An application rule leverages the AP's deep packet inspection (DPI) engine to detect the underlying application to which a frame or flow belongs. The rule then applies access control and quality of service actions to all the traffic associated with the application, not just traffic destined for specific IP addresses or ports. The control actions regulate both access control and traffic engineering (rate limit, marking, and prioritization) for applications and groups.
ExtremeCloud IQ Controller installs application policies with rules on the supported APs where enforcement occurs.
Note
Application policies are supported by ExtremeCloud IQ Controller-enabled APs only, not switches.

Application policies consist of rules with matching criteria, coupled with one or more actions to take when a packet matches the rule's criteria. The matching criterion for an application is usually just the name of the application. The ExtremeCloud IQ Controller user interface lets you first select a category of applications, resulting in a subset of applications to choose from. Additionally, you can create a single rule that applies to all traffic in the application category by selecting a category and then selecting 'Wild Card' as the specific application.
Custom application rules are rules that you create to recognize (match) applications that are not in the pre-defined set of application matches provided by ExtremeCloud IQ Controller. You create a custom application rule by defining a regular expression to match against host names. The rule's match criteria then become available as match criteria for policy rules that you create in the future.
When the Action filter for the application rule is set to Deny, the first few packets of a flow must be allowed to pass through so that the deep packet inspection (DPI) engine can examine the contents and classify the packets. By the time the flow is classified as Deny and blocked, those first few packets have already passed through the system. For typical web traffic, this leak is minimal for a long-duration flow. However, for short-duration flows, the Deny filter may not be effective.
Any flows that are not matched through classification are handled by the Default Action.
The Redirect action is only available for IPv4 traffic, not IPv6. The Allow, Deny, and Contain actions are available for IPv6.
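The following added example (not ExtremeCloud IQ Controller code) models the behavior described above: the packets forwarded before DPI classification under a Deny rule, the Default Action for unclassified flows, and the IPv4-only Redirect action. The names `Rule`, `enforce`, `validate`, and `leak_ratio`, the `DPI_WINDOW` value of 4 packets, first-match rule ordering, and the sample flows are all assumptions made for illustration.

```python
from dataclasses import dataclass

DPI_WINDOW = 4  # ASSUMPTION: the page says only "the first few packets"
IPV6_ACTIONS = {"Allow", "Deny", "Contain"}   # per the page
IPV4_ACTIONS = IPV6_ACTIONS | {"Redirect"}    # Redirect is IPv4 only

@dataclass
class Rule:
    category: str
    application: str  # application name, or "Wild Card" for the whole category
    action: str

def validate(rule, ip_version):
    """True if the rule's action is available for this IP version."""
    allowed = IPV4_ACTIONS if ip_version == 4 else IPV6_ACTIONS
    return rule.action in allowed

def match_action(rules, category, application, default_action):
    """First matching rule wins (ASSUMPTION); otherwise the Default Action."""
    for r in rules:
        if r.category == category and r.application in (application, "Wild Card"):
            return r.action
    return default_action

def enforce(rules, flow, default_action="Allow"):
    """Return (action, packets_forwarded) for one flow."""
    total = flow["packets"]
    inspected = min(total, DPI_WINDOW)  # forwarded so DPI can classify the flow
    action = match_action(rules, flow["category"], flow["application"],
                          default_action)
    if action == "Deny":
        return action, inspected        # only the inspection window leaks
    return action, total

def leak_ratio(rules, flow):
    """Fraction of a denied flow that was forwarded; None if not denied."""
    action, forwarded = enforce(rules, flow)
    return forwarded / flow["packets"] if action == "Deny" else None

if __name__ == "__main__":
    rules = [Rule("Streaming", "Wild Card", "Deny")]
    # Constructed sample flows; category None means DPI found no match.
    flows = [
        {"category": "Streaming", "application": "ExampleVideo", "packets": 10000},
        {"category": "Streaming", "application": "ExampleVideo", "packets": 3},
        {"category": None, "application": None, "packets": 10},
    ]
    for f in flows:
        print(f["packets"], enforce(rules, f), leak_ratio(rules, f))
```

Under these assumptions the 3-packet flow completes before classification finishes, so its leak ratio is 1.0. A Deny rule alone therefore does not stop short exchanges.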