Using and Configuring Features Version 3.4

Configuring and Monitoring the Policy Feature

This chapter describes the LDAP and policy commands provided by the policy feature for configuring and operating the router devices in a network. It includes the following sections:

• "Accessing the Policy Configuration Prompt"
• "Policy Configuration Commands"
• "LDAP Policy Server Configuration Commands"
• "Accessing the Policy Monitoring Prompt"
• "Policy Monitoring Commands"
• "Policy Dynamic Reconfiguration Support"

Accessing the Policy Configuration Prompt

To enter policy configuration commands:

1. Enter talk 6 at the OPCON (*) prompt.
2. Enter feature policy at the Config> prompt.

The Policy config> prompt displays. You may now enter policy configuration commands.

Policy Configuration Commands

These commands enable you to configure the information contained in policies. Table 44 summarizes the policy configuration commands and the rest of this section describes them in detail. Enter these commands at the Policy config> prompt. You can either enter the command and options on one line, or enter only the command and respond to the prompts. To see a list of valid command options, enter the command with a question mark instead of options.

Table 44. Policy Configuration Commands

Add

Use the add command to add information to a policy.

Syntax:  add 

diffserv-action

interface-pair

ipsec-action

ipsec-manual-tunn

ipsec-proposal

ipsec-transform

isakmp-action

isakmp-proposal

policy

profile

rsvp-action

user

validity-period

diffserv-action

Prompts you for information about which DiffServ-action selections apply. See Using the Differentiated Services Feature and Configuring and Monitoring the Differentiated Services Feature for details.

name

The unique name of the DiffServ action for the policy.

permission level

Specifies whether the router is to forward packets that match this DiffServ action.

1

Permit

2

Deny

Default value: 2

queue number

The queue into which outgoing packets matching this DiffServ action are placed.

1

Premium (EF)

2

Assured (AF)/Best Effort

Default value: 2

bwshare type

The type of bandwidth share allocation.

1

Absolute (in kbps)

2

Percentage (of total output bandwidth)

Default value: 2

bwshare

The bandwidth (in kbps or as a percentage of output bandwidth) allocated to this service.

Assured forwarding class

Specifies the assured forwarding class for outgoing packets matching this DiffServ action.

1

AF1 Class DS Byte

2

AF2 Class DS Byte

3

AF3 Class DS Byte

4

AF4 Class DS Byte

5

New Class

Assured forwarding policing type

Specifies the type of AF policing for outgoing packets matching this DiffServ action.

1

Single-rate, color-blind TCM

2

Single-rate, color-aware TCM

3

Two-rate, color-blind TCM

4

Two-rate, color-aware TCM

5

None

Single-Rate TCM Parameters

Committed information rate (CIR)

Specifies the committed information rate.

Committed burst size (CBS)

Specifies the committed burst size.

Excess burst size (EBS)

Specifies the excess burst size.

Notes:

1. Specify the CIR in bytes of IP packets per second. This includes the IP header, but not the link-specific header.

2. Specify the CBS and the EBS in bytes. These values must be configured so that at least one of them is larger than zero. It is recommended that when the value of the CBS or EBS is larger than zero, it is larger than, or equal to, the size of the largest possible IP packet in the stream.

Two-Rate TCM Parameters

Committed information rate (CIR)

Specifies the committed information rate.

Committed burst size (CBS)

Specifies the committed burst size.

Peak information rate (PIR)

Specifies the peak information rate.

Peak burst size (PBS)

Specifies the peak burst size.

Notes:

1. Specify the CIR and the PIR in bytes of IP packets per second. This includes the IP header, but not the link-specific header. The PIR value must be equal to or greater than the CIR.

2. Specify the CBS and PBS in bytes. Both must be configured to values larger than zero and larger than, or equal to, the size of the largest possible IP packet in the stream.

transmitted ds-byte mask

The mask to apply to transmitted ds bytes for expedited forwarding. This value designates which bits of a packet's DS byte must be changed when the packet is transmitted. A zero in any bit position of this byte implies that the bit must not change.

Default value: 00 (do not change any bits)

transmitted ds-byte modify value

The marking of the IP DS (TOS) byte for expedited forwarding that should be applied to packets to be forwarded by this device. Zeros in the mask imply that the corresponding bit will not change. A one implies that the bit will be marked with the bit value in the mark byte. The operation is: newTOSByte = (Mask^ & receivedTOSByte) | (Mask&Mark) The ^ ^ ^ is a bit-based complement (Mask:Mark)

Example:

11111101:00000001
 
 

Using this example, a received value 0x07 would be sent with a value of 0x03

Default value: X'00' (do not change any bit)

EF policing type

Specifies the expedited forwarding police configuration type.

1

Default config

The token rate and token bucket size parameters will be calculated from the bandwidth parameter configuration.

2

Custom config

Token Rate:

The token replenishment rate.

Token Bucket Size:

The token bucket size.

Notes:

1. Specify the token rate in bytes of IP packets per second. This includes the IP header, but not the link-specific headers.

2. Specify the token bucket size in bytes. The value must be greater than zero, and greater than or equal to the size of the largest IP packet in the stream.

interface-pair

The interface pair associates a profile with a specific interface or set of interfaces. By default, the profile object does not restrict the policy from being applied to any one interface. If that is necessary, you may add interface pairs to accomplish it. The interface pair specifies the IP address of the interface on which the traffic is to arrive and the IP address of the interface on which the traffic is to leave.

The following example shows two interface pairs with the same name, representing traffic coming in on any interface and going out on the public interface, and conversely.

1) Group Name: inOutPublic
        In:Out=255.255.255.255 : 1.1.1.1	
        In:Out=1.1.1.1 : 255.255.255.255
 
 

Name

The name of the interface pair.

Ingress interface

IPv4 address of the input interface.

Default value: 255.255.255.255 (any)

Egress interface

IPv4 address of the output interface.

Default value: 255.255.255.255 (any)

IPSec-action

Prompts you for information for setting up the Phase 2 tunnel.

Name

The name of the IPSec action.

Action type

The action to apply to packets matching the profile of a policy containing this action.

1

Block (block connection).

2

Permit (Permit packets matching this action.) If an IPSec proposal does not exist, pass the packet; if an IPSec proposal exists, apply IPSec security processing to the packet.

Default value: 2

The following option is only available if you specify pass as the action type:

Traffic flow type

Type of traffic flow (secure tunnel or in the clear).

1

Clear

2

Secure Tunnel

Default value: 2

The following option is only available if you specify the traffic flow as secure:

Tunnel start point

IPv4 address of the tunnel start point.

Tunnel end point

IPv4 address of the tunnel end point. (0.0.0.0 for remote access)

Default value: 0.0.0.0

Tunnel-in-tunnel

Specifies whether the traffic being protected by this tunnel is to be further protected by another policy configured on this device.

Valid options: Yes or No

Default value: No

Percentage of SA lifesize/lifetime to accept

The minimum SA lifesize/lifetime (as a percentage) of the SA lifesize/lifetime. An SA lifesize/lifetime received with a value less than this is not accepted.

Default value: 75

SA refresh threshold

The percentage into the SA lifetime or lifesize value that the SA is to be refreshed automatically.

Default value: 85

DF-Bit-Setting

Specifies whether to copy the Don't Fragment bit from the original packet, and whether to set or clear it in the outer header of the IPSec packet if running in tunnel mode.

1

Copy

2

Set

3

Clear

Default value: 1

Replay-Prevention

Specifies whether IPSec is to enforce replay prevention for received IPSec packets. In this mode IPSec ensures that the sequence numbers are valid and not received more than once.

1

Enable

2

Disable

Default value: 2

Negotiate SA Automatically

Specifies whether the Phase 2 SA is negotiated automatically at system initialization.

Yes or No

Default value: No

IPSec proposal

The name of the IPSec proposal (you may specify up to five proposals) to be sent or checked during Phase 2. The order in which you specify them determines their priority, with the first one being the highest.

IPSec-manual-tunn

Prompts you for information for manually setting up the Phase 2 tunnel.

Tunnel name

The name of the IPSec manual tunnel.

Tunnel lifetime

The tunnel lifetime (in minutes).

Default value: 46080

Encapsulation mode

The encapsulation mode to use.

tunn

Tunnel mode

trans

Transport mode

Default value: tunn

Policy

The type of tunnel policy to use.

AH

Authentication Header

ESP

Encapsulating Security Payload

AH-ESP

For outbound packets, specifies that encryption runs before authentication.

ESP-AH

For outbound packets, specifies that authentication runs before encryption.

Default value: AH-ESP

Local IP address

The source IPv4 address.

Default value: 11.0.0.5

Local encryption SPI

The source security parameters index value.

Default value: 256

Local encryption algorithm

The source encryption algorithm.

Null

No encryption.

CDMF

Commercial Data Masking Facility.

DES-CBC

Data Encryption Standard and Cipher Block Chaining.

3DES

Triple Data Encryption Standard.

Default value: DES-CBC

Local encryption key

A 16-character key.

Padding

Additional padding for local encryption.

Default value: 0

Local ESP authentication

Specifies whether local ESP authentication is to be used.

Yes or No

Default value: Yes

Remote IP address

The destination IPv4 address.

Default value: 0.0.0.0

Remote encryption SPI

The destination security parameters index value.

Default value: 256

Remote encryption algorithm

The destination encryption algorithm.

Null

No encryption.

CDMF

Commercial Data Masking Facility.

DES-CBC

Data Encryption Standard and Cipher Block Chaining.

3DES

Triple Data Encryption Standard.

Default value: DES-CBC

Remote encryption key

A 16-character key.

Verify remote encryption padding.

Specifies whether to verify remote encryption padding.

Yes or No

Default value: No

Remote ESP authentication

Specifies whether remote ESP authentication is to be used.

Yes or No

Default value: Yes

DF bit

Specifies how to process the Don't Fragment bit.

Copy

Copies the DF bit.

Set

Sets the DF bit on.

Clear

Sets the DF bit off.

Default value: COPY

Enable tunnel

Specifies whether to enable the tunnel when it is created.

Yes or No

Default value: Yes

IPSec-proposal

Prompts you for information for creating an IPSec proposal.

IPSec proposal name

The name of the IPSec proposal.

Perfect forward secrecy

Specifies whether IKE is to be used, to prevent anyone from determining a current key from a previously compromised key.

Yes or No

Default value: No

Diffie Hellman Group ID

The type of Diffie Hellman group.

1

Diffie Hellman Group 1

2

Diffie Hellman Group 2

Default value: 1

AH transform

The name of the AH transform (you may specify up to five transforms) for this proposal. The order in which you specify them determines their priority, with the first one being the highest.

ESP transform

The name of the ESP transform (you may specify up to five proposals) for this proposal. The order in which you specify them determines their priority, with the first one being the highest.

IPSec-transform

Prompts you for information about IPSec transforms.

IPSec transform name

The name of the IPSec transform.

Protocol ID

The security protocol to use.

1

IPSec-AH

2

IPSec-ESP

Default value: 1

AH Authentication Algorithm

The AH authentication algorithm to use.

1

HMAC-MD5

2

HMAC-SHA

Default value: 1

Encapsulation mode

The encapsulation mode to use.

1

Tunnel

2

Transport

Default value: 1

ESP Authentication Algorithm

The ESP authentication algorithm to use.

0

None

1

HMAC-MD5

2

HMAC-SHA

Default value: 2

ESP cipher algorithm

The ESP cipher algorithm to use.

1

ESP DES

2

ESP 3DES

3

ESP CDMF

4

ESP Null (no encryption)

Default value: 1

SA lifesize

The lifesize (in kb) of the SA for this proposal.

Default value: 50000

SA lifetime

The lifetime (in seconds) of the SA for this proposal.

Default value: 3600

ISAKMP-Action

Prompts you for information about which ISAKMP action to apply.

Name

The name of the ISAKMP action.

Exchange mode

The type of exchange mode for Phase 1 negotiations.

1

Main

2

Aggressive

Default value: 1

Percentage of Minimum SA lifesize/lifetime

The minimum SA lifesize/lifetime (as a percentage) of the SA lifesize/lifetime. An SA lifesize/lifetime with a value less than this is not accepted.

Default value: 75

ISAKMP connection lifesize

The lifesize (in kb) of the Phase 1 connection. Once the Phase 1 connection expires, the next time the Phase 2 SA must refresh, Phase 1 completely renegotiates before Phase 2 can start.

Default value: 5000

ISAKMP connection lifetime

The lifetime (in seconds) of the Phase 1 connection. Once the Phase 1 connection expires, the next time Phase 2 must refresh, Phase 1 starts over completely.

Default value: 5000

Negotiate SA automatically

Specifies whether the SA is negotiated automatically at system initialization.

Yes or No

Default value: No

ISAKMP proposal

The name of the ISAKMP proposal (you may specify up to five proposals) to be sent or checked during Phase 2 quick mode. The order in which you specify them determines their priority, with the first one being the highest.

ISAKMP-Proposal

Prompts you for the ISAKMP proposal information used in the ISAKMP negotiations.

ISAKMP proposal name

The name of the ISAKMP proposal.

Authentication method

The type of authentication to use during ISAKMP Phase 1 negotiations.

1

Pre-Shared Key

2

RSA SIG (certificate mode)

Default value: 1

Hash algorithm

The type of hash algorithm to use during Phase 1 negotiations.

1

MD5

2

SHA

Default value: 1

Cipher algorithm

The type of cipher algorithm to use during Phase 1 negotiations.

1

DES

2

3DES

Default value: 1

Diffie Hellman Group ID

The type of Diffie Hellman group to use during Phase 1 negotiations.

1

Diffie Hellman Group 1

2

Diffie Hellman Group 2

Default value: 1

SA lifesize

The lifesize (in kb) of the SA for this proposal.

Default value: 50000

SA lifetime

The lifetime (in seconds) of the SA for this proposal.

Default value: 5000

Policy

Prompts you for information about the policy configuration: Profile name (required), RSVP name (optional), DiffServ name (optional), IPSec name (optional), ISAKMP name (optional), and Validity Period Profile (optional). You must specify either DiffServ, IPSec, ISAKMP, or RSVP for the policy to be valid.

Default value: Valid all the time

Name

The name of the policy configuration

Priority

Relative priority of this policy to other policies (the higher the number, the higher the priority). This is used to resolve conflicts if multiple policies apply to a packet.

Default value: 5

Profile

The name of a previously configured data traffic profile to use for this policy.

Validity period

The name of a previously configured validity period to use for this policy.

IPSec action

If this policy will enforce an IPSec action, the name of a previously configured IPSec action to use for this policy. If you specify a secure IPSec action, you must also specify an ISAKMP action.

ISAKMP action

The name of a previously configured ISAKMP action to use for this policy. If you specify an ISAKMP action, you must also specify an IPSec action.

Diffserv action

If you want to map a DiffServ action to this policy, the name of a previously configured DiffServ action.

RSVP action

The name of an RSVP action for this policy to enforce.

Profile

Prompts you for information for defining a set of selectors (conditionals) for a policy profile on which to perform actions.

name

The name of the policy profile.

ipv4-src-address-format

The format of the IPv4 source address (range, netmask, single address).

ipv4-src-address

The IPv4 source address (low address if address format is range).

Default value: 0.0.0.0

ipv4-src-mask

The IPv4 source mask (high address if address format is range).

Default value: 255.0.0.0

ipv4-dest-address-format

The format of the IPv4 destination address (range, netmask, single address).

ipv4-dest-address

The IPv4 destination address (low address if address format is range).

Default value: 0.0.0.0

ipv4-dest-mask

The IPv4 destination mask (high address if address format is range).

Default value: 255.0.0.0

protocol-id

The protocol ID on which to filter.

1

TCP

2

UDP

3

All protocols

4

Specify range

Default value: 3

src-port-start

The first port number of the source port number range.

Default value: 0

src-port-end

The last port number of the source port number range.

Default value: 65535

dest-port-start

The first port number of the destination port number range.

Default value: 0

dest-port-end

The last port number of the destination port number range.

Default value: 65535

src-id-type

The source ID type, which is sent to the remote. This value is used to determine which policy contains the ISAKMP information needed during ISAKMP Phase 1 negotiations. It is compared to the information in the identification payload of the ISAKMP packet. This information is needed if the remote peer must identify the device with a value other than IP address.

1

Local tunnel end point

2

Host fully qualified domain name

3

User fully qualified domain name

4

Key ID

any-user-access

Allow access for any user within the profile definition. If you specify No, then you are prompted for the name of the remote user group for this profile. This attribute is only required if you want to limit the access of remote access peers to a specific policy.

Yes or No

Default value: Yes

Received DS byte mask

The 8-bit mask to apply to an incoming packet's DS (TOS) byte.

Default value: 0

Received DS byte match

The 8-bit pattern to compare to the result of ANDing the incoming DS (TOS) byte with the Received DS byte mask value.

Default value: 0

Interface pairs

If this policy must restrict the traffic flows to specific interfaces, this is the name of the interface pair group.

RSVP-Action

Prompts you for information about which RSVP actions apply.

Name

The name of the RSVP action.

Permission

Specifies the permission level for RSVP sessions that match this action.

1

Permit

2

Deny

Default value: 2

Max token rate

The maximum amount of bandwidth (in kbps) that RSVP is to allocate for an individual flow.

Default value: 100

Max duration

The maximum amount of time (in seconds) that a flow can last (0 implies forever).

Default value: 600

RSVP-to-DS

Specifies whether to map RSVP flows that match this action to a configured DiffServ action. RSVP uses the information from the DiffServ action to mark the TOS byte for the next DiffServ-enabled upstream device. This is for use in a network in which packets leave an RSVP-enabled network into a DiffServ-enabled network.

Yes or No

Default value: No

User

Prompts you for information about the user profile definition for the remote IKE peer. This information includes how the peer must identify itself during phase 1 negotiations, the authentication method to use for this peer, and, if the authentication mechanism is pre-shared key, the key value to use. If you use pre-shared key, you must define a user in order to associate the pre-shared key with an ID type and name. This command sets the key that is used in phase 1 negotiation for a particular user. The key is used in messages 1 and 5 for initiators and messages 2 and 6 for responders.

Identification

Identification of the user. For main mode authentication, the user identification type must be IP address. For aggressive mode authentication, the identification type should be one of the other types. The reason for this is that in main mode the IDs are not exchanged until messages 5 and 6, which is too late for the pre-shared key, thus the only look-up mechanism is through the IP address of the IKE peer. In aggressive mode, the IDs are exchanged in messages 1 and 2, thus the pre-shared key lookup can be done through the ID type and corresponding value.

1

IP address.

2

Fully qualified domain name.

3

User fully qualified domain name.

4

Key ID (any string).

Default value: 1

Group

Name of group in which to place this user.

Default value: none

Authentication

Authentication method to use with peer.

1

Pre-shared key.

1

Key in ASCII format.

Valid values: An even number of 2 to 128 characters

2

Key in hexadecimal format.

Valid values: An even number of 2 to 256 hexadecimal digits

2

Public certificate.

Default value: 1

VALIDITY-PERIOD

Prompts you for information about the period during which the policy is valid, and creates a policy profile.

Name

The name of the validity period profile.

yyyymmddhhmmss:yyyymmddhhmmss

The period during which the policies containing this validity period profile are valid.

Example:

  19980101000000:19981231000000
 
 

Months

The months during which the policies containing this validity period profile are valid. You can specify any sequence of months, using the first three letters of each month (for example, jan or dec), with the months separated by a spaces, or you can specify all to signify every month of the year.

Days

The dates on which the policies containing this validity period profile are valid. You can specify any sequence of dates, using the first three letters of each day (for example, mon or fri), with the days separated by a spaces, or you can enter all to specify every day of the week.

Starting time

The time at which policies containing this validity period profile are valid. Specify this in the form hh:mm:ss or specify * if you want the policy to be valid all day.

Default value: *

Ending time

The time at which the validity of policies containing this validity period profile expires. Specify this in the form hh:mm:ss.

Default value: None

Change

Use the change command to change information in a policy object. See the description of the add command for the available objects.

Copy

Use the copy command to copy information from one policy object to another. See the description of the add command for the available objects. (The interface-pair, manual tunnel, and user options do not apply to the copy command.)

Delete

Use the delete command to delete information from a policy object. See the description of the add command for the available objects.

Disable

Use the disable command to disable a policy configuration.

Syntax:  disable 

policy

Policy

Prompts you for the name of the policy configuration to disable.

Enable

Use the enable command to enable a policy configuration.

Syntax:  enable 

policy

Policy

Prompts you for the name of the policy configuration to enable.

List

Use the list command to display any or all of the policy configuration information.

Syntax:  list 

all

default-policy

ldap

refresh

All

Displays all policy configuration information.

Default-policy

Displays the name of the default policy.

LDAP

Displays the names of the defined LDAP configurations.

Refresh

Lists the policy refresh status (Enable or Disable) and the refresh interval time.

LDAP Policy Server Configuration Commands

The LDAP policy server configuration commands enable you to specify LDAP server options for retrieving policy information. Table 45 summarizes the LDAP configuration commands, and the rest of this section describes them in detail. Enter them at the Policy config> prompt. You can either enter the command and options on one line, or enter only the command and respond to the prompts. To see a list of valid command options, enter the command with a question mark instead of options.

Table 45. LDAP Configuration Commands

Disable LDAP

Enable LDAP

Set Default-Policy

Use the set default-policy command to specify the policy options to use while the policy database is being refreshed. The command sets the error handling options and the default security needed for accessing the LDAP policy server.

Syntax:  set 

default-policy

default-error-handling

default-security

default-error-handling

Specifies the error handling options to use while the policy database is being refreshed.

Note:

The default error handling setting determines the behavior of the device if an error occurs while rebuilding the policy database. If an error occurs then you have the options for how the device is to behave. They are: Reset policy database to default security. Flush any rules read from LDAP, load local rules plus default security. These settings are only valid if there was an error building the policy database. Either option inherits the default security of drop or pass when an error occurs. If you select option 2 then all traffic is dropped or passed unless it matches a locally defined policy. If the policy database builds successfully then this option is not used.

default-security

Specifies the security options to use while the policy database is being refreshed.

Note:

Once the policy database has been built successfully, the default behavior is defined as pass. This means that if a packet does not match any policy rule then it will be passed in the clear. If you want packets that do not match a rule to be dropped globally or just for certain interfaces, then you must define a policy to do that.

1

Accept and forward all IP traffic.

2

Permit LDAP traffic, drop all other IP traffic.

If you select this option, then you are prompted for the local IP addresses on the device on which the LDAP traffic is to be sent and received.

3

Permit and secure LDAP traffic, drop all other IP traffic.

If you select this option, then you are prompted for the following information:

DHGroupId

The Diffie-Hellman Group Id to use during the ISAKMP Phase 1 negotiations.

1

DH Group 1.

2

DH Group 2.

Phase1-Hash-Algorithm

The hash algorithm to use during the Phase 1 negotiations. The hash algorithm provides the authentication of the Phase 1 messages.

1

MD5.

2

SHA.

Phase1-Cipher-Algorithm

The cipher algorithm to use during Phase 1 negotiations. The cipher algorithm provides encryption protection for the Phase 1 negotiations.

1

DES

2

3DES

Phase1-Authentication-Method

The authentication method to use with the remote peer. This specifies how ISAKMP determines whether the remote peer is actually the correct device with which to be negotiating.

1

Pre-shared key

2

Certificate (RSA SIG)

Pre-Shared-Key-Value

If you have specified the pre-shared key Phase 1 authentication method, then you are prompted to enter the key value in ASCII.

Phase2-ESP-Authentication-Algorithm

ESP is the only IPSec protocol allowed for the default security. You are prompted for the authentication algorithm to use during Phase 2 ISAKMP negotiations.

0

None

1

HMAC-MD5

2

HMAC-SHA

Phase2-ESP-Cipher-Algorithm

ESP is the only IPSec protocol allowed for the default security. You are prompted for the encryption algorithm to use during Phase 2 ISAKMP negotiations.

1

ESP DES

2

ESP 3DES

3

ESP CDMF

4

ESP NULL

Primary-Tunnel-Start

The IP address on the device that is to be used for the IKE and IPSec traffic between the device and the security gateway protecting the primary LDAP server.

Primary-Tunnel-End

The IP address on the remote security gateway protecting the primary LDAP server that are to be used for the IKE and IPSec traffic.

Secondary-Tunnel-Start

The IP address on the device that is to be used for the IKE and IPSec traffic between the device and the security gateway protecting the secondary LDAP server.

Secondary-Tunnel-End

The IP address on the remote security gateway protecting the secondary LDAP server that are to be used for the IKE and IPSec traffic.

Set LDAP

Use the set ldap command to configure the LDAP operating parameters.

Syntax:  set ldap 

anonymous-bind

yes

no

bind-name <name>

bind-pw <pw>

policy-base <string>

primary <ip-address>

secondary <ip-address>

version <value>

anonymous-bind [Yes or No]

Specifies whether you want to bind to the LDAP directory anonymously or with the bind name and bind password you have specified.

Default value: Yes

bind-name <name>

Prompts you for information needed to bind to the LDAP server before a search of its directory can be performed. The name parameter specifies the distinguished name that the router uses to identify itself. If you do not enter this parameter, then the bind is issued as an anonymous request.

bind-pw <pw>

Prompts you for information needed to bind to the LDAP server before a search of its directory can be performed. The pw parameter is the password related to the distinguished name. If you do not enter this parameter, then the bind is issued as an anonymous request.

policy-base <string>

Prompts you to enter a character string that is used to define the scope of the search for policies in the router's SRAM and the LDAP server. For example, you can use this option to return policies that only apply to router A, or for NHD, or for IBM-US. The policy-base is the distinguished name of the DeviceProfile object in the LDAP server.

primary <ip-address>

Prompts you for the IPv4 address of the LDAP server from which to retrieve policies.

secondary <ip-address>

Prompts you for the IPv4 address of a backup LDAP server that is used if the default server cannot be reached.

version <value>

Prompts you for the LDAP version number supported by the LDAP server.

Default value: 2 (The only acceptable values are 2 or 3.)

Set Refresh

Use the set refresh command to enable or disable automatic refresh of the policy database once each day. If enabled then the policy database automatically refreshes once a day at the specified time. This enables all policy-enabled routers in the network to incorporate automatically any policy changes that have occurred in the LDAP directory. To reset this parameter, use the policy feature's Talk 5 reset refresh command.

Syntax:  set refresh 

enabled

yes

no

<time>

enabled [yes or no]

Specifies whether to perform the automatic refresh.

<time>

If you specify enabled yes, designates the time of day (in 24-hour format) at which the refresh is to occur.

Accessing the Policy Monitoring Prompt

The policy console portion of the policy feature enables you to view policies that are in the policy database and to enable or disable individual policies. To access the Policy monitoring environment type talk 5 at the OPCON prompt (*):

   * t 5
 
 

Then, enter the following command at the + prompt:

   + feature policy
   Policy>
 
 

Policy Monitoring Commands

These commands enable you to view the profiles defined in the policy database and to enable or disable individual policies. Table 46 summarizes the policy monitoring commands and the rest of this section describes them. Enter the commands at the Policy console> prompt. You can either enter the command and options on one line, or enter only the command and respond to the prompts. To see a list of valid command options, enter the command with a question mark instead of options.

Table 46. Policy Monitoring Commands

Policy console>check-consistency
Checking for inconsistencies with a policy...
Rule dsDown contains two conflicting actions:
   RSVP Action is of type PERMIT
   DiffServ Action is of type BLOCK
 
Checking for inconsistencies among policies with overlapping profiles...
  Mismatching IPSec and DiffServ actions at Priority 181 between:
        Rule: ike.traffic     State: ENABLE  Prio: 5 IPSec Action: PERMIT 
        Rule: dsDown          State: ENABLE  Prio: 5 DiffServ Action: BLOCK 
 
  Two rules with IPSec actions:
        Rule: ike.traffic     State: ENABLE  Prio: 30 Action: PERMIT 
        Rule: Man             State: ENABLE  Prio: 5 Action: PERMIT 
 
   Two rules with IPSec actions:
        Rule: ike.inBoundTunnel State: ENABLE  Prio: 30 Action: PERMIT 
        Rule: Man.inBoundTunnel State: ENABLE  Prio: 5 Action: PERMIT 
 
   Two rules with IPSec actions:
        Rule: Man.inBoundTunnel State: ENABLE  Prio: 5 Action: PERMIT 
        Rule: ike.inBoundTunnel State: ENABLE  Prio: 30 Action: PERMIT 
 
   Two rules with IPSec actions:
        Rule: Man             State: ENABLE  Prio: 5 Action: PERMIT 
        Rule: ike.traffic     State: ENABLE  Prio: 30 Action: PERMIT 
 
   Mismatching IPSec and DiffServ actions at Priority 5 between:
        Rule: Man             State: ENABLE  Prio: 5 IPSec Action: PERMIT 
        Rule: dsDown          State: ENABLE  Prio: 5 DiffServ Action: BLOCK 
 
  Mismatching IPSec and DiffServ actions at Priority 5 between:
        Rule: dsDown          State: ENABLE  Prio: 5 DiffServ Action: BLOCK 
        Rule: ike.traffic     State: ENABLE  Prio: 30 IPSec Action: PERMIT 
 
  Mismatching IPSec and DiffServ actions at Priority 5 between:
        Rule: dsDown          State: ENABLE  Prio: 5 DiffServ Action: BLOCK 
        Rule: Man             State: ENABLE  Prio: 5 IPSec Action: PERMIT 
 
 

Disable

Use the disable command to disable a policy that is currently loaded in the policy database. Any data packet that matches the criteria of a policy you disable will have default decisions applied to it.

Syntax:  disable 

policy-name

Enable

Use the enable command to enable a policy that is currently loaded in the policy database. Any data packet that matches the criteria of a policy you enable will have the decisions configured for the policy applied to it.

Syntax:  enable 

policy-name

Reset

Use the reset command to refresh or reset policy-related criteria.

Syntax:  reset 

ldap-config

policy-database

refresh-time

ldap-config

Dynamically loads the LDAP configuration (as specified in the set ldap command) into memory. Any changes become active for the next search operation. This command also forces a reset of the policy database and inactivates the policy database refresh time.

policy-database

Refreshes the policy database. Stops all tunnels, Phase 1 and Phase 2 SAs, resets RSVP and DiffServ data structures, and flushes the policy database. Then policies are loaded from the LDAP server and an autostart is done. While the database is being rebuilt, no packets will be allowed in to or out of the router except for packets to and from the LDAP server.

refresh-time

Sets the time at which the policy database will be refreshed automatically on a daily basis. If you have disabled the refresh time, then the database will not be refreshed until the router is rebooted or restarted.

Search

Use the search command to test or debug activity between the LDAP client and server. You can perform searches against the directory and have the results of the searches displayed in talk 5.

Syntax:  search 

filter

ipaddress

filter

Specifies a filter value for the search operation.

ipaddress

Specifies the IP address of the server.

Status

Use the status command to display information about the policy database.

Syntax:  status 

status

Displays the results of the most recent policy database refresh, the time that has elapsed since the refresh, and the time that the next refresh is scheduled.

Policy>status
Status of Last Search:       Failed
Time since last refresh:     4 seconds
Next Policy Refresh not scheduled
 
 

List

Use the list command to display information about LDAP configurations and policies.

Syntax:  list 

default-policy

ldap

policy

refresh

rule

stats

default-policy

Lists the default policy used during policy database refreshes.

ldap

Lists the LDAP configurations in SRAM.

policy

basic

Lists policy components by logical policy name. You may select one policy or list all policies. The listing displays the names of the components of policies as they were entered in during configuration in Talk 6.

complete

Does the same as list policy basic, except that the listing displays a complete listing of all parameter values for each logical policy.

generated

Does the same as list policy basic, except that the listing displays the names of all the generated rules for each logical policy.

refresh

Lists the policy refresh status (Enable or Disable) and the refresh interval time.

rule

Lists information about generated rules according to the following options:

basic

Lists all the generated rules. You can select a rule from the list or list all rules. The listing displays the names of the components of the rules. The components are:

policy name

loaded from (LDAP or local)

state

priority

number of hits

profile

validity (followed by an action list consisting of the following)

IPSec (and, or)

ISAKMP (and, or)

DiffServ (and, or)

RSVP

complete

Does the same as rule basic, except that the listing displays the names of all the parameters for each component.

stats

Lists the rules that have been hit and the number of hits. A rule can have multiple actions and not all actions are hit, so this options also indicates which action of the rule was hit, and the number of times.

Test

Use the test command to verify the behavior of the policy database. It allows you to enter a selector set, which queries the policy engine and retrieves the rules that match. You are prompted for the source and destination addresses, source and destination ports, the protocol ID, and the TOS value. If a rule is matched, then the command returns the name of the rule. Otherwise it indicates No match found.

Syntax:  test 

forwarder

ISAKMP

IPSec

RSVP

forwarder

Simulates a database query from the IP forwarding engine and returns any policy decisions that would result from such a query. The type of policy returned could include DiffServ information, IKE Phase 1 and Phase 1 information, and IPSec manual tunnel IDs.

ISAKMP

Simulates a database query from IKE for Phase 1 policy information and returns any policy decisions that would result from such a query. If you use this option, you must set the source and destination addresses to the tunnel endpoint IP addresses, the protocol to 17, and the source and destination ports to 500.

IPSec

Simulates a database query from IKE for Phase 2 policy information and returns any policy decisions that would result from such a query. If you use this option, you must set the source and destination addresses to the tunnel endpoint IP addresses, the protocol to 17, and the source and destination ports to 500.

RSVP

Simulates a database query from RSVP and returns any RSVP policy decisions that would result from such a query.