Cisco Cisco Packet Data Gateway (PDG)
dynamically to existing subscriber sessions. By default, the ACL is applied as both the input and output filter
for the matching subscriber unless the Filter-Id in the CoA message bears the prefix in: or out:.
for the matching subscriber unless the Filter-Id in the CoA message bears the prefix in: or out:.
For information on CoA messages and how they are implemented in the system, refer to
of Authorization and Disconnect Message, on page 135
.
Changing ACL and rulebase together in a single CoA is not supported. For this, two separate CoA requests
can be sent through AAA server requesting for one attribute change per request.
can be sent through AAA server requesting for one attribute change per request.
Important
Session Limits On Redirection
To limit the amount of memory consumed by a session manager a limit of 2000 redirected session entries per
session manager is allocated. This limit is equally shared by the set of subscribers who are currently being
redirected. Whenever a redirected session entry is subject to revocation from a subscriber due to an insufficient
number of available session entries, the least recently used entry is revoked.
session manager is allocated. This limit is equally shared by the set of subscribers who are currently being
redirected. Whenever a redirected session entry is subject to revocation from a subscriber due to an insufficient
number of available session entries, the least recently used entry is revoked.
Stopping Redirection
The redirected session entries for a subscriber remain active until a CoA message issued from the RADIUS
server specifies a filter that does not contain the readdress server ACL rule. When this happens, the redirected
session entries for the subscriber are deleted.
server specifies a filter that does not contain the readdress server ACL rule. When this happens, the redirected
session entries for the subscriber are deleted.
All redirected session entries are also deleted when the subscriber disconnects.
Handling IP Fragments
Since TCP/UDP port numbers are part of the redirection mechanism, fragmented IP datagrams must be
reassembled before being redirected. Reassembly is particularly necessary when fragments are sent out of
order. The session manager performs reassembly of datagrams and reassembly is attempted only when a
datagram matches the redirect server ACL rule. To limit memory usage, only up to 10 different datagrams
may be concurrently reassembled for a subscriber. Any additional requests cause the oldest datagram being
reassembled to be discarded. The reassembly timeout is set to 2 seconds. In addition, the limit on the total
number of fragments being reassembled by a session manager is set to 1000. If this limit is reached, the oldest
datagram being reassembled in the session manager and its fragment list are discarded. These limits are not
configurable.
reassembled before being redirected. Reassembly is particularly necessary when fragments are sent out of
order. The session manager performs reassembly of datagrams and reassembly is attempted only when a
datagram matches the redirect server ACL rule. To limit memory usage, only up to 10 different datagrams
may be concurrently reassembled for a subscriber. Any additional requests cause the oldest datagram being
reassembled to be discarded. The reassembly timeout is set to 2 seconds. In addition, the limit on the total
number of fragments being reassembled by a session manager is set to 1000. If this limit is reached, the oldest
datagram being reassembled in the session manager and its fragment list are discarded. These limits are not
configurable.
Recovery
When a session manager dies, the ACL rules are recovered. The session redirect entries have to be re-created
when the MN initiates new traffic for the session. Therefore when a crash occurs, traffic from the Internet
side is not redirected to the MN.
when the MN initiates new traffic for the session. Therefore when a crash occurs, traffic from the Internet
side is not redirected to the MN.
AAA Accounting
Where destination-based accounting is implemented, traffic from the subscriber is accounted for using the
original destination address and not the redirected address.
original destination address and not the redirected address.
HNB-GW Administration Guide, StarOS Release 19
141
CoA, RADIUS DM, and Session Redirection (Hotlining)
Operation