L7 Dynamic Rule Activation

This chapter describes the L7 Dynamic Rule Activation feature and provides detailed information on the following topics:

Feature Description

Currently, the gateway supports PCC dynamic rules with L3/L4 filters through the Flow-Description AVP. This feature provides finer control over the filters by adding L7 support. It is implemented so that the PCEF/PCRF can fully support L7 dynamic rules and thereby enable dynamic routes to redirect L7 traffic.


Important

This feature requires a valid license to be installed prior to configuring this feature. Contact your Cisco account representative for more information on the licensing requirements.


When an Out-of-Credit (OOC) trigger is sent from the OCS to the PCRF, the PCRF sends an L7 dynamic rule along with a condition and an action that allow the subscriber to access specific URLs. The condition is the trigger that determines when the action is applied. For example, if OOC (the quota exhaustion condition) is sent from the OCS, the PCEF should allow (the action) all packets matching that rule (rating-group) to pass through. Once the relocation of credit occurs, the gateway reverts the special treatment for these URLs.

The gateway supports L7 dynamic rule installation through the Charging-Rule-Definition AVP. The Charging-Rule-Definition AVP is extended to include two additional AVPs, "L7-Application-Description" and "Rule-Condition-Action", to support L7 capabilities.

A new CLI command, policy-control l7-dynamic-rules, is introduced in the ACS Configuration mode to enable L7 capabilities through the Charging-Rule-Definition AVP received over the Gx interface.

The optional grouped AVPs "L7-Application-Description" and "Rule-Condition-Action" are supported in the r8-gx-standard dictionary.

  • L7-Application-Description: This AVP is part of dynamic rule. This AVP carries L7 information with the L7 dynamic rule. This L7 filter is used by rule matching logic.
    • L7-Protocol-Name: This AVP specifies the protocol name for the application.

      This is an enumerated value received from PCRF. In Release 20, only HTTP Protocol is supported.

    • L7-Field: This AVP specifies the name of field to be matched from the protocol.

      This is an enumerated value received from PCRF. In Release 20, only URL Field is supported.

    • L7-Operator: This AVP specifies the operator to be used for matching the values.

      The following operators are supported:
      • EQUALS (1)

      • STARTS_WITH (2)

      • ENDS_WITH (3)

      • CONTAINS (4)

      • NOT_EQUALS (5)

      • NOT_START_WITH (6)

      • NOT_END_WITH (7)

      • NOT_CONTAINS (8)

    • L7-Case-Sensitivity: This AVP specifies whether the L7-Value field is compared with or without case sensitivity.

    • L7-Value: This AVP specifies the value that is compared with the one received in the user packet. This is a string with a length of 256 characters.

  • Rule-Condition-Action: This AVP specifies the special action to be taken by the PCEF when the dynamic rule is matched and the conditions are met. It is part of the Charging-Rule-Definition AVP and can be received in CCA-I/CCA-U/RAR.
    • Rule-Condition: This AVP specifies the condition under which the action is applied for the call. In Release 20, Out-of-Credit is the only condition supported.

    • Rule-Action: This AVP specifies the action to be taken when the above condition occurs for the call. In Release 20, only the Allow action is supported.

Relationship to Other Features

L7 Dynamic Rule support is extended to the existing Flow Aware Packet Acceleration (FAPA) and Transactional Rule Matching (TRM) features. The L7 Dynamic Rule Activation feature is independent of these two features.

The flows can be accelerated when the subscriber packets match the L7 dynamic rules. When subscriber quota for a rating group is exhausted and when the OOC condition action is being applied for the rule, accelerated path is not applied to the flow. Once the required quota is available, the accelerated path will resume for that flow.

Limitations

The following are the limitations of this feature:

  • A maximum of eight L7 application descriptions is supported per L7 rule.

  • When deploying Release 20 software, an L7 dynamic rule is installed correctly with/without flow description and the data flow begins. If a downgrade to any previous software releases is performed, the L7 information checkpoints are not decoded, resulting in a rule without any flow description or L7 information.

How it Works

L7 Static Rule Detection

This section explains how an L7 based ruledef (static rule) can be added to the gateway.

Configuration of the following entities is required to support L7 analysis.

  • Routing ruledef: This ruledef captures the L3/L4 filters for the protocol. When packets matching to these filters are received, the packets are passed to the configured analyzer. One or more routing rule lines can be configured in ruledef.

  • Charging L7 based ruledef: This ruledef captures the L7 based filters supported by the gateway. This ruledef gets packets only after the routing rule has matched the L3/L4 filters and the application has been identified as matching to the configured value. One or more charging rule lines can be configured in ruledef.

  • Charging action: This captures the charging and policy parameters for the charging ruledef. These parameters are used when the charging ruledef is hit.

  • Rulebase: Rulebase is a set of routing and charging ruledefs, which will be applied for the subscriber.
    • Route priority line: This configuration links the routing ruledef with the protocol and activates the routing ruledef for the subscriber.

    • Action priority line: This configuration links the charging action with charging ruledef and activates the charging ruledef for the subscriber.

L7 Dynamic Rule Handling

This section explains how the dynamic rule can be extended to support L7 capabilities.

The Flow-Description AVP that is already part of Charging-Rule-Definition AVP is used like a "Routing Rule". The packets matching to the Flow-Information will be sent to the analyzer mentioned in L7-Protocol-Name AVP.

When an L7 dynamic rule is received with Flow-Description AVP, the Flow-Description AVP is used for routing the packets matching to the protocol specified through L7-Application-Description AVP. The gateway internally creates a route using the Flow-Description AVP from the dynamic rule to the protocol mentioned in the L7-Protocol-Name AVP. Hence, all flows matching the specified criteria are sent for protocol analysis.

When Flow-Description AVP is not received with the dynamic rule, default routes are used to enable the corresponding protocol routing. The well-known port numbers are used to enable the protocol analyzer. Since only HTTP protocol is supported, port 80 is used for enabling the protocol.

For rule matching, both the criteria associated with Flow-Description and L7-Application-Description AVPs are used. If Flow-Description AVP is not received, only the criteria associated with L7-Application-Description AVP is used.

For dynamic rule modification, the L7 dynamic rule is installed again with a new set of values for L7-Application-Description AVP. The old values are overridden with the new values and added to the dynamic rule. For removal of L7 dynamic rules, Charging-Rule-Remove AVP is used.

The following are some additional points related to handling of L7 dynamic PCC rules from PCRF.

  • L7 dynamic rule binding is similar to the normal L3 dynamic rule.

  • If an L7 rule does not contain a TFT filter, the rule is bound to the bearer matching the QoS.

  • Session Recovery (SR)/Inter-Chassis Session Recovery (ICSR) will be supported for L7 dynamic rules.

In releases prior to 20, when invalid values are sent for the Rule-Condition and Rule-Action AVPs from the PCRF for a dynamic rule, the gateway accepts and installs the dynamic rule. In 20 and later releases, the gateway rejects a dynamic rule with an invalid condition-action and reports the failure with the cause "GW/PCEF_MALFUNCTION (4)". The same behavior is observed even when the AVP fields are empty.
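The constraints stated above for L7 dynamic rules (supported protocol, field and operators, the 256-character value, the eight-description limit, and rejection of invalid or empty condition-action values) gathered into one pre-install check, together with the operator semantics applied to a URL. This is an added example, not Cisco or gateway code. The class and function names, the symbolic strings HTTP, URL, OUT_OF_CREDIT and ALLOW standing in for the enumerated AVP values, and the treatment of an empty L7-Value as invalid are assumptions.

```python
from dataclasses import dataclass

# L7-Operator codes exactly as listed on this page.
OPERATORS = {
    1: lambda u, v: u == v,               # EQUALS
    2: lambda u, v: u.startswith(v),      # STARTS_WITH
    3: lambda u, v: u.endswith(v),        # ENDS_WITH
    4: lambda u, v: v in u,               # CONTAINS
    5: lambda u, v: u != v,               # NOT_EQUALS
    6: lambda u, v: not u.startswith(v),  # NOT_START_WITH
    7: lambda u, v: not u.endswith(v),    # NOT_END_WITH
    8: lambda u, v: v not in u,           # NOT_CONTAINS
}

@dataclass
class L7Description:          # one L7-Application-Description (hypothetical model)
    protocol: str             # symbolic stand-in for the enumerated L7-Protocol-Name
    field: str                # symbolic stand-in for the enumerated L7-Field
    operator: int
    value: str
    case_sensitive: bool = True

def validate_rule(descriptions, condition_action=None):
    """Return the constraints from this page that the rule violates; [] means none."""
    reasons = []
    if len(descriptions) > 8:
        reasons.append("more than eight L7 application descriptions")
    for d in descriptions:
        if d.protocol != "HTTP":          # Release 20: only HTTP is supported
            reasons.append("L7 Protocol Invalid")
        if d.field != "URL":              # Release 20: only the URL field is supported
            reasons.append("L7 Field Invalid")
        if d.operator not in OPERATORS:
            reasons.append("L7 Operator Invalid")
        if not 0 < len(d.value) <= 256:   # assumption: empty or over-long is invalid
            reasons.append("L7 Value Invalid")
    # Rule-Condition-Action is optional; when present, invalid or empty fields
    # cause rejection with GW/PCEF_MALFUNCTION (4) in Release 20 and later.
    if condition_action is not None and condition_action != ("OUT_OF_CREDIT", "ALLOW"):
        reasons.append("GW/PCEF_MALFUNCTION (4)")
    return reasons

def matches(d, url):
    """Apply one description's operator to the URL taken from the user packet."""
    value = d.value
    if not d.case_sensitive:
        url, value = url.lower(), value.lower()
    return OPERATORS[d.operator](url, value)

# Constructed sample description: case-insensitive STARTS_WITH on a top-up portal URL.
TOPUP = L7Description("HTTP", "URL", 2, "http://portal.example.net/topup", False)
```

Because the Allow action applies while the subscriber is out of credit, anchored operators such as EQUALS or STARTS_WITH keep that exception narrower than CONTAINS, which matches the value anywhere in the URL.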

Configuring L7 Dynamic Rule Activation Feature

This section describes how to configure the activation of L7 dynamic PCC rules from PCRF to support L7 capabilities.


Important

This feature requires a valid license to be installed prior to configuring this feature. Contact your Cisco account representative for more information on the licensing requirements.


To enable the L7 capabilities through Charging-Rule-Definition AVP received over Gx interface, use the following configuration:

configure 
require active-charging 
   active-charging service service_name 
      policy-control l7-dynamic-rules 
      end 

Important

After you configure this command, you must save the configuration and then reload the chassis for the command to take effect. For information on saving the configuration file and reloading the chassis, refer to the System Administration Guide for your deployment.


  • The policy-control l7-dynamic-rules CLI command is license dependent.

  • policy-control l7-dynamic-rules : Enables the L7 capabilities through the Charging-Rule-Definition AVP received over the Gx interface.

  • no policy-control l7-dynamic-rules : Disables the L7 capabilities through Charging-Rule-Definition AVP. By default, this functionality is disabled.

Verifying the L7 Dynamic Rule Activation Feature Configuration

To verify your configuration, in the Exec mode, enter the following command:

show configuration 

The output displays a concise list of settings that you have configured for the context. From this output, you can confirm if the feature is enabled.

Monitoring and Troubleshooting the L7 Dynamic Rule Activation Feature

This section provides information regarding show commands and/or their outputs in support of the L7 Dynamic Rule Activation feature.

show active-charging sessions full all

The output of this show command has been enhanced to display the L7 filters, condition and action received along with the L7 dynamic rule when the rule is installed.

  • Total L7 Dynamic Rules

  • Dynamic Charging Rule Definition(s) Configured:
    • L7-Filter

    • Protocol

    • Field

    • Operator

    • Value

    • Case-Sensitive

    • Condition-Action

    • Condition

    • Action

show active-charging service statistics

The following statistics are added to the output of show active-charging service statistics command in support of the L7 Dynamic Rule Activation feature.

  • Dynamic Rule Statistics:
    • L7 Rules Received: Displays the total number of L7 dynamic rules that are received from PCRF.

    • L7 Install Succeeded: Displays the total number of L7 dynamic rules that are successfully installed.

    • L7 Install Failed: Displays the total number of L7 dynamic rules that failed to install due to invalid L7 dynamic rules, etc.

  • Install Failure Reason:
    • L7 Rule Invalid: Displays the total number of L7 dynamic rules that failed to install due to invalid L7 dynamic rule.

    • L7 Protocol Invalid: Displays the total number of L7 dynamic rules that failed to install due to invalid L7 protocol.

    • L7 Field Invalid: Displays the total number of L7 dynamic rules that failed to install due to invalid L7 field.

    • L7 Operator Invalid: Displays the total number of L7 dynamic rules that failed to install due to invalid L7 operator.

    • L7 Value Invalid: Displays the total number of L7 dynamic rules that failed to install due to invalid L7 value.

    • L7 Case-Sens Invalid: Displays the total number of L7 dynamic rules that failed to install due to invalid case-sensitive value.

show active-charging rulebase statistics name

The output of this show command has been enhanced to display the total number of packets that are deemed candidates for condition action OOC (Out of Credit).

  • Condition Action Statistics:

    • Out of Credit allow actions received: Total number of times the "out of credit allow" actions have been received.

    • Action applied to packets: Total number of packets to which the "out of credit allow" actions are applied.

    • Action applied to bytes: Total number of bytes to which the "out of credit allow" actions are applied.

Monitor Protocol

When using the monitor protocol command in the Exec mode, enable option 75 - 3 to check whether or not the L7 dynamic rule is installed successfully.