Extreme Networks EPICenter Guide Manual page 150

Concepts and solutions guide

Policy Manager Overview
(netlogin / 802.1x). This differs from the static IP, VLAN and source port policies which apply the ACL
rules in a persistent manner on devices specified by the policy scope.
In the EPICenter Policy Manager, the endpoints of the traffic flow for Access-based Security policies are
defined as one or more services and users. The EPICenter Policy Manager lets you specify the endpoints
using named resources, such as user names or host names, or groups that include such resources. If you
specify a group resource as an endpoint, only the resources within the group (and its subgroups) that
can be mapped to an IP or subnet address will be used as policy endpoints on the network services
side.
The default traffic direction for Access-based Security policies is user to network resource(s), which
creates ACL rules with the source IP address as the user's IP address and the destination IP address as
the network resource IP address. This secures the network as the user is denied or permitted access to
the network resource(s). The bidirectional traffic setting is used when security policies grant access and
additionally provide quality of service. The quality of service for the traffic between the user and the
network resource(s) can be prioritized and guaranteed by the assignment of a specific quality profile on
a per-user basis.
You can also further define the network resource-side traffic endpoints by specifying a named
application or service, which translates to a protocol and L4 port, by directly specifying a protocol and
L4 port range, or by using the Custom Applications group to collect a series of protocols and ports
under one application. The EPICenter Policy Manager currently supports TCP and UDP as L4 protocols.
In some cases you can also specify client-side L4 ports. The ICMP protocol is not currently supported.
The Policy Manager determines the traffic flows of interest based on the combination of endpoints and
direction you have specified, and creates a set of IP QoS rules that can be implemented on the
appropriate edge device (the login device).
Figure 66 shows the effects of a uni-directional Access-based Security policy specified between server
Iceberg and users A, B, and C. The policy domain includes only the two rightmost switches. The effect
of this policy is that Access-based Security QoS rules are implemented for one traffic flow through the
upper switch and two through the lower switch, from Users A, B and C to the server called Iceberg. No
rules are implemented on the intervening switches.
Although not shown in this diagram, you can specify multiple servers as well as multiple users.
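
The rule derivation described above can be sketched as follows. This is an added illustration, not EPICenter code or its API: all function and field names are hypothetical, and the addresses, the group contents and the placement of users A, B and C on the "upper" and "lower" switches are constructed sample data modelled on Figure 66.

```python
import ipaddress
from dataclasses import dataclass

SUPPORTED_L4 = {"tcp", "udp"}  # per the page: TCP and UDP only, no ICMP
# Constructed sample data modelled on Figure 66 (addresses, switch names assumed)
GROUPS = {"Servers": ["Iceberg", "Printers"], "Printers": ["lobby-printer"]}
ADDR = {"Iceberg": "10.0.9.5"}  # lobby-printer has no IP mapping
SESSIONS = {"A": ("10.0.1.11", "upper"), "B": ("10.0.2.12", "lower"),
            "C": ("10.0.2.13", "lower")}  # user -> (IP, login device)

@dataclass(frozen=True)
class Rule:
    device: str   # edge (login) device that receives the rule
    src: str
    dst: str
    proto: str
    ports: tuple  # L4 port range on the network-resource side
    action: str

def expand(name, groups, addr_map, seen=None):
    """Flatten a resource or group (and subgroups) to mapped addresses;
    members without an IP or subnet mapping are skipped."""
    seen = set() if seen is None else seen
    if name in seen:  # visited already: avoids duplicates and group cycles
        return []
    seen.add(name)
    if name in groups:
        return [a for m in groups[name] for a in expand(m, groups, addr_map, seen)]
    mapped = addr_map.get(name)
    return [str(ipaddress.ip_network(mapped, strict=False))] if mapped else []

def build_rules(sessions, resource, groups, addr_map, proto, ports,
                action="permit", bidirectional=False):
    """One rule per user/resource flow, placed on the user's login device."""
    proto = proto.lower()
    if proto not in SUPPORTED_L4:
        raise ValueError(f"unsupported L4 protocol: {proto}")
    low, high = ports
    if not 0 <= low <= high <= 65535:
        raise ValueError("invalid L4 port range")
    dsts = expand(resource, groups, addr_map)
    rules = []
    for _user, (ip, device) in sorted(sessions.items()):
        src = str(ipaddress.ip_network(ip))
        for dst in dsts:
            rules.append(Rule(device, src, dst, proto, (low, high), action))
            if bidirectional:  # reverse flow, used when QoS is also applied
                rules.append(Rule(device, dst, src, proto, (low, high), action))
    return rules
```

Calling `build_rules(SESSIONS, "Servers", GROUPS, ADDR, "tcp", (80, 80))` yields one rule on the upper switch and two on the lower switch, all with Iceberg as the destination, because the unmapped group member contributes no endpoint.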
This manual is also suitable for:

Epicenter 5.0
