SYSTEM ADMINISTRATOR GUIDE     1543-CRA 119 1170/1-V1 Uen C    

Application Traffic Management Configuration and Operation

© Ericsson AB 2009–2010. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.

Disclaimer

The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.

Trademark List

SmartEdge is a registered trademark of Telefonaktiebolaget LM Ericsson.
NetOp is a trademark of Telefonaktiebolaget LM Ericsson.

Contents

1     Introduction
2     Aggregate and Control Application Traffic According to Class and Subscriber
2.1   Configure a DPI ACL Policy
2.2   Configure a DPI QoS Profile
2.3   Configure a DPI Traffic Management Action Policy
2.4   Configure a DPI Traffic Management Policy
2.5   Configure a Default DPI Traffic Management Policy
2.6   Assign a DPI Traffic Management Policy to a Subscriber
2.7   Per Class Per Subscriber Level Traffic Management Example Configuration
3     Aggregate and Control Application Traffic According to Subscriber
3.1   Configure a Subscriber DPI QoS Profile
3.2   Add a Subscriber DPI QoS Profile to a DPI Traffic Management Policy
3.3   Subscriber Level Traffic Management Example Configuration
4     Configure Traffic Handling for Security Service Resource Failure
4.1   Configuration Tasks
5     Configure Logging and Reporting
5.1   Enable Statistics Reporting
5.2   Configure Statistics Interval
5.3   Configuration Example
6     Display Application Traffic Management Information
7     Dynamically Update the P2P Signature File
7.1   Download the Signature File
7.2   Configure the Signature File
8     Configure Subscriber Session Limiting
8.1   Configuration Tasks
8.2   Configuration Example
9     Clear Subscriber Sessions
10    Clear Statistics
11    Enable Debug Messages
12    Sample Configuration
13    Command Hierarchy
Glossary
Reference List


1   Introduction

Note:  
In this document and in the CLI, the term Deep Packet Inspection (DPI) is used interchangeably with application traffic management, and encompasses both DPI and heuristics.

When the SmartEdge® router detects application traffic, you can configure the node to apply a DPI traffic management policy. A DPI traffic management policy classifies the traffic and maps it to one or more classes. Each class is associated with a set of actions that applies to all traffic mapping for that class.

You can also configure additional levels of aggregate traffic control to manipulate DPI traffic at more granular levels.

The following traffic control levels are supported:

Figure 1   DPI Aggregate Traffic Control Levels

Traffic management actions are applied first to classes within the subscriber traffic, and then to all traffic associated with a subscriber.

For detailed command descriptions and usage guidelines, see Reference [6]. For overview information on the concepts presented in this document, see Reference [7].

2   Aggregate and Control Application Traffic According to Class and Subscriber

Configure the SmartEdge router to capture and analyze application traffic and perform per class per subscriber level control actions on the traffic by performing the following steps:

  1. Configure a DPI traffic management policy.

    A DPI traffic management policy references a DPI ACL policy and DPI traffic management action policy; a DPI traffic management action policy references a DPI QoS profile.

    1. Create a DPI ACL policy.
    2. Create a DPI QoS profile.
    3. Create a DPI traffic management action policy.
    4. Create a DPI traffic management policy and a default DPI traffic management policy.
  2. Assign a DPI traffic management policy to a subscriber.

The following figure illustrates the configuration workflow.

Figure 2   Configuration Workflow

2.1   Configure a DPI ACL Policy

The DPI ACL policy maps the incoming traffic to a single class value. An ACL policy uses statements to define how packets are assigned to classes. The seq sequence-number construct defines the order in which the statements are evaluated; if it is omitted, the system assigns a sequence number. A packet that does not match the criteria of the first statement is subject to the criteria of the second statement, and so on, until the end of the ACL policy is reached. The default class defined in the DPI ACL policy is used to map all traffic that was not classified into one of the other classes.

Traffic can be classified based on application protocol or transport protocol, or on application protocol category. An application or protocol category groups together applications or protocols used for a similar purpose; for example, streaming, messaging, file transfer, and so on. If a category is specified, all applications defined in the category are included.

Each application or category can be qualified with the host network; for example, BitTorrent application from a host in network 1.1.1.0/24. The IP prefix specified as the network address is matched against the destination address for inbound traffic from the subscriber and against the source address for outbound traffic to the subscriber.
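The classification behaviour described above, as an added Python model. This is illustration code written for this page, not SmartEdge software: the DpiAcl, Statement and Flow names, the automatic sequence numbering and the category membership table are assumptions of the example (the real category contents come from the signature file, and the protocol/port form of statement is not modelled). It reproduces the acl_01 example from Section 2.1.2 so that first-match ordering, the default class and the direction-dependent network match can be exercised on constructed flows.

```python
"""Model of DPI ACL classification (Section 2.1). Added illustration, not SmartEdge code.

Statements are evaluated in sequence order and the first match wins; traffic that
matches nothing gets the default class. The network qualifier is matched against
the destination address for inbound traffic (from the subscriber) and against the
source address for outbound traffic (to the subscriber).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed category membership for the example; the real membership is defined
# by the signature file and is not given on the page.
CATEGORIES = {
    "streaming": {"rtsp", "youtube"},
    "gaming": {"xbox-live", "steam"},
}


@dataclass
class Flow:
    application: str   # application name identified by DPI
    src: str           # source IP address of the packet
    dst: str           # destination IP address of the packet
    direction: str     # "in" = from the subscriber, "out" = to the subscriber


@dataclass(order=True)
class Statement:
    seq: int                                   # only the sequence number takes part in ordering
    match_kind: str = field(compare=False)     # "application" or "category"
    match_value: str = field(compare=False)
    cls: str = field(compare=False)
    network: Optional[str] = field(default=None, compare=False)   # None means "any"

    def matches(self, flow: Flow) -> bool:
        if self.match_kind == "application":
            if flow.application != self.match_value:
                return False
        elif self.match_kind == "category":
            if flow.application not in CATEGORIES.get(self.match_value, set()):
                return False
        else:
            raise ValueError(f"unknown match kind {self.match_kind!r}")
        if self.network is None:
            return True
        # Host network qualifier: destination for inbound, source for outbound traffic.
        addr = flow.dst if flow.direction == "in" else flow.src
        return ip_address(addr) in ip_network(self.network)


class DpiAcl:
    def __init__(self, name: str, default_class: str):
        self.name = name
        self.default_class = default_class
        self.statements = []
        self._next_seq = 10   # assumed auto-numbering; the page only says the system assigns a number

    def add(self, match_kind, match_value, cls, network=None, seq=None):
        if seq is None:
            seq = self._next_seq
        self._next_seq = max(self._next_seq, seq) + 10
        self.statements.append(Statement(seq, match_kind, match_value, cls, network))
        self.statements.sort()   # keep evaluation in sequence-number order

    def classify(self, flow: Flow) -> str:
        for statement in self.statements:
            if statement.matches(flow):
                return statement.cls
        return self.default_class


def build_acl_01() -> DpiAcl:
    """The acl_01 example from Section 2.1.2, expressed in this model."""
    acl = DpiAcl("acl_01", "cl_def")
    acl.add("application", "bittorrent", "cl_01", seq=10)
    acl.add("category", "streaming", "cl_01", network="1.1.1.0/24", seq=20)
    acl.add("category", "gaming", "cl_02", network="4.1.1.0/24", seq=30)
    acl.add("application", "skype", "cl_03", seq=40)
    return acl
```

The third and fourth flows in the checks below carry the same addresses but opposite directions, which is the point of the direction rule: the network qualifier selects which address of the packet is compared, so a streaming flow is only classified as cl_01 when the subscriber-facing side of the packet is in 1.1.1.0/24.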

2.1.1   Configuration Tasks

To configure a DPI ACL policy, enter the following commands:

  1. Create a DPI ACL policy.

    (config)#dpi access-list acl-name

  2. Optional. Define a default class to which traffic is mapped if it is not classified into one of the classes defined in the DPI ACL policy.

    (dpi-acl)#default-class class-name

  3. Create ACL policy statements to classify packets that meet the specified criteria.

    (dpi-acl)#[seq sequence-number] protocol protocol {network network-prefix/prefix-length | any} {cond source-port | range source-start-port source-end-port} [cond dest-port | range dest-start-port dest-end-port] class class-name

    (dpi-acl)#[seq sequence-number] protocol protocol {network network-prefix/prefix-length} class class-name

    (dpi-acl)#[seq sequence-number] {application application-name | category category-name} [network network-prefix/prefix-length | any] class class-name

  4. Commit the transaction.

To view configured DPI ACL policies, enter the following command in any mode:

> show dpi asp slot/asp-id access-list [list-name]

The ASE card has two ASPs, identified as 1 and 2. For information on ASE cards, ASP pools, and ASP groups, see Reference [4]. For configuration information, see Reference [2] and Reference [3].

2.1.2   Configuration Example

The following example configures the DPI ACL policy acl_01.

[local]Redback(config)#dpi access-list acl_01
[local]Redback(dpi-acl)#default-class cl_def
[local]Redback(dpi-acl)#seq 10 application bittorrent class cl_01
[local]Redback(dpi-acl)#seq 20 category streaming network 1.1.1.0/24 class cl_01
[local]Redback(dpi-acl)#seq 30 category gaming network 4.1.1.0/24 class cl_02
[local]Redback(dpi-acl)#seq 40 application skype class cl_03

2.2   Configure a DPI QoS Profile

QoS policies create and enforce Quality of Service (QoS) levels and bandwidth rates. A policy applies to only a particular class of packets; the class is configured using a DPI traffic management action policy, and this is referred to as a class-based action. For more information on ACLs and QoS class definitions, marking, and rate-limiting, see Reference [8].

A DPI QoS profile handles traffic in one of two ways: by marking packets, or by rate-limiting them.

These two actions are mutually exclusive. Only one marking instruction can be in effect at a time. Any succeeding marking or rate-limiting command supersedes the previous instruction.

2.2.1   Configuration Tasks

To configure a DPI QoS profile, enter the following commands:

  1. Create a DPI QoS profile.

    (config)#dpi qos profile profile-name [policing | metering]

    If you do not specify policing or metering, a bidirectional rate limiting QoS profile is implied.

  2. Optional. Mark packets associated with the policy with one of the following tasks:
  3. Optional. Set the policy rate for packets.

    (dpi-qos)#rate kbps {burst bytes | time-burst msec}

  4. Optional. Specify the treatment of packets that conform to the set rate with one of the following tasks:
  5. Optional. Specify the treatment of packets that exceed the set rate with one of the following tasks:
  6. Commit the transaction.

To view configured DPI QoS profiles, enter the following command in any mode:

> show dpi asp slot/asp-id qos profile [profile-name]

2.2.2   Configuration Example

The following example configures the DPI QoS profile qos_prof_01.

[local]Redback(config)#dpi qos profile qos_prof_01
[local]Redback(dpi-qos)#rate 64 burst 3000
[local]Redback(dpi-qos-rate)#conform mark dscp df
[local]Redback(dpi-qos-rate)#exceed drop

The following example configures the DPI QoS profile qos_prof_02.

[local]Redback(config)#dpi qos profile qos_prof_02
[local]Redback(dpi-qos)#mark dscp 7

The following example configures the DPI QoS profile qos_prof_03.

[local]Redback(config)#dpi qos profile qos_prof_03 policing
[local]Redback(dpi-qos)#rate 64 burst 2000
[local]Redback(dpi-qos-rate)#exceed mark dscp 6

The following example configures the DPI QoS profile qos_prof_04.

[local]Redback(config)#dpi qos profile qos_prof_04 metering
[local]Redback(dpi-qos)#rate 64 burst 1500
[local]Redback(dpi-qos-rate)#conform mark dscp df
[local]Redback(dpi-qos-rate)#exceed mark dscp 8
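The four profiles above, as an added Python model of how a DPI QoS profile treats packets. This is illustration code written for this page, not SmartEdge software. It assumes a token-bucket interpretation of `rate kbps burst bytes` (the bucket refills at the configured rate and holds at most `burst` bytes), treats a packet that fits in the bucket as conforming and any other packet as exceeding, and applies the configured conform or exceed action. The DpiQosProfile and Action names and the packet sizes and timestamps in the checks are constructed; the mutual exclusion of `mark` and `rate`, where the later command supersedes the earlier one, follows the text of Section 2.2.

```python
"""Model of DPI QoS profile behaviour (Section 2.2). Added illustration, not SmartEdge code.

A profile carries either a marking instruction (`mark dscp`) or a rate-limiting
instruction (`rate kbps burst bytes` with conform/exceed actions); configuring one
supersedes the other. Rate limiting is modelled as a token bucket. Time is passed in
explicitly so the example runs offline.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Action:
    kind: str = "pass"           # "pass" (forward unchanged), "mark" or "drop"
    dscp: Optional[str] = None   # DSCP value for "mark", for example "df" or "6"


class DpiQosProfile:
    def __init__(self, name: str, mode: str = "bidirectional"):
        self.name = name
        self.mode = mode            # "bidirectional" (default), "policing" or "metering"
        self.mark_dscp = None       # set by mark()
        self.rate_bytes_s = None    # set by rate(); None means no rate limiting
        self.burst = 0
        self.tokens = 0.0
        self.last = 0.0
        self.conform = Action()
        self.exceed = Action()

    def mark(self, dscp: str) -> None:
        """`mark dscp <dscp>`: marking only; supersedes any rate-limiting instruction."""
        self.rate_bytes_s = None
        self.mark_dscp = dscp

    def rate(self, kbps: int, burst_bytes: int,
             conform: Optional[Action] = None, exceed: Optional[Action] = None) -> None:
        """`rate <kbps> burst <bytes>` with its conform/exceed actions; supersedes marking."""
        self.mark_dscp = None
        self.rate_bytes_s = kbps * 1000 / 8     # kbit/s -> bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)        # the bucket starts full
        self.last = 0.0
        self.conform = conform or Action()
        self.exceed = exceed or Action()

    def handle(self, size: int, now: float) -> Tuple[str, str, Optional[str]]:
        """Return (verdict, disposition, dscp) for a packet of `size` bytes seen at `now` seconds."""
        if self.rate_bytes_s is None:
            # Marking-only profile: every packet is forwarded with the configured DSCP (if any).
            return ("conform", "forward", self.mark_dscp)
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_bytes_s)
        if size <= self.tokens:
            self.tokens -= size
            verdict, action = "conform", self.conform
        else:
            verdict, action = "exceed", self.exceed
        if action.kind == "drop":
            return (verdict, "drop", None)
        return (verdict, "forward", action.dscp)


def build_profiles() -> dict:
    """The profiles qos_prof_01 to qos_prof_04 from Section 2.2.2, in this model."""
    p1 = DpiQosProfile("qos_prof_01")
    p1.rate(64, 3000, conform=Action("mark", "df"), exceed=Action("drop"))
    p2 = DpiQosProfile("qos_prof_02")
    p2.mark("7")
    p3 = DpiQosProfile("qos_prof_03", "policing")
    p3.rate(64, 2000, exceed=Action("mark", "6"))
    p4 = DpiQosProfile("qos_prof_04", "metering")
    p4.rate(64, 1500, conform=Action("mark", "df"), exceed=Action("mark", "8"))
    return {p.name: p for p in (p1, p2, p3, p4)}
```

At 64 kbit/s the bucket refills at 8000 bytes per second, so qos_prof_01 admits two 1500-byte packets from a full 3000-byte bucket and drops a third sent at the same instant, while 100 ms later 800 bytes of credit have accrued again; the metering profile qos_prof_04 marks instead of dropping, so the exceeding packet is still forwarded, only with DSCP 8.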

2.3   Configure a DPI Traffic Management Action Policy

A DPI traffic management action policy is a collection of class entries, with each class defining one or more actions for that class. Actions are applied to traffic mapped to the class through the DPI traffic management policy. Specify a class as default class to process traffic assigned to a class that is not defined in the action policy.

2.3.1   Configuration Tasks

To configure a DPI traffic management action policy, enter the following commands:

  1. Create a DPI traffic management action policy.

    (config)#dpi traffic-management action policy name

  2. Optional. Specify a class as the default class to process all traffic assigned to a class that is not defined in the action policy.

    (action)#default-class class-name

  3. Create a class entry to define actions to apply to traffic mapped to the class.

    (action)#class class-name

  4. Optional. Apply rate-limiting or traffic impairment by applying a DPI QoS profile to traffic mapped to the class.

    (class)#qos profile profile-name [policing | metering]

    You can apply one policing and one metering QoS profile to a single class. However, you cannot apply a policing or metering QoS profile together with a bidirectional profile.

  5. Optional. Generate a log when application traffic is detected in traffic mapped to the class.

    (class)#log detection

    A log is generated for every flow for every application for every subscriber, regardless of subscriber configuration. All detected flows are logged.

    Note:  
    Logging application traffic detection should only be enabled for debugging purposes; log generation may affect system performance.

  6. Optional. Drop traffic mapped to the class without rate-limiting.

    (class)#drop

  7. Commit the transaction.

To view configured DPI traffic management action policies, enter the following command in any mode:

> show dpi asp slot/asp-id traffic-management action policy [policy-name]

2.3.2   Configuration Example

The following example configures the DPI traffic management action policy acp_01.

[local]Redback(config)#dpi traffic-management action policy acp_01
[local]Redback(action)#default-class cl_def
[local]Redback(action)#class cl_def
[local]Redback(class)#qos profile qos_prof_01
[local]Redback(class)#log detection
[local]Redback(class)#exit
[local]Redback(action)#class cl_01
[local]Redback(class)#qos profile qos_prof_02
[local]Redback(class)#exit
[local]Redback(action)#class cl_02
[local]Redback(class)#exit
[local]Redback(action)#class cl_03
[local]Redback(class)#qos profile qos_prof_03 policing
[local]Redback(class)#qos profile qos_prof_04 metering

2.4   Configure a DPI Traffic Management Policy

A traffic management policy includes a reference to a DPI ACL policy and a traffic management action policy. The DPI ACL policy maps the traffic to a class, and each class is associated with a set of actions that applies to all traffic mapped to that class.

2.4.1   Configuration Tasks

To configure a DPI traffic management policy, enter the following commands:

  1. Configure a DPI traffic management policy.

    (config)#dpi traffic-management policy policy-name

  2. Associate the DPI traffic management policy with a DPI access-list.

    (config-dpi-policy)#access-group acl-name

  3. Associate the DPI traffic management policy with a DPI traffic management action policy.

    (config-dpi-policy)#action policy action-policy-name

  4. Commit the transaction.

To view configured DPI traffic management policies, enter the following command in any mode:

> show dpi asp slot/asp-id traffic-management policy [policy-name]

2.4.2   Configuration Example

The following example configures the DPI traffic management policy dpi_pol_01 and associates it with the DPI ACL policy acl_01 and the DPI traffic management action policy acp_01.

[local]Redback(config)#dpi traffic-management policy dpi_pol_01
[local]Redback(config-dpi-policy)#access-group acl_01
[local]Redback(config-dpi-policy)#action policy acp_01

2.5   Configure a Default DPI Traffic Management Policy

A global default traffic management policy is applied to traffic when the specified policy is not configured.

2.5.1   Configuration Tasks

To configure a default DPI traffic management policy, enter the following commands:

  1. Configure a global default DPI traffic management policy.

    (config)#dpi traffic-management policy default

  2. Associate the DPI traffic management policy with a DPI access-list.

    (config-dpi-policy)#access-group acl-name

  3. Associate the DPI traffic management policy with a DPI traffic management action policy.

    (config-dpi-policy)#action policy action-policy-name

  4. Commit the transaction.

To view configured DPI traffic management policies, enter the following command in any mode:

> show dpi asp slot/asp-id traffic-management policy [policy-name]

2.5.2   Configuration Example

The following example configures the DPI traffic management policy default and associates it with the DPI ACL policy acl_02 and the DPI traffic management action policy acp_02.

[local]Redback(config)#dpi traffic-management policy default
[local]Redback(config-dpi-policy)#access-group acl_02
[local]Redback(config-dpi-policy)#action policy acp_02

2.6   Assign a DPI Traffic Management Policy to a Subscriber

The DPI traffic management policy name can be obtained through RADIUS (VSA 203 Security-Service) or configured in the subscriber record; for more information, see RADIUS Attributes. During the subscriber session's lifetime, the DPI traffic management policy associated with an active subscriber can be changed through RADIUS reauthentication or through Change of Authorization (CoA).

There are two ways to configure DPI traffic management for a subscriber: through RADIUS, using the Security-Service VSA, or through the CLI, in the subscriber record.

To apply application traffic management to a subscriber, associate the subscriber record with a DPI traffic management policy. Different subscribers can be mapped to different DPI traffic management policies; a single traffic management policy can be used with many subscribers. Only one DPI traffic management policy can be associated with each subscriber record.

Note:  
NAT and DPI traffic management policies are mutually exclusive and cannot be applied together for a subscriber; NAT takes precedence over ASE security services.

2.6.1   Configuration Tasks

To apply a DPI traffic management policy through the CLI to a subscriber, default subscriber, or subscriber profile, enter the following command in subscriber configuration mode:

(config-sub)# dpi traffic-management policy policy-name

For a reauth or CoA to activate the policy, you must also configure the Security-Service VSA for this in RADIUS.

To configure the Security-Service VSA in RADIUS, perform one or more of the following steps:

  1. To enable CoA or reauthorization for a DPI policy, configure RADIUS to send VSA 203 with the following format at initial logon for a subscriber session:

    Security-Service="dpi traffic-management enable-coa"

This VSA must be sent at the time of initial subscriber login; otherwise, it is not possible to activate DPI services later in the session.

  2. To apply a DPI policy to a subscriber through CoA or reauthorization, configure RADIUS to add the following lines to the subscriber record:

    Security-Service="dpi traffic-management enable-coa"

    Security-Service+="dpi traffic-management policy policy-name"

  3. To associate a DPI policy to a subscriber without CoA or reauthorization support, configure RADIUS to add only the following line to the subscriber record:

    Security-Service="dpi traffic-management policy policy-name"

  4. To delete a DPI policy from a subscriber through CoA or reauthorization, configure RADIUS to send the following line:

    Security-Service="dpi traffic-management policy"

    Either an invalid policy name or no DPI policy name sent in this line causes the policy to be deleted from the subscriber record after reauthorization.

When a DPI traffic management policy change is applied, changes to the QoS profile take effect immediately on existing flows. Other changes to the contents of the DPI traffic management action policy or the DPI traffic management ACL take effect immediately for new flows.
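The RADIUS steps above, as an added Python model of how the Security-Service VSA drives the policy held in a subscriber record. This is illustration code written for this page, not SmartEdge software: the SubscriberSession class, its method names and the sample RADIUS records are constructed for the example. The rules it encodes are the ones stated in the text: enable-coa must be present at initial login for a later CoA or reauthorization to change the policy, a policy line names the DPI traffic management policy to apply, and a policy line with a missing or invalid name deletes the policy from the record.

```python
"""Model of Security-Service (VSA 203) handling for a subscriber's DPI policy (Section 2.6.1).

Added illustration, not SmartEdge code. The sample records below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

ENABLE_COA = "dpi traffic-management enable-coa"
POLICY_PREFIX = "dpi traffic-management policy"

# Matches both the Security-Service="..." and Security-Service+="..." forms used on the page.
_LINE = re.compile(r'^\s*Security-Service\+?=\s*"(.*)"\s*$')

# Constructed sample RADIUS records (not from the page).
LOGIN_WITH_COA = '''
Security-Service="dpi traffic-management enable-coa"
Security-Service+="dpi traffic-management policy dpi_pol_01"
'''
LOGIN_WITHOUT_COA = 'Security-Service="dpi traffic-management policy dpi_pol_01"'
COA_SWITCH = 'Security-Service="dpi traffic-management policy dpi_pol_02"'
COA_DELETE = 'Security-Service="dpi traffic-management policy"'
COA_UNKNOWN = 'Security-Service="dpi traffic-management policy no_such_policy"'


def parse_security_service(record: str) -> List[str]:
    """Return the Security-Service values found in a RADIUS record, in order."""
    values = []
    for line in record.strip().splitlines():
        m = _LINE.match(line)
        if m:
            values.append(m.group(1).strip())
    return values


@dataclass
class SubscriberSession:
    configured_policies: Set[str]     # DPI traffic management policies defined on the router
    coa_enabled: bool = False         # True once enable-coa was received at initial login
    policy: Optional[str] = None      # policy currently applied to the subscriber
    events: List[str] = field(default_factory=list)

    def initial_login(self, record: str) -> Optional[str]:
        """Process the attributes sent at session start; returns the active policy."""
        for value in parse_security_service(record):
            if value == ENABLE_COA:
                self.coa_enabled = True
            elif self._is_policy_line(value):
                self._apply_policy(value)
        return self.policy

    def coa(self, record: str) -> Optional[str]:
        """Process a CoA or reauthorization; returns the (possibly unchanged) active policy."""
        if not self.coa_enabled:
            self.events.append("ignored: enable-coa was not sent at initial login")
            return self.policy
        for value in parse_security_service(record):
            if self._is_policy_line(value):
                self._apply_policy(value)
        return self.policy

    @staticmethod
    def _is_policy_line(value: str) -> bool:
        return value == POLICY_PREFIX or value.startswith(POLICY_PREFIX + " ")

    def _apply_policy(self, value: str) -> None:
        name = value[len(POLICY_PREFIX):].strip()
        if name and name in self.configured_policies:
            self.policy = name
            self.events.append(f"policy {name} applied")
        else:
            # A missing or invalid policy name deletes the policy from the subscriber record.
            self.policy = None
            self.events.append(f"policy deleted (name sent: {name!r})")
```

The second session in the checks shows the failure mode the text warns about: without enable-coa at login the subscriber keeps dpi_pol_01 for the life of the session, and a later CoA that tries to change or remove it is ignored.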

Note:  
The subscriber's context must be enabled for advanced security services. See Reference [3] for information on the asp-group command.

2.6.2   Configuration Example

The following example applies the DPI traffic management policy dpi_pol_01 to subscriber joe.

[isp1]Redback(config-ctx)#subscriber name joe
[isp1]Redback(config-sub)#dpi traffic-management policy dpi_pol_01

2.7   Per Class Per Subscriber Level Traffic Management Example Configuration

The following example shows a full configuration of per class per subscriber level application traffic management, including a DPI ACL policy (acl_01), DPI QoS profiles (qos_prof_01, qos_prof_02, qos_prof_03), a DPI traffic management action policy (acp_01), and a DPI traffic management policy (dpi_pol_01). The policy is assigned to subscriber joe.

[local]Redback(config)#dpi access-list acl_01
[local]Redback(dpi-acl)#default-class cl_def
[local]Redback(dpi-acl)#seq 10 application bittorrent class cl_01
[local]Redback(dpi-acl)#seq 20 category streaming network 1.1.1.0/24 class cl_02
[local]Redback(dpi-acl)#exit
[local]Redback(config)#dpi qos profile qos_prof_01
[local]Redback(dpi-qos)#rate 64 burst 3000
[local]Redback(dpi-qos-rate)#conform mark dscp df
[local]Redback(dpi-qos-rate)#exceed drop
[local]Redback(dpi-qos-rate)#exit
[local]Redback(dpi-qos)#exit
[local]Redback(config)#dpi qos profile qos_prof_02
[local]Redback(dpi-qos)#mark dscp 7
[local]Redback(dpi-qos)#exit
[local]Redback(config)#dpi qos profile qos_prof_03 policing
[local]Redback(dpi-qos)#rate 64 burst 2000
[local]Redback(dpi-qos-rate)#exceed mark dscp 6
[local]Redback(dpi-qos-rate)#exit
[local]Redback(dpi-qos)#exit
[local]Redback(config)#dpi qos profile qos_prof_04 metering
[local]Redback(dpi-qos)#rate 64 burst 1500
[local]Redback(dpi-qos-rate)#conform mark dscp df
[local]Redback(dpi-qos-rate)#exceed mark dscp 8
[local]Redback(dpi-qos-rate)#exit
[local]Redback(dpi-qos)#exit
[local]Redback(config)#dpi traffic-management action policy acp_01
[local]Redback(action)#default-class default
[local]Redback(action)#class cl_def
[local]Redback(class)#qos profile qos_prof_01
[local]Redback(class)#log detection
[local]Redback(class)#exit
[local]Redback(action)#class cl_01
[local]Redback(class)#qos profile qos_prof_02
[local]Redback(class)#exit
[local]Redback(action)#class cl_02
[local]Redback(class)#qos profile qos_prof_03 policing
[local]Redback(class)#qos profile qos_prof_04 metering
[local]Redback(class)#exit
[local]Redback(action)#class default
[local]Redback(action)#exit
[local]Redback(config)#dpi traffic-management policy dpi_pol_01
[local]Redback(config-dpi-policy)#access-group acl_01
[local]Redback(config-dpi-policy)#action policy acp_01
[local]Redback(config-dpi-policy)#exit
[local]Redback(config)#context isp1
[isp1]Redback(config-ctx)#subscriber name joe
[isp1]Redback(config-sub)#dpi traffic-management policy dpi_pol_01

3   Aggregate and Control Application Traffic According to Subscriber

In addition to configuring traffic management according to class and subscriber, you can configure a SmartEdge router to provide a QoS profile that applies traffic control actions to all traffic associated with a subscriber.

Configure the SmartEdge router to aggregate and perform subscriber level control actions on application traffic by performing the following steps:

  1. Verify that per class per subscriber level traffic management is configured on the node.

    A functional DPI traffic management policy that includes the following components is required before you can configure subscriber level traffic management: a DPI ACL policy, a DPI QoS profile, and a DPI traffic management action policy.

    To verify the existence of a valid DPI traffic management policy, enter the following command in any mode:

    > show dpi asp slot/asp-id traffic-management action policy [policy-name]

    To view a valid per class per subscriber level traffic management configuration, see Section 12.

  2. Configure a Subscriber DPI QoS Profile.
  3. Add the Subscriber DPI QoS Profile to a Traffic Management Policy.

The following figure illustrates the configuration workflow:

Figure 3   Level 2 Configuration Workflow

3.1   Configure a Subscriber DPI QoS Profile

A subscriber DPI QoS profile refers to a DPI QoS profile that you apply to all traffic for a specified subscriber regardless of classification. For more information about DPI QoS profiles see Section 2.2.

3.1.1   Configuration Tasks

To configure a subscriber DPI QoS profile, follow the same procedure used to configure a DPI QoS profile. For a detailed description of the configuration tasks required to configure a DPI QoS profile, see Section 2.2.1. When you configure a subscriber DPI QoS profile, remember to consider that class level QoS actions are applied first followed by subscriber QoS actions. Before you configure a subscriber QoS profile, verify that the existing class level QoS actions coincide with your application traffic management strategy.

To view one or all DPI QoS profiles configured on the ASE card, enter the following command in any mode:

> show dpi asp slot/asp-id qos profile [profile-name]

3.1.2   Configuration Example

The following example configures the subscriber DPI QoS profile sub_qos1.

[local]Redback(config)#dpi qos profile sub_qos1
[local]Redback(dpi-qos)#rate 64 burst 3000
[local]Redback(dpi-qos-rate)#conform mark dscp df
[local]Redback(dpi-qos-rate)#exceed drop

3.2   Add a Subscriber DPI QoS Profile to a DPI Traffic Management Policy

When you add a subscriber DPI QoS profile to a DPI traffic management policy, you complete the required configuration for subscriber level traffic management. You can switch between per class per subscriber level and subscriber level traffic management at any time. To enable or disable traffic management according to subscriber, add or remove the subscriber DPI QoS profile configuration from the DPI traffic management policy.

3.2.1   Configuration Tasks

To add a subscriber DPI QoS profile to a DPI traffic management policy, enter the following command in DPI traffic-management policy configuration mode. One policing and one metering QoS profile can be applied to a single DPI traffic management policy. Neither policing nor metering QoS profiles can be applied together with a bidirectional QoS profile.

(config-dpi-policy)#qos profile profile-name [policing | metering]

Note:  
If the specified DPI QoS profile is not defined, the command is rejected.

3.2.2   Configuration Example

The following example adds the subscriber DPI QoS profile sub_qos1 to the DPI traffic management policy p1:

[local]Redback(config)#dpi traffic-management policy p1
[local]Redback(config-dpi-policy)#qos profile sub_qos1

The following example removes the subscriber DPI QoS profile sub_qos1 from the DPI traffic management policy p1, and disables subscriber level traffic management:

[local]Redback(config)#dpi traffic-management policy p1
[local]Redback(config-dpi-policy)#no qos profile sub_qos1

3.3   Subscriber Level Traffic Management Example Configuration

The following example shows a full configuration of subscriber level traffic management, including subscriber DPI QoS profile configuration. This example implies that the DPI traffic-management policy p1 includes a DPI ACL policy, DPI QoS profile, and a DPI traffic management action policy, and is also assigned to a subscriber. For a complete example describing how to configure per class per subscriber level traffic management, see Section 2.7.

[local]Redback(config)#dpi qos profile sub_qos1
[local]Redback(dpi-qos)#rate 64 burst 3000
[local]Redback(dpi-qos-rate)#conform mark dscp df
[local]Redback(dpi-qos-rate)#exceed drop
[local]Redback(dpi-qos-rate)#commit
[local]Redback(dpi-qos-rate)#exit
[local]Redback(dpi-qos)#exit
[local]Redback(config)#dpi traffic-management policy p1
[local]Redback(config-dpi-policy)#qos profile sub_qos1
[local]Redback(config-dpi-policy)#commit

4   Configure Traffic Handling for Security Service Resource Failure

Certain conditions can lead to a security service resource failure; for example, an ASP run-time failure can occur if the ASE card is physically removed or develops a hardware failure.

For information on the behavior of the Advanced Services Processor (ASP) during startup, failure, and recovery, see Reference [5].

4.1   Configuration Tasks

You can configure whether the security service application drops traffic or bypasses the ASP when a resource failure occurs; by default, traffic bypasses the failed ASP.

To drop application traffic in the event of a resource failure, enter the following command in global configuration mode:

(config)#dpi traffic-management resource-failure-action drop

5   Configure Logging and Reporting

Reporting for advanced services like application traffic management is based on log messages. Log messages can be sent to the console, or the NetOp Element Management System (EMS) log mediation server and integrated with a third-party reporting solution such as Q1 Labs (http://www.q1labs.com/) or used by proprietary reporting solutions to generate deployment-specific reports. Log messages are generated when application traffic protocols are detected and to report statistics information. For information on configuring the NetOp EMS log mediation server, see Reference [9].

You can configure statistics reports to be sent to an external server at regular intervals. The ASP reports only incremental packet and byte statistics with timestamp information; all traffic-rate calculations are performed by the reporting solution.

For information on configuring logging to an external server, see Reference [3].

5.1   Enable Statistics Reporting

Statistics reporting is disabled by default. To enable statistics reporting, enter the following command in global configuration mode:

(config)#dpi traffic-management statistics

Statistics are sent to the log forwarding server every 30 minutes by default.

Statistics are sent on a per-subscriber basis. One statistics message is sent for each application protocol detected within the configured interval. Several log messages could be sent for a subscriber at every interval.

5.2   Configure Statistics Interval

To configure the frequency that statistics are sent to a log forwarding server, enter the following command in global configuration mode:

(config)#dpi traffic-management statistics interim-interval [minutes]

5.3   Configuration Example

The following example configures logging to an external server, enables statistics reporting, and configures the frequency to send statistics.

[local]Redback(config)#asp security default
[local]Redback(config-asp-security-default)#log server 10.13.168.25 transport udp port 514
[local]Redback(config-asp-security-default)#log source 10.113.9.120
[local]Redback(config-asp-security-default)#commit
[local]Redback(config-asp-security-default)#exit
[local]Redback(config)#dpi traffic-management statistics interim-interval 30

6   Display Application Traffic Management Information

Show commands display a variety of information for application traffic management. Enter show commands in any mode.

Table 1    Application Traffic Management Show Commands

To display the following information...      Enter this command...

ACLs configured on the ASE card
    show dpi asp slot/asp-id access-list [list-name]

One or all QoS profiles configured on the ASE card
    show dpi asp slot/asp-id qos profile [profile-name]

DPI traffic management action policies configured on the ASE card
    show dpi asp slot/asp-id traffic-management action policy [policy-name]

DPI traffic management policies configured on the ASE card
    show dpi asp slot/asp-id traffic-management policy [policy-name]

Global traffic management statistics
    show dpi asp slot/asp-id traffic-management statistics {sessions | packet [in | out] | protocol protocol-name | signature-file | subscriber}

Security service specific information per subscriber
    show dpi circuit {agent-circuit-id agent-circuit-id | agent-remote-id agent-remote-id | slot/port[:chan-num[:sub-chan-num]] [circuit-id] | username subscriber} traffic-management [sessions | statistics sessions | statistics [packet [in | out]] {class | protocol}]

Supported traffic management applications, categories, or signature file information on the XCRP controller card
    show dpi traffic-management [signature-file sig-filename] [application | category [category-name]]

Supported traffic management applications, categories, and their mapping on the ASP
    show dpi asp slot/asp-id traffic-management [application | category [category-name]]

Statistics for the ASE card, such as Rx and Tx SPI counters, system memory information, and so on
    show security asp slot/asp-id statistics {packet slot | system}

System-level information stored on the ASP
    show security asp slot/asp-id system

Signature file information stored on the ASP
    show dpi asp slot/asp-id traffic-management signature-file

7   Dynamically Update the P2P Signature File

The P2P signature file is referenced during DPI protocol analysis to detect and identify known P2P application traffic. Each SEOS version contains a built-in signature file that is current as of the release date. As existing P2P applications evolve and new applications emerge, the built-in signature file becomes less effective. Keeping the signature file current between SEOS releases is therefore essential to performing comprehensive application traffic management.

A new signature file containing updated application information, categories, and RC4 encrypted signatures is created and made available every six to eight weeks. If there is no signature information update required, no file is released.

To keep the file current, perform the following steps:

  1. Manually download the latest signature file to the XCRP.
  2. Configure the signature file.

The configured signature file is saved to a protected memory area on the XCRP and the ASPs are notified of the signature file location. The ASPs download and validate the new file, then dynamically update their signature file definitions.

When you upgrade to a new SEOS version, the system checks which signature file is currently in use. If the signature file packaged with the previous SEOS version is still in use, the signature file packaged with the new SEOS version is installed and the signature-file definition upgrade is forced on the ASPs. No configuration is required.

If the signature file has been upgraded since the last SEOS version, the system verifies that the signature file in use is compatible with the new SEOS version. If the file is compatible, the signature file is not upgraded.

7.1   Download the Signature File

The signature file is available from an external server as a tarball that includes the signature file and associated release notes. The release notes specify SEOS compatibility and identify changes from the previous signature file.

Download the signature file tarball using SFTP, FTP, or the SEOS copy command, and copy the standalone signature file to the default XCRP directory.

For example:

copy scp://user@host/Signature-filename

The default directory for downloaded signature files is:

/flash/security/dpi/


7.2   Configure the Signature File

The command to configure the signature file consists of specifying the filename and path. The configuration command validates the specified file, makes a compatibility check for the SEOS release, verifies file integrity, then saves the file to the protected /flash directory for automatic download to the ASPs.

Note:  
If you have downloaded the signature file to the default directory on the XCRP, no path specification is required.

To configure the signature file, enter the following command in global configuration mode:

(config)#dpi traffic-management signature-file sig-filename

The validated signature file is automatically downloaded by each ASP that has the service security tag. The file is saved to the local ASE directory. The applications, categories and signatures are extracted and the new signature set activated. If the activation of the signature file fails on the ASP, the ASP reboots and a critical event log entry is sent to the XCRP. An ASP with service security requires a valid signature file.

The filename format of the signature file is as follows:

App-Name-Major-Minor.sdf

Where App-Name is P2P, Major is the DPI engine major number, and Minor is the signature file release number.
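The following Python script is an added example, not part of the guide or of SEOS: it parses signature filenames in the App-Name-Major-Minor.sdf format and applies the SEOS-upgrade rules from Section 7 (old built-in file still in use: force the upgrade; operator-configured file: keep it if compatible). The guide does not state how compatibility or file integrity is checked, so two assumptions are made and marked in the code: compatibility means the file's Major equals the release's DPI engine major number, and integrity is a SHA-256 digest compared against a value published with the release notes. The engine major numbers and file names used are constructed sample values.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Tuple

# Filename grammar from the guide: App-Name-Major-Minor.sdf
SDF_NAME = re.compile(r"^(?P<app>[A-Za-z0-9]+)-(?P<major>\d+)-(?P<minor>\d+)\.sdf$")


@dataclass(frozen=True)
class SignatureFile:
    app: str      # e.g. "P2P"
    major: int    # DPI engine major number
    minor: int    # signature file release number

    @classmethod
    def parse(cls, path: str) -> "SignatureFile":
        """Parse a signature filename; a leading directory such as
        /flash/security/dpi/ is ignored."""
        name = path.rsplit("/", 1)[-1]
        m = SDF_NAME.match(name)
        if m is None:
            raise ValueError(f"not a signature filename: {name!r}")
        return cls(m["app"], int(m["major"]), int(m["minor"]))


def is_compatible(sig: SignatureFile, engine_major: int) -> bool:
    """Assumption (not stated by the guide): a file is compatible with a SEOS
    release when its Major equals that release's DPI engine major number."""
    return sig.major == engine_major


def verify_digest(contents: bytes, expected_sha256_hex: str) -> bool:
    """Assumption (not stated by the guide): integrity is checked by comparing
    a SHA-256 digest published with the release notes against the file."""
    return hashlib.sha256(contents).hexdigest().lower() == expected_sha256_hex.lower()


def plan_upgrade(in_use: SignatureFile, previous_builtin: SignatureFile,
                 new_builtin: SignatureFile, new_engine_major: int) -> Tuple[str, SignatureFile]:
    """Apply the SEOS-upgrade rules from Section 7 and return (decision, file).

    force-upgrade: the previous release's built-in file was still in use, so the
                   new built-in file is installed and pushed to the ASPs
    keep:          an operator-configured file is in use and is compatible
    incompatible:  an operator-configured file is in use but is not compatible;
                   the guide does not say what happens here, so it is only flagged
    """
    if in_use == previous_builtin:
        return ("force-upgrade", new_builtin)
    if is_compatible(in_use, new_engine_major):
        return ("keep", in_use)
    return ("incompatible", in_use)


if __name__ == "__main__":
    # Constructed scenario: operator configured P2P-3-7.sdf, new SEOS ships P2P-3-4.sdf
    current = SignatureFile.parse("/flash/security/dpi/P2P-3-7.sdf")
    print(plan_upgrade(current, SignatureFile("P2P", 3, 1), SignatureFile("P2P", 3, 4), 3))
```

Run it before an upgrade window with the file names from the release notes substituted in; a result of "incompatible" means a compatible signature file has to be obtained and configured, since an ASP with service security requires a valid signature file.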

8   Configure Subscriber Session Limiting

The subscriber session limit is a single global value for the maximum number of TCP and UDP sessions allowed per subscriber. When you configure the subscriber session limit, you can specify whether packets associated with sessions that exceed the limit are dropped, or mapped to an action policy class. The sum of TCP and UDP sessions is limited to the configured value per subscriber. For example, if a session limit of 300 is configured, then the sum of the TCP and UDP sessions for a subscriber is limited to 300.

8.1   Configuration Tasks

Subscriber session limiting is not enabled by default. To configure subscriber session limiting, enter the following command in global configuration mode:

(config)#dpi traffic-management maximum sessions max-sessions [exceed class class-name]

When you enable session limiting, all packets associated with sessions that exceed the session limit are dropped by default. To map all packets associated with sessions that exceed the session limit to an action policy class, specify a class name with the exceed class class-name construct.

When you modify the session limit, changes to the class name on new and existing sessions take effect immediately. If you reduce the session limit value to below the existing session count, no new sessions are allowed until the session count drops below the new limit value. Existing sessions are not impacted.

8.2   Configuration Example

The following example configures a global subscriber session limit of 300. Packets associated with sessions that exceed this value are mapped to the action policy class cl_06.

[local] Redback(config)#dpi traffic-management maximum sessions 300 exceed class cl_06
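The Python model below is an added example, not SEOS code: it implements the session-limit semantics of Sections 8.1 and 8.2 so the behaviour can be checked against expectations before it is deployed. Sessions are counted per subscriber as the sum of TCP and UDP sessions, a packet that would exceed the limit is dropped unless an exceed class is configured, packets on existing sessions are never limited, and lowering the limit below the current count blocks new sessions until the count drops below the new value. The subscriber name, addresses and ports used in the scenario are constructed.

```python
from collections import defaultdict
from typing import Dict, Hashable, Optional, Set, Tuple


class SessionLimiter:
    """Per-subscriber TCP+UDP session limit as described in Section 8.

    open_session() returns the treatment of a packet that would start a new
    session: "allow" (session admitted, or already open), "drop" (limit
    exceeded and no exceed class configured) or the exceed class name (limit
    exceeded; the packet is mapped to that action policy class).
    """

    def __init__(self, max_sessions: int, exceed_class: Optional[str] = None) -> None:
        self._sessions: Dict[str, Set[Tuple[str, Hashable]]] = defaultdict(set)
        self.set_limit(max_sessions, exceed_class)

    def set_limit(self, max_sessions: int, exceed_class: Optional[str] = None) -> None:
        """Equivalent of (re-)entering the global maximum sessions command.
        Existing sessions are untouched; if the new limit is below the current
        count, no new sessions are admitted until the count drops below it."""
        if max_sessions < 1:
            raise ValueError("session limit must be positive")
        self.max_sessions = max_sessions
        self.exceed_class = exceed_class

    def count(self, subscriber: str) -> int:
        return len(self._sessions[subscriber])

    def open_session(self, subscriber: str, proto: str, flow: Hashable) -> str:
        if proto not in ("tcp", "udp"):
            raise ValueError("only TCP and UDP sessions are counted")
        active = self._sessions[subscriber]
        key = (proto, flow)
        if key in active:
            return "allow"                     # existing session, never limited
        if len(active) >= self.max_sessions:
            return self.exceed_class or "drop" # over the limit: drop, or map to class
        active.add(key)
        return "allow"

    def close_session(self, subscriber: str, proto: str, flow: Hashable) -> None:
        self._sessions[subscriber].discard((proto, flow))


if __name__ == "__main__":
    # Constructed scenario matching the configuration example above (limit 300, class cl_06)
    lim = SessionLimiter(300, exceed_class="cl_06")
    for port in range(40000, 40300):
        lim.open_session("joe", "tcp", ("40.1.1.10", port, "150.10.1.2", 80))
    print(lim.count("joe"), lim.open_session("joe", "udp", ("40.1.1.10", 5353, "150.10.1.2", 53)))
```

Mapping the excess packets to a class such as cl_06 rather than dropping them lets the action policy log the detection, which makes a subscriber that repeatedly hits the limit visible in the statistics and logs instead of silently losing traffic.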

9   Clear Subscriber Sessions

To clear subscriber traffic management sessions, enter the following command in exec mode:

[local]Redback# clear dpi circuit {agent-circuit-id agent-circuit-id | agent-remote-id agent-remote-id | slot/port[:chan-num[:sub-chan-num]] circuit-id | username subscriber} traffic-management sessions

10   Clear Statistics

To clear all peak counters and all packet or byte counters, enter the following command in exec mode:

clear dpi asp slot/port traffic-management statistics

To clear all peak counters and all packet or byte counters for a specific subscriber, enter the following command in exec mode:

clear dpi circuit {agent-circuit-id agent-circuit-id | agent-remote-id agent-remote-id | slot/port[:chan-num[:sub-chan-num]] circuit-id | username subscriber} traffic-management statistics

11   Enable Debug Messages

To enable the generation of debug messages for the traffic management application, enter the following command in exec mode:

[local]Redback#debug dpi asp slot/asp-id traffic-management message-type trace {buffer | console | external} [level level]

For troubleshooting information, see Reference [1].

12   Sample Configuration

For information on ASE cards, ASP pools, and ASP groups, see Reference [4]. For configuration information, see Reference [2] and Reference [3].

!
asp security default 
log server 10.172.55.55 transport udp port 514
log source 10.192.22.24

!
!
!
asp pool p2p-pool service security
 asp 13/1
 asp 13/2
asp group p2p-group
 pool p2p-pool
 asp-count 2
!
!
dpi qos profile p2p-qos_gold
  rate 2000 burst 5000
    exceed drop
!
dpi qos profile p2p-qos_markcs0
  mark dscp 0
!
dpi qos profile p2p-qos_markcs1
  mark dscp 8
!
dpi qos profile p2p-qos_markcs2
  mark dscp 16
!
dpi qos profile p2p-qos_markcs3
  mark dscp 24
!
dpi qos profile p2p-qos_markcs4
  mark dscp 32
!
dpi qos profile p2p-qos_markdf
  mark dscp 0
!
dpi qos profile p2p-qos_markef
  mark dscp 46
!
dpi qos profile p2p-qos_platinum
  rate 5000 burst 5000
    exceed drop
!
!
dpi qos profile p2p-qos_rtlimit100
  rate 100 burst 5000
    exceed drop
!
dpi qos profile p2p-qos_silver
  rate 1000 burst 5000
    exceed drop
!
dpi access-list p2p-acl-profiles
  default-class p2p-class_default
  seq 10 application skype class p2p-class_skype
  seq 20 application bit-torrent class p2p-class_bittorrent
  seq 30 application edonkey class p2p-class_edonkey
  seq 40 application yahoo-messenger class p2p-class_ym
!
dpi access-list p2p-acl_monitor
  default-class p2p-class_default
  seq 10 application skype class p2p-class_skype
  seq 20 application bit-torrent class p2p-class_bittorrent
  seq 30 application edonkey class p2p-class_edonkey
  seq 40 application yahoo-messenger class p2p-class_ym
  seq 50 application http class p2p-class_http
  seq 60 application gnutella class p2p-class_gnutella
  seq 70 application windows-live-messenger class p2p-class_msn
  seq 80 application youtube class p2p-class_youtube
  seq 90 application imap class p2p-class_imap
  seq 100 application quick-time class p2p-class_qtime
  seq 110 protocol esp any class p2p-class_esp
  seq 120 protocol ahp any class p2p-class_ah
  seq 130 protocol esp any class p2p-class_esp
  seq 140 protocol tcp any eq 21 range 1 65535 class p2p-class_ftp
  seq 150 protocol icmp any class p2p-class_icmp
  seq 160 protocol tcp any eq 21 range 1 65535 class p2p-class_ftp21
  seq 170 category voip class p2p-class_voip
!
dpi access-list p2p-acl_monitor2
  seq 180 category gaming class p2p-class_gaming
  seq 190 category p2p class p2p-class_p2p
  seq 200 category file-transfer class p2p-class_ftp
  seq 210 category file-transfer 10.192.17.68/32 class p2p-class_ftp-cebox
!
dpi traffic-management action policy p2p-action_gold
  class p2p-class_default
    qos profile p2p-qos_gold

  class p2p-class_p2p
    qos profile p2p-qos_gold
    log detection

  class p2p-class_skype
    log detection

!
dpi traffic-management action policy p2p-action_platinum
  class p2p-class_default
    qos profile p2p-qos_platinum

  class p2p-class_p2p
    qos profile p2p-qos_platinum
    log detection

!
dpi traffic-management action policy p2p-action_silver
  class p2p-class_bittorrent
    log detection
    drop

  class p2p-class_default
    qos profile p2p-qos_silver

  class p2p-class_edonkey
    log detection
    drop


  class p2p-class_p2p
    qos profile p2p-qos_silver
    log detection

  class p2p-class_skype
    log detection

  class p2p-class_ym
    log detection
    drop

!
dpi traffic-management action policy p2p-action_monitor
  default-class p2p-class_default
  class p2p-class_ah
    qos profile p2p-qos_markef
    log detection

  class p2p-class_bittorrent
    log detection

  class p2p-class_edonkey
    drop

  class p2p-class_esp
    qos profile p2p-qos_markcs0
    log detection

  class p2p-class_ftp
    qos profile p2p-qos_markcs1
    log detection

  class p2p-class_ftp-cebox
    log detection

  class p2p-class_ftp21
    qos profile p2p-qos_markcs3
    log detection

  class p2p-class_gaming
    log detection

  class p2p-class_gnutella
    log detection

  class p2p-class_http
    qos profile p2p-qos_markef
    log detection

  class p2p-class_icmp
    qos profile p2p-qos_markcs2
    log detection

  class p2p-class_imap
    log detection

  class p2p-class_msn
    log detection

  class p2p-class_p2p
    drop

  class p2p-class_qtime
    log detection

  class p2p-class_skype
    log detection

  class p2p-class_voip
    log detection

  class p2p-class_ym
    log detection

  class p2p-class_youtube
    log detection

!
!
dpi traffic-management statistics
!
dpi traffic-management policy p2p-pol_gold
  action policy p2p-action_gold
  access-group p2p-acl_gold
!
dpi traffic-management policy p2p-pol_monitor
  action policy p2p-action_monitor
  access-group p2p-acl_monitor
!
dpi traffic-management policy p2p-pol_platinum
  action policy p2p-action_platinum
  access-group p2p-acl_platinum
!
dpi traffic-management policy p2p-pol_silver
  action policy p2p-action_silver
  access-group p2p-acl_silver
context local
!
!
context p2p
!
 no ip domain-lookup
!
 interface subscriber multibind
  ip address 40.1.1.1/24
  ip pool 40.1.1.0/24 name pc_pool
!
 interface to_Cisco7200
  ip address 150.10.1.1/24
 logging console
!
 subscriber name joe
   password joe
   ip address pool name pc_pool
   dpi traffic-management policy p2p-pol_monitor
!
 ip route 0.0.0.0/0 150.10.1.2
 ip route 40.0.0.0/24 150.10.1.2
!


!
 asp-group p2p-group service security
!
! ** End Context **
!
!Ethernet connectivity fault management configuration
!
!
card ge3-4-port 4
!
port ethernet 4/1
 no shutdown
 bind interface to_Cisco7200 p2p
!
!
card ether-12-port 9
!
port ethernet 9/1
 no shutdown
 encapsulation pppoe
 bind authentication chap pap context p2p
!
card ase 13
!
!
no service console-break
!
service crash-dump-dram
!
no service auto-system-recovery
!

13   Command Hierarchy

config
  dpi access-list
    application
    category
    default-class
    protocol
  dpi qos profile
    mark
    mark dscp
    mark precedence
    mark priority
    rate
      conform mark dscp
      conform mark precedence
      conform mark priority
      exceed drop
      exceed mark dscp
      exceed mark precedence
      exceed mark priority
  dpi traffic-management action policy
    class
      drop
      log detection
      qos profile
    default-class
  dpi traffic-management maximum sessions
  dpi traffic-management policy
    access-group
    action policy
    qos profile
  dpi traffic-management resource-failure-action
  dpi traffic-management statistics
  context
    subscriber
      dpi traffic-management policy

exec
  clear dpi asp
  clear dpi circuit traffic-management statistics
  clear dpi circuit traffic-management sessions
  debug dpi asp traffic-management

all modes
  show dpi asp access-list
  show dpi asp qos profile
  show dpi asp traffic-management action policy
  show dpi asp traffic-management policy
  show dpi asp traffic-management statistics
  show dpi circuit
  show dpi traffic-management
  show security asp statistics
  show security asp system


Glossary

ACL
Access Control List
 
ASP
Advanced Services Processor
 
CoA
Change of Authorization
 
DPI
Deep Packet Inspection
 
DSCP
Differentiated Services Code Point
 
QoS
Quality of Service

Reference List

[1] Advanced Services Fault Management Guide, 3/1543-CRA 119 1170/1.
[2] Advanced Services Configuration and Operation Using the NetOp EMS Software, 1553-CRA 119 1170/1.
[3] Advanced Services Configuration and Operation Using the SmartEdge OS CLI, 1/1543-CRA 119 1170/1.
[4] Advanced Services Infrastructure Overview, 1/221 02-CRA 119 1170/1.
[5] Advanced Services Startup, Failure and Recovery, 1/1553-CRA 119 1170/1.
[6] Application Traffic Management Command Reference, 190 80-CRA 119 1170/1.
[7] Application Traffic Management Overview, 221 02-CRA 119 1170/1.
[8] Configuring Rate-Limiting and Class-Limiting, 55/1543-CRA 119 1170/1.
[9] Log Mediation Server, 1/1553-CRA 119 1171/1.