More Information About HW-Data-Filter (82)

The HW-Data-Filter attribute delivers classifier-behavior (C-B) pairs to implement dynamic ACLs. Dynamic ACLs delivered this way take priority over ACLs configured locally on the device.

Format of the HW-Data-Filter Attribute

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
|    Type(26)   |    Length     |         Vendor ID(0000)       |
|               | 6+VendorLength|                               |
+---------------+---------------+---------------+---------------+
|         Vendor ID(2011)       |Vendor Type(82)| Vendor Length |
+-------------------------------+---------------+---------------+
|           String
+---------------------------------------------------------------+
  • Vendor Length: 1–249 bytes. The count includes the Vendor Type and Vendor Length bytes themselves, so the String field holds Vendor Length minus 2 bytes, at most 247.
  • String: the attribute content. The HW-Data-Filter attribute carries classifier strings, behavior strings, and CoA action strings. Each string is a sequence of fields delimited by semicolons and contains only printable characters that can be typed on a keyboard.

The HW-Data-Filter attribute can be delivered more than once in a packet, and one attribute can carry several attribute strings separated by a number sign (#). For example, two classifier strings are delivered as classifier1 string#classifier2 string in the String field of one attribute, and a classifier string together with a behavior string as classifier string#behavior string.

In one RADIUS packet, the total number of sub-attributes of all HW-Data-Filter attributes cannot exceed 2047.

Both classifier and behavior strings are categorized as local or remote. These types can be flexibly combined, meaning that a local or remote classifier string can be combined with both local and remote behavior strings.
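The encoding above, worked through in code. This is an added example written for this page, not Huawei code: it packs attribute strings into a HW-Data-Filter VSA (Type 26, Vendor ID 2011, Vendor Type 82), spreads a long list of strings across repeated attributes so that no String field exceeds 247 bytes, and parses the attributes back out of a packet while checking the Length and Vendor Length fields before trusting them, since they arrive from the network. The classifier and behavior strings used below are constructed samples.

```python
import struct

RADIUS_VSA_TYPE = 26        # Vendor-Specific attribute
HUAWEI_VENDOR_ID = 2011     # 0x000007DB, shown as 0000 / 2011 in the diagram
HW_DATA_FILTER = 82         # Vendor Type
MAX_STRING_LEN = 247        # Vendor Length <= 249 minus the Vendor Type and Vendor Length bytes


def encode_hw_data_filter(strings):
    """Pack attribute strings (classifier, behavior or CoA action strings)
    into ONE HW-Data-Filter VSA; several strings are joined with '#'."""
    text = "#".join(strings)
    if not text or any(not 32 <= ord(c) < 127 for c in text):
        raise ValueError("String must be non-empty printable ASCII")
    payload = text.encode("ascii")
    if len(payload) > MAX_STRING_LEN:
        raise ValueError(f"String is {len(payload)} bytes, maximum is {MAX_STRING_LEN}")
    vendor_len = 2 + len(payload)                 # Vendor Type + Vendor Length + String
    length = 6 + vendor_len                       # Type + Length + Vendor ID + vendor part
    return struct.pack("!BBIBB", RADIUS_VSA_TYPE, length,
                       HUAWEI_VENDOR_ID, HW_DATA_FILTER, vendor_len) + payload


def pack_attributes(strings):
    """Deliver many strings as as many HW-Data-Filter VSAs as needed: the
    attribute may be repeated, but each String field is capped at 247 bytes."""
    vsas, batch = [], []
    for s in strings:
        if batch and len("#".join(batch + [s])) > MAX_STRING_LEN:
            vsas.append(encode_hw_data_filter(batch))
            batch = []
        batch.append(s)
    if batch:
        vsas.append(encode_hw_data_filter(batch))
    return b"".join(vsas)


def decode_hw_data_filter(attrs):
    """Walk the attribute area of a RADIUS packet and return every attribute
    string carried by HW-Data-Filter VSAs, in delivery order. Other attributes
    are skipped; inconsistent length fields are rejected rather than trusted."""
    strings, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("attribute length out of bounds")
        body = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != RADIUS_VSA_TYPE or len(body) < 6:
            continue                                  # not a (usable) VSA
        vendor_id, vtype, vlen = struct.unpack("!IBB", body[:6])
        if vendor_id != HUAWEI_VENDOR_ID or vtype != HW_DATA_FILTER:
            continue                                  # some other vendor attribute
        if vlen != len(body) - 4:                     # body = 4-byte Vendor ID + vendor part
            raise ValueError("Vendor Length does not match attribute Length")
        strings.extend(s for s in body[6:].decode("ascii").split("#") if s)
    return strings
```

`pack_attributes` is the greedy form of "the attribute can be delivered repeatedly": it fills one VSA until the next string would push the String field past 247 bytes, then starts a new one. A single string longer than 247 bytes cannot be delivered at all and is rejected.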

Local Classifier String in the HW-Data-Filter Attribute

A local classifier string refers to a classifier configured on the device by command. Through the HW-Data-Filter attribute a RADIUS server can only specify the behavior to bind to such a classifier; it cannot add, delete, or modify the rules the classifier matches. The local classifier format is as follows.

  • Local classifier name (lc)
    Value range: Class-name string<1-31>
    Example: lc=class2;
    Optional/Mandatory: Mandatory<1>
    Description: When a local classifier is delivered, this field must be the first in the HW-Data-Filter attribute string.
  • Behavior name (rb or lb)
    Value range: Behavior-name string<1-31>
    Example: rb=behavior1; or lb=behavior2;
    Optional/Mandatory: Optional<0-1>
    Description: rb stands for remote behavior; lb stands for local behavior. A local classifier can be bound to a local or remote behavior, and this field names the behavior to bind. If this field is not delivered, the permit/deny action carried in each rule of the classifier takes effect.
  • Direction (dir)
    Value range: in | out | both
    Example: dir=in; dir=out; dir=both;
    Optional/Mandatory: Mandatory<1>
    Description: This field specifies the direction in which the rules are applied: in for inbound, out for outbound, both for both directions.

For example, "lc=class2;rb=behavior1;dir=in;" represents that a local classifier named class2 is bound to a remote behavior named behavior1 and this configuration takes effect in the inbound direction.

Remote Classifier String in the HW-Data-Filter Attribute

A remote classifier string refers to a classifier dynamically configured by a RADIUS server. The server uses the HW-Data-Filter attribute to specify the classifier name, the name of the behavior to bind to it, and the rules the classifier matches. The remote classifier format is as follows.

  • Remote classifier name (rc)
    Value range: Class-name string<1-31>
    Example: rc=class2;
    Optional/Mandatory: Mandatory<1>
    Description: When a remote classifier is delivered, this field must be the first in the HW-Data-Filter attribute string.
  • Behavior name (rb or lb)
    Value range: Behavior-name string<1-31>
    Example: rb=behavior1; or lb=behavior2;
    Optional/Mandatory: Optional<0-1>
    Description: rb stands for remote behavior; lb stands for local behavior. A remote classifier can be bound to a local or remote behavior, and this field names the behavior to bind. If this field is not delivered, the permit/deny action carried in each rule of the classifier takes effect.
  • Direction (dir)
    Value range: in | out | both
    Example: dir=in; dir=out; dir=both;
    Optional/Mandatory: Optional<0-1>
    Description: This field specifies the direction in which the rules are applied: in for inbound, out for outbound, both for both directions. It can be omitted only when one end of the rule is an IPv4 or IPv6 address and the other end is a user-group or service-group; the direction is then implied. A user-group or service-group source with an IPv4 or IPv6 destination applies in the inbound direction, and an IPv4 or IPv6 source with a user-group or service-group destination applies in the outbound direction. In every other case this field must be delivered.
  • Rule number (ruleid)
    Value range: <0-4294967294>
    Example: ruleid=11;
    Optional/Mandatory: Optional<0-1>
    Description: This field specifies the rule number. If it is not delivered, rule numbers are assigned automatically in steps of 5. If two rules applied by the same classifier carry the same number, all HW-Data-Filter attributes in the packet being processed fail to be processed. Deliver this field either for all rules of a classifier or for none of them.
  • Rule action (no field name)
    Value range: permit | deny
    Example: permit; or deny;
    Optional/Mandatory: Optional<0-1>
    Description: This field specifies the action of the rule; permit is assumed if it is not delivered. The value identifies the field by itself, so it is delivered without a field name.
  • Rule IP type (no field name)
    Value range: ipv4 | ipv6
    Example: ipv4; or ipv6;
    Optional/Mandatory: Optional<0-1>
    Description: This field specifies the IP address family of the rule. It can be omitted when an IPv4 or IPv6 address is given as the source or destination, because the family then follows from the address; in all other cases it must be delivered. If it is delivered together with an address, it must match the address family; otherwise all HW-Data-Filter attributes in the packet being processed fail to be processed.
  • Protocol (proto)
    Value range: <1-255> or a protocol keyword (see the list below)
    Example: proto=6;
    Optional/Mandatory: Optional<0-1>
    Description: This field specifies the protocol matched by the rule; 6 is TCP and 17 is UDP. If it is not delivered, IPv4 rules match any IP protocol and IPv6 rules match any IPv6 protocol.
  • Source IP (sipv4, sipv6, ss-group, or su-group)
    Value range: sipv4: X.X.X.X/mask-length or X.X.X.X/wild-mask; sipv6: X:X::X:X/M; ss-group: Service-group name string<1-31>; su-group: User-group name string<1-32>
    Example: sipv4=1.1.1.0/24; sipv4=1.1.1.0/0.255.255.255; sipv6=2001:db8::1/64; ss-group=paid; su-group=isp1;
    Optional/Mandatory: Optional<0+>
    Description: This field specifies the source IPv4 address, IPv6 address, service-group, or user-group of the rule. If it is not delivered, IPv4 rules match any source IPv4 address and IPv6 rules match any source IPv6 address. Source fields of one type (IPv4, IPv6, service-group, or user-group) may appear several times in a remote classifier; if source fields of different types are mixed, all HW-Data-Filter attributes in the packet being processed fail to be processed.
  • Destination IP (dipv4, dipv6, ds-group, or du-group)
    Value range: dipv4: X.X.X.X/mask-length or X.X.X.X/wild-mask; dipv6: X:X::X:X/M; ds-group: Service-group name string<1-31>; du-group: User-group name string<1-32>
    Example: dipv4=1.1.1.0/24; dipv4=1.1.1.0/0.255.255.255; dipv6=2001:db8::1/64; ds-group=paid; du-group=isp1;
    Optional/Mandatory: Optional<0+>
    Description: This field specifies the destination IPv4 address, IPv6 address, service-group, or user-group of the rule. If it is not delivered, IPv4 rules match any destination IPv4 address and IPv6 rules match any destination IPv6 address. Destination fields of one type (IPv4, IPv6, service-group, or user-group) may appear several times in a remote classifier; if destination fields of different types are mixed, all HW-Data-Filter attributes in the packet being processed fail to be processed.
  • Source port (sport or sport-range)
    Value range: sport: <0-65535> or a port keyword (see the list below); sport-range: <0-65535>-<0-65535>
    Example: sport=80; sport-range=20-200;
    Optional/Mandatory: sport Optional<0+>; sport-range Optional<0-1>
    Description: These fields can be delivered only if the protocol value is 6 or 17. sport specifies a single source port and may appear several times in a remote classifier. sport-range specifies a source port range, must be delivered in ascending order, and may appear only once. sport and sport-range cannot both appear in the same remote classifier.
  • Destination port (dport or dport-range)
    Value range: dport: <0-65535> or a port keyword (see the list below); dport-range: <0-65535>-<0-65535>
    Example: dport=80; dport-range=20-200;
    Optional/Mandatory: dport Optional<0+>; dport-range Optional<0-1>
    Description: These fields can be delivered only if the protocol value is 6 or 17. dport specifies a single destination port and may appear several times in a remote classifier. dport-range specifies a destination port range, must be delivered in ascending order, and may appear only once. dport and dport-range cannot both appear in the same remote classifier. The source port and destination port fields do not have to be of the same kind: one may be a single port and the other a range.
  • DSCP (dscp)
    Value range: <0-63>
    Example: dscp=5;
    Optional/Mandatory: Optional<0-1>
    Description: This field specifies the DSCP value matched by the rule. It cannot appear in the same remote classifier as pre or tos.
  • Precedence (pre)
    Value range: <0-7> or a precedence keyword (see the list below)
    Example: pre=5;
    Optional/Mandatory: Optional<0-1>
    Description: This field specifies the IP precedence value matched by the rule. It cannot appear in the same remote classifier as dscp.
  • ToS (tos)
    Value range: <0-15> or a ToS keyword (see the list below)
    Example: tos=5;
    Optional/Mandatory: Optional<0-1>
    Description: This field specifies the ToS value matched by the rule. It cannot appear in the same remote classifier as dscp.
  • TCP flag (tcpflag)
    Value range: <0-511>
    Example: tcpflag=5;
    Optional/Mandatory: Optional<0-1>
    Description: This field specifies the TCP flag value matched by the rule and can be delivered only if the protocol value is 6. If it is delivered with any other protocol value, all HW-Data-Filter attributes in the packet being processed fail to be processed.
  • Bidirectional (no field name)
    Value range: bi-dir
    Example: bi-dir;
    Optional/Mandatory: Optional<0-1>
    Description: This field requests reverse delivery of the rule and cannot be delivered when the direction is both. Reverse delivery means the rule is delivered a second time with the source and destination addresses swapped and the source and destination ports swapped.

In a remote classifier, only the source, destination, source-port, and destination-port fields can be delivered more than once, and only one of these fields may be repeated in any one remote classifier.

Rule fields of enumerated type can also be delivered by keyword. The keywords and the values they stand for are:
  • Protocol field

      <1-255>  Protocol number
      gre      GRE tunneling (47)
      icmp     Internet Control Message Protocol (1)
      igmp     Internet Group Management Protocol (2)
      ip       Any IP protocol
      ipinip   IP in IP tunneling (4)
      ospf     OSPF routing protocol (89)
      tcp      Transmission Control Protocol (6)
      udp      User Datagram Protocol (17)

  • Source-port/Destination-port field

      <0-65535>  Port number
      chargen    Character generator (19)
      bgp        Border Gateway Protocol (179)
      cmd        Remote commands (rcmd, 514)
      daytime    Daytime (13)
      discard    Discard (9)
      domain     Domain Name Service (53)
      echo       Echo (7)
      exec       Exec (rsh, 512)
      finger     Finger (79)
      ftp        File Transfer Protocol (21)
      ftp-data   FTP data connections (20)
      gopher     Gopher (70)
      hostname   NIC hostname server (101)
      irc        Internet Relay Chat (194)
      klogin     Kerberos login (543)
      kshell     Kerberos shell (544)
      login      Login (rlogin, 513)
      lpd        Printer service (515)
      nntp       Network News Transport Protocol (119)
      pop2       Post Office Protocol v2 (109)
      pop3       Post Office Protocol v3 (110)
      smtp       Simple Mail Transport Protocol (25)
      sunrpc     Sun Remote Procedure Call (111)
      tacacs     TAC Access Control System (49)
      talk       Talk (517)
      telnet     Telnet (23)
      time       Time (37)
      uucp       Unix-to-Unix Copy Program (540)
      whois      Nicname (43)
      www        World Wide Web (HTTP, 80)

  • Precedence field

      <0-7>           Value of precedence
      critical        Specify critical precedence (5)
      flash           Specify flash precedence (3)
      flash-override  Specify flash-override precedence (4)
      immediate       Specify immediate precedence (2)
      internet        Specify internetwork control precedence (6)
      network         Specify network control precedence (7)
      priority        Specify priority precedence (1)
      routine         Specify routine precedence (0)

  • Tos field

      <0-15>             Value of TOS (type of service)
      max-reliability    Match packets with max reliable TOS (2)
      max-throughput     Match packets with max throughput TOS (4)
      min-delay          Match packets with min delay TOS (8)
      min-monetary-cost  Match packets with min monetary cost TOS (1)
      normal             Match packets with normal TOS(0)
    

Remote Behavior String in the HW-Data-Filter Attribute

A remote behavior string refers to a behavior dynamically configured by a RADIUS server. The server uses the HW-Data-Filter attribute to specify the behavior name and the traffic actions in the behavior. The remote behavior format is as follows.

  • Remote behavior name (rb)
    Value range: Behavior-name string<1-31>
    Example: rb=behavior1;
    Optional/Mandatory: Mandatory<1>
    Description: When a remote behavior is delivered, this field must be the first in the HW-Data-Filter attribute string.
  • Action (no field name)
    Value range: permit | deny
    Example: permit; or deny;
    Optional/Mandatory: Optional<0-1>
    Description: If this field is not delivered, permit takes effect.
  • Redirect CPU portal (no field name)
    Value range: redirect-cpu-portal
    Example: redirect-cpu-portal;
    Optional/Mandatory: Optional<0-1>
    Description: In portal push, if this field is configured, TCP packets that require portal redirection are sent to a RADIUS server.
  • HTTP redirect (no field name)
    Value range: http-redirect
    Example: http-redirect;
    Optional/Mandatory: Optional<0-1>
    Description: In forcible web redirection, if this field is configured, TCP packets that require web redirection are sent to a RADIUS server.
  • Remark DSCP (remark-dscp)
    Value range: <0-63>
    Example: remark-dscp=5;
    Optional/Mandatory: Optional<0-1>
    Description: This field can be delivered only in a remote behavior.
  • Remark IPv6 DSCP (remark-ipv6-dscp)
    Value range: <0-63>
    Example: remark-ipv6-dscp=5;
    Optional/Mandatory: Optional<0-1>
    Description: This field can be delivered only in a remote behavior.
  • Remark 802.1p (remark-8021p)
    Value range: <0-7>
    Example: remark-8021p=5;
    Optional/Mandatory: Optional<0-1>
    Description: This field can be delivered only in a remote behavior.

If a remote behavior would contain only the permit action and nothing else, the remote behavior string does not need to be delivered at all; the permit/deny action carried in each rule then applies.

CoA Action String in the HW-Data-Filter Attribute

A RADIUS server can carry CoA action strings in CoA-Request packets to specify the operation to perform on a user's dynamic ACLs. The CoA action string format is as follows.

  • CoA operation type (optype)
    Value range: update-user-class | add-user-class | del-user-class | add-rule | update-class
    Example: optype=update-user-class;
    Optional/Mandatory: Mandatory<1>
    Description: One of the following five operations.
    update-user-class replaces the dynamic ACL information the user is currently applying: the user stops applying the C-B pairs in use and applies the C-B pairs delivered by the CoA packet instead. If the CoA packet delivers no C-B pair, the user has no dynamic ACL information once the CoA packet has been processed successfully. If each CoA packet carries a different user group (a different set of access rights), optype=update-user-class must be delivered.
    add-user-class adds the C-B pairs delivered by the CoA packet to those the user is applying.
    del-user-class removes the C-B pairs named in the CoA packet from those the user is applying.
    add-rule adds the rules of the classifier delivered in the CoA packet to the classifier of the same name that the user is using.
    update-class replaces rules and actions: the rules and actions of the C-B pair that the user is using and that the CoA packet names are replaced with those delivered in the CoA packet.

When CoA packets are used to deliver dynamic ACLs, each packet should carry an operation type (optype) for the dynamic ACLs it delivers. If no operation type is delivered, update-user-class takes effect.

When optype is update-user-class or add-user-class and a delivered C-B pair has already been delivered to the device, only the reference count of that C-B pair is increased and its content is not updated; a C-B pair that has not been delivered yet is created.

Actions Supported by Local Behaviors

A local behavior string refers to a behavior configured on the device by command. When a RADIUS server delivers a local or remote classifier through the HW-Data-Filter attribute, the classifier can be bound to a local behavior. A local behavior supports only the following actions; any other action configured in a local behavior is ignored by dynamic ACLs.
  • redirect-cpu portal
  • redirect ip-nexthop X.X.X.X [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } | vpn STRING<1-31> | nqa STRING<1-31> STRING<1-31> ]
  • redirect ipv6-nexthop X:X::X:X [ interface { STRING<1-256> STRING<1-256> | STRING<1-256> } | vpn STRING<1-31> ]
  • { permit | deny }
  • remark dscp STRING<0-63>
  • remark 8021p INTEGER<0-7>
  • remark ipv6 dscp INTEGER<0-63>
  • nat bind instance STRING<1-31>
  • ds-lite bind instance STRING<1-31>
  • http-redirect [ plus ]

Dynamic ACL Specifications

A device supports a maximum of 1024 C-B pairs, distinguished by name and type. One classifier can contain up to 1024 rules, IPv4 and IPv6 rules counted together.

The total number of times C-B pairs in dynamic ACLs are applied by users on a device cannot exceed 256 x 1024 x 16. A C-B pair applied by n users counts as n applications.

One user can deliver a maximum of 1024 C-B pairs. Different users can deliver C-B pairs that share the same name and type; in that case the rules and action of the C-B pair delivered first take effect for all of those users, and the only way to change its content afterwards is a CoA packet. For example:

  • User A subscribes to a Thunder service and a dynamic ACL with 10 rules is delivered for it. User B then logs in and selects the same Thunder service, and the RADIUS authentication response for User B delivers a dynamic ACL with 11 rules under the same classifier and behavior names as User A's. The dynamic ACL for the Thunder service remains the one delivered when User A went online: User A's 10 rules take effect and the rules delivered for User B do not.
  • If the Thunder service's dynamic ACL must be added to, deleted, or modified while users who apply it are online, the change can be made only by having the RADIUS server deliver CoA packets to those online users.
  • After users who are using the Thunder service all go offline, the dynamic ACL for the Thunder service is deleted. If User C goes online at this time, the dynamic ACL for the Thunder service delivered in user C's RADIUS authentication response packet takes effect.
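The following added example (not device code) models the reference-count behaviour described in this section and in the CoA optype descriptions above: one copy of each C-B pair on the device, a per-user set of pair names, the five optype operations with update-user-class as the default, and the first-delivery-wins rule for users who deliver the same name. The users, service name and rule strings are constructed for the example, and the model is only as detailed as the page's description; it is meant for reasoning about what a given CoA sequence leaves in effect, not as a statement of the device's internal implementation.

```python
MAX_CB_PAIRS = 1024               # per device, and also per user
MAX_RULES_PER_CLASSIFIER = 1024   # IPv4 and IPv6 rules counted together


class DynamicAclTable:
    """Simplified model (an added example, not device code) of the C-B pair
    table behind HW-Data-Filter: each pair exists once on the device with a
    reference count, and each online user applies a set of pair names."""

    def __init__(self):
        self.pairs = {}   # (classifier, behavior) -> {"rules": [...], "refs": n}
        self.users = {}   # user -> set of (classifier, behavior) in use

    def _reference(self, user, name, rules):
        if len(rules) > MAX_RULES_PER_CLASSIFIER:
            raise ValueError("classifier exceeds 1024 rules")
        if name in self.pairs:                    # already on the device: first
            self.pairs[name]["refs"] += 1         # delivery wins, content untouched
        elif len(self.pairs) >= MAX_CB_PAIRS:
            raise ValueError("device C-B pair table is full")
        else:
            self.pairs[name] = {"rules": list(rules), "refs": 1}
        self.users[user].add(name)

    def _release(self, user, name):
        self.users[user].discard(name)
        self.pairs[name]["refs"] -= 1
        if self.pairs[name]["refs"] == 0:         # last user gone: the pair is deleted
            del self.pairs[name]

    def login(self, user, delivered):
        """Access-Accept carrying {(classifier, behavior): [rule strings]}."""
        if len(delivered) > MAX_CB_PAIRS:
            raise ValueError("one user may deliver at most 1024 C-B pairs")
        self.users[user] = set()
        for name, rules in delivered.items():
            self._reference(user, name, rules)

    def logout(self, user):
        for name in list(self.users[user]):
            self._release(user, name)
        del self.users[user]

    def coa(self, user, delivered, optype="update-user-class"):
        """CoA-Request carrying HW-Data-Filter strings; a missing optype means
        update-user-class, as the page states."""
        applied = self.users[user]
        if optype in ("update-user-class", "add-user-class"):
            for name, rules in delivered.items():
                if name not in applied:           # re-delivery only bumps the count
                    self._reference(user, name, rules)
            if optype == "update-user-class":
                for name in list(applied - set(delivered)):
                    self._release(user, name)     # pairs not in the CoA are dropped
        elif optype == "del-user-class":
            for name in delivered:
                if name in applied:
                    self._release(user, name)
        elif optype == "add-rule":
            for name, rules in delivered.items():
                if name in applied:
                    merged = self.pairs[name]["rules"] + list(rules)
                    if len(merged) > MAX_RULES_PER_CLASSIFIER:
                        raise ValueError("classifier would exceed 1024 rules")
                    self.pairs[name]["rules"] = merged
        elif optype == "update-class":
            for name, rules in delivered.items():
                if name in applied:
                    self.pairs[name]["rules"] = list(rules)
        else:
            raise ValueError(f"unknown optype {optype!r}")

    def effective_rules(self, user):
        """Rules actually enforced for the user: the device copy, which may
        differ from what this user's own Access-Accept delivered."""
        return {name: list(self.pairs[name]["rules"]) for name in self.users[user]}

    def applications(self):
        """Total C-B pair applications, the figure the 256 x 1024 x 16 limit counts."""
        return sum(p["refs"] for p in self.pairs.values())
```

Walking the page's Thunder example through the model: A logs in with 10 rules, B logs in with 11 under the same name and still gets A's 10, a CoA with optype=update-class changes the shared copy for both, and only after both log out does a fresh login install new content.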
Copyright © Huawei Technologies Co., Ltd.