Policy Management

Application that is identified based on the first packet

3-tuple information: An application is identified based on the server address, protocol type, and fixed port number.

Application that is identified by service awareness

Keyword: An application is identified based on the server address, protocol type, and unfixed port number.

3-tuple information and keyword: An application is identified through the server using the same port number to provide two or more services.

Viewing details about a customized application

You can view detailed information about a customized application.

1. On the Customized Application tab page, click in the row where you want to view details about a customized application.
2. In the expanded area, view details about the customized application.

Modifying a customized application

You cannot modify Application Name of a customized application that is being referenced by an application group.

1. On the Customized Application tab page, click in the Operation column of the customized application to be modified.
2. On the page that is displayed, modify the customized application.
3. Click OK.

Cloning a customized application

You can quickly create a customized application by simply modifying an existing customized application.

1. On the Customized Application tab page, click in the Operation column of the customized application to be cloned.
2. Modify the cloned customized application.
3. Click OK.

Deleting a customized application

You cannot delete a customized application that is being referenced by an application group.

1. On the Customized Application tab page, click in the Operation column of the customized application to be deleted.
2. Click Yes.

Name

Name of a user-defined application.

Description

Description of a user-defined application's function.

Application group

Application group. You can define an application and add it to an existing application group, or define an application group and add applications to it.

Rule

Name

Name of a rule defined for identifying application packets. A rule contains the protocol number and port number used by an application, and other basic attributes.

Description

Description of a rule.

Destination IP

Destination IP address of an application packet.

In most cases, the IP address of an application server is a fixed public IP address. This allows the system to identify the application packets based on a specified destination IP address.

Port number

Destination port number of an application packet.

Protocol

Transport layer protocol type of a user-defined application rule, which can be All, TCP, or UDP.

Signature

Signature

Signature information. Data packets of some applications contain the same character string, which is regarded as a signature.

Context

You can select the packet- or flow-based mode for signature identification:

• If you select the packet-based mode, the rule checks every packet in an application data flow.
• If you select the flow-based mode, the rule checks only the first packet in an application data flow. After detecting that the subsequent packets belong to the same data flow based on the quintuple information, the rule does not check the subsequent packets.

Direction

Direction of packets to be identified. You can configure a rule to identify the signatures only in request or response packets, or in both of them.

Plain-text String

Signature string, which is case-sensitive.

Viewing details about an application group

You can view detailed information about an application group.

1. Choose Policy > Application Management > Application Group from the main menu. Click in the row of the application group that you want to view.
2. In the expanded area, view details about the application group.

Modifying an application group

You cannot modify the name of a customized application that is being referenced by a traffic classifier template or application quality monitoring.

1. Choose Policy > Application Management > Application Group from the main menu. Click in the Operation column of the application group to be modified.
2. On the page that is displayed, modify the application group.
3. Click OK.

Deleting an application group

You cannot delete a customized application that is being referenced by a traffic classifier template or application quality monitoring.

1. Choose Policy > Application Management > Application Group from the main menu. Click in the Operation column of the application group to be deleted.
2. Click OK.

Name

Name of an application group.

Description

Description of an application, for example, video application software or social application software.

Applications

Predefined applications

SA signature database

SA signature database. Before selecting applications for FPI and SA, you need to select an SA signature database. There are two available signature databases: SA_H30071000 (6000+) and SA_H30071002 (500+). The numbers in parentheses represent the numbers of applications contained in the database. For example, SA_H30071000 (6000+) contains more than 6000 applications, while SA_H30071002 (500+) contains more than 500 applications. The options for FPI and SA vary according to the signature database.

FPI

Predefined applications for FPI. You can click Edit, select predefined applications, and add them to an application group.

SA

Predefined applications for SA. You can click Edit, select predefined applications, and add them to an application group.

FPI has higher requirements on packets than SA, so SA can identify more application. Against this backdrop. FPI applications are a subset of SA applications.

Customized Applications

User-defined application. You need to click Edit and select a configured user-defined application.

Modifying a traffic classifier template

The traffic classifier template referenced by a policy cannot be modified. Before modifying a traffic classifier template, you need to delete the traffic policy that is applied to the traffic classifier template or unbind the traffic classifier template from the traffic policy.

On the Traffic Classifier Template page, click in the Operation column of the traffic classifier template to be modified.

Deleting a traffic classifier template

The traffic classifier template referenced by a policy cannot be deleted. Before deleting a traffic classifier template, you need to delete the traffic policy that is applied to the traffic classifier template or unbind the traffic classifier template from the traffic policy.

On the Traffic Classifier Template page, select the traffic classifier template to be deleted, and click .

Cloning a traffic classifier template

You can quickly create a traffic classifier template by modifying an existing template. After you clone a traffic classifier template, the template exists only on iMaster NCE-Campus. To deliver the new policy to devices, you need to perform the Commit operation.

On the Traffic Classifier Template page, select the traffic classifier template to be cloned, and click .

Traffic classifier name

Name of a traffic classifier template

Operator

• The and parameter indicates that the relationship between the rules in the traffic classifier is AND, which means that:
  • If a traffic classifier contains ACL rules, packets match the traffic classifier only when the packets match one ACL rule and all the non-ACL rules.
  • If the traffic classifier does not contain any ACL rules, packets match the traffic classifier only when they match all the rules in the classifier.
• The or parameter that the relationship between the rules in the traffic classifier is OR. That is, packets match the traffic classifier if the packets match one or more rules in the traffic classifier.

By default, the relationship between rules in a traffic classifier is AND.

L3 ACL

Priority

ACL rule priority. Multiple Layer 3 ACL rules can be configured. Packets match the Layer 3 ACL rule with a higher priority first.

Source IP

Source IP address of the packet to be matched. If this parameter is not specified, packets with any source IP address are matched.

Destination IP

Destination IP address of the packet to be matched. If this parameter is not specified, packets with any destination IP address are matched.

DSCP

Differentiated Services Code Point (DSCP) value. The DSCP is a field in the IP header of a packet. It identifies the service class and priority of the packet to ensure the QoS level of the communication.

Protocol

Layer 3 protocol type of the packet to be matched.

• When the ACL type is IPV4, TCP/UDP/OSPF/IPinIP/IP/IGMP/ICMP/GRE protocols and protocols with customized protocol numbers are supported.

Source Port

Source port number of the packet to be matched. If this parameter is not specified, packets with any source port are matched.

Destination Port

Destination port number of the packet to be matched. If this parameter is not specified, packets with any destination port are matched.

Application groups

Application to which matched packets belong. Only an application group can be selected. Applications that are not added to an application group are not displayed, and you cannot select only some applications in an application group. Therefore, you need to plan application groups properly. You need to plan application groups properly.

Advance

VLAN ID

Start VLAN lD

Start VLAN ID in the outer tag of the VLAN packet to be matched.

End VLAN lD

End VLAN ID in the outer tag of the VLAN packet to be matched. End Vlan lD must be greater than Start Vlan lD. If End Vlan lD is not specified, only the packets carrying Start Vlan lD are matched.

802.1P

802.1P priority of the VLAN packet to be matched.

Source MAC

Source MAC address of the VLAN packet to be matched.

Destination MAC

Destination MAC address of the VLAN packet to be matched.

L2-Protocol

Layer 2 protocol type of the VLAN packet to be matched. Currently, ARP/IP/MPLS/RARP protocols and protocols with customized protocol numbers are supported.

Modifying an effective time template

Before modifying an effective time template, you need to delete the associated traffic policy or unbind the effective time template from the traffic policy. Otherwise, the effective time template cannot be modified.

On the Validity Period Template page, click in the Operation column of the effective time template to be modified.

Deleting an effective time template

Before deleting an effective time template, you need to delete the associated traffic policy or unbind the effective time template from the traffic policy. Otherwise, the effective time template cannot be deleted.

On the Validity Period Template page, select the effective time template to be deleted, and click .

Template name

Time range name.

Time type

• Daily: Periodic time segment. The time range is defined by day, indicating that the rule takes effect at an interval of one day (for example, from 8:00 to 12:00 every day).
• Weekly: Periodic time segment. The time range is defined by week, indicating that the rule takes effect at an interval of one week (for example, from 8:00 to 12:00 on Mondays).
• Scheduled: Absolute time segment, indicating that the rule takes effect in the time range from YYYY/MM/DD hh:mm to YYYY/MM/DD hh:mm.

Weekly

Date on which the time range takes effect. This parameter is available only when Time type is set to Weekly. The value can be one day (Monday to Sunday) or any day-of-week combinations.

Start time

Start time when a traffic policy takes effect.

End time

End time when a traffic policy takes effect.

Revoking the last operation on an ACL policy

You can revoke the operation performed on a policy that is not delivered to sites, namely, a policy on which the Commit operation is not performed (Committed not displayed in the Status column). You cannot revoke the operation performed on a committed policy. The revoke function can only revoke the last operation performed on a policy. For example, you can use this function to revoke the modification, creation, and deletion of a policy. After you revoke the last operation performed on a policy, only the configuration of the policy is rolled back. That is, the operation takes effect only on iMaster NCE-Campus, and does not take effect on devices.

On the ACL tab page, select the policy for which the last operation needs to be revoked, click Revoke, and select Revoke Selected.

Deleting an ACL policy

You can delete a policy regardless of whether it is delivered to sites. After you delete a policy, the policy is deleted only from iMaster NCE-Campus. To delete the policy from devices, you need to perform the Commit operation.

On the ACL tab page, select the ACL policy to be deleted and click Delete.

Modifying an ACL policy

You can modify a policy regardless of whether it is delivered to sites. After you modify a policy, the modification takes effect only on iMaster NCE-Campus. To modify the policy on devices, you need to perform the Commit operation.

1. On the ACL tab page, click in the Operation column of the ACL policy to be modified.
2. Modify the policy.
3. Click OK.

Cloning an ACL policy

You can clone an ACL policy. That is, you can quickly create a policy by modifying an existing policy. After you clone a policy, the policy exists only on iMaster NCE-Campus. To deliver the new policy to devices, you need to perform the Commit operation.

1. On the ACL tab page, click in the Operation column of the ACL policy to be cloned.
2. Modify the cloned policy.
3. Click OK.

Disabling/Enabling an ACL policy

• Disabling: You can disable a policy that does not need to be used currently. You can disable a policy regardless of whether it is delivered to sites. After you disable a policy, the policy is disabled only on iMaster NCE-Campus. To disable the policy on devices, you need to perform the Commit operation.
• Enabling: You can enable a policy that needs to be used. You can enable a policy regardless of whether it is delivered to sites. After you enable a policy, the policy is enabled only on iMaster NCE-Campus. To enable the policy on devices, you need to perform the Commit operation.

• Disabling: On the ACL tab page, click in the Operation column of the ACL policy to be disabled.
• Enabling: On the ACL tab page, click in the Operation column of the ACL policy to be enabled.

Binding an ACL policy in a site view

You can bind a new policy to a site.

1. On the ACL tab page, click Site View.
2. In the Site area, select a site.
3. Click Binding New Policy.
4. Select the policy to be bound to the selected site.
5. Click OK.

Configuring policies in batches in a site view

You can bind the policy that has been bound to a site to other sites to which no policy is bound so that different sites share the same policy.

1. On the ACL tab page, click Site View.
2. Click Batch Configure.
3. In the Clone from a site area, select a site with an ACL policy bound.
4. In the Site area, select the destination sites to which the same policy is to be bound.
5. Click OK.

Committing all the data in a site view

You can commit all the policies of a site.

1. On the ACL tab, click Site View.
2. In the Site area, select a site.
3. Click Commit All.
4. Click OK.

Revoking all the data in a site view

You can revoke all the policies of a site.

1. On the ACL tab, click Site View.
2. In the Site area, select a site.
3. Click Revoke All.
4. Click OK.

Policy name

ACL name.

Traffic classifier template

Traffic classifier template. The ACL specified by Policy name is applied to packets that match the traffic classifier template. The traffic classifier template that contains the application group cannot be selected for the Underlay ACL policy. Any traffic classifier template can be selected for an ACL on the overlay network.

Policy priority

ACL priority. When a packet is received, the CPE matches it against traffic classifier templates corresponding to ACLs in descending order of priorities. If a match is found, the action (traffic filtering) defined in the ACL is executed. If a mismatch is found, the CPE continues to match the packet against the traffic classifier template of the next ACL.

Interface

LAN

LAN interfaces exist only on the overlay network. All LAN-side Layer 3 interfaces for which the ACL is enabled, including Layer 3 interfaces, sub-interfaces, and VLANIF interfaces. For LAN-side interfaces, inbound traffic is sent from the intranet user to the CPE, and outbound traffic is sent from the CPE to the intranet user.

WAN

WAN interfaces exist only on the underlay network. All WAN-side interfaces for which the ACL is enabled. For WAN-side interfaces, inbound traffic is sent from the WAN to the CPE, and outbound traffic is sent from the CPE to the WAN.

Traffic filter

• Deny: Packets that do not match the traffic classifier template are denied.
• Permit: Packets that match the traffic classifier template are permitted.

Traffic direction

Traffic direction. This parameter is set to Inbound by default.

Effective time template

Time range defined in the template. The ACL takes effect only in the defined time range.

Revoking the last operation on an ACL policy

You can revoke the operation performed on a policy that is not delivered to sites, namely, a policy on which the Commit operation is not performed (Committed not displayed in the Status column). You cannot revoke the operation performed on a committed policy. The revoke function can only revoke the last operation perform ed on a policy. For example, you can use this function to revoke the modification, creation, and deletion of a policy. After you revoke the last operation performed on a policy, only the configuration of the policy is rolled back. That is, the operation takes effect only on iMaster NCE-Campus, and does not take effect on devices.

On the ACL tab page, select the policy for which the last operation needs to be revoked, click Revoke, and select Revoke Selected.

Deleting an ACL policy

You can delete a policy regardless of whether it is delivered to sites. After you delete a policy, the policy is deleted only from iMaster NCE-Campus. To delete the policy from devices, you need to perform the Commit operation.

On the ACL tab page, select the ACL policies to be deleted and click Delete.

Modifying an ACL policy

You can modify a policy regardless of whether it is delivered to sites. After you modify a policy, the modification takes effect only on iMaster NCE-Campus. To modify the policy on devices, you need to perform the Commit operation.

1. On the ACL tab page, click in the Operation column of the ACL policy to be modified.
2. Modify the policy.
3. Click OK.

Cloning an ACL policy

You can clone an ACL policy. That is, you can quickly create a policy by modifying an existing policy. After you clone a policy, the policy exists only on iMaster NCE-Campus. To deliver the new policy to devices, you need to perform the Commit operation.

1. On the ACL tab page, click in the Operation column of the ACL policy to be cloned.
2. Modify the cloned policy.
3. Click OK.

Disabling/Enabling an ACL policy

• Disabling: You can disable a policy that does not need to be used currently. You can disable a policy regardless of whether it is delivered to sites. After you disable a policy, the policy is disabled only on iMaster NCE-Campus. To disable the policy on devices, you need to perform the Commit operation.
• Enabling: You can enable a policy that needs to be used. You can enable a policy regardless of whether it is delivered to sites. After you enable a policy, the policy is enabled only on iMaster NCE-Campus. To enable the policy on devices, you need to perform the Commit operation.

• Disabling: On the ACL tab page, click in the Operation column of the ACL policy to be disabled.
• Enabling: On the ACL tab page, click in the Operation column of the ACL policy to be enabled.

Binding an ACL policy in a site view

You can bind a new policy to a site.

1. On the ACL tab page, click Site View.
2. In the Site area, select a site.
3. Click Binding New Policy.
4. Select the policy to be bound to the selected site.
5. Click OK.

Configuring policies in batches in a site view

You can bind the policy that has been bound to a site to other sites to which no policy is bound so that different sites share the same policy.

1. On the ACL tab page, click Site View.
2. Click Batch Configure.
3. In the Clone from a site area, select a site with an ACL policy bound.
4. In the Site area, select the destination sites to which the same policy is to be bound.
5. Click OK.

Committing all the data in a site view

You can commit all the policies of a site.

1. On the ACL tab, click Site View.
2. In the Site area, select a site.
3. Click Commit All.
4. Click OK.

Revoking all the data in a site view

You can revoke all the policies of a site.

1. On the ACL tab, click Site View.
2. In the Site area, select a site.
3. Click Revoke All.
4. Click OK.

Policy name

ACL name.

Traffic classifier template

Traffic classifier template. The ACL specified by Policy name is applied to packets that match the traffic classifier template. The traffic classifier template that contains the application group cannot be selected for the Underlay ACL policy. Any traffic classifier template can be selected for an ACL on the overlay network.

Policy priority

ACL priority. When a packet is received, the CPE matches it against traffic classifier templates corresponding to ACLs in descending order of priorities. If a match is found, the action (traffic filtering) defined in the ACL is executed. If a mismatch is found, the CPE continues to match the packet against the traffic classifier template of the next ACL.

Interface

LAN

LAN interfaces exist only on the overlay network. All LAN-side Layer 3 interfaces for which the ACL is enabled, including Layer 3 interfaces, sub-interfaces, and VLANIF interfaces. For LAN-side interfaces, inbound traffic is sent from the intranet user to the CPE, and outbound traffic is sent from the CPE to the intranet user.

WAN

WAN interfaces exist only on the underlay network. All WAN-side interfaces for which the ACL is enabled. For WAN-side interfaces, inbound traffic is sent from the WAN to the CPE, and outbound traffic is sent from the CPE to the WAN.

Traffic filter

• Deny: Packets that do not match the traffic classifier template are denied.
• Permit: Packets that match the traffic classifier template are permitted.

Traffic direction

Traffic direction. This parameter is set to Inbound by default.

Effective time template

Time range defined in the template. The ACL takes effect only in the defined time range.

Deleting a NAT policy

You can delete a NAT policy.

On the NAT tab page, select the NAT policy to be deleted and click Delete.

Modifying a NAT policy

You can modify any NAT policy.

1. On the NAT tab page, click in the Operation column of the NAT policy to be modified.
2. Modify the policy.
3. Click OK.

Policy name

Name of a dynamic NAT policy.

Device

Name of the CPE where the dynamic NAT policy needs to be deployed.

Interface name

WAN interface name of an underlay NAT policy.

NAT mode

NAT mode:

• Easy IP: The interface IP address is used as the IP address after NAT.
  NOTE:

  Only one dynamic NAT rule in Easy IP mode can be configured on each interface. In the Internet access configuration of a site, if NAT has been enabled, no NAT rule in Easy IP mode can be configured in the NAT policy. It is because that the NAT configuration in the Internet access configuration of the site is in Easy IP mode by default.

• PAT: Port translation is supported and address translation is in many-to-one mode.
• No-PAT: Port translation is not supported, and address translation is in one-to-one mode.

IP address group

Start IP address

IP address range after NAT. IP addresses in this range are public IP addresses in most cases. This parameter is configurable only when the NAT mode is set to PAT or No-PAT. The IP address range has the following restraints:

• The end IP address must be greater than or equal to the start IP address.
• The number of IP addresses cannot exceed 255.
• On the same interface, the IP address segments configured in different NAT policies cannot overlap.

End IP address

Match rules

Match rules

Matching rule. Multiple ACL rules can be defined in an ACL. For a packet matching an ACL rule, the CPE performs NAT on the source IP address and source port number.

Priority

Priority of an ACL rule. The ACL rule with a higher priority is matched preferentially, and the action defined by this rule is performed.

Action

Action:

• Permit: Packets that match the ACL rule are allowed to pass.
• Deny: Packets that match the ACL rule are not allowed to pass.

Protocol

Protocol of the packets that can match the ACL rule.

Source IP/Prefix Length

Source IP address of the packets that can match the ACL rule.

Destination IP/Prefix Length

Destination IP address of the packets that can match the ACL rule.

Source Port

Source port number of the packets that can match the ACL rule. This parameter is available only when the protocol is set to TCP or UDP.

Destination Port

Destination port number of the packets that can match the ACL rule. This parameter is available only when the protocol is set to TCP or UDP.

Policy name

Name of a static NAT policy.

Device

Name of the CPE where a static NAT policy needs to be deployed.

Interface name

WAN interface name of an underlay NAT policy.

External IP

IP address after NAT, which is a public IP address in most cases:

• IP address of the current interface
• User-defined IP address

Internal IP

IP address before NAT, which is a private IP address in most cases.

Translation type

• Address translation: NAT is performed on packets whose source IP addresses are internal IP addresses.
• Protocol translation: NAT is performed on packets based on packet protocols.

Protocol type

Protocol type, which is available only when the NAT type is set to protocol translation.

• TCP: NAT is performed on packets whose source IP addresses are internal IP addresses, source ports are internal ports, and protocol type is TCP. After NAT, internal IP addresses are translated into external IP addresses, and internal port numbers are translated to external port numbers.
• UDP: NAT is performed on packets whose source IP addresses are internal IP addresses, source ports are internal ports, and protocol type is UDP. After NAT, internal IP addresses are translated into external IP addresses, and internal port numbers are translated to external port numbers.
• ICMP: NAT is performed on packets whose source IP addresses are internal IP addresses and protocol type is ICMP. After NAT, internal IP addresses are translated into external IP addresses.

External port

Port number after NAT. This parameter is available only when the NAT type is set to protocol translation and the protocol type is set to TCP or UDP.

Internal port

Port number before NAT. This parameter is available only when the NAT type is set to protocol translation and the protocol type is set to TCP or UDP.

Advanced Settings

Direction

The default value is Bidirectional. You can specify whether to perform NAT in the direction of External to Internal or Internal to External as needed. For example, if an file server providing external services is deployed on the LAN side of a site and proactive access from Internet to intranet servers exists, you can set this value to Internal to External.

Match rules

Matching rule. If you need to specify the range of packets to be translated using static NAT, for example, if you require that NAT be performed on TCP packets with specified destination ports, you can configure an ACL rule to match the target packets.

For details, see matching rules in dynamic NAT.

Deleting a NAT policy

You can delete a NAT policy.

On the NAT tab page, select the NAT policy to be deleted and click Delete.

Modifying a NAT policy

You can modify any NAT policy.

1. On the NAT tab page, click in the Operation column of the NAT policy to be modified.
2. Modify the policy.
3. Click OK.

Dynamic NAT

Policy name

Name of a dynamic NAT policy.

Device

Name of the CPE where the dynamic NAT policy needs to be deployed.

Interface name

Interface on which the dynamic NAT policy needs to be enabled:

For an overlay NAT policy, interfaces on the overlay tunnel or LAN-side interfaces can be selected. If this policy is configured on the overlay tunnel, NAT is performed on all tunnel interfaces.

NAT mode

NAT mode:

• Easy IP: The interface IP address is used as the IP address after NAT.
  NOTE:

  Only one dynamic NAT rule in Easy IP mode can be configured on each interface. In the Internet access configuration of a site, if NAT has been enabled, no NAT rule in Easy IP mode can be configured in the NAT policy. It is because that the NAT configuration in the Internet access configuration of the site is in Easy IP mode by default.

• PAT: Port translation is supported and address translation is in many-to-one mode.
• No-PAT: Port translation is not supported, and address translation is in one-to-one mode.

IP address group

Start IP address

IP address range after NAT. IP addresses in this range are public IP addresses in most cases. This parameter is configurable only when the NAT mode is set to PAT or No-PAT. The IP address range has the following restraints:

• The end IP address must be greater than the start IP address.
• The number of IP addresses cannot exceed 255.
• On the same interface, the IP address segments configured in different NAT policies cannot overlap.

End IP address

Match rules

Match rules

Matching rule. Multiple ACL rules can be defined in an ACL. For a packet matching an ACL rule, the CPE performs NAT on the source IP address and source port number.

Priority

Priority of an ACL rule. The ACL rule with a higher priority is matched preferentially, and the action defined by this rule is performed.

Action

Action:

• Permit: Packets that match the ACL rule are allowed to pass.
• Deny: Packets that match the ACL rule are not allowed to pass.

Protocol

Protocol of the packets that can match the ACL rule.

Source IP address/Prefix length

Source IP address of the packets that can match the ACL rule.

Destination IP address/Prefix length

Destination IP address of the packets that can match the ACL rule.

Source port

Source port number of the packets that can match the ACL rule. This parameter is available only when the protocol is set to TCP or UDP.

Destination port

Destination port number of the packets that can match the ACL rule. This parameter is available only when the protocol is set to TCP or UDP.

Static NAT

Policy name

Name of a static NAT policy.

Device

Name of the CPE where a static NAT policy needs to be deployed.

Interface name

Interface on which a static NAT policy needs to be enabled:

For an overlay NAT policy, interfaces on the overlay tunnel or LAN-side interfaces can be selected. If this policy is configured on the overlay tunnel, NAT is performed on all tunnel interfaces.

External IP address

IP address after NAT, which is a public IP address in most cases:

• IP address of the current interface
• User-defined IP address

Internal IP address

IP address before NAT, which is a private IP address in most cases.

Translation type

• Address Translation: NAT is performed on packets whose source IP addresses are internal IP addresses.
• Protocol Translation: NAT is performed on packets based on packet protocols.

Protocol type

Protocol type, which is available only when the NAT type is set to protocol translation.

• TCP: NAT is performed on packets whose source IP addresses are internal IP addresses, source ports are internal ports, and protocol type is TCP. After NAT, internal IP addresses are translated into external IP addresses, and internal port numbers are translated to external port numbers.
• UDP: NAT is performed on packets whose source IP addresses are internal IP addresses, source ports are internal ports, and protocol type is UDP. After NAT, internal IP addresses are translated into external IP addresses, and internal port numbers are translated to external port numbers.
• ICMP: NAT is performed on packets whose source IP addresses are internal IP addresses and protocol type is ICMP. After NAT, internal IP addresses are translated into external IP addresses.

External port

Port number after NAT. This parameter is available only when the NAT type is set to protocol translation and the protocol type is set to TCP or UDP.

Internal port

Port number before NAT. This parameter is available only when the NAT type is set to protocol translation and the protocol type is set to TCP or UDP.

Advanced Settings

Direction

The default value is Bidirectional. You can specify whether to perform NAT in the direction of External to Internal or Internal to External as needed. For example, if an file server providing external services is deployed on the LAN side of a site and proactive access from Internet to intranet servers exists, you can set this value to Internal to External.

Match rules

Matching rule. If you need to specify the range of packets to be translated using static NAT, for example, if you require that NAT be performed on TCP packets with specified destination ports, you can configure an ACL rule to match the target packets.

For details, see matching rules in dynamic NAT.

Revoking the last operation performed on an intelligent traffic steering policy

You can revoke the operation performed on a policy that is not delivered to sites, namely, a policy on which the Commit operation is not performed (Committed not displayed in the Status column). You cannot revoke the operation performed on a committed policy. The revoke function can only revoke the last operation performed on a policy. For example, you can use this function to revoke the modification, creation, and deletion of a policy. After you revoke the last operation performed on a policy, only the configuration of the policy is rolled back. That is, the operation takes effect only on iMaster NCE-Campus, and does not take effect on devices.

On the Path Strategy tab page, select the intelligent traffic steering policy for which the last operation needs to be revoked, click Revoke, and then click Revoke Selected.

Deleting an intelligent traffic steering policy

You can delete a policy regardless of whether it is delivered to sites. After you delete a policy, the policy is deleted only from iMaster NCE-Campus. To delete the policy from devices, you need to perform the Commit operation.

On the Path Strategy tab page, select the intelligent traffic steering policy to be deleted, and click Delete.

Modifying an intelligent traffic steering policy

You can modify a policy regardless of whether it is delivered to sites. After you modify a policy, the modification takes effect only on iMaster NCE-Campus. To modify the policy on devices, you need to perform the Commit operation.

1. On the Path Strategy tab page, click in the Operation column of the policy to be modified.
2. Modify the policy.
3. Click OK.

Cloning an intelligent traffic steering policy

You can clone an intelligent traffic steering policy. That is, you can quickly create a policy by modifying an existing policy. After you clone a policy, the policy exists only on iMaster NCE-Campus. To deliver the new policy to devices, you need to perform the Commit operation.

1. On the Path Strategy tab page, click in the Operation column of the policy to be cloned.
2. Modify the cloned policy.
3. Click OK.

Disabling/Enabling an intelligent traffic steering policy

• Disabling: You can disable a policy that does not need to be used currently. You can disable a policy regardless of whether it is delivered to sites. After you disable a policy, the policy is disabled only on iMaster NCE-Campus. To disable the policy on devices, you need to perform the Commit operation.
• Enabling: You can enable a policy that needs to be used. You can enable a policy regardless of whether it is delivered to sites. After you enable a policy, the policy is enabled only on iMaster NCE-Campus. To enable the policy on devices, you need to perform the Commit operation.

• Disabling: On the Path Strategy tab page, click in the Operation column of the policy to be disabled.
• Enabling: On the Path Strategy tab page, click in the Operation column of the policy to be enabled.

Binding a new policy in a site view

You can bind a new policy to a site.

1. On the Path Strategy tab page, click Site View.
2. In the Site area, select a site.
3. Click Binding New Policy.
4. Select the policy to be bound to the selected site.
5. Click OK.

Configuring policies in batches in a site view

You can bind the policy that has been bound to a site to other sites to which no policy is bound so that different sites share the same policy.

1. On the Path Strategy tab page, click Site View.
2. Click Batch Configure.
3. In the Clone from a site area, select a site to which a policy is bound.
4. In the Site area, select the destination sites to which the same policy is to be bound.
5. Click OK.

Committing all the data in a site view

You can commit all the policies of a site.

1. On the Path Strategy tab page, click Site View.
2. In the Site area, select a site.
3. Click Commit All.
4. Click OK.

Revoking all the data in a site view

You can revoke all the policies of a site.

1. On the Path Strategy tab page, click Site View.
2. In the Site area, select a site.
3. Click Revoke All.
4. Click OK.

Policy name

Name of the intelligent traffic steering policy.

Traffic classifier template

Traffic classifier template. The intelligent traffic steering policy specified by Policy name is applied to packets that match the traffic classifier template.

Policy priority

Priority of the intelligent traffic steering policy. A data flow is matched against intelligent traffic steering policies in descending order of priority.

Switchover condition

Switchover condition

Switchover conditions include delay, jitter, and packet loss rate. Different services have different requirements on link quality. For example, voice and real-time-video services have low tolerance for delay and packet loss rate. CPEs use the IP Flow Performance Measurement (IP FPM) to monitor the delay, jitter, and packet loss rate of application traffic in real time. If one of the switchover conditions exceeds the threshold, a link switchover is triggered.

The system defines switchover conditions for Voice, Real-time-video, Low-latency-data, and Bulk-data services. You can directly select a service type, or customize switchover conditions based on service requirements. If this parameter value is set to Custom, you can set Delay, Jitter, and Packet loss rate as required.

Delay (ms)

Delay.

Jitter (ms)

Jitter.

Packet loss rate (‰)

Packet loss ratio threshold.

Transport Network Priority

Primary transport network list

Priority

Priority of the primary transport network. A numerically smaller value indicates a higher priority. The same priority can be configured for multiple transport networks.

Transport Network

You can configure multiple primary transport networks and specify their priorities. You can define the scheduling mode between different transport networks by setting Policy between TN.

• Transport networks with the same priority: It is recommended that the Loadbalance scheduling mode be selected.
• Transport networks with different priorities: It is recommended that the Prefer scheduling mode be selected. That is, the transport network with the highest priority is selected first for forwarding application traffic. If any of the switchover conditions exceeds the threshold or the bandwidth usage exceeds the threshold, the traffic is switched to another transport network with a lower priority.

Secondary transport network list

Secondary transport network. Secondary transport networks provide escape links. Application traffic is switched to a secondary transport network only when the primary transport network fails. The priority of this application traffic decreases to the lowest on this network. This ensures that the traffic which uses the secondary transport network as the primary transport network is not affected.

Advanced settings

Switch upper threshold (%)

In addition to delay, jitter, packet loss rate, you can select links to transmit application traffic based on link bandwidth usages. For example, if the bandwidth usage of a link reaches a specified threshold, new data flows of certain applications cannot be transmitted over this link, preventing application quality deterioration.

You can configure a link selection policy by setting Switch upper threshold and Switch lower threshold:

• Link bandwidth usage < Switch lower threshold: All application traffic, including new application traffic, is forwarded through the current transport network.
• Switch lower threshold < Link bandwidth usage < Switch upper threshold: Only the existing application traffic is forwarded through the current transport network, and new application traffic cannot be transmitted.
• Link bandwidth usage > Switch upper threshold: The existing application traffic is switched to another transport network for transmission, and new application traffic cannot be transmitted.

Switch lower threshold (%)

Bandwidth conditions list

Transport network

Bandwidth conditions for a transport network. You can configure this parameter in either of the following scenarios:

• Configuring Bandwidth upper limit and Bandwidth lower limit: By default, Switch upper threshold and Switch lower threshold are applied to all transport networks by default. If you need to customize configurations for a certain transport network, Bandwidth upper limit and Bandwidth lower limit can be configured in bandwidth conditions.
• Configuring Max. bandwidth for application and Min. bandwidth for application: Links are selected for traffic transmission based on the bandwidth usage of applications.

Bandwidth upper limit (%)

Link bandwidth usage. The value is the bandwidth occupied by all applications carried over links to the total bandwidth of the current transport network.

Bandwidth lower limit (%)

Bandwidth upper limit (Mbit/s)

Bandwidth upper limit and bandwidth lower limit of the numeral type.

Bandwidth lower limit (Mbit/s)

Max. bandwidth for application (%)

Application bandwidth usage. The value is the bandwidth occupied by applications specified in the traffic classifier template to the total bandwidth of the current transport network.

Min. bandwidth for application (%)

Max. bandwidth for application (Mbit/s)

Bandwidth upper limit for application and bandwidth lower limit for application of the numeral type.

Min. bandwidth for application (Mbit/s)

Action when conditions not met

Way that traffic is steered if the SLA of the primary transport network fails to meet the requirement or the bandwidth usage exceeds the threshold.

• ECMP: When Prefer and Load balance scheduling mode are selected, a link with a better quality is selected from the primary transport network based on the CMI algorithm.
• Random link selection: When the Load balance scheduling mode is selected, the system randomly selects a link to forward packets by searching the routing table.
• Discard: If a best-effort link is configured, packets will be forwarded through the best-effort link. If no best-effort link is configured, all packets will be discarded, which may interrupt services.

Switchover mode

Whether traffic can be switched back to the original link if the quality of the original link recovers or the bandwidth usage of the original link decreases. The link switchover consists of the switchover between the primary transport networks with different priorities and the switchover between primary and secondary transport networks.

Inter-TN Policy

The Prefer scheduling mode is used by default for transport networks with different priorities. You can also select the Load balance scheduling mode.

Priority

Application priority. A numerically smaller value has a higher priority. If service packets of different types are transmitted over the same link and packet congestion occurs, packets of high-priority applications are preferentially transmitted. This parameter is configurable only when Policy between TN is set to Loadbalance.

Effective time Template

Time range defined in the template. The intelligent traffic steering policy takes effect only in the defined time range.

Revoking the last operation on a QoS policy

You can revoke the operation performed on a policy that is not delivered to sites, namely, a policy on which the Commit operation is not performed (Committed not displayed in the Status column). You cannot revoke the operation performed on a committed policy. The revoke function can only revoke the last operation performed on a policy. For example, you can use this function to revoke the modification, creation, and deletion of a policy. After you revoke the last operation performed on a policy, only the configuration of the policy is rolled back. That is, the operation takes effect only on iMaster NCE-Campus, and does not take effect on devices.

On the QoS tab page, select the policy for which the last operation needs to be revoked, click Revoke, and select Revoke Selected.

Deleting a QoS policy

You can delete a policy regardless of whether it is delivered to sites. After you delete a policy, the policy is deleted only from iMaster NCE-Campus. To delete the policy from devices, you need to perform the Commit operation.

On the QoS tab page, select the QoS policy to be deleted and click Delete.

Modifying a QoS policy

You can modify a policy regardless of whether it is delivered to sites. After you modify a policy, the modification takes effect only on iMaster NCE-Campus. To modify the policy on devices, you need to perform the Commit operation.

1. On the QoS tab page, click in the Operation column of the QoS policy to be modified.
2. Modify the policy.
3. Click OK.

Cloning a QoS policy

You can clone a QoS policy. That is, you can quickly create a policy by modifying an existing policy. After you clone a policy, the policy exists only on iMaster NCE-Campus. To deliver the new policy to devices, you need to perform the Commit operation.

1. On the QoS tab page, click in the Operation column of the QoS policy to be cloned.
2. Modify the cloned policy.
3. Click OK.

Disabling/Enabling a QoS policy

• Disabling: You can disable a policy that does not need to be used currently. You can disable a policy regardless of whether it is delivered to sites. After you disable a policy, the policy is disabled only on iMaster NCE-Campus. To disable a policy on devices, you need to perform the Commit operation.
• Enabling: You can enable a policy that needs to be used. You can enable a policy regardless of whether it is delivered to sites. After you enable a policy, the policy is enabled only on iMaster NCE-Campus. To enable a policy on devices, you need to perform the Commit operation.

• Disabling: On the QoS tab page, click in the Operation column of the policy to be disabled.
• Enabling: On the QoS tab page, click in the Operation column of the policy to be enabled.

Binding a new policy in a site view

You can bind a new policy to a site.

1. On the QoS tab page, click Site View.
2. In the Site area, select a site.
3. Click Binding New Policy.
4. Select the policy to be bound to the selected site.
5. Click OK.

Configuring policies in batches in the site view

You can bind the policy that has been bound to a site to other sites to which no policy is bound so that different sites share the same policy.

1. On the QoS tab page, click Site View.
2. Click Batch Configure.
3. In the Clone from a site area, select a site to which a QoS policy is bound.
4. In the Site area, select the destination sites to which the same policy is to be bound.
5. Click OK.

Committing all policies in the site view

You can commit all policies bound to a site.

1. On the QoS tab page, click Site View.
2. In the Site area, select a site.
3. Click Commit All.
4. Click OK.

Revoking all data in the site view

You can revoke all policies bound to a site.

1. On the QoS tab page, click Site View.

1. In the Site area, select a site.
2. Click Revoke All.
3. Click OK.

Policy name

QoS policy name. Currently, a QoS policy can be applied only to the outbound direction of a WAN interface.

Traffic Classifier Template

Traffic classifier template. The QoS policy specified by Policy name is applied to packets that match the traffic classifier template.

Policy Priority

QoS policy priority.

LAN

LAN Re-mark DSCP

DSCP priority of IP packets. The value is in the range from 0 to 63. A larger value indicates a higher priority. If LAN is enabled, the CPE sets the DSCP field in the IP header of packets encapsulated in the overlay tunnel to the value of this parameter.

LAN Statistics

Enable the traffic statistics function on the LAN port. After traffic statistics collection is enabled, you can view statistics on the CPE.

WAN

Queue Priority

Queue Priority

Queue priority. You are advised to enable Queue Priority for key applications that need to be guaranteed. When Queue Priority is enabled, a CPE automatically sets queue types for identified packets based on the defined queue priorities.

Priority Level

QoS priority. When network congestion occurs, the system preferentially transmits packets of higher-priority applications. This parameter is available only when Queue Priority is enabled.

The following QoS priorities are supported:

• Medium: Assured Forwarding (AF) is used to ensure low drop probability of packets when the rate of outgoing service traffic does not exceed the minimum bandwidth.
• High: After packets matching traffic classification rules enter Expedited Forwarding (EF) queues, they are scheduled in Strict Priority (SP) mode. Packets in other queues are scheduled only after all the packets in EF queues are scheduled. In addition, EF queues can preempt the available bandwidth in AF or BE queues.
• Highest: Low Latency Queuing (LLQ) is used to schedule packets with the highest priority. LLQ queues are a special type of EF queues and are scheduled in SP mode. They can achieve lower latency than common EF queues and ensure the service quality of latency-sensitive applications, for example, VoIP services. LLQ queues do not preempt the available bandwidth in AF or BE queues.

Guaranteed bandwidth

Guaranteed bandwidth. This parameter is available only when Queue Priority is enabled.

For AF and EF queues, the guaranteed bandwidth is the minimum bandwidth that can be guaranteed. If traffic exceeds the guaranteed bandwidth, the available bandwidth can be preempted.

LLQ queues do not preempt the available bandwidth, and the guaranteed bandwidth is the maximum bandwidth that can be guaranteed. As a result, if traffic exceeds the guaranteed bandwidth, the excess traffic is discarded.

This parameter can be set to a specific bandwidth value or a percentage to the available bandwidth for a department (VPN) on an interface. If this parameter is set to a specific value, it cannot exceed the available bandwidth for a department.

For example, if the bandwidth of a WAN interface is 100 Mbit/s and the bandwidth available to VPN1 is 50 Mbit/s, value 20% of this parameter indicates that packets matching the traffic classifier can occupy 10 Mbit/s bandwidth (50 Mbit/s x 20%).

Traffic bandwidth limit

Traffic bandwidth limit

Whether to limit the traffic bandwidth. After Traffic bandwidth limit is enabled, packets matching a certain rule are forwarded at a low delay.

Limit type

This parameter is available only when Traffic bandwidth limit is enabled. The following types are supported:

• Traffic shaping: Traffic shaping is a measure to adjust the traffic rate sent from an interface. When the rate of an inbound interface on a downstream device is slower than that of an outbound interface on an upstream device or burst traffic occurs, traffic congestion may occur on the inbound interface of the downstream device. Traffic shaping can be configured on the outbound interface of the upstream device so that outgoing traffic is sent at even rates and congestion is avoided.
• Traffic policing: Traffic policing discards excess traffic to limit traffic within a proper range and to protect network resources and enterprise users' interests. Traffic policing is implemented using committed access rate (CAR).

Bandwidth limit

Bandwidth limit. When traffic exceeds the limit specified by this parameter, the excess traffic is cached and sent later (if traffic shaping is configured) or directly discarded (if traffic policing is configured).

Theoretically, the value of bandwidth limit must be greater than that of Guaranteed bandwidth. This parameter is available only when Traffic bandwidth limit is enabled.

Re-Mark DSCP

If this option is enabled, you need to specify a value for the DSCP field. The CPE replaces the value of the DSCP field in the outer IP header with the specified value.

DSCP priority of IP packets. When a packet arrives at a CPE, the CPE sets the DSCP field in the outer IP header of the packet to the value of this parameter. The value is in the range from 0 to 63. A larger value indicates a higher priority.

The DSCP value in the following packets are listed in descending order of priority: voice packets, video packets, and data packets.

Queue length

Maximum length of a queue. This parameter is configurable only when Queue Priority is set to High or Medium.

You can specify the maximum number of bytes that can be stored in a queue, the maximum number of packets that can be stored in a queue, or both of them. If both of them are specified, when the number of packets in a queue reaches the maximum value or the total number of bytes in a queue reaches the maximum value, the queue does not receive packets.

Re-mark 802.1p

Whether to re-mark the 802.1P priority of VLAN packets. A larger value indicates a higher priority. If a traffic policy is applied to the outbound direction on an interface, the CPE still processes outgoing packets based on the original priority but the downstream Layer 2 device processes the packets based on the re-marked priority.

Statistics collection

Whether to enable statistics collection. After this function is enabled, you can view traffic statistics on CPEs.

Effective Time Template

Time range defined in the template. The QoS policy takes effect only in the defined time range.

Device

Site device. In the single gateway scenario, there is only one site device. You can directly configure VAS connection on this device. In the dual-gateway scenario, the following situations may occur:

• Single egress: The WAN interface on the gateway supports Internet access. In this case, you only need to configure VAS connection on the gateway.
• Dual egresses: The WAN interfaces on both two gateways support Internet access. In this case, you need to configure VAS connection on both the two gateways.

Direction

VAS connection direction. In a VPN, two VAS connections need to be configured for a site device. One is in the ingress direction and the other is in the egress direction.

• Ingress: The Internet access traffic is sourced from site devices and destined to the ingress interface of the vFW.
• Egress: After the Internet access traffic is processed by the vFW, the traffic is transmitted from the egress interface of the vFW to site devices.

Description

Description of VAS connection.

Interface Configuration

Access type

Access type of an interface. VLAN and L3 interfaces are supported. Currently, the vFW can be connected to site devices only through VLANs, and the value L3 Interface is reserved. The following parameters for interface configuration need to be configured when Access type is set to VLAN.

VLAN ID

ID of the VLAN used for Layer 2 communication between the vFW and site devices when Access type is set to VLAN. The system automatically creates VLANIF interfaces based on VLAN IDs.

Interface

The options are Ingress and Egress. If this parameter is set to Ingress, you need to configure an ingress interface on the site device to connect to the ingress interface of the vFW in the ingress direction. If this parameter is set to Egress, you need to configure an egress interface on the site device to connect to the egress interface of the vFW in the egress direction.

The interface type and port number of the physical interface used by the site device to connect to the vFW need to be the same as those of the interface created on the vFW.

TAG mode

Whether to add VLAN tags to egress packets.

IP address

IP address of a VLANIF interface.

Trust mode

Type of the security domain. The options are Trust and Untrust. This parameter specifies whether the packets received on the interface belong to the trusted domain or untrusted domain. If this parameter is set to Untrust, the packets received on the interface need to be forwarded to the security policy module for processing. Currently, the interface is connected to the vFW created on the uCPE. The trust domain is recommended.

Route Configuration

Route protocol

Route protocol. OSPF and static routes are supported.

Static Route

Destination address/mask

Destination network segment in the egress static route. For example, for Internet access traffic, you need to configure a static route in the ingress direction. The destination network segment is 0.0.0.0 and the next hop is the IP address of the ingress interface of the vFW. For the backhaul service traffic, you need to configure a static route in the egress direction. The destination network segment is the address segment of a branch site in a VPN, and the next hop is the IP address of the egress interface of the vFW.

Next-hop type

Next-hop type of a static route. Currently, the next hop of a static route can only be set to a value in IP address format.

IP address

IP address of the next hop.

Priority

Priority of a static route. A smaller value indicates a higher priority.

Track

Whether to associate a static route with an NQA test instance.

Target

Destination address in a network quality analysis (NQA) test instance. If a static route is associated with an NQA test instance, only Internet Control Message Protocol (ICMP) test instances can be used to check whether there are reachable routes between the source and destination.

OSPF

Process ID

OSPF process ID. The OSPF process ID needs to be in the range from 60000 to 61000 for the OSPF routes planned for VAS connection.

Default route advertisement

Whether to advertise the default route to a common OSPF area. After this function is enabled, the device constantly advertises the default OSPF route.

Interface Parameters

Area ID

OSPF area ID.

Authentication Mode

Encryption mode

Encryption mode. This parameter is configurable when Authentication mode is set to Cryptographic. The options are MD5, HMAC-MD5, and HMAC-SHA256. MD5, and HMAC-MD5 authentication modes may pose potential security risks. As such, the HMAC-SHA256 authentication mode is recommended.

Key

Key for cipher-text authentication on an interface. This parameter is configurable only when Authentication mode is set to Cryptographic.

Password

Password for cipher-text authentication. This parameter is configurable only when Authentication mode is set to Simple or Cryptographic.

Deleting a QoS policy

You can delete a policy regardless of whether it is delivered to sites. After you delete a policy, the policy is deleted only from iMaster NCE-Campus. To delete the policy from devices, you need to perform the Commit operation.

On the QoS tab page, select the QoS policy to be deleted and click Delete.

Modifying a QoS policy

You can modify a policy regardless of whether it is delivered to sites. After you modify a policy, the modification takes effect only on iMaster NCE-Campus. To modify the policy on devices, you need to perform the Commit operation.

1. On the QoS tab page, click in the Operation column of the QoS policy to be modified.
2. Modify the policy.
3. Click OK.

Policy name

QoS policy name.

Traffic Classifier Template

Traffic classifier template. The QoS policy specified by Policy name is applied to packets that match the traffic classifier template.

Policy Priority

QoS policy priority.

Device

Device to be configured with a QoS policy.

Type

Interface type. WAN interface and LAN interface are supported.

• WAN: When service packets are sent from the LAN side to the WAN side through the Underlay network, the common WAN QoS policy is recommended.
• LAN: If dscp packets need to be modified, you are advised to use the Common LAN QoS policy.

Interface Name

Name of the interface to be configured. Currently, a QoS policy (mainly Queue Priority and Traffic bandwidth limit) can only be applied only to the outbound direction of WAN interfaces, whereas LAN interfaces can only be configured with Re-Mark DSCP.

Traffic Direction

Direction of traffic. This parameter is automatically set.

• This parameter is automatically set to outbound when Type is to set to WAN.
• This parameter is automatically set to inbound when Type is to set to LAN.

Queue Priority

Queue Priority

Queue priority. You are advised to enable Queue Priority for key applications that need to be guaranteed. When Queue Priority is enabled, a CPE automatically sets queue types for identified packets based on the defined queue priorities. This parameter is available only when Type is set to WAN.

Priority Level

QoS priority. When network congestion occurs, the system preferentially transmits packets of higher-priority applications. This parameter is available only when Queue Priority is enabled.

The following QoS priorities are supported:

• Medium: Assured Forwarding (AF) is used to ensure low drop probability of packets when the rate of outgoing service traffic does not exceed the minimum bandwidth.
• High: After packets matching traffic classification rules enter Expedited Forwarding (EF) queues, they are scheduled in Strict Priority (SP) mode. Packets in other queues are scheduled only after all the packets in EF queues are scheduled. In addition, EF queues can preempt the available bandwidth in AF or BE queues.
• Highest: Low Latency Queuing (LLQ) is used to schedule packets with the highest priority. LLQ queues are a special type of EF queues and are scheduled in SP mode. They can achieve lower latency than common EF queues and ensure the service quality of latency-sensitive applications, for example, VoIP services. LLQ queues do not preempt the available bandwidth in AF or BE queues.

Guaranteed bandwidth

Guaranteed bandwidth. This parameter is available only when Queue Priority is enabled.

For AF and EF queues, the guaranteed bandwidth is the minimum bandwidth that can be guaranteed. If traffic exceeds the guaranteed bandwidth, the available bandwidth can be preempted.

LLQ queues do not preempt the available bandwidth, and the guaranteed bandwidth is the maximum bandwidth that can be guaranteed. As a result, if traffic exceeds the guaranteed bandwidth, the excess traffic is discarded.

This parameter can be set to a specific bandwidth value or a percentage to the available bandwidth for a department (VPN) on an interface. If this parameter is set to a specific value, it cannot exceed the available bandwidth for a department.

For example, if the bandwidth of a WAN interface is 100 Mbit/s and the bandwidth available to VPN1 is 50 Mbit/s, value 20% of this parameter indicates that packets matching the traffic classifier can occupy 10 Mbit/s bandwidth (50 Mbit/s x 20%).

Traffic bandwidth limit

Traffic bandwidth limit

Whether to limit the traffic bandwidth. After Traffic bandwidth limit is enabled, packets matching a certain rule are forwarded at a low delay. This parameter is available only when Type is set to WAN.

Limit type

This parameter is available only when Traffic bandwidth limit is enabled. The following types are supported:

• Traffic shaping: Traffic shaping is a measure to adjust the traffic rate sent from an interface. When the rate of an inbound interface on a downstream device is slower than that of an outbound interface on an upstream device or burst traffic occurs, traffic congestion may occur on the inbound interface of the downstream device. Traffic shaping can be configured on the outbound interface of the upstream device so that outgoing traffic is sent at even rates and congestion is avoided.
• Traffic policing: Traffic policing discards excess traffic to limit traffic within a proper range and to protect network resources and enterprise users' interests. Traffic policing is implemented using committed access rate (CAR).

If Queue Priority is enabled and the priority is set to Highest or High, only Traffic policing can be selected.

Bandwidth limit

Bandwidth limit. When traffic exceeds the limit specified by this parameter, the excess traffic is cached and sent later (if traffic shaping is configured) or directly discarded (if traffic policing is configured).

Theoretically, the value of bandwidth limit must be greater than that of Guaranteed bandwidth. This parameter is available only when Traffic bandwidth limit is enabled.

Re-Mark DSCP

DSCP priority of IP packets. When a packet arrives at a CPE, the CPE sets the DSCP field in the outer IP header of the packet to the value of this parameter. The value is in the range from 0 to 63. A larger value indicates a higher priority.

The DSCP value in the following packets is listed in descending order of priority: voice packets, video packets, and data packets.

Queue length

Maximum length of a queue. This parameter is available only when Type is set to WAN. This parameter is configurable only when Queue Priority is set to High or Medium.

You can specify the maximum number of bytes that can be stored in a queue, the maximum number of packets that can be stored in a queue, or both of them. If both of them are specified, when the number of packets in a queue reaches the maximum value or the total number of bytes in a queue reaches the maximum value, the queue does not receive packets.

Re-mark 802.1p

Whether to re-mark the 802.1P priority of VLAN packets. This parameter is available only when Type is set to WAN. A larger value indicates a higher priority. If a traffic policy is applied to the outbound direction on an interface, the CPE still processes outgoing packets based on the original priority but the downstream Layer 2 device processes the packets based on the re-marked priority.

Statistics collection

Whether to enable statistics collection. After this function is enabled, you can view traffic statistics on CPEs.

Effective Time Template

Time range defined in the template. The QoS policy takes effect only in the defined time range.

dns

After DNS is enabled, the following elements can be translated:

IP and Port fields in a response packet.

ftp

After FTP is enabled, the following elements can be translated:

• IP and Port fields in payload of a Port request packet.
• IP and Port fields in payload of a Passive response packet.

rtsp

After RTSP is enabled, the following elements can be translated:

Port field in a setup/reply OK packet.

sip

After SIP is enabled, the following elements can be translated:

• Request line
• From
• To
• Contact
• Via
• O
• Connection information field (an IP address) and media description field (a port) in the Message body
• record-router

pptp

After PPTP is enabled, the following elements can be translated:

There are two scenarios:

• PPTP client on the private network and PPTP server on the public network: Client-Call-ID field.
• PPTP server on the private network and PPTP client on the public network: Server-Call-ID field.

Deleting a cloud security policy

You can delete a cloud security policy.

On the Cloud Security tab page, select the security policy to be deleted, and click Delete.

Modifying a cloud security policy.

You can modify any cloud security policy.

1. On the Cloud Security tab page, click in the Operation column of the cloud security policy to be modified.
2. Modify the policy.
3. Click OK.

Policy name

Name of a cloud security policy. This policy enables interconnection between CPEs and cloud access security agents through a GRE tunnel, ensuring the security of accessing network applications.

Traffic classifier template

Type of a cloud security traffic classifier template. Packets matching this template are forwarded through a GRE tunnel. In the cloud security policy scenario, traffic classifier templates containing application groups cannot be selected. The destination IP address of a traffic classifier template is often set to the IP address of a cloud access security agent.

Tunnel Information

Device name (ESN)

Name of a CPE connected to a cloud access security agent.

WAN link

WAN link of a CPE.

A WAN link can carry an active GRE tunnel and a standby GRE tunnel. If the active GRE tunnel fails, the traffic is switched to the standby GRE tunnel for transmission.

Active Tunnel

GRE tunnel source IP address

Source address of the active GRE tunnel.

GRE tunnel destination IP address

Destination IP address of the active GRE tunnel.

Cloud gateway IP address

IP address of the third-party secure cloud gateway connected to the GRE tunnel.

GRE Key

Key of the active GRE tunnel. You can configure a GRE tunnel key on both ends of a GRE tunnel to enhance security. This ensures that a device accepts packets sent from only valid tunnel interfaces and discards invalid packets. This parameter value must be the same as that of the GRE key of a cloud access security agent.

GRE checksum

Whether to enable end-to-end verification for encapsulated packets.

Standby Tunnel

GRE tunnel source IP address

Source address of the standby GRE tunnel.

GRE tunnel destination IP address

Destination IP address of the standby GRE tunnel.

Cloud gateway IP address

IP address of the third-party secure cloud gateway connected to the GRE tunnel.

GRE Key

Key of the standby GRE tunnel.

GRE checksum

Whether to enable end-to-end verification for encapsulated packets.

Packet Fragmentation

MTU

MTU on a tunnel interface. This parameter value takes effect on interfaces of both the active and standby GRE tunnels.

MSS

MSS of TCP packets on a tunnel interface. This parameter value takes effect on interfaces of both the active and standby GRE tunnels.

Keepalive

Period(s)

Interval at which a GRE tunnel sends Keepalive packets. The default value is 5 seconds. The unreachable counter increments by 1 each time a Keepalive packet is sent. If the counter value reaches the configured value of Retry Times, the peer end is considered unreachable. This parameter value takes effect on both the active and standby GRE tunnels.

Retries Times

Number of times Keepalive packets are sent, after which the peer end of a GRE tunnel is considered unreachable. The default value is 3. This parameter value takes effect on both the active and standby GRE tunnels.

Revoking a security policy

You can revoke the operation performed on a policy that is not delivered to sites, namely, a policy on which the Commit operation is not operated (Committed not displayed in the Status column). You cannot revoke the operation performed on a committed policy. The revoke function can only revoke the last operation performed on a policy. For example, you can use this function to revoke the modification, creation, and deletion of a policy. After you revoke the last operation performed on a policy, only the configuration of the policy is rolled back. That is, the operation takes effect only on iMaster NCE-Campus, and does not take effect on devices.

On the Security Policy tab page, select the policy on which the last operation performed needs to be revoked, click Revoke, and then click Revoke Selected.

Deleting a security policy

You can delete a policy regardless of whether it is delivered to sites. After you delete a policy, the policy is deleted only from iMaster NCE-Campus. To delete the policy from devices, you need to perform the Commit operation.

On the Security Policy tab page, select the security policy to be deleted, and click Delete.

Modifying a security policy

You can modify a policy regardless of whether it is delivered to sites. After you modify a policy, the modification takes effect only on iMaster NCE-Campus. To modify the policy on devices, you need to perform the Commit operation.

1. On the Security Policy tab page, click in the Operation column of the policy to be modified.
2. Modify the policy.
3. Click OK.

Cloning a security policy

You can clone a security policy. That is, you can quickly create a policy by modifying an existing policy. After you clone a policy, the policy exists only on iMaster NCE-Campus. To deliver the new policy to devices, you need to perform the Commit operation.

1. On the Security Policy tab page, click in the Operation column of the policy to be cloned.
2. Modify the cloned policy.
3. Click OK.

Disabling/Enabling a security policy

• Disabling: You can disable a policy that does not need to be used currently. You can disable a policy regardless of whether it is delivered to sites. After you disable a policy, the policy is disabled only on iMaster NCE-Campus. To disable the policy on devices, you need to perform the Commit operation.
• Enabling: You can enable a policy that needs to be used. You can enable a policy regardless of whether it is delivered to sites. After you enable a policy, the policy is enabled only on iMaster NCE-Campus. To enable the policy on devices, you need to perform the Commit operation.

• Disabling: On the Security Policy tab page, click in the Operation column of the policy to be disabled.
• Enabling: On the Security Policy tab page, click in the Operation column of the policy to be enabled.

Policy name

Name of a security policy.

Security Policy

URL policies

Policy Type

Action taken after URL filtering. After the device queries a URL category matching an HTTP request, it processes the HTTP request according to the action taken for the URL category. Currently, the following actions are supported:

• Black List
• White List

Black/White List

URL filter list.

• If a blacklist is added, URLs that are not in Black List can be accessed.
• If a whitelist is added, only URLs in White List can be accessed.

Enable pre-defined URL category

Whether to use the predefined URL category database to define the block action.

A predefined URL category database is preset on CPEs before delivery. It contains more than 40 URL categories, and each category contains multiple URLs.

Predefined URL filter level

Filter level. This parameter is available only when Enable pre-defined URL category is enabled. If actions are configured for each type of URL, the workload is heavy. To simplify user configurations, three filter levels are defined: high, medium, and low. If the three default filter levels do not meet your requirements, you can customize an action for each predefined application category. The following filter levels are supported:

• High: indicates that the access control is strict. For example, access to adult websites, illegal activities, social media websites, and video sharing websites is controlled.
• Medium: indicates that the access control is medium. For example, the access to all adult websites and illegal websites is controlled.
• Low: indicates that the access control is loose. For example, the access to adult websites is controlled.
• Customized: If you click Customized and then Set, you can customize an action (by clicking Permit or Deny) for each predefined application category in the displayed dialog box.

Firewall policies

Internet-to-User default action

Default action performed on inbound packets. The default action is taken for the data packets that do not match the inbound ACL. By default, all inbound packets are rejected. You can set the default action taken for inbound packets to permit. An inbound packet is sent from a low-priority zone to a high-priority zone.

Internet-to-User flow

Internet-to-User flow

Inbound ACL. Multiple ACL rules can be defined in the ACL.

Priority

Priority of an ACL rule. The ACL rule with a higher priority is matched preferentially, and the action defined by this rule is performed.

Action

Action:

• Permit: Inbound packets that match the ACL rule are allowed to pass.
• Deny: Inbound packets that match the ACL rule are denied.

Protocol

Protocol of the packets that can match the ACL rule.

Source IP

Source IP address of the packets that can match an ACL rule.

Source Port

Source port number of the packets that can match the ACL rule.

Destination IP

Destination IP address of the packets that can match the ACL rule.

Destination Port

Destination port number of the packets that can match the ACL rule.

User-to-Internet default action

Default action performed on outbound packets. The default action is taken for the data packets that do not match the outbound ACL. By default, all outbound packets are allowed to pass through. You can set the default action taken for inbound packets to deny. An outbound packet is sent from a high-priority zone to a low-priority zone.

User-to-Internet flow

User-to-Internet flow

Outbound ACL. Multiple ACL rules can be defined in the ACL.

Priority

Priority of an ACL rule. The ACL rule with a higher priority is matched preferentially, and the action defined by this rule is performed.

Action

Action:

• Permit: Outbound packets that match the ACL rule are allowed to pass.
• Deny: Outbound packets that match the ACL rule are denied.

Protocol

Protocol of the packets that can match the ACL rule.

Source IP

Source IP address of the packets that can match the ACL rule.

Source Port

Source port number of the packets that can match the ACL rule.

Destination IP

Destination IP address of the packets that can match the ACL rule.

Destination Port

Destination port number of the packets that can match the ACL rule.

IPS policies

Security configuration files

By default, iMaster NCE-Campus has multiple security configuration files for different application scenarios. The default security configuration files can be viewed or referenced by security policies. The following security configuration files are supported:

• strict: It contains all signatures and the action is block. It applies to all protocols and intrusion categories. This security configuration file applies to scenarios where all packets that match signatures need to be blocked.
• web_server: It contains all signatures and the default action is used. It applies to DNS, HTTP, and FTP protocols, as well as all intrusion categories. This security configuration file applies to scenarios where the device is deployed in front of a web server.
• file_server: It contains all signatures and the default action is used. It applies to the DNS, SMB, NFS, SunRPC, MSRPC, File, and Telnet protocols, as well as all intrusion categories. This security configuration file applies to scenarios where the device is deployed in front of a file server.
• dns_server: It contains all signatures and the default action is used. It applies to the DNS protocol and all intrusion categories. This security configuration file applies to scenarios where the device is deployed in front of a DNS server.
• mail_server: It contains all signatures and the default action is used. It applies to DNS, IMAP4, SMTP, and POP3 protocols, as well as all intrusion categories. This security configuration file applies to scenarios where the device is deployed in front of a mail server.
• inside_firewall: It contains all signatures and the default action is used. It applies to all protocols and intrusion categories. This security configuration file applies to scenarios where the device is deployed inside a firewall.
• dmz: It contains all signatures and the default action is used. It applies to all protocols except NFS, SMB, Telnet, and TFTP, as well as all intrusion categories. This security configuration file applies to scenarios where the device is deployed in front of the DMZ.
• outside_firewall: It contains all signatures and the default action is used. It applies to all protocols and intrusion categories except Scanner. This security configuration file applies to scenarios where the device is deployed outside a firewall.
• default: It contains all signatures and the default action is used. It applies to all protocols and intrusion categories. This security configuration file applies to scenarios where the device is deployed in IPS (in-line) mode.