IP source guard [VAS Experts Documentation]

Page en:dpi:bras_bng:bras_l2_options:bras_l2_vlan_ipsg, revision 2026/03/03 14:01 (current), edited by elena.krasnobryzh; previous revision 2024/09/26 15:29 (created, external edit from 127.0.0.1). The text below is the current revision.
====== IP source guard ======

===== Purpose =====
FastDPI BNG verifies the consistency between subscriber VLAN tags and the subscriber IP address.

When assigning an IP address via DHCP, FastDPI BNG stores the subscriber VLAN/QinQ tags in the built-in [[en:dpi:dpi_components:platform:dpi_admin:admin_db#activation_of_built-in_udr|UDR]] database. These data are later used to validate the correspondence between the packet source IP and its VLAN tags.

IP source guard is applied only to outbound traffic (LAN → WAN).

===== Enabling the mode =====
To activate, set the parameter ''bras_ip_source_guard'' in the fastdpi.conf file:

  * 0 — mode disabled (default)
  * 1 — mode enabled and applied only to active sessions

If after restarting fastDPI the session state is unknown, IP source guard is not applied and the packet is allowed.

===== Packet processing logic =====
With ''bras_ip_source_guard=1'', a packet is allowed if:

  * the session is active and the packet VLAN tags match the tags registered during DHCP
  * the session status is unknown

In all other cases, the packet is dropped.

===== AS-based termination mode =====
The [[en:dpi:bras_bng:bras_l2_vlan_term:bras_l2_vlan_term_as|AS-based termination]] mode is available.

In this mode, IP source guard is applied only to source IP addresses whose AS is marked with the ''term'' flag.

===== Filtering by source AS flags =====
Additional filtering of subscriber traffic by AS flags is supported in the subs → inet direction before packet processing. The mechanism is intended to block outbound DDoS traffic with spoofed IP addresses originating from the operator network.

The parameter ''ip_filter_source_as_flags'' (hot) is used in fastdpi.conf.

Only packets whose source IP AS contains at least one of the specified flags are allowed for processing. Otherwise, the packet is dropped.

Flag values (bitmask):

  * ''0'' — filtering disabled (default), ''ip_filter_source_as_flags=0x0''
  * ''0x0100'' — pass
  * ''0x0200'' — local
  * ''0x0400'' — peer
  * ''0x0800'' — term
  * ''0x1000'' — mark1
  * ''0x2000'' — mark2
  * ''0x4000'' — mark3
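The following Python model is an added example, not fastDPI code, that puts the two checks described on this page (the source-AS flag filter, applied first, and IP source guard, applied to LAN → WAN traffic) into one decision function so an operator can reason about which packets are dropped under a given fastdpi.conf. The bitmask values are the ones listed above; the session states, the UDR lookup, the ''as_termination_mode'' switch, the ''Packet''/''Session''/''Config'' types and all sample packets are constructed for this illustration and do not reflect fastDPI internals.

```python
"""Constructed model of the two subscriber-egress checks described on the page:
the source-AS flag filter (ip_filter_source_as_flags) and IP source guard
(bras_ip_source_guard).  Illustration only, not fastDPI code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# AS flag bitmask values exactly as listed in the documentation
AS_PASS, AS_LOCAL, AS_PEER, AS_TERM = 0x0100, 0x0200, 0x0400, 0x0800
AS_MARK1, AS_MARK2, AS_MARK3 = 0x1000, 0x2000, 0x4000


@dataclass(frozen=True)
class Packet:                      # constructed type
    src_ip: str
    vlan_tags: Tuple[int, ...]     # (outer, inner) for QinQ, (vlan,) for a single tag
    direction: str                 # "lan2wan" (subs -> inet) or "wan2lan"


@dataclass
class Session:                     # constructed type
    state: str                     # "active", or "unknown" after a fastDPI restart
    dhcp_tags: Tuple[int, ...]     # VLAN/QinQ tags stored in UDR at DHCP time


@dataclass
class Config:                      # constructed type mirroring the two fastdpi.conf options
    bras_ip_source_guard: int = 0        # 0 = disabled (default), 1 = enabled
    ip_filter_source_as_flags: int = 0   # 0x0 = filtering disabled (default)
    as_termination_mode: bool = False    # hypothetical switch standing in for AS-based termination


def as_flag_filter(src_as_flags: int, cfg: Config) -> bool:
    """True if the packet may enter processing: the source IP's AS must carry at
    least one of the configured flags; a mask of 0 disables the filter."""
    if cfg.ip_filter_source_as_flags == 0:
        return True
    return (src_as_flags & cfg.ip_filter_source_as_flags) != 0


def ip_source_guard(pkt: Packet, sess: Optional[Session], src_as_flags: int, cfg: Config) -> bool:
    """True if the packet passes, or is exempt from, IP source guard."""
    if cfg.bras_ip_source_guard == 0 or pkt.direction != "lan2wan":
        return True                      # mode off, or not outbound traffic
    if cfg.as_termination_mode and not (src_as_flags & AS_TERM):
        return True                      # guard applies only to sources whose AS has the term flag
    if sess is None:
        return False                     # assumption: no session falls under "all other cases"
    if sess.state == "unknown":
        return True                      # state unknown after restart: packet is allowed
    return sess.state == "active" and sess.dhcp_tags == pkt.vlan_tags


def process(pkt: Packet, udr: Dict[str, Session], as_table: Dict[str, int], cfg: Config) -> str:
    """Source-AS filter runs before packet processing; IP source guard follows."""
    src_as_flags = as_table.get(pkt.src_ip, 0)
    if not as_flag_filter(src_as_flags, cfg):
        return "drop: source AS flags"
    if not ip_source_guard(pkt, udr.get(pkt.src_ip), src_as_flags, cfg):
        return "drop: ip source guard"
    return "allow"


def demo() -> List[str]:
    """Runs constructed sample packets through both checks and returns the verdicts."""
    cfg = Config(bras_ip_source_guard=1, ip_filter_source_as_flags=AS_LOCAL | AS_TERM)
    udr = {                                            # constructed UDR contents
        "10.0.0.5": Session("active", (100, 200)),
        "10.0.0.9": Session("unknown", (300,)),
    }
    as_table = {                                       # constructed source-IP -> AS flags map
        "10.0.0.5": AS_LOCAL | AS_TERM,
        "10.0.0.9": AS_TERM,
        "198.51.100.7": AS_PEER,                       # not an operator-network AS
    }
    samples = [
        Packet("10.0.0.5", (100, 200), "lan2wan"),     # tags match DHCP record
        Packet("10.0.0.5", (100, 201), "lan2wan"),     # inner tag differs
        Packet("10.0.0.9", (999,), "lan2wan"),         # session unknown after restart
        Packet("198.51.100.7", (100, 200), "lan2wan"), # spoofed source, AS lacks local/term
        Packet("10.0.0.5", (100, 201), "wan2lan"),     # inbound: guard not applied
    ]
    return [process(p, udr, as_table, cfg) for p in samples]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of the two checks follows the page: the AS flag filter decides whether a packet enters processing at all, so a spoofed source whose AS carries none of the configured flags never reaches the VLAN comparison. Setting ''as_termination_mode=True'' in the constructed config exempts any source whose AS lacks the ''term'' flag from the guard, which is how the AS-based termination section reads.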