Extreme Networks Policy Manager (EPM) 1.2 User Guide, page 75

True Action Selection Panel

This panel allows you to select from a list of actions for the compare TRUE condition. If the match 
conditions are evaluated TRUE, then the actions specified here are executed.

Match Condition Selection Panel

This panel allows you to select from a list of match conditions.

permit

Changes the existing ACL to permit. All packets that match the conditional 
statements of the specified ACL are allowed to pass to their destinations.

deny

Changes the existing ACL to deny. All packets that match the conditional 
statements of the specified ACL are dropped.

qosprofile

Modifies an existing ACL to set the QoS profile for traffic that matches that 
rule.

mirror

This action modifies an existing ACL rule to mirror traffic that matches that 
rule, or to stop mirroring that traffic. The mirroring port must be enabled when 
mirroring on an ACL rule is turned on. This can be configured beforehand, or the 
cli action can be used to execute the CLI commands that configure mirroring at 
the same time.

cli

This action executes a CLI command. There is no authentication, and the validity 
of each command is not checked. If a command fails, the CLI logs a message 
in the EMS log. The message (FieldOne) must be placed in quotes. 

snmptrap

This action sends an SNMP trap message to the trap server, with a 
configurable ID and message string, when the rule is triggered. The message is 
sent periodically with interval <period> seconds. If <period> is 0, or if this 
optional parameter is not present, the message is sent only once when the rule 
is triggered. The interval must be a multiple of the rule sampling/evaluation 
interval, or the value will be rounded down to a multiple of the rule sampling/
evaluation interval. The message (FieldTwo) must be placed in quotes. 

syslog

This action sends log messages to the ExtremeXOS EMS server. The possible 
values for message level are: DEBU, INFO, NOTI, WARN, ERRO, and CRIT. 
The message is sent periodically with interval <period> seconds. If <period> is 
0, or if this optional parameter is not present, the message is sent only once 
when the rule is triggered. The interval must be a multiple of the rule 
sampling/evaluation interval, or the value will be rounded down to a multiple of 
the rule sampling/evaluation interval. The messages are logged on both MSMs, 
so if the backup log is sent to the primary MSM, then the primary MSM will 
have duplicate log messages. The message (FieldOne) must be placed in 
quotes.

global-rule

The global-rule statement is optional and affects how the counters are treated. 
An ACL that defines counters can be applied to more than one interface. In 
the original release of CLEAR-Flow, however, any counters used in an 
expression were evaluated only for the particular interface to which the 
CLEAR-Flow rule was applied. Beginning with the ExtremeXOS 11.2 release, you 
can specify the global-rule statement so that counters are evaluated for all the 
applied interfaces. For example, if a policy that defines a counter is applied to 
ports 1:1 and 2:1, a CLEAR-Flow rule that uses the global-rule statement 
sums the counts from both ports. Without the global-rule statement, the 
CLEAR-Flow rule looks only at the counts received on one port at a time.
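The two behaviours described above for counter rules, the global-rule summing and the rounding of a syslog/snmptrap period down to a multiple of the sampling interval, modelled in Python as an added example (not code from the guide or from ExtremeXOS). The rule name, counter name, port numbers, packet counts and the 200-packet threshold are constructed for the illustration.

```python
"""Model of two CLEAR-Flow behaviours from the action reference (added example)."""
from dataclasses import dataclass


def effective_period(period: int, sampling_interval: int) -> int:
    """Round an action period down to a multiple of the rule sampling interval.

    0 (or an absent period) means the message is sent once, when the rule
    triggers. Assumption: a period shorter than one sampling interval rounds
    down to 0 and therefore also fires only once.
    """
    if period <= 0:
        return 0
    return period - (period % sampling_interval)


@dataclass
class CounterRule:
    """A count-threshold rule applied to several ports (constructed model)."""
    name: str
    counter: str
    threshold: int
    global_rule: bool = False

    def evaluate(self, samples: dict[str, dict[str, int]]) -> dict[str, bool]:
        """Return, per port, whether the rule triggers for one sampling interval.

        samples maps port -> {counter name -> packets counted in this interval}.
        With global-rule the counts of every applied port are summed and the
        rule is judged once for all of them; without it each port is judged on
        its own counts only, so traffic spread across ports can stay below the
        threshold on every port while exceeding it in total.
        """
        if self.global_rule:
            total = sum(p.get(self.counter, 0) for p in samples.values())
            hit = total >= self.threshold
            return {port: hit for port in samples}
        return {port: p.get(self.counter, 0) >= self.threshold
                for port, p in samples.items()}


def action_fire_times(period: int, sampling_interval: int, horizon: int) -> list[int]:
    """Seconds after the first trigger at which a periodic syslog/snmptrap
    message is sent, assuming the rule stays triggered for `horizon` seconds."""
    eff = effective_period(period, sampling_interval)
    if eff == 0:
        return [0]
    return list(range(0, horizon, eff))


# Constructed sample: 150 matching packets per interval on each of two ports,
# against a rule whose threshold is 200 packets.
SAMPLES = {"1:1": {"acl_icmp": 150}, "2:1": {"acl_icmp": 150}}
PER_PORT = CounterRule("CF_ICMP", "acl_icmp", threshold=200)
SUMMED = CounterRule("CF_ICMP", "acl_icmp", threshold=200, global_rule=True)

if __name__ == "__main__":
    print("per-port evaluation:", PER_PORT.evaluate(SAMPLES))  # no port reaches 200
    print("global-rule evaluation:", SUMMED.evaluate(SAMPLES))  # 300 in total, triggers
    print("period 25 s, sampling 10 s ->", effective_period(25, 10), "s")
    print("message times over 60 s:", action_fire_times(25, 10, 60))
```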
