17-BRAS Services Command Reference


iBRAS SA commands

display sa custom-app

Use display sa custom-app to display information about the custom application signature library.

Syntax

display sa custom-app [ [ major-id | minor-id ] [ verbose ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

major-id: Displays information about applications in the specified custom application category (major ID). The value range for the major-id argument is 1 to 699. If you do not specify this argument or the minor-id argument, this command displays information about all applications with app IDs.

minor-id: Displays information about the application with the specified custom application ID (minor ID). The value range for the minor-id argument is 1000 to 6999. If you do not specify this argument or the major-id argument, this command displays information about all applications with app IDs.

verbose: Displays detailed information about an application with the specified app ID. If you do not specify this keyword, this command displays brief information about an application with the specified app ID.

Examples

# Display brief information about all applications with app IDs in the custom application signature library.

<Sysname> display sa custom-app

Major ID: 1           Major name: Test1

  Minor ID            Minor name

  1000                app1

  1001                app2

 

Major ID: 2           Major name: Test2

  Minor ID            Minor name

  2000                app4

  2001                app5

  2002                app6

# Display detailed information about the application with app ID 1 in the custom application signature library.

<Sysname> display sa custom-app 1 verbose

Major ID            : 1           Major name    : -

  Minor ID          : 1000        Minor name    : -

    Rule ID         : 1           IP stack      : IPv4

    Source Port     : 100         Source IP     : 1.2.3.4/32

    Destination Port: 99          Destination IP: 2.3.4.5/32

    Protocol        : TCP

    Domain name     : example1.com

    Payload         : example1

  Minor ID          : 1001        Minor name    : -

    Rule ID         : 2           IP stack      : IPv6

    Source Port     : 102         Source IP     : 2313:3123:1234::ABCD/128

    Destination Port: 89          Destination IP: 3313:3123:1234:9283::ABCD/128

    Protocol        : TCP

    Domain name     : example2.com

    Payload         : example2

Table 1 Command output

Field

Description

Major ID

Custom application category ID.

Major name

Name of the application with the specified major ID.

Minor ID

Custom app ID.

Minor name

Name of the application with the specified minor ID.

Rule ID

Match rule ID of a custom application and packet signature.

IP stack

Type of the IP address stack defined in the match rule. Options include:

·     IPv4—The source and destination addresses of the packets are IPv4 addresses.

·     IPv6—The source and destination addresses of the packets are IPv6 addresses.

Source Port

Source port number of the packets.

Source IP

Source IPv4 address and mask length of the packets, or source IPv6 address and prefix length of the packets.

Destination Port

Destination port number of the packets.

Destination IP

Destination IPv4 address and mask length of the packets, or destination IPv6 address and prefix length of the packets.

Protocol

Protocol type of the packets. Options include:

·     TCP.

·     UDP.

Domain name

Domain name information.

Payload

Signature keyword information.

 

Related commands

sa-ctl custom-app

sa-ctl custom-app name
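
The verbose listing above is the only place the custom signature library can be reviewed from the CLI, so an operator will usually want to parse it and sanity-check it (ID ranges as documented for major-id and minor-id, address family against the IP stack field, port values). The following Python is an added example, not H3C code; the sample text is constructed in the page's output layout, and the port range check is a general assumption, not something the page states.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of "display sa custom-app 1 verbose"
# (values copied from the page's example output, not captured from a device).
SAMPLE_CUSTOM_APP = """\
Major ID            : 1           Major name    : -
  Minor ID          : 1000        Minor name    : -
    Rule ID         : 1           IP stack      : IPv4
    Source Port     : 100         Source IP     : 1.2.3.4/32
    Destination Port: 99          Destination IP: 2.3.4.5/32
    Protocol        : TCP
    Domain name     : example1.com
    Payload         : example1
  Minor ID          : 1001        Minor name    : -
    Rule ID         : 2           IP stack      : IPv6
    Source Port     : 102         Source IP     : 2313:3123:1234::ABCD/128
    Destination Port: 89          Destination IP: 3313:3123:1234:9283::ABCD/128
    Protocol        : TCP
    Domain name     : example2.com
    Payload         : example2
"""

# ID ranges as documented for the major-id and minor-id arguments.
MAJOR_RANGE = (1, 699)
MINOR_RANGE = (1000, 6999)

# "Key : value" pairs; one output line may carry two of them side by side.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)")


@dataclass
class Rule:
    major_id: int
    minor_id: int
    fields: dict = field(default_factory=dict)


def parse_custom_app(text):
    """Turn the verbose listing into one Rule per 'Rule ID' block."""
    rules, major, minor, current = [], None, None, None
    for line in text.splitlines():
        kv = {k.strip(): v for k, v in PAIR_RE.findall(line)}
        if "Major ID" in kv:
            major = int(kv["Major ID"])
        elif "Minor ID" in kv:
            minor = int(kv["Minor ID"])
        elif "Rule ID" in kv:
            current = Rule(major, minor)
            rules.append(current)
            current.fields.update(kv)
        elif current is not None:
            current.fields.update(kv)
    return rules


def audit_rules(rules):
    """Return a list of findings; an empty list means the library is consistent."""
    findings = []
    for r in rules:
        tag = f"major {r.major_id}/minor {r.minor_id}/rule {r.fields.get('Rule ID')}"
        if not MAJOR_RANGE[0] <= r.major_id <= MAJOR_RANGE[1]:
            findings.append(f"{tag}: major ID outside {MAJOR_RANGE}")
        if not MINOR_RANGE[0] <= r.minor_id <= MINOR_RANGE[1]:
            findings.append(f"{tag}: minor ID outside {MINOR_RANGE}")
        stack = r.fields.get("IP stack")
        want = {"IPv4": 4, "IPv6": 6}.get(stack)
        if want is None:
            findings.append(f"{tag}: unknown IP stack {stack!r}")
        # Every address in the rule must belong to the family the rule declares.
        for key in ("Source IP", "Destination IP"):
            val = r.fields.get(key, "-")
            if val == "-":
                continue
            try:
                net = ipaddress.ip_network(val, strict=False)
            except ValueError:
                findings.append(f"{tag}: {key} {val} is not a valid prefix")
                continue
            if want is not None and net.version != want:
                findings.append(f"{tag}: {key} {val} does not match IP stack {stack}")
        # Assumed check: port numbers must be 0-65535 (not stated on the page).
        for key in ("Source Port", "Destination Port"):
            val = r.fields.get(key, "-")
            if val != "-" and not (val.isdigit() and 0 <= int(val) <= 65535):
                findings.append(f"{tag}: {key} {val} is out of range")
        if r.fields.get("Protocol", "-") not in ("TCP", "UDP", "-"):
            findings.append(f"{tag}: unexpected protocol {r.fields['Protocol']}")
    return findings


if __name__ == "__main__":
    for finding in audit_rules(parse_custom_app(SAMPLE_CUSTOM_APP)) or ["no findings"]:
        print(finding)
```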

display sa mirroring-group

Use display sa mirroring-group to display the monitor port or monitoring group for a mirroring group.

Syntax

display sa mirroring-group [ group-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-id: Specifies a mirroring group by its ID. The value range for this argument is 1 to 250. If you do not specify this argument, this command displays the monitor ports or monitoring groups of all mirroring groups.

Examples

# Display the monitor ports or monitoring groups for all mirroring groups.

<Sysname> display sa mirroring-group

Mirroring group     Mirror to          Interface              Monitoring group

1                   Interface          XGE3/1/1                -

2                   Monitoring-group   -                      1

Table 2 Command output

Field

Description

Mirroring group

Mirroring group ID.

Mirror to

Destination for a mirroring group. Options include:

·     Interface—Monitor port for a mirroring group.

·     Monitoring-group—Monitoring group for a mirroring group.

Interface

Name of the monitor port for a mirroring group.

Monitoring group

ID of the monitoring group for a mirroring group.

 

Related commands

sa mirroring-group mirror-to

display sa node

Use display sa node to display the global configuration information of SA nodes on the device.

Syntax

display sa node

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the global configuration information of SA nodes on the device.

<Sysname> display sa node

Node ID                : 1

Global mode            : Inline

SA bypass              : Enabled

Engine minnumber       : 5   

QoE                    : Enabled

  QoE group capacity   : 1000

  QoE polling interval : 10

Match packet maxnumber : 5

Flow log interval      : 5

Flow table aging time  : 200(s)

User aging time        : 300(s)

Redirect URL           : http://example.com

Table 3 Command output

Field

Description

Node ID

SA node number.

Global mode

Global mode of directing traffic to the APA card for processing. Options include:

·     Inline—Inline mode.

·     offline—Bypass mode.

A hyphen (-) indicates the mode is not configured.

SA bypass

Whether traffic is configured to bypass the APA card:

·     Enabled—Traffic is configured to bypass the APA card.

·     Disabled—Traffic is not configured to bypass the APA card.

Engine minnumber

Minimum number of CPUs required by the iBRAS SA feature. A hyphen (-) indicates that the minimum number is not configured.

QoE

Status of the QoE function on the APA module.

QoE group capacity

Number of user groups that a CPU analyzes within one polling interval during QoE analysis.

QoE polling interval

Polling interval for user group analysis during QoE analysis.

Match packet maxnumber

Maximum number of packets matched against the SA user policy.

Flow log interval

Interval for reporting user flow logs to the server. This field displays a hyphen (-) if no interval is configured.

Flow table aging time

Aging time of the service forwarding flow entries, in seconds.

User aging time

Aging time of the SA user entries, in seconds.

Redirect URL

Unified redirect URL. This field displays a hyphen (-) if no redirect URL is configured.

 

Related commands

sa flow-log interval

sa flow-table aging-time

sa match-packet max-number

sa qoe enable

sa qoe group-capacity

sa qoe polling-interval

sa redirect-url

sa user aging-time

display sa port mode

Use display sa port mode to display the port processing mode on the APA module.

Syntax

display sa port mode

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the port processing mode on the APA module.

<Sysname> display sa port mode

Interface         Mode

XGE3/1/1           Inline

XGE3/1/2           Bypass

Table 4 Command output

Field

Description

Interface

Name of the interface used to connect users.

Mode

Processing mode of user traffic directed to the APA module. Options include:

·     Bypass.

·     Inline.

 

Related commands

sa port mode

display sa qoe collector

Use display sa qoe collector to display user flow log information reported to servers.

Syntax

In standalone mode:

display sa qoe collector [ collector-id | load-balance-group group-name ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display sa qoe collector [ collector-id | load-balance-group group-name ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

collector-id: Specifies the server ID. The value range is 1 to 10.

load-balance-group group-name: Specifies a load balancing group by its name, a case-sensitive string of 1 to 31 characters.

slot slot-number: Specifies an SA card by its slot number. If you do not specify this option, this command displays information on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies an SA card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify this option, this command displays information on all cards. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

If no parameters are specified, the command displays user traffic log information on all servers.

Examples

# (In standalone mode.) Display user flow log information reported to the server in slot 2.

<Sysname> display sa qoe collector slot 2

Collector ID     : 1

 Group name      : abc

 Source IP       : 2.2.2.2

 Destination IP  : 4.4.4.4

 Destination port: 2000

 VPN instance    : vpn1

 -------------------------------------------------------------------------------

 Status     Tx_success   Success length (bytes)  Tx_failed    Failed length (bytes)

 Connecting 3            1000                    3            1000

 

Collector ID      : 2

  Group name      : abc

  Source IP       : 2.2.2.2

  Destination IP  : 4.4.4.4

  Destination port: 2001

  VPN instance    : vpn1

 -------------------------------------------------------------------------------

 Status     Tx_success   Success length (bytes)  Tx_failed    Failed length (bytes)

 Connecting 3            1000                    3            1000

Table 5 Command output

Field

Description

Collector ID

Server number.

Group name

Load balancing group name.

Source IP

Source IP address of the TCP packets that report user flow logs to the server.

Destination IP

Destination IP address of the TCP packets that report user flow logs to the server.

Destination Port

Destination port number of the TCP packets.

VPN instance

Name of the VPN instance to which the destination address belongs.

Status

Status of the TCP connection established with the server. Options include:

·     Connected.

·     Connecting.

Tx_success

Number of successfully sent log messages.

Success length

Length of successfully sent log messages, in bytes.

Tx_failed

Number of log messages that failed to be sent.

Failed length

Length of log messages that failed to be sent, in bytes.

 

Related commands

sa qoe collector
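
A collector that stays in Connecting state, or one with a growing Tx_failed count, means user flow logs are not reaching the server, which is a visibility gap a monitoring job should surface. The following Python is an added example, not H3C code: it parses the output layout shown above into per-collector records and returns alerts; the sample text is constructed, and the second collector is given a healthy Connected state to show both outcomes.

```python
# Constructed sample in the layout of "display sa qoe collector slot 2".
# Collector 1 is copied from the page's example; collector 2 is made up
# as a healthy counterpart (Connected, no failed sends).
SAMPLE_COLLECTORS = """\
Collector ID     : 1
 Group name      : abc
 Source IP       : 2.2.2.2
 Destination IP  : 4.4.4.4
 Destination port: 2000
 VPN instance    : vpn1
 -------------------------------------------------------------------------------
 Status     Tx_success   Success length (bytes)  Tx_failed    Failed length (bytes)
 Connecting 3            1000                    3            1000

Collector ID      : 2
  Group name      : abc
  Source IP       : 2.2.2.2
  Destination IP  : 4.4.4.4
  Destination port: 2001
  VPN instance    : vpn1
 -------------------------------------------------------------------------------
 Status     Tx_success   Success length (bytes)  Tx_failed    Failed length (bytes)
 Connected  120          48000                   0            0
"""


def parse_collectors(text):
    """Split the listing into one dict per 'Collector ID' block; the
    statistics row is folded into the dict with integer values."""
    collectors, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue  # blank separator or the dashed rule
        if line.startswith("Collector ID"):
            current = {}
            collectors.append(current)
        if current is None:
            continue
        if ":" in line:
            # "Key : value" line; the first colon ends the key, so IPv6
            # values with colons of their own are kept intact.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
        elif line.startswith("Status"):
            continue  # column header row
        else:
            status, tx_ok, ok_len, tx_fail, fail_len = line.split()
            current.update(
                Status=status,
                Tx_success=int(tx_ok),
                Success_length=int(ok_len),
                Tx_failed=int(tx_fail),
                Failed_length=int(fail_len),
            )
    return collectors


def check_collectors(collectors, max_failed_ratio=0.0):
    """Return (collector_id, reason) for every unhealthy export: a TCP
    session not in Connected state, or a failed-send ratio above the
    threshold (default: any failure at all)."""
    alerts = []
    for c in collectors:
        cid = c.get("Collector ID")
        status = c.get("Status")
        if status != "Connected":
            target = f"{c.get('Destination IP')}:{c.get('Destination port')}"
            alerts.append((cid, f"status {status} towards {target} "
                                f"(VPN instance {c.get('VPN instance')})"))
        failed = c.get("Tx_failed", 0)
        total = c.get("Tx_success", 0) + failed
        ratio = failed / total if total else 0.0
        if ratio > max_failed_ratio:
            alerts.append((cid, f"{failed} of {total} flow-log messages "
                                f"failed to send ({ratio:.0%})"))
    return alerts


if __name__ == "__main__":
    for cid, reason in check_collectors(parse_collectors(SAMPLE_COLLECTORS)):
        print(f"collector {cid}: {reason}")
```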

display sa redirect app-id

Use display sa redirect app-id to display the traffic redirecting behavior for traffic with the specified app ID.

Syntax

display sa redirect app-id [ app-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

app-id: Specifies the app ID assigned to an application after its traffic is identified on an APA card. App IDs include the following types:

·     App category ID (major ID) customized in the SA backend—The value range is 101 to 699.

·     App ID (minor ID) customized in the SA backend—The value range is 1000 to 6999.

·     App category ID (major ID) predefined in the SA backend—The value range is 700 to 999.

·     App ID (minor ID) predefined in the SA backend—The value range is 7000 to 65530.

If you do not specify this argument, this command displays traffic redirecting behaviors for application traffic with any app ID.

Examples

# Display the traffic redirecting behaviors for the application traffic with any app ID.

<Sysname> display sa redirect app-id

APP ID: 1

  Type: SRv6 Policy

  Endpoint: 1000::1

  Color: 10

  SID: 2000::2

  VPN name: -

 

APP ID: 2

  Type: VPN

  Endpoint: -

  Color: -

  SID: -

  VPN name: vpna

Table 6 Command output

Field

Description

APP ID

ID assigned to an application after its traffic is identified on the APA card.

Type

Traffic redirecting type:

·     SRv6 Policy—Redirects traffic to an SRv6 TE policy.

·     VPN—Redirects traffic to a VPN instance.

Endpoint

Destination node address of the SRv6 TE policy.

Color

Color attribute value of the SRv6 TE policy.

SID

Local SRv6 SID on the egress node of the SRv6 TE policy.

VPN name

Name of the VPN instance to which the traffic is redirected.

 

Related commands

sa app-id redirect

display sa signature version

Use display sa signature version to display the versions of the current predefined signature libraries.

Syntax

In standalone mode:

display sa signature { application | url } version [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display sa signature { application | url } version [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

application: Displays the version of the predefined application signature library.

url: Displays the version of the predefined URL signature library.

slot slot-number: Specifies an SA card by its slot number. If you do not specify this option, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies an SA card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify this option, this command displays entries on all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# Display the version of the current predefined application signature library.

<Sysname> display sa signature application version slot 2

Application signature version: 1.9.

# Display the version of the current predefined URL signature library.

<Sysname> display sa signature url version slot 2

URL signature version: 1.1.

Table 7 Command output

Field

Description

Application signature version

Version of the predefined application signature library.

URL signature version

Version of the predefined URL signature library.

 

display sa sort-url

Use display sa sort-url to display information about the custom URL signature library.

Syntax

display sa sort-url [ major-sort-id major-sort-id | minor-sort-id minor-sort-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

major-sort-id major-sort-id: Displays a custom major URL category specified by its ID (major ID). The value range for the major-sort-id argument is 1 to 999.

minor-sort-id minor-sort-id: Displays a custom minor URL category specified by its ID (minor ID). The value range for the minor-sort-id argument is 2001 to 9999.

Usage guidelines

If you do not specify any parameter, this command displays configuration information about all URL category IDs in the custom URL signature library.

Examples

# Display configuration information about all URL category IDs.

<Sysname> display sa sort-url

Major sort ID   : 1                   Major name: -

  Minor sort ID : 1000                Minor name: -

    Rule ID     : 3001                Exactmatch: N

    URL         : www.example1.com

  Minor sort ID : 1001                Minor name: -

    Rule ID     : 3002                Exactmatch: Y

    URL         : www.example2.com

 

Major sort ID   : 2                   Major name: -

  Minor sort ID : 2000                Minor name: -

    Rule ID     : 2001                Exactmatch: N

    URL         : www.example3.com

  Minor sort ID : 2001                Minor name: -

    Rule ID     : 2002                Exactmatch: Y

    URL         : www.example4.com

Table 8 Command output

Field

Description

Major sort ID

Custom major URL category ID.

Major name

Name of a major URL category.

Minor sort ID

Custom minor URL category ID.

Minor name

Name of a minor URL category.

Rule ID

Match rule ID of a custom application and packet signature.

Exactmatch

Whether to match a URL exactly:

·     Y—Exact URL match.

·     N—Fuzzy URL match.

URL

Uniform resource locator.

 

Related commands

sa-ctl sort-url

sa-ctl sort-url name

display sa user

Use display sa user to display information about online users on an APA card.

Syntax

In standalone mode:

display sa user [ { ipv4 ipv4-address [ mask-length ] | ipv6 ipv6-address [ prefix-length ] } [ vpn-instance vpn-instance-name ] | user-name user-name ] [ slot slot-number [ cpu cpu-number ] ]

display sa user [ { ipv4 | ipv6 } | { all-vpn-instance | public-instance | vpn-instance vpn-instance-name } ] * [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display sa user [ { ipv4 ipv4-address [ mask-length ] | ipv6 ipv6-address [ prefix-length ] } [ vpn-instance vpn-instance-name ] | user-name user-name ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

display sa user [ { ipv4 | ipv6 } | { all-vpn-instance | public-instance | vpn-instance vpn-instance-name } ] * [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4 ipv4-address [ mask-length ]: Displays the user with the specified IPv4 address. The ipv4-address argument represents the user's IPv4 address, and the mask-length argument represents the mask length of the IPv4 address, in the range of 0 to 32. If you specify the mask-length argument, this option represents all users in the IPv4 address mask range. If you do not specify the mask-length argument, this option represents a user with the unique IPv4 address. If you do not specify the ipv4-address argument, users of all IPv4 addresses are specified. If you do not specify the ipv4 or ipv6 keyword, users of all IPv4 addresses and IPv6 addresses are specified.

ipv6 ipv6-address [ prefix-length ]: Displays the user with the specified IPv6 address. The ipv6-address argument represents the user's IPv6 address, and the prefix-length argument represents the prefix length of the IPv6 address, in the range of 0 to 128. If you specify the prefix-length argument, this option represents all users in the IPv6 address prefix range. If you do not specify the prefix-length argument, this option represents a user with the unique IPv6 address. If you do not specify the ipv6-address argument, users of all IPv6 addresses are specified. If you do not specify the ipv4 or ipv6 keyword, users of all IPv4 addresses and IPv6 addresses are specified.

all-vpn-instance: Specifies all VPN instance users. If you do not specify the all-vpn-instance, public-instance, or vpn-instance keyword, this command displays all users.

public-instance: Displays all public network users. If you do not specify the all-vpn-instance, public-instance, or vpn-instance keyword, this command displays all users.

vpn-instance vpn-instance-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify the all-vpn-instance, public-instance, or vpn-instance keyword, this command displays all users.

user-name user-name: Specifies an online user by the username, a case-sensitive string of 1 to 31 characters.

slot slot-number: Specifies a card by its slot number. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

A user is registered and comes online on an APA card in the following process:

1.     After the user passes authentication and starts generating traffic, the traffic is directed to the APA card for processing and analysis. At this point, the user information is recorded and the user comes online on the APA card. The BRAS APA card maintains and generates the SA user table.

2.     According to the configuration, the SA backend binds SA user policies to some users as needed, while other users do not have bound SA user policies.

¡     For an online user bound to SA user policies, the APA card analyzes and identifies different traffic. Based on the identification results, the APA card matches user traffic with the bound SA user policies. If successful matches exist, the APA card generates a flow table based on the SA user policies. The APA card forwards user traffic according to the processing policies defined in the SA user policies (the SA user policy flow table). If no SA user policy is matched, the APA card generates a normal flow table without SA user policies and forwards packets without any operation.

¡     For online users without bound SA user policies, the APA card does not execute the SA user policies or generate any flow tables. Instead, the APA card forwards the traffic as per the normal process.

Therefore, based on whether a user has bound SA user policies and whether the user is online, users on APA cards are divided into the following types:

·     If a user has SA user policies bound and is online, both the display sa user and display sa user policy commands can display information about this user.

·     If a user has SA user policies bound but is offline (does not generate service traffic), only the display sa user policy command can display information about this user.

·     If a user has no SA user policies bound but is online, only the display sa user command can display information about this user.

·     If a user is offline (does not generate service traffic) and has no SA user policies bound, information about this user will not be displayed.

If you do not specify any parameter, this command displays information about all online users.

Examples

# Display information about online users on all APA cards.

<Sysname> display sa user

User address : 1.1.1.1

VPN instance : -

User name    : abc

User access  : slot 2

 

User address : 2.2.2.2

VPN instance : -

User name    : abc

User access  : slot 2

  Accelerate policy           : AppAccel

    APP ID                    : 3

    APP ID                    : 10

    APP ID                    : 30

  Mirror policy               : AppMirror

    APP ID                    : 4

      Inbound mirror          : 201         Outbound mirror          : 202

    APP ID                    : 40

      Inbound mirror          : 201         Outbound mirror          : -

  Flow control policy         : AppControl

    APP ID                    : 5

      Inbound CIR(kbps)       : 131231      Inbound CBS(byte)        : 1239123

    APP ID                    : 50

      Inbound connection limit: 1020        Outbound connection limit: -

    APP ID                    : 51

      Drop                    : Y

    APP ID                    : 52

      Inbound remark DSCP     : 10          Outbound remark DSCP     : -

  URL sorting policy          : UrlSort

    Sorturl ID                : 6           Action                   : Drop

  URL policy                  : Url

    URL                       : https://www.baidu.com/

    Action                    : Redirect    Exactmatch               : Y

  URL whiteList policy        : WhiteList

    URL                       : https://www.baidu.com/

    Exactmatch                : N

Table 9 Command output

Field

Description

User address

IPv4 address/mask length or IPv6 address/prefix length that an access user obtains after the user passes authentication and comes online.

VPN instance

Name of the VPN instance to which the user belongs.

User name

Name of the online user.

User access

Card and chassis of the access user.

Accelerate policy

Name of the SA user policy with app ID-based traffic acceleration.

Mirror policy

Name of the SA user policy with app ID-based traffic mirroring.

Inbound mirror

ID of an inbound traffic mirroring group.

Outbound mirror

ID of an outbound traffic mirroring group.

Flow control policy

Name of the SA user policy with app ID-based traffic control.

Inbound CIR(kbps)

Committed information rate in kbps for controlling the inbound user traffic on the interface connecting to the user.

Inbound CBS(byte)

Committed burst size in bytes for controlling the inbound user traffic on the interface connecting to the user.

Outbound CIR(kbps)

Committed information rate in kbps for controlling the outbound user traffic on the interface connecting to the user.

Outbound CBS(byte)

Committed burst size in bytes for controlling the outbound user traffic on the interface connecting to the user.

Inbound connection limit

Limit on the number of connections for inbound traffic identified by an app ID on the interface connecting to the user.

Outbound connection limit

Limit on the number of connections for outbound traffic identified by an app ID on the interface connecting to the user.

Inbound remark DSCP

DSCP value marked for inbound traffic on the interface connecting to the user.

Outbound remark DSCP

DSCP value marked for outbound traffic on the interface connecting to the user.

Drop

Whether to drop traffic with the specified app ID. Options include:

·     Y—Drops traffic with the specified app ID.

·     Hyphen (-)—Does not drop traffic with the specified app ID.

URL sorting policy

Name of the SA user policy with URL category ID-based traffic control.

Sorturl ID

URL category ID.

Action

Action in the SA user policy with URL category ID-based traffic control:

·     Drop—Drops traffic.

·     Redirect—Redirects traffic.

URL policy

Name of the SA user policy with URL-based traffic control.

Action

Action in the SA user policy with URL-based traffic control:

·     Drop—Drops traffic.

·     Redirect—Redirects traffic.

Exactmatch

Whether to match a URL exactly:

·     Y—Exact URL match.

·     N—Fuzzy URL match. A packet matches only if its application layer information contains the specified URL field.

URL whiteList policy

Name of the SA user policy with the URL allowlist.

URL

Specified allowlisted URL.

Exactmatch

Whether to match a URL exactly:

·     Y—Exact URL match.

·     N—Fuzzy URL match. A packet matches only if its application layer information contains the specified URL field.
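
Because the usage guidelines above say that only display sa user reveals which policies are actually applied to online users, an audit of sensitive actions (traffic mirroring in particular) has to work from this command's output. The following Python is an added example, not H3C code: it parses the indented per-user listing into users, policies and entries, then lists every online user whose traffic is copied to a mirroring group. The sample text is constructed in the page's output layout with the URL changed to example.com.

```python
import re

# Constructed sample in the layout of "display sa user" (not captured from a device).
SAMPLE_SA_USERS = """\
User address : 1.1.1.1
VPN instance : -
User name    : abc
User access  : slot 2

User address : 2.2.2.2
VPN instance : -
User name    : abc
User access  : slot 2
  Accelerate policy           : AppAccel
    APP ID                    : 3
    APP ID                    : 10
  Mirror policy               : AppMirror
    APP ID                    : 4
      Inbound mirror          : 201         Outbound mirror          : 202
    APP ID                    : 40
      Inbound mirror          : 201         Outbound mirror          : -
  Flow control policy         : AppControl
    APP ID                    : 5
      Inbound CIR(kbps)       : 131231      Inbound CBS(byte)        : 1239123
    APP ID                    : 51
      Drop                    : Y
  URL policy                  : Url
    URL                       : https://www.example.com/
    Action                    : Redirect    Exactmatch               : Y
"""

# "Key : value" pairs; the key may contain parentheses ("Inbound CIR(kbps)"),
# and a value stops at a run of two or more spaces so "slot 2" stays whole.
PAIR_RE = re.compile(r"([A-Za-z][^:]*?)\s*:\s*(\S+(?: \S+)*)")

# Keys that open a new entry under a policy (indent 4 in the listing).
ENTRY_KEYS = {"APP ID", "Sorturl ID", "URL"}


def parse_sa_users(text):
    """Build [{user fields..., "policies": [{"type", "name", "entries": [...]}]}]
    from the indentation levels of the listing: 0 = user, 2 = policy,
    4 = entry (APP ID / Sorturl ID / URL), deeper or following lines = entry attributes."""
    users, user, policy, entry = [], None, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        kv = [(k.strip(), v) for k, v in PAIR_RE.findall(line)]
        if not kv:
            continue
        first_key = kv[0][0]
        if indent == 0:
            if first_key == "User address":
                user = {"policies": []}
                users.append(user)
            if user is not None:
                user.update(kv)
        elif indent == 2 and user is not None:
            policy = {"type": first_key, "name": kv[0][1], "entries": []}
            user["policies"].append(policy)
            entry = None
        elif first_key in ENTRY_KEYS and policy is not None:
            entry = dict(kv)
            policy["entries"].append(entry)
        elif entry is not None:
            entry.update(kv)
    return users


def mirrored_traffic(users):
    """Rows of (user address, user name, app ID, inbound group, outbound group)
    for every user whose traffic is copied to a mirroring group."""
    rows = []
    for u in users:
        for p in u["policies"]:
            if p["type"] != "Mirror policy":
                continue
            for e in p["entries"]:
                rows.append((u["User address"], u["User name"], e["APP ID"],
                             e.get("Inbound mirror", "-"), e.get("Outbound mirror", "-")))
    return rows


if __name__ == "__main__":
    for row in mirrored_traffic(parse_sa_users(SAMPLE_SA_USERS)):
        print("mirrored: address=%s user=%s app=%s in=%s out=%s" % row)
```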

 

display sa user count

Use display sa user count to display the number of online users on an APA card.

Syntax

In standalone mode:

display sa user count [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display sa user count [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# (In standalone mode.) Display the online user count statistics for the APA card in slot 1.

<Sysname> display sa user count slot 1

 

Slot 1

IPv4 total online users              : 500

IPv4 users with SA policy            : 60

IPv4 users with accelerate policy    : 10

IPv4 users with mirror policy        : 10

IPv4 users with flow control policy  : 10

IPv4 users with URL sorting policy   : 10

IPv4 users with URL policy           : 10

IPv4 users with URL whitelist policy : 10

IPv4 failed online attempts          : 10

 

IPv6 total online users              : 500

IPv6 users with SA policy            : 60

IPv6 users with accelerate policy    : 10

IPv6 users with mirror policy        : 10

IPv6 users with flow control policy  : 10

IPv6 users with URL sorting policy   : 10

IPv6 users with URL policy           : 10

IPv6 users with URL whitelist policy : 10

IPv6 failed online attempts          : 10

Table 10 Command output

Field

Description

IPv4 total online users

Total number of online users with IPv4 addresses.

IPv4 users with SA policy

Number of users with IPv4 addresses bound to the SA user policy.

IPv4 users with accelerate policy

Number of users with IPv4 addresses bound to the SA user policy with app ID-based traffic acceleration.

IPv4 users with mirror policy

Number of users with IPv4 addresses bound to the SA user policy with app ID-based traffic mirroring.

IPv4 users with flow control policy

Number of users with IPv4 addresses bound to the SA user policy with app ID-based traffic control.

IPv4 users with URL sorting policy

Number of users with IPv4 addresses bound to the SA user policy with URL category ID-based traffic control.

IPv4 users with URL policy

Number of users with IPv4 addresses bound to the SA user policy with URL-based traffic control.

IPv4 users with URL whitelist policy

Number of users with IPv4 addresses bound to the SA user policy with the URL allowlist.

IPv4 failed online attempts

Number of IPv4 user login failures.

IPv6 total online users

Total number of online users with IPv6 addresses.

IPv6 users with SA policy

Number of users with IPv6 addresses bound to SA user policies.

IPv6 users with accelerate policy

Number of users with IPv6 addresses bound to the SA user policy with app ID-based traffic acceleration.

IPv6 users with mirror policy

Number of users with IPv6 addresses bound to the SA user policy with app ID-based traffic mirroring.

IPv6 users with flow control policy

Number of users with IPv6 addresses bound to the SA user policy with app ID-based traffic control.

IPv6 users with URL sorting policy

Number of users with IPv6 addresses bound to the SA user policy with URL category ID-based traffic control.

IPv6 users with URL policy

Number of users with IPv6 addresses bound to the SA user policy with URL-based traffic control.

IPv6 users with URL whitelist policy

Number of users with IPv6 addresses bound to the SA user policy with the URL allowlist.

IPv6 failed online attempts

Number of IPv6 user login failures.

 

display sa user policy

Use display sa user policy to display information about users with bound SA user policies.

Syntax

In standalone mode:

display sa user policy [ { ipv4 ipv4-address [ mask-length ] | ipv6 ipv6-address [ prefix-length ] } [ vpn-instance vpn-instance-name ] | user-name user-name ] [ slot slot-number [ cpu cpu-number ] ]

display sa user policy [ { ipv4 | ipv6 } | { all-vpn-instance | public-instance | vpn-instance vpn-instance-name } ] * [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display sa user policy [ { ipv4 ipv4-address [ mask-length ] | ipv6 ipv6-address [ prefix-length ] } [ vpn-instance vpn-instance-name ] | user-name user-name ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

display sa user policy [ { ipv4 | ipv6 } | { all-vpn-instance | public-instance | vpn-instance vpn-instance-name } ] * [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4 ipv4-address [ mask-length ]: Displays the user with the specified IPv4 address. The ipv4-address argument represents the user's IPv4 address, and the mask-length argument represents the mask length of the IPv4 address, in the range of 0 to 32. If you specify the mask-length argument, this option represents all users in the IPv4 address mask range. If you do not specify the mask-length argument, this option represents a user with the unique IPv4 address. If you do not specify the ipv4-address argument, users of all IPv4 addresses are specified. If you do not specify the ipv4 or ipv6 keyword, users of all IPv4 addresses and IPv6 addresses are specified.

ipv6 ipv6-address [ prefix-length ]: Displays the user with the specified IPv6 address. The ipv6-address argument represents the user's IPv6 address, and the prefix-length argument represents the prefix length of the IPv6 address, in the range of 0 to 128. If you specify the prefix-length argument, this option represents all users in the IPv6 address prefix range. If you do not specify the prefix-length argument, this option represents a user with the unique IPv6 address. If you do not specify the ipv6-address argument, users of all IPv6 addresses are specified. If you do not specify the ipv4 or ipv6 keyword, users of all IPv4 addresses and IPv6 addresses are specified.

all-vpn-instance: Specifies all VPN instance users. If you do not specify the all-vpn-instance, public-instance, or vpn-instance keyword, this command displays all users.

public-instance: Displays all public network users. If you do not specify the all-vpn-instance, public-instance, or vpn-instance keyword, this command displays all users.

vpn-instance vpn-instance-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify the all-vpn-instance, public-instance, or vpn-instance keyword, this command displays all users.

user-name user-name: Specifies an online user by the username, a case-sensitive string of 1 to 31 characters.

slot slot-number: Specifies a card by its slot number. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

A user is registered and comes online on an APA card in the following process:

1.     After the user completes authentication and starts generating traffic, the traffic is directed to the APA card for processing and analysis. At this point, the user information is recorded and the user comes online on the APA card. The BRAS APA card maintains and generates the SA user table. In the SA user table, an online user is uniquely identified by its IP address and the name of the VPN instance to which the user belongs.

2.     According to the configuration, the SA backend binds SA user policies to some users as needed, while other users do not have bound SA user policies.

¡     For an online user bound to SA user policies, the APA card analyzes and identifies the different types of traffic. Based on the identification results, the APA card matches user traffic with the bound SA user policies. If successful matches exist, the APA card generates a flow table based on the SA user policies (the SA user policy flow table) and forwards user traffic according to the processing policies defined in the SA user policies. If no SA user policy is matched, the APA card generates a normal flow table without SA user policies and forwards packets without any operation.

¡     For online users without bound SA user policies, the APA card does not execute the SA user policies or generate any flow tables. Instead, the APA card forwards the traffic as per the normal process.

Therefore, based on whether a user has bound SA user policies and whether the user is online, users on the APA card are divided into the following types:

·     If a user has SA user policies bound and is online, both the display sa user and display sa user policy commands can display information about this user.

·     If a user has SA user policies bound but is offline (does not generate service traffic), only the display sa user policy command can display information about this user.

·     If a user has no SA user policies bound but is online, only the display sa user command can display information about this user.

·     If a user is offline (does not generate service traffic) and has no SA user policies bound, information about this user will not be displayed.

If you do not specify any parameter, this command displays information about all users with bound SA user policies.

Examples

# Display information about all users with bound SA user policies.

<Sysname> display sa user policy

User address : 1.1.1.0/24

VPN instance : -

User name    : abc

  Accelerate policy           : AppAccel

    APP ID                    : 3

    APP ID                    : 10

    APP ID                    : 30

  Mirror policy               : AppMirror

    APP ID                    : 4

      Inbound mirror          : 201         Outbound mirror          : 202

    APP ID                    : 40

      Inbound mirror          : 201         Outbound mirror          : -

  Flow control policy         : AppControl

    APP ID                    : 5

      Inbound CIR(kbps)       : 131231      Inbound CBS(byte)        : 1239123

    APP ID                    : 50

      Inbound connection limit: 1020        Outbound connection limit: -

    APP ID                    : 51

      Drop                    : Y

    APP ID                    : 52

      Inbound remark DSCP     : 10          Outbound remark DSCP     : -

  URL sorting policy          : UrlSort

    Sorturl ID                : 6           Action                   : Drop

  URL policy                  : Url

    URL                       : https://www.baidu.com/

    Action                    : Redirect    Exactmatch               : Y

  URL whiteList policy        : WhiteList

    URL                       : https://www.baidu.com/

    Exactmatch                : N

Table 11 Command output

Field

Description

User address

IPv4 address/mask length or IPv6 address/prefix length that an access user obtains after the user passes authentication and comes online.

VPN instance

Name of the VPN instance to which the user belongs.

User name

Name of the online user.

Accelerate policy

Name of the SA user policy with app ID-based traffic acceleration.

APP ID

App ID.

Mirror policy

Name of the SA user policy with app ID-based traffic mirroring.

Inbound mirror

ID of an inbound traffic mirroring group.

Outbound mirror

ID of an outbound traffic mirroring group.

Flow control policy

Name of the SA user policy with app ID-based traffic control.

Inbound CIR(kbps)

Committed information rate in kbps for controlling the inbound user traffic on the interface connecting to the user.

Inbound CBS(byte)

Committed burst size in bytes for controlling the inbound user traffic on the interface connecting to the user.

Outbound CIR(kbps)

Committed information rate in kbps for controlling the outbound user traffic on the interface connecting to the user.

Outbound CBS(byte)

Committed burst size in bytes for controlling the outbound user traffic on the interface connecting to the user.

Inbound connection limit

Limit on the number of connections for inbound traffic identified by an app ID on the interface connecting to the user.

Outbound connection limit

Limit on the number of connections for outbound traffic identified by an app ID on the interface connecting to the user.

Inbound remark DSCP

DSCP value marked for inbound traffic on the interface connecting to the user.

Outbound remark DSCP

DSCP value marked for outbound traffic on the interface connecting to the user.

Drop

Whether to drop traffic with the specified app ID. Options include:

·     Y—Drops traffic with the specified app ID.

·     Hyphen (-)—Does not drop traffic with the specified app ID.

URL sorting policy

Name of the SA user policy with URL category ID-based traffic control.

Sorturl ID

URL category ID.

Action

Action in the SA user policy with URL category ID-based traffic control:

·     Drop—Drops traffic.

·     Redirect—Redirects traffic.

URL policy

Name of the SA user policy with URL-based traffic control.

URL

Specified URL.

Action

Action in the SA user policy with URL-based traffic control:

·     Drop—Drops traffic.

·     Redirect—Redirects traffic.

Exactmatch

Whether to match a URL exactly:

·     Y—Exact URL match.

·     N—Fuzzy URL match. A packet matches only if its application layer information contains the specified URL field.

URL whiteList policy

Name of the SA user policy with the URL allowlist.

URL

Specified allowlisted URL.

Exactmatch

Whether to match a URL exactly:

·     Y—Exact URL match.

·     N—Fuzzy URL match. A packet matches only if its application layer information contains the specified URL field.
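The output above is laid out for an operator to read, and checking many users by eye is error-prone. The following Python script is an added example, not part of the H3C reference or product: it parses display sa user policy output into per-user records using the field layout in Table 11, then lists two things a reviewer usually wants to see, allowlist URLs that are matched fuzzily (Exactmatch N) and app IDs whose traffic is copied to a mirroring group. The sample output is constructed for the example (the addresses, user names and IDs are made up), and the script assumes the output is pasted verbatim with its column alignment intact.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the display sa user policy output format;
# addresses, names and IDs are made up for this example.
SAMPLE_OUTPUT = """\
User address : 1.1.1.0/24
VPN instance : -
User name    : abc
  Accelerate policy           : AppAccel
    APP ID                    : 3
    APP ID                    : 10
  Mirror policy               : AppMirror
    APP ID                    : 4
      Inbound mirror          : 201         Outbound mirror          : 202
    APP ID                    : 40
      Inbound mirror          : 201         Outbound mirror          : -
  Flow control policy         : AppControl
    APP ID                    : 5
      Inbound CIR(kbps)       : 131231      Inbound CBS(byte)        : 1239123
    APP ID                    : 50
      Inbound connection limit: 1020        Outbound connection limit: -
    APP ID                    : 51
      Drop                    : Y
  URL sorting policy          : UrlSort
    Sorturl ID                : 6           Action                   : Drop
  URL policy                  : Url
    URL                       : https://www.example.com/
    Action                    : Redirect    Exactmatch               : Y
  URL whiteList policy        : WhiteList
    URL                       : https://www.example.com/
    Exactmatch                : N
User address : 2001:db8::10/128
VPN instance : vpn1
User name    : def
  Flow control policy         : AppControl
    APP ID                    : 51
      Drop                    : Y
"""

# One "Field : value" pair; a line may carry two pairs side by side.
PAIR_RE = re.compile(r"(\S[^:]*?)\s*:\s*(\S+)")
POLICY_KEYS = {"Accelerate policy", "Mirror policy", "Flow control policy",
               "URL sorting policy", "URL policy", "URL whiteList policy"}
RULE_KEYS = {"APP ID", "Sorturl ID", "URL"}   # each of these starts a new rule


@dataclass
class Policy:
    kind: str                                   # policy type as printed
    name: str                                   # policy name from the SA backend
    rules: list = field(default_factory=list)   # one dict per rule entry


@dataclass
class SaUser:
    address: str                                # IPv4/mask or IPv6/prefix
    vpn_instance: str = "-"
    user_name: str = ""
    policies: list = field(default_factory=list)


def parse_sa_user_policy(output):
    """Parse display sa user policy output into a list of SaUser objects."""
    users, user, policy, rule = [], None, None, None
    for line in output.splitlines():
        for key, value in PAIR_RE.findall(line):
            key = key.strip()
            if key == "User address":            # a new user block begins
                user = SaUser(address=value)
                users.append(user)
                policy = rule = None
            elif key == "VPN instance":
                user.vpn_instance = value
            elif key == "User name":
                user.user_name = value
            elif key in POLICY_KEYS:             # a new policy under this user
                policy = Policy(kind=key, name=value)
                user.policies.append(policy)
                rule = None
            elif key in RULE_KEYS:               # a new rule under this policy
                rule = {key: value}
                policy.rules.append(rule)
            elif rule is not None:               # attribute of the current rule
                rule[key] = value
    return users


def fuzzy_allowlist_entries(users):
    """(address, policy, URL) for allowlist entries with Exactmatch N."""
    return [(u.address, p.name, r.get("URL"))
            for u in users for p in u.policies if p.kind == "URL whiteList policy"
            for r in p.rules if r.get("Exactmatch") == "N"]


def mirrored_app_ids(users):
    """(address, app ID, inbound group, outbound group) for every mirrored app ID."""
    return [(u.address, r["APP ID"], r.get("Inbound mirror", "-"), r.get("Outbound mirror", "-"))
            for u in users for p in u.policies if p.kind == "Mirror policy" for r in p.rules]


if __name__ == "__main__":
    parsed = parse_sa_user_policy(SAMPLE_OUTPUT)
    print("fuzzy allowlist entries:", fuzzy_allowlist_entries(parsed))
    print("mirrored app IDs:", mirrored_app_ids(parsed))
```

A fuzzy allowlist entry matches any packet whose application-layer data merely contains the URL string, which is broader than an operator may intend, so those rows deserve a second look. The mirror rows record which users' application traffic is being copied to a mirroring group, which is worth keeping in an inventory for privacy and change-control review.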

 

display sa user-policy

Use display sa user-policy to display SA user policy information.

Syntax

In standalone mode:

display sa user-policy { accelerate | control | mirror | sort-url | url | whitelist-url } [ name name ] [ slot slot-number [ cpu cpu-number ] ]

In IRF mode:

display sa user-policy { accelerate | control | mirror | sort-url | url | whitelist-url } [ name name ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

accelerate: Specifies an SA user policy with app ID-based traffic acceleration.

control: Specifies an SA user policy with app ID-based traffic control.

mirror: Specifies an SA user policy with app ID-based traffic mirroring.

sort-url: Specifies an SA user policy with URL category ID-based traffic control.

url: Specifies an SA user policy with URL-based traffic control.

whitelist-url: Specifies an SA user policy with the URL allowlist.

name name: Specifies an SA user policy by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, this command displays information about SA user policies with any name.

slot slot-number: Specifies a card by its slot number. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Examples

# Display information about the SA user policy named abc for app ID-based traffic acceleration.

<Sysname> display sa user-policy accelerate name abc

Accelerate policy   : abc                  Create time     : 2024-04-15 20:17:22

Referenced times    : 511                  Rule number     : 3

  APP ID            : 11                   Major           : T

  APP ID            : 19                   Major           : T

  APP ID            : 21                   Major           : T

# Display information about the SA user policy named ddd for app ID-based traffic mirroring.

<Sysname> display sa user-policy mirror name ddd

Mirror policy       : ddd                   Create time     : 2024-04-15 20:17:22

Referenced times    : 211                   Rule number     : 2

  APP ID            : 773                   Major           : T

  Inbound mirror    : 123                   Outbound mirror : 123

  APP ID            : 666                   Major           : T

  Inbound mirror    : 123                   Outbound mirror : -

# Display information about the SA user policy named ddd for app ID-based traffic control.

<Sysname> display sa user-policy control name ddd

Flow control policy       : ddd         

Create time               : 2024-04-15 20:17:22

Referenced times          : 1            Rule number              : 2

  APP ID                  : 773          Major                    : T

  Inbound CIR(kbps)       : 1231313      Inbound CBS(byte)        : 123

  APP ID                  : 666          Major                    : T

  Inbound connection limit: 123          Outbound connection limit: 123

  APP ID                  : 774          Major                    : T

  Inbound remark DSCP     : 10           Outbound remark DSCP     : 10

  APP ID                  : 775          Major                    : T

  Drop                    : -

# Display information about the SA user policy named ddd for URL category ID-based traffic control.

<Sysname> display sa user-policy sort-url name ddd

URL sorting policy  : ddd                   Create time     : 2024-04-15 20:17:22

Referenced times    : 1                     Rule number     : 2

  Sorturl ID        : 3                     Action          : Drop

  Sorturl ID        : 4                     Action          : Redirect

# Display information about the SA user policy named ddd for URL-based traffic control.

<Sysname> display sa user-policy url name ddd

URL policy          : ddd                   Create time     : 2024-04-15 20:17:22

Referenced times    : 1                     Rule number     : 1

  URL               : https://www.example.com/

  Action            : Redirect              Exactmatch      : Y

# Display information about the SA user policy named ddd for the URL allowlist.

<Sysname> display sa user-policy whitelist-url name ddd

URL whiteList policy: ddd                   Create time     : 2024-04-15 20:17:22

Referenced times    : 1                     Rule number     : 1

  URL               : https://www.example.com/

  Exactmatch        : Y

Table 12 Command output

Field

Description

Create time

Time when the SA user policy was created.

Referenced times

Number of times the SA user policy was referenced by online users.

Rule number

Number of app ID, URL category ID, or URL entries in the SA user policy.

Accelerate policy

Name of the SA user policy with app ID-based traffic acceleration.

Major

Whether the app ID is a major ID:

·     T—The app ID is a major ID.

·     F—The app ID is a minor ID rather than a major ID.

Mirror policy

Name of the SA user policy with app ID-based traffic mirroring.

Inbound mirror

ID of an inbound traffic mirroring group.

Outbound mirror

ID of an outbound traffic mirroring group.

Flow control policy

Name of the SA user policy with app ID-based traffic control.

Inbound CIR(kbps)

Committed information rate in kbps for controlling the inbound user traffic on the interface connecting to the user.

Inbound CBS(byte)

Committed burst size in bytes for controlling the inbound user traffic on the interface connecting to the user.

Outbound CIR(kbps)

Committed information rate in kbps for controlling the outbound user traffic on the interface connecting to the user.

Outbound CBS(byte)

Committed burst size in bytes for controlling the outbound user traffic on the interface connecting to the user.

Inbound connection limit

Limit on the number of connections for inbound traffic identified by an app ID on the interface connecting to the user.

Outbound connection limit

Limit on the number of connections for outbound traffic identified by an app ID on the interface connecting to the user.

Inbound remark DSCP

DSCP value marked for inbound traffic on the interface connecting to the user.

Outbound remark DSCP

DSCP value marked for outbound traffic on the interface connecting to the user.

Drop

Whether to drop traffic with the specified app ID. Options include:

·     Y—Drops traffic with the specified app ID.

·     Hyphen (-)—Does not drop traffic with the specified app ID.

URL sorting policy

Name of the SA user policy with URL category ID-based traffic control.

Sorturl ID

URL category ID.

Action

Action in the SA user policy with URL category ID-based traffic control:

·     Drop—Drops traffic.

·     Redirect—Redirects traffic.

URL policy

Name of the SA user policy with URL-based traffic control.

URL

Specified URL.

Action

Action in the SA user policy with URL-based traffic control:

·     Drop—Drops traffic.

·     Redirect—Redirects traffic.

Exactmatch

Whether to match a URL exactly:

·     Y—Exact URL match.

·     N—Fuzzy URL match. A packet matches only if its application layer information contains the specified URL field.

URL whiteList policy

Name of the SA user policy with the URL allowlist.

URL

Specified allowlisted URL.

Exactmatch

Whether to match a URL exactly:

·     Y—Exact URL match.

·     N—Fuzzy URL match. A packet matches only if its application layer information contains the specified URL field.

 

Related commands

sa-ctl accelerate-policy add

sa-ctl accelerate-policy delete

sa-ctl control-policy add

sa-ctl control-policy delete

sa-ctl mirror-policy add

sa-ctl mirror-policy delete

sa-ctl sort-url-policy add

sa-ctl sort-url-policy delete

sa-ctl url-policy add

sa-ctl url-policy delete

sa-ctl whitelist-url-policy add

sa-ctl whitelist-url-policy delete

reset sa qoe collector statistic

Use reset sa qoe collector statistic to clear user flow log statistics reported to servers.

Syntax

reset sa qoe collector statistic

Views

User view

Predefined user roles

network-admin

network-operator

Examples

# Clear user flow log statistics reported to servers.

<Sysname> reset sa qoe collector statistic

Related commands

display sa qoe collector

sa qoe collector

sa app-id redirect

Use sa app-id redirect to redirect traffic with the specified app ID.

Use undo sa app-id to cancel redirecting traffic with the specified app ID.

Syntax

sa app-id app-id redirect { srv6-policy endpoint color [ sid sid ] | vpn-instance vpn-instance-name }

undo sa app-id app-id

Default

Traffic with the specified app ID is not redirected.

Views

SA node view

Predefined user roles

network-admin

Parameters

app-id: Specifies the app ID assigned to an application after its traffic is identified on an APA card. App IDs include the following types:

·     App category ID (major ID) customized in the SA backend—The value range is 1 to 699.

·     App ID (minor ID) customized in the SA backend—The value range is 1000 to 6999.

·     App category ID (major ID) predefined in the SA backend—The value range is 700 to 999.

·     App ID (minor ID) predefined in the SA backend—The value range is 7000 to 65530.

srv6-policy endpoint color: Redirects traffic from the application with the specified ID to the specified IPv6 Segment Routing Traffic Engineering (SRv6 TE) policy. The endpoint argument represents the destination node address of the SRv6 TE policy, in the IPv6 address format. The color argument specifies the color attribute value of the SRv6 TE policy, in the range of 0 to 4294967295.

sid sid: Specifies the SRv6 segment ID (SID) to be added to the Segment Routing Header (SRH) for packet encapsulation, which is located after the SID list in the SRv6 TE policy. After the packets are forwarded to the egress node, the egress node continues to forward the packets and takes the forwarding action based on the SRv6 SID. For example, the SRv6 SID is an End.DT4 SID on the egress node of the SRv6 TE policy. When traffic reaches the egress node, the egress node decapsulates the outer IPv6 packets according to the End.DT4 SID forwarding behavior, and then looks up the IPv4 VPN instance routing table to forward the packets to the matching VPN. If you do not specify this option, traffic is forwarded to the egress node based only on the SRv6 TE policy.

vpn-instance vpn-instance-name: Redirects traffic from the application with the specified ID to a VPN instance specified by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

Prerequisites

For traffic redirecting or acceleration to operate correctly for traffic with the specified app IDs, make sure the following conditions are met:

·     Execute the sa port mode command to direct traffic to the APA card for application identification.

·     Execute the sa-ctl accelerate-policy add command. Make sure the app ID specified by using the sa app-id redirect command belongs to the SA user policy with app ID-based traffic acceleration.

·     Make sure the SA backend has deployed an SA user policy with app ID-based traffic acceleration for online users.

Operating mechanism

Execute this command to redirect the traffic of the application with the specified app ID to either of the following destinations for forwarding:

·     The specified SRv6 TE policy.

·     The specified VPN instance, where the traffic is forwarded through looking up the routes in the local VPN instance routing table.

Restrictions and guidelines

If you execute the sa app-id redirect command multiple times for traffic with the same app ID, the most recent configuration takes effect.

The traffic redirection behavior of a dual-stack user depends on the type of the specified SRv6 SID on the egress node:

·     End.DT4 SID—Redirects IPv4 traffic only.

·     End.DT6 SID—Redirects IPv6 traffic only.

·     End.DT46 SID—Redirects both IPv4 and IPv6 traffic.

Examples

# Redirect traffic from the application with app ID 1 to the SRv6 TE policy with the following attributes:

·     Destination node at IPv6 address 1000::1.

·     Color attribute 10.

·     SRv6 SID 2000::2 on the egress node of the SRv6 TE policy.

<Sysname> system-view

[Sysname] sa node 199

[Sysname-sa-node-199] sa app-id 1 redirect srv6-policy 1000::1 10 sid 2000::2

Related commands

display sa redirect app-id

sa-ctl accelerate-policy add

sa engine bypass

Use sa engine bypass to configure traffic to bypass the APA card.

Use undo sa engine bypass to restore the default.

Syntax

sa engine bypass

undo sa engine bypass

Default

Traffic is not configured to bypass the APA card. Whether traffic passes through the APA card depends on the configuration of the sa port mode command.

Views

SA node view

Predefined user roles

network-admin

Usage guidelines

If you have executed the sa port mode command to direct traffic to the APA card for processing, and the APA card fails because of a hardware issue or a software error from which it does not recover automatically, restoring services quickly takes priority. To do that, use the sa engine bypass command to configure traffic to bypass the APA card and skip its processing.

After you execute the sa engine bypass command, the executed sa port mode command will not take effect.

Examples

# Configure traffic to bypass the APA card and skip its processing.

<Sysname> system-view

[Sysname] sa node 199

[Sysname-sa-node-199] sa engine bypass

The traffic will bypass the APA board and continue to forward, confirm [Y/N]:y

Related commands

display sa node

sa engine min-engine

Use sa engine min-engine to configure the minimum number of CPUs required by the iBRAS SA feature.

Use undo sa engine min-engine to restore the default.

Syntax

sa engine min-engine number

undo sa engine min-engine

Default

The system does not set the minimum number of CPUs required by iBRAS SA, and the APA card with any number of CPUs can support iBRAS SA.

Views

SA node view

Predefined user roles

network-admin

Parameters

number: Specifies the minimum number of CPUs required by the iBRAS SA feature. The value range is 1 to 12.

Usage guidelines

The APA card has limited CPU engines and processing capacity. To support large-scale users and service traffic, the iBRAS SA feature requires multiple CPU engines to work together. In this case, configure the minimum number of CPUs required by the iBRAS SA feature. If the device has fewer CPUs than the minimum number required, traffic bypasses the APA card without being processed. This prevents failures caused by service overload.

Examples

# Configure the minimum number of CPUs required by the iBRAS SA feature as 2.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa engine min-engine 2

If the minimum required number of APA board is greater than the active number of APA board,the traffic will bypass the APA board, confirm [Y/N]:y

Related commands

display sa node

sa flow-log interval

Use sa flow-log interval to configure the interval for reporting user flow logs to the server.

Use undo sa flow-log interval to restore the default.

Syntax

sa flow-log interval interval

undo sa flow-log interval

Default

The interval for reporting user flow logs to the server is 300 seconds.

Views

SA node view

Predefined user roles

network-admin

Parameters

interval: Specifies the interval for reporting user flow logs to the server. The value is in the range of 300 to 86400.

Usage guidelines

An APA card generates user flow logs by resolving user signaling packets and data packets. User flow logs contain basic information, such as the user IP, the protocol type of the user service packets, and traffic statistics. Use the sa qoe enable command to enable the QoE feature on the APA card and periodically report flow logs. After the APA card establishes a TCP connection to the SA backend analysis system (server), the APA card encapsulates user flow logs in TCP packets and sends them to the SA backend server. The SA backend analysis system analyzes various service traffic of users based on the user flow logs and provides raw data for building a data warehouse. It also visually presents the analysis results of user service traffic.

Use this command to control the interval for reporting user flow logs to the server.

Examples

# Configure the interval for reporting user flow logs to the server as 120 seconds.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa flow-log interval 120

Related commands

sa qoe enable

sa flow-table aging-time

Use sa flow-table aging-time to set the aging time for service forwarding flow entries.

Use undo sa flow-table aging-time to restore the default.

Syntax

sa flow-table aging-time time

undo sa flow-table aging-time

Default

The aging time of service forwarding flow entries is 240 seconds.

Views

SA node view

Predefined user roles

network-admin

Parameters

time: Specifies the aging time. The value range is 10 to 1800 in seconds.

Usage guidelines

Operating mechanism

The service traffic of SA online users is matched against the bound SA user policy. For this, the traffic must be sent to the CPU of the APA module for processing, and the CPU generates a service forwarding flow table to guide the forwarding of service packets. When an online user becomes inactive and generates no service traffic for longer than the aging time, the corresponding entry in the service forwarding flow table ages out and is deleted.

The service forwarding flow table consumes certain hardware resources. By reasonably setting the aging time of the service forwarding flow entries, you can control the table size and reduce hardware resource consumption.

Recommended configuration

As a best practice, set the aging time for SA user entries longer than that for service forwarding flow entries, so that the service forwarding flow entries age out first. After the service forwarding flow entries age out, the corresponding SA user entries then age out. If the aging time for service forwarding flow entries is longer than that for SA user entries, once the SA user entries age out, the service forwarding flow entries will also be deleted, and the aging time for the service forwarding flow entries will no longer take effect.

Examples

# Set the aging time for service forwarding flow entries to 200 seconds.

<Sysname> system-view

[Sysname] sa node 199

[Sysname-sa-node-199] sa flow-table aging-time 200

Related commands

display sa node

sa mirroring-group mirror-to

Use sa mirroring-group mirror-to to configure a monitor port or monitoring group for a mirroring group.

Use undo sa mirroring-group to remove the monitor port or monitoring group for a mirroring group.

Syntax

sa mirroring-group group-id mirror-to { interface interface-type interface-number | monitoring-group monitoring-group-id }

undo sa mirroring-group group-id

Views

SA node view

Predefined user roles

network-admin

Parameters

group-id: Specifies a mirroring group by its ID. The mirroring group ID is associated with the app IDs in an SA user policy with app ID-based traffic mirroring. The value range for this argument is 1 to 250.

interface interface-type interface-number: Mirrors traffic to a monitor port specified by its type and number.

monitoring-group monitoring-group-id: Mirrors traffic to a monitoring group specified by ID. The value range for the monitoring-group-id argument is 1 to 64.

Usage guidelines

Prerequisites

For traffic mirroring to operate correctly for traffic with the specified app IDs, make sure the following conditions are met:

·     Execute the sa port mode command to direct traffic to the APA card for application identification.

·     Execute the sa-ctl mirror-policy add command to create an SA user policy with app ID-based traffic mirroring. Make sure the mirroring group ID specified in the sa mirroring-group mirror-to command matches one specified in the SA user policy.

·     Make sure the SA backend has deployed the SA user policy with app ID-based traffic mirroring to online users.

Application scenarios

After a user completes authentication and connects to the BRAS, the user has different types of application traffic on the user endpoint. You can direct all user application traffic to the APA card. The APA card analyzes and identifies different application traffic for each user, assigning a unique app ID to each type of identified traffic. Based on the app ID, you can perform operations such as traffic redirecting, traffic mirroring, and traffic control on application traffic. To analyze traffic with the specified app IDs from the specified users, create an SA user policy with app ID-based traffic mirroring on the SA backend (the controller) and define the app ID-mirroring group ID mappings in the SA user policy. After you deploy the SA user policy to a BRAS installed with an APA card, execute this command on the BRAS to specify the monitor port or monitoring group for each mirroring group. Then, the application traffic with the specified app ID will be forwarded to the monitor port or monitoring group of the specified mirroring group.

Restrictions and guidelines

If you execute this command multiple times with the same group-id argument, the most recent configuration takes effect.

To execute this command successfully, make sure the specified monitoring group already exists.

Examples

# Mirror traffic matching mirroring group ID 1 to interface XGE3/1/1.

<Sysname> system-view

[Sysname] sa node 199

[Sysname-sa-node-199] sa mirroring-group 1 mirror-to interface ten-gigabitethernet 3/1/1

Related commands

display sa mirroring-group

sa node

Use sa node to create an SA node and enter its view, or enter the view of an existing SA node.

Use undo sa node to restore the default.

Syntax

sa node node-id

undo sa node node-id

Default

No SA node exists.

Views

System view

Predefined user roles

network-admin

Parameters

node-id: Specifies a node by its ID in the range of 1 to 65534.

Usage guidelines

An SA node uniquely identifies a BRAS installed with an APA card. By identifying SA nodes, the SA backend can recognize different front-end BRASs.

In SA node view, you can configure SA user policies and SA Quality of Experience (QoE) analysis-related functions.

You can create only one SA node on one device.

Examples

# Create SA node 199 and enter its view.

<Sysname> system-view

[Sysname] sa node 199

[Sysname-sa-node-199]

sa port mode

Use sa port mode to direct the traffic from the specified interface to an APA card and set the processing mode for the APA card.

Use undo sa port mode to restore the default.

Syntax

sa port mode inline interface interface-type interface-number

undo sa port mode interface interface-type interface-number

Default

Traffic of an interface is not directed to the APA card for processing.

Views

SA node view

Predefined user roles

network-admin

Parameters

inline: Specifies the APA card to operate in inline mode.

interface interface-type interface-number: Directs to the APA card the user traffic received on an interface specified by its type and number.

Usage guidelines

Application scenarios

Users that complete authentication and connect to the BRAS have various types of application traffic. This feature directs user service traffic received on the specified interface to an APA card. The APA card analyzes the quality of different types of traffic for each user and identifies the services, and performs traffic acceleration, traffic redirecting, traffic mirroring, or traffic control on the identified service traffic based on the SA user policies.

Operating mechanism

The Service Awareness (SA) feature of the BRAS provides authenticated users with services such as Quality of Experience (QoE) quality analysis, traffic identification, traffic distribution, and traffic acceleration. It also provides network administrators with a visual user service management page. The APA card supports the following processing mode:

·     Inline mode—Directly routes user traffic to the APA card. The APA card identifies, analyzes, and processes the traffic before forwarding it. In this mode, the BRAS SA feature performs QoE quality analysis on service traffic. It also performs traffic acceleration, traffic redirecting, traffic mirroring, or traffic control on identified service traffic based on SA user policies, which might introduce processing delays.

Restrictions and guidelines

Use the sa port mode command to configure how an APA card processes traffic. The sa port mode command applies only to user traffic received on the specified interface.

For APA card-based functions such as traffic redirecting and traffic mirroring to take effect, you must first execute the sa port mode command to direct traffic to an APA card in inline mode.

After you execute the sa engine bypass command, the executed sa port mode command will not take effect.

 

CAUTION:

When many access users exist, executing this command will refresh the user entries, which affects the device CPU performance. Do not execute this command repeatedly in a short period.

 

Examples

# Configure Ten-GigabitEthernet3/1/1 to direct the received traffic to an APA card, and set the processing mode to inline for the APA card.

<Sysname> system-view

[Sysname] sa node 199

[Sysname-sa-node-199] sa port mode inline interface ten-gigabitethernet 3/1/1

sa qoe collector

Use sa qoe collector to configure the encapsulation information for packets reporting user flow logs to a server.

Use undo sa qoe collector to restore the default.

Syntax

sa qoe collector collector-id { source-ipv4 source-ipv4-address destination-ipv4 destination-ipv4-address | source-ipv6 source-ipv6-address destination-ipv6 destination-ipv6-address } destination-port port [ vpn-instance vpn-instance-name ] [ load-balance-group group-name ]

undo sa qoe collector collector-id

Default

No encapsulation information is configured for packets reporting user flow logs to a server.

Views

SA node view

Predefined user roles

network-admin

Parameters

collector-id: Specifies a server by its ID. The value range for this argument is 1 to 10.

source-ipv4 source-ipv4-address: Specifies the source IPv4 address for TCP packets reporting user flow logs to a server.

destination-ipv4 destination-ipv4-address: Specifies the destination IPv4 address for TCP packets reporting user flow logs to a server.

source-ipv6 source-ipv6-address: Specifies the source IPv6 address for TCP packets reporting user flow logs to a server.

destination-ipv6 destination-ipv6-address: Specifies the destination IPv6 address for TCP packets reporting user flow logs to a server.

destination-port port: Specifies the destination port number of TCP packets, in the range of 1 to 65535.

vpn-instance vpn-instance-name: Specifies the name of the VPN instance to which the destination IP addresses belong, a case-sensitive string of 1 to 31 characters.

load-balance-group group-name: Specifies a load balancing group by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

Application scenarios

An APA card generates user flow logs by resolving user signaling packets and data packets. User flow logs contain basic information, such as the user IP, the protocol type of the user service packets, and traffic statistics.

After the APA card establishes a TCP connection to the SA backend analysis system (server), the APA card encapsulates user flow logs in TCP packets and sends them to the SA backend server. The SA backend analysis system analyzes QoE for various service traffic of users based on the user flow logs and provides raw data for building a data warehouse. It also visually presents the QoE analysis results of user service traffic.

Operating mechanism

Use the sa qoe collector command to configure the destination server address and the encapsulation information for packets reporting user flow logs to the server.

After you designate a load balancing group (load-balance-group) for multiple different server numbers, the same user flow log will be sent to only one server within the load balancing group, achieving load sharing of user flow logs. For the same backend server, you can also configure multiple different server numbers. You can specify the same load balancing group, source IP address, and destination IP address, but with different destination port numbers, to enable user flow logs to be load-shared through different TCP ports.

Restrictions and guidelines

You can execute the sa qoe collector command multiple times with different server IDs and destination addresses, allowing the APA card to report user flow logs to different servers. If you execute the command multiple times with the same server ID (collector-id), the most recent configuration takes effect.

Examples

# Configure the encapsulation information for packets reporting user flow logs to a server as follows:

·     Source IP address 10.99.18.109.

·     Destination IP address 199.199.100.19.

·     Destination port number 1000.

<Sysname> system-view

[Sysname] sa node 199

[Sysname-sa-node-199] sa qoe collector 1 source-ipv4 10.99.18.109 destination-ipv4 199.199.100.19 destination-port 1000

sa qoe group-capacity

Use sa qoe group-capacity to set the user group capacity for CPU analysis during a polling interval.

Use undo sa qoe group-capacity to restore the default.

Syntax

sa qoe group-capacity number

undo sa qoe group-capacity

Default

The user group capacity for CPU analysis during a polling interval is 256000.

Views

SA node view

Predefined user roles

network-admin

Parameters

number: Specifies the number of users in each group. The value range is 64 to 524288.

Usage guidelines

Application scenarios

The SA backend analyzes QoE for various service traffic of users based on the user flow logs reported by the APA card. It also visually presents the QoE analysis results of user service traffic.

Due to the large number of access users and the large scale of data, the APA card needs to periodically pre-analyze and process data for a certain number of users on the local CPU. Use this command to control the number of users in the group pre-analyzed and processed by the local CPU during a polling interval.

Operating mechanism

The device will distribute all users evenly into several user groups based on the number of users configured by this command. During one polling interval specified by the sa qoe polling-interval command, the APA card sends traffic statistics of one user group to the CPU for data analysis to obtain preliminary analysis results on the quality of user traffic data. In subsequent polling intervals, the APA card sequentially polls and processes traffic statistics of other user groups.

Recommended configuration

Configuring a large user group capacity might lead to too many users in a single group, placing significant pressure on CPU analysis and processing. Conversely, configuring a small user group capacity might result in too few users in a group, making the CPU analysis and processing results less accurate. As a best practice, do not execute this command to arbitrarily adjust the user group capacity for CPU analysis during a polling interval.

Examples

# Set the user group capacity for CPU analysis during a polling interval to 2000.

<Sysname> system-view

[Sysname] sa node 199

[Sysname-sa-node-199] sa qoe group-capacity 2000

sa qoe polling-interval

Use sa qoe polling-interval to configure the polling interval for user group analysis.

Use undo sa qoe polling-interval to restore the default.

Syntax

sa qoe polling-interval interval

undo sa qoe polling-interval

Default

The polling interval is 60.

Views

SA node view

Predefined user roles

network-admin

Parameters

interval: Specifies the polling interval. The value range is 1 to 262800.

Usage guidelines

Application scenarios

The SA backend analyzes QoE for various service traffic of users based on the user flow logs reported by the APA card. It also visually presents the QoE analysis results of user service traffic.

Due to the large number of access users and the large scale of data, the APA card needs to periodically pre-analyze and process traffic data for a certain number of users on the local CPU. Use this command to control the CPU pre-analysis interval.

Recommended configuration

As a best practice, do not adjust the polling interval arbitrarily.

Examples

# Set the polling interval for user group analysis to 1440 minutes.

<Sysname> system-view

[Sysname] sa node 199

[Sysname-sa-node-199] sa qoe polling-interval 1440

sa signature update

Use sa signature update to update and upgrade the predefined signature library.

Syntax

sa signature update { application | url } file-path

Default

The predefined signature library is not updated or upgraded automatically.

Views

System view

Predefined user roles

network-admin

Parameters

application: Updates and upgrades the predefined application signature library.

url: Updates and upgrades the predefined URL signature library.

file-path: Specifies the path and name of a local signature library file. For example, slot0#flash:/url_sort_feature_1.2.txt. (In standalone mode.)

file-path: Specifies the path and name of a local signature library file. For example, chassis1#slot0#flash:/url_sort_feature_1.2.txt. (In IRF mode.)

Usage guidelines

The BRAS SA feature must maintain the following two separate signature libraries.

·     Predefined signature library—Signature mappings pre-loaded on the BRAS APA card and manually updated by loading a signature library file. The signature library file defines the mappings between common user service packet signatures in the live network and the app IDs or URL category IDs. The predefined signature library includes both the predefined application signature library and the predefined URL signature library.

¡     Predefined application signature library—Stores the mappings between the application packet signatures and the app IDs.

¡     Predefined URL signature library—Stores the mappings between URLs in packets and URL category IDs.

·     Custom signature library—Mappings configured on the BRAS. The custom signature library includes both the custom application signature library and the custom URL signature library.

¡     Custom application signature library—Configured with the mappings between the signatures (such as the packet quintuples) and the app IDs.

¡     Custom URL signature library—Configured with the mappings between URLs in packets and URL category IDs.

For the BRAS SA feature to accurately identify over 99% of applications and URLs, which frequently change, you typically need to regularly update the predefined signature library.

To do that, upload a predefined signature library file to the local directory of the device through FTP, and then execute the sa signature update command to specify the path and name of the signature library file.

The full path and name of the local signature library file cannot exceed 255 characters, including /mnt/ and file-path, for example, /mnt/flash:/url_sort_feature_1.2.txt.

Examples

# Update and upgrade the predefined application signature library by specifying the path and name of the signature library file: slot0#flash:/PreApp_Feature.txt. (In standalone mode.)

<Sysname> system-view

[Sysname] sa signature update application slot0#flash:/PreApp_Feature.txt

sa user aging-time

Use sa user aging-time to set the aging time for SA user entries.

Use undo sa user aging-time to restore the default.

Syntax

sa user aging-time time

undo sa user aging-time

Default

The aging time of SA user entries is 300 seconds.

Views

SA node view

Predefined user roles

network-admin

Parameters

time: Specifies the aging time. The value range is 10 to 1800 in seconds.

Usage guidelines

Operating mechanism

After user authentication is completed, when the user generates service traffic, the service traffic is directed to the APA module for analysis and processing. At this point, the user information is recorded on the APA module and the user goes online. The APA module maintains and generates an SA user table, which is used to display active user information on the APA module. When an online user is no longer active and has not generated service traffic for more than the aging time, the corresponding user entry in the SA user table will be aged and deleted.

The SA user table consumes certain hardware resources. By reasonably setting the aging time of SA user entries, the size of the SA user table can be controlled, reducing the hardware resources occupied by inactive users.

Recommended configuration

As a best practice, set the aging time for SA user entries longer than that for service forwarding flow entries, so that the service forwarding flow entries age out first. After the service forwarding flow entries age out, the corresponding SA user entries then age out. If the aging time for service forwarding flow entries is longer than that for SA user entries, once the SA user entries age out, the service forwarding flow entries will also be deleted, and the aging time for the service forwarding flow entries will no longer take effect.

Examples

# Set the aging time for SA user entries to 300 seconds.

<Sysname> system-view

[Sysname] sa node 199

[Sysname-sa-node-199] sa user aging-time 300

Related commands

display sa node

sa-ctl accelerate-policy add

Use sa-ctl accelerate-policy add to create an SA user policy with app ID-based traffic acceleration, and add app IDs to the SA user policy.

Syntax

sa-ctl accelerate-policy add name { app-id app-id }&<1-64>

Views

SA node view

Predefined user roles

network-admin

Parameters

name: Specifies an SA user policy by its name, a case-sensitive string of 1 to 31 characters.

{ app-id app-id }&<1-64>: Adds app IDs for the specified applications. The app-id argument represents the app ID assigned to an application after its traffic is identified on the APA card. App IDs include the following types:

·     App category ID (major ID) customized in the SA backend—The value range is 1 to 699.

·     App ID (minor ID) customized in the SA backend—The value range is 1000 to 6999.

·     App category ID (major ID) predefined in the SA backend—The value range is 700 to 999.

·     App ID (minor ID) predefined in the SA backend—The value range is 7000 to 65530.

&<1-64>: Indicates that you can enter up to 64 app IDs.

Usage guidelines

For traffic redirecting or acceleration to operate correctly for traffic with the specified app IDs, make sure the following conditions are met:

·     Execute the sa port mode command to direct traffic to the APA card for application identification.

·     Make sure the SA backend has deployed an SA user policy with app ID-based traffic acceleration to online users.

·     Execute the sa-ctl accelerate-policy add command. Make sure the app ID specified by using the sa app-id redirect command belongs to the SA user policy with app ID-based traffic acceleration.

Examples

# Create an SA user policy named abc for app ID-based traffic acceleration, and add app IDs 102, 103, and 104 to the SA user policy.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl accelerate-policy add abc app-id 102 app-id 103 app-id 104

Related commands

display sa user-policy

sa app-id redirect

sa-ctl accelerate-policy delete

sa-ctl accelerate-policy delete

Use sa-ctl accelerate-policy delete to delete the specified app IDs from an SA user policy with app ID-based traffic acceleration.

Syntax

sa-ctl accelerate-policy delete name { app-id app-id }&<1-64>

Views

SA node view

Predefined user roles

network-admin

Parameters

name: Specifies an SA user policy by its name, a case-sensitive string of 1 to 31 characters.

{ app-id app-id }&<1-64>: Deletes app IDs for the specified applications. The app-id argument represents the app ID assigned to an application after its traffic is identified on the APA card. App IDs include the following types:

·     App category ID (major ID) customized in the SA backend—The value range is 1 to 699.

·     App ID (minor ID) customized in the SA backend—The value range is 1000 to 6999.

·     App category ID (major ID) predefined in the SA backend—The value range is 700 to 999.

·     App ID (minor ID) predefined in the SA backend—The value range is 7000 to 65530.

&<1-64>: Indicates that you can enter up to 64 app IDs.

Examples

# Delete app IDs 102 and 103 from the SA user policy named abc for app ID-based traffic acceleration.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl accelerate-policy delete abc app-id 102 app-id 103

Related commands

display sa user-policy

sa-ctl accelerate-policy add

sa-ctl control-policy add

Use sa-ctl control-policy add to create an SA user policy with app ID-based traffic control, and add app IDs to the SA user policy.

Syntax

sa-ctl control-policy add name { app-id app-id { { in-cir committed-information-rate [ in-cbs committed-burst-size ] | in-connection-limit number | in-remark-dscp dscp-value | out-cir committed-information-rate [ out-cbs committed-burst-size ] | out-connection-limit number | out-remark-dscp dscp-value } * | drop } }&<1-64>

Views

SA node view

Predefined user roles

network-admin

Parameters

name: Specifies an SA user policy by its name, a case-sensitive string of 1 to 31 characters.

app-id app-id: Adds app IDs for the specified applications. The app-id argument represents the app ID assigned to an application after its traffic is identified on the APA card. App IDs include the following types:

·     App category ID (major ID) customized in the SA backend—The value range is 1 to 699.

·     App ID (minor ID) customized in the SA backend—The value range is 1000 to 6999.

·     App category ID (major ID) predefined in the SA backend—The value range is 700 to 999.

·     App ID (minor ID) predefined in the SA backend—The value range is 7000 to 65530.

in-cir committed-information-rate: Specifies the rate limit for user traffic with the specified app ID in the inbound direction of the interfaces connecting to users. The committed-information-rate argument represents the committed information rate (CIR) in kbps. The value range is 1 to 40000000.

in-cbs committed-burst-size: Specifies the committed burst size for user traffic with the specified app ID in the inbound direction of the interfaces connecting to users. The committed-burst-size argument represents the committed burst size (CBS) in bytes. The value range is 2000 to 2000000.

in-connection-limit number: Limits the maximum number of connections for user traffic with the specified app ID in the inbound direction of the interfaces connecting to users. The value range is 1 to 65534.

in-remark-dscp dscp-value: Marks the specified DSCP value for user traffic with the specified app ID in the inbound direction of the interfaces connecting to users. The dscp-value argument specifies a DSCP value in the range of 0 to 63 or a keyword.

Table 13 DSCP keywords and values

Keyword      DSCP value (binary)      DSCP value (decimal)

default      000000                   0

af11         001010                   10

af12         001100                   12

af13         001110                   14

af21         010010                   18

af22         010100                   20

af23         010110                   22

af31         011010                   26

af32         011100                   28

af33         011110                   30

af41         100010                   34

af42         100100                   36

af43         100110                   38

cs1          001000                   8

cs2          010000                   16

cs3          011000                   24

cs4          100000                   32

cs5          101000                   40

cs6          110000                   48

cs7          111000                   56

ef           101110                   46

out-cir committed-information-rate: Specifies the rate limit for user traffic with the specified app ID in the outbound direction of the interfaces connecting to users. The committed-information-rate argument represents the committed information rate (CIR) in kbps. The value range is 1 to 40000000.

out-cbs committed-burst-size: Specifies the committed burst size for user traffic with the specified app ID in the outbound direction of the interfaces connecting to users. The committed-burst-size argument represents the committed burst size (CBS) in bytes. The value range is 2000 to 2000000.

out-connection-limit number: Limits the number of connections for user traffic with the specified app ID in the outbound direction of the interfaces connecting to users. The number argument specifies the upper limit on the number of connections. The value range is 1 to 65534.

out-remark-dscp dscp-value: Marks the specified DSCP value for user traffic with the specified app ID in the outbound direction of the interfaces connecting to users. The dscp-value argument specifies a DSCP value in the range of 0 to 63 or a keyword.

drop: Drops traffic with the specified app ID.

&<1-64>: Indicates that you can enter up to 64 app IDs.

Usage guidelines

Execute the sa-ctl control-policy add command to create an SA user policy with app ID-based traffic control. The SA backend then deploys this policy to online users. When the app ID of online user traffic matches an app ID specified in the SA user policy, the device applies the forwarding behavior configured for that app ID, for example, rate limiting the traffic, limiting its number of connections, marking its DSCP value, or dropping it.

Examples

# Create the SA user policy named abc for app ID-based traffic control, and add app IDs 102 and 203 to the SA user policy. Limit the rate of the traffic with app ID 102 to 100 kbps, and limit the number of connections for the traffic with app ID 203 to 100.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl control-policy add abc app-id 102 cir 100 app-id 203 connection-limit 100

Related commands

display sa user-policy

sa-ctl control-policy delete

sa-ctl control-policy delete

Use sa-ctl control-policy delete to delete the specified app IDs from an SA user policy with app ID-based traffic control.

Syntax

sa-ctl control-policy delete name { app-id app-id }&<1-64>

Views

SA node view

Predefined user roles

network-admin

Parameters

name: Specifies an SA user policy by its name, a case-sensitive string of 1 to 31 characters.

app-id app-id: Deletes app IDs for the specified applications. The app-id argument represents the app ID assigned to an application after its traffic is identified on the APA card. App IDs include the following types:

·     App category ID (major ID) customized in the SA backend—The value range is 1 to 699.

·     App ID (minor ID) customized in the SA backend—The value range is 1000 to 6999.

·     App category ID (major ID) predefined in the SA backend—The value range is 700 to 999.

·     App ID (minor ID) predefined in the SA backend—The value range is 7000 to 65530.

&<1-64>: Indicates that you can enter up to 64 app IDs.

Examples

# Delete app ID 102 from the SA user policy named abc for app ID-based traffic control.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl control-policy delete abc app-id 102

Related commands

display sa user-policy

sa-ctl control-policy add

sa-ctl custom-app

Use sa-ctl custom-app to configure mappings between packet signatures and app IDs in the custom application signature library.

Use undo sa-ctl custom-app to delete mappings between packet signatures and app IDs from the custom application signature library.

Syntax

sa-ctl custom-app major-id major-id minor-id minor-id rule-id rule-id { [ [ source-ip source-ipv4-address [ mask-length ] | destination-ip destination-ipv4-address [ mask-length ] ] * | [ source-ipv6 source-ipv6-address [ prefix-length ] | destination-ipv6 destination-ipv6-address [ prefix-length ] ] * ] | source-port source-port | destination-port destination-port | [ tcp | udp ] | http-payload payload-list | domain-name name } *

undo sa-ctl custom-app major-id major-id minor-id minor-id [ rule-id rule-id ]

Views

SA node view

Predefined user roles

network-admin

Parameters

major-id major-id: Specifies a custom application category ID (major ID). The value range for the major-id argument is 1 to 699.

minor-id minor-id: Specifies a custom application ID (minor ID). The value range for the minor-id argument is 1000 to 6999.

rule-id rule-id: Specifies a match rule by its ID for custom application and packet signatures. The value range for the rule-id argument is 1 to 100000. If you do not specify this option in the undo sa-ctl custom-app command, this command deletes all match rules in the specified application.

source-ip source-ipv4-address: Specifies the source IPv4 address for matching packets. If you do not specify this option or a source IPv6 address, packets from any source address can be matched.

mask-length: Specifies the mask length of the IPv4 address, in the range of 1 to 32. With a mask length specified, the address option specifies all the addresses in the range. Without a mask length specified, the address option specifies only one IPv4 address.

destination-ip destination-ipv4-address: Specifies the destination IPv4 address for matching packets. If you do not specify this option or a destination IPv6 address, packets with any destination address can be matched.

source-ipv6 source-ipv6-address: Specifies the source IPv6 address for matching packets. If you do not specify this option or a source IPv4 address, packets from any source address can be matched.

prefix-length: Specifies the prefix length of the IPv6 address, in the range of 1 to 128. With a prefix length specified, the address option specifies all the addresses in the range. Without a prefix length specified, the address option specifies only one IPv6 address.

destination-ipv6 destination-ipv6-address: Specifies the destination IPv6 address for matching packets. If you do not specify this option or a destination IPv4 address, packets with any destination address can be matched.

source-port source-port-number: Specifies the source port number for matching packets, in the range of 0 to 65535. If you do not specify this option, packets with any source port number can be matched.

destination-port destination-port-number: Specifies the destination port number for matching packets, in the range of 0 to 65535. If you do not specify this option, packets with any destination port number can be matched.

tcp: Matches packets with the transport layer protocol as TCP. If you do not specify this keyword, packets with non-TCP protocols can be matched.

udp: Matches packets with the transport layer protocol as UDP. If you do not specify this keyword, packets with non-UDP protocols can be matched.

http-payload payload-list: Matches the signature keyword in the application layer information of packets. The payload-list argument specifies the list of signature keywords, a string of 1 to 255 characters. For example, "'sourcePeak':'0.00','sourceLuft':'-3.65'".

domain-name name: Specifies the domain name information in the application layer information of packets. The name argument represents a domain name, a case-sensitive string of 1 to 255 characters, for example, example.com.

Usage guidelines

Operating mechanism

The custom application signature library is a collection of mappings between packet signatures and app IDs. Use this command to add new mappings between packet signatures and app IDs to the custom application signature library.

Packet signatures mainly include the following elements:

·     Packet quintuple—Includes the source and destination IP addresses, source and destination ports, and the transport layer protocol type (TCP or UDP) of packets.

·     Application layer signature keyword.

·     Domain name information.

If you specify multiple packet quintuple parameters in the match rule for a packet signature-app ID mapping, a packet must match all the specified quintuple parameters to be considered compliant with the match rule. Then, the packet is assigned the specified major ID and minor ID.

If you specify all the three elements or two of the three elements in the match rule for a packet signature-app ID mapping, a packet only needs to match one of the specified elements to be considered compliant with the match rule. Then, the packet is assigned the specified major ID and minor ID.

A packet might match both a rule in the custom application signature library and a rule in the predefined signature library. If the packet matches the quintuple match criteria in the custom application signature library, the app ID assigned to the packet by the custom application signature library takes priority.
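The matching rules described above (quintuple parameters combined with AND, the three signature elements combined with OR, and a custom quintuple match taking priority over the predefined library), as an added Python model that is not part of the command reference or of the device software. The Packet and CustomAppRule classes, the classify and _ip_in functions, the predefined_stub stand-in and the second sample rule are all constructed for illustration; letting the predefined library win when the custom match came only from a payload keyword or domain name is an assumption, since the reference does not state that case.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Packet:
    # Fields the APA card would extract from one user packet (constructed model).
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str          # "tcp" or "udp"
    payload: str = ""   # application-layer data as text
    domain: str = ""    # domain name carried in the application layer, if any

@dataclass
class CustomAppRule:
    """One sa-ctl custom-app match rule: major-id / minor-id / rule-id plus signatures."""
    major_id: int
    minor_id: int
    rule_id: int
    source_ip: Optional[str] = None        # "2.3.4.5" or "10.0.0.0/8"; IPv6 forms work too
    destination_ip: Optional[str] = None
    source_port: Optional[int] = None
    destination_port: Optional[int] = None
    proto: Optional[str] = None            # "tcp", "udp" or None for any transport protocol
    http_payload: list[str] = field(default_factory=list)   # signature keywords
    domain_name: Optional[str] = None

    def __post_init__(self) -> None:
        # Value ranges from the command's parameter descriptions.
        for value, lo, hi, what in ((self.major_id, 1, 699, "major-id"),
                                    (self.minor_id, 1000, 6999, "minor-id"),
                                    (self.rule_id, 1, 100000, "rule-id")):
            if not lo <= value <= hi:
                raise ValueError(f"{what} must be {lo} to {hi}")
        if any(p is not None and not 0 <= p <= 65535 for p in (self.source_port, self.destination_port)):
            raise ValueError("port numbers must be 0 to 65535")

    def quintuple_matches(self, pkt: Packet) -> bool:
        """Every quintuple parameter the rule specifies must match (logical AND)."""
        checks = [
            (self.source_ip, lambda: _ip_in(pkt.src_ip, self.source_ip)),
            (self.destination_ip, lambda: _ip_in(pkt.dst_ip, self.destination_ip)),
            (self.source_port, lambda: pkt.src_port == self.source_port),
            (self.destination_port, lambda: pkt.dst_port == self.destination_port),
            (self.proto, lambda: pkt.proto == self.proto),
        ]
        specified = [check for spec, check in checks if spec is not None]
        return bool(specified) and all(check() for check in specified)

    def element_matches(self, pkt: Packet) -> Optional[str]:
        """Returns the element that matched ("quintuple", "payload" or "domain") or None.
        Between elements the rule is a logical OR: one matching element is enough."""
        if self.quintuple_matches(pkt):
            return "quintuple"
        if any(keyword in pkt.payload for keyword in self.http_payload):
            return "payload"
        if self.domain_name is not None and pkt.domain == self.domain_name:  # case-sensitive
            return "domain"
        return None

def _ip_in(addr: str, spec: str) -> bool:
    """True if addr lies in spec (host or prefix); an IPv4/IPv6 family mismatch never matches."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False

def classify(pkt: Packet, custom_rules: list[CustomAppRule],
             predefined: Callable[[Packet], Optional[tuple[int, int]]]) -> Optional[tuple[int, int, str]]:
    """Assigns (major_id, minor_id, library) to a packet, or None if nothing matches.
    A custom rule matched on its quintuple criteria beats the predefined library, as the
    reference states. When the custom match came only from a payload keyword or a domain
    name, this model lets the predefined library win: that ordering is an assumption."""
    custom_hit: Optional[tuple[int, int, str]] = None
    for rule in custom_rules:
        how = rule.element_matches(pkt)
        if how == "quintuple":
            return (rule.major_id, rule.minor_id, "custom")
        if how is not None and custom_hit is None:
            custom_hit = (rule.major_id, rule.minor_id, "custom")
    pre = predefined(pkt)
    if pre is not None:
        return (pre[0], pre[1], "predefined")
    return custom_hit

# Constructed sample rules: the first is the page's own example (major 1, minor 1000, rule 1,
# source 2.3.4.5 and destination port 2234); the second combines all three signature elements.
CUSTOM_RULES = [
    CustomAppRule(1, 1000, 1, source_ip="2.3.4.5", destination_port=2234),
    CustomAppRule(2, 2000, 1, destination_ip="10.0.0.0/8", proto="tcp",
                  http_payload=["'sourcePeak':'0.00'"], domain_name="example.com"),
]

def predefined_stub(pkt: Packet) -> Optional[tuple[int, int]]:
    """Constructed stand-in for the predefined signature library: TCP to port 2234 -> 700/7000."""
    return (700, 7000) if pkt.proto == "tcp" and pkt.dst_port == 2234 else None
```

Running classify on a packet from 2.3.4.5 to TCP port 2234 returns (1, 1000, "custom") even though predefined_stub also matches it, while a UDP packet to 10.1.2.3 matches nothing because the second rule's quintuple requires TCP as well.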

Restrictions and guidelines

When you execute the sa-ctl custom-app command, the same major ID can be associated with multiple different minor IDs, and the same minor ID can be associated with multiple different rule IDs. To prevent a packet from matching multiple different minor IDs or major IDs, do not associate a single match rule with multiple minor IDs. Similarly, do not associate a single minor ID with multiple major IDs. Additionally, make sure the match criteria specified by different rule IDs are different.

Examples

# Configure a mapping between packet signatures and app IDs in the custom application signature library. Configure match rule 1 to assign major ID 1 and minor ID 1000 to packets with source IP address 2.3.4.5 and destination port 2234.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl custom-app major-id 1 minor-id 1000 rule-id 1 source-ip 2.3.4.5 destination-port 2234

Related commands

display sa custom-app

sa-ctl custom-app name

sa-ctl custom-app name

Use sa-ctl custom-app name to configure the name of an application with the specified app ID in the custom application signature library.

Syntax

sa-ctl custom-app { major-id major-id | minor-id minor-id } name name

Views

SA node view

Predefined user roles

network-admin

Parameters

major-id major-id: Specifies a custom application category ID (major ID). The value range for the major-id argument is 1 to 699.

minor-id minor-id: Specifies a custom app ID (minor ID). The value range for the minor-id argument is 1000 to 6999.

name: Specifies the name of the application with the specified app ID, a string of 1 to 31 characters.

Usage guidelines

When you configure the name for an application with the specified app ID in the custom application signature library, make sure the app ID already exists in the library. When you delete all packet signatures and mappings associated with an app ID in the custom application signature library, the application name for the app ID is also deleted.

Examples

# Set the name to aaa for the application with major ID 1 in the custom application signature library.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl custom-app major-id 1 name aaa

Related commands

sa-ctl custom-app

display sa custom-app

sa-ctl custom-app submit

Use sa-ctl custom-app submit to submit the custom application signature library configuration.

Syntax

sa-ctl custom-app submit

Default

The application signature library configuration does not take effect immediately.

Views

SA node view

Predefined user roles

network-admin

Usage guidelines

The BRAS SA feature must maintain the following two separate signature libraries.

·     Predefined signature library—Signature mappings pre-loaded on the BRAS APA card and manually updated by loading a signature library file. The signature library file defines the mappings between common user service packet signatures in the live network and the app IDs or URL category IDs. The predefined signature library includes both the predefined application signature library and the predefined URL signature library.

¡     Predefined application signature library—Stores the mappings between the application packet signatures and the app IDs.

¡     Predefined URL signature library—Stores the mappings between URLs in packets and URL category IDs.

·     Custom signature library—Mappings configured on the BRAS. The custom signature library includes both the custom application signature library and the custom URL signature library.

¡     Custom application signature library—Configured with the mappings between the signatures (such as the packet quintuples) and the app IDs.

¡     Custom URL signature library—Configured with the mappings between URLs in packets and URL category IDs.

After you execute the sa-ctl custom-app command to configure information related to the custom application signature library, the configuration will not take effect immediately. To update the custom application signature library and have the related configuration take effect, execute the sa-ctl custom-app submit command to submit the configuration.

TIP:

When you execute the sa-ctl custom-app command to configure the custom application signature library:

·     If the specified match rules only contain packet quintuple information, the custom application signature library will automatically update and take effect without the sa-ctl custom-app submit command.

·     If the specified match rule contains application layer signature keywords or domain name information, execute the sa-ctl custom-app submit command to submit the configuration, which will then update and activate the custom application signature library.


Examples

# Submit the custom application signature library configuration.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl custom-app submit

Related commands

sa-ctl custom-app

sa match-packet max-number

Use sa match-packet max-number to set the upper limit on the packet count for determining whether packets match an SA user policy.

Use undo sa match-packet max-number to restore the default.

Syntax

sa match-packet max-number number

undo sa match-packet max-number

Default

The upper limit on the packet count for determining whether packets match an SA user policy is 8.

Views

SA node view

Predefined user roles

network-admin

Parameters

number: Specifies the upper limit on the packet count for determining whether packets match an SA user policy. The value range is from 1 to 4294967294.

Usage guidelines

Operating mechanism

After the user service traffic is identified and analyzed by an APA card, the user service traffic is sent to the CPU of the APA card for processing. The CPU generates a flow table to guide traffic forwarding. The process and types for generating forwarding flow tables are as follows:

1.     The CPU compares the traffic's ID (app ID or URL category ID) with the app IDs or URL category IDs specified in the SA user policies associated with the user.

¡     If the ID of multiple packets matches the app IDs or URL category IDs in an associated SA user policy, the traffic is considered to match the SA user policy. The CPU then generates a special forwarding flow table based on the SA user policy.

¡     If the ID of multiple consecutive packets does not match the app IDs or URL category IDs in an SA user policy, the traffic is considered not to match the SA user policy, and the CPU generates a common forwarding flow table.

2.     Regardless of whether the SA user policy is matched, subsequent packets are directly fast forwarded based on the forwarding flow table without being sent to the CPU for comparison and processing.

Use the sa match-packet max-number command to set the upper limit on the packet count for determining whether packets match an SA user policy. If the number of packets that do not match the SA user policy exceeds the upper limit, the traffic is considered not to match the SA user policy.
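The flow table decision described above, as an added example (not H3C code) that simulates how many packets of one flow reach the APA card CPU before a special or common forwarding flow table is generated. The per-flow state, the sample app IDs and the policy set are constructed; treating a single matching packet as enough for the flow to match the policy is an assumption, since the reference only says "multiple packets".

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set

DEFAULT_MAX_NUMBER = 8  # default of sa match-packet max-number


@dataclass
class FlowState:
    table: Optional[str] = None   # None (undecided), "special" or "common"
    unmatched: int = 0            # consecutive packets whose ID missed the policy
    cpu_packets: int = 0          # packets sent to the APA card CPU for comparison


def process_packet(flow: FlowState, packet_id: int, policy_ids: Set[int],
                   max_number: int = DEFAULT_MAX_NUMBER) -> str:
    """Handle one packet; return "special", "common" (fast forwarded) or "cpu"."""
    if flow.table is not None:
        # A forwarding flow table exists: the packet is fast forwarded and
        # never sent to the CPU for comparison again.
        return flow.table
    flow.cpu_packets += 1
    if packet_id in policy_ids:
        # Assumption: one packet whose ID is in the policy is enough to treat
        # the traffic as matching, so a special flow table is generated.
        flow.table = "special"
        return "cpu"
    flow.unmatched += 1
    if flow.unmatched > max_number:
        # Non-matching count exceeds the upper limit: common flow table.
        flow.table = "common"
    return "cpu"


def classify_flow(packet_ids: Iterable[int], policy_ids: Set[int],
                  max_number: int = DEFAULT_MAX_NUMBER) -> FlowState:
    """Run a whole flow through process_packet and return its final state."""
    flow = FlowState()
    for pid in packet_ids:
        process_packet(flow, pid, policy_ids, max_number)
    return flow


if __name__ == "__main__":
    # Constructed flow: predefined app ID 7000 for all packets, policy wants 102.
    print(classify_flow([7000] * 20, {102}))
```

With the default limit, a flow of twenty packets that never match costs nine CPU comparisons before it is fast forwarded as common traffic; raising the limit raises that cost for every non-matching flow, which is why the reference recommends leaving it alone.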

Restrictions and guidelines

Use this function mainly for testing and debugging. As a best practice, do not adjust the upper limit.

Examples

# Set the upper limit on the packet count for determining whether packets match an SA user policy to 10.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa match-packet max-number 10

sa-ctl mirror-policy add

Use sa-ctl mirror-policy add to create an SA user policy with app ID-based traffic mirroring, and add the mappings between app IDs and mirroring group IDs to the SA user policy.

Syntax

sa-ctl mirror-policy add name { app-id app-id { inbound group-id | outbound group-id } }&<1-16>

Views

SA node view

Predefined user roles

network-admin

Parameters

name: Specifies an SA user policy by its name, a case-sensitive string of 1 to 31 characters.

app-id app-id: Adds app IDs for the specified applications. The app-id argument represents the app ID assigned to an application after its traffic is identified on the APA card. App IDs include the following types:

·     App category ID (major ID) customized in the SA backend—The value range is 1 to 699.

·     App ID (minor ID) customized in the SA backend—The value range is 1000 to 6999.

·     App category ID (major ID) predefined in the SA backend—The value range is 700 to 999.

·     App ID (minor ID) predefined in the SA backend—The value range is 7000 to 65530.

inbound group-id: Specifies an inbound traffic mirroring group by its ID and associates the ID with the specified app ID. The value range for the group-id argument is 1 to 250.

outbound group-id: Specifies an outbound traffic mirroring group by its ID and associates the ID with the specified app ID. The value range for the group-id argument is 1 to 250.

&<1-16>: Indicates that you can specify the preceding parameter up to 16 times.

Usage guidelines

Prerequisites

For traffic mirroring to operate correctly for traffic with the specified app IDs, make sure the following conditions are met:

·     Execute the sa port mode command to direct traffic to the APA card for application identification.

·     Execute the sa-ctl mirror-policy add command to create an SA user policy with app ID-based traffic mirroring. Make sure the mirroring group ID specified in the sa mirroring-group mirror-to command matches one specified in the SA user policy.

·     Make sure the SA backend has deployed the SA user policy with app ID-based traffic mirroring to online users.

Application scenarios

After a user completes authentication and connects to the BRAS, the user has different types of application traffic on the user endpoint. You can direct all user application traffic to the APA card. The APA card analyzes and identifies different application traffic for each user, assigning a unique app ID to each type of identified traffic. Based on the app ID, you can perform operations such as traffic redirecting, traffic mirroring, and traffic control on application traffic. To analyze traffic with the specified app IDs from the specified users, create an SA user policy with app ID-based traffic mirroring on the SA backend (the controller) and define the app ID-mirroring group ID mappings in the SA user policy. After you deploy the SA user policy to a BRAS installed with an APA card, execute this command on the BRAS to specify the monitor port or monitoring group for each mirroring group. Then, the application traffic with the specified app ID will be forwarded to the monitor port or monitoring group of the specified mirroring group.

Examples

# Create an SA user policy named abc for app ID-based traffic mirroring. Add app IDs 102 and 103 to the SA user policy. Specify mirroring group 10 for mirroring the incoming traffic with app ID 102. Specify mirroring group 20 for mirroring the outgoing traffic with app ID 103.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl mirror-policy add abc app-id 102 inbound 10 app-id 103 outbound 20

Related commands

display sa user-policy

sa mirroring-group mirror-to

sa-ctl mirror-policy delete

sa-ctl mirror-policy delete

Use sa-ctl mirror-policy delete to remove the mappings between an app ID and a mirroring group in the SA user policy with app ID-based traffic mirroring.

Syntax

sa-ctl mirror-policy delete name { app-id app-id { inbound | outbound } }&<1-16>

Views

SA node view

Predefined user roles

network-admin

Parameters

name: Specifies an SA user policy by its name, a case-sensitive string of 1 to 31 characters.

app-id app-id: Deletes app IDs for the specified applications. The app-id argument represents the app ID assigned to an application after its traffic is identified on the APA card. App IDs include the following types:

·     App category ID (major ID) customized in the SA backend—The value range is 1 to 699.

·     App ID (minor ID) customized in the SA backend—The value range is 1000 to 6999.

·     App category ID (major ID) predefined in the SA backend—The value range is 700 to 999.

·     App ID (minor ID) predefined in the SA backend—The value range is 7000 to 65530.

inbound: Mirrors the inbound traffic.

outbound: Mirrors the outbound traffic.

&<1-16>: Indicates that you can specify the preceding parameter up to 16 times.

Examples

# Delete app ID 102 from the SA user policy named abc for app ID-based traffic mirroring, and cancel incoming traffic mirroring for traffic with app ID 102.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl mirror-policy delete abc app-id 102 inbound

Related commands

display sa user-policy

sa-ctl mirror-policy add

sa qoe enable

Use sa qoe enable to enable the QoE feature on the APA card.

Use undo sa qoe enable to restore the default.

Syntax

sa qoe enable

undo sa qoe enable

Default

The global QoE feature is disabled.

Views

SA node view

Predefined user roles

network-admin

Usage guidelines

After the Quality of Experience (QoE) feature is enabled on an APA card, the APA card samples user signaling packets and data packets to create user flow logs, and sends these logs to the SA backend server through TCP. The SA backend then analyzes QoE for various user service traffic based on the user flow logs, provides raw data for building a data warehouse, and visually presents the QoE analysis results of user service traffic.

Examples

# Enable the QoE feature on the APA card.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa qoe enable

sa redirect-url

Use sa redirect-url to redirect traffic to the specified URL.

Use undo sa redirect-url to cancel redirecting traffic to the specified URL.

Syntax

sa redirect-url url

undo sa redirect-url

Default

Traffic is not redirected to the specified URL.

Views

SA node view

Predefined user roles

network-admin

Parameters

url: Specifies a URL, a string of 1 to 1499 characters.

Usage guidelines

When traffic identified from a user matches the SA user policy with URL-based or URL category ID-based traffic control deployed to that user, if the SA user policy redirects the specified traffic, the system will redirect all specified traffic to the URL defined by the sa redirect-url command.

The URL specified by using the sa redirect-url command must start with http:// or https://.

Examples

# Redirect traffic to URL https://www.example.com.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa redirect-url https://www.example.com

Related commands

sa-ctl sort-url-policy add

sa-ctl url-policy add

sa-ctl sort-url

Use sa-ctl sort-url to configure mappings between URLs and URL category IDs in the custom URL signature library.

Use undo sa-ctl sort-url to delete mappings between URLs and URL category IDs in the custom URL signature library.

Syntax

sa-ctl sort-url major-sort-id major-sort-id minor-sort-id minor-sort-id rule-id rule-id url [ exact-match ]

undo sa-ctl sort-url major-sort-id major-sort-id minor-sort-id minor-sort-id rule-id rule-id

Views

SA node view

Predefined user roles

network-admin

Parameters

major-sort-id major-sort-id: Specifies a custom major URL category ID (major ID). The value range for the major-sort-id argument is 1 to 999.

minor-sort-id minor-sort-id: Specifies a custom minor URL category ID (minor ID). The value range for the minor-sort-id argument is 2001 to 9999.

rule-id rule-id: Specifies a match rule by its ID for URLs. The value range for the rule-id argument is 30000001 to 4294967294.

url: Specifies a URL, a string of 1 to 255 characters.

exact-match: Exactly matches the specified URL. If this keyword is not specified, the URLs are fuzzily matched.

Usage guidelines

Operating mechanism

The custom URL signature library is a collection of mappings between URLs and URL category IDs. Use this command to add new mappings between URLs and their URL category IDs to the custom URL signature library.

When the APA card receives a user packet, it can extract the URL information from the application layer information of the packet. By comparing the URL in the packet with the URL-URL category ID mappings in the custom URL signature library, the APA card can assign the matching URL category ID to the packet and process the packet based on that ID.

URL category IDs include the following types:

·     Minor category ID (sort ID)—Finely categorizes URLs. One minor category ID can identify multiple URLs.

·     Major category ID (sort ID)—Broadly categorizes URLs. One major category ID can identify multiple URLs.

Typically, a URL collection identified by one major category ID can contain multiple URL collections identified by different minor category IDs. A URL collection with the same minor category ID cannot belong to URL collections with different major category IDs.

Restrictions and guidelines

For URLs, you can perform either exact match or fuzzy match.

·     Exact match—For the URL information carried in the application layer information of the packets to match, it must be exactly the same as the URL specified by using the sa-ctl sort-url command.

·     Fuzzy match—For the URL information carried in the application layer information of the packets to match, it only needs to contain the URL specified by using the sa-ctl sort-url command.

When you execute the sa-ctl sort-url command, the same major category ID can be associated with multiple different minor category IDs, and the same minor category ID can be associated with multiple different match rule IDs. However, the same rule ID cannot be associated with multiple minor category IDs, and the same minor category ID cannot be associated with multiple major category IDs.

Examples

# In the custom URL signature library, configure mappings between URLs and URL category IDs as follows: Set the major category ID to 1 and minor category ID to 1000 for the URL exactly matching rule 1, with the custom URL set to example.com.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl sort-url major-sort-id 1 minor-sort-id 1000 rule-id 1 example.com exact-match

Related commands

display sa sort-url

sa-ctl sort-url name

sa-ctl sort-url submit

sa-ctl sort-url name

Use sa-ctl sort-url name to configure the name for a URL category ID in the custom URL signature library.

Syntax

sa-ctl sort-url { major-sort-id major-sort-id | minor-sort-id minor-sort-id } name name

Views

SA node view

Predefined user roles

network-admin

Parameters

major-sort-id major-sort-id: Specifies a custom major URL category ID. The value range for the major-sort-id argument is 1 to 999.

minor-sort-id minor-sort-id: Specifies a custom minor URL category ID. The value range for the minor-sort-id argument is 2001 to 9999.

name: Specifies the name of a URL category ID, which is a string of 1 to 31 characters.

Usage guidelines

When you set the name for a URL category ID in the custom URL signature library, make sure the URL category ID already exists in the custom URL signature library. When all mappings for a URL category ID are deleted from the custom URL signature library, the name for the URL category ID is also deleted.

Examples

# Set the name for major category ID 1 in the custom URL signature library to aaa.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl sort-url major-sort-id 1 name aaa

Related commands

sa-ctl sort-url

display sa sort-url

sa-ctl sort-url submit

Use sa-ctl sort-url submit to submit the custom URL signature library configuration.

Syntax

sa-ctl sort-url submit

Default

The URL signature library configuration does not take effect immediately.

Views

SA node view

Predefined user roles

network-admin

Usage guidelines

The BRAS SA feature must maintain the following two separate signature libraries.

·     Predefined signature library—Signature mappings pre-loaded on the BRAS APA card and manually updated by loading a signature library file. The signature library file defines the mappings between common user service packet signatures in the live network and the app IDs or URL category IDs. The predefined signature library includes both the predefined application signature library and the predefined URL signature library.

¡     Predefined application signature library—Stores the mappings between the application packet signatures and the app IDs.

¡     Predefined URL signature library—Stores the mappings between URLs in packets and URL category IDs.

·     Custom signature library—Mappings configured on the BRAS. The custom signature library includes both the custom application signature library and the custom URL signature library.

¡     Custom application signature library—Configured with the mappings between the signatures (such as the packet quintuples) and the app IDs.

¡     Custom URL signature library—Configured with the mappings between URLs in packets and URL category IDs.

After you execute the sa-ctl sort-url command to configure the custom URL signature library, the configuration will not take effect immediately. To update the custom URL signature library and have the related configuration take effect, execute the sa-ctl sort-url submit command to submit the configuration.

Examples

# Submit the custom URL signature library configuration.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl sort-url submit

Related commands

sa-ctl sort-url

sa-ctl sort-url-policy add

Use sa-ctl sort-url-policy add to create an SA user policy with URL category ID-based traffic control, and add the specified URL category IDs to the SA user policy.

Syntax

sa-ctl sort-url-policy add name { sort-url sort-id action { drop | redirect } }&<1-16>

Views

SA node view

Predefined user roles

network-admin

Parameters

name: Specifies an SA user policy by its name, a case-sensitive string of 1 to 31 characters.

sort-url sort-id: Adds the specified URL category ID.

URL category IDs include the following types:

·     Custom application category ID (major ID)—The value range is 1 to 999.

·     Custom application ID (minor ID)—The value range is 2001 to 9999.

·     Predefined application category ID (major ID)—The value range is 1000 to 2000.

·     Predefined application ID (minor ID)—The value range is 10000 to 20000.

action drop: Drops traffic accessing the URLs in the specified category.

action redirect: Redirects traffic accessing the URLs in the specified category.

&<1-16>: Indicates that you can specify the preceding parameter up to 16 times.

Usage guidelines

Application scenarios

An APA card can identify traffic accessing certain webpages based on the URLs in the application layer information of the packets. The APA card can identify traffic with a specific URL and process it separately. Alternatively, the APA card can categorize certain URLs and assign a URL category ID, and process traffic with URLs in the URL category collectively in batches.

Operating mechanism

Execute this command to create an SA user policy with URL category ID-based traffic control, and add the specified URL category IDs to the SA user policy. The SA user policy uniformly drops traffic accessing URLs of specified categories or redirects the traffic to the URL specified in the sa redirect-url command.

Examples

# Create the SA user policy named abc for URL category ID-based traffic control and add URL category IDs 100 and 101 to the SA user policy. Drop the traffic with URL category ID 100 and redirect traffic with URL category ID 101.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl sort-url-policy add abc sort-url 100 action drop sort-url 101 action redirect

Related commands

display sa user-policy

sa redirect-url

sa-ctl sort-url-policy delete

sa-ctl sort-url-policy delete

Use sa-ctl sort-url-policy delete to delete the specified URL category IDs from the SA user policy with URL category ID-based traffic control.

Syntax

sa-ctl sort-url-policy delete name { sort-url sort-id }&<1-16>

Views

SA node view

Predefined user roles

network-admin

Parameters

name: Specifies an SA user policy by its name, a case-sensitive string of 1 to 31 characters.

{ sort-url sort-id }&<1-16>: Adds up to 16 URL category IDs. The sort-id argument represents a URL category ID.

URL category IDs include the following types:

·     Custom application category ID (major ID)—The value range is 1 to 999.

·     Custom application ID (minor ID)—The value range is 2001 to 9999.

·     Predefined application category ID (major ID)—The value range is 1000 to 2000.

·     Predefined application ID (minor ID)—The value range is 10000 to 20000.

Examples

# Delete URL category ID 100 from the SA user policy named abc for URL category ID-based traffic control.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl sort-url-policy delete abc sort-url 100

Related commands

display sa user-policy

sa-ctl sort-url-policy add

sa-ctl url-policy add

Use sa-ctl url-policy add to create an SA user policy with URL-based traffic control, and add the specified URLs to the SA user policy.

Syntax

sa-ctl url-policy add name { url url action { drop | redirect } [ exact-match ] }&<1-10>

Views

SA node view

Predefined user roles

network-admin

Parameters

name: Specifies an SA user policy by its name, a case-sensitive string of 1 to 31 characters.

url: Adds a URL, a string of 1 to 255 characters.

action drop: Drops traffic accessing the URLs in the specified category.

action redirect: Redirects traffic accessing the URLs in the specified category.

exact-match: Exactly matches the specified URLs. If this keyword is not specified, the URLs are fuzzily matched.

&<1-10>: Indicates that you can specify the preceding parameter up to 10 times.

Usage guidelines

Application scenarios

An APA card can identify traffic accessing certain webpages based on the URLs in the application layer information of the packets. The APA card can identify traffic with a specific URL and process it separately. Alternatively, the APA card can categorize certain URLs and assign a URL category ID, and process traffic with URLs in the URL category collectively in batches.

Operating mechanism

Execute this command to create an SA user policy with URL-based traffic control and add the specified URLs to the SA user policy. The SA user policy drops traffic accessing the specified URLs or redirects the traffic to the URL specified in the sa redirect-url command.

For URLs, you can perform either exact match or fuzzy match.

·     Exact match—For the URL information carried in the application layer information of the packets to match, it must be exactly the same as the URL specified by using the sa-ctl url-policy add command.

·     Fuzzy match—For the URL information carried in the application layer information of the packets to match, it only needs to contain the URL specified by using the sa-ctl url-policy add command.

Examples

# Create an SA user policy named abc for URL-based traffic control and add URL example.com to the SA user policy. Redirect traffic that fuzzily matches this URL.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl url-policy add abc url URL1 action drop exact-match url example.com action redirect

Related commands

display sa user-policy

sa redirect-url

sa-ctl url-policy delete

sa-ctl url-policy delete

Use sa-ctl url-policy delete to delete the specified URLs from an SA user policy with URL-based traffic control.

Syntax

sa-ctl url-policy delete name { url url }&<1-10>

Views

SA node view

Predefined user roles

network-admin

Parameters

name: Specifies an SA user policy by its name, a case-sensitive string of 1 to 31 characters.

url url: Adds a URL, a string of 1 to 255 characters.

&<1-10>: Indicates that you can specify the preceding parameter up to 10 times.

Examples

# Delete URL example.com from the SA user policy named abc for URL-based traffic control.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl url-policy delete abc url example.com

Related commands

display sa user-policy

sa-ctl url-policy add

sa-ctl user bind

Use sa-ctl user bind to simulate user online events.

Syntax

sa-ctl user bind { ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } [ vpn-instance vpn-instance-name ] [ batch count | user-name user-name ] [ accelerate-policy name | control-policy name | mirror-policy name | sort-url-policy name | url-policy name | whitelist-url-policy name ] *

Views

SA node view

Predefined user roles

network-admin

Parameters

ipv4-address [ mask-length ]: Specifies users by their IPv4 addresses. The ipv4-address argument represents the user's IPv4 address, and the mask-length argument represents the mask length of the IPv4 address, in the range of 1 to 32. If you specify the mask-length argument, this option represents all users in the IPv4 address mask range. If you do not specify the mask-length argument, this option represents a user with the unique IPv4 address.

ipv6-address [ prefix-length ]: Specifies users by their IPv6 addresses. The ipv6-address argument represents the user's IPv6 address, and the prefix-length argument represents the prefix length of the IPv6 address, in the range of 1 to 128. If you specify the prefix-length argument, this option represents all users in the IPv6 address prefix range. If you do not specify the prefix-length argument, this option represents a user with the unique IPv6 address.

vpn-instance vpn-instance-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this parameter, the public network is specified.

batch count: Bulk binds SA user policies to online users. The count argument specifies the number of users, in the range of 1 to 100000. If you do not specify this option, SA user policies are bound to online users one by one.

user-name user-name: Specifies a username for a user. The user-name argument represents the username, a case-sensitive string of 1 to 31 characters. If you do not specify this option, no name will be assigned to online users.

accelerate-policy name: Binds an SA user policy for app ID-based traffic acceleration to online users. The name argument represents the name of an SA user policy, a case-sensitive string of 1 to 31 characters.

control-policy name: Binds an SA user policy for app ID-based traffic control to online users. The name argument represents the name of an SA user policy, a case-sensitive string of 1 to 31 characters.

mirror-policy name: Binds an SA user policy for app ID-based traffic mirroring to online users. The name argument represents the name of an SA user policy, a case-sensitive string of 1 to 31 characters.

sort-url-policy name: Binds an SA user policy for URL category ID-based traffic mirroring to online users. The name argument represents the name of an SA user policy, a case-sensitive string of 1 to 31 characters.

url-policy name: Binds an SA user policy for URL-based traffic control to online users. The name argument represents the name of an SA user policy, a case-sensitive string of 1 to 31 characters.

whitelist-url-policy name: Binds an SA user policy for the URL allowlist to online users. The name argument represents the name of an SA user policy, a case-sensitive string of 1 to 31 characters.

Usage guidelines

Application scenarios

After users pass authentication and come online, you can manually execute this command or have the SA backend issue this command to the BRAS to apply the bound SA user policies to online users. After the SA user policies are bound to users, you can display user information by executing the display sa user command with the policy keyword, no matter whether traffic exists.

Operating mechanism

After users come online, BRAS SA operates as follows:

1.     After users pass authentication and come online, the BRAS APA card maintains and generates the SA user table. In the SA user table, an online user is uniquely identified by its IP address and the name of the VPN instance to which the user belongs.

2.     The SA backend deploys various associated SA user policies to different online users based on the carrier's policy or the services the users have subscribed to. Alternatively, you can directly deploy SA user policies to online users by using this command.

3.     After you execute the sa port mode command on the BRAS, the service traffic of an online user will be directed to the APA card for analysis. The APA card identifies the services of the user based on the signature libraries, and assigns app IDs or URL category IDs to different types of service traffic of the user.

4.     After the user service traffic is identified and analyzed by an APA card, the user service traffic is sent to the CPU of the APA card for processing. The CPU generates a flow table to guide traffic forwarding. The CPU compares the traffic's ID (app ID or URL category ID) with the app IDs or URL category IDs specified in the SA user policies associated with the user. If the ID of multiple packets matches the app IDs or URL category IDs in an associated SA user policy, the traffic is considered to match the SA user policy. The CPU then generates a special forwarding flow table based on the SA user policy. If the ID of multiple consecutive packets does not match the app IDs or URL category IDs in an SA user policy, the traffic is considered not to match the SA user policy, and the CPU generates a common forwarding flow table. Subsequent packets are directly fast forwarded based on the forwarding flow table without being sent to the CPU for comparison and processing.

Different SA user policies are deployed to different users. Typically, all user traffic is sampled and undergoes QoE analysis, and only specific traffic from certain users undergoes traffic acceleration or traffic control.

Restrictions and guidelines

When no SA user policy parameters are specified, the online users are not bound to any SA user policy, so the command has no meaningful effect on these users.

When you execute this command multiple times to modify the mask of the same IP address or when the specified user IP addresses overlap or have an inclusion relationship, the most recent command cannot be executed. To resolve this issue, first delete the existing overlapping IP address range, and then configure the new user IP address. For example, if you configure users with IPv4 address 1.1.1.0 and mask length 24 and then configure users with IPv4 address 1.1.1.2 and mask length 32, the first configured users and the latter configured users have an inclusion relationship. The command for the latter configured users cannot be issued.

When you execute this command with the batch keyword to bulk bind SA user policies to online users, follow these restrictions and guidelines:

·     When you specify a single user IP address without specifying the mask-length or prefix-length argument, the command applies to all users with addresses in the range from the specified IPv4 or IPv6 address to that address plus count minus one. For example, if you use the sa-ctl user bind command to set the user IP address to 192.168.1.2 and set the value for the count argument to 100 in the batch count option, you bulk specify the user online IP addresses in the range of 192.168.1.2 to 192.168.1.101.

·     When you specify a user IP address range by configuring the mask-length or prefix-length argument, the specified IPv4 or IPv6 address range is treated as one user and as the start value, and count minus one further address ranges with the same mask or prefix length are added after it. For example, if you use the sa-ctl user bind command to set the user IP address to 192.168.1.0 with mask length 24 and set the value for the count argument to 10 in the batch count option, you bulk specify the user online IP addresses in the range of 192.168.1.0/24 to 192.168.10.0/24.
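The batch expansion and the overlap rule above, as an added Python example that is not part of the H3C reference: it models only the address arithmetic of the batch count option and a pre-check for overlapping or included ranges before a bind is issued. The bound-range list, its (vpn, network) shape and the function names are assumptions for illustration; the same arithmetic applies to the batch option of sa-ctl user unbind.

```python
import ipaddress

MAX_BATCH = 100000  # value range of the count argument in the batch count option


def expand_batch(address, count=1, mask_length=None):
    """Return the networks an sa-ctl user bind/unbind batch spec covers.

    Without mask_length: count consecutive host addresses starting at address
    (192.168.1.2 with count 100 -> 192.168.1.2 ... 192.168.1.101).
    With mask_length: count consecutive networks of that size, the first being
    address/mask_length (192.168.1.0/24 with count 10 -> up to 192.168.10.0/24).
    """
    if not 1 <= count <= MAX_BATCH:
        raise ValueError("count must be in the range 1 to %d" % MAX_BATCH)
    ip = ipaddress.ip_address(address)
    plen = ip.max_prefixlen if mask_length is None else mask_length
    first = ipaddress.ip_network((ip, plen), strict=False)
    step = first.num_addresses  # 1 for a single host, 256 for a /24, ...
    return [ipaddress.ip_network((first.network_address + i * step, plen))
            for i in range(count)]


def check_bind(bound, address, count=1, mask_length=None, vpn=None):
    """Pre-check a bind against ranges already bound in the same VPN instance.

    bound is a constructed list of (vpn_name, "network/len") pairs that were
    already issued (vpn_name None = public network). Returns the existing
    ranges that overlap the new spec as strings; an empty list means the
    command can be issued. Overlap covers identical, containing and
    contained ranges, which is the inclusion case the reference rejects.
    """
    new_ranges = expand_batch(address, count, mask_length)
    conflicts = []
    for old_vpn, old_spec in bound:
        if old_vpn != vpn:
            continue  # different VPN instance: separate user key
        old_net = ipaddress.ip_network(old_spec, strict=False)
        if any(old_net.overlaps(new) for new in new_ranges):
            conflicts.append(str(old_net))
    return conflicts


if __name__ == "__main__":
    # Reproduce the inclusion example from the reference: 1.1.1.0/24 bound,
    # then a bind for host 1.1.1.2 in the same (public) network is rejected.
    already = [(None, "1.1.1.0/24")]
    print(check_bind(already, "1.1.1.2"))          # ['1.1.1.0/24']
    print(expand_batch("192.168.1.0", 10, 24)[-1])  # 192.168.10.0/24
```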

Examples

# Bind a user with IP address 1.1.1.1, VPN instance vpn1, and username user1 to SA user policy aaa for app ID-based traffic acceleration.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl user bind 1.1.1.1 vpn-instance vpn1 user-name user1 accelerate-policy aaa

# Do not bind any SA user policies to users with IP addresses in IP subnet 1.1.1.1/26.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl user bind 1.1.1.1 26

Related commands

display sa user

display sa user-policy

sa-ctl user unbind

sa-ctl user online

Use sa-ctl user online to simulate user online events.

Syntax

In standalone mode:

sa-ctl user online { ipv4-address | ipv6-address } [ vpn-instance vpn-instance-name ] [ batch count ] slot slot-number [ cpu cpu-number ]

In IRF mode:

sa-ctl user online { ipv4-address | ipv6-address } [ vpn-instance vpn-instance-name ] [ batch count ] chassis chassis-number slot slot-number [ cpu cpu-number ]

Views

SA node view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address that a simulated user obtains after coming online.

ipv6-address: Specifies the IPv6 address that a simulated user obtains after coming online.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the simulated online users belong. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the users on the public network are specified.

batch count: Bulk brings the specified number of users online. The count argument specifies the number of users, in the range of 1 to 100000. If you do not specify this option, users are brought online one by one.

slot slot-number: Specifies a card by its slot number. On this device, the slot-number argument represents the entire device and its value is fixed. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. On this device, the slot-number argument represents the entire device and its value is fixed. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

Application scenarios

Execute this command on the BRAS to simulate user online events without the need for normal user authentication. By simulating user online events and binding SA user policies, you can debug SA services for online users. To display simulated online users, execute the display sa user command.

Restrictions and guidelines

When you use the batch keyword to bulk bring users online, starting with the specified user IPv4 or IPv6 address, the device deploys the specified SA user policies to all users in the range from the start IP address to the start IP address + count - 1. For example, if you use the sa-ctl user online command to set the user's online IP address to 192.168.1.2 and set the value for the count argument to 100 in the batch count option, you bulk specify the user online IP addresses in the range of 192.168.1.2 to 192.168.1.101.

Examples

# (In standalone mode.) Simulate the online event for the user with IP address 1.1.1.1 and VPN instance name vpn1.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl user online 1.1.1.1 vpn-instance vpn1 slot 1

# (In standalone mode.) Simulate the bulk user online events with IP addresses in the range of 1.1.1.1 to 1.1.1.32.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl user online 1.1.1.1 batch 32 slot 1

Related commands

display sa user

display sa user-policy

sa-ctl user offline

sa-ctl user offline

Use sa-ctl user offline to simulate user offline events.

Syntax

In standalone mode:

sa-ctl user offline { ipv4-address | ipv6-address } [ vpn-instance vpn-instance-name ] [ batch count ] slot slot-number

In IRF mode:

sa-ctl user offline { ipv4-address | ipv6-address } [ vpn-instance vpn-instance-name ] [ batch count ] chassis chassis-number slot slot-number

Views

SA node view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of a user.

ipv6-address: Specifies the IPv6 address of a user.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the users belong. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the users on the public network are specified.

batch count: Bulk brings users offline. The count argument specifies the number of users, in the range of 1 to 100000. If you do not specify this option, users are brought offline one by one.

slot slot-number: Specifies a card by its slot number. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)

cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.

Usage guidelines

Execute this command to directly simulate a user offline event on the BRAS.

Examples

# (In standalone mode.) Simulate the offline event for the user with IP address 1.1.1.1 and VPN instance name vpn1.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl user offline 1.1.1.1 vpn-instance vpn1 slot 1

Related commands

display sa user

sa-ctl user online

sa-ctl user unbind

Use sa-ctl user unbind to unbind users from SA user policies.

Syntax

sa-ctl user unbind { ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } [ vpn-instance vpn-instance-name ] [ batch count ]

sa-ctl user unbind all

Views

SA node view

Predefined user roles

network-admin

Parameters

ipv4-address [ mask-length ]: Specifies users by their IPv4 addresses. The ipv4-address argument represents the user's IPv4 address, and the mask-length argument represents the mask length of the IPv4 address, in the range of 1 to 32. If you specify the mask-length argument, this option represents all users in the IPv4 address mask range. If you do not specify the mask-length argument, this option represents a user with the unique IPv4 address.

ipv6-address [ prefix-length ]: Specifies users by their IPv6 addresses. The ipv6-address argument represents the user's IPv6 address, and the prefix-length argument represents the prefix length of the IPv6 address, in the range of 1 to 128. If you specify the prefix-length argument, this option represents all users in the IPv6 address prefix range. If you do not specify the prefix-length argument, this option represents a user with the unique IPv6 address.

vpn-instance vpn-instance-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this parameter, the public network is specified.

batch count: Bulk unbinds SA user policies from online users. The count argument specifies the number of users, in the range of 1 to 100000. If you do not specify this option, SA user policies are unbound from online users one by one.

all: Unbinds all users from their SA user policies.

Usage guidelines

When you execute this command with the batch keyword to bulk unbind SA user policies from online users, follow these restrictions and guidelines:

·     When you specify a single user IP address without specifying the mask-length or prefix-length argument, the command applies to all users with addresses in the range from the specified IPv4 or IPv6 address to that address plus count minus one. For example, if you set the user IP address to 192.168.1.2 and set the value for the count argument to 100 in the batch count option, you bulk specify the user IP addresses in the range of 192.168.1.2 to 192.168.1.101.

·     When you specify a user IP address range by configuring the mask-length or prefix-length argument, the specified IPv4 or IPv6 address range is treated as one user and as the start value, and count minus one further address ranges with the same mask or prefix length are added after it. For example, if you set the user IP address to 192.168.1.0 with mask length 24 and set the value for the count argument to 10 in the batch count option, you bulk specify the user IP addresses in the range of 192.168.1.0/24 to 192.168.10.0/24.

Examples

# Unbind SA user policies from users with IP address 1.1.1.1 and VPN instance name vpn1.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl user unbind 1.1.1.1 vpn-instance vpn1

Related commands

display sa user

sa-ctl user bind

sa-ctl whitelist-url-policy add

Use sa-ctl whitelist-url-policy add to create an SA user policy with the URL allowlist and add the specified URLs to the allowlist in the SA user policy.

Syntax

sa-ctl whitelist-url-policy add name { whitelist-url url [ exact-match ] }&<1-10>

Views

SA node view

Predefined user roles

network-admin

Parameters

name: Specifies an SA user policy by its name, a case-sensitive string of 1 to 31 characters.

whitelist-url url: Adds the specified URL to the allowlist. The url argument represents a URL, a string of 1 to 255 characters.

exact-match: Exactly matches the specified URLs. If you do not specify this keyword, the URLs are matched by fuzzy match.

&<1-10>: Indicates that you can specify the preceding parameter up to 10 times.

Usage guidelines

Add the specified URLs to the URL allowlist, and allow traffic accessing the allowlisted URLs to pass directly without traffic control.

For URLs, you can perform either exact match or fuzzy match.

·     Exact match—For the URL information carried in the application layer information of the packets to match, it must be exactly the same as the URL specified by using the sa-ctl whitelist-url-policy add command.

·     Fuzzy match—For the URL information carried in the application layer information of the packets to match, it only needs to contain the URL specified by using the sa-ctl whitelist-url-policy add command.

Examples

# Create an SA user policy named abc for the URL allowlist and add URL example.com to the allowlist in the SA user policy. URL example.com uses exact match.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl whitelist-url-policy add abc whitelist-url example.com exact-match

Related commands

display sa user-policy

sa-ctl whitelist-url-policy delete

sa-ctl whitelist-url-policy delete

Use sa-ctl whitelist-url-policy delete to delete the specified URLs from an SA user policy with the URL allowlist.

Syntax

sa-ctl whitelist-url-policy delete name { whitelist-url url }&<1-10>

Views

SA node view

Predefined user roles

network-admin

Parameters

name: Specifies an SA user policy by its name, a case-sensitive string of 1 to 31 characters.

whitelist-url url: Deletes the specified URL from the allowlist. The url argument represents a URL, a string of 1 to 255 characters.

&<1-10>: Indicates that you can specify the preceding parameter up to 10 times.

Examples

# Delete URL example.com from the SA user policy named abc with the URL allowlist.

<Sysname> system-view

[Sysname] sa node 1

[Sysname-sa-node-1] sa-ctl whitelist-url-policy delete abc whitelist-url example.com

Related commands

display sa user-policy

sa-ctl whitelist-url-policy add
