a policy that is currently loaded in the policy database. Any data packet that matches the criteria of a policy you enable will have the decisions configured for the policy applied to it.

Syntax:  enable 
<policy-name>

Reset

Use the reset command to refresh or reset policy-related criteria.

Syntax:  reset 
ldap-config
policy-database
refresh-time

ldap-config
Dynamically loads the LDAP configuration (as specified in the set ldap command) into memory. Any changes become active for the next search operation. This command also forces a reset of the policy database and inactivates the policy database refresh time.

policy-database
Refreshes the policy database. Stops all tunnels and Phase 1 and Phase 2 SAs, resets the RSVP and DiffServ data structures, and flushes the policy database. Policies are then loaded from the LDAP server and an autostart is done. While the database is being rebuilt, no packets are allowed into or out of the router except packets to and from the LDAP server.

refresh-time
Sets the time at which the policy database will be refreshed automatically on a daily basis. If you have disabled the refresh time, then the database will not be refreshed until the router is rebooted or restarted.

Search

Use the search command to test or debug activity between the LDAP client and server. You can perform searches against the directory and have the results of the searches displayed in talk 5.

Syntax:  search 
filter
ipaddress

filter
Specifies a filter value for the search operation.

ipaddress
Specifies the IP address of the server.

Status

Use the status command to display information about the policy database.

Syntax:  status 

status
Displays the results of the most recent policy database refresh, the time that has elapsed since the refresh, and the time that the next refresh is scheduled.
Example:

Policy>status
Status of Last Search:       Failed
Time since last refresh:     4 seconds
Next Policy Refresh not scheduled

List

Use the list command to display information about LDAP configurations and policies.

Syntax:  list 
default-policy
ldap
policy
refresh
rule
stats

default-policy
Lists the default policy used during policy database refreshes.

ldap
Lists the LDAP configurations in SRAM.

policy
Lists policy components by logical policy name, according to the following options:
  basic
  Lists policy components by logical policy name. You may select one policy or list all policies. The listing displays the names of the components of the policies as they were entered during configuration in Talk 6.
  complete
  Does the same as list policy basic, except that the listing displays a complete listing of all parameter values for each logical policy.
  generated
  Does the same as list policy basic, except that the listing displays the names of all the generated rules for each logical policy.

refresh
Lists the policy refresh status (Enable or Disable) and the refresh interval time.

rule
Lists information about generated rules according to the following options:
  basic
  Lists all the generated rules. You can select a rule from the list or list all rules. The listing displays the names of the components of the rules. The components are:
    policy name
    loaded from (LDAP or local)
    state
    priority
    number of hits
    profile
    validity (followed by an action list consisting of the following)
      IPSec (and, or)
      ISAKMP (and, or)
      DiffServ (and, or)
      RSVP
  complete
  Does the same as list rule basic, except that the listing displays the names of all the parameters for each component.

stats
Lists the rules that have been hit and the number of hits. A rule can have multiple actions and not all actions are hit, so this option also indicates which action of the rule was hit, and the number of times.

Test

Use the test command to verify the behavior of the policy database. It allows you to enter a selector set, which queries the policy engine and retrieves the rules that match. You are prompted for the source and destination addresses, source and destination ports, the protocol ID, and the TOS value. If a rule is matched, then the command returns the name of the rule. Otherwise it indicates No match found.

Syntax:  test 
forwarder
ISAKMP
IPSec
RSVP

forwarder
Simulates a database query from the IP forwarding engine and returns any policy decisions that would result from such a query. The type of policy returned could include DiffServ information, IKE Phase 1 and Phase 2 information, and IPSec manual tunnel IDs.

ISAKMP
Simulates a database query from IKE for Phase 1 policy information and returns any policy decisions that would result from such a query. If you use this option, you must set the source and destination addresses to the tunnel endpoint IP addresses, the protocol to 17, and the source and destination ports to 500.

IPSec
Simulates a database query from IKE for Phase 2 policy information and returns any policy decisions that would result from such a query. If you use this option, you must set the source and destination addresses to the tunnel endpoint IP addresses, the protocol to 17, and the source and destination ports to 500.

RSVP
Simulates a database query from RSVP and returns any RSVP policy decisions that would result from such a query.

