How many Policy Domains? One or many?

I wanted to get opinions on setting up Policy domains for our environment.  We have a very simple set of requirements which boil down to this:
  • a set of policies for Edge Switches
  • a different set of policies with very little duplication for Top of Rack switches
  • a completely different set of policies for our Core Switches
What is the feeling?  Is it better to have ONE policy domain for all switches and only apply the Rules to ports as needed?  Or is it better to have three policy domains in our case?

None of the switches would qualify to be in more than one of the domains if we went the multiple domain route.
Robert Fredette

Posted 10 months ago

Jeremy, Ambassador
I use the global rule container to make rules and use them between various policy domains.   Also, depending on the capabilities of the equipment, it may be easier to have separate domains.  We don't use policy at the ToR or Core, just at the edge.
Robert Fredette
Jeremy,
Thank you!  That makes sense.  I forgot about the Global rules.  We also don't use policy very much on the core, our current use is a VERY special thing that we are looking to replace with better spanning tree implementations soon.  As for our Top of Rack we do mix some connections - like having an HVAC unit on them - hence the mix of some of the rules.
Jeremy, Ambassador
Hmm... what are you doing at the core that is very special?  Spanning tree is a pain in the rear! 
Robert Fredette
Uhh... well, we are using Policy to block BPDUs at the ports on the core from the edge switches.  That makes each edge switch grouping its own STP domain.  We can still run edgeport and loop protect on the edge switches but don't suffer the big STP domain reconfigs.
Jeremy, Ambassador
Ahh, I see.  Makes sense!  I have heard of people doing that before, although it sounds like a nightmare if something goes wrong.
Pala, Zdenek, Employee
I believe the general rule here comes with the answer to the following question:
Do you need the same roles in the edge, in the ToR and in the Core?

If the answer is "yes, we need every role everywhere", then you need one policy domain.

If the answer is "no, the sets of roles do not overlap", then you need more policy domains.

If the answer is "some roles need to be everywhere, but the majority do not", then you can use global services, as was suggested by Jeremy.

IMHO the reason for more policy domains is related to hardware limitations: if you have a small number of roles you can use one policy domain everywhere, even if you do not need edge roles in the core...