SYSTEM ADMINISTRATOR GUIDE 1543-CRA 119 1170/1-V1 Uen C
Copyright
© Ericsson AB 2009–2010. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.
Disclaimer
The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.
Trademark List
SmartEdge is a registered trademark of Telefonaktiebolaget LM Ericsson.
NetOp is a trademark of Telefonaktiebolaget LM Ericsson.
When the SmartEdge® router detects application traffic, you can configure the node to apply a DPI traffic management policy. A DPI traffic management policy classifies the traffic and maps it to one or more classes. Each class is associated with a set of actions that applies to all traffic mapped to that class.
You can also configure additional levels of aggregate traffic control to manipulate DPI traffic at more granular levels.
The following traffic control levels are supported:
Per class per subscriber level: Applies a set of actions to all traffic mapping to a particular class for a specified subscriber.
Subscriber level: In addition to applying a set of actions to all traffic mapping to a particular class for a specified subscriber, applies traffic control actions for all traffic associated with the subscriber.
Traffic management actions are applied first to classes within the subscriber traffic, and then to all traffic associated with a subscriber.
For detailed command descriptions and usage guidelines, see Reference [6]. For overview information on the concepts presented in this document, see Reference [7].
Configure the SmartEdge router to capture and analyze application traffic and perform per class per subscriber level control actions on the traffic by performing the following steps:
A DPI traffic management policy references a DPI ACL policy and DPI traffic management action policy; a DPI traffic management action policy references a DPI QoS profile.
The following figure illustrates the configuration workflow.
The DPI ACL policy maps the incoming traffic to a single class value. An ACL policy uses statements to define how packets are assigned to classes. The sequence seq-num construct defines the sequence of the statements; if this construct is not specified, the system assigns a sequence number. A packet that does not match the criteria of the first statement is subject to the criteria of the second statement, and so on, until the end of the ACL policy is reached. The default class defined in the DPI ACL policy is used to map all traffic that was not classified into one of the other classes.
Traffic can be classified based on application protocol or transport protocol, or on application protocol category. An application or protocol category groups together applications or protocols used for a similar purpose; for example, streaming, messaging, file transfer, and so on. If a category is specified, all applications defined in the category are included.
Each application or category can be qualified with the host network; for example, BitTorrent application from a host in network 1.1.1.0/24. The IP prefix specified as the network address is matched against the destination address for inbound traffic from the subscriber and against the source address for outbound traffic to the subscriber.
To configure a DPI ACL policy, enter the following commands:
(config)#dpi access-list acl-name
(dpi-acl)#default-class class-name
(dpi-acl)#[seq sequence-number] protocol protocol {network network-prefix/prefix-length | any} {cond source-port | range source-start-port source-end-port} [cond dest-port | range dest-start-port dest-end-port] class class-name
(dpi-acl)#[seq sequence-number] protocol protocol {network network-prefix/prefix-length} class class-name
(dpi-acl)#[seq sequence-number] {application application-name | category category-name} [network network-prefix/prefix-length | any] class class-name
To view configured DPI ACL policies, enter the following command in any mode:
> show dpi asp slot/asp-id access-list [list-name]
The ASE card has two ASPs, identified as 1 and 2. For information on ASE cards, ASP pools, and ASP groups, see Reference [4]. For configuration information, see Reference [2] and Reference [3].
The following example configures the DPI ACL policy acl_01.
[local]Redback(config)#dpi access-list acl_01
[local]Redback(dpi-acl)#default-class cl_def
[local]Redback(dpi-acl)#seq 10 application bittorrent class cl_01
[local]Redback(dpi-acl)#seq 20 category streaming network 1.1.1.0/24 class cl_01
[local]Redback(dpi-acl)#seq 30 category gaming network 4.1.1.0/24 class cl_02
[local]Redback(dpi-acl)#seq 40 application skype class cl_03
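The matching rules described above (ascending sequence order, first match wins, default class as fallback, network qualifier compared with the remote host) can be modeled offline to review an ACL before it is committed. The following Python model is an added example, not Ericsson code; the application-to-category table and the flow addresses are constructed, and the shadowed-statement check goes beyond what the guide describes.

```python
import ipaddress

# Constructed application-to-category mapping (assumption); on the router this
# information comes from the signature file, not from a table like this one.
CATEGORY_OF = {"bittorrent": "p2p", "skype": "voip",
               "youtube": "streaming", "quake": "gaming"}

# The acl_01 example from this guide: (seq, kind, name, network or None, class).
ACL_01 = {
    "default_class": "cl_def",
    "statements": [
        (10, "application", "bittorrent", None, "cl_01"),
        (20, "category", "streaming", "1.1.1.0/24", "cl_01"),
        (30, "category", "gaming", "4.1.1.0/24", "cl_02"),
        (40, "application", "skype", None, "cl_03"),
    ],
}


def remote_host(flow):
    """Address the network qualifier is compared with: destination for inbound
    traffic from the subscriber, source for outbound traffic to the subscriber."""
    return flow["dst"] if flow["direction"] == "inbound" else flow["src"]


def matches(stmt, flow):
    _, kind, name, network, _ = stmt
    if kind == "application":
        hit = flow["application"] == name
    else:  # a category matches every application that belongs to it
        hit = CATEGORY_OF.get(flow["application"]) == name
    if hit and network is not None:
        hit = ipaddress.ip_address(remote_host(flow)) in ipaddress.ip_network(network)
    return hit


def classify(acl, flow):
    """Return the class of the first matching statement, else the default class."""
    for stmt in sorted(acl["statements"], key=lambda s: s[0]):
        if matches(stmt, flow):
            return stmt[4]
    return acl["default_class"]


def covers(earlier, later):
    """True if every flow that matches `later` also matches `earlier`."""
    _, e_kind, e_name, e_net, _ = earlier
    _, l_kind, l_name, l_net, _ = later
    if e_kind == l_kind:
        same_target = e_name == l_name
    elif e_kind == "category" and l_kind == "application":
        same_target = CATEGORY_OF.get(l_name) == e_name
    else:
        same_target = False  # treated conservatively: an application does not cover a category
    if not same_target:
        return False
    if e_net is None:
        return True
    if l_net is None:
        return False
    return ipaddress.ip_network(l_net).subnet_of(ipaddress.ip_network(e_net))


def shadowed(acl):
    """Return (later_seq, earlier_seq) pairs where the later statement can never match."""
    stmts = sorted(acl["statements"], key=lambda s: s[0])
    return [(later[0], earlier[0])
            for i, later in enumerate(stmts)
            for earlier in stmts[:i] if covers(earlier, later)]


if __name__ == "__main__":
    # Constructed flow: subscriber 10.0.0.5 receiving streaming traffic from 1.1.1.9.
    flow = {"application": "youtube", "direction": "outbound",
            "src": "1.1.1.9", "dst": "10.0.0.5"}
    print(classify(ACL_01, flow), shadowed(ACL_01))
```
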
QoS policies create and enforce Quality of Service (QoS) levels and bandwidth rates. A policy applies to only a particular class of packets; the class is configured using a DPI traffic management action policy, and this is referred to as a class-based action. For more information on ACLs and QoS class definitions, marking, and rate-limiting, see Reference [8].
A DPI QoS profile handles traffic by:
The above two actions are mutually exclusive. Only one marking instruction can be in effect at a time. Any succeeding marking or rate-limiting command supersedes the previous instruction.
To configure a DPI QoS profile, enter the following commands:
(config)#dpi qos profile profile-name [policing | metering]
If you do not specify policing or metering, a bidirectional rate limiting QoS profile is implied.
(dpi-qos)#mark dscp dscp-class
(dpi-qos)#mark precedence prec-value
(dpi-qos)#mark priority {group-num | ignore} [{drop-precedence {group-num | ignore} | af-drop drop-value}]
Only one marking instruction can be in effect at any time.
(dpi-qos)#rate kbps {burst bytes | time-burst msec}
(dpi-qos-rate)#conform mark dscp dscp-class
(dpi-qos-rate)#conform mark precedence prec-value
(dpi-qos-rate)#conform mark priority {group-num | ignore} [{drop-precedence {group-num | ignore} | af-drop drop-value}]
Only one marking instruction can be in effect at any time.
(dpi-qos-rate)#exceed drop
(dpi-qos-rate)#exceed mark dscp dscp-class
(dpi-qos-rate)#exceed mark precedence prec-value
(dpi-qos-rate)#exceed mark priority {group-num | ignore} [{drop-precedence {group-num | ignore} | af-drop drop-value}]
Only one marking instruction can be in effect at any time.
To view configured DPI QoS profiles, enter the following command in any mode:
> show dpi asp slot/asp-id qos profile [profile-name]
The following example configures the DPI QoS profile qos_prof_01.
[local]Redback(config)#dpi qos profile qos_prof_01
[local]Redback(dpi-qos)#rate 64 burst 3000
[local]Redback(dpi-qos-rate)#conform mark dscp df
[local]Redback(dpi-qos-rate)#exceed drop
The following example configures the DPI QoS profile qos_prof_02.
The following example configures the DPI QoS profile qos_prof_03.
[local]Redback(config)#dpi qos profile qos_prof_03 policing
[local]Redback(dpi-qos)#rate 64 burst 2000
[local]Redback(dpi-qos-rate)#exceed mark dscp 6
The following example configures the DPI QoS profile qos_prof_04.
[local]Redback(config)#dpi qos profile qos_prof_04 metering
[local]Redback(dpi-qos)#rate 64 burst 1500
[local]Redback(dpi-qos-rate)#conform mark dscp df
[local]Redback(dpi-qos-rate)#exceed mark dscp 8
A DPI traffic management action policy is a collection of class entries, with each class defining one or more actions for that class. Actions are applied to traffic mapped to the class through the DPI traffic management policy. Specify a class as default class to process traffic assigned to a class that is not defined in the action policy.
To configure a DPI traffic management action policy, enter the following commands:
(config)#dpi traffic-management action policy name
(action)#default-class class-name
(action)#class class-name
(class)#qos profile profile-name [policing | metering]
You can apply one policing and one metering QoS profile to a single class. However, you cannot apply a policing or metering QoS profile together with a bidirectional profile.
(class)#log detection
A log is generated for every flow for every application for every subscriber, regardless of subscriber configuration. All detected flows are logged.
(class)#drop
To view configured DPI traffic management action policies, enter the following command in any mode:
> show dpi asp slot/asp-id traffic-management action policy [policy-name]
The following example configures the DPI traffic management action policy acp_01.
[local]Redback(config)#dpi traffic-management action policy acp_01
[local]Redback(action)#default-class cl_def
[local]Redback(action)#class cl_def
[local]Redback(class)#qos profile qos_prof_01
[local]Redback(class)#log detection
[local]Redback(class)#exit
[local]Redback(action)#class cl_01
[local]Redback(class)#qos profile qos_prof_02
[local]Redback(class)#exit
[local]Redback(action)#class cl_02
[local]Redback(class)#exit
[local]Redback(action)#class cl_03
[local]Redback(class)#qos profile qos_prof_03 policing
[local]Redback(class)#qos profile qos_prof_04 metering
A traffic management policy includes a reference to a DPI ACL policy and a traffic management action policy. The DPI ACL policy maps the traffic to a class, and each class is associated with a set of actions that applies to all traffic mapped to that class.
To configure a DPI traffic management policy, enter the following commands:
(config)#dpi traffic-management policy policy-name
(config-dpi-policy)#access-group acl-name
(config-dpi-policy)#action policy action-policy-name
To view configured DPI traffic management policies, enter the following command in any mode:
> show dpi asp slot/asp-id traffic-management policy [policy-name]
The following example configures the DPI traffic management policy dpi_pol_01 and associates it with the DPI ACL policy acl_01 and the DPI traffic management action policy acp_01.
[local]Redback(config)#dpi traffic-management policy dpi_pol_01
[local]Redback(config-dpi-policy)#access-group acl_01
[local]Redback(config-dpi-policy)#action policy acp_01
A global default traffic management policy is applied to traffic when the specified policy is not configured.
To configure a default DPI traffic management policy, enter the following commands:
(config)#dpi traffic-management policy default
(config-dpi-policy)#access-group acl-name
(config-dpi-policy)#action policy action-policy-name
To view configured DPI traffic management policies, enter the following command in any mode:
> show dpi asp slot/asp-id traffic-management policy [policy-name]
The following example configures the DPI traffic management policy default and associates it with the DPI ACL policy acl_02 and the DPI traffic management action policy acp_02.
[local]Redback(config)#dpi traffic-management policy default
[local]Redback(config-dpi-policy)#access-group acl_02
[local]Redback(config-dpi-policy)#action policy acp_02
The DPI traffic management policy name can be obtained through RADIUS (VSA 203 Security-Service) or configured in the subscriber record; for more information, see RADIUS Attributes. During the subscriber session's lifetime, the DPI traffic management policy associated with an active subscriber can be changed through RADIUS reauthentication or through Change of Authorization (CoA).
There are two ways to configure DPI traffic management for a subscriber:
To apply application traffic management to a subscriber, associate the subscriber record with a DPI traffic management policy. Different subscribers can be mapped to different DPI traffic management policies; a single traffic management policy can be used with many subscribers. Only one DPI traffic management policy can be associated with each subscriber record.
To apply a DPI traffic management policy through the CLI to a subscriber, default subscriber, or subscriber profile, enter the following command in subscriber configuration mode:
(config-sub)# dpi traffic-management policy policy-name
For a reauth or CoA to activate the policy, you must also configure the Security-Service VSA for this in RADIUS.
To configure the Security-Service VSA in RADIUS, perform one or more of the following steps:
Security-Service="dpi traffic-management enable-coa"
This VSA must be sent at the time of initial subscriber login; otherwise, it will not be possible to activate DPI services later on.
Security-Service="dpi traffic-management enable-coa"
Security-Service+="dpi traffic-management policy policy-name"
Security-Service="dpi traffic-management policy policy-name"
Security-Service="dpi traffic-management policy"
Either an invalid policy name or no DPI policy name sent in this line causes the policy to be deleted from the subscriber record after reauthorization.
When a DPI traffic management policy change is applied, changes to the QoS profile take effect immediately on existing flows. Other changes to the contents of the DPI traffic management action policy or the DPI traffic management ACL take effect immediately for new flows.
The following example applies the DPI traffic management policy dpi_pol_01 to subscriber joe.
[isp1]Redback(config-ctx)#subscriber name joe
[isp1]Redback(config-sub)#dpi traffic-management policy dpi_pol_01
The following example shows a full configuration of per class per subscriber level application traffic management, including a DPI ACL policy (acl_01), DPI QoS profiles (qos_prof_01, qos_prof_02, qos_prof_03), a DPI traffic management action policy (acp_01), and a DPI traffic management policy (dpi_pol_01). The policy is assigned to subscriber joe.
[local]Redback(config)#dpi access-list acl_01
[local]Redback(dpi-acl)#default-class cl_def
[local]Redback(dpi-acl)#seq 10 application bittorrent class cl_01
[local]Redback(dpi-acl)#seq 20 category streaming network 1.1.1.0/24 class cl_02
[local]Redback(dpi-acl)#exit
[local]Redback(config)#dpi qos profile qos_prof_01
[local]Redback(dpi-qos)#rate 64 burst 3000
[local]Redback(dpi-qos-rate)#conform mark dscp df
[local]Redback(dpi-qos-rate)#exceed drop
[local]Redback(dpi-qos-rate)#exit
[local]Redback(dpi-qos)#exit
[local]Redback(config)#dpi qos profile qos_prof_02
[local]Redback(dpi-qos)#mark dscp 7
[local]Redback(dpi-qos)#exit
[local]Redback(config)#dpi qos profile qos_prof_03 policing
[local]Redback(dpi-qos)#rate 64 burst 2000
[local]Redback(dpi-qos-rate)#exceed mark dscp 6
[local]Redback(dpi-qos-rate)#exit
[local]Redback(dpi-qos)#exit
[local]Redback(config)#dpi qos profile qos_prof_04 metering
[local]Redback(dpi-qos)#rate 64 burst 1500
[local]Redback(dpi-qos-rate)#conform mark dscp df
[local]Redback(dpi-qos-rate)#exceed mark dscp 8
[local]Redback(dpi-qos-rate)#exit
[local]Redback(dpi-qos)#exit
[local]Redback(config)#dpi traffic-management action policy acp_01
[local]Redback(action)#default-class default
[local]Redback(action)#class cl_def
[local]Redback(class)#qos profile qos_prof_01
[local]Redback(class)#log detection
[local]Redback(class)#exit
[local]Redback(action)#class cl_01
[local]Redback(class)#qos profile qos_prof_02
[local]Redback(class)#exit
[local]Redback(action)#class cl_02
[local]Redback(class)#qos profile qos_prof_03 policing
[local]Redback(class)#qos profile qos_prof_04 metering
[local]Redback(class)#exit
[local]Redback(action)#class default
[local]Redback(action)#exit
[local]Redback(config)#dpi traffic-management policy dpi_pol_01
[local]Redback(config-dpi-policy)#access-group acl_01
[local]Redback(config-dpi-policy)#action policy acp_01
[local]Redback(config-dpi-policy)#exit
[local]Redback(config)#context isp1
[isp1]Redback(config-ctx)#subscriber name joe
[isp1]Redback(config-sub)#dpi traffic-management policy dpi_pol_01
In addition to configuring traffic management according to class and subscriber, you can configure a SmartEdge router to provide a QoS profile that applies traffic control actions to all traffic associated with a subscriber.
Configure the SmartEdge router to aggregate and perform subscriber level control actions on application traffic by performing the following steps:
A functional DPI traffic management policy that includes the following components is required before you can configure subscriber level traffic management:
To verify the existence of a valid DPI traffic management policy, enter the following command in any mode:
> show dpi asp slot/asp-id traffic-management action policy [policy-name]
To view a valid per class per subscriber level traffic management configuration, see Section 12.
The following figure illustrates the configuration workflow:
A subscriber DPI QoS profile refers to a DPI QoS profile that you apply to all traffic for a specified subscriber regardless of classification. For more information about DPI QoS profiles see Section 2.2.
To configure a subscriber DPI QoS profile, follow the same procedure used to configure a DPI QoS profile. For a detailed description of the configuration tasks required to configure a DPI QoS profile, see Section 2.2.1. When you configure a subscriber DPI QoS profile, remember to consider that class level QoS actions are applied first followed by subscriber QoS actions. Before you configure a subscriber QoS profile, verify that the existing class level QoS actions coincide with your application traffic management strategy.
To view one or all DPI QoS profiles configured on the ASE card, enter the following command in any mode:
> show dpi asp slot/asp-id qos profile [profile-name]
The following example configures the subscriber DPI QoS profile sub_qos1.
[local]Redback(config)#dpi qos profile sub_qos1
[local]Redback(dpi-qos)#rate 64 burst 3000
[local]Redback(dpi-qos-rate)#conform mark dscp df
[local]Redback(dpi-qos-rate)#exceed drop
When you add a subscriber DPI QoS profile to a DPI traffic management policy, you complete the required configuration for subscriber level traffic management. You can switch between per class per subscriber level and subscriber level traffic management at any time. To enable or disable traffic management according to subscriber, add or remove the subscriber DPI QoS profile configuration from the DPI traffic management policy.
To add a subscriber DPI QoS profile to a DPI traffic management policy, enter the following command in DPI traffic-management policy configuration mode. One policing and one metering QoS profile can be applied to a single DPI traffic management policy. Neither policing nor metering QoS profiles can be applied together with a bidirectional QoS profile.
(config-dpi-policy)#qos profile profile-name [policing | metering]
The following example adds the subscriber DPI QoS profile sub_qos1 to the DPI traffic management policy p1:
[local]Redback(config)#dpi traffic-management policy p1
[local]Redback(config-dpi-policy)#qos profile sub_qos1
The following example removes the subscriber DPI QoS profile sub_qos1 from the DPI traffic management policy p1, and disables subscriber level traffic management:
[local]Redback(config)#dpi traffic-management policy p1
[local]Redback(config-dpi-policy)#no qos profile sub_qos1
The following example shows a full configuration of subscriber level traffic management, including subscriber DPI QoS profile configuration. This example implies that the DPI traffic-management policy p1 includes a DPI ACL policy, DPI QoS profile, and a DPI traffic management action policy, and is also assigned to a subscriber. For a complete example describing how to configure per class per subscriber level traffic management, see Section 2.7.
[local]Redback(config)#dpi qos profile sub_qos1
[local]Redback(dpi-qos)#rate 64 burst 3000
[local]Redback(dpi-qos-rate)#conform mark dscp df
[local]Redback(dpi-qos-rate)#exceed drop
[local]Redback(dpi-qos-rate)#commit
[local]Redback(dpi-qos-rate)#exit
[local]Redback(dpi-qos)#exit
[local]Redback(config)#dpi traffic-management policy p1
[local]Redback(config-dpi-policy)#qos profile sub_qos1
[local]Redback(config-dpi-policy)#commit
Certain conditions can lead to a security service resource failure; for example, an ASP run-time failure can occur if the ASE card is physically removed or develops a hardware failure.
For information on the behavior of the Advanced Services Processor (ASP) during startup, failure, and recovery, see Reference [5].
You can configure whether the security service application drops traffic or bypasses the ASP when a resource failure occurs; by default, traffic bypasses the failed ASP.
To drop application traffic in the event of a resource failure, enter the following command in global configuration mode:
(config)#dpi traffic-management resource-failure-action drop
Reporting for advanced services like application traffic management is based on log messages. Log messages can be sent to the console, or the NetOp Element Management System (EMS) log mediation server and integrated with a third-party reporting solution such as Q1 Labs (http://www.q1labs.com/) or used by proprietary reporting solutions to generate deployment-specific reports. Log messages are generated when application traffic protocols are detected and to report statistics information. For information on configuring the NetOp EMS log mediation server, see Reference [9].
You can configure statistics reports to be sent to an external server at regular intervals. The ASP reports only incremental packet and byte statistics with timestamp information; all traffic-rate calculations are performed by the reporting solution.
For information on configuring logging to an external server, see Reference [3].
Statistics reporting is disabled by default. To enable statistics reporting, enter the following command in global configuration mode:
(config)#dpi traffic-management statistics
Statistics are sent to the log forwarding server every 30 minutes by default.
Statistics are sent on a per-subscriber basis. One statistics message is sent for each application protocol detected within the configured interval. Several log messages could be sent for a subscriber at every interval.
To configure how often statistics are sent to a log forwarding server, enter the following command in global configuration mode:
(config)#dpi traffic-management statistics interim-interval [minutes]
The following example configures logging to an external server, enables statistics reporting, and configures the frequency to send statistics.
[local]Redback(config)#asp security default
[local]Redback(config-asp-security-default)#log server 10.13.168.25 transport udp port 514
[local]Redback(config-asp-security-default)#log source 10.113.9.120
[local]Redback(config-asp-security-default)#commit
[local]Redback(config-asp-security-default)#exit
[local]Redback(config)#dpi traffic-management statistics interim-interval 30
Show commands display a variety of information for application traffic management. Enter show commands in any mode.
To display the following information... | Enter this command... |
---|---|
ACLs configured on the ASE card | show dpi asp slot/asp-id access-list [list-name] |
One or all QoS profiles configured on the ASE card | show dpi asp slot/asp-id qos profile [profile-name] |
DPI traffic management action policies configured on the ASE card | show dpi asp slot/asp-id traffic-management action policy [policy-name] |
DPI traffic management policies configured on the ASE card | show dpi asp slot/asp-id traffic-management policy [policy-name] |
Global traffic management statistics | show dpi asp slot/asp-id traffic-management statistics {sessions \| packet [in \| out] \| protocol protocol-name \| signature-file \| subscriber} |
Security service specific information per subscriber | show dpi circuit {agent-circuit-id agent-circuit-id \| agent-remote-id agent-remote-id \| slot/port[:chan-num[:sub-chan-num]] [circuit-id] \| username subscriber} traffic-management [sessions \| statistics sessions \| statistics [packet [in \| out]] {class \| protocol}] |
Supported traffic management applications, categories, or signature file information on the XCRP controller card | show dpi traffic-management [signature-file sig-filename] [application \| category [category-name]] |
Supported traffic management applications, categories, and their mapping on the ASP | show dpi asp slot/asp-id traffic-management [application \| category [category-name]] |
Statistics for the ASE card, such as Rx and Tx SPI counters, system memory information, and so on | show security asp slot/asp-id statistics {packet slot \| system} |
System-level information stored on the ASP | show security asp slot/asp-id system |
Signature file information stored on the ASP | show dpi asp slot/asp-id traffic-management signature-file |
The P2P signature file is referenced during DPI protocol analysis to detect and identify known P2P application traffic. Each SEOS version contains a built-in signature file that is current as of the release date. As existing P2P applications evolve and new applications emerge, the built-in signature file becomes less effective. Keeping the signature file current between SEOS releases is therefore essential to performing comprehensive application traffic management.
A new signature file containing updated application information, categories, and RC4 encrypted signatures is created and made available every six to eight weeks. If there is no signature information update required, no file is released.
To keep the file current, perform the following steps:
The configured signature file is saved to a protected memory area on the XCRP and the ASPs are notified of the signature file location. The ASPs download and validate the new file, then dynamically update their signature file definitions.
When you upgrade to a new SEOS version, a check is made to identify the current signature-file. If the signature-file packaged with the previous SEOS version is still being used, the new signature file with the new SEOS version is installed and the signature-file definition upgrade is forced on the ASPs. No configuration is required.
If it is determined that the signature file has been upgraded since the last SEOS version, verification is made to ensure the signature file in use is compatible with the new SEOS version. If the file is compatible, the signature file is not upgraded.
The signature file is available from an external server as a tarball which includes the signature file and associated release notes. The release notes specify SEOS compatibility and identify changes from the previous signature file.
To download the signature file tarball, you can use SFTP, FTP, or the SEOS copy command and copy the standalone signature file to the default XCRP directory.
For example:
copy scp://user@host/Signature-filename
The default directory for downloaded signature files is:
/flash/security/dpi/
The command to configure the signature file consists of specifying the filename and path. The configuration command validates the specified file, makes a compatibility check for the SEOS release, verifies file integrity, then saves the file to the protected /flash directory for automatic download to the ASPs.
To configure the signature file, enter the following command in global configuration mode:
(config)#dpi traffic-management signature-file sig-filename
The validated signature file is automatically downloaded by each ASP that has the service security tag. The file is saved to the local ASE directory. The applications, categories and signatures are extracted and the new signature set activated. If the activation of the signature file fails on the ASP, the ASP reboots and a critical event log entry is sent to the XCRP. An ASP with service security requires a valid signature file.
The filename format of the signature file is as follows:
App-Name-Major-Minor.sdf
Where App-Name is P2P, Major is the DPI engine major number, and Minor is the signature file release number.
The subscriber session limit refers to a single global value for the maximum number of TCP and UDP sessions allowed per subscriber. When you configure the subscriber session limit, you can specify whether packets associated with sessions that exceed the limit are dropped, or mapped to an action policy class. The sum of TCP and UDP sessions is limited to the configured value per subscriber. For example, if a session limit of 300 is configured, then the sum of the TCP and UDP sessions for a subscriber is limited to 300.
Subscriber session limiting is not enabled by default. To configure subscriber session limiting, enter the following command in global configuration mode:
(config)#dpi traffic-management maximum session max-sessions [exceed class class-name]
When you enable session limiting, all packets associated with sessions that exceed the session limit are dropped by default. To map all packets associated with sessions that exceed the session limit to an action policy class, specify a class name with the exceed class class-name construct.
When you modify the session limit, changes to the class name on new and existing sessions take effect immediately. If you reduce the session limit value to below the existing session count, no new sessions are allowed until the session count drops below the new limit value. Existing sessions are not impacted.
The following example configures a global subscriber session limit of 300. Packets associated with sessions that exceed this value are mapped to the action policy class cl_06.
[local]Redback(config)#dpi traffic-management maximum sessions 300 exceed class cl_06
To clear subscriber traffic management sessions, enter the following command in exec mode:
[local]Redback# clear dpi circuit {agent-circuit-id agent-circuit-id | agent-remote-id agent-remote-id | slot/port[:chan-num[:sub-chan-num]] circuit-id | username subscriber} traffic-management sessions
To clear all peak counters and all packet or byte counters, enter the following command in exec mode:
clear dpi asp slot/port traffic-management statistics
To clear all peak counters and all packet or byte counters for a specific subscriber, enter the following command in exec mode:
clear dpi circuit {agent-circuit-id agent-circuit-id | agent-remote-id agent-remote-id | slot/port[:chan-num[:sub-chan-num]] circuit-id | username subscriber} traffic-management statistics
To enable the generation of debug messages for the traffic management application, enter the following command in exec mode:
[local]Redback#debug dpi asp slot/asp-id traffic-management message-type trace {buffer | console | external} [level level]
For troubleshooting information, see Reference [1].
For information on ASE cards, ASP pools, and ASP groups, see Reference [4]. For configuration information, see Reference [2] and Reference [3].
!
asp security default
 log server 10.172.55.55 transport udp port 514
 log source 10.192.22.24
!
!
!
asp pool p2p-pool service security
 asp 13/1
 asp 13/2
asp group p2p-group pool p2p-pool
 asp-count 2
!
!
dpi qos profile p2p-qos_gold
 rate 2000 burst 5000
  exceed drop
!
dpi qos profile p2p-qos_markcs0
 mark dscp 0
!
dpi qos profile p2p-qos_markcs1
 mark dscp 8
!
dpi qos profile p2p-qos_markcs2
 mark dscp 16
!
dpi qos profile p2p-qos_markcs3
 mark dscp 24
!
dpi qos profile p2p-qos_markcs4
 mark dscp 32
!
dpi qos profile p2p-qos_markdf
 mark dscp 0
!
dpi qos profile p2p-qos_markef
 mark dscp 46
!
dpi qos profile p2p-qos_platinum
 rate 5000 burst 5000
  exceed drop
!
!
dpi qos profile p2p-qos_rtlimit100
 rate 100 burst 5000
  exceed drop
!
dpi qos profile p2p-qos_silver
 rate 1000 burst 5000
  exceed drop
!
dpi access-list p2p-acl-profiles
 default-class p2p-class_default
 seq 10 application skype class p2p-class_skype
 seq 20 application bit-torrent class p2p-class_bittorrent
 seq 30 application edonkey class p2p-class_edonkey
 seq 40 application yahoo-messenger class p2p-class_ym
!
dpi access-list p2p-acl_monitor
 default-class p2p-class_default
 seq 10 application skype class p2p-class_skype
 seq 20 application bit-torrent class p2p-class_bittorrent
 seq 30 application edonkey class p2p-class_edonkey
 seq 40 application yahoo-messenger class p2p-class_ym
 seq 50 application http class p2p-class_http
 seq 60 application gnutella class p2p-class_gnutella
 seq 70 application windows-live-messenger class p2p-class_msn
 seq 80 application youtube class p2p-class_youtube
 seq 90 application imap class p2p-class_imap
 seq 100 application quick-time class p2p-class_qtime
 seq 110 protocol esp any class p2p-class_esp
 seq 120 protocol ahp any class p2p-class_ah
 seq 130 protocol esp any class p2p-class_esp
 seq 140 protocol tcp any eq 21 range 1 65535 class p2p-class_ftp
 seq 150 protocol icmp any class p2p-class_icmp
 seq 160 protocol tcp any eq 21 range 1 65535 class p2p-class_ftp21
 seq 170 category voip class p2p-class_voip
!
dpi access-list p2p-acl_monitor2
 seq 180 category gaming class p2p-class_gaming
 seq 190 category p2p class p2p-class_p2p
 seq 200 category file-transfer class p2p-class_ftp
 seq 210 category file-transfer 10.192.17.68/32 class p2p-class_ftp-cebox
!
dpi traffic-management action policy p2p-action_gold
 class p2p-class_default
  qos profile p2p-qos_gold
 class p2p-class_p2p
  qos profile p2p-qos_gold
  log detection
 class p2p-class_skype
  log detection
!
dpi traffic-management action policy p2p-action_platinum
 class p2p-class_default
  qos profile p2p-qos_platinum
 class p2p-class_p2p
  qos profile p2p-qos_platinum
  log detection
!
dpi traffic-management action policy p2p-action_silver
 class p2p-class_bittorrent
  log detection
  drop
 class p2p-class_default
  qos profile p2p-qos_silver
 class p2p-class_edonkey
  log detection
  drop
 class p2p-class_p2p
  qos profile p2p-qos_silver
  log detection
 class p2p-class_skype
  log detection
 class p2p-class_ym
  log detection
  drop
!
dpi traffic-management action policy p2p-action_monitor
 default-class p2p-class_default
 class p2p-class_ah
  qos profile p2p-qos_markef
  log detection
 class p2p-class_bittorrent
  log detection
 class p2p-class_edonkey
  drop
 class p2p-class_esp
  qos profile p2p-qos_markcs0
  log detection
 class p2p-class_ftp
  qos profile p2p-qos_markcs1
  log detection
 class p2p-class_ftp-cebox
  log detection
 class p2p-class_ftp21
  qos profile p2p-qos_markcs3
  log detection
 class p2p-class_gaming
  log detection
 class p2p-class_gnutella
  log detection
 class p2p-class_http
  qos profile p2p-qos_markef
  log detection
 class p2p-class_icmp
  qos profile p2p-qos_markcs2
  log detection
 class p2p-class_imap
  log detection
 class p2p-class_msn
  log detection
 class p2p-class_p2p
  drop
 class p2p-class_qtime
  log detection
 class p2p-class_skype
  log detection
 class p2p-class_voip
  log detection
 class p2p-class_ym
  log detection
 class p2p-class_youtube
  log detection
!
!
dpi traffic-management statistics
!
dpi traffic-management policy p2p-pol_gold
 action policy p2p-action_gold
 access-group p2p-acl_gold
!
dpi traffic-management policy p2p-pol_monitor
 action policy p2p-action_monitor
 access-group p2p-acl_monitor
!
dpi traffic-management policy p2p-pol_platinum
 action policy p2p-action_platinum
 access-group p2p-acl_platinum
!
dpi traffic-management policy p2p-pol_silver
 action policy p2p-action_silver
 access-group p2p-acl_silver
context local
!
!
context p2p
!
 no ip domain-lookup
!
 interface subscriber multibind
  ip address 40.1.1.1/24
  ip pool 40.1.1.0/24 name pc_pool
!
 interface to_Cisco7200
  ip address 150.10.1.1/24
 logging console
!
 subscriber name joe
  password joe
  ip address pool name pc_pool
  dpi traffic-management policy p2p-pol_monitor
!
 ip route 0.0.0.0/0 150.10.1.2
 ip route 40.0.0.0/24 150.10.1.2
!
!
 asp-group p2p-group service security
!
! ** End Context **
!
!Ethernet connectivity fault management configuration
!
!
card ge3-4-port 4
!
port ethernet 4/1
 no shutdown
 bind interface to_Cisco7200 p2p
!
!
card ether-12-port 9
!
port ethernet 9/1
 no shutdown
 encapsulation pppoe
 bind authentication chap pap context p2p
!
card ase 13
!
!
no service console-break
!
service crash-dump-dram
!
no service auto-system-recovery
!
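The example configuration depends on a chain of named references: a subscriber names a DPI traffic management policy, the policy names an access list and an action policy, and the action policy names QoS profiles. The following Python check is an added example, not part of the original guide or Ericsson software; it reports nested references to objects that are never defined. It assumes the configuration is available one command per line with nested commands indented, and its sample input is a constructed excerpt that re-types a few commands from the example.

```python
import re

# Constructed excerpt: commands re-typed from the example, one per line.
SAMPLE = """\
dpi qos profile p2p-qos_gold
dpi access-list p2p-acl_monitor
 seq 10 application skype class p2p-class_skype
dpi traffic-management action policy p2p-action_gold
 class p2p-class_default
  qos profile p2p-qos_gold
dpi traffic-management action policy p2p-action_monitor
 class p2p-class_skype
  log detection
dpi traffic-management policy p2p-pol_gold
 action policy p2p-action_gold
 access-group p2p-acl_gold
dpi traffic-management policy p2p-pol_monitor
 action policy p2p-action_monitor
 access-group p2p-acl_monitor
context p2p
 subscriber name joe
  dpi traffic-management policy p2p-pol_monitor
"""

# kind, top-level command that defines it, nested command that references it
KINDS = [("qos profile", r"dpi qos profile (\S+)$", r"qos profile (\S+)$"),
         ("access-list", r"dpi access-list (\S+)$", r"access-group (\S+)$"),
         ("action policy", r"dpi traffic-management action policy (\S+)$", r"action policy (\S+)$"),
         ("policy", r"dpi traffic-management policy (\S+)$", r"dpi traffic-management policy (\S+)$")]

def check(text):
    """Return one finding per nested reference to an object that is never defined."""
    defined, used, owner = set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        nested = raw[0].isspace()          # indented lines belong to the last top-level command
        owner = owner if nested else line
        for kind, define_re, use_re in KINDS:
            m = re.match(use_re if nested else define_re, line)
            if m and nested:
                used.append((kind, m.group(1), owner))
            elif m:
                defined.add((kind, m.group(1)))
    return sorted(f"{o}: undefined {k} {n}" for k, n, o in used if (k, n) not in defined)

if __name__ == "__main__":
    print("\n".join(check(SAMPLE)) or "all references resolve")
```

On the excerpt it reports the access-group `p2p-acl_gold` named by `p2p-pol_gold`, for which the excerpt contains no `dpi access-list` definition.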
config
 dpi access-list
  application
  category
  default-class
  protocol
 dpi qos profile
  mark
   mark dscp
   mark precedence
   mark priority
  rate
   conform mark dscp
   conform mark precedence
   conform mark priority
   exceed drop
   exceed mark dscp
   exceed mark precedence
   exceed mark priority
 dpi traffic-management action policy
  class
   drop
   log detection
   qos profile
  default class
 dpi traffic-management maximum sessions
 dpi traffic-management policy
  access-group
  action policy
  qos profile
 dpi traffic-management resource-failure-action
 dpi traffic-management statistics
 context
  subscriber
   dpi traffic-management policy
exec
 clear dpi asp
 clear dpi circuit traffic-management statistics
 clear dpi circuit traffic-management sessions
 debug dpi asp traffic-management
all modes
 show dpi asp access-list
 show dpi asp qos profile
 show dpi asp traffic-management action policy
 show dpi asp traffic-management policy
 show dpi asp traffic-management statistics
 show dpi circuit
 show dpi traffic-management
 show security asp statistics
 show security asp system
ACL | Access Control List |
ASP | Advanced Services Processor |
CoA | Change of Authorization |
DPI | Deep Packet Inspection |
DSCP | Differentiated Services Code Point |
QoS | Quality of Service |
[1] Advanced Services Fault Management Guide, 3/1543-CRA 119 1170/1.
[2] Advanced Services Configuration and Operation Using the NetOp EMS Software, 1553-CRA 119 1170/1.
[3] Advanced Services Configuration and Operation Using the SmartEdge OS CLI, 1/1543-CRA 119 1170/1.
[4] Advanced Services Infrastructure Overview, 1/221 02-CRA 119 1170/1.
[5] Advanced Services Startup, Failure and Recovery, 1/1553-CRA 119 1170/1.
[6] Application Traffic Management Command Reference, 190 80-CRA 119 1170/1.
[7] Application Traffic Management Overview, 221 02-CRA 119 1170/1.
[8] Configuring Rate-Limiting and Class-Limiting, 55/1543-CRA 119 1170/1.
[9] Log Mediation Server, 1/1553-CRA 119 1171/1.