Alcatel-Lucent 7750 SR OS Web Redirection (Captive Portal)

Filter Policy Configuration Overview

Page 280 7750 SR OS Router Configuration Guide

Web Redirection (Captive Portal)

The 7xx0 Series introduces a new type of redirection policy. Redirection policies were designed

for testing purposes. The new redirection policy can now block a customer’s request from an

intended recipient and force the customer to connect to the service’s portal server. 255 unique

entries with http-redirect are allowed.

Traffic Flow

The following example provides a brief scenario of a customer connection with web redirection.

1. The customer gets an IP address using DHCP (if the customer is trying to set a static IP he

will be blocked by the anti-spoofing filter).

2. The customer tries to connect to a website.

3. The router intercepts the HTTP GET request and blocks it from the network

4. The router then sends the customer a HTTP 302 (service temporarily unavailable/moved).

The target URL should then include the customer’s IP and MAC addresses as part of the por-

tal’s URL.

5. The customer’s web browser will then close the original connection and open a new connec-

tion to the web portal.

6. The web portal updates the ACL (directly or through SSC) to remove the redirection policy.

7. The customer connects to the original site.

Contents

Main Page Table of Contents Getting Started Page 7750 SR OS QoS Configuration Guide Page 5 Page 7750 SR OS QoS Configuration Guide Page 7 Page List of Tables Getting Started Page LIST OF FIGURES Page Preface About This Guide Audience List of Technical Publications Page Page Getting Started Alcatel-Lucent 7750 SR-Series Router Configuration Process Page IP Router Configuration Configuring IP Router Parameters Interfaces Network Interface System Interface IP Addresses Creating an IP Address Range Router ID Autonomous Systems (AS) Confederations Figure 1: Confederation Configuration Confederation 2002 Proxy ARP Internet Protocol Versions Page IPv6 Applications Page 7750 SR OS Router Configuration Guide Page 31 IPv6 Provider Edge Router over MPLS (6PE) 6PE Control Plane Support Page Bidirectional Forwarding Detection BFD Control Packet Control Packet Format Page Page Page Router Configuration Process Overview Reference Sources Page Configuring an IP Router with CLI Router Configuration Overview Router Configuration Overview System Interface Network Interface CLI Command Structure Figure 12: CLI System Configuration Context Figure 11: CLI Configuration Context Page Page Page Page Basic Configuration Basic Configuration Configuring a System Name Page 50 7750 SR OS Router Configuration Guide The following example displays the system name output. Configuring Interfaces Configuring a System Interface Configuring a Network Interface The following displays the IP configuration output showing the interface information. Configuring IPv6 Parameters The following displays the configuration output showing the interface information. Configuring IPv6 Over IPv4 Parameters Tunnel Ingress Node Both the IPv4 and IPv6 system addresses must to configured The following displays the configuration output showing the interface information. 7750 SR OS Router Configuration Guide Page 57 Learning the Tunnel Endpoint IPv4 System Address The following displays the configuration showing the OSPF output. Configuring an IPv4 BGP Peer The following displays the configuration showing the BGP output. 7750 SR OS Router Configuration Guide Page 59 An Example of a IPv6 Over IPv4 Tunnel Configuration The following displays the configuration showing the policy output. Page Tunnel Egress Node The following displays the configuration showing the interface information. Learning the Tunnel Endpoint IPv4 System Address The following displays the configuration showing the OSPF output. 7750 SR OS Router Configuration Guide Page 63 Configuring an IPv4 BGP Peer The following displays the configuration showing the BGP output. An Example of a IPv6 Over IPv4 Tunnel Configuration The following displays the configuration showing the policy output. Page Router Advertisement Page Configuring Proxy ARP Use the following CLI syntax to configure the policy statement specified in the proxy-arp- The following output displays the prefix list and policy statement configurations: Use the following CLI to configure proxy ARP: Creating an IP Address Range Deriving the Router ID Configuring a Confederation Page 7750 SR OS Router Configuration Guide Page 75 Configuring an Autonomous System CLI Syntax: config>router autonomous-system as-number The following example displays the autonomous system configuration command usage: Example: config>router# autonomous-system 100 config>router# The following example displays the autonomous system configuration: Service Management Tasks Changing the System Name 7750 SR OS Router Configuration Guide Page 77 Modifying Interface Parameters Service Management Tasks Deleting a Logical IP Interface 7750 SR OS Router Configuration Guide Page 79 IP Router Command Reference Router Commands IP Router Command Reference Router Interface Commands 7750 SR OS Router Configuration Guide Page 81 For router interface VRRP commands, see VRRP Command Reference on page223. Router Interface IPv6 Commands Router Advertisement Commands Page Show Commands IP Router Command Reference Clear Commands Debug Commands Generic Commands Router Global Commands router aggregate autonomous-system confederation ecmp ignore-icmp-redirect mc-maximum-routes router-id service-prefix triggered-policy static-route Page Page Page Router Interface Commands address Page allow-directed-broadcasts arp-timeout local-proxy-arp loopback ntp-broadcast port proxy-arp-policy qos remote-proxy-arp secondary static-arp tos-marking-state unnumbered Page Router Interface Filter Commands egress ingress Page Router Interface ICMP Commands icmp mask-reply redirects ttl-expired unreachables Page Router Interface IPv6 Commands address (ipv6) packet-too-big param-problem redirects time-exceeded unreachables local-proxy-nd proxy-nd-policy Router Advertisement Commands router-advertisement managed-configuration current-hop-limit max-advertisement-interval min-advertisement-interval mtu other-stateful-configuration prefix autonomous on-link preferred-lifetime reachable-time valid-lifetime retransmit-time router-lifetime Page Page aggregate arp Type Dyn The ARP entry is a dynamic ARP entry. authentication Page session dhcp dhcp6 Page summary ecmp fib Page Page Page Page Page Page Page Page Page Page route-table Type Local The route is a local route. Remote The route is a remote route. Page rtr-advertisement Page Page Page Page static-arp static-route Page service-prefix Mask The subnet mask length associated with the IP prefix. IP Prefix The IP prefix of the range of addresses included in the range for ser- vices. status Yes Triggered route policy re-evaluation is enabled. Page tunnel-table Page arp session dhcp dhcp6 forwarding-table icmp-redirect-route router-advertisement Debug Commands Debug Commands enable trace-point router Page Debug Commands packet route-table Page Page VRRP VRRP Overview VRRP Overview VRRP Components Virtual Router IP Address Owner Primary and Secondary IP Addresses Virtual Router Master Virtual Router Backup Owner and Non-Owner VRRP Configurable Parameters Virtual Router ID (VRID) IP Addresses Message Interval and Master Inheritance Skew Time Master Down Interval Preempt Mode VRRP Message Authentication Authentication Type 0 No Authentication 7750 SR OS Router Configuration Guide Page 179 Authentication Type 1 Simple Text Password Authentication Failure Authentication Data Virtual MAC Address VRRP Advertisement Message IP Address List Verification Inherit Master VRRP Routers Advertisement Interval Timer Policies VRRP Priority Control Policies VRRP Virtual Router Policy Constraints VRRP Virtual Router Instance Base Priority VRRP Priority Control Policy Delta In-Use Priority Limit VRRP Priority Control Policy Priority Events Priority Event Hold-Set Timers Port Down Priority Event LAG Degrade Priority Event Page Page Host Unreachable Priority Event Route Unknown Priority Event VRRP Non-Owner Accessibility VRRP Non-Owner Accessibility Non-Owner Access Ping Reply Non-Owner Access Telnet Non-Owner Access SSH VRRP Configuration Process Overview VRRP Configuration Process Overview Figure 14: VRRP Configuration and Implementation Flow Figure 14 displays the process to provision VRRP parameters. VRRP Configuration Components VRRP Configuration Process Overview Page Configuration Notes General Reference Sources Configuring VRRP with CLI VRRP Configuration Overview VRRP Configuration Overview Preconfiguration Requirements VRRP CLI Command Structure ROUTER Figure 18: VRRP Command Structure VRRP show commands are located under the show>vrrp context. INTERFACE VRRP OWNER NON-OWNER BACKUP VRRP CLI Command Structure Page Page Page Page Page Basic VRRP Configurations Basic VRRP Configurations VRRP Policy VRRP IES Service Parameters Basic VRRP Configurations VRRP Router Interface Parameters Page Creating Interface Parameters The following example displays the IP interface configuration: Configuring VRRP Policy Components Use the CLI syntax displayed below to configure a VRRP policy: The following displays the VRRP policy configuration: Configuring IES or VPRN Service VRRP Parameters Non-Owner IES or VPRN VRRP Example Use the CLI syntax displayed below to configure IES or VPRN service non-owner VRRP The following output displays an example an IES non-owner VRRP configuration: The following example displays the basic non-owner VRRP configuration: Owner IES or VPRN VRRP Use the CLI syntax displayed below to configure IES or VPRN service owner VRRP The following output displays an example of an owner IES VRRP configuration: The following example displays the owner VRRP configuration: Configuring Router Interface VRRP Parameters Router Interface VRRP Non-Owner Use the CLI syntax displayed below to configure non-owner router interface VRRP The following example displays router interface non-owner VRRP configuration command usage: The following example displays the non-owner interface VRRP configuration: Router Interface VRRP Owner Use the CLI syntax displayed below to configure owner router interface VRRP parameters: The following example displays router interface owner VRRP configuration command usage: The following example displays the router interface owner VRRP configuration: VRRP Configuration Management Tasks Modifying a VRRP Policy VRRP Configuration Management Tasks Deleting a VRRP Policy Modifying Service and Interface VRRP Parameters Modifying Non-Owner Parameters Modifying Owner Parameters Deleting VRRP on an Interface or Service Page 7750 SR OS Router Configuration Guide Page 223 VRRP Command Reference VRRP Network Interface Commands VRRP Command Reference 7750 SR OS Router Configuration Guide Page 225 VRRP Priority Control Event Policy Commands Page Interface Configuration Commands authentication-key authentication-type backup Page Page init-delay master-int-inherit message-interval policy preempt Page ping-reply ssh-reply standby-forwarding telnet-reply traceroute-reply vrrp Page Priority Policy Commands delta-in-use-limit Page priority-event Priority Policy Event Commands hold-clear hold-set Page Page Priority Policy Port Down Event Commands port-down Page Priority Policy LAG Events Commands lag-port-down number-down Page Priority Policy Host Unreachable Event Commands drop-count host-unreachable Page interval timeout Page Priority Policy Route Unknown Event Commands less-specific next-hop protocol route-unknown Page global-statistics Page Page Page Page Page Page Page Page Page Page Page Page instance Filter Policies Filter Policy Configuration Overview Service and Network Port-based Filtering Filter Policy Entities Applying Filter Policies Redirect Policies Page Web Redirection (Captive Portal) Traffic Flow Page Creating Redirect Policies Figure 20: Filter Creation and Implementation Flow Page Policy Components Page Packet Matching Criteria Page DSCP Values Page IP Option Values Ordering Filter Entries Figure 24: Filtering Process Example INGRESSING PACKETS: #1: SA: 10.10.10.103, DA: 10.10.10.104 #2: SA: 10.10.10.103, DA: 10.10.10.105 #3: SA: 10.10.10.103, DA: 10.10.10.106 Source Address: 10.10.10.103 Destination Address: 10.10.10.104 SEARCH CRITERIA: Applying Filters Applying a Filter to a SAP Applying a Filter to a Network Port Configuration Notes MAC Filters IP Filters IPv6 Filters Log Filter Page Page Page Configuring Filter Policies with CLI Filter CLI Command Structure Filter CLI Command Structure Figure 25: Filter Command Structure ip and show>filter mac. Figure 26: Redirect Policy Command Structure Page Page Page Page Page Page Basic Configuration Page Creating an IP Filter Policy IP Filter Policy Page IP Filter Entry 7750 SR OS Router Configuration Guide Page 313 Configuring the HTTP-Redirect Option The following example displays the http-redirect configuration: Page 7750 SR OS Router Configuration Guide Page 315 Filter Sampling IP Entry Matching Criteria Use the following CLI syntax to configure IP filter matching criteria: The following displays the command usage to configure IP filter matching criteria: The following displays a matching configuration. Creating an IPv6 Filter Policy IPv6 Filter Policy IPv6 Filter Entry The following example displays the IPv6 filter entry configuration. Creating a MAC Filter Policy MAC Filter Policy MAC Filter Entry MAC Entry Matching Criteria Use the following CLI syntax to configure MAC filter matching criteria: The following displays the command usage to configure IP filter matching criteria: The following displays the filter matching configuration. Creating Filter Log Policies Use the following CLI syntax to configure filter log policy: The following displays the command usage to configure a filter log policy. The following displays the filter matching configuration. Applying Filter Policies Apply IP and MAC Filter Policies Page Apply an IPv6 Filter Policy to an IES SAP Use the following CLI syntax to apply an IPv6 filter policy to an ingress or egress SAP: The following displays the command usage to assign IPv6 filters to an IES service interface: The following output displays the IPv6 filters assigned to an IES service interface: Apply Filter Policies to Network Port Apply an IP Interface Apply an IPv6 Interface Use the following CLI syntax to apply an IPv6 filter policy to a network IP interface: Creating a Redirect Policy The following displays the command usage to create a redirect policy: The following example displays the policy configuration: Page Configuring Policy-Based Forwarding for Deep Packet Inspection in VPLS Configuring the VPLS service: The following example displays the service configuration: Configuring the MAC filter policy: The following example displays the MAC filter configuration: Adding the MAC filter to the VPLS service: The following example displays the service configuration: Filter Management Tasks Renumbering Filter Policy Entries Page Modifying an IP Filter Policy The following output displays the modified IP filter output: Page Modifying an IPv6 Filter Policy The following output displays the modified IPv6 filter output: Modifying a MAC Filter Policy The following output displays the modified MAC filter output: Deleting a Filter Policy From an Ingress SAP From an Egress SAP From a Network Interface To delete a filter from a network interface, enter the following CLI commands: CLI Syntax: config>router>if# egress no filter ip 2 CLI Syntax: config>router>if# ingress filter ip 2 config>router>if# ingress filter ipv6 1 CLI Syntax: config>router>if# ingress no filter ipv6 1 CLI Syntax: config>router>if# ingress no filter CLI Syntax: config>router>if# egress no filter From the Filter Configuration Modifying a Redirect Policy Deleting a Redirect Policy Copying Filter Policies Page 7750 SR OS Router Configuration Guide Page 351 Filter Command Reference Log Commands IP Filter Policy Commands Filter Command Reference 7750 SR OS Router Configuration Guide Page 353 IPv6 Filter Policy Commands MAC Filter Policy Commands Filter Command Reference 7750 SR OS Router Configuration Guide Page 355 Redirect Policy Configuration Commands Page Generic Commands Global Filter Commands ip-filter ipv6-filter mac-filter redirect-policy Filter Log Destination Commands summary summary-crit wrap-around Filter Policy Commands default-action scope General Filter Entry Commands entry Page IP Filter Entry Commands Page filter-sample interface-disable-sample Page Page MAC Filter Entry Commands Page Page IP Filter Match Criteria dscp dst-ip dst-port fragment icmp-code icmp-type ip-option multiple-option option-present src-ip src-port tcp-ack tcp-syn Page MAC Filter Match Criteria dot1p dsap dst-mac etype snap-oui snap-pid src-mac ssap Policy and Entry Maintenance Commands copy renum Page Redirect Policy Commands ping-test drop-count interval timeout snmp-test oid return-value url-test return-code url anti-spoof Page Page download-failed ip Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page redirect-policy Page Page ip Page Monitor Commands filter (ipv6) Monitor Commands Cflowd Cflowd Overview Cflowd Overview Operation Cflowd Overview Cflowd Filter Matching 7750 SR OS Router Configuration Guide Page 433 Cflowd Configuration Process Overview Cflowd Configuration Process Overview Figure 31: Cflowd Configuration and Implementation Flow Figure 31 displays the process to configure Cflowd parameters. Cflowd Configuration Components Cflowd Configuration Components Page Page Configuring Cflowd with CLI Cflowd Configuration Overview Traffic Sampling Collectors Aggregation Page Cflowd CLI Command Structure Figure 35: Cflowd Command Structure show>cflowd. List of Commands Page Basic Cflowd Configuration Global Cflowd Components Collector Components Configuring Cflowd Enabling Cflowd Configuring Global Cflowd Parameters The following example displays cflowd configuration command usage: The following example displays the common cflowd component configuration: Configuring Cflowd Collectors To configure cflowd collector parameters, enter the following commands: The following example displays collector and aggregation configuration command usage: The following example displays the basic cflowd configuration: Enabling Cflowd on Interfaces and Filters Dependencies Page Specifying Cflowd Options on an IP Interface Interface Configurations Page Specifying Sampling Options in Filter Entries Filter Configurations Cflowd Configuration Management Tasks Modifying Global Cflowd Components The following example displays the cflowd command usage to modify configuration parameters: The following example displays the common cflowd component configuration: Modifying Cflowd Collector Parameters Use the following commands to modify cflowd collector and aggregation parameters: The following example displays collector and aggregation configuration command usage: The following example displays the basic cflowd modifications: Page Cflowd Command Reference Show Commands Clear Commands Page Cflowd Configuration Commands Global Commands active-timeout cache-size collector aggregation as-matrix destination-prefix protocol-port raw source-destination-prefix source-prefix autonomous-system-type inactive-timeout overflow rate collector Page Page status Page Page Standards and Protocols Page 715 Standards and Protocol Support Standards Compliance Protocol Support Standards and Protocols Page 716 Standards and Protocols Standards and Protocols Standards and Protocols Page 717 I Proprietary MIBs Page 7750 SR OS Router Configuration Guide Page 481 Index C F I S V