Extreme Networks EPICenter Guide Manual page 173

Concepts and solutions guide

on your network devices. The policy access domain or scope definition has three functions: It specifies
the network devices on which the policy should be implemented, what the treatment should be on each
device in the domain or scope.
You can specify the domain or scope by selecting individual devices, or you can specify groups to
include in the policy domain or scope.
You specify the QoS profile that will be associated with the policy traffic for each resource in the
domain or scope. If you specify a device individually, then you can also specify a QoS profile for
that individual device. However, if you specify a group as a resource, then the QoS profile you select
will apply to the policy traffic on all the devices in the group. If a device is specified more than once
in the domain or scope (for example, because it is a member of two different groups that are both
included in the domain), you can specify which QoS setting will take precedence.
You specify the times of validity using the scheduler tool associated with each policy. You can select
which days the policy will be active and you can specify start times and durations for each policy.
The following example illustrates some of the issues related to setting the scope for an IP policy. Since
the domain for Security policies is limited to the edge device to which the user is connected, many of
these issues are not relevant for Security policies.
Assume that you want to define an IP policy (Access List rule) applying to all TCP traffic (in both
directions) between Host1 and Host2. This defines two traffic flows for the policy:
- From any L4 port on Host1 to any L4 port on Host2
- From any L4 port on Host2 to any L4 port on Host1
Initially, you decide to define the scope as follows:
- Include all the devices on your network (switches A, B, and C) in the scope
- Set QP1 as the profile to be used on all three devices
This means that any time any of these switches detects TCP traffic with Host1 as the source and Host2
as the destination (or vice versa), it will assign that traffic to profile QP1.
However, in your network it happens that traffic between Host1 and Host2 would never travel through
switch C, so implementing this policy on that switch is not necessary. Further, on switch B, profile QP1
is being used for some very high-priority, application-server traffic, so you want to give your TCP
traffic somewhat lower priority on that switch. You can accomplish this by changing the policy scope as
follows:
- Include only switches A and B in your policy scope. This will leave switch C unaffected by this
  policy.
- Specify profile QP1 for switch A, but a different profile (for example, QP3) for switch B. On switch
  B, you configure profile QP3 to have the appropriate parameters to accomplish the desired traffic
  prioritization.
Alternatively, it might happen that the high priority traffic on switch B is not using QP1, so you can use
QP1 on both switches for the Host1-Host2 traffic. However, you may need to set the parameters for
QP1 on switch B differently from the parameters of QP1 on switch A, to accomplish the desired traffic
priorities on switch B.
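The scope decisions in this example can be checked before a policy is deployed. The following Python model is an added illustration, not EPICenter code or its data format: it resolves which QoS profile each device would receive, reports devices reached through more than one scope entry with no precedence chosen, and lists devices in scope that the flow never crosses. The names Scope, resolve, off_path and the groups AllSwitches and ServerEdge are hypothetical.

```python
# Added illustration: a model of policy-scope resolution, not EPICenter code.
from dataclasses import dataclass, field

@dataclass
class Scope:
    devices: dict = field(default_factory=dict)     # device -> QoS profile (individual entry)
    groups: dict = field(default_factory=dict)      # group name -> QoS profile
    precedence: dict = field(default_factory=dict)  # device -> entry that wins on a conflict

def resolve(scope, group_members):
    """Return ({device: profile}, [unresolved conflicts]) for one policy scope."""
    candidates = {}  # device -> {scope entry name: profile}
    for dev, prof in scope.devices.items():
        candidates.setdefault(dev, {})[dev] = prof
    for grp, prof in scope.groups.items():
        for dev in group_members[grp]:
            candidates.setdefault(dev, {})[grp] = prof
    resolved, conflicts = {}, []
    for dev, entries in sorted(candidates.items()):
        profiles = set(entries.values())
        if len(profiles) == 1:                        # all entries agree
            resolved[dev] = profiles.pop()
        elif scope.precedence.get(dev) in entries:    # explicit precedence chosen
            resolved[dev] = entries[scope.precedence[dev]]
        else:                                         # ambiguous: needs a decision
            conflicts.append((dev, dict(entries)))
    return resolved, conflicts

def off_path(resolved, path):
    """Devices that would receive the rule although the flow never crosses them."""
    return sorted(set(resolved) - set(path))

# Constructed sample data following the example in the text.
GROUPS = {"AllSwitches": ["A", "B", "C"], "ServerEdge": ["B"]}
HOST1_HOST2_PATH = ["A", "B"]  # the Host1-Host2 flow never travels through switch C

initial = Scope(groups={"AllSwitches": "QP1"})        # first attempt: QP1 everywhere
revised = Scope(devices={"A": "QP1", "B": "QP3"})     # narrowed scope, QP3 on switch B
overlap = Scope(groups={"AllSwitches": "QP1", "ServerEdge": "QP3"})  # B is in two groups
overlap_fixed = Scope(groups=overlap.groups, precedence={"B": "ServerEdge"})

if __name__ == "__main__":
    for name, s in [("initial", initial), ("revised", revised),
                    ("overlap", overlap), ("overlap_fixed", overlap_fixed)]:
        resolved, conflicts = resolve(s, GROUPS)
        print(name, resolved, "conflicts:", conflicts,
              "off-path:", off_path(resolved, HOST1_HOST2_PATH))
```

The model only shows which profile name lands on which device; what QP1 or QP3 actually does to the traffic still depends on how that profile is configured on each switch.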
It is very important to understand the relationship of the target traffic flow, the QoS profile, and the
profile configuration in each switch. The policy rules generated by the EPICenter Policy Manager
associate a QoS profile with a particular traffic flow, but the configuration of that profile (its bandwidth
and priority parameters) is defined in each individual switch. Therefore, you may create a policy that
always associates profile QP1 with the traffic between Host1 and Host2, but the actual treatment of that
EPICenter Concepts and Solutions Guide
Policy Access Domain and Scope
173


This manual is also suitable for:

Epicenter 6.0
