SR OS routers support redirecting HTTP traffic by using the line card ingress IP and IPv6 filter policy action http-redirect. This capability is mainly used in a subscriber-management context to redirect a subscriber web session to a captive portal landing page. Examples of use cases include redirecting a subscriber after initial connection to a new network to accept the terms of service, or redirecting a subscriber who is out of quota.
Traffic matching the http-redirect filter entry is sent to the SF/CPM for HTTP redirection:
The SF/CPM completes the TCP three-way handshake for new TCP sessions on behalf of the intended server, and responds to the HTTP GET request with a 302 redirect. The subscriber web session is therefore redirected to the portal landing page configured in the http-redirect filter action.
Non-TCP flows are ignored.
TCP flows other than HTTP that match an http-redirect filter action are reset after the three-way handshake, because the CPM does not receive an HTTP request on them. It is therefore recommended to configure the http-redirect filter entry to match only TCP port 80. HTTPS uses TLS as the underlying protocol and cannot be redirected to a landing page: the first bytes after the handshake are a TLS ClientHello, not an HTTP request, so a TCP port 443 flow matched by an http-redirect entry is simply reset like any other non-HTTP TCP flow.
Additional subscriber information may be required by the captive portal. This information can be appended as variables in the http-redirect URL and automatically substituted with the relevant subscriber session data, as follows:
$IP: subscriber host IP address
$MAC: subscriber host MAC address
$URL: original requested URL
$SAP: subscriber SAP
$SUB: subscriber identification string
$CID: circuit-ID, or interface-ID of the subscriber host (hexadecimal format)
$RID: remote-ID of the subscriber host (hexadecimal format)
$SAPDESC: configured SAP description
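As an added example (not SR OS code, and not taken from this page), the following Python models what the SF/CPM does with a flow that has hit an http-redirect entry, together with the substitution of the variables listed above into the configured URL. The session values, the landing-page host portal.example.com and the intercepted request are all constructed; the page does not state whether the router percent-encodes substituted values, so the encoding applied here is this example's own choice.

```python
# Added example, not SR OS code: a model of what the SF/CPM does with a flow
# that hit an http-redirect filter entry, including the $-variable substitution
# into the configured landing-page URL. All session values are constructed.
from typing import Dict, Optional, Tuple
from urllib.parse import quote

# Constructed subscriber-session data, keyed by the variable names the page lists.
SAMPLE_SESSION: Dict[str, str] = {
    "$IP": "10.1.1.23",
    "$MAC": "00:11:22:33:44:55",
    "$URL": "",                       # filled in from the intercepted request
    "$SAP": "1/1/2:100",
    "$SUB": "sub-0001",
    "$CID": "636972632d3031",         # hexadecimal, as the page states for $CID
    "$RID": "72656d2d3031",
    "$SAPDESC": "Access-Node-A port 5",
}

# Assumed landing-page URL (the page's own example uses a different host).
REDIRECT_URL = ("http://portal.example.com/redirect.html"
                "?subscriber=$SUB&ipaddress=$IP&mac=$MAC&location=$SAP&orig=$URL")


def substitute(url: str, session: Dict[str, str]) -> str:
    """Replace every $-variable in the configured URL with its session value.

    Longest names are replaced first so that $SAPDESC is not consumed as
    "$SAP" + "DESC". Values are percent-encoded so characters such as ':',
    '/', '&', '?' and '$' inside a value (MAC, SAP, original URL) cannot add
    or alter query parameters or inject another variable name; the page does
    not say whether the router encodes them, so this is this example's choice.
    """
    for name in sorted(session, key=len, reverse=True):
        url = url.replace(name, quote(session[name], safe=""))
    return url


def original_url(payload: bytes) -> Optional[str]:
    """Return the absolute URL of an HTTP/1.x GET carried in the first TCP
    segment after the handshake, or None if the bytes are not such a request
    (for example a TLS ClientHello on a flow that should not have matched)."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "GET" or not parts[2].startswith("HTTP/1."):
        return None
    host = None
    for line in lines[1:]:
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip()
    if not host:
        return None
    return "http://" + host + parts[1]


def cpm_handle(protocol: str, payload: bytes, redirect_url: str,
               session: Dict[str, str]) -> Tuple[str, bytes]:
    """Model the CPM's decision for one extracted flow.

    Returns (verdict, bytes sent back), where verdict is one of:
      "ignore"   - non-TCP flow, nothing is sent
      "rst"      - TCP but not HTTP: the handshake was completed, then reset
      "redirect" - HTTP GET answered with a 302 to the substituted URL
    """
    if protocol != "tcp":
        return "ignore", b""
    url = original_url(payload)
    if url is None:
        return "rst", b""
    location = substitute(redirect_url, dict(session, **{"$URL": url}))
    response = ("HTTP/1.1 302 Found\r\n"
                f"Location: {location}\r\n"
                "Content-Length: 0\r\n"
                "Connection: close\r\n\r\n").encode("ascii")
    return "redirect", response


if __name__ == "__main__":
    req = b"GET /index.html HTTP/1.1\r\nHost: example.net\r\n\r\n"
    print(cpm_handle("tcp", req, REDIRECT_URL, SAMPLE_SESSION)[1].decode())
```

Two details are worth noting: the replacement order guards against $SAP being substituted inside $SAPDESC, and because substituted values are encoded, a subscriber cannot smuggle extra query parameters into the portal URL through the Host header or request path that end up in $URL.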
The recommended filter configuration to redirect HTTP traffic is described below using ingress ip-filter policy "10":
entry 10: Allows DNS (UDP port 53) to a list of allowed DNS servers. Allowing DNS is mandatory, because the web client must resolve the requested hostname before it can send any HTTP request. The UDP destination-port match identifies DNS requests. The destination-IP match is optional; restricting it to a prefix list that contains the operator DNS servers and the most common public resolvers provides the most security, since matching UDP destination port 53 alone lets a subscriber send arbitrary UDP traffic to any host on that port. Matching UDP port 53 alone remains an alternative.
entry 20: Allows HTTP (TCP port 80) traffic to the portal landing page, defined as a prefix list. The TCP destination-port match identifies an HTTP request. Optionally, the operator can create an additional entry to allow TCP port 443 in case the landing page uses both HTTP and HTTPS. Because this entry lets the subscriber reach the portal directly, the portal must not treat query-string values such as $SUB or $IP as authenticated; a subscriber can send the same request to the portal without passing through the redirect.
entry 30: Redirects all other TCP port 80 traffic (not matched by entry 20) to the landing page URL http://www.mydomain/com/redirect.html?subscriber=$SUB&ipaddress=$IP&mac=$MAC&location=$SAP
entry 40: Explicitly drops any other IP traffic. The resulting configuration:
    ip-filter 10 name "10" create
        entry 10 create
            description "Allow DNS Traffic to DNS servers"
            match protocol udp
                dst-ip ip-prefix-list "dns-servers"
                dst-port eq 53
            exit
            action
                forward
            exit
        exit
        entry 20 create
            description "Allow HTTP traffic to redirect portal"
            match protocol tcp
                dst-ip ip-prefix-list "portal-servers"
                dst-port eq 80
            exit
            action
                forward
            exit
        exit
        entry 30 create
            description "HTTP Redirect all other TCP 80 flows"
            match protocol tcp
                dst-port eq 80
            exit
            action
                http-redirect "http://www.mydomain/com/redirect.html?subscriber=$SUB&ipaddress=$IP&mac=$MAC&location=$SAP"
            exit
        exit
        entry 40 create
            description "Drop anything else"
            action
                drop
            exit
        exit
    exit
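As an added example (not SR OS code, and not part of this page), the following Python models ip-filter 10 above and runs a few constructed subscriber flows through it, so the entry each flow hits is visible. It also shows why entry 20 must come before entry 30: if the portal allow entry is numbered above the redirect entry, the subscriber's request to the landing page itself matches the redirect entry and is answered with another 302, a redirect loop. The prefix-list contents and all addresses are assumed; the page only names the lists.

```python
# Added example, not SR OS code: a model of ip-filter 10 from this page,
# evaluated over constructed packets, to show which entry each flow hits and
# why the entry order matters. Prefix-list contents are assumed.
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed contents of the two prefix lists the page names.
PREFIX_LISTS = {
    "dns-servers": [ip_network("192.0.2.53/32"), ip_network("8.8.8.8/32")],
    "portal-servers": [ip_network("198.51.100.0/24")],
}

# One dict per entry; a missing key means "no criterion on that field".
# Entries are evaluated in ascending entry-ID order and the first match wins.
FILTER_10: List[Dict] = [
    {"entry": 10, "protocol": "udp", "dst_ip": "dns-servers", "dst_port": 53, "action": "forward"},
    {"entry": 20, "protocol": "tcp", "dst_ip": "portal-servers", "dst_port": 80, "action": "forward"},
    {"entry": 30, "protocol": "tcp", "dst_port": 80, "action": "http-redirect"},
    {"entry": 40, "action": "drop"},
]


def matches(entry: Dict, pkt: Dict) -> bool:
    """True if every criterion present in the entry matches the packet."""
    if "protocol" in entry and pkt["protocol"] != entry["protocol"]:
        return False
    if "dst_port" in entry and pkt.get("dst_port") != entry["dst_port"]:
        return False
    if "dst_ip" in entry:
        dst = ip_address(pkt["dst_ip"])
        if not any(dst in net for net in PREFIX_LISTS[entry["dst_ip"]]):
            return False
    return True


def evaluate(policy: List[Dict], pkt: Dict) -> Tuple[Optional[int], str]:
    """Return (entry id, action) of the first matching entry. Fall-through is
    modelled as drop, the default-action of an SR OS ip-filter."""
    for entry in sorted(policy, key=lambda e: e["entry"]):
        if matches(entry, pkt):
            return entry["entry"], entry["action"]
    return None, "drop"


def pkt(protocol: str, dst_ip: str, dst_port: Optional[int] = None) -> Dict:
    return {"protocol": protocol, "dst_ip": dst_ip, "dst_port": dst_port}


# Constructed subscriber flows; 198.51.100.10 is a host in "portal-servers".
SAMPLE_FLOWS = {
    "dns to operator resolver": pkt("udp", "192.0.2.53", 53),
    "udp/53 to arbitrary host": pkt("udp", "203.0.113.9", 53),
    "http to portal": pkt("tcp", "198.51.100.10", 80),
    "http to internet": pkt("tcp", "93.184.216.34", 80),
    "https to internet": pkt("tcp", "93.184.216.34", 443),
    "icmp": pkt("icmp", "93.184.216.34"),
}


def classify_all(policy: List[Dict]) -> Dict[str, Tuple[Optional[int], str]]:
    """Run every sample flow through the policy."""
    return {name: evaluate(policy, p) for name, p in SAMPLE_FLOWS.items()}


def with_portal_entry_after_redirect(policy: List[Dict]) -> List[Dict]:
    """Misordered variant: the portal allow entry renumbered to 35, above the
    redirect entry 30. Requests to the landing page then hit the redirect
    entry themselves, producing a redirect loop."""
    renumber = {20: 35}
    return [dict(e, entry=renumber.get(e["entry"], e["entry"])) for e in policy]


if __name__ == "__main__":
    for name, verdict in classify_all(FILTER_10).items():
        print(f"{name:28s} -> entry {verdict[0]} {verdict[1]}")
    print("misordered, http to portal ->",
          classify_all(with_portal_entry_after_redirect(FILTER_10))["http to portal"])
```

The "udp/53 to arbitrary host" flow is the one that separates the prefix-list variant of entry 10 from the port-only variant: with the prefix list it falls through to entry 40 and is dropped, without it a subscriber could reach any host on UDP port 53 before ever seeing the portal.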
The router also supports two redirect scale modes, configurable at the system level under config>system>cpm-http-redirect. The optimized-mode increases the number of concurrent HTTP redirect sessions the system supports, compared with no optimized-mode:
A>config>system>cpm-http-redirect#
----------------------------------------------
optimized-mode
----------------------------------------------