Modifying Policy Objects in the Directory
This section shows how to modify policy groups by changing the policyGroup, policyList, and policyRule objects in the directory.
Once a policy is in use, we recommend that you do not modify the policy by deleting and recreating it. Doing so results in an error message being logged for each interface or active service session that currently uses the policy. If you delete a default policy that is running on an interface, the SRC software leaves the policy running and logs an error message. When a new interface that uses the policy as a default policy is created, every service activation for a service that uses the policy fails until the new definition of the policy is loaded. This condition lasts until DES polls the directory, detects the change, and provides the change to the policy engine.
Modifying Policy Groups
To modify an existing policyGroup and trigger the policy engine to update policies on JUNOSe routers:
- Make the required changes to the policyList and policyRule objects that are contained in the policyGroup entry.
- Make a modification to the policyGroup entry. For instance, change its description or set its deleted attribute to FALSE.
This step triggers the policy engine to reload the new policy definition. All interfaces that currently use the policy as a default policy are updated, and all active service sessions that use the policy are updated.
Adding Policy Groups
To add a policy group and load it onto the JUNOSe router:
- Make sure that a policyGroup object with the same name does not already exist with its deleted attribute set to TRUE.
- Create the policyGroup, and set the deleted attribute to TRUE.
- Configure the policyGroup as desired, and configure its policyLists and policyRules.
- Trigger the policy engine to load the new policy by setting the deleted attribute in the policyGroup to FALSE.
Deleting and Purging Policy Groups from the Directory
To delete a policyGroup entry from the directory, make sure that the umcDeletionAuxClass is in the object class, and set the deleted attribute to TRUE. At the next DES polling interval, the policy is removed from the policy engine. As mentioned above, take care not to delete policyGroups that are in use.
After you set the deleted attribute in the policyGroup to TRUE, you can purge the policyLists and policyRules underneath the policyGroup. Once you are sure that the deletion of policyLists and policyRules is replicated to all directories and that the SAE has been triggered to make the change, you can purge the policyGroup.
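The purge order described above, as an added Python example that is not part of the SRC documentation or software: it takes a constructed directory snapshot and returns the entries in the order they can be purged, refusing any policyGroup that is not marked as deleted. The DNs, the dictionary layout, and the in_sae_memory set (groups found still loaded when checking each SAE in SAE Web Admin, per the recommendation that follows) are assumptions.

```python
# Added example. Only policyGroup, policyList, policyRule, umcDeletionAuxClass
# and the deleted attribute come from the page; DNs and layout are hypothetical.
# Assumes DNs are already normalized and contain no escaped commas.

BASE = "ou=policies,o=example"
SNAPSHOT = [  # constructed sample, not real directory data
    {"dn": f"cn=gold,{BASE}", "objectClass": ["policyGroup", "umcDeletionAuxClass"], "deleted": "TRUE"},
    {"dn": f"cn=in,cn=gold,{BASE}", "objectClass": ["policyList"]},
    {"dn": f"cn=r1,cn=in,cn=gold,{BASE}", "objectClass": ["policyRule"]},
    {"dn": f"cn=silver,{BASE}", "objectClass": ["policyGroup", "umcDeletionAuxClass"], "deleted": "FALSE"},
    {"dn": f"cn=bronze,{BASE}", "objectClass": ["policyGroup"]},
    {"dn": f"cn=iron,{BASE}", "objectClass": ["policyGroup", "umcDeletionAuxClass"], "deleted": "TRUE"},
]


def purge_plan(entries, in_sae_memory=frozenset()):
    """Return (plan, refused).

    plan    -- DNs in purge order: policyRules, then policyLists, then the group
    refused -- {group DN: reason} for groups that must not be purged yet
    """
    plan, refused = [], {}
    groups = [e for e in entries if "policyGroup" in e["objectClass"]]
    for group in sorted(groups, key=lambda e: e["dn"]):
        dn = group["dn"]
        if "umcDeletionAuxClass" not in group["objectClass"]:
            refused[dn] = "umcDeletionAuxClass missing"
        elif group.get("deleted") != "TRUE":
            refused[dn] = "deleted is not TRUE"
        elif dn in in_sae_memory:
            refused[dn] = "still in SAE memory"
        else:
            children = [e["dn"] for e in entries if e["dn"].endswith("," + dn)]
            # Deepest entries first so no parent is purged before its children.
            children.sort(key=lambda d: d.count(","), reverse=True)
            plan.extend(children + [dn])
    return plan, refused


if __name__ == "__main__":
    plan, refused = purge_plan(SNAPSHOT, in_sae_memory={f"cn=iron,{BASE}"})
    for dn in plan:
        print("purge ", dn)
    for dn, reason in refused.items():
        print("refuse", dn, "-", reason)
```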
We recommend that you purge only deleted policyGroups. You can perform this operation very infrequently (perhaps once a month). Before performing this operation, use SAE Web Admin to check each SAE to be sure that the policyGroups to be purged are not included in the SAE's memory. If a deleted policy remains in the SAE's memory, ensure that it has its deleted attribute set to TRUE or that it does not exist in the SAE's connected directory. If the deleted policy: