| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| en:dpi:dpi_components:platform:vlan_traffic_handling [2026/06/03 12:29] – elena.krasnobryzh | en:dpi:dpi_components:platform:vlan_traffic_handling [2026/06/03 13:19] (current) – elena.krasnobryzh |
|---|
| {{indexmenu_n>10}} | {{indexmenu_n>10}} |
| ======Traffic Processing by VLAN====== | ====== VLAN Traffic Handling ====== |
| | <note warning>The ''vlan group'' data has been moved from UDR to SDR. Global rules for ''vlan drop'', ''vlan pass'', ''vlan hide'', ''vlan permit'' previously set by the old CLI command ''vlan group'' have been converted and moved from UDR to SDR, being removed from UDR.</note> |
| | - Drop traffic without analysis from a specific VLAN:<code bash>fdpi_cli vlan rule add <id> perm drop</code> |
| | - Drop traffic with preliminary analysis but without passing it to Netflow statistics from a specific VLAN (Used for asymmetric traffic when a copy of traffic from another site is fed to the site. It is necessary to analyze and drop the traffic so that it does not end up in statistics):<code bash>fdpi_cli vlan rule add <id> perm hide</code> |
| | - Pass traffic without any analysis from a specific VLAN:<code bash>fdpi_cli vlan rule add <id> perm pass</code> |
| | - Display existing settings in UDR: <code bash>fdpi_cli vlan rule dump</code> To display rules of only a specific type (e.g., only ''perm''), the ''[type]'' parameter is used: <code bash>fdpi_cli vlan rule dump perm</code> Example command output: <code bash># fdpi_cli vlan rule dump |
| | 1000 perm hide |
| | 2000 perm drop |
| | 3000 perm pass |
| | 4000 perm hide |
| | </code> In this example, all protocols related to VLAN 1000 and 4000 are subject to hide, i.e., traffic from one site is duplicated to another site; VLAN 2000 — traffic is dropped, VLAN 3000 — traffic is passed. |
| |
| <note warning>The ''vlan group'' data has been moved from UDR to SDR. Global rules for ''vlan drop'', ''vlan pass'', ''vlan hide'', and ''vlan permit'' defined via the legacy ''vlan group'' CLI command have been converted and migrated from UDR to SDR, with removal from UDR.</note> | <note tip>For more details, see the section [[dpi:bras_bng:bras_pppoe#configuring_service-name_for_vlan|Configuring Service-Name for VLAN]]</note> |
| |
| - Drop traffic without analysis from a specific VLAN: <code bash>fdpi_cli vlan rule add <id> perm drop</code> | ===== VLAN Rule ===== |
| - Drop traffic with prior analysis but without NetFlow export from a specific VLAN (used for asymmetric traffic scenarios where duplicate traffic from another site is delivered to the node. Traffic must be analyzed and dropped so it does not enter statistics): <code bash>fdpi_cli vlan rule add <id> perm hide</code> | VLAN Rule allows flexible management of network traffic at the VLAN and QinQ level, assigning specific packet processing policies for individual VLANs, VLAN ranges, or QinQ tunnels. |
| - Pass traffic without any analysis from a specific VLAN: <code bash>fdpi_cli vlan rule add <id> perm pass</code> | |
| - Display current settings in SDR: <code bash>fdpi_cli vlan rule dump</code> | |
| |
| =====CLI update (vlan rule dump)===== | ==== Rule Types ==== |
| | |
| Added the ability to filter output by rule type: | |
| | |
| Format: | |
| <code bash>vlan rule dump [type]</code> | |
| | |
| ''type'' — rule type: ''perm'', ''dhcp'', ''all'' (default) | |
| | |
| Examples: | |
| <code bash>vlan rule dump perm</code> | |
| <code bash>vlan rule dump dhcp</code> | |
| <code bash>vlan rule dump</code> | |
| | |
| =====VLAN Rule===== | |
| | |
| VLAN Rule provides flexible traffic management at the VLAN and QinQ level, allowing assignment of packet processing policies for individual VLANs, VLAN ranges, or QinQ tunnels. | |
| | |
| ====Rule types==== | |
| The following rule types are supported: | The following rule types are supported: |
| |
| * ''dhcp'' — controls DHCP request processing. | * ''dhcp'' — controls DHCP request processing. |
| * ''dhcp enable'' — allow DHCP processing in this VLAN/QinQ. | * ''dhcp enable'' — allow DHCP request processing in this VLAN/QinQ. |
| * ''dhcp disable'' — disable DHCP processing. All DHCP packets in this VLAN/QinQ will be dropped. | * ''dhcp disable'' — disable DHCP processing. All DHCP packets in this VLAN/QinQ will be dropped. |
| | * ''perm'' — defines basic processing of all traffic in VLAN/QinQ. |
| | * ''drop'' — completely discard all packets. Packets do not undergo further processing and do not go to Netflow statistics. |
| | * ''pass'' — pass packets without processing. Packets are counted in Netflow statistics. |
| | * ''accept'' — pass packets for further full processing in the system. Packets are counted in Netflow statistics. |
| | * ''hide'' — the packet goes through internal processing stages (with exceptions), but after processing it is always discarded. At the same time: |
| | * the packet does not go to Netflow statistics; |
| | * services 9, 12, 15, 18, NAT, as well as policing (general and channel) are not applied; |
| | * the packet is not written via ajb — to IPFIX, SIP, FTP, etc. |
| | * ''pppoe'' — controls PPPoE packet processing. Filtering by Service-Name is supported, including for QinQ tunnels. The following actions are available: |
| | * ''enable'' — allow PPPoE processing. |
| | * ''drop'' — drop PPPoE packets. |
| | * ''pass'' — pass PPPoE packets through without processing. |
| | * ''delay N'' — establish a PPPoE session with a delay of N seconds (0 < N < 16).\\ Rules can be specified both for all PPPoE traffic in a VLAN/QinQ range and for a specific Service-Name. |
| |
| * ''perm'' — defines the base processing behavior for all traffic in a VLAN/QinQ. | ==== Syntax for VLAN/QinQ Range Description ==== |
| * ''drop'' — fully drop all packets. Packets are not processed further and are not included in NetFlow statistics. | Rules apply to ranges specified in the following format: |
| * ''pass'' — pass packets without processing. Packets are included in NetFlow statistics. | * For a single VLAN: ''156'' |
| * ''accept'' — pass packets for full system processing. Packets are included in NetFlow statistics. | * For a VLAN range: ''56-78'' (VLANs 56 through 78 inclusive) |
| * ''hide'' — packets go through internal processing stages (with exceptions) but are dropped after processing. In this case: | * For any VLAN: ''*'' or ''any'' |
| * packets are not included in NetFlow statistics; | * For QinQ: |
| * services 9, 12, 15, 18, NAT, and policing (global and per-channel) are not applied; | * ''67.*'' or ''67.any'' — S-VLAN=67, any C-VLAN. |
| * packets are not recorded via ajb — IPFIX, SIP, FTP, etc. | * ''*.68'' or ''any.68'' — any S-VLAN, C-VLAN=68. |
| | * ''*.*'' or ''any.any'' — any QinQ. |
| | * ''12-156.78-90'' — S-VLAN range [12..156], C-VLAN range [78..90]. |
| | * ''609.1-199'' — S-VLAN=609, C-VLAN range [1..199]. |
| | <note important>Rules for ordinary VLANs (''67'') and QinQ (''67.*'') are independent and do not overlap.</note> |
| |
| ====PPPoE support (VLAN Rule)==== | **Service-Name Support for QinQ** |
| PPPoE traffic processing support has been added to VLAN rules. | Rules with Service-Name work correctly for QinQ: |
| | * Rules without selectivity by CVLAN: ''SVLAN.*'' with or without Service-Name. |
| | * Full QinQ (''SVLAN.CVLAN'') with selectivity by Service-Name. |
| |
| PPPoE rules: | ==== Rule Priority ==== |
| | If ranges of several rules overlap, the system determines the resulting action based on the "general to specific" principle: |
| | - First, rules with the broadest ranges (e.g., 1-4095 or any.any) are applied. |
| | - Then rules with narrower ranges (e.g., 100-200) can override the action set by the general rules. |
| |
| <code bash> | **Example:**\\ |
| vlan rule add <Range> pppoe [enable | drop | pass | delay N] | The following rules will create the policy: "Disable DHCP for all VLANs in the range 300-700, but enable it for VLAN 645 and the range 430-439". |
| </code> | |
| | |
| PPPoE rules with Service-Name filtering: | |
| | |
| <code bash> | |
| vlan rule add <Range> pppoe sname <Service-Name> [enable | drop | pass | delay N] | |
| </code> | |
| | |
| Permissions: | |
| * ''enable'' — allow PPPoE processing | |
| * ''drop'' — drop PPPoE packets | |
| * ''pass'' — pass PPPoE packets without processing | |
| * ''delay N'' — establish PPPoE session with N-second delay (0 < N < 16) | |
| | |
| ====VLAN/QinQ range syntax==== | |
| Rules are applied to ranges defined as follows: | |
| * Single VLAN: ''156'' | |
| * VLAN range: ''56-78'' | |
| * Any VLAN: ''*'' or ''any'' | |
| * QinQ: | |
| * ''67.*'' or ''67.any'' — S-VLAN=67, any C-VLAN | |
| * ''*.68'' or ''any.68'' — any S-VLAN, C-VLAN=68 | |
| * ''*.*'' or ''any.any'' — any QinQ | |
| * ''12-156.78-90'' — S-VLAN range [12..156], C-VLAN range [78..90] | |
| * ''609.1-199'' — S-VLAN=609, C-VLAN range [1..199] | |
| | |
| <note important>Rules for regular VLAN (''67'') and QinQ (''67.*'') are independent and do not overlap.</note> | |
| | |
| ====Rule priority==== | |
| If rule ranges overlap, the system determines the final action using a "from general to specific" approach: | |
| - First, rules with the widest ranges are applied (e.g., 1-4095 or any.any) | |
| - Then more specific rules may override them | |
| | |
| **Example:** | |
| <code bash> | <code bash> |
| vlan rule add 300-700 dhcp disable | vlan rule add 300-700 dhcp disable |
| </code> | </code> |
| |
| ====Management==== | ==== Management ==== |
| * ''vlan rule add'' — add a new rule to SDR | * ''vlan rule add'' — add a new rule to SDR.\\ Syntax for PPPoE: |
| * ''vlan rule modify'' — modify an existing rule in SDR | * Adding a rule for all PPPoE traffic in a range: <code bash>vlan rule add <Range> pppoe [enable | drop | pass | delay N]</code> |
| * ''vlan rule delete'' — delete a rule from SDR | * Adding a rule for a specific Service-Name: <code bash>vlan rule add <Range> pppoe sname <Service-Name> [enable | drop | pass | delay N]</code> Here ''<Service-Name>'' is the PPPoE Service-Name in single or double quotes (quotes can be omitted if it is an identifier: ''[a-zA-Z_][a-zA-Z_0-9]*''). |
| * ''vlan rule show'' — display all rules for a VLAN/QinQ | * ''vlan rule modify'' — modify an existing rule in SDR (similar syntax). |
| * ''vlan rule dump'' — output rules from SDR | * ''vlan rule delete'' — delete a rule from SDR. |
| * ''vlan rule purge vlan/qinq/all'' — clear VLAN/QinQ rules in SDR or both | * ''vlan rule show'' — displays all rules for the specified VLAN/QinQ. The output shows not only the general PPPoE actions but also all permissions for individual Service-Name. |
| * ''vlan rule apply'' — force rule application (no more than once per minute) | * ''vlan rule dump'' — dumps all rules in SDR. To filter output by rule type, the ''[type]'' parameter is used (e.g., ''vlan rule dump perm''). |
| | * ''vlan rule purge vlan''/''qinq''/''all'' — clear SDR VLAN/QinQ or both. |
| | * ''vlan rule apply'' — apply rules; by default, rules are applied 5 minutes after the last SDR modification. |
| | |
| | <note important>When using ''*'' in the CLI for QinQ ranges, it is recommended to enclose the expression in quotes (e.g., '' '*.68' '') or use the keyword ''any'' (e.g., ''any.68'') to avoid incorrect interpretation of the ''*'' character by the bash shell.</note> |
| |
| <note important> | **Change application specifics:** Changes to rules made with ''add'', ''modify'', or ''delete'' are saved in SDR and automatically applied by the system 5 minutes after the last modification. The ''vlan rule apply'' command allows you to apply them forcefully, but no more than once per minute. |
| When using ''*'' in CLI for QinQ ranges, it is recommended to enclose expressions in quotes or use ''any''. | |
| </note> | |
| |
| **Change application behavior:** changes are stored in SDR and automatically applied after 5 minutes since the last modification. | ==== Using VLAN Rule in BALANCER ==== |
| | VLAN rules can also be used by the **BALANCER** component for packet filtering. This allows, at the traffic balancing stage, to filter out unwanted VLAN/QinQ before they reach the main processing modules. |
