Preface
- Text Conventions
- Platform-Dependent Conventions
- Providing Feedback to Us
- Getting Help
- Documentation and Training
About This Guide
- ABOUT THIS GUIDE
  - Notational Conventions
Introduction
- WiNG CLI Structure
User Exec Mode Commands
- USER EXEC MODE COMMANDS
  - user-exec-commands
Privileged Exec Mode Commands
- PRIVILEGED EXEC MODE COMMANDS
  - privileged-exec-commands
Global Configuration Mode Commands
- GLOBAL CONFIGURATION COMMANDS
  - global-config-commands
Common Commands
- COMMON COMMANDS
  - common-commands
    - clrscr
    - commit
    - exit
    - help
    - no
    - revert
    - service
    - show
    - write
Show Commands
- SHOW COMMANDS
  - show-commands
    - show
    - adoption
    - bluetooth
    - boot
    - bonjour
    - captive-portal
    - captive-portal-page-upload (show commands)
    - cdp
    - classify-url
    - clock
    - cluster
    - cmp-factory-certs
    - commands
    - context
    - critical-resources
    - crypto
    - database
    - device-upgrade
    - dot1x
    - dpi
    - environmental-sensor
    - event-history
    - event-system-policy
    - ex3500
    - extdev
    - fabric-attach
    - file
    - file-sync
    - firewall
    - global
    - gps (show command)
    - gre
    - guest-registration
    - interface
    - iot-device-type-imagotag
    - ip
    - ip-access-list-stats
    - ipv6
    - ipv6-access-list
    - l2tpv3
    - lacp
    - ldap-agent
    - licenses
    - lldp
    - logging
    - mac-access-list-stats
    - mac-address-table
    - macauth
    - mac-auth-clients
    - mint
    - ntp
    - password-encryption
    - pppoe-client
    - privilege
    - radius
    - reload
    - rf-domain-manager
    - role
    - route-maps
    - rtls
    - running-config
    - session-changes
    - session-config
    - sessions
    - site-config-diff
    - smart-rf
    - snmpv3 (show command)
    - spanning-tree
    - startup-config
    - t5
    - terminal
    - timezone
    - traffic-shape
    - tron (show command)
    - upgrade-status
    - version
    - vrrp
    - virtual-machine
    - wireless
    - web-filter
    - what
    - wwan
Profile Commands
- PROFILES
AAA Policy
- AAA-POLICY
  - aaa-policy-commands
Auto-Provisioning Policy
- AUTO-PROVISIONING-POLICY
  - auto-provisioning-policy-commands
Association-ACL Policy
- ASSOCIATION-ACL-POLICY
  - Association-acl-policy-commands
    - deny
    - permit
    - no
Access-List Policy
- ACCESS-LIST
DHCP Policy
- DHCP-SERVER-POLICY
  - dhcp-server-policy commands
  - dhcpv6-server-policy commands
Firewall Policy
- FIREWALL-POLICY
  - firewall-policy-commands
    - acl-logging
    - alg
    - clamp
    - dhcp-offer-convert
    - dns-snoop
    - firewall
    - flow
    - ip
    - ip-mac
    - ipv6
    - ipv6-mac
    - logging
    - proxy-arp
    - proxy-nd
    - stateful-packet-inspection-12
    - storm-control
    - virtual-defragmentation
    - no
MiNT Policy
- MINT-POLICY
  - mint-policy-commands
    - level
    - lsp
    - mtu
    - router
    - udp
    - no
Management Policy
- MANAGEMENT-POLICY
  - management-policy-commands
RADIUS Policy
- RADIUS-POLICY
  - radius-group
    - guest
    - policy
    - rate-limit
    - no
  - radius-server-policy
    - authentication
    - bypass
    - chase-referral
    - crl-check
    - ldap-agent
    - ldap-group-verification
    - ldap-server
    - local
    - nas
    - proxy
    - session-resumption
    - termination
    - use
    - no
  - radius-user-pool-policy
    - duration
    - user
    - no
Radio QoS Policy
- RADIO-QOS-POLICY
  - radio-qos-policy-commands
Role Policy
- ROLE-POLICY
  - role-policy-commands
Smart-RF Policy
- SMART-RF-POLICY
  - smart-rf-policy commands
WIPS Policy
- WIPS-POLICY
  - wips-policy-commands
WLAN QoS Policy
- WLAN-QOS-POLICY
  - WLAN-QOS-Policy commands
L2TPv3 Policy
- L2TPV3-POLICY
Router Mode Commands
- ROUTER-MODE
  - router-mode-commands
Routing Policy
- ROUTING-POLICY
  - routing-policy-commands
AAA_TACACS Policy
- AAA-TACACS-POLICY
  - aaa-tacacs-policy-commands
Meshpoint Policy
- MESHPOINT
Passpoint Policy
- PASSPOINT POLICY
  - passpoint-policy
Crypto-CMP Policy
- CRYPTO-CMP-POLICY
  - crypto-cmp-policy-instance
  - other-cmp-related-commands
    - use (other-cmp-related-commands)
    - show (other-cmp-related-commands)
Roaming-Assist Policy
- ROAMING ASSIST POLICY
  - roaming-assist-policy commands
Border Gateway Policy
- BORDER GATEWAY PROTOCOL
Controller Managed WLAN Use Case
- CREATING A FIRST CONTROLLER MANAGED WLAN

application-policy

When an application is recognized and classified by the WiNG application recognition engine, administrator defined actions can be applied to that specific application. An application policy defines the rules or actions executed on recognized applications (for example, Facebook) or application-categories (for example, social-networking). The following are the rules/actions that can be applied in an application policy:

Allow - Allows packets for a specific application or application category
Deny - Denies packets for a specific application or application category
Mark - Marks packets with DSCP/8021p value for a specific application or application category
Rate-limit - Rate limits packets from specific application types.

For each rule defined, a precedence is assigned to resolve conflicting rules for applications and categories. A deny rule is exclusive, as no other action can be combined with a deny. An allow rule is redundant with other actions, since the default action is allow. An allow rule is useful when wanting to deny packets for a category, but wanting to allow a few applications in the same category to proceed. In such a cases, add an allow rule for applications with a higher precedence then a deny rule for that category.

Mark actions mark packets for a recognized application and category with DSCP/8021p values used for QoS. Rate-limits create a rate-limiter applied to packets recognized for an application and category. Ingress and egress rates need to be specified for the rate-limiter, but both are not required. Mark and rate-limit are the only two actions that can be combined for an application and category. All other combinations are invalid.

Once created and configured, apply the application policy at the following levels within the network to enforce application assurance:

RADIUS CoA usage – In the device/profile configuration mode, use the application-policy > radius > <APPLICATION-POLICY-NAME> command to apply the policy to every user successfully authenticated by the RADIUS server.
User role – In the role-policy-user-role configuration mode, use the use > application-policy <APPLICATION-POLICY-NAME> command to apply the policy to all users assigned to the role.
WLAN – In the WLAN configuration mode, use the use > application-policy <APPLICATION-POLICY-NAME> command to apply the policy to all users accessing the WLAN.
Bridge VLAN – In the bridge VLAN configuration mode, use the use > application-policy <APPLICATION-POLICY-NAME> command to apply the policy for the traffic corresponding to the bridged VLAN.

Supported in the following platforms:

Access Points — AP-7522, AP 7532
Service Platforms — NX 5500, NX 7510, NX 95XX, NX 96XX, VX 9000

Syntax

application-policy <APPLICATION-POLICY-NAME>

Parameters

application-policy <APPLICATION-POLICY-NAME>

application-policy <APPLICATION-POLICY-NAME>

Specify the application policy name. If an application policy with the specified name does not exist, it is created. The name should not exceed 32 characters in length.

Examples

nx9500-6C8809(config)#application-policy TestAppliPolicy
nx9500-6C8809(config-app-policy-TestAppliPolicy)#?
Application Policy Mode commands:
  allow             Allow packets
  deny              Deny packets
  description       Application policy description
  enforcement-time  Configure policy enforcement based on time
  logging           Application recognition logging
  mark              Mark packets
  no                Negate a command or set its defaults
  rate-limit        Rate-limit packets

  clrscr            Clears the display screen
  commit            Commit all changes made in this session
  do                Run commands from Exec mode
  end               End current mode and change to EXEC mode
  exit              End current mode and down to previous mode
  help              Description of the interactive help system
  revert            Revert changes
  service           Service Commands
  show              Show running system information
  write             Write running configuration to memory or terminal

nx9500-6C8809(config-app-policy-TestAppliPolicy)#

Related Commands

no (global-config-mode)

Removes an existing application policy

Published June 2019prev | next

Email this topic

Print this page Print this page

Leave feedback Feedback