Unified Policies
Unified Policies are QoS Policies that can be applied to wireless devices. Use the Unified Policies screen to display information about all of the configured Unified Policies. This screen also allows you to create, edit, and delete Unified Policies on the network. To access the Unified Policies screen, click on Network Access > Unified Access > Unified Policies under the “Configure” section of the OmniVista Cirrus Menu.
Creating a Unified Policy
The Create Unified Policy screen is used to configure the Unified Policy Settings and Network Assignment settings for a unified policy. To access the Create Unified Policy screen, click on Create Unified Policy at the top of the Unified Policies screen, as shown above.
The Create Unified Policy screen provides the following step-by-step process for creating an Unified Policy:
1. Unified Policy Settings
Basic Information
Policy Name - The name of the policy.
Precedence - The Precedence value of the Policy (0 - 65535).
Advanced Options
Click on Advanced options to display and configure the following options:
Default List - Adds the rule to the default policy list.
Enabled - Enables the policy.
Save List - Marks the policy rule so that it may be captured as part of the switch configuration.
Log Matches - Configures the switch to log messages about specific flows coming into the switch that match this policy rule.
Send Trap - Enables traps for the policy.
Reflexive - Enables support for Reflexive for the policy. Reflexive policies allow specific return connections that would normally be denied.
Conditions
A Unified Policy is applied to client traffic that matches the condition(s) configured for the policy. At least one condition is mandatory. When multiple conditions are specified, all conditions must match for the policy to be applied to the client traffic.
When you create a Condition, the Condition(s) you configure must be true before traffic is allowed to flow. Click on Add Condition and select the Condition you want to configure from the “Choose a condition” drop-down menu. The configuration options for the selected Condition will display.
A brief description of each Condition is provided below. Click the hyperlink for each Condition for detailed configuration instructions.
L2 MACs - Create a Condition that applies the policy to traffic originating from a MAC address/group or to traffic flowing to a MAC address/group. (Note that for APs, MAC Addresses cannot contain wildcard characters.)
L3 IPs - Create a Condition that applies the policy to traffic originating from an IP address/network group or to traffic flowing to an IP address/network group. (Note that any IP address can be masked).
L3 DSCP/TOS - Create a Condition that applies the policy to traffic with a specified value in either the DSCP (Differentiated Services Code Point) byte or in the IP TOS (IP Type of Service) byte. Both DSCP and IP TOS are mechanisms used to convey QoS information in the IP header of frames.
L4 Services- Create a Condition that applies the policy to traffic flowing between two TCP or UDP ports, or to all traffic originating from a TCP or UDP port, or to all traffic flowing to a TCP or UDP port. You can also create a Condition using an existing service/service group.
L2 MACs
A MAC Condition applies the Policy to traffic flowing from/to a MAC Address/Group. Note that Layer 2 Conditions (conditions that specify MAC Addresses) are "lost" when traffic passes through a router. For this reason, it may be advisable to specify other types of Conditions (such as a Layer 3 Condition, which specifies IP Addresses) when traffic is expected to travel more than one router hop.
When you select the L2 MACs condition, the following parameters to configure a single/group source MAC address or a single/group destination MAC address will display.
Select the parameter(s) you want to configure by selecting the applicable radio button. For Source/Destination MAC Address, click on Single Source/Destination MAC Address to configure a single MAC Address or click on Group Source/Destination MAC Address to configure a MAC Address Group. If you select the Group option, you will then be prompted to select an existing MAC Address Group or create a new group.
Not defined - This option specifies that there is no criteria for the policy.
Single Source MAC Address/Group - Configuring a Source MAC Address/Group Condition restricts the policy to traffic that flows from this MAC Address/Group only. If you do not select this option, you are effectively stating that the Source MAC Address/Group traffic is not a criterion for the policy.
Single Destination MAC Address/Group - Configuring a Destination MAC Address/Group Condition restricts the policy to traffic that flows to this MAC Address/Group only. If you do not select this option, you are effectively stating that the Destination MAC Address/Group traffic is not a criterion for the policy.
Notes:
Conditions that specify both a source and a destination MAC address may be rejected by some devices as invalid. However, if you wish to create policies for both source and destination traffic, you can create one policy for the source traffic and a second policy for the destination traffic.
MAC addresses may contain the wildcard character *. However, one * character must be entered for each individual hex digit in the MAC address: for example, 00435C:******, not 00435C:*.
The following MAC address ranges are assigned to Alcatel-Lucent Enterprise voice devices and Alcatel-Lucent Enterprise IP phones.
Voice Devices
00809F3A0000 - 00809F3AFFFF
00809F3B0000 - 00809F3BFFFF
00809F3C0000 - 00809F3CFFFF
IP Phones
00809F3D0000 - 00809F3DFFFF
Multi-Media Devices
00809F3E0000 - 00809F3EFFFF
00809F3F0000 - 00809F3FFFFF
L3 IPs
An IP Condition applies the Policy to traffic originating from, or flowing to, an IP Address/IP Network group. Any IP Address can be masked. Note that a Condition that specifies both a Source and Destination IP Address/Network Group will be rejected by the device as invalid. However, if you wish to create policies for both Source and Destination traffic, you can create one policy for the Source traffic and a second policy for the Destination traffic.
When you select the L3 IPs condition, the following parameters to configure a single/group source IP address or a single/group destination IP address will display.
Select the parameter(s) you want to configure by selecting the applicable radio button. For Source/Destination/Multicast IP Address, click on Single to configure a single IP Address (and Shorthand or Subnet Mask, if applicable), or click on Group to configure an IP Group. If you select the Group option, you will then be prompted to select an existing IP Group or create a new group.
Not defined - This option specifies that there is no criteria for the policy.
Single Source IP Address/Group - Configuring a Source IP Address/Group Condition restricts the policy to traffic that flows from this IP Address/Group only. If you do not select this option, you are effectively stating that the Source IP Address/Group traffic is not a criterion for the policy.
Single Destination IP Address/Group - Configuring a Destination IP Address/Group Condition restricts the policy to traffic that flows to this IP Address/Group only. If you do not select this option, you are effectively stating that the Destination IP Address/Group traffic is not a criterion for the policy.
Single Multicast IP Address/Group - Configuring a Multicast IP Address/Group Condition restricts the policy to traffic that flows to this IP Multicast Address Group only. If you do not select this option, you are effectively stating that the Destination IP Multicast Address or Subnet Mask/Group traffic is not a criterion for the policy.
When configuring an IP Address Condition, you can also click either the Shorthand Mask or Subnet Mask button to configure a Subnet Mask. If you are using a Shorthand Mask, select a value from the Shorthand Mask drop-down list. If you are using a full Subnet Mask, select a value from the Subnet Mask drop-down list. Note that the * wildcard character is not allowed in IP addresses.
Important Note: When creating an IP Condition for a NAT Action you must specify an IP Network Group in the Condition. NAT will only work when both the Condition and Action specify network groups. To create a "One-to-Many" Condition and action, create a Network Group with a single entry for the Condition.
L3 DSCP/TOS
A DSCP/TOS Condition applies the Policy to incoming traffic that has a specified value in either the DSCP (Differentiated Services Code Point) byte or in the TOS (Type of Service) byte. Both DSCP and TOS are mechanisms used to convey QoS information in the IP header of frames. DSCP and TOS are mutually exclusive - you can use either DSCP or TOS but not both.
When you select the L3 DSCP/TOS condition, the following parameters to configure a single/group source IP address or a single/group destination IP address will display.
Click on the applicable radio button (DSCP or TOS) and enter a value.
Not specified - There is no criteria for the policy.
Differentiated Service Code Point - Defines the QoS treatment a frame is to receive from each network device. This is referred to as per-hop behavior. If you are using DSCP, you can define any value in the range 0 - 63 as the DSCP value in the IP header of the frame. Traffic that contains this value will match this condition.
Type of Service Precedence- A TOS value creates a condition that applies the policy to traffic that has the specified TOS value in the IP header of frames. Enter any value from 0 - 7 to specify the value of the precedence field in the TOS byte that will match this condition. A value of 7 has the highest precedence and a value of 0 has the lowest.
L4 Services
A Service Condition applies the policy to Service Protocol traffic (TCP or UDP) flowing from/to two TCP or UDP ports, or to traffic flowing from/to a TCP or UDP Service or Service Group. When you select the L4 Services condition, the following parameters to configure the type of Service Condition will display:
Select a type of Service Condition you want to configure, then configure the parameter(s) as described below.
Note defined - This option specifies that there is no criteria for the policy.
Protocol Only - Select TCP or UDP to create a condition for a Service Protocol only.
Port(s) - To configure the Condition for a specific Service Port, select a Source and Destination Port from the drop-down menu to specify a specific port for the service you selected. You can also click on Add New to create new Service Ports.
Service - Select a Service from the drop-down menu. You can also click on Add New to create a new Service.
Service Group - Select a Service Group from the drop-down menu. You can also click on Add New to go create a new Service Group.
Actions
A Unified Policy Action enables you to specify the treatment traffic receives when it flows. This includes the priority the traffic will receive, its minimum and maximum output rates, and the values to which specified bits in the frame headers will be set upon egress from the device. When the conditions specified by the Unified Policy Condition are true, traffic will flow as specified by the Unified Policy Action.
A brief description of each Action is provided below. Click the hyperlink for each Action for detailed configuration instructions.
QoS - Create an Action to specify QoS actions to impose on traffic that meets the configured policy condition(s). When the conditions specified by the policy are true, traffic will flow as specified by the policy action.
TCM - Create an Action to specify Tri-Color Marking (TCM) actions to impose on traffic that meets the configured policy condition(s). TCM provides a mechanism for policing network traffic by limiting the rate at which traffic is sent or received on a device interface. TCM meters traffic based on user-configured packet rates and burst sizes and "marks" the metered packets as green, yellow, or red based on whether the traffic meets the configured rates. This "color marking" determines the packet's precedence when congestion occurs.
QoS - The QoS Policy Action option enables you to specify QoS actions to impose on traffic that meets the configured policy condition(s). When the conditions specified by the policy are true, traffic will flow as specified by the policy action.
Accessibility - Set the Action to Accept or Drop traffic that meets the configured condition(s).
Priority - Specify QoS priority the traffic will receive if it meets the configured condition(s).
Platinum priority provides the highest quality of service (and maps to a firmware priority of 7).
Gold provides the next-highest quality of service (and maps to a firmware priority of 5).
Silver provides the next-highest quality of service (and maps to a firmware priority of 3).
Bronze provides the same quality of service as best effort (and maps to a firmware priority of 1). A separate egress queue is maintained in the hardware for traffic of each different priority.
Max Output Rate - Specify the maximum amount of traffic, in kilobits-per-second, which is guaranteed to be transmitted. Even if no other traffic exists, the output will be limited to the rate specified here.
802.1p Priority Level - If you want outgoing packets tagged with an 802.1b priority level, set the 802.1p Priority Level field value between 0 to 7 to specify the desired outgoing 802.1p priority for the traffic. A value of 7 indicates the highest priority and a value of 0 indicates the lowest priority.
DSCP/TOS - Enable/Disable DSCP/TOS Precedence.
TCM (Three Color Marker) - The TCM Policy Action option enables you to specify Three-Color Marking (TCM) actions action to impose on traffic that meets the configured policy condition(s). TCM provides a mechanism for policing network traffic by limiting the rate at which traffic is sent or received on a switch interface.
Committed Information Rate - The guaranteed bandwidth in bits-per-second, for all traffic that ingresses on the port.
Peak Information Rate - The peak bandwidth in bits-per-second, for all traffic that ingresses on the port.
Validity Period
The Validity Period enables you to add a validity period to a condition by specifying the time periods when the policy is active and enforced.
Select a validity period for the Unified Policy.
All The Time - The policy will be enforced all days of the week, all months of the year, and all hours of the day.
Weekdays - The policy will be enforced on weekdays (Monday - Friday), all months of the year. Each weekday is 24 hours (midnight to midnight).
Weekends - The policy will be enforced on Saturday and Sunday, all months of the year. Each Saturday and Sunday is 24 hours (midnight to midnight).
Working Days - The policy will be enforced on weekdays (Monday - Friday), from 9:00 a.m. to 5:00 p.m., all months of the year.
Custom - Select to create a custom validity period by specifying specific days, months, and times.
Click on Next button to configure Network Assignments for the Unified policy.
2. Network Assignments
The Network Assignments tab is used to select the AP Group(s) within a Site(s) to which the Unified Policy will be applied to devices within those groups. Complete the network assignments as described below, then click on Create Unified Policy to create the Unified Policy.
Select Site to Filter Groups - Select the Site from which you want to select AP Group(s).
Select Access Point Groups - Select the Access Point Group(s) associated with the selected Site. The Access Role Profile is applied to devices in the AP Group(s).
Editing a Unified Policy
Select the policy in the Unified Policy list and click on the Edit icon to bring up the Edit Unified Policy screen.
Use one of the following methods to access the Edit Access Role Profile screen (as shown above):
Select the profile to edit by clicking on the checkbox next to the profile, click on Actions, then select Edit from the drop-down menu.
Click on the pencil icon under the “Actions” column next to the profile that you want to edit.
The following Edit Access Role Profile screen displays. Edit the fields as described above, then click on Save.
Deleting a Unified Policy
To delete an Unified Policy, use one of the following methods to select the policy you want to delete:
Select the profile to delete by clicking on the checkbox next to the profile, click on Actions, then select Delete from the drop-down menu.
Click on the trash can icon under the “Actions” column next to the profile that you want to delete.
When you select the profile you want to delete, the following confirmation prompt appears:
Click on Delete to confirm that you want to delete the Unified Policy.
View Additional Unified Policy Information
The Unified Policies list displays information for the configured Unified Policies. To display detailed information about a specific policy, select the policy and click on the Additional Information icon under the “Actions” column.