Intelligent Traffic Control


Intelligent Traffic Control
 
 
The product administration guides provide examples and procedures to configure basic services on the system. It is recommended that you select the configuration example that best meets your service model, and configure the required elements for that model before using the procedures in this chapter.
Important: Intelligent Traffic Control is only available if you have purchased and installed a feature license Intelligent Traffic Controlon your system. If you have not previously purchased this enhanced feature, contact your sales representative for more information.
This chapter covers the following topics:
 
 
Overview
Intelligent Traffic Control (ITC) enables you to configure a set of customizable policy definitions that enforce and manage service level agreements for a subscriber profile, thus enabling you to provide differentiated levels of services for native and roaming subscribers.
 
In 3GPP2 service ITC uses a local policy look-up table and permits either static EV-DO Rev 0 or dynamic EV-DO Rev A policy configuration.
Important: ITC includes the class-map, policy-map and policy-group commands. Currently ITC does not include an external policy server interface.
ITC provides per-subscriber/per-flow traffic policing to control bandwidth and session quotas. Flow-based traffic policing enables the configuring and enforcing bandwidth limitations on individual subscribers, which can be enforced on a per-flow basis on the downlink and the uplink directions.
Flow-based traffic policies are used to support various policy functions like Quality of Service (QoS), and bandwidth, and admission control. It provides the management facility to allocate network resources based on defined traffic-flow, QoS, and security policies.
 
ITC and EV-DO Rev A in 3GPP2 Networks
 
Important: The EV-DO Rev A features are only available if you have purchased and installed the session use EV-DO Rev A PDSN License on your system. If you have not previously purchased this enhanced feature, contact your sales representative for more information.
You can configure your system to support both EV-DO Rev A and ITC. ITC uses flow-based traffic policing to configure and enforce bandwidth limitations per subscriber. Enabling EV-DO Rev A with ITC allows you to control the actual level of bandwidth that is allocated to individual subscriber sessions and the application flows within the sessions.
For more information on EV-DO Rev A, refer to the Policy-Based Management and EV-DO Rev A chapter. For setting the DSCP parameters to control ITC functionality, refer to the Traffic Policy-Map Configuration Mode Commands chapter in the Command Line Reference.
 
Bandwidth Control and Limiting
Bandwidth control in ITC controls the bandwidth limit, flow action, and charging action for a subscriber, application, and source/destination IP addresses. This is important to help limit bandwidth intensive applications on a network. You can configure ITC to trigger an action to drop, lower-ip-precedence, or allow the flow when the subscriber exceeds the bandwidth usage they have been allotted by their policy.
 
How it Works
ITC enables you to configure traffic policing on a per-subscriber/per-flow basis with the potential to manipulate Differentiated Services Code Points (DSCPs), queue redirection (for example, move traffic to a Best Effort (BE) classification), or drop profile traffic.
In flow-based traffic policies, policy modules interact with the system through a set of well defined entry points, provide access to a stream of system events, and permit the defined policies to implement functions such as access control decisions, QoS enforcement decisions, etc.
Traffic policing can be generally defined as
policy: condition >> action
 
condition: Specifies the flow-parameters like source-address, destination-address, source-port, destination-port, protocol, etc. for ingress and/or egress packet.
action: Specifies a set of treatments for flow/packet when condition matches. Broadly these actions are based on:
Refer to the Traffic Policing and Shaping chapter for more information on Token Bucket Algorithm.
 
Configuring Flow-based Traffic Policing
Traffic Policing is configured on a per-subscriber basis for either locally configured subscribers on the system or subscriber profiles configured on a remote RADIUS server.
Flow-based traffic policy is configured on the system with the following building blocks:
 
This section provides instructions for configuring traffic policies and assigning to local subscriber profiles on the system.
For information on how to configure subscriber profiles on a remote RADIUS server, refer to the StarentVSA and StarentVSA1 dictionary descriptions in the AAA Interface Administration and Reference.
Important: This section provides the minimum instruction set for configuring flow-based traffic policing on an AGW service. Commands that configure additional properties are provided in the Command Line Interface Reference.
These instructions assume that you have already configured the system-level configuration as described in product administration guide.
To configure the flow-based traffic policing on an AGW service:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Save your configuration as described in the Verifying and Saving Your Configuration chapter.
 
Configuring Class Maps
This section describes how to configure Class Maps on the system to support Flow-based Traffic Policing.
Important: In this mode classification match rules added sequentially with match command to form a Class-Map. To change and/or delete or re-add a particular rule user must delete specific Class-Map and re-define it.
configure
  context <vpn_context_name> [ -noconfirm ]
     class-map name <class_name> [ match-all | match-any ]
        match src-ip-address <src_ip_address> [ <subnet_mask> ]
        match dst-ip-address <dst_ip_address> [ <subnet_mask> ]
        match source-port-range <initial_port_number> [ to <last_port_number> ]
        match dst-port-range <initial_port_number> [ to <last_port_number> ]
        match protocol [ tcp | udp | gre | ip-in-ip ]
        match ip-tos <service_value>
        match ipsec-spi <index_value>
        match packet-size [ gt | lt ] <size>
        end
Notes:
<vpn_context_name> is the name of the destination context in which you want to configure the flow-based traffic policing.
<class_name> is the name of the traffic class to map with the flow for the flow-based traffic policing. A maximum of 32 class-maps can be configured in one context.
For description and variable values of these commands and keywords, refer to the Class-Map Configuration Mode Commands chapter of the Command Line Interface Reference.
 
Configuring Policy Maps
This section provides information and instructions for configuring the policy maps on the system to support flow-based traffic policing.
configure
  context <vpn_context_name>
     policy-map name <policy_name>
        class <class_name>
        type { static | dynamic }
        access-control { allow | discard }
        qos traffic-police committed <bps> peak <bps> burst-size <byte> exceed-action { drop | lower-ip-precedence | allow } violate-action { drop | lower-ip-precedence | allow }
        qos encaps-header dscp-marking [ copy-from-user-datagram | <dscp_code> ]
        end
Notes:
 
<vpn_context_name> is the name of the destination context in which is configured during Class-Map configuration for flow-based traffic policing.
<policy_name> is the name of the traffic policy map you want to configure for the flow-based traffic policing. A maximum of 32 policy maps can be configured in one context.
<class_name> is the name of the traffic class to map that you configured in Configuring Class Maps section for the flow-based traffic policing.
For description and variable values of these commands and keywords, refer to the Traffic Policy-Map Configuration Mode Commands chapter of the Command Line Interface Reference.
 
Configuring Policy Groups
This section provides information and instructions for configuring the policy group in a context to support flow-based traffic policing.
configure
  context <vpn_context_name>
     policy-group name <policy_group>
        policy <policy_map_name> precedence <value>
        end
Notes:
 
<vpn_context_name> is the name of the destination context which is configured during Class-Map configuration for flow-based traffic policing.
<policy_group> is name of the traffic policy group of policy maps you want to configure for the flow-based traffic policing. A maximum of 32 policy groups can be configured in one context.
<policy_map_name> is name of the traffic policy you configured in Configuring Policy Maps section for the flow-based traffic policing. A maximum of 16 Policy Maps can be assigned in a Policy Group.
For description and variable values of these commands and keywords, refer to the Traffic Policy-Map Configuration Mode Commands chapter of the Command Line Interface Reference.
 
Configuring a Subscriber for Flow-based Traffic Policing
This section provides information and instructions for configuring the subscriber for Flow-based Traffic Policing.
 
configure
  context <vpn_context_name>
     subscriber name <user_name>
        policy-group <policy_group> direction [ in | out ]
        end
Notes:
 
<vpn_context_name> is the name of the destination context configured during Class-Map configuration for flow-based traffic policing.
<user_name> is the name of the subscriber profile you want to configure for the flow-based traffic policing.
<policy_group> is name of the traffic policy group you configured in Configuring Policy Groups section for the flow-based traffic policing. A maximum of 16 Policy groups can be assigned to a subscriber profile.
For description and variable values of these commands and keywords, refer to the Traffic Policy-Group Configuration Mode Commands chapter of the Command Line Interface Reference.
 
Verifying Flow-based Traffic Policing Configuration
Step 1
The output of this command displays flow-based information for a subscriber session.
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883