Policy Manager Overview
EPICenter Concepts and Solutions Guide
traffic, in terms of the minimum and maximum bandwidth and traffic priority, may be different in each
switch because profile QP1 is configured differently in each switch.
Using Groups in Policy Definitions
In many cases, you may want to define multiple policies that should apply to the same set of endpoints,
or that should have the same set of devices as the policy domain or scope. The ability to create groups
of users, hosts, devices, ports, custom applications, and VLANs can make the definition of these policies
easier.
For example, you may want to define several Access List policies to prioritize traffic between several
different application servers and a specific set of users. To accomplish this easily, you could create a
group that contains those users, and then use the group as the user or client endpoint in the traffic
definition for each of the policies you create. Further, you may want to include the same set of network
devices in the scope for these policies. Again, you can create a group for these devices, and use that
group to define the scope for each of the policies.
You can use the Grouping Manager to define a group of users:
● Use the EPICenter Grouping Manager to define the user resources, either by entering them
individually through the GUI or by importing them.
● Ensure that a mapping relationship exists from each user to an IP address. This is necessary so that
the Policy Manager can use them to create identifiable traffic flows. User-host-IP address
relationships are often created as part of the import process. If Netlogin/DLCS is running on your
Extreme network devices, it may do this mapping for you. You can also create these relationships
directly through the Grouping Manager GUI. In the case of Access-based Security
policies, the user IP is dynamically determined when the user logs into the system.
● When you have your user resources set up and mapped to IP addresses, you can create a group and
add your users as members of the group.
To create a group for the devices you want to use for the policy scope, you have two options:
● You can create a Device Group in the Inventory Manager, and assign the devices to this group.
● You can add devices as members of a non-exclusive resource group through the Grouping Manager.
The same device can be a member of multiple groups of this type, so future grouping requirements
do not need to impact the group you set up for your policy scope purpose.
Regardless of how you set up your group, you can then use this group to specify the scope for the
policies you create.
There is one consideration in using a group of devices in a policy scope, which is that the same QoS
profile applies to the entire group. For example, if you specify a group in the policy scope, and assign
profile QP3 to that group, all devices included in the group will then use QP3 for that policy. The
configuration of QP3 may be different on each device, but the policy will always apply QP3, however it
is defined, to the traffic flow defined by the policy. (The Policy Manager does allow you to inspect the
QoS profiles and their association with policies on devices or device ports, and you can adjust the
settings if needed.)
The Grouping Manager allows groups to contain members of different resource types, including other
groups. However, when you are setting up groups for use with the Policy Manager, it is recommended
that you create relatively simple groups that contain only the resources that you intend to use for a
single purpose.
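The following added example (not part of the EPICenter guide or the product) shows one way to audit the consideration described above: it resolves a policy scope group, including nested groups, to its devices and reports the devices whose definition of a QoS profile differs from the most common one. The group names, device names, data layout, and the representation of a profile as (minimum bandwidth %, maximum bandwidth %, priority) are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample data (not exported from EPICenter): group membership,
# where a member is either a device name or another group, and the per-device
# definition of each QoS profile as (min bandwidth %, max bandwidth %, priority).
GROUPS = {
    "core-switches": ["sw-core-1", "sw-core-2"],
    "policy-scope": ["core-switches", "sw-edge-1", "sw-edge-2"],
}
PROFILES = {
    "sw-core-1": {"QP3": (10, 80, "medium")},
    "sw-core-2": {"QP3": (10, 80, "medium")},
    "sw-edge-1": {"QP3": (0, 100, "low")},
    "sw-edge-2": {},  # QP3 not defined on this device
}


def expand(group, groups, _seen=None):
    """Resolve a group to its set of devices, following nested groups."""
    seen = _seen if _seen is not None else set()
    if group in seen:  # guard against a group that contains itself
        return set()
    seen.add(group)
    devices = set()
    for member in groups[group]:
        if member in groups:
            devices |= expand(member, groups, seen)
        else:
            devices.add(member)
    return devices


def profile_drift(group, profile, groups, profiles):
    """Return (baseline, outliers): the most common definition of `profile`
    across the group's devices, and the devices that differ from it.
    A device with no definition is reported with the value None."""
    settings = {d: profiles.get(d, {}).get(profile)
                for d in sorted(expand(group, groups))}
    defined = [s for s in settings.values() if s is not None]
    baseline = Counter(defined).most_common(1)[0][0] if defined else None
    outliers = {d: s for d, s in settings.items() if s != baseline}
    return baseline, outliers


if __name__ == "__main__":
    baseline, outliers = profile_drift("policy-scope", "QP3", GROUPS, PROFILES)
    print("baseline QP3:", baseline)
    for device, setting in outliers.items():
        print(f"  {device}: {setting}")
```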