Cisco Cisco ASR 5500
HA Overview
Features and Functionality - Inline Service Support ▀
HA Administration Guide, StarOS Release 18 ▄
23
based solution for parental controls and content filtering. The Content Filtering ICAP solution is appropriate for
operators with existing installations of Active Content Filtering servers in their networks.
operators with existing installations of Active Content Filtering servers in their networks.
The Enhanced Charging Service (ECS) provides a streamlined Internet Content Adaptation Protocol (ICAP) interface to
leverage the Deep Packet Inspection (DPI) to enable external Application Servers to provide their services without
performing the DPI functionality and without being inserted in the data flow. The ICAP interface may be attractive to
mobile operators that prefer to use an external Active Content Filtering (ACF) Platform. If a subscriber initiates a WAP
(WAP1.x or WAP2.0) or Web session, the subsequent GET/POST request is detected by the deep packet inspection
function. The URL of the GET/POST request is extracted by the local DPI engine on the ASR 5000 platform and
passed, along with subscriber identification information and the subscriber request, in an ICAP message to the
Application Server (AS). The AS checks the URL on the basis of its category and other classifications like, type, access
level, content category and decides if the request should be authorized, blocked or redirected by answering the
GET/POST message. Depending upon the response received from the ACF server, the HA either passes the request
unmodified or discards the message and responds to the subscriber with the appropriate redirection or block message.
leverage the Deep Packet Inspection (DPI) to enable external Application Servers to provide their services without
performing the DPI functionality and without being inserted in the data flow. The ICAP interface may be attractive to
mobile operators that prefer to use an external Active Content Filtering (ACF) Platform. If a subscriber initiates a WAP
(WAP1.x or WAP2.0) or Web session, the subsequent GET/POST request is detected by the deep packet inspection
function. The URL of the GET/POST request is extracted by the local DPI engine on the ASR 5000 platform and
passed, along with subscriber identification information and the subscriber request, in an ICAP message to the
Application Server (AS). The AS checks the URL on the basis of its category and other classifications like, type, access
level, content category and decides if the request should be authorized, blocked or redirected by answering the
GET/POST message. Depending upon the response received from the ACF server, the HA either passes the request
unmodified or discards the message and responds to the subscriber with the appropriate redirection or block message.
IPNE Service Support
The HA supports the IP Network Enabler (IPNE) service. IPNE is a Mobile and IP Network Enabler (MINE) client
component that collects and distributes session and network information to MINE servers. The MINE cloud service
provides a central portal forwireless operators and partners to share and exchange session and network information to
realize intelligent services. For detailedinformation on IPNE, refer to the IP Network Enabler appendix in this guide.
component that collects and distributes session and network information to MINE servers. The MINE cloud service
provides a central portal forwireless operators and partners to share and exchange session and network information to
realize intelligent services. For detailedinformation on IPNE, refer to the IP Network Enabler appendix in this guide.
Network Address Translation (NAT)
NAT translates non-routable private IP address(es) to routable public IP address(es) from a pool of public IP addresses
that have been designated for NAT. This enables to conserve on the number of public IP addresses required to
communicate with external networks, and ensures security as the IP address scheme for the internal network is masked
from external hosts, and each outgoing and incoming packet goes through the translation process.
that have been designated for NAT. This enables to conserve on the number of public IP addresses required to
communicate with external networks, and ensures security as the IP address scheme for the internal network is masked
from external hosts, and each outgoing and incoming packet goes through the translation process.
NAT works by inspecting both incoming and outgoing IP datagrams and, as needed, modifying the source IP address
and port number in the IP header to reflect the configured NAT address mapping for outgoing datagrams. The reverse
NAT translation is applied to incoming datagrams.
and port number in the IP header to reflect the configured NAT address mapping for outgoing datagrams. The reverse
NAT translation is applied to incoming datagrams.
NAT can be used to perform address translation for simple IP and mobile IP. NAT can be selectively applied/denied to
different flows (5-tuple connections) originating from subscribers based on the flows' L3/L4 characteristics—Source-IP,
Source-Port, Destination-IP, Destination-Port, and Protocol.
different flows (5-tuple connections) originating from subscribers based on the flows' L3/L4 characteristics—Source-IP,
Source-Port, Destination-IP, Destination-Port, and Protocol.
NAT supports the following mappings:
One-to-One
Many-to-One
Important:
For more information on NAT, refer to the Cisco ASR 5000 Series Network Address Translation
Administration Guide.
Personal Stateful Firewall
The Personal Stateful Firewall is an in-line service feature that inspects subscriber traffic and performs IP session-based
access control of individual subscriber sessions to protect the subscribers from malicious security attacks.
access control of individual subscriber sessions to protect the subscribers from malicious security attacks.