Appendix A Sample Content Filtering Service Configuration

Appendix A
Sample Content Filtering Service Configuration
 
This appendix includes the following sample configuration files for Content Filtering within an ECS service:
 
URL Blacklisting Configuration
This section presents a sample configuration file with URL Blacklisting configuration within an ECS service. The addresses, keys and passwords in the listing are placeholders, and the file illustrates the URL Blacklisting commands rather than a hardened baseline: the local context leaves telnetd, ftpd and tftpd enabled alongside sshd, and SNMP uses the default public and private community strings with version 2c. Note also that the acl1 redirect in context dest names a css service srv1, while the active-charging service defined in this sample is bl_service, so the two names appear to need reconciling before the sample is reused.
 
config
  license key "\
VER=1|C1M=SanDiskSDCFJ-4096|C1S=016816D2597X4624|C2M=SanDiskSDCFJ-4096\
FAA=Y|FCP=Y|LCF=30000|SIG=MC0CFQC2Zp+qSGqGR+VQ5QdhkHksZgXxgAIUN7+bT/OL\
qeFwAMiJbb4acy33JsU"
  aaa large-configuration
  timestamps
  autoconfirm
  clock timezone asia-calcutta
  crash enable encrypted url 01abc234d56e7f8g01abc234d56e7f8g
  card 1
     mode active psc
  #exit
  card 2
     mode active psc
  #exit
  card 3
     mode active psc
  #exit
  require session recovery
  require active-charging
  require diameter-proxy multiple
  context local
     interface spio
        ip address 1.2.3.4 255.255.255.0
     #exit
     server ftpd
     #exit
     ssh key f22330a765e10f40001920bf01dbf89a224dd8f09fe8d1598751401cb392f3c062f859a4335cb92f4a352a4686dcea99e4740be8a0063da1c657c560991ec87ce06728 len 461
     server sshd
        subsystem sftp
     #exit
     server telnetd
     #exit
     server tftpd
     #exit
     subscriber default
     exit
     administrator administrator encrypted password 123abc456def789gh ftp
     aaa group default
     #exit
     gtpp group default
     #exit
     ip route 0.0.0.0 0.0.0.0 1.2.3.4 spio
     ip domain-lookup
     ip domain-name ind.star.com
     ip name-servers 1.2.3.4
  #exit
  port ethernet 24/1
     no shutdown
     bind interface spio local
  #exit
  ntp
     enable
     server 1.2.3.4
  #exit
  snmp community private read-only
  snmp community public read-only
  snmp target abc1 1.2.3.4 port 162 security-name public version 2c traps
  active-charging service bl_service
     ruledef clwap-dst
        udp dst-port = 9200
        rule-application routing
     #exit
     ruledef clwap-src
        udp src-port = 9200
        rule-application routing
     #exit
     ruledef cowap-dst
        udp dst-port = 9201
        rule-application routing
     #exit
     ruledef cowap-src
        udp src-port = 9201
        rule-application routing
     #exit
     ruledef default
        ip any-match = TRUE
     #exit
     ruledef ftp-ctrl-dst
        tcp dst-port = 21
        rule-application routing
     #exit
     ruledef ftp-ctrl-src
        tcp src-port = 21
        rule-application routing
     #exit
     ruledef ftp-data-dst
        tcp dst-port = 20
        rule-application routing
     #exit
     ruledef ftp-data-src
        tcp src-port = 20
        rule-application routing
     #exit
     ruledef handshake
        tcp payload-length = 0
        tcp any-match = TRUE
        tcp flag !contains fin
        tcp flag !contains reset
     #exit
     ruledef http-dst
        tcp dst-port = 80
        rule-application routing
     #exit
     ruledef http-get
        http request method = get
     #exit
     ruledef http-pkts
        http any-match = TRUE
     #exit
     ruledef http-proxy-dst
        tcp dst-port = 3128
        rule-application routing
     #exit
     ruledef http-proxy-src
        tcp src-port = 3128
        rule-application routing
     #exit
     ruledef http-route
        tcp either-port = 80
        rule-application routing
     #exit
     ruledef http-src
        tcp src-port = 80
     #exit
     ruledef http-wap2-dst
        tcp dst-port = 8799
        rule-application routing
     #exit
     ruledef http-wap2-src
        tcp src-port = 8799
        rule-application routing
     #exit
     ruledef https-dst
        tcp dst-port = 443
        rule-application routing
     #exit
     ruledef https-src
        tcp src-port = 443
        rule-application routing
     #exit
     ruledef pop3-dst
        tcp dst-port = 110
        rule-application routing
     #exit
     ruledef pop3-src
        tcp src-port = 110
        rule-application routing
     #exit
     ruledef rtsp-dst
        tcp dst-port = 554
        rule-application routing
     #exit
     ruledef rtsp-src
        tcp src-port = 554
        rule-application routing
     #exit
     ruledef rule2
        http uri starts-with http://1.2.3.4/test/service/2000/
     #exit
     ruledef rule3
        http uri starts-with http://1.2.3.4/test/service/3000/
     #exit
     ruledef rule4
        http uri starts-with http://1.2.3.4/test/service/4000/
     #exit
     ruledef rule5
        http uri starts-with http://1.2.3.4/test/service/5000/
     #exit
     ruledef rule6
        http uri starts-with http://1.2.3.4/test/service/6000/
     #exit
     ruledef rule7
        http uri starts-with http://1.2.3.4/test/service/7000/
     #exit
     ruledef rule8
        http uri starts-with http://1.2.3.4/test/service/8000/
     #exit
     ruledef rule9
        http uri starts-with http://1.2.3.4/test/service/9000/
     #exit
     ruledef sdp_route
        sip content type = application/sdp
        rule-application routing
     #exit
     ruledef sip-dst
        udp dst-port = 5060
        rule-application routing
     #exit
     ruledef sip-src
        udp src-port = 5060
        rule-application routing
     #exit
     ruledef smtp-dst
        tcp dst-port = 25
        rule-application routing
     #exit
     ruledef smtp-src
        tcp src-port = 25
        rule-application routing
     #exit
     ruledef tcp
        ip protocol = 6
        rule-application routing
     #exit
     ruledef udp
        ip protocol = 17
        rule-application routing
     #exit
     charging-action standard
        content-id 10
        retransmissions-counted
     #exit
     url-blacklisting method exact-match
     rulebase rulebase1
        action priority 1 ruledef http-get charging-action standard
        action priority 65000 ruledef default charging-action standard
        url-blacklisting action discard
        route priority 80 ruledef http-route analyzer http
        no transport-layer-checksum verify-during-packet-inspection
     #exit
     rulebase default
     #exit
  #exit
  context source
     interface chassis1_2_CLIENT
        ip address 1.2.3.4 255.255.255.0
        ip address 1.2.3.5 255.255.255.255 secondary
        ip address 1.2.3.6 255.255.255.255 secondary
     #exit
     interface chassis1_2_RADIUS
        ip address 1.2.3.4 255.255.255.0
     #exit
     subscriber default
        ip access-group acl1 in
        ip access-group acl1 out
        ip context-name dest
        active-charging rulebase rulebase1
     exit
     aaa group default
        radius attribute nas-ip-address address 1.2.3.4
        radius server 1.2.3.4 encrypted key 01abc234d56e7f8g port 1812
        radius accounting server 1.2.3.4 encrypted key 01abc234d port 1813
     #exit
     gtpp group default
     #exit
     ha-service HA
        mn-ha-spi spi-number 1000 encrypted secret 01abc234d56e7f8g hash-algorithm md5
        fa-ha-spi remote-address 1.2.3.4 spi-number 256 encrypted secret 01abc234d56e7f8g hash-algorithm md5
        fa-ha-spi remote-address 1.2.3.4 spi-number 256 encrypted secret 01abc234d56e7f8g hash-algorithm md5
        no reg-lifetime
        bind address 1.2.3.4
     #exit
     edr-module active-charging-service
     #exit
     ip igmp profile default
     #exit
  #exit
  context dest
     ip access-list acl1
        redirect css service srv1   any
     #exit
     ip pool callgen_A11 1.2.3.4 255.255.0.0 static
     ip pool callgen_B11 1.2.3.5 255.255.0.0 static
     ip pool dpool00 1.2.3.6 255.255.0.0 public 0
     ip pool dpool01 1.2.3.7 255.255.0.0 public 0
     interface chassis1_2_SERVER
        ip address 1.2.3.4 255.255.255.0
     #exit
     subscriber default
     exit
     aaa group default
     #exit
     gtpp group default
     #exit
     ip igmp profile default
     #exit
  #exit
  port ethernet 17/1
     no shutdown
     vlan 4000
        no shutdown
        bind interface chassis1_2_SERVER dest
     #exit
  #exit
  port ethernet 18/1
     no shutdown
     vlan 2000
        no shutdown
        bind interface chassis1_2_CLIENT source
     #exit
     vlan 3000
        no shutdown
        bind interface chassis1_2_RADIUS source
     #exit
  #exit
  port ethernet 18/5
     no shutdown
  #exit
  port ethernet 18/6
     no shutdown
  #exit
  port ethernet 18/7
     no shutdown
  #exit
  port ethernet 18/8
     no shutdown
  #exit
  port ethernet 19/1
     no shutdown
  #exit
  task facility sessmgr start aggressive
  task facility acsmgr start aggressive
end
Category-based Content Filtering Configuration
This section presents a sample configuration file with Category-based Content Filtering configuration within an ECS service. The addresses, keys and passwords in the listing are placeholders, and the file illustrates the Category-based Content Filtering commands rather than a hardened baseline: the aaa group in context test_src carries its RADIUS keys in clear text (key secret), and telnetd, ftpd and tftpd remain enabled in the local context. Note that every category in content-filtering policy-id 4 is set to action allow with edr web-hit, so rulebase2 only records an EDR per hit and does not block any category.
 
config
  license key "\
VER=1|C1M=SanDiskSDCFJ-4096|C1S=016816D2597X4624|C2M=SanDiskSDCFJ-4096\
FAA=Y|FCP=Y|LCF=30000|SIG=MC0CFQC2Zp+qSGqGR+VQ5QdhkHksZgXxgAIUN7+bT/OL"
  aaa large-configuration
  timestamps
  autoconfirm
  clock timezone asia-calcutta
  crash enable encrypted url 90b248ca778edc0db4a55318525bc
  card 1
     mode active psc
  #exit
  card 2
     mode active psc
  #exit
  card 3
     mode active psc
  #exit
  card 4
     mode active psc
  #exit
  require session recovery
  content-filtering category database directory path /flash/cf/
  require active-charging content-filtering category static-and-dynamic
  context local
     interface spio
        ip address 1.2.3.4 255.255.255.0
     #exit
     server ftpd
     #exit
     ssh key f22330a765e10f40001920bf01dbf89a224dd8f09fe8d1598751401cb392f3c062f859a59520b1a8f0684335cb92f4a352a4686dcea99e4740be8a0063da1c657c5609 len 006
    ssh key 75f41778bab0a173ee6e4e79c1026389918dca8b9f4701078f6841add6a81a669d183107638abac6c0de03f606736334e1f5ee618dc370636824c0c8aaffc96050ecb88 len 007 type v2-dsa
     server sshd
        subsystem sftp
     #exit
     server telnetd
     #exit
     server tftpd
     #exit
     subscriber default
     exit
     administrator test encrypted password abc123def456ghi789 ftp
     aaa group default
     #exit
     gtpp group default
     #exit
     ip route 0.0.0.0 0.0.0.0 2.3.4.5 spio
     ip domain-lookup
     ip domain-name test.ind.testing.com
     ip name-servers 10.4.5.253
  #exit
  port ethernet 24/1
     no shutdown
     bind interface spio local
  #exit
  ntp
     enable
     server 3.4.5.6
  #exit
  snmp community private read-only
  snmp community public read-only
  snmp target test 1.3.5.7 port 162 security-name public version 2c traps
  active-charging service srv1
     ruledef http-dst
        tcp dst-port = 80
        rule-application routing
     #exit
     ruledef http-response-1x
        http reply code >= 100
        http reply code < 199
     #exit
     ruledef http-response-2x
        http reply code >= 200
        http reply code < 299
     #exit
     ruledef http-response-3x
        http reply code >= 300
        http reply code < 399
     #exit
     ruledef http-response-4x
        http reply code >= 400
        http reply code < 499
     #exit
     ruledef http-response-5x
        http reply code >= 500
     #exit
     ruledef http-get
        http request method = get
     #exit
     ruledef http-post-req
        http request method = post
     #exit
     ruledef http-src
        tcp src-port = 80
        rule-application routing
     #exit
     ruledef wsp-cl-dst
        udp dst-port = 9200
        rule-application routing
     #exit
     ruledef wsp-cl-src
        udp src-port = 9200
        rule-application routing
     #exit
     ruledef wsp-co-dst
        udp dst-port = 9201
        rule-application routing
     #exit
     ruledef wsp-co-src
        udp src-port = 9201
        rule-application routing
     #exit
     ruledef wsp-get-req
        wsp pdu-type = get
     #exit
     ruledef wsp-post-req
        wsp pdu-type = post
     #exit
     ruledef wsp-put-req
        wsp pdu-type = put
     #exit
     edr-format web-hit
        attribute radius-user-name priority 1
        attribute radius-calling-station-id priority 2
        attribute   sn-end-time format MM/DD/YYYY-HH:MM:SS priority 3
        attribute   sn-start-time format MM/DD/YYYY-HH:MM:SS priority 4
        attribute radius-nas-ip-address priority 5
        rule-variable http url priority 6
        rule-variable wsp url priority 7
        rule-variable ip subscriber-ip-address priority 8
        attribute sn-closure-reason priority 22
        attribute sn-cf-category-policy priority 23
        attribute sn-cf-category-rating-type priority 24
        attribute sn-cf-category-classification-used priority 25
        attribute sn-cf-category-flow-action priority 26
        attribute sn-cf-category-unknown-url priority 27
        attribute sn-volume-amt ip pkts uplink priority 50
        attribute sn-volume-amt ip pkts downlink priority 51
        attribute sn-volume-amt ip bytes uplink priority 52
        attribute sn-volume-amt ip bytes downlink priority 53
        rule-variable http request method priority 54
        rule-variable http content type priority 70
        rule-variable http reply code priority 75
     #exit
     charging-action standard
        content-id 10
     #exit
     content-filtering category policy-id 1
        analyze priority 65535 all action allow
     #exit
     content-filtering category policy-id 2
        analyze priority 65535 all action allow
     #exit
     content-filtering category policy-id 3
        analyze priority 65535 all action allow
     #exit
     content-filtering category policy-id 4
        analyze priority 1 category ABOR    action allow edr web-hit
        analyze priority 2 category ADULT   action allow edr web-hit
        analyze priority 3 category ADVERT action allow edr web-hit
        analyze priority 4 category ANON    action allow edr web-hit
        analyze priority 5 category ART      action allow edr web-hit
        analyze priority 7 category AUTO    action allow edr web-hit
        analyze priority 8 category BLACK   action allow edr web-hit
        analyze priority 9 category BLOG    action allow edr web-hit
        analyze priority 10 category BUSI    action allow edr web-hit
        analyze priority 11 category CAR      action allow edr web-hit
        analyze priority 12 category CHAT    action allow edr web-hit
        analyze priority 14 category CMC      action allow edr web-hit
        analyze priority 15 category CRIME   action allow edr web-hit
        analyze priority 16 category CULT    action allow edr web-hit
        analyze priority 17 category DRUG    action allow edr web-hit
        analyze priority 18 category EDU      action allow edr web-hit
        analyze priority 19 category ENT      action allow edr web-hit
        analyze priority 20 category FIN      action allow edr web-hit
        analyze priority 21 category FORUM   action allow edr web-hit
        analyze priority 22 category GAMB    action allow edr web-hit
        analyze priority 23 category GAME    action allow edr web-hit
        analyze priority 24 category GOVERN action allow edr web-hit
        analyze priority 25 category GLAM    action allow edr web-hit
        analyze priority 26 category HACK    action allow edr web-hit
        analyze priority 27 category HATE    action allow edr web-hit
        analyze priority 28 category HEALTH action allow edr web-hit
        analyze priority 29 category HOBBY   action allow edr web-hit
        analyze priority 30 category HOSTS   action allow edr web-hit
        analyze priority 31 category KIDS    action allow edr web-hit
        analyze priority 32 category LEGAL   action allow edr web-hit
        analyze priority 33 category LIFES   action allow edr web-hit
        analyze priority 34 category MAIL    action allow edr web-hit
        analyze priority 35 category MIL      action allow edr web-hit
        analyze priority 36 category NEWS    action allow edr web-hit
        analyze priority 37 category OCCULT action allow edr web-hit
        analyze priority 39 category PEER    action allow edr web-hit
        analyze priority 40 category PERS    action allow edr web-hit
        analyze priority 42 category POLTIC action allow edr web-hit
        analyze priority 43 category PORN    action allow edr web-hit
        analyze priority 44 category PORTAL action allow edr web-hit
        analyze priority 45 category PROXY   action allow edr web-hit
        analyze priority 47 category REF      action allow edr web-hit
        analyze priority 48 category REL      action allow edr web-hit
        analyze priority 49 category SEARCH action allow edr web-hit
        analyze priority 50 category SCI      action allow edr web-hit
        analyze priority 52 category SHOP    action allow edr web-hit
        analyze priority 53 category SPORT   action allow edr web-hit
        analyze priority 55 category SUIC    action allow edr web-hit
        analyze priority 57 category SXED    action allow edr web-hit
        analyze priority 58 category TECH    action allow edr web-hit
        analyze priority 59 category TRAV    action allow edr web-hit
        analyze priority 60 category VIOL    action allow edr web-hit
        analyze priority 61 category WEAP    action allow edr web-hit
        analyze priority 62 category WHITE   action allow edr web-hit
        analyze priority 63 category UNKNOW action allow edr web-hit
     #exit
     rulebase rulebase1
        action priority 1 ruledef http-response-1x charging-action standard
        action priority 2 ruledef http-response-2x charging-action standard
        action priority 3 ruledef http-response-3x charging-action standard
        action priority 4 ruledef http-response-4x charging-action standard
        action priority 5 ruledef http-response-5x charging-action standard
        action priority 10 ruledef http-get charging-action standard
        route priority 78 ruledef http-src analyzer http
        route priority 79 ruledef http-dst analyzer http
        no transport-layer-checksum verify-during-packet-inspection
     #exit
     rulebase rulebase2
        content-filtering category policy-id 4
        content-filtering mode category static-and-dynamic
        content-filtering flow-any-error permit
        action priority 1 ruledef http-response-1x charging-action standard
        action priority 2 ruledef http-response-2x charging-action standard
        action priority 3 ruledef http-response-3x charging-action standard
        action priority 4 ruledef http-response-4x charging-action standard
        action priority 5 ruledef http-response-5x charging-action standard
        action priority 10 ruledef http-get charging-action standard
        route priority 78 ruledef http-src analyzer http
        route priority 79 ruledef http-dst analyzer http
        no transport-layer-checksum verify-during-packet-inspection
     #exit   
     rulebase default
     #exit
  #exit
  context test_src
     interface TEST_CLIENT
        ip address 1.1.1.1 255.255.255.0
        ip address 1.1.1.200 255.255.255.0 secondary
     #exit
     subscriber default
        encrypted password 123abc456def789ghi
        ip context-name test_dest
     exit
     subscriber name cf
        encrypted password 123abc456def789ghi
        ip access-group acl1 in
        ip access-group acl1 out
        ip context-name test_dest
        active-charging rulebase rulebase2
     exit
     subscriber name ecs
        encrypted password 123abc456def789ghi
        ip access-group acl1 in
        ip access-group acl1 out
        ip context-name test_dest
        active-charging rulebase rulebase1
     exit
     domain cf.com default subscriber cf
     domain ecs.com default subscriber ecs
     aaa group default
        radius attribute nas-ip-address address 1.1.1.200
        radius server 1.1.1.10 key secret port 1111
        radius accounting server 1.1.1.10 key secret port 2222
     #exit
     gtpp group default
     #exit
     ha-service test_ha
        mn-ha-spi spi-number 1000 encrypted secret 123abc456def789ghi hash-algorithm md5
        fa-ha-spi remote-address 1.1.1.100 spi-number 777 secret 123abc456def789ghi hash-algorithm md5
        no reg-lifetime
        bind address 1.1.1.200
     #exit
     pdsn-service test_pdsn
        spi remote-address 1.1.1.100 spi-number 256 encrypted secret 123abc456def789ghi
        authentication pap 1 chap 2 mschap 3
        bind address 1.1.1.200
     #exit
  #exit
  context test_dest
     ip access-list acl1
        redirect css service srv1 any
     #exit
     ip pool pool3 70.70.0.0 255.255.0.0 public 0 policy allow-static-allocation
     interface TEST_SERVER
        ip address 1.1.1.1 255.255.255.0
        ip address 1.1.1.200 255.255.255.0 secondary
     #exit
     ssh key 75f41778bab0a1731c19851a8e68f5e9cef4cca2bd3adf9544ec64f75a8d3823028f57815369b9b73388f688261e49f5d200bef8c435459db536c97e4eb len 777 type v2-raa
     subscriber default
     exit
     aaa group default
     #exit
     gtpp group default
     #exit
     ip route 0.0.0.0 0.0.0.0 1.1.1.100 TEST_SERVER
     edr-module active-charging-service
        file rotation volume 123456789 headers
        cdr use-harddisk
     #exit
  #exit
  bulkstats collection
  bulkstats mode
     file 1
        schema cf format %cf-ttlsub%,%cf-cursub%
        schema cf-system format CF,PDSNSystem,%date%,%time%,%cf-static-ratereq%,%cf-static-ratesucc%,%cf-static-rateblock%,%cf-static-ratefail%,%cf-static-ratefail-nr%,%cf-static-ratefail-notindb%,%cf-dyn-ratereq%,%cf-dyn-ratesucc%,%cf-dyn-rateblock%,%cf-dyn-ratefail%,%cf-cache-hits%,%cf-cache-misses%,%cf-cache-has-path-hits%,%cf-cache-flushes%,%cf-ratereq%,%cf-ratesucc%,%cf-rateblock%,%cf-ratefail%,%cf-cat-pkts-hit-summary%,%cf-cat-pkts-block-summary%
     #exit
  #exit
  #exit
  port ethernet 18/4
     no shutdown
     vlan 11
        no shutdown
        bind interface TEST_CLIENT test_src
     #exit
  #exit
  port ethernet 18/8
     no shutdown
     vlan 31
        no shutdown
        bind interface TEST_SERVER test_dest
     #exit
  #exit
  task facility sessmgr start aggressive
end
 
 
 
 
