manualshive.com logo in svg

Extreme Networks Policy Manager, User Manual

"Extreme Networks Policy Manager comes with a comprehensive User Manual to help users navigate through the software seamlessly. You can download the manual for free from our website to maximize the potential of this powerful network management tool."

Share
Download
background image

Extreme Networks Policy Manager (EPM) 1.2 User Guide

9

1

Overview

Introduction 

This chapter describes the following sections: 

Description of the Extreme Networks Policy Manager on page 9

About This Manual on page 10

Editions of the EPM on page 10

Description of the Extreme Networks Policy Manager

The Extreme Networks Policy Manager (EPM) is a client application for the configuration and 
management of Access Control Lists (ACLs) and Continuous Learning, Examination, Action and 
Reporting of Flows (CLEAR-Flow or CF) on EXOS-based Extreme Networks switches. It is a GUI-based 
software download designed to simplify the management process. 

ACLs are used to perform packet filtering and forwarding decisions on traffic traversing the switch. 
Each packet arriving on an ingress port and/or VLAN is compared to the access list applied to that 
interface and is either permitted or denied. ACLs are typically applied to traffic that crosses Layer 3 
router boundaries, but is possible to use access lists within a Layer 2 virtual LAN (VLAN). 

CLEAR-Flow is an extension to ACLs that implements security, monitoring, and anomaly detection in 
Extreme XOS software. ACL policy rules are created to count packets of interest. CLEAR-Flow rules are 
added to the policy to monitor the ACL counter statistics for situations of interest in the individual 
network. Such situations can include: the cumulative value of a counter; the change to a counter over a 
sampling interval; the ratio of two counters; or even the ratio of the changes of two counters over an 
interval. For example, monitoring the ratio between TCP SYN and TCP packets might show an 
abnormally large ratio which may indicate a SYN attack. 

The counters used in CLEAR-Flow are either defined by the user in an ACL entry, or can be a 
predefined counter. Refer to a list and description of these counters in Appendix A 

on page 63

If the rule conditions are met, the CLEAR-Flow actions configured in the rule are executed. The switch 
can respond by modifying an ACL that will block, prioritize, or mirror the traffic, executing a set of CLI 
commands, or sending a report using a SNMP trap or EMS log message. 

For additional information about ACLs or CLEAR-Flow refer to the 

ExtremeXOS Concepts Guide.

 

Summary of Contents for Policy Manager

Page 1: ...onroe Street Santa Clara California 95051 888 257 3000 408 579 2800 http www extremenetworks com Extreme Networks Policy Manager EPM Supervisor Edition User Guide Version 1 2 Published November 2007 P...

Page 2: ...s or registered trademarks of Extreme Networks Inc or its subsidiaries in the United States and or other countries Adobe Flash and Macromedia are registered trademarks of Adobe Systems Incorporated in...

Page 3: ...ies and Rules 15 Introduction 15 Opening the EPM 15 Configuring the EPM for use on a Switch 18 Description of the Windows and Menus 20 The EPM Desktop 20 Menu Bar 21 Toolbar 23 Status Panel 23 Status...

Page 4: ...to an Activated Policy 47 Managing Global and Policy Variables 48 Organizing Rules 49 Deleting Policies 49 Managing Policy Activity 50 Activating and Deactivating a Policy 50 Disabling a Rule 52 Chap...

Page 5: ...e Networks Policy Manager EPM 1 2 User Guide 5 Match Condition Selection Panel 75 Appendix B Troubleshooting 77 Introduction 77 Connectivity Problems 77 EXOS Compatibility Problems 77 Local Client Run...

Page 6: ...Table of Contents Extreme Networks Policy Manager EPM 1 2 User Guide 6...

Page 7: ...Local Area Networks and assumes a basic working knowledge of Local Area Networks LANs Ethernet concepts Ethernet switching and bridging concepts Routing concepts Access Control Lists ACLs CLEAR Flow N...

Page 8: ...s manuals at http www extremenetworks com services documentation Table 2 Text Conventions Convention Description Screen displays This typeface represents information as it appears on the screen Screen...

Page 9: ...tual LAN VLAN CLEAR Flow is an extension to ACLs that implements security monitoring and anomaly detection in Extreme XOS software ACL policy rules are created to count packets of interest CLEAR Flow...

Page 10: ...xtreme Networks Policy Manager and the User Guide contents 2 Installing EPM Describes the hardware software and switch requirements and explains the installation process 3 Viewing Policies and Rules D...

Page 11: ...s Summit X150 X250e X450 X450a and X450e series BlackDiamond 10808 BlackDiamond 12800 series NOTE Although the BlackDiamond 8800 and Summit switches listed above support the EPM they do not support CL...

Page 12: ...primary b run update c enable ssh2 d enable clear flow for CLEAR Flow supported switches For additional information refer to the ExtremeXOS Command Reference Guide and the ExtremeXOS Concepts Guide A...

Page 13: ...le click the installation bundle executable icon On Linux run the installation script sh file from an xterm window The Setup Wizard window is launched as shown below NOTE Installation on Linux uses th...

Page 14: ...Networks Policy Manager EPM 1 2 User Guide 14 The Wizard then extracts and installs the files and displays e Notification of the file installation f The following Information window and g The followin...

Page 15: ...Each policy is viewed and edited individually and only one policy can be open at a time If one policy is open in the program and the user attempts to open or create another the EPM prompts with a sav...

Page 16: ...Viewing Policies and Rules Extreme Networks Policy Manager EPM 1 2 User Guide 16 The first time the EPM program is launched the following message is displayed...

Page 17: ...pen and save local policies only a If it finds a TFTP server the following notice is displayed Refer to Configuring the EPM for use on a Switch on page 18 to set the policy staging directory b If it d...

Page 18: ...m the menu A file Open box is displayed b Point to the TFTP server s root directory as shown below c Click Open The box closes and the file staging directory is set The local IP address is set To set...

Page 19: ...reme Networks Policy Manager EPM 1 2 User Guide 19 The file search directory is pointing towards the policy files as shown below This is the default Choose Tools Properties Set file search directory t...

Page 20: ...and the Rule Navigator window which is described on page 29 Some window elements are common to both the Rule Editor and the Rule Navigator windows The following screen identifies those common elements...

Page 21: ...efer to Exporting Rules on page 42 Exit Closes the EPM View Shows and hides certain panels in the window When one or more is hidden the shown panels expand to fill the window Status Panel Shows and hi...

Page 22: ...box to set the public side address of your NAT Network Address Translation if appropriate Set files search directory Sets the default directory for finding policy files when a policy is opened locall...

Page 23: ...ese logs are described below with examples of the screens The Alerts tab displays the alerts log messages Alerts are warnings or notices about an action or error that may or may not have inhibited EPM...

Page 24: ...capture lines for a log choose Tools Properties Message Capture Set Capture Size from the menu The Policy Information tab is displayed when a policy is opened and shows Information and Notes about tha...

Page 25: ...resh button that manually updates any modified activity Status Bar The Status Bar displays the current activity of the EPM When it is not executing a function it reads Idle Otherwise it shows an expla...

Page 26: ...el discussed on page 27 Rule Properties Panel discussed on page 28 Hide and Show the Panels The different window panels can be hidden or shown by Clicking the up down and side arrow points adjacent to...

Page 27: ...ach rule in the policy If the rules are reordered the position numbers for the rules change accordingly Rank The rank number is used to indicate the order in which the rules are stored in the policy f...

Page 28: ...the packet matches the match conditions the then permit or deny statement If the packet matches all the match conditions and if there is no action specified in the then statement permit is used by def...

Page 29: ...CLEAR Flow Rules CF and CF Rule Detail The Access Control List ACL Rules panel displays the names of the ACL rules that are included in the policy that is open ACL Rule Detail displays the raw rule te...

Page 30: ...version a Policy Version Notice box is displayed that requests more information a Click OK A Policy Version Selection box is displayed b From the Versions panel select an appropriate version based on...

Page 31: ...s of the switch to which you want to connect b The Virtual Router on which the SSH server traffic is routed c The Admin Login ID d The associated Admin Password Then click OK An Operation Progress box...

Page 32: ...when the program is connected to a switch and are either not displayed or not enabled in the local mode These include the following The Status Panel s Rule Activity tab is displayed only when connecte...

Page 33: ...ocedure 1 In the text box located in the Toolbar type all or part of the desired rule name for instance ACK 2 Click the Find Rule icon The first rule in the Rule Editing and Viewing Panel that matches...

Page 34: ...elect the features on which to search and in the text field type specific values For example In the first box select Match condition args and in the second box Contains In the text field type count Th...

Page 35: ...rules from the policy select the rule and click the Delete command button CAUTION The Delete command button removes a rule from the policy completely not only in this action 10 If desired mark any ru...

Page 36: ...the windows and panels For example in the screens below the rule ACL_ICMP_REP was selected by the user from the Tree Structure Panel The same selection appears automatically in all other rule viewing...

Page 37: ...llowing procedure 1 From the Menu choose Policy New Policy or File New or click the icon The Policy Version Selection box opens 2 From the Versions panel select either 02 00 00 or 03 00 00 and click O...

Page 38: ...box also displays information consistent with the selection 6 Click Next If applicable a dialog box opens for the next match condition Continue the process until arguments have been selected for each...

Page 39: ...ave As Local The Save box opens 2 In the File Name field type a new policy name ending in pol and click Save A Validation Notice box is displayed that confirms the Policy rules were successfully saved...

Page 40: ...he saved policy name is displayed in the Tree Structure Panel followed by the IP address of the switch NOTE A policy name must be an alpha numeric string between 1 and 32 characters in length ending i...

Page 41: ...another policy source into the currently open policy target are merged or added to the rules already in the existing policy To import rules into a policy use the following procedure 1 Open the target...

Page 42: ...e name NOTE Rules must be marked to be exported 2 From the Menu Bar choose File Export To Policy File The Save box opens 3 Select the target policy and click Save The Confirm Export box opens as shown...

Page 43: ...page 45 Renaming a Rule Reclassifying a Rule Changing Rule Parameters Managing Global and Policy Variables on page 48 Organizing Rules on page 49 Deleting Policies on page 49 Managing Policy Activity...

Page 44: ...within a policy Adding Rules Rules can be added to an existing policy in the following ways Create a new rule as described in Creating a New Rule for a Policy on page 37 The new rule can be positione...

Page 45: ...sting rule Renaming a Rule To change the name of a rule use the following procedure 1 In the Rule Editing and Viewing Panel or the Rule Navigator window right click a rule and from the menu displayed...

Page 46: ...l click the rule to be modified The parameters are shown in the Rule Properties Panel under the Rule Parameters tab as shown below Adding parameters to a rule a To add a new Match Condition Action or...

Page 47: ...Yes The parameter is deleted from the rule Should the delete process be inconsistent with rule requirements a Parameter Notice is displayed that explains the requirements For example d Continue the pr...

Page 48: ...Variables The following Global or Policy Variable Manager dialog box is displayed 2 To add a variable click the Add button To edit a variable select the variable that is to be edited and click the Edi...

Page 49: ...se this command when rules have been added or deleted from an existing policy or when the original ranks were determined without using the algorithm Rearrange the rules according to rank by choosing P...

Page 50: ...ing procedure 1 From the menu choose Policy Activity A Policy Activity Manager dialog box is displayed as shown below 2 To activate the policy on a port click the Activate Port command button The foll...

Page 51: ...s that are activated for policies other than the policy that is currently loaded in the EPM All VLANs and ports that are active for the current policy are shown in black and all other active VLANs and...

Page 52: ...one or more individual rules within a policy can be disabled by using the following procedure 1 In the Rule Editing and Viewing Panel or the Rule Navigator Window right click the rule to be disabled...

Page 53: ...F_TCP_THRESHOLD 4 In the Rule Editor window set the following views as shown in the screen below a In the Tree Structure Panel click the Rules by Reference tab This shows that the two rules are connec...

Page 54: ...more detail see To Save to a Switch on page 39 4 When the Policy Entry dialog box opens it prompts with the policy name that was used locally That name is accepted here by clicking OK For other optio...

Page 55: ...e Activity tab is displayed in the Status Panel The Rule Editor window now appears as follows Activate the Policy on a Port Observe in the screen above under the Rule Activity tab of the Status Panel...

Page 56: ...red stating that Recent changes have not been committed to the switch configuration Click the Commit command button A Commit Confirmation box opens 5 Click Yes The now disabled Commit command button i...

Page 57: ...the argument of 100 packets for the count parameter is changed to 200 packets 1 Open the policy Example_TCP_Threshold pol 2 In the Rule Editing and Viewing Panel select the rule CF_TCP_THRESHOLD In t...

Page 58: ...licy being changed is currently activated on a switch 8 Exit the EPM Example 2 Example_TCP_UDP_Balance pol This example uses two ACL rules and one CLEAR Flow rule to track the ratio of TCP to UCP pack...

Page 59: ...find one or more that fit given criteria Suppose there are one or more particularly useful and workable rules that the user would like to use again perhaps with modifications in a new policy Rather t...

Page 60: ...he text field Then click Search Two rules matching the criteria ACL_UDP and ACL_TCP are displayed in the lower left text box 4 Click one of the rules The raw rule text is displayed in the right box wi...

Page 61: ...the export function simplifies the process Use the following procedure 1 In this example mark the rule either from the Search Policy box before closing or from the right click menu From the menu choos...

Page 62: ...Running Extreme Networks Policy Manager Examples Extreme Networks Policy Manager EPM 1 2 User Guide 62...

Page 63: ...ion Selection Panel on page 69 Action Modifier Selection Panel on page 70 True Action Selection Panel on page 75 Match Condition Selection Panel on page 75 Predefined CLEAR Flow System Counters Name T...

Page 64: ...Excds counterreference sys_IcmpOutParmProbs counterreference sys_IcmpOutSrcQuenchs counterreference sys_IcmpOutRedirects counterreference sys_IcmpOutEchos counterreference sys_IcmpOutEchoReps counterr...

Page 65: ...yslog Levels CRIT level syslog ACK TCP Flags 0x10 bitfield tcpflags FIN TCP Flags 0x01 bitfield tcpflags PUSH TCP Flags 0x08 bitfield tcpflags RST TCP Flags 0x04 bitfield tcpflags SYN TCP Flags 0x02 b...

Page 66: ...errange port klogin Service Ports 543 numberrange port kpasswd Service Ports 761 numberrange port krb prop Service Ports 754 numberrange port krbupdate Service Ports 760 numberrange port kshell Servic...

Page 67: ...v3 report IGMP Message Types 0x22 number igmptype v2 leave IGMP Message Types 0x17 number igmptype query IGMP Message Types 0x11 number igmptype echo reply ICMP Types 0 number icmptype echo request IC...

Page 68: ...hibited ICMP Codes 10 number icmpcode destination host unknown ICMP Codes 7 number icmpcode destination network prohibited ICMP Codes 9 number icmpcode destination network unknown ICMP Codes 6 number...

Page 69: ...ic value you can specify one of the following text synonyms the field values are also listed afs 1483 bgp 179 biff 512 bootpc 68 bootps 67 cmd 514 cvspserver 2401 DHCP 67 domain 53 eklogin 2105 ekshel...

Page 70: ...ement 9 router solicit 10 source quench 4 timeexceeded 11 timestamp 13 timestamp reply 14 or unreachable 3 icmp code ICMP code field This value or keyword provides more specific information than the i...

Page 71: ...y discard criterion sys_IpOutNoRoutes The number of IP packets discarded because no route could be found to transmit them to their destination Note that this counter includes any packets counted in ip...

Page 72: ...s discovered within ICMP such as a lack of buffers This value should not include errors discovered outside the ICMP layer such as the inability of IP to route the resultant datagram In some implementa...

Page 73: ...mpInReports The number of Host Membership Report messages that have been received on this interface for this group address sys_IgmpInLeaves The number of incoming IGMP leave requests sys_IgmpInErrors...

Page 74: ...in the IP ARP cache otherwise the packet is forwarded normally Only fast path traffic can be redirected This capability can be used to implement Policy Based Routing You may want to create a static AR...

Page 75: ...ameter is not present the message is sent only once when the rule is triggered The interval must be a multiple of the rule sampling evaluation interval or the value will be rounded down to a multiple...

Page 76: ...eresis can be specified as floating point numbers and the ratio is computed as a floating point number The ratio statement specifies how to compare the ratio of two counters with its threshold The val...

Page 77: ...e of a NAT Check that the TFTP server is running on the client and listing on port 69 Check that the file staging directory is set to the TFTP server s root directory Check that the user running the E...

Page 78: ...Rule and Policy Version Problems When the policy does not support CLEAR Flow check the following Verify that the user specified version 3 when opening an external policy file If not reopen the policy...

Page 79: ...ription 9 Rules panel 29 conventions text 8 creating new policies 37 new rule 37 D deactivate policies 51 deleting policies 49 rule parameters 47 rules 44 disable rules 52 E editing rule parameters 46...

Page 80: ...27 Rule Editor Window 26 Rule Editing and Viewing Panel 27 Rule Properties Panel 28 Tree Structure Panel 27 Rule Information tab 28 Rule Navigator Window 29 Access Control List ACL Rules panel 29 CLE...

Page 81: ...rence list 65 T TCNT definition 27 text conventions 7 TFTP server 12 toolbar icons 23 Tree Structure Panel 27 Trigger Count see TCNT Trivial File Transfer Protocol see TFTP troubleshooting 77 Type Sel...

Page 82: ...Index Extreme Networks Policy Manager EPM 1 2 User Guide 82...

Reviews:

No comments

Related manuals for Policy Manager

Xerox C8 - DocuPrint Color Inkjet Printer User Manual preview
C8 - DocuPrint Color Inkjet Printer
Brand: Xerox Pages: 458
Xerox FreeFlow Important Installation Information preview
FreeFlow
Brand: Xerox Pages: 2
Xerox C8 - DocuPrint Color Inkjet Printer Manual preview
C8 - DocuPrint Color Inkjet Printer
Brand: Xerox Pages: 51
Juniper SECURITY THREAT RESPONSE MANAGER - LOG MANAGEMENT INSTALLATION REV 1 Installation Manual preview
SECURITY THREAT RESPONSE MANAGER - LOG MANAGEMENT INSTALLATION REV 1
Brand: Juniper Pages: 30
ALK CoPilot CoPilot Live Smartphone User Manual preview
CoPilot CoPilot Live Smartphone
Brand: ALK Pages: 42
Avaya CPSEE_TSP500 User Manual preview
CPSEE_TSP500
Brand: Avaya Pages: 216
TeleType GPS WoldNav User Manual preview
WoldNav
Brand: TeleType GPS Pages: 64
TeleNav GPS Navigator v4.1 User Manual preview
GPS Navigator v4.1
Brand: TeleNav Pages: 29
MMSOFT Design Pulseway User Manual preview
Pulseway
Brand: MMSOFT Design Pages: 85
Ulead BURN.NOW 1.5 User Manual preview
BURN.NOW 1.5
Brand: Ulead Pages: 60
DeLorme XMap 6 User Manual preview
XMap 6
Brand: DeLorme Pages: 437
Remote Reality OneShot360 User Manual preview
OneShot360
Brand: Remote Reality Pages: 61
F-SECURE MOBILE ANTI-VIRUS FOR SERIES 60 User Manual preview
MOBILE ANTI-VIRUS FOR SERIES 60
Brand: F-SECURE Pages: 90
Intel AFCSASRISER User Manual preview
AFCSASRISER
Brand: Intel Pages: 192
Autodesk 495B1-05A111-1301 - 3ds Max Design 2010 User Manual preview
495B1-05A111-1301 - 3ds Max Design 2010
Brand: Autodesk Pages: 916
Yamaha CL3 Installation Manual preview
CL3
Brand: Yamaha Pages: 8
Bay Networks Bay Dial VPN Configuration And Troubleshooting Manual preview
Bay Dial VPN
Brand: Bay Networks Pages: 186
IBC BoilerNet Interface Controller II User Manual preview
BoilerNet Interface Controller II
Brand: IBC Pages: 52

Brands by name

Popular brands

Load more brands