Netgear XCM8806 - 8800 SERIES 6-SLOT CHASSIS SWITCH User Manual
Chapter 12. Policy Manager (NETGEAR 8800 User Manual, page 296)
tftp [<host-name> | <ip-address>] {-v <vr_name>} [-g | -p] [{-l [internal-memory <local-file-internal> | memorycard <local-file-memcard> | <local-file>]} {-r <remote-file>} | {-r <remote-file>} {-l [internal-memory <local-file-internal> | memorycard <local-file-memcard> | <local-file>]}]
Checking Policies
A policy file can be checked to see whether it is syntactically correct. To check the policy syntax, use
the following command:
check policy
This command determines only whether the syntax of the policy file is correct and the file can be loaded
into the policy manager database. Because a policy can be used by multiple applications, a
particular application may impose additional constraints on allowable policies.
Refreshing Policies
When a policy file is changed (for example, an entry is added or deleted, or a statement is added,
deleted, or modified), the information in the policy database does not change until the policy is
refreshed. You must refresh the policy so that the latest copy of the policy is used.
When the policy is refreshed, the new policy file is read, processed, and stored in the server
database, and any clients that use the policy are updated. To refresh the policy, use the following
command:
refresh policy
For ACL policies only, while an ACL policy is being refreshed, packets on the
interface are blackholed by default. This protects the switch during the short time that the
policy is being applied to the hardware: an unwanted packet could otherwise be
forwarded by the switch while the new ACL is being set up in the hardware. You can disable this
behavior. To control the behavior of the switch during an ACL refresh, use the following
commands:
enable access-list refresh blackhole
disable access-list refresh blackhole
The policy manager uses Smart Refresh to update the ACLs. When a change is detected,
only the ACL changes needed to modify the ACLs are sent to the hardware, and the
unchanged entries remain in place. This avoids having to blackhole packets while the
ACLs are momentarily cleared. Smart Refresh works for up to 200 changes. If
the number of changes exceeds 200, you will see this message:
Policy file has more than 200 new rules. Smart refresh can not be carried out.
Following this message, you will see a prompt based on the current blackhole configuration. If
blackhole is disabled, you will see the following prompt:
Note, the current setting for Access-list Refresh Blackhole is Disabled.
WARNING: If a full refresh is performed, it is possible packets that should be
denied may be forwarded through the switch during the time the access list is
being installed.
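As an added example (not from the NETGEAR manual), the following Python script estimates, before you run refresh policy, whether a change set stays within the Smart Refresh limit or will trigger a full refresh whose behavior then depends on the access-list refresh blackhole setting. The entry { ... } policy syntax it parses is a simplified assumption, and the sample policies are constructed.

```python
"""Pre-flight estimate for an ACL policy refresh (added example, not NETGEAR code)."""
import re

SMART_REFRESH_LIMIT = 200  # manual: more than 200 changes forces a full refresh

# Assumed, simplified policy grammar: 'entry <name> { ... }' with balanced braces.
ENTRY_RE = re.compile(r"entry\s+(\S+)\s*\{")


def parse_entries(policy_text):
    """Return {entry_name: whitespace-normalized body} for each top-level entry."""
    entries = {}
    for m in ENTRY_RE.finditer(policy_text):
        depth, i = 0, m.end() - 1          # start on the opening brace
        while i < len(policy_text):
            if policy_text[i] == "{":
                depth += 1
            elif policy_text[i] == "}":
                depth -= 1
                if depth == 0:             # matching close brace found
                    break
            i += 1
        entries[m.group(1)] = " ".join(policy_text[m.end():i].split())
    return entries


def count_changes(old_text, new_text):
    """Added, removed and modified entries between two policy files."""
    old, new = parse_entries(old_text), parse_entries(new_text)
    added = [n for n in new if n not in old]
    removed = [n for n in old if n not in new]
    modified = [n for n in new if n in old and new[n] != old[n]]
    return len(added) + len(removed) + len(modified)


def refresh_outcome(old_text, new_text, blackhole_enabled=True):
    """Which refresh path the manual describes for this change set."""
    if count_changes(old_text, new_text) <= SMART_REFRESH_LIMIT:
        return "smart-refresh"           # only the deltas go to hardware
    if blackhole_enabled:
        return "full-refresh-blackhole"  # traffic dropped while ACL installs
    return "full-refresh-forwarding-window"  # denied packets may pass briefly


def make_policy(names, action="permit"):
    """Constructed sample policy: one simple entry per name."""
    return "\n".join(
        f"entry {n} {{ if {{ source-address 10.0.{i}.0/24; }} then {{ {action}; }} }}"
        for i, n in enumerate(names))
```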