Missing Policy rule precedence for classification type "IP socket"

Userlevel 2
Dear all.

I need to reorder the default policy rule precedence in our setup.
Our goal is that rules matching "ip destination socket" are handled before "ip destination" rules, and those before "tcp port destination" rules.

udpdestportIP 53: mask 48 forward
ipdestsocket mask 24 drop

Checking the default rule precedence, there is no parameter for "ip destination socket".

SSA Chassis(su)->show policy profile 5
Rule Precedence :1-2,29,3-19,23,20-22,25-28,31
:MACSource (1), MACDest (2), Application (29),
:IPXSource (3), IPXDest (4), IPXSrcSocket (5),
:IPXDstSocket (6), IPXClass (7), IPXType (8),
:IPv6Source (9), IPv6Dest (10), IPv6Flow (11),
:IPSource (12), IPDest (13), IPFrag (14),
:UDPSrcPort (15), UDPDestPort (16), TCPSrcPort (17),
:TCPDestPort (18), ICMPType (19), ICMP6Type (23),
:TTL (20), IPTOS (21), IPProto (22), Ether (25),
:LLCDSAPSSAP (26), VLANTag (27), TCI (28), Port (31)
Admin Profile Usage :ge.1.20
Oper Profile Usage :ge.1.20
Dynamic Profile Usage :none

Does anyone have an idea how to handle this?


Thanks and best regards


Userlevel 4
Hi aloeffle,

Changing the policy precedence is generally discouraged. Could you explain your use case a bit more? Perhaps we can find a more elegant way to accomplish what you're looking to do.


Userlevel 2
Hi Alex,

IPDest (13) is what you are looking for...

S- K- and 7100-Series Configuration Guide Firmware Version 8.61

Table 155: Administrative Policy and Policy Rule Traffic Classifications

ipdestsocket Classifies based on destination IP address. 13

But there's no difference between ip destination and ip destination with a post-fixed port.
Maybe it helps that the ip destination rule has a shorter mask. So if you change the
precedence to 16,13,18 the order will be:

    udpdestportIP (data: ab[:c.d.e.f]; mask: 1-48)
    ipdestsocket  (data: a.b.c.d[:ab]; mask: 1-48)
    tcpdestportIP (data: ab[:c.d.e.f]; mask: 1-48)

(edit: never change the rule precedence....)
Userlevel 2
Dear Tyler, Patrick.

thanks for your help.
I notice that I should find a different solution than changing the rule precedence.

My requirement is quite basic.

Client Network "332" :
Clients should have Internet Access http & https
DNS & DHCP to internal network
No other communication

Internal Network:
Here we have the DHCP & DNS Server which serves Client Network 332.
And there are several other servers with http/https web management.

A Policy which

dns forward
arp forward
dhcp forward
http forward
ip drop

=> Clients can establish unwanted connections to the Web GUI of 3rd party Server in

A Policy which

dns forward
arp forward
dhcp forward
http forward drop

=> No more DNS/DHCP

Plan B:
With the recommendation not to change the precedence, I plan to apply an ACL which deny http traffic to the internal network.
(or changing the dns/dhcp design)

Best regards

Userlevel 4

This is actually a quite common deployment. I'm not sure of the exact CLI syntax on the switch, but since you have Management Center anyway, I would always recommend configuring policy from there.

From Management Center, you would create a policy that is very similar to what you have. The main difference is that you would specify the servers that are running DHCP and DNS by either a dedicated IP address or by using an Automated service. The example I have below shows a single server that's running DHCP and DNS in the private network. That takes precedence over dropping the IP range of the private network. So in essence the priority would be:

Allow DHCP to (assumed server)
Allow DNS to
Deny IP to
Allow ARP
Allow HTTP

Let me know if that helps. I can provide more screenshots if you'd like or I can export the PMD file as well.
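To make the precedence argument concrete, here is an added toy evaluator (example code, not Extreme's implementation and not posted by anyone in the thread). It orders rules by the classification precedence numbers quoted from `show policy profile 5`, and, as an assumption mirroring the lab result reported in this thread, breaks ties within the same precedence in favour of the longer mask, so an `ipdestsocket` rule (mask 48) is tried before an `ipdest` rule (mask 24). The server address, the internal /24, the Internet address and the reading of the first policy's "ip drop" as an ethertype-level rule are all constructed assumptions for the example.

```python
"""Toy model of policy-rule precedence on an S/K-series profile (illustration only)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Precedence numbers from the `show policy profile 5` output quoted in the thread;
# ipdestsocket shares 13 with ipdest (Table 155, as quoted above).
PRECEDENCE = {"ipdestsocket": 13, "ipdest": 13, "udpdestport": 16,
              "tcpdestport": 18, "ether": 25}


@dataclass(frozen=True)
class Rule:
    kind: str     # classification type, a key of PRECEDENCE
    data: str     # "a.b.c.d", "a.b.c.d:port", "port" or "0x0806"
    mask: int     # bits of data that must match (48 = full IP plus port)
    action: str   # "forward" or "drop"


@dataclass(frozen=True)
class Packet:
    ethertype: int                     # 0x0800 IPv4, 0x0806 ARP
    dst_ip: Optional[str] = None
    proto: Optional[str] = None        # "tcp" or "udp"
    dst_port: Optional[int] = None


def _ip_matches(addr: str, data_ip: str, prefix_len: int) -> bool:
    net = ipaddress.ip_network(f"{data_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(addr) in net


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule's classification match the packet?"""
    if rule.kind == "ether":
        return pkt.ethertype == int(rule.data, 16)
    if pkt.ethertype != 0x0800 or pkt.dst_ip is None:
        return False
    if rule.kind == "ipdest":
        return _ip_matches(pkt.dst_ip, rule.data, min(rule.mask, 32))
    if rule.kind == "ipdestsocket":
        ip, port = rule.data.rsplit(":", 1)
        # Assumption: mask bits 1-32 cover the address, anything beyond 32
        # turns on the (simplified, all-or-nothing) port comparison.
        if not _ip_matches(pkt.dst_ip, ip, min(rule.mask, 32)):
            return False
        return rule.mask <= 32 or pkt.dst_port == int(port)
    if rule.kind in ("udpdestport", "tcpdestport"):
        return pkt.proto == rule.kind[:3] and pkt.dst_port == int(rule.data)
    raise ValueError(f"unknown classification {rule.kind}")


def evaluate(rules, pkt: Packet, default: str = "drop") -> str:
    """First matching rule in precedence order wins; longer mask first on ties."""
    ordered = sorted(rules, key=lambda r: (PRECEDENCE[r.kind], -r.mask))
    for rule in ordered:
        if matches(rule, pkt):
            return rule.action
    return default   # "no other communication": profile default is drop


SERVER = "10.0.0.10"      # constructed: internal DHCP/DNS server
INTERNAL = "10.0.0.0"     # constructed: internal /24 with other web GUIs

# Policy A: the first attempt from the thread. "ip drop" is modelled as an
# ethertype 0x0800 drop (assumption), which sits after tcpdestport 80.
POLICY_A = [
    Rule("udpdestport", "53", 16, "forward"),
    Rule("udpdestport", "67", 16, "forward"),
    Rule("ether", "0x0806", 16, "forward"),
    Rule("tcpdestport", "80", 16, "forward"),
    Rule("ether", "0x0800", 16, "drop"),
]

# Policy B: the Management Center design suggested above - DHCP and DNS to
# the one server by socket, then deny IP to the whole internal range.
POLICY_B = [
    Rule("ipdestsocket", f"{SERVER}:67", 48, "forward"),
    Rule("ipdestsocket", f"{SERVER}:53", 48, "forward"),
    Rule("ipdest", INTERNAL, 24, "drop"),
    Rule("ether", "0x0806", 16, "forward"),
    Rule("tcpdestport", "80", 16, "forward"),
]

SAMPLE_PACKETS = {   # constructed traffic from a client in network 332
    "dns_to_server": Packet(0x0800, SERVER, "udp", 53),
    "http_to_internal_server": Packet(0x0800, "10.0.0.20", "tcp", 80),
    "http_to_internet": Packet(0x0800, "203.0.113.5", "tcp", 80),
    "ssh_to_internet": Packet(0x0800, "203.0.113.5", "tcp", 22),
    "arp": Packet(0x0806),
}


def classify_all(policy) -> dict:
    return {name: evaluate(policy, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, policy in (("A", POLICY_A), ("B", POLICY_B)):
        print(name, classify_all(policy))
```

Running it shows why policy A lets clients reach the internal web GUIs (the `tcpdestport 80` forward at precedence 18 is hit before the drop) while policy B drops that same packet at precedence 13, yet still forwards DNS to the server because the socket rule, with its longer mask, is evaluated before the `ipdest` drop of the range.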



Userlevel 2
Hello Tyler.

Thanks for your detailed explanation. I am familiar with emc.

I did some tests in my lab and I can confirm what you said. IP Socket Destination has precedence over IP destination. It is not necessary (and obviously not possible) to change the rule precedence.

Thanks for your help!

Best regards