Getting Started with Policy Manager gives you an overview of Policy Manager, and provides a quick tour of its components using a policy configuration demo file. It also includes a summary of the basic steps you must perform to create and configure policies with Policy Manager.
Because Getting Started is meant to be used side-by-side with Policy Manager, it will be most useful if you install Policy Manager first. Once Policy Manager is installed, you can use the steps and suggestions below as an aid in planning and implementing your network policy profiles using Policy Manager.
TIP: A Getting Started Wizard appears when you first launch Policy Manager and can also be accessed from the Help menu (Help > Getting Started). The wizard provides an overview of Policy Manager features and functionality. It also provides a quick and easy way to access the actual windows where you perform basic Policy Manager tasks, such as importing devices, and creating roles and services.
It is recommended that you read the following Policy Manager information in sequence before you implement Policy Manager on your network:
This guide includes the following information:
Policy Manager enables you to create policy profiles, called roles, that are assigned to the ports in your network. These roles are based on the existing business functions in your company, and consist of services that you create, made up of traffic classification rules. Roles provide four key policy features: traffic containment, traffic filtering, traffic security, and traffic prioritization.
Policy Manager provides authentication via a RADIUS server to identify users at the time they log in to the network. Only after users have been authenticated are they given customized access capabilities based on the role they are assigned.
The illustration below shows the Policy Manager relationship hierarchy, with Rules at the base to define specific packet handling behaviors, Roles at the top to identify specific job functions in the organization, and Services in the middle, providing the interface between the two layers.
Using Policy Manager wizards and configuration tools, you can create multiple roles tailored to your specific needs, and set a default policy for some or all of your network devices and ports. These policies can be deployed on multiple devices throughout your switch fabric. Once the network infrastructure has been empowered to enforce the relationship hierarchy, no further communication with the Policy Manager application is needed.

The Quick Tour assumes that you have installed, but not yet opened, Policy Manager. You do not need to import real devices into Policy Manager in order to take the Quick Tour.
The Quick Tour covers the following features:
The first step in the Quick Tour will be to launch Policy Manager. When you do this, you will see the Getting Started Wizard, which allows you to access some of the basic Policy Manager operations. (You can also access the Getting Started Wizard from the Help Menu.) From there, you will open the Demo.pmd file and start exploring.
Note: If someone else has been using Policy Manager before you, the Demo.pmd or another .pmd file may open when you launch Policy Manager. You can tell what file is open by looking at the left side of the Status Bar at the bottom of the Policy Manager window. Even if Demo.pmd is open, it will be useful to go through the process of opening the file again.
Quick Tour: Opening the Demo.pmd file.
Launch Policy Manager.
From the left panel of the Getting Started Wizard, expand Basic Tasks and select Open the Demo.pmd. Click the Open Demo.pmd button.
In the Open window, navigate to Demo.pmd (located at the top level of your Policy Manager installation directory) and click OK.
The Demo.pmd file opens in the Policy Manager Main window.
Note: You may see a Read-Only Data File message, informing you that if you add to this file, the only way to save it is to use the File > Save As menu option. Click OK to close the message window.
Click on the various left-panel tabs to see the roles, services, network elements, and VLANs that make up the Demo.pmd policy configuration.
Now that you've opened the Demo.pmd file and viewed its left-panel tabs, we will explore Policy Manager in a little more depth.
Quick Tour: Checking out roles.
Click on the left-panel Roles tab in the Policy Manager Main window.
Click on the various roles listed in the left panel, and in the right-panel you'll see tabs that display specific information for each role. Click the right-panel tabs to see the information they contain.

Roles are assigned to users during the authentication process. When a user successfully authenticates, the port is opened, and if there was a role assigned to the user, that role is applied to the port. A role can also be directly assigned to a port as a default role for instances when authenticated users are not assigned a role. If an end user on a port was not assigned a role when logging in (authenticating), or if authentication is inactive on a port, then the port's default role will take effect. However, if a user is assigned a role upon login, then that role will override any default role on the port.
To create and define a role, you can use the Role Wizard or do it using the right-panel Role tabs.
TIP: You can also create a role directly from the Getting Started Wizard. From the left panel of the wizard, expand the Roles and Services folder and select Create a Role.
Quick Tour: Creating a role.
In the Policy Manager left panel, select the Roles tab.
Right-click the Roles folder, and select Create Role.
Enter the role name Office Assistant in the highlighted box and press Enter.
Manual services contain one or more traffic classification rules that define how a network access point will handle traffic for a particular network service or application. For example, you might create a Manual service called "Restricted Employee" that contains a classification rule that discards TCP HTTP traffic.

We will create a Manual service and add it to a role later on. Right now, we'll just take a look at the services in the Demo.pmd file.
Quick Tour: Checking out Services.
In the Demo.pmd:
Click on the left-panel Services tab in the Policy Manager Main window.
Expand the Services folder and the Manual Services folder, and view the list of services.
Expand a service or two to see the individual classification rules that make up the service.
Select a service or two in the left panel to see the right-panel tabs that display specific information for each service. Click the right-panel tabs to see the information they contain.

Quick Tour: Checking out Service Groups.
Click on the left-panel Services tab in the Policy Manager Main window.
Expand the Service Groups folder.
Expand the Acceptable Use Policy service group to see its services. Note that the services listed are also in the Services folder.
After you have defined and created your services, you can easily create a Service Group and then drag and drop your services into the group.
Quick Tour: Creating a Service Group.
In the Policy Manager left panel, select the Services tab.
Right-click the Service Groups folder, and select Create Service Group.
Enter the service group name Trusted User in the highlighted box and press Enter.
Drag and drop one or two of the existing Acceptable Use Policy services from the Acceptable Use Policy service group into the Trusted User service group. Notice that this makes a copy of the existing service in the new folder.
A Traffic Classification rule has two main parts: Traffic Description and Actions. The Traffic Description identifies the traffic classification type for the rule. The Actions specify how traffic matching that classification type will be assigned access control, class of service, or both.
You create a rule for a specific service, but a rule can be added to multiple services simply by using drag and drop to copy the rule from one service to another in the Services tab.
Quick Tour: Checking out Rules.
In the left-panel Services tab, expand the Acceptable Use Policy service group.
Expand the Deny Unsupported Protocol Access service and click on the Discard AppleTalk rule.
Click on the right-panel tabs to see the rule's Traffic Description and Actions.
Add a description to the General Tab, for example: AppleTalk not supported on this network.
Device lists are used to import devices into Policy Manager. They are text files that list network devices and (optionally) their SNMP access information. You can create a Device List using a text editor.
NOTE: There are special utility programs available that will create a device list for you based on your HP OpenView®, NetSight Switch and Topology Manager, or NetSight Element Manager device database. Contact Support for more information.
Once you have created a device list, you can import the devices into the Policy Manager application. Later, you can import new devices or update device data using the same procedures.
Quick Tour: Creating and Importing a Device List.
Using a text editor, create and save a text file that contains the following list of hypothetical devices:
10.20.30.40
10.20.30.50
10.20.30.60
Access the Import from Device List window by selecting File > Import > From Device List.
In the File name field, use the Browse button to navigate to the text file.
In the Format of Device Data area, specify that the device list is in IP Only Format.
In the Application of Imported Data area, select to append the new devices to existing devices.
Click OK. The devices will be imported into the Demo.pmd file and you can see them listed on the Network Elements tab under the Devices folder. Because the devices don't really exist, you won't be able to expand the devices and see any ports.
Once you have imported your devices into Policy Manager you can configure them for authentication, and group ports and devices into logical groups to facilitate defining services and roles.
TIP: You can also open the Import from Device List window directly from the Getting Started Wizard. From the left panel of the wizard, expand the Basic Tasks folder and select Import Devices.
Quick Tour: Viewing the Authentication Settings on a Device.
In the Policy Manager left panel, select the Network Elements tab.
Double-click the Devices folder and select a device.
Note: Because these devices don't really exist, it may take several seconds to time out, and you may see some error messages as Policy Manager tries to get the port information.
In the right panel, look at the Details View tab and scroll to the right. This is where, among other things, you would be able to see whether authentication were enabled on the device.
In the right panel, select the Authentication tab. This tab is where, among other things, you would be able to select either Web-based, MAC, or 802.1X authentication, enable or disable authentication on the selected device, and configure your authentication settings.
Select the RADIUS tab. On this tab you would be able to enable the device as a RADIUS client, and set up communication between the RADIUS client device and the RADIUS server.

Policy Manager provides three pre-defined device groups. When a device is created or imported, it automatically becomes a member of the appropriate pre-defined groups.
Quick Tour: Creating a Device Group.
Let's create a device group using the hypothetical devices we imported:
In the Policy Manager left panel, select the Network Elements tab.
Right-click the Grouped By folder, and select Create Device Group.
Enter the device group name Building Three in the highlighted box and press Enter.
Drag and drop two devices into the device group. Notice that this makes a copy of the devices, and that they are still listed under the Devices folder.
Because we are not using real devices, we will only view the location of the port configuration information, even though no actual ports will be displayed.
Quick Tour: Viewing Port Configuration Information.
Click on the left-panel Network Elements tab in the Policy Manager Main window.
Expand the Devices folder and select a device.
Note: Because these devices don't really exist, you may see some error messages as Policy Manager tries to get the port information.
Even though no ports will show up, note the information available on the right-panel tabs for the ports on the device.
Quick Tour: Checking out Pre-Defined Port Groups.
Click on the left-panel Network Elements tab in the Policy Manager Main window.
Expand the Port Groups folder.
Expand the Pre-Defined Port Groups to see the groups.
Quick Tour: Creating a User-Defined Port Group.
Click on the left-panel Network Elements tab in the Policy Manager Main window.
Expand the Port Groups folder.
Right-click the User-Defined Port Groups folder, and select Create Port Group.
Type in a Port Group name in the highlighted box and press Enter.
Look at the General tab in the right panel. Notice that you can either add individual ports to the group, or specify ranges on all devices to comprise the port group.
When you open a new data file, the Global VLANs folder is prepopulated with the Default VLAN (not to be confused with a default VLAN that is assigned to a role, although the Default VLAN could be a default VLAN for a role). You can then create additional VLANs and assign them as default access control for a role and/or use them to define traffic classification rules. You can view the roles and services associated with a VLAN on the Roles and Services tabs that are displayed when you select the VLAN in the left panel. You can also make role and service changes from these tabs.
Local VLANs are used in Policy VLAN Islands, which enable you to deploy a policy across your network, while restricting user access to only selected local devices. You must select the Policy VLAN Islands Enabled checkbox (on the Edit Menu) to see the Local VLANs folder.
Quick Tour: Checking out VLANs.
Click on the left-panel VLANs tab in the Policy Manager Main window.
Expand the Global VLANs folder to see the individual VLANs.
Click on the Default VLAN listed and view the tabs in the right panel.
Quick Tour: Checking out Classes of Service.
Click on the left-panel Classes of Service tab in the Policy Manager Main window and expand the Classes of Service folder. This folder is pre-populated with classes of service that you can define, or you can create your own.
Select one of the classes of service, and view the tabs in the right panel. You can define the class of service and view how it is being used on these tabs.
Expand the CoS Components folder to see the potential components of a class of service: 802.1p Priorities; IP Type of Service Values; Rate Limits; and Transmit Queue configuration.
Expand the five folders in the CoS Components folder, explore the selections, noticing the right-panel tabs that are available for defining these elements or that provide information on them.
If you are creating roles, services, and rules, and configuring devices and ports from scratch, the wizards can be easier to use. Once you've created everything you need, you may find it easier to make changes and additions on the right-panel tabs, or you may still want to use the wizards, depending on the situation.
The wizards provided by Policy Manager include the Role Wizard, the Service Wizard, the Classification Rule Wizard, the Device Configuration Wizard, the Port Configuration Wizard, the Network Resources Wizard, and the Quarantine Role Wizard. The Service Wizard incorporates the elements of the Classification Rule Wizard, and the Role Wizard incorporates the elements of the Service Wizard, including the Classification Rule Wizard.

In the Quick Tour, we will use the Service Wizard to create a Manual service that includes one classification rule. We will then apply it to the role you created earlier in the Quick Tour.
Quick Tour: Creating a Service Using the Service Wizard.
Let's create a service that discards TCP HTTP traffic.
In the Policy Manager left panel, select the Services tab.
Right-click the Services folder, and select Service Wizard.
Enter Restricted Employee for the service name and click Next.
Make sure the Service Type selected is Manual, and click Next.
Enter Discard HTTP for the classification rule name and click Next.
Choose Enabled as the Rule Status.
Choose Layer 4 - Application Transport as the Traffic Classification Layer, and click Next.
Choose IP TCP Port Destination as the Traffic Classification Type and click Next.
Choose HTTP as the Rule and click Next.
View the Traffic Description Summary and click Next.
Click the Enable Access Control box.
Select Deny Traffic.
Click Next.
View the Classification Rule Summary and click Finish.
TIP: You can also open the Service Wizard directly from the Getting Started Wizard. From the left panel of the wizard, expand the Roles and Services folder and select Create a Service.
Quick Tour: Applying the Service to a Role.
Now that you've created the service, let's add it to the role you created earlier.
In the Policy Manager left panel, select the Roles tab.
Select the role you created earlier (Office Assistant).
In the right panel, select the Services tab.
Click Add/Remove Services. If there is a potential for any rule conflicts, you will see a warning message. Read the message, then click OK to clear the message and go on.
In the left panel of the Add/Remove Services window, select the Restricted Employee service you just created and either double-click it or click Add.
Click OK.
Select the right-panel Roles tab for the service, and note that the role is now associated with the service.
Look at the right side of the Status Bar at the bottom of the window. The "arrow" icon means your new role and its service need to be enforced (written to the devices). We'll talk about that next.
TIP: You can also open the Add/Remove Services window directly from the Getting Started Wizard. From the left panel of the wizard, expand the Roles and Services folder and select Add/Remove Services.
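The following Python sketch is an added illustration, not Policy Manager code and not a description of the .pmd format. It models the role, service, and rule hierarchy built in the Quick Tour, together with the rule stated earlier that a role assigned at login overrides the port's default role. The "Guest" default role, first-match rule ordering, and the permit-by-default action are assumptions made for the example.

```python
# Added illustration: a simplified model of the role/service/rule hierarchy.
# It is not Policy Manager code and does not reflect the .pmd file format.
from dataclasses import dataclass, field
from typing import Optional

HTTP_PORT = 80  # well-known TCP destination port for HTTP


@dataclass(frozen=True)
class Rule:
    """A Traffic Description (protocol + destination port) plus an Action."""
    name: str
    protocol: str          # "tcp" or "udp"
    dst_port: int
    action: str            # "deny" or "permit"
    enabled: bool = True   # mirrors the Rule Status step in the wizard

    def matches(self, protocol: str, dst_port: int) -> bool:
        return self.enabled and (protocol, dst_port) == (self.protocol, self.dst_port)


@dataclass
class Service:
    name: str
    rules: list = field(default_factory=list)


@dataclass
class Role:
    name: str
    services: list = field(default_factory=list)
    default_action: str = "permit"   # assumption: action when no rule matches

    def decide(self, protocol: str, dst_port: int) -> str:
        # Assumption: the first matching rule wins (no conflict handling).
        for service in self.services:
            for rule in service.rules:
                if rule.matches(protocol, dst_port):
                    return rule.action
        return self.default_action


@dataclass
class Port:
    default_role: Optional[Role] = None
    auth_enabled: bool = True

    def effective_role(self, user_role: Optional[Role]) -> Optional[Role]:
        """A role assigned at login overrides the port's default role."""
        if self.auth_enabled and user_role is not None:
            return user_role
        return self.default_role   # no user role, or authentication inactive


def decide_on_port(port, authenticated, user_role, protocol, dst_port):
    """Return (name of the role in force, action) for one packet."""
    if port.auth_enabled and not authenticated:
        return (None, "deny")      # the port is opened only after authentication
    role = port.effective_role(user_role)
    if role is None:
        return (None, "permit")    # assumption: no role means no policy applied
    return (role.name, role.decide(protocol, dst_port))


# Objects named as in the Quick Tour; "Guest" is a hypothetical default role.
discard_http = Rule("Discard HTTP", "tcp", HTTP_PORT, "deny")
restricted = Service("Restricted Employee", [discard_http])
office_assistant = Role("Office Assistant", [restricted])
guest = Role("Guest")
port = Port(default_role=guest)
```
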
To enforce to all devices, you would use the Enforce button in the toolbar or the File > Enforce Role Set menu option. To enforce to a single device, you would right-click the device and select Enforce Role Set from the menu. If you have made any changes that need to be enforced, an "arrow" icon appears on the status bar at the bottom of the Policy Manager window as a reminder.
Quick Tour: Enforcing.
Although we currently have no real devices to enforce to, we'll run through the procedure.
On the Menu bar, click Enforce. You will receive an error message, because there are no actual devices. If there had been real devices, the new role, its associated service (including the service's one rule and the access control you specified) would be written to all the devices.
Note: It is extremely important that you save and back up your .pmd files regularly, as they contain critical information about the state of your network.
To create a new .pmd file, you would use the File > New menu option. To save a data file that you've created, you would use File > Save, and to open a data file other than the one currently displayed you would use File > Open. You can also import policy configuration data from one data file into another data file using the Import from Data File window.
Right now we will just save the current policy configuration to a new .pmd file. This file will include all the data from the Demo.pmd, plus the new rule, service and role you've just created. (You would not be able to save your changes to Demo.pmd, because it is a read-only file.)
Quick Tour: Saving As.
Note that a "diskette" icon appears on the Status Bar. This is a reminder that you need to save data that you've entered in the .pmd file.
From the menu, select File > Save As.
In the Save As window, enter test1.pmd as the File name and click Save. You will see a message explaining the ramifications of saving this file, and suggesting that it be saved in a secure location.
After reading the message, click OK.
Note that the name of the new file now appears on the Status Bar.
Quick Tour: Verifying.
Let's assume that, when you enforced the role you added to the Demo.pmd file, it was written to real devices. We will now re-open the Demo.pmd file, to which the role you created was not saved. Then we will simulate using the Verify feature to determine if the roles currently in force on the devices match the Demo.pmd file.
From the Menu bar, select File > Open and open the Demo.pmd file.
Use File > Import > From Device List to re-import your list of switches.
Click the Verify button on the toolbar. Since there are no actual devices, you will receive an error message. If there had been actual devices, you would receive a message letting you know which devices had roles on them that did not match the roles in the Demo.pmd. You could then Enforce the current .pmd file to the devices.
Quick Tour: Viewing the Event Log.
Click the Events button on the toolbar.
Scroll through the Event Log to see all the things you've done in the Quick Tour.
Try out the Find feature.
Click the File tab and see that you can select an earlier day's log.
Click the Filter tab and try out the filter combinations.
Click Close to exit the Event Log.
Quick Tour: Accessing Help.
Select Help > Help Topics from the menu bar. Note that all aspects of the Help system are available from the Table of Contents in the left panel.
Close the Help window by clicking the X in the upper right hand corner of the window.
Notice what tab is currently displayed in the right panel, then select Help > About This Window from the menu bar. Specific information about the particular tab is displayed, and all aspects of the Help system are still available.
Close the Help window.
In the left panel, select the VLANs tab, then right-click the Global VLANs folder and select Create VLAN.
Click the Help button in the Create VLAN window. Specific information about the Create VLAN window is displayed, and all aspects of the Help system are still available.
Click the Search (magnifying glass) tab in the left panel of the Help window, enter the search term dynamic, and press Enter. A list of the Help files containing that term appears, and the first instance in the first file is highlighted in the right panel. Scroll down to see more instances, or select another file to view instances of the search term in that file.
Close the Help window.
Use the following summary to guide you through the basic steps for using Policy Manager.