ExtremeSwitching (EXOS)


Management of Policy Files in EXOS

  • 1.  Management of Policy Files in EXOS

    Posted 02-23-2018 18:44

    Hi there,

    Does anyone have any tips for managing .pol files on EXOS switches?

    I notice that there used to be a piece of software called EPM, Extreme Policy Manager (no relation to Enterasys Netsight Policy Manager) which helped with the management and editing of files but it seems this is a legacy product now.

    I am making extensive use of ACLs and UDP forwarding profiles and need the ability to manage these files on switches more effectively, so I am looking for some ideas.

    In the Cisco/Enterasys world this was easy, as the ACL is stored in the config file. I held them all offline in text files, edited them locally on our PCs and automatically pushed them up to the switches, blowing away the ACL and pushing the new ACL in. Quick and dirty, but it makes sure everything stays neat and tidy, gets backed up along with the config, and there is no chance of it getting accidentally unbound from the interface/VLAN.

    With EXOS this is more cumbersome, as the file is only read on startup or refresh. I really don't want the guys editing them on switches with vi, as I know mistakes are going to be made and people are going to forget to back them up or refresh them as well.

    The EXOS web-based editor is okay, but we really want centralised management, not browsing to individual switches. I have also found the web-based editor does not always sync changes to .pol files across all switches in the stack, causing a policy file refresh to fail. If I go in via the CLI, edit and save with no changes, it refreshes with no issues.

    Because of all this I am seriously thinking about ditching local ACL files and using Management Centre (previously OneView / NetSight) and moving to doing ACLs that way. We make extensive use of 802.1x and MAC auth anyway with NAC/Policy Manager, so we might just move to applying ACLs that route - enabling policy steals TCAM resource anyway 🙂.

    That would only leave me with UDP forwarding policies to manage, still annoying but I could deal with it, as changes would be infrequent and any mistakes would have little impact.

    Just wondered what some of you guys are doing, suggestions etc?

    Thanks,
    Mark.


  • 2.  RE: Management of Policy Files in EXOS

    Posted 05-07-2021 14:39

    Hi

    I’m struggling with the exact same problem. Unfortunately, this 3-year-old post without any replies is the most useful hit on Google.

    It being 2021, I’m looking for how to implement this with Ansible, for a variety of reasons: version control, the ability to generate custom ACLs depending on a number of variables, and Ansible’s dry-run diff functionality.

    Any clues on how to progress with this? I expected this to be trivial bread-and-butter functionality, but I’m stuck from the very beginning.

    Does the EXOS platform even support acting as an SCP _server_? I’ve done some rudimentary stuff with Ansible, but I’ve seen no evidence that the Ansible exos_* modules support handling the policy files, which are handled outside of the general configuration.



  • 3.  RE: Management of Policy Files in EXOS

    Posted 05-07-2021 20:20

    Hi,

    It is possible to use the scp2 command on the switch to upload/download .pol files. It is also possible to invoke scp from the outside to the switch. For the former, the EXOS Command Reference is great. For the latter, please see the Security chapter of the EXOS User Guide, in the Secure Socket Layer section: https://documentation.extremenetworks.com/exos_30.6/downloads/EXOS_User_Guide_30_6.pdf

    SFTP could also be used from the outside (later part of the same User Guide chapter).

    BTW, if it’s about edge switches and XMC is in place as in the original question, has the Policy feature been considered?

    Hope that helps,

    Tomasz



  • 4.  RE: Management of Policy Files in EXOS

    Posted 05-10-2021 14:34

    Thanks, this helped me progress a step.

    No idea what scp2 is in the Linux world; I used the ubiquitous OpenSSH scp client. In the Linux world, this will upload foo.pol to $HOME:

    scp foo.pol ansible@192.168.1.249:./foo.pol

    Seems like removing the absolute path solved the problem:

    scp foo.pol ansible@192.168.1.249:foo.pol

    Files seem to end up in /usr/local/cfg, so there is some magic happening behind the scenes.

    Using the built-in Ansible module copy does not work, as Ansible tries to copy the file to a temp dir.

    I had better luck with ansible.netcommon.net_put; the drawback is that this module does not support diff mode.

    Any best practices from others? On Junos, this works fantastically.

    I have not really looked into using XMC for this; at first glance, XMC does not have any possibility to generate the policy files from external sources like an IPAM/inventory database.
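As an added example (not from any poster in this thread), a small offline structural lint for .pol files that can run in a version-control hook or an Ansible pre-task before a file is pushed with scp, so the editing mistakes the original post worries about are caught before the file reaches the switch. It assumes the simplified EXOS "entry { if ... { } then { } }" layout shown in the constructed sample, and it does not replace the switch's own policy check or the refresh step.

```python
import re
# Constructed sample .pol (assumption: simplified EXOS entry/if/then layout).
SAMPLE_POL = """\
entry deny_telnet {
    if match all {
        protocol tcp;
        destination-port 23;
    } then {
        deny;
    }
}
"""
ENTRY_RE = re.compile(r"^entry\s+(\S+)\s*\{$")
IF_RE = re.compile(r"^if(\s+match\s+(all|any))?\s*\{$")
THEN_RE = re.compile(r"^\}\s*then\s*\{$")

def lint_policy(text):
    """Return [(line_no, message), ...] for structural problems in a .pol text: bad or
    duplicate entry headers, a missing '} then {' block, statements without ';', unbalanced braces."""
    problems, names, depth, then_seen = [], set(), 0, False
    for no, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line:
            continue
        if depth == 0:                      # top level: expecting 'entry <name> {'
            m = ENTRY_RE.match(line)
            if not m:
                problems.append((no, "expected 'entry <name> {'"))
                continue
            if m.group(1) in names:
                problems.append((no, "duplicate entry name " + m.group(1)))
            names.add(m.group(1))
            depth, then_seen = 1, False
        elif depth == 1:                    # inside an entry: 'if ... {' or closing '}'
            if IF_RE.match(line):
                depth = 2
            elif line == "}":
                if not then_seen:
                    problems.append((no, "entry closed without a 'then' block"))
                depth = 0
            else:
                problems.append((no, "expected 'if [match all|any] {' or '}'"))
        elif THEN_RE.match(line):           # inside the if block: switch to the then block
            then_seen = True
        elif line == "}":                   # closes the if or then block
            depth = 1
        elif not line.endswith(";"):        # a condition or action statement
            problems.append((no, "statement missing trailing ';'"))
    if depth:
        problems.append((len(text.splitlines()), "unbalanced braces at end of file"))
    return problems
```

A non-empty result is a reason to stop the push; an empty result only means the file is structurally sound, not that the switch will accept every keyword in it.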