Sharing Configurations between Packeteer Devices

Suppose you have two PacketShapers when you decide to solve a recent problem with your legacy applications. You will need to create a new traffic class and policy on both PacketShapers. Now imagine the same situation, but with 120 PacketShapers. Configuring your legacy solution now becomes a very tedious job without economy of scale. PolicyCenter solves this dilemma by allowing multiple units to share configurations, letting you change something once instead of 120 times.

Note: This PolicyCenter recommendation assumes that you have a general understanding of PacketWise traffic classes, policies and partitions. If you need to review these concepts, please click on the links above and refer to those sections of PacketGuide.

A PolicyCenter configuration consists of traffic classes, partitions and policies, and basic configuration values, such as login passwords and shaping on/off. Multiple PacketShapers can be assigned to a single PolicyCenter configuration, allowing those units to operate with identical configurations. When you change a configuration, either through PolicyCenter or through the browser or command-line interface of an individual unit, the change immediately affects all units assigned to that configuration. It is this capability of PolicyCenter that truly provides the economy of scale: one single change to a PolicyCenter configuration can result in an instant configuration update on up to 500 different PacketShapers.

PacketShapers running PacketWise software version 5.2 or later can be configured in either shared or local mode.

  • Shared mode: Units configured in shared mode are assigned to a PolicyCenter configuration, and inherit settings from their PolicyCenter configuration. When a unit is in shared mode, PolicyCenter continually synchronizes the unit’s configuration on the PolicyCenter server with the configuration files on that unit’s flash disk; therefore, if you switch from shared mode back to local (or the network connection to the PolicyCenter server is lost), the unit’s configuration in local mode will be the same as its last configuration in shared mode. Units in shared mode may be returned to local mode at any time.

  • Local mode: A unit running in local mode functions independently from other units, and has its entire configuration stored directly on its flash disk. Once PolicyCenter is installed on a network, PacketShapers in local mode can be configured for shared mode and added to PolicyCenter simply by accessing the unit’s web browser interface, selecting the PolicyCenter access setup page, then entering the DNS name or IP address of the directory server, and the PolicyCenter password.

While in shared mode, the files in the unit's flash disk are continually updated to match the PolicyCenter configuration; therefore, if you switch from shared mode back to local, the local configuration will initially be the same as the last shared configuration.

Determine Your Group Configuration Strategy

Before you configure PolicyCenter groups, it is important to identify the traffic classes and configuration attributes that should be included in each group configuration, and thereby shared by all units in that group. Before you create a group of PacketShapers, you should ask yourself:

Are the individual unit configurations mostly the same, or mostly different? Do I want to use PolicyCenter to actively manage my units’ configurations, or just to monitor them?

  • If the units’ configurations are mostly the same, you can use a comprehensive PolicyCenter configuration strategy and manage your units’ configurations all together with a single parent configuration. With this strategy, each unit can retain its own individual child configuration if it needs to vary slightly from the settings it inherits from the parent comprehensive configuration. If you want all units to have completely identical configurations, you can also assign multiple units directly to the comprehensive configuration. See details on creating a comprehensive configuration.

  • If the units you want to group together will have more differences than similarities, or if you do not yet have any units installed on your network, you may want to use a selective PolicyCenter configuration strategy. With this strategy, you will create a parent configuration that controls just the most important traffic classes or other key parts of the configuration, and maintain separate child configurations to manage the rest of your units’ individual settings. See details on creating a selective configuration.

  • If you wish to use PolicyCenter only as a central location for viewing all your units’ configurations, you could use a functional configuration strategy to create a shallow configuration tree with a separate configuration for each unit. With this strategy, the individual units’ configurations could be grouped by location or function for easy reference, but would inherit few if any settings from their parent. This strategy allows you to view information for all your unit configurations from PolicyCenter (and avoids the complexities of configuring inheritable attributes and settings), yet requires you to separately manage each individual unit. See details on creating a functional configuration.

Keep in mind that the configuration strategies suggested here are just that—suggestions. You can use just one type of configuration to manage all your units, or create both comprehensive and selective configurations for different groups of units.

Comprehensive Configurations

This strategy is preferred when the traffic trees for every unit in a group are mostly the same, and only a few variances need to be independently specified on each unit. Organizations using this strategy often have branch offices with very similar types of network traffic, each with the same model of PacketShaper.

As an example, imagine a company with four nearly identical branch offices. Although there is a heavy traffic load running over each network, the types and volumes of network traffic do not vary widely between branches. Additionally, each branch has configured its PacketShaper with the same traffic classes, and set many policies and partitions to protect the network traffic that is considered mission-critical to all four branch offices. Because the networks are so similar, every significant change in the networks requires that all four PacketShapers be individually reconfigured. The company finds this to be too time-consuming, and would like to be able to propagate all the changes at once.

Because the individual units in this example have such similar configurations, all the units could be assigned to a single PolicyCenter comprehensive configuration that would manage the entire traffic tree and other sharable attributes. In this case, you should first identify a primary unit, one unit whose configuration you would like to apply to a group of units. You should then create a comprehensive configuration based upon that primary unit. If all the units have a truly identical configuration, it does not matter which unit you select to be the primary unit. If there are slight variances, select the unit that is the most representative of all others.

To create a comprehensive configuration based on the existing configuration of the primary unit, select the convert option when you first add the unit to PolicyCenter. With this option, the unit’s new PolicyCenter configuration will be based upon its previous local configuration, so the unit will continue to operate with exactly the same settings as it did before. If you add a unit to PolicyCenter without this option, its new PolicyCenter configuration will have default settings only.

After the primary unit has been added to PolicyCenter with its local configuration intact, you can add the other units to PolicyCenter, this time without the convert option. When the convert configuration option is omitted, the units lose any existing traffic classes and settings and are assigned to a new PolicyCenter configuration with default settings only.

Once the new units have been added to PolicyCenter, you should decide whether you want to move their configurations under the comprehensive configuration, creating child configurations that will inherit settings from their new parent configuration, or whether you want to just assign the units directly to the comprehensive configuration.


If the unit’s sharable settings differ in any way from the comprehensive configuration, or you plan on making individual changes in the future, you should move the unit’s configuration under the parent configuration. In this way, you can make individual modifications on the child configuration, changing the settings on the unit without causing changes on any of the other units.

If you want a unit to have exactly the same settings as the comprehensive configuration, you can assign the unit directly to that configuration. Note, however, that any changes you make to a unit assigned to that configuration will affect other units assigned to that configuration, and possibly affect units assigned to the child configurations as well.

Use the following procedure to create a comprehensive PolicyCenter configuration:

  1. Convert the selected unit when you first subscribe it to PolicyCenter, changing its configuration from an individual unit configuration to a new PolicyCenter comprehensive configuration with the same classes and attributes.
  2. Rename the comprehensive configuration. When a unit running PacketWise version 7.0 or later subscribes to PolicyCenter, PolicyCenter creates a unique configuration for that unit, then assigns the unit to that new configuration. These unique configurations are exclusive to the unit for which they were created—no other unit can be assigned to these unique configurations unless the configurations are renamed, or moved to another location within the configuration tree.
  3. Add other units to PolicyCenter without the convert option. When the convert configuration option is omitted, the units lose any existing traffic classes and settings and are assigned to a new PolicyCenter configuration with default settings only.
  4. Depending on how you decided to set up your comprehensive configuration, you can:
    Move the units' configurations under the parent comprehensive configuration. The units' configurations will inherit sharable attributes and settings from the comprehensive configuration, but you can also make individual changes on the child configurations without affecting the comprehensive configuration.
    or
    Reassign the units from their own PolicyCenter configurations to the comprehensive configuration. Now all the units will share the same configuration settings, and can be managed from a single PolicyCenter configuration. Changes to one unit, however, will affect all units and child classes assigned to that configuration.

If you later want to make individual changes to some of the units, you can use the expand operation to create a separate configuration for each unit you want to change.

Selective Configurations

If you want to create a sharable configuration for just a few key traffic classes or attributes (or you do not yet have any PacketShapers on your network) you can create a new PolicyCenter configuration and define values for just those most important traffic classes. This strategy also works well if traffic trees vary widely between each PacketShaper, or you want to create a PolicyCenter configuration only for command scheduling, RADIUS Client or security settings (for example) instead of a complete traffic tree.

As an example, consider an organization with four branch sites, each with a PacketShaper 3500. Each branch site serves a different purpose in the organization, and as a result, the types of traffic considered to be mission-critical at each site vary widely:

Site 1 (sales): WebEx, ShoutCast, Citrix, Pop3, HTTP
Site 2 (product development): FTP, ActiveX, Citrix, Pop3, HTTP
Site 3 (corporate headquarters): Oracle, SAP, Citrix, Pop3, HTTP
Site 4 (manufacturing): IPX, GRE, Citrix, Pop3, HTTP

Let us also suppose that, in addition, all four sites are experiencing network slowdowns as employees download KaZaA music files off the network.

Because the network traffic requirements for each branch office are so different, it would be most efficient to create a selective configuration that controls just the network traffic considered mission-critical to all branch sites (Citrix, Pop3, and HTTPS) and which also blocks the unwanted KaZaA traffic.

Why wouldn't a comprehensive configuration work for this organization? Because a comprehensive group configuration would require you to configure too many individual child configurations with individual differences to be an efficient use of PolicyCenter, or of your time. If this organization did choose to create a comprehensive group configuration based on the local configuration of one of the units, it would later have to expand a separate child configuration for each of the other three units, adding the required traffic classes that did not exist on the first unit, and possibly removing group configuration policies and partitions that protect traffic not considered to be mission-critical at the other three sites. Clearly, this is more effort. With a selective configuration, the units would all be added with the convert option, preserving their different individual local configurations so they don't have to be manually recreated.

Use the following procedure to create a selective PolicyCenter configuration:

  1. Create a new configuration.
  2. Add the required traffic classes to the new configuration, or click the setup tab and use the Setup pages to configure other non-default values for the configuration.
  3. Add a unit to PolicyCenter, using the convert option to retain the unit’s class tree.
  4. Move the unit's PolicyCenter configuration under the selective configuration. The unit's configuration will become a child configuration under the selective parent configuration.
  5. Remove the local override classes on the unit, enabling it to inherit those few individual classes or settings specified in the parent configuration.
  6. Repeat steps 3-5 for any other units you want to add to the new selective configuration.
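
The inheritance behaviour behind steps 4-5, and the change-propagation caveat noted for comprehensive configurations, shown as an added example that is not PolicyCenter code: a simplified Python model in which a child's own class definitions win over inherited ones. The `Config` class, its methods, the policy strings and the unit names are assumptions constructed for illustration; only the traffic class names come from the page.

```python
# Simplified model of PolicyCenter configuration inheritance (added example).
# Class names are from the page; policy strings and unit names are constructed.

class Config:
    def __init__(self, name, parent=None, classes=None):
        self.name = name
        self.parent = parent
        self.classes = dict(classes or {})   # settings defined at this level
        self.children = []
        self.units = []                      # units assigned directly here
        if parent:
            parent.children.append(self)

    def effective(self):
        """Inherited settings, with this level's own definitions winning."""
        merged = self.parent.effective() if self.parent else {}
        merged.update(self.classes)
        return merged

    def overrides(self):
        """Classes defined here that shadow a value inherited from above."""
        inherited = self.parent.effective() if self.parent else {}
        return sorted(c for c in self.classes if c in inherited)

    def reach(self, cls):
        """Units whose behaviour changes if `cls` is edited at this level."""
        hit = list(self.units)
        for child in self.children:
            if cls not in child.classes:     # a local override stops the change
                hit += child.reach(cls)
        return sorted(hit)


def build_selective_tree():
    parent = Config("selective", classes={
        "Citrix": "priority 6", "Pop3": "priority 3",
        "HTTPS": "priority 4", "KaZaA": "discard"})
    # Converted units keep their local class trees, including stale copies
    # of classes the parent now defines (constructed sample values).
    site1 = Config("site1", parent, {"WebEx": "priority 5", "KaZaA": "priority 1"})
    site2 = Config("site2", parent, {"FTP": "priority 2", "Citrix": "priority 4"})
    site1.units.append("shaper-sales")
    site2.units.append("shaper-dev")
    return parent, site1, site2
```

Running `overrides()` on each child after step 4 lists the classes that step 5 still has to remove before the parent's block on KaZaA actually applies to that unit.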

Functional Group Configurations

Though one of the greatest benefits of PolicyCenter is the ability to simultaneously update multiple units, some network administrators use PolicyCenter only to monitor individual units, not to manage them together.

If you want to use PolicyCenter just as a central location for viewing each unit’s configuration, you can create a simple configuration tree with parent configurations that serve only as “folders” to identify groups of units by function or location, and then move each unit’s assigned configuration under the appropriate parent. This type of configuration strategy allows you to monitor and manage all your units from PolicyCenter, yet requires that each change to a unit configuration be done individually.

Suppose you have forty PacketShapers in five different areas of the country. Using this strategy, you would create a default parent configuration for each location, then add the units to PolicyCenter with the convert option so each unit maintains its current configuration settings. The units’ PolicyCenter configurations would then be moved under the appropriate parent.

Because the unit configurations wouldn’t inherit any settings from their parent configurations, the parent configurations would be used only to help locate and identify individual units within the configuration tree.

Use the following procedure to create a Functional PolicyCenter configuration:

  1. Create one new configuration for each location. Give each configuration a name, but do not define any other settings.
  2. Add a unit to PolicyCenter, using the convert option to retain the unit’s class tree.
  3. Move the unit's PolicyCenter configuration under the functional configuration that corresponds to the unit's location. The unit's configuration will become a child configuration under the functional parent configuration "folder."
  4. Repeat steps 2-3 for any other units you want to add to PolicyCenter.

 

PacketGuide™ for PacketWise® 7.4