Table of Contents
Traffic termination
Activation
The FastDPI BRAS can terminate the outgoing LAN→WAN traffic and to interconnect the incoming WAN→LAN traffic.
Traffic termination is performed at the L2 level and is enabled by the following settings in the fastdpi.conf file:
bras_terminate_l2=1 bras_gateway_ip=192.168.0.1 bras_gateway_mac=aa:bb:cc:dd:ee:ff
bras_terminate_l2 specifies:
- 1 - enabled
- 0 - disabled.
When the L2 termination mode is enabled, the parameters of the border/gateway behind the fastDPI should be specified:
bras_gateway_ip- gateway IP addressbras_gateway_mac- gateway MAC address
For the incoming (from inet) packages: srcMAC = bras_arp_mac, dstMAC = subscriber MAC address. The MAC address of a subscriber is determined by its IP; if it can not be determined the packet will be dropped.
VLAN tags
Also, termination means that the VLAN tags of outgoing packets will be removed, instead the traffic origination imply adding VLAN tags corresponding to the destination IP-address.
The VLAN traffic termination mode is enabled by the bras_vlan_terminate configuration option. If it equals to 0 (it corresponds to the default value) – VLAN termination is disabled, is it is non-zero value – termination is enabled. The following VLAN termination modes are available:
bras_vlan_terminate=1– “honest” termination – VLAN tags are cut from the packetsbras_vlan_terminate=2– VLAN tags substitutionbras_vlan_terminate=3– VLAN tags conversion (the Stingray Service Gateway version 7.4 and above)
The L2 termination and VLAN termination modes can be used independently of each other.
It is possible to specify for a specific subscriber in which VLAN to terminate its packets on the subs → inet path. To do this, in the Access-Accept authorization response, add the VasExperts-OutVLAN VSA attribute, which specifies the VLAN tag (only one). The VasExperts-OutVLAN VSA has the following assignment:
ATTRIBUTE VasExperts-OutVLAN 9 integer
If the subscriber has the outVLAN property, it has the highest priority in bras_vlan_terminate modes 2 and 3.
term. For incoming traffic, its origination is performed only if the AS for the destination IP (the gray one, i.e. besides the NAT) is marked as term.
Termination at L3 Authorization
New 9.2 version of SSG allows to indicate at L3-authorization that the subscriber is actually L2 and it is possible to apply L2-termination to him. To do this, you have to specify VSA-attribute in the L3-authorization Access-Accept response.
VasExperts-L2-User=1
In this case SSG saves the subscriber’s L2-properties in the UDR (his MAC, VLANs) from the incoming package and will process such subscriber as an L2, - handle the termination and operating his traffic.
The attribute VasExperts-L2-User=1 is used only for L3-authorization. This attribute is ignored in all the other authorization types (DHCP, ARP, PPPoE, etc), and is not considered a mistake.
In the output of the fdpi_ctrl list --ip_prop such subscribers will be marked with the special type "L3-auth". If the subscriber is already authorized by DHCP, ARP or PPPoE, specifying VasExperts-L2-User=1 will not change his session type to "L3-auth". That is, the "L3-auth" type is the least priority.
If the subscriber in SSG UDR is "L3-auth" (meaning that in L3-authorization Access-Accept response previously indicated VasExperts-L2-User=1, and the next L3 authorization does not contain this attribute), then DPI considers the subscriber cannot be terminated anymore and removes his L2-properties (MAC, VLAN) from the UDR.