Skip to main content
Skip table of contents

Unified Policies

Unified Policies are QoS Policies that can be applied to devices. Use the Unified Policies screen to display information about all of the configured Unified Policies. This screen also allows you to create, edit, and delete Unified Policies on the network. To access the Unified Policies screen, click on Network Access > Unified Access > Unified Policies under the “Configure” section of the OmniVista Cirrus Menu.

Unified Policy - OmniVista Cirrus 10.4.3-20240709-103021.png

Creating a Unified Policy

The Create Unified Policy screen is used to configure the Unified Policy Settings and Network Assignment settings for a unified policy. To access the Create Unified Policy screen, click on Create Unified Policy at the top of the Unified Policies screen, as shown above.

Consider the following use cases when configuring Unified Policies:

  1. OmniVista Cirrus 10 does not use LDAP, so any Unified Policies created on a Switch via LDAP are not discovered; only policies configured through the Switch CLI are discovered. As a result, the Unified Policies screen displays only policies configured through the Switch CLI.

  2. Child policy profiles (action, condition, validity period) can be shared among policy rules.

Example:

  • policy rule r1 condition r1 action r1 validity-period r1

  • policy rule r2 condition r1 action r1 validity-period r1

In this complex case, when you try to delete policy rule r2, only rule r2 will be deleted on both OmniVista Cirrus devices and the applied Switch devices. The child profiles (condition r1, action r1, validity period r1) will be retained because they are used by policy rule r1. They will only be deleted when no policies are using them. If you edit the child profile of policy rule r1, policy rule r2 will be affected because they are sharing the child profile.

  1. If there are two policies with the same name but different child profiles between two Switch devices, there will be a mismatch between the profile template and device configuration.

Example:

  • Switch A has policy rule r1 condition r1 action r1 validity-period r1

  • Switch B has policy rule r1 condition r2 action r2 validity-period r2

Assuming that Switch A will report the polling data before Switch B, you should save the profile template of policy rule r1 with the child profile condition r1, action r1, and validity period r1. Subsequently, when Switch B reports the polling data for policy rule r1 but with a different child profile, you should only update the assignment for policy rule r1 instead of updating the profile with the new child profile. As a result, there will be a mismatch between policy rule r1 and Switch B. (Note: If rule r1 is edited without changing the device selection, the configuration on both Switch A and Switch B will be updated).

  1. There are two platform types for the Switch devices: QoS1 and QoS2.

    • The QoS1 platform includes the following models: OS6860, OS6865, and OS6900-TOR, which require at least one configuration when creating a policy condition.

    • The QoS2 platform includes the following models: OS9900, OS6860N, OS6900-Yukon, OS6560, OS6465, OS6360, and OS6570, which allow the creation of a policy condition without any configuration.

As a result, you cannot apply a policy condition without criteria on the QoS1 platform.

  1. The modification of Policy Rule which contains only a single L3 condition to another L3 condition is not allowed. If you want to add a condition with the existing condition, then first delete and re-create the policy with the new L3 condition.

  2. The Switch device does not allow combining the L3 Condition Multicast IP with L2 Condition Source MAC, L3 Condition Source IP, L3 Condition DSCP/TOS, L4 Condition Service, L4 Condition Service Group, or Policy Action CIR.

  3. OmniVista Cirrus 10 will only support configuring the L2 MAC Address with the Single MAC Address option. Thus, it will not support configuring the L3 IP Group and Group MAC address option.

The Create Unified Policy screen provides the following step-by-step process for creating an Unified Policy:

1. Unified Policy Settings

Basic Information

  • Policy Name - The name of the policy. The field must have at most 22 characters. The use of two special characters(/ or \) is not allowed for the Policy name.

  • Precedence - The Precedence value of the Policy (0 - 65535).

Advanced Options

Click on Advanced options to display and configure the following options:

  • Default List - Adds the rule to the default policy list.

  • Enabled - Enables the policy.

  • Save List - Marks the policy rule so that it may be captured as part of the switch configuration.

  • Log Matches - Configures the switch to log messages about specific flows coming into the switch that match this policy rule.

  • Send Trap - Enables or disables traps for the rule. By default, it is set to Ignore. Since the Switch devices no longer support this option, therefore enabling it will have no effect on the Switch devices.

  • Reflexive - Enables support for Reflexive for the policy. Reflexive policies allow specific return connections that would normally be denied. Since the Switch devices no longer support this option, therefore enabling it will have no effect on the Switch devices.

Conditions

A Unified Policy is applied to client traffic that matches the condition(s) configured for the policy. At least one condition is mandatory. When multiple conditions are specified, all conditions must match for the policy to be applied to the client traffic.

When you create a Condition, the Condition(s) you configure must be true before traffic is allowed to flow. Click on Add Condition and select the Condition you want to configure from the “Choose a condition” drop-down menu. The configuration options for the selected Condition will display.

A brief description of each Condition is provided below. Click the hyperlink for each Condition for detailed configuration instructions.

  • L2 MACs - Create a Condition that applies the policy to traffic originating from a MAC address/group or to traffic flowing to a MAC address/group. (Note that, MAC Addresses cannot contain wildcard characters for both Access Points and Switches).

  • L3 IPs - Create a Condition that applies the policy to traffic originating from an IP address/network group or to traffic flowing to an IP address/network group. (Note that any IP address can be masked).

  • L3 DSCP/TOS - Create a Condition that applies the policy to traffic with a specified value in either the DSCP (Differentiated Services Code Point) byte or in the IP TOS (IP Type of Service) byte. Both DSCP and IP TOS are mechanisms used to convey QoS information in the IP header of frames.

  • L4 Services- Create a Condition that applies the policy to traffic flowing between two TCP or UDP ports, or to all traffic originating from a TCP or UDP port, or to all traffic flowing to a TCP or UDP port. You can also create a Condition using an existing service/service group.

L2 MACs

A MAC Condition applies the Policy to traffic flowing from/to a MAC Address/Group. Note that Layer 2 Conditions (conditions that specify MAC Addresses) are "lost" when traffic passes through a router. For this reason, it may be advisable to specify other types of Conditions (such as a Layer 3 Condition, which specifies IP Addresses) when traffic is expected to travel more than one router hop.

When you select the L2 MACs condition, the following parameters to configure a single/group source MAC address or a single/group destination MAC address will display.

Select the parameter(s) you want to configure by selecting the applicable radio button. For Source/Destination MAC Address, click on Single Source/Destination MAC Address to configure a single MAC Address or click on Group Source/Destination MAC Address to configure a MAC Address Group. If you select the Group option, you will then be prompted to select an existing MAC Address Group or create a new group.

  • Not defined - This option specifies that there is no criteria for the policy.

  • Single Source MAC Address - Configuring a Source MAC Address Condition restricts the policy to traffic that flows from this MAC Address only. If you do not select this option, you are effectively stating that the Source MAC Address traffic is not a criterion for the policy.

  • Single Destination MAC Address - Configuring a Destination MAC Address Condition restricts the policy to traffic that flows to this MAC Address only. If you do not select this option, you are effectively stating that the Destination MAC Address traffic is not a criterion for the policy.

Notes:

  • Conditions that specify both a source and a destination MAC address may be rejected by some devices as invalid. However, if you wish to create policies for both source and destination traffic, you can create one policy for the source traffic and a second policy for the destination traffic.

  • The following MAC address ranges are assigned to Alcatel-Lucent Enterprise voice devices and Alcatel-Lucent Enterprise IP phones.

    • Voice Devices

      • 00809F3A0000 - 00809F3AFFFF

      • 00809F3B0000 - 00809F3BFFFF

      • 00809F3C0000 - 00809F3CFFFF

    • IP Phones

      • 00809F3D0000 - 00809F3DFFFF

    • Multi-Media Devices

      • 00809F3E0000 - 00809F3EFFFF

      • 00809F3F0000 - 00809F3FFFFF

L3 IPs

An IP Condition applies the Policy to traffic originating from, or flowing to, an IP Address/IP Network group. Any IP Address can be masked. Note that a Condition that specifies both a Source and Destination IP Address/Network Group will be rejected by the device as invalid. However, if you wish to create policies for both Source and Destination traffic, you can create one policy for the Source traffic and a second policy for the Destination traffic.

When you select the L3 IPs condition, the following parameters to configure a single/group source IP address or a single/group destination IP address will display.

Select the parameter(s) you want to configure by selecting the applicable radio button. For Source/Destination/Multicast IP Address, click on Single to configure a single IP Address (and Shorthand or Subnet Mask, if applicable), or click on Group to configure an IP Group. If you select the Group option, you will then be prompted to select an existing IP Group or create a new group.

  • Not defined - This option specifies that there is no criteria for the policy.

  • Single Source IP Address - Configuring a Source IP Address Condition restricts the policy to traffic that flows from this IP Address only. If you do not select this option, you are effectively stating that the Source IP Address/Group traffic is not a criterion for the policy.

  • Single Destination IP Address - Configuring a Destination IP Address Condition restricts the policy to traffic that flows to this IP Address only. If you do not select this option, you are effectively stating that the Destination IP Address traffic is not a criterion for the policy.

  • Single Multicast IP Address - Configuring a Multicast IP Address Condition restricts the policy to traffic that flows to this IP Multicast Address Group only. If you do not select this option, you are effectively stating that the Destination IP Multicast Address or Subnet Mask/Group traffic is not a criterion for the policy.

When configuring an IP Address Condition, you can also click either the Shorthand Mask or Subnet Mask button to configure a Subnet Mask. If you are using a Shorthand Mask, select a value from the Shorthand Mask drop-down list. If you are using a full Subnet Mask, select a value from the Subnet Mask drop-down list. Note that the * wildcard character is not allowed in IP addresses.

Important Note:

  1. When creating an IP Condition for a NAT Action you must specify an IP Network Group in the Condition. NAT will only work when both the Condition and Action specify network groups. To create a "One-to-Many" Condition and action, create a Network Group with a single entry for the Condition.

  2. If you are configuring L3 IP Conditions with Source IP Address Range and Destination IP Address Range as Short Hand Mask with Short hand Mask field value 0 then on Switch the Source or Destination IP address will be reflected as “ANY”.

L3 DSCP/TOS

A DSCP/TOS Condition applies the Policy to incoming traffic that has a specified value in either the DSCP (Differentiated Services Code Point) byte or in the TOS (Type of Service) byte. Both DSCP and TOS are mechanisms used to convey QoS information in the IP header of frames. DSCP and TOS are mutually exclusive - you can use either DSCP or TOS but not both.

When you select the L3 DSCP/TOS condition, the following parameters to configure a single/group source IP address or a single/group destination IP address will display.

Click on the applicable radio button (DSCP or TOS) and enter a value.

  • Not specified - There is no criteria for the policy.

  • Differentiated Service Code Point - Defines the QoS treatment a frame is to receive from each network device. This is referred to as per-hop behavior. If you are using DSCP, you can define any value in the range 0 - 63 as the DSCP value in the IP header of the frame. Traffic that contains this value will match this condition.

  • Type of Service Precedence- A TOS value creates a condition that applies the policy to traffic that has the specified TOS value in the IP header of frames. Enter any value from 0 - 7 to specify the value of the precedence field in the TOS byte that will match this condition. A value of 7 has the highest precedence and a value of 0 has the lowest.

L4 Services

A Service Condition applies the policy to Service Protocol traffic (TCP or UDP) flowing from/to two TCP or UDP ports, or to traffic flowing from/to a TCP or UDP Service or Service Group. When you select the L4 Services condition, the following parameters to configure the type of Service Condition will display:

Select a type of Service Condition you want to configure, then configure the parameter(s) as described below.

  • Note defined - This option specifies that there is no criteria for the policy.

  • Protocol Only - Select TCP or UDP to create a condition for a Service Protocol only.

  • Port(s) - To configure the Condition for a specific Service Port, select a Source and Destination Port from the drop-down menu to specify a specific port for the service you selected. You can also click on Add New to create new Service Ports.

  • Service - Select a Service from the drop-down menu. You can also click on Add New to create a new Service.

  • Service Group - Select a Service Group from the drop-down menu. You can also click on Add New to go create a new Service Group.

Note: Configuring the L4 Service and Service Group is not supported for this release.

Actions

A Unified Policy Action enables you to specify the treatment traffic receives when it flows. This includes the priority the traffic will receive, its minimum and maximum output rates, and the values to which specified bits in the frame headers will be set upon egress from the device. When the conditions specified by the Unified Policy Condition are true, traffic will flow as specified by the Unified Policy Action.

Create Unified Policy-Qos actions - OmniVista Cirrus 10.4.3-20240708-161908.png

A brief description of each Action is provided below. Click the hyperlink for each Action for detailed configuration instructions.

  • QoS - Create an Action to specify QoS actions to impose on traffic that meets the configured policy condition(s). When the conditions specified by the policy are true, traffic will flow as specified by the policy action.

  • TCM - Create an Action to specify Tri-Color Marking (TCM) actions to impose on traffic that meets the configured policy condition(s). TCM provides a mechanism for policing network traffic by limiting the rate at which traffic is sent or received on a device interface. TCM meters traffic based on user-configured packet rates and burst sizes and "marks" the metered packets as green, yellow, or red based on whether the traffic meets the configured rates. This "color marking" determines the packet's precedence when congestion occurs.

  • QoS - The QoS Policy Action option enables you to specify QoS actions to impose on traffic that meets the configured policy condition(s). When the conditions specified by the policy are true, traffic will flow as specified by the policy action.

    • Accessibility - Set the Action to Accept, Drop or Deny traffic that meets the configured condition(s). The Deny option will only be available for Switch devices.

      • Accept- Specifies that the switch should accept the flow.

      • Drop- Specifies that the switch should silently drop the flow.

      • Deny- Specifies that the switch should drop the flow and issue an ICMP message indicating the flow was dropped for administrative reasons. Currently this option will provide the same result as drop; that is, the flow is silently dropped.

    • Priority - Specify QoS priority the traffic will receive if it meets the configured condition(s).

      • Platinum priority provides the highest quality of service (and maps to a firmware priority of 7).

      • Gold provides the next-highest quality of service (and maps to a firmware priority of 5).

      • Silver provides the next-highest quality of service (and maps to a firmware priority of 3).

      • Bronze provides the same quality of service as best effort (and maps to a firmware priority of 1). A separate egress queue is maintained in the hardware for traffic of each different priority.

    • Max Output Rate - Specify the maximum amount of traffic, in kilobits-per-second, which is guaranteed to be transmitted. Even if no other traffic exists, the output will be limited to the rate specified here.

    • 802.1p Priority Level - If you want outgoing packets tagged with an 802.1b priority level, set the 802.1p Priority Level field value between 0 to 7 to specify the desired outgoing 802.1p priority for the traffic. A value of 7 indicates the highest priority and a value of 0 indicates the lowest priority.

    • DSCP/TOS - Enable/Disable DSCP/TOS Precedence.

  • TCM (Three Color Marker) - The TCM Policy Action option enables you to specify Three-Color Marking (TCM) actions action to impose on traffic that meets the configured policy condition(s). TCM provides a mechanism for policing network traffic by limiting the rate at which traffic is sent or received on a switch interface.

    • Committed Information Rate - The guaranteed bandwidth in bits-per-second, for all traffic that ingresses on the port.

    • Peak Information Rate - The peak bandwidth in bits-per-second, for all traffic that ingresses on the port.

Validity Period

The Validity Period enables you to add a validity period to a condition by specifying the time periods when the policy is active and enforced.

Select a validity period for the Unified Policy.

  • All The Time - The policy will be enforced all days of the week, all months of the year, and all hours of the day.

  • Weekdays - The policy will be enforced on weekdays (Monday - Friday), all months of the year. Each weekday is 24 hours (midnight to midnight).

  • Weekends - The policy will be enforced on Saturday and Sunday, all months of the year. Each Saturday and Sunday is 24 hours (midnight to midnight).

  • Working Days - The policy will be enforced on weekdays (Monday - Friday), from 9:00 a.m. to 5:00 p.m., all months of the year.

  • Custom - Select to create a custom validity period by specifying specific days, months, and times.

Click on Next button to configure Network Assignments for the Unified policy.

2. Network Assignments

The Network Assignments tab is used to select the AP Group(s) within a Site(s) and specific Switch devices to which the Unified Policy will be applied to devices within those groups. Complete the network assignments as described below, then click on Create to create the Unified Policy.

Network assignment-Unified policy create- OmniVista Cirrus 10.4.3-20240725-070515.png

  • Device Assignment - Select the specific set of Devices from the available list to assign the policy.

  • Group Assignment - Select the specific group of Devices from the available list to assign the policy. The Unified Policy will be applied to the selected group of devices from the list.

Note: In case of failing to apply an Unified Policy to devices, if you wants to re-apply the policy with no change in the configuration, you needs to edit the profile (or the profile that links to it and supports device assignment) to remove the devices then edit to re-add the devices into the device assignment tab.

Note: For the selection of an AP Group or Device, follow the below criteria:

  1. You can define a Unified Policy without selecting an AP Group or Device

  2. You can select only AP Groups to apply the Unified Policy

  3. You can select only Switch devices to apply the Unified Policy

  4. You can select both AP Groups and Switch devices to apply the Unified Policy

  5. You can filter the Switch devices based on labels.

  6. When you type characters in the device list field, the list of devices matching the typed characters will be displayed.

Editing a Unified Policy

Select the policy in the Unified Policy list and click on the Edit icon to bring up the Edit Unified Policy screen.

Unified Policy-edit - OmniVista Cirrus 10.4.2-20240419-060705.png

Use one of the following methods to access the Edit Access Role Profile screen (as shown above):

  • Select the profile to edit by clicking on the checkbox next to the profile, click on Actions, then select Edit from the drop-down menu.

  • Click on the pencil icon under the “Actions” column next to the profile that you want to edit.

The following Edit Access Role Profile screen displays. Edit the fields as described above, then click on Save.

Edit screen Unified Policy - OmniVista Cirrus 10.4.2-20240419-061503.png

Note: In case of failing to apply a Unified Profile to devices, if you want to re-apply the profile with no change in the configuration, you need to edit it (or the profile that links to it and supports device assignment) to remove the devices then edit to re-add the devices into the device assignment tab.

Deleting a Unified Policy

To delete an Unified Policy, use one of the following methods to select the policy you want to delete:

  • Select the profile to delete by clicking on the checkbox next to the profile, click on Actions, then select Delete from the drop-down menu.

  • Click on the trash can icon under the “Actions” column next to the profile that you want to delete.

Unified policy-delete Ov 10.4.2-20240419-060931.png

When you select the profile you want to delete, the following confirmation prompt appears:

Unified Policy-confirm delete - OmniVista Cirrus 10.4.2-20240419-061805.png

Click on Delete to confirm that you want to delete the Unified Policy.

View Additional Unified Policy Information

The Unified Policies list displays information for the configured Unified Policies. To display detailed information about a specific policy, select the policy and click on the Additional Information icon under the “Actions” column.

Unified policy list OV 10.4.2-20240419-061058.png
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close