[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: snmpconf pm issue #23 - policy termination



There's always the ever-popular method of adding a flag to the policy.  All 
you really need is a "re-evaluate this policy group when this policy 
becomes inactive".


-Matt

--On Tuesday, June 05, 2001 11:40 AM -0400 David Harrington 
<dbh@enterasys.com> wrote:

> Hi,
>
> I am concerned that for policies which may affect the security of the
> network, it may not be acceptable to wait until the next
> regularly-scheduled policy evaluation; a more immediate determination of
> the policy to apply may be necessary to ensure the viability of the
> security environment.
>
> OTOH, I also recognize that forcing a complete evaluation cycle to occur
> every time a policy becomes inactive may be problematic. Is there any
> way with the existing language and primitives to cause the evaluation to
> be done immediately when selected policies become inactive?
>
> dbh
>
> Steve Moulton wrote:
>>
>> I agree with the proposed text, but it raises a question.
>> When a policy is no longer active on an element, is another
>> policy evaluation done to ensure the proper policy
>> is in force?  This may have been discussed; but I don't recall the
>> resolution.
>>
>> My immediate reaction is to say "no, it happens when it happens,
>> lets not micromanage this thing".  Some cases:
>>
>> 1  A policy goes out of schedule.  At this point, since a
>>    "policy evaluation cycle" is taking place, the lower precedence
>>    policy will be enforced.
>>
>> 2  A policy is removed from service (via pmPolicyAdminStatus or
>>    pmPolicyRowStatus).  Since these require positive action
>>    by a manager, that manager should be responsible for
>>    the state of the elements governed by that policy.
>>    I'm not sure how this would be done, when it involves
>>    forcing a lower precedence policy evaluation to take place.
>>    Perhaps by temporarily changing the pmPolicyFilterMaxLatency
>>    for a short period of time on a policy the manager thinks
>>    should be in force.
>>
>> 3  The element has changed state in such a way as to no longer
>>    be managed by a given policy.   Should this just be caught
>>    on the next policy evaluation?
>>
>>         - Steve
>>
>> On Monday, June 4 2001, Steve Waldbusser <waldbusser@nextbeacon.com>
>> wrote:
>>
>> >
>> >
>> >   Issue: Jon writes: "There have been extensive discussions about
>> >   what to happen when a policy terminates. My recollection -
>> >   with help from David - is that if one wants a policy reset
>> >   after termination, a lower precedence policy should be in
>> >   the group that will take over. I have no issue with this as
>> >   the resolution, only that we need to document that this is
>> >   how this behavior is achieved."
>> >
>> >
>> > How's this text?
>> >
>> > "Note that if it is necessary to take certain actions after a policy is
>> > no longer active on an element, these actions should be included in a
>> > lower-precedence policy that is in the same policy group."
>> >
>>
>> ---
>> Steve Moulton        SNMP Research, Inc            voice: +1 865 573 1434
>> Sr Software Engineer 3001 Kimberlin Heights Rd.    fax: +1 865 573 9197
>> moulton@snmp.com     Knoxville, TN 37920-9716 USA  http://www.snmp.com
>
> --
> ---
> David Harrington            Network Management Standards Architect
> dbh@enterasys.com           Office of the CTO
> +1 603 337 2614 - voice     Enterasys Networks
> +1 603 332 1524 - fax       Rochester NH, USA
>