Policy Plan
Traffic Policy Plan
Planning application groups
Precise identification of applications on a network is the prerequisite and basis for network services such as intelligent traffic steering, QoS, application optimization, and security. Service policies can be applied in subsequent service processes only after applications are identified.
When configuring policies, you need to select an application group before selecting an application.
When creating an application group, you need to add predefined or customized applications to the customized application group. An application can be added to only one application group. However, the following requirements must be met when you configure ACL policies, QoS policies, intelligent traffic steering policies, Internet access policies at a site, and application quality monitoring policies:
- Applications in application groups of traffic classifiers in ACL policies, QoS policies, and Internet access policies of the same site must be different.
- Applications in application groups of traffic classifiers must be different from each other between different ACL policies, QoS policies, intelligent traffic steering policies, application quality monitoring policies, or Internet access policies of the same site.
In this document, two application groups that contain the VoIP and Software_Update applications, respectively, are used as examples.

| Parameter | Value | |
|---|---|---|
| Name | test_app_group_VoIP | test_app_group_Software |
| SA signature database | SA_H30071002 (500+) | SA_H30071002 (500+) |
| Description | - | - |
| Predefined application (FPI) | - | - |
| Predefined application (SA) | VoIP | Software_Update |
| Customized application | - | - |

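
The uniqueness requirements listed above can be checked before a plan is entered on the controller. The following Python sketch is an added example, not part of the original document or of iMaster NCE-Campus; it uses the example names planned on this page as constructed data, and it assumes one reading of the two requirements: ACL, QoS, and Internet access policies share a single per-site scope, while every other policy type is checked only against policies of its own type.

```python
from collections import defaultdict
from itertools import combinations

# Constructed plan data built from the example names used on this page.
APP_GROUPS = {
    "test_app_group_VoIP": {"VoIP"},
    "test_app_group_Software": {"Software_Update"},
}
CLASSIFIERS = {  # classifier -> application group (None = L3 ACL match only)
    "test_traffic_VoIP": "test_app_group_VoIP",
    "test_traffic_Software": "test_app_group_Software",
    "test_ztp": None,
}
SITES = ("Hub_1", "Hub_2", "Site_1", "Site_2", "Site_3")
POLICIES = [  # (type, label, classifier, sites); the last label is constructed
    ("steering", "test_policy_VoIP", "test_traffic_VoIP", SITES),
    ("steering", "test_policy_Software", "test_traffic_Software", SITES),
    ("qos", "test_QoS_VoIP", "test_traffic_VoIP", SITES),
    ("qos", "test_QoS_Software", "test_traffic_Software", SITES),
    ("internet_access", "VN-test Internet access", "test_ztp", SITES[2:]),
]
# Assumption: these three types must not share applications at the same site.
SHARED_TYPES = {"acl", "qos", "internet_access"}


def validate(groups, classifiers, policies):
    """Return a list of human-readable violations (empty list = plan is valid)."""
    errors = []
    # Rule 1: an application can be added to only one application group.
    for (g1, a1), (g2, a2) in combinations(sorted(groups.items()), 2):
        for app in sorted(a1 & a2):
            errors.append(f"{app} is in both {g1} and {g2}")
    # Rule 2: per site and scope, each application is matched by one policy.
    seen = defaultdict(list)
    for ptype, label, classifier, sites in policies:
        scope = "acl/qos/internet_access" if ptype in SHARED_TYPES else ptype
        group = classifiers[classifier]
        for app in (groups[group] if group else ()):
            for site in sites:
                seen[(site, scope, app)].append(label)
    for (site, scope, app), labels in sorted(seen.items()):
        if len(labels) > 1:
            errors.append(f"{site}: {app} matched by {', '.join(labels)} ({scope})")
    return errors


if __name__ == "__main__":
    print(validate(APP_GROUPS, CLASSIFIERS, POLICIES) or "plan is consistent")
```
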
Planning traffic classifiers
A traffic classifier defines a group of matching rules to classify packets. This ensures that a device processes packets matching the same traffic classifier identically.
When configuring a traffic policy, you need to use the created traffic classifier.
In this example, three traffic classifiers are created: one corresponding to the VoIP application group, one corresponding to the Software_Update application group, and one for LAN-side devices at branch sites to go online.

| Parameter | | Value | | |
|---|---|---|---|---|
| Traffic classifier name | | test_traffic_VoIP | test_traffic_Software | test_ztp |
| Operator | | And | And | And |
| L3 ACL | Priority | - | - | 1 |
| | Protocol | - | - | IP |
| | Destination IP address | - | - | 10.1.1.0/24 |
| Application group | | test_app_group_VoIP | test_app_group_Software | - |
| Advanced Settings | | - | - | - |

Planning Internet access for sites
To ensure that LAN-side devices at branch sites can automatically register with iMaster NCE-Campus and go online during site deployment, enable the Internet access function for the sites on the VN.

| Parameter | Value | |
|---|---|---|
| VN | VN-test | |
| Internet access mode | Local Internet access | |
| Site | Site_1, Site_2, and Site_3 | |
| VAS | Disabled | |
| Policy | By Application | |
| Shared track IP address | 10.1.1.1 | |
| Traffic classifier | test_ztp | |
| WAN link | Internet | MPLS |
| NAT | Enabled | Enabled |
| Link priority | 1 | 2 |
| Bandwidth allocation | Disabled | Disabled |

Planning intelligent traffic steering
After an intelligent traffic steering policy is configured, traffic can be automatically switched between the primary and secondary links when link congestion occurs and the requirements of a specified application cannot be met. This ensures the experience of key applications.
In this example, VoIP service traffic is preferentially transmitted over the MPLS link, and Software_Update service traffic is preferentially transmitted over the Internet link.

| Parameter | | Value | | | |
|---|---|---|---|---|---|
| Policy name | | test_policy_VoIP | | test_policy_Software | |
| Traffic classifier | | test_traffic_VoIP | | test_traffic_Software | |
| Policy priority | | 10 | | 20 | |
| Switchover condition | | Voice | | Bulk Data | |
| Primary transport network list | Transport network | MPLS | Internet | Internet | MPLS |
| | Priority | 1 | 2 | 1 | 2 |
| Secondary transport network | | Disabled | | Disabled | |
| Advanced Settings | | Disabled | | Disabled | |
| Effective time template | | - | | - | |
| Site | | Hub_1, Hub_2, Site_1, Site_2, and Site_3 | | | |

Planning QoS
QoS is a mainstream function that implements differentiated services. Data packets are classified into different priorities or multiple classes of service (CoSs) through traffic classification. These priorities and CoSs are the prerequisite and basis for differentiating service models. Different traffic policies can be configured based on packet priorities and CoSs to provide different services.
In this example, QoS policies are configured for the overlay network based on queue priorities. VoIP service traffic is transmitted in the queue with the highest priority so that the traffic can be preferentially forwarded.

| Parameter | Value | |
|---|---|---|
| Policy name | test_QoS_VoIP | test_QoS_Software |
| Traffic classifier | test_traffic_VoIP | test_traffic_Software |
| Policy priority | 10 | 20 |
| LAN | Disabled | Disabled |
| WAN | Enabled | Enabled |
| Queue priority: Priority level | Highest | Medium |
| Guaranteed bandwidth | Percentage: 30% | Percentage: 10% |
| Site | Hub_1, Hub_2, Site_1, Site_2, and Site_3 | |

Security Policy Plan
URL filtering regulates online behaviors by controlling URLs that users can access and permitting or denying users' access to some web resources.
In this example, access to the website www.xxx.com is denied.

| Parameter | Value |
|---|---|
| Policy name | test_security_policy1 |
| Policy type | Blacklist |
| Blacklist | www.xxx.com |
| Site | Hub_1, Hub_2, Site_1, Site_2, and Site_3 |