Set Condition

The Unified Policies Set Condition Screen contains a list of Conditions that you can configure for the Policy (e.g., MAC Condition, IP Condition). When you create a Condition, the Condition(s) you configure must be true before traffic is allowed to flow. Click on a Condition to display the configuration options for the Condition. (Click again on the Condition to close the configuration options.) When you have completed all of the parameters for the Condition(s), click the Next button at the bottom of the screen or click on Set Action on the left side of the screen to move to the next step. If necessary, you can also click the Back button to return to the screen.

Conditions

A brief description of each Condition is provided below. Click the hyperlink for each Condition for detailed configuration instructions.

L2 MACs - Create a Condition that applies the policy to traffic originating from a MAC address/group/range or to traffic flowing to a MAC address/group. (Note that for APs, MAC Addresses cannot contain wildcard characters).
L3 IPs - Create a Condition that applies the policy to traffic originating from an IP address/network group or to traffic flowing to an IP address/network group. (Note that any IP address can be masked).
L3 DSCP/TOS - Create a Condition that applies the policy to traffic with a specified value in either the DSCP (Differentiated Services Code Point) byte or in the IP TOS (IP Type of Service) byte. Both DSCP and IP TOS are mechanisms used to convey QoS information in the IP header of frames.
L4 Services - Create a Condition that applies the policy to traffic flowing between two TCP or UDP ports, or to all traffic originating from a TCP or UDP port, or to all traffic flowing to a TCP or UDP port. You can also create a Condition using an existing service/service group.
L7 Application Visibility - Create a Conditions that applies the policy to

Note: Some conditions are not supported on certain devices. Please refer to detailed notes of each condition below for supported conditions.

L2 MACs

A MAC Condition applies the Policy to traffic flowing from/to a MAC Address/Group. Note that Layer 2 Conditions (conditions that specify MAC Addresses) are "lost" when traffic passes through a router. For this reason, it may be advisable to specify other types of Conditions (such as a Layer 3 Condition, which specifies IP Addresses) when traffic is expected to travel more than one router hop.

Select the parameter(s) you want to configure by selecting the applicable checkbox. Click on Single to configure a single MAC Address or Group to configure a MAC Group, then enter a MAC address or select a MAC Group from the drop-down menu. (You can also click the Add icon to go to the Groups application and create a new MAC Group.)

Source MAC Address/MAC Group - Configuring a Source MAC Address/Group Condition restricts the policy to traffic that flows from this MAC Address/Group only. If you do not select this option, you are effectively stating that the Source MAC Address/Group traffic is not a criterion for the policy.
Destination MAC Address/MAC Group - Configuring a Destination MAC Address/Group Condition restricts the policy to traffic that flows to this MAC Address/Group only. If you do not select this option, you are effectively stating that the Destination MAC Address/Group traffic is not a criterion for the policy.
Source MAC Range - Configuring a Source MAC Range Condition restricts the policy to traffic that flows from this MAC Range only. If you do not select this option, you are effectively stating that the Source MAC Range traffic is not a criterion for the policy.
Notes:

Conditions that specify both a source and a destination MAC address may be rejected by some switch platforms as invalid. However, if you wish to create policies for both source and destination traffic, you can create one policy for the source traffic and a second policy for the destination traffic.

MAC addresses may contain the wildcard character *. However, one * character must be entered for each individual hex digit in the MAC address: for example, 00435C:******, not 00435C:*.

The following MAC address ranges are assigned to Alcatel-Lucent Enterprise voice devices and Alcatel-Lucent Enterprise IP phones. You can create Conditions specifying these address ranges using the MAC Address tab.

Voice Devices

00809F3A0000 - 00809F3AFFFF

00809F3B0000 - 00809F3BFFFF

00809F3C0000 - 00809F3CFFFF

IP Phones

00809F3D0000 - 00809F3DFFFF

Multi-Media Devices

00809F3E0000 - 00809F3EFFFF

00809F3F0000 - 00809F3FFFFF

MAC Range is not supported on APs and is ignored when applied to those devices.

L3 IPs

An IP Condition applies the Policy to traffic originating from, or flowing to, an IP Address/Network group. Any IP Address can be masked. Note that a Condition that specifies both a Source and Destination IP Address/Network Group will be rejected by the switch as invalid. However, if you wish to create policies for both Source and Destination traffic, you can create one policy for the Source traffic and a second policy for the Destination traffic.

Select the parameter(s) you want to configure by selecting the applicable checkbox. For Source/Destination IP Address, click on Single to configure a single IP Address (and Shorthand or Subnet Mask, if applicable), or click on Group to configure a Network Group, then enter an IP Address or select a Network Group from the drop-down menu. (You can also click the Add icon to go to the Groups application and create a new Network Group.)

Fragment (only available for AOS Switches) - Select this checkbox to restrict the policy to TCP packet fragments.
Source IP Address/Network Group - Configuring a Source IP Address/Network Group Condition restricts the policy to traffic that flows from this IP Address or Subnet Mask/Network Group only. If you do not select this option, you are effectively stating that the Source IP Address or Subnet Mask/Network Group traffic is not a criterion for the policy.
Destination IP Address/Network Group - Configuring a Destination IP Address/Network Group Condition restricts the policy to traffic that flows to this IP Address/Network Group only. If you do not select this option, you are effectively stating that the Destination IP Address or Subnet Mask/Network Group traffic is not a criterion for the policy.
Multicast IP Address Range - Configuring a Multicast IP Address/Group Condition restricts the policy to traffic that flows to this IP Multicast Address Group only. If you do not select this option, you are effectively stating that the Destination IP Multicast Address or Subnet Mask/Group traffic is not a criterion for the policy.

Notes:

When configuring an IP Address Condition, you can also click either the Shorthand Mask or Subnet Mask button to configure a Subnet Mask. If you are using a Shorthand Mask, select a value from the Shorthand Mask drop-down list. If you are using a full Subnet Mask, enter the mask in the IP Subnet Mask field. Note that the * wildcard character is not allowed in IP addresses.

APs only support IPv4 conditions.

Important Note: When creating an IP Condition for a NAT Action you must specify a Network Group in the Condition. NAT will only work when both the Condition and Action specify network groups. To create a "One-to-Many" Condition and action, create a Network Group with a single entry for the Condition.

L3 DSCP/TOS

A DSCP/TOS Condition applies the Policy to incoming traffic that has a specified value in either the DSCP (Differentiated Services Code Point) byte or in the TOS (Type of Service) byte. Both DSCP and TOS are mechanisms used to convey QoS information in the IP header of frames. DSCP and TOS are mutually exclusive - you can use either DSCP or TOS but not both. Click on the applicable button (DSCP or TOS) and enter a value.

DSCP - Defines the QoS treatment a frame is to receive from each network device. This is referred to as per-hop behavior. If you are using DSCP, you can define any value in the range 0 - 63 as the DSCP value in the IP header of the frame. Traffic that contains this value will match this condition.
TOS - A TOS value creates a condition that applies the policy to traffic that has the specified TOS value in the IP header of frames. Enter any value from 0 - 7 to specify the value of the precedence field in the TOS byte that will match this condition. A value of 7 has the highest precedence and a value of 0 has the lowest.

L4 Services

A Service Condition applies the policy to Service Protocol traffic (TCP or UDP) flowing from/to two TCP or UDP ports, or to traffic flowing from/to a TCP or UDP Service or Service Group. Select a type of Service Condition you want to configure, then configure the parameter(s) as described below.

Protocol Only - Select TCP or UDP to create a condition for a Service Protocol only.
Port(s) - To configure the Condition for a specific Service Port, select a Source and Destination Port from the drop-down menu to specify a specific port for the service you selected. You can also click on the Add icon to go to the Groups application and create new Service Ports.
Service - Select a Service from the drop-down menu. You can also click on the Add icon to go to the Groups application and create a new Service.
Service Group - Select a Service Group from the drop-down menu. You can also click on the Add icon to go to the Groups application and create a new Service Group.

L7 Application Visibility

An Application Visibility Condition applies the policy to traffic flowing to/from an Application Group or Application. Note that the drop-down menus are populated with the Application Groups/Applications contained in the Signature Profile for the selected switch. If you select multiple switches, only those Application Groups/Applications common to all switches will be displayed. Also note that the App Name button will not be displayed if you select any OS6900 Switches, as this option is not offered for these devices. If all of the selected switches are OS6860 devices, both the App Group and App Name buttons are displayed.

App Group - Select an Application Group from the drop-down menu.
App Name - Select an Application from the drop-down menu.