Sample Content Filtering Service Configuration
This appendix includes the following sample configuration files for Content Filtering configuration within an ECS service:
• URL Blacklisting Configuration
• Category-based Content Filtering Configuration
URL Blacklisting Configuration
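This section presents a sample configuration file with URL Blacklisting configuration within an ECS service. The addresses, keys, and passwords in it are placeholders, and the management-plane settings it shows (Telnet, FTP, and TFTP servers; the SNMP communities public and private) should be reviewed before the file is adapted for a live system.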
# Global section of the URL Blacklisting sample: license, chassis-wide options,
# card modes and the features the rest of the file relies on.
config
# License string as printed in the guide; a deployed chassis uses the key issued for it.
license key "\
VER=1|C1M=SanDiskSDCFJ-4096|C1S=016816D2597X4624|C2M=SanDiskSDCFJ-4096\
FAA=Y|FCP=Y|LCF=30000|SIG=MC0CFQC2Zp+qSGqGR+VQ5QdhkHksZgXxgAIUN7+bT/OL\
qeFwAMiJbb4acy33JsU"
aaa large-configuration
timestamps
# NOTE(review): autoconfirm presumably suppresses CLI confirmation prompts;
# confirm it is wanted outside a lab, where a prompt guards destructive commands.
autoconfirm
clock timezone asia-calcutta
# The crash-record URL is stored in encrypted form because it can embed
# credentials; the value shown here looks like a placeholder.
crash enable encrypted url 01abc234d56e7f8g01abc234d56e7f8g
card 1
mode active psc
#exit
card 2
mode active psc
#exit
card 3
mode active psc
#exit
# Chassis-wide features. NOTE(review): presumably "require active-charging" is
# what makes the active-charging service defined later available - confirm.
require session recovery
require active-charging
require diameter-proxy multiple
# Management context: out-of-band interface, remote-access daemons, the
# administrator account, default route and DNS.
context local
interface spio
ip address 1.2.3.4 255.255.255.0
#exit
# FTP, Telnet and TFTP daemons are enabled next to sshd. All three carry
# credentials and data unencrypted; sshd with the sftp subsystem (below) already
# provides shell and file-transfer access, so a hardened copy of this sample
# would leave ftpd, telnetd and tftpd out.
server ftpd
#exit
# SSH host key as stored in the configuration (sample value).
ssh key f22330a765e10f40001920bf01dbf89a224dd8f09fe8d1598751401cb392f3c062f859a4335cb92f4a352a4686dcea99e4740be8a0063da1c657c560991ec87ce06728 len 461
server sshd
subsystem sftp
#exit
server telnetd
#exit
server tftpd
#exit
subscriber default
exit
# Account named "administrator" with the password kept in encrypted form
# (placeholder value). The trailing "ftp" keyword grants this account FTP
# access, which exposes the administrator password to the cleartext ftpd above.
administrator administrator encrypted password 123abc456def789gh ftp
aaa group default
#exit
gtpp group default
#exit
ip route 0.0.0.0 0.0.0.0 1.2.3.4 spio
ip domain-lookup
ip domain-name ind.starent.com
ip name-servers 1.2.3.4
#exit
# Physical port that carries the management interface "spio" of context local.
port ethernet 24/1
no shutdown
bind interface spio local
#exit
# Time synchronisation against a single server; no NTP authentication is
# configured in this sample. Accurate time matters for the timestamps on
# logs and charging records.
ntp
enable
server 1.2.3.4
#exit
# SNMP access and trap target. "private" and "public" are the widely known
# default community names, and SNMP v2c sends the community string in clear
# text; both are read-only here. Replace them with unique strings (or use
# SNMPv3) before the file is used on a reachable network.
snmp community private read-only
snmp community public read-only
# Traps go to 1.2.3.4:162 as v2c with the "public" community.
snmp target abc1 1.2.3.4 port 162 security-name public version 2c traps
# Active-charging (ECS) service for the URL Blacklisting sample. It defines a
# library of ruledefs, one charging action, the blacklist match method and two
# rulebases. Only three ruledefs are referenced by rulebase1 (http-get, default
# and http-route); the rest are defined but unused in this file.
active-charging service bl_service
# --- Routing ruledefs: classify traffic by transport port or protocol ---
ruledef clwap-dst
udp dst-port = 9200
rule-application routing
#exit
ruledef clwap-src
udp src-port = 9200
rule-application routing
#exit
ruledef cowap-dst
udp dst-port = 9201
rule-application routing
#exit
ruledef cowap-src
udp src-port = 9201
rule-application routing
#exit
# Catch-all: matches any IP packet. Used at priority 65000 in rulebase1.
ruledef default
ip any-match = TRUE
#exit
ruledef ftp-ctrl-dst
tcp dst-port = 21
rule-application routing
#exit
ruledef ftp-ctrl-src
tcp src-port = 21
rule-application routing
#exit
ruledef ftp-data-dst
tcp dst-port = 20
rule-application routing
#exit
ruledef ftp-data-src
tcp src-port = 20
rule-application routing
#exit
# TCP segments with no payload and neither FIN nor RST set.
ruledef handshake
tcp payload-length = 0
tcp any-match = TRUE
tcp flag !contains fin
tcp flag !contains reset
#exit
ruledef http-dst
tcp dst-port = 80
rule-application routing
#exit
ruledef http-get
http request method = get
#exit
ruledef http-pkts
http any-match = TRUE
#exit
ruledef http-proxy-dst
tcp dst-port = 3128
rule-application routing
#exit
ruledef http-proxy-src
tcp src-port = 3128
rule-application routing
#exit
# The only routing ruledef actually used by rulebase1: TCP port 80 in either direction.
ruledef http-route
tcp either-port = 80
rule-application routing
#exit
# NOTE(review): unlike the other port ruledefs, http-src has no
# "rule-application routing" line - confirm whether that is intentional.
ruledef http-src
tcp src-port = 80
#exit
ruledef http-wap2-dst
tcp dst-port = 8799
rule-application routing
#exit
ruledef http-wap2-src
tcp src-port = 8799
rule-application routing
#exit
ruledef https-dst
tcp dst-port = 443
rule-application routing
#exit
ruledef https-src
tcp src-port = 443
rule-application routing
#exit
ruledef pop3-dst
tcp dst-port = 110
rule-application routing
#exit
ruledef pop3-src
tcp src-port = 110
rule-application routing
#exit
ruledef rtsp-dst
tcp dst-port = 554
rule-application routing
#exit
ruledef rtsp-src
tcp src-port = 554
rule-application routing
#exit
# --- URI-prefix ruledefs (rule2..rule9): defined but not referenced by any rulebase below ---
ruledef rule2
http uri starts-with http://1.2.3.4/test/service/2000/
#exit
ruledef rule3
http uri starts-with http://1.2.3.4/test/service/3000/
#exit
ruledef rule4
http uri starts-with http://1.2.3.4/test/service/4000/
#exit
ruledef rule5
http uri starts-with http://1.2.3.4/test/service/5000/
#exit
ruledef rule6
http uri starts-with http://1.2.3.4/test/service/6000/
#exit
ruledef rule7
http uri starts-with http://1.2.3.4/test/service/7000/
#exit
ruledef rule8
http uri starts-with http://1.2.3.4/test/service/8000/
#exit
ruledef rule9
http uri starts-with http://1.2.3.4/test/service/9000/
#exit
ruledef sdp_route
sip content type = application/sdp
rule-application routing
#exit
ruledef sip-dst
udp dst-port = 5060
rule-application routing
#exit
ruledef sip-src
udp src-port = 5060
rule-application routing
#exit
ruledef smtp-dst
tcp dst-port = 25
rule-application routing
#exit
ruledef smtp-src
tcp src-port = 25
rule-application routing
#exit
ruledef tcp
ip protocol = 6
rule-application routing
#exit
ruledef udp
ip protocol = 17
rule-application routing
#exit
charging-action standard
content-id 10
retransmissions-counted
#exit
# Blacklist lookups use exact-match comparison of the URL. This sample does not
# show where the blacklist database itself is loaded from.
url-blacklisting method exact-match
rulebase rulebase1
action priority 1 ruledef http-get charging-action standard
action priority 65000 ruledef default charging-action standard
# Packets whose URL matches the blacklist are discarded.
url-blacklisting action discard
# Only TCP port 80 is routed to the HTTP analyzer. NOTE(review): presumably
# blacklisting can only act on flows the analyzer sees, so HTTP on other ports
# (3128, 8799) and HTTPS (443) would pass unchecked with this rulebase - confirm.
route priority 80 ruledef http-route analyzer http
# Transport-layer checksum verification is switched off during packet inspection.
no transport-layer-checksum verify-during-packet-inspection
#exit
rulebase default
#exit
#exit
# Subscriber-facing (ingress) context: client and RADIUS interfaces, the default
# subscriber profile, AAA servers and the HA service.
context source
interface ST40_2_CLIENT
ip address 1.2.3.4 255.255.255.0
ip address 1.2.3.5 255.255.255.255 secondary
ip address 1.2.3.6 255.255.255.255 secondary
#exit
interface ST40_2_RADIUS
ip address 1.2.3.4 255.255.255.0
#exit
# Default subscriber: traffic in both directions passes ACL acl1 (defined in
# context dest), egress context is dest, and rulebase1 - the one carrying the
# url-blacklisting action - is applied.
subscriber default
ip access-group acl1 in
ip access-group acl1 out
ip context-name dest
active-charging rulebase rulebase1
exit
aaa group default
radius attribute nas-ip-address address 1.2.3.4
# RADIUS shared secrets are stored in encrypted form (placeholder values).
radius server 1.2.3.4 encrypted key 01abc234d56e7f8g port 1812
radius accounting server 1.2.3.4 encrypted key 01abc234d port 1813
#exit
gtpp group default
#exit
ha-service HA
# Mobile IP security associations authenticated with MD5. MD5 is a legacy
# choice for message authentication; prefer a stronger hash-algorithm where
# the peer and release support one.
mn-ha-spi spi-number 1000 encrypted secret 01abc234d56e7f8g hash-algorithm md5
# NOTE(review): the next two fa-ha-spi lines are identical - one looks redundant.
fa-ha-spi remote-address 1.2.3.4 spi-number 256 encrypted secret 01abc234d56e7f8g hash-algorithm md5
fa-ha-spi remote-address 1.2.3.4 spi-number 256 encrypted secret 01abc234d56e7f8g hash-algorithm md5
no reg-lifetime
bind address 1.2.3.4
#exit
edr-module active-charging-service
#exit
ip igmp profile default
#exit
#exit
# Network-facing (egress) context: the ACL that hands traffic to the charging
# service, the IP pools and the server-side interface.
context dest
ip access-list acl1
# Redirects all traffic to the charging service.
# NOTE(review): the service named here is srv1, but the active-charging service
# defined in this sample is bl_service - confirm the name, otherwise traffic may
# never reach the rulebase that enforces the blacklist.
redirect css service srv1 any
#exit
ip pool callgen_A11 1.2.3.4 255.255.0.0 static
ip pool callgen_B11 1.2.3.5 255.255.0.0 static
ip pool dpool00 1.2.3.6 255.255.0.0 public 0
ip pool dpool01 1.2.3.7 255.255.0.0 public 0
interface ST40_2_SERVER
ip address 1.2.3.4 255.255.255.0
#exit
subscriber default
exit
aaa group default
#exit
gtpp group default
#exit
ip igmp profile default
#exit
#exit
# Port and VLAN bindings: VLAN 4000 carries the server side (context dest);
# VLANs 2000 and 3000 carry the client and RADIUS interfaces (context source).
port ethernet 17/1
no shutdown
vlan 4000
no shutdown
bind interface ST40_2_SERVER dest
#exit
#exit
port ethernet 18/1
no shutdown
vlan 2000
no shutdown
bind interface ST40_2_CLIENT source
#exit
vlan 3000
no shutdown
bind interface ST40_2_RADIUS source
#exit
#exit
# The following ports are enabled but have no interface bound in this sample;
# ports that are not in use are better left shut down.
port ethernet 18/5
no shutdown
#exit
port ethernet 18/6
no shutdown
#exit
port ethernet 18/7
no shutdown
#exit
port ethernet 18/8
no shutdown
#exit
port ethernet 19/1
no shutdown
#exit
# Start-up policy for the session-manager and ACS-manager task facilities.
task facility sessmgr start aggressive
task facility acsmgr start aggressive
end
Category-based Content Filtering Configuration
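This section presents a sample configuration file with Category-based Content Filtering configuration within an ECS service. In this sample every category rule has the action allow and rulebase2 permits flows on a content-filtering error, so the file demonstrates rating and EDR logging rather than blocking.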
# Global section of the Category-based Content Filtering sample: license,
# chassis-wide options, card modes, and the content-filtering database settings.
config
# License string as printed in the guide; a deployed chassis uses the key issued for it.
  license key "\
VER=1|C1M=SanDiskSDCFJ-4096|C1S=016816D2597X4624|C2M=SanDiskSDCFJ-4096\
FAA=Y|FCP=Y|LCF=30000|SIG=MC0CFQC2Zp+qSGqGR+VQ5QdhkHksZgXxgAIUN7+bT/OL"
aaa large-configuration
timestamps
# NOTE(review): autoconfirm presumably suppresses CLI confirmation prompts;
# confirm it is wanted outside a lab.
autoconfirm
clock timezone asia-calcutta
# The crash-record URL is stored in encrypted form (sample value).
crash enable encrypted url 90b248ca778edc0db4a55318525bc
card 1
mode active psc
#exit
card 2
mode active psc
#exit
card 3
mode active psc
#exit
card 4
mode active psc
#exit
require session recovery
# Directory holding the category database. The ratings returned by content
# filtering are only as trustworthy as the files here, so write access to this
# path (including over the file-transfer daemons configured below) should be
# restricted.
content-filtering category database directory path /flash/cf/
# Enables active charging with category-based filtering in static-and-dynamic mode.
require active-charging content-filtering category static-and-dynamic
# Management context: out-of-band interface, remote-access daemons, the
# administrator account, default route and DNS.
context local
interface spio
ip address 1.2.3.4 255.255.255.0
#exit
# FTP, Telnet and TFTP daemons are enabled next to sshd. All three carry
# credentials and data unencrypted; sshd with the sftp subsystem already
# provides shell and file-transfer access, so a hardened copy of this sample
# would leave ftpd, telnetd and tftpd out.
server ftpd
#exit
# SSH host keys as stored in the configuration (sample values). The second key
# is typed v2-dsa; DSA host keys are deprecated by current SSH implementations.
ssh key f22330a765e10f40001920bf01dbf89a224dd8f09fe8d1598751401cb392f3c062f859a59520b1a8f0684335cb92f4a352a4686dcea99e4740be8a0063da1c657c5609 len 006
    ssh key 75f41778bab0a173ee6e4e79c1026389918dca8b9f4701078f6841add6a81a669d183107638abac6c0de03f606736334e1f5ee618dc370636824c0c8aaffc96050ecb88 len 007 type v2-dsa
server sshd
subsystem sftp
#exit
server telnetd
#exit
server tftpd
#exit
subscriber default
exit
# Administrator account "test" with the password kept in encrypted form
# (placeholder value). The trailing "ftp" keyword grants this account FTP
# access, which exposes its password to the cleartext ftpd above.
administrator test encrypted password abc123def456ghi789 ftp
aaa group default
#exit
gtpp group default
#exit
ip route 0.0.0.0 0.0.0.0 2.3.4.5 spio
ip domain-lookup
ip domain-name test.ind.testing.com
ip name-servers 10.4.5.253
#exit
# Physical port that carries the management interface "spio" of context local.
port ethernet 24/1
no shutdown
bind interface spio local
#exit
# Time synchronisation against a single server; no NTP authentication is
# configured in this sample.
ntp
enable
server 3.4.5.6
#exit
# "private" and "public" are the widely known default community names, and
# SNMP v2c sends the community string in clear text; both are read-only here.
# Replace them with unique strings (or use SNMPv3) before reuse.
snmp community private read-only
snmp community public read-only
snmp target test 1.3.5.7 port 162 security-name public version 2c traps
# Active-charging (ECS) service for the category-based sample: ruledefs, the
# "web-hit" EDR format, one charging action, four category policies and three
# rulebases. rulebase2 is the only rulebase with content filtering attached.
active-charging service srv1
ruledef http-dst
tcp dst-port = 80
rule-application routing
#exit
# HTTP reply-code buckets.
# NOTE(review): each upper bound is written "< x99", so reply codes 199, 299,
# 399 and 499 match none of these ruledefs - confirm whether "< 200", "< 300",
# and so on were intended.
ruledef http-response-1x
http reply code >= 100
http reply code < 199
#exit
ruledef http-response-2x
http reply code >= 200
http reply code < 299
#exit
ruledef http-response-3x
http reply code >= 300
http reply code < 399
#exit
ruledef http-response-4x
http reply code >= 400
http reply code < 499
#exit
ruledef http-response-5x
http reply code >= 500
#exit
ruledef http-get
http request method = get
#exit
ruledef http-post-req
http request method = post
#exit
ruledef http-src
tcp src-port = 80
rule-application routing
#exit
# WSP ruledefs: defined here but not referenced by any rulebase in this file.
ruledef wsp-cl-dst
udp dst-port = 9200
rule-application routing
#exit
ruledef wsp-cl-src
udp src-port = 9200
rule-application routing
#exit
ruledef wsp-co-dst
udp dst-port = 9201
rule-application routing
#exit
ruledef wsp-co-src
udp src-port = 9201
rule-application routing
#exit
ruledef wsp-get-req
wsp pdu-type = get
#exit
ruledef wsp-post-req
wsp pdu-type = post
#exit
ruledef wsp-put-req
wsp pdu-type = put
#exit
# Layout of the event data record written for rated URLs. Each record ties a
# user name, calling-station id and subscriber IP address to the URL visited,
# so the resulting EDR files are subscriber browsing history and need matching
# access control and retention handling.
edr-format web-hit
attribute radius-user-name priority 1
attribute radius-calling-station-id priority 2
attribute sn-end-time format MM/DD/YYYY-HH:MM:SS priority 3
attribute sn-start-time format MM/DD/YYYY-HH:MM:SS priority 4
attribute radius-nas-ip-address priority 5
rule-variable http url priority 6
rule-variable wsp url priority 7
rule-variable ip subscriber-ip-address priority 8
attribute sn-closure-reason priority 22
attribute sn-cf-category-policy priority 23
attribute sn-cf-category-rating-type priority 24
attribute sn-cf-category-classification-used priority 25
attribute sn-cf-category-flow-action priority 26
attribute sn-cf-category-unknown-url priority 27
attribute sn-volume-amt ip pkts uplink priority 50
attribute sn-volume-amt ip pkts downlink priority 51
attribute sn-volume-amt ip bytes uplink priority 52
attribute sn-volume-amt ip bytes downlink priority 53
rule-variable http request method priority 54
rule-variable http content type priority 70
rule-variable http reply code priority 75
#exit
charging-action standard
content-id 10
#exit
# Policies 1-3 each hold a single lowest-priority rule that allows everything.
content-filtering category policy-id 1
analyze priority 65535 all action allow
#exit
content-filtering category policy-id 2
analyze priority 65535 all action allow
#exit
content-filtering category policy-id 3
analyze priority 65535 all action allow
#exit
# Policy 4 lists one rule per category, and every rule has "action allow" with
# an EDR written in the web-hit format. As configured it records the category of
# each request but blocks nothing; enforcement requires changing the action on
# the categories an operator wants to restrict.
content-filtering category policy-id 4
analyze priority 1 category ABOR action allow edr web-hit
analyze priority 2 category ADULT action allow edr web-hit
analyze priority 3 category ADVERT action allow edr web-hit
analyze priority 4 category ANON action allow edr web-hit
analyze priority 5 category ART action allow edr web-hit
analyze priority 7 category AUTO action allow edr web-hit
analyze priority 8 category BLACK action allow edr web-hit
analyze priority 9 category BLOG action allow edr web-hit
analyze priority 10 category BUSI action allow edr web-hit
analyze priority 11 category CAR action allow edr web-hit
analyze priority 12 category CHAT action allow edr web-hit
analyze priority 14 category CMC action allow edr web-hit
analyze priority 15 category CRIME action allow edr web-hit
analyze priority 16 category CULT action allow edr web-hit
analyze priority 17 category DRUG action allow edr web-hit
analyze priority 18 category EDU action allow edr web-hit
analyze priority 19 category ENT action allow edr web-hit
analyze priority 20 category FIN action allow edr web-hit
analyze priority 21 category FORUM action allow edr web-hit
analyze priority 22 category GAMB action allow edr web-hit
analyze priority 23 category GAME action allow edr web-hit
analyze priority 24 category GOVERN action allow edr web-hit
analyze priority 25 category GLAM action allow edr web-hit
analyze priority 26 category HACK action allow edr web-hit
analyze priority 27 category HATE action allow edr web-hit
analyze priority 28 category HEALTH action allow edr web-hit
analyze priority 29 category HOBBY action allow edr web-hit
analyze priority 30 category HOSTS action allow edr web-hit
analyze priority 31 category KIDS action allow edr web-hit
analyze priority 32 category LEGAL action allow edr web-hit
analyze priority 33 category LIFES action allow edr web-hit
analyze priority 34 category MAIL action allow edr web-hit
analyze priority 35 category MIL action allow edr web-hit
analyze priority 36 category NEWS action allow edr web-hit
analyze priority 37 category OCCULT action allow edr web-hit
analyze priority 39 category PEER action allow edr web-hit
analyze priority 40 category PERS action allow edr web-hit
analyze priority 42 category POLTIC action allow edr web-hit
analyze priority 43 category PORN action allow edr web-hit
analyze priority 44 category PORTAL action allow edr web-hit
analyze priority 45 category PROXY action allow edr web-hit
analyze priority 47 category REF action allow edr web-hit
analyze priority 48 category REL action allow edr web-hit
analyze priority 49 category SEARCH action allow edr web-hit
analyze priority 50 category SCI action allow edr web-hit
analyze priority 52 category SHOP action allow edr web-hit
analyze priority 53 category SPORT action allow edr web-hit
analyze priority 55 category SUIC action allow edr web-hit
analyze priority 57 category SXED action allow edr web-hit
analyze priority 58 category TECH action allow edr web-hit
analyze priority 59 category TRAV action allow edr web-hit
analyze priority 60 category VIOL action allow edr web-hit
analyze priority 61 category WEAP action allow edr web-hit
analyze priority 62 category WHITE action allow edr web-hit
analyze priority 63 category UNKNOW action allow edr web-hit
#exit
# rulebase1: charging only. No content-filtering policy is attached, so
# subscribers mapped to it (subscriber "ecs" in context test_src) are not filtered.
rulebase rulebase1
action priority 1 ruledef http-response-1x charging-action standard
action priority 2 ruledef http-response-2x charging-action standard
action priority 3 ruledef http-response-3x charging-action standard
action priority 4 ruledef http-response-4x charging-action standard
action priority 5 ruledef http-response-5x charging-action standard
action priority 10 ruledef http-get charging-action standard
route priority 78 ruledef http-src analyzer http
route priority 79 ruledef http-dst analyzer http
# Transport-layer checksum verification is switched off during packet inspection.
no transport-layer-checksum verify-during-packet-inspection
#exit
# rulebase2: same charging rules plus category policy 4 in static-and-dynamic mode.
rulebase rulebase2
content-filtering category policy-id 4
content-filtering mode category static-and-dynamic
# Fail-open: when content filtering hits an error for a flow, the flow is
# permitted. This favours availability over enforcement; a deployment that
# must not let unrated traffic through needs a different setting here.
content-filtering flow-any-error permit
action priority 1 ruledef http-response-1x charging-action standard
action priority 2 ruledef http-response-2x charging-action standard
action priority 3 ruledef http-response-3x charging-action standard
action priority 4 ruledef http-response-4x charging-action standard
action priority 5 ruledef http-response-5x charging-action standard
action priority 10 ruledef http-get charging-action standard
# Only TCP port 80 is routed to the HTTP analyzer. NOTE(review): presumably
# rating applies only to flows the analyzer sees, so HTTP on other ports and
# HTTPS would not be categorised by this rulebase - confirm.
route priority 78 ruledef http-src analyzer http
route priority 79 ruledef http-dst analyzer http
# Transport-layer checksum verification is switched off during packet inspection.
no transport-layer-checksum verify-during-packet-inspection
#exit
rulebase default
#exit
#exit
# Subscriber-facing (ingress) context: client interface, subscriber profiles,
# domain-to-profile mapping, AAA servers, and the HA and PDSN services.
context test_src
interface TEST_CLIENT
ip address 1.1.1.1 255.255.255.0
ip address 1.1.1.200 255.255.255.0 secondary
#exit
# The default subscriber has no ACL and no rulebase, so a session that falls
# back to this profile reaches test_dest without passing the charging service.
subscriber default
encrypted password 123abc456def789ghi
ip context-name test_dest
exit
# Subscriber "cf": redirected through acl1 and rated by rulebase2 (content filtering).
subscriber name cf
encrypted password 123abc456def789ghi
ip access-group acl1 in
ip access-group acl1 out
ip context-name test_dest
active-charging rulebase rulebase2
exit
# Subscriber "ecs": redirected through acl1 but handled by rulebase1 (charging only).
subscriber name ecs
encrypted password 123abc456def789ghi
ip access-group acl1 in
ip access-group acl1 out
ip context-name test_dest
active-charging rulebase rulebase1
exit
# The realm in the user name selects the profile, and therefore whether the
# session is filtered.
domain cf.com default subscriber cf
domain ecs.com default subscriber ecs
aaa group default
radius attribute nas-ip-address address 1.1.1.200
# Both RADIUS shared secrets are entered in clear text as the literal word
# "secret" (no "encrypted" keyword, unlike the other secrets in this file).
# Use a long random secret and keep it in encrypted form in saved configurations.
radius server 1.1.1.10 key secret port 1111
radius accounting server 1.1.1.10 key secret port 2222
#exit
gtpp group default
#exit
ha-service test_ha
# Mobile IP security associations authenticated with MD5, a legacy choice for
# message authentication; prefer a stronger hash-algorithm where supported.
mn-ha-spi spi-number 1000 encrypted secret 123abc456def789ghi hash-algorithm md5
# This fa-ha-spi secret is given without the "encrypted" keyword, so the value
# is treated as clear text.
fa-ha-spi remote-address 1.1.1.100 spi-number 777 secret 123abc456def789ghi hash-algorithm md5
no reg-lifetime
bind address 1.1.1.200
#exit
pdsn-service test_pdsn
spi remote-address 1.1.1.100 spi-number 256 encrypted secret 123abc456def789ghi
# NOTE(review): presumably the numbers are preference order, which puts PAP
# (password sent in clear over PPP) ahead of CHAP and MS-CHAP - confirm the
# order is intended.
authentication pap 1 chap 2 mschap 3
bind address 1.1.1.200
#exit
#exit
# Network-facing (egress) context: the ACL that hands traffic to the charging
# service, the IP pool, the server-side interface and EDR file handling.
context test_dest
ip access-list acl1
# Redirects all traffic to active-charging service srv1, where the subscriber's
# rulebase is applied.
redirect css service srv1 any
#exit
ip pool pool3 70.70.0.0 255.255.0.0 public 0 policy allow-static-allocation
interface TEST_SERVER
ip address 1.1.1.1 255.255.255.0
ip address 1.1.1.200 255.255.255.0 secondary
#exit
# NOTE(review): "type v2-raa" looks like a typo for v2-rsa - confirm against the
# CLI reference before reusing this line.
ssh key 75f41778bab0a1731c19851a8e68f5e9cef4cca2bd3adf9544ec64f75a8d3823028f57815369b9b73388f688261e49f5d200bef8c435459db536c97e4eb len 777 type v2-raa
subscriber default
exit
aaa group default
#exit
gtpp group default
#exit
ip route 0.0.0.0 0.0.0.0 1.1.1.100 TEST_SERVER
# EDR files rotate by volume and are written with headers; records are kept on
# the hard disk. These files hold the per-subscriber URL records defined by the
# web-hit format, so retrieval should use an encrypted transfer.
edr-module active-charging-service
file rotation volume 123456789 headers
cdr use-harddisk
#exit
#exit
# Bulk statistics: two content-filtering schemas written to file 1. The
# cf-system schema exports rating request, success, block and failure counters
# and cache hit/miss counters, which are the figures to watch for rating
# failures that the fail-open setting would otherwise hide.
bulkstats collection
bulkstats mode
file 1
schema cf format %cf-ttlsub%,%cf-cursub%
schema cf-system format CF,PDSNSystem,%date%,%time%,%cf-static-ratereq%,%cf-static-ratesucc%,%cf-static-rateblock%,%cf-static-ratefail%,%cf-static-ratefail-nr%,%cf-static-ratefail-notindb%,%cf-dyn-ratereq%,%cf-dyn-ratesucc%,%cf-dyn-rateblock%,%cf-dyn-ratefail%,%cf-cache-hits%,%cf-cache-misses%,%cf-cache-has-path-hits%,%cf-cache-flushes%,%cf-ratereq%,%cf-ratesucc%,%cf-rateblock%,%cf-ratefail%,%cf-cat-pkts-hit-summary%,%cf-cat-pkts-block-summary%
#exit
#exit
#exit
# Port and VLAN bindings: VLAN 11 carries the client side (context test_src),
# VLAN 31 the server side (context test_dest).
port ethernet 18/4
no shutdown
vlan 11
no shutdown
bind interface TEST_CLIENT test_src
#exit
#exit
port ethernet 18/8
no shutdown
vlan 31
no shutdown
bind interface TEST_SERVER test_dest
#exit
#exit
# Start-up policy for the session-manager task facility.
task facility sessmgr start aggressive
end
 
