Policy Access Domain And Scope - Extreme Networks EPICenter Guide Manual

Concepts and solutions guide

Policy Manager Overview
ports or ranges of ports. Custom Applications are entered into the EPICenter database using the
Grouping Manager.
Users (by name): These are entered into the EPICenter database through the Grouping Manager,
either using the Import capability or through the GUI. An individual User is typically mapped to a
Host by establishing a relationship within the Grouping Manager. User-Host relationships can be
specified through the Grouping Manager GUI or as part of the Import function. The Host is then in
turn mapped to an IP address and physical ports as described above. Users can be added as
members to groups through the Grouping Manager. For Security policies, user-host relationships are
established during netlogin/802.1x login and removed upon user logout.
Ports: Ports are entered into the EPICenter database by the Inventory Manager, using the
Discovery or Add Devices functions. They can be specified individually as part of a policy traffic
definition, or they can be members of a group. Ports are added to groups through the Grouping
Manager.
VLANs: VLANs are detected by the Discovery or Add Device functions in the Inventory Manager,
and can also be created and modified using the EPICenter VLAN Manager. They can be specified
individually as part of a VLAN QoS policy traffic definition or they can be members of a group.
VLANs are added to groups through the Grouping Manager.
IP addresses/Subnets: IP addresses or subnet addresses are used in Security and IP QoS rules to
identify IP traffic flows. IP and subnet addresses can be determined by the Policy Manager from
mappings associated with named components such as users or hosts. They can also be entered
directly as endpoints in an IP policy traffic definition.
QoS Profiles: QoS profiles provide the definitions of traffic priority, and minimum and maximum
bandwidth that, when combined with a traffic flow specification, define a policy. QoS profiles are
predefined, but they can be reconfigured from within the Policy Manager.
The arrows shown in Figure 77 indicate the mapping relationships between policy named components
and policy primitive components. The higher-level component at the start of the arrow can be mapped
by the Policy Manager to the component at the end of the arrow. Named components may map directly
to a primitive component, or they may map to another named component that in turn maps to a
primitive component. For example, the Policy Manager maps a Host component directly to an IP
address and a port. However, a User component specified as a traffic endpoint is mapped first to a
Host, and then to an IP address and port, which is used to create the policy rules that affect traffic from
that user.
The labels associated with the arrows depict how the mapping relationship is created:
GUI indicates that the mapping may be created through the Grouping Manager user interface.
Netlogin/DLCS indicates that the mapping may be obtained through Netlogin or the Dynamic Link
Context System (DLCS) operating within Extreme Networks devices.
DNS indicates that the mapping may be obtained via a name lookup service such as DNS.
IMPORT indicates that the mapping relationship can be specified during the import process in the
EPICenter Grouping Manager.
SYSTEM indicates that the mapping is predefined, or is set up by the EPICenter server, such as
through the Discovery feature in the Inventory Manager.
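
The mapping chain and arrow labels described above can be modeled as a small graph walk. This is an added conceptual example, not EPICenter code or its API: the class, function names, component names, addresses and the choice of label on each sample edge are constructed for illustration. It resolves a named component down to primitives, records which source created each hop, and lists endpoints that currently map to nothing.

```python
# Conceptual model only; not EPICenter code. All names and sample values are constructed.
from dataclasses import dataclass, field

SOURCES = {"GUI", "NETLOGIN/DLCS", "DNS", "IMPORT", "SYSTEM"}  # arrow labels from the text

@dataclass
class MappingModel:
    # edges[name] -> [(target, source)]; a tuple target is a primitive such as
    # ("ip", "10.1.2.17"), a str target is another named component.
    edges: dict = field(default_factory=dict)

    def add(self, name, target, source):
        if source not in SOURCES:
            raise ValueError(f"unknown mapping source: {source}")
        self.edges.setdefault(name, []).append((target, source))

    def drop(self, name, source):
        """Remove the mappings one source created, e.g. netlogin on logout."""
        self.edges[name] = [(t, s) for t, s in self.edges.get(name, []) if s != source]

    def resolve(self, name, _path=()):
        """Return {primitive: [source labels along the chain]} for a component."""
        if name in _path:
            raise ValueError(f"mapping cycle through {name}")
        found = {}
        for target, source in self.edges.get(name, []):
            if isinstance(target, tuple):          # primitive component
                found[target] = [source]
            else:                                  # another named component
                for prim, chain in self.resolve(target, _path + (name,)).items():
                    found[prim] = [source] + chain
        return found

def unresolved(model, names):
    """Named endpoints that map to no primitive, so this model yields no rule."""
    return [n for n in names if not model.resolve(n)]

def build_sample():
    m = MappingModel()
    m.add("host:ws-17", ("ip", "10.1.2.17"), "DNS")
    m.add("host:ws-17", ("port", "switch-a:3"), "SYSTEM")
    m.add("user:alice", "host:ws-17", "NETLOGIN/DLCS")   # created at 802.1x login
    m.add("group:finance", "user:alice", "GUI")
    m.add("group:finance", "user:bob", "IMPORT")         # bob has no host mapping
    return m

if __name__ == "__main__":
    m = build_sample()
    print(m.resolve("user:alice"))
    m.drop("user:alice", "NETLOGIN/DLCS")                # user logs out
    print(unresolved(m, ["user:alice", "user:bob", "group:finance", "host:ws-17"]))
```

Running the same check before and after a logout shows which policy endpoints depend on a dynamic netlogin mapping rather than a static GUI or IMPORT one.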

Policy Access Domain and Scope

The policy type and policy traffic definitions specify how to identify a traffic flow of interest. The policy
access domain (Security policy) or scope (IP policy) definition specifies how to handle that traffic flow
