| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| en:dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_response [2025/09/03 08:37] – elena.krasnobryzh | en:dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_response [2026/03/25 11:45] (current) – [2. Policing with absolute values (simplified format)] elena.krasnobryzh |
|---|
| |
| ===== VasExperts-Policing-Profile ===== | ===== VasExperts-Policing-Profile ===== |
| The response to an Access-Accept must contain no more than one of this attribute.\\ | |
| - Preconfigured policing \\ A string attribute specifying the [[en:dpi:dpi_components:platform:subscriber_management:subsman_profiles|policing profile name]] for the user. \\ ''VasExperts-Policing-Profile = "50Mbps"'' | |
| - Policing with absolute values transfer \\ ''VasExperts-Policing-Profile = "BV##100000#100000#+++-++++"'' \\ here: | |
| * ''BV'' --- By Value | |
| * ''##100000'' --- Internet-to-subscriber limit in Kbps | |
| * ''#100000'' --- Subscriber-to-Internet limit in Kbps | |
| * ''#+++-++++'' --- cs0 ... cs7, rate(cs3)=0, cs3 is blocked, other classes are allowed at root speed with borrowing (HTB algorithm). | |
| |
| ===== VasExperts-Service-Profile ===== | The ''VasExperts-Policing-Profile'' attribute is included in the Access-Accept response and is responsible for applying policing rules. |
| A string option specifying the profile name for a specific fastDPI service. Used format: | |
| | <note important>The Access-Accept response must contain **no more than one** ''VasExperts-Policing-Profile'' attribute.</note> |
| | |
| | Profile configuration options: |
| | |
| | ==== 1. Preconfigured Profile==== |
| | A string attribute that specifies the name of the [[dpi:dpi_components:platform:subscriber_management:subsman_profiles|policing profile]]: |
| | <code>VasExperts-Policing-Profile = “50Mbps”</code> |
| | |
| | ====2. Policing with absolute values (simplified format)==== |
| | <code>VasExperts-Policing-Profile = “BV##100000#100000#+++-++++”</code> |
| | where: |
| | * ''BV'' — By Value, the HTB algorithm is used, where the ceil for each class is equal to the root rate |
| | * ''##100000'' — limit from the Internet to the subscriber (download), kbps |
| | * ''#100000'' — limit from subscriber to Internet (upload), kbps |
| | * ''#+++-++++'' — permission for classes cs0 … cs7, rate(cs3)=0 — class cs3 is blocked, other classes use root speed with the possibility of borrowing (HTB) |
| | |
| | ====3. Policing with Absolute Value Transmission (Extended HTB Format)==== |
| | SSG DPI uses [[en:dpi:dpi_options:opt_bandwidth_mgmt:bandwidth_conf|two types of policing]] — HTB (Hierarchical Token Bucket) and TBF (Token Bucket Filter). The examples below use the **HTB** algorithm with a minimum (rate) and maximum (ceil) speed limit for each class. |
| | |
| | The policing profile defines the overall rate (root) and the rate for each traffic class (cs0 … cs7) |
| | |
| | It allows you to set the rate and ceil parameters for each class separately and contains 36 parameters. |
| | |
| | <note important>Zero values are not passed</note> |
| | |
| | Format (displayed as a single line without line breaks): |
| | <code>VasExperts-Policing-Profile = "BR##4#<RIN><ROUT><CIN><COUT><RIN0><ROUT0><CIN0><COUT0><RIN1><ROUT1><CIN1><COUT1><RIN2><ROUT2><CIN2><COUT2><RIN3><ROUT3><CIN3><COUT3><RIN4><ROUT4><CIN4><COUT4><RIN5><ROUT5><CIN5><COUT5><RIN6><ROUT6><CIN6><COUT6><RIN7><ROUT7><CIN7><COUT7> |
| | </code> |
| | |
| | where: |
| | * ''BR'' — By Rates |
| | * ''##4#'' — HTB is used; the rate and ceil are transmitted for inbound and outbound traffic |
| | * ''<RIN>'' — kbps root rate (#8192k), the total rate for all classes for inbound traffic (download) |
| | * ''<ROUT>'' — kbps root rate (#8192k), total speed for all classes for outbound traffic (upload) |
| | * ''<RIN0> … <RIN7>'' — kbps class rate, minimum speed by class for inbound traffic (download) |
| | * ''<CIN0> … <CIN7>'' — kbps ceiling rate, maximum speed per class for inbound traffic (download) |
| | * ''<ROUT0> … <ROUT7>'' — kbps class rate, minimum speed per class for outbound traffic (upload) |
| | * ''<COUT0> … <COUT7>'' — kbps ceiling rate, maximum speed (ceiling) by class for outbound traffic (upload) |
| | |
| | <note important>The sum of the rates by class must be ≤ root rate\\ The ceiling of each class must be ≤ root rate</note> |
| | |
| | ===Example=== |
| | For convenience, it has been broken into lines, but it must be sent as a single line. |
| <code> | <code> |
| service_id:profile_name | VasExperts-Policing-Profile = "BR##4# |
| | 8192k8192k65M65M |
| | 1024k1024k8192k8192k |
| | 1024k1024k8192k8192k |
| | 1024k1024k8192k8192k |
| | 1024k1024k8192k8192k |
| | 1024k1024k8192k8192k |
| | 1024k1024k8192k8192k |
| | 1024k1024k8192k8192k |
| | 1024k1024k8192k8192k" |
| </code> | </code> |
| Here: | |
| * ''service_id'' – is the number representing [[en:dpi:dpi_components:platform:subscriber_management:subsman_cmd|the fastDPI service identifier]] | |
| * ''profile_name'' – is the string representing [[en:dpi:dpi_components:platform:subscriber_management:subsman_profiles|the profile name according to the service]] | |
| |
| **Example 1,** activating the NAT (11) service with the “cgnat” profile: | === DPI Test === |
| | <code>sudo fdpi_ctrl list --policing --ip <ip> | sed 's/\s/\n/g'</code> |
| | |
| | Sample output: |
| <code> | <code> |
| | htb_inbound_root=rate 8192kbit |
| | htb_inbound_class0=rate 1024kbit ceil 8192kbit |
| | htb_inbound_class1=rate 1024kbit ceil 8192kbit |
| | htb_inbound_class2=rate 1024kbit ceil 8192kbit |
| | htb_inbound_class3=rate 1024kbit ceil 8192kbit |
| | htb_inbound_class4=rate 1024kbit ceil 8192kbit |
| | htb_inbound_class5=rate 1024kbit ceil 8192kbit |
| | htb_inbound_class6=rate 1024kbit ceil 8192kbit |
| | htb_inbound_class7=rate 1024kbit ceil 8192kbit |
| | |
| | htb_root=rate 8192kbit |
| | htb_class0=rate 1024kbit ceil 8192kbit |
| | htb_class1=rate 1024kbit ceil 8192kbit |
| | htb_class2=rate 1024kbit ceil 8192kbit |
| | htb_class3=rate 1024kbit ceil 8192kbit |
| | htb_class4=rate 1024kbit ceil 8192kbit |
| | htb_class5=rate 1024kbit ceil 8192kbit |
| | htb_class6=rate 1024kbit ceil 8192kbit |
| | htb_class7=rate 1024kbit ceil 8192kbit |
| | </code> |
| | |
| | ===== VasExperts-Service-Profile ===== |
| | |
| | A string parameter that specifies the profile name for a specific fastDPI service.\\ String format: |
| | <code bash> |
| | service_id:profile_name |
| | </code> |
| | Where: |
| | - ''service_id'' — a number, [[dpi:dpi_components:platform:subscriber_management:subsman_cmd|fastDPI service identifier]]; |
| | - ''profile_name'' — a string, [[dpi:dpi_components:platform:subscriber_management:subsman_profiles|the profile name for the service]]. |
| | |
| | <note tip>The authorization response may contain zero or more ''VasExperts-Service-Profile'' attributes—one attribute for each service.</note> |
| | |
| | ====Example 1. NAT Connection==== |
| | NAT connection (service 11) using the "cgnat" profile. |
| | |
| | <code bash> |
| VasExperts-Service-Profile="11:cgnat" | VasExperts-Service-Profile="11:cgnat" |
| </code> | </code> |
| |
| **Example 2,** connecting the [[en:dpi:dpi_options:opt_capture|Allow List and Captive Portal, HTTP redirect]] (service 16) specifying page parameters for redirect "http://info.com" and allowed list of IP addresses "/var/lib/dpi/ip_list.bin": | ====Example 2. Configuring the Whitelist==== |
| <code> | Configuring [[en:dpi:dpi_options:opt_capture|Whitelist and Captive Portal, HTTP redirect]] (16 services) with the redirect page parameters set to "http://info.com" and the allowed IP address list set to "''/var/lib/dpi/ip_list.bin''". |
| | |
| | <code bash> |
| VasExperts-Service-Profile = "16:BV##/var/lib/dpi/ip_list.bin#http://info.com" | VasExperts-Service-Profile = "16:BV##/var/lib/dpi/ip_list.bin#http://info.com" |
| </code> | </code> |
| |
| <note tip>The authorization response may contain zero or more ''VasExperts-Service-Profile attributes'', one attribute for each service.</note> | ====Example 3. Overriding Traffic Classes and Policing==== |
| | |
| | [[en:dpi:dpi_options:opt_shaping:shaping_session|Service 18 (Session-Based Policing)]] is used to override traffic classes (cs0 … cs7) and configure session-based policing for a specific subscriber. |
| | |
| | The profile defines the distribution of DPI protocols across traffic classes.\\ Classes are assigned individually for each subscriber. |
| | |
| | Format: |
| | <code>VasExperts-Service-Profile = "18:BP##profile_name#/share/#IMSI_number.dscp#IMSI_number.tbf"</code> |
| | |
| | where: |
| | * ''18'' — traffic class reclassification and per-session policing |
| | * ''BP'' — By Parameters |
| | * ''##profile_name'' — profile name, created dynamically, displayed in the GUI and CLI |
| | * ''#/share/'' — directory on fastPCEF. Accessible over the network; only the filename is passed, while the file itself is read from the original directory. Contains source (.txt) files (not converted to binary) for easy verification |
| | * ''#IMSI_number.dscp'' — protocol and traffic class mapping file. Determines which class (cs0 … cs7) the traffic is placed in. Supports the **drop** flag for blocking |
| | * ''#IMSI_number.tbf'' — a file containing session-level policing parameters. Sets policing rules for individual protocols. Used to limit speed at the session level |
| | |
| | Example: |
| | <code>VasExperts-Service-Profile =18:BP##250019500475292#/share/#250019500475292.dscp#250019500475292.tbf</code> |
| |
| ===== VasExperts-Enable-Service ===== | ===== VasExperts-Enable-Service ===== |
