Configuring HTTP Redirect

Contents

1   Overview
2   Configuration and Operations Tasks
2.1   Configure Subscriber Authentication and Reauthorization
2.2   Configure an IP ACL and Apply It to Subscribers
2.3   Configure the HTTP Server on the Active Controller Card
2.4   Configure and Attach an HTTP Redirect Profile to Subscribers
2.5   Configure a Policy ACL That Classifies HTTP Packets
2.6   Configure and Attach a Forward Policy to Redirect HTTP Packets
2.7   Operations Tasks
3   Configuration Examples

Copyright

© Ericsson AB 2009–2010. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.

Disclaimer

The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.

Trademark List
SmartEdge is a registered trademark of Telefonaktiebolaget LM Ericsson.

1   Overview

This document provides an overview of the HTTP redirect features on the SmartEdge® router and describes the tasks used to configure, monitor, and administer HTTP redirect. This document also provides a configuration example of HTTP redirect.

HTTP redirect enables service providers to interrupt subscriber HTTP sessions and to redirect them to a preconfigured URL. By default, a message displays to the subscriber for a period of time while the subscriber HTTP session is redirected to a preconfigured URL. The default message reads “Please wait while you are redirected . . ..” and the default timeout period is 1 second. You have the option of configuring a customized HTTP redirect message and timeout period. You also have the option to provide the subscriber’s identity attributes along with the URL and encrypt this data.

Applications of the HTTP redirect feature include the ability to require customer registration, to direct customers to web sites for downloading virus protection software, and to advertise new services or software updates.

Note:  
In the following descriptions, the term, controller card, applies to the Cross-Connect Route Processor (XCRP4) Controller card, unless otherwise noted.

The SmartEdge router provides a lightweight HTTP server on its controller card. When a subscriber initiates an HTTP session, authentication triggers an HTTP redirect when two conditions are in place: an HTTP redirect profile containing a new URL is attached to the subscriber record, and a forward policy that redirects HTTP traffic to the HTTP server on the controller card is attached to the subscriber circuit. HTTP packets must be permitted to pass through to the external HTTP server that hosts the redirect URL. The subscriber session opens to the web page indicated by the redirect URL. The forward policy that performs the redirection is removed through the subscriber reauthorization mechanism.

2   Configuration and Operations Tasks

Note:  
In this section, the command syntax in the task tables displays only the root command; for the complete command syntax, see Command List.

To configure, monitor, and troubleshoot HTTP redirect features, perform the tasks described in the following sections:

2.1   Configure Subscriber Authentication and Reauthorization

To configure subscriber authentication and reauthorization, see Configure Subscriber Authentication and Configure Dynamic Subscriber Reauthorization.

2.2   Configure an IP ACL and Apply It to Subscribers

To let redirected subscribers reach the new web page, configure an IP access control list (ACL) that permits access to that web page and apply it to the subscriber circuits (their records or profiles) that are to be redirected. To configure and apply an IP ACL, see Configuring ACLs.

2.3   Configure the HTTP Server on the Active Controller Card

To configure the HTTP server on the active controller card, perform the tasks described in Table 1.

Table 1    Configure the HTTP Server on the Controller Card

| Task | Root Command | Notes |
|---|---|---|
| Enable the HTTP server on the controller card and access HTTP redirect server configuration mode. | http-redirect server | Enter this command in global configuration mode. |
| Optional. Select the port on which HTTP server listens. | port (http) | Enter this command in HTTP redirect server configuration mode. |

2.4   Configure and Attach an HTTP Redirect Profile to Subscribers

To configure and attach an HTTP redirect profile to subscribers, perform the tasks described in Table 2.

Table 2    Configure and Attach an HTTP Redirect Profile to Subscribers

| Task | Root Command | Notes |
|---|---|---|
| Configure an HTTP redirect profile and access HTTP redirect profile configuration mode. | http-redirect profile | Enter this command in context configuration mode. |
| Optional. Configure the http-redirect message to display to the subscriber before the http-subscriber session is redirected. | message | Enter this command in HTTP redirect profile configuration mode. |
| Optional. Sets the maximum time the SmartEdge router displays the customized http-redirect message to the subscriber before the subscriber HTTP session is redirected to the preconfigured URL. | timeout (HTTP redirect) | Enter this command in HTTP redirect profile configuration mode. |
| Configure the URL to which subscriber sessions are to be redirected. | url | Enter this command in HTTP redirect profile configuration mode. |
| Attach the HTTP redirect profile to a subscriber record, a named subscriber profile, or the default subscriber profile. | http-redirect profile | Enter this command in subscriber configuration mode. |


 Caution! 
Risk of redirect loop. Redirect can recur until an IP ACL that permits access to the new web page is applied to the subscriber record or profile. To reduce the risk, before modifying an existing URL, ensure that the subscriber record includes an IP ACL that permits access to the new URL.

The SmartEdge OS applies an HTTP profile in the following order of precedence:

  1. Uses the vendor-specific attribute (VSA) 107 provided by Ericsson AB, HTTP-Redirect-Profile-Name, in the subscriber record returned by the RADIUS server in Access-Accept packets for the subscriber.
  2. If the RADIUS server does not return an HTTP profile name, it uses the HTTP profile attached to the named subscriber configured in the context.
  3. If the named subscriber does not have an HTTP profile attached to it, it uses the HTTP profile attached to the named subscriber profile configured in the context.
  4. If the subscriber profile does not have an HTTP profile attached to it, it uses the HTTP profile attached to the default subscriber profile configured in the context.

2.5   Configure a Policy ACL That Classifies HTTP Packets

To configure a policy access control list (ACL) that classifies HTTP packets for the forward policy that redirects HTTP packets, perform the tasks described in Table 3.

Table 3    Configure a Policy ACL That Classifies HTTP Packets

| Task | Root Command | Notes |
|---|---|---|
| Create or select the policy ACL and enter access control list configuration mode. | policy access-list | Enter this command in context configuration mode. |
| Assign HTTP packets that are destined to the web server hosting the URL to a separate class. | permit | Enter this command in access control list configuration mode. Use the following construct: permit tcp any host ip-addr eq www class class-name where the ip-addr argument is the IP address of the web server hosting the URL that you configured in step 2 in Table 2. |
| Assign all other HTTP packets to a different class. | permit | Enter this command in access control list configuration mode. Use the following construct: permit tcp any any eq www class class-name where the class-name argument is distinct from the one you configured in step 2. |

2.6   Configure and Attach a Forward Policy to Redirect HTTP Packets

To configure a forward policy to redirect HTTP packets and attach it to a circuit or subscriber, perform the tasks described in Table 4.

Table 4    Configure and Attach a Forward Policy to Redirect HTTP Packets

| Task | Root Command | Notes |
|---|---|---|
| Create or select the forward policy and access forward policy configuration mode. | forward policy | Enter this command in global configuration mode. For more information about forward policies, see Configuring Forward Policies. |
| Apply the policy ACL that you configured in Table 3 to the forward policy and access policy ACL configuration mode. | access-group | Enter this command in forward policy configuration mode. |
| Specify all HTTP packets and access policy ACL class configuration mode. | class | Enter this command in policy ACL configuration mode. Use the class-name argument that you specified in step 3 in Table 3. |
| Redirect HTTP packets to the HTTP server on the controller card. | redirect destination local | Enter this command in policy ACL class configuration mode. |
| Attach the forward policy to a circuit, a subscriber record, named subscriber profile, or default subscriber profile. | forward policy in | Enter this command in ATM DS-3, ATM OC, ATM PVC, dot1q PVC, DS-0 group, DS-1, DS-3, Frame Relay PVC, port, or subscriber configuration mode. For more information about forward policies, see Configuring Forward Policies. |

2.7   Operations Tasks

To monitor and troubleshoot the HTTP redirect features, perform the appropriate HTTP redirect operations tasks described in Table 5. Enter the debug command in exec mode; enter the show commands in any mode.

Table 5    HTTP Redirect Operations Tasks

| Task | Command |
|---|---|
| Enable the generation of debug messages for the HTTP redirect events and error messages. | debug hr |
| Display the current HTTP redirect configuration. | show configuration hr |
| Display HTTP redirect circuit information. | show http-redirect circuit |

3   Configuration Examples

The following example provides a simple HTTP redirect configuration:

!First enable the HTTP redirect server on the controller card:

[local]Redback(config)#http-redirect server

[local]Redback(config-hr-server)#port 80 8080

[local]Redback(config-hr-server)#exit



!Configure the HTTP redirect profile, customized http-redirect message, timeout and url:

[local]Redback(config)#context local

[local]Redback(config-ctx)#http-redirect profile Redirect

[local]Redback(config-hr-profile)#message "Please wait while you are redirected to the customer portal server. Thank you."

[local]Redback(config-hr-profile)#timeout 30

[local]Redback(config-hr-profile)#url http://www.Redirect.com

[local]Redback(config-hr-profile)#exit



!Attach the HTTP redirect profile to the default subscriber profile:

[local]Redback(config-ctx)#subscriber default

[local]Redback(config-sub)#http-redirect profile Redirect

[local]Redback(config-sub)#exit



!Create a policy ACL:

[local]Redback(config-ctx)#policy access-list http-packets

!Create class abc for HTTP packets that are destined to the web server with the new URL:

[local]Redback(config-access-list)#permit tcp any host 10.1.1.1 eq www class abc



!Create class xyz for all other HTTP packets to be redirected using the forward policy:

[local]Redback(config-access-list)#permit tcp any any eq www class xyz

[local]Redback(config-ctx)#exit



!Create the forward policy:

[local]Redback(config)#forward policy www-redirect



!Apply the policy ACL that classifies HTTP packets:

[local]Redback(config-policy-frwd)#access-group http-packets local

!Redirect all HTTP packets except those destined to the web server (class xyz)
!to the HTTP server on the controller card:

[local]Redback(config-policy-group)#class xyz

[local]Redback(config-policy-group-class)#redirect destination local

[local]Redback(config-policy-group-class)#exit



!Packets that are destined to the web server (class abc) use normal routing (no action).

[local]Redback(config-policy-group)#class abc

[local]Redback(config-policy-group-class)#exit

[local]Redback(config-policy-group)#exit

[local]Redback(config-policy-frwd)#exit



!Attach the forward policy to incoming packets on ATM PVC 3 5:

[local]Redback(config)#port atm 4/1

[local]Redback(config-atm)#no shutdown

[local]Redback(config-atm-oc)#atm pvc 3 5 profile atm-pro encapsulation bridge1483

[local]Redback(config-atm-pvc)#forward policy www-redirect in



!Bind the appropriate subscriber record to the ATM PVC:

[local]Redback(config-atm-pvc)#bind subscriber joe@local
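
The following Python check is an added example, not part of the Ericsson documentation or the SmartEdge OS. It parses the policy ACL and forward policy lines from the configuration above (prompts stripped, embedded as a constructed sample) and verifies that HTTP traffic to the web server at 10.1.1.1 stays out of the class that is redirected to the controller card. It assumes ACL statements are evaluated top-down with the first match winning; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: policy ACL and forward policy lines from the example
# above, with the CLI prompts stripped.
CONFIG = """\
policy access-list http-packets
 permit tcp any host 10.1.1.1 eq www class abc
 permit tcp any any eq www class xyz
forward policy www-redirect
 access-group http-packets local
  class xyz
   redirect destination local
  class abc
"""

PERMIT = re.compile(r"permit tcp any (any|host (\S+)) eq www class (\S+)")

def parse(config):
    """Return (ordered ACL rules, classes redirected to the local HTTP server)."""
    rules, redirected, current = [], set(), None
    for line in (raw.strip() for raw in config.splitlines()):
        m = PERMIT.fullmatch(line)
        if m:
            rules.append((m.group(2), m.group(3)))  # (host, class); host None = "any"
        elif line.startswith("class "):
            current = line.split()[1]
        elif line == "redirect destination local" and current:
            redirected.add(current)
    return rules, redirected

def classify(rules, dst_ip):
    """Assumption: statements are evaluated in order and the first match wins."""
    dst = ipaddress.ip_address(dst_ip)
    for host, cls in rules:
        if host is None or ipaddress.ip_address(host) == dst:
            return cls
    return None

def audit(config, portal_ip):
    """Return findings; an empty list means portal traffic is not redirected."""
    rules, redirected = parse(config)
    findings = []
    portal_class = classify(rules, portal_ip)
    if portal_class in redirected:
        findings.append(f"portal {portal_ip} falls in redirected class "
                        f"{portal_class}: redirect loop")
    if not any(host is None and cls in redirected for host, cls in rules):
        findings.append("no catch-all HTTP class is redirected")
    return findings
```

Running `audit(CONFIG, "10.1.1.1")` on the configuration as written returns no findings; placing the `any any` statement before the host-specific one makes the web server's traffic fall into class xyz and is reported as a redirect loop.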