This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How many Policy Domains? One or many?

How many Policy Domains? One or many?

Robert_Fredette
New Contributor

‎08-21-2017 05:57 PM

I wanted to get opinions on setting up Policy domains for our environment. We have a very simple set of requirements which boil down to this:
  • a set of policies for Edge Switches
  • a different set of policies with very little duplication for Top of Rack switches
  • a completely different set of policies for our Core Switches
What is the feeling? Is it better to have ONE policy domain for all switches and only apply the Rules to ports as needed? Or is it better to have three policy domains in our case?

None of the switches would qualify to be in more than one of the domains if we went the multiple domain route.
0 Kudos
6 REPLIES 6

Zdeněk_Pala
Extreme Employee

‎08-24-2017 10:21 AM

I believe the general rule here comes with answer for following question:
Do you need same roles in the edge in the ToR and in the Core?

if the answer is "yes we need every role everywhere" then you need one policy domain.

if the answer is "no the set of roles is not overlapping" then you need more policy domains.

if the answer is "some roles needs to be everywhere, but majority not" then you can use global services as was suggested by Jeremy.

IMHO the reason for more policy domains is related to the hardware limitations = if you have small amount of roles you can use one policy domain everywhere even if you do not need edge roles in the core...
Regards Zdeněk Pala
0 Kudos

Robert_Fredette
New Contributor

‎08-21-2017 06:20 PM

Jeremy,
Thank you! That makes sense. I forgot about the Global rules. We also don't use policy very much on the core, our current use is a VERY special thing that we are looking to replace with better spanning tree implementations soon. As for our Top of Rack we do mix some connections - like having an HVAC unit on them - hence the mix of some of the rules.

0 Kudos

Jeremy_Gibbs
Contributor
In response to Robert_Fredette

‎08-21-2017 06:20 PM

Ahh, I see. Makes sense! I have heard of people doing that before, although it sounds like a nightmare if something goes wrong.
0 Kudos

Robert_Fredette
New Contributor
In response to Robert_Fredette

‎08-21-2017 06:20 PM

Uhh... well we are using Policy to block BPDUs at the ports on the core from the edge switches. That makes each edge switch grouping it's own STP domain. We can still run edgeport and loop protect on the edge switches but don't suffer the big STP domain reconfigs.
0 Kudos
GTM-P2G8KFN