Netgear XCM8806 Chassis User Manual - Page 296
NETGEAR 8800 User Manual, Chapter 12. Policy Manager (page 296)

tftp [ | ] {-v } [-g | -p] [{-l [internal-memory | memorycard | } {-r } | {-r } {-l [internal-memory | memorycard | ]}]

Checking Policies

A policy file can be checked to see whether it is syntactically correct. To check the policy syntax, use the following command:

check policy

This command determines only whether the syntax of the policy file is correct and whether the file can be loaded into the policy manager database. Because a policy can be used by multiple applications, a particular application may impose additional constraints on allowable policies, so passing this check does not guarantee that every application will accept the policy.

Refreshing Policies

When a policy file is changed (for example, by adding or deleting an entry, or by adding, deleting, or modifying a statement), the information in the policy database does not change until the policy is refreshed. You must refresh the policy so that the latest copy is used. When the policy is refreshed, the new policy file is read, processed, and stored in the server database, and any clients that use the policy are updated. To refresh the policy, use the following command:

refresh policy

For ACL policies only, while an ACL policy is being refreshed, packets on the interface are blackholed by default. This protects the switch during the short time that the policy is being applied to the hardware: while the new ACL is being set up in the hardware, an unwanted packet could otherwise be forwarded by the switch. You can disable this behavior. To control the behavior of the switch during an ACL refresh, use the following commands:

enable access-list refresh blackhole
disable access-list refresh blackhole

Disabling the blackhole trades a brief interruption of traffic for a brief window in which the interface is not filtered; on interfaces that face untrusted networks, the default is the safer choice.

The policy manager uses Smart Refresh to update the ACLs. When a change is detected, only the ACL changes needed to modify the ACLs are sent to the hardware, and the unchanged entries remain in place. This avoids having to blackhole packets because the ACLs have been momentarily cleared. Smart Refresh works well for up to 200 changes. If the number of changes exceeds 200, you will see this message:

Policy file has more than 200 new rules. Smart refresh can not be carried out.

Following this message, you will see a prompt based on the current blackhole configuration. If blackhole is disabled, you will see the following prompt:

Note, the current setting for Access-list Refresh Blackhole is Disabled.
WARNING: If a full refresh is performed, it is possible packets that should be denied may be forwarded through the switch during the time the access list is being installed.
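The refresh decision described above, as an added illustration written for this page; it is not NETGEAR or ExtremeXOS code. The rule format (AclEntry), the counting of a "change" as any rule added or removed, and the sample policies are assumptions; the 200-change limit and the three outcomes (Smart Refresh with rules still enforced, full refresh with the interface blackholed, full refresh with the interface briefly unfiltered) follow the manual text.

```python
"""Model of the ACL refresh decision from the Policy Manager chapter.

Added illustration only: not NETGEAR/ExtremeXOS code. The policy format is a
constructed simplification; the 200-change limit and the three behaviours
(smart refresh, full refresh with blackhole, full refresh without blackhole)
follow the manual text.
"""
from dataclasses import dataclass, field
from typing import List

SMART_REFRESH_LIMIT = 200   # from the manual: Smart Refresh handles up to 200 changes


@dataclass(frozen=True)
class AclEntry:
    """One ACL rule in a constructed, deliberately simplified form."""
    name: str
    match: str    # e.g. "destination-port 23"; illustrative, not real policy syntax
    action: str   # "permit" or "deny"


@dataclass
class RefreshPlan:
    mode: str                               # "smart" or "full"
    to_add: List[AclEntry] = field(default_factory=list)
    to_remove: List[AclEntry] = field(default_factory=list)
    blackhole_during_install: bool = False  # meaningful only when mode == "full"
    warning: str = ""


def check_policy(entries: List[AclEntry]) -> List[str]:
    """Syntax-only check, in the spirit of 'check policy'.

    Returns a list of problems. An empty list means the file can be loaded;
    it says nothing about whether an application will accept the rules.
    """
    problems, seen = [], set()
    for e in entries:
        if e.action not in ("permit", "deny"):
            problems.append(f"entry {e.name}: unknown action {e.action!r}")
        if e.name in seen:
            problems.append(f"entry {e.name}: duplicate entry name")
        seen.add(e.name)
    return problems


def plan_refresh(installed: List[AclEntry], new: List[AclEntry],
                 blackhole_enabled: bool = True) -> RefreshPlan:
    """Decide how the new policy reaches the hardware.

    A 'change' is counted as any rule added or removed (assumption; the
    manual's message mentions only new rules). Up to SMART_REFRESH_LIMIT
    changes are applied incrementally, leaving unchanged entries in place.
    Beyond that the whole ACL is reinstalled, and the blackhole setting
    decides what happens to traffic during the install.
    """
    old_set, new_set = set(installed), set(new)
    to_remove = [e for e in installed if e not in new_set]
    to_add = [e for e in new if e not in old_set]
    if len(to_add) + len(to_remove) <= SMART_REFRESH_LIMIT:
        return RefreshPlan("smart", to_add, to_remove)
    plan = RefreshPlan("full", to_add, to_remove,
                       blackhole_during_install=blackhole_enabled)
    if not blackhole_enabled:
        plan.warning = ("access-list refresh blackhole is disabled: packets that "
                        "should be denied may be forwarded while the access list "
                        "is being installed")
    return plan


def fate_during_install(plan: RefreshPlan) -> str:
    """What happens to a packet arriving on the interface mid-refresh."""
    if plan.mode == "smart":
        return "filtered"      # unchanged entries stay in hardware, so rules still apply
    if plan.blackhole_during_install:
        return "blackholed"    # every packet on the interface is dropped, wanted or not
    return "forwarded"         # ACL momentarily cleared: even a denied packet passes


if __name__ == "__main__":
    # Constructed sample: a small installed policy and an edit that adds one rule.
    installed = [AclEntry(f"r{i}", f"source-address 10.0.{i}.0/24", "deny") for i in range(10)]
    edited = installed[:8] + [AclEntry("telnet", "destination-port 23", "deny")]
    assert check_policy(edited) == []
    for bh in (True, False):
        p = plan_refresh(installed, edited, blackhole_enabled=bh)
        print(f"small edit, blackhole={bh}: {p.mode}, traffic is {fate_during_install(p)}")
    # A constructed bulk import that exceeds the Smart Refresh limit forces a full refresh.
    bulk = installed + [AclEntry(f"n{i}", f"source-address 172.16.{i // 256}.{i % 256}/32", "deny")
                        for i in range(201)]
    for bh in (True, False):
        p = plan_refresh(installed, bulk, blackhole_enabled=bh)
        print(f"bulk import, blackhole={bh}: {p.mode}, traffic is {fate_during_install(p)}"
              + (f"\n  WARNING: {p.warning}" if p.warning else ""))
```

The point the model makes explicit: a small edit is applied without ever clearing the hardware ACL, so the existing rules keep filtering; a bulk change forces a full reinstall, and then the blackhole setting is the only thing standing between "all traffic briefly dropped" and "all traffic briefly unfiltered".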