Configuring Flow-Based Redirect for a Traffic Class Service
The following sample output shows how a traffic class service with the Flow-Based Redirect feature is configured to redirect all HTTP traffic to a different next hop device upon logging in to the account:
Router# configure terminal
Router (config)# ip access-list extended WEB_ACL_IN
Router (config-ext-nacl)# permit tcp any any eq www
Router (config-ext-nacl)# permit tcp any any eq www
Router (config-ext-nacl)# class-map type traffic match-any ACF_ACL
Router (config-traffic-classmap)# match access-group input name WEB_ACL_IN
Router (config-traffic-classmap)# policy-map type service ACF_SERVICE
Router (config-service-policymap)# class type traffic ACF_ACL
Router (config-service-policymap-class-traffic)# reroute to next-hop ip 44.0.0.22
Router (config-control-policymap-class-control)# policy-map type control INTERNET_SERVICE_RULE
Router (config-control-policymap)# class type control always event account-logon
Router (config-control-policymap-class-control)# 20 service-policy type service name ACF_SERVICE
Router (config-control-policymap-class-control)# class type control always event service-stop
Router (config-control-policymap-class-control)# 1 service-policy type service unapply identifier service-name
Router (config-control-policymap)# class type control always event service-start
Router (config-control-policymap-class-control)# 10 service-policy type service identifier service-name
Router (config-control-policymap)# class type control always event account-logoff
Router (config-control-policymap-class-control)# 10 service disconnect delay 5
To view the FBR policy that is attached to a session at session start, use the show subscriber session uid uid command:
Router# show subscriber session uid 249
Type: IPv4, UID: 249, State: authen, Identity: 33.0.0.4
IPv4 Address: 33.0.0.4
Session Up-time: 00:01:43, Last Changed: 00:01:43
Switch-ID: 16972
Policy information:
Authentication status: authen
Active services associated with session:
name "ACF_SERVICE", applied before account logon
Rules, actions and conditions executed:
subscriber rule-map INTERNET_SERVICE_RULE
condition always event session-start
80 authorize identifier source-ip-address
subscriber rule-map default-internal-rule
condition always event service-start
1 service-policy type service identifier service-name
Classifiers:
Class-id Dir Packets Bytes Pri. Definition
0 In 499 31936 0 Match Any
1 Out 0 0 0 Match Any
56 In 499 31936 0 Match ACL WEB_ACL_IN
57 Out 0 0 0 Match ACL WEB_ACL_OUT
Template Id : 1
Features:
Absolute Timeout:
Class-id Timeout Value Time Remaining Source
0 3000 00:48:16 Peruser
Forced Flow Routing:
Class-id FFR Tunnel Details Source
56
Next-hop IP: 44.0.0.2
ACF_SERVICE
Configuration Sources:
Type Active Time AAA Service ID Name
SVC 00:01:43 - ACF_SERVICE
USR 00:01:43 - Peruser
INT 00:01:43 - GigabitEthernet0/0/4
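The check below is an added example, not part of the original documentation: it compares the `reroute to next-hop ip` address configured for a service with the next hop the session reports under Forced Flow Routing, so that a redirect pointing somewhere other than the intended device is caught. The sample input is copied from the two listings on this page, which show 44.0.0.22 in the configuration and 44.0.0.2 in the session output, so the check reports a mismatch for them; the function names are hypothetical and the parsing assumes the line layout seen here.

```python
import re

# Constructed sample input: lines copied from the two listings on this page.
CONFIG = """\
Router (config-traffic-classmap)# policy-map type service ACF_SERVICE
Router (config-service-policymap)# class type traffic ACF_ACL
Router (config-service-policymap-class-traffic)# reroute to next-hop ip 44.0.0.22
"""
SESSION = """\
Forced Flow Routing:
Class-id FFR Tunnel Details Source
56
Next-hop IP: 44.0.0.2
ACF_SERVICE
Configuration Sources:
"""
PROMPT = re.compile(r"^\S+\s*(\([^)]*\))?#\s*")  # strips "Router (config-...)# "

def configured_next_hops(config_text):
    """Map each service policy-map name to its configured reroute next hops."""
    hops, current = {}, None
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := re.match(r"policy-map type (\S+) (\S+)", line):
            current = m.group(2) if m.group(1) == "service" else None
        elif (m := re.match(r"reroute to next-hop ip (\S+)", line)) and current:
            hops.setdefault(current, set()).add(m.group(1))
    return hops

def session_next_hops(show_text):
    """Map each source service to the next hop under 'Forced Flow Routing'."""
    hops, in_ffr, pending = {}, False, None
    for line in map(str.strip, show_text.splitlines()):
        if line in ("Forced Flow Routing:", "Configuration Sources:"):
            in_ffr, pending = line.startswith("Forced"), None
        elif in_ffr and (m := re.search(r"Next-hop IP:\s*(\S+)\s*(\S*)", line)):
            pending = m.group(1)
            if m.group(2):  # assumption: source may share the row
                hops[m.group(2)], pending = pending, None
        elif in_ffr and pending and re.fullmatch(r"[A-Za-z][\w-]*", line):
            hops[line], pending = pending, None  # source on the following line
    return hops

def audit(config_text, show_text):
    """List (service, configured, applied) where the applied hop is not configured."""
    want = configured_next_hops(config_text)
    return [(svc, sorted(want.get(svc, ())), hop)
            for svc, hop in session_next_hops(show_text).items()
            if hop not in want.get(svc, ())]
```

An empty list from `audit` means every next hop applied to the session matches the service configuration.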
To verify whether the packet count on the interface that is connected to the next hop device is increasing, use the show interface interface connected to the next hop device command:
Router(config)# show interface GigabitEthernet0/0/5
GigabitEthernet0/0/5 is up, line protocol is up
Hardware is SPA-8X1GE-V2, address is 0021.d81a.d305 (bia 0021.d81a.d305)
Description: IXIA_Client_Facing
Internet address is 44.0.0.1/24
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full Duplex, 1000Mbps, link type is auto, media type is SX
output flow-control is on, input flow-control is on
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:05:03, output 00:05:03, output hang never
Last clearing of "show interface" counters 00:06:48
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 12000 bits/sec, 20 packets/sec
7 packets input, 690 bytes, 0 no buffer
Received 2 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
4897 packets output, 382284 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
To display the statistics of all the dropped packets on the Embedded Services Processor (ESP), use the show platform hardware qfp active statistics drop command.
Note: As per FBR behavior, the ISG drops packets if the next hop is unreachable. The show platform hardware qfp active statistics drop command output shows counters for the dropped packets.
Router# Show platform hardware qfp active statistics drop
-------------------------------------------------------------------------
Global Drop Stats Packets Octets
-------------------------------------------------------------------------
Disabled 13 1166
essipsubfsoldrop 2327 216495
UnconfiguredIpv6Fia 90 9492
interface GigabitEthernet0/0/4
ip address 36.0.0.1 255.255.255.0
ip nat inside
negotiation auto
ipv6 address FE80::200:5EFF:FE00:5213 link-local
service-policy type control PREMS
ip subscriber l2-connected
initiator unclassified mac-address
initiator dhcp
!
interface GigabitEthernet1/2/4
description IXIA_port_for_offload
ip address 44.0.0.1 255.255.255.0
ip nat outside
load-interval 30
negotiation auto
ipv6 address 44::1/60
!
ip nat settings mode cgn
no ip nat settings support mapping outside
ip nat pool natpool 55.0.0.3 55.0.255.250 netmask 255.255.0.0
ip nat inside source list 100 pool natpool overload