Network service objects identify Layer 4 traffic by protocol and port number.
ExtremeCloud IQ provides a number of predefined services and you can create custom
network services to use when defining firewall policies (see Configure a Firewall Policy) and QoS
traffic classification and marking policies (see About Classifier Maps and Configure Marker Maps).
The Network Services table displays the following information about predefined and
custom network service objects:
- Name: The name of the network service object.
- Protocol Number: The IP protocol number (the value carried in the Protocol field of the IP header) that the service uses, followed by the protocol name. Predefined services use
the following protocols:
- 1 : ICMP (Internet Control Message Protocol)
- 6: TCP (Transmission Control Protocol)
- 17: UDP (User Datagram Protocol)
- 89: OSPF (Open Shortest Path First)
- 119: SVP (SpectraLink Voice Priority)
- Port Number: The standard destination port number of
the service. The receiving host uses the destination port to deliver the traffic to
the process that is listening for that service, which is why a port is only meaningful
for TCP and UDP.
- Service Idle Timeout: The amount of time (in seconds)
after which the device terminates an inactive session using this service.
(For IP firewall policies, this field is only supported by APs.)
- ALG Type: An ALG (application layer gateway) links
the port numbers that belong to one application-level session so that the device can apply the proper
QoS (Quality of Service) and firewall policies to all of them. For example, the TFTP
service has a control stream and a data stream that use different port
numbers. The port number for the TFTP control stream is static (port 69 by
default), but the port number for the TFTP data stream is dynamic: the server
answers the request from a newly chosen port, so the data port is only known once
the control exchange has taken place. The TFTP ALG links these two streams
together logically so that the device can apply the proper QoS and firewall
policies to both TFTP streams. Without the ALG, a firewall policy would have to
permit a wide range of UDP ports to let the data stream through. You can apply different QoS settings to the
TFTP control and data sessions, for example, to ensure high reliability but
tolerate high latency, or to accept a medium level of reliability but
require low latency.
- Description: An optional description for the object.
Descriptions can be very useful when troubleshooting or managing a complex
network.
- Virtual IQ: The name of the Virtual IQ (virtual
ExtremeCloud IQ) to which the service belongs. All predefined services are
marked as global to indicate that they belong to all Virtual IQs. This
column only appears when you are logged in to "All Virtual IQs" with
super-user privileges.
Use the following procedure to configure a network service:
1. Select the plus sign.
2. Enter a name for the service.
3. Select a service idle timeout (for APs and routers only).
This is the amount of time (in seconds) after which the device terminates an
inactive session using this service. Keep the value short for request/response
protocols so that idle sessions do not hold firewall state longer than needed.
4. Select an IP Protocol number.
This is the number of the protocol the service will use. Predefined protocols appear in
the drop-down list, or you can configure a custom protocol number.
5. Enter the standard destination port number of the service.
For services that use TCP or UDP, you must set a destination port number,
which the receiving host uses to deliver the traffic to the listening process. When
you use a custom protocol that is not TCP or UDP, a destination port number is not required because the
protocol number alone identifies the service.
6. Select an ALG type from the drop-down list.
ALG is supported for APs and routers only. If the service you are defining
needs to use an ALG, select DNS, FTP, HTTP, SIP, or TFTP from the drop-down
list. Otherwise, leave this field empty.
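The following Python model, added here as an illustration and not code from ExtremeCloud IQ, shows how the service objects described in the table above and in the procedure fit together: static matching on protocol number and destination port, a TFTP ALG that pins the dynamically chosen data port to the control session that opened it, and session expiry driven by the per-service idle timeout. The service names, timeouts, addresses and the `Classifier` / `Flow` classes are constructed for the example; only the protocol numbers come from the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IP protocol numbers of the predefined services on this page (IANA assignments).
ICMP, TCP, UDP, OSPF, SVP = 1, 6, 17, 89, 119
ANY = None  # wildcard for a peer port that has not been negotiated yet


@dataclass(frozen=True)
class NetworkService:
    """One service object: protocol, destination port, idle timeout, optional ALG."""
    name: str
    protocol: int
    port: Optional[int] = None   # required only for TCP/UDP services
    idle_timeout: int = 60       # seconds an inactive session survives
    alg: Optional[str] = None    # "TFTP" ties the data stream to the control stream

    def matches(self, protocol: int, dst_port: Optional[int]) -> bool:
        if self.protocol != protocol:
            return False
        if protocol in (TCP, UDP):
            return self.port == dst_port   # TCP/UDP demultiplex on destination port
        return True                        # ICMP/OSPF/SVP: the protocol number alone identifies it


@dataclass(frozen=True)
class Flow:
    protocol: int
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


# Constructed service table; the timeouts are hypothetical, not product defaults.
SERVICES = [
    NetworkService("ICMP", ICMP, idle_timeout=30),
    NetworkService("OSPF", OSPF),
    NetworkService("HTTP", TCP, 80, idle_timeout=300),
    NetworkService("TFTP", UDP, 69, idle_timeout=60, alg="TFTP"),
    NetworkService("Custom-Syslog", UDP, 514, idle_timeout=120),
]


class Classifier:
    """Labels flows with a service, keeps session state, and opens ALG pinholes."""

    def __init__(self, services: List[NetworkService]):
        self.services = services
        # pinhole key: (proto, client_ip, client_port, server_ip, server_port or ANY)
        # pinhole value: (data-stream label, control port, idle timeout inherited from the parent)
        self.pinholes: Dict[Tuple, Tuple[str, int, int]] = {}
        self.sessions: Dict[Tuple, Tuple[str, int, float]] = {}  # key -> (label, timeout, last seen)

    @staticmethod
    def _key(f: Flow) -> Tuple:
        a, b = (f.src_ip, f.src_port or -1), (f.dst_ip, f.dst_port or -1)
        return (f.protocol,) + (a + b if a <= b else b + a)  # same key for both directions

    def classify(self, f: Flow, now: float = 0.0) -> Optional[str]:
        hit = self._match_pinhole(f) or self._match_static(f)
        if hit is None:
            return None
        label, timeout = hit
        self.sessions[self._key(f)] = (label, timeout, now)
        return label

    def _match_pinhole(self, f: Flow) -> Optional[Tuple[str, int]]:
        # ALG state is checked first so a negotiated data port is never re-labelled by a static rule.
        for key, (label, control_port, timeout) in list(self.pinholes.items()):
            proto, c_ip, c_port, s_ip, s_port = key
            if proto != f.protocol:
                continue
            fwd = (f.src_ip, f.src_port, f.dst_ip) == (c_ip, c_port, s_ip) and s_port in (ANY, f.dst_port)
            rev = (f.dst_ip, f.dst_port, f.src_ip) == (c_ip, c_port, s_ip) and s_port in (ANY, f.src_port)
            if not (fwd or rev):
                continue
            if s_port is ANY:
                learned = f.src_port if rev else f.dst_port
                if learned == control_port:
                    continue  # a retransmitted request is still the control stream
                del self.pinholes[key]  # narrow the wildcard to the server's negotiated port
                self.pinholes[(proto, c_ip, c_port, s_ip, learned)] = (label, control_port, timeout)
            return label, timeout
        return None

    def _match_static(self, f: Flow) -> Optional[Tuple[str, int]]:
        for s in self.services:
            if s.matches(f.protocol, f.dst_port):
                if s.alg == "TFTP":
                    # RFC 1350: the server replies from a fresh UDP port to the client's source port,
                    # so expect (client_ip, client_port) <-> (server_ip, ANY) and label it as TFTP data.
                    self.pinholes[(UDP, f.src_ip, f.src_port, f.dst_ip, ANY)] = ("TFTP-data", s.port, s.idle_timeout)
                return s.name, s.idle_timeout
        return None

    def expire(self, now: float) -> List[str]:
        """Remove sessions idle longer than their timeout and return their labels."""
        expired = []
        for key, (label, timeout, last) in list(self.sessions.items()):
            if now - last > timeout:
                expired.append(label)
                del self.sessions[key]
        return expired
```

The order of the two lookups is the security-relevant detail: pinhole state is consulted before the static table, so a data stream that happens to land on a port owned by another service object (a TFTP server replying from port 514, for instance) keeps the TFTP data label and its timeout rather than being mislabelled as syslog. The data session inherits the parent's idle timeout, and the pinhole stays a wildcard only until the first server packet reveals the negotiated port.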