HUAWEI SIG9800 V300R001C00 Configuration Guide 01 PDF

HUAWEI SIG9800 Service Inspection Gateway
V300R001C00
Configuration Guide
Issue 01
Date 2012-06-06
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2012. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com
Issue 01 (2012-06-06) Huawei Proprietary and Confidential i

Copyright © Huawei Technologies Co., Ltd.
Configuration Guide About This Document
About This Document
Related Version
The following table lists the product version related to this document.
Product Name Version
SIG9800 V300R001C00
Intended Audience
This document describes preparation and report applications of the SIG in terms of the service
configuration preparation, subscriber and network object initialization, typical service
configuration example, and report application example.
Therefore, this document is also the material for learning how to configure a service and employ
corresponding reports.
This document is intended for:
l Installation and commissioning engineers

l Data configuration engineers
l System maintenance engineers
Product Declaration
l Personal data might be involved during the service or maintenance of the SIG. Therefore,
corresponding protections are implemented. You are obligated to take related measures, in
compliance with the laws of the countries concerned and the user privacy policies of your
company, to ensure that the personal data of users is fully protected.
l To secure the network and service, certain personal data might be used or stored in line
with your requirements. Huawei alone is unable to collect or save the content of users'
communication. It is suggested that you activate the interception-related functions based
on the applicable laws and regulations in terms of purpose and scope of usage. You are
obligated to take considerable measures to ensure that the content of users' communications
is fully protected when the content is being used and saved.
Issue 01 (2012-06-06) Huawei Proprietary and Confidential ii

Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Indicates a hazard with a high level of risk, which if not

avoided, will result in death or serious injury.
DANGER
Indicates a hazard with a medium or low level of risk, which

if not avoided, could result in minor or moderate injury.
WARNING
Indicates a potentially hazardous situation, which if not

avoided, could result in equipment damage, data loss,
CAUTION
performance degradation, or unexpected results.
TIP Indicates a tip that may help you solve a problem or save
time.
NOTE Provides additional information to emphasize or supplement

important points of the main text.
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Boldface The keywords of a command line are in boldface.
Italic Command arguments are in italics.
[] Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... } Optional items are grouped in braces and separated by

vertical bars. One item is selected.
[ x | y | ... ] Optional items are grouped in brackets and separated by

vertical bars. One item is selected or no item is selected.
{ x | y | ... }* Optional items are grouped in braces and separated by

vertical bars. A minimum of one item or a maximum of all
items can be selected.
[ x | y | ... ]* Optional items are grouped in brackets and separated by

vertical bars. Several items or no item can be selected.
&<1-n> The parameter before the & sign can be repeated 1 to n times.
# A line starting with the # sign is comments.
Issue 01 (2012-06-06) Huawei Proprietary and Confidential iii

GUI Conventions
The GUI conventions that may be found in this document are defined as follows.
Convention Description
Boldface Buttons, menus, parameters, tabs, window, and dialog titles

are in boldface. For example, click OK.
> Multi-level menus are in boldface and separated by the ">"

signs. For example, choose File > Create > Folder.
Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Updates in Issue 01 (2012-06-06)

The initial commercial release.
Issue 01 (2012-06-06) Huawei Proprietary and Confidential iv

Configuration Guide Contents
Contents
About This Document.....................................................................................................................ii

1 Quick Start......................................................................................................................................1
1.1 What Is the SIG System?....................................................................................................................................2
1.2 Introduction to Basic Operations........................................................................................................................8
1.2.1 Logging in to the Front End......................................................................................................................8
1.2.2 Logging in to the Back End.....................................................................................................................11
1.2.3 Changing the Login Password of the Back End......................................................................................13
1.2.4 Logging out of the Back End...................................................................................................................14
1.3 Introduction to the GUI....................................................................................................................................14
1.4 Role Definition.................................................................................................................................................15
1.5 Overview of Tasks............................................................................................................................................15
1.5.1 Task Classification..................................................................................................................................16
1.5.2 List of Tasks............................................................................................................................................18
1.6 Fast Service Deployment Procedure.................................................................................................................23
2 Quick Index from the GUI Navigation Node to the Help...................................................25

3 Preparations for Service Configuration..................................................................................30
3.1 About Preparations for Service Configuration.................................................................................................31
3.2 Checking the Status of the Front End and Back End.......................................................................................31
3.2.1 Operation Procedure................................................................................................................................31
3.2.2 Typical Operation Example.....................................................................................................................34
3.2.3 Reference.................................................................................................................................................39
4 Subscriber and Network Object Initialization......................................................................43

4.1 About Subscriber and Network Object Initialization.......................................................................................45
4.2 Configuring the Subscriber...............................................................................................................................47
4.2.1 Overview.................................................................................................................................................47
4.2.2 Configuration Procedure..........................................................................................................................51
4.2.3 Typical Configuration Example (Adding Subscribers Manually)...........................................................54
4.2.4 Typical Configuration Example (Importing Subscriber Accounts in Batches and Adding Heavy User
Group)...............................................................................................................................................................57
4.2.5 Typical Configuration Example (Synchronizing Subscriber from the FTP Server)...............................60
4.2.6 Typical Configuration Example (Self Learning Subscribers and Adding Customized Attributes)........62
Issue 01 (2012-06-06) Huawei Proprietary and Confidential v

4.2.7 Typical Configuration Example (Self Learning Subscribers and Identifying the Area Where the Subscriber
Resides by SN).................................................................................................................................................65
4.2.8 Maintaining Existing Subscribers............................................................................................................69
4.2.9 Managing the Subscriber Group..............................................................................................................69
4.2.10 Parameter Description...........................................................................................................................70
4.2.11 Dynamic Attribute Description.............................................................................................................76
4.3 Configuring the VIC.........................................................................................................................................85
4.3.1 Overview.................................................................................................................................................85
4.3.3 Typical Configuration Example 1 (Manually Adding VICs)..................................................................88
4.3.4 Typical Configuration Example 2 (Importing VICs in Batches).............................................................90
4.4 Configuring the Link........................................................................................................................................92
4.4.1 Overview.................................................................................................................................................92
4.4.3 Typical Configuration Example..............................................................................................................96
4.4.4 Reference.................................................................................................................................................99
4.5 Configuring the Virtual Tunnel........................................................................................................................99
4.5.1 Background of Introducing the Concept of Virtual Tunnel.....................................................................99
4.5.2 Introduction to User Attribute Virtual Tunnel.......................................................................................101
4.5.3 Introduction to Stream Attribute Virtual Tunnel...................................................................................103
4.5.4 Typical Application Value of the Virtual Tunnel on Carrier Network.................................................105
4.5.5 Configuration Procedure........................................................................................................................106
4.5.6 Typical Configuration Example 1 (User Attribute Virtual Tunnel, Defining SN as the Virtual Tunnel
Category)........................................................................................................................................................107
4.5.7 Typical Configuration Example 2 (User Attribute Virtual Tunnel, Defining BTS as the Virtual Tunnel
Category)........................................................................................................................................................111
4.5.8 Typical Configuration Example 3 (Stream Attribute Virtual Tunnel, Defining the Traffic of Local IP
Address or Remote IP Address as the Virtual Tunnel)..................................................................................115
4.5.9 Typical Configuration Example 4 (Stream Attribute Virtual Tunnel, Defining VLAN Traffic as the Virtual
Tunnel)............................................................................................................................................................122
4.6 Configuring the AS Domain Group................................................................................................................128
4.6.1 Overview...............................................................................................................................................128
4.6.2 Typical Configuration Example............................................................................................................129
4.6.3 Reference...............................................................................................................................................132
4.6.4 BGP Overview.......................................................................................................................................133
4.6.5 BGP Message Types..............................................................................................................................134
4.7 Configuring the Subnet...................................................................................................................................138
4.7.1 Overview...............................................................................................................................................138
4.7.2 Typical Configuration Example 1 (Manually Adding Subnets)............................................................138
4.7.3 Typical Configuration Example 2 (Importing subnets in Batches).......................................................139
5 Traffic Management Service...................................................................................................141

5.1 About the Traffic Management Service.........................................................................................................143
5.2 Querying Traffic Reports................................................................................................................................144
Issue 01 (2012-06-06) Huawei Proprietary and Confidential vi

5.2.1 Overview...............................................................................................................................................144
5.2.2 Operation Procedure..............................................................................................................................146
5.2.3 Report Examples (Link and Virtual Tunnel-based)...............................................................................147
5.2.4 Report Examples (Subscriber-based)....................................................................................................165
5.2.5 Report Examples (VIC-based)...............................................................................................................184
5.2.6 Report Examples (Consolidated)...........................................................................................................191
5.2.7 Reference...............................................................................................................................................195
5.3 Querying the User Behavior Statistics Report................................................................................................196
5.3.1 Overview...............................................................................................................................................196
5.3.3 Report Examples....................................................................................................................................198
5.4 Configuring Traffic QoS................................................................................................................................206
5.4.1 Overview...............................................................................................................................................206
5.4.3 Typical Configuration Example (Link, Rate Limiting, and Taking Effect as Planned)........................212
5.4.4 Typical Configuration Example (Link, Priority Mark).........................................................................215
5.4.5 Typical Configuration Example (Link, Number of Connections Control)............................................218
5.4.6 Typical Configuration Example (Link, Rate Limiting, and Pass).........................................................221
5.4.7 Typical Configuration Example (Link, Priority Mark, and Not Remark).............................................224
5.4.8 Typical Configuration Example (Virtual Tunnel, Rate Limiting).........................................................227
5.4.9 Typical Configuration Example (Link and Virtual Tunnel, Rate Limiting).........................................230
5.4.10 Typical Configuration Example (Subscriber, Rate Limiting).............................................................230
5.4.11 Typical Configuration Example (Subscriber, Throttling)...................................................................233
5.4.12 Typical Configuration Example (Subscriber, Strict Priority)..............................................................236
5.4.13 Typical Configuration Example (Subscriber, WFQ)...........................................................................240
5.4.14 Typical Configuration Example (VIC, Rate Limiting).......................................................................243
5.4.15 Policy Priority Description..................................................................................................................246
5.4.16 Reference.............................................................................................................................................251
5.5 Configuring Congestion Detection and Control.............................................................................................254
5.5.1 Overview...............................................................................................................................................254
5.5.2 Configuration Flow................................................................................................................................257
5.5.3 Typical Configuration Example for Controlling Link Congestion.......................................................259
5.5.4 Typical Configuration Example for Controlling NE Traffic Congestion..............................................263
5.5.5 Typical Configuration Example for Controlling Subscriber Traffic When the Link Is Congested......267
5.5.6 Checking the Congestion Status and Logs............................................................................................272
5.6 Implementing Traffic Direction Statistics......................................................................................................273
5.6.1 Overview...............................................................................................................................................273
5.6.4 Report Examples (Between One Link or Link Group and One AS Domain Group)............................277
5.6.5 Report Examples (Between One AS Domain Group and Another AS Domain Group).......................283
5.6.6 Report Examples (Between One Subnet and One AS Domain Group, Between One Subnet and Another
Subnet)............................................................................................................................................................286
Issue 01 (2012-06-06) Huawei Proprietary and Confidential vii

5.7 Configuring Traffic Direction QoS................................................................................................................289

5.7.1 Overview...............................................................................................................................................289
5.7.3 Typical Configuration Example 1 (Between One Link and One AS Domain Group)..........................291
5.7.4 Typical Configuration Example 2 (Between One AS Domain Group and Another AS Domain Group)
........................................................................................................................................................................294
5.7.5 Typical Configuration Example 3 (Between One Subnet and One AS Domain Group)......................297
5.7.6 Typical Configuration Example 4 (Between One Subnet and Another Subnet)...................................300
5.8 Customized Data Reporting............................................................................................................................303
5.8.1 Overview...............................................................................................................................................303
5.8.2 Adjusting the Flow Classification Statistics Policy...............................................................................304
5.8.3 Adjusting the Protocol Statistics Policy of Subscriber..........................................................................306
5.8.4 Adjusting the Statistics Policy of Subscriber User Groups...................................................................307
6 FUP Service.................................................................................................................................308
6.1 About the FUP Service...................................................................................................................................309
6.2 Configuring the FUP Service (Interworking with the PCRF)........................................................................313
6.2.1 Overview...............................................................................................................................................313
6.2.3 Typical Configuration Example 1 (Predefined Rule, Total Traffic).....................................................319
6.2.4 Typical Configuration Example 2 (Predefined Rule, Service Traffic)..................................................334
6.2.5 Typical Configuration Example 3 (Predefined Rule, Quota Being Collected by Total Traffic but
Controlled by Service)....................................................................................................................................353
6.2.6 Typical Configuration Example 4 (Predefined Rule, Free Quotas for Certain Web Sites)...................368
6.2.7 Typical Configuration Example 5 (Predefined Rule, Limited Free Quotas for Certain Web Sites)
........................................................................................................................................................................394
6.2.8 Typical Configuration Example 6 (Predefined Rule, Roaming Quota Control)...................................425
6.2.9 Typical Configuration Example 7 (Dynamic Rule, Total Traffic)........................................................466
6.2.10 Typical Configuration Example 8 (Dynamic Rule, Service Traffic)..................................................482
6.3 Manually Adjusting Surplus Quotas (Interworking with the PCRF).............................................................498
7 Charging Service........................................................................................................................500
7.1 About the Charging Service...........................................................................................................................501
7.2 Configuring the Charging Service..................................................................................................................503
7.2.1 Overview...............................................................................................................................................503
7.2.3 Typical Configuration Example 1 (Online Charging by Traffic)..........................................................509
7.2.4 Typical Configuration Example 2 (Online Charging by Duration).......................................................520
7.2.5 Typical Configuration Example 3 (Online Charging by Traffic and Duration)....................................530
7.2.6 Typical Configuration Example 4 (Online Charging by Traffic and Roaming)...................................540
7.2.7 Typical Configuration Example 5 (Online Charging by Traffic, Traffic of Certain Protocols and Web
Sites Is Free of Charge)..................................................................................................................................550
7.2.8 Typical Configuration Example 6 (Comprehensive Charging, Charging for the Basic Service and Value-
added Services)...............................................................................................................................................561
7.2.9 Typical Configuration Example 7 (Online Charging by Traffic, Providing the FUP Function)...........571
Issue 01 (2012-06-06) Huawei Proprietary and Confidential viii

7.2.10 Typical Configuration Example 8 (Charging Redirection, Obtaining User's Quota Credit Status from
the RADIUS Server).......................................................................................................................................593
7.2.11 Typical Configuration Example 9 (Online Charging by Traffic, Online-to-Offline Charging in Case of
Faults).............................................................................................................................................................596
7.2.12 Typical Configuration Example 10 (Offline Charging)......................................................................606
7.2.13 Typical Configuration Example 11 (Online/Offline Charging)..........................................................616
8 URL Filtering Service................................................................................................................627

8.1 About the URL Filtering Service....................................................................................................................628
8.2 Configuring the URL Filtering Service..........................................................................................................632
8.2.1 Overview...............................................................................................................................................632
8.2.3 Typical Configuration Example 1 (Links).............................................................................................636
8.2.4 Typical Configuration Example 2 (Subscribers)...................................................................................641
8.2.5 Typical Configuration Example 3 (VICs).............................................................................................647
8.3 Querying URL Reports...................................................................................................................................650
8.3.1 Overview...............................................................................................................................................650
8.3.3 Report Examples....................................................................................................................................652
9 GreenNet Service.......................................................................................................................664
9.1 About the GreenNet Service...........................................................................................................................665
9.2 Configuring the GreenNet Service.................................................................................................................667
9.2.1 Overview...............................................................................................................................................667
9.2.3 Typical Configuration Example (Subscriber, Interworking with the RM9000)....................................672
9.3 Querying GreenNet Reports...........................................................................................................................689
9.3.1 Overview...............................................................................................................................................689
9.3.3 Report Examples....................................................................................................................................691
10 Traffic Mirroring/Diversion Service....................................................................................695

10.1 About the Traffic Mirroring/Diversion Service............................................................................................696
10.2 Configuring the Traffic Mirroring Service...................................................................................................700
10.2.1 Overview.............................................................................................................................................700
10.2.2 Configuration Procedure......................................................................................................................702
10.2.3 Typical Configuration Example 1 (Link, VoIP Traffic Mirroring).....................................................704
10.2.4 Typical Configuration Example 2 (Link, P2P and HTTP Traffic Mirroring).....................................707
10.3 Configuring Traffic Diversion Service.........................................................................................................711
10.3.1 Overview.............................................................................................................................................711
10.3.3 Typical Configuration Example 1 (Single Diversion).........................................................................714
10.3.4 Typical Configuration Example 2 (Multiple Diversions)....................................................................717
11 SmartBrowser Service.............................................................................................................721
Issue 01 (2012-06-06) Huawei Proprietary and Confidential ix

11.1 About the SmartBrowser Service.................................................................................................................722

11.2 Configuring the SmartBrowser Service........................................................................................................723
11.2.1 Overview.............................................................................................................................................723
11.2.3 Typical Configuration Example 1 (DNS Error Correction)................................................................725
11.2.4 Typical Configuration Example 2 (HTTP Error Correction)..............................................................727
11.2.5 Parameter Description.........................................................................................................................728
11.3 Querying SmartBrowser Reports..................................................................................................................730
11.3.1 Overview.............................................................................................................................................731
11.3.2 Operation Procedure............................................................................................................................731
11.3.3 Report Examples..................................................................................................................................732
12 DNS Overwriting Service......................................................................................................734

12.1 About the DNS Overwriting Service............................................................................................................735
12.2 Configuring the DNS Overwriting Service..................................................................................................735
12.2.2 Typical Configuration Example..........................................................................................................736
13 Smart Advertising Interface Service....................................................................................738

13.1 About the Smart Advertising Interface Service............................................................................................739
13.2 Configuring the Smart Advertising Interface Service..................................................................................741
13.2.1 Overview.............................................................................................................................................741
13.2.3 Typical Configuration Example 1 (Subscriber)...................................................................................744
13.2.4 Typical Configuration Example 2 (VIC).............................................................................................751
14 VoIP Monitoring Service.......................................................................................................757

14.1 About the VoIP Monitoring Service.............................................................................................................758
14.2 Configuring the VoIP Monitoring Service...................................................................................................759
14.2.1 Overview.............................................................................................................................................759
14.2.2 Typical Configuration Example 1 (Subscribers).................................................................................760
14.2.3 Typical Configuration Example 2 (VICs)...........................................................................................761
14.3 Querying VoIP Reports................................................................................................................................764
14.3.1 Overview.............................................................................................................................................765
14.3.3 Report Examples..................................................................................................................................767
15 Anti-Spammer Service............................................................................................................774
15.1 About the Anti-Spammer Service.................................................................................................................775
15.2 Configuring the Anti-Spammer Service.......................................................................................................775
15.2.1 Overview.............................................................................................................................................776
15.2.2 Configuration Example 1 (Detection from the Network Layer to the Transport Layer).....................778
15.2.3 Configuration Example 2 (Detection from the Network Layer to the Application Layer).................781
Issue 01 (2012-06-06) Huawei Proprietary and Confidential x

15.3 Query Spammer Reports..............................................................................................................................785

15.3.1 Overview.............................................................................................................................................785
15.3.3 Report Examples..................................................................................................................................787
16 Anti-DDoS Service..................................................................................................................792
16.1 About the Anti-DDoS Service......................................................................................................................793
16.2 Configuring the Anti-DDoS Service............................................................................................................794
16.2.1 Overview.............................................................................................................................................794
16.3 Querying Anti-DDoS Reports......................................................................................................................800
16.3.1 Overview.............................................................................................................................................800
16.3.3 Report Examples..................................................................................................................................801
17 Anti-Botnet Service.................................................................................................................804
17.1 About the Anti-Botnet Service.....................................................................................................................805
17.2 Configuring the Anti-Botnet Service............................................................................................................806
17.2.1 Overview.............................................................................................................................................806
17.3 Querying Anti-Botnet Reports......................................................................................................................813
17.3.1 Overview.............................................................................................................................................813
17.3.3 Report Examples..................................................................................................................................815
18 Anti-Worm Service..................................................................................................................822
18.1 About the Anti-Worm Service......................................................................................................................823
18.2 Configuring the Anti-Worm Service............................................................................................................824
18.2.1 Overview.............................................................................................................................................824
18.2.2 Typical Configuration Example 1 (Links)...........................................................................................824
18.3 Querying Anti-Worm Reports......................................................................................................................833
18.3.1 Overview.............................................................................................................................................833
18.3.3 Report Examples (Subscribers)...........................................................................................................835
18.3.4 Report Examples (VICs).....................................................................................................................838
18.3.5 Report Examples (Links).....................................................................................................................844
19 Security Service........................................................................................................................848
19.1 About the Security Service...........................................................................................................................849
19.2 Configuring Security Service.......................................................................................................................852
19.2.1 Overview.............................................................................................................................................852
Issue 01 (2012-06-06) Huawei Proprietary and Confidential xi


19.2.3 Typical Configuration Example (Malicious URL Filtering)...............................................................854
19.3 Querying Security Service Reports..............................................................................................................858
19.3.1 Overview.............................................................................................................................................858
19.3.3 Report Examples..................................................................................................................................859
20 iPush...........................................................................................................................................863
20.1 Getting Started..............................................................................................................................................864
20.1.1 Login Mode.........................................................................................................................................864
20.1.2 System Overview.................................................................................................................................865
20.1.3 Configuration Flow..............................................................................................................................868
20.2 Permission Management...............................................................................................................................869
20.2.1 Introduction to System Permissions....................................................................................................869
20.2.2 Configuring a Role..............................................................................................................................870
20.2.3 Configuring an Administrator.............................................................................................................871
20.2.4 Setting the Login IP Address Segment................................................................................................872
20.2.5 Managing Online Administrators........................................................................................................873
20.2.6 Configuring Push Effect-Checking Permission...................................................................................873
20.2.7 Configuration Examples......................................................................................................................874
20.3 System Management.....................................................................................................................................880
20.3.1 Configure Information Server.............................................................................................................880
20.3.2 Setting System Security.......................................................................................................................881
20.3.3 Configuring Test URLs.......................................................................................................................882
20.3.4 Viewing Server Performance...............................................................................................................882
20.3.5 Viewing a Log.....................................................................................................................................882
20.3.6 Viewing an Alarm...............................................................................................................................884
20.4 Service Management....................................................................................................................................885
20.4.1 Configuration Flow..............................................................................................................................885
20.4.2 Configuring Area Mapping.................................................................................................................888
20.4.3 Configuring Area Policy......................................................................................................................889
20.4.4 Configuring the Information Audience...............................................................................................890
20.4.4.1 Configuring the Terminal User Group.......................................................................................890
20.4.4.2 Configuring the Whitelist User Group.......................................................................................890
20.4.4.3 Configuring the Whitelist Web Site...........................................................................................892
20.4.4.4 Configuring the Notify Rule.......................................................................................................892
20.4.5 Configuring the Information Category................................................................................................893
20.4.6 Configuring Information......................................................................................................................894
20.4.7 Viewing the Information Schedule......................................................................................................900
20.4.8 Configuring a Policy............................................................................................................................900
20.4.9 Auditing a Policy.................................................................................................................................904
20.4.10 Configuration Examples....................................................................................................................906
20.4.10.1 Example for Pushing Information to All Terminal Users in the Specified Area......................906
Issue 01 (2012-06-06) Huawei Proprietary and Confidential xii

20.4.10.2 Example for Pushing Information to Terminal User Groups in the Specified Area................908
20.4.10.3 Example for Pushing Information to the Specified Synchronization User Group...................911
20.4.10.4 Example for Pushing Information to the Specified Attribute Group........................................914
20.4.10.5 Example for Not Pushing Information to the Specified Terminal User...................................918
20.4.10.6 Example for Pushing Fee Information to Terminal Users........................................................919
20.5 Report Management.....................................................................................................................................922
20.5.1 Push Effect Statistics...........................................................................................................................922
20.5.2 Push Details........................................................................................................................................926
20.5.3 Background Exporting Details............................................................................................................928
20.6 Appendix......................................................................................................................................................928
20.6.1 Making the Fee Information Page.......................................................................................................928
20.6.2 Description of the Conflicting Mechanism.........................................................................................929
20.6.3 Changing an Account Password..........................................................................................................929
21 Report Management................................................................................................................931
21.1 About Report Management..........................................................................................................................932
21.2 Configuring the Report Storage Cycle.........................................................................................................935
21.3 Managing Predefined Analysis Objects.......................................................................................................936
21.4 Managing Timed Task Reports....................................................................................................................936
21.5 Managing Background Task Reports...........................................................................................................937
21.6 Managing Customized Reports....................................................................................................................938
21.7 Managing the Protocol Colors of Reports....................................................................................................939
21.8 Exporting Configuration Data......................................................................................................................940
22 System Management...............................................................................................................943
22.1 Managing Flow Classifications and Flow Classification Items...................................................................945
22.1.1 Overview.............................................................................................................................................945
22.1.3 Typical Configuration Example 1.......................................................................................................948
22.1.4 Typical Configuration Example 2.......................................................................................................951
22.2 Managing System Accounts and Permissions..............................................................................................954
22.2.1 Overview.............................................................................................................................................954
22.3 Managing Basic System Parameters.............................................................................................................959
22.4 Managing the Alarm Address.......................................................................................................................965
22.5 Managing the Dynamic Alarm.....................................................................................................................966
22.6 Managing the Knowledge Base....................................................................................................................970
22.6.1 Overview.............................................................................................................................................971
Issue 01 (2012-06-06) Huawei Proprietary and Confidential xiii

22.6.3 Typical Configuration Example (Customized DPI Signature File, Traffic on the Specified Web Site)
........................................................................................................................................................................974
22.6.4 Typical Configuration Example (Customized DPI Signature File, MP3 Online Music Traffic on the
Specified Web Site)........................................................................................................................................976
22.6.5 Parameter Description of the Customized DPI Signature File............................................................978
22.7 Managing Operation Logs............................................................................................................................980
23 FAQs...........................................................................................................................................982
23.1 Using the Firefox Browser, How Can I Set the Disk Location for Saving the Exported Template?...........983
23.2 How to troubleshoot the fault that navigation nodes in the directory cannot be expanded, when the user uses
the Firefox browser to open the Help system?.....................................................................................................983
23.3 What if the exporting through the IE browser fails in certain OSs?.............................................................983
23.4 What are the conversion relations of traffic units and rate units in this document?.....................................984
23.5 When I use the Firefox browser, the texts on the page are incomplete or the layout is improper. What should
I do?......................................................................................................................................................................985
23.6 How to Set the Priority of a Policy Item?.....................................................................................................986
24 Typical Configuration Example Summaries......................................................................988

25 Report Example Summaries..................................................................................................994
Issue 01 (2012-06-06) Huawei Proprietary and Confidential xiv

Configuration Guide 1 Quick Start
1 Quick Start
About This Chapter
This describes basic concepts, operations, and fast service deployment procedure of the SIG,
and helps fresh users understand the system in short time and master basic operations and flows
quickly.
1.1 What Is the SIG System?

The Service Inspection Gateway system (hereinafter referred to as the SIG) is a professional
Deep Packet Inspection (DPI) system of high capacity, with functions such as traffic
management, Fair Usage Policy (FUP), wireless charging, URL filtering, traffic mirroring/
diversion, iPush, VoIP monitoring, Anti-Spammer, Anti-DDoS, Anti-Botnet, and Anti-Worm.
1.2 Introduction to Basic Operations
This section describes basic operations for configuring and managing the Front End and Back
End.
1.3 Introduction to the GUI
The Graphical User Interface (GUI) of the management server of the SIG consists of the
navigation tree, function tab, information area, and working area.
1.4 Role Definition
Operators can be divided into installation and commissioning engineers, data configuration
engineers, and system maintenance engineers according to their roles in different tasks.
1.5 Overview of Tasks
This section describes the task categories and presents the task list.
1.6 Fast Service Deployment Procedure
After the initial installation and basic configuration of the Front End and Back End of the SIG
are complete, you are recommended to refer to the procedures in this document to configure
major services in short time according to the service requirements of the live network.
Issue 01 (2012-06-06) Huawei Proprietary and Confidential 1

1.1 What Is the SIG System?

The Service Inspection Gateway system (hereinafter referred to as the SIG) is a professional
Deep Packet Inspection (DPI) system of high capacity, with functions such as traffic
management, Fair Usage Policy (FUP), wireless charging, URL filtering, traffic mirroring/
diversion, iPush, VoIP monitoring, Anti-Spammer, Anti-DDoS, Anti-Botnet, and Anti-Worm.
Service List
The SIG adopts multiple patented detection technologies. It realizes the high-performance
analysis and processing of service packets and offers intelligent and flexible means of service
control. The SIG provides the following services:
l Traffic management
Traffic management is the basic service of the SIG. Through the traffic management
service, the SIG can monitor traffic and traffic direction on the network through reports,
and implement QoS management on traffic and traffic direction.
l FUP
Through the FUP service, the SIG can limit the bandwidths of monthly-fee subscribers.
When exceeding a certain quota, subscribers' bandwidths are minimized. In this way, the
FUP services of wireless and fixed network subscribers are implemented.
l Charging
Through the charging service, the SIG provides protocol-/application-specific charging for
carriers, so that they can adopt different charging policies for various services and realize
refined charging.
l URL filtering
Through the URL filtering service, the SIG adopts different control policies (such as alarm
and block) for various URL categories. It filters out malicious URLs, providing healthy
and secure network environments for users.
l GreenNet
Also called parental control. Through the GreenNet service, the SIG provides healthy,
secure, and civilized network environments and access content for users subscribing to the
service.
l Traffic mirroring/diversion
Specific network traffic (such as email, VoIP, P2P, and HTTP video traffic) that attracts
user attention is mirrored (copied and forwarded) by the SIG. Then traffic is saved in a
third-party system which further analyzes or caches the traffic. Alternatively, the traffic is
diverted (forwarded directly) by the SIG to a third-party system. After processing, the third-
party system then injects the traffic to the network through the SIG.
l SmartBrowser
SmartBrowser realizes DNS error correction, and HTTP error correction, providing error
correction promptings and security defense for subscribers' online behaviors.
l DNS overwriting
DNS overwriting service monitors the response packet from the DNS server. If the SIG
identifies that the packet matches the DNS overwriting list, it forges a DNS response packet

to redirect the DNS request to the specified destination IP address in the DNS overwriting
list.
l Smart Advertising Interface
Through the Smart Advertising Interface service, the SIG can filter packets according to
their HTTP packet header attributes, and mirror the HTTP packets meeting conditions to
the third-party system. Then the third-party system analyzes users' online behaviors in depth
and pushes advertisements to specific users.
l VoIP monitoring
Through the VoIP monitoring service, the SIG interferes with or blocks the VoIP calls from
intranets to extranets or from extranets to intranets by means of the blacklist and whitelist.
You can also learn the running status of the VoIP monitoring service by querying reports,
including call detail record statistics and control logs.
l Anti-Spammer
Through the Anti-Spammer service, the SIG detects and controls spammers on the network,
with monitoring measures including Detection, Alarm, Evidence Collection, Block, and
Limit.
Spam, also called the Unsolicited Commercial Email (UCE) or Unsolicited Bulk Email
(UBE), spreads in large amount without receivers' consent. Most spam is about commercial
advertisement and adverse media. A spammer is a sender of spam.
l Anti-DDoS
Through the Anti-DDoS service, the SIG provides the subnet-based Anti-DDoS function
and the report query on the traffic statistics before and after cleaning.
The Denial of Service (DoS) attack causes that the attacked computer or network is unable
to provide normal services. The Distributed Denial of Service (DDoS) attack indicates that
the hacker adopts viruses, Trojan horses, or Badware to control a large number of zombies
and combine multiple computers into the attack platform to launch DoS attacks on one or
multiple targets, thus multiplying attack strength.
l Anti-Botnet
Through the Anti-Botnet service, the SIG detects and controls Botnet traffic, providing
secure network environments for users.
A Botnet is a network where a controller infects many hosts with malicious bot programs
by one or various means. The controller and zombies form a one-to-multiple control
network.
l Anti-Worm
Through the Anti-Worm service, the SIG detects and controls worm-infected network
traffic, providing secure network environments for users.
A worm is a program with the spreading function. This program, comprising malicious
codes, can spread itself to other PCs without manual intervention. The significant feature
of worms is their self-replication.
l Security Service
Through the security service, the SIG filters out malicious URLs for users subscribing to
the service.
NOTE
Except for the previous services, the SIG also provides the iPush service. For details, see HUAWEI
SIG9800 Service Inspection Gateway iPush Configuration Guide.

System Composition
As shown in Figure 1-1, the SIG consists of the Front End and the Back End.
Figure 1-1 System composition
External Network
Router1 Router2
Swtich1 DPI System

Front
End 1
Front
End 2
Swtich2 Back End
Router3 Router4
Internal Network
The following describes the Front End and the Back End:
l Front End
Indicates the SIG9800. The SIG9800 is developed on the basis of Huawei mature and high-
end router hardware platform. With flexible policies, the SIG9800 controls traffic on
interfaces of high density and large capacity (10G or 2.5G POS, and 10GE). The
SIG9800 can meet the requirements of the DPI solution for 2000 Gbit/s link bandwidth and
10 million users.
l Back End
The Back End consists of server groups running the SIG software, and can mount storage
devices. For example, the Back End can be composed of the T8000 server running the
SIG software and the mounted S2600 disk array.
In the deployment, one back-end device and multiple front-end devices can be installed
concurrently. These front-end devices form a cluster.

Figure 1-2 shows the system structure and the processing flow of the SIG.
NOTE
In practice, certain components are deployed in accordance with service requirements. For details, refer to
the HUAWEI SIG9800 Service Inspection Gateway Software Installation Guide.
Figure 1-2 System components and data processing flowchart

Upgrade Web Site
(DPI protocol signature file Third-party Third-party System
BS BOSS
and malware signature file) NTP Server (eg. Portal)
UI BIS iPush_UI
Update RADIUS iPush_SYNC
DSE UCS Server Proxy SGMS DB EMS CFS
Server Information
Information
DAS PLS ETL Server
Server
PCRF
SPU MPU NMS / Log
OCS SAS Management System
SPS
SPS OMC
CG SPS
LPU
Network Traffic
Software
Back End Front End Board
Component
BOSS (Business and Operation Support System)

PCRF (Policy and Charging Rule Function)
OCS (Online Charging System)
CG (Charging Gateway)
BS (Billing System)
NMS (Network Management System)
Table 1-1 shows the description of components in Figure 1-2.

Table 1-1 Description of system components

Component Function
Front Service Splitting The SSP, on the LPU, diverts traffic to different Service
End Platform (SSP) Probe Systems (SPSs) according to the IP addresses of
packets. In addition, the SSP receives the configuration
commands delivered by the Operation Maintenance
Center (OMC) and implements traffic diverting policies
accordingly.
SPS The SPS, on the SPU, analyzes packets and identifies

protocols on the network, and then uploads the result to
related Service Analysis System (SAS) or Data Analysis
Server (DAS). The SPS also receives and implements
management policies delivered by the SAS. Furthermore,
the SPS performs traffic control, connection control, and
QoS remark. In addition, it mirrors traffic, analyzes
RADIUS packets, and sends the result to the RADIUS
proxy server.
SAS The SAS, on the SPU, collects the data reported by the
SPS, reports the data to the DAS, and makes decisions
based on the configuration policy obtained from the PLS.
If control is necessary, the SAS delivers a control policy
to the SPS. Then the SPS analyzes and controls the traffic
of user accounts based on the user-IP mapping reported by
the RADIUS proxy server.
OMC The OMC, on the MPU, is mainly in charge of device

management, system configuration, and log and alarm
generation. To be specific, the OMC registers the device
and monitors the status of the device, configures the traffic
distribution policy, schedules services, manages SIG
clusters, and provides interfaces for connecting to the
NMS and log server.
Back RADIUS Proxy Server The RADIUS proxy server obtains and caches user online
End and offline information, mappings between user accounts
and IP addresses, user attributes, and change events (for
example, roaming), and then sends them to the SAS.
Policy Server (PLS) The PLS obtains the corresponding policy information
from the DB according to the policy request from the SAS,
and then delivers the policy to the SAS.
Data Analysis Server The DAS collates the data reported by several SASs and
(DAS) SPSs, and writes them into the database to support report
generation.
System General The SGMS monitors the running status of all back-end
Management Server components in the SIG system.
(SGMS)

Component Function
User Interface (UI) The UI provides users with the unified graphic user
interface (GUI) to manage policies and query reports. In
addition, the UI provides other functions such as
administrator authentication, user authorization, and
system audit.
Update Server The update server provides the automatic upgrade of the
DPI protocol signature file and malware (such as worm
and Botnet) signature file.
URL Category Server The UCS consists of the URL Category Searching Server
(UCS) (UCSS) and the URL Category Database (UCDB), and is
primarily used for querying URL categories.
Business Interface The BIS provides interfaces for policy subscription, log
Server (BIS) query, and user management, and these interfaces can be
invoked by third-party systems, for example, the portal of
customers.
Dynamic Scan Engine The DSE analyzes URLs in the HTTP request packets in
(DSE) real time, detects whether malicious behaviors are
contained in the accessed URLs, including malicious
URLs and malware, and sends the detection result to the
SPS.
Database (DB) The DB saves the information such as configurations,

policies, and statistics.
Extractive Transition The ETL server processes the data reported by multiple
Loading (ETL) DASs, and then writes the data to the database.
Element Management System The EMS, as an internal NMS of the SIG, mainly manages
(EMS) devices and systems, and tracks messages.
Apart from the components in Figure 1-2 and Table 1-1, the Back End of the SIG system
includes several service related components, as shown in Table 1-2.
Table 1-2 Functions of other components in the SIG Back End

Service Component Function
Offline Charging Data To enable offline charging when no CG is available,

charging service Record File Server the Front End of the SIG sends CDRs to the CFS.
(CFS) The CFS generates CDR files, saves them to the
local server where the CFS resides, and connects to
the Billing System (BS) through an FTP interface.
iPush service Information Server Information Server: provides the contents of the
pushed information, and confirms and records the
push result.

Service Component Function
iPush User iPush_UI: provides iPush management page, on

Interface Server which the administrator can carry out service
(iPush_UI) management, report query, permission
management, and system management.
iPush Data iPush_SYNC: synchronizes user accounts, service

Synchronization packages, or charge information from a carrier
Server system.
(iPush_SYNC)
1.2 Introduction to Basic Operations

This section describes basic operations for configuring and managing the Front End and Back
End.
1.2.1 Logging in to the Front End

This section describes how to log in to the Front End through the console port of the MPU.
Prerequisites
The login requires a management PC and an RS-232 cable:
l The management PC should have a COM port, and its operating system (OS) should
integrate a hyper terminal or other terminal emulation programs.
l One connector of the RS-232 cable is RJ-45, and the other is DB-9.
Context
Besides the console port, which is the basic login mode, the SIG supports the login through
Telnet, SSH, and the AUX port of the MPU. For details on other login modes, refer to the
HUAWEI SIG9800 Service Inspection Gateway Commissioning Guide.
NOTE
SIG9800-X8 has no MPU. Use SRU instead.
Procedure
Step 1 Insert the DB-9 connector into the COM port and the RJ-45 connector into the console port of
the MPU.
Generally, the SIG has two MPUs. The one where the ACT indicator is green on is the master
MPU, and the other where the ACT indicator is off is the backup MPU. You should insert the
RJ-45 connector into the console port of the master MPU.
Step 2 Run the terminal emulation program (such as the HyperTerminal on Windows XP) on the PC.
Choose Start > All Programs > Accessories > Communications > Hyper Terminal. The
Connection Description dialog box is displayed.

Step 3 In Name, enter a name (such as COMM1) for the connection between the PC and the SIG, as
shown in Figure 1-3.
Figure 1-3 Connection Description dialog box (login through a console port)
Step 4 Click OK. The Connect To dialog box is displayed, as shown in Figure 1-4.
Step 5 Select a serial port (such as COM1) from the Connect Using drop-down list for the connection
between the PC and the SIG, as shown in Figure 1-4.
If you are not sure which interface is in use, check Ports in the Device Manager of the OS.
Figure 1-4 Connect To dialog box (login through a console port)
Step 6 Click OK. The COM1 Properties dialog box is displayed.
Step 7 Set the communications parameters of the port, as shown in Figure 1-5.

Figure 1-5 Setting the port properties (login through a console port)
Step 8 Click OK.

Step 9 Press Enter, and then enter the user name and password.
NOTE
If the system prompts you that the login fails due to the backup MPU, you should remove the RJ-45
connector and insert it into the console port of the other MPU, and then enter the user name and password
in the HyperTerminal window.
The system has a super administrator account. The default account name is admin and the initial
password is Admin@123. To ensure the system security, you are advised to run the following
commands to change the password.
<RPD_OMC> system-view
[RPD_OMC] aaa
[RPD_OMC-aaa] local-user admin password simple Password1
Figure 1-6 shows the interface for logging in to the Back End.

Figure 1-6 Logging in to the Front End
----End
1.2.2 Logging in to the Back End

This section describes how to log in to the Back End through a Web browser.
Prerequisites
The IP address of the current user is one of those IP addresses allowed to log in to the Back End.
NOTE
By default, the IP addresses between 1.0.0.0 and 223.255.255.255 can access the Back End. You can
perform 22.3 Managing Basic System Parameters to modify the range.
Context
You can log in to the Back End through either Firefox 3, IE 6, IE 7 or IE 8. To obtain better
experience, you are recommended to log in through Firefox browser.
The default account name is admin and the initial password is Admin@123. To ensure the
system security, you are advised to change the password upon your first login.

Procedure
Step 1 Enter the address of the Back End in the Web browser. Press Enter.
For example, if the IP address of the UI is 192.168.11.11, the IP address for the login is "https://
192.168.11.11/dpi-ui".
NOTE
The system prompts you the information such as an alarm based on the current environment. You can take
corresponding operations or ignore the alarm as shown in Figure 1-7.
Figure 1-7 Ignoring alarms

Step 2 Select the favorite from the Language drop-down list. Enter the Account, Password, and Check
Code.
Step 3 Click Login. The GUI homepage is displayed.
----End
1.2.3 Changing the Login Password of the Back End

This section describes how to change the login password of the Back End.
Prerequisites
You have already logged in.
Procedure
Step 1 Click Change Password on the upper right of the GUI. The Change Password dialog box is
displayed.
Step 2 In the Change Password dialog box, enter the new password and the old password.
Step 3 Click OK. The system prompts you that the operation succeeds.
NOTE
For details on system accounts and permissions, or how to change the login passwords of other users, see
22.2 Managing System Accounts and Permissions.
----End

1.2.4 Logging out of the Back End

This section describes how to log out of the Back End securely.
Prerequisites
You have already logged in.
Procedure
Step 1 Click Logout on the upper right of the GUI. The dialog box for confirming the logout is
displayed.
Step 2 Click Yes, and log out of the Back End.
----End
1.3 Introduction to the GUI

The Graphical User Interface (GUI) of the management server of the SIG consists of the
navigation tree, function tab, information area, and working area.
For details, see Figure 1-8 and Table 1-3.
Figure 1-8 GUI

Information
area
Function tab
Navigation Working
tree area
Table 1-3 GUI description
GUI Element Description
Navigation tree The navigation tree provides the navigation function.

GUI Element Description
Function tab The operator can concurrently open several function tabs, and switch
tabs.
NOTE
When you open multiple tabs concurrently, press F5 or click the Refresh button
on the browser. The system closes all tabs and displays the GUI homepage.
Information area The following links are provided:

l About: Displays the information about the back-end software,
including the version number, email address, the Web site and service
telephone number.
l Help: Displays the help.
l Change Password: Changes the password of the current account.
l Logout: Logs out of the system.
Working area The working area is used for implementing configuration and
management functions.
1.4 Role Definition

Operators can be divided into installation and commissioning engineers, data configuration
engineers, and system maintenance engineers according to their roles in different tasks.
For details, see Table 1-4.
Table 1-4 Role Description

Role Description
Installation and Implements the hardware and software installations, and initializes the
commissioning configurations of various services provided by the SIG.
engineer
Data Queries various reports to obtain the running status of services, adjusts
configuration service configurations, and hence realizes refined network operation
engineer through service visualization.
System Manages and maintains the SIG, and ensures the secure and stable
maintenance running of the SIG.
engineer
1.5 Overview of Tasks

This section describes the task categories and presents the task list.

1.5.1 Task Classification

This document describes how to configure services and apply related reports in terms of
configuration preparation, object initialization, typical configuration examples, and report
application examples. It also presents system management and maintenance tasks.
Role-based operators of the SIG mainly perform the tasks listed in Table 1-5.
Table 1-5 Task classification

Category Main Role Classification
3 Preparations for Installation and Ensures that the Front End and Back End are
Service commissioning installed correctly and run normally, thus facilitating
Configuration engineer successful configurations of services.
4 Subscriber and Installation and Configures and manages links, virtual tunnels,
Network Object commissioning subscribers, very important customers (VICs), AS
Initialization engineer domain groups, and subnets.
Data
configuration
engineer
Se 5 Traffic Installation and Configures and applies traffic management.

rvi Management commissioning Accordingly, implements monitoring and QoS
ce Service engineer management over traffic and traffic direction
co Data through reports.
nfi configuration
gu engineer
rat
ion 6 FUP Installation and Configures and applies the FUP.
an Service commissioning
d engineer
ap Data
pli configuration
cat engineer
ion
7 Charging Installation and Configures and applies online charging.
Service commissioning
engineer
Data
configuration
engineer
8 URL Installation and Configures and applies URL filtering.

Filtering commissioning
Service engineer
Data
configuration
engineer

9 GreenNet Installation and Configures and applies GreenNet, and analyzes

Service commissioning subscribers' URL access behaviors through reports.
engineer
Data
configuration
engineer
10 Traffic Installation and Configures and applies traffic mirroring/diversion.

Mirroring/ commissioning
Diversion engineer
Service Data
configuration
engineer
11 Installation and Configures and applies SmartBrowser, and displays

SmartBrows commissioning the running status of the SmartBrowser through
er Service engineer reports.
Data
configuration
engineer
12 DNS Installation and Configures and applies DNS overwriting. The DNS
Overwriting commissioning overwriting service monitors the response packet
Service engineer from the DNS server. If the SIG identifies that the
Data packet matches the DNS overwriting list, it forges a
configuration DNS response packet to redirect the DNS request to
engineer the specified destination IP address in the DNS
overwriting list.
13 Smart Installation and Configures and applies Smart Advertising Interface

Advertising commissioning service.
Interface engineer
Service Data
configuration
engineer
14 VoIP Installation and Configures and applies VoIP monitoring, and learns
Monitoring commissioning the running status of VoIP monitoring through
Service engineer reports.
Data
configuration
engineer
15 Anti- Installation and Configures and applies Anti-Spammer, and learns

Spammer commissioning the running status of Anti-Spammer through reports.
Service engineer
Data
configuration
engineer

16 Anti- Installation and Configures and applies Anti-DDoS, and learns the
DDoS commissioning running status of Anti-DDoS through reports.
Service engineer
Data
configuration
engineer
17 Anti- Installation and Configures and applies Anti-Botnet, and learns the
Botnet commissioning running status of Anti-Botnet through reports.
Service engineer
Data
configuration
engineer
18 Anti- Installation and Configures and applies Anti-Worm, and learns the
Worm commissioning running status of Anti-Worm through reports.
Service engineer
Data
configuration
engineer
19 Security Installation and Configures and applies security service, and learns
Service commissioning the running status of security service through
engineer reports.
Data
configuration
engineer
21 Report Data Performs report management operations, including

Management configuration configuring report storage periods, and managing
engineer predefined analysis objects, scheduled task reports,
and back-end task reports.
22 System System Performs system management operations, including

Management maintenance managing system accounts and permissions, the
engineer back-end license, system basic parameters,
knowledge base, and operation logs.
1.5.2 List of Tasks

This section describes the task categories and lists the tasks in this document.
Table 1-6 shows the main tasks performed by operators of different roles.

Table 1-6 Task categories

Category Task Purpose
Preparations 3.2 Checking the To ensure that the Front End and Back End are
for Service Status of the Front installed correctly and run normally, which
Configuration End and Back End guarantees successful configurations of services.
Service object 4.2 Configuring the To configure a service to be applied to subscribers,

initialization Subscriber you should perform this task first.
4.3 Configuring the To configure a service to be applied to VICs, you

VIC should perform this task first.
4.4 Configuring the To configure a service to be applied to links, you

Link should perform this task first.
4.5 Configuring the To configure a service to be applied to virtual

Virtual Tunnel tunnels, you should perform this task first.
4.6 Configuring the To configure a service to be applied to AS domain

AS Domain Group groups, you should perform this task first.
4.7 Configuring the To configure a service to be applied to subnets, you

Subnet should perform this task first.
Traffic 5.2 Querying To query the traffic reports of links, subscribers, and
Management Traffic Reports VICs.
5.3 Querying the To query the statistics reports of subscriber

User Behavior behaviors.
Statistics Report
5.4 Configuring To implement QoS control over the traffic of links,

Traffic QoS subscribers, and VICs, including bandwidth
limiting and connection number limiting.
5.5 Configuring Congestion indicates a status that the bandwidths of

Congestion links or NEs are over certain level continuously,
Detection and which compromises the performance of the
Control network service. To check whether and when traffic
congestion occurs on links or virtual tunnels, or to
trigger the QoS policies for specified links, virtual
tunnels, or subscribers when congestion occurs.
5.6 Implementing To query traffic direction reports, and accordingly

Traffic Direction collect statistics on traffic data between one link (or
Statistics link group) and one AS domain group, between one
AS domain group and another AS domain group,
between one subnet and one AS domain group, and
between one subnet and another subnet.

5.7 Configuring To implement QoS bandwidth limiting on the traffic

Traffic Direction between one link and one AS domain group,
QoS between one AS domain group and another AS
domain group, between one subnet and one AS
domain group, and between one subnet and another
subnet.
5.8 Customized Customized Data Reporting is used to set the range

Data Reporting of statistics on traffic and traffic direction report
data, including the flow classification statistics
policy, subscriber protocol statistics policy, and
subscriber group statistics policy. To adjust the
range of the statistics on traffic and direction report
data.
FUP 6.2 Configuring the To configure and apply the FUP service when the
FUP Service SIG interworks with the PCRF (take the UPCC as
(Interworking with an example).
the PCRF)
6.3 Manually To add or reduce users' surplus quotas, you should

Adjusting Surplus refer to this part and manually adjust the surplus
Quotas quotas on the UPCC.
(Interworking with
the PCRF)
Charging 7.2 Configuring the To configure and apply charging.

Charging Service
URL Filtering 8.2 Configuring the To configure and apply URL filtering.
URL Filtering
Service
8.3 Querying URL To query URL reports of subscribers, and

Reports accordingly provide subscribers with
comprehensive and accurate URL access behavior
analysis.
GreenNet 9.2 Configuring the To configure and apply GreenNet.

GreenNet Service
9.3 Querying To query the log reports of blocking URL access

GreenNet Reports and application access through GreenNet, and
accordingly learn the status of this service.
Traffic 10.2 Configuring To configure and apply traffic mirroring.

Mirroring the Traffic
Mirroring Service
10.3 Configuring To configure and apply traffic diversion.

Traffic Diversion
Service

SmartBrowser 11.2 Configuring To configure and apply SmartBrowser.

the SmartBrowser
Service
11.3 Querying To query statistics reports of correcting DNS and

SmartBrowser HTTP errors through SmartBrowser.
Reports
DNS 12.2 Configuring to configure and apply the DNS overwriting

Overwriting the DNS service.
Overwriting Service
Smart 13.2 Configuring To configure and apply Smart Advertising

Advertising the Smart Interface.
Interface Advertising
Interface Service
VoIP 14.2 Configuring To configure and apply VoIP monitoring.

Monitoring the VoIP
Monitoring Service
14.3 Querying VoIP To query VoIP reports, and accordingly learn the
Reports status of this service.
Anti- 15.2 Configuring To configure and apply Anti-Spammer.

Spammer the Anti-Spammer
Service
15.3 Query To query spammer reports, and accordingly learn

Spammer Reports the status of this service.
Anti-DDoS 16.2 Configuring To configure and apply Anti-DDoS.

the Anti-DDoS
Service
16.3 Querying Anti- To query DDoS reports, and accordingly learn the
DDoS Reports status of this service.
Anti-Botnet 17.2 Configuring To configure and apply Anti-Botnet.

the Anti-Botnet
Service
17.3 Querying Anti- To query Botnet reports, and accordingly learn the
Botnet Reports status of this service.
Anti-Worm 18.2 Configuring To configure and apply Anti-Worm.

the Anti-Worm
Service
18.3 Querying Anti- To query worm reports, and accordingly learn the
Worm Reports status of this service.
Security 19.2 Configuring To configure and apply security service.

Service Security Service

19.3 Querying To query log reports of blocking Botnet access,

Security Service worm access, and malicious URL access through
Reports security service, and accordingly learn the status of
the service.
Report 21.2 Configuring To globally adjust storage periods of the report data.
Management the Report Storage
Cycle
21.3 Managing To define report query conditions, such as area, as

Predefined Analysis predefined analysis objects, and accordingly
Objects simplify report query.
21.4 Managing To globally query and manage reports of scheduled

Timed Task Reports tasks specified during report query.
21.5 Managing To globally query and manage reports of back-end

Background Task tasks set during report query.
Reports
21.6 Managing By setting customized reports, you can fix report

Customized Reports query conditions, therefore simplifying query
operations on common reports. Meanwhile, the
system can display multiple reports in a centralized
manner as required. To add, delete, or query
customized reports, or assign data permissions to
them, you should perform this task.
21.7 Managing the When displaying reports, the SIG can automatically
Protocol Colors of set protocol colors. To manually adjust protocol
Reports colors, you should perform this task.
System 22.1 Managing Flow Flow classification item and flow classifications are
Management Classifications and used to identify the traffic according to features. A
Flow Classification flow classification item can be defined as a
Items combination of conditions that contain the
application-layer protocol, network side IP address,
L3 and L4 protocol attributes. One or more flow
classification items can form a flow classification.
Perform the task when you need to quote the
customized flow classifications in defining policy
packages or report the traffic data according to the
customized flow classifications.
22.2 Managing To globally manage system accounts, roles, and the

System Accounts permission control mechanism.
and Permissions
22.3 Managing To adjust the basic parameters, such as the IP

Basic System address of the OMC, and working mode.
Parameters

22.4 Managing the To manage the used alarm addresses in a uniformed

Alarm Address manner.
22.5 Managing the To manage the flexible dynamic alarm mechanism.

Dynamic Alarm
22.6 Managing the To set the parameters for automatically updating the
Knowledge Base DPI protocol signature file, malware signature file,
and URL Category Database.
22.7 Managing To query and manage operation logs.

Operation Logs
1.6 Fast Service Deployment Procedure

After the initial installation and basic configuration of the Front End and Back End of the SIG
are complete, you are recommended to refer to the procedures in this document to configure
major services in short time according to the service requirements of the live network.
Figure 1-9 shows the fast service deployment procedure.
NOTE
This flow chart only lists the tasks to be completed during the fast deployment of major services. For the
tasks that are not involved in the flow chart, see 1.5.2 List of Tasks.
Figure 1-9 Fast service deployment procedure
Start
Prepare for the

service configuration
Initialize the
service object
Available services:
Configure the service traffic management, FUP,
URL filtering, etc.
Yes Are other

services required?
No
End
Table 1-7 shows description.

Table 1-7 Procedure description

Action Description
3 Preparations for Check whether the Front End and Back End are installed correctly and
Service run normally, which facilitates the successful configurations of
Configuration services.
4 Subscriber and Configure and manage links, virtual tunnels, subscribers, VICs, AS
Network Object domain groups, and subnets, which guarantees the successful
Initialization configurations of services.
Configure certain Initialize the configurations of the services to which the carrier
services subscribes one by one.
The SIG provides the following services:
l 5 Traffic Management Service
l 6 FUP Service
l 7 Charging Service
l 8 URL Filtering Service
l 9 GreenNet Service
l 10 Traffic Mirroring/Diversion Service
l 11 SmartBrowser Service
l 12 DNS Overwriting Service
l 13 Smart Advertising Interface Service
l 14 VoIP Monitoring Service
l 15 Anti-Spammer Service
l 16 Anti-DDoS Service
l 17 Anti-Botnet Service
l 18 Anti-Worm Service
l 19 Security Service

Configuration Guide 2 Quick Index from the GUI Navigation Node to the Help
2 Quick Index from the GUI Navigation Node

to the Help
This describes navigation nodes briefly in the GUI navigation area from top to bottom and
provides links corresponding to the Help.
Navigation Nodes Quick Index
Basic Signature Customize 22.6 Managing the Knowledge Base

Configuration File d DPI
Manageme Signature
nt File
Terminal
Informatio
n Signature
File
HTTP
Content
Type
Signature
File
User Alarm 22.4 Managing the Alarm Address

Message URL
Configurati Manageme
on nt
Global 22.5 Managing the Dynamic Alarm

Dynamic
Alarm
Manageme
nt

Subscriber
Area
Dynamic
Alarm
Manageme
nt
VIC Area
Dynamic
Alarm
Manageme
nt
Value- When the security service and GreenNet

added service employ the mail sending function,
Service you need to configure the mail sending server.
Mail
Server
Configurati
on
Alarm and l You can add some Web sites to the alarm
Charging and charging whitelist. When the user's
Whitelist credit is inadequate or exhausted, the user
Manageme can still access URLs in the whitelist
nt normally, but not redirected to the alarm
Web site.
l To exempt some Web sites (such as the
recharge Web site) from charging, add the
URLs to the alarm and charging whitelist.
Service Management 22.1 Managing Flow Classifications and

Flow Classification Items
Subscriber and Subscriber 4.2 Configuring the Subscriber

Network
Management VIC 4.3 Configuring the VIC
Network Area Area management of physical links or virtual

Manageme tunnels
nt
Customize Customized attributes management of

d physical links or virtual tunnels
Attributes
Manageme
nt
Congestion 5.5 Configuring Congestion Detection and

Threshold Control
Configure

Physical 4.4 Configuring the Link

Link
Manageme
nt
Virtual 4.5 Configuring the Virtual Tunnel

Tunnel
Manageme
nt
Subnet l Subnet: 4.7 Configuring the Subnet

And AS l AS Domain Group: 4.6 Configuring the
Domain AS Domain Group
Group
Traffic 5.6 Implementing Traffic Direction

Direction Statistics and 5.7 Configuring Traffic
Object Direction QoS
Traffic QoS 5.4 Configuring Traffic QoS

Management
Traffic Direction 5.7 Configuring Traffic Direction QoS
Mirror/Divert 10.2 Configuring the Traffic Mirroring

Service,10.3 Configuring Traffic
Diversion Service and13.2 Configuring the
Smart Advertising Interface Service
Customized Data 5.8 Customized Data Reporting

Reporting Management
Access Control URL Filter 8.2 Configuring the URL Filtering Service
VoIP Control 14.2 Configuring the VoIP Monitoring

Service
DNS Overwriting 12 DNS Overwriting Service
Security DDoS 16.2 Configuring the Anti-DDoS Service

Defense
Spammer 15.2 Configuring the Anti-Spammer
Service
Botnet 17.2 Configuring the Anti-Botnet Service
Worm 18.2 Configuring the Anti-Worm Service
Value-added Application Charging l Charging: 7 Charging Service

Service l FUP: 6.2 Configuring the FUP Service
(Interworking with the PCRF)
GreenNet 9.2 Configuring the GreenNet Service
Security Service 19.2 Configuring Security Service

SmartBrowser 11.2 Configuring the SmartBrowser

Service
Statistics and Traffic 5.2 Querying Traffic Reports

Analysis Report
Traffic Direction 5.6 Implementing Traffic Direction
Statistics
User Behavior 5.3 Querying the User Behavior Statistics

Report
VoIP 14.3 Querying VoIP Reports
Spammer 15.2 Configuring the Anti-Spammer

Service
URL 8.3 Querying URL Reports
SmartBrowser 11.3 Querying SmartBrowser Reports
GreenNet 9.3 Querying GreenNet Reports
DDoS 16.3 Querying Anti-DDoS Reports
Botnet 17.3 Querying Anti-Botnet Reports
Worm 18.3 Querying Anti-Worm Reports
Security Service 19.3 Querying Security Service Reports
Analysis Object 21.3 Managing Predefined Analysis

Predefined by Subscriber Objects
Analysis Object
Predefined by VIC
Timed Task Management 21.4 Managing Timed Task Reports
Background Task 21.5 Managing Background Task Reports

Management
Customized Report 21.6 Managing Customized Reports

Management
Protocol Color 21.7 Managing the Protocol Colors of

Management Reports
System License Management Managing the Back-End License

Management
Device Device Checking the Status of the Back-End Devices
Manageme Status
nt
Bypass Logging in to the External Bypass Device
Manageme
nt

Update of System 22.6 Managing the Knowledge Base

Knowledge Base
Disaster Recovery Applying and Managing Geographical

Configuration Redundancy
Permission Management 22.2 Managing System Accounts and

Permissions
System Security 22.3 Managing Basic System Parameters

Security Configurati
on
Log 22.7 Managing Operation Logs

Manageme
nt
System Statistic 21.2 Configuring the Report Storage Cycle

Configurati Data saved
on Cycle
External 4.2 Configuring the Subscriber

Interface
Configurati
on
System 22.3 Managing Basic System Parameters

Basic
Configurati
on
Componen
t
Configurati
on

Configuration Guide 3 Preparations for Service Configuration
3 Preparations for Service Configuration
About This Chapter
Preparations for service configuration ensures that the Front End and Back End are installed
correctly and run normally, which successful configurations of services.
3.1 About Preparations for Service Configuration

Preparations for service configuration includes only one task, namely, checking the status of the
Front End and Back End.
3.2 Checking the Status of the Front End and Back End
Before configuring services, you should check the status of the front end and back end.

3.1 About Preparations for Service Configuration

Preparations for service configuration includes only one task, namely, checking the status of the
Front End and Back End.
Before configuring services, installation and commissioning engineers should implement the
installation and basic configurations of the Front End and Back End by referring to the
HUAWEI SIG9800 Service Inspection Gateway Hardware Installation Guide, HUAWEI
SIG9800 Service Inspection Gateway Software Installation Guide and HUAWEI SIG9800
Service Inspection Gateway Commissioning Guide. According to networking environments,
these basic configurations should include:
l On the Front End, you should configure the deployment mode (in-line or off-line), links,
and the route used for realizing communication between the Front End and Back End, and
set the IP address of the OMC, the positions and IP addresses of the SAS and the SPS, the
IP addresses of back-end components, and configure IP address domain groups.
l On the Back End, you should import the license file on the EMS GUI, import the DPI
protocol signature file, and can normally view the real-time traffic reports of links.
To ensure the successful implementation of previous operations, you can check the running
status of the Front End and Back End, which facilitates the successful configuration of services.
3.2 Checking the Status of the Front End and Back End
Before configuring services, you should check the status of the front end and back end.
3.2.1 Operation Procedure

This section describes how to check the status of the Front End and Back End, and provides a
brief operation procedure for installation and commissioning engineers, and data configuration
engineers.
Figure 3-1 shows the processing procedure.
NOTE
If other personnel or method proves that the system runs normally, you can skip certain or all following
checking items.
If anomalies are discovered during checking, you should rectify faults, and then configure services. For
how to rectify faults, refer to the HUAWEI SIG9800 Service Inspection Gateway Troubleshooting; for how
to install and initialize the SIG, refer to the HUAWEI SIG9800 Service Inspection Gateway Hardware
Installation Guide, HUAWEI SIG9800 Service Inspection Gateway Software Installation Guide and

Figure 3-1 Procedure for checking the status of the Front End and Back End
Start
Check the
cluster status
Check the basic

configurations
of a device
Check the status of

the network interface
and link
Check the license

On the information of the
Front End Front End
Check the connectivity

between the Front Check the back-end
End and Back End license file
Check the running Check the running

status of each status of each
back-end component back-end component
Check the IP address On the

Yes No of the OMC
Are other Back End
front-end devices
available?
Check the DPI
signature file
Check the real-time

link traffic
End
Table 3-1 shows procedure descriptions.
Table 3-1 Procedure description of checking the status of the Front End and Back End
Action Description
Check the cluster Run the display dpi-node cluster state command to check the cluster
status status.
Check the basic Run the display dpi-node basic-configuration and display dpi-node
configurations of a spu state commands to check the basic configurations, such as the
device working mode and information about LPU, SPU, SAS, and SPS.
Check the status of Run the display dpi-node link local-configuration command to
the network check link configurations and the status of each link and network
interface and link interface.

Action Description
Check the license Run the display dpi-node license command to display the activated
information of the service list, and check whether they meet the requirements of current
Front End services.
Check the Run the ping command to check the connectivity between back-end
connectivity devices and the OMC, SAS, and SPS.
between the Front TIP
End and Back End When you run the display dpi-node sas run-info command, if the status of the
DAS and PLS is displayed as U, it indicates that the communication between
the SAS and back-end components (DAS and PLS) is normal, and accordingly
you can roughly determine that the Front End and Back End can communicate
with each other; if the status of the DAS and PLS is displayed as D, it indicates
that the communication between the SAS and back-end components (DAS and
PLS) is abnormal or other faults occur (for example, the incorrect settings of
the IP addresses of the DAS and PLS).
Check the running Run commands on the Front End to check the settings of the IP
status of each back- addresses of back-end components, and the running status of these
end component components. For example, run the display dpi-node policy-server
(through front-end state command to check the running status of the PLS.
commands) If you discover that a certain component is running abnormally, check
whether the IP address of the component is correctly specified on the
Front End, and back-end software is correctly installed and runs
normally. For how to rectify the fault, refer to the HUAWEI
SIG9800 Service Inspection Gateway Troubleshooting.
Check the back-end Check whether the license file is imported.

license file Operation page: Log in to the EMS GUI, In the navigation tree, choose
Device Management > License Management > System License.
Check alarms Check whether any critical or major alarms exist. If yes, proceed as
the information displayed on the alarm page.
Operation page: Log in to the EMS GUI, choose Alarms > Alarm
Management > Current Alarms.
Check the IP address Check whether the IP address of the OMC is specified.
of the OMC Operation page: In the navigation tree, choose System
Management > System Configuration > Component
Configuration.
If you discover that a certain component is running abnormally, check
whether back-end software is correctly installed and runs normally.
For how to rectify the fault, refer to the HUAWEI SIG9800 Service
Inspection Gateway Troubleshooting.
Check the DPI Check whether the DPI signature file is imported.
signature file Operation page: In the navigation tree, choose Basic Configuration
> Signature File Management > Customized DPI Signature File.

Action Description
Check the real-time Check the reports of the real-time link traffic to confirm that the SIG
link traffic can monitor the IP traffic on the network.
Operation page: In the navigation tree, choose Statistics and Analysis
Report > Traffic > Link and Virtual Tunnel > Real-Time
Traffic.
3.2.2 Typical Operation Example

This section provides the example for checking the status of the Front End and Back End.
Prerequisites
The installation and initialization of the Front End and Back End are implemented according to
the actual networking requirement and installation documents, such as the HUAWEI SIG9800
Service Inspection Gateway Hardware Installation Guide, HUAWEI SIG9800 Service
Inspection Gateway Software Installation Guide and HUAWEI SIG9800 Service Inspection
Gateway Commissioning Guide.
Context
As shown in Figure 3-2, DPI A is the master SIG and DPI B is the backup SIG. They form a
cluster.
DPI A and DPI B are deployed in in-line mode. DPI A monitors the traffic between router A
and router C, and DPI B monitors the traffic between router B and router D.

Figure 3-2 Typical networking example of checking the status of the Front End and Back End
External Network
Router A Router B
GE3/0/2
Swtich1 DPI System
DPI A
GE3/0/1 GE3/0/2
DPI B
GE3/0/1 Swtich2 Back End
Router C Router D
Internal Network
NOTE
The following information may vary with the version of the SIG. Therefore, similar description is omitted.
To check the current version of the SIG, run the display version command.
Procedure
Step 1 Log in to the Front End of DPI A.
Step 2 Check the cluster status.

<DPIA> display dpi-node cluster state
Cluster state information

------------------------------------------------------------------------------
*:Self, A:Active,
S:Standby
------------------------------------------------------------------------------
Number IP Address Role State Name

------------------------------------------------------------------------------
1 192.168.1.1 *Master(A) Up DPIA
2 192.168.2.1 Backup Up DPIB
------------------------------------------------------------------------------

The status of DPI A and DPI B is Up, one is the master device, and the other is the backup
device, indicating that the cluster runs normally.
Step 3 Check the basic configurations of the device.
Check whether the specified slot number of the SPU tallies with the actual slot number, whether
the CPU locations and IP addresses of the SAS and SPS are specified, and whether the status of
the SAS and SPS is Normal.
<DPIA> display dpi-node basic-configuration
Basic configuration information

-------------------------------------------------------------------------
Device role :Master
Deployment mode :In-line
SYNC mode :Automatic
Heartbeat interval (in seconds) :3
State holding time (in seconds)
Cluster :9
Management Server :9
Radius Proxy :9
Update Server :9
Cluster master preempt :Disable
LPU slot :1, 2, 3
SPU slot :6, 7, 8
SAS location :6/0/0
:7/0/0
:8/0/0
SPS location :6/0/1, 6/0/2, 6/0/3
:7/0/1, 7/0/2, 7/0/3
:8/0/1, 8/0/2, 8/0/3
Number of Configured Active SPSs :9
SPS least-number :7
insufficient handle-mode :Bypass
SPU IP address pool :192.168.6.10 - 192.168.6.30
-------------------------------------------------------------------------
<DPIA> display dpi-node spu state
SPU state information

----------------------------------------------------------------------
Type IP Address State Location
----------------------------------------------------------------------
SAS 192.168.6.10 Normal SPU6/0/0
SPS 192.168.6.11 Normal SPU6/0/1
SPS 192.168.6.12 Normal SPU6/0/2
SPS 192.168.6.13 Normal SPU6/0/3
SAS 192.168.6.14 Normal SPU7/0/0
SPS 192.168.6.15 Normal SPU7/0/1
SPS 192.168.6.16 Normal SPU7/0/2
SPS 192.168.6.17 Normal SPU7/0/3
SAS 192.168.6.18 Normal SPU8/0/0
SPS 192.168.6.19 Normal SPU8/0/1
SPS 192.168.6.20 Normal SPU8/0/2
SPS 192.168.6.21 Normal SPU8/0/3
----------------------------------------------------------------------
<DPIA> display dpi-node sps mode
SPS mode information

-----------------------------------------------------
Location IP Address Mode
-----------------------------------------------------
SPU6/0/1 192.168.6.11 Active
SPU6/0/2 192.168.6.12 Active
SPU6/0/3 192.168.6.13 Active
SPU7/0/1 192.168.6.15 Active
SPU7/0/2 192.168.6.16 Active
SPU7/0/3 192.168.6.17 Active
SPU8/0/1 192.168.6.19 Active
SPU9/0/2 192.168.6.20 Active

SPU9/0/3 192.168.6.21 Active

-----------------------------------------------------
<DPIA> display dpi-node sas run-info
Running information about the SAS

------------------------------------------------------------------------------
DMG: Domain group, DAS: Data Analysis Server,
PLS: Policy server, RDP: RADIUS proxy server
------------------------------------------------------------------------------
SAS Mode DMG DAS PLS RDP Device
------------------------------------------------------------------------------
192.168.6.10 Main 1 1(U) 1(U) 1,2 1,2
192.168.6.14 Active 2 1(U) 1(U) 1,2 N/A
192.168.6.18 Active 3 1(U) 1(U) 1,2 N/A
------------------------------------------------------------------------------
As the preceding output shows, the SPUs in slot 6, 7, and 8 are in normal state.
Step 4 Check the status of network interfaces and links.
Check whether links are configured, and whether each link and network interface run normally.
<DPIA> display dpi-node link local-configuration
Local link configuration
------------------------------------------------------------------------------
U:Up, D:Down
------------------------------------------------------------------------------
Number Type Inside Outside State Inside/Outside Speed Link Name

------------------------------------------------------------------------------
1 10G G1/0/1(U) G1/0/2(U) Valid 10G/10G link_1
------------------------------------------------------------------------------
According to the previous information, the status of link 1 is Valid; the status of GE 1/0/1 and
GE 1/0/2 is Up. This indicates that, the link and network interfaces in this example run normally.
Step 5 Check the license information of the Front End.
Run the display dpi-node license command to display the activated service list, and check
whether they meet the requirements of current services. If yes, go to next step; if no, reapply for
a license and import it.
Step 6 Check the connectivity between the Front End and Back End.
Run the ping command to check the connectivity between the Back End and the OMC, the SAS,
and the SPS. If the network is disconnected, troubleshoot your network faults; otherwise, go to
next step.
Step 2 shows that the IP address of the OMC is 192.168.1.1; Step 3 shows that the IP addresses
of the SAS and SPS range from 192.168.6.10 to 192.168.6.13. During the check, you can ping
(for example, run the ping 192.168.1.1 command) these IP addresses from the Back End.
Step 7 Check the running status of each component.
Check whether each component runs normally according to the list of components selected
during installation planning. If the status of each component is Up, it indicates that these
components run normally. In this case, go to next step. If the status is not Up, refer to the
HUAWEI SIG9800 Service Inspection Gateway Troubleshooting to troubleshoot faults.
In this example, the PLS, DAS, management server, and update server are installed on the Back
End. You should run the following commands:
<DPIA> display dpi-node policy-server state
<DPIA> display dpi-node data-analysis-server state

<DPIA> display dpi-node management-server state

<DPIA> display dpi-node update-server state
Step 8 Log in to the Front End of DPI B.
Step 9 Repeat Step 2 to Step 7 to check the related configurations of DPI B.
Step 10 Log into the EMS GUI.
Step 11 Check whether the license is already imported.

1. In the navigation tree, choose Device Management > License Management > System
License.
2. Click View. Then in the dialog box that is displayed, view the license authorization
information such as the services, date, and number of users.
If no license record exists or the authorization information in the license record does not
match the current service, contact installation and commissioning engineers to apply for a
new license and import it. Otherwise, proceed to the next step.
Step 12 Check alarms.

1. In the navigation tree, choose Alarms > Alarm Management > Current Alarms.
2. Check whether any critical or major alarms exist.
If yes, proceed as the information displayed on the alarm page. Otherwise, proceed to the
next step.
Step 13 Log in to the Back End of the SIG.
Step 14 Check whether the IP address of the OMC is specified.

1. In the navigation tree, choose System Management > System Configuration >
Component Configuration.
2. In the OMC Configuration group box, click Configure.
3. If the displayed dialog box lists the OMC IP addresses of DPI A and DPI B, go to next step;
otherwise, after the configuration is complete, click Add.
Step 15 Check whether the DPI signature file is imported.

1. In the navigation tree, choose Basic Configuration > Signature File Management >
Customized DPI Signature File.
2. In the Protocol group box, perform the following operations:
l If the list for protocols, such as P2P and VoIP, is displayed, it indicates that the DPI
signature file is already imported. In this case, go to next step.
l If this group box is empty, it indicates that the DPI signature file is not imported. Contact
installation and commissioning engineers to obtain the signature file. Choose System
Management > Update of System Knowledge Base > Update of Signature File >
DPI Signature File Version Management, and then import the signature file.
Step 16 Check the real-time link traffic report.

1. Ensure that the link traffic is continuous.
If the SIG is not connected to the current network, you can continuously access the network
through certain software or dedicated instrument, or in manual mode at the user side to
generate traffic.
2. In the navigation tree, choose Statistics and Analysis Report > Traffic > Link and
Virtual Tunnel > Real-Time Traffic.

3. Select a link monitored by DPI A or DPI B from Link.

4. (Optional) In Traffic Type List, select the traffic types to be monitored separately.
5. Click Start Monitoring.
6. Wait about 1 minute. The system displays the report data every 16 seconds, as shown in
Figure 3-3.
If the traffic report is displayed normally, it indicates that the status of the Front End and
Back End is normal; otherwise, the status is abnormal, and you need to troubleshoot faults.
For how to troubleshoot faults, refer to the HUAWEI SIG9800 Service Inspection
Gateway Troubleshooting; For how to implement the installation and initialization on the
SIG, refer to the HUAWEI SIG9800 Service Inspection Gateway Hardware Installation
Guide, HUAWEI SIG9800 Service Inspection Gateway Software Installation Guide and
Figure 3-3 Checking a real-time link traffic report
----End
3.2.3 Reference
This section describes common commands for checking the status of the Front End.
Table 3-2 Common commands for checking the status of the Front End
Item Command
Display basic display dpi-node basic-configuration

configurations

Item Command
Display the cluster display dpi-node cluster [ name device-name ] state

status
Display the display dpi-node domain [ name domain-name | number domain-

domain number | ip-address [ ip-address ] | ipv6-address [ ipv6-address ] ]
information
Display the display dpi-node domain-group [ name domain-group-name |

domain group number domain-group-number ]
information
Display the display dpi-node license

license
information
Display local link display dpi-node link [ interface interface-type interface-number |

configurations number link-number ] local-configuration
Display global display dpi-node link [ name device-name ] global-configuration

link
configurations
Display the display dpi-node management-server [ name server-name ] state

management
server status
Display the PLS display dpi-node policy-server [ name server-name ] state

status
Display the DAS display dpi-node data-analysis-server [ name server-name ] state

status
Display the display dpi-node sas [ ip-address ip-address ] run-info

running
information about
the SAS
Display the mode display dpi-node sas mode

information about
the SAS
Display the mode display dpi-node sps mode

information about
the SPS
Check the SPU display dpi-node spu state [ ip-address ip-address ]

status
Display the display dpi-node interface [ interface-type interface-number ]

interface mode
and the link to
which the
interface belongs

Item Command
Display the display dpi-node radius-proxy master { name server-name |

binding number number } configuration
relationship
between the
RADIUS Proxy
server and domain
group
Display the status display dpi-node radius-proxy [ name server-name ] state

of the RADIUS
Proxy sever
Display the display dpi-node sas slot slot-number cpu cpu-number statistics
service statistics
of the SAS
Display the display dpi-node service-info

service
information
Display the update display dpi-node update-server [ name update-server-name ] state

server status
Display the display dpi-node pcrf [ name pcrf-name ] configuration

configurations of
the PCRF
Display the node display dpi-node sas account-analyze account account-name

information about
the specified
account on the
SAS
Display the node display dpi-node sas ip-analyze ip-address ip-address

information about
the specified IP
address on the
SAS
Display the display dpi-node sas ip-policy fup ip-address ip-address

binding
relationship
between the
specified IP
address of the FUP
and the QoS or
FUP policy
package

Item Command
Display the FUP display dpi-node sps fup-quota ip-address ip-address

quota information
about the specified
IP address on the
SPS
Display the node display dpi-node sps ip-analyze ip-address ip-address

information about
the specified IP
address on the SPS
Display the display dpi-node sps ip-session-analyze ip-address ip-address

session
information about
the specified IP
address on the SPS
For how to implement the installation and basic configurations on the Front End and Back End,
refer to the HUAWEI SIG9800 Service Inspection Gateway Hardware Installation Guide,
HUAWEI SIG9800 Service Inspection Gateway Software Installation Guide and HUAWEI
SIG9800 Service Inspection Gateway Commissioning Guide.
For other commands of the Front End, refer to the HUAWEI SIG9800 Service Inspection
Gateway Command Reference.

Configuration Guide 4 Subscriber and Network Object Initialization
4 Subscriber and Network Object

Initialization
About This Chapter
Through subscriber and network object initialization, you can configure and manage links,
virtual tunnels, subscribers, VICs, AS domain groups, and subnets.
4.1 About Subscriber and Network Object Initialization

subscribers, VICs, AS domain groups, and subnets, which facilitates the successful configuration
of services.
4.2 Configuring the Subscriber
This section describes how to configure subscribers and corresponding areas, user groups, and
customized attributes. To configure a service to be applied to subscribers, you should perform
this task first.
4.3 Configuring the VIC
This section described how to configure the VIC and corresponding areas, user groups, and
customized attributes. To configure a service to be applied to VICs, you should perform this
task first.
4.4 Configuring the Link
This section describes how to manage the current links of the SIG, and add link groups required
for report statistics. To configure a service to be applied to links, you should perform this task
first.
4.5 Configuring the Virtual Tunnel
This section describes how to manage the virtual tunnel monitored by the SIG, and related areas,
customized attributes, and virtual tunnel categories. To implement traffic report statistics and
QoS control over the virtual tunnel, you should perform this task.
4.6 Configuring the AS Domain Group
This section describes how to configure the AS domain group and corresponding AS domains
and BGP. To configure a service to be applied to AS domain groups, you should perform this
task first.
4.7 Configuring the Subnet

This section describes how to configure the subnet. To configure a service to be applied to
subnets, you should perform this task first.

4.1 About Subscriber and Network Object Initialization

subscribers, VICs, AS domain groups, and subnets, which facilitates the successful configuration
of services.
The subscriber and network objects are as follows:
l Link
Refers to a physical link monitored by the SIG. For example, as shown in Figure 4-1, GE
2/0/0 is connected to the user side and GE 2/0/1 to the network side, and between GE 2/0/0
and GE 2/0/1 is a link.
Figure 4-1 Link diagram
LPU
Link
GE2/0/0
Router A
Router B
GE2/0/1
l Virtual tunnel
To identify and define the network traffic to be managed, the SIG supports the creation of
virtual tunnel objects by user attribute or stream attribute in addition to subscriber and
network objects such as subscribers, VICs, links, AS domain groups, and subnets.
The virtual tunnel can group data flows by dividing all data flows into multiple virtual
tunnels according to certain conditions and manage the virtual tunnels as independent links.
The conditions for grouping data flows include the IP quintuple, DSCP, VLAN, MPLS,
and link. Meanwhile, Users can be grouped according to the user area and dynamic attribute,
and the data flows of a group of users can be classified into virtual tunnels.
l Subscriber
Refers to a non-VIC, such as an ADSL dial-up user identified by an account ID, a user
identified by a fixed IP address, or a wireless user identified by International Mobile Station
Identification Code (IMSI) or Mobile Station International ISDN Number (MSISDN), as
l Very Important Customer (VIC)
Refers to a user consisting of multiple IP addresses or IP address segments, such as an
enterprise user, as shown in Figure 4-2. One IP address belongs to only one VIC.

Figure 4-2 Subscriber and VIC diagram
Subscriber
Wireless
access network
Subscriber
Subscriber Broadband
access network
VIC
l Autonomous System (AS) domain group

Refers to a set of AS domains. In SIG, the AS domain group helps carriers collect the
statistics on the traffic among AS domains.
AS is a set of routers adopting the same routing policy and managed by one or more network
operators. The same as an IP address, an AS number is allocated by the international
organization. The Front End of the SIG is generally deployed in the private AS domain and
learns the AS information from the network by establishing EBGP neighbor relationship
with neighbor routers.
l Subnet
Refers to a collection of IP addresses. A subnet consists of one or multiple IP segments.
l Traffic direction
Indicates the network traffic analysis object between two specified networks.
The SIG supports the following traffic direction objects:
– Between one link (or link group) and one AS domain group
– Between one AS domain group and another AS domain group
– Between one subnet and one AS domain group
– Between one subnet and another subnet
For details on traffic direction, see 5.6 Implementing Traffic Direction Statistics and 5.7
Configuring Traffic Direction QoS.
Table 4-1 shows the subscriber and network objects supported by the SIG.
Table 4-1 Objects of each service
Service Object
Traffic Traffi Link, virtual tunnel, subscriber, and VIC

Manage c
ment
Traffi Between one link (or link group) and one AS domain group, between
c one AS domain group and another AS domain group, between one subnet
Direc and one AS domain group, and between one subnet and another subnet
tion
FUP Subscriber

Service Object
Charging Subscriber
URL Filtering Link, subscriber, and VIC
GreenNet Subscriber and VIC
Traffic Mirroring/ Link, subscriber, and VIC

Diversion
SmartBrowser Subscriber
NOTE
The SmartBrowser service can be applied to all customers in the local domain
except VICs.
DNS Overwriting Subscriber
Smart account user of the subscriber, and VIC

Advertising
Interface
VoIP Monitoring Subscriber and VIC
Anti-Spammer Subscriber
Anti-DDoS Subnet
Anti-Botnet Subscriber and VIC
Anti-Worm Link, subscriber, and VIC
Security Service Subscriber and VIC
NOTE
In actual networking, if the service to be configured or applied is not subject to object types (such as the
subscriber, VIC, AS domain group, subnet, or a combination of them), installation and commissioning
engineers or data configuration engineers do not need to configure the subscriber and network objects of
a specific type. For example, in the networking of a carrier, only link-based traffic management and
subscriber-based GreenNet are required. In this case, the configuration of the VIC, AS domain group, or
subnet is not necessary.
4.2 Configuring the Subscriber

This section describes how to configure subscribers and corresponding areas, user groups, and
customized attributes. To configure a service to be applied to subscribers, you should perform
this task first.
4.2.1 Overview
This section describes several concepts related to the subscriber. You can implement many
functions by configuring the subscriber.
The related concepts of the subscriber are as follows:

l Area
Indicates the physical area. The system supports hierarchical management over areas.
During the system installation, the installation and commissioning engineer defines the area
level of subscribers upon the first login to the Back End. For subscribers, the system
supports up to five levels of areas.
Areas are organized in tree structure. When adding areas, data configuration engineers
should start from the root area, and then create a new area in the root area and a subarea in
the current area, gradually building an area system. Only one root area can be added.
l Customized attribute
Refers to customized subscriber attributes.
In addition to the defined area attribute, you can extend the subscriber attribute by adding
customized attributes.
In terms of the binding relationship between attributes and subscribers, customized
attributes are categorized into the following types:
– Static attributes
Refer to the attributes whose values are static, such as the gender, address, or zip code.
– Dynamic attributes
Refer to the attributes whose values are dynamic, such as the base station, cell, mobile
type, or browser type.
In terms of whether subscribers can be divided into finite groups, customized attributes are
categorized into the following types:
– Group attributes
These attributes, such as the service package, gender, base station, cell, mobile phone,
and browser, can categorize subscribers into finite groups.
If you need to view the report based on the value of the preceding attributes, select
Enable Statistics when adding group attributes.
– Non-group attributes
These categories, such as the address and postal code, can only be used to identify
subscribers.
Static attributes can be group or non-group attributes; all dynamic attributes are group
attributes.
l User group
Refers to a collection of one or more subscribers.
To easily manage subscribers in group mode, the system supports customizing the user
groups of subscribers. After adding one or more subscribers to a user group, you can
implement service policy control based on the user group.
By default, the system supports several user groups for specific services, such as the user
group for the VoIP blacklist. This document describes corresponding user groups as well
as services, this document describes corresponding user groups.
According to the mode of adding, the two user groups are:
– General user group
Contains the users that are manually added or imported into the group.
– Heavy User group

Contains the Top N users in a certain area or according to other group attributes. The
data configuration engineer defines the query conditions, then the system can generate
and update the user groups between intervals automatically.
For example, you can define the top 10% users that use the largest amount of traffic in
each month as a Heavy User group.
With the configuration of the subscriber, the system can:
l Provide account management for subscribers
According to the requirements of account management, you can select one or multiple
management modes shown in Table 4-2.
Table 4-2 Management modes of subscriber accounts

Type Description Application Scenario
Manually Manually adding, modifying, or This mode is applied to when

adding deleting subscriber accounts. few subscriber accounts require
accounts maintaining.
Importing Manually importing subscriber This mode is recommended.

accounts in accounts from the .xls template file The .xls template file needs to
batches provided by the system. be manually maintained.
A maximum of 50,000
subscribers can be imported at
a time. A maximum of 10,000
customized attribute values can
be imported at a time. The total
number of subscribers is
controlled by the license.
Synchronizing The SIG serves as the FTP client, This mode is recommended. It
with the FTP realizing the automatic addition, is applicable to the scenario
server modification, and deletion of where a great volume of data
subscriber accounts in batch by requires batch synchronization,
synchronizing with the FTP server. the FTP server for
After the files containing the synchronization exists, and
account synchronizing information synchronization files need to be
are saved on the FTP server, the managed.
system can perform automatic
synchronization periodically
through this function.
For details on the FTP interface, see
HUAWEI SIG9800 Service
Inspection Gateway Subscriber
FTP Interface Description.

Synchronizing Realizing the automatic It is applicable to the scenario

the Simple synchronization of subscriber where the system poses high
Object Access accounts, areas, and customized requirements on timeliness and
Protocol attributes. accuracy, and supports the
(SOAP) After the back-end software is SOAP interface.
interface successfully installed, the SIG
automatically enables the SOAP
interface on the BIS component.
The default port of the HTTP and
HTTPS services is 804 and 838
respectively. When the information
about subscriber accounts, areas,
and customized attributes changes
in the interconnection system, the
interconnection system calls the
interface, and synchronizes the
change information with the SIG.
For example, if the virtual IP
address of the BIS component is
10.10.10.10, the access addresses
for the peer system should be http://
10.10.10.10:804/dpi-bis/services/
or https://10.10.10.10:838/dpi-
bis/services/.
For details on the SOAP interface,
see HUAWEI SIG9800 Service
Inspection Gateway Subscriber
SOAP Interface Description.
Account self- After the function is enabled, the The system automatically
learning system automatically learns and learns the account through the
(Through the adds subscriber accounts based on account login information. It is
login and the account online information. In applicable to the scenario
logout logs of this mode, the account login where the account cannot be
subscribers) information should pass through the directly obtained in other mode
RADIUS proxy. and the account login
information passes through the
RADIUS proxy.

Account self- After the function is enabled, the It is applicable to the scenario
learning system extracts several user where the RADIUS packets or
(Through the attributes (such as the MAC the GTP-C signaling packets
policy request address) from the service traffic, cannot be inspected.
messages of and automatically adds the The system automatically leans
subscribers) subscriber account. the account by extracting
several user attributes (such as
the MAC address) from service
traffic. It is applicable to the
scenario where learnt user
attributes are several, and either
manual mode or batch import
mode is employed.
NOTE
The system supports the scenario where multiple IP addresses (including the IPv4 and IPv6 addresses)
use one account being online at the same time. In such a scenario, each IP address independently
applies the complete control policy of the account. Detailed traffic statistics of each IP address can
be viewed in the real-time traffic report, whereas the traffic statistics of the account shown in other
reports are the data statistics collected from all the IP addresses.
l Manage multi-level subscriber areas and area-based data permission.
l Manage user groups, and customized attributes.
4.2.2 Configuration Procedure

This section describes the procedure for configuring the subscriber.
Figure 4-3 shows the configuration procedure.

Figure 4-3 Procedure for configuring the subscriber
Start
Configure the area
Is the customized No
attribute required?
Yes
Add the customized attribute
Add or import the

subscriber
Is the user No
group required?
Yes
Configure the
user group
End
Table 4-3 shows the procedure description.

Table 4-3 Procedure description of configuring the subscriber

Action Description
Configure the area Add the area and assign data permission for the area of each level as
required.
Three types of data permissions are available:
l Read
If your account has this permission for an area, you can view the
details about this area and its subareas.
l Write
If your account has this permission for an area, besides the read
permission, you can add, modify, enable, disable, or delete this area
and its subareas.
l Authorize
and write permissions, you can assign data permissions for this area
and its subareas.
NOTE
For the information about the permission control mechanism, see 22.2
Managing System Accounts and Permissions.
Operation page: In the navigation tree, choose Subscriber and
Network Management > Subscriber > Area Management.
Add the customized Add the customized attribute as required.

attribute Operation page: In the navigation tree, choose Subscriber and
Network Management > Subscriber > Customized Attributes
Management.
Add or import the Add or import the subscriber account to manage the account.
subscriber Operation page: In the navigation tree, choose Subscriber and
Network Management > Subscriber > Subscriber Management.
When you add these subscribers by synchronizing the FTP server,
synchronizing the SOAP interface or through account self-learning,
the operation page also includes: In the navigation tree, choose System
Management > System Configuration > External Interface
Configuration.
Configure the user Except for applying policies to areas or other customized attribute
group groups, the SIG also supports the ability to apply policies to user
groups. Therefore, if you cannot manage service objects according to
attribute groups, add and configure user groups.
Network Management > Subscriber > User Group Management.

4.2.3 Typical Configuration Example (Adding Subscribers

Manually)
This section provides an example for configuring the subscriber. Subscribers are manually added
one by one.
Prerequisites
The following conditions should be met:
l 3.2 Checking the Status of the Front End and Back End is complete.
l The current user has the User and Network Management service permission and the data
permission for the areas to be managed.
Requirement Description
Requirements are as follows:
l Areas are divided into two levels.

Use adding Beijing as level-1 area, Zhongguancun as level-2 area as an example to
introduce the operation procedure.
l The subscriber account to be added, including:
– Dynamic IP type, Subscriber ID: 111222333444555, Contract number:
8613800001111, Area: Zhongguancun
– Dynamic IP type, Subscriber ID: 111222333444777, Contract number:
– Static IP type, Subscriber ID: Test1, IP address: 10.10.10.10, Area: Zhongguancun
– Static IP type, Subscriber ID: Test2, IP address: 2001::a, Area: Zhongguancun
Procedure
Step 1 Log in to the Back End.
Step 2 Configure the area.

1. In the navigation tree, choose Subscriber and Network Management > Subscriber >
Area Management.
2. Click Add, enter Beijing in Area Name, and then click OK.
3. Click Beijing in the area list. Click Add, and enter Zhongguancun in Area Name. Then
click OK as shown in Figure 4-4.
Figure 4-4 Configuring the area
4. (Optional) Assign the data permission.

In the area list, select the area for which permissions are to be assigned. Click Assign Data
Authority. Assign the permission to each system account. Click OK.
Step 3 Add subscribers.
Subscriber Management.
2. Click Add. The Add Subscriber Information dialog box is displayed,
3. Set parameters according to Figure 4-5.
Figure 4-5 Adding a subscriber (1)
4. Click OK. The system returns to the previous page and displays a new record.
5. Repeat Step 3.2 to Step 3.4 to add another item with Subscriber ID as
111222333444777.
6. Click Add. The Add Subscriber Information dialog box is displayed,


9. Repeat Step 3.6 to Step 3.8 to add another item with Subscriber ID as Test2, as shown in
Figure 4-7.
----End
4.2.4 Typical Configuration Example (Importing Subscriber

Accounts in Batches and Adding Heavy User Group)
This section provides an example for configuring the subscriber. Subscribers are imported from
a specific file in batches. You should manually import subscriber accounts from the .xls template
file provided by the system. In addition to that, an example for adding a heavy user group is also
provided.
Prerequisites
Context
In this example, the requirements are as follows:


l The subscriber accounts to be imported include:
– Dynamic IP address, Subscriber ID: 111222333444555, Contract number:
– Dynamic IP address, Subscriber ID: 111222333444777. Contract number:
8613800002222. Area: Zhongguancun
l Add a Heavy User group named BeijingHeavyUser.
Users in this group meet the following requirements:
– The upstream and downstream traffic last month is among the top 10%.
– The user in this group is updated at 4:00 on the first day of each month.
– The data is valid within a month.
Procedure
Area Management.

Step 3 Import the subscriber.
2. Click Import. The Import Subscriber dialog box is displayed, as shown in Figure 4-9.

Figure 4-9 Importing subscribers (1)
3. Click Dynamic IP Template to obtain the .xls template file. In the file, enter the account
information to be imported and save the operations, as shown in Figure 4-10.
Figure 4-10 Importing subscribers (2)
4. In the Import Subscriber dialog box, click Browse to select the edited files. Click OK.
5. After the operation is complete, view the data processing results in the dialog box.
Step 4 Add a Heavy User group.
User Group Management.
2. Click Add.
3. Enter BeijingHeavyUser in User Group Name , and select Heavy User from the User
Group Type.
NOTE
By clicking the button left to Rule, you can expand or fold the group box.
Statistics Time is the time range before the execution of the task. It can be specified as any point in
time within the time range for queries and generations of the Heavy User. In this example, you can
set Statistics Time to be 1 day ago, or 20 days ago.
The hour value in Statistics Time is only valid when Data Granularity is set to Hour.

Figure 4-11 Adding a heavy user group
----End
Follow-up Procedure
At any time after 4:00 on the first day of each month, you can view the Heavy User list of last
month in the dialog box that is displayed after clicking Subscriber Information in the
BeijingHeavyUser line on the User Group Management page.
4.2.5 Typical Configuration Example (Synchronizing Subscriber

from the FTP Server)
This section provides an example for configuring the subscriber. The subscribers are
synchronized from the FTP server.
Prerequisites
l 3.2 Checking the Status of the Front End and Back End is performed.
Context

l For the FTP server, the IP address, service port, user name, and password are 192.168.10.10,
21, user, and 123456 respectively. The .csv files are saved in file/user/. The examples are
as follows:
operation,operation-key,identifier,accounts,display-name,area
add,accounts,8613800001111,111222333444555,Jimmy,Zhongguancun

add,accounts,8613800002222,111222333444555,Bob,Zhongguancun
...
NOTE
For details on the FTP synchronization interface, see HUAWEI SIG9800 Service Inspection Gateway
Subscriber FTP Interface Description..
Procedure
Area Management.

Step 3 Configure the FTP server.
1. In the navigation tree, choose System Management > System Configuration > External
Interface Configuration.
2. In the User Information FTP/SOAP Interface group box, click Configure. The
Subscriber Information Interface dialog box is displayed.
3. Select Zhongguancun from Area, click OK, and then click another tab.
The area is the default value for account synchronization and invalid for the accounts with
an area specified in the files to be synchronized.
4. Click Add. The Add FTP Config dialog box is displayed.
5. Enter file/user/ in Log File Path. Enter 192.168.10.10 in IP Address. Enter 21 in Port.
Enter user in User Name. Enter 123456 in Password, click Test Connection. Click
OK. The previous page is displayed, as shown in Figure 4-13.

Figure 4-13 Synchronizing the FTP server
6. Click Close.
7. Click Start.
The system automatically synchronizes subscriber accounts from the FTP server
periodically. The default interval is three minutes.
----End
4.2.6 Typical Configuration Example (Self Learning Subscribers

and Adding Customized Attributes)
This section provides an example for configuring the subscriber. Start account self-learning and
add subscriber accounts with customized properties based on account login information.
Prerequisites
Context


l To view and manage traffic by base station and cell.

you need to configure two customized attributes, base station and cell.
l The subscriber accounts are self-learned.
Procedure
Area Management.

Step 3 Add customized attributes.
Customized Attributes Management.
2. Click Add. The Add Attribute dialog box is displayed.
3. Select Dynamic Attribute from Attribute Type, Base Station from Attribute Name, and
click OK, as shown in Figure 4-15.

Figure 4-15 Adding a customized attribute
NOTE
The system provides the operation page for customized dynamic attributes. Customized dynamic
attributes are developed for customization, and can be enabled only after you contact Huawei
technical support personnel.
4. Click Import. The Import Dynamic Attribute Value dialog box is displayed.
5. Click Base station Template to obtain the excel template file. Then enter the information
to be imported in the file and save it.
6. In the Import Dynamic Attribute Value dialog box, click Browse and select the
previously edited file. Then click OK.
7. Click OK . The system returns to the previous page and the added entry is displayed.
8. Repeat Step 3.2 to Step 3.7. Add customized attribute Cell.
Step 4 Configure user information study.
2. In the Account Self-learning group box, click Configure. The Account Self-learning
Configuration dialog box is displayed.
3. Select Through the login and logout logs of subscribers from Mode. Select Enable from
State. Select Zhongguancun from Area. Click OK.
The previous area is used as the default value for synchronizing accounts.
If the dynamic area function is enabled, you do not need to configure Area.

4. Select the entry whose OMC Synchronization is Yes. Click Enable FTP, as shown in
Figure 4-16.
Figure 4-16 Configuring account self-learning
NOTE
The manually added external FTP server to implement the account self-learning function is reserved.
You are advised to confirm with the Huawei technical support engineers.
5. Click Close.
----End
Follow-up Procedure
After confirming that account self-learning is complete, you can disable the account self-learning
function. Click Disable in the Account Self-learning Configuration group box.
To delete subscribers in batches, click Batch Delete on the Subscriber Management page and
follow the instructions that are displayed.
4.2.7 Typical Configuration Example (Self Learning Subscribers

and Identifying the Area Where the Subscriber Resides by SN)
This section provides an example for configuring the subscriber. Enable account self-learning
which automatically adds subscriber accounts based on the account login information, and
identifies the area where the subscriber resides by service node (SN).
Prerequisites

l Select a rule to identify the area where a subscriber belongs is already set to SN by the
installation and commissioning engineer during the first login to the GUI after the back-
end software is installed.
The requirements of a carrier's CDMA2000 network are as follows:
Use adding Beijing as level-1 area, Haidian and Dongcheng as level-2 areas as an example
to introduce the operation procedure.
l To view and manage traffic by SN, base station, cell, and access type,
you need to configure four customized attributes, SN, base station, cell, and access type.
SNs on live network include:
– SN IP address: 10.11.11.11. SN name: HaidianSN1. Area: Haidian.
– SN IP address: 10.11.11.12. SN name: HaidianSN2. Area: Haidian.
– SN IP address: 10.11.11.13. SN name: DongchengSN. Area: Dongcheng.
The data of the base stations and cells is provided by the network operation and maintenance
department of the carrier.
l Subscriber accounts are added by the account self-learning function. When an account logs
in, the SIG system parses the RADIUS charging information of the account, obtains the
SN used by the account, and identifies the area where the account resides.
Procedure

Area Management.
3. Click Beijing in the area list. Click Add, and enter Haidian in Area Name. Then click
OK.
4. Click Beijing in the area list. Click Add, and enter Dongcheng in Area Name. Then click
OK as shown in Figure 4-17.
Step 3 Add a customized attribute.

2. Click Add. The Add Attribute dialog box is displayed.
3. Select Dynamic Attribute in Attribute Type, SN in Attribute Name, and Traffic in
Enable Statistics. Then click OK, as shown in Figure 4-18.
4. Click Add, enter 10.11.11.11 in Sequence, enter HaidianSN1 in Alias, and select
Haidian in Area in the dialog box that is displayed.
5. Repeat the previous steps to add another two SNs, as shown in Figure 4-19.

6. Click Close.
7. Repeat Step 3.2 to Step 3.6 to add the dynamic attributes of Base Station, Cell, and Access
Type.
You are advised to click Import to download the .xls template and then import the data of
base stations and cells. The access type attribute data is automatically generated by the
system.
Step 4 Configure the account self-learning.

2. Click Configure in the Account Self-learning group box. The Account Self-learning
Configuration dialog box is displayed.
3. Select Through the login and logout logs of subscribers in Mode, select Enable in
State, and click OK.
4. Select the record whose OMC Synchronization is Yes and then click Enable FTP.
5. Click Close.
----End
Follow-up Procedure
After confirming that account self-learning is complete, you can disable the account self-learning
function. Click Disable in the Account Self-learning Configuration group box.

To delete subscribers in batches, click Batch Delete on the Subscriber Management page and
follow the instructions that are displayed.
4.2.8 Maintaining Existing Subscribers

This section introduces how to query, modify, and delete subscribers.
Prerequisites
l The current user has the Subscriber and Network Management service permission, and
additionally has data permission of the areas to be managed.
Procedure
Step 2 In the navigation tree, choose Subscriber and Network Management > Subscriber >
Step 3 Optional operations are as follows:

l Search
To query a subscriber(s), click Query, enter any of Subscriber ID, IP Address, or Area as
a query condition(s), and then click OK.
NOTE
The system performs exact match by the property values entered. For blurry match, leave the check
box of Exact Match on the right side of the property value unselected.
For example, Assume there are two subscribers with the Subscriber Name Jim and Jimmy
respectively. When you query Jim and select exact match, only Jim is found; if you select blurry match,
both Jim and Jimmy are found.
l Modify
To modify the properties of a subscriber, click the link to the Subscriber ID column of the
entry, enter property values in the dialog box that is displayed, and then click OK.
l Delete
To delete a subscriber entry, select the check box to the left of the entry, click Delete, and
confirm the operation.
l Delete in batches
To delete subscriber entries in batches using an Excel template, click Batch Delete and then
the link on the right of the Downloading Template. After you download and edit the
template, click Browse in the dialog box, select the file, and then click OK. The system
displays the data handling results, including the number of entries that have been successfully
or unsuccessfully deleted.
----End
4.2.9 Managing the Subscriber Group

This section introduces how to query, modify, and delete subscriber groups.

Prerequisites
l The current user has the Subscriber and Network Management service permission.
Procedure
Step 2 In the navigation tree, choose Subscriber and Network Management > Subscriber > User
Group Management.
l Add a subscriber group.
Click Add, enter the name of the user group to be added to User Group Name, and click
OK.
l Add or import users to the subscriber group.
Click Subscriber Information of the user group to be managed. The optional options are
as follows:
– To add users in Subscriber Management to the user group, click Select Subscriber,
and select the subscribers to be added in the dialog box that is displayed.
– To add new users to the user group, click Add Subscriber, and enter Subscriber ID of
the user to be added to the dialog box that is displayed.
– To add a bunch of new users to the user group, click Import, obtain the import template
from the dialog box that is displayed, and import the users.
NOTE
New users added to the group are not showed and managed in Subscriber Management. The system
can apply policies to and query the reports of the new users.
After applying a policy package to a subscriber group, the system bonds the policy package to each
user in the group.
l Delete users in the subscriber group.
Click Subscriber Information of the user group to be managed. The optional options are
as follows:
– Select the users to be deleted, and click Delete.
– Click Batch Delete, obtain the import template in the dialog box that is displayed, and
delete users.
l Add the Heavy User group.
Click Add, select Heavy User in User Group Type, and then enter related information.
l View users in the Heavy User group.
Click Subscriber Information of the user group to be managed, and view the user list in
the dialog box that is displayed.
----End
4.2.10 Parameter Description

This section describes important parameters for configuring the subscriber.

Table 4-4 shows important parameters for configuring the subscriber.
Table 4-4 Parameter description of configuring the subscriber

Parameter Description How to Set
Subscriber ID This parameter is optional for identifying [Operation page]: In the

a subscriber. navigation tree, choose
Subscriber and Network
Management >
Subscriber > Subscriber
Management.
[Setting method] Enter a
value in the text box.
[Example] Jimmy
Subscriber Type l Dynamic IP [Operation page] In the

Indicates the account that uses the navigation tree, choose
dynamic IP address which is obtained Subscriber and Network
by the RADIUS proxy server by Management >
parsing the subscriber ID from the Subscriber > Subscriber
RADIUS accounting packets. Management.
l Static IP [Setting method] Select in
the drop-down list.
Indicates the account that uses the
fixed IP address. These accounts are [Example] Dynamic IP
usually used in acceptance tests.
Area Indicates the area where the subscriber [Operation page]: In the
resides. navigation tree, choose
NOTE Subscriber and Network
The parameter is not required if the dynamic Management >
identification area is already specified. No Subscriber > Subscriber
further description is provided in the Management.
following.
[Setting method] Click
To dynamically identify areas, select the
check box of Select a rule to identify the the option button.
area where a subscriber belongs on the
System Management > System
Configuration > SystemBasic
Configuration page. This configuration is
completed upon your first login and cannot
be changed.

User Area The area configured here is only valid in [Operation page]: In the
Infor the case that the file to be synchronized navigation tree, choose
matio does not contain an account for the area System Management >
n during account synchronization. System Configuration >
FTP/ External Interface
SOA Configuration. In the
P User Information FTP/
Interf SOAP Interface group
ace box, click
Configuration. Select the
Basic Configuration tab.
the option button.
Log File Indicates the path for the file to be [Operation page]: In the
Path synchronized on the FTP server. navigation tree, choose
If this parameter is not set, the system System Management >
obtains files to be synchronized from the System Configuration >
root directory of the FTP server in to External Interface
which the account has logged. Configuration. In the
User Information FTP/
SOAP Interface group
box, click
FTP Configuration tab.
[Example] file/user/
IP Address Indicates the IP address of the FTP [Operation page]: In the

server. navigation tree, choose
System Management >
System Configuration >
External Interface
Configuration. In the
box, click

Port Indicates the service port of the FTP [Operation page]: In the
server. navigation tree, choose
System Management >
External Interface
box, click
[Example]: 21
User Name, Indicates the user name and password for [Operation page]: In the
Password logging in to the FTP server. navigation tree, choose
System Management >
External Interface
box, click
FTP Mode The system supports FTP and SFTP. [Operation page]: In the
navigation tree, choose
System Management >
External Interface
box, click
[Setting method]: Select
the item from the drop-
down list.

Auto Delete You can decide whether to delete the [Operation page]: In the
FTP File synchronized FTP file automatically. navigation tree, choose
System Management >
External Interface
box, click
[Setting method]: Select
the item from the drop-
down list.
SOAP You can decide whether to use the user [Operation page]: In the
Security name and password to synchronize navigation tree, choose
Configurati subscribers through the Simple Object System Management >
on Access Protocol (SOAP) interface. System Configuration >
If selecting to use the user name and External Interface
password, you can click Add to enter one Configuration. In the
or more entries. User Information FTP/
box, click
SOAP Security
Configuration tab.
the option button.
Start/Stop Enables/Disables account [Operation page]: In the

synchronization. Only the FTP interface navigation tree, choose
is supported. System Management >
External Interface
box.
the option button.

Acco Mode The following modes are available: [Operation page]: In the
unt l Through the login and logout logs of navigation tree, choose
Self- subscribers System Management >
learni System Configuration >
ng The system automatically learns the External Interface
account through the account login Configuration. In the
information. It is applicable to the Account Self-learning
scenario where the account cannot be group box, click
directly obtained in other mode and Configuration.
the account login information passes
through the RADIUS proxy. [Setting method] Click
the option button.
l Through the policy request messages
of subscribers
The system automatically leans the
account by extracting several user
attributes (such as the MAC address)
from service traffic. It is applicable to
the scenario where learnt user
attributes are several, and either
manual mode or batch import mode is
employed.
State Enables/Disables self-learning. [Operation page]: In the

navigation tree, choose
System Management >
External Interface
Account Self-learning
group box, click
Configuration.
the option button.
Area The system specifies all subscribers [Operation page]: In the

learnt through the user information study navigation tree, choose
function in this area. System Management >
External Interface
Account Self-learning
group box, click
Configuration.
the option button.

OMC The FTP server whose OMC [Operation page]: In the

Synchroniz Synchronization is Yes is added navigation tree, choose
ation automatically after system software is System Management >
installed. The IP address of the server is System Configuration >
synchronized to the back-end database External Interface
by the OMC on the Front End. Generally, Configuration. In the
you are recommended to use this server Account Self-learning
for self-learning. group box, click
The FTP server whose OMC Configuration.
Synchronization is No is added
manually.
4.2.11 Dynamic Attribute Description

This section describes the dynamic attributes of subscribers supported by the system. Dynamic
attributes are the subscriber attributes whose values can be upgraded along with the changes of
geological locations or environment, such as base station, cell, mobile phone type, and browser
type.
Table 4-5 lists the details on dynamic attributes of subscribers.
NOTE
The SIG system resolves and extracts the values of dynamic attributes through the RADIUS proxy server
from subscribers' online charging packets (such as RADIUS packets, GTP-C packets) or through the Front
End from subscribers' network traffic.
If you need to view the statistics report by attribute value, select the Enable Statistics check box when
you add the attribute.
For the subscribers, the sum of the number of areas and number of self-defined group attributes cannot
exceed 10. The self-defined group attributes consist of dynamic attributes and static group attributes.
A dynamic attribute takes effect only after it is successfully configured and synchronized to the Front End.
Then you can query traffic reports by dynamic attribute or make the policy applying the dynamic attribute
effective. For example, a subscriber goes online before the dynamic attribute takes effect and keeps online.
After the effective time, the subscriber goes online again and the policy applying the dynamic attribute
takes effect.

Table 4-5 Introduction to dynamic attributes

Name Packet Types and Adding Method Remarks
Attribute Fields
GN l Fixed network: You can either add the attributes Click Import. In the
(Gatewa NAS-IP-Address one by one manually or add displayed dialog box,
y Node) l G network: them in batches by using the click the link to obtain
3GPP-GGSN template. the Excel template.
Address For example, to add a GN whose For easy management,
l C network: NAS- IP address is 10.10.10.10 and one GN record can
IP-Address name is AreaA_GN, enter correspond to one or
10.10.10.10 in Sequence and more IP addresses;
l WLAN: NAS- AreaA_GN in Alias. therefore, add the
IP-Address attributes or import the
l WiMAX: NAS- template as required.
IP-Address The Area attribute is an
l GTP-C: GSN optional GN attribute.
Address When you add the
attributes or import the
template, choose
whether to set this value
as required.
SN l Fixed network: You can either add the attributes Click Import. In the
(Service Not supported one by one manually or add displayed dialog box,
Node) l G network: them in batches by using the click the link to obtain
3GPP-SGSN template. the Excel template.
address For example, to add an SN The Area attribute is an
l C network: whose IP address is 10.10.11.11 optional SN attribute.
3GPP2_PCF and name is AreaA_SN, enter When you add the
IP_Addr 10.10.11.11 in Sequence and attributes or import the
AreaA_SN in Alias. template, choose
l WLAN: Not whether to set this value
supported as required.
l WiMAX: Not NOTE
supported However, if on the
System Management >
l GTP-C: GSN
System Configuration
Address > System Basic
Configuration page, it is
configured to identify
subscribers' areas by
their access SNs, the
Area attribute is
mandatory.


Attribute Fields
Base Summarizes traffic You can either add the attributes Click Import. In the
Station according to the one by one manually or add displayed dialog box,
Cell attribute value. them in batches by using the click the link to obtain
Therefore, Base template. the Excel template.
Station takes effect For example, to add a base The Area attribute is an
only when Cell is station whose ID is 0001 and optional base station
enabled. name is AreaA_BTS, enter attribute. When you add
0001 in Sequence and the attributes or import
AreaA_BTS in Alias. the template, choose
whether to set this value
as required.
NOTE
However, if on the
System Management >
> System Basic
their access BTS, the
Area attribute is
mandatory.
Cell l Fixed network: You can either add the attributes Click Import. In the
Not supported one by one manually or add displayed dialog box,
l G network: them in batches by using the click the link to obtain
3GPP-User- template. the Excel template.
Location-Info For example, to add a cell whose The
l C network: ID is 0001 and name is Area and Base Station
3GPP2_BSID/ AreaA_Cell, enter 0001 in attributes are optional
3GPP2_Subnet Sequence and AreaA_Cell in cell attributes. When
Alias. you add the attributes or
l WLAN: Not import the template,
supported choose whether to set
l WiMAX: Not this value as required.
supported NOTE
l GTP-C: User However, if on the
System Management >
Location
Information > System Basic
their access cells, the
Area attribute is
mandatory.


Attribute Fields
Equipm l Fixed network: The value is default and cannot The equipment types
ent HTTP be set. include:
Type UserAgent l Phone
l G network: l Data Card
HTTP
UserAgent/User- l Other
Name
l C network:
HTTP
UserAgent/User-
Name
l WLAN: HTTP
UserAgent
l WiMAX: HTTP
UserAgent
l GTP-C: HTTP
UserAgent
Access l Fixed network: The value is default and cannot The access types
Type NAS-Port-Type be set. include:
l G network: l 1X
3GPP-RAT- l EVDO
Type
l UTRAN
l C network:
3GPP2_SO/ l GERAN
3GPP2_BSID l GAN
l WLAN: NAS- l WLAN
Port-Type l Other
l WiMAX: NAS-
Port-Type
l GTP-C: RAT
Type


Attribute Fields
Bearer l Fixed network: The value is default and cannot The bearer networks
Networ The RADIUS be set. include:
k Proxy resolves l 163
the User-Name
to generate the l CN2
attribute value. l Other
l G network: The
RADIUS Proxy
resolves the
User-Name to
generate the
attribute value.
l C network: The
RADIUS Proxy
resolves the
User-Name to
generate the
attribute value.
l WLAN: The
RADIUS Proxy
resolves the
User-Name to
generate the
attribute value.
l WiMAX: Not
supported
l GTP-C: Access
Point Name


Attribute Fields
Mobile The UserAgent The UserAgent fields are If this attribute of

Type fields in the HTTP extracted from subscribers' subscribers is not
Get packets HTTP Get packets and recognized, its value is
compared with rules of the N/A. Then, the system
terminal information signature automatically resolves
file, and thus this attribute value the UserAgent field of
of subscribers is obtained. new HTTP traffic.
You can import the terminal When the reports are
signature file delivered with the queried by attribute, the
version, or manually add or attributes whose values
change the feature item. are N/A are free from
The operation page of the statistics.
terminal information signature The regular expression
file: In the navigation tree, supports the wildcards
choose Basic Configuration > (* and ?). * indicates
Signature File Management > zero or multiple random
Terminal Information characters, and ?
Signature File. indicates one random
For example, to configure the character. However, to
system to recognize the mobile guarantee high
phone type as NOKIA if the performance, it is
UserAgent filed contains recommended to avoid
Nokia, enter Nokia in Regular wildcards as possible.
Expression and NOKIA in
Terminal Name, and select
Mobile Phone from Terminal
Type.


Attribute Fields
Browser The UserAgent The UserAgent fields in the If this attribute of

Type fields in the HTTP HTTP Get packets are extracted subscribers is not
Get packets from subscribers' network recognized, its value is
traffic and compared with rules N/A. Then, the system
of the terminal information automatically resolves
signature file, and thus this the UserAgent field of
attribute value of subscribers is new HTTP traffic.
obtained. For the traffic that is not
You can import the terminal generated by browsers,
signature file delivered with the this attribute value
version, or manually add or should be recognized as
change the feature item. N/A. For example,
The operation page of the enter Windows-
terminal information signature media-play in Regular
file: In the navigation tree, Expression, enter N/A
choose Basic Configuration > in Terminal Name,
Signature File Management > and select Browser
Terminal Information from Terminal Type.
Signature File. When the reports are
For example, to configure the queried by attribute, the
system to recognize the browser attributes whose values
type as FIREFOX if the are N/A are free from
UserAgent filed contains statistics.
Firefox, enter Firefox in The regular expression
Regular Expression and supports the wildcards,
FIREFOX in Terminal * and ?. * indicates zero
Name, and select Browser or multiple random
from Terminal Type. characters, and ?
indicates one random
character. However, to
guarantee high
performance, it is
recommended to avoid
wildcards as possible.


Attribute Fields
OS The UserAgent The UserAgent fields in the If this attribute of

Type fields in the HTTP HTTP Get packets are extracted subscribers is not
Get packets from subscribers' network recognized, its value is
traffic and compared with rules N/A. Then, the system
of the terminal information automatically resolves
signature file, and thus this the UserAgent field of
attribute value of subscribers is new HTTP traffic.
obtained. When the reports are
You can import the terminal queried by attribute, the
signature file delivered with the attributes whose values
version, or manually add or are N/A are free from
change the feature item. statistics.
The operation page of the The regular expression
terminal information signature supports the wildcards,
file: In the navigation tree, * and ?. * indicates zero
choose Basic Configuration > or multiple random
Signature File Management > characters, and ?
Terminal Information indicates one random
Signature File. character. However, to
For example, to configure the guarantee high
system to recognize the OS type performance, it is
as WINDOWS 7 if the recommended to avoid
UserAgent filed contains wildcards as possible.
Windows NT 6.1, enter
Windows NT 6.1 in Regular
Expression and WINDOWS 7
in Terminal Name, and select
OS from Terminal Type.
APN l Fixed network: The value can be added APN is a network

(Access Not supported manually. identifier that is defined
Point l G network: For example, to add an APN by the GPRS/UMTS
Name) Called-Station- (WAP services accessed system. On one hand,
Id through GPRS) whose name is an APN helps the
cmwap and alias is CMWAP, GPRS/UMTS identify
l C network: the GGSN. On the other
enter cmwap in Sequence and
Called-Station- hand, an APN identifies
CMWAP in Alias.
Id the external PDNs
l WLAN: Not (such as ISP network
supported and enterprise network)
connected through this
l WiMAX: Not GGSN or certain
supported associated services
l GTP-C: Access (such as Internet access
Point Name and WAP services).


Attribute Fields
Customi l Fixed network: The value can be added It is a user-customized

zed custom-service manually. requirement. To enable
Service (Customized For example, to add a this dynamic attribute,
fields) customized service whose contact technical
l G network: sequence number is 0011 and personnel of Huawei.
custom-service name is ExampleService, enter
(Customized 0011 in Sequence and
fields) ExampleService in Alias.
l C network: Not
supported
l WLAN: Not
supported
l WiMAX:
custom-service
(Customized
fields)
l GTP-C: Not
supported
VLAN Extracted from IP The value is default and cannot The system
traffic be set. automatically adds the
records whose VLAN
IDs range from 0 to
4095.
Network devices
employ VLAN IDs to
identify VLANs to
which packets belong.
A VLAN ID indicates
the ID of the VLAN to
which a packet belongs.
Its length is 12 bits and
its value ranges from 0
to 4095. 0 and 4095 are
reserved values of the
protocol; therefore, the
actual value ranges
from 1 to 4094.


Attribute Fields
Number Use the main You can either add the attributes -
Segmen identifier of one by one manually or add
t subscribers. them in batches by using the
template.
For example, to add an field
7777000 to 7777999, enter
7777000 in Start Number
Segment, enter 7777999 in End
Number Segment, and then
enter 7777 in Alias.
- l Fixed network: Customize dynamic attribute. -

Not supported The Attribute Code is 203. The
l G network: attribute value can be added
3GPP-Charging- according to that of the current
Characteristics network packets. For example:
0100, 0200, 0400 and 0800.
l C network: Not
supported
l WLAN: Not
supported
l WiMAX: Not
supported
l GTP-C: Not
supported
4.3 Configuring the VIC

This section described how to configure the VIC and corresponding areas, user groups, and
customized attributes. To configure a service to be applied to VICs, you should perform this
task first.
4.3.1 Overview
This section describes several related concepts of the VIC and multiple functions through the
VIC configuration.
The concepts related to the VIC are as follows:
l Area
Indicates the physical area. The system supports the hierarchical management over areas.
During the system installation, the installation and commissioning engineer defines the area
level of VICs upon the first login to the Back End. For VICs, the system supports up to
three levels of areas.

Areas are organized in tree structure. When adding areas, data configuration engineers
should start from the root area, and then create a new area in the root area and a subarea in
the current area, gradually building an area system. Only one root area can be added.
l VIC user group
Refers to a collection of one or more VICs.
To easily manage VICs in group mode, the system supports customizing user groups for
VICs. After adding one or more VICs to a user group, you can implement service policy
control based on the user group.
l VIC customized attribute
Refers to the customized VIC attributes.
Besides the area attribute predefined by the system, you can extend VIC attributes by adding
customized attributes.
In terms of whether VICs can be divided into finite groups, customized attributes are
categorized into the following types:
– Group attribute
These attributes, such as the gender, base station, cell, mobile phone, and browser, can
categorize VICs into finite groups.
– Non-group attribute
These attributes, such as the address and postal code, cannot categorize VICs into finite
groups.
With the configuration of VICs, the system can:
l Provide various account management for VICs
To meet the requirements of account management, you can select one or more following
modes:
– Providing the basic modes of adding, modifying, or deleting VICs.
– Manually importing VIC accounts from the .xls template file provided by the system
in batches.
l Manage the multi-level VIC areas and area-based data permission.
l Manage user groups, and customized attributes.

This section describes the procedure for configuring the VIC.

Figure 4-20 Procedure for configuring the VIC
Start
Configure the area
Is the customized No
attribute required?
Yes
Add the customized attribute
Add or import the VIC
Is the user No
group required?
Yes
Configure the user group
End

Table 4-6 Procedure for configuring the VIC

Action Description
Configure the area Add the area and assign data permission to the area of each level as
required.
l Read
l Write
and its subareas.
l Authorize
and its subareas.
NOTE
For the information about the permission control mechanism, see 22.2
Managing System Accounts and Permissions.
Network Management > Very Important Customer > Area
Management.

Network Management > Very Important Customer > Customized
Attributes Management.
Add or import the Add or import the VIC account to manage it.
VIC Operation page: In the navigation tree, choose Subscriber and
Network Management > Very Important Customer > VIC
Management.
Configure the user Except for applying policies to areas or other customized attribute
group groups, the SIG also supports the ability to apply policies to user
groups. Therefore, if you cannot manage subscriber and network
objects according to attribute groups, add and configure user groups.
Network Management > Very Important Customer > User Group
Management.
4.3.3 Typical Configuration Example 1 (Manually Adding VICs)

This section provides an example for configuring the VIC. The VIC is added manually.
Prerequisites

l The current user has the Subscriber and Network Management service permission and
the data permission for the areas to be managed.
Context
l The area contains three levels.

The name of the level-1 area is Beijing, the level-2 area is Haidian, and the level-3 area
is Zhongguancun.
l The VIC accounts to be imported include the following information:
– VIC name: ExampleVIC1; area: Zhongguancun; IP addresses: 10.10.10.0/28 and
20.20.20.20.
– VIC name: ExampleVIC2; area: Zhongguancun; IP addresses: 30.30.30.1 to
30.30.30.30 and 40.40.40.0/24.
Procedure

1. In the navigation tree, choose Subscriber and Network Management > Very Important
Customer > Area Management.
2. Click Add. Enter Beijing in Area Name. Click OK.
3. Click Beijing in the area list. Click Add. Enter Haidian in Area Name. Click OK.
4. Click Haidian in the area list. Click Add. Enter Zhongguancun in Area Name. Click
OK, as shown in Figure 4-21.
In the area list, click the area to be assigned with permissions. Click Assign Data
Step 3 Add the VIC.

Customer > VIC Management.
2. Click Add. The Add VIC dialog box is displayed.

Figure 4-22 Adding the VIC
4. Click the Static IP Address tab. Enter 20.20.20.20 in IP Address. Click Add.
5. Click the Static IP Segment tab. Select Mask from Type. Enter 10.10.10.0 in Subnet
Address. Enter 28 in Mask Digits. Click OK.
NOTE
When you add a static IP address segment of the Mask type, the allowed mask ranges from 16 to 32.
When you add a static IP address segment of the IP Segment type, the number of IP addresses on
the IP address segment should be smaller than or equal to 65536.
6. Click OK. The system returns to the previous page and the added record is displayed.
7. Repeat Step 3.2 to Step 3.6 to add ExampleVIC2.
----End
4.3.4 Typical Configuration Example 2 (Importing VICs in Batches)

This section provides an example for configuring the VICs. The VICs are imported from the
specific file in batches.
Prerequisites
The following requirements should be met:
Context
l The area contains three levels.

For example, the name of the level-1 area is Beijing, the level-2 area is Haidian, and the
level-3 area is Zhongguancun.
l The VIC accounts to be imported include the following information:
– VIC name: ExampleVIC1; area: Zhongguancun; IP addresses: 10.10.10.0/28 and
20.20.20.20.
– VIC name: ExampleVIC2; area: Zhongguancun; IP addresses: 30.30.30.1 to
30.30.30.30 and 40.40.40.0/24.
Procedure
Customer > Area Management.
4. Click Haidian in the area list. Click Add. Enter Zhongguancun in Area Name. Click

Step 3 Import VICs.
Customer > VIC Management.
2. Click Import. The Import VICs dialog box is displayed, as shown in Figure 4-24.

Figure 4-24 Importing VICs (1)
3. Click VIC Template to obtain the .xsl template file. In the file, enter the account
Figure 4-25 Importing VICs (2)
4. In the Import VICs dialog box, click Browse to select the edited file. Click OK.
5. Wait until the system prompts you that the operation is complete. In the displayed dialog
box, view logs to learn the information about successful and failure operations.
----End
4.4 Configuring the Link

This section describes how to manage the current links of the SIG, and add link groups required
for report statistics. To configure a service to be applied to links, you should perform this task
first.
4.4.1 Overview
This section describes what you can do by configuring the link.
The concepts relating to links are as follows:
l Links
Refers to a physical link monitored by the SIG. For example, as shown in Figure 4-26, GE
2/0/0 is connected to the user side and GE 2/0/1 to the network side, and between GE 2/0/0
and GE 2/0/1 is a link.

LPU
Link
GE2/0/0
Router A
Router B
GE2/0/1
The link is configured during the installation and commissioning of the system. According
to the result of checking 3.2 Checking the Status of the Front End and Back End, the
status is normal, indicating that the SIG successfully monitors the link.
l Areas
To implement the hierarchical management on virtual tunnels and link groups, on the
SIG, one managed region can be divided into several management units. Each management
unit is an area.
The system supports area-based multi-level management. During the installation of the
system, the area levels of virtual tunnels and links are specified after the installation and
commissioning engineer logs in to the Back End for the first time. For virtual tunnels and
links, the system supports up to three area levels.
Areas are organized in the tree structure. When adding an area, data configuration engineers
should start at the root area and then create subareas in the current area, gradually building
an area system. All the areas except the root area must have a parent area. Only one root
area can be added.
l Customized Attributes
Refer to customized link attributes.
In addition to current customized attributes, to extend link attributes as requires, you can
add customized attributes.
By configuring the link, you can:
l Check the configurations of links.
Information about a link, such as the name, number, and type, is specified during the
configuration of the link. For convenient identification of the link and corresponding front-
end devices, a link name is displayed as link type-device number in the cluster-link number-
link name.
For example, Figure 4-27 shows that the name of linka is displayed as 10G-1-1-linka and
that of linkb is 2.5G-2-2-linkb.

External Network
Router A Router B
Device Number in GE3/0/2

the Cluster: 1 Swtich1 DPI System
Link Name: linka DPI A
Link Type: 10G
Link Number: 1 GE3/0/1 GE3/0/2
DPI B
Device Number in
Router C Router D the Cluster: 2
Link Name: linkb
Link Type: 2.5G
Link Number: 2
Internal Network
l Add the link group required for report statistics.

To check the reports on the traffic trend or traffic proportion of several links at the same
time, you need to bind these links as a link group for report query.
For example, to easily check the trend of the total traffic over two links in Figure 4-27,
you need to bind the links as a link group.
l Manage the multi-level area and area-based permission.
l Manage the customized attribute
NOTE
Links are configured during the installation and commissioning of the system. Thus, the system
maintenance engineer needs to reconfigure the links only after a link is added or the connection cable of
an interface is changed. For how to configure links according to cable connections. see 4.4.4 Reference.

This section describes how to configuring links.
Figure 4-28 shows processing procedure.

Figure 4-28 Procedure for configuring links
Start
Check the link
Is the
area-based link Yes
management Configure the area
required?
No
Is the
Customized Yes Add the customized
attribute attribute
required?
No
Is the Yes Configure the link

link attribute
required? attribute
No
Is the Yes
link group Add the link group
required?
End
Table 4-7 Procedure description of configuring links

Action Description
Check the link Check the current physical link.

Operation page is: In the navigation tree, choose Subscriber and
Network Management > Network > Physical Link Management >
Link Management.

Action Description
Configure the area Add the area and assign the data permission to the area as required.
l Read
If your account has this permission for an area , you can view the
l Write
and its subareas.
l Authorize
and write permissions, you can assign data permissions to this area
and its subareas.
Network Management > Network > Area Management.

Network Management > Network > Customized Attributes
Management.
Configure the link Set the attribute as required and configure the corresponding value.
Link Management.
Add the link group Add and configure the user group as required.
Link Group Management.
4.4.3 Typical Configuration Example

This section provides an example for configuring the link.
Prerequisites
l 3.2 Checking the Status of the Front End and Back End is performed, and the status is
normal.
Context
Figure 4-29 shows the SIG in the networking of a carrier. Now, the task is to log in to the Back
End to check two links and bind them as a link group named linkgroup.

In this example, the area has two levels. The name of the level-1 area is Beijing and the names
of the level-2 areas are Haidian and Chaoyang. The name of the customized attribute is
LinkType whose values are 10G and 2point5G. Linka belongs to Haidian and linkb belongs
to Chaoyang.
Figure 4-29 Networking example of link management
External Network
Router A Router B
Device Number in GE3/0/2

the Cluster: 1 Swtich1 DPI System
Link Name: linka DPI A
Link Type: 10G
Link Number: 1 GE3/0/1 GE3/0/2
DPI B
Device Number in
Router C Router D the Cluster: 2
Link Name: linkb
Link Type: 2.5G
Link Number: 2
Internal Network
Procedure
Step 2 Check the link.
1. In the navigation tree, choose Subscriber and Network Management > Network >
Physical Link Management > Link Management.
2. On the Link Management page, check the configured links, as shown in Figure 4-30.


1. In the navigation tree, choose Subscriber and Network Management > Network > Area
Management.
4. Click Beijing in the area list. Click Add. Enter Chaoyang in Area Name. Click OK.
To grant data permissions, select the check box of Read, Write, or Authorize. For more
information about system accounts and permissions, see 22.2 Managing System Accounts
and Permissions.
Step 4 Add the customized attribute.

2. Click Add.
3. Enter LinkType in Attribute Name. Click OK.
4. Click Add. In the displayed dialog box, enter 10G in Attribute Value and Alias of the
value. Click OK.
5. Click Add. In the displayed dialog box, enter 2point5G in Attribute Value and Alias of
the value. Click OK.
Step 5 Configure the link attribute.

Physical Link Management > Link Management.
2. Click Link Property. In the displayed dialog box, click LinkType in the left list. Click
>>. Click OK.
3. In the link list, click the link in the linka row and Link Name column.
4. In the displayed dialog box, select Haidian from Area. Select 10G from LinkType. Click
OK.
5. In the link list, click the link in the linkb row and Link Name column.
6. In the displayed dialog box, select Chaoyang from Area. Select 2point5G from
LinkType. Click OK.
Step 6 Add the link group.

Physical Link Management > Link Group Management.
2. Click Add.
3. In the displayed dialog box, enter linkgroup in Link Group Name.
4. Click the Link tab. Click Add. Select the two links. Click OK.
----End

4.4.4 Reference
This section describes how to configure the link on the Front End, and provides a reference for
adding a link or changing a cable connection for the link.
Do as follows:
1. Log in to the Front End.
2. In the user view, run the system-view command to enter the system view.
3. Run the dpi-node command to enter the DPI node view.
4. Run the link name link-name number link-number type { 10g | 1g | 2.5g } command to
create a link.
5. Run the quit command to exit from the DPI node view.
6. Run the interface interface-type interface-number command to enter the user-side interface
view.
7. Run the dpi-node link number link-number inside command to configure the current
interface as the user-side interface of a specific link.
8. Run the quit command to exit from the interface view.
9. Run the interface interface-type interface-number command to enter the network-side
interface view.
10. Run the dpi-node link number link-number outside command to configure the current
interface as the network-side interface of a specific link.
11. Run the quit command to exit from the interface view.
NOTE
By default, the hash traffic diversion on the network-side interface is performed based on destination-ip
(destination IP addresses), and the hash traffic diversion on the user-side interface is performed based on
source-ip (source IP addresses). Generally, it is recommended to maintain the default traffic diversion
mode. To modify the mode, you should run the dpi-node link hash-mode { source-ip | destination-ip }
command in the interface view.
4.5 Configuring the Virtual Tunnel

This section describes how to manage the virtual tunnel monitored by the SIG, and related areas,
customized attributes, and virtual tunnel categories. To implement traffic report statistics and
QoS control over the virtual tunnel, you should perform this task.
4.5.1 Background of Introducing the Concept of Virtual Tunnel

This section describes why the concept of virtual tunnel is introduced.
Requirement 1: NE Traffic Analysis and Control

All the services provided by the SIG system are ultimately applied to subscriber and network
objects, for example, viewing the service reports of those objects, or applying control policies
to those objects.
Before introducing the virtual tunnel, the SIG supports subscriber and network objects including
subscribers, VICs, links, subnets, and traffic direction objects. In managing all the NEs in the
carrier's access layer network, the system lacks the ability to analyze and control the subscriber

traffic passing through upstream devices, for example, the PDSN, PCF, BTS, and cell shown in
Figure 4-31.
The preceding requirements cannot be met by the current subscriber and network objects. To
meet the requirements, the SIG system introduces a new object: user attribute virtual tunnel.
Figure 4-31 Analyzing and controlling the NE
IP network
DPI system
Front End Back End
ckets
IUS pa
RAD
PDSN
NE traffic analysis and control
RADIUS server
BSC/PCF
BTS
Subscriber
Requirement 2: Managing IP Traffic with Specified Signatures

As an expansion of the current subscriber and network objects, IP packets with the same
signatures are expected to be managed. The signature can include the IP quintuple, DSCP, VLAN
ID and MPLS Tag.
As shown in Figure 4-32, the current subscriber and network objects cannot meet the
requirements for managing the upstream and downstream traffic of all users accessing the server
group on a specified address segment. To meet the requirements, the SIG system introduces a
new object: stream attribute virtual tunnel.

Figure 4-32 Managing the IP traffic with specified signatures
The IP addresses IP network

accessed by
subscribers are on
the same segment.
DPI system
Front End Back End
et
pack
IUS
RAD
PDSN
RADIUS server
BSC/PCF
BTS
Subscriber
4.5.2 Introduction to User Attribute Virtual Tunnel

This section describes how to define the user attribute virtual tunnel and notes on using the
tunnel.
Defining a User Attribute Virtual Tunnel Using the Subscriber Group Attribute
The SIG system is required to identify the IP traffic of a specified NE. However, the IP traffic
of the NE does not carry exclusive signatures. In this case, the IP traffic is identified through
corresponding signaling packets.
As shown in Figure 4-33, on the carrier access layer network, the RADIUS packets generated
upon the subscriber's login carries the information about the NEs that the user IP traffic passes
through. In the SIG system, you can define those NE information as the dynamic attributes of

the subscriber, for example, the BTS, so that the system obtains the dynamic attribute value by
parsing the RADIUS accounting packets. (For example, the BTS ID is 1234567890.) The SIG
then identifies the NE traffic to be managed by gathering the subscriber IP traffic whose dynamic
attributes are the specified NE.
Figure 4-33 Defining a user attribute virtual tunnel using the subscriber group attribute
IP network
DPI system
Front End Back End

Parsing attribute value 1234567890 from the
RADIUS packets, and obtaining that subscriber
ets
A’s IP traffic is going to travel through BTS B pack
IUS
RAD
PDSN
RADIUS server
BSC/PCF
BTS B
BTS ID: 1234567890
Subscriber A
As shown in the above figure, the SIG system associates the target traffic to be identified with
a group of subscribers. The subscriber and network objects defined in this way are called user
attribute virtual tunnel.
Besides the dynamic attributes, any attribute that is exclusive to a subscriber can define a user
attribute virtual tunnel. In the SIG system, this type of attribute is called Group Attributes.
NOTE
A dynamic attribute must be a group attribute, while a group attribute does not necessarily be a dynamic
group.

Subscriber Group Attribute

The group attribute that can define a user attribute virtual tunnel includes:
l All enabled dynamic attributes
Indicate all the enabled dynamic attributes in the Subscriber and Network
Management > Subscriber > Customized Attributes Management page.
The dynamic attributes supported by the system include the GN, SN, BTS, and cell. For
details, see 4.2.11 Dynamic Attribute Description.
l Area
l Other customized group attributes
Indicate the customized group attributes added to the Subscriber and Network
Management > Subscriber > Customized Attributes Management page.
Precautions
l Before you define the user attribute virtual tunnel, ensure that the group attribute to define
the virtual tunnel is enabled. For details on subscribers and attributes, see 4.2 Configuring
the Subscriber.
l To facilitate the management, the system can categorize virtual tunnels by area and
customized attributes. Virtual Tunnel Category indicates a group of virtual tunnels with
the same customized attributes. For example, you can group all BTSs with the "BTS type"
attributes as a virtual tunnel categorization, and name the categorization as BTS.
For multiple virtual tunnels belonging to the same virtual tunnel category, you are advised
to ensure that their conditions cannot overlap, so that one packet can match at most one
virtual tunnel at one time. If a packet matches multiple virtual tunnel conditions in a virtual
tunnel category at the same time, only the virtual tunnel with the highest priority matches
the packet, which means The larger the value, the higher the priority.
l You can add a maximum of eight user attribute virtual tunnel categories to the system.
l You can add a maximum of 40,000 user attribute virtual tunnels to the system.
4.5.3 Introduction to Stream Attribute Virtual Tunnel

This section describes how the stream attribute virtual tunnel is defined and corresponding
precautions.
Defining the Stream Attribute Virtual Tunnel

The SIG system can define the stream attribute virtual tunnel by IP quintuple, DSCP, VLAN,
MPLS, or physical links, as shown in Figure 4-34.

Figure 4-34 Rules for defining the stream attribute virtual tunnel
Precautions
l To facilitate the management, the system can categorize virtual tunnels by area and
customized attributes. Virtual Tunnel Category indicates a group of virtual tunnels with
the same customized attributes.
For multiple virtual tunnels belonging to the same virtual tunnel category, you are advised
to ensure that their conditions cannot overlap, so that one packet can match at most one
virtual tunnel at one time. If a packet matches multiple virtual tunnel conditions in a virtual
tunnel category at the same time, only the virtual tunnel with the highest priority matches
the packet, which means The larger the value, the higher the priority.
l You can add a maximum of four stream attribute virtual tunnel categories to the system.
l You can add a maximum of 4000 stream attribute virtual tunnels to the system.
l You can add multiple virtual tunnel rules to one virtual tunnel. These virtual tunnel rules
form the "OR" relation. That is, if matching any virtual tunnel rule, the traffic can match
this virtual tunnel.
NOTE
The multiple attributes in one virtual tunnel rule form the "AND" relation. For example, if both
Remote IP Segment and Remote Port Segment are configured in a virtual tunnel rule, a packet
matches this rule only when it meets the two conditions at the same time.

4.5.4 Typical Application Value of the Virtual Tunnel on Carrier

Network
As a type of subscriber and network objects, the virtual tunnel, along with subscriber, VIC, link,
subnet, and traffic direction object, provides flexible capabilities of categorizing traffic, and
expands the application space of the SIG on the carrier network.
Analyzing and Controlling the NE Traffic

Use the CDMA network as an example. Define the PCF, BTS, and cell NE as user attribute
virtual tunnels, as shown in Figure 4-35.
Figure 4-35 Typical virtual tunnel application on the CDMA network

DPI System
Front Back
Virtual tunnel category 1: PCF End End
Virtual tunnel object: PCF1, PCF2, ...
Virtual tunnel category 2: BTS
Virtual tunnel category 3: Cell Virtual tunnel object: BTS1, BTS2, ...
Virtual tunnel object: Cell1, Cell2, ... PDSN
PCF1 PCF2 ... PCF(m-1) PCFm
BTS1 BTS2 BTS3 ... ... BTS(n-2) BTS(n-1) BTSn
Cell1 Cell2 Cell3 ... ... Cell(y-2) Cell(y-1) Celly
After defining the virtual tunnel, you can view the following reports in the SIG system to analyze
the NE traffic:
l Real time
l Traffic trend
l Trend of number of connections
l Traffic proportion
l Number of connections proportion
l Top N protocol
l Top N number of connections
l Bandwidth usage trend
l Top N traffic
l Top N number of connections
l Top N bandwidth usage
Using all the preceding reports, you can sense the change of the NE traffic and obtain accurate
data for network operation maintenance and expansions. In addition, the SIG system can directly
apply policies including rate limiting, priority mark, number of connections control, pass, and
not remark to virtual tunnels. For details on traffic reports and traffic QoS policies, see 5 Traffic
Management Service.

Analyzing and Controlling the IP Traffic with Specified Signatures

Similar to analyzing and controlling the NE traffic, you can analyze and control the traffic with
specified signatures by defining the target traffic as a stream attribute virtual tunnel.

This section describes the procedure for configuring the virtual tunnel.
Figure 4-36 Procedure for managing a virtual tunnel
Start
Is the virtual Yes

tunnel managed Configure the area
by area?
No
Is the customized Yes Add a customized

attribute added? attribute
No
Add the virtual tunnel
category
Add and configure the

virtual tunnel
End

Table 4-8 Procedure description of configuring the virtual tunnel
Action Description
Configure the area. Add the area and assign data permission to the area of each level as
required.
Three types of data permissions are available: Read, Write, and
Authorize. Details are as follows:
l Read
l Write
and its subareas.
l Authorize
and its subareas.
Network Management > Network > Area Management.
Add a customized Add the customized attribute as required. When you apply the policy,
attribute. if you bind a policy package according to a customized attribute value,
the system binds the policy package to each group of virtual tunnel
that matches the customized attribute value.
Network Management > Network > Customized Attributes
Management.
Add the virtual Add the virtual tunnel category according to report statistics and traffic
tunnel category. management requirements.
Network Management > Network > Virtual Tunnel
Management > Virtual Tunnel Category.
Add and configure Add the virtual tunnel objects to be managed and configure the rule
the virtual tunnel. definition and other related attributes for these virtual tunnels.
Management > Virtual Tunnel Object.
4.5.6 Typical Configuration Example 1 (User Attribute Virtual

Tunnel, Defining SN as the Virtual Tunnel Category)
This section provides an example for configuring the virtual tunnel. Suppose that you need to
manage the traffic of Service Node (SN) devices on wireless networks and view traffic reports.
Therefore, you should define SN as the virtual tunnel category.

Prerequisites
l SN in the customized attribute for subscribers is enabled and the NE information (IP address
and alias) about various SNs to be managed is imported.
The SIG is deployed on a carrier's network, as shown in Figure 4-37. According to device
management requirements, it is required that users can view traffic reports and configure traffic
QoS based on the SN and its bandwidth processing capability.
In this case, users should add virtual tunnel category SN, virtual tunnels SN1 and SN2, and
customized attribute Processing Capability. Suppose that the processing capability of SN1 is
50 Mbit/s, and that of SN2 is 100 Mbit/s.
Figure 4-37 Networking diagram managing the virtual tunnel
IP Backbone
PE PE
PE PE
CE CE
CE CE
DPI System
Front Back
Front End
End
End
GN1 GN2
Wireless access network
SN1 SN2
BTS1 … BTS3
BTS2

Procedure
2. Click Add.
3. Enter Processing Capability in Attribute Name and click OK.
4. Click Add. In the pop-up dialog box, enter 1 in Attribute value, and 50M in Alias of the
value. Then click OK.
5. Click Add. In the pop-up dialog box, enter 2 in Attribute value, and 100M in Alias of the
value. Then click OK, as shown in Figure 4-38.
Step 3 Add a virtual tunnel category.
Virtual Tunnel Management > Virtual Tunnel Category.
2. Click Add.
3. In the pop-up dialog box, enter SN in Name.
4. Click Add. In the pop-up dialog box, select the check box of Processing Capability, and
then click OK, as shown in Figure 4-39.

Figure 4-39 Adding a virtual tunnel category
Step 4 Add and configure virtual tunnels.
Virtual Tunnel Management > Virtual Tunnel Object.
2. Click Add.
3. Enter SN1 in Virtual Tunnel Name; select SN from Virtual Tunnel Category, and
50M from Processing Capability; enter or select an unoccupied number in Priority, as
NOTE
Priority can be automatically assigned by the system. When you select this mode to add virtual
tunnels, set the text box to the right of Priority to be blank.

Figure 4-40 Adding virtual tunnels
4. Click OK. The Virtual Tunnel Rule Definition tab is displayed.

5. Click Add. In the pop-up dialog box, select SN1 from SN and then click OK, as shown in
Figure 4-41.
SN1 is already imported in the customized attribute for subscribers.
Figure 4-41 Adding virtual tunnel rules
6. Click Close. The system returns to the previous page and the added record is displayed.
7. Repeat Step 4.2 to Step 4.6 to add virtual tunnel SN2.
----End
4.5.7 Typical Configuration Example 2 (User Attribute Virtual

Tunnel, Defining BTS as the Virtual Tunnel Category)
manage the traffic of station devices on wireless networks and view traffic reports. Therefore,
you should define BTS as virtual tunnel category.

Prerequisites
l BTS in the customized attribute for subscribers is enabled and the NE information
(sequence and alias) about various BTSs to be managed is imported.
The SIG is deployed on a carrier's network, as shown in Figure 4-42. According to device
management requirements, it is required that users can view traffic reports and configure traffic
QoS based on the BTS and its type.
In this case, users should add a category BTS for virtual tunnels, virtual tunnels including BTS1,
BTS2, and BTS3, and customized attribute BTS Type. Suppose that the types of BTSs BTS1,
BTS2, and BTS3 are respectively 1X, DO, and 1X.
In addition, to manage the previous virtual tunnels by area easily, users need to add area
Beijing, and sub-areas Haidian and Chaoyang. BTS1 and BTS2 belong to Haidian, and BTS3
to Chaoyang.
Figure 4-42 Networking diagram of managing the virtual tunnel
IP Backbone
PE PE
PE PE
CE CE
CE CE
DPI System
Front Back
Front End
End
End
GN1 GN2
SN1 SN2
BTS1 … BTS3
BTS2

Procedure

1. In the navigation tree, choose Subscriber and Network Management > Network > Area
Management.
3. Click Beijing in the area list. Click Add, and enter Haidian in Area Name. Then click
OK.
4. Click Beijing in the area list. Click Add, and enter Chaoyang in Area Name. Then click
OK.

2. Click Add.
3. Enter BTS Type in Attribute Name and click OK.
4. Click Add. In the pop-up dialog box, enter 1X in Attribute value, and 1X in Alias of the
value. Then click OK.
5. Click Add. In the pop-up dialog box, enter DO in Attribute value, and DO in Alias of the
value. Then click OK, as shown in Figure 4-43.


2. Click Add.
3. In the pop-up dialog box, enter BTS in Name.
4. Click Add. In the pop-up dialog box, select the check box of BTS Type, and then click

2. Click Add.
3. Enter BTS1 in Virtual Tunnel Name; select BTS from Virtual Tunnel Category, and
1X from BTS Type; enter or select an unoccupied number in Priority; select Haidian from
Virtual Tunnel Area, as shown in Figure 4-45.
NOTE

Figure 4-45 Adding virtual tunnels

5. Click Add. In the pop-up dialog box, select BTS1 from BTS and then click OK, as shown
in Figure 4-46.
BTS1 is already added in the customized attribute for subscribers.
Figure 4-46 Adding virtual tunnel rules
7. Repeat Step 5.2 to Step 5.6 to add virtual tunnels BTS2 and BTS3.
----End
4.5.8 Typical Configuration Example 3 (Stream Attribute Virtual

Tunnel, Defining the Traffic of Local IP Address or Remote IP
Address as the Virtual Tunnel)
This section provides an example for configuring the virtual tunnel. Suppose that all VPN traffic
is required denying by default except certain VPN traffic of the specified local IP address or

remote IP address. In this case, you should specify the traffic of the local IP address or remote
IP address as the virtual tunnel.
Prerequisites
The current user has the Subscriber and Network Management and Traffic Management
service permissions.
The SIG is deployed on a carrier's network, as shown in Figure 4-47. Service requirements are
as follows:
l Allow IPSec VPN traffic on local IP address segments ranging from 20.20.20.1 to
20.20.20.254 through.
l Allow VPN traffic on remote IP address segments ranging from 66.66.66.1 to 66.66.66.254
through.
l Block all VPN traffic except the previous one on linka.
External network
Router A
Front End
linka Switch Back End
Router B
Internal network
Table 4-9 shows data planning.
Table 4-9 Data planning of the example for managing the virtual tunnel
Item Data
Virtual Tunnel Category l Name: VPN_Pass_VTCategory

l Type: Stream Attribute

Item Data
Virtual Tunnel l Virtual Tunnel Name: VT1

l Virtual Tunnel Category: VPN_Pass_VTCategory
l Priority: 100
l Virtual Tunnel Rule: The local IP address segment ranges from
20.20.20.1 to 20.20.20.254.
l Virtual Tunnel Name: VT2

l Virtual Tunnel Category: VPN_Pass_VTCategory
l Priority: 200
l Virtual Tunnel Rule: The remote IP address segment ranges
from 66.66.66.1 to 66.66.66.254.
QoS Policy Package l Name: VPN_Block_QoS1

l Item Type: Rate Limiting
l Item Name: VPN_Block_Item
l Flow Classification: Tunneling
l Maximum Upstream Bandwidth: 0
l Maximum Downstream Bandwidth: 0
l Name: IPSec_Pass_QoS2
l Item Type: Pass
l Item Name: IPSec_Pass_Item
l Flow Classification: IPSec
l Upstream QoS Pass: Pass
l Downstream QoS Pass: Pass
l Name: VPN_Pass_QoS3
l Item Type: Pass
l Item Name: VPN_Pass_Item
l Flow Classification: Tunneling
l Upstream QoS Pass: Pass
l Downstream QoS Pass: Pass
Policy Application l Policy Package Name: VPN_Block_QoS1

l Object: linka
l Policy Package Name: IPSec_Pass_QoS2

l Object: VT1
l Policy Package Name: VPN_Pass_QoS3

l Object: VT2

Procedure

2. Click Add.
3. Figure 4-48 shows parameter settings.

2. Click Add.
NOTE

Figure 4-49 Adding a virtual tunnel (1)

5. Click Add.

NOTE
You can add multiple virtual tunnel rules to one virtual tunnel. These virtual tunnel rules form the
Or relation. That is, if matching any virtual tunnel rule, the traffic can match this virtual tunnel.
7. Click OK.
9. Repeat Step 3.2 to Step 3.8 to add virtual tunnel VT2 according to the data planning.
Step 4 Add a QoS policy package.
1. In the navigation tree, choose Traffic Management > QoS > QoS Policy Package
Management.
2. Click Add.
3. In the pop-up dialog box, enter VPN_Block_QoS1 in Name, and then click Save.
4. Select Rate Limiting from Item Type, and click Add.

Figure 4-51 Adding a policy item
6. Click OK. The system returns to the previous page and displays the added policy item.
7. Click Close. The system returns to the previous page and displays the added policy package.
8. Repeat Step 4.2 to Step 4.7 to add policy packages IPSec_Pass_QoS2 and
VPN_Pass_QoS3 according to the data planning.
For details on how to add and apply the QoS policy package, see 5.4 Configuring Traffic
QoS.
Step 5 Apply the QoS policy package.

Physical Link Management > Link Policy Application.
2. Click Add.
4. Click OK.
Virtual Tunnel Management > Virtual Tunnel Policy Application.
6. Click Add.

8. Click OK.
9. Click Add.
10. In the pop-up dialog box, select QoS from Policy Package Type, VPN_Pass_QoS3 from
Policy Package Name, and VT2 from Virtual Tunnel.
11. Click OK.
----End
4.5.9 Typical Configuration Example 4 (Stream Attribute Virtual

Tunnel, Defining VLAN Traffic as the Virtual Tunnel)
apply the QoS policy to all traffic on the link by external VLAN ID and internal VLAN ID.
Prerequisites
The current user has the Subscriber and Network Management and Traffic Management
The SIG is deployed on a carrier's network, as shown in Figure 4-54. Service requirements are
as follows:

l Set the maximum upstream bandwidth to 200 kbit/s and maximum downstream bandwidth
to 400 kbit/s for the traffic whose external VLAN ID is 1000 on the link.
l Set the maximum upstream bandwidth to 100 kbit/s and maximum downstream bandwidth
to 200 kbit/s for the traffic whose external VLAN ID is 2000 on the link.
External network
Router A
Front End
Router B
Internal network
Table 4-10 shows data planning.
Table 4-10 Data planning of the example for managing the virtual tunnel
Item Data
Virtual Tunnel Category l Name: VLAN_VTCategory

l Type: Stream Attribute
Virtual Tunnel l Virtual Tunnel Name: VT1

l Virtual Tunnel Category: VLAN_VTCategory
l Priority: 100
l Virtual Tunnel Rule Definition: External VLAN ID 1000
l Virtual Tunnel Name: VT2

l Virtual Tunnel Category: VLAN_VTCategory
l Priority: 200
l Virtual Tunnel Rule Definition: External VLAN ID 2000

Item Data
QoS Policy Package l Name: VLAN_QoS1

l Item Name: VLAN_Item
l Flow Classification: Total
l Maximum Upstream Bandwidth: 200kbit/s
l Maximum Downstream Bandwidth: 400kbit/s
l Name: VLAN_QoS2
l Item Name: VLAN_Item
l Maximum Upstream Bandwidth: 100kbit/s
l Maximum Downstream Bandwidth: 200kbit/s
Policy Application l Policy Package Name: VLAN_QoS1

l Object: VT1
l Policy Package Name: VLAN_QoS2

l Object: VT2
Procedure
2. Click Add.

2. Click Add.
NOTE


5. Click Add.

7. Click OK.
9. Repeat Step 3.2 to Step 3.8 to add virtual tunnel VT2 according to the data planning.
Management.
2. Add policy packages VLAN_QoS1 and VLAN_QoS2 according to the data planning.
For details on how to add and apply the QoS policy package, see 5.4 Configuring Traffic
QoS.
2. Click Add.
3. In the pop-up dialog box, select QoS from Policy Package Type, VLAN_QoS1 from
4. Click OK.
5. Click Add.
6. In the pop-up dialog box, select QoS from Policy Package Type, VLAN_QoS2 from
7. Click OK.
----End

4.6 Configuring the AS Domain Group

This section describes how to configure the AS domain group and corresponding AS domains
and BGP. To configure a service to be applied to AS domain groups, you should perform this
task first.
4.6.1 Overview
This section describes several concepts of the AS domain group. You can implement many
functions by configuring the AS domain group.
The related concepts of the AS domain group are as follows:
l Autonomous System (AS)
Refers to a set of routers adopting the same routing policy and managed by one or more
network operators.
Similar to the IP address, the AS number is allocated by the international organization. The
Front End of the SIG is generally deployed in the private AS domain and learns the AS
information from the network by establishing the EBGP neighbor relationship with
neighbor routers.
l AS domain group
Refers to a set of AS domains. AS domain group helps carriers flexibly collect statistics on
traffic among AS domains.
Installation commissioning engineers or data configuration engineers should configure the
AS domain group on the Front End, and then they can log in to the Back End to collect
traffic direction statistics or configure QoS for the objects applied to the traffic direction.
Related traffic directions include between one link (or link group) and one AS domain
group, between one AS domain group and another AS domain group, and between one
subnet and one AS domain group.
l BGP
Refers to the dynamic routing protocol among ASs. Different from Internal Gateway
Protocols (IGPs) such as OSPF and RIP, BGP is an External Gateway Protocol (EGP) that
mainly controls route spread and selection instead of finding and computing routes.
For details about BGP, see 4.6.4 BGP Overview and 4.6.5 BGP Message Types.
l Internal BGP (IBGP) and External BGP (EBGP)
The BGP running within an AS is called IBGP; The BGP running among different ASs is
called EBGP.
l Peer and peer group
A router that sends the BGP information is called a BGP speaker. The BGP speaker receives
or generates new routing information, and then advertises it to other BGP speakers. When
a BGP speaker receives a route from other ASs, if this route have precedence over current
ones, or no route exists currently, the BGP speaker advertises this route to other BGP
speakers.
The BGP speakers that exchange messages are mutually peers. Several peers can form a
peer group.
By configuring the AS domain group, you can configure AS domain groups and corresponding
BGP and peers, which facilitates traffic direction statistics and traffic direction QoS.


This section provides an example for configuring the AS domain group.
Prerequisites
l The current user has the User and Network Management service permission.
Context
Figure 4-58 shows a network example of the SIG. The details on networking are as follows:
l DPI A is the master device, DPI B is the backup device, and DPI C is the slave device.
These three Front Ends form a cluster.
l DPI A and DPI B learn BGP information from RR. DPI C learns the BGP information from
DPI A and DPI B.
l The external AS number includes: 65008 and 65009, and the local AS number is 65006.
The AS number used by DPI A, DPI B, and DPI C is 65533.
It is required to collect statistics on the traffic directions between link a, link b, or link c and AS
65008, between link a, link b, or link c and AS 65009, and between AS 65008 and AS 65009
that pass AS 65006.

Figure 4-58 Networking diagram of configuring the AS domain group
External Network
AS65008、AS65009
Router RR Router Router

50.1.2.1
DPI B
GE5/0/1
200.1.2.1
Switch
200.1.0.1 200.1.0.2
DPI A
GE5/0/1
200.1.1.1 200.1.0.3
DPI C
GE5/0/1
200.1.3.1
Back End
linka linkb linkc
Router Router Router
Internal Network
AS65006
According to the service requirement, when configuring the AS domain group, you should
configure AS65008 as an AS domain group and AS65009 as another AS domain group. Each
of the AS domain groups have only one AS number.
Procedure
Step 1 Log in to Front End DPI A.
Step 2 Configure the BGP and routing.
# DPI A learns the EBGP routes through RR and DPI C learns IBGP routes from DPI A. The
number of the local AS is 65006, and the number of private AS is 65533. The gateway address
for network 200.1.0.0/16 to reach the RR is 200.1.0.1.
<DPIA> system-view
[DPIA] bgp 65533
[DPIA-bgp] router-id 200.1.1.1
[DPIA-bgp] peer 50.1.2.1 as-number 65006
[DPIA-bgp] peer 50.1.2.1 ebgp-max-hop
[DPIA-bgp] peer 50.1.2.1 enable
[DPIA-bgp] peer 50.1.2.1 connect-interface GigabitEthernet 5/0/1

[DPIA-bgp] peer 200.1.3.1 as-number 65533

[DPIA-bgp] peer 200.1.3.1 enable
[DPIA-bgp] peer 200.1.3.1 connect-interface GigabitEthernet 5/0/1
[DPIA-bgp] quit
[DPIA] ip route-static 50.1.0.0 255.255.0.0 200.1.0.1 // Indicates the route
to the RR to learn the BGP information on the network.
NOTE
You need to configure the RR to establish the peer relationship between DPI A and RR.
After you run the display bgp peer command, if the peer is in Established state, the peer is normal.
After you run the display fib command, if you can view the BGP routes, the static routes of the RR are
successfully added.
Step 3 Configure the AS domain group.

[DPIA] dpi-node
[DPIA-dpi-node] as-group name as8 number 8
[DPIA-dpi-node-asgroup-as8] item 1 as-number 65008
[DPIA-dpi-node-asgroup-as8] quit
[DPIA-dpi-node] as-group name as9 number 9
[DPIA-dpi-node-asgroup-as9] item 1 as-number 65009
[DPIA-dpi-node-asgroup-as9] quit
Step 4 Log in to Front End DPI B.

Step 5 Configure the BGP and routing.
# DPI B learns the EBGP routes through RR and DPI C learns IBGP routes from DPI B. The
number of local AS is 65006, and the number of the private AS is 65533. The gateway address
for network 200.1.0.0/16 to reach the RR is 200.1.0.2.
<DPIB> system-view
[DPIB] bgp 65533
[DPIB-bgp] router-id 200.1.2.1
[DPIB-bgp] peer 50.1.2.1 as-number 65006
[DPIB-bgp] peer 50.1.2.1 ebgp-max-hop
[DPIB-bgp] peer 50.1.2.1 enable
[DPIB-bgp] peer 50.1.2.1 connect-interface GigabitEthernet 5/0/1
[DPIB-bgp] peer 200.1.3.1 as-number 65533
[DPIB-bgp] peer 200.1.3.1 enable
[DPIB-bgp] peer 200.1.3.1 connect-interface GigabitEthernet 5/0/1
[DPIB-bgp] quit
[DPIB] ip route-static 50.1.0.0 255.255.0.0 200.1.0.2 // Indicates the route
to the RR to learn the BGP information on the network.
Step 6 Configure the AS domain group.

[DPIB] dpi-node
[DPIB-dpi-node] as-group name as8 number 8
[DPIB-dpi-node-asgroup-as8] item 1 as-number 65008
[DPIB-dpi-node-asgroup-as8] quit
[DPIB-dpi-node] as-group name as9 number 9
[DPIB-dpi-node-asgroup-as9] item 1 as-number 65009
[DPIB-dpi-node-asgroup-as9] quit
Step 7 Log in to Front End DPI C.

Step 8 Configure BGP.
# DPI C learns IBGP routes from DPI A and DPI B. The gateway address for network
200.1.0.0/16 to reach the RR is 200.1.0.3.
<DPIC> system-view
[DPIC] bgp 65533
[DPIC-bgp] router-id 200.1.3.1
[DPIC-bgp] peer 200.1.1.1 as-number 65533
[DPIC-bgp] peer 200.1.1.1 enable
[DPIC-bgp] peer 200.1.1.1 connect-interface GigabitEthernet 5/0/1

[DPIC-bgp] peer 200.1.2.1 as-number 65533

[DPIC-bgp] peer 200.1.2.1 enable
[DPIC-bgp] peer 200.1.2.1 connect-interface GigabitEthernet 5/0/1
[DPIC-bgp] quit
[DPIC] ip route-static 50.1.0.0 255.255.0.0 200.1.0.3 // Add the route to
the RR, otherwise the BGP route that has been learnt cannot enter into the FIB
tabel.
Step 10 View the AS domain group.

Subnet And AS Domain Group > AS Domain Group Query.
2. Check the added AS domain groups in the list, including as8 and as9 as shown in Figure
4-59.
Figure 4-59 Configure the AS domain group.
Step 11 Collect traffic direction statistics.

For details, see 5.6 Implementing Traffic Direction Statistics.
----End
4.6.3 Reference
This section describes the common commands for configuring the AS domain group.
Table 4-11 AS domain group configuration commands
Item Command
Display the AS display dpi-node as-group [ name as-group-name | number as-group-

domain group number | as-number [ as-number ] ]
information.
Display the peer display bgp group [ group-name ]

group
information.
Display the BGP display bgp peer [ peer-address ] [ log-info | verbose ]

peer information.
Display the BGP display bgp routing-table ip-address [ { mask | mask-length } [ longer-
route information. prefixes ] ]

Item Command
Display the display fib [ verbose ] [ | { begin | exclude | include } regular-

abstract expression ]
information of the
forwarding table.
For the installation and basic configurations on the Front End and Back End, refer to the
HUAWEI SIG9800 Service Inspection Gateway Hardware Installation Guide and HUAWEI
SIG9800 Service Inspection Gateway Software Installation Guide.
For more configurations on the Front End, refer to the HUAWEI SIG9800 Service Inspection
Gateway Commissioning Guide; for more commands of the Front End, refer to the HUAWEI
SIG9800 Service Inspection Gateway Command Reference.
4.6.4 BGP Overview

The Border Gateway Protocol (BGP) is a dynamic routing protocol used between Autonomous
Systems (ASs).
BGP has three early versions, BGP-1 (defined in RFC 1105), BGP-2 (defined in RFC 1163),
and BGP-3 (defined in RFC 1267). The current version of BGP is BGP-4 (defined in RFC 1771).
The Internet Service Providers (ISPs) widely use BGP-4 as an exterior routing protocol on the
Internet.
NOTE
The following BGPs refer to BGP-4 unless otherwise stated.
The following are features of BGP:
l It focuses on route propagation control and selection of optimal routes rather than discovery
and calculation of routes. This distinguishes it from the Interior Gateway Protocols (IGPs)
such as OSPF and RIP. BGP is an Exterior Gateway Protocol (EGP).
l It uses TCP as the transport layer protocol to enhance the reliability of the protocol. The
port number is 179.
l It supports Classless Inter-Domain Routing (CIDR).
l It transmits updated routes only. This occupies less bandwidth and is suitable for
propagating a large amount of routing information on the Internet.
l It eliminates route loops by adding AS-path information to BGP routes.
l It extends easily to support new development of the network.
The router sending BGP message is a BGP speaker. The BGP speaker receives or generates
routing information and advertises it to other BGP speakers. When a BGP speaker receives a
route from other ASs, it advertises the route to other BGP speakers in the AS if the route is better
than the current route or this route does not exist in this AS.
BGP speakers exchanging message are peers of each other. Multiple BGP peer forms a peer
group.
BGP runs on a router in two modes: Internal BGP (IBGP) and External BGP (EBGP) .

The BGP is called an IBGP when it runs within an AS. It is called an EBGP when it runs among
ASs.
4.6.5 BGP Message Types
Message Header Format

BGP is driven by messages of the following five types. These messages are transmitted with
TCP. The maximum length of a message is 4096 bytes and the minimum length is 19 bytes
(including packet header only). These messages have the same packet header.
The message header format is shown in Figure 4-60.
Figure 4-60 Packet header of BGP messages

0 7 15 31
Marker
Length Type
The main fields are explained as follows:

l Marker
It used for calculation in BGP authentication. If there is no authentication, it is all "1"s.
l Length
It indicates the total length of a BGP message (including packet header) in bytes. The value
is in the range of 19 to 4096.
l Type
It indicates the message type. It can be 1 to 5, representing Open, Update, Notification,
Keepalive and Route-refresh messages respectively. The first four message types are
defined in RFC 1771 and the last one is defined in RFC 2918.
Open Message
The open message is the first message sent after the creation of a TCP connection, which is used
to connect BGP peers.
The message format is shown in Figure 4-61.

Figure 4-61 Format of Open messages

0 7 15 31
Version
My Autonomous System
Hold Time
BGP Identifier
Opt Parm Len
Optional Parameters

l Version
It indicates BGP version number. For BGP-4, it is 4.
l My Autonomous System
It indicates the local AS number. You can determine whether it is an EBGP connection or
an IBGP connection by comparing the AS numbers of the BGP peers.
l Hold Time
The BGP peers need to negotiate the hold time when establishing the peer relationship and
keep it consistent. If the hold time of all sides is not same, BGP selects the smaller value.
If one side does not receive Keepalive or Update messages from its peer within this time,
it considers the BGP connection as closed.
l BGP Identifier
It identifies a BGP router. It is in the form of IP address.
l Opt Parm Len (Optional Parameters Length)
It indicates the length of the Optional Parameters field. The value 0 indicates no optional
parameters.
l Optional Parameters
It indicates the optional parameters used for BGP authentication or multiprotocol
extensions.
Update Message
The Update messages are used to exchange routing information between BGP peers. It can
advertise one feasible route, or withdraw multiple unfeasible routes.
Figure 4-62 Format of Update messages

Unfeasible Routes Length (2 octets)
Withdrawn Routes (variable)
Total Path Attribute Length (2 octets)
Path Attributes (variable)
Network Layer Reachability Information (variable)

l Unfeasible Routes Length

It indicates the length of the Withdrawn Routes field in bytes. The value 0 represents no
Withdrawn Routes field.
l Withdrawn Routes
It contains a list of unfeasible routes.
l Total Path Attribute Length
It indicates the length of the Path Attributes field in bytes. The value 0 represents no Path
Attributes or NLRI field.
l Path Attributes
It contains a list of all path attributes related to Network Layer Reachability Information
(NLRI). Each path attribute is a triple Type-Length-Value (TLV).
– Type: It indicates the attributes type (2 bits), including Attribute Flags and Attribute
Type Code.
– Length: It indicates the total length of a path attributes. The number of bytes occupied
by the Length field is determined by the extended length (E) bit value of the Type field.
If the bit value is 0, the third byte is Length; if the bit value is 1, both the third and the
fourth bytes are occupied by the Length field.
– Value: It indicates the value of a path attributes.
l NLRI
It indicates the prefix of a feasible route and the length of the prefix.
Notification Message
The notification message is used for one side to notify errors to its peer. After that, the BGP
connection is closed immediately.
Figure 4-63 Format of Notification messages

0 7 15 31
Error Code Error Subcode
Data
l Error Code
It specifies the error type.
l Error Subcode
It specifies the details of the error type.
l Data
It is used to diagnose the reason for the error. Its length is variable.

The information of the Notification message Error Code and Erro Subcode is shown in Table
4-12
Table 4-12 Error codes and error subcodes of the Notification messages
Error Code Error Subcode
1: Message head error. l 1: Unsynchronized connection.

l 2: Incorrect message length.
l 3: Incorrect message type.
2: Open message error. l 1: Unsupported version number.

l 2: Incorrect peer AS.
l 3: Incorrect BGP identifier.
l 4: Unsupported optional parameter.
l 5: Authentication failed.
l 6: Unacceptable hold-in time.
3: Update message error. l 1: Malformed attribute list.

l 2: Unidentifiable accepted attribute.
l 3: Accepted attribute miss.
l 4: Attribute label error.
l 5: Attribute length error.
l 6: Invalid Origin attribute.
l 7: AS route loop
l 8: Invalid Next_Hop attribute.
l 9: Optional attribute error.
l 10: Invalid network field.
l 11: Malformed AS_Path.
4: Hold timer overflow. 0
5: Finite state machine error. 0
6: Terminate 0
Keepalive Message
The keepalive message is used to check the validity of a connection. It only contains the packet
header without any other fields.
Route-refresh Message
The Route-refresh message notifies the route refreshment capability.
If all routers of BGP are enabled with route-refresh capability, local BGP router sends route-
refresh information to peers when the routing policy of BGP changes. The peers receiving the
information resends routing information to the local BGP router. Thus, the routing table of BGP

can be dynamically refreshed and the new routing policy can be used without interrupting BGP
connections.
4.7 Configuring the Subnet

This section describes how to configure the subnet. To configure a service to be applied to
subnets, you should perform this task first.
4.7.1 Overview
A subnet is a collection of IP addresses. The subnet consists of one or multiple IP segments.
Both IPv4 and IPv6 addresses can be added to the subnet. For subnet management, the SIG
supports manually adding, modifying, and deleting subnets, as well as importing subnets in
batches from the .xls template provided by the system.
4.7.2 Typical Configuration Example 1 (Manually Adding Subnets)

This section provides an example for configuring the subnet. The subnet is added manually.
Prerequisites
Context
The subnets to be imported include the following information:
l Subnet name: ExampleSubnet1; IP addresses: 10.10.10.0/28 and 20.20.20.20.
l Subnet name: ExampleSubnet2; IP addresses: 30.30.30.0 to 30.30.30.30 and 40.40.40.0/24.
Procedure
Step 2 Add a subnet.
Subnet And AS Domain Group > Subnet Management.
2. Click Add. The Add Subnet dialog box is displayed.
3. Enter ExampleSubnet1 in Subnet Name, as shown in Figure 4-64.

Figure 4-64 Adding a subnet
4. Click the IP Segment tab. Select Mask from Type. Enter 10.10.10.0 in Subnet
Address. Enter 28 in Mask Digits. Click Add. A record is added to the list in the dialog
box.
5. Select IP Segment from Type. Enter 20.20.20.20 in Start IP Address. Enter
20.20.20.20 in End IP Address. Click Add. Another record is added to the list in the dialog
box.
6. Click OK. The system returns to the previous page and the added records are displayed.
----End
4.7.3 Typical Configuration Example 2 (Importing subnets in

Batches)
This section provides an example for configuring the subnet. The subnets are imported from the
specific file in batches.
Prerequisites
Context
The subnets to be imported include the following information:
l Subnet name: ExampleSubnet1; IP addresses: 10.10.10.0/28 and 20.20.20.20.

l Subnet name: ExampleSubnet2; IP addresses: 30.30.30.0 to 30.30.30.30 and 40.40.40.0/24.

Procedure
Step 2 Import the subnet.
Subnet And AS Domain Group > Subnet Management.
2. Click Import. The Subnet Import dialog box is displayed, as shown in Figure 4-65.
Figure 4-65 Importing the subnet (1)
3. Click the Subnet Template link to obtain the xsl template file. In the file, enter the account
Figure 4-66 Importing the subnet (2)
4. Click Browse to select the edited file. Click OK.

5. Wait until the system prompts you that the operation is complete. In the displayed dialog
box, view logs to know the information about successful operations and failure operations.
----End

Configuration Guide 5 Traffic Management Service
5 Traffic Management Service
About This Chapter
Traffic management service is the basic service of the SIG. By applying the traffic management
service, you can monitor traffic and traffic direction through reports, and implement QoS
management on traffic and traffic direction.
5.1 About the Traffic Management Service

This section describes the basic concepts of the traffic management service.
5.2 Querying Traffic Reports
To query various traffic reports based on links, virtual tunnels, subscribers, and VICs, you should
perform this task.
5.3 Querying the User Behavior Statistics Report
To query multiple types of statistics reports on the user behaviors of subscribers, you should
perform this task.
5.4 Configuring Traffic QoS
To implement QoS control (such as bandwidth control and connection number control) over the
traffic of links, virtual tunnels, subscribers, or VICs, you should perform this task.
5.5 Configuring Congestion Detection and Control
Congestion indicates a status that the bandwidths of links or NEs are over certain level
continuously, which compromises the performance of the network service. Perform this task to
check whether and when traffic congestion occurs on links or virtual tunnels, and to trigger the
QoS policies for specified links, virtual tunnels, or subscribers when congestion occurs.
5.6 Implementing Traffic Direction Statistics
To query the traffic direction report for collecting statistics on the traffic directions between one
link (or link group) and one AS domain group, between one AS domain group and another AS
domain group, between one subnet and one AS domain group, or between one subnet and another
subnet, you should perform this task.
5.7 Configuring Traffic Direction QoS
To implement QoS bandwidth control over the traffic between one link and one AS domain
group, between one AS domain group and another AS domain group, between one subnet and
one AS domain group, or between one subnet and another subnet, you should perform this task.
5.8 Customized Data Reporting

The customized data reporting is used to set the range in which statistics on traffic and traffic
direction data are collected, including the flow classification statistics policy, subscriber protocol
statistics policy, and subscriber group statistics policy. To adjust the range in which statistics on
traffic and traffic direction data are collected, perform this task. In addition, if you need to report
the report data by subscriber group attribute, configure the function when you add or change the
subscriber group attribute. This operation is not in the task.

5.1 About the Traffic Management Service

This section describes the basic concepts of the traffic management service.
Concepts:
l Traffic report
Indicates a series of reports analyzing and collecting statistics on the traffic and connection
numbers of the network by link, virtual tunnels, subscribers, or VICs based on the DPI
technology of the SIG, for example, real-time traffic, traffic trend, traffic proportion,
connection number trend, and connection number proportion.
l User behavior statistics report
Indicates a series of reports by traffic, connection number, and customer number for
analyzing and collecting statistics on subscriber behaviors, for example, top N customers
by traffic, top N customers by connection number, and customer number trend.
User behavior statistics reports can be regarded as a type of subscriber traffic reports with
specified application value (for analyzing subscriber behaviors).
l Traffic direction
Indicates the network traffic analysis object with the specified source and destination.
The SIG supports the following traffic direction objects: between one link (or link group)
and one AS domain group, between one AS domain group and another AS domain group,
between one subnet and one AS domain group, and between one subnet and another subnet.
l Traffic direction statistics
Indicates a series of reports for analyzing and collecting statistics on traffic direction
objects, for example, the traffic trend, traffic proportion, and top N protocols by traffic.
l Congestion
Indicates a status that the bandwidths of links or NEs are over certain level continuously,
which compromises the performance of the network service.
l Traffic QoS
Indicates various types of traffic management measures such as Rate Limiting and
Number of Connections Control over the traffic of links, virtual tunnels, subscribers, or
VICs, thus realizing refined management on network traffic.
For details, see 5.4.1 Overview in 5.4 Configuring Traffic QoS.
l Traffic direction QoS
Indicates the traffic management measures such as Rate Limiting over traffic direction
objects.
l Customized data reporting
Customized data reporting enables the SIG system to report data on traffic and traffic
direction for specified flow classifications for specified subscriber and network objects.
Perform the task when you need to view the report data that is not default.
For details on flow classification, see 22.1.1 Overview in 22.1 Managing Flow
Classifications and Flow Classification Items.

5.2 Querying Traffic Reports

To query various traffic reports based on links, virtual tunnels, subscribers, and VICs, you should
perform this task.
5.2.1 Overview
This section describes the categories and functions of traffic reports.
Based on the DPI technology, the SIG provides diversified traffic reports to display network
traffic, as shown in Figure 5-1.
Figure 5-1 Schematic diagram of the functions of traffic reports
Traffic reports are divided into the following categories by analysis object:
l Link and virtual tunnel-based traffic report

Indicates a series of reports (covering aspects such as the network traffic and connection
number) for analyzing and collecting statistics by link, for example, the real-time traffic,
traffic trend, traffic proportion, connection number trend, and connection number
proportion of links.
NOTE
When you need to query the connection number report, select different connection number types in
the query condition. The connection number types are listed as follows:
l Number of New Connections
Records the total number of new connections established within a specific time range.
l Number of Disconnected Connections
Records the total number of connections disconnected within a specific time range.
l Number of Average Connections
Records the value of the total number of transient connections at each sampling time point divided
by sampling times.
The sampling times for the number of average connections in a five-minute report are 4 to 8
times. The number of average connections in an hourly, daily, or monthly report are calculated
on the basis of the five-minute report.

l Subscriber-based traffic report

number) for analyzing and collecting statistics by subscriber, for example, the real-time
traffic, traffic trend, traffic proportion, connection number trend, and connection number
proportion of subscribers.
l VIC-based traffic report
number) for analyzing and collecting statistics by VIC, for example, the real-time traffic,
traffic trend, traffic proportion, connection number trend, and connection number
proportion of VICs.
l Consolidated traffic report
Indicates other consolidated reports, for example, subscriber traffic proportion to total
traffic, subscriber connection number proportion to total connection number, and subscriber
traffic proportion trend to total traffic.
Reports are divided into the following categories by data granularity:
l Five-minute report
NOTE
When you query a report, if you only enter the query time range without selecting the data granularity
for the report, the data granularity is to be decided automatically according to the length of the time
range specified.
The time points at which queries can be performed are different for multiple data granularities. If no
result is displayed after a query, try modifying query conditions.
Time Granularity in the query condition does not have a mapping relationship with the data
granularity of the report in the query result, and is used only for the convenience of entering a time
range for the query.
The storage period of the report data can be specified. For details, see 21.2 Configuring the Report
Storage Cycle.
l Hourly report
Figure 5-2 and Figure 5-3 show report examples.
The hourly report is formed by the statistics of multiple five-minute reports, and statistics
within the last hour are collected every half-hour. For example, statistics from 08:00 to
09:00 are collected at 9:30. If it is 09:20, records at 08:00 are unavailable in the hourly
report.
l Daily report
The daily report is formed by the statistics of hourly reports, and statistics on the last day
are collected at 01:00 every day. For example, statistics on January 1 are collected at 01:00
on January 2. If it is 00:30 on January 2, records on January 1 are unavailable in the daily
report.
l Monthly report
The data in the monthly report can be saved for up to four years. The monthly report is
formed by the statistics of daily reports, and statistics of the last month are collected at
03:00 on the first day of each month. For example, statistics on January are collected at
03:00 on February 1. If it is 01:00 on February 1, records on January are unavailable in the
monthly report.

Figure 5-2 Graph of the hourly report
Figure 5-3 Record of the hourly report

This section describes how to query traffic reports.
Prerequisites
l 4 Subscriber and Network Object Initialization is complete.
l The current user has the Statistics and Analysis Report service permission.
To enable port statistics collection of links for querying related reports, the current user
should have the Subscriber and Network Management service permission.

NOTE
If the system displays no data when you query the reports, perform as follows:
1. Check whether the time range of the query exceeds the storage cycle. For details on storage cycles, see
21.2 Configuring the Report Storage Cycle.
2. Check whether the configurations of the data reporting is correct. For details on data reporting, see
5.8.1 Overview in 5.8 Customized Data Reporting.
Procedure
Step 2 (Optional) Enable port statistics collection to query link port-related reports.
NOTE
If you do not need to query link port-related reports, go to Step 3.

You can enable port statistics collection on a maximum of four links.
Physical Link Management > Link Port Statistics Configuration.
2. Click Add.
3. Select the check boxes before the links for which the statistics of the port traffic is to be
collected, and then click OK.
Step 3 In the navigation tree, choose Statistics and Analysis Report > Traffic. Select the reports to
be queried.
Step 4 Enter query conditions according to prompts.
TIP
l If selecting Save Query Conditions before querying reports, you do not need to enter query conditions
for the next query.
l To apply the report function for timed tasks, click Timed Task. For details, see 21.4 Managing Timed
Task Reports.
Step 5 Click Query Report to query reports.

NOTE
To save time for other operations, click Background Implementation. For details, see 21.5 Managing
Background Task Reports.
On the report query interface, you can export reports in different formats:
l Click to export reports in .pdf format.
l Click to export reports in .html format.
l Click to export reports in .xls or .csv format.
----End
5.2.3 Report Examples (Link and Virtual Tunnel-based)

This section describes Link and Virtual Tunnel traffic-related reports and provides examples of
the reports.
Report Navigation
You can click the following links to view the report examples.

NOTE
The information in the following examples are subject to change without notice.
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Real-Time
Traffic
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Port Traffic
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Traffic Trend
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Connection
Number Trend
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Traffic
Proportion
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Connection
Number Proportion
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N Protocols
by Traffic
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N Protocols
by Connection Number
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N Ports by
Traffic
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > QoS Traffic
Trend
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > HTTP Content
Traffic Trend
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Bandwidth
Usage Trend
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N by Traffic
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N by
Connection Number
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N by
Bandwidth Usage
l Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Congestion Log
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Real-Time
Traffic
Through this report, you can monitor the traffic of the specified or all types on a link or a virtual
tunnel in real time.
Figure 5-4 shows the report screenshot of all traffic on a link.

NOTE
l The information about the real-time traffic of all types in Traffic Type List is displayed in the following
list.
l Real-time Traffic Curves has three types. The total traffic is displayed in the first figure. When you select
one or more traffic types in Traffic Type List, the real-time upstream traffic and real-time downstream
traffic are displayed in the second figure and the third figure respectively.
l Click Start Monitoring. The real-time data will be displayed in one minute.
l The refreshing frequency of the real-time data is 16 seconds.
l The real-time data is not saved.
Figure 5-4 Example of the real-time traffic report
Return to Report Navigation.
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Port Traffic
Through this report, you can view the traffic of one or multiple ports on a link within a given
time range, and the traffic distribution trend of the specified port.
NOTE
The system collects statistics on the source ports of upstream traffic packets and the destination ports of
downstream traffic packets.
Through the query on the traffic by port, you can view the traffic data of the TCP and UDP ports on the
link. For example, the traffic of TCP port 80 indicates all the traffic transmitted on TCP port 80, not only
HTTP traffic.
Figure 5-5 shows the report screenshot of the traffic of multiple ports on a link.

Figure 5-5 Example of the port traffic report
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Traffic Trend
Through this report, you can view the traffic distribution trend on links or virtual tunnels within
a given time range, and the distribution trend comparison of the traffic before and after controlled
on a link.
NOTE
When you query the curve graph, the system supports the trend forecast function. Once the function is
enabled, the system adds the trend forecast line in the graph. This function is used to display the long-term
traffic trend when the query granularity is relatively large, such as month.
Figure 5-6 shows report screenshot of the distribution trend comparison of the traffic trend on
a link.

Figure 5-6 Example of the traffic trend report
NOTE
The DST behind the time in the preceding figure Indicates the Daylight Saving Time. The DST is displayed
only when it is configured. No further description is provided in the following.
Outside Top N Value Value indicates all traffic types excluding the ones in Top N. If the value is specified
to 0, the query function is disabled. Similar details will be omitted in the following.
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Connection
Number Trend
Through this report, you can view the connection number distribution trend on a link or virtual
tunnel within a given time range.
Figure 5-7 shows report screenshot of the connection number distribution trend on a link.

Figure 5-7 Example of the connection number trend report
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Traffic
Proportion
Through this report, you can view the proportion of the specified traffic on a link or virtual
Figure 5-8 shows report screenshot of the traffic proportion of all P2P protocols to the P2P
category on a link.

NOTE
Both category traffic and protocol traffic are reported to the database respectively. Therefore, if you move
a protocol to another category manually, the system does not re-count the reported category traffic.
Figure 5-8 Example of the traffic proportion report
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Connection
Number Proportion
Through this report, you can view the proportion of the connection number of the specified
traffic type on a link or a virtual within a given time range.
Figure 5-9 shows report screenshot of the connection number proportion of all Web_Browsing
protocols to the Web_Browsing category on a link.

Figure 5-9 Example of the connection number proportion report
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N
Protocols by Traffic
Through this report, you can view top N categories or protocols by traffic on a link or a virtual
Figure 5-10 shows report screenshot of top 10 protocols in the Web_Browsing category by
traffic on a link.

Figure 5-10 Example of the report on top 10 protocols by traffic
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N
Protocols by Connection Number
Through this report, you can view top N categories or protocols by connection number on a link
or a virtual tunnel within a given time range.
Figure 5-11 shows report screenshot of top 10 categories by connection number on a link.

Figure 5-11 Example of the report on top N protocols by connection number
NOTE
For the network traffic of unknown protocol types, the SIG identifies the network traffic into four types,
namely, Error_Packets, Generic_Tcp, Generic_Udp and Generic_Other.
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N Ports
by Traffic
Through this report, you can view top N ports by traffic on a link within a given time range.
Figure 5-12 shows report screenshot of top 10 ports by traffic on a link.

Figure 5-12 Example of the report of top N ports by traffic
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > QoS Traffic
Trend
Through this report, you can view the traffic distribution trend by ToS or DSCP field on one or
multiple links within a given time range, and the distribution trend comparison of the traffic
before and after controlled by ToS or DSCP filed on a link.
Figure 5-13 shows report screenshot of the distribution trend comparison of the traffic before
and after controlled by DSCP 001010 field on a link.

Figure 5-13 Example of the QoS traffic trend report
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > HTTP Content
Traffic Trend
Through this report, you can view the traffic distribution trend of HTTP packets by content (such
as images, texts, and applications) on one or multiple links within a given time range. Traffic is
analyzed and categorized according to the Content-type field of HTTP packets.
NOTE
Before querying this report, ensure that the service analyze http-content enable command has been ran
to enable the content analysis function of HTTP packets.
Figure 5-14 shows report screenshot of the traffic distribution trend of HTTP packets by content
on a link.

Figure 5-14 Example of the report on the HTTP content traffic trend
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Bandwidth
Usage Trend
Through this report, you can view the bandwidth usage trend of the specified link, link group,
or virtual tunnel monitored by the SIG within a given time range.
Figure 5-15 shows report screenshot of the bandwidth usage trend of downstream traffic on a
link.

Figure 5-15 Example of the bandwidth usage trend report
Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Top N by
Traffic
Through this report, you can view top N links of the specified range or virtual tunnels of the
specified range in a virtual tunnel category by traffic. Both of the links and virtual tunnels are
monitored by the SIG.
The following statistics modes are available:
l Rank by average value

Indicates ranking by average traffic. For example, if you select to query the top N statistical
object report of one day by average traffic, the system ranks statistical objects according
to daily traffic.
l Rank by daily intersection
The system ranks top N statistical objects by traffic at multiple analysis points in time within
a given time range and then collects the intersection upon the objects in each rank. That is,
the report displays only the top N statistical objects ranked by traffic at each point in time.
For example, to query the top N statistical object report by traffic based on the daily
intersection of a week, the system queries the top N objects ranked by traffic at each day

and the report displays top N objects whose traffic meeting required conditions
simultaneously.
In addition, you can configure associated query conditions for this report to display the traffic
proportion of several categories of top N statistical objects and the traffic proportion of several
protocols of a certain category.
Figure 5-16 shows report screenshot of top 10 links by traffic.
Figure 5-16 Example of the top N statistical object report by traffic
Connection Number
specified range in a virtual tunnel category by connection number. Both of the links and virtual
tunnels are monitored by the SIG.

Both of the links and virtual tunnels are monitored by the SIG. The following statistics modes
are available:
Indicates ranking by average connection number. For example, if you select to query the
top N statistical object report by average connection number of one day, the system ranks
objects according to the daily connection number.
The system ranks top N statistical objects by connection number at multiple analysis points
in time within a given time range and then collects the intersection upon the objects in each
rank. That is, the report displays only the top N objects ranked by connection number at
each point in time. For example, to query the top N statistical object report by connection
number based on the daily intersection of a week, the system queries the top N objects
ranked by connection number at each day and the report displays top N objects whose
connection number meeting required conditions simultaneously.
Figure 5-17 shows report screenshot of top 10 links by connection number.

Figure 5-17 Example of the top N statistical object report by connection number
Bandwidth Usage
specified range in a virtual tunnel category by bandwidth usage. Both of the links and virtual
tunnels are monitored by the SIG.
This report collects statistics on all links of the specified range or all virtual tunnels of the
specified range in a virtual tunnel category. Both of the links and virtual tunnels are monitored
by the SIG. Traffic is divided into upstream traffic, downstream traffic, and bidirectional traffic
by direction. If you select bidirectional traffic, the bandwidth usage of the statistical objects is
the larger value between the bandwidth usage of upstream traffic and that of downstream traffic.
The following statistics modes are available:

Indicates ranking by average bandwidth usage. For example, if you select to query the top
N statistical object report by bandwidth usage of one day, the system ranks objects
according to the daily average bandwidth usage.
The system ranks top N statistical objects by bandwidth usage at multiple analysis points
in time within a given time range and then collects the intersection upon the objects in each
rank. That is, the report displays only the top N statistical objects ranked by bandwidth
usage at each point in time. For example, to query the top N statistical object report by
bandwidth usage based on the daily intersection of a week, the system queries the top N
objects ranked by bandwidth usage at each day and the report displays top N objects whose
bandwidth usage meeting required conditions simultaneously.
Figure 5-18 shows report screenshot of top 10 links by bandwidth usage.
Figure 5-18 Example of the top N statistical object report by bandwidth usage

Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Congestion
Log
This report is used to view historical congestion logs of the congestion detection object.
According to the five-minute traffic report data, the Front End checks the status of the link or
virtual tunnel. If an object matches the congestion trigger or release conditions, the Front End
sends the message to the Back End and generates the congestion logs.
NOTE
For details on congestion detection and control, see 5.5 Configuring Congestion Detection and
Control.
Figure 5-19 shows an example for congestion logs of all links within a given time range.
Figure 5-19 Example for congestion logs
5.2.4 Report Examples (Subscriber-based)

This section describes subscribers' traffic-related reports and provides examples of the reports.
Report Navigation
NOTE
l Statistics and Analysis Report > Traffic > Subscriber > Real-Time Traffic

l Statistics and Analysis Report > Traffic > Subscriber > Traffic Trend
l Statistics and Analysis Report > Traffic > Subscriber > Customer Number Trend
l Statistics and Analysis Report > Traffic > Subscriber > YouTube Traffic Trend
l Statistics and Analysis Report > Traffic > Subscriber > Traffic Proportion
l Statistics and Analysis Report > Traffic > Subscriber > Connection Number
Proportion
l Statistics and Analysis Report > Traffic > Subscriber > Customer Number Proportion
by Attribute
l Statistics and Analysis Report > Traffic > Subscriber > Traffic Proportion by
Attribute
l Statistics and Analysis Report > Traffic > Subscriber > Top N Protocols by Traffic
l Statistics and Analysis Report > Traffic > Subscriber > Top N Protocols by Connection
Number
l Statistics and Analysis Report > Traffic > Subscriber > Traffic Comparison in
Peak&Off-peak
l Statistics and Analysis Report > Traffic > Subscriber > Customer Number Proportion
by Traffic Segment
l Statistics and Analysis Report > Traffic > Subscriber > Traffic Proportion by
Customer Proportion
l Statistics and Analysis Report > Traffic > Subscriber > Heavy User Traffic Proportion
Statistics and Analysis Report > Traffic > Subscriber > Real-Time Traffic
Through this report, you can monitor the traffic of the specified or all types for a subscriber in
real time.
Figure 5-20 shows the report screenshot of all the traffic of a subscriber in an area.
NOTE
list.

Statistics and Analysis Report > Traffic > Subscriber > Traffic Trend
Through this report, you can view the traffic distribution trend for one or multiple subscribers
within a given time range.
NOTE
Figure 5-21 shows report screenshot of the traffic distribution trend of subscribers in an area.

Statistics and Analysis Report > Traffic > Subscriber > Customer Number Trend
Through this report, you can view the connection number distribution trend for one or multiple
subscribers within a given time range.
Figure 5-22 shows report screenshot of the connection number distribution trend of subscribers
in an area.

Figure 5-22 Example of the customer number trend report
Statistics and Analysis Report > Traffic > Subscriber > YouTube Traffic Trend
Through this report, you can view the traffic distribution trend of YouTube and YouTube_HD
for the subscribers of a category within a given time range.
YouTube and YouTube_HD are the protocols of the Video category. You can use the traffic
trend report to view the traffic distribution trend of these two protocols. The YouTube traffic
trend report provides statistics on both traffic trends and access counts.
Figure 5-23 shows the report screenshot of the traffic distribution trend of YouTube and
YouTube_HD protocols for subscribers in an area.

Figure 5-23 Example of the YouTube traffic trend report
Statistics and Analysis Report > Traffic > Subscriber > Traffic Proportion
Through this report, you can view the proportion of the specified traffic for one or multiple
subscribers within a given time range.
Figure 5-24 shows report screenshot of the traffic proportion of all Web_Browsing protocols
to the Web_Browsing category for subscribers in an area.
NOTE


NOTE
l If the traffic direction is Upstream Traffic and the value type is Average, the value of Upstream
Traffic in the report is the average value of the traffic of each protocol within the specified time range.
Proportion indicates the proportion of the upstream traffic of each protocol to the total upstream traffic.
l If the traffic direction is Upstream Traffic and the value type is Peak, the value of Upstream
Traffic in the report is peak traffic. Proportion indicates the proportion of the upstream traffic of each
protocol to the total upstream traffic at peak. The peak is the time when the total upstream traffic of all
types to be queried reaches the maximum value.
l If the traffic direction is Upstream Traffic and the value type is Trough, the value of Upstream
Traffic in the report is trough traffic. Proportion indicates the proportion of the upstream traffic of
each protocol to the total upstream traffic at trough. The trough is the time when the total upstream
traffic of all types to be queried reaches the minimum value.
Statistics and Analysis Report > Traffic > Subscriber > Connection Number
Proportion
traffic type for one or multiple subscribers within a given time range.
Figure 5-25 shows report screenshot of the proportion of the connection number of the P2P,
PeerCasting, and Web_Browsing categories to all connections for subscribers in an area.

Statistics and Analysis Report > Traffic > Subscriber > Customer Number
Proportion by Attribute
Through this report, you can view the proportion of customers using different types of mobile
phones, browsers, or OSs for the subscribers of a category within a given time range.
Figure 5-26 shows report screenshot of the proportion of customers using different mobile types
in an area.

Figure 5-26 Example of the report on the customer number proportion by attribute
Statistics and Analysis Report > Traffic > Subscriber > Traffic Proportion by
Attribute
Through this report, you can view the traffic proportion of different mobile phone types, browser
types, and OS types to the total traffic for the subscribers of a category within a given time range.
For example, Figure 5-27 shows report screenshot of the traffic proportion of different mobile
types to the total traffic on a day in an area.

Figure 5-27 Example of the report on the traffic proportion by attribute
This report is similar to that on the traffic proportion of subscribers. For details, see Statistics
and Analysis Report > Traffic > Subscriber > Traffic Proportion.
Statistics and Analysis Report > Traffic > Subscriber > Top N Protocols by Traffic
Through this report, you can view top N categories, protocols or flow classifications by traffic
for the subscribers of a category within a given time range.
Figure 5-28 shows report screenshot of top 10 P2P protocols by traffic of subscribers in an area.

Figure 5-28 Example of the report on top N protocols by traffic
Statistics and Analysis Report > Traffic > Subscriber > Top N Protocols by
Connection Number
Through this report, you can view top N categories, protocols or flow classifications by
connection number for the subscribers of a category within a given time range.
Figure 5-30 shows report screenshot of top 10 IM protocols by connection number of subscribers
in an area.

Figure 5-29 Example of the report on top 10 protocols by connection number
Statistics and Analysis Report > Traffic > Subscriber > Traffic Comparison in
Peak&Off-peak
Through this report, you can view the comparison among bandwidth peak value, average value,
and trough value for the subscribers of a category within a given time range.
Figure 5-30 shows the report screenshot of the comparison among bandwidth peak value,
average value, and trough value of subscribers in an area.

Figure 5-30 Example of the traffic comparison in peak&off-peak report
Figure 5-31 Records in a report
l The red box indicates the time for the peak value of the total traffic within the query time.
The traffic, bandwidth, and packet rate in record 1 are the values at the peak time.
l The green box indicates the time for the trough value of the total traffic within the query
time. The traffic, bandwidth, and packet rate in record 3 are the values at the trough time.

l The blue box indicates that within the query time, traffic in record 2 is the total value and
the bandwidth is the average value.
That is, the time for the peak value and trough value is determined by the total traffic; however,
the report displays the traffic of the queried protocol at the corresponding query moment.
Statistics and Analysis Report > Traffic > Subscriber > Customer Number
Proportion by Traffic Segment
This report is used to collect statistics on the number of subscribers within the specified traffic
segment.
For example, you can query the proportion taken by the subscribers among all the users in a
certain area according to every 100 MB downstream traffic that is used within the traffic segment
between 0 MB and 300 MB. To be more specific, the report can display the proportion taken by
the subscribers who use less than 100 MB on that day among all the users. The proportion taken
by the subscribers who use more than 100 MB and less than 200 MB on that day, and the
proportion taken by the subscribers who use more than 200 MB and less than 300 MB on that
day also can be displayed in the report.
Figure 5-32 shows report snapshot.

Figure 5-32 Customer Number Proportion by Traffic Segment

Statistics and Analysis Report > Traffic > Subscriber > Traffic Proportion by
Customer Proportion
This report is used to collect statistics on traffic used by the subscribers of different proportions
within the given time range. For example, you can view traffic distribution reports by subscriber
proportion of a day in an area. To be specific, the report can display the proportion of the traffic
used by top 5%, 10%, or 15% subscribers to the total traffic of a day in an area respectively.
Figure 5-33 shows the report snapshot.
Figure 5-33 Traffic Proportion by Customer Proportion

Statistics and Analysis Report > Traffic > Subscriber > Heavy User Traffic
Proportion
This report is used to view the statistics on the proportion of the traffic taken by specific Heavy
User group.
Heavy User group contains the Top N users in specific area or according to other group attributes.
For example, you can include the top 10% users that use the most traffic in each month into a
Heavy User group. The rest 90% is termed as non-Heavy User.
NOTE
For details on the defining method of Heavy User group, see 4.2.4 Typical Configuration Example
(Importing Subscriber Accounts in Batches and Adding Heavy User Group).
Figure 5-34 shows the report snapshot.

Figure 5-34 Heavy User Traffic Proportion

5.2.5 Report Examples (VIC-based)

This section describes VICs' traffic-related reports and provides examples of the reports.
Report Navigation
NOTE
l Statistics and Analysis Report > Traffic > Very Important Customer > Real-Time
Traffic

l Statistics and Analysis Report > Traffic > Very Important Customer > Traffic Trend
l Statistics and Analysis Report > Traffic > Very Important Customer > Connection
Number Trend
l Statistics and Analysis Report > Traffic > Very Important Customer > Traffic
Proportion
l Statistics and Analysis Report > Traffic > Very Important Customer > Connection
Number Proportion
l Statistics and Analysis Report > Traffic > Very Important Customer > Top N
l Statistics and Analysis Report > Traffic > Very Important Customer > Top N
Statistics and Analysis Report > Traffic > Very Important Customer > Real-Time
Traffic
Through this report, you can monitor the traffic of the specified or all types of a VIC in real time.
Figure 5-35 shows the report screenshot of all the traffic of a VIC in an area.
NOTE
list.

Statistics and Analysis Report > Traffic > Very Important Customer > Traffic Trend
Through this report, you can view the traffic distribution trend for one or multiple VICs within
a given time range.
Figure 5-36 shows report screenshot of the traffic distribution trend of VICs in an area.
Statistics and Analysis Report > Traffic > Very Important Customer > Connection
Number Trend
Through this report, you can view the connection number distribution trend for one or multiple
VICs within a given time range.
Figure 5-37 shows report screenshot of the connection number distribution trend of VICs in an
area.

Figure 5-37 Example of the connection number trend report
Statistics and Analysis Report > Traffic > Very Important Customer > Traffic
Proportion
Through this report, you can view the proportion of the specified traffic for one or multiple VICs
Figure 5-38 shows report screenshot of the traffic proportion of all P2P protocols to the P2P
category for a VIC in an area.
NOTE

Statistics and Analysis Report > Traffic > Very Important Customer > Connection
Number Proportion
traffic type for one or multiple VICs within a given time range.
Figure 5-39 shows report screenshot of the connection number proportion of all Web_browsing
protocols to the Web_browsing category for a VIC in an area.

Statistics and Analysis Report > Traffic > Very Important Customer > Top N
Through this report, you can view top N categories or protocols by traffic for the VICs of a
category within a given time range.
Figure 5-40 shows report screenshot of top 10 categories by traffic of VICs in an area.

Figure 5-40 Example of the report on top 10 protocols by traffic
Statistics and Analysis Report > Traffic > Very Important Customer > Top N
Through this report, you can view top N categories or protocols by connection number for the
VICs of a category within a given time range.
Figure 5-41 shows report screenshot of top 10 protocols by connection number of VICs in an
area.

Figure 5-41 Example of the report on top 10 protocols by connection number
5.2.6 Report Examples (Consolidated)

This section describes certain consolidated reports and provides examples of the reports.
Report Navigation
NOTE
l Statistics and Analysis Report > Traffic > Consolidated Report > Top N Video Web
Sites Traffic Trend
l Statistics and Analysis Report > Traffic > Consolidated Report > Subscriber Traffic
Proportion to Total Traffic
l Statistics and Analysis Report > Traffic > Consolidated Report > Subscriber
Connection Number Proportion to Total Connection Number
l Statistics and Analysis Report > Traffic > Consolidated Report > Subscriber Traffic
Proportion Trend to Total Traffic

Statistics and Analysis Report > Traffic > Consolidated Report > Top N Video Web
Sites Traffic Trend
Through this report, you can view the distribution trend of top N Web sites by video access
traffic on the current network within a given time range.
The report contains the following types of traffic:
l Traffic of Video and Streaming categories
l Traffic of HTTP responsive packets whose content-type is Video/XXX
If the Website has a domain name, the report displays the domain name as the statistic object;
otherwise, the report displays the IP address of the Website as the statistic object.
Figure 5-42 shows report screenshot of the traffic trend of top N video Web sites within a given
time range.
Figure 5-42 Example of the traffic trend report on top N video Web sites

Statistics and Analysis Report > Traffic > Consolidated Report > Subscriber Traffic
Proportion to Total Traffic
Through this report, you can view the traffic proportion of a subscriber to all traffic on the
monitored network within a given time range.
Figure 5-43 shows report screenshot of the traffic proportion of subscribers to all traffic in an
area.
Figure 5-43 Example of the report on the subscriber traffic proportion to total traffic
Statistics and Analysis Report > Traffic > Consolidated Report > Subscriber
Connection Number Proportion to Total Connection Number
Through this report, you can view the connection number proportion of a subscriber to all
connection numbers on the monitored network within a given time range.
Figure 5-44 shows report screenshot of the connection number proportion of subscribers to all
connection numbers in an area.

Figure 5-44 Example of the report on the subscriber connection number proportion to total
connection number
Statistics and Analysis Report > Traffic > Consolidated Report > Subscriber Traffic
Proportion Trend to Total Traffic
Through this report, you can view the trend of the traffic proportion of a subscriber to all traffic
on the monitored network within a given time range.
Figure 5-45 shows report screenshot of the trend of the traffic proportion of subscribers to all
traffic in an area.

Figure 5-45 Example of the report on the subscriber traffic proportion trend to total traffic
5.2.7 Reference
This section describes the commands related to traffic reports.
Table 5-1 Traffic report-related command

Item Command
Set the protocol decapsulation tunnel-protocol { mpls | qinq | gre | l2tp | 6over4 }
type of tunnels
that need to be
decapsulated

Item Command
Configure that the service ignore gre-a10

Front End ignores
the detection on
GRE-A10 packets
For other commands of the Front End, refer to the HUAWEI SIG9800 Service Inspection
Gateway Command Reference.
5.3 Querying the User Behavior Statistics Report

To query multiple types of statistics reports on the user behaviors of subscribers, you should
perform this task.
5.3.1 Overview
This section describes the categories and functions of the user behavior statistics report.
The user behavior statistics report is used for analyzing and collecting statistics on subscribers'
behaviors, and includes the following types:
l Customer Number Proportion

Used for analyzing the proportion of subscribers with the access traffic of specified types
on the current network. For example, by querying the proportion of subscribers, you can
compare and analyze the number of P2P traffic users in District1 and District2.
l Customer Attributes Statistics
Used for analyzing the dynamic attributes of the specified subscriber.
l Peak Host Number Trend
Used for analyzing the number of hosts on the live network. In this report, data for each
time range indicates the maximum number of hosts within this time range. For example,
hourly report data is the maximum value among 12 five-minute reports within this hour;
daily report data is the maximum value among 24 hourly reports on this day, that is, the
maximum value among 24 x 12 five-minute reports. The system counts hosts by IP address.
Two hosts are counted if a user logs in and out for two times within five minutes.
l Top N Customers by Traffic
Used for ranking and analyzing subscribers by traffic on the current network, for example,
querying top 10 subscribers by P2P traffic within a given time range in an area.
l Top N Customers by Connection Number
Used for ranking and analyzing subscribers by connection number on the current network,
for example, querying top 10 subscribers by new connection number within a given time
range in an area.
l Top N Protocols by Customer Number
Used for ranking and analyzing top N protocols by customer number for a category within
a given time range.
l Top N Customers by Online Duration

Used for ranking and analyzing subscribers by online duration on the current network, for
example, querying top 10 subscribers by online duration within a given time range in an
area.
l Top N Customers by Online Times
Used for ranking and analyzing subscribers by online times on the current network, for
example, querying top 10 subscribers by online times within a given time range in an area.
l Customer Number Trend
Used for analyzing the number of subscribers on the live network. In this report, data for
each time segment indicates the accumulative total number of customers within this time
range. For example, hourly report data is the accumulative value of 12 five-minute reports
without repetitive values within this hour; daily report data is the accumulative value of 24
hourly reports without repetitive values on this day. Compared with the report on the
customer number trend, this report has complicated algorithms and therefore is generated
slowly.

This section describes how to query the user behavior statistics report.
Prerequisites

NOTE
Procedure
Step 2 In the navigation tree, choose Statistics and Analysis Report > User Behavior >
Subscriber. Then select the reports to be queried as required.
Step 3 Enter query conditions as required according to prompts.

TIP
for the next query.
Task Reports.

NOTE
----End
5.3.3 Report Examples

This section describes reports on user behavior statistics and provides examples of the reports.
Report Navigation
NOTE
l Statistics and Analysis Report > User Behavior > Subscriber > Customer Number
Proportion
l Statistics and Analysis Report > User Behavior > Subscriber > Customer Attributes
Statistics
l Statistics and Analysis Report > User Behavior > Subscriber > Peak Host Number
Trend
l Statistics and Analysis Report > User Behavior > Subscriber > Top N Customers by
Traffic
Connection Number
l Statistics and Analysis Report > User Behavior > Subscriber > Top N Protocols by
Customer Number
Online Duration
Online Times
l Statistics and Analysis Report > User Behavior > Subscriber > Customer Number
Trend
Statistics and Analysis Report > User Behavior > Subscriber > Customer Number
Proportion
Through this report, you can analyze the proportion of subscribers with the access traffic of
specified types on the current network. For example, by querying the proportion of subscribers,
you can compare and analyze the number of P2P traffic users in Haidian and Chaoyang districts.
Figure 5-46 shows report screenshot of the proportion of subscribers.

Figure 5-46 Example of the customer number proportion report
Statistics and Analysis Report > User Behavior > Subscriber > Customer Attributes
Statistics
Through this report, you can analyze the dynamic attributes of the specified subscriber.
Figure 5-47 shows report screenshot of the dynamic attributes of a subscriber.

Figure 5-47 Example of the report on customer attribute statistics
Statistics and Analysis Report > User Behavior > Subscriber > Peak Host Number
Trend
Used for analyzing the number of hosts on the live network. In this report, data for each time
range indicates the maximum number of hosts within this time range. For example, hourly report
data is the maximum value among 12 five-minute reports within this hour; daily report data is
the maximum value among 24 hourly reports on this day, that is, the maximum value among 24
x 12 five-minute reports. The system counts hosts by IP address. Two hosts are counted if a user
logs in and out for two times within five minutes.
Figure 5-48 shows report screenshot of the peak host number trend in an area.

Figure 5-48 Example of peak host number trend report
Statistics and Analysis Report > User Behavior > Subscriber > Top N Customers
by Traffic
Through this report, you can view top N subscribers by traffic for a category within a given time
range.
Figure 5-49 shows report screenshot of top 10 subscribers by traffic in an area.

Figure 5-49 Example of the report on top 10 customers by traffic
by Connection Number
Through this report, you can view top N subscribers by connection number for a category within
a given time range.
Figure 5-50 shows report screenshot of top 10 subscribers by connection number in an area.

Figure 5-50 Top 10 Customers by Connection Number
Statistics and Analysis Report > User Behavior > Subscriber > Top N Protocols by
Customer Number
Through this report, you can view top N protocols by customer number for a category within a
given time range.
Figure 5-51 shows report screenshot of top 10 protocols by customer number in an area.

Figure 5-51 Example of the report on top 10 protocols by customer number
by Online Duration
Through this report, you can view top N subscribers by online duration for a category within a
given time range.
NOTE
In scenarios where multiple hosts (using different IP addresses) use one account to go online, the online
duration of this account is the summed online duration of all the related hosts by IP address.
Figure 5-52 shows report screenshot.

Figure 5-52 Example of the report on top N subscribers by online duration
by Online Times
Through this report, you can view top N subscribers by online times for a category within a
given time range.
Figure 5-53 shows report screenshot.
Figure 5-53 Example of the report on top N subscribers by online times
Statistics and Analysis Report > User Behavior > Subscriber > Customer Number
Trend
Used for analyzing the number of subscribers on the live network. In this report, data for each
time segment indicates the accumulative total number of customers within this time range. For
example, hourly report data is the accumulative value of 12 five-minute reports without repetitive
values within this hour; daily report data is the accumulative value of 24 hourly reports without
repetitive values on this day. Compared with the report on the customer number trend, this report
has complicated algorithms and therefore is generated slowly.
Figure 5-54 shows report screenshot of the number distribution trend of subscribers in an area.

Figure 5-54 Example of the customer number trend report
5.4 Configuring Traffic QoS

To implement QoS control (such as bandwidth control and connection number control) over the
traffic of links, virtual tunnels, subscribers, or VICs, you should perform this task.
5.4.1 Overview
This section describes the background knowledge and functions of traffic QoS.
Policy Item and Priority Description

Indicates the record identifying the control policy of a specified service. Policy items added to
the SIG can be configured with time-based attributes, that is, to be effective during the specified
time range.
Policy items in traffic QoS are classified into the following categories:
l Rate Limiting
l Priority Mark
l Number of Connections Control
l Pass
l Not Remark
l Throttling
l Strict Priority
l Weighted Fair Queue
Details are as follows:

l Rate Limiting
Bandwidth limiting, bandwidth control, or also known as Traffic Policing (TP), is used to
set the maximum upstream bandwidth, maximum downstream bandwidth, guaranteed
upstream bandwidth, and guaranteed downstream bandwidth of the specified or all types
of traffic.
The maximum bandwidth is also called the Peak Information Rate (PIR), and the guaranteed
bandwidth is also called Committed Information Rate (CIR).
l Priority Mark
Traffic mark, also known as QoS Remark, remarks the QoS field (ToS or DSCP field) of
an IP packet by the specified or all traffic types. In so doing, the packets of a certain traffic
type are forwarded with different priorities when passing through network devices such as
routers.
Figure 5-55 shows the locations of the 4-bit ToS filed and 6-bit DSCP field in the IP packet.
Table 5-2 shows the description of ToS field values, and Table 5-3 shows description of
DSCP field values.
Figure 5-55 Locations of ToS and DSCP fields
Table 5-2 Value description of the ToS field

ToS filed value Description
0000 Normal Service
1000 Minimize Delay Service
0100 Maximize Throughput Service
0010 Maximize Reliability Service
0001 Minimize Monetary Cost Service

Table 5-3 Value description of the DSCP field
DSCP field Forwarding QoS

PHB Type value
Default PHB (Per-Hop 000000 Indicates the best-effort service.

Behaviors)
Class-Selector PHB XXX000 (The Indicates that the service level is consistent
X value is 0 or with the IP precedence used on the current
1.) network.
Expedited Forwarding 101110 Indicates the best QoS on the DiffServ

PHB network. In the case of enough bandwidths,
the packet sending rate is higher than the
packet receiving rate, which is applicable
to real-time services such as VoIP and
Virtual Leased Line (VLL). The PHB can
be realized by means of the priority queue,
low-delay queue, or Real-time Transport
Protocol (RTP) queue.
Assured AF1 001010 Indicates the services with guaranteed

Forwarding bandwidths and controllable delay, for
PHB 001100 example, video and VPN services.
001110 The IETF DiffServ workgroup defines four
service levels (AF1, AF2, AF3, and AF4)
AF2 010010 for the AF HB. Each service level
corresponds to a certain bandwidth and
010100
cache.
010110 Each service level defines three packet
discarding priorities.
AF3 011010
For AF1, 001010, 001100, and 001110
011100 represent the packet discarding priorities in
ascending order.
011110 For AF2, 010010, 010100, and 010110
AF4 100010 represent the packet discarding priorities in
ascending order.
100100 For AF3, 011010, 011100, and 011110
represent the packet discarding priorities in
100110
ascending order.
For AF4, 100010, 100100, 100110
represent the packet discarding priorities in
ascending order.
l Number of Connections Control

Indicates that the maximum number of concurrent connections is limited based on the
specified or all traffic types.
l Pass
Indicates that rate limiting is not implemented on the traffic of the specified type, that is,
traffic matching the pass policy.

l Not Remark
Indicates that QoS Remark is not implemented on the traffic of the specified type, that is,
traffic matching the not remark policy, and packets are not remarked.
l Throttling
Throttling is a queue scheduling method in the case of traffic congestion to proactively
schedule the output rate of the traffic of the specified or all traffic types.
When there are sufficient tokens in the token bucket, the cached packets can be sent out at
an even speed. But if the buffer queue is full, packets are to be discarded in throttling as in
rate limiting.
Additionally, throttling may increase the delay, whereas rate limiting almost introduces no
extra delay.
l Strict Priority
It is a queue scheduling method in the case of traffic congestion. Packets are configured
with different priorities according to traffic types. During queue scheduling, the system
preferentially sends the packets in the high-priority queue by strictly following the
descending priority order. When the high-priority queue is null, packets in the low-priority
queue are forwarded. In this way, the packets of key services are placed in the high-priority
queue, and those of non-key services (such as email) in the low-priority queue, ensuring
that the packets of key services are transmitted preferentially and those of non-key services
are transmitted during the idle time.
The SIG supports setting priorities (0 to 7) for upstream and downstream traffic by traffic
type. The smaller the value, the higher the priority.
The Strict Priority policy can provide bandwidth guarantee for high-priority services in
the case of congestion, but if the high-priority queue is always occupied by packets, packets
in the low-priority queue cannot get services for a long time.
l Weighted Fair Queue
It is a queue scheduling method in the case of traffic congestion to assign the traffic of
different types according to the pre-set upstream and downstream traffic proportion. For
example, for the subscribers' traffic in an area, set the proportion of the upstream and
downstream P2P traffic to 20% and that of other upstream and downstream traffic to 80%.
When a certain type of traffic in the queue is 0, the SIG allows other traffic types in the
queue to obtain these resources without any restrictions. For example, for subscribers'
traffic in an area, the upstream and downstream of the P2P traffic is set to be 10%
respectively, that of the Peer Casting traffic is set to be 10% respectively, and that of other
upstream and downstream traffic is set to be 80% respectively. If the PeerCasting traffic
takes no part of the assigned proportion, the P2P traffic and other traffic can obtain these
resources.
For details on policy priorities, see 5.4.15 Policy Priority Description. For precautions and
related introduction of each policy item, see the typical examples about configuring traffic QoS
in this document.
Introduction to the Policy Package

A policy package indicates the record containing one or multiple policy items. After a policy
package is applied to one or multiple policy application objects, such as a link, subscriber group,
or VIC group, the SIG can apply the policy items in this package to the target objects.
The system identifies the traffic to be controlled according to the flow classification attributes
in the policy package. A flow classification is the traffic combination defined by one or multiple

flow classification items. A flow classification item is the traffic that matches specified
conditions. It is defined by one or multiple conditions including application-layer protocol type
(such as HTTP), network side IP address, and Layer-3 and Layer-4 protocol attributes. The
system defines each protocol category in the DPI protocol signature file as a flow classification
by default. For example, Web_Browsing refers to all the traffic that fall into the Web_Browsing
protocol category. For details on flow classification, see 22.1.1 Overview.
Function Description
Configuring traffic QoS:
l Applies the QoS policy package to links.
Implementing policies such as rate limiting (PIR and CIR), priority mark, number of
connections control, pass, and not remark to link traffic.
l Applies the QoS policy to virtual tunnels.
connections control, pass, not remark to virtual tunnel traffic.
l Applies the QoS policy package to subscribers.
Identifying subscribers according to attribute group or user group, and implementing
policies such as rate limiting (PIR and CIR), priority mark, number of connections control,
pass, not remark, throttling, strict priority, and weighted fair queue (WFQ) to subscriber
traffic according to the attribute group or user group.
l Applies the QoS policy to VICs.
connections control, pass, not remark to VIC traffic according to the attribute group or user
group.
l Applies dynamic policies.
Setting the threshold of link and virtual tunnel traffic. When the traffic of a specified link
or virtual tunnel exceeds the threshold for a period of time, the system automatically applies
the control policy to the link, virtual tunnel, or subscriber. In this way, the congestion
problem on the carrier network is resolved.
NOTE
Generally, the policy takes effect within one minute.

For details on dynamic policies, see 5.5 Configuring Congestion Detection and Control.

This section describes how to configure traffic QoS, so that installation and commissioning
engineers or data configuration engineers can obtain the brief information about the operation.

Figure 5-56 Procedure for configuring traffic QoS
Start
Add a policy package
Do you Yes
continue to add
another one?
No
Apply the policy
package
Do you Yes
continue to add
another one?
No
End
NOTE
To bind the flow classification that is not in the system by default to the policy item to process more complex
traffic, you need to complete 22.1 Managing Flow Classifications and Flow Classification Items before
adding the policy item.
On a wireless network, the SIG supports the interworking with the PCRF and requests policies from the
PCRF. For details, see 5.4.16 Reference.
Table 5-4 Procedure description of configuring traffic QoS

Action Description
Add a policy Add policy packages as required. A policy package can contain one
package or multiple policy items.
Operation page: In the navigation tree, choose Traffic Management
> QoS > QoS Policy Package Management.

Action Description
Apply the policy Apply the added policy package to service objects.
package Operation pages include:
l To apply a policy package to links: In the navigation tree, choose
Subscriber and Network Management > Network > Physical
Link Management > Link Policy Application.
l To apply a policy package to virtual tunnels: In the navigation tree,
choose Subscriber and Network Management > Network >
Virtual Tunnel Management > Virtual Tunnel Policy
Application.
l To apply a policy package to subscribers: In the navigation tree,
choose Subscriber and Network Management > Subscriber >
Policy Application.
l To apply a policy package to VICs: In the navigation tree, choose
Subscriber and Network Management > Very Important
Customer > Policy Application.
5.4.3 Typical Configuration Example (Link, Rate Limiting, and

Taking Effect as Planned)
This section provides an example for configuring traffic QoS in detail. The policy item is Rate
Limiting and is applied to links. It takes effect as planned.
Prerequisites
l 4.4 Configuring the Link is complete, and the link to be managed is 10G-1-1-linka.
l The current user has the Traffic Management and Subscriber and Network
Management service permissions.
The SIG is deployed at the network access layer in in-line mode, and monitors the link traffic
passing through the DPI device, as shown in Figure 5-57. Currently, the SIG needs to monitor
P2P services on the 10G link. Requirements are as follows:
l From 16:00:00 to 21:59:59 every day: The SIG should limit the maximum downstream
bandwidth of P2P services to 1,000,000 kbit/s.
l During other time segments every day: The SIG should limit the maximum downstream
bandwidth of P2P services to 1,500,000 kbit/s.

Figure 5-57 Networking diagram of the example for configuring traffic QoS (link, rate limiting)
Internet
Router
GE4/0/0
Front End
Switch
GE3/0/0 Back End
10.1.3.0/24
BRAS
User Network
Procedure
Step 2 Add a policy package.
Management.
2. Click Add.
3. In the pop-up dialog box, enter myQoS in Name, and then click Save, as shown in Figure
5-58.

Figure 5-58 Adding a policy package
4. Select Rate Limiting from Item Type and click Add.

5. Set parameters in the dialog box that is displayed. Figure 5-59 shows parameter settings.
NOTE
Priority of the policy item in this example can be any value. For details on priorities, see 5.4.15
Policy Priority Description.
Start Date/End Date and Start Day of Week/End Day of Week together determines the valid date
of a policy item, namely, the date meeting these two conditions is the valid time of the policy item.
The system does not support the setting of Start Time and End Time by using the keyboard. Instead,
you can select the values using the mouse. In addition, do not press Backspace. Otherwise, the system
closes all the tab pages and displays the GUI homepage.
Step 3 Apply the policy package.

2. Click Add.
3. In the pop-up dialog box, select QoS from Policy Package Type, myQoS from Policy
Package Name, and 10G-1-1-linka from Link, as shown in Figure 5-60.
Figure 5-60 Applying a policy package
4. Click OK. The system returns to the previous page and displays the added record.
----End
5.4.4 Typical Configuration Example (Link, Priority Mark)

This section provides an example for configuring traffic QoS in detail. The policy item is
Priority Mark and is applied to links.
Prerequisites
The SIG is deployed on the network in in-line mode, and monitors the link traffic passing through
the DPI device, as shown in Figure 5-61. It is required to monitor the VoIP service traffic on
the 10G link and set the DSCP filed of the VoIP packet to 101110, so that VoIP traffic is
preferentially forwarded by downstream routers in the case of traffic congestion.

Figure 5-61 Networking diagram of the example for configuring traffic QoS (link, priority mark)
External network
Router A
Front End
Router B
Internal network
Procedure
Management.
2. Click Add.
5-62.

4. Select Priority Mark from Item Type and click Add.

2. Click Add.

Figure 5-64 Applying the policy package
----End
5.4.5 Typical Configuration Example (Link, Number of

Connections Control)
This section provides an example for configuring traffic QoS in detail. The policy item is
Number of Connections Control and is applied to links.
Prerequisites
passing through the DPI device, as shown in Figure 5-65. It is required to monitor the P2P
service traffic on the 10G link and set the maximum number of concurrent connections for the
service to 500000.

Figure 5-65 Networking diagram of the example for configuring traffic QoS (link, number of
connections control)
Internet
Router
GE4/0/0
Front End
Switch
GE3/0/0 Back End
10.1.3.0/24
BRAS
User Network
Procedure
Management.
2. Click Add.
5-66.

4. Select Number of Connections Control from Item Type and click Add.
2. Click Add.

----End
5.4.6 Typical Configuration Example (Link, Rate Limiting, and

Pass)
This section provides an example for configuring traffic QoS in detail. Policy items are Rate
Limiting and Pass, and are applied to links.
Prerequisites
passing through the DPI device, as shown in Figure 5-69. It is required to monitor the VoIP
service traffic on the 10G link and set the maximum upstream and downstream bandwidths for
the service to 500000 kbit/s. In addition, H.323, SIP, MGCP, and MEGACO signaling protocols
and their media protocols, including H.323, H323_MEDIA_VIDEO, H323_MEDIA_AUDIO,
SIP, SIP_MEDIA_VIDEO, SIP_MEDIA_AUDIO, MGCP, MGCP_MEDIA_VIDEO,
MGCP_MEDIA_AUDIO, MEGACO, MEGACO_MEDIA_VIDEO, and
MEGACO_MEDIA_AUDIO are free from bandwidth control.

Figure 5-69 Networking diagram of the example for configuring traffic QoS (link, rate limiting,
and pass)
Internet
Router
GE4/0/0
Front End
Switch
GE3/0/0 Back End
10.1.3.0/24
BRAS
User Network
Procedure
Step 2 Add flow classification items and a flow classification.
Respectively define protocols H.323, H.323_MEDIA_VIDEO, H.323_MEDIA_AUDIO, SIP,

SIP_MEDIA_VIDEO, SIP_MEDIA_AUDIO, MGCP, MGCP_MEDIA_VIDEO,
MGCP_MEDIA_AUDIO, MEGACO, MEGACO_MEDIA_VIDEO, and
MEGACO_MEDIA_AUDIO as different flow classification items, and then add a flow
classification H323_SIP_MGCP_MEGACO that contains the preceding items.
For details, see 22.1 Managing Flow Classifications and Flow Classification Items.

Management.
2. Click Add.
5-70.


7. Select Pass from Item Type and click Add.

10. Repeat Step 3.7 to Step 3.9, and add the pass policy respectively for
H323_MEDIA_VIDEO, H323_MEDIA_AUDIO, SIP, SIP_MEDIA_VIDEO,
SIP_MEDIA_AUDIO, MGCP, MGCP_MEDIA_VIDEO, MGCP_MEDIA_AUDIO,
MEGACO, MEGACO_MEDIA_VIDEO, and MEGACO_MEDIA_AUDIO.
2. Click Add.
----End
5.4.7 Typical Configuration Example (Link, Priority Mark, and Not

Remark)
This section provides an example for configuring traffic QoS in detail. Policy items are Priority
Mark and Not Remark, and are applied to links.
Prerequisites

The SIG is deployed on the network in in-line mode, and monitors the link traffic passing through
the DPI device, as shown in Figure 5-74. It is required to monitor the VoIP service traffic on
the 10G link and set the DSCP filed of the VoIP packet to 101110, so that VoIP traffic is
preferentially forwarded in the case of traffic congestion. In addition, the traffic of SkypePctoPc
(a VoIP protocol) is not preferentially forwarded.
Figure 5-74 Networking diagram of the example for configuring traffic QoS (link, priority mark,
and not remark)
External network
Router A
Front End
Router B
Internal network
Procedure
Step 2 Add a flow classification item and a flow classification.
Define protocol SkypePctoPc as a flow classification item, and then add a flow classification
SkypePctoPc that contains the item.
For details, see 22.1 Managing Flow Classifications and Flow Classification Items.
Management.
2. Click Add.
5-75.

4. Select Priority Mark from Item Type and click Add.

7. Select Not Remark from Item Type and click Add.


2. Click Add.
----End
5.4.8 Typical Configuration Example (Virtual Tunnel, Rate

Limiting)
Limiting and applies to virtual Tunnels.
Prerequisites
l 4.5.6 Typical Configuration Example 1 (User Attribute Virtual Tunnel, Defining SN

as the Virtual Tunnel Category) is complete.

The SIG is deployed on a carrier's network, as shown in Figure 5-79. 4.5.6 Typical
Configuration Example 1 (User Attribute Virtual Tunnel, Defining SN as the Virtual
Tunnel Category) is complete. Virtual tunnels and their categories are added.
The P2P traffic of SN1 must be monitored and the maximum downstream bandwidth for P2P
traffic must be controlled within 5000 Kbit/s.
Figure 5-79 Networking diagram of the example for configuring traffic QoS (virtual tunnel, rate
limiting)
IP Backbone
PE PE
PE PE
CE CE
CE CE
DPI System
Front Back
Front End
End
End
GN1 GN2
SN1 SN2
BTS1 … BTS3
BTS2
Procedure
Management.
2. Click Add.
5-80.


5. Set parameters in the pop-up dialog box. Figure 5-81 shows parameter settings.
6. Click OK. The system returns to the previous page and displays a new policy item.
7. Click Close. The system returns to the previous page and displays a new policy package.
8. Repeat Step 2.2 to Step 2.7 to add policy package myQoS2 and set Maximum
Downstream Bandwidth to 10000 kbit/s.

2. Click Add.
NOTE
The system supports the batch application of policy packages through importing. In this case, click
Import, obtain the import template in the dialog box that is displayed, and execute the import.
3. Set parameters, as shown in Figure 5-82.

----End
5.4.9 Typical Configuration Example (Link and Virtual Tunnel,

Rate Limiting)
Limiting and applies to links and virtual tunnels.
For the example for configuring virtual tunnels, see 4.5.8 Typical Configuration Example 3
(Stream Attribute Virtual Tunnel, Defining the Traffic of Local IP Address or Remote IP
Address as the Virtual Tunnel).
5.4.10 Typical Configuration Example (Subscriber, Rate Limiting)

Limiting and is applied to subscribers.
Prerequisites
l 4.2 Configuring the Subscriber is complete. The subscribers to be managed reside in area
Haidian.

The SIG is deployed at the network access layer in in-line mode, as shown in Figure 5-83. It is
required to monitor the P2P service traffic of all subscribers in the Haidian area and set the
maximum downstream bandwidth for the service to 1000 kbit/s.
Figure 5-83 Networking diagram of the example for configuring traffic QoS (subscriber, rate
limiting)
Internet
Router
GE4/0/0
Front End
Switch
GE3/0/0 Back End
10.1.3.0/24
BRAS
User Network
Procedure
Management.
2. Click Add.
5-84.


Policy Application.
2. Click Add.
3. In the pop-up dialog box, select Haidian from Area, QoS from Type, and myQoS from
Name, as shown in Figure 5-86.

----End
5.4.11 Typical Configuration Example (Subscriber, Throttling)

This section provides an example for configuring traffic QoS in detail. The policy items is
throttling, and is applied to subscribers.
Prerequisites
Zhongguancun.
required to monitor the traffic of all subscribers in the Zhongguancun area, limiting the
maximum upstream bandwidth to 200kbit/s and maximum downstream bandwidth to 1000kbit/
s. It is required to throttle the Web_Browsing traffic, setting the guaranteed upstream bandwidth
to 40kbit/s, guaranteed downstream bandwidth to 200kbit/s, maximum upstream bandwidth to
80kbit/s, and maximum downstream bandwidth to 500kbit/s.

Figure 5-87 Networking diagram of the example for configuring traffic QoS (subscriber,
throttling)
Internet
Router
GE4/0/0
Front End
Switch
GE3/0/0 Back End
10.1.3.0/24
BRAS
User Network
Procedure
Management.
2. Click Add.
5-88.

4. Select Throttling from Item Type and click Add.

NOTE
To shape the traffic of all other protocol types in addition to those in the list, select the check box of
Include Unselected. The system automatically adds a record.

Policy Application.
2. Click Add.
3. In the pop-up dialog box, select Zhongguancun from Area, QoS from Type, and
myQoS from Name, as shown in Figure 5-90.
----End
5.4.12 Typical Configuration Example (Subscriber, Strict Priority)

This section provides an example for configuring traffic QoS in detail. The policy item is Strict
Priority, and is applied to subscribers.
Prerequisites
Zhongguancun.
maximum upstream bandwidth of all subscribers' traffic to 500 kbit/s and maximum downstream

bandwidth to 1,000 kbit/s, setting the guaranteed upstream bandwidth to 50kbit/s, guaranteed
downstream bandwidth to 100kbit/s. In the case of traffic congestion, traffic is forwarded
according to the priority.
NOTE
The value of the priority ranges from 0 to 7. The smaller the value, the higher the priority.
In the same policy package, the priorities of different strict priority policy items can adopt the same value.
l VoIP traffic
The priority of upstream and downstream traffic is 0.
l Web_Browsing traffic
l P2P traffic
l Other traffic
Figure 5-91 Networking diagram of the example for configuring traffic QoS (subscriber, strict
priority)
Internet
Router
GE4/0/0
Front End
Switch
GE3/0/0 Back End
10.1.3.0/24
BRAS
User Network

Procedure
Management.
2. Click Add.
5-92.
4. Select Strict Priority from Item Type, and click Add.

By clicking Add, you can add priority control items; by clicking Delete, you can delete
priority control items; by double-clicking the cell whose value needs changing, you can
change the parameter value.

NOTE
6. Click OK. The system returns to the previous page.
Policy Application.
2. Click Add.

----End
5.4.13 Typical Configuration Example (Subscriber, WFQ)

This section provides an example for configuring traffic QoS in detail. The policy item is WFQ,
and is applied to subscribers.
Prerequisites
Zhongguancun.
maximum upstream bandwidth of all subscribers' traffic to 500 kbit/s and maximum downstream
bandwidth to 1,000 kbit/s, setting the guaranteed upstream bandwidth to 50kbit/s, guaranteed
downstream bandwidth to 100kbit/s. In the case of traffic congestion, traffic is forwarded
according to the proportion.
l VoIP traffic
The proportion of upstream and downstream traffic is 5%.

l Web_Browsing traffic
l P2P traffic
l Other traffic
Figure 5-95 Networking diagram of the example for configuring traffic QoS (subscriber, WFQ)
Internet
Router
GE4/0/0
Front End
Switch
GE3/0/0 Back End
10.1.3.0/24
BRAS
User Network
Procedure

Management.
2. Click Add.
5-96.

4. Select Weighted Fair Queue from Item Type, and click Add.
By clicking Add, you can add weight control items; by clicking Delete, you can delete
weight control items.
NOTE


Policy Application.
2. Click Add.
----End
5.4.14 Typical Configuration Example (VIC, Rate Limiting)

Limiting and is applied to VICs.
Prerequisites
l 4.3 Configuring the VIC is complete. The VICs to be managed reside in area Haidian.
required to monitor the VoIP service traffic of all VICs in the Haidian area, and set the maximum
upstream and downstream bandwidth for the service to 10000 kbit/s.

Figure 5-99 Networking diagram of the example for configuring traffic QoS (VIC, rate limiting)
Internet
Router
GE4/0/0
Front End
Switch
GE3/0/0 Back End
10.1.3.0/24
BRAS
User Network
Procedure
Management.
2. Click Add.
5-100.


2. Click Add.
3. In the pop-up dialog box, select QoS from Type, myQoS from Name, and Haidian from
Area, as shown in Figure 5-102.

----End
5.4.15 Policy Priority Description

This section describes the priority decision mechanism and execution conflict decision
mechanism used by the SIG system in policy execution.
Definition
Concepts related to policy priority are as follows:
l Policy application objects

Are the subscriber and network objects, including subscribers, VICs, links, virtual tunnels,
subnets, and traffic direction objects.
l Service types
Are the types of services provided by SIG to the carrier, including traffic management,
FUP, charging, URL filtering, GreenNet, traffic mirroring/diversion, SmartBrowser, DNS
overwriting, Smart Advertising Interface, VoIP monitoring, anti-spammer, anti-DDoS,
anti-Botnet, anti-worm, and security services.
l Policy package
Is a set including one or more policy items. After applying the policy package to an
application object such as a link, subscriber, or VIC, the SIG system is able to apply every
item in the package to the application object.
l Policy item type

Is an entry identifying a particular service control policy. For example, in traffic

management service, policy item types include Rate Limiting, Priority Mark, Number of
Connections Control, Pass, Not Remark, Throttling, Strict Priority, and WFQ.
l Flow classification bound with policy item
Indicates network traffic bound in the policy item that meets particular conditions
For details, see 22.1.1 Overview in 22.1 Managing Flow Classifications and Flow
Classification Items.
l Policy item priority
Is the priority value specified in policy item definition. The smaller the value, the higher
the priority. The value is an integer that ranges from 1 to 9,999. The value is globally unique
in the system.
Priority Decision Mechanism

When a policy application object are bound to multiple policy packages of the same service type,
the system follows the priority decision mechanism as shown in Figure 5-103.
Figure 5-103 Priority decision mechanism
Collect all policy items bound with the

object
Categorize policy items

by service type
Further categorize results

by policy item type
Further categorize results

by flow classification
The policy item with the highest priority

in each category takes effect
End
l A policy application object group can be bound with only one policy package of each
service type.

For example, if traffic management and URL filtering service are enabled and Beijing is
the attribute group of subscribers, then Beijing can be bound to only one traffic QoS policy
package and one URL filtering policy package.
l When a policy application object belonging to multiple groups is bound to multiple policy
packages of the same service type, the system follows the priority decision mechanism as
1. Collect all policy packages bound with the same policy application object and
categorize policy items by service type.
Treat traffic management and FUP as the same category and each of the remaining
service types as a separate category. For example, category 1 includes traffic
management and FUP and category 2 is URL filtering.
2. Further categorize the preceding results by policy item type.
Treat Throttling, Strict Priority, and WFQ in traffic management as the same category.
For link policy packages in anti-worm, you are allowed to add control policy items in
a policy package for different control actions without having to categorize the control
policy items as one type.
NOTE
You are allowed to bind only one Worm policy package to a link; therefore, every policy item
in the Worm link policy package is valid and there is no need to decide by priority.
3. Further categorize the preceding results by flow classification bound with policy item.
Policy items of the same type may be bound to different flow classifications and you
need to further categorize policy items by the flow classification bound to them.
URL filtering and malware URL filtering policy packets contain no bound flow
classifications and the system classifies flow classifications by URL category. For
other policy packages without bound flow classifications such as anti-spammer and
anti-DDoS policy package, the system skips the categorization.
4. In the preceding categorization results, if there is only one policy item in a category,
the policy item is valid. If there are multiple policy items in a category (or they are of
the same service type, the same policy item type, and the same flow classification
bound to policy item), then the policy item with the smallest priority value is valid.
If there is a policy item for total traffic in a category of Throttling, Strict Priority, and
WFQ, then the policy item with the smallest priority value is valid; otherwise, the
policy item with the smallest priority value among all policy items is valid. Other
precautions are:
– All the strict priority and WFQ policy items contain the policy item that is specified
for the total traffic. The throttling policy item can either contain the policy the item
that is specified for the total traffic or not.
– For Throttling, Strict Priority and WFQ policy items, you need to set the priority
value for each sub-item. When a particular flow matches multiple sub-items, the
system handles the traffic by the sub-item with the smallest priority value. Sub-
items are new entries added to the list by clicking Add on the Policy Item Definition
page.
– When no policy item specified for the total traffic is configured in the throttling
policy item, the smallest priority value in the subitems is the priority of the policy
item.

NOTE
The policy item priority values are globally unique in the SIG system. If the SIG system
interconnects with the policy and charging rule function (PCRF) and policies are defined in
both the SIG system (static policy) and PCRF (dynamic policy), the parameter values may be
identical. In this case, only a dynamic policy is valid.
The following uses traffic management for example. Assume a subscriber belongs to both the
Beijing area, the Haidian area, and the myUserGroup subscriber user group. Beijing is bound
to PackageA, Haidian to PackageB, and myUserGroup to PackageC, as shown in Figure
5-104.
Figure 5-104 Priority description example
PackageA
Policy Item 1 Policy Item 2 Policy Item 3
Service 1 Service 2 Service 3
Number of
Throttling Pass
Connections Control
Priority: 9 Priority: 100 Priority: 200
PackageB
Rate Limiting
Priority Mark Not Remark
(without total traffic control)
PackageC
Weighted Fair Number of

Pass
Queue Connections Control
The analysis process is as follows:
1. Collect all policy packages bound with the same application object and categorize the policy
items by service type.
Category 1: policy items 1, 2, 3, 4, 5, 6, 7, 8, and 9

2. Further categorize the preceding results by policy item type.

Category 1: Rate Limiting, policy item 1
Category 2: Number of Connections Control, policy items 2 and 8
Category 3: Pass, policy items 3 and 9
Category 4: Throttling, Strict Priority and WFQ, policy items 4 and 7
Category 5: Priority Mark, policy item 5
Category 6: Not Remark, policy item 6
3. Further categorize the preceding results by flow classification bound with policy item.
Category 1: Rate Limiting, flow classification 1, policy item 1
Category 2: Number of Connections Control, flow classification 2, policy items 2 and 8
Category 3: Pass, flow classification 3, policy item 3
Category 5: Throttling, Strict Priority, and WFQ, flow classification 1, policy items 4 and
7
Category 6: Priority Mark, flow classification 2, policy item 5
Category 7: Not Remark, flow classification 3, policy item 6
4. In category 2, reserve policy item 8 with the smallest priority value; in category 5, reserve
policy item 7 with total traffic control; and reserve the only policy item contained in all the
other categories.
Category 1: Rate Limiting, flow classification 1, policy item 1
Category 2: Number of Connections Control, flow classification 2, policy item 8
Category 5: Throttling, Strict Priority, and WFQ, flow classification 1, policy item 7
Category 6: Priority Mark, flow classification 2, policy item 5
Category 7: Not Remark, flow classification 3, policy item 6
Therefore, the subscriber's policy items that are eventually valid include 1, 3, 5, 6, 7, 8, and 9.
Execution Conflict Decision Mechanism

You can filter all valid policy items using the priority decision mechanism. If the system detects
any conflict when executing these policy items, it follows this conflict decision mechanism:
l In traffic management, Pass policy items have priority over Rate Limiting, Throttling, Strict
Priority, or WFQ policy items; and Not Remark policy items have priority over Priority
Mark policy items.
l In traffic management service, if both the rate limiting policy item on the subscribers, links,
and virtual tunnels, and the throttling, strict priority, or WFQ policy item on subscribers
exist, the system ensures the CIR defined in the policy item first. If CIR is defined in
multiple policy items, the system ensures the CIR defined in throttling, strict priority, and
WFQ first.
Table 5-5 shows the detailed requirements. A packet is initially marked without colors.
After the last action in the policy is executed, if the packet is marked green or yellow, the
packet was forwarded. If red, the packet was discarded.

Table 5-5 Rules of handling the collisions between CIR and PIR
Current Under CIR Between CIR and Over PIR

Packet Color PIR
None. Marked green Marked yellow Marked red
Green Stay green Stay green Stay green
Yellow Marked green Stay yellow Marked red
Red Marked green Stay red Stay red
l In traffic management, if there is execution conflict in the priority mark policy item of
different types of policy application objects, the priority in descending order is: subscriber
DSCP label, VIC DSCP label, link DSCP label, traffic direction DSCP label, user attribute
virtual tunnel DSCP label, stream attribute virtual tunnel DSCP label, subscriber ToS label,
VIC ToS label, link ToS label, traffic direction ToS label, user attribute virtual tunnel ToS
label, and stream attribute virtual tunnel ToS label.
For example, if the VoIP DSCP field is 101110 for a subscriber and the VoIP DSCP field
is 000000 for the corresponding link, then the VoIP DSCP field is for the subscriber is
actually labeled as 101110.
l Execute the other policy items in sequence and the most strict takes effect.
For example, if the maximum downstream bandwidth is limited to 100 kbit/s for a
subscriber and the maximum downstream P2P bandwidth is limited to 0 for the link to
which the subscriber belongs, then the maximum downstream P2P bandwidths for the
subscriber and the link are limited to 0 respectively.
NOTE
For other possible execution conflicts, it is recommended that you confirm system decision mechanism by
the actual execution results. For details, contact Huawei technical support personnel.
5.4.16 Reference
This section describes the configuration references when the SAS requests policies from the
Policy and Charging Rule Function (PCRF).
Policy Requesting Mode

The SIG supports the following policy requesting modes:
l The SAS requests policies from the PCRF.

The SAS on the Front End requests policies only from the PCRF. This mode is applicable
to wireless networks.
l The SAS requests policies from the PLS.
The SAS on the Front End requests policies only from the PLS on the Back End. This mode
is applicable to fixed networks.
l The SAS requests the policy from the PCRF and policy server.
By default, the policy request mode of the SAS is both, namely, both the PCRF and PLS
request policies at the same time.

NOTE
The configuration command for the policy requesting mode is policy-request-server default { policy-
server | pcrf | both | none }.
Policy Configuration Methods for Different Policy Requesting Modes

When the SAS requests policies from the PLS, the policies defined on the GUI of the Back End
directly take effect, and no other operation is required.
When the SAS requests policies from the PCRF, the system supports the following policy
defining methods:
l Pre-defining policies on the SIG
Defines a policy package on the GUI of the Back End, records Policy Package Code of
the defined policy package, and then defines a policy on the PCRF. During the defining of
the policy, Policy Package Code is referenced.
Figure 5-105 shows an example of Policy Package Code.
Figure 5-105 Recording the code of the policy package
For example, the PCRF is the UPCC (Unified Policy and Charging Controller). The location
where Policy Package Code is referenced is as shown in Figure 5-106.

Figure 5-106 Referencing the code of the policy package
l Defining policies on the PCRF

Defines the type of the traffic where a policy is applied as one or more flow classifications
on the GUI of the Back End, records Code of the defined flow classifications, and then
defines a policy on the PCRF. During the defining of the policy, Code is referenced.
Figure 5-107 shows an example of Code.
Figure 5-107 Recording the code of the protocol group
For example, the PCRF is the UPCC (Unified Policy and Charging Controller). The location
where Code is referenced is as shown in Figure 5-108.

Figure 5-108 Referencing the code of the protocol group
NOTE
To learn more about the PCRF, refer to related technical documents provided by respective vendors.
5.5 Configuring Congestion Detection and Control

Congestion indicates a status that the bandwidths of links or NEs are over certain level
continuously, which compromises the performance of the network service. Perform this task to
check whether and when traffic congestion occurs on links or virtual tunnels, and to trigger the
QoS policies for specified links, virtual tunnels, or subscribers when congestion occurs.
5.5.1 Overview
This section describes background information about traffic congestion detection and various
functions brought by the congestion detection configuration.
Identifying the Congestion

The SIG system can perform the congestion detection on links and virtual tunnels. As shown in
Figure 5-109, the standards are as follows:
NOTE
To detect the traffic of certain NE, you can first define the NE as a user attribute virtual tunnel. For details,
see 4.5 Configuring the Virtual Tunnel.
l When the upstream or downstream traffic of a specified protocol, a flow classification, or
the total traffic of the link or virtual tunnel is over a specified value for a period of time,
the system identifies that the link or virtual tunnel is in congestion state. In the SIG system,
the value is called the trigger threshold, and the period of time is called the trigger threshold
statistics duration.
l When the upstream or downstream traffic of a specified protocol, a flow classification, or
the total traffic of the link or virtual tunnel is under a specified value for a period of time,
the system identifies that the link or virtual tunnel is in normal state. In the SIG system, the

value is called the release threshold, the period of time is called the release threshold
statistics duration.
Figure 5-109 Identifying the congestion
Bandwidth
Congested Congested
Trigger threshold
Release threshold
Time
Trigger threshold Release threshold Trigger threshold Release threshold
statistics duration statistics duration statistics duration statistics duration
Definition
For the description convenience, the SIG system defines the following concepts:
l Congestion threshold
indicates the object that contains all the congestion identifying conditions. These conditions
include protocol or flow classification, traffic direction, trigger threshold, trigger threshold
statistics duration, release threshold, and release threshold statistics duration, as shown in
Figure 5-110.

Figure 5-110 Example for congestion thresholds
You can add a maximum of 256 congestion thresholds, and import and export the thresholds
in batches.
l Congestion detection object
indicates the links and virtual tunnels that are bound with congestion thresholds.
One link or virtual tunnel can be bound with a maximum of eight congestion thresholds.
You can add a maximum of 4096 link congestion detection objects and 40,000 virtual tunnel
detection objects.
Function Description
The provided functions are as follows:
l Adding the link or virtual tunnel congestion detection objects, and viewing the status and
congestion logs of all congestion detection objects.
l Applying dynamic QoS policies to links or virtual tunnel congestion detection objects. In
this way, the policy takes effects only when the object is in congestion state.
The QoS policies applied to links or virtual tunnels support policy items including rate
limiting, priority mark, number of connections control, pass, and not remark.
l Applying dynamic QoS policies to subscribers. In this way, the policy takes effects when
the link or virtual tunnel is in congestion state.
The QoS policies applied to subscribers support policy items including rate limiting,
priority mark, number of connections control, pass, not remark, throttling, strict priority,
and weighted fair queue.

NOTE
For details on the QoS policies, see 5.4 Configuring Traffic QoS.
5.5.2 Configuration Flow

This section describes the configuration flow of congestion detection and control.
Figure 5-111 shows the configuration process.
Figure 5-111 Configuration flow of congestion detection and control
Start
Add congestion thresholds.
Add congestion detection

objects.
Check the current status and

history congestion logs.
Is the congestion No
control performed?
Yes
Add QoS policy package.
Apply QoS policy package.
End
Table 5-6 shows the flow description.
Table 5-6 Flow description of configuring the QoS policy
Operation Description
Add congestion The threshold is used as a condition to identify the congestion.

threshold. Operation page: In the navigation tree, choose Subscriber and
Network Management > Network > Congestion Threshold
Configure.

Operation Description
Add congestion Bind the links or virtual tunnels to be detected with the congestion
detection objects. threshold.
Link Congestion Detection Object Management.
View the current Operation pages include:

congestion status l The operation page for viewing the current congestion status of
and congestion links: In the navigation tree, choose Subscriber and Network
history logs. Management > Network > Physical Link Management > Link
Congestion Detection Object Management.
l The operation page for viewing the current congestion status of
virtual tunnels: In the navigation tree, choose Subscriber and
Management > Virtual Tunnel Congestion Detection Object
Management.
l The operation page for viewing the history congestion logs: In the
navigation tree, choose Statistics and Analysis Report >
Traffic > Link and Virtual Tunnel > Congestion Log.
Add a QoS policy Operation page: In the navigation tree, choose Traffic Management
package. > QoS > QoS Policy Package Management.
NOTE
For details on the QoS policies, see 5.4 Configuring Traffic QoS.
Apply the QoS Apply the QoS policy to links or virtual tunnels so that the policy takes
policy package. effect when congestion occurs. Or apply the QoS policy to subscribers
so that the policy takes effect when congestion occurs on a link or
virtual tunnel.
The operation pages include:
l The operation page for applying the policy package to links: In the
navigation tree, choose Subscriber and Network Management
> Network > Physical Link Management > Link Policy
Application.
l The operation page for applying the policy package to virtual
tunnels: In the navigation tree, choose Subscriber and Network
Management > Network > Virtual Tunnel Management >
Virtual Tunnel Policy Application.
l The operation page for applying the policy package to subscribers:
In the navigation tree, choose Subscriber and Network
Management > Subscriber > Policy Application.
.

5.5.3 Typical Configuration Example for Controlling Link

Congestion
This section provides examples for methods of link congestion detection and control. On a 10G
link, when the downstream bandwidth exceeds 5Gbit/s, the link is considered congested. In this
case, you need to limit the P2P and PeerCasting traffic to 1Gbit/s.
Prerequisites
l 4.4 Configuring the Link is complete. The name of the link to be managed is 10G-53-70-
xianwang.
l The current user has rights including Traffic Management, Subscriber and Network
Management, and Basic Configuration.
Figure 5-112 shows the network of a carrier. The requirements for controlling the congestion
of 10G link 10G-53-70-xianwang are as follows:
l If the upstream bandwidth is over 5Gbit/s for more than 15 minutes, the link is congested.
l When the link is congested, if the downstream bandwidth is lower than 4Gbit/s for 25
minutes, the link is considered in normal state.
l When the link is congested, the P2P and PeerCasting traffic of the link is limited to 1Gbit/
s, when the link is normal, the limitation is canceled.

Figure 5-112 Networking example for link congestion control
External Network
Router A
Swtich1 DPI System
Front End
Link: 10G-53-70-xianwang
Swtich2 Back End
Router B
Internal Network
Procedure
Step 1 Add the congestion threshold.
Congestion Threshold Configure.
2. Click Add.

Figure 5-113 Adding the congestion threshold
4. Click OK.
Step 2 Add congestion detection objects.

Physical Link Management > Link Congestion Detection Object Management.
2. Click Add.
Figure 5-114 Adding congestion detection objects
4. Click OK.
Step 3 Check the current congestion status.

2. Check the congestion status in the object list.

If is displayed in the Congestion Status column, the link is normal. If is displayed

in the Congestion Status column, the link is congested.
1. Add a flow classification.
Define protocol classifications P2P and PeerCasting as flow classification
P2PandPeerCasting. For details, see 22.1.4 Typical Configuration Example 2 in 22.1
Managing Flow Classifications and Flow Classification Items.
Management.
3. Click Add.
4. Enter P2PandPeerCastingControl in Name in the dialog box that is displayed, and click
Save.
5. Select Rate Limiting in Item Type, and then click Add.
Figure 5-115 Adding a QoS policy package
7. Click OK and click Cancel.

2. Click Add.

Figure 5-116 Applying the QoS policy package
4. Click Add.
If is displayed in Enabled Status, the policy package is disabled. If is displayed

in Enabled Status, the policy package is enabled, which means the link is congested.
----End
Verification
l Choose Statistics and Analysis Report > Traffic > Link and Virtual Tunnel > Traffic
Trend, and query the link traffic trend report to check whether the link traffic is controlled
as expected.
l Choose Statistics and Analysis Report > Traffic > Link and Virtual Tunnel >
Congestion Log, and check the congestion logs of the link.
5.5.4 Typical Configuration Example for Controlling NE Traffic

Congestion
This section provides examples for methods of NE traffic congestion detection and control. On
a BTS, when the downstream bandwidth exceeds 4Mbit/s, the BTS is considered congested. In
this case, you need to limit the P2P and PeerCasting traffic to 1Mbit/s.
Prerequisites
l 4.5.7 Typical Configuration Example 2 (User Attribute Virtual Tunnel, Defining BTS
as the Virtual Tunnel Category) in 4.5 Configuring the Virtual Tunnel is completed.
The name of the BTS to be managed is BTS1.
l The current user has rights including Traffic Management, Subscriber and Network
Management, and Basic Configuration.

of BTS1 are as follows:
l If the downstream bandwidth is over 4Mbit/s for more than 15 minutes, the BTS is
congested.
l When the link is congested, if the downstream bandwidth is lower than 3Mbit/s for more
than 15 minutes, the BTS is considered in normal state.
l When the BTS is congested, the P2P and PeerCasting traffic of the BTS are limited to
1Mbit/s, when the BTS is normal, the limitation is canceled.
Figure 5-117 Networking example for NE traffic congestion control
IP Backbone
PE PE
PE PE
CE CE
CE CE
DPI System
Front Back
Front End
End
End
GN1 GN2
SN1 SN2
BTS1 … BTS3
BTS2
Procedure
2. Click Add.

Figure 5-118 Adding congestion thresholds
4. Click OK.

2. Click Add.
4. Click OK.


1. Add a flow classification.
Define protocol classifications P2P and PeerCasting as flow classification
P2PandPeerCasting. For details, see 22.1.4 Typical Configuration Example 2 in 22.1
Management.
3. Click Add.
4. Enter P2PandPeerCastingControl in Name in the dialog box that is displayed, and click
Save.
5. Select Rate Limiting in Item Type, and then click Add.
7. Click OK and click Close.

2. Click Add.

4. Click OK.

----End
Verification
Trend, and query the virtual tunnel traffic trend report to check whether the virtual tunnel
traffic is controlled as expected.
Congestion Log, and check the congestion logs of the virtual tunnel.
5.5.5 Typical Configuration Example for Controlling Subscriber

Traffic When the Link Is Congested
This section provides examples for controlling the subscriber traffic when the link is congested.
On a 10G link, when the downstream bandwidth exceeds 5Gbit/s, the link is considered
congested. In this case, you need to throttle the total traffic of each subscriber in a specified area.
Prerequisites
l 4.4 Configuring the Link is complete. The name of the link to be managed is 10G-53-70-
xianwang.

l 4.2 Configuring the Subscriber is completed. The subscribers to be managed reside in

area Haidian.
l The current user has permissions including Traffic Management and Subscriber and
Network Management.
are as follows:
l If the downstream bandwidth pf link 10G-53-70-xianwang is over 5Gbit/s for 15 minutes,

the link is congested.
l When the link is congested, if the downstream bandwidth is lower than 4Gbit/s for 25
minutes, the link is considered in normal state.
l When the link is congested, throttle the total traffic of all subscribers in Haidian district.
Limit the maximum upstream bandwidth, maximum downstream bandwidth, guaranteed
upstream bandwidth, guaranteed downstream bandwidth of all subscriber to 500kbit/s,
1000kbit/s, 100kbit/s, 200kbit/s respectively.
Figure 5-122 Networking example for controlling the subscriber traffic when the link is
congested
Internat
Router
Swtich1DPI System
Front End
Link: 10G-53-70-xianwang
Swtich2 Back End
ets
ack
Sp
DIU
RA
BRAS
Internal Network

Procedure
2. Click Add.
Figure 5-123 Adding the congestion threshold
4. Click OK.
2. Click Add.

4. Click OK.



Management.
2. Click Add.
3. Enter HaidianControl in Name in the dialog box that is displayed, and click Save.
4. Select Throttling from Item Type and click Add.
6. Click OK and click Close.

2. Click Add.

4. Click OK.

----End

Verification
Trend, and query the link traffic trend report to learn the traffic trend of the link.
Congestion Log, and check the congestion logs of the link.
l Choose Statistics and Analysis Report > Traffic > Subscriber > Traffic Trend, and
query the subscriber traffic trend report to check whether the subscriber traffic is controlled
as expected.
5.5.6 Checking the Congestion Status and Logs

This section describes how to check whether an object is in congestion state and the congestion
history logs.
Prerequisites
The current user has the Subscriber and Network Management and Statistics and Analysis
Report service rights.
Context
According to the five-minute traffic report, the Front End checks the status of the link or virtual
tunnel. If an object matches the congestion trigger or release conditions, the Front End sends the
message to the Back End.
Procedure
Step 1 (Optional) Check the current congestion status of links.
2. Check the current congestion status in the congestion detection object list.
If is displayed in the Congestion Status column of an object, the object is normal. If

is displayed in the Congestion Status column of an object, the object is in congestion
state.
Step 2 (Optional) Check the current congestion status of virtual tunnels.

Virtual Tunnel Management > Virtual Tunnel Congestion Detection Object
Management.
2. Check the current congestion status in the congestion detection object list.
If is displayed in the Congestion Status column of an object, the object is normal. If

is displayed in the Congestion Status column of an object, the object is in congestion
state.
Step 3 (Optional) View congestion logs.

1. In the navigation tree, choose Statistics and Analysis Report > Traffic > Link and
Virtual Tunnel > Congestion Log.

2. Select the object to be analyzed as Link or Virtual Tunnel, and enter the time range.
3. Click Query Report. The system displays the congestion logs shown as Figure 5-127.
Figure 5-127 Viewing the congestion logs
----End
5.6 Implementing Traffic Direction Statistics

To query the traffic direction report for collecting statistics on the traffic directions between one
link (or link group) and one AS domain group, between one AS domain group and another AS
domain group, between one subnet and one AS domain group, or between one subnet and another
subnet, you should perform this task.
5.6.1 Overview
This section describes the concepts related to traffic direction statistics and its various functions.
Concepts related to traffic direction statistics are as follows:
l Traffic direction
Indicates the network traffic analysis object between two specified networks.
The SIG supports the following traffic direction objects:
– Between one link (or link group) and one AS domain group
– Between one AS domain group and another AS domain group
– Between one subnet and one AS domain group
– Between one subnet and another subnet
l Outgoing, incoming, and transit traffic

Outgoing, incoming, and transit traffic is only valid for analysis objects in the traffic
direction between one link and one AS domain group. Transit traffic is only available,
irrespective of traffic types.
When statistics on traffic are not collected by traffic type:
– Outgoing traffic is the upstream traffic with its IP packets originating from the local
domain group (that is, the IP address of the internal network) and destining for the AS
domain group.
– Incoming traffic is the downstream traffic with its IP packets originating from the AS
domain group and destining for the local domain group.
– Transit traffic indicates that its IP packets originating from the AS domain group and
destining for the non-local domain group.
When statistics on traffic are collected by traffic type:
– Outgoing traffic is the upstream traffic with its IP packets destining for the AS domain
group.
– Incoming traffic is the downstream traffic with its IP packets originating from the AS
domain group.
The SIG supports collecting statistics on the following traffic direction objects:
l Between one link (or link group) and one AS domain group
The system provides the traffic direction trend report, traffic direction proportion report,
and top N protocol report by traffic for analysis objects in the traffic direction between one
link (or link group) and one AS domain group.
In addition, the system provides report statistics on the traffic trend and proportion of
outgoing, incoming, and transit traffic.
l Between one AS domain group and another AS domain group
AS domain group and another AS domain group.
l Between one subnet and one AS domain group
subnet and one AS domain group.
l Between one subnet and another subnet
subnet and another subnet.

This section describes how to implement traffic direction statistics in detail, so that you can
obtain the brief information about the operation.

Figure 5-128 Procedure for implementing traffic direction statistics
Start
Is the
traffic direction Yes
statistics configuration
added?
No
Add the traffic direction
Query the traffic direction

reports
End
Table 5-7 Procedure description of implementing traffic direction statistics

Action Description
Add the traffic By adding the traffic direction statistics configuration, you can enable
direction statistics statistics collection for all traffic direction objects whose statistics are
configuration to be collected. If the configuration is already added, this action is not
required.
Network Management > Network > Traffic Direction Object >
Traffic Direction Object Management.
NOTE
To add the traffic direction configuration of a link group, you should make sure
that the traffic direction configuration of the link is already added. For example,
suppose that link group LinkGroup contains two links, namely, Linka and
Linkb. Therefore, to add the traffic direction statistics configuration of the link
group between LinkGroup and one AS domain group, you should first add the
traffic direction statistics configurations of links between Linka and the AS
domain group, between Linkb and the AS domain group.

Action Description
Query the traffic You can enter report query conditions and then implement traffic
direction reports direction statistics.
Operation pages include:
l To collect statistics on the traffic between one link (or link group)
and one AS domain group: In the navigation tree, choose Statistics
and Analysis Report > Traffic Direction > Link.
l To collect statistics on the traffic between one AS domain group
and another AS domain group: In the navigation tree, choose
Statistics and Analysis Report > Traffic Direction > AS
Domain Group.
l To collect statistics on the traffic between one subnet and one AS
domain group or between one subnet and another subnet: In the
navigation tree, choose Statistics and Analysis Report > Traffic
Direction > Subnet.

This section describes how to implement traffic direction statistics.
Prerequisites

To add the traffic direction statistics configuration, the current user should have the
Subscriber and Network Management service permission.
NOTE
Procedure
Step 2 (Optional) Add the traffic direction statistics configuration.

NOTE
If the traffic direction statistics configuration is already added, go to Step 3.

Traffic Direction Object > Traffic Direction Object Management.
2. Click Add.

3. In the pop-up dialog box, select the network objects at both ends for traffic direction
statistics, and then click OK.
4. (Optional) Repeat Step 2.1 to Step 2.3 to add other traffic direction statistics configurations.
Step 3 Select the corresponding operations based on the type of the report to be queried.
l To collect statistics on the traffic between one link (or link group) and one AS domain group,
In the navigation tree, choose Statistics and Analysis Report > Traffic Direction >
Link. Select the report to be queried.
l To collect statistics on the traffic between one AS domain group and another AS domain
group, In the navigation tree, choose Statistics and Analysis Report > Traffic Direction
> AS Domain Group. Select the report to be queried.
l To collect statistics on the traffic between one subnet and one AS domain group or between
one subnet and another subnet, In the navigation tree, choose Statistics and Analysis
Report > Traffic Direction > Subnet. Select the report to be queried.
TIP
for the next query.
Task Reports.

NOTE
----End
5.6.4 Report Examples (Between One Link or Link Group and One
AS Domain Group)
This section describes reports on the traffic direction between one link (or link group) and one
AS domain group and provides examples of the reports.
Report Navigation
NOTE
l Statistics and Analysis Report > Traffic Direction > Link > Trend of Incoming and
Outgoing and Transit Traffic
l Statistics and Analysis Report > Traffic Direction > Link > Proportion of Incoming
and Outgoing and Transit Traffic

l Statistics and Analysis Report > Traffic Direction > Link > Top N Incoming and
l Statistics and Analysis Report > Traffic Direction > Link > Traffic Direction Trend
l Statistics and Analysis Report > Traffic Direction > Link > Traffic Direction
Proportion
l Statistics and Analysis Report > Traffic Direction > Link > Top N Protocols by Traffic
Statistics and Analysis Report > Traffic Direction > Link > Trend of Incoming and
Through this report, you can view the trends of incoming, outgoing, and transit traffic between
one link and one AS domain group.
NOTE
Figure 5-129 shows report examples.
Figure 5-129 Example of the report on the trends of incoming, outgoing, and transit traffic

Statistics and Analysis Report > Traffic Direction > Link > Proportion of Incoming
and Outgoing and Transit Traffic
Through this report, you can view the proportions of incoming, outgoing, and transit traffic
between one link and one AS domain group.
Figure 5-130 Example of the report on the proportions of incoming, outgoing, and transit traffic
Statistics and Analysis Report > Traffic Direction > Link > Top N Incoming and
Through this report, you can view the top N incoming, outgoing, and transit traffic statistics
collected in different modes.

Figure 5-131 Example of the report on top 10 incoming, outgoing, and transit traffic
Statistics and Analysis Report > Traffic Direction > Link > Traffic Direction Trend
Through this report, you can view the trend of the traffic between one link (or link group) and
one AS domain group.
NOTE

Figure 5-132 Example of the report on the traffic direction trend
Statistics and Analysis Report > Traffic Direction > Link > Traffic Direction
Proportion
Through this report, you can view the proportion of the traffic between one link (or link group)
and one AS domain group. If you select proportion to total traffic, the report displays the traffic
proportion of the specified traffic type to the total traffic of the analysis object; if you select
proportion to the corresponding traffic type, the report displays the traffic proportion to the traffic
of the type.

Figure 5-133 Example of the report on the traffic direction proportion
Statistics and Analysis Report > Traffic Direction > Link > Top N Protocols by
Traffic
Through this report, you can view top N categories or protocols by traffic between one link (or
link group) and one AS domain group.

5.6.5 Report Examples (Between One AS Domain Group and

Another AS Domain Group)
This section describes reports on the traffic direction between one AS domain group and another
AS domain group and provides examples of the reports.
Report Navigation
NOTE
l Statistics and Analysis Report > Traffic Direction > AS Domain Group > Traffic
Direction Trend
l Statistics and Analysis Report > Traffic Direction > AS Domain Group > Traffic
Direction Proportion
l Statistics and Analysis Report > Traffic Direction > AS Domain Group > Top N
Statistics and Analysis Report > Traffic Direction > AS Domain Group > Traffic
Direction Trend
Through this report, you can view the trend of the traffic between one AS domain group and
another AS domain group.
NOTE

Statistics and Analysis Report > Traffic Direction > AS Domain Group > Traffic
Direction Proportion
Through this report, you can view the proportion of the traffic between one AS domain group
and another AS domain group. If you select to query the traffic proportion to the total traffic,
the report displays the traffic proportion of the specified traffic type to the total traffic of the
analysis object; if you select to query the traffic proportion to the corresponding traffic type, the
report displays the traffic proportion to all the category traffic.

Statistics and Analysis Report > Traffic Direction > AS Domain Group > Top N
Through this report, you can view top N categories or protocols by traffic between one AS
domain group and another AS domain group.

5.6.6 Report Examples (Between One Subnet and One AS Domain

Group, Between One Subnet and Another Subnet)
This section describes reports on the traffic direction between one subnet and one AS domain
group or between one subnet and another subnet and provides examples of the reports.
Report Navigation
NOTE
l Statistics and Analysis Report > Traffic Direction > Subnet > Traffic Direction Trend
l Statistics and Analysis Report > Traffic Direction > Subnet > Traffic Direction
Proportion
l Statistics and Analysis Report > Traffic Direction > Subnet > Top N Protocols by
Traffic
Statistics and Analysis Report > Traffic Direction > Subnet > Traffic Direction
Trend
Through this report, you can view the trend of the traffic between one subnet and one AS domain
group or between one subnet and another subnet.
NOTE

Statistics and Analysis Report > Traffic Direction > Subnet > Traffic Direction
Proportion
Through this report, you can view the proportion of the traffic between one subnet and one AS
domain group or between one subnet and another subnet. If you select to query the traffic
proportion to the total traffic, the report displays the traffic proportion of the specified traffic
type to the total traffic of the analysis object; if you select to query the traffic proportion to the
corresponding traffic type, the report displays the traffic proportion to all the category traffic.

Statistics and Analysis Report > Traffic Direction > Subnet > Top N Protocols by
Traffic
Through this report, you can view top N categories or protocols by traffic between one subnet
and one AS domain group or between one subnet and another subnet.

5.7 Configuring Traffic Direction QoS

To implement QoS bandwidth control over the traffic between one link and one AS domain
group, between one AS domain group and another AS domain group, between one subnet and
one AS domain group, or between one subnet and another subnet, you should perform this task.
5.7.1 Overview
This section describes various functions of configuring traffic direction QoS.
Traffic direction QoS supports:
l The rate limiting (PIR only) and pass policies based on flow classification on the traffic
direction objects between one link and one AS domain group.
l The rate limiting (PIR only) and pass policies based on flow classification on the traffic
direction objects between one AS domain group and another AS domain group.
l The rate limiting (PIR only) and pass objects based on flow classification on the traffic
direction objects between one subnet and one AS domain group, and between one subnet
and another subnet.
NOTE
The pass policy item has a higher priority than the rate limiting policy item. For example, by applying a
policy package that contains the pass item, you can permit the traffic of a specified subnet and free the
target traffic from the traffic QoS or traffic direction QoS policies. For example, you already add the policy
package that limits the rate of the P2P link traffic. To permit the P2P traffic of specified IP address segments,
you can add the traffic between these addresses and other addresses (the addresses and existing in the
system by default) as the traffic direction objects, and apply the policy package containing the pass item
to the traffic objects.
Related concepts of traffic direction QoS are similar to those of traffic QoS. For details, see
5.4.1 Overview of 5.4 Configuring Traffic QoS.

This section describes how to configure traffic direction QoS in detail, so that you can obtain
the brief information about the operation.

Figure 5-141 Procedure for configuring traffic direction QoS
Start
Is the
traffic direction Yes
added?
No
Add the traffic direction
Add a policy package
Apply the policy package to

the traffic direction object
End
Table 5-8 Procedure description of configuring traffic direction QoS

Action Description
Add the traffic By adding the traffic direction statistics configuration, you can enable
direction statistics statistics collection for all traffic direction objects whose statistics are
configuration to be collected. If the configuration is already added currently, this
action is not required.
Network Management > Network > Traffic Direction Object >
Traffic Direction Object Management.
NOTE
The operation page for adding the traffic direction statistics configuration is the
same as that for binding the policy package to the traffic direction object. To
facilitate the operation, you can add the policy package first and then perform
these two steps.
Add a policy You can add policy packages as required. A policy package can
package contain one or multiple policy items.
Operation page: In the navigation tree, choose Traffic Management
> Traffic Direction > Traffic Direction Policy Package
Management.

Action Description
Apply the policy Apply an added policy package to traffic direction objects.
package to the Operation page: In the navigation tree, choose Subscriber and
traffic direction Network Management > Network > Traffic Direction Object >
object Policy Application.
5.7.3 Typical Configuration Example 1 (Between One Link and One

AS Domain Group)
This section provides an example for configuring traffic direction QoS in detail. The traffic
direction object is between one link and one AS domain group.
Prerequisites
l 4.4 Configuring the Link and 4.6 Configuring the AS Domain Group are complete.
The SIG is deployed on the network in in-line mode, as shown in Figure 5-142. The name of
linka is 10G-1-1-linka, and that of linkb is 2.5G-2-1-linkb. Moreover, AS65008 is configured
as AS domain group as8.
It is required to monitor the P2P service traffic between linka and AS65008 and set the maximum
downstream bandwidth for the service to 1000000 kbit/s, as well as monitor the P2P service
traffic between linkb and AS65008 and set the maximum downstream bandwidth for the service
to 250000 kbit/s.

Figure 5-142 Networking diagram of the example for configuring traffic direction QoS (between
one link and one AS domain group)
External network
AS65008, AS65009
RR
Router A Router B
Switch
DPI A DPI B
linka linkb
Back End
Router C Router D
Internal network
AS65006
Procedure
1. In the navigation tree, choose Traffic Management > Traffic Direction > Traffic
Direction Policy Package Management.
2. Click Add.
3. In the pop-up dialog box, enter myQoSa in Name, and then click Save, as shown in Figure
5-143.


8. Repeat Step 2.2 to Step 2.7 to add policy package myQoSb and set Maximum
Downstream Bandwidth of P2P traffic to 250000.
Step 3 Add the traffic direction statistics configuration and apply the policy package to the traffic
direction object.
2. Click Add.

Figure 5-145 Adding the traffic direction statistics configuration
Traffic Direction Object > Policy Application.
6. Click Add.
7. In the pop-up dialog box, select Traffic Direction from Policy Package Type, select
myQoSa from Policy Package Name, select 10G-1-1-linka-as8 from Traffic Direction
Object.
9. Repeat Step 3.2 to Step 3.8 to bind policy package myQoSb to the traffic direction from
2.5G-2-1-linkb to as8.
----End
5.7.4 Typical Configuration Example 2 (Between One AS Domain

Group and Another AS Domain Group)
direction object is between one AS domain group and another AS domain group.
Prerequisites
l 4.6 Configuring the AS Domain Group is complete.
The SIG is deployed on the network in in-line mode, as shown in Figure 5-146. AS65006 is
configured as AS domain group as6, and AS65008 is configured as AS domain group as8.
It is required to monitor the P2P service traffic between AS65006 and AS65008 and set the
maximum downstream bandwidth for the service to 1250000 kbit/s.

one AS domain group and another AS domain group)
External network
AS65008, AS65009
RR
Router A Router B
Switch
DPI A DPI B
linka linkb
Back End
Router C Router D
Internal network
AS65006
Procedure
2. Click Add.
5-147.


5. In the pop-up dialog box, enter P2P Control in Item Name, select any value from
Priority, and select P2P from Flow Classification. Then double-click the text box of
Maximum Downstream Bandwidth, and enter 1250000.
direction object.
2. Click Add.

6. Click Add.
myQoS from Policy Package Name, select as6-as8 from Traffic Direction Object.
----End
5.7.5 Typical Configuration Example 3 (Between One Subnet and

One AS Domain Group)
direction object is between one subnet and one AS domain group.
Prerequisites
l 4.7 Configuring the Subnet and 4.6 Configuring the AS Domain Group are complete.
The SIG is deployed on the network in in-line mode, as shown in Figure 5-149. Subnet service
object ExampleSubnet is added, and AS65008 is configured as AS domain group as8.
It is required to monitor the traffic between ExampleSubnet and AS65008, and set the maximum
upstream bandwidth to 50000 kbit/s and maximum downstream bandwidth to 100000 kbit/s.

one subnet and one AS domain group)
External network
AS65008, AS65009
Router
Front End
Switch
Back End
BRAS
User Network
ExampleSubnet
Procedure
2. Click Add.
5-150.


5. In the pop-up dialog box, enter TotalControl in Item Name, select any value from
Priority, and select Total from Flow Classification. Then double-click the text box of
Maximum Upstream Bandwidth and enter 50000; double-click the text box of Maximum
Downstream Bandwidth and enter 100000.
direction object.
2. Click Add.

6. Click Add.
myQoS from Policy Package Name, select ExampleSubnet-as8 from Traffic Direction
Object.
----End
5.7.6 Typical Configuration Example 4 (Between One Subnet and

Another Subnet)
direction object is between one subnet and another subnet.
Prerequisites
l 4.7 Configuring the Subnet is complete.
The SIG is deployed on the network in in-line mode, as shown in Figure 5-152. Subnet service
objects ExampleSubnet1 and ExampleSubnet2 are added.
It is required to monitor the VoIP traffic between ExampleSubnet1 and ExampleSubnet2, and
set the maximum upstream bandwidth to 10000 kbit/s and maximum downstream bandwidth to
10000 kbit/s.

one subnet and another subnet)
External network
Router
Front End
Switch
Back End
BRAS
User Network
ExampleSubnet1 ExampleSubnet2
Procedure
2. Click Add.
5-153.


5. In the pop-up dialog box, enter VoIPControl in Item Name, select any value from
Priority, and select VoIP from Flow Classification. Then double-click the text box of
Maximum Upstream Bandwidth and enter 10000; double-click the text box of Maximum
Downstream Bandwidth and enter 10000.
direction object.
2. Click Add.

6. Click Add.
myQoS from Policy Package Name, select ExampleSubnet1-ExampleSubnet2 from
Traffic Direction Object.
----End
5.8 Customized Data Reporting

The customized data reporting is used to set the range in which statistics on traffic and traffic
direction data are collected, including the flow classification statistics policy, subscriber protocol
statistics policy, and subscriber group statistics policy. To adjust the range in which statistics on
traffic and traffic direction data are collected, perform this task. In addition, if you need to report
the report data by subscriber group attribute, configure the function when you add or change the
subscriber group attribute. This operation is not in the task.
5.8.1 Overview
This section describes the purpose of customized data reporting.
The definable data report policies include:
l Flow classification statistic policy
When the customized flow classification matches any of the following conditions, you can
view the traffic and traffic direction report:
– Policy package has been bound
Apply one of or several of the policy items including rate limiting, number of
connections control, strict priority, WFQ to the flow classification, and bind the policy
package to a subscriber or network object. Then you can view the traffic report of the
subscriber and network object according to the flow classification.
– Customized data reporting
In the Traffic Management > Customized Data Reporting > Flow Classification
Statistic Policy page, reference the policy package of a flow classification, and bind
the policy package to a user or network object. Then you can view the traffic report of
the subscriber and network object according to the flow classification.
The subscriber and network objects supported by the customized data reporting function
include subscribers, VICs, links, virtual tunnels, and traffic direction objects.
NOTE
For details on flow classification, see 22.1.1 Overview in 22.1 Managing Flow Classifications and
Flow Classification Items.
l Subscriber protocol statistics policy
Options:
– Collecting statistics on all protocols
Collecting statistics on all the protocol categories in the protocol signature file and traffic
and traffic direction report data. This option consumes the disk space most.

– Collecting statistics on specified protocols

Manually selecting the protocol and protocol category whose traffic and traffic direction
report data are to be collected.
– Collecting the statistics only on the total traffic
Collecting the statistics on traffic and traffic direction data of the total traffic regardless
of protocols. This option consumes the disk space least.
l Subscriber user group statistics policy
After you enable a subscriber group statistics policy, the statistics on the traffic of all
protocol categories and protocols of all subscribers in the group are collected free from the
impact from the protocol statistics policy.
l Subscriber user group attribute statistics policy
Sets whether to enable the statistics collection when you add or change the group attributes.
After you enable the traffic statistics collection function of an attribute group, you can view
some of the subscriber reports according to the group attribute. This setting is subject to
the protocol statistics policies.
For details on group attributes, see 4.2 Configuring the Subscriber.
After you configure the data reporting policies, you can view the required report data when 5.2
Querying Traffic Reports, 5.3 Querying the User Behavior Statistics Report, or 5.6
Implementing Traffic Direction Statistics.
5.8.2 Adjusting the Flow Classification Statistics Policy

This section describes how to configure the flow classification statistics policy
Prerequisites
l The 22.1 Managing Flow Classifications and Flow Classification Items and 4
Subscriber and Network Object Initialization are completed.
l The current user has the rights of Traffic Management and Subscriber and Network
Management.
Procedure
Step 2 Add the policy package for flow classification statistics.
1. In the navigation tree, choose Traffic Management > Customized Data Reporting >
Flow Classification Statistic Policy.
2. Click Add.
3. Enter a name in Policy Package Code, and then click Save.
4. Click Add, enter the policy item name in Item Name, select the flow classification for the
data to be reported in Flow Classification, and click OK. Figure 5-155 shows the system
information that is displayed.

Figure 5-155 Adding a flow classification statistics policy package
5. (Optional) Repeat the previous operation and add flow classifications for the data to be
reported.
1. Click Close. The system returns to the previous page and displays a new policy package
record.
Step 3 Apply the flow classification statistics policy package.

1. Depending on the subscriber and network object type, the optional operations are as
follows:
l When applying the policy package to a subscriber, In the navigation tree, choose
Subscriber and Network Management > Subscriber > Policy Application.
l When applying the policy package to a VIC, In the navigation tree, choose Subscriber
and Network Management > Very Important Customer > Policy Application.
l When applying the policy package to a link, In the navigation tree, choose Subscriber
and Network Management > Network > Physical Link Management > Link Policy
Application.
l When applying the policy package to a virtual tunnel, In the navigation tree, choose
Subscriber and Network Management > Network > Virtual Tunnel
Management > Virtual Tunnel Policy Application.
l When applying the policy package to a traffic direction object, In the navigation tree,
choose Subscriber and Network Management > Network > Traffic Direction
Object > Policy Application.
2. Click Add.
3. Apply the flow classification statistics policy package added in the preceding step to a target
object.
The following uses applying the policy package to a link as an example. Figure 5-155
shows the operation page.

Figure 5-156 Applying the flow classification statistics policy package (1)
4. Click OK. The system returns to the previous page and displays a new record as shown in
Figure 5-157.
Figure 5-157 Applying the flow classification statistics policy package (2)
----End
Follow-up Procedure
You can view the real-time traffic report data in 2 minutes.
5.8.3 Adjusting the Protocol Statistics Policy of Subscriber

This section describes the method of adjusting subscriber protocol statistics policy.
Prerequisites
The current user has service right Traffic Management.
Procedure
Step 2 In the navigation tree, choose Traffic Management > Customized Data Reporting >
Subscriber Protocol Statistic Policy.

l To collect the statistics on all protocols, select Total Traffic Statistic.

l To collect the statistics on specified protocols, select Specified Protocol Statistic, and then
select the protocol and protocol categories of the traffic to be collected in the protocol tree.
l To collect the statistics on the total traffic, select All Protocols Statistic.
Step 4 Click Save.
The configuration takes effect in about five minutes.
----End
5.8.4 Adjusting the Statistics Policy of Subscriber User Groups

This section describes the method of adjusting the statistics policy on subscriber user groups.
Prerequisites
The current user has service right Traffic Management.
Procedure
Step 2 In the navigation tree, choose Traffic Management > Customized Data Reporting >
Subscriber Group Statistic Policy.
l To enable the statistics collection, select the user group to be enabled, and click Start
Statistics.
l To disable the statistics collection, select the user group to be disabled, and click Cancel
Statistics.
----End

Configuration Guide 6 FUP Service
6 FUP Service
About This Chapter
Through the Fair Usage Policy (FUP) service, the SIG limits the bandwidths of monthly-fee
users. When exceeding a certain quota, users' bandwidths are minimized. Thereby, the SIG
provides the FUP service for wireless and fixed network users.
6.1 About the FUP Service

This describes the FUP service and FUP function supported by the SIG.
6.2 Configuring the FUP Service (Interworking with the PCRF)
To configure and apply the FUP service when the SIG interworks with the PCRF (take the UPCC
V300R002C06 as an example, the configuration varies with the UPCC version), you should
refer to this part.
6.3 Manually Adjusting Surplus Quotas (Interworking with the PCRF)
When the SIG interworks with the PCRF (take the UPCC as an example), and the FUP service
is applied for a period of time, certain users' quotas are consumed. To add or reduce users' surplus
quotas, you should refer to this part and manually adjust the surplus quotas on the UPCC.

6.1 About the FUP Service

This describes the FUP service and FUP function supported by the SIG.
FUP Service Introduction

To attract users, carriers launch non-traffic-based charging packages such as monthly payment.
With the popularization of such services, carriers are gradually confronted with unfair usage of
resources. On the network, 10% users consume 80% resources. As a result, subscribers to the
same service cannot enjoy the same experience. The FUP service resolves this problem and can
send notifications to users when their usage reach certain amount.
The Fair Usage Policy (FUP) indicates limiting a user's bandwidth usage (by traffic quota or
duration quota) in a specified period of time and adjusting policies when a user's total traffic,
traffic of a specified service, total duration, or the duration of a specified service exceeds the
corresponding quota. Using the FUP, you can reduce the bandwidth for the total traffic or the
traffic of a specified service so as to fairly allocate network resources, or send notifications to
users when their traffic or duration usage reach certain amount.
In short, the FUP service of the SIG is policy control based on the traffic/duration usage, as
Figure 6-1 Adjusting the policy by traffic

Bandwidth
Unit: kbit/s
1000
500
250
0 1000 2000 Traffic

Unit: MB
When the user traffic exceeds the specified value, the corresponding bandwidth is limited. For
example:
l When user traffic is less than 1000 MB, the bandwidth is limited to 1000 kbit/s.
l When user traffic is between 1000 MB and 2000 MB, the bandwidth is limited to 500 kbit/
s.
l When user traffic is more than 2000 MB, the bandwidth is limited to 250 kbit/s.
The data configuration engineer can configure redirection. When the used quota reaches a certain
level or the quota is used up, user's HTTP access is redirected and the user is prompted with
recharge or other information.

Typical Networking of the FUP

The FUP service of the SIG system are available on wireless and fixed networks. The following
wireless networks are supported:
l GPRS/Universal Mobile Telecommunications System (UMTS) network, including GPRS
(2.5G), Enhanced Data Rates for GSM Evolution (EDGE) (2.75G), WCDMA (3G), and
High Speed Downlink Packet Access (HSDPA) (3.5G).
l CDMA/CDMA2000 network, including CDMA 1X (2.5G) and CDMA EVDO (3G).
In this case, the SIG reports only the user ID, IP address, and Base Station Identify Code
(BSID) to the PCRF, but not other user attributes such as the user location. That is, it does
not support the features based on other user attributes.
l Worldwide Interoperability for Microwave Access (WiMAX) network
In this case, the SIG reports only the user ID and IP address to the PCRF, but not other user
attributes such as the user location. That is, it does not support the features based on other
user attributes.
l Wireless Fidelity (WiFi) network
user attributes.
The SIG, serving as the PCEF, interworks with the PCRF such as the UPCC. In this manner, it
supports the pre-defined rules and dynamic rules of the FUP service, and adjusts user policies
upon event changes, for example, roaming of a wireless user.
According to the devices where policies are configured, pre-defined rules distinguished from
dynamic rules:
l Pre-defined rule: A rule is pre-defined, that is, the policy is configured on the SIG. The
content of the FUP traffic control policy is flexible. Therefore, when the SIG interworks
with the PCRF, the pre-defined rule is recommended. However, users' HTTP access cannot
be redirected with the pre-defined rule.
l Dynamic rule: A rule is dynamic, that is, the policy is configured on the PCRF. With the
dynamic rule, users' HTTP access can be redirected.
Figure 6-2 shows the typical deployment of the wireless network.
Figure 6-2 Typical networking diagram of the wireless scenario
Back End
RADIUS
PCRF
Server
et Gx
a ck
U SP
DI
RA
Gi
IP/MPLS
Video Streaming
PCEF
SGSN GGSN (Front End) Voice VoIP
DPI System

NOTE
The RADIUS proxy server on the Back End of the SIGsystem (Which is the DPI system in the figure) can
obtain account information in Carbon Copy (CC), listen, proxy or sniffer mode (the figure shows the CC
mode). In this scenario, the Front End, that is, the DPI device, acts as the PCEF.
Figure 6-3 shows the typical deployment of the fixed network.
Figure 6-3 Typical networking diagram of the fixed network scenario
Backbone PCRF
Route of MAN
Front End Back End
t
ke DPI System
Pac
S
D IU
RA
BRAS
...
Users
NOTE
In this scenario, the Front End of the SIG, serving as the DPI device, is deployed at the access layer.
Typical application of the FUP service

The typical application examples describe the service traffic and total traffic. Applications of
the service duration and total duration are similar to those of the traffic and are therefore omitted.
l Collects the quota of the total traffic and controls the total traffic.
l Collects the quota of the service traffic and controls the service traffic.
l Collects the quota of the total traffic and controls service traffic.
l Collects the quota of Web sites except some specified ones and controls the traffic.
l Uses certain quota for some specified Web sites for free, and then collects the quota of the
charged traffic and controls the traffic.

l Collects the quota of the total traffic respectively in local and roaming places and controls
the traffic when the user is roaming.
Implementation of the FUP Function

The FUP service of the SIG supports:
l Quota configuration and FUP control for the total traffic, service traffic, total duration, and
service duration.
For example, you can enable the FUP service for the traffic of users subscribing to the 1
Mbit/s bandwidth service, or the P2P and VoIP traffic of certain users.
l Resetting quotas periodically, thus realizing service-oriented refined operation.
You can set the total quota based on the day, week, and month, and manually adjust quota
consumption. Two settlement modes, namely, Reset and Cumulate, are available.
l Setting several levels of quota consumption. You can bind different FUP traffic control
policy packages to corresponding levels, and limit the traffic of a certain level to the specific
value, thus realizing hierarchical bandwidth management. For the dynamic rule of the FUP
service, data configuration engineers can set redirections. When users' quota consumption
reaches the specific level or the quota is exhausted, users' HTTP access is redirected and
users are reminded of recharge.
For example, when a user's service quota is exhausted, the device lowers the user's upstream
and downstream bandwidths, so that the user can access only basic services. With this
service, the user whose quota is exhausted does not occupy the quotas of normal users. To
use the original bandwidth, the user should pay certain fees. By configuring the threshold
and corresponding policy, carriers can control the policy delivered to the PCEF based on
the quota status. In so doing, the quota consumption-based traffic control is implemented.
Online User Identification

The SIG needs to extract the user login and logout information, mapping between the account
and IP address, and user roaming information.
The methods of the SIG to obtain RADIUS packets are as follows:

l Carbon Copy (CC) mode: In CC mode, the NAS or AAA server copies RADIUS packets
to the RADIUS proxy server; however, the RADIUS proxy server does not respond to
received packets.
l CC-ACK mode: When the NAS or AAA server supports the CC function, the NAS or AAA
server copies RADIUS packets to the RADIUS proxy server. Then the RADIUS proxy
server responds to received packets.
l Listen mode: The NAS and AAA server are connected using optical fibers or deployed
with the mirroring-enabled device. The RADIUS proxy server obtains RADIUS packets
using the optical splitter or mirroring device.
l GTP-C: The SGSN and GGSN are connected through optical fibers or deployed with the
mirroring-enabled device. The RADIUS proxy server obtains GTP-C packets through the
optical splitter or mirroring device.
l Proxy mode: When the NAS or AAA server does not support the CC mode, the NAS regards
the RADIUS proxy server as the RADIUS server, and the AAA server regards the RADIUS
proxy server as the NAS.
l Sniffer mode (Sniffer-RADIUS): RADIUS packets are transmitted on data links monitored
by the Front End.

Based on the processing modes of RADIUS packets, the Sniffer-RADIUS mode has two
submodes:
– Monitor mode
Upon receiving the RADIUS packet, the Front End sends a copy of the packet to the
RADIUS proxy server, and then sends the RADIUS packet to the AAA server through
the outbound interface. After receiving the ACK message, the Front End deletes the
copy of the RADIUS packets. If the ACK message is not received within the timeout
duration (you can set it to a value from 100 milliseconds to 10 seconds), the Front End
retransmits the RADIUS packets as configured (you can set the number of
retransmissions to a value from 0 to 5).
This mode is used on the Front End by default. This mode ensures that the RADIUS
packets are preferentially sent to the AAA server. If the Front End cannot process the
RADIUS packets because of anomalous on the SPS (for example, the cache exceeds
the upper limit), the Front End sends the RADIUS packets directly to the AAA server,
not the RADIUS proxy server.
– In-line mode
Upon receiving a RADIUS packet, the Front End sends a copy of it to the RADIUS
proxy server. After receiving the ACK message from the proxy server, the Front End
sends the RADIUS packet to the AAA server. If the Front End cannot receive the ACK
message, the Front End discards the RADIUS packet.
This mode preferentially ensures the RADIUS packets received by the RADIUS proxy
server are the same as those received by the AAA server. You are advised to use this
mode when the NAS supports the response and retransmission mechanism. You can
also use this mode when the charging service is enabled.
NOTE
The RADIUS packet must carry Mobile Station Integrated Service Digital Network (MSISDN) or
International Mobile Subscriber Identity (IMSI).
The devices acting as the NAS are differentiated with networks.
l On the fixed network, the Broadband Remote Access Server (BRAS) acts as the NAS.
l On the GPRS/WCDMA networks, the Gateway GPRS Support Node (GGSN) acts as the NAS.
l On the CDMA/CDMA2000 networks, the Packet Data Serving Node (PDSN) acts as the NAS.
l On the Worldwide Interoperability for Microwave Access (WiMAX) networks, the ASN-GW acts as
the NAS.
6.2 Configuring the FUP Service (Interworking with the

PCRF)
To configure and apply the FUP service when the SIG interworks with the PCRF (take the UPCC
V300R002C06 as an example, the configuration varies with the UPCC version), you should
refer to this part.
6.2.1 Overview
To configure the FUP service, you need to learn the related concepts of the FUP service.
Concepts related to the FUP service are as follows:
l Quota

Indicates the traffic traffic/duration allowed by carriers.

l Quota Value
Indicates the total traffic/duration of the access to certain applications (such as FTP, HTTP,
and VoIP) through networks within a certain period (such as one month or year).
For example, the total FUP quota of the user each month is 100 MB.
l Service traffic & total traffic & service duration & total duration
– Service traffic: traffic of the specific flow classification.
– Total traffic: indicates user's total traffic regardless of the flow classification.
– Service duration: indicates the duration of a specified flow classification.
– Total duration: user's total duration regardless of the flow classification.
in the system.
l Quota Type
Both Session Level and Service Level are available. Session Level indicates the total
traffic/duration of users, irrespective of services. Service Level indicates the traffic/
duration of the specific service idefined by the rating group and FUP service.
For example, to enable the FUP service for the total traffic of a user, select Session
Level; to enable the FUP service for the P2P traffic of a user, select Service Level.
l Slice
For the FUP service, the system delivers quotas through slices. The next slice is delivered
only after the previous one is exhausted. A slice refers to the proportion of the delivered
quota slice to the total quota.
For example, if the total quota is 1000 MB and the slice is 5%, the delivered quota slice is
50 MB.
l Rating Group
Rating Group: One rating group corresponds to one charge rate, for example, $2/MB. The
SIG accumulates all the service in one rating group together.
In the FUP service, the rating group IDs only serve as bridges. A rating group ID can be
bound to the service (such as HTTP, FTP, or P2P). During adding FUP quotas, you can
identify the service of the quota through the rating group.
l Whether to accumulate quota
– If Yes is selected, the rating group needs to be specified, that is, to accumulate the
matched traffic quota to the rating group.
– If No is selected, the rating group does not need to be specified, that is, not to accumulate
the matched traffic quota to the rating group. The traffic is for free.
NOTE
For dual-stack users who use both the IPv4 and IPv6 addresses, traffic/duration of the IPv4 and IPv6
addresses share the quota, but are controlled separately.
For other concepts, refer to the related documents of the UPCC.


Taking the Unified Policy and Charging Controller (UPCC) serving as the PCRF for example,
this describes how to configure the FUP service in wireless scenario.
The following examples describe the service traffic and total traffic. Configurations of the
service duration and total duration are similar to those of the traffic and are therefore omitted.
Flowchart Navigation
You can view configuration procedures in various scenarios by clicking the following links:
l Interworking with the UPCC — Predefined Rule

l Interworking with the UPCC — Dynamic Rule
Interworking with the UPCC — Predefined Rule

Figure 6-4 Interworking with the UPCC — Predefined rule

Start
Yes Check whether the flow

class is a predefined one?
No
Add the flow class
Add the rating group

Back End of the
DPI system
Add an FUP traffic control policy package
Add the FUP service configuration
Add a PLMN
Add a notification
Add a quota
Add a condition group
Add the policy data Add a rule UPCC Web UI
Add a service Add a policy
Bind the service to a user
End

Table 6-1 Interworking with the UPCC — Predefined rule

Action Description
Add the flow class Add the flow class manually when the predefined ones are insufficient.
Operation location: Back-end UI of the SIG. In the navigation tree,
choose Basic Configuration > Flow Classification Management >
Flow Classification Configuration.
Add the rating group To control service traffic, you need to add the rating group; to control
total traffic, no adding is required.
In the FUP service, rating group IDs only server bridges. Through the
adding of the FUP service configuration, a rating group ID can be
bound to the flow class (such as HTTP, FTP, or P2P). During adding
a FUP quota, you can identify the flow classification through the rating
group.
choose Value-added Service > Application Charging > Application
Mapping > Rating Group Management.
Add an FUP traffic Through this action, you can bind different FUP traffic control policy
control policy packages to corresponding quota levels. The system automatically
package generates IDs for policy packages after they are added.
choose Value-added Service > Application Charging > FUP > FUP
Traffic Control Policy Package Management.
Add the FUP service To control service traffic, you need to add the FUP service
configuration configuration; to control total traffic, no adding is required.
One FUP service configuration can include one or multiple
configuration items. After adding, the system automatically generates
policy package IDs.
choose Value-added Service > Application Charging > FUP > FUP
Service Configuration.
Add a PLMN To configure the roaming policy, you need to add a PLMN.
When the user accesses the mobile network, the system determines
whether the user is in the local or roaming place according to the
PLMN information. The local and roaming places apply their own
policies.
Operation location: UPCC Web UI. In the navigation tree, choose
Location Management > Location > PLMN.
Add a notification To notify the user of the current status through a short message or
email, you need to add a notification.
Operation location: UPCC Web UI.
l In the navigation tree, choose System Management > System
Configuration > Message Template.
l In the navigation tree, choose Policy Management > Policy >
Notification.

Action Description
Add a quota Both the service quota and the session quota are available.
l To control service traffic, select the service quota. The rating group
can be bound to the flow classification. In this case, the rating group
ID is required.
l To control total traffic, select the session quota.
Service Management > Service > Quota.
Add a condition To configure the rule, you need to add a condition group. A condition
group group consists of basic information and multiple conditions. A
condition comprises the attributes of certain value-specified objects.
Policy Management > Policy > Condition Group.
Add a rule A rule is required during the configuration of the policy. Configuring
a rule is to bind the configured FUP traffic control policy package to
the FUP service configuration policy package. Both the FUP traffic
control policy package and its ID are required.
Since the FUP policy package is already configured on the Back End
of the SIG, you need to select Predefined rule.
Policy Management > Policy > Rule.
Add a policy A policy is required during the service configuration. Each policy
comprises one trigger and multiple rules.
Policy Management > Policy > Policy.
Add a service A service is of a carrier, and includes multiple policies. Diversified

services are implemented through policy combinations.
Service Management > Service > Service.
Bind the service to a Bind the user to the configured FUP service.
user Operation location: UPCC Web UI. In the navigation tree, choose
Subscriber Management > Subscriber > Subscriber.
Return to Flowchart Navigation.
Interworking with the UPCC — Dynamic Rule


Figure 6-5 Interworking with the UPCC — dynamic rule

Start
Yes Check whether the flow

class is a predefined one?
No
Back End of the
Add the flow class
DPI system
Add a quota
Add a condition group
Add an action group
Add a rule UPCC Web UI
Add a policy
Add a service
Bind the service to a user
End
Table 6-2 Interworking with the UPCC — dynamic rule

Action Description

Action Description
Add a quota Both the service quota and the session quota are available.
l To control service traffic, select the service quota. The rating group
can be bound to the flow classification.
l To control total traffic, select the session quota.
Service Management > Service > Quota.
Add a condition To configure the rule, you need to add a condition group. The condition
group group consists of basic information and multiple conditions. A
condition comprises the attributes of certain value-specified objects.
Policy Management > Policy > Condition Group.
Add an action group To configure a dynamic rule, you need to add an action group. The
action group consists of basic information and multiple actions. An
action comprises certain value-specified elements.
Policy Management > Policy > Action Group.
a rule is to bind the configured FUP traffic control policy package to
the FUP service configuration policy package.
Since the FUP policy package is already configured on the Back End
of the SIG, you need to select predefined rule.

Bind the service to a Bind the user to the configured FUP service.
user Operation location: UPCC Web UI. In the navigation tree, choose
Subscriber Management > Subscriber > Subscriber.
Return to Flowchart Navigation.
6.2.3 Typical Configuration Example 1 (Predefined Rule, Total

Traffic)
This provides an example of using the predefined rule to apply the FUP service to the total traffic
of wireless users when the SIG interworks with the UPCC.

Prerequisites
l The connection of the SIG to the UPCC is commissioned. For details, see Connecting the
Front End to the PCRF, Connecting the PCRF to the Front End, and Commissioning
the Connection to the PCRF in HUAWEI SIG9800 Service Inspection Gateway
Commissioning Guide.
l 4.2 Configuring the Subscriber is complete, and the account of the subscriber (the target
user) to be managed is 460100000000022.
l The current user has the Value-added Service service permission.
l The current user has the permission to operate the UPCC.
NOTE
To learn more about the UPCC, refer to related technical documents provided by the corresponding vendor.
The SIG interworks with the UPCC, and the FUP service is required. Figure 6-6 shows the
networking.
Figure 6-6 Networking diagram of the wireless scenario

Back End UPCC Web UI IP:128.18.88.226
RADIUS PCRF
Server (RM9000)
t
ke Gx
Pac
US
DI
RA
Gi
PCEF
User:460100000000022 SGSN GGSN
(Front End)
DPI System
Requirements of the FUP service for total traffic are as follows:

l The target user employs the quota by month; the settlement is in reset mode; the settlement
time is 00:00 on the first day of each month.
l If the total quota is 1024000 KB, the requirements on bandwidth control are as follows:
– When quota consumption is less than 40% of the total quota, upstream and downstream
bandwidths are limited to 1024 kbit/s and 2048 kbit/s respectively.
– When quota consumption exceeds 40% of the total quota, upstream and downstream
– When quota consumption exceeds 100% of the total quota, both upstream and
downstream bandwidths are limited to 64 kbit/s.
Figure 6-7 shows the relation between configuration objects in the FUP service.

Figure 6-7 Relation between configuration objects

Service Session Quota
User Value= 1GB; Limit: level1=40, level2=80; Slice= 5%
service_fup quota_fup
Policy 1 Online trigger

policy_ipcan IPCANSessionEstablish
Rule 1 Condition Group

Object Attribute= QuotaStatus; Right Value= Normal
rule-normal condition-normal
Predefined Policy FUP traffic control policy package

normal Flow Classfication: Total; Upstream: 1024kbit/s; Downstream: 2048kbit/s

Object Attribute= QuotaStatus; Right Value= Level1
rule-level1 condition-level1

Rule
level1 Flow Classfication: Total; Upstream: 512kbit/s; Downstream: 1024kbit/s


level2 Flow Classfication: Total; Upstream: 256kbit/s; Downstream: 1024kbit/s

Object Attribute= QuotaStatus; Right Value= Exhaust
rule-exhaust condition-exhaust
Policy 2 Quota status change trigger Predefined Policy FUP traffic control policy package
policy_fup UsageStatusChange exhuast Flow Classfication: Total; Upstream: 64kbit/s; Downstream: 64kbit/s
Configuration on the UPCC Web UI

Configuration on the back-end UI
Configuration (predefined on the UPCC Web UI) to be selected
Suppose that the user subscribes to service_fup, and the service has session quota quota_fup.
Service service_fup includes two policies:
l Policy policy_ipcan: When a user is activated during the access to the mobile data network,
and the current quota status is matched with the rule in the policy, the matched rule is
considered as the current control policy of the user. For example, if the quota of the current
online user is less than 40% of the total quota, and rule rule-normal is employed, the
upstream and downstream bandwidths of the total traffic are limited to 1024 kbit/s and 2048
kbit/s respectively.
l Policy policy_fup: defines the quota status-based policy control. When the quota status
changes, the control policy is switched to the corresponding one of the new quota status.
The following rules need defining:
Name Condition Description
rule-normal Accumulated traffic quota The maximum uplink bandwidth is 1024 kbit/
usage within a month < s, and the maximum downlink bandwidth is
40% of the total quota 2048 kbit/s.
rule-level 40% of the total quota≤ The maximum uplink bandwidth is 512 kbit/
Accumulated quota usage s, and the maximum downlink bandwidth is
within a month < 80% of 1024 kbit/s.
the total quota
rule-level2 80% of the total quota≤ The maximum uplink bandwidth is 256 kbit/
the total quota
rule-exhaust 100% of the total quota Both the maximum uplink and downlink
≤ Accumulated quota bandwidths are 64 kbit/s.
usage within a month

Data Planning
You can click the following links to view the data planning of main parameters:
l Table 6-3 shows the data planning of quota quota_fup.
l Table 6-4 shows the data planning of policy policy_ipcan.
l Table 6-5 shows the data planning of policy policy_fup.
l Table 6-6 shows the data planning of service service_fup.
l Table 6-7 shows the data planning of user 460100000000022.
Table 6-3 Data planning of quota quota_fup

Quota Attribute Example
Basic Information Name: quota_fup
Quota Class: Volume
Type: Session Level
Value(KB): 1000000
CAUTION
In the UPCC, 1 KB=1024 bytes. The UPCC delivers traffic to the Front
End, in bytes. When the quota value on the UPCC is set to 1,000,000 KB,
the traffic of 1024 x 1,000,000 bytes is delivered from the UPCC to the
Front End.
However, on the SIG, 1 KB=1000 bytes. That is, the SIG actually receives
1,024,000 KB traffic.
Slice(%): 5
Description: -
Reset Cycle Billing Cycle Mode: Monthly Service
Billing Cycle Time: 00:00:00
Balance Reset Method: Reset
Set Limit Level1: 40
Level2: 80
Exhaust: 100
Table 6-4 Data planning of policy policy_ipcan

Policy Attribute Example
Name policy_ipcan

Trigger IPCANSessionEstablish
The triggering condition is the CCR_Initial Request message on
the Gx interface. It is applicable to the scenario where users
access the mobile data network.
Description -
Rule rule-normal
rule-level1
rule-level2
rule-exhaust
Table 6-5 Data planning of policy policy_fup
Name policy_fup
Trigger UsageStatusChange
The triggering condition is the change of the quota status, and
the application scenario is the quota status-based policy control.
Description -
Rule rule-normal
rule-level1
rule-level2
rule-exhaust
Table 6-6 Data planning of service service_fup
Service Attribute Example
Basic Information Name: service_fup
Type: VALUE_ADDED_SERVICE
APN: -
VPN: -
SP: default1
Account: -
Is Meter To Basic: No

Activated By: PCEF
Precedence: 0
QoS Mode: Replace
Subscription Forced: Yes
Absolute Validity Period: -
Description: -
Policy policy_ipcan
policy_fup
Quota quota_fup
NOTE
Is Meter To Basic and QoS Mode are irrelevant to this service. For details, refer to the product manual
of the UPCC.
Table 6-7 Data planning of user 460100000000022

User Attribute Example
Subscriber ID 460100000000022
MSISDN 8613810000022
Service service_fup
Procedure
Step 2 Add FUP traffic control policy packages.
1. In the navigation tree, choose Value-added Service > Application Charging > FUP >
FUP Traffic Control Policy Package Management.
2. Click Add.
3. Set Policy Package Code to 1:200019, set Name to normal. Then click Save.

Figure 6-8 Adding policy package normal
6. Click OK and Close.

7. Add policy packages level1, level2, and exhaust according to previous steps. The policy
packages are numbered 1:200020, 1:200021, and 1:200022 respectively, and the priorities
of the policy items contained in these three policy packages are 12, 13, and 14 respectively.
Figure 6-9 shows added FUP policy packages.
Figure 6-9 Added FUP policy packages
NOTE
The policy package codes are required during the adding of rules.
Step 3 Log in to the UPCC Web UI.

1. Install the digital certificate for the IE browser.
NOTE
This step is optional, but mandatory if you need to log in to the UPCC Web UI through only a client
for the first time.
a. Obtain digital certificates UPCC_CLIENT.p12 and UPCC_CA.crt from the

installation package in turn.
b. Double-click digital certificate UPCC_CLIENT.p12, and then hold down Next.
When the password is required, enter 123456.
c. Double-click digital certificate UPCC_CA.crt, and then hold down Next until the
installation is complete.
2. Open login URL https://128.18.88.226/.
a. Select the digital certificate, and then click OK, as shown in Figure 6-10.

Figure 6-10 Selecting the digital certificate
b. Confirm the security alarm, and then click Yes, as shown in Figure 6-11.
Figure 6-11 Confirming the security alarm
3. Enter values in User Name, Password, and Verify Code, as shown in Figure 6-12.

Figure 6-12 Logging in to the UPCC Web UI
NOTE
The default user name and password of the administrator of the UPCC Web UI are admin and
huawei respectively.
4. Click Login.
Step 4 Add a quota.
1. In the navigation tree, choose Service Management > Service > Quota.
2. Figure 6-13 shows the configuration page.

Figure 6-13 Adding quota quota_fup
Step 5 Add condition groups.

1. In the navigation tree, choose Policy Management > Policy > Condition Group.
2. Click Add.
3. Set Name to condition-normal on the Basic Information tab.
4. Click the Condition tab, and click Add to add a condition. Figure 6-14 shows the
configuration page.
NOTE
When Object Attribute is selected, set Object to Quota and click QuotaStatus. Then click OK.
Refer to Figure 6-15.

Figure 6-14 Conditions in condition group condition-normal
Figure 6-15 Selecting object attribute QuotaStatus

5. Add condition groups condition-level1, condition-level2, and condition-exhaust

according to previous steps. Figure 6-16 to Figure 6-19 show conditions in added condition
groups.
Figure 6-17 Conditions in condition group condition-level1
Figure 6-19 Conditions in condition group condition-exhaust
Step 6 Add rules.

1. In the navigation tree, choose Policy Management > Policy > Rule.

2. Add rule rule-normal, and bind it to configured FUP traffic control policy package. Figure
6-20 shows the configuration page.
Figure 6-20 Adding rule rule-normal
The configurations of rules rule-level1, rule-level2, and rule-exhaust are identical with
configuration of rule rule-normal. These rules are bound to policy packages 1:200020,
1:200021, and 1:200022 respectively.
Step 7 Add policies.
1. In the navigation tree, choose Policy Management > Policy > Policy.
2. Add policy policy_ipcan. Figure 6-21 shows the configuration page.

Figure 6-21 Adding policy policy_ipcan
3. Add policy policy_fup. Figure 6-22 shows the configuration page.
Figure 6-22 Adding policy policy_fup
Step 8 Add a service.

1. In the navigation tree, choose Service Management > Service > Service.

Figure 6-23 Adding service service_fup
Step 9 Bind the service to a user.

1. In the navigation tree, choose Subscriber Management > Subscriber > Subscriber.
2. Search for and select the user to be bound to a service, and click Configure.
3. Click the Service tab, click Add, and add service service_fup. Figure 6-24 shows the
configuration page.

Figure 6-24 Binding a service
4. Click OK.
----End
6.2.4 Typical Configuration Example 2 (Predefined Rule, Service

Traffic)
This provides an example of using the dynamic rule to apply the FUP service to the P2P and
VoIP traffic of wireless users when the SIG interworks with the UPCC.
Prerequisites
NOTE

networking.

RADIUS PCRF
Server (RM9000)
t
ke Gx
Pac
US
DI
RA
Gi
PCEF
(Front End)
DPI System
Requirements of the FUP service for P2P and VoIP traffic are as follows:


Service Service Quota



normal Flow classification: p2p_voip; Upstream: 1024kbit/s; Downstream: 2048kbit/s


level1 Flow classification: p2p_voip; Upstream: 512kbit/s; Downstream: 1024kbit/s


level2 Flow classification: p2p_voip; Upstream: 256kbit/s; Downstream: 1024kbit/s


Rule exhuast Flow classification: p2p_voip; Upstream: 64kbit/s; Downstream: 64kbit/s

rule-fup-service-normal condition-normal
Predefined Policy FUP service configuration

fup_service_con Flow classification: p2p_voip; Rating Group: p2p_voip

rule-fup-service-level1 condition-level1


rule-fup-service-level2 condition-level2


rule-fup-service-exhaust condition-exhaust
Policy 2 Quota status change trigger Predefined Policy FUP service configuration
policy_fup UsageStatusChange fup_service_con Flow classification: p2p_voip; Rating Group: p2p_voip

Suppose that the user subscribes to service_fup, and the service has service quota quota_fup.
upstream and downstream bandwidths of the P2P and VoIP traffic are limited to 1024 kbit/
s and 2048 kbit/s respectively.
Name Condition Traffic Control
rule-fup-service-normal Accumulated traffic quota Associated flow classification and

usage within a month < rating group to collect the traffic
40% of the total quota quota of a given type into the
specified rating group
rule-fup-service-level1 40% of the total quota≤
Accumulated quota usage
within a month < 80% of
the total quota

rule-fup-service-level2 80% of the total quota≤

the total quota
rule-fup-service-exhaust 100% of the total quota

≤ Accumulated quota
rule-normal Accumulated traffic quota The maximum uplink bandwidth is

usage within a month < 1024 kbit/s, and the maximum
40% of the total quota downlink bandwidth is 2048 kbit/s.
rule-level 40% of the total quota≤ The maximum uplink bandwidth is

Accumulated quota usage 512 kbit/s, and the maximum
within a month < 80% of downlink bandwidth is 1024 kbit/s.
the total quota
rule-level2 80% of the total quota≤ The maximum uplink bandwidth is

Accumulated quota usage 256 kbit/s, and the maximum
within a month < 100% of downlink bandwidth is 512 kbit/s.
the total quota
rule-exhaust 100% of the total quota Both the maximum uplink and
≤ Accumulated quota downlink bandwidths are 64 kbit/s.
NOTE
When "accumulated traffic quota usage within a month < 40% of the total quota" is met, rules rule-fup-
service-normal and rule-normal are delivered to the user concurrently. That is, while collecting the traffic
quota of the given type, the system limits the bandwidth of this type of traffic. Other conditions are similar.
Data Planning

Quota Class: Volume

Type: Service Level
Monitor Key: 3
Value(KB): 1000000
CAUTION
Front End.
Slice(%): 5
Description: -
Level2: 80
Exhaust: 100
Name policy_ipcan
The triggering condition is the CCR_Initial Request message
on the Gx interface. It is applicable to the scenario where users
Description -
Rule rule-fup-service-normal
rule-fup-service-level1
rule-fup-service-exhaust
rule-normal
rule-level1
rule-level2

rule-exhaust
Name policy_fup
Description -
Rule rule-fup-service-normal
rule-fup-service-exhaust
rule-normal
rule-level1
rule-level2
rule-exhaust
APN: -
VPN: -
SP: default1
Account: -
Activated By: PCEF
Precedence: 0
QoS Mode: Replace

Description: -
Policy policy_ipcan
policy_fup
Quota quota_fup
NOTE
of the UPCC.
MSISDN 8613810000022
Service service_fup
Procedure
Step 2 Add a flow class.

1. In the navigation tree, choose Basic Configuration > Flow Classification Management
> Flow Classification Configuration.
2. Click Add.
3. Enter p2p_voip in Name.
4. Click Add and select the predefined flow classification items P2P and VoIP.
Step 3 Add a rating group.
1. In the navigation tree, choose Value-added Service > Application Charging >
Application Mapping > Rating Group Management.
2. Click Add. Set Number to 3, and Name to p2p_voip. Then click OK.
2. Click Add.

3. Set Policy Package Code to 1:200019, set Name to p2p_voip_normal. Then click
Save.
Figure 6-27 Adding policy package p2p_voip_normal

7. Add policy packages p2p_voip_level1, p2p_voip_level2, and p2p_voip_exhaust
according to previous steps. The policy packages are numbered 1:200020, 1:200021, and
1:200022 respectively, and the priorities of the policy items contained in these three policy
packages are 12, 13, and 14 respectively.
NOTE
Step 5 Add the FUP service configuration.

FUP Service Configuration.
2. Click Add.
3. Set Service Configuration Code to 14:200025, set Name to fup_service_con. Then click
Save.

Figure 6-29 Adding FUP service configuration policy package fup_service_con

NOTE
The service configuration code is required during the adding of rules.

NOTE
for the first time.



NOTE
4. Click Login.
Step 7 Add a quota.


2. Click Add.
configuration page.
NOTE



groups.
Step 9 Add rules.


3. Add fifth rule rule-fup-service-normal and bind it to the FUP service configuration policy
package. Figure 6-41 shows the configuration page.

Figure 6-41 Adding rule rule-fup-service-normal
The configurations of rules rule-fup-service-level1, rule-fup-service-level2, and rule-

fup-service-exhaust are identical with configuration of rule rule-normal. These rules are
bound to the same policy package 14:200025.





configuration page.

4. Click OK.
----End
6.2.5 Typical Configuration Example 3 (Predefined Rule, Quota

Being Collected by Total Traffic but Controlled by Service)
This provides an example of using the predefined rule to configure the FUP service for wireless
users' service traffic when the SIG interworks with the UPCC. The carrier collects the quota of
the total user traffic, and implements bandwidth control over the service type of heavy traffic
when the total quota reaches a certain threshold.
Prerequisites
NOTE

networking.

RADIUS PCRF
Server (RM9000)
t
ke Gx
Pac
US
DI
RA
Gi
PCEF
(Front End)
DPI System
Requirements of the FUP service are as follows:

l The charging cycle is one month, the settlement mode is reset, and the reset time is 00:00
on the first day each month.
l The quota for the total traffic is 1,024,000 KB.
l When the consumption of the total traffic reaches a certain threshold, the system
implements bandwidth control over P2P traffic. The control policies for P2P traffic are as
follows:





p2p_normal Flow classification: P2P; Upstream: 1024kbit/s; Downstream: 2048kbit/s


Rule
p2p_level1 Flow classification: P2P; Upstream: 512kbit/s; Downstream: 1024kbit/s


p2p_level2 Flow classification: P2P; Upstream: 256kbit/s; Downstream: 1024kbit/s

policy_fup UsageStatusChange p2p_exhuast Flow classification: P2P; Upstream: 64kbit/s; Downstream: 64kbit/s

Suppose that the user subscribes to service_fup, and the service has service quota quota_fup.
upstream and downstream bandwidths of the P2P traffic are limited to 1024 kbit/s and 2048
rule-normal Accumulated traffic quota Set the maximum upstream

usage within a month < bandwidth of P2P traffic to 1024
40% of the total quota kbit/s and maximum downstream
bandwidth to 2048 kbit/s.
rule-level1 40% of the total quota≤ Set the maximum upstream

Accumulated quota usage bandwidth of P2P traffic to 512
within a month < 80% of kbit/s and maximum downstream
the total quota bandwidth to 1024 kbit/s.
rule-level2 80% of the total quota≤ Set the maximum upstream

Accumulated quota usage bandwidth of P2P traffic to 256
within a month < 100% of kbit/s and maximum downstream
the total quota bandwidth to 512 kbit/s.
rule-exhaust 100% of the total quota Both the maximum uplink and
≤ Accumulated quota downlink bandwidths of P2P traffic
usage within a month are set to 64 kbit/s.

Data Planning

Quota Class: Volume
Type: Session Level
Value(KB): 1000000
CAUTION
Front End.
Slice(%): 5
Description: -
Level2: 80
Exhaust: 100

Name policy_ipcan

Description -
Rule rule-normal
rule-level1
rule-level2
rule-exhaust
Name policy_fup
Description -
Rule rule-normal
rule-level1
rule-level2
rule-exhaust
APN: -
VPN: -
SP: default1
Account: -

Activated By: PCEF
Precedence: 0
QoS Mode: Replace
Description: -
Policy policy_ipcan
policy_fup
Quota quota_fup
NOTE
of the UPCC.

MSISDN 8613810000022
Service service_fup
Procedure
Step 2 Add the FUP traffic control policy package for P2P traffic.
2. Click Add.
3. Set Policy Package Code to 1:200019, set Name to p2p_normal. Then click Save.

Figure 6-48 Adding policy package p2p_normal

7. Add policy packages p2p_level1, p2p_level2, and p2p_exhaust according to previous
steps. The policy packages are numbered 1:200020, 1:200021, and 1:200022 respectively,
and the priorities of the policy items contained in these three policy packages are 12, 13,
and 14 respectively.
NOTE

NOTE
for the first time.



NOTE
4. Click Login.
Step 4 Add a quota.


2. Click Add.
configuration page.
NOTE



groups.
Step 6 Add rules.






configuration page.

4. Click OK.
----End
6.2.6 Typical Configuration Example 4 (Predefined Rule, Free

Quotas for Certain Web Sites)
users when the SIG interworks with the UPCC.The carrier allows the user to access certain Web
sites for free, that is, the traffic for accessing these Web sites is not calculated into the total traffic
quota.
Prerequisites
NOTE

The SIG interworks with the UPCC, and the FUP service requires enabling. Figure 6-65 shows
the networking.
Figure 6-65 Networking of the wireless scenario

RADIUS PCRF
Server (RM9000)
t
ke Gx
Pac
US
DI
RA
Gi
PCEF
(Front End)
DPI System

l The charging cycle is one month, the settlement mode is reset, and the reset time is 00:00
on the first day each month.
l The quota for the total traffic is 1,024,000 KB.
l Traffic for accessing certain Web sites is free of quota collection, that is, free of charging.
In addition, traffic of these Web sites is neither collected nor controlled.
l The control policies for non-Free traffic are as follows:


Service 1 Service Quota
service_total quota1

policy_ipcan_total IPCANSessionEstablish
Condition Group
rule-normal Object Attribute= QuotaStatus; Right Value= Normal
condition-normal

normal Flow classification: Total; Upstream: 1024kbit/s; Downstream: 2048kbit/s
Condition Group
rule-level1 Object Attribute= QuotaStatus; Right Value= Level1
condition-level1

level1 Flow classification: Total; Upstream: 512kbit/s; Downstream: 1024kbit/s
Condition Group
rule-level2 Object Attribute= QuotaStatus; Right Value= Level2
condition-level2

Condition Group
rule-exhaust Object Attribute= QuotaStatus; Right Value= Exhaust
condition-exhaust
Rule Predefined Policy FUP traffic control policy package

exhuast Flow classification: Total; Upstream: 64kbit/s; Downstream: 64kbit/s
Condition Group
rule1 Object Attribute= QuotaStatus; Right Value= Normal
condition-normal
Predefined Policy FUP service configuration (Low priority)

fup_con1 Flow classification: Total; Rating Group: total
Condition Group
rule2 Object Attribute= QuotaStatus; Right Value= Level1
condition-level1

Condition Group
rule3 Object Attribute= QuotaStatus; Right Value= Level2
condition-level2

Condition Group
rule4 Object Attribute= QuotaStatus; Right Value= Exhaust
condition-exhaust
Policy 2 Quota status change trigger Predefined Policy FUP service configuration (Low priority)
policy_fup_total UsageStatusChange fup_con1 Flow classification: Total; Rating Group: total
Service 2 Policy 3 Online trigger

service_free policy_ipcan_free IPCANSessionEstablish
Predefined Policy FUP service configuration (High priority)

Rule rule5
fup_con2 Flow classification: free; Rating Group: free
Predefined Policy Traffic permit policy

rule6
free_pass Permits the free traffic

Suppose that the user subscribes to service_total and service_free.

l Service service_total defines the quota for the total traffic, that is, 1,024,000 KB, and the
FUP traffic control policy. Different traffic control policies are applied when the user traffic
quota is consumed by less than 40%, more than 40%, more than 80%, and 100%.
l Service service_free allows the user to access certain Web sites (for example,
www.huawei.com) for free, that is, the traffic for accessing these Web sites is not calculated
into the total traffic quota.
Three policies to be defined are as follows:
l Policy policy_ipcan_total: When a user is activated during the access to the mobile data
network, the control policy for non-free traffic is defined. After the user goes online, and
the current quota status matches the rule in the policy, the matched rule is considered as
the current control policy of the user.
For example, if the quota of the current online user is less than 40% of the total quota, and
rule rule-normal is employed, the upstream and downstream bandwidths of the non-Free
traffic are limited to 1024 kbit/s and 2048 kbit/s respectively.

l Policy policy_fup_total: defines the quota status-based policy control. When the quota
status of the non-free traffic quota changes, the control policy is switched to the
corresponding one of the new quota status.
l Policy policy_ipcan_free: When a user is activated during the access to the mobile data
network, the traffic of the free type is for free.
The main category protocol whose free type is user-defined needs to be added with Web
sites features. The system identifies the traffic of accessing the Web sites by identifying
the traffic of the free type.
the total quota
the total quota
rule1 Accumulated traffic quota Defines the mapping between rating group
usage within a month < total and total traffic to collect the quota of
40% of the total quota the total traffic into rating group total.
rule2 40% of the total quota≤

the total quota
rule3 80% of the total quota≤

the total quota
rule4 100% of the total quota

≤ Accumulated quota
rule5 - Defines that the traffic of the free type is not

accumulated to the total quota (not charging).
rule6 - Defines the permit rule for Free traffic.

NOTE
When "accumulated traffic quota usage within a month < 40% of the total quota" is met, rules rule-
normal and rule1 are delivered to the user concurrently. That is, while collecting the traffic quota of the
given type, the system limits the bandwidth of this type of traffic. Other conditions are similar.
Data Planning
You can view the data planning of main parameters by clicking the following links:

l Table 6-19 shows the data planning of policy policy_ipcan_total.
l Table 6-20 shows the data planning of policy policy_fup_total.
l Table 6-21 shows the data planning of policy policy_ipcan_free.
l Table 6-22 shows the data planning of service service_total.
l Table 6-23 shows the data planning of service service_free.
Quota Class: Volume
Type: Service Level
Monitor Key: 1
Value(KB): 1000000
CAUTION
Front End.
Slice(%): 5
Level2: 80
Exhaust: 100

Table 6-19 Data planning of policy policy_ipcan_total
Name policy_ipcan_total
Description -
Rule rule1
rule2
rule3
rule4
rule_normal
rule_level1
rule_level2
rule_exhaust
Table 6-20 Data planning of policy policy_fup_total
Name policy_fup_total
Description -
Rule rule1
rule2
rule3
rule4
rule_normal
rule_level1
rule_level2
rule_exhaust

Table 6-21 Data planning of policy policy_ipcan_free

Name policy_ipcan_free
Description -
Rule rule5
rule6
Table 6-22 Data planning of service service_total

Basic Information Name: service_total
APN: -
VPN: -
SP: default1
Account: -
Is Meter To Basic: Yes
Activated By: PCEF
Precedence: 0
QoS Mode: Replace
Description: -
Policy policy_ipcan_total
policy_fup_total
Quota quota_fup
NOTE
of the UPCC.

Table 6-23 Data planning of service service_free
Basic Information service_free
APN: -
VPN: -
SP: default1
Account: -
Activated By: PCEF
Precedence: 0
QoS Mode: Replace
Description: -
Policy policy_ipcan_free
Quota None
MSISDN 8613810000022
Service service_total
service_free
Procedure
Step 2 Add flow classes.

1. Add www.huawei.com to the user-defined protocol.
a. In the navigation tree, choose Basic Configuration > Signature File Management
> Customized DPI Signature File.

b. Add category free.

1) Click Add a Category.
2) Enter free in Category Name. Select a value in Category Code.
3) Click OK.
c. Add protocol huawei.
1) Select the added category free in the Protocol group box and then click Add a
Protocol.
2) Select HTTP in Protocol Type, enter huawei in Protocol Name, select a value
in Protocol Code, and then click Save.
3) Click Add to add a rule.
1) Set parameters in the Add Rule dialog box. Figure 6-67 shows the
configuration page.
Figure 6-67 Adding keyword in rule
CAUTION
If a website has multiple domain names, you must add all the domain names
as keywords.

2) Click Add and OK.

4) In the Add a Protocol dialog box, click Close.
d. Click Submit a new version and OK.
2. Add flow classification free.
a. In the navigation tree, choose Basic Configuration > Flow Classification
Management > Flow Classification Item Configuration.
b. Click Add. Set parameters in the dialog box that is displayed. Figure 6-68 shows the
configuration page.
c. Figure 6-68 Add flow classification item free.
d. Click OK.
e. In the navigation tree, choose Basic Configuration > Flow Classification
Management > Flow Classification Configuration.
f. Click Add.
g. Enter free in Name.
h. Click Add and select the free flow classification item.
i. Click OK and OK.

2. Click Add. Set Number to 1, and Name to total. Then click OK.
Step 4 Add the traffic control policy package for the total traffic.
2. Click Add.



NOTE
Step 5 Add the permit policy package of the Free traffic.

Management.
2. Click Add.
3. Set Policy Package Code to 1:200023, set Name to free_pass. Then click Save.
4. Select Pass from Item Type, and click Add.

Figure 6-71 Adding permit policy package free_pass

NOTE
The policy package code is required during the adding of rules.

2. Click Add.
3. Set Service Configuration Code to 14:200024, set Name to fup_con1. Then click Save.
Figure 6-72 Adding FUP service configuration policy package fup_con1

NOTE

6. Refer to the preceding steps to add FUP service configuration policy package fup_con2 ,
set Service Configuration Code to 14:200025. Figure 6-73 shows the configuration page.

Figure 6-73 Adding FUP service configuration policy package fup_con2
NOTE

NOTE
for the first time.



NOTE
4. Click Login.
Step 8 Add a quota.
2. Add quota quota_fup. Figure 6-77 shows the configuration page.


2. Click Add.
configuration page.
NOTE



groups.
Step 10 Add rules.


3. Add rule rule1 and bind it to FUP service configuration policy package fup_con1
(14:200024) and condition group condition-normal. Figure 6-85 shows the configuration
page.

Figure 6-85 Adding rule rule1
The configurations of rules rule2, rule3, and rule4 are similar to those of rule rule1. The
former three rules are bound to condition groups condition-level1, condition-level2, and
condition-exhaust respectively, and policy package 14:200024.
4. Add rule rule5 and bind it to FUP service configuration policy package fup_con2
(14:200025). Figure 6-86 shows the configuration page.

5. Add rule rule6 and bind it to the permit policy package (1:200023) of Free traffic. Figure


2. Add policy policy_ipcan_total. Figure 6-88 shows the configuration page.

Figure 6-88 Adding policy policy_ipcan_total
3. Add policy policy_fup_total. Figure 6-89 shows the configuration page.

Figure 6-89 Adding policy policy_fup_total
4. Add policy policy_ipcan_free. Figure 6-90 shows the configuration page.
Figure 6-90 Adding policy policy_ipcan_free
Step 12 Add services.


2. Add service service_total with policies policy_ipcan_total and policy_fup_total. Figure

Figure 6-91 Adding service service_total
3. Add service service_free with policy policy_ipcan_free.Figure 6-92 shows the

configuration page.

Figure 6-92 Adding service service_free

3. Click the Service tab, click Add, and add services service_total and service_fup. Figure

4. Click OK.
----End
6.2.7 Typical Configuration Example 5 (Predefined Rule, Limited

Free Quotas for Certain Web Sites)
users when the SIG interworks with the UPCC. When allowed to access some Web sites, the
user can consume certain traffic quota each month for free. After the free quota is used up, new
traffic is counted into the total traffic.
Prerequisites
NOTE

networking.

RADIUS PCRF
Server (RM9000)
t
ke Gx
Pac
US
DI
RA
Gi
PCEF
(Front End)
DPI System

l The charging cycle is one month, the settlement is in reset mode, and the settlement time
is 00:00 on the first day of each month.
l The quota for free traffic is 102,400 KB, and that for the charged traffic is 1,024,000 KB
(Y).
– When the two quotas are used up, free traffic consumes quota X and charged traffic
(total traffic - free traffic) consumes quota Y.
– If quota Y is used up but quota X is not, free traffic continues to consume quota X, but
the bandwidth of charged traffic is limited to 64 kbit/s.
– If quota X is used up but quota Y is not, free traffic consumes quota Y.
– When both quota X and quota Y are used up, the bandwidth of total traffic is limited to
64 kbit/s.


User Value= 100000KB; Limit: Exhaust=100; Slice= 5%
service quota1
Service Quota
Value= 1000000KB; Limit: Exhaust=100; Slice= 5%
quota2

Condition Group
rule1 Condition quota1_normal and condition quota2_normal
condition_normal_normal

fup_free Flow classification: free; Rating Group: free
Condition Group
rule2 Condition quota1_normal and condition quota2_normal
condition_normal_normal

fup_charge Flow classification: Total; Rating Group: charge
Condition Group
rule3 Condition quota1_normal and condition quota2_exhaust
condition_normal_exhaust

fup_free Flow classification: free; Rating Group: free
Condition Group
Rule rule4 Condition quota1_normal and condition quota2_exhaust

Condition Group
rule5 Condition quota1_normal and condition quota2_exhaust
FUP traffic control policy package
Predefined Policy
Flow classification: total-free; Upstream: 64kbit/s; Downstream:
total-free
64kbit/s
Condition Group
rule6 Condition quota1_exhaust and condition quota2_normal
condition_exhaust_normal

Condition Group
rule7 Condition quota1_exhaust and condition quota2_exhaust
condition_exhaust_exhaust

Condition Group
rule8 Condition quota1_exhaust and condition quota2_exhaust
condition_exhaust_exhaust
policy_fup UsageStatusChange total Flow classification: Total; Upstream: 64kbit/s; Downstream: 64kbit/s

Suppose that the user subscribes to service.
Two policies to be defined are as follows:
and the current quota status matches the rule in the policy, the matched rule is considered
as the current control policy of the user. For example, if both the free quota and charged
quota for the current online user are used up, rule7 and rule8 serve as the control policies
to collect statistics on user total traffic and limit the upstream bandwidth for the total traffic
to 64 kbit/s and downstream bandwidth to 64 kbit/s.
l Policy policy_fup: defines the quota status-based policy control over the total traffic. When
the quota status changes, the control policy is switched to the corresponding one of the new
quota status.
rule1 Neither free quota Defines the mapping between rating group
quota1 nor charged quota free and free traffic to collect the quota of free
quota2 is used up. traffic into rating group free.
rule2 Defines the mapping between rating group

charge and charged traffic to collect the
quota of the charged traffic (total traffic - free
traffic) into rating group charge.

rule3 Charged quota quota2 is Defines the mapping between rating group
used up but free quota free and free traffic to collect the quota of free
quota1 is not. traffic into rating group free.
rule4 Defines the mapping between rating group

charge and charged traffic to collect the
quota of the charged traffic (total traffic - free
traffic) into rating group charge.
rule5 Set both the maximum upstream bandwidth

and downstream bandwidth of the traffic
(total traffic - free traffic) to 64 kbit/s.
rule6 Free quota quota1 is used Defines the mapping between rating group
up but charged quota charge and charged traffic to collect the
quota2 is not. quota of the total traffic into rating group
charge.
rule7 Free quota quota1 and Defines the mapping between rating group
charged quota quota2 are charge and charged traffic to collect the
both used up. quota of the total traffic into rating group
charge.
rule8 Set both the maximum upstream bandwidth

and downstream bandwidth of total traffic to
64 kbit/s.
Data Planning
l Table 6-25 shows the data planning of quota quota1.

l Table 6-26 shows the data planning of quota quota2.
l Table 6-29 shows the data planning of service service.
Table 6-25 Data planning of quota quota1
Basic Information Name: quota1
Quota Class: Volume
Type: Service Level
Monitor Key: 1

Value(KB): 100000
CAUTION
Front End.
Slice(%): 5
Set Limit Exhaust: 100
Table 6-26 Data planning of quota quota2

Basic Information Name: quota2
Quota Class: Volume
Type: Service Level
Monitor Key: 2
Value(KB): 1000000
Slice(%): 5
Set Limit Exhaust: 100

Name policy_ipcan

Description -
Rule rule1
rule2
rule3
rule4
rule5
rule6
rule7
rule8

Name policy_fup
Description -
Rule rule1
rule2
rule3
rule4
rule5
rule6
rule7
rule8

Table 6-29 Data planning of service service
Basic Information Name: service
APN: -
VPN: -
SP: default1
Account: -
Activated By: PCEF
Precedence: 0
QoS Mode: Replace
Description: -
Policy policy_ipcan
policy_fup
Quota quota1
quota2
NOTE
of the UPCC.
Baisc Information Subscriber ID: 460100000000022
MSISDN: 8613810000022
Service service
Procedure


b. Add category free.
2) Enter free in Category Name. Select a value in Category Code.
3) Click OK.
Protocol.
configuration page.

CAUTION
as keywords.

2. Add flow classification free.
b. Click Add. Set parameters in the dialog box that is displayed. Figure 6-97 shows the
configuration page.
c. Figure 6-97 Add flow classification item free.
d. Click OK.
e. In the navigation tree, choose Basic Configuration > Flow Classification
f. Click Add.
g. Enter free in Name.
h. Click Add and select the free flow classification item.
i. Click OK and OK.
3. Add flow classification total-free.
a. Click Add.
b. Enter total-free in Name.
c. Click Add and select all the flow classification items except free.

d. Click OK and OK.

Step 3 Add rating groups.
2. Click Add. Set Number to 1, and Name to free. Then click OK.
3. Click Add. Set Number to 2, and Name to charge. Then click OK.
2. Add a traffic control policy package for the traffic (total traffic - free traffic).
a. Click Add.
b. Set Policy Package Code to 1:200001, set Name to total-free. Then click Save.
c. Select Rate Limiting from Item Type, and click Add.
d. Set parameters in the dialog box that is displayed. Figure 6-98 shows parameter
settings.
Figure 6-98 Adding policy package total-free
e. Click OK and Close.

NOTE
3. Add a traffic control policy package for the total traffic.
a. Click Add.
b. Set Policy Package Code to 1:200002, set Name to total. Then click Save.
c. Select Rate Limiting from Item Type, and click Add.
d. Set parameters in the dialog box that is displayed. Figure 6-99 shows parameter
settings.

Figure 6-99 Adding policy package total
e. Click OK and Close.

NOTE

2. Add the FUP service configuration for charged traffic.
a. Click Add.
b. Set Service Configuration Code to 14:200001, set Name to fup_charge. Then click
Save.
c. Set parameters in the dialog box that is displayed. Figure 6-100 shows parameter
settings.
Figure 6-100 Adding FUP service configuration policy package fup_charge
d. Click OK and Close.

NOTE

3. Add the FUP service configuration for free traffic.
a. Click Add.

b. Set Service Configuration Code to 14:200002, set Name to fup_free. Then click
Save.
c. Set parameters in the dialog box that is displayed. Figure 6-101 shows parameter
settings.
Figure 6-101 Adding FUP service configuration policy package fup_free
d. Click OK and Close.

NOTE

NOTE
for the first time.



NOTE
4. Click Login.
Step 7 Add quotas.
2. Add quota quota1. Figure 6-105 shows the configuration page.

Figure 6-105 Adding quota quota1
3. Add quota quota2. Figure 6-106 shows the configuration page.

Figure 6-106 Adding quota quota2

2. Add the condition group condition_normal_normal.
a. Click Add.
b. Set Name to condition_normal_normal on the Basic Information tab.
c. Click the Condition tab, and click Add to add condition quota1_normal. Figure
6-107 shows the configuration page. Click OK.

Figure 6-107 Condition quota1_normal
NOTE
When Object Attribute is selected, set Object to Quota and click QuotaStatus. Then click
OK. Refer to Figure 6-108.

d. On the Condition tab, click Add to add another condition quota2_normal. Figure
6-109 shows the configuration page. Click OK.

Figure 6-109 Condition quota2_normal
3. Add the condition group condition_normal_exhaust.
Conditions quota1_normal and quota2_exhaust are involved. Figure 6-110 shows the
added condition group.
Figure 6-110 Condition group condition_normal_exhaust
4. Add the condition group condition_exhaust_normal.
Conditions quota1_exhaust and quota2_normal are involved. Figure 6-111 shows the

Figure 6-111 Condition group condition_exhaust_normal
5. Add the condition group condition_exhaust_exhaust.

Conditions quota1_exhaust and quota2_exhaust are involved. Figure 6-112 shows the
Figure 6-112 Condition group condition_exhaust_exhaust
Step 9 Add rules.

2. Add rule rule1 and bind it to FUP service configuration policy package fup_free
(14:200004) and condition group condition_normal_normal. Figure 6-113 shows the
configuration page.

3. Add rule rule2 and bind it to FUP service configuration policy package fup_charge
(14:200003) and condition group condition_normal_normal. Figure 6-114 shows the
configuration page.

4. Add rule rule3 and bind it to FUP service configuration policy package fup_free
(14:200004) and condition group condition_normal_exhaust. Figure 6-115 shows the
configuration page.

(14:200003) and condition group condition_normal_exhaust. Figure 6-116 shows the
configuration page.

6. Add rule rule5 and bind it to FUP traffic control policy package total-free (1:200001) and
condition group condition_normal_exhaust. Figure 6-117 shows the configuration page.

(14:200003) and condition group condition_exhaust_normal. Figure 6-118 shows the
configuration page.

(14:200003) and condition group condition_exhaust_exhaust. Figure 6-119 shows the
configuration page.

9. Add rule rule8 and bind it to FUP traffic control policy package total (1:200002) and
condition group condition_exhaust_exhaust. Figure 6-120 shows the configuration page.




Step 11 Add the service.

2. Add service service with policies policy_ipcan and policy_fup. Figure 6-123 shows the
configuration page.

Figure 6-123 Adding service service

3. Click the Service tab, click Add, and add service service. Figure 6-124 shows the
configuration page.

4. Click OK.
----End
6.2.8 Typical Configuration Example 6 (Predefined Rule, Roaming

Quota Control)
users in the local and roaming places when the SIG interworks with the UPCC.The carrier
configures quotas respectively for local and roaming users. When the quota is about to be used
up, a short message is sent to the user; after the quota is used up, the bandwidth of total user
traffic is controlled.
Prerequisites
NOTE

networking.

RADIUS PCRF
Server (RM9000)
t
ke Gx
Pac
US
DI
RA
Gi
PCEF
(Front End)
DPI System

l A user has 1,024,000 KB quota for the total traffic locally and 20,480 KB quota in the
roaming place. The user consumes the local quota in the local and consumes the roaming
quota in the roaming place.
l The control policies for total traffic in the local place are as follows:
– When quota consumption exceeds 80% of the total quota, the system sends a short
message to the user about the consumed traffic.
– When quota consumption exceeds 100% of the total quota, the system limits both the
upstream and downstream bandwidths of total traffic to 64 kbit/s.
l The control policies for total traffic in the roaming place are as follows:
– When quota consumption exceeds 80% of the total quota, the system sends a short
message to the user about the consumed traffic.
– When quota consumption exceeds 100% of the total quota, the system limits both the
upstream and downstream bandwidths of total traffic to 64 kbit/s.


User Service 1 Service Quota
Value= 1GB; Limit: level1=80; Slice= 5%
service_local quota_local

policy_local_ipcan IPCANSessionEstablish
Condition Group
rule_local_normal Object Attribute= QuotaStatus; Right Value= Normal
condition_local_normal

fup_con Flow classification: Total; Rating Group: total
Condition Group
rule_local_level1 Object Attribute= QuotaStatus; Right Value= Level1
condition_local_level1
Message Template
Notification
Notification_Template

Condition Group
Rule rule_local_exhaust_fup Object Attribute= QuotaStatus; Right Value= Exhaust
condition_local_exhaust

Condition Group
rule_local_exhaust_qos Object Attribute= QuotaStatus; Right Value= Exhaust
condition-exhaust

total Flow classification: Total; Upstream: 64kbit/s; Downstream: 64kbit/s
Condition Group
rule_outlocal Object Attribute= RoamingStatus; Right Value= Native
condition_outlocal
Policy 2 Quota status change trigger

policy_local_usage UsageStatusChange
Service 2 Service Quota

Value= 20MB; Limit: level1=80; Slice= 5%
service_roaming quota_roaming

policy_roaming_ipcan IPCANSessionEstablish
Condition Group
rule_roaming_normal Object Attribute= QuotaStatus; Right Value= Normal
condition_roaming_normal

Condition Group
rule_roaming_level1 Object Attribute= QuotaStatus; Right Value= Level1
condition_roaming_level1
Message Template
Notification
Notification_Template

Condition Group
Rule rule_roaming_exhaust_fup Object Attribute= QuotaStatus; Right Value= Exhaust
condition_roaming_exhaust

Condition Group
rule_roaming_exhaust_qos Object Attribute= QuotaStatus; Right Value= Exhaust
condition-exhaust

total Flow classification: Total; Upstream: 64kbit/s; Downstream: 64kbit/s
Condition Group
rule_outroaming Object Attribute= RoamingStatus; Right Value= Native
condition_outroaming
Policy 4 Quota status change trigger Configuration on the UPCC Web UI

policy_roaming_usage UsageStatusChange
Suppose that the user subscribes to the service_local and service_roaming services. The
service_local service is delivered when the user is in the local and the service_roaming service
is delivered when the user is in the roaming place.
Service service_local includes two policies:
l Policy policy_local_ipcan: When a user is activated during the access to the local mobile
data network, and the current quota status is matched with the rule in the policy, the matched
rule is considered as the current control policy of the user.
l Policy policy_local_usage: defines the quota status-based policy control when the user is
in the local. When the quota status changes, the control policy is switched to the
corresponding one of the new quota status.
Service service_roaming includes two policies:
l Policy policy_roaming_ipcan: When a user is activated during the access to the mobile
data network in the roaming place, and the current quota status is matched with the rule in
the policy, the matched rule is considered as the current control policy of the user.
l Policy policy_roaming_usage: defines the quota status-based policy control when the user
is in the roaming place. When the quota status changes, the control policy is switched to
the corresponding one of the new quota status.

rule_local_normal The user is in the local and Defines the mapping between
the monthly quota rating group total and total traffic.
accumulation is less than
80% of the total quota.
rule_roaming_normal The user is in the roaming

place and the monthly
quota accumulation is less
than 80% of the total
quota.
rul_local_level1 The user is in the local and Defines the mapping between
the monthly quota rating group total and total traffic.
accumulation is between When 80% of the total traffic is
80% (included) and 100% consumed, the system sends a short
of the total quota. message to the user about the
consumed traffic.
rul_roaming_level1 The user is in the roaming
place and the monthly
quota accumulation is
between 80% (included)
and 100% of the total
quota.
rul_local_exhaust_fup The user is in the local and Defines the mapping between
the monthly quota rating group total and total traffic to
accumulation is not less collect the quota of the total traffic
than 100% of the total into rating group total.
quota.
rul_roaming_exhaust_fu The user is in the roaming

p place and the monthly
quota accumulation is not
less than 100% of the total
quota.
rul_local_exhaust_qos The user is in the local and Both the maximum uplink and
the monthly quota downlink bandwidths are 64 kbit/s.
accumulation is not less
than 100% of the total
quota.
rul_roaming_exhaust_qo The user is in the roaming

s place and the monthly
quota accumulation is not
less than 100% of the total
quota.
rul_local_outlocal The user is in the roaming The current service is disabled.

place.
rul_roaming_outlocal The user is in the local.

Data Planning
l Table 6-31 shows the data planning of quota quota_local.
l Table 6-32 shows the data planning of quota quota_roaming.
l Table 6-33 shows the data planning of policy policy_local_ipcan.
l Table 6-34 shows the data planning of policy policy_local_usage.
l Table 6-35 shows the data planning of policy policy_roaming_ipcan.
l Table 6-36 shows the data planning of policy policy_roaming_usage.
l Table 6-37 shows the data planning of service service_local.
l Table 6-38 shows the data planning of service service_roaming.
Table 6-31 Data planning of quota quota_local

Basic Information Name: quota_local
Quota Class: Volume
Type: Service Level
Monitor Key: 1
Value(KB): 1000000
CAUTION
Front End.
Slice(%): 5
Description: -
Exhaust: 100

Table 6-32 Data planning of quota quota_roaming

Basic Information Name: quota_roamming
Quota Class: Volume
Type: Service Level
Monitor Key: 2
Quata (KB): 20,000
Slice(%): 5
Description: -
Exhaust: 100
Table 6-33 Data planning of policy policy_local_ipcan

Name policy_local_ipcan
Description -
Rule rule_local_normal
rule_local_level1
rule_local_exhaust_fup
rule_local_exhaust_qos
rule_outlocal

Table 6-34 Data planning of policy policy_local_usage

Name policy_local_usage
Description -
Rule rule_local_normal
rule_local_level1
rule_local_exhaust_fup
rule_local_exhaust_qos
rule_outlocal
Table 6-35 Data planning of policy policy_roaming_ipcan

Name policy_roaming_ipcan
Description -
Rule rule_roaming_normal
rule_roaming_level1
rule_roaming_exhaust_fup
rule_roaming_exhaust_qos
rule_outroaming
Table 6-36 Data planning of policy policy_roaming_usage

Name policy_roaming_usage

Description -
Rule rule_roaming_normal
rule_roaming_level1
rule_roaming_exhaust_fup
rule_roaming_exhaust_qos
rule_outroaming
Table 6-37 Data planning of service service_local

Basic Information Name: service_local
APN: -
VPN: -
SP: default1
Account: -
Activated By: PCEF
Precedence: 0
QoS Mode: Replace
Description: -
Policy policy_local_ipcan
policy_local_usage
Quota quota_local
NOTE
of the UPCC.

Table 6-38 Data planning of service service_roaming
Basic Information Name: service_roaming
APN: -
VPN: -
SP: default1
Account: -
Activated By: PCEF
Precedence: 0
QoS Mode: Replace
Description: -
Policy policy_roaming_ipcan
policy_roaming_usage
Quota quota_roaming
Baisc Information Subscriber ID: 460100000000022
MSISDN: 8613810000022
Service service_local
service_roaming
Procedure


2. Click Add. Set Number to 1, and Name to total. Then click OK.
Step 3 Add a FUP traffic control policy package.

2. Click Add.
3. Set Policy Package Code to 1:200001, set Name to total. Then click Save.
Figure 6-127 Adding policy package total

NOTE

2. Click Add.
3. Set Service Configuration Code to 14:200002, set Name to fup_con. Then click Save.
Figure 6-128 Adding FUP service configuration policy package fup_con


NOTE

NOTE
for the first time.


NOTE
4. Click Login.
Step 6 Add the local PLMN.

1. In the navigation tree, choose Location Management > Location > PLMN.

2. Add the local PLMN. Figure 6-132 shows the configuration page.
Figure 6-132 Adding the local PLMN
3. Click OK.
Step 7 Add a notification.
1. In the navigation tree, choose System Management > System Configuration > Message
Template.
2. Click Add, add template Notification_Tempalte. Figure 6-133 shows the configuration
page. Click OK.

Figure 6-133 Adding template Notification_Tempalte
3. In the navigation tree, choose Policy Management > Policy > Notification.
4. Click Add, and add notification Notification. Figure 6-134 shows the configuration page.
Click OK.

Figure 6-134 Adding notification Notification
Step 8 Add quotas.

2. Add quota quota_local. Figure 6-135 shows the configuration page.

Figure 6-135 Adding quota quota_local
3. Add quota quota_roaming. Figure 6-136 shows the configuration page.

Figure 6-136 Adding quota quota_roaming

2. Add condition group condition_local_normal.
a. Click Add.
b. Set Name to condition_local_normal on the Basic Information tab.
c. Click the Condition tab, and click Add.
d. Add condition con1, Figure 6-137 shows the configuration page. Click OK.
NOTE
When Object Attribute is selected, set Object to Quota and click QuotaStatus. Then click
OK. Refer to Figure 6-138.

Figure 6-137 Condition con1

e. Add condition con2, Figure 6-139 shows the configuration page. Click OK.
NOTE
When Object Attribute is selected, set Object to IPSession and click RoamingStatus. Then
click OK. Refer to Figure 6-140.

Figure 6-140 Selecting object attribute RoamingStatus
f. In the Add Condition Group dialog box, click OK.

3. Add condition group condition_local_level1.
The configuration of condition group condition_local_level is identical with configuration
of condition group condition_local_normal. Conditions con1 and con2 are involved, as
shown in Figure 6-141 and Figure 6-142.


4. Add condition group condition_local_exhaust.

The configuration of condition group condition_local_exhaust is identical with
configuration of condition group condition_local_normal. Conditions con1 and con2 are
involved, as shown in Figure 6-143 and Figure 6-144.


5. Add condition group condition_roaming_normal.

The configuration of condition group condition_roaming_normal is identical with
configuration of condition group condition_local_normal. Conditions con1 and con2 are
involved, as shown in Figure 6-145 and Figure 6-146.


6. Add condition group condition_roaming_level1.

The configuration of condition group condition_roaming_level1 is identical with
configuration of condition group condition_roaming_normal. Conditions con1 and
con2 are involved, as shown in Figure 6-147 and Figure 6-148.


7. Add condition group condition_roaming_exhaust.

The configuration of condition group condition_roaming_exhaust is identical with
configuration of condition group condition_roaming_normal. Conditions con1 and
con2 are involved, as shown in Figure 6-149 and Figure 6-150.


8. Add condition group condition_outlocal. Figure 6-151 shows the configuration page.

Figure 6-151 Condition con
9. Add condition group condition_outroaming. Figure 6-152 shows the configuration page.

Figure 6-152 Condition con
Step 10 Add rules.

2. Add rule rule_local_normal_fup. Figure 6-153 shows the configuration page. Click
OK.

Figure 6-153 Adding rule rule_local_normal_fup
The configuration of rule rule_roaming_normal_fup is identical with configuration of

rule rule_local_normal_fup. rule_roaming_normal_fup is bound to condition group
condition_roaming_normal.
3. Add rule rule_local_level1. Figure 6-154 shows the configuration page. Click OK.

Figure 6-154 Adding rule rule_local_level1
The configuration of rule rule_roaming_level1 is identical with configuration of rule

rule_local_level1. rule_roaming_level1 is bound to condition group
condition_roaming_level1.
4. Add rule rule_local_exhaust_fup. Figure 6-155 shows the configuration page. Click
OK.

Figure 6-155 Adding rule rule_local_exhaust_fup
The configuration of rule rule_roaming_exhaust_fup is identical with configuration of

rule rule_local_exhaust_fup. rule_roaming_exhaust_fup is bound to condition group
condition_roaming_exhaust.
5. Add rule rule_local_exhaust_qos. Figure 6-156 shows the configuration page. Click
OK.

Figure 6-156 Adding rule rule_local_exhaust_qos
The configuration of rule rule_roaming_exhaust_qos is identical with configuration of

rule rule_local_exhaust_qos. rule_roaming_exhaust_qos is bound to condition group
condition_roaming_exhaust.
6. Add rule rule_outlocal. Figure 6-157 shows the configuration page. Click OK.

Figure 6-157 Adding rule rule_outlocal
The configuration of rule rule_roaming is identical with configuration of rule

rule_local. rule_roaming is bound to condition group condition_outroaming.
2. Add policy policy_local_ipcan. Figure 6-158 shows the configuration page.

Figure 6-158 Adding policy policy_local_ipcan
3. Add policy policy_local_usage. Figure 6-159 shows the configuration page.
Figure 6-159 Adding policy policy_local_usage
4. Add policy policy_roaming_ipcan. Figure 6-160 shows the configuration page.

Figure 6-160 Adding policy policy_roaming_ipcan
5. Add policy policy_roaming_usage. Figure 6-161 shows the configuration page.
Figure 6-161 Adding policy policy_roaming_usage

2. Add service service_local. Figure 6-162 shows the configuration page.

Figure 6-162 Adding service service_local
3. Add service service_roaming. Figure 6-163 shows the configuration page.

Figure 6-163 Adding service service_roaming

3. Click the Service tab, click Add, and add services service_local and service_roaming.
Figure 6-164 shows the configuration page.

4. Click OK.
----End
6.2.9 Typical Configuration Example 7 (Dynamic Rule, Total

Traffic)
This provides an example of using the dynamic rule to apply the FUP service to the total traffic
of wireless users when the SIG interworks with the UPCC.
Prerequisites
NOTE

networking.

RADIUS PCRF
Server (RM9000)
t
ke Gx
P ac
US
DI
RA
Gi
PCEF
(Front End)
DPI System

downstream bandwidths are limited to 64 kbit/s; when quotas are used up, users' HTTP
access is redirected to the Web site of the carrier, and users are reminded of recharge.


Rule 1 Condition group

Action group Traffic control policy for the total traffic Flow classification
action-normal Upstream: 1024kbit/s; Downstream: 2048kbit/s Total

Rule action-level1 Upstream: 512kbit/s; Downstream: 1024kbit/s Total

action-level2 Upstream: 256kbit/s; Downstream: 1024kbit/s Total

action-exhuast Upstream: 64kbit/s; Downstream: 64kbit/s Total
policy_fup UsageStatusChange


Suppose that the user subscribes to service_fup, and the service has session quota quota_fup.
upstream and downstream bandwidths of the total traffic are limited to 1024 kbit/s and 2048
Name Condition Action
rule-level 40% of the total quota≤ The maximum uplink bandwidth is 512 kbit/
the total quota
the total quota
Data Planning


Quota Class: Volume
Type: Session Level
Value(KB): 1000000
CAUTION
Front End.
Slice(%): 5
Description: -
Level2: 80
Exhaust: 100

Name policy_ipcan
Description -
Rule rule-normal
rule-level1
rule-level2
rule-exhaust


Name policy_fup
Description -
Rule rule-normal
rule-level1
rule-level2
rule-exhaust

APN: -
VPN: -
SP: default1
Account: -
Activated By: PCEF
Precedence: 0
QoS Mode: Replace
Description: -
Policy policy_ipcan
policy_fup
Quota quota_fup

NOTE
of the UPCC.

MSISDN 8613810000022
Service service_fup
Procedure
NOTE
for the first time.



NOTE
4. Click Login.
Step 3 Add a quota.


2. Click Add.
configuration page.
NOTE



according to previous steps. Figure 6-173 to Figure 6-176 show conditions in added
condition groups.
Step 5 Add action groups.

1. In the navigation tree, choose Dictionary Management > Dictionary > Action.

2. Define action GxProtoClassifierName, as shown in Figure 6-177
Figure 6-177 Action GxProtoClassifierName
3. In the navigation tree, choose Policy Management > Policy > Action Group.
4. Configure action QoSAction for action group action_normal, and then define the
bandwidth control policy, as shown in Figure 6-178.
Figure 6-178 Actions in action group action-normal — QoSAction
NOTE
Although the QCI is mandatory, it is not used this service. You can set a value only. For details, refer
to the product document of the UPCC.
For the action of the QoSAction type, MBRUL and MBRDL are set to 1024 and 2048
respectively. That is, upstream and downstream bandwidths for this action group are 1024
kbit/s and 2048 kbit/s. Other action elements do not need configuring.
5. Configure action GxProtoClassifierName for action group action_normal, and specify
the flow classification number, as shown in Figure 6-179.

Figure 6-179 Actions in action group action-normal — GxProtoClassifierName
Set GxProtoClassifierName to 5025. The value of GxProtoClassifierName should be

consistent with the number of predefined flow classification Total.
NOTE
The number of the predefined flow classification Total can be viewed in the following way:
a. Log in to the Back End of the SIG.
b. In the navigation tree, choose Basic Configuration > Flow Classification Management > Flow
Classification Configuration.
6. Add action groups action-level1, action-level2, and action-exhaust according to previous
steps. Each action group defines the bandwidth control policy, and specifies the flow
classification number for each quota level.
When the quota is exhausted, users' HTTP access is redirected. You need to add another
action, namely, Redirection, to action group action-exhaust. Figure 6-180 shows the
configuration page.
Figure 6-180 Action Redirection in action group action-exhaust
l RedirectAddressType can be either URL or IPv4.

l RedirectServerAddress can be either the URL or IP address of a redirection URL.

l If OneshotRedrection is set to Disable, it indicates continuous redirection. If

OneshotRedrection is set to Enable, it indicates one-off redirection.
Step 6 Add rules.
2. Add rules rule-normal, rule-level1, rule-level2, and rule-exhaust, and bind them to
configured condition groups and action groups respectively. For example, the condition
group and action group bound to rule rule-normal are condition-normal and
action_normal accordingly. Figure 6-181 shows the configuration page.
The configurations of rules rule-level1, rule-level2, and rule-exhaust are consistent with
that of rule rule-normal. Condition groups bound to previous three rules are condition-
level1, condition-level2, and condition-exhaust; their bound action groups are action-
level1, action-level2, and action-exhaust.




configuration page.

4. Click OK.
----End
6.2.10 Typical Configuration Example 8 (Dynamic Rule, Service

Traffic)
This provides an example of using the dynamic rule to apply the FUP service to the P2P and
VoIP traffic of wireless users when the SIG interworks with the UPCC.
Prerequisites
NOTE

networking.

RADIUS PCRF
Server (RM9000)
t
ke Gx
P ac
I US
R AD
Gi
PCEF
(Front End)
DPI System
Requirements of the FUP service for P2P and VoIP traffic are as follows:
downstream bandwidths are limited to 64 kbit/s; when quotas are used up, users' HTTP
access is redirected to the Web site of the carrier, and users are reminded of recharge.



Action group Traffic control policy for the P2P and VoIP traffic Flow classification
action-normal Upstream: 1024kbit/s; Downstream: 2048kbit/s p2p_voip

Rule Action group Traffic control policy for the P2P and VoIP traffic Flow classification
action-level1 Upstream: 512kbit/s; Downstream: 1024kbit/s p2p_voip

Action group Traffic control policy for the P2P and VoIP traffic Flow classification
action-level2 Upstream: 256kbit/s; Downstream: 1024kbit/s p2p_voip

Policy 2 Quota status change trigger Action group Traffic control policy for the P2P and VoIP traffic Flow classification
policy_fup UsageStatusChange action-exhuast Upstream: 64kbit/s; Downstream: 64kbit/s p2p_voip


Suppose that the user subscribes to service service_fup, and the service has service quota
quota_fup.
upstream and downstream bandwidths of the P2P and VoIP traffic are limited to 1024 kbit/
s and 2048 kbit/s respectively.
Name Condition Action
rule-level 40% ≤ Accumulated The maximum uplink bandwidth is 512 kbit/

quota usage within a s, and the maximum downlink bandwidth is
month < 80% of the total 1024 kbit/s.
quota
rule-level2 80% ≤ Accumulated The maximum uplink bandwidth is 256 kbit/

month < 100% of the total 512 kbit/s.
quota
Data Planning


Quota Class: Volume
Type: Service Level
Monitor Key: 3
Value(KB): 1000000
CAUTION
Front End.
Slice(%): 5
Description: -
Level2: 80
Exhaust: 100

Name policy_ipcan
Description -
Rule rule-normal
rule-level1
rule-level2
rule-exhaust


Name policy_fup
Description -
Rule rule-normal
rule-level1
rule-level2
rule-exhaust

APN: -
VPN: -
SP: default1
Account: -
Activated By: PCEF
Precedence: 0
QoS Mode: Replace
Description: -
Policy policy_ipcan
policy_fup
Quota quota_fup

NOTE
of the UPCC.

MSISDN 8613810000022
Service service_fup
Procedure
Step 2 Add a flow class.
2. Click Add.
3. Enter p2p_voip in Name.
4. Click Add and select the predefined flow classification items P2P and VoIP.
NOTE
After the flow class is added, the system automatically generates flow classification ID 1, which is required
during the adding of the action group.

NOTE
for the first time.



NOTE
4. Click Login.
Step 4 Add a quota.


2. Click Add.
configuration page.
NOTE



according to previous steps. Figure 6-194 to Figure 6-197 show conditions in added
condition groups.
Step 6 Add action groups.

1. In the navigation tree, choose Dictionary Management > Dictionary > Action.

2. Define action GxProtoClassifierName, as shown in Figure 6-198
Figure 6-198 Action GxProtoClassifierName
3. In the navigation tree, choose Policy Management > Policy > Action Group.
4. Configure action QoSAction for action group action_normal, and then define the
bandwidth control policy, as shown in Figure 6-199.
Figure 6-199 Actions in action group action-normal — QoSAction
NOTE
Although the QCI is mandatory, it is not used this service. You can set a value only. For details, refer
to the product document of the UPCC.
For the action of the QoSAction type, MBRUL and MBRDL are set to 1024 and 2048
respectively. That is, upstream and downstream bandwidths for this action group are 1024
kbit/s and 2048 kbit/s. Other action elements do not need configuring.
5. Configure action ChargingAction for action group action_normal, and then define the
rating group and reporting ldevel, as shown in Figure 6-200.

Figure 6-200 Actions in action group action-normal — ChargingAction
Set RatingGroup to 3, ReportingLevel to Rating Group Level.

6. Configure action GxProtoClassifierName for action group action_normal, and specify
the flow classification number, as shown in Figure 6-201.
Figure 6-201 Actions in action group action-normal — GxProtoClassifierName
Set GxProtoClassifierName to 5025. The value of GxProtoClassifierName should be

consistent with the ID of the flow classification configured in Step 2.
7. Add action groups action-level1, action-level2, and action-exhaust according to previous
steps. Each action group defines the bandwidth control policy, and specifies the rating group
number and flow classification number for each quota level.
When the quota is exhausted, users' HTTP access is redirected. You need to add another
action, namely, Redirection, to action group action-exhaust. Figure 6-202 shows the
configuration page.

Figure 6-202 Action Redirection in action group action-exhaust
l RedirectAddressType can be either URL or IPv4.

l RedirectServerAddress can be either the URL or IP address of a redirection URL.
l If OneshotRedrection is set to Disable, it indicates continuous redirection. If
OneshotRedrection is set to Enable, it indicates one-off redirection.
Step 7 Add rules.
2. Add rules rule-normal, rule-level1, rule-level2, and rule-exhaust, and bind them to
configured condition groups and action groups respectively. For example, the condition
group and action group bound to rule rule-normal are condition-normal and
action_normal accordingly. Figure 6-203 shows the configuration page.

The configurations of rules rule-level1, rule-level2, and rule-exhaust are consistent with
that of rule rule-normal. Condition groups bound to previous three rules are condition-
level1, condition-level2, and condition-exhaust; their bound action groups are action-
level1, action-level2, and action-exhaust.



configuration page.

4. Click OK.
----End
6.3 Manually Adjusting Surplus Quotas (Interworking with

the PCRF)
When the SIG interworks with the PCRF (take the UPCC as an example), and the FUP service
is applied for a period of time, certain users' quotas are consumed. To add or reduce users' surplus
quotas, you should refer to this part and manually adjust the surplus quotas on the UPCC.
Prerequisites
l The current user has the service permission to adjust users' surplus quotas.
l The target user whose quota is to be adjusted is configured and the FUP policy is applied.
Additionally, the target user already consumes certain traffic.
Procedure
Step 2 In the navigation tree, choose Subscriber Management > Subscriber > Subscriber.
Step 3 Select the user whose surplus quota needs adjusting, and click Quota.
Figure 6-208 shows the configuration interface.

Figure 6-208 Adjusting the quota
Step 4 Click Clear Balance and Reset Balance on the Subscriber Quota interface to adjust the surplus
quota.
----End

Configuration Guide 7 Charging Service
7 Charging Service
About This Chapter
With the charging service, the SIG can identify the charging service of the protocol/application
type, so that users can adopt different charging policies for various service types. Thus, carriers
are provided with refined charging.
7.1 About the Charging Service

This describes the basic concepts of the charging service.
7.2 Configuring the Charging Service
To configure and apply the charging service when the SIG interworks with the PCRF (take the
UPCC V300R002C06 as an example, the configuration varies with the UPCC version), you
should refer to this part.

7.1 About the Charging Service

This describes the basic concepts of the charging service.
Nowadays, mobile networks are evolving towards IP-based and broadband-oriented, and their
integration with the Internet becomes increasingly close. Due to increasingly various service
contents, the duration-based or monthly payment cannot address the requirements of terminal
users. It is a trend that the charging mode is further segmented.
In addition to more diversified services for mobile users, carriers need to provide dynamic and
refined charging functions. In so doing, these users can sign required service agreements at
different levels and select proper charging modes.
Catering for such scenarios, the SIG is empowered with the online charging function, enabling
refined charging capabilities. In this way, carriers not only realize protocol/application type
identification but also implement traffic-based, duration-based, or traffic and duration-based
charging for varied applications, thus attracting more users.
Supported Wireless Network Types

l GPRS/Universal Mobile Telecommunications System (UMTS) network, including GPRS
(2.5G), Enhanced Data Rates for GSM Evolution (EDGE) (2.75G), WCDMA (3G), and
High Speed Downlink Packet Access (HSDPA) (3.5G).
l CDMA/CDMA2000 network, including CDMA 1X (2.5G) and CDMA EVDO (3G).
In this case, the SIG reports only the user ID, IP address, and Base Station Identify Code
(BSID) to the PCRF, but not other user attributes such as the user location. That is, it does
not support the features based on other user attributes.
l Worldwide Interoperability for Microwave Access (WiMAX) network
user attributes.
l Wireless Fidelity (WiFi) network
user attributes.
Typical Networking
Figure 7-1 shows the typical networking of the charging service.

Figure 7-1 Typical networking diagram of the charging service

Billing
System
Back End
RADIUS
PCRF OCS CG
Server
Gx Gy Ga/Gz
et
ck
Pa
S
IU
AD
R
Gi
IP/MPLS
Video Streaming
PCEF
SGSN GGSN
(Front End) Voice VoIP
DPI System
NOTE
The RADIUS proxy server on the Back End of the SIGsystem (Which is the DPI system in the figure) can
obtain account information in Carbon Copy (CC), listen, proxy or sniffer mode (the figure shows the CC
mode). In this scenario, the Front End, that is, the DPI device, acts as the PCEF.
To enable offline charging when no CG is available, the Front End of the SIG sends CDRs to the back-end
Charging Data Record File Server (CFS). The CFS generates CDR files, saves them to the local server
where the CFS resides, and connects to the Billing System (BS) through an FTP interface.
Charging Modes
The SIG supports the following charging modes:
l Online charging
Online charging affects users' access to services in real time. Therefore, this mechanism
needs to directly interact with resource usage. Prepaid users adopt online charging to surf
the Internet. That is, users apply for quotas first and then access network resources.
When online charging users initiate data services, the Online Charging System (OCS)
determines whether to allow users to perform the packet data service (based on user
information and account balances). It traces the usage of purchased resources (time and
traffic) and deducts the current usage expense from the account balance in real time. When
the account balance or credit is insufficient or exhausted, the service is disabled or the
related prompt is displayed.
To be brief, online charging controls users' credits. If the OCS supports Charging Data
Record (CDR) exporting, the CDR can be exported to the BS for charging.
l Offline charging
Offline charging does not affect users' access to services in real time.
The Front End of the SIG generates the CDR and then sends it to the Charging Gateway
(CG) through the Ga/Gz interface. After being processed by the CG, the CDR is sent to the
BS for charging.
The following types are available for triggering the Front End of the SIG to generate the
CDR:

– Service containers reaching the specified value

When the traffic or time of the service container reaches the specified value, the
container is triggered to close. When the number of the closed service containers reaches
the specified value, the Front End of the SIG generates the CDR.
– Generating the CDR by the change count of charging conditions
The Front End of the SIG generates the CDR when the changes of charging conditions
(such as the QoS and charge rate) exceed the threshold.
– Generatig the CDR by user logout
A CDR is generated when the wireless user goes offline.
To be brief, offline charging functions as exporting CDRs.
l Online/Offline charging
If the OCS does not support CDR exporting, you can configure both online charging and
offline charging to easily check CDRs. The OCS is mainly in charge of credit control,
whereas the CG is in charge of CDR exporting.
l No charging
If certain Web sites, IP addresses, and ports do not need re-charging because their charging
is implemented in other systems, you can configure No charging for the traffic accessing
these Web sites, IP addresses, and ports.
7.2 Configuring the Charging Service

To configure and apply the charging service when the SIG interworks with the PCRF (take the
UPCC V300R002C06 as an example, the configuration varies with the UPCC version), you
should refer to this part.
7.2.1 Overview
To configure the charging service, you need to learn the related concepts of the charging service.
Charging can be classified into the following types based on services:
l Charging by service
The Deep Packet Inspection (DPI) technology of the SIG can classify services. Carriers
charge users based on services, thus implementing refined operation.
For example, compared with Web page browsing, the Video On Demand (VOD) service
consumes relatively heavy data traffic, and thus should be charged at a lower rate.
Therefore, the charge rate for P2P traffic is $0.5/MB, and that for HTTP traffic is $1/MB.
l Charging by total traffic
To charge the traffic of all services in a unified way, you need to select total traffic-based
charging.
Through the online charging service, you can implement:
l Charging by traffic
Due to the insufficient resources and the low transmission rates of wireless data services,
users are charged by the volume of transmitted data.
For example, a mobile phone user subscribes to the 20 MB traffic service monthly.

l Charging by duration
For the traditional charging by duration, users can preliminarily estimate online fees
according to their own online duration.
For example, a mobile phone user subscribes to the Prepaid Service (PPS) of total 80 hours
monthly.
Online charging also supports charging by time segment, charging redirection and alarm and
charging whitelist.
l Charging by time segment
Charging rates vary with the online time segment of users.
For example, when the time segment ranges from 20:00 to 23:00 (the network is busy or
lots of bandwidths are occupied), the relatively high charge rate is adopted; during other
time segments (the network is relatively idle), the relatively low charge rate is adopted. In
this way, users are encouraged to avoid traffic peaks on the network, which not only saves
the network bandwidth in rush hours, but also increases bandwidth usage in the idle time
period.
NOTE
By configuring the OCS, you can adopt differentiate charge rates for different time segments.
l Charging Redirection
– Redirection upon the last slice of the quota
When the SIG is connected to the OCS, the SIG reports users' quota usage to the OCS.
If a user requests the last slice of the quota, the OCS delivers the redirection URL to the
SIG through Final Usage Indication (FUI).
When the user requests the last slice of quota, the OCS delivers the redirection URL to
the Front End of the SIG.
– Charging redirection
When carriers use their own OCS for charging, and use the SIG only for charging
redirection, the RADIUS server copies RADIUS packets (including user information)
to the RADIUS proxy server on the Back End of the SIG to obtain the status of the user,
namely, with inadequate credit or exhausted credit.
The SIG redirects user's HTTP access to the alarm Web site, and notifies the user of
recharging. If having recharged, users can continue to access network resources. If users
have not recharged, the SIG prevents users from accessing network resources.
The SIG redirects only HTTP and WAP1.X traffic to the alarm Web site.
The SIG does not charge on the traffic generated by the access to the alarm Web site.
l Alarm and Charging Whitelist
– You can add some Web sites to the alarm and charging whitelist. When the user's credit
is inadequate or exhausted, the user can still access URLs in the whitelist normally, but
not redirected to the alarm Web site.
– To exempt some Web sites (such as the recharge Web site) from charging, add the URLs
to the alarm and charging whitelist.
The alarm and charging whitelist supports blurry matching. For example, if you add http://
www.example.com/news to the alarm whitelist, the user is neither redirected to the alarm
Web site not charged when accessing the subdirectories (such as http://www.example.com/
news/sports) of http://www.example.com/news.

NOTE
The alarm and charging whitelist is a global configuration. To exempt some users of a Web site from
charging, add this Web site to the user-defined protocols, and then configure differentiated actions
for users.
On the SIG, you can add only the HTTP URLs to the alarm and charging whitelist.
A user can adopt the combination of previous online charging modes.
For example, charging by the combination of the service, traffic, time duration, and time
segment, as shown in Figure 7-2.
Figure 7-2 Charging by the combination of the service, traffic, time duration, and time segment
19:00
Normal hours: $0.5/min Busy hours: $1.5 /min
Time segment-based charging
P2P downloading
Web page browsing
Online video
Network chatting
Online game
Traffic-based and Time duration-based charging

Charging package
$1/min Web page browsing
e
$5 /MB Online video
$3/MB Network chatting
$5/MB Online game
Online Offline
Through the offline charging service, you can implement:
l Post payment
l Offline charging in the case of online charging faults
l Both online charging and offline charging. No charging is performed on specified URLs,
and the IP addresses and ports of servers.
When a user accesses certain URLs or servers, offline charging instead of online charging
is performed (certain traffic is already charged in other systems). Then the CDR is
generated, thus facilitating the CDR check.
For example, when the quota credit of a user is exhausted, the access page is redirected to
the recharge page. Thus, no charging is performed on the traffic.
Concepts related to the charging service are as follows:
l Quota
Indicates the traffic traffic/duration allowed by carriers.


in the system.
l Rating group and Service ID
Rating group: One group corresponds to one charging rate, for example, $2/MB. When
allocating quotas, you can bind multiple services into one rating group. In this way, the
SIG charges various types of traffic corresponding to the same rating group.
Service ID: The charging can be managed based on services, such as P2P and VoIP. The
SIG can deliver quotas to different services. A service ID indicates the corresponding
service during quota delivery.
In the charging service, the rating group ID and service ID serve as only bridges. The rating
group ID and service ID can be bound to the service of a certain type (such as HTTP, FTP,
or P2P). During quota adding, you can identify the service of the quota through the rating
group and service ID.
l Quotas Asking For
The quota control mode for online charging falls into centralized quota control and
distributed quota control.
Centralized quota control mode: The PCEF requests a quota, but the OCS decides the size
of the quota to be delivered. This is the default mode.
Distributed quota control mode: When the PCEF controls requested quotas, the OCS
determines the delivered quota according to users' balances. The PCEF should carry the
size of the quota to be requested. This mode can be configured in the charging policy
package. If you do not configure the control mode in the charging policy package, the
system adopts the default mode.
Requested quotas can be divided into two types, namely, time quota and traffic quota. For
the charging by duration, the requested time quota should be configured in the charging
policy package. For traffic-based charging, the requested traffic quota should be
configured.
l Offline Charging Rating Template
If the function is configured, the Front End of SIG is triggered to generate the CDR on
entering new bill settlement cycle.
If the function is not configured, the Front End of the SIG is triggered to generate the CDR
only on the following conditions:
– Service containers reaching the specified value
When the traffic or time of the service container reaches the specified value, the
container is triggered to close. When the number of the closed service containers reaches
the specified value, the Front End of the SIG generates the CDR.
– Generating the CDR by the change count of charging conditions
The Front End of the SIG generates the CDR when the changes of charging conditions
(such as the QoS and charge rate) exceed the threshold.
– Generatig the CDR by user logout

A CDR is generated when the wireless user goes offline.

For example, in the charge rate switching template, if the Task Cycle is set to Monthly,
Date as Last Day, Start Time as 00:00:00, and End Time as 00:00:00, the Front End of
SIG generates the CDR and report it to CG at 00:00:00 on the last day of each month.

Taking the Unified Policy and Charging Controller (UPCC) V300R002C06 serving as the PCRF
for example, this describes how to configure the charging service.
Figure 7-3 Procedure for configuring the charging service

Start
Front End of the

Configure basic information
DPI system
Yes Are predefined flow

classes sufficient?
No
Add the flow class
Add the rating group and service ID Back End of the

DPI system
Add a charging policy package
Add a rule
Add a policy
Add a service UPCC Web UI
Add a charging server
Add the user and user group
No
Online charging?
Yes
BS Configure a charge rate Configure the quota and charge rate
OCS
Configure the redirection URL
End

Table 7-1 Procedure description of the charging service

Action Description
Operation location: Front End of the SIG.
Add services bound Add services bound to the policy item manually when the predefined
to the policy item services bound to the policy item are insufficient.
Add the rating group In the online charging service, the rating group ID and service ID serve
and service ID as only bridges.
Through the adding of the charging policy package, a rating group ID
and service ID can be bound to the flow class (such as HTTP or P2P).
Then the charge rate of the rating group is specified for charging.
Operation location: Back-end UI of the SIG.
l In the navigation tree, choose Value-added Service > Application
Charging > Application Mapping > Rating Group
Management.
l In the navigation tree, choose Value-added Service > Application
Charging > Application Mapping > Service ID Management.
Add a charging A charging policy package can include one or multiple configuration
policy package items.
choose Value-added Service > Application Charging > Charging
> Charging Policy Package Management.
a rule is to bind the configured charging policy. The ID of the charging
policy package is required during the adding of a rule.
Since the charging policy package is already configured on the Back
End of the SIG, you need to select Predefined.


Action Description
Add a charging The UPCC notifies the SAS on the Front End of the SIG to request
server quotas from the charging server.
Subscriber Management > Subscriber > Charging Server.
Add the user and Bind the user group to the configured charging service, and add users
user group to the user group.
Operation location: UPCC Web UI.
l In the navigation tree, choose Subscriber Management >
Subscriber > Subscriber.
l In the navigation tree, choose Subscriber Management >
Subscriber > Subscriber Group.
Configure the quota It is required for online charging. The system collects statistics on
and charge rate traffic by rating group. Therefore, you need to configure the charge
rate for each rating group.
Operation location: OCS.
Configure the It is required when online charging is adopted and the OCS delivers
redirection URL the redirection URL to the SIG.
Operation location: OCS.
Configure the It is required for offline charging. The system collects statistics on
charge rate traffic by rating group. Therefore, you need to configure the charge
rate for each rating group.
Operation location: BS.
7.2.3 Typical Configuration Example 1 (Online Charging by Traffic)

This provides an example for configuring online charging by traffic. Carriers adopt the same
charging mode for the users subscribing to the same service, P2P and Video traffic uses the same
charge rate, and Web_Browsing traffic and the traffic of other types use the charge rates different
from that used by P2P and Video traffic.
Prerequisites
l The connections of the SIG to the UPCC and OCS are commissioned. For details, see
Connecting the Front End to the PCRF, Connecting the PCRF to the Front End,
Commissioning the Connection to the PCRF, and Connecting to the OCS in
HUAWEI SIG9800 Service Inspection Gateway Commissioning Guide respectively.
l 4.2 Configuring the Subscriber is complete, and the account of the subscriber to be
managed is 460100000000022.
l The current user has the permission to operate the UPCC and OCS.

NOTE
To learn more about the UPCC and OCS, refer to related technical documents provided by respective vendors.
The carrier needs to enable online charging. Figure 7-4 shows the networking.
Figure 7-4 Networking diagram of online charging
RADIUS PCRF
OCS
Server (UPCC)
Gx Gy
et
ck
Pa
S
IU
AD
R
Gi
IP/MPLS
Video Streaming
PCEF
DPI System
The quota and charge rate for each user are as follows:
l The amount of a user account is $100.
l The traffic quota requested from the OCS each time is 256 KB.
l The charge rate for P2P and Video traffic is $0.1/MB.
l The charge rate for Web_Browsing traffic is $0.05/MB.
l The charge rate for other traffic is $0.2/MB.
l When a user requests the last slice of the quota, the OCS delivers the redirection URL to
the Front End of the SIG, the SIG redirects the user's HTTP access, and the user is reminded
of recharge. If completing recharge, the user can continue to access network resources;
otherwise, the SIG blocks the user's access to network resources.
Figure 7-5 shows the relation between configuration objects in the charging service.

User group Service Charging server
group service ocs
Policy Online trigger

policy IPCANSessionEstablish
Rule Predefined Policy Charging policy package (item1)

rule charge Flow classification: p2p_voip; Rating group: p2p_voip
Charging policy package (item2)

Flow classification: Web_Browsing; Rating group: web_browsing

Flow classification: other; Rating group: other


Suppose that all users in user group group subscribe to service service.
Data Planning
l Table 7-2 shows the data planning of policy policy.

l Table 7-3 shows the data planning of service service.
l Table 7-4 shows the data planning of user group group.
Table 7-2 Data planning of policy policy
Name policy
Description -
Rule Name: rule
Operation: Change Rule
Type: Predefined
Predefined Name: Indicate the ID of the charging policy package

defined on the SIG. The system automatically generates the ID
after the policy package is added.
Policy package charge defines actions, including:
l Rating group p2p_video for P2P and Video traffic
l Rating group web_browsing for Web_Browsing traffic
l Rating group else for traffic of other types
APN: -
VPN: -
SP: default1

Account: -
Activated By: PCEF
Preference: 0
QoS Mode: Replace
Description: -
Policy policy
NOTE
of the UPCC.
Table 7-4 Data planning of user group group
User Group Attribute Example
Basic Information Name: group
Type: Dynamic
Precedence: 10
Charging Server: ocs
PCEF Host Name: sas3_0_0
PCEF Domain Name: realm1
Service service
Procedure
Step 1 Log in to the Front End of the SIG.
Step 2 Configure basic information.
Set the quota control mode for online charging to distributed.

[Sysname-dpi-charge-view] online-charging quota-control-mode decentralization
[Sysname-dpi-charge-view] quit


2. Click Add.
3. Enter p2p_video in Name.
4. Click Add and select the predefined flow classification items P2P and Video.
6. Click Add.
7. Enter else in Name.
8. Click Add and select all the flow classification items except P2P, Video and
Web_Browsing.
2. Click Add.
3. Set Number to 1, and Name to p2p_video.
4. Click OK.
5. According to previous steps, set Name to web_browsing, and Number to 2; set Name to
else, and Number to 3.
Step 6 Add a charging policy package.
Charging > Charging Policy Package Management.
2. Click Add.
3. Set Policy Package Code to 8:200005, set Name to charge. Then click Save.
4. Select Charging from Item Type, and click Add.
5. Set the parameters of policy item item1 in the dialog box that is displayed. Figure 7-6
shows parameter settings.
Figure 7-6 Configuring policy item item1

6. Click OK.
7. Click Add, add policy item item2.
Figure 7-7 shows how to configure policy item item2.
8. Click OK.

NOTE
The policy package code is required during the adding of the rule.

NOTE
for the first time.


NOTE
4. Click Login.
Step 8 Add a rule.


2. Add rule rule and bind it to the configured charging policy package. Figure 7-12 shows
the configuration interface.
Figure 7-12 Adding rule rule
Step 9 Add a policy.

2. Add policy policy. Figure 7-13 shows the configuration interface.
Figure 7-13 Adding policy policy


2. Add service service. Figure 7-14 shows the configuration interface.
Step 11 Add a charging server.

1. In the navigation tree, choose Subscriber Management > Subscriber > Charging
Server.
2. Add charging server ocs. Figure 7-15 shows the configuration interface.

Figure 7-15 Add charging server ocs
Step 12 Add the user group.

1. In the navigation tree, choose Subscriber Management > Subscriber > Subscriber
Group.
2. Add a user group, and then bind the user group to the service. Figure 7-16 shows the
configuration interface.
Figure 7-16 Adding user group group and binding it to a service

The bound service is service.

Step 13 Log in to the OCS.
Step 14 Configure the quota and charge rates.
The amount of a user account is $100, and the charge rates for rating groups p2p_video,
web_browsing, and else are $0.1/MB, $0.05/MB, and $0.2/MB.
Step 15 Configure the redirection URL.
When a user request the last slice of the quota (the credit is to be exhausted), the user's HTTP
access is redirected and the user is reminded of recharge. The redirection is configured by the
data configuration engineer.
----End
7.2.4 Typical Configuration Example 2 (Online Charging by

Duration)
This provides an example for configuring online charging by duration. Carriers adopt the same
Prerequisites
managed is 460100000000022.
NOTE

RADIUS PCRF
OCS
Server (UPCC)
Gx Gy
et
ck
Pa
S
IU
AD
R
Gi
IP/MPLS
Video Streaming
PCEF
DPI System

l The quota requested from the OCS each time is 30 seconds.
l The charge rate for P2P and Video traffic is $0.1/minute.
l The charge rate for Web_Browsing traffic is $0.05/minute.
l The charge rate for other traffic is $0.2/minute.

group service ocs






Data Planning
See Data Planning in 7.2.3 Typical Configuration Example 1 (Online Charging by
Traffic).
Procedure


2. Click Add.
6. Click Add.
Web_Browsing.

2. Click Add.
4. Click OK.

2. Click Add.

6. Click OK.
8. Click OK.


NOTE

NOTE
for the first time.



NOTE
4. Click Login.
Step 8 Add a rule.





Server.


Group.


The amount of a user account is $100, the charge rates for rating groups p2p_video,
web_browsing, and else are $0.1/minute, $0.05/minute, and $0.2/minute.
----End
7.2.5 Typical Configuration Example 3 (Online Charging by Traffic

and Duration)
Based on protocol types, this describes the example for configuring online charging either by
traffic or by duration. Carriers adopt the same charging mode for the users subscribing to the
same service. P2P and Video traffic is charged by traffic and at the same charge rate.
Web_Browsing traffic and the traffic of other types are charged by duration and at different
charge rates.
Prerequisites
managed is 460100000000022.
NOTE

RADIUS PCRF
OCS
Server (UPCC)
Gx Gy
et
ck
Pa
S
IU
AD
R
Gi
IP/MPLS
Video Streaming
PCEF
DPI System
l The traffic quota requested from the OCS each time is 256 KB, and the time quota requested
each time is 30 seconds.
l The charge rate for Web_Browsing traffic is $0.05/minute.
l The charge rate for other traffic is $0.2/minute.

group service ocs





Data Planning
Traffic).

Procedure

2. Click Add.
6. Click Add.
Web_Browsing.
2. Click Add.
4. Click OK.
2. Click Add.

6. Click OK.
8. Click OK.


NOTE

NOTE
for the first time.



NOTE
4. Click Login.
Step 8 Add a rule.





Server.


Group.


The amount of a user account is $100, and the total duration quota is 60 hours; the charge rates
for rating groups p2p_video, web_browsing,and else are $0.1/MB, $0.05/minute and $0.2/
minute.
----End
7.2.6 Typical Configuration Example 4 (Online Charging by Traffic

and Roaming)
This provides an example for configuring charge rate changes based on online charging by traffic
and roaming. Carriers adopt the same charging mode for the users subscribing to the same
service. When the SGSN accessed by the user changes, the charge rate varies accordingly.
Prerequisites
managed is 460100000000022.
NOTE

UPCC Web UI IP:128.18.88.226

Back End
RADIUS PCRF
OCS
Server (UPCC)
Gx Gy
et
ck
Pa
S
IU
AD
R
Gi
IP/MPLS
Video Streaming
PCEF
User:460100000000022 SGSN1 GGSN
DPI System
SGSN2

l Before the SGSN change, the charge rate for rating group p2p is $0.6/MB.
l After the SGSN change, the charge rate for rating group p2p is $0.8/MB.

group service ocs

Policy 1 IPCANSessionEstablish
Rule 1 Predefined Policy Charging policy package

Rule 1 charge1 Flow classification: p2p; Rating Group: p2p_1
Policy 2 SGSN change trigger

Policy 2 SGSNChange
Rule 2 Predefined Policy Charging policy package

Rule 2 charge2 Flow classification: p2p; Rating Group: p2p_2


Data Planning
Traffic).
Procedure

2. Click Add.
3. Set Number to 1, and Name to p2p_1.
4. Click OK.
5. According to previous steps, set Name to p2p_2, and Number to 2.
Step 5 Add charging policy packages.
2. Add charging policy package charge1.
a. Click Add.
b. Set Policy Package Code to 8:200001, set Name to charge1. Then click Save.
c. Select Charging from Item Type, and click Add.
d. Set the parameters of policy item item1 in the dialog box that is displayed. Figure
7-45 shows parameter settings.
Figure 7-45 Configuring policy item item1 in policy package charge1

e. Click OK and Save.

NOTE
3. Add charging policy package charge2.
a. Click Add.
b. Set Policy Package Code to 8:200002, set Name to charge2. Then click Save.
c. Select Charging from Item Type, and click Add.
d. Set the parameters of policy item item1 in the dialog box that is displayed. Figure
7-46 shows parameter settings.
Figure 7-46 Configuring policy item item1 in policy package charge2
e. Click OK and Save.

NOTE

NOTE
for the first time.



NOTE
4. Click Login.
Step 7 Add rules.
2. Add rule rule1 adopted before the SGSN change, and bind the rule to policy package
charge1. Figure 7-50 shows the configuration interface.
Figure 7-50 Configuring rule rule1

3. Add rule rule2 adopted after the SGSN change, and bind the rule to policy package
charge2. Figure 7-51 shows the configuration interface.
Figure 7-51 Configuring rule rule2

2. Add policy policy1 (including rule rule1) adopted before the SGSN change. Figure 7-52
shows the configuration interface.
Figure 7-52 Configuring policy policy1

3. Add policy policy2 (including rule rule2) adopted after the SGSN change. Figure 7-53
shows the configuration interface.
Figure 7-53 Configuring policy policy2

2. Add service service, including policies policy1 and policy2. Figure 7-54 shows the


Server.


Group.


The amount of a user account is $100. Before the SGSN change, the charge rate for rating group
p2p_1 is $0.6/MB; after the SGSN change, the charge rate for rating group p2p_2 is $0.8/MB.
----End
7.2.7 Typical Configuration Example 5 (Online Charging by Traffic,

Traffic of Certain Protocols and Web Sites Is Free of Charge)
This example describes how to configure online charging by traffic and ensure that the traffic
of certain protocols and Web sites is free of charge. Carriers adopt the same charging mode for
the users subscribing to the same service. P2P and Video traffic is free of charge, traffic for
accessing certain Web sites (such as www.huawei.com) is free of charge, and traffic of other
types is charged by traffic.
Prerequisites
managed is 460100000000022.
NOTE

RADIUS PCRF
OCS
Server (UPCC)
Gx Gy
et
ck
Pa
S
IU
AD
R
Gi
IP/MPLS
Video Streaming
PCEF
DPI System
l P2P traffic and Video traffic are not charged.
l The access traffic of certain Web sites such as www.huawei.com is not charged.

group service ocs



Flow classification: Websites; Rating group: websites


Procedure



b. Add category websites.
2) Enter websites in Category Name. Select a value in Category Code.
3) Click OK.
Protocol.
configuration page.

CAUTION
as keywords.

2. Add flow classification websites.
b. Click Add and set parameters in the dialog box that is displayed. Figure 7-60 shows
the configuration page.
Figure 7-60 Add flow classification item websites
c. Click OK.
d. In the navigation tree, choose Basic Configuration > Flow Classification
e. Click Add.
f. Enter websites in Name.
g. Click Add and select the flow classification item websites.
h. Choose OK and OK.
3. Add flow classification p2p_video.
b. Click Add.

c. Enter p2p_video in Name.

d. Click Add and select the predefined flow classification items P2P and Video.
e. Choose OK and OK.
4. Add flow classification else.
b. Click Add.
c. Enter else in Name.
d. Click Add and select all the flow classification items except P2P, Video and
websites.
e. Choose OK and OK.

2. Click Add.
4. Click OK.
5. According to previous steps, set Name to websites, and Number to 2; set Name to else,
and Number to 3.

2. Click Add.

6. Click OK.
7. Click Add, add the policy item item2.
8. Click OK.
9. Click Add, add the policy item item3.

NOTE

NOTE
for the first time.


NOTE
4. Click Login.
Step 8 Add a rule.






Server.


Group.


The amount of a user account is $100, and the traffic of charging groups p2p_video and
websites is not charged, the charge rate for charging group else is $0.1/MB.
----End
7.2.8 Typical Configuration Example 6 (Comprehensive Charging,

Charging for the Basic Service and Value-added Services)
This provides an example for configuring the online charging service. The carrier provides one
basic service and multiple value-added services for subscribers, both with multiple charging
modes. The basic service charges users based on the traffic of all protocols. Value-added services
charges users based on the application traffic of the specific service. The priority of charging
for value-added services is higher than that of the charging of the basic service.
Prerequisites
l 4.2 Configuring the Subscriber is complete.
NOTE
A carrier needs to enable online charging. Figure 7-72 shows the networking.

Figure 7-72 Networking of online charging
RADIUS PCRF
OCS
Server (UPCC)
Gx Gy
et
ck
Pa
S
IU
AD
R
Gi
IP/MPLS
Video Streaming
PCEF
DPI System
The carrier provides the following services for subscribers to subscribe:

l Basic service
Available charging modes include:
– Online charging based on traffic: $0.2/MB
– Online charging based on time length: $0.2/minute
– Non-online charging: $200/month
l Value-added service: MP3 downloading
Available charging modes include:
– Online charging based on traffic: $0.1/MB
– Non-online charging: $100/month
– Non-charging: free (charged by service providers)
If the Web sites through which the service provider provides the value-added service are
www.example1.com and www.example2.com, users that subscribe to this service are
allowed to access the Web sites and one of the preceding charging modes is adopted for
the HTTP traffic to these Web sites.
On the portal provided by the carrier, subscribers can order the basic service and value-added
services (optional) and select the corresponding charging modes.


Mutex group Mutex group
mutex_basic mutex_added
Service 1 Service 2 Service 3 Service 4 Service 5

service_basic1 service_basic2 service_basic3 service_added1 service_added2
Policy Policy Policy Policy Policy

policy_basic1 policy_basic2 policy_basic3 policy_added1 policy_added2
Online trigger Rule Rule Rule Rule Rule Online trigger

IPCANSessionEstablish rule_basic1 rule_basic2 rule_basic3 rule_added1 rule_added2 IPCANSessionEstablish
Charging policy Charging policy Charging policy Charging policy Charging policy
package package package package package
basic_traffic basic_duration basic_free added_traffic added_free
Rating group Rating group Rating group Rating group Rating group
basic_traffic basic_traffic basic_traffic basic_traffic basic_traffic

CAUTION
You need to perform configurations from bottom to top, as shown in Figure 7-73.
Data Planning
According to the preceding requirements, the data planning is as follows:
l Customize protocol
Define category websites that contains protocols protocal1 and protocal2.
– Define the HTTP traffic to access www.example1.com as protocol protocal1.
– Define the HTTP traffic to access www.example2.com as protocol protocal2.
l Charging policy package
As shown in Table 7-5.
Table 7-5 Planning of the charging policy package
Name Prioriti Attribute

es of
the
Policy
Items
basic_traffic 15 l Rating Group: basic_traffic

l Quota requested each time: 256 KB

Name Prioriti Attribute

es of
the
Policy
Items
basic_duration 14 l Rating Group: basic_duration

l Quota requested each time: 30 seconds
basic_free 13 l Rating Group: basic_free

l Not charging
added_traffic 12 l Rating Group: added_traffic

l Flow Classification: websites
l Quota requested each time: 256 KB
added_free 11 l Rating Group: added_free

l Not charging
l Flow Classification: websites
Procedure

Step 4 Add user-defined protocols.

1. Add category websites.
2. Add protocols protocal1 and protocal2 to category websites.
l Define the HTTP traffic to access www.example1.com as protocol protocal1.
l Define the HTTP traffic to access www.example2.com as protocol protocal2.
For details on how to add the HTTP traffic of the specified URL to the user-defined protocol,
see 22.6.3 Typical Configuration Example (Customized DPI Signature File, Traffic on the
Specified Web Site) in 22.6 Managing the Knowledge Base.

2. Click Add.
3. Set Number to 1, and Name to basic_traffic.

4. Click OK.
5. According to previous steps, set Name to basic_duration, and Number to 2; set Name to
basic_free, and Number to 3; set Name to added_traffic, and Number to 4; set Name to
added_free, and Number to 5.
Step 6 Add charging policy packages.
2. Click Add.
3. Set Policy Package Code to 8:200051, set Name to basic_traffic. Then click Save.
4. Select OCS from Item Type, and click Add.
5. Set parameters in the dialog box that is displayed. Figure 7-74 shows the configuration
interface.

7. By referring to the previous steps, add policy packages basic_duration, basic_free,
added_duration, added_free according to the data planning.Table 7-5 shows the data
planning of the policy packages.
The codes of these policy packages are 8:200052, 8:200053, 8:200054, and 8:200055, and
the priorities of the policy items contained in these three policy packages are 14, 13, 12,
and 11 respectively.
NOTE

NOTE
for the first time.



NOTE
4. Click Login.
Step 8 Add rules.


2. Add rule rule_basic1. Figure 7-78 shows the configuration interface.
Figure 7-78 Adding rule rule_basic1
The configurations of rules rule_basic2, rule_basic3, rule_added1 and rule_added2 are

identical with configuration of rule rule_basic1. These rules are bound to policy packages
8:200052, 8:200053, 8:200054, and 8:200055 respectively.
2. Add policy policy_basic1. Figure 7-79 shows the configuration interface.
Figure 7-79 Adding policy policy_basic1

The configurations of policies policy_basic2, policy_basic3, policy_added1 and

policy_added2 are identical with configuration of policy policy_basic1. These policies
are bound to rules rule_basic2, rule_basic3, rule_added1, and rule_added2 respectively.

2. Add service service_basic1. Figure 7-80 shows the configuration interface.
Figure 7-80 Adding service service_basic1
The configurations of services service_basic2, service_basic3, service_added1 and

service_added2 are identical with configuration of service service_basic1. These policies

are bound to policies policy_basic2, policy_basic3, policy_added1, and policy_added2

respectively.
Step 11 Add the mutual exclusive group of services.
1. In the navigation tree, choose Service Management > Service > Mutex Group.
2. Add mutual exclusive group mutex_basic with services service_basic1, service_basic2,
and service_basic3. Figure 7-81 shows the configuration interface.
Figure 7-81 Adding mutual exclusive group mutex_basic
The configuration of mutual exclusive group mutex_added is similar to that of mutual

exclusive group mutex_basic. The mutex_added mutual exclusive group contains
service_basic1 and service_basic2.
Server.

Step 14 Configure rating groups and their charging rates.
The requirements are as follows:
l The charging rate for rating group basic_traffic is $0.2/MB.

l The charging rate for rating group basic_duration is $0.2/minute.
l Rating group basic_free does not charge users.
l The charging rate for rating group added_traffic is $0.1/minute.
l Rating group added_free does not charge users.
----End
Follow-up Procedure
After the data configuration engineer of the carrier completes the further packaging of services,
subscribers can log in to the portal of the carrier and order required services.
7.2.9 Typical Configuration Example 7 (Online Charging by Traffic,

Providing the FUP Function)
This provides an example of configuring online charging by traffic and the FUP function during
the charging process. The carrier implements the same charging mode towards users subscribing
to the same service and uses the same change rate towards all traffic. When user traffic reaches
the threshold within a cycle, the bandwidth is controlled. In this way, other users subscribing to
the same service can enjoy network resources fairly.

Prerequisites
managed is 460100000000022.
NOTE
Carriers require the online charging and the FUP function during the charging process. Figure
7-83 shows the networking.
RADIUS PCRF
OCS
Server (UPCC)
Gx Gy
t
ke
c
Pa
S
IU
AD
R
Gi
IP/MPLS
Video Streaming
PCEF
DPI System
For details on the FUP function, see 6.1 About the FUP Service.

l The charge rate is $0.2/MB.
The FUP function is applied to the charging process to limit user bandwidths:
l When quota consumption is less than 4 GB, upstream and downstream bandwidths are
limited to 1024 kbit/s and 2048 kbit/s respectively.

l When quota consumption is between 4 GB and 8 GB, upstream and downstream

l When quota consumption is between 8 GB and 10 GB, upstream and downstream
l When quota consumption exceeds 10 GB, upstream and downstream bandwidths are
limited to 128 kbit/s and 128 kbit/s respectively.

User Group Service Session Quota
Value= 10GB; Limit: level1=40, level2=80; Slice= 5%
group service quota_fup

Condition group
rule_qos1 Object Attribute= QuotaStatus; Right Value= Normal
condition-normal

normal Flow classification: Total; Upstream: 1024kbit/s; Downstream: 2048kbit/s
Condition group
rule_qos2 Object Attribute= QuotaStatus; Right Value= Level1
condition-level1

Condition group
rule_qos3 Object Attribute= QuotaStatus; Right Value= Level2
condition-level2

Condition group
rule_qos4 Object Attribute= QuotaStatus; Right Value= Exhaust
condition-exhaust

exhuast Flow classification: Total; Upstream: 128kbit/s; Downstream: 128kbit/s
Condition group
rule_fup1 Object Attribute= QuotaStatus; Right Value= Normal
condition-normal

Condition group
rule_fup2 Object Attribute= QuotaStatus; Right Value= Level1
condition-level1

Rule
Condition group
rule_fup3 Object Attribute= QuotaStatus; Right Value= Level2
condition-level2

Condition group
rule_fup4 Object Attribute= QuotaStatus; Right Value= Exhaust
condition-exhaust

Condition group
rule_ocs1 Object Attribute= QuotaStatus; Right Value= Normal
condition-normal
Predefined Policy Charging policy package

charge Flow classification: Total; Rating Group: total
Condition group
rule_ocs2 Object Attribute= QuotaStatus; Right Value= Level1
condition-level1

Condition group
rule_ocs3 Object Attribute= QuotaStatus; Right Value= Level2
condition-level2

Condition group
rule_ocs4 Object Attribute= QuotaStatus; Right Value= Exhaust
condition-exhaust

policy_usage UsageStatusChange
Suppose that the user subscribes to service, and the service has session quota quota_fup.
online user is less than 40% of the total quota, and rule rule_qos1 is employed, the upstream

and downstream bandwidths of the total traffic are limited to 1024 kbit/s and 2048 kbit/s
respectively.
rule_ocs1 Accumulated traffic quota Binds the charging policy package.

usage within a month < 4
GB
rule_ocs2 4 GB≤ Accumulated

quota usage within a
month < 8 GB

month < 10 GB

month
rule_fup1 Accumulated traffic quota Defines the mapping between rating group
usage within a month < 4 total and total traffic.
GB
rule_fup2 4 GB≤ Accumulated

month < 8 GB

month < 10 GB

month
rule_qos1 Accumulated traffic quota The maximum uplink bandwidth is 1024 kbit/
usage within a month < 4 s, and the maximum downlink bandwidth is
GB 2048 kbit/s.
rule_qos2 4 GB≤ Accumulated The maximum uplink bandwidth is 512 kbit/

month < 8 GB 1024 kbit/s.

month < 10 GB 512 kbit/s.

month 128 kbit/s.

Data Planning

l Table 7-8 shows the data planning of policy policy_usage
l Table 7-10 shows the data planning of user group group.
Quota Class: Volume
Type: Session Level
Value(KB): 10000000
CAUTION
Front End.
Slice(%): 5
Description: -
Level2: 80
Exhaust: 100
Name policy_ipcan

Description -
Rule rule_ocs1
rule_ocs2
rule_ocs3
rule_ocs4
rule_fup1
rule_fup2
rule_fup3
rule_fup4
rule_qos1
rule_qos2
rule_qos3
rule_qos4
Table 7-8 Data planning of policy policy_usage

Name policy_usage
Description -
Rule rule_ocs1
rule_ocs2
rule_ocs3
rule_ocs4
rule_fup1
rule_fup2

rule_fup3
rule_fup4
rule_qos1
rule_qos2
rule_qos3
rule_qos4

APN: -
VPN: -
SP: default1
Account: -
Activated By: PCEF
Precedence: 0
QoS Mode: Replace
Description: -
Policy policy_ipcan
policy_usage
Quota quota_fup
NOTE
of the UPCC.

Table 7-10 Data planning of user group group

User Group Attribute Example
Basic Information Name: group
Type: Dynamic
Precedence: 10
Charging Server: ocs
PCEF Host Name: sas3_0_0
PCEF Domain Name: realm1
Service service
Procedure

2. Click Add.
3. Set Number to 1, and Name to total.
4. Click OK.
Step 5 Add the traffic control policy package for the total traffic.
2. Click Add.


NOTE

2. Set Service Configuration Code to 14:200001, set Name to fup_con. Then click Save.

Figure 7-87 Adding FUP service configuration policy package fup_con
NOTE


2. Click Add.

NOTE

NOTE
for the first time.


NOTE
4. Click Login.
Step 9 Add a quota.


2. Add quota quota_fup.Figure 7-92 shows the configuration page.

2. Click Add.
configuration page.
NOTE



groups.
Step 11 Add rules.


2. Add rule rule_qos1 and bind it to the FUP traffic control policy package (1:200019). Figure
Figure 7-99 Adding rule rule_qos1
The configurations of rules rule_qos2, rule_qos3, and rule_qos4 are identical with
configuration of rule rule_qos1. These rules are bound to policy packages 1:200020,
3. Add rule rule_fup1 and bind it to the FUP service configuration policy package fup_con
(14:200001). Figure 7-100 shows the configuration page.

Figure 7-100 Adding rule rule_fup1
The configurations of rules rule_fup2, rule_fup3, and rule_fup4 are identical with
configuration of rule rule_fup1. Rules rule_fup2, rule_fup3, and rule_fup4 are bound to
condition-level1, condition-level2, and condition-exhaust respectively, and each rule is
bound to policy package 14:200001.
4. Add rule rule_fup1 and bind it to the charging policy package charge (8:200005). Figure

Figure 7-101 Adding rule rule_ocs1
The configurations of rules rule_ocs2, rule_ocs3, and rule_ocs4 are identical with the
configuration of rule rule_ocs1. Rules rule_ocs2, rule_ocs3, and rule_ocs4 are bound to
condition-level1, condition-level2, and condition-exhaust respectively, and each rule is
bound to policy package 8:200005.

3. Add policy policy_usage. Figure 7-103 shows the configuration page.

Figure 7-103 Adding policy policy_usage

2. Add service service that contains policies policy_ipcan and policy_usage. Figure 7-104
shows the configuration page.


Server.


Group.

The amount of a user account is $100 and the charge rate is $0.2/MB.
----End
7.2.10 Typical Configuration Example 8 (Charging Redirection,

Obtaining User's Quota Credit Status from the RADIUS Server)
This provides an example for configuring the charging redirection function of the SIG when the
SIG obtains a user's quota credit status from the RADIUS server.
Prerequisites
l The RADIUS server interworks with the SIG successfully.
The carrier adopts its own OCS for charging and the SIG is only required for providing the
charging redirection function. Figure 7-107 shows the networking.

Back End
RADIUS Packet
RADIUS (Status of Users)
Server
Gi
IP/MPLS
Video Streaming
PCEF
SGSN GGSN
DPI System
The RADIUS server copies Radius packets (containing user information) to the RADIUS proxy
on the Back End of the SIG, identifying that the quota credit of the user is insufficient or
exhausted. When HTTP traffic is generated, the user is redirected to the alarm page.
The detailed procedure is as follows:

l After receiving charging packets, the RADIUS proxy resolves user attributes (such as IMIS,
IP address, and Login-LAT-Service) and sends them to the SAS.
l The SAS saves user information and detects the value of Login-LAT-Service, deciding
whether to deliver the redirection policy to the SPS.
Suppose that three values of Login-LAT-Service are available and corresponding policies are
performed:
l If the value of Login-LAT-Service is CAPHTTP, the SAS delivers the redirection policy.
HTTP traffic generated by a user's access to the charging Web site is allowed through; other
HTTP traffic is redirected to www.alarm1.com, and non-HTTP traffic is allowed through.
l If the value of Login-LAT-Service is CAP, the SAS delivers the redirection policy. HTTP
traffic generated by a user's access to the charging Web site is allowed through; other HTTP
traffic is redirected to www.alarm2.com, and non-HTTP traffic is blocked.
l If the value of Login-LAT-Service is ACT, the SAS does not deliver the redirection policy.
NOTE
DNS service traffic is always allowed through.
Procedure
Step 2 Add alarm URLs.
1. In the navigation tree, choose Basic Configuration > User Message Configuration >
Alarm URL Management.
2. Click Add and enter www.alarm1.com (in the case of credit insufficiency) in Alarm
URL.
3. Click OK.
4. Click Add and enter www.alarm2.com (in the case of credit exhaustion) in Alarm
URL.
5. Click OK.
Step 3 Configure charging redirection.
Charging > Charging Redirection Configuration.
2. Add CAPHTTP.
a. Click Add.
b. Set CAPHTTP parameters in the dialog box that is displayed. Figure 7-108 shows
parameter settings.

Figure 7-108 Adding CAPHTTP
c. Click OK.
3. Add CAP.
a. Click Add.
b. Set CAP parameters in the dialog box that is displayed. Figure 7-109 shows parameter
settings.
Figure 7-109 Adding CAP

c. Click OK.
4. Add ACT.
a. Click Add.
b. Set ACT parameters in the dialog box that is displayed. Figure 7-110 shows parameter
settings.
Figure 7-110 Adding ACT
c. Click OK.
Step 4 (Optional) Add the charging redirection whitelist. When the user's credit is insufficient or
exhausted, the user can still access URLs in the whitelist normally and no alarm is generated.
Alarm and Charging Whitelist Management.
2. Click Add, and enter an alarm URL in Alarm and Charging Whitelist.
NOTE
The format of the URLs in the alarm and charging whitelist is http://www.example.com. Https URLs
cannot be added to the whitelist.
3. Click OK.
4. Refer to previous steps. You can add multiple URLs to the charging redirection URL
whitelist.
----End
7.2.11 Typical Configuration Example 9 (Online Charging by

Traffic, Online-to-Offline Charging in Case of Faults)
This provides an example for configuring online charging by traffic, and online-to-offline
charging in case of faults. Carriers adopt the same charging mode for the users subscribing to
the same service, P2P and Video traffic uses the same charge rate, and Web_Browsing traffic

and the traffic of other types use the charge rates different from that used by P2P and Video
traffic.
Prerequisites
l The connections of the SIG to the UPCC, OCS, and CG/CFS are commissioned. For details,
see Connecting the Front End to the PCRF, Connecting the PCRF to the Front End,
Commissioning the Connection to the PCRF, Connecting to the OCS, and Connecting
to the CG/CFS in HUAWEI SIG9800 Service Inspection Gateway Commissioning
Guide respectively.
managed is 460100000000022.
l The current user has the permission to operate the UPCC, OCS and BS.
NOTE
To learn more about the UPCC, OCS, and BS, refer to related technical documents provided by respective
vendors.
The carrier needs to enable online charging, and converting online charging to offline charging
in case of faults. Figure 7-111 shows the networking.
Figure 7-111 Networking diagram of online/offline charging
BS
UPCC Web UI IP:128.18.88.226
RADIUS PCRF
Back End OCS
Server (UPCC)
Gx Gy
et
ck
Pa
S
IU
AD
R
Gi
IP/MPLS
Video Streaming
PCEF
DPI System
NOTE
Here takes the back-end CFS of the SIG serving as the CG as an example.



group service ocs





NOTE
The configuration of online-to-offline charging in case of faults is consistent with that of online charging.
Their difference lies in:
l Both the CFS (CG) and BS should be added during the deployment, and the CFS (CG) should be
specified on the Front End during the configuration.
l When faults occur during the configuration of the OCS on the Front End, the processing mode for
traffic is Permit and in offline charging mode.
Data Planning
Traffic).
Procedure

1. Set the quota control mode for online charging to distributed.
[Sysname-dpi-charge-view]
2. When the OCS is faulty, the SIG allows service traffic through and the charging mode
changes to the offline charging.
[Sysname-dpi-charge-view] online-charging ccfh continue


2. Click Add.
6. Click Add.
Web_Browsing.
2. Click Add.
4. Click OK.
2. Click Add.

6. Click OK.
8. Click OK.

NOTE

NOTE
for the first time.


NOTE
4. Click Login.
Step 8 Add a rule.






Server.


Group.


Step 15 Log in to the BS.
Step 16 Configure charge rates.
Charge rates for rating groups p2p_video, web_browsing, and other are $0.1/MB, $0.05/MB,
and $0.2/MB respectively.
----End
7.2.12 Typical Configuration Example 10 (Offline Charging)

This provides an example for configuring offline charging by traffic. Carriers adopt the same
Prerequisites
l The connections of the SIG to the UPCC and CG/CFS are commissioned. For details, see
Commissioning the Connection to the PCRF, and Connecting to the CG/CFS in
managed is 460100000000022.
l The current user has the permission to operate the UPCC and BS.
NOTE
To learn more about the UPCC and BS, refer to related technical documents provided by respective vendors.

Figure 7-124 Networking diagram of offline charging
BS
UPCC Web UI IP:128.18.88.226

RADIUS PCRF
Back End
Server (UPCC)
Gx
et
ck
Pa
S
IU
AD
R
Gi
IP/MPLS
Video Streaming
PCEF
DPI System
NOTE


User group Service Policy Online trigger
group service policy IPCANSessionEstablish




Data Planning
Traffic).

Procedure
2. Click Add.
6. Click Add.
Web_Browsing.
2. Click Add.
4. Click OK.
2. Click Add.

6. Click OK.
8. Click OK.


NOTE

NOTE
for the first time.



NOTE
4. Click Login.
Step 6 Add a rule.





Server.


Group.
2. Add a user group, and bind it to a service. Figure 7-136 shows the configuration interface.


----End
7.2.13 Typical Configuration Example 11 (Online/Offline

Charging)
This provides an example for configuring online/offline charging by traffic. Carriers adopt the
same charging mode for the users subscribing to the same service, P2P and Video traffic uses
the same charge rate, and Web_Browsing traffic and the traffic of other types use the charge
rates different from that used by P2P and Video traffic.
Prerequisites
l The connections of the SIG to the UPCC, OCS, and CG/CFS are commissioned. For details,
see Connecting the Front End to the PCRF, Connecting the PCRF to the Front End,
Commissioning the Connection to the PCRF, Connecting to the OCS, and Connecting
to the CG/CFS in HUAWEI SIG9800 Service Inspection Gateway Commissioning
Guide respectively.
managed is 460100000000022.
l The current user has the permission to operate the UPCC, OCS and BS.
NOTE
To learn more about the UPCC, OCS, and BS, refer to related technical documents provided by respective
vendors.
The carrier needs to enable online/offline charging. Figure 7-137 shows the networking.

Figure 7-137 Networking diagram of online/offline charging
BS
UPCC Web UI IP:128.18.88.226
RADIUS PCRF
Back End OCS
Server (UPCC)
Gx Gy
t
ke
c
Pa
S
IU
AD
R
Gi
IP/MPLS
Video Streaming
PCEF
DPI System
NOTE

l The quota requested each time is 256 KB.

group service ocs






Online/Offline charging is enabled for users. Online charging is in charge of credit control;
offline charging is in charge of CDR exporting.
Data Planning
Traffic).
Procedure

1. Set the quota control mode for online charging to distributed.
[Sysname-dpi-charge-view]
2. When the OCS is faulty, the SIG allows service traffic through and the charging mode
changes to the offline charging.
[Sysname-dpi-charge-view] online-charging ccfh continue

2. Click Add.
6. Click Add.
Web_Browsing.

2. Click Add.
4. Click OK.


2. Click Add.
6. Click OK.
8. Click OK.



NOTE

NOTE
for the first time.



NOTE
4. Click Login.
Step 8 Add a rule.





Server.


Group.


----End

Configuration Guide 8 URL Filtering Service
8 URL Filtering Service
About This Chapter
Through Uniform Resource Locator (URL) filtering, you can apply different control policies
(such as alarm and block) to URL categories for filtering, providing healthy and secure network
environments for users.
8.1 About the URL Filtering Service

This describes basic concepts of the URL filtering service.
8.2 Configuring the URL Filtering Service
To configure and apply URL filtering, you should perform this task.
8.3 Querying URL Reports
To query URL reports of subscribers for providing subscribers with comprehensive and accurate
URL access behavior analysis, you should perform this task.

8.1 About the URL Filtering Service

This describes basic concepts of the URL filtering service.
These concepts are:
l URL filtering
With the rapid development of the Internet, diversified Web sites are blooming, and harms
of Web sites are becoming more and more conspicuous. As a result, carriers have to pay
attention to how to control URLs effectively.
URL filtering indicates that the SIG implements control (such as block, alarm, or pass) over
URL categories. For example, you can configure the device to block gambling Web sites,
and redirect illegitimate Web sites to alarm pages, thus prompting users that there are
potential security risks. URL categories can be predefined (by the SIG) or user-defined.
URL filtering is applicable to both fixed and wireless networks, as shown in Figure 8-1.
Figure 8-1 Application of URL filtering

Longevity/Fitness Pornography
Physical connection Education Illegal
Data flow to illegal Web sites (fixed network) Travelling Violence
Shopping Gambling
Data flow to illegal Web sites (wireless) Entertainment
Data flow to legal Web sites Sports
News
Radio
Front
Access SGSN/GGSN End
Back
End
DSLAM BRAS
DPI system
l URL Category Service Platform (UCSP)

The UCSP, the back-end component for realizing URL filtering, provides the update service
of the predefined URL Category Database (UCDB) for the URL category server.
l URL Category Database (UCDB)
The UCDB, the back-end component for realizing URL filtering, is the data storage module,
periodically downloading update data from the UCSP and synchronizing the data with all
UCCSs.
l URL Category Searching Server (UCSS)

The UCSS provides URL category search services for the SPS on the Front End of the DPI
system. Meanwhile, the UCSS reports the URLs whose categories are not found to the
UCSP.
l URL Management
– URL Category Management
With the power of URL filtering, the SIG controls the Web sites that are accessed by
users based on URL categories. URL categories include predefined and user-defined
URL categories. One URL belongs to only one category. Policies for user-defined
categories enjoy higher priorities than those for predefined categories.
– URL Address Management
The predefined categories comprise certain URLs. To move a URL to another category,
you can define this URL into another category on the URL Address Management page
to overwrite the existing setting.
If a URL is not predefined, you can add the URL on the URL Address Management
page and select its category. You can add URLs such as the domain names, IPv4
addresses, and IPv6 addresses.
– URL Encoding Management
By default, the system provides some commonly used encoding types for URL
keywords, so that the administrator can view them and configure them as the default.
The encoding types configured as the default are displayed during the adding of the
URL keyword blacklist.
l URL Filtering Service
– URL Policy Package Management
According to the URL categories (such as news or gambling) to which the accessed
Web sites belong, the system detects and controls (control modes include block, alarm
page push, or not control) users' Web access behaviors.
For example, you can configure the policy package for URL filtering to block gambling-
related Web sites and redirect access to illegitimate Web sites to the alarm page. In so
doing, users are notified of security risks.
– URL Whitelist Group
To exempt some special users from URL filtering policies, you can add these users to
the URL whitelist user group.
The system provides subscriber group URL Whitelist Group and VIC group URL
Whitelist Group by default. You can add whitelist users to be permitted to the groups.
By default, a policy package (policy package code: 3:000001) whose control mode is
Pass is assigned to URL Whitelist Group.
– URL Blacklist Category and Policy Management
The administrator can define categories for the URL blacklist and configure the policies
for these categories as block or alarm.
For example, if you add a category named violence to the URL blacklist, configure the
category policy as alarm, and select the URL of the alarm page, the system alarms on
the Web sites matching this blacklist category, as shown in Figure 8-2.

Figure 8-2 Adding category violence to the URL blacklist
– URL Address Blacklist and Whitelist Management

Before you add a URL to the URL address blacklist, select a blacklist category for this
URL. If the URL belongs to a blacklist category, the system blocks this URL or pushes
an alarm by the policy configured for this category.
For example, after you add www.example.com to the violence category of the URL
address blacklist, and the corresponding policy is alarm, an alarm is generated upon
users' access to www.example.com, as shown in Figure 8-3.
Figure 8-3 Adding a URL to the URL blacklist
NOTE
The processing mode for the URL address whitelist is similar to that for the blacklist except that
the system does not support whitelist categories.
It is conflicting to add a URL address to both the URL address blacklist/whitelist and a self-
defined URL category, that is, a URL address in the blacklist/whitelist cannot be added to a URL
self-defined category, or a URL address in a URL self-defined category cannot be added to the
URL address blacklist/whitelist.
– URL Keyword Blacklist Management
The system can block the URL or push an alarm by keyword. When adding a URL
keyword, you need to select the URL blacklist category, add words, and select the
encoding code.
One keyword can comprise multiple words. A URL is regarded as matching a keyword
only after it matches all words included in the keyword. Then the URL is blocked or

alarmed according to the blacklist category where this keyword belongs. For example,
keyword 1 is added, comprising words A, B, and C, and the action for its category is
block; keyword 2 is added, comprising words A, B, C, and D, and the action for its
category is alarm. If a URL is www.example.com?var=A&var=B&var=C, it is regarded
that this URL matches keyword 1 and is blocked.
As shown in Figure 8-4, the keyword belongs to the violence category in the URL
blacklist and the policy is alarm. If you set Keyword to violence&force, Character
Encoding to Default Encoding(Default encoding) and Unicode(UTF-8), URLs with
code containing character string 76696F6C656E636526666F726365, violence%
26force, or violence&force are alarmed.
Figure 8-4 Adding the keyword blacklist
– Priority for URL Policies to Take Effect

The following shows the priorities for URL policies to take effect in descending order:
URL whitelist user group > URL address blacklist and whitelist > URL keyword
blacklist > user-defined URL category > predefined URL category.
URLs in the user-defined categories include precise definition and blurry definition
URLs. The priority of the precise definition URLs is higher than that of blurry definition

URLs. When configuring a blurry definition URL, you can specify the priority. The
lower the value, the higher the priority.
l SSL Access Management
The system controls (bandwidth control or priority marking) SSL traffic and does not
control specified HTTPS Web sites.
For example, in the scenario where SSL traffic is configured with the QoS policy and the
bandwidth limit of the SSL traffic is set to 0, to permit the access to some HTTPS Web
sites, add these Web sites to the domain name whitelist.
You can add either the domain name or the IP address of a Web site to a domain name
blacklist and whitelist. If you add a domain name of a Web site, you can obtain the mapping
between the domain name and IP address of the Web site in either of the following methods:
– The Front End resolves the DNS response packets.
This method is applicable to the scenario where the SPS can probe user's DNS response
packets. Either of the following conditions triggers the SPS to resolve the DNS response
packets of the domain name blacklist and whitelist:
– The version of the SSL domain name blacklist and whitelist changes. (Adding or
deleting blacklist/whitelist entries leads to the version change.)
– The version of the SSL domain name blacklist and whitelist does not change, but
the interval since the latest resolution exceeds the defined threshold (configure on
the Front End).
– The Update Server accesses the DNS Server.
This method is applicable to the scenario where the update server can access the DNS
server (configure on the Back End). Either of the following conditions triggers the
update server to access the DNS Server:
– The version of the SSL domain name blacklist and whitelist changes.
– The version of the SSL domain name blacklist and whitelist does not change, but
the interval since the latest access exceeds the defined threshold.
8.2 Configuring the URL Filtering Service

To configure and apply URL filtering, you should perform this task.
8.2.1 Overview
This describes the functions realized through the configuration of URL filtering.
By configuring URL filtering, you can provide subscribers, VICs, and links with the following
functions:
l Controlling the spread of vulgar information contained by unhealthy Web sites related to
pornography, violence, crime, and gambling.
l Shielding phishing Web sites, and thus protecting user privacy.
l Shielding malicious Web sites, and thus reducing Trojan attacks.
You can select to filter either only page packets or all packets in HTTP request packets.
l Page packet: indicates the HTTP request packets whose request objects are Web page files
such as .html and .htm.

l Non-page packet: indicates the HTTP request packets whose request objects are non-Web
page files such as images and music.
Concepts relating to the URL service are as follows:
l URL whitelist group
By default, the system has the URL whitelist group to add users to be allowed through the
whitelist. The system has already configured the control mode towards URL Whitelist
Group to Pass by default.
l URL policy
URL policies consist of user policies and link policies. Policies are defined on the back-
end UI. Policies those applied to subscribers and VICs are user policies and those applied
to links are link policies.
in the system.

You can easily configure URL filtering through the following procedure.

Figure 8-5 Procedure for configuring URL filtering
Start
Configure basic information Front End
No
Is a new user-defined URL category required?
Yes
Add a URL category
No
Is a new user-defined URL required?
Yes
Add a URL
Back End
No
Is an alarm policy required?
Yes
Add an alarm URL
Configure the URL filtering policy
Apply the URL filtering policy
End

Table 8-1 Procedure description of configuring URL filtering

Action Description
Configure basic Configure the packet type for URL filtering: By default, the SPS
information filters only the page packets. You can configure to filter all HTTP
request packets.
Configure the policy for the first packet of HTTP request packets:
When the SPS does not have URL category cache, the SPS
caches HTTP request packets by default. You can configure the
policy for HTTP request packets as permit or deny.
Configure the preferential matching sequence of URL policies:
By default, the priority of the URL link policy is higher than that
of the user policy. That is, when matching the link policy, a
packet is not to match the user policy. On the contrary, the packet
continues to match the user policy. You can configure the priority
of the user policy to be higher than that of the link policy.
Add the user-defined URL categories can be predefined (by the SIG) or user-defined.
URL category If the URL to be controlled is a predefined one, you do not need
to add any URL category. If the URL to be controlled is a user-
defined one, you need to add a user-defined URL category.
Operation location: Back-end UI of the SIG. In the navigation
tree, choose Access Control > URL Filter > URL
Management.
Add the user-defined When the current URL category does not contain the URL to be
URL controlled, you should add the URL to the specified category.
The URL definition can be precise and blurry. You can add a
single URL or import URLs in batches.
Operation location: Back-end UI of the SIG. In the navigation
tree, choose Access Control > URL Filter > URL
Management.

Action Description
Add the URL alarm You can set alarm policies for URL categories. Before
address configuring the alarm policy, you need to set the alarm address
first. When the URL accessed by the user is of the category, users'
access is redirected to the alarm address, prompting users that
there are security risks.
For detailed, refer to the 22.4 Managing the Alarm Address or
22.5 Managing the Dynamic Alarm.
l In the navigation tree, choose Basic Configuration > User
Message Configuration > Alarm URL Management.
Message Configuration > Global Dynamic Alarm
Management.
Message Configuration > Subscriber Area Dynamic
Alarm Management.
Message Configuration > VIC Area Dynamic Alarm
Management.
Configure the URL You can define the control policy for the URL category to be
filtering policy controlled.
Operation location:Back-end UI of the SIG. In the navigation
tree, choose Access Control > URL Filter > URL Policy
Package Management.
Apply the URL filtering You can apply the configured control policy to the specified URL
policy category. URL filtering can be applied to subscribers, VICs, and
links.
l In the navigation tree, choose Subscriber and Network
Management > Very Important Customer > Policy
Application.
Management > Network > Physical Link Management >
Link Policy Application.
8.2.3 Typical Configuration Example 1 (Links)

This provides an example for configuring URL filtering for links.
Prerequisites

l The current user has the Access Control service permission.
The SIG is deployed at the egress of the MAN in in-line mode, as shown in Figure 8-6.
Requirements are as follows to filter URLs over link 10G-1-1-linka.
l When URL www.20010.com in category Games is accessed, the alarm should be reported.
In the navigation tree, choose Access Control > URL Filter > URL Category
Management. If you cannot find Games in the URL categories on this page, you should
create a user-define URL category named Games.
In the navigation tree, choose Access Control > URL Filter > URL Management. If you
cannot find URL www.20010.com by URL, you should add a user-defined URL to
Games.
l Access to gambling URLs should be blocked directly.
Management. If you can find the corresponding URL category, this category is predefined.
Figure 8-6 Networking diagram of configuring URL filtering
Router
Front End Back End
DPI system
BRAS
Users
Procedure

1. Configure the packet type for URL filtering as all HTTP request packets, not only the page
packets.

<Sysname> system-view
[Sysname] dpi-node
[Sysname-dpi-node] url-filter all enable
2. Configure the policy for the first packet of HTTP request packets as cache. That is, when
the SPS does not have the category cache, the SPS caches the HTTP request packets.
[Sysname-dpi-node] url-filter no-cache action hold
3. Give priority to the link policy of URL policies.

[Sysname-dpi-node] url-filter policy inspect-object link priority
Step 4 Add a user-defined URL category named Games.

1. In the navigation tree, choose Access Control > URL Filter > URL Category
Management.
2. Click Add.
3. In the pop-up dialog box, enter Category Name and Description, as shown in Figure
8-7. Click Save. The user-defined URL category is added successfully.
Figure 8-7 Adding a user-defined URL category
4. Select Games, and click Add to add its subcategories, as shown in Figure 8-8.
Figure 8-8 Adding a subcategory
NOTE
URLs can be added to the subcategory of a URL category only. Thus, after creating a user-defined
URL category, you should add its subcategories.

Step 5 Add a URL.

1. In the navigation tree, choose Access Control > URL Filter > URL Management.
2. Click Add.
3. Set the parameters in the dialog box that is displayed, as shown in Figure 8-9. Click OK.
The URL is added successfully.
Figure 8-9 Adding a URL
NOTE
You can add a single URL, or import URLs in batches. If you import URLs in batches, you should
use a template for importing.
URL definition can be precise or blurry. To filter URLs containing a certain field, you can adopt the
blurry definition.
Step 6 Add an alarm address.

2. Click Add.
3. In the pop-up dialog box, enter the alarm address, as shown in Figure 8-10. Click OK. The
alarm address is added successfully.

Figure 8-10 Adding an alarm address

1. In the navigation tree, choose Access Control > URL Filter > URL Policy Package
Management.
2. Click Add.
3. In the pop-up dialog box, configure the policy package named url, and then click Save.
4. Select Control from Item Type, and click Add.
5. In the pop-up dialog box, configure the alarm policy item named url_a, as shown in Figure
8-11.
Figure 8-11 Adding an alarm policy item
7. Click Add. In the pop-up dialog box, configure the alarm policy item named url_b, as
Figure 8-12 Adding a block policy item

Step 8 Apply a policy package.

2. Click Add.
3. In the pop-up dialog box, select Policy Package Type, Policy Package Name, and Link
Name, as shown in Figure 8-13.
4. Click OK. The policy package is applied.
----End
8.2.4 Typical Configuration Example 2 (Subscribers)

This provides an example for configuring URL filtering for subscribers.
Prerequisites
l 4 Subscriber and Network Object Initialization is complete, and the subscriber to be

managed belongs to area haidian.

The SIG is deployed at the access layer of the MAN in in-line mode, as shown in Figure 8-14.
The user from haidian should meet the following requirements to access URLs:
l When URL www.20010.com in category Games is accessed, the alarm should be reported.
Management. If you cannot find Games in the URL categories on this page, you should
create a user-defined URL category named Games.
In the navigation tree, choose Access Control > URL Filter > URL Management. If you
cannot find URL www.20010.com by URL, you should add a user-defined URL to
Games.
l Access to crime URLs must be blocked directly.
Management. If you can find the corresponding URL category, this category is predefined.
Router
Front End Back End
DPI system
BRAS
Users
Procedure
packets.
[Sysname] dpi-node

3. Give priority to the user policy of URL policies.

[Sysname-dpi-node] url-filter policy inspect-object user priority
Step 4 Add a user-defined URL category named Games.

1. In the navigation tree, choose Access Control > URL Filter > URL Category
Management.
2. Click Add.
3. In the pop-up dialog box, enter Category Name and Description, as shown in Figure
8-15. Click Save. The user-defined URL category is added successfully.
Figure 8-15 Adding a user-defined URL category
4. Select Games, and click Add to add its subcategories, as shown in Figure 8-16.
Figure 8-16 Adding a subcategory
NOTE
URLs can be added to the subcategories of a URL category only. Thus, after creating a user-defined
URL category, you should add its subcategories.
Step 5 Add a URL.

1. In the navigation tree, choose Access Control > URL Filter > URL Management.
2. Click Add.

3. Set the parameters in the dialog box that is displayed, as shown in Figure 8-17. Click
OK. The URL is added successfully.
Figure 8-17 Adding a URL
NOTE
You can add a single URL, or import URLs in batches. If you import URLs in batches, you should
use a template for importing.
URL definition can be precise or blurry. To filter URLs containing a certain field, you can adopt the
blurry definition.
Step 6 Add an alarm URL.

2. Click Add.
3. In the pop-up dialog box, enter the alarm URL, as shown in Figure 8-18. Click OK. The
alarm URL is saved.


Management.
2. Click Add.
8-19.
7. Click Add. In the pop-up dialog box, configure the alarm policy item named url_b, as
Figure 8-20 Adding a block policy item
Policy Application.
2. Click Add.

----End

8.2.5 Typical Configuration Example 3 (VICs)

This provides an example for configuring URL filtering for VICs.
Prerequisites
l 4 Subscriber and Network Object Initialization is complete, and the VIC to be managed
belongs to area haidian.
The SIG is deployed at the access layer of the MAN in in-line mode, as shown in Figure 8-22.
If the VIC from haidian accesses crime URLs, the alarm is reported.
In the navigation tree, choose Access Control > URL Filter > URL Category Management.
If you can find the corresponding URL category, this category is predefined.
Router
Front End Back End
DPI system
BRAS
Users
Procedure

packets.

[Sysname] dpi-node
3. Give priority to the user policy of URL policies.


Step 4 Add an alarm address.
2. Click Add.
3. In the pop-up dialog box, enter the alarm address, as shown in Figure 8-23. Click OK. The
alarm address is added successfully.

Management.
2. Click Add.
8-24.

2. Click Add.
----End

8.3 Querying URL Reports

To query URL reports of subscribers for providing subscribers with comprehensive and accurate
URL access behavior analysis, you should perform this task.
8.3.1 Overview
This describes related concepts of the URL report, and lists all types of URL reports.
These concepts are:
l Global URL, category URL, and hot URL

– Global URL: indicates all URLs. That is, the analysis of objects of reports are all URLs.
– Category URL: indicates the URLs in a certain category or categories. That is, the
analysis objects of reports are the URLs in a certain selected category or categories.
– Hot URL: indicates the URLs that are manually added and require attention. For
example, to query the internal user's access to www.huawei.com , the administrator can
add this URL as a hot URL.
l Access counts, access traffic, access count trend, and access count proportion
– Access counts: indicates the times that the service object accesses each URL category.
– Access traffic: indicates the traffic generated during the service object's access to URLs.
– Access count trend: indicates the trend of the access counts of the specific analysis object
within a certain period. It is described through stacked curves, percentage curves, and
curves.
– Access count proportion: indicates the access count proportion of the specific analysis
object in various categories within a certain period. It is described through the pie chart
and the histogram.
To realize the comprehensive and accurate behavior analysis of URL access, the SIG provides
the following types of analysis reports for the monitored URL access traffic.
l Top N global URLs by access count

You can query the report on the top N global URLs by access count according to conditions
such as the time range.
l Top N category URLs by access count
You can query the report on the top N URLs (by access count) in a certain category or
categories according to conditions such as the time range.
l Top N customers by access count
You can query the report on the top N subscribers (by access count) accessing certain hot
URL or URLs according to conditions such as the time range.
l Hot URL access count trend
You can query the stacked curves or curves describing the access count trend of certain hot
URL or URLs according to conditions such as the time range.
l Category URL access count trend

You can query the stacked curves, percentage curves, or curves describing the access count
trend of URLs in a certain category or categories according to customer range and time
range.
l Category URL access count proportion
You can query the pie chart or histogram describing the access count proportion of URLs
in a certain category or categories according to customer range and time range.
l Top N category URL access counts
You can query the report on the top N URLs (by access count) in a category according to
customer range and time range.
l Top N global URLs by traffic
You can query the report on the top N global URLs by traffic according to conditions such
as the time range.
l Top N category URLs by traffic
You can query the report on the top N URLs (by traffic) in a certain category or categories
according to conditions such as the time range.

This describes how to query URL reports.
Prerequisites

Procedure
Step 1 (Optional) To view the reports on Top N Global URLs by Access Count, Top N Category URLs
by Access Count, Top N Global URLs by Traffic, and Top N Category URLs by Traffic,
configure the cluster information first.
1. In the navigation tree, choose System Management > System Configuration >
Component Configuration.
2. Click Configure in the OMC Configuration group box.
3. Configure the OMC and cluster information in the dialog box that is displayed.
4. After the configuration is complete, click Close.
Step 2 (Optional) To query hot URL-related reports (such as the top N customers by access count report
and the hot URL access counts trend report), enable the hot URL configuration.
NOTE
If the query is unnecessary, go to Step 3.

1. In the navigation tree, choose Statistics and Analysis Report > URL > Hot URL
Configuration.
2. Click Add.
3. In the displayed dialog box, enter the URL, and then click OK.
4. (Optional) Repeat Step 2.2 to Step 2.3 to add more hot URLs as required.

NOTE
The system supports up to 10 hot URLs. Hot URLs do not support the IPv6 address format.
Step 3 In the navigation tree, choose Statistics and Analysis Report > URL.
TIP
for the next query.
Task Reports.

NOTE
----End

This describes reports on URL filtering and provides examples of the reports.
Report Navigation
NOTE
l Statistics and Analysis Report > URL > Top N Global URLs by Access Count
l Statistics and Analysis Report > URL > Top N Category URLs by Access Count
l Statistics and Analysis Report > URL > Top N Customers by Access Count
l Statistics and Analysis Report > URL > Hot URL Access Counts Trend
l Statistics and Analysis Report > URL > Category URL Access Count Trend
l Statistics and Analysis Report > URL > Category URL Access Count Proportion
l Statistics and Analysis Report > URL > Top N Category URL Access Counts
l Statistics and Analysis Report > URL > Top N Global URLs by Traffic
l Statistics and Analysis Report > URL > Top N Category URLs by Traffic
Statistics and Analysis Report > URL > Top N Global URLs by Access Count
Through this report, you can view top N global URLs of a specified cluster (by access count in
descending order) in a specified period. Generally, a POP is deployed with a cluster of the
SIG. By querying URL access information of the specified cluster, you can view URL access
information of the POP to which the cluster belongs.

Figure 8-26 shows the report screenshot of top 10 global URLs of the specified cluster (by
access count in descending order) in a specified hour. The report screenshot uses host names as
the statistical method.
Figure 8-26 Example of the report on top 10 global URLs by access count
Statistics and Analysis Report > URL > Top N Category URLs by Access Count
Through this report, you can view top N URLs (by access count in descending order) of a
specified cluster in a certain category or among several categories in a specified period.
Generally, a POP is deployed with a cluster of the SIG. By querying URL access information
of the specified cluster, you can view URL access information of the POP to which the cluster
belongs.
Figure 8-27 shows the report screenshot of top 10 URLs in specified category (by access count
in descending order) of a specified cluster in a specified period.

Figure 8-27 Example of the report on top 10 P2P URLs by access count

Statistics and Analysis Report > URL > Top N Customers by Access Count
Through this report, you can view the top N customers (by access count in descending order)
accessing certain hot URL or URLs in a specified period.
Figure 8-28 shows the report screenshot of the top 5 customers (by access count in descending
order) accessing hot URL in a specified period.

Figure 8-28 Example of the report on top 5 customers by access count
Statistics and Analysis Report > URL > Hot URL Access Counts Trend
Through this report, you can view the access count trend of certain hot URL or URLs in a
specified period.
Figure 8-29 shows the report screenshot of the access count trend of specified hot URLs in a
specified period.

Figure 8-29 Example of the report on hot URL access count trend
Statistics and Analysis Report > URL > Category URL Access Count Trend
Through this report, you can view the access count trend of URLs in a certain category or
categories in a specified period.
Figure 8-30 shows the report screenshot of the access count trend of specified URL categories
in a specified period.

Figure 8-30 Example of the report on category URL access count trend
Statistics and Analysis Report > URL > Category URL Access Count Proportion
Through this report, you can view the access count proportion of URLs in a certain category or

Figure 8-31 shows the report screenshot of the access count proportion of specified URL
Figure 8-31 Example of the report on category URL access count proportion

Statistics and Analysis Report > URL > Top N Category URL Access Counts
Through this report, you can view the top N URL categories (by specified subscriber's access
counts in descending order) in a specified period.
Figure 8-32 shows the report screenshot of the top 10 URL categories (by access count in
descending order of the subscriber in an area) in a specified period.
Figure 8-32 Example of the report on top 10 category URL access counts
Statistics and Analysis Report > URL > Top N Global URLs by Traffic
Through this report, you can view top N Global URLs (by traffic in descending order) of a
specified cluster in a specified period. Generally, a POP is deployed with a cluster of the SIG.

By querying URL access information of the specified cluster, you can view URL access
information of the POP to which the cluster belongs.
Figure 8-33 shows the report screenshot of top 10 global URLs of the specified cluster (by traffic
in descending order) in a specified hour. The report screenshot uses domain names as the
statistical method.
Figure 8-33 Example of the report on top 10 global URLs by traffic
Statistics and Analysis Report > URL > Top N Category URLs by Traffic
Through this report, you can view top N URLs in a certain category or categories (by traffic in
descending order) of a specified cluster in a specified period. Generally, a POP is deployed with
a cluster of the SIG. By querying URL access information of the specified cluster, you can view
URL access information of the POP to which the cluster belongs.
Figure 8-34 shows the report screenshot of top 10 URLs in specified category (by traffic in
descending order) of a specified cluster in an appointed period.

Figure 8-34 Example of the report on top 10 P2P URLs by traffic


Configuration Guide 9 GreenNet Service
9 GreenNet Service
About This Chapter
The GreenNet service of the SIG enables network users with healthy, secure, and civilized
network environments, and access content.
9.1 About the GreenNet Service

This describes the basic concepts of the GreenNet service.
9.2 Configuring the GreenNet Service
To configure and apply the GreenNet service, you should refer to this part.
9.3 Querying GreenNet Reports
To query the URL and application blocking log reports of the GreenNet service for learning the
running status of the service, you should refer to this part.

9.1 About the GreenNet Service

This describes the basic concepts of the GreenNet service.
Basic concepts include:
l GreenNet service
With the popularity of broadband networks, Web sites containing harmful content such as
pornography, violence, drug dealing, and online games increase. As a result, the social
problems caused by online activities of youths, such as online chatting and dating, are
mounting.
Based on URL filtering and application program control, GreenNet helps the parent manage
children's online behaviors.
The GreenNet service of the SIG provides the following functions:
– Filtering out harmful content, including pornography, violence, drug dealing, and adult
Web sites.
– Shielding users from harmful network tools, including online games, chatting, and
friend-making tools.
– Configuring the online duration and online time segments for users as required (such
as weekends and holidays).
Figure 9-1 shows the GreenNet service.
Figure 9-1 Controlling Web sites, network applications, and online duration available to
children
Pornographic
Weekday: 21:00-23:00
Illegal
Game/Chatting
Violent
News
Weekday: 19:00-21:00
Reading
Reading/Game/Chatting
Entertainment
Weekend: 14:00-17:00
News/Reading/Game/Chatting
Filtering of unhealthy Network applications

information on the network and duration control
Figure 9-2 shows the typical networking of GreenNet service.

Figure 9-2 Typical networking diagram of GreenNet service

Longevity/Fitness Pornography
Physical connection Education Illegal
Data flow to illegal Web sites (fixed network) Travelling Violence
Shopping Gambling
Data flow to illegal Web sites (wireless) Entertainment
Data flow to legal Web sites Sports
News
Radio
Front
Access SGSN/GGSN End
Back
End
Portal
DSLAM BRAS
DPI system
l Parental and children's account

– Parent and child use the same account.
The account is used by subscribers subscribing to the GreenNet service, not the PPPoE
account of the family gateway, that is, ADSL dial-up account. For example, if the PPPoE
account is 13812345678, and password is 123456, after the ADSL dial-up through the
Model, all family subscribers connected to the family gateway can access the Internet.
If the parent and child use the same GreenNet account, the parent has the high-
permission password to control the online behavior of the account. In this case, if the
parent controls the online behavior of the account, both parental and children's online
behaviors are controlled.
For example, if the parent controls gambling-and lottery-related Web sites, the system
displays a Web page during the access to the Web sites of this type. To query the
information about lotteries, the parent can enter the high-permission password,
disabling the control policy temporarily. In this case, the child can also access gambling-
related Web sites. After the parent exits these Web sites, both parent and child cannot
access them.
– Parent and child use different accounts.
The carrier allocates accounts and passwords respectively to the parent and child. In
this case, the parent and child use its own account and password to access the Internet
through dial-up. The parent can set the accessible Web sites, application types, and
online duration available to the children's account on the Portal.
l GreenNet role
– Data configuration engineer: configures the GreenNet package and adds GreenNet
subscribers.

– GreenNet subscriber: The parent can set the GreenNet package used by the child on the
Portal. Both IPv4 and IPv6 users can subscribe to the GreenNet service.
l Portal
The SIG needs to interwork with the Portal (or third-party policy server, such as the
RM9000) of the carrier, so that you can configure and apply the GreenNet service.
The Portal delivers the following functions:
– Data configuration engineers can customize the GreenNet service for family users on
the Portal Web site.
– Family users can subscribe to GreenNet services by themselves, and the carrier can
increase the service revenue accordingly. The parent subscribing to the GreenNet
service can modify the GreenNet package (provided by the carrier) on the Portal, control
Web sites available to the child, network applications, and online duration.
l URL category
The SIG supports URL classification, and control policy configurations for the URLs of a
certain category.
9.2 Configuring the GreenNet Service

To configure and apply the GreenNet service, you should refer to this part.
9.2.1 Overview
This describes the functions supported by the GreenNet service.
The SIG provides the GreenNet service for subscribers and VICs. Through the service, the
system supports:
l URL access control

Providing URL access control services for users to filter out illegitimate Web sites and thus
protect the youth.
The SIG supports URL classification, and control policy configurations for the URLs of a
certain category. The system provides a predefined URL category list, covering
pornography, gambling, shopping, news, and chatting. If predefined URL categories cannot
meet requirements, you can define URL categories. During the tracing to access behaviors,
the device can check whether the Web sites accessed by users are legitimate, and thus
effectively control the access to illegitimate Web sites.
The policies for the URLs of a certain category are as follows:
– Block
– Alarm
Redirecting to alarm pages (prompting users that there are security risks)
– Pass
l URL blacklist and whitelist management
The parent subscribing to the GreenNet service can define the URL blacklist and whitelist
on the Portal Web site. With the URL blacklist, children are prevented from accessing
certain special Web sites; with the URL whitelist, children can access certain special Web
sites.

The default priority (in descending order) of the URL control is URL blacklist, URL
whitelist, and URL database category.
l Online duration control
Supporting the control over the online duration of subscribers. Thus, the parent can control
children's daily online duration.
l Network application blocking
The SIG can identify the network applications of users, and hence block the network
applications of a certain category.
For example, the parent can directly shield chat software such as MSN and QQ. After the
successful application, the system automatically controls users over communications
through the chat software.
l Customized policy management
GreenNet subscribers can modify the GreenNet packages provided by carriers on the Portal
Web site.
URL control policies can be classified according to the following dimensions:
l Policy application methods

– URL whitelist (the whitelist IP addresses that terminal online users set through the portal
interface provided by the third party)
– URL category (predefined URL categories and the URL categories that operators define
through the GUI of the Back End)
By default, the URL whitelist has higher priority.
l Policy application objects
– User (policies are applied to users)
– Link (policies are applied to links)
By default, the link has higher priority.
Take the default condition as an example, the SPS matches URL control policies in the following
order:
1. URL whitelist
2. URL category
a. Link policy
b. User policy

This describes the procedure for configuring the GreenNet service.
The SIG needs to interwork with the Portal (or a third-party PLS, such as the RM9000) of the
carrier, so that you can configure and apply the GreenNet service.
NOTE
When the SIG directly interconnects with the Portal of the carrier to provide the GreenNet service for
subscribers or VICs, refer to the Portal Help and observe the following configuration procedure.
In the case that the SIG interconnects with the RM9000, only subscribers, instead of VICs, can subscribe
to the GreenNet service. The RM9000 should be of V300R001C02.

Figure 9-3 shows the configuration procedure of the GreenNet service for subscribers, when
the SIG interconnects with the RM9000.
Figure 9-3 Procedure for configuring the GreenNet service

Stsrt
Front End of the

Configure basic information DPI system
Configure the alarm URL
Add an URL category

Back End of the
DPI system
Data Configuration
Engineer Add the GreenNet flow class
Add a device and set the URL level
RM9000 PMS
Add GreenNet and log sending services
Add a user
Add the PMS and synchronize Log in to the RM9000 SSP

its configuration as the administrator
Use the password with high permissions

to log in to the configuration interface
Enable GreenNet and log

sending services
Configure URL filtering Log in to the RM9000 SSP

GreenNet
with user account
subscriber
Configure the URL whitelist and blacklist
Configure network application filtering
Set the log sending function
End

Table 9-1 Procedure description of the GreenNet service

Action Description
Configure basic Configure the packet type for URL filtering: By default, the SPS filters
information only the page packets. You can configure to filter all HTTP request
packets.
Configure the policy for the first packet of HTTP request packets: The
SPS caches HTTP request packets by default. You can configure the
policy for HTTP request packets as permit or deny.
Configure the preferential matching sequence of URL policies: By
default, the priority of the URL link policy is higher than that of the
user policy. That is, when matching the link policy, a packet is not to
match the user policy. On the contrary, the packet continues to match
the user policy. You can configure the priority of the user policy to be
higher than that of the link policy.
Configure the alarm When the policy for a URL category is configured as alarm, you need
URL to set the URL of the alarm page pushed to the user.
choose Value-added Service > GreenNet > Alarm URL
Management.
Add an URL Selecting certain categories from predefined and user-defined URL
category categories as those of the GreenNet service. In this manner, URL
filtering is implemented through the configurations of corresponding
control modes.
choose Value-added Service > GreenNet > GreenNet URL
Category Management.
NOTE
The system supports the URL categories of multiple types, but only 32 URL
categories for the GreenNet service. If these categories cannot meet
requirements, you can define an URL category, and add predefined categories
to this URL category. Then you need to add this URL category as that of the
GreenNet service. Operation location: In the navigation tree, choose Access
Control > URL Filter > URL Category Management.
Add the GreenNet In addition to the predefined flow classes, the system also supports
flow class user-defined flow classes. For details about flow classes, see 22.1
To control an Internet application (for example, Web browsing), you
must add the corresponding flow class as a GreenNet flow class (for
example, Web_Browsing).
choose Value-added Service > GreenNet > GreenNet Flow
Classification Management.

Action Description
Add a device and set Specifying the BIS of the SIG for interconnecting with the RM9000
the URL level PMS.
The administrator needs to add multiple URL filtering levels, so that
GreenNet subscribers can choose them. The existing URL categories
are required during the setting of URL levels.
Operation location: RM9000 PMS.
Add GreenNet and Add a GreenNet service to allow the users to customize it and add the
log sending services log sending service to send URL filtering and network application
filtering logs to the emails of the users.
Add a user Add a user.

Add the PMS and Specifying a policy server (the RM9000 PMS) for communicating
synchronize its with the Portal and synchronizing the PMS configuration information
configuration (such as user information) to the Portal.
Operation location: RM9000 Service Select Portal (SSP)
Use the password After logging in to the RM9000 SSP with the user account, you can
with high query only the control information about the online behaviors of the
permissions to log in account. To control the online behaviors of the account, you need to
to the configuration use the password with high permissions to log in to the configuration
interface interface.
Operation location: RM9000 SSP.
Enable GreenNet Users must enable the GreenNet service before using the service. If
and log sending the users need to receive the logs, they must enable the log sending
services service.
Configure URL A carrier provides multiple URL filtering levels. The user can set the
filtering corresponding URL level as desired. In this case, existing URL
categories are required.
Configure the URL This action is not required when the URL blacklist and whitelist are
blacklist and unnecessary.
whitelist The user can define URL blacklist and whitelist, thus blocking URLs
in the blacklist and allowing URLs in the whitelist through. In this
case, existing URL categories are required.

Action Description
Configure network This action is not required in the case of no control over network
application filtering applications.
This action is to configure policies for controlling corresponding
network applications. In this case, existing GreenNet protocol groups
are required.
Set the log sending This action is required when URL filtering logs and network
function application filtering logs need to be periodically sent through emails.
9.2.3 Typical Configuration Example (Subscriber, Interworking

with the RM9000)
This provides an example for configuring that data configuration engineer customize the
GreenNet service for account user1-gnet (the parent and children use the same GreenNet
account) and then the parent configures URL filtering and network application filtering for this
account, when the SIG interworks with the RM9000.
Prerequisites
l The UHC and UCDB configurations are complete. For details, see Configuring Back-End
Servers and Configuring the UCDB in HUAWEI SIG9800 Service Inspection Gateway
l 4.2 Configuring the Subscriber is complete, and the account (user1-gnet) of the
subscriber is added.
l The current user has the permission to operate the RM9000 PMS and RM9000 SSP.
NOTE
To learn more about the RM9000, refer to related technical documents provided by the corresponding
vendor.
NOTE
When interworking with the RM9000, the SIG cannot control online duration.
The carrier needs to configure and apply the GreenNet service. Figure 9-4 shows the networking.

Figure 9-4 Networking diagram of the GreenNet service

RM9000
BIS IP: 110.166.1.52 SSP
Port: 804 128.18.30.44
Back End
RADIUS RM9000
Server PMS
110.64.2.1:8080
ket
ac
U SP
DI
RA
...
Backbone
DSLAM BRAS Front End
Router of MAN
DPI System
Users
A carrier provides the GreenNet service for users accessible to the Internet, and delivers the
following:
l Customizing the GreenNet service for users accessing the Internet.

l Providing URL categories available to the youth:
– Under 10 years old: Search Engines & Portals
– 10 to 13 years old: Search Engines & Portals; News & Media
– 13 to 15 years old: Search Engines & Portals; News & Media; Computing
– 15 to 18 years old: Search Engines & Portals; News & Media; Computing; Sports
l Providing the control over the traffic of the following application types:
– Web_browsing
– IM
– Game
GreenNet subscribers can:
l Set the URL control level for the account.

l Set the URL whitelist.
The URLs of the Education & Science category are added to the whitelist, so that the user
can access these URLs at any time.
l Set the URL blacklist.
The URLs of the Pornography & Violence, and Vulgar categories are added to the
blacklist, so that the children's account cannot access these URLs at any time.
l Control the network applications of the account.
Monday to Friday: 19:00 to 21:00 (no games); 21:00 to 23:00 (no chatting or games)
l Send logs to emails periodically.
URL filtering logs and network application filtering logs are sent to user1-
gnet@huawei.com at the scheduled time every week.

CAUTION
In the following steps, Step 1 to Step 13 are performed by data configuration engineers; Step
14 to Step 21 are performed by the parent on account user1-gnet.
Procedure

packets.
[Sysname] dpi-node
3. Configure the preferential matching sequence of URL policies.
The preferential matching sequence of URL policies is the URL whitelist, user policy, and
link policy in descending order.
[Sysname-dpi-node] url-filter policy flow-content url-whitelist priority
Step 4 Configure the alarm URL.

NOTE
When the policy for a URL category is configured as alarm, you need to set the URL of the alarm page
pushed to the user.
1. In the navigation tree, choose Value-added Service > GreenNet > Alarm URL
Management.
2. Select Alarm URL Type from Specify Alarm URL.
3. Select Domain Name Mode from Specify Alarm URL.
4. Enter www.warning.com in Alarm URL.
5. Click OK.
Step 5 Add URL categories.
CAUTION
To enable the GreenNet service, you need to add all related URL categories as GreenNet ones.
1. In the navigation tree, choose Value-added Service > GreenNet > GreenNet URL
Category Management.

2. Click Add, and select URL categories Sports, Computing, Vulgar, Pornography &
Violence, Search Engines & Portals, Education, and News & Media.
3. Click OK.
Figure 9-5 shows added URL categories.
Figure 9-5 Adding URL categories
Step 6 Add the GreenNet flow class.

1. In the navigation tree, choose Value-added Service > GreenNet > GreenNet Flow
Classification Management.
2. Click Add and select Web_Browsing, IM, and Game.
3. Click OK.
Step 7 Configure the mail server.
Before sending URL filtering logs and network application filtering logs to users' mail boxes,
you need to configure the mail server.
Value-added Service Mail Server Configuration.
2. Set parameters. Figure 9-6 shows parameter settings.
Figure 9-6 Configuring the mail server
NOTE
If the mail server is configured with identity identification, you need to set the user name and password
of the mail server on this page. Otherwise, mails cannot be sent.
3. Click OK.
Step 8 Log in to the RM9000 PMS.

1. Open login URL http://110.64.2.1:8080/RM9000/.

NOTE
After the installation is complete, the default user name and password of the administrator of the
RM9000 PMS are admin and huawei respectively.
Figure 9-7 Logging in to the RM9000 PMS
3. Click Login.
Step 9 Add a device and set the URL level.
1. In the navigation tree, choose Service Management > Device > Device.
2. Click Add. Add device SIG, with its IP address and port number the same as those of the
SIG BIS. Figure 9-8 shows the configuration interface.
NOTE
l If you don't know the IP address of the SIG BIS. Log in to the EMS for query ( refer to Logging
In to the EMS ). Choose Resources > NE Discovery > Discovered NEs. Search out a device
whose Model is SIG Server from the discovered devices. Then, check the device name and
record the virtual IP address of the BIS.
l Enter a numeral ranging from 1 to 100 in PRI.
l SIG Port No. indicates the port number of the BIS, and is set to 838.

Figure 9-8 Adding device SIG
3. Click OK.
4. Set URL levels.
Select the added device, and click URL Level to add an URL level, as shown in Figure
9-9. Click OK.
Figure 9-9 Adding URL level level1

The configurations of URL levels level2, level3, and level4 are consistent with that of URL
level level1.
l URL level level2 indicates allowing the URLs of Search Engines & Portals and News
& Media categories through.
l URL level level3 indicates allowing the URLs of Search Engines & Portals, News &
Media, and Computing categories through.
l URL level level4 indicates allowing the URLs of Search Engines & Portals, News &
Media, Computing, and Sports categories through.
Step 10 Add GreenNet and log sending services.
2. Add a GreenNet service.
a. Click Add, and then select service template Default_PC. Figure 9-10 shows the
Figure 9-10 Selecting the service template
b. Click Next, and then set Name to Gnet. Other parameters remain the default values.
Figure 9-11 shows the configuration interface.

Figure 9-11 Configuring the GreenNet service
c. Click Finish.
3. Add the log sending service.
a. Click Add, and then select service template Default_LogSend_Service. Figure
9-12 shows the configuration interface.
Figure 9-12 Selecting the service template

b. Click Next, and then set Name to logsend. Other parameters remain the default values.
Figure 9-13shows the configuration interface.
Figure 9-13 Configuring the log sending service
c. Click Finish.
Step 11 Add a user.
1. In the navigation tree, choose Service Management > Subscriber > Subscriber.
2. Click Add. Add user user1-gnet. Figure 9-14 shows the configuration interface.
Note: Parameter High-rights Password indicates the password specified by the parent on
the Portal Web site for controlling the online behaviors of children's account user1-gnet.

Figure 9-14 Add user user1-gnet
3. Click OK.
Step 12 Log in to the RM9000 SSP as the administrator.
1. Open login URL http://128.18.30.44/portal/admin/.
2. Enter values in User Name, Password, and Verify Code. Figure 9-15 shows the
NOTE
After the installation is complete, the default user name and password of the administrator of the
RM9000 SSP are admin and huawei respectively.

Figure 9-15 Logging in to the RM9000 SSP as the administrator
3. Click Login.
Step 13 Add the PMS, and synchronize its configuration.
1. In the navigation tree, choose Configuration Management > Policy Server.
2. Add the PLS. Figure 9-16 shows the configuration interface.
The IP address and port number of the PLS are those of the RM9000 PMS. For example,
if the URL of the RM9000 PMS is http://110.64.2.1:8080/RM9000, the IP address and
port number are 110.64.2.1 and 8080 respectively.

Figure 9-16 Adding a PMS
3. Click Save.
4. Click Synchronize to synchronize the PMS configuration information (such as user
information) with that on the Portal.
NOTE
After modifying the service or user information on the RM9000 PMS, you should click
Synchronize on the RM9000 SSP to synchronize the information.
Step 14 Log in to the RM9000 SSP with user account user1-gnet.

1. Open login URL http://128.18.30.44/portal/user.
2. Enter values in Name, Password, and Verify Code. Figure 9-17 shows the configuration
interface.
NOTE
The name for login is account name user1-gnet, and the password is that adopted by user user1-
gnet for dial-up access.

Figure 9-17 Logging in to the RM9000 SSP with user account user1-gnet
3. Click Login.
Step 15 Use the password with high rights to log in to the configuration interface.
NOTE
After logging in to the RM9000 SSP with user account user1-gnet, you can query only the control
information about the online behaviors of the account. To control the online behaviors of the account, you
need to use the password with high rights to log in to the configuration interface.
Enter the password with high right in High-rights Control, and click Enter. Figure 9-18 shows
Figure 9-18 Logging in to the configuration interface with the highest-right password
Step 16 Enable GreenNet and log sending services.

1. Enable the GreenNet service.
a. In the navigation tree, choose All Services > Gnet.
b. Click Subscribe. Figure 9-19 shows the configuration interface.

Figure 9-19 Enabling the GreenNet service
c. Click OK in the pop-up dialog box.

2. Enable the log sending service.
a. In the navigation tree, choose All Services > logsend.
b. Click Subscribe. Figure 9-20 shows the configuration interface.
Figure 9-20 Enabling the log sending service
c. Click OK in the pop-up dialog box.

Step 17 Configure URL filtering.
1. In the navigation tree, choose My Services > Gnet.
2. Click Set in the URL Filter group box to set the URL level. Figure 9-21 shows the
You should note that Default Control Model is the default control policy for URL
categories. For example, if the action for search engines and portals is set to Permit, and

that for Default Control Model is set to Warn, the access to all URLs except those of the
search engines and portals are redirected to the warning page.
Figure 9-21 Setting the URL level
3. Click OK.
4. Click Back, and then click OK in the pop-up dialog box.
5. Click Activate in the URL Filter group box to activate URL filtering.
Step 18 Configure the URL whitelist.

2. Click Set in the White List group box to set the URL whitelist. Figure 9-22 shows the
Figure 9-22 Setting the URL whitelist
3. Click OK.


5. Click Activate in the White List group box to enable the URL whitelist.
Step 19 Configure the URL blacklist.
2. Click Set in the Black List group box to set the URL blacklist. Figure 9-23 shows the
Figure 9-23 Setting the URL blacklist
3. Click OK.
5. Click Activate in the Black List group box to enable the URL blacklist.
Step 20 Configure network application filtering.
2. In the APP Filter group box, click Set.
3. Select Yes from Enable Time Slice.
4. Click Add, select Item, and then configure filtering policies for network applications.
Figure 9-24 shows the interface.

Figure 9-24 Configuring time-based policy item1 for network application filtering
5. Click OK.
6. Click Add, select the second Item, and then configure filtering policies for network
applications. Figure 9-25 shows the interface.
Figure 9-25 Configuring time-based policy item2 for network application filtering
7. Click OK.
9. Click Activate in the APP Filter group box to enable network application filtering.
Step 21 Set the log sending function.
1. In the navigation tree, choose My Services > logsend.
2. In the logsend group box, click Set.
3. Set parameters. Figure 9-26 shows parameter settings.
Note the following during the configuration:

l Email indicates the address of the email for receiving logs.

l To receive log mails immediately, you can set Real-time sending to send logs to emails
within the specified time segment.
Figure 9-26 Setting the periodical sending of logs
4. Click OK.
6. Click Activate in the logsend group box to enable network application filtering.
----End
Follow-up Procedure
In the navigation tree, choose Value-added Service > GreenNet > GreenNet Subscriber
Management. The administrator can view and export information about users subscribing to
the GreenNet service, for example, user account, area, URL filtering policy, application control
policy, and duration control information.
9.3 Querying GreenNet Reports

To query the URL and application blocking log reports of the GreenNet service for learning the
running status of the service, you should refer to this part.
9.3.1 Overview
This describes all reports of the GreenNet service.
Data configuration engineers can query the URL and application blocking reports of GreenNet
subscribers on the SIG. Reports can be classified into the following types:
l URL Blocking Log of Subscriber

Through the report, you can view the URL blocking log (including the URL, URL category,
blocking times, and time) of a specified subscriber, based on conditions such as the URL
category and time range.
l Application Blocking Log of Subscriber

Through the report, you can view the application blocking log (including the application
name, time, and blocking times) of a specified subscriber, based on conditions such as the
time range.
l URL Blocking Log of Very Important Customer
Through the report, you can view the URL blocking log (including the URL, URL category,
blocking times, and time) of a specified VIC, based on conditions such as the URL category
and time range.
l Application Blocking Log of Very Important Customer
Through the report, you can view the application blocking log (including the application
name, time, and blocking times) of a specified VIC, based on conditions such as the time
range.
NOTE
Data configuration engineers can also provide the log query service, and thus increase the revenue.
GreenNet subscribers subscribing to the service can query URL and application blocking logs on the Portal.
For example, the carrier can periodically send GreenNet reports to the mailboxes of corresponding
subscribers or VICs through mails.

This describes how to query GreenNet reports.
Prerequisites

Procedure
Step 2 Make sure that the service module sends URL service logs and application service logs to the
DAS.
By default, the service module of the SPU sends URL service logs and application service logs
to the DAS.
# Display the configuration of the service log.

<Sysname> display dpi-node service-log
Service log information

--------------------------------------
Name Content
--------------------------------------
Green-Net URL Disable
Green-Net Application Disable
--------------------------------------
If the function of sending URL service logs and application logs is disabled, you need to enable
the function through the service-log command.
# Configure the service log so that the logs sent to the data analysis server are the logs of the
URL service and application service of the Green Net service.

[Sysname] dpi-node
[Sysname-dpi-node] service-log green-net url enable
[Sysname-dpi-node] service-log green-net application enable
Step 4 In the navigation tree, choose Statistics and Analysis Report > GreenNet. Then select the
reports to be queried as required.

TIP
for the next query.
Task Reports.

NOTE
----End

This describes reports on GreenNet services and provides examples of report charts.
Report Navigation
NOTE
l Statistics and Analysis Report > GreenNet > Subscriber > URL Blocking Log
l Statistics and Analysis Report > GreenNet > Subscriber > Application Blocking Log
l Statistics and Analysis Report > GreenNet > Very Important Customer > URL
Blocking Log
l Statistics and Analysis Report > GreenNet > Very Important Customer > Application
Blocking Log
Statistics and Analysis Report > GreenNet > Subscriber > URL Blocking Log
Through this report, you can view the blocking of subscribers' malicious URLs within a given
time segment.
Figure 9-27 shows report screenshot of the blocking of a subscriber's malicious URLs.

Figure 9-27 Example of the URL blocking log (Subscriber)
Statistics and Analysis Report > GreenNet > Subscriber > Application Blocking
Log
Through this report, you can view the blocking of subscribers' network applications within a
given time segment.
Figure 9-28 shows report screenshot of the blocking of a subscriber's network applications.
Figure 9-28 Example of the application blocking log (Subscriber)

Statistics and Analysis Report > GreenNet > Very Important Customer > URL
Blocking Log
Through this report, you can view the blocking of VICs' malicious URLs within a given time
segment.
Figure 9-29 shows report screenshot of the blocking of a VIC's malicious URLs.
Figure 9-29 Example of the URL blocking log (Very Important Customer)
Statistics and Analysis Report > GreenNet > Very Important Customer >
Application Blocking Log
Through this report, you can view the blocking of VICs' network applications within a given
time segment.
Figure 9-30 shows report screenshot of the blocking of a VIC's network applications.

Figure 9-30 Example of the application blocking log (Very Important Customer)

Configuration Guide 10 Traffic Mirroring/Diversion Service
10 Traffic Mirroring/Diversion Service
About This Chapter
Specific network traffic (such as email, VoIP, P2P, and HTTP video traffic) that attracts user
attention is mirrored (copied and forwarded) by the SIG. Then traffic is saved in a third-party
system which further analyzes or caches the traffic. Alternatively, the traffic is diverted
(forwarded directly) by the SIG to a third-party system. After processing, the third-party system
then injects the traffic to the network through the SIG.
10.1 About the Traffic Mirroring/Diversion Service

This section describes the traffic mirroring/diversion service and traffic mirroring/diversion
function supported by the SIG.
10.2 Configuring the Traffic Mirroring Service
To configure and apply the traffic mirroring service, you should refer to this part.
10.3 Configuring Traffic Diversion Service
To configure and apply the traffic diversion service, you should refer to this part.

10.1 About the Traffic Mirroring/Diversion Service

This section describes the traffic mirroring/diversion service and traffic mirroring/diversion
function supported by the SIG.
Traffic Mirroring
The SIG identifies network traffic, copies and forwards the packets of the specified type as
required, and forwards the traffic in the given third-party system such as the iCache system.
Then the third-party system further analyzes or caches the traffic. In this way, traffic mirroring
is implemented. Traffic mirroring does not affect the original traffic direction of the packet.
Typical application examples are as follows:
l Configure a mirroring policy for the Simple Mail Transfer Protocol (SMTP) traffic and
VoIP traffic in a specified link and store the traffic for query, monitoring SMTP mails and
VoIP services.
l Configure a mirroring policy for the HTTP video traffic and P2P traffic in a specified link
and mirror user access requests to the third-party cache system, realizing accelerated
downloading of networks.
Figure 10-1 shows the typical networking of traffic mirroring.
Figure 10-1 Typical networking diagram of traffic mirroring
Backbone
router of Analysis
the MAN system
Front End Back End
DPI system
Cache
BRAS system
Service traffic
...
Mirrored traffic
Users

Implementation of Traffic Mirroring

The traffic mirroring service of the SIG supports:
l Mirroring the traffic of links.

The security department needs to closely monitor suspicious areas, especially on their voice
communications and mail sending. All the voice and mail records are monitored
legitimately and stored as a copy to the local analysis system for necessary check.
On a link, traffic can be mirrored to the local cache system, therefore localizing the
applications consuming huge bandwidths, and greatly reducing redundant traffic on the
backbone network. This not only helps carriers improve the usage of bandwidth resources,
but also enhances the satisfaction of users.
l Mirroring the traffic of subscribers and VICs. You can apply a policy through the attribute
group or user group.
The security department needs to closely monitor suspicious users or departments,
especially on their voice communications and mail sending. All the voice and mail records
are monitored legitimately and stored as a copy to the local analysis system for necessary
check.
l Mirroring both link traffic and user (subscribers and VICs) traffic.
When both link traffic and user traffic are mirrored, the user traffic is mirrored
preferentially. The same traffic is not mirrored twice. For example, the traffic of user1 is
transmitted along link1. The administrator has configured mirroring policy policy1 for the
traffic of user1 and policy2 for the traffic of link1.In this case, the traffic of user1 is mirrored
only by policy1, but not policy2.
l Mirroring of transport-layer and application-layer protocols, mirroring groups, upstream
and downstream packets, remote IP addresses, port and feature character.
l Traffic entering the SIG can be forwarded to multiple third-party systems through different
mirroring interfaces by matching several conditions.
l Directional configuration of the forwarding interface. Specific traffic can be forwarded to
the specified target system.
The Front End of SIG mainly realizes the following functions in the traffic mirroring service:
1. Abstract and mirror the traffic matching the mirroring group policy.
2. Replace the destination MAC address.
3. Mirror the traffic matching the policy to the third-party device.
Traffic Diversion
With the traffic diversion function, the SIG identifies network traffic, and forwards the specified
type of packets to the third-party system (the VAS in the following). Then the VAS further
analyzes and processes the traffic, and injects the processed packets to the Front End of the
SIG. Finally, the Front End sends the packets back to the network. The VAS is generally a cache
system or virus removing system.
Typical application examples are as follows:
l Configure the diversion policy for the HTTP video traffic and P2P traffic in a specified
area and redirect user access requests to the VAS (such as the iCache system), realizing
accelerated download on networks.

l On a wireless network, divert SMTP, POP3, HTTP, and MMS traffic to the VAS, enabling
the anti-virus function of mobile phones.
The application scenarios of traffic diversion are as follows:
l Single diversion
The traffic processed by the VAS is injected to the network by the Front End of the SIG.
Figure 10-2 shows the networking diagram.
Figure 10-2 Networking diagram of single diversion

VAS
inside outside
...
Users
Front End Backbone

BRAS router of
the MAN
Upstream traffic
Back End Downstream traffic
DPI System Injected traffic
The service flow is as follows:

1. The Front End of the SIG extracts the traffic matching the diversion policy, changes
the VLAN ID of the packet to that of the VAS, and changes the destination MAC
address of the packet to that of the VAS.
2. The Front End of the SIG forwards the traffic matching the diversion policy to the
VAS through the diversion interface.
Upstream traffic is diverted to the VAS through the inside interface and downstream
traffic through the outside interface.
3. The VAS injects the processed traffic to the Front End of the SIG.
The processed traffic is injected to the intranet through the inside interface, and to the
extranet through the outside interface.
4. The Front End of the SIG restores the VLAN ID and MAC address of the packet and
sends the packet to the network.
l Multiple diversions
Traffic passes through multiple VASs. Each time after traffic passes through a VAS, it is
injected to the Front End of the SIG. Finally, traffic is injected to the network through the
Front End of the SIG.

Figure 10-3 Networking diagram of multiple diversions

VAS1 VAS n
...
outside1 Inside n
inside1 outside n
Users
...
Backbone
BRAS Front End router of
the MAN
Upstream traffic
Back End Downstream traffic
Injected traffic
DPI System
The service flow is as follows:

1. The Front End of the SIG extracts the traffic matching the diversion policy, changes
the VLAN ID of the packet to that of the VAS, and changes the destination MAC
address of the packet to that of the VAS.
VAS1 through the diversion interface.
Upstream traffic is diverted to the VAS1 through the inside1 interface and downstream
traffic through the outside1 interface.
3. The VAS1 injects the processed traffic to the Front End of the SIG.
The processed traffic is injected to the intranet through the inside1 interface, and to
the extranet through the outside1 interface.
4. If the traffic is injected to the Front End of the SIG through the outside1 interface, the
Front End changes the VLAN ID of the packet to that of the VAS2 and changes the
destination MAC address of the packet to that of the VAS2.
VAS2 through the diversion interface.
Upstream traffic is diverted to the VAS2 through the inside2 interface and downstream
traffic through the outside2 interface.
6. The VAS2 injects the processed traffic to the Front End of the SIG.
The processed traffic is injected to the intranet through the inside2 interface, and to
the extranet through the outside2 interface.
7. Repeat 4 to 6 to divert traffic respectively to multiple VASs.
8. The Front End of the SIG restores the VLAN ID and MAC address of the packet and
sends the packet to the network.
NOTE
The Front End of the SIG can be connected to the VAS directly or with a switch which realizes the
multiplexing of ports.

Implementation of Traffic Diversion

The traffic diversion service of the SIG supports:
l VAS types
– In transparent mode
The VAS in transparent mode can receive the packets whose destination MAC addresses
are not the MAC address of the VAS. You need to specify the VLAN ID of the VAS
on the Front End of the SIG to divert traffic to the VAS.
– In non-transparent mode
The VAS in transparent mode cannot receive the packets whose destination MAC
addresses are not the MAC address of the VAS. You need to specify the VLAN ID of
the VAS and change the MAC address of the packet to that of the VAS on the Front
End of the SIG to divert traffic to the VAS.
l Traffic diversion for subscribers, VICs, and links. Only one diversion policy is effective
for each object.
l Transport-layer and application-layer protocol diversion, upstream and downstream packet
diversion, remote IP address diversion and port diversion.
l Diverting traffic to different VASs by means of their VLAN IDs.
l Eight pairs of inside and outside interfaces, and traffic diversion to 256 VASs.
l The Front End of the SIG cannot process new flows created by the VAS. That is, the
quintuple of the packet processed by the VAS cannot be modified. Otherwise, the Front
End of the SIG directly discards the new flows created by the VAS.
Comparison between Traffic Mirroring and Diversion

Table 10-1 shows the comparison between traffic mirroring and diversion.
Table 10-1 Comparison between traffic mirroring and diversion

Function Traffic Forwarding After Being Processed by
Third-Party Systems
Traffic Replicates a copy of the network The processed traffic does not pass
mirroring traffic and sends the copy of the through the SIG Front End and is
traffic to third-party systems. forwarded to intranet users by other
network devices such as routers.
Traffic Forwards the network traffic to The processed traffic is injected to

diversion third-party systems. the SIG Front End, which sends the
traffic to intranet users.
10.2 Configuring the Traffic Mirroring Service

To configure and apply the traffic mirroring service, you should refer to this part.
10.2.1 Overview
This describes the basic concepts of the traffic mirroring service.


in the system.
l Mirroring port
Mirroring port is the egress of the current device through which the traffic matching the
traffic mirroring policy is mirrored to the third-party device.
NOTE
l Only the Ethernet interface on the LPU can be configured as the mirroring port, which means
that 1GE and 10GE interfaces can serve as mirroring interfaces.
l A maximum of forty mirroring ports can be configured on one device.
l The management interface (specified with an IP address) , data detection interface (configured
with a link), diversion interface and cascade interface cannot be added to the mirroring group as
the mirroring port.
l Mirroring Group
A mirroring group consists of multiple mirroring ports. They are on different devices, or
in different clusters of the front end (on the premise that the clusters of the front end share
one back end). The policy can take effect for all clusters of the front end (corresponding to
the back end) when configured for a mirroring group on the GUI of the back end.
The SIG system has eight default mirroring groups. A maximum of 40 mirroring interfaces
can be configured in one mirroring group. You must add the interfaces of a Front End to
mirroring groups, and associate the mirroring groups with mirroring policies configured
on the Back End. The Front End replicates the packets that match the mirroring policies,
and sends the packets to thrid-party analysis devices through the interfaces in the mirroring
groups according to the mirroring policies. If a group contains no interface, the group cannot
mirror any traffic.
l Mirroring Group ID
Each Front End of the SIG supports eight mirroring groups, each of which corresponds to
one ID (from 1 to 8).
l Replacing the Destination MAC Address
According to the live network, you need to confirm whether to enable the function of the
destination MAC address replacement.
– When the mirroring port is directly connected to the third-party device through Ethernet
cables, you do not need to configure the destination MAC address replacement function.
– When the mirroring port is connected to the third-party device through a Layer-2 device,
you should enable the destination MAC address replacement function and set the
destination MAC address.
l IP Protocol Type
– TCP
– UDP

– ICMP
– All: contains TCP, UDP, ICMP, and all other IP-layer protocols.
l Remote IP
The remote IP address is the external IP address. The relations between the remote IP
address and the traffic direction are as follows:
– If the traffic direction is set to upstream and the remote IP address is specified, the
system mirrors the traffic that passes through the Front End of the SIG and is destined
for the remote IP address.
– If the traffic direction is set to downstream and the remote IP address is specified, the
system mirrors the traffic that passes through the Front End of the SIG and originates
from the remote IP address.
– If the traffic direction is set to bidirectional and the remote IP address is specified, the
system mirrors the downstream traffic originating from the remote IP address and
upstream traffic destinating for the remote IP address that pass through the Front End
of the SIG.
l Port
– Port used to match traffic of specified type of service. For example, The administrator
can set the port to 80, indicating that only the HTTP traffic is mirrored.
– The remote port of upstream packets is the destination port and that of downstream
packets is the source port.
l Feature character
– If the feature character is not configured, the SIG Front End mirrors all the packets of
the traffic flow that matches the mirroring condition.
– If the feature character is configured, the SIG Front End inspects the first ten packets
of the traffic flow:
– If the first ten packets do not match the feature character, the entire flow is not
mirrored.
– If one or multiple packets of the first ten packets match the configured feature
character, the SIG Front End mirrors only the first packet that matches the feature
character.
The feature character offset is used to set from which byte a packet is inspected. The feature
character can either be hexadecimal or a character string.

This describes the procedure for configuring the traffic mirroring service.

Figure 10-4 Procedure for configuring traffic mirroring
Start
Configure the mirroring interface
Is the mirroring
Yes interface directly connected to Front End of the
the third-party device through DPI system
Ethernet cables?
No
Configure the destination MAC

address replacement
Add a mirroring policy package
Back End of the

DPI system
Apply the mirroring policy package
End
Table 10-2 describes the procedure description.
Table 10-2 Procedure description of traffic mirroring

Action Description
Configure the The mirroring interface is the egress of the traffic matching the
mirroring interface mirroring policy. The mirroring interface should be configured on the
Front End through commands.

Action Description
Configure the You need to confirm whether to enable the destination MAC address
destination MAC replacement according to the current network environment.
address replacement l When the mirroring interface is directly connected to the third-
party device through Ethernet cables, you don't need configure the
l When the mirroring interface is connected to the third-party device
through a Layer-2 device, you should enable the destination MAC
address replacement and set the destination MAC address.
By default, the destination MAC address replacement is disabled.
Add a mirroring A policy package can contain one or multiple policy items.
policy package Operation location: back-end UI of the SIG.In the navigation tree,
choose Traffic Management > Mirror/Divert > Mirror/Divert
Policy Package Management.
Apply the mirroring Apply the added policy package to service objects.
policy package Operation location: back-end UI of the SIG.
Management > Network > Physical Link Management > Link
Policy Application.
Application.
10.2.3 Typical Configuration Example 1 (Link, VoIP Traffic

Mirroring)
This provides an example for mirroring upstream and downstream VoIP traffic on the link to
the third-party system for for storage through the SIG, thus facilitating further analysis.
Prerequisites
l 4.4 Configuring the Link is complete, and link 1G-80-2-link_2 passes through the Front
End of the SIG.
l The current user has the Traffic Management service permission.
The carrier needs to configure and apply traffic mirroring. Figure 10-5 shows the networking.

Figure 10-5 Networking diagram of traffic mirroring
Router
1 Third-party device
/0/
Link: 1G-80-2-link_2 E3
:G
ce
t e rfa
in
o r ing
rr
Mi
Management interface: GE3/0/0

Front End Back End
DPI system
BRAS Service traffic
Mirrored traffic
...
Users
The Front End of the SIG is directly connected to the Back End through the management
interface. The system mirrors the VoIP traffic (on the external IP address segment from 1.1.1.1
to 1.1.1.254) passing through the Front End of the SIG.
Traffic goes along link 1G-80-2-link_2 through the Front End of the SIG; interface 0 of the LPU
in slot 3 enables normal communications between the Front End and the Back End of the SIG;
interface 1 of the LPU in slot 3 mirrors VoIP traffic to the third-party system, and this interface
belongs to mirroring group 1.
Procedure
Step 2 Configure the mirroring interface.

[Sysname] interface GigabitEthernet 3/0/1
[Sysname-GigabitEthernet3/0/1] dpi-node mirror group-number 1
[Sysname-GigabitEthernet3/0/1] quit

Step 4 Add a mirroring policy package.

1. In the navigation tree, choose Traffic Management > Mirror/Divert > Mirror/Divert
2. Click Add.
3. Enter mirror in Name, and then click Save.
4. Select mirror from Item Type and click Add.
5. Set the parameters of policy item voip in the dialog box that is displayed. Figure 10-6
Figure 10-6 Configuring policy item voip

Step 5 Apply the mirroring policy package.
2. Click Add.

Figure 10-7 Applying policy package mirror
4. Click OK.
----End
10.2.4 Typical Configuration Example 2 (Link, P2P and HTTP

Traffic Mirroring)
This provides an example for mirroring upstream and downstream P2P traffic and upstream
HTTP traffic on the link to the third-party cache system and upstream HTTP traffic to the third-
party analysis system through the SIG, thus facilitating further analysis.
Prerequisites
End of the SIG.
The carrier needs to configure and apply traffic mirroring. Figure 10-8 shows the networking.

Figure 10-8 Networking diagram of traffic mirroring
Router
Back End
Link: 1G-80-2-link_2
Management interface: GE3/0/0

Mirroring interface 1: GE3/0/1
Front End Cache system
Mirroring interface 2: GE3/0/2
MAC address: 00A0-7C5E-A1E2
Switch A
BRAS
Analysis system
MAC address: 00E0-FC53-A1C2
Service traffic
... Mirrored traffic 1
Users
Mirrored traffic 2
The Front End of the SIG is connected to the Back End through a switch. The system mirrors
P2P traffic from the upstream and downstream, and mirrors HTTP traffic from the upstream
traffic passing through the Front End.
Switch A is divided into three VLANs, namely, VLAN1, VLAN2, and VLAN3. The
management interface on the Front End of the SIG resides on VLAN1 with the Back End;
mirroring interface 1 resides on VLAN2 with the cache system; mirroring interface 2 resides on
VLAN3 with the analysis system.
Traffic goes along link 1G-80-2-link_2 through the Front End of the SIG; interface 0 of the LPU
in slot 3 enables normal communications between the Front End and the Back End of the SIG;
interface 1 of the LPU in slot 3 mirrors upstream and downstream P2P traffic to the cache system,
and this interface belongs to mirroring group 1; interface 2 of the LPU in slot 3 mirrors upstream
HTTP traffic to the analysis system, and this interface belongs to mirroring group 2.
Procedure
Step 2 Configure GigabitEthernet 3/0/1 as mirroring interface 1, and add it to mirroring group 1.
Step 3 Enable the destination MAC address replacement of mirroring interface 1, and set the destination
MAC address to 00A0-7C5E-A1E2.
[Sysname-GigabitEthernet3/0/1] dpi-node mirror replace ethernet destination-mac
enable
[Sysname-GigabitEthernet3/0/1] dpi-node mirror replace destination-mac 00A0-7C5E-

A1E2
Step 4 Configure GigabitEthernet 3/0/2 as mirroring interface 2, and add it to mirroring group 2.
Step 5 Enable the destination MAC address replacement of mirroring interface 2, and set the destination
MAC address to 00E0-FC53-A1C2.
[Sysname-GigabitEthernet3/0/2] dpi-node mirror replace ethernet destination-mac
enable
[Sysname-GigabitEthernet3/0/2] dpi-node mirror replace destination-mac 00E0-FC53-
A1C2

2. Click Add.
5. Set the parameters of policy item p2p in the dialog box that is displayed. Figure 10-9 shows
parameter settings.
Figure 10-9 Configuring policy item p2p

6. Click OK.
8. Set the parameters of policy item http in the dialog box that is displayed. Figure 10-10
Figure 10-10 Configuring policy item http

2. Click Add.

4. Click OK.
----End
10.3 Configuring Traffic Diversion Service

To configure and apply the traffic diversion service, you should refer to this part.
10.3.1 Overview
This describes the basic concepts of the traffic diversion service.

in the system.
l Inside interface and outside interface
The inside interface is the diversion interface for upstream traffic and the outside interface
is the diversion interface for downstream traffic.

The traffic processed by the VAS (generally the cache system or the virus removing system)
is injected to the intranet through the inside interface, and to the extranet through the outside
interface.
NOTE
l Only the Ethernet interface on the LPU can be configured as the diversion one.
l A maximum of eight pairs of inside and outside interfaces can be configured on one device.
l The interface that is assigned an IP address or the data monitoring interface cannot serve as the
diversion interface.
l The interface that is configured as the mirroring interface cannot serve as the diversion interface.
l VLAN ID
Traffic passing through the Front End of the SIG is diverted to different VASs by means
of VLAN IDs.
For example, you can configure multiple diversions. The VAS1 belongs to VLAN 100 and
the VAS2 belongs to LVAN 200. On the UI of the SIG, configure the diversion policy item,
enter 100,200 in VLANID, and apply the policy. In this way, traffic is diverted to the VAS1
and VAS2.
l IP Protocol Type
– TCP
– UDP
– ICMP
– All: contains TCP, UDP, ICMP, and all other IP-layer protocols.
l Remote IP
The remote IP address is the external IP address. The relations between the remote IP
address and the traffic direction are as follows:
– If the traffic direction is set to upstream and the remote IP address is specified, the
system diverts the traffic that passes through the Front End of the SIG and is destined
for the remote IP address.
– If the traffic direction is set to downstream and the remote IP address is specified, the
system diverts the traffic that passes through the Front End of the SIG and originates
from the remote IP address.
– If the traffic direction is set to bidirectional and the remote IP address is specified, the
system diverts the traffic that passes through the Front End of the SIG, and is destined
for or originates from the remote IP address.
l Port
– Port used to match traffic of specified type of service. For example, The administrator
can set the port to 80, indicating that only the HTTP traffic is mirrored.
– The remote port of upstream packets is the destination port and that of downstream
packets is the source port.

This describes the procedure for configuring the traffic diversion service.

Figure 10-12 Procedure for configuring traffic diversion
Start
Configure the transmission mode of diverting packets

Front End of the
DPI system
Configure the diverting interfaces
(inside interface and outside interface) and peer VAS
Add a diverting policy package
Back End of the

DPI system
Apply the diverting policy package
End
Table 10-3 Procedure description of traffic diversion
Action Description
Configure the Diversion packets can be transmitted either transparently or non-

transmission mode transparently.
of diversion packets l In transparent mode, the VAS server at the peer end of the diversion
interface poses no requirement over the MAC address or IP address
of the diversion packet.
l In non-transparent mode, the VAS server at the peer end of the
diversion interface can receive only the packets destined for VAS
server itself (MAC address or IP address).
Configure the The diversion interface is the egress of the traffic matching the
diversion interfaces diversion policy. To configure the diversion interface, you need to
(inside interface and specify the peer VAS for communicating with the Front End.
outside interface) Operation location: Front End of the SIG.
and peer VAS
Add a diversion A policy package can contain one or multiple policy items.

Action Description
Apply the diversion Apply the added policy package to service objects.
Policy Application.
Application.
10.3.3 Typical Configuration Example 1 (Single Diversion)

This provides an example for diverting the P2P traffic among link traffic to a third-party cache
system through the SIG, therefore accelerating network download.
Prerequisites
End of the SIG.
l Make sure that the predefined P2P service is available and correct.
The carrier needs to configure and apply traffic diversion. Figure 10-13 shows the networking.

Figure 10-13 Networking diagram of traffic diversion

VAS
VLAN 100
inside outside
2/0/0 2/0/1
...
Users
1G-80-2-link_2
Front End Backbone
BRAS router of
the MAN
Upstream traffic
Downstream traffic
Back End
DPI System
The VAS is configured to work in transparent mode. Traffic goes along link 1G-80-2-link_2
through the Front End of the SIG. Interface 0 on the LPU in slot 2 is the inside interface and
interface 1 is the outside interface.
Upstream P2P traffic that passes through the Front End of the SIG and whose external IP address
segment ranges from 1.1.1.1 to 1.1.1.254 is diverted to the VAS by the inside interface and
downstream P2P traffic to the VAS by the outside interface.
Procedure
Step 2 Configure the transparent transmission mode for diversion packets.

[Sysname] dpi-node
[Sysname-dpi-node] divert transparence enable
[Sysname-dpi-node] quit
[Sysname]
Step 3 Configure the diversion interfaces (inside interface and outside interface) and peer VAS.
[Sysname-GigabitEthernet2/0/0] dpi-node divert inside
[Sysname-GigabitEthernet2/0/0] dpi-node vas-server 1 vlan 100
[Sysname-GigabitEthernet2/0/1] dpi-node divert outside

Step 5 Add a diversion policy package.

2. Click Add.
3. Enter divert in Name, and then click Save.
4. Select divert from Item Type and click Add.
5. Set the parameters in the dialog box that is displayed. Figure 10-14 shows parameter
settings.
Figure 10-14 Configuring policy item p2p

Step 6 Apply the diversion policy package.
2. Click Add.

Figure 10-15 Applying policy package divert
4. Click OK.
----End
10.3.4 Typical Configuration Example 2 (Multiple Diversions)

This section provides an example of the SIG diverting P2P and HTTP traffic on the link to third-
party cache system VAS1 and analysis system VAS2, therefore accelerating network download
and enabling further analysis.
Prerequisites
End of the SIG.
l 22.1 Managing Flow Classifications and Flow Classification Items is complete, and
flow classification p2p_http is added, including predefined flow classification items P2P
and Web_browsing.
The carrier needs to configure and apply traffic diversion. Figure 10-16 shows the networking.

Figure 10-16 Networking diagram of traffic diversion

VAS1 VAS2
VLAN 100 VLAN 200
outside1 inside2
inside1 outside2
Users
...
1G-80-2-link_2
Backbone
BRAS
Front End router of
the MAN
Upstream traffic
Downstream traffic
Back End
DPI System
Both VAS1 and VAS2 work in transparent mode. Traffic goes along link 1G-80-2-link_2
through the Front End of the SIG. Interface 0 on the LPU in slot 1 is the inside1 interface,
interface 1 is the outside1 one, interface 2 is the inside2 one, and interface 3 is the outside2 one.
P2P traffic and HTTP traffic that pass through the Front End of the SIG are respectively diverted
to the VAS1 and VAS2. Upstream traffic is diverted by the inside interface and downstream
traffic by the outside interface.
Procedure
Step 2 Configure the transparent transmission mode for diversion packets.
[Sysname] dpi-node
[Sysname-dpi-node] divert transparence enable
[Sysname-dpi-node] quit
[Sysname]
Step 3 Configure the diversion interfaces (inside interface and outside interface) and peer VAS1 and
VAS2.



Step 5 Add a diversion policy package.
2. Click Add.
3. Enter divert in Name, and then click Save.
4. Select divert from Item Type and click Add.
5. Set the parameters in the dialog box that is displayed. Figure 10-17 shows parameter
settings.
Figure 10-17 Configuring policy item p2p_http

Step 6 Apply the diversion policy package.
2. Click Add.

Figure 10-18 Applying policy package divert
4. Click OK.
----End

Configuration Guide 11 SmartBrowser Service
11 SmartBrowser Service
About This Chapter
The SmartBrowser service delivers DNS error correction, and HTTP error correction. It can
provide error correction messages and security defense for the online behaviors of subscribers.
Data configuration engineers can enable one or multiple functions as required.
NOTE
The SmartBrowser service can be applied to all customers in the local domain except VICs.
11.1 About the SmartBrowser Service

This describes the basic concepts of the SmartBrowser service.
11.2 Configuring the SmartBrowser Service
You can perform this task to configure and apply the SmartBrowser service.
11.3 Querying SmartBrowser Reports
To query the DNS or HTTP error correction reports of the SmartBrowser service, you should
perform this task.

11.1 About the SmartBrowser Service

This describes the basic concepts of the SmartBrowser service.
These basic concepts include:
l SmartBrowser service
The SmartBrowser service delivers DNS error correction, and HTTP error correction. Data
configuration engineers can enable one or multiple functions as required.
Figure 11-1 shows the schematic diagram of the SmartBrowser service.
Figure 11-1 Schematic diagram of the SmartBrowser service
Platform
Internet
Web server DNS server
HTTP error correction DNS error correction
Back
Front
End
End
DPI system
BRAS
DNS packet
... HTTP packet
User
l DNS error correction

In normal cases, the process for accessing Web sites through the domain name is as follows:
1. During the access to the domain name of a Web site through the browser, the access
request is sent to the DNS server.
2. The DNS server implements the query based on the domain name in the access request
and returns the IP address corresponding to the domain name to the browser.
3. The browser accesses the Web site server based on the returned IP address.
When DNS error correction is enabled and an incorrect domain name is input, the SIG
implements error correction over the domain name. If the DNS server cannot find the IP
address corresponding to the domain name, it replies an error response packet to the
browser. When identifying the packet as the domain name error packet, the SIG forges a
DNS response packet based on the predefined policy, and sets the IP address corresponding

to the domain name in the packet to that of the third-party platform (such as a search engine).
In this way, DNS error correction is implemented through the access to the third-party
platform.
Additionally, the system supports DNS error correction blacklist and whitelist. The details
are as follows:
– DNS error correction whitelist
Domain names in the whitelist are not corrected by the SIG. That is, during the access
to these domain names, the SIG directly replies packets to the user's browser.
– DNS error correction blacklist
Domain names in the blacklist are forcibly corrected by the SIG. That is, during the
access to these domain names, the SIG directly discards original packets and forges
response packets for DNS error correction to the browser, enabling users to access the
redirected Web site.
NOTE
A domain name cannot be added to both the blacklist and whitelist for DNS error correction.
If DNS error correction and overwriting are enabled simultaneously, packets match lists in priority
order (highest priority first), that is, DNS error correction whitelist, DNS overwriting list, and DNS
error correction blacklist.
l HTTP error correction
It monitors the HTTP response packet. If identifying that the packet complies with the
specified condition defined in the policy, the SIG forges an HTTP response packet (HTTP
redirection packet) to redirect the access to the third-party platform (such as a search
engine). Additionally, the original URL is employed as the search condition, realizing
HTTP error correction.
11.2 Configuring the SmartBrowser Service

You can perform this task to configure and apply the SmartBrowser service.
11.2.1 Overview
This describes the functions implemented through the configuration of the SmartBrowser
service.
The SmartBrowser service provides the following functions:
l DNS error correction
This function corrects identified error domain name packets. The system supports DNS
error correction blacklist and whitelist.
l HTTP error correction
This function monitors HTTP response packets and corrects them based on configurations.
NOTE
For DNS and HTTP error correction, the SIG can connect to a third-party portal system, so that terminal
users can flexibly enable or disable services.

This describes the procedure for configuring the SmartBrowser service, so that you can obtain
a brief information about the operation.

Figure 11-2 Procedure for configuring the SmartBrowser service

Configure DNS error correction Configure HTTP error correction
Start Start
Enable DNS error Enable HTTP error

correction correction
Add DNS blacklist and Configure HTTP error

whitelist items correction
End End
NOTE
The SIG can connect to the third-party portal system, so that terminal users can flexibly enable or disable
DNS and HTTP error correction.
Table 11-1 Procedure description of the SmartBrowser service

Action Description
Enable DNS error Enable DNS error correction. In this case, you should set the IP
correction address of the redirected platform (such as a search engine).
Operation page: In the navigation tree, choose Value-added
Service > SmartBrowser > DNS Error Correction
Configuration.
Add the DNS whitelist Add DNS domain names to be corrected to the DNS blacklist
and blacklist and those not requiring correcting to the DNS whitelist.
Service > SmartBrowser > DNS Error Correction Blacklist
and Whitelist Management.
Enable HTTP error Enable HTTP error correction.

correction Operation page: In the navigation tree, choose Value-added
Service > SmartBrowser > HTTP Error Correction
Configuration.

Action Description
Configure HTTP error Set the IP address or domain name, and content search mode of
correction the redirected platform (such as a search engine). Based on
various HTTP labels and suffixes, HTTP error correction can
correct incorrect HTTP response packets.
Service > SmartBrowser > HTTP Error Correction
Configuration.
11.2.3 Typical Configuration Example 1 (DNS Error Correction)

This provides an example for configuring DNS error correction.
Prerequisites
The current user has the Value-added Service service permission.
The carrier hopes to provide the following services for all subscribers on the intranet.
l When subscribers enter incorrect domain names, the SIG automatically redirects DNS
requests to the third-party search system (suppose that the IP address is 10.1.1.1).
l The access to phishing Web sites (with a large number) should be denied and DNS error
correction should not be implemented on certain Web sites (with a small number).
Procedure
Step 2 Configure DNS error correction.

1. In the navigation tree, choose Value-added Service > SmartBrowser > DNS Error
Correction Configuration.
NOTE
If Enable DNS Error Correction is selected, DNS error correction is enabled for all customers in
the local domain except VICs; if not, DNS error correction is enabled only for subscribers subscribing
to it on the portal.
Figure 11-3 Configuration page of DNS error correction

3. Click Save.
Step 3 Import DNS error correction blacklist items in batches.
Correction Blacklist and Whitelist Management.
2. In the DNS Rectify Blacklist group box, click Add.
3. In the pop-up dialog box, select Guide File. Download the template for the DNS error
correction blacklist, and enter related information according to the template. Figure 11-4
shows the configuration page.
Figure 11-4 Importing DNS error correction blacklist items in batches
4. Click Browse and select the saved template file.

5. Click OK.
Step 4 Add the DNS error correction whitelist item.
Correction Blacklist and Whitelist Management.
2. In the DNS Rectify Whitelist group box, click Add.

Figure 11-5 Adding a DNS error correction whitelist item
4. Click OK. Adding a DNS error correction whitelist item is complete.

5. Repeat Step 4.2 to Step 4.4 to add other DNS error correction whitelist items as required.
----End
11.2.4 Typical Configuration Example 2 (HTTP Error Correction)

This provides an example for configuring HTTP error correction.
Prerequisites
The current user has the Value-added Service service permission.
The carrier hopes to provide services for all subscribers on the intranet: When a subscriber uses
the HTTP service but the target server cannot find the Web page to be accessed, the SIG can
automatically redirect the HTTP access request to the third-party searching system such as http://
www.example.com, take the access content as the searching information for searching, and then
display the searching result. Details are as follows:
l Domain name of the third-party searching system: http://www.example.com

l Searching parameter formula of the searching system: search?wd=@dpi-param@
l HTTP error correction label: 404 and 410
l HTTP error correction suffix: html and htm
NOTE
For details, see 11.2.5 Parameter Description.
Procedure
Step 2 Enable and configure HTTP error correction.

1. In the navigation tree, choose Value-added Service > SmartBrowser > HTTP Error
Correction Configuration.
NOTE
If Enable HTTP Error Correction is selected, HTTP error correction is enabled for all customers
in the local domain except VICs; if not, HTTP error correction is enabled only for the user subscribing
to it on the portal.
Figure 11-6 Configuration page of HTTP error correction
3. Click Save.
----End

This describes important parameters for configuring the SmartBrowser service.
Table 11-2 shows important parameters for configuring the SmartBrowser service.
Table 11-2 Parameter description for configuring the SmartBrowser service
Parameter Name Description How to Set
DNS Enable Enable/Disable DNS error correction. If [Setting method] Select the
Error DNS Error the check box is selected, it indicates check box.
Corr Correction that DNS error correction is enabled.
ectio That is, the system corrects the
n identified packets whose domain names
Conf are incorrect.
igura
tion IP To enable DNS error correction, this [Setting method] Enter the IP
Address of parameter should be specified. address of the platform in the
the Enter the IP address of a third-party text box.
Platform platform (such as a search engine), using
which the user can perform DNS error
correction for invalid DNS access
through third-party platform.

HTT Enable Enable/Disable HTTP error correction. [Setting method] Select the
P HTTP If the check box is selected, it indicates check box.
Error Error that HTTP error correction is enabled.
Corr Correction That is, the system monitors HTTP
ectio response packets and implements error
n correction based on configurations.
Conf
igura IP To enable HTTP error correction, either [Setting method] Select the
tion Address, of two parameters should be specified. IP address and domain name,
Domain Enter the IP address or domain name of and enter them in the text
name a third-party platform (such as a search box.
engine), using which the user can
perform HTTP error correction for
invalid access through third-party
platform.
Parameter Set the format of the URL of the [Setting method] Enter the
redirected third-party platform. Search item in the text box.
contents are replaced by the @dpi- [Example] s?wd=@dpi-
param@ variable. param@
For example, the URL of the third-party
platform is www.baidu.com. Suppose
that the URL is displayed as http://
www.baidu.com/s?
wd=www.sina.com.cn during the
search of www.sina.com.cn in
www.baidu.com. In this case,
Parameter should be set to s?
wd=@dpi-param@.

HTTP Select one or multiple HTTP labels [Setting method] Select the
Error where error correction should be check box.
Correction enabled.
Label The following error correction labels are
available:
l 400: Bad Request: indicates that the
HTTP request cannot be resolved by
the server due to incorrect syntax.
l 403: Forbidden: indicates that the
server can resolve the HTTP request
but deny to address it. Additionally,
the deny cause is provided.
l 404: Not Found: indicates that the
server does not find any URI
resource matching the HTTP
request. Additionally, it cannot
determine whether the resource is in
shortage temporarily or
permanently.
l 410: Gone: indicates that the server
does not find any URI resource
matching the HTTP request;
however, it can identify that the
resource does not exist permanently.
HTTP Select one or multiple suffixes where [Setting method] Select the
Error error correction should be enabled. check box.
Correction The following suffixes are available:
Suffix
l HTM: for example, http://
www.example.com/index.htm
l HTM: for example, http://
www.example.com/index.html
l Subdirectory: for example,
www.example.com/support/
The system provides error correction
only for level-1 subdirectories.
l Others: all suffix formats except
previous three types
11.3 Querying SmartBrowser Reports

To query the DNS or HTTP error correction reports of the SmartBrowser service, you should
perform this task.

11.3.1 Overview
This describes the DNS and HTTP error correction reports of the SmartBrowser service.
The Front End of the SIG collects statistics on the total DNS or HTTP error correction times
within five minutes to form a five-minute report. Then it reports the result to the Back End of
the SIG, which compiles the data. Through the report, data configuration engineers can query
the total DNS or HTTP error correction times within a given time range, obtaining the visualized
information about system error correction times.
The reports of the SmartBrowser service include:
l DNS error correction statistics: collects statistics on the times of DNS error correction
within a given time rage.
l HTTP error correction statistics: collects statistics on the times of HTTP error correction
within a given time rage.

This describes how to query DNS and HTTP error correction reports of the SmartBrowser
service.
Prerequisites

Procedure
Step 1 In the navigation tree, choose Statistics and Analysis Report > Smartbrowser > DNS/HTTP
Error Correction Statistics.

TIP
for the next query.
Task Reports.

NOTE
----End


This describes reports on the SmartBrowser service and provides examples of the reports.
Report Navigation
NOTE
l Statistics and Analysis Report > SmartBrowser > DNS/HTTP Error Correction
Statistics
Statistics and Analysis Report > SmartBrowser > DNS/HTTP Error Correction
Statistics
Through this report, you can view statistics on DNS or HTTP error correction times within a
given time range.
Figure 11-7 shows the report screenshot of DNS error correction statistics within a given time
range.
Figure 11-7 Example of the report on DNS error correction statistics
Figure 11-8 shows the report screenshot of HTTP error correction statistics within a given time
range.

Figure 11-8 Example of the report on HTTP error correction statistics

Configuration Guide 12 DNS Overwriting Service
12 DNS Overwriting Service
About This Chapter
The DNS overwriting service monitors the response packet from the DNS server. If the SIG
identifies that the packet matches the DNS overwriting list, it forges a DNS response packet to
redirect the DNS request to the specified destination IP address in the DNS overwriting list.
12.1 About the DNS Overwriting Service

This describes the basic concepts of the DNS overwriting service.
12.2 Configuring the DNS Overwriting Service
You can perform this task to configure and apply the DNS overwriting service.

12.1 About the DNS Overwriting Service

This describes the basic concepts of the DNS overwriting service.
The DNS overwriting service monitors the response packet from the DNS server. If the SIG
identifies that the packet matches the DNS overwriting list, it forges a DNS response packet to
redirect the DNS request to the specified destination IP address in the DNS overwriting list.
Figure 12-1 shows the schematic diagram of the DNS overwriting service.
Figure 12-1 Schematic diagram of the DNS overwriting service
Internet
Web server DNS server
DNS overwritng
Destination
Source domain name IP address Back
Front
End
End
DPI system
BRAS
DNS packet
...
User
If DNS overwriting and error correction of the SmartBrowser service are enabled
simultaneously, packets match lists in priority order (highest priority first), that is, DNS error
correction whitelist, DNS overwriting list, and DNS error correction blacklist.
12.2 Configuring the DNS Overwriting Service

You can perform this task to configure and apply the DNS overwriting service.

This describes the procedure for configuring the DNS overwriting service, so that you can obtain
a brief information about the operation.

Figure 12-2 Procedure for configuring the DNS overwriting service
Start
Enable DNS
overwriting
Add the DNS

overwriting list
End
Table 12-1 Procedure description of the DNS overwriting service

Action Description
Enable DNS overwriting Enable DNS overwriting.

Operation page: In the navigation tree, choose Access Control
> DNS Overwriting > DNS Overwriting Configuration.
Configure the DNS Add the DNS overwriting list, so that the SIG monitors the
overwriting list response packets of the DNS server based on the list.
Operation page: In the navigation tree, choose Access Control
> DNS Overwriting > DNS Overwriting List Management.

This provides an example for configuring DNS overwriting. By applying DNS overwriting, the
carrier can redirect DNS requests for accessing illegitimate Web sites to other Web sites.
Prerequisites
The current user has the Access Control service permission.
DNS overwriting should be enabled. When intranet users access external Web sites with such
source domain names as shown in Table 12-2, DNS requests are redirected to the target IP
addresses as shown on the right.

Table 12-2 DNS overwriting list

Source Domain Name Destination IP Address
www.example1.com 10.10.10.10
www.example2.com 11.11.11.11
Procedure
Step 2 Enable DNS overwriting.
1. In the navigation tree, choose Access Control > DNS Overwriting > DNS Overwriting
Configuration.
2. Select the check box of Enable DNS Overwriting.
3. Click Save.
Step 3 Add items to the DNS overwriting list.
1. In the navigation tree, choose Access Control > DNS Overwriting > DNS Overwriting
List Management.
2. Click Add.
NOTE
In addition to manual adding, you can import items to the DNS overwriting list.
To import items, you need to click Import. In the pop-up dialog box, obtain and edit the file template,
and then import items.
Figure 12-3 Adding items to the DNS overwriting list
5. Repeat Step 3.2 to Step 3.4 to add another item.
----End

Configuration Guide 13 Smart Advertising Interface Service
13 Smart Advertising Interface Service
About This Chapter
Through the Smart Advertising Interface service, the SIG can filter packets according to their
HTTP packet header attributes, and mirror the HTTP packets meeting conditions to the third-
party system. Then the third-party system analyzes users' online behaviors in depth and pushes
advertisements to specific users.
13.1 About the Smart Advertising Interface Service

This describes the basic concepts of the Smart Advertising Interface service.
13.2 Configuring the Smart Advertising Interface Service
To configure and apply the Smart Advertising Interface service, you should refer to this part.

13.1 About the Smart Advertising Interface Service

This describes the basic concepts of the Smart Advertising Interface service.
Through the Smart Advertising Interface service, the SIG can mirror the HTTP packets meeting
conditions to the third-party system according to their HTTP packet header attributes. Then the
third-party system analyzes users' online behaviors in depth and pushes advertisements to
specific users.
Figure 13-1 shows the typical networking of the Smart Advertising Interface service.
Figure 13-1 Typical networking diagram of the Smart Advertising Interface service
Router
...
Mirroring
Management group 1
interface
Mirroring
Back End Front End
group 2 Switch
DPI system
RA
DI
US ...
pa
ck
et
BRAS
The third-party system
Service traffic
Mirroring traffic 1
...
Mirroring traffic 2
Users
The switch is required in the following situations:

l When the SIG and the third-party system is remotely deployed, a switch is required for
interconnection.
l When the third-party server cannot process the heavy traffic mirrored from the mirroring
interface (GE) of the SIG, a switch is required for load balancing.
l When there are insufficient mirroring interfaces (the Front End of the SIG supports forty
mirroring interfaces), a switch is deployed to extend interfaces.

NOTE
A switch should support load balancing based on the source IP address, destination IP address, and source
+destination IP addresses.
The working principle of the Smart Advertising Interface service is as follows:

l The data configuration engineer configures the policy for mirroring HTTP traffic on the
Back End of the SIG.
l The Back End delivers the policy to the Front End.
l The Front End forwards the HTTP traffic meeting conditions to the third-party system
through the mirroring interface.
NOTE
The Smart Advertising Interface service does not support the reassembly and resolution of disordered TCP
packets and HTTP header fragments; therefore, the SIG cannot ensure the proper processing towards these
packets.
Figure 13-2 shows the processing procedure of the Smart Advertising Interface service.

Figure 13-2 Processing procedure of the Smart Advertising Interface service

Start
Identify traffic type
Do not perform the Smart Advertising No

Is it HTTP traffic?
Interface policy check
Yes
Is the Smart
Do not perform Smart Advertising Interface No
Advertising Interface service
processing on all packets in HTTP traffic
enabled?
Yes
Is the
The processing is the same as that towards No
HTTP packet header
the last packet
contained?
Yes
Does the HTTP

No
Do not mirror traffic packet header meet the
matching condition?
Yes
Mirror the traffic to the Phorm system
Is there a subsequent Yes

HTTP packet?
No
End
13.2 Configuring the Smart Advertising Interface Service

To configure and apply the Smart Advertising Interface service, you should refer to this part.
13.2.1 Overview
To configure the Smart Advertising Interface service, you need to learn related concepts.
NOTE
The Smart Advertising Interface service becomes available only after subscribers subscribe to it in the
third-parity portal system.

in the system.
l Mirroring port
Mirroring port is the egress of the current device through which the traffic matching the
traffic mirroring policy is mirrored to the third-party device.
NOTE
l Only the Ethernet interface on the LPU can be configured as the mirroring port, which means
that 1GE and 10GE interfaces can serve as mirroring interfaces.
l A maximum of forty mirroring ports can be configured on one device.
l The management interface (specified with an IP address) , data detection interface (configured
with a link), diversion interface and cascade interface cannot be added to the mirroring group as
the mirroring port.
l Mirroring Group
A mirroring group consists of multiple mirroring ports. They are on different devices, or
in different clusters of the front end (on the premise that the clusters of the front end share
one back end). The policy can take effect for all clusters of the front end (corresponding to
the back end) when configured for a mirroring group on the GUI of the back end.
The SIG system has eight default mirroring groups. A maximum of 40 mirroring interfaces
can be configured in one mirroring group. You must add the interfaces of a Front End to
mirroring groups, and associate the mirroring groups with mirroring policies configured
on the Back End. The Front End replicates the packets that match the mirroring policies,
and sends the packets to thrid-party analysis devices through the interfaces in the mirroring
groups according to the mirroring policies. If a group contains no interface, the group cannot
mirror any traffic.
l Mirroring Group ID
Each Front End of the SIG supports eight mirroring groups, each of which corresponds to
one ID (from 1 to 8).
l HTTP Request Matching Condition
Defined by the file name extension of the accessed URL resource and the User-Agent field
in the HTTP request packet header. Only the HTTP request packets (upstream packets)
complying with the matching rule can be mirrored.
The matching condition comprises the File Extension blacklist, User-Agent whitelist, and
User-Agent blacklist. The traffic matching the blacklist cannot be mirrored but that
matching the whitelist can.
– Blacklist File Extension
File Extension indicates the type of the Web page that is accessed, for example, html,
htm, xml, do, and js. If http://www.huawei.com/solutions.do is accessed, the File
Extension field is do. If do is added to the File Extension blacklist, the HTTP traffic
accessing the Web sites suffixed .do cannot be mirrored.
– User-Agent blacklist/whitelist
The User-Agent field identifies such attributes as the browser type, OS type, and
language type of the user. The packets whose User-Agent field matching the User-Agent
blacklist cannot be mirrored while those matching the User-Agent whitelist can. The
system uses the regular expression to define the User-Agent blacklist/whitelist.
l HTTP Response Matching Condition

The matching condition is defined by the Content-type field of the HTTP response packet
(downstream packets). Only the HTTP 200 OK response packets meeting the condition can
be mirrored.
NOTE
In the HTTP response packets, the packet of the 200 OK type indicates that the server successfully
responds.
– Whitelist Content-type:
The Content-type field identifies the contents of the Web page that is accessed, for
example, text/html, image/jpeg, text/css, and application/octet-stream.If image/jpeg is
added to the Content-type whitelist, the packets whose Content-type field contains
image/jpeg are mirrored.
l Sent RST Packets to Mirror Group When Stop
When Sent RST Packets to mirror group when stop is enabled in the policy, and the last
traffic matches the mirroring condition while the next traffic does not, the SIG stops
mirroring traffic and sends Reset packets to the third-parity system. Then the third-parity
system saves the traffic for further processing.

This describes the procedure for configuring the Smart Advertising Interface service.
Figure 13-3 Procedure for configuring Smart Advertising Interface

Start
Configure the mirroring interface Front End
(Optional) Configure the switch
Add the Smart Advertising Interface policy package
Back End
Apply the Smart Advertising Interface policy package
End

Table 13-1 Procedure description of Smart Advertising Interface

Action Description
(Optional) The switch is required in the following situations:

Configure the l When the SIG and the third-party system is remotely deployed, a
switch switch is required for interconnection.
l When the third-party server cannot process the heavy traffic
mirrored from the mirroring interface (GE) of the SIG, a switch is
required for load balancing.
l When there are insufficient mirroring interfaces (the Front End of
the SIG supports forty mirroring interfaces), a switch is deployed
to extend interfaces.
Add the policy A Smart Advertising Interface policy package can contain one or
package of the multiple policy items.
Smart Advertising Operation location: Back-end UI of the SIG. In the navigation tree,
Interface service choose Value-added Service > Mirror/Divert > Smart Advertising
Interface Policy Package Management.
Apply the policy Apply the added policy package to service objects.
package of the Operation location: Back-end UI of the SIG.
Smart Advertising
Interface service l In the navigation tree, choose Subscriber and Network
Application.
13.2.3 Typical Configuration Example 1 (Subscriber)

This provides an example for mirroring HTTP packets meeting conditions in subscribers' traffic
to the third-party system based on the HTTP packet header attribute.
Prerequisites
The carrier requires the third-party system to analyze subscribers' online behaviors and therefore
push advertisements to users selectively. The SIG can analyze HTTP packet headers and then
mirror HTTP packets meeting conditions to the third-party system.

Since a single server of the third-party system cannot process the heavy traffic mirrored from
each mirroring interface (GE) of the SIG, a switch is required for load balancing. The following
describes how to configure the switch through an example of the Quidway S5300. Figure
13-4 shows the networking diagram.
Figure 13-4 Networking diagram of the Smart Advertising Interface Service
Router
Mirroring GE0/0/8
1
Link: 1G-80-2-link_2 group 1 GE0/0/1 GE0/0/9 The third-party
/0/12 system1
GE0 GE0/0/10
DPI system /0/0
GE3
/0/1
Management G 3
E S5300 A
interface GE3
/0/2
GE3 GE0
/0/3 /0/13
Front GE0/0/15
Back End GE0
End /0/14
RA GE0/0/16 The third-party
DIU Mirroring
Sp system 2
ac group 2 GE0/0/17
ke
t
BRAS S5300 B
Service traffic
Mirroring traffic 1
Mirroring traffic 2
...
Users
NOTE
One S5300 can use only one load balancing mode.

Mirroring traffic requires the following conditions:
l Upstream HTTP traffic is mirrored to third-party system 1. The upstream HTTP traffic of
the Web sites whose suffix is .do is not mirrored.
l Upstream and downstream HTTP traffic is mirrored to the third-party system 2. The
upstream HTTP traffic of the Web sites whose suffix is .do is not mirrored; the downstream
HTTP traffic whose Content-type filed contains text/html, image/jpeg, or image/gif is
mirrored.
l The Front End of the SIG has two mirroring groups: mirroring group 1 and mirroring group
2.
l The third-party system 1 processes the traffic from mirroring group 1 and the third-party
system 2 processes traffic from mirroring group 2.
l Mirroring group 1 performs load balancing through S5300 A based on the source IP address
and mirrors upstream traffic to the third-party system 1.
Mirroring group 1 comprises GE3/0/0 and GE3/0/1, which respectively connect to
GE0/0/11 and GE0/0/12 on S5300 A. Add GE0/0/8, GE0/0/9, and GE0/0/10 to link
aggregation group Eth-Trunk 1 and configure source IP address-based load balancing.

l Mirroring group 2 performs load balancing through S5300 B based on the source IP address
+destination IP address, and mirrors both upstream and downstream traffic to the third-
party system 2.
GE0/0/13 and GE0/0/14 on S5300 B. Add GE0/0/15, GE0/0/16, and GE0/0/17 to link
aggregation group Eth-Trunk 2 and configure source IP address+destination IP address-
based load balancing.
Procedure
Step 2 Configure mirroring groups.
1. Configure GigabitEthernet 3/0/0 and GigabitEthernet 3/0/1 as mirroring interfaces, and add
them to mirroring group 1.
Step 3 Log in to S5300 A.

Step 4 Configure Eth-Trunk 1.
1. Create Eth-Trunk 1.
[Sysname] interface eth-trunk 1
[Sysname-Eth-Trunk1] quit
2. Add member interfaces to Eth-Trunk 1.

# Add GE0/0/8 to Eth-Trunk 1.
[Sysname] interface gigabitethernet 0/0/8
[Sysname-GigabitEthernet0/0/8] eth-trunk 1


3. Configure source IP address-based load balancing for Eth-Trunk 1.

[Sysname-Eth-Trunk1] mac-address learning disable

[Sysname-Eth-Trunk1] port link-type access

[Sysname-Eth-Trunk1] load-balance src-ip
Step 5 Log in to S5300 B.




3. Configure source IP address+destination IP address-based load balancing for Eth-Trunk 2.

[Sysname-Eth-Trunk2] load-balance src-dst-ip

Step 8 Add a Smart Advertising Interface policy package.
1. In the navigation tree, choose Value-added Service > Mirror/Divert > Smart
Advertising Interface Policy Package Management.
2. Click Add.
3. Enter smartnet in Name and then click Save.
4. Select Smart Advertising Interface from Item Type and click Add.

6. Click OK.


Step 9 Apply the Smart Advertising Interface policy package.
Policy Application.
2. Click Add.
3. Set the parameters in the dialog box that is displayed. Figure 13-7 shows parameter settings.

Figure 13-7 Applying policy package smartnet
4. Click OK.
----End

13.2.4 Typical Configuration Example 2 (VIC)

This provides an example for mirroring HTTP packets meeting conditions in VICs' traffic to the
third-party system based on the HTTP packet header attribute.
Prerequisites
l 4.3 Configuring the VIC is complete.

The carrier requires the third-party system to analyze VICs' online behaviors and therefore push
advertisements to users selectively. The SIG can analyze HTTP packet headers and then mirror
HTTP packets meeting conditions to the third-party system.
Since a single server of the third-party system cannot process the heavy traffic mirrored from
each mirroring interface (GE) of the SIG, a switch is required for load balancing. The following
describes how to configure the switch through an example of the Quidway S5300. Figure
13-8 shows the networking diagram.
Figure 13-8 Networking diagram of the Smart Advertising Interface Service
Router
Mirroring GE0/0/8
1
Link: 1G-80-2-link_2 group 1 GE0/0/1 GE0/0/9 The third-party
/0/12 system1
GE0 GE0/0/10
DPI system /0/0
GE3
/0/1
Management GE3 S5300 A
interface GE3
/0/2
GE3 GE0
/0/3 /0/13
Front GE0/0/15
Back End GE0
End /0/14
RA GE0/0/16 The third-party
DIU Mirroring
Sp system 2
ac group 2 GE0/0/17
ke
t
BRAS S5300 B
Service traffic
Mirroring traffic 1
Mirroring traffic 2
...
Users
NOTE
One S5300 can use only one load balancing mode.

Mirroring traffic requires the following conditions:

l Upstream HTTP traffic is mirrored to third-party system 1. The upstream HTTP traffic of
the Web sites whose suffix is .do is not mirrored.
l Upstream and downstream HTTP traffic is mirrored to the third-party system 2. The
upstream HTTP traffic of the Web sites whose suffix is .do is not mirrored; the downstream
HTTP traffic whose Content-type filed contains text/html, image/jpeg, or image/gif is
mirrored.
l The Front End of the SIG has two mirroring groups: mirroring group 1 and mirroring group
2.
l The third-party system 1 processes the traffic from mirroring group 1 and the third-party
system 2 processes traffic from mirroring group 2.
l Mirroring group 1 performs load balancing through S5300 A based on the source IP address
and mirrors upstream traffic to the third-party system 1.
GE0/0/11 and GE0/0/12 on S5300 A. Add GE0/0/8, GE0/0/9, and GE0/0/10 to link
aggregation group Eth-Trunk 1 and configure source IP address-based load balancing.
l Mirroring group 2 performs load balancing through S5300 B based on the source IP address
+destination IP address, and mirrors both upstream and downstream traffic to the third-
party system 2.
GE0/0/13 and GE0/0/14 on S5300 B. Add GE0/0/15, GE0/0/16, and GE0/0/17 to link
aggregation group Eth-Trunk 2 and configure source IP address+destination IP address-
based load balancing.
Procedure
Step 2 Configure mirroring groups.

Step 3 Log in to S5300 A.





3. Configure source IP address-based load balancing for Eth-Trunk 1.

[Sysname-Eth-Trunk1] load-balance src-ip
Step 5 Log in to S5300 B.




3. Configure source IP address+destination IP address-based load balancing for Eth-Trunk 2.

[Sysname-Eth-Trunk2] load-balance src-dst-ip
Step 8 Add a Smart Advertising Interface policy package.

1. In the navigation tree, choose Value-added Service > Mirror/Divert > Smart
Advertising Interface Policy Package Management.
2. Click Add.
3. Enter smartnet in Name and then click Save.
6. Click OK.


Step 9 Apply the Smart Advertising Interface policy package.
2. Click Add.

Figure 13-11 Applying policy package smartnet
4. Click OK.
----End

Configuration Guide 14 VoIP Monitoring Service
14 VoIP Monitoring Service
About This Chapter
Through the VoIP monitoring service, the SIG interferes with or blocks the VoIP calls from
intranets to extranets or from extranets to intranets by means of the blacklist and whitelist. You
can also learn the running status of the VoIP monitoring service by querying reports, including
call detail record statistics and control logs.
14.1 About the VoIP Monitoring Service

This describes the basic concepts of the VoIP monitoring service.
14.2 Configuring the VoIP Monitoring Service
To configure and apply the VoIP monitoring service, you should perform this task.
14.3 Querying VoIP Reports
To query VoIP reports for learning the running status of the service, you should perform this
task.

14.1 About the VoIP Monitoring Service

This describes the basic concepts of the VoIP monitoring service.
l Voice over Internet Protocol (VoIP)

VoIP is a service that transmits voice on the Internet in real time.
Basic principle of VoIP: VoIP encodes voice signals, compresses the voice data codes based
on voice compression algorithms, and then packs the compressed voice data based on the
TCP/IP standards. Then the packets are transmitted to the receiving end over the IP network
and the voice packets are ordered. The voice packets are restored to the original signals
after decompression. The transmission of voice over the Internet is thus realized.
l VoIP monitoring
Indicates a service provided by the SIG to interfere with or block the VoIP calls from
intranets to extranets or from extranets to intranets by means of the blacklist and whitelist.
Figure 14-1 shows the VoIP monitoring service.
Figure 14-1 VoIP monitoring
External blacklist:
Internet IP address, phone number,
and URI
VoIP whitelist: permit Front

VoIP blacklist: interfere
(Taking precedence End
with or block
over the blacklist)
Access network
Internal blacklist:
Internal whitelist:
user group, IP address, phone
user group
number, and URI
Common
VIC
customer
l VoIP media protocol
One VoIP call generates one or multiple media flows. VoIP media protocols refer to the
protocols that are used by media flows over UDP.
The media protocols supported by the SIG include AoWei, GBPhone, HeadCall,
Lava_Lava, P5P, Paltalk_Voip, RTP, ShangYang, ShiJiWangTong, SkypePctoPhone,
SkypePctoPc, TeamSpeak2, TelTel, UUCall, Ventrilo, Vtalk, ZhongFang,
YahooMsg_Video, YahooMsg_Audio, MEGACO_MEDIA_VIDEO,
MEGACO_MEDIA_AUDIO, MGCP_MEDIA_VIDEO, MGCP_MEDIA_AUDIO,

SIP_MEDIA_VIDEO, SIP_MEDIA_AUDIO, H323_MEDIA_VIDEO,

H323_MEDIA_AUDIO, GoogleTalk, and Kondge_NetPhone.
l VoIP signaling protocol
Protocols used for establishing and releasing calls. Through the detection on signaling flows
for establishing and releasing VoIP calls, detailed information about each call such as the
phone number of the callee can be obtained.
The SIG can detect four signaling protocols: H.323, SIP, MGCP, and MEGACO.
14.2 Configuring the VoIP Monitoring Service

To configure and apply the VoIP monitoring service, you should perform this task.
14.2.1 Overview
This describes the functions implemented through the configuration of the VoIP monitoring
service.
The VoIP monitoring service of the SIG supports:
l Interference with or block of VoIP calls from non-internal whitelist users to blacklisted
users
In the VoIP global policy configuration, select Interferential Direction and Control
Density. The following shows the details:
– Interferential Direction
Bidirectional interference, Interfere with the caller, and Interfere with the callee are
available.
– Control Density
Pass, Low, Medium, High, and Block are available.
If the caller or callee is not an internal whitelist user but is in the internal blacklist, IP
address blacklist, telephone number blacklist, or URI blacklist, the system interferes
with or blocks the call.
l Internal blacklist/whitelist management
For subscribers, the system provides one VoIP Blacklist User Group and one VoIP
Whitelist User Group. For VICs, the system provides one VoIP Blacklist User Group
and one VoIP Whitelist User Group.
If the caller or the callee is in the blacklist user group, the system directly interferes with
or blocks the call. If the caller or callee is in the whitelist user group, the system permits
the VoIP service to pass no matter the caller or callee is blacklisted or not.
l VoIP IP blacklist management
The system provides the internal and external IP address blacklist management function.
If the caller or callee is not in the whitelist but in the VoIP IP blacklist, the system interferes
with or blocks the call.
l VoIP number blacklist management
The system provides the internal and external number blacklist management function. The
resolution of telephone numbers is valid only for H.323, SIP, MGCP, and MEGACO.
For VoIP services using H.323, SIP, MGCP, or MEGACO, if the caller or callee is not in
the whitelist but in the number blacklist, the system interferes with or blocks the call.

l Uniform Resource Identifier (URI) blacklist management

The system provides the internal and external URI blacklist management function. The
URI resolution is valid only for SIP.
For VoIP services using SIP, if the caller or callee is not in the whitelist but in the URI
blacklist, the system interferes with or blocks the call.

It is applicable to the scenario where a carrier needs to apply the VoIP monitoring service to
block the VoIP service borne by media protocols according to the whitelist and blacklist.
Prerequisites
l 4.2 Configuring the Subscriber is complete. In addition, user 1 and user 2 are subscribers.
l The current user has the Access Control and Subscriber and Network Management
Service requirements are as follows:
l Protocols of the CDR adopt the default protocol list.
l The control density is Block.
l Internal blacklist and whitelist user group management is enabled.
It is required to add user 1 to the blacklist user group, and add user 2 to the whitelist user
group.
l IP blacklist management is enabled.
It is required to add 66.66.66.66 to the blacklist.
l Telephone number blacklist management is enabled.
It is required to add 12345678 to the blacklist.
l URI blacklist management is enabled.
It is required to add user1@www.example.com to the blacklist.
Procedure
Step 2 Perform the global VoIP policy configuration.
1. In the navigation tree, choose Access Control > VoIP Control > VoIP Control Policy
Configuration.
2. Select Block in Control Density, as shown in Figure 14-2.

Figure 14-2 Perform the global VoIP policy configuration
3. Click Save. The system prompts the user that the operation succeeds.
Step 3 Manage subscriber groups VoIP Blacklist User Group and VoIP Whitelist User Group.
2. Click VoIP Blacklist User Group. The View and Modify User Group dialog box is
displayed.
3. Click Add. Set User1 to selected, and then click OK. The system prompts that one record
is added.
4. Click Close.
5. Repeat Step 3.2 to Step 3.4 to add User2 to VoIP Whitelist User Group.
Step 4 Manage the IP blacklist.

1. In the navigation tree, choose Access Control > VoIP Control > VoIP IP Blacklist
Management.
2. Click Add. Enter 66.66.66.66 in IP.
3. Click OK.
Step 5 Manage the telephone number blacklist.

1. In the navigation tree, choose Access Control > VoIP Control > VoIP Number Blacklist
Management.
2. Click Add. Enter 12345678 in Number.
3. Click OK.
Step 6 Manage the URI blacklist.

1. In the navigation tree, choose Access Control > VoIP Control > VoIP URI Blacklist
Management.
2. Click Add. Enter user1@www.example.com in URI Address.
3. Click OK.
----End

It is applicable to the scenario where a carrier needs to apply the VoIP monitoring service to
block the VoIP service borne by media protocols according to the whitelist and blacklist.
Prerequisites

l 4.3 Configuring the VIC is complete. In addition, user 1 and user 2 are VICs.
l The current user has the Access Control and Subscriber and Network Management
The service requirements are as follows:
l Protocols of the CDR adopt the default protocol list.
l The control density is Block.
l Internal blacklist and whitelist user group management is enabled.
It is required to add user 1 to the blacklist user group, and add user 2 to the whitelist user
group.
l IP blacklist management is enabled.
It is required to add 66.66.66.66 to the blacklist.
l Telephone number blacklist management is enabled.
It is required to add 12345678 to the blacklist.
l URI blacklist management is enabled.
It is required to add user1@www.example.com to the blacklist.
Procedure
Step 2 Configure the VoIP global policy configuration.
1. In the navigation tree, choose Access Control > VoIP Control > VoIP Control Policy
Configuration.
2. Select Block in Control Density, as shown in Figure 14-3.
Figure 14-3 Perform the VoIP global policy configuration
3. Click Save. The system prompts the user that the operation succeeds.
Step 3 Manage VIC groups VoIP Blacklist User Group and VoIP Whitelist User Group.
Customer > User Group Management.
2. Click VoIP Blacklist User Group. The View and Modify User Group dialog box is
displayed.
3. Click Add. Set User1 to selected, and then click OK. The system prompts that one record
is added.
4. Click Close.

5. Repeat Step 3.2 to Step 3.4 to add User2 to VoIP Whitelist User Group.
Step 4 Manage the IP blacklist.
1. In the navigation tree, choose Access Control > VoIP Control > VoIP IP Blacklist
Management.
2. Click Add. Enter 66.66.66.66 in IP.
3. Click OK.
Step 5 Manage the telephone number blacklist.
1. In the navigation tree, choose Access Control > VoIP Control > VoIP Number Blacklist
Management.
2. Click Add. Enter 12345678 in Number.
3. Click OK.
Step 6 Manage the URI blacklist.
1. In the navigation tree, choose Access Control > VoIP Control > VoIP URI Blacklist
Management.
2. Click Add. Enter user1@www.example.com in URI Address.
3. Click OK.
----End

This describes the important parameters for configuring the VoIP monitoring service.
Table 14-1 shows important parameters for configuring the VoIP monitoring service.
Table 14-1 Parameter description of configuring the VoIP monitoring service

Interferential Bidirectional Interference, Interfere with the [Setting method]

Direction Caller, and Interfere with the Callee are available. Select the
corresponding
item from the
drop-down list.

Control Pass, Low, Medium, High, and Block are available. [Setting method]
Density The details are as follows: Select the
l Pass corresponding
item from the
The system does not interfere with or block any drop-down list.
VoIP service.
l Low, Medium, High
The system interferes with the VoIP service,
degrading users' service experiences. Low indicates
that the interfered user can catch most messages
from the other side; Medium indicates that the
interfered user can hardly catch messages from the
other side; High indicate that the interfered user
cannot catch messages from the other side
completely.
l Block
The system directly blocks the VoIP service.
Protocol of the Select the media protocol whose CDR is to be exported [Setting method]
CDR (VoIP as required. l In the VoIP
Statistics Statistics
Policy Policy
Configuration Configuratio
) n page, click
Add. Then
select the
check boxes
corresponding
to the
protocols to be
added.
l To delete
certain
protocols, you
can select the
protocols to be
deleted, and
then click
Delete.
14.3 Querying VoIP Reports

To query VoIP reports for learning the running status of the service, you should perform this
task.

14.3.1 Overview
This describes the categories and functions of VoIP reports.
For subscribers and VICs, the system provides the following reports:
l Control Log
Through this report, you can view control logs of the VoIP service. The VoIP service is to
interfere with or block non-internal whitelist users' VoIP calls to blacklist users.
Corresponding control logs are generated when the SIG interferes with or blocks those
VoIP calls.
This report displays the control actions on users matching with the internal blacklist user
group, internal and external IP address blacklist, internal and external number blacklist,
internal and external URI blacklist.
When the caller and callee are in different blacklists, you can view the control action log
according to the blacklist with the higher priority. The blacklists in descending order by
priority are internal blacklist user group, URI blacklist, number blacklist, and IP address
blacklist.
l Top N Customers by Control Count
Through this report, you can view top N subscribers or VICs by control count.
A control action upon a user can be triggered because the user is in the internal blacklist
user group, IP address blacklist, number blacklist, or URI blacklist, or because the peer-
end user is in the external IP address blacklist, number blacklist, or URI blacklist.
l Top N Blacklists by Control Count
Through this report, you can view top N blacklists by control count.
This report collects the statistics of blacklists including the internal and external IP address
blacklist, internal and external number blacklist, and internal and external URI blacklist.
l Call Detail Record Statistics
Through this report, you can view the call detail record statistics of the VoIP service
applying specified signaling and media protocols.
l Top N Customers by Session
Through this report, you can view top N subscribers or VICs by the number of VoIP session
or session duration.
l Top N URIs by Session
Through this report, you can view top N URIs by the number of VoIP session or session
duration.
l Signaling Protocol Session Statistics
Through this report, you can view the number of sessions or session durations based on
signaling protocols.
In addition, the SIG provides the report on Provider Call Duration Statistics, which displays call
durations of URI providers.

NOTE
You should add or import the IP apanage configuration, and the information configuration of the service
provider for generating the specific reports. The mappings between the configurations and the reports are
as follows:
l IP Apanage Configuration
l In the navigation tree, choose Statistics and Analysis Report > VoIP > Subscriber > Call Detail
Record Statistics.
l In the navigation tree, choose Statistics and Analysis Report > VoIP > Very Important
Customer > Call Detail Record Statistics.
l SP Configuration
l In the navigation tree, choose Statistics and Analysis Report > VoIP > Subscriber > Provider
Call Duration Statistics.
l In the navigation tree, choose Statistics and Analysis Report > VoIP > Very Important
Customer > Provider Call Duration Statistics.
l In the navigation tree, choose Statistics and Analysis Report > VoIP > Provider Call Duration
Statistics.

This describes how to query VoIP reports.
Prerequisites
l 14.2 Configuring the VoIP Monitoring Service is complete.
Procedure
Step 2 In the navigation tree, choose Statistics and Analysis Report > VoIP. Then select the reports
to be queried as required.
TIP
for the next query.
Task Reports.

NOTE
On the report query interface, you can export reports in different formats.
----End

This describes VoIP reports and provides examples of the reports.
Report Navigation
NOTE
l Statistics and Analysis Report > VoIP > Subscriber/Very Important Customer >
Control Log
l Statistics and Analysis Report > VoIP > Subscriber/Very Important Customer > Top
N Customers by Control Count
N Blacklists by Control Count
l Statistics and Analysis Report > VoIP > Subscriber/Very Important Customer > Call
Detail Record Statistics
N Customers by Session
N URIs by Session
Signaling Protocol Session Statistics
Provider Call Duration Statistics
l Statistics and Analysis Report > VoIP > Provider Call Duration Statistics
Statistics and Analysis Report > VoIP > Subscriber/Very Important Customer >
Control Log
Through this report, you can view control logs of the VoIP service. The VoIP service is to
interfere with or block non-internal whitelist users' VoIP calls to blacklist users. Corresponding
control logs are generated when the SIG interferes with or blocks those VoIP calls.
This report displays the control actions on users matching with the internal blacklist user group,
internal and external IP address blacklist, internal and external number blacklist, internal and
external URI blacklist.

When the caller and callee are in different blacklists, you can view the control action log
according to the blacklist with the higher priority. The blacklists in descending order by priority
are internal blacklist user group, URI blacklist, number blacklist, and IP address blacklist.
Figure 14-4 Example of the log report on the controlling the VoIP
Top N Customers by Control Count
Through this report, you can view top N subscribers or VICs by control count.
A control action upon a user can be triggered because the user is in the internal blacklist user
group, IP address blacklist, number blacklist, or URI blacklist, or because the peer-end user is
in the external IP address blacklist, number blacklist, or URI blacklist.
Figure 14-5 Example of the report on top N customers by control counts
Top N Blacklists by Control Count
Through this report, you can view top N blacklists by control count.
This report collects the statistics of blacklists including the internal and external IP address
blacklist, internal and external number blacklist, and internal and external URI blacklist.

Figure 14-6 Example of the report on top N blacklists by control counts
Call Detail Record Statistics
Through this report, you can view the call detail record statistics of the VoIP services applying
specified signaling and media protocols.
Figure 14-7 Example of the VoIP CDR statistics
Top N Customers by Session
Through this report, you can view top N subscribers or VICs by the number of VoIP session or
session duration.

Figure 14-8 Example of the report on top N customers by sessions
Top N URIs by Session
Through this report, you can view top N URIs by the number of VoIP session or session duration.
Figure 14-9 Example of the report on top N URIs by sessions
Signaling Protocol Session Statistics
Through this report, you can view the number of sessions or session durations based on signaling
protocols.

Figure 14-10 Example of call duration statistics based on signaling protocols
Provider Call Duration Statistics
Through this report, you can view the call duration statistics based on various URI providers in
the specified subscribers or VICs attribute group.

Figure 14-11 Example of call duration statistics of VoIP providers
Statistics and Analysis Report > VoIP > Provider Call Duration Statistics
Through this report, you can view the total call duration statistics based on various URI providers
without distinguishing between subscribers and VICs.

Figure 14-12 Example of call duration statistics of VoIP providers

Configuration Guide 15 Anti-Spammer Service
15 Anti-Spammer Service
About This Chapter
Through the Anti-Spammer service, the SIG detects and controls spammers on the network, with
monitoring measures including Detection, Alarm, Evidence Collection, Block, and Limit.
15.1 About the Anti-Spammer Service

This describes basic concepts of the Anti-Spammer service.
15.2 Configuring the Anti-Spammer Service
To configure and apply the Anti-Spammer service, you should perform this task.
15.3 Query Spammer Reports
To query spammer reports for learning the running status of a service, you should perform this
task.

15.1 About the Anti-Spammer Service

This describes basic concepts of the Anti-Spammer service.
l Spam
Spam, also called the Unsolicited Commercial Email (UCE) or Unsolicited Bulk Email
(UBE), spreads in large amount without receivers' consent. Most spam is about commercial
advertisement and adverse media.
l Spammer
Sender of spam.
l Anti-Spammer
Anti-Spammer indicates a service provided by the SIG to detect and control spammers on
the network.
Figure 15-1 shows the Anti-Spammer service.
Figure 15-1 Anti-Spammer service diagram
Mail server
Internet
Bidirectional detection on SMTP traffic (outbound

and inbound)
Front End Spammer threshold detection, blocking, traffic
limiting, alarming, and evidence collection
Blacklist and whitelist control
Access network
Common
customer
Mail server
15.2 Configuring the Anti-Spammer Service

To configure and apply the Anti-Spammer service, you should perform this task.

15.2.1 Overview
This describes the functions implemented through the configuration of the Anti-Spammer
service.
The Anti-Spammer service of the SIG supports:
l Internal Spammer Management

You can add and then apply an spammer policy package to detect, control, generate alarms,
and evidence collections of internal spammers. A policy package can contain multiple types
of policy items but each type contains only one item. The following shows the details on
policy items:
– Detection
The SIG detects internal spammers by collecting and analyzing the key information
extracted from SMTP traffic. The information, serving as detection indexes, includes
the number of sent mails, number of recipients, variance of total mail sizes, and
addresses of different mail senders. Each index, either a positive index or negative index,
has a weight and a threshold. When the value of a positive index is larger than its
threshold, or that of a negative index is smaller than its threshold, the SIG gives a score
to the index. The sum of all the scores for the indexes make a mail sender's total score,
which is in direct proportion to the weights of indexes. The SIG identifies a sender as
a spammer if the sender's total score is larger than the threshold for spammers, and as
a suspicious user if the total score is larger than the threshold for suspicious users but
smaller than that for spammers. Both thresholds can be configured by a data
configuration engineer.
When adding a policy item for detection, you can adjust the values of Threshold for
Suspicious Users and Threshold for Spammers to detect spammers.
– Control
The following control modes are available:
– Pass
Mails sent by monitored users can directly pass the system without control. As a
result, users can normally send mails.
– Block
Mails sent by users detected as spammers are intercepted and directly blocked.
– Limit
The system limits the traffic of the user detected as a spammer. The system can limit
the number of sessions, SMTP bandwidth, and number of sent mails.
In one policy package, you must add detection policy items first and then control policy
items.
The system provides Spammer Blacklist User Group and Spammer Whitelist User
Group by default. You can add blacklist users to be blocked and whitelist users to be
permitted to the two groups. By default, a policy package (policy package code:
2:000006) whose control mode is Block is assigned to Spammer Blacklist User
Group and a policy package (policy package code: 2:000002) whose control mode is
Pass is assigned to Spammer Whitelist User Group.
– Alarm
The users detected as spammers receive alarm messages when using the HTTP service.

The alarm policy item depends on the detection policy item. Therefore, you need to add
the detection policy item before adding the alarm policy item.
– Evidence Collection
The system logs mail sending behaviors and uploads the logs to the FTP server. The
log can be used as the evidence of spam sending. The log contains the time, source IP
address, destination IP address, sender address, recipient address, and mail subject.
Before adding a policy item of the Evidence Collection type, you need to complete the
global setting of evidence collection, including the address of the FTP server, and login
user name and password. When adding a policy item of the evidence collection type,
you can adjust values of Sampling Percentage and Mail Number for Evidence
Collection. For example, Sampling Percentage to 1:50, and Mail Number for
Evidence Collection to 50, the system extracts one out of fifty mails sent by the user
covered by this policy item. A total of 50 mails are extracted for evidence collection.
If the memory occupied by mails to be extracted for evidence collection exceeds the
threshold (8 MB per user) or the time for evidence collection exceeds one hour, the
system automatically stops collecting evidence. Therefore, in the evidence log file
uploaded to the FTP server, the number of mails is smaller than or equal to the value
specified in Mail Number for Evidence Collection.
Due to a variety of language codes, the system does not decode mail titles in the evidence
log file. For example, if the mail title is =?gb2312?B?1tC5+tXQserN+C274dSxu
+62rw==?=, resolution is as follows:
– =? in the header and ?= in the end indicate that the content in between is the mail
title, and ? in the middle indicates separation.
– gb2312 indicates the character set.
– B indicates that Base64 codes are adopted.
If Q is displayed, Quoted-Printable codes are adopted.
– gb2312?B?1tC5+tXQserN+C274dSxu+62rw== indicates the actual code of the
title.
The Evidence Collection policy item depends on the detection policy item. Therefore,
you need to add the detection policy item before adding the Evidence Collection policy
item.
l External Spammer Whitelist and Blacklist Management
Mails sent from extranets to intranets are filtered. Mails sent from the IP addresses and IP
address segments in the whitelist can directly go to intranets. Mails sent from the IP
addresses and IP address segments in the blacklist are blocked. In the system, you can
enable or disable the blacklist function as required.
l Mail Address Blacklist Management
Mails sent by users in the blacklist from intranets to extranets are blocked. The system
supports a maximum of 100000 blacklist records.
Two types of email addresses can be added to the blacklist: complete email address and
mail server domain name. For example, test@yahoo.com is a complete email address and
therefore requires accurate matching, that is, email addresses such as tst@yahoo.com and
atest@yahoo.com cannot be matched. Moreover, yahoo.com is a mail server domain name
and all mails of it can be matched. In this case, abc@yahoo.com can be matched but mails
of yahoo.com.cn cannot be matched.
For enabled Spammer Whitelist User Group, the email address blacklist management is
invalid.

l Outbound Mail Server IP Address Blacklist Management

Mails sent from intranets to extranets by mail servers whose IP addresses are in the blacklist
are blocked. The system supports a maximum of 100000 blacklist records.
For enabled Spammer Whitelist User Group, the IP address blacklist of the extranet mail
server management is invalid.
NOTE
You can select the depth of detection on spam, including Network Layer to Application Layer and
Network Layer to Transport Layer. When Network Layer to Transport Layer is selected, the evidence
collection policy item, mail number control of the limit function in the control policy item in the internal
spammer management, email address blacklist management, and outbound mail server IP address blacklist
management are available.
Mail address blacklist management and outbound mail server IP address blacklist management are realized
by the function of monitoring configurations by destination IP address. The function can be enabled or
disabled in the system. When it is disabled, mail address blacklist management and outbound mail server
IP address blacklist management are unavailable.
15.2.2 Configuration Example 1 (Detection from the Network Layer

to the Transport Layer)
This describes how to configure the Anti-Spammer service in detail. It is applicable to the
scenario where a carrier needs to enable the internal spammer detection and the management of
the external whitelist and blacklist for all subscribers in area A, except users in the internal
whitelist and blacklist.
Prerequisites

l The current user has the Security Defense and Subscriber and Network Management
The task requirements are as follows:
l Enable the management of internal spammers.

The following policy items are required:
– Detection: Threshold for Suspicious Users is set to 10 and Threshold for
Spammers to 20, which are the default values.
– Alarm: the system pushes alarms to detected spammers.
– Control: the SMTP bandwidths of detected spammers are up to 20 kbit/s.
In addition, you need to enable the internal blacklists and whitelists of Spammer Blacklist
User Group and Spammer Whitelist User Group, and add User1 to Spammer Blacklist
User Group and User2 to Spammer Whitelist User Group respectively.
l Enable External Spammer Whitelist and Blacklist Management.
You need to add IP address 66.66.66.66 to the blacklist, and IP address segment ranging
from 222.22.22.22 to 222.22.22.77 to the whitelist.

Procedure
Step 2 Perform the global spammer configuration.
1. In the navigation tree, choose Security Defense > Spammer > Global Spammer
Configuration.
2. Select Block in Control Action on External Blacklist, and Network Layer to Transport
Layer in Spam Detection Dimension, as shown in Figure 15-2.
Figure 15-2 Performing the global spammer configuration
3. Click Save, and then confirm the operation.

Step 3 Add and apply the spammer policy package.
1. In the navigation tree, choose Security Defense > Spammer > Spammer Policy Package
Management.
2. Click Add. The Add a Policy Package dialog box is displayed.
3. Enter AreaA_Spammer in Name.
4. Click Save. The basic information about the policy package is saved.
5. Select Detection in the Item Type. Click Add.
6. Select any value in Priority, enter 10 in Threshold for Suspicious Users, and 20 in
Threshold for Spammers. Click OK. The system prompts that one policy item is added.
7. Select Alarm in Item Type. Click Add. Then select any value in Priority, select an alarm
URL. The system prompts that one policy item is added.
If the alarm URL has not been added before this operation, you need to add it. For detailed,
refer to the 22.4 Managing the Alarm Address or 22.5 Managing the Dynamic
Alarm.
8. Select Control in Item Type. Click Add.
9. Select any value in Priority, select Forever in Need Slice and Limit in Control Policy,
and enter 20 in SMTP Bandwidth. Then click OK. The system prompts that one policy
item is added, as shown in Figure 15-3.

Figure 15-3 Adding the policy package
10. Click Close. The Spammer Policy Package Management page is displayed.
Policy Application.
12. Click Add. The Add Policy Application dialog box is displayed.
13. Select Spammer in Type, AreaA_Spammer in Name, Attribute Group in Object
Type, and A in Area.
14. Click OK. The policy package takes effect.
Step 4 Manage the subscriber groups Spammer Blacklist User Group and Spammer Whitelist User
Group.
2. Click Spammer Blacklist User Group. The View and Modify User Group dialog box
is displayed.
3. Click Add and select User1 in the list, and then click OK. The system prompts that one
record is added.
4. Click Close.
5. Repeat Step 4.2 to Step 4.4 to add User2 to Spammer Whitelist User Group.
Step 5 Manage the external whitelist and blacklist.

1. In the navigation tree, choose Security Defense > Spammer > External Spammer
Whitelist and Blacklist Management.
2. In the External Spammer Blacklist group box, click Add. The Add Blacklist dialog box
is displayed.
3. Enter 66.66.66.66 in IP Address.
4. Click OK.
5. In the External Spammer Whitelist group box, click Add. The Add Whitelist dialog box
is displayed.

6. Select IP Address Segment, and enter 222.22.22.22 in Start IP Address and

222.22.22.77 in End IP Address.
7. Click OK.
----End
15.2.3 Configuration Example 2 (Detection from the Network Layer

to the Application Layer)
This describes how to configure the Anti-Spammer service in detail. It is applicable to the
scenario where a carrier needs to enable the internal spammer detection and evidence collection
for all subscribers in area A, except users in the external whitelist and blacklist. In addition, the
management of the external whitelist and blacklist is required at the same time.
Prerequisites
The task requirements are as follows:
l Enable the management of internal spammers.
The following policy items are required:
– Detection: Threshold for Suspicious Users is set to 10 and Threshold for
Spammers to 20, which are the default values.
– Evidence Collection: Sampling Percentage to 1:50, and Mail Number for Evidence
Collection to 50. The IP address of the FTP server where evidence logs are uploaded
is 192.168.10.10, the user name is ftpuser, and the password is 12345678.
– Control: the detected spammers can send a maximum of 100 mails per hour.
In addition, you need to enable the internal blacklists and whitelists of Spammer Blacklist
User Group and Spammer Whitelist User Group, and add User1 to Spammer Blacklist
User Group and User2 to Spammer Whitelist User Group respectively.
l Enable External Spammer Whitelist and Blacklist Management.
You need to add IP address 66.66.66.66 to the blacklist, and IP address segment ranging
from 222.22.22.22 to 222.22.22.77 to the whitelist.
l Disable Email Address Blacklist Management.
l Disable Outbound Mail Server IP Address Blacklist Management.
Procedure
Step 2 Perform the global spammer configuration.
1. In the navigation tree, choose Security Defense > Spammer > Global Spammer
Configuration.

2. Select Block in Control Action on External Blacklist, Network Layer to Application

Layer in Spam Detection Dimension, and Disable in Monitoring Configurations by
Destination IP Address. Then enter 192.168.10.10 in FTP Address, ftpuser in
Username, and 12345678 in Password, as shown in Figure 15-4.
Figure 15-4 Performing the global spammer configuration
3. Click Test Connection. The system prompts the user that the connection succeeds.
4. Click Save.
Step 3 Add and apply the spammer policy package.

1. In the navigation tree, choose Security Defense > Spammer > Spammer Policy Package
Management.
2. Click Add. The Add a Policy Package dialog box is displayed.
3. Enter AreaA_Spammer in Name.
4. Click Save. The basic information about the policy package is saved.
5. Select Detection in Item Type, and then click Add.
6. Select any value in Priority, and enter 10 in Threshold for Suspicious Users and 20 in
Threshold for Spammers. Then click OK. A new policy item is displayed.
7. Select Evidence Collection in Item Type, and then click Add.
8. Select any value in Priority, and enter 50 in Sampling Percentage and Mail Number for
Evidence Collection respectively. Then click OK. A new policy item is displayed.
9. Select Control in Item Type, and then click Add.

10. Select any value in Priority, and select Forever in Need Slice and Limit in Control
Policy, and enter 100 in Mail Sent per Hour. Then click OK. A new policy item is
displayed, as shown in Figure 15-5.
Figure 15-5 Adding the policy package
11. Click Close. The Spammer Policy Package Management page is displayed.
Policy Application.
13. Click Add. The Add Policy Application dialog box is displayed.
14. Select Spammer in Type, AreaA_Spammer in Name, Attribute Group in Object
Type, and A in Area.
15. Click OK. The policy package takes effect.
Step 4 Manage subscriber groups Spammer Blacklist User Group and Spammer Whitelist User
Group.
2. Click Spammer Blacklist User Group. The View and Modify User Group dialog box
is displayed.
3. Click Add and select User1 in the list. Then click OK. A new record is displayed.
4. Click Close.
5. Repeat Step 4.2 to Step 4.4 to add User2 to Spammer Whitelist User Group.
Step 5 Manage the external whitelist and blacklist.

1. In the navigation tree, choose Security Defense > Spammer > External Spammer
Whitelist and Blacklist Management.
2. In the External Spammer Blacklist group box, click Add. The Add Blacklist dialog box
is displayed.
3. Enter 66.66.66.66 in IP Address.
4. Click OK.

5. In the External Spammer Whitelist group box, click Add. The Add Whitelist dialog box
is displayed.
6. Select IP Address Segment, and enter 222.22.22.22 in Start IP Address and
222.22.22.77 in End IP Address.
7. Click OK.
----End

This describes important parameters for configuring the Anti-Spammer service.
Table 15-1 shows important parameters for configuring the Anti-Spammer service.
Table 15-1 Parameter description of configuring the Anti-Spammer service

Threshold for l If the detection score is smaller [Setting method] Enter a value in the
Suspicious than Threshold for Suspicious text box.
Users, Users, the user is identified as a [Value range] The value is an integer
Threshold for normal user. ranging from 1 to 100.
Spammers l If the detection score is larger
than or equal to Threshold for
Spammers, the user is identified
as a spammer.
l If the detection score is between
Threshold for Suspicious
Users and Threshold for
Spammers, the user is identified
as a suspicious user.

Control Policy The following control modes are [Setting method] Set the values by
available for outbound mails: selecting option buttons or entering
l Pass: Mails sent by monitored values in text boxes.
users can directly pass the system
without control. Users can send
mails normally.
l Block: Mails sent by monitored
users are intercepted and blocked
directly. As a result, users cannot
send mails.
l Limit: Mails sent by monitored
users are limited. The following
limiting methods are available:
– Sessions Connection per
Minute: The system limits the
maximum number of SMTP
sessions established by the
user, that is, limiting the
maximum number of
concurrent connections.
– Mail Sent per Hour: The SIG
limits the number of mails
sent by the user per hour.
– SMTP Bandwidth (kbit/s):
The SIG limits the SMTP
traffic sent by the user in a
certain period.
Priority The smaller the value, the higher the [Setting method] selecting an item
priority. When a subscriber is bound from the drop-down list or entering
with multiply policy items of the a value into the text box
same type, only the policy item with [Value range] The value is an integer
the highest priority level is valid. ranging from 1 to 9999.
For details on the policy priorities
5.4.15 Policy Priority Description.
15.3 Query Spammer Reports

To query spammer reports for learning the running status of a service, you should perform this
task.
15.3.1 Overview
This describes the categories and functions of spammer reports.
The system provides the following spammer reports:

l Top N Spammers by Mail Number

Through this report, you can view top N spammers by mail number or traffic volume.
l Spammer Detection Log
After obtaining top N spammers, you can view the details of a spammer for analysis.
l Spammer Control Log
Through this report, you can view the detailed control logs of a specified subscriber.
l Blacklist Control Statistics
Through this report, you can view details on the control over mails sending by blacklisted
internal users.
l Comparison and Analysis
Through comparison and analysis, you can obtain the overall information about blacklist
users, whitelist users, normal users, suspicious users, and spammers.
l Evidence Log
Through evidence logs, you can obtain detailed mail evidence of a specified subscriber.
l External Recipient Blocking Log
The recipient monitoring is to block the emails sent from intranets to extranets, and those
whose recipients are in the blacklist. Through this report, you can view the detailed blocking
log.
l External Recipient Top N Customers by Blocking Count
The recipient monitoring blocks the emails sent from the intranets to extranets, and those
whose recipients are in the blacklist. Through this report, you can view top N subscribers
by blocking count.
l External Recipient Top N Recipients by Blocking Count
The recipient monitoring blocks the emails sent from intranets to extranets, and those whose
recipients are in the blacklist. Through this report, you can view top N mails or IP addresses
of recipients by blocking count.

This describes how to query spammer reports.
Prerequisites
l 15.2 Configuring the Anti-Spammer Service is complete.

Procedure
Step 3 In the navigation tree, choose Statistics and Analysis Report > Spammer > Subscriber. Then
select the reports to be queried as required.

TIP
for the next query.
Task Reports.

NOTE
On the report query interface, you can export reports in different formats.
----End

This describes reports on the spammer service and provides examples of the reports.
Report Navigation
NOTE
l Statistics and Analysis Report > Spammer > Subscriber > Top N Spammers by Mail
Number
l Statistics and Analysis Report > Spammer > Subscriber > Spammer Detection Log
l Statistics and Analysis Report > Spammer > Subscriber > Spammer Control Log
l Statistics and Analysis Report > Spammer > Subscriber > Blacklist Control Statistics
l Statistics and Analysis Report > Spammer > Subscriber > Comparison and Analysis
l Statistics and Analysis Report > Spammer > Subscriber > Evidence Log
l Statistics and Analysis Report > Spammer > Subscriber > External Recipient
Blocking Log
l Statistics and Analysis Report > Spammer > Subscriber > External Recipient Top N
Customers by Blocking Count
l Statistics and Analysis Report > Spammer > Subscriber > External Recipient Top N
Recipients by Blocking Count
Statistics and Analysis Report > Spammer > Subscriber > Top N Spammers by Mail
Number
Through this report, you can view top N spammers by mail number or traffic volume.

Figure 15-6 Example of reports on top N spammers by mail number
Statistics and Analysis Report > Spammer > Subscriber > Spammer Detection Log
After obtaining top N spammers, you can view the details of a spammer for analysis.
Figure 15-7 Example of spammer detection log report
NOTE
In a mail sending process (an SMTP flow), if the SIG detects a MAIL command, it regards it as a mail
sending attempt. If the MAIL, RCPT, and DATA commands are not detected, the SIG regards it as a sending
error. If an error occurs before a sending attempt, the Sent Mails Attempts does not change, but the
Sending Error Counts is increased by one.
Statistics and Analysis Report > Spammer > Subscriber > Spammer Control Log
Through this report, you can view the detailed control logs of a specified subscriber.

Figure 15-8 Example of reports on the spammer control log
Statistics and Analysis Report > Spammer > Subscriber > Blacklist Control
Statistics
Through this report, you can view details on the control over mails sending by blacklisted internal
users.
Figure 15-9 Example of reports on the blacklist control statistics
Statistics and Analysis Report > Spammer > Subscriber > Comparison and
Analysis
Through comparison and analysis, you can obtain the overall information about blacklist users,
whitelist users, normal users, suspicious users, and spammers.
NOTE
In user-based comparison analysis, data in five-minute granularity is an accumulated value within these
five minutes; data in the hourly granularity is an average value of each five minutes; data in the daily
granularity is an average value of each hour.

Figure 15-10 Example of reports on the spammer comparison and analysis
Statistics and Analysis Report > Spammer > Subscriber > Evidence Log
Through evidence logs, you can obtain detailed mail evidence of a specified subscriber.
Figure 15-11 Example of reports on the spammer evidence log
Statistics and Analysis Report > Spammer > Subscriber > External Recipient
Blocking Log
recipients are in the blacklist. Through this report, you can view the detailed blocking log.

Figure 15-12 Example of reports on the external recipient blocking log
Statistics and Analysis Report > Spammer > Subscriber > External Recipient Top
N Customers by Blocking Count
recipients are in the blacklist. Through this report, you can view top N subscribers by blocking
count.
Figure 15-13 Example of reports on external recipient top N customers by blocking count
Statistics and Analysis Report > Spammer > Subscriber > External Recipient Top
N Recipients by Blocking Count
The recipient monitoring is to block the emails sent from intranets to extranets, and those whose
recipients are in the blacklist. Through this report, you can view top N mails or IP addresses of
recipients by blocking count.
Figure 15-14 Example of reports on top N external recipients by blocking count

Configuration Guide 16 Anti-DDoS Service
16 Anti-DDoS Service
About This Chapter
The SIG provides the subnet-based anti-DDoS function and collects traffic statistics before and
after cleaning in report format.
16.1 About the Anti-DDoS Service

This describes the basic concepts of the Anti-DDoS service.
16.2 Configuring the Anti-DDoS Service
To configure and apply the Anti-DDoS service, you should perform this task.
16.3 Querying Anti-DDoS Reports
To query the Anti-DDoS report for learning the running status of the service, you should perform
this task.

16.1 About the Anti-DDoS Service

This describes the basic concepts of the Anti-DDoS service.
l Denial of Service (DoS)

The DoS attack causes that the attacked computer or network is unable to provide normal
services.
l Distributed Denial of Service (DDoS)
The DDoS attack indicates that the hacker adopts viruses, Trojan horses, or Badware to
control a large number of zombies and combine multiple computers into the attack platform
to launch DoS attacks on one or multiple targets, thus multiplying attack strength.
l Anti-DDoS
Figure 16-1 shows the schematic diagram of the Anti-DDoS service.
Figure 16-1 Schematic diagram of the Anti-DDoS service
Internet
DDoS attack traffic

Anti-DDoS:
SYN flood
Front UDP flood
End ICMP flood
Fraggle attack
…
Intranet
Subnet
The SIG provides the subnet-based Anti-DDoS function and thus can detect various
malformed packet attacks and flood attacks, such as TCP land, TCP WinNuke, TCP flag,
UDP Fraggle, and Ping of Death. The SIG supports dynamically learning the traffic model
of the protected object through the dynamic baseline technology, and effectively detects
and defends against various TCP attacks, UDP attacks, and application-layer DDoS attacks
through the unique fingerprint identification technology. In addition, abnormal traffic can
be cleaned through configured restriction measures. As a result, the services provided at
the destination IP address can be protected, and traffic statistics before and after cleaning
can be viewed by the configuration engineer.
l Subnet
A subnet, referring to a collection of IP addresses, consists of one or multiple IP address
segments.

Subnets are protected by the Anti-DDoS service after the policy package is applied.
l Static baseline
Static baseline is values manually specified to identify the traffic of DDoS attacks, and
includes network indicators such as the TCP traffic packet rate, UDP traffic packet rate,
and UDP traffic bandwidth.
The traffic baseline values do not change with network traffic. When traffic changes on the
subnet are relatively regular and stable, the static traffic baseline can be used.
l Dynamic baseline
The dynamic baseline is the values of the dynamically-learned traffic features of the
protected object, and the traffic baseline refreshes according to the running status of the
current network.
The dynamic baseline changes as network traffic changes. When the dynamic baseline is
established and no attack occurs, the SIG refreshes the traffic baseline regularly.
The system dynamically learns the traffic baseline according to the cycle configured by the
configuration engineer.
– During the learning cycle, the system adopts the static baseline to detect abnormal
traffic. If the static baseline is not exceeded, the network status is considered to be
normal. The system records the network indicators in this cycle and generates the
dynamic baseline.
– After the learning cycle is complete, the system adopts the dynamic baseline to detect
abnormal traffic.
l Fingerprint cleaning
The fingerprint cleaning function obtains and identifies the fingerprint features of attack
packets to clean attack traffic.
The attacker launches DDoS attacks by controlling zombies to send a large number of
malicious requests to the target. Therefore, packets sent to the target have the same features.
When identifying an attacked IP address, the SIG starts the fingerprint learning of traffic
sent to the attacked destination IP address. After the features of all attack packets are
learned, the SIG directly discards the follow-up packets that meet the fingerprint features.
16.2 Configuring the Anti-DDoS Service

To configure and apply the Anti-DDoS service, you should perform this task.
16.2.1 Overview
This describes the functions supported by the Anti-DDoS service.
Adding and applying DDoS policy packages defend against DDoS attacks for subnets. A policy
package can contain multiple types of policy items but each type contains only one item. The
following shows the details of the policy item:
l Static baseline
The static baseline is to enable the traffic baseline values for identifying DDoS attacks.
You can change default values according to the traffic of the protected subnet, and
determine whether to enable the detection of abnormal packets. If the detection of abnormal
packets is enabled, the SIG detects and discards abnormal packets or illegitimate packets.

In an Anti-DDoS policy package, you should add the policy items of the static baseline and
then those of the dynamic baseline or cleaning.
l Dynamic baseline
The dynamic baseline is to enable the traffic learning switch for generating the values of
the dynamic baseline and set the tolerance deviation percentage for determining the attack
threshold. Attack threshold = baseline value x (1 + allowable deviation percentage).
If the traffic learning switch is not enabled or the cycle of learning the dynamic baseline
does not end, the SIG adopts the static baseline to detect anomalies. After the learning cycle
is ended, the system adopts the dynamic baseline to detect anomalies.
In this case, if the traffic learning switch is not disabled manually, the system adjusts the
dynamic baseline by continuously learning the traffic on the current network.
l Cleaning
Cleaning is to enable the function of cleaning the traffic of DDoS attacks identified by the
system, and the target value of cleaning can be adjusted according to the traffic of the
protected subnet on the current network.
During the adding of the policy items of cleaning, you can determine whether to enable the
fingerprint-based cleaning switch:
– If yes, for the attack packets whose fingerprint features can be extracted, the system
identifies their fingerprint features and clean the packets directly. For other attack
packets, the system discards them and thus cleans attack traffic to the specified target
threshold.
– If no, the system cleans attack traffic to the specified target threshold only by discarding
packets.

This provides an example for configuring anti-DDoS. The Anti-DDoS service needs to be
enabled for ExampleSubnet1 of a carrier.
Prerequisites
l 4.7 Configuring the Subnet is complete, and the name of the subnet to be protected is
ExampleSubnet1.
Figure 16-2 shows the networking of a carrier. The Anti-DDoS service needs to be enabled for
ExampleSubnet1. Requirements are as follows:
l The static baseline is adopted to detect DDoS attacks in the first seven days. After that, the
automatically-learned dynamic baseline is adopted to detect DDoS attacks.
l When the dynamic baseline is generated, Historical Traffic Weight is 80% and Tolerance
Deviation Percentage is 60%. In this case, the threshold for identifying attacks = baseline
value x (1 + 60%).
l Detection of abnormal packets, traffic cleaning, and fingerprint-based cleaning are enabled.

NOTE
When you are not certain about the static baseline, you can leave the cleaning functions disabled until the
automatic learning of the dynamic baseline is finished.
Figure 16-2 Networking diagram of the example for configuring the Anti-DDoS service
Internet
Anti-DDoS
Front
End
Back End
Intranet
ExampleSubnet1
Procedure
1. In the navigation tree, choose Security Defense > DDoS > DDoS Policy Package
Management.
2. Click Add.
3. Set Name to myDDoS, and click Save.
4. Select Static Baseline from Item Type, and click Add.
5. In the pop-up dialog box, select the check box of Abnormal Packet Detection. Set other
parameters as required, as shown in Figure 16-3.

Figure 16-3 Adding an Anti-DDoS policy package (1)
7. Select Dynamic Baseline from Item Type, and click Add.
10. Select Cleaning from Item Type, and click Add.
12. Click OK. The system returns to the previous page and displays the added policy item, as

Subnet And AS Domain Group > Policy Application.
2. Click Add.
Figure 16-7 Adding an Anti-DDoS policy package 5
----End

This describes the important parameters for configuring the Anti-DDoS service.
Table 16-1 shows the description for the important parameters of configuring the Anti-DDoS
service.

Table 16-1 Parameter description for configuring the Anti-DDoS service

Parameter Meaning How to Set
Name
Abnormal If the detection of abnormal packets is enabled, [Setting method] Select

packet the SIG detects and discards abnormal or the check box.
detection illegitimate packets. This function mainly
detects abnormal or illegitimate packets.
Historical The historical traffic weight indicates the [Setting method] Enter
traffic weight weight of the historical baseline value when the the historical traffic
current dynamic baseline is generated. Current weight in the text box.
dynamic baseline = maximum current traffic x
(1 - historical traffic weight) + historical
baseline value x historical traffic weight.
Learning This indicates the learning cycle of a dynamic [Setting method] Enter
cycle baseline. If the cycle of learning the dynamic the learning cycle in the
baseline does not end, the SIG adopts the static text box.
baseline to detect anomalies. After the learning
cycle ends, the system adopts the dynamic
baseline to detect anomalies.
In this case, if the traffic learning switch is not
disabled manually, the system adjusts the
dynamic baseline by continuously learning the
traffic on the current network.
Tolerance The tolerance deviation percentage is to [Setting method] Enter

deviation implement the weight calculation of the attack the tolerance deviation
percentage threshold together with the baseline value. percentage in the text box.
Attack threshold = baseline value x (1 +
tolerance deviation percentage).
Fingerprint The fingerprint clean switch is to enable the [Setting method] Select
clean switch function of fingerprint-based cleaning. the check box.
l If the fingerprint clean switch is enabled, for
the attack packets whose fingerprint
features can be extracted, the system
identifies their fingerprint features and
cleans the packets directly. For other attack
packets, the system discards them and thus
cleans attack traffic to the specified target
threshold.
l If the fingerprint clean switch is disabled,
the system only discards packets to clean
attack traffic to the specified target
threshold.

16.3 Querying Anti-DDoS Reports

To query the Anti-DDoS report for learning the running status of the service, you should perform
this task.
16.3.1 Overview
This describes the categories and functions of Anti-DDoS reports.
The system provides the following types of reports:
l Attack log
Through the attack log report, you can view details about the DDoS attacks of the specified
traffic type in the specified time range, including the logs of ongoing attacks and ended
attacks.
l Attack traffic
Through the attack traffic report, you can view the comparison of the attack traffic of the
specified type in the specified time range before and after cleaning.
l Dynamic baseline
Through the dynamic baseline report, you can view the current and history values of the
dynamic baseline of the protected subnet.

This describes how to query Anti-DDoS reports.
Prerequisites
l 16.2 Configuring the Anti-DDoS Service is complete.

Procedure
Step 2 In the navigation tree, choose Statistics and Analysis Report > DDoS. Select the reports to be
queried as required.

TIP
for the next query.
Task Reports.

NOTE
----End

This describes reports on the Anti-DDoS service and provides examples of the reports.
Report Navigation
NOTE
l Statistics and Analysis Report > DDoS > Attack Log
l Statistics and Analysis Report > DDoS > Attack Traffic
l Statistics and Analysis Report > DDoS > Dynamic Baseline
Statistics and Analysis Report > DDoS > Attack Log

Through this report, you can view the DDoS attacks of the specified traffic type in the specified
time range, including the logs of ongoing attacks and ended attacks.
Figure 16-8 shows the report example.
Figure 16-8 Example of the report of DDoS attack logs
Statistics and Analysis Report > DDoS > Attack Traffic

Through this report, the administrator can view the comparison of the attack traffic of the
specified type in the specified time range before and after cleaning.

Figure 16-9 Example of the report of DDoS attack traffic
Statistics and Analysis Report > DDoS > Dynamic Baseline

Through this report, you can view the current and history values of the dynamic baseline of the
protected subnet.

Figure 16-10 Example of the report of DDoS dynamic baselines

Configuration Guide 17 Anti-Botnet Service
17 Anti-Botnet Service
About This Chapter
The Anti-Botnet service can identify and control Botnet traffic on the network, thus providing
users with a secure network environment.
17.1 About the Anti-Botnet Service

This describes the basic concepts of the Anti-Botnet service.
17.2 Configuring the Anti-Botnet Service
To configure and apply the Anti-Botnet service, you should perform this task.
17.3 Querying Anti-Botnet Reports
To query Anti-Botnet reports for learning the running status of the service, you should perform
this task.

17.1 About the Anti-Botnet Service

l Botnet
A Botnet is a network where a controller infects many hosts with malicious bot programs
by one or various means. The controller and zombies form a one-to-multiple control
network.
By employing Botnets, hackers can not only launch DDoS attacks, intercept personal
confidential information, and spread malware, but also blackmail target Web sites or even
lease Botnets for their own interests. As a result, users' network environments are severely
threatened.
l Anti-Botnet service
The Anti-Botnet service protects users' network resources against the harms brought by
Botnets.Based on features of the Botnet programs, the SIG can detect and control Botnet
programs in advance (for example, alarming or blocking Botnet programs) to eliminate the
hidden security risks on the network. This service enhances user online experience and
protects carriers' reputation.
In in-line mode, the SIG supports bot program detection and control, and report query. In
off-line mode, the SIG supports only bot program detection, and the query of certain reports
(such as the detection log report).
Figure 17-1 shows the schematic diagram of the Anti-Botnet service.
Figure 17-1 Schematic diagram of the Anti-Botnet service
Router
Pass
Alarm
Block
Front End
BRAS
Botnet traffic
User Normal traffic

l Bot program
A bot program can either automatically implement predefined functions or be controlled
by predefined commands. Bot programs on Botnets perform malicious functions.
l Controller
A controller refers to a PC that spreads bot programs through zombie tools. The SIG can
identify level-1 controllers (who control zombies directly) on the network, and query related
information about controllers through reports on detection logs and controller statistics.
NOTE
For extranet controllers, the SIG can log their IP addresses only.
l Zombie
A zombie refers to a computer installed with malicious bot programs or other malicious
remote control programs.
l Zombie tool
A zombie tool is used by a controller to spread malicious bot programs.
l Anti-Malware Engine (AME)
As one type of the knowledge base of the SIG, the AME collects the features of known
worms and bot programs. The system analyzes the traffic passing by and matches virus
features in the AME. If a match is found, the traffic is regarded as malicious traffic, and
then implements further operation according to the predefined policy package, for example,
alarm or block.
17.2 Configuring the Anti-Botnet Service

To configure and apply the Anti-Botnet service, you should perform this task.
17.2.1 Overview
l Policy item type
– Control
– Block
The SIG blocks the traffic infected with bot programs.
– Pass
The SIG allows the traffic infected with bot programs through.
– Alarm
The SIG pushes alarms to users, notifying them of the Botnet program.
Alarming is applicable to the subscribers infected with bot programs only. The SIG
pushes an alarm only when subscribers access HTTP Web sites such as
www.example.com/news.
The Anti-Botnet service of the SIG performs control policies towards controllers, and it
performs control and alarm policies towards the Botnet programs to ensure that all Botnet
traffic passing through the SIG is processed. In so doing, users are provided with secure
network environments.

in the system.

This provides an example for configuring Anti-Botnet for subscribers.
Prerequisites
l The current user has the Security Defense service permission.
The SIG is deployed at the access layer of a MAN in in-line mode, as shown in Figure 17-2.
After the anti-Botnet service for subscribers in the haidian district is enabled, the SIG pushes
an alarm page (suppose that the page is www.alarm.com) to the users infected with bot
programs, and blocks the Botnet traffic.
Requirements for configuring the Anti-Botnet service are as follows:
l Alarm URL www.alarm.com is specified.
l Subscriber-based policy package botnet is configured.
l The policy package should contain alarm policy item botnet_alarm, policy object
Zombie, and alarm URL www.alarm.com.
l The policy package should contain control policy item botnet_control, policy object
Zombie, and control mode Block.

Figure 17-2 Typical networking of the Anti-Botnet service
Router
Front End Back End
DPI system
BRAS
Users
Procedure
2. Click Add.
alarm URL is saved.


1. In the navigation tree, choose Security Defense > Botnet > Botnet Subscriber Policy
Package Management.
2. Click Add.
3. Configure policy package botnet and click Save in the pop-up dialog box.
4. Select Alarm from Item Type and click Add.
5. Configure policy item botnet_alarm in the pop-up dialog box, as shown in Figure 17-4.
Alarm.
7. Select Control from Item Type and click Add.
8. Configure policy item botnet_control in the pop-up dialog box, as shown in Figure
17-5.
Figure 17-5 Adding a control policy item


Policy Application.
2. Click Add.

4. Click OK. Applying the policy package is complete.

----End

This provides an example for configuring Anti-Botnet for VICs.
Prerequisites
After the anti-Botnet service for VICs in the haidian district is enabled, the SIG blocks all
identified Botnet traffic, including that of controllers and zombies.
Requirements for configuring the Anti-Botnet service are as follows:
l VIC-based policy package botnet is configured.
l The policy package contains two control policy items botnet_control1 and
botnet_control2.
The policy objects of policy items botnet_control1 and botnet_control2 are controller
and zombie respectively. The control modes for both policy items are Block.
Figure 17-7 Typical networking of the Anti-Botnet service
Router
Front End Back End
DPI system
BRAS
Users

Procedure

1. In the navigation tree, choose Security Defense > Botnet > Botnet VIC Policy Package
Management.
2. Click Add.
3. Configure policy package botnet and click Save in the pop-up dialog box.
5. Configure policy item botnet_control1 in the pop-up dialog box, as shown in Figure
17-8.
7. Click Add and configure policy item botnet_control2 in the pop-up dialog box, as shown
in Figure 17-9.

2. Click Add.
----End
17.3 Querying Anti-Botnet Reports

To query Anti-Botnet reports for learning the running status of the service, you should perform
this task.
17.3.1 Overview
This describes the classifications, functions, and related concepts of Anti-Botnet reports.
The classifications and functions of Anti-Botnet reports are as follows:
l Top N tools by detected count

Through this report, you can view top N zombie tools by detected count in the descending
order, based on query conditions such as the analysis object and time range.
l Top N customers by detected packet number

Through this report, you can view the information about top N customers by detected packet
number in the descending order, based on query conditions such as the analysis object and
zombie tool.
l Detection log
Through this report, you can view the information about Botnet detection logs (including
the botnet flag and discovery time) within the given time range, based on query conditions
such as the analysis object and zombie tool.
l Controller statistics
Through this report, you can view statistics on Botnet controllers (including the zombie
tool and count) within the given time range, based on query conditions such as the analysis
object and zombie tool.
l Area statistics
Through this report, you can view statistics on Botnet controllers, zombies, and zombie
tool types (including the analysis object and time) in the specified area, based on query
conditions such as the analysis object and time range.
l Control count statistics
Through this report, you can view statistics on Botnet control counts (including the analysis
object and zombie tool) within the given time range, based on query conditions such as the
analysis object and zombie tool.

This describes how to query Anti-Botnet service reports.
Prerequisites
Procedure
Step 2 In the navigation tree, choose Statistics and Analysis Report > Botnet.
TIP
for the next query.
Task Reports.

NOTE
----End

This describes reports on Anti-Botnet and provides examples of the reports.
Report Navigation
NOTE
l Statistics and Analysis Report > Botnet > Subscriber/VIC > Top N Tools by Detected
Count
l Statistics and Analysis Report > Botnet > Subscriber/VIC > Top N Customers by
Detected Packet Number
l Statistics and Analysis Report > Botnet > Subscriber/VIC > Detection Log
l Statistics and Analysis Report > Botnet > Subscriber/VIC > Controller Statistics
l Statistics and Analysis Report > Botnet > Subscriber/VIC > Area Statistics
l Statistics and Analysis Report > Botnet > Subscriber/VIC > Control Count Statistics
Statistics and Analysis Report > Botnet > Subscriber/VIC > Top N Tools by
Detected Count
Through this report, you can view statistics on top N tools by detected count in the descending
order for the specified subscriber/VIC within a given time range.
Figure 17-11 shows report screenshot of top 5 tools by detected count for subscribers in an area

Figure 17-11 Example of the report on top 5 tools by detected count
Statistics and Analysis Report > Botnet > Subscriber/VIC > Top N Customers by
Detected Packet Number
Through this report, you can view statistics on top N customers by detected packet number in
the descending order for the specified subscriber/VIC within a given time range.
Figure 17-12 shows report screenshot of top 5 customers by detected packet number for
subscribers in an area within a given time range.

Figure 17-12 Example of the report on top 5 customers by detected packet number
Statistics and Analysis Report > Botnet > Subscriber/VIC > Detection Log
Through this report, you can view statistics on the detection logs of Botnets for the specified
subscriber/VIC within a given time range.
Figure 17-13 shows report screenshot of the detection logs of Botnets for subscribers in an area

Figure 17-13 Example of the report on detection logs
Statistics and Analysis Report > Botnet > Subscriber/VIC > Controller Statistics
Through this report, you can view the information about the specified subscriber/VIC as the
controllers within a given time range.
The controller statistics report provides information about controllers on both internal and
external networks. The system, however, can only detects the IP addresses of controllers on
external networks. Therefore, to query information about a controller on the external network,
you need to set the IP address. You can obtain the IP address of the controller by querying the
detection log report.
Figure 17-14 shows report screenshot of the controller statistics of subscribers in an area within
a given time range.

Figure 17-14 Example of the report on controller statistics
Statistics and Analysis Report > Botnet > Subscriber/VIC > Area Statistics
Through this report, you can view statistics on the Botnet detection information (including
statistics on the total numbers of controllers, zombies, and zombie tools) for subscribers/VICs
in the specified area within a given time range.
Figure 17-15 shows report screenshot of statistics on the total number of zombies for subscribers
in an area within a given time range.

Figure 17-15 Example of the report on area statistics
Statistics and Analysis Report > Botnet > Subscriber/VIC > Control Count Statistics
Through this report, you can view counts for the specified subscriber/VIC to control Botnets by
blocking connection numbers or pushing alarms within a given time range.
Figure 17-16 shows report screenshot of alarm pushing counts for subscribers in an area within
a given time range.

Figure 17-16 Example of the report on control count statistics

Configuration Guide 18 Anti-Worm Service
18 Anti-Worm Service
About This Chapter
The Anti-Worm service can identify and control worm traffic on the network, thus providing
users with a secure network environment.
18.1 About the Anti-Worm Service

This describes the basic concepts of the Anti-Worm service.
18.2 Configuring the Anti-Worm Service
To configure and apply the Anti-Worm service, you should perform this task.
18.3 Querying Anti-Worm Reports
To query Anti-Worm reports for learning the running status of the service, you should perform
this task.

18.1 About the Anti-Worm Service

l Worm
A worm is a program with the spreading function. This program, comprising malicious
codes, can spread itself to other PCs without manual intervention. The significant feature
of worms is their self-replication.
l Anti-Worm Service
Recently, network users severely fall victims to variable and flooding worms. Worms
consume huge network resources and may be accompanied by other viruses with specific
purposes, which may lead to the leakage of network users' private information, loss of large
amounts of confidential information, network fraud, or network breakdown. As a result,
network users cannot normally enjoy the convenience of networks, their personal
information may be leaked, and carriers' reputation may be severely damaged.
The Anti-Worm service detects and controls worms in advance (for example, blocking
worms) to eliminate the hidden security risks on the network. This service enhances user
online experience and protect carriers' reputation.
In in-line mode, the SIG supports worm detection and control, and report query. In off-line
mode, the SIG supports worm detection only.
Figure 18-1 shows the schematic diagram of the Anti-Worm service.
Figure 18-1 Schematic diagram of the Anti-Worm service
Router
Pass
Alarm
Block
Front End Limit
BRAS
Worm traffic
User Normal traffic
l Anti-Malware Engine (AME)

As one type of the knowledge base of the SIG, the AME collects the features of known
worms and Bot programs. The system analyzes the traffic passing by and matches virus
information in the AME. If the match succeeds, the traffic is regarded as malicious traffic,
and then the corresponding operation (alarm or control) is required.
18.2 Configuring the Anti-Worm Service

To configure and apply the Anti-Worm service, you should perform this task.
18.2.1 Overview
l Policy item type

– Control
– Pass
The SIG allows worm traffic through.
– Block
The SIG blocks worm traffic.
– Limit
The SIG limits worm traffic, allowing certain traffic through. This policy is only
applicable to the Anti-Worm service of links.
– Alarm
The SIG pushes alarms to users, notifying them of the worm threat. This policy is only
applicable to the Anti-Worm service of subscribers.
in the system.
18.2.2 Typical Configuration Example 1 (Links)

This provides an example for configuring Anti-Worm for links.
Prerequisites
The SIG is deployed at the egress of a MAN in in-line mode, as shown in Figure 18-2. It is
required to process worm traffic on 10G-1-1-linka as follows:
l When identifying that worm traffic bandwidth on the link is lower than 10 Mbit/s, the
SIG allows all the traffic through.

l When identifying that the worm traffic bandwidth on the link is between 10 Mbit/s and 20
Mbit/s, the SIG allows only 5 Mbit/s traffic through.
l When identifying that the worm traffic bandwidth on the link is higher than 20 Mbit/s, the
SIG blocks the traffic.
Figure 18-2 Typical networking of the Anti-Worm service
Router
Front End Back End
DPI system
BRAS
Users
Requirements for configuring the anti-worm service are as follows:
l Configure link-based policy package worm.

l This policy package should contain two policy items:
– If the threshold is 10 Mbit/s, configure traffic limiting policy item worm1: When the
worm traffic volume is lower than 10 Mbit/s, the system allows the traffic through:
When the worm traffic volume is higher than 10 Mbit/s, the system limits the traffic
and allows only 5 Mbit/s traffic through.
– If the threshold is 20 Mbit/s, configure blocking policy item worm2: When the worm
traffic volume is higher than 20 Mbit/s, the system blocks the traffic.
NOTE
The threshold is for traffic of links. Data configuration engineers can set the threshold according to the
actual network traffic volume. When the traffic volume is equal to or higher than the threshold, the system
takes corresponding control measures, such as pass, block, or limit. In this example, when the threshold is
set to 10 Mbit/s, the system performs the limit policy, and when the threshold is set to 20 Mbit/s, the system
performs the block policy.
Procedure

1. In the navigation tree, choose Security Defense > Worm > Worm Link Policy Package
Management.
2. Click Add.
3. Configure policy package worm and click Save in the pop-up dialog box.
5. Configure policy item worm1 in the pop-up dialog box, as shown in Figure 18-3.
Figure 18-3 Adding policy item worm1
7. Repeat Step 2.4 to Step 2.6 to configure policy item worm2, as shown in Figure 18-4.
Figure 18-4 Adding policy item worm2

2. Click Add.

----End

This provides an example for configuring Anti-Worm for subscribers.
Prerequisites
After the anti-worm service for subscribers in the haidian district is enabled, the SIG pushes an

alarm page (suppose that the page is www.alarm.com) to the users infected with worms, and
blocks worm traffic.
Requirements for configuring the Anti-Worm service are as follows:
l Alarm URL www.alarm.com is specified.
l Subscriber-based policy package worm is configured.
l This policy package should contain one alarm policy item whose alarm URL is
www.alarm.com.
l The policy package should contain one control policy item whose control type is block.
Router
Front End Back End
DPI system
BRAS
Users
Procedure
2. Click Add.
alarm URL is saved.


1. In the navigation tree, choose Security Defense > Worm > Worm Subscriber Policy
Package Management.
2. Click Add.
4. Select Alarm from Item Type and click Add.
5. Set the alarm URL in the pop-up dialog box, as shown in Figure 18-8.
Alarm.
8. Set Control Type to Block in the pop-up dialog box, as shown in Figure 18-9.

Figure 18-9 Adding a control policy item
Policy Application.
2. Click Add.

----End

This provides an example for configuring Anti-Worm for VICs.
Prerequisites
After the anti-worm service for VICs in the haidian district is enabled, the SIG blocks all the
identified worm traffic.
Requirements for configuring the Anti-Worm service are as follows:
l VIC-based policy package worm is configured.

l The policy package should contain one control policy item whose control type is block.

Router
Front End Back End
DPI system
BRAS
Users
Procedure

1. In the navigation tree, choose Security Defense > Worm > Worm VIC Policy Package
Management.
2. Click Add.
5. Set Control Type to Block in the pop-up dialog box, as shown in Figure 18-12.


2. Click Add.
----End
18.3 Querying Anti-Worm Reports

To query Anti-Worm reports for learning the running status of the service, you should perform
this task.
18.3.1 Overview
This describes the classifications and functions of Anti-Worm reports.
The classifications and functions of Anti-Worm reports are as follows:
l Subscriber
– Top N Customers by Attack Packet Number

Through this report, you can view statistics on top N customers by attack packet number
(including the number of attack packets and that of attacked packets) for the specified
subscriber within a given time range.
– Attack Log
Through this report, you can view statistics on attack logs for specified subscribers
– Control Count Statistics
Through this report, you can view statistics on worm traffic control counts (including
block and alarm counts) for specified subscribers within a given time range.
l Very Important Customer
– Top N Customers by Attack Packet Number
for the specified VIC within a given time range.
– Top N Customers by Attacked Packet Number
Through this report, you can view statistics on top N customers by attacked packet
number for the specified VIC within a given time range.
– Attack Statistics by IP Address
Through this report, you can view statistics on IP addresses from which worm attacks
are launched for a specified VIC within a given time range.
– Attack Log
Through this report, you can view statistics on the logs of worm attacks for the VIC at
the specified IP address within a given time range.
– Attacked Statistics by IP Address
Through this report, you can view statistics on the IP addresses attacked by worms for
a specified VIC within a given time range.
– Attacked Log
Through this report, you can view statistics on worm-attacked logs for the VIC at the
specified IP address within a given time range.
– Control Count Statistics of Attacking VICs
Through this report, you can view statistics on worm attack control counts for a specified
VIC within a given time range.
– Control Count Statistics of Attacked VICs
Through this report, you can view statistics on worm-attacked counts for a specified
l Link
– Top N Worms by Attack Packet Number
Through this report, you can view statistics on top N worms by attack packet number
(including the number of attack packets and that of attacked packets) for the specified
link within a given time range.
– Attack Log
Through this report, you can view statistics on attack logs for a specified link within a
given time range.
– Control Statistics

Through this report, you can view statistics on the control (including block times,
blocked traffic, and the number of blocked packets) over worm traffic on a specified

This describes how to query Anti-Worm reports.
Prerequisites
Procedure
Step 2 In the navigation tree, choose Statistics and Analysis Report > Worm.
TIP
for the next query.
Task Reports.

NOTE
----End
18.3.3 Report Examples (Subscribers)

This describes reports on the Anti-Worm service and provides examples of the reports.
Report Navigation
NOTE
l Statistics and Analysis Report > Worm > Subscriber > Top N Customers by Attack
Packet Number

l Statistics and Analysis Report > Worm > Subscriber > Attack Log
l Statistics and Analysis Report > Worm > Subscriber > Control Count Statistics
Statistics and Analysis Report > Worm > Subscriber > Top N Customers by Attack
Packet Number
(including the number of attack packets and that of attacked packets) for the specified subscriber
Figure 18-14 shows report screenshot of top 3 customers by attack packet number for subscribers
Figure 18-14 Example of the report on top 3 customers by attack packet number

Statistics and Analysis Report > Worm > Subscriber > Attack Log
Through this report, you can view statistics on attack logs for specified subscribers within a
given time range.
Figure 18-15 shows the report screenshot of the attack logs of specified customers within a
given time range.
Figure 18-15 Example of the report on attack logs
Statistics and Analysis Report > Worm > Subscriber > Control Count Statistics
Through this report, you can view statistics on worm traffic control counts (including block and
alarm counts) for specified subscribers within a given time range.
Figure 18-16 shows the report screenshot of worm traffic block counts of specified customers

Figure 18-16 Example of the report on control count statistics
18.3.4 Report Examples (VICs)

This describes reports on the Anti-Worm service and provides examples of the reports.
Report Navigation
NOTE
l Statistics and Analysis Report > Worm > VIC > Top N Customers by Attack Packet
Number
l Statistics and Analysis Report > Worm > VIC > Top N Customers by Attacked Packet
Number
l Statistics and Analysis Report > Worm > VIC > Attack Statistics by IP Address

l Statistics and Analysis Report > Worm > VIC > Attack Log
l Statistics and Analysis Report > Worm > VIC > Attacked Statistics by IP Address
l Statistics and Analysis Report > Worm > VIC > Attacked Log
l Statistics and Analysis Report > Worm > VIC > Control Count Statistics of Attacking
VICs
l Statistics and Analysis Report > Worm > VIC > Control Count Statistics of Attacked
VICs
Statistics and Analysis Report > Worm > VIC > Top N Customers by Attack Packet
Number
Through this report, you can view statistics on top N customers by attack packet number for the
specified VIC within a given time range.
Figure 18-17 shows report screenshot of top 2 customers by attack packet number for VICs in
a specified area within a given time range.
Figure 18-17 Example of the report on top 2 customers by attack packet number

Statistics and Analysis Report > Worm > VIC > Top N Customers by Attacked
Packet Number
Through this report, you can view statistics on top N customers by attacked packet number for
the specified VIC within a given time range.
Figure 18-18 shows report screenshot of top 2 customers by attacked packet number for VICs
Figure 18-18 Example of the report on top 2 customers by attacked packet number

Statistics and Analysis Report > Worm > VIC > Attack Statistics by IP Address
Through this report, you can view statistics on IP addresses from which worm attacks are
launched for a specified VIC within a given time range.
Figure 18-19 shows the report screenshot of IP addresses from which worm attacks are launched
for a specified VIC within a given time range.
Figure 18-19 Example of the report on attack IP addresses
Statistics and Analysis Report > Worm > VIC > Attack Log
Through this report, you can view statistics on the logs of worm attacks for the VIC at the
specified IP address within a given time range.
Figure 18-20 shows the report screenshot of the logs of worm attacks for the VIC at an IP address

Statistics and Analysis Report > Worm > VIC > Attacked Statistics by IP Address
Through this report, you can view statistics on the IP addresses attacked by worms for a specified
Figure 18-21 shows the report screenshot of the IP addresses attacked by worms for a specified
Figure 18-21 Example of the report on attacked IP addresses
Statistics and Analysis Report > Worm > VIC > Attacked Log
Through this report, you can view statistics on worm-attacked logs for the VIC at the specified
IP address within a given time range.
Figure 18-22 shows the report screenshot of worm-attacked logs for the VIC at an IP address
Figure 18-22 Example of the report on attacked logs

Statistics and Analysis Report > Worm > VIC > Control Count Statistics of
Attacking VICs
Through this report, you can view statistics on worm attack control counts for a specified VIC
Figure 18-23 shows the report screenshot of worm attack control counts for a specified VIC
Figure 18-23 Example of the report on attack control count statistics
Statistics and Analysis Report > Worm > VIC > Control Count Statistics of Attacked
VICs
Through this report, you can view statistics on worm-attacked counts for a specified VIC within
a given time range.
Figure 18-24 shows the report screenshot of worm-attacked control counts for a specified VIC

Figure 18-24 Example of the report on attacked control count statistics
18.3.5 Report Examples (Links)

This describes reports on Anti-Worm services and provides examples of the reports.
Report Navigation
NOTE
l Statistics and Analysis Report > Worm > Link > Top N Worms by Attack Packet
Number
l Statistics and Analysis Report > Worm > Link > Attack Log

l Statistics and Analysis Report > Worm > Link > Control Statistics
Statistics and Analysis Report > Worm > Link > Top N Worms by Attack Packet
Number
Through this report, you can view statistics on top N worms by attack packet number (including
the number of attack packets and that of attacked packets) for the specified link within a given
time range.
Figure 18-25 shows report screenshot of top 5 worms by attack packet number for a link within
a given time range.
Figure 18-25 Example of the report on top 5 worms by attack packet number

Statistics and Analysis Report > Worm > Link > Attack Log
Through this report, you can view statistics on attack logs for a specified link within a given
time range.
Figure 18-26 shows the report screenshot of the attack logs of a specified link within a given
time range.
Statistics and Analysis Report > Worm > Link > Control Statistics
Through this report, you can view statistics on the control (including block times, blocked traffic,
and the number of blocked packets) over worm traffic on a specified link within a given time
range.
Figure 18-27 shows the report screenshot of the number of blocked worm packets on a specified

Figure 18-27 Example of the report on control statistics

Configuration Guide 19 Security Service
19 Security Service
About This Chapter
Through the security service, the SIG can filter malicious URLs, and implement the Anti-Botnet
and Anti-Worm, providing a secure network environment for network users subscribing to the
service.
19.1 About the Security Service

This describes the basic concepts of security service.
19.2 Configuring Security Service
To configure and apply security service, you should refer to this part.
19.3 Querying Security Service Reports
To query malicious URL blocking log reports for the running status of the service, you should
refer to this part.

19.1 About the Security Service

This describes the basic concepts of security service.
Malicious URL Filtering

With the popularity of broadband networks and the increase of malicious Web sites and malware
sites, network security becomes a great concern. When subscribers and VICs subscribing to the
malicious URL filtering function access malicious Web sites, the access is blocked or the
interface is redirected to the alarm page.
The SIG supports dividing URLs into different categories, and configuring control policies for
the URLs of a certain category. Malicious Web sites is a URL category.
Figure 19-1 shows the typical networking of malicious URL filtering.
Figure 19-1 Typical networking diagram of malicious URL filtering
Con
down tent
loadi
n g
DSE system
fic
t raf
TP ing
HT irror
m
Front End
UCDB UCSP
BRAS
UCSS
Service traffic
...
Malicious URL information
Users Mirrored traffic
l UCSS (URL Category Searching Server)

The UCSS classifies the collected data and provides URL category query for the Service
Probe System (SPS).

l UCDB (URL Category Database)

The UCDB, in charge of data storage, obtains upgrade data from the UCSP regularly, and
synchronizes the data to all UCSSs.
l UCSP (URL Category Service Platform)
The UCSP provides the upgrade service of the URL category database predefined by the
system for the URL category server.
l DSE (Dynamic Scan Engine)
The DSE system implements real-time monitoring on malicious Web sites; however, if the
DSE system is not deployed, the UCDB regularly updates URL category information to
the UCSP.
The DSE detects the URLs of the malicious Web sites and software accessed by users, and
redirects those malicious URLs to alarm pages, thus protecting users against viruses.
Moreover, the DSE can extract URL access requests from upstream HTTP traffic and
identify the URLs with viruses and malicious code. In addition, the DSE detects the target
files in downloading links and checks whether the downloading links are malicious.
URL Category Database

l Predefined Category Database
The predefined category database includes mapping between predefined URLs of the
SIG system and URL categories.
The predefined category database supports automatic updates. The URL category server
periodically sends update requests for the predefined category database to the UCSP, and
submits the version number of the local URL category database to the UCSP when sending
the request. The UCSP filters out the records to be updated and sends the record back to
the URL category server, thus updating the predefined category database.
l DSE Category Database
The DSE category database updates malicious URLs in real time. If upstream HTTP Get
packets are identified, the SPS mirrors them and then sends them to the DSE. Then the DSE
sends identified new malicious URL entries or the ones to deleted to the UCDB in message
format. Upon startup, the SPS first synchronizes all current malicious URLs with the
UCDB, and during operation, periodically sends requests to the UCDB for DSE category
database updates.
l User-Defined Category Database
Data configuration engineers can configure user-defined URL categories and add the
categories to the user-defined category database after logging in to the management server.
In addition to precise URL matching, the SIG system also supports blurry URL matching.
This allows data configuration engineers to configure user-defined URL categories, URLs,
and URL priorities for blurry matching through the management server.
URL Category Query

When the SIG system is deployed on the network, the SPS on the front end of SIG can detect
all upstream HTTP Get packets, and extract URLs by resolving HTTP Get packets. The SPS
queries the URL category in the following order until the category is queried or the predefined
category database query is completed.
1. URL category information cached in the SPS.
Certain URL category information is in the SPS cache. After the SPS extracts a URL
through resolution, the corresponding URL category information is first queried in the SPS

cache. For the implementation of URL policies, the user-defined category enjoys the
highest priority, then the DSE category, and last the predefined category.
l If the URL matches a user-defined category in the SPS cache, control is implemented
according to the corresponding control policy for the user-defined category.
l If the URL matches a predefined category in the SPS cache, control is implemented
according to the corresponding control policy for the predefined category.
l If the URL matches a DSE category in the SPS cache, the SPS needs to query the UCSS
for the corresponding category information of the URL.
– If the URL matches a user-defined category in the UCSS, control is implemented
according to the corresponding control policy for the user-defined category. Then
the DSE and user-defined category information is both cached in the SPS for the
URL. If the URL is re-accessed, it can be queried directly from the cache.
– If the URL matches a predefined category in the UCSS, control is implemented
according to the corresponding control policy for the DSE category. Then the DSE
and predefined category information is both cached in the SPS for the URL. If the
URL is re-accessed, it can be queried directly from the cache.
l If the URL matches both the user-defined category and the DSE category in the SPS
cache, control is implemented according to the corresponding control policy for the
user-defined category. If there is no policy for the user-defined category, control is
implemented according to the corresponding control policy for the DSE category.
l If the URL matches both the DSE category and the predefined category in the SPS
cache, control is implemented according to the corresponding control policy for the
DSE category. If there is no policy for the DSE category, control is implemented
according to the corresponding control policy for the predefined category.
2. User-defined category database of the URL category server.
When the category information corresponding to the URL cannot be queried in the SPS
cache, the SPS requests the query of the category information corresponding to the URL
to the URL category server. There are three kinds of URL category databases on the URL
category server: user-defined category database, user-defined blurry category database, and
predefined category database. The user-defined category database is queried first.
3. URL category server (user-defined blurry category database, queried according to the
priority of the blurry URL.).
When the URL category cannot be queried in the user-defined URL category database, the
URL category server queries the user-defined blurry category database.
4. URL category server (predefined category database).
When the URL category cannot be queried in the user-defined URL blurry category
database, the URL category server queries predefined category database.
If the query on the predefined category database is complete, but the URL category still cannot
be queried, the URL is identified as an unknown URL and stored on the URL category server.
The URL category server periodically reports unknown URLs to the UCSP.
Category-based URL Control

The category-based URL control is realized through policy delivery. When the policy server is
enabled or the policy is changed, the policy server delivers the policy package to the Service
Analysis System (SAS). The SAS forwards the policy package to the SPS cache. For the URL
whose category is available, the SPS queries the category policy defined in the policy package
in the SPS cache, and then blocks or allows the access to such URLs, or pushes an alarm
according to the queried category policy.

If the policy corresponding to the URL category is not found in the SPS, the URL is allowed.
Anti-Botnet and Anti-Worm

Anti-Botnet and Anti-Worm are similar to their corresponding services. For details, see 17 Anti-
Botnet Service and 18 Anti-Worm Service.
The difference lies in: Anti-Botnet and Anti-Worm in security services can be provided for
terminal users as packages. Data configuration engineers need to configure their policies first.
Then terminal users subscribe to Anti-Botnet and Anti-Worm packages on the Portal, thus
defending against Botnets and worms.
19.2 Configuring Security Service

To configure and apply security service, you should refer to this part.
19.2.1 Overview
To configure security service, you need to learn related concepts.
Concepts related to security service are as follows:
l Traffic Mirroring
For details, see 10.1 About the Traffic Mirroring/Diversion Service. To monitor
malicious Web sites in real time, you need to mirror HTTP traffic passing through the Front
End of the SIG to the DSE for analysis.
l Portal
The SIG needs to interwork with the carrier Portal to realize the configuration and
application of malicious URL filtering.
Users can subscribe to malicious URL filtering on the Portal.
l Worm and Botnet
For worm- and Botnet-related concepts, see 17 Anti-Botnet Service and 18 Anti-Worm
Service.
in the system.

This describes the procedure for configuring security service in detail.
Figure 19-2 shows the configuration procedure of malicious URL filtering.

Figure 19-2 Procedure for configuring malicious URL filtering

Start
Are you to realize real-time No

malicious URL monitoring?
Yes
Configure the mirroring interface
The data configuration engineer Is the mirroring interface Yes

performs configurations on the directly connected to the DSE
Front End of the DPI system. through Ethernet cables?
No
Configure the destination

MAC address replacement
Add a mirroring policy package
The data configuration engineer

Apply the mirroring policy package
performs configurations on the
Back End of the DPI system.
Configure the malicious URL filtering policy
Subscribers subscribe
Subscribe to malicious URL filtering
on the Portal.
End
Table 19-1 shows the procedure description of malicious URL filtering.
Table 19-1 Procedure description of malicious URL filtering

Action Description

Action Description
Configure the You need to confirm whether to enable the destination MAC address
destination MAC replacement according to the current network environment.
address replacement l When the mirroring interface is directly connected to the third-
party device through Ethernet cables, you don't need configure the
l When the mirroring interface is connected to the third-party device
through a Layer-2 device, you should enable the destination MAC
address replacement and set the destination MAC address.
By default, the destination MAC address replacement is disabled.
Add a mirroring A policy package can contain one or multiple policy items.
Apply the mirroring Apply the added policy package to service objects.
Policy Application.
Application.
Configure the By configuring the security service policy, data configuration

malicious URL engineers can encapsulate security service as packages for users to
filtering policy select.
choose Value-added Service > Security Service > Malicious URL
Filtering Policy Management.
Subscribe to Users can implement security service only after subscribing to them.
malicious URL Operation location: Portal.
filtering
19.2.3 Typical Configuration Example (Malicious URL Filtering)

This provides an example for configuring malicious URL filtering for subscribers. In this
example, data configuration engineers configures a malicious URL filtering policy, and user
user1 enables the malicious URL filtering function.
Prerequisites

l 4.2 Configuring the Subscriber is complete and subscriber user1 is added.

The carrier needs to configure and apply malicious URL filtering. Figure 19-3 shows the
networking.
Figure 19-3 Networking diagram of malicious URL filtering
Con
down tent
loadi
n g
Link:1G-80-2-link_2 DSE system

g
rin /0/
1
rro E3
mi :G
ffic e
ra ac
Pt erf
HT
T
g int
rin
ri ro
M
Front End
UCDB UCSP
BRAS
UCSS
Service traffic
...
Malicious URL information
Users Mirrored traffic
The Front End of the SIG directly connects to the Back End and the third-party system through
the management interface respectively. The system mirrors HTTP upstream traffic passing
through the Front End of the SIG.
Traffic goes through the Front End of the SIG along link 1G-80-2-link_2, and interface 1 of the
LPU in slot 3 mirrors HTTP traffic to the cache system. This interface belongs to mirroring
group 1.
Procedure
Step 2 Configure the mirroring interface.


2. Click Add.
5. Set the parameters of policy item http in the dialog box that is displayed. Figure 19-4
Figure 19-4 Configuring policy item http

2. Click Add.

4. Click OK.
Step 6 Configure the malicious URL filtering policy.

1. In the navigation tree, choose Value-added Service > Security Service > Malicious URL
Filtering Policy Management.
2. Click Add.
Alarm.
Figure 19-6 Configuring the malicious URL filtering policy

4. Click OK.
Step 7 Log in to the Portal with account user1.
Step 8 Subscribe to malicious URL filtering.
----End
19.3 Querying Security Service Reports

To query malicious URL blocking log reports for the running status of the service, you should
refer to this part.
19.3.1 Overview
This describes all the types of security service reports.
Security service reports fall into the following types:
l Botnet blocking logs of subscribers

You can query the botnet blocking log information of subscribers by botnet tool and time
range.
l Worm blocking logs of subscribers
You can query the worm blocking log information of subscribers by worm type and time
range.
l Malicious URL blocking logs of subscribers
You can query the malicious URL blocking log information of subscribers by URL category
and time range.
l Botnet blocking logs of common VICs
You can query the botnet blocking log information of VICs by botnet tool and time range.
l Worm blocking logs of common VICs
You can query the worm blocking log information of VICs by worm type and time range.
l Malicious URL blocking logs of VICs
You can query the malicious URL blocking log information of VICs by URL category and
time range.

This describes how to query security service reports.
Prerequisites


Procedure
Step 2 In the navigation tree, choose Statistics and Analysis Report > Security Service. Select the
reports to be queried as required.
TIP
for the next query.
Task Reports.

NOTE
----End

This describes reports on security service and provides examples of the reports.
Report Navigation
NOTE
l Statistics and Analysis Report > Security Service > Subscriber > Botnet Block Log
l Statistics and Analysis Report > Security Service > Subscriber > Worm Block Log
l Statistics and Analysis Report > Security Service > Subscriber > Malicious URL Block
Log
l Statistics and Analysis Report > Security Service > Very Important Customer >
Botnet Block Log
Worm Block Log
Malicious URL Block Log
Statistics and Analysis Report > Security Service > Subscriber > Botnet Block Log
Through this report, you can view the blocking of botnet for subscribers within a given time
range.

Figure 19-7 shows report screenshot of the blocking of botnet for a subscriber.
Figure 19-7 Example of the log report on the blocking of botnet for subscribers
Statistics and Analysis Report > Security Service > Subscriber > Worm Block Log
Through this report, you can view the blocking of worm for subscribers within a given time
range.
Figure 19-8 shows report screenshot of the blocking of worm for a subscriber.
Figure 19-8 Example of the log report on the blocking of worm for subscribers
Statistics and Analysis Report > Security Service > Subscriber > Malicious URL
Block Log
Through this report, you can view the blocking of malicious URLs for subscribers within a given
time range.
Figure 19-9 shows report screenshot of the blocking of malicious URLs for a subscriber.

Figure 19-9 Example of the log report on the blocking of malicious URLs for subscribers
Statistics and Analysis Report > Security Service > Very Important Customer >
Botnet Block Log
Through this report, you can view the blocking of botnet for VICs within a given time range.
Figure 19-10 shows report screenshot of the blocking of botnet for a VIC.
Figure 19-10 Example of the log report on the blocking of botnet for VICs
Worm Block Log
Through this report, you can view the blocking of worm for VICs within a given time range.
Figure 19-11 shows report screenshot of the blocking of worm for a VIC.

Figure 19-11 Example of the log report on the blocking of worm for VICs
Malicious URL Block Log
Through this report, you can view the blocking of malicious URLs for VICs within a given time
range.
Figure 19-12 shows report screenshot of the blocking of malicious URLs for a VIC.
Figure 19-12 Example of the log report on blocking of malicious URLs for VICs

Configuration Guide 20 iPush
20 iPush
About This Chapter
iPush is an information push system which pushes information to the specified user groups. By
using the iPush system, carriers can make full use of current network resources to carry out
value-added services.
20.1 Getting Started

The iPush system is a subsystem of the SIG system to push information to users. Before getting
started, you are advised to learn the basic knowledge and configuration flow of the iPush system
from here.
20.2 Permission Management
Permission management is required when multiple administrators manage the iPush service
together. Configuring roles and administrators implements the permission-based and area-based
management of the iPush system, and managing address segments and online administrators
implements the security management of the iPush system.
20.3 System Management
The iPush Web server needs to interwork with the Information Server to push information.
Before using the iPush service, configure the Information Server. Setting parameters about
system security can improve the security of the iPush system.
20.4 Service Management
After the initial configuration of the iPush system is complete, you can implement service
management to start information push. This section describes the configuration flow of the iPush
service and provides examples for explaining the configuration process.
20.5 Report Management
This section describe how to collect statistics on and view the push times of a policy, and the
push times to different users. You can perform this task to view information push effects.
20.6 Appendix

20.1 Getting Started

The iPush system is a subsystem of the SIG system to push information to users. Before getting
started, you are advised to learn the basic knowledge and configuration flow of the iPush system
from here.
20.1.1 Login Mode

The iPush system is a subsystem of the SIG system, and employs an independent Web
management page. After logging to the iPush system using the browser, the administrator can
configure the iPush service.
Prerequisites
The IP address of the management terminal is within the IP address segment for logging in to
the iPush system.
NOTE
The iPush system allows login from all IP addresses by default. To set the IP address segment for logging
in to the iPush system, see 20.2.4 Setting the Login IP Address Segment.
Context
The iPush system supports the login through Internet Explorer 6.0, Internet Explorer 7.0, Internet
Explorer 8.0, and Firefox 10.0.
By default, the system has a super administrator whose user name is admin and password is
Admin@123.
After one account fails to log in for three consecutive times, the system locks out this account
for 15 minutes to protect the iPush system. Within the lock-out time, this account cannot log in
again.
NOTE
The lock time is 15 minutes by default, but the administrator can change it manually. For details, see 20.3.2
Setting System Security.
Procedure
Step 1 Open the Microsoft Internet Explorer browser.
Step 2 Enter https://XX.XX.XX.XX:841/ipush-ui in the address box, and press Enter.
Step 3 Select a language from Language, enter User Name, Password, and Verification Code.
NOTE
XX.XX.XX.XX specifies the IP address of the iPush_UI server, and 841 indicates the HTTPS service port
of the iPush_UI server.
Step 4 Click Login to access the Web management page of the iPush system.
----End

20.1.2 System Overview

The iPush system pushes different types of information to online users (including those on fixed
networks and those accessing the Internet by using wireless data cards), and provides permission
management as well as system management to ensure information push.
System Components
The iPush system is a subsystem of the SIG. It consists of the iPush UI server (iPush_UI),
Information Server, third-party information content server, and iPush Data Synchronization
Server (iPush_SYNC). Figure 20-1 shows the components of the iPush system.
Figure 20-1 Components of the iPush system

Other components
on the Back End
Third-party information
content server
Router
Information Server
Switch …
Front End
iPush_SYNC BOSS
BRAS
iPush_UI
Users Back End
Component functions of the iPush system are as follows:

l iPush_UI Server: provides the Web management page of the iPush system. The
administrator can achieve service management, report query, permission management, and
system management on the management page.
l Information Server: provides the contents of pushed information, and confirms and records
information push results.
l iPush_SYNC: synchronizes user accounts, service packages, or charge information to the
carriers' system.
l Third-party information content server (optional): provides the contents of pushed
information.
NOTE
If a third-party information content server is deployed, it provides the contents of pushed information. Then
the Information Server confirms and records the information push results.

Information Audiences
The information audience refers to one or more users, to whom the information is pushed.
In the iPush system, a user is a subscriber configured in the SIG system, such as the ADSL dial-
up user identified by the subscriber ID and the wireless user identified by the IMSI or MSISDN.
The iPush system can push information to specific types of information audiences:
l To all users in the specified area.
l To a specific terminal user group in the specified area.
The terminal user group is configured in the iPush system, and can be added with one or
multiple users.
l To the specified synchronized user group.
A synchronized user group is the subscriber group synchronized by the iPush system from
the SIG system. The subscriber group is configured in the SIG system, and can be added
with one or multiple users.
l To the specified attribute group.
An attribute group contains one or more attributes. Information is pushed to the user who
matches all attributes. An attribute is the subscriber group attribute synchronized by the
iPush system from the SIG system. The subscriber grouping attribute is configured in the
SIG system. Subscribers can be classified into certain groups by attribute value, for
example, the gender, BST, and cell.
The iPush system does not push information to specific types of information audiences:
l To the whitelist user group.
The whitelist user group is configured in the iPush system, and can be added with one or
multiple users. To exempt some users from the information pushed by the iPush system,
add them to the whitelist user group.
l To those accessing the whitelist Web site.
The whitelist Web site is configured in the iPush system, and can be added with one or
multiple Web sites. To exempt the users who are accessing some Web sites from pushed
information, add these Web sites to the whitelist Web site.
Information Content Category

The iPush system supports the information content category and information content
subcategory, facilitating pushed information management. Moreover, the iPush system supports
information category priorities to define the push sequence of multiple pieces of information.
Predefined information falls into two types:
l Bulletin
Publicizing information such as news and system upgrade bulletins to terminal users.
l Fee Information
Sends user account balance information or service package due information to terminal
users and notifies users of recharge.
In addition, the system administrator can define information categories and subcategories.
Information Management
The iPush system provides diverse measures for information management.

l Various information styles

Multiple styles are predefined in the iPush system. Specified information contents are
supported and can be presented as the predefined styles. The iPush system can also present
information in the form of external URLs or local information files with information styles.
The display style is defined by the information file.
l Time-based push
By setting the validity period, you can configure the system to push information to terminal
users by week or hour within the validity period. The iPush system supports flexible push
intervals. You can set the push interval for a single user or all users in an area.
l Information priority
If multiple policies are effective for one user, information is pushed by the priorities of
information categories and policies. The priority of the information category is higher than
that of the information policy.
l Configurable push times
– If the push times is not limited for a piece of information, the total push times is not
specified, and the information is always pushed at intervals within the validity period
of the policy.
– If the push times is specified for a piece of information, the information is pushed at
intervals within the validity period of the policy until the push times is hit.
l Information status
You can manage the creation, audit, release, and completion of information by means of
information status. Five states are available, including Initialized, Waiting for audit,
Released, Update, and Completed.
Permission Management
The iPush system supports permission- and region-based management by means of roles and
administrators.
l Role
The iPush system predefines role ROLE_ADMIN which has all operation permissions of
the system. The administrator of ROLE_ADMIN can define other roles and assign
different service operation permissions.
l Administrator
The administrator belongs to a role, and inherits the service operation permissions of the
role. The administrator can manage only the information of the corresponding area and
information category.
System Management
With the UI provided by iPush_UI, the system administrator (belonging to the ROLE_ADMIN
role) can configure and manage the iPush_UI Server and Information Server.
l Configuring the Information Server

The Information Server provides the predefined display styles of information, saves the
local images or files uploaded during the configuration of push information, and confirms
and records push results.
l Viewing the performance of the iPush_UI Server and Information Server

By viewing the status and performance of the servers, you can learn about the resource
usage of the iPush system. When the usage of the server CPU, memory, or hard disk is too
high (for example, over 80% for a long time), upgrade hardware configurations or expand
service capacity.
l Configuring the security of the iPush system
You can set system security to improve the security of the iPush system, or adjust display
and export configurations according to the terminal hardware configurations or the network
status.
Log and Alarm

The iPush system provides log and alarm query functions. The system administrator can learn
about operation records of different administrators and the operating information about the
device by viewing system logs, as well as the abnormal status of the device by viewing alarms.

This section describes the flow for configuring the iPush service.
Figure 20-2 shows the configuration flow of the iPush system.
CAUTION
Before you configure the iPush service, import the terminal signature file in the SIG management
page. Otherwise, the iPush service does not work properly. For detailed procedure, see
Managing the Knowledge Base in the online help on the SIG management interface.
Figure 20-2 Configuration flow of the iPush system
Start
Configuring on the Configuring

SIG system or iPush subscriber
system.
Permission
Management
Configuring on the System Management

iPush system.
Service Management
End
Required

Table 20-1 shows the configuration flow.
Table 20-1 Configuration flow of the iPush system

Num Task Description
ber
1 Configuring a The iPush system can push information to different types of

subscriber audiences. All these types should be configured on the basis of
subscribers.
Before configuring the iPush service, complete the configuration
of common customers. You can configure common customers in
the SIG and iPush systems.
l For the configuration in the SIG system:
Management > Subscriber > Subscriber Management.
Then add a user.
Management > Subscriber > User Group Management.
Then you can add a user to a user group.
l For the configuration in the iPush system:
In the navigation tree, choose Audience Management >
Terminal User Group. Then you can add a user to the
terminal user group.
2 20.2 Using permission management, the system administrator can

Permission configure different roles and administrators. A role is used to
Management control the permission of each administrator, ensuring the normal
operating of the entire service flow.
3 20.3 System Using system management, the system administrator can

Management configure the Information Server and manage the security of the
iPush system.
4 20.4 Service After completing the initial configuration of the iPush system,
Management configure the iPush service.
20.2 Permission Management

Permission management is required when multiple administrators manage the iPush service
together. Configuring roles and administrators implements the permission-based and area-based
management of the iPush system, and managing address segments and online administrators
implements the security management of the iPush system.
20.2.1 Introduction to System Permissions

Configuring roles and administrators implements the permission- and area-based management
of the iPush system. The specified user can complete the specific sections of the service flow in
an area.

The iPush system enables permission management by means of roles and administrators, which
are described as follows:
l Role
By creating a series of roles and assigning certain iPush functional permissions, you can
implement permission-based management over the iPush system.
l Administrator
An administrator is associated with the role, area, and information category, and inherits
the iPush functional permissions that are possessed by the role. Therefore, the administrator
can manage permissions to the iPush service in the corresponding area as well as view and
configure the information about the corresponding information category.
When managing permissions, you can implement security management over the iPush system
by configuring the following contents:
l Login Address Segment
Setting the IP address segment for logging in to the iPush system. The IP address of a
terminal determines whether the terminal can access the iPush system.
l Online Administrator
Querying online administrators and force out those unauthorized ones.
l Push Effect-checking Permission
Generally, the administrator of an area can query the information only about this area, and
the administrator in charge of an information category can query the information only about
this category. By configuring the permissions of querying push effects, you can authorize
administrators in other areas to query the information push effects in this area, or the
administrators of other information categories in this area to query the information push
effects of this information category.
Role ROLE_ADMIN and administrator admin for this role are predefined in the system. The
default password for admin is Admin@123. The service permissions possessed by a predefined
role cannot be modified, and admin has all operation permissions to the iPush system. For details
on how to change the password of the admin, see Changing an Account Password.
20.2.2 Configuring a Role

By creating a series of roles and assigning certain iPush functional permissions, you can
implement permission-based management over the iPush system.
Prerequisites
The current online administrator belongs to role ROLE_ADMIN.
Procedure
Step 1 In the navigation tree, choose Permission Management > Role Management.
Step 2 Add a role.
1. Click Add.
2. Enter Name and Description for the role.
3. Click OK.
4. (Optional) Repeat Step 2.2 to Step 2.3 to add another role according to the role plan.

5. Click Return.
Step 3 Assign role permission.

1. On the Role Management page, click Assign role permission corresponding to a role.
2. Choose an item from functional permission navigation tree.
3. In the middle column, select the operation permission of this role to this function.
4. Click to add a permission.
To add the full permissions to the selected item, select the item, and then click
.
5. Repeat Step 3.2 to Step 3.4 to assign other permission to this role.
6. Click Save.
7. Click Return.
8. (Optional) Repeat Step 3.1 to Step 3.7 to assign permissions to another role according to
the role plan.
----End
20.2.3 Configuring an Administrator

You can create an administrator according to the role and area, and configure the information
categories that can be queried and configured by the administrator.
Prerequisites
The role, area, and information category are already created.
Context
If several administrators have the same role, area, and permission to one information category,
they can query and modify the information or policies created by other administrators under this
information category.
Procedure
Step 1 In the navigation tree, choose Permission Management > Administrator Management.
Step 2 Click Add.
Step 3 Enter information about the administrator. Table 20-2 shows parameters.
Table 20-2 Parameters for adding an administrator
Parameter Description
Name Indicates the account used by the administrator to log in to the iPush
system.

Role Indicates the role to which the administrator belongs. The administrator
inherits all service permissions possessed by the role.
Area Indicates the area to which the administrator belongs. The administrator
has permissions to configure information and query push effects in this
area and its subareas by default.
Information Indicates the information category that can be configured and queried by
type the administrator.
Step 4 Click OK.
Step 5 (Optional) Add another administrator according to the permission- and area-based management
plan.
Step 6 Click Return.
----End
20.2.4 Setting the Login IP Address Segment

By setting the IP address segment for logging in to the iPush system, you can limit the terminals
logging to the iPush system. If no login IP address segment is specified, all terminals are allowed
to log in to the iPush system.
Prerequisites
Procedure
Step 1 In the navigation tree, choose Permission Management > Login Address Segment.
Step 2 Click Add.
CAUTION
When you add the first IP address segment, make sure that the IP address of the current terminal
is within the IP address segment to be specified. Otherwise, after you add the IP address segment,
the administrator of the current terminal will be forced out and cannot log in from the current
terminal again.
Step 3 Enter the start IP address of the IP address segment in Start IP address.
Step 4 (Optional) Enter the end IP address of the IP address segment in End IP address.
If End IP address is not specified, the system regards End IP address as Start IP address by
default.
Step 5 Click OK.

TIP
If the administrator cannot log in from the current terminal by the mistaken adding of the IP address
segment, the administrator can change the IP address of the terminal to log in to the iPush system again if
there is an available IP address on the specified IP address segment.
----End
20.2.5 Managing Online Administrators

You can view details about currently online administrators and force out those unauthorized
ones, for example, the administrator logging in from a strange IP address.
Prerequisites
Procedure
Step 1 In the navigation tree, choose Permission Management > Online Administrator.
Step 2 View details about the login of an online administrator.
Click of an online administrator to access the Details page.
Step 3 (Optional) Force out unauthorized online administrators in the list.
1. Select the check boxes of the online administrators to be forced out.
2. Click Force logout to force out the selected online administrators.
----End
20.2.6 Configuring Push Effect-Checking Permission

You can authorize administrators in other areas to query the information push effects of this
area, and the administrators of other information categories in this area to query the information
push effects of this information category. If the administrators in other areas or of other
information categories need to refer to the information push effects in this area or of this
information category, you can configure the push effect query permission.
Prerequisites
Administrators belong to different areas and information categories are configured.
The information to be pushed is configured.
Context
The administrator can query the pushed information only in the corresponding area or of the
corresponding information category. By configuring the push effect query permission, you can:
l Authorize administrators in other areas to query pushed information in this area.
l Authorize administrators that do not belong to this information category in this area to
query the pushed information of this information category.
At a time, you can authorize the permission of querying only one piece of pushed information,
but the permission can be authorized to multiple administrators.

Procedure
Step 1 In the navigation tree, choose Permission Management > Push Effect-checking
Permission.
Step 2 Click Add.
Step 3 Select a piece of information.
The administrator can select the information about the corresponding information category in
this area, including the information created by other administrators.
Step 4 Select the administrator that can query the information.
The following administrators are available:
l Administrators that do not belong to this information category in this area.

l Administrators in other areas.
Step 5 Click OK.
----End
20.2.7 Configuration Examples

This section describes a plan for permission-based and area-based management of the iPush
system and explains the configuration flow for implementing this plan. Carriers can refer to this
example to define their plans by service department division when requiring the permission-
based and area-based management of the iPush system.
Prerequisites
The following subscriber areas are configured in the SIG system:
l Level-2 area X
– Level-3 area X1
– Level-3 area X2
l Level-2 area Y
– Level-3 area Y1
– Level-3 area Y1
Information category Weather info is configured. For details, see Configuring Information
Categories.
Carriers need to implement the permission-based and area-based management of the iPush
system. Requirements are as follows:
l Super administrator
Employs predefined role ROLE_ADMIN, and is in charge of the initial configuration and
maintenance, and permission management of the device. The super administrator has all
permissions to the iPush system.

Predefined administrator admin maintains the iPush system and pushes bulletins to the
specified area, for example, transient service interruption caused by system maintenance.
l Role A
Configures information and policies. Role A has permissions to add and configure pushed
information as well as policies.
Area X and area Y respectively have two administrators belonging to role A for adding and
configuring the information and policies of different information categories in their own
areas.
l Role B
Audits policies. Role B has all permissions except log dumping.
Area X and area Y respectively have one administrator belonging to role B for auditing
policies in their own area.
l Role C
Add users to the whitelist user group as required by users. Role C has permissions to query
reports and configure whitelist user groups.
Area X1, area X2, area Y1, and area Y2 respectively have an administrator belonging to
role C for configuring whitelist user groups in their own areas.
The administrator in area X who is in charge of bulletin can authorize the administrator in area
Y to query the push effects of bulletin for reference.
Data Planning
According to requirements, the role plan is as shown in Table 20-3.
NOTE
Table 20-3 does not contain predefined role ROLE_ADMIN.

Signs in Table 20-3 are described as follows:
l √ indicates that the role has all permissions of this function in the functional navigation tree.
l ○ indicates that the role has partial permissions of this function. For details, see the description.
l × indicates that the role does not have permissions of this function.
Table 20-3 Description of role planning
Assignable Functional Role

Permissions
Function Function Role A Role B Role C

Category
Quick Start Configure × √ ×

Guide
Information Configure ○: Adding and √ ×

Management Information editing pushed
information
Configure √ √ ×
Types

Assignable Functional Role

Permissions
Function Function Role A Role B Role C

Category
Audience Terminal User × √ ×

Management Group
Whitelist User × √ ○: Configuring

the whitelist
user
Whitelist × √ ○: Adding the

Website whitelist Web
site
Policy Configure ○: Adding and √ ×

Management Policy editing policies
Check × √ ×
Information
Status
Audit Policy × √ ×
Information √ √ ×
Schedule
Configure Area × √ ×
Policy
Report Statistics Push Effect √ √ √

Statistics
Push Details
Background √ √ ×
Export Details
Permission Reset Password √ √ ×

Management Push Effect-
checking
Permission
Log and Alarm View Log × √ √
View Alarm × √ ×
Dump Log × × ×
Table 20-4 shows the administrator plan.

Table 20-4 Description of administrator planning
Administrator Role Area Information Category

Name
admin_ax_1 Role A Area X Fee information, and Weather info
admin_ax_2 Role A Area X Bulletin
admin_ay_1 Role A Area Y Fee information, and Weather info
admin_ay_2 Role A Area Y Bulletin
admin_bx Role B Area X All information categories
admin_by Role B Area Y All information categories
admin_cx1 Role C Area X1 All information categories
admin_cx2 Role C Area X2 All information categories
admin_cy1 Role C Area Y1 All information categories
admin_cy2 Role C Area Y2 All information categories
Procedure
Step 1 Configure a role.
1. In the navigation tree, choose Permission Management > Role Management.
2. Click Add.
3. Add role Role A, as shown in Figure 20-3.
Figure 20-3 Adding a role
4. Click OK.
5. Repeat Step 1.3 to Step 1.4 to add other roles by referring to Table 20-3.
6. Click Return.

Step 2 Assign service permissions to the role.

1. On the Role Management page, click Assign role permission in the Operation column
for Role A.
2. In the navigation tree, choose Information Management > Configure Information.
3. Select Add Information and Edit Information in Operation right, as shown in Figure
20-4.
Figure 20-4 Assigning service permissions to the role
4. Click .
5. Repeat Step 2.2 to Step 2.4 to assign other permissions to Role A by referring to Table
20-3.
6. Click Save.
7. Click Return.
8. Repeat Step 2.1 to Step 2.7 to assign permissions to other roles by referring to Table
20-3.
Step 3 Configure an administrator.
1. In the navigation tree, choose Permission Management > Administrator
Management.
2. Click Add.
3. Add administrator admin_ax_1, as shown in Figure 20-5.

Figure 20-5 Adding an administrator
4. Click OK.
5. Repeat Step 3.3 to Step 3.4 to add other administrators by referring to Table 20-4.
6. Click Return.
----End
Result
After you log in using an administrator account, you can view the functional permission nodes
for the administrator in the navigation tree.
Follow-up Procedure
Administrator admin_ax_2 creates bulletin Info1, and authorizes administrator admin_ay_2
to query the push effects of Info1.
1. Using account admin_ax_2 to log in to the iPush system.

2. In the navigation tree, choose Permission Management > Push Effect-checking
Permission.
3. Click Add.
4. Select Info1 from Information, and admin_ay_2 from Administrator with querying
permission.
5. Click OK.

After logging in to the iPush system, administrator admin_ay_2 can query the push effects of
bulletin Info1 in report statistics.
20.3 System Management

The iPush Web server needs to interwork with the Information Server to push information.
Before using the iPush service, configure the Information Server. Setting parameters about
system security can improve the security of the iPush system.
20.3.1 Configure Information Server

The Information Server provides the contents of pushed information, and confirms and records
information push results. To ensure the normal operating of the iPush system, configure the
Information Server.
Prerequisites
The Information Server is installed and its IP address is obtained or planned.
Context
The iPush system supports a maximum of 12 Information Servers.
Procedure
Step 1 In the navigation tree, choose System Configuration > Configure Information Server.
Step 2 Click Add.
Step 3 Set parameters for the Information Server. Table 20-5 shows parameters.
Table 20-5 Parameters of the Information Server
Threshold Indicates the maximum number of concurrent HTTP connections allowed

by the Information Server, namely, the maximum number of requests
allowed in a second. Excess requests are discarded.
Internal IP Indicates the IP address through which the Information Server

communicates with other iPush components.
The internal IP address must be unique.
External IP Indicates the IP address through which the Information Server provides
services for terminal users. This IP address must be used to communicate
with the public network.
The combination of the external IP address and external port should be
unique.
Internal Port Indicates the port through which the Information Server provides internal
communication. The default value is 848, and cannot be changed.

External Port Indicates the port through which the Information Server provides Web
services for external networks.
If the NAT function is not enabled, External Port and Internal Port are
the same, that is, 848. If the NAT function is enabled, External Port is
the mapped port of private port 848.
Step 4 Click OK.
Step 5 Click Return.
----End
20.3.2 Setting System Security

You can set system security to improve the security of the iPush system, or adjust display and
export configurations according to the terminal hardware configurations or the network status.
Only the administrator belonging to role ROLE_ADMIN can perform this operation.
Context
Setting system security covers the following:
l Session Timeout Configuration

If an administrator does not perform any operations after login within Session Timeout,
the system automatically logs out the administrator to prevent illegitimate use of the iPush
system.
l Display/Export Configuration
In the case of heavy data volume, a large value of Records/page leads to slow page display,
and a large value of Maximum Page Number of Export leads to the oversize of the file.
Set these two parameters according to network status and terminal hardware configurations.
If the page display is slow, reduce the value of Records/page. If the file is oversized, reduce
the value of Maximum Page Number of Export.
l Login Configuration
If one administrator account enters an incorrect password consecutively for more times
than the value in Login Attempt Times, the iPush system locks out this account for a period
of time specified in Lock Duration. During this period, the account cannot log in to the
iPush system from any terminals.
Setting the lock parameters prevent hackers from logging in to the iPush system
illegitimately by guessing the password.
l Load Balancing Configuration
On the Configure Information Server page, set Threshold. In practice, if the proportion
between the concurrent connection number and the concurrent connection number
threshold is larger than Load Balancing Excess Percentage, the Information Server stops
pushing information.
Session Timeout Configuration, Display/Export Configuration, and Login Configuration

are independent of each other. After parameters are specified, click OK. Only corresponding
parameters take effect.

Procedure
Step 1 In the navigation tree, choose System Configuration > Set System Security.
Step 2 Set parameters to be modified.
Step 3 Click OK in the corresponding group box.
Step 4 (Optional) Repeat Step 2 to Step 3 to set other parameters.
----End
20.3.3 Configuring Test URLs

Test URLs are used for previewing information. When you preview information, the iPush
system accesses the URL and displays the information on the page. Only the administrator
belonging to role ROLE_ADMIN can perform this operation.
Procedure
Step 1 In the navigation tree, choose System Configuration > Configure Test URL.
Step 2 Enter a new URL in Test URL.
Step 3 Click OK.

Click Restore to restore the test URL to the default value.
----End
20.3.4 Viewing Server Performance

You can view the performance and status of the iPush UI Server and Information Server, as well
as the load balance of the Last 24 Hours Information Server. Only the administrator belonging
to role ROLE_ADMIN can perform this operation.
Context
By viewing the status and performance of the servers, you can learn about the resource usage
of the iPush system. When the usage of the server CPU, memory, or hard disk is too high (for
example, over 80% for a long time), upgrade hardware configurations or expand service capacity.
NOTE
Last 24 Hours indicates 24 hours before the current server time.
Procedure
l In the navigation tree, choose System Configuration > View Server Performance.
----End
20.3.5 Viewing a Log

Logs record the logins and operations of administrators in the iPush system, as well as the
operating status of iPush components. By viewing logs, you can trace the use and operating of
the iPush system.

Prerequisites
The current administrator has the View Log permission.
Context
To ensure that the operations and operating status of the iPush system can be traced, logs can
be viewed, but not deleted. Administrators can store and delete obsolete logs by dumping logs.
Procedure
l View Log
1. In the navigation tree, choose Log and Alarm > View Log.
2. Set query conditions to query desired logs. Table 20-6 shows parameters.
Table 20-6 Parameters of log query

Start time/End Queries logs within a time range.

time
Area Queries logs for an area.
Device type Queries logs generated by a certain component.

To query administrator's operations in the iPush system, select
iPush_UI.
Details Queries the specified log information in logs.
3. Click Query.
Logs complying with the query condition are displayed in the list in the below.
If a log is long and displayed incompletely, click the description in the Details column
to view the complete log.
NOTE
The DST behind the time in the figure Indicates the Daylight Saving Time. The DST is
displayed only when it is configured.
l Dump Log
1. In the navigation tree, choose Log and Alarm > Dump Log.
2. Set dumping parameters. Table 20-7 shows parameters.
Table 20-7 Parameters of log query

End time Indicates that the iPush system dumps the logs generated before
End time.
Default Dump Indicates the directory where dumped logs are saved.
Directory

Dump File Indicates that the iPush system names dumped files by using the
Name character strings containing the date part of End time by default.
You can also define the file name in the text box.
If a dumped file with the same name already exists, the iPush
system adds the new log to the end of the original dumped file
automatically.
3. Click Dump.
----End
20.3.6 Viewing an Alarm

Alarms record the abnormal information generated during the operating of the iPush system.
The alarms help administrators find anomalies in a timely manner, or help them locate the fault.
Prerequisites
The current administrator has the View Alarm permission.
Context
Alarms have two statuses, namely, Confirm and Unconfirm. When an alarm is rectified or does
not affect the normal operating of the iPush system, administrators can confirm the alarm. For
details, see Step 4.
Procedure
Step 1 In the navigation tree, choose Log and Alarm > View Alarm.
Step 2 Set query conditions to query desired alarms. Table 20-8 shows parameters.
Table 20-8 Parameters of alarm query

Start time/End Queries alarms within a time range.

time
Confirm User Queries the alarm confirmed by a specified administrator.
Confirm Status Queries alarms in different statuses.
Alarm Module Queries alarms generated by a specified module.
Step 3 Click Query.

Alarms complying with the query condition are displayed in the list in the below.
If an alarm is long and displayed incompletely, click the description in the Details column to
view the complete alarm.

NOTE
The DST behind the time in the figure Indicates the Daylight Saving Time. The DST is displayed only
when it is configured.
Step 4 (Optional) Confirm the alarm.

Select the check box of the alarm to be confirmed, and click Confirm.
----End
20.4 Service Management

After the initial configuration of the iPush system is complete, you can implement service
management to start information push. This section describes the configuration flow of the iPush
service and provides examples for explaining the configuration process.

This section describes the flow for configuring the iPush service. The configuration flow guides
you through the configuration of the iPush service.
Figure 20-6 shows the configuration flow of the iPush service.
TIP
The iPush service provides an entrance for quick start, which facilitates administrators in quick
configuration. To configure a piece of information to be pushed to all users in a specified area, see In the
navigation tree, choose Quick Start > Configure Guide.
To configure other pushed information, see Figure 20-6.

Figure 20-6 Configuration flow for iPush
Start
Configuring
Area Mapping
Configuring
Area Policy Configuring the
Terminal User Group
Configuring the Configuring the
Information Audience Whitelist User Group
Configuring the
Configuring the Whitelist Web Site
Information Category
Configuring the
Notify Rule
Configuring Information
Viewing the
Information Schedule
Configuring a Policy
Auditing a Policy
End
Required Optional
Table 20-9 shows the configuration flow.
Table 20-9 Description of the configuration flow for iPush
Nu Task Description
m
be
r
1 20.4.2 To use the synchronization interface of the iPush system to obtain

Configuring Area terminal user information, configure area mapping.
Mapping In the iPush system: In the navigation tree, choose Policy
Management > Configure Area Mapping.

Nu Task Description
m
be
r
2 20.4.3 An area policy is used to configure the minimum push interval

Configuring Area for a cell, maximum times of push to a single user per day, and
Policy whether to push to dynamic IP only.
In the iPush system: In the navigation tree, choose Policy
Management > Configure Area Policy.
3 20.4.4 20.4.4.1 To push information to users in a specified group, configure the

Config Config terminal user group.
uring uring In the iPush system: In the navigation tree, choose Audience
the the Management > Terminal User Group.
Inform Termin
ation al User
Audien Group
ce
20.4.4.2 To push information not to users in a specified group, configure
Config the whitelist user group.
uring In the iPush system: In the navigation tree, choose Audience
the Management > Whitelist User Group.
Whiteli
st User
Group
20.4.4.3 To exempt the users who are accessing some Web sites from
Config pushed information, configure these Web sites as the whitelist
uring Web sites.
the In the iPush system: In the navigation tree, choose Audience
Whiteli Management > Whitelist Website.
st Web
Site
20.4.4.4 Notify Rule is used to generate a dynamic terminal user group for
Config pushing fee information.
uring In the iPush system: In the navigation tree, choose Audience
the Management > Notify Rule Manage.
Notify
Rule
4 20.4.5 You can configure information categories and subcategories for

Configuring the information management. You can also configure priorities for
Information information categories to set their push sequence.
Category In the iPush system: In the navigation tree, choose Information
Management > Configure Category.
5 20.4.6 Before you configure a policy, configure the pushed information

Configuring and its display on the user terminal.
Information In the iPush system: In the navigation tree, choose Information
Management > Configure Information.

Nu Task Description
m
be
r
6 20.4.7 Viewing Before configuring a new policy, you can query the schedule gantt
the Information chart of existing information, to arrange the push plan for new
Schedule information properly and optimize push effects.
In the iPush system: In the navigation tree, choose Policy
Management > Information Schedule.
7 20.4.8 A push policy determines the push objects and push methods,
Configuring a including the validity period, push times, interval, and time range.
Policy In the iPush system: In the navigation tree, choose Policy
Management > Configure Policy.
8 20.4.9 Auditing a A created policy can be released only after it is audited.

Policy In the iPush system: In the navigation tree, choose Policy
Management > Audit Policy.
20.4.2 Configuring Area Mapping

When pushing the fee information, the iPush system needs to synchronize subscriber ID, service
packages, and fee information from the carrier system. To use the synchronization interface to
synchronize user information, configure area mapping.
Prerequisites
Areas are configured in the SIG system.
The plan for the carriers to divide areas is obtained.
Context
You can establish mapping between the areas divided by the SIG system and those divided by
the carrier. Then the synchronization interface synchronizes user information to the
corresponding areas.
For example, area A already exists in the SIG system, and area 1 in the carrier system. You can
add an area mapping, which sets the area to A and external area to 1. With this mapping, the
synchronization interface can synchronize user information in area 1 of the carrier system to
area A.
Procedure
Step 1 In the navigation tree, choose Policy Management > Configure Area Mapping.
Step 2 Click Add.
Step 3 Select an area in the SIG system from Area.
Step 4 In External Area No., enter the carrier area number, which ranges from 1 to 999999999.

Step 5 Click OK.
----End
20.4.3 Configuring Area Policy

To control the information push frequency and times of an area globally, configure the area
policy.
Prerequisites
Context
All areas except the root area have the Minimum Push Interval default value. To change the
default value, add an area policy for this area and set Minimum Push Interval.
Minimum Push Interval in this area policy is valid for the entire area, and Minimum Push
Interval per User in the information policy is valid only for the corresponding information. If
the minimum push interval is configured for both the policy and area, the Minimum Push
Interval that has a greater value is preferred. In this case, the iPush system sends the
corresponding information only when the interval meets the Minimum Push Interval that has
the greater value.
Procedure
Step 1 In the navigation tree, choose Policy Management > Configure Area Policy.
Step 2 Click Add.
Step 3 Set area policy parameters. Table 20-10 shows parameters.
Table 20-10 Parameters of the area policy
Area Indicates the area for which the policy is valid. You can select
multiple areas. The iPush system adds one area policy for each
selected area. Only one policy can be configured for an area.
Minimum Interval Indicates the minimum interval at which the system pushes
(minutes) information to terminal users in this area.
Maximum Push Times Indicates the maximum times for pushing information to a single
per Day per User terminal user in this area each day.
Push to Dynamic IP Only Indicates that the information is pushed only to the users
accessing the Internet using dynamic IP in the corresponding
area.
Step 4 Click OK.
----End

20.4.4 Configuring the Information Audience

When you configure information policies, apply them to information audiences. Therefore,
configure information audiences before the information policies.
20.4.4.1 Configuring the Terminal User Group

You can configure a user group based on accounts in the specified area, which facilitates the
information push according to the user group.
Prerequisites
Procedure
Step 1 In the navigation tree, choose Audience Management > Terminal User Group.
Step 2 Add a terminal user group.

1. Click Add, and the Add page is displayed.
2. In Area, select the area where the terminal user group resides.
3. In Name, enter the group name.
4. (Optional) In Description, enter the group description.
5. Click OK.
6. Click Return.
Step 3 Configure a terminal user group.

1. On the Terminal User Group page, click Configure corresponding to the name of the
group to be configured.
2. Configure users in the group, either by manual adding or batch importing.
l Manual adding
The users to be added can either be the subscribers that already exist in the SIG system
or those do not exist in the SIG system.
l Batch import
The users to be imported can either be the subscribers that already exist in the SIG
system or those do not exist in the SIG system.
----End
20.4.4.2 Configuring the Whitelist User Group

To exempt some users from the information pushed by the iPush system, add them to the whitelist
user group.
Prerequisites

Context
Whitelist user groups fall into three types:
l Global Whitelist Group
No information is pushed to users in this group. The group is predefined in the system, and
cannot be changed or deleted. The administrator can add, import, or delete terminal users
to this group.
l Categoried Whitelist Group
The information of the corresponding category is not pushed to users in this group.
After an information category is added, a whitelist user group related to this information
category is added automatically. The iPush system does not push information under this
information category to users in the whitelist user group.
The group cannot be changed or deleted. The administrator can add, import, or delete
terminal users to this group.
l User-defined Whitelist Group
The information related to the group is not pushed to users in this group.
Procedure
Step 1 In the navigation tree, choose Audience Management > Whitelist User Group.
Step 2 Add a user-defined whitelist group.

1. Click Add.
2. Set parameters for the user-defined whitelist group. Table 20-11 shows parameters.
Table 20-11 Parameters of the user-defined whitelist group
Information Indicates the information related to the user-defined whitelist

group. The iPush system does not push such information to
users in this group.
If the Manually add whitelist function is enabled for the
selected information and related scripts are added to the
information, you can click the whitelist user link to add
yourself to the group.
Period Indicates the maximum period when the user can reside in
the user-defined whitelist group.
The iPush system calculates the period every day. When the
threshold is hit, the user is removed from the user-defined
whitelist group.
3. Click OK.
Step 3 Configure a whitelist user group.

1. Click Configure corresponding to the user group to be configured.
2. Click Add.

3. Enter the information about the whitelisted user.

4. Click OK.
----End
20.4.4.3 Configuring the Whitelist Web Site

To exempt the users who are accessing some Web sites from pushed information, configure
these Web sites as the whitelist Web sites.
Context
Whitelist Web sites are valid for global users. That is, unless you select Push to white
websites when configuring a policy, no information is pushed for users' access to the whitelist
Web sites.
Procedure
Step 1 In the navigation tree, choose Audience Management > Whitelist Website.
Step 2 Click Add.
Step 3 Enter the whitelist Web site and its description.
Step 4 Click OK.
----End
20.4.4.4 Configuring the Notify Rule

Notify Rule is used to generate a dynamic terminal user group for pushing fee information.
Prerequisites
Context
Notify Rule is used to generate a dynamic terminal user group for pushing fee information. After
the Notify Rule is configured, a cognominal user group is generated and displayed in Terminal
User Group.
The iPush system synchronizes all user information and adds the users compliant with the Notify
Rule to the corresponding user group.
Procedure
Step 1 In the navigation tree, choose Audience Management > Notify Rule Manage.
Step 2 Click Add.
Step 3 Set Notify Rule parameters. Table 20-12 shows parameters.

Table 20-12 Notify Rule parameters
Area Selects an area. The Notify Rule is valid only for the subscribers
in this area.
User Type l Due-push User

Indicates the users enjoying the network access service
package provided by the carrier.
l Balance-push User
Indicates the users who are charged by online duration or
traffic in real time.
Upper Limit of Push The iPush system periodically synchronizes all user information
Days/Lower Limit of from the third-party system and takes actions based on the Notify
Push Days Rule:
l When the service package remaining days of the Due-push
Fee Upper Limit/Fee
User is between Upper Limit of Push Days and Lower
Lower Limit
Limit of Push Days, the iPush system adds the user to the
group.
l When the balance of the Balance-push User is between Fee
Upper Limit and Fee Lower Limit, the iPush system adds
the user to the group.
Step 4 Click OK.
----End
20.4.5 Configuring the Information Category

You can configure information categories and subcategories for information management. You
can also configure priorities for information categories to set their push sequence.
Context
After an information category is added, a whitelist user group related to this information category
is added automatically. The iPush system does not push information under this information
category to users in the whitelist user group.
Priorities can be configured for both information categories and information policies. However,
the priorities for information categories are unique, and those for information policies can be
the same. If multiple information policies are valid for a user, the iPush system pushes
information by the priorities of information categories. The information enjoying a higher
priority is preferentially pushed. If the information categories are of the same priority, the iPush
system pushes information by the priorities of information policies. If both the information
categories and information policies are of the same priority, the iPush system sends the
information in a recurring manner.
The iPush system predefines two information categories. The administrator can configure new
ones or configure subcategories for the predefined one as required.

Procedure
Step 1 In the navigation tree, choose Information Management > Configure Category.
Step 2 Add an information category.

1. Click Add.
2. Enter the name and description of the information category.
3. Click OK.
4. (Optional) Repeat Step 2.2 to Step 2.3 to add more information categories.
5. Click Return.
Step 3 Configure information subcategories.

1. On the Configure Category page, click Set Subcategory corresponding to an information
category.
2. Click Add.
3. Enter the name and description of the information subcategory.
4. Click OK.
5. (Optional) Repeat Step 3.3 to Step 3.4 to add more information subcategories.
6. Click Return.
Step 4 Adjust the priorities of information categories.

1. On the Configure Category page, click Change priority.
2. Adjust the priorities of information categories.
Select an information category:
l Click Higher to raise its location in the list, namely, raise its priority.
l Click Lower to lower its location in the list, namely, lower its priority.
3. Click OK.
----End
20.4.6 Configuring Information

Before you configure a policy, configure the pushed information and its display on the user
terminal.
Prerequisites
Information categories are configured.
Context
One piece information can be referenced only by one policy. One piece of information has the
same status as its policy. Five states are available for information and policies: Initialized,
Waiting for audit, Released, Update, and Completed. Figure 20-7 shows the relationship
between the five states.

Figure 20-7 Relationship between the states of information and policies

Submit Pass
Intialized Waiting for audit Released
Re
je
Policy expires or the push
ct:
Reject:Completed
Up
times are used up
Su
Stop
da
bm
te
it
Completed Update
Update
Manual execution
by administrator
Automatic execution
by the system
You can change the information only in Initialized or Update state. Meanwhile, you can delete
the information only in Initialized or Completed state, or that is in Update state for more than
10 minutes.
NOTE
The message is valid and can be pushed to users when the state of the message is Released.
When the information file of the user-defined style is used, the iPush system adds the following
information that is processed by Base64 code to the end of the URL of the file in the
adid=****&area=****&tcca=****&urip=****&orlu=****&aorlu=****&spid=****
format: information number, user area number, subscriber ID, user IP address, originally
accessed URL, URL of information resources, and SPS number.
When making the information file in the user-defined style, resolve and use related parameters.
l The information file in the user-defined style needs to obtain the originally accessed URL
to display the page. Therefore, add code to the file to resolve and use parameter
orlu=****.
l The user-defined style file needs to display the page. Therefore, additional code are required
to be added to the user-defined style file to resolve and use the aorlu=**** parameter.
l To use other related information (such as the subscriber ID) on the information page, add
code to the file to resolve and use the corresponding parameter.
l To add the statistical function on the information page, add code to the file to obtain
corresponding parameters and generate the following URL: http://asip/a/adclick?
tcca=****&urip=****&spid=****&adid=****. This HTTP request can be triggered by
an event (for example, a user clicks the information) by means of code control.
asip is the IP address of the Information Server.
l To add the function for users to add themselves to the whitelist on the information page,
add code to the file to obtain corresponding parameters and generate the following URL:
http://asip/a/unpush?tcca=****&urip=****&area=****&adid=****. Then deliver
this URL to a control (such as a button displaying Do not display this information). When
the user clicks this button, the HTTP request is triggered.

asip is the IP address of the Information Server.
Procedure
Step 1 In the navigation tree, choose Information Management > Configure Information.
Step 2 Click Add.
TIP
To create a piece of information that is the same as or similar to an existing one, select the existing
information, and click Copy and Add. The system copies this information. You can create a same or similar
piece information by changing parameters.
Step 3 Set basic parameters for the pushed information. Table 20-13 shows parameters.
Table 20-13 Parameters of basic information

Name A meaningful name distinguishes one piece of information from other

information.
Category The information inherits the priority of its information category.
Subcategory A proper information subcategory facilitates information management.
Style The style is the display of information on user terminals. Styles fall in to
the following types:
l Predefined
Displays information in the predefined style of the iPush system. When
configuring the predefined style, configure the content source, display
style, and related parameters of the information.
l User-defined
Generates the pushed information using the file of the user-defined
style or the external URL pointing to the file of the user-defined style.
The content source and display style of the information are determined
by the source file of the user-defined style.
Step 4 Configure the contents of the pushed information (only applicable to the Predefined
information). Table 20-14 shows parameters.

Table 20-14 Parameters of contents

Source Select the content source of the information:

l External URL
When you use a predefined page to push information, specify the URL
of the page.
l Picture
Generates the pushed information by using an uploaded picture of a
flash file.
l File
Uploads a file as the pushed information.
Fee Information To push the fee information, set Source to File.

To push fee information to users, select Yes, and use the fee information
template. Do not delete @baseurl@ from the template file. For the use of
the fee information template, see 20.6.1 Making the Fee Information
Page.
Link The parameter can be specified when the content source is Picture.
When you upload a picture, Link is the pointed URL upon your click on
the picture. When you upload a flash file, the iPush system appends
Link to the generated pushed information for the flash file to invoke.
Enable Digital If the content source is the local Picture or File, you can add an invisible
Signature digital signature to the information, preventing information from being
modified and ensuring the integrity of the information.
Step 5 Configure the style of the pushed information. Table 20-15 shows the parameters of predefined
styles and Table 20-16 shows the parameters of user-defined styles.

Table 20-15 Parameters of predefined styles

Display Style The iPush system provides the following styles:

l Bannner
Information is displayed on the top of the browser in banners.
l Pop
Information pops up from the browser in the form of small windows.
The pop-up location can be configured.
l Tear page
Information is displayed in a small window overlapping the original
browsed contents on the browser. Torn paper information is generally
displayed on the upper right of the browser window. It maps with the
transparent flash file information, and can simulate the effects of
opening papers.
l Pair-adv.
Information is displayed on both sides of the browser in antithetical
couplets.
l Float
Information is floated above the browser window.
l Replacement
Information replaces the original browsed contents completely.
l Behind
Information is displayed in another browser window or a tab page.
l MSN
Information pops up from the lower right of the browser window.
Style Parameter Sets parameters related to various display styles, such as the size and
location.
Display Time Sets the display time of the pushed information.

(sec.)

Parameters After the following options are selected, the iPush system can add
information to the end of the URL of the information automatically for the
information page to invoke.
l Subscriber ID
The iPush system adds a character string containing subscriber ID
information to the end of the external URL, in the account=****
format.
l Originally accessed URL
The iPush system adds a character string containing originally accessed
URL information to the end of the external URL, in the url=****
format.
The character strings containing the subscriber ID information and
originally accessed URL information are encoded by the iPush system
using Base64 and then added to the end of the external URL automatically.
For example, if an external URL is http://www.example.com/ad.html,
the subscriber ID is abc0123, and the originally accessed URL is
www.site.com, the iPush system encodes the subscriber ID information
and originally accessed URL information in the
account=abc0123&url=www.site.com format by using Based64 and
adds the encoded information to the end of the external URL. Finally, the
URL is http://www.example.com/ad.html?
param=YWNjb3VudD1hYmMwMTIzJnVybD13d3cuc2l0ZS5jb20=
. If you select to append only one parameter, only the corresponding
information is added.
Functions The iPush system can append the following functions on the information
page.
l Click statistics
If this function is added to the pushed information, information clicks
are sent to the Information Server after users click the information.
Copies script and its contents in the script to tag head in the
information source file.
Copies the onclick="addClickCount()" attribute (with the half-width
space in the front) of body in the script to the first half body in the
information source file as the attribute of body for the information
source file.
l Manually add whitelist
If users do not want to receive information, they can click the button
or link added for the pushed information to add themselves to the
whitelist user group.
Copies script and its contents in the script to tag head in the
information source file. Copies the contents of body (excluding
body) in the script to body in the information source file.
After a user-defined whitelist user group is created, the information for
realizing the Manually add whitelist function should be associated
with this group.

Table 20-16 Parameters of user-defined styles
External URL Displays information by using the predefined page on another Web server
as the style file. The URL of the page should be specified.
Local File Displays information by uploading a local file. The uploaded file is saved
in the Information Server.
Enable Digital If the content source is the local Local File, you can add an invisible digital
Signature signature to the information, preventing information from being modified
and ensuring the integrity of the information.
----End
20.4.7 Viewing the Information Schedule

You can view the information schedule within a period of time using the gantt chart.Before
configuring a new policy, you can query the schedule gantt chart of existing information, to
arrange the push plan for new information properly and optimize push effects.
Context
The gantt chart is a bar diagram displaying the start time and duration of an activity, helping you
arrange, plan, and manage projects. The push schedule gantt chart displays the start time and
end time of the information push, which helps in arranging the information push schedule.
Procedure
Step 1 In the navigation tree, choose Policy Management > Information Schedule.
Step 2 Select a graph type.
Two types are available by time granularity:
l Hour Schedule
Queries the information schedule of a day, and the time granularity is based on hours.
l Daily Schedule
Queries the information schedule on a specified date, and the time granularity is based on
days.
Step 3 Set the query conditions.
Step 4 Click Query.
----End
20.4.8 Configuring a Policy

A push policy determines the push objects and push methods, including the validity period, push
times, interval, and time range.

Prerequisites
The pushed information and information audiences are configured.
Context

Submit Pass
Re
jec
t:U
Reject:Completed times are used up
Su
pd
Stop
a
bm
te
it
Completed Update
Update
Manual execution
by administrator
Automatic execution
by the system
The Initialized, Waiting for audit, Released, and Update states are all labeled as the
Uncompleted state. The new information and policy are in Initialized state. You can change the
policy only in Initialized or Update state. Meanwhile, you can delete the policy only in Initialized
state.
NOTE
The message is valid and can be pushed to users when the state of the message is Released.
Procedure
Step 1 In the navigation tree, choose Policy Management > Configure Policy.
Step 2 Click Add.

TIP
Select an added policy, and click Copy and Add. Then, you can modify the existing policy and configure
a new policy.
Step 3 Set Basic Information.
Table 20-17 shows parameters.

Table 20-17 Parameters of basic policy information

Information One piece information can be applied only to one policy.
Period A policy is valid only within the specified period. After you select
Unlimited, the policy is valid from the start time of the validity
period until the specified total push times is hit.
Total Push Times Indicates the total push times within the validity period, namely,
the sum of push times to all objects.
After you select Unlimited, the policy is valid within the validity
period, and total push times is not limited.
Minimum Push Interval When a user accesses the network, the iPush system does not
per User push information to the user until Minimum Push Interval per
User after the last push.
The minimum push interval can be specified by:
l Pushing information to a single user every N minutes or
longer, about a maximum of M times a day.
l Pushing information to a single user every N days or longer.
NOTE
If the minimum push interval is configured for both the policy and area,
the Minimum Push Interval that has a greater value is preferred. In this
case, the iPush system sends the corresponding information only when
the interval meets the Minimum Push Interval that has the greater value.
The minimum push interval for all areas except the root area is 60 minutes
by default. The administrator can manually set the minimum push
interval. For details, see 20.4.3 Configuring Area Policy.
Options Pushes information forcibly to whitelisted users.

l Push to global white users
Pushes information to a user even if the user belongs to
Global Whitelist Group.
l Push to classified white users
Pushes information to a user even if the user belongs to
Categoried Whitelist Group.
l Push to white websites
Pushes information to a user even if the the accessed Web site
belongs to Whitelist Website.
Step 4 Set Target Groups.


Table 20-18 Description of configuring target groups
Push Object Type Description
Terminal User Groups Pushes information to users belonging to the specified area and
terminal user group after Terminal User Groups is selected.
The terminal user group is configured in the iPush system. For
details, see Configuring a Terminal User Group.
Attribute Groups After Attribute Group is selected, the administrator can set one
or multiple attributes to push information to users matching all
attributes.
All attributes of subscribers are displayed on the page. Area is
mandatory, and others are optional.
NOTE
The attributes displayed on the page is the subscriber static and dynamic
attributes synchronized by the iPush system from the SIG system. For
details, refer to section "4.2 Configuring the Subscriber" in the
HUAWEI SIG9800 Service Inspection Gateway Configuration Guide.
The iPush system cannot push information to attribute groups of
terminal type, phone model, operating system, and browser.
User Groups Pushes information to users in the specified user group after User
Groups is selected.
NOTE
The user groups displayed on the page is the subscriber groups
synchronized by the iPush system from the SIG system. For details, refer
to section "4.2 Configuring the Subscriber" in the HUAWEI SIG9800
Service Inspection Gateway Configuration Guide.
Step 5 (Optional) Add Time-sharing Configuration. To push information to users at the specified
time, set the time range for information push.
1. Set Period, Timeshare Week, and Time Slice.
2. Click Add to add a push time range.
3. (Optional) Repeat Step 5.1 to Step 5.2 to add more push time ranges. You must add more
time ranges by time order. Specifically, the push start time must be specified later than the
existing time range.
4. Set Time-sharing is not configured.
l If Normal Push is selected, information is pushed by default within the validity period
of the policy but beyond the selected weekday.
l If No Push is selected, information is not pushed by default within the validity period
of the policy but beyond the selected weekday.
Step 6 Click Save to save the configurations.
After a policy is saved, the Status of information is Initialized. In this case, the policy does not
take effect, and you can modify the policy in Initialized state.
NOTE
You can also click Save & Submit. The information is in Waiting for audit state, and the policy cannot
be modified.

Step 7 (Optional) Repeat Step 2 to Step 6 to add more policies.

Step 8 On the Configure Policy page, select one or multiple pieces of information whose status is
Initialized or Update, and then click Submit to submit the policies.
----End
Follow-up Procedure
After a policy is submitted for auditing, the Status of information is Waiting for audit. In this
case, the policy does not take effect after it is audited (Status is Released). Therefore, after a
policy is submitted for auditing, only the administrator with the policy audit permission can audit
the policy.
20.4.9 Auditing a Policy

A created policy can be released only after it is audited.
Prerequisites
The current administrator has the policy audit permission.
Context
On the Audit Policy page, the administrator can:
l Audit the information in Waiting for audit state.
Only the audited information can be released and take effect. The information failing the
audit is returned to the policy creator for updating or is completed directly.
l Stop the information in Released state.
The released information can be deleted only after it is stopped.
l Update the information in Completed state.
The completed information can be converted to the Update state, modified, and then
released again.


Submit Pass
Re
jec
t:U
Reject:Completed times are used up
Su
pd
Stop
ate
bm
it
Completed Update
Update
Manual execution
by administrator
Automatic execution
by the system
Procedure
l Audit the policy.
1. In the navigation tree, choose Policy Management > Audit Policy.
2. Select Waiting for audit from Status.
3. Click Query.
4. Click corresponding to the policy to be audited and view details of the policy.
5. Click Audit.
6. Set the audit result. Table 20-19 shows parameters.
Table 20-19 Parameters of auditing a policy
Audit Select Pass for a compliant policy.

Select Reject for an incompliant policy.
Priority/ When Audit is set to Pass, the priority of the policy should be
Return to specified.
When Audit is set to Reject, you need to select the return status
of the policy:
l Update
Return to the policy creator for modification.
l Completed
No longer use this policy. After a policy is completed, the
information cannot be assigned to other policies. You can add
a piece of information with the same contents by using the copy
and add function.

Audit opinion Enter the audit opinion. If the audit result is Pass, the policy can
be reviewed in future. If the audit result is Reject, the policy can
be used as a reference by the administrator who modifies the
policy.
7. Click OK.
l (Optional) Stop the information in Released state.
2. Select Released from Status.
3. Click Query.
4. Click Stop corresponding to the policy to be stopped.
5. Click OK in the dialog box that is displayed.
l (Optional) Update the information in Completed state.
2. Select Completed from Status.
3. Click Query.
4. Click Update corresponding to the policy to be updated.
5. Click OK in the dialog box that is displayed.
----End
20.4.10 Configuration Examples

This section provides examples for configuring the iPush service. You can refer to the
configuration examples to configure the iPush service.
20.4.10.1 Example for Pushing Information to All Terminal Users in the Specified
Area
This section provides an example for pushing bulletins to all terminal users in a specified area
by using the quick start. You can refer to this configuration example to configure information
quickly using the quick start.
Prerequisites
The current administrator has the Configure Guide, Configure Information, Configure
Policy, Configure Categories, and Audit Policy permissions.
The carrier plans to maintain the device on the morning of Jan. 17, 2011, which may affect users'
access to the network in Area Y. Therefore, the carrier needs to push a bulletin to all terminal
users in Area Y about this case from 2011-01-10 to 2011-01-16.

Procedure
Step 1 Configure the category.
1. In the navigation tree, choose Information Management > Configure Category.
2. Add the System maintenance bulletin subcategory under the Bulletin information
category, as shown in Figure 20-10.
Figure 20-10 Configuring the information category
3. Click OK.
Step 2 Configure the information and policy.
1. In the navigation tree, choose Quick Start > Configure Guide.
2. Configure the push information and policy, as shown in Figure 20-11.
Figure 20-11 Configuring push information
3. In Figure 20-11, click Save & Submit to complete the configuration of the information
and policy and access the policy audit page.
Step 3 Audit the policy.
1. On the Audit Policy page, click Audit corresponding to Area Y Bulletin to audit the policy,
as shown in Figure 20-12.

Figure 20-12 Auditing a policy
2. Click OK.
After the policy is audited, Status of Area Y Bulletin is Released, indicating that the
bulletin is configured.
----End
Result
The Area Y Bulletin policy takes effect for terminal users in Area Y from Jan. 10, 2011 to Jan.
16, 2011.
Users in Area Y will receive the bulletin pushed by the iPush system after accessing the Internet
since Jan. 10, 2011.
20.4.10.2 Example for Pushing Information to Terminal User Groups in the

Specified Area
This section provides an example for pushing information to the specified terminal user group.
Prerequisites
The list of 2M broadband users in Area X is obtained.
The push information with the user-defined style is edited, and the external URL is http://
www.example.com/weather.html.
The carrier service department needs to push weather information to 2M broadband users in
Area X from 2011-01-17 to 2011-01-23.
Suppose that 2M broadband users in Area X contain a01 and b01.
Procedure
Step 1 Configure the terminal user group.
1. In the navigation tree, choose Audience Management > Terminal User Group.
2. Add terminal user group 2M broadband user in Area X, as shown in Figure 20-13.

Figure 20-13 Adding a terminal user group
3. On the Terminal User Group page, click Configure corresponding to 2M broadband

user.
Import the 2M broadband users in Area X. The contents filled in the template is as shown
in Figure 20-14.
Figure 20-14 Importing terminal users
Step 2 Configure the category.

Add the Weather subcategory to the Bulletin category for information management.
2. Click Set Subcategory corresponding to Bulletin.
3. Click Add.
4. Enter the name and description of the information subcategory, as shown in Figure
20-15.

Figure 20-15 Adding an information subcategory
5. Click OK.
Step 3 Configure information.
2. Add the Weather information , as shown in Figure 20-16.
Figure 20-16 Adding information
3. In Figure 20-16, click Save & To Configure Policy to complete the information
configuration and access the policy configuration page.
Step 4 Configure a policy.
1. On the Add Policy page, configure the basic information and push objects of the policy,

Figure 20-17 Adding a policy
2. Click Save & Submit to complete the configuration of a policy.

1. On the Audit Policy page, click Audit corresponding to Weather information, as shown
in Figure 20-18.
2. Click OK.
After the policy is audited, Status of Weather information is Released, indicating that
the information is configured.
----End
Result
The Weather information policy takes effect for the specified terminal users in Area X from
Jan. 17, 2011 to Jan. 23, 2011.
Broadband users whose accounts are a01 and b01 in Area X will receive Weather
information after accessing the Internet.
20.4.10.3 Example for Pushing Information to the Specified Synchronization User

Group
This section provides an example for pushing information to the specified synchronization user
group.

Prerequisites
Subscribers attributes are configured in the SIG system.
The administrator account of the SIG system with the Subscriber User Group permission is
obtained.
The current administrator of the iPush system has the Configure Subcategory, Add
Information, Add Policy, and Audit Policy permissions.
The push information with the user-defined style is edited, and the external URL is http://
www.example.com/weather.html.
The service department of the carrier needs to push weather information to the broadband users
whose accounts contain cust in area X from 2011-01-01 to 2011-01-31.
Procedure
Step 1 Log in to the SIG system.
Step 2 Configure a subscriber user group.
In the navigation tree, choose Subscriber and Network Management > Subscriber > User
Group Management.Add user group Group1 in the SIG system and add subscribers whose
subscriber IDs contain cust in area X to Group1.
Step 3 Log in to the iPush system.
Step 4 Configure the categories.

3. Click Add.
20-19.

5. Click OK.
2. Click Add.
3. Configure the basic information, contents, and style for the pushed information, as shown
in Figure 20-20.
Figure 20-20 Configuring information
Figure 20-21 Configuring a Policy

1. On the Audit Policy page, click Audit corresponding to Weather Information to audit
the policy, as shown in Figure 20-22.

2. Click OK.
After the policy is audited, Status in Weather Information is Released, indicating that
the Weather Information is configured.
----End
Result
The Weather Information policy takes effect for users in Group1 of Area X from Jan. 1, 2011
to Jan. 31, 2011.
20.4.10.4 Example for Pushing Information to the Specified Attribute Group

This section provides an example for pushing information to the specified attribute group.
Prerequisites
Subscribers and Subscriber area attributes are configured in the SIG system.
The administrator account of the SIG system with the Subscriber Customized Attributes
Management permission is obtained.
The current administrator of the iPush system has the Configure Subcategory, Add
Information, Add Policy, and Audit Policy permissions.
The service department of the carrier needs to push weather information to users whose access
type is EVDO in area X from 19:00 to 21:00 on Saturdays and Sundays from Aug. 1, 2011 to
Aug. 31, 2011. The total push times is not restricted, a single user can be pushed every 30 minutes
and altogether twice a day only.
Procedure
Step 1 Log in to the SIG system.
Step 2 Add the access type for the group attribute.


2. Click Add and configure attribute information, as shown in Figure 20-23.
Figure 20-23 Adding an attribute
3. Click OK.
Step 3 Log in to the iPush system.
Step 4 Configure the Categories.

3. Click Add.
20-24.
5. Click OK.

2. Click Add.
3. Configure the basic information, contents, and style for the information, as shown in Figure
20-25.

Figure 20-25 Configuring information
1. On the Add Policy page, configure the basic information, push objects, and time-based
configuration of the policy, as shown in Figure 20-26.

Figure 20-26 Configuring a policy

1. On the Audit Policy page, click Audit corresponding to Weather Information to audit
the policy, as shown in Figure 20-27.
2. Click OK.

After the policy is audited, Status in Weather Information is Released, indicating that
the Weather Information is configured.
----End
Result
The Weather Information policy takes effect for the users whose access type is EVDO in Area
X from 19:00 to 21:00 on Saturdays and Sundays from Aug. 1, 2011 to Aug. 31, 2011.
20.4.10.5 Example for Not Pushing Information to the Specified Terminal User
This section provides an example for adding the user to the whitelist user group when the user
does not want to receive the information.
Prerequisites
The current administrator has the Add Whitelist User Group and Config Whitelist User
permission.
The administrator in Area Y receives the feedback from broadband user abc0123 that the user
does not want to receive Information A. Then the administrator can define a whitelist user group
and adds the user to the group. Therefore, the information is no longer pushed to the user.
Procedure
Step 1 In the navigation tree, choose Audience Management > Whitelist User Group.
Step 2 Add a whitelist user group.
1. Click Add.
2. Set parameters for the whitelist user group, as shown in Figure 20-28.
Figure 20-28 Configuring a whitelist user group
3. Click OK.
4. Click Return.

Step 3 Click Configure corresponding to the Operation column in Information A Group.
Step 4 Click Add.
Step 5 Configure information about the whitelisted user, as shown in Figure 20-29.
Figure 20-29 Configuring information about the whitelisted user
Step 6 Click OK.
----End
20.4.10.6 Example for Pushing Fee Information to Terminal Users

This section provides an example for pushing fee information to the users whose services are
going to expire to notify them of timely recharge.
Prerequisites
Before fee information configuration, the SIG system is connected to the BOSS to obtain the
terminal user account, service expiration time, and account balance.
The current administrator has the Add Information, Add Policy, Audit Policy, and Notify
Rule Add permissions.
The carrier needs to notify the users subscribing to the broadband service package in Area X of
the expiration from 2011-01-01: The notification is sent once a day since there are seven days
left for the service package.
Procedure
Step 1 Configure notify rule.
After the charge notice rule is configured, the iPush system generates a cognominal user group
and displays it in Terminal user group. The iPush system synchronizes all user information
from the BOSS and adds the users compliant with the charge notice rule to the corresponding
group.
1. In the navigation tree, choose Audience Management > Notify Rule Manage.
2. Click Add.
3. Configure notify rule, Figure 20-30 shows parameters.

Figure 20-30 add notify rule
Step 2 Configure fee information.

2. Click Add.
3. Configure the basic information, contents, and style. Figure 20-31 shows parameters.
Figure 20-31 Adding fee information
The source of the fee information is the file uploaded locally, which is defined according
to parameters in the template. In this example, the information contents are as shown in
Figure 20-32. The parameter in a red frame must be consistent with that in the template.

Figure 20-32 Information contents
4. In Figure 20-31, click Save & To Configure Policy to save the configurations.

Figure 20-33 Adding a policy

1. On the Audit Policy page, click Audit corresponding to Expiration notice to audit the
policy, as shown in Figure 20-34.

2. Click OK.
After the policy is audited, Status in Expiration notice is Released, indicating that the fee
information is configured.
----End
Result
The Expiration notice policy takes effect for broadband users in area X since Jan. 1, 2011.
According to the policy configured in Expiration notice, if the broadband service for account
user-a in Area X expires on Feb. 1, 2011, the iPush system will notify user-a every day during
one week earlier than Feb. 1, 2011, specifically, notify the user every day from Jan. 26 to Feb.
1.
If user-a does not recharge, the user will receive such information as shown in Figure 20-35
after logging in. If user-a recharges, the iPush system does not push fee information to the user.
Figure 20-35 Push effects
20.5 Report Management

This section describe how to collect statistics on and view the push times of a policy, and the
push times to different users. You can perform this task to view information push effects.
20.5.1 Push Effect Statistics
Report Function
You can view the push times and change trend by graphs, and view push effects (such as the
push times, click times, unique visitor number, click unique visitor number, and click percentage)
by reports. Two types of reports are available by time granularity:
l Push Effect Hourly Statistics

Collects the push effects of the compliant information every hour on the hour. The effects
can be summarized by pushed information, area, time, and type.
l Push Effect Daily Statistics

Collects the push effects of information on a daily basis. The effects can be summarized
by pushed information, area, time, statistical mode, and type.
NOTE
In the case of heavy data volume, online query is slow, and you can employ the background exporting
function to enable the iPush system to generate reports on the background.
To use the background exporting function, set query conditions first, and then click Unique Visitor
Export.
Saving Period
Table 20-20 Saving period

Report Saving Period
Push Effect Hourly 3 months

Statistics
Push Effect Daily 12 months

Statistics
Parameters
Table 20-21 Parameters

Area When an area is selected, its sub-areas are excluded.
Statistical Mode Available statistical modes are:

l Statistics by information contents
Summarizes the push effects per day by the compliant pushed
information.
l Statistics by area
Summarizes the push effects per day by all areas (if no area
is selected) or the selected area.
l Statistics by time
Summarizes the push effects per day by the selected time
range.
Push times Indicates the push times of the iPush system.
Click times Indicates the click times on the information.
Unique Visitor number Indicates the number of unique visitors to whom information is
pushed. A unique visitor is a broadband subscriber.
Click Unique Visitor Indicates the number of unique visitors who click the
number information.
Click Percentage Indicates the percentage of the click times to push times.

Viewing Push Effects Every Hour on the Hour in Specified Areas

View push effects every hour on the hour in Area X from 2011-02-16 07:00:00 to 2011-02-17
07:00:00.
1. Set query conditions, as shown in Figure 20-36.
Figure 20-36 Setting query conditions
2. Click Query to view push effects by curve graph, as shown in Figure 20-37.
Figure 20-37 Viewing the push effect curve graph
3. Select Report from Type, and click Query to view the push times and click times every
hour on the hour through reports, as shown in Figure 20-38.
NOTE
The DST behind the time in the figure Indicates the Daylight Saving Time. The DST is displayed
only when it is configured.

Figure 20-38 Viewing the push effect report
Viewing the Push Effects of Multiple Pieces of Information by Day

View the push effects of information AD_S and information AD_S_2 from 2011-02-01 to
2011-02-16.
2. Click Query to view push effects by curve graph, as shown in Figure 20-40.
Figure 20-40 Viewing the push effect curve graph

20.5.2 Push Details
Report Function
This section describes how to view details about the specified information or user, including
whether the user clicks the information, push time, and the URL that is being accessed by the
user when the information is pushed.
NOTE
In the case of heavy data volume, online query is slow, and you can employ the background exporting
function to enable the iPush system to generate reports on the background.
To use the background exporting function, set query conditions first, and then click Background
Export.
Saving Period
Saving period: three months
Parameters
Table 20-22 Parameters
Area Views the push details of the information in the selected areas
when the push objects are multiple areas.
Information Views the push details of a piece of information.
Terminal user Views the push details of an information audience.
Statistical Mode Two statistical methods are available:

l Details
Collects details about each piece of pushed information.
l Summary
Summarizes the push times by user when collecting details
about a piece of information. Summarizes the push times by
information when collecting details about push to a terminal
user.
Subscriber ID Indicates the identification of the subscriber who receives the

information.
Click Indicates whether the user clicks the information.
Access address Indicates the URL that is being accessed by the user when the
user receives the pushed information.
Viewing Push Details About a Piece of Information Within a Time Range

View the push details on information lzy0216_2 in a specified time range.

2. Click Query to view push details by curve graph, as shown in Figure 20-42.
Figure 20-42 Viewing push details
3. Select Summary from Statistical Mode, and click Query to view push details by user
summary through reports, as shown in Figure 20-43.
Figure 20-43 Viewing push details by user summary
Viewing Push Details to a subscriber Within a Time Range

View the push details on broadband subscriber lzy111 in a specified time range.
2. Click Query to view push details to the user through reports, as shown in Figure 20-45.
Figure 20-45 Viewing push details to a specified ID
3. Select Summary from Statistical Mode, and click Query to view push details by pushed
information summary through reports, as shown in Figure 20-46.

Figure 20-46 Viewing push details by pushed information summary
20.5.3 Background Exporting Details
Function
After you set the exporting task of the number of unique visitors in the Push Effect Statistics
report or the background exporting task in the Push Details report, you can view and manage
the created export tasks, and download the exported reports.
Description
Create a background exporting task.
l Number of unique visitors to whom information is pushed

In the navigation tree, choose Report Statistics > Push Effect Statistics. Click Push Effect
Daily Statistics, set the querying conditions, and click Unique Visitor Export.
l Querying push details
In the navigation tree, choose Report Statistics > Push Details. Set the querying condition,
and click Background Export.
The administrator can perform the following operations:
l Click the task name in the Report Name column to view the task information and query
conditions of the background task.
l Click Download corresponding to the task to download the exported report.
20.6 Appendix
20.6.1 Making the Fee Information Page

The fee information page needs to contain information about users' fee. Therefore, use
parameters to express related information in the code of the fee information page file.
Download the fee information page on the Configure Information page:

2. Click Add.
3. Select File from Source of the Content group box.
4. Select Yes from Fee Information.
5. Click Download template to download the information template file.
Table 20-23 shows parameters of the code for the fee information page.

Table 20-23 Parameters of the code for the fee information page
@baseurl@ This is a special parameter for the fee information page, and is used to
make up the relative path used by the information page as a complete
path.
Do not delete this field.
@act@ The Information Server replaces this parameter with the broadband
subscriber ID when it pushes fee information. Locate this parameter to
the place where the subscriber ID is to be displayed.
@enddate@ The Information Server replaces this parameter with the expiration date
of the broadband service package for a broadband user when it pushes
fee information. Locate this parameter to the place where the expiration
date of the broadband service package is to be displayed.
@balance@ The Information Server replaces this parameter with the balance of the
broadband user when it pushes fee information to users with other types
of payments. Locate this parameter to the place where the user balance
is to be displayed.
20.6.2 Description of the Conflicting Mechanism

If information types conflict with information policies, or the area policies conflict with
information policies, the iPush system processes the conflict according to the conflicting
mechanism.
The description of the conflicting mechanism is as follows:
l The priorities of information types are different from those of information policies.
If multiple pieces of information are valid for one audience, the information whose
information category enjoys a higher priority is preferentially pushed. If the information
categories enjoy the same priority, the information whose policy enjoys a higher priority
is preferentially pushed.
l Minimum Push Interval per User configured in the information policy is different from
Minimum Push Interval in the area policy.
If Minimum Push Interval per User is configured in the information policy, use the larger
value between Minimum Push Interval per User in the policy and Minimum Push
Interval in the area policy. If Minimum Push Interval per User is not configured in the
information policy, use the value of Minimum Push Interval in the area policy.
l The push times per day is configured in the information policy, and Maximum Push Times
per Day per User is configured in the area policy.
If the push times per day is configured in the information policy, and Maximum Push
Times per Day per User is configured in the area policy, use the smaller value.
20.6.3 Changing an Account Password

Prerequisites
The current online administrator belongs to the role Modify Password.
Procedure
Step 1 In the navigation tree, choose Permission Management > Administrator Management.
Step 2 Click Set user password on the right side of the account.
Step 3 Enter the new password and confirm it.
Ensure that the new password and the confirmed new password are the same.
Step 4 Click OK. The password of the specified administrator has been changed successfully.
----End

Configuration Guide 21 Report Management
21 Report Management
About This Chapter
Through report management, you can learn the public management operations of reports,
including managing predefined analysis objects, timed task reports, and background task reports.
21.1 About Report Management

This section describes the basic concepts of report management.
21.2 Configuring the Report Storage Cycle
To globally change the storage cycle of report data, you should perform this task.
21.3 Managing Predefined Analysis Objects
To bind report query conditions such as the area to predefined analysis objects for simplifying
the operation of querying reports, you should perform this task.
21.4 Managing Timed Task Reports
To globally query and manage the timed task reports specified during the report query operation,
you should perform this task.
21.5 Managing Background Task Reports
To globally query and manage the background task reports specified during the report query
operation, you should perform this task.
21.6 Managing Customized Reports
By setting customized reports, you can fix report query conditions, therefore simplifying query
operations on common reports. Meanwhile, the system can display multiple reports in a
centralized manner as required. To add, delete, or query customized reports, or assign data
permissions to them, you should perform this task.
21.7 Managing the Protocol Colors of Reports
When displaying reports, the SIG can automatically set protocol colors. To manually adjust
protocol colors, you should perform this task.
21.8 Exporting Configuration Data
To export the traffic report data of common customers to the external FTP server or server group,
perform this task.

21.1 About Report Management

This section describes the basic concepts of report management.
l Report storage cycle
Indicates the storage cycle of the report data stored in the database.
The SIG supports the setting of the five-minute, hourly, daily, and monthly report storage
cycles of a single user's data (report data of subscribers), and collected data (by statistics
objects such as the VIC, link, and direction). For example, the storage cycle of the five-
minute report of a user's traffic is specified as seven days. In this case, the system reserves
the data of the five-minute report for seven calendar days. If data is generated on the first
day of each month, the data can be queried on the eighth day and earlier days, but is deleted
by the system at 00:00 on the ninth day.
l Predefined analysis object
To simplify the operation of entering conditions during the report query, you can bind two
or more query conditions that specify the range of analysis objects and thus define one type
of query objects. For example, you can define the subscribers whose areas are Haidian and
service package is 2M_Package as a predefined analysis object.
Based on the types of analysis objects, predefined analysis objects include subscriber and
VIC predefined analysis objects.
l Timed task report
The system automatically queries reports according to a certain running cycle such as at a
time point daily, weekly, monthly, or yearly.
During the report query, when you click Timed Task and set timed parameters, the timed
task report is generated. For example, to configure a timed task report to query the traffic
trend from Monday to Friday at 01:00 on each Saturday, you should set parameters as
shown in Figure 21-1. The day number in the query conditions is the number of days before
Execution Time, and HH:MM is the absolute time.

Figure 21-1 Setting the parameters of the timed task
NOTE
Report formats vary with report types. If a format is grey, the timed task report of this format cannot
be generated.
l Background task report
As the process of querying reports lasts for a certain period, the operator can transfer the
process to the Back End for saving time, and then the background task report is generated.
During the report query, when you click Background Implementation in the pop-up
dialog box, the background task report is generated.
l Customized report
You can customize report query conditions and data display for the report.
By setting the customized report, you can fix report query conditions, therefore simplifying
query operations on common reports. Meanwhile, the SIG can display multiple reports in
a centralized manner as required.
l Protocol color management
When displaying reports, the SIG can automatically set protocol colors. Through protocol
color management, you can manually adjust the display colors for protocols.
l Report categories
Reports are divided into the following categories by data granularity:
– Five-minute report

NOTE
When you query a report, if you only enter the query time range without selecting the data
granularity for the report, the data granularity is to be decided automatically according to the
length of the time range specified.
The time points at which queries can be performed are different for multiple data granularities.
If no result is displayed after a query, try modifying query conditions.
Time Granularity in the query condition does not have a mapping relationship with the data
granularity of the report in the query result, and is used only for the convenience of entering a
time range for the query.
– Hourly report
Figure 21-2 and Figure 21-3 show report examples.
The hourly report is formed by the statistics of multiple five-minute reports, and
statistics within the last hour are collected every half-hour. For example, statistics from
08:00 to 09:00 are collected at 9:30. If it is 09:20, records at 08:00 are unavailable in
the hourly report.
– Daily report
The daily report is formed by the statistics of hourly reports, and statistics on the last
day are collected at 01:00 every day. For example, statistics on January 1 are collected
at 01:00 on January 2. If it is 00:30 on January 2, records on January 1 are unavailable
in the daily report.
NOTE
When you query the daily report, only the year, month, and day values on the query page are
valid, and the month and minute values are invalid. When you query the monthly report, only
the year and month values on the query page are valid, and the day, hour, and minute values are
invalid.
– Monthly report
The data in the monthly report can be saved for up to four years. The monthly report is
formed by the statistics of daily reports, and statistics of the last month are collected at
03:00 on the first day of each month. For example, statistics on January are collected at
03:00 on February 1. If it is 01:00 on February 1, records on January are unavailable in
the monthly report.
Figure 21-2 Graph of the hourly report

Figure 21-3 Record of the hourly report
21.2 Configuring the Report Storage Cycle

To globally change the storage cycle of report data, you should perform this task.
Prerequisites
The current user has the System Management service permission.
NOTE
If the previous operation of changing the storage cycle of report data takes effect, this operation cannot be
performed. In this case, you should perform the operation after the previous operation takes effect.
Context
The SIG supports the setting of the five-minute, hourly, daily, and monthly storage cycles for
the traffic, traffic direction of a single user's data (report data of subscribers), and collected data
(by statistics objects such as the VIC, link, and direction). For example, the storage cycle of the
five-minute report of a user's traffic is specified as seven days. In this case, the system reserves
the data of the five-minute report for seven calendar days. If data is generated on the first day
of each month, the data can be queried on the eighth day and earlier days, but is deleted by the
system at 00:00 on the ninth day.
Procedure
Step 2 In the navigation tree, choose System Management > System Configuration > Statistic Data
saved Cycle.
Step 3 Perform the following operations as required:
l If the storage cycle does not need to be specified according to the service or data type, directly
enter the cycle value to be changed in the text box.
l If the storage cycle needs to be specified according to the service or data type, click Show
Advance Configuration, and then enter the cycle value to be changed in the text box.
Step 4 Click Save. The system displays a prompt indicating that the operation succeeds.
----End

21.3 Managing Predefined Analysis Objects

To bind report query conditions such as the area to predefined analysis objects for simplifying
the operation of querying reports, you should perform this task.
Prerequisites
The current user has the Statistics and Analysis Report service permission.
Procedure

l To add subscriber predefined analysis objects: In the navigation tree, choose Statistics and
Analysis Report > Analysis Object Predefined by Subscriber.
l To add VIC predefined analysis objects: In the navigation tree, choose Statistics and
Analysis Report > Analysis Object Predefined by VIC.
Step 3 Click Add.
Step 4 Set the attribute value of predefined analysis objects.
For example, to define the subscribers whose areas are Haidian and service packages are
2M_Package as a predefined analysis object, you should select Haidian from Area and
2M_Package from Service Package.
For details on the attributes of subscribers, see 4.2 Configuring the Subscriber. For details on
the attributes of VICs, see 4.3 Configuring the VIC.
Step 5 Enter the object name in Name, click OK.
----End
21.4 Managing Timed Task Reports

To globally query and manage the timed task reports specified during the report query operation,
you should perform this task.
Prerequisites
Context
After the task of querying a certain report is specified as the timed task, the system completes
the report query at the specified time and saves the queried report to the database. The operator
can specify the query condition on the Timed Task Management interface to query reports.

Procedure
Step 2 In the navigation tree, choose Statistics and Analysis Report > Timed Task Management.
Step 3 Click Query, enter the query condition as required, and then confirm the operation.

l View the details about timed tasks.
1. Click Task Information in the line where the task to be queried. Only one task can be
queried at a time.
2. View the details in the dialog box.
l Query the details about timed task reports.
1. Click Log in the line where the timed task of the report to be queried resides. The system
displays all queried reports after the timed task is implemented.
2. Click Report Information in the line where the report to be queried resides to query
the details about the report.
l Disable or enable the timed task.
1. Select the timed task report to be disabled or enabled, and then click Disable or
Enable.
2. Click Yes.
l clean the report generated by the timed task.
1. Click Clean Configure.
2. In the pop-up dialog box, enter the time condition of implementing the periodical
cleaning task according to the time of generating the report.
3. Click OK. The generated reports that meet the cleaning condition of timed tasks are
cleaned. For example, if the cleaning cycle of the timed task whose implementation
cycle is daily is set to seven days, the system automatically cleans the reports generated
seven days ago by the timed task that is performed daily.
l Delete the timed task.
NOTE
Only the task in Disabled state can be deleted.
1. Select the task to be deleted, and then click Delete.

2. Click Yes in the confirmation dialog box.
----End
21.5 Managing Background Task Reports

To globally query and manage the background task reports specified during the report query
operation, you should perform this task.
Prerequisites

Context
The process of querying reports lasts for a certain period. Therefore, the operator can transfer
the process of querying reports to the background, saving the time for performing other
operations. When estimating that the report query is complete, the operator can set query
conditions on the Background Task Management interface to query interested reports.
The SIG system automatically cleans the background tasks of the previous week at 04:00
everyday.
Procedure
Step 2 In the navigation tree, choose Statistics and Analysis Report > Background Task
Management.
Step 3 Click Query, enter the query condition as required, and then confirm the operation.

l View the details about tasks.
1. Click Task Information in the line where the task to be queried. Only one task can be
queried at a time.
2. View the details about the tasks in the pop-up dialog box.
l Query the details about reports.
NOTE
You can query the details about reports only when the task status is end.
1. Click View Report in the line where the task to be queried. Only one task can be queried
at a time.
2. Query the details about the report in the pop-up dialog box.
l Delete report tasks.
1. Select the task to be deleted, and then click Delete.
2. Click Yes in the confirmation dialog box.
----End
21.6 Managing Customized Reports

By setting customized reports, you can fix report query conditions, therefore simplifying query
operations on common reports. Meanwhile, the system can display multiple reports in a
centralized manner as required. To add, delete, or query customized reports, or assign data
permissions to them, you should perform this task.
Prerequisites

Procedure
Step 1 In the navigation tree, choose Statistics and Analysis Report > Customized Report
Management.
Step 2 Click Add.
Step 3 In the pop-up dialog box, enter the name of the customized report to be added in Customized
Report Name.
Step 4 Select the service type, sub-service type, and report type from the drop-down list and then set
them.
Step 5 Click Add. Set query conditions in the pop-up dialog box, and click OK. The system returns to
the previous page and displays a new record.
Step 6 (Optional) Repeat Step 4 to Step 5 and add other report entries as required.
Step 7 Click OK. The system returns to the previous page and displays a new record.

l Querying reports: Click Query Report of the report to be queried and query the result.
l Setting the scheduled task: Click Save Timed Task of the report to be specified and set
implementation conditions.
l Modifying reports: Click the link of the report to be modified and modify related attributes.
l Assigning data permissions: Select the check box of the report where the data permission is
to be assigned. Click Assign Data Authority and set the read, write, or authorized permission
for accounts.
l Deleting reports: Select the check box of the report to be deleted. Click Delete.
----End
21.7 Managing the Protocol Colors of Reports

When displaying reports, the SIG can automatically set protocol colors. To manually adjust
protocol colors, you should perform this task.
Prerequisites
Context
The SIG provides two modes of displaying the protocol colors of reports.
l Default protocol color

It is the default management mode in the system, with the protocol color disabled.
When this mode is adopted, the SIG provides dozens of colors by default for the system to
display reports. The color of one protocol may vary with reports.
l Fixed protocol color
The protocol color is enabled, and the system displays reports according to the system
template or the protocol-bound colors in the user-defined template.

When this mode is adopted, the color of one protocol keeps the same in all reports.
Procedure
Step 2 In the navigation tree, choose Statistics and Analysis Report > Protocol Color
Management.

l If the default protocol color mode is adopted, make sure that Protocol Color Switch is in
Disable state, that is, the Disable button is grey. Then you can click the Default Color
Management tab to add, modify, or delete colors by default for the system to display reports.
l If the fixed protocol color mode is adopted, click Enable to the right of Protocol Color
Switch and confirm the operation. Then select a desired template from the Configure
Template drop-down list and confirm the operation.
You can add, modify, or delete the protocol color template. To add a template, select the
check box of New Template, and enter the name of the new template in Template Name.
Then specify colors for protocols in the Color Table area as required and click
Application, as shown in Figure 21-4. Click Save at the bottom of the page.
Figure 21-4 Adding a color template
----End
21.8 Exporting Configuration Data

To export the traffic report data of common customers to the external FTP server or server group,
perform this task.
Prerequisites
The current user has the service permission of Statistics and Analysis Report.
Context
The system supports only the export of the five-minute report data of common customers. The
data is exported in .csv files, as shown in Figure 21-5.

Figure 21-5 Example for exporting data
NOTE
The last entry of records in the preceding figure indicates the collection end time which can be parsed as
the Universal Time Coordinated (UTC).
The system supports the data export to an FTP server or server group. When you export data to
a FTP server group, set a priority value to each FTP server in the group. The system supports
the following modes:
l Master/Standby mode
The system exports the data to the available FTP server with the smallest priority value.
l Load balancing mode
The system exports the data file to each FTP server in the polling way.
Procedure
Step 2 In the navigation tree, choose Statistics and Analysis Report > Data Export Configuration.
Step 3 Add an FTP server or server group.
1. Click Add.
2. Enter the name of the FTP server or server group in Destination Name in the dialog box
that is displayed.
3. Click Add, enter the information of the FTP server such as IP Address, User Name, User
Password and Priority Level in the dialog box that is displayed, and click OK.
NOTE
You can click Test Connection to check whether the FTP server can be accessed.
4. (Optional) Repeat the previous step to add other FTP servers.
5. Click Save.
Step 4 Select the Data Export Configuration in the upper page.
Step 5 Click Add.
Step 6 Set parameters in the dialog box that is displayed, as shown in Figure 21-6.

Figure 21-6 Exporting Configuration Data
NOTE
The system supports only the export of five-minute report data at present.
After Export Log is enabled, the system automatically stores the record export log to the FTP server at
01:00 a.m. each day.
Step 7 Click Save.

Wait for about 15 minutes, and log in to the FTP server to view the synchronization file.
----End

Configuration Guide 22 System Management
22 System Management
About This Chapter
System management mainly involves managing system accounts and their permissions, back-
end licenses, basic system parameters, knowledge bases, and operation logs. Through system
management, you can ensure the normal running of the system.
22.1 Managing Flow Classifications and Flow Classification Items

Flow classification items and flow classifications are used to identify network traffic by flow
features. Flow classification items are defined by one or more conditions including application-
layer protocol type (such as HTTP), network-side IP address, Layer-3 protocol attributes, and
Layer-4 protocol attributes, and one flow classification can consist of one or more flow
classification items. Perform this task when you need to customize flow classifications to
implement policy control or report traffic data by flow classification.
22.2 Managing System Accounts and Permissions
To globally manage system accounts, roles, and permission control mechanism, you should
perform this task.
22.3 Managing Basic System Parameters
To modify the basic system parameters such as the IP address of the OMC, working mode, and
IP address range that allows to access the Back End, you should perform this task.
22.4 Managing the Alarm Address
The data configuration engineer can manage the used alarm addresses in a uniformed manner.
22.5 Managing the Dynamic Alarm
To meet the diversified customization requirements of the alarm functions in URL filtering,
spammer monitoring, Botnet monitoring, worm monitoring, the GreenNet service, and security
service (Botnets, worms, and malicious URLs), the SIG provides the flexible dynamic alarm
mechanism.Through dynamic alarm, the device pushes different alarms by area or service.
22.6 Managing the Knowledge Base
To set the parameters for automatically updating the DPI protocol signature file, malware
signature file, and URL Category Database (UCDB), you should perform this task.
22.7 Managing Operation Logs

Operation logs record the details about the operations performed by the operator on the Back
End, including the login account, operation time, operation type, and IP address of the operator.
To query or manage operation logs, you should perform this task.

22.1 Managing Flow Classifications and Flow Classification

Items
Flow classification items and flow classifications are used to identify network traffic by flow
features. Flow classification items are defined by one or more conditions including application-
layer protocol type (such as HTTP), network-side IP address, Layer-3 protocol attributes, and
Layer-4 protocol attributes, and one flow classification can consist of one or more flow
classification items. Perform this task when you need to customize flow classifications to
implement policy control or report traffic data by flow classification.
22.1.1 Overview
This section details the concept and purpose of flow classification items and flow classifications.
The concepts involved are as follows:
l Flow Classification Item
A flow classification item is a network traffic categorization that meets one or more
conditions including application-layer protocol type (such as HTTP), network-side IP
address, Layer-3 protocol attributes, and Layer-4 protocol attributes.
The system defines each protocol category in the DPI protocol signature file as a flow
classification by default to serve as reference in flow classification definition.
For details about flow classification item definition, see 22.1.5 Parameter Description.
l Flow Classification
Is network traffic combination defined by one or more flow classification items.
The system defines each protocol category in the DPI protocol signature file as a flow
classification by default. For example, Web_Browsing is all the network traffic that falls
into the Web_Browsing protocol category.
One flow classification may include one or more flow classification items and a flow
classification item may be included in multiple flow classifications. Figure 22-1 shows the
relationship between flow classification items and flow classifications.
Figure 22-1 Relationship between flow classification items and flow classifications
Flow classification 1 Flow classification 2 Flow classification M
Flow classification Flow classification Flow classification

Item N Item N Item N
… … … …
Item 2 Item 3 Item 5
Item 1 Item 2 Item 4
M≤500
1≤N≤100

As the basic management unit of SIG, flow classifications are used:
l to identify traffic objects in policy definition.

A flow classification is used as the control object of the policy item in the policy package
in the definition of certain types of policy package. For example, when defining QoS policy
package, to limit the maximum downstream P2P bandwidth, cite P2P to identify the P2P
traffic to be controlled.
Figure 22-2 shows the relationship among policy packages, policy items, and flow
classifications.
Figure 22-2 Relationship among policy packages, policy items, and flow classifications
Policy Package
Policy Item 1 Policy Item 2 Policy Item X

Flow Flow Flow
classification 1 classification 2 classification X
Action Action Action

…
Priority Priority Priority
… … …
1≤X≤256
l To support traffic report view by flow classification

The system supports traffic report view by protocol category or protocol by default. For
customized flow classifications, you can view traffic reports by flow classification when
any of the following conditions is met:
– Policy package has been bound.
If any one or more of the policy items of Rate Limiting, Number of Connections Control,
Throttling, Strict Priority, and WFQ are set for a flow classification and the policy
package is bound to a subscriber and network object, you can view the traffic report for
the subscriber and network object by the flow classification.
For example, if you define policy package Package1 that contains the policy item Rate
Limiting for Flow Classification 1 and bind Package1 to all subscribers in Beijing area,
then you can view the traffic report on Flow Classification 1 for all subscribers in the
Beijing area.
– Customized data reporting
If you define the policy package that cites a particular flow classification on the Traffic
Management > Customized Data Reporting > Flow Classification Statistic Policy
page and binds the package to a subscriber and network object, you can view the traffic
report for this subscriber and network object by the flow classification.

This section describes procedure for managing flow classification items and flow classifications.

Prerequisites
The current user has the Basic Configuration permission.
Procedure
Step 2 Manage flow classification items.

> Flow Classification Item Configuration.
2. Optional operations are as follows:
l To add a flow classification item manually, click Add, enter a parameter value in the
pop-up dialog box, and then click OK.
l To import flow classification items in batches, click Import and then the link on the
right of Downloading Template in the pop-up dialog box to obtain the Excel template.
Enter data about the flow classification items to be imported in the Excel template, click
Browse in the dialog box, select the edited Excel file, and click OK.
l To export all flow classification item data defined by the current system, click Export
All, and then click OK in the pop-up dialog box.
l To view or modify information on a flow classification item, click the link of Name of
entries to be modified of the flow classification item list, and perform operations as
needed in the dialog box.
l To delete a flow classification item(s), select the check box for the entries to be deleted
from the flow classification item list, click Delete, and confirm the operation.
l To query a flow classification item(s), click Query, enter conditions in the pop-up dialog
box, and then click OK.
Step 3 Manage flow classifications.

2. Optional operations are as follows:
l To add a flow classification, do the following:
a. Click Add. The Add Flow Classification dialog box appears.
b. Enter flow classification name, code, and description information in the text box
in the Add Flow Classification dialog box,
where Name is mandatory, Code is generated by the system, and Description is
optional.
NOTE
When the flow classification code is used for interconnecting with a third party policy
server (such as HuaweiUPCC), it will be cited in policy definition in the third party policy
server to identify flow classification object.
c. In the Add Flow Classification dialog box, click Select the flow classification
item which has been configured, and select the flow classification items included
in the flow classification in the pop-up dialog box.

NOTE
You can also click Add to add a flow classification item.

d. Click OK. The Add Flow Classification dialog box appears.
e. Click OK. The system returns to the Flow Classification Configuration page and
displays the added record.
l To view or modify information on a flow classification, click the link of Name of the
entries to be modified of the flow classification list, and perform operations as needed
in the dialog box.
l To delete a flow classification(s), select the check box for the entries to be deleted from
the flow classification list, click Delete, and confirm the operation.
l To query a flow classification(s), click Query, enter conditions in the pop-up dialog
box, and then click OK.
----End
22.1.3 Typical Configuration Example 1

This section provides detailed operations for managing basic flow classification items and flow
classifications.
Prerequisites
Define the HTTP traffic of some music Web sites as a flow classification to define separate
control policies (such as applying specific charge rates) for the traffic visiting the Web site by
subscribers in the internal network.
The IP address range of the music Web sites is:
l 50.50.50.50
l 60.60.60.100/30
l 70.70.70.70 to 70.70.70.100
Procedure
Step 1 Log in to the Back End of the SIG using account admin.
Step 2 Add flow classification items.

> Flow Classification Item Configuration.
2. Click Add.

Figure 22-3 Adding flow classification items (1)
4. Click Manage to the right of Network Side IP and the Network Side IP Management
dialog box appears.
5. Click Add. in the dialog box that is displayed, enter myMusicIPAddress in the Name
field, and then click OK.
6. Click Add, select IP Segment from Type, enter 50.50.50.50 in Start IP Address and
50.50.50.50 in End IP Address, and click OK.
7. Select Mask from Type, enter 60.60.60.100 in Subnet Address and 30 in Mask Digits,
and click OK.
8. Select IP Segment from Type, enter 70.70.70.70 in Start IP Address and 70.70.70.100
in End IP Address, click OK, and click Cancel. Figure 22-4 is displayed.

Figure 22-4 Adding network-side IP addresses
9. Click Close to return to the previous dialog box.

10. Click Close. The Add Flow Classification Item dialog box appears.
11. Click to the right of Network Side IP and select myMusicIPAddress as shown in
Figure 22-5.
Figure 22-5 Adding flow classification items (2)
1. Click OK. The system returns to the Flow Classification Item Configuration page and
displays the added record.

Step 3 Add flow classifications.

2. Click Add.
3. Enter myMusicService in the Name dialog box.
4. Click Select the flow classification item which has been configured and select
myMusicServiceItem in the dialog box that is displayed.
5. Click OK. Figure 22-6 appears.
Figure 22-6 Adding a flow classification
6. Click OK. The system returns to the Flow Classification Configuration page and displays
the added record.
----End

This section provides detailed operations for managing flow classification items and flow
classifications.
Prerequisites
Define system protocol categories P2P and PeerCasting as a flow classification to define
separate control policies for the relevant flow (such as applying separate QoS policies).

Procedure
Step 1 Log in to the Back End of the SIG using account admin.
Step 2 Add flow classifications.
2. Click Add.
3. Enter myP2PandPeerCasting in the Name dialog box.
4. Click Select the flow classification item which has been configured and select P2P and
PeerCasting in the dialog box that is displayed.
5. Click OK. Figure 22-7 appears.
Figure 22-7 Adding a flow classification
6. Click OK. The system returns to the Flow Classification Configuration page and displays
the added record.
----End

This section describes key parameters for managing flow classification items.
Table 22-1 shows important parameters for managing flow classification items.

Table 22-1 Parameter description for managing flow classification items

Name Identifies a flow classification item. [Setting method] Enter a

Application Mandatory, a protocol category or protocol in [Setting method] Select

Layer a DPI protocol signature file the item in the list box.
Protocol [Example] HTTP
Network Side Optional, specifies the destination IP address of [Setting] Click Manage
IP upstream packets or source IP address of on the right and add
downstream packets. options in the dialog box
The network-side IP address of a flow that is displayed. After
classification item may consist of one or more you add an option, click
IP address segments. Add IP addresses in the on the right and select
segments as follows: a network-side IP address.
l IP Segment
For Example: 20.20.20.20-20.20.20.222
l Mask
For Example: 30.30.0.0/16
L3 Protocol Optional, specifies the ToS or DSCP attributes

Attribute of IP packets For details about ToS or DSCP, [Setting] Click on the
see 5.4.1 Overview. right.
The system has listed all possible ToS and
DSCP attribute values by default. To set the
attributes, click on the left.

NOTE
To set multiple ToS or DSCP attributes for a flow
classification item, click Manage on the right, delete
the corresponding ToS or DSCP attribute values in
the dialog box that is displayed, and then click
Add .
L4 Protocol Optional, specifies the destination port of [Setting] Click Manage

Attribute upstream packets or source port of downstream on the right and add
packets. options in the dialog box
NOTE that is displayed. After
To learn about Layer-4 protocol type (TCP or UDP), you add an option, click
see the selected Application Layer Protocol.
on the right and select
a Layer-4 protocol
attribute.
[Example] 0-100

22.2 Managing System Accounts and Permissions

To globally manage system accounts, roles, and permission control mechanism, you should
perform this task.
22.2.1 Overview
This section describes the permission control mechanism of the system.
To ensure the secure and stable running of the system, you need to grant system users different
permissions.
The SIG adopts the role-based permission management mode. A role is the collection of
permissions, and different roles can be defined for the system. If a user obtains a certain role,
the user has all the permissions of the role.
For the SIG, two types of permissions are provided. One role can have either or both types of
permissions.
l Service Authority
With this permission, you can open operation interfaces and perform corresponding
operations.
The service permissions of the system are divided based on the operation items on the
interfaces and the nodes in the navigation tree. For example, the Administrator
Management interface includes the service permissions of viewing, adding, and modifying
the administrator.
l Data Authority
With this permission, you can perform the read, write, or authorize permission on operation
objects. Data permissions are only valid to the operation objects of role management and
area management.
NOTE
Choose System Management > System Configuration > System Basic Configuration and you
can disable the data authority function on the interface. When the data authority function is disabled,
the SIG provides only the service authority control mechanism. If an account has the service authority
of a certain interface, it indicates that the account has the operation permissions for all data objects
on the interface.
For roles, assignable data permissions include:
– Read
If an account has the read permission of a role, through the account, you can query the
details about the role.
– Write
If an account has the write permission of a role, through the account, you can query,
modify, and delete the role, and assign service permissions to the role.
– Authorize
If an account has the authorize permission of a role, through the account, you can query,
modify, and delete the role, and assign service permissions and data permissions to the
role.
For areas in service object management, assignable data permissions include:

– Read
If an account has the read permission of an area, through the account, you can view the
details about the area and its sub-areas, and service objects and reports of the area or
sub-areas.
– Write
If an account has the write permission of an area, through the account, you have the
read permission, and can add, modify, enable, disable, and delete the area and sub-areas.
– Authorize
If an account has the authorize permission of an area, through the account, you have the
read and write permissions, and data permissions for the area and sub-areas.
NOTE
Similar to the area, if you have added customized reports, you can assign data permissions to them.
When managing system accounts and permissions, you are recommended to add roles, service
permissions to the roles, add system accounts, and then data permissions to the system accounts
according to data management requirements.
NOTE
By default, the SIG has a system administrator (also called the super administrator) account whose user
name is admin and default password is Admin@123. This account has all the permissions of the system,
and cannot be deleted.

This section describes the detailed operation procedure of managing system accounts and
permissions, so that the system maintenance engineer can learn the corresponding operation
procedure.
Figure 22-8 shows the recommended configuration procedure.
Figure 22-8 Procedure for configuring system account and permission management
Start
Add a role
Assign service
permissions
Add an account
Assign data
permissions
End

Table 22-2 Procedure description of managing system accounts and permissions
Action Description
Add a role You can add a role to globally manage system accounts by role.
Operation page: In the navigation tree, choose System
Management > Permission Management > Role Management.
Assign service You can assign service permissions to the role.

permissions Operation page: In the navigation tree, choose System
Management > Permission Management > Role Management.
Add an account You can add a system account to assign a role to the account.
Operation page: In the navigation tree, choose System
Management > Permission Management > Administrator
Management.
Assign data You can assign data permissions to roles and areas as required.
permissions Operation pages include:
l To assign data permissions to roles: In the navigation tree, choose
System Management > Permission Management > Role
Management.
l To assign data permissions to the areas of subscribers: In the
navigation tree, choose Subscriber and Network Management
> Subscriber > Area Management.
l To assign data permissions to the areas of VICs: In the navigation
tree, choose Subscriber and Network Management > Very
Important Customer > Area Management.
NOTE
For details on the service object management service, see 4 Subscriber and
Network Object Initialization.

This section provides an example for managing system accounts and permissions.
Prerequisites
The current user has the Permission Management service permission, and data permissions to
authorize the objects.
An account named as reportUser needs to be added. Through the account, service reports can
be queried.
Suppose that 4.2 Configuring the Subscriber is complete, and the name of the root area is
Beijing. Through account reportUser, all the reports of subscribers in the Beijing area can be
queried.

Suppose that the system maintenance engineer (Mr. Zhang) with account admin performs the
task.
Procedure
Step 1 Log in to the Back End of the SIG with account admin.
Step 2 Add a role and assign service permissions to the role.

1. In the navigation tree, choose System Management > Permission Management > Role
Management.
2. Click Add.
3. Enter reportRole in Role Name of the pop-up dialog box, and then click OK. The system
returns to the previous page and displays a new record.
4. Select the check box of reportRole, and then click Assign Service Authority.
5. Select the check box of Statistics and Analysis Report, as shown in Figure 22-9.
Figure 22-9 Allocating service permissions
6. Click OK to confirm the operation.
Step 3 Add an account and assign the role to the account.

1. In the navigation tree, choose System Management > Permission Management >
Administrator Management.
2. Click Add.

Figure 22-10 Adding an account
NOTE
The password must contain no less than six characters covering uppercase letters, lowercase letters,
and digits.
5. Select the check box of record reportUser, and then click Assign Role.
6. Select the check box of the reportRole line in the pop-up dialog box.
7. Click OK, and then confirm the operation.
Step 4 Assign data permissions.

Area Management.
2. In the area list, select Beijing, and then click Assign Data Authority.
3. Select the check box of Read in the reportUser line of the pop-up dialog box, as shown
in Figure 22-11.
Figure 22-11 Allocating data permissions

4. Click OK, and then confirm the operation.
----End
22.3 Managing Basic System Parameters

To modify the basic system parameters such as the IP address of the OMC, working mode, and
IP address range that allows to access the Back End, you should perform this task.

This section describes how to manage basic system parameters.
Prerequisites
CAUTION
After the Back End is installed, you should set certain basic system parameters in the pop-up
dialog box on the first login to the Back End. Once specified, parameters cannot be changed.
Procedure
Step 2 According to the interface for the parameters to be specified, operations are as follows:
l To view partial basic system parameters: In the navigation tree, choose System
Management > System Configuration > System Basic Configuration.
l To set device connection parameters: In the navigation tree, choose System Management
> System Configuration > Component Configuration.
l To set login security parameters: In the navigation tree, choose System Management >
System Security > Security Configuration.
Step 3 Set parameters as required.
----End

This section describes the important parameters for managing basic system parameters.
Table 22-3 shows the description of the important items in managing basic system parameters.

Table 22-3 Description of basic system parameters

Parameter Name Meaning How to Set
Subscriber Area To implement the hierarchical management [Operation page]: In

Level of services, the SIG supports dividing one the navigation tree,
managed region into several management choose System
units. Each management unit is an area. Management >
The system supports the hierarchical System
management (up to five levels) of Configuration >
subscriber areas. System Basic
Configuration.
[Setting method]:
Select the item from the
drop-down list.
[Example]: 2
VIC Area Level The system supports the hierarchical [Operation page]: In
management (up to three levels) of VIC the navigation tree,
areas. choose System
Management >
System
Configuration >
System Basic
Configuration.
[Setting method]:
drop-down list.
[Example]: 3
Virtual Tunnel and The system supports the hierarchical [Operation page]: In
Link Area Level management (up to three levels) of virtual the navigation tree,
tunnels and link areas. choose System
Management >
System
Configuration >
System Basic
Configuration.
[Setting method]:
drop-down list.
[Example]: 3

Data Authority You can enable or disable the data authority [Operation page]: In
function by clicking the option button. the navigation tree,
When the data authority function is choose System
disabled, the SIG provides only the service Management >
authority control mechanism. If an account System
has the service authority of a certain Configuration >
interface, it indicates that the account has System Basic
the operation permissions for all data Configuration.
objects on the interface. [Setting method]:
Click the option button.
Select a rule to This is an optional parameter. If the check [Operation page]: In

identify the area box is selected, the area is set to the dynamic the navigation tree,
where a subscriber attribute of the subscriber. After this choose System
belongs function is enabled, the subscriber and the Management >
area cannot be bound statically; instead, the System
SIG extracts user's SN, BTS, or cell Configuration >
information from the RADIUS or GTP-C System Basic
packet upon user's login to judge the area Configuration.
where the subscriber belongs. [Setting method]
In addition, the SIG automatically enables Select the check box
the selected dynamic attribute of SN, BTS, and click the option
or Cell to the customized attributes of button.
subscribers.
OMC Configuration When multiple front-end devices form a [Operation page]: In

cluster, the cluster should have only one the navigation tree,
device as the master device, and can have choose System
another device serving as the backup Management >
device. All other devices serve as slave System
devices. Configuration >
This parameter is used to add the IP Component
addresses of the master and backup devices Configuration.
as well as the name and ID of the cluster [Setting method] Click
where the devices reside. The cluster ID Configure, enter the IP
needs to be unique in the system. address in the text box,
NOTE and then click Add.
The IP address of the slave device does not need
to be set here.
The system supports querying the URL report
by the cluster name. For details, refer to 8.3.3
Report Examples.

UCDB This parameter is used to set the IP address [Operation page]: In

Configuration and database password of the UCDB. the navigation tree,
choose System
Management >
System
Configuration >
Component
Configuration.
Configure, and then
enter the parameter
Working Mode This parameter is used to set the working [Operation page]: In
Configuration mode. The options are in-line and off-line. the navigation tree,
choose System
Management >
System
Configuration >
Component
Configuration.
Configure, and then
click the option button.
CFS Configuration The CDR routing condition and the [Operation page]:
disabling conditions of the CDR file can be [Setting method] Click
adjusted according to the default value. Configure, and then
The CDR routing conditions are used to click the check box.
identify the paths for saving CDR files by
GGSN IP address. The system has already
provided a default condition to specify the
path for saving all CDRs. If the CDR
routing condition changes, the system
immediately disables all CDR files related
to the original routing condition.
The disabling condition of CDR files is
used to adjust the triggering condition. The
system immediately disables the CDR files
if the triggering condition is reached.
For details on offline charging, see 7
Charging Service.

NTP NTP Server CAUTION [Operation page]: In

Serv Configuratio If the Back End uses the SUSE Linux Enterprise the navigation tree,
Server 11 operating system, modification on the
er n choose System
configurations of the NTP server may lead to
Conf process anomaly of the Oracle database. In this Management >
igura case, you need to log in to the server blade where System
tion the Oracle database resides, and run the service Configuration >
dpiserver restart command as the root user to Component
restart the process. Configuration.
Oracle database components include the
MPD_DB, ETL_DB, USER_DB & CUST_DB,
and EMS_DB. Configure, and then
enter the parameter
When the Back End uses the third-party value in the text box.
Network Time Protocol (NTP) server to
synchronize time, you can set this
parameter to specify the IP address of the
NTP server. If the third-party NTP server is
not used, this parameter does not need to be
specified.
If a slave NTP server exists, enter the IP
address of the server.
You can run the ntp-service unicast-
serverip-address command on the Front
End to specify the IP address of the NTP
server. During configuration, you can set
the IP address either to that of the actual
NTP server or that of the back-end SGMS
(Regardless of whether the third-party NTP
server is used, the IP address of the back-
end SGMS is available).
Conf Start IP This parameter is used to set the range of IP [Operation page]: In
igure Address, addresses, through which the Back End can the navigation tree,
IP End IP be logged in. By default, the range of IP choose System
Seg Address addresses allowed to be accessed is 1.0.0.0 Management >
ment to 223.255.255.255. System Security >
To ensure security, you are recommended Security
to delete the default IP address range Configuration.
(1.0.0.0 to 223.255.255.255), and reset the [Setting method] Click
IP address range. If no IP address exists in Configure, and then
the specified IP address list, all operators enter the parameter
that remotely log in fail to log in to the Back value in the text box.
End. The current operator is not forced
offline, but fails to log in the next time.

Conf Enable the This parameter is used to enable the email [Operation page]: In
igure Email service and enter certain settings. the navigation tree,
Emai Service, After the email server is enabled, the SIG choose System
l Server can send the random login password and Management >
Serv Address, timed task report to users through emails. System Security >
er Sender Security
Email Configuration.
Address [Setting method] Click
Configure, select the
check box, and then
enter certain settings in
the text box.
Enable When identity authentication is required by [Operation page]: In

Authenticati the email server, the identity authentication the navigation tree,
on, User function needs to be enabled and the choose System
Name, corresponding user name and password Management >
Password need to be specified. System Security >
Security
Configuration.
Configure, select the
check box, and then
enter certain settings in
the text box.
Conf Enable If the password validity period function is [Operation page]: In

igure Password specified, the SIG starts to prompt you to the navigation tree,
Secu Validity change the password before the expiration choose System
rity Period, Days date approaches. Otherwise, you cannot log Management >
Man Before in to the Back End after the password System Security >
agem Password expires. Security
ent Expiration, If the function is not specified, the password Configuration.
Time to never expires and is not restricted by the [Setting method] Click
Prompt validity period. Configure, and then
Password set the parameters
Expiration through check boxes
and the drop-down list.

Enable After Enable Lockout for Wrong [Operation page]: In

Lockout for Password, Security Password Retry the navigation tree,
Wrong Count, Lockout Duration, Inputting choose System
Password, Interval is selected, if the password retry Management >
Security count exceeds the specified value, the login System Security >
Password account is locked. Security
Retry Count, By default, the function is not enabled, the Configuration.
Lockout password retry count is not restricted, and [Setting method] Click
Duration, the account is not locked by the system. Configure, and then
Inputting set the parameters
Interval through check boxes
and the drop-down list.
Configure Session When the interaction between the SIG [Operation page]: In
Expired Time client and the Web server exceeds the the navigation tree,
specified time, the session expires, and thus choose System
the Web server disconnects with the SIG Management >
client. System Security >
By default, the session expiration time is 10 Security
minutes. You can set the session expiration Configuration.
time as required. The setting takes effect on [Setting method] Click
the next login for online users including the Configure, and then
current user. enter the parameter
22.4 Managing the Alarm Address

The data configuration engineer can manage the used alarm addresses in a uniformed manner.
Prerequisites
The current user has the Basic Configuration service permission.
Procedure
Step 1 In the navigation tree, choose Basic Configuration > User Message Configuration > Alarm
URL Management.
Step 2 Click Add. The Add Alarm URL dialog box is displayed.

l Enter a URL in Alarm URL.
Such as http://www.huawei.com.
To attach subscriber information to the alarm URL to be pushed, you need to set User
Parameter Format, and add Fixed Parameter as required. For example, if the alarm URL
needs to be set to http://www.example.com/?lan=en&n=@dpi_userid@ (dpi_userid is the

account identifier), enter www.example.com in Alarm URL, lan=en in selected Fixed

Parameter, and n in selected User Parameter Format.
l Click Alarm File and then upload alarm files in HTM, HTML, or WML format.
l Click Alarm Template and enter a file name and text content to generate an alarm file.
NOTE
The system supports WAP alarm push. Protocols such as WAP1.0, WAP1.1, WAP1.2, and WAP2.0 are
supported.
Step 4 Click OK.
----End
22.5 Managing the Dynamic Alarm

To meet the diversified customization requirements of the alarm functions in URL filtering,
spammer monitoring, Botnet monitoring, worm monitoring, the GreenNet service, and security
service (Botnets, worms, and malicious URLs), the SIG provides the flexible dynamic alarm
mechanism.Through dynamic alarm, the device pushes different alarms by area or service.
Prerequisites
Context
The dynamic alarms of the SIG include the following functions:
l Global dynamic alarms
Indicate the alarm configurations for the service objects in all areas. By default, there is an
alarm configuration entry for all services in the system. The administrator can respectively
configure alarm records for URL filtering, spammer monitoring, Botnet monitoring, worm
monitoring, GreenNet service, Botnet security service, worm security service, and
malicious URL filtering of security service.
When configuring the alarm records of all services or a certain service, the administrator
can specify alarm addresses, such as the URL of the accessible external Web server, or
upload local .htm or .html files; so that information is displayed for the target user when
the SIG generates an alarm.
The priority of the alarm policy configured for all services is lower than that configured
for a certain service. That is, the alarm policy for all services is enabled only when the alarm
for a certain service is not configured.
l Area dynamic alarms
To generate diversified service alarms for users in different areas, the SIG supports area-
based alarms as follows:
– For subscribers
Based on areas, the administrator respectively sets the alarm address of URL filtering,
spammer monitoring, Botnet monitoring, worm monitoring, GreenNet service, Botnet
security service, worm security service, malicious URL filtering of security service, and
the alarm address of all services.
– For VICs

Based on areas, the administrator respectively sets the alarm address of URL filtering
and GreenNet service.
The configurations of area dynamic alarms are the same as those of global dynamic alarms.
The administrator can specify the alarm address or upload .htm or .html files, so that
information is displayed for the target user when the SIG generates an alarm.
When configuring area-based alarm policies, the administrator can concurrently configure
alarm policies for the areas of all levels or partial levels. For the alarms of different levels,
the priority of the son-area alarm is higher than that of the parent-area alarm. For example,
if Beijing and Haidian areas are configured with alarms, the alarms for Haidian users match
the alarm configuration in Haidian area firstly.
The priority of area dynamic alarms is higher than that of global dynamic alarms. When a certain
service triggers the alarm policy, the SIG firstly detects whether the area dynamic alarm in this
area is configured. If the alarm is configured, an alarm is generated according to the area dynamic
alarm configuration; otherwise, an alarm is generated according to the global dynamic alarm
configuration.
NOTE
The system supports WAP alarm push. Protocols such as WAP1.0, WAP1.1, WAP1.2, and WAP2.0 are
supported.
Procedure
Step 1 (Optional) Configure global dynamic alarms.
Global Dynamic Alarm Management.
2. Perform the following operations as required:
l If you want to modify the alarm configuration for all services, click All Services, and
enter the alarm address or select the path where the alarm file is saved in the displayed
dialog box.
l If you want to add the alarm configuration of the URL filtering service type, click
Add, select URL Filter in the displayed Service Type dialog box, and enter the alarm
address or the path where the alarm file is saved as required.
l If you want to add the alarm configuration of the spammer service type, click Add,
select Spammer in the displayed Service Type dialog box, and enter the alarm address
or the path where the alarm file is saved as required.
l If you want to add the alarm configuration of the Botnet service type, click Add, select
Botnet in the displayed Service Type dialog box, and enter the alarm address or the
path where the alarm file is saved as required.
l If you want to add the alarm configuration of the worm service type, click Add, select
Worm in the displayed Service Type dialog box, and enter the alarm address or the
l If you want to add the alarm configuration of the GreenNet service type, click Add,
select GreenNet-URL Filter in the displayed Service Type dialog box, and enter the
alarm address or the path where the alarm file is saved as required.
l If you want to add the alarm configuration of the security service-Botnet type, click
Add, select Security-Botnet in the displayed Service Type dialog box, and enter the

l If you want to add the alarm configuration of the security service-worm type, click
Add, select Security-Worm in the displayed Service Type dialog box, and enter the
l If you want to add the alarm configuration of the security service-malicious URL filter
type, click Add, select Security-Malicious URL Filter in the displayed Service
Type dialog box, and enter the alarm address or the path where the alarm file is saved
as required.
Table 22-4 shows the parameter description of the previous operations.
Table 22-4 Parameter description of the basic information about dynamic alarms
Service Type If the alarm is configured for all services, the value of this
parameter is fixed to All Services; otherwise, the following
can be selected:
l URL Filter
l Spammer
l Botnet
l Worm
l GreenNet-URL Filter
Indicates the configuration of the alarm address or the
alarm file for the GreenNet service.
l Security-Botnet
l Security-Worm
l Security-Malicious URL Filter
HTTP Alarm Select the previously added alarm URL. The alarm URL is
URL added in Basic Configuration > User Message
Configuration > Alarm URL Management.
Alarm File Select the previously added alarm file. The alarm file is
added in Basic Configuration > User Message
Configuration > Alarm URL Management.
WAP Alarm File This item need to be configured only when WAP users exist.
Select the previously added alarm file. The file is added in
Basic Configuration > User Message Configuration >

Redirect This parameter is valid when Service Type is not URL filter.
It indicates whether the target access page is displayed after
the system prompts alarm information for the target user.
When Redirect is Yes, you need to choose at least one
redirection mode, for example, the automatic redirection
mode or the confirmation redirection mode, or you can adopt
two redirection modes concurrently.
NOTE
If Auto-redirect and Confirm redirection are enabled at the same
time, the system immediately performs redirection after the user
confirms the alarm information in Redirection interval. If the user
does not confirm the alarm information in Redirection interval after
the period times out, the system immediately performs the
redirection without user confirmation.
Auto-redirect This parameter is valid when Redirect it or not is Yes. Users

can select this option and enter the interval in Redirection
interval, so that after this interval, the alarm page of the
system is redirected to the target access page.
Confirm redirection This parameter is valid when Redirect it or not is Yes. Users
can select this option and confirm the operation on the alarm
page, and then the target access page is displayed.

Step 2 (Optional) Configure the area dynamic alarms for subscribers.
Subscriber Area Dynamic Alarm Management.
l If you want to add the area alarm configuration of all services, click Add, select All
Services in the displayed Service Type dialog box, select the target area that needs
alarm configuration in Select Area, and then enter the alarm address or the path where
the alarm file is saved as required.
By repeating the previous operations, you can configure alarms for other areas.
l If you want to add the area alarm configuration of the URL filtering service type, click
Add, select URL Filter in the displayed Service Type dialog box, select the target area
that needs alarm configuration in Select Area, and then enter the alarm address or the
l If you want to add the area alarm configuration of the spammer service type, click
Add, select Spammer in the displayed Service Type dialog box, select the target area
that needs alarm configuration in Select Area, and then enter the alarm address or the
l If you want to add the area alarm configuration of the Botnet service type, click Add,
select Botnet in the displayed Service Type dialog box, select the target area that needs

l If you want to add the area alarm configuration of the worm service type, click Add,
select Worm in the displayed Service Type dialog box, select the target area that needs
l If you want to add the area alarm configuration of the worm service type, click Add,
select GreenNet-URL Filter in the displayed Service Type dialog box, select the target
area that needs alarm configuration in Select Area, and then enter the alarm address or
the path where the alarm file is saved as required.
l If you want to add the area alarm configuration of the security service-Botnet type, click
Add, select Security-Botnet in the displayed Service Type dialog box, select the target
l If you want to add the area alarm configuration of security service-worm type, click
Add, select Security-Worm in the displayed Service Type dialog box, select the target
l If you want to add the area alarm configuration of security service-malicious URL filter
type, click Add, select Security-Malicious URL Filter in the displayed Service
Type dialog box, select the target area that needs alarm configuration in Select Area,
and then enter the alarm address or the path where the alarm file is saved as required.

Step 3 (Optional) Configure the area dynamic alarms for VICs.

VIC Area Dynamic Alarm Management.
2. Click Add, select the target area that needs alarm configuration in the displayed Select
Area dialog box, and then enter the alarm address or the path where the alarm file is saved
as required.
By repeating the previous operations, you can configure area alarms for VICs.

----End
22.6 Managing the Knowledge Base

To set the parameters for automatically updating the DPI protocol signature file, malware
signature file, and URL Category Database (UCDB), you should perform this task.

22.6.1 Overview
This section describes the categories and functions of the knowledge base of the system.
Related concepts of knowledge base management are as follows:
l DPI protocol file
DPI protocol signature file, serving as a large-capacity dedicated DPI system, the SIG
system provides powerful protocol analysis capability and analyzes hundreds of protocols
including P2P, IM, game, and stream media protocols.
Moreover, the SIG system supports the automatic upgrade and manual importing for the
signature file, as well as the customized signature file.
l UCDB
The UCDB saves a large amount of URL category information and provides a database
delivering the query function. Through the UCDB, the SIG system provides the URL
monitoring function. For example, certain URLs that subscribers or VICs access can be
blocked or alarmed according to the related policy.
In addition, the SIG system provides the automatic upgrade for the UCDB and supports
customized UCDBs.
l Malware signature file
The malware signature file is used to identify malicious traffic such as worm and Botnet
traffic. Through the malware signature file, the SIG system implements detection on
malicious traffic, and provides the worm monitoring service for subscribers, VICs, and
links, or delivers the Botnet monitoring function for subscribers or VICs.
Besides, the SIG system supports the automatic upgrade and manual importing for the
malware signature file. The malware signature file and DPI signature file adopt the same
automatic upgrade mechanism. That is, after the automatic upgrade of the protocol database
is configured, the system implements the same configuration on the automatic upgrade of
the malware signature file.
With knowledge base management, you can implement:
l DPI signature file management
The automatic upgrade and manual importing of the DPI signature file can be implemented
and customized DPI signature files are supported.
l UCDB management
The automatic upgrade can be implemented and customized UCDBs are supported.
l Malware signature file management
The automatic upgrade and manual importing of the malware signature file can be
implemented and customized malware signature files are supported.
l Terminal information signature file management
With terminal information signature file management, the equipment type (mobile, data
card, or other unknown types), mobile telephone brand, operating system type, and browser
type can be identified according to the account type and traffic features. After the
corresponding dynamic attributes of subscribers are added and enabled, the policy
management and report analysis can be implemented on the traffic of different types.
By default, the management on terminal information signature file is enabled. The
equipment type, mobile telephone brand, operating system type, and browser type can be
identified through the analysis of RADIUS packets and HTTP packets. Moreover, you can
manually add a terminal feature or import terminal features in batches in knowledge base

management, so that references are provided for the identification of unknown terminals.
In this case, the accurate and comprehensive identification of user terminals on the current
network is achieved.
NOTE
The HTTP content type signature file is used for collecting statistics in a certain report. Operation page:
In the navigation tree, choose Statistics and Analysis Report > Traffic > Link and Virtual Tunnel >
HTTP Content Traffic Trend.

This section describes how to manage the knowledge base.
Prerequisites
The current user has the Basic Configuration and System Management service permissions.
NOTE
If you need to enable the automatic upgrade function of the signature file, ensure that the Update Server
can access the Internet.
If you need to manually import the DPI signature file, malware signature file, or UCDB version file,
download the version file to be upgraded from http://sec.huawei.com.
Procedure
Step 2 (Optional) Import the DPI signature file and malware signature file.
1. In the navigation tree, choose System Management > Update of System Knowledge
Base > Update of Signature File.
l To import the DPI signature file, click Import in the DPI Signature File Version
Management. Click Browse to select the file to be imported, and then click Import.
l To import the malware signature file, click Import in the AME Signature File Version
Management. Click Browse to select the file to be imported, and then click Import.
Step 3 (Optional) Configure the automatic upgrade for the DPI signature file and malware signature
file.
Base > Update of Signature File.
2. In the Update Server Configuration group box, click Configure.
3. Enter the information of the update Web site, and then click Save.
NOTE
To learn related information about the upgrade Web site, contact Huawei technical support personnel.
4. In the Update Cycle Configuration group box, click Configure.
5. Enter the upgrade cycle, and then click Save.
Step 4 (Optional) Import the UCDB version file.
Base > Update of URL File.
2. Click Import.

3. Click Browse to select the file to be imported, and then click Import.
Step 5 (Optional) Configure the automatic upgrade of the UCDB.

Base > Update of URL File.
2. In the Update Server Configuration group box, click Configure.
3. Enter the information of the update server, and then click Save.
NOTE
To learn related information about the upgrade server, contact Huawei technical support personnel.
4. In the Update Cycle Configuration group box, click Configure.
5. Enter the upgrade cycle, and then click Save.
Step 6 (Optional) Check the versions of the DPI signature file, malware signature file, and UCDB.
l To check the version of the DPI signature file: In the navigation tree, choose System
Management > Update of System Knowledge Base > Update of Signature File. In the
corresponding group box, click Version Management.
l To check the version of the malware signature file: In the navigation tree, choose System
Management > Update of System Knowledge Base > Update of Signature File. In the
corresponding group box, click Version Management.
l To check the version of the UCDB: In the navigation tree, choose System Management >
Update of System Knowledge Base > Update of URL File. In the URL Category Version
Management group box, view the current version.
NOTE
When multiple versions of DPI signature files or malware signature files exist, the system allows you to
switch the current version to another one. When performing the switching, select the version to be switched
to the current one, and then click Set Current Version.
Step 7 (Optional) Customize the DPI signature file.

For details, see 22.6.3 Typical Configuration Example (Customized DPI Signature File,
Traffic on the Specified Web Site).
Step 8 (Optional) Customize the URLs and categories.

For details, see 8.2.3 Typical Configuration Example 1 (Links).
Step 9 (Optional) Manage the Terminal Information Signature File.

1. In the navigation tree, choose Basic Configuration > Signature File Management >
Terminal Information Signature File.
2. Select the type of the terminal to be managed in the Terminal Type drop-down list box.
3. The available operations are as follows:
l To import signature values in batches, click Import. Then click Browse, and select the
file to be imported.
If the template of the file to be imported is required, click Terminal Eigenvalue
Template in the dialog box.
l To add a signature category, click Add Category and enter corresponding information.
l To add a signature value, click Add Terminal and enter corresponding information.
l To modify the name of a specified category, click the category to be modified in the
Terminal Information area, click Modify, and enter corresponding information.

l To delete one or more signature values, select the signature value to be deleted in the
Terminal Information area, and click Delete.
l To delete a category without signature values, Click the category to be deleted in the
Terminal Information area, and click Delete.
l To export the terminal signature file, click Export All and save the file to a local path.
----End
22.6.3 Typical Configuration Example (Customized DPI Signature

File, Traffic on the Specified Web Site)
This section provides an example for customizing the DPI signature file. The traffic on the
specified Web site should be configured as the customized protocol.
Prerequisites
You should configure the specified URL as the customized protocol. In this manner, the SIG
can identify the generated traffic of the URL as that of the customized protocol instead of HTTP.
The following takes defining www.example.com as the protocol (named as RedirectURL) as

an example. Protocol RedirectURL belongs to the category named as PremiumURL.
Procedure
Step 2 In the navigation tree, choose Basic Configuration > Signature File Management >
Step 3 Add a category.

1. Click Add a Category.
2. In the pop-up dialog box, enter the name of the category (for example, PremiumURL) to
be defined in Category Name.
3. Click OK. The system returns to the previous interface and the added category is displayed
in the category list.
Step 4 Define a protocol.

1. Select an existing category (for example, PremiumURL) in the category list.
2. Click Add a Protocol.
3. In the pop-up dialog box, select HTTP for Protocol Type, and enter the name of the
protocol (for example, RedirectURL) to be defined in Protocol Name.
4. Click Save. Figure 22-12 shows the interface.

Figure 22-12 Configuring a customized protocol (1)
5. Click Add.

7. Click OK. The system returns to the previous interface and display a new record.
8. Click Close. The system returns to the previous interface and the added protocol is
displayed in the protocol list.
9. Click Submit a New Version, and then confirm the operation.
----End
22.6.4 Typical Configuration Example (Customized DPI Signature

File, MP3 Online Music Traffic on the Specified Web Site)
This section provides an example for customizing the DPI signature file. The MP3 online music
traffic on the specified Web site should be configured as the customized protocol.
Prerequisites
The MP3 online music traffic on Web site music.example.com is configured as carried by a
customized protocol. In this way, when such type of traffic is sent, its protocol is identified by
the SIG as the customized protocol, but not the predefined one.
Network packet analysis software is used to extract the target traffic. The sample is as follows:
//Upstream packets
GET
/service/03835c3ffb89a4a5a6fe64d20a2cda89.mp3?
xcode=dfdb0015e114519df90987aa0a25be9c24 HTTP/1.1
Accept: */*
User-Agent: NSPlayer/10.0.0.4072 WMFSDK/10.0
Accept-Encoding: gzip, deflate
Host: music.example.com
Connection: Keep-Alive
Cookie: EXAMPLEID=1717B049F1DB473CFA9A4F4E7CF060BA:FG=1
//Downstream packets
HTTP/1.1 200 OK
Server: JSP/1.0.3.0
Date: Thu, 22 Jul 2010 02:49:14 GMT
Content-Type: application/octet-stream
Content-Length: 3578983
Connection: close
Last-Modified: Tue, 20 Jul 2010 01:49:00 GMT
Expires: Sun, 25 Jul 2010 00:29:13 GMT
Cache-Control: max-age=259200
Accept-Ranges: bytes
After the sample is analyzed, the following features of the target traffic are concluded:
l Character string .mp3 and global scanning

l Character string music.example.com and global scanning
Procedure

Step 2 In the navigation tree, choose Basic Configuration > Signature File Management >
Step 3 Add a category.
1. Click Add a Category.
2. In the pop-up dialog box, enter the name of the category (for example, myMP3) to be
defined in Category Name.
3. Click OK. The system returns to the previous interface and the added category is displayed
in the category list.
Step 4 Define a protocol.
1. Select an existing category (for example, myMP3) in the category list.
2. Click Add a Protocol.
3. In the pop-up dialog box, select HTTP for Protocol Type, and enter the name of the
protocol (for example, ExampleMP3) to be defined in Protocol Name.
4. Click Save. Figure 22-14 shows the interface.
5. Click Add.

7. Click OK. The system returns to the previous interface and display a new record.
8. Click Close. The system returns to the previous interface and the added protocol is
displayed in the protocol list.
9. Click Submit a New Version, and then confirm the operation.
----End
22.6.5 Parameter Description of the Customized DPI Signature File

This section describes the important parameters for customizing the DPI signature file.
Table 22-5 shows the description of the important parameters for customizing the DPI signature
file.

Table 22-5 Description of customized DPI signature file parameters

Protocol Type To increase the accuracy of protocol [Setting method] Select the
identification. Options are: corresponding item from the
l HTTP drop-down list.
l RTSP (Real-Time Streaming [Value range]
Protocol) l HTTP
l MMS (Microsoft Media Server) l RTSP
l Other l MMS
If it is not HTTP, RTSP or MMS, select l Other
Other.
Quin Protocol To specify the transport-layer protocol [Setting method] Enter a

tuple Transmit type for this protocol. value in the text box.
Setti Type [Value range]
ng
l TCP
l UDP
Source IP To specify the source IP address range [Setting method] Enter a

Address, of packets. value in the text box.
Source
Mask
Source To specify the source port of packets. [Setting method] Enter a

Port value in the text box.
Destinatio To specify the destination IP address [Setting method] Enter a

n IP range for packets. value in the text box.
Address,
Destinatio
n Mask
Destinatio To specify the destination port of [Setting method] Enter a

n Port packets. value in the text box.
Key Offset Options are: [Setting method] Select the

word Direction l Payload Header corresponding item from the
Setti drop-down list.
ng Starts scanning and matching from
the packet header. [Value range]
l Payload End l Payload Header
Starts scanning and matching from l Payload End
the packet end.

Offset To specify the scanning location. For [Setting method] Enter a

Location example, if this parameter is set to 10, value in the text box.
Offset Direction to Payload Header,
Content Type to Character String,
and Content to .mp3, the system scans
11 to 14 bytes after the payload header,
and checks whether they match
the .mp3 character string.
The offset location value is an integer
ranging from 0 to 63, in bytes. If the
value falls out of the range, set the
attribute to null to enable global
scanning (provided HTTP, MMS, or
RTSP is present).
Content Options are Character String and [Setting method] Select the
Type Hex. corresponding item from the
drop-down list.
[Value range]
l Character String
l Hex
Content To configure the contents to be scanned. [Setting method] Enter a

If Content Type is set to Hex, enter a value in the text box.
hexadecimal character string to be
scanned; if Content Type is set to
Character String, enter a character
string to be scanned.
22.7 Managing Operation Logs

Operation logs record the details about the operations performed by the operator on the Back
End, including the login account, operation time, operation type, and IP address of the operator.
To query or manage operation logs, you should perform this task.
Prerequisites
Procedure
Step 2 In the navigation tree, choose System Management > System Security > Log Management.
Step 3 View logs on the interface, or click Query to query logs by entering query conditions.
Step 4 (Optional) Export logs within the specified range to the local.

1. Click Export All.

2. (Optional) In the pop-up dialog box, enter the operation account, start time, end time, and
type of the log to be exported.
3. Click OK and confirm the operation. The system saves the log in .csv format to the local.
Step 5 (Optional) Dump the logs of the specified time range to the specified path of the master UI server.
1. Click Dump.
2. (Optional) Enter the start time, end time, and path of the logs to be dumped in the pop-up
dialog box.
3. Click OK.
----End

Configuration Guide 23 FAQs
23 FAQs
About This Chapter
23.1 Using the Firefox Browser, How Can I Set the Disk Location for Saving the Exported
Template?
23.2 How to troubleshoot the fault that navigation nodes in the directory cannot be expanded,
when the user uses the Firefox browser to open the Help system?
23.3 What if the exporting through the IE browser fails in certain OSs?
23.4 What are the conversion relations of traffic units and rate units in this document?
23.5 When I use the Firefox browser, the texts on the page are incomplete or the layout is
improper. What should I do?
23.6 How to Set the Priority of a Policy Item?

23.1 Using the Firefox Browser, How Can I Set the Disk
Location for Saving the Exported Template?
Question
Using the Firefox Browser, How Can I Set the Disk Location for Saving the Exported Template?
Answer
Step 1 In the menu bar of the Firefox, choose Tools > Options. The Downloads dialog box is displayed.
Step 2 Click the Main tab.
Step 3 The following are the methods of saving the exported template:
l The downloaded files are saved to a specified path every time.
1. Click the Save files to option button.
2. Click Browse to set the default path for saving the downloaded files.
l The system prompts that the path for saving the file needs to be selected every time a file is
downloaded.
Click Always ask me where to save flies, and the system prompts that the path for saving
the file needs to be selected every time a file is downloaded.
Step 4 Click OK to complete the setting.
----End
23.2 How to troubleshoot the fault that navigation nodes in

the directory cannot be expanded, when the user uses the
Firefox browser to open the Help system?
Question
How to troubleshoot the fault that navigation nodes in the directory cannot be expanded, when
the user uses the Firefox browser to open the Help system?
Answer
Click in the toolbar to reload the current page. Alternatively, use the IE browser to re-log in
to the Back End, and call and read the Help system.
23.3 What if the exporting through the IE browser fails in

certain OSs?

Question
What if the exporting through the IE browser fails in certain OSs?
Answer
You can add the current URL to the trusted sites. If the fault still persists, set the security level
to Low, and Automatic prompting for file downloads to Enable, as shown in Figure 23-1.
Figure 23-1 Security Setting
23.4 What are the conversion relations of traffic units and

rate units in this document?
Question
What are the conversion relations of traffic units and rate units in this document?
Answer
1GB=1000MB, 1MB=1000KB, 1KB=1000bytes, 1byte=8bits
1kbit/s=1000bit/s

23.5 When I use the Firefox browser, the texts on the page
are incomplete or the layout is improper. What should I do?
Question
When I use the Firefox browser, the texts on the page are incomplete or the layout is improper,
as shown in Figure 23-2. What should I do?
Figure 23-2 Improper page layout
Answer
1. Open the Firefox browser, and choose Tools > Options.
2. Click the Content tab, and then click Advanced in the Fonts & Colors group box.
3. In the Fonts dialog box, click Allow pages to choose their own fonts, instead of my
selections above, as shown in Figure 23-3.

Figure 23-3 Font setting
4. Click OK.
23.6 How to Set the Priority of a Policy Item?
Question
How to set the priority of a policy item?
Answer
The smaller the value, the higher the priority. When a subscriber and network object is bound
with multiply policy items of the same type, only the policy item with the highest priority level
is valid. For details on policy priorities, see 5.4.15 Policy Priority Description.

Select a value from the drop-down list or enter an unused value in the text box.
NOTE
By default, the system displays 100 priorities with the smallest values and unused by other policy items in
the drop-down list.

Configuration Guide 24 Typical Configuration Example Summaries
24 Typical Configuration Example

Summaries
Task of the Example Example Name
3 Preparations 3.2 Checking the Status 3.2.2 Typical Operation Example

for Service of the Front End and
Configuration Back End
4 Subscriber and 4.2 Configuring the 4.2.3 Typical Configuration Example

Network Object Subscriber (Adding Subscribers Manually)
Initialization
(Importing Subscriber Accounts in
Batches and Adding Heavy User Group)

(Synchronizing Subscriber from the FTP
Server)

(Self Learning Subscribers and Adding
Customized Attributes)

(Self Learning Subscribers and
Identifying the Area Where the
Subscriber Resides by SN)
4.3 Configuring the 4.3.3 Typical Configuration Example 1

VIC (Manually Adding VICs)

(Importing VICs in Batches)
4.4 Configuring the 4.4.3 Typical Configuration Example

Link


Virtual Tunnel (User Attribute Virtual Tunnel, Defining
SN as the Virtual Tunnel Category)

(User Attribute Virtual Tunnel, Defining
BTS as the Virtual Tunnel Category)

(Stream Attribute Virtual Tunnel,
Defining the Traffic of Local IP Address
or Remote IP Address as the Virtual
Tunnel)

(Stream Attribute Virtual Tunnel,
Defining VLAN Traffic as the Virtual
Tunnel)
4.6 Configuring the AS 4.6.2 Typical Configuration Example

Domain Group

Subnet (Manually Adding Subnets)

(Importing subnets in Batches)
5 Traffic 5.4 Configuring Traffic 5.4.3 Typical Configuration Example

Management QoS (Link, Rate Limiting, and Taking Effect
Service as Planned)

(Link, Priority Mark)

(Link, Number of Connections Control)

(Link, Rate Limiting, and Pass)

(Link, Priority Mark, and Not Remark)

(Virtual Tunnel, Rate Limiting)

(Link and Virtual Tunnel, Rate Limiting)

(Subscriber, Rate Limiting)

(Subscriber, Throttling)


(Subscriber, Strict Priority)

(Subscriber, WFQ)

(VIC, Rate Limiting)
5.5 Configuring 5.5.3 Typical Configuration Example for

Congestion Detection Controlling Link Congestion
and Control
5.5.4 Typical Configuration Example for
Controlling NE Traffic Congestion
5.5.5 Typical Configuration Example for

Controlling Subscriber Traffic When the
Link Is Congested
5.7 Configuring Traffic 5.7.3 Typical Configuration Example 1

Direction QoS (Between One Link and One AS Domain
Group)

(Between One AS Domain Group and
Another AS Domain Group)

(Between One Subnet and One AS
Domain Group)

(Between One Subnet and Another
Subnet)
6 FUP Service 6.2 Configuring the 6.2.3 Typical Configuration Example 1

FUP Service (Predefined Rule, Total Traffic)
(Interworking with the
PCRF) 6.2.4 Typical Configuration Example 2
(Predefined Rule, Service Traffic)

(Predefined Rule, Quota Being Collected
by Total Traffic but Controlled by
Service)

(Predefined Rule, Free Quotas for
Certain Web Sites)

(Predefined Rule, Limited Free Quotas
for Certain Web Sites)


(Predefined Rule, Roaming Quota
Control)

(Dynamic Rule, Total Traffic)

(Dynamic Rule, Service Traffic)
7 Charging 7.2 Configuring the 7.2.3 Typical Configuration Example 1

Service Charging Service (Online Charging by Traffic)

(Online Charging by Duration)

(Online Charging by Traffic and
Duration)

(Online Charging by Traffic and
Roaming)

(Online Charging by Traffic, Traffic of
Certain Protocols and Web Sites Is Free
of Charge)

(Comprehensive Charging, Charging for
the Basic Service and Value-added
Services)

(Online Charging by Traffic, Providing
the FUP Function)

(Charging Redirection, Obtaining User's
Quota Credit Status from the RADIUS
Server)

(Online Charging by Traffic, Online-to-
Offline Charging in Case of Faults)

(Offline Charging)

(Online/Offline Charging)
8 URL Filtering 8.2 Configuring the 8.2.3 Typical Configuration Example 1

Service URL Filtering Service (Links)


(Subscribers)

(VICs)
9 GreenNet 9.2 Configuring the 9.2.3 Typical Configuration Example

Service GreenNet Service (Subscriber, Interworking with the
RM9000)
10 Traffic 10.2 Configuring the 10.2.3 Typical Configuration Example 1

Mirroring/ Traffic Mirroring (Link, VoIP Traffic Mirroring)
Diversion Service
Service 10.2.4 Typical Configuration Example 2
(Link, P2P and HTTP Traffic Mirroring)
10.3 Configuring 10.3.3 Typical Configuration Example 1

Traffic Diversion (Single Diversion)
Service
(Multiple Diversions)
11 11.2 Configuring the 11.2.3 Typical Configuration Example 1

SmartBrowser SmartBrowser Service (DNS Error Correction)
Service
(HTTP Error Correction)
12 DNS 12.2 Configuring the 12.2.2 Typical Configuration Example

Overwriting DNS Overwriting
Service Service
13 Smart 13.2 Configuring the 13.2.3 Typical Configuration Example 1

Advertising Smart Advertising (Subscriber)
Interface Service Interface Service
(VIC)
14 VoIP 14.2 Configuring the 14.2.2 Typical Configuration Example 1

Monitoring VoIP Monitoring (Subscribers)
Service Service
(VICs)
15 Anti- 15.2 Configuring the 15.2.2 Configuration Example 1

Spammer Anti-Spammer Service (Detection from the Network Layer to the
Service Transport Layer)
15.2.3 Configuration Example 2

(Detection from the Network Layer to the
Application Layer)
16 Anti-DDoS 16.2 Configuring the 16.2.2 Typical Configuration Example

Service Anti-DDoS Service

17 Anti-Botnet 17.2 Configuring the 17.2.2 Typical Configuration Example 1

Service Anti-Botnet Service (Subscribers)

(VICs)
18 Anti-Worm 18.2 Configuring the 18.2.2 Typical Configuration Example 1

Service Anti-Worm Service (Links)

(Subscribers)

(VICs)
19 Security 19.2 Configuring 19.2.3 Typical Configuration Example

Service Security Service (Malicious URL Filtering)
22 System 22.1 Managing Flow 22.1.3 Typical Configuration Example 1

Management Classifications and
Flow Classification 22.1.4 Typical Configuration Example 2
Items
22.2 Managing System 22.2.3 Typical Configuration Example

Accounts and
Permissions
22.6 Managing the 22.6.3 Typical Configuration Example

Knowledge Base (Customized DPI Signature File, Traffic
on the Specified Web Site)

(Customized DPI Signature File, MP3
Online Music Traffic on the Specified
Web Site)

Configuration Guide 25 Report Example Summaries
25 Report Example Summaries
5 Traffic 5.2 Querying Traffic 5.2.3 Report Examples (Link and Virtual
Management Reports Tunnel-based)
Service
5.2.4 Report Examples (Subscriber-
based)
5.2.5 Report Examples (VIC-based)
5.2.6 Report Examples (Consolidated)
5.3 Querying the User 5.3.3 Report Examples

Behavior Statistics
Report
5.6 Implementing 5.6.4 Report Examples (Between One

Traffic Direction Link or Link Group and One AS Domain
Statistics Group)
5.6.5 Report Examples (Between One AS

Domain Group and Another AS Domain
Group)
5.6.6 Report Examples (Between One

Subnet and One AS Domain Group,
Between One Subnet and Another
Subnet)
8 URL Filtering 8.3 Querying URL 8.3.3 Report Examples

Service Reports
9 GreenNet 9.3 Querying GreenNet 9.3.3 Report Examples

Service Reports
11 11.3 Querying 11.3.3 Report Examples

SmartBrowser SmartBrowser Reports
Service

Configuration Guide 25 Report Example Summaries
14 VoIP 14.3 Querying VoIP 14.3.3 Report Examples

Monitoring Reports
Service
15 Anti- 15.3 Query Spammer 15.3.3 Report Examples

Spammer Reports
Service
16 Anti-DDoS 16.3 Querying Anti- 16.3.3 Report Examples

Service DDoS Reports
17 Anti-Botnet 17.3 Querying Anti- 17.3.3 Report Examples

Service Botnet Reports
18 Anti-Worm 18.3 Querying Anti- 18.3.3 Report Examples (Subscribers)

Service Worm Reports
18.3.4 Report Examples (VICs)
18.3.5 Report Examples (Links)
19 Security 19.3 Querying Security 19.3.3 Report Examples

Service Service Reports


HUAWEI SIG9800 V300R001C00 Configuration Guide 01 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

HUAWEI SIG9800 V300R001C00 Configuration Guide 01 PDF

Uploaded by

Copyright:

Available Formats

HUAWEI SIG9800 Service Inspection Gateway

HUAWEI TECHNOLOGIES CO., LTD.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Issue 01 (2012-06-06) Huawei Proprietary and Confidential i

About This Document

Product Name Version

This document is intended for:

l Installation and commissioning engineers

Issue 01 (2012-06-06) Huawei Proprietary and Confidential ii

Indicates a hazard with a high level of risk, which if not

Indicates a hazard with a medium or low level of risk, which

Indicates a potentially hazardous situation, which if not

NOTE Provides additional information to emphasize or supplement

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[] Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... } Optional items are grouped in braces and separated by

[ x | y | ... ] Optional items are grouped in brackets and separated by

{ x | y | ... }* Optional items are grouped in braces and separated by

[ x | y | ... ]* Optional items are grouped in brackets and separated by

# A line starting with the # sign is comments.

Issue 01 (2012-06-06) Huawei Proprietary and Confidential iii

Boldface Buttons, menus, parameters, tabs, window, and dialog titles

> Multi-level menus are in boldface and separated by the ">"

Updates in Issue 01 (2012-06-06)

Issue 01 (2012-06-06) Huawei Proprietary and Confidential iv

About This Document.....................................................................................................................ii

2 Quick Index from the GUI Navigation Node to the Help...................................................25

4 Subscriber and Network Object Initialization......................................................................43

Issue 01 (2012-06-06) Huawei Proprietary and Confidential v

5 Traffic Management Service...................................................................................................141

Issue 01 (2012-06-06) Huawei Proprietary and Confidential vi

Issue 01 (2012-06-06) Huawei Proprietary and Confidential vii

5.7 Configuring Traffic Direction QoS................................................................................................................289

Issue 01 (2012-06-06) Huawei Proprietary and Confidential viii

8 URL Filtering Service................................................................................................................627

10 Traffic Mirroring/Diversion Service....................................................................................695

Issue 01 (2012-06-06) Huawei Proprietary and Confidential ix

11.1 About the SmartBrowser Service.................................................................................................................722

12 DNS Overwriting Service......................................................................................................734

13 Smart Advertising Interface Service....................................................................................738

14 VoIP Monitoring Service.......................................................................................................757

Issue 01 (2012-06-06) Huawei Proprietary and Confidential x

15.3 Query Spammer Reports..............................................................................................................................785

Issue 01 (2012-06-06) Huawei Proprietary and Confidential xi

19.2.2 Configuration Procedure......................................................................................................................852

Issue 01 (2012-06-06) Huawei Proprietary and Confidential xii

Issue 01 (2012-06-06) Huawei Proprietary and Confidential xiii

24 Typical Configuration Example Summaries......................................................................988

Issue 01 (2012-06-06) Huawei Proprietary and Confidential xiv

About This Chapter

1.1 What Is the SIG System?

Issue 01 (2012-06-06) Huawei Proprietary and Confidential 1

1.1 What Is the SIG System?

Issue 01 (2012-06-06) Huawei Proprietary and Confidential 2

Issue 01 (2012-06-06) Huawei Proprietary and Confidential 3

Figure 1-1 System composition

Swtich1 DPI System

Issue 01 (2012-06-06) Huawei Proprietary and Confidential 4

Figure 1-2 System components and data processing flowchart

BOSS (Business and Operation Support System)

Table 1-1 shows the description of components in Figure 1-2.