EAC: Policy rule, do I need an "any deny" role or not?

  • 20 September 2019
  • 4 replies

Hello There

I'm just learning about configuring EAC, and I have a question about configuring policy rules.

I understand that to allow or deny traffic in a policy rule I must add the needed policy roles to the rule.
Now my question: when I allow the needed traffic in the rule, is there also an ANY DENY role needed in the rule to block all other traffic?

Thank you for the answers.



Hi Rien,

Policy Role is a container for Classification Rules (in XMC they are contained within Services and/or Service Groups). A policy role defines the default traffic handling behavior for a device (or I should say access port) that is enabled with that role (either statically or through AAA). So this is something where you can consider "any deny" or "any allow" (or also other options from all the possibilities). Then, you override this behavior with classification rules that can do something else (e.g. the role can deny all, a rule can allow a certain type of traffic, or still deny, but also mirror or syslog the packet, if the hardware supports this policy action).

You might also want to see the EXOS User Guide for a nice explanation of Policy operation from the hardware side:

And for clarity, Policy and EAC are two complementary features, but they are not strictly bound together. You can use Policy without NAC, and NAC on non-policy (e.g. 3rd party) access devices.

Hope that helps,
Hello Tomasz

Thank you for your answer.

I understand that Policies and EAC (NAC) are two features, but I'm talking about the policies, rules and roles in the EAC (NAC) appliance configured via the XMC application (located in the XMC Control module).

If I understand it correctly, the role defined in the rule overrides the basic role set for that rule.
So that means: when the basic role in the rule is DENY, and there is 1 role in the rule with "ALLOW ICMP" (as an example), the rule will allow the ICMP traffic and block all other traffic.

Is this correct?

If so, then the answer to my first question will be: No, there is no need for a DENY ANY role if the basic role in the rule is DENY.
Have I understood this correctly?

Thank you for your answers and help in understanding the technology.

Regards, Rien
Hello Rien,

In the XMC Control menu the Policy tab is about the Policy feature that is inherent to EOS and EXOS switches and ExtremeWireless. It's under the same Control menu as all the rest, but this one is not unique to EAC. You can define roles and rules and apply them to your EXOS switches without EAC.

Regarding your second paragraph, I suppose we have mixed ourselves up a bit between "role" and "rule". 😉 Please correct me if I'm wrong. The role defines the default action for user traffic and rules override this default action for certain packet types. So if you have a rule e.g. "Reachability Testing Machine" and it has a default action of Deny, it can have a rule assigned which is about permitting ICMP. Then, all the traffic will be blocked except ICMP.

Yes, if you have a default action of deny for a user type (role), there is no need to create a rule to deny any. Please remember that it would also be impossible on EXOS/EOS switches, as Policy does not have a processing order. I mean, multiple actions from different rules of a role can be taken if they are not mutually exclusive. Only if you enforce a policy domain to the wireless controller will you see some top-to-bottom order of rules, as this is the way that controller works.

Hope that helps,
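A minimal model of the role/rule semantics described in the answer above (an added example, not code from this thread or from Extreme's XMC; the class and function names and the conflict handling are assumptions of the model). It shows why a role with a default action of Deny needs no "deny any" rule, and that the outcome does not depend on the order in which rules are listed.

```python
# Added example: a simplified model of Policy role/rule evaluation.
# Not Extreme's implementation; names and semantics below are assumptions.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class ClassificationRule:
    name: str
    match: dict                       # e.g. {"ip_proto": "icmp"}; empty dict matches all traffic
    access: Optional[str] = None      # "permit", "deny", or None (no access-control action)
    extra: frozenset = frozenset()    # non-exclusive actions such as "mirror" or "syslog"

@dataclass
class PolicyRole:
    name: str
    default_access: str               # handling of traffic no rule takes an access action on
    rules: list = field(default_factory=list)

def rule_matches(rule, packet):
    """A rule matches when every field it classifies on equals the packet's value."""
    return all(packet.get(k) == v for k, v in rule.match.items())

def evaluate(role, packet):
    """Return (access, extra_actions) for one packet.
    Matching rules are treated as an unordered set, as the thread notes Policy
    has no processing order on EXOS/EOS. Two matching rules with opposing
    access actions are mutually exclusive; this model refuses such a
    configuration rather than guessing a winner (assumption)."""
    matched = [r for r in role.rules if rule_matches(r, packet)]
    accesses = {r.access for r in matched if r.access is not None}
    if len(accesses) > 1:
        raise ValueError(f"conflicting access actions: {[r.name for r in matched]}")
    access = accesses.pop() if accesses else role.default_access
    extra = frozenset().union(*(r.extra for r in matched))
    return access, extra

# Constructed sample role: default Deny, one rule permitting ICMP, one rule
# that only syslogs DNS traffic (still denied by the role's default).
reach_test = PolicyRole("Reachability Testing Machine", "deny", [
    ClassificationRule("Permit ICMP", {"ip_proto": "icmp"}, access="permit"),
    ClassificationRule("Log DNS", {"ip_proto": "udp", "dst_port": 53}, extra=frozenset({"syslog"})),
])

if __name__ == "__main__":
    for pkt in ({"ip_proto": "icmp"}, {"ip_proto": "udp", "dst_port": 53}, {"ip_proto": "tcp", "dst_port": 80}):
        print(pkt, "->", evaluate(reach_test, pkt))
```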
Hello Tomasz

Thank you for your answers.

Yes, that helps.
I agree that I used the terms rule and role wrongly.
Thank you for the clarification, it helps a lot.

Regards, Rien