HUAWEI SIG9800 V300R001C00 Configuration Guide 01 PDF
V300R001C00
Configuration Guide
Issue 01
Date 2012-06-06
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Related Version
The following table lists the product version related to this document.
SIG9800 V300R001C00
Intended Audience
This document describes preparation and report applications of the SIG in terms of the service
configuration preparation, subscriber and network object initialization, typical service
configuration example, and report application example.
Therefore, this document is also the material for learning how to configure a service and employ
corresponding reports.
Product Declaration
• Personal data might be involved during the service or maintenance of the SIG. Therefore,
corresponding protections are implemented. You are obligated to take related measures, in
compliance with the laws of the countries concerned and the user privacy policies of your
company, to ensure that the personal data of users is fully protected.
• To secure the network and service, certain personal data might be used or stored in line
with your requirements. Huawei alone is unable to collect or save the content of users'
communication. It is suggested that you activate the interception-related functions based
on the applicable laws and regulations in terms of purpose and scope of usage. You are
obligated to take considerable measures to ensure that the content of users' communications
is fully protected when the content is being used and saved.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
&<1-n> The parameter before the & sign can be repeated 1 to n times.
GUI Conventions
The GUI conventions that may be found in this document are defined as follows.
Convention Description
Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Contents
4.2.7 Typical Configuration Example (Self Learning Subscribers and Identifying the Area Where the Subscriber Resides by SN)
4.2.8 Maintaining Existing Subscribers
4.2.9 Managing the Subscriber Group
4.2.10 Parameter Description
4.2.11 Dynamic Attribute Description
4.3 Configuring the VIC
4.3.1 Overview
4.3.2 Configuration Procedure
4.3.3 Typical Configuration Example 1 (Manually Adding VICs)
4.3.4 Typical Configuration Example 2 (Importing VICs in Batches)
4.4 Configuring the Link
4.4.1 Overview
4.4.2 Configuration Procedure
4.4.3 Typical Configuration Example
4.4.4 Reference
4.5 Configuring the Virtual Tunnel
4.5.1 Background of Introducing the Concept of Virtual Tunnel
4.5.2 Introduction to User Attribute Virtual Tunnel
4.5.3 Introduction to Stream Attribute Virtual Tunnel
4.5.4 Typical Application Value of the Virtual Tunnel on Carrier Network
4.5.5 Configuration Procedure
4.5.6 Typical Configuration Example 1 (User Attribute Virtual Tunnel, Defining SN as the Virtual Tunnel Category)
4.5.7 Typical Configuration Example 2 (User Attribute Virtual Tunnel, Defining BTS as the Virtual Tunnel Category)
4.5.8 Typical Configuration Example 3 (Stream Attribute Virtual Tunnel, Defining the Traffic of Local IP Address or Remote IP Address as the Virtual Tunnel)
4.5.9 Typical Configuration Example 4 (Stream Attribute Virtual Tunnel, Defining VLAN Traffic as the Virtual Tunnel)
4.6 Configuring the AS Domain Group
4.6.1 Overview
4.6.2 Typical Configuration Example
4.6.3 Reference
4.6.4 BGP Overview
4.6.5 BGP Message Types
4.7 Configuring the Subnet
4.7.1 Overview
4.7.2 Typical Configuration Example 1 (Manually Adding Subnets)
4.7.3 Typical Configuration Example 2 (Importing subnets in Batches)
5.2.1 Overview
5.2.2 Operation Procedure
5.2.3 Report Examples (Link and Virtual Tunnel-based)
5.2.4 Report Examples (Subscriber-based)
5.2.5 Report Examples (VIC-based)
5.2.6 Report Examples (Consolidated)
5.2.7 Reference
5.3 Querying the User Behavior Statistics Report
5.3.1 Overview
5.3.2 Operation Procedure
5.3.3 Report Examples
5.4 Configuring Traffic QoS
5.4.1 Overview
5.4.2 Configuration Procedure
5.4.3 Typical Configuration Example (Link, Rate Limiting, and Taking Effect as Planned)
5.4.4 Typical Configuration Example (Link, Priority Mark)
5.4.5 Typical Configuration Example (Link, Number of Connections Control)
5.4.6 Typical Configuration Example (Link, Rate Limiting, and Pass)
5.4.7 Typical Configuration Example (Link, Priority Mark, and Not Remark)
5.4.8 Typical Configuration Example (Virtual Tunnel, Rate Limiting)
5.4.9 Typical Configuration Example (Link and Virtual Tunnel, Rate Limiting)
5.4.10 Typical Configuration Example (Subscriber, Rate Limiting)
5.4.11 Typical Configuration Example (Subscriber, Throttling)
5.4.12 Typical Configuration Example (Subscriber, Strict Priority)
5.4.13 Typical Configuration Example (Subscriber, WFQ)
5.4.14 Typical Configuration Example (VIC, Rate Limiting)
5.4.15 Policy Priority Description
5.4.16 Reference
5.5 Configuring Congestion Detection and Control
5.5.1 Overview
5.5.2 Configuration Flow
5.5.3 Typical Configuration Example for Controlling Link Congestion
5.5.4 Typical Configuration Example for Controlling NE Traffic Congestion
5.5.5 Typical Configuration Example for Controlling Subscriber Traffic When the Link Is Congested
5.5.6 Checking the Congestion Status and Logs
5.6 Implementing Traffic Direction Statistics
5.6.1 Overview
5.6.2 Configuration Procedure
5.6.3 Operation Procedure
5.6.4 Report Examples (Between One Link or Link Group and One AS Domain Group)
5.6.5 Report Examples (Between One AS Domain Group and Another AS Domain Group)
5.6.6 Report Examples (Between One Subnet and One AS Domain Group, Between One Subnet and Another Subnet)
6 FUP Service
6.1 About the FUP Service
6.2 Configuring the FUP Service (Interworking with the PCRF)
6.2.1 Overview
6.2.2 Configuration Procedure
6.2.3 Typical Configuration Example 1 (Predefined Rule, Total Traffic)
6.2.4 Typical Configuration Example 2 (Predefined Rule, Service Traffic)
6.2.5 Typical Configuration Example 3 (Predefined Rule, Quota Being Collected by Total Traffic but Controlled by Service)
6.2.6 Typical Configuration Example 4 (Predefined Rule, Free Quotas for Certain Web Sites)
6.2.7 Typical Configuration Example 5 (Predefined Rule, Limited Free Quotas for Certain Web Sites)
6.2.8 Typical Configuration Example 6 (Predefined Rule, Roaming Quota Control)
6.2.9 Typical Configuration Example 7 (Dynamic Rule, Total Traffic)
6.2.10 Typical Configuration Example 8 (Dynamic Rule, Service Traffic)
6.3 Manually Adjusting Surplus Quotas (Interworking with the PCRF)
7 Charging Service
7.1 About the Charging Service
7.2 Configuring the Charging Service
7.2.1 Overview
7.2.2 Configuration Procedure
7.2.3 Typical Configuration Example 1 (Online Charging by Traffic)
7.2.4 Typical Configuration Example 2 (Online Charging by Duration)
7.2.5 Typical Configuration Example 3 (Online Charging by Traffic and Duration)
7.2.6 Typical Configuration Example 4 (Online Charging by Traffic and Roaming)
7.2.7 Typical Configuration Example 5 (Online Charging by Traffic, Traffic of Certain Protocols and Web Sites Is Free of Charge)
7.2.8 Typical Configuration Example 6 (Comprehensive Charging, Charging for the Basic Service and Value-added Services)
7.2.9 Typical Configuration Example 7 (Online Charging by Traffic, Providing the FUP Function)
7.2.10 Typical Configuration Example 8 (Charging Redirection, Obtaining User's Quota Credit Status from the RADIUS Server)
7.2.11 Typical Configuration Example 9 (Online Charging by Traffic, Online-to-Offline Charging in Case of Faults)
7.2.12 Typical Configuration Example 10 (Offline Charging)
7.2.13 Typical Configuration Example 11 (Online/Offline Charging)
9 GreenNet Service
9.1 About the GreenNet Service
9.2 Configuring the GreenNet Service
9.2.1 Overview
9.2.2 Configuration Procedure
9.2.3 Typical Configuration Example (Subscriber, Interworking with the RM9000)
9.3 Querying GreenNet Reports
9.3.1 Overview
9.3.2 Operation Procedure
9.3.3 Report Examples
11 SmartBrowser Service
15 Anti-Spammer Service
15.1 About the Anti-Spammer Service
15.2 Configuring the Anti-Spammer Service
15.2.1 Overview
15.2.2 Configuration Example 1 (Detection from the Network Layer to the Transport Layer)
15.2.3 Configuration Example 2 (Detection from the Network Layer to the Application Layer)
15.2.4 Parameter Description
16 Anti-DDoS Service
16.1 About the Anti-DDoS Service
16.2 Configuring the Anti-DDoS Service
16.2.1 Overview
16.2.2 Typical Configuration Example
16.2.3 Parameter Description
16.3 Querying Anti-DDoS Reports
16.3.1 Overview
16.3.2 Operation Procedure
16.3.3 Report Examples
17 Anti-Botnet Service
17.1 About the Anti-Botnet Service
17.2 Configuring the Anti-Botnet Service
17.2.1 Overview
17.2.2 Typical Configuration Example 1 (Subscribers)
17.2.3 Typical Configuration Example 2 (VICs)
17.3 Querying Anti-Botnet Reports
17.3.1 Overview
17.3.2 Operation Procedure
17.3.3 Report Examples
18 Anti-Worm Service
18.1 About the Anti-Worm Service
18.2 Configuring the Anti-Worm Service
18.2.1 Overview
18.2.2 Typical Configuration Example 1 (Links)
18.2.3 Typical Configuration Example 2 (Subscribers)
18.2.4 Typical Configuration Example 3 (VICs)
18.3 Querying Anti-Worm Reports
18.3.1 Overview
18.3.2 Operation Procedure
18.3.3 Report Examples (Subscribers)
18.3.4 Report Examples (VICs)
18.3.5 Report Examples (Links)
19 Security Service
19.1 About the Security Service
19.2 Configuring Security Service
19.2.1 Overview
20 iPush
20.1 Getting Started
20.1.1 Login Mode
20.1.2 System Overview
20.1.3 Configuration Flow
20.2 Permission Management
20.2.1 Introduction to System Permissions
20.2.2 Configuring a Role
20.2.3 Configuring an Administrator
20.2.4 Setting the Login IP Address Segment
20.2.5 Managing Online Administrators
20.2.6 Configuring Push Effect-Checking Permission
20.2.7 Configuration Examples
20.3 System Management
20.3.1 Configure Information Server
20.3.2 Setting System Security
20.3.3 Configuring Test URLs
20.3.4 Viewing Server Performance
20.3.5 Viewing a Log
20.3.6 Viewing an Alarm
20.4 Service Management
20.4.1 Configuration Flow
20.4.2 Configuring Area Mapping
20.4.3 Configuring Area Policy
20.4.4 Configuring the Information Audience
20.4.4.1 Configuring the Terminal User Group
20.4.4.2 Configuring the Whitelist User Group
20.4.4.3 Configuring the Whitelist Web Site
20.4.4.4 Configuring the Notify Rule
20.4.5 Configuring the Information Category
20.4.6 Configuring Information
20.4.7 Viewing the Information Schedule
20.4.8 Configuring a Policy
20.4.9 Auditing a Policy
20.4.10 Configuration Examples
20.4.10.1 Example for Pushing Information to All Terminal Users in the Specified Area
20.4.10.2 Example for Pushing Information to Terminal User Groups in the Specified Area
20.4.10.3 Example for Pushing Information to the Specified Synchronization User Group
20.4.10.4 Example for Pushing Information to the Specified Attribute Group
20.4.10.5 Example for Not Pushing Information to the Specified Terminal User
20.4.10.6 Example for Pushing Fee Information to Terminal Users
20.5 Report Management
20.5.1 Push Effect Statistics...........................................................................................................................922
20.5.2 Push Details........................................................................................................................................926
20.5.3 Background Exporting Details............................................................................................................928
20.6 Appendix......................................................................................................................................................928
20.6.1 Making the Fee Information Page.......................................................................................................928
20.6.2 Description of the Conflicting Mechanism.........................................................................................929
20.6.3 Changing an Account Password..........................................................................................................929
21 Report Management
21.1 About Report Management
21.2 Configuring the Report Storage Cycle
21.3 Managing Predefined Analysis Objects
21.4 Managing Timed Task Reports
21.5 Managing Background Task Reports
21.6 Managing Customized Reports
21.7 Managing the Protocol Colors of Reports
21.8 Exporting Configuration Data
22 System Management
22.1 Managing Flow Classifications and Flow Classification Items
22.1.1 Overview
22.1.2 Operation Procedure
22.1.3 Typical Configuration Example 1
22.1.4 Typical Configuration Example 2
22.1.5 Parameter Description
22.2 Managing System Accounts and Permissions
22.2.1 Overview
22.2.2 Configuration Procedure
22.2.3 Typical Configuration Example
22.3 Managing Basic System Parameters
22.3.1 Operation Procedure
22.3.2 Parameter Description
22.4 Managing the Alarm Address
22.5 Managing the Dynamic Alarm
22.6 Managing the Knowledge Base
22.6.1 Overview
22.6.2 Operation Procedure
22.6.3 Typical Configuration Example (Customized DPI Signature File, Traffic on the Specified Web Site)
22.6.4 Typical Configuration Example (Customized DPI Signature File, MP3 Online Music Traffic on the Specified Web Site)
22.6.5 Parameter Description of the Customized DPI Signature File
22.7 Managing Operation Logs
23 FAQs
23.1 Using the Firefox Browser, How Can I Set the Disk Location for Saving the Exported Template?
23.2 How to troubleshoot the fault that navigation nodes in the directory cannot be expanded, when the user uses the Firefox browser to open the Help system?
23.3 What if the exporting through the IE browser fails in certain OSs?
23.4 What are the conversion relations of traffic units and rate units in this document?
23.5 When I use the Firefox browser, the texts on the page are incomplete or the layout is improper. What should I do?
23.6 How to Set the Priority of a Policy Item?
1 Quick Start
This chapter describes the basic concepts, operations, and fast service deployment procedure of the SIG, and helps new users understand the system in a short time and master basic operations and flows quickly.
Service List
The SIG adopts multiple patented detection technologies. It provides high-performance analysis and processing of service packets and offers intelligent and flexible means of service control. The SIG provides the following services:
- Traffic management
  Traffic management is the basic service of the SIG. Through the traffic management service, the SIG can monitor traffic and traffic direction on the network through reports, and implement QoS management on traffic and traffic direction.
- FUP
  Through the FUP service, the SIG can limit the bandwidths of monthly-fee subscribers. When subscribers exceed a certain quota, their bandwidths are minimized. In this way, the FUP services of wireless and fixed network subscribers are implemented.
- Charging
  Through the charging service, the SIG provides protocol-/application-specific charging for carriers, so that they can adopt different charging policies for various services and realize refined charging.
- URL filtering
  Through the URL filtering service, the SIG adopts different control policies (such as alarm and block) for various URL categories. It filters out malicious URLs, providing healthy and secure network environments for users.
- GreenNet
  Also called parental control. Through the GreenNet service, the SIG provides healthy, secure, and civilized network environments and access content for users subscribing to the service.
- Traffic mirroring/diversion
  Specific network traffic (such as email, VoIP, P2P, and HTTP video traffic) that attracts user attention is mirrored (copied and forwarded) by the SIG. The traffic is then saved in a third-party system, which further analyzes or caches it. Alternatively, the traffic is diverted (forwarded directly) by the SIG to a third-party system. After processing, the third-party system injects the traffic into the network through the SIG.
- SmartBrowser
  SmartBrowser provides DNS error correction and HTTP error correction, offering error correction prompts and security defense for subscribers' online behaviors.
- DNS overwriting
  The DNS overwriting service monitors the response packet from the DNS server. If the SIG identifies that the packet matches the DNS overwriting list, it forges a DNS response packet to redirect the DNS request to the specified destination IP address in the DNS overwriting list.
- Smart Advertising Interface
  Through the Smart Advertising Interface service, the SIG can filter packets according to their HTTP packet header attributes, and mirror the HTTP packets that meet the conditions to the third-party system. The third-party system then analyzes users' online behaviors in depth and pushes advertisements to specific users.
- VoIP monitoring
  Through the VoIP monitoring service, the SIG interferes with or blocks the VoIP calls from intranets to extranets or from extranets to intranets by means of the blacklist and whitelist. You can also learn the running status of the VoIP monitoring service by querying reports, including call detail record statistics and control logs.
- Anti-Spammer
  Through the Anti-Spammer service, the SIG detects and controls spammers on the network, with monitoring measures including Detection, Alarm, Evidence Collection, Block, and Limit.
  Spam, also called Unsolicited Commercial Email (UCE) or Unsolicited Bulk Email (UBE), is sent in large volumes without the receivers' consent. Most spam consists of commercial advertisements and adverse media. A spammer is a sender of spam.
- Anti-DDoS
  Through the Anti-DDoS service, the SIG provides the subnet-based Anti-DDoS function and the report query on the traffic statistics before and after cleaning.
  A Denial of Service (DoS) attack renders the attacked computer or network unable to provide normal services. In a Distributed Denial of Service (DDoS) attack, the attacker uses viruses, Trojan horses, or badware to control a large number of zombies and combines multiple computers into an attack platform that launches DoS attacks on one or more targets, thus multiplying the attack strength.
- Anti-Botnet
  Through the Anti-Botnet service, the SIG detects and controls Botnet traffic, providing secure network environments for users.
  A Botnet is a network in which a controller infects many hosts with malicious bot programs by one or more means. The controller and the zombies form a one-to-many control network.
- Anti-Worm
  Through the Anti-Worm service, the SIG detects and controls worm-infected network traffic, providing secure network environments for users.
  A worm is a self-spreading program. This program, which contains malicious code, can spread itself to other PCs without manual intervention. The defining feature of worms is their self-replication.
- Security Service
  Through the security service, the SIG filters out malicious URLs for users subscribing to the service.
NOTE
In addition to the preceding services, the SIG also provides the iPush service. For details, see HUAWEI SIG9800 Service Inspection Gateway iPush Configuration Guide.
System Composition
As shown in Figure 1-1, the SIG consists of the Front End and the Back End.
[Figure 1-1: deployment diagram with the External Network, Router1 to Router4, a switch, the Front End, the Back End, and the Internal Network]
The following describes the Front End and the Back End:
- Front End
  The Front End is the SIG9800. The SIG9800 is developed on Huawei's mature, high-end router hardware platform. With flexible policies, the SIG9800 controls traffic on high-density, large-capacity interfaces (10G or 2.5G POS, and 10GE). The SIG9800 can meet the requirements of the DPI solution for 2000 Gbit/s link bandwidth and 10 million users.
- Back End
  The Back End consists of server groups running the SIG software, and can mount storage devices. For example, the Back End can be composed of the T8000 server running the SIG software and the mounted S2600 disk array.
In the deployment, one back-end device and multiple front-end devices can be installed concurrently. These front-end devices form a cluster.
Figure 1-2 shows the system structure and the processing flow of the SIG.
NOTE
In practice, certain components are deployed in accordance with service requirements. For details, refer to
the HUAWEI SIG9800 Service Inspection Gateway Software Installation Guide.
[Figure 1-2: diagram with Back End software components and Front End boards (LPU, SPU, MPU) along the network traffic path]

|  | Component | Function |
|---|---|---|
| Front End | Service Splitting Platform (SSP) | The SSP, on the LPU, diverts traffic to different Service Probe Systems (SPSs) according to the IP addresses of packets. In addition, the SSP receives the configuration commands delivered by the Operation Maintenance Center (OMC) and implements traffic diverting policies accordingly. |
|  | SAS | The SAS, on the SPU, collects the data reported by the SPS, reports the data to the DAS, and makes decisions based on the configuration policy obtained from the PLS. If control is necessary, the SAS delivers a control policy to the SPS. Then the SPS analyzes and controls the traffic of user accounts based on the user-IP mapping reported by the RADIUS proxy server. |
| Back End | RADIUS Proxy Server | The RADIUS proxy server obtains and caches user online and offline information, mappings between user accounts and IP addresses, user attributes, and change events (for example, roaming), and then sends them to the SAS. |
|  | Policy Server (PLS) | The PLS obtains the corresponding policy information from the DB according to the policy request from the SAS, and then delivers the policy to the SAS. |
|  | Data Analysis Server (DAS) | The DAS collates the data reported by several SASs and SPSs, and writes them into the database to support report generation. |
|  | System General Management Server (SGMS) | The SGMS monitors the running status of all back-end components in the SIG system. |
|  | User Interface (UI) | The UI provides users with the unified graphic user interface (GUI) to manage policies and query reports. In addition, the UI provides other functions such as administrator authentication, user authorization, and system audit. |
|  | Update Server | The update server provides the automatic upgrade of the DPI protocol signature file and malware (such as worm and Botnet) signature file. |
|  | URL Category Server (UCS) | The UCS consists of the URL Category Searching Server (UCSS) and the URL Category Database (UCDB), and is primarily used for querying URL categories. |
|  | Business Interface Server (BIS) | The BIS provides interfaces for policy subscription, log query, and user management, and these interfaces can be invoked by third-party systems, for example, the portal of customers. |
|  | Dynamic Scan Engine (DSE) | The DSE analyzes URLs in the HTTP request packets in real time, detects whether malicious behaviors are contained in the accessed URLs, including malicious URLs and malware, and sends the detection result to the SPS. |
|  | Extractive Transition Loading (ETL) | The ETL server processes the data reported by multiple DASs, and then writes the data to the database. |
|  | Element Management System (EMS) | The EMS, as an internal NMS of the SIG, mainly manages devices and systems, and tracks messages. |
Apart from the components in Figure 1-2 and Table 1-1, the Back End of the SIG system includes several service-related components, as shown in Table 1-2.
| iPush service | Information Server | Information Server: provides the contents of the pushed information, and confirms and records the push result. |
Prerequisites
The login requires a management PC and an RS-232 cable:
- The management PC should have a COM port, and its operating system (OS) should include HyperTerminal or another terminal emulation program.
- One connector of the RS-232 cable is RJ-45, and the other is DB-9.
Context
Besides the console port, which is the basic login mode, the SIG supports login through Telnet, SSH, and the AUX port of the MPU. For details on other login modes, refer to the HUAWEI SIG9800 Service Inspection Gateway Commissioning Guide.
NOTE
Procedure
Step 1 Insert the DB-9 connector into the COM port and the RJ-45 connector into the console port of
the MPU.
Generally, the SIG has two MPUs. The MPU whose ACT indicator is on (green) is the master MPU, and the MPU whose ACT indicator is off is the backup MPU. Insert the RJ-45 connector into the console port of the master MPU.
Step 2 Run the terminal emulation program (such as the HyperTerminal on Windows XP) on the PC.
Choose Start > All Programs > Accessories > Communications > Hyper Terminal. The
Connection Description dialog box is displayed.
Step 3 In Name, enter a name (such as COMM1) for the connection between the PC and the SIG, as
shown in Figure 1-3.
Figure 1-3 Connection Description dialog box (login through a console port)
Step 4 Click OK. The Connect To dialog box is displayed, as shown in Figure 1-4.
Step 5 Select a serial port (such as COM1) from the Connect Using drop-down list for the connection
between the PC and the SIG, as shown in Figure 1-4.
If you are not sure which interface is in use, check Ports in the Device Manager of the OS.
Step 7 Set the communications parameters of the port, as shown in Figure 1-5.
Figure 1-5 Setting the port properties (login through a console port)
If the system indicates that the login failed because you are connected to the backup MPU, remove the RJ-45 connector and insert it into the console port of the other MPU, and then enter the user name and password in the HyperTerminal window.
The system has a super administrator account. The default account name is admin and the initial password is Admin@123. To ensure system security, you are advised to run the following commands to change the password.
<RPD_OMC> system-view
[RPD_OMC] aaa
[RPD_OMC-aaa] local-user admin password simple Password1
Figure 1-6 shows the interface for logging in to the Back End.
----End
Prerequisites
The IP address of the current user is one of those IP addresses allowed to log in to the Back End.
NOTE
By default, the IP addresses between 1.0.0.0 and 223.255.255.255 can access the Back End. To modify the range, see 22.3 Managing Basic System Parameters.
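To see how much the default login range in the note above admits compared with the networks that actually administer the Back End, the following added Python example (not part of the Huawei guide) does the address arithmetic offline. The administrator networks are constructed sample values, and treating the setting as one start-end range is an assumption based on the note's wording.

```python
"""Audit a Back End login address range against the networks that need access.

Added example: pure address arithmetic, it does not connect to the SIG.
"""
import ipaddress

# Default Back End login range as stated in the guide's note.
DEFAULT_FIRST, DEFAULT_LAST = "1.0.0.0", "223.255.255.255"

# Constructed sample values (assumption): networks of the administrators' PCs.
ADMIN_NETS = ["192.168.11.0/24", "10.20.0.0/28"]

# RFC 1918 private blocks; any other address in the range counts as non-private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _overlap(lo, hi, net):
    """Number of addresses shared by the integer range [lo, hi] and a network."""
    start = max(lo, int(net.network_address))
    end = min(hi, int(net.broadcast_address))
    return max(0, end - start + 1)


def audit_login_range(first, last, admin_nets):
    """Summarise what a start-end login range allows.

    Returns a dict with the size of the range, its CIDR decomposition, how many
    allowed addresses are non-private, how many are outside every administrator
    network, and which administrator networks the range would lock out.
    """
    lo_addr = ipaddress.IPv4Address(first)
    hi_addr = ipaddress.IPv4Address(last)
    if lo_addr > hi_addr:
        raise ValueError("range start is above range end")
    lo, hi = int(lo_addr), int(hi_addr)
    size = hi - lo + 1

    # Merge overlapping or adjacent admin networks so no address is counted twice.
    admins = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(n) for n in admin_nets))

    private = sum(_overlap(lo, hi, n) for n in RFC1918)
    needed = sum(_overlap(lo, hi, n) for n in admins)
    # An admin network is locked out if any part of it falls outside the range.
    locked_out = [str(n) for n in admins
                  if _overlap(lo, hi, n) < n.num_addresses]

    return {
        "address_count": size,
        "share_of_ipv4": size / 2**32,
        "cidrs": [str(n) for n in
                  ipaddress.summarize_address_range(lo_addr, hi_addr)],
        "non_private_count": size - private,
        "excess_count": size - needed,
        "locked_out": locked_out,
    }


if __name__ == "__main__":
    candidates = [
        ("default range", DEFAULT_FIRST, DEFAULT_LAST),
        ("tightened range", "192.168.11.0", "192.168.11.255"),
    ]
    for label, first, last in candidates:
        report = audit_login_range(first, last, ADMIN_NETS)
        print(f"{label}: {first} - {last}")
        print(f"  addresses allowed    : {report['address_count']}"
              f" ({report['share_of_ipv4']:.1%} of IPv4)")
        print(f"  equivalent CIDRs     : {', '.join(report['cidrs'])}")
        print(f"  non-private allowed  : {report['non_private_count']}")
        print(f"  outside admin nets   : {report['excess_count']}")
        print(f"  admin nets locked out: {report['locked_out'] or 'none'}")
```

A non-empty `locked_out` list means the candidate range would cut off an administrator network, so check it before applying a narrower range.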
Context
You can log in to the Back End through Firefox 3, IE 6, IE 7, or IE 8. For a better experience, you are recommended to log in through the Firefox browser.
The default account name is admin and the initial password is Admin@123. To ensure system security, you are advised to change the password upon your first login.
Procedure
Step 1 Enter the address of the Back End in the Web browser. Press Enter.
For example, if the IP address of the UI is 192.168.11.11, the login address is "https://192.168.11.11/dpi-ui".
NOTE
Depending on the current environment, the system may display a prompt such as an alarm. You can take the corresponding action or ignore the alarm, as shown in Figure 1-7.
Step 2 Select your preferred language from the Language drop-down list. Enter the Account, Password, and Check Code.
Step 3 Click Login. The GUI homepage is displayed.
----End
Prerequisites
You have already logged in.
Procedure
Step 1 Click Change Password on the upper right of the GUI. The Change Password dialog box is
displayed.
Step 2 In the Change Password dialog box, enter the new password and the old password.
Step 3 Click OK. The system prompts you that the operation succeeds.
NOTE
For details on system accounts and permissions, or how to change the login passwords of other users, see
22.2 Managing System Accounts and Permissions.
----End
Prerequisites
You have already logged in.
Procedure
Step 1 Click Logout on the upper right of the GUI. The dialog box for confirming the logout is
displayed.
----End
[Figure: GUI layout, with the labels "Navigation tree" and "Working area"]
| Function tab | The operator can concurrently open several function tabs, and switch tabs. NOTE: When you open multiple tabs concurrently, press F5 or click the Refresh button on the browser. The system closes all tabs and displays the GUI homepage. |
| Working area | The working area is used for implementing configuration and management functions. |
| Installation and commissioning engineer | Implements the hardware and software installations, and initializes the configurations of various services provided by the SIG. |
| Data configuration engineer | Queries various reports to obtain the running status of services, adjusts service configurations, and hence realizes refined network operation through service visualization. |
| System maintenance engineer | Manages and maintains the SIG, and ensures the secure and stable running of the SIG. |
| 3 Preparations for Service Configuration | Installation and commissioning engineer | Ensures that the Front End and Back End are installed correctly and run normally, thus facilitating successful configurations of services. |
| 4 Subscriber and Network Object Initialization | Installation and commissioning engineer; Data configuration engineer | Configures and manages links, virtual tunnels, subscribers, very important customers (VICs), AS domain groups, and subnets. |
| 12 DNS Overwriting Service | Installation and commissioning engineer; Data configuration engineer | Configures and applies DNS overwriting. The DNS overwriting service monitors the response packet from the DNS server. If the SIG identifies that the packet matches the DNS overwriting list, it forges a DNS response packet to redirect the DNS request to the specified destination IP address in the DNS overwriting list. |
| 14 VoIP Monitoring Service | Installation and commissioning engineer; Data configuration engineer | Configures and applies VoIP monitoring, and learns the running status of VoIP monitoring through reports. |
| 16 Anti-DDoS Service | Installation and commissioning engineer; Data configuration engineer | Configures and applies Anti-DDoS, and learns the running status of Anti-DDoS through reports. |
| 17 Anti-Botnet Service | Installation and commissioning engineer; Data configuration engineer | Configures and applies Anti-Botnet, and learns the running status of Anti-Botnet through reports. |
| 18 Anti-Worm Service | Installation and commissioning engineer; Data configuration engineer | Configures and applies Anti-Worm, and learns the running status of Anti-Worm through reports. |
| 19 Security Service | Installation and commissioning engineer; Data configuration engineer | Configures and applies security service, and learns the running status of security service through reports. |
| Preparations for Service Configuration | 3.2 Checking the Status of the Front End and Back End | To ensure that the Front End and Back End are installed correctly and run normally, which guarantees successful configurations of services. |
| Traffic Management | 5.2 Querying Traffic Reports | To query the traffic reports of links, subscribers, and VICs. |
| FUP | 6.2 Configuring the FUP Service (Interworking with the PCRF) | To configure and apply the FUP service when the SIG interworks with the PCRF (take the UPCC as an example). |
| URL Filtering | 8.2 Configuring the URL Filtering Service | To configure and apply URL filtering. |
|  | 14.3 Querying VoIP Reports | To query VoIP reports, and accordingly learn the status of this service. |
|  | 16.3 Querying Anti-DDoS Reports | To query DDoS reports, and accordingly learn the status of this service. |
|  | 17.3 Querying Anti-Botnet Reports | To query Botnet reports, and accordingly learn the status of this service. |
|  | 18.3 Querying Anti-Worm Reports | To query worm reports, and accordingly learn the status of this service. |
| Report Management | 21.2 Configuring the Report Storage Cycle | To globally adjust storage periods of the report data. |
|  | 21.7 Managing the Protocol Colors of Reports | When displaying reports, the SIG can automatically set protocol colors. To manually adjust protocol colors, you should perform this task. |
| System Management | 22.1 Managing Flow Classifications and Flow Classification Items | Flow classification item and flow classifications are used to identify the traffic according to features. A flow classification item can be defined as a combination of conditions that contain the application-layer protocol, network side IP address, L3 and L4 protocol attributes. One or more flow classification items can form a flow classification. Perform the task when you need to quote the customized flow classifications in defining policy packages or report the traffic data according to the customized flow classifications. |
|  | 22.6 Managing the Knowledge Base | To set the parameters for automatically updating the DPI protocol signature file, malware signature file, and URL Category Database. |
This flow chart only lists the tasks to be completed during the fast deployment of major services. For the
tasks that are not involved in the flow chart, see 1.5.2 List of Tasks.
[Flow chart: Start; Initialize the service object; Configure the service (available services: traffic management, FUP, URL filtering, etc.); End]
| 3 Preparations for Service Configuration | Check whether the Front End and Back End are installed correctly and run normally, which facilitates the successful configurations of services. |
| 4 Subscriber and Network Object Initialization | Configure and manage links, virtual tunnels, subscribers, VICs, AS domain groups, and subnets, which guarantees the successful configurations of services. |
| Configure certain services | Initialize the configurations of the services to which the carrier subscribes one by one. The SIG provides the following services: 5 Traffic Management Service; 6 FUP Service; 7 Charging Service; 8 URL Filtering Service; 9 GreenNet Service; 10 Traffic Mirroring/Diversion Service; 11 SmartBrowser Service; 12 DNS Overwriting Service; 13 Smart Advertising Interface Service; 14 VoIP Monitoring Service; 15 Anti-Spammer Service; 16 Anti-DDoS Service; 17 Anti-Botnet Service; 18 Anti-Worm Service; 19 Security Service |
This section briefly describes the navigation nodes in the GUI navigation area from top to bottom and provides links to the corresponding Help topics.
Terminal Information Signature File
HTTP Content Type Signature File
Subscriber Area Dynamic Alarm Management
VIC Area Dynamic Alarm Management
Alarm and Charging Whitelist Management
- You can add some Web sites to the alarm and charging whitelist. When the user's credit is inadequate or exhausted, the user can still access URLs in the whitelist normally and is not redirected to the alarm Web site.
- To exempt some Web sites (such as the recharge Web site) from charging, add the URLs to the alarm and charging whitelist.
| Access Control | URL Filter | 8.2 Configuring the URL Filtering Service |
Analysis Object
Predefined by VIC
Component Configuration
Preparations for service configuration ensure that the Front End and Back End are installed correctly and run normally, which facilitates successful configurations of services.
3.2 Checking the Status of the Front End and Back End
Before configuring services, check the status of the Front End and Back End.
NOTE
If other personnel or another method has confirmed that the system runs normally, you can skip some or all of the following check items.
If anomalies are discovered during the check, rectify the faults before configuring services. For how to rectify faults, refer to the HUAWEI SIG9800 Service Inspection Gateway Troubleshooting; for how to install and initialize the SIG, refer to the HUAWEI SIG9800 Service Inspection Gateway Hardware Installation Guide, HUAWEI SIG9800 Service Inspection Gateway Software Installation Guide and HUAWEI SIG9800 Service Inspection Gateway Commissioning Guide.
Figure 3-1 Procedure for checking the status of the Front End and Back End
[Flow chart; surviving labels: Start, Check the cluster status, End]
Table 3-1 Procedure description of checking the status of the Front End and Back End
Action | Description
Check the cluster status | Run the display dpi-node cluster state command to check the cluster status.
Check the basic configurations of a device | Run the display dpi-node basic-configuration and display dpi-node spu state commands to check the basic configurations, such as the working mode and information about LPU, SPU, SAS, and SPS.
Check the status of the network interface and link | Run the display dpi-node link local-configuration command to check link configurations and the status of each link and network interface.
Check the license information of the Front End | Run the display dpi-node license command to display the activated service list, and check whether the activated services meet the requirements of current services.
Check the connectivity between the Front End and Back End | Run the ping command to check the connectivity between back-end devices and the OMC, SAS, and SPS. TIP: When you run the display dpi-node sas run-info command, if the status of the DAS and PLS is displayed as U, it indicates that the communication between the SAS and back-end components (DAS and PLS) is normal, and accordingly you can roughly determine that the Front End and Back End can communicate with each other; if the status of the DAS and PLS is displayed as D, it indicates that the communication between the SAS and back-end components (DAS and PLS) is abnormal or other faults occur (for example, the incorrect settings of the IP addresses of the DAS and PLS).
Check the running status of each back-end component (through front-end commands) | Run commands on the Front End to check the settings of the IP addresses of back-end components, and the running status of these components. For example, run the display dpi-node policy-server state command to check the running status of the PLS. If you discover that a certain component is running abnormally, check whether the IP address of the component is correctly specified on the Front End, and whether back-end software is correctly installed and runs normally. For how to rectify the fault, refer to the HUAWEI SIG9800 Service Inspection Gateway Troubleshooting.
Check alarms | Check whether any critical or major alarms exist. If yes, proceed according to the information displayed on the alarm page. Operation page: Log in to the EMS GUI, choose Alarms > Alarm Management > Current Alarms.
Check the IP address of the OMC | Check whether the IP address of the OMC is specified. Operation page: In the navigation tree, choose System Management > System Configuration > Component Configuration. If you discover that a certain component is running abnormally, check whether back-end software is correctly installed and runs normally. For how to rectify the fault, refer to the HUAWEI SIG9800 Service Inspection Gateway Troubleshooting.
Check the DPI signature file | Check whether the DPI signature file is imported. Operation page: In the navigation tree, choose Basic Configuration > Signature File Management > Customized DPI Signature File.
Check the real-time link traffic | Check the reports of the real-time link traffic to confirm that the SIG can monitor the IP traffic on the network. Operation page: In the navigation tree, choose Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Real-Time Traffic.
Prerequisites
The installation and initialization of the Front End and Back End are implemented according to
the actual networking requirement and installation documents, such as the HUAWEI SIG9800
Service Inspection Gateway Hardware Installation Guide, HUAWEI SIG9800 Service
Inspection Gateway Software Installation Guide and HUAWEI SIG9800 Service Inspection
Gateway Commissioning Guide.
Context
As shown in Figure 3-2, DPI A is the master SIG and DPI B is the backup SIG. They form a
cluster.
DPI A and DPI B are deployed in in-line mode. DPI A monitors the traffic between router A
and router C, and DPI B monitors the traffic between router B and router D.
Figure 3-2 Typical networking example of checking the status of the Front End and Back End
[Network diagram: External Network, Router A, Router B, the DPI System with DPI A and DPI B (interfaces GE3/0/1 and GE3/0/2), Switch1, Switch2, Back End, Router C, Router D, Internal Network]
NOTE
The following information may vary with the version of the SIG. Therefore, similar description is omitted.
To check the current version of the SIG, run the display version command.
Procedure
Step 1 Log in to the Front End of DPI A.
The status of DPI A and DPI B is Up, one is the master device, and the other is the backup
device, indicating that the cluster runs normally.
Step 3 Check the basic configurations of the device.
Check whether the specified slot number of the SPU tallies with the actual slot number, whether
the CPU locations and IP addresses of the SAS and SPS are specified, and whether the status of
the SAS and SPS is Normal.
<DPIA> display dpi-node basic-configuration
As the preceding output shows, the SPUs in slot 6, 7, and 8 are in normal state.
Check whether links are configured, and whether each link and network interface run normally.
<DPIA> display dpi-node link local-configuration
Local link configuration
------------------------------------------------------------------------------
U:Up, D:Down
------------------------------------------------------------------------------
According to the preceding output, the status of link 1 is Valid, and the status of GE 1/0/1 and
GE 1/0/2 is Up. This indicates that the link and network interfaces in this example run normally.
Run the display dpi-node license command to display the activated service list, and check
whether the activated services meet the requirements of current services. If yes, go to the next step; if no, reapply for
a license and import it.
Step 6 Check the connectivity between the Front End and Back End.
Run the ping command to check the connectivity between the Back End and the OMC, the SAS,
and the SPS. If the network is disconnected, troubleshoot your network faults; otherwise, go to
the next step.
Step 2 shows that the IP address of the OMC is 192.168.1.1; Step 3 shows that the IP addresses
of the SAS and SPS range from 192.168.6.10 to 192.168.6.13. During the check, you can ping
(for example, run the ping 192.168.1.1 command) these IP addresses from the Back End.
Check whether each component runs normally according to the list of components selected
during installation planning. If the status of each component is Up, it indicates that these
components run normally. In this case, go to next step. If the status is not Up, refer to the
HUAWEI SIG9800 Service Inspection Gateway Troubleshooting to troubleshoot faults.
In this example, the PLS, DAS, management server, and update server are installed on the Back
End. You should run the following commands:
<DPIA> display dpi-node policy-server state
<DPIA> display dpi-node data-analysis-server state
If no license record exists or the authorization information in the license record does not
match the current service, contact installation and commissioning engineers to apply for a
new license and import it. Otherwise, proceed to the next step.
If the traffic report is displayed normally, it indicates that the status of the Front End and
Back End is normal; otherwise, the status is abnormal, and you need to troubleshoot faults.
For how to troubleshoot faults, refer to the HUAWEI SIG9800 Service Inspection
Gateway Troubleshooting; for how to implement the installation and initialization on the
SIG, refer to the HUAWEI SIG9800 Service Inspection Gateway Hardware Installation
Guide, HUAWEI SIG9800 Service Inspection Gateway Software Installation Guide and
HUAWEI SIG9800 Service Inspection Gateway Commissioning Guide.
----End
3.2.3 Reference
This section describes common commands for checking the status of the Front End.
Table 3-2 Common commands for checking the status of the Front End
Item | Command
Display the service statistics of the SAS | display dpi-node sas slot slot-number cpu cpu-number statistics
For how to implement the installation and basic configurations on the Front End and Back End,
refer to the HUAWEI SIG9800 Service Inspection Gateway Hardware Installation Guide,
HUAWEI SIG9800 Service Inspection Gateway Software Installation Guide and HUAWEI
SIG9800 Service Inspection Gateway Commissioning Guide.
For other commands of the Front End, refer to the HUAWEI SIG9800 Service Inspection
Gateway Command Reference.
Through subscriber and network object initialization, you can configure and manage links,
virtual tunnels, subscribers, VICs, AS domain groups, and subnets.
This section describes how to configure the subnet. To configure a service to be applied to
subnets, you should perform this task first.
l Link
Refers to a physical link monitored by the SIG. For example, as shown in Figure 4-1, GE
2/0/0 is connected to the user side and GE 2/0/1 to the network side, and between GE 2/0/0
and GE 2/0/1 is a link.
[Figure 4-1: an LPU with interfaces GE2/0/0 and GE2/0/1 forming a link between Router A and Router B]
l Virtual tunnel
To identify and define the network traffic to be managed, the SIG supports the creation of
virtual tunnel objects by user attribute or stream attribute in addition to subscriber and
network objects such as subscribers, VICs, links, AS domain groups, and subnets.
The virtual tunnel can group data flows by dividing all data flows into multiple virtual
tunnels according to certain conditions and manage the virtual tunnels as independent links.
The conditions for grouping data flows include the IP quintuple, DSCP, VLAN, MPLS,
and link. In addition, users can be grouped according to the user area and dynamic attribute,
and the data flows of a group of users can be classified into virtual tunnels.
l Subscriber
Refers to a non-VIC, such as an ADSL dial-up user identified by an account ID, a user
identified by a fixed IP address, or a wireless user identified by International Mobile Station
Identification Code (IMSI) or Mobile Station International ISDN Number (MSISDN), as
shown in Figure 4-2.
l Very Important Customer (VIC)
Refers to a user consisting of multiple IP addresses or IP address segments, such as an
enterprise user, as shown in Figure 4-2. One IP address belongs to only one VIC.
[Figure 4-2: subscribers on the wireless access network and the broadband access network, and a VIC]
Table 4-1 shows the subscriber and network objects supported by the SIG.
Service | Object
FUP | Subscriber
Charging | Subscriber
SmartBrowser | Subscriber. NOTE: The SmartBrowser service can be applied to all customers in the local domain except VICs.
Anti-Spammer | Subscriber
Anti-DDoS | Subnet
In actual networking, if the service to be configured or applied is not subject to object types (such as the
subscriber, VIC, AS domain group, subnet, or a combination of them), installation and commissioning
engineers or data configuration engineers do not need to configure the subscriber and network objects of
a specific type. For example, in the networking of a carrier, only link-based traffic management and
subscriber-based GreenNet are required. In this case, the configuration of the VIC, AS domain group, or
subnet is not necessary.
4.2.1 Overview
This section describes several concepts related to the subscriber. You can implement many
functions by configuring the subscriber.
The related concepts of the subscriber are as follows:
l Area
Indicates the physical area. The system supports hierarchical management over areas.
During the system installation, the installation and commissioning engineer defines the area
level of subscribers upon the first login to the Back End. For subscribers, the system
supports up to five levels of areas.
Areas are organized in tree structure. When adding areas, data configuration engineers
should start from the root area, and then create a new area in the root area and a subarea in
the current area, gradually building an area system. Only one root area can be added.
l Customized attribute
Refers to customized subscriber attributes.
In addition to the defined area attribute, you can extend the subscriber attribute by adding
customized attributes.
In terms of the binding relationship between attributes and subscribers, customized
attributes are categorized into the following types:
– Static attributes
Refer to the attributes whose values are static, such as the gender, address, or zip code.
– Dynamic attributes
Refer to the attributes whose values are dynamic, such as the base station, cell, mobile
type, or browser type.
In terms of whether subscribers can be divided into finite groups, customized attributes are
categorized into the following types:
– Group attributes
These attributes, such as the service package, gender, base station, cell, mobile phone,
and browser, can categorize subscribers into finite groups.
If you need to view the report based on the value of the preceding attributes, select
Enable Statistics when adding group attributes.
– Non-group attributes
These categories, such as the address and postal code, can only be used to identify
subscribers.
Static attributes can be group or non-group attributes; all dynamic attributes are group
attributes.
l User group
Refers to a collection of one or more subscribers.
To easily manage subscribers in group mode, the system supports customizing the user
groups of subscribers. After adding one or more subscribers to a user group, you can
implement service policy control based on the user group.
By default, the system supports several user groups for specific services, such as the user
group for the VoIP blacklist. This document describes these user groups together with the
corresponding services.
Depending on how users are added, user groups fall into two types:
– General user group
Contains the users that are manually added or imported into the group.
– Heavy User group
Contains the Top N users in a certain area or according to other group attributes. The
data configuration engineer defines the query conditions, then the system can generate
and update the user groups between intervals automatically.
For example, you can define the top 10% users that use the largest amount of traffic in
each month as a Heavy User group.
With the configuration of the subscriber, the system can:
l Provide account management for subscribers
According to the requirements of account management, you can select one or multiple
management modes shown in Table 4-2.
Synchronizing with the FTP server | The SIG serves as the FTP client, realizing the automatic addition, modification, and deletion of subscriber accounts in batch by synchronizing with the FTP server. After the files containing the account synchronizing information are saved on the FTP server, the system can perform automatic synchronization periodically through this function. For details on the FTP interface, see HUAWEI SIG9800 Service Inspection Gateway Subscriber FTP Interface Description. | This mode is recommended. It is applicable to the scenario where a great volume of data requires batch synchronization, the FTP server for synchronization exists, and synchronization files need to be managed.
Account self-learning (Through the login and logout logs of subscribers) | After the function is enabled, the system automatically learns and adds subscriber accounts based on the account online information. In this mode, the account login information should pass through the RADIUS proxy. | The system automatically learns the account through the account login information. It is applicable to the scenario where the account cannot be directly obtained in other mode and the account login information passes through the RADIUS proxy.
Account self-learning (Through the policy request messages of subscribers) | After the function is enabled, the system extracts several user attributes (such as the MAC address) from the service traffic, and automatically adds the subscriber account. | It is applicable to the scenario where the RADIUS packets or the GTP-C signaling packets cannot be inspected. The system automatically learns the account by extracting several user attributes (such as the MAC address) from service traffic. It is applicable to the scenario where learnt user attributes are several, and either manual mode or batch import mode is employed.
NOTE
The system supports the scenario where multiple IP addresses (including the IPv4 and IPv6 addresses)
use one account being online at the same time. In such a scenario, each IP address independently
applies the complete control policy of the account. Detailed traffic statistics of each IP address can
be viewed in the real-time traffic report, whereas the traffic statistics of the account shown in other
reports are the data statistics collected from all the IP addresses.
l Manage multi-level subscriber areas and area-based data permission.
l Manage user groups, and customized attributes.
[Flowchart: Start; Is the customized attribute required? (Yes/No); Is the user group required? (Yes/No); Configure the user group; End]
Configure the area
    Add the area and assign data permission for the area of each level as required.
    Three types of data permissions are available:
    l Read
      If your account has this permission for an area, you can view the
      details about this area and its subareas.
    l Write
      If your account has this permission for an area, besides the read
      permission, you can add, modify, enable, disable, or delete this area
      and its subareas.
    l Authorize
      If your account has this permission for an area, besides the read
      and write permissions, you can assign data permissions for this area
      and its subareas.
    NOTE
    For the information about the permission control mechanism, see 22.2
    Managing System Accounts and Permissions.
    Operation page: In the navigation tree, choose Subscriber and
    Network Management > Subscriber > Area Management.
Add or import the subscriber
    Add or import the subscriber account to manage the account.
    Operation page: In the navigation tree, choose Subscriber and
    Network Management > Subscriber > Subscriber Management.
    When you add these subscribers by synchronizing the FTP server,
    synchronizing the SOAP interface or through account self-learning,
    the operation page also includes: In the navigation tree, choose System
    Management > System Configuration > External Interface
    Configuration.
Configure the user group
    In addition to applying policies to areas or other customized attribute
    groups, the SIG also supports applying policies to user groups.
    Therefore, if you cannot manage service objects according to
    attribute groups, add and configure user groups.
    Operation page: In the navigation tree, choose Subscriber and
    Network Management > Subscriber > User Group Management.
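The Read, Write and Authorize data permissions listed under "Configure the area" form an ordered model that is inherited by subareas. The following Python sketch is an added example, not Huawei code: the class, function and account names are hypothetical, the area names are taken from this guide, and it assumes that a grant on a subarea never reduces a broader grant inherited from a parent area. It computes the effective permission of an account on each area and lists grants that reach further than the account needs.

```python
from enum import IntEnum

MAX_AREA_LEVELS = 5  # the guide: up to five levels of areas for subscribers


class Perm(IntEnum):
    """Ordered so that each level includes the ones below it."""
    NONE = 0
    READ = 1        # view the area and its subareas
    WRITE = 2       # Read, plus add/modify/enable/disable/delete
    AUTHORIZE = 3   # Read and Write, plus assign data permissions


class AreaTree:
    """Hypothetical model of the area tree and its data permissions."""

    def __init__(self):
        self.parent = {}   # area name -> parent name (None for the root)
        self.grants = {}   # (account, area) -> Perm granted directly on that area

    def add_area(self, name, parent=None):
        if name in self.parent:
            raise ValueError(f"area {name!r} already exists")
        if parent is None:
            if self.parent:
                raise ValueError("only one root area can be added")
        elif parent not in self.parent:
            raise ValueError(f"unknown parent area {parent!r}")
        elif len(self.ancestry(parent)) >= MAX_AREA_LEVELS:
            raise ValueError(f"areas are limited to {MAX_AREA_LEVELS} levels")
        self.parent[name] = parent

    def ancestry(self, area):
        """Return [area, parent, ..., root]."""
        chain = []
        while area is not None:
            chain.append(area)
            area = self.parent[area]
        return chain

    def effective(self, account, area):
        """Highest permission granted on the area itself or on any ancestor.

        Assumption: a narrower grant on a subarea does not reduce a broader
        grant inherited from a parent area.
        """
        return max(self.grants.get((account, a), Perm.NONE)
                   for a in self.ancestry(area))

    def assign(self, actor, account, area, perm):
        """Record a grant only if the actor holds Authorize on that area."""
        if self.effective(actor, area) < Perm.AUTHORIZE:
            raise PermissionError(f"{actor} lacks Authorize on {area}")
        self.grants[(account, area)] = perm

    def excess(self, account, needed):
        """Least-privilege review.

        `needed` maps area -> Perm the account requires (absent means NONE).
        Returns every area where the effective permission is higher than that.
        """
        findings = {}
        for area in self.parent:
            have = self.effective(account, area)
            if have > needed.get(area, Perm.NONE):
                findings[area] = have
        return findings


def build_example():
    """Constructed data: area names are from the guide, accounts are made up."""
    tree = AreaTree()
    tree.add_area("Beijing")
    tree.add_area("Haidian", "Beijing")
    tree.add_area("Dongcheng", "Beijing")
    tree.grants[("admin", "Beijing")] = Perm.AUTHORIZE   # bootstrap grant
    tree.assign("admin", "haidian_ops", "Haidian", Perm.WRITE)
    tree.assign("admin", "report_viewer", "Beijing", Perm.READ)
    return tree


if __name__ == "__main__":
    tree = build_example()
    for account in ("haidian_ops", "report_viewer"):
        for area in tree.parent:
            print(account, area, tree.effective(account, area).name)
    # report_viewer only needs to read Haidian, but the grant sits on Beijing.
    print(tree.excess("report_viewer", {"Haidian": Perm.READ}))
```

Granting on the lowest area that covers the need keeps the inherited reach small: in the constructed data, the Read grant on Beijing also exposes Dongcheng, which the review function reports.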
Prerequisites
The following conditions should be met:
l 3.2 Checking the Status of the Front End and Back End is complete.
l The current user has the User and Network Management service permission and the data
permission for the areas to be managed.
Requirement Description
Requirements are as follows:
Procedure
Step 1 Log in to the Back End.
In the area list, select the area for which permissions are to be assigned. Click Assign Data
Authority. Assign the permission to each system account. Click OK.
Step 3 Add subscribers.
1. In the navigation tree, choose Subscriber and Network Management > Subscriber >
Subscriber Management.
2. Click Add. The Add Subscriber Information dialog box is displayed.
3. Set parameters according to Figure 4-5.
4. Click OK. The system returns to the previous page and displays a new record.
5. Repeat Step 3.2 to Step 3.4 to add another item with Subscriber ID as
111222333444777.
6. Click Add. The Add Subscriber Information dialog box is displayed.
7. Set parameters according to Figure 4-6.
8. Click OK. The system returns to the previous page and displays a new record.
9. Repeat Step 3.6 to Step 3.8 to add another item with Subscriber ID as Test2, as shown in
Figure 4-7.
----End
Prerequisites
The following conditions should be met:
l 3.2 Checking the Status of the Front End and Back End is complete.
l The current user has the User and Network Management service permission and the data
permission for the areas to be managed.
Context
In this example, the requirements are as follows:
Procedure
Step 1 Log in to the Back End.
Step 2 Configure the area.
1. In the navigation tree, choose Subscriber and Network Management > Subscriber >
Area Management.
2. Click Add, enter Beijing in Area Name, and then click OK.
3. Click Beijing in the area list. Click Add, and enter Zhongguancun in Area Name. Then
click OK as shown in Figure 4-8.
3. Click Dynamic IP Template to obtain the .xls template file. In the file, enter the account
information to be imported and save the operations, as shown in Figure 4-10.
4. In the Import Subscriber dialog box, click Browse to select the edited files. Click OK.
5. After the operation is complete, view the data processing results in the dialog box.
Step 4 Add a Heavy User group.
1. In the navigation tree, choose Subscriber and Network Management > Subscriber >
User Group Management.
2. Click Add.
3. Enter BeijingHeavyUser in User Group Name, and select Heavy User from the User
Group Type.
4. Set parameters according to Figure 4-11.
NOTE
By clicking the button to the left of Rule, you can expand or fold the group box.
Statistics Time is the time range before the execution of the task. It can be specified as any point in
time within the time range for queries and generations of the Heavy User. In this example, you can
set Statistics Time to be 1 day ago, or 20 days ago.
The hour value in Statistics Time is only valid when Data Granularity is set to Hour.
5. Click OK. The system returns to the previous page and displays a new record.
----End
Follow-up Procedure
At any time after 4:00 on the first day of each month, you can view the Heavy User list of last
month in the dialog box that is displayed after clicking Subscriber Information in the
BeijingHeavyUser line on the User Group Management page.
Prerequisites
The following conditions should be met:
l 3.2 Checking the Status of the Front End and Back End is performed.
l The current user has the User and Network Management service permission and the data
permission for the areas to be managed.
Context
In this example, the requirements are as follows:
add,accounts,8613800002222,111222333444555,Bob,Zhongguancun
...
NOTE
For details on the FTP synchronization interface, see HUAWEI SIG9800 Service Inspection Gateway
Subscriber FTP Interface Description.
Procedure
Step 1 Log in to the Back End.
Step 2 Configure the area.
1. In the navigation tree, choose Subscriber and Network Management > Subscriber >
Area Management.
2. Click Add, enter Beijing in Area Name, and then click OK.
3. Click Beijing in the area list. Click Add, and enter Zhongguancun in Area Name. Then
click OK as shown in Figure 4-12.
6. Click Close.
7. Click Start.
The system automatically synchronizes subscriber accounts from the FTP server
periodically. The default interval is three minutes.
----End
Prerequisites
The following conditions should be met:
l 3.2 Checking the Status of the Front End and Back End is performed.
l The current user has the User and Network Management service permission and the data
permission for the areas to be managed.
Context
In this example, the requirements are as follows:
Procedure
Step 1 Log in to the Back End.
Step 2 Configure the area.
1. In the navigation tree, choose Subscriber and Network Management > Subscriber >
Area Management.
2. Click Add, enter Beijing in Area Name, and then click OK.
3. Click Beijing in the area list. Click Add, and enter Zhongguancun in Area Name. Then
click OK as shown in Figure 4-14.
NOTE
The system provides the operation page for customized dynamic attributes. Customized dynamic
attributes are developed for customization, and can be enabled only after you contact Huawei
technical support personnel.
4. Click Import. The Import Dynamic Attribute Value dialog box is displayed.
5. Click Base station Template to obtain the excel template file. Then enter the information
to be imported in the file and save it.
6. In the Import Dynamic Attribute Value dialog box, click Browse and select the
previously edited file. Then click OK.
7. Click OK. The system returns to the previous page and the added entry is displayed.
8. Repeat Step 3.2 to Step 3.7. Add customized attribute Cell.
Step 4 Configure user information study.
1. In the navigation tree, choose System Management > System Configuration > External
Interface Configuration.
2. In the Account Self-learning group box, click Configure. The Account Self-learning
Configuration dialog box is displayed.
3. Select Through the login and logout logs of subscribers from Mode. Select Enable from
State. Select Zhongguancun from Area. Click OK.
The previous area is used as the default value for synchronizing accounts.
If the dynamic area function is enabled, you do not need to configure Area.
4. Select the entry whose OMC Synchronization is Yes. Click Enable FTP, as shown in
Figure 4-16.
NOTE
The manually added external FTP server to implement the account self-learning function is reserved.
You are advised to confirm with the Huawei technical support engineers.
5. Click Close.
----End
Follow-up Procedure
After confirming that account self-learning is complete, you can disable the account self-learning
function. Click Disable in the Account Self-learning Configuration group box.
To delete subscribers in batches, click Batch Delete on the Subscriber Management page and
follow the instructions that are displayed.
Prerequisites
Requirements are as follows:
l 3.2 Checking the Status of the Front End and Back End is complete.
l Select a rule to identify the area where a subscriber belongs is already set to SN by the
installation and commissioning engineer during the first login to the GUI after the back-
end software is installed.
l The current user has the User and Network Management service permission and the data
permission for the areas to be managed.
Requirement Description
The requirements of a carrier's CDMA2000 network are as follows:
l Areas are divided into two levels.
The procedure uses Beijing as the level-1 area, and Haidian and Dongcheng as level-2 areas,
as an example.
l To view and manage traffic by SN, base station, cell, and access type, you need to configure
four customized attributes: SN, base station, cell, and access type.
SNs on live network include:
– SN IP address: 10.11.11.11. SN name: HaidianSN1. Area: Haidian.
– SN IP address: 10.11.11.12. SN name: HaidianSN2. Area: Haidian.
– SN IP address: 10.11.11.13. SN name: DongchengSN. Area: Dongcheng.
The data of the base stations and cells is provided by the network operation and maintenance
department of the carrier.
l Subscriber accounts are added by the account self-learning function. When an account logs
in, the SIG system parses the RADIUS charging information of the account, obtains the
SN used by the account, and identifies the area where the account resides.
Procedure
Step 1 Log in to the Back End of the SIG.
1. In the navigation tree, choose Subscriber and Network Management > Subscriber >
Customized Attributes Management.
2. Click Add. The Add Attribute dialog box is displayed.
3. Select Dynamic Attribute in Attribute Type, SN in Attribute Name, and Traffic in
Enable Statistics. Then click OK, as shown in Figure 4-18.
4. Click Add, enter 10.11.11.11 in Sequence, enter HaidianSN1 in Alias, and select
Haidian in Area in the dialog box that is displayed.
5. Repeat the previous steps to add another two SNs, as shown in Figure 4-19.
6. Click Close.
7. Repeat Step 3.2 to Step 3.6 to add the dynamic attributes of Base Station, Cell, and Access
Type.
You are advised to click Import to download the .xls template and then import the data of
base stations and cells. The access type attribute data is automatically generated by the
system.
----End
Follow-up Procedure
After confirming that account self-learning is complete, you can disable the account self-learning
function. Click Disable in the Account Self-learning Configuration group box.
To delete subscribers in batches, click Batch Delete on the Subscriber Management page and
follow the instructions that are displayed.
Prerequisites
Requirements are as follows:
l 3.2 Checking the Status of the Front End and Back End is complete.
l The current user has the Subscriber and Network Management service permission, and
additionally has data permission of the areas to be managed.
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 In the navigation tree, choose Subscriber and Network Management > Subscriber >
Subscriber Management.
The system performs exact match by the property values entered. For fuzzy match, leave the check
box of Exact Match on the right side of the property value unselected.
For example, assume there are two subscribers with the Subscriber Name Jim and Jimmy
respectively. When you query Jim and select exact match, only Jim is found; if you select fuzzy match,
both Jim and Jimmy are found.
l Modify
To modify the properties of a subscriber, click the link in the Subscriber ID column of the
entry, enter property values in the dialog box that is displayed, and then click OK.
l Delete
To delete a subscriber entry, select the check box to the left of the entry, click Delete, and
confirm the operation.
l Delete in batches
To delete subscriber entries in batches using an Excel template, click Batch Delete and then
the link on the right of the Downloading Template. After you download and edit the
template, click Browse in the dialog box, select the file, and then click OK. The system
displays the data handling results, including the number of entries that have been successfully
or unsuccessfully deleted.
----End
Prerequisites
Requirements are as follows:
l 3.2 Checking the Status of the Front End and Back End is complete.
l The current user has the Subscriber and Network Management service permission.
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 In the navigation tree, choose Subscriber and Network Management > Subscriber > User
Group Management.
Step 3 Optional operations are as follows:
l Add a subscriber group.
Click Add, enter the name of the user group to be added to User Group Name, and click
OK.
l Add or import users to the subscriber group.
Click Subscriber Information of the user group to be managed. The options are
as follows:
– To add users in Subscriber Management to the user group, click Select Subscriber,
and select the subscribers to be added in the dialog box that is displayed.
– To add new users to the user group, click Add Subscriber, and enter Subscriber ID of
the user to be added in the dialog box that is displayed.
– To add multiple new users to the user group in a batch, click Import, obtain the import template
from the dialog box that is displayed, and import the users.
NOTE
New users added to the group are not shown and managed in Subscriber Management. The system
can apply policies to and query the reports of the new users.
After applying a policy package to a subscriber group, the system binds the policy package to each
user in the group.
l Delete users in the subscriber group.
Click Subscriber Information of the user group to be managed. The options are
as follows:
– Select the users to be deleted, and click Delete.
– Click Batch Delete, obtain the import template in the dialog box that is displayed, and
delete users.
l Add the Heavy User group.
Click Add, select Heavy User in User Group Type, and then enter related information.
l View users in the Heavy User group.
Click Subscriber Information of the user group to be managed, and view the user list in
the dialog box that is displayed.
----End
Area
Indicates the area where the subscriber resides.
NOTE
The parameter is not required if the dynamic identification area is already specified. No
further description is provided in the following.
To dynamically identify areas, select the check box of Select a rule to identify the area where
a subscriber belongs on the System Management > System Configuration > System Basic
Configuration page. This configuration is completed upon your first login and cannot be changed.
[Operation page]: In the navigation tree, choose Subscriber and Network Management >
Subscriber > Subscriber Management.
[Setting method]: Click the option button.

User Information FTP/SOAP Interface

Area
The area configured here is only valid in the case that the file to be synchronized does not
contain an account for the area during account synchronization.
[Operation page]: In the navigation tree, choose System Management > System Configuration >
External Interface Configuration. In the User Information FTP/SOAP Interface group box, click
Configuration. Select the Basic Configuration tab.
[Setting method]: Click the option button.

Log File Path
Indicates the path for the file to be synchronized on the FTP server.
If this parameter is not set, the system obtains files to be synchronized from the root
directory of the FTP server to which the account has logged in.
[Operation page]: In the navigation tree, choose System Management > System Configuration >
External Interface Configuration. In the User Information FTP/SOAP Interface group box, click
Configuration. Select the FTP Configuration tab.
[Setting method]: Enter a value in the text box.
[Example]: file/user/

Port
Indicates the service port of the FTP server.
[Operation page]: In the navigation tree, choose System Management > System Configuration >
External Interface Configuration. In the User Information FTP/SOAP Interface group box, click
Configuration. Select the FTP Configuration tab.
[Setting method]: Enter a value in the text box.
[Example]: 21

User Name, Password
Indicates the user name and password for logging in to the FTP server.
[Operation page]: In the navigation tree, choose System Management > System Configuration >
External Interface Configuration. In the User Information FTP/SOAP Interface group box, click
Configuration. Select the FTP Configuration tab.
[Setting method]: Enter a value in the text box.

FTP Mode
The system supports FTP and SFTP.
[Operation page]: In the navigation tree, choose System Management > System Configuration >
External Interface Configuration. In the User Information FTP/SOAP Interface group box, click
Configuration. Select the FTP Configuration tab.
[Setting method]: Select the item from the drop-down list.

Auto Delete FTP File
You can decide whether to delete the synchronized FTP file automatically.
[Operation page]: In the navigation tree, choose System Management > System Configuration >
External Interface Configuration. In the User Information FTP/SOAP Interface group box, click
Configuration. Select the FTP Configuration tab.
[Setting method]: Select the item from the drop-down list.

SOAP Security Configuration
You can decide whether to use the user name and password to synchronize subscribers through
the Simple Object Access Protocol (SOAP) interface.
If you choose to use the user name and password, you can click Add to enter one or more entries.
[Operation page]: In the navigation tree, choose System Management > System Configuration >
External Interface Configuration. In the User Information FTP/SOAP Interface group box, click
Configuration. Select the SOAP Security Configuration tab.
[Setting method]: Click the option button.

Account Self-learning

Mode
The following modes are available:
• Through the login and logout logs of subscribers
The system automatically learns the account through the account login information. It is
applicable to the scenario where the account cannot be directly obtained in other modes and
the account login information passes through the RADIUS proxy.
• Through the policy request messages of subscribers
The system automatically learns the account by extracting several user attributes (such as
the MAC address) from service traffic. It is applicable to the scenario where several user
attributes are learnt, and either manual mode or batch import mode is employed.
[Operation page]: In the navigation tree, choose System Management > System Configuration >
External Interface Configuration. In the Account Self-learning group box, click Configuration.
[Setting method]: Click the option button.
NOTE
The SIG system resolves and extracts the values of dynamic attributes through the RADIUS proxy server
from subscribers' online charging packets (such as RADIUS packets, GTP-C packets) or through the Front
End from subscribers' network traffic.
If you need to view the statistics report by attribute value, select the Enable Statistics check box when
you add the attribute.
For the subscribers, the sum of the number of areas and number of self-defined group attributes cannot
exceed 10. The self-defined group attributes consist of dynamic attributes and static group attributes.
A dynamic attribute takes effect only after it is successfully configured and synchronized to the Front End.
Then you can query traffic reports by dynamic attribute or make the policy applying the dynamic attribute
effective. For example, a subscriber goes online before the dynamic attribute takes effect and keeps online.
After the effective time, the subscriber goes online again and the policy applying the dynamic attribute
takes effect.
GN (Gateway Node)
• Fixed network: NAS-IP-Address
• G network: 3GPP-GGSN Address
• C network: NAS-IP-Address
• WLAN: NAS-IP-Address
• WiMAX: NAS-IP-Address
• GTP-C: GSN Address
You can either add the attributes one by one manually or add them in batches by using the
template.
For example, to add a GN whose IP address is 10.10.10.10 and name is AreaA_GN, enter
10.10.10.10 in Sequence and AreaA_GN in Alias.
Click Import. In the displayed dialog box, click the link to obtain the Excel template.
For easy management, one GN record can correspond to one or more IP addresses; therefore, add
the attributes or import the template as required.
The Area attribute is an optional GN attribute. When you add the attributes or import the
template, choose whether to set this value as required.

SN (Service Node)
• Fixed network: Not supported
• G network: 3GPP-SGSN address
• C network: 3GPP2_PCF IP_Addr
• WLAN: Not supported
• WiMAX: Not supported
• GTP-C: GSN Address
You can either add the attributes one by one manually or add them in batches by using the
template.
For example, to add an SN whose IP address is 10.10.11.11 and name is AreaA_SN, enter
10.10.11.11 in Sequence and AreaA_SN in Alias.
Click Import. In the displayed dialog box, click the link to obtain the Excel template.
The Area attribute is an optional SN attribute. When you add the attributes or import the
template, choose whether to set this value as required.
NOTE
However, if on the System Management > System Configuration > System Basic Configuration
page, it is configured to identify subscribers' areas by their access SNs, the Area attribute
is mandatory.

Base Station
Summarizes traffic according to the Cell attribute value. Therefore, Base Station takes effect
only when Cell is enabled.
You can either add the attributes one by one manually or add them in batches by using the
template.
For example, to add a base station whose ID is 0001 and name is AreaA_BTS, enter 0001 in
Sequence and AreaA_BTS in Alias.
Click Import. In the displayed dialog box, click the link to obtain the Excel template.
The Area attribute is an optional base station attribute. When you add the attributes or import
the template, choose whether to set this value as required.
NOTE
However, if on the System Management > System Configuration > System Basic Configuration
page, it is configured to identify subscribers' areas by their access BTS, the Area attribute
is mandatory.

Cell
• Fixed network: Not supported
• G network: 3GPP-User-Location-Info
• C network: 3GPP2_BSID/3GPP2_Subnet
• WLAN: Not supported
• WiMAX: Not supported
• GTP-C: User Location Information
You can either add the attributes one by one manually or add them in batches by using the
template.
For example, to add a cell whose ID is 0001 and name is AreaA_Cell, enter 0001 in Sequence and
AreaA_Cell in Alias.
Click Import. In the displayed dialog box, click the link to obtain the Excel template.
The Area and Base Station attributes are optional cell attributes. When you add the attributes
or import the template, choose whether to set this value as required.
NOTE
However, if on the System Management > System Configuration > System Basic Configuration
page, it is configured to identify subscribers' areas by their access cells, the Area attribute
is mandatory.

Equipment Type
• Fixed network: HTTP UserAgent
• G network: HTTP UserAgent/User-Name
• C network: HTTP UserAgent/User-Name
• WLAN: HTTP UserAgent
• WiMAX: HTTP UserAgent
• GTP-C: HTTP UserAgent
The value is default and cannot be set.
The equipment types include:
• Phone
• Data Card
• Other

Access Type
• Fixed network: NAS-Port-Type
• G network: 3GPP-RAT-Type
• C network: 3GPP2_SO/3GPP2_BSID
• WLAN: NAS-Port-Type
• WiMAX: NAS-Port-Type
• GTP-C: RAT Type
The value is default and cannot be set.
The access types include:
• 1X
• EVDO
• UTRAN
• GERAN
• GAN
• WLAN
• Other

Bearer Network
• Fixed network: The RADIUS Proxy resolves the User-Name to generate the attribute value.
• G network: The RADIUS Proxy resolves the User-Name to generate the attribute value.
• C network: The RADIUS Proxy resolves the User-Name to generate the attribute value.
• WLAN: The RADIUS Proxy resolves the User-Name to generate the attribute value.
• WiMAX: Not supported
• GTP-C: Access Point Name
The value is default and cannot be set.
The bearer networks include:
• 163
• CN2
• Other

VLAN
Extracted from IP traffic.
The value is default and cannot be set.
The system automatically adds the records whose VLAN IDs range from 0 to 4095.
Network devices employ VLAN IDs to identify VLANs to which packets belong. A VLAN ID indicates
the ID of the VLAN to which a packet belongs. Its length is 12 bits and its value ranges from 0
to 4095. 0 and 4095 are reserved values of the protocol; therefore, the actual value ranges
from 1 to 4094.

Number Segment
Use the main identifier of subscribers.
You can either add the attributes one by one manually or add them in batches by using the
template.
For example, to add a field 7777000 to 7777999, enter 7777000 in Start Number Segment, enter
7777999 in End Number Segment, and then enter 7777 in Alias.
4.3.1 Overview
This section describes several related concepts of the VIC and multiple functions through the
VIC configuration.
The concepts related to the VIC are as follows:
• Area
Indicates the physical area. The system supports the hierarchical management of areas.
During the system installation, the installation and commissioning engineer defines the area
level of VICs upon the first login to the Back End. For VICs, the system supports up to
three levels of areas.
Areas are organized in a tree structure. When adding areas, data configuration engineers
should start from the root area, and then create a new area in the root area and a subarea in
the current area, gradually building an area system. Only one root area can be added.
• VIC user group
Refers to a collection of one or more VICs.
To easily manage VICs in group mode, the system supports customizing user groups for
VICs. After adding one or more VICs to a user group, you can implement service policy
control based on the user group.
• VIC customized attribute
Refers to the customized VIC attributes.
Besides the area attribute predefined by the system, you can extend VIC attributes by adding
customized attributes.
In terms of whether VICs can be divided into finite groups, customized attributes are
categorized into the following types:
– Group attribute
These attributes, such as the gender, base station, cell, mobile phone, and browser, can
categorize VICs into finite groups.
– Non-group attribute
These attributes, such as the address and postal code, cannot categorize VICs into finite
groups.
With the configuration of VICs, the system can:
• Provide various account management modes for VICs
To meet the requirements of account management, you can select one or more of the following
modes:
– Providing the basic modes of adding, modifying, or deleting VICs.
– Manually importing VIC accounts from the .xls template file provided by the system
in batches.
• Manage the multi-level VIC areas and area-based data permission.
• Manage user groups and customized attributes.
[Flowchart: Start. Is the customized attribute required? If yes, add the customized attribute.
Is the user group required? If yes, configure the user group. End.]
Action: Configure the area
Description: Add the area and assign data permission to the area of each level as required.
Three types of data permissions are available:
• Read
If your account has this permission for an area, you can view the details about this area and
its subareas.
• Write
If your account has this permission for an area, besides the read permission, you can add,
modify, enable, disable, or delete this area and its subareas.
• Authorize
If your account has this permission for an area, besides the read and write permissions, you
can assign data permissions for this area and its subareas.
NOTE
For the information about the permission control mechanism, see 22.2 Managing System Accounts
and Permissions.
Operation page: In the navigation tree, choose Subscriber and Network Management > Very
Important Customer > Area Management.

Action: Add or import the VIC
Description: Add or import the VIC account to manage it.
Operation page: In the navigation tree, choose Subscriber and Network Management > Very
Important Customer > VIC Management.

Action: Configure the user group
Description: Besides applying policies to areas or other customized attribute groups, the SIG
also supports applying policies to user groups. Therefore, if you cannot manage subscriber and
network objects according to attribute groups, add and configure user groups.
Operation page: In the navigation tree, choose Subscriber and Network Management > Very
Important Customer > User Group Management.
Prerequisites
The following conditions should be met:
• 3.2 Checking the Status of the Front End and Back End is performed.
• The current user has the Subscriber and Network Management service permission and
the data permission for the areas to be managed.
Context
In this example, the requirements are as follows:
Procedure
Step 1 Log in to the Back End.
In the area list, click the area to which permissions are to be assigned. Click Assign Data
Authority. Assign the permission to each system account. Click OK.
4. Click the Static IP Address tab. Enter 20.20.20.20 in IP Address. Click Add.
5. Click the Static IP Segment tab. Select Mask from Type. Enter 10.10.10.0 in Subnet
Address. Enter 28 in Mask Digits. Click OK.
NOTE
When you add a static IP address segment of the Mask type, the allowed mask ranges from 16 to 32.
When you add a static IP address segment of the IP Segment type, the number of IP addresses on
the IP address segment should be smaller than or equal to 65536.
6. Click OK. The system returns to the previous page and the added record is displayed.
7. Repeat Step 3.2 to Step 3.6 to add ExampleVIC2.
----End
Prerequisites
The following requirements should be met:
• 3.2 Checking the Status of the Front End and Back End is performed.
• The current user has the Subscriber and Network Management service permission and
the data permission for the areas to be managed.
Context
Requirements are as follows:
For example, the name of the level-1 area is Beijing, the level-2 area is Haidian, and the
level-3 area is Zhongguancun.
• The VIC accounts to be imported include the following information:
– VIC name: ExampleVIC1; area: Zhongguancun; IP addresses: 10.10.10.0/28 and
20.20.20.20.
– VIC name: ExampleVIC2; area: Zhongguancun; IP addresses: 30.30.30.1 to
30.30.30.30 and 40.40.40.0/24.
Procedure
Step 1 Log in to the Back End.
Step 2 Configure the area.
1. In the navigation tree, choose Subscriber and Network Management > Very Important
Customer > Area Management.
2. Click Add. Enter Beijing in Area Name. Click OK.
3. Click Beijing in the area list. Click Add. Enter Haidian in Area Name. Click OK.
4. Click Haidian in the area list. Click Add. Enter Zhongguancun in Area Name. Click
OK, as shown in Figure 4-23.
3. Click VIC Template to obtain the .xls template file. In the file, enter the account
information to be imported and save the file, as shown in Figure 4-25.
4. In the Import VICs dialog box, click Browse to select the edited file. Click OK.
5. Wait until the system prompts you that the operation is complete. In the displayed dialog
box, view logs to learn the information about successful and failed operations.
----End
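The address limits stated in the NOTE of the manual procedure (mask of 16 to 32 for a Mask segment, at most 65536 addresses for an IP Segment range) can be checked on the rows before the template is imported. This is an added example, not code from the guide or from the SIG; the row layout, the textual address notation, the function names and the overlap review are assumptions, and the sample rows reuse ExampleVIC1 and ExampleVIC2 plus constructed bad rows.

```python
"""Pre-import check for VIC address entries (added example, not Huawei code)."""
import ipaddress

MIN_MASK, MAX_MASK = 16, 32   # allowed mask digits for a Mask-type segment
MAX_RANGE_SIZE = 65536        # most addresses allowed in an IP Segment-type range


def parse_entry(text):
    """Return (first, last) addresses covered by one entry, or raise ValueError.

    Assumed notation, taken from the examples in this section:
      "20.20.20.20"                static IP address
      "10.10.10.0/28"              static IP segment, Mask type
      "30.30.30.1 to 30.30.30.30"  static IP segment, IP Segment type
    """
    text = text.strip()
    if "/" in text:
        addr, digits = text.split("/", 1)
        if not digits.isdigit() or not MIN_MASK <= int(digits) <= MAX_MASK:
            raise ValueError(f"{text}: mask must be {MIN_MASK} to {MAX_MASK}")
        # strict=True rejects a subnet address with host bits set (10.10.10.5/28).
        net = ipaddress.IPv4Network(f"{addr.strip()}/{int(digits)}", strict=True)
        return net[0], net[-1]
    if " to " in text:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split(" to ", 1))
        if hi < lo:
            raise ValueError(f"{text}: end address is below start address")
        if int(hi) - int(lo) + 1 > MAX_RANGE_SIZE:
            raise ValueError(f"{text}: more than {MAX_RANGE_SIZE} addresses")
        return lo, hi
    ip = ipaddress.IPv4Address(text)
    return ip, ip


def check_rows(rows):
    """rows: iterable of (vic_name, [entry, ...]). Returns (ranges, problems)."""
    ranges, problems = [], []
    for name, entries in rows:
        for entry in entries:
            try:
                first, last = parse_entry(entry)
            except ValueError as exc:
                problems.append(f"{name}: {exc}")
                continue
            ranges.append((int(first), int(last), name, entry))
    # Overlap review: the guide does not say how an address listed under two
    # VICs is resolved, so this example reports it for a human to decide.
    ranges.sort()
    widest = None   # range with the highest end address seen so far
    for item in ranges:
        if widest is not None and item[0] <= widest[1]:
            problems.append(
                f"{item[2]}: {item[3]} overlaps {widest[2]}: {widest[3]}")
        if widest is None or item[1] > widest[1]:
            widest = item
    return ranges, problems


# Rows from the Context above, followed by constructed rows that must be flagged.
SAMPLE_ROWS = [
    ("ExampleVIC1", ["10.10.10.0/28", "20.20.20.20"]),
    ("ExampleVIC2", ["30.30.30.1 to 30.30.30.30", "40.40.40.0/24"]),
    ("BadMask", ["10.0.0.0/8"]),              # mask below 16
    ("BadRange", ["50.0.0.0 to 50.1.0.0"]),   # 65537 addresses
    ("HostBits", ["10.10.10.5/28"]),          # not a subnet address
    ("Overlap", ["10.10.10.8"]),              # inside ExampleVIC1's /28
]

if __name__ == "__main__":
    _, found = check_rows(SAMPLE_ROWS)
    for line in found:
        print(line)
```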
4.4.1 Overview
This section describes what you can do by configuring the link.
• Links
Refers to a physical link monitored by the SIG. For example, as shown in Figure 4-26, GE
2/0/0 is connected to the user side and GE 2/0/1 to the network side, and between GE 2/0/0
and GE 2/0/1 is a link.
[Figure 4-26 labels: LPU, Link, GE2/0/0, GE2/0/1, Router A, Router B]
The link is configured during the installation and commissioning of the system. According
to the result of 3.2 Checking the Status of the Front End and Back End, the
status is normal, indicating that the SIG successfully monitors the link.
• Areas
To implement the hierarchical management on virtual tunnels and link groups, on the
SIG, one managed region can be divided into several management units. Each management
unit is an area.
The system supports area-based multi-level management. During the installation of the
system, the area levels of virtual tunnels and links are specified after the installation and
commissioning engineer logs in to the Back End for the first time. For virtual tunnels and
links, the system supports up to three area levels.
Areas are organized in a tree structure. When adding an area, data configuration engineers
should start at the root area and then create subareas in the current area, gradually building
an area system. All the areas except the root area must have a parent area. Only one root
area can be added.
• Customized Attributes
Refer to customized link attributes.
In addition to the current customized attributes, you can add customized attributes to
extend link attributes as required.
By configuring the link, you can:
• Check the configurations of links.
Information about a link, such as the name, number, and type, is specified during the
configuration of the link. For convenient identification of the link and corresponding front-
end devices, a link name is displayed as link type-device number in the cluster-link number-
link name.
For example, Figure 4-27 shows that the name of linka is displayed as 10G-1-1-linka and
that of linkb is 2.5G-2-2-linkb.
[Figure 4-27 labels: External Network; Router A, Router B; DPI B (GE3/0/1); Switch2; Back End;
Router C, Router D; Internal Network. Device Number in the Cluster: 2; Link Name: linkb;
Link Type: 2.5G; Link Number: 2]
Links are configured during the installation and commissioning of the system. Thus, the system
maintenance engineer needs to reconfigure the links only after a link is added or the connection cable of
an interface is changed. For how to configure links according to cable connections, see 4.4.4 Reference.
[Flowchart: Start. Is the area-based link management required? If yes, configure the area.
Is the customized attribute required? If yes, add the customized attribute. Is the link group
required? If yes, add the link group. End.]
Action: Configure the area
Description: Add the area and assign the data permission to the area as required.
Three types of data permissions are available:
• Read
If your account has this permission for an area, you can view the details about this area and
its subareas.
• Write
If your account has this permission for an area, besides the read permission, you can add,
modify, enable, disable, or delete this area and its subareas.
• Authorize
If your account has this permission for an area, besides the read and write permissions, you
can assign data permissions to this area and its subareas.
Operation page: In the navigation tree, choose Subscriber and Network Management > Network >
Area Management.

Action: Configure the link attribute
Description: Set the attribute as required and configure the corresponding value.
Operation page: In the navigation tree, choose Subscriber and Network Management > Network >
Physical Link Management > Link Management.

Action: Add the link group
Description: Add and configure the user group as required.
Operation page: In the navigation tree, choose Subscriber and Network Management > Network >
Physical Link Management > Link Group Management.
Prerequisites
The following conditions should be met:
• 3.2 Checking the Status of the Front End and Back End is performed, and the status is
normal.
• The current user has the Subscriber and Network Management service permission.
Context
Figure 4-29 shows the SIG in the networking of a carrier. Now, the task is to log in to the Back
End to check two links and bind them as a link group named linkgroup.
In this example, the area has two levels. The name of the level-1 area is Beijing and the names
of the level-2 areas are Haidian and Chaoyang. The name of the customized attribute is
LinkType whose values are 10G and 2point5G. Linka belongs to Haidian and linkb belongs
to Chaoyang.
[Figure 4-29 labels: External Network; Router A, Router B; DPI B (GE3/0/1); Switch2; Back End;
Router C, Router D; Internal Network. Device Number in the Cluster: 2; Link Name: linkb;
Link Type: 2.5G; Link Number: 2]
Procedure
Step 1 Log in to the Back End.
Step 2 Check the link.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Physical Link Management > Link Management.
2. On the Link Management page, check the configured links, as shown in Figure 4-30.
In the area list, click the area to which permissions are to be assigned. Click Assign Data
Authority. Assign the permission to each system account. Click OK.
To grant data permissions, select the check box of Read, Write, or Authorize. For more
information about system accounts and permissions, see 22.2 Managing System Accounts
and Permissions.
----End
4.4.4 Reference
This section describes how to configure the link on the Front End, and provides a reference for
adding a link or changing a cable connection for the link.
Do as follows:
1. Log in to the Front End.
2. In the user view, run the system-view command to enter the system view.
3. Run the dpi-node command to enter the DPI node view.
4. Run the link name link-name number link-number type { 10g | 1g | 2.5g } command to
create a link.
5. Run the quit command to exit from the DPI node view.
6. Run the interface interface-type interface-number command to enter the user-side interface
view.
7. Run the dpi-node link number link-number inside command to configure the current
interface as the user-side interface of a specific link.
8. Run the quit command to exit from the interface view.
9. Run the interface interface-type interface-number command to enter the network-side
interface view.
10. Run the dpi-node link number link-number outside command to configure the current
interface as the network-side interface of a specific link.
11. Run the quit command to exit from the interface view.
NOTE
By default, the hash traffic diversion on the network-side interface is performed based on destination-ip
(destination IP addresses), and the hash traffic diversion on the user-side interface is performed based on
source-ip (source IP addresses). Generally, it is recommended to maintain the default traffic diversion
mode. To modify the mode, you should run the dpi-node link hash-mode { source-ip | destination-ip }
command in the interface view.
traffic passing through upstream devices, for example, the PDSN, PCF, BTS, and cell shown in
Figure 4-31.
The preceding requirements cannot be met by the current subscriber and network objects. To
meet the requirements, the SIG system introduces a new object: user attribute virtual tunnel.
[Figure 4-31 labels: IP network; DPI system; RADIUS packets; PDSN; NE traffic analysis and
control; RADIUS server; BSC/PCF; BTS; Subscriber]
As shown in Figure 4-32, the current subscriber and network objects cannot meet the
requirements for managing the upstream and downstream traffic of all users accessing the server
group on a specified address segment. To meet the requirements, the SIG system introduces a
new object: stream attribute virtual tunnel.
[Figure 4-32 labels: RADIUS packet; PDSN; RADIUS server; BSC/PCF; BTS; Subscriber]
Defining a User Attribute Virtual Tunnel Using the Subscriber Group Attribute
The SIG system is required to identify the IP traffic of a specified NE. However, the IP traffic
of the NE does not carry exclusive signatures. In this case, the IP traffic is identified through
corresponding signaling packets.
As shown in Figure 4-33, on the carrier access layer network, the RADIUS packets generated
upon the subscriber's login carry the information about the NEs that the user IP traffic passes
through. In the SIG system, you can define that NE information as the dynamic attributes of
the subscriber, for example, the BTS, so that the system obtains the dynamic attribute value by
parsing the RADIUS accounting packets. (For example, the BTS ID is 1234567890.) The SIG
then identifies the NE traffic to be managed by gathering the subscriber IP traffic whose dynamic
attributes are the specified NE.
Figure 4-33 Defining a user attribute virtual tunnel using the subscriber group attribute
[Figure labels: IP network; DPI system; BSC/PCF; BTS B (BTS ID: 1234567890); Subscriber A]
As shown in the above figure, the SIG system associates the target traffic to be identified with
a group of subscribers. The subscriber and network objects defined in this way are called user
attribute virtual tunnels.
Besides the dynamic attributes, any attribute that is exclusive to a subscriber can define a user
attribute virtual tunnel. In the SIG system, this type of attribute is called Group Attributes.
NOTE
A dynamic attribute must be a group attribute, while a group attribute is not necessarily a dynamic
attribute.
Precautions
• Before you define the user attribute virtual tunnel, ensure that the group attribute to define
the virtual tunnel is enabled. For details on subscribers and attributes, see 4.2 Configuring
the Subscriber.
• To facilitate the management, the system can categorize virtual tunnels by area and
customized attributes. Virtual Tunnel Category indicates a group of virtual tunnels with
the same customized attributes. For example, you can group all BTSs with the "BTS type"
attributes as a virtual tunnel categorization, and name the categorization as BTS.
For multiple virtual tunnels belonging to the same virtual tunnel category, you are advised
to ensure that their conditions cannot overlap, so that one packet can match at most one
virtual tunnel at one time. If a packet matches multiple virtual tunnel conditions in a virtual
tunnel category at the same time, only the virtual tunnel with the highest priority matches
the packet. The larger the value, the higher the priority.
• You can add a maximum of eight user attribute virtual tunnel categories to the system.
• You can add a maximum of 40,000 user attribute virtual tunnels to the system.
Figure 4-34 Rules for defining the stream attribute virtual tunnel
Precautions
• To facilitate the management, the system can categorize virtual tunnels by area and
customized attributes. Virtual Tunnel Category indicates a group of virtual tunnels with
the same customized attributes.
For multiple virtual tunnels belonging to the same virtual tunnel category, you are advised
to ensure that their conditions cannot overlap, so that one packet can match at most one
virtual tunnel at one time. If a packet matches multiple virtual tunnel conditions in a virtual
tunnel category at the same time, only the virtual tunnel with the highest priority matches
the packet. The larger the value, the higher the priority.
• You can add a maximum of four stream attribute virtual tunnel categories to the system.
• You can add a maximum of 4000 stream attribute virtual tunnels to the system.
• You can add multiple virtual tunnel rules to one virtual tunnel. These virtual tunnel rules
form the "OR" relation. That is, if matching any virtual tunnel rule, the traffic can match
this virtual tunnel.
NOTE
The multiple attributes in one virtual tunnel rule form the "AND" relation. For example, if both
Remote IP Segment and Remote Port Segment are configured in a virtual tunnel rule, a packet
matches this rule only when it meets the two conditions at the same time.
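The matching behaviour described in these precautions (rules of one tunnel OR-ed, attributes inside a rule AND-ed, the largest Priority value winning inside a category) can be modelled to review a planned tunnel set before it is configured. This is an added example, not code from the guide or from the SIG; the class and function names, the treatment of an unset attribute as "any", the independent evaluation of each category and the sample tunnels are assumptions. It also reports tunnels of one category whose rules can match the same packet, which is the overlap the guide advises against.

```python
"""Stream attribute virtual tunnel matching (added example, not Huawei code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One virtual tunnel rule. Attributes that are set are AND-ed; an unset
    attribute is treated as "any" (assumption of this example)."""
    remote_net: Optional[ipaddress.IPv4Network] = None   # Remote IP Segment
    remote_ports: Optional[Tuple[int, int]] = None        # Remote Port Segment

    def matches(self, ip, port):
        if self.remote_net is not None and ip not in self.remote_net:
            return False
        if self.remote_ports is not None:
            lo, hi = self.remote_ports
            if not lo <= port <= hi:
                return False
        return True

    def overlaps(self, other):
        """True if at least one packet could satisfy both rules."""
        if (self.remote_net is not None and other.remote_net is not None
                and not self.remote_net.overlaps(other.remote_net)):
            return False
        if self.remote_ports is not None and other.remote_ports is not None:
            (a_lo, a_hi), (b_lo, b_hi) = self.remote_ports, other.remote_ports
            if a_hi < b_lo or b_hi < a_lo:
                return False
        return True


@dataclass
class Tunnel:
    name: str
    category: str
    priority: int                                    # larger value wins
    rules: List[Rule] = field(default_factory=list)  # rules are OR-ed

    def matches(self, ip, port):
        return any(rule.matches(ip, port) for rule in self.rules)


def classify(tunnels, remote_ip, remote_port):
    """Return {category: tunnel name} with the highest-priority match per category."""
    ip = ipaddress.IPv4Address(remote_ip)
    winners = {}
    for tunnel in tunnels:
        if tunnel.matches(ip, remote_port):
            best = winners.get(tunnel.category)
            if best is None or tunnel.priority > best.priority:
                winners[tunnel.category] = tunnel
    return {category: t.name for category, t in winners.items()}


def find_overlaps(tunnels):
    """List (category, tunnel_a, tunnel_b, shadowed) for same-category tunnels
    whose rules can match one packet; shadowed is the lower-priority tunnel."""
    found = []
    for i, a in enumerate(tunnels):
        for b in tunnels[i + 1:]:
            if a.category != b.category:
                continue
            if any(ra.overlaps(rb) for ra in a.rules for rb in b.rules):
                shadowed = a if a.priority < b.priority else b
                found.append((a.category, a.name, b.name, shadowed.name))
    return found


def net(cidr):
    return ipaddress.IPv4Network(cidr)


# Constructed sample tunnels (documentation address ranges, invented names).
TUNNELS = [
    Tunnel("WebFarm", "ServerGroup", 10, [Rule(net("192.0.2.0/24"), (80, 443)),
                                          Rule(net("198.51.100.0/28"))]),
    Tunnel("Mail", "ServerGroup", 20, [Rule(net("192.0.2.128/25"), (25, 25))]),
    Tunnel("Cache", "ServerGroup", 30, [Rule(net("192.0.2.0/26"), (443, 8080))]),
    Tunnel("PartnerA", "Partner", 5, [Rule(net("192.0.2.0/24"))]),
]

if __name__ == "__main__":
    print(classify(TUNNELS, "192.0.2.10", 443))
    print(find_overlaps(TUNNELS))
```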
[Figure labels: Front End; Back End; PDSN. Virtual tunnel category 1: PCF, virtual tunnel
objects PCF1, PCF2, ...; virtual tunnel category 2: BTS, virtual tunnel objects BTS1, BTS2, ...;
virtual tunnel category 3: Cell, virtual tunnel objects Cell1, Cell2, ...]
After defining the virtual tunnel, you can view the following reports in the SIG system to analyze
the NE traffic:
• Real time
• Traffic trend
• Trend of number of connections
• Traffic proportion
• Number of connections proportion
• Top N protocol
• Top N number of connections
• Bandwidth usage trend
• Top N traffic
• Top N number of connections
• Top N bandwidth usage
Using all the preceding reports, you can observe changes in the NE traffic and obtain accurate
data for network operation maintenance and expansions. In addition, the SIG system can directly
apply policies including rate limiting, priority mark, number of connections control, pass, and
not remark to virtual tunnels. For details on traffic reports and traffic QoS policies, see 5 Traffic
Management Service.
[Flowchart: Start; No; No; Add the virtual tunnel category; End]
Action: Configure the area.
Description: Add the area and assign data permission to the area of each level as required.
Three types of data permissions are available: Read, Write, and Authorize. Details are as
follows:
• Read
If your account has this permission for an area, you can view the details about this area and
its subareas.
• Write
If your account has this permission for an area, besides the read permission, you can add,
modify, enable, disable, or delete this area and its subareas.
• Authorize
If your account has this permission for an area, besides the read and write permissions, you
can assign data permissions for this area and its subareas.
Operation page: In the navigation tree, choose Subscriber and Network Management > Network >
Area Management.

Action: Add a customized attribute.
Description: Add the customized attribute as required. When you apply the policy, if you bind
a policy package according to a customized attribute value, the system binds the policy package
to each group of virtual tunnel that matches the customized attribute value.
Operation page: In the navigation tree, choose Subscriber and Network Management > Network >
Customized Attributes Management.

Action: Add the virtual tunnel category.
Description: Add the virtual tunnel category according to report statistics and traffic
management requirements.
Operation page: In the navigation tree, choose Subscriber and Network Management > Network >
Virtual Tunnel Management > Virtual Tunnel Category.

Action: Add and configure the virtual tunnel.
Description: Add the virtual tunnel objects to be managed and configure the rule definition and
other related attributes for these virtual tunnels.
Operation page: In the navigation tree, choose Subscriber and Network Management > Network >
Virtual Tunnel Management > Virtual Tunnel Object.
Prerequisites
Requirements are as follows:
• The current user has the Subscriber and Network Management service permission.
• SN in the customized attribute for subscribers is enabled and the NE information (IP address
and alias) about various SNs to be managed is imported.
Requirement Description
The SIG is deployed on a carrier's network, as shown in Figure 4-37. According to device
management requirements, it is required that users can view traffic reports and configure traffic
QoS based on the SN and its bandwidth processing capability.
In this case, users should add virtual tunnel category SN, virtual tunnels SN1 and SN2, and
customized attribute Processing Capability. Suppose that the processing capability of SN1 is
50 Mbit/s, and that of SN2 is 100 Mbit/s.
[Figure 4-37 labels: IP Backbone; PE and CE routers; DPI System with Front End and Back End;
GN1, GN2; Wireless access network; SN1, SN2; BTS1, BTS2, … BTS3]
Procedure
Step 1 Log in to the Back End.
Step 2 Add a customized attribute.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Customized Attributes Management.
2. Click Add.
3. Enter Processing Capability in Attribute Name and click OK.
4. Click Add. In the pop-up dialog box, enter 1 in Attribute value, and 50M in Alias of the
value. Then click OK.
5. Click Add. In the pop-up dialog box, enter 2 in Attribute value, and 100M in Alias of the
value. Then click OK, as shown in Figure 4-38.
6. Click OK. The system returns to the previous page and the added record is displayed.
Step 3 Add a virtual tunnel category.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Virtual Tunnel Management > Virtual Tunnel Category.
2. Click Add.
3. In the pop-up dialog box, enter SN in Name.
4. Click Add. In the pop-up dialog box, select the check box of Processing Capability, and
then click OK, as shown in Figure 4-39.
5. Click OK. The system returns to the previous page and the added record is displayed.
Step 4 Add and configure virtual tunnels.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Virtual Tunnel Management > Virtual Tunnel Object.
2. Click Add.
3. Enter SN1 in Virtual Tunnel Name; select SN from Virtual Tunnel Category, and
50M from Processing Capability; enter or select an unoccupied number in Priority, as
shown in Figure 4-40.
NOTE
Priority can be automatically assigned by the system. To use this mode when you add virtual
tunnels, leave the text box to the right of Priority blank.
6. Click Close. The system returns to the previous page and the added record is displayed.
7. Repeat Step 4.2 to Step 4.6 to add virtual tunnel SN2.
----End
Prerequisites
Requirements are as follows:
l The current user has the Subscriber and Network Management service permission.
l BTS in the customized attribute for subscribers is enabled and the NE information
(sequence and alias) about various BTSs to be managed is imported.
Requirement Description
The SIG is deployed on a carrier's network, as shown in Figure 4-42. According to device
management requirements, it is required that users can view traffic reports and configure traffic
QoS based on the BTS and its type.
In this case, users should add a category BTS for virtual tunnels, virtual tunnels including BTS1,
BTS2, and BTS3, and customized attribute BTS Type. Suppose that the types of BTSs BTS1,
BTS2, and BTS3 are respectively 1X, DO, and 1X.
In addition, to manage the previous virtual tunnels by area easily, users need to add area
Beijing, and sub-areas Haidian and Chaoyang. BTS1 and BTS2 belong to Haidian, and BTS3
to Chaoyang.
[Figure 4-42: network diagram showing the IP backbone (PE and CE routers), the DPI system
(Front End and Back End), GN1 and GN2, and the wireless access network with SN1, SN2, and
BTS1 to BTS3]
Procedure
Step 1 Log in to the Back End.
In the area list, click the area to be assigned with permissions. Click Assign Data
Authority. Assign the permission to each system account. Click OK.
6. Click OK. The system returns to the previous page and the added record is displayed.
5. Click OK. The system returns to the previous page and the added record is displayed.
6. Click Close. The system returns to the previous page and the added record is displayed.
7. Repeat Step 5.2 to Step 5.6 to add virtual tunnels BTS2 and BTS3.
----End
remote IP address. In this case, you should specify the traffic of the local IP address or remote
IP address as the virtual tunnel.
Prerequisites
The current user has the Subscriber and Network Management and Traffic Management
service permissions.
Requirement Description
The SIG is deployed on a carrier's network, as shown in Figure 4-47. Service requirements are
as follows:
l Allow IPSec VPN traffic on the local IP address segment ranging from 20.20.20.1 to
20.20.20.254 to pass through.
l Allow VPN traffic on the remote IP address segment ranging from 66.66.66.1 to
66.66.66.254 to pass through.
l Block all other VPN traffic on linka.
[Figure 4-47: network diagram showing the external network, Router A, the Front End,
Router B, and the internal network]
Table 4-9 Data planning of the example for managing the virtual tunnel
Item Data
l Name: IPSec_Pass_QoS2
l Item Type: Pass
l Item Name: IPSec_Pass_Item
l Flow Classification: IPSec
l Upstream QoS Pass: Pass
l Downstream QoS Pass: Pass
l Name: VPN_Pass_QoS3
l Item Type: Pass
l Item Name: VPN_Pass_Item
l Flow Classification: Tunneling
l Upstream QoS Pass: Pass
l Downstream QoS Pass: Pass
Procedure
Step 1 Log in to the Back End.
4. Click OK. The system returns to the previous page and the added record is displayed.
NOTE
You can add multiple virtual tunnel rules to one virtual tunnel. These rules are combined in an
Or relation. That is, traffic that matches any one of the rules matches this virtual tunnel.
7. Click OK.
8. Click Close. The system returns to the previous page and the added record is displayed.
9. Repeat Step 3.2 to Step 3.8 to add virtual tunnel VT2 according to the data planning.
Step 4 Add a QoS policy package.
1. In the navigation tree, choose Traffic Management > QoS > QoS Policy Package
Management.
2. Click Add.
3. In the pop-up dialog box, enter VPN_Block_QoS1 in Name, and then click Save.
4. Select Rate Limiting from Item Type, and click Add.
5. Figure 4-51 shows parameter settings.
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Click Close. The system returns to the previous page and displays the added policy package.
8. Repeat Step 4.2 to Step 4.7 to add policy packages IPSec_Pass_QoS2 and
VPN_Pass_QoS3 according to the data planning.
For details on how to add and apply the QoS policy package, see 5.4 Configuring Traffic
QoS.
4. Click OK.
5. In the navigation tree, choose Subscriber and Network Management > Network >
Virtual Tunnel Management > Virtual Tunnel Policy Application.
6. Click Add.
8. Click OK.
9. Click Add.
10. In the pop-up dialog box, select QoS from Policy Package Type, VPN_Pass_QoS3 from
Policy Package Name, and VT2 from Virtual Tunnel.
11. Click OK.
----End
Prerequisites
The current user has the Subscriber and Network Management and Traffic Management
service permissions.
Requirement Description
The SIG is deployed on a carrier's network, as shown in Figure 4-54. Service requirements are
as follows:
l Set the maximum upstream bandwidth to 200 kbit/s and maximum downstream bandwidth
to 400 kbit/s for the traffic whose external VLAN ID is 1000 on the link.
l Set the maximum upstream bandwidth to 100 kbit/s and maximum downstream bandwidth
to 200 kbit/s for the traffic whose external VLAN ID is 2000 on the link.
[Figure 4-54: network diagram showing the external network, Router A, the Front End,
Router B, and the internal network]
Table 4-10 Data planning of the example for managing the virtual tunnel
Item Data
l Name: VLAN_QoS2
l Item Type: Rate Limiting
l Item Name: VLAN_Item
l Flow Classification: Total
l Maximum Upstream Bandwidth: 100kbit/s
l Maximum Downstream Bandwidth: 200kbit/s
Procedure
Step 1 Log in to the Back End.
Step 2 Add a virtual tunnel category.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Virtual Tunnel Management > Virtual Tunnel Category.
2. Click Add.
3. Figure 4-55 shows parameter settings.
4. Click OK. The system returns to the previous page and the added record is displayed.
Step 3 Add and configure virtual tunnels.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Virtual Tunnel Management > Virtual Tunnel Object.
2. Click Add.
3. Figure 4-56 shows parameter settings.
NOTE
Priority can be automatically assigned by the system. To use this mode when you add virtual
tunnels, leave the text box to the right of Priority blank.
7. Click OK.
8. Click Close. The system returns to the previous page and the added record is displayed.
9. Repeat Step 3.2 to Step 3.8 to add virtual tunnel VT2 according to the data planning.
Step 4 Add a QoS policy package.
1. In the navigation tree, choose Traffic Management > QoS > QoS Policy Package
Management.
2. Add policy packages VLAN_QoS1 and VLAN_QoS2 according to the data planning.
For details on how to add and apply the QoS policy package, see 5.4 Configuring Traffic
QoS.
Step 5 Apply the QoS policy package.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Virtual Tunnel Management > Virtual Tunnel Policy Application.
2. Click Add.
3. In the pop-up dialog box, select QoS from Policy Package Type, VLAN_QoS1 from
Policy Package Name, and VT1 from Virtual Tunnel.
4. Click OK.
5. Click Add.
6. In the pop-up dialog box, select QoS from Policy Package Type, VLAN_QoS2 from
Policy Package Name, and VT2 from Virtual Tunnel.
7. Click OK.
----End
4.6.1 Overview
This section describes several concepts of the AS domain group. You can implement many
functions by configuring the AS domain group.
The related concepts of the AS domain group are as follows:
l Autonomous System (AS)
Refers to a set of routers adopting the same routing policy and managed by one or more
network operators.
Similar to the IP address, the AS number is allocated by an international organization. The
Front End of the SIG is generally deployed in the private AS domain and learns the AS
information from the network by establishing the EBGP neighbor relationship with
neighbor routers.
l AS domain group
Refers to a set of AS domains. AS domain group helps carriers flexibly collect statistics on
traffic among AS domains.
Installation commissioning engineers or data configuration engineers should configure the
AS domain group on the Front End, and then they can log in to the Back End to collect
traffic direction statistics or configure QoS for the objects applied to the traffic direction.
Related traffic directions include between one link (or link group) and one AS domain
group, between one AS domain group and another AS domain group, and between one
subnet and one AS domain group.
l BGP
Refers to the dynamic routing protocol used among ASs. Unlike Interior Gateway
Protocols (IGPs) such as OSPF and RIP, BGP is an Exterior Gateway Protocol (EGP) that
mainly controls route propagation and selection instead of finding and computing routes.
For details about BGP, see 4.6.4 BGP Overview and 4.6.5 BGP Message Types.
l Internal BGP (IBGP) and External BGP (EBGP)
BGP running within an AS is called IBGP; BGP running among different ASs is
called EBGP.
l Peer and peer group
A router that sends the BGP information is called a BGP speaker. The BGP speaker receives
or generates new routing information, and then advertises it to other BGP speakers. When
a BGP speaker receives a route from other ASs, if this route has precedence over current
ones, or no route exists currently, the BGP speaker advertises this route to other BGP
speakers.
The BGP speakers that exchange messages are mutually peers. Several peers can form a
peer group.
By configuring the AS domain group, you can configure AS domain groups and corresponding
BGP and peers, which facilitates traffic direction statistics and traffic direction QoS.
Prerequisites
The following conditions should be met:
l 3.2 Checking the Status of the Front End and Back End is complete.
l The current user has the User and Network Management service permission.
Context
Figure 4-58 shows a network example of the SIG. The details on networking are as follows:
l DPI A is the master device, DPI B is the backup device, and DPI C is the slave device.
These three Front Ends form a cluster.
l DPI A and DPI B learn BGP information from RR. DPI C learns the BGP information from
DPI A and DPI B.
l The external AS numbers are 65008 and 65009, and the local AS number is 65006.
The AS number used by DPI A, DPI B, and DPI C is 65533.
It is required to collect statistics on the traffic directions between link a, link b, or link c and AS
65008, between link a, link b, or link c and AS 65009, and between AS 65008 and AS 65009
that pass AS 65006.
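[Figure 4-58: network diagram showing the external network (AS65008, AS65009), a switch,
DPI A (GE5/0/1, 200.1.1.1), DPI B (GE5/0/1, 200.1.2.1), DPI C (GE5/0/1, 200.1.3.1), the
addresses 200.1.0.1, 200.1.0.2, and 200.1.0.3, the Back End, linka, linkb, linkc, and the
internal network (AS65006)]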
According to the service requirement, when configuring the AS domain group, you should
configure AS65008 as one AS domain group and AS65009 as another AS domain group. Each
AS domain group has only one AS number.
Procedure
Step 1 Log in to Front End DPI A.
Step 2 Configure the BGP and routing.
# DPI A learns the EBGP routes through RR and DPI C learns IBGP routes from DPI A. The
number of the local AS is 65006, and the number of private AS is 65533. The gateway address
for network 200.1.0.0/16 to reach the RR is 200.1.0.1.
<DPIA> system-view
[DPIA] bgp 65533
[DPIA-bgp] router-id 200.1.1.1
[DPIA-bgp] peer 50.1.2.1 as-number 65006
[DPIA-bgp] peer 50.1.2.1 ebgp-max-hop
[DPIA-bgp] peer 50.1.2.1 enable
[DPIA-bgp] peer 50.1.2.1 connect-interface GigabitEthernet 5/0/1
NOTE
You need to configure the RR to establish the peer relationship between DPI A and RR.
After you run the display bgp peer command, if the peer is in Established state, the peer is normal.
After you run the display fib command, if you can view the BGP routes, the static routes of the RR are
successfully added.
----End
4.6.3 Reference
This section describes the common commands for configuring the AS domain group.
Item                                  Command
Display the BGP route information.    display bgp routing-table ip-address [ { mask | mask-length } [ longer-prefixes ] ]
For the installation and basic configurations on the Front End and Back End, refer to the
HUAWEI SIG9800 Service Inspection Gateway Hardware Installation Guide and HUAWEI
SIG9800 Service Inspection Gateway Software Installation Guide.
For more configurations on the Front End, refer to the HUAWEI SIG9800 Service Inspection
Gateway Commissioning Guide; for more commands of the Front End, refer to the HUAWEI
SIG9800 Service Inspection Gateway Command Reference.
BGP has three early versions, BGP-1 (defined in RFC 1105), BGP-2 (defined in RFC 1163),
and BGP-3 (defined in RFC 1267). The current version of BGP is BGP-4 (defined in RFC 1771).
The Internet Service Providers (ISPs) widely use BGP-4 as an exterior routing protocol on the
Internet.
NOTE
l It focuses on route propagation control and selection of optimal routes rather than discovery
and calculation of routes. This distinguishes it from the Interior Gateway Protocols (IGPs)
such as OSPF and RIP. BGP is an Exterior Gateway Protocol (EGP).
l It uses TCP as the transport layer protocol to enhance the reliability of the protocol. The
port number is 179.
l It supports Classless Inter-Domain Routing (CIDR).
l It transmits updated routes only. This occupies less bandwidth and is suitable for
propagating a large amount of routing information on the Internet.
l It eliminates route loops by adding AS-path information to BGP routes.
l It extends easily to support new development of the network.
A router that sends BGP messages is a BGP speaker. The BGP speaker receives or generates
routing information and advertises it to other BGP speakers. When a BGP speaker receives a
route from other ASs, it advertises the route to other BGP speakers in the AS if the route is better
than the current route or this route does not exist in this AS.
BGP speakers that exchange messages are peers of each other. Multiple BGP peers form a peer
group.
BGP runs on a router in two modes: Internal BGP (IBGP) and External BGP (EBGP).
BGP is called IBGP when it runs within an AS and EBGP when it runs among
ASs.
[Figure: BGP message header format, with the fields Marker, Length, and Type]
Open Message
The open message is the first message sent after the creation of a TCP connection, which is used
to connect BGP peers.
The message format is shown in Figure 4-61.
[Figure 4-61: Open message format, with the fields My Autonomous System, Hold Time,
BGP Identifier, and Optional Parameters]
Update Message
Update messages are used to exchange routing information between BGP peers. An Update
message can advertise one feasible route or withdraw multiple unfeasible routes.
The message format is shown in Figure 4-62.
Notification Message
The notification message is sent by one side to notify its peer of an error. After that, the BGP
connection is closed immediately.
l Error Code
It specifies the error type.
l Error Subcode
It specifies the details of the error type.
l Data
It is used to diagnose the reason for the error. Its length is variable.
The Error Code and Error Subcode values of the Notification message are shown in Table
4-12.
Table 4-12 Error codes and error subcodes of the Notification messages
Error Code Error Subcode
6: Terminate 0
Keepalive Message
The keepalive message is used to check the validity of a connection. It only contains the packet
header without any other fields.
Route-refresh Message
The Route-refresh message notifies the route refreshment capability.
If all BGP routers are enabled with the route-refresh capability, the local BGP router sends
route-refresh information to its peers when the routing policy of BGP changes. The peers that
receive the information resend their routing information to the local BGP router. Thus, the
routing table of BGP can be dynamically refreshed and the new routing policy can be used
without interrupting BGP connections.
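The message layouts described in this section (common header, Open, Notification, Keepalive, and Route-refresh) can be checked with a small parser; this is an added example, not code from the guide or from Huawei. Field widths and validity checks follow RFC 4271 and RFC 2918 rather than this page, the function names are made up for the example, and the sample bytes are constructed using AS 65533 and router ID 200.1.1.1 from the DPI A configuration.

```python
import ipaddress
import struct

HEADER_LEN = 19        # Marker (16 bytes) + Length (2) + Type (1)
MAX_LEN = 4096         # largest message RFC 4271 allows
MARKER = b"\xff" * 16  # RFC 4271 sets every Marker bit to one
MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION",
             4: "KEEPALIVE", 5: "ROUTE-REFRESH"}
ERROR_CODES = {
    1: "Message Header Error", 2: "OPEN Message Error",
    3: "UPDATE Message Error", 4: "Hold Timer Expired",
    5: "Finite State Machine Error",
    6: "Terminate",  # label used in Table 4-12; RFC 4271 calls it Cease
}


class BGPParseError(ValueError):
    """Raised when a message violates the header or body layout."""


def parse_open(body):
    # Version (1), My Autonomous System (2), Hold Time (2),
    # BGP Identifier (4), Optional Parameters Length (1), then the parameters.
    if len(body) < 10:
        raise BGPParseError("OPEN body shorter than 10 bytes")
    version, my_as, hold, ident, opt_len = struct.unpack("!BHH4sB", body[:10])
    if opt_len != len(body) - 10:
        raise BGPParseError("Optional Parameters length mismatch")
    if hold in (1, 2):
        raise BGPParseError("Hold Time must be 0 or at least 3 seconds")
    return {"version": version, "my_as": my_as, "hold_time": hold,
            "bgp_identifier": str(ipaddress.IPv4Address(ident)),
            "optional_parameters": body[10:]}


def parse_notification(body):
    # Error Code (1), Error Subcode (1), variable-length Data.
    if len(body) < 2:
        raise BGPParseError("NOTIFICATION body shorter than 2 bytes")
    return {"error_code": body[0], "subcode": body[1], "data": body[2:],
            "error": ERROR_CODES.get(body[0], "Unknown")}


def parse_message(buf):
    """Parse one message at the start of buf; return (fields, rest of buf)."""
    if len(buf) < HEADER_LEN:
        raise BGPParseError("truncated header")
    marker, length, mtype = struct.unpack("!16sHB", buf[:HEADER_LEN])
    if marker != MARKER:
        raise BGPParseError("Marker is not all ones")
    if not HEADER_LEN <= length <= MAX_LEN:
        raise BGPParseError(f"Length {length} out of range")
    if len(buf) < length:
        raise BGPParseError("truncated body")
    body = buf[HEADER_LEN:length]
    msg = {"type": MSG_TYPES.get(mtype, f"UNKNOWN({mtype})"), "length": length}
    if mtype == 1:
        msg.update(parse_open(body))
    elif mtype == 3:
        msg.update(parse_notification(body))
    elif mtype == 4:
        if body:
            raise BGPParseError("KEEPALIVE must contain only the header")
    elif mtype == 5:
        if len(body) != 4:
            raise BGPParseError("ROUTE-REFRESH body must be 4 bytes")
        msg["afi"], _, msg["safi"] = struct.unpack("!HBB", body)
    else:
        msg["body"] = body  # UPDATE and unknown types are left undecoded
    return msg, buf[length:]


def parse_stream(buf):
    """Split a TCP payload (port 179) into its BGP messages."""
    msgs = []
    while buf:
        msg, buf = parse_message(buf)
        msgs.append(msg)
    return msgs


def is_valid(buf):
    """True if every message in buf parses cleanly."""
    try:
        parse_stream(buf)
        return True
    except BGPParseError:
        return False


def build(mtype, body=b""):
    """Construct a sample message (test data only)."""
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), mtype) + body


# Constructed sample: OPEN from AS 65533 / 200.1.1.1, a KEEPALIVE, then a
# NOTIFICATION with Error Code 6 and Error Subcode 0 as listed in Table 4-12.
SAMPLE_STREAM = (
    build(1, struct.pack("!BHH4sB", 4, 65533, 180,
                         ipaddress.IPv4Address("200.1.1.1").packed, 0))
    + build(4)
    + build(3, bytes([6, 0]))
)

if __name__ == "__main__":
    for message in parse_stream(SAMPLE_STREAM):
        print(message)
```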
4.7.1 Overview
A subnet is a collection of IP addresses. The subnet consists of one or multiple IP segments.
Both IPv4 and IPv6 addresses can be added to the subnet. For subnet management, the SIG
supports manually adding, modifying, and deleting subnets, as well as importing subnets in
batches from the .xls template provided by the system.
Prerequisites
The following requirements should be met:
l 3.2 Checking the Status of the Front End and Back End is complete.
l The current user has the Subscriber and Network Management service permission and
the data permission for the areas to be managed.
Context
The subnets to be imported include the following information:
l Subnet name: ExampleSubnet1; IP addresses: 10.10.10.0/28 and 20.20.20.20.
l Subnet name: ExampleSubnet2; IP addresses: 30.30.30.0 to 30.30.30.30 and 40.40.40.0/24.
Procedure
Step 1 Log in to the Back End.
Step 2 Add a subnet.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Subnet And AS Domain Group > Subnet Management.
2. Click Add. The Add Subnet dialog box is displayed.
3. Enter ExampleSubnet1 in Subnet Name, as shown in Figure 4-64.
4. Click the IP Segment tab. Select Mask from Type. Enter 10.10.10.0 in Subnet
Address. Enter 28 in Mask Digits. Click Add. A record is added to the list in the dialog
box.
5. Select IP Segment from Type. Enter 20.20.20.20 in Start IP Address. Enter
20.20.20.20 in End IP Address. Click Add. Another record is added to the list in the dialog
box.
6. Click OK. The system returns to the previous page and the added records are displayed.
----End
Prerequisites
The following conditions should be met:
l 3.2 Checking the Status of the Front End and Back End is complete.
l The current user has the Subscriber and Network Management service permission and
the data permission for the areas to be managed.
Context
The subnets to be imported include the following information:
Procedure
Step 1 Log in to the Back End.
Step 2 Import the subnet.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Subnet And AS Domain Group > Subnet Management.
2. Click Import. The Subnet Import dialog box is displayed, as shown in Figure 4-65.
3. Click the Subnet Template link to obtain the .xls template file. In the file, enter the account
information to be imported and save the operations, as shown in Figure 4-66.
----End
Traffic management service is the basic service of the SIG. By applying the traffic management
service, you can monitor traffic and traffic direction through reports, and implement QoS
management on traffic and traffic direction.
The customized data reporting is used to set the range in which statistics on traffic and traffic
direction data are collected, including the flow classification statistics policy, subscriber protocol
statistics policy, and subscriber group statistics policy. To adjust the range in which statistics on
traffic and traffic direction data are collected, perform this task. In addition, if you need to report
the report data by subscriber group attribute, configure the function when you add or change the
subscriber group attribute. This operation is not in the task.
5.2.1 Overview
This section describes the categories and functions of traffic reports.
Based on the DPI technology, the SIG provides diversified traffic reports to display network
traffic, as shown in Figure 5-1.
Traffic reports are divided into the following categories by analysis object:
When you need to query the connection number report, select different connection number types in
the query condition. The connection number types are listed as follows:
l Number of New Connections
Records the total number of new connections established within a specific time range.
l Number of Disconnected Connections
Records the total number of connections disconnected within a specific time range.
l Number of Average Connections
Records the value of the total number of transient connections at each sampling time point divided
by sampling times.
The number of average connections in a five-minute report is sampled 4 to 8
times. The number of average connections in an hourly, daily, or monthly report is calculated
on the basis of the five-minute report.
When you query a report, if you only enter the query time range without selecting the data granularity
for the report, the data granularity is to be decided automatically according to the length of the time
range specified.
The time points at which queries can be performed are different for multiple data granularities. If no
result is displayed after a query, try modifying query conditions.
Time Granularity in the query condition does not have a mapping relationship with the data
granularity of the report in the query result, and is used only for the convenience of entering a time
range for the query.
The storage period of the report data can be specified. For details, see 21.2 Configuring the Report
Storage Cycle.
l Hourly report
Figure 5-2 and Figure 5-3 show report examples.
The hourly report is formed by the statistics of multiple five-minute reports, and statistics
within the last hour are collected every half-hour. For example, statistics from 08:00 to
09:00 are collected at 9:30. If it is 09:20, records at 08:00 are unavailable in the hourly
report.
l Daily report
The daily report is formed by the statistics of hourly reports, and statistics on the last day
are collected at 01:00 every day. For example, statistics on January 1 are collected at 01:00
on January 2. If it is 00:30 on January 2, records on January 1 are unavailable in the daily
report.
l Monthly report
The data in the monthly report can be saved for up to four years. The monthly report is
formed by the statistics of daily reports, and statistics of the last month are collected at
03:00 on the first day of each month. For example, statistics on January are collected at
03:00 on February 1. If it is 01:00 on February 1, records on January are unavailable in the
monthly report.
Prerequisites
Requirements are as follows:
l 4 Subscriber and Network Object Initialization is complete.
l The current user has the Statistics and Analysis Report service permission.
To enable port statistics collection of links for querying related reports, the current user
should have the Subscriber and Network Management service permission.
NOTE
If the system displays no data when you query the reports, do the following:
1. Check whether the time range of the query exceeds the storage cycle. For details on storage cycles, see
21.2 Configuring the Report Storage Cycle.
2. Check whether the configuration of the data reporting is correct. For details on data reporting, see
5.8.1 Overview in 5.8 Customized Data Reporting.
Procedure
Step 1 Log in to the Back End.
Step 2 (Optional) Enable port statistics collection to query link port-related reports.
NOTE
l If selecting Save Query Conditions before querying reports, you do not need to enter query conditions
for the next query.
l To apply the report function for timed tasks, click Timed Task. For details, see 21.4 Managing Timed
Task Reports.
To save time for other operations, click Background Implementation. For details, see 21.5 Managing
Background Task Reports.
On the report query interface, you can export reports in different formats:
----End
Report Navigation
You can click the following links to view the report examples.
NOTE
The information in the following examples is subject to change without notice.
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Real-Time
Traffic
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Port Traffic
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Traffic Trend
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Connection
Number Trend
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Traffic
Proportion
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Connection
Number Proportion
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N Protocols
by Traffic
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N Protocols
by Connection Number
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N Ports by
Traffic
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > QoS Traffic
Trend
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > HTTP Content
Traffic Trend
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Bandwidth
Usage Trend
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N by Traffic
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N by
Connection Number
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N by
Bandwidth Usage
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Congestion Log
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Real-Time
Traffic
Through this report, you can monitor the traffic of the specified or all types on a link or a virtual
tunnel in real time.
Figure 5-4 shows the report screenshot of all traffic on a link.
NOTE
l The information about the real-time traffic of all types in Traffic Type List is displayed in the following
list.
l Real-time Traffic Curves has three types. The total traffic is displayed in the first figure. When you select
one or more traffic types in Traffic Type List, the real-time upstream traffic and real-time downstream
traffic are displayed in the second figure and the third figure respectively.
l Click Start Monitoring. The real-time data will be displayed in one minute.
l The refreshing frequency of the real-time data is 16 seconds.
l The real-time data is not saved.
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Port Traffic
Through this report, you can view the traffic of one or multiple ports on a link within a given
time range, and the traffic distribution trend of the specified port.
NOTE
The system collects statistics on the source ports of upstream traffic packets and the destination ports of
downstream traffic packets.
Through the query on the traffic by port, you can view the traffic data of the TCP and UDP ports on the
link. For example, the traffic of TCP port 80 indicates all the traffic transmitted on TCP port 80, not only
HTTP traffic.
Figure 5-5 shows the report screenshot of the traffic of multiple ports on a link.
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Traffic Trend
Through this report, you can view the traffic distribution trend on links or virtual tunnels within
a given time range, and compare the traffic distribution trend on a link before and after
control.
NOTE
When you query the curve graph, the system supports the trend forecast function. Once the function is
enabled, the system adds the trend forecast line in the graph. This function is used to display the long-term
traffic trend when the query granularity is relatively large, such as month.
Figure 5-6 shows a report screenshot of the distribution trend comparison of the traffic trend on
a link.
NOTE
The DST behind the time in the preceding figure indicates the Daylight Saving Time. The DST is displayed
only when it is configured. No further description is provided in the following.
Outside Top N Value indicates all traffic types excluding the ones in Top N. If the value is set
to 0, the query function is disabled. Similar details will be omitted in the following.
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Connection
Number Trend
Through this report, you can view the connection number distribution trend on a link or virtual
tunnel within a given time range.
Figure 5-7 shows a report screenshot of the connection number distribution trend on a link.
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Traffic
Proportion
Through this report, you can view the proportion of the specified traffic on a link or virtual
tunnel within a given time range.
Figure 5-8 shows a report screenshot of the traffic proportion of all P2P protocols to the P2P
category on a link.
NOTE
Both category traffic and protocol traffic are reported to the database respectively. Therefore, if you move
a protocol to another category manually, the system does not re-count the reported category traffic.
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Connection
Number Proportion
Through this report, you can view the proportion of the connection number of the specified
traffic type on a link or a virtual tunnel within a given time range.
Figure 5-9 shows a report screenshot of the connection number proportion of all Web_Browsing
protocols to the Web_Browsing category on a link.
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N
Protocols by Traffic
Through this report, you can view top N categories or protocols by traffic on a link or a virtual
tunnel within a given time range.
Figure 5-10 shows a report screenshot of top 10 protocols in the Web_Browsing category by
traffic on a link.
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N
Protocols by Connection Number
Through this report, you can view top N categories or protocols by connection number on a link
or a virtual tunnel within a given time range.
Figure 5-11 shows a report screenshot of top 10 categories by connection number on a link.
NOTE
For the network traffic of unknown protocol types, the SIG identifies the network traffic into four types,
namely, Error_Packets, Generic_Tcp, Generic_Udp and Generic_Other.
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N Ports
by Traffic
Through this report, you can view top N ports by traffic on a link within a given time range.
Figure 5-12 shows a report screenshot of top 10 ports by traffic on a link.
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > QoS Traffic
Trend
Through this report, you can view the traffic distribution trend by ToS or DSCP field on one or
multiple links within a given time range, and compare the traffic distribution trend on a link
before and after control by the ToS or DSCP field.
Figure 5-13 shows a report screenshot of the distribution trend comparison of the traffic before
and after control by the DSCP 001010 field on a link.
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > HTTP Content
Traffic Trend
Through this report, you can view the traffic distribution trend of HTTP packets by content (such
as images, texts, and applications) on one or multiple links within a given time range. Traffic is
analyzed and categorized according to the Content-type field of HTTP packets.
NOTE
Before querying this report, ensure that the service analyze http-content enable command has been run
to enable the content analysis function of HTTP packets.
Figure 5-14 shows a report screenshot of the traffic distribution trend of HTTP packets by content
on a link.
Figure 5-14 Example of the report on the HTTP content traffic trend
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Bandwidth
Usage Trend
Through this report, you can view the bandwidth usage trend of the specified link, link group,
or virtual tunnel monitored by the SIG within a given time range.
Figure 5-15 shows a report screenshot of the bandwidth usage trend of downstream traffic on a
link.
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N by
Traffic
Through this report, you can view top N links of the specified range or virtual tunnels of the
specified range in a virtual tunnel category by traffic. Both of the links and virtual tunnels are
monitored by the SIG.
and the report displays top N objects whose traffic meeting required conditions
simultaneously.
In addition, you can configure associated query conditions for this report to display the traffic
proportion of several categories of top N statistical objects and the traffic proportion of several
protocols of a certain category.
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N by
Connection Number
Through this report, you can view top N links of the specified range or virtual tunnels of the
specified range in a virtual tunnel category by connection number. Both of the links and virtual
tunnels are monitored by the SIG.
The following statistics modes are available:
• Rank by average value
Indicates ranking by average connection number. For example, if you choose to query the
top N statistical object report by average connection number of one day, the system ranks
objects according to the daily connection number.
• Rank by daily intersection
The system ranks top N statistical objects by connection number at multiple analysis points
in time within a given time range and then takes the intersection of the objects in each
rank. That is, the report displays only the top N objects ranked by connection number at
each point in time. For example, if you query the top N statistical object report by connection
number based on the daily intersection of a week, the system queries the top N objects
ranked by connection number on each day, and the report displays the top N objects whose
connection number meets the required conditions simultaneously.
In addition, you can configure associated query conditions for this report to display the traffic
proportion of several categories of top N statistical objects and the traffic proportion of several
protocols of a certain category.
Figure 5-17 shows a report screenshot of the top 10 links by connection number.
Figure 5-17 Example of the top N statistical object report by connection number
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N by
Bandwidth Usage
Through this report, you can view top N links of the specified range or virtual tunnels of the
specified range in a virtual tunnel category by bandwidth usage. Both of the links and virtual
tunnels are monitored by the SIG.
This report collects statistics on all links of the specified range or all virtual tunnels of the
specified range in a virtual tunnel category. Both of the links and virtual tunnels are monitored
by the SIG. Traffic is divided into upstream traffic, downstream traffic, and bidirectional traffic
by direction. If you select bidirectional traffic, the bandwidth usage of the statistical objects is
the larger value between the bandwidth usage of upstream traffic and that of downstream traffic.
The following statistics modes are available:
• Rank by average value
Indicates ranking by average bandwidth usage. For example, if you choose to query the top
N statistical object report by bandwidth usage of one day, the system ranks objects
according to the daily average bandwidth usage.
• Rank by daily intersection
The system ranks top N statistical objects by bandwidth usage at multiple analysis points
in time within a given time range and then takes the intersection of the objects in each
rank. That is, the report displays only the top N statistical objects ranked by bandwidth
usage at each point in time. For example, if you query the top N statistical object report by
bandwidth usage based on the daily intersection of a week, the system queries the top N
objects ranked by bandwidth usage on each day, and the report displays the top N objects whose
bandwidth usage meets the required conditions simultaneously.
In addition, you can configure associated query conditions for this report to display the traffic
proportion of several categories of top N statistical objects and the traffic proportion of several
protocols of a certain category.
Figure 5-18 shows a report screenshot of the top 10 links by bandwidth usage.
Figure 5-18 Example of the top N statistical object report by bandwidth usage
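The two statistics modes used by the Top N by Connection Number and Top N by Bandwidth Usage reports can rank the same data differently. The following Python sketch is an added illustration, not code from the SIG; the link names, the sample values, applying the bidirectional maximum per day before ranking, and ordering the intersection result by average are assumptions.

```python
"""Top N ranking modes: rank by average value vs. rank by daily intersection."""
from statistics import mean

# Constructed sample data: bandwidth usage in percent, one (upstream, downstream)
# pair per day over a three-day query range. Link names are hypothetical.
USAGE = {
    "link-A": [(40, 70), (42, 68), (41, 71)],   # steadily busy
    "link-B": [(10, 99), (99, 12), (11, 20)],   # two-day burst, then quiet
    "link-C": [(55, 50), (54, 52), (56, 51)],
    "link-D": [(20, 30), (25, 28), (60, 22)],   # busy on the last day only
}

PICK = {
    "upstream": lambda sample: sample[0],
    "downstream": lambda sample: sample[1],
    # Bidirectional: the larger of the upstream and downstream usage.
    "bidirectional": max,
}

def series(usage, direction):
    """Reduce each (up, down) sample to one value per analysis point."""
    return {obj: [PICK[direction](s) for s in samples]
            for obj, samples in usage.items()}

def top_n(values, n):
    """Names of the n objects with the highest value (ties broken by name)."""
    ranked = sorted(values.items(), key=lambda kv: (-kv[1], kv[0]))
    return [obj for obj, _ in ranked[:n]]

def rank_by_average(usage, n, direction="bidirectional"):
    """Rank once, on the average over the whole query range."""
    data = series(usage, direction)
    return top_n({obj: mean(vals) for obj, vals in data.items()}, n)

def rank_by_daily_intersection(usage, n, direction="bidirectional"):
    """Rank at every analysis point and keep only objects in every top N."""
    data = series(usage, direction)
    points = len(next(iter(data.values())))
    survivors = set(data)
    for i in range(points):
        survivors &= set(top_n({obj: vals[i] for obj, vals in data.items()}, n))
    # Assumption: survivors are listed by their average over the range.
    return top_n({obj: mean(data[obj]) for obj in survivors}, len(survivors))

if __name__ == "__main__":
    print("average:     ", rank_by_average(USAGE, 2))
    print("intersection:", rank_by_daily_intersection(USAGE, 2))
```

With this data, the bursty link tops the average ranking but drops out of the intersection, which can legitimately return fewer than N objects.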
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Congestion
Log
This report is used to view historical congestion logs of the congestion detection object.
According to the five-minute traffic report data, the Front End checks the status of the link or
virtual tunnel. If an object matches the congestion trigger or release conditions, the Front End
sends the message to the Back End and generates the congestion logs.
NOTE
For details on congestion detection and control, see 5.5 Configuring Congestion Detection and
Control.
Figure 5-19 shows an example for congestion logs of all links within a given time range.
Report Navigation
You can click the following links to view the report examples.
NOTE
The information in the following examples is subject to change without notice.
• Statistics and Analysis Report > Traffic > Subscriber > Real-Time Traffic
• Statistics and Analysis Report > Traffic > Subscriber > Traffic Trend
• Statistics and Analysis Report > Traffic > Subscriber > Customer Number Trend
• Statistics and Analysis Report > Traffic > Subscriber > YouTube Traffic Trend
• Statistics and Analysis Report > Traffic > Subscriber > Traffic Proportion
• Statistics and Analysis Report > Traffic > Subscriber > Connection Number Proportion
• Statistics and Analysis Report > Traffic > Subscriber > Customer Number Proportion by Attribute
• Statistics and Analysis Report > Traffic > Subscriber > Traffic Proportion by Attribute
• Statistics and Analysis Report > Traffic > Subscriber > Top N Protocols by Traffic
• Statistics and Analysis Report > Traffic > Subscriber > Top N Protocols by Connection Number
• Statistics and Analysis Report > Traffic > Subscriber > Traffic Comparison in Peak&Off-peak
• Statistics and Analysis Report > Traffic > Subscriber > Customer Number Proportion by Traffic Segment
• Statistics and Analysis Report > Traffic > Subscriber > Traffic Proportion by Customer Proportion
• Statistics and Analysis Report > Traffic > Subscriber > Heavy User Traffic Proportion
Statistics and Analysis Report > Traffic > Subscriber > Real-Time Traffic
Through this report, you can monitor the traffic of the specified or all types for a subscriber in
real time.
Figure 5-20 shows the report screenshot of all the traffic of a subscriber in an area.
NOTE
• The information about the real-time traffic of all types in Traffic Type List is displayed in the following
list.
• Real-time Traffic Curves has three types. The total traffic is displayed in the first figure. When you select
one or more traffic types in Traffic Type List, the real-time upstream traffic and real-time downstream
traffic are displayed in the second figure and the third figure respectively.
• Click Start Monitoring. The real-time data will be displayed in one minute.
• The refreshing frequency of the real-time data is 16 seconds.
• The real-time data is not saved.
Statistics and Analysis Report > Traffic > Subscriber > Traffic Trend
Through this report, you can view the traffic distribution trend for one or multiple subscribers
within a given time range.
NOTE
When you query the curve graph, the system supports the trend forecast function. Once the function is
enabled, the system adds the trend forecast line in the graph. This function is used to display the long-term
traffic trend when the query granularity is relatively large, such as month.
Figure 5-21 shows a report screenshot of the traffic distribution trend of subscribers in an area.
Statistics and Analysis Report > Traffic > Subscriber > Customer Number Trend
Through this report, you can view the connection number distribution trend for one or multiple
subscribers within a given time range.
Figure 5-22 shows a report screenshot of the connection number distribution trend of subscribers
in an area.
Statistics and Analysis Report > Traffic > Subscriber > YouTube Traffic Trend
Through this report, you can view the traffic distribution trend of YouTube and YouTube_HD
for the subscribers of a category within a given time range.
YouTube and YouTube_HD are the protocols of the Video category. You can use the traffic
trend report to view the traffic distribution trend of these two protocols. The YouTube traffic
trend report provides statistics on both traffic trends and access counts.
Figure 5-23 shows the report screenshot of the traffic distribution trend of YouTube and
YouTube_HD protocols for subscribers in an area.
Statistics and Analysis Report > Traffic > Subscriber > Traffic Proportion
Through this report, you can view the proportion of the specified traffic for one or multiple
subscribers within a given time range.
Figure 5-24 shows a report screenshot of the traffic proportion of all Web_Browsing protocols
to the Web_Browsing category for subscribers in an area.
NOTE
Category traffic and protocol traffic are reported to the database separately. Therefore, if you move
a protocol to another category manually, the system does not re-count the reported category traffic.
NOTE
• If the traffic direction is Upstream Traffic and the value type is Average, the value of Upstream
Traffic in the report is the average value of the traffic of each protocol within the specified time range.
Proportion indicates the proportion of the upstream traffic of each protocol to the total upstream traffic.
• If the traffic direction is Upstream Traffic and the value type is Peak, the value of Upstream
Traffic in the report is peak traffic. Proportion indicates the proportion of the upstream traffic of each
protocol to the total upstream traffic at peak. The peak is the time when the total upstream traffic of all
types to be queried reaches the maximum value.
• If the traffic direction is Upstream Traffic and the value type is Trough, the value of Upstream
Traffic in the report is trough traffic. Proportion indicates the proportion of the upstream traffic of
each protocol to the total upstream traffic at trough. The trough is the time when the total upstream
traffic of all types to be queried reaches the minimum value.
Statistics and Analysis Report > Traffic > Subscriber > Connection Number
Proportion
Through this report, you can view the proportion of the connection number of the specified
traffic type for one or multiple subscribers within a given time range.
Figure 5-25 shows a report screenshot of the proportion of the connection number of the P2P,
PeerCasting, and Web_Browsing categories to all connections for subscribers in an area.
Statistics and Analysis Report > Traffic > Subscriber > Customer Number
Proportion by Attribute
Through this report, you can view the proportion of customers using different types of mobile
phones, browsers, or OSs for the subscribers of a category within a given time range.
Figure 5-26 shows a report screenshot of the proportion of customers using different mobile types
in an area.
Figure 5-26 Example of the report on the customer number proportion by attribute
Statistics and Analysis Report > Traffic > Subscriber > Traffic Proportion by
Attribute
Through this report, you can view the traffic proportion of different mobile phone types, browser
types, and OS types to the total traffic for the subscribers of a category within a given time range.
For example, Figure 5-27 shows a report screenshot of the traffic proportion of different mobile
types to the total traffic on a day in an area.
This report is similar to that on the traffic proportion of subscribers. For details, see Statistics
and Analysis Report > Traffic > Subscriber > Traffic Proportion.
Statistics and Analysis Report > Traffic > Subscriber > Top N Protocols by Traffic
Through this report, you can view top N categories, protocols or flow classifications by traffic
for the subscribers of a category within a given time range.
Figure 5-28 shows a report screenshot of the top 10 P2P protocols by traffic of subscribers in an area.
Statistics and Analysis Report > Traffic > Subscriber > Top N Protocols by
Connection Number
Through this report, you can view top N categories, protocols or flow classifications by
connection number for the subscribers of a category within a given time range.
Figure 5-30 shows a report screenshot of the top 10 IM protocols by connection number of subscribers
in an area.
Statistics and Analysis Report > Traffic > Subscriber > Traffic Comparison in
Peak&Off-peak
Through this report, you can view the comparison among bandwidth peak value, average value,
and trough value for the subscribers of a category within a given time range.
Figure 5-30 shows the report screenshot of the comparison among bandwidth peak value,
average value, and trough value of subscribers in an area.
• The red box indicates the time for the peak value of the total traffic within the query time.
The traffic, bandwidth, and packet rate in record 1 are the values at the peak time.
• The green box indicates the time for the trough value of the total traffic within the query
time. The traffic, bandwidth, and packet rate in record 3 are the values at the trough time.
• The blue box indicates that within the query time, traffic in record 2 is the total value and
the bandwidth is the average value.
That is, the time for the peak value and trough value is determined by the total traffic; however,
the report displays the traffic of the queried protocol at the corresponding query moment.
Statistics and Analysis Report > Traffic > Subscriber > Customer Number
Proportion by Traffic Segment
This report is used to collect statistics on the number of subscribers within the specified traffic
segment.
For example, you can query the proportion of subscribers among all the users in a certain area
for every 100 MB of downstream traffic used within the traffic segment between 0 MB and
300 MB. To be more specific, the report can display the proportion of subscribers who use less
than 100 MB on that day among all the users. It can also display the proportion of subscribers
who use more than 100 MB and less than 200 MB on that day, and the proportion of subscribers
who use more than 200 MB and less than 300 MB on that day.
Figure 5-32 shows the report snapshot.
Statistics and Analysis Report > Traffic > Subscriber > Traffic Proportion by
Customer Proportion
This report is used to collect statistics on traffic used by the subscribers of different proportions
within the given time range. For example, you can view traffic distribution reports by subscriber
proportion of a day in an area. To be specific, the report can display the proportion of the traffic
used by top 5%, 10%, or 15% subscribers to the total traffic of a day in an area respectively.
Figure 5-33 shows the report snapshot.
Statistics and Analysis Report > Traffic > Subscriber > Heavy User Traffic
Proportion
This report is used to view statistics on the proportion of traffic taken by a specific Heavy
User group.
A Heavy User group contains the top N users in a specific area or according to other group attributes.
For example, you can include the top 10% of users that use the most traffic in each month in a
Heavy User group. The remaining 90% are termed non-Heavy Users.
NOTE
For details on the defining method of Heavy User group, see 4.2.4 Typical Configuration Example
(Importing Subscriber Accounts in Batches and Adding Heavy User Group).
Report Navigation
You can click the following links to view the report examples.
NOTE
The information in the following examples is subject to change without notice.
• Statistics and Analysis Report > Traffic > Very Important Customer > Real-Time Traffic
• Statistics and Analysis Report > Traffic > Very Important Customer > Traffic Trend
• Statistics and Analysis Report > Traffic > Very Important Customer > Connection Number Trend
• Statistics and Analysis Report > Traffic > Very Important Customer > Traffic Proportion
• Statistics and Analysis Report > Traffic > Very Important Customer > Connection Number Proportion
• Statistics and Analysis Report > Traffic > Very Important Customer > Top N Protocols by Traffic
• Statistics and Analysis Report > Traffic > Very Important Customer > Top N Protocols by Connection Number
Statistics and Analysis Report > Traffic > Very Important Customer > Real-Time
Traffic
Through this report, you can monitor the traffic of the specified or all types of a VIC in real time.
Figure 5-35 shows the report screenshot of all the traffic of a VIC in an area.
NOTE
• The information about the real-time traffic of all types in Traffic Type List is displayed in the following
list.
• Real-time Traffic Curves has three types. The total traffic is displayed in the first figure. When you select
one or more traffic types in Traffic Type List, the real-time upstream traffic and real-time downstream
traffic are displayed in the second figure and the third figure respectively.
• Click Start Monitoring. The real-time data will be displayed in one minute.
• The refreshing frequency of the real-time data is 16 seconds.
• The real-time data is not saved.
Statistics and Analysis Report > Traffic > Very Important Customer > Traffic Trend
Through this report, you can view the traffic distribution trend for one or multiple VICs within
a given time range.
Figure 5-36 shows a report screenshot of the traffic distribution trend of VICs in an area.
Statistics and Analysis Report > Traffic > Very Important Customer > Connection
Number Trend
Through this report, you can view the connection number distribution trend for one or multiple
VICs within a given time range.
Figure 5-37 shows a report screenshot of the connection number distribution trend of VICs in an
area.
Statistics and Analysis Report > Traffic > Very Important Customer > Traffic
Proportion
Through this report, you can view the proportion of the specified traffic for one or multiple VICs
within a given time range.
Figure 5-38 shows a report screenshot of the traffic proportion of all P2P protocols to the P2P
category for a VIC in an area.
NOTE
Category traffic and protocol traffic are reported to the database separately. Therefore, if you move
a protocol to another category manually, the system does not re-count the reported category traffic.
Statistics and Analysis Report > Traffic > Very Important Customer > Connection
Number Proportion
Through this report, you can view the proportion of the connection number of the specified
traffic type for one or multiple VICs within a given time range.
Figure 5-39 shows a report screenshot of the connection number proportion of all Web_browsing
protocols to the Web_browsing category for a VIC in an area.
Statistics and Analysis Report > Traffic > Very Important Customer > Top N
Protocols by Traffic
Through this report, you can view top N categories or protocols by traffic for the VICs of a
category within a given time range.
Figure 5-40 shows a report screenshot of the top 10 categories by traffic of VICs in an area.
Statistics and Analysis Report > Traffic > Very Important Customer > Top N
Protocols by Connection Number
Through this report, you can view top N categories or protocols by connection number for the
VICs of a category within a given time range.
Figure 5-41 shows a report screenshot of the top 10 protocols by connection number of VICs in an
area.
Report Navigation
You can click the following links to view the report examples.
NOTE
The information in the following examples is subject to change without notice.
• Statistics and Analysis Report > Traffic > Consolidated Report > Top N Video Web Sites Traffic Trend
• Statistics and Analysis Report > Traffic > Consolidated Report > Subscriber Traffic Proportion to Total Traffic
• Statistics and Analysis Report > Traffic > Consolidated Report > Subscriber Connection Number Proportion to Total Connection Number
• Statistics and Analysis Report > Traffic > Consolidated Report > Subscriber Traffic Proportion Trend to Total Traffic
Statistics and Analysis Report > Traffic > Consolidated Report > Top N Video Web
Sites Traffic Trend
Through this report, you can view the distribution trend of top N Web sites by video access
traffic on the current network within a given time range.
The report contains the following types of traffic:
• Traffic of Video and Streaming categories
• Traffic of HTTP response packets whose Content-Type is Video/XXX
If the Web site has a domain name, the report displays the domain name as the statistical object;
otherwise, the report displays the IP address of the Web site as the statistical object.
Figure 5-42 shows a report screenshot of the traffic trend of top N video Web sites within a given
time range.
Figure 5-42 Example of the traffic trend report on top N video Web sites
Statistics and Analysis Report > Traffic > Consolidated Report > Subscriber Traffic
Proportion to Total Traffic
Through this report, you can view the traffic proportion of a subscriber to all traffic on the
monitored network within a given time range.
Figure 5-43 shows a report screenshot of the traffic proportion of subscribers to all traffic in an
area.
Figure 5-43 Example of the report on the subscriber traffic proportion to total traffic
Statistics and Analysis Report > Traffic > Consolidated Report > Subscriber
Connection Number Proportion to Total Connection Number
Through this report, you can view the connection number proportion of a subscriber to all
connection numbers on the monitored network within a given time range.
Figure 5-44 shows a report screenshot of the connection number proportion of subscribers to all
connection numbers in an area.
Figure 5-44 Example of the report on the subscriber connection number proportion to total
connection number
Statistics and Analysis Report > Traffic > Consolidated Report > Subscriber Traffic
Proportion Trend to Total Traffic
Through this report, you can view the trend of the traffic proportion of a subscriber to all traffic
on the monitored network within a given time range.
Figure 5-45 shows a report screenshot of the trend of the traffic proportion of subscribers to all
traffic in an area.
Figure 5-45 Example of the report on the subscriber traffic proportion trend to total traffic
5.2.7 Reference
This section describes the commands related to traffic reports.
For details, see Table 5-1.
Table 5-1
Item: Set the protocol type of tunnels that need to be decapsulated
Command: decapsulation tunnel-protocol { mpls | qinq | gre | l2tp | 6over4 }
For other commands of the Front End, refer to the HUAWEI SIG9800 Service Inspection
Gateway Command Reference.
5.3.1 Overview
This section describes the categories and functions of the user behavior statistics report.
The user behavior statistics report is used for analyzing and collecting statistics on subscribers'
behaviors, and includes the following types:
• Top N Customers by Online Duration
Used for ranking and analyzing subscribers by online duration on the current network, for
example, querying top 10 subscribers by online duration within a given time range in an
area.
• Top N Customers by Online Times
Used for ranking and analyzing subscribers by online times on the current network, for
example, querying top 10 subscribers by online times within a given time range in an area.
• Customer Number Trend
Used for analyzing the number of subscribers on the live network. In this report, data for
each time segment indicates the accumulative total number of customers within this time
range. For example, hourly report data is the accumulative value of 12 five-minute reports
without repetitive values within this hour; daily report data is the accumulative value of 24
hourly reports without repetitive values on this day. Compared with the report on the
customer number trend, this report has complicated algorithms and therefore is generated
slowly.
Prerequisites
Requirements are as follows:
If the system displays no data when you query the reports, proceed as follows:
1. Check whether the time range of the query exceeds the storage cycle. For details on storage cycles, see
21.2 Configuring the Report Storage Cycle.
2. Check whether the data reporting configuration is correct. For details on data reporting, see
5.8.1 Overview in 5.8 Customized Data Reporting.
Procedure
Step 1 Log in to the Back End.
Step 2 In the navigation tree, choose Statistics and Analysis Report > User Behavior >
Subscriber. Then select the reports to be queried as required.
• If you select Save Query Conditions before querying reports, you do not need to enter query conditions
for the next query.
• To apply the report function for timed tasks, click Timed Task. For details, see 21.4 Managing Timed
Task Reports.
NOTE
To save time for other operations, click Background Implementation. For details, see 21.5 Managing
Background Task Reports.
On the report query interface, you can export reports in different formats:
----End
Report Navigation
You can click the following links to view the report examples.
NOTE
The information in the following examples is subject to change without notice.
• Statistics and Analysis Report > User Behavior > Subscriber > Customer Number Proportion
• Statistics and Analysis Report > User Behavior > Subscriber > Customer Attributes Statistics
• Statistics and Analysis Report > User Behavior > Subscriber > Peak Host Number Trend
• Statistics and Analysis Report > User Behavior > Subscriber > Top N Customers by Traffic
• Statistics and Analysis Report > User Behavior > Subscriber > Top N Customers by Connection Number
• Statistics and Analysis Report > User Behavior > Subscriber > Top N Protocols by Customer Number
• Statistics and Analysis Report > User Behavior > Subscriber > Top N Customers by Online Duration
• Statistics and Analysis Report > User Behavior > Subscriber > Top N Customers by Online Times
• Statistics and Analysis Report > User Behavior > Subscriber > Customer Number Trend
Statistics and Analysis Report > User Behavior > Subscriber > Customer Number
Proportion
Through this report, you can analyze the proportion of subscribers with the access traffic of
specified types on the current network. For example, by querying the proportion of subscribers,
you can compare and analyze the number of P2P traffic users in Haidian and Chaoyang districts.
Statistics and Analysis Report > User Behavior > Subscriber > Customer Attributes
Statistics
Through this report, you can analyze the dynamic attributes of the specified subscriber.
Figure 5-47 shows a report screenshot of the dynamic attributes of a subscriber.
Statistics and Analysis Report > User Behavior > Subscriber > Peak Host Number
Trend
This report is used for analyzing the number of hosts on the live network. In this report, data
for each time range indicates the maximum number of hosts within this time range. For example,
hourly report data is the maximum value among 12 five-minute reports within this hour; daily
report data is the maximum value among 24 hourly reports on this day, that is, the maximum value
among 24 x 12 five-minute reports. The system counts hosts by IP address. Two hosts are counted
if a user logs in and out twice within five minutes.
Figure 5-48 shows a report screenshot of the peak host number trend in an area.
Statistics and Analysis Report > User Behavior > Subscriber > Top N Customers
by Traffic
Through this report, you can view top N subscribers by traffic for a category within a given time
range.
Figure 5-49 shows a report screenshot of the top 10 subscribers by traffic in an area.
Statistics and Analysis Report > User Behavior > Subscriber > Top N Customers
by Connection Number
Through this report, you can view top N subscribers by connection number for a category within
a given time range.
Figure 5-50 shows a report screenshot of the top 10 subscribers by connection number in an area.
Statistics and Analysis Report > User Behavior > Subscriber > Top N Protocols by
Customer Number
Through this report, you can view top N protocols by customer number for a category within a
given time range.
Figure 5-51 shows a report screenshot of the top 10 protocols by customer number in an area.
Statistics and Analysis Report > User Behavior > Subscriber > Top N Customers
by Online Duration
Through this report, you can view top N subscribers by online duration for a category within a
given time range.
NOTE
In scenarios where multiple hosts (using different IP addresses) use one account to go online, the online
duration of this account is the summed online duration of all the related hosts by IP address.
Statistics and Analysis Report > User Behavior > Subscriber > Top N Customers
by Online Times
Through this report, you can view top N subscribers by online times for a category within a
given time range.
Figure 5-53 shows the report screenshot.
Statistics and Analysis Report > User Behavior > Subscriber > Customer Number
Trend
Used for analyzing the number of subscribers on the live network. In this report, data for each
time segment indicates the accumulative total number of customers within this time range. For
example, hourly report data is the accumulative value of 12 five-minute reports without repetitive
values within this hour; daily report data is the accumulative value of 24 hourly reports without
repetitive values on this day. Compared with the report on the customer number trend, this report
has complicated algorithms and therefore is generated slowly.
Figure 5-54 shows a report screenshot of the number distribution trend of subscribers in an area.
5.4.1 Overview
This section describes the background knowledge and functions of traffic QoS.
• Rate Limiting
Rate limiting, also known as bandwidth limiting, bandwidth control, or Traffic Policing (TP),
is used to set the maximum upstream bandwidth, maximum downstream bandwidth, guaranteed
upstream bandwidth, and guaranteed downstream bandwidth of the specified or all types
of traffic.
The maximum bandwidth is also called the Peak Information Rate (PIR), and the guaranteed
bandwidth is also called the Committed Information Rate (CIR).
• Priority Mark
Traffic marking, also known as QoS Remark, remarks the QoS field (ToS or DSCP field) of
IP packets of the specified or all traffic types. In this way, the packets of a certain traffic
type are forwarded with different priorities when passing through network devices such as
routers.
Figure 5-55 shows the locations of the 4-bit ToS field and 6-bit DSCP field in the IP packet.
Table 5-2 shows the description of ToS field values, and Table 5-3 shows the description of
DSCP field values.
Class-Selector PHB | XXX000 (The X value is 0 or 1.) | Indicates that the service level is consistent
with the IP precedence used on the current network.
• Not Remark
Indicates that QoS Remark is not performed on traffic of the specified type; that is,
packets of traffic matching the Not Remark policy are not remarked.
• Throttling
Throttling is a queue scheduling method used during traffic congestion to proactively
schedule the output rate of the traffic of the specified or all traffic types.
When there are sufficient tokens in the token bucket, the cached packets can be sent out at
an even speed. However, if the buffer queue is full, throttling discards packets just as
rate limiting does.
Additionally, throttling may increase the delay, whereas rate limiting introduces almost no
extra delay.
l Strict Priority
It is a queue scheduling method in the case of traffic congestion. Packets are configured
with different priorities according to traffic types. During queue scheduling, the system
preferentially sends the packets in the high-priority queue by strictly following the
descending priority order. When the high-priority queue is empty, packets in the low-priority
queue are forwarded. In this way, the packets of key services are placed in the high-priority
queue, and those of non-key services (such as email) in the low-priority queue, ensuring
that the packets of key services are transmitted preferentially and those of non-key services
are transmitted during the idle time.
The SIG supports setting priorities (0 to 7) for upstream and downstream traffic by traffic
type. The smaller the value, the higher the priority.
The Strict Priority policy can provide bandwidth guarantee for high-priority services in
the case of congestion, but if the high-priority queue is always occupied by packets, packets
in the low-priority queue are not served for a long time.
l Weighted Fair Queue
It is a queue scheduling method in the case of traffic congestion to assign the traffic of
different types according to the pre-set upstream and downstream traffic proportion. For
example, for the subscribers' traffic in an area, set the proportion of the upstream and
downstream P2P traffic to 20% and that of other upstream and downstream traffic to 80%.
When a certain type of traffic in the queue is 0, the SIG allows other traffic types in the
queue to obtain these resources without any restrictions. For example, for subscribers'
traffic in an area, the proportions of upstream and downstream P2P traffic are each set to 10%,
those of PeerCasting traffic are each set to 10%, and those of other
upstream and downstream traffic are each set to 80%. If the PeerCasting traffic
uses none of its assigned proportion, the P2P traffic and other traffic can obtain these
resources.
For details on policy priorities, see 5.4.15 Policy Priority Description. For precautions and
related introduction of each policy item, see the typical examples about configuring traffic QoS
in this document.
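The difference between rate limiting and throttling described above, as an added example that is not part of the Huawei guide: a token bucket that drops excess packets (rate limiting) beside one that buffers them (throttling). The function names, the one-token-per-packet model and the sample burst are assumptions made for illustration and do not describe the SIG's internal implementation.

```python
from collections import deque

# Constructed sample: packets arriving per tick (a burst, a pause, a small burst).
BURSTY = [12, 0, 0, 0, 3]


def police(arrivals, rate, depth):
    """Rate limiting: a packet without a token is dropped at once."""
    tokens, sent, dropped = depth, 0, 0
    for burst in arrivals:
        tokens = min(depth, tokens + rate)  # refill, capped at bucket depth
        for _ in range(burst):
            if tokens >= 1:
                tokens -= 1
                sent += 1
            else:
                dropped += 1
    # Forwarded packets never wait, so policing adds no queueing delay.
    return {"sent": sent, "dropped": dropped, "max_delay": 0}


def throttle(arrivals, rate, depth, queue_limit):
    """Throttling: a packet without a token waits in a bounded buffer."""
    if rate <= 0:
        raise ValueError("rate must be positive or the buffer never drains")
    tokens, sent, dropped, max_delay = depth, 0, 0, 0
    queue = deque()  # holds the arrival tick of each buffered packet
    tick = 0
    while tick < len(arrivals) or queue:
        tokens = min(depth, tokens + rate)
        # Buffered packets leave first, in arrival order, as tokens allow.
        while queue and tokens >= 1:
            tokens -= 1
            sent += 1
            max_delay = max(max_delay, tick - queue.popleft())
        burst = arrivals[tick] if tick < len(arrivals) else 0
        for _ in range(burst):
            if not queue and tokens >= 1:
                tokens -= 1
                sent += 1              # forwarded without waiting
            elif len(queue) < queue_limit:
                queue.append(tick)     # buffered: this is the added delay
            else:
                dropped += 1           # buffer full: dropped as in rate limiting
        tick += 1
    return {"sent": sent, "dropped": dropped, "max_delay": max_delay}


if __name__ == "__main__":
    print("rate limiting:", police(BURSTY, rate=2, depth=4))
    print("throttling:   ", throttle(BURSTY, rate=2, depth=4, queue_limit=6))
```

With the same token rate, throttling forwards more of the burst at the cost of delay, and still drops once its buffer is full.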
flow classification items. A flow classification item is the traffic that matches specified
conditions. It is defined by one or multiple conditions including application-layer protocol type
(such as HTTP), network side IP address, and Layer-3 and Layer-4 protocol attributes. The
system defines each protocol category in the DPI protocol signature file as a flow classification
by default. For example, Web_Browsing refers to all the traffic that fall into the Web_Browsing
protocol category. For details on flow classification, see 22.1.1 Overview.
Function Description
Configuring traffic QoS:
l Applies the QoS policy package to links.
Implementing policies such as rate limiting (PIR and CIR), priority mark, number of
connections control, pass, and not remark to link traffic.
l Applies the QoS policy to virtual tunnels.
Implementing policies such as rate limiting (PIR and CIR), priority mark, number of
connections control, pass, not remark to virtual tunnel traffic.
l Applies the QoS policy package to subscribers.
Identifying subscribers according to attribute group or user group, and implementing
policies such as rate limiting (PIR and CIR), priority mark, number of connections control,
pass, not remark, throttling, strict priority, and weighted fair queue (WFQ) to subscriber
traffic according to the attribute group or user group.
l Applies the QoS policy to VICs.
Implementing policies such as rate limiting (PIR and CIR), priority mark, number of
connections control, pass, not remark to VIC traffic according to the attribute group or user
group.
l Applies dynamic policies.
Setting the threshold of link and virtual tunnel traffic. When the traffic of a specified link
or virtual tunnel exceeds the threshold for a period of time, the system automatically applies
the control policy to the link, virtual tunnel, or subscriber. In this way, the congestion
problem on the carrier network is resolved.
[Flowchart residue: Start; "Do you continue to add another one?" (Yes/No); Apply the policy package; "Do you continue to add another one?" (Yes/No); End]
NOTE
To bind the flow classification that is not in the system by default to the policy item to process more complex
traffic, you need to complete 22.1 Managing Flow Classifications and Flow Classification Items before
adding the policy item.
On a wireless network, the SIG supports the interworking with the PCRF and requests policies from the
PCRF. For details, see 5.4.16 Reference.
Action: Add a policy package
Description: Add policy packages as required. A policy package can contain one
or multiple policy items.
Operation page: In the navigation tree, choose Traffic Management
> QoS > QoS Policy Package Management.

Action: Apply the policy package
Description: Apply the added policy package to service objects.
Operation pages include:
l To apply a policy package to links: In the navigation tree, choose
Subscriber and Network Management > Network > Physical
Link Management > Link Policy Application.
l To apply a policy package to virtual tunnels: In the navigation tree,
choose Subscriber and Network Management > Network >
Virtual Tunnel Management > Virtual Tunnel Policy
Application.
l To apply a policy package to subscribers: In the navigation tree,
choose Subscriber and Network Management > Subscriber >
Policy Application.
l To apply a policy package to VICs: In the navigation tree, choose
Subscriber and Network Management > Very Important
Customer > Policy Application.
Prerequisites
The following requirements should be met:
l 4.4 Configuring the Link is complete, and the link to be managed is 10G-1-1-linka.
l The current user has the Traffic Management and Subscriber and Network
Management service permissions.
Requirement Description
The SIG is deployed at the network access layer in in-line mode, and monitors the link traffic
passing through the DPI device, as shown in Figure 5-57. Currently, the SIG needs to monitor
P2P services on the 10G link. Requirements are as follows:
l From 16:00:00 to 21:59:59 every day: The SIG should limit the maximum downstream
bandwidth of P2P services to 1,000,000 kbit/s.
l During other time segments every day: The SIG should limit the maximum downstream
bandwidth of P2P services to 1,500,000 kbit/s.
Figure 5-57 Networking diagram of the example for configuring traffic QoS (link, rate limiting)
[Figure 5-57 labels: Internet; Router; GE4/0/0; Front End; Switch; GE3/0/0; Back End; 10.1.3.0/24; BRAS; User Network]
Procedure
Step 1 Log in to the Back End.
Step 2 Add a policy package.
1. In the navigation tree, choose Traffic Management > QoS > QoS Policy Package
Management.
2. Click Add.
3. In the pop-up dialog box, enter myQoS in Name, and then click Save, as shown in Figure
5-58.
NOTE
Priority of the policy item in this example can be any value. For details on priorities, see 5.4.15
Policy Priority Description.
Start Date/End Date and Start Day of Week/End Day of Week together determine the valid date
of a policy item, namely, the date meeting these two conditions is the valid time of the policy item.
The system does not support the setting of Start Time and End Time by using the keyboard. Instead,
you can select the values using the mouse. In addition, do not press Backspace. Otherwise, the system
closes all the tab pages and displays the GUI homepage.
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Click Close. The system returns to the previous page and displays the added policy package.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Physical Link Management > Link Policy Application.
2. Click Add.
3. In the pop-up dialog box, select QoS from Policy Package Type, myQoS from Policy
Package Name, and 10G-1-1-linka from Link, as shown in Figure 5-60.
4. Click OK. The system returns to the previous page and displays the added record.
----End
Prerequisites
The following requirements should be met:
l 4.4 Configuring the Link is complete, and the link to be managed is 10G-1-1-linka.
l The current user has the Traffic Management and Subscriber and Network
Management service permissions.
Requirement Description
The SIG is deployed on the network in in-line mode, and monitors the link traffic passing through
the DPI device, as shown in Figure 5-61. It is required to monitor the VoIP service traffic on
the 10G link and set the DSCP field of the VoIP packet to 101110, so that VoIP traffic is
preferentially forwarded by downstream routers in the case of traffic congestion.
Figure 5-61 Networking diagram of the example for configuring traffic QoS (link, priority mark)
[Figure 5-61 labels: External network; Router A; Front End; Router B; Internal network]
Procedure
Step 1 Log in to the Back End.
Step 2 Add a policy package.
1. In the navigation tree, choose Traffic Management > QoS > QoS Policy Package
Management.
2. Click Add.
3. In the pop-up dialog box, enter myQoS in Name, and then click Save, as shown in Figure
5-62.
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Click Close. The system returns to the previous page and displays the added policy package.
Step 3 Apply the policy package.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Physical Link Management > Link Policy Application.
2. Click Add.
3. In the pop-up dialog box, select QoS from Policy Package Type, myQoS from Policy
Package Name, and 10G-1-1-linka from Link, as shown in Figure 5-64.
4. Click OK. The system returns to the previous page and displays the added record.
----End
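To check the priority mark configured above on packets captured downstream of the SIG, the following added example (not part of the Huawei guide) decodes the QoS byte of an IPv4 header and reports every packet whose DSCP is not 101110. The function names and the sample headers are constructed for illustration; the 4-bit ToS layout follows RFC 1349 and the 6-bit DSCP layout follows RFC 2474.

```python
import struct

EXPECTED_VOIP_DSCP = 0b101110  # value set by the priority mark example above


def make_ipv4_header(dscp, ecn=0):
    """Build a constructed 20-byte IPv4 header (sample data, checksum left 0)."""
    qos_byte = (dscp << 2) | ecn
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, qos_byte, 20, 0, 0, 64, 17, 0,
        bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]),
    )


def decode_qos(header):
    """Split the second header byte into its DSCP view and its legacy ToS view."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = header[0] >> 4, header[0] & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not an IPv4 header")
    qos = header[1]
    dscp = qos >> 2
    return {
        "dscp": dscp,
        "dscp_bits": format(dscp, "06b"),
        "ecn": qos & 0x03,
        "precedence": qos >> 5,          # upper three bits
        "tos4": (qos >> 1) & 0x0F,       # 4-bit ToS field (RFC 1349)
        # Class-Selector PHB is XXX000: the low three DSCP bits are zero.
        "class_selector": dscp & 0b000111 == 0,
    }


def audit_remark(headers, expected_dscp=EXPECTED_VOIP_DSCP):
    """Return (index, reason) for every header not carrying expected_dscp."""
    findings = []
    for index, header in enumerate(headers):
        try:
            qos = decode_qos(header)
        except ValueError as exc:
            findings.append((index, str(exc)))
            continue
        if qos["dscp"] != expected_dscp:
            findings.append((index, "dscp=" + qos["dscp_bits"]))
    return findings


# Constructed capture: two correctly marked packets, one unmarked, one marked
# with a Class-Selector value, and one truncated header.
SAMPLE = [
    make_ipv4_header(0b101110),
    make_ipv4_header(0b101110, ecn=1),
    make_ipv4_header(0b000000),
    make_ipv4_header(0b101000),
    b"\x45\xb8",
]

if __name__ == "__main__":
    for finding in audit_remark(SAMPLE):
        print(finding)
```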
Prerequisites
The following requirements should be met:
l 4.4 Configuring the Link is complete, and the link to be managed is 10G-1-1-linka.
l The current user has the Traffic Management and Subscriber and Network
Management service permissions.
Requirement Description
The SIG is deployed at the network access layer in in-line mode, and monitors the link traffic
passing through the DPI device, as shown in Figure 5-65. It is required to monitor the P2P
service traffic on the 10G link and set the maximum number of concurrent connections for the
service to 500000.
Figure 5-65 Networking diagram of the example for configuring traffic QoS (link, number of
connections control)
[Figure 5-65 labels: Internet; Router; GE4/0/0; Front End; Switch; GE3/0/0; Back End; 10.1.3.0/24; BRAS; User Network]
Procedure
Step 1 Log in to the Back End.
Step 2 Add a policy package.
1. In the navigation tree, choose Traffic Management > QoS > QoS Policy Package
Management.
2. Click Add.
3. In the pop-up dialog box, enter myQoS in Name, and then click Save, as shown in Figure
5-66.
4. Select Number of Connections Control from Item Type and click Add.
5. Set parameters in the dialog box that is displayed. Figure 5-67 shows parameter settings.
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Click Close. The system returns to the previous page and displays the added policy package.
Step 3 Apply the policy package.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Physical Link Management > Link Policy Application.
2. Click Add.
3. In the pop-up dialog box, select QoS from Policy Package Type, myQoS from Policy
Package Name, and 10G-1-1-linka from Link, as shown in Figure 5-68.
4. Click OK. The system returns to the previous page and displays the added record.
----End
Prerequisites
The following requirements should be met:
l 4.4 Configuring the Link is complete, and the link to be managed is 10G-1-1-linka.
l The current user has the Traffic Management and Subscriber and Network
Management service permissions.
Requirement Description
The SIG is deployed at the network access layer in in-line mode, and monitors the link traffic
passing through the DPI device, as shown in Figure 5-69. It is required to monitor the VoIP
service traffic on the 10G link and set the maximum upstream and downstream bandwidths for
the service to 500000 kbit/s. In addition, H.323, SIP, MGCP, and MEGACO signaling protocols
and their media protocols, including H.323, H323_MEDIA_VIDEO, H323_MEDIA_AUDIO,
SIP, SIP_MEDIA_VIDEO, SIP_MEDIA_AUDIO, MGCP, MGCP_MEDIA_VIDEO,
MGCP_MEDIA_AUDIO, MEGACO, MEGACO_MEDIA_VIDEO, and
MEGACO_MEDIA_AUDIO are free from bandwidth control.
Figure 5-69 Networking diagram of the example for configuring traffic QoS (link, rate limiting,
and pass)
[Figure 5-69 labels: Internet; Router; GE4/0/0; Front End; Switch; GE3/0/0; Back End; 10.1.3.0/24; BRAS; User Network]
Procedure
Step 1 Log in to the Back End.
For details, see 22.1 Managing Flow Classifications and Flow Classification Items.
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Select Pass from Item Type and click Add.
8. Set parameters in the dialog box that is displayed. Figure 5-72 shows parameter settings.
9. Click OK. The system returns to the previous page and displays the added policy item.
10. Repeat Step 3.7 to Step 3.9, and add the pass policy respectively for
H323_MEDIA_VIDEO, H323_MEDIA_AUDIO, SIP, SIP_MEDIA_VIDEO,
SIP_MEDIA_AUDIO, MGCP, MGCP_MEDIA_VIDEO, MGCP_MEDIA_AUDIO,
MEGACO, MEGACO_MEDIA_VIDEO, and MEGACO_MEDIA_AUDIO.
11. Click Close. The system returns to the previous page and displays the added policy package.
Step 4 Apply the policy package.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Physical Link Management > Link Policy Application.
2. Click Add.
3. In the pop-up dialog box, select QoS from Policy Package Type, myQoS from Policy
Package Name, and 10G-1-1-linka from Link, as shown in Figure 5-73.
4. Click OK. The system returns to the previous page and displays the added record.
----End
Prerequisites
Requirements are as follows:
l 4.4 Configuring the Link is complete, and the link to be managed is 10G-1-1-linka.
l The current user has the Traffic Management and Subscriber and Network
Management service permissions.
Requirement Description
The SIG is deployed on the network in in-line mode, and monitors the link traffic passing through
the DPI device, as shown in Figure 5-74. It is required to monitor the VoIP service traffic on
the 10G link and set the DSCP field of the VoIP packet to 101110, so that VoIP traffic is
preferentially forwarded in the case of traffic congestion. In addition, the traffic of SkypePctoPc
(a VoIP protocol) is not preferentially forwarded.
Figure 5-74 Networking diagram of the example for configuring traffic QoS (link, priority mark,
and not remark)
[Figure 5-74 labels: External network; Router A; Front End; Router B; Internal network]
Procedure
Step 1 Log in to the Back End.
Step 2 Add a flow classification item and a flow classification.
Define protocol SkypePctoPc as a flow classification item, and then add a flow classification
SkypePctoPc that contains the item.
For details, see 22.1 Managing Flow Classifications and Flow Classification Items.
Step 3 Add a policy package.
1. In the navigation tree, choose Traffic Management > QoS > QoS Policy Package
Management.
2. Click Add.
3. In the pop-up dialog box, enter myQoS in Name, and then click Save, as shown in Figure
5-75.
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Select Not Remark from Item Type and click Add.
8. Set parameters in the dialog box that is displayed. Figure 5-77 shows parameter settings.
9. Click OK. The system returns to the previous page and displays the added policy item.
10. Click Close. The system returns to the previous page and displays the added policy package.
4. Click OK. The system returns to the previous page and displays the added record.
----End
Prerequisites
Requirements are as follows:
Requirement Description
The SIG is deployed on a carrier's network, as shown in Figure 5-79. 4.5.6 Typical
Configuration Example 1 (User Attribute Virtual Tunnel, Defining SN as the Virtual
Tunnel Category) is complete. Virtual tunnels and their categories are added.
The P2P traffic of SN1 must be monitored and the maximum downstream bandwidth for P2P
traffic must be controlled within 5000 Kbit/s.
Figure 5-79 Networking diagram of the example for configuring traffic QoS (virtual tunnel, rate
limiting)
[Figure 5-79 labels: IP Backbone; PE; CE; DPI System; Front End; Back End; GN1; GN2; Wireless access network; SN1; SN2; BTS1, BTS2, … BTS3]
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 Add a policy package.
1. In the navigation tree, choose Traffic Management > QoS > QoS Policy Package
Management.
2. Click Add.
3. In the pop-up dialog box, enter myQoS in Name, and then click Save, as shown in Figure
5-80.
6. Click OK. The system returns to the previous page and displays a new policy item.
7. Click Close. The system returns to the previous page and displays a new policy package.
8. Repeat Step 2.2 to Step 2.7 to add policy package myQoS2 and set Maximum
Downstream Bandwidth to 10000 kbit/s.
The system supports the batch application of policy packages through importing. In this case, click
Import, obtain the import template in the dialog box that is displayed, and execute the import.
3. Set parameters, as shown in Figure 5-82.
4. Click OK. The system returns to the previous page and displays a new record.
----End
For the example for configuring virtual tunnels, see 4.5.8 Typical Configuration Example 3
(Stream Attribute Virtual Tunnel, Defining the Traffic of Local IP Address or Remote IP
Address as the Virtual Tunnel).
Prerequisites
Requirements are as follows:
l 4.2 Configuring the Subscriber is complete. The subscribers to be managed reside in area
Haidian.
l The current user has the Traffic Management and Subscriber and Network
Management service permissions.
Requirement Description
The SIG is deployed at the network access layer in in-line mode, as shown in Figure 5-83. It is
required to monitor the P2P service traffic of all subscribers in the Haidian area and set the
maximum downstream bandwidth for the service to 1000 kbit/s.
Figure 5-83 Networking diagram of the example for configuring traffic QoS (subscriber, rate
limiting)
[Figure 5-83 labels: Internet; Router; GE4/0/0; Front End; Switch; GE3/0/0; Back End; 10.1.3.0/24; BRAS; User Network]
Procedure
Step 1 Log in to the Back End.
Step 2 Add a policy package.
1. In the navigation tree, choose Traffic Management > QoS > QoS Policy Package
Management.
2. Click Add.
3. In the pop-up dialog box, enter myQoS in Name, and then click Save, as shown in Figure
5-84.
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Click Close. The system returns to the previous page and displays the added policy package.
Step 3 Apply the policy package.
1. In the navigation tree, choose Subscriber and Network Management > Subscriber >
Policy Application.
2. Click Add.
3. In the pop-up dialog box, select Haidian from Area, QoS from Type, and myQoS from
Name, as shown in Figure 5-86.
4. Click OK. The system returns to the previous page and displays the added record.
----End
Prerequisites
Requirements are as follows:
l 4.2 Configuring the Subscriber is complete. The subscribers to be managed reside in area
Zhongguancun.
l The current user has the Traffic Management and Subscriber and Network
Management service permissions.
Requirement Description
The SIG is deployed at the network access layer in in-line mode, as shown in Figure 5-87. It is
required to monitor the traffic of all subscribers in the Zhongguancun area, limiting the
maximum upstream bandwidth to 200 kbit/s and maximum downstream bandwidth to 1000 kbit/s.
It is required to throttle the Web_Browsing traffic, setting the guaranteed upstream bandwidth
to 40 kbit/s, guaranteed downstream bandwidth to 200 kbit/s, maximum upstream bandwidth to
80 kbit/s, and maximum downstream bandwidth to 500 kbit/s.
Figure 5-87 Networking diagram of the example for configuring traffic QoS (subscriber,
throttling)
[Figure 5-87 labels: Internet; Router; GE4/0/0; Front End; Switch; GE3/0/0; Back End; 10.1.3.0/24; BRAS; User Network]
Procedure
Step 1 Log in to the Back End.
Step 2 Add a policy package.
1. In the navigation tree, choose Traffic Management > QoS > QoS Policy Package
Management.
2. Click Add.
3. In the pop-up dialog box, enter myQoS in Name, and then click Save, as shown in Figure
5-88.
NOTE
Priority of the policy item in this example can be any value. For details on priorities, see 5.4.15
Policy Priority Description.
To shape the traffic of all other protocol types in addition to those in the list, select the check box of
Include Unselected. The system automatically adds a record.
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Click Close. The system returns to the previous page and displays the added policy package.
1. In the navigation tree, choose Subscriber and Network Management > Subscriber >
Policy Application.
2. Click Add.
3. In the pop-up dialog box, select Zhongguancun from Area, QoS from Type, and
myQoS from Name, as shown in Figure 5-90.
4. Click OK. The system returns to the previous page and displays the added record.
----End
Prerequisites
Requirements are as follows:
l 4.2 Configuring the Subscriber is complete. The subscribers to be managed reside in area
Zhongguancun.
l The current user has the Traffic Management and Subscriber and Network
Management service permissions.
Requirement Description
The SIG is deployed at the network access layer in in-line mode, as shown in Figure 5-91. It is
required to monitor the traffic of all subscribers in the Zhongguancun area, limiting the
maximum upstream bandwidth of all subscribers' traffic to 500 kbit/s and maximum downstream
bandwidth to 1,000 kbit/s, and setting the guaranteed upstream bandwidth to 50 kbit/s and the guaranteed
downstream bandwidth to 100 kbit/s. In the case of traffic congestion, traffic is forwarded
according to the priority.
NOTE
The value of the priority ranges from 0 to 7. The smaller the value, the higher the priority.
In the same policy package, the priorities of different strict priority policy items can adopt the same value.
l VoIP traffic
The priority of upstream and downstream traffic is 0.
l Web_Browsing traffic
The priority of upstream and downstream traffic is 3.
l P2P traffic
The priority of upstream and downstream traffic is 7.
l Other traffic
The priority of upstream and downstream traffic is 5.
Figure 5-91 Networking diagram of the example for configuring traffic QoS (subscriber, strict
priority)
[Figure 5-91 labels: Internet; Router; GE4/0/0; Front End; Switch; GE3/0/0; Back End; 10.1.3.0/24; BRAS; User Network]
Procedure
Step 1 Log in to the Back End.
Step 2 Add a policy package.
1. In the navigation tree, choose Traffic Management > QoS > QoS Policy Package
Management.
2. Click Add.
3. In the pop-up dialog box, enter myQoS in Name, and then click Save, as shown in Figure
5-92.
NOTE
Priority of the policy item in this example can be any value. For details on priorities, see 5.4.15
Policy Priority Description.
6. Click OK. The system returns to the previous page.
7. Click Close. The system returns to the previous page and displays the added policy package.
Step 3 Apply the policy package.
1. In the navigation tree, choose Subscriber and Network Management > Subscriber >
Policy Application.
2. Click Add.
3. In the pop-up dialog box, select Zhongguancun from Area, QoS from Type, and
myQoS from Name, as shown in Figure 5-94.
4. Click OK. The system returns to the previous page and displays the added record.
----End
Prerequisites
Requirements are as follows:
l 4.2 Configuring the Subscriber is complete. The subscribers to be managed reside in area
Zhongguancun.
l The current user has the Traffic Management and Subscriber and Network
Management service permissions.
Requirement Description
The SIG is deployed at the network access layer in in-line mode, as shown in Figure 5-95. It is
required to monitor the traffic of all subscribers in the Zhongguancun area, limiting the
maximum upstream bandwidth of all subscribers' traffic to 500 kbit/s and maximum downstream
bandwidth to 1,000 kbit/s, and setting the guaranteed upstream bandwidth to 50 kbit/s and the guaranteed
downstream bandwidth to 100 kbit/s. In the case of traffic congestion, traffic is forwarded
according to the proportion.
l VoIP traffic
The proportion of upstream and downstream traffic is 5%.
l Web_Browsing traffic
The proportion of upstream and downstream traffic is 30%.
l P2P traffic
The proportion of upstream and downstream traffic is 10%.
l Other traffic
The proportion of upstream and downstream traffic is 55%.
Figure 5-95 Networking diagram of the example for configuring traffic QoS (subscriber, WFQ)
[Figure 5-95 labels: Internet; Router; GE4/0/0; Front End; Switch; GE3/0/0; Back End; 10.1.3.0/24; BRAS; User Network]
Procedure
Step 1 Log in to the Back End.
4. Select Weighted Fair Queue from Item Type, and click Add.
5. Set parameters in the pop-up dialog box. Figure 5-97 shows parameter settings.
By clicking Add, you can add weight control items; by clicking Delete, you can delete
weight control items.
NOTE
Priority of the policy item in this example can be any value. For details on priorities, see 5.4.15
Policy Priority Description.
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Click Close. The system returns to the previous page and displays the added policy package.
4. Click OK. The system returns to the previous page and displays the added record.
----End
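How the strict priority and WFQ examples above divide a congested 1,000 kbit/s downstream link, as an added example that is not part of the Huawei guide. The priorities and proportions are the ones configured in the two examples; the per-class demand figures are constructed, and redistributing an idle class's share in proportion to the remaining weights is an assumption (the guide only states that other traffic types can obtain the unused resources).

```python
# Values taken from the strict priority and WFQ requirement descriptions.
PRIORITY = {"VoIP": 0, "Web_Browsing": 3, "P2P": 7, "Other": 5}   # smaller = higher
WEIGHT = {"VoIP": 5, "Web_Browsing": 30, "P2P": 10, "Other": 55}  # percent

# Constructed offered load in kbit/s; the total exceeds the 1,000 kbit/s limit.
DEMAND = {"VoIP": 100, "Web_Browsing": 400, "P2P": 900, "Other": 600}
DEMAND_WEB_IDLE = {"VoIP": 100, "Web_Browsing": 0, "P2P": 900, "Other": 600}


def strict_priority(demand, priority, capacity):
    """Serve classes in ascending priority value until capacity runs out."""
    alloc, remaining = {}, capacity
    for cls in sorted(demand, key=lambda c: priority[c]):
        alloc[cls] = min(demand[cls], remaining)
        remaining -= alloc[cls]
    return alloc


def wfq(demand, weight, capacity):
    """Weighted max-min share: unused share is re-divided by weight (assumed)."""
    alloc = {cls: 0.0 for cls in demand}
    active = {cls for cls in demand if demand[cls] > 0}
    remaining = float(capacity)
    while active and remaining > 0:
        total_weight = sum(weight[cls] for cls in active)
        # Classes that need no more than their weighted share are fully served.
        satisfied = {
            cls for cls in active
            if demand[cls] <= remaining * weight[cls] / total_weight
        }
        if not satisfied:
            # Every remaining class is backlogged: split strictly by weight.
            for cls in active:
                alloc[cls] = remaining * weight[cls] / total_weight
            break
        for cls in satisfied:
            alloc[cls] = demand[cls]
            remaining -= demand[cls]
        active -= satisfied
    return alloc


if __name__ == "__main__":
    print("strict priority:", strict_priority(DEMAND, PRIORITY, 1000))
    print("WFQ, all busy:  ", wfq(DEMAND, WEIGHT, 1000))
    print("WFQ, web idle:  ", wfq(DEMAND_WEB_IDLE, WEIGHT, 1000))
```

Under strict priority the P2P class (priority 7) receives nothing while higher-priority classes fill the link; under WFQ it keeps its 10% and picks up unused share when Web_Browsing is idle.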
Prerequisites
Requirements are as follows:
l 4.3 Configuring the VIC is complete. The VICs to be managed reside in area Haidian.
l The current user has the Traffic Management and Subscriber and Network
Management service permissions.
Requirement Description
The SIG is deployed at the network access layer in in-line mode, as shown in Figure 5-99. It is
required to monitor the VoIP service traffic of all VICs in the Haidian area, and set the maximum
upstream and downstream bandwidth for the service to 10000 kbit/s.
Figure 5-99 Networking diagram of the example for configuring traffic QoS (VIC, rate limiting)
[Figure 5-99 labels: Internet; Router; GE4/0/0; Front End; Switch; GE3/0/0; Back End; 10.1.3.0/24; BRAS; User Network]
Procedure
Step 1 Log in to the Back End.
Step 2 Add a policy package.
1. In the navigation tree, choose Traffic Management > QoS > QoS Policy Package
Management.
2. Click Add.
3. In the pop-up dialog box, enter myQoS in Name, and then click Save, as shown in Figure
5-100.
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Click Close. The system returns to the previous page and displays the added policy package.
Step 3 Apply the policy package.
1. In the navigation tree, choose Subscriber and Network Management > Very Important
Customer > Policy Application.
2. Click Add.
3. In the pop-up dialog box, select QoS from Type, myQoS from Name, and Haidian from
Area, as shown in Figure 5-102.
4. Click OK. The system returns to the previous page and displays the added record.
----End
Definition
Concepts related to policy priority are as follows:
l A policy application object group can be bound with only one policy package of each
service type.
For example, if traffic management and URL filtering service are enabled and Beijing is
the attribute group of subscribers, then Beijing can be bound to only one traffic QoS policy
package and one URL filtering policy package.
l When a policy application object belonging to multiple groups is bound to multiple policy
packages of the same service type, the system follows the priority decision mechanism as
shown in Figure 5-103.
1. Collect all policy packages bound with the same policy application object and
categorize policy items by service type.
Treat traffic management and FUP as the same category and each of the remaining
service types as a separate category. For example, category 1 includes traffic
management and FUP and category 2 is URL filtering.
2. Further categorize the preceding results by policy item type.
Treat Throttling, Strict Priority, and WFQ in traffic management as the same category.
For link policy packages in anti-worm, you are allowed to add control policy items in
a policy package for different control actions without having to categorize the control
policy items as one type.
NOTE
You are allowed to bind only one Worm policy package to a link; therefore, every policy item
in the Worm link policy package is valid and there is no need to decide by priority.
3. Further categorize the preceding results by flow classification bound with policy item.
Policy items of the same type may be bound to different flow classifications and you
need to further categorize policy items by the flow classification bound to them.
URL filtering and malware URL filtering policy packages contain no bound flow
classifications and the system classifies flow classifications by URL category. For
other policy packages without bound flow classifications such as anti-spammer and
anti-DDoS policy package, the system skips the categorization.
4. In the preceding categorization results, if there is only one policy item in a category,
the policy item is valid. If there are multiple policy items in a category (or they are of
the same service type, the same policy item type, and the same flow classification
bound to policy item), then the policy item with the smallest priority value is valid.
If there is a policy item for total traffic in a category of Throttling, Strict Priority, and
WFQ, then the policy item with the smallest priority value is valid; otherwise, the
policy item with the smallest priority value among all policy items is valid. Other
precautions are:
– All the strict priority and WFQ policy items contain the policy item that is specified
for the total traffic. The throttling policy item can either contain the policy item
that is specified for the total traffic or not.
– For Throttling, Strict Priority and WFQ policy items, you need to set the priority
value for each sub-item. When a particular flow matches multiple sub-items, the
system handles the traffic by the sub-item with the smallest priority value. Sub-
items are new entries added to the list by clicking Add on the Policy Item Definition
page.
– When no policy item specified for the total traffic is configured in the throttling
policy item, the smallest priority value in the subitems is the priority of the policy
item.
NOTE
The policy item priority values are globally unique in the SIG system. If the SIG system
interconnects with the policy and charging rule function (PCRF) and policies are defined in
both the SIG system (static policy) and PCRF (dynamic policy), the parameter values may be
identical. In this case, only a dynamic policy is valid.
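The four categorization steps above, as an added example that is not part of the Huawei guide and not the SIG's own code. The data model, function names, package contents and priority values are constructed for illustration; Throttling, Strict Priority and WFQ items are compared as whole items on their item priority, which simplifies the total-traffic rule in step 4.

```python
from collections import namedtuple

# Hypothetical record for one policy item inside a policy package.
PolicyItem = namedtuple("PolicyItem", "package service item_type flow priority")

SHARED_SERVICE = {"Traffic Management", "FUP"}          # step 1: one category
QUEUE_TYPES = {"Throttling", "Strict Priority", "WFQ"}  # step 2: one category


def category(item):
    """Steps 1 to 3: service type, policy item type, bound flow classification."""
    service = "Traffic Management/FUP" if item.service in SHARED_SERVICE else item.service
    if item.item_type in QUEUE_TYPES:
        return (service, "queue scheduling", None)
    return (service, item.item_type, item.flow)


def resolve(bindings, packages, groups):
    """Step 4: within each category the smallest priority value is valid.

    bindings: group name -> package name
    packages: package name -> list of PolicyItem
    groups:   the groups the policy application object belongs to
    """
    items = [it for g in groups if g in bindings for it in packages[bindings[g]]]
    priorities = [it.priority for it in items]
    if len(set(priorities)) != len(priorities):
        # The guide states that priority values are globally unique.
        raise ValueError("policy item priority values must be unique")
    valid = {}
    for it in items:
        key = category(it)
        if key not in valid or it.priority < valid[key].priority:
            valid[key] = it
    return sorted(valid.values(), key=lambda it: it.priority)


TM = "Traffic Management"
# Group-to-package bindings as in the guide's example; package contents constructed.
BINDINGS = {"Beijing": "PackageA", "Haidian": "PackageB", "myUserGroup": "PackageC"}
PACKAGES = {
    "PackageA": [
        PolicyItem("PackageA", TM, "Throttling", None, 10),
        PolicyItem("PackageA", TM, "Pass", "SIP", 20),
        PolicyItem("PackageA", TM, "Rate Limiting", "P2P", 30),
    ],
    "PackageB": [
        PolicyItem("PackageB", TM, "Rate Limiting", "P2P", 25),
        PolicyItem("PackageB", TM, "Priority Mark", "VoIP", 40),
    ],
    "PackageC": [
        PolicyItem("PackageC", TM, "WFQ", None, 5),
        PolicyItem("PackageC", TM, "Priority Mark", "VoIP", 50),
    ],
}

if __name__ == "__main__":
    for item in resolve(BINDINGS, PACKAGES, ["Beijing", "Haidian", "myUserGroup"]):
        print(item.priority, item.package, item.item_type, item.flow)
```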
The following uses traffic management as an example. Assume a subscriber belongs to the
Beijing area, the Haidian area, and the myUserGroup subscriber user group. Beijing is bound
to PackageA, Haidian to PackageB, and myUserGroup to PackageC, as shown in Figure
5-104.
[Figure 5-104 labels: PackageA; PackageB; PackageC; policy item types shown: Throttling, Pass, Number of Connections Control, Rate Limiting, Priority Mark, Not Remark, (without total traffic control)]
1. Collect all policy packages bound with the same application object and categorize the policy
items by service type.
Category 1: policy items 1, 2, 3, 4, 5, 6, 7, 8, and 9
Therefore, the subscriber's policy items that are eventually valid include 1, 3, 5, 6, 7, 8, and 9.
l In traffic management, Pass policy items have priority over Rate Limiting, Throttling, Strict
Priority, or WFQ policy items; and Not Remark policy items have priority over Priority
Mark policy items.
l In traffic management service, if both the rate limiting policy item on the subscribers, links,
and virtual tunnels, and the throttling, strict priority, or WFQ policy item on subscribers
exist, the system ensures the CIR defined in the policy item first. If CIR is defined in
multiple policy items, the system ensures the CIR defined in throttling, strict priority, and
WFQ first.
Table 5-5 shows the detailed requirements. A packet is initially marked without colors.
After the last action in the policy is executed, if the packet is marked green or yellow, the
packet is forwarded. If it is marked red, the packet is discarded.
Table 5-5 Rules of handling the collisions between CIR and PIR
l In traffic management, if there is execution conflict in the priority mark policy item of
different types of policy application objects, the priority in descending order is: subscriber
DSCP label, VIC DSCP label, link DSCP label, traffic direction DSCP label, user attribute
virtual tunnel DSCP label, stream attribute virtual tunnel DSCP label, subscriber ToS label,
VIC ToS label, link ToS label, traffic direction ToS label, user attribute virtual tunnel ToS
label, and stream attribute virtual tunnel ToS label.
For example, if the VoIP DSCP field is 101110 for a subscriber and the VoIP DSCP field
is 000000 for the corresponding link, then the VoIP DSCP field for the subscriber is
actually labeled as 101110.
l The other policy items are executed in sequence, and the strictest one takes effect.
For example, if the maximum downstream bandwidth is limited to 100 kbit/s for a
subscriber and the maximum downstream P2P bandwidth is limited to 0 for the link to
which the subscriber belongs, then the maximum downstream P2P bandwidths for the
subscriber and the link are limited to 0 respectively.
NOTE
For other possible execution conflicts, it is recommended that you confirm the system decision
mechanism against the actual execution results. For details, contact Huawei technical support personnel.
5.4.16 Reference
This section describes the configuration references when the SAS requests policies from the
Policy and Charging Rule Function (PCRF).
NOTE
The configuration command for the policy requesting mode is
policy-request-server default { policy-server | pcrf | both | none }.
For example, the PCRF is the UPCC (Unified Policy and Charging Controller). The location
where Policy Package Code is referenced is as shown in Figure 5-106.
For example, the PCRF is the UPCC (Unified Policy and Charging Controller). The location
where Code is referenced is as shown in Figure 5-108.
NOTE
To learn more about the PCRF, refer to related technical documents provided by respective vendors.
5.5.1 Overview
This section describes background information about traffic congestion detection and various
functions brought by the congestion detection configuration.
NOTE
To detect the traffic of certain NE, you can first define the NE as a user attribute virtual tunnel. For details,
see 4.5 Configuring the Virtual Tunnel.
l When the upstream or downstream traffic of a specified protocol, a flow classification, or
the total traffic of the link or virtual tunnel is over a specified value for a period of time,
the system identifies that the link or virtual tunnel is in congestion state. In the SIG system,
the value is called the trigger threshold, and the period of time is called the trigger threshold
statistics duration.
l When the upstream or downstream traffic of a specified protocol, a flow classification, or
the total traffic of the link or virtual tunnel is under a specified value for a period of time,
the system identifies that the link or virtual tunnel is in normal state. In the SIG system, the
value is called the release threshold, the period of time is called the release threshold
statistics duration.
[Figure: bandwidth plotted against time, showing the trigger threshold, the release threshold, the trigger and release threshold statistics durations, and the resulting congested periods]
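The trigger and release rules above form a hysteresis loop. The following sketch is an added example, not code from the SIG or from Huawei. It assumes one rate sample per five-minute traffic report (the interval the guide gives for Front End status checks), treats a statistics duration as met when consecutive samples cover it, and uses the 4 Mbit/s and 3 Mbit/s values of the BTS example with constructed samples.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Assumption: one averaged rate sample per five-minute traffic report.
SAMPLE_MINUTES = 5


@dataclass(frozen=True)
class CongestionThreshold:
    trigger_kbps: int      # trigger threshold
    trigger_minutes: int   # trigger threshold statistics duration
    release_kbps: int      # release threshold
    release_minutes: int   # release threshold statistics duration


class CongestionDetector:
    """Tracks the congestion state of one link or virtual tunnel."""

    def __init__(self, threshold: CongestionThreshold) -> None:
        self.threshold = threshold
        self.congested = False
        self.run = 0  # consecutive samples that support a state change

    def feed(self, rate_kbps: int) -> bool:
        t = self.threshold
        if not self.congested:
            # Only an unbroken run above the trigger threshold counts.
            self.run = self.run + 1 if rate_kbps > t.trigger_kbps else 0
            if self.run * SAMPLE_MINUTES >= t.trigger_minutes:
                self.congested, self.run = True, 0
        else:
            # Rates between the two thresholds keep the object congested.
            self.run = self.run + 1 if rate_kbps < t.release_kbps else 0
            if self.run * SAMPLE_MINUTES >= t.release_minutes:
                self.congested, self.run = False, 0
        return self.congested


def congestion_log(samples: Sequence[int],
                   threshold: CongestionThreshold) -> List[Tuple[int, str]]:
    """Returns (minute, new_state) for every state change."""
    detector = CongestionDetector(threshold)
    log = []
    for index, rate in enumerate(samples):
        before = detector.congested
        after = detector.feed(rate)
        if after != before:
            minute = (index + 1) * SAMPLE_MINUTES
            log.append((minute, "congested" if after else "normal"))
    return log


def single_threshold_flaps(samples: Sequence[int], limit_kbps: int) -> int:
    """State changes of a detector with one threshold and no duration."""
    states = [rate > limit_kbps for rate in samples]
    return sum(1 for a, b in zip([False] + states, states) if a != b)


# Values of the BTS example: over 4 Mbit/s for 15 minutes triggers,
# under 3 Mbit/s for 15 minutes releases.
BTS_THRESHOLD = CongestionThreshold(4000, 15, 3000, 15)

# Constructed downstream samples in kbit/s, one per five minutes.
SAMPLES = [3500, 4200, 4500, 3900, 4100, 4300, 4600,
           3500, 2900, 2800, 3100, 2500, 2000, 1500]

if __name__ == "__main__":
    print(congestion_log(SAMPLES, BTS_THRESHOLD))
    print(single_threshold_flaps(SAMPLES, BTS_THRESHOLD.trigger_kbps))
```

With these samples the short dip to 3900 kbit/s and the rise to 3100 kbit/s each restart the count, so the object changes state twice, while a single threshold without durations would change state four times.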
Definition
For ease of description, the SIG system defines the following concepts:
l Congestion threshold
Indicates the object that contains all the congestion identification conditions. These conditions
include protocol or flow classification, traffic direction, trigger threshold, trigger threshold
statistics duration, release threshold, and release threshold statistics duration, as shown in
Figure 5-110.
You can add a maximum of 256 congestion thresholds, and import and export the thresholds
in batches.
l Congestion detection object
Indicates the links and virtual tunnels that are bound with congestion thresholds.
One link or virtual tunnel can be bound with a maximum of eight congestion thresholds.
You can add a maximum of 4096 link congestion detection objects and 40,000 virtual tunnel
detection objects.
Function Description
The provided functions are as follows:
l Adding the link or virtual tunnel congestion detection objects, and viewing the status and
congestion logs of all congestion detection objects.
l Applying dynamic QoS policies to links or virtual tunnel congestion detection objects. In
this way, the policy takes effect only when the object is in congestion state.
The QoS policies applied to links or virtual tunnels support policy items including rate
limiting, priority mark, number of connections control, pass, and not remark.
l Applying dynamic QoS policies to subscribers. In this way, the policy takes effect when
the link or virtual tunnel is in congestion state.
The QoS policies applied to subscribers support policy items including rate limiting,
priority mark, number of connections control, pass, not remark, throttling, strict priority,
and weighted fair queue.
NOTE
For details on the QoS policies, see 5.4 Configuring Traffic QoS.
[Flowchart: Start; decision "Is the congestion control performed?" (Yes/No); End]
Operation: Add congestion detection objects.
Description: Bind the links or virtual tunnels to be detected with the congestion
threshold.
Operation page: In the navigation tree, choose Subscriber and
Network Management > Network > Physical Link Management >
Link Congestion Detection Object Management.

Operation: Add a QoS policy package.
Description: Operation page: In the navigation tree, choose Traffic Management
> QoS > QoS Policy Package Management.
NOTE
For details on the QoS policies, see 5.4 Configuring Traffic QoS.

Operation: Apply the QoS policy package.
Description: Apply the QoS policy to links or virtual tunnels so that the policy takes
effect when congestion occurs. Or apply the QoS policy to subscribers
so that the policy takes effect when congestion occurs on a link or
virtual tunnel.
The operation pages include:
l The operation page for applying the policy package to links: In the
navigation tree, choose Subscriber and Network Management
> Network > Physical Link Management > Link Policy
Application.
l The operation page for applying the policy package to virtual
tunnels: In the navigation tree, choose Subscriber and Network
Management > Network > Virtual Tunnel Management >
Virtual Tunnel Policy Application.
l The operation page for applying the policy package to subscribers:
In the navigation tree, choose Subscriber and Network
Management > Subscriber > Policy Application.
Prerequisites
l 4.4 Configuring the Link is complete. The name of the link to be managed is
10G-53-70-xianwang.
l The current user has rights including Traffic Management, Subscriber and Network
Management, and Basic Configuration.
Requirement Description
Figure 5-112 shows the network of a carrier. The requirements for controlling the congestion
of 10G link 10G-53-70-xianwang are as follows:
l If the upstream bandwidth is over 5 Gbit/s for more than 15 minutes, the link is congested.
l When the link is congested, if the downstream bandwidth is lower than 4 Gbit/s for 25
minutes, the link is considered in normal state.
l When the link is congested, the P2P and PeerCasting traffic of the link is limited to
1 Gbit/s. When the link is normal, the limitation is canceled.
[Figure 5-112: External Network, Router A, Front End on link 10G-53-70-xianwang, Router B, Internal Network]
Procedure
Step 1 Add the congestion threshold.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Congestion Threshold Configure.
2. Click Add.
3. Set parameters according to Figure 5-113.
4. Click OK.
4. Click OK.
4. Click Add.
----End
Verification
l Choose Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Traffic
Trend, and query the link traffic trend report to check whether the link traffic is controlled
as expected.
l Choose Statistics and Analysis Report > Traffic > Link and Virtual Tunnel >
Congestion Log, and check the congestion logs of the link.
Prerequisites
l 4.5.7 Typical Configuration Example 2 (User Attribute Virtual Tunnel, Defining BTS
as the Virtual Tunnel Category) in 4.5 Configuring the Virtual Tunnel is completed.
The name of the BTS to be managed is BTS1.
l The current user has rights including Traffic Management, Subscriber and Network
Management, and Basic Configuration.
Requirement Description
Figure 5-117 shows the network of a carrier. The requirements for controlling the congestion
of BTS1 are as follows:
l If the downstream bandwidth is over 4 Mbit/s for more than 15 minutes, the BTS is
congested.
l When the link is congested, if the downstream bandwidth is lower than 3 Mbit/s for more
than 15 minutes, the BTS is considered in normal state.
l When the BTS is congested, the P2P and PeerCasting traffic of the BTS is limited to
1 Mbit/s. When the BTS is normal, the limitation is canceled.
[Figure 5-117: IP backbone with PE and CE routers, the DPI system (Front End and Back End), GN1 and GN2, and the wireless access network with SN1, SN2, and BTS1 to BTS3]
Procedure
Step 1 Add the congestion threshold.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Congestion Threshold Configure.
2. Click Add.
4. Click OK.
4. Click OK.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Physical Link Management > Link Congestion Detection Object Management.
2. Check the congestion status in the object list.
4. Click OK.
----End
Verification
l Choose Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Traffic
Trend, and query the virtual tunnel traffic trend report to check whether the virtual tunnel
traffic is controlled as expected.
l Choose Statistics and Analysis Report > Traffic > Link and Virtual Tunnel >
Congestion Log, and check the congestion logs of the virtual tunnel.
Prerequisites
l 4.4 Configuring the Link is complete. The name of the link to be managed is
10G-53-70-xianwang.
Requirement Description
Figure 5-122 shows the network of a carrier. The requirements for controlling the congestion
are as follows:
Figure 5-122 Networking example for controlling the subscriber traffic when the link is
congested
[Figure: Internet, Router, Switch1, Switch2, DPI System (Front End and Back End), link 10G-53-70-xianwang, BRAS, Internal Network]
Procedure
Step 1 Add the congestion threshold.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Congestion Threshold Configure.
2. Click Add.
3. Set parameters according to Figure 5-123.
4. Click OK.
Step 2 Add congestion detection objects.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Physical Link Management > Link Congestion Detection Object Management.
2. Click Add.
3. Set parameters according to Figure 5-124.
4. Click OK.
4. Click OK.
----End
Verification
l Choose Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Traffic
Trend, and query the link traffic trend report to learn the traffic trend of the link.
l Choose Statistics and Analysis Report > Traffic > Link and Virtual Tunnel >
Congestion Log, and check the congestion logs of the link.
l Choose Statistics and Analysis Report > Traffic > Subscriber > Traffic Trend, and
query the subscriber traffic trend report to check whether the subscriber traffic is controlled
as expected.
Prerequisites
The current user has the Subscriber and Network Management and Statistics and Analysis
Report service rights.
Context
According to the five-minute traffic report, the Front End checks the status of the link or virtual
tunnel. If an object matches the congestion trigger or release conditions, the Front End sends the
message to the Back End.
Procedure
Step 1 (Optional) Check the current congestion status of links.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Physical Link Management > Link Congestion Detection Object Management.
2. Check the current congestion status in the congestion detection object list.
2. Select the object to be analyzed as Link or Virtual Tunnel, and enter the time range.
3. Click Query Report. The system displays the congestion logs, as shown in Figure 5-127.
----End
5.6.1 Overview
This section describes the concepts related to traffic direction statistics and its various functions.
l Traffic direction
Indicates the network traffic analysis object between two specified networks.
The SIG supports the following traffic direction objects:
– Between one link (or link group) and one AS domain group
– Between one AS domain group and another AS domain group
– Between one subnet and one AS domain group
– Between one subnet and another subnet
l Outgoing, incoming, and transit traffic
Outgoing, incoming, and transit traffic is valid only for analysis objects in the traffic
direction between one link and one AS domain group. Transit traffic is available only
when statistics are collected irrespective of traffic type.
When statistics on traffic are not collected by traffic type:
– Outgoing traffic is the upstream traffic whose IP packets originate from the local
domain group (that is, the IP address of the internal network) and are destined for the AS
domain group.
– Incoming traffic is the downstream traffic whose IP packets originate from the AS
domain group and are destined for the local domain group.
– Transit traffic is the traffic whose IP packets originate from the AS domain group and
are destined for the non-local domain group.
When statistics on traffic are collected by traffic type:
– Outgoing traffic is the upstream traffic whose IP packets are destined for the AS domain
group.
– Incoming traffic is the downstream traffic whose IP packets originate from the AS
domain group.
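The two sets of definitions above put the same packet into different buckets. The following classifier is an added example, not code from the SIG. It assumes that the local domain group and the AS domain group can each be represented as a list of IP prefixes (constructed documentation ranges here) and that each packet carries an upstream/downstream flag.

```python
import ipaddress
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Constructed prefixes (documentation ranges), assumed for illustration.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]       # local domain group
AS_GROUP_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # AS domain group

Packet = Tuple[str, str, bool, int]  # (src, dst, upstream, bytes)


def in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def classify(src: str, dst: str, upstream: bool,
             by_traffic_type: bool) -> Optional[str]:
    """Returns 'outgoing', 'incoming', 'transit', or None if no rule matches."""
    src_as, dst_as = in_any(src, AS_GROUP_NETS), in_any(dst, AS_GROUP_NETS)
    if by_traffic_type:
        # Only the traffic direction and the AS-side address are checked.
        if upstream and dst_as:
            return "outgoing"
        if not upstream and src_as:
            return "incoming"
        return None
    src_local, dst_local = in_any(src, LOCAL_NETS), in_any(dst, LOCAL_NETS)
    if upstream and src_local and dst_as:
        return "outgoing"
    if not upstream and src_as and dst_local:
        return "incoming"
    if src_as and not dst_local:
        return "transit"
    return None


def tally(packets: Iterable[Packet], by_traffic_type: bool) -> Dict[str, int]:
    """Sums bytes per bucket; packets that match no rule go to 'unmatched'."""
    totals: Counter = Counter()
    for src, dst, upstream, size in packets:
        bucket = classify(src, dst, upstream, by_traffic_type) or "unmatched"
        totals[bucket] += size
    return dict(totals)


# Constructed sample packets.
PACKETS = [
    ("192.0.2.10", "198.51.100.5", True, 1500),   # internal host to AS group
    ("198.51.100.5", "192.0.2.10", False, 4000),  # AS group to internal host
    ("198.51.100.5", "203.0.113.9", False, 700),  # AS group to non-local host
    ("203.0.113.9", "198.51.100.5", True, 300),   # non-local host to AS group
    ("192.0.2.10", "203.0.113.9", True, 900),     # no AS group address
]

if __name__ == "__main__":
    print(tally(PACKETS, by_traffic_type=False))
    print(tally(PACKETS, by_traffic_type=True))
```

Under the definitions as written, the 700-byte packet from the AS domain group to a non-local address is transit in the first mode and incoming in the second, so totals from the two modes are not directly comparable.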
The SIG supports collecting statistics on the following traffic direction objects:
l Between one link (or link group) and one AS domain group
The system provides the traffic direction trend report, traffic direction proportion report,
and top N protocol report by traffic for analysis objects in the traffic direction between one
link (or link group) and one AS domain group.
In addition, the system provides report statistics on the traffic trend and proportion of
outgoing, incoming, and transit traffic.
l Between one AS domain group and another AS domain group
The system provides the traffic direction trend report, traffic direction proportion report,
and top N protocol report by traffic for analysis objects in the traffic direction between one
AS domain group and another AS domain group.
l Between one subnet and one AS domain group
The system provides the traffic direction trend report, traffic direction proportion report,
and top N protocol report by traffic for analysis objects in the traffic direction between one
subnet and one AS domain group.
l Between one subnet and another subnet
The system provides the traffic direction trend report, traffic direction proportion report,
and top N protocol report by traffic for analysis objects in the traffic direction between one
subnet and another subnet.
[Flowchart: Start; decision "Is the traffic direction statistics configuration added?" (Yes/No); if No, add the traffic direction statistics configuration; End]
Action: Add the traffic direction statistics configuration
Description: By adding the traffic direction statistics configuration, you can enable
statistics collection for all traffic direction objects whose statistics are
to be collected. If the configuration is already added, this action is not
required.
Operation page: In the navigation tree, choose Subscriber and
Network Management > Network > Traffic Direction Object >
Traffic Direction Object Management.
NOTE
To add the traffic direction configuration of a link group, you should make sure
that the traffic direction configuration of the link is already added. For example,
suppose that link group LinkGroup contains two links, namely, Linka and
Linkb. Therefore, to add the traffic direction statistics configuration of the link
group between LinkGroup and one AS domain group, you should first add the
traffic direction statistics configurations of links between Linka and the AS
domain group, between Linkb and the AS domain group.

Action: Query the traffic direction reports
Description: You can enter report query conditions and then implement traffic
direction statistics.
Operation pages include:
l To collect statistics on the traffic between one link (or link group)
and one AS domain group: In the navigation tree, choose Statistics
and Analysis Report > Traffic Direction > Link.
l To collect statistics on the traffic between one AS domain group
and another AS domain group: In the navigation tree, choose
Statistics and Analysis Report > Traffic Direction > AS
Domain Group.
l To collect statistics on the traffic between one subnet and one AS
domain group or between one subnet and another subnet: In the
navigation tree, choose Statistics and Analysis Report > Traffic
Direction > Subnet.
Prerequisites
Requirements are as follows:
If the system displays no data when you query the reports, do as follows:
1. Check whether the time range of the query exceeds the storage cycle. For details on storage cycles, see
21.2 Configuring the Report Storage Cycle.
2. Check whether the configuration of data reporting is correct. For details on data reporting, see
5.8.1 Overview in 5.8 Customized Data Reporting.
Procedure
Step 1 Log in to the Back End.
3. In the pop-up dialog box, select the network objects at both ends for traffic direction
statistics, and then click OK.
4. (Optional) Repeat Step 2.1 to Step 2.3 to add other traffic direction statistics configurations.
Step 3 Select the corresponding operations based on the type of the report to be queried.
l To collect statistics on the traffic between one link (or link group) and one AS domain group,
in the navigation tree, choose Statistics and Analysis Report > Traffic Direction >
Link. Select the report to be queried.
l To collect statistics on the traffic between one AS domain group and another AS domain
group, in the navigation tree, choose Statistics and Analysis Report > Traffic Direction
> AS Domain Group. Select the report to be queried.
l To collect statistics on the traffic between one subnet and one AS domain group or between
one subnet and another subnet, in the navigation tree, choose Statistics and Analysis
Report > Traffic Direction > Subnet. Select the report to be queried.
Step 4 Enter query conditions according to prompts.
TIP
l If you select Save Query Conditions before querying reports, you do not need to enter query conditions
for the next query.
l To apply the report function for timed tasks, click Timed Task. For details, see 21.4 Managing Timed
Task Reports.
To save time for other operations, click Background Implementation. For details, see 21.5 Managing
Background Task Reports.
On the report query interface, you can export reports in different formats:
----End
5.6.4 Report Examples (Between One Link or Link Group and One
AS Domain Group)
This section describes reports on the traffic direction between one link (or link group) and one
AS domain group and provides examples of the reports.
Report Navigation
You can click the following links to view the report examples.
NOTE
The information in the following examples is subject to change without notice.
l Statistics and Analysis Report > Traffic Direction > Link > Trend of Incoming and
Outgoing and Transit Traffic
l Statistics and Analysis Report > Traffic Direction > Link > Proportion of Incoming
and Outgoing and Transit Traffic
l Statistics and Analysis Report > Traffic Direction > Link > Top N Incoming and
Outgoing and Transit Traffic
l Statistics and Analysis Report > Traffic Direction > Link > Traffic Direction Trend
l Statistics and Analysis Report > Traffic Direction > Link > Traffic Direction
Proportion
l Statistics and Analysis Report > Traffic Direction > Link > Top N Protocols by Traffic
Statistics and Analysis Report > Traffic Direction > Link > Trend of Incoming and
Outgoing and Transit Traffic
Through this report, you can view the trends of incoming, outgoing, and transit traffic between
one link and one AS domain group.
NOTE
When you query the curve graph, the system supports the trend forecast function. Once the function is
enabled, the system adds the trend forecast line in the graph. This function is used to display the long-term
traffic trend when the query granularity is relatively large, such as month.
Figure 5-129 Example of the report on the trends of incoming, outgoing, and transit traffic
Statistics and Analysis Report > Traffic Direction > Link > Proportion of Incoming
and Outgoing and Transit Traffic
Through this report, you can view the proportions of incoming, outgoing, and transit traffic
between one link and one AS domain group.
Figure 5-130 shows report examples.
Figure 5-130 Example of the report on the proportions of incoming, outgoing, and transit traffic
Statistics and Analysis Report > Traffic Direction > Link > Top N Incoming and
Outgoing and Transit Traffic
Through this report, you can view the top N incoming, outgoing, and transit traffic statistics
collected in different modes.
Figure 5-131 shows report examples.
Figure 5-131 Example of the report on top 10 incoming, outgoing, and transit traffic
Statistics and Analysis Report > Traffic Direction > Link > Traffic Direction Trend
Through this report, you can view the trend of the traffic between one link (or link group) and
one AS domain group.
NOTE
When you query the curve graph, the system supports the trend forecast function. Once the function is
enabled, the system adds the trend forecast line in the graph. This function is used to display the long-term
traffic trend when the query granularity is relatively large, such as month.
Statistics and Analysis Report > Traffic Direction > Link > Traffic Direction
Proportion
Through this report, you can view the proportion of the traffic between one link (or link group)
and one AS domain group. If you select proportion to total traffic, the report displays the traffic
proportion of the specified traffic type to the total traffic of the analysis object; if you select
proportion to the corresponding traffic type, the report displays the traffic proportion to the traffic
of the type.
Figure 5-133 shows report examples.
Statistics and Analysis Report > Traffic Direction > Link > Top N Protocols by
Traffic
Through this report, you can view top N categories or protocols by traffic between one link (or
link group) and one AS domain group.
Figure 5-134 shows report examples.
Report Navigation
You can click the following links to view the report examples.
NOTE
The information in the following examples is subject to change without notice.
l Statistics and Analysis Report > Traffic Direction > AS Domain Group > Traffic
Direction Trend
l Statistics and Analysis Report > Traffic Direction > AS Domain Group > Traffic
Direction Proportion
l Statistics and Analysis Report > Traffic Direction > AS Domain Group > Top N
Protocols by Traffic
Statistics and Analysis Report > Traffic Direction > AS Domain Group > Traffic
Direction Trend
Through this report, you can view the trend of the traffic between one AS domain group and
another AS domain group.
NOTE
When you query the curve graph, the system supports the trend forecast function. Once the function is
enabled, the system adds the trend forecast line in the graph. This function is used to display the long-term
traffic trend when the query granularity is relatively large, such as month.
Statistics and Analysis Report > Traffic Direction > AS Domain Group > Traffic
Direction Proportion
Through this report, you can view the proportion of the traffic between one AS domain group
and another AS domain group. If you select to query the traffic proportion to the total traffic,
the report displays the traffic proportion of the specified traffic type to the total traffic of the
analysis object; if you select to query the traffic proportion to the corresponding traffic type, the
report displays the traffic proportion to all the category traffic.
Figure 5-136 shows report examples.
Statistics and Analysis Report > Traffic Direction > AS Domain Group > Top N
Protocols by Traffic
Through this report, you can view top N categories or protocols by traffic between one AS
domain group and another AS domain group.
Figure 5-137 shows report examples.
Report Navigation
You can click the following links to view the report examples.
NOTE
The information in the following examples is subject to change without notice.
l Statistics and Analysis Report > Traffic Direction > Subnet > Traffic Direction Trend
l Statistics and Analysis Report > Traffic Direction > Subnet > Traffic Direction
Proportion
l Statistics and Analysis Report > Traffic Direction > Subnet > Top N Protocols by
Traffic
Statistics and Analysis Report > Traffic Direction > Subnet > Traffic Direction
Trend
Through this report, you can view the trend of the traffic between one subnet and one AS domain
group or between one subnet and another subnet.
NOTE
When you query the curve graph, the system supports the trend forecast function. Once the function is
enabled, the system adds the trend forecast line in the graph. This function is used to display the long-term
traffic trend when the query granularity is relatively large, such as month.
Statistics and Analysis Report > Traffic Direction > Subnet > Traffic Direction
Proportion
Through this report, you can view the proportion of the traffic between one subnet and one AS
domain group or between one subnet and another subnet. If you select to query the traffic
proportion to the total traffic, the report displays the traffic proportion of the specified traffic
type to the total traffic of the analysis object; if you select to query the traffic proportion to the
corresponding traffic type, the report displays the traffic proportion to all the category traffic.
Figure 5-139 shows report examples.
Statistics and Analysis Report > Traffic Direction > Subnet > Top N Protocols by
Traffic
Through this report, you can view top N categories or protocols by traffic between one subnet
and one AS domain group or between one subnet and another subnet.
Figure 5-140 shows report examples.
5.7.1 Overview
This section describes various functions of configuring traffic direction QoS.
Traffic direction QoS supports:
l The rate limiting (PIR only) and pass policies based on flow classification on the traffic
direction objects between one link and one AS domain group.
l The rate limiting (PIR only) and pass policies based on flow classification on the traffic
direction objects between one AS domain group and another AS domain group.
l The rate limiting (PIR only) and pass policies based on flow classification on the traffic
direction objects between one subnet and one AS domain group, and between one subnet
and another subnet.
NOTE
The pass policy item has a higher priority than the rate limiting policy item. By applying a
policy package that contains the pass item, you can permit the traffic of a specified subnet and exempt the
target traffic from the traffic QoS or traffic direction QoS policies. For example, suppose you have already
added a policy package that limits the rate of the P2P link traffic. To permit the P2P traffic of specified
IP address segments, you can add the traffic between these addresses and other addresses (the addresses and
existing in the system by default) as the traffic direction objects, and apply the policy package containing
the pass item to the traffic objects.
Related concepts of traffic direction QoS are similar to those of traffic QoS. For details, see
5.4.1 Overview of 5.4 Configuring Traffic QoS.
[Flowchart: Start; decision "Is the traffic direction statistics configuration added?" (Yes/No); if No, add the traffic direction statistics configuration; End]
Action: Add the traffic direction statistics configuration
Description: By adding the traffic direction statistics configuration, you can enable
statistics collection for all traffic direction objects whose statistics are
to be collected. If the configuration is already added, this
action is not required.
Operation page: In the navigation tree, choose Subscriber and
Network Management > Network > Traffic Direction Object >
Traffic Direction Object Management.
NOTE
The operation page for adding the traffic direction statistics configuration is the
same as that for binding the policy package to the traffic direction object. To
facilitate the operation, you can add the policy package first and then perform
these two steps.

Action: Add a policy package
Description: You can add policy packages as required. A policy package can
contain one or multiple policy items.
Operation page: In the navigation tree, choose Traffic Management
> Traffic Direction > Traffic Direction Policy Package
Management.

Action: Apply the policy package to the traffic direction object
Description: Apply an added policy package to traffic direction objects.
Operation page: In the navigation tree, choose Subscriber and
Network Management > Network > Traffic Direction Object >
Policy Application.
Prerequisites
Requirements are as follows:
l 4.4 Configuring the Link and 4.6 Configuring the AS Domain Group are complete.
l The current user has the Traffic Management and Subscriber and Network
Management service permissions.
Requirement Description
The SIG is deployed on the network in in-line mode, as shown in Figure 5-142. The name of
linka is 10G-1-1-linka, and that of linkb is 2.5G-2-1-linkb. Moreover, AS65008 is configured
as AS domain group as8.
It is required to monitor the P2P service traffic between linka and AS65008 and set the maximum
downstream bandwidth for the service to 1000000 kbit/s, as well as monitor the P2P service
traffic between linkb and AS65008 and set the maximum downstream bandwidth for the service
to 250000 kbit/s.
Figure 5-142 Networking diagram of the example for configuring traffic direction QoS (between
one link and one AS domain group)
[Figure: external network (AS65008, AS65009) with RR, Router A, and Router B; Switch; DPI A on linka and DPI B on linkb; Back End; Router C and Router D; internal network (AS65006)]
Procedure
Step 1 Log in to the Back End.
Step 2 Add a policy package.
1. In the navigation tree, choose Traffic Management > Traffic Direction > Traffic
Direction Policy Package Management.
2. Click Add.
3. In the pop-up dialog box, enter myQoSa in Name, and then click Save, as shown in Figure
5-143.
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Click Close. The system returns to the previous page and displays the added policy package.
8. Repeat Step 2.2 to Step 2.7 to add policy package myQoSb and set Maximum
Downstream Bandwidth of P2P traffic to 250000.
Step 3 Add the traffic direction statistics configuration and apply the policy package to the traffic
direction object.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Traffic Direction Object > Traffic Direction Object Management.
2. Click Add.
3. Set parameters according to Figure 5-145.
4. Click OK. The system returns to the previous page and displays the added record.
5. In the navigation tree, choose Subscriber and Network Management > Network >
Traffic Direction Object > Policy Application.
6. Click Add.
7. In the pop-up dialog box, select Traffic Direction from Policy Package Type, select
myQoSa from Policy Package Name, select 10G-1-1-linka-as8 from Traffic Direction
Object.
8. Click OK. The system returns to the previous page.
9. Repeat Step 3.2 to Step 3.8 to bind policy package myQoSb to the traffic direction from
2.5G-2-1-linkb to as8.
----End
Prerequisites
Requirements are as follows:
l 4.6 Configuring the AS Domain Group is complete.
l The current user has the Traffic Management and Subscriber and Network
Management service permissions.
Requirement Description
The SIG is deployed on the network in in-line mode, as shown in Figure 5-146. AS65006 is
configured as AS domain group as6, and AS65008 is configured as AS domain group as8.
It is required to monitor the P2P service traffic between AS65006 and AS65008 and set the
maximum downstream bandwidth for the service to 1250000 kbit/s.
Figure 5-146 Networking diagram of the example for configuring traffic direction QoS (between
one AS domain group and another AS domain group)
[Diagram labels: External network (AS65008, AS65009), RR, Router A, Router B, Switch, DPI A, DPI B, linka, linkb, Back End, Router C, Router D, Internal network (AS65006)]
Procedure
Step 1 Log in to the Back End.
Step 2 Add a policy package.
1. In the navigation tree, choose Traffic Management > Traffic Direction > Traffic
Direction Policy Package Management.
2. Click Add.
3. In the pop-up dialog box, enter myQoS in Name, and then click Save, as shown in Figure
5-147.
Step 3 Add the traffic direction statistics configuration and apply the policy package to the traffic
direction object.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Traffic Direction Object > Traffic Direction Object Management.
2. Click Add.
3. Set parameters according to Figure 5-148.
4. Click OK. The system returns to the previous page and displays the added record.
5. In the navigation tree, choose Subscriber and Network Management > Network >
Traffic Direction Object > Policy Application.
6. Click Add.
7. In the pop-up dialog box, select Traffic Direction from Policy Package Type, select
myQoS from Policy Package Name, select as6-as8 from Traffic Direction Object.
8. Click OK. The system returns to the previous page.
----End
Prerequisites
Requirements are as follows:
• 4.7 Configuring the Subnet and 4.6 Configuring the AS Domain Group are complete.
• The current user has the Traffic Management and Subscriber and Network
Management service permissions.
Requirement Description
The SIG is deployed on the network in in-line mode, as shown in Figure 5-149. Subnet service
object ExampleSubnet is added, and AS65008 is configured as AS domain group as8.
It is required to monitor the traffic between ExampleSubnet and AS65008, and set the maximum
upstream bandwidth to 50000 kbit/s and maximum downstream bandwidth to 100000 kbit/s.
Figure 5-149 Networking diagram of the example for configuring traffic direction QoS (between
one subnet and one AS domain group)
[Diagram labels: External network (AS65008, AS65009), Router, Front End, Switch, Back End, BRAS, User Network (ExampleSubnet)]
Procedure
Step 1 Log in to the Back End.
Step 2 Add a policy package.
1. In the navigation tree, choose Traffic Management > Traffic Direction > Traffic
Direction Policy Package Management.
2. Click Add.
3. In the pop-up dialog box, enter myQoS in Name, and then click Save, as shown in Figure
5-150.
Step 3 Add the traffic direction statistics configuration and apply the policy package to the traffic
direction object.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Traffic Direction Object > Traffic Direction Object Management.
2. Click Add.
3. Set parameters according to Figure 5-151.
4. Click OK. The system returns to the previous page and displays the added record.
5. In the navigation tree, choose Subscriber and Network Management > Network >
Traffic Direction Object > Policy Application.
6. Click Add.
7. In the pop-up dialog box, select Traffic Direction from Policy Package Type, select
myQoS from Policy Package Name, select ExampleSubnet-as8 from Traffic Direction
Object.
8. Click OK. The system returns to the previous page.
----End
Prerequisites
Requirements are as follows:
• 4.7 Configuring the Subnet is complete.
• The current user has the Traffic Management and Subscriber and Network
Management service permissions.
Requirement Description
The SIG is deployed on the network in in-line mode, as shown in Figure 5-152. Subnet service
objects ExampleSubnet1 and ExampleSubnet2 are added.
It is required to monitor the VoIP traffic between ExampleSubnet1 and ExampleSubnet2, and
set the maximum upstream bandwidth to 10000 kbit/s and maximum downstream bandwidth to
10000 kbit/s.
Figure 5-152 Networking diagram of the example for configuring traffic direction QoS (between
one subnet and another subnet)
[Diagram labels: External network, Router, Front End, Switch, Back End, BRAS, User Network (ExampleSubnet1, ExampleSubnet2)]
Procedure
Step 1 Log in to the Back End.
Step 2 Add a policy package.
1. In the navigation tree, choose Traffic Management > Traffic Direction > Traffic
Direction Policy Package Management.
2. Click Add.
3. In the pop-up dialog box, enter myQoS in Name, and then click Save, as shown in Figure
5-153.
Step 3 Add the traffic direction statistics configuration and apply the policy package to the traffic
direction object.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Traffic Direction Object > Traffic Direction Object Management.
2. Click Add.
3. Set parameters according to Figure 5-154.
4. Click OK. The system returns to the previous page and displays the added record.
5. In the navigation tree, choose Subscriber and Network Management > Network >
Traffic Direction Object > Policy Application.
6. Click Add.
7. In the pop-up dialog box, select Traffic Direction from Policy Package Type, select
myQoS from Policy Package Name, select ExampleSubnet1-ExampleSubnet2 from
Traffic Direction Object.
8. Click OK. The system returns to the previous page.
----End
5.8.1 Overview
This section describes the purpose of customized data reporting.
The definable data report policies include:
• Flow classification statistic policy
When the customized flow classification matches any of the following conditions, you can
view the traffic and traffic direction report:
– Policy package has been bound
Apply one or more policy items (rate limiting, number of connections control, strict
priority, or WFQ) to the flow classification, and bind the policy
package to a subscriber or network object. Then you can view the traffic report of the
subscriber and network object according to the flow classification.
– Customized data reporting
In the Traffic Management > Customized Data Reporting > Flow Classification
Statistic Policy page, reference the policy package of a flow classification, and bind
the policy package to a user or network object. Then you can view the traffic report of
the subscriber and network object according to the flow classification.
The subscriber and network objects supported by the customized data reporting function
include subscribers, VICs, links, virtual tunnels, and traffic direction objects.
NOTE
For details on flow classification, see 22.1.1 Overview in 22.1 Managing Flow Classifications and
Flow Classification Items.
• Subscriber protocol statistics policy
Options:
– Collecting statistics on all protocols
Collecting statistics on all the protocol categories in the protocol signature file and traffic
and traffic direction report data. This option consumes the most disk space.
Prerequisites
• 22.1 Managing Flow Classifications and Flow Classification Items and 4
Subscriber and Network Object Initialization are complete.
• The current user has the rights of Traffic Management and Subscriber and Network
Management.
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 Add the policy package for flow classification statistics.
1. In the navigation tree, choose Traffic Management > Customized Data Reporting >
Flow Classification Statistic Policy.
2. Click Add.
3. Enter a name in Policy Package Code, and then click Save.
4. Click Add, enter the policy item name in Item Name, select the flow classification for the
data to be reported in Flow Classification, and click OK. Figure 5-155 shows the system
information that is displayed.
5. (Optional) Repeat the previous operation and add flow classifications for the data to be
reported.
1. Click Close. The system returns to the previous page and displays a new policy package
record.
The following example applies the policy package to a link. Figure 5-155
shows the operation page.
Figure 5-156 Applying the flow classification statistics policy package (1)
4. Click OK. The system returns to the previous page and displays a new record as shown in
Figure 5-157.
Figure 5-157 Applying the flow classification statistics policy package (2)
----End
Follow-up Procedure
You can view the real-time traffic report data in 2 minutes.
Prerequisites
The current user has the Traffic Management service right.
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 In the navigation tree, choose Traffic Management > Customized Data Reporting >
Subscriber Protocol Statistic Policy.
----End
Prerequisites
The current user has the Traffic Management service right.
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 In the navigation tree, choose Traffic Management > Customized Data Reporting >
Subscriber Group Statistic Policy.
Step 3 Optional operations are as follows:
• To enable the statistics collection, select the user group to be enabled, and click Start
Statistics.
• To disable the statistics collection, select the user group to be disabled, and click Cancel
Statistics.
----End
6 FUP Service
Through the Fair Usage Policy (FUP) service, the SIG limits the bandwidth of monthly-fee
users. When a user exceeds a certain quota, the user's bandwidth is reduced to a minimum. In this
way, the SIG provides the FUP service for wireless and fixed network users.
The Fair Usage Policy (FUP) means limiting a user's bandwidth usage (by traffic quota or
duration quota) in a specified period of time and adjusting policies when a user's total traffic,
traffic of a specified service, total duration, or the duration of a specified service exceeds the
corresponding quota. Using the FUP, you can reduce the bandwidth for the total traffic or the
traffic of a specified service so as to fairly allocate network resources, or send notifications to
users when their traffic or duration usage reaches a certain amount.
In short, the FUP service of the SIG is policy control based on the traffic/duration usage, as
shown in Figure 6-1.
When the user traffic exceeds the specified value, the corresponding bandwidth is limited. For
example:
• When user traffic is less than 1000 MB, the bandwidth is limited to 1000 kbit/s.
• When user traffic is between 1000 MB and 2000 MB, the bandwidth is limited to 500 kbit/s.
• When user traffic is more than 2000 MB, the bandwidth is limited to 250 kbit/s.
The data configuration engineer can configure redirection. When the used quota reaches a certain
level or the quota is used up, user's HTTP access is redirected and the user is prompted with
recharge or other information.
[Figure labels: Back End, RADIUS Server, PCRF, RADIUS Packet, Gx, Gi, IP/MPLS, SGSN, GGSN, PCEF (Front End), DPI System; services shown: Video Streaming, Voice, VoIP]
NOTE
The RADIUS proxy server on the Back End of the SIG system (which is the DPI system in the figure) can
obtain account information in Carbon Copy (CC), listen, proxy, or sniffer mode (the figure shows the CC
mode). In this scenario, the Front End, that is, the DPI device, acts as the PCEF.
[Figure labels: Backbone, PCRF, Route of MAN, DPI System, RADIUS Packet, BRAS, Users]
NOTE
In this scenario, the Front End of the SIG, serving as the DPI device, is deployed at the access layer.
• Collects the quota of the total traffic and controls the total traffic.
• Collects the quota of the service traffic and controls the service traffic.
• Collects the quota of the total traffic and controls service traffic.
• Collects the quota of Web sites except some specified ones and controls the traffic.
• Uses certain quota for some specified Web sites for free, and then collects the quota of the
charged traffic and controls the traffic.
• Collects the quota of the total traffic respectively in local and roaming places and controls
the traffic when the user is roaming.
Based on the processing modes of RADIUS packets, the Sniffer-RADIUS mode has two
submodes:
– Monitor mode
Upon receiving the RADIUS packet, the Front End sends a copy of the packet to the
RADIUS proxy server, and then sends the RADIUS packet to the AAA server through
the outbound interface. After receiving the ACK message, the Front End deletes the
copy of the RADIUS packets. If the ACK message is not received within the timeout
duration (you can set it to a value from 100 milliseconds to 10 seconds), the Front End
retransmits the RADIUS packets as configured (you can set the number of
retransmissions to a value from 0 to 5).
This mode is used on the Front End by default. This mode ensures that the RADIUS
packets are preferentially sent to the AAA server. If the Front End cannot process the
RADIUS packets because of an anomaly on the SPS (for example, the cache exceeds
the upper limit), the Front End sends the RADIUS packets directly to the AAA server,
not the RADIUS proxy server.
– In-line mode
Upon receiving a RADIUS packet, the Front End sends a copy of it to the RADIUS
proxy server. After receiving the ACK message from the proxy server, the Front End
sends the RADIUS packet to the AAA server. If the Front End cannot receive the ACK
message, the Front End discards the RADIUS packet.
This mode preferentially ensures the RADIUS packets received by the RADIUS proxy
server are the same as those received by the AAA server. You are advised to use this
mode when the NAS supports the response and retransmission mechanism. You can
also use this mode when the charging service is enabled.
NOTE
The RADIUS packet must carry Mobile Station Integrated Service Digital Network (MSISDN) or
International Mobile Subscriber Identity (IMSI).
The device that acts as the NAS depends on the network type.
• On the fixed network, the Broadband Remote Access Server (BRAS) acts as the NAS.
• On the GPRS/WCDMA networks, the Gateway GPRS Support Node (GGSN) acts as the NAS.
• On the CDMA/CDMA2000 networks, the Packet Data Serving Node (PDSN) acts as the NAS.
• On the Worldwide Interoperability for Microwave Access (WiMAX) networks, the ASN-GW acts as
the NAS.
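The trade-off between the two Sniffer-RADIUS submodes is easier to see when the same packets are run through both, so the following added Python model (not Huawei code and not part of the original guide) does that. It assumes that monitor-mode retransmission means resending the copy to the RADIUS proxy server and that in-line mode makes a single attempt; the function and field names are hypothetical and the ACK patterns are constructed.

```python
"""Model of the two Sniffer-RADIUS submodes (added illustration, not vendor code)."""
from dataclasses import dataclass

TIMEOUT_MS_RANGE = (100, 10_000)  # ACK timeout: 100 milliseconds to 10 seconds
RETRANSMIT_RANGE = (0, 5)         # number of retransmissions: 0 to 5


@dataclass(frozen=True)
class Outcome:
    aaa_received: bool  # the RADIUS packet reached the AAA server
    proxy_acked: bool   # the RADIUS proxy server acknowledged a copy
    copies_sent: int    # copies sent to the RADIUS proxy server


def validate_settings(timeout_ms, retransmissions):
    """Reject values outside the ranges the guide gives for monitor mode."""
    lo, hi = TIMEOUT_MS_RANGE
    if not lo <= timeout_ms <= hi:
        raise ValueError(f"ACK timeout must be {lo}..{hi} ms, got {timeout_ms}")
    lo, hi = RETRANSMIT_RANGE
    if not lo <= retransmissions <= hi:
        raise ValueError(f"retransmissions must be {lo}..{hi}, got {retransmissions}")


def forward(mode, proxy_acks, retransmissions=0, sps_healthy=True):
    """Process one RADIUS packet on the Front End.

    proxy_acks holds one bool per copy sent: True if the proxy ACKs it in time.
    """
    validate_settings(TIMEOUT_MS_RANGE[0], retransmissions)
    acks = iter(proxy_acks)
    if mode == "monitor":
        if not sps_healthy:
            # SPS anomaly: the packet goes directly to the AAA server only.
            return Outcome(True, False, 0)
        copies = 0
        for _ in range(1 + retransmissions):
            copies += 1
            if next(acks, False):
                return Outcome(True, True, copies)
        # The AAA server has the packet, but the proxy never confirmed a copy.
        return Outcome(True, False, copies)
    if mode == "inline":
        # The packet is released to the AAA server only after the proxy ACK.
        acked = bool(next(acks, False))
        return Outcome(acked, acked, 1)
    raise ValueError(f"unknown mode: {mode}")


def summarize(outcomes):
    """Count where the AAA server and the proxy server agree or diverge."""
    counts = {"both": 0, "aaa_only": 0, "dropped": 0}
    for o in outcomes:
        if not o.aaa_received:
            counts["dropped"] += 1
        elif o.proxy_acked:
            counts["both"] += 1
        else:
            counts["aaa_only"] += 1
    return counts


def compare(packets, retransmissions):
    """Run the same ACK patterns through both submodes."""
    return {
        mode: summarize(forward(mode, p, retransmissions) for p in packets)
        for mode in ("monitor", "inline")
    }


# Constructed ACK patterns for four packets (not captured traffic).
SAMPLE_PACKETS = [[True], [False, True], [False, False, False], [True]]

if __name__ == "__main__":
    for mode, counts in compare(SAMPLE_PACKETS, retransmissions=1).items():
        print(mode, counts)
```

In monitor mode a missed ACK leaves a packet that the AAA server saw and the proxy server did not, while in in-line mode the same miss drops the packet and relies on the NAS to retransmit.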
6.2.1 Overview
To configure the FUP service, you need to learn the related concepts of the FUP service.
Concepts related to the FUP service are as follows:
• Quota
For dual-stack users who use both the IPv4 and IPv6 addresses, traffic/duration of the IPv4 and IPv6
addresses share the quota, but are controlled separately.
For other concepts, refer to the related documents of the UPCC.
The following examples describe the service traffic and total traffic. Configurations of the
service duration and total duration are similar to those of the traffic and are therefore omitted.
Flowchart Navigation
You can view configuration procedures in various scenarios by clicking the following links:
[Flowchart labels: No, Add the flow class, Add a PLMN, Add a notification, Add a quota, Add a condition group, End]
Action: Description
Add the flow class: Add the flow class manually when the predefined ones are insufficient.
Operation location: Back-end UI of the SIG. In the navigation tree, choose Basic Configuration > Flow Classification Management > Flow Classification Configuration.
Add the rating group: To control service traffic, you need to add the rating group; to control total traffic, no adding is required.
In the FUP service, rating group IDs only serve as bridges. Through the adding of the FUP service configuration, a rating group ID can be bound to the flow class (such as HTTP, FTP, or P2P). When adding an FUP quota, you can identify the flow classification through the rating group.
Operation location: Back-end UI of the SIG. In the navigation tree, choose Value-added Service > Application Charging > Application Mapping > Rating Group Management.
Add an FUP traffic control policy package: Through this action, you can bind different FUP traffic control policy packages to corresponding quota levels. The system automatically generates IDs for policy packages after they are added.
Operation location: Back-end UI of the SIG. In the navigation tree, choose Value-added Service > Application Charging > FUP > FUP Traffic Control Policy Package Management.
Add the FUP service configuration: To control service traffic, you need to add the FUP service configuration; to control total traffic, no adding is required.
One FUP service configuration can include one or multiple configuration items. After adding, the system automatically generates policy package IDs.
Operation location: Back-end UI of the SIG. In the navigation tree, choose Value-added Service > Application Charging > FUP > FUP Service Configuration.
Add a PLMN: To configure the roaming policy, you need to add a PLMN.
When the user accesses the mobile network, the system determines whether the user is in the local or roaming place according to the PLMN information. The local and roaming places apply their own policies.
Operation location: UPCC Web UI. In the navigation tree, choose Location Management > Location > PLMN.
Add a notification: To notify the user of the current status through a short message or email, you need to add a notification.
Operation location: UPCC Web UI.
• In the navigation tree, choose System Management > System Configuration > Message Template.
• In the navigation tree, choose Policy Management > Policy > Notification.
Add a quota: Both the service quota and the session quota are available.
• To control service traffic, select the service quota. The rating group can be bound to the flow classification. In this case, the rating group ID is required.
• To control total traffic, select the session quota.
Operation location: UPCC Web UI. In the navigation tree, choose Service Management > Service > Quota.
Add a condition group: To configure the rule, you need to add a condition group. A condition group consists of basic information and multiple conditions. A condition comprises the attributes of certain value-specified objects.
Operation location: UPCC Web UI. In the navigation tree, choose Policy Management > Policy > Condition Group.
Add a rule: A rule is required during the configuration of the policy. Configuring a rule is to bind the configured FUP traffic control policy package to the FUP service configuration policy package. Both the FUP traffic control policy package and its ID are required.
Since the FUP policy package is already configured on the Back End of the SIG, you need to select Predefined rule.
Operation location: UPCC Web UI. In the navigation tree, choose Policy Management > Policy > Rule.
Add a policy: A policy is required during the service configuration. Each policy comprises one trigger and multiple rules.
Operation location: UPCC Web UI. In the navigation tree, choose Policy Management > Policy > Policy.
Bind the service to a user: Bind the user to the configured FUP service.
Operation location: UPCC Web UI. In the navigation tree, choose Subscriber Management > Subscriber > Subscriber.
[Flowchart labels: No, Back End of the DPI system, Add the flow class, Add a quota, Add a policy, Add a service, End]
Action: Description
Add the flow class: Add the flow class manually when the predefined ones are insufficient.
Operation location: Back-end UI of the SIG. In the navigation tree, choose Basic Configuration > Flow Classification Management > Flow Classification Configuration.
Add a quota: Both the service quota and the session quota are available.
• To control service traffic, select the service quota. The rating group can be bound to the flow classification.
• To control total traffic, select the session quota.
Operation location: UPCC Web UI. In the navigation tree, choose Service Management > Service > Quota.
Add a condition group: To configure the rule, you need to add a condition group. The condition group consists of basic information and multiple conditions. A condition comprises the attributes of certain value-specified objects.
Operation location: UPCC Web UI. In the navigation tree, choose Policy Management > Policy > Condition Group.
Add an action group: To configure a dynamic rule, you need to add an action group. The action group consists of basic information and multiple actions. An action comprises certain value-specified elements.
Operation location: UPCC Web UI. In the navigation tree, choose Policy Management > Policy > Action Group.
Add a rule: A rule is required during the configuration of the policy. Configuring a rule is to bind the configured FUP traffic control policy package to the FUP service configuration policy package.
Since the FUP policy package is already configured on the Back End of the SIG, you need to select predefined rule.
Operation location: UPCC Web UI. In the navigation tree, choose Policy Management > Policy > Rule.
Add a policy: A policy is required during the service configuration. Each policy comprises one trigger and multiple rules.
Operation location: UPCC Web UI. In the navigation tree, choose Policy Management > Policy > Policy.
Bind the service to a user: Bind the user to the configured FUP service.
Operation location: UPCC Web UI. In the navigation tree, choose Subscriber Management > Subscriber > Subscriber.
Prerequisites
Requirements are as follows:
• The connection of the SIG to the UPCC is commissioned. For details, see Connecting the
Front End to the PCRF, Connecting the PCRF to the Front End, and Commissioning
the Connection to the PCRF in HUAWEI SIG9800 Service Inspection Gateway
Commissioning Guide.
• 4.2 Configuring the Subscriber is complete, and the account of the subscriber (the target
user) to be managed is 460100000000022.
• The current user has the Value-added Service service permission.
• The current user has the permission to operate the UPCC.
NOTE
To learn more about the UPCC, refer to related technical documents provided by the corresponding vendor.
Requirement Description
The SIG interworks with the UPCC, and the FUP service is required. Figure 6-6 shows the
networking.
[Figure 6-6 labels: RADIUS Server, PCRF (RM9000), RADIUS Packet, Gx, Gi, User: 460100000000022, SGSN, GGSN, PCEF (Front End), DPI System]
[Figure fragment: Policy 2 policy_fup; quota status change trigger UsageStatusChange; predefined policy; FUP traffic control policy package exhuast (Flow Classification: Total; Upstream: 64 kbit/s; Downstream: 64 kbit/s)]
Suppose that the user subscribes to service_fup, and the service has session quota quota_fup.
• Policy policy_ipcan: When a user is activated during the access to the mobile data network,
and the current quota status is matched with the rule in the policy, the matched rule is
considered as the current control policy of the user. For example, if the quota of the current
online user is less than 40% of the total quota, and rule rule-normal is employed, the
upstream and downstream bandwidths of the total traffic are limited to 1024 kbit/s and 2048
kbit/s respectively.
• Policy policy_fup: defines the quota status-based policy control. When the quota status
changes, the control policy is switched to the corresponding one of the new quota status.
rule-normal: Accumulated traffic quota usage within a month < 40% of the total quota. The maximum uplink bandwidth is 1024 kbit/s, and the maximum downlink bandwidth is 2048 kbit/s.
rule-level1: 40% of the total quota ≤ Accumulated quota usage within a month < 80% of the total quota. The maximum uplink bandwidth is 512 kbit/s, and the maximum downlink bandwidth is 1024 kbit/s.
rule-level2: 80% of the total quota ≤ Accumulated quota usage within a month < 100% of the total quota. The maximum uplink bandwidth is 256 kbit/s, and the maximum downlink bandwidth is 512 kbit/s.
rule-exhaust: 100% of the total quota ≤ Accumulated quota usage within a month. Both the maximum uplink and downlink bandwidths are 64 kbit/s.
Data Planning
You can click the following links to view the data planning of main parameters:
• Table 6-3 shows the data planning of quota quota_fup.
• Table 6-4 shows the data planning of policy policy_ipcan.
• Table 6-5 shows the data planning of policy policy_fup.
• Table 6-6 shows the data planning of service service_fup.
• Table 6-7 shows the data planning of user 460100000000022.
Value(KB): 1000000
CAUTION
In the UPCC, 1 KB=1024 bytes. The UPCC delivers traffic to the Front
End, in bytes. When the quota value on the UPCC is set to 1,000,000 KB,
the traffic of 1024 x 1,000,000 bytes is delivered from the UPCC to the
Front End.
However, on the SIG, 1 KB=1000 bytes. That is, the SIG actually receives
1,024,000 KB traffic.
Slice(%): 5
Description: -
Level2: 80
Exhaust: 100
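The rule thresholds and the unit CAUTION above combine into one check, shown here as an added Python example (not part of the Huawei guide or product code): it maps a usage reading in SIG kilobytes to the rule and policy package that apply for quota_fup. The function names are hypothetical; the thresholds, bandwidths and package codes are the ones planned in this example.

```python
"""FUP quota levels for quota_fup, including the UPCC/SIG kilobyte difference."""
from dataclasses import dataclass

UPCC_BYTES_PER_KB = 1024  # UPCC: 1 KB = 1024 bytes (from the CAUTION)
SIG_BYTES_PER_KB = 1000   # SIG:  1 KB = 1000 bytes (from the CAUTION)


@dataclass(frozen=True)
class Rule:
    name: str
    package_code: str  # FUP traffic control policy package bound to the rule
    from_percent: int  # inclusive lower bound of accumulated quota usage
    up_kbit: int       # maximum uplink bandwidth, kbit/s
    down_kbit: int     # maximum downlink bandwidth, kbit/s


# Values taken from the rule table and the procedure of this example.
RULES = (
    Rule("rule-normal", "1:200019", 0, 1024, 2048),
    Rule("rule-level1", "1:200020", 40, 512, 1024),
    Rule("rule-level2", "1:200021", 80, 256, 512),
    Rule("rule-exhaust", "1:200022", 100, 64, 64),
)


def upcc_kb_to_bytes(quota_kb):
    """Bytes the UPCC delivers to the Front End for a quota entered in KB."""
    return quota_kb * UPCC_BYTES_PER_KB


def bytes_to_sig_kb(n_bytes):
    """The same amount expressed in the SIG's 1000-byte kilobytes."""
    return n_bytes // SIG_BYTES_PER_KB


def select_rule(used_bytes, quota_bytes):
    """Return the rule whose usage range contains used_bytes."""
    if quota_bytes <= 0 or used_bytes < 0:
        raise ValueError("quota must be positive and usage non-negative")
    chosen = RULES[0]
    for rule in RULES:
        # Integer comparison avoids rounding errors exactly at a boundary.
        if used_bytes * 100 >= rule.from_percent * quota_bytes:
            chosen = rule
    return chosen


def sig_thresholds(quota_upcc_kb):
    """Usage, in SIG KB, at which each rule starts to apply."""
    quota_bytes = upcc_kb_to_bytes(quota_upcc_kb)
    return {
        r.name: bytes_to_sig_kb(quota_bytes * r.from_percent // 100)
        for r in RULES
    }


def rule_for_sig_reading(sig_used_kb, quota_upcc_kb):
    """Rule that applies for a usage figure read in SIG KB."""
    return select_rule(
        sig_used_kb * SIG_BYTES_PER_KB, upcc_kb_to_bytes(quota_upcc_kb)
    )


if __name__ == "__main__":
    quota_kb = 1_000_000  # Value(KB) planned for quota_fup on the UPCC
    print(sig_thresholds(quota_kb))
    for reading in (409_599, 409_600, 1_000_000, 1_024_000):
        rule = rule_for_sig_reading(reading, quota_kb)
        print(reading, rule.name, rule.package_code, rule.up_kbit, rule.down_kbit)
```

A usage reading of 1,000,000 KB on the SIG is still below the exhaust threshold, because the quota as the SIG counts it is 1,024,000 KB.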
Name: policy_ipcan
Trigger: IPCANSessionEstablish
The triggering condition is the CCR_Initial Request message on
the Gx interface. It is applicable to the scenario where users
access the mobile data network.
Description: -
Rule: rule-normal, rule-level1, rule-level2, rule-exhaust
Name: policy_fup
Trigger: UsageStatusChange
The triggering condition is the change of the quota status, and
the application scenario is the quota status-based policy control.
Description: -
Rule: rule-normal, rule-level1, rule-level2, rule-exhaust
Type: VALUE_ADDED_SERVICE
APN: -
VPN: -
SP: default1
Account: -
Is Meter To Basic: No
Precedence: 0
Description: -
Policy: policy_ipcan, policy_fup
Quota: quota_fup
NOTE
Is Meter To Basic and QoS Mode are irrelevant to this service. For details, refer to the product manual
of the UPCC.
Subscriber ID: 460100000000022
MSISDN: 8613810000022
Service: service_fup
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 Add FUP traffic control policy packages.
1. In the navigation tree, choose Value-added Service > Application Charging > FUP >
FUP Traffic Control Policy Package Management.
2. Click Add.
3. Set Policy Package Code to 1:200019, set Name to normal. Then click Save.
4. Select Rate Limiting from Item Type, and click Add.
5. Set parameters in the dialog box that is displayed. Figure 6-8 shows parameter settings.
NOTE
The policy package codes are required during the adding of rules.
This step is optional, but it is mandatory when you log in to the UPCC Web UI from a client
for the first time.
b. Confirm the security alarm, and then click Yes, as shown in Figure 6-11.
3. Enter values in User Name, Password, and Verify Code, as shown in Figure 6-12.
NOTE
The default user name and password of the administrator of the UPCC Web UI are admin and
huawei respectively.
4. Click Login.
Step 4 Add a quota.
1. In the navigation tree, choose Service Management > Service > Quota.
2. Figure 6-13 shows the configuration page.
When Object Attribute is selected, set Object to Quota and click QuotaStatus. Then click OK.
Refer to Figure 6-15.
2. Add rule rule-normal, and bind it to the configured FUP traffic control policy package. Figure
6-20 shows the configuration page.
The configurations of rules rule-level1, rule-level2, and rule-exhaust are identical to the
configuration of rule rule-normal. These rules are bound to policy packages 1:200020,
1:200021, and 1:200022 respectively.
Step 7 Add policies.
1. In the navigation tree, choose Policy Management > Policy > Policy.
2. Add policy policy_ipcan. Figure 6-21 shows the configuration page.
4. Click OK.
----End
Prerequisites
Requirements are as follows:
• The connection of the SIG to the UPCC is commissioned. For details, see Connecting the
Front End to the PCRF, Connecting the PCRF to the Front End, and Commissioning
the Connection to the PCRF in HUAWEI SIG9800 Service Inspection Gateway
Commissioning Guide.
• 4.2 Configuring the Subscriber is complete, and the account of the subscriber (the target
user) to be managed is 460100000000022.
• The current user has the Value-added Service service permission.
• The current user has the permission to operate the UPCC.
NOTE
To learn more about the UPCC, refer to related technical documents provided by the corresponding vendor.
Requirement Description
The SIG interworks with the UPCC, and the FUP service is required. Figure 6-25 shows the
networking.
[Figure 6-25 labels: RADIUS Server, PCRF (RM9000), RADIUS Packet, Gx, Gi, User: 460100000000022, SGSN, GGSN, PCEF (Front End), DPI System]
Requirements of the FUP service for P2P and VoIP traffic are as follows:
• The target user employs the quota by month; the settlement is in reset mode; the settlement
time is 00:00 on the first day of each month.
• If the total quota is 1024000 KB, the requirements on bandwidth control are as follows:
– When quota consumption is less than 40% of the total quota, upstream and downstream
bandwidths are limited to 1024 kbit/s and 2048 kbit/s respectively.
– When quota consumption exceeds 40% of the total quota, upstream and downstream
bandwidths are limited to 512 kbit/s and 1024 kbit/s respectively.
– When quota consumption exceeds 80% of the total quota, upstream and downstream
bandwidths are limited to 256 kbit/s and 512 kbit/s respectively.
– When quota consumption exceeds 100% of the total quota, both upstream and
downstream bandwidths are limited to 64 kbit/s.
Figure 6-26 shows the relation between configuration objects in the FUP service.
[Figure 6-26 fragment: Policy 2 policy_fup; quota status change trigger UsageStatusChange; predefined policy; FUP service configuration fup_service_con (Flow classification: p2p_voip; Rating Group: p2p_voip)]
Suppose that the user subscribes to service_fup, and the service has service quota quota_fup.
Service service_fup includes two policies:
• Policy policy_ipcan: When a user is activated during the access to the mobile data network,
and the current quota status is matched with the rule in the policy, the matched rule is
considered as the current control policy of the user. For example, if the quota of the current
online user is less than 40% of the total quota, and rule rule-normal is employed, the
upstream and downstream bandwidths of the P2P and VoIP traffic are limited to 1024 kbit/s
and 2048 kbit/s respectively.
• Policy policy_fup: defines the quota status-based policy control. When the quota status
changes, the control policy is switched to the corresponding one of the new quota status.
The following rules need defining:
rule-exhaust: 100% of the total quota ≤ Accumulated quota usage within a month. Both the maximum uplink and downlink bandwidths are 64 kbit/s.
NOTE
When "accumulated traffic quota usage within a month < 40% of the total quota" is met, rules rule-fup-
service-normal and rule-normal are delivered to the user concurrently. That is, while collecting the traffic
quota of the given type, the system limits the bandwidth of this type of traffic. Other conditions are similar.
Data Planning
You can click the following links to view the data planning of main parameters:
Monitor Key: 3
Value(KB): 1000000
CAUTION
In the UPCC, 1 KB=1024 bytes. The UPCC delivers traffic to the Front
End, in bytes. When the quota value on the UPCC is set to 1,000,000 KB,
the traffic of 1024 x 1,000,000 bytes is delivered from the UPCC to the
Front End.
However, on the SIG, 1 KB=1000 bytes. That is, the SIG actually receives
1,024,000 KB traffic.
Slice(%): 5
Description: -
Level2: 80
Exhaust: 100
Name: policy_ipcan
Trigger: IPCANSessionEstablish
The triggering condition is the CCR_Initial Request message
on the Gx interface. It is applicable to the scenario where users
access the mobile data network.
Description: -
Rule: rule-fup-service-normal, rule-fup-service-level1, rule-fup-service-level2, rule-fup-service-exhaust, rule-normal, rule-level1, rule-level2, rule-exhaust
Name: policy_fup
Trigger: UsageStatusChange
The triggering condition is the change of the quota status, and
the application scenario is the quota status-based policy control.
Description: -
Rule: rule-fup-service-normal, rule-fup-service-level1, rule-fup-service-level2, rule-fup-service-exhaust, rule-normal, rule-level1, rule-level2, rule-exhaust
Type: VALUE_ADDED_SERVICE
APN: -
VPN: -
SP: default1
Account: -
Is Meter To Basic: No
Precedence: 0
Description: -
Policy: policy_ipcan, policy_fup
Quota: quota_fup
NOTE
Is Meter To Basic and QoS Mode are irrelevant to this service. For details, refer to the product manual
of the UPCC.
Subscriber ID: 460100000000022
MSISDN: 8613810000022
Service: service_fup
Procedure
Step 1 Log in to the Back End of the SIG.
3. Set Policy Package Code to 1:200019, set Name to p2p_voip_normal. Then click
Save.
4. Select Rate Limiting from Item Type, and click Add.
5. Set parameters in the dialog box that is displayed. Figure 6-27 shows parameter settings.
NOTE
The policy package codes are required when you add rules.
This step is optional, but it is mandatory if you log in to the UPCC Web UI through a client for
the first time.
b. Confirm the security alarm, and then click Yes, as shown in Figure 6-31.
3. Enter values in User Name, Password, and Verify Code, as shown in Figure 6-32.
NOTE
The default user name and password of the administrator of the UPCC Web UI are admin and
huawei respectively.
4. Click Login.
Step 7 Add a quota.
1. In the navigation tree, choose Service Management > Service > Quota.
2. Figure 6-33 shows the configuration page.
When Object Attribute is selected, set Object to Quota and click QuotaStatus. Then click OK.
Refer to Figure 6-35.
2. Add rule rule-normal, and bind it to the configured FUP traffic control policy package. Figure
6-40 shows the configuration page.
The configurations of rules rule-level1, rule-level2, and rule-exhaust are identical to the
configuration of rule rule-normal. These rules are bound to policy packages 1:200020,
1:200021, and 1:200022 respectively.
3. Add the fifth rule, rule-fup-service-normal, and bind it to the FUP service configuration policy
package. Figure 6-41 shows the configuration page.
4. Click OK.
----End
Prerequisites
Requirements are as follows:
• The connection of the SIG to the UPCC is commissioned. For details, see Connecting the
  Front End to the PCRF, Connecting the PCRF to the Front End, and Commissioning
  the Connection to the PCRF in HUAWEI SIG9800 Service Inspection Gateway
  Commissioning Guide.
• 4.2 Configuring the Subscriber is complete, and the account of the subscriber (the target
  user) to be managed is 460100000000022.
• The current user has the Value-added Service service permission.
• The current user has the permission to operate the UPCC.
NOTE
To learn more about the UPCC, refer to related technical documents provided by the corresponding vendor.
Requirement Description
The SIG interworks with the UPCC, and the FUP service is required. Figure 6-46 shows the
networking.
[Figure 6-46: networking diagram. Labels: User 460100000000022, SGSN, GGSN, PCEF (Front End), DPI System, RADIUS Server, RADIUS Packet, PCRF (RM9000), Gi, Gx]
Policy 2 Quota status change trigger Predefined Policy FUP traffic control policy package
policy_fup UsageStatusChange p2p_exhuast Flow classification: P2P; Upstream: 64kbit/s; Downstream: 64kbit/s
Suppose that the user subscribes to service_fup, and the service has service quota quota_fup.
Service service_fup includes two policies:
• Policy policy_ipcan: When a user is activated during the access to the mobile data network,
  and the current quota status is matched with the rule in the policy, the matched rule is
  considered as the current control policy of the user. For example, if the quota of the current
  online user is less than 40% of the total quota, and rule rule-normal is employed, the
  upstream and downstream bandwidths of the P2P traffic are limited to 1024 kbit/s and 2048
  kbit/s respectively.
• Policy policy_fup: defines the quota status-based policy control. When the quota status
  changes, the control policy is switched to the corresponding one of the new quota status.
The following rules need defining:
rule-exhaust | 100% of the total quota ≤ Accumulated quota usage within a month | Both the maximum uplink and downlink bandwidths of P2P traffic are set to 64 kbit/s.
Data Planning
You can click the following links to view the data planning of main parameters:
• Table 6-13 shows the data planning of quota quota_fup.
• Table 6-14 shows the data planning of policy policy_ipcan.
• Table 6-15 shows the data planning of policy policy_fup.
• Table 6-16 shows the data planning of service service_fup.
• Table 6-17 shows the data planning of user 460100000000022.
Value(KB): 1000000
CAUTION
In the UPCC, 1 KB=1024 bytes. The UPCC delivers traffic to the Front
End, in bytes. When the quota value on the UPCC is set to 1,000,000 KB,
the traffic of 1024 x 1,000,000 bytes is delivered from the UPCC to the
Front End.
However, on the SIG, 1 KB=1000 bytes. That is, the SIG actually receives
1,024,000 KB traffic.
Slice(%): 5
Description: -
Level2: 80
Exhaust: 100
Name policy_ipcan
Trigger IPCANSessionEstablish
The triggering condition is the CCR_Initial Request message on
the Gx interface. It is applicable to the scenario where users
access the mobile data network.
Description -
Rule rule-normal
rule-level1
rule-level2
rule-exhaust
Name policy_fup
Trigger UsageStatusChange
The triggering condition is the change of the quota status, and
the application scenario is the quota status-based policy control.
Description -
Rule rule-normal
rule-level1
rule-level2
rule-exhaust
Type: VALUE_ADDED_SERVICE
APN: -
VPN: -
SP: default1
Account: -
Is Meter To Basic: No
Precedence: 0
Description: -
Policy policy_ipcan
policy_fup
Quota quota_fup
NOTE
Is Meter To Basic and QoS Mode are irrelevant to this service. For details, refer to the product manual
of the UPCC.
Subscriber ID 460100000000022
MSISDN 8613810000022
Service service_fup
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 Add the FUP traffic control policy package for P2P traffic.
1. In the navigation tree, choose Value-added Service > Application Charging > FUP >
FUP Traffic Control Policy Package Management.
2. Click Add.
3. Set Policy Package Code to 1:200019, set Name to p2p_normal. Then click Save.
4. Select Rate Limiting from Item Type, and click Add.
5. Set parameters in the dialog box that is displayed. Figure 6-48 shows parameter settings.
NOTE
The policy package codes are required when you add rules.
This step is optional, but it is mandatory if you log in to the UPCC Web UI through a client for
the first time.
a. Select the digital certificate, and then click OK, as shown in Figure 6-50.
b. Confirm the security alarm, and then click Yes, as shown in Figure 6-51.
3. Enter values in User Name, Password, and Verify Code, as shown in Figure 6-52.
NOTE
The default user name and password of the administrator of the UPCC Web UI are admin and
huawei respectively.
4. Click Login.
Step 4 Add a quota.
1. In the navigation tree, choose Service Management > Service > Quota.
2. Figure 6-53 shows the configuration page.
When Object Attribute is selected, set Object to Quota and click QuotaStatus. Then click OK.
Refer to Figure 6-55.
2. Add rule rule-normal, and bind it to the configured FUP traffic control policy package. Figure
6-60 shows the configuration page.
The configurations of rules rule-level1, rule-level2, and rule-exhaust are identical to the
configuration of rule rule-normal. These rules are bound to policy packages 1:200020,
1:200021, and 1:200022 respectively.
Step 7 Add policies.
1. In the navigation tree, choose Policy Management > Policy > Policy.
2. Add policy policy_ipcan. Figure 6-61 shows the configuration page.
4. Click OK.
----End
Prerequisites
Requirements are as follows:
• The connection of the SIG to the UPCC is commissioned. For details, see Connecting the
  Front End to the PCRF, Connecting the PCRF to the Front End, and Commissioning
  the Connection to the PCRF in HUAWEI SIG9800 Service Inspection Gateway
  Commissioning Guide.
• 4.2 Configuring the Subscriber is complete, and the account of the subscriber (the target
  user) to be managed is 460100000000022.
• The current user has the Value-added Service service permission.
• The current user has the permission to operate the UPCC.
NOTE
To learn more about the UPCC, refer to related technical documents provided by the corresponding vendor.
Requirement Description
The SIG interworks with the UPCC, and the FUP service requires enabling. Figure 6-65 shows
the networking.
[Figure 6-65: networking diagram. Labels: User 460100000000022, SGSN, GGSN, PCEF (Front End), DPI System, RADIUS Server, RADIUS Packet, PCRF (RM9000), Gi, Gx]
Condition Group
rule-normal Object Attribute= QuotaStatus; Right Value= Normal
condition-normal
Condition Group
rule-level1 Object Attribute= QuotaStatus; Right Value= Level1
condition-level1
Condition Group
rule-level2 Object Attribute= QuotaStatus; Right Value= Level2
condition-level2
Condition Group
rule-exhaust Object Attribute= QuotaStatus; Right Value= Exhaust
condition-exhaust
Condition Group
rule1 Object Attribute= QuotaStatus; Right Value= Normal
condition-normal
Condition Group
rule2 Object Attribute= QuotaStatus; Right Value= Level1
condition-level1
Condition Group
rule3 Object Attribute= QuotaStatus; Right Value= Level2
condition-level2
Condition Group
rule4 Object Attribute= QuotaStatus; Right Value= Exhaust
condition-exhaust
Policy 2 Quota status change trigger Predefined Policy FUP service configuration (Low priority)
policy_fup_total UsageStatusChange fup_con1 Flow classification: Total; Rating Group: total
• Policy policy_fup_total: defines the quota status-based policy control. When the quota
  status of the non-free traffic quota changes, the control policy is switched to the
  corresponding one of the new quota status.
• Policy policy_ipcan_free: When a user is activated during the access to the mobile data
  network, the traffic of the free type is for free.
  The main category protocol whose free type is user-defined needs to be added with Web
  sites features. The system identifies the traffic of accessing the Web sites by identifying
  the traffic of the free type.
The following rules need defining:
rule-normal | Accumulated traffic quota usage within a month < 40% of the total quota | The maximum uplink bandwidth is 1024 kbit/s, and the maximum downlink bandwidth is 2048 kbit/s.
rule-level1 | 40% of the total quota ≤ Accumulated quota usage within a month < 80% of the total quota | The maximum uplink bandwidth is 512 kbit/s, and the maximum downlink bandwidth is 1024 kbit/s.
rule-level2 | 80% of the total quota ≤ Accumulated quota usage within a month < 100% of the total quota | The maximum uplink bandwidth is 256 kbit/s, and the maximum downlink bandwidth is 512 kbit/s.
rule-exhaust | 100% of the total quota ≤ Accumulated quota usage within a month | Both the maximum uplink and downlink bandwidths are 64 kbit/s.
rule1 | Accumulated traffic quota usage within a month < 40% of the total quota | Defines the mapping between rating group total and total traffic to collect the quota of the total traffic into rating group total.
NOTE
When "accumulated traffic quota usage within a month < 40% of the total quota" is met, rules rule-
normal and rule1 are delivered to the user concurrently. That is, while collecting the traffic quota of the
given type, the system limits the bandwidth of this type of traffic. Other conditions are similar.
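The following added example (not part of the Huawei guide) models the quota-status tiers and the concurrently delivered rule pairs from the rule table above, and applies the difference between the UPCC's 1024-byte KB and the SIG's 1000-byte KB stated in the data planning CAUTION. The thresholds, rule names and bandwidth limits are taken from this section; the function names, the byte-based threshold comparison and the sample usage readings are assumptions made for illustration.

```python
"""Model of the quota-status tiers in the total-traffic FUP example.

Added illustration, not Huawei code. Thresholds, rule names and bandwidth
limits are taken from the rule table; the function names, the byte-based
comparison and the sample readings are assumptions of this sketch.
"""

UPCC_KB = 1024  # bytes per KB on the UPCC (per the CAUTION)
SIG_KB = 1000   # bytes per KB on the SIG (per the CAUTION)

# (QuotaStatus, lower bound in % of quota, bandwidth rule, metering rule,
#  max uplink kbit/s, max downlink kbit/s)
TIERS = [
    ("Normal", 0, "rule-normal", "rule1", 1024, 2048),
    ("Level1", 40, "rule-level1", "rule2", 512, 1024),
    ("Level2", 80, "rule-level2", "rule3", 256, 512),
    ("Exhaust", 100, "rule-exhaust", "rule4", 64, 64),
]


def quota_bytes(value_kb_on_upcc):
    """Bytes the UPCC delivers to the Front End for a quota set in UPCC KB."""
    return value_kb_on_upcc * UPCC_KB


def quota_as_seen_by_sig_kb(value_kb_on_upcc):
    """The same quota expressed in the SIG's 1000-byte KB."""
    return quota_bytes(value_kb_on_upcc) // SIG_KB


def tier_for(used, total):
    """Return the highest tier whose lower bound has been reached.

    `used` and `total` must be in the same unit. Integer arithmetic keeps
    the boundary cases (exactly 40%, 80%, 100%) exact.
    """
    current = TIERS[0]
    for tier in TIERS:
        if used * 100 >= tier[1] * total:
            current = tier
    return current


def rules_for(used_bytes, value_kb_on_upcc):
    """Rules delivered together for the accumulated monthly usage."""
    status, _, bw_rule, meter_rule, up, down = tier_for(
        used_bytes, quota_bytes(value_kb_on_upcc))
    return {"status": status, "rules": [bw_rule, meter_rule],
            "uplink_kbps": up, "downlink_kbps": down}


def compare_readings(used_sig_kb, value_kb_on_upcc):
    """Status from a naive KB-to-KB comparison versus the byte-accurate one.

    The naive result treats a usage figure read on the SIG (1000-byte KB)
    as if it were in the UPCC's 1024-byte KB.
    """
    naive = tier_for(used_sig_kb, value_kb_on_upcc)[0]
    actual = tier_for(used_sig_kb * SIG_KB, quota_bytes(value_kb_on_upcc))[0]
    return naive, actual


if __name__ == "__main__":
    quota_kb = 1_000_000  # Value(KB) from the data planning
    print("Quota on the SIG (KB):", quota_as_seen_by_sig_kb(quota_kb))
    # Constructed usage readings, in SIG KB
    for used_sig_kb in (400_000, 800_000, 1_000_000, 1_024_000):
        print(used_sig_kb, compare_readings(used_sig_kb, quota_kb))
```

A usage figure of 1,000,000 KB read on the SIG is about 97.7% of the configured quota, so in this model the user is still in Level2 rather than Exhaust.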
Data Planning
You can view the data planning of main parameters by clicking the following links:
Monitor Key: 1
Value(KB): 1000000
CAUTION
In the UPCC, 1 KB=1024 bytes. The UPCC delivers traffic to the Front
End, in bytes. When the quota value on the UPCC is set to 1,000,000 KB,
the traffic of 1024 x 1,000,000 bytes is delivered from the UPCC to the
Front End.
However, on the SIG, 1 KB=1000 bytes. That is, the SIG actually receives
1,024,000 KB traffic.
Slice(%): 5
Level2: 80
Exhaust: 100
Name policy_ipcan_total
Trigger IPCANSessionEstablish
The triggering condition is the CCR_Initial Request message on
the Gx interface. It is applicable to the scenario where users
access the mobile data network.
Description -
Rule rule1
rule2
rule3
rule4
rule_normal
rule_level1
rule_level2
rule_exhaust
Name policy_fup_total
Trigger UsageStatusChange
The triggering condition is the change of the quota status, and
the application scenario is the quota status-based policy control.
Description -
Rule rule1
rule2
rule3
rule4
rule_normal
rule_level1
rule_level2
rule_exhaust
Name policy_ipcan_free
Trigger IPCANSessionEstablish
The triggering condition is the CCR_Initial Request message on
the Gx interface. It is applicable to the scenario where users
access the mobile data network.
Description -
Rule rule5
rule6
Type: VALUE_ADDED_SERVICE
APN: -
VPN: -
SP: default1
Account: -
Precedence: 0
Description: -
Policy policy_ipcan_total
policy_fup_total
Quota quota_fup
NOTE
Is Meter To Basic and QoS Mode are irrelevant to this service. For details, refer to the product manual
of the UPCC.
Type: VALUE_ADDED_SERVICE
APN: -
VPN: -
SP: default1
Account: -
Is Meter To Basic: No
Precedence: 0
Description: -
Policy policy_ipcan_free
Quota None
Subscriber ID 460100000000022
MSISDN 8613810000022
Service service_total
service_free
Procedure
Step 1 Log in to the Back End of the SIG.
CAUTION
If a website has multiple domain names, you must add all the domain names
as keywords.
d. Click OK.
e. In the navigation tree, choose Basic Configuration > Flow Classification
Management > Flow Classification Configuration.
f. Click Add.
g. Enter free in Name.
h. Click Add and select the free flow classification item.
i. Click OK, and then click OK again.
Step 4 Add the traffic control policy package for the total traffic.
1. In the navigation tree, choose Value-added Service > Application Charging > FUP >
FUP Traffic Control Policy Package Management.
2. Click Add.
3. Set Policy Package Code to 1:200019, set Name to normal. Then click Save.
NOTE
The policy package codes are required when you add rules.
NOTE
This step is optional, but it is mandatory if you log in to the UPCC Web UI through a client for
the first time.
b. Confirm the security alarm, and then click Yes, as shown in Figure 6-75.
3. Enter values in User Name, Password, and Verify Code, as shown in Figure 6-76.
NOTE
The default user name and password of the administrator of the UPCC Web UI are admin and
huawei respectively.
4. Click Login.
Step 8 Add a quota.
1. In the navigation tree, choose Service Management > Service > Quota.
2. Add quota quota_fup. Figure 6-77 shows the configuration page.
When Object Attribute is selected, set Object to Quota and click QuotaStatus. Then click OK.
Refer to Figure 6-79.
2. Add rule rule-normal, and bind it to the configured FUP traffic control policy package. Figure
6-84 shows the configuration page.
The configurations of rules rule-level1, rule-level2, and rule-exhaust are identical to the
configuration of rule rule-normal. These rules are bound to policy packages 1:200020,
1:200021, and 1:200022 respectively.
3. Add rule rule1 and bind it to FUP service configuration policy package fup_con1
(14:200024) and condition group condition-normal. Figure 6-85 shows the configuration
page.
The configurations of rules rule2, rule3, and rule4 are similar to those of rule rule1. The
former three rules are bound to condition groups condition-level1, condition-level2, and
condition-exhaust respectively, and policy package 14:200024.
4. Add rule rule5 and bind it to FUP service configuration policy package fup_con2
(14:200025). Figure 6-86 shows the configuration page.
5. Add rule rule6 and bind it to the permit policy package (1:200023) of Free traffic. Figure
6-87 shows the configuration page.
4. Click OK.
----End
Prerequisites
Requirements are as follows:
• The connection of the SIG to the UPCC is commissioned. For details, see Connecting the
  Front End to the PCRF, Connecting the PCRF to the Front End, and Commissioning
  the Connection to the PCRF in HUAWEI SIG9800 Service Inspection Gateway
  Commissioning Guide.
• 4.2 Configuring the Subscriber is complete, and the account of the subscriber (the target
  user) to be managed is 460100000000022.
• The current user has the Value-added Service service permission.
• The current user has the permission to operate the UPCC.
NOTE
To learn more about the UPCC, refer to related technical documents provided by the corresponding vendor.
Requirement Description
The SIG interworks with the UPCC, and the FUP service is required. Figure 6-94 shows the
networking.
[Figure 6-94: networking diagram. Labels: User 460100000000022, SGSN, GGSN, PCEF (Front End), DPI System, RADIUS Server, RADIUS Packet, PCRF (RM9000), Gi, Gx]
Service Quota
Value= 1000000KB; Limit: Exhaust=100; Slice= 5%
quota2
Condition Group
rule2 Condition quota1_normal and condition quota2_normal
condition_normal_normal
Condition Group
rule3 Condition quota1_normal and condition quota2_exhaust
condition_normal_exhaust
Condition Group
Rule rule4 Condition quota1_normal and condition quota2_exhaust
condition_normal_exhaust
Condition Group
rule5 Condition quota1_normal and condition quota2_exhaust
condition_normal_exhaust
FUP traffic control policy package
Predefined Policy
Flow classification: total-free; Upstream: 64kbit/s; Downstream:
total-free
64kbit/s
Condition Group
rule6 Condition quota1_exhaust and condition quota2_normal
condition_exhaust_normal
Condition Group
rule7 Condition quota1_exhaust and condition quota2_exhaust
condition_exhaust_exhaust
Condition Group
rule8 Condition quota1_exhaust and condition quota2_exhaust
condition_exhaust_exhaust
Policy 2 Quota status change trigger Predefined Policy FUP traffic control policy package
policy_fup UsageStatusChange total Flow classification: Total; Upstream: 64kbit/s; Downstream: 64kbit/s
• Policy policy_ipcan: When a user is activated during the access to the mobile data network,
  and the current quota status matches the rule in the policy, the matched rule is considered
  as the current control policy of the user. For example, if both the free quota and charged
  quota for the current online user are used up, rule7 and rule8 serve as the control policies
  to collect statistics on user total traffic and limit the upstream bandwidth for the total traffic
  to 64 kbit/s and downstream bandwidth to 64 kbit/s.
• Policy policy_fup: defines the quota status-based policy control over the total traffic. When
  the quota status changes, the control policy is switched to the corresponding one of the new
  quota status.
rule1 | Neither free quota quota1 nor charged quota quota2 is used up. | Defines the mapping between rating group free and free traffic to collect the quota of free traffic into rating group free.
rule3 | Charged quota quota2 is used up but free quota quota1 is not. | Defines the mapping between rating group free and free traffic to collect the quota of free traffic into rating group free.
rule6 | Free quota quota1 is used up but charged quota quota2 is not. | Defines the mapping between rating group charge and charged traffic to collect the quota of the total traffic into rating group charge.
rule7 | Free quota quota1 and charged quota quota2 are both used up. | Defines the mapping between rating group charge and charged traffic to collect the quota of the total traffic into rating group charge.
Data Planning
You can click the following links to view the data planning of main parameters:
Monitor Key: 1
Value(KB): 100000
CAUTION
In the UPCC, 1 KB=1024 bytes. The UPCC delivers traffic to the Front
End, in bytes. When the quota value on the UPCC is set to 1,000,000 KB,
the traffic of 1024 x 1,000,000 bytes is delivered from the UPCC to the
Front End.
However, on the SIG, 1 KB=1000 bytes. That is, the SIG actually receives
1,024,000 KB traffic.
Slice(%): 5
Monitor Key: 2
Value(KB): 1000000
Slice(%): 5
Name policy_ipcan
Trigger IPCANSessionEstablish
The triggering condition is the CCR_Initial Request message on
the Gx interface. It is applicable to the scenario where users
access the mobile data network.
Description -
Rule rule1
rule2
rule3
rule4
rule5
rule6
rule7
rule8
Name policy_fup
Trigger UsageStatusChange
The triggering condition is the change of the quota status, and
the application scenario is the quota status-based policy control.
Description -
Rule rule1
rule2
rule3
rule4
rule5
rule6
rule7
rule8
Type: VALUE_ADDED_SERVICE
APN: -
VPN: -
SP: default1
Account: -
Precedence: 0
Description: -
Policy policy_ipcan
policy_fup
Quota quota1
quota2
NOTE
Is Meter To Basic and QoS Mode are irrelevant to this service. For details, refer to the product manual
of the UPCC.
MSISDN: 8613810000022
Service service
Procedure
Step 1 Log in to the Back End of the SIG.
CAUTION
If a website has multiple domain names, you must add all the domain names
as keywords.
d. Click OK.
e. In the navigation tree, choose Basic Configuration > Flow Classification
Management > Flow Classification Configuration.
f. Click Add.
g. Enter free in Name.
h. Click Add and select the free flow classification item.
i. Click OK, and then click OK again.
3. Add flow classification total-free.
a. Click Add.
b. Enter total-free in Name.
c. Click Add and select all the flow classification items except free.
The policy package codes are required when you add rules.
3. Add a traffic control policy package for the total traffic.
a. Click Add.
b. Set Policy Package Code to 1:200002, set Name to total. Then click Save.
c. Select Rate Limiting from Item Type, and click Add.
d. Set parameters in the dialog box that is displayed. Figure 6-99 shows parameter
settings.
The policy package codes are required when you add rules.
b. Set Service Configuration Code to 14:200002, set Name to fup_free. Then click
Save.
c. Set parameters in the dialog box that is displayed. Figure 6-101 shows parameter
settings.
This step is optional, but it is mandatory if you log in to the UPCC Web UI through a client for
the first time.
b. Confirm the security alarm, and then click Yes, as shown in Figure 6-103.
3. Enter values in User Name, Password, and Verify Code, as shown in Figure 6-104.
NOTE
The default user name and password of the administrator of the UPCC Web UI are admin and
huawei respectively.
4. Click Login.
Step 7 Add quotas.
1. In the navigation tree, choose Service Management > Service > Quota.
2. Add quota quota1. Figure 6-105 shows the configuration page.
NOTE
When Object Attribute is selected, set Object to Quota and click QuotaStatus. Then click
OK. Refer to Figure 6-108.
d. On the Condition tab, click Add to add another condition quota2_normal. Figure
6-109 shows the configuration page. Click OK.
Conditions quota1_normal and quota2_exhaust are involved. Figure 6-110 shows the
added condition group.
Conditions quota1_exhaust and quota2_normal are involved. Figure 6-111 shows the
added condition group.
3. Add rule rule2 and bind it to FUP service configuration policy package fup_charge
(14:200003) and condition group condition_normal_normal. Figure 6-114 shows the
configuration page.
4. Add rule rule3 and bind it to FUP service configuration policy package fup_free
(14:200004) and condition group condition_normal_exhaust. Figure 6-115 shows the
configuration page.
5. Add rule rule4 and bind it to FUP service configuration policy package fup_charge
(14:200003) and condition group condition_normal_exhaust. Figure 6-116 shows the
configuration page.
6. Add rule rule5 and bind it to FUP traffic control policy package total-free (1:200001) and
condition group condition_normal_exhaust. Figure 6-117 shows the configuration page.
7. Add rule rule6 and bind it to FUP service configuration policy package fup_charge
(14:200003) and condition group condition_exhaust_normal. Figure 6-118 shows the
configuration page.
8. Add rule rule7 and bind it to FUP service configuration policy package fup_charge
(14:200003) and condition group condition_exhaust_exhaust. Figure 6-119 shows the
configuration page.
9. Add rule rule8 and bind it to FUP traffic control policy package total (1:200002) and
condition group condition_exhaust_exhaust. Figure 6-120 shows the configuration page.
4. Click OK.
----End
Prerequisites
Requirements are as follows:
• The connection of the SIG to the UPCC is commissioned. For details, see Connecting the
  Front End to the PCRF, Connecting the PCRF to the Front End, and Commissioning
  the Connection to the PCRF in HUAWEI SIG9800 Service Inspection Gateway
  Commissioning Guide.
• 4.2 Configuring the Subscriber is complete, and the account of the subscriber (the target
  user) to be managed is 460100000000022.
• The current user has the Value-added Service service permission.
• The current user has the permission to operate the UPCC.
NOTE
To learn more about the UPCC, refer to related technical documents provided by the corresponding vendor.
Requirement Description
The SIG interworks with the UPCC, and the FUP service is required. Figure 6-125 shows the
networking.
[Figure 6-125: networking diagram. Labels: User 460100000000022, SGSN, GGSN, PCEF (Front End), DPI System, RADIUS Server, RADIUS Packet, PCRF (RM9000), Gi, Gx]
Condition Group
rule_local_normal Object Attribute= QuotaStatus; Right Value= Normal
condition_local_normal
Condition Group
rule_local_level1 Object Attribute= QuotaStatus; Right Value= Level1
condition_local_level1
Message Template
Notification
Notification_Template
Condition Group
Rule rule_local_exhaust_fup Object Attribute= QuotaStatus; Right Value= Exhaust
condition_local_exhaust
Condition Group
rule_local_exhaust_qos Object Attribute= QuotaStatus; Right Value= Exhaust
condition-exhaust
Condition Group
rule_outlocal Object Attribute= RoamingStatus; Right Value= Native
condition_outlocal
Condition Group
rule_roaming_normal Object Attribute= QuotaStatus; Right Value= Normal
condition_roaming_normal
Condition Group
rule_roaming_level1 Object Attribute= QuotaStatus; Right Value= Level1
condition_roaming_level1
Message Template
Notification
Notification_Template
Condition Group
Rule rule_roaming_exhaust_fup Object Attribute= QuotaStatus; Right Value= Exhaust
condition_roaming_exhaust
Condition Group
rule_roaming_exhaust_qos Object Attribute= QuotaStatus; Right Value= Exhaust
condition-exhaust
Condition Group
rule_outroaming Object Attribute= RoamingStatus; Right Value= Native
condition_outroaming
Suppose that the user subscribes to the service_local and service_roaming services. The
service_local service is delivered when the user is in the local and the service_roaming service
is delivered when the user is in the roaming place.
Service service_local includes two policies:
• Policy policy_local_ipcan: When a user is activated during the access to the local mobile
  data network, and the current quota status is matched with the rule in the policy, the matched
  rule is considered as the current control policy of the user.
• Policy policy_local_usage: defines the quota status-based policy control when the user is
  in the local. When the quota status changes, the control policy is switched to the
  corresponding one of the new quota status.
Service service_roaming includes two policies:
• Policy policy_roaming_ipcan: When a user is activated during the access to the mobile
  data network in the roaming place, and the current quota status is matched with the rule in
  the policy, the matched rule is considered as the current control policy of the user.
• Policy policy_roaming_usage: defines the quota status-based policy control when the user
  is in the roaming place. When the quota status changes, the control policy is switched to
  the corresponding one of the new quota status.
rule_local_normal | The user is in the local and the monthly quota accumulation is less than 80% of the total quota. | Defines the mapping between rating group total and total traffic.
rule_local_level1 | The user is in the local and the monthly quota accumulation is between 80% (included) and 100% of the total quota. | Defines the mapping between rating group total and total traffic. When 80% of the total traffic is consumed, the system sends a short message to the user about the consumed traffic.
rule_roaming_level1 | The user is in the roaming place and the monthly quota accumulation is between 80% (included) and 100% of the total quota.
rule_local_exhaust_fup | The user is in the local and the monthly quota accumulation is not less than 100% of the total quota. | Defines the mapping between rating group total and total traffic to collect the quota of the total traffic into rating group total.
rule_local_exhaust_qos | The user is in the local and the monthly quota accumulation is not less than 100% of the total quota. | Both the maximum uplink and downlink bandwidths are 64 kbit/s.
Data Planning
You can click the following links to view the data planning of main parameters:
• Table 6-31 shows the data planning of quota quota_local.
• Table 6-32 shows the data planning of quota quota_roaming.
• Table 6-33 shows the data planning of policy policy_local_ipcan.
• Table 6-34 shows the data planning of policy policy_local_usage.
• Table 6-35 shows the data planning of policy policy_roaming_ipcan.
• Table 6-36 shows the data planning of policy policy_roaming_usage.
• Table 6-37 shows the data planning of service service_local.
• Table 6-38 shows the data planning of service service_roaming.
• Table 6-39 shows the data planning of user 460100000000022.
Monitor Key: 1
Value(KB): 1000000
CAUTION
In the UPCC, 1 KB=1024 bytes. The UPCC delivers traffic to the Front
End, in bytes. When the quota value on the UPCC is set to 1,000,000 KB,
the traffic of 1024 x 1,000,000 bytes is delivered from the UPCC to the
Front End.
However, on the SIG, 1 KB=1000 bytes. That is, the SIG actually receives
1,024,000 KB traffic.
Slice(%): 5
Description: -
Exhaust: 100
Monitor Key: 2
Slice(%): 5
Description: -
Exhaust: 100
Name policy_local_ipcan
Trigger IPCANSessionEstablish
The triggering condition is the CCR_Initial Request message on
the Gx interface. It is applicable to the scenario where users
access the mobile data network.
Description -
Rule rule_local_normal
rule_local_level1
rule_local_exhaust_fup
rule_local_exhaust_qos
rule_outlocal
Name policy_local_usage
Trigger UsageStatusChange
The triggering condition is the change of the quota status, and
the application scenario is the quota status-based policy control.
Description -
Rule rule_local_normal
rule_local_level1
rule_local_exhaust_fup
rule_local_exhaust_qos
rule_outlocal
Name policy_roaming_ipcan
Trigger IPCANSessionEstablish
The triggering condition is the CCR_Initial Request message on
the Gx interface. It is applicable to the scenario where users
access the mobile data network.
Description -
Rule rule_roaming_normal
rule_roaming_level1
rule_roaming_exhaust_fup
rule_roaming_exhaust_qos
rule_outroaming
Name policy_roaming_usage
Trigger UsageStatusChange
The triggering condition is the change of the quota status, and
the application scenario is the quota status-based policy control.
Description -
Rule rule_roaming_normal
rule_roaming_level1
rule_roaming_exhaust_fup
rule_roaming_exhaust_qos
rule_outroaming
Type: VALUE_ADDED_SERVICE
APN: -
VPN: -
SP: default1
Account: -
Precedence: 0
Description: -
Policy policy_local_ipcan
policy_local_usage
Quota quota_local
NOTE
Is Meter To Basic and QoS Mode are irrelevant to this service. For details, refer to the product manual
of the UPCC.
Type: VALUE_ADDED_SERVICE
APN: -
VPN: -
SP: default1
Account: -
Precedence: 0
Description: -
Policy policy_roaming_ipcan
policy_roaming_usage
Quota quota_roaming
MSISDN: 8613810000022
Service service_local
service_roaming
Procedure
Step 1 Log in to the Back End of the SIG.
2. Click Add. Set Number to 1, and Name to total. Then click OK.
This step is optional, but it is mandatory if you log in to the UPCC Web UI through a client for
the first time.
b. Confirm the security alarm, and then click Yes, as shown in Figure 6-130.
3. Enter values in User Name, Password, and Verify Code, as shown in Figure 6-131.
NOTE
The default user name and password of the administrator of the UPCC Web UI are admin and
huawei respectively.
4. Click Login.
2. Add the local PLMN. Figure 6-132 shows the configuration page.
3. Click OK.
Step 7 Add a notification.
1. In the navigation tree, choose System Management > System Configuration > Message
Template.
2. Click Add, and add template Notification_Template. Figure 6-133 shows the configuration
page. Click OK.
3. In the navigation tree, choose Policy Management > Policy > Notification.
4. Click Add, and add notification Notification. Figure 6-134 shows the configuration page.
Click OK.
When Object Attribute is selected, set Object to Quota and click QuotaStatus. Then click
OK. Refer to Figure 6-138.
e. Add condition con2. Figure 6-139 shows the configuration page. Click OK.
NOTE
When Object Attribute is selected, set Object to IPSession and click RoamingStatus. Then
click OK. Refer to Figure 6-140.
8. Add condition group condition_outlocal. Figure 6-151 shows the configuration page.
9. Add condition group condition_outroaming. Figure 6-152 shows the configuration page.
4. Click OK.
----End
Prerequisites
Requirements are as follows:
• The connection of the SIG to the UPCC is commissioned. For details, see Connecting the
Front End to the PCRF, Connecting the PCRF to the Front End, and Commissioning
the Connection to the PCRF in HUAWEI SIG9800 Service Inspection Gateway
Commissioning Guide.
• 4.2 Configuring the Subscriber is complete, and the account of the subscriber (the target
user) to be managed is 460100000000022.
• The current user has the permission to operate the UPCC.
NOTE
To learn more about the UPCC, refer to related technical documents provided by the corresponding vendor.
Requirement Description
The SIG interworks with the UPCC, and the FUP service is required. Figure 6-165 shows the
networking.
[Figure 6-165: networking diagram. Elements: user 460100000000022, SGSN, GGSN, PCEF (Front End) in the DPI system, RADIUS server, PCRF (RM9000). Labelled links: RADIUS packet, Gx, Gi.]
[Figure: relation between configuration objects in the FUP service. Recovered labels:
Policy 2: policy_fup, quota status change trigger (UsageStatusChange)
Each rule binds an action group that carries a traffic control policy for the total traffic and a flow classification:
action-normal: Upstream: 1024 kbit/s; Downstream: 2048 kbit/s; flow classification Total
action-level1: Upstream: 512 kbit/s; Downstream: 1024 kbit/s; flow classification Total
action-level2: Upstream: 256 kbit/s; Downstream: 1024 kbit/s; flow classification Total
action-exhaust: Upstream: 64 kbit/s; Downstream: 64 kbit/s; flow classification Total]
Suppose that the user subscribes to service_fup, and the service has session quota quota_fup.
• Policy policy_ipcan: When a user is activated on accessing the mobile data network, the
rule in the policy that matches the current quota status becomes the current control policy
of the user. For example, if the quota usage of the current online user is less than 40% of
the total quota, rule rule-normal is employed, and the upstream and downstream bandwidths
of the total traffic are limited to 1024 kbit/s and 2048 kbit/s respectively.
• Policy policy_fup: defines the quota status-based policy control. When the quota status
changes, the control policy is switched to the one corresponding to the new quota status.
Rule | Condition | Action
rule-normal | Accumulated traffic quota usage within a month < 40% of the total quota | The maximum uplink bandwidth is 1024 kbit/s, and the maximum downlink bandwidth is 2048 kbit/s.
rule-level1 | 40% of the total quota ≤ Accumulated quota usage within a month < 80% of the total quota | The maximum uplink bandwidth is 512 kbit/s, and the maximum downlink bandwidth is 1024 kbit/s.
rule-level2 | 80% of the total quota ≤ Accumulated quota usage within a month < 100% of the total quota | The maximum uplink bandwidth is 256 kbit/s, and the maximum downlink bandwidth is 512 kbit/s.
rule-exhaust | 100% of the total quota ≤ Accumulated quota usage within a month | Both the maximum uplink and downlink bandwidths are 64 kbit/s.
Data Planning
You can click the following links to view the data planning of main parameters:
Value(KB): 1000000
CAUTION
In the UPCC, 1 KB=1024 bytes. The UPCC delivers traffic to the Front
End, in bytes. When the quota value on the UPCC is set to 1,000,000 KB,
the traffic of 1024 x 1,000,000 bytes is delivered from the UPCC to the
Front End.
However, on the SIG, 1 KB=1000 bytes. That is, the SIG actually receives
1,024,000 KB traffic.
Slice(%): 5
Description: -
Level2: 80
Exhaust: 100
Name policy_ipcan
Trigger IPCANSessionEstablish
The triggering condition is the CCR_Initial Request message
on the Gx interface. It is applicable to the scenario where users
access the mobile data network.
Description -
Rule rule-normal
rule-level1
rule-level2
rule-exhaust
Name policy_fup
Trigger UsageStatusChange
The triggering condition is the change of the quota status, and
the application scenario is the quota status-based policy control.
Description -
Rule rule-normal
rule-level1
rule-level2
rule-exhaust
Type: VALUE_ADDED_SERVICE
APN: -
VPN: -
SP: default1
Account: -
Is Meter To Basic: No
Precedence: 0
Description: -
Policy policy_ipcan
policy_fup
Quota quota_fup
NOTE
Is Meter To Basic and QoS Mode are irrelevant to this service. For details, refer to the product manual
of the UPCC.
Subscriber ID 460100000000022
MSISDN 8613810000022
Service service_fup
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 Log in to the UPCC Web UI.
1. Install the digital certificate for the IE browser.
NOTE
This step is optional, but it is mandatory when you log in to the UPCC Web UI through a client
for the first time.
b. Confirm the security alarm, and then click Yes, as shown in Figure 6-168.
3. Enter values in User Name, Password, and Verify Code, as shown in Figure 6-169.
NOTE
The default user name and password of the administrator of the UPCC Web UI are admin and
huawei respectively.
4. Click Login.
Step 3 Add a quota.
1. In the navigation tree, choose Service Management > Service > Quota.
2. Figure 6-170 shows the configuration page.
When Object Attribute is selected, set Object to Quota and click QuotaStatus. Then click OK.
Refer to Figure 6-172.
3. In the navigation tree, choose Policy Management > Policy > Action Group.
4. Configure action QoSAction for action group action_normal, and then define the
bandwidth control policy, as shown in Figure 6-178.
NOTE
Although the QCI is mandatory, it is not used in this service; you only need to set a value. For details, refer
to the product document of the UPCC.
For the action of the QoSAction type, MBRUL and MBRDL are set to 1024 and 2048
respectively. That is, upstream and downstream bandwidths for this action group are 1024
kbit/s and 2048 kbit/s. Other action elements do not need configuring.
5. Configure action GxProtoClassifierName for action group action_normal, and specify
the flow classification number, as shown in Figure 6-179.
NOTE
The number of the predefined flow classification Total can be viewed in the following way:
a. Log in to the Back End of the SIG.
b. In the navigation tree, choose Basic Configuration > Flow Classification Management > Flow
Classification Configuration.
6. Add action groups action-level1, action-level2, and action-exhaust according to previous
steps. Each action group defines the bandwidth control policy, and specifies the flow
classification number for each quota level.
When the quota is exhausted, users' HTTP access is redirected. You need to add another
action, namely, Redirection, to action group action-exhaust. Figure 6-180 shows the
configuration page.
The configurations of rules rule-level1, rule-level2, and rule-exhaust are consistent with
that of rule rule-normal. Condition groups bound to previous three rules are condition-
level1, condition-level2, and condition-exhaust; their bound action groups are action-
level1, action-level2, and action-exhaust.
Step 7 Add policies.
1. In the navigation tree, choose Policy Management > Policy > Policy.
2. Add policy policy_ipcan. Figure 6-182 shows the configuration page.
4. Click OK.
----End
Prerequisites
Requirements are as follows:
• The connection of the SIG to the UPCC is commissioned. For details, see Connecting the
Front End to the PCRF, Connecting the PCRF to the Front End, and Commissioning
the Connection to the PCRF in HUAWEI SIG9800 Service Inspection Gateway
Commissioning Guide.
• 4.2 Configuring the Subscriber is complete, and the account of the subscriber (the target
user) to be managed is 460100000000022.
• The current user has the Value-added Service service permission.
• The current user has the permission to operate the UPCC.
NOTE
To learn more about the UPCC, refer to related technical documents provided by the corresponding vendor.
Requirement Description
The SIG interworks with the UPCC, and the FUP service is required. Figure 6-186 shows the
networking.
[Figure 6-186: networking diagram. Elements: user 460100000000022, SGSN, GGSN, PCEF (Front End) in the DPI system, RADIUS server, PCRF (RM9000). Labelled links: RADIUS packet, Gx, Gi.]
Requirements of the FUP service for P2P and VoIP traffic are as follows:
• The target user employs the quota by month; the settlement is in reset mode; the settlement
time is 00:00 on the first day of each month.
• If the total quota is 1024000 KB, the requirements on bandwidth control are as follows:
– When quota consumption is less than 40% of the total quota, upstream and downstream
bandwidths are limited to 1024 kbit/s and 2048 kbit/s respectively.
– When quota consumption exceeds 40% of the total quota, upstream and downstream
bandwidths are limited to 512 kbit/s and 1024 kbit/s respectively.
– When quota consumption exceeds 80% of the total quota, upstream and downstream
bandwidths are limited to 256 kbit/s and 512 kbit/s respectively.
– When quota consumption exceeds 100% of the total quota, both upstream and
downstream bandwidths are limited to 64 kbit/s; when quotas are used up, users' HTTP
access is redirected to the Web site of the carrier, and users are reminded of recharge.
Figure 6-187 shows the relation between configuration objects in the FUP service.
[Figure 6-187 content, recovered labels:
Policy 2: policy_fup, quota status change trigger (UsageStatusChange)
Each rule binds an action group that carries a traffic control policy for the P2P and VoIP traffic and a flow classification:
action-normal: Upstream: 1024 kbit/s; Downstream: 2048 kbit/s; flow classification p2p_voip
action-level1: Upstream: 512 kbit/s; Downstream: 1024 kbit/s; flow classification p2p_voip
action-level2: Upstream: 256 kbit/s; Downstream: 1024 kbit/s; flow classification p2p_voip
action-exhaust: Upstream: 64 kbit/s; Downstream: 64 kbit/s; flow classification p2p_voip]
Suppose that the user subscribes to service service_fup, and the service has service quota
quota_fup.
Service service_fup includes two policies:
• Policy policy_ipcan: When a user is activated on accessing the mobile data network, the
rule in the policy that matches the current quota status becomes the current control policy
of the user. For example, if the quota usage of the current online user is less than 40% of
the total quota, rule rule-normal is employed, and the upstream and downstream bandwidths
of the P2P and VoIP traffic are limited to 1024 kbit/s and 2048 kbit/s respectively.
• Policy policy_fup: defines the quota status-based policy control. When the quota status
changes, the control policy is switched to the one corresponding to the new quota status.
The following rules need defining:
Rule | Condition | Action
rule-normal | Accumulated traffic quota usage within a month < 40% of the total quota | The maximum uplink bandwidth is 1024 kbit/s, and the maximum downlink bandwidth is 2048 kbit/s.
rule-exhaust | 100% of the total quota ≤ Accumulated quota usage within a month | Both the maximum uplink and downlink bandwidths are 64 kbit/s.
Data Planning
You can click the following links to view the data planning of main parameters:
• Table 6-45 shows the data planning of quota quota_fup.
• Table 6-46 shows the data planning of policy policy_ipcan.
• Table 6-47 shows the data planning of policy policy_fup.
• Table 6-48 shows the data planning of service service_fup.
• Table 6-49 shows the data planning of user 460100000000022.
Monitor Key: 3
Value(KB): 1000000
CAUTION
In the UPCC, 1 KB=1024 bytes. The UPCC delivers traffic to the Front
End, in bytes. When the quota value on the UPCC is set to 1,000,000 KB,
the traffic of 1024 x 1,000,000 bytes is delivered from the UPCC to the
Front End.
However, on the SIG, 1 KB=1000 bytes. That is, the SIG actually receives
1,024,000 KB traffic.
Slice(%): 5
Description: -
Level2: 80
Exhaust: 100
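The tier boundaries of the FUP rules and the KB mismatch described in the CAUTION can be checked together. The following Python sketch is an added example, not code from the UPCC or the SIG; the status labels and the Session model are assumptions, and it applies to both FUP examples (total traffic, and P2P and VoIP traffic) because they share the same quota planning.

```python
from dataclasses import dataclass, field

UPCC_KB = 1024  # bytes per KB on the UPCC (from the CAUTION)
SIG_KB = 1000   # bytes per KB on the SIG (from the CAUTION)

# (lower bound in % of total quota, assumed status label, rule, MBR UL, MBR DL in kbit/s)
TIERS = [
    (0, "normal", "rule-normal", 1024, 2048),
    (40, "level1", "rule-level1", 512, 1024),
    (80, "level2", "rule-level2", 256, 512),
    (100, "exhaust", "rule-exhaust", 64, 64),
]


def upcc_quota_bytes(value_kb):
    """Bytes the UPCC delivers to the Front End for a quota entered in UPCC KB."""
    return value_kb * UPCC_KB


def sig_kb(num_bytes):
    """The same volume expressed in SIG KB (1 KB = 1000 bytes)."""
    return num_bytes // SIG_KB


def select_tier(used_bytes, total_bytes):
    """Return the tier whose range contains the usage; lower bounds are inclusive."""
    current = TIERS[0]
    for tier in TIERS:
        # Integer comparison avoids float rounding exactly at 40/80/100 %.
        if used_bytes * 100 >= tier[0] * total_bytes:
            current = tier
    return current


@dataclass
class Session:
    """One subscriber under policy_ipcan and policy_fup (hypothetical model)."""
    total_bytes: int
    used_bytes: int = 0
    events: list = field(default_factory=list)

    def establish(self):
        # policy_ipcan, trigger IPCANSessionEstablish: pick the rule for the current status.
        tier = select_tier(self.used_bytes, self.total_bytes)
        self.events.append(("IPCANSessionEstablish", tier[2]))
        return tier

    def report_usage(self, delta_bytes):
        # policy_fup, trigger UsageStatusChange: fires only when the status changes.
        before = select_tier(self.used_bytes, self.total_bytes)
        self.used_bytes += delta_bytes
        after = select_tier(self.used_bytes, self.total_bytes)
        if after[1] != before[1]:
            self.events.append(("UsageStatusChange", after[2]))
        return after

    def monthly_reset(self):
        # Settlement in reset mode at 00:00 on the first day of each month.
        return self.report_usage(-self.used_bytes)
```

Planning thresholds against 1,000,000 SIG KB instead of the 1,024,000 SIG KB actually delivered moves the 40% boundary by 9,600 SIG KB, so a subscriber at 405,000 SIG KB is still on rule-normal.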
Name policy_ipcan
Trigger IPCANSessionEstablish
The triggering condition is the CCR_Initial Request message
on the Gx interface. It is applicable to the scenario where users
access the mobile data network.
Description -
Rule rule-normal
rule-level1
rule-level2
rule-exhaust
Name policy_fup
Trigger UsageStatusChange
The triggering condition is the change of the quota status, and
the application scenario is the quota status-based policy control.
Description -
Rule rule-normal
rule-level1
rule-level2
rule-exhaust
Type: VALUE_ADDED_SERVICE
APN: -
VPN: -
SP: default1
Account: -
Is Meter To Basic: No
Precedence: 0
Description: -
Policy policy_ipcan
policy_fup
Quota quota_fup
NOTE
Is Meter To Basic and QoS Mode are irrelevant to this service. For details, refer to the product manual
of the UPCC.
Subscriber ID 460100000000022
MSISDN 8613810000022
Service service_fup
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 Add a flow class.
1. In the navigation tree, choose Basic Configuration > Flow Classification Management
> Flow Classification Configuration.
2. Click Add.
3. Enter p2p_voip in Name.
4. Click Add and select the predefined flow classification items P2P and VoIP.
5. Click OK and Close.
NOTE
After the flow class is added, the system automatically generates flow classification ID 1, which is required
during the adding of the action group.
This step is optional, but it is mandatory when you log in to the UPCC Web UI through a client
for the first time.
b. Confirm the security alarm, and then click Yes, as shown in Figure 6-189.
3. Enter values in User Name, Password, and Verify Code, as shown in Figure 6-190.
NOTE
The default user name and password of the administrator of the UPCC Web UI are admin and
huawei respectively.
4. Click Login.
Step 4 Add a quota.
1. In the navigation tree, choose Service Management > Service > Quota.
2. Figure 6-191 shows the configuration page.
When Object Attribute is selected, set Object to Quota and click QuotaStatus. Then click OK.
Refer to Figure 6-193.
3. In the navigation tree, choose Policy Management > Policy > Action Group.
4. Configure action QoSAction for action group action_normal, and then define the
bandwidth control policy, as shown in Figure 6-199.
NOTE
Although the QCI is mandatory, it is not used in this service; you only need to set a value. For details, refer
to the product document of the UPCC.
For the action of the QoSAction type, MBRUL and MBRDL are set to 1024 and 2048
respectively. That is, upstream and downstream bandwidths for this action group are 1024
kbit/s and 2048 kbit/s. Other action elements do not need configuring.
5. Configure action ChargingAction for action group action_normal, and then define the
rating group and reporting level, as shown in Figure 6-200.
The configurations of rules rule-level1, rule-level2, and rule-exhaust are consistent with
that of rule rule-normal. Condition groups bound to previous three rules are condition-
level1, condition-level2, and condition-exhaust; their bound action groups are action-
level1, action-level2, and action-exhaust.
Step 8 Add policies.
1. In the navigation tree, choose Policy Management > Policy > Policy.
2. Add policy policy_ipcan. Figure 6-204 shows the configuration page.
4. Click OK.
----End
Prerequisites
Requirements are as follows:
• The current user has the service permission to adjust users' surplus quotas.
• The target user whose quota is to be adjusted is configured and the FUP policy is applied.
Additionally, the target user already consumes certain traffic.
Procedure
Step 1 Log in to the UPCC Web UI.
Step 2 In the navigation tree, choose Subscriber Management > Subscriber > Subscriber.
Step 3 Select the user whose surplus quota needs adjusting, and click Quota.
Figure 6-208 shows the configuration interface.
Step 4 Click Clear Balance and Reset Balance on the Subscriber Quota interface to adjust the surplus
quota.
----End
7 Charging Service
With the charging service, the SIG can identify the charging service of the protocol/application
type, so that users can adopt different charging policies for various service types. Thus, carriers
are provided with refined charging.
Typical Networking
Figure 7-1 shows the typical networking of the charging service.
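[Figure 7-1: typical networking of the charging service. Elements: SGSN, GGSN, PCEF (Front End) in the DPI system, Back End, RADIUS server, PCRF, OCS, CG, IP/MPLS network with Video, Streaming, Voice, and VoIP services. Labelled links: RADIUS packet, Gx, Gy, Ga/Gz, Gi.]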
NOTE
The RADIUS proxy server on the Back End of the SIG system (which is the DPI system in the figure) can
obtain account information in Carbon Copy (CC), listen, proxy, or sniffer mode (the figure shows the CC
mode). In this scenario, the Front End, that is, the DPI device, acts as the PCEF.
To enable offline charging when no CG is available, the Front End of the SIG sends CDRs to the back-end
Charging Data Record File Server (CFS). The CFS generates CDR files, saves them to the local server
where the CFS resides, and connects to the Billing System (BS) through an FTP interface.
Charging Modes
The SIG supports the following charging modes:
• Online charging
Online charging affects users' access to services in real time. Therefore, this mechanism
needs to directly interact with resource usage. Prepaid users adopt online charging to surf
the Internet. That is, users apply for quotas first and then access network resources.
When online charging users initiate data services, the Online Charging System (OCS)
determines whether to allow users to perform the packet data service (based on user
information and account balances). It traces the usage of purchased resources (time and
traffic) and deducts the current usage expense from the account balance in real time. When
the account balance or credit is insufficient or exhausted, the service is disabled or the
related prompt is displayed.
To be brief, online charging controls users' credits. If the OCS supports Charging Data
Record (CDR) exporting, the CDR can be exported to the BS for charging.
• Offline charging
Offline charging does not affect users' access to services in real time.
The Front End of the SIG generates the CDR and then sends it to the Charging Gateway
(CG) through the Ga/Gz interface. After being processed by the CG, the CDR is sent to the
BS for charging.
The following types are available for triggering the Front End of the SIG to generate the
CDR:
7.2.1 Overview
To configure the charging service, you need to learn the related concepts of the charging service.
• Charging by service
The Deep Packet Inspection (DPI) technology of the SIG can classify services. Carriers
charge users based on services, thus implementing refined operation.
For example, compared with Web page browsing, the Video On Demand (VOD) service
consumes relatively heavy data traffic, and thus should be charged at a lower rate.
Therefore, the charge rate for P2P traffic is $0.5/MB, and that for HTTP traffic is $1/MB.
• Charging by total traffic
To charge the traffic of all services in a unified way, you need to select total traffic-based
charging.
• Charging by traffic
Due to the insufficient resources and the low transmission rates of wireless data services,
users are charged by the volume of transmitted data.
For example, a mobile phone user subscribes to the 20 MB traffic service monthly.
• Charging by duration
For the traditional charging by duration, users can preliminarily estimate online fees
according to their own online duration.
For example, a mobile phone user subscribes to the Prepaid Service (PPS) of total 80 hours
monthly.
Online charging also supports charging by time segment, charging redirection, and the alarm
and charging whitelist.
• Charging by time segment
Charging rates vary with the online time segment of users.
For example, when the time segment ranges from 20:00 to 23:00 (the network is busy or
lots of bandwidths are occupied), the relatively high charge rate is adopted; during other
time segments (the network is relatively idle), the relatively low charge rate is adopted. In
this way, users are encouraged to avoid traffic peaks on the network, which not only saves
the network bandwidth in rush hours, but also increases bandwidth usage in the idle time
period.
NOTE
By configuring the OCS, you can adopt differentiated charge rates for different time segments.
• Charging Redirection
– Redirection upon the last slice of the quota
When the SIG is connected to the OCS, the SIG reports users' quota usage to the OCS.
If a user requests the last slice of the quota, the OCS delivers the redirection URL to the
Front End of the SIG through Final Usage Indication (FUI).
– Charging redirection
When carriers use their own OCS for charging, and use the SIG only for charging
redirection, the RADIUS server copies RADIUS packets (including user information)
to the RADIUS proxy server on the Back End of the SIG to obtain the status of the user,
namely, whether the credit is inadequate or exhausted.
The SIG redirects the user's HTTP access to the alarm Web site, and notifies the user of
recharging. Users who have recharged can continue to access network resources. If users
have not recharged, the SIG prevents them from accessing network resources.
The SIG redirects only HTTP and WAP1.X traffic to the alarm Web site.
The SIG does not charge for the traffic generated by the access to the alarm Web site.
• Alarm and Charging Whitelist
– You can add some Web sites to the alarm and charging whitelist. When the user's credit
is inadequate or exhausted, the user can still access URLs in the whitelist normally and
is not redirected to the alarm Web site.
– To exempt some Web sites (such as the recharge Web site) from charging, add the URLs
to the alarm and charging whitelist.
The alarm and charging whitelist supports blurry matching. For example, if you add http://
www.example.com/news to the alarm whitelist, the user is neither redirected to the alarm
Web site nor charged when accessing the subdirectories (such as http://www.example.com/
news/sports) of http://www.example.com/news.
NOTE
The alarm and charging whitelist is a global configuration. To exempt some users of a Web site from
charging, add this Web site to the user-defined protocols, and then configure differentiated actions
for users.
On the SIG, you can add only the HTTP URLs to the alarm and charging whitelist.
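Because the whitelist is global and every match is exempt from both redirection and charging, it helps to review how much each planned entry covers before adding it. The following Python sketch is an added example, not the SIG's matching code; the guide does not specify how blurry matching treats path boundaries, so the segment-aware comparison and the audit findings are assumptions.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample entry, taken from the guide's own example URL.
WHITELIST = ["http://www.example.com/news"]


def canonical(url):
    """Return (host, port, path segments) for an HTTP URL, or raise ValueError."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "http" or not parts.hostname:
        raise ValueError("only HTTP URLs can be whitelisted on the SIG")
    segments = []
    for seg in unquote(parts.path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            # Resolve parent references so /news/../x is compared as /x.
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return parts.hostname.lower(), parts.port or 80, segments


def covers(entry, url):
    """True if url is the whitelisted location or lies in one of its subdirectories."""
    try:
        e_host, e_port, e_path = canonical(entry)
        u_host, u_port, u_path = canonical(url)
    except ValueError:
        return False
    # Host and port must be equal; the path is compared segment by segment,
    # so /news covers /news/sports but not /newsletter.
    return (e_host, e_port) == (u_host, u_port) and u_path[:len(e_path)] == e_path


def is_exempt(url, whitelist):
    """True if any whitelist entry covers the requested URL."""
    return any(covers(entry, url) for entry in whitelist)


def audit_entry(entry):
    """Return findings for a planned whitelist entry (an empty list means none)."""
    try:
        _, _, path = canonical(entry)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if not path:
        findings.append("host-only entry: every URL on this host is exempt")
    if "?" in entry or "#" in entry:
        findings.append("query string or fragment is ignored by this matcher")
    return findings
```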
For example, charging by the combination of the service, traffic, time duration, and time
segment, as shown in Figure 7-2.
Figure 7-2 Charging by the combination of the service, traffic, time duration, and time segment
[Figure content: a timeline split at 19:00 into normal hours ($0.5/min) and busy hours ($1.5/min); services shown: P2P downloading, online video, network chatting, online game; states: online, offline.]
• Post payment
• Offline charging in the case of online charging faults
• Both online charging and offline charging. No charging is performed on specified URLs,
and the IP addresses and ports of servers.
When a user accesses certain URLs or servers, offline charging instead of online charging
is performed (certain traffic is already charged in other systems). Then the CDR is
generated, thus facilitating the CDR check.
For example, when the quota credit of a user is exhausted, the access page is redirected to
the recharge page. Thus, no charging is performed on the traffic.
• Quota
Indicates the traffic/duration allowed by carriers.
[Configuration flowchart, recovered labels: Add a rule; Add a policy; decision "Online charging?". Yes: on the OCS, configure the quota and charge rate, then configure the redirection URL. No: on the BS, configure a charge rate. End.]
Action: Add the flow class
Description: Add the flow class manually when the predefined ones are insufficient.
Operation location: Front End of the SIG.
Action: Add services bound to the policy item
Description: Add services bound to the policy item manually when the predefined
services bound to the policy item are insufficient.
Operation location: Back-end UI of the SIG. In the navigation tree,
choose Basic Configuration > Flow Classification Management >
Flow Classification Configuration.
Action: Add the rating group and service ID
Description: In the online charging service, the rating group ID and service ID serve
only as bridges.
Through the adding of the charging policy package, a rating group ID
and service ID can be bound to the flow class (such as HTTP or P2P).
Then the charge rate of the rating group is specified for charging.
Operation location: Back-end UI of the SIG.
• In the navigation tree, choose Value-added Service > Application
Charging > Application Mapping > Rating Group Management.
• In the navigation tree, choose Value-added Service > Application
Charging > Application Mapping > Service ID Management.
Action: Add a charging policy package
Description: A charging policy package can include one or multiple configuration
items.
Operation location: Back-end UI of the SIG. In the navigation tree,
choose Value-added Service > Application Charging > Charging
> Charging Policy Package Management.
Action: Add a rule
Description: A rule is required during the configuration of the policy. Configuring
a rule is to bind the configured charging policy. The ID of the charging
policy package is required during the adding of a rule.
Since the charging policy package is already configured on the Back
End of the SIG, you need to select Predefined.
Operation location: UPCC Web UI. In the navigation tree, choose
Policy Management > Policy > Rule.
Action: Add a policy
Description: A policy is required during the service configuration. Each policy
comprises one trigger and multiple rules.
Operation location: UPCC Web UI. In the navigation tree, choose
Policy Management > Policy > Policy.
Action: Add a charging server
Description: The UPCC notifies the SAS on the Front End of the SIG to request
quotas from the charging server.
Operation location: UPCC Web UI. In the navigation tree, choose
Subscriber Management > Subscriber > Charging Server.
Action: Add the user and user group
Description: Bind the user group to the configured charging service, and add users
to the user group.
Operation location: UPCC Web UI.
• In the navigation tree, choose Subscriber Management >
Subscriber > Subscriber.
• In the navigation tree, choose Subscriber Management >
Subscriber > Subscriber Group.
Action: Configure the quota and charge rate
Description: It is required for online charging. The system collects statistics on
traffic by rating group. Therefore, you need to configure the charge
rate for each rating group.
Operation location: OCS.
Action: Configure the redirection URL
Description: It is required when online charging is adopted and the OCS delivers
the redirection URL to the SIG.
Operation location: OCS.
Action: Configure the charge rate
Description: It is required for offline charging. The system collects statistics on
traffic by rating group. Therefore, you need to configure the charge
rate for each rating group.
Operation location: BS.
Prerequisites
Requirements are as follows:
• The connections of the SIG to the UPCC and OCS are commissioned. For details, see
Connecting the Front End to the PCRF, Connecting the PCRF to the Front End,
Commissioning the Connection to the PCRF, and Connecting to the OCS in
HUAWEI SIG9800 Service Inspection Gateway Commissioning Guide respectively.
• 4.2 Configuring the Subscriber is complete, and the account of the subscriber to be
managed is 460100000000022.
• The current user has the Value-added Service service permission.
• The current user has the permission to operate the UPCC and OCS.
NOTE
To learn more about the UPCC and OCS, refer to related technical documents provided by respective vendors.
Requirement Description
The carrier needs to enable online charging. Figure 7-4 shows the networking.
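[Figure 7-4: networking diagram. Elements: user 460100000000022, SGSN, GGSN, PCEF (Front End) in the DPI system, RADIUS server, PCRF (UPCC), OCS, IP/MPLS network with Video, Streaming, Voice, and VoIP services. Labelled links: RADIUS packet, Gx, Gy, Gi.]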
The quota and charge rate for each user are as follows:
• The amount of a user account is $100.
• The traffic quota requested from the OCS each time is 256 KB.
• The charge rate for P2P and Video traffic is $0.1/MB.
• The charge rate for Web_Browsing traffic is $0.05/MB.
• The charge rate for other traffic is $0.2/MB.
• When a user requests the last slice of the quota, the OCS delivers the redirection URL to
the Front End of the SIG, the SIG redirects the user's HTTP access, and the user is reminded
to recharge. After recharging, the user can continue to access network resources;
otherwise, the SIG blocks the user's access to network resources.
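The slice-by-slice exchange these requirements imply can be traced with a small model. The following Python sketch is an added example, not code from the SIG, the UPCC, or any OCS; the rating-group names, the redirect URL, the choice of 1 MB = 1024 x 1024 bytes, and an OCS that deducts on each usage report are all assumptions.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional

MB = 1024 * 1024          # assumption: the guide does not state which MB the rates use
SLICE_BYTES = 256 * 1024  # traffic quota requested from the OCS each time (256 KB)
RATES = {                 # dollars per MB from the requirement list; names are placeholders
    "p2p_video": Fraction(1, 10),
    "web_browsing": Fraction(1, 20),
    "other": Fraction(1, 5),
}
REDIRECT_URL = "http://recharge.example.test/"  # constructed placeholder


@dataclass
class Grant:
    granted_bytes: int
    final: bool                  # last slice: the answer carries the FUI
    redirect_url: Optional[str]  # delivered only together with the final indication


class OCS:
    """Minimal online charging model with exact arithmetic on the balance."""

    def __init__(self, balance):
        self.balance = Fraction(balance)

    def credit_control(self, rating_group, used_bytes=0):
        per_byte = RATES[rating_group] / MB
        self.balance -= per_byte * used_bytes             # rate the reported usage
        affordable = max(int(self.balance / per_byte), 0)  # whole bytes still covered
        final = affordable <= SLICE_BYTES                 # nothing left after this slice
        return Grant(min(SLICE_BYTES, affordable), final,
                     REDIRECT_URL if final else None)

    def recharge(self, amount):
        self.balance += Fraction(amount)


def front_end_session(ocs, rating_group, demand_bytes):
    """Front End side: return (bytes delivered, slices used, redirect URL or None)."""
    delivered = slices = used = 0
    while True:
        # Report the usage of the previous slice and request the next one.
        grant = ocs.credit_control(rating_group, used)
        if delivered == demand_bytes:
            return delivered, slices, None
        if grant.granted_bytes == 0:
            return delivered, slices, grant.redirect_url   # access stays blocked
        used = min(grant.granted_bytes, demand_bytes - delivered)
        delivered += used
        slices += 1
        if grant.final and used == grant.granted_bytes:
            ocs.credit_control(rating_group, used)         # report the last slice
            return delivered, slices, grant.redirect_url   # HTTP access is redirected
```

With the planned $100 account and only P2P and Video traffic at $0.1/MB, the model grants 4000 slices; the 4000th carries the final indication and the redirection URL.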
Figure 7-5 shows the relation between configuration objects in the charging service.
Suppose that all users in user group group subscribe to service service.
Data Planning
You can click the following links to view the data planning of main parameters:
Name policy
Trigger IPCANSessionEstablish
The triggering condition is the CCR_Initial Request message
on the Gx interface. It is applicable to the scenario where users
access the mobile data network.
Description -
Type: Predefined
Type: VALUE_ADDED_SERVICE
APN: -
VPN: -
SP: default1
Account: -
Is Meter To Basic: No
Preference: 0
Description: -
Policy policy
NOTE
Is Meter To Basic and QoS Mode are irrelevant to this service. For details, refer to the product manual
of the UPCC.
Type: Dynamic
Precedence: 10
Service service
Procedure
Step 1 Log in to the Front End of the SIG.
6. Click OK.
7. Click Add, add policy item item2.
8. Click OK.
9. Click Add, add policy item item3.
NOTE
The policy package code is required during the adding of the rule.
This step is optional, but it is mandatory when you log in to the UPCC Web UI through a client
for the first time.
b. Confirm the security alarm, and then click Yes, as shown in Figure 7-10.
3. Enter values in User Name, Password, and Verify Code, as shown in Figure 7-11.
NOTE
The default user name and password of the administrator of the UPCC Web UI are admin and
huawei respectively.
4. Click Login.
2. Add rule rule and bind it to the configured charging policy package. Figure 7-12 shows
the configuration interface.
----End
Prerequisites
Requirements are as follows:
• The connections of the SIG to the UPCC and OCS are commissioned. For details, see
Connecting the Front End to the PCRF, Connecting the PCRF to the Front End,
Commissioning the Connection to the PCRF, and Connecting to the OCS in
HUAWEI SIG9800 Service Inspection Gateway Commissioning Guide respectively.
• 4.2 Configuring the Subscriber is complete, and the account of the subscriber to be
managed is 460100000000022.
• The current user has the Value-added Service service permission.
• The current user has the permission to operate the UPCC and OCS.
NOTE
To learn more about the UPCC and OCS, refer to related technical documents provided by respective vendors.
Requirement Description
The carrier needs to enable online charging. Figure 7-17 shows the networking.
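[Figure 7-17: networking diagram. Elements: user 460100000000022, SGSN, GGSN, PCEF (Front End) in the DPI system, RADIUS server, PCRF (UPCC), OCS, IP/MPLS network with Video, Streaming, Voice, and VoIP services. Labelled links: RADIUS packet, Gx, Gy, Gi.]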
The quota and charge rate for each user are as follows:
Figure 7-18 shows the relation between configuration objects in the charging service.
Suppose that all users in user group group subscribe to service service.
Data Planning
See Data Planning in 7.2.3 Typical Configuration Example 1 (Online Charging by
Traffic).
Procedure
Step 1 Log in to the Front End of the SIG.
6. Click OK.
7. Click Add, add policy item item2.
Figure 7-20 shows how to configure policy item item2.
8. Click OK.
9. Click Add, add policy item item3.
Figure 7-21 shows how to configure policy item item3.
The policy package code is required during the adding of the rule.
This step is optional, but it is mandatory when you log in to the UPCC Web UI through a client
for the first time.
b. Confirm the security alarm, and then click Yes, as shown in Figure 7-23.
3. Enter values in User Name, Password, and Verify Code, as shown in Figure 7-24.
NOTE
The default user name and password of the administrator of the UPCC Web UI are admin and
huawei respectively.
4. Click Login.
Step 8 Add a rule.
1. In the navigation tree, choose Policy Management > Policy > Rule.
2. Add rule rule and bind it to the configured charging policy package. Figure 7-25 shows
the configuration interface.
----End
Prerequisites
Requirements are as follows:
• The connections of the SIG to the UPCC and OCS are commissioned. For details, see
Connecting the Front End to the PCRF, Connecting the PCRF to the Front End,
Commissioning the Connection to the PCRF, and Connecting to the OCS in
HUAWEI SIG9800 Service Inspection Gateway Commissioning Guide respectively.
• 4.2 Configuring the Subscriber is complete, and the account of the subscriber to be
managed is 460100000000022.
• The current user has the Value-added Service service permission.
• The current user has the permission to operate the UPCC and OCS.
NOTE
To learn more about the UPCC and OCS, refer to related technical documents provided by respective vendors.
Requirement Description
The carrier needs to enable online charging. Figure 7-30 shows the networking.
[Figure 7-30 (networking diagram). Labels: RADIUS Server, PCRF (UPCC), OCS, Gx, Gy, RADIUS Packet, Gi, IP/MPLS, SGSN, GGSN, PCEF (Front End), DPI System, User: 460100000000022; traffic types: Video, Streaming, Voice, VoIP.]
The quota and charge rate for each user are as follows:
• The amount of a user account is $100.
• The traffic quota requested from the OCS each time is 256 KB, and the time quota requested
each time is 30 seconds.
• The charge rate for P2P and Video traffic is $0.1/MB.
• The charge rate for Web_Browsing traffic is $0.05/minute.
• The charge rate for other traffic is $0.2/minute.
• When a user requests the last slice of the quota, the OCS delivers the redirection URL to
the Front End of the SIG, the SIG redirects the user's HTTP access, and the user is reminded
to recharge. If the user recharges, the user can continue to access network resources;
otherwise, the SIG blocks the user's access to network resources.
Figure 7-31 shows the relation between configuration objects in the charging service.
Suppose that all users in user group group subscribe to service service.
Data Planning
See Data Planning in 7.2.3 Typical Configuration Example 1 (Online Charging by
Traffic).
Procedure
Step 1 Log in to the Front End of the SIG.
Step 2 Configure basic information.
Set the quota control mode for online charging to distributed.
[Sysname-dpi-charge-view] online-charging quota-control-mode decentralization
[Sysname-dpi-charge-view] quit
6. Click OK.
7. Click Add, add policy item item2.
Figure 7-33 shows how to configure policy item item2.
8. Click OK.
9. Click Add, add policy item item3.
Figure 7-34 shows how to configure policy item item3.
The policy package code is required during the adding of the rule.
This step is optional, but mandatory if you need to log in to the UPCC Web UI through only a client
for the first time.
b. Confirm the security alarm, and then click Yes, as shown in Figure 7-36.
3. Enter values in User Name, Password, and Verify Code, as shown in Figure 7-37.
NOTE
The default user name and password of the administrator of the UPCC Web UI are admin and
huawei respectively.
4. Click Login.
Step 8 Add a rule.
1. In the navigation tree, choose Policy Management > Policy > Rule.
2. Add rule rule and bind it to the configured charging policy package. Figure 7-38 shows
the configuration interface.
----End
Prerequisites
Requirements are as follows:
• The connections of the SIG to the UPCC and OCS are commissioned. For details, see
Connecting the Front End to the PCRF, Connecting the PCRF to the Front End,
Commissioning the Connection to the PCRF, and Connecting to the OCS in
HUAWEI SIG9800 Service Inspection Gateway Commissioning Guide respectively.
• 4.2 Configuring the Subscriber is complete, and the account of the subscriber to be
managed is 460100000000022.
• The current user has the Value-added Service service permission.
• The current user has the permission to operate the UPCC and OCS.
NOTE
To learn more about the UPCC and OCS, refer to related technical documents provided by respective vendors.
Requirement Description
The carrier needs to enable online charging. Figure 7-43 shows the networking.
[Figure 7-43 (networking diagram). Labels: Gx, Gy, RADIUS Packet, Gi, IP/MPLS, SGSN1, SGSN2, GGSN, PCEF (Front End), DPI System, User: 460100000000022; traffic types: Video, Streaming, Voice, VoIP.]
The quota and charge rate for each user are as follows:
Figure 7-44 shows the relation between configuration objects in the charging service.
Suppose that all users in user group group subscribe to service service.
Data Planning
See Data Planning in 7.2.3 Typical Configuration Example 1 (Online Charging by
Traffic).
Procedure
Step 1 Log in to the Front End of the SIG.
Step 2 Configure basic information.
Set the quota control mode for online charging to distributed.
[Sysname-dpi-charge-view] online-charging quota-control-mode decentralization
[Sysname-dpi-charge-view] quit
The policy package code is required during the adding of the rule.
3. Add charging policy package charge2.
a. Click Add.
b. Set Policy Package Code to 8:200002, set Name to charge2. Then click Save.
c. Select Charging from Item Type, and click Add.
d. Set the parameters of policy item item1 in the dialog box that is displayed. Figure
7-46 shows parameter settings.
The policy package code is required during the adding of the rule.
This step is optional, but mandatory if you need to log in to the UPCC Web UI through only a client
for the first time.
a. Select the digital certificate, and then click OK, as shown in Figure 7-47.
b. Confirm the security alarm, and then click Yes, as shown in Figure 7-48.
3. Enter values in User Name, Password, and Verify Code, as shown in Figure 7-49.
NOTE
The default user name and password of the administrator of the UPCC Web UI are admin and
huawei respectively.
4. Click Login.
Step 7 Add rules.
1. In the navigation tree, choose Policy Management > Policy > Rule.
2. Add rule rule1 adopted before the SGSN change, and bind the rule to policy package
charge1. Figure 7-50 shows the configuration interface.
3. Add rule rule2 adopted after the SGSN change, and bind the rule to policy package
charge2. Figure 7-51 shows the configuration interface.
3. Add policy policy2 (including rule rule2) adopted after the SGSN change. Figure 7-53
shows the configuration interface.
----End
Prerequisites
Requirements are as follows:
• The connections of the SIG to the UPCC and OCS are commissioned. For details, see
Connecting the Front End to the PCRF, Connecting the PCRF to the Front End,
Commissioning the Connection to the PCRF, and Connecting to the OCS in
HUAWEI SIG9800 Service Inspection Gateway Commissioning Guide respectively.
• 4.2 Configuring the Subscriber is complete, and the account of the subscriber to be
managed is 460100000000022.
• The current user has the Value-added Service service permission.
• The current user has the permission to operate the UPCC and OCS.
NOTE
To learn more about the UPCC and OCS, refer to related technical documents provided by respective vendors.
Requirement Description
The carrier needs to enable online charging. Figure 7-57 shows the networking.
[Figure 7-57 (networking diagram). Labels: RADIUS Server, PCRF (UPCC), OCS, Gx, Gy, RADIUS Packet, Gi, IP/MPLS, SGSN, GGSN, PCEF (Front End), DPI System, User: 460100000000022; traffic types: Video, Streaming, Voice, VoIP.]
The quota and charge rate for each user are as follows:
• The amount of a user account is $100.
• The traffic quota requested from the OCS each time is 256 KB.
• P2P traffic and Video traffic are not charged.
• The access traffic of certain Web sites such as www.huawei.com is not charged.
• The charge rate for other traffic is $0.1/MB.
Figure 7-58 shows the relation between configuration objects in the charging service.
Procedure
Step 1 Log in to the Front End of the SIG.
CAUTION
If a website has multiple domain names, you must add all the domain names
as keywords.
c. Click OK.
d. In the navigation tree, choose Basic Configuration > Flow Classification
Management > Flow Classification Configuration.
e. Click Add.
f. Enter websites in Name.
g. Click Add and select the flow classification item websites.
h. Choose OK and OK.
3. Add flow classification p2p_video.
a. In the navigation tree, choose Basic Configuration > Flow Classification
Management > Flow Classification Configuration.
b. Click Add.
6. Click OK.
7. Click Add, add the policy item item2.
8. Click OK.
9. Click Add, add the policy item item3.
NOTE
The policy package code is required during the adding of the rule.
This step is optional, but mandatory if you need to log in to the UPCC Web UI through only a client
for the first time.
b. Confirm the security alarm, and then click Yes, as shown in Figure 7-65.
3. Enter values in User Name, Password, and Verify Code, as shown in Figure 7-66.
NOTE
The default user name and password of the administrator of the UPCC Web UI are admin and
huawei respectively.
4. Click Login.
2. Add rule rule and bind it to the configured charging policy package. Figure 7-67 shows
the configuration interface.
----End
Prerequisites
Requirements are as follows:
• The connections of the SIG to the UPCC and OCS are commissioned. For details, see
Connecting the Front End to the PCRF, Connecting the PCRF to the Front End,
Commissioning the Connection to the PCRF, and Connecting to the OCS in
HUAWEI SIG9800 Service Inspection Gateway Commissioning Guide respectively.
• 4.2 Configuring the Subscriber is complete.
• The current user has the Value-added Service service permission.
• The current user has the permission to operate the UPCC and OCS.
NOTE
To learn more about the UPCC and OCS, refer to related technical documents provided by respective vendors.
Requirement Description
A carrier needs to enable online charging. Figure 7-72 shows the networking.
[Figure 7-72 (networking diagram). Labels: RADIUS Server, PCRF (UPCC), OCS, Gx, Gy, RADIUS Packet, Gi, IP/MPLS, SGSN, GGSN, PCEF (Front End), DPI System, User: 460100000000022; traffic types: Video, Streaming, Voice, VoIP.]
[Figure 7-73 (relation between configuration objects). Charging policy packages: basic_traffic, basic_duration, basic_free, added_traffic, added_free. Each package is drawn above a rating group; the extracted text labels every rating group basic_traffic.]
CAUTION
You need to perform configurations from bottom to top, as shown in Figure 7-73.
Data Planning
According to the preceding requirements, the data planning is as follows:
• Customize protocol
Define category websites that contains protocols protocal1 and protocal2.
– Define the HTTP traffic to access www.example1.com as protocol protocal1.
– Define the HTTP traffic to access www.example2.com as protocol protocal2.
• Charging policy package
As shown in Table 7-5.
Procedure
Step 1 Log in to the Front End of the SIG.
For details on how to add the HTTP traffic of the specified URL to the user-defined protocol,
see 22.6.3 Typical Configuration Example (Customized DPI Signature File, Traffic on the
Specified Web Site) in 22.6 Managing the Knowledge Base.
4. Click OK.
5. According to previous steps, set Name to basic_duration, and Number to 2; set Name to
basic_free, and Number to 3; set Name to added_traffic, and Number to 4; set Name to
added_free, and Number to 5.
Step 6 Add charging policy packages.
1. In the navigation tree, choose Value-added Service > Application Charging >
Charging > Charging Policy Package Management.
2. Click Add.
3. Set Policy Package Code to 8:200051, set Name to basic_traffic. Then click Save.
4. Select OCS from Item Type, and click Add.
5. Set parameters in the dialog box that is displayed. Figure 7-74 shows the configuration
interface.
NOTE
The policy package codes are required during the adding of rules.
This step is optional, but mandatory if you need to log in to the UPCC Web UI through only a client
for the first time.
b. Confirm the security alarm, and then click Yes, as shown in Figure 7-76.
3. Enter values in User Name, Password, and Verify Code, as shown in Figure 7-77.
NOTE
The default user name and password of the administrator of the UPCC Web UI are admin and
huawei respectively.
4. Click Login.
When a user requests the last slice of the quota (the credit is about to be exhausted), the user's HTTP
access is redirected and the user is reminded to recharge. The redirection is configured by the
data configuration engineer.
----End
Follow-up Procedure
After the data configuration engineer of the carrier completes the further packaging of services,
subscribers can log in to the portal of the carrier and order required services.
Prerequisites
Requirements are as follows:
• The connections of the SIG to the UPCC and OCS are commissioned. For details, see
Connecting the Front End to the PCRF, Connecting the PCRF to the Front End,
Commissioning the Connection to the PCRF, and Connecting to the OCS in
HUAWEI SIG9800 Service Inspection Gateway Commissioning Guide respectively.
• 4.2 Configuring the Subscriber is complete, and the account of the subscriber to be
managed is 460100000000022.
• The current user has the Value-added Service service permission.
• The current user has the permission to operate the UPCC and OCS.
NOTE
To learn more about the UPCC and OCS, refer to related technical documents provided by respective vendors.
Requirement Description
Carriers require the online charging and the FUP function during the charging process. Figure
7-83 shows the networking.
[Figure 7-83 (networking diagram). Labels: RADIUS Server, PCRF (UPCC), OCS, Gx, Gy, RADIUS Packet, Gi, IP/MPLS, SGSN, GGSN, PCEF (Front End), DPI System, User: 460100000000022; traffic types: Video, Streaming, Voice, VoIP.]
For details on the FUP function, see 6.1 About the FUP Service.
The quota and charge rate for each user are as follows:
The FUP function is applied to the charging process to limit user bandwidths:
• When quota consumption is less than 4 GB, upstream and downstream bandwidths are
limited to 1024 kbit/s and 2048 kbit/s respectively.
rule_qos1: condition group condition-normal (Object Attribute = QuotaStatus; Right Value = Normal)
rule_qos2: condition group condition-level1 (Object Attribute = QuotaStatus; Right Value = Level1)
rule_qos3: condition group condition-level2 (Object Attribute = QuotaStatus; Right Value = Level2)
rule_qos4: condition group condition-exhaust (Object Attribute = QuotaStatus; Right Value = Exhaust)
rule_fup1: condition group condition-normal (Object Attribute = QuotaStatus; Right Value = Normal)
rule_fup2: condition group condition-level1 (Object Attribute = QuotaStatus; Right Value = Level1)
rule_fup3: condition group condition-level2 (Object Attribute = QuotaStatus; Right Value = Level2)
rule_fup4: condition group condition-exhaust (Object Attribute = QuotaStatus; Right Value = Exhaust)
rule_ocs1: condition group condition-normal (Object Attribute = QuotaStatus; Right Value = Normal)
rule_ocs2: condition group condition-level1 (Object Attribute = QuotaStatus; Right Value = Level1)
rule_ocs3: condition group condition-level2 (Object Attribute = QuotaStatus; Right Value = Level2)
rule_ocs4: condition group condition-exhaust (Object Attribute = QuotaStatus; Right Value = Exhaust)
Suppose that the user subscribes to service, and the service has session quota quota_fup.
Service service_fup includes two policies:
• Policy policy_ipcan: When a user is activated during the access to the mobile data network,
and the current quota status is matched with the rule in the policy, the matched rule is
considered as the current control policy of the user. For example, if the quota of the current
online user is less than 40% of the total quota, and rule rule_qos1 is employed, the upstream
and downstream bandwidths of the total traffic are limited to 1024 kbit/s and 2048 kbit/s
respectively.
• Policy policy_fup: defines the quota status-based policy control. When the quota status
changes, the control policy is switched to the corresponding one of the new quota status.
rule_fup1 (accumulated traffic quota usage within a month < 4 GB): Defines the mapping between rating group total and total traffic.
rule_qos1 (accumulated traffic quota usage within a month < 4 GB): The maximum uplink bandwidth is 1024 kbit/s, and the maximum downlink bandwidth is 2048 kbit/s.
Data Planning
You can click the following links to view the data planning of main parameters:
Value(KB): 10000000
CAUTION
In the UPCC, 1 KB=1024 bytes. The UPCC delivers traffic to the Front
End, in bytes. When the quota value on the UPCC is set to 1,000,000 KB,
the traffic of 1024 x 1,000,000 bytes is delivered from the UPCC to the
Front End.
However, on the SIG, 1 KB=1000 bytes. That is, the SIG actually receives
1,024,000 KB traffic.
Slice(%): 5
Description: -
Level2: 80
Exhaust: 100
Name policy_ipcan
Trigger IPCANSessionEstablish
The triggering condition is the CCR_Initial Request message on
the Gx interface. It is applicable to the scenario where users
access the mobile data network.
Description -
Rule rule_ocs1
rule_ocs2
rule_ocs3
rule_ocs4
rule_fup1
rule_fup2
rule_fup3
rule_fup4
rule_qos1
rule_qos2
rule_qos3
rule_qos4
Name policy_usage
Trigger UsageStatusChange
The triggering condition is the change of the quota status, and
the application scenario is the quota status-based policy control.
Description -
Rule rule_ocs1
rule_ocs2
rule_ocs3
rule_ocs4
rule_fup1
rule_fup2
rule_fup3
rule_fup4
rule_qos1
rule_qos2
rule_qos3
rule_qos4
Type: VALUE_ADDED_SERVICE
APN: -
VPN: -
SP: default1
Account: -
Precedence: 0
Description: -
Policy policy_ipcan
policy_usage
Quota quota_fup
NOTE
Is Meter To Basic and QoS Mode are irrelevant to this service. For details, refer to the product manual
of the UPCC.
Type: Dynamic
Precedence: 10
Service service
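The unit mismatch in the CAUTION above matters when usage figures read on the SIG are compared with the UPCC quota thresholds. The following Python sketch is an added example, not Huawei code: it uses the planned quota value and the Level2/Exhaust thresholds from this section, while the Level1 threshold of 40 (taken from the 40% figure in the policy description) and the rule that a status applies once usage reaches its threshold are assumptions.

```python
"""Quota-status thresholds across the UPCC/SIG kilobyte mismatch (added example)."""

UPCC_BYTES_PER_KB = 1024  # UPCC: 1 KB = 1024 bytes (from the CAUTION)
SIG_BYTES_PER_KB = 1000   # SIG:  1 KB = 1000 bytes (from the CAUTION)

QUOTA_VALUE_KB = 10_000_000  # "Value(KB): 10000000" in the data planning

# Thresholds in percent of the quota. Level2 and Exhaust are from the data
# planning; Level1 = 40 is an assumption based on the 40% figure in the text.
THRESHOLDS = (("Level1", 40), ("Level2", 80), ("Exhaust", 100))


def upcc_quota_bytes(quota_kb):
    """Bytes the UPCC delivers to the Front End for a quota entered in UPCC KB."""
    return quota_kb * UPCC_BYTES_PER_KB


def sig_kb(byte_count):
    """The same byte count expressed in the SIG's 1000-byte KB."""
    return byte_count / SIG_BYTES_PER_KB


def threshold_table(quota_kb=QUOTA_VALUE_KB):
    """Map each status to (threshold in bytes, threshold in SIG KB)."""
    total = upcc_quota_bytes(quota_kb)
    table = {}
    for status, percent in THRESHOLDS:
        limit = total * percent // 100
        table[status] = (limit, sig_kb(limit))
    return table


def quota_status(used_bytes, quota_kb=QUOTA_VALUE_KB):
    """Classify usage; a status applies once usage reaches its threshold (assumed)."""
    if used_bytes < 0:
        raise ValueError("usage cannot be negative")
    status = "Normal"
    for name, (limit, _) in threshold_table(quota_kb).items():
        if used_bytes >= limit:
            status = name
    return status


def status_for_sig_reading(reading_kb, bytes_per_kb=SIG_BYTES_PER_KB):
    """Status for a usage figure read on the SIG, given the KB size the reader assumes."""
    return quota_status(reading_kb * bytes_per_kb)


if __name__ == "__main__":
    for status, (limit, limit_sig_kb) in threshold_table().items():
        print(f"{status:8s} {limit:>14,d} bytes = {limit_sig_kb:>12,.0f} KB on the SIG")
    reading = 4_050_000  # constructed sample: KB value shown on the SIG
    print("read as SIG KB :", status_for_sig_reading(reading))
    print("read as UPCC KB:", status_for_sig_reading(reading, UPCC_BYTES_PER_KB))
```

A reading close to a threshold lands in different statuses depending on which KB size is assumed, so thresholds should be compared in bytes.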
Procedure
Step 1 Log in to the Front End of the SIG.
Step 2 Configure basic information.
Set the quota control mode for online charging to distributed.
[Sysname-dpi-charge-view] online-charging quota-control-mode decentralization
[Sysname-dpi-charge-view] quit
NOTE
The policy package codes are required during the adding of rules.
NOTE
This step is optional, but mandatory if you need to log in to the UPCC Web UI through only a client
for the first time.
b. Confirm the security alarm, and then click Yes, as shown in Figure 7-90.
3. Enter values in User Name, Password, and Verify Code, as shown in Figure 7-91.
NOTE
The default user name and password of the administrator of the UPCC Web UI are admin and
huawei respectively.
4. Click Login.
When Object Attribute is selected, set Object to Quota and click QuotaStatus. Then click OK.
Refer to Figure 7-94.
2. Add rule rule_qos1 and bind it to the FUP traffic control policy package (1:200019). Figure
7-99 shows the configuration page.
The configurations of rules rule_qos2, rule_qos3, and rule_qos4 are identical with
configuration of rule rule_qos1. These rules are bound to policy packages 1:200020,
1:200021, and 1:200022 respectively.
3. Add rule rule_fup1 and bind it to the FUP service configuration policy package fup_con
(14:200001). Figure 7-100 shows the configuration page.
The configurations of rules rule_fup2, rule_fup3, and rule_fup4 are identical with
configuration of rule rule_fup1. Rules rule_fup2, rule_fup3, and rule_fup4 are bound to
condition-level1, condition-level2, and condition-exhaust respectively, and each rule is
bound to policy package 14:200001.
4. Add rule rule_fup1 and bind it to the charging policy package charge (8:200005). Figure
7-101 shows the configuration page.
The configurations of rules rule_ocs2, rule_ocs3, and rule_ocs4 are identical with the
configuration of rule rule_ocs1. Rules rule_ocs2, rule_ocs3, and rule_ocs4 are bound to
condition-level1, condition-level2, and condition-exhaust respectively, and each rule is
bound to policy package 8:200005.
Step 12 Add policies.
1. In the navigation tree, choose Policy Management > Policy > Policy.
2. Add policy policy_ipcan. Figure 7-102 shows the configuration page.
The amount of a user account is $100 and the charge rate is $0.2/MB.
----End
Prerequisites
• The RADIUS server interworks with the SIG successfully.
• The current user has the Value-added Service service permission.
Requirement Description
The carrier adopts its own OCS for charging and the SIG is only required for providing the
charging redirection function. Figure 7-107 shows the networking.
[Figure 7-107 (networking diagram). Labels: Gi, IP/MPLS, SGSN, GGSN, PCEF (Front End), DPI System; traffic types: Video, Streaming, Voice, VoIP.]
The RADIUS server copies RADIUS packets (containing user information) to the RADIUS proxy
on the Back End of the SIG, identifying that the quota credit of the user is insufficient or
exhausted. When HTTP traffic is generated, the user is redirected to the alarm page.
• After receiving charging packets, the RADIUS proxy resolves user attributes (such as IMSI,
IP address, and Login-LAT-Service) and sends them to the SAS.
• The SAS saves user information and checks the value of Login-LAT-Service to decide
whether to deliver the redirection policy to the SPS.
Suppose that three values of Login-LAT-Service are available and corresponding policies are
performed:
• If the value of Login-LAT-Service is CAPHTTP, the SAS delivers the redirection policy.
HTTP traffic generated by a user's access to the charging Web site is allowed through; other
HTTP traffic is redirected to www.alarm1.com, and non-HTTP traffic is allowed through.
• If the value of Login-LAT-Service is CAP, the SAS delivers the redirection policy. HTTP
traffic generated by a user's access to the charging Web site is allowed through; other HTTP
traffic is redirected to www.alarm2.com, and non-HTTP traffic is blocked.
• If the value of Login-LAT-Service is ACT, the SAS does not deliver the redirection policy.
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 Add alarm URLs.
1. In the navigation tree, choose Basic Configuration > User Message Configuration >
Alarm URL Management.
2. Click Add and enter www.alarm1.com (in the case of credit insufficiency) in Alarm
URL.
3. Click OK.
4. Click Add and enter www.alarm2.com (in the case of credit exhaustion) in Alarm
URL.
5. Click OK.
Step 3 Configure charging redirection.
1. In the navigation tree, choose Value-added Service > Application Charging >
Charging > Charging Redirection Configuration.
2. Add CAPHTTP.
a. Click Add.
b. Set CAPHTTP parameters in the dialog box that is displayed. Figure 7-108 shows
parameter settings.
c. Click OK.
3. Add CAP.
a. Click Add.
b. Set CAP parameters in the dialog box that is displayed. Figure 7-109 shows parameter
settings.
c. Click OK.
4. Add ACT.
a. Click Add.
b. Set ACT parameters in the dialog box that is displayed. Figure 7-110 shows parameter
settings.
c. Click OK.
Step 4 (Optional) Add the charging redirection whitelist. When the user's credit is insufficient or
exhausted, the user can still access URLs in the whitelist normally and no alarm is generated.
1. In the navigation tree, choose Basic Configuration > User Message Configuration >
Alarm and Charging Whitelist Management.
2. Click Add, and enter an alarm URL in Alarm and Charging Whitelist.
NOTE
The format of the URLs in the alarm and charging whitelist is http://www.example.com. HTTPS URLs
cannot be added to the whitelist.
3. Click OK.
4. Repeat the previous steps to add multiple URLs to the charging redirection URL
whitelist.
----End
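The three Login-LAT-Service behaviours and the whitelist format rule from this procedure can be modelled as a decision function, so the expected treatment of a flow can be checked against the configured redirection entries. This is an added Python example, not SIG code; the charging-site host pay.example.com, the sample flows, host-based matching, and the rejection of unknown attribute values are assumptions.

```python
"""Model of the charging-redirection behaviour per Login-LAT-Service value (added example)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Per-value behaviour as described on this page:
# (alarm URL for other HTTP traffic, action for non-HTTP traffic)
REDIRECT_POLICIES = {
    "CAPHTTP": ("www.alarm1.com", "pass"),   # credit insufficient
    "CAP": ("www.alarm2.com", "block"),      # credit exhausted
}
NO_REDIRECT_VALUES = {"ACT"}  # the SAS delivers no redirection policy


@dataclass(frozen=True)
class Decision:
    action: str                    # "pass", "redirect" or "block"
    target: Optional[str] = None   # alarm URL when action == "redirect"


def whitelist_host(url):
    """Validate a whitelist entry (format http://www.example.com) and return its host.

    HTTPS URLs are rejected because the page states they cannot be whitelisted.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "http" or not parts.hostname:
        raise ValueError(f"whitelist entries must look like http://host: {url!r}")
    return parts.hostname.lower()


def decide(login_lat_service, is_http, host, charging_hosts, whitelist=()):
    """Return the treatment of one flow for a user with the given attribute value."""
    if login_lat_service in NO_REDIRECT_VALUES:
        return Decision("pass")
    if login_lat_service not in REDIRECT_POLICIES:
        # Assumption of this example: surface unknown values instead of guessing.
        raise ValueError(f"unknown Login-LAT-Service value: {login_lat_service!r}")
    alarm_url, non_http_action = REDIRECT_POLICIES[login_lat_service]
    if not is_http:
        return Decision(non_http_action)
    allowed = {h.lower() for h in charging_hosts} | {whitelist_host(u) for u in whitelist}
    if host.lower() in allowed:
        return Decision("pass")
    return Decision("redirect", alarm_url)


# Constructed sample flows: (description, is_http, host)
SAMPLE_FLOWS = [
    ("charging site", True, "pay.example.com"),
    ("whitelisted site", True, "www.example.com"),
    ("other web site", True, "news.example.net"),
    ("non-HTTP flow", False, "voip.example.net"),
]


def policy_matrix(charging_hosts=("pay.example.com",),
                  whitelist=("http://www.example.com",)):
    """Decisions for every sample flow under each Login-LAT-Service value."""
    return {
        value: {name: decide(value, is_http, host, charging_hosts, whitelist)
                for name, is_http, host in SAMPLE_FLOWS}
        for value in ("CAPHTTP", "CAP", "ACT")
    }


if __name__ == "__main__":
    for value, rows in policy_matrix().items():
        for name, decision in rows.items():
            print(f"{value:8s} {name:17s} -> {decision.action} {decision.target or ''}")
```

The matrix makes the difference between the two redirect values visible: under CAPHTTP non-HTTP traffic still passes, while under CAP only the charging site and whitelisted hosts remain reachable.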
and the traffic of other types use the charge rates different from that used by P2P and Video
traffic.
Prerequisites
Requirements are as follows:
• The connections of the SIG to the UPCC, OCS, and CG/CFS are commissioned. For details,
see Connecting the Front End to the PCRF, Connecting the PCRF to the Front End,
Commissioning the Connection to the PCRF, Connecting to the OCS, and Connecting
to the CG/CFS in HUAWEI SIG9800 Service Inspection Gateway Commissioning
Guide respectively.
• 4.2 Configuring the Subscriber is complete, and the account of the subscriber to be
managed is 460100000000022.
• The current user has the Value-added Service service permission.
• The current user has the permission to operate the UPCC, OCS and BS.
NOTE
To learn more about the UPCC, OCS, and BS, refer to related technical documents provided by respective
vendors.
Requirement Description
The carrier needs to enable online charging, and to convert online charging to offline charging
in case of faults. Figure 7-111 shows the networking.
[Figure 7-111 (networking diagram). Labels: BS, Back End, RADIUS Server, PCRF (UPCC), OCS, Gx, Gy, RADIUS Packet, Gi, IP/MPLS, SGSN, GGSN, PCEF (Front End), DPI System, User: 460100000000022; traffic types: Video, Streaming, Voice, VoIP.]
NOTE
Here, the back-end CFS of the SIG serving as the CG is used as an example.
The quota and charge rate for each user are as follows:
• The amount of a user account is $100.
• The traffic quota requested from the OCS each time is 256 KB.
• The charge rate for P2P and Video traffic is $0.1/MB.
Figure 7-112 shows the relation between configuration objects in the charging service.
Suppose that all users in user group group subscribe to service service.
NOTE
The configuration of online-to-offline charging in case of faults is consistent with that of online charging.
The differences are as follows:
• Both the CFS (CG) and BS should be added during the deployment, and the CFS (CG) should be
specified on the Front End during the configuration.
• In the OCS configuration on the Front End, the processing mode for traffic when faults occur
is Permit, with charging in offline mode.
Data Planning
See Data Planning in 7.2.3 Typical Configuration Example 1 (Online Charging by
Traffic).
Procedure
Step 1 Log in to the Front End of the SIG.
2. When the OCS is faulty, the SIG allows service traffic through and the charging mode
changes to the offline charging.
[Sysname-dpi-charge-view] online-charging ccfh continue
6. Click OK.
7. Click Add, add policy item item2.
8. Click OK.
9. Click Add, add policy item item3.
NOTE
The policy package code is required during the adding of the rule.
This step is optional, but mandatory if you need to log in to the UPCC Web UI through only a client
for the first time.
b. Confirm the security alarm, and then click Yes, as shown in Figure 7-117.
3. Enter values in User Name, Password, and Verify Code, as shown in Figure 7-118.
NOTE
The default user name and password of the administrator of the UPCC Web UI are admin and
huawei respectively.
4. Click Login.
2. Add rule rule and bind it to the configured charging policy package. Figure 7-119 shows
the configuration interface.
----End
Prerequisites
Requirements are as follows:
• The connections of the SIG to the UPCC and CG/CFS are commissioned. For details, see
Connecting the Front End to the PCRF, Connecting the PCRF to the Front End,
Commissioning the Connection to the PCRF, and Connecting to the CG/CFS in
HUAWEI SIG9800 Service Inspection Gateway Commissioning Guide respectively.
• 4.2 Configuring the Subscriber is complete, and the account of the subscriber to be
managed is 460100000000022.
• The current user has the Value-added Service service permission.
• The current user has the permission to operate the UPCC and BS.
NOTE
To learn more about the UPCC and BS, refer to related technical documents provided by respective vendors.
Requirement Description
The carrier needs to enable online charging. Figure 7-124 shows the networking.
[Figure 7-124 (networking diagram). Labels: BS, Gx, RADIUS Packet, Gi, IP/MPLS, SGSN, GGSN, PCEF (Front End), DPI System, User: 460100000000022; traffic types: Video, Streaming, Voice, VoIP.]
NOTE
Here, the back-end CFS of the SIG serving as the CG is used as an example.
The quota and charge rate for each user are as follows:
Figure 7-125 shows the relation between configuration objects in the charging service.
Suppose that all users in user group group subscribe to service service.
Data Planning
See Data Planning in 7.2.3 Typical Configuration Example 1 (Online Charging by
Traffic).
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 Add flow classes.
1. In the navigation tree, choose Basic Configuration > Flow Classification Management
> Flow Classification Configuration.
2. Click Add.
3. Enter p2p_video in Name.
4. Click Add and select the predefined flow classification items P2P and Video.
5. Click OK and Close.
6. Click Add.
7. Enter else in Name.
8. Click Add and select all the flow classification items except P2P, Video and
Web_Browsing.
9. Click OK and Close.
Step 3 Add rating groups.
1. In the navigation tree, choose Value-added Service > Application Charging >
Application Mapping > Rating Group Management.
2. Click Add.
3. Set Number to 1, and Name to p2p_video.
4. Click OK.
5. According to previous steps, set Name to web_browsing, and Number to 2; set Name to
else, and Number to 3.
Step 4 Add a charging policy package.
1. In the navigation tree, choose Value-added Service > Application Charging >
Charging > Charging Policy Package Management.
2. Click Add.
3. Set Policy Package Code to 8:200005, set Name to charge. Then click Save.
4. Select Charging from Item Type, and click Add.
5. Set the parameters of policy item item1 in the dialog box that is displayed. Figure 7-126
shows parameter settings.
6. Click OK.
7. Click Add, add policy item item2.
Figure 7-127 shows how to configure policy item item2.
8. Click OK.
9. Click Add, add policy item item3.
Figure 7-128 shows how to configure policy item item3.
The policy package code is required during the adding of the rule.
This step is optional, but mandatory if you need to log in to the UPCC Web UI through only a client
for the first time.
b. Confirm the security alarm, and then click Yes, as shown in Figure 7-130.
3. Enter values in User Name, Password, and Verify Code, as shown in Figure 7-131.
NOTE
The default user name and password of the administrator of the UPCC Web UI are admin and
huawei respectively.
4. Click Login.
Step 6 Add a rule.
1. In the navigation tree, choose Policy Management > Policy > Rule.
2. Add rule rule and bind it to the configured charging policy package. Figure 7-132 shows
the configuration interface.
----End
Prerequisites
Requirements are as follows:
• The connections of the SIG to the UPCC, OCS, and CG/CFS are commissioned. For details,
see Connecting the Front End to the PCRF, Connecting the PCRF to the Front End,
Commissioning the Connection to the PCRF, Connecting to the OCS, and Connecting
to the CG/CFS in HUAWEI SIG9800 Service Inspection Gateway Commissioning
Guide respectively.
• 4.2 Configuring the Subscriber is complete, and the account of the subscriber to be
managed is 460100000000022.
• The current user has the Value-added Service service permission.
• The current user has the permission to operate the UPCC, OCS and BS.
NOTE
To learn more about the UPCC, OCS, and BS, refer to related technical documents provided by respective
vendors.
Requirement Description
The carrier needs to enable online/offline charging. Figure 7-137 shows the networking.
[Figure 7-137 (networking diagram). Labels: BS, Back End, RADIUS Server, PCRF (UPCC), OCS, Gx, Gy, RADIUS Packet, Gi, IP/MPLS, SGSN, GGSN, PCEF (Front End), DPI System, User: 460100000000022; traffic types: Video, Streaming, Voice, VoIP.]
NOTE
Here, the back-end CFS of the SIG serving as the CG is used as an example.
The quota and charge rate for each user are as follows:
Figure 7-138 shows the relation between configuration objects in the charging service.
Online/Offline charging is enabled for users. Online charging is in charge of credit control;
offline charging is in charge of CDR exporting.
Suppose that all users in user group group subscribe to service service.
Data Planning
See Data Planning in 7.2.3 Typical Configuration Example 1 (Online Charging by
Traffic).
Procedure
Step 1 Log in to the Front End of the SIG.
2. When the OCS is faulty, the SIG allows service traffic through and the charging mode
changes to the offline charging.
[Sysname-dpi-charge-view] online-charging ccfh continue
2. Click Add.
3. Set Policy Package Code to 8:200005, set Name to charge. Then click Save.
4. Select Charging from Item Type, and click Add.
5. Set the parameters of policy item item1 in the dialog box that is displayed. Figure 7-139
shows parameter settings.
6. Click OK.
7. Click Add, add policy item item2.
8. Click OK.
The policy package code is required during the adding of the rule.
This step is optional, but mandatory if you need to log in to the UPCC Web UI through only a client
for the first time.
b. Confirm the security alarm, and then click Yes, as shown in Figure 7-143.
3. Enter values in User Name, Password, and Verify Code, as shown in Figure 7-144.
NOTE
The default user name and password of the administrator of the UPCC Web UI are admin and
huawei respectively.
4. Click Login.
Step 8 Add a rule.
1. In the navigation tree, choose Policy Management > Policy > Rule.
2. Add rule rule and bind it to the configured charging policy package. Figure 7-145 shows
the configuration interface.
----End
Through Uniform Resource Locator (URL) filtering, you can apply different control policies
(such as alarm and block) to URL categories for filtering, providing healthy and secure network
environments for users.
l URL filtering
With the rapid development of the Internet, Web sites are multiplying and the harm
caused by some of them is becoming more and more conspicuous. As a result, carriers have
to pay attention to how to control URLs effectively.
URL filtering means that the SIG implements control (such as block, alarm, or pass) over
URL categories. For example, you can configure the device to block gambling Web sites,
and redirect illegitimate Web sites to alarm pages, thus prompting users that there are
potential security risks. URL categories can be predefined (by the SIG) or user-defined.
URL filtering is applicable to both fixed and wireless networks, as shown in Figure 8-1.
[Figure 8-1: networking diagram. Labels: Radio Access, SGSN/GGSN, DSLAM, BRAS, DPI system (Front End, Back End)]
The UCSS provides URL category search services for the SPS on the Front End of the DPI
system. Meanwhile, the UCSS reports the URLs whose categories are not found to the
UCSP.
l URL Management
– URL Category Management
With the power of URL filtering, the SIG controls the Web sites that are accessed by
users based on URL categories. URL categories include predefined and user-defined
URL categories. One URL belongs to only one category. Policies for user-defined
categories take priority over those for predefined categories.
– URL Address Management
The predefined categories comprise certain URLs. To move a URL to another category,
you can assign this URL to another category on the URL Address Management page
to overwrite the existing setting.
If a URL is not predefined, you can add the URL on the URL Address Management
page and select its category. You can add URLs such as domain names, IPv4
addresses, and IPv6 addresses.
– URL Encoding Management
By default, the system provides some commonly used encoding types for URL
keywords, so that the administrator can view them and configure them as the default.
The encoding types configured as the default are displayed during the adding of the
URL keyword blacklist.
l URL Filtering Service
– URL Policy Package Management
According to the URL categories (such as news or gambling) to which the accessed
Web sites belong, the system detects and controls users' Web access behaviors.
Control modes include block, alarm page push, and no control.
For example, you can configure the policy package for URL filtering to block gambling-
related Web sites and redirect access to illegitimate Web sites to the alarm page. In so
doing, users are notified of security risks.
– URL Whitelist Group
To exempt some special users from URL filtering policies, you can add these users to
the URL whitelist user group.
The system provides subscriber group URL Whitelist Group and VIC group URL
Whitelist Group by default. You can add the users to be permitted to these groups.
By default, a policy package (policy package code: 3:000001) whose control mode is
Pass is assigned to URL Whitelist Group.
– URL Blacklist Category and Policy Management
The administrator can define categories for the URL blacklist and configure the policies
for these categories as block or alarm.
For example, if you add a category named violence to the URL blacklist, configure the
category policy as alarm, and select the URL of the alarm page, the system alarms on
the Web sites matching this blacklist category, as shown in Figure 8-2.
NOTE
The processing mode for the URL address whitelist is similar to that for the blacklist except that
the system does not support whitelist categories.
A URL address cannot be added to both the URL address blacklist/whitelist and a self-
defined URL category. That is, a URL address in the blacklist/whitelist cannot be added to a URL
self-defined category, and a URL address in a URL self-defined category cannot be added to the
URL address blacklist/whitelist.
– URL Keyword Blacklist Management
The system can block a URL or push an alarm by keyword. When adding a URL
keyword, you need to select the URL blacklist category, add words, and select the
encoding type.
One keyword can comprise multiple words. A URL is regarded as matching a keyword
only after it matches all words included in the keyword. The URL is then blocked or
alarmed according to the blacklist category to which this keyword belongs. For example,
keyword 1 is added, comprising words A, B, and C, and the action for its category is
block; keyword 2 is added, comprising words A, B, C, and D, and the action for its
category is alarm. The URL www.example.com?var=A&var=B&var=C matches
keyword 1 and is blocked.
As shown in Figure 8-4, the keyword belongs to the violence category in the URL
blacklist and the policy is alarm. If you set Keyword to violence&force and Character
Encoding to Default Encoding(Default encoding) and Unicode(UTF-8), URLs
containing the character string 76696F6C656E636526666F726365,
violence%26force, or violence&force are alarmed.
URLs. When configuring a blurry definition URL, you can specify the priority. The
lower the value, the higher the priority.
l SSL Access Management
The system controls (bandwidth control or priority marking) SSL traffic and does not
control specified HTTPS Web sites.
For example, in the scenario where SSL traffic is configured with the QoS policy and the
bandwidth limit of the SSL traffic is set to 0, to permit the access to some HTTPS Web
sites, add these Web sites to the domain name whitelist.
You can add either the domain name or the IP address of a Web site to the domain name
blacklist and whitelist. If you add the domain name of a Web site, you can obtain the mapping
between the domain name and IP address of the Web site by either of the following methods:
– The Front End resolves the DNS response packets.
This method is applicable to the scenario where the SPS can probe user's DNS response
packets. Either of the following conditions triggers the SPS to resolve the DNS response
packets of the domain name blacklist and whitelist:
– The version of the SSL domain name blacklist and whitelist changes. (Adding or
deleting blacklist/whitelist entries leads to the version change.)
– The version of the SSL domain name blacklist and whitelist does not change, but
the interval since the latest resolution exceeds the defined threshold (configured on
the Front End).
– The Update Server accesses the DNS Server.
This method is applicable to the scenario where the update server can access the DNS
server (configured on the Back End). Either of the following conditions triggers the
update server to access the DNS Server:
– The version of the SSL domain name blacklist and whitelist changes.
– The version of the SSL domain name blacklist and whitelist does not change, but
the interval since the latest access exceeds the defined threshold.
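The keyword matching rule described under URL Keyword Blacklist Management above, modeled in Python as an added example (it is not Huawei code and not part of the original guide). The class and function names, the case-insensitive comparison, the first-match rule in `action_for`, the `gbk` charset, and all sample words and URLs are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import quote


def encoded_forms(word, charsets=("utf-8",)):
    """Return every string that counts as an occurrence of `word` in a URL."""
    forms = {word.lower()}                       # literal, e.g. violence&force
    for charset in charsets:
        try:
            raw = word.encode(charset)
        except UnicodeEncodeError:
            continue                             # word not representable in this charset
        forms.add(quote(raw, safe="").lower())   # percent-encoded, e.g. violence%26force
        forms.add(raw.hex())                     # hex string, e.g. 76696f6c...
    return forms


@dataclass(frozen=True)
class Keyword:
    name: str
    words: tuple                  # a URL matches only if it contains ALL words
    action: str                   # action of the blacklist category: "block" or "alarm"
    charsets: tuple = ("utf-8",)  # encodings selected for this keyword

    def matches(self, url):
        url = url.lower()         # assumption: comparison is case-insensitive
        return all(
            any(form in url for form in encoded_forms(word, self.charsets))
            for word in self.words
        )


def matched_keywords(url, keywords):
    """All configured keywords that the URL matches, in configuration order."""
    return [k for k in keywords if k.matches(url)]


def action_for(url, keywords, default="pass"):
    """Assumption: the first matching keyword in configuration order decides."""
    hits = matched_keywords(url, keywords)
    return hits[0].action if hits else default


# Constructed sample data. alpha/bravo/charlie/delta stand in for the words
# A, B, C and D of the guide's example.
KEYWORD_1 = Keyword("keyword 1", ("alpha", "bravo", "charlie"), "block")
KEYWORD_2 = Keyword("keyword 2", ("alpha", "bravo", "charlie", "delta"), "alarm")
VIOLENCE = Keyword("violence&force", ("violence&force",), "alarm")

ABC_URL = "www.example.com?var=alpha&var=bravo&var=charlie"
ABCD_URL = ABC_URL + "&var=delta"

# A non-ASCII word shows why the selected encodings matter: the same word
# produces different bytes, and so different URL text, in each charset.
CN_WORD = "暴力"
CN_UTF8_ONLY = Keyword("cn-utf8", (CN_WORD,), "alarm", ("utf-8",))
CN_BOTH = Keyword("cn-both", (CN_WORD,), "alarm", ("utf-8", "gbk"))
GBK_URL = "www.example.com/s?q=" + quote(CN_WORD.encode("gbk"), safe="")

if __name__ == "__main__":
    for url in (ABC_URL, ABCD_URL, GBK_URL):
        names = [k.name for k in matched_keywords(url, [KEYWORD_1, KEYWORD_2, CN_BOTH])]
        print(url, "->", names)
```

A keyword whose selected encodings do not include the charset a client actually used is not matched, which is the practical reason to review the default encoding types before adding keywords.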
8.2.1 Overview
This section describes the functions realized through the configuration of URL filtering.
By configuring URL filtering, you can provide subscribers, VICs, and links with the following
functions:
l Controlling the spread of vulgar information contained by unhealthy Web sites related to
pornography, violence, crime, and gambling.
l Shielding phishing Web sites, and thus protecting user privacy.
l Shielding malicious Web sites, and thus reducing Trojan attacks.
You can choose to filter either only page packets or all HTTP request packets.
l Page packet: indicates the HTTP request packets whose request objects are Web page files
such as .html and .htm.
l Non-page packet: indicates the HTTP request packets whose request objects are non-Web
page files such as images and music.
Concepts relating to the URL service are as follows:
l URL whitelist group
By default, the system provides the URL whitelist group, to which you add the users to be
allowed through. By default, the control mode for URL Whitelist Group is already set
to Pass.
l URL policy
URL policies consist of user policies and link policies. Policies are defined on the back-
end UI. Policies applied to subscribers and VICs are user policies, and those applied
to links are link policies.
l Policy item priority
The priority value specified in the policy item definition. The smaller the value, the higher
the priority. The value is an integer that ranges from 1 to 9,999. The value is globally unique
in the system.
[Configuration flowchart (Back End). Surviving labels: Start; Is a new user-defined URL category required? (Yes: Add a URL category); Is a new user-defined URL required? (Yes: Add a URL); Is an alarm policy required? (Yes: Add an alarm URL); End]
Action: Configure basic information
Description:
Configure the packet type for URL filtering: By default, the SPS filters only the page packets. You can configure the SPS to filter all HTTP request packets.
Configure the policy for the first packet of HTTP request packets: When the SPS does not have URL category cache, the SPS caches HTTP request packets by default. You can configure the policy for HTTP request packets as permit or deny.
Configure the preferential matching sequence of URL policies: By default, the priority of the URL link policy is higher than that of the user policy. That is, a packet that matches the link policy is not matched against the user policy; otherwise, the packet continues to be matched against the user policy. You can configure the priority of the user policy to be higher than that of the link policy.
Operation location: Front End of the SIG.

Action: Add the user-defined URL category
Description:
URLs can be predefined (by the SIG) or user-defined. If the URL to be controlled is a predefined one, you do not need to add any URL category. If the URL to be controlled is a user-defined one, you need to add a user-defined URL category.
Operation location: Back-end UI of the SIG. In the navigation tree, choose Access Control > URL Filter > URL Management.

Action: Add the user-defined URL
Description:
When the current URL category does not contain the URL to be controlled, you should add the URL to the specified category. The URL definition can be precise or blurry. You can add a single URL or import URLs in batches.
Operation location: Back-end UI of the SIG. In the navigation tree, choose Access Control > URL Filter > URL Management.

Action: Add the URL alarm address
Description:
You can set alarm policies for URL categories. Before configuring the alarm policy, you need to set the alarm address first. When the URL accessed by the user is of the category, the user's access is redirected to the alarm address, prompting the user that there are security risks.
For details, refer to 22.4 Managing the Alarm Address or 22.5 Managing the Dynamic Alarm.
Operation location: Back-end UI of the SIG.
l In the navigation tree, choose Basic Configuration > User Message Configuration > Alarm URL Management.
l In the navigation tree, choose Basic Configuration > User Message Configuration > Global Dynamic Alarm Management.
l In the navigation tree, choose Basic Configuration > User Message Configuration > Subscriber Area Dynamic Alarm Management.
l In the navigation tree, choose Basic Configuration > User Message Configuration > VIC Area Dynamic Alarm Management.

Action: Configure the URL filtering policy
Description:
You can define the control policy for the URL category to be controlled.
Operation location: Back-end UI of the SIG. In the navigation tree, choose Access Control > URL Filter > URL Policy Package Management.

Action: Apply the URL filtering policy
Description:
You can apply the configured control policy to the specified URL category. URL filtering can be applied to subscribers, VICs, and links.
Operation location: Back-end UI of the SIG.
l In the navigation tree, choose Subscriber and Network Management > Subscriber > Policy Application.
l In the navigation tree, choose Subscriber and Network Management > Very Important Customer > Policy Application.
l In the navigation tree, choose Subscriber and Network Management > Network > Physical Link Management > Link Policy Application.
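The matching sequence between link policies and user policies, the policy item priority, and the rule that a user-defined category assignment overwrites the predefined one, modeled in Python as an added example (it is not Huawei code and not part of the original guide). All class, function, and policy item names, the sample hosts other than www.20010.com, the category assignments, and the result returned when no policy item matches are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyItem:
    name: str
    priority: int   # 1..9999; the smaller the value, the higher the priority
    category: str   # URL category the item controls
    action: str     # "block", "alarm" or "pass"


def check_priorities(*item_lists):
    """Reject a priority outside 1..9999 or one reused anywhere in the system."""
    seen = {}
    for item in (i for items in item_lists for i in items):
        if not 1 <= item.priority <= 9999:
            raise ValueError(f"{item.name}: priority {item.priority} out of range")
        if item.priority in seen:
            raise ValueError(f"{item.name} reuses the priority of {seen[item.priority]}")
        seen[item.priority] = item.name


def category_of(host, predefined, user_defined):
    """A URL has one category; a user-defined assignment overwrites the predefined one."""
    return user_defined.get(host, predefined.get(host))


def first_match(items, category):
    """Highest-priority item (smallest value) that controls this category."""
    for item in sorted(items, key=lambda i: i.priority):
        if item.category == category:
            return item
    return None


def decide(host, link_items, user_items, predefined, user_defined, prefer="link"):
    """Return (action, source). With prefer="link" (the default described in the
    guide) a match in the link policy ends the search; only when the link policy
    does not match is the user policy consulted. prefer="user" swaps the order."""
    check_priorities(link_items, user_items)
    category = category_of(host, predefined, user_defined)
    stages = [("link policy", link_items), ("user policy", user_items)]
    if prefer == "user":
        stages.reverse()
    for source, items in stages:
        item = first_match(items, category)
        if item is not None:
            return item.action, source
    # Assumption: traffic that no policy item covers is not controlled.
    return "pass", "no matching policy item"


# Constructed sample data.
PREDEFINED = {"bets.example": "Gambling", "arcade.example": "Entertainment"}
USER_DEFINED = {"www.20010.com": "Games", "arcade.example": "Games"}
LINK_ITEMS = [
    PolicyItem("link_gambling", 10, "Gambling", "block"),
    PolicyItem("link_games", 20, "Games", "alarm"),
]
USER_ITEMS = [
    PolicyItem("user_games", 30, "Games", "block"),
    PolicyItem("user_crime", 40, "Crime", "block"),
]

if __name__ == "__main__":
    for host in ("www.20010.com", "bets.example", "arcade.example", "unknown.example"):
        for prefer in ("link", "user"):
            result = decide(host, LINK_ITEMS, USER_ITEMS, PREDEFINED, USER_DEFINED, prefer)
            print(f"{host:18} prefer={prefer:4} -> {result}")
```

The same host gets a different action depending on which policy type is matched first, so the matching sequence configured on the Front End should be checked whenever a link policy and a user policy cover the same category.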
Prerequisites
The following requirements should be met:
l 4.4 Configuring the Link is complete, and the link to be managed is 10G-1-1-linka.
l The current user has the Access Control service permission.
Requirement Description
The SIG is deployed at the egress of the MAN in in-line mode, as shown in Figure 8-6.
The requirements for filtering URLs over link 10G-1-1-linka are as follows:
l When URL www.20010.com in category Games is accessed, the alarm should be reported.
In the navigation tree, choose Access Control > URL Filter > URL Category
Management. If you cannot find Games in the URL categories on this page, you should
create a user-defined URL category named Games.
In the navigation tree, choose Access Control > URL Filter > URL Management. If you
cannot find URL www.20010.com by URL, you should add a user-defined URL to
Games.
l Access to gambling URLs should be blocked directly.
In the navigation tree, choose Access Control > URL Filter > URL Category
Management. If you can find the corresponding URL category, this category is predefined.
[Figure 8-6: networking diagram. Labels: Router, DPI system, BRAS, Users]
Procedure
Step 1 Log in to the Front End of the SIG.
<Sysname> system-view
[Sysname] dpi-node
[Sysname-dpi-node] url-filter all enable
2. Configure the policy for the first packet of HTTP request packets as cache. That is, when
the SPS does not have the category cache, the SPS caches the HTTP request packets.
[Sysname-dpi-node] url-filter no-cache action hold
4. Select Games, and click Add to add its subcategories, as shown in Figure 8-8.
NOTE
URLs can be added to the subcategory of a URL category only. Thus, after creating a user-defined
URL category, you should add its subcategories.
NOTE
You can add a single URL, or import URLs in batches. If you import URLs in batches, you should
use a template for importing.
URL definition can be precise or blurry. To filter URLs containing a certain field, you can adopt the
blurry definition.
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Click Add. In the pop-up dialog box, configure the alarm policy item named url_b, as
shown in Figure 8-12.
8. Click OK. The system returns to the previous page and displays the added policy item.
9. Click Close. The system returns to the previous page and displays the added policy package.
----End
Prerequisites
Requirements are as follows:
Requirement Description
The SIG is deployed at the access layer of the MAN in in-line mode, as shown in Figure 8-14.
The user from haidian should meet the following requirements to access URLs:
l When URL www.20010.com in category Games is accessed, the alarm should be reported.
In the navigation tree, choose Access Control > URL Filter > URL Category
Management. If you cannot find Games in the URL categories on this page, you should
create a user-defined URL category named Games.
In the navigation tree, choose Access Control > URL Filter > URL Management. If you
cannot find URL www.20010.com by URL, you should add a user-defined URL to
Games.
l Access to crime URLs must be blocked directly.
In the navigation tree, choose Access Control > URL Filter > URL Category
Management. If you can find the corresponding URL category, this category is predefined.
[Figure 8-14: networking diagram. Labels: Router, DPI system, BRAS, Users]
Procedure
Step 1 Log in to the Front End of the SIG.
Step 2 Configure basic information.
1. Configure the packet type for URL filtering as all HTTP request packets, not only the page
packets.
<Sysname> system-view
[Sysname] dpi-node
[Sysname-dpi-node] url-filter all enable
2. Configure the policy for the first packet of HTTP request packets as cache. That is, when
the SPS does not have the category cache, the SPS caches the HTTP request packets.
4. Select Games, and click Add to add its subcategories, as shown in Figure 8-16.
NOTE
URLs can be added to the subcategories of a URL category only. Thus, after creating a user-defined
URL category, you should add its subcategories.
3. Set the parameters in the dialog box that is displayed, as shown in Figure 8-17. Click
OK. The URL is added successfully.
NOTE
You can add a single URL, or import URLs in batches. If you import URLs in batches, you should
use a template for importing.
URL definition can be precise or blurry. To filter URLs containing a certain field, you can adopt the
blurry definition.
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Click Add. In the pop-up dialog box, configure the alarm policy item named url_b, as
shown in Figure 8-20.
8. Click OK. The system returns to the previous page and displays the added policy item.
9. Click Close. The system returns to the previous page and displays the added policy package.
Step 8 Apply a policy package.
1. In the navigation tree, choose Subscriber and Network Management > Subscriber >
Policy Application.
2. Click Add.
3. Set parameters in the dialog box that is displayed. Figure 8-21 shows parameter settings.
----End
Prerequisites
Requirements are as follows:
l 4 Subscriber and Network Object Initialization is complete, and the VIC to be managed
belongs to area haidian.
l The current user has the Access Control service permission.
Requirement Description
The SIG is deployed at the access layer of the MAN in in-line mode, as shown in Figure 8-22.
If the VIC from haidian accesses crime URLs, the alarm is reported.
In the navigation tree, choose Access Control > URL Filter > URL Category Management.
If you can find the corresponding URL category, this category is predefined.
[Figure 8-22: networking diagram. Labels: Router, DPI system, BRAS, Users]
Procedure
Step 1 Log in to the Front End of the SIG.
<Sysname> system-view
[Sysname] dpi-node
[Sysname-dpi-node] url-filter all enable
2. Configure the policy for the first packet of HTTP request packets as cache. That is, when
the SPS does not have the category cache, the SPS caches the HTTP request packets.
[Sysname-dpi-node] url-filter no-cache action hold
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Click Close. The system returns to the previous page and displays the added policy package.
Step 6 Apply a policy package.
1. In the navigation tree, choose Subscriber and Network Management > Very Important
Customer > Policy Application.
2. Click Add.
3. Set parameters in the dialog box that is displayed. Figure 8-25 shows parameter settings.
----End
8.3.1 Overview
This section describes related concepts of the URL report, and lists all types of URL reports.
To realize the comprehensive and accurate behavior analysis of URL access, the SIG provides
the following types of analysis reports for the monitored URL access traffic.
You can query the stacked curves, percentage curves, or curves describing the access count
trend of URLs in a certain category or categories according to customer range and time
range.
l Category URL access count proportion
You can query the pie chart or histogram describing the access count proportion of URLs
in a certain category or categories according to customer range and time range.
l Top N category URL access counts
You can query the report on the top N URLs (by access count) in a category according to
customer range and time range.
l Top N global URLs by traffic
You can query the report on the top N global URLs by traffic according to conditions such
as the time range.
l Top N category URLs by traffic
You can query the report on the top N URLs (by traffic) in a certain category or categories
according to conditions such as the time range.
Prerequisites
Requirements are as follows:
Procedure
Step 1 (Optional) To view the reports on Top N Global URLs by Access Count, Top N Category URLs
by Access Count, Top N Global URLs by Traffic, and Top N Category URLs by Traffic,
configure the cluster information first.
1. In the navigation tree, choose System Management > System Configuration >
Component Configuration.
2. Click Configure in the OMC Configuration group box.
3. Configure the OMC and cluster information in the dialog box that is displayed.
4. After the configuration is complete, click Close.
Step 2 (Optional) To query hot URL-related reports (such as the top N customers by access count report
and the hot URL access counts trend report), enable the hot URL configuration.
NOTE
The system supports up to 10 hot URLs. Hot URLs do not support the IPv6 address format.
Step 3 In the navigation tree, choose Statistics and Analysis Report > URL.
Step 4 Enter query conditions according to prompts.
TIP
l If you select Save Query Conditions before querying reports, you do not need to enter query conditions
for the next query.
l To apply the report function for timed tasks, click Timed Task. For details, see 21.4 Managing Timed
Task Reports.
To save time for other operations, click Background Implementation. For details, see 21.5 Managing
Background Task Reports.
On the report query interface, you can export reports in different formats:
----End
Report Navigation
You can click the following links to view the report examples.
NOTE
The information in the following examples is subject to change without notice.
l Statistics and Analysis Report > URL > Top N Global URLs by Access Count
l Statistics and Analysis Report > URL > Top N Category URLs by Access Count
l Statistics and Analysis Report > URL > Top N Customers by Access Count
l Statistics and Analysis Report > URL > Hot URL Access Counts Trend
l Statistics and Analysis Report > URL > Category URL Access Count Trend
l Statistics and Analysis Report > URL > Category URL Access Count Proportion
l Statistics and Analysis Report > URL > Top N Category URL Access Counts
l Statistics and Analysis Report > URL > Top N Global URLs by Traffic
l Statistics and Analysis Report > URL > Top N Category URLs by Traffic
Statistics and Analysis Report > URL > Top N Global URLs by Access Count
Through this report, you can view top N global URLs of a specified cluster (by access count in
descending order) in a specified period. Generally, a POP is deployed with a cluster of the
SIG. By querying URL access information of the specified cluster, you can view URL access
information of the POP to which the cluster belongs.
Figure 8-26 shows the report screenshot of top 10 global URLs of the specified cluster (by
access count in descending order) in a specified hour. The report screenshot uses host names as
the statistical method.
Figure 8-26 Example of the report on top 10 global URLs by access count
Statistics and Analysis Report > URL > Top N Category URLs by Access Count
Through this report, you can view top N URLs (by access count in descending order) of a
specified cluster in a certain category or among several categories in a specified period.
Generally, a POP is deployed with a cluster of the SIG. By querying URL access information
of the specified cluster, you can view URL access information of the POP to which the cluster
belongs.
Figure 8-27 shows the report screenshot of top 10 URLs in a specified category (by access count
in descending order) of a specified cluster in a specified period.
Figure 8-27 Example of the report on top 10 P2P URLs by access count
Statistics and Analysis Report > URL > Top N Customers by Access Count
Through this report, you can view the top N customers (by access count in descending order)
accessing a certain hot URL or URLs in a specified period.
Figure 8-28 shows the report screenshot of the top 5 customers (by access count in descending
order) accessing a hot URL in a specified period.
Statistics and Analysis Report > URL > Hot URL Access Counts Trend
Through this report, you can view the access count trend of a certain hot URL or URLs in a
specified period.
Figure 8-29 shows the report screenshot of the access count trend of specified hot URLs in a
specified period.
Figure 8-29 Example of the report on hot URL access count trend
Statistics and Analysis Report > URL > Category URL Access Count Trend
Through this report, you can view the access count trend of URLs in a certain category or
categories in a specified period.
Figure 8-30 shows the report screenshot of the access count trend of specified URL categories
in a specified period.
Figure 8-30 Example of the report on category URL access count trend
Statistics and Analysis Report > URL > Category URL Access Count Proportion
Through this report, you can view the access count proportion of URLs in a certain category or
categories in a specified period.
Figure 8-31 shows the report screenshot of the access count proportion of specified URL
categories in a specified period.
Figure 8-31 Example of the report on category URL access count proportion
Statistics and Analysis Report > URL > Top N Category URL Access Counts
Through this report, you can view the top N URL categories (by specified subscriber's access
counts in descending order) in a specified period.
Figure 8-32 shows the report screenshot of the top 10 URL categories (by access count in
descending order of the subscriber in an area) in a specified period.
Figure 8-32 Example of the report on top 10 category URL access counts
Statistics and Analysis Report > URL > Top N Global URLs by Traffic
Through this report, you can view top N Global URLs (by traffic in descending order) of a
specified cluster in a specified period. Generally, a POP is deployed with a cluster of the SIG.
By querying URL access information of the specified cluster, you can view URL access
information of the POP to which the cluster belongs.
Figure 8-33 shows the report screenshot of top 10 global URLs of the specified cluster (by traffic
in descending order) in a specified hour. The report screenshot uses domain names as the
statistical method.
Statistics and Analysis Report > URL > Top N Category URLs by Traffic
Through this report, you can view top N URLs in a certain category or categories (by traffic in
descending order) of a specified cluster in a specified period. Generally, a POP is deployed with
a cluster of the SIG. By querying URL access information of the specified cluster, you can view
URL access information of the POP to which the cluster belongs.
Figure 8-34 shows the report screenshot of top 10 URLs in a specified category (by traffic in
descending order) of a specified cluster in a specified period.
9 GreenNet Service
The GreenNet service of the SIG provides network users with healthy, secure, and civilized
network environments and access content.
Figure 9-1 Controlling Web sites, network applications, and online duration available to
children
[Figure 9-1 labels: content categories Pornographic, Illegal, Violent, News, Reading, Entertainment; time windows Weekday 21:00-23:00 (Game/Chatting), Weekday 19:00-21:00 (Reading/Game/Chatting), Weekend 14:00-17:00 (News/Reading/Game/Chatting)]
[Networking diagram. Labels: Radio Access, SGSN/GGSN, DSLAM, BRAS, Portal, DPI system (Front End, Back End)]
– GreenNet subscriber: The parent can set the GreenNet package used by the child on the
Portal. Both IPv4 and IPv6 users can subscribe to the GreenNet service.
l Portal
The SIG needs to interwork with the Portal (or third-party policy server, such as the
RM9000) of the carrier, so that you can configure and apply the GreenNet service.
The Portal delivers the following functions:
– Data configuration engineers can customize the GreenNet service for family users on
the Portal Web site.
– Family users can subscribe to GreenNet services by themselves, and the carrier can
increase the service revenue accordingly. The parent subscribing to the GreenNet
service can modify the GreenNet package (provided by the carrier) on the Portal, control
Web sites available to the child, network applications, and online duration.
l URL category
The SIG supports URL classification, and control policy configurations for the URLs of a
certain category.
9.2.1 Overview
This section describes the functions supported by the GreenNet service.
The SIG provides the GreenNet service for subscribers and VICs. Through the service, the
system supports:
The default priority (in descending order) of the URL control is URL blacklist, URL
whitelist, and URL database category.
l Online duration control
Supporting the control over the online duration of subscribers. Thus, the parent can control
children's daily online duration.
l Network application blocking
The SIG can identify the network applications of users, and hence block the network
applications of a certain category.
For example, the parent can directly shield chat software such as MSN and QQ. After the
policy is successfully applied, the system automatically controls users' communications
through the chat software.
l Customized policy management
GreenNet subscribers can modify the GreenNet packages provided by carriers on the Portal
Web site.
Taking the default condition as an example, the SPS matches URL control policies in the following
order:
1. URL whitelist
2. URL category
a. Link policy
b. User policy
The SIG needs to interwork with the Portal (or a third-party PLS, such as the RM9000) of the
carrier, so that you can configure and apply the GreenNet service.
NOTE
When the SIG directly interconnects with the Portal of the carrier to provide the GreenNet service for
subscribers or VICs, refer to the Portal Help and observe the following configuration procedure.
In the case that the SIG interconnects with the RM9000, only subscribers, instead of VICs, can subscribe
to the GreenNet service. The RM9000 should be of V300R001C02.
Figure 9-3 shows the configuration procedure of the GreenNet service for subscribers, when
the SIG interconnects with the RM9000.
[Figure 9-3: configuration flowchart. Surviving labels: RM9000 PMS; Add GreenNet and log sending services; Add a user; End]
Configure basic Configure the packet type for URL filtering: By default, the SPS filters
information only the page packets. You can configure to filter all HTTP request
packets.
Configure the policy for the first packet of HTTP request packets: The
SPS caches HTTP request packets by default. You can configure the
policy for HTTP request packets as permit or deny.
Configure the preferential matching sequence of URL policies: By
default, the priority of the URL link policy is higher than that of the
user policy. That is, when matching the link policy, a packet is not to
match the user policy. On the contrary, the packet continues to match
the user policy. You can configure the priority of the user policy to be
higher than that of the link policy.
Operation location: Front End of the SIG.
Action: Configure the alarm URL
Description: When the policy for a URL category is configured as alarm, you need
to set the URL of the alarm page pushed to the user.
Operation location: Back-end UI of the SIG. In the navigation tree,
choose Value-added Service > GreenNet > Alarm URL Management.

Action: Add an URL category
Description: Selecting certain categories from predefined and user-defined URL
categories as those of the GreenNet service. In this manner, URL
filtering is implemented through the configurations of corresponding
control modes.
Operation location: Back-end UI of the SIG. In the navigation tree,
choose Value-added Service > GreenNet > GreenNet URL Category Management.
NOTE
The system supports the URL categories of multiple types, but only 32 URL
categories for the GreenNet service. If these categories cannot meet
requirements, you can define an URL category, and add predefined categories
to this URL category. Then you need to add this URL category as that of the
GreenNet service. Operation location: In the navigation tree, choose Access
Control > URL Filter > URL Category Management.

Action: Add the GreenNet flow class
Description: In addition to the predefined flow classes, the system also supports
user-defined flow classes. For details about flow classes, see 22.1
Managing Flow Classifications and Flow Classification Items.
To control an Internet application (for example, Web browsing), you
must add the corresponding flow class as a GreenNet flow class (for
example, Web_Browsing).
Operation location: Back-end UI of the SIG. In the navigation tree,
choose Value-added Service > GreenNet > GreenNet Flow Classification Management.
Action: Add a device and set the URL level
Description: Specifying the BIS of the SIG for interconnecting with the RM9000
PMS.
The administrator needs to add multiple URL filtering levels, so that
GreenNet subscribers can choose them. The existing URL categories
are required during the setting of URL levels.
Operation location: RM9000 PMS.

Action: Add GreenNet and log sending services
Description: Add a GreenNet service to allow the users to customize it and add the
log sending service to send URL filtering and network application
filtering logs to the emails of the users.
Operation location: RM9000 PMS.

Action: Add the PMS and synchronize its configuration
Description: Specifying a policy server (the RM9000 PMS) for communicating
with the Portal and synchronizing the PMS configuration information
(such as user information) to the Portal.
Operation location: RM9000 Service Select Portal (SSP)

Action: Use the password with high permissions to log in to the configuration interface
Description: After logging in to the RM9000 SSP with the user account, you can
query only the control information about the online behaviors of the
account. To control the online behaviors of the account, you need to
use the password with high permissions to log in to the configuration
interface.
Operation location: RM9000 SSP.

Action: Enable GreenNet and log sending services
Description: Users must enable the GreenNet service before using the service. If
the users need to receive the logs, they must enable the log sending
service.
Operation location: RM9000 SSP.

Action: Configure URL filtering
Description: A carrier provides multiple URL filtering levels. The user can set the
corresponding URL level as desired. In this case, existing URL
categories are required.
Operation location: RM9000 SSP.

Action: Configure the URL blacklist and whitelist
Description: This action is not required when the URL blacklist and whitelist are
unnecessary.
The user can define URL blacklist and whitelist, thus blocking URLs
in the blacklist and allowing URLs in the whitelist through. In this
case, existing URL categories are required.
Operation location: RM9000 SSP.
Action: Configure network application filtering
Description: This action is not required in the case of no control over network
applications.
This action is to configure policies for controlling corresponding
network applications. In this case, existing GreenNet protocol groups
are required.
Operation location: RM9000 SSP.

Action: Set the log sending function
Description: This action is required when URL filtering logs and network
application filtering logs need to be periodically sent through emails.
Operation location: RM9000 SSP.
Prerequisites
Requirements are as follows:
l The UHC and UCDB configurations are complete. For details, see Configuring Back-End
Servers and Configuring the UCDB in HUAWEI SIG9800 Service Inspection Gateway
Commissioning Guide.
l 4.2 Configuring the Subscriber is complete, and the account (user1-gnet) of the
subscriber is added.
l The current user has the Value-added Service service permission.
l The current user has the permission to operate the RM9000 PMS and RM9000 SSP.
NOTE
To learn more about the RM9000, refer to related technical documents provided by the corresponding
vendor.
Requirement Description
NOTE
When interworking with the RM9000, the SIG cannot control online duration.
The carrier needs to configure and apply the GreenNet service. Figure 9-4 shows the networking.
[Figure 9-4: networking diagram; labels: Users, DSLAM, BRAS, Front End, Backbone Router of MAN, DPI System]
A carrier provides the GreenNet service for users accessible to the Internet, and delivers the
following:
CAUTION
In the following steps, Step 1 to Step 13 are performed by data configuration engineers; Step
14 to Step 21 are performed by the parent on account user1-gnet.
Procedure
Step 1 Log in to the Front End of the SIG.
2. Configure the policy for the first packet of HTTP request packets as cache. That is, when
the SPS does not have the category cache, the SPS caches the HTTP request packets.
[Sysname-dpi-node] url-filter no-cache action hold
The preferential matching sequence of URL policies is the URL whitelist, user policy, and
link policy in descending order.
[Sysname-dpi-node] url-filter policy flow-content url-whitelist priority
[Sysname-dpi-node] url-filter policy inspect-object user priority
When the policy for a URL category is configured as alarm, you need to set the URL of the alarm page
pushed to the user.
1. In the navigation tree, choose Value-added Service > GreenNet > Alarm URL
Management.
2. Select Alarm URL Type from Specify Alarm URL.
3. Select Domain Name Mode from Specify Alarm URL.
4. Enter www.warning.com in Alarm URL.
5. Click OK.
CAUTION
To enable the GreenNet service, you need to add all related URL categories as GreenNet ones.
1. In the navigation tree, choose Value-added Service > GreenNet > GreenNet URL
Category Management.
2. Click Add, and select URL categories Sports, Computing, Vulgar, Pornography &
Violence, Search Engines & Portals, Education, and News & Media.
3. Click OK.
Before sending URL filtering logs and network application filtering logs to users' mailboxes,
you need to configure the mail server.
1. In the navigation tree, choose Basic Configuration > User Message Configuration >
Value-added Service Mail Server Configuration.
2. Set parameters. Figure 9-6 shows parameter settings.
NOTE
If the mail server is configured with identity identification, you need to set the user name and password
of the mail server on this page. Otherwise, mails cannot be sent.
3. Click OK.
NOTE
After the installation is complete, the default user name and password of the administrator of the
RM9000 PMS are admin and huawei respectively.
3. Click Login.
Step 9 Add a device and set the URL level.
1. In the navigation tree, choose Service Management > Device > Device.
2. Click Add. Add device SIG, with its IP address and port number the same as those of the
SIG BIS. Figure 9-8 shows the configuration interface.
NOTE
l If you do not know the IP address of the SIG BIS, log in to the EMS to query it (refer to
Logging In to the EMS). Choose Resources > NE Discovery > Discovered NEs. Search for a device
whose Model is SIG Server among the discovered devices. Then, check the device name and
record the virtual IP address of the BIS.
l Enter a numeral ranging from 1 to 100 in PRI.
l SIG Port No. indicates the port number of the BIS, and is set to 838.
3. Click OK.
4. Set URL levels.
Select the added device, and click URL Level to add an URL level, as shown in Figure
9-9. Click OK.
The configurations of URL levels level2, level3, and level4 are consistent with that of URL
level level1.
l URL level level2 indicates allowing the URLs of Search Engines & Portals and News
& Media categories through.
l URL level level3 indicates allowing the URLs of Search Engines & Portals, News &
Media, and Computing categories through.
l URL level level4 indicates allowing the URLs of Search Engines & Portals, News &
Media, Computing, and Sports categories through.
Step 10 Add GreenNet and log sending services.
1. In the navigation tree, choose Service Management > Service > Service.
2. Add a GreenNet service.
a. Click Add, and then select service template Default_PC. Figure 9-10 shows the
configuration interface.
b. Click Next, and then set Name to Gnet. Other parameters remain the default values.
Figure 9-11 shows the configuration interface.
c. Click Finish.
3. Add the log sending service.
a. Click Add, and then select service template Default_LogSend_Service. Figure
9-12 shows the configuration interface.
b. Click Next, and then set Name to logsend. Other parameters remain the default values.
Figure 9-13 shows the configuration interface.
c. Click Finish.
Step 11 Add a user.
1. In the navigation tree, choose Service Management > Subscriber > Subscriber.
2. Click Add. Add user user1-gnet. Figure 9-14 shows the configuration interface.
Note: Parameter High-rights Password indicates the password specified by the parent on
the Portal Web site for controlling the online behaviors of children's account user1-gnet.
3. Click OK.
Step 12 Log in to the RM9000 SSP as the administrator.
1. Open login URL http://128.18.30.44/portal/admin/.
2. Enter values in User Name, Password, and Verify Code. Figure 9-15 shows the
configuration interface.
NOTE
After the installation is complete, the default user name and password of the administrator of the
RM9000 SSP are admin and huawei respectively.
3. Click Login.
Step 13 Add the PMS, and synchronize its configuration.
1. In the navigation tree, choose Configuration Management > Policy Server.
2. Add the PLS. Figure 9-16 shows the configuration interface.
The IP address and port number of the PLS are those of the RM9000 PMS. For example,
if the URL of the RM9000 PMS is http://110.64.2.1:8080/RM9000, the IP address and
port number are 110.64.2.1 and 8080 respectively.
3. Click Save.
4. Click Synchronize to synchronize the PMS configuration information (such as user
information) with that on the Portal.
NOTE
After modifying the service or user information on the RM9000 PMS, you should click
Synchronize on the RM9000 SSP to synchronize the information.
The name for login is account name user1-gnet, and the password is that adopted by user user1-
gnet for dial-up access.
Figure 9-17 Logging in to the RM9000 SSP with user account user1-gnet
3. Click Login.
Step 15 Use the password with high rights to log in to the configuration interface.
NOTE
After logging in to the RM9000 SSP with user account user1-gnet, you can query only the control
information about the online behaviors of the account. To control the online behaviors of the account, you
need to use the password with high rights to log in to the configuration interface.
Enter the password with high rights in High-rights Control, and click Enter. Figure 9-18 shows
the configuration interface.
Figure 9-18 Logging in to the configuration interface with the highest-right password
that for Default Control Model is set to Warn, the access to all URLs except those of the
search engines and portals are redirected to the warning page.
3. Click OK.
4. Click Back, and then click OK in the pop-up dialog box.
5. Click Activate in the URL Filter group box to activate URL filtering.
3. Click OK.
3. Click OK.
4. Click Back, and then click OK in the pop-up dialog box.
5. Click Activate in the Black List group box to enable the URL blacklist.
Step 20 Configure network application filtering.
1. In the navigation tree, choose My Services > Gnet.
2. In the APP Filter group box, click Set.
3. Select Yes from Enable Time Slice.
4. Click Add, select Item, and then configure filtering policies for network applications.
Figure 9-24 shows the interface.
Figure 9-24 Configuring time-based policy item1 for network application filtering
5. Click OK.
6. Click Add, select the second Item, and then configure filtering policies for network
applications. Figure 9-25 shows the interface.
Figure 9-25 Configuring time-based policy item2 for network application filtering
7. Click OK.
8. Click Back, and then click OK in the pop-up dialog box.
9. Click Activate in the APP Filter group box to enable network application filtering.
Step 21 Set the log sending function.
1. In the navigation tree, choose My Services > logsend.
2. In the logsend group box, click Set.
3. Set parameters. Figure 9-26 shows parameter settings.
Note the following during the configuration:
4. Click OK.
5. Click Back, and then click OK in the pop-up dialog box.
6. Click Activate in the logsend group box to enable network application filtering.
----End
Follow-up Procedure
In the navigation tree, choose Value-added Service > GreenNet > GreenNet Subscriber
Management. The administrator can view and export information about users subscribing to
the GreenNet service, for example, user account, area, URL filtering policy, application control
policy, and duration control information.
9.3.1 Overview
This describes all reports of the GreenNet service.
Data configuration engineers can query the URL and application blocking reports of GreenNet
subscribers on the SIG. Reports can be classified into the following types:
Through the report, you can view the application blocking log (including the application
name, time, and blocking times) of a specified subscriber, based on conditions such as the
time range.
l URL Blocking Log of Very Important Customer
Through the report, you can view the URL blocking log (including the URL, URL category,
blocking times, and time) of a specified VIC, based on conditions such as the URL category
and time range.
l Application Blocking Log of Very Important Customer
Through the report, you can view the application blocking log (including the application
name, time, and blocking times) of a specified VIC, based on conditions such as the time
range.
NOTE
Data configuration engineers can also provide the log query service, and thus increase the revenue.
GreenNet subscribers subscribing to the service can query URL and application blocking logs on the Portal.
For example, the carrier can periodically send GreenNet reports to the mailboxes of corresponding
subscribers or VICs through mails.
Prerequisites
Requirements are as follows:
Procedure
Step 1 Log in to the Front End of the SIG.
Step 2 Make sure that the service module sends URL service logs and application service logs to the
DAS.
By default, the service module of the SPU sends URL service logs and application service logs
to the DAS.
If the function of sending URL service logs and application logs is disabled, you need to enable
the function through the service-log command.
# Configure the service log so that the logs sent to the data analysis server are the logs of the
URL service and application service of the Green Net service.
<Sysname> system-view
[Sysname] dpi-node
[Sysname-dpi-node] service-log green-net url enable
[Sysname-dpi-node] service-log green-net application enable
Step 4 In the navigation tree, choose Statistics and Analysis Report > GreenNet. Then select the
reports to be queried as required.
l If selecting Save Query Conditions before querying reports, you do not need to enter query conditions
for the next query.
l To apply the report function for timed tasks, click Timed Task. For details, see 21.4 Managing Timed
Task Reports.
To save time for other operations, click Background Implementation. For details, see 21.5 Managing
Background Task Reports.
On the report query interface, you can export reports in different formats:
----End
Report Navigation
You can click the following links to view the report examples.
NOTE
The information in the following examples is subject to change without notice.
l Statistics and Analysis Report > GreenNet > Subscriber > URL Blocking Log
l Statistics and Analysis Report > GreenNet > Subscriber > Application Blocking Log
l Statistics and Analysis Report > GreenNet > Very Important Customer > URL
Blocking Log
l Statistics and Analysis Report > GreenNet > Very Important Customer > Application
Blocking Log
Statistics and Analysis Report > GreenNet > Subscriber > URL Blocking Log
Through this report, you can view the blocking of subscribers' malicious URLs within a given
time segment.
Figure 9-27 shows a report screenshot of the blocking of a subscriber's malicious URLs.
Statistics and Analysis Report > GreenNet > Subscriber > Application Blocking
Log
Through this report, you can view the blocking of subscribers' network applications within a
given time segment.
Figure 9-28 shows a report screenshot of the blocking of a subscriber's network applications.
Statistics and Analysis Report > GreenNet > Very Important Customer > URL
Blocking Log
Through this report, you can view the blocking of VICs' malicious URLs within a given time
segment.
Figure 9-29 shows a report screenshot of the blocking of a VIC's malicious URLs.
Figure 9-29 Example of the URL blocking log (Very Important Customer)
Statistics and Analysis Report > GreenNet > Very Important Customer >
Application Blocking Log
Through this report, you can view the blocking of VICs' network applications within a given
time segment.
Figure 9-30 shows a report screenshot of the blocking of a VIC's network applications.
Figure 9-30 Example of the application blocking log (Very Important Customer)
Specific network traffic (such as email, VoIP, P2P, and HTTP video traffic) that attracts user
attention is mirrored (copied and forwarded) by the SIG. Then traffic is saved in a third-party
system which further analyzes or caches the traffic. Alternatively, the traffic is diverted
(forwarded directly) by the SIG to a third-party system. After processing, the third-party system
then injects the traffic to the network through the SIG.
Traffic Mirroring
The SIG identifies network traffic, copies the packets of the specified type as
required, and forwards the copies to the given third-party system such as the iCache system.
Then the third-party system further analyzes or caches the traffic. In this way, traffic mirroring
is implemented. Traffic mirroring does not affect the original traffic direction of the packet.
Typical application examples are as follows:
l Configure a mirroring policy for the Simple Mail Transfer Protocol (SMTP) traffic and
VoIP traffic in a specified link and store the traffic for query, monitoring SMTP mails and
VoIP services.
l Configure a mirroring policy for the HTTP video traffic and P2P traffic in a specified link
and mirror user access requests to the third-party cache system to accelerate
downloads on the network.
Figure 10-1 shows the typical networking of traffic mirroring.
[Figure 10-1: typical networking of traffic mirroring; labels: Users, BRAS, DPI system, Backbone router of the MAN, Analysis system, Cache system, Service traffic, Mirrored traffic]
The Front End of SIG mainly realizes the following functions in the traffic mirroring service:
1. Abstract and mirror the traffic matching the mirroring group policy.
2. Replace the destination MAC address.
3. Mirror the traffic matching the policy to the third-party device.
Traffic Diversion
With the traffic diversion function, the SIG identifies network traffic, and forwards the specified
type of packets to the third-party system (the VAS in the following). Then the VAS further
analyzes and processes the traffic, and injects the processed packets to the Front End of the
SIG. Finally, the Front End sends the packets back to the network. The VAS is generally a cache
system or virus removing system.
l Configure the diversion policy for the HTTP video traffic and P2P traffic in a specified
area and redirect user access requests to the VAS (such as the iCache system), realizing
accelerated download on networks.
l On a wireless network, divert SMTP, POP3, HTTP, and MMS traffic to the VAS, enabling
the anti-virus function of mobile phones.
l Single diversion
The traffic processed by the VAS is injected to the network by the Front End of the SIG.
Figure 10-2 shows the networking diagram.
[Figure 10-2: networking diagram of single diversion; labels: inside, outside, Users, Back End, DPI System, Upstream traffic, Downstream traffic, Injected traffic]
[Figure: networking diagram with interface pairs inside1/outside1 to inside n/outside n; labels: Users, BRAS, Front End, Backbone router of the MAN, Back End, DPI System, Upstream traffic, Downstream traffic, Injected traffic]
The Front End of the SIG can be connected to the VAS directly or with a switch which realizes the
multiplexing of ports.
Traffic mirroring: Replicates a copy of the network traffic and sends the copy of the
traffic to third-party systems. The processed traffic does not pass through the SIG
Front End and is forwarded to intranet users by other network devices such as routers.
10.2.1 Overview
This describes the basic concepts of the traffic mirroring service.
l Only the Ethernet interface on the LPU can be configured as the mirroring port, which means
that 1GE and 10GE interfaces can serve as mirroring interfaces.
l A maximum of forty mirroring ports can be configured on one device.
l The management interface (specified with an IP address), data detection interface (configured
with a link), diversion interface, and cascade interface cannot be added to the mirroring group as
the mirroring port.
l Mirroring Group
A mirroring group consists of multiple mirroring ports. They are on different devices, or
in different clusters of the front end (on the premise that the clusters of the front end share
one back end). The policy can take effect for all clusters of the front end (corresponding to
the back end) when configured for a mirroring group on the GUI of the back end.
The SIG system has eight default mirroring groups. A maximum of 40 mirroring interfaces
can be configured in one mirroring group. You must add the interfaces of a Front End to
mirroring groups, and associate the mirroring groups with mirroring policies configured
on the Back End. The Front End replicates the packets that match the mirroring policies,
and sends the packets to third-party analysis devices through the interfaces in the mirroring
groups according to the mirroring policies. If a group contains no interface, the group cannot
mirror any traffic.
l Mirroring Group ID
Each Front End of the SIG supports eight mirroring groups, each of which corresponds to
one ID (from 1 to 8).
l Replacing the Destination MAC Address
According to the live network, you need to confirm whether to enable the function of the
destination MAC address replacement.
– When the mirroring port is directly connected to the third-party device through Ethernet
cables, you do not need to configure the destination MAC address replacement function.
– When the mirroring port is connected to the third-party device through a Layer-2 device,
you should enable the destination MAC address replacement function and set the
destination MAC address.
l IP Protocol Type
– TCP
– UDP
– ICMP
– All: contains TCP, UDP, ICMP, and all other IP-layer protocols.
l Remote IP
The remote IP address is the external IP address. The relations between the remote IP
address and the traffic direction are as follows:
– If the traffic direction is set to upstream and the remote IP address is specified, the
system mirrors the traffic that passes through the Front End of the SIG and is destined
for the remote IP address.
– If the traffic direction is set to downstream and the remote IP address is specified, the
system mirrors the traffic that passes through the Front End of the SIG and originates
from the remote IP address.
– If the traffic direction is set to bidirectional and the remote IP address is specified, the
system mirrors the downstream traffic originating from the remote IP address and the
upstream traffic destined for the remote IP address that pass through the Front End
of the SIG.
l Port
– Port used to match traffic of a specified type of service. For example, the administrator
can set the port to 80, indicating that only the HTTP traffic is mirrored.
– The remote port of upstream packets is the destination port and that of downstream
packets is the source port.
l Feature character
– If the feature character is not configured, the SIG Front End mirrors all the packets of
the traffic flow that matches the mirroring condition.
– If the feature character is configured, the SIG Front End inspects the first ten packets
of the traffic flow:
– If the first ten packets do not match the feature character, the entire flow is not
mirrored.
– If one or multiple packets of the first ten packets match the configured feature
character, the SIG Front End mirrors only the first packet that matches the feature
character.
The feature character offset is used to set from which byte a packet is inspected. The feature
character can either be hexadecimal or a character string.
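The match conditions above (direction, IP protocol type, remote IP, remote port, feature character) can be modelled to predict which packets of a flow a policy item copies to the mirroring group. This is an added example, not code from the SIG or from Huawei: the Packet and MirrorItem types and the sample flows are constructed, and it assumes that the feature character is searched in the payload from the offset byte onward and that the ten-packet window counts every packet of the flow.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

INSPECT_LIMIT = 10  # only the first ten packets of a flow are inspected


@dataclass
class Packet:                       # hypothetical packet record
    direction: str                  # "upstream" or "downstream"
    protocol: str                   # "TCP", "UDP", "ICMP", ...
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class MirrorItem:                   # hypothetical model of one mirroring policy item
    direction: str = "bidirectional"              # or "upstream" / "downstream"
    protocol: str = "All"                         # or "TCP" / "UDP" / "ICMP"
    remote_range: Optional[Tuple[str, str]] = None  # first and last external address
    remote_port: Optional[int] = None
    feature: Optional[bytes] = None               # feature character as bytes
    offset: int = 0                               # byte from which inspection starts


def feature_bytes(text: str, is_hex: bool = False) -> bytes:
    """The feature character is either a hexadecimal value or a character string."""
    return bytes.fromhex(text) if is_hex else text.encode("ascii")


def header_match(item: MirrorItem, pkt: Packet) -> bool:
    """Direction, protocol, remote IP and remote port conditions."""
    if item.direction not in ("bidirectional", pkt.direction):
        return False
    if item.protocol not in ("All", pkt.protocol):
        return False
    # Remote side: destination of upstream packets, source of downstream packets.
    if pkt.direction == "upstream":
        ip, port = pkt.dst, pkt.dport
    else:
        ip, port = pkt.src, pkt.sport
    if item.remote_range is not None:
        first, last = (ip_address(a) for a in item.remote_range)
        if not first <= ip_address(ip) <= last:
            return False
    return item.remote_port is None or port == item.remote_port


def mirrored(item: MirrorItem, flow: List[Packet]) -> List[int]:
    """Indexes of the packets of one flow that are copied to the mirroring group."""
    if item.feature is None:
        # No feature character: every packet that meets the conditions is mirrored.
        return [i for i, p in enumerate(flow) if header_match(item, p)]
    for i, p in enumerate(flow[:INSPECT_LIMIT]):
        if header_match(item, p) and p.payload.find(item.feature, item.offset) != -1:
            return [i]      # only the first packet that matches the feature
    return []               # no match within the first ten packets: nothing mirrored


# Constructed sample flows (addresses and payloads are made up for the example).
USER, SERVER = "10.0.0.5", "1.1.1.10"


def up(payload: bytes = b"") -> Packet:
    return Packet("upstream", "TCP", USER, 40000, SERVER, 80, payload)


def down(payload: bytes = b"") -> Packet:
    return Packet("downstream", "TCP", SERVER, 80, USER, 40000, payload)


HTTP_FLOW = [up(), down(), up(), up(b"GET /video.flv HTTP/1.1\r\n"), down(b"HTTP/1.1 200 OK\r\n")]
LATE_FLOW = [up(b"\x00" * 4)] * 10 + [up(b"GET /late HTTP/1.1\r\n")]

if __name__ == "__main__":
    get_only = MirrorItem(protocol="TCP", remote_port=80, feature=feature_bytes("GET "))
    print("port 80, upstream :", mirrored(MirrorItem("upstream", "TCP", remote_port=80), HTTP_FLOW))
    print("feature 'GET '    :", mirrored(get_only, HTTP_FLOW))
    print("feature too late  :", mirrored(get_only, LATE_FLOW))
```

With a feature character configured, the analysis system receives a single packet per flow, so a policy meant to capture whole sessions must leave the feature character empty.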
[Flowchart: Start; decision "Is the mirroring interface directly connected to the third-party device through Ethernet cables?" with Yes and No branches; End. Label: Front End of the DPI system]
Action: Configure the mirroring interface
Description: The mirroring interface is the egress of the traffic matching the
mirroring policy. The mirroring interface should be configured on the
Front End through commands.
Operation location: Front End of the SIG.

Action: Configure the destination MAC address replacement
Description: You need to confirm whether to enable the destination MAC address
replacement according to the current network environment.
l When the mirroring interface is directly connected to the third-party
device through Ethernet cables, you do not need to configure the
destination MAC address replacement.
l When the mirroring interface is connected to the third-party device
through a Layer-2 device, you should enable the destination MAC
address replacement and set the destination MAC address.
By default, the destination MAC address replacement is disabled.
Operation location: Front End of the SIG.

Action: Add a mirroring policy package
Description: A policy package can contain one or multiple policy items.
Operation location: back-end UI of the SIG. In the navigation tree,
choose Traffic Management > Mirror/Divert > Mirror/Divert Policy Package Management.

Action: Apply the mirroring policy package
Description: Apply the added policy package to service objects.
Operation location: back-end UI of the SIG.
l In the navigation tree, choose Subscriber and Network
Management > Network > Physical Link Management > Link
Policy Application.
l In the navigation tree, choose Subscriber and Network
Management > Subscriber > Policy Application.
l In the navigation tree, choose Subscriber and Network
Management > Very Important Customer > Policy
Application.
Prerequisites
Requirements are as follows:
l 4.4 Configuring the Link is complete, and link 1G-80-2-link_2 passes through the Front
End of the SIG.
l The current user has the Traffic Management service permission.
Requirement Description
The carrier needs to configure and apply traffic mirroring. Figure 10-5 shows the networking.
[Figure 10-5: networking diagram; labels: Router, Third-party device, Link: 1G-80-2-link_2, Mirroring interface: GE3/0/1, DPI system, Mirrored traffic, Users]
The Front End of the SIG is directly connected to the Back End through the management
interface. The system mirrors the VoIP traffic (on the external IP address segment from 1.1.1.1
to 1.1.1.254) passing through the Front End of the SIG.
Traffic goes along link 1G-80-2-link_2 through the Front End of the SIG; interface 0 of the LPU
in slot 3 enables normal communications between the Front End and the Back End of the SIG;
interface 1 of the LPU in slot 3 mirrors VoIP traffic to the third-party system, and this interface
belongs to mirroring group 1.
Procedure
Step 1 Log in to the Front End of the SIG.
4. Click OK.
----End
Prerequisites
Requirements are as follows:
l 4.4 Configuring the Link is complete, and link 1G-80-2-link_2 passes through the Front
End of the SIG.
l The current user has the Traffic Management service permission.
Requirement Description
The carrier needs to configure and apply traffic mirroring. Figure 10-8 shows the networking.
[Figure 10-8: networking diagram; labels: Router, Back End, Link: 1G-80-2-link_2, BRAS, Analysis system (MAC address: 00E0-FC53-A1C2), Service traffic, Mirrored traffic 1, Mirrored traffic 2, Users]
The Front End of the SIG is connected to the Back End through a switch. The system mirrors
P2P traffic from the upstream and downstream, and mirrors HTTP traffic from the upstream
traffic passing through the Front End.
Switch A is divided into three VLANs, namely, VLAN1, VLAN2, and VLAN3. The
management interface on the Front End of the SIG resides on VLAN1 with the Back End;
mirroring interface 1 resides on VLAN2 with the cache system; mirroring interface 2 resides on
VLAN3 with the analysis system.
Traffic goes along link 1G-80-2-link_2 through the Front End of the SIG; interface 0 of the LPU
in slot 3 enables normal communications between the Front End and the Back End of the SIG;
interface 1 of the LPU in slot 3 mirrors upstream and downstream P2P traffic to the cache system,
and this interface belongs to mirroring group 1; interface 2 of the LPU in slot 3 mirrors upstream
HTTP traffic to the analysis system, and this interface belongs to mirroring group 2.
Procedure
Step 1 Log in to the Front End of the SIG.
Step 2 Configure GigabitEthernet 3/0/1 as mirroring interface 1, and add it to mirroring group 1.
<Sysname> system-view
[Sysname] interface GigabitEthernet 3/0/1
[Sysname-GigabitEthernet3/0/1] dpi-node mirror group-number 1
Step 3 Enable the destination MAC address replacement of mirroring interface 1, and set the destination
MAC address to 00A0-7C5E-A1E2.
[Sysname-GigabitEthernet3/0/1] dpi-node mirror replace ethernet destination-mac enable
[Sysname-GigabitEthernet3/0/1] dpi-node mirror replace destination-mac 00A0-7C5E-A1E2
[Sysname-GigabitEthernet3/0/1] quit
Step 4 Configure GigabitEthernet 3/0/2 as mirroring interface 2, and add it to mirroring group 2.
[Sysname] interface GigabitEthernet 3/0/2
[Sysname-GigabitEthernet3/0/2] dpi-node mirror group-number 2
Step 5 Enable the destination MAC address replacement of mirroring interface 2, and set the destination
MAC address to 00E0-FC53-A1C2.
[Sysname-GigabitEthernet3/0/2] dpi-node mirror replace ethernet destination-mac enable
[Sysname-GigabitEthernet3/0/2] dpi-node mirror replace destination-mac 00E0-FC53-A1C2
[Sysname-GigabitEthernet3/0/2] quit
6. Click OK.
7. Select mirror from Item Type and click Add.
8. Set the parameters of policy item http in the dialog box that is displayed. Figure 10-10
shows parameter settings.
4. Click OK.
----End
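The interface commands of Step 2 to Step 5 can be checked offline against the limits stated in 10.2.1 (group IDs 1 to 8, at most forty mirroring ports, replacement enabled together with a destination MAC when a Layer-2 device sits in between), and against the recorded MAC address of the receiving system so that copies of subscriber traffic are not delivered to another host on the VLAN. The linter below is an added example, not a Huawei tool: the function names, finding codes and the faulty transcript are constructed, and it recognises only the three dpi-node mirror commands shown in this procedure.

```python
import re

MAX_GROUP_ID = 8        # mirroring group IDs run from 1 to 8
MAX_MIRROR_PORTS = 40   # at most forty mirroring ports on one device
PROMPT = re.compile(r"^\s*(?:\[[^\]]*\]|<[^>]*>)\s*")   # "[Sysname-...]" or "<Sysname>"
MAC = re.compile(r"^[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}$")

# Commands of Step 2 to Step 5 from this procedure, with wrapped lines joined.
PAGE_TRANSCRIPT = """\
<Sysname> system-view
[Sysname] interface GigabitEthernet 3/0/1
[Sysname-GigabitEthernet3/0/1] dpi-node mirror group-number 1
[Sysname-GigabitEthernet3/0/1] dpi-node mirror replace ethernet destination-mac enable
[Sysname-GigabitEthernet3/0/1] dpi-node mirror replace destination-mac 00A0-7C5E-A1E2
[Sysname-GigabitEthernet3/0/1] quit
[Sysname] interface GigabitEthernet 3/0/2
[Sysname-GigabitEthernet3/0/2] dpi-node mirror group-number 2
[Sysname-GigabitEthernet3/0/2] dpi-node mirror replace ethernet destination-mac enable
[Sysname-GigabitEthernet3/0/2] dpi-node mirror replace destination-mac 00E0-FC53-A1C2
[Sysname-GigabitEthernet3/0/2] quit
"""

# Constructed transcript with deliberate mistakes (not from the guide).
FAULTY_TRANSCRIPT = """\
[Sysname] interface GigabitEthernet 3/0/3
[Sysname-GigabitEthernet3/0/3] dpi-node mirror group-number 9
[Sysname-GigabitEthernet3/0/3] dpi-node mirror replace ethernet destination-mac enable
[Sysname-GigabitEthernet3/0/3] quit
[Sysname] interface GigabitEthernet 3/0/4
[Sysname-GigabitEthernet3/0/4] dpi-node mirror group-number 2
[Sysname-GigabitEthernet3/0/4] dpi-node mirror replace destination-mac 00E0-FC53-A1C3
[Sysname-GigabitEthernet3/0/4] quit
"""


def parse_mirror_config(transcript):
    """Return {interface: {"group": str|None, "replace": bool, "mac": str|None}}."""
    ports, current = {}, None
    for raw in transcript.splitlines():
        words = PROMPT.sub("", raw).split()
        if not words:
            continue
        if words[0] == "interface":
            current = "".join(words[1:])    # "GigabitEthernet 3/0/1" -> "GigabitEthernet3/0/1"
        elif words[0] == "quit":
            current = None
        elif current and words[:2] == ["dpi-node", "mirror"]:
            port = ports.setdefault(current, {"group": None, "replace": False, "mac": None})
            args = words[2:]
            if len(args) == 2 and args[0] == "group-number":
                port["group"] = args[1]
            elif args == ["replace", "ethernet", "destination-mac", "enable"]:
                port["replace"] = True
            elif len(args) == 3 and args[:2] == ["replace", "destination-mac"]:
                port["mac"] = args[2].upper()
    return ports


def lint(ports, via_layer2=(), expected_mac=None):
    """Return sorted (interface, finding code) pairs; an empty list means no finding."""
    expected_mac = expected_mac or {}
    findings = []
    if sum(1 for p in ports.values() if p["group"] is not None) > MAX_MIRROR_PORTS:
        findings.append(("device", "TOO_MANY_PORTS"))
    for name, p in sorted(ports.items()):
        group = p["group"]
        if group is None:
            findings.append((name, "NO_GROUP"))
        elif not (group.isdigit() and 1 <= int(group) <= MAX_GROUP_ID):
            findings.append((name, "GROUP_RANGE"))
        if p["replace"] and p["mac"] is None:
            findings.append((name, "REPLACE_NO_MAC"))       # enabled, but no MAC to write
        if p["mac"] is not None and not p["replace"]:
            findings.append((name, "MAC_NOT_ENABLED"))      # MAC set, replacement still off
        if p["mac"] is not None and not MAC.match(p["mac"]):
            findings.append((name, "MAC_FORMAT"))
        if name in via_layer2 and not p["replace"]:
            findings.append((name, "L2_NO_REPLACE"))        # Layer-2 device in the path
        want = expected_mac.get(name)
        if want and p["mac"] and p["mac"] != want.upper():
            findings.append((name, "MAC_MISMATCH"))         # copies would reach another host
    return findings


if __name__ == "__main__":
    l2 = {"GigabitEthernet3/0/1", "GigabitEthernet3/0/2", "GigabitEthernet3/0/4"}
    inventory = {"GigabitEthernet3/0/2": "00E0-FC53-A1C2", "GigabitEthernet3/0/4": "00E0-FC53-A1C2"}
    for label, text in (("page", PAGE_TRANSCRIPT), ("faulty", FAULTY_TRANSCRIPT)):
        print(label, lint(parse_mirror_config(text), l2, inventory))
```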
10.3.1 Overview
This describes the basic concepts of the traffic diversion service.
The traffic processed by the VAS (generally the cache system or the virus removing system)
is injected to the intranet through the inside interface, and to the extranet through the outside
interface.
NOTE
l Only the Ethernet interface on the LPU can be configured as the diversion one.
l A maximum of eight pairs of inside and outside interfaces can be configured on one device.
l The interface that is assigned an IP address or the data monitoring interface cannot serve as the
diversion interface.
l The interface that is configured as the mirroring interface cannot serve as the diversion interface.
l VLAN ID
Traffic passing through the Front End of the SIG is diverted to different VASs by means
of VLAN IDs.
For example, you can configure multiple diversions. The VAS1 belongs to VLAN 100 and
the VAS2 belongs to VLAN 200. On the UI of the SIG, configure the diversion policy item,
enter 100,200 in VLANID, and apply the policy. In this way, traffic is diverted to the VAS1
and VAS2.
l IP Protocol Type
– TCP
– UDP
– ICMP
– All: contains TCP, UDP, ICMP, and all other IP-layer protocols.
l Remote IP
The remote IP address is the external IP address. The relations between the remote IP
address and the traffic direction are as follows:
– If the traffic direction is set to upstream and the remote IP address is specified, the
system diverts the traffic that passes through the Front End of the SIG and is destined
for the remote IP address.
– If the traffic direction is set to downstream and the remote IP address is specified, the
system diverts the traffic that passes through the Front End of the SIG and originates
from the remote IP address.
– If the traffic direction is set to bidirectional and the remote IP address is specified, the
system diverts the traffic that passes through the Front End of the SIG, and is destined
for or originates from the remote IP address.
l Port
– Port used to match traffic of a specified type of service. For example, the administrator
can set the port to 80, indicating that only the HTTP traffic is mirrored.
– The remote port of upstream packets is the destination port and that of downstream
packets is the source port.
Action: Configure the diversion interfaces (inside interface and outside interface) and peer VAS
Description: The diversion interface is the egress of the traffic matching the
diversion policy. To configure the diversion interface, you need to
specify the peer VAS for communicating with the Front End.
Operation location: Front End of the SIG.

Action: Add a diversion policy package
Description: A policy package can contain one or multiple policy items.
Operation location: back-end UI of the SIG. In the navigation tree,
choose Traffic Management > Mirror/Divert > Mirror/Divert Policy Package Management.

Action: Apply the diversion policy package
Description: Apply the added policy package to service objects.
Operation location: back-end UI of the SIG.
l In the navigation tree, choose Subscriber and Network
Management > Network > Physical Link Management > Link
Policy Application.
l In the navigation tree, choose Subscriber and Network
Management > Subscriber > Policy Application.
l In the navigation tree, choose Subscriber and Network
Management > Very Important Customer > Policy
Application.
Prerequisites
Requirements are as follows:
l 4.4 Configuring the Link is complete, and link 1G-80-2-link_2 passes through the Front
End of the SIG.
l Make sure that the predefined P2P service is available and correct.
l The current user has the Traffic Management service permission.
Requirement Description
The carrier needs to configure and apply traffic diversion. Figure 10-13 shows the networking.
[Figure 10-13: networking diagram. Users, BRAS, Front End with inside interface 2/0/0 and
outside interface 2/0/1 on link 1G-80-2-link_2, backbone router of the MAN, Back End (DPI
system); legend: upstream traffic, downstream traffic.]
The VAS is configured to work in transparent mode. Traffic goes along link 1G-80-2-link_2
through the Front End of the SIG. Interface 0 on the LPU in slot 2 is the inside interface and
interface 1 is the outside interface.
Upstream P2P traffic that passes through the Front End of the SIG and whose external IP address
segment ranges from 1.1.1.1 to 1.1.1.254 is diverted to the VAS by the inside interface and
downstream P2P traffic to the VAS by the outside interface.
Procedure
Step 1 Log in to the Front End of the SIG.
Step 3 Configure the diversion interfaces (inside interface and outside interface) and peer VAS.
[Sysname] interface GigabitEthernet 2/0/0
[Sysname-GigabitEthernet2/0/0] dpi-node divert inside
[Sysname-GigabitEthernet2/0/0] dpi-node vas-server 1 vlan 100
[Sysname-GigabitEthernet2/0/0] quit
[Sysname] interface GigabitEthernet 2/0/1
[Sysname-GigabitEthernet2/0/1] dpi-node divert outside
[Sysname-GigabitEthernet2/0/1] dpi-node vas-server 1 vlan 100
[Sysname-GigabitEthernet2/0/1] quit
4. Click OK.
----End
Prerequisites
Requirements are as follows:
l 4.4 Configuring the Link is complete, and link 1G-80-2-link_2 passes through the Front
End of the SIG.
l 22.1 Managing Flow Classifications and Flow Classification Items is complete, and
flow classification p2p_http is added, including predefined flow classification items P2P
and Web_browsing.
l The current user has the Traffic Management service permission.
Requirement Description
The carrier needs to configure and apply traffic diversion. Figure 10-16 shows the networking.
[Figure 10-16: networking diagram. Users, BRAS, Front End with interfaces inside1, outside1,
inside2 and outside2 on link 1G-80-2-link_2, backbone router of the MAN, Back End (DPI
system); legend: upstream traffic, downstream traffic.]
Both VAS1 and VAS2 work in transparent mode. Traffic goes along link 1G-80-2-link_2
through the Front End of the SIG. Interface 0 on the LPU in slot 1 is the inside1 interface,
interface 1 is the outside1 one, interface 2 is the inside2 one, and interface 3 is the outside2 one.
P2P traffic and HTTP traffic that pass through the Front End of the SIG are respectively diverted
to the VAS1 and VAS2. Upstream traffic is diverted by the inside interface and downstream
traffic by the outside interface.
Procedure
Step 1 Log in to the Front End of the SIG.
Step 2 Configure the transparent transmission mode for diversion packets.
<Sysname> system-view
[Sysname] dpi-node
[Sysname-dpi-node] divert transparence enable
[Sysname-dpi-node] quit
[Sysname]
Step 3 Configure the diversion interfaces (inside interface and outside interface) and peer VAS1 and
VAS2.
[Sysname] interface GigabitEthernet 2/0/0
[Sysname-GigabitEthernet2/0/0] dpi-node divert inside
[Sysname-GigabitEthernet2/0/0] dpi-node vas-server 1 vlan 100
[Sysname-GigabitEthernet2/0/0] quit
[Sysname] interface GigabitEthernet 2/0/1
[Sysname-GigabitEthernet2/0/1] dpi-node divert outside
[Sysname-GigabitEthernet2/0/1] dpi-node vas-server 1 vlan 100
[Sysname-GigabitEthernet2/0/1] quit
[Sysname] interface GigabitEthernet 2/0/2
[Sysname-GigabitEthernet2/0/2] dpi-node divert inside
[Sysname-GigabitEthernet2/0/2] dpi-node vas-server 2 vlan 200
[Sysname-GigabitEthernet2/0/2] quit
[Sysname] interface GigabitEthernet 2/0/3
[Sysname-GigabitEthernet2/0/3] dpi-node divert outside
4. Click OK.
----End
11 SmartBrowser Service
The SmartBrowser service delivers DNS error correction and HTTP error correction. It can
provide error correction messages and security defense for the online behaviors of subscribers.
Data configuration engineers can enable one or multiple functions as required.
NOTE
The SmartBrowser service can be applied to all customers in the local domain except VICs.
[Figure: SmartBrowser service networking. User, BRAS, DPI system (Front End and Back End),
Internet, Platform; legend: DNS packet, HTTP packet.]
to the domain name in the packet to that of the third-party platform (such as a search engine).
In this way, DNS error correction is implemented through the access to the third-party
platform.
Additionally, the system supports DNS error correction blacklist and whitelist. The details
are as follows:
– DNS error correction whitelist
Domain names in the whitelist are not corrected by the SIG. That is, during the access
to these domain names, the SIG directly replies packets to the user's browser.
– DNS error correction blacklist
Domain names in the blacklist are forcibly corrected by the SIG. That is, during the
access to these domain names, the SIG directly discards original packets and forges
response packets for DNS error correction to the browser, enabling users to access the
redirected Web site.
NOTE
A domain name cannot be added to both the blacklist and whitelist for DNS error correction.
If DNS error correction and overwriting are enabled simultaneously, packets match lists in priority
order (highest priority first), that is, DNS error correction whitelist, DNS overwriting list, and DNS
error correction blacklist.
l HTTP error correction
It monitors the HTTP response packet. If identifying that the packet complies with the
specified condition defined in the policy, the SIG forges an HTTP response packet (HTTP
redirection packet) to redirect the access to the third-party platform (such as a search
engine). Additionally, the original URL is employed as the search condition, realizing
HTTP error correction.
11.2.1 Overview
This describes the functions implemented through the configuration of the SmartBrowser
service.
The SmartBrowser service provides the following functions:
l DNS error correction
This function corrects identified error domain name packets. The system supports DNS
error correction blacklist and whitelist.
l HTTP error correction
This function monitors HTTP response packets and corrects them based on configurations.
NOTE
For DNS and HTTP error correction, the SIG can connect to a third-party portal system, so that terminal
users can flexibly enable or disable services.
NOTE
The SIG can connect to the third-party portal system, so that terminal users can flexibly enable or disable
DNS and HTTP error correction.
Action: Enable DNS error correction
Description: Enable DNS error correction. In this case, you should set the IP address of the
redirected platform (such as a search engine).
Operation page: In the navigation tree, choose Value-added Service > SmartBrowser > DNS Error
Correction Configuration.
Action: Add the DNS whitelist and blacklist
Description: Add DNS domain names to be corrected to the DNS blacklist and those not requiring
correcting to the DNS whitelist.
Operation page: In the navigation tree, choose Value-added Service > SmartBrowser > DNS Error
Correction Blacklist and Whitelist Management.
Action: Configure HTTP error correction
Description: Set the IP address or domain name, and content search mode of the redirected
platform (such as a search engine). Based on various HTTP labels and suffixes, HTTP error
correction can correct incorrect HTTP response packets.
Operation page: In the navigation tree, choose Value-added Service > SmartBrowser > HTTP Error
Correction Configuration.
Prerequisites
The current user has the Value-added Service service permission.
Requirement Description
The carrier hopes to provide the following services for all subscribers on the intranet.
l When subscribers enter incorrect domain names, the SIG automatically redirects DNS
requests to the third-party search system (suppose that the IP address is 10.1.1.1).
l The access to phishing Web sites (with a large number) should be denied and DNS error
correction should not be implemented on certain Web sites (with a small number).
Procedure
Step 1 Log in to the Back End of the SIG.
If Enable DNS Error Correction is selected, DNS error correction is enabled for all customers in
the local domain except VICs; if not, DNS error correction is enabled only for subscribers subscribing
to it on the portal.
3. Click Save.
Step 3 Import DNS error correction blacklist items in batches.
1. In the navigation tree, choose Value-added Service > SmartBrowser > DNS Error
Correction Blacklist and Whitelist Management.
2. In the DNS Rectify Blacklist group box, click Add.
3. In the pop-up dialog box, select Guide File. Download the template for the DNS error
correction blacklist, and enter related information according to the template. Figure 11-4
shows the configuration page.
----End
Prerequisites
The current user has the Value-added Service service permission.
Requirement Description
The carrier hopes to provide services for all subscribers on the intranet: When a subscriber uses
the HTTP service but the target server cannot find the Web page to be accessed, the SIG can
automatically redirect the HTTP access request to the third-party searching system such as
http://www.example.com, take the access content as the searching information for searching,
and then display the searching result. Details are as follows:
Procedure
Step 1 Log in to the Back End of the SIG.
1. In the navigation tree, choose Value-added Service > SmartBrowser > HTTP Error
Correction Configuration.
2. Set parameters according to Figure 11-6.
NOTE
If Enable HTTP Error Correction is selected, HTTP error correction is enabled for all customers
in the local domain except VICs; if not, HTTP error correction is enabled only for the user subscribing
to it on the portal.
3. Click Save.
----End
Table 11-2 shows important parameters for configuring the SmartBrowser service.
DNS Error Correction Configuration
Parameter: Enable DNS Error Correction
Description: Enable/Disable DNS error correction. If the check box is selected, it indicates
that DNS error correction is enabled. That is, the system corrects the identified packets whose
domain names are incorrect.
Setting: [Setting method] Select the check box.
Parameter: IP Address of the Platform
Description: To enable DNS error correction, this parameter should be specified. Enter the IP
address of a third-party platform (such as a search engine), using which the user can perform
DNS error correction for invalid DNS access through third-party platform.
Setting: [Setting method] Enter the IP address of the platform in the text box.
HTTP Error Correction Configuration
Parameter: Enable HTTP Error Correction
Description: Enable/Disable HTTP error correction. If the check box is selected, it indicates
that HTTP error correction is enabled. That is, the system monitors HTTP response packets and
implements error correction based on configurations.
Setting: [Setting method] Select the check box.
Parameter: IP Address, Domain name
Description: To enable HTTP error correction, either of two parameters should be specified.
Enter the IP address or domain name of a third-party platform (such as a search engine), using
which the user can perform HTTP error correction for invalid access through third-party
platform.
Setting: [Setting method] Select the IP address and domain name, and enter them in the text box.
Parameter: Parameter
Description: Set the format of the URL of the redirected third-party platform. Search contents
are replaced by the @dpi-param@ variable.
For example, the URL of the third-party platform is www.baidu.com. Suppose that the URL is
displayed as http://www.baidu.com/s?wd=www.sina.com.cn during the search of www.sina.com.cn
in www.baidu.com. In this case, Parameter should be set to s?wd=@dpi-param@.
Setting: [Setting method] Enter the item in the text box. [Example] s?wd=@dpi-param@
Parameter: HTTP Error Correction Label
Description: Select one or multiple HTTP labels where error correction should be enabled.
The following error correction labels are available:
l 400: Bad Request: indicates that the HTTP request cannot be resolved by the server due to
incorrect syntax.
l 403: Forbidden: indicates that the server can resolve the HTTP request but refuses to
fulfill it. Additionally, the reason for the refusal is provided.
l 404: Not Found: indicates that the server does not find any URI resource matching the HTTP
request. Additionally, it cannot determine whether the resource is unavailable temporarily or
permanently.
l 410: Gone: indicates that the server does not find any URI resource matching the HTTP
request; however, it can identify that the resource does not exist permanently.
Setting: [Setting method] Select the check box.
Parameter: HTTP Error Correction Suffix
Description: Select one or multiple suffixes where error correction should be enabled.
The following suffixes are available:
l HTM: for example, http://www.example.com/index.htm
l HTML: for example, http://www.example.com/index.html
l Subdirectory: for example, www.example.com/support/
The system provides error correction only for level-1 subdirectories.
l Others: all suffix formats except previous three types
Setting: [Setting method] Select the check box.
11.3.1 Overview
This describes the DNS and HTTP error correction reports of the SmartBrowser service.
The Front End of the SIG collects statistics on the total DNS or HTTP error correction times
within five minutes to form a five-minute report. Then it reports the result to the Back End of
the SIG, which compiles the data. Through the report, data configuration engineers can query
the total DNS or HTTP error correction times within a given time range, obtaining the visualized
information about system error correction times.
l DNS error correction statistics: collects statistics on the number of DNS error corrections
within a given time range.
l HTTP error correction statistics: collects statistics on the number of HTTP error corrections
within a given time range.
Prerequisites
Requirements are as follows:
Procedure
Step 1 In the navigation tree, choose Statistics and Analysis Report > Smartbrowser > DNS/HTTP
Error Correction Statistics.
l If selecting Save Query Conditions before querying reports, you do not need to enter query conditions
for the next query.
l To apply the report function for timed tasks, click Timed Task. For details, see 21.4 Managing Timed
Task Reports.
To save time for other operations, click Background Implementation. For details, see 21.5 Managing
Background Task Reports.
On the report query interface, you can export reports in different formats:
----End
Report Navigation
You can click the following links to view the report examples.
NOTE
The information in the following examples is subject to change without notice.
l Statistics and Analysis Report > SmartBrowser > DNS/HTTP Error Correction
Statistics
Statistics and Analysis Report > SmartBrowser > DNS/HTTP Error Correction
Statistics
Through this report, you can view statistics on DNS or HTTP error correction times within a
given time range.
Figure 11-7 shows the report screenshot of DNS error correction statistics within a given time
range.
Figure 11-8 shows the report screenshot of HTTP error correction statistics within a given time
range.
The DNS overwriting service monitors the response packet from the DNS server. If the SIG
identifies that the packet matches the DNS overwriting list, it forges a DNS response packet to
redirect the DNS request to the specified destination IP address in the DNS overwriting list.
Figure 12-1 shows the schematic diagram of the DNS overwriting service.
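[Figure 12-1: schematic diagram of the DNS overwriting service. User, BRAS, DPI system (Front
End and Back End), Internet; DNS overwriting list with columns Source domain name and
Destination IP address; legend: DNS packet.]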
If DNS overwriting and error correction of the SmartBrowser service are enabled
simultaneously, packets match lists in priority order (highest priority first), that is, DNS error
correction whitelist, DNS overwriting list, and DNS error correction blacklist.
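The list priority stated here and in the SmartBrowser NOTE (whitelist, then overwriting list, then blacklist), modelled as an added Python example that is not Huawei code; it also flags list entries that can never take effect because a higher-priority list shadows them. Assumptions: names are compared as exact lowercase strings, `name_resolves` stands in for however the SIG identifies an incorrect domain name, and the whitelist is consulted only when error correction is enabled. `phish.example` is a constructed name; the other values come from this page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def normalize(name: str) -> str:
    """Assumption: exact match on the lowercase name without the trailing dot."""
    return name.rstrip(".").lower()


@dataclass
class DnsPolicy:  # hypothetical model of the three lists and the two switches
    platform_ip: str                                  # "IP Address of the Platform"
    whitelist: Set[str] = field(default_factory=set)
    blacklist: Set[str] = field(default_factory=set)
    overwriting: Dict[str, str] = field(default_factory=dict)
    correction_enabled: bool = True
    overwriting_enabled: bool = True

    def __post_init__(self) -> None:
        self.whitelist = {normalize(n) for n in self.whitelist}
        self.blacklist = {normalize(n) for n in self.blacklist}
        self.overwriting = {normalize(n): ip for n, ip in self.overwriting.items()}
        both = self.whitelist & self.blacklist
        if both:
            # The page forbids a name in both error correction lists.
            raise ValueError("in both blacklist and whitelist: %s" % sorted(both))


def decide(policy: DnsPolicy, qname: str, name_resolves: bool) -> Tuple[str, Optional[str]]:
    """Return (action, ip); action is 'pass', 'overwrite' or 'correct'."""
    name = normalize(qname)
    # 1. Error correction whitelist: highest priority, answer left untouched.
    if policy.correction_enabled and name in policy.whitelist:
        return ("pass", None)
    # 2. DNS overwriting list: answer replaced with the configured address.
    if policy.overwriting_enabled and name in policy.overwriting:
        return ("overwrite", policy.overwriting[name])
    # 3. Error correction blacklist, then ordinary correction of incorrect names.
    if policy.correction_enabled and (name in policy.blacklist or not name_resolves):
        return ("correct", policy.platform_ip)
    return ("pass", None)


def shadowed_entries(policy: DnsPolicy) -> Dict[str, List[str]]:
    """Entries that are configured but can never win under the priority order."""
    over = set(policy.overwriting)
    by_white = over & policy.whitelist if policy.correction_enabled else set()
    by_over = policy.blacklist & over if policy.overwriting_enabled else set()
    return {
        "overwriting_shadowed_by_whitelist": sorted(by_white),
        "blacklist_shadowed_by_overwriting": sorted(by_over),
    }


# Constructed sample policy built from the addresses used on this page.
SAMPLE = DnsPolicy(
    platform_ip="10.1.1.1",
    whitelist={"www.example2.com"},
    blacklist={"phish.example", "www.example1.com"},
    overwriting={"www.example1.com": "10.10.10.10", "www.example2.com": "11.11.11.11"},
)

if __name__ == "__main__":
    for q, ok in (("www.example1.com", True), ("www.example2.com", True),
                  ("phish.example", True), ("typo.example", False)):
        print(q, decide(SAMPLE, q, ok))
    print(shadowed_entries(SAMPLE))
```
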
[Flowchart: configuration procedure of the DNS overwriting service (surviving step: Enable DNS
overwriting).]
Action: Configure the DNS overwriting list
Description: Add the DNS overwriting list, so that the SIG monitors the response packets of the
DNS server based on the list.
Operation page: In the navigation tree, choose Access Control > DNS Overwriting > DNS
Overwriting List Management.
Prerequisites
The current user has the Access Control service permission.
Requirement Description
DNS overwriting should be enabled. When intranet users access external Web sites with such
source domain names as shown in Table 12-2, DNS requests are redirected to the target IP
addresses as shown on the right.
Source domain name    Target IP address
www.example1.com      10.10.10.10
www.example2.com      11.11.11.11
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 Enable DNS overwriting.
1. In the navigation tree, choose Access Control > DNS Overwriting > DNS Overwriting
Configuration.
2. Select the check box of Enable DNS Overwriting.
3. Click Save.
Step 3 Add items to the DNS overwriting list.
1. In the navigation tree, choose Access Control > DNS Overwriting > DNS Overwriting
List Management.
2. Click Add.
NOTE
In addition to manual adding, you can import items to the DNS overwriting list.
To import items, you need to click Import. In the pop-up dialog box, obtain and edit the file template,
and then import items.
3. Set parameters according to Figure 12-3.
4. Click OK. The system returns to the previous page and displays a new record.
5. Repeat Step 3.2 to Step 3.4 to add another item.
----End
Through the Smart Advertising Interface service, the SIG can filter packets according to their
HTTP packet header attributes, and mirror the HTTP packets meeting conditions to the third-
party system. Then the third-party system analyzes users' online behaviors in depth and pushes
advertisements to specific users.
Through the Smart Advertising Interface service, the SIG can mirror the HTTP packets meeting
conditions to the third-party system according to their HTTP packet header attributes. Then the
third-party system analyzes users' online behaviors in depth and pushes advertisements to
specific users.
Figure 13-1 shows the typical networking of the Smart Advertising Interface service.
Figure 13-1 Typical networking diagram of the Smart Advertising Interface service
[Diagram: Users, BRAS, Router, DPI system (Front End with management interface, Back End),
mirroring group 1 and mirroring group 2, Switch, the third-party system; legend: RADIUS packet,
service traffic, mirroring traffic 1, mirroring traffic 2.]
NOTE
A switch should support load balancing based on the source IP address, destination IP address,
and source+destination IP addresses.
The Smart Advertising Interface service does not support the reassembly and resolution of
disordered TCP packets and HTTP header fragments; therefore, the SIG cannot guarantee that these
packets are processed properly.
Figure 13-2 shows the processing procedure of the Smart Advertising Interface service.
[Figure 13-2: processing flowchart. Surviving decisions: "Is the Smart Advertising Interface
service enabled?" (No: do not perform Smart Advertising Interface processing on all packets in
HTTP traffic); "Is the HTTP packet header contained?" (No: the processing is the same as that
towards the last packet).]
13.2.1 Overview
To configure the Smart Advertising Interface service, you need to learn related concepts.
NOTE
The Smart Advertising Interface service becomes available only after subscribers subscribe to it in the
third-party portal system.
l Policy item priority
The priority value specified in the policy item definition. The smaller the value, the higher
the priority. The value is an integer that ranges from 1 to 9,999. The value is globally unique
in the system.
l Mirroring port
Mirroring port is the egress of the current device through which the traffic matching the
traffic mirroring policy is mirrored to the third-party device.
NOTE
l Only the Ethernet interface on the LPU can be configured as the mirroring port, which means
that 1GE and 10GE interfaces can serve as mirroring interfaces.
l A maximum of forty mirroring ports can be configured on one device.
l The management interface (specified with an IP address), data detection interface (configured
with a link), diversion interface and cascade interface cannot be added to the mirroring group as
the mirroring port.
l Mirroring Group
A mirroring group consists of multiple mirroring ports. They are on different devices, or
in different clusters of the front end (on the premise that the clusters of the front end share
one back end). The policy can take effect for all clusters of the front end (corresponding to
the back end) when configured for a mirroring group on the GUI of the back end.
The SIG system has eight default mirroring groups. A maximum of 40 mirroring interfaces
can be configured in one mirroring group. You must add the interfaces of a Front End to
mirroring groups, and associate the mirroring groups with mirroring policies configured
on the Back End. The Front End replicates the packets that match the mirroring policies,
and sends the packets to third-party analysis devices through the interfaces in the mirroring
groups according to the mirroring policies. If a group contains no interface, the group cannot
mirror any traffic.
l Mirroring Group ID
Each Front End of the SIG supports eight mirroring groups, each of which corresponds to
one ID (from 1 to 8).
l HTTP Request Matching Condition
Defined by the file name extension of the accessed URL resource and the User-Agent field
in the HTTP request packet header. Only the HTTP request packets (upstream packets)
complying with the matching rule can be mirrored.
The matching condition comprises the File Extension blacklist, User-Agent whitelist, and
User-Agent blacklist. The traffic matching the blacklist cannot be mirrored but that
matching the whitelist can.
– Blacklist File Extension
File Extension indicates the type of the Web page that is accessed, for example, html,
htm, xml, do, and js. If http://www.huawei.com/solutions.do is accessed, the File
Extension field is do. If do is added to the File Extension blacklist, the HTTP traffic
accessing the Web sites suffixed .do cannot be mirrored.
– User-Agent blacklist/whitelist
The User-Agent field identifies such attributes as the browser type, OS type, and
language type of the user. The packets whose User-Agent field matches the User-Agent
blacklist cannot be mirrored while those matching the User-Agent whitelist can. The
system uses the regular expression to define the User-Agent blacklist/whitelist.
l HTTP Response Matching Condition
The matching condition is defined by the Content-type field of the HTTP response packet
(downstream packets). Only the HTTP 200 OK response packets meeting the condition can
be mirrored.
NOTE
In the HTTP response packets, the packet of the 200 OK type indicates that the server successfully
responds.
– Whitelist Content-type:
The Content-type field identifies the contents of the Web page that is accessed, for
example, text/html, image/jpeg, text/css, and application/octet-stream. If image/jpeg is
added to the Content-type whitelist, the packets whose Content-type field contains
image/jpeg are mirrored.
l Sent RST Packets to Mirror Group When Stop
When Sent RST Packets to mirror group when stop is enabled in the policy, and the last
traffic matches the mirroring condition while the next traffic does not, the SIG stops
mirroring traffic and sends Reset packets to the third-party system. Then the third-party
system saves the traffic for further processing.
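The request and response matching conditions above, as an added Python example (not Huawei code) for auditing which HTTP packets a policy item would hand to the third-party system. Assumptions: the User-Agent blacklist is checked before the whitelist and an empty whitelist allows every User-Agent; a packet without a complete HTTP header is treated like the last packet in the same direction; the sample headers are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

REQUEST_LINE = re.compile(rb"^[A-Z]+ (\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})\b")


@dataclass(frozen=True)
class MirrorPolicy:  # hypothetical model of one Smart Advertising Interface item
    ext_blacklist: Tuple[str, ...] = ()    # File Extension blacklist
    ua_blacklist: Tuple[str, ...] = ()     # regular expressions
    ua_whitelist: Tuple[str, ...] = ()     # regular expressions
    ctype_whitelist: Tuple[str, ...] = ()  # Content-type whitelist


def parse_head(payload: bytes) -> Optional[Tuple[bytes, Dict[str, str]]]:
    """Return (start line, headers) only when the whole header block is in this
    packet; header fragments are not reassembled, as the page notes."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0], headers


def file_extension(target: str) -> str:
    """'do' for http://www.huawei.com/solutions.do; the query string is ignored."""
    last = urlsplit(target).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1].lower() if "." in last else ""


def request_mirrored(policy: MirrorPolicy, target: str, user_agent: str) -> bool:
    if file_extension(target) in policy.ext_blacklist:
        return False
    if any(re.search(p, user_agent) for p in policy.ua_blacklist):
        return False
    if policy.ua_whitelist:
        return any(re.search(p, user_agent) for p in policy.ua_whitelist)
    return True


def response_mirrored(policy: MirrorPolicy, status: int, content_type: str) -> bool:
    # Only 200 OK responses whose Content-type contains a whitelisted value.
    return status == 200 and any(w in content_type.lower() for w in policy.ctype_whitelist)


class Flow:
    """Per-flow state: packets without an HTTP header inherit the last decision."""

    def __init__(self, policy: MirrorPolicy) -> None:
        self.policy = policy
        self.last = {True: False, False: False}  # keyed by upstream flag

    def on_packet(self, payload: bytes, upstream: bool) -> bool:
        parsed = parse_head(payload)
        if parsed is not None:
            start, headers = parsed
            if upstream:
                m = REQUEST_LINE.match(start)
                if m:
                    self.last[True] = request_mirrored(
                        self.policy, m.group(1).decode("latin-1"),
                        headers.get("user-agent", ""))
            else:
                m = STATUS_LINE.match(start)
                if m:
                    self.last[False] = response_mirrored(
                        self.policy, int(m.group(1)), headers.get("content-type", ""))
        return self.last[upstream]


# Constructed sample policy and packets.
SAMPLE_POLICY = MirrorPolicy(ext_blacklist=("do",), ua_blacklist=(r"(?i)bot",),
                             ctype_whitelist=("text/html", "image/jpeg", "image/gif"))
REQ_HTML = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
            b"User-Agent: Mozilla/5.0 (constructed sample)\r\n\r\n")
REQ_DO = (b"GET /solutions.do?id=1 HTTP/1.1\r\nHost: www.huawei.com\r\n"
          b"User-Agent: Mozilla/5.0 (constructed sample)\r\n\r\n")
RESP_HTML = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html>"
RESP_404 = b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
```
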
[Flowchart: configuration procedure of the Smart Advertising Interface service (surviving step:
Back End, Apply the Smart Advertising Interface policy package).]
Action: Configure the mirroring interface
Description: The mirroring interface is the egress of the traffic matching the mirroring policy.
The mirroring interface should be configured on the Front End through commands.
Operation location: Front End of the SIG.
Action: Add the policy package of the Smart Advertising Interface service
Description: A Smart Advertising Interface policy package can contain one or multiple policy
items.
Operation location: Back-end UI of the SIG. In the navigation tree, choose Value-added Service >
Mirror/Divert > Smart Advertising Interface Policy Package Management.
Action: Apply the policy package of the Smart Advertising Interface service
Description: Apply the added policy package to service objects.
Operation location: Back-end UI of the SIG.
l In the navigation tree, choose Subscriber and Network Management > Subscriber > Policy
Application.
l In the navigation tree, choose Subscriber and Network Management > Very Important
Customer > Policy Application.
Prerequisites
Requirements are as follows:
l 4.2 Configuring the Subscriber is complete.
l The current user has the Value-added Service service permission.
Requirement Description
The carrier requires the third-party system to analyze subscribers' online behaviors and therefore
push advertisements to users selectively. The SIG can analyze HTTP packet headers and then
mirror HTTP packets meeting conditions to the third-party system.
Since a single server of the third-party system cannot process the heavy traffic mirrored from
each mirroring interface (GE) of the SIG, a switch is required for load balancing. The following
describes how to configure the switch through an example of the Quidway S5300. Figure
13-4 shows the networking diagram.
[Figure 13-4: networking diagram. Users, BRAS, Router, link 1G-80-2-link_2, DPI system (Front
End with management interface and interfaces GE3/0/0 to GE3/0/3, Back End), mirroring group 1
to S5300 A and the third-party system 1, mirroring group 2 to S5300 B and the third-party
system 2; legend: RADIUS packet, service traffic, mirroring traffic 1, mirroring traffic 2.]
NOTE
l Mirroring group 2 performs load balancing through S5300 B based on the source IP
address+destination IP address, and mirrors both upstream and downstream traffic to the
third-party system 2.
Mirroring group 2 comprises GE3/0/2 and GE3/0/3, which respectively connect to
GE0/0/13 and GE0/0/14 on S5300 B. Add GE0/0/15, GE0/0/16, and GE0/0/17 to link
aggregation group Eth-Trunk 2 and configure source IP address+destination IP
address-based load balancing.
Procedure
Step 1 Log in to the Front End of the SIG.
Step 2 Configure mirroring groups.
1. Configure GigabitEthernet 3/0/0 and GigabitEthernet 3/0/1 as mirroring interfaces, and add
them to mirroring group 1.
<Sysname> system-view
[Sysname] interface GigabitEthernet 3/0/0
[Sysname-GigabitEthernet3/0/0] dpi-node mirror group-number 1
[Sysname-GigabitEthernet3/0/0] quit
[Sysname] interface GigabitEthernet 3/0/1
[Sysname-GigabitEthernet3/0/1] dpi-node mirror group-number 1
[Sysname-GigabitEthernet3/0/1] quit
2. Configure GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 as mirroring interfaces, and add
them to mirroring group 2.
[Sysname] interface GigabitEthernet 3/0/2
[Sysname-GigabitEthernet3/0/2] dpi-node mirror group-number 2
[Sysname-GigabitEthernet3/0/2] quit
[Sysname] interface GigabitEthernet 3/0/3
[Sysname-GigabitEthernet3/0/3] dpi-node mirror group-number 2
[Sysname-GigabitEthernet3/0/3] quit
6. Click OK.
7. Select Smart Advertising Interface from Item Type and click Add.
8. Set the parameters of policy item item2 in the dialog box that is displayed. Figure 13-6
shows parameter settings.
4. Click OK.
----End
Prerequisites
Requirements are as follows:
Requirement Description
The carrier requires the third-party system to analyze VICs' online behaviors and therefore push
advertisements to users selectively. The SIG can analyze HTTP packet headers and then mirror
HTTP packets meeting conditions to the third-party system.
Since a single server of the third-party system cannot process the heavy traffic mirrored from
each mirroring interface (GE) of the SIG, a switch is required for load balancing. The following
describes how to configure the switch through an example of the Quidway S5300. Figure
13-8 shows the networking diagram.
[Figure 13-8: networking diagram. Users, BRAS, Router, link 1G-80-2-link_2, DPI system (Front
End with management interface and interfaces GE3/0/0 to GE3/0/3, Back End), mirroring group 1
to S5300 A and the third-party system 1, mirroring group 2 to S5300 B and the third-party
system 2; legend: RADIUS packet, service traffic, mirroring traffic 1, mirroring traffic 2.]
NOTE
l Upstream HTTP traffic is mirrored to third-party system 1. The upstream HTTP traffic of
the Web sites whose suffix is .do is not mirrored.
l Upstream and downstream HTTP traffic is mirrored to the third-party system 2. The
upstream HTTP traffic of the Web sites whose suffix is .do is not mirrored; the downstream
HTTP traffic whose Content-type field contains text/html, image/jpeg, or image/gif is
mirrored.
Details are as follows:
l The Front End of the SIG has two mirroring groups: mirroring group 1 and mirroring group
2.
l The third-party system 1 processes the traffic from mirroring group 1 and the third-party
system 2 processes traffic from mirroring group 2.
l Mirroring group 1 performs load balancing through S5300 A based on the source IP address
and mirrors upstream traffic to the third-party system 1.
Mirroring group 1 comprises GE3/0/0 and GE3/0/1, which respectively connect to
GE0/0/11 and GE0/0/12 on S5300 A. Add GE0/0/8, GE0/0/9, and GE0/0/10 to link
aggregation group Eth-Trunk 1 and configure source IP address-based load balancing.
l Mirroring group 2 performs load balancing through S5300 B based on the source IP
address+destination IP address, and mirrors both upstream and downstream traffic to the
third-party system 2.
Mirroring group 2 comprises GE3/0/2 and GE3/0/3, which respectively connect to
GE0/0/13 and GE0/0/14 on S5300 B. Add GE0/0/15, GE0/0/16, and GE0/0/17 to link
aggregation group Eth-Trunk 2 and configure source IP address+destination IP
address-based load balancing.
Procedure
Step 1 Log in to the Front End of the SIG.
2. Configure GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 as mirroring interfaces, and add
them to mirroring group 2.
[Sysname] interface GigabitEthernet 3/0/2
[Sysname-GigabitEthernet3/0/2] dpi-node mirror group-number 2
[Sysname-GigabitEthernet3/0/2] quit
[Sysname] interface GigabitEthernet 3/0/3
[Sysname-GigabitEthernet3/0/3] dpi-node mirror group-number 2
[Sysname-GigabitEthernet3/0/3] quit
<Sysname> system-view
[Sysname] interface eth-trunk 1
[Sysname-Eth-Trunk1] quit
1. In the navigation tree, choose Value-added Service > Mirror/Divert > Smart
Advertising Interface Policy Package Management.
2. Click Add.
3. Enter smartnet in Name and then click Save.
4. Select Smart Advertising Interface from Item Type and click Add.
5. Set the parameters of policy item item1 in the dialog box that is displayed. Figure 13-9
shows parameter settings.
6. Click OK.
7. Select Smart Advertising Interface from Item Type and click Add.
8. Set the parameters of policy item item2 in the dialog box that is displayed. Figure 13-10
shows parameter settings.
4. Click OK.
----End
Through the VoIP monitoring service, the SIG interferes with or blocks the VoIP calls from
intranets to extranets or from extranets to intranets by means of the blacklist and whitelist. You
can also learn the running status of the VoIP monitoring service by querying reports, including
call detail record statistics and control logs.
[Figure labels: External blacklist (Internet IP address, phone number, and URI); Internal blacklist (user group, IP address, phone number, and URI); Internal whitelist (user group); Access network; Common customer; VIC]
• VoIP media protocol
One VoIP call generates one or multiple media flows. VoIP media protocols refer to the
protocols that are used by media flows over UDP.
The media protocols supported by the SIG include AoWei, GBPhone, HeadCall,
Lava_Lava, P5P, Paltalk_Voip, RTP, ShangYang, ShiJiWangTong, SkypePctoPhone,
SkypePctoPc, TeamSpeak2, TelTel, UUCall, Ventrilo, Vtalk, ZhongFang,
YahooMsg_Video, YahooMsg_Audio, MEGACO_MEDIA_VIDEO,
MEGACO_MEDIA_AUDIO, MGCP_MEDIA_VIDEO, MGCP_MEDIA_AUDIO,
14.2.1 Overview
This describes the functions implemented through the configuration of the VoIP monitoring
service.
The VoIP monitoring service of the SIG supports:
• Interference with or blocking of VoIP calls from non-internal whitelist users to blacklisted
users
In the VoIP global policy configuration, select Interferential Direction and Control
Density. The following shows the details:
– Interferential Direction
Bidirectional interference, Interfere with the caller, and Interfere with the callee are
available.
– Control Density
Pass, Low, Medium, High, and Block are available.
If the caller or callee is not an internal whitelist user but is in the internal blacklist, IP
address blacklist, telephone number blacklist, or URI blacklist, the system interferes
with or blocks the call.
• Internal blacklist/whitelist management
For subscribers, the system provides one VoIP Blacklist User Group and one VoIP
Whitelist User Group. For VICs, the system provides one VoIP Blacklist User Group
and one VoIP Whitelist User Group.
If the caller or the callee is in the blacklist user group, the system directly interferes with
or blocks the call. If the caller or callee is in the whitelist user group, the system permits
the VoIP service to pass regardless of whether the caller or callee is blacklisted.
• VoIP IP blacklist management
The system provides the internal and external IP address blacklist management function.
If the caller or callee is not in the whitelist but is in the VoIP IP blacklist, the system interferes
with or blocks the call.
• VoIP number blacklist management
The system provides the internal and external number blacklist management function. The
resolution of telephone numbers is valid only for H.323, SIP, MGCP, and MEGACO.
For VoIP services using H.323, SIP, MGCP, or MEGACO, if the caller or callee is not in
the whitelist but is in the number blacklist, the system interferes with or blocks the call.
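The matching rules above, combined with the blacklist priority that this guide gives for the Control Log report (internal blacklist user group, URI blacklist, number blacklist, IP address blacklist), can be modelled as follows. This is an added illustration, not code from the SIG; the class and function names, exact string matching, and the unlisted caller user3 are assumptions, and Interferential Direction is not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Telephone-number resolution is stated as valid only for these signaling protocols.
NUMBER_AWARE = {"H.323", "SIP", "MGCP", "MEGACO"}
# Blacklists in descending priority, as listed for the Control Log report.
PRIORITY = ("user_group", "uri", "number", "ip")


@dataclass(frozen=True)
class Party:
    """One end of a call; a field stays None when it cannot be resolved."""
    user: Optional[str] = None
    ip: Optional[str] = None
    number: Optional[str] = None
    uri: Optional[str] = None


@dataclass
class VoipPolicy:
    control_density: str = "Block"  # Pass, Low, Medium, High, or Block
    whitelist_users: Set[str] = field(default_factory=set)
    blacklist_users: Set[str] = field(default_factory=set)
    ip_blacklist: Set[str] = field(default_factory=set)
    number_blacklist: Set[str] = field(default_factory=set)
    uri_blacklist: Set[str] = field(default_factory=set)


def blacklist_hits(party: Party, policy: VoipPolicy, signaling: str) -> Set[str]:
    """Return the names of every blacklist that this party matches."""
    hits = set()
    if party.user in policy.blacklist_users:
        hits.add("user_group")
    if party.uri in policy.uri_blacklist:
        hits.add("uri")
    # A number can only be matched when the signaling protocol exposes it.
    if signaling in NUMBER_AWARE and party.number in policy.number_blacklist:
        hits.add("number")
    if party.ip in policy.ip_blacklist:
        hits.add("ip")
    return hits


def decide(caller: Party, callee: Party, signaling: str,
           policy: VoipPolicy) -> Tuple[str, Optional[str]]:
    """Return (action, blacklist named in the control log)."""
    # A whitelisted caller or callee passes regardless of any blacklist.
    if caller.user in policy.whitelist_users or callee.user in policy.whitelist_users:
        return ("pass", None)
    hits = blacklist_hits(caller, policy, signaling) | blacklist_hits(callee, policy, signaling)
    if not hits or policy.control_density == "Pass":
        return ("pass", None)
    # When several blacklists match, the log follows the highest-priority one.
    logged = next(name for name in PRIORITY if name in hits)
    action = "block" if policy.control_density == "Block" else "interfere"
    return (action, logged)


def sample_policy() -> VoipPolicy:
    """Policy built from the values used in this guide's configuration example."""
    return VoipPolicy(
        control_density="Block",
        whitelist_users={"user2"},
        blacklist_users={"user1"},
        ip_blacklist={"66.66.66.66"},
        number_blacklist={"12345678"},
        uri_blacklist={"user1@www.example.com"},
    )


if __name__ == "__main__":
    policy = sample_policy()
    outsider = Party(ip="66.66.66.66", uri="user1@www.example.com")
    print(decide(Party(user="user3"), outsider, "SIP", policy))
    print(decide(Party(user="user2"), outsider, "SIP", policy))
```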
Prerequisites
Requirements are as follows:
• 4.2 Configuring the Subscriber is complete. In addition, user 1 and user 2 are subscribers.
• The current user has the Access Control and Subscriber and Network Management
service permissions.
Requirement Description
Service requirements are as follows:
• Protocols of the CDR adopt the default protocol list.
• The control density is Block.
• Internal blacklist and whitelist user group management is enabled.
It is required to add user 1 to the blacklist user group, and add user 2 to the whitelist user
group.
• IP blacklist management is enabled.
It is required to add 66.66.66.66 to the blacklist.
• Telephone number blacklist management is enabled.
It is required to add 12345678 to the blacklist.
• URI blacklist management is enabled.
It is required to add user1@www.example.com to the blacklist.
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 Perform the global VoIP policy configuration.
1. In the navigation tree, choose Access Control > VoIP Control > VoIP Control Policy
Configuration.
2. Select Block in Control Density, as shown in Figure 14-2.
3. Click Save. The system prompts the user that the operation succeeds.
Step 3 Manage subscriber groups VoIP Blacklist User Group and VoIP Whitelist User Group.
1. In the navigation tree, choose Subscriber and Network Management > Subscriber >
User Group Management.
2. Click VoIP Blacklist User Group. The View and Modify User Group dialog box is
displayed.
3. Click Add. Set User1 to selected, and then click OK. The system prompts that one record
is added.
4. Click Close.
5. Repeat Step 3.2 to Step 3.4 to add User2 to VoIP Whitelist User Group.
----End
Prerequisites
Requirements are as follows:
• 4.3 Configuring the VIC is complete. In addition, user 1 and user 2 are VICs.
• The current user has the Access Control and Subscriber and Network Management
service permissions.
Requirement Description
The service requirements are as follows:
• Protocols of the CDR adopt the default protocol list.
• The control density is Block.
• Internal blacklist and whitelist user group management is enabled.
It is required to add user 1 to the blacklist user group, and add user 2 to the whitelist user
group.
• IP blacklist management is enabled.
It is required to add 66.66.66.66 to the blacklist.
• Telephone number blacklist management is enabled.
It is required to add 12345678 to the blacklist.
• URI blacklist management is enabled.
It is required to add user1@www.example.com to the blacklist.
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 Perform the global VoIP policy configuration.
1. In the navigation tree, choose Access Control > VoIP Control > VoIP Control Policy
Configuration.
2. Select Block in Control Density, as shown in Figure 14-3.
3. Click Save. The system prompts the user that the operation succeeds.
Step 3 Manage VIC groups VoIP Blacklist User Group and VoIP Whitelist User Group.
1. In the navigation tree, choose Subscriber and Network Management > Very Important
Customer > User Group Management.
2. Click VoIP Blacklist User Group. The View and Modify User Group dialog box is
displayed.
3. Click Add. Set User1 to selected, and then click OK. The system prompts that one record
is added.
4. Click Close.
5. Repeat Step 3.2 to Step 3.4 to add User2 to VoIP Whitelist User Group.
Step 4 Manage the IP blacklist.
1. In the navigation tree, choose Access Control > VoIP Control > VoIP IP Blacklist
Management.
2. Click Add. Enter 66.66.66.66 in IP.
3. Click OK.
Step 5 Manage the telephone number blacklist.
1. In the navigation tree, choose Access Control > VoIP Control > VoIP Number Blacklist
Management.
2. Click Add. Enter 12345678 in Number.
3. Click OK.
Step 6 Manage the URI blacklist.
1. In the navigation tree, choose Access Control > VoIP Control > VoIP URI Blacklist
Management.
2. Click Add. Enter user1@www.example.com in URI Address.
3. Click OK.
----End
Control Density
Pass, Low, Medium, High, and Block are available. The details are as follows:
• Pass
The system does not interfere with or block any VoIP service.
• Low, Medium, High
The system interferes with the VoIP service, degrading users' service experiences. Low
indicates that the interfered user can catch most messages from the other side; Medium
indicates that the interfered user can hardly catch messages from the other side; High
indicates that the interfered user cannot catch messages from the other side at all.
• Block
The system directly blocks the VoIP service.
[Setting method] Select the corresponding item from the drop-down list.

Protocol of the CDR (VoIP Statistics Policy Configuration)
Select the media protocol whose CDR is to be exported as required.
[Setting method]
• In the VoIP Statistics Policy Configuration page, click Add. Then select the check boxes
corresponding to the protocols to be added.
• To delete certain protocols, you can select the protocols to be deleted, and then click
Delete.
14.3.1 Overview
This describes the categories and functions of VoIP reports.
For subscribers and VICs, the system provides the following reports:
• Control Log
Through this report, you can view control logs of the VoIP service. The VoIP service
interferes with or blocks non-internal whitelist users' VoIP calls to blacklist users.
Corresponding control logs are generated when the SIG interferes with or blocks those
VoIP calls.
This report displays the control actions on users matching the internal blacklist user
group, internal and external IP address blacklist, internal and external number blacklist,
and internal and external URI blacklist.
When the caller and callee are in different blacklists, you can view the control action log
according to the blacklist with the higher priority. The blacklists in descending order by
priority are internal blacklist user group, URI blacklist, number blacklist, and IP address
blacklist.
• Top N Customers by Control Count
Through this report, you can view top N subscribers or VICs by control count.
A control action upon a user can be triggered because the user is in the internal blacklist
user group, IP address blacklist, number blacklist, or URI blacklist, or because the peer-end
user is in the external IP address blacklist, number blacklist, or URI blacklist.
• Top N Blacklists by Control Count
Through this report, you can view top N blacklists by control count.
This report collects the statistics of blacklists including the internal and external IP address
blacklist, internal and external number blacklist, and internal and external URI blacklist.
• Call Detail Record Statistics
Through this report, you can view the call detail record statistics of the VoIP service
applying specified signaling and media protocols.
• Top N Customers by Session
Through this report, you can view top N subscribers or VICs by the number of VoIP sessions
or session duration.
• Top N URIs by Session
Through this report, you can view top N URIs by the number of VoIP sessions or session
duration.
• Signaling Protocol Session Statistics
Through this report, you can view the number of sessions or session durations based on
signaling protocols.
In addition, the SIG provides the report on Provider Call Duration Statistics, which displays call
durations of URI providers.
NOTE
You should add or import the IP apanage configuration, and the information configuration of the service
provider for generating the specific reports. The mappings between the configurations and the reports are
as follows:
• IP Apanage Configuration
– In the navigation tree, choose Statistics and Analysis Report > VoIP > Subscriber > Call Detail
Record Statistics.
– In the navigation tree, choose Statistics and Analysis Report > VoIP > Very Important
Customer > Call Detail Record Statistics.
• SP Configuration
– In the navigation tree, choose Statistics and Analysis Report > VoIP > Subscriber > Provider
Call Duration Statistics.
– In the navigation tree, choose Statistics and Analysis Report > VoIP > Very Important
Customer > Provider Call Duration Statistics.
– In the navigation tree, choose Statistics and Analysis Report > VoIP > Provider Call Duration
Statistics.
Prerequisites
Requirements are as follows:
• 14.2 Configuring the VoIP Monitoring Service is complete.
• The current user has the Statistics and Analysis Report service permission.
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 In the navigation tree, choose Statistics and Analysis Report > VoIP. Then select the reports
to be queried as required.
Step 3 Enter query conditions as required according to prompts.
TIP
• If you select Save Query Conditions before querying reports, you do not need to enter query
conditions for the next query.
• To apply the report function for timed tasks, click Timed Task. For details, see 21.4 Managing Timed
Task Reports.
NOTE
To save time for other operations, click Background Implementation. For details, see 21.5 Managing
Background Task Reports.
On the report query interface, you can export reports in different formats.
----End
Report Navigation
You can click the following links to view the report examples.
NOTE
The information in the following examples is subject to change without notice.
• Statistics and Analysis Report > VoIP > Subscriber/Very Important Customer >
Control Log
• Statistics and Analysis Report > VoIP > Subscriber/Very Important Customer > Top
N Customers by Control Count
• Statistics and Analysis Report > VoIP > Subscriber/Very Important Customer > Top
N Blacklists by Control Count
• Statistics and Analysis Report > VoIP > Subscriber/Very Important Customer > Call
Detail Record Statistics
• Statistics and Analysis Report > VoIP > Subscriber/Very Important Customer > Top
N Customers by Session
• Statistics and Analysis Report > VoIP > Subscriber/Very Important Customer > Top
N URIs by Session
• Statistics and Analysis Report > VoIP > Subscriber/Very Important Customer >
Signaling Protocol Session Statistics
• Statistics and Analysis Report > VoIP > Subscriber/Very Important Customer >
Provider Call Duration Statistics
• Statistics and Analysis Report > VoIP > Provider Call Duration Statistics
Statistics and Analysis Report > VoIP > Subscriber/Very Important Customer >
Control Log
Through this report, you can view control logs of the VoIP service. The VoIP service is to
interfere with or block non-internal whitelist users' VoIP calls to blacklist users. Corresponding
control logs are generated when the SIG interferes with or blocks those VoIP calls.
This report displays the control actions on users matching with the internal blacklist user group,
internal and external IP address blacklist, internal and external number blacklist, internal and
external URI blacklist.
When the caller and callee are in different blacklists, you can view the control action log
according to the blacklist with the higher priority. The blacklists in descending order by priority
are internal blacklist user group, URI blacklist, number blacklist, and IP address blacklist.
Figure 14-4 Example of the log report on controlling VoIP
Statistics and Analysis Report > VoIP > Subscriber/Very Important Customer >
Top N Customers by Control Count
Through this report, you can view top N subscribers or VICs by control count.
A control action upon a user can be triggered because the user is in the internal blacklist user
group, IP address blacklist, number blacklist, or URI blacklist, or because the peer-end user is
in the external IP address blacklist, number blacklist, or URI blacklist.
Statistics and Analysis Report > VoIP > Subscriber/Very Important Customer >
Top N Blacklists by Control Count
Through this report, you can view top N blacklists by control count.
This report collects the statistics of blacklists including the internal and external IP address
blacklist, internal and external number blacklist, and internal and external URI blacklist.
Statistics and Analysis Report > VoIP > Subscriber/Very Important Customer >
Call Detail Record Statistics
Through this report, you can view the call detail record statistics of the VoIP services applying
specified signaling and media protocols.
Statistics and Analysis Report > VoIP > Subscriber/Very Important Customer >
Top N Customers by Session
Through this report, you can view top N subscribers or VICs by the number of VoIP sessions or
session duration.
Statistics and Analysis Report > VoIP > Subscriber/Very Important Customer >
Top N URIs by Session
Through this report, you can view top N URIs by the number of VoIP sessions or session duration.
Figure 14-9 shows report examples.
Statistics and Analysis Report > VoIP > Subscriber/Very Important Customer >
Signaling Protocol Session Statistics
Through this report, you can view the number of sessions or session durations based on signaling
protocols.
Figure 14-10 shows report examples.
Statistics and Analysis Report > VoIP > Subscriber/Very Important Customer >
Provider Call Duration Statistics
Through this report, you can view the call duration statistics based on various URI providers in
the specified subscribers or VICs attribute group.
Figure 14-11 shows report examples.
Statistics and Analysis Report > VoIP > Provider Call Duration Statistics
Through this report, you can view the total call duration statistics based on various URI providers
without distinguishing between subscribers and VICs.
Figure 14-12 shows report examples.
15 Anti-Spammer Service
Through the Anti-Spammer service, the SIG detects and controls spammers on the network, with
monitoring measures including Detection, Alarm, Evidence Collection, Block, and Limit.
• Spam
Spam, also called Unsolicited Commercial Email (UCE) or Unsolicited Bulk Email
(UBE), is sent in large quantities without the receivers' consent. Most spam is about commercial
advertisement and adverse media.
• Spammer
Sender of spam.
• Anti-Spammer
Anti-Spammer indicates a service provided by the SIG to detect and control spammers on
the network.
Figure 15-1 shows the Anti-Spammer service.
[Figure 15-1 labels: Mail server, Internet, Access network, Common customer]
15.2.1 Overview
This describes the functions implemented through the configuration of the Anti-Spammer
service.
The alarm policy item depends on the detection policy item. Therefore, you need to add
the detection policy item before adding the alarm policy item.
– Evidence Collection
The system logs mail sending behaviors and uploads the logs to the FTP server. The
log can be used as the evidence of spam sending. The log contains the time, source IP
address, destination IP address, sender address, recipient address, and mail subject.
Before adding a policy item of the Evidence Collection type, you need to complete the
global setting of evidence collection, including the address of the FTP server, and login
user name and password. When adding a policy item of the evidence collection type,
you can adjust values of Sampling Percentage and Mail Number for Evidence
Collection. For example, if Sampling Percentage is set to 1:50 and Mail Number for
Evidence Collection is set to 50, the system extracts one out of fifty mails sent by the user
covered by this policy item. A total of 50 mails are extracted for evidence collection.
If the memory occupied by mails to be extracted for evidence collection exceeds the
threshold (8 MB per user) or the time for evidence collection exceeds one hour, the
system automatically stops collecting evidence. Therefore, in the evidence log file
uploaded to the FTP server, the number of mails is smaller than or equal to the value
specified in Mail Number for Evidence Collection.
Due to a variety of language codes, the system does not decode mail titles in the evidence
log file. For example, if the mail title is =?gb2312?B?1tC5+tXQserN+C274dSxu+62rw==?=,
resolution is as follows:
– =? in the header and ?= in the end indicate that the content in between is the mail
title, and ? in the middle indicates separation.
– gb2312 indicates the character set.
– B indicates that Base64 codes are adopted.
If Q is displayed, Quoted-Printable codes are adopted.
– gb2312?B?1tC5+tXQserN+C274dSxu+62rw== indicates the actual code of the
title.
The Evidence Collection policy item depends on the detection policy item. Therefore,
you need to add the detection policy item before adding the Evidence Collection policy
item.
• External Spammer Whitelist and Blacklist Management
Mails sent from extranets to intranets are filtered. Mails sent from the IP addresses and IP
address segments in the whitelist can directly go to intranets. Mails sent from the IP
addresses and IP address segments in the blacklist are blocked. In the system, you can
enable or disable the blacklist function as required.
• Mail Address Blacklist Management
Mails sent by users in the blacklist from intranets to extranets are blocked. The system
supports a maximum of 100000 blacklist records.
Two types of email addresses can be added to the blacklist: complete email address and
mail server domain name. For example, test@yahoo.com is a complete email address and
therefore requires accurate matching, that is, email addresses such as tst@yahoo.com and
atest@yahoo.com cannot be matched. In contrast, yahoo.com is a mail server domain name,
so all mails of that domain can be matched. In this case, abc@yahoo.com can be matched but
mails of yahoo.com.cn cannot be matched.
For enabled Spammer Whitelist User Group, the email address blacklist management is
invalid.
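Because the evidence log keeps mail titles in their encoded form, an analyst reading the uploaded file has to decode them offline. The following added example (not part of the SIG or of this guide) decodes such titles, which use the RFC 2047 encoded-word format, and leaves malformed values untouched; the function names and every sample title other than the gb2312 one quoted above are assumptions constructed for illustration.

```python
import base64
import quopri
import re

# =?charset?encoding?payload?=  (the structure broken down in the text above)
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([BbQq])\?([^?\s]*)\?=")

# The title quoted in this guide.
PAGE_TITLE = "=?gb2312?B?1tC5+tXQserN+C274dSxu+62rw==?="


def split_words(title: str):
    """List the charset, encoding and payload of each encoded word in a title."""
    return [
        {"charset": m.group(1), "encoding": m.group(2).upper(), "payload": m.group(3)}
        for m in ENCODED_WORD.finditer(title)
    ]


def _decode_word(match: "re.Match") -> str:
    charset, encoding, payload = match.group(1), match.group(2).upper(), match.group(3)
    try:
        if encoding == "B":
            # validate=True rejects characters outside the Base64 alphabet.
            raw = base64.b64decode(payload, validate=True)
        else:
            # header=True applies the header rule that "_" stands for a space.
            raw = quopri.decodestring(payload.encode("ascii"), header=True)
        return raw.decode(charset)
    except (ValueError, LookupError):
        # Bad Base64, wrong bytes for the charset, or an unknown charset:
        # keep the value exactly as it was logged.
        return match.group(0)


def decode_title(title: str) -> str:
    """Decode every encoded word in a logged mail title."""
    # Whitespace that only separates two adjacent encoded words is not part of the text.
    joined = re.sub(r"(\?=)\s+(?==\?)", r"\1", title)
    return ENCODED_WORD.sub(_decode_word, joined)


if __name__ == "__main__":
    samples = [
        PAGE_TITLE,
        "=?iso-8859-1?Q?Caf=E9_menu?=",          # constructed Quoted-Printable sample
        "=?utf-8?B?SGVs?= =?utf-8?B?bG8=?=",      # constructed title split in two words
        "=?gb2312?B?@@@?=",                      # constructed malformed payload
        "Plain ASCII title",                     # constructed, nothing to decode
    ]
    for sample in samples:
        print(split_words(sample), "->", decode_title(sample))
```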
NOTE
You can select the depth of detection on spam, including Network Layer to Application Layer and
Network Layer to Transport Layer. When Network Layer to Transport Layer is selected, the evidence
collection policy item, mail number control of the limit function in the control policy item in the internal
spammer management, email address blacklist management, and outbound mail server IP address blacklist
management are available.
Mail address blacklist management and outbound mail server IP address blacklist management are realized
by the function of monitoring configurations by destination IP address. The function can be enabled or
disabled in the system. When it is disabled, mail address blacklist management and outbound mail server
IP address blacklist management are unavailable.
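The two kinds of mail address blacklist record described above (complete address, exact match; mail server domain name, whole-domain match) are easy to get wrong with substring or suffix tests. The added sketch below is not SIG code; it implements the stated matching and contrasts it with a naive substring check. The names are hypothetical, and treating the domain as case-insensitive while comparing the local part exactly is an assumption.

```python
from typing import Iterable, Tuple

MAX_RECORDS = 100000  # maximum number of blacklist records stated in this guide


def split_address(address: str) -> Tuple[str, str]:
    """Return (local part, lower-cased domain); raise ValueError if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    return local, domain.lower().rstrip(".")


class MailBlacklist:
    """Blacklist holding complete addresses and mail server domain names."""

    def __init__(self, entries: Iterable[str]):
        self.addresses = set()
        self.domains = set()
        for entry in entries:
            entry = entry.strip()
            if "@" in entry:
                # Complete address: matched only when both parts are identical.
                self.addresses.add(split_address(entry))
            else:
                # Domain name: matches every address whose domain equals it.
                self.domains.add(entry.lower().rstrip("."))
        if len(self.addresses) + len(self.domains) > MAX_RECORDS:
            raise ValueError("blacklist exceeds 100000 records")

    def matches(self, sender: str) -> bool:
        try:
            local, domain = split_address(sender)
        except ValueError:
            return False  # unparsable sender: nothing to match against
        # Domain comparison is equality, not a suffix test, so that
        # yahoo.com does not cover yahoo.com.cn.
        return (local, domain) in self.addresses or domain in self.domains


def naive_matches(entries: Iterable[str], sender: str) -> bool:
    """Substring test, shown only to contrast with the rules above."""
    return any(entry in sender for entry in entries)


if __name__ == "__main__":
    by_address = MailBlacklist(["test@yahoo.com"])
    by_domain = MailBlacklist(["yahoo.com"])
    for sender in ("test@yahoo.com", "tst@yahoo.com", "atest@yahoo.com",
                   "abc@yahoo.com", "abc@yahoo.com.cn"):
        print(sender,
              "address-record:", by_address.matches(sender),
              "domain-record:", by_domain.matches(sender),
              "naive:", naive_matches(["test@yahoo.com", "yahoo.com"], sender))
```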
Prerequisites
Requirements are as follows:
Requirement Description
The task requirements are as follows:
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 Perform the global spammer configuration.
1. In the navigation tree, choose Security Defense > Spammer > Global Spammer
Configuration.
2. Select Block in Control Action on External Blacklist, and Network Layer to Transport
Layer in Spam Detection Dimension, as shown in Figure 15-2.
10. Click Close. The Spammer Policy Package Management page is displayed.
11. In the navigation tree, choose Subscriber and Network Management > Subscriber >
Policy Application.
12. Click Add. The Add Policy Application dialog box is displayed.
13. Select Spammer in Type, AreaA_Spammer in Name, Attribute Group in Object
Type, and A in Area.
14. Click OK. The policy package takes effect.
Step 4 Manage the subscriber groups Spammer Blacklist User Group and Spammer Whitelist User
Group.
1. In the navigation tree, choose Subscriber and Network Management > Subscriber >
User Group Management.
2. Click Spammer Blacklist User Group. The View and Modify User Group dialog box
is displayed.
3. Click Add and select User1 in the list, and then click OK. The system prompts that one
record is added.
4. Click Close.
5. Repeat Step 4.2 to Step 4.4 to add User2 to Spammer Whitelist User Group.
----End
Prerequisites
Requirements are as follows:
• 4.2 Configuring the Subscriber is complete.
• The current user has the Security Defense and Subscriber and Network Management
service permissions.
Requirement Description
The task requirements are as follows:
• Enable the management of internal spammers.
The following policy items are required:
– Detection: Threshold for Suspicious Users is set to 10 and Threshold for
Spammers to 20, which are the default values.
– Evidence Collection: Sampling Percentage is set to 1:50, and Mail Number for Evidence
Collection to 50. The IP address of the FTP server where evidence logs are uploaded
is 192.168.10.10, the user name is ftpuser, and the password is 12345678.
– Control: the detected spammers can send a maximum of 100 mails per hour.
In addition, you need to enable the internal blacklists and whitelists of Spammer Blacklist
User Group and Spammer Whitelist User Group, and add User1 to Spammer Blacklist
User Group and User2 to Spammer Whitelist User Group respectively.
• Enable External Spammer Whitelist and Blacklist Management.
You need to add IP address 66.66.66.66 to the blacklist, and IP address segment ranging
from 222.22.22.22 to 222.22.22.77 to the whitelist.
• Disable Email Address Blacklist Management.
• Disable Outbound Mail Server IP Address Blacklist Management.
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 Perform the global spammer configuration.
1. In the navigation tree, choose Security Defense > Spammer > Global Spammer
Configuration.
3. Click Test Connection. The system prompts the user that the connection succeeds.
4. Click Save.
10. Select any value in Priority, and select Forever in Need Slice and Limit in Control
Policy, and enter 100 in Mail Sent per Hour. Then click OK. A new policy item is
displayed, as shown in Figure 15-5.
11. Click Close. The Spammer Policy Package Management page is displayed.
12. In the navigation tree, choose Subscriber and Network Management > Subscriber >
Policy Application.
13. Click Add. The Add Policy Application dialog box is displayed.
14. Select Spammer in Type, AreaA_Spammer in Name, Attribute Group in Object
Type, and A in Area.
15. Click OK. The policy package takes effect.
Step 4 Manage subscriber groups Spammer Blacklist User Group and Spammer Whitelist User
Group.
1. In the navigation tree, choose Subscriber and Network Management > Subscriber >
User Group Management.
2. Click Spammer Blacklist User Group. The View and Modify User Group dialog box
is displayed.
3. Click Add and select User1 in the list. Then click OK. A new record is displayed.
4. Click Close.
5. Repeat Step 4.2 to Step 4.4 to add User2 to Spammer Whitelist User Group.
5. In the External Spammer Whitelist group box, click Add. The Add Whitelist dialog box
is displayed.
6. Select IP Address Segment, and enter 222.22.22.22 in Start IP Address and
222.22.22.77 in End IP Address.
7. Click OK.
----End
Threshold for Suspicious Users, Threshold for Spammers
• If the detection score is smaller than Threshold for Suspicious Users, the user is identified
as a normal user.
• If the detection score is larger than or equal to Threshold for Spammers, the user is
identified as a spammer.
• If the detection score is between Threshold for Suspicious Users and Threshold for
Spammers, the user is identified as a suspicious user.
[Setting method] Enter a value in the text box.
[Value range] The value is an integer ranging from 1 to 100.

Control Policy
The following control modes are available for outbound mails:
• Pass: Mails sent by monitored users can directly pass the system without control. Users can
send mails normally.
• Block: Mails sent by monitored users are intercepted and blocked directly. As a result, users
cannot send mails.
• Limit: Mails sent by monitored users are limited. The following limiting methods are
available:
– Sessions Connection per Minute: The system limits the maximum number of SMTP
sessions established by the user, that is, limiting the maximum number of concurrent
connections.
– Mail Sent per Hour: The SIG limits the number of mails sent by the user per hour.
– SMTP Bandwidth (kbit/s): The SIG limits the SMTP traffic sent by the user in a certain
period.
[Setting method] Set the values by selecting option buttons or entering values in text boxes.

Priority
The smaller the value, the higher the priority. When a subscriber is bound with multiple policy
items of the same type, only the policy item with the highest priority level is valid.
For details on the policy priorities, see 5.4.15 Policy Priority Description.
[Setting method] Select an item from the drop-down list or enter a value into the text box.
[Value range] The value is an integer ranging from 1 to 9999.
15.3.1 Overview
This describes the categories and functions of spammer reports.
Prerequisites
Requirements are as follows:
Procedure
Step 1 Log in to the Back End.
Step 3 In the navigation tree, choose Statistics and Analysis Report > Spammer > Subscriber. Then
select the reports to be queried as required.
TIP
• If you select Save Query Conditions before querying reports, you do not need to enter query
conditions for the next query.
• To apply the report function for timed tasks, click Timed Task. For details, see 21.4 Managing Timed
Task Reports.
To save time for other operations, click Background Implementation. For details, see 21.5 Managing
Background Task Reports.
On the report query interface, you can export reports in different formats.
----End
Report Navigation
You can click the following links to view the report examples.
NOTE
The information in the following examples is subject to change without notice.
• Statistics and Analysis Report > Spammer > Subscriber > Top N Spammers by Mail
Number
• Statistics and Analysis Report > Spammer > Subscriber > Spammer Detection Log
• Statistics and Analysis Report > Spammer > Subscriber > Spammer Control Log
• Statistics and Analysis Report > Spammer > Subscriber > Blacklist Control Statistics
• Statistics and Analysis Report > Spammer > Subscriber > Comparison and Analysis
• Statistics and Analysis Report > Spammer > Subscriber > Evidence Log
• Statistics and Analysis Report > Spammer > Subscriber > External Recipient
Blocking Log
• Statistics and Analysis Report > Spammer > Subscriber > External Recipient Top N
Customers by Blocking Count
• Statistics and Analysis Report > Spammer > Subscriber > External Recipient Top N
Recipients by Blocking Count
Statistics and Analysis Report > Spammer > Subscriber > Top N Spammers by Mail
Number
Through this report, you can view top N spammers by mail number or traffic volume.
Statistics and Analysis Report > Spammer > Subscriber > Spammer Detection Log
After obtaining top N spammers, you can view the details of a spammer for analysis.
Figure 15-7 shows report examples.
NOTE
In a mail sending process (an SMTP flow), if the SIG detects a MAIL command, it regards it as a mail
sending attempt. If the MAIL, RCPT, and DATA commands are not detected, the SIG regards it as a sending
error. If an error occurs before a sending attempt, the Sent Mails Attempts does not change, but the
Sending Error Counts is increased by one.
Statistics and Analysis Report > Spammer > Subscriber > Spammer Control Log
Through this report, you can view the detailed control logs of a specified subscriber.
Statistics and Analysis Report > Spammer > Subscriber > Blacklist Control
Statistics
Through this report, you can view details on the control over mail sending by blacklisted internal
users.
Figure 15-9 shows report examples.
Statistics and Analysis Report > Spammer > Subscriber > Comparison and
Analysis
Through comparison and analysis, you can obtain the overall information about blacklist users,
whitelist users, normal users, suspicious users, and spammers.
NOTE
In user-based comparison analysis, data in five-minute granularity is an accumulated value within these
five minutes; data in the hourly granularity is an average value of each five minutes; data in the daily
granularity is an average value of each hour.
Statistics and Analysis Report > Spammer > Subscriber > Evidence Log
Through evidence logs, you can obtain detailed mail evidence of a specified subscriber.
Figure 15-11 shows report examples.
Statistics and Analysis Report > Spammer > Subscriber > External Recipient
Blocking Log
Recipient monitoring blocks emails that are sent from intranets to extranets and whose
recipients are in the blacklist. Through this report, you can view the detailed blocking log.
Figure 15-12 shows report examples.
Statistics and Analysis Report > Spammer > Subscriber > External Recipient Top
N Customers by Blocking Count
Recipient monitoring blocks emails that are sent from intranets to extranets and whose
recipients are in the blacklist. Through this report, you can view top N subscribers by blocking
count.
Figure 15-13 shows report examples.
Figure 15-13 Example of reports on external recipient top N customers by blocking count
Statistics and Analysis Report > Spammer > Subscriber > External Recipient Top
N Recipients by Blocking Count
Recipient monitoring blocks emails that are sent from intranets to extranets and whose
recipients are in the blacklist. Through this report, you can view top N mails or IP addresses of
recipients by blocking count.
Figure 15-14 shows report examples.
16 Anti-DDoS Service
The SIG provides the subnet-based anti-DDoS function and collects traffic statistics before and
after cleaning in report format.
[Figure labels: Internet, Intranet, Subnet]
The SIG provides the subnet-based Anti-DDoS function and thus can detect various
malformed packet attacks and flood attacks, such as TCP land, TCP WinNuke, TCP flag,
UDP Fraggle, and Ping of Death. The SIG supports dynamically learning the traffic model
of the protected object through the dynamic baseline technology, and effectively detects
and defends against various TCP attacks, UDP attacks, and application-layer DDoS attacks
through the unique fingerprint identification technology. In addition, abnormal traffic can
be cleaned through configured restriction measures. As a result, the services provided at
the destination IP address can be protected, and traffic statistics before and after cleaning
can be viewed by the configuration engineer.
• Subnet
A subnet is a collection of IP addresses and consists of one or multiple IP address
segments.
Subnets are protected by the Anti-DDoS service after the policy package is applied.
• Static baseline
The static baseline is a set of manually specified values used to identify DDoS attack traffic.
It includes network indicators such as the TCP traffic packet rate, UDP traffic packet rate,
and UDP traffic bandwidth.
The static baseline values do not change with network traffic. The static baseline can be used
when traffic changes on the subnet are relatively regular and stable.
• Dynamic baseline
The dynamic baseline is a set of values learned dynamically from the traffic features of the
protected object. It is refreshed according to the running status of the current network.
The dynamic baseline changes as network traffic changes. When the dynamic baseline is
established and no attack occurs, the SIG refreshes the traffic baseline regularly.
The system dynamically learns the traffic baseline according to the cycle configured by the
configuration engineer.
– During the learning cycle, the system adopts the static baseline to detect abnormal
traffic. If the static baseline is not exceeded, the network status is considered to be
normal. The system records the network indicators in this cycle and generates the
dynamic baseline.
– After the learning cycle is complete, the system adopts the dynamic baseline to detect
abnormal traffic.
• Fingerprint cleaning
The fingerprint cleaning function obtains and identifies the fingerprint features of attack
packets to clean attack traffic.
An attacker launches DDoS attacks by controlling zombies that send a large number of
malicious requests to the target, so the packets sent to the target share the same features.
When the SIG identifies an attacked IP address, it starts fingerprint learning on the traffic
sent to that destination IP address. After the features of all attack packets are
learned, the SIG directly discards subsequent packets that match the fingerprint features.
16.2.1 Overview
This section describes the functions supported by the Anti-DDoS service.
Adding and applying a DDoS policy package defends subnets against DDoS attacks. A policy
package can contain multiple types of policy items, but only one item of each type. The
policy item types are as follows:
• Static baseline
The static baseline policy item enables the traffic baseline values used to identify DDoS attacks.
You can change the default values according to the traffic of the protected subnet, and
determine whether to enable the detection of abnormal packets. If the detection of abnormal
packets is enabled, the SIG detects and discards abnormal packets or illegitimate packets.
In an Anti-DDoS policy package, add the static baseline policy item first, and
then the dynamic baseline or cleaning policy items.
• Dynamic baseline
The dynamic baseline policy item enables the traffic learning switch, which generates the values
of the dynamic baseline, and sets the tolerance deviation percentage used to determine the attack
threshold. Attack threshold = baseline value x (1 + allowable deviation percentage).
If the traffic learning switch is not enabled or the cycle of learning the dynamic baseline
has not ended, the SIG adopts the static baseline to detect anomalies. After the learning cycle
ends, the system adopts the dynamic baseline to detect anomalies.
In this case, if the traffic learning switch is not disabled manually, the system adjusts the
dynamic baseline by continuously learning the traffic on the current network.
• Cleaning
The cleaning policy item enables the cleaning of DDoS attack traffic identified by the
system. The target value of cleaning can be adjusted according to the traffic of the
protected subnet on the current network.
When adding the cleaning policy item, you can determine whether to enable the
fingerprint-based cleaning switch:
– If yes, for the attack packets whose fingerprint features can be extracted, the system
identifies their fingerprint features and cleans the packets directly. For other attack
packets, the system discards them and thus cleans attack traffic to the specified target
threshold.
– If no, the system cleans attack traffic to the specified target threshold only by discarding
packets.
Prerequisites
Requirements are as follows:
• 4.7 Configuring the Subnet is complete, and the name of the subnet to be protected is
ExampleSubnet1.
• The current user has the Security Defense and Subscriber and Network Management
service permissions.
Requirement Description
Figure 16-2 shows the networking of a carrier. The Anti-DDoS service needs to be enabled for
ExampleSubnet1. Requirements are as follows:
• The static baseline is adopted to detect DDoS attacks in the first seven days. After that, the
automatically-learned dynamic baseline is adopted to detect DDoS attacks.
• When the dynamic baseline is generated, Historical Traffic Weight is 80% and Tolerance
Deviation Percentage is 60%. In this case, the threshold for identifying attacks = baseline
value x (1 + 60%).
• Detection of abnormal packets, traffic cleaning, and fingerprint-based cleaning are enabled.
NOTE
When you are not certain about the static baseline, you can leave the cleaning functions disabled until the
automatic learning of the dynamic baseline is finished.
Figure 16-2 Networking diagram of the example for configuring the Anti-DDoS service
[Figure 16-2 labels: Internet, Anti-DDoS, Front End, Back End, Intranet, ExampleSubnet1]
Procedure
Step 1 Log in to the Back End.
Step 2 Add a policy package.
1. In the navigation tree, choose Security Defense > DDoS > DDoS Policy Package
Management.
2. Click Add.
3. Set Name to myDDoS, and click Save.
4. Select Static Baseline from Item Type, and click Add.
5. In the pop-up dialog box, select the check box of Abnormal Packet Detection. Set other
parameters as required, as shown in Figure 16-3.
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Select Dynamic Baseline from Item Type, and click Add.
8. Set parameters according to Figure 16-4.
9. Click OK. The system returns to the previous page and displays the added policy item.
10. Select Cleaning from Item Type, and click Add.
11. Set parameters according to Figure 16-5.
12. Click OK. The system returns to the previous page and displays the added policy item, as
shown in Figure 16-6.
13. Click Close. The system returns to the previous page and displays the added policy package.
Step 3 Apply the policy package.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Subnet And AS Domain Group > Policy Application.
2. Click Add.
3. Set parameters according to Figure 16-7.
4. Click OK. The system returns to the previous page and displays a new record.
----End
Parameter: Historical traffic weight
Description: The historical traffic weight indicates the weight of the historical baseline value
when the current dynamic baseline is generated. Current dynamic baseline = maximum current
traffic x (1 - historical traffic weight) + historical baseline value x historical traffic weight.
Setting method: Enter the historical traffic weight in the text box.
Parameter: Learning cycle
Description: This indicates the learning cycle of a dynamic baseline. If the cycle of learning the
dynamic baseline does not end, the SIG adopts the static baseline to detect anomalies. After the
learning cycle ends, the system adopts the dynamic baseline to detect anomalies.
In this case, if the traffic learning switch is not disabled manually, the system adjusts the
dynamic baseline by continuously learning the traffic on the current network.
Setting method: Enter the learning cycle in the text box.
Parameter: Fingerprint clean switch
Description: The fingerprint clean switch is to enable the function of fingerprint-based cleaning.
• If the fingerprint clean switch is enabled, for the attack packets whose fingerprint
features can be extracted, the system identifies their fingerprint features and
cleans the packets directly. For other attack packets, the system discards them and thus
cleans attack traffic to the specified target threshold.
• If the fingerprint clean switch is disabled, the system only discards packets to clean
attack traffic to the specified target threshold.
Setting method: Select the check box.
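The two baseline formulas (attack threshold and historical traffic weight) and the switch from static to dynamic baseline, worked through for the seven-day example with weight 80% and tolerance 60%. This Python example is added here and is not Huawei code; the class and function names, the daily period length, the seeding of the first baseline from the first clean period, and the rule that a period containing an attack does not refresh the baseline are assumptions.

```python
"""Static-to-dynamic baseline switch-over, following the formulas in this chapter.

Added illustration, not SIG code. Points marked ASSUMPTION are not stated in the guide.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class BaselineDetector:
    static_baseline: float            # operator-set value, e.g. UDP packets/s
    learning_periods: int             # length of the learning cycle, in periods
    history_weight_pct: int = 80      # "Historical Traffic Weight"
    tolerance_pct: int = 60           # "Tolerance Deviation Percentage"
    dynamic_baseline: Optional[float] = None
    periods_seen: int = 0

    def using_dynamic(self) -> bool:
        # Dynamic detection starts only after the learning cycle has ended and
        # only if at least one clean period produced a baseline value.
        return (self.periods_seen >= self.learning_periods
                and self.dynamic_baseline is not None)

    def threshold(self) -> float:
        # Attack threshold = baseline value x (1 + deviation percentage) applies
        # to the dynamic baseline; the static baseline is used as configured.
        if self.using_dynamic():
            return self.dynamic_baseline * (100 + self.tolerance_pct) / 100
        return self.static_baseline

    def observe_period(self, samples: List[float]) -> List[int]:
        """Check one period of rate samples; return indexes flagged as attack."""
        if not samples:
            raise ValueError("a period needs at least one sample")
        limit = self.threshold()
        flagged = [i for i, rate in enumerate(samples) if rate > limit]
        if not flagged:
            # ASSUMPTION: only periods without an attack refresh the baseline.
            peak = max(samples)       # "maximum current traffic"
            if self.dynamic_baseline is None:
                # ASSUMPTION: the first clean period seeds the history.
                self.dynamic_baseline = peak
            else:
                w = self.history_weight_pct
                self.dynamic_baseline = (
                    peak * (100 - w) + self.dynamic_baseline * w) / 100
        self.periods_seen += 1
        return flagged


# Constructed sample data: rate samples (packets/s) for eight daily periods.
SAMPLE_DAYS = [
    [3100, 4000, 3600],
    [4400, 5000, 4100],
    [4200, 3900, 4000],
    [3900, 12000, 11500],   # flood during the learning cycle: static baseline catches it
    [4700, 4500, 4200],
    [4300, 4100, 4000],
    [4800, 4600, 4400],
    [4100, 8000, 4300],     # smaller flood after learning: below the static baseline
]


def run_demo() -> List[Tuple[int, float, List[int], Optional[float]]]:
    """Return (day, threshold used, flagged sample indexes, baseline after the day)."""
    detector = BaselineDetector(static_baseline=10000, learning_periods=7)
    report = []
    for day, samples in enumerate(SAMPLE_DAYS, start=1):
        limit = detector.threshold()
        flagged = detector.observe_period(samples)
        report.append((day, limit, flagged, detector.dynamic_baseline))
    return report


if __name__ == "__main__":
    for day, limit, flagged, baseline in run_demo():
        state = "ATTACK" if flagged else "normal"
        print(f"day {day}: threshold={limit:.0f} baseline={baseline:.0f} {state} {flagged}")
```

On day 8 the 8000 packets/s burst stays under the static baseline of 10000 but exceeds the learned threshold of 7040, which is the case the dynamic baseline exists to catch.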
16.3.1 Overview
This section describes the categories and functions of Anti-DDoS reports.
• Attack log
Through the attack log report, you can view details about the DDoS attacks of the specified
traffic type in the specified time range, including the logs of ongoing attacks and ended
attacks.
• Attack traffic
Through the attack traffic report, you can view the comparison of the attack traffic of the
specified type in the specified time range before and after cleaning.
• Dynamic baseline
Through the dynamic baseline report, you can view the current and history values of the
dynamic baseline of the protected subnet.
Prerequisites
Requirements are as follows:
Procedure
Step 1 Log in to the Back End.
Step 2 In the navigation tree, choose Statistics and Analysis Report > DDoS. Select the reports to be
queried as required.
• If you select Save Query Conditions before querying reports, you do not need to enter query
conditions for the next query.
• To apply the report function for timed tasks, click Timed Task. For details, see 21.4 Managing Timed
Task Reports.
NOTE
To save time for other operations, click Background Implementation. For details, see 21.5 Managing
Background Task Reports.
On the report query interface, you can export reports in different formats:
----End
Report Navigation
You can click the following links to view the report examples.
NOTE
The information in the following examples is subject to change without notice.
• Statistics and Analysis Report > DDoS > Attack Log
• Statistics and Analysis Report > DDoS > Attack Traffic
• Statistics and Analysis Report > DDoS > Dynamic Baseline
17 Anti-Botnet Service
The Anti-Botnet service can identify and control Botnet traffic on the network, thus providing
users with a secure network environment.
• Botnet
A Botnet is a network formed when a controller infects many hosts with malicious bot programs
by one or more means. The controller and zombies form a one-to-many control
network.
By employing Botnets, hackers can not only launch DDoS attacks, intercept personal
confidential information, and spread malware, but also blackmail target Web sites or even
lease Botnets for their own interests. As a result, users' network environments are severely
threatened.
• Anti-Botnet service
The Anti-Botnet service protects users' network resources against the harm caused by
Botnets. Based on features of the Botnet programs, the SIG can detect and control Botnet
programs in advance (for example, alarming or blocking Botnet programs) to eliminate the
hidden security risks on the network. This service enhances user online experience and
protects carriers' reputation.
In in-line mode, the SIG supports bot program detection and control, and report query. In
off-line mode, the SIG supports only bot program detection, and the query of certain reports
(such as the detection log report).
Figure 17-1 shows the schematic diagram of the Anti-Botnet service.
[Figure 17-1 labels: Router, Front End, BRAS, User; traffic: Botnet traffic, Normal traffic; actions: Pass, Alarm, Block]
• Bot program
A bot program can either automatically implement predefined functions or be controlled
by predefined commands. Bot programs on Botnets perform malicious functions.
• Controller
A controller refers to a PC that spreads bot programs through zombie tools. The SIG can
identify level-1 controllers (who control zombies directly) on the network, and query related
information about controllers through reports on detection logs and controller statistics.
NOTE
For extranet controllers, the SIG can log their IP addresses only.
• Zombie
A zombie refers to a computer installed with malicious bot programs or other malicious
remote control programs.
• Zombie tool
A zombie tool is used by a controller to spread malicious bot programs.
• Anti-Malware Engine (AME)
As one type of the knowledge base of the SIG, the AME collects the features of known
worms and bot programs. The system analyzes the traffic passing by and matches it against the
virus features in the AME. If a match is found, the traffic is regarded as malicious traffic, and
the system then performs further operations according to the predefined policy package, for
example, alarm or block.
17.2.1 Overview
This section describes the basic concepts of the Anti-Botnet service.
• Policy item type
– Control
– Block
The SIG blocks the traffic infected with bot programs.
– Pass
The SIG allows the traffic infected with bot programs through.
– Alarm
The SIG pushes alarms to users, notifying them of the Botnet program.
Alarming is applicable to the subscribers infected with bot programs only. The SIG
pushes an alarm only when subscribers access HTTP Web sites such as
www.example.com/news.
The Anti-Botnet service of the SIG performs control policies towards controllers, and it
performs control and alarm policies towards the Botnet programs to ensure that all Botnet
traffic passing through the SIG is processed. In so doing, users are provided with secure
network environments.
• Policy item priority
The priority value is specified in the policy item definition. The smaller the value, the higher
the priority. The value is an integer that ranges from 1 to 9,999. The value is globally unique
in the system.
Prerequisites
Requirements are as follows:
• 4 Subscriber and Network Object Initialization is complete, and the subscriber to be
managed belongs to area haidian.
• The current user has the Security Defense service permission.
Requirement Description
The SIG is deployed at the access layer of a MAN in in-line mode, as shown in Figure 17-2.
After the anti-Botnet service for subscribers in the haidian district is enabled, the SIG pushes
an alarm page (suppose that the page is www.alarm.com) to the users infected with bot
programs, and blocks the Botnet traffic.
Requirements for configuring the Anti-Botnet service are as follows:
• Alarm URL www.alarm.com is specified.
• Subscriber-based policy package botnet is configured.
• The policy package should contain alarm policy item botnet_alarm, policy object
Zombie, and alarm URL www.alarm.com.
• The policy package should contain control policy item botnet_control, policy object
Zombie, and control mode Block.
[Figure 17-2 labels: Router, DPI system, BRAS, Users]
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 Add an alarm URL.
1. In the navigation tree, choose Basic Configuration > User Message Configuration >
Alarm URL Management.
2. Click Add.
3. In the pop-up dialog box, enter the alarm URL, as shown in Figure 17-3. Click OK. The
alarm URL is saved.
If the alarm URL has not been added before this operation, you need to add it. For details,
refer to 22.4 Managing the Alarm Address or 22.5 Managing the Dynamic
Alarm.
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Select Control from Item Type and click Add.
8. Configure policy item botnet_control in the pop-up dialog box, as shown in Figure
17-5.
9. Click OK. The system returns to the previous page and displays the added policy item.
10. Click Close. The system returns to the previous page and displays the added policy package.
Prerequisites
Requirements are as follows:
• 4 Subscriber and Network Object Initialization is complete, and the VIC to be managed
belongs to area haidian.
• The current user has the Security Defense service permission.
Requirement Description
The SIG is deployed at the access layer of a MAN in in-line mode, as shown in Figure 17-7.
After the anti-Botnet service for VICs in the haidian district is enabled, the SIG blocks all
identified Botnet traffic, including that of controllers and zombies.
Requirements for configuring the Anti-Botnet service are as follows:
• VIC-based policy package botnet is configured.
• The policy package contains two control policy items botnet_control1 and
botnet_control2.
The policy objects of policy items botnet_control1 and botnet_control2 are controller
and zombie respectively. The control modes for both policy items are Block.
[Figure 17-7 labels: Router, DPI system, BRAS, Users]
Procedure
Step 1 Log in to the Back End of the SIG.
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Click Add and configure policy item botnet_control2 in the pop-up dialog box, as shown
in Figure 17-9.
8. Click OK. The system returns to the previous page and displays the added policy item.
9. Click Close. The system returns to the previous page and displays the added policy package.
1. In the navigation tree, choose Subscriber and Network Management > Very Important
Customer > Policy Application.
2. Click Add.
3. Set parameters in the dialog box that is displayed. Figure 17-10 shows parameter settings.
----End
17.3.1 Overview
This section describes the classifications, functions, and related concepts of Anti-Botnet reports.
Through this report, you can view the information about top N customers by detected packet
number in descending order, based on query conditions such as the analysis object and
zombie tool.
• Detection log
Through this report, you can view the information about Botnet detection logs (including
the botnet flag and discovery time) within the given time range, based on query conditions
such as the analysis object and zombie tool.
• Controller statistics
Through this report, you can view statistics on Botnet controllers (including the zombie
tool and count) within the given time range, based on query conditions such as the analysis
object and zombie tool.
• Area statistics
Through this report, you can view statistics on Botnet controllers, zombies, and zombie
tool types (including the analysis object and time) in the specified area, based on query
conditions such as the analysis object and time range.
• Control count statistics
Through this report, you can view statistics on Botnet control counts (including the analysis
object and zombie tool) within the given time range, based on query conditions such as the
analysis object and zombie tool.
Prerequisites
Requirements are as follows:
• 4 Subscriber and Network Object Initialization is complete.
• The current user has the Statistics and Analysis Report service permission.
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 In the navigation tree, choose Statistics and Analysis Report > Botnet.
Step 3 Enter query conditions according to prompts.
TIP
• If you select Save Query Conditions before querying reports, you do not need to enter query
conditions for the next query.
• To apply the report function for timed tasks, click Timed Task. For details, see 21.4 Managing Timed
Task Reports.
NOTE
To save time for other operations, click Background Implementation. For details, see 21.5 Managing
Background Task Reports.
On the report query interface, you can export reports in different formats:
----End
Report Navigation
You can click the following links to view the report examples.
NOTE
The information in the following examples is subject to change without notice.
• Statistics and Analysis Report > Botnet > Subscriber/VIC > Top N Tools by Detected Count
• Statistics and Analysis Report > Botnet > Subscriber/VIC > Top N Customers by Detected Packet Number
• Statistics and Analysis Report > Botnet > Subscriber/VIC > Detection Log
• Statistics and Analysis Report > Botnet > Subscriber/VIC > Controller Statistics
• Statistics and Analysis Report > Botnet > Subscriber/VIC > Area Statistics
• Statistics and Analysis Report > Botnet > Subscriber/VIC > Control Count Statistics
Statistics and Analysis Report > Botnet > Subscriber/VIC > Top N Tools by Detected Count
Through this report, you can view statistics on top N tools by detected count in descending
order for the specified subscriber/VIC within a given time range.
Figure 17-11 shows a report screenshot of the top 5 tools by detected count for subscribers in an
area within a given time range.
Statistics and Analysis Report > Botnet > Subscriber/VIC > Top N Customers by Detected Packet Number
Through this report, you can view statistics on top N customers by detected packet number in
descending order for the specified subscriber/VIC within a given time range.
Figure 17-12 shows a report screenshot of the top 5 customers by detected packet number for
subscribers in an area within a given time range.
Figure 17-12 Example of the report on top 5 customers by detected packet number
Statistics and Analysis Report > Botnet > Subscriber/VIC > Detection Log
Through this report, you can view statistics on the detection logs of Botnets for the specified
subscriber/VIC within a given time range.
Figure 17-13 shows a report screenshot of the detection logs of Botnets for subscribers in an area
within a given time range.
Statistics and Analysis Report > Botnet > Subscriber/VIC > Controller Statistics
Through this report, you can view information about the specified subscriber/VIC acting as a
controller within a given time range.
The controller statistics report provides information about controllers on both internal and
external networks. The system, however, can detect only the IP addresses of controllers on
external networks. Therefore, to query information about a controller on the external network,
you need to set the IP address. You can obtain the IP address of the controller by querying the
detection log report.
Figure 17-14 shows a report screenshot of the controller statistics of subscribers in an area within
a given time range.
Statistics and Analysis Report > Botnet > Subscriber/VIC > Area Statistics
Through this report, you can view statistics on the Botnet detection information (including
statistics on the total numbers of controllers, zombies, and zombie tools) for subscribers/VICs
in the specified area within a given time range.
Figure 17-15 shows a report screenshot of statistics on the total number of zombies for subscribers
in an area within a given time range.
Statistics and Analysis Report > Botnet > Subscriber/VIC > Control Count Statistics
Through this report, you can view the counts of Botnet control actions (blocked connections or
pushed alarms) for the specified subscriber/VIC within a given time range.
Figure 17-16 shows a report screenshot of alarm pushing counts for subscribers in an area within
a given time range.
18 Anti-Worm Service
The Anti-Worm service can identify and control worm traffic on the network, thus providing
users with a secure network environment.
• Worm
A worm is a program with a spreading function. The program, which contains malicious
code, can spread itself to other PCs without manual intervention. The defining feature
of worms is their self-replication.
• Anti-Worm Service
Recently, network users have been badly affected by worms that change form and flood networks.
Worms consume huge network resources and may be accompanied by other viruses with specific
purposes, which may lead to the leakage of network users' private information, loss of large
amounts of confidential information, network fraud, or network breakdown. As a result,
network users cannot normally enjoy the convenience of networks, their personal
information may be leaked, and carriers' reputation may be severely damaged.
The Anti-Worm service detects and controls worms in advance (for example, blocking
worms) to eliminate the hidden security risks on the network. This service enhances user
online experience and protects carriers' reputation.
In in-line mode, the SIG supports worm detection and control, and report query. In off-line
mode, the SIG supports worm detection only.
Figure 18-1 shows the schematic diagram of the Anti-Worm service.
[Figure 18-1 labels: Router, Front End, BRAS, User; traffic: Worm traffic, Normal traffic; actions: Pass, Alarm, Block, Limit]
As one type of the knowledge base of the SIG, the AME collects the features of known
worms and Bot programs. The system analyzes the traffic passing by and matches virus
information in the AME. If the match succeeds, the traffic is regarded as malicious traffic,
and then the corresponding operation (alarm or control) is required.
18.2.1 Overview
This section describes the basic concepts of the Anti-Worm service.
Prerequisites
The following requirements should be met:
• 4.4 Configuring the Link is complete, and the link to be managed is 10G-1-1-linka.
• The current user has the Security Defense service permission.
Requirement Description
The SIG is deployed at the egress of a MAN in in-line mode, as shown in Figure 18-2. It is
required to process worm traffic on 10G-1-1-linka as follows:
• When the SIG identifies that the worm traffic bandwidth on the link is lower than 10 Mbit/s,
it allows all the traffic through.
• When the SIG identifies that the worm traffic bandwidth on the link is between 10 Mbit/s and 20
Mbit/s, it allows only 5 Mbit/s traffic through.
• When the SIG identifies that the worm traffic bandwidth on the link is higher than 20 Mbit/s,
it blocks the traffic.
[Figure 18-2 labels: Router, DPI system, BRAS, Users]
The threshold is for traffic of links. Data configuration engineers can set the threshold according to the
actual network traffic volume. When the traffic volume is equal to or higher than the threshold, the system
takes corresponding control measures, such as pass, block, or limit. In this example, when the threshold is
set to 10 Mbit/s, the system performs the limit policy, and when the threshold is set to 20 Mbit/s, the system
performs the block policy.
Procedure
Step 1 Log in to the Back End of the SIG.
1. In the navigation tree, choose Security Defense > Worm > Worm Link Policy Package
Management.
2. Click Add.
3. Configure policy package worm and click Save in the pop-up dialog box.
4. Select Control from Item Type and click Add.
5. Configure policy item worm1 in the pop-up dialog box, as shown in Figure 18-3.
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Repeat Step 2.4 to Step 2.6 to configure policy item worm2, as shown in Figure 18-4.
8. Click Close. The system returns to the previous page and displays the added policy package.
Step 3 Apply a policy package.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Physical Link Management > Link Policy Application.
2. Click Add.
3. Set parameters in the dialog box that is displayed. Figure 18-5 shows parameter settings.
Prerequisites
Requirements are as follows:
• 4 Subscriber and Network Object Initialization is complete, and the subscriber to be
managed belongs to area haidian.
• The current user has the Security Defense service permission.
Requirement Description
The SIG is deployed at the access layer of a MAN in in-line mode, as shown in Figure 18-6.
After the anti-worm service for subscribers in the haidian district is enabled, the SIG pushes an
alarm page (suppose that the page is www.alarm.com) to the users infected with worms, and
blocks worm traffic.
Requirements for configuring the Anti-Worm service are as follows:
• Alarm URL www.alarm.com is specified.
• Subscriber-based policy package worm is configured.
• This policy package should contain one alarm policy item whose alarm URL is
www.alarm.com.
• The policy package should contain one control policy item whose control type is block.
[Figure 18-6 labels: Router, DPI system, BRAS, Users]
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 Add an alarm URL.
1. In the navigation tree, choose Basic Configuration > User Message Configuration >
Alarm URL Management.
2. Click Add.
3. In the pop-up dialog box, enter the alarm URL, as shown in Figure 18-7. Click OK. The
alarm URL is saved.
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Select Control from Item Type and click Add.
8. Set Control Type to Block in the pop-up dialog box, as shown in Figure 18-9.
9. Click OK. The system returns to the previous page and displays the added policy item.
10. Click Close. The system returns to the previous page and displays the added policy package.
Step 4 Apply a policy package.
1. In the navigation tree, choose Subscriber and Network Management > Subscriber >
Policy Application.
2. Click Add.
3. Set parameters in the dialog box that is displayed. Figure 18-10 shows parameter settings.
----End
Prerequisites
Requirements are as follows:
• 4 Subscriber and Network Object Initialization is complete, and the VIC to be managed
belongs to area haidian.
• The current user has the Security Defense service permission.
Requirement Description
The SIG is deployed at the access layer of a MAN in in-line mode, as shown in Figure 18-11.
After the anti-worm service for VICs in the haidian district is enabled, the SIG blocks all the
identified worm traffic.
[Figure 18-11 labels: Router, DPI system, BRAS, Users]
Procedure
Step 1 Log in to the Back End of the SIG.
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Click Close. The system returns to the previous page and displays the added policy package.
----End
18.3.1 Overview
This section describes the classifications and functions of Anti-Worm reports.
• Subscriber
– Top N Customers by Attack Packet Number
Through this report, you can view statistics on top N customers by attack packet number
(including the number of attack packets and that of attacked packets) for the specified
subscriber within a given time range.
– Attack Log
Through this report, you can view statistics on attack logs for specified subscribers
within a given time range.
– Control Count Statistics
Through this report, you can view statistics on worm traffic control counts (including
block and alarm counts) for specified subscribers within a given time range.
• Very Important Customer
– Top N Customers by Attack Packet Number
Through this report, you can view statistics on top N customers by attack packet number
for the specified VIC within a given time range.
– Top N Customers by Attacked Packet Number
Through this report, you can view statistics on top N customers by attacked packet
number for the specified VIC within a given time range.
– Attack Statistics by IP Address
Through this report, you can view statistics on IP addresses from which worm attacks
are launched for a specified VIC within a given time range.
– Attack Log
Through this report, you can view statistics on the logs of worm attacks for the VIC at
the specified IP address within a given time range.
– Attacked Statistics by IP Address
Through this report, you can view statistics on the IP addresses attacked by worms for
a specified VIC within a given time range.
– Attacked Log
Through this report, you can view statistics on worm-attacked logs for the VIC at the
specified IP address within a given time range.
– Control Count Statistics of Attacking VICs
Through this report, you can view statistics on worm attack control counts for a specified
VIC within a given time range.
– Control Count Statistics of Attacked VICs
Through this report, you can view statistics on worm-attacked counts for a specified
VIC within a given time range.
• Link
– Top N Worms by Attack Packet Number
Through this report, you can view statistics on top N worms by attack packet number
(including the number of attack packets and that of attacked packets) for the specified
link within a given time range.
– Attack Log
Through this report, you can view statistics on attack logs for a specified link within a
given time range.
– Control Statistics
Through this report, you can view statistics on the control (including block times,
blocked traffic, and the number of blocked packets) over worm traffic on a specified
link within a given time range.
Prerequisites
Requirements are as follows:
• 4 Subscriber and Network Object Initialization is complete.
• The current user has the Statistics and Analysis Report service permission.
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 In the navigation tree, choose Statistics and Analysis Report > Worm.
Step 3 Enter query conditions according to prompts.
TIP
• If you select Save Query Conditions before querying reports, you do not need to enter query conditions
for the next query.
• To apply the report function for timed tasks, click Timed Task. For details, see 21.4 Managing Timed
Task Reports.
• To save time for other operations, click Background Implementation. For details, see 21.5 Managing
Background Task Reports.
On the report query interface, you can export reports in different formats:
----End
Report Navigation
You can click the following links to view the report examples.
NOTE
The information in the following examples is subject to change without notice.
• Statistics and Analysis Report > Worm > Subscriber > Top N Customers by Attack
Packet Number
• Statistics and Analysis Report > Worm > Subscriber > Attack Log
• Statistics and Analysis Report > Worm > Subscriber > Control Count Statistics
Statistics and Analysis Report > Worm > Subscriber > Top N Customers by Attack
Packet Number
Through this report, you can view statistics on top N customers by attack packet number
(including the number of attack packets and that of attacked packets) for the specified subscriber
within a given time range.
Figure 18-14 shows the report screenshot of the top 3 customers by attack packet number for subscribers
in an area within a given time range.
Figure 18-14 Example of the report on top 3 customers by attack packet number
Statistics and Analysis Report > Worm > Subscriber > Attack Log
Through this report, you can view statistics on attack logs for specified subscribers within a
given time range.
Figure 18-15 shows the report screenshot of the attack logs of specified customers within a
given time range.
Statistics and Analysis Report > Worm > Subscriber > Control Count Statistics
Through this report, you can view statistics on worm traffic control counts (including block and
alarm counts) for specified subscribers within a given time range.
Figure 18-16 shows the report screenshot of worm traffic block counts of specified customers
within a given time range.
Report Navigation
You can click the following links to view the report examples.
NOTE
The information in the following examples is subject to change without notice.
• Statistics and Analysis Report > Worm > VIC > Top N Customers by Attack Packet
Number
• Statistics and Analysis Report > Worm > VIC > Top N Customers by Attacked Packet
Number
• Statistics and Analysis Report > Worm > VIC > Attack Statistics by IP Address
• Statistics and Analysis Report > Worm > VIC > Attack Log
• Statistics and Analysis Report > Worm > VIC > Attacked Statistics by IP Address
• Statistics and Analysis Report > Worm > VIC > Attacked Log
• Statistics and Analysis Report > Worm > VIC > Control Count Statistics of Attacking
VICs
• Statistics and Analysis Report > Worm > VIC > Control Count Statistics of Attacked
VICs
Statistics and Analysis Report > Worm > VIC > Top N Customers by Attack Packet
Number
Through this report, you can view statistics on top N customers by attack packet number for the
specified VIC within a given time range.
Figure 18-17 shows the report screenshot of the top 2 customers by attack packet number for VICs in
a specified area within a given time range.
Figure 18-17 Example of the report on top 2 customers by attack packet number
Statistics and Analysis Report > Worm > VIC > Top N Customers by Attacked
Packet Number
Through this report, you can view statistics on top N customers by attacked packet number for
the specified VIC within a given time range.
Figure 18-18 shows the report screenshot of the top 2 customers by attacked packet number for VICs
in an area within a given time range.
Figure 18-18 Example of the report on top 2 customers by attacked packet number
Statistics and Analysis Report > Worm > VIC > Attack Statistics by IP Address
Through this report, you can view statistics on IP addresses from which worm attacks are
launched for a specified VIC within a given time range.
Figure 18-19 shows the report screenshot of IP addresses from which worm attacks are launched
for a specified VIC within a given time range.
Statistics and Analysis Report > Worm > VIC > Attack Log
Through this report, you can view statistics on the logs of worm attacks for the VIC at the
specified IP address within a given time range.
Figure 18-20 shows the report screenshot of the logs of worm attacks for the VIC at an IP address
within a given time range.
Statistics and Analysis Report > Worm > VIC > Attacked Statistics by IP Address
Through this report, you can view statistics on the IP addresses attacked by worms for a specified
VIC within a given time range.
Figure 18-21 shows the report screenshot of the IP addresses attacked by worms for a specified
VIC within a given time range.
Statistics and Analysis Report > Worm > VIC > Attacked Log
Through this report, you can view statistics on worm-attacked logs for the VIC at the specified
IP address within a given time range.
Figure 18-22 shows the report screenshot of worm-attacked logs for the VIC at an IP address
within a given time range.
Statistics and Analysis Report > Worm > VIC > Control Count Statistics of
Attacking VICs
Through this report, you can view statistics on worm attack control counts for a specified VIC
within a given time range.
Figure 18-23 shows the report screenshot of worm attack control counts for a specified VIC
within a given time range.
Statistics and Analysis Report > Worm > VIC > Control Count Statistics of Attacked
VICs
Through this report, you can view statistics on worm-attacked counts for a specified VIC within
a given time range.
Figure 18-24 shows the report screenshot of worm-attacked control counts for a specified VIC
within a given time range.
Report Navigation
You can click the following links to view the report examples.
NOTE
The information in the following examples is subject to change without notice.
• Statistics and Analysis Report > Worm > Link > Top N Worms by Attack Packet
Number
• Statistics and Analysis Report > Worm > Link > Attack Log
• Statistics and Analysis Report > Worm > Link > Control Statistics
Statistics and Analysis Report > Worm > Link > Top N Worms by Attack Packet
Number
Through this report, you can view statistics on top N worms by attack packet number (including
the number of attack packets and that of attacked packets) for the specified link within a given
time range.
Figure 18-25 shows the report screenshot of the top 5 worms by attack packet number for a link within
a given time range.
Figure 18-25 Example of the report on top 5 worms by attack packet number
Statistics and Analysis Report > Worm > Link > Attack Log
Through this report, you can view statistics on attack logs for a specified link within a given
time range.
Figure 18-26 shows the report screenshot of the attack logs of a specified link within a given
time range.
Statistics and Analysis Report > Worm > Link > Control Statistics
Through this report, you can view statistics on the control (including block times, blocked traffic,
and the number of blocked packets) over worm traffic on a specified link within a given time
range.
Figure 18-27 shows the report screenshot of the number of blocked worm packets on a specified
link within a given time range.
19 Security Service
Through the security service, the SIG can filter malicious URLs, and implement the Anti-Botnet
and Anti-Worm, providing a secure network environment for network users subscribing to the
service.
The SIG supports dividing URLs into different categories, and configuring control policies for
the URLs of a certain category. Malicious Web sites is a URL category.
[Figure; recoverable labels: Content downloading, DSE system, HTTP traffic mirroring, Front End, UCDB, UCSP, BRAS, UCSS, Service traffic, Malicious URL information]
cache. For the implementation of URL policies, the user-defined category enjoys the
highest priority, then the DSE category, and last the predefined category.
• If the URL matches a user-defined category in the SPS cache, control is implemented
according to the corresponding control policy for the user-defined category.
• If the URL matches a predefined category in the SPS cache, control is implemented
according to the corresponding control policy for the predefined category.
• If the URL matches a DSE category in the SPS cache, the SPS needs to query the UCSS
for the corresponding category information of the URL.
– If the URL matches a user-defined category in the UCSS, control is implemented
according to the corresponding control policy for the user-defined category. Then
the DSE and user-defined category information is both cached in the SPS for the
URL. If the URL is re-accessed, it can be queried directly from the cache.
– If the URL matches a predefined category in the UCSS, control is implemented
according to the corresponding control policy for the DSE category. Then the DSE
and predefined category information is both cached in the SPS for the URL. If the
URL is re-accessed, it can be queried directly from the cache.
• If the URL matches both the user-defined category and the DSE category in the SPS
cache, control is implemented according to the corresponding control policy for the
user-defined category. If there is no policy for the user-defined category, control is
implemented according to the corresponding control policy for the DSE category.
• If the URL matches both the DSE category and the predefined category in the SPS
cache, control is implemented according to the corresponding control policy for the
DSE category. If there is no policy for the DSE category, control is implemented
according to the corresponding control policy for the predefined category.
2. User-defined category database of the URL category server.
When the category information corresponding to the URL cannot be queried in the SPS
cache, the SPS requests the query of the category information corresponding to the URL
to the URL category server. There are three kinds of URL category databases on the URL
category server: user-defined category database, user-defined blurry category database, and
predefined category database. The user-defined category database is queried first.
3. URL category server (user-defined blurry category database, queried according to the
priority of the blurry URL).
When the URL category cannot be queried in the user-defined URL category database, the
URL category server queries the user-defined blurry category database.
4. URL category server (predefined category database).
When the URL category cannot be queried in the user-defined URL blurry category
database, the URL category server queries the predefined category database.
If the query on the predefined category database is complete, but the URL category still cannot
be queried, the URL is identified as an unknown URL and stored on the URL category server.
The URL category server periodically reports unknown URLs to the UCSP.
If the policy corresponding to the URL category is not found in the SPS, the URL is allowed.
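The lookup order and policy precedence described above, modelled as an added Python example (not Huawei code and not part of the original guide). Class names, sample URLs, categories and actions are constructed; wildcard matching for blurry URLs and "smaller priority value first" are assumptions, and the UCSS re-query for DSE categories is left out.

```python
from fnmatch import fnmatchcase

# Policy precedence between category kinds, highest first (from the text above).
PRECEDENCE = ("user_defined", "dse", "predefined")


class CategoryServer:
    """Stand-in for the URL category server and its three databases."""

    def __init__(self, user_defined, blurry, predefined):
        self.user_defined = user_defined  # exact URL -> category
        self.blurry = blurry              # (priority, pattern, category) tuples
        self.predefined = predefined      # exact URL -> category
        self.unknown = []                 # unknown URLs kept for later reporting

    def lookup(self, url):
        """Query the databases in the documented order; return {kind: category}."""
        if url in self.user_defined:
            return {"user_defined": self.user_defined[url]}
        # Assumption: wildcard patterns, smaller priority value is tried first.
        for _prio, pattern, category in sorted(self.blurry):
            if fnmatchcase(url, pattern):
                return {"user_defined": category}
        if url in self.predefined:
            return {"predefined": self.predefined[url]}
        if url not in self.unknown:
            self.unknown.append(url)
        return {}


class SPS:
    """Stand-in for the SPS: category cache plus per-category control policies."""

    def __init__(self, server, policies):
        self.server = server
        self.policies = policies  # (kind, category) -> action string
        self.cache = {}           # URL -> {kind: category}

    def decide(self, url):
        """Return (action, deciding_kind, source) for one URL."""
        if url in self.cache:
            categories, source = self.cache[url], "cache"
        else:
            categories, source = self.server.lookup(url), "server"
            if categories:
                self.cache[url] = categories
        for kind in PRECEDENCE:
            category = categories.get(kind)
            action = self.policies.get((kind, category))
            if action is not None:
                return action, kind, source
        # No category matched, or no policy for any matched category:
        # the documented behaviour is that the URL is allowed.
        return "allow", None, source


def build_demo():
    """Constructed sample data; every URL, category and action is made up."""
    server = CategoryServer(
        user_defined={"bad.example/login": "Carrier blocklist"},
        blurry=[
            (20, "*.example/ads/*", "Advertising"),
            (10, "cdn.example/*", "Carrier blocklist"),
        ],
        predefined={"news.example/": "News"},
    )
    policies = {
        ("user_defined", "Carrier blocklist"): "block",
        ("dse", "Malicious Web sites"): "block",
        ("predefined", "News"): "allow",
    }
    sps = SPS(server, policies)
    # Cached URL carrying two kinds at once; "Reviewed" has no policy,
    # so the decision falls through to the DSE category.
    sps.cache["drop.example/p"] = {"user_defined": "Reviewed",
                                   "dse": "Malicious Web sites"}
    return sps


if __name__ == "__main__":
    demo = build_demo()
    for u in ("bad.example/login", "cdn.example/ads/x", "img.example/ads/x",
              "drop.example/p", "news.example/", "new.example/unseen"):
        print(u, demo.decide(u))
```

The final branch of `decide()` is the one to review when auditing a deployment: a URL that is unknown, or whose category has no policy, is allowed, so blocking depends on every category in use having a policy.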
19.2.1 Overview
To configure security service, you need to learn related concepts.
Concepts related to security service are as follows:
• Traffic Mirroring
For details, see 10.1 About the Traffic Mirroring/Diversion Service. To monitor
malicious Web sites in real time, you need to mirror HTTP traffic passing through the Front
End of the SIG to the DSE for analysis.
• Portal
The SIG needs to interwork with the carrier Portal to realize the configuration and
application of malicious URL filtering.
Users can subscribe to malicious URL filtering on the Portal.
• Worm and Botnet
For worm- and Botnet-related concepts, see 17 Anti-Botnet Service and 18 Anti-Worm
Service.
• Policy item priority
The priority value specified in the policy item definition. The smaller the value, the higher
the priority. The value is an integer that ranges from 1 to 9,999. The value is globally unique
in the system.
[Flowchart; recoverable labels: Yes, No, Subscribers subscribe, Subscribe to malicious URL filtering on the Portal, End]
Action: Configure the mirroring interface
Description: The mirroring interface is the egress of the traffic matching the mirroring policy. The mirroring interface should be configured on the Front End through commands.
Operation location: Front End of the SIG.

Action: Configure the destination MAC address replacement
Description: You need to confirm whether to enable the destination MAC address replacement according to the current network environment.
• When the mirroring interface is directly connected to the third-party device through Ethernet cables, you do not need to configure the destination MAC address replacement.
• When the mirroring interface is connected to the third-party device through a Layer-2 device, you should enable the destination MAC address replacement and set the destination MAC address.
By default, the destination MAC address replacement is disabled.
Operation location: Front End of the SIG.

Action: Add a mirroring policy package
Description: A policy package can contain one or multiple policy items.
Operation location: back-end UI of the SIG. In the navigation tree, choose Traffic Management > Mirror/Divert > Mirror/Divert Policy Package Management.

Action: Apply the mirroring policy package
Description: Apply the added policy package to service objects.
Operation location: back-end UI of the SIG.
• In the navigation tree, choose Subscriber and Network Management > Network > Physical Link Management > Link Policy Application.
• In the navigation tree, choose Subscriber and Network Management > Subscriber > Policy Application.
• In the navigation tree, choose Subscriber and Network Management > Very Important Customer > Policy Application.

Action: Subscribe to malicious URL filtering
Description: Users can implement security service only after subscribing to it.
Operation location: Portal.
Prerequisites
Requirements are as follows:
Requirement Description
The carrier needs to configure and apply malicious URL filtering. Figure 19-3 shows the
networking.
[Figure 19-3: networking diagram; recoverable labels: Content downloading, UCDB, UCSP, BRAS, UCSS, Service traffic, Malicious URL information]
The Front End of the SIG directly connects to the Back End and the third-party system through
the management interface respectively. The system mirrors HTTP upstream traffic passing
through the Front End of the SIG.
Traffic goes through the Front End of the SIG along link 1G-80-2-link_2, and interface 1 of the
LPU in slot 3 mirrors HTTP traffic to the cache system. This interface belongs to mirroring
group 1.
Procedure
Step 1 Log in to the Front End of the SIG.
<Sysname> system-view
[Sysname] interface GigabitEthernet 3/0/1
[Sysname-GigabitEthernet3/0/1] dpi-node mirror group-number 1
[Sysname-GigabitEthernet3/0/1] quit
4. Click OK.
If the alarm URL has not been added before this operation, you need to add it. For details,
refer to 22.4 Managing the Alarm Address or 22.5 Managing the Dynamic
Alarm.
4. Click OK.
----End
19.3.1 Overview
This describes all the types of security service reports.
Prerequisites
Requirements are as follows:
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 In the navigation tree, choose Statistics and Analysis Report > Security Service. Select the
reports to be queried as required.
Step 3 Enter query conditions according to prompts.
TIP
• If you select Save Query Conditions before querying reports, you do not need to enter query conditions
for the next query.
• To apply the report function for timed tasks, click Timed Task. For details, see 21.4 Managing Timed
Task Reports.
• To save time for other operations, click Background Implementation. For details, see 21.5 Managing
Background Task Reports.
On the report query interface, you can export reports in different formats:
----End
Report Navigation
You can click the following links to view the report examples.
NOTE
The information in the following examples is subject to change without notice.
• Statistics and Analysis Report > Security Service > Subscriber > Botnet Block Log
• Statistics and Analysis Report > Security Service > Subscriber > Worm Block Log
• Statistics and Analysis Report > Security Service > Subscriber > Malicious URL Block
Log
• Statistics and Analysis Report > Security Service > Very Important Customer >
Botnet Block Log
• Statistics and Analysis Report > Security Service > Very Important Customer >
Worm Block Log
• Statistics and Analysis Report > Security Service > Very Important Customer >
Malicious URL Block Log
Statistics and Analysis Report > Security Service > Subscriber > Botnet Block Log
Through this report, you can view the blocking of botnet for subscribers within a given time
range.
Figure 19-7 shows the report screenshot of the blocking of botnet for a subscriber.
Figure 19-7 Example of the log report on the blocking of botnet for subscribers
Statistics and Analysis Report > Security Service > Subscriber > Worm Block Log
Through this report, you can view the blocking of worm for subscribers within a given time
range.
Figure 19-8 shows the report screenshot of the blocking of worm for a subscriber.
Figure 19-8 Example of the log report on the blocking of worm for subscribers
Statistics and Analysis Report > Security Service > Subscriber > Malicious URL
Block Log
Through this report, you can view the blocking of malicious URLs for subscribers within a given
time range.
Figure 19-9 shows the report screenshot of the blocking of malicious URLs for a subscriber.
Figure 19-9 Example of the log report on the blocking of malicious URLs for subscribers
Statistics and Analysis Report > Security Service > Very Important Customer >
Botnet Block Log
Through this report, you can view the blocking of botnet for VICs within a given time range.
Figure 19-10 shows the report screenshot of the blocking of botnet for a VIC.
Figure 19-10 Example of the log report on the blocking of botnet for VICs
Statistics and Analysis Report > Security Service > Very Important Customer >
Worm Block Log
Through this report, you can view the blocking of worm for VICs within a given time range.
Figure 19-11 shows the report screenshot of the blocking of worm for a VIC.
Figure 19-11 Example of the log report on the blocking of worm for VICs
Statistics and Analysis Report > Security Service > Very Important Customer >
Malicious URL Block Log
Through this report, you can view the blocking of malicious URLs for VICs within a given time
range.
Figure 19-12 shows the report screenshot of the blocking of malicious URLs for a VIC.
Figure 19-12 Example of the log report on blocking of malicious URLs for VICs
20 iPush
iPush is an information push system which pushes information to the specified user groups. By
using the iPush system, carriers can make full use of current network resources to carry out
value-added services.
Prerequisites
The IP address of the management terminal is within the IP address segment for logging in to
the iPush system.
NOTE
The iPush system allows login from all IP addresses by default. To set the IP address segment for logging
in to the iPush system, see 20.2.4 Setting the Login IP Address Segment.
Context
The iPush system supports the login through Internet Explorer 6.0, Internet Explorer 7.0, Internet
Explorer 8.0, and Firefox 10.0.
By default, the system has a super administrator whose user name is admin and password is
Admin@123.
After an account fails to log in three consecutive times, the system locks out this account
for 15 minutes to protect the iPush system. During the lock-out time, this account cannot log in
again.
NOTE
The lock time is 15 minutes by default, but the administrator can change it manually. For details, see 20.3.2
Setting System Security.
Procedure
Step 1 Open the Microsoft Internet Explorer browser.
Step 3 Select a language from Language, enter User Name, Password, and Verification Code.
NOTE
XX.XX.XX.XX specifies the IP address of the iPush_UI server, and 841 indicates the HTTPS service port
of the iPush_UI server.
Step 4 Click Login to access the Web management page of the iPush system.
----End
System Components
The iPush system is a subsystem of the SIG. It consists of the iPush UI server (iPush_UI),
Information Server, third-party information content server, and iPush Data Synchronization
Server (iPush_SYNC). Figure 20-1 shows the components of the iPush system.
[Figure 20-1: components of the iPush system; recoverable labels: Third-party information content server, Router, Information Server, Switch, Front End, iPush_SYNC, BOSS, BRAS, iPush_UI]
If a third-party information content server is deployed, it provides the contents of pushed information. Then
the Information Server confirms and records the information push results.
Information Audiences
The information audience refers to one or more users, to whom the information is pushed.
In the iPush system, a user is a subscriber configured in the SIG system, such as the ADSL dial-
up user identified by the subscriber ID and the wireless user identified by the IMSI or MSISDN.
The iPush system can push information to specific types of information audiences:
• To all users in the specified area.
• To a specific terminal user group in the specified area.
The terminal user group is configured in the iPush system, and can contain one or
multiple users.
• To the specified synchronized user group.
A synchronized user group is the subscriber group synchronized by the iPush system from
the SIG system. The subscriber group is configured in the SIG system, and can contain
one or multiple users.
• To the specified attribute group.
An attribute group contains one or more attributes. Information is pushed to the user who
matches all attributes. An attribute is the subscriber group attribute synchronized by the
iPush system from the SIG system. The subscriber grouping attribute is configured in the
SIG system. Subscribers can be classified into certain groups by attribute value, for
example, the gender, BST, and cell.
The iPush system does not push information to specific types of information audiences:
• To the whitelist user group.
The whitelist user group is configured in the iPush system, and can contain one or
multiple users. To exempt some users from the information pushed by the iPush system,
add them to the whitelist user group.
• To those accessing the whitelist Web site.
The whitelist Web site is configured in the iPush system, and can contain one or
multiple Web sites. To exempt the users who are accessing some Web sites from pushed
information, add these Web sites to the whitelist Web site.
Information Management
The iPush system provides diverse measures for information management.
Permission Management
The iPush system supports permission- and region-based management by means of roles and
administrators.
• Role
The iPush system predefines role ROLE_ADMIN which has all operation permissions of
the system. The administrator of ROLE_ADMIN can define other roles and assign
different service operation permissions.
• Administrator
The administrator belongs to a role, and inherits the service operation permissions of the
role. The administrator can manage only the information of the corresponding area and
information category.
System Management
With the UI provided by iPush_UI, the system administrator (belonging to the ROLE_ADMIN
role) can configure and manage the iPush_UI Server and Information Server.
By viewing the status and performance of the servers, you can learn about the resource
usage of the iPush system. When the usage of the server CPU, memory, or hard disk is too
high (for example, over 80% for a long time), upgrade hardware configurations or expand
service capacity.
• Configuring the security of the iPush system
You can set system security to improve the security of the iPush system, or adjust display
and export configurations according to the terminal hardware configurations or the network
status.
CAUTION
Before you configure the iPush service, import the terminal signature file in the SIG management
page. Otherwise, the iPush service does not work properly. For detailed procedure, see
Managing the Knowledge Base in the online help on the SIG management interface.
[Flowchart; recoverable labels: Start, Permission Management, Service Management, End, Required]
4. 20.4 Service Management: After completing the initial configuration of the iPush system,
configure the iPush service.
The iPush system enables permission management by means of roles and administrators, which
are described as follows:
• Role
By creating a series of roles and assigning certain iPush functional permissions, you can
implement permission-based management over the iPush system.
• Administrator
An administrator is associated with the role, area, and information category, and inherits
the iPush functional permissions that are possessed by the role. Therefore, the administrator
can manage permissions to the iPush service in the corresponding area as well as view and
configure the information about the corresponding information category.
When managing permissions, you can implement security management over the iPush system
by configuring the following contents:
• Login Address Segment
Setting the IP address segment for logging in to the iPush system. The IP address of a
terminal determines whether the terminal can access the iPush system.
• Online Administrator
Querying online administrators and forcing out unauthorized ones.
• Push Effect-checking Permission
Generally, the administrator of an area can query the information only about this area, and
the administrator in charge of an information category can query the information only about
this category. By configuring the permissions of querying push effects, you can authorize
administrators in other areas to query the information push effects in this area, or the
administrators of other information categories in this area to query the information push
effects of this information category.
Role ROLE_ADMIN and administrator admin for this role are predefined in the system. The
default password for admin is Admin@123. The service permissions possessed by a predefined
role cannot be modified, and admin has all operation permissions to the iPush system. For details
on how to change the password of the admin, see Changing an Account Password.
Prerequisites
The current online administrator belongs to role ROLE_ADMIN.
Procedure
Step 1 In the navigation tree, choose Permission Management > Role Management.
Step 2 Add a role.
1. Click Add.
2. Enter Name and Description for the role.
3. Click OK.
4. (Optional) Repeat Step 2.2 to Step 2.3 to add another role according to the role plan.
5. Click Return.
To add the full permissions to the selected item, select the item, and then click
.
5. Repeat Step 3.2 to Step 3.4 to assign other permission to this role.
6. Click Save.
7. Click Return.
8. (Optional) Repeat Step 3.1 to Step 3.7 to assign permissions to another role according to
the role plan.
----End
Prerequisites
The role, area, and information category are already created.
Context
If several administrators have the same role, area, and permission to one information category,
they can query and modify the information or policies created by other administrators under this
information category.
Procedure
Step 1 In the navigation tree, choose Permission Management > Administrator Management.
Step 3 Enter information about the administrator. Table 20-2 shows parameters.
Parameter: Description
Name: Indicates the account used by the administrator to log in to the iPush system.
Role: Indicates the role to which the administrator belongs. The administrator inherits all service permissions possessed by the role.
Area: Indicates the area to which the administrator belongs. The administrator has permissions to configure information and query push effects in this area and its subareas by default.
Information type: Indicates the information category that can be configured and queried by the administrator.
Step 5 (Optional) Add another administrator according to the permission- and area-based management
plan.
----End
Prerequisites
The current online administrator belongs to role ROLE_ADMIN.
Procedure
Step 1 In the navigation tree, choose Permission Management > Login Address Segment.
CAUTION
When you add the first IP address segment, make sure that the IP address of the current terminal
is within the IP address segment to be specified. Otherwise, after you add the IP address segment,
the administrator of the current terminal will be forced out and cannot log in from the current
terminal again.
Step 3 Enter the start IP address of the IP address segment in Start IP address.
Step 4 (Optional) Enter the end IP address of the IP address segment in End IP address.
If End IP address is not specified, the system regards End IP address as Start IP address by
default.
TIP
If the administrator cannot log in from the current terminal because an IP address segment was
added by mistake, the administrator can change the IP address of the terminal and log in to the
iPush system again, provided that an IP address is available in the specified IP address segment.
----End
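An added pre-flight check for the CAUTION above, written here as an example and not taken from the iPush system: it evaluates whether the current terminal would still be allowed to log in once a new segment is added. Function names and the sample addresses (documentation ranges) are assumptions; the two rules it encodes, that an empty list allows all addresses and that a missing end IP equals the start IP, are the ones stated on this page.

```python
import ipaddress


def segment(start_ip, end_ip=None):
    """Build one (start, end) segment; a missing end IP means end == start."""
    start = ipaddress.ip_address(start_ip)
    end = ipaddress.ip_address(end_ip) if end_ip else start
    # Reject mixed address families and reversed ranges before they are stored.
    if start.version != end.version or end < start:
        raise ValueError(f"invalid segment {start_ip} - {end_ip}")
    return start, end


def login_allowed(client_ip, segments):
    """True if client_ip may log in under the given list of segments."""
    if not segments:
        return True  # documented default: no segment set, all addresses allowed
    ip = ipaddress.ip_address(client_ip)
    return any(s.version == ip.version and s <= ip <= e for s, e in segments)


def check_new_segment(terminal_ip, existing, start_ip, end_ip=None):
    """Pre-flight for adding a segment from terminal_ip.

    Returns (safe, resulting_segments). safe is False when the terminal that
    makes the change would itself fall outside the resulting allow list,
    which is the forced-logout case the CAUTION describes.
    """
    resulting = list(existing) + [segment(start_ip, end_ip)]
    return login_allowed(terminal_ip, resulting), resulting


if __name__ == "__main__":
    # Constructed scenario: the administrator sits at 192.0.2.10.
    terminal = "192.0.2.10"
    for start, end in (("192.0.2.1", "192.0.2.50"), ("198.51.100.5", None)):
        safe, _ = check_new_segment(terminal, [], start, end)
        label = "safe" if safe else "would lock out the current terminal"
        print(f"first segment {start} - {end or start}: {label}")
```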
Prerequisites
The current online administrator belongs to role ROLE_ADMIN.
Procedure
Step 1 In the navigation tree, choose Permission Management > Online Administrator.
Step 2 View details about the login of an online administrator.
Click of an online administrator to access the Details page.
Step 3 (Optional) Force out unauthorized online administrators in the list.
1. Select the check boxes of the online administrators to be forced out.
2. Click Force logout to force out the selected online administrators.
----End
Prerequisites
Administrators belong to different areas and information categories are configured.
The information to be pushed is configured.
Context
The administrator can query the pushed information only in the corresponding area or of the
corresponding information category. By configuring the push effect query permission, you can:
• Authorize administrators in other areas to query pushed information in this area.
• Authorize administrators that do not belong to this information category in this area to
query the pushed information of this information category.
You can authorize the permission of querying only one piece of pushed information at a time,
but the permission can be authorized to multiple administrators.
Procedure
Step 1 In the navigation tree, choose Permission Management > Push Effect-checking
Permission.
The administrator can select the information about the corresponding information category in
this area, including the information created by other administrators.
----End
Prerequisites
The following subscriber areas are configured in the SIG system:
• Level-2 area X
– Level-3 area X1
– Level-3 area X2
• Level-2 area Y
– Level-3 area Y1
– Level-3 area Y2
Information category Weather info is configured. For details, see Configuring Information
Categories.
Requirement Description
Carriers need to implement the permission-based and area-based management of the iPush
system. Requirements are as follows:
• Super administrator
Employs predefined role ROLE_ADMIN, and is in charge of the initial configuration and
maintenance, and permission management of the device. The super administrator has all
permissions to the iPush system.
Predefined administrator admin maintains the iPush system and pushes bulletins to the
specified area, for example, transient service interruption caused by system maintenance.
• Role A
Configures information and policies. Role A has permissions to add and configure pushed
information as well as policies.
Area X and area Y respectively have two administrators belonging to role A for adding and
configuring the information and policies of different information categories in their own
areas.
l Role B
Audits policies. Role B has all permissions except log dumping.
Area X and area Y respectively have one administrator belonging to role B for auditing
policies in their own area.
l Role C
Adds users to the whitelist user group as required by users. Role C has permissions to query
reports and configure whitelist user groups.
Area X1, area X2, area Y1, and area Y2 respectively have an administrator belonging to
role C for configuring whitelist user groups in their own areas.
The administrator in area X who is in charge of bulletin can authorize the administrator in area
Y to query the push effects of bulletin for reference.
Data Planning
According to requirements, the role plan is as shown in Table 20-3.
NOTE
Configure Types √ √ ×
Check Information Status × √ ×
Audit Policy × √ ×
Information Schedule √ √ ×
Configure Area Policy × √ ×
Background Export Details √ √ ×
View Alarm × √ ×
Dump Log × × ×
Procedure
Step 1 Configure a role.
1. In the navigation tree, choose Permission Management > Role Management.
2. Click Add.
3. Add role Role A, as shown in Figure 20-3.
4. Click OK.
5. Repeat Step 1.3 to Step 1.4 to add other roles by referring to Table 20-3.
6. Click Return.
4. Click .
5. Repeat Step 2.2 to Step 2.4 to assign other permissions to Role A by referring to Table
20-3.
6. Click Save.
7. Click Return.
8. Repeat Step 2.1 to Step 2.7 to assign permissions to other roles by referring to Table
20-3.
Step 3 Configure an administrator.
1. In the navigation tree, choose Permission Management > Administrator
Management.
2. Click Add.
3. Add administrator admin_ax_1, as shown in Figure 20-5.
4. Click OK.
5. Repeat Step 3.3 to Step 3.4 to add other administrators by referring to Table 20-4.
6. Click Return.
----End
Result
After you log in using an administrator account, you can view the functional permission nodes
for the administrator in the navigation tree.
Follow-up Procedure
Administrator admin_ax_2 creates bulletin Info1, and authorizes administrator admin_ay_2
to query the push effects of Info1.
After logging in to the iPush system, administrator admin_ay_2 can query the push effects of
bulletin Info1 in report statistics.
Prerequisites
The Information Server is installed and its IP address is obtained or planned.
Context
The iPush system supports a maximum of 12 Information Servers.
Procedure
Step 1 In the navigation tree, choose System Configuration > Configure Information Server.
Step 3 Set parameters for the Information Server. Table 20-5 shows parameters.
Parameter Description
External IP Indicates the IP address through which the Information Server provides
services for terminal users. This IP address must be used to communicate
with the public network.
The combination of the external IP address and external port should be
unique.
Internal Port Indicates the port through which the Information Server provides internal
communication. The default value is 848, and cannot be changed.
External Port Indicates the port through which the Information Server provides Web
services for external networks.
If the NAT function is not enabled, External Port and Internal Port are
the same, that is, 848. If the NAT function is enabled, External Port is
the mapped port of private port 848.
----End
Context
Setting system security covers the following:
Procedure
Step 1 In the navigation tree, choose System Configuration > Set System Security.
----End
Procedure
Step 1 In the navigation tree, choose System Configuration > Configure Test URL.
----End
Context
By viewing the status and performance of the servers, you can learn about the resource usage
of the iPush system. When the usage of the server CPU, memory, or hard disk is too high (for
example, over 80% for a long time), upgrade hardware configurations or expand service capacity.
NOTE
Procedure
l In the navigation tree, choose System Configuration > View Server Performance.
----End
Prerequisites
The current administrator has the View Log permission.
Context
To ensure that the operations and operating status of the iPush system can be traced, logs can
be viewed, but not deleted. Administrators can store and delete obsolete logs by dumping logs.
Procedure
l View Log
1. In the navigation tree, choose Log and Alarm > View Log.
2. Set query conditions to query desired logs. Table 20-6 shows parameters.
3. Click Query.
Logs matching the query conditions are displayed in the list below.
If a log is long and displayed incompletely, click the description in the Details column
to view the complete log.
NOTE
The DST after the time in the figure indicates Daylight Saving Time. The DST is
displayed only when it is configured.
l Dump Log
1. In the navigation tree, choose Log and Alarm > Dump Log.
2. Set dumping parameters. Table 20-7 shows parameters.
Parameter Description
End time Indicates that the iPush system dumps the logs generated before
End time.
Default Dump Directory Indicates the directory where dumped logs are saved.
Dump File Name Indicates that the iPush system names dumped files by using the
character strings containing the date part of End time by default.
You can also define the file name in the text box.
If a dumped file with the same name already exists, the iPush
system adds the new log to the end of the original dumped file
automatically.
3. Click Dump.
----End
Prerequisites
The current administrator has the View Alarm permission.
Context
Alarms have two statuses, namely, Confirm and Unconfirm. When an alarm is rectified or does
not affect the normal operation of the iPush system, administrators can confirm the alarm. For
details, see Step 4.
Procedure
Step 1 In the navigation tree, choose Log and Alarm > View Alarm.
Step 2 Set query conditions to query desired alarms. Table 20-8 shows parameters.
NOTE
The DST after the time in the figure indicates Daylight Saving Time. The DST is displayed only
when it is configured.
----End
The iPush service provides a quick start entry that helps administrators configure the system
quickly. To configure a piece of information to be pushed to all users in a specified area, choose
Quick Start > Configure Guide in the navigation tree.
To configure other pushed information, see Figure 20-6.
[Figure 20-6: configuration flowchart. Boxes shown: Start; Configuring Area Mapping;
Configuring Area Policy; Configuring the Information Audience; Configuring the Terminal User
Group; Configuring the Whitelist User Group; Configuring the Whitelist Web Site; Configuring
the Notify Rule; Configuring the Information Category; Configuring Information; Viewing the
Information Schedule; Configuring a Policy; Auditing a Policy; End. Legend: Required, Optional.]
Number Task Description
20.4.4.3 Configuring the Whitelist Web Site
To exempt the users who are accessing some Web sites from pushed information, configure
these Web sites as the whitelist Web sites.
In the iPush system: In the navigation tree, choose Audience Management > Whitelist Website.
20.4.4.4 Configuring the Notify Rule
Notify Rule is used to generate a dynamic terminal user group for pushing fee information.
In the iPush system: In the navigation tree, choose Audience Management > Notify Rule Manage.
6 20.4.7 Viewing the Information Schedule
Before configuring a new policy, you can query the schedule Gantt chart of existing
information, to arrange the push plan for new information properly and optimize push effects.
In the iPush system: In the navigation tree, choose Policy Management > Information Schedule.
7 20.4.8 Configuring a Policy
A push policy determines the push objects and push methods, including the validity period,
push times, interval, and time range.
In the iPush system: In the navigation tree, choose Policy Management > Configure Policy.
Prerequisites
Areas are configured in the SIG system.
The plan for the carriers to divide areas is obtained.
Context
You can establish mapping between the areas divided by the SIG system and those divided by
the carrier. Then the synchronization interface synchronizes user information to the
corresponding areas.
For example, area A already exists in the SIG system, and area 1 in the carrier system. You can
add an area mapping, which sets the area to A and external area to 1. With this mapping, the
synchronization interface can synchronize user information in area 1 of the carrier system to
area A.
Procedure
Step 1 In the navigation tree, choose Policy Management > Configure Area Mapping.
Step 2 Click Add.
Step 3 Select an area in the SIG system from Area.
Step 4 In External Area No., enter the carrier area number, which ranges from 1 to 999999999.
----End
Prerequisites
Areas are configured in the SIG system.
Context
All areas except the root area have the Minimum Push Interval default value. To change the
default value, add an area policy for this area and set Minimum Push Interval.
Minimum Push Interval in this area policy is valid for the entire area, and Minimum Push
Interval per User in the information policy is valid only for the corresponding information. If
the minimum push interval is configured for both the policy and area, the Minimum Push
Interval that has a greater value is preferred. In this case, the iPush system sends the
corresponding information only when the interval meets the Minimum Push Interval that has
the greater value.
Procedure
Step 1 In the navigation tree, choose Policy Management > Configure Area Policy.
Parameter Description
Area Indicates the area for which the policy is valid. You can select
multiple areas. The iPush system adds one area policy for each
selected area. Only one policy can be configured for an area.
Minimum Interval (minutes) Indicates the minimum interval at which the system pushes
information to terminal users in this area.
Maximum Push Times per Day per User Indicates the maximum times for pushing information
to a single terminal user in this area each day.
Push to Dynamic IP Only Indicates that the information is pushed only to the users
accessing the Internet using dynamic IP in the corresponding
area.
----End
Prerequisites
Areas are configured in the SIG system.
Procedure
Step 1 In the navigation tree, choose Audience Management > Terminal User Group.
----End
Prerequisites
Areas are configured in the SIG system.
Context
Whitelist user groups fall into three types:
l Global Whitelist Group
No information is pushed to users in this group. The group is predefined in the system, and
cannot be changed or deleted. The administrator can add, import, or delete terminal users
to this group.
l Categoried Whitelist Group
The information of the corresponding category is not pushed to users in this group.
After an information category is added, a whitelist user group related to this information
category is added automatically. The iPush system does not push information under this
information category to users in the whitelist user group.
The group cannot be changed or deleted. The administrator can add, import, or delete
terminal users to this group.
l User-defined Whitelist Group
The information related to the group is not pushed to users in this group.
Procedure
Step 1 In the navigation tree, choose Audience Management > Whitelist User Group.
Parameter Description
Period Indicates the maximum period when the user can reside in
the user-defined whitelist group.
The iPush system calculates the period every day. When the
threshold is hit, the user is removed from the user-defined
whitelist group.
3. Click OK.
----End
Context
Whitelist Web sites are valid for global users. That is, unless you select Push to white
websites when configuring a policy, no information is pushed when users access the whitelist
Web sites.
Procedure
Step 1 In the navigation tree, choose Audience Management > Whitelist Website.
----End
Prerequisites
Areas are configured in the SIG system.
Context
Notify Rule is used to generate a dynamic terminal user group for pushing fee information. After
the Notify Rule is configured, a user group with the same name is generated and displayed in
Terminal User Group.
The iPush system synchronizes all user information and adds the users compliant with the Notify
Rule to the corresponding user group.
Procedure
Step 1 In the navigation tree, choose Audience Management > Notify Rule Manage.
Parameter Description
Area Selects an area. The Notify Rule is valid only for the subscribers
in this area.
Upper Limit of Push Days/Lower Limit of Push Days
Fee Upper Limit/Fee Lower Limit
The iPush system periodically synchronizes all user information
from the third-party system and takes actions based on the Notify
Rule:
l When the service package remaining days of the Due-push
User is between Upper Limit of Push Days and Lower
Limit of Push Days, the iPush system adds the user to the
group.
l When the balance of the Balance-push User is between Fee
Upper Limit and Fee Lower Limit, the iPush system adds
the user to the group.
----End
Context
After an information category is added, a whitelist user group related to this information category
is added automatically. The iPush system does not push information under this information
category to users in the whitelist user group.
Priorities can be configured for both information categories and information policies. However,
the priorities for information categories are unique, and those for information policies can be
the same. If multiple information policies are valid for a user, the iPush system pushes
information by the priorities of information categories: information with a higher
priority is pushed first. If the information categories are of the same priority, the iPush
system pushes information by the priorities of information policies. If both the information
categories and information policies are of the same priority, the iPush system sends the
information in a recurring manner.
The iPush system predefines two information categories. The administrator can configure new
ones or configure subcategories for the predefined one as required.
Procedure
Step 1 In the navigation tree, choose Information Management > Configure Category.
l Click Higher to raise its location in the list, namely, raise its priority.
l Click Lower to lower its location in the list, namely, lower its priority.
3. Click OK.
----End
Prerequisites
Information categories are configured.
Context
One piece of information can be referenced only by one policy. One piece of information has the
same status as its policy. Five states are available for information and policies: Initialized,
Waiting for audit, Released, Update, and Completed. Figure 20-7 shows the relationship
between the five states.
[Figure 20-7: state transition diagram. Transition labels shown: Submit; Reject: Update;
Reject: Completed; Stop; Update; Policy expires or the push times are used up. State labels
shown: Completed, Update. Legend: Manual execution by administrator; Automatic execution by
the system.]
You can change information only in Initialized or Update state. You can delete information
only if it is in Initialized or Completed state, or has been in Update state for more than
10 minutes.
NOTE
The message is valid and can be pushed to users when the state of the message is Released.
When the information file of the user-defined style is used, the iPush system appends the
following Base64-encoded information to the end of the URL of the file, in the
adid=****&area=****&tcca=****&urip=****&orlu=****&aorlu=****&spid=****
format: information number, user area number, subscriber ID, user IP address, originally
accessed URL, URL of information resources, and SPS number.
When making the information file in the user-defined style, resolve and use related parameters.
l The information file in the user-defined style needs to obtain the originally accessed URL
to display the page. Therefore, add code to the file to resolve and use parameter
orlu=****.
l The user-defined style file needs to display the page. Therefore, add code to the
user-defined style file to resolve and use the aorlu=**** parameter.
l To use other related information (such as the subscriber ID) on the information page, add
code to the file to resolve and use the corresponding parameter.
l To add the statistical function on the information page, add code to the file to obtain
corresponding parameters and generate the following URL:
http://asip/a/adclick?tcca=****&urip=****&spid=****&adid=****
This HTTP request can be triggered by an event (for example, a user clicks the information)
by means of code control.
asip is the IP address of the Information Server.
l To add the function for users to add themselves to the whitelist on the information page,
add code to the file to obtain corresponding parameters and generate the following URL:
http://asip/a/unpush?tcca=****&urip=****&area=****&adid=****. Then deliver
this URL to a control (such as a button displaying Do not display this information). When
the user clicks this button, the HTTP request is triggered.
Procedure
Step 1 In the navigation tree, choose Information Management > Configure Information.
Step 2 Click Add.
TIP
To create a piece of information that is the same as or similar to an existing one, select the existing
information, and click Copy and Add. The system copies this information. You can then create the same
or a similar piece of information by changing parameters.
Step 3 Set basic parameters for the pushed information. Table 20-13 shows parameters.
Style The style is the display of information on user terminals. Styles fall into
the following types:
l Predefined
Displays information in the predefined style of the iPush system. When
configuring the predefined style, configure the content source, display
style, and related parameters of the information.
l User-defined
Generates the pushed information using the file of the user-defined
style or the external URL pointing to the file of the user-defined style.
The content source and display style of the information are determined
by the source file of the user-defined style.
Step 4 Configure the contents of the pushed information (only applicable to the Predefined
information). Table 20-14 shows parameters.
Link The parameter can be specified when the content source is Picture.
When you upload a picture, Link is the pointed URL upon your click on
the picture. When you upload a flash file, the iPush system appends
Link to the generated pushed information for the flash file to invoke.
Enable Digital If the content source is the local Picture or File, you can add an invisible
Signature digital signature to the information, preventing information from being
modified and ensuring the integrity of the information.
Step 5 Configure the style of the pushed information. Table 20-15 shows the parameters of predefined
styles and Table 20-16 shows the parameters of user-defined styles.
Style Parameter Sets parameters related to various display styles, such as the size and
location.
Parameter Description
Parameters After the following options are selected, the iPush system can add
information to the end of the URL of the information automatically for the
information page to invoke.
l Subscriber ID
The iPush system adds a character string containing subscriber ID
information to the end of the external URL, in the account=****
format.
l Originally accessed URL
The iPush system adds a character string containing originally accessed
URL information to the end of the external URL, in the url=****
format.
The character strings containing the subscriber ID information and
originally accessed URL information are encoded by the iPush system
using Base64 and then added to the end of the external URL automatically.
For example, if an external URL is http://www.example.com/ad.html,
the subscriber ID is abc0123, and the originally accessed URL is
www.site.com, the iPush system encodes the subscriber ID information
and originally accessed URL information in the
account=abc0123&url=www.site.com format by using Base64 and
adds the encoded information to the end of the external URL. Finally, the
URL is
http://www.example.com/ad.html?param=YWNjb3VudD1hYmMwMTIzJnVybD13d3cuc2l0ZS5jb20=
If you select to append only one parameter, only the corresponding
information is added.
Functions The iPush system can append the following functions on the information
page.
l Click statistics
If this function is added to the pushed information, information clicks
are sent to the Information Server after users click the information.
Copies script and its contents in the script to tag head in the
information source file.
Copies the onclick="addClickCount()" attribute (with the half-width
space in the front) of body in the script to the first half body in the
information source file as the attribute of body for the information
source file.
l Manually add whitelist
If users do not want to receive information, they can click the button
or link added for the pushed information to add themselves to the
whitelist user group.
Copies script and its contents in the script to tag head in the
information source file. Copies the contents of body (excluding
body) in the script to body in the information source file.
After a user-defined whitelist user group is created, the information for
realizing the Manually add whitelist function should be associated
with this group.
Parameter Description
External URL Displays information by using the predefined page on another Web server
as the style file. The URL of the page should be specified.
Local File Displays information by uploading a local file. The uploaded file is saved
in the Information Server.
Enable Digital Signature If the content source is Local File, you can add an invisible digital
signature to the information, preventing information from being modified
and ensuring the integrity of the information.
----End
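The param handling described in the Parameters row above, as an added example that is not part of the original guide and is not Huawei code: a page served at the external URL decodes param and validates each field before use, because Base64 only encodes the values and anyone can construct their own param. The allowed subscriber-ID character set, the rule that url= is the last field, and all function names are assumptions.

```javascript
// Added example (hypothetical helper names). Decodes the Base64 "param" value
// appended to an external URL and treats every decoded field as untrusted.

// The guide's own example URL (subscriber ID abc0123, original URL www.site.com).
const SAMPLE =
  'http://www.example.com/ad.html?param=YWNjb3VudD1hYmMwMTIzJnVybD13d3cuc2l0ZS5jb20=';

// Base64 -> UTF-8 text. atob exists in browsers and in Node.js 16+.
function b64ToText(b64) {
  const bin = typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('binary');
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8').decode(bytes);
}

// Returns { account, url } as raw strings; a field that was not appended is null.
function parsePushParams(pageUrl) {
  const raw = new URL(pageUrl).searchParams.get('param');
  const out = { account: null, url: null };
  if (raw === null) return out;
  // Query-string parsing turns "+" into a space; restore it before decoding.
  const b64 = raw.replace(/ /g, '+');
  if (b64.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(b64)) {
    throw new Error('param is not well-formed Base64');
  }
  let rest = b64ToText(b64);
  // Assumption: "url=" is the last field, so everything after it belongs to
  // the originally accessed URL even if that URL contains "&" or "=".
  const at = rest.startsWith('url=') ? 0 : rest.indexOf('&url=');
  if (at >= 0) {
    out.url = rest.slice(at + (at === 0 ? 4 : 5));
    rest = rest.slice(0, at);
  }
  if (rest.startsWith('account=')) out.account = rest.slice('account='.length);
  return out;
}

// Assumed subscriber-ID format: short, with a conservative character set.
// Anything else is dropped rather than displayed.
function safeAccount(account) {
  return typeof account === 'string' && /^[A-Za-z0-9._@-]{1,64}$/.test(account)
    ? account
    : null;
}

// Accept the originally accessed URL only as an http/https target without
// embedded credentials; return a normalized href or null.
function safeContinueUrl(value) {
  if (typeof value !== 'string' || value === '') return null;
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(value);
  let u;
  try {
    u = new URL(hasScheme ? value : 'http://' + value);
  } catch {
    return null;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (u.username !== '' || u.password !== '') return null;
  return u.href;
}

// What the information page would call with window.location.href. Insert the
// results with textContent / setAttribute('href', ...), never with innerHTML.
function readPushContext(pageUrl) {
  const { account, url } = parsePushParams(pageUrl);
  return { account: safeAccount(account), continueUrl: safeContinueUrl(url) };
}

console.log(readPushContext(SAMPLE));
```

Because the subscriber ID is only Base64-encoded, it is readable by anything that sees the full URL, so the external page should keep param out of third-party requests and logs where it can.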
Context
A Gantt chart is a bar diagram displaying the start time and duration of an activity, helping you
arrange, plan, and manage projects. The push schedule Gantt chart displays the start time and
end time of the information push, which helps in arranging the information push schedule.
Procedure
Step 1 In the navigation tree, choose Policy Management > Information Schedule.
l Hour Schedule
Queries the information schedule of a day, and the time granularity is based on hours.
l Daily Schedule
Queries the information schedule on a specified date, and the time granularity is based on
days.
----End
Prerequisites
The pushed information and information audiences are configured.
Context
One piece of information can be referenced only by one policy. One piece of information has the
same status as its policy. Five states are available for information and policies: Initialized,
Waiting for audit, Released, Update, and Completed. Figure 20-8 shows the relationship
between the five states.
[Figure 20-8: state transition diagram. Transition labels shown: Submit; Reject: Update;
Reject: Completed; Stop; Update; Policy expires or the push times are used up. State labels
shown: Completed, Update. Legend: Manual execution by administrator; Automatic execution by
the system.]
The Initialized, Waiting for audit, Released, and Update states are all labeled as the
Uncompleted state. The new information and policy are in Initialized state. You can change the
policy only in Initialized or Update state. Meanwhile, you can delete the policy only in Initialized
state.
NOTE
The message is valid and can be pushed to users when the state of the message is Released.
Procedure
Step 1 In the navigation tree, choose Policy Management > Configure Policy.
Select an added policy, and click Copy and Add. Then, you can modify the existing policy and configure
a new policy.
Period A policy is valid only within the specified period. After you select
Unlimited, the policy is valid from the start time of the validity
period until the specified total push times is hit.
Total Push Times Indicates the total push times within the validity period, namely,
the sum of push times to all objects.
After you select Unlimited, the policy is valid within the validity
period, and total push times is not limited.
Minimum Push Interval per User When a user accesses the network, the iPush system does not
push information to the user until Minimum Push Interval per
User after the last push.
The minimum push interval can be specified by:
l Pushing information to a single user every N minutes or
longer, about a maximum of M times a day.
l Pushing information to a single user every N days or longer.
NOTE
If the minimum push interval is configured for both the policy and area,
the Minimum Push Interval that has a greater value is preferred. In this
case, the iPush system sends the corresponding information only when
the interval meets the Minimum Push Interval that has the greater value.
The minimum push interval for all areas except the root area is 60 minutes
by default. The administrator can manually set the minimum push
interval. For details, see 20.4.3 Configuring Area Policy.
Terminal User Groups Pushes information to users belonging to the specified area and
terminal user group after Terminal User Groups is selected.
The terminal user group is configured in the iPush system. For
details, see Configuring a Terminal User Group.
Attribute Groups After Attribute Group is selected, the administrator can set one
or multiple attributes to push information to users matching all
attributes.
All attributes of subscribers are displayed on the page. Area is
mandatory, and others are optional.
NOTE
The attributes displayed on the page are the subscriber static and dynamic
attributes synchronized by the iPush system from the SIG system. For
details, refer to section "4.2 Configuring the Subscriber" in the
HUAWEI SIG9800 Service Inspection Gateway Configuration Guide.
The iPush system cannot push information to attribute groups of
terminal type, phone model, operating system, and browser.
User Groups Pushes information to users in the specified user group after User
Groups is selected.
NOTE
The user groups displayed on the page are the subscriber groups
synchronized by the iPush system from the SIG system. For details, refer
to section "4.2 Configuring the Subscriber" in the HUAWEI SIG9800
Service Inspection Gateway Configuration Guide.
Step 5 (Optional) Add Time-sharing Configuration. To push information to users at the specified
time, set the time range for information push.
1. Set Period, Timeshare Week, and Time Slice.
2. Click Add to add a push time range.
3. (Optional) Repeat Step 5.1 to Step 5.2 to add more push time ranges. You must add
time ranges in chronological order. Specifically, the push start time must be later than the
existing time range.
4. Set Time-sharing is not configured.
l If Normal Push is selected, information is pushed by default within the validity period
of the policy but outside the selected weekday.
l If No Push is selected, information is not pushed by default within the validity period
of the policy but outside the selected weekday.
After a policy is saved, the Status of information is Initialized. In this case, the policy does not
take effect, and you can modify the policy in Initialized state.
NOTE
You can also click Save & Submit. The information is in Waiting for audit state, and the policy cannot
be modified.
----End
Follow-up Procedure
After a policy is submitted for auditing, the Status of information is Waiting for audit. In this
case, the policy does not take effect until it is audited (Status is Released). After a
policy is submitted for auditing, only the administrator with the policy audit permission can audit
the policy.
Prerequisites
The current administrator has the policy audit permission.
Context
On the Audit Policy page, the administrator can:
l Audit the information in Waiting for audit state.
Only the audited information can be released and take effect. The information failing the
audit is returned to the policy creator for updating or is completed directly.
l Stop the information in Released state.
The released information can be deleted only after it is stopped.
l Update the information in Completed state.
The completed information can be converted to the Update state, modified, and then
released again.
One piece of information can be referenced only by one policy. One piece of information has the
same status as its policy. Five states are available for information and policies: Initialized,
Waiting for audit, Released, Update, and Completed. Figure 20-9 shows the relationship
between the five states.
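[Figure 20-9: state transition diagram. Transition labels shown: Submit; Reject: Update;
Reject: Completed; Stop; Update; Policy expires or the push times are used up. State labels
shown: Completed, Update. Legend: Manual execution by administrator; Automatic execution by
the system.]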
Procedure
l Audit the policy.
1. In the navigation tree, choose Policy Management > Audit Policy.
2. Select Waiting for audit from Status.
3. Click Query.
4. Click corresponding to the policy to be audited and view details of the policy.
5. Click Audit.
6. Set the audit result. Table 20-19 shows parameters.
Parameter Description
Priority/Return to When Audit is set to Pass, the priority of the policy should be
specified.
When Audit is set to Reject, you need to select the return status
of the policy:
l Update
Return to the policy creator for modification.
l Completed
No longer use this policy. After a policy is completed, the
information cannot be assigned to other policies. You can add
a piece of information with the same contents by using the copy
and add function.
Audit opinion Enter the audit opinion. If the audit result is Pass, the policy can
be reviewed in future. If the audit result is Reject, the policy can
be used as a reference by the administrator who modifies the
policy.
7. Click OK.
l (Optional) Stop the information in Released state.
1. In the navigation tree, choose Policy Management > Audit Policy.
2. Select Released from Status.
3. Click Query.
4. Click Stop corresponding to the policy to be stopped.
5. Click OK in the dialog box that is displayed.
l (Optional) Update the information in Completed state.
1. In the navigation tree, choose Policy Management > Audit Policy.
2. Select Completed from Status.
3. Click Query.
4. Click Update corresponding to the policy to be updated.
5. Click OK in the dialog box that is displayed.
----End
20.4.10.1 Example for Pushing Information to All Terminal Users in the Specified
Area
This section provides an example for pushing bulletins to all terminal users in a specified area
by using the quick start. You can refer to this configuration example to configure information
quickly using the quick start.
Prerequisites
The current administrator has the Configure Guide, Configure Information, Configure
Policy, Configure Categories, and Audit Policy permissions.
Requirement Description
The carrier plans to maintain the device on the morning of Jan. 17, 2011, which may affect users'
access to the network in Area Y. Therefore, the carrier needs to push a bulletin to all terminal
users in Area Y about this case from 2011-01-10 to 2011-01-16.
Procedure
Step 1 Configure the category.
1. In the navigation tree, choose Information Management > Configure Category.
2. Add the System maintenance bulletin subcategory under the Bulletin information
category, as shown in Figure 20-10.
3. Click OK.
Step 2 Configure the information and policy.
1. In the navigation tree, choose Quick Start > Configure Guide.
2. Configure the push information and policy, as shown in Figure 20-11.
3. In Figure 20-11, click Save & Submit to complete the configuration of the information
and policy and access the policy audit page.
Step 3 Audit the policy.
1. On the Audit Policy page, click Audit corresponding to Area Y Bulletin to audit the policy,
as shown in Figure 20-12.
2. Click OK.
After the policy is audited, Status of Area Y Bulletin is Released, indicating that the
bulletin is configured.
----End
Result
The Area Y Bulletin policy takes effect for terminal users in Area Y from Jan. 10, 2011 to Jan.
16, 2011.
Starting from Jan. 10, 2011, users in Area Y receive the bulletin pushed by the iPush system
after accessing the Internet.
Prerequisites
The list of 2M broadband users in Area X is obtained.
The push information with the user-defined style is edited, and the external URL is
http://www.example.com/weather.html.
Requirement Description
The carrier service department needs to push weather information to 2M broadband users in
Area X from 2011-01-17 to 2011-01-23.
Procedure
Step 1 Configure the terminal user group.
1. In the navigation tree, choose Audience Management > Terminal User Group.
2. Add terminal user group 2M broadband user in Area X, as shown in Figure 20-13.
5. Click OK.
Step 3 Configure information.
1. In the navigation tree, choose Information Management > Configure Information.
2. Add the Weather information, as shown in Figure 20-16.
3. In Figure 20-16, click Save & To Configure Policy to complete the information
configuration and access the policy configuration page.
Step 4 Configure a policy.
1. On the Add Policy page, configure the basic information and push objects of the policy,
as shown in Figure 20-17.
2. Click OK.
After the policy is audited, Status of Weather information is Released, indicating that
the information is configured.
----End
Result
The Weather information policy takes effect for the specified terminal users in Area X from
Jan. 17, 2011 to Jan. 23, 2011.
Broadband users whose accounts are a01 and b01 in Area X will receive Weather
information after accessing the Internet.
Prerequisites
Subscriber attributes are configured in the SIG system.
The administrator account of the SIG system with the Subscriber User Group permission is
obtained.
The current administrator of the iPush system has the Configure Subcategory, Add
Information, Add Policy, and Audit Policy permissions.
The push information with the user-defined style is edited, and the external URL is
http://www.example.com/weather.html.
Requirement Description
The service department of the carrier needs to push weather information to the broadband users
whose accounts contain cust in area X from 2011-01-01 to 2011-01-31.
Procedure
Step 1 Log in to the SIG system.
In the navigation tree, choose Subscriber and Network Management > Subscriber > User
Group Management. Add user group Group1 in the SIG system and add subscribers whose
subscriber IDs contain cust in area X to Group1.
Add the Weather subcategory to the Bulletin category for information management.
5. Click OK.
Step 5 Configure information.
1. In the navigation tree, choose Information Management > Configure Information.
2. Click Add.
3. Configure the basic information, contents, and style for the pushed information, as shown
in Figure 20-20.
4. In Figure 20-20, click Save & To Configure Policy to complete the information
configuration and access the policy configuration page.
Step 6 Configure a policy.
1. On the Add Policy page, configure the basic information and push objects of the policy,
as shown in Figure 20-21.
2. Click OK.
After the policy is audited, Status of Weather Information is Released, indicating that
the Weather Information is configured.
----End
Result
The Weather Information policy takes effect for users in Group1 of Area X from Jan. 1, 2011
to Jan. 31, 2011.
Prerequisites
Subscribers and Subscriber area attributes are configured in the SIG system.
The administrator account of the SIG system with the Subscriber Customized Attributes
Management permission is obtained.
The current administrator of the iPush system has the Configure Subcategory, Add
Information, Add Policy, and Audit Policy permissions.
Requirement Description
The service department of the carrier needs to push weather information to users whose access
type is EVDO in area X from 19:00 to 21:00 on Saturdays and Sundays from Aug. 1, 2011 to
Aug. 31, 2011. The total number of pushes is not restricted. A single user can receive a push
every 30 minutes, and at most twice a day.
Procedure
Step 1 Log in to the SIG system.
3. Click OK.
Add the Weather subcategory to the Bulletin category for information management.
5. Click OK.
4. In Figure 20-25, click Save & To Configure Policy to complete the information
configuration and access the policy configuration page.
Step 6 Configure a policy.
1. On the Add Policy page, configure the basic information, push objects, and time-based
configuration of the policy, as shown in Figure 20-26.
2. Click OK.
After the policy is audited, Status of Weather Information is Released, indicating that
the Weather Information is configured.
----End
Result
The Weather Information policy takes effect for the users whose access type is EVDO in Area
X from 19:00 to 21:00 on Saturdays and Sundays from Aug. 1, 2011 to Aug. 31, 2011.
20.4.10.5 Example for Not Pushing Information to the Specified Terminal User
This section provides an example for adding the user to the whitelist user group when the user
does not want to receive the information.
Prerequisites
The current administrator has the Add Whitelist User Group and Config Whitelist User
permissions.
Requirement Description
The administrator in Area Y receives feedback from broadband user abc0123 that the user
does not want to receive Information A. The administrator can then define a whitelist user group
and add the user to the group, so that the information is no longer pushed to the user.
Procedure
Step 1 In the navigation tree, choose Audience Management > Whitelist User Group.
Step 2 Add a whitelist user group.
1. Click Add.
2. Set parameters for the whitelist user group, as shown in Figure 20-28.
3. Click OK.
4. Click Return.
Step 5 Configure information about the whitelisted user, as shown in Figure 20-29.
----End
Prerequisites
Before fee information configuration, the SIG system is connected to the BOSS to obtain the
terminal user account, service expiration time, and account balance.
The current administrator has the Add Information, Add Policy, Audit Policy, and Notify
Rule Add permissions.
Requirement Description
Starting from 2011-01-01, the carrier needs to notify the users subscribing to the broadband
service package in Area X of its expiration. The notification is sent once a day from the time
seven days are left on the service package.
Procedure
Step 1 Configure a notify rule.
After the charge notice rule is configured, the iPush system generates a user group with the same
name and displays it in Terminal user group. The iPush system synchronizes all user information
from the BOSS and adds the users compliant with the charge notice rule to the corresponding
group.
1. In the navigation tree, choose Audience Management > Notify Rule Manage.
2. Click Add.
3. Configure the notify rule. Figure 20-30 shows the parameters.
The source of the fee information is the file uploaded locally, which is defined according
to parameters in the template. In this example, the information contents are as shown in
Figure 20-32. The parameter in a red frame must be consistent with that in the template.
4. In Figure 20-31, click Save & To Configure Policy to save the configurations.
2. Click OK.
After the policy is audited, Status of Expiration notice is Released, indicating that the fee
information is configured.
----End
Result
The Expiration notice policy takes effect for broadband users in area X since Jan. 1, 2011.
According to the policy configured in Expiration notice, if the broadband service for account
user-a in Area X expires on Feb. 1, 2011, the iPush system notifies user-a every day during
the week before Feb. 1, 2011, that is, every day from Jan. 26 to Feb. 1.
If user-a does not recharge, the user will receive such information as shown in Figure 20-35
after logging in. If user-a recharges, the iPush system does not push fee information to the user.
Report Function
You can view the push times and change trend by graphs, and view push effects (such as the
push times, click times, unique visitor number, click unique visitor number, and click percentage)
by reports. Two types of reports are available by time granularity:
Collects the push effects of information on a daily basis. The effects can be summarized
by pushed information, area, time, statistical mode, and type.
NOTE
When the data volume is heavy, online queries are slow. You can use the background exporting
function to have the iPush system generate reports in the background.
To use the background exporting function, set query conditions first, and then click Unique Visitor
Export.
Saving Period
Parameters
Unique Visitor number    Indicates the number of unique visitors to whom information is pushed. A unique visitor is a broadband subscriber.
Click Unique Visitor number    Indicates the number of unique visitors who click the information.
Click Percentage    Indicates the percentage of the click times to push times.
2. Click Query to view push effects by curve graph, as shown in Figure 20-37.
3. Select Report from Type, and click Query to view the push times and click times every
hour on the hour through reports, as shown in Figure 20-38.
NOTE
The DST after the time in the figure indicates Daylight Saving Time. The DST is displayed
only when it is configured.
2. Click Query to view push effects by curve graph, as shown in Figure 20-40.
Report Function
This section describes how to view details about the specified information or user, including
whether the user clicks the information, push time, and the URL that is being accessed by the
user when the information is pushed.
NOTE
When the data volume is heavy, online queries are slow. You can use the background exporting
function to have the iPush system generate reports in the background.
To use the background exporting function, set query conditions first, and then click Background
Export.
Saving Period
Saving period: three months
Parameters
Parameter Description
Area Views the push details of the information in the selected areas
when the push objects are multiple areas.
Access address Indicates the URL that is being accessed by the user when the
user receives the pushed information.
2. Click Query to view push details by curve graph, as shown in Figure 20-42.
3. Select Summary from Statistical Mode, and click Query to view push details by user
summary through reports, as shown in Figure 20-43.
2. Click Query to view push details to the user through reports, as shown in Figure 20-45.
3. Select Summary from Statistical Mode, and click Query to view push details by pushed
information summary through reports, as shown in Figure 20-46.
Function
After you set the exporting task of the number of unique visitors in the Push Effect Statistics
report or the background exporting task in the Push Details report, you can view and manage
the created export tasks, and download the exported reports.
Description
Create a background exporting task.
• Click the task name in the Report Name column to view the task information and query
conditions of the background task.
• Click Download corresponding to the task to download the exported report.
20.6 Appendix
Table 20-23 shows parameters of the code for the fee information page.
Table 20-23 Parameters of the code for the fee information page
Parameter Description
@baseurl@ This is a special parameter for the fee information page, and is used to
complete the relative paths used by the information page into full
paths.
Do not delete this field.
@act@ The Information Server replaces this parameter with the broadband
subscriber ID when it pushes fee information. Place this parameter
where the subscriber ID is to be displayed.
@enddate@ The Information Server replaces this parameter with the expiration date
of the broadband service package for a broadband user when it pushes
fee information. Place this parameter where the expiration
date of the broadband service package is to be displayed.
@balance@ The Information Server replaces this parameter with the balance of the
broadband user when it pushes fee information to users with other types
of payments. Place this parameter where the user balance
is to be displayed.
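A check to run on a fee information page before uploading it, as an added example that is not part of the original guide or of the product. The placeholder names come from Table 20-23; the sample page, the function names, and the escaping applied in the preview are assumptions of this sketch, since the guide does not describe how the Information Server performs the substitution.

```python
import html
import re

# Placeholders listed in Table 20-23; the table says @baseurl@ must not be deleted.
KNOWN = {"baseurl", "act", "enddate", "balance"}
REQUIRED = {"baseurl"}
TOKEN = re.compile(r"@([A-Za-z0-9_]+)@")

# Constructed sample page, not taken from the product template.
SAMPLE_PAGE = """<html>
<head><link rel="stylesheet" href="@baseurl@css/notice.css"></head>
<body>
<p>Account: @act@</p>
<p>Your broadband package expires on @enddate@.</p>
<p>Current balance: @balance@</p>
</body>
</html>"""


def check_template(page):
    """Return a list of problems: missing required or unknown placeholders."""
    found = set(TOKEN.findall(page))
    problems = []
    for name in sorted(REQUIRED - found):
        problems.append(f"required placeholder @{name}@ is missing")
    for name in sorted(found - KNOWN):
        # Catches typos such as @Act@ or @end_date@ that would be shown
        # to the subscriber as literal text instead of being replaced.
        problems.append(f"unknown placeholder @{name}@")
    return problems


def render_preview(page, values):
    """Local preview only: substitute sample values, HTML-escaping each one.

    Subscriber-derived values (ID, balance) end up inside HTML, so the
    preview escapes them to show how the page looks with hostile input.
    Placeholders without a supplied value are left in place.
    """
    def substitute(match):
        name = match.group(1)
        if name not in values:
            return match.group(0)
        return html.escape(str(values[name]), quote=True)

    return TOKEN.sub(substitute, page)


if __name__ == "__main__":
    print(check_template(SAMPLE_PAGE) or "template OK")
    print(render_preview(SAMPLE_PAGE, {
        "baseurl": "http://preview.invalid/",   # constructed value
        "act": "<b>cust01</b>",                 # constructed hostile ID
        "enddate": "2011-02-01",
        "balance": "12.50",
    }))
```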
Prerequisites
The current online administrator belongs to the role Modify Password.
Procedure
Step 1 In the navigation tree, choose Permission Management > Administrator Management.
Step 2 Click Set user password on the right side of the account.
Step 3 Enter the new password and confirm it.
Ensure that the new password and the confirmed new password are the same.
Step 4 Click OK. The password of the specified administrator has been changed successfully.
----End
21 Report Management
Through report management, you can learn the common management operations for reports,
including managing predefined analysis objects, timed task reports, and background task reports.
NOTE
Report formats vary with report types. If a format is grey, the timed task report of this format cannot
be generated.
• Background task report
As the process of querying reports lasts for a certain period, the operator can transfer the
process to the Back End to save time, and then the background task report is generated.
During the report query, when you click Background Implementation in the pop-up
dialog box, the background task report is generated.
• Customized report
You can customize report query conditions and data display for the report.
By setting the customized report, you can fix report query conditions, thereby simplifying
query operations on common reports. Meanwhile, the SIG can display multiple reports in
a centralized manner as required.
• Protocol color management
When displaying reports, the SIG can automatically set protocol colors. Through protocol
color management, you can manually adjust the display colors for protocols.
• Report categories
Reports are divided into the following categories by data granularity:
– Five-minute report
NOTE
When you query a report, if you only enter the query time range without selecting the data
granularity for the report, the data granularity is to be decided automatically according to the
length of the time range specified.
The time points at which queries can be performed are different for multiple data granularities.
If no result is displayed after a query, try modifying query conditions.
Time Granularity in the query condition does not have a mapping relationship with the data
granularity of the report in the query result, and is used only for the convenience of entering a
time range for the query.
– Hourly report
Figure 21-2 and Figure 21-3 show report examples.
The hourly report is formed by the statistics of multiple five-minute reports, and
statistics within the last hour are collected every half-hour. For example, statistics from
08:00 to 09:00 are collected at 9:30. If it is 09:20, records at 08:00 are unavailable in
the hourly report.
– Daily report
The daily report is formed by the statistics of hourly reports, and statistics on the last
day are collected at 01:00 every day. For example, statistics on January 1 are collected
at 01:00 on January 2. If it is 00:30 on January 2, records on January 1 are unavailable
in the daily report.
NOTE
When you query the daily report, only the year, month, and day values on the query page are
valid, and the hour and minute values are invalid. When you query the monthly report, only
the year and month values on the query page are valid, and the day, hour, and minute values are
invalid.
– Monthly report
The data in the monthly report can be saved for up to four years. The monthly report is
formed by the statistics of daily reports, and statistics of the last month are collected at
03:00 on the first day of each month. For example, statistics for January are collected at
03:00 on February 1. If it is 01:00 on February 1, records for January are unavailable in
the monthly report.
Prerequisites
The current user has the System Management service permission.
NOTE
If a previous change to the storage cycle of report data has not yet taken effect, this operation cannot be
performed. In this case, perform the operation after the previous change takes effect.
Context
The SIG supports the setting of the five-minute, hourly, daily, and monthly storage cycles for
the traffic, traffic direction of a single user's data (report data of subscribers), and collected data
(by statistics objects such as the VIC, link, and direction). For example, the storage cycle of the
five-minute report of a user's traffic is specified as seven days. In this case, the system reserves
the data of the five-minute report for seven calendar days. If data is generated on the first day
of a month, it can be queried up to and including the eighth day, and is deleted by the
system at 00:00 on the ninth day.
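The collection times given for hourly, daily, and monthly reports and the storage-cycle rule above determine when a query can return data. The following added example (not part of the original guide or of the product) computes that window. The function names are hypothetical, and the deletion rule is generalized from the page's single seven-day example, which is an assumption.

```python
from datetime import date, datetime, time, timedelta


def available_from(granularity, period_start):
    """Earliest time at which the report covering period_start can be queried.

    hourly : the hour 08:00-09:00 is collected at 09:30
    daily  : a day is collected at 01:00 on the following day
    monthly: a month is collected at 03:00 on the first day of the next month
    """
    if granularity == "hourly":
        hour = period_start.replace(minute=0, second=0, microsecond=0)
        return hour + timedelta(hours=1, minutes=30)
    if granularity == "daily":
        next_day = period_start.date() + timedelta(days=1)
        return datetime.combine(next_day, time(1, 0))
    if granularity == "monthly":
        year, month = period_start.year, period_start.month
        # Roll over to January of the next year after December.
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
        return datetime(year, month, 1, 3, 0)
    raise ValueError(f"no collection time documented for {granularity!r}")


def deleted_at(generated_on, storage_days):
    """Time at which data generated on a given date is removed.

    Assumption generalized from the page's example: with a 7-day cycle,
    data from day 1 is still queryable on day 8 and removed at 00:00 on day 9.
    """
    return datetime.combine(generated_on + timedelta(days=storage_days + 1),
                            time(0, 0))


def is_queryable(granularity, period_start, now, storage_days=None):
    """True if the report for period_start exists and is not yet deleted."""
    if now < available_from(granularity, period_start):
        return False
    if storage_days is not None:
        if now >= deleted_at(period_start.date(), storage_days):
            return False
    return True


if __name__ == "__main__":
    # The page's own examples, checked at the times it mentions.
    print(is_queryable("hourly", datetime(2011, 1, 1, 8), datetime(2011, 1, 1, 9, 20)))
    print(is_queryable("daily", datetime(2011, 1, 1), datetime(2011, 1, 2, 0, 30)))
    print(is_queryable("monthly", datetime(2011, 1, 1), datetime(2011, 2, 1, 1, 0)))
    print(deleted_at(date(2011, 1, 1), 7))
```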
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 In the navigation tree, choose System Management > System Configuration > Statistic Data
saved Cycle.
Step 3 Perform the following operations as required:
• If the storage cycle does not need to be specified according to the service or data type, directly
enter the cycle value to be changed in the text box.
• If the storage cycle needs to be specified according to the service or data type, click Show
Advance Configuration, and then enter the cycle value to be changed in the text box.
Step 4 Click Save. The system displays a prompt indicating that the operation succeeds.
----End
Prerequisites
The current user has the Statistics and Analysis Report service permission.
Procedure
Step 1 Log in to the Back End of the SIG.
For example, to define the subscribers whose areas are Haidian and service packages are
2M_Package as a predefined analysis object, you should select Haidian from Area and
2M_Package from Service Package.
For details on the attributes of subscribers, see 4.2 Configuring the Subscriber. For details on
the attributes of VICs, see 4.3 Configuring the VIC.
----End
Prerequisites
The current user has the Statistics and Analysis Report service permission.
Context
After the task of querying a certain report is specified as the timed task, the system completes
the report query at the specified time and saves the queried report to the database. The operator
can specify the query condition on the Timed Task Management interface to query reports.
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 In the navigation tree, choose Statistics and Analysis Report > Timed Task Management.
Step 3 Click Query, enter the query condition as required, and then confirm the operation.
----End
Prerequisites
The current user has the Statistics and Analysis Report service permission.
Context
The process of querying reports lasts for a certain period. Therefore, the operator can transfer
the process of querying reports to the background, saving the time for performing other
operations. When estimating that the report query is complete, the operator can set query
conditions on the Background Task Management interface to query the reports of interest.
The SIG system automatically cleans the background tasks of the previous week at 04:00
every day.
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 In the navigation tree, choose Statistics and Analysis Report > Background Task
Management.
Step 3 Click Query, enter the query condition as required, and then confirm the operation.
You can query the details about reports only when the task status is end.
1. Click View Report in the row of the task to be queried. Only one task can be queried
at a time.
2. Query the details about the report in the pop-up dialog box.
• Delete report tasks.
1. Select the task to be deleted, and then click Delete.
2. Click Yes in the confirmation dialog box.
----End
Prerequisites
The current user has the Statistics and Analysis Report service permission.
Procedure
Step 1 In the navigation tree, choose Statistics and Analysis Report > Customized Report
Management.
Step 2 Click Add.
Step 3 In the pop-up dialog box, enter the name of the customized report to be added in Customized
Report Name.
Step 4 Select the service type, sub-service type, and report type from the drop-down list and then set
them.
Step 5 Click Add. Set query conditions in the pop-up dialog box, and click OK. The system returns to
the previous page and displays a new record.
Step 6 (Optional) Repeat Step 4 to Step 5 and add other report entries as required.
Step 7 Click OK. The system returns to the previous page and displays a new record.
----End
Prerequisites
The current user has the Statistics and Analysis Report service permission.
Context
The SIG provides two modes of displaying the protocol colors of reports.
When this mode is adopted, the color of one protocol stays the same in all reports.
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 In the navigation tree, choose Statistics and Analysis Report > Protocol Color
Management.
----End
Prerequisites
The current user has the service permission of Statistics and Analysis Report.
Context
The system supports only the export of the five-minute report data of common customers. The
data is exported in .csv files, as shown in Figure 21-5.
NOTE
The last entry of records in the preceding figure indicates the collection end time, which can be
parsed as Coordinated Universal Time (UTC).
The system supports the data export to an FTP server or server group. When you export data to
an FTP server group, set a priority value for each FTP server in the group. The system supports
the following modes:
• Master/Standby mode
The system exports the data to the available FTP server with the smallest priority value.
• Load balancing mode
The system exports the data file to each FTP server in turn, by polling.
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 In the navigation tree, choose Statistics and Analysis Report > Data Export Configuration.
Step 3 Add an FTP server or server group.
1. Click Add.
2. Enter the name of the FTP server or server group in Destination Name in the dialog box
that is displayed.
3. Click Add, enter the information of the FTP server such as IP Address, User Name, User
Password and Priority Level in the dialog box that is displayed, and click OK.
NOTE
You can click Test Connection to check whether the FTP server can be accessed.
4. (Optional) Repeat the previous step to add other FTP servers.
5. Click Save.
Step 4 Select the Data Export Configuration in the upper page.
Step 5 Click Add.
Step 6 Set parameters in the dialog box that is displayed, as shown in Figure 21-6.
NOTE
The system supports only the export of five-minute report data at present.
After Export Log is enabled, the system automatically stores the record export log to the FTP server at
01:00 a.m. each day.
----End
22 System Management
System management mainly involves managing system accounts and their permissions, back-end
licenses, basic system parameters, knowledge bases, and operation logs. Through system
management, you can ensure the normal running of the system.
Operation logs record the details about the operations performed by the operator on the Back
End, including the login account, operation time, operation type, and IP address of the operator.
To query or manage operation logs, you should perform this task.
22.1.1 Overview
This section details the concept and purpose of flow classification items and flow classifications.
The concepts involved are as follows:
• Flow Classification Item
A flow classification item is a network traffic categorization that meets one or more
conditions including application-layer protocol type (such as HTTP), network-side IP
address, Layer-3 protocol attributes, and Layer-4 protocol attributes.
The system defines each protocol category in the DPI protocol signature file as a flow
classification by default to serve as reference in flow classification definition.
For details about flow classification item definition, see 22.1.5 Parameter Description.
• Flow Classification
A flow classification is a combination of network traffic defined by one or more flow
classification items.
The system defines each protocol category in the DPI protocol signature file as a flow
classification by default. For example, Web_Browsing is all the network traffic that falls
into the Web_Browsing protocol category.
One flow classification may include one or more flow classification items and a flow
classification item may be included in multiple flow classifications. Figure 22-1 shows the
relationship between flow classification items and flow classifications.
Figure 22-1 Relationship between flow classification items and flow classifications
Figure 22-2 Relationship among policy packages, policy items, and flow classifications (figure labels: Policy Package, 1≤X≤256)
Prerequisites
The current user has the Basic Configuration permission.
Procedure
Step 1 Log in to the Back End of the SIG.
When the flow classification code is used for interconnecting with a third party policy
server (such as HuaweiUPCC), it will be cited in policy definition in the third party policy
server to identify flow classification object.
c. In the Add Flow Classification dialog box, click Select the flow classification
item which has been configured, and select the flow classification items included
in the flow classification in the pop-up dialog box.
NOTE
----End
Prerequisites
The current user has the Basic Configuration permission.
Requirement Description
Define the HTTP traffic of some music Web sites as a flow classification to define separate
control policies (such as applying specific charge rates) for the traffic visiting the Web site by
subscribers in the internal network.
• 50.50.50.50
• 60.60.60.100/30
• 70.70.70.70 to 70.70.70.100
Procedure
Step 1 Log in to the Back End of the SIG using account admin.
4. Click Manage to the right of Network Side IP and the Network Side IP Management
dialog box appears.
5. Click Add. In the dialog box that is displayed, enter myMusicIPAddress in the Name
field, and then click OK.
6. Click Add, select IP Segment from Type, enter 50.50.50.50 in Start IP Address and
50.50.50.50 in End IP Address, and click OK.
7. Select Mask from Type, enter 60.60.60.100 in Subnet Address and 30 in Mask Digits,
and click OK.
8. Select IP Segment from Type, enter 70.70.70.70 in Start IP Address and 70.70.70.100
in End IP Address, click OK, and click Cancel. Figure 22-4 is displayed.
11. Click to the right of Network Side IP and select myMusicIPAddress as shown in
Figure 22-5.
1. Click OK. The system returns to the Flow Classification Item Configuration page and
displays the added record.
6. Click OK. The system returns to the Flow Classification Configuration page and displays
the added record.
----End
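To verify what the three myMusicIPAddress entries in this example actually cover, the following added example (not part of the original guide or of the product) normalizes IP Segment and Mask entries to address ranges and tests packets against them. The tuple layout and function names are hypothetical, and it assumes every address inside a masked block matches; the network-side rule (destination of upstream packets, source of downstream packets) is the one given in the parameter description.

```python
import ipaddress

# The three network-side entries from the requirement above, in the two entry
# types the procedure uses. The tuple layout is an assumption of this sketch.
MY_MUSIC_IP_ADDRESS = [
    ("segment", "50.50.50.50", "50.50.50.50"),
    ("mask", "60.60.60.100", 30),
    ("segment", "70.70.70.70", "70.70.70.100"),
]


def to_range(entry):
    """Normalize one entry to an inclusive (first, last) IPv4Address pair."""
    kind = entry[0]
    if kind == "segment":
        first = ipaddress.IPv4Address(entry[1])
        last = ipaddress.IPv4Address(entry[2])
        if first > last:
            raise ValueError(f"start {first} is after end {last}")
        return first, last
    if kind == "mask":
        # strict=False masks off host bits, so an unaligned subnet address
        # still resolves to the enclosing block (here .100 to .103).
        net = ipaddress.IPv4Network(f"{entry[1]}/{entry[2]}", strict=False)
        return net.network_address, net.broadcast_address
    raise ValueError(f"unknown entry type: {kind!r}")


def merge_ranges(entries):
    """Sort the ranges and merge any that overlap or touch."""
    merged = []
    for first, last in sorted(to_range(e) for e in entries):
        if merged and int(first) <= int(merged[-1][1]) + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def address_count(ranges):
    """Number of distinct addresses covered by merged ranges."""
    return sum(int(last) - int(first) + 1 for first, last in ranges)


def network_side_ip(direction, src, dst):
    """Destination of upstream packets, source of downstream packets."""
    if direction == "upstream":
        return ipaddress.IPv4Address(dst)
    if direction == "downstream":
        return ipaddress.IPv4Address(src)
    raise ValueError(f"unknown direction: {direction!r}")


def in_classification(direction, src, dst, ranges):
    """True if the packet's network-side address falls in any range."""
    ip = network_side_ip(direction, src, dst)
    return any(first <= ip <= last for first, last in ranges)


RANGES = merge_ranges(MY_MUSIC_IP_ADDRESS)

if __name__ == "__main__":
    for first, last in RANGES:
        print(f"{first} - {last}")
    print("addresses covered:", address_count(RANGES))
```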
Prerequisites
The current user has the Basic Configuration permission.
Requirement Description
Define system protocol categories P2P and PeerCasting as a flow classification to define
separate control policies for the relevant flow (such as applying separate QoS policies).
Procedure
Step 1 Log in to the Back End of the SIG using account admin.
Step 2 Add flow classifications.
1. In the navigation tree, choose Basic Configuration > Flow Classification Management
> Flow Classification Configuration.
2. Click Add.
3. Enter myP2PandPeerCasting in the Name dialog box.
4. Click Select the flow classification item which has been configured and select P2P and
PeerCasting in the dialog box that is displayed.
5. Click OK. Figure 22-7 appears.
6. Click OK. The system returns to the Flow Classification Configuration page and displays
the added record.
----End
Network Side IP    Optional, specifies the destination IP address of upstream packets or source IP address of
downstream packets.
The network-side IP address of a flow classification item may consist of one or more
IP address segments. Add IP addresses in the segments as follows:
• IP Segment
For Example: 20.20.20.20-20.20.20.222
• Mask
For Example: 30.30.0.0/16
[Setting] Click Manage on the right and add options in the dialog box that is displayed. After
you add an option, click on the right and select a network-side IP address.
22.2.1 Overview
This section describes the permission control mechanism of the system.
To ensure the secure and stable running of the system, you need to grant system users different
permissions.
The SIG adopts the role-based permission management mode. A role is the collection of
permissions, and different roles can be defined for the system. If a user obtains a certain role,
the user has all the permissions of the role.
For the SIG, two types of permissions are provided. One role can have either or both types of
permissions.
• Service Authority
With this permission, you can open operation interfaces and perform corresponding
operations.
The service permissions of the system are divided based on the operation items on the
interfaces and the nodes in the navigation tree. For example, the Administrator
Management interface includes the service permissions of viewing, adding, and modifying
the administrator.
• Data Authority
With this permission, you can exercise the read, write, or authorize permission on operation
objects. Data permissions apply only to the operation objects of role management and
area management.
NOTE
Choose System Management > System Configuration > System Basic Configuration and you
can disable the data authority function on the interface. When the data authority function is disabled,
the SIG provides only the service authority control mechanism. If an account has the service authority
of a certain interface, it indicates that the account has the operation permissions for all data objects
on the interface.
For roles, assignable data permissions include:
– Read
If an account has the read permission of a role, through the account, you can query the
details about the role.
– Write
If an account has the write permission of a role, through the account, you can query,
modify, and delete the role, and assign service permissions to the role.
– Authorize
If an account has the authorize permission of a role, through the account, you can query,
modify, and delete the role, and assign service permissions and data permissions to the
role.
For areas in service object management, assignable data permissions include:
– Read
If an account has the read permission of an area, through the account, you can view the
details about the area and its sub-areas, and service objects and reports of the area or
sub-areas.
– Write
If an account has the write permission of an area, through the account, you have the
read permission, and can add, modify, enable, disable, and delete the area and sub-areas.
– Authorize
If an account has the authorize permission of an area, through the account, you have the
read and write permissions, and data permissions for the area and sub-areas.
NOTE
Similar to the area, if you have added customized reports, you can assign data permissions to them.
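The interaction of service authority, data authority, and sub-areas described above can be modelled as follows. This is an added example, not the SIG's own code: the class and method names are hypothetical, Haidian as a sub-area of Beijing and the OtherCity area are constructed, and taking the highest level granted on an area or any of its ancestors is an assumption.

```python
from enum import IntEnum


class DataPerm(IntEnum):
    READ = 1
    WRITE = 2      # includes READ
    AUTHORIZE = 3  # includes READ and WRITE


class AccessModel:
    def __init__(self, data_authority_enabled=True):
        self.data_authority_enabled = data_authority_enabled
        self.parent = {}         # area -> parent area (None for a root area)
        self.role_perms = {}     # role -> set of service permissions
        self.account_roles = {}  # account -> set of roles
        self.area_grants = {}    # account -> {area: DataPerm}

    def add_area(self, name, parent=None):
        if parent is not None and parent not in self.parent:
            raise KeyError(f"unknown parent area: {parent}")
        self.parent[name] = parent

    def add_role(self, role, service_perms):
        self.role_perms[role] = set(service_perms)

    def add_account(self, account, roles=()):
        self.account_roles[account] = set(roles)
        self.area_grants.setdefault(account, {})

    def grant_area(self, account, area, level):
        if area not in self.parent:
            raise KeyError(f"unknown area: {area}")
        self.area_grants[account][area] = DataPerm(level)

    def has_service(self, account, service_perm):
        """An account holds every service permission of each of its roles."""
        return any(service_perm in self.role_perms.get(role, ())
                   for role in self.account_roles.get(account, ()))

    def effective_area_perm(self, account, area):
        """Highest level granted on the area or an ancestor, else None."""
        grants = self.area_grants.get(account, {})
        best, node = None, area
        while node is not None:
            level = grants.get(node)
            if level is not None and (best is None or level > best):
                best = level
            node = self.parent[node]
        return best

    def can(self, account, service_perm, area, needed):
        if not self.has_service(account, service_perm):
            return False
        if not self.data_authority_enabled:
            # With data authority disabled, service authority alone
            # gives access to all data objects on the interface.
            return True
        level = self.effective_area_perm(account, area)
        return level is not None and level >= needed


REPORT_SERVICE = "Statistics and Analysis Report"


def build_example(data_authority_enabled=True):
    model = AccessModel(data_authority_enabled)
    model.add_area("Beijing")                    # root area from the page
    model.add_area("Haidian", parent="Beijing")  # constructed sub-area
    model.add_area("OtherCity")                  # constructed separate area
    model.add_role("reportRole", [REPORT_SERVICE])
    model.add_account("reportUser", roles=["reportRole"])
    model.add_account("guest")                   # constructed, no roles
    model.grant_area("reportUser", "Beijing", DataPerm.READ)
    return model
```

Running the same checks with `build_example(False)` shows how much wider access becomes when the data authority function is disabled.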
When managing system accounts and permissions, it is recommended that you add roles, assign
service permissions to the roles, add system accounts, and then assign data permissions to the
system accounts according to data management requirements.
NOTE
By default, the SIG has a system administrator (also called the super administrator) account whose user
name is admin and default password is Admin@123. This account has all the permissions of the system,
and cannot be deleted.
Figure 22-8 Procedure for configuring system account and permission management
Start > Add a role > Assign service permissions > Add an account > Assign data permissions > End
Action Description
Add a role You can add a role to globally manage system accounts by role.
Operation page: In the navigation tree, choose System
Management > Permission Management > Role Management.
Add an account You can add a system account to assign a role to the account.
Operation page: In the navigation tree, choose System
Management > Permission Management > Administrator
Management.
Assign data permissions    You can assign data permissions to roles and areas as required.
Operation pages include:
• To assign data permissions to roles: In the navigation tree, choose
System Management > Permission Management > Role
Management.
• To assign data permissions to the areas of subscribers: In the
navigation tree, choose Subscriber and Network Management
> Subscriber > Area Management.
• To assign data permissions to the areas of VICs: In the navigation
tree, choose Subscriber and Network Management > Very
Important Customer > Area Management.
NOTE
For details on the service object management service, see 4 Subscriber and
Network Object Initialization.
Prerequisites
The current user has the Permission Management service permission, and data permissions to
authorize the objects.
Requirement Description
An account named as reportUser needs to be added. Through the account, service reports can
be queried.
Suppose that 4.2 Configuring the Subscriber is complete, and the name of the root area is
Beijing. Through account reportUser, all the reports of subscribers in the Beijing area can be
queried.
Suppose that the system maintenance engineer (Mr. Zhang) with account admin performs the
task.
Procedure
Step 1 Log in to the Back End of the SIG with account admin.
NOTE
The password must contain no less than six characters covering uppercase letters, lowercase letters,
and digits.
4. Click OK. The system returns to the previous page and displays a new record.
5. Select the check box of record reportUser, and then click Assign Role.
6. Select the check box of the reportRole line in the pop-up dialog box.
7. Click OK, and then confirm the operation.
----End
Prerequisites
The current user has the System Management service permission.
CAUTION
After the Back End is installed, you should set certain basic system parameters in the pop-up
dialog box on the first login to the Back End. Once specified, parameters cannot be changed.
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 Open the page that corresponds to the parameters to be specified:
l To view partial basic system parameters: In the navigation tree, choose System
Management > System Configuration > System Basic Configuration.
l To set device connection parameters: In the navigation tree, choose System Management
> System Configuration > Component Configuration.
l To set login security parameters: In the navigation tree, choose System Management >
System Security > Security Configuration.
----End
Table 22-3 shows the description of the important items in managing basic system parameters.
VIC Area Level
    The system supports the hierarchical management (up to three levels) of VIC areas.
    [Operation page]: In the navigation tree, choose System Management > System Configuration >
    System Basic Configuration.
    [Setting method]: Select the item from the drop-down list.
    [Example]: 3
Virtual Tunnel and Link Area Level
    The system supports the hierarchical management (up to three levels) of virtual tunnels and
    link areas.
    [Operation page]: In the navigation tree, choose System Management > System Configuration >
    System Basic Configuration.
    [Setting method]: Select the item from the drop-down list.
    [Example]: 3
Data Authority
    You can enable or disable the data authority function by clicking the option button.
    When the data authority function is disabled, the SIG provides only the service authority
    control mechanism. If an account has the service authority of a certain interface, it indicates
    that the account has the operation permissions for all data objects on the interface.
    [Operation page]: In the navigation tree, choose System Management > System Configuration >
    System Basic Configuration.
    [Setting method]: Click the option button.
Working Mode Configuration
    This parameter is used to set the working mode. The options are in-line and off-line.
    [Operation page]: In the navigation tree, choose System Management > System Configuration >
    Component Configuration.
    [Setting method] Click Configure, and then click the option button.
CFS Configuration
    The CDR routing condition and the disabling conditions of the CDR file can be adjusted
    according to the default value.
    The CDR routing conditions are used to identify the paths for saving CDR files by GGSN IP
    address. The system has already provided a default condition to specify the path for saving
    all CDRs. If the CDR routing condition changes, the system immediately disables all CDR files
    related to the original routing condition.
    The disabling condition of CDR files is used to adjust the triggering condition. The system
    immediately disables the CDR files if the triggering condition is reached.
    For details on offline charging, see 7 Charging Service.
    [Operation page]:
    [Setting method] Click Configure, and then click the check box.
Configure IP Segment: Start IP Address, End IP Address
    This parameter is used to set the range of IP addresses, through which the Back End can be
    logged in. By default, the range of IP addresses allowed to be accessed is 1.0.0.0 to
    223.255.255.255.
    To ensure security, you are recommended to delete the default IP address range (1.0.0.0 to
    223.255.255.255), and reset the IP address range. If no IP address exists in the specified IP
    address list, all operators that remotely log in fail to log in to the Back End. The current
    operator is not forced offline, but fails to log in the next time.
    [Operation page]: In the navigation tree, choose System Management > System Security >
    Security Configuration.
    [Setting method] Click Configure, and then enter the parameter value in the text box.
Configure Email Server: Enable the Email Service, Server Address, Sender Email Address
    This parameter is used to enable the email service and enter certain settings.
    After the email server is enabled, the SIG can send the random login password and timed task
    report to users through emails.
    [Operation page]: In the navigation tree, choose System Management > System Security >
    Security Configuration.
    [Setting method] Click Configure, select the check box, and then enter certain settings in the
    text box.
Configure Session Expired Time
    When the interaction between the SIG client and the Web server exceeds the specified time, the
    session expires, and thus the Web server disconnects with the SIG client.
    By default, the session expiration time is 10 minutes. You can set the session expiration time
    as required. The setting takes effect on the next login for online users including the current
    user.
    [Operation page]: In the navigation tree, choose System Management > System Security >
    Security Configuration.
    [Setting method] Click Configure, and then enter the parameter value in the text box.
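The Configure IP Segment item above recommends replacing the default login range and warns that a segment list that omits an operator's address blocks that operator's next login. The following added example (not part of the guide or of the SIG software) reviews a proposed segment list before it is entered in the Back End. The function names, the 65536-address size threshold, the RFC 1918 expectation and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Default login segment quoted in the table above.
DEFAULT_SEGMENT = (ipaddress.IPv4Address("1.0.0.0"),
                   ipaddress.IPv4Address("223.255.255.255"))

# Assumption: management workstations sit in RFC 1918 private space.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_segment(start, end):
    """Parse one Start IP Address / End IP Address pair."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if first > last:
        raise ValueError("start address is above end address")
    return first, last


def is_private_only(segment):
    """True when every CIDR block of the segment lies inside an RFC 1918 net."""
    blocks = ipaddress.summarize_address_range(*segment)
    return all(any(b.subnet_of(p) for p in PRIVATE_NETS) for b in blocks)


def review_segments(segments, operator_ips, max_addresses=65536):
    """Return a list of (code, detail) findings; an empty list means no issue.

    segments      -- proposed (start, end) string pairs
    operator_ips  -- addresses that must still be able to log in
    max_addresses -- hypothetical size limit for a single segment
    """
    findings, parsed = [], []
    for start, end in segments:
        try:
            seg = parse_segment(start, end)
        except ValueError as exc:  # AddressValueError is a ValueError subclass
            findings.append(("invalid", f"{start}-{end}: {exc}"))
            continue
        parsed.append(seg)
        label = f"{seg[0]}-{seg[1]}"
        if seg == DEFAULT_SEGMENT:
            findings.append(("default-range", label))
        if int(seg[1]) - int(seg[0]) + 1 > max_addresses:
            findings.append(("too-broad", label))
        if not is_private_only(seg):
            findings.append(("public-space", label))
    if not parsed:
        # Per the table above: with no address in the list, remote logins fail.
        findings.append(("empty-list", "no valid segment, remote logins would fail"))
    for ip in operator_ips:
        addr = ipaddress.IPv4Address(ip)
        if not any(first <= addr <= last for first, last in parsed):
            findings.append(("lockout", ip))
    return findings


if __name__ == "__main__":
    # Constructed sample: one proposed segment and two operators to keep.
    proposed = [("10.20.30.0", "10.20.30.63")]
    operators = ["10.20.30.40", "10.20.31.5"]
    for code, detail in review_segments(proposed, operators):
        print(f"{code}: {detail}")
```

Because the current operator is not forced offline when the list changes, a lockout only shows up at the next login, so run the review before saving the new segments.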
Prerequisites
The current user has the Basic Configuration service permission.
Procedure
Step 1 In the navigation tree, choose Basic Configuration > User Message Configuration > Alarm
URL Management.
Step 2 Click Add. The Add Alarm URL dialog box is displayed.
The system supports WAP alarm push. Protocols such as WAP1.0, WAP1.1, WAP1.2, and WAP2.0 are
supported.
----End
Prerequisites
The current user has the Basic Configuration service permission.
Context
The dynamic alarms of the SIG include the following functions:
l Global dynamic alarms
Indicate the alarm configurations for the service objects in all areas. By default, there is an
alarm configuration entry for all services in the system. The administrator can respectively
configure alarm records for URL filtering, spammer monitoring, Botnet monitoring, worm
monitoring, GreenNet service, Botnet security service, worm security service, and
malicious URL filtering of security service.
When configuring the alarm records of all services or a certain service, the administrator
can specify alarm addresses, such as the URL of the accessible external Web server, or
upload local .htm or .html files; so that information is displayed for the target user when
the SIG generates an alarm.
The priority of the alarm policy configured for all services is lower than that configured
for a certain service. That is, the alarm policy for all services is enabled only when the alarm
for a certain service is not configured.
l Area dynamic alarms
To generate diversified service alarms for users in different areas, the SIG supports area-
based alarms as follows:
– For subscribers
Based on areas, the administrator respectively sets the alarm address of URL filtering,
spammer monitoring, Botnet monitoring, worm monitoring, GreenNet service, Botnet
security service, worm security service, malicious URL filtering of security service, and
the alarm address of all services.
– For VICs
Based on areas, the administrator respectively sets the alarm address of URL filtering
and GreenNet service.
The configurations of area dynamic alarms are the same as those of global dynamic alarms.
The administrator can specify the alarm address or upload .htm or .html files, so that
information is displayed for the target user when the SIG generates an alarm.
When configuring area-based alarm policies, the administrator can concurrently configure
alarm policies for the areas of all levels or partial levels. For the alarms of different levels,
the priority of the sub-area alarm is higher than that of the parent-area alarm. For example,
if both the Beijing and Haidian areas are configured with alarms, the alarms for Haidian users
match the alarm configuration of the Haidian area first.
The priority of area dynamic alarms is higher than that of global dynamic alarms. When a certain
service triggers the alarm policy, the SIG first checks whether an area dynamic alarm is
configured for this area. If the alarm is configured, an alarm is generated according to the area
dynamic alarm configuration; otherwise, an alarm is generated according to the global dynamic
alarm configuration.
NOTE
The system supports WAP alarm push. Protocols such as WAP1.0, WAP1.1, WAP1.2, and WAP2.0 are
supported.
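The precedence rules in the Context above, as an added example that is not part of the guide or of the SIG software. It assumes that the area lookup walks from the user's area up to the root and, at each level, checks the specific service before All Services; the guide does not state how these two rules combine, and the area tree, addresses and function name are constructed for illustration.

```python
ALL = "All Services"

# Constructed sample data: area tree (child -> parent) and alarm addresses.
PARENT = {"Haidian": "Beijing", "Chaoyang": "Beijing", "Beijing": None}
AREA_ALARMS = {
    ("Beijing", "Worm"): "http://alarm.example/beijing-worm.html",
    ("Beijing", ALL): "http://alarm.example/beijing.html",
    ("Haidian", "Worm"): "http://alarm.example/haidian-worm.html",
}
GLOBAL_ALARMS = {
    ALL: "http://alarm.example/default.html",
    "Botnet": "http://alarm.example/botnet.html",
}


def resolve_alarm(service, area, parent=PARENT,
                  area_alarms=AREA_ALARMS, global_alarms=GLOBAL_ALARMS):
    """Return (source, address) for the alarm shown to a user, or None.

    Order of evaluation (assumed combination of the rules in the text):
      1. area dynamic alarms, from the user's own area up to the root area;
         at each level the specific service is checked before All Services
      2. global dynamic alarm for the specific service
      3. global dynamic alarm for All Services
    """
    seen = set()
    node = area
    while node is not None and node not in seen:  # guard against a cyclic tree
        seen.add(node)
        for key in (service, ALL):
            if (node, key) in area_alarms:
                return (f"area:{node}:{key}", area_alarms[(node, key)])
        node = parent.get(node)
    for key in (service, ALL):
        if key in global_alarms:
            return (f"global:{key}", global_alarms[key])
    return None


if __name__ == "__main__":
    for svc, area in [("Worm", "Haidian"), ("Worm", "Chaoyang"),
                      ("Botnet", "Haidian"), ("Botnet", "Shanghai")]:
        print(svc, area, "->", resolve_alarm(svc, area))
```

Under this assumption a Botnet alarm for a Haidian user resolves to the Beijing All Services entry rather than the global Botnet entry, which is the kind of shadowing worth checking when area and global alarms are both configured.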
Procedure
Step 1 (Optional) Configure global dynamic alarms.
1. In the navigation tree, choose Basic Configuration > User Message Configuration >
Global Dynamic Alarm Management.
2. Perform the following operations as required:
l If you want to modify the alarm configuration for all services, click All Services, and
enter the alarm address or select the path where the alarm file is saved in the displayed
dialog box.
l If you want to add the alarm configuration of the URL filtering service type, click
Add, select URL Filter in the displayed Service Type dialog box, and enter the alarm
address or the path where the alarm file is saved as required.
l If you want to add the alarm configuration of the spammer service type, click Add,
select Spammer in the displayed Service Type dialog box, and enter the alarm address
or the path where the alarm file is saved as required.
l If you want to add the alarm configuration of the Botnet service type, click Add, select
Botnet in the displayed Service Type dialog box, and enter the alarm address or the
path where the alarm file is saved as required.
l If you want to add the alarm configuration of the worm service type, click Add, select
Worm in the displayed Service Type dialog box, and enter the alarm address or the
path where the alarm file is saved as required.
l If you want to add the alarm configuration of the GreenNet service type, click Add,
select GreenNet-URL Filter in the displayed Service Type dialog box, and enter the
alarm address or the path where the alarm file is saved as required.
l If you want to add the alarm configuration of the security service-Botnet type, click
Add, select Security-Botnet in the displayed Service Type dialog box, and enter the
alarm address or the path where the alarm file is saved as required.
l If you want to add the alarm configuration of the security service-worm type, click
Add, select Security-Worm in the displayed Service Type dialog box, and enter the
alarm address or the path where the alarm file is saved as required.
l If you want to add the alarm configuration of the security service-malicious URL filter
type, click Add, select Security-Malicious URL Filter in the displayed Service
Type dialog box, and enter the alarm address or the path where the alarm file is saved
as required.
Table 22-4 shows the parameter description of the previous operations.
Table 22-4 Parameter description of the basic information about dynamic alarms
Parameter                  Description
Service Type
    If the alarm is configured for all services, the value of this parameter is fixed to All
    Services; otherwise, the following can be selected:
    l URL Filter
    l Spammer
    l Botnet
    l Worm
    l GreenNet-URL Filter
    Indicates the configuration of the alarm address or the alarm file for the GreenNet service.
    l Security-Botnet
    l Security-Worm
    l Security-Malicious URL Filter
HTTP Alarm URL
    Select the previously added alarm URL. The alarm URL is added in Basic Configuration > User
    Message Configuration > Alarm URL Management.
Alarm File
    Select the previously added alarm file. The alarm file is added in Basic Configuration > User
    Message Configuration > Alarm URL Management.
WAP Alarm File
    This item needs to be configured only when WAP users exist.
    Select the previously added alarm file. The file is added in Basic Configuration > User
    Message Configuration > Alarm URL Management.
Redirect
    This parameter is valid when Service Type is not URL filter.
    It indicates whether the target access page is displayed after the system prompts alarm
    information for the target user.
    When Redirect is Yes, you need to choose at least one redirection mode, for example, the
    automatic redirection mode or the confirmation redirection mode, or you can adopt two
    redirection modes concurrently.
    NOTE
    If Auto-redirect and Confirm redirection are enabled at the same time, the system immediately
    performs redirection after the user confirms the alarm information in Redirection interval. If
    the user does not confirm the alarm information in Redirection interval after the period times
    out, the system immediately performs the redirection without user confirmation.
Confirm redirection
    This parameter is valid when Redirect it or not is Yes. Users can select this option and
    confirm the operation on the alarm page, and then the target access page is displayed.
By repeating the previous operations, you can configure alarms for other areas.
l If you want to add the area alarm configuration of the worm service type, click Add,
select Worm in the displayed Service Type dialog box, select the target area that needs
alarm configuration in Select Area, and then enter the alarm address or the path where
the alarm file is saved as required.
By repeating the previous operations, you can configure alarms for other areas.
l If you want to add the area alarm configuration of the GreenNet service type, click Add,
select GreenNet-URL Filter in the displayed Service Type dialog box, select the target
area that needs alarm configuration in Select Area, and then enter the alarm address or
the path where the alarm file is saved as required.
By repeating the previous operations, you can configure alarms for other areas.
l If you want to add the area alarm configuration of the security service-Botnet type, click
Add, select Security-Botnet in the displayed Service Type dialog box, select the target
area that needs alarm configuration in Select Area, and then enter the alarm address or
the path where the alarm file is saved as required.
By repeating the previous operations, you can configure alarms for other areas.
l If you want to add the area alarm configuration of security service-worm type, click
Add, select Security-Worm in the displayed Service Type dialog box, select the target
area that needs alarm configuration in Select Area, and then enter the alarm address or
the path where the alarm file is saved as required.
By repeating the previous operations, you can configure alarms for other areas.
l If you want to add the area alarm configuration of security service-malicious URL filter
type, click Add, select Security-Malicious URL Filter in the displayed Service
Type dialog box, select the target area that needs alarm configuration in Select Area,
and then enter the alarm address or the path where the alarm file is saved as required.
By repeating the previous operations, you can configure alarms for other areas.
By repeating the previous operations, you can configure area alarms for VICs.
----End
22.6.1 Overview
This section describes the categories and functions of the knowledge base of the system.
Related concepts of knowledge base management are as follows:
l DPI protocol file
The DPI protocol file is the DPI protocol signature file. Serving as a large-capacity dedicated
DPI system, the SIG system provides powerful protocol analysis capability and analyzes hundreds
of protocols, including P2P, IM, game, and streaming media protocols.
Moreover, the SIG system supports automatic upgrade and manual import of the signature file,
as well as customized signature files.
l UCDB
The UCDB saves a large amount of URL category information and provides a database
delivering the query function. Through the UCDB, the SIG system provides the URL
monitoring function. For example, certain URLs that subscribers or VICs access can be
blocked or alarmed according to the related policy.
In addition, the SIG system provides the automatic upgrade for the UCDB and supports
customized UCDBs.
l Malware signature file
The malware signature file is used to identify malicious traffic such as worm and Botnet
traffic. Through the malware signature file, the SIG system implements detection on
malicious traffic, and provides the worm monitoring service for subscribers, VICs, and
links, or delivers the Botnet monitoring function for subscribers or VICs.
Besides, the SIG system supports the automatic upgrade and manual importing for the
malware signature file. The malware signature file and DPI signature file adopt the same
automatic upgrade mechanism. That is, after the automatic upgrade of the protocol database
is configured, the system implements the same configuration on the automatic upgrade of
the malware signature file.
With knowledge base management, you can implement:
l DPI signature file management
The automatic upgrade and manual importing of the DPI signature file can be implemented
and customized DPI signature files are supported.
l UCDB management
The automatic upgrade can be implemented and customized UCDBs are supported.
l Malware signature file management
The automatic upgrade and manual importing of the malware signature file can be
implemented and customized malware signature files are supported.
l Terminal information signature file management
With terminal information signature file management, the equipment type (mobile, data
card, or other unknown types), mobile telephone brand, operating system type, and browser
type can be identified according to the account type and traffic features. After the
corresponding dynamic attributes of subscribers are added and enabled, the policy
management and report analysis can be implemented on the traffic of different types.
By default, the management on terminal information signature file is enabled. The
equipment type, mobile telephone brand, operating system type, and browser type can be
identified through the analysis of RADIUS packets and HTTP packets. Moreover, you can
manually add a terminal feature or import terminal features in batches in knowledge base
management, so that references are provided for the identification of unknown terminals.
In this case, the accurate and comprehensive identification of user terminals on the current
network is achieved.
NOTE
The HTTP content type signature file is used for collecting statistics in a certain report. Operation page:
In the navigation tree, choose Statistics and Analysis Report > Traffic > Link and Virtual Tunnel >
HTTP Content Traffic Trend.
Prerequisites
The current user has the Basic Configuration and System Management service permissions.
NOTE
If you need to enable the automatic upgrade function of the signature file, ensure that the Update Server
can access the Internet.
If you need to manually import the DPI signature file, malware signature file, or UCDB version file,
download the version file to be upgraded from http://sec.huawei.com.
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 (Optional) Import the DPI signature file and malware signature file.
1. In the navigation tree, choose System Management > Update of System Knowledge
Base > Update of Signature File.
2. Perform the following operations as required:
l To import the DPI signature file, click Import in the DPI Signature File Version
Management. Click Browse to select the file to be imported, and then click Import.
l To import the malware signature file, click Import in the AME Signature File Version
Management. Click Browse to select the file to be imported, and then click Import.
Step 3 (Optional) Configure the automatic upgrade for the DPI signature file and malware signature
file.
1. In the navigation tree, choose System Management > Update of System Knowledge
Base > Update of Signature File.
2. In the Update Server Configuration group box, click Configure.
3. Enter the information of the update Web site, and then click Save.
NOTE
To learn related information about the upgrade Web site, contact Huawei technical support personnel.
4. In the Update Cycle Configuration group box, click Configure.
5. Enter the upgrade cycle, and then click Save.
Step 4 (Optional) Import the UCDB version file.
1. In the navigation tree, choose System Management > Update of System Knowledge
Base > Update of URL File.
2. Click Import.
3. Click Browse to select the file to be imported, and then click Import.
Step 6 (Optional) Check the versions of the DPI signature file, malware signature file, and UCDB.
l To check the version of the DPI signature file: In the navigation tree, choose System
Management > Update of System Knowledge Base > Update of Signature File. In the
corresponding group box, click Version Management.
l To check the version of the malware signature file: In the navigation tree, choose System
Management > Update of System Knowledge Base > Update of Signature File. In the
corresponding group box, click Version Management.
l To check the version of the UCDB: In the navigation tree, choose System Management >
Update of System Knowledge Base > Update of URL File. In the URL Category Version
Management group box, view the current version.
NOTE
When multiple versions of DPI signature files or malware signature files exist, the system allows you to
switch the current version to another one. To switch, select the version that is to become the current
one, and then click Set Current Version.
l To delete one or more signature values, select the signature value to be deleted in the
Terminal Information area, and click Delete.
l To delete a category without signature values, click the category to be deleted in the
Terminal Information area, and click Delete.
l To export the terminal signature file, click Export All and save the file to a local path.
----End
Prerequisites
The current user has the Basic Configuration service permission.
Requirement Description
You should configure the specified URL as the customized protocol. In this manner, the SIG
can identify the generated traffic of the URL as that of the customized protocol instead of HTTP.
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 In the navigation tree, choose Basic Configuration > Signature File Management >
Customized DPI Signature File.
5. Click Add.
6. Set parameters according to Figure 22-13.
7. Click OK. The system returns to the previous interface and displays a new record.
8. Click Close. The system returns to the previous interface and the added protocol is
displayed in the protocol list.
9. Click Submit a New Version, and then confirm the operation.
----End
Prerequisites
The current user has the Basic Configuration service permission.
Requirement Description
The MP3 online music traffic on Web site music.example.com is configured as carried by a
customized protocol. In this way, when such type of traffic is sent, its protocol is identified by
the SIG as the customized protocol, but not the predefined one.
Network packet analysis software is used to extract the target traffic. The sample is as follows:
//Upstream packets
GET /service/03835c3ffb89a4a5a6fe64d20a2cda89.mp3?xcode=dfdb0015e114519df90987aa0a25be9c24 HTTP/1.1
Accept: */*
User-Agent: NSPlayer/10.0.0.4072 WMFSDK/10.0
Accept-Encoding: gzip, deflate
Host: music.example.com
Connection: Keep-Alive
Cookie: EXAMPLEID=1717B049F1DB473CFA9A4F4E7CF060BA:FG=1
//Downstream packets
HTTP/1.1 200 OK
Server: JSP/1.0.3.0
Date: Thu, 22 Jul 2010 02:49:14 GMT
Content-Type: application/octet-stream
Content-Length: 3578983
Connection: close
Last-Modified: Tue, 20 Jul 2010 01:49:00 GMT
Expires: Sun, 25 Jul 2010 00:29:13 GMT
Cache-Control: max-age=259200
Accept-Ranges: bytes
After the sample is analyzed, the following features of the target traffic are concluded:
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 In the navigation tree, choose Basic Configuration > Signature File Management >
Customized DPI Signature File.
Step 3 Add a category.
1. Click Add a Category.
2. In the pop-up dialog box, enter the name of the category (for example, myMP3) to be
defined in Category Name.
3. Click OK. The system returns to the previous interface and the added category is displayed
in the category list.
Step 4 Define a protocol.
1. Select an existing category (for example, myMP3) in the category list.
2. Click Add a Protocol.
3. In the pop-up dialog box, select HTTP for Protocol Type, and enter the name of the
protocol (for example, ExampleMP3) to be defined in Protocol Name.
4. Click Save. Figure 22-14 shows the interface.
5. Click Add.
6. Set parameters according to Figure 22-15.
7. Click OK. The system returns to the previous interface and displays a new record.
8. Click Close. The system returns to the previous interface and the added protocol is
displayed in the protocol list.
9. Click Submit a New Version, and then confirm the operation.
----End
Protocol Type
    To increase the accuracy of protocol identification. Options are:
    l HTTP
    l RTSP (Real-Time Streaming Protocol)
    l MMS (Microsoft Media Server)
    l Other
    If it is not HTTP, RTSP or MMS, select Other.
    [Setting method] Select the corresponding item from the drop-down list.
    [Value range]
    l HTTP
    l RTSP
    l MMS
    l Other
Content Type
    Options are Character String and Hex.
    [Setting method] Select the corresponding item from the drop-down list.
    [Value range]
    l Character String
    l Hex
Prerequisites
The current user has the System Management service permission.
Procedure
Step 1 Log in to the Back End of the SIG.
Step 2 In the navigation tree, choose System Management > System Security > Log Management.
Step 3 View logs on the interface, or click Query to query logs by entering query conditions.
Step 4 (Optional) Export logs within the specified range to a local path.
----End
23 FAQs
23.1 Using the Firefox Browser, How Can I Set the Disk Location for Saving the Exported
Template?
23.2 How to troubleshoot the fault that navigation nodes in the directory cannot be expanded,
when the user uses the Firefox browser to open the Help system?
23.3 What if the exporting through the IE browser fails in certain OSs?
23.4 What are the conversion relations of traffic units and rate units in this document?
23.5 When I use the Firefox browser, the texts on the page are incomplete or the layout is
improper. What should I do?
23.6 How to Set the Priority of a Policy Item?
23.1 Using the Firefox Browser, How Can I Set the Disk
Location for Saving the Exported Template?
Question
Using the Firefox Browser, How Can I Set the Disk Location for Saving the Exported Template?
Answer
Step 1 In the menu bar of the Firefox, choose Tools > Options. The Downloads dialog box is displayed.
Step 3 The following are the methods of saving the exported template:
l The downloaded files are saved to a specified path every time.
1. Click the Save files to option button.
2. Click Browse to set the default path for saving the downloaded files.
l The system prompts that the path for saving the file needs to be selected every time a file is
downloaded.
Click Always ask me where to save files, and the system prompts that the path for saving
the file needs to be selected every time a file is downloaded.
Step 4 Click OK to complete the setting.
----End
Question
How to troubleshoot the fault that navigation nodes in the directory cannot be expanded, when
the user uses the Firefox browser to open the Help system?
Answer
Click in the toolbar to reload the current page. Alternatively, use the IE browser to re-log in
to the Back End, and call and read the Help system.
Question
What if the exporting through the IE browser fails in certain OSs?
Answer
You can add the current URL to the trusted sites. If the fault still persists, set the security level
to Low, and Automatic prompting for file downloads to Enable, as shown in Figure 23-1.
Question
What are the conversion relations of traffic units and rate units in this document?
Answer
1GB=1000MB, 1MB=1000KB, 1KB=1000bytes, 1byte=8bits
1kbit/s=1000bit/s
23.5 When I use the Firefox browser, the texts on the page
are incomplete or the layout is improper. What should I do?
Question
When I use the Firefox browser, the texts on the page are incomplete or the layout is improper,
as shown in Figure 23-2. What should I do?
Answer
1. Open the Firefox browser, and choose Tools > Options.
2. Click the Content tab, and then click Advanced in the Fonts & Colors group box.
3. In the Fonts dialog box, click Allow pages to choose their own fonts, instead of my
selections above, as shown in Figure 23-3.
4. Click OK.
Question
How to set the priority of a policy item?
Answer
The smaller the value, the higher the priority. When a subscriber and network object is bound
with multiple policy items of the same type, only the policy item with the highest priority level
is valid. For details on policy priorities, see 5.4.15 Policy Priority Description.
Select a value from the drop-down list or enter an unused value in the text box.
NOTE
By default, the drop-down list displays the 100 smallest priority values that are not used by other
policy items.
5 Traffic 5.2 Querying Traffic 5.2.3 Report Examples (Link and Virtual
Management Reports Tunnel-based)
Service
5.2.4 Report Examples (Subscriber-
based)