IBM Books

Using and Configuring Features Version 3.4


Configuring and Monitoring the Policy Feature

This chapter describes the LDAP and policy commands provided by the policy feature for configuring and operating the router devices in a network.


Accessing the Policy Configuration Prompt

To enter policy configuration commands:

  1. Enter talk 6 at the OPCON (*) prompt.
  2. Enter feature policy at the Config> prompt.

The Policy config> prompt displays. You may now enter policy configuration commands.


Policy Configuration Commands

These commands enable you to configure the information contained in policies. Table 39 summarizes the policy configuration commands and the rest of this section describes them in detail. Enter these commands at the Policy config> prompt. You can either enter the command and options on one line, or enter only the command and respond to the prompts. To see a list of valid command options, enter the command with a question mark instead of options.

Table 39. Policy Configuration Commands
Command Function
? (Help) Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
Add Adds the information used to create a policy.
Change Changes the information making up a policy.
Copy Copies information from one policy into another.
Delete Deletes information from a policy.
Disable Disables a policy.
Enable Enables a policy.
List Displays the information in a policy.
Qconfig Enables you to add a policy based on predefined templates.
refresh-templates Installs or removes the most current templates for the version of code running on a specific platform, which makes it easier to move between software release and PTF levels.
Exit Returns you to the previous command level. See "Exiting a Lower Level Environment".

Add

Use the add command to add information to a policy.

Syntax:  add 
diffserv-action
interface-pair
ipsec-action
ipsec-manual-tunn
ipsec-proposal
ipsec-transform
isakmp-action
isakmp-proposal
policy
profile
rsvp-action
user
validity-period

diffserv-action
Prompts you for information about which DiffServ-action selections apply. See Using the Differentiated Services Feature and Configuring and Monitoring the Differentiated Services Feature for details.
name
The unique name of the DiffServ action for the policy.
permission level
Specifies whether the router is to forward packets that match this DiffServ action.

1
Permit

2
Deny

Default value: 2

queue number
The queue into which outgoing packets matching this DiffServ action are placed.

1
Premium (EF)

2
Assured (AF)/Best Effort

Default value: 2

bwshare type
The type of bandwidth share allocation.

1
Absolute (in kbps)

2
Percentage (of total output bandwidth)

Default value: 2

bwshare
The bandwidth (in kbps or as a percentage of output bandwidth) allocated to this service.

Assured Forwarding

Assured forwarding class
Specifies the assured forwarding class for outgoing packets matching this DiffServ action.

1
AF1 Class DS Byte

2
AF2 Class DS Byte

3
AF3 Class DS Byte

4
AF4 Class DS Byte

5
New Class

Assured forwarding policing type
Specifies the type of AF policing for outgoing packets matching this DiffServ action.

1
Single-rate, color-blind TCM

2
Single-rate, color-aware TCM

3
Two-rate, color-blind TCM

4
Two-rate, color-aware TCM

5
None

Single-Rate TCM Parameters

Committed information rate (CIR)
Specifies the committed information rate.

Committed burst size (CBS)
Specifies the committed burst size.

Excess burst size (EBS)
Specifies the excess burst size.

Notes:

  1. Specify the CIR in bytes of IP packets per second. This includes the IP header, but not the link-specific header.

  2. Specify the CBS and the EBS in bytes. These values must be configured so that at least one of them is larger than zero. It is recommended that when the value of the CBS or EBS is larger than zero, it is larger than, or equal to, the size of the largest possible IP packet in the stream.

Two-Rate TCM Parameters

Committed information rate (CIR)
Specifies the committed information rate.

Committed burst size (CBS)
Specifies the committed burst size.

Peak information rate (PIR)
Specifies the peak information rate.

Peak burst size (PBS)
Specifies the peak burst size.

Notes:

  1. Specify the CIR and the PIR in bytes of IP packets per second. This includes the IP header, but not the link-specific header. The PIR value must be equal to or greater than the CIR.

  2. Specify the CBS and PBS in bytes. Both must be configured to values larger than zero and larger than, or equal to, the size of the largest possible IP packet in the stream.
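The following is an added example, not code from the IBM manual: reference single-rate and two-rate three-colour markers (RFC 2697 srTCM and RFC 2698 trTCM) driven by the same parameters the AF policing prompts ask for, with the constraints from the notes above enforced. Class and function names are assumptions made for the example; time is passed in explicitly so the markers can be exercised with a constructed packet list rather than a live stream.

```python
# Added example (not from the IBM manual): reference single-rate and two-rate
# three-colour markers (RFC 2697 srTCM, RFC 2698 trTCM) driven by the same
# parameters the AF policing prompts ask for. Rates are bytes of IP packet per
# second and burst sizes are bytes, as the notes above require; time is passed
# in explicitly so the marker can be exercised without sleeping.
from dataclasses import dataclass, field

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass
class SrTCM:
    """RFC 2697: one rate (CIR) feeds bucket C (CBS) and, on overflow, bucket E (EBS)."""
    cir: float
    cbs: int
    ebs: int
    color_aware: bool = False
    tc: float = field(init=False)
    te: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        # Manual's rule: at least one of CBS/EBS must be larger than zero.
        if self.cir <= 0 or min(self.cbs, self.ebs) < 0 or max(self.cbs, self.ebs) == 0:
            raise ValueError("CIR must be > 0 and at least one of CBS/EBS > 0")
        self.tc, self.te = float(self.cbs), float(self.ebs)  # buckets start full

    def _refill(self, now: float) -> None:
        tokens = (now - self.last) * self.cir
        self.last = now
        add_c = min(tokens, self.cbs - self.tc)                   # C fills first,
        self.tc += add_c
        self.te = min(float(self.ebs), self.te + tokens - add_c)  # surplus spills into E

    def mark(self, size: int, now: float, precolor: str = GREEN) -> str:
        self._refill(now)
        pre = precolor if self.color_aware else GREEN   # colour-blind ignores precolour
        if pre == GREEN and self.tc >= size:
            self.tc -= size
            return GREEN
        if pre in (GREEN, YELLOW) and self.te >= size:
            self.te -= size
            return YELLOW
        return RED


@dataclass
class TrTCM:
    """RFC 2698: independent buckets C (CIR/CBS) and P (PIR/PBS)."""
    cir: float
    cbs: int
    pir: float
    pbs: int
    color_aware: bool = False
    tc: float = field(init=False)
    tp: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        # Manual's rules: PIR >= CIR, and both burst sizes larger than zero.
        if self.cir <= 0 or self.pir < self.cir or self.cbs <= 0 or self.pbs <= 0:
            raise ValueError("need 0 < CIR <= PIR and CBS, PBS > 0")
        self.tc, self.tp = float(self.cbs), float(self.pbs)

    def _refill(self, now: float) -> None:
        dt = now - self.last
        self.last = now
        self.tc = min(float(self.cbs), self.tc + dt * self.cir)
        self.tp = min(float(self.pbs), self.tp + dt * self.pir)

    def mark(self, size: int, now: float, precolor: str = GREEN) -> str:
        self._refill(now)
        pre = precolor if self.color_aware else GREEN
        if pre == RED or self.tp < size:        # over the peak rate: red
            return RED
        if pre == YELLOW or self.tc < size:     # within PIR but over CIR: yellow
            self.tp -= size
            return YELLOW
        self.tp -= size
        self.tc -= size
        return GREEN


def police(marker, packets):
    """Run a constructed list of (time_s, size_bytes[, precolor]) through a marker."""
    return [marker.mark(p[1], p[0], *p[2:]) for p in packets]


if __name__ == "__main__":
    # Constructed burst: 1000 B/s committed, 1500 B committed and excess bursts.
    print(police(SrTCM(cir=1000, cbs=1500, ebs=1500),
                 [(0.0, 1500), (0.0, 1500), (0.0, 1), (1.0, 1000), (1.0, 1)]))
```

With the constructed burst above the first packet uses the committed bucket (green), the second the excess bucket (yellow), the third finds both empty (red), and after one second only 1000 bytes have been replenished, so a 1000-byte packet is green and the next byte is red. The CBS/EBS rule from the notes is visible in the constructor: a marker with both burst sizes zero can never colour anything green or yellow, which is why the manual rejects it.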

Expedited Forwarding

transmitted ds-byte mask
The mask to apply to the DS byte of packets transmitted with expedited forwarding. It designates which bits of a packet's DS byte are rewritten when the packet is transmitted. A zero in any bit position means that bit is not changed.

Default value: 00 (do not change any bits)

transmitted ds-byte modify value
The marking written into the IP DS (TOS) byte of packets forwarded by this device with expedited forwarding. A zero bit in the mask means the corresponding bit is left unchanged; a one bit means the corresponding bit takes the value of the same bit in the modify (mark) value. The operation is:

newTOSByte = (~Mask & receivedTOSByte) | (Mask & Mark)

where ~ is the bitwise complement. The two values are written as Mask:Mark.

Example:

11111101:00000001

Using this example, a received value 0x07 would be sent with a value of 0x03.

Default value: X'00' (do not change any bit)
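The rewrite described above, as an added example that is not code from the IBM manual: it parses the manual's Mask:Mark notation, applies newTOSByte = (~Mask & received) | (Mask & Mark) on 8-bit values, and reproduces the 0x07 to 0x03 case. The function names and the EF constants (DSCP 46 in the upper six bits, mask 0xFC so the two ECN bits are left alone) are assumptions made for the example, not values the manual states.

```python
# Added example (not from the IBM manual): the DS-byte rewrite a DiffServ action
# performs with its "transmitted ds-byte mask" and "modify value", i.e.
#   newTOSByte = (~Mask & receivedTOSByte) | (Mask & Mark)
# on 8-bit values, plus a parser for the manual's Mask:Mark notation.


def parse_mask_mark(spec: str) -> tuple:
    """Parse 'mask:mark' as shown in the manual, e.g. '11111101:00000001'.
    Each side may be eight binary digits or a 0x-prefixed hex byte."""
    mask_s, mark_s = spec.split(":")

    def to_byte(text: str) -> int:
        text = text.strip()
        value = int(text, 16) if text.lower().startswith("0x") else int(text, 2)
        if not 0 <= value <= 0xFF:
            raise ValueError(f"{text!r} is not an 8-bit value")
        return value

    return to_byte(mask_s), to_byte(mark_s)


def remark_ds_byte(received: int, mask: int, mark: int) -> int:
    """Bits set in mask take their value from mark; bits clear in mask are
    copied unchanged from the received DS byte. mask == 0 changes nothing."""
    for v in (received, mask, mark):
        if not 0 <= v <= 0xFF:
            raise ValueError("DS byte, mask and mark must be 8-bit values")
    return ((~mask & 0xFF) & received) | (mask & mark)


def dscp(ds_byte: int) -> int:
    """The DSCP is the upper six bits of the DS byte (RFC 2474); the low two
    bits carry ECN and are normally excluded from the mask (0xFC)."""
    return ds_byte >> 2


# Assumed for the example: EF is DSCP 46 (RFC 3246), so the mark byte is 46 << 2.
EF_MASK, EF_MARK = 0xFC, 46 << 2

if __name__ == "__main__":
    mask, mark = parse_mask_mark("11111101:00000001")
    print(hex(remark_ds_byte(0x07, mask, mark)))            # the manual's example: 0x3
    print(dscp(remark_ds_byte(0x07, EF_MASK, EF_MARK)))     # 46, ECN bits preserved
```

The `~mask & 0xFF` step matters: Python integers are unbounded, so a bare `~mask` is negative and would not behave as the 8-bit complement the formula intends.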

EF policing type
Specifies the expedited forwarding police configuration type.

1
Default config

The token rate and token bucket size parameters will be calculated from the bandwidth parameter configuration.

2
Custom config

Token Rate:
The token replenishment rate.

Token Bucket Size:
The token bucket size.

Notes:

  1. Specify the token rate in bytes of IP packets per second. This includes the IP header, but not the link-specific headers.

  2. Specify the token bucket size in bytes. The value must be greater than zero, and greater than or equal to the size of the largest IP packet in the stream.

interface-pair
The interface pair associates a profile with a specific interface or set of interfaces. By default, the profile object does not restrict the policy from being applied to any one interface. If that is necessary, you may add interface pairs to accomplish it. The interface pair specifies the IP address of the interface on which the traffic is to arrive and the IP address of the interface on which the traffic is to leave.

The following example shows two interface pairs with the same name, representing traffic coming in on any interface and going out on the public interface, and conversely.

1) Group Name: inOutPublic
        In:Out=255.255.255.255 : 1.1.1.1	
        In:Out=1.1.1.1 : 255.255.255.255
 
 

Name
The name of the interface pair.

Ingress interface
IPv4 address of the input interface.

Default value: 255.255.255.255 (any)

Egress interface
IPv4 address of the output interface.

Default value: 255.255.255.255 (any)

IPSec-action
Prompts you for information for setting up the Phase 2 tunnel.

Name
The name of the IPSec action.

Action type
The action to apply to packets matching the profile of a policy containing this action.

1
Block (block connection).

2
Permit (Permit packets matching this action.) If an IPSec proposal does not exist, pass the packet; if an IPSec proposal exists, apply IPSec security processing to the packet.

Default value: 2

The following option is only available if you specify Permit as the action type:

Traffic flow type
Type of traffic flow (secure tunnel or in the clear).

1
Clear

2
Secure Tunnel

Default value: 2

The following option is only available if you specify the traffic flow as secure:

Tunnel start point
IPv4 address of the tunnel start point.

Tunnel end point
IPv4 address of the tunnel end point. (0.0.0.0 for remote access)

Default value: 0.0.0.0

Tunnel-in-tunnel
Specifies whether the traffic being protected by this tunnel is to be further protected by another policy configured on this device.

Valid options: Yes or No

Default value: No

Percentage of SA lifesize/lifetime to accept
The smallest SA lifesize/lifetime the router accepts from the peer, expressed as a percentage of its own configured value. A proposed lifesize/lifetime below this threshold is rejected.

Default value: 75

SA refresh threshold
The point, as a percentage of the SA lifetime or lifesize, at which the SA is refreshed automatically.

Default value: 85

DF-Bit-Setting
Specifies whether to copy the Don't Fragment bit from the original packet, and whether to set or clear it in the outer header of the IPSec packet if running in tunnel mode.

1
Copy

2
Set

3
Clear

Default value: 1

Replay-Prevention
Specifies whether IPSec enforces replay prevention for received IPSec packets, checking that sequence numbers are valid and that no packet is accepted more than once. Note that the default is Disable; enable it wherever the peer supports it, since without it captured AH or ESP packets can be re-injected and accepted.

1
Enable

2
Disable

Default value: 2

Negotiate SA Automatically
Specifies whether the Phase 2 SA is negotiated automatically at system initialization.

Yes or No

Default value: No

IPSec proposal
The name of the IPSec proposal (you may specify up to five proposals) to be sent or checked during Phase 2. The order in which you specify them determines their priority, with the first one being the highest.

IPSec-manual-tunn
Prompts you for information for manually setting up the Phase 2 tunnel.

Tunnel name
The name of the IPSec manual tunnel.

Tunnel lifetime
The tunnel lifetime (in minutes).

Default value: 46080

Encapsulation mode
The encapsulation mode to use.

tunn
Tunnel mode

trans
Transport mode

Default value: tunn

Policy
The type of tunnel policy to use.

AH
Authentication Header

ESP
Encapsulating Security Payload

AH-ESP
For outbound packets, specifies that encryption runs before authentication.

ESP-AH
For outbound packets, specifies that authentication runs before encryption.

Default value: AH-ESP

Local IP address
The source IPv4 address.

Default value: 11.0.0.5

Local encryption SPI
The source security parameters index value.

Default value: 256

Local encryption algorithm
The source encryption algorithm.

Null
No encryption.

CDMF
Commercial Data Masking Facility.

DES-CBC
Data Encryption Standard and Cipher Block Chaining.

3DES
Triple Data Encryption Standard.

Default value: DES-CBC

Local encryption key
A 16-character key.

Padding
Additional padding for local encryption.

Default value: 0

Local ESP authentication
Specifies whether local ESP authentication is to be used.

Yes or No

Default value: Yes

Remote IP address
The destination IPv4 address.

Default value: 0.0.0.0

Remote encryption SPI
The destination security parameters index value.

Default value: 256

Remote encryption algorithm
The destination encryption algorithm.

Null
No encryption.

CDMF
Commercial Data Masking Facility.

DES-CBC
Data Encryption Standard and Cipher Block Chaining.

3DES
Triple Data Encryption Standard.

Default value: DES-CBC

Remote encryption key
A 16-character key.

Verify remote encryption padding.
Specifies whether to verify remote encryption padding.

Yes or No

Default value: No

Remote ESP authentication
Specifies whether remote ESP authentication is to be used.

Yes or No

Default value: Yes

DF bit
Specifies how to process the Don't Fragment bit.

Copy
Copies the DF bit.

Set
Sets the DF bit on.

Clear
Sets the DF bit off.

Default value: COPY

Enable tunnel
Specifies whether to enable the tunnel when it is created.

Yes or No

Default value: Yes

IPSec-proposal
Prompts you for information for creating an IPSec proposal.

IPSec proposal name
The name of the IPSec proposal.

Perfect forward secrecy
Specifies whether perfect forward secrecy is used: a fresh Diffie-Hellman exchange is performed for the Phase 2 SA so that its keys cannot be derived from a previously compromised key.

Yes or No

Default value: No

Diffie Hellman Group ID
The type of Diffie Hellman group.

1
Diffie Hellman Group 1

2
Diffie Hellman Group 2

Default value: 1

AH transform
The name of the AH transform (you may specify up to five transforms) for this proposal. The order in which you specify them determines their priority, with the first one being the highest.

ESP transform
The name of the ESP transform (you may specify up to five transforms) for this proposal. The order in which you specify them determines their priority, with the first one being the highest.

IPSec-transform
Prompts you for information about IPSec transforms.

IPSec transform name
The name of the IPSec transform.

Protocol ID
The security protocol to use.

1
IPSec-AH

2
IPSec-ESP

Default value: 1

AH Authentication Algorithm
The AH authentication algorithm to use.

1
HMAC-MD5

2
HMAC-SHA

Default value: 1

Encapsulation mode
The encapsulation mode to use.

1
Tunnel

2
Transport

Default value: 1

ESP Authentication Algorithm
The ESP authentication algorithm to use.

0
None

1
HMAC-MD5

2
HMAC-SHA

Default value: 2

ESP cipher algorithm
The ESP cipher algorithm to use. DES (56-bit key) and CDMF (40-bit effective key) are weak by current standards; prefer 3DES wherever the peer supports it.

1
ESP DES

2
ESP 3DES

3
ESP CDMF

4
ESP Null (no encryption)

Default value: 1

SA lifesize
The lifesize (in kb) of the SA for this proposal.

Default value: 50000

SA lifetime
The lifetime (in seconds) of the SA for this proposal.

Default value: 3600

ISAKMP-Action
Prompts you for information about which ISAKMP action to apply.

Name
The name of the ISAKMP action.

Exchange mode
The type of exchange mode for Phase 1 negotiations.

1
Main

2
Aggressive

Default value: 1

Percentage of Minimum SA lifesize/lifetime
The smallest SA lifesize/lifetime the router accepts from the peer, expressed as a percentage of its own configured value. A proposed lifesize/lifetime below this threshold is rejected.

Default value: 75

ISAKMP connection lifesize
The lifesize (in kb) of the Phase 1 connection. Once the Phase 1 connection expires, the next time the Phase 2 SA must refresh, Phase 1 completely renegotiates before Phase 2 can start.

Default value: 5000

ISAKMP connection lifetime
The lifetime (in seconds) of the Phase 1 connection. Once the Phase 1 connection expires, the next time Phase 2 must refresh, Phase 1 starts over completely.

Default value: 5000

Negotiate SA automatically
Specifies whether the SA is negotiated automatically at system initialization.

Yes or No

Default value: No

ISAKMP proposal
The name of the ISAKMP proposal (you may specify up to five proposals) to be sent or checked during the Phase 1 negotiation. The order in which you specify them determines their priority, with the first one being the highest.

ISAKMP-Proposal
Prompts you for the ISAKMP proposal information used in the ISAKMP negotiations.

ISAKMP proposal name
The name of the ISAKMP proposal.

Authentication method
The type of authentication to use during ISAKMP Phase 1 negotiations.

1
Pre-Shared Key

2
RSA SIG (certificate mode)

Default value: 1

Hash algorithm
The type of hash algorithm to use during Phase 1 negotiations.

1
MD5

2
SHA

Default value: 1

Cipher algorithm
The type of cipher algorithm to use during Phase 1 negotiations.

1
DES

2
3DES

Default value: 1

Diffie Hellman Group ID
The type of Diffie Hellman group to use during Phase 1 negotiations.

1
Diffie Hellman Group 1

2
Diffie Hellman Group 2

Default value: 1

SA lifesize
The lifesize (in kb) of the SA for this proposal.

Default value: 50000

SA lifetime
The lifetime (in seconds) of the SA for this proposal.

Default value: 5000

Policy
Prompts you for information about the policy configuration: Profile name (required), RSVP name (optional), DiffServ name (optional), IPSec name (optional), ISAKMP name (optional), and Validity Period Profile (optional). You must specify at least one of DiffServ, IPSec, ISAKMP, or RSVP for the policy to be valid. If you do not specify a validity period profile, the policy is valid all the time.

Name
The name of the policy configuration

Priority
Relative priority of this policy to other policies (the higher the number, the higher the priority). This is used to resolve conflicts if multiple policies apply to a packet.

Default value: 5

Profile
The name of a previously configured data traffic profile to use for this policy.

Validity period
The name of a previously configured validity period to use for this policy.

IPSec action
If this policy will enforce an IPSec action, the name of a previously configured IPSec action to use for this policy. If you specify a secure IPSec action, you must also specify an ISAKMP action.

ISAKMP action
The name of a previously configured ISAKMP action to use for this policy. If you specify an ISAKMP action, you must also specify an IPSec action.

Diffserv action
If you want to map a DiffServ action to this policy, the name of a previously configured DiffServ action.

RSVP action
The name of an RSVP action for this policy to enforce.

Profile
Prompts you for information for defining a set of selectors (conditionals) for a policy profile on which to perform actions.

name
The name of the policy profile.

ipv4-src-address-format
The format of the IPv4 source address (range, netmask, single address).

ipv4-src-address
The IPv4 source address (low address if address format is range).

Default value: 0.0.0.0

ipv4-src-mask
The IPv4 source mask (high address if address format is range).

Default value: 255.0.0.0

ipv4-dest-address-format
The format of the IPv4 destination address (range, netmask, single address).

ipv4-dest-address
The IPv4 destination address (low address if address format is range).

Default value: 0.0.0.0

ipv4-dest-mask
The IPv4 destination mask (high address if address format is range).

Default value: 255.0.0.0

protocol-id
The protocol ID on which to filter.

1
TCP

2
UDP

3
All protocols

4
Specify range

Default value: 3

src-port-start
The first port number of the source port number range.

Default value: 0

src-port-end
The last port number of the source port number range.

Default value: 65535

dest-port-start
The first port number of the destination port number range.

Default value: 0

dest-port-end
The last port number of the destination port number range.

Default value: 65535

src-id-type
The source ID type, which is sent to the remote. This value is used to determine which policy contains the ISAKMP information needed during ISAKMP Phase 1 negotiations. It is compared to the information in the identification payload of the ISAKMP packet. This information is needed if the remote peer must identify the device with a value other than IP address.

1
Local tunnel end point

2
Host fully qualified domain name

3
User fully qualified domain name

4
Key ID

any-user-access
Allow access for any user within the profile definition. If you specify No, then you are prompted for the name of the remote user group for this profile. This attribute is only required if you want to limit the access of remote access peers to a specific policy.

Yes or No

Default value: Yes

Received DS byte mask
The 8-bit mask to apply to an incoming packet's DS (TOS) byte.

Default value: 0

Received DS byte match
The 8-bit pattern to compare to the result of ANDing the incoming DS (TOS) byte with the Received DS byte mask value. With the default mask of 0 the ANDed result is always 0, which equals the default match value, so the DS byte does not restrict the profile.

Default value: 0

Interface pairs
If this policy must restrict the traffic flows to specific interfaces, this is the name of the interface pair group.
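The following is an added example, not code from the IBM manual: a matcher for the profile selectors described above (address format, protocol, port ranges, received DS byte mask/match, interface pairs) combined with the policy object's priority rule, under which the highest-priority enabled policy whose profile matches a packet wins and a packet matching no policy is passed. The Packet record, the class and field names, and the sample configuration are assumptions made for the example.

```python
# Added example (not from the IBM manual): a matcher for the profile selectors
# described above plus the policy priority rule (highest number wins); a packet
# that matches no enabled policy yields None, i.e. it is passed in the clear.
# The Packet record and field names are assumptions made for this example.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ANY_IF = IPv4Address("255.255.255.255")   # the manual's "any interface" value
TCP, UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    ds_byte: int = 0
    in_if: str = "0.0.0.0"    # address of the ingress interface
    out_if: str = "0.0.0.0"   # address of the egress interface


def addr_matches(fmt: str, addr: str, mask_or_high: str, value: str) -> bool:
    """fmt is 'single', 'netmask' or 'range'; for 'range' the second value is the high address."""
    v = IPv4Address(value)
    if fmt == "single":
        return v == IPv4Address(addr)
    if fmt == "netmask":
        return v in IPv4Network(f"{addr}/{mask_or_high}", strict=False)
    if fmt == "range":
        return IPv4Address(addr) <= v <= IPv4Address(mask_or_high)
    raise ValueError(f"unknown address format {fmt!r}")


@dataclass
class Profile:
    name: str
    src_fmt: str = "netmask"
    src_addr: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"        # 0.0.0.0 netmask => any source
    dst_fmt: str = "netmask"
    dst_addr: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    protocols: tuple = ()            # () = all protocols; else e.g. (TCP,) or tuple(range(50, 52))
    src_ports: tuple = (0, 65535)
    dst_ports: tuple = (0, 65535)
    ds_mask: int = 0                 # default 0: the DS byte never excludes a packet
    ds_match: int = 0
    interface_pairs: tuple = ()      # () = no interface restriction; else ((in, out), ...)

    def matches(self, p: Packet) -> bool:
        if not addr_matches(self.src_fmt, self.src_addr, self.src_mask, p.src):
            return False
        if not addr_matches(self.dst_fmt, self.dst_addr, self.dst_mask, p.dst):
            return False
        if self.protocols and p.proto not in self.protocols:
            return False
        if not (self.src_ports[0] <= p.sport <= self.src_ports[1]):
            return False
        if not (self.dst_ports[0] <= p.dport <= self.dst_ports[1]):
            return False
        if (p.ds_byte & self.ds_mask) != self.ds_match:
            return False
        if self.interface_pairs:
            pin, pout = IPv4Address(p.in_if), IPv4Address(p.out_if)
            if not any(i in (ANY_IF, pin) and o in (ANY_IF, pout) for i, o in self.interface_pairs):
                return False
        return True


@dataclass
class Policy:
    name: str
    profile: Profile
    priority: int = 5         # higher number wins (the manual's default is 5)
    action: str = "permit"    # e.g. "permit", "block", "secure"
    enabled: bool = True


def select_policy(packet: Packet, policies) -> Optional[Policy]:
    """Highest-priority enabled match, or None (the packet is then passed in the clear)."""
    hits = [p for p in policies if p.enabled and p.profile.matches(packet)]
    return max(hits, key=lambda p: p.priority, default=None)


# Constructed sample: secure branch-to-branch traffic, but block telnet to a
# host in that range when it arrives on the public interface 1.1.1.1.
BRANCH = Profile("toBranch", src_addr="10.1.0.0", src_mask="255.255.0.0",
                 dst_addr="10.2.0.0", dst_mask="255.255.0.0")
TELNET = Profile("telnetFromPublic", dst_fmt="single", dst_addr="10.2.1.1",
                 protocols=(TCP,), dst_ports=(23, 23),
                 interface_pairs=((IPv4Address("1.1.1.1"), ANY_IF),))
POLICIES = [Policy("branchVPN", BRANCH, priority=5, action="secure"),
            Policy("dropTelnet", TELNET, priority=10, action="block")]
```

The telnet case is the conflict the priority field exists to resolve: a telnet packet from the branch range that arrives on 1.1.1.1 matches both profiles, and the block policy wins only because its priority (10) is higher than the VPN policy's (5). The same packet arriving on an inside interface fails the interface pair and falls through to the VPN policy.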

RSVP-Action
Prompts you for information about which RSVP actions apply.

Name
The name of the RSVP action.

Permission
Specifies the permission level for RSVP sessions that match this action.

1
Permit

2
Deny

Default value: 2

Max token rate
The maximum amount of bandwidth (in kbps) that RSVP is to allocate for an individual flow.

Default value: 100

Max duration
The maximum amount of time (in seconds) that a flow can last (0 implies forever).

Default value: 600

RSVP-to-DS
Specifies whether to map RSVP flows that match this action to a configured DiffServ action. RSVP uses the information from the DiffServ action to mark the TOS byte for the next DiffServ-enabled upstream device. This is for use in a network in which packets leave an RSVP-enabled network into a DiffServ-enabled network.

Yes or No

Default value: No

User
Prompts you for information about the user profile definition for the remote IKE peer. This information includes how the peer must identify itself during phase 1 negotiations, the authentication method to use for this peer, and, if the authentication mechanism is pre-shared key, the key value to use. If you use pre-shared key, you must define a user in order to associate the pre-shared key with an ID type and name. This command sets the key that is used in phase 1 negotiation for a particular user. The key is used in messages 1 and 5 for initiators and messages 2 and 6 for responders.

Identification
Identification of the user. For main mode authentication, the user identification type must be IP address. For aggressive mode authentication, the identification type should be one of the other types. The reason for this is that in main mode the IDs are not exchanged until messages 5 and 6, which is too late for the pre-shared key, thus the only look-up mechanism is through the IP address of the IKE peer. In aggressive mode, the IDs are exchanged in messages 1 and 2, thus the pre-shared key lookup can be done through the ID type and corresponding value.

1
IP address.

2
Fully qualified domain name.

3
User fully qualified domain name.

4
Key ID (any string).

Default value: 1

Group
Name of group in which to place this user.

Default value: none

Authentication
Authentication method to use with peer.

1
Pre-shared key. You are then prompted for the key format:

    1
    Key in ASCII format.

    Valid values: An even number of 2 to 128 characters

    2
    Key in hexadecimal format.

    Valid values: An even number of 2 to 256 hexadecimal digits

2
Public certificate.

Default value: 1

VALIDITY-PERIOD
Prompts you for information about the period during which a policy is valid, and creates a validity period profile that policies can reference.

Name
The name of the validity period profile.

yyyymmddhhmmss:yyyymmddhhmmss
The period during which the policies containing this validity period profile are valid.

Example:

  19980101000000:19981231000000
 
 

Months
The months during which the policies containing this validity period profile are valid. You can specify any sequence of months, using the first three letters of each month (for example, jan or dec), with the months separated by spaces, or you can specify all to signify every month of the year.

Days
The days on which the policies containing this validity period profile are valid. You can specify any sequence of days, using the first three letters of each day (for example, mon or fri), with the days separated by spaces, or you can enter all to specify every day of the week.

Starting time
The time at which policies containing this validity period profile are valid. Specify this in the form hh:mm:ss or specify * if you want the policy to be valid all day.

Default value: *

Ending time
The time at which the validity of policies containing this validity period profile expires. Specify this in the form hh:mm:ss.

Default value: None
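The validity-period evaluation described above, as an added example that is not code from the IBM manual. The class and field names are assumptions; the value formats follow the prompts (a date range written yyyymmddhhmmss:yyyymmddhhmmss, three-letter month and day names or all, hh:mm:ss times with * as the all-day starting time). Two behaviours are assumptions not stated by the manual: a missing date range means no bound, and an ending time earlier than the starting time is treated as an overnight window. The sample profiles are constructed to resemble the qconfig template names used later in the chapter; their exact hours are likewise assumed.

```python
# Added example (not from the IBM manual): evaluating a validity-period profile
# of the kind described above against a timestamp. Class and field names are
# assumptions; the value formats follow the manual's prompts. A None date
# range (no bound) and an overnight window (end earlier than start) are
# extensions assumed here, not behaviour the manual states.
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")
DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")   # datetime.weekday(): mon == 0


def _indexes(spec: str, table) -> frozenset:
    """'all' selects every entry; otherwise the index of each listed name."""
    if spec.strip().lower() == "all":
        return frozenset(range(len(table)))
    chosen = set()
    for word in spec.lower().split():
        if word not in table:
            raise ValueError(f"unknown name {word!r}")
        chosen.add(table.index(word))
    return frozenset(chosen)


@dataclass
class ValidityPeriod:
    name: str
    period: Optional[str] = None   # 'yyyymmddhhmmss:yyyymmddhhmmss'; None = no bound (assumed)
    months: str = "all"
    days: str = "all"
    start: str = "*"               # 'hh:mm:ss' or '*' for all day
    end: Optional[str] = None      # 'hh:mm:ss'; required unless start is '*'

    def is_valid_at(self, when: datetime) -> bool:
        if self.period is not None:
            lo, hi = (datetime.strptime(s, "%Y%m%d%H%M%S") for s in self.period.split(":"))
            if not lo <= when <= hi:
                return False
        if (when.month - 1) not in _indexes(self.months, MONTHS):
            return False
        if when.weekday() not in _indexes(self.days, DAYS):
            return False
        if self.start == "*":
            return True                           # valid all day; ending time is not consulted
        if self.end is None:
            raise ValueError(f"{self.name}: ending time is required when a starting time is set")
        t0, t1, now = time.fromisoformat(self.start), time.fromisoformat(self.end), when.time()
        if t1 < t0:                               # overnight window, e.g. 17:00:00 to 09:00:00
            return now >= t0 or now <= t1
        return t0 <= now <= t1


def active_policies(policies, when: datetime):
    """policies: iterable of (policy_name, ValidityPeriod or None); None = valid all the time."""
    return [name for name, vp in policies if vp is None or vp.is_valid_at(when)]


# Constructed profiles resembling the qconfig template names; hours are assumed.
NINE_TO_FIVE = ValidityPeriod("9to5MonThruFri", period="19980101000000:19981231000000",
                              days="mon tue wed thu fri", start="09:00:00", end="17:00:00")
OFF_HOURS = ValidityPeriod("5to9MonThruFri", days="mon tue wed thu fri",
                           start="17:00:00", end="09:00:00")

if __name__ == "__main__":
    print(active_policies([("vpn", None), ("office", NINE_TO_FIVE)],
                          datetime(1998, 6, 3, 10, 0, 0)))   # ['vpn', 'office']
```

Note the failure mode the prompts leave open: a starting time with no ending time. The manual's default ending time is None, which is only meaningful together with the * starting time, so the example refuses such a profile rather than silently treating it as open-ended.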

Change

Use the change command to change information in a policy object. See the description of the add command for the available objects.

Copy

Use the copy command to copy information from one policy object to another. See the description of the add command for the available objects. (The interface-pair, manual tunnel, and user options do not apply to the copy command.)

Delete

Use the delete command to delete information from a policy object. See the description of the add command for the available objects.

Disable

Use the disable command to disable a policy configuration.

Syntax:  disable 
policy

Policy
Prompts you for the name of the policy configuration to disable.

Enable

Use the enable command to enable a policy configuration.

Syntax:  enable 
policy

Policy
Prompts you for the name of the policy configuration to enable.

List

Use the list command to display any or all of the policy configuration information.

Syntax:  list 
all
default-policy
ldap
refresh

All
Displays all policy configuration information.

Default-policy
Displays the name of the default policy.

LDAP
Displays the names of the defined LDAP configurations.

Refresh
Lists the policy refresh status (Enable or Disable) and the refresh interval time.

Qconfig

Use the qconfig command to quickly create security policies for a network device. Once you select a configuration scenario from a short list, the command displays a brief series of simple questions based on your selection. It then creates an entire policy using predefined scenario-related templates (whole sets of compatible policy options). This eliminates the need for you to specify every detail of the policy, reducing the time required to configure a policy and the chance of making a mistake.

This command prompts you to specify a security level for all scenarios except the Custom scenario.

Syntax:  qconfig 
policy-name
scenario

policy-name
Specifies a name (maximum of 29 characters) to assign to the policy.

Default value: A system-generated unique name.

scenario
Specifies the scenario for which to create a policy.

Default value: none

1
Branch office scenario.

This selection enables you to specify the policy options for a secured connection between two Security Gateways protecting local subnets.

The options are:

Local IP Subnet

Local IP Tunnel Endpoint

Remote IP Subnet

Remote IP Tunnel Endpoint

Ports and Protocols

Security Level

1: Strong Security. Select this option if you want a balance of security, performance, and flexibility. It negotiates a suite of proposals (without PFS) that includes combinations of SHA and MD5 authentication algorithms and DES and 3DES encryption algorithms. The strong (faster) proposals are offered first, followed by the stronger ones, so as not to compromise performance.

2: Very Strong Security. Select this option if you require the highest level of security. It negotiates a small suite of proposals (with PFS, Diffie-Hellman Group 1) that includes combinations of SHA and MD5 authentication algorithms with 3DES encryption.

Authentication Method

1: Pre-shared Key - ASCII key

2: Certificate (RSA Signatures) - local ID

DiffServ Actions

0:Best Effort (No DiffServ)

1:EF

2:AF11

3:AF21

4:AF31

5:AF41

Any other locally-configured DiffServ actions also appear in this list.

Validity Periods

1: allTheTime

2: allTheTimeMonThruFri

3: 9to5MonThruFri

4: 5to9MonThruFri

Any other locally-configured validity periods also appear in this list.

Priority of Policy

2
Remote access user scenario (IPSec and L2TP).

This selection enables you to specify the policy options for a secured connection between a Security Gateway and remote access users. This scenario assumes that the remote access client has the capability of running L2TP on top of IPSec in transport mode.

L2TP sets up a point-to-point connection between the remote access client's public IP address and the security gateway's public IP address. UDP provides the transport layer connection, and the source and destination ports are 1701. It is important that L2TP be configured for fixed-udp-source-port on the router performing the security gateway function. IPSec provides the protection for the L2TP connection on these ports and protocols.

Once the configuration scenario has been completed, you must add users in the policy feature for anyone who will be authenticated using pre-shared key. For certificate authentication, you must configure the PKI parameters on the router and ensure that the appropriate certificates are loaded.

The options are:

IP address of secure interface.

Typically, this is the same value as the local IP tunnel endpoint. It represents the IP address of the interface on which packets are sent out secured and arrive secured.

Security Level

1: Strong Security

2: Very Strong Security

DiffServ Actions

0:Best Effort (No DiffServ)

1:EF

2:AF11

3:AF21

4:AF31

5:AF41

Any other locally-configured DiffServ actions also appear in this list.

Validity Periods

1: allTheTime

2: allTheTimeMonThruFri

3: 9to5MonThruFri

4: 5to9MonThruFri

Any other locally-configured validity periods also appear in this list.

Priority of Policy

3
Drop traffic not matched on untrusted interface. This scenario is needed for configurations in which the device is acting as a firewall. In many network configurations a firewall is in front of the security gateway and a drop rule is not needed. If you need a drop rule, then select this scenario.

The options are:

IP address of untrusted interface.

This is the IP address of the interface for which undesirable packets are dropped. Typically, it is the IP address of the connection to the public or untrusted network.

4
Custom scenario.

This selection provides the most flexibility in using qconfig to define a policy. You are prompted to select an encapsulation mode (either Tunnel or Transport). If you choose tunnel mode, you are presented with the same questions as in the Branch Office scenario. If you choose transport mode, you are presented with the Branch Office scenario questions except for those dealing with the local and remote subnets, because they are not applicable.


LDAP Policy Server Configuration Commands

The LDAP policy server configuration commands enable you to specify LDAP server options for retrieving policy information. Table 40 summarizes the LDAP configuration commands, and the rest of this section describes them in detail. Enter them at the Policy config> prompt. You can either enter the command and options on one line, or enter only the command and respond to the prompts. To see a list of valid command options, enter the command with a question mark instead of options.

Table 40. LDAP Configuration Commands
Command Function
? (Help) Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
Disable ldap Disables LDAP configuration options.
Enable ldap Enables LDAP configuration options.
Set ldap Specifies LDAP configuration options.
Exit Returns you to the previous command level. See "Exiting a Lower Level Environment".

Disable LDAP

Use the disable ldap command to disable LDAP policy searches in the directory, or to disable reading of cached LDAP policies into persistent storage.

Syntax:  disable ldap 
cached-search
policy-search

cached-search
Disables LDAP from reading cached policies from the server into persistent storage.

policy-search
Disables LDAP from performing policy search functions in the directory.

Enable LDAP

Use the enable ldap command to enable LDAP policy search functions in the directory or for reading cached policies from the LDAP server into persistent storage.

Syntax:  enable ldap 
cached-search
policy-search

cached-search
Enables reading cached policies from the LDAP server into persistent storage.

If you enable this option while the policy-search option is disabled, the policy search engine reads policies only from the local cache. If you enable both cached-search and policy-search, the policy search engine tries the LDAP server first and, if that fails, falls back to the cached LDAP policy objects. See the cache-ldap-polcys command under Policy Monitoring Commands for how to cache the LDAP policies.

policy-search
Enables LDAP for performing policy search functions in the directory.

Set Default-Policy

Use the set default-policy command to specify the policy options to use while the policy database is being refreshed. The command sets the error handling options and the default security needed for accessing the LDAP policy server.

Syntax:  set 
default-policy

default-error-handling

default-security

default-error-handling
Specifies the error handling options to use while the policy database is being refreshed.
Note: The default error handling setting determines the behavior of the device if an error occurs while rebuilding the policy database. If an error occurs, you have the following options for how the device is to behave:
  1. Reset policy database to default security.
  2. Flush any rules read from LDAP, load local rules plus default security.

These settings are only valid if there was an error building the policy database. Either option inherits the default security of drop or pass when an error occurs. If you select option 2 then all traffic is dropped or passed unless it matches a locally defined policy. If the policy database builds successfully then this option is not used.

default-security
Specifies the security options to use while the policy database is being refreshed.
Note: Once the policy database has been built successfully, the default behavior is defined as pass. This means that if a packet does not match any policy rule then it will be passed in the clear. If you want packets that do not match a rule to be dropped globally or just for certain interfaces, then you must define a policy to do that.

1
Accept and forward all IP traffic.

2
Permit LDAP traffic, drop all other IP traffic.

If you select this option, then you are prompted for the local IP addresses on the device on which the LDAP traffic is to be sent and received.

3
Permit and secure LDAP traffic, drop all other IP traffic.

If you select this option, then you are prompted for the following information:

DHGroupId
The Diffie-Hellman Group Id to use during the ISAKMP Phase 1 negotiations.

1
DH Group 1.

2
DH Group 2.

Phase1-Hash-Algorithm
The hash algorithm to use during the Phase 1 negotiations. The hash algorithm provides the authentication of the Phase 1 messages.

1
MD5.

2
SHA.

Phase1-Cipher-Algorithm
The cipher algorithm to use during Phase 1 negotiations. The cipher algorithm provides encryption protection for the Phase 1 negotiations.

1
DES

2
3DES

Phase1-Authentication-Method
The authentication method to use with the remote peer. This specifies how ISAKMP determines whether the remote peer is actually the correct device with which to be negotiating.

1
Pre-shared key

2
Certificate (RSA SIG)

Pre-Shared-Key-Value
If you have specified the pre-shared key Phase 1 authentication method, then you are prompted to enter the key value in ASCII.

Phase2-ESP-Authentication-Algorithm
ESP is the only IPSec protocol allowed for the default security. You are prompted for the authentication algorithm to use during Phase 2 ISAKMP negotiations.

0
None

1
HMAC-MD5

2
HMAC-SHA

Phase2-ESP-Cipher-Algorithm
ESP is the only IPSec protocol allowed for the default security. You are prompted for the encryption algorithm to use during Phase 2 ISAKMP negotiations.

1
ESP DES

2
ESP 3DES

3
ESP CDMF

4
ESP NULL

Primary-Tunnel-Start
The IP address on the device that is to be used for the IKE and IPSec traffic between the device and the security gateway protecting the primary LDAP server.

Primary-Tunnel-End
The IP address on the remote security gateway protecting the primary LDAP server that is to be used for the IKE and IPSec traffic.

Secondary-Tunnel-Start
The IP address on the device that is to be used for the IKE and IPSec traffic between the device and the security gateway protecting the secondary LDAP server.

Secondary-Tunnel-End
The IP address on the remote security gateway protecting the secondary LDAP server that is to be used for the IKE and IPSec traffic.
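
The following Python model is an added illustration, not part of the IBM manual, of how the default-security and default-error-handling settings described above interact while the policy database is being refreshed. The packet fields, the use of TCP port 389 for LDAP, and the PASS/DROP names are assumptions made for the example.

```python
"""Model of the default-policy settings during a policy database refresh.
Added example, not IBM code. Assumed: packets carry an 'inside the default
ESP tunnel' flag, LDAP uses TCP port 389, decisions are PASS / DROP."""
from dataclasses import dataclass, field
from typing import List, Tuple

LDAP_PORT = 389  # assumed service port; the manual does not state it
PASS, DROP = "PASS", "DROP"


@dataclass
class Packet:
    src: str
    dst: str
    proto: int            # IP protocol number: 6 = TCP, 17 = UDP
    sport: int
    dport: int
    ipsec_protected: bool = False   # arrived inside the default ESP tunnel


@dataclass
class DefaultPolicy:
    security: int         # 1 = pass all, 2 = LDAP only, 3 = IPSec-secured LDAP only
    error_handling: int   # 1 = default security only, 2 = local rules + default security
    ldap_servers: List[str] = field(default_factory=list)   # primary / secondary
    local_addrs: List[str] = field(default_factory=list)    # addresses prompted for


def is_ldap_traffic(pkt: Packet, dp: DefaultPolicy) -> bool:
    """TCP/389 between a configured local address and an LDAP server, either way."""
    if pkt.proto != 6:
        return False
    to_server = (pkt.src in dp.local_addrs and pkt.dst in dp.ldap_servers
                 and pkt.dport == LDAP_PORT)
    from_server = (pkt.src in dp.ldap_servers and pkt.dst in dp.local_addrs
                   and pkt.sport == LDAP_PORT)
    return to_server or from_server


def refresh_decision(pkt: Packet, dp: DefaultPolicy) -> str:
    """Forwarding decision applied while the database is being rebuilt."""
    if dp.security == 1:
        return PASS
    if not is_ldap_traffic(pkt, dp):
        return DROP
    if dp.security == 2:
        return PASS
    # Option 3: LDAP is permitted only inside the default IPSec tunnel.
    return PASS if pkt.ipsec_protected else DROP


def rebuild_database(local_rules: List[str], ldap_rules: List[str],
                     ldap_error: bool, dp: DefaultPolicy) -> Tuple[List[str], str]:
    """Return (active rules, decision for unmatched packets) after a refresh.

    On success the default is PASS: unmatched packets are forwarded in the
    clear unless a policy says otherwise. On error the default security is
    inherited (option 1 passes, options 2 and 3 drop); error-handling 1
    keeps no rules, error-handling 2 keeps the locally defined rules.
    """
    if not ldap_error:
        return local_rules + ldap_rules, PASS
    inherited = PASS if dp.security == 1 else DROP
    if dp.error_handling == 1:
        return [], inherited
    return list(local_rules), inherited
```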

Set LDAP

Use the set ldap command to configure the LDAP operating parameters.

Syntax:  set ldap 
anonymous-bind

yes

no
bind-name <name>
bind-pw <pw>
policy-base <string>
primary <ip-address>
secondary <ip-address>
version <value>

anonymous-bind [Yes or No]
Specifies whether you want to bind to the LDAP directory anonymously or with the bind name and bind password you have specified.

Default value: Yes

bind-name <name>
Prompts you for information needed to bind to the LDAP server before a search of its directory can be performed. The name parameter specifies the distinguished name that the router uses to identify itself. If you do not enter this parameter, then the bind is issued as an anonymous request.

bind-pw <pw>
Prompts you for information needed to bind to the LDAP server before a search of its directory can be performed. The pw parameter is the password related to the distinguished name. If you do not enter this parameter, then the bind is issued as an anonymous request.

policy-base <string>
Prompts you to enter a character string that is used to define the scope of the search for policies in the router's SRAM and the LDAP server. For example, you can use this option to return policies that only apply to router A, or for NHD, or for IBM-US. The policy-base is the distinguished name of the DeviceProfile object in the LDAP server.

primary <ip-address>
Prompts you for the IPv4 address of the LDAP server from which to retrieve policies.

secondary <ip-address>
Prompts you for the IPv4 address of a backup LDAP server that is used if the default server cannot be reached.

version <value>
Prompts you for the LDAP version number supported by the LDAP server.

Default value: 2 (The only acceptable values are 2 or 3.)

Set Refresh

Use the set refresh command to enable or disable automatic refresh of the policy database once each day. If enabled then the policy database automatically refreshes once a day at the specified time. This enables all policy-enabled routers in the network to incorporate automatically any policy changes that have occurred in the LDAP directory. To reset this parameter, use the policy feature's Talk 5 reset refresh command.

Syntax:  set refresh 

enabled

yes

no

<time>

enabled [yes or no]
Specifies whether to perform the automatic refresh.

<time>
If you specify enabled yes, designates the time of day (in 24-hour format) at which the refresh is to occur.

Accessing the Policy Monitoring Prompt

The policy console portion of the policy feature enables you to view policies that are in the policy database and to enable or disable individual policies. To access the Policy monitoring environment type talk 5 at the OPCON prompt (*):

   * t 5

Then, enter the following command at the + prompt:

   + feature policy
   Policy>

Policy Monitoring Commands

These commands enable you to view the profiles defined in the policy database and to enable or disable individual policies. Table 41 summarizes the policy monitoring commands and the rest of this section describes them. Enter the commands at the Policy console> prompt. You can either enter the command and options on one line, or enter only the command and respond to the prompts. To see a list of valid command options, enter the command with a question mark instead of options.

Table 41. Policy Monitoring Commands
Command Function
? (Help) Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
Cache-ldap-plcys Stores a copy of the most recent policy information read from the LDAP server into the router's persistent configuration storage.
Check-consistency Checks for consistency within individual policies and between all configured policies.
Disable Disables a policy that is loaded in the policy database.
Enable Enables a policy that is loaded in the policy database.
Flush-cache Clears the cached policy information out of the router's persistent configuration storage.
Reset Refreshes or resets policy-related criteria.
Search Tests or debugs activity between the LDAP client and server.
Status Displays information about the policy database.
List Displays information about the LDAP configuration and the policies defined.
Test Queries the policy engine and retrieves the rules that were selected.
Exit Returns you to the previous command level. See "Exiting a Lower Level Environment".

Cache-LDAP-Plcys

Use the cache-ldap-plcys command to store a copy of the most recent policy information read from the LDAP server into the router's persistent configuration storage. This removes any existing cached policy information from persistent storage.

Syntax:  cache-policy 
Note: On 2212 and 2216 platforms, entering this command also writes the entire router configuration, as the Talk 6 write command does.

Check-Consistency

Use the check-consistency command to check for potential inconsistencies between the options configured in an individual policy (internal), and between policies with overlapping definitions (external). You may then take corrective action to resolve any conflicts.

An internal inconsistency is one that exists between action objects within a single policy, for example, a policy with a DiffServ action type of Deny also has an IPSec action type of Permit. An external inconsistency is one that exists between separate policies that have overlapping profiles, for example, one policy has a DiffServ action type of Block, and another policy has an IPSec action type of Permit. Another example is if overlapping policies specify different IPSec action types.

Syntax:  check-consistency 
Example:

Assume that policies have been configured as follows:

Policy Name: dsDown
Loaded from: Local
State: Enabled and Valid
Priority: 5
Hits: 0
Profile: DSUP
Validity: always
DiffServ: dsDown
RSVP: rsvpActUp

Policy Name: ManualTunnel
Loaded from: Local
State: Enabled and Valid
Priority: 5
Hits: 0
Profile: DSUP
Validity: always
Tunnel ID: 1

Policy Name: ike
Loaded from: Local
State: Enabled and Valid
Priority: 30
Hits: 0
Profile: DSUP
Validity: always
IPSec: ipsecUP
ISAKMP: generalPhase1Action

The check-consistency command output would appear as follows:

Policy console>check-consistency
Checking for inconsistencies with a policy...
Rule dsDown contains two conflicting actions:
   RSVP Action is of type PERMIT
   DiffServ Action is of type BLOCK
 
Checking for inconsistencies among policies with overlapping profiles...
  Mismatching IPSec and DiffServ actions at Priority 181 between:
        Rule: ike.traffic     State: ENABLE  Prio: 5 IPSec Action: PERMIT 
        Rule: dsDown          State: ENABLE  Prio: 5 DiffServ Action: BLOCK 
 
  Two rules with IPSec actions:
        Rule: ike.traffic     State: ENABLE  Prio: 30 Action: PERMIT 
        Rule: Man             State: ENABLE  Prio: 5 Action: PERMIT 
 
   Two rules with IPSec actions:
        Rule: ike.inBoundTunnel State: ENABLE  Prio: 30 Action: PERMIT 
        Rule: Man.inBoundTunnel State: ENABLE  Prio: 5 Action: PERMIT 
 
   Two rules with IPSec actions:
        Rule: Man.inBoundTunnel State: ENABLE  Prio: 5 Action: PERMIT 
        Rule: ike.inBoundTunnel State: ENABLE  Prio: 30 Action: PERMIT 
 
   Two rules with IPSec actions:
        Rule: Man             State: ENABLE  Prio: 5 Action: PERMIT 
        Rule: ike.traffic     State: ENABLE  Prio: 30 Action: PERMIT 
 
   Mismatching IPSec and DiffServ actions at Priority 5 between:
        Rule: Man             State: ENABLE  Prio: 5 IPSec Action: PERMIT 
        Rule: dsDown          State: ENABLE  Prio: 5 DiffServ Action: BLOCK 
 
  Mismatching IPSec and DiffServ actions at Priority 5 between:
        Rule: dsDown          State: ENABLE  Prio: 5 DiffServ Action: BLOCK 
        Rule: ike.traffic     State: ENABLE  Prio: 30 IPSec Action: PERMIT 
 
  Mismatching IPSec and DiffServ actions at Priority 5 between:
        Rule: dsDown          State: ENABLE  Prio: 5 DiffServ Action: BLOCK 
        Rule: Man             State: ENABLE  Prio: 5 IPSec Action: PERMIT 
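
As an added illustration, not code from the IBM manual, the following Python model runs the two checks described above (internal and external) over the three policies of this example. It assumes that profiles overlap when they share a name, that a manual tunnel counts as an IPSec PERMIT action, and that the ISAKMP Phase 1 action carries no PERMIT/BLOCK type; each pair is reported once rather than in both orders as the router does.

```python
"""Model of the check-consistency command's internal and external checks.
Added example, not IBM code. Assumptions: profiles overlap when they share a
name; a manual tunnel is an IPSec PERMIT action; the ISAKMP Phase 1 action
has no PERMIT/BLOCK type and is left out of the action list."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Tuple

PERMIT, BLOCK = "PERMIT", "BLOCK"


@dataclass
class Policy:
    name: str
    profile: str             # selector set the policy applies to
    priority: int
    actions: Dict[str, str]  # action kind (DiffServ, RSVP, IPSec) -> PERMIT / BLOCK


def internal_inconsistencies(p: Policy) -> List[str]:
    """Internal check: a single policy whose actions both permit and block."""
    if PERMIT in p.actions.values() and BLOCK in p.actions.values():
        detail = ", ".join(f"{k} {v}" for k, v in sorted(p.actions.items()))
        return [f"Rule {p.name} contains two conflicting actions: {detail}"]
    return []


def profiles_overlap(a: Policy, b: Policy) -> bool:
    # Assumption: overlap is modelled as an identical profile name. A real
    # check would compare the selector ranges of the two profiles.
    return a.profile == b.profile


def external_inconsistencies(policies: List[Policy]) -> List[str]:
    """External check: conflicts between policies with overlapping profiles."""
    findings = []
    for a, b in combinations(policies, 2):
        if not profiles_overlap(a, b):
            continue
        # One policy permits via IPSec while the other blocks via DiffServ.
        for x, y in ((a, b), (b, a)):
            if x.actions.get("IPSec") == PERMIT and y.actions.get("DiffServ") == BLOCK:
                findings.append(f"Mismatching IPSec and DiffServ actions between "
                                f"{x.name} (Prio {x.priority}) and {y.name} (Prio {y.priority})")
        # Two overlapping policies both carrying an IPSec action.
        if "IPSec" in a.actions and "IPSec" in b.actions:
            findings.append(f"Two rules with IPSec actions: {a.name} (Prio {a.priority})"
                            f" and {b.name} (Prio {b.priority})")
    return findings


def check_consistency(policies: List[Policy]) -> Tuple[List[str], List[str]]:
    internal = [f for p in policies for f in internal_inconsistencies(p)]
    return internal, external_inconsistencies(policies)


# The three policies from the example above (constructed data).
EXAMPLE_POLICIES = [
    Policy("dsDown", "DSUP", 5, {"DiffServ": BLOCK, "RSVP": PERMIT}),
    Policy("ManualTunnel", "DSUP", 5, {"IPSec": PERMIT}),  # Tunnel ID 1
    Policy("ike", "DSUP", 30, {"IPSec": PERMIT}),          # ISAKMP action omitted
]

if __name__ == "__main__":
    internal, external = check_consistency(EXAMPLE_POLICIES)
    print("\n".join(internal + external))
```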
 
 

Disable

Use the disable command to disable a policy that is currently loaded in the policy database. Any data packet that matches the criteria of a policy you disable will have default decisions applied to it.

Syntax:  disable 
policy-name

Enable

Use the enable command to enable a policy that is currently loaded in the policy database. Any data packet that matches the criteria of a policy you enable will have the decisions configured for the policy applied to it.

Syntax:  enable 
policy-name

Flush-Cache

Use the flush-cache command to clear the most recently cached copy of the policy information read from the LDAP server out of the router's persistent configuration storage.

Syntax:  flush-cache 

Reset

Use the reset command to refresh or reset policy-related criteria.

Syntax:  reset 
ldap-config
policy-database
refresh-time

ldap-config
Dynamically loads the LDAP configuration (as specified in the set ldap command) into memory. Any changes become active for the next search operation. This command also forces a reset of the policy database and inactivates the policy database refresh time.

policy-database
Refreshes the policy database. Stops all tunnels, Phase 1 and Phase 2 SAs, resets RSVP and DiffServ data structures, and flushes the policy database. Then policies are loaded from the LDAP server and an autostart is done. While the database is being rebuilt, no packets will be allowed into or out of the router except for packets to and from the LDAP server.

refresh-time
Sets the time at which the policy database will be refreshed automatically on a daily basis. If you have disabled the refresh time, then the database will not be refreshed until the router is rebooted or restarted.

Search

Use the search command to test or debug activity between the LDAP client and server. You can perform searches against the directory and have the results of the searches displayed in talk 5.

Syntax:  search 
filter
ipaddress

filter
Specifies a filter value for the search operation.

ipaddress
Specifies the IP address of the server.

Status

Use the status command to display information about the policy database.

Syntax:  status 

status
Displays the results of the most recent policy database refresh, the time that has elapsed since the refresh, and the time that the next refresh is scheduled.
Example:
Policy>status
Status of Last Search:       Failed
Time since last refresh:     4 seconds
Next Policy Refresh not scheduled

List

Use the list command to display information about LDAP configurations and policies.

Syntax:  list 
default-policy
ldap
policy
refresh
rule
stats

default-policy
Lists the default policy used during policy database refreshes.

ldap
Lists the LDAP configurations in SRAM.

policy
basic
Lists policy components by logical policy name. You may select one policy or list all policies. The listing displays the names of the components of policies as they were entered during configuration in Talk 6.
complete
Does the same as list policy basic, except that the listing displays a complete listing of all parameter values for each logical policy.
generated
Does the same as list policy basic, except that the listing displays the names of all the generated rules for each logical policy.

refresh
Lists the policy refresh status (Enable or Disable) and the refresh interval time.

rule
Lists information about generated rules according to the following options:
basic
Lists all the generated rules. You can select a rule from the list or list all rules. The listing displays the names of the components of the rules. The components are:
policy name
loaded from (LDAP or local)
state
priority
number of hits
profile
validity (followed by an action list consisting of the following)
IPSec (and, or)
ISAKMP (and, or)
DiffServ (and, or)
RSVP
complete
Does the same as rule basic, except that the listing displays the names of all the parameters for each component.

stats
Lists the rules that have been hit and the number of hits. A rule can have multiple actions and not all actions are hit, so this option also indicates which action of the rule was hit, and the number of times.

Test

Use the test command to verify the behavior of the policy database. It allows you to enter a selector set, which queries the policy engine and retrieves the rules that match. You are prompted for the source and destination addresses, source and destination ports, the protocol ID, and the TOS value. If a rule is matched, then the command returns the name of the rule. Otherwise it indicates No match found.

Syntax:  test 
forwarder
ISAKMP
IPSec
RSVP

forwarder
Simulates a database query from the IP forwarding engine and returns any policy decisions that would result from such a query. The type of policy returned could include DiffServ information, IKE Phase 1 and Phase 2 information, and IPSec manual tunnel IDs.

ISAKMP
Simulates a database query from IKE for Phase 1 policy information and returns any policy decisions that would result from such a query. If you use this option, you must set the source and destination addresses to the tunnel endpoint IP addresses, the protocol to 17, and the source and destination ports to 500.

IPSec
Simulates a database query from IKE for Phase 2 policy information and returns any policy decisions that would result from such a query. If you use this option, you must set the source and destination addresses to the tunnel endpoint IP addresses, the protocol to 17, and the source and destination ports to 500.

RSVP
Simulates a database query from RSVP and returns any RSVP policy decisions that would result from such a query.

Policy Dynamic Reconfiguration Support

This section describes dynamic reconfiguration (DR) as it affects Talk 6 and Talk 5 commands.

CONFIG (Talk 6) Delete Interface

The policy feature does not support the CONFIG (Talk 6) delete interface command.

GWCON (Talk 5) Activate Interface

The GWCON (Talk 5) activate interface command is not applicable for the policy feature. The configuration for the policy feature determines the set of rules and subsequent actions that should be applied to IP traffic, which is independent of a particular interface.

GWCON (Talk 5) Reset Interface

The GWCON (Talk 5) reset interface command is not applicable for the policy feature. The configuration for the policy feature determines the set of rules and subsequent actions that should be applied to IP traffic, which is independent of a particular interface.

GWCON (Talk 5) Component Reset Commands

Policy Feature supports the following Policy Feature-specific GWCON (Talk 5) reset commands:

GWCON, Feature Policy, Reset, Database Command

Description:
All policies configured in the feature policy will be read from local configuration. If LDAP searching has been enabled, policies for this device will be read from the LDAP server. Any other changes to underlying policy objects such as DIFFSERV Actions, IPSec and IKE policy objects that are used by policies will be re-loaded from configuration as well.

Once all the policies have been read, the policy database will be built from the collection of rules that are generated from these policies. During the period while the policies are being read, a default database is created with the default rule configured in Talk 6, using the feature policy, set default-policy command.

Network Effect:
During the period while the policy database is being built, IPv4 unicast traffic will be forwarded based on the default policy configured in Talk 6. The default policy either passes all traffic, drops all traffic except for LDAP traffic to and from the 2210, or drops all traffic except for LDAP traffic secured using IPSec to and from the 2210.

Limitations:
None.

The following table summarizes the Policy Feature configuration changes that are activated when the GWCON, feature policy, reset, database command is invoked:
Commands whose changes are activated by the GWCON, feature policy, reset, database command
CONFIG, feature policy, add, policy
CONFIG, feature policy, delete, policy
CONFIG, feature policy, change, policy
CONFIG, feature policy, disable, policy
CONFIG, feature policy, enable, policy

GWCON, Feature Policy, Reset, LDAP Command

Description:
The LDAP configuration parameters for the policy feature will be refreshed.

Network Effect:
The next time the policy database is refreshed, the new LDAP configuration parameters will be used to determine whether to search the server, and, if so, which parameters to use.

Limitations:
None.

The following table summarizes the Policy Feature configuration changes that are activated when the GWCON, feature policy, reset, ldap command is invoked:
Commands whose changes are activated by the GWCON, feature policy, reset, ldap command
CONFIG, feature policy, set, ldap, anonymous-bind
CONFIG, feature policy, set, ldap, bind-name
CONFIG, feature policy, set, ldap, bind-pw
CONFIG, feature policy, set, ldap, policy-base
CONFIG, feature policy, set, ldap, port
CONFIG, feature policy, set, ldap, primary-server
CONFIG, feature policy, set, ldap, retry-interval
CONFIG, feature policy, set, ldap, search-timeout
CONFIG, feature policy, set, ldap, secondary-server
CONFIG, feature policy, set, ldap, version
CONFIG, feature policy, enable, ldap, cached-search
CONFIG, feature policy, enable, ldap, policy-search
CONFIG, feature policy, disable, ldap, cached-search
CONFIG, feature policy, disable, ldap, policy-search

GWCON, Feature Policy, Reset, Refresh

Description:
The policy database refresh parameters will be reloaded. The refresh parameters determine whether the database should be automatically refreshed once a day and, if enabled, when during the day.

Network Effect:
If the policy refresh feature is enabled, then when the time event specified in the refresh configuration occurs, the policy database will be refreshed. This has the exact effect of manually performing a reset database command.

Limitations:
None.

The following table summarizes the Policy Feature configuration changes that are activated when the GWCON, feature policy, reset, refresh command is invoked:
Commands whose changes are activated by the GWCON, feature policy, reset, refresh command
CONFIG, feature policy, set, refresh

CONFIG (Talk 6) Immediate Change Commands

The policy feature supports the following CONFIG commands that immediately change the operational state of the device. These changes are saved and are preserved if the device is reloaded, restarted, or you execute a dynamically reconfigurable command.
Commands
CONFIG, feature policy, set, default-policy
Note: The next time that the policy database is refreshed, the settings for the default policy will be used during the refresh period and to handle the error conditions that may occur when refreshing the policy database.
CONFIG, feature policy, add, user
CONFIG, feature policy, change, user
Note: The pre-shared key defined for the user can be used immediately without restarting or reloading the device. If this user is part of a group associated with the remote user group of a profile, then the policy database must be reset before this association can be made.

