System Policy

This is a premium module, only available with NeDi+. Find more details here

Make sure you understand how policy actions work before enabling them! A careless policy can, for example, disable all network interfaces.

Search for 'safety on!' in libmisc.pm and toggle commenting on the 2 '$clistat' lines, if you're confident!

This module lets you define conditions on device configurations, neighbors or learned MAC addresses and take action upon hit or miss.

The class of a policy determines where in the discovery it's processed. This is important if you want to take action on neighbor names and learned MAC addresses, for example, as only the last matching policy with an action will be executed.

| Order | Class | Operator | Description |
|-------|-------|----------|-------------|
| 1 | Neighbor Name | ~ or !~ | After collecting all LLDP, CDP or FDP neighbors their names are processed |
| 2 | Neighbor Type | ~ or !~ | Right after the names, their types are processed |
| 3 | MAC Address | ~ or !~ | After collecting the bridge-forward entries (MAC address table) they're processed |
| 4 | Connection Before | ~ or !~ | When writing the interfaces to the DB, the previous connection information is processed to detect device links gone down for example |
| - | Configuration | ~ or !~ | Configurations are processed with -b or -Bx, but this policy does not depend on the others above |
| - | Device Monitor | any | Add new devices to monitoring. If you enter - or no in target, it'll be added in maintenance mode. CPU & Mem thresholds are taken from .def, alert action is applied to target and does not create alerts itself |
| - | Total # of MACs | > or < | This policy refers to total # of learned MAC addresses (including those on uplinks). It does not depend on the others above as it's evaluated after writing nodes of a device |
| - | Packets, Bytes and Flows | > or < | Those policies are used by flowi.pl (on nfdump files) allowing for alerts on excessive or missing traffic |

Stolen Nodes

  1. Click on in Nodes-Status to create a MAC policy of that node
  2. Adjust Alert setting or info text and click add
  3. Every time this MAC address is found, you'll be notified according to the alert setting

Configuration Compliance

  1. Select "Configuration" from the class selectbox and enter regexp to match (e.g. 'snmp-server community public')
  2. Alternatively you can change the operator to '!~' to get alerts on missing configuration statements
  3. Narrow down the matches by specifying a regexp for device type, location or group for example
  4. Adjust Alert setting and information text and click add
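
An offline dry run of the Configuration policy logic from the steps above, added here as an illustration and not NeDi code. It assumes the regexp is searched anywhere in the stored configuration text and that Python's `re` behaves like NeDi's Perl regexps for these simple patterns; the device names, types, configurations and the policy tuple layout are constructed for the example.

```python
import re

# Constructed sample devices and configurations (not from a real network).
CONFIGS = {
    "sw-access-01": {
        "type": "WS-C2960X",
        "config": "hostname sw-access-01\nservice password-encryption\n"
                  "snmp-server community public RO\n",
    },
    "sw-core-01": {
        "type": "N9K-C9336",
        "config": "hostname sw-core-01\nsnmp-server community s3cr3t-ro RO\n",
    },
    "rt-edge-01": {
        "type": "ISR4331",
        "config": "hostname rt-edge-01\nservice password-encryption\n"
                  "snmp-server community publicnet RO\n",
    },
}

# Hypothetical policy records: (operator, config regexp, device type regexp, info text).
POLICIES = [
    # Unanchored: also hits 'publicnet', which may or may not be what you want.
    ("~", r"snmp-server community public", r".", "default community (unanchored)"),
    # Anchored to line start and followed by whitespace: only the literal 'public'.
    ("~", r"(?m)^snmp-server community public\s", r".", "default community (anchored)"),
    # '!~' alerts when the statement is missing; narrowed to switch types only.
    ("!~", r"(?m)^service password-encryption$", r"^(WS-|N9K)", "encryption missing"),
]

def evaluate(policies, devices):
    """Return (info text, device name) pairs that would raise an alert."""
    alerts = []
    for op, pattern, type_filter, info in policies:
        for name, dev in sorted(devices.items()):
            if not re.search(type_filter, dev["type"]):
                continue  # narrowed out by the device type regexp
            found = re.search(pattern, dev["config"]) is not None
            if (op == "~" and found) or (op == "!~" and not found):
                alerts.append((info, name))
    return alerts

if __name__ == "__main__":
    for info, name in evaluate(POLICIES, CONFIGS):
        print(f"{name}: {info}")
```

Running candidate regexps against saved configurations this way shows how many devices a policy would hit before it is added with an alert setting.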

Device Monitor

  1. Select "Device Monitor" from the class selectbox, enter "-" or "no" as target to set test to none or specify a test like "ping"
  2. If you leave target blank it'll default to uptime for SNMP devices and icmp for non-SNMP ones
  3. Narrow down the matches by specifying a regexp for device type, location or group for example
  4. Adjust Alert setting for the monitored target (repeat options are not supported yet) and click add
  5. Dependencies are not resolved automatically and should be configured in Monitoring-Setup

PoE Police

  1. Add a Neighbor Policy with the "Skip Action" to allow PoE delivery to phones or controlled APs.
  2. Add a MAC Policy to either match (~) on particular addresses or enter a '.' to match any
  3. Narrow down the matches by specifying a regexp for device type, location or group for example
  4. Optionally select an interface condition to only trigger if PoE was active in the previous discovery
  5. Select 'PoE Disabled' Action and add a reset policy by selecting a timeframe after which PoE should be re-enabled
  6. Upon the first discovery, when its timestamp is in the past, the reset policy is executed to restore PoE delivery
  7. Adjust Alert setting and information text and click add

Link Alerts

  1. Add a "Connection Before" Policy and enter "D$" to match regular devices
  2. Select the "Status Change" condition
  3. Alternatively you can select a connection type to match the current status (e.g. if someone replaces a device with a phone)
  4. Adjust Alert setting and information text and click add

Traffic

  1. In Nodes-Traffic choose columns to aggregate (group), sorting, source and a filter then click Show
  2. The System-Policy icon appears, click it
  3. Set operator and a threshold, then specify how you want to get notified
  4. This policy creates events with class 'sptr' (System-Policy-Traffic) using its id as source

General Topics