Switch Configuration Using CLI Commands
The CLI commands enable you to perform more complete switch configuration
management tasks.
For CLI command set information and how to configure the module, refer to the Enterasys
Matrix DFE-Gold Series Configuration Guide.
Secure Networks Policy Support
Policy Enabled Networking manages the allocation of networking infrastructure
resources in a secure and effective manner. Using Secure Networks Policy, an IT
Administrator can predictably assign appropriate resources to the Users, Applications,
and Services that use the network, while blocking or containing access for inappropriate
or potentially dangerous network traffic. Using this technology it is possible, for the first
time, to align IT services with the needs of specific users and applications, and to leverage
the network as a key component of the organization's security strategy.
The Secure Networks Policy Architecture consists of 3 components: Classification Rules,
Network Services, and Behavioral Profiles. These are defined as follows:
• Classification Rules determine how specific traffic flows (identified by Layer 2, Layer
3, and Layer 4 information in the data packet) are treated by each Switch or Router. In
general, Classification Rules are applied to the networking infrastructure at the
network edge/ingress point.
• Network Services are logical groups of Classification Rules that identify specific
networked applications or services. Users may be permitted or denied access to these
services based on their role within the organization. Priority and bandwidth rate
limiting may also be controlled using Network Services.
• Behavioral Profiles (or roles) are used to assign Network Services to groups of users
who share common needs – for example Executive Managers, Human Resources
Personnel, or Guest Users. Access, resources, and security restrictions are applied as
appropriate to each Behavioral Profile. A variety of authentication methods including
802.1X, EAP-TLS, EAP-TTLS, and PEAP may be used to classify and authorize each
individual user; and the IT Administrator may also define a Behavioral Profile to
apply in the absence of an authentication framework.
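The three-tier relationship described above can be modelled in a few lines. The following Python sketch is an added example, not Enterasys code or CLI syntax; the class names, first-match ordering, default-deny behaviour, and all sample services, users and packets are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """Classification Rule: match on L2/L3/L4 fields; None is a wildcard."""
    ethertype: Optional[int] = None   # Layer 2
    ip_proto: Optional[int] = None    # Layer 3 (6 = TCP, 17 = UDP)
    dst_port: Optional[int] = None    # Layer 4

    def matches(self, pkt: dict) -> bool:
        return all(want is None or pkt.get(name) == want
                   for name, want in vars(self).items())

@dataclass
class Service:
    """Network Service: a named group of Classification Rules."""
    name: str
    rules: list

@dataclass
class Role:
    """Behavioral Profile: ordered (Service, action) pairs plus a default."""
    name: str
    services: list
    default: str = "deny"   # assumption: unmatched traffic is contained

    def decide(self, pkt: dict):
        for svc, action in self.services:   # assumption: first match wins
            if any(r.matches(pkt) for r in svc.rules):
                return action, svc.name
        return self.default, None

def role_for(user, auth_roles, fallback):
    """Authenticated users get their mapped role; anyone else the fallback."""
    return auth_roles.get(user, fallback)

# Constructed sample policy and packets (not taken from the guide).
WEB = Service("web", [Rule(0x0800, 6, 80), Rule(0x0800, 6, 443)])
DNS = Service("dns", [Rule(0x0800, 17, 53)])
SSH = Service("ssh", [Rule(0x0800, 6, 22)])
IT_ADMIN = Role("it-admin", [(WEB, "permit"), (DNS, "permit"), (SSH, "permit")])
GUEST = Role("guest", [(SSH, "deny"), (WEB, "permit"), (DNS, "permit")])
AUTH_ROLES = {"alice": IT_ADMIN}   # e.g. the result of an 802.1X login
SSH_PKT = {"ethertype": 0x0800, "ip_proto": 6, "dst_port": 22}
WEB_PKT = {"ethertype": 0x0800, "ip_proto": 6, "dst_port": 443}

if __name__ == "__main__":
    for user in ("alice", "unknown-device"):
        role = role_for(user, AUTH_ROLES, GUEST)
        print(user, role.name, role.decide(SSH_PKT), role.decide(WEB_PKT))
```

The fallback role plays the part of the Behavioral Profile applied when no authentication framework identifies the user, so an unknown device is still classified at the ingress point rather than left unrestricted.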
Standards Compatibility
The DFE modules are fully compliant with the IEEE 802.3-2002, 802.3ae-2002, 802.1D-1998,
802.3af-2003, and 802.1Q-1998 standards. The DFE modules provide IEEE
802.1D-1998 Spanning Tree Algorithm (STA) support to enhance the overall reliability of
the network and protect against "loop" conditions.