mark

application-policy

Creates a mark rule and configures the match criteria based on which packets are marked

Marks packets, matching a specified set of application categories or applications/protocols, with 802.1p priority level or DSCP ToS (type of service) code. Marking packets is a means of identifying them for specific actions, and is used to provide different levels of service to different traffic types.

Configured on WiNG 7.1.X controller and pushed to the following WiNG 5.9.X APs:

  • Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP8163, AP8543, AP8533
mark [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] 
[8021p <0-7>|dscp <0-63>] schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)

Parameters

mark [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] 
[8021p <0-7>|dscp <0-63>] schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)
mark Creates a mark rule and configures the match criteria. When applied, the rule marks packets, matching the criteria configured here, with 802.1p priority value or DSCP code. The match criteria options are: app-category and application.
app-category [<APP-CATEGORY-NAME>|all] Uses application category as the match criteria
  • <APP-CATEGORY-NAME> – Specify the application category. The options are: antivirus\ update, audio, business, conference, custom, database, file transfer, gaming, generic, im, mail, mobile, network\ management, other, p2p, remote_control, social\ networking, standard, streaming, tunnel, video, voip, and web. Each packet‘s app-category is matched with the value specified here. In case of a match, the system marks the packet.
  • all – The system marks all packets irrespective of the application category.
application <APPLICATION-NAME> Uses application name as the match criteria
  • <APPLICATION-NAME> – Specify the application name. Each packet‘s application is matched with the application name specified here. In case of a match, the system marks the packet.

The WiNG database provides approximately 309 canned applications. In addition to these, the database includes custom-made applications. These are application definitions created using the application command.

8021p <0-7> Marks packets matching the specified criteria with 802.1p priority value
  • <0-7> – Specify a value from 0 - 7.

The IEEE 802.1p signaling standard enables marking of layer 2 network traffic. Layer 2 network devices (such as switches), using 802.1p standards, group traffic into classes based on their 802.1p priority value, which is appended to the packet‘s MAC header. In case of traffic congestion, packets with higher priority get precedence over lower priority packets and are forwarded first.

dscp <0-63> Marks packets matching the specified criteria with DSCP ToS code
  • <0-63> – Specify a value from 0 - 63.

The DSCP protocol marks layer 3 network traffic. Layer 3 network devices (such as routers) using DSCP, mark each layer 3 packet with a six-bit DSCP code, which is appended to the packet‘s IP header. Each DSCP code is assigned a corresponding level of service, enabling packet prioritization.

schedule <SCHEDULE-POLICY-NAME> Schedules an enforcement time for this mark rule by associating a schedule policy with it. Use this parameter to apply rule-specific enforcement time.
  • schedule <SCHEDULE-POLICY-NAME> – Associates a schedule policy with the rule. When associated, the rule is enforced only on the days and time configured in the schedule policy. Without the association of a schedule policy, all rules within an application policy are enforced concurrently (defined by the application-policy > enforcement-time command). If scheduling a rule, ensure that the time configured in the schedule policy is a subset of the application policy‘s enforcement time. In other words the application policy should be active when the rule is being enforced. For example, if the application policy is enforced on Mondays from 10:00 to 22:00 hours and the schedule policy time-rule is set for Fridays, then this rule will never be hit. When enforcing rules at different times the best practice would be to keep the application policy active at all time (i.e., retain the default enforcement-time setting as ‘all‘).
    • <SCHEDULE-POLICY-NAME> – Specify the policy name (should be existing and configured). After applying a schedule policy, specify a precedence for the rule.

In case of no schedule policy being applied, the rule is enforced as per the enforcement-time configured in the application policy. For more information, see enforcement-time.

precedence <1-256> Assigns a precedence value for this mark rule. The precedence value differentiates between rules applicable to applications and the application categories they belong. The allow, deny, mark, rate-limit options are mutually exclusive. In other words, in an application policy, for a specific application or application category, you can create either an allow rule, or a deny rule, or a mark and rate-limit rule.

Let us consider application youtube belonging to app-category streaming.

The action required is: Allow youtube packets and deny all other applications belonging to app-category streaming.

The rules can be defined as:
#allow application youtube precedence 1
#deny app-category streaming precedence 2
The following configuration is incorrect:
#deny app-category streaming precedence 1
#allow application youtube precedence 2

Once the deny app-category streaming precedence 1 rule is hit, all streaming packets, including youtube, are dropped. Consequently, there are no packets left to apply the subsequent allow rule.

The mark and rate-limit rules are the only two actions that can be combined for a specific application or application category type.

Examples

nx9500-6C8809(config-app-policy-Bing)#mark app-category video dscp 9 precedence 4
nx9500-6C8809(config-app-policy-Bing)#mark application facetime dscp 10 precedence 5
nx9500-6C8809(config-app-policy-Bing)#show context
application-policy Bing
 description "This application policy allows Bing search engine packets"
 enforcement-time days weekdays start-time 12:30 end-time 20:00
 allow application Bing precedence 1
 allow app-category business precedence 2
 deny app-category "social networking" precedence 3
 mark app-category video dscp 9 precedence 4
 mark application facetime dscp 10 precedence 5
 logging level critical
nx9500-6C8809(config-app-policy-Bing)#

Related Commands

no Removes this mark rule from the application policy