Using and Configuring Features Version 3.3

Configuring and Monitoring the Policy Feature

This chapter describes the LDAP and policy commands provided by the policy feature for configuring and operating the router devices in a network. It includes the following sections:

"Accessing the Policy Configuration Prompt"
"Policy Configuration Commands"
"LDAP Policy Server Configuration Commands"
"Accessing the Policy Monitoring Prompt"
"Policy Monitoring Commands"

Accessing the Policy Configuration Prompt

To enter policy configuration commands:

Enter talk 6 at the OPCON (*) prompt.
Enter feature policy at the Config> prompt.

The Policy config> prompt displays. You may now enter policy configuration commands.

Policy Configuration Commands

These commands enable you to configure the information contained in policies. Table 39 summarizes the policy configuration commands and the rest of this section describes them in detail. Enter these commands at the Policy config> prompt. You can either enter the command and options on one line, or enter only the command and respond to the prompts. To see a list of valid command options, enter the command with a question mark instead of options.

Table 39. Policy Configuration Commands

Command Function
? (Help) Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
Add Adds the information used to create a policy.
Change Changes the information making up a policy.
Copy Copies information from one policy into another.
Delete Deletes information from a policy.
Disable Disables a policy.
Enable Enables a policy.
List Displays the information in a policy.
Set Specifies a policy to be used as the default.
Exit Returns you to the previous command level. See "Exiting a Lower Level Environment".

Command	Function
? (Help)	Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
Add	Adds the information used to create a policy.
Change	Changes the information making up a policy.
Copy	Copies information from one policy into another.
Delete	Deletes information from a policy.
Disable	Disables a policy.
Enable	Enables a policy.
List	Displays the information in a policy.
Set	Specifies a policy to be used as the default.
Exit	Returns you to the previous command level. See "Exiting a Lower Level Environment".

Add

Use the add command to add information to a policy.

Syntax: add: diffserv-action
: interface-pair
: ipsec-action
: ipsec-manual-tunn
: ipsec-proposal
: ipsec-transform
: isakmp-action
: isakmp-proposal
: policy
: profile
: rsvp-action
: user
: validity-period

Diffserv-action

Prompts you for information about which DiffServ-action selections apply.

Name

The unique name of the DiffServ action for the policy.

permission-level

Specifies whether the router is to forward packets that match this DiffServ action.

1: Permit
2: Deny

Default value: 2

Queue-priority

The queue into which outgoing packets matching this DiffServ action are placed.

1: Premium (expedited forwarding)
2: Assured/Best Effort

Default value: 2

bwshare-type

The type of bandwidth share allocation.

1: Absolute (in Kbps)
2: Percentage (of total output bandwidth)

Default value: 2

bwshare

The bandwidth (in Kbps or as a percentage of output bandwidth) allocated to this service.

ds-bytemask

The mask to apply to transmitted ds bytes. This value designates which bits of a packet's TOS byte must be changed when the packet is transmitted. A zero in any bit position of this byte implies that the bit must not change.

Default value:

(do not change any bits)

ds-bytemodify

The marking of the IP TOS byte that should be applied to packets be forwarded by this device. Zeros in the mask imply that the corresponding bit will not change. A one implies that the bit will be marked with the bit value in the mark byte. The operation is: newTOSByte = (Mask^ & receivedTOSByte) | (Mask&Mark) The ^ ^ ^ is a bit-based complement (Mask:Mark)

Example:

11111101:00000001

Using this example, a received value 0x07 would be sent with a value of 0x03

Default value: X'00' (do not change any bit)

interface-pair

The interface pair associates a profile with a specific interface or set of interfaces. By default the profile object does not restrict the policy from being applied to any one interface. If that is necessary, you may add interface pairs to accomplish it. The interface pair specifies the IP address of the interface on which the traffic is to arrive and the IP address of the interface on which the traffic is to leave.

The following example shows two interface pairs with the same name, representing traffic coming in on any interface and going out on the public interface, and conversely.

1) Group Name: inOutPublic
        In:Out=255.255.255.255 : 1.1.1.1	
        In:Out=1.1.1.1 : 255.255.255.255

Name

The name of the interface pair.

Ingress interface

IPv4 address of the input interface.

Default value: 255.255.255.255 (any)

Egress interface

IPv4 address of the output interface.

Default value: 255.255.255.255 (any)

IPSec-action

Prompts you for information for setting up the Phase 2 tunnel.

Name

The name of the IPSec action.

Action type

The action to apply to packets matching the profile of a policy containing this action.

1: Block (block connection).
2: Permit (Permit packets matching this action.) If an IPSec proposal does not exist, pass the packet; if an IPSec proposal exists, apply IPSec security processing to the packet.

Default value: 2

The following option is only available if you specify pass as the action type:

Traffic flow type

Type of traffic flow (secure tunnel or in the clear).

1: Clear
2: Secure Tunnel

Default value: 2

The following option is only available if you specify the traffic flow as secure:

Tunnel start point

IPv4 address of the tunnel start point.

Tunnel end point

IPv4 address of the tunnel end point. (0.0.0.0 for remote access)

Default value: 0.0.0.0

Tunnel-in-tunnel

Specifies whether the traffic being protected by this tunnel is to be further protected by another policy configured on this device.

Valid options: Yes or No

Default value: No

Percentage of SA lifesize/lifetime to accept

The minimum SA lifesize/lifetime (as a percentage) of the SA lifesize/lifetime. An SA lifesize/lifetime received with a value less than this is not accepted.

Default value: 75

SA refresh threshold

The percentage into the SA lifetime or lifesize value that the SA is to be refreshed automatically.

Default value: 85

DF-Bit-Setting

Specifies whether to copy the Don't Fragment bit from the original packet, and whether to set or clear it in the outer header of the IPSec packet if running in tunnel mode.

1: Copy
2: Set
3: Clear

Default value: 1

Replay-Prevention

Specifies whether IPSec is to enforce replay prevention for received IPSec packets. In this mode IPSec ensures that the sequence numbers are valid and not received more than once.

1: Enable
2: Disable

Default value: 2

Negotiate SA Automatically

Specifies whether the Phase 2 SA is negotiated automatically at system initialization.

Yes or No

Default value: No

IPSec proposal

The name of the IPSec proposal (you may specify up to five proposals) to be sent or checked during Phase 2. The order in which you specify them determines their priority, with the first one being the highest.

IPSec-manual-tunn

Prompts you for information for manually setting up the Phase 2 tunnel.

Tunnel name

The name of the IPSec manual tunnel.

Tunnel lifetime

The tunnel lifetime (in minutes).

Default value: 46080

Encapsulation mode

The encapsulation mode to use.

tunn: Tunnel mode
trans: Transport mode

Default value: tunn

Policy

The type of tunnel policy to use.

AH: Authentication Header
ESP: Encapsulating Security Payload
AH-ESP: For outbound packets, specifies that encryption runs before authentication.
ESP-AH: For outbound packets, specifies that authentication runs before encryption.

Default value: AH-ESP

Local IP address

The source IPv4 address.

Default value: 11.0.0.5

Local encryption SPI

The source security parameters index value.

Default value: 256

Local encryption algorithm

The source encryption algorithm.

Null: No encryption.
CDMF: Commercial Data Masking Facility.
DES-CBC: Data Encryption Standard and Cipher Block Chaining.
3DES: Triple Data Encryption Standard.

Default value: DES-CBC

Local encryption key

A 16-character key.

Padding

Additional padding for local encryption.

Default value: 0

Local ESP authentication

Specifies whether local ESP authentication is to be used.

Yes or No

Default value: Yes

Remote IP address

The destination IPv4 address.

Default value: 0.0.0.0

Remote encryption SPI

The destination security parameters index value.

Default value: 256

Remote encryption algorithm

The destination encryption algorithm.

Null: No encryption.
CDMF: Commercial Data Masking Facility.
DES-CBC: Data Encryption Standard and Cipher Block Chaining.
3DES: Triple Data Encryption Standard.

Default value: DES-CBC

Remote encryption key

A 16-character key.

Verify remote encryption padding.

Specifies whether to verify remote encryption padding.

Yes or No

Default value: No

Remote ESP authentication

Specifies whether remote ESP authentication is to be used.

Yes or No

Default value: Yes

DF bit

Specifies how to process the Don't Fragment bit.

Copy: Copies the DF bit.
Set: Sets the DF bit on.
Clear: Sets the DF bit off.

Default value: COPY

Enable tunnel

Specifies whether to enable the tunnel when it is created.

Yes or No

Default value: Yes

IPSec-proposal

Prompts you for information for creating an IPSec proposal.

IPSec proposal name

The name of the IPSec proposal.

Perfect forward secrecy

Specifies whether IKE is to be used, to prevent anyone from determining a current key from a previously compromised key.

Yes or No

Default value: No

Diffie Hellman Group ID

The type of Diffie Hellman group.

1: Diffie Hellman Group 1
2: Diffie Hellman Group 2

Default value: 1

AH transform

The name of the AH transform (you may specify up to five transforms) for this proposal. The order in which you specify them determines their priority, with the first one being the highest.

ESP transform

The name of the ESP transform (you may specify up to five proposals) for this proposal. The order in which you specify them determines their priority, with the first one being the highest.

IPSec-transform

Prompts you for information about IPSec transforms.

IPSec transform name

The name of the IPSec transform.

Protocol ID

The security protocol to use.

1: IPSec-AH
2: IPSec-ESP

Default value: 1

AH Authentication Algorithm

The AH authentication algorithm to use.

1: HMAC-MD5
2: HMAC-SHA

Default value: 1

Encapsulation mode

The encapsulation mode to use.

1: Tunnel
2: Transport

Default value: 1

ESP Authentication Algorithm

The ESP authentication algorithm to use.

0: None
1: HMAC-MD5
2: HMAC-SHA

Default value: 2

ESP cipher algorithm

The ESP cipher algorithm to use.

1: ESP DES
2: ESP 3DES
3: ESP CDMF
4: ESP Null (no encryption)

Default value: 1

SA lifesize

The lifesize (in Kb) of the SA for this proposal.

Default value: 50000

SA lifetime

The lifetime (in seconds) of the SA for this proposal.

Default value: 3600

ISAKMP-Action

Prompts you for information about which ISAKMP action to apply.

Name

The name of the ISAKMP action.

Exchange mode

The type of exchange mode for Phase 1 negotiations.

1: Main
2: Aggressive

Default value: 1

Percentage of Minimum SA lifesize/lifetime

The minimum SA lifesize/lifetime (as a percentage) of the SA lifesize/lifetime. An SA lifesize/lifetime with a value less than this is not accepted.

Default value: 75

ISAKMP connection lifesize

The lifesize (in Kb) of the Phase 1 connection. Once the Phase 1 connection expires, the next time the Phase 2 SA must refresh, Phase 1 completely renegotiates before Phase 2 can start.

Default value: 5000

ISAKMP connection lifetime

The lifetime (in seconds) of the Phase 1 connection. Once the Phase 1 connection expires, the next time Phase 2 must refresh, Phase 1 starts over completely.

Default value: 5000

Negotiate SA automatically

Specifies whether the SA is negotiated automatically at system initialization.

Yes or No

Default value: No

ISAKMP proposal

The name of the ISAKMP proposal (you may specify up to five proposals) to be sent or checked during Phase 2 quick mode. The order in which you specify them determines their priority, with the first one being the highest.

ISAKMP-Proposal

Prompts you for the ISAKMP proposal information used in the ISAKMP negotiations.

ISAKMP proposal name

The name of the ISAKMP proposal.

Authentication method

The type of authentication to use during ISAKMP Phase 1 negotiations.

1: Pre-Shared Key
2: RSA SIG (certificate mode)

Default value: 1

Hash algorithm

The type of hash algorithm to use during Phase 1 negotiations.

1: MD5
2: SHA

Default value: 1

Cipher algorithm

The type of cipher algorithm to use during Phase 1 negotiations.

1: DES
2: 3DES

Default value: 1

Diffie Hellman Group ID

The type of Diffie Hellman group to use during Phase 1 negotiations.

1: Diffie Hellman Group 1
2: Diffie Hellman Group 2

Default value: 1

SA lifesize

The lifesize (in Kb) of the SA for this proposal.

Default value: 50000

SA lifetime

The lifetime (in seconds) of the SA for this proposal.

Default value: 5000

Policy

Prompts you for information about the policy configuration: Profile name (required), RSVP name (optional), DiffServ name (optional), IPSec name (optional), ISAKMP name (optional), and Validity Period Profile (optional). You must specify either DiffServ, IPSec, ISAKMP, or RSVP for the policy to be valid.

Default value: Valid all the time

Name

The name of the policy configuration

Priority

Relative priority of this policy to other policies (the higher the number, the higher the priority). This is used to resolve conflicts if multiple policies apply to a packet.

Default value: 5

Profile

The name of a previously configured data traffic profile to use for this policy.

Validity period

The name of a previously configured validity period to use for this policy.

IPSec action

If this policy will enforce an IPSec action, the name of a previously configured IPSec action to use for this policy. If you specify a secure IPSec action, you must also specify an ISAKMP action.

ISAKMP action

The name of a previously configured ISAKMP action to use for this policy. If you specify an ISAKMP action, you must also specify an IPSec action.

Diffserv action

If you want to map a DiffServ action to this policy, the name of a previously configured DiffServ action.

RSVP action

The name of an RSVP action for this policy to enforce.

Profile

Prompts you for information for defining a set of selectors (conditionals) for a policy profile on which to perform actions.

name

The name of the policy profile.

ipv4-src-address-format

The format of the IPv4 source address (range, netmask, single address).

ipv4-src-address

The IPv4 source address (low address if address format is range).

Default value: 0.0.0.0

ipv4-src-mask

The IPv4 source mask (high address if address format is range).

Default value: 255.0.0.0

ipv4-dest-address-format

The format of the IPv4 destination address (range, netmask, single address).

ipv4-dest-address

The IPv4 destination address (low address if address format is range).

Default value: 0.0.0.0

ipv4-dest-mask

The IPv4 destination mask (high address if address format is range).

Default value: 255.0.0.0

protocol-id

The protocol id on which to filter.

1: TCP
2: UDP
3: All protocols
4: Specify range

Default value: 3

src-port-start

The first port number of the source port number range.

Default value: 0

src-port-end

The last port number of the source port number range.

Default value: 65535

dest-port-start

The first port number of the destination port number range.

Default value: 0

dest-port-end

The last port number of the destination port number range.

Default value: 65535

src-id-type

The source ID type, which is sent to the remote. This value is used to determine which policy contains the ISAKMP information needed during ISAKMP Phase 1 negotiations. It is compared to the information in the identification payload of the ISAKMP packet. This information is needed if the remote peer must identify the device with a value other than IP address.

1: Local tunnel end point
2: Host fully qualified domain name
3: User fully qualified domain name
4: Key ID

any-user-access

Allow access for any user within the profile definition. If you specify No, then you are prompted for the name of the remote user group for this profile. This attribute is only required if you want to limit the access of remote access peers to a specific policy.

Yes or No

Default value: Yes

Received DS byte mask

The 8-bit mask to apply to an incoming packet's TOS byte.

Default value: 0

Received DS byte match

The 8-bit pattern to compare to the result of ANDing the incoming TOS byte with the Received DS byte mask value.

Default value: 0

Interface pairs

If this policy must restrict the traffic flows to specific interfaces, this is the name of the interface pair group.

RSVP-Action

Prompts you for information about which RSVP actions apply.

Name

The name of the RSVP action.

Permission

Specifies the permission level for RSVP sessions that match this action.

1: Permit
2: Deny

Default value: 2

Max token rate

The maximum amount of bandwidth (in Kbps) that RSVP is to allocate for an individual flow.

Default value: 100

Max duration

The maximum amount of time (in seconds) that a flow can last (0 implies forever).

Default value: 600

RSVP-to-DS

Specifies whether to map RSVP flows that match this action to a configured DiffServ action. RSVP uses the information from the DiffServ action to mark the TOS byte for the next DiffServ-enabled upstream device. This is for use in a network in which packets leave an RSVP-enabled network into a DiffServ-enabled network.

Yes or No

Default value: No

VALIDITY-PERIOD

Prompts you for information about the period during which the policy is valid, and creates a policy profile.

Name

The name of the validity period profile.

yyyymmddhhmmss:yyyymmddhhmmss

The period during which the policies containing this validity period profile are valid.

Example:

19980101000000:19981231000000

Months

The months during which the policies containing this validity period profile are valid. You can specify any sequence of months, using the first three letters of each month (for example, jan or dec), with the months separated by a spaces, or you can specify all to signify every month of the year.

Days

The dates on which the policies containing this validity period profile are valid. You can specify any sequence of dates, using the first three letters of each day (for example, mon or fri), with the days separated by a spaces, or you can enter all to specify every day of the week.

Starting time

The time at which policies containing this validity period profile are valid. Specify this in the form hh:mm:ss or specify * if you want the policy to be valid all day.

Default value: *

Ending time

The time at which the validity of policies containing this validity period profile expires. Specify this in the form hh:mm:ss.

Default value: None

Change

Use the change command to change information in a policy object. See the description of the add command for the available objects.

Copy

Use the copy command to copy information from one policy object to another. See the description of the add command for the available objects. (The interface-pair, manual tunnel, and user options do not apply to the copy command.)

Delete

Use the delete command to delete information from a policy object. See the description of the add command for the available objects.

Disable

Use the disable command to disable a policy configuration.

Syntax: disable: policy

Policy: Prompts you for the name of the policy configuration to disable.

Enable

Use the enable command to enable a policy configuration.

Syntax: enable: policy

Policy: Prompts you for the name of the policy configuration to enable.

List

Use the list command to display any or all of the policy configuration information.

Syntax: list: all
: default-policy
: ldap
: refresh

All: Displays all policy configuration information.
Default-policy: Displays the name of the default policy.
LDAP: Displays the names of the defined LDAP configurations.
Refresh: Lists the policy refresh status (Enable or Disable) and the refresh interval time.

LDAP Policy Server Configuration Commands

The LDAP policy server configuration commands enable you to specify LDAP server options for retrieving policy information. Table 40 summarizes the LDAP configuration commands, and the rest of this section describes them in detail. Enter them at the Policy config> prompt. You can either enter the command and options on one line, or enter only the command and respond to the prompts. To see a list of valid command options, enter the command with a question mark instead of options.

Table 40. LDAP Configuration Commands

Command Function
? (Help) Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
Disable ldap Disables LDAP configuration options.
Enable ldap Enables LDAP configuration options.
Set ldap Specifies LDAP configuration options.
Exit Returns you to the previous command level. See "Exiting a Lower Level Environment".

Command	Function
? (Help)	Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
Disable ldap	Disables LDAP configuration options.
Enable ldap	Enables LDAP configuration options.
Set ldap	Specifies LDAP configuration options.
Exit	Returns you to the previous command level. See "Exiting a Lower Level Environment".

Disable LDAP

Use the disable ldap command to disable LDAP policy search functions in the directory.

Syntax: disable ldap: policy-search

policy-search: Disables LDAP from performing policy search functions in the directory.

Enable LDAP

Use the enable ldap command to enable LDAP policy search functions in the directory.

Syntax: enable ldap: policy-search

policy-search: Enables LDAP for performing policy search functions in the directory.

Set Default-Policy

Use the set default-policy command to specify the policy options to use while the policy database is being refreshed. The command sets the error handling options and the default security needed for accessing the LDAP policy server.

Syntax: set

default-policy

: default-error-handling
: default-security

default-error-handling

Specifies the error handling options to use while the policy database is being refreshed.

Note:

The default error handling setting determines the behavior of the device if an error occurs while rebuilding the policy database. If an error occurs then you have the options for how the device is to behave. They are:

Reset policy database to default security.
Flush any rules read from LDAP, load local rules plus default security.

These settings are only valid if there was an error building the policy database. Either option inherits the default security of drop or pass when an error occurs. If you select option 2 then all traffic is dropped or passed unless it matches a locally defined policy. If the policy database builds successfully then this option is not used.

default-security

Specifies the security options to use while the policy database is being refreshed.

Note:

Once the policy database has been built successfully, the default behavior is defined as pass. This means that if a packet does not match any policy rule then it will be passed in the clear. If you want packets that do not match a rule to be dropped globally or just for certain interfaces, then you must define a policy to do that.

1

Accept and forward all IP traffic.

2

Permit LDAP traffic, drop all other IP traffic.

If you select this option, then you are prompted for the local IP addresses on the device on which the LDAP traffic is to be sent and received.

3

Permit and secure LDAP traffic, drop all other IP traffic.

If you select this option, then you are prompted for the following information:

DHGroupId

The Diffie-Hellman Group Id to use during the ISAKMP Phase 1 negotiations.

1: DH Group 1.
2: DH Group 2.

Phase1-Hash-Algorithm

The hash algorithm to use during the Phase 1 negotiations. The hash algorithm provides the authentication of the Phase 1 messages.

1: MD5.
2: SHA.

Phase1-Cipher-Algorithm

The cipher algorithm to use during Phase 1 negotiations. The cipher algorithm provides encryption protection for the Phase 1 negotiations.

1: DES
2: 3DES

Phase1-Authentication-Method

The authentication method to use with the remote peer. This specifies how ISAKMP determines whether the remote peer is actually the correct device with which to be negotiating.

1: Pre-shared key
2: Certificate (RSA SIG)

Pre-Shared-Key-Value

If you have specified the pre-shared key Phase 1 authentication method, then you are prompted to enter the key value in ASCII.

Phase2-ESP-Authentication-Algorithm

ESP is the only IPSec protocol allowed for the default security. You are prompted for the authentication algorithm to use during Phase 2 ISAKMP negotiations.

0: None
1: HMAC-MD5
2: HMAC-SHA

Phase2-ESP-Cipher-Algorithm

ESP is the only IPSec protocol allowed for the default security. You are prompted for the encryption algorithm to use during Phase 2 ISAKMP negotiations.

1: ESP DES
2: ESP 3DES
3: ESP CDMF
4: ESP NULL

Primary-Tunnel-Start

The IP address on the device that is to be used for the IKE and IPSec traffic between the device and the security gateway protecting the primary LDAP server.

Primary-Tunnel-End

The IP address on the remote security gateway protecting the primary LDAP server that are to be used for the IKE and IPSec traffic.

Secondary-Tunnel-Start

The IP address on the device that is to be used for the IKE and IPSec traffic between the device and the security gateway protecting the secondary LDAP server.

Secondary-Tunnel-End

The IP address on the remote security gateway protecting the secondary LDAP server that are to be used for the IKE and IPSec traffic.

Set LDAP

Use the set ldap command to configure the LDAP operating parameters.

Syntax: set ldap

anonymous-bind

: yes
: no

bind-name <name>

bind-pw <pw>

policy-base <string>

primary <ip-address>

secondary <ip-address>

version <value>

anonymous-bind [Yes or No]

Specifies whether you want to bind to the LDAP directory anonymously or with the bind name and bind password you have specified.

Default value: Yes

bind-name <name>

Prompts you for information needed to bind to the LDAP server before a search of its directory can be performed. The name parameter specifies the distinguished name that the router uses to identify itself. If you do not enter this parameter, then the bind is issued as an anonymous request.

bind-pw <pw>

Prompts you for information needed to bind to the LDAP server before a search of its directory can be performed. The pw parameter is the password related to the distinguished name. If you do not enter this parameter, then the bind is issued as an anonymous request.

policy-base <string>

Prompts you to enter a character string that is used to define the scope of the search for policies in the router's SRAM and the LDAP server. For example, you can use this option to return policies that only apply to router A, or for NHD, or for IBM-US. The policy-base is the distinguished name of the DeviceProfile object in the LDAP server.

primary <ip-address>

Prompts you for the IPv4 address of the LDAP server from which to retrieve policies.

secondary <ip-address>

Prompts you for the IPv4 address of a backup LDAP server that is used if the default server cannot be reached.

version <value>

Prompts you for the LDAP version number supported by the LDAP server.

Default value: 2 (The only acceptable values are 2 or 3.)

Set Refresh

Use the set refresh command to enable or disable automatic refresh of the policy database once each day. If enabled then the policy database automatically refreshes once a day at the specified time. This enables all policy-enabled routers in the network to incorporate automatically any policy changes that have occurred in the LDAP directory. To reset this parameter, use the policy feature's Talk 5 reset refresh command.

Syntax: set refresh

enabled

: yes
: no

<time>

enabled [yes or no]: Specifies whether to perform the automatic refresh.
<time>: If you specify enabled yes, designates the time of day (in 24-hour format) at which the refresh is to occur.

Accessing the Policy Monitoring Prompt

The policy console portion of the policy feature enables you to view policies that are in the policy database and to enable or disable individual policies. To access the Policy monitoring environment type talk 5 at the OPCON prompt (*):

   * t 5

Then, enter the following command at the + prompt:

   + feature policy
   Policy>

Policy Monitoring Commands

These commands enable you to view the profiles defined in the policy database and to enable or disable individual policies. Table 41 summarizes the policy monitoring commands and the rest of this section describes them. Enter the commands at the Policy console> prompt. You can either enter the command and options on one line, or enter only the command and respond to the prompts. To see a list of valid command options, enter the command with a question mark instead of options.

Table 41. Policy Monitoring Commands

Command Function
? (Help) Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
Disable Disables a policy that is loaded in the policy database.
Enable Enables a policy that is loaded in the policy database.
Reset Refreshes or resets policy-related criteria.
Search Tests or debugs activity between the LDAP client and server.
Status Displays information about the policy database.
List Displays information about the LDAP configuration and the policies defined.
Test Queries the policy engine and retrieves the rules that were selected
Exit Returns you to the previous command level. See "Exiting a Lower Level Environment".

Command	Function
? (Help)	Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
Disable	Disables a policy that is loaded in the policy database.
Enable	Enables a policy that is loaded in the policy database.
Reset	Refreshes or resets policy-related criteria.
Search	Tests or debugs activity between the LDAP client and server.
Status	Displays information about the policy database.
List	Displays information about the LDAP configuration and the policies defined.
Test	Queries the policy engine and retrieves the rules that were selected
Exit	Returns you to the previous command level. See "Exiting a Lower Level Environment".

Disable

Use the disable command to disable a policy that is currently loaded in the policy database. Any data packet that matches the criteria of a policy you disable will have default decisions applied to it.

Syntax: disable: <policy-name>

Enable

Use the enable command to enable a policy that is currently loaded in the policy database. Any data packet that matches the criteria of a policy you enable will have the decisions configured for the policy applied to it.

Syntax: enable: <policy-name>

Reset

Use the reset command to refresh or reset policy-related criteria.

Syntax: reset: ldap-config
: policy-database
: refresh-time

ldap-config: Dynamically loads the LDAP configuration (as specified in the set ldap command) into memory. Any changes become active for the next search operation. This command also forces a reset of the policy database and inactivates the policy database refresh time.
policy-database: Refreshes the policy database. Stops all tunnels, Phase 1 and Phase 2 SAs, resets RSVP and DiffServ data structures, and flushes the policy database. Then policies are loaded from the LDAP server and an autostart is done. While the database is being rebuilt, no packets will be allowed in to or out of the router except for packets to and from the LDAP server.
refresh-time: Sets the time at which the policy database will be refreshed automatically on a daily basis. If you have disabled the refresh time, then the database will not be refreshed until the router is rebooted or restarted.

Search

Use the search command to test or debug activity between the LDAP client and server. You can perform searches against the directory and have the results of the searches displayed in talk 5.

Syntax: search: filter
: ipaddress

filter: Specifies a filter value for the search operation.
ipaddress: Specifies the IP address of the server.

Status

Use the status command to display information about the policy database.

Syntax: status

status: Displays the results of the most recent policy database refresh, the time that has elapsed since the refresh, and the time that the next refresh is scheduled.

Example:

Policy>status
Status of Last Search:       Failed
Time since last refresh:     4 seconds
Next Policy Refresh not scheduled

List

Use the list command to display information about LDAP configurations and policies.

Syntax: list: default-policy
: ldap
: policy
: refresh
: rule
: stats

default-policy

Lists the default policy used during policy database refreshes.

ldap

Lists the LDAP configurations in SRAM.

policy

basic: Lists policy components by logical policy name. You may select one policy or list all policies. The listing displays the names of the components of policies as they were entered in during configuration in Talk 6.
complete: Does the same as list policy basic, except that the listing displays a complete listing of all parameter values for each logical policy.
generated: Does the same as list policy basic, except that the listing displays the names of all the generated rules for each logical policy.

refresh

Lists the policy refresh status (Enable or Disable) and the refresh interval time.

rule

Lists information about generated rules according to the following options:

basic

Lists all the generated rules. You can select a rule from the list or list all rules. The listing displays the names of the components of the rules. The components are:

policy name
loaded from (LDAP or local)
state
priority
number of hits
profile
validity (followed by an action list consisting of the following): IPSec (and, or)
: ISAKMP (and, or)
: DiffServ (and, or)
: RSVP

complete

Does the same as rule basic, except that the listing displays the names of all the parameters for each component.

stats

Lists the rules that have been hit and the number of hits. A rule can have multiple actions and not all actions are hit, so this options also indicates which action of the rule was hit, and the number of times.

Test

Use the test command to verify the behavior of the policy database. It allows you to enter a selector set, which queries the policy engine and retrieves the rules that match. You are prompted for the source and destination addresses, source and destination ports, the protocol ID, and the TOS value. If a rule is matched, then the command returns the name of the rule. Otherwise it indicates No match found.

Syntax: test: forwarder
: ISAKMP
: IPSec
: RSVP

forwarder: Simulates a database query from the IP forwarding engine and returns any policy decisions that would result from such a query. The type of policy returned could include DiffServ information, IKE Phase 1 and Phase 1 information, and IPSec manual tunnel IDs.
ISAKMP: Simulates a database query from IKE for Phase 1 policy information and returns any policy decisions that would result from such a query. If you use this option, you must set the source and destination addresses to the tunnel endpoint IP addresses, the protocol to 17, and the source and destination ports to 500.
IPSec: Simulates a database query from IKE for Phase 2 policy information and returns any policy decisions that would result from such a query. If you use this option, you must set the source and destination addresses to the tunnel endpoint IP addresses, the protocol to 17, and the source and destination ports to 500.
RSVP: Simulates a database query from RSVP and returns any RSVP policy decisions that would result from such a query.

[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]