Policy Forwarding

This chapter provides information on configuring an enhanced, or extended, service. The product administration guides provide examples and procedures for configuration of basic services on the system. It is recommended that you select the configuration example that best meets your service model and configure the required elements for that model before using the procedures in this chapter.

Sections in this chapter include:

Overview

The system can be configured to automatically forward data packets to a predetermined network destination. This can be done in one of three ways:

  • IP Pool-based Next Hop Forwarding - Forwards data packets based on the IP pool from which a subscriber obtains an IP address.

  • ACL-based Policy Forwarding - Forwards data packets based on policies defined in Access Control Lists (ACLs) and applied to contexts or interfaces.

  • Subscriber specific Next Hop Forwarding - Forwards all packets for a specific subscriber.

The simplest way to forward subscriber data is to use IP Pool-based Next Hop Forwarding. An IP pool is configured with the address of a next hop gateway and data packets from all subscribers using the IP pool are forward to that gateway.

Subscriber Next Hop forwarding is also very simple. In the subscriber configuration a nexthop forwarding address is specified and all data packets for that subscriber are forwarded to the specified nexthop destination.

ACL-based Policy Forwarding gives you more control on redirecting data packets. By configuring an Access Control List (ACL) you can forward data packets from a context or an interface by different criteria, such as; source or destination IP address, ICMP type, or TCP/UDP port numbers.

ACLs are applied first. If ACL-based Policy Forwarding and Pool-based Next Hop Forwarding or Subscriber are configured, data packets are first redirected as defined in the ACL, then all remaining data packets are redirected to the next hop gateway defined by the IP pool or subscriber profile.

IP Pool-based Next Hop Forwarding

When an IP pool in a destination context has a Next Hop Forwarding address specified, any subscriber that obtains an IP address from that IP pool has all data coming from the mobile node automatically forwarded to the specified Next Hop Forwarding address.

For more information on creating IP pools, refer to the System Administration Guide and for additional information on the ip pool command, refer to the Command Line Interface Reference.

Configuring IP Pool-based Next Hop Forwarding

Configure Next Hop Forwarding on an existing IP Pool in a destination context by applying the following example configuration: 

configure 
      context <context_name> 
            ip pool <pool_name> nexthop-forwarding-address <forwarding_ip_address> 
            end

Save the configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration . For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.

Subscriber-based Next Hop Forwarding

When a subscriber configuration has a Next Hop Forwarding address specified, any sessions authenticated as that subscriber have all data coming from the mobile node automatically forwarded to the specified Next Hop Forwarding address.

Configuring Subscriber-based Next Hop Forwarding

Configure Next Hop Forwarding for a specific subscriber by applying the following example configuration: 

configure 
      context <context_name> 
            subscriber name <subs_name> 
                  nexthop-forwarding-address <forwarding_ip_address> 
                  end

Save the configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration . For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.

ACL-based Policy Forwarding

ACL-based Policy Forwarding is a feature in the system that forwards subscriber data based on policies defined in Access Control Lists (ACLs). When ACLs are applied to access groups, priorities are given to the ACLS. The ACL applied with the highest priority is used to define the policy that is used for forwarding the subscriber data.


Important

Refer to Access Control Lists for additional information on creating and using ACLs.

Configuring ACL-based Policy Forwarding

Configure ACL-based Policy Forwarding by applying the following example configuration: 

configure 
      context <context_name> 
            ip access-list <acl_name> 
                  redirect <interface_name> <next_hop_address> <criteria> 
                  exit

The following example specifies that any IP packet coming from any system on the 192.168.55.0 network that has a destination host address of 192.168.80.1 is to be redirected, or forwarded, through the system interface named interface2 to the host at 192.168.23.12: 

redirect interface2 192.168.23.12 ip 192.168.55.0 255.255.255.0 host 192.168.80.1

Save the configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration . For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.

Applying the ACL to an IP Access Group

To apply the ACL to the IP access group for the current destination context, go to Applying the ACL to a Destination Context.

To apply the ACL to the IP access group for an interface in the current destination context, go to Applying the ACL to an Interface in a Destination Context.

Applying the ACL to a Destination Context

Procedure
Step 1

At the context configuration mode prompt, enter the following command: 

ip access-group <acl_name> { in | out } <priority-value>
Step 2

Save the configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration . For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.

Applying the ACL to an Interface in a Destination Context

Procedure
Step 1

Set parameters for inbound data by applying the following example configuration: 

configure 
      context <context_name> 
            interface <interface_name> 
                  ip access-group <acl_name> in <priority-value> 
                  end
Step 2

Set parameters for outbound data by applying the following example configuration: 

configure 
      context <context_name> 
            interface <interface_name> 
                  ip access-group <acl_name> out <priority-value> 
                  end
Step 3

Save the configuration to flash memory, an external memory device, and/or a network location using the Exec mode command save configuration . For additional information on how to verify and save configuration files, refer to the System Administration Guide and the Command Line Interface Reference.