Policy Enforce Preview
Use the Enforce Preview window in the Policy tab to view the information you are writing to your devices, before you actually enforce. Use this window when enforcing to devices that only support certain aspects of policy management. For example, some devices support only the policy features of policy management; some devices support the policy features and classification rules, but do not support VLAN forwarding for certain classification rules; and some devices fully support all policy management features, including policy, classification rules, and VLAN forwarding for all classification rules.
To open the Enforce Preview window in the Policy tab, select Open/Manage Domain(s) > Enforce Preview, or select the enforce icon in the left panel and then select Enforce Preview. The Show on Enforce checkbox controls whether this window appears automatically when you select Enforce.
What you see in the window depends on whether you are enforcing to all devices or to a subset of devices. The title bar indicates the devices to which the enforce applies. After viewing the information in this window, you can either select Close to back out and make changes, or Enforce to go ahead with the enforce.
You can view device support for specific roles, services, and rules on the Roles & Rules tab. Refer to the ExtremeCloud IQ Site Engine Firmware Support matrix for complete information on device support for Policy features, and VLAN and Priority classification rules.
- Show on Enforce
- When this checkbox is checked, the Enforce Preview window appears any time you enforce, before the actual enforcement takes place.
Left Panel
The left panel of the Enforce Preview window displays folders for different
device types. Expand the folders to see your network devices and device
groups organized according to device type.
The warning icon alerts you that ExtremeCloud IQ Site Engine is not writing a staged change to this device type (e.g. rules not supported on a device).
- Show all device types
- Select the checkbox in the left panel to display all device types in the left panel. When the checkbox is not selected, only the devices you are changing by enforcing are displayed.
Select a specific device type to display, in the right panel, the information ExtremeCloud IQ Site Engine writes to those devices when you enforce.
Right Panel
The right panel provides information about whether certain policy management features are supported and/or enabled for the device type selected in the left panel.
- Additional Warnings - If there are additional problems detected with the enforce, you will be directed to see the Event Log for details.
- GVRP - Shows whether GVRP is Enabled, Disabled, or Ignored. You can change GVRP status for the domain via the Edit menu.
- Dynamic Egress - Shows whether Dynamic Egress is Supported or Not Supported.
- Device Stats & Info Tab
- Displays the devices for the device type selected in the left panel and provides information about each device.
If the number of roles in the domain exceeds the supported number of roles
on a device, the enforce fails.
- # of Roles Supported - The maximum number of roles supported by the device.
NOTE: On ExtremeXOS/Switch Engine devices, the maximum number of rules supported is the sum of the maximum L2, MAC and IPv4 rule types reported by the device. In ACL Rule mode, the maximum number of rules supported is reported by the device. Each type (L2, MAC and IPv4) is allocated from the same shared pool of slices for ACLs.
- Domain Role Count Supported - This column says "No" if the number of roles in the domain exceeds the supported number of roles on the device. A "Yes" in this column indicates that the number of roles on the device is equal to or less than the maximum number of supported roles.
- Role Statistics - Lists information about each role:
- Number of Rules - The number of traffic classification rules the role includes.
- Number of Unique Masks - The number of masks defined for the rules included in the role.
There are six tabs that provide specific information about the Roles, Classification Rules, VLANs, Classes of Service, and Mappings that will be enforced. The information displayed depends on the device type you've selected in the left panel, and whether you have the Show All or the Show Errors and Warnings Only radio button selected. In addition, select a role in the Roles tab to filter the information for just that role.
- Roles Tab
- Incomplete - Lists any roles with unsupported classification rules. These roles will be written to the devices, but without the unsupported rules.
- Complete - Lists any roles which do not include unsupported classification rules. These roles will be written to the devices as defined.
NOTE: Select a Role to display only those classification rules and VLANs associated with the selected role.
- Classification Rules Tab
- Excluded - Lists any unsupported classification rules that have been applied to a role. These rules will not be included when the associated roles are written to the devices.
- Included - Lists any supported classification rules that have been applied to a role. These rules will be included when the associated roles are written to the devices.
NOTE: On N-Series Platinum devices, range classification rules are achieved through applying subnet masks to values. As such, in order to achieve a user-specified range, the device may need multiple rules with subnets applied to encompass that range. So, although the user created only one rule with a range, this list may show multiple instances of that rule with the name of the rule followed by the portion of the overall range it applies to.
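The expansion this note describes, shown as an added example (not Extreme's code, and not necessarily the device's own algorithm): a standard minimal decomposition of an inclusive range into aligned value/mask blocks, with a check that the blocks match nothing outside the range. The 16-bit field width, the function names and the sample rule "UDP Ports" with range 1000-1999 are assumptions made for illustration.

```python
"""Added illustration: cover an inclusive range with aligned value/mask blocks."""

FIELD_WIDTH = 16  # assumption: a 16-bit field such as a TCP/UDP port


def range_to_masked_values(lo, hi, width=FIELD_WIDTH):
    """Return the fewest (value, prefix_len) blocks that cover [lo, hi] exactly."""
    if not 0 <= lo <= hi < (1 << width):
        raise ValueError("range does not fit the field width")
    blocks = []
    while lo <= hi:
        # Largest power-of-two block that starts aligned at lo ...
        size = (lo & -lo) if lo else (1 << width)
        # ... shrunk until it no longer runs past hi.
        while size > hi - lo + 1:
            size >>= 1
        blocks.append((lo, width - (size.bit_length() - 1)))
        lo += size
    return blocks


def expand_rule(name, lo, hi, width=FIELD_WIDTH):
    """List each masked rule as the rule name plus the sub-range it covers."""
    rows = []
    for value, prefix_len in range_to_masked_values(lo, hi, width):
        host_bits = width - prefix_len
        last = value + (1 << host_bits) - 1
        mask = ((1 << prefix_len) - 1) << host_bits
        rows.append(f"{name} ({value}-{last}) value=0x{value:04x} mask=0x{mask:04x}")
    return rows


def covered_values(blocks, width=FIELD_WIDTH):
    """Expand blocks back to the set of values they match, to check for over-match."""
    matched = set()
    for value, prefix_len in blocks:
        matched.update(range(value, value + (1 << (width - prefix_len))))
    return matched


if __name__ == "__main__":
    # Constructed sample: one user-defined rule covering ports 1000-1999.
    for row in expand_rule("UDP Ports", 1000, 1999):
        print(row)
    blocks = range_to_masked_values(1000, 1999)
    assert covered_values(blocks) == set(range(1000, 2000))
```

With the constructed range 1000-1999, one user rule becomes seven masked entries, which is why the Included list can show the same rule name several times.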
- VLAN Tab
- Excluded - Lists any VLANs associated with unsupported classification rules, or VLANs that are not supported by the device. These VLANs will not be written to the devices.
- Included - Lists any VLANs associated with supported classification rules and VLANs associated with roles. These will be written to the devices.
- Classes of Service Tab
- Class of Service Mode - Lists the Class of Service mode that will be written to the devices.
- Classes of Service Subtab - Lists the classes of service that will be written to the devices:
- Class of Service - The name of the class of service.
- 802.1p Priority - The priority associated with the class of service.
- ToS Value - The IP Type of Service value associated with this class of service, if any.
- Drop Prec - The drop precedence associated with this class of service, if any.
- TxQueue Index - The transmit queue index associated with the class of service.
- IRL Index - The role-based inbound rate limit index associated with the class of service.
- ORL Index - The role-based outbound rate limit index associated with the class of service.
- For more information, see Getting Started with Class of Service and
How to Create a Class of Service.
-
- Device - The device where the rate limit mapping will be in effect.
- IRL/ORL Port Grp - The name of the port group that contains the rate limit mapping.
- IRL/ORL Index - The logical inbound rate limit (IRL) or outbound rate limit (ORL) index number. This index number is specified in a class of service and dictates the rate limiting behavior for incoming packets.
- Rate Limit - The actual rate limit that the IRL/ORL index is mapped to.
- IRL/ORL Port Type - The type of ports included in the port group. Port type is based on the number of rate limits the ports support (for example, 8-rate limit ports and 32-rate limit ports).
- Information - Information about mapping support.
- Transmit Queue/Rate Shaper Mappings Subtab - Lists the
transmit queue rate shaper mappings that will
be written to the devices:
- Device - The device where the transmit queue rate shaper mapping will be in effect.
- TxQ Port Grp - The name of the port group that contains the transmit queue rate shaper mapping.
- TxQ Index - The logical transmit queue rate shaper index number. This index number is specified in a class of service and dictates the transmit queue and rate shaper behavior for incoming packets.
- Physical Transmit Queue / Rate Shaper - The actual transmit queue rate shaper that the index is mapped to.
- TxQ Port Type - The type of ports included in the port group. Port type is based on the number of transmit queues the ports support (for example, 4-transmit queue ports and 16-transmit queue ports).
- Information - Information about mapping support.
- Mappings Tab
WARNING: Enforcing port-level MAC to Role mappings could potentially remove rules created as an intrusion detection response.
- Device/Port Level - indicates whether the mapping is a device-level mapping (all devices) or a port-level mapping (IP address and port description). Port-level mappings on frozen ports will be enforced.
- MAC Address - the MAC address mapped to the role. Masking a MAC address is only supported on N-Series Platinum devices.
- Mask - the mask associated with the MAC address.
- Role - the role mapped to the MAC address.
- IP to Role Mapping - Lists the device-level mappings that will
be written to the devices:
- IP Address - the IP address mapped to the role.
- Mask - the mask associated with each IP address. Masking an IP address is only supported on N-Series Gold and Platinum devices.
- Role - the role mapped to the IP address.
- Tagged Packet VLAN to Role Mapping - Lists the device-level and
port-level mappings that will
be written to the devices:
- Device/Port Level - indicates whether the mapping is a device-level mapping (all devices) or a port-level mapping (IP address and port description). Port-level mappings on frozen ports will be enforced.
- VLAN - the VLAN mapped to the role.
- Role - the role mapped to the VLAN.
- Authentication Based VLAN (RFC 3580) to Role Mapping - Lists the mappings that will
be written to the devices:
- VLAN - the VLAN mapped to the role.
- Role - the role mapped to the VLAN.
- Event Log Button
- Opens the Events tab filtered to display events with an Event Type of Policy.
- Enforce Button
- Enforces the roles, classification rules and VLANs in the current data file to the devices, based on the level of support available on the devices as indicated in the Enforce Preview window.
