Request Routing (SRC CLI)

SIC routing rules define how the SIC routes accounting and authentication requests. You configure routing rules for each server in the SIC group. There are two types of routing rules:

Explicit Routing Rules

An explicit route is a collection of criteria used to select a particular routing target. Explicit routing rules consist of a condition, or set of conditions, and an accounting or authentication target to which the request is to be routed. Routing criteria consist of a list of simple Boolean expressions on RADIUS attributes and transactional variables. The accounting target is either the SSR database or a downstream network element that contains an AAA server. The authentication target is an AAA server in a downstream network element.

You specify explicit routing rules based on the following match conditions:

You can test the value of the match condition for the following conditions:

The Has prefix and Has suffix condition tests work only on the string representation of the value. To test for a range condition, specify a low value and a high value. Figure 69 depicts the explicit routing rule process.

Figure 69: Explicit Routing Rule Process

Explicit Routing Rule

When the SIC receives an accounting or authentication request, it evaluates any defined explicit routing rules in the order they were configured. When multiple routes are configured, they are evaluated in the order they are displayed by the show command. A newly created route is displayed last among the routes and has the lowest priority, so it is evaluated last. You can use the SRC CLI insert command to move a route before or after another route to change its evaluation order. The higher a route is displayed on the list, the sooner it is evaluated. For a route to be selected, all conditions of the rule must be true. If a match is not found, the next configured rule is examined, and so on. As soon as a rule with matching criteria is encountered, the iteration stops and the accounting or authentication target in that rule is selected as the destination for the request. If a match for all conditions cannot be found in the explicit routing rules, the implicit routing rules are examined.

Before the request is sent to the specified target, you can edit it by optionally specifying an editing rule for the accounting route.

Examples of explicit routing rules are:

Rule 1: If the NAS-Identifier is nas1, then the target is accounting method method1, which is the database accounting method:

[edit shared sic group group1 server server1 accounting-route route1] 
user@host# show 
target method1;
condition {
attribute nas-identifier;
equals nas1;

Rule 2: If the NAS-Identifier is nas2 then the target is accounting method method2, which is the proxy accounting method, pointing to the RADIUS network element rne1:

[edit shared sic group group1 accounting-method method2 proxy] 
user@host# show 
radius {
network-element rne1;
[edit shared sic group group1 server server1 accounting-route route2]
user@host# show
target method2;
condition {
attribute nas-identifier;
equals nas2;

This example is an accounting route example. Authentication routes work the same way.

Implicit Routing Rules

Implicit routes are realm based. You configure implicit routes by defining a network element that contains a remote AAA server and assigning it the proxy function. You can then either define a default route used for all requests from all realms or specify that only requests from specific realms are routed to the proxy AAA server. When you specify realms, you have the option to set a condition of either an exact match of the realm string, or a match on the prefix of the realm string.

Implicit routing rules have lower priority and are evaluated only if a match is not found for explicit routing rules. When a request is received, the SIC server evaluates the associated routing rules. First, the server evaluates any explicit routing rules. If no match is found, the server evaluates the implicit routing rules. When a match is found, the server processes the request by routing it to the specified network element that has the proxy function assigned to it.

Related Documentation