Enterprise Software

Customize WAN Traffic Policies for your network

Novell includes a basic set of policies you can use with WAN Traffic Manager. If these policies don't suit your needs, you can customize them. John Sheesley shows you how in this Daily Drill Down.

NetWare’s WAN Traffic Manager (WTM) uses WAN Traffic Policies to control how NDS replicates on your network. WTM includes a basic set of WAN Traffic Policies that you can choose from, but they may not suit the specific needs of your network. In that case, you can modify existing policies or create new ones. In this Daily Drill Down, I’ll show you how it’s done.

What’s the WAN Traffic Manager?
The WAN Traffic Manager is a component of NetWare and NDS that controls how NDS replication information flows to NetWare servers at remote sites. For more information about WAN Traffic Manager, see the Daily Drill Down “Control NDS traffic using WAN Traffic Manager.”

Breaking down a WAN Traffic Policy
Novell has included a set of WAN Traffic Policies with NetWare that help get you on your way toward controlling NDS traffic to your remote sites. These policies include:
  • ·        1-3AM—This one only allows NDS traffic between 1 A.M. and 3 A.M.
  • ·        7AM-6PM—This policy only allows NDS traffic to occur between 7 A.M. and 6 P.M.
  • ·        COSTLT20—This policy limits NDS traffic that has a cost below 20. (I’ll explain cost a little later.)
  • ·        IPX—This policy allows only IPX traffic.
  • ·        NDSTTYPS—This policy only contains sample policies.
  • ·        ONOSPOOF—This restricts connections to only preexisting WAN connections.
  • ·        OPNSPOOF—This policy assumes that if a connection hasn't been used for 15 minutes, it has been spoofed by a hacker. WAN Traffic Manager then ignores future communication.
  • ·        SAMEAREA—This policy restricts traffic to servers in the same network area.
  • ·        TCPIP—This policy allows only TCP/IP traffic.
  • ·        TIMECOST—This policy only allows NDS traffic in remote locations to talk between 1 A.M. and 1:30 A.M. but allows servers in the same location to talk continuously.

As basic policies, these are good, but they may not suit your needs. If that’s the case, you can customize a policy using either ConsoleOne or NetWare Administrator. For the purposes of this Daily Drill Down, I’ll show you how to do so using NetWare Administrator.

You must be very careful when adding or modifying WAN Traffic Policies. If you make a mistake, you won’t destroy your NDS tree, but you could cause problems, such as slowing down NDS replication, flooding your network with replication traffic, or breaking replication entirely.

Before you can add or modify a policy, you must know how a policy is constructed and what the proper syntax for the policy is. Unfortunately, you won’t find any nice point-and-click utilities you can use to build a policy. You have to get your hands dirty and do a little bit of programming, at about the same level as writing complex login scripts.

As you can see by viewing a copy of the 1-3AM policy, a WAN policy consists of three sections: Declaration, Selector, and Provider. The Selector and Provider sections are signified in the policy with the headers SELECTOR and PROVIDER, respectively. Both the SELECTOR and PROVIDER headers must conclude with a line that says END.

The Declaration section defines the variables you’re going to use in the policy. You can’t use a variable in the Selector or Provider sections without defining it in the Declaration section first.

Each variable declaration must be separated by semicolons. Variable declarations are broken down into three parts: Scope, Type, and Value.

Variable Scope settings are REQUIRED, OPTIONAL, LOCAL, and SYSTEM. Required variables means just what it says. If the required value doesn’t exist, the policy won’t run. Optional variables must have values declared as their default. Local variables pull from the local system, and system variables pull from NDS.

Valid Types are INT, BOOLEAN, TIME, and NETADDRESS. Of these types, you can’t assign times to the TIME and NETADDRESS variables. NDS assigns the values for these two variables when you use them in the Selector or Provider sections.

Valid Values must be constants. You can’t assign the value of one variable to be equal to another, nor can a value be some function of another variable. For example, you can’t have a variable declaration that says LOCAL INT A:= B+2'. However, a variable declaration of LOCAL INT A:=5; is perfectly acceptable.

The Selector section helps WAN Traffic Manager decide which policy to run and in what order. WTM ranks policies from 0 to 100. WTM ignores any policy with a rank of 0. Setting a policy with a value of 100 forces WTM to use it. Rankings between 0 and 100 are used only if there’s no other policy that applies to the object with a higher value.

The only entry in the Selector section is a command called RETURN with the value you assign. If you don’t assign a value for RETURN, WTM ignores the policy.

The Provider section decides whether or not the policy will allow WAN Traffic to be sent. Your choices here are RETURN SEND; or RETURN DONT_SEND;. SEND tells NDS that it’s okay to send replication traffic; conversely, DONT_SEND blocks NDS from replicating. If you don’t enter a value for RETURN, NDS sets a default value of SEND.

Syntax for the Selector and Provider sections
The Selector and Provider sections have strict rules for syntax. You can use the following commands and operators to control how processing occurs:
  • ·        /* comment */—You can comment your policy by enclosing information within the /* */ characters on individual lines. You can also place comments within a line of code by using // before the comment.
  • ·        :=—You’ll use this character combination to assign values for variables. The variable name goes on the left of the character combination, and the assigned value goes on the right.
  • ·        Bitwise operators—Bitwise operators are used with INT variable types to return integer values. Valid bitwise operators are BITAND, BITOR, and BITNOT.
  • ·        IF-THEN—As in standard programming languages, you can use IF-THEN statements to insert conditions into your policy. You can include ELSE and ELSEIF conditions as part of your IF-THEN statement. IF-THEN statements must always end with an END command.
  • ·        Logical operators—Logical operators work to link multiple expressions together. You can use them to distinguish and compare values. Valid logical operators include AND, OR, NOT, <, >, and =.
  • ·        Math operators—WAN Traffic Policies can include mathematic operators in variable declarations, RETURN commands, and IF-THEN statements. Valid operators are + (Addition), - (Subtraction), * (Multiplication), / (Division), and MOD (Modula). You can only use math operators with INT variables. Be careful when using math operations to avoid results that exceed +/- 2147483648. Also, avoid division by zero.
  • ·        PRINT—The PRINT command sends text to the WAN Traffic Manager display screen and to the log file. When using the PRINT command, you must enclose literal strings in double quotes.
  • ·        Relational operators—As with math operators, you can include relational operators in IF-THEN statements. Relational operators compare values and variables. Valid operators include = (equal to), <> (not equal to), > (greater than), >= (greater than or equal to), < (less than), and <= (less than or equal to). All relational operators work with TIME and INT variable types. The <> and = operators work with the NET ADDRESS and BOOLEAN variable types.

As with any programming language, you can combine policy commands and operators into complex operations. When combining multiple operators and commands, WAN Traffic Manager executes in the following order:
  • ·        Parenthetical expressions
  • ·        BITNOT
  • ·        BITAND
  • ·        BITOR
  • ·        Multiplication, division, MOD
  • ·        Addition, subtraction
  • ·        Relational (>, >=, <, <=, =)
  • ·        NOT
  • ·        AND
  • ·        OR

Modifying WAN Traffic Policies
Remember that you apply WAN Traffic Policies to either Server objects or LAN Area objects. Start NetWare Administrator and navigate through the NDS tree until you find the container that contains the object using the policy you want to modify. Right-click the object and select Details.

When the Properties notebook for the object appears, click the WAN Policies tab. At first, it may appear that no policies are applied to the object because none appear on this page. To view the applied policies, click the Advanced button. You’ll see a Policy Group Load dialog box appear, warning you not to go further because you may negatively affect NDS performance. Read the warning and click OK.

You’ll then see the Policies window, shown in Figure A. Select the policy you want to modify in the bottom pane and click Edit. This will display the Policy Editor, shown in Figure B.

Figure A
You can view applied policies in the Policies window.

Figure B
The policy editor allows you to customize WAN Traffic Policies.

This is the screen you use to customize the policy to meet your needs. Make sure you carefully follow the rules listed above when constructing your policy. When you’re finished editing your policy, select Check Policy from the Policy menu. If there are no errors in the policy, you’ll see a No Errors message appear in the Policy Syntax Check window. If there are errors, the Policy Syntax Check window will display an error and the errors will appear in the bottom pane of the Policy Editor, as shown in Figure C.

Figure C
You can check the new policy for errors before applying it.

After you’ve checked the policy, close the Policy Editor. If you’ve made changes, Policy Editor will ask you whether you want to save your changes. Click Yes to save or No to abandon your changes. When you return to the Policies window, click Close.

Making a new WAN Traffic Policy
If you’re really brave, you can try creating your own WAN Traffic Policy. To create a new policy, follow the instructions in the previous section to get to the Policies page shown in Figure A. This time, rather than selecting a policy and clicking Edit, type the name for your new policy in the top field and click New.

You’ll then see the Policy Editor appear, but this time it will be completely empty. Following the syntax described above, enter the commands you want your policy to follow. Be careful to include the appropriate sections and enter the commands properly. As with editing policies, you should check for errors before saving the policy.

When you close the Policy Editor and save changes, your new policy will appear in the Policies menu. You can also apply your new policy to other LAN Area or Server objects.

Novell included a set of WAN Traffic Policies to help get you on your way to a quick start using the WAN Traffic Manager. The default policies are good but may not suit your individual needs. Understanding that, Novell gives you the ability to modify existing policies or create your own. A bit of a learning curve is involved with understanding and getting comfortable with the syntax, but after that, you’ll be able to tailor policies specific to your organization.

Editor's Picks