Policy Traffic Page - Extreme Networks EPICenter Software Installation Manual

Using the Policy Manager
This means that access list rules will be generated with the hosts listed on the network resources
side as the destinations, and users on the user side as the sources. (See "Policy Traffic Page" on
page 414 for an explanation of the traffic flows that this example generates.)
— The traffic specification for an Access-based Security policy also includes the specification of a
"network resource" on the network resource side, that can be used to define a protocol and an L4
port or port range, or a named application (which translates to a protocol and specific L4
port).You can define an L4 port for the userside as well, if needed.
— For an IP policy, the Policy Traffic section is similar to that for Access-based Security policies with
the substitution of "Servers" and "Clients", for "Network resources" and "Users" respectively. IP
policies default to bi-directional.
— For a Source Port or VLAN policy, the Policy Traffic section is much simpler, showing you either
the network resources that define the source physical ports or the VLANs that are used to define
the traffic flow for the policy. Flow direction is not a factor in Source Port or VLAN QoS Policy
specifications.
See "Creating a New Policy" on page 416 for detailed information on specifying the endpoints for
defining policy traffic.
The Policy Access Domain (Scope for IP policies) section displays the network devices on which the
policy rules should be implemented. The devices can be specified individually, or as groups whose
member devices or device ports will be included in the domain. The policy domain also specifies the
QoS profiles that are implemented on each device for the specified traffic flows.
The Policy Access Domain (Scope for IP policies) display includes:
• The resources (devices or groups that contain devices) on which the policy should be implemented
• The type of the resource (Device or Group)
• The QoS profile that will be used for the device or devices specified by this resource
• An optional comment entered when the QoS profile is selected for the resource
The resources are displayed in order of precedence. Because the domain/scope can include groups as
well as individual device resources, it is possible that a device could be included more than once in the
domain/scope (as a member of multiple groups, for example) and the QoS profile setting of each of
those occurrences could conflict. Therefore, the order of the list determines the precedence in case of
QoS profile conflicts—the first occurrence of a device in the list determines the QoS profile that will be
used on that device.
See "Creating a New Policy" on page 416 for detailed information on specifying scope resources for a
policy.

Policy Traffic Page

The Policy Traffic page shows the actual traffic patterns derived from the Policy Traffic specification as
defined on the Policy Description page. Access-based Security policy traffic will not show on this page
unless the user endpoint is specified as a fixed IP address. Otherwise, the traffic will only show when
the user is actively logged in over the network. The diagram below shows an example for an IP policy.
For an Access-based Security policy, this page may be blank except when the user is logged into the
network. In the case where a user is assigned a specific IP address however, the page will look the same
as it does for an IP policy.
Figure 202 show the traffic patterns generated for the IP policy from Figure 201.
414 EPICenter Software Installation and User Guide