How To Guides > Integrating Exinda with a Captive Portal > Policies

Policies

Policies define what actions to perform on specific targeted traffic. The policies can specify whether to optimize the traffic (by bandwidth shaping, accelerating, or marking the packets), block the traffic (by discarding the packets), monitor the traffic (by ignoring the packets), or redirect the traffic to a specific URL.The traffic that the policy acts upon can be filtered by application or application group, by hosts or subnets, by hosts or subnets that are communicating with other specific hosts or subnets, by VLAN, by ToS/DSCP markings, and by time of day. Any combination of these filters can be applied. That is, the policy could be targeted to SAP traffic between a particular branch and headquarters, which have particular ToS markings on a particular VLAN during work hours. Furthermore, you can add more than one filter. That is, the policy could target a particular branch site for Netflix and the same branch site for Silverlight.

Version Info:

HTTP Redirect is available in 7.0.1 and above in the 7.0 firmware product line and in 6.4.5 and above in the 6.4 firmware product line.

When policies are created they are added to the policy library. Therefore, any changes made to a policy definition will affect all other virtual circuits that use that policy.

Policies are part of the policy tree. To learn how circuits, virtual circuits, and policies work together, see Policy Tree.

ClosedWhere do I find this functionality?

Go to Configuration > Traffic Policies > Optimizer > Optimizer, then click the Create Policy ... link at the bottom of each virtual circuit or edit an existing policy.

Or go to Configuration > Traffic Policies > Optimizer > Policies and create or edit a policy in the policy library.

ClosedTo create a policy
  1. Enter the Policy Name.
  2. Enter the VC Policy Number which is the order of the policy in the policy tree.
  3. Optionally, specify the Schedule.

    The default is ALWAYS. Schedules that have been defined will appear in the drop-down list. Schedules can be created via Configuration > Objects > Schedules.

  4. Specify the Action.
    • Optimize - Perform traffic shaping, acceleration, or packet marking on the traffic
    • Discard - Discard the packets effectively blocking the traffic
    • Ignore - Perform no action on the packets allowing them to pass through the appliance unaffected. This setting is effective for a monitor only mode. Note that this option should not be used for policies within a dynamic virtual circuit.
    • Return HTML Response - Present the webpage defined in the HTML response object to the source web browser.
    • HTTP Redirect - Redirect the packets to a specified URL effectively presenting the URL to the network client.

    Version Info:

    HTTP Redirect is available in 7.0.1 and above in the 7.0 firmware product line and in 6.4.5 and above in the 6.4 firmware product line.

  5. Specify additional details that present themselves for each of the action.
  6. Enter the Filter Rules. Any of the following fields may be used to specify how to filter the traffic.

    • VLAN - Select traffic based on 802.1Q VLAN ID and/or 802.iP VLAN priority tag using a pre-defined VLAN object.
    • Host/Direction/Host - Select traffic based on one end of the conversation belonging to a predefined network object (static or dynamic) or select traffic based on one way or two way conversations between two predefined network objects. For the first host, select a network object that filters for the initiation of a conversation. For the second host, select a network object that filters for the destination of the conversation. If hosts are not specified, ALL network objects are assumed. Traffic direction is relative to the Exinda appliance.
    • ToS/DSCP - Select traffic based on particular ToS/DSCP marks in the IP header.
    • Application - Select traffic based on a predefined application object or application group.

    Note

    • By default,initially only four filter rules can be created per policy. If more are required, fill out the first four rules, save the Policy, then edit the Policy and four more lines will become available.
    • To delete individual filter rules, set all the fields for that filter rule to blank.

  7. Click Add New Policy to add this policy to the policy tree.
    The policy will also be added to the policy library.

  8. In the policy tree, change the ranking order of the policy, if necessary, to ensure the policy is in the proper order relative to the other policies in the virtual circuit.
ClosedTo configure the policy to shape the bandwidth
  1. Select the Optimize action and check the bandwidth section for traffic shaping.

  2. Specify the Guaranteed Bandwidth for the policy specified as kbps or percentage of the parent virtual circuit's bandwidth.

    This is the amount of bandwidth that the policy will have available if needed. This is not reserved bandwidth. If the policy does not use the entire guaranteed bandwidth, the excess bandwidth will be made available for use by other policies in the virtual circuit.

    The guaranteed bandwidth of a single policy must not exceed the parent virtual circuit bandwidth.

    The sum of all guaranteed bandwidths for each policy within a virtual circuit must not exceed the virtual circuit bandwidth.

  3. Specify the Burst (Maximum) Bandwidth for the policy specified as kbps or percentage of the parent virtual circuit's bandwidth.

    This is the maximum amount of bandwidth that the policy can have access to if there is excess bandwidth available.

    The burst bandwidth must be greater than the guaranteed bandwidth, and less than or equal to the parent virtual circuit bandwidth.

  4. Specify the Burst Priority ranging from 1 (High) to 5 (Normal) to 10 (Low).

    If excess bandwidth is available, the burst priority is used to decide how excess bandwidth is distributed. Policies with a higher burst priority will be preferred when allocating excess bandwidth.

  5. Enter the Filter Rules.
ClosedTo configure the policy to accelerate traffic
  1. Select the Optimize action and check the Acceleration section to enable acceleration and reduction techniques.

  2. Specify the Acceleration technique to use to make the traffic faster.
    • Acceleration - Accelerate using TCP-based acceleration techniques. This is only available on x800 licensed appliances. Only outbound TCP traffic will be accelerated.
    • Edge Cache - Cache particular types of traffic so that when the same traffic is requested again, it can be served up locally from the cache. Edge Cache can be used with a single appliance.
  3. If acceleration was selected, specify the WAN memory (WM) Reduction Type to reduce the amount of traffic that needs to traverse the network.
    • None - Do not attempt to reduce the traffic. The traffic will still be accelerated via TCP-based acceleration techniques.

    • Compression - Compress the traffic using a network optimized LZ compression algorithm. The traffic will also be TCP-accelerated.

      Note

      If the compressed output is larger than the original, the appliance will send the original.

    • Disk - De-duplicate the traffic. The appliance's hard disk drive is used to store the de-duplication patterns.The traffic will also be compressed and will be TCP-accelerated.
  4. Enter the Filter Rules.
ClosedTo configure the policy to mark packets
  1. Select the Optimize action and check the Packet Marking section to mark individual packets matching this policy.

  2. Specify which ToS/DSCP Mark to put in the IP header of each packet.

    For more information, refer to the DSCP/ToS How to Guide.

    3. Note

    If you select the Optimize Action and then select the Packet Marking checkbox, the interface provides an opportunity to use a VLAN Rewrite feature by selecting an ID and a Priority from drop down lists. While the option is there, the feature has been disabled and will be removed in a future version of the software.
  3. Enter the Filter Rules.
ClosedTo configure the policy to discard (or block) traffic
  1. Select the Discard action and optionally check the Discard only the first packet of a connection option.

    This option can be used in conjunction with a uni-directional virtual circuit to discard connections originating from a specific side (WAN or LAN) of the appliance. For example, when used with an inbound Virtual Circuit, the first (SYN) packet will be discarded - effectively blocking connection establishment from the WAN but allowing traffic from  established connections.

  2. Enter the Filter Rules.
ClosedTo configure the policy to redirect HTTP traffic to an HTTP Response object webpage
  1. Select the Return HTTP Response action and select the HTML Response object.

    The HTML Response object allows you to "host" a webpage on the Exinda appliance. You create the HTML Response webpage on Configuration > Objects > HTML Response. See Configure HTML Response Object.

    Traffic matching this policy will be returns the HTTP webpage, which will cause the webpage to be presented to the client browser. This option is useful to notify users when they are no longer allowed to use the network for HTTP, HTTP-ALT, or HTTPS traffic.

  2. Enter the Filter Rules.

    Similar to other policy configurations, you can specify VLAN, Host/Direction/Host, ToS/DSCP, or Application. However, the only allowable applications are HTTP, HTTP-ALT, and HTTPS.

To learn more about common use cases for providing HTML responses, see Quota Enforcement Scenarios.

ClosedTo configure the policy to redirect HTTP traffic to a URL
  1. Select the HTTP Redirect action and specify the Redirect URL.

    Traffic matching this policy will be forwarded to the specified URL, which will cause the specified URL to be presented to the client. This option is useful to redirect a particular set of traffic to another URL, such as redirecting unauthenticated traffic to a login page, or redirecting traffic that exceeded it's bandwidth allotment to a URL that presents a message.

  2. Enter the Filter Rules.

    Similar to other policy configurations, you can specify VLAN, Host/Direction/Host, ToS/DSCP, or Application. However, the only allowable applications are HTTP, HTTP-ALT, and HTTPS.

To learn more about common use cases for redirecting HTTP traffic, such as, redirecting unauthenticated users to a login page of your captive portal, see Integrating Exinda with your Captive Portal, or such as, redirecting users who have exceeded their data usage quota, see Quota Enforcement Scenarios.

| Exinda.com

Using the help

Last Updated: Monday, February 1, 2016 at 12:24 PM

Exinda Management Center 2.0 ExOS 7.4.1 | Copyright © 2016 Exinda Networks, Inc.