A role is a policy profile consisting of a set of network access services that
you can apply at various access points in a
policy-enabled network. A port takes on a user's role when the user
authenticates.
There are two ways to create a role:
- Using the Role Wizard: The Role Wizard is a series of windows that
leads you through all the steps for creating a role, including the optional
selection and enabling of default access control (default VLAN) and/or class of service for the role, as well
as specifying
the existing services and service groups that will apply to the role. You can
also create new services in the Role Wizard, which encompasses the
Service Wizard. If you want to associate a role with only a default access control
and/or class of service, without any services, it may be more convenient to create
the role name with the Create Role menu option and use the role's General tab to
set the defaults.
- Using the Role Tabs: Creating a role using the role tabs consists of creating a name for
the role with the Create Role menu option, then
defining its characteristics (default class of service, default access
control, and/or services)
using the role's right-panel tabs. It accomplishes the
same things as the Role Wizard, but enables you to do only those parts of the
procedure you want to do, when you want to do them. You might also use
this method if you are creating a role
for which there is default class of service and/or access control, but no services.
If you want to change the characteristics of a role, you can select the
role in the left panel and use the
right-panel tabs to modify it.
Using the Role Wizard
The Role Wizard is a series of windows that
leads you through all the steps for creating a role, including the optional
selection and enabling of default access control and/or class of service for the role, as well
as specifying
the existing services and service groups that will apply to the role.
- In the Policy Manager left panel, click the Roles tab.
- Right-click on the Roles folder and select Role Wizard.
- In the Name window, enter the name of the role. The name can be
up to 64 characters in length, and special characters are allowed, with
the exception of colons (:) and semicolons (;). Duplicate names are not allowed, regardless of case. For example,
if you already have a role "Faculty" and you attempt to name
the new role "Faculty" or "faculty," Policy Manager
will create the role, but with the name "New Role," or
"New Role(n)" (where "n" is the sequence number, if there is
more than one "New Role"). You can then rename the new role. After entering the name, click Next.
- In the Role Priority window, you
can assign a default class of service to the role, if desired.
Select the Enable Default Class of Service checkbox, then select the
desired class of service in the list. If the priority for
the class of service includes a priority-based rate limit, this will be noted in the class of
service name
(see How to Create a Class of Service for more
information). Click Next.
NOTE: If you select a CoS that is associated with a ToS/DSCP value, the ToS/DSCP
value will be ignored. This is because ToS/DSCP rewrite works only for certain
IP ToS classification rules, not as a role default. See ToS/DSCP Rewrite for
more information.
NOTE: Once a rate limit is applied to a port, that port's bandwidth will be rate
limited, even if the default or authenticated role that applied the rate limit
is no longer associated with the port.
- In the Role VLAN window, you can assign default
access control to
the role, if desired. Select the Enable Access
Control checkbox, then choose one of the following options. Click
Next.
  - Permit (Using Existing Port VLAN) - This option allows traffic to be
    forwarded with the port's assigned VID.
  - Deny - If this option is selected, traffic will automatically be sent to a
    discard VLAN. Select a VLAN from the list. If no discard VLAN exists, or if
    you want to create a new discard VLAN to add to the list, click New.
  - Contain - This option contains traffic to a specific VLAN. Select the
    appropriate VLAN from the list. If you want to create a new VLAN to add to
    the list, click New.
- In the Role Services window, select the services you want to apply
to this role. If you want to
create a new service to add to the list before selecting, click New.
Click Next.
NOTE: Policy Manager checks for rule conflicts when more than one service is
added. See Conflict Checking for more information.
- In the VLAN Egress window, you can add a VLAN
to the Role's Egress list. Click Add to open the
Selection View (Egress VLANs) window,
where you can select a VLAN and specify the egress forwarding state: Tagged
(frames will be forwarded as tagged), Untagged (frames will be forwarded as
untagged), or Forbid Forwarding (frames will not be forwarded; they will be
discarded). Ports that the selected role is active on will forward traffic
belonging to the listed VLANs according to the specified forwarding state. Both
the role's egress list and the VLAN egress list are checked for egress
information. If the lists have duplications, the Forbid Forwarding state takes
precedence. Click Next.
- In the Tagged Packet VLAN to Role Mapping window, you can
configure a list of VLANs to map to the role.
Packets arriving on a port tagged with the specified VLAN will be
assigned this role. Tagged Packet VLAN to Role Mapping provides a way to
let policy-enabled devices assign a role to network traffic, based on a VLAN
ID. (For
more information, see VLAN to Role
Mapping in the Concepts Help topic.) Click Add to open the
Selection View (VLANs) where you can select VLANs to add. Click
Next.
NOTE: Tagged Packet VLAN to Role Mapping requires that the TCI Overwrite attribute
be enabled. TCI Overwrite allows the VLAN or class of service tag in a received
packet to be overwritten by the VLAN (access control) and class of service
characteristics defined in the mapped role. You can enable TCI Overwrite on a
per-port basis in the port's General tab, or for an individual role in the role's
General tab.
- In the
MAC to Role Mapping window, you can configure a list of MAC
addresses to map to the role. Mapping a MAC address to a role provides a
way to assign a role to an end station based on its source MAC address.
This allows you to create a specific role for a group of end stations
(such as IP phones), and assign it to them based on their MAC address
and a MAC mask. When the end stations connect to the network, the device
identifies the source MAC address and applies the mapped role. Click
Add to open the Select MAC Address window, where you can select a MAC
address and a MAC mask to add to the table. Click Next.
NOTE: A role assigned through MAC to Role mapping takes precedence over an
authenticated role or a default role.
- In the
IP to Role Mapping window, you can configure a list of IP
addresses to map to the role. Mapping an IP address to a role provides a way to assign a
role to an end station based on its IP address. For example, in networks that
haven't deployed authentication, this would allow you to map an individual IP
address such as an administrator's laptop, to a specific role. When the end
station connects to the network, the policy-enabled device identifies the IP address and applies the mapped role. Click
Add to open the Select IP Address window, where you can select an IP
address and an IP mask to add to the table.
NOTE: A role assigned through IP to Role mapping takes precedence over an
authenticated role or a default role.
- Click Finish. Now that you have created the role, you can:
  - Enforce to write the new information to the devices.
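The following added example models two of the rules the wizard steps describe: the precedence of MAC to Role and IP to Role mappings over the authenticated and default roles (with the MAC mask and IP mask matching those windows ask for), and the merging of a role's egress list with the VLAN egress list where Forbid Forwarding takes precedence. It is not Policy Manager code; the roles, mapping tables, addresses, and the choice to check the MAC table before the IP table are constructed assumptions.

```python
"""Model of the role-assignment and VLAN-egress rules described in the Role
Wizard steps. This is an added example, not Policy Manager code: the roles,
mapping tables, MAC/IP values and the order in which the MAC table is checked
before the IP table are constructed assumptions."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class Role:
    name: str
    # Role egress list: VLAN id -> "tagged", "untagged" or "forbid"
    egress: dict = field(default_factory=dict)


@dataclass
class MacMapping:
    role: Role
    address: int  # 48-bit MAC address
    mask: int     # 48-bit MAC mask; only the set bits are compared

    def matches(self, mac: int) -> bool:
        return (mac & self.mask) == (self.address & self.mask)


@dataclass
class IpMapping:
    role: Role
    network: IPv4Network  # IP address plus IP mask

    def matches(self, ip: IPv4Address) -> bool:
        return ip in self.network


def parse_mac(text: str) -> int:
    return int(text.replace(":", "").replace("-", ""), 16)


def resolve_role(src_mac: int, src_ip: Optional[IPv4Address], mac_maps, ip_maps,
                 authenticated: Optional[Role], default: Role):
    """Return (role, reason) for a frame seen on a port. A MAC- or IP-mapped
    role takes precedence over the authenticated role, which in turn takes
    precedence over the port's default role. Because a mapping overrides
    authentication and the source MAC or IP is chosen by the end station, a
    mapped role should carry only the access that group of stations needs."""
    for m in mac_maps:
        if m.matches(src_mac):
            return m.role, "mac-to-role mapping"
    for m in ip_maps:
        if src_ip is not None and m.matches(src_ip):
            return m.role, "ip-to-role mapping"
    if authenticated is not None:
        return authenticated, "authenticated role"
    return default, "default role"


def egress_state(role: Role, vlan_egress: dict, vid: int) -> str:
    """Combine the role's egress list with the VLAN egress list for one VLAN.
    Forbid Forwarding takes precedence when both lists name the VLAN; a
    tagged/untagged disagreement is resolved in favour of the role's entry
    (an assumption, the page does not define that case)."""
    from_role = role.egress.get(vid)
    from_vlan = vlan_egress.get(vid)
    if from_role is None and from_vlan is None:
        return "not-a-member"
    if "forbid" in (from_role, from_vlan):
        return "forbid"
    return from_role if from_role is not None else from_vlan


# Constructed sample data
PHONES = Role("IP Phones", egress={100: "tagged"})
ADMIN = Role("Administrator", egress={10: "untagged", 200: "forbid"})
STUDENT = Role("Student", egress={20: "untagged"})
GUEST = Role("Guest")
# Phones: any MAC in the (fictional) vendor prefix 00:11:22, masked to the top 24 bits
MAC_MAPS = [MacMapping(PHONES, parse_mac("00:11:22:00:00:00"), parse_mac("ff:ff:ff:00:00:00"))]
# Administrator's laptop by its single IP address (/32 mask)
IP_MAPS = [IpMapping(ADMIN, IPv4Network("10.0.0.5/32"))]
VLAN_EGRESS = {10: "untagged", 200: "tagged", 300: "tagged"}


def demo():
    """Resolve four constructed frames; returns [(role name, reason), ...]."""
    frames = [
        ("00:11:22:aa:bb:cc", "10.0.5.9", STUDENT),   # phone prefix beats the authenticated role
        ("00:aa:bb:cc:dd:ee", "10.0.0.5", STUDENT),   # admin IP beats the authenticated role
        ("00:aa:bb:cc:dd:ee", "10.0.5.10", STUDENT),  # nothing mapped: authenticated role
        ("00:aa:bb:cc:dd:ee", "10.0.5.11", None),     # not authenticated: port default role
    ]
    results = []
    for mac, ip, auth in frames:
        role, why = resolve_role(parse_mac(mac), IPv4Address(ip), MAC_MAPS, IP_MAPS, auth, GUEST)
        results.append((role.name, why))
    return results


if __name__ == "__main__":
    for name, why in demo():
        print(f"{name:14s} via {why}")
    for vid in (10, 200, 300, 999):
        print(f"VLAN {vid}: {egress_state(ADMIN, VLAN_EGRESS, vid)}")
```

Running the block prints which rule selected each frame's role and how the Administrator role's egress list combines with the VLAN egress list; the third and fourth frames show that a station outside every mapping falls back to the authenticated role and then to the port default.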
Using the Role Tabs
Creating a role using the role tabs consists of creating a name for
the role, then using the right-panel role tabs to specify the characteristics
of the role (default class of service, default access control, and/or services).
- In the Policy Manager left panel, select the Roles tab.
- Right-click the Roles folder, and select Create Role.
- Type the role name in the highlighted box. The name can be up to
64 characters in length, and special characters are allowed, with the
exception of colons (:) and semicolons (;). Duplicate names are not allowed, regardless of case. For example,
if you already have a role "Faculty" and you attempt to name
the new role "Faculty" or "faculty," Policy Manager
will create the role, but with the name "New Role," or
"New Role(n)" (where "n" is the sequence number, if there is
more than one "New Role"). You can then rename the new role.
Press Enter after you've entered the name. (If
you don't press Enter, the name will remain "New Role.")
- To add a role description, assign a default class of service or access control
(VLAN) to the role, or enable TCI Overwrite, select the role and use the
General tab in the right panel.
- If you want to add services to the role, select the right panel
Services tab and click Add/Remove Services. This opens the
role Add/Remove Services
window.
NOTE: Policy Manager checks for rule conflicts when more than one service is
added. See Conflict Checking for more information.
- To add a VLAN to the Role's Egress list, select the role and use the
VLAN Egress tab in the right panel.
- To configure MAC, IP, and VLAN to role mapping lists for the role,
select the role and use the Mappings tab in the right panel.
- Now that you have created the role, you can:
  - Enforce to write the new information to the devices.
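Both the Role Wizard and the role tabs steps above state the same naming rules (64 characters at most, no colons or semicolons, and a case-insensitive duplicate silently becoming "New Role" or "New Role(n)"). The following added example encodes those rules so a name can be checked before it is typed, and flags roles that ended up with the fallback name. It is not Policy Manager code; the sequence number at which "New Role(n)" starts is an assumption.

```python
"""Model of the role-naming rules this page describes: at most 64 characters,
no ':' or ';', duplicates rejected case-insensitively, and a rejected duplicate
silently becoming "New Role" / "New Role(n)". Added example, not Policy Manager
code; the starting value of n is an assumption."""

FORBIDDEN = {":", ";"}
MAX_LEN = 64


def validate_name(name: str) -> list:
    """Return the list of rule violations (empty when the name is acceptable)."""
    problems = []
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    bad = sorted(c for c in FORBIDDEN if c in name)
    if bad:
        problems.append("contains " + " ".join(repr(c) for c in bad))
    return problems


def assign_name(requested: str, existing: list) -> str:
    """Name a new role the way the page says Policy Manager does on a duplicate:
    keep the requested name if it is unique ignoring case; otherwise fall back
    to "New Role", or "New Role(n)" with the next free sequence number."""
    taken = {n.casefold() for n in existing}
    if requested.casefold() not in taken:
        return requested
    if "new role" not in taken:
        return "New Role"
    n = 2  # assumption: the second fallback role is "New Role(2)"
    while f"new role({n})" in taken:
        n += 1
    return f"New Role({n})"


def find_fallback_names(names) -> list:
    """Roles still carrying the fallback name: a duplicate was requested and the
    role was never renamed, which is worth fixing before enforcing to devices."""
    return [n for n in names if n.casefold().startswith("new role")]


if __name__ == "__main__":
    roles = ["Faculty", "Student"]
    for wanted in ("faculty", "Faculty", "Staff", "Admin:Lab"):
        print(wanted, "->", validate_name(wanted) or assign_name(wanted, roles))
        roles.append(assign_name(wanted, roles))
    print("fallback names:", find_fallback_names(roles))
```

Because the wizard creates the role under the fallback name rather than refusing it, the check that matters operationally is find_fallback_names: any "New Role" left in the Roles folder is a role whose intended name, and therefore possibly its intended services, never got applied.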
Once you've created a role, you can change its characteristics
by selecting the role in the Policy Manager's left panel and using the associated tabs in the right panel.
Adding Services to a Role
There are two ways to add services to roles:
- Access the role's Services tab:
  - If you are in the left panel Services tab, expand the Services folder and
    click the service whose role(s) you want to modify. Then, in the right
    panel, select the Roles tab. Here you can view all the roles associated
    with this service. Select a role, then click View/Edit Role. This opens
    the left panel Roles tab with the role selected. You can then access the
    Services tab in the right panel.
  - If you are elsewhere in Policy Manager, select the left panel Roles tab
    and expand the Roles folder. Select the role to which you want to add
    services, then select the Services tab in the right panel.
- Click Add/Remove Services. This opens the Add/Remove Services
window.
- Make sure the role to which you wish to add services is displayed in the
Role selection box.
- In the Groups and Services panel, select the
services and/or service groups you wish to add to the role, and click Add.
To remove services, select them in the Selected Services panel and click Remove.
NOTE: Policy Manager checks for rule conflicts when more than one service is
added. See Conflict Checking for more information.
- If you wish, you can select another role, and add or remove services
from it.
- Click OK.
- Enforce to write the new information to the devices.
Removing Services from a Role
- In the Policy Manager left panel, select the Roles tab and expand the Roles
folder.
- Select the role from which you
want to remove services, then select the Services tab in the right
panel.
- Click Add/Remove Services. This opens the Add/Remove Services
window.
- Make sure the role from which you wish to remove services is displayed
in the Role selection box.
- In the Selected Services panel, select the
services and/or service groups you wish to remove from the role, and click
Remove. To add services, select them in the Groups and Services
panel and click Add.
- If you wish, you can select another role, and remove services from or
add services to it.
- Click OK.
- Enforce to write the new information to the devices.
Modifying a Role's Default Class of Service
Use the role's General tab to change its default class of service settings.
Be sure to enforce to write the new information to the devices.
Modifying a Role's Default Access Control
Use the role's General tab to change its default access control. Be sure to
enforce to write the new information to the devices.
Modifying a Role's Description
You can edit the description for the role on the role's General tab. Click Save
to save the change to the database.
Modifying a Role's Ports
You can view the ports for which a role is the default role on the role's Ports
tab. You can then select a port and use the View/Add Port button to get to the
port's right-panel tabs, where you can change the default role for a port or
make changes to the port settings themselves.
- In the Policy Manager left panel, click the Roles tab.
- Expand the Roles folder if necessary, and select the role whose
ports you want to view.
- In the right panel, select the Ports tab.
- Click Retrieve to update the table with the most current
information.
- Select a port to which you want to make changes.
- Click View/Add Port. This takes you to the port's General tab, where you can
change the port's default role or make changes to the port settings themselves.
- Enforce to write the new information to the devices.
Deleting a Role
- In the left panel, click the Roles tab.
- Expand the Roles folder.
- Right-click the role you want to delete, and select Delete.
- Click Yes to confirm. After a few seconds, a message appears
reminding you of other tasks to perform if you are deleting a role.
- Read the reminder, then click OK.
- Click OK to clear the confirmation message.
- Click Enforce on the toolbar, review the effects of enforcing in
the Enforce Preview window (if it is
enabled), then click Enforce
on that window.
- Make sure you do the following, if they apply: