In the current firmware version, this functionality is supported only by ESR-100, ESR-200, ESR-1000, ESR-1200 and ESR-1700 routers with the license
aaa das-profile
This command selects a dynamic authorization server (DAS) profile to which CoA requests from the PCRF to change the service policy, as well as requests for operational information from CaptivePortal will be received.
The use of a negative form (no) of the command removes a specified profile of dynamic authorization servers (DAS).
Syntax
[no] aaa das-profile <NAME>
Parameters
<NAME> – DAS profile name, set by the string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# aaa das-profile profile1
aaa services-radius-profile
This command selects the profile of RADIUS servers to which requests will be sent to obtain user service parameters. If the profile is not set, the profile will be used 'aaa sessions-radius-profile'.
The use of a negative form (no) of the command removes a specified RADIUS server profile.
Syntax
[no] aaa services-radius-profile <NAME>
Parameters
<NAME> – RADIUS server profile name, set by the string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# aaa services-radius-profile profile1
aaa sessions-radius-profile
This command selects the profile of RADIUS servers to which requests will be sent to obtain user session parameters.
The use of a negative form (no) of the command removes a specified RADIUS server profile.
Syntax
[no] aaa sessions-radius-profile <NAME>
Parameters
<NAME> – RADIUS server profile name, set by the string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# aaa sessions-radius-profile profile1
backup traffic-processing transparent
This command enables transparent transmission of traffic in the backup state for BRAS.
The use of a negative form (no) of the command disables the transparent transmission of traffic in the backup state for BRAS.
Syntax
[no] backup traffic-processing transparent
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# backup traffic-processing transparent
bypass-traffic-acl
This command organizes transparent transmission of service traffic (DHCP, DNS, etc.) based on filters.
The use of a negative form (no) of the command disables the transparent traffic transmission.
Syntax
bypass-traffic-acl <NAME>
no bypass-traffic-acl
Parameters
<NAME> – name of the ACL being bound, set by the string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# bypass-traffic-acl LANs
class-map
This command binds the specified QoS class to the default service. Passing traffic not included in the QoS class is prohibited.
The use of a negative form (no) of the command removes a bind of class to the service by default.
Syntax
[no] class-map <NAME>
Parameters
<NAME> – name of the class being bound, set by the string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-DEFAULT-SERVICE
Example
esr(config-subscriber-default-service)# class-map LAN
clear subscriber-control sessions
This command deletes active user control sessions.
Syntax
clear subscriber-control sessions [ vrf <VRF> ] [ username <USER-NAME> ] [ session-id <SESSION-ID> ]
Parameters
<VRF> – VRF instance name, set by the string of up to 31 characters. When specifying this parameter, active sessions in a specified VRF will be removed;
<NAME> – user name, set by the string of up to 230 characters;
<SESSION-ID> – session identifier, takes values in the range of [1..18446744073709551615].
Required privilege level
1
Command mode
ROOT
Example
esr# clear subscriber-control sessions
default-action
This command specifies the action to be applied for HTTP/HTTPS packets, URLs (HTTP Host for HTTPS packets) which are not included in the URL list assigned by the 'filter-name' command (see section filter-name).
The use of a negative form (no) of the command removes an assigned action.
Syntax
default-action <ACT>
no default-action
Parameters
<ACT> – allocated action:
- permit – traffic transfer is permitted;
- deny – traffic transfer is denied.
- redirect <URL> – redirect to the specified URL will be carried out, set by the string of up to 255 characters.
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-DEFAULT-SERVICE
Example
esr(config-subscriber-default-service)# default-action redirect http://192.162.1.2/cp
default-service
Switch to the default service configuration mode. The default service applies to all new user sessions. After authentication, the user is assigned personal services.
The use of a negative form (no) of the command removes the default service configuration value.
Syntax
[no] default-service
Parameters
The command does not contain parameters.
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# default-service
description
This command defines the description of the user control profile.
The use of a negative form (no) of the command removes description.
Syntax
description <DESCRIPTION>
no description
Parameters
<DESCRIPTION> – wan rule description, set by the string of up to 255 characters.
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# description "Wi-Fi BRAS"
enable
This command activates the user control profile.
The use of a negative form (no) of the command disables user control profile.
Syntax
[no] enable
Parameters
The command does not contain parameters.
Default value
Process disabled.
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-CONTROL
CONFIG-PPP-USER
Example
esr(config-subscriber-control)# enable
filter-action
This command specifies the action to be applied for HTTP/HTTPS packets, URLs (HTTP Host for HTTPS packets) which are included in the URL list assigned by the 'filter-name' command (see section filter-name).
The use of a negative form (no) of the command removes an assigned action.
Syntax
filter-action <ACT>
no filter-action
Parameters
<ACT> – allocated action:
- permit – traffic transfer is permitted;
- deny – traffic transfer is denied.
- redirect <URL> – redirect to the specified URL will be carried out, set by the string of up to 255 characters.
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-DEFAULT-SERVICE
Example
esr(config-subscriber-default-service)# filter-action redirect http://192.162.1.2/forbidden
filter-name
Specify a name of the URL list that will be used to filtrate HTTP/HTTPS traffic of non-authenticated users. The list can be configured locally using the URL profile, or obtained from a remote server (see section subscriber-control application-filter).
The use of a negative form (no) of the command removes a list name.
Syntax
filter-name { local <LOCAL-NAME> | remote <REMOTE-NAME> }
no filter-name
Parameters
<LOCAL-NAME> – URL profile name, set by the string of up to 31 characters;
<REMOTE-NAME> – remote server URL list name, set by the string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-DEFAULT-SERVICE
Example
esr(config-subscriber-default-service)# filter-name local BLACK_LIST
ip proxy http listen-ports
Define destination TCP ports from which the traffic will be redirected to the router HTTP Proxy server
The use of a negative form (no) of the command sets the default value.
Syntax
ip proxy http listen-ports <NAME>
no ip proxy http listen-ports
Parameters
<NAME> – TCP/UDP ports profile name, set by the string of up to 31 characters.
Default value
80, 8080
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# ip proxy http listen-ports HTTP_PORTS
ip proxy https listen-ports
Define destination TCP ports from which the traffic will be redirected to the router HTTPS Proxy server
The use of a negative form (no) of the command sets the default value.
Syntax
ip proxy https listen-ports <NAME>
no ip proxy https listen-ports
Parameters
<NAME> – TCP/UDP ports profile name, set by the string of up to 31 characters.
Default value
443, 8443
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# ip proxy https listen-ports HTTPS_PORTS
ip proxy source-address
Set router IP address that will be used as source IP address in HTTP/HTTPS packets transmitted by Proxy server
The use of a negative form (no) of the command removes a specified source IP address.
Syntax
ip proxy source-address <ADDR>
no ip proxy source-address
Parameters
<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];
Default value
The default is the IP address of the interface from which the packet will be sent.
Required privilege level
10
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# ip proxy source-address 10.100.100.2
location
In the current firmware version, this functionality is supported only by ESR-100, ESR-200, ESR-1000, ESR-1200 and ESR-1700 routers
This command changes the network interface ID. This identifier is used in HTTP redirects to CaptivePortal, and is also transmitted in the RADIUS account information and when exporting information via the Netflow protocol.
The use of a negative form (no) of the command removes the identifier.
Syntax
location <ID>
no location
Parameters
<ID> – network interface identifier, set by the string of up to 220 characters.
Default value
Do not have default value.
Required privilege level
10
Command mode
CONFIG-GI
CONFIG-TE
CONFIG-SUBIF
CONFIG-QINQ-IF
CONFIG-PORT-CHANNEL
CONFIG-BRIDGE
CONFIG-IP4IP4
CONFIG-GRE
CONFIG-L2TPV3
Example
esr(config-if-gi)# location “Guest SSID”
nas-interface
This command defines router interface IP address of which will be used as the source IP address in packets sent by RADIUS.
The use of a negative form (no) of the command removes a specified source IP address.
Syntax
nas-interface {<IF> | <TUN>}
no nas-interface
Parameters
<IF> – an interface, specified in the form described in Section Types and naming order of router interfaces;
<TUN> – the name of the tunnel is specified as described in section Types and naming order of router tunnels.
Default value
Not specified.
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# nas-interface gi 1/0/1
nas-ip-address
This command defines the IP address of the router that will be used as the source IP address in packets sent by RADIUS.
The use of a negative form (no) of the command removes a specified source IP address.
Syntax
nas-ip-address <ADDR>
no nas-ip-address
Parameters
<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];
Required privilege level
10
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# nas-ip-address 10.100.100.2
quota-expired-reauth
Enable iterative query of quota value when it expires for user services with a configured restriction on the amount of traffic or time Otherwise, after the expiration of the quota, the service will be deactivated, and the user will be assigned the service by default.
The use of a negative form (no) of the command sets the default value.
Syntax
[no] quota-expired-reauth
Parameters
The command does not contain parameters.
Default value
When the quota expires, the user will be assigned a default service.
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# quota-expired-reauth
service-subscriber-control
This command enables user control on the interface. When executed with the 'any' parameter value, user control will work for packets from any subnet, otherwise only for packets from the subnets of the specified IP addresses in the profile.
The use of a negative form (no) of the command disables user control on the interface.
Syntax
service-subscriber-control { any | object-group <NAME> }
no service-subscriber-control
Parameters
<NAME> – IP addresses profile name, set by the string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG-GI
CONFIG-TE
CONFIG-SUBIF
CONFIG-QINQ-IF
CONFIG-PORT-CHANNEL
CONFIG-BRIDGE
CONFIG-IP4IP4
CONFIG-GRE
Example
esr(config-if-gi)# service-subscriber-control object-group LAN
session accounting
This command sets the mode of sending RADIUS-accounting messages.
The use of a negative form (no) of the command sets the default value.
Syntax
session accounting { all | auth-only }
Parameters
all – sending for all sessions;
auth-only – sending for authorized sessions.
Default value
all
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# session accounting all
session ip-authentication
Enable session authentication by IP address.
The use of a negative form (no) of the command sets the default value.
Syntax
[no] session IP-authentication
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# session ip-authentication
session l2-roaming disable
This command disables transparent roaming of subscribers between L2-interfaces BRAS. In case of changing the L2 interface, the subscriber will need to re-authenticate.
The use of a negative form (no) of the command enables transparent roaming of subscribers between L2-interfaces BRAS.
Syntax
[no] session l2-roaming disable
Parameters
The command does not contain parameters.
Default value
Enabled transparent roaming of subscribers between L2 interfaces BRAS.
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# session l2-roaming disable
session l2-roaming realtime-accounting
This command enables the mode of sending RADIUS accounting in real time when changing the L2 interface of the BRAS, which is used to work with the subscriber.
The use of a negative form (no) of the command sets the default value.
Syntax
[no] session l2-roaming realtime-accounting
Parameters
The command does not contain parameters.
Default value
RADIUS accounting with a modified L2 interface is sent after Interim-Update.
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# session l2-roaming realtime-accounting
session mac-authentication
Enable session authentication by MAC address.
The use of a negative form (no) of the command sets the default value.
Syntax
[no] session mac-authentication
Parameters
The command does not contain parameters.
Default value
Disabled.
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# session mac-authentication
session unknown-mac-address
This command denies the passage of traffic in an authenticated session for packets that have changed the source MAC address since the user’s authentication. Also, when receiving a packet with a different source MAC address, a message will appear in the SYSLOG.
The use of a negative form (no) of the command sets the default value.
Syntax
[no] session unknown-mac-address
Parameters
The command does not contain parameters.
Default value
Passing traffic with a different source MAC address allowed.
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# session unknown-mac-address
session-timeout
Specify the interval after which, if a user has not sent any packets, the session is considered to be outdated and is removed from the device.
The use of a negative form (no) of the command sets the default value.
Syntax
session-timeout <SEC>
no session-timeout
Parameters
<SEC> – time interval in seconds, takes values of [120..3600].
Default value
120 seconds
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-DEFAULT-SERVICE
Example
esr(config-subscriber-default-service)# session-timeout 155
show subscriber-control configuration
The command displays user control configuration parameters.
Syntax
show subscriber-control configuration [ vrf <VRF> ]
Parameters
<VRF> – VRF instance name, set by the string of up to 31 characters.
Required privilege level
1
Command mode
ROOT
Example
esr# show subscriber-control configuration State: Enabled Description: -- NAS IP address: 192.168.107.201 Sessions radius profile: RADIUS Services radius profile: -- DAS profile: bras2 Quota expired reauth: Disabled Default service: Class map: list1 Filter name: defaultserv Filter type: local Filter action: permit Default action: redirect Default redirect URL: http://192.168.107.213:8080/eltex_portal/
show subscriber-control radius-servers
The command displays information about used RADIUS servers.
Syntax
show subscriber-control radius-servers [ vrf <VRF> ]
Parameters
<VRF> – VRF instance name, set by the string of up to 31 characters. When specifying this parameter, NTP configuration will be displayed in a specified VRF.
Required privilege level
1
Command mode
ROOT
Example
esr# show subscriber-control radius-servers IP address Port VRF Usage Connections count Dead interval Dead time ---------------- ------ ------------- ------------- ----------------- ------------- --------- 172.16.0.134 31813 -- services acct 0 10 -- 172.16.0.134 31812 -- services auth 0 10 -- 172.16.0.135 31813 -- sessions acct 0 10 -- 172.16.0.135 31812 -- sessions auth 0 10 --
show subscriber-control services
These commands display information and statistics on user control session services.
Syntax
show subscriber-control services { counters | status } [ vrf <VRF> ] [ session-id <SESSION-ID> ] [ service-id <SERVICE-ID> ] [ service <SERVICE-NAME> ]
Parameters
status – view operational information on the service user;
counters – view statistics on the service user;
<VRF> – VRF instance name, set by the string of up to 31 characters. When specifying this parameter, NTP configuration will be displayed in a specified VRF.
<SESSION-ID> – session identifier, takes values in the range of [1..18446744073709551615].
<SERVICE-ID> – session identifier, takes values in the range of [1..18446744073709551615].
<NAME> – host name, set by the string of up to 220 characters.
Required privilege level
1
Command mode
ROOT
Example
esr# show subscriber-control services status
Service id Session id Service name User name Quota volume Quota time
(Bytes) (Seconds)
------------ ------------ -------------- ----------- -------------- --------------
2522015791 2161727821 INTERNET5 79001110011 -- --
esr# show subscriber-control services counters session-id 2161727821
Service id Service name Recv packets Recv bytes Send packets Send bytes
------------ -------------- -------------- ------------ -------------- ------------
2522015791 INTERNET5 1221 561568 1252 191748
show subscriber-control sessions
These commands display information and statistics on user control sessions.
Syntax
show subscriber-control sessions { counters | status } [ vrf <VRF> ] [ session-id <SESSION-ID> ] [ username <SERVICE-NAME> ]
Parameters
status – view operational information on the user session;
counters – view statistics on the user session;
<VRF> – VRF instance name, set by the string of up to 31 characters. When specifying this parameter, active sessions will be displayed in a specified VRF.
<SESSION-ID> – session identifier, takes values in the range of [1..18446744073709551615];
<NAME> – user name, set by the string of up to 230 characters.
Required privilege level
1
Command mode
ROOT
Example
esr# show subscriber-control sessions status Session id User name IP address MAC address Interface Domain ------------ ----------- ------------ ----------------- --------- --------- 2161727821 79001110011 192.168.244.12 c4:12:f5:d4:af:70 bridge 13 root esr# show subscriber-control sessions counters session-id 2161727821 User name Recv packets Recv bytes Send packets Send bytes --------------- -------------- -------------- -------------- -------------- 79001110011 243 87056 294 35961
subscriber-control
This command creates a user control profile and switch to its configuration mode.
The use of a negative form (no) of the command removes a specified user control profile.
Syntax
[no] subscriber-control [ vrf <VRF> ]
Parameters
<VRF> – VRF instance name, set by the string of up to 31 characters, within which the user control will operate.
Required privilege level
10
Command mode
CONFIG
Example
esr(config)# subscriber-control
subscriber-control application-filter
This command enables application control on the interface.
The use of a negative form (no) of the command disables application control on the interface.
Syntax
subscriber-control application-filter <NAME>
no subscriber-control application-filter
Parameters
<NAME> – application profile name, set by the string of up to 31 characters.
Required privilege level
15
Command mode
CONFIG-GI
CONFIG-TE
CONFIG-SUBIF
CONFIG-QINQ-IF
CONFIG-PORT-CHANNEL
CONFIG-BRIDGE
CONFIG-IP4IP4
CONFIG-GRE
CONFIG-L2TPV3
Example
esr(config-if-gi)# subscriber-control application-filter LIST
subscriber-control apps-server-url
Specify URL address of the server providing lists of traffic filtration applications Lists are requested from the server at the time of user authentication.
The use of a negative form (no) of the command removes a specified server URL.
Syntax
subscriber-control apps-server-url <URL>
no subscriber-control apps-server-url
Parameters
<URL> – reference address, set by the string from 8 to 255 characters.
Default value
Do not have default value.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# subscriber-control apps-server-url "http://192.168.1.1/files/"
subscriber-control filters-server-url
This command sets the address of the server that provides URL lists for filtering HTTP/HTTPS traffic. Lists are requested from the server at the time of user authentication.
The use of a negative form (no) of the command removes a specified server URL.
Syntax
subscriber-control filters-server-url <URL>
no subscriber-control filters-server-url
Parameters
<URL> – reference address, set by the string from 8 to 255 characters.
Default value
Do not have default value.
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# subscriber-control filters-server-url "http://192.168.1.1/files/"
subscriber-control thresholds sessions-number
This command sets the threshold for the number of BRAS sessions for all user control profiles for sending snmp-trap eltexBrasSessionsNumberHigh and eltexBrasSessionsNumberHighOk.
The use of a negative form (no) of the command sets the default value.
Syntax
subscriber-control thresholds sessions-number { high <TH-HIGH> | low <TH-LOW> }
no subscriber-control thresholds sessions-number { high | low }
Parameters
<TH-HIGH> – BRAS session number threshold for sending snmp-trap eltexBrasSessionsNumberHigh;
<TH-LOW> – BRAS session number threshold for sending snmp-trap eltexBrasSessionsNumberHighOk.
Default value
On ESR-1700 <TH-HIGH> – 47000, <TH-LOW> – 46000
On ESR-1000, ESR-1200 <TH-HIGH> – 9000, <TH-LOW> – 8500
On ESR-100 и ESR-200 <TH-HIGH> – 900, <TH-LOW> – 850
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# subscriber-control thresholds sessions-number high 8000
subscriber-control unused-filters-remove-delay
Specify the interval after which currently unused URL lists will be removed.
The use of a negative form (no) of the command sets the default value.
Syntax
subscriber-control unused-filters-remove-delay <DELAY>
no subscriber-control unused-filters-remove-delay
Parameters
<DELAY> – time interval in seconds, takes values of [10800..86400].
Default value
10800 seconds
Required privilege level
15
Command mode
CONFIG
Example
esr(config)# subscriber-control unused-filters-remove-delay 40000
thresholds sessions-number
This command sets the threshold for the number of BRAS sessions for sending snmp-trap eltexBrasSessionsNumberHigh and eltexBrasSessionsNumberHighOk.
The use of a negative form (no) of the command sets the default value.
Syntax
thresholds sessions-number { high <TH-HIGH> | low <TH-LOW> }
no thresholds sessions-number { high | low }
Parameters
<TH-HIGH> – BRAS session number threshold for sending snmp-trap eltexBrasSessionsNumberHigh;
<TH-LOW> – BRAS session number threshold for sending snmp-trap eltexBrasSessionsNumberHighOk.
Default value
On ESR-1700 <TH-HIGH> – 47000, <TH-LOW> – 46000
On ESR-1000, ESR-1200 <TH-HIGH> – 9000, <TH-LOW> – 8500
On ESR-100 и ESR-200 <TH-HIGH> – 900, <TH-LOW> – 850
Required privilege level
15
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# thresholds sessions-number high 8000
vrrp-group
This command defines the VRRP group, on the basis of which the state (main/standby) of the subscriber control service is defined. When the VRRP is switched to the BACKUP state, all user control sessions are reset.
The use of a negative form (no) of the command removes a VRRP identifier.
Syntax
vrrp-group <GRID>
no vrrp-group
Parameters
<GRID> – VRRP router group identifier, takes values in the range of [1..32].
Required privilege level
10
Command mode
CONFIG-SUBSCRIBER-CONTROL
Example
esr(config-subscriber-control)# vrrp-group 10