Role/Rule Tab (Device)
The device Role/Rule tab lets you configure invalid role action and a device-level role (Matrix C1 devices only) for the selected device. It also lets you enable and configure Rule Accounting on devices that support it, and view any ports on the device that have been disabled due to rule usage. To access this tab, select a device on the left panel's Network Elements tab and click the Role/Rule tab in the right panel.
Invalid Role Action
For devices that support this feature, this area of the tab lets you specify what happens to a user that gets an unknown or invalid role.
- Invalid Role Action
- Select the action you would like taken if an authenticated user is assigned an unknown or invalid role:
- Apply Default - Apply the port's default role to the user.
- Deny Traffic - Drop the packets for this user.
- Permit Traffic - Forward traffic with the port's assigned VID.
Device Level Role (C1 Devices Only)
On C1 devices, you can set a device-level role that configures the services and rules for all ports on the device. Due to a limitation of the C1 devices, services and rules from the role returned from authentication cannot be applied to the port. The services and rules from this device-level role will be used instead.
- Select
- Opens the Selection View (Roles) window where you can select a role to be the device-level role on the device.
Rule Accounting / Rule Hit Reporting
Rule accounting and rule hit reporting provide the ability to collect data on how policy rules are being used on your network. Use this section to enable rule accounting and configure rule accounting and reporting parameters for this device. Once you have configured the accounting and reporting functionality, you can view the rule usage data that is collected using the Rule Usage tabs or the Policy Rule Hit Reports. On devices that do not support rule accounting, this section will be grayed out. For more information on configuring rule accounting and reporting, and viewing rule usage data, see Rule Accounting and Rule Hit Reporting.
- Use Expanded Format for Rule Hit System Log Messages
- When enabled, the device will provide additional information in Policy Rule Hit syslog messages. For example, the additional information may include what actions may have been initiated by the rule (if any).
NOTE: Rule accounting is used to show if a given rule has been used to classify traffic on a device, and on which port the rule hit occurred. When a rule is used on a port, an entry is made in the rule hit table. Subsequent rule hits do not alter this entry in the rule hit table; however, you can use the "clear rule usage" options discussed below to customize the table to indicate how recently, or in what context, these rule hits have occurred. You can specify that a rule hit is cleared when the port link-status changes, when the role which defines the rule is assigned via a Role Mapping, and/or according to a set interval. Based on these options, you can determine how fresh your rule hit data is, and/or what the rule hit data is within a specific session. For example, if you specify a clear rule usage interval of 30 minutes, then you know that any rule hits displayed in the Rule Usage tab (after you click Retrieve) have been reported in the last 30 minutes. These clear rule usage options also control the frequency at which the syslog messages containing the rule hit data are sent from the device for rule hit reporting.
- Clear Rule Usage on Port Link-Status Change
- When enabled, this option clears rule usage data when the port's link status changes, for example when a user connects or disconnects. Ports must be listed in the Rule Usage Auto Clear Ports list (below) to be subject to this clear operation.
- Clear Rule Usage on Role Mapping Change
- If a role-mapping is defined and traffic comes onto the device and is mapped to the defined role, then all rules in that role will have their rule hit data cleared. This option should be enabled for Policy Rule Hit Reporting. It allows you to start a new data collection when the name of the role changes on the port, providing for a cleaner data presentation. Ports must be listed in the Rule Usage Auto Clear Ports list (below) to be subject to this clear operation.
- Enable Syslog Server
- When configuring Policy Rule Hit Reporting, select the Enable Syslog Server checkbox to set up the device to send syslog messages.
- Clear Rule Usage on Interval
- When enabled, this option clears the rule usage data at a set interval. This option should be enabled for Policy Rule Hit Reporting because it specifies the interval at which syslog messages will be sent to the server, thereby providing data samples at even intervals. Enter the desired interval (in minutes). Click Apply.
- Rule Usage Auto Clear Ports
- This list must contain all ports where you want rule accounting to take place. If you have enabled any of the clear rule usage options, this list must specify the ports on the device where the clear operations will be performed. Click Add/Remove to open the Add Ports window where you can select ports to add to the list. Click Apply to set any changes you have made.
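The following is an added illustration, not code from the product, of the rule hit table semantics described in the note and options above: a first hit creates an entry that later hits do not alter, each clear option only acts on ports in the Rule Usage Auto Clear Ports list, and the interval clear is the point at which the device reports (via syslog) and then resets its data. Port, role and rule names in the timeline are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class RuleHitTable:
    """Model of a device rule hit table and its clear rule usage options (not product code)."""
    auto_clear_ports: set                     # Rule Usage Auto Clear Ports list
    clear_on_link_change: bool = False        # Clear Rule Usage on Port Link-Status Change
    clear_on_role_mapping: bool = False       # Clear Rule Usage on Role Mapping Change
    clear_interval_min: int = 0               # Clear Rule Usage on Interval (0 = disabled)
    hits: dict = field(default_factory=dict)  # (port, role, rule) -> minute of first hit
    last_interval_clear: int = 0

    def rule_hit(self, port, role, rule, now):
        self.hits.setdefault((port, role, rule), now)  # later hits leave the entry untouched

    def link_status_change(self, port):
        # Only ports in the auto clear list are subject to the clear operation.
        if self.clear_on_link_change and port in self.auto_clear_ports:
            self._clear(lambda p, r, rl: p == port)

    def role_mapped(self, port, role):
        # Every rule of the mapped role loses its hit data on that port.
        if self.clear_on_role_mapping and port in self.auto_clear_ports:
            self._clear(lambda p, r, rl: p == port and r == role)

    def tick(self, now):
        # Once the interval elapses the device reports its hits (syslog) and clears listed ports.
        if not self.clear_interval_min or now - self.last_interval_clear < self.clear_interval_min:
            return None
        report, self.last_interval_clear = dict(self.hits), now
        self._clear(lambda p, r, rl: p in self.auto_clear_ports)
        return report

    def _clear(self, pred):
        self.hits = {k: t for k, t in self.hits.items() if not pred(*k)}


def scenario():
    # Constructed timeline (minutes); all three clear options enabled, only ge.1.1 listed.
    t = RuleHitTable({"ge.1.1"}, True, True, 30)
    t.rule_hit("ge.1.1", "Guest", "Deny Telnet", 5)
    t.rule_hit("ge.1.1", "Guest", "Deny Telnet", 10)   # repeat hit, entry stays at minute 5
    t.rule_hit("ge.1.2", "Guest", "Deny Telnet", 12)   # ge.1.2 is not in the auto clear list
    first = dict(t.hits)
    t.link_status_change("ge.1.2")                     # ignored: port not listed
    t.link_status_change("ge.1.1")                     # clears the ge.1.1 entry
    after_link = dict(t.hits)
    t.rule_hit("ge.1.1", "Guest", "Deny Telnet", 15)
    t.role_mapped("ge.1.1", "Enterprise")              # different role: nothing cleared
    report = t.tick(30)                                # interval reached: report, then clear
    return first, after_link, report, dict(t.hits)
```

Note that the ge.1.2 entry survives every clear because the port is not in the auto clear list, which is why the list must contain all ports where rule accounting should take place.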
Disabled Ports (Rule / Rate Limit Hit)
This table lists the ports that have been disabled due to rule usage or if a rate limit has been exceeded. For information on how to configure the disabling of a port, refer to the rule General tab or the rate limit General tab.
- Port
- Name of the port, constructed from the name or IP address of the device and either the port index number or the port interface name.
- Retrieve
- Retrieves a list of ports on the device that have been disabled due to a rule hit or a rate limit being exceeded.
- Clear
- Clears any selected disabled ports, and re-enables them. Keep in mind that if the port continues to receive traffic that matches the rule or exceeds the rate limit, and the rule or rate limit is still configured to disable the port, then the port will almost immediately reappear in the table.