You can create subscriber sites and add a Grid member as a collector member and RPZ members to the site in order to scale the number of subscribers that the system can support. The subscriber collector caches the subscriber data received from the NAS gateways and parental control policies from the Infoblox Harmony product. The RPZ members use the cached subscriber data and the policies to resolve DNS queries. You can add a maximum of five Grid members to the subscriber site. Note that one Grid member can serve only one subscriber site. The subscriber identity information cached in the subscriber cache is replicated between the Grid members in the subscriber site.

You can configure the NAT port as an IP space discriminator (IPSD), in which case the subscriber's first deterministic NAT port is used as the IPSD to distinguish the subscriber from other subscribers using the same IP address. The NAT algorithms use port range allocation, where the first usable port for the subscriber is provided in a RADIUS accounting AVP. The first port in the range is also supported as a discriminator between subscribers using the same IP address. In a strict NAT configuration, where only NATed subscribers are allowed, the value of the Deterministic NAT port AVP must be nonzero in the RADIUS accounting message. Ports 1 through 1023 (inclusive) are reserved in a deterministic port configuration.

You can manage the subscriber sites in the following ways:

Limitations using NAT port as IPSD

  • There is no acceleration support using SNIC appliances; however, it is supported for all appliances, including vDCA acceleration.
  • You need to restart the DNS service.
  • IPSD is a global configuration that applies to all Sites. IPSD may be set from CSV, WAPI, and CLI to a different AVP.
  • Dynamic subscribers (without the Deterministic-Nat-Port AVP) in Deterministic Sites (Sites with a block_size configuration) incur a performance penalty because two lookups are required.
  • The NAT port can be configured as the IPSD only if the subscriber services properties are set to Deterministic-Nat-Port and the block size is greater than zero.
  • The site block size must be the same as the deployment CGNAT block size configuration.
  • Changing the site block size will initialize the state of the subscriber collection.
  • Static default network policies in a strict NAT configuration (Allow NATed Subscribers only) will not resolve at the DCA.

Adding Subscriber Sites

To add a subscriber site, complete the following:

  1. From the Data Management tab -> DNS tab -> Subscriber Services Deployment tab -> Subscriber Sites tab, click the Add icon.
  2. In the Add Subscriber Site wizard, complete the following:
    1. Name: Enter the name of the subscriber site.
    2. Maximum Subscribers: Specify the maximum number of subscribers for the subscriber site. This represents the overall size of the subscriber cache. You can enter a value from 10000 to 10000000.
    3. Comment: You can enter additional information about the subscriber site.
    4. Members: In the Members table, click the Add icon to add Grid members to the site. If there are multiple members, the Member Selector dialog box is displayed, from which you can select a member. Click the required member name in the dialog box. You can also delete a member from the list.
      Note that a Grid member can support only one subscriber site.

    5. Deterministic NAT Block Size: The block size specifies the number of ports made available for each incoming subscriber address. A value of zero means that NAT is not used. The value can be any number from 0 to 64512. The block size configuration cannot be changed unless the global (subscriber service properties) IPSD is set to Deterministic-NAT-Port.
    6. First port: The value of the first usable port for the subscriber. The first usable port will have a default value of 1024, and the value can be any number from 1024 to 65535, both inclusive.
    7. : Select this option to allow only NATed subscribers (subscribers with an IPSD). Here the IP address and port block allocations are made dynamically for the subscriber instance, and the IPSD of the first port is assigned to the subscriber port block. For example, if the block size is 8 for the site, then the IPSD must be set to 1024, 2032, 3040, etc.

      Note

      You can enter a value in the Deterministic NAT Block Size field only if the AVP in the IP Space Discriminator field is selected as Deterministic-NAT-port in the Subscriber Service Properties editor. To add IP space discriminators, see Adding IP Space Discriminators. To add a new AVP deterministic NAT port, configure the subscriber ID settings to associate an AVP with the subscriber in the Subscriber Services Properties editor, as described in Configuring Subscriber Services Properties.

  3. Click Next to configure NAS gateways for the subscriber site. Complete the following:
    1. Listen on RADIUS port number: Enter the UDP port number that the collector member uses to collect accounting information from the NAS gateway. You can enter an integer from 1 to 65535. The default is 1813.
    2. NAS Gateways: You must add at least one NAS gateway to the subscriber site in order to start the subscriber collection service. You can add up to 20 NAS gateways. Click the Add icon and complete the following to add a NAS gateway:
      1. Name: Enter the name of the NAS gateway.
      2. IP Address: Enter the IP address of the NAS gateway.
      3. Shared Secret: Enter a shared secret that can be used to authenticate the communication between the RADIUS accounting server and the collector member. This shared secret must match the one you entered on the RADIUS server.
      4. Confirm Shared Secret: Enter the shared secret again.
      5. Send Protocol Acknowledgment: Select this check box to send an acknowledgment to the client when the collector member receives accounting information from the NAS gateway.
      6. Comment: Enter additional information about the NAS gateway.
      7. Click Add to add the NAS gateway.
        You can select a NAS gateway configuration and click the Edit icon to modify it or click the Delete icon to delete it.

  4. This step is required only if Infoblox Subscriber Parental Control is enabled. Click Next to configure the parental control blocking IP addresses. Complete the following:
    1. Parental Control Blocking IP Addresses: You can configure two sets of IPv4 and IPv6 addresses that are used as blocking VIP addresses. The parental control subscribers are redirected to the following blocking IP addresses whenever the domain queried by the subscriber is blocked based on the subscriber parental control policy. 

      Complete the following:

      1. IPv4 Address (primary): Enter the primary blocking IPv4 address.
      2. IPv4 Address (secondary): Enter the secondary blocking IPv4 address.
      3. IPv6 Address (primary): Enter the primary blocking IPv6 address.
      4. IPv6 Address (secondary): Enter the secondary blocking IPv6 address.
    2. Policy Management Addresses: You can add IP addresses of the policy management servers to which the appliance sends APIs about the expired parental control policies. Click the Add icon. Grid Manager adds a row to the Policy Management Addresses table. Click the row and enter the IP address in the Address field. To delete an IP address, select the check box and then click the Delete icon.
    3. Content Proxy Addresses: You can add IP addresses of the Infoblox Harmony product. The appliance will forward the subscriber session to Infoblox Harmony for in-line processing of the subscriber session, depending on the policies. Click the Add icon. Grid Manager adds a row to the Content Proxy Addresses table. Click the row and enter the IP address in the Address field. To delete an IP address, select the check box and then click the Delete icon.
  5. Save the configuration, or click Next to continue to the next step where you define extensible attributes as described in Managing Extensible Attributes.
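
The limits from steps 2 and 3 and the block-size example in step 2 can be checked before a site is created. The following Python is an added example, not Infoblox code: the dictionary keys and function names are hypothetical, and it assumes that valid IPSD values are the first port plus a multiple of the block size and that a whole block must fit at or below port 65535.

```python
MAX_PORT = 65535
LIMITS = {  # inclusive ranges from the wizard text; key names are hypothetical
    "max_subscribers": (10000, 10000000), "block_size": (0, 64512),
    "first_port": (1024, MAX_PORT), "radius_port": (1, MAX_PORT),
    "nas_gateways": (1, 20), "members": (0, 5),
}

def validate_site(plan):
    """Return the plan keys whose value (or list length) breaks a documented limit."""
    bad = []
    for key, (low, high) in LIMITS.items():
        value = plan[key]
        size = len(value) if isinstance(value, list) else value
        if not low <= size <= high:
            bad.append(key)
    return bad

def is_valid_ipsd(port, block_size, first_port=1024):
    """True if port is first_port + k * block_size, the first port of a block."""
    # Assumption: a whole block must fit at or below port 65535.
    if block_size <= 0 or port < first_port or port + block_size - 1 > MAX_PORT:
        return False
    return (port - first_port) % block_size == 0

def ipsd_for_port(src_port, block_size, first_port=1024):
    """Map an observed NAT source port to its block's first port (assumed layout)."""
    if block_size <= 0 or not first_port <= src_port <= MAX_PORT:
        return None
    return first_port + (src_port - first_port) // block_size * block_size

def check_avp(avp_port, plan, strict):
    """Classify the Deterministic-Nat-Port value of one RADIUS accounting message."""
    if not avp_port:  # AVP absent or zero
        return "invalid: strict NAT needs a nonzero port" if strict else "dynamic subscriber"
    if not is_valid_ipsd(avp_port, plan["block_size"], plan["first_port"]):
        return "misaligned: not the first port of a block"
    return "ok"

# Constructed sample plan: block size 8, as in the example in step 2.
PLAN = {"max_subscribers": 100000, "members": ["member1.example.test"],
        "block_size": 8, "first_port": 1024, "radius_port": 1813,
        "nas_gateways": ["192.0.2.10"]}

if __name__ == "__main__":
    print(validate_site(PLAN))
    for port in (1024, 2032, 3040, 1028, 0):
        print(port, check_avp(port, PLAN, strict=True))
```
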

Modifying Subscriber Sites

To modify a subscriber site, complete the following:

  1. From the Data Management tab -> DNS tab -> Subscriber Services Deployment tab -> Subscriber Sites tab, click the Action icon next to the subscriber site name and select Edit from the menu.
  2. The Subscriber Site Properties editor provides the following tabs from which you can modify data:
    1. In the General tab, you can modify the information you previously entered through the wizard, as described in Adding Subscriber Sites.
    2. In the NAS Gateways tab, you can edit the NAS gateways configured for the subscriber site, as described in Adding Subscriber Sites.

      Note

      If you make any changes to the NAS gateway configuration, the subscriber collector will automatically restart within 30 seconds. However, the subscriber data collected in the subscriber cache is not affected by the NAS gateway configuration changes.

    3. If Subscriber Parental Control is enabled, the Parental Control tab is displayed. You can modify the information in the Parental Control tab, as described in Adding Subscriber Sites.
    4. You can enter or edit information in the Extensible Attributes tab, as described in Managing Extensible Attributes.
  3. Save the configuration.

Deleting Subscriber Sites

To delete a subscriber site, complete the following:

  1. From the Data Management tab -> DNS tab -> Subscriber Services Deployment tab -> Subscriber Sites tab, click the Action icon next to the subscriber site name and select Delete from the menu.
  2. In the Delete Confirmation (Subscriber Site) dialog box, click Yes.

Viewing Subscriber Sites

To view subscriber sites, complete the following:

  1. Navigate to the Data Management tab -> DNS tab -> Subscriber Services Deployment tab -> Subscriber Sites tab.
  2. Grid Manager displays the following information for each subscriber site:
    1. Actions: Click the Action icon (shown as a gear in each row) next to a selected subscriber site and choose from the following:
      1. Edit: Modify certain general properties.
      2. Delete: You can delete the subscriber site.
      3. Extensible Attributes: Add or modify extensible attributes.
      4. View NAS Gateway Message Rates: Displays the message rates of the NAS gateways configured for the subscriber site. For information, see Viewing NAS Gateway Message Rates.
    2. Name: The name of the subscriber site.
    3. Comment: Information about the subscriber site.
    4. Site: Displays values that were entered for this predefined attribute.

You can also perform the following:

  • Edit the subscriber site information.
    • Select the subscriber site, and then click the Edit icon.
  • Delete a subscriber site.
    • Select the subscriber site, and then click the Delete icon.
  • Export the list of subscriber sites.
    • Click the Export icon.
  • Print the list of subscriber sites.
    • Click the Print icon.
  • Use filters and the Go to function to narrow down the list. With the autocomplete feature, you can just enter the first few characters of an object name in the Go to field and select the object from the possible matches.
  • Create a quick filter to save frequently used filter criteria:
    • In the filter section, click Show Filter and define filter criteria for the quick filter.
    • Click Save and complete the configuration in the Save Quick Filter dialog box.
  • The appliance adds the quick filter to the quick filter drop-down list in the panel. Note that global filters are prefixed with [G], local filters with [L], and system filters with [S].
  • Sort the subscriber sites in ascending or descending order by column.

Viewing NAS Gateway Message Rates

You can view the NAS gateways (accounting log servers) configured for the subscriber site and the message rate for each NAS gateway.

To view the NAS gateway message rates, complete the following:

  1. Navigate to the Data Management tab -> DNS tab -> Subscriber Services Deployment tab -> Subscriber Sites tab.
  2. In the Subscriber Sites tab, click the Action icon (shown as a gear in each row of the table) next to the respective subscriber site and select View NAS Gateway Message Rates from the list.
  3. The NAS Gateway Message Rates dialog box displays the following information for the selected subscriber site:
    • Name: The name of the NAS gateway.
    • IP Address: The IP address of the NAS gateway.
    • Message Rate: The message rate of the NAS gateway.

