Sharing Configurations between Packeteer Devices

Suppose you have two PacketShapers when you decide to solve a recent problem with your legacy applications. You will need to create a new traffic class and policy on both PacketShapers. Now imagine the same situation, but with 120 PacketShapers. Configuring your legacy solution now becomes a very tedious job without economy of scale. PolicyCenter solves this dilemma by allowing multiple units to share configurations, letting you to change something once instead of 120 times.

Note: This PolicyCenter solution assumes that you have a general understanding of PacketWise traffic classes, policies and partitions. If you need to review these concepts, please click on the links above and refer to those sections of PacketGuide.

A PolicyCenter configuration consists of traffic classes, partitions and policies, and basic configuration values, such as login passwords or shaping on/off. PolicyCenter allows you to share configurations between individual Packeteer units and unit groups. You can synchronize your units so that they all have the same traffic classes, partitions, policies, events, host lists, and reports - saving you from having to manually recreate or update a complex traffic configuration on each unit. With PolicyCenter, you can turn a single-unit configuration into a group configuration, copy configurations between groups and units, or even use an existing configuration to create a new unit or group.

Packeteer units running PacketWise software version 5.2 or later can be configured in either shared or local mode.

• Shared mode: Packeteer units in shared mode will use PolicyCenter for configuration information, deriving a configuration that combines shared values from a group configuration and the individual, or local, configuration values specific to that single unit. This combined configuration is stored both in the PolicyCenter server and on each unit's flash disk in the file config.ldi, so that units will continue to operate even if a network problem interrupts communication with the PolicyCenter server. In this combined configuration, any local configuration attributes will take precedence over those same attributes in the group configuration, even if those local changes were made after the unit joined PolicyCenter. Configuration attributes not specified in a unit's local configuration can be managed from that unit's PolicyCenter group.
  
  
• Local mode: Packeteer units in local mode use a configuration derived only from the files on the unit itself (the same way the unit ran before implementing PolicyCenter).

While in shared mode, the files in the unit's flash disk are continually updated to match the PolicyCenter configuration; therefore, if you switch from shared mode back to local, the local configuration will initially be the same as the last shared configuration.

PacketSeeker monitors traffic, but does not support the Packeteer traffic shaping features and cannot control the flow of traffic like PacketShaper. Therefore, if a PacketSeeker unit tries to inherit a group configuration with shaping turned on, a banner error message appears in the Web browser, indicating that the shaping mode "on" is unavailable. Turning shaping off for the PacketSeeker unit overrides the group configuration and clears the error.

Determine Your Group Configuration Strategy

Before you configure PolicyCenter groups, it is important to identify the traffic classes and configuration attributes that should be included in each group configuration, and thereby shared by all units in that group. Before you create a group of Packeteer units, you should ask yourself:

Are the individual unit configurations mostly the same, or mostly different?

• If the units are mostly the same, you should use a comprehensive group configuration strategy.
  
  
• If the units you want to group together have more differences than similarities, you should choose a selective group configuration strategy.

Comprehensive Group Configurations

This strategy is preferred when the traffic trees for every unit in a group are mostly the same, and only a few variances need to be independently specified on each unit. Organizations using this strategy often have branch offices with very similar types of network traffic, each with the same model of Packeteer unit.

As an example, imagine an company with four nearly identical branch offices. Although there is a heavy traffic load running over each network, the types and volumes of network traffic do not vary widely between each branch. Additionally, each branch has configured its PacketShaper with the same traffic classes, and set many policies and partitions to protect the network traffic that is considered mission-critical to all four branch offices. Because the networks are so similar, every significant change in the networks require that all four PacketShapers be individually reconfigured. The company finds this to be too time-consuming, and would like to be able to propagate all the changes at once.

Because the individual units in this example have such similar configurations, one PolicyCenter comprehensive group configuration could be used to control the entire traffic tree and other sharable attributes for each unit. In this case, you must first identify a primary unit, one unit whose configuration you would like to apply to all the units in a group. You should then create a comprehensive group configuration based upon that primary unit. If all the units have a truly identical configuration, it does not matter which unit you select to be the primary unit. If there are slight variances, select the unit that is the most representative of all others.

Turn the primary unit configuration into a sharable comprehensive group configuration by selecting the convert option when you first add the unit to PolicyCenter. The convert option allows this primary unit (or any unit) to retain its local configuration after it becomes part of a PolicyCenter group. If you add a unit to PolicyCenter without this option, any existing local unit configuration is cleared, and the unit will take its entire configuration from its group.

After the primary unit has been added to PolicyCenter with its local configuration intact, you can use the publish option to publish the unit's configuration to its group. The publish option:

• Copies the primary unit's combined (local and shared) configuration to its group
  
  
• Clears the primary unit local configuration

Why does the publish option clear the unit's local configuration? Simply put, the publish option clears the primary unit's local configuration so the unit can inherit its configuration from its group. Because local settings always override group settings, if the publish option did not clear the unit's local configuration, its local settings would completely supersede the shared configuration. As a result, the unit would not be able to be managed from a PolicyCenter group.

When you add other units to this PolicyCenter group (without the convert or publish options) these units will also inherit their entire configuration solely from the new group settings. As a result, all units in the group will have an identical configuration; a group configuration based upon the original local configuration of the first unit.

Use the following procedure to create a comprehensive group configuration:

1. Create a new PolicyCenter group.
2. Convert and publish the selected unit when you first subscribe it to PolicyCenter, changing its configuration from an individual unit configuration to a new sharable group configuration.
3. Move the unit from the default group into its new destination group
4. Add other units to PolicyCenter without the convert option, so the units will inherit their entire configuration solely from the new group settings.
5. Move the other units from the default group into their new destination group. You may return individual changes to the units at any time, and these individual changes will override the PolicyCenter sharable group configuration settings.

Selective Group Configurations

If you want to create a sharable group configuration for just a few key traffic classes or attributes (or you do not yet have any Packeteer units on your network) you can create a new PolicyCenter group and define values for just those most important traffic classes before you add any units to that group. This strategy also works well if traffic trees vary widely between each Packeteer unit, or you want to create a group configuration only for command scheduling, RADIUS Client or security settings (for example) instead of a sharable group traffic tree.

As an example, consider an organization with four branch sites, each with a PacketShaper 2500. Each branch site serves a different purpose in the organization, and as a result, the types of traffic considered to be mission-critical at each site varies widely:

Site 1 (sales): WebEx, ShoutCast, Citrix, Pop3, HTTP
Site 2 (product development): FTP, ActiveX, Citrix, Pop3, HTTP
Site 3 (corporate headquarters): Oracle, SAP, Citrix, Pop3, HTTP
Site 4 (manufacturing): IPX, GRE, Citrix, Pop3, HTTP

Let us also suppose that, in addition, all four sites are experiencing network slowdowns as employees download KaZaA music files off the network.

Because the network traffic requirements for each branch office is so different, it would be most efficient to create a selective group configuration that controls just the network traffic considered mission-critical to all branch sites (Citrix, Pop3, and HTTPS) and which also blocks the unwanted KaZaA traffic.

Why wouldn't a comprehensive group configuration work for this organization? Because a comprehensive group configuration would require too many individual changes to be an efficient use of PolicyCenter, or of your time. If this organization chose instead to create a comprehensive group configuration based on the local configuration of one of the units, it would later have to make a great number of changes to the configurations on the other three units. These changes would include both adding the required traffic classes that did not exist on first unit, and possibly removing group configuration policies and partitions that protect traffic not considered to be mission-critical at the other three sites. Clearly, this is more effort. With a selective group configuration, the units would all be added with the convert option, preserving their different individual local configurations so they don't have to be manually re-created.

Use the following procedure to create a selective group configuration:

1. Create a new group.
2. From the PolicyCenter manage tab, select the new group from the Group: drop-down list.
3. Add the required traffic classes to the new group, or click the Setup tab to change setup values for the group.
4. Add a unit to PolicyCenter, using the convert option to retain the unit’s class tree.
5. Move the unit from the default group into its new destination group.
6. Remove the local override classes on the unit, enabling it to inherit those few individual classes or settings specified in the group configuration.
7. Repeat steps 3-5 for any other units you want to add to the new group.

Manage Group Configurations in PolicyCenter

PolicyCenter allows both individual units and unit groups to share configurations. A configuration can be moved to a different unit or group, or copied and altered to create new a unit or group.

PacketGuide™ for PacketWise® Version 6.0