Enforce Preview Window


Use the Enforce Preview window to view the information that will be written to your devices, before you actually enforce. This feature is particularly useful if you have devices that only support certain aspects of policy management. For example, some devices support only the policy features of policy management; some devices support the policy features and classification rules, but do not support VLAN forwarding for certain classification rules; and some devices fully support all policy management features, including policy, classification rules, and VLAN forwarding for all classification rules.

The Enforce Preview window appears whenever you click the Enforce button, or select the File > Enforce Role Set menu option, or double-click the enforce icon on the status bar, so that you always get a chance to review the effects of enforcing prior to actually performing the enforce. You can control whether or not this view automatically appears with the Show this view on Enforce checkbox, or in Optional Views in the Options window.

You can also access this window from the File > Enforce Preview menu option, and from the Enforce Preview button on the confirmation message that appears when a verify has taken place.

What you see in the window depends on whether you would be enforcing to all devices or to a subset of devices. The title bar indicates the devices to which the enforce will apply. After viewing the information in this window, you can either click Cancel to back out and make fixes, or Enforce to go ahead with the enforce. (The Enforce button does not appear in this window when you use the File > Enforce Preview menu option to launch the window.)

You can view device support for specific roles, services, and rules on their Device Support tabs. Refer to the NetSight Firmware Support tables for complete information on device support for Policy Manager features, and VLAN and Priority classification rules.


"Show" Radio Buttons

What you see in the right panel of the Enforce Preview window depends on which radio button you have selected at the top of the window.
All
Select this radio button to display what will and what will not be written to the devices when you enforce.
Errors and Warnings Only
Select this radio button to show only what will not be written to the devices when you enforce.

Left Panel

The left panel of the Enforce Preview window displays folders for different device types. Expand the folders to see your network devices and device groups organized according to device type. The icon shown next to a device type alerts you that there are certain things that will not be written to this device type that you might want to investigate prior to enforcing (e.g. rules that are not supported on a device).

Select a specific device type to display the information that will be written to those devices when you enforce.

Show this view on Enforce
When this checkbox is checked, the Enforce Preview window will appear any time you enforce, before the actual enforcement takes place. You can also turn this option on and off via Optional Views in the Options window.

Right Panel

The upper portion of the right panel provides information about whether certain policy management features are supported and/or enabled for the device type selected in the left panel.

  • Additional Warnings - If there are additional problems detected with the enforce, you will be directed to see the Event Log for details.
  • GVRP - Shows whether GVRP is Enabled, Disabled, or Ignored. You can change GVRP status for the domain via the Edit menu.
  • Dynamic Egress - Shows whether Dynamic Egress is Supported or Not Supported.

There are six tabs that provide specific information about the Roles, Classification Rules, VLANs, Classes of Service, Mappings, and Statistics that will be enforced. The information displayed depends on the device type you've selected in the left panel, and whether you have the Show All or the Show Errors and Warnings Only radio button selected. In addition, select a role in the Roles tab to filter the information for just that role.

Roles Tab
Incomplete - Lists any roles with unsupported classification rules. These roles will be written to the devices, but without the unsupported rules.
Complete - Lists any roles which do not include unsupported classification rules. These roles will be written to the devices as defined.

 NOTE: Select a Role to display only those classification rules and VLANs associated with the selected role.
Classification Rules Tab
Excluded - Lists any unsupported classification rules that have been applied to a role. These rules will not be included when the associated roles are written to the devices.
Included - Lists any supported classification rules that have been applied to a role. These rules will be included when the associated roles are written to the devices.

 NOTE: On N-Series Platinum devices, range classification rules are implemented by applying subnet masks to values. To cover a user-specified range, the device may therefore need multiple mask-based rules that together encompass that range. So, although the user created only one rule with a range, this list may show multiple instances of that rule, each with the name of the rule followed by the portion of the overall range it applies to.
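As an added illustration of the note above (example code, not NetSight's own), the following Python splits a user-specified range into the value/mask pairs a mask-based matcher needs, which is why one range rule can appear several times in the Excluded/Included lists. The bit width (16 bits, as for a TCP/UDP port) and the "name (first-last)" display format are assumptions of this example.

```python
# Added example: decompose a numeric range into aligned value/mask blocks.
# The 16-bit width and the display format are assumptions, not NetSight behavior.

def range_to_masks(lo, hi, width=16):
    """Return (value, mask, first, last) tuples that exactly cover lo..hi.

    Each tuple is one mask-based rule; the sub-ranges are disjoint and their
    union is lo..hi, so no value outside the range is matched.
    """
    if not 0 <= lo <= hi < (1 << width):
        raise ValueError("range out of bounds for the given width")
    full = (1 << width) - 1
    blocks = []
    start = lo
    while start <= hi:
        # Grow to the largest power-of-two block that is aligned at `start`
        # and does not run past `hi`.
        size = 1
        while start % (size * 2) == 0 and start + size * 2 - 1 <= hi:
            size *= 2
        mask = full & ~(size - 1)          # e.g. size 4 -> 0xFFFC
        blocks.append((start, mask, start, start + size - 1))
        start += size
    return blocks

def matches(value, base, mask):
    """True if `value` hits the rule (base, mask), as a mask matcher would test."""
    return (value & mask) == (base & mask)

def describe(rule_name, lo, hi, width=16):
    """Assumed display names: the rule name plus the portion of the range."""
    names = []
    for _, _, first, last in range_to_masks(lo, hi, width):
        part = f"{first}" if first == last else f"{first}-{last}"
        names.append(f"{rule_name} ({part})")
    return names

if __name__ == "__main__":
    # Constructed sample: a single rule for ports 1024-1030 becomes three rules.
    for base, mask, first, last in range_to_masks(1024, 1030):
        print(f"value={base:#06x} mask={mask:#06x} covers {first}-{last}")
```

Running `matches` for every value in and around the range is a quick way to confirm the generated rules neither leak nor drop traffic at the range boundaries.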
VLAN Tab
Excluded - Lists any VLANs associated with unsupported classification rules, or VLANs that are not supported by the device. These VLANs will not be written to the devices.
Included - Lists any VLANs associated with supported classification rules and VLANs associated with roles. These will be written to the devices.
Classes of Service Tab
Class of Service Mode - Lists the Class of Service mode that will be written to the devices.
Classes of Service Subtab - Lists the classes of service that will be written to the devices:
  • Class of Service - the name of the class of service.
  • 802.1p Priority - the priority associated with the class of service.
  • ToS Value - the IP type of service value associated with this class of service, if any. See IP Type of Service for more information.
  • Drop Prec - The drop precedence associated with this class of service, if any. See Drop Precedence for more information.
  • TxQueue Index - the transmit queue index associated with the class of service.
  • IRL Index - the role-based inbound rate limit index associated with the class of service.
  • ORL Index - the role-based outbound rate limit index associated with the class of service.
 For more information, see Getting Started with Class of Service and How to Create a Class of Service.
 
Inbound/Outbound Role-Based Rate Limit Mappings Subtabs - Lists the rate limit mappings that will be written to the devices:
  • Device - The device where the rate limit mapping will be in effect.
  • IRL/ORL Port Grp - The name of the port group that contains the rate limit mapping.
  • IRL/ORL Index - The logical inbound rate limit (IRL) or outbound rate limit (ORL) index number. This index number is specified in a class of service and dictates the rate limiting behavior for incoming (IRL) or outgoing (ORL) packets.
  • Rate Limit - The actual rate limit that the IRL/ORL index is mapped to.
  • IRL/ORL Port Type - The type of ports included in the port group. Port type is based on the number of rate limits the ports support (for example, 8-rate limit ports and 32-rate limit ports).
  • Information - Information about mapping support.
 Transmit Queue/Rate Shaper Mappings Subtab - Lists the transmit queue rate shaper mappings that will be written to the devices:
  • Device - The device where the transmit queue rate shaper mapping will be in effect.
  • TxQ Port Grp - The name of the port group that contains the transmit queue rate shaper mapping.
  • TxQ Index - The logical transmit queue rate shaper index number. This index number is specified in a class of service and dictates the transmit queue and rate shaper behavior for incoming packets.
  • Physical Transmit Queue / Rate Shaper - The actual transmit queue rate shaper that the index is mapped to.
  • TxQ Port Type - The type of ports included in the port group. Port type is based on the number of transmit queues the ports support (for example, 4-transmit queue ports and 16-transmit queue ports).
  • Information - Information about mapping support.
Mappings Tab
 
 WARNING: Enforcing port-level MAC to Role mappings could potentially remove rules created by NetSight Automated Security Manager (ASM) as an intrusion detection response.
 
 MAC to Role Mapping - Lists the device-level and port-level mappings that will be written to the devices:
  • Device/Port Level - indicates whether the mapping is a device-level mapping (all devices) or a port-level mapping (IP address and port description). Port-level mappings on frozen ports will be enforced.
  • MAC Address - the MAC address mapped to the role. Masking a MAC address is only supported on N-Series Platinum devices.
  • Mask - the mask associated with the MAC address.
  • Role - the role mapped to the MAC address.
 IP to Role Mapping - Lists the device-level mappings that will be written to the devices:
  • IP Address - the IP address mapped to the role.
  • Mask - the mask associated with each IP address. Masking an IP address is only supported on N-Series Gold and Platinum devices.
  • Role - the role mapped to the IP address.
 Tagged Packet VLAN to Role Mapping - Lists the device-level and port-level mappings that will be written to the devices:
  • Device/Port Level - indicates whether the mapping is a device-level mapping (all devices) or a port-level mapping (IP address and port description). Port-level mappings on frozen ports will be enforced.
  • VLAN - the VLAN mapped to the role.
  • Role - the role mapped to the VLAN.
 Authentication Based VLAN (RFC 3580) to Role Mapping - Lists the mappings that will be written to the devices:
  • VLAN - the VLAN mapped to the role.
  • Role - the role mapped to the VLAN.
Statistics Tab
 
Device Statistics - Lists role count information about each device. If the number of roles in the domain exceeds the supported number of roles on a device, then enforce will fail.
  • Supported # of Roles - The maximum number of roles supported by the device.
  • Domain Role Count Supported - This column says "No" if the number of roles in the domain exceeds the supported number of roles on the device. A "Yes" in this column indicates that the number of roles on the device is equal to or less than the maximum number of supported roles.
 Role Statistics - Lists information about each role:
  • Number of Rules - The number of traffic classification rules the role includes.
  • Number of Unique Masks - The number of masks defined for the rules included in the role.
Enforce Button
Enforces the roles, classification rules and VLANs in the current data file to the devices, based on the level of support available on the devices as indicated in the Enforce Preview window. This button does not appear in this window when you use the File > Enforce Preview menu option to launch the window.
