Re: snmpconf pm issue #23 - policy termination
There's always the ever-popular method of adding a flag to the policy. All
you really need is a "re-evaluate this policy group when this policy
--On Tuesday, June 05, 2001 11:40 AM -0400 David Harrington
> I am concerned that for policies which may affect the security of the
> network, it may not be acceptable to wait until the next
> regularly-scheduled policy evaluation; a more immediate determination of
> the policy to apply may be necessary to ensure the viability of the
> security environment.
> OTOH, I also recognize that forcing a complete evaluation cycle to occur
> every time a policy becomes inactive may be problematic. Is there any
> way with the existing language and primitives to cause the evaluation to
> be done immediately when selected policies become inactive?
> Steve Moulton wrote:
>> I agree with the proposed text, but it raises a question.
>> When a policy is no longer active on an element, is another
>> policy evaluation done to ensure the proper policy
>> is in force? This may have been discussed; but I don't recall the
>> My immediate reaction is to say "no, it happens when it happens,
>> let's not micromanage this thing". Some cases:
>> 1 A policy goes out of schedule. At this point, since a
>> "policy evaluation cycle" is taking place, the lower precedence
>> policy will be enforced.
>> 2 A policy is removed from service (via pmPolicyAdminStatus or
>> pmPolicyRowStatus). Since these require positive action
>> by a manager, that manager should be responsible for
>> the state of the elements governed by that policy.
>> I'm not sure how this would be done, when it involves
>> forcing a lower precedence policy evaluation to take place.
>> Perhaps by temporarily changing the pmPolicyFilterMaxLatency
>> for a short period of time on a policy the manager thinks
>> should be in force.
>> 3 The element has changed state in such a way as to no longer
>> be managed by a given policy. Should this just be caught
>> on the next policy evaluation?
>> - Steve
>> On Monday, June 4 2001, Steve Waldbusser <email@example.com>
>> > Issue: Jon writes: "There have been extensive discussions about
>> > what to happen when a policy terminates. My recollection -
>> > with help from David - is that if one wants a policy reset
>> > after termination, a lower precedence policy should be in
>> > the group that will take over. I have no issue with this as
>> > the resolution, only that we need to document that this is
>> > how this behavior is achieved."
>> > How's this text?
>> > "Note that if it is necessary to take certain actions after a policy is
>> > no longer active on an element, these actions should be included in a
>> > lower-precedence policy that is in the same policy group."
>> Steve Moulton SNMP Research, Inc voice: +1 865 573 1434
>> Sr Software Engineer 3001 Kimberlin Heights Rd. fax: +1 865 573 9197
>> firstname.lastname@example.org Knoxville, TN 37920-9716 USA http://www.snmp.com
> David Harrington Network Management Standards Architect
> email@example.com Office of the CTO
> +1 603 337 2614 - voice Enterasys Networks
> +1 603 332 1524 - fax Rochester NH, USA