Oracle® Communications IP Service Activator QoS User’s Guide
Release 7.2

E47716-01

2 Setting Up Basic Policy Data

This chapter describes the basic data you need to define before setting up a QoS or security policy for Oracle Communications IP Service Activator. This includes the following:

Importing QoS-related Policy Files

Configuration policies are loaded through the same mechanism as other policy files. To use configuration policies, they must be pre-loaded. For details, see IP Service Activator Administrator's Guide.

Various policy files are available to load pre-configured QoS definitions. The default.policy and advanced.policy files provide standard values for IP Precedence codepoints and MPLS experimental bits.

For details on the objects created by a policy file, refer to the file itself. The default.policy file is located at:

ServiceActivatorHome\Oracle Communications\Service Activator\SamplePolicy

The default.policy File Summary

The default.policy file creates some basic policy data, including basic Gold, Silver and Bronze classes of service and their associated codepoints and traffic types. If you do not load this default data, you will have to create all the basic component data yourself. Do not import this policy file into a domain into which an older default.policy file or default.dscp.policy file has been imported.

This file should be loaded first, before other .policy files.

The default.policy file defines the Gold, Silver, and Bronze classes of service, shown in Table 2-1.

Table 2-1 The Default.Policy File Classes of Service

CoS      Packet Marking     Codepoint Value
Gold     IP Precedence 5    40
Silver   IP Precedence 3    24
Bronze   IP Precedence 0    0


The default.dscp.policy File

The default.dscp.policy file creates DSCP values when loaded. This file is a variant of the default.policy file and is compatible with IP Service Activator releases prior to 5.1.3. It may be more appropriate when the network processor is not in use. Packet marking policies use DSCP values instead of IP Precedence values. Do not import this policy file into a domain into which the new default.policy file has already been imported.

The advanced.policy File Summary

The advanced.policy file creates additional packet markings and classes of service, as well as classifications, classification groups and traffic types when loaded. This data is useful if your routers support the full range of DiffServ codepoints, IP Precedence values and/or MPLS experimental bits. Load the default.policy file before loading this file.

See "The advanced.policy File Details" for a list of standard DiffServ codepoints.

Additional .policy files

You can load the following files that provide sample policy rules, role assignment rules, and PHB groups. You can use these as a basis for creating your own rules and PHB groups:

  • Rule_and_PHB.policy file – creates some example policy rules, PHB groups and role assignment rules. Load the default.policy and advanced.policy files before loading this file.

  • Role_Assignment_Rules.policy file – defines a set of role assignment rules that allocate system-defined roles to devices and interfaces.

Additional policy files include:

  • juniper.policy file – for Juniper M-series devices; defines relevant MPLS packet markings, sets up classes of service based on these markings and creates an example PHB group with WRR configured. For more information, see IP Service Activator Juniper M-series Device Support Guide.

  • SharedPolicyData.policy file – loaded automatically at system startup. It defines a set of commonly-used IP protocols which are available in any domain you create. You only need to load this file if the IP protocols are deleted or edited incorrectly.

Loading Policy Configuration Files

To load a policy configuration file:

  1. On the Domain dialog box, select the Setup tab.

  2. Click Browse to view the available configuration files in the SamplePolicy folder.

  3. Select the file to load and click Open. A brief explanation of the file appears in the File Information panel.

  4. Click Load to load the selected file and create the data. Note that these files must be loaded in the following order:

    1. default.policy

    2. advanced.policy

    3. Rule_and_PHB.policy

      Note:

      Do not load Rule_and_PHB.policy if you have already created standard PHB groups.

You must specify the device and interface roles to which these example standard PHB groups apply before using them. See "Using Roles in Policy Elements" for information on using roles in policy elements.

Class of Service Data

Classes of service define classes of traffic based on packet characteristics allowing traffic on the network to be identified. Specific QoS mechanisms, such as a guaranteed bandwidth or a particular queuing priority, can be applied to specific classes of traffic.

Traffic is allocated to a CoS according to how the CoS is defined. A CoS can be defined by various methods including packet marking, source/destination IP/MAC address, account or traffic type. Subsequent routers can apply differentiated QoS based on the class of service for traffic on a per-packet basis. For more information about Differentiated Service, see IP Service Activator Concepts.

The CoS data used by IP Service Activator is fundamental to establishing a policy-based QoS system. It consists of the following:

  • Packet Markings – these define the bit settings which identify the traffic class to which IP or MPLS packets belong. You can use Packet Markings to determine which class a packet belongs to, or to change its class by re-marking it.

    The types of packet marking available are:

    • DiffServ codepoints – IP DiffServ codepoint bits in the DiffServ field of the IP packet header. Up to 64 DiffServ codepoints can be set up, each one corresponding to a different setting in the header of an IP packet

    • IP Precedence – IP Precedence bits in the IP Precedence field of the IP packet header. Up to eight IP Precedence values (0-7) can be defined, each one corresponding with a different setting in the header of an IP packet

    • MPLS experimental bits – CoS/experimental bits section of the MPLS header. Up to eight MPLS experimental bit values can be defined, each one corresponding to a CoS experimental bit value in the MPLS label

    • MPLS Topmost experimental bits – CoS/experimental bits section of the topmost MPLS header. Up to eight MPLS topmost experimental bit values can be defined, each one corresponding to a CoS experimental bit value in the topmost MPLS label

    • Frame Relay Discard Eligible (DE) bit – DE bit of the address field of the Frame Relay frame header. 0 or 1 in the Address field of the Frame Relay frame header

    • ATM Cell Loss Priority (CLP) bit – CLP bit in the ATM cell header. 0 or 1 in the ATM cell header

    • Discard-class – defines an integer between 0 and 7, each value indicating a type of traffic to be dropped when there is congestion in the network.

    • Trust Type – specifies which CoS type is to be trusted. The options are: trust-cos, trust-ipprec, trust-dscp.

    • COS – defines an integer between 0 and 7, used to set the Layer 2 CoS of an outgoing packet.

    • COS Inner – defines an integer between 0 and 7, used to mark the inner CoS field in a bridged frame.

    Note:

    Packet markings that specify settings for the Frame Relay Discard Eligible bit and/or ATM Cell Loss Priority bit can only be used by classes of service associated with PHB groups.

  • Classes of Service – define classification categories for identifying traffic on the network. Classes of service can be defined by packet marking (coarse grained), or by more detailed classifications such as source and/or destination IP address and traffic type (fine grained).

You can load the following policy configuration files which provide standard IP DiffServ codepoint values for IP Precedence codepoints and values for MPLS experimental bits:

The packet markings defined by these files are described in the following sections.

You can make changes to the packet markings created by these files if you wish:

  • You can rename existing codepoints, though we recommend that you do not change standard names

  • You can create new codepoints, though you should ensure that they can be recognized by devices

DiffServ Codepoints

Each DiffServ codepoint corresponds to a setting in the IP Precedence/DiffServ codepoint section of the header of an IPv4 or IPv6 packet. The DiffServ standard defines a 6-bit field, allowing up to 64 codepoints. As a result, up to 64 classes of service may be defined.

Packets can be re-marked at any point in the network using classification rules or using MQC PHB groups. See "Classification Rules" for information on defining classification rules. See "Defining MQC PHB Groups" for more information on defining MQC PHB groups.

Note:

Before setting up a QoS policy, you need to know which codepoints are supported on the devices in your network – for example, whether they can recognize and mark with the full range of DiffServ codepoints or just the IP Precedence bits. To check the codepoints supported on a particular interface, see the appropriate Capabilities property page. For more information on viewing an interface's capabilities see IP Service Activator User's Guide.

The codepoints that are defined in IP Service Activator are listed in the Packet Markings folder on the Policy tab. IP Service Activator includes a set of policy configuration files that you can load into IP Service Activator to set up basic standard codepoints; see "Importing QoS-related Policy Files" for more information. You can also define codepoints in the user interface.

IP Precedence

Each IP Precedence value corresponds to a setting in the IP Precedence section of the header of an IPv4 or IPv6 packet. There are eight classes of service in IP Precedence. The classification range is 0-7, where 0 (zero) is the lowest and 7 is the highest priority.

MPLS Experimental Bits

For MPLS traffic, a label is attached to each IP packet at the ingress router to the Label Switched Path (LSP). This label is used by routers when forwarding packets along the path, and the IP packet header is not examined at any point along the LSP. The three IP Precedence bits are copied from the IP header into the three bits within the MPLS label known as the MPLS experimental bits or CoS experimental bits.

The application that generates the IPv4 or IPv6 packet controls the original IP Precedence value. However, some devices are able to reset this value, which can be useful if a precedence is set for a packet at the edge of the network and a service provider wants to override this value while the packet transits the core.

IP Service Activator is able to set the MPLS experimental bits where this is supported by devices.

Packets can be remarked at any point in the network using classification rules or MQC PHB groups. See "Classification Rules" for information on defining classification rules. See "Defining MQC PHB Groups" for more information on defining MQC PHB groups.

MPLS Topmost Experimental Bits

These are the same bits as the MPLS experimental bits, but set only on the topmost MPLS label on a packet. MPLS labels are added to IP packets on entry to an MPLS network. Typically, the three IP Precedence bits are copied from the IP header into these bits. Some devices are able to reset this value, which can enable the service provider to override a packet's precedence while it transits the core. Some devices also support setting and evaluating the MPLS experimental bits only on the Topmost MPLS label.

Packets can be remarked at any point in the network using classification rules or MQC PHB groups. The MPLS Topmost packet marking is used to mark the MPLS Experimental bits in only the topmost MPLS label of a packet. This Packet Marking is applicable only in MQC PHBs and only to perform policing and marking actions. Other actions will trigger the device to return errors which are then displayed in the Faults pane.

See "Classification Rules" for information on defining classification rules. See "Defining MQC PHB Groups" for more information on defining MQC PHB groups.

Frame Relay Discard Eligible Bit

The Frame Relay DE bit is part of the Frame address field in the Frame Relay frame header. This bit is normally set to indicate that the frame has a lower importance than other frames. When congestion occurs, frames with the DE bit set will be dropped before frames whose DE bits are not set.

ATM Cell Loss Priority Bit

The ATM CLP bit is part of the ATM cell header. This bit is normally set to indicate that the cell has a lower importance than other cells. When congestion occurs, cells with the CLP bit set will be dropped before cells whose CLP bit is not set.

Discard-class

You can use this packet marking to specify the type of traffic that will be dropped when there is congestion.

Trust Type

This configures the trust state, which selects the value that QoS uses as the source of the internal DSCP value. For example, if Trust Type is set to trust-ipprec, the device treats the ToS bits of incoming packets as carrying an IP Precedence value and derives the internal DSCP value from those IP Precedence bits.

The advanced.policy File Details

The advanced.policy file defines the IETF standard DiffServ Class Selector, Best Effort, Assured Forwarding and Expedited Forwarding codepoints. If you want to use the codepoints defined in this file, you need to load it into IP Service Activator. See "Importing QoS-related Policy Files" for more information.

The advanced.policy codepoints are defined in Table 2-2.

Table 2-2 Advanced.Policy Codepoints

Codepoint Name   DiffServ Codepoint
BE               0
CS0              0
CS1              8
CS2              16
CS3              24
CS4              32
CS5              40
CS6              48
CS7              56
AF11             10
AF12             12
AF13             14
AF21             18
AF22             20
AF23             22
AF31             26
AF32             28
AF33             30
AF41             34
AF42             36
AF43             38
EF               46

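The values in Table 2-2 follow directly from the DiffServ bit layout: the class selectors are the IP Precedence value shifted left by three bits (which is also why Table 2-1 lists IP Precedence 5 as codepoint value 40, and how a trust-ipprec trust state derives a DSCP from the precedence bits), and each Assured Forwarding codepoint AFxy places the class x in the top three bits and the drop precedence y in the next two. The following Python is an added example, not part of this guide or of the product's policy files; the function names are the example's own, and the only data it takes from the page is the Table 2-2 value list, which it recomputes from the bit layout and cross-checks so that a hand-edited .policy file can be sanity-checked before loading.

```python
"""Arithmetic behind the codepoint values in Tables 2-1 and 2-2.

Added example, not part of the Oracle documentation or of the product's
policy files. It derives the standard DiffServ codepoints from the IETF
bit layouts (class selectors, Assured Forwarding, Expedited Forwarding)
and cross-checks them against the values printed in Table 2-2.
"""
from typing import Dict, List, Tuple

# Values exactly as listed in Table 2-2 of this chapter (copied, not computed).
TABLE_2_2: Dict[str, int] = {
    "BE": 0, "CS0": 0, "CS1": 8, "CS2": 16, "CS3": 24, "CS4": 32,
    "CS5": 40, "CS6": 48, "CS7": 56,
    "AF11": 10, "AF12": 12, "AF13": 14, "AF21": 18, "AF22": 20, "AF23": 22,
    "AF31": 26, "AF32": 28, "AF33": 30, "AF41": 34, "AF42": 36, "AF43": 38,
    "EF": 46,
}


def precedence_to_dscp(prec: int) -> int:
    """Class-selector DSCP for an IP Precedence value.

    IP Precedence is the top 3 bits of the ToS byte and DSCP the top 6,
    so precedence p occupies the DSCP bits as p << 3. This is the
    derivation a trust-ipprec trust state performs on ingress, and why
    Table 2-1 lists IP Precedence 5 with codepoint value 40.
    """
    if not 0 <= prec <= 7:
        raise ValueError(f"IP Precedence must be 0-7, got {prec}")
    return prec << 3


def dscp_to_precedence(dscp: int) -> int:
    """IP Precedence that a precedence-only device sees for a DSCP value."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP must be 0-63, got {dscp}")
    return dscp >> 3


def af_dscp(af_class: int, drop_precedence: int) -> int:
    """Assured Forwarding AFxy: class x in bits 5-3, drop precedence y in bits 2-1."""
    if af_class not in (1, 2, 3, 4) or drop_precedence not in (1, 2, 3):
        raise ValueError(f"invalid AF{af_class}{drop_precedence}")
    return (af_class << 3) | (drop_precedence << 1)


def dscp_to_tos_byte(dscp: int, ecn: int = 0) -> int:
    """The 8-bit ToS / Traffic Class byte: DSCP in the top 6 bits, ECN in the low 2."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP must be 0-63 and ECN 0-3")
    return (dscp << 2) | ecn


def tos_byte_to_dscp(tos: int) -> int:
    """Recover the DSCP from a ToS byte as captured on the wire."""
    return (tos >> 2) & 0x3F


def standard_codepoints() -> Dict[str, int]:
    """Name -> DSCP for BE, CS0-CS7, AF11-AF43 and EF, computed from the bit layouts."""
    table: Dict[str, int] = {"BE": 0}
    for prec in range(8):
        table[f"CS{prec}"] = precedence_to_dscp(prec)
    for af_class in range(1, 5):
        for drop in range(1, 4):
            table[f"AF{af_class}{drop}"] = af_dscp(af_class, drop)
    table["EF"] = 46  # EF has no arithmetic rule: 101110 is simply assigned by RFC 3246
    return table


def codepoint_name(dscp: int) -> str:
    """Reverse lookup; the first-listed name wins (0 reports as BE), unnamed values as 'DSCP n'."""
    names: Dict[int, str] = {}
    for name, value in standard_codepoints().items():
        names.setdefault(value, name)
    return names.get(dscp, f"DSCP {dscp}")


def check_against_table_2_2() -> List[Tuple[str, int, int]]:
    """Disagreements as (name, table value, computed value); empty means Table 2-2 is consistent."""
    computed = standard_codepoints()
    return [(n, v, computed.get(n, -1)) for n, v in TABLE_2_2.items() if computed.get(n) != v]


if __name__ == "__main__":
    for name, value in standard_codepoints().items():
        print(f"{name:5} dscp={value:2} prec={dscp_to_precedence(value)} "
              f"tos=0x{dscp_to_tos_byte(value):02x}")
    print("Table 2-2 mismatches:", check_against_table_2_2())
```

Running the module prints each standard codepoint with the IP Precedence a precedence-only device would see for it and the ToS byte it occupies on the wire; an empty mismatch list confirms the table. The same arithmetic is what to apply when a capture shows a raw ToS byte (for example 0xb8) and you need to know which class of service the marking maps to.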

The COS values defined by the advanced.policy file are shown in Table 2-3.

Table 2-3 Advanced.Policy COS Values

Name     COS Value
COS 0    0
COS 1    1
COS 2    2
COS 3    3
COS 4    4
COS 5    5
COS 6    6
COS 7    7


The COS Inner values defined by the advanced.policy file are shown in Table 2-4.

Table 2-4 Advanced.Policy COS Inner Values

Name           COS Inner Value
COS Inner 0    0
COS Inner 1    1
COS Inner 2    2
COS Inner 3    3
COS Inner 4    4
COS Inner 5    5
COS Inner 6    6
COS Inner 7    7


The MPLS experimental bits defined by the advanced.policy file are shown in Table 2-5.

Table 2-5 Advanced.Policy MPLS Experimental Bit Values

Name          MPLS Experimental Bit Value
MPLS Exp 0    0
MPLS Exp 1    1
MPLS Exp 2    2
MPLS Exp 3    3
MPLS Exp 4    4
MPLS Exp 5    5
MPLS Exp 6    6
MPLS Exp 7    7


For details on exactly what objects are created by a policy file, refer to the file itself. The advanced.policy file is located in the Sample Policy folder in your IP Service Activator installation, found in:

ServiceActivatorHome\Oracle Communications\Service Activator\SamplePolicy

Creating a New Packet Marking

You create packet markings on the Policy tab.

To create a new packet marking:

  1. On the Policy tab, select the Packet Markings folder.

  2. Select Add Packet Marking from the pop-up menu.

    The Packet Marking dialog box opens.

  3. Enter the following details:

    • Name: an identifying name for the marking object

    • Marking: do one of the following:

      • Select DiffServ Codepoint and define the appropriate codepoint value in the range 0-63.

      • Select IP Precedence and define the appropriate value in the range 0-7.

      • Select MPLS - Experimental and define the appropriate bit value in the range 0-7.

      • Select MPLS - Topmost and define the appropriate bit value in the range 0-7.

      • Select Frame Relay Discard Eligible and specify either Enabled or Disabled.

      • Select ATM Cell Loss Priority and specify either Enabled or Disabled.

      • Select Discard class and define the appropriate value in the range 0-7.

      • Select Trust Types and choose a value from the options trust-cos, trust-ipprec, and trust-dscp.

      • Select COS and select a value in the range of 0-7.

      • Select COS Inner and select a value in the range of 0-7.

  4. Click OK to close the dialog box.

Note:

If you have loaded the default.policy file and/or advanced.policy file, packet markings for some DiffServ codepoints and MPLS experimental bit values will already exist.

Migrating from IP Precedence to DSCP

Migrating from an IP Precedence-based configuration to a DSCP-based configuration is accomplished through changes to the IP Service Activator capabilities files. When this change is made, IP Service Activator is not able to replace the Precedence entries with the DSCP entries within IP extended access-lists. This is because once the capabilities of the device driver have been changed to support DSCP, the device driver no longer parses or removes existing IP Precedence values. In this case, both IP Precedence and DSCP entries remain in the access-lists.

Once the new DSCP-based configuration is verified to be correct, the remaining IP Precedence entries must be removed manually. If they are not removed manually, IP Service Activator will continually attempt to remove the IP Precedence values on every device configuration.
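Because both marking styles can remain in the same access-list after the capabilities change, an operator needs a way to find the IP Precedence entries that still have to be removed by hand once the DSCP configuration is verified. The following Python is an added example, not part of this guide or of IP Service Activator: it assumes Cisco IOS extended access-list syntax and the IOS keyword names for precedence and DSCP values, the function names are the example's own, and the access-list it scans is constructed for illustration.

```python
"""Audit an extended access-list for leftover IP Precedence entries after a DSCP migration.

Added example, not part of the Oracle documentation or of IP Service Activator.
It assumes Cisco IOS extended ACL syntax with the IOS keyword names for
precedence and DSCP values; the sample ACL at the bottom is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# IOS keyword names for IP Precedence values (standard IOS names, not from this page).
PRECEDENCE_NAMES: Dict[str, int] = {
    "routine": 0, "priority": 1, "immediate": 2, "flash": 3,
    "flash-override": 4, "critical": 5, "internet": 6, "network": 7,
}
# IOS keyword names for DSCP values: default, cs0-cs7, af11-af43, ef.
DSCP_NAMES: Dict[str, int] = {"default": 0, "ef": 46}
DSCP_NAMES.update({f"cs{i}": i << 3 for i in range(8)})
DSCP_NAMES.update({f"af{c}{d}": (c << 3) | (d << 1)
                   for c in range(1, 5) for d in range(1, 4)})

_PREC_RE = re.compile(r"\bprecedence\s+(\S+)")
_DSCP_RE = re.compile(r"\bdscp\s+(\S+)")


def _value(token: str, names: Dict[str, int]) -> int:
    """Resolve a keyword or a numeric token to its integer value."""
    token = token.lower()
    return names[token] if token in names else int(token)


def marking_of(ace: str) -> Optional[Tuple[str, int]]:
    """('precedence', n) or ('dscp', n) for an access-list entry; None if it matches no ToS field."""
    m = _PREC_RE.search(ace)
    if m:
        return ("precedence", _value(m.group(1), PRECEDENCE_NAMES))
    m = _DSCP_RE.search(ace)
    if m:
        return ("dscp", _value(m.group(1), DSCP_NAMES))
    return None


def without_marking(ace: str) -> str:
    """The entry with its precedence/dscp clause removed and whitespace normalised, for comparison."""
    stripped = _DSCP_RE.sub("", _PREC_RE.sub("", ace))
    return " ".join(stripped.split())


def stale_precedence_entries(acl_text: str) -> List[Dict[str, object]]:
    """Every precedence entry, with the class-selector DSCP it corresponds to (prec << 3)
    and whether an otherwise identical entry already matches that DSCP."""
    lines = acl_text.splitlines()
    dscp_entries = set()
    for line in lines:
        mk = marking_of(line)
        if mk and mk[0] == "dscp":
            dscp_entries.add((without_marking(line), mk[1]))
    report: List[Dict[str, object]] = []
    for number, line in enumerate(lines, 1):
        mk = marking_of(line)
        if not mk or mk[0] != "precedence":
            continue
        equivalent = mk[1] << 3
        report.append({
            "line": number,
            "text": line.strip(),
            "precedence": mk[1],
            "equivalent_dscp": equivalent,
            "dscp_equivalent_present": (without_marking(line), equivalent) in dscp_entries,
        })
    return report


# Constructed sample of what an ACL can look like after the capabilities change,
# with both marking styles present; not taken from a real device.
SAMPLE_ACL = """\
ip access-list extended QOS-GOLD-IN
 remark constructed sample, not taken from a real device
 permit ip any any precedence critical
 permit ip any any dscp cs5
 permit tcp any any eq 80 precedence 3
 permit ip 10.1.0.0 0.0.255.255 any dscp af41
"""

if __name__ == "__main__":
    for entry in stale_precedence_entries(SAMPLE_ACL):
        state = ("DSCP equivalent present" if entry["dscp_equivalent_present"]
                 else "no DSCP equivalent yet")
        print(f"line {entry['line']}: {entry['text']!r} -> dscp {entry['equivalent_dscp']} ({state})")
```

The report pairs each precedence entry with the class-selector DSCP it corresponds to and notes whether an otherwise identical DSCP entry already exists, which is the state the text describes. An entry that has no DSCP counterpart yet is the one to review before deleting anything, since removing it would drop the match rather than the duplicate.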

Flexible IP Precedence and DSCP Support on the Network Processor

On cartridge-managed devices, DSCP and IP Precedence packet marking are equally supported within the object model. This allows configuration for IP Precedence and DSCP to co-exist on a single device.

Defining Packet Markings in Cisco IOS Cartridge Configuration Options

The following options can be configured before and after deployment to define which packet marking type is used for the particular command:

  • cartridge.cisco.qos.policymap.setTosType

  • cartridge.cisco.qos.policymap.wredType

  • cartridge.cisco.qos.phbwfq.dropStrategy.wredType

  • cartridge.cisco.qos.interface.wredType

  • cartridge.cisco.qos.car.setTosType

  • cartridge.cisco.qos.acl.numbered.tosType

  • cartridge.cisco.qos.acl.named.tosType

  • cartridge.cisco.qos.policymap.police.tosType

  • cartridge.cisco.qos.classmap.tosType

See IP Service Activator Cisco IOS Cartridge Guide for more information on the possible values that can be set to determine the packet marking type.

Classes of Service

A CoS is a logical grouping of traffic based on marking and classification rules for the purpose of providing differentiated QoS.

There are two policy configuration files you can load that pre-define classes of service:

See "Importing QoS-related Policy Files" for information on loading policy configuration files.

You associate classes of service with standard PHB groups and MQC PHB groups:

  • When associated with a standard PHB group, a CoS specifies the queuing mechanism, rate-limiting, and traffic shaping (ATM and FR) to be applied to a traffic class.

  • When associated with an MQC PHB group, a CoS allows a complete QoS policy to be applied to a traffic class including mechanisms for queuing, shaping, policing and re-marking.

A PHB group may have one or more classes of service associated with it. You can apply PHB groups to the network or specific devices and in this way specify how traffic in each CoS is treated.

A CoS can be defined in terms of the following:

  • One or more packet markings (coarse-grained)

  • A classification or classification group – classifications may be defined, for example, by source and/or destination IP address or account and traffic type (fine-grained)

Note:

A standard PHB group applies to a CoS characterized by a packet marking, while an MQC PHB group applies to a CoS defined by a classification or classification group. Each PHB group type ignores any irrelevant part of a CoS definition.

Although it is possible to associate several markings with a CoS, they are normally matched on a one-to-one basis.

The classes of service that are defined in IP Service Activator are listed in the Policy tab's Classes of Service folder. IP Service Activator is shipped with a set of policy configuration files that you can load to set up basic standard classes. You can also define new classes of service in the user interface.

In addition, a Default Class of Service is created automatically. The default CoS is the CoS used when no other user-defined CoS is selected for an MQC, MQC PHB or policing rule. You can use the Default Class of Service when setting up PHB groups to define a default behavior for unmarked traffic. However, the default CoS cannot be linked to either a codepoint or a classification object. The default behavior of this CoS is vendor specific.

You can edit the classes of service created by the configuration files if you wish. For example, you can:

  • Rename existing classes of service to something appropriate to your organization

  • Delete classes of service that you do not intend to use

    You cannot delete the Default Class of Service, and you cannot delete a CoS that is used by a PHB group.

  • Create a new CoS

To create a new class of service:

  1. On the Policy tab, select the Classes of Service folder.

  2. Select Add Class of Service from the pop-up menu.

    The Class of Service dialog box opens.

  3. Specify an identifying name and a configured name for the CoS and click OK.

To associate a specific packet marking with a CoS:

  1. Organize the display so that the relevant packet marking and CoS are both visible.

    Packet markings and classes of service are listed on the Policy tab.

  2. Drag the marking object on to the CoS.

    IP Service Activator lists the associated packet marking on the CoS's Packet Marking property page.

or:

  1. On the Policy tab, select the relevant CoS and select Properties from the pop-up menu.

    The CoS dialog box opens.

  2. Select the Packet Marking property page and select the check box associated with the relevant packet marking.

    You can select a number of packet markings to associate with a CoS.

To associate a classification or classification group with a CoS:

  1. Organize the display so that the relevant classification or classification group and CoS are both visible.

    Classifications and classes of service are listed on the Policy tab.

  2. Drag the classification or classification group object on to the CoS.

    IP Service Activator displays the associated classification or classification group on the CoS's Classification property page.

or:

  1. On the Policy tab, select the relevant CoS and select Properties from the pop-up menu.

    The CoS dialog box opens.

  2. Select the Classification property page, select a classification or classification group and click Apply.

    You can only associate a single classification or classification group with a CoS.

Note:

A fine-grained CoS can only be associated with MQC PHB groups.

To view a CoS's packet markings and classifications or classification groups:

  1. On the Policy tab, double-click on the Classes of Service folder.

    IP Service Activator lists details of the packet markings and classifications or classification groups associated with each CoS in the details pane.

Policy Components

Policy components are the standard definitions and templates that can be used when setting up policy rules and MQC PHB groups. These include:

  • Traffic types – define the network traffic that can be affected by rules and MQC PHB groups. If you have loaded the default configuration files, a number of traffic types are already included in IP Service Activator, defining traffic according to port number and CoS (Gold, Silver and Bronze). If you wish, you can define further traffic types that identify specific network traffic that you want to manage.

  • Classifications and classification groups – define network traffic by source and/or destination IP address or account and traffic type. If you have loaded the default configuration files, a number of classification groups are already included in IP Service Activator, defining traffic according to traffic type and source and destination IP address. If you wish, you can define further classifications and classification groups. Classifications and classification groups can be used with policy rules and with the classes of service associated with MQC PHB groups.

  • Date and time templates – specify the time periods during which rules are active, if they are only to apply at certain times. The use of date and time templates is optional – it is also possible to specify the effective dates and times manually when you set up the policy rule.

    Note:

    This is not supported on the network processor. Date and time templates can be applied on devices supported by device driver technology only.

  • IP protocols – define the transport protocols that can be used when defining a traffic type by port and IP protocol.

Setting Up Traffic Types

You need to set up traffic types to identify the different categories of network traffic to which you want to apply a specific QoS or security policy using policy rules or MQC PHB groups.

You can set up traffic types based on a number of different methods of classifying traffic:

  • Port Traffic Type – Source or destination port number and/or IP protocol. This is the most common way of classifying traffic since it is supported on all devices.

  • Packet Marking – DiffServ codepoint, IP Precedence, MPLS experimental bits, Frame Relay DE bit, ATM CLP bit, Discard-class, COS, or COS Inner

    Traffic types that use packet markings specifying settings for the Frame Relay Discard Eligible bit and/or ATM Cell Loss Priority bit can only be used by classifications associated with classes of service associated with PHB groups.

  • Domain Name – DNS domain name

  • Application – name of application protocol within the application, for example http

  • Sub-application – name of sub-application, for example H.323 video

  • URL – One URL or multiple URLs can be matched with the use of a wildcard (*)

    For example, URL http://www.website.com/dir only matches files in the directory dir on www.website.com, whereas http://www.website.com/* would match all URLs under that website.

  • MIME – the MIME type returned by HTTP and, if supported, the minimum and maximum packet length

  • Input-Interface - name of interface

  • VLAN - VLAN identification number or ranges of identification numbers between 1 and 4095

For more information about the traffic types that are supported by the Cisco IOS and Juniper M-Series device drivers, see the applicable device driver guide.

The actual support for particular traffic classification methods is interface-specific. You should always check the capabilities of an interface before employing a traffic classification.

To view the classification capabilities of a specific interface, display its property pages. The Capabilities property page lists the device capabilities: select Classify under Access, Classification or Policing for details of the traffic types supported. For more information on viewing interface capabilities, see IP Service Activator User's Guide.

A number of default traffic types are set up when you load the default.policy configuration file. You can view these traffic types in the Policy tab's Traffic Types folder. This folder contains two subfolders:

  • The Standard Traffic Types folder includes traffic types that allow you to identify traffic by standard DiffServ codepoints – IP precedence values 0, 3 and 5 corresponding to the Bronze, Silver and Gold classes of service.

  • The Standard Port Numbers folder includes a number of traffic types identifying the most common TCP and UDP port numbers.

The default class of service (if selected) will match any type of traffic that is not already matched within the current context. This enables you to apply rules to all traffic that is not defined by another group.

Additional traffic types may be created by loading the advanced.policy configuration file. These traffic types are held in subfolders in the Policy tab's Traffic Types folder:

  • The DSCP Values folder includes traffic types that allow you to identify traffic by DiffServ codepoint values

  • The IP Precedence folder includes traffic types that allow you to identify traffic by IP Precedence values

  • The IP Protocols folder includes traffic types that allow you to identify traffic by IP protocol

  • The MPLS EXP Values folder includes traffic types that allow you to identify traffic by MPLS experimental bit value

You can edit the available traffic types in the following ways:

  • Set up additional traffic types to identify specific network traffic

  • Set up a compound traffic type when you need to identify traffic which combines two or more traffic types, for example, packets that are both from a particular port (defined by a port traffic type) and a specific URL (defined by URL traffic type).

You can also set up a traffic type group when you want to organize traffic types into a logical or hierarchical structure.

To set up a port-based traffic type:

  1. On the Policy tab, select the Traffic Types folder.

    Alternatively, to add a traffic type to an existing group, expand the Traffic Types folder and select the appropriate folder.

  2. Select Add Port Traffic from the pop-up menu. The Port Traffic dialog box is displayed.

  3. On the Traffic Type property page, specify the Name and Remarks.

  4. On the Port Traffic property page, specify source and destination ports.

    To specify a source port, select the Enable check box in the Source pane.

    To specify a single source port, select the Single button, and then enter the number of the source port.

    To specify a range of source ports, select the Range button and enter the start and end of the range of port numbers.

  5. On the Protocol Options property page, specify the TCP flags and select an ICMP option from the Messages menu.

  6. Click OK to close the dialog box.

For complete dialog box and property page descriptions, refer to IP Service Activator online Help.

To set up other traffic types:

  1. On the Policy tab, select the Traffic Types folder.

    Alternatively, to add a traffic type to an existing group, expand the Traffic Types folder and select the appropriate folder.

  2. Select the appropriate Add... Traffic command from the pop-up menu. Choices include:

    • Add Port Traffic

    • Add Packet Marking Traffic

    • Add Domain Name Traffic

    • Add Application Traffic

    • Add Sub-application Traffic

    • Add MIME Traffic

    • Add URL Traffic

    • Add VLAN Traffic

    • Add Input-Interface

    • Add Traffic Group

    • Add Compound Traffic

    For example, select Add Packet Marking Traffic to set up a new packet marking-based traffic type.

  3. On the Traffic Type property page for the traffic type dialog box which displays, specify Name and Remarks.

  4. Select the TrafficType Traffic property page to define further details for the traffic type. The information required depends on the traffic type being defined, as shown in Table 2-6.

    Note:

    For complete dialog box and property page descriptions, refer to the IP Service Activator online Help.

    Table 2-6 Defining Traffic Types

    To define...                          Do this...
    A packet marking-based traffic type   On the Packet Marking Traffic property page of the Packet Marking Traffic dialog box, select the check box of the packet marking type you require and specify a value.
    A domain name-based traffic type      On the Domain Name Traffic property page of the Domain Name Traffic dialog box, in the Domain Name field, specify the DNS domain name.
    An application-based traffic type     On the Application Traffic property page of the Application Traffic dialog box, in the Name field, specify the application protocol name, such as realaudio for the Real Audio Streaming Protocol.
    A sub-application-based traffic type  On the Sub-application Traffic property page of the Sub-application Traffic dialog box, in the Name field, specify the sub-application protocol name.
    A URL-based traffic type              On the URL Traffic property page of the URL Traffic dialog box, in the URL field, enter a text string to represent a URL.
    A MIME-based traffic type             On the MIME Traffic property page of the MIME Traffic dialog box, in the MIME type field, enter the MIME type, such as audio.
    An Input-Interface traffic type       On the Input-Interface Traffic property page of the Input Interface Traffic dialog box, in the Interface Name field, enter the interface name.
    A VLAN traffic type                   On the VLAN Traffic property page of the VLAN Traffic dialog box, enter a VLAN identification number in the VLAN Range start and end fields. If the VLAN end range field is empty, a single VLAN is assumed.


  5. Click OK to close the dialog box.

Setting Up a Compound Traffic Type

You can set up a compound traffic type when you need to identify traffic that combines two or more traffic types, for example, packets that are both from a particular port (defined by a port traffic type) and a specific URL (defined by a URL traffic type).

To set up a compound traffic type, create the traffic type and then define the types to be included.

To set up a compound traffic type:

  1. On the Policy tab, select the Traffic Types folder.

  2. Right-click and select Add Compound Traffic from the pop-up menu.

  3. On the Traffic Type property page of the Compound Traffic Type dialog box, specify Name and Remarks.

To define the traffic types included in the compound traffic type, either:

  • Create members of the group directly, by right-clicking the compound traffic type and choosing the appropriate Add command from the pop-up menu.

  or:

  • If the traffic type already exists, include it in the compound traffic type by dragging and dropping.

For complete dialog box and property page descriptions, refer to the IP Service Activator online Help.

Setting Up a Traffic Type Group

Set up a traffic type group if you want to organize traffic types into a logical or hierarchical structure.

Traffic type groups are for administrative purposes only. You cannot apply policy to them.

To set up a traffic type group:

  1. On the Policy tab, select the Traffic Types folder.

    Alternatively, to add a traffic type group to an existing group, expand the Traffic Types folder and right-click the appropriate folder.

  2. Select Add Traffic Group from the pop-up menu.

  3. On the Traffic Type property page, enter details including Name and Remarks.

  4. Click OK to close the dialog box.

To define the members of the group, either:

  • Create members of the group directly, by right-clicking the group and selecting the appropriate Add command from the pop-up menu.

  or:

  • If the traffic type already exists, include it in the group by dragging and dropping.

For complete dialog box and property page descriptions, refer to the IP Service Activator online Help.

Setting Up a Classification

A classification is a method of categorizing traffic according to its source and/or destination and traffic type. This means, for example, that all traffic from New York can be assigned the same classification or subdivided by traffic type.

Classifications can also be collected into classification groups to create more complex criteria for classifying traffic. Classification groups enable you to group a number of traffic classifications – such as a set of routing protocols or application traffic – and apply the same class of service to them.

Classifications and classification groups can be:

  • Linked to a policy rule

    The classification/classification group defines which traffic is acted on by the rule. Alternatively, you can create a one-off classification within the rule definition.

  • Linked to a CoS

    A CoS that is linked to a classification/classification group can be associated with an MQC PHB group. The classification/classification group defines to which traffic the MQC PHB group's policy mechanisms apply.

It is possible to create a set of classifications and classification groups by loading the advanced.policy file. The file creates the following classification groups, held in the Classifications folder on the Policy tab:

  • The DSCP Values classification group holds a set of classifications based on DiffServ codepoint packet marking traffic types

  • The IP Precedence classification group holds a set of classifications based on IP Precedence packet marking traffic types

  • The MPLS EXP Values classification group holds a set of classifications based on MPLS experimental bit packet marking traffic types

See "Importing QoS-related Policy Files" for information on loading policy configuration files into IP Service Activator.

Using Classifications with Policy Rules

When deciding which classifications to create, we suggest you evaluate which source and destination and traffic type combinations need to have the same policy applied to them. Create a classification for each combination and, if necessary, group those classifications. You can then associate the group with the relevant rules.

See "Defining QoS and Access Control" for information on associating a classification with a rule. See "Using Classifications in Rules" for an example use of classifications and classification groups.

Using Classifications with MQC PHB Groups

A classification/classification group may be linked to a CoS which, in turn, may be linked to an MQC PHB group. The treatment to be applied to traffic that belongs to the CoS is defined by the MQC PHB group. See Figure 2-1 for more details.

Figure 2-1 MQC Classifications


In order to explain the options IP Service Activator offers for classifications/classification groups, it is necessary to refer to the configuration that is installed on the device. This includes at least one class map, generated for the CoS.

A class map defines a traffic class. There are three main elements in a traffic class:

  • A name – taken from the CoS

  • One or more match statements, generated for the classification or classification group linked to the CoS; a match statement specifies a criterion for classifying packets.

  • An instruction on how to evaluate the match statements – match any or match all of the match statements (described in "Match Any or Match All").

For example, where a classification based on a packet marking traffic type is associated with a CoS, a class map is configured containing a single match statement for that packet marking. See Figure 2-2.

Figure 2-2 Class Map Example


Only one classification or classification group may be associated with a CoS.

Match Any or Match All

The class map generated for a CoS may contain a number of match statements.

If a CoS is linked to a classification group, you can specify how packets are evaluated against the match criteria – whether packets must match all of the match statements or match any.

A classification provides the lowest level of classification and the match criteria for a classification is therefore always match all. You cannot change this setting.

Named or Numbered Access Control Lists

Classifications based on source/destination IP address, port, or protocol result in one or more Access Control Lists (ACLs) being configured on the device. These ACLs are referenced by a match statement in the class map.

By default, IP Service Activator generates ACL identifiers automatically. However, you can override this and specify a name or number for an ACL.

By using aggregation – described in "Aggregation" – you can also control the number of ACLs that are configured.

Nested Class Maps

IP Service Activator always configures a class map for the CoS. A nested class map may also be configured for a classification/classification group if both of the following apply:

  • The parent classification group's match criteria is match any

  • The child classification/classification group match criteria is match all and the classification/classification group can only be expressed with multiple match statements.

    The number of match statements generated depends on whether match statements for the classification or group may be aggregated with other match statements at the same level. See "Aggregation" for more information.

A class map generated for a classification/classification group is nested by a reference in a match statement in the CoS's class map. This is illustrated in Figure 2-3.

Figure 2-3 Nested Class Map


Aggregation

IP Service Activator supports aggregation of commands into class maps, access groups, and ACLs. In aggregation, internal rules determine how commands are merged and promoted when the configuration statements are pushed to the device. You can specify whether match statements of the same type are aggregated into a single match statement within the parent class map.

A classification/classification group linked to a CoS may result in a number of match statements of the same type. For example, a classification group that groups classifications based on the packet marking traffic type (DiffServ codepoint).

IP Service Activator uses the following rules when applying aggregation:

  • If a classification/classification group is a child of a classification group, the aggregation setting of the parent classification group determines whether aggregation is applied to the match statements generated for the child.

  • If a child classification/classification group requires an ACL and its match statements are set to aggregate by a parent classification group, the ACL identifier is taken from the parent classification group.

  • A classification group set to match any may aggregate the match statements generated for a child classification group if:

    • The nested classification group is also set to match any

    or:

    • The child classification group is set to match all but the classification can be expressed with a single match statement and any associated ACL has a single entry

  • A classification group set to match all cannot aggregate the match statements generated for a child classification/classification group

Figure 2-4 illustrates some of these rules.

In this example, the aggregation setting for the parent classification group Traffic is set to True. Where match statements of the same type are generated for its child classifications, they are aggregated into a single match statement. Note that the aggregation setting of the parent classification group overrides those of the child classifications.

Both child classifications result in ACLs as they are based on destination port. However, because they are to be aggregated into a single match statement, only one ACL is generated incorporating the filtering criteria for both classifications. Where an ACL is created for a classification that is aggregated at the parent classification group, the ACL identifier is taken from the parent classification group.

Note that aggregation also indirectly controls:

  • The number of ACLs created for relevant classifications

    For instance, by changing the aggregation setting to False for the Traffic classification group in the above example, two ACL lists will be generated – one for the WWW classification and one for the SMTP classification

  • Whether nested class maps are generated

    If a classification group is a child of another classification group but its match statements are aggregated into a single match statement, no class map needs to be generated for the nested classification group

For complete dialog box and property page descriptions, refer to the IP Service Activator online Help.

To set up a classification:

  1. On the Policy tab, select the Classifications folder.

    Alternatively, to add a classification to an existing group, click on the classification group.

  2. Right-click and select Add Classification from the pop-up menu.

    The Classification dialog box opens.

  3. On the Details property page, specify Name and Remarks.

    Select the Address type (IPv4, IPv6, or MAC) from the drop-down list.

    Select the Classification Match type (Include or Exclude).

    Select the Classification Option (Log, Fragments).

  4. On the IP Source/Destination property page specify the source and destination values to be included in the classification.

  5. On the MAC Source/Destination property page specify the source and destination values to be included in the classification.

  6. On the Traffic Type property page, select the traffic type to be classified.

  7. If the classification will be used with an MQC PHB group, select the MQC property page and set the value of the Aggregate match statements check box. Specify a choice for the Acl Id. Choose from Auto Generate, Numbered, or Named. If you choose Numbered or Named, provide the number or name to use.

  8. Click OK to close the dialog box.

To set up a classification group:

  1. On the Policy tab, right-click the Classifications folder.

  2. Select Add Classification Group from the pop-up menu. The Classification Group dialog box appears.

  3. On the Details property page, specify Name and Remarks.

  4. If the classification group will be used with an MQC PHB group, select the MQC property page and specify some or all of Match Any, Match All, Aggregate match statements, Auto Generate, Numbered, and Name.

  5. Click OK.

  6. Add classifications to the group by doing one of the following:

    • Dragging and dropping existing classifications on to the group

    • Creating new classifications within the group by right-clicking and selecting Add Classification from the group's pop-up menu

Note:

A classification group cannot be associated with more than eight DiffServ codepoint values, defined in classifications linked to the classification group. If a classification group based on more than eight codepoints is required, subclassification groups must be created and linked to a parent classification group.

Strict Aggregation

Strict aggregation takes place through classification groups and classifications to generate a hierarchy of class maps and access groups on the device, each containing one or more individual entries. Strict aggregation helps you build complex hierarchies of objects and define process flows, so that different actions are applied to different traffic flows. The classification hierarchies are composed of classifications and classification groups.

Strict aggregation makes provisioning predictable and simpler. When you select Enable strict classification aggregation, the resulting changes to the aggregated configuration statements are more predictable. This means that you can do away with one layer of class map in the hierarchy.

Promotion

Promotion controls whether the entries generated at one level are carried up to the level of the parent classification group. If the entries are promoted to the higher level, they are translated there into a class map or an access group. Promotion is controlled by selecting or deselecting Aggregate match statements on the MQC property page of Classification and Classification Group objects in IP Service Activator.

For a classification, selecting Aggregate match statements generates a class-map entry when applicable. Deselecting Aggregate match statements generates an ACL entry when applicable.

Merging

Merging involves grouping more than one entry into a single entity, for example, grouping multiple "match ip dscp" statements into one "match ip dscp" list. Merging is always applied on adjacent classification entries when applicable. Merging will occur when Match Any is selected for a Classification group. It cannot occur when Match All is selected. Merging happens to entries when the command type is the same, and with adjacent entries only.
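To make the rules in "Aggregation" (the Traffic, WWW and SMTP example of Figure 2-4), the nested class map rule, and the merging of "match ip dscp" statements described above concrete, here is an added Python model that renders the ACLs and class maps a device would receive. It is illustrative code written for this guide, not IP Service Activator's own implementation; the class names, the CoS name Gold, the auto-generated ACL numbers and the sample classifications are constructed, and the eight-value limit reflects the note on classification groups.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

MAX_DSCP_PER_MATCH = 8  # an IOS "match ip dscp" statement takes at most eight values

@dataclass
class Classification:  # leaf: a DSCP packet marking or a TCP destination port (hypothetical model)
    name: str
    dscp: Optional[int] = None
    dst_port: Optional[int] = None
    acl_id: Optional[str] = None  # Numbered/Named override; None means Auto Generate

@dataclass
class ClassificationGroup:  # a classification group with its MQC property page settings
    name: str
    match_any: bool = True
    aggregate: bool = True        # the "Aggregate match statements" check box
    acl_id: Optional[str] = None  # used for ACLs aggregated at this group
    members: List[Union["ClassificationGroup", Classification]] = field(default_factory=list)

class DeviceConfig:  # collects the ACLs and class maps that would be pushed to the device
    def __init__(self) -> None:
        self.acls: Dict[str, List[str]] = {}
        self.class_maps: List[Tuple[str, str, List[str]]] = []  # (name, kind, matches)
        self._next_auto = 100  # constructed starting point for auto-generated ACL numbers

    def _acl_id(self, override: Optional[str]) -> str:
        if override:
            return override
        self._next_auto += 1
        return str(self._next_auto)

    def group_matches(self, g: ClassificationGroup) -> List[str]:
        """Match statements that group g contributes to the class map above it."""
        merge = g.aggregate and g.match_any  # a match-all group never aggregates
        dscps, stmts, shared_acl = [], [], None
        for m in g.members:
            if isinstance(m, ClassificationGroup):
                stmts.extend(self._child_group(g, m))
            elif m.dscp is not None:
                dscps.append(m.dscp)
            else:
                if merge:  # one ACL for every port entry, its identifier taken from the parent
                    shared_acl = shared_acl or self._acl_id(g.acl_id)
                    acl = shared_acl
                else:
                    acl = self._acl_id(m.acl_id)
                self.acls.setdefault(acl, []).append(f"permit tcp any any eq {m.dst_port}")
                if f"match access-group {acl}" not in stmts:
                    stmts.append(f"match access-group {acl}")
        if merge and dscps:  # merging: adjacent DSCP entries become one "match ip dscp" list
            if len(dscps) > MAX_DSCP_PER_MATCH:
                raise ValueError(f"{g.name}: more than {MAX_DSCP_PER_MATCH} codepoints; use sub-groups")
            stmts.append("match ip dscp " + " ".join(map(str, dscps)))
        else:
            stmts.extend(f"match ip dscp {d}" for d in dscps)
        return stmts

    def _child_group(self, parent: ClassificationGroup, child: ClassificationGroup) -> List[str]:
        if not parent.match_any:
            raise ValueError("a child group under a match-all parent is not modelled here")
        inner = self.group_matches(child)
        if child.match_any or len(inner) == 1:
            return inner  # aggregated straight into the parent's class map
        self.class_maps.append((child.name, "match-all", inner))  # nested class map
        return [f"match class-map {child.name}"]

    def add_cos(self, cos: str, top: ClassificationGroup) -> None:
        kind = "match-any" if top.match_any else "match-all"
        self.class_maps.append((cos, kind, self.group_matches(top)))

    def render(self) -> str:
        lines: List[str] = []
        for acl, entries in self.acls.items():
            lines += [f"ip access-list extended {acl}"] + [f" {e}" for e in entries]
        for name, kind, matches in self.class_maps:
            lines += [f"class-map {kind} {name}"] + [f" {m}" for m in matches]
        return "\n".join(lines)

def figure_2_4(aggregate: bool) -> DeviceConfig:
    """The WWW/SMTP example from the text, with Traffic's aggregation setting as given."""
    traffic = ClassificationGroup("Traffic", aggregate=aggregate, members=[
        Classification("WWW", dst_port=80), Classification("SMTP", dst_port=25)])
    cfg = DeviceConfig()
    cfg.add_cos("Gold", traffic)
    return cfg
```

Calling figure_2_4(True).render() yields one ACL holding both port entries and a single match access-group statement in the Gold class map; figure_2_4(False).render() yields two ACLs and two match statements.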

To enable strict classification aggregation:

  1. On the network map or from the Topology tab for the specific domain, right-click a device and select Properties.

    The Device dialog box appears.

  2. Click on the Management property page.

  3. In the QoS section, select the Enable strict classification aggregation check box.

  4. Click OK.

  5. Commit the transaction.

    The strict classification aggregation feature for the selected device is enabled.

Setting Up a Date and Time Template

A date and time template consists of a defined time period, which can apply on specified days between any two dates. For example, you could set up a template that applies from 9:00 a.m. to 5:00 p.m. every Monday to Friday or one that applies between 3:00 p.m. and 5:30 p.m. on Tuesdays only. You can associate date and time templates with policy rules to specify that the rules are only active during certain periods.

For complete dialog box and property page descriptions, refer to the IP Service Activator online Help.

Note:

Date and time templates can be applied on devices supported by device driver technology only.

To set up a date and time template (for devices supported by device driver technology only):

  1. On the Policy tab, select the Date and Time Templates folder.

  2. Right-click and select Add Date and Time Template from the pop-up menu.

    The Date and Time Template dialog box opens.

  3. Enter details for Name, Active date range, Active part of day, and Active days

  4. Click OK or Apply.

The defined time periods will repeat throughout the defined period of validity. For a template indicating a one-off time period (such as 9:00 a.m. until 12:30 p.m. on 12th August), set the First and Last days to be the same. Times must be specified to the nearest five-minute boundary.

Dates and times are held in Co-ordinated Universal Time (UTC) throughout IP Service Activator. However, they are displayed in the local time for the workstation, adjusted for daylight savings where relevant. Remember that you may need to adjust times if rules are to apply to different time zones.

Setting Up IP Protocols

IP protocols are used when defining traffic types by port and IP protocol. A number of commonly-used IP protocols are included in IP Service Activator on installation.

You should not need to change these protocol definitions, but you can view them and, if necessary, set up additional protocols for classifying network traffic.

If the standard IP protocols are deleted by accident, you can restore them by reloading the SharedPolicyData.policy file. For complete dialog box and property page descriptions, refer to the IP Service Activator online Help.

To view an IP protocol:

  1. On the Policy tab, expand the IP Protocols folder.

    IP Service Activator lists the defined IP protocols.

  2. To view a protocol's details, double-click the relevant protocol or right-click the protocol and select Properties from the pop-up menu.

    The IP Protocol dialog box opens.

To add an IP protocol:

  1. On the Policy tab, right-click the IP Protocols folder and select Add IP Protocol from the pop-up menu.

  2. Specify details including Protocol name and Protocol number.

  3. Click OK.

Setting Up Accounts

Accounts can be used to define the users of QoS and security services and act as the source and destination points for rules.

You can define the source and destination points between which a rule applies within the rule itself, or using classifications. For information on defining classification rules see "Classification Rules", for defining access rules see "Access Rules", and for policing rules see "Policing Rules". See "Setting Up a Classification" for information on defining classifications.

An account is always identified by an IP address, but may represent an individual user, a specific host computer or a subnet. You can also set up account groups that include a number of accounts of any type. You can use these groups to apply policy to several accounts simultaneously or use them for organizational purposes only. You can also create default account groups based on the sites you have created.

For complete dialog box and property page descriptions, refer to IP Service Activator online Help.

Set up a user account when you need to manage network traffic to or from a specific person. To set up an account for an individual user:

  1. On the Accounts tab, select the Accounts folder.

    Alternatively, to add a user to an existing account group, expand the Accounts folder and select the appropriate account group. See "Setting Up Accounts" for information on creating account groups.

  2. Right-click and select Add User Account from the pop-up menu.

    The User Account dialog box opens.

  3. On the User Account property page, enter details including First Name, Last Name, User Id, Contact, and Location.

  4. On the IP Address property page, enter a value for IP Address - the IP address of the user's workstation.

    Note:

    The user is identified by the workstation IP address. You can enter additional information if you wish, but it is not used by IP Service Activator.

  5. Click OK to close the dialog box.

You can set up a host account when you need to manage network traffic to or from a specific host computer. To set up an account for a host computer:

  1. On the Accounts tab, select the Accounts folder.

    Alternatively, to add a host to an existing account group, expand the Accounts folder and select the appropriate account group. See "Setting Up Accounts" for information on creating account groups.

  2. Right-click and select Add Host Account from the pop-up menu.

  3. On the Details property page, enter details including Name and Remarks.

  4. On the Host Account property page, enter the IP address - the IP address of the workstation. Alternatively, you can enter the DNS name and click the DNS lookup button to look up the IP address.

  5. Click OK to close the dialog box.

Set up a subnet account when you need to manage network traffic to or from an entire subnet. To set up an account for a subnet:

  1. On the Accounts tab, select the Accounts folder.

    Alternatively, to add a subnet account to an existing account group, expand the Accounts folder and select the appropriate account group. See "Setting Up Accounts" for information on creating account groups.

  2. Right-click and select Add Subnet Account from the pop-up menu.

  3. On the Details property page, enter details including Name and Remarks.

  4. On the Subnet Account property page, enter details including Subnet Address and Subnet Mask.

  5. Click OK to close the dialog box.

Set up an account group when you have a requirement to apply policy to a number of different individuals, host computers or subnets. You can also use account groups to create a hierarchical structure for organizational purposes or to represent the structure of a company.

Setting up an account group involves creating a named group and then defining its members. To set up an account group:

  1. On the Accounts tab, select the Accounts folder.

    Alternatively, to add a group as a subset of an existing account group, expand the Accounts folder and select the appropriate account group.

  2. Right-click and select Add Group Account from the pop-up menu.

  3. On the Details property page, enter details including Name and Remarks.

  4. Click OK.

  5. To define the members of the group, either:

    • Create members of the group directly, by right-clicking the group and selecting Add User Account, Add Host Account, or Add Subnet Account from the pop-up menu.

    or:

    • If an account already exists, you can include it in the group by dragging and dropping.

You can automatically set up default account information for the sites you have created. Suitable account groups, subnet accounts, and host accounts will be created, which you can edit if required.

Note that you must have already set up all relevant sites and assigned the appropriate interfaces/devices to them. An account is created for a site if the site meets the following conditions:

  • The site contains a device with the Access role assigned to it, or no role assigned

  • The device has interfaces or sub-interfaces that have the role Local or Disabled assigned to them and they are not shut down

  • The interfaces have subnets connected to them

To define account groups automatically for defined sites:

  1. From the Tools menu, select Create Site Accounts.

IP Service Activator examines all sites that are set up. For any access router associated with a site account, it examines the segments and hosts and attempts to create a set of meaningful accounts:

  • For each site, an account group is created. The group is given the same name as the site.

  • For each segment that has host systems defined, an account group is created. The group is named with the segment IP address followed by hosts. Within this group, a host account is created for each host system on the segment. The name of the host is used as the name of the account.

  • For a segment that does not have host systems defined, a subnet account is created. The IP address of the segment is used as the name of the account.

The new sites are listed on the Accounts tab beneath the Accounts folder.
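The conditions and naming rules for Create Site Accounts above, as an added Python model written for this guide rather than IP Service Activator's own code. The data classes, the sample site data, and the placement of the segment host groups and subnet accounts beneath the site's account group are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Host:
    name: str
    ip: str

@dataclass
class Segment:
    address: str  # segment (subnet) address, constructed values in the sample below
    hosts: List[Host] = field(default_factory=list)

@dataclass
class Interface:
    role: str  # "Local", "Disabled", "Access", ...
    shutdown: bool = False
    segments: List[Segment] = field(default_factory=list)

@dataclass
class Device:
    role: Optional[str]  # "Access", None for no role assigned, or another role
    interfaces: List[Interface] = field(default_factory=list)

@dataclass
class Site:
    name: str
    devices: List[Device] = field(default_factory=list)

def eligible_segments(site: Site) -> List[Segment]:
    """Segments behind the site's access routers on Local/Disabled interfaces that are not shut down."""
    segs: List[Segment] = []
    for dev in site.devices:
        if dev.role not in ("Access", None):
            continue
        for itf in dev.interfaces:
            if itf.role in ("Local", "Disabled") and not itf.shutdown:
                segs.extend(itf.segments)
    return segs

def create_site_accounts(sites: List[Site]) -> Dict[str, List[str]]:
    """Return {account group name: [member account names]} following the page's rules."""
    accounts: Dict[str, List[str]] = {}
    for site in sites:
        segs = eligible_segments(site)
        if not segs:
            continue  # site does not meet the conditions, so no account is created
        site_group = accounts.setdefault(site.name, [])  # group named after the site
        for seg in segs:
            if seg.hosts:  # "<segment IP address> hosts" group with one host account per host
                group_name = f"{seg.address} hosts"
                accounts[group_name] = [h.name for h in seg.hosts]
                site_group.append(group_name)
            else:  # no hosts defined: a subnet account named after the segment address
                site_group.append(seg.address)
    return accounts

# Constructed sample: one qualifying site and one site with only a core router.
LAN = Segment("10.1.2.0/24", [Host("pc1", "10.1.2.10"), Host("pc2", "10.1.2.11")])
WAN = Segment("10.9.0.0/30")
NEW_YORK = Site("NewYork", [
    Device("Access", [Interface("Local", segments=[LAN]), Interface("Local", segments=[WAN]),
                      Interface("Access", segments=[Segment("192.0.2.0/24")])]),
    Device(None, [Interface("Local", shutdown=True, segments=[Segment("10.5.0.0/24")])]),
])
CORE = Site("Core", [Device("Core", [Interface("Local", segments=[Segment("10.7.0.0/24")])])])

if __name__ == "__main__":
    for group, members in create_site_accounts([NEW_YORK, CORE]).items():
        print(group, "->", members)
```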