Extreme Networks Policy Manager User Manual

Supervisor edition

Extreme Networks Policy Manager (EPM)
Supervisor Edition - User Guide
Version 1.2
Extreme Networks, Inc.
3585 Monroe Street
Santa Clara, California 95051
(888) 257-3000
(408) 579-2800
http://www.extremenetworks.com
Published: November 2007
Part number: 100260-00 Rev 04


Summary of Contents for Extreme Networks Policy Manager

  • Page 2 Summit, SummitStack, Unified Access Architecture, Unified Access RF Manager, UniStack, UniStack Stacking, the Extreme Networks logo, the Alpine logo, the BlackDiamond logo, the Extreme Turbodrive logo, the Summit logos, the Powered by ExtremeXOS logo, and the Color Purple, among others, are trademarks or registered trademarks of Extreme Networks, Inc.
  • Page 3: Table Of Contents

    Introduction, 9; Description of the Extreme Networks Policy Manager, 9; About This Manual, 10; Editions of the EPM, 10; Chapter 2: Installing The Extreme Networks Policy Manager, 11; Introduction, 11; Hardware and Software Requirements, 11; Switch Requirements, 11; EPM Installation, 13; Chapter 3: Viewing Policies and Rules...
  • Page 4 Organizing Rules, 49; Deleting Policies, 49; Managing Policy Activity, 50; Activating and Deactivating a Policy, 50; Disabling a Rule, 52; Chapter 6: Running Extreme Networks Policy Manager Examples, 53; Introduction, 53; Example 1—Example_TCP_Threshold.pol, 53; Open and View the Policy, 53; Save to a Switch, 54; Activate the Policy on a Port, 55...
  • Page 5 Introduction, 77; Connectivity Problems, 77; EXOS Compatibility Problems, 77; Local Client Runtime Problems, 78; Rule and Policy Version Problems, 78; SSH Problems, 78; Index, 79 Extreme Networks Policy Manager (EPM) 1.2 User Guide...
  • Page 6 Table of Contents
  • Page 7: Preface

    This preface introduces this user guide, describes guide conventions, and lists other useful publications. Introduction This guide provides the required information to use the Extreme Networks Policy Manager (EPM) - Supervisor Edition software. It is intended for use by network administrators who are responsible for...
  • Page 8: Related Publications

    Customers with a support contract can access the Technical Support pages at: http://www.extremenetworks.com/services/eSupport.asp The technical support pages provide the latest information on Extreme Networks software products, including the latest Release Notes, information on known problems, downloadable updates or patches as appropriate, and other useful information and resources.
  • Page 9: Chapter 1: Overview

    The Extreme Networks Policy Manager (EPM) is a client application for the configuration and management of Access Control Lists (ACLs) and Continuous Learning, Examination, Action and Reporting of Flows (CLEAR-Flow or CF) on EXOS-based Extreme Networks switches. It is a GUI-based software download designed to simplify the management process.
  • Page 10: About This Manual

    Currently, one edition of the EPM is available—the Supervisor Edition. The Supervisor Edition allows the user the capability to create, modify and save policies either locally or when connected to a switch. In this User Guide, the terms EPM and Extreme Networks Policy Manager always refer to the Supervisor Edition.
  • Page 11: Chapter 2: Installing The Extreme Networks Policy Manager

    Not required. The EPM is installed from a network download. Switch Requirements The following apply to the switch used with the EPM. The EPM can be run on the following Extreme Networks switches: BlackDiamond® 8800 series...
  • Page 12 Switch” on page 18 for information on setting the staging directory and other configuration procedures.) Ensure that the EPM user has read/write permission to the installation directory and the TFTP directory.
  • Page 13: Epm Installation

    The EPM is installed from a network download and utilizes a user interface installation Wizard. Use the following procedure: 1 Download the EPM program files from Extreme Networks’ Software Downloads web page. 2 On Windows, double click the installation bundle executable icon.
  • Page 14 The Wizard then extracts and installs the files, and displays e Notification of the file installation, f The following Information window, and g The following finishing window. 4 Click Finish. The EPM is installed.
  • Page 15: Chapter 3: Viewing Policies And Rules

    Opening the EPM 1 Launch the EPM through Start > Programs > Extreme Networks Policy Manager > epm_supervisor or by using a desktop icon if one was selected during the installation process. The EPM opens to the Rule Editor window as shown below.
  • Page 16 Viewing Policies and Rules The first time the EPM program is launched, the following message is displayed
  • Page 17 4 Click OK to close the box. The EPM Rule Editor window remains. NOTE A notice regarding TFTP server availability is also displayed in the Status Panel under the Alerts tab. (Refer to “Status Panel” on page 23.)
  • Page 18: Configuring The Epm For Use On A Switch

    Choose Tools > Properties > Set NAT IP address from the menu. An Input dialog box is displayed. b Enter the address and click OK. NOTE Network Address Translation (NAT) is a method used by networking equipment such as routers to share an IP address.
  • Page 19 The file search directory is pointing towards the policy files as shown below. This is the default. Choose Tools > Properties > Set file search directory to check the file name in the file Open box.
  • Page 20: Description Of The Windows And Menus

    A Toolbar, discussed on page 23; A Status Panel, discussed on page 23; A Status Bar, discussed on page 25; A link icon to access the eSupport Website
  • Page 21: Menu Bar

    Refer to “Organizing Rules” on page Reorder rules by rank Places rules in order by rule rank when they have been recalculated. Refer to “Organizing Rules” on page
  • Page 22 In the Rule Editing and Viewing Panel and the Rule Navigator window, another menu is displayed when you right-click any rule in the list. For details about the functions of this menu, refer to the chapter, “Modifying Policies and Rules” on page
  • Page 23: Toolbar

    Rule Activity. A log is selected by clicking its panel tab. These logs are described below with examples of the screens. The Alerts tab displays the alerts log messages. Alerts are warnings or notices about an action or error that may or may not have inhibited EPM functions.
  • Page 24 To remove notes: a Highlight the text to be removed then press the keyboard’s Delete or Backspace key. The Apply Notes button is enabled. b Click the Apply Notes button. The text is removed.
  • Page 25: Status Bar

    When opening a file locally, the status bar reads “Operation 'OpenLocal' is in progress. (The operation should complete within '30' seconds.)” or When exiting the EPM, the status bar reads “Operation 'FlushLogsAndExit' is in progress (The operation should complete within '30' seconds.)”
  • Page 26: Rule Editor Window

    From the Menu Bar, selecting and deselecting the boxes from the View > Status Panel, Rule Properties Panel, and Tool Bar submenus. When a panel is hidden using these methods, the remaining panels expand to fill the window.
  • Page 27: Tree Structure Panel

    Status displays whether a policy that was saved with the EPM has been modified without the EPM. When the policy has not been so modified, there is no entry in the column. When the policy has been so modified the status column entry is “Rule modified externally.”
  • Page 28: Rule Properties Panel

    Click the button when the entry is complete. To delete notes, highlight the text to be removed then strike the keyboard’s Delete or Backspace key. The Apply Notes button is enabled. Click the button.
  • Page 29: Rule Navigator Window

    CF Rule Detail displays the raw rule text for the CF rule that is selected. Above both the Access Control List Rules panel and the CLEAR-Flow Rules panel are the following two icons. Marks the selected rule Clears all marks
  • Page 30: Opening An Existing Policy

    Click OK. A Policy Version Selection box is displayed. b From the Versions: panel, select an appropriate version based on information in the Description panel and click OK. The Operation Progress box is displayed followed by a Validation Notice.
  • Page 31: Opening A Policy File From A Switch

    4 When there is a problem with the connection, the following box is displayed. Check the suggested reasons and make the necessary adjustments. For additional information, refer to “Configuring the EPM for use on a Switch” on page
  • Page 32: Policy Parsing

    2 Click OK and the rule display in the rule viewing panels resembles the following: When the box is unchecked, the EPM responds with an invalid message and does not attempt to load the policy.
  • Page 33: Searching For Rules In A Policy

    When a rule is found and highlighted in the Rule Editing and Viewing Panel, it is also highlighted in the other rule listings in both the Rule Editor window and the Rule Navigator window.
  • Page 34: Search By Parameter

    Search. The list of rules is reduced as seen below. Note that in the script, both “count” and “U” are highlighted. NOTE The search function is not case-sensitive, but the highlighting function is.
  • Page 35 10 If desired, mark any rules using the “Mark” buttons. When the Search Policy window is closed, these marks are displayed in the main windows. 11 To remove the search results, click the Clear command button.
  • Page 36: Working Among The Windows And Panels

    This allows the user to make one selection and move throughout the program without having to make a matching selection. In the figure below, arrows point to the common rule selection and the raw rule text for the rule is circled.
  • Page 37: Chapter 4: Creating Policies And Rules

    Creating Policies and Rules Introduction The Extreme Networks Policy Manager (EPM) is used by first creating a policy and then populating it with ACL and CLEAR-Flow rules. Policies and Rules can be created locally, tested and verified, and then pushed to a switch.
  • Page 38 14 Click Finish. The new rule is added to the policy and displayed in all of the rule viewing panels.
  • Page 39: Saving A Policy

    3 In the Name text field, you have three options: a Use the policy name of the local file you are saving that EPM displays in the text field, or b Type a new policy name in the text field, or
  • Page 40: Validating And Checking A Policy

    Parse Exception ( Last Rule Line = 1, Last Rule = n/a, Last Metadata Line = 0 ) : Unable to parse policy because policy selection is invalid. Any of the errors you would encounter running the check policy command line directly on the switch.
  • Page 41: Importing And Exporting Rules Into A Policy

    4 Click the Use custom prefix for inserted rules box to add a prefix to the imported rules. Dup_ is the default prefix but another can be used. When the rule is of a different policy version, the EPM prompts the user as follows:
  • Page 42: Exporting Rules

    Notice box is displayed that confirms the Policy rules were successfully exported and the new policy is opened with all of the rules displayed. 4 Open the new policy again to see the final new policy displaying only the marked rules.
  • Page 43: Chapter 5: Modifying Policies And Rules

    Modifying Policies and Rules Introduction The Extreme Networks Policy Manager (EPM) provides the capability to easily edit and modify existing policies and rules. This chapter describes the following sections: Marking Rules on page 44; Adding and Deleting Rules in a Policy on page 44...
  • Page 44: Marking Rules

    Navigator window. Use the following procedure to delete a single rule. 1 From either list, right-click the rule that is to be deleted. The rule is highlighted and a menu is displayed.
  • Page 45: Modifying Rules

    2 When <create a new class> is chosen, the following Class Entry Dialog box is displayed. 3 Enter a new class name and click OK. The new class is added to the rule viewing panels and the rule classification is changed.
  • Page 46: Changing Rule Parameters

    Click the Edit... icon to display the Edit arguments dialog box that is specific to the match condition or action being edited. For example, the Enter arguments for ‘count’: box is displayed below.
  • Page 47: Applying Changes To An Activated Policy

    3 Click Yes. An Operation Progress box is displayed followed by a Validation Notice stating that the "Policy has been refreshed." NOTE The submenu command, Refresh, is enabled only when the policy being changed is currently activated on a switch.
  • Page 48: Managing Global And Policy Variables

    Type dropdown menu. 4 Click Save. The new entries or modifications are displayed in the Policy or Global Manager Variable box. 5 Make any additional additions or edits, then click Close.
  • Page 49: Organizing Rules

    Deleting Policies Policies are deleted from the policy folder in the program files rather than through the EPM application.
  • Page 50: Managing Policy Activity

    Selected text box. Select additional ports as needed. Click the Ingress or Egress radio buttons and then Save and Close. The box closes and in the Active Ports panel, the port number, ingress or egress and the Policy name are displayed.
  • Page 51 2 The deactivate command buttons show the available options. Click the desired option (Deactivate Ingress, Deactivate Egress, Deactivate Selected, or Deactivate All) then click the Commit command button. The policies are deactivated.
  • Page 52: Disabling A Rule

    1 In the Rule Editing and Viewing Panel or the Rule Navigator Window, right-click the rule to be disabled and from the resulting menu, choose Disable. The rule appears in red. 2 To re-enable the rule, repeat the process in Step 1, selecting Enable from the menu.
  • Page 53: Chapter 6: Running Extreme Networks Policy Manager Examples

    Running Extreme Networks Policy Manager Examples Introduction This chapter describes some of the functionality of the Extreme Networks Policy Manager (EPM) using two examples. The examples use two sample policies that are included with the EPM application. NOTE Each of the following two examples consists of a series of connected procedures. Each procedure begins in the state where the previous one ended.
  • Page 54: Save To A Switch

    (This example is being run on a switch that does not support CLEAR-Flow. Therefore, a CLEAR-Flow Support Notice box opens with a reminder of that limitation and the question of whether to proceed. Yes is selected.)
  • Page 55: Activate The Policy On A Port

    1 From the menu, choose Policy > Activity... The Policy Activity Manager dialog box opens. 2 Click the Activate Port command button. The Policy Activity - Activate Port(s) dialog box opens as shown below.
  • Page 56 7 Click the Show All command button. As shown below, the current policy is shown in black, and all other ports and/or VLANs with activated policies are shown in red.
  • Page 57: Modify Rule Parameters

    3 In the Rule Parameters, under "Match Conditions" click "count TCP_COUNTER>100, period 5, hysteresis 0;" All the icons under the text panel are enabled. 4 Click the "Edit arguments of selected" icon. The Rule Parameter Editor dialog box is displayed as shown below.
  • Page 58: Example 2-Example_Tcp_Udp_Balance.pol

    4 Note from both views that the CLEAR-Flow rule is connected to both ACL rules and is ineffective without both. The screen below displays these features.
  • Page 59: Search For A Rule

    While the particular policy used here has only a few rules, the procedure is the same in a larger policy.
  • Page 60 UDP in the text field. Then click Search. The following screen is displayed showing both criteria highlighted. NOTE The search function is not case-sensitive, but the highlighting function is. 7 Close the Search Policy box. (The search procedure is not saved.)
  • Page 61: Incorporate Into A Policy

    2 When the new policy is complete, it can be validated. From the menu, choose Policy > Validate & Check. The EPM checks the policy and validates it or returns notice of problems. 3 Save the new policy to a switch when it is complete. 4 Exit the EPM.
  • Page 62 Running Extreme Networks Policy Manager Examples
  • Page 63: Appendix A: Help Messages

  • Page 64 SYS_IcmpOutProtoUnreachs counterreference sys_IcmpOutRouterAdv counterreference sys_IgmpInQueries counterreference sys_IgmpInReports counterreference sys_IgmpInLeaves counterreference sys_IgmpInErrors counterreference sys_IgmpOutQueries counterreference sys_IgmpOutReports counterreference sys_IgmpOutLeaves counterreference
  • Page 65: Synonyms Used For Rule Constants

    Protocols number-protocol Protocols number-protocol icmp Protocols number-protocol igmp Protocols number-protocol ipip Protocols number-protocol ipv6 Protocols number-protocol ospf Protocols number-protocol Protocols number-protocol rsvp Protocols number-protocol Protocols number-protocol Protocols number-protocol Service Ports 1483 numberrange-port
  • Page 66 Service Ports numberrange-port pptp Service Ports 1723 numberrange-port printer Service Ports numberrange-port radacct Service Ports 1813 numberrange-port radius Service Ports 1812 numberrange-port Service Ports numberrange-port rkinit Service Ports 2108 numberrange-port
  • Page 67 ICMP Types number-icmptype unreachable ICMP Types number-icmptype ip-header-bad ICMP Codes number-icmpcode required-option-missing ICMP Codes number-icmpcode redirect-for-host ICMP Codes number-icmpcode redirect-for-network ICMP Codes number-icmpcode redirect-for-tos-and-host ICMP Codes number-icmpcode redirect-for-tos-and-net ICMP Codes number-icmpcode
  • Page 68: Type Selection Panel

    ICMP echo request and unreachable packets, then create CLEAR-Flow rules to monitor the delta ratios for these counters. This collection of rules could be grouped under a class name of 'IcmpThreatRules' for instance.
  • Page 69: Match Condition Selection Panel

    In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ACK(0x10), FIN(0x01), PUSH(0x08), RST(0x04), SYN(0x02), URG(0x20), SYN_ACK(0x12). igmp-msg-type: IGMP message type. Possible values and text synonyms: v1-report(0x12), v2-report(0x16), v3-report(0x22), V2-leave (0x17), or query(0x11).
  • Page 70: Action Modifier Selection Panel

    - The number of input IP packets discarded because the IP address in their IP header's destination field was not a valid address to be received at this entity. This count includes invalid addresses (for example, 0.0.0.0) and addresses of unsupported Classes (for example, Class E).
  • Page 71 - The total number of ICMP messages which the entity received. Note that this counter includes all those counted by icmpInErrors. sys_IcmpInErrors - The number of ICMP messages which the entity received but determined as having ICMP-specific errors (bad ICMP checksums, bad length, etc.).
  • Page 72 - The number of incoming ICMP packets addressed to a not-in-use/unreachable/invalid protocol. This message is in the general category of ICMP destination unreachable error messages. sys_IcmpInBadLen - The number of incoming bad ICMP length packets.
  • Page 73 Modifies the S-COS value. In the field, the value must be a positive integer number. stag-ethertype: Modifies the VMAN Ethertype value, also called the S-Tag value. In the field, the value must be a positive integer number.
  • Page 74 Logs the packet header in hex format. meter: The meter keyword allows you to associate a meter with an ACL. The meter must be created outside of the EPM using the command line.
  • Page 75: True Action Selection Panel

    1:1 and 2:1, a CLEAR-Flow rule that used the global-rule statement would sum up the counts from both ports. Without the global-rule statement, the CLEAR-Flow rule would only look at the counts received on one port at a time.
  • Page 76 The REL_OPER is selected from the relational operators for greater than, greater than or equal to, less than, or less than or equal to (>, >=, <, <=).
  • Page 77: Appendix B: Troubleshooting

    Troubleshooting Introduction This appendix includes suggestions for dealing with problems that may occur when running the Extreme Networks Policy Manager (EPM). They are categorized as follows: Connectivity Problems on page 77; EXOS Compatibility Problems on page 77; Local Client Runtime Problems on page 78...
  • Page 78: Local Client Runtime Problems

    To terminate SSH process on the switch 1 telnet/ssh to the switch terminate process exsshd graceful To terminate and restart SSH process during a software upgrade on the switch 1 telnet/ssh to the switch restart process exsshd
  • Page 79: Index

    39 Log tab, 24 deactivate policies, 51 deleting policies, 49 marking rules, 44 rule parameters, 47 Match Condition Selection Panel rules, 44 reference list, 69 disable rules, 52 menu bar, 21
  • Page 80 Rule Activity tab, 25 #, 27 status, definition, 27 class, 27 switch mode name, 27 opening a policy, 31 rank, 27 saving a policy, 39 status, 27 switch requirements, 11 TCNT, 27
  • Page 81 Tree Structure Panel, 27 Trigger Count see TCNT Trivial File Transfer Protocol see TFTP troubleshooting, 77 Type Selection Panel reference, 68 type, definition, 27 validate a policy, 40 variables global, 48 policy, 48
  • Page 82 Index

This manual is also suitable for:

Policy manager supervisor edition 1.2
