Management of Policy Files in EXOS

Mark_Lamond
New Contributor III
Hi there,

Does anyone have any tips for managing .pol files on EXOS switches?

I notice that there used to be a piece of software called EPM, Extreme Policy Manager (no relation to Enterasys NetSight Policy Manager), which helped with the management and editing of files, but it seems this is a legacy product now.

I am making extensive use of ACLs and UDP forwarding profiles and need the ability to manage these files on switches more effectively, so I am looking for some ideas.

In the Cisco/Enterasys world this was easy, as the ACL is stored in the config file. I held them all offline in text files, edited them locally on our PCs and automatically pushed them up to the switches, blowing away the ACL and pushing the new ACL in. Quick and dirty, but it makes sure everything stays neat and tidy, gets backed up along with the config, and there is no chance of it getting accidentally unbound from the interface/VLAN.

With EXOS this is more cumbersome, as the file is only read on startup or refresh. I really don't want the guys editing them on switches with vi, as I know mistakes are going to be made and people are going to forget to back up or refresh them as well.

The EXOS web-based editor is okay, but we really want centralised management, not browsing to individual switches. I have also found the web-based editor does not always sync changes to .pol files across all switches in the stack, causing a policy file refresh to fail. If I go in via the CLI, edit and save with no changes, it refreshes with no issues.

Because of all this I am seriously thinking about ditching local ACL files, using Management Center (previously OneView / NetSight) and moving to doing ACLs that way. We make extensive use of 802.1X and MAC auth anyway with NAC/Policy Manager, so we might just move to applying ACLs that route; enabling policy steals TCAM resources anyway.

That would only leave me with UDP forwarding policies to manage, still annoying, but I could deal with it as changes would be infrequent and any mistakes would have little impact.

Just wondered what some of you guys are doing, suggestions etc?

Thanks,
Mark.
3 REPLIES

svitsjemannen
New Contributor

Thanks, this helped me progress a step.

No idea what scp2 is in the Linux world; I used the ubiquitous OpenSSH scp client. In the Linux world, this would upload foo.pol to $HOME:

scp foo.pol ansible@192.168.1.249:./foo.pol

 

Seems like removing the absolute path solved the problem:

 

scp foo.pol ansible@192.168.1.249:foo.pol

 

Files seem to end up in /usr/local/cfg, so there is some magic happening behind the scenes.

 

Using the built-in Ansible module copy does not work, as Ansible tries to copy the file to a temp dir.

 

I had better luck with ansible.netcommon.net_put; the drawback is that this module does not support diff mode.

 

Any best practices from others? On Junos, this works fantastically.

 

I have not really looked into using XMC for this; at first glance, XMC does not have any way to generate the policy files from external sources like an IPAM/inventory database.

 

 

 
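The thread asks for three things the EXOS tooling does not give out of the box: generating a .pol file from an external inventory, a dry-run diff before pushing, and a push that refreshes the policy afterwards. Below is an added example that does exactly that; it is not code from the thread, from Extreme, or from any Ansible collection. It assumes, as reported above, that scp with a bare remote filename lands the file in /usr/local/cfg, and that the EXOS CLI commands `check policy <name>` and `refresh policy <name>` can be run over ssh. The inventory, host and user names are constructed for illustration.

```python
"""Generate an EXOS .pol file from inventory data, diff it against the last copy
pushed, and push + refresh it over scp/ssh.

Added example, not code from the thread or from Extreme. Assumes, as the thread
reports, that scp with a bare remote filename lands in /usr/local/cfg, and that
the EXOS CLI commands `check policy <name>` and `refresh policy <name>` can be
run over ssh. Inventory, host and user are constructed for illustration.
"""
import difflib
import re
import subprocess
import sys
from pathlib import Path
from typing import Dict, List

# Constructed sample: the kind of record an IPAM/inventory export would give us.
INVENTORY: List[Dict] = [
    {"name": "dns", "proto": "udp", "dst": "10.0.0.53/32", "dport": 53},
    {"name": "ntp", "proto": "udp", "dst": "10.0.0.123/32", "dport": 123},
]

def render_entry(name: str, match: Dict[str, str], actions: List[str]) -> str:
    """Emit one EXOS policy entry: entry <name> { if { ... } then { ... } }."""
    cond = "".join(f"        {k} {v};\n" for k, v in match.items())
    acts = "".join(f"        {a};\n" for a in actions)
    return f"entry {name} {{\n    if {{\n{cond}    }} then {{\n{acts}    }}\n}}\n"

def render_policy(inventory: List[Dict]) -> str:
    """Permit and count each listed service; an empty `if` block matches
    everything, so the trailing deny_all entry is the catch-all."""
    entries = []
    for svc in inventory:
        match = {
            "protocol": svc["proto"],
            "destination-address": svc["dst"],
            "destination-port": str(svc["dport"]),
        }
        entries.append(render_entry(f"allow_{svc['name']}", match,
                                    ["permit", f"count {svc['name']}"]))
    entries.append(render_entry("deny_all", {}, ["deny", "count denied"]))
    return "".join(entries)

def lint_policy(text: str) -> List[str]:
    """Offline sanity checks for mistakes that would make `refresh policy` fail."""
    problems = []
    names = re.findall(r"^entry\s+(\S+)\s*\{", text, re.M)
    dups = sorted({n for n in names if names.count(n) > 1})
    if dups:
        problems.append(f"duplicate entry names: {dups}")
    if text.count("{") != text.count("}"):
        problems.append("unbalanced braces")
    if not names:
        problems.append("no entries found")
    return problems

def policy_diff(deployed: str, generated: str, name: str) -> str:
    """Unified diff for a dry run; an empty string means nothing to push."""
    return "".join(difflib.unified_diff(
        deployed.splitlines(keepends=True), generated.splitlines(keepends=True),
        fromfile=f"switch:/usr/local/cfg/{name}.pol", tofile=f"generated/{name}.pol"))

def push_commands(host: str, user: str, name: str, local_path: str) -> List[List[str]]:
    """Bare remote filename (no /usr/local/cfg prefix), then check before refresh."""
    target = f"{user}@{host}"
    return [
        ["scp", local_path, f"{target}:{name}.pol"],
        ["ssh", target, f"check policy {name}"],
        ["ssh", target, f"refresh policy {name}"],
    ]

def main(argv: List[str]) -> int:
    """Usage: pol_push.py <host> <user> <policy-name> [--push]"""
    if len(argv) < 4:
        print(main.__doc__)
        return 2
    host, user, name = argv[1:4]
    generated = render_policy(INVENTORY)
    problems = lint_policy(generated)
    if problems:
        print("refusing to push:", "; ".join(problems))
        return 1
    cache = Path("deployed") / f"{name}.pol"      # last copy we pushed
    deployed = cache.read_text() if cache.exists() else ""
    diff = policy_diff(deployed, generated, name)
    print(diff or "no changes")
    if diff and "--push" in argv:
        local = Path("generated") / f"{name}.pol"
        local.parent.mkdir(exist_ok=True)
        local.write_text(generated)
        for cmd in push_commands(host, user, name, str(local)):
            subprocess.run(cmd, check=True)   # stop at the first failing step
        cache.parent.mkdir(exist_ok=True)
        cache.write_text(generated)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without `--push` to get the dry-run diff that net_put lacks; with `--push`, the scp upload is followed by `check policy`, so a syntax error is caught before `refresh policy` touches the running ACL. The same three steps map directly onto ansible.netcommon.net_put plus two cli_command tasks if you would rather keep the push inside a playbook and only use the generator and diff from here.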

Tomasz
Valued Contributor II

Hi,

 

It is possible to use the scp2 command on the switch to upload/download .pol files. It is also possible to invoke scp from the outside to the switch. For the former, the EXOS Command Reference is great. For the latter, please see the Security chapter of the EXOS User Guide, in the Secure Socket Layer section: https://documentation.extremenetworks.com/exos_30.6/downloads/EXOS_User_Guide_30_6.pdf


 

SFTP could also be used from the outside (later part of the same User Guide chapter):


 

BTW, if it's about edge switches and XMC is in place as in the original question, has the Policy feature been considered?

 

Hope that helps,

Tomasz

svitsjemannen
New Contributor

Hi

 

I'm struggling with the exact same problem. Unfortunately, this 3-year-old post without any replies is the most useful hit on Google.

 

It being 2021, I'm looking for how to implement this with Ansible for a variety of reasons: version control, the ability to generate custom ACLs depending on a number of variables, and Ansible's dry-run diff functionality.

 

Any clues on how to progress with this? I expected this to be trivial bread-and-butter functionality, but I'm stuck from the very beginning.

Does the EXOS platform even support acting as an SCP _server_? I've done some rudimentary stuff with Ansible, but I've seen no evidence that the Ansible exos_* modules support handling the policy files, which are handled outside of the general configuration.

 

 

 
