Handling traffic by VLAN [Документация VAS Experts]
Документация VAS Experts Документация VAS Experts-mobile
in

Settings

  • Show page
  • Old revisions
  • Export to PDF
  • Fold/unfold all
  • Backlinks
  • Show page
  • Old revisions
  • Export to PDF
  • Fold/unfold all
  • Backlinks

    • Differences

    This shows you the differences between two versions of the page.

    Link to this comparison view

    Both sides previous revisionPrevious revision
    Next revision    		Previous revision
    en:dpi:dpi_components:platform:vlan_traffic_handling [2025/01/23 13:38] elena.krasnobryzhen:dpi:dpi_components:platform:vlan_traffic_handling [2025/11/20 11:54] (current) elena.krasnobryzh
    Line 1: Line 1:
     {{indexmenu_n>10}} {{indexmenu_n>10}}
    -======Handling traffic by VLAN======+====== Handling traffic by VLAN ====== 
     +<note warning>The ''vlan group'' data has been moved from UDR to SDR. Global rules for ''vlan drop'', ''vlan pass'', ''vlan hide'', ''vlan permit'', configured previously by the ''vlan group'' CLI command, have been converted and moved from UDR to SDR with removal from UDR.</note> 
     +  - Drop traffic without analysis from a specific VLAN:<code bash>fdpi_cli vlan rule add <id> perm drop</code> 
     +  - Drop traffic after preliminary analysis, but without sending it to NetFlow statistics from a specific VLAN (used for working with asymmetric traffic, when duplicated traffic from another site is delivered to the site. It is necessary to analyze and drop the traffic so that it does not get into statistics):<code bash>fdpi_cli vlan rule add <id> perm hide</code> 
     +  - Pass traffic without any analysis from a specific VLAN:<code bash>fdpi_cli vlan rule add <id> perm pass</code> 
     +  - Display existing settings in UDR: <code bash>fdpi_cli vlan rule dump</code>Example of command output:<code bash># fdpi_cli vlan rule dump  
     +1000  perm hide 
     +2000  perm drop 
     +3000  perm pass 
     +4000  perm hide 
     +</code>In this example, you can see that all protocols related to VLAN 1000 and 4000 fall under the ''hide'' rule, that is, traffic from one site is duplicated to another site; VLAN 2000 — traffic is dropped, VLAN 3000 — traffic is passed.
      
    -  - Drop traffic without analysis from a specific VLAN:<code bash>fdpi_cli vlan group <id> drop</code> +<note tip>For more detailssee [[en:dpi:bras_bng:bras_pppoe#configuring_service-name_for_vlan|Configuring Service-Name for VLAN]]</note>
    -  - Dropping traffic with preliminary analysisbut without transferring it to Netflow statistics from a specific VLAN (Used to deal with asymmetric traffic when a site receives a double of traffic from another site. It is necessary to analyze and drop the traffic so that it is not included in the statistics):<code bash>fdpi_cli vlan group <id> hide</code> +
    -  - Passing traffic without any analysis from a specific VLAN:<code bash>fdpi_cli vlan group <id> pass</code> +
    -  - Display existing settings in the UDR<code bash>fdpi_cli vlan group 0 show all</code>Example output of the command:<code bash>fdpi_cli vlan group 0 show all +
    -<proto> <vlan> <service-name> <policy> <delay> +
    -all 4000 *  hide 0 +
    -all 4002 *  hide 0 +
    -all 4003 *  hide 0</code>In this example, you can see that all protocols belonging to VLAN 4000, 4002, 4003 are affected by hide, that is, traffic from one site is duplicated to another site. +
    -  Output all properties for a group with a specific id:<code bash>fdpi_cli vlan group <id> show all</code>Here ''id'' is the number of the VLAN for which you want to output Service-Name information. +
      
    -<note tip>For more informationsee[[en:dpi:bras_bng:bras_pppoe#configuring_service-name_for_vlan|Configuring Service-Name for VLAN]]</note>+=====VLAN Rule===== 
     +VLAN Rule allows flexible management of network traffic at the VLAN and QinQ level, assigning specific packet processing policies for individual VLANs, VLAN ranges, or QinQ tunnels. 
     + 
     +====Rule Types==== 
     +The following rule types are supported: 
     + 
     +  * ''dhcp'' — controls the processing of DHCP requests. 
     +    * ''dhcp enable'' — allow processing of DHCP requests in this VLAN/QinQ. 
     +    * ''dhcp disable'' — prohibit DHCP processing. All DHCP packets in this VLAN/QinQ will be dropped. 
     +  * ''perm'' — defines the basic processing of all traffic in the VLAN/QinQ. 
     +    * ''drop'' — completely drop all packets. 
     +    * ''pass'' / ''accept'' — pass packets for further processing in the system. 
     +    * ''hide'' — (system-specific action, e.g., hide VLAN from broadcast queries). 
     + 
     +====Syntax for Describing VLAN/QinQ Ranges==== 
     +Rules apply to ranges specified in the following format: 
     +  * For a single VLAN: ''156'' 
     +  * For a VLAN range: ''56-78'' (VLANs 56 through 78 inclusive) 
     +  * For any VLAN: ''*'' or ''any'' 
     +  * For QinQ: 
     +    * ''67.*'' or ''67.any'' — S-VLAN=67any C-VLAN. 
     +    * ''*.68'' or ''any.68'' — any S-VLAN, C-VLAN=68. 
     +    * ''*.*'' or ''any.any'' — any QinQ. 
     +    * ''12-156.78-90'' — S-VLAN range [12..156], C-VLAN range [78..90]. 
     +    * ''609.1-199'' — S-VLAN=609, C-VLAN range [1..199]. 
     +<note important>Rules for regular VLANs (''67'') and QinQ (''67.*'') are independent and do not intersect.</note> 
     + 
     +====Rule Priority==== 
     +If the ranges of multiple rules intersect, the system determines the final action based on the principle "from general to specific": 
     +  - Rules with the broadest ranges (e.g., 1-4095 or any.any) are applied first. 
     +  - Rules with narrower ranges (e.g., 100-200) can then override the action set by general rules. 
     + 
     +**Example:**\\ 
     +The following rules will create a policy"Disable DHCP for all VLANs in the range 300-700, but enable it for VLAN 645 and the range 430-439"
     +<code bash> 
     +vlan rule add 300-700 dhcp disable 
     +vlan rule add 645 dhcp enable 
     +vlan rule add 430-439 dhcp enable 
     +</code> 
     + 
     +====Management==== 
     +  * ''vlan rule add'' — adding a new rule to SDR 
     +  * ''vlan rule modify'' — modifying an existing rule in SDR 
     +  * ''vlan rule delete'' — deleting a rule from SDR 
     +  * ''vlan rule show'' — shows all rules for the specified VLAN/QinQ 
     +  * ''vlan rule dump'' — outputs a dump of all rules in SDR 
     +  * ''vlan rule purge vlan''/''qinq''/''all'' — clears SDR VLAN/QinQ or both 
     +  * ''vlan rule apply'' — applies rules; by default, rules are applied 5 minutes after the last SDR modification 
     + 
     +<note important>When using ''*'' in CLI for QinQ ranges, it is recommended to enclose the expression in quotes (e.g., '' '*.68' '') or use the keyword ''any'' (e.g., ''any.68'') to avoid incorrect interpretation of the ''*'' character by the bash shell.</note> 
     + 
     +**Change Application Specifics:** Rule changes made by the ''add'', ''modify'', or ''delete'' commands are saved to SDR and automatically applied by the system 5 minutes after the last modification. The ''vlan rule apply'' command allows forcing their application, but no more than once per minute.