Application Policies and Application Rules

Overview

Application control policies (application policies) let you define rules that dictate how each traffic type is managed on your network. An application policy contains at least one application (Layer 7) rule.

An application rule leverages the AP's deep packet inspection (DPI) engine to detect the underlying application to which a frame or flow belongs. The rule then applies access control and quality of service actions to all the traffic associated with the application, not just traffic destined for specific IP addresses or ports. The control actions regulate both access control and traffic engineering (rate limit, marking, and prioritization) for applications and groups.

Use case examples include:
  • Identifying critical applications and assigning a higher priority and CoS value
  • Blocking restricted web content
  • Blocking or limiting peer-to-peer protocols to preserve bandwidth and flows for other applications
  • Limiting bandwidth usage by non-business-related traffic, such as YouTube

ExtremeCloud installs application policies with rules on the supported APs where enforcement occurs.

Note

Application policies are supported by ExtremeCloud-enabled APs only, not switches.

Rules

Application policies consist of rules with match criteria, coupled with one or more actions to take when a packet matches the rule's criteria. The match criterion for an application is usually just the name of the application. Because cloud-enabled APs recognize thousands of applications, the ExtremeCloud user interface lets you first select a category of applications, which narrows the list to a subset of applications to choose from. Additionally, you can create a single rule that applies to all traffic in the application category by selecting a category and then selecting 'any' as the specific application.

Custom application rules are rules that you create to recognize (match) applications that are not in the predefined set of application matches provided by ExtremeCloud. You create a custom application rule by defining a regular expression to match against host names. The rule's match criteria are then available as match criteria for policy rules that you create in the future.
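
As an added example (not from ExtremeCloud's documentation), the following Python sketch audits a candidate host-name regular expression against names it should and should not match before the pattern is entered as a custom application rule. The regex dialect and anchoring behavior of ExtremeCloud are not stated on this page; Python's re module with unanchored, case-insensitive search is assumed, and all host names and patterns are constructed.

```python
import re

# Constructed sample host names (not from the product documentation).
SHOULD_MATCH = ["intranet.example.com", "wiki.intranet.example.com"]
SHOULD_NOT_MATCH = [
    "intranet.example.com.evil.test",  # intended name used only as a prefix
    "intranetXexample.com",            # unescaped '.' matches any character
    "notintranet.example.com",         # no boundary on the left-hand side
]

def audit_host_regex(pattern, should_match=SHOULD_MATCH,
                     should_not_match=SHOULD_NOT_MATCH):
    """Return (missed, overmatched) host names for a candidate pattern.

    Assumption: the rule engine performs an unanchored, case-insensitive
    search, which is modeled here with re.search and re.IGNORECASE.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    missed = [h for h in should_match if not rx.search(h)]
    overmatched = [h for h in should_not_match if rx.search(h)]
    return missed, overmatched

# Loose pattern: dots unescaped, no anchors.
LOOSE = r"intranet.example.com"
# Strict pattern: anchored, dots escaped, optional subdomain labels only.
STRICT = r"^([a-z0-9-]+\.)*intranet\.example\.com$"

if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("strict", STRICT)):
        missed, overmatched = audit_host_regex(pattern)
        print(f"{name}: missed={missed} overmatched={overmatched}")
```

A pattern that overmatches widens whatever action the rule carries (Allow, Deny, rate limit) to unintended hosts, so an empty result in both lists is the target before deployment.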

Actions and Limitations

When the Action filter for the application rule is set to Deny, the first few packets of a flow must be allowed to pass through so that the deep packet inspection (DPI) engine can examine the contents and classify the flow. By the time the flow is classified as Deny and blocked, those first few packets have already passed through the system. For typical web traffic, the leak is minimal for a long-duration flow. However, for short-duration flows, the Deny filter may not be effective.

Any flows that are not matched through classification are handled by the Default Action.

The Redirect action is only available for IPv4 traffic, not IPv6. The Allow, Deny, and Contain actions are available for IPv6.