Questions to EXOS access-lists

  • Question
  • Updated 9 months ago
  • Answered
I am working with Extreme ACLs based on the current EXOS firmware (16.2 or 21.1). I have some questions from the daily business tasks with ACLs.

If I make changes to the .pol file, how can I reload the new policy file, i.e. how do I make the changes active?
Currently I unconfigure the ACL from all ports and re-configure it again. I am looking for a smarter way.

How can I keep a policy/ACL identical on several switches when some changes are necessary? I played around with copying the files via WinSCP (later via NetSight scripts), but this has some strange effects (for example if I overwrite an existing file). Any suggestions?

I use an ACL for mirroring specific traffic to a port. One rule has "mirror;" as action modifier, and then I "enable mirror to port x".
That works fine; I have only one mirror instance per switch.
But what can I do if I want to have two or more independent ACL-based mirrors on the same switch? The ACL action "mirror" gives no hint of a specific mirror instance. Is there a special trick, or is this a current EXOS limitation?

Thanks a lot to anybody who can help me with my questions.


Regards,
Matthias
M.Nees, Embassador


Posted 9 months ago

Brandon Clay, Escalation Support Engineer

Hi Matthias,

To reload the policy file, you can do 'refresh policy <policy_name>'.

For the mirroring via ACL to multiple mirror instances, you can create the mirror instances with 'create mirror <name>', then use 'mirror <name>' in the policy file to mirror to a specific instance.

Regarding syncing policy files between switches, I don't have a great answer for that one. SCP/tftp would probably be the easiest solution. I would suggest opening up a GTAC case regarding the strange effects you see with copying via WinSCP so we can further investigate that.
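A worked example of the two named-mirror steps from the answer above, followed by the refresh step. This is added here for illustration and is not part of Brandon's answer or of any Extreme documentation: the policy file name, entry names, mirror instance names and port numbers are all constructed placeholders, the lines starting with "#" are explanatory notes rather than policy syntax, and the exact command forms should be confirmed against the EXOS Concepts Guide for the release in use.

```text
# --- constructed example policy file, e.g. /usr/local/cfg/mirror_acl.pol ---
# Each entry sends its matching traffic to a different named mirror instance,
# so two independent ACL-based mirrors can coexist on one switch.
entry mirror_dns {
    if {
        protocol udp;
        destination-port 53;
    } then {
        mirror mon_dns;
        permit;
    }
}
entry mirror_web {
    if {
        protocol tcp;
        destination-port 443;
    } then {
        mirror mon_web;
        permit;
    }
}
entry catch_all {
    if {
    } then {
        permit;
    }
}

# --- constructed CLI sequence (port numbers are placeholders) ---
# 1. create the named mirror instances and point each at its monitor port
create mirror mon_dns
configure mirror mon_dns to port 47
enable mirror mon_dns
create mirror mon_web
configure mirror mon_web to port 48
enable mirror mon_web
# 2. apply the policy to the ports whose ingress traffic should be inspected
configure access-list mirror_acl ports 1-24 ingress
# 3. after editing the .pol file, re-read it in place instead of
#    unconfiguring and re-configuring it on every port
refresh policy mirror_acl
```

The catch_all entry keeps the policy's default behaviour explicit: without a trailing permit, traffic that matches no entry is handled by the platform default, so an ACL that is meant only to mirror should not accidentally become a filter.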
M.Nees, Embassador

Hi Brandon,

In some older emails I found a tool from Extreme Networks called "Extreme Networks Policy Manager" to manage ACLs.
Do you know that tool?
If yes, is it officially supported?
Is it working with current 16.x and 2x.x EXOS versions?

Regards,
Matthias
Alexandr P, Embassador

Hi, Matthias!

If I understand right, Policy Manager is part of the NMS NetSight, where you can map a policy to many managed switches.

Also (as a workaround) you can copy one policy file to all switches and enable this policy file with a script which runs it on all of them at the same time.

Thank you!
M.Nees, Embassador

Hi Alexandr,

We have to be very careful with the names "policy" and "policy manager".

Extreme Policies are the ACLs (of Summit and BD) which I ask about above. But they currently cannot be distributed by NetSight Policy Manager.

Extreme ONEPolicy are the legacy Enterasys Policies, which can be distributed by NetSight PM very easily and smoothly. But ONEPolicies very often have HW limits which prevent extensive rulesets, and they are NOT able to provide logging for troubleshooting. These disadvantages do not exist (at that level) with the original Extreme Policies = ACLs, so I prefer them.

I found the old Extreme Policy Manager (from before the Extreme and Enterasys merger), which supports my needs for smooth deployment of ACL rules to several switches.
https://extremenetworks-ua.com/assets/files/EPM/Extreme-Networks-Policy-Manager.pdf

But I still have the question: is this software working and supported with recent EXOS?


Regards,
Matthias
Bin, Employee

Hello Matthias,
Access List Manager has been removed from Extreme Management Center (NetSight) as of 8.0x.

https://community.extremenetworks.com/extreme/topics/cant-find-access-list-manager-editor-in-emc-8-0...

Best regards,
Bin
M.Nees, Embassador

Hi Bin,

Thank you for the clarification.

The ACL Manager you mean, which was part of the legacy NetSight Java tools until v8.0, can only handle EOS (=Enterasys) VLAN ACLs or maybe Cisco ACLs.
Not original Extreme ACLs (Policies).

Regards,
Matthias