How many Policy Domains? One or many?

Robert_Fredette
New Contributor
I wanted to get opinions on setting up Policy domains for our environment. We have a very simple set of requirements which boil down to this:
  • a set of policies for Edge Switches
  • a different set of policies with very little duplication for Top of Rack switches
  • a completely different set of policies for our Core Switches
What is the feeling? Is it better to have ONE policy domain for all switches and only apply the Rules to ports as needed? Or is it better to have three policy domains in our case?

None of the switches would qualify to be in more than one of the domains if we went the multiple domain route.

Zdeněk_Pala
Extreme Employee
I believe the general rule here comes with the answer to the following question:
Do you need the same roles in the edge, in the ToR and in the Core?

If the answer is "yes, we need every role everywhere" then you need one policy domain.

If the answer is "no, the set of roles is not overlapping" then you need more policy domains.

If the answer is "some roles need to be everywhere, but the majority do not" then you can use global services as was suggested by Jeremy.

IMHO the reason for more policy domains is related to hardware limitations: if you have a small number of roles you can use one policy domain everywhere even if you do not need edge roles in the core...
Regards Zdeněk Pala

Robert_Fredette
New Contributor
Jeremy,
Thank you! That makes sense. I forgot about the Global rules. We also don't use policy very much on the core, our current use is a VERY special thing that we are looking to replace with better spanning tree implementations soon. As for our Top of Rack we do mix some connections - like having an HVAC unit on them - hence the mix of some of the rules.

Ahh, I see. Makes sense! I have heard of people doing that before, although it sounds like a nightmare if something goes wrong.

Uhh... well, we are using Policy to block BPDUs at the ports on the core from the edge switches. That makes each edge switch grouping its own STP domain. We can still run edgeport and loop protect on the edge switches but don't suffer the big STP domain reconfigs.