SROS Command Line Interface Reference Guide
Global Configuration Mode Command Set
5991-2114
© Copyright 2007 Hewlett-Packard Development Company, L.P.
426
ip policy-class <policyname>

Use the ip policy-class command to create an access control policy and enter the access control policy command set. Use the no form of this command to delete an access policy and all the entries contained in it. Variations of this command include:

ip policy-class <policyname> <action>

Syntax Description

<policyname>
Identifies the configured access policy by alphanumeric descriptor (maximum of 255 characters). All access policy descriptors are case-sensitive.

<action>
Specifies the action for the ACP as allow, discard, or nat.

allow list
All packets permitted by the access control list (ACL) will be allowed to enter the interface to which the policy class is assigned and an association will be created in the firewall. All associations created by the allow list are subject to the built-in ip policy-timeout <protocol> <range> <port> on page 433). All packets denied by the ACL will be processed by the next policy class entry or implicitly discarded if no further policy class entries exist.

Possible allow list actions performed by the access policy are as follows:

allow list <access control list name>
allow list <access control list name> stateless
allow list <access control list name> policy <access policy name>
allow list <access control list name> policy <access policy name> stateless
allow list <access control list name> self
allow list <access control list name> self stateless

policy <access policy name>
When the policy <access policy name> is specified, the firewall attempts to match the specified access policy with the access policy that is applied to the packet's egress interface as determined by the routing table or policy-based routing configuration. If there is a match, the firewall will process the packet. If there is no match, the firewall will process the packet based on the next policy class entry or implicitly discard it if no further policy class entries exist.

Note
Configured access policies will only be active if the ip firewall command has been entered at the Global Configuration mode prompt to enable the SROS security features. All configuration parameters are valid, but no security data processing will be attempted unless the security features are enabled.

Caution
Before applying an access control policy to an interface, verify your Telnet connection will not be affected by the policy. If a policy is applied to the interface you are connecting through and it does not allow Telnet traffic, your connection will be lost.
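
The evaluation order described under allow list and policy <access policy name>, together with the Telnet check from the Caution, can be modeled in a few lines. This is an added example, not code from the guide or from SROS: the ACLs are stood in for by Python predicates, the policy names (Public) and ACL contents are constructed, Telnet is taken as TCP port 23, and the self and stateless keywords are not modeled.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int
    egress_policy: Optional[str] = None  # access policy applied to the egress interface

@dataclass(frozen=True)
class AllowEntry:
    acl_permits: Callable[[Packet], bool]  # stands in for the named ACL
    policy: Optional[str] = None           # optional "policy <access policy name>" qualifier

def evaluate(entries: List[AllowEntry], pkt: Packet, firewall_enabled: bool = True) -> str:
    """Walk the policy class entries in order and return the outcome for pkt."""
    if not firewall_enabled:
        return "inactive"   # "ip firewall" not entered: policies are not processed
    for entry in entries:
        if not entry.acl_permits(pkt):
            continue        # denied by this ACL: fall through to the next entry
        if entry.policy is not None and entry.policy != pkt.egress_policy:
            continue        # egress policy differs (descriptors are case-sensitive)
        return "allow"      # permitted: an association would be created
    return "discard"        # no further entries: implicit discard

def telnet_survives(entries: List[AllowEntry], egress_policy: Optional[str] = None) -> bool:
    """Pre-apply check: would a Telnet packet (TCP/23) be allowed by these entries?"""
    return evaluate(entries, Packet("tcp", 23, egress_policy)) == "allow"

# Constructed sample ACLs and policy class (hypothetical names and contents).
def web_acl(p: Packet) -> bool:
    return p.proto == "tcp" and p.dst_port in (80, 443)

def mgmt_acl(p: Packet) -> bool:
    return p.proto == "tcp" and p.dst_port == 23

SAMPLE = [AllowEntry(web_acl, policy="Public"), AllowEntry(mgmt_acl)]

if __name__ == "__main__":
    for pkt in (Packet("tcp", 80, "Public"), Packet("tcp", 80, "public"),
                Packet("tcp", 23), Packet("udp", 53)):
        print(pkt, "->", evaluate(SAMPLE, pkt))
    print("Telnet survives web-only policy:", telnet_survives(SAMPLE[:1], "Public"))
```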