Header Only - DO NOT REMOVE - Extreme Networks

How many Policy Domains? One or many?


I wanted to get opinions on setting up Policy domains for our environment. We have a very simple set of requirements which boil down to this:
  • a set of policies for Edge Switches
  • a different set of policies with very little duplication for Top of Rack switches
  • a completely different set of policies for our Core Switches
What is the feeling? Is it better to have ONE policy domain for all switches and only apply the Rules to ports as needed? Or is it better to have three policy domains in our case?

None of the switches would qualify to be in more than one of the domains if we went the multiple domain route.

6 replies

I use the global rule container to make rules and use them between various policy domains. Also, depending on the capabilities of the equipment, it may be easier to have separate domains. We don't use policy at the ToR or Core, just at the edge.
Jeremy,
Thank you! That makes sense. I forgot about the Global rules. We also don't use policy very much on the core, our current use is a VERY special thing that we are looking to replace with better spanning tree implementations soon. As for our Top of Rack we do mix some connections - like having an HVAC unit on them - hence the mix of some of the rules.
Robert Fredette wrote:

Jeremy,
Thank you! That makes sense. I forgot about the Global rules. We also don't use policy very much on the core, our current use is a VERY special thing that we are looking to replace with better spanning tree implementations soon. As for our Top of Rack we do mix some connections - like having an HVAC unit on them - hence the mix of some of the rules.

Hmm... what are you doing at the core that is very special? Spanning tree is a pain in the rear!
Robert Fredette wrote:

Jeremy,
Thank you! That makes sense. I forgot about the Global rules. We also don't use policy very much on the core, our current use is a VERY special thing that we are looking to replace with better spanning tree implementations soon. As for our Top of Rack we do mix some connections - like having an HVAC unit on them - hence the mix of some of the rules.

Uhh... well we are using Policy to block BPDUs at the ports on the core from the edge switches. That makes each edge switch grouping its own STP domain. We can still run edgeport and loop protect on the edge switches but don't suffer the big STP domain reconfigs.
Robert Fredette wrote:

Jeremy,
Thank you! That makes sense. I forgot about the Global rules. We also don't use policy very much on the core, our current use is a VERY special thing that we are looking to replace with better spanning tree implementations soon. As for our Top of Rack we do mix some connections - like having an HVAC unit on them - hence the mix of some of the rules.

Ahh, I see. Makes sense! I have heard of people doing that before, although it sounds like a nightmare if something goes wrong.
I believe the general rule here comes with the answer to the following question:
Do you need the same roles at the edge, in the ToR and in the Core?

If the answer is "yes, we need every role everywhere", then you need one policy domain.

If the answer is "no, the sets of roles do not overlap", then you need more policy domains.

If the answer is "some roles need to be everywhere, but the majority do not", then you can use global services as was suggested by Jeremy.

IMHO the reason for more policy domains is related to the hardware limitations = if you have a small number of roles you can use one policy domain everywhere even if you do not need edge roles in the core...

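The rule of thumb in the last reply (every role everywhere: one domain; disjoint role sets: one domain per tier; partial overlap: per-tier domains plus the global rule container; hardware limits decide the rest) can be turned into a small planning check. The following is an added example written for this thread, not Extreme Networks code and not any poster's configuration: the tier names, role names and the `max_roles_per_domain` limit are constructed or assumed, since the real per-domain limit depends on the switch model.

```python
"""Decision helper for the one-vs-many policy domain question.

Added example, not Extreme Networks' code or any poster's setup. Role names
are constructed; the hardware limit is an assumed, caller-supplied number.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample input modelled on the thread: edge, Top of Rack and core
# switches each need different roles, with one role (the HVAC units hanging
# off the ToR switches) shared between two tiers. "BlockBPDU" stands in for
# the core-side rule that drops BPDUs from the edge uplinks.
SAMPLE_TIERS: Dict[str, Set[str]] = {
    "edge": {"Staff", "Guest", "Printer", "VoIP", "HVAC"},
    "tor": {"Server", "Hypervisor", "HVAC"},
    "core": {"BlockBPDU"},
}


@dataclass
class DomainPlan:
    recommendation: str  # "one-domain", "multi-domain" or "multi-domain+global"
    domains: Dict[str, Set[str]] = field(default_factory=dict)  # domain -> local roles
    global_roles: Set[str] = field(default_factory=set)  # build once in the global container
    over_limit: List[str] = field(default_factory=list)  # domains exceeding the role limit
    single_domain_fits: Optional[bool] = None  # would one domain also fit the limit?


def plan_domains(tiers: Dict[str, Set[str]],
                 max_roles_per_domain: Optional[int] = None) -> DomainPlan:
    """Apply the thread's rule of thumb to a tier -> required roles mapping."""
    if not tiers:
        raise ValueError("need at least one switch tier")
    all_roles = set().union(*tiers.values())
    # How many tiers need each role.
    usage = Counter(role for roles in tiers.values() for role in roles)
    everywhere = {r for r, n in usage.items() if n == len(tiers)}
    shared = {r for r, n in usage.items() if n > 1}

    if everywhere == all_roles:
        # Every role is needed on every tier: one domain, nothing to split.
        plan = DomainPlan("one-domain", domains={"all": set(all_roles)})
    elif not shared:
        # Disjoint role sets: one domain per tier, no global rules needed.
        plan = DomainPlan("multi-domain",
                          domains={t: set(r) for t, r in tiers.items()})
    else:
        # Partial overlap: per-tier domains, shared roles move to the global container.
        plan = DomainPlan("multi-domain+global",
                          domains={t: r - shared for t, r in tiers.items()},
                          global_roles=shared)

    if max_roles_per_domain is not None:
        # A domain must hold its local roles plus the global roles it uses, which
        # for a per-tier domain is exactly that tier's required role set.
        for name in plan.domains:
            needed = all_roles if plan.recommendation == "one-domain" else tiers[name]
            if len(needed) > max_roles_per_domain:
                plan.over_limit.append(name)
        plan.single_domain_fits = len(all_roles) <= max_roles_per_domain
    return plan


def describe(plan: DomainPlan) -> str:
    """Human-readable summary of a plan."""
    lines = [f"recommendation: {plan.recommendation}"]
    for name, roles in plan.domains.items():
        lines.append(f"  domain {name}: {sorted(roles)}")
    if plan.global_roles:
        lines.append(f"  global container: {sorted(plan.global_roles)}")
    if plan.over_limit:
        lines.append(f"  over hardware limit: {plan.over_limit}")
    if plan.single_domain_fits is not None:
        lines.append(f"  one domain would fit the limit: {plan.single_domain_fits}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(plan_domains(SAMPLE_TIERS, max_roles_per_domain=3)))
```

With the sample input the helper recommends per-tier domains with `HVAC` in the global container; passing a small assumed limit such as 3 flags the edge domain as over the limit and reports that collapsing everything into one domain would not fit either, which is the hardware-driven decision the reply describes.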