
3) Full compliance between the name of the subscriber-service and the name of the service in the message from the AAA server

13.1 Policy-filter-list

13.4.5 Policy configuration for subscriber session

The subscriber-policy is used to filter traffic in a subscriber session. Up to 10 such policies can be set for one session. The traffic is processed by each policy in turn, in accordance with its sequence number.

Use the subscriber-policy <NAME> command in configuration mode to create a subscriber-policy, where <NAME> is the name of the entity created.

ecorouter(config)#subscriber-policy ?
SUBSCRIBER_POLICY Subscriber policy name

After the subscriber-policy is created, its context configuration mode is entered automatically.

ecorouter(config)#subscriber-policy subspolname
ecorouter(config-sub-policy)#

The subscriber-policy parameters are shown in the table below.

Table 72

Parameter Description

<BANDWIDTH> Bandwidth in Mbit per sec, from 1 to 200

<DESCRIPTION> Subscriber-policy description

For each subscriber-policy, 2 separate processing rules (filter-map policy) can be set: one for incoming (in) traffic and one for outgoing (out) traffic. If no filter-map policy is set for a direction, the corresponding traffic will not be processed by this policy, and there will be no changes in this traffic.

Attention: unless limitations are specified in a filter-map policy and that policy is assigned to the same direction in the subscriber-policy, the traffic will not be limited to the bandwidth specified.

Use the set filter-map {in | out} <NAME> command in subscriber-policy context configuration mode to assign a filter-map policy to a traffic direction, where <NAME> is the filter-map policy name.

An example of subscriber-policy configuration is shown below (it is assumed that the filter-map policy named FMPname has already been created and configured; creating and configuring a filter-map policy is described below).

ecorouter(config)#subscriber-policy subspolname
ecorouter(config-sub-policy)#description Testsubscrpolicy
ecorouter(config-sub-policy)#bandwidth in 200
ecorouter(config-sub-policy)#set filter-map in FMPname

Filter-map policy creating and configuring

Use the filter-map policy ipv4 <NAME> command in configuration mode to create a filter-map policy, where <NAME> is the filter-map policy name.

ecorouter(config)#filter-map policy ipv4 ?
FILTER_MAP_POLICY_IPV4 Filter map name

EcoRouter User Guide


After the filter-map policy is created, its context configuration mode is entered automatically.

ecorouter(config)#filter-map policy ipv4 FMPname
ecorouter(config-filter-map-policy-ipv4)#

Do the following steps to configure a filter-map policy (as a result, one rule will be created in the filter-map policy):

1. First line. Enter the filter-map policy ipv4 <FILTER_MAP_NAME> [<SEQUENCE_NUMBER>] command where <FILTER_MAP_NAME> is filter-map name, <SEQUENCE_NUMBER> is the. The parameters are described in the table below.

2. Second line. Specify the match <PROTOCOL> <SRC_ADDRESS> [<PORT_CONDITION>] <DST_ADDRESS> [<PORT_CONDITION>] [dscp <DSCPVALUE>] [<FLAG>] rule that the packets will be checked against. The parameters are described in the table below.

3. Third line. Specify the action that will be applied to packets that meet the conditions of the rule, using set <ACTION>. The parameters are described in the table below.

Each filter-map can contain multiple rules. Follow the steps described above to add the rule into filter-map. Specify the <FILTER_MAP_NAME> of the filter-map where the rule should be added. The rule must have a unique <SEQUENCE> number within the same filter-map policy.

The common parameters of filter-map policy are described in the table below.

Table 73

Parameter Description

DIRECTION Traffic direction: in - incoming traffic, out - outgoing traffic

FILTER_MAP_NAME Filter-map name, an arbitrary value

SEQUENCE_NUMBER Execution priority number, value range 0-65535. If the value is not specified, the parameter for the created filter-map ethernet will automatically receive the next free value in steps of 10

PROTOCOL Protocol field value. Can be specified as a number from the range 0-255 or as one of the values shown below:

ipinip;
icmp;
gre;
igmp;
pim;
rsvp;
ospf;
vrrp;
ipcomp;
any;
udp (attention, for this protocol the additional parameters <PORT_CONDITION> are available);
tcp (attention, for this protocol the additional parameters <PORT_CONDITION> and <FLAG> are available)

SRC_ADDRESS Source IP address, specified in one of the following formats:

A.B.C.D/M (IP address with mask),
A.B.C.D K.L.M.N (IP address with a wildcard mask),
host A.B.C.D (if a single address should match the rule),
any (if all addresses should match the rule)

DST_ADDRESS Destination IP address, specified in one of the following formats:

A.B.C.D/M (IP address with mask),
A.B.C.D K.L.M.N (IP address with a wildcard mask),
host A.B.C.D (if a single address should match the rule),
any (if all addresses should match the rule)

DSCPVALUE DSCP (Differentiated Services Code Point) value to check packet, integer from 0 to 63

set <ACTION>

set accept Allow the packet transit

set discard Disallow the packet transit without sending ICMP notification

set redirect <REDIRECTNAME> Redirect the HTTP GET to the specific <REDIRECTNAME>, where <REDIRECTNAME> is the name of the predefined URL (the redirection address must start with http://). An example of the redirection setting is shown below.

set reject Disallow the packet transit with sending ICMP notification

When specifying the udp protocol, the second line of the filter-map creation command will look like this: match udp <SRC_ADDRESS> [<PORT_CONDITION>] <DST_ADDRESS> [<PORT_CONDITION>] [dscp <DSCPVALUE>].

The additional parameters related to the udp protocol are shown in the table below.

Table 74

Parameter Description

PORT_CONDITION Condition for the port value. One of the following values can be specified: {{eq | gt | lt} {tftp | bootp | <0-65535>} | range <0-65535> <0-65535>}

PORT_CONDITION values

eq Port number is equal to

gt Port number is greater than

lt Port number is less than

tftp UDP(69)

bootp UDP(67)

<0-65535> Exact port number, any value from the specified range

range <0-65535> <0-65535> Port number is in range

When specifying the tcp protocol, the second line of the filter-map creation command will look like this: match tcp <SRC_ADDRESS> [<PORT_CONDITION>] <DST_ADDRESS> [<PORT_CONDITION>] [dscp <DSCPVALUE>] [<FLAG>].

The additional parameters related to the tcp protocol are shown in the table below.

Table 75

Parameter Description

PORT_CONDITION Condition for the port value. One of the following values can be specified: {{eq | gt | lt} {ftp | ssh | telnet | www | <0-65535>} | range <0-65535> <0-65535>}

FLAG The values of the flag by which packet processing can be distinguished. One of the following values can be specified (the not- prefix means that the specified flag is not set):

urg | not-urg | ack | not-ack | psh | not-psh | rst | not-rst | syn | not-syn | fin | not-fin

PORT_CONDITION values

eq Port number is equal to

gt Port number is greater than

lt Port number is less than

ftp TCP(21)

ssh TCP(22)

telnet TCP(23)

www TCP(HTTP-80)

<0-65535> Exact port number, any value from the specified range

range <0-65535> <0-65535> Port number is in range

Specifying the address for redirection

ecorouter(config)#redirect-url SITEREDIRECT
ecorouter(config-redirect-url)#url http://forredirect.org

Example of configuration for traffic processing in subscriber session

In this example the static IPoE is configured.

As a result of the following settings, all incoming icmp traffic will be discarded at the input, incoming udp traffic will be limited to 20 Mbps, and incoming tcp traffic will pass unchanged (by using the filter-map policy named NAME1).

The outgoing traffic will be limited to 5 Mbps (by using the filter-map policy named NAME2), and outgoing tcp traffic on port 80 will be redirected to http://forredirect.org.


!
filter-map policy ipv4 NAME1 10
 match icmp any any
 set discard
filter-map policy ipv4 NAME1 20
 match udp any any
 set accept
filter-map policy ipv4 NAME2 10
 match tcp any any eq 80
 set redirect SITEREDIRECT
filter-map policy ipv4 NAME2 20
 match any any any
 set accept
!
subscriber-policy NAME
 bandwidth in 20
 set filter-map in NAME1 10
 bandwidth out 5
 set filter-map out NAME2 10
!
subscriber-service NAME
 set policy NAME
!
ip prefix-list NAME seq 5 permit 10.10.10.100/32 eq 32
!
subscriber-map NAME 10
 match static prefix-list NAME
 set service NAME
!
interface ipoe.1
 ip mtu 1500
 ip address 10.10.10.1/24
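
The Attention note above says a bandwidth value takes effect only when a filter-map policy is assigned to the same direction, and the action table requires the redirection address to start with http://. The Python check below is an added example, not part of the EcoRouter guide; it assumes a saved configuration in the layout shown above with sub-commands indented under their block header, and the policy name GOLD and both mistakes in the sample are constructed.

```python
import re

# Constructed sample in the layout of the page's configuration example;
# the policy name GOLD and both mistakes are made up for illustration.
SAMPLE_CONFIG = """\
!
subscriber-policy GOLD
 bandwidth in 20
 set filter-map in NAME1 10
 bandwidth out 5
!
redirect-url SITEREDIRECT
 url forredirect.org
!
"""

def audit(config_text):
    """Return findings for subscriber-policy and redirect-url blocks, in file order."""
    findings = []
    kind = name = None
    limits, maps = set(), set()

    def close_block():
        # A bandwidth value with no filter-map in the same direction is not enforced.
        if kind == "subscriber-policy":
            for direction in sorted(limits - maps):
                findings.append(f"{name}: bandwidth {direction} has no filter-map {direction}")

    for raw in config_text.splitlines() + ["!"]:
        line = raw.strip()
        header = re.fullmatch(r"(subscriber-policy|redirect-url)\s+(\S+)", line)
        if header or not raw[:1].isspace():  # assumption: sub-commands are indented
            close_block()
            kind, name = header.groups() if header else (None, None)
            limits, maps = set(), set()
        elif kind == "subscriber-policy":
            # "bandwid?th" also accepts the "bandwith" spelling seen in some listings.
            m = re.match(r"(bandwid?th|set filter-map)\s+(in|out)\b", line)
            if m:
                (maps if m.group(1) == "set filter-map" else limits).add(m.group(2))
        elif kind == "redirect-url":
            m = re.fullmatch(r"url\s+(\S+)", line)
            if m and not m.group(1).startswith("http://"):
                findings.append(f"{name}: redirect URL does not start with http://")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the check reports the unenforced outgoing limit on GOLD and the redirect URL without the http:// prefix.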

14 Tunneling Configuration

Tunneling is a mechanism of transferring one protocol's packets inside another's, which allows data to be transferred securely between two networks.

A tunnel is a logical point-to-point connection which is defined by a source tunnel point and a destination tunnel point.

14.1 GRE

GRE (Generic Routing Encapsulation) is a protocol mechanism which uses IP (UDP) as a transport protocol and can be used for transmitting other protocols inside it.

To be sent via a GRE tunnel, an IP packet gets an additional GRE header when it goes through the interface. In the header, the start tunnel point IP address and the finish tunnel point IP address are specified as the source address and destination address. After the packet arrives at the tunnel destination address interface, the service GRE header is removed and the packet is processed according to its native IP header.

Figure 20