====== Traffic termination ======
{{indexmenu_n>5}}
===== Activation =====
The FastDPI BRAS can terminate the outgoing LAN->WAN traffic and to interconnect the incoming WAN->LAN traffic.
Traffic termination is performed at the L2 level and is enabled by the following settings in the **fastdpi.conf** file:
bras_terminate_l2=1
bras_gateway_ip=192.168.0.1
bras_gateway_mac=aa:bb:cc:dd:ee:ff
''bras_terminate_l2'' specifies:
* 1 - enabled
* 0 - disabled.
When the L2 termination mode is enabled, the parameters of the border/gateway behind the fastDPI should be specified:
* ''bras_gateway_ip'' - gateway IP address
* ''bras_gateway_mac'' - gateway MAC address
When L2-termination is enabled, all the L2 headers of outgoing packets will contain:
srcMAC =[[en:dpi:bras_bng:bras_l2_vlan:bras_l2_vlan_arp_proxy|bras_arp_mac]], dstMAC=bras_gateway_mac.
For the incoming (from inet) packages: srcMAC = bras_arp_mac, dstMAC = subscriber MAC address. The MAC address of a subscriber is determined by its IP; if it can not be determined the packet will be dropped.
{{ :dpi:bras_bng:bras_l2_vlan_term:termination_l2.png?nolink&600 |}}
===== VLAN tags =====
Also, termination means that the VLAN tags of outgoing packets will be removed, instead the traffic origination imply adding VLAN tags corresponding to the destination IP-address.
The VLAN traffic termination mode is enabled by the ''bras_vlan_terminate'' configuration option. If it equals to 0 (it corresponds to the default value) – VLAN termination is disabled, is it is non-zero value – termination is enabled. The following VLAN termination modes are available:
* ''bras_vlan_terminate=1'' – __[[en:dpi:bras_bng:bras_l2_vlan_term:bras_l2_vlan_term_cut|“honest” termination]]__ – VLAN tags are cut from the packets
* ''bras_vlan_terminate=2'' – __[[en:dpi:bras_bng:bras_l2_vlan_term:bras_l2_vlan_term_zero|VLAN tags substitution]]__
* ''bras_vlan_terminate=3'' – __[[en:dpi:bras_bng:bras_l2_vlan_term:bras_l2_vlan_term_trans|VLAN tags conversion]]__ (the Stingray Service Gateway version 7.4 and above)
The L2 termination and VLAN termination modes can be used independently of each other.
{{anchor:outvlan}}
It is possible to specify for a specific subscriber in which VLAN to terminate its packets on the subs → inet path. To do this, in the ''Access-Accept'' authorization response, add the ''VasExperts-OutVLAN'' VSA attribute, which specifies the VLAN tag (only one). The VasExperts-OutVLAN VSA has the following assignment:
ATTRIBUTE VasExperts-OutVLAN 9 integer
If the subscriber has the outVLAN property, it has the highest priority in ''bras_vlan_terminate'' modes 2 and 3.
The SSG 7.4+: [[en:dpi:bras_bng:bras_l2_vlan_term:bras_l2_vlan_term_as|AS termination]] mode is added: in this mode, termination is performed only if the AS for the source IP is marked as ''term''. For incoming traffic, its origination is performed only if the AS for the destination IP (the gray one, i.e. besides the NAT) is marked as ''term''.
SSG 9.3+: You can find the details of VLAN termination compatibility with [[en:dpi:dpi_components:platform:dpi_vlan_recode|VLAN translation]] right [[en:dpi:dpi_components:platform:dpi_vlan_recode#l2_bras_compat|here]]
===== Termination at L3 Authorization =====
New 9.2 version of SSG allows to indicate at [[en:dpi:bras_bng:general_setup#fastdpi_l3_bras_setup|L3-authorization]] that the subscriber is actually L2 and it is possible to apply L2-termination to him. To do this, you have to specify VSA-attribute in the L3-authorization [[en:dpi:bras_bng:radius_integration:radius_auth_server_integration:radius_auth_response:radius_auth_access_accept|Access-Accept]] response.
VasExperts-L2-User=1
In this case SSG saves the subscriber’s L2-properties in the UDR (his MAC, VLANs) from the incoming package and will process such subscriber as an L2, - handle the termination and operating his traffic.
The attribute ''VasExperts-L2-User=1'' is used only for L3-authorization. This attribute is ignored in all the other authorization types (DHCP, ARP, PPPoE, etc), and is not considered a mistake.
In the output of the [[en:dpi:bras_bng:cli:bras_l2_vlan_ctl|fdpi_ctrl list --ip_prop]] such subscribers will be marked with the special type "L3-auth". If the subscriber is already authorized by DHCP, ARP or PPPoE, specifying ''VasExperts-L2-User=1'' will not change his session type to "L3-auth". That is, the "L3-auth" type is the least priority.
If the subscriber in SSG UDR is "L3-auth" (meaning that in L3-authorization ''Access-Accept'' response previously indicated ''VasExperts-L2-User=1'', and the next L3 authorization does not contain this attribute), then DPI considers the subscriber cannot be terminated anymore and removes his L2-properties (MAC, VLAN) from the UDR.