mark (application-policy-config-mode)

• <APP-CATEGORY-NAME> – Specify the application category. The options are: antivirus\ update, audio, business, conference, custom, database, file transfer, gaming, generic, im, mail, mobile, network\ management, other, p2p, remote_control, social\ networking, standard, streaming, tunnel, video, voip, and web. Each packet‘s app-category is matched with the value specified here. In case of a match, the system marks the packet.
• all – The system marks all packets irrespective of the application category.

• <APPLICATION-NAME> – Specify the application name. Each packet‘s application is matched with the application name specified here. In case of a match, the system marks the packet.

The WiNG database provides approximately 309 canned applications. In addition to these, the database includes custom-made applications. These are application definitions created using the application command.

• <0-7> – Specify a value from 0 - 7.

The IEEE 802.1p signaling standard enables marking of layer 2 network traffic. Layer 2 network devices (such as switches), using 802.1p standards, group traffic into classes based on their 802.1p priority value, which is appended to the packet‘s MAC header. In case of traffic congestion, packets with higher priority get precedence over lower priority packets and are forwarded first.

• <0-63> – Specify a value from 0 - 63.

The DSCP protocol marks layer 3 network traffic. Layer 3 network devices (such as routers) using DSCP, mark each layer 3 packet with a six-bit DSCP code, which is appended to the packet‘s IP header. Each DSCP code is assigned a corresponding level of service, enabling packet prioritization.

• schedule <SCHEDULE-POLICY-NAME> – Associates a schedule policy with the rule. When associated, the rule is enforced only on the days and time configured in the schedule policy. Without the association of a schedule policy, all rules within an application policy are enforced concurrently (defined by the application-policy > enforcement-time command). If scheduling a rule, ensure that the time configured in the schedule policy is a subset of the application policy‘s enforcement time. In other words the application policy should be active when the rule is being enforced. For example, if the application policy is enforced on Mondays from 10:00 to 22:00 hours and the schedule policy time-rule is set for Fridays, then this rule will never be hit. When enforcing rules at different times the best practice would be to keep the application policy active at all time (i.e., retain the default enforcement-time setting as ‘all‘).
  • <SCHEDULE-POLICY-NAME> – Specify the policy name (should be existing and configured). After applying a schedule policy, specify a precedence for the rule.

In case of no schedule policy being applied, the rule is enforced as per the enforcement-time configured in the application policy. For more information, see enforcement-time.

Let us consider application youtube belonging to app-category streaming.

The action required is: Allow youtube packets and deny all other applications belonging to app-category streaming.

The rules can be defined as:

#allow application youtube precedence 1

#deny app-category streaming precedence 2

The following configuration is incorrect:

#deny app-category streaming precedence 1

#allow application youtube precedence 2

Once the deny app-category streaming precedence 1 rule is hit, all streaming packets, including youtube, are dropped. Consequently, there are no packets left to apply the subsequent allow rule.

The mark and rate-limit rules are the only two actions that can be combined for a specific application or application category type.