Policy Left Panel
The left panel of the Policy tab contains tabs that display hierarchical trees representing the roles, services, classes of service, VLANs, network resources, devices, and port groups involved in managing policies for your network. What you select in the left panel determines what is displayed in the right panel. When you first open the Policy tab, the Roles tab is displayed in the left panel, by default.
Features of the left panel include:
- Expanding and collapsing items in the hierarchy: Double-click the item or its icon, or select the turner to the left of the icon.
- Right-click menus: Right-click a folder or other item in the left panel, and a menu of the actions available for your selection appears.
Information on the left-panel tabs:
- Roles/Services Tab
- Class of Service Tab
- VLAN Tab
- Network Resources Configuration
- Devices/Port Groups Tab
Roles/Services Tab
This tab displays the Roles and Service Repository trees.
Roles Tree
The Roles tree lists the roles defined for the current domain. A role is a set of network access services that can be applied at various access points in a policy-enabled network.
- Roles Folder
- This folder contains the roles defined for the current domain. See How to Create a Role for more information.
- Role
- Individual roles are listed by name. Select a role in the left panel, and view information about that role in the right-panel tabs. Only Quarantine roles are displayed with a red icon.
Service Repository Tree
The Service Repository tree displays your Local and Global services and service groups. Services are sets of rules that define how network traffic for a particular network service or application is handled by a network access device. Local Services are services unique to the current domain. Global Services are services common to all domains. The tab also displays your network resource groups.
- Local Services Folder
- Local Services are services unique to the current domain. This folder contains the local service groups and services defined for the current domain. For more information, see How to Create a Service Group.
- Global Services Folder
- Global Services are services that are common across all domains. This folder contains the global service groups and services shared by all domains. For more information, see How to Create a Service Group.
- Service Groups Folder
- The Policy tab lets you create categories (service groups) into which you can group services. This folder contains the defined service groups. For more information, see How to Create a Service Group.
- Service Group
- Individual service groups are listed by name. Expand the service group to see the services and service groups included in that group.
- Services Folder
- This folder contains the automated and manual services that have been defined. For more information, see How to Create a Service.
- Automated Service
- Individual Automated services are listed under the Services Folder or within a service group in the Service Groups folder.
- Manual Service
- Individual Manual services are listed under the Services Folder. Expand the service to see the rules associated with it.
- Rule
- Individual rules are listed by name. If the rule is disabled, the rule icon displays a red X. If the rule is device-specific, the rule icon displays a small switch.
Class of Service Tab
The left panel Class of Service tab displays your Classes of Service defined for the current domain.
Classes of Service prioritize traffic with an 802.1p priority, and optionally an IP type of service (ToS/DSCP) value, rate limits, and transmit queue configuration. You can then assign the class of service as a classification rule action, as part of the definition of an Automated service, or as a role default. For more information, see Getting Started with Class of Service.
- Classes of Service Folder
- When you first access the Policy tab, the left-panel Classes of Service tab is pre-populated with eight classes of service, each associated with one of the 802.1p priorities (0-7). These are static classes of service and cannot be deleted. You can use these classes of service as is, or configure them to include ToS/DSCP, rate limit, and/or transmit queue values. You can also rename them, if desired, and create your own classes of service. After you have created and defined your classes of service, they are available when you make a class of service selection for a rule action (Rule tab), a role default (General tab), or an automated service (General tab).
- Class of Service
- Select a Class of Service in the left panel, and view information about that service in the right-panel tabs. For more information, see How to Create a Class of Service.
- CoS Components Folder
- This folder contains subfolders of the possible components of a class of service (Rate Limits, Inbound Rate Limit Port Groups, Outbound Rate Limit Port Groups, and Transmit Queue Port Groups).
- Rate Limits Folder
- This folder contains the currently defined rate limits, listed in the order of precedence. For more information, see How to Define Rate Limits.
- Inbound Rate Limit Port Groups
- This folder contains the currently defined inbound rate limit port groups. Select a port group in the left panel and view information about that group in the right-panel tabs. For more information, see Creating Class of Service Port Groups.
- Outbound Rate Limit Port Groups
- This folder contains the currently defined outbound rate limit port groups. Select a port group in the left panel and view information about that group in the right-panel tabs. For more information, see Creating Class of Service Port Groups.
- Transmit Queue Port Groups Folder
- This folder contains the currently defined transmit queue port groups and the transmit queues defined for each group. For more information, see How to Configure Transmit Queues.
VLAN Tab
The left panel VLAN tab displays the Global VLANs for the current domain. If you have enabled Policy VLAN Islands, it also displays your Island VLANs and Policy VLAN Islands.
- Global VLANs Folder
- This folder contains your currently defined global VLANs for this domain.
- VLAN
- The VLAN icon indicates the access control for the VLAN: if it is a Discard VLAN, the icon displays a red X. Otherwise, it is a Contain VLAN.
- Island VLANs Folder
- This folder appears only when the Policy VLAN Islands feature is enabled, and contains your currently defined Island VLANs for this domain.
- Policy VLAN Islands Folder
- This folder appears only when the Policy VLAN Islands feature is enabled, and contains your currently defined VLAN islands and the devices that belong to them. When you enable Policy VLAN Islands, this folder is pre-populated with a Default Island containing all the devices in the domain.
- VLAN Island
- Select a VLAN island to see the devices associated with it listed in the right-panel Details View tab. The Default Island is created by the Policy tab when you enable Policy VLAN Islands, and it cannot be deleted.
Network Resources Configuration
The Network Resources left-panel tab displays the network resources and network resource topologies for the current domain.
- Network Resources Folder
- This folder contains any network resource groups you have created. For more information, see How to Create a Network Resource.
- Network Resource
- Individual network resource groups are listed by name. Select a resource in the left panel, and view information about that resource in the right-panel tabs.
- Global Network Resources Folder
- Global Network Resources are network resources that are common across all domains. For more information, see How to Create a Network Resource.
- Network Resource Topologies Folder
- This folder contains the network resource topologies currently defined for this domain.
- Network Resource Topology
- A network resource topology can be used to divide the devices in a domain into groups called islands. You can then define a unique network resource list for each island within that topology, allowing user access to resources on the network based on the physical location at which they authenticate. If you are not using custom topologies to group your devices, you will use the Domain Wide topology, which contains just one island for all your domain devices.
- Topology Island
- A topology island is a group of devices that have a unique network resource list, allowing you to set up network resource access based on the location where end users authenticate.
Devices/Port Groups Tab
This tab displays the Devices and Port Groups trees.
Devices Tree
The Devices tree displays the devices assigned to the current domain, organized into groups.
- Devices
- This tab contains all the devices assigned to the current domain. For information on adding devices to the domain, see How to Add and Delete Devices.
ExtremeControl > Policy supports Per-User ACLs (PU-ACL) from third-party vendors passed via RADIUS authentication requests. During a policy enforce, the roles and associated rules are translated into ACLs and pushed to the appropriate Access Control Engines. You can manage ACL rules on ExtremeXOS/Switch Engine devices on which version 30.5 or later is installed. With ACLs, the administrator can order the access control entries (ACEs), which allows more flexibility in the configuration and better utilization of hardware resources on the device.
The Control > Policy > Devices/Port Groups > Devices tab includes ACL Rule Usage and Rule Hit Count details.
- Port Groups
- This tab contains the Pre-Defined and User-Defined Port Groups for the current domain. The Policy tab allows ports to be combined into groups, similar to the way devices are combined into device groups. Port groups enable you to configure multiple ports on the same device or on different devices simultaneously, or to retrieve port information from them. For more information, see How to Create a Port Group.
