General (Role)


The role General tab lets you assign default actions for a role. These actions are applied to traffic that is not specifically identified by the set of access services contained in the role. You can also use this tab to enable TCI Overwrite functionality for the role, and to enter or edit the description of the role.

The Services section displays a list of the services and service groups associated with the selected role, and provides buttons for adding and removing services, creating a new service, viewing and editing a service or service group, and showing conflicting rules. 

To access this tab, select a role in the left panel's Roles tab, then select the General tab in the right panel. Any additions or changes you make to this tab must be enforced in order to take effect.

Name
Name of the selected role.
Description
Use the Edit button to open a window where you can enter or modify a description of the role.
TCI Overwrite
Enable or disable TCI Overwrite functionality for the role. When TCI Overwrite is enabled, the VLAN (access control) and class of service characteristics defined in this role or any of its rules overwrite the VLAN or class of service (CoS) tag in a received packet that has already been tagged with VLAN or CoS information. If TCI Overwrite is not enabled, tagged packets egress using the TCI data they already contain. You can also enable TCI Overwrite on a per-rule basis in the Rule Tab.

Default Actions

Default actions for a role are applied to traffic not identified specifically by the set of access services contained in the role.

Access Control
Use the drop-down list to choose a default access control (VLAN) for the role. You can select:
  • None - No default access control specified.
  • Permit Traffic - Enables traffic to be forwarded with the port's assigned VID.
  • Deny Traffic - Traffic will be automatically discarded.
  • Contain To VLAN - This option contains traffic to the VLAN specified. Use the drop-down list to the right to select the desired VLAN. You can also define the Service ID to extend the VLAN address space. The Service ID is ExtremeCloud IQ Site Engine's implementation of the I-SID (also called Network Service Identifier, or NSI), which increases the number of available VLANs.
    NOTE: If Per-User-ACLs are in use for platforms running VOSS/Fabric Engine, the VLAN information is ignored and the Service ID is used. Untagged traffic egressing the port and ingress traffic are assigned the service directly, without VLAN mapping. Example of a RADIUS attribute: FA-VLAN-ISID='0:1000042'

Class of Service
Use the drop-down list to choose a default class of service (priority) for the role, create a new class of service, or select None if no class of service is desired. The drop-down list displays all of the classes of service for the current domain and also enables you to edit a class of service using the Edit button.
System Log
When this option is enabled, a syslog message is generated as long as no matching rules specify that sending a syslog message is prohibited (that is, the rule's system log action is set to "Prohibited" on the Rule Tab). When the option is disabled, the system log setting is ignored.
Audit Trap
When this option is enabled, an audit trap is generated as long as no matching rules specify that sending an audit trap is prohibited (that is, the rule's audit trap action is set to "Prohibited" on the Rule Tab). When the option is disabled, the audit trap setting is ignored.
Disable Port
When this option is enabled, the port is disabled as long as no matching rules specify that disabling the port is prohibited (that is, the rule's disable port action is set to "Prohibited" on the Rule Tab). Ports that have been disabled due to this option are displayed in the device Role/Rule tab. When the option is disabled, the disable port setting is ignored.
Traffic Mirror
Use the drop-down list to specify port groups where mirrored traffic is sent for monitoring and analysis. Select View/Modify Port Groups to open the Port Groups tab where you can define user-defined port groups for selection.
To the right of the drop-down list is an option to mirror only the first (N) packets of a flow. This option is intended for use when mirroring traffic to an ExtremeAnalytics engine. The ExtremeAnalytics engine only needs the initial packets of a flow to properly identify the traffic, so setting this option reduces network traffic overhead for the switch and engine. By default this number is set to 10, but it can be changed by selecting the Edit button. Note that the value you set is used by all mirror actions in use in the current domain.

Services

Name
Lists the names of the services and service groups (local and global) associated with the selected role.
Also Used By Roles
Lists the other roles using this service. If the service is a global service, the domain name is also displayed if the role is in a different domain.
Add/Remove Services Button
Opens the role Add/Remove Services window, where you can add and remove services and service groups to and from any of the existing roles.
Show Details Button
Select a service or service group in the table and select this button to open the left-panel Services tab. The appropriate service or service group will be selected and you can access its right-panel tabs.
Show Conflicting Rules Button
If the rules in a Global service conflict with the rules in a Local service, the Name column will display a message indicating that the global rules will be overridden by the local rules. Select the Show Conflicting Rules button to open a window that displays the rule conflicts and shows specifically which rules will be used and which will be overridden. For more information, see Conflict Checking.
