One policy per switch?

  • Question
  • Updated 2 years ago
A basic question about network policy for Aerohive switches: what if all the switches need setting up with different port configurations? Does this mean separate policies for each?

If all switches require subtly or substantially different ports (access/trunk/etc.), then as per my understanding each of these requires a different policy, which in the real world would quickly become complicated to manage compared to just hand-crafting them on a 'traditional' vendor.

Am I missing something? Just curious to find out how other deployments have gone so far.

Thanks in advance

anjanesh

Anjanesh Babu


Posted 2 years ago


James Saarikko

Anjanesh,
You can have multiple switches configured independently of one another with the use of Switch Templates. This will still give you the ability to have one network policy to use in your environment.

Here is a link to provide you more information:

http://docs.aerohive.com/330000/docs/help/english/6.6r1/hm/full/help.htm#ref/deploy/switch.htm

Note: Templates are based on Device Models, so make sure that you identify the correct device model when adding the template to the network policy. If you misidentify the model (for example, you have a 2124P switch but select a 2024 model), switchport configurations will not be applied correctly.

Warm Regards
James

Anjanesh Babu

Hi James,
Thanks for your reply - following your reply, I did have a proper look at device templates, which seem to be a powerful feature now that I understand it better. However, it would seem that the configuration requirements would now shift to device templates rather than network policies.

So while the number of network policies would be lower, the number of device templates would be higher, corresponding to the number of combinations (each representing a switch in our case). Is this a correct assumption?

What I am looking for is a larger container network policy and the ability to change port configs at will without affecting other switches.

Thank you once again for pointing out the template as an option.
Anjanesh

BJ, Champ

I use device tagging, then set up a template for each switch within the network policy. That way trunk ports, access ports, etc. are common within the network policy and then you assign those profiles to individual interfaces or agg ports, etc.

Best,
BJ 

Anjanesh Babu

Hi BJ,
Thanks for your response - so this follows a similar suggestion to James's but applies additional logic based on tags. Very useful to know - but from my understanding, this still requires a large number of switch templates (as above).

Appreciate the response, will have a look at these options.

Regards
anjanesh

BJ, Champ

Anjanesh, 
That is exactly why we use device tagging. You have all your port types in one policy, then you can change interface configs on one device without affecting the others.

As far as large numbers of templates, I'm not aware of any other way to do it. From an old school standpoint, you would need to remember the names or addresses of all your individual switches to ssh/telnet into each one anyway. In my mind this is a more elegant way than previously.
 
In our situation, the tags are based upon switch names, "NYswitch3" or "5th_floor_SwitchB." You can simply take a template, clone it, and assign it to another device based upon its name.

The beauty is that all your interface configs are already configured in your policy, it's just a matter of assignment. I've also found it to be a safety net, ensuring the config change is being performed on the correct device. 

Best,
BJ 

Anjanesh Babu

Hi BJ,
Interesting application of tagging and templates. There is a chance that port types might vary for each switch, which might complicate the mix.

For the moment, this is a useful way to keep things going, and perhaps in future a switch-level interface variation would be possible within the GUI without affecting all the switches.

Thank you once again

anjanesh

Aaron Storey

We have had this same issue, where it would be nice to be able to modify the configuration of an individual port from within the Device config page of the GUI rather than having to create a new template every time we need a slight modification to the switch. In a school environment especially, we will often have new devices introduced in random places where we need to make a change. Perhaps it is different thinking coming from the CLI world of switch config, but it is much faster and simpler to apply a change to a specific port for a particular situation rather than having to go through multiple steps to set up a new template and apply a tag to a specific switch for one special situation.