Policy distribution
General Information
The NFM-P creates a global policy in Draft mode. This is the mode used to configure a policy before distributing it to the NEs. Once a policy is configured and ready for distribution, you change its configuration mode to Released. Whether you’re dealing with a new or existing policy, changing its mode to Released opens the Distribute window.
If the policy was previously distributed to a group of NEs, then only those NEs are shown in the Distribute window. By default, all the NEs are selected in the window. You can deselect any NEs you want to exclude, or use the current selection to distribute the policy.
If the policy was not previously distributed, or its local versions no longer exist (deleted either by a user or an NE), then the Distribute window displays a list of compatible NEs. You must then select which NEs to distribute the policy to. Alternatively, you can use the drop-down menu in the Distribute window to select a Policy Distribute Group for the distribution.
The NFM-P also supports the partial distribution of global policies. Before a global policy is distributed to the NEs, the NFM-P determines whether the global policy, policy properties, and the policy entries are applicable for each NE to which the policy is to be applied. If an NE does not support the policy, property, or entry defined in a global policy, the policy is partially distributed to the NE. The inapplicable policy, property, or entry is not distributed to the NE. An alarm is not raised if a policy is partially distributed. When you use the NFM-P GUI or OSS, failure of distribution to an NE does not affect distribution to other NEs.
You can monitor policy distribution either in the Distribute window or by using the Task Manager. The NFM-P saves the latest released version of the global policy. If you select a Policy Distribute Group, the NEs contained within the group will be shown in the Selected Objects panel once the distribution begins. This allows you to monitor the distribution progress at the individual NE level.
You can also interrupt or completely stop an ongoing policy distribution. See To stop a policy distribution currently in progress for more information.
Distribution considerations
Consider the following before distributing policies using the NFM-P:
- A policy must first be released before it can be distributed to an NE.
- By default, releasing a policy for distribution opens the Distribute window, where you select the NEs required for distribution. Alternatively, you can enable a parameter in the System Preferences that, upon release of the global policy, automatically distributes it to NEs that already have local versions of the policy. See the NSP System Administrator Guide for more information on the use of the Auto Distribute Global Policy when Released parameter.
- Local NE versions of policies that use the Sync With Global distribution mode will allow the NE to receive the distribution of a global policy.
- Local NE versions of policies that use the Local Edit Only distribution mode will not allow the NE to receive the distribution of a global policy. You must ensure that the policy distribution mode for the local policy is set to Sync With Global if you want the NE to receive the distribution of a global policy.
- Local SR-family NE versions of policies that are changed using CLI can have their distribution modes automatically set to either Sync with Global or Local Edit Only. This is governed by the setting of the Switch Distribution Mode to Local Edit Only on CLI Change parameter in System Preferences. See the NSP System Administrator Guide for more information about the Local Edit Only function.
- When you distribute a policy to a 7705 SAR, all values within that policy must be supported by that 7705 SAR; otherwise, the distribution of the policy to that 7705 SAR is blocked.
Scaling policy deployments
The NFM-P allows policies to be distributed to numerous NE sites in a single operation. To accomplish this effectively, the NFM-P can use multiple deployers to distribute the policies. A deployer in this context is a thread within the NFM-P that executes a task. Releasing a large global policy to multiple NEs using only one deployer may degrade system performance. Scaling policy deployments using multiple deployers helps to maintain system performance.
To avoid or minimize system degradation, an operator can configure the maximum number of managed objects that a single deployer is allowed to send during policy distribution. The default value is 10,000 managed objects per deployer. A managed object in this context is basically a configuration entry within a policy. For example, in an ACL IP filter policy, each IP filter entry is considered to be one managed object. Therefore a single global policy can often contain numerous managed objects.
When an operator sets the “policyDistributionMaxObjectsPerDeployer” parameter to a desired value, the NFM-P uses this value, along with the actual number of managed objects in the policy to be distributed, to calculate the maximum number of NE sites that can receive the policy per deployer. If the number of sites selected for the policy’s distribution exceeds this number, additional deployer requirements are automatically calculated and used by the NFM-P. This applies to the distribution of single as well as multiple global policies. For a single global policy, the values are calculated as follows:
Maximum number of NE sites allowed per deployer = Maximum number of objects per deployer / Number of objects in the global policy to be distributed
Number of deployers used to distribute the global policy = Total number of local NE sites to receive the global policy / Maximum number of sites per deployer
For the distribution of multiple policies, the number of deployers required is determined on a per policy basis.
Table 49-2, Example of policy deployment, provides an example of deploying a single global policy that contains 1,000 managed objects. Note that if the maximum number of objects per deployer setting is less than the actual number of managed objects in the policy, the NFM-P will only use one deployer per site. However, if the setting for the maximum number of objects per deployer is very large, the NFM-P might use a single deployer for a very large number of sites, which could degrade system performance. See "To configure the maximum number of policy objects per deployer" for more information on configuring the maximum number of managed objects allowed per deployer.
Table 49-2: Example of policy deployment
Maximum number of managed objects allowed per deployer | Number of managed objects in a single global policy | Maximum number of NEs (sites) per deployer
---|---|---
0 | — | All sites
1 | — | 1 site
500 | 1,000 | 1 site
1,000 | 1,000 | 1 site
5,000 | 1,000 | 5 sites
10,000 | 1,000 | 10 sites
100,000 | 1,000 | 100 sites
When configuring the “policyDistributionMaxObjectsPerDeployer” parameter, the user also has the option to set the value to "0" or "1". A value of "0" means that only one deployer will be used for all NE sites that are to receive the policy. A value of “1” means that one deployer per site will be used. When distributing global policies with a large number of managed objects to a large number of NEs, Nokia recommends setting a value between 2,000 and 100,000 for this parameter.
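The two formulas, the rows of Table 49-2, and the special values 0 and 1 can be checked with a small sizing calculator before changing the setting. This is an added example, not NFM-P code: the function names are hypothetical, the sample policies are constructed, and rounding the deployer count up to a whole number is an assumption, since the page gives only the division.

```python
ALL_SITES = None  # sentinel: a single deployer serves every selected site


def max_sites_per_deployer(max_objects_per_deployer, policy_objects):
    """Sites one deployer may serve, per the page's formula and Table 49-2."""
    if max_objects_per_deployer < 0 or policy_objects < 1:
        raise ValueError("setting must be >= 0 and the policy needs >= 1 object")
    if max_objects_per_deployer == 0:
        return ALL_SITES  # value 0: only one deployer for all NE sites
    # Whole sites only, never fewer than one: a setting below the policy size
    # (including the special value 1) gives one deployer per site.
    return max(1, max_objects_per_deployer // policy_objects)


def deployers_needed(max_objects_per_deployer, policy_objects, selected_sites):
    """Deployers used for one global policy (rounding up is an assumption)."""
    if selected_sites < 1:
        return 0
    per_deployer = max_sites_per_deployer(max_objects_per_deployer, policy_objects)
    if per_deployer is ALL_SITES:
        return 1
    return (selected_sites + per_deployer - 1) // per_deployer  # integer ceiling


def plan(max_objects_per_deployer, policies, selected_sites):
    """Deployer count per policy; multiple policies are sized per policy."""
    return {name: deployers_needed(max_objects_per_deployer, objects, selected_sites)
            for name, objects in policies.items()}


if __name__ == "__main__":
    # Constructed sample: two global policies released to 250 NE sites.
    sample_policies = {"acl-ip-filter": 1000, "large-filter": 4000}
    for setting in (0, 1, 2000, 10000, 100000):
        print(setting, plan(setting, sample_policies, 250))
```

With the default of 10,000 objects per deployer, the 1,000-object policy in Table 49-2 released to 250 sites works out to 25 deployers, while a setting of 0 collapses the same release onto one deployer.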