Subscriber aware traffic steering with TCP optimization

Traffic steering directs subscriber traffic from one point to another. When a subscriber connects to the network, the packet gateway associates an IP address with the subscriber and forwards the data packet to the Citrix ADC appliance. The appliance communicates with the PCRF server over the Gx interface to get the subscriber policy information. Depending on the policy information, the appliance performs one of the following actions:

  • Forward the data packet to another set of services (as shown in the following illustration).
  • Perform only TCP optimization.

The values shown in the following figure are configured in the CLI procedure that follows the figure. A content switching virtual server on the Citrix ADC appliance directs requests to the value added services or skips them and performs TCP optimization, depending on the defined rule, and then sends the packet out to the Internet.


Support for the configuration shown below was introduced in release 11.1 build 50.10.

To configure traffic steering for the above deployment by using the CLI:

  1. Add the appliance’s subnet IP (SNIP) addresses.

    add ns ip -type snip
    add ns ip -type snip
    add ns ip -type snip
    add ns ip -type snip
    add ns ip -type snip
  2. Add the VLANs. VLANs help the appliance identify the source of the traffic. Bind the VLANs to the interfaces and subnet IP addresses.

    add vlan 10
    add vlan 20
    add vlan 100
    add vlan 200
    add vlan 102
    bind vlan 10 -ifnum 1/4 -tagged -IPAddress
    bind vlan 20 -ifnum 1/4 -tagged -IPAddress
    bind vlan 100 -ifnum 1/2 -tagged -IPAddress
    bind vlan 200 -ifnum 1/2 -tagged -IPAddress
    bind vlan 102 -ifnum 1/1 -tagged -IPAddress
  3. Configure a service and virtual server of type Diameter, and bind the service to the virtual server. Specify the PCRF realm and values for the subscriber Gx interface parameters. Also specify the service path AVP that indicates where the appliance can find the service path name within the subscriber session. For primary PCEF functionality, configure a RADIUS listener service and RADIUS interface, and specify the interface type as “RadiusAndGx”.

    add service sd1 DIAMETER 3868
    add lb vserver vdiam DIAMETER 0 -persistenceType DIAMETER -persistAVPno 263
    bind lb vserver vdiam sd1
    set ns diameter -identity -realm
    set extendedmemoryparam -memLimit 2558
    set subscriber gxInterface -vServer vdiam -pcrfRealm
    set subscriber gxinterface -servicepathAVP 1001 1005 -servicepathVendorid 10415
    add service srad1 RADIUSListener 1813
    set subscriber radiusInterface -listeningService srad1
    set subscriber param -interfaceType RadiusAndGx
  4. Specify a default subscriber profile (*) to be applied if any of the following is true:

    • PCRF does not have the subscriber information.
    • The subscriber information does not include the service path AVP.
    • The appliance is unable to query the PCRF. For example, the service representing the PCRF is DOWN.

    add subscriber profile * -subscriberrules default_path
  5. Create TCP profiles for the VAS and TCP optimization path, respectively. Traffic steered to VAS will not undergo any TCP optimization before or after leaving the VAS. Therefore, the TCP mode of the VAS profile should be set to TRANSPARENT while the TCP mode of the TCPOpt profile should be set to ENDPOINT.

    add ns tcpProfile VAS -tcpMode TRANSPARENT

    add ns tcpProfile TCPOpt -WS ENABLED -SACK ENABLED -WSVal 8 -mss 1460 -maxBurst 30 -initialCwnd 16 -oooQSize 15000 -minRTO 800 -bufferSize 4000000 -flavor BIC -dynamicReceiveBuffering ENABLED -KA ENABLED -sendBuffsize 4000000 -rstWindowAttenuate ENABLED -spoofSynDrop ENABLED -ecn ENABLED -frto ENABLED -maxcwnd 1000000 -fack ENABLED -rstMaxAck ENABLED -tcpmode ENDPOINT

  6. Configure load balancing for the VAS servers. Create a non-addressable virtual server of type TCP. Create TCP services with the IP addresses of the VAS servers, and bind the services to the virtual server. The virtual server and services will use the transparent TCP profile created for the VAS path:

    add service vas1 TCP * -usip YES -useproxyport NO -TCPB NO -tcpProfileName VAS
    add service vas2 TCP * -usip YES -useproxyport NO -TCPB NO -tcpProfileName VAS
    add lb vserver vs1 TCP -m MAC -l2Conn ON -tcpProfileName VAS
    bind lb vserver vs1 vas1
    bind lb vserver vs1 vas2
  7. Add a load balancing virtual server to capture VAS egress traffic. This vserver will monitor the VAS egress VLAN and will use the transparent TCP profile:

    add lb vserver vsint TCP * * -Listenpolicy "CLIENT.VLAN.ID.EQ(20)" -Listenpriority 30 -l2Conn ON -tcpProfileName VAS
  8. Add a TCP optimization virtual server that listens for any traffic in the wireless-side VLAN and uses the endpoint TCP profile created for the TCP optimization path:

    add lb vserver vs-TcpOpt TCP * * -Listenpolicy "" -Listenpriority 20 -l2Conn ON -tcpProfileName TCPOpt
  9. Add the content switching (CS) configuration. This includes virtual servers, policies, and their associated actions. The CS virtual server receives the traffic and redirects it to the appropriate load balancing virtual server according to defined CS policies. Create a CS TCP virtual server that listens for any traffic in the wireless-side VLAN with highest priority and uses the endpoint TCP profile. Create a CS policy that evaluates to TRUE when “vas” is the subscriber rule, and specify a CS action that steers traffic to VAS. Make the TCP optimization virtual server the default LB vserver. Any subscriber traffic with a rule other than “vas” will go through the default LB vserver.

    add cs vserver cs1 TCP * * -Listenpolicy "" -Listenpriority 10 -l2Conn ON -tcpProfileName TCPOpt
    add cs action csact1 -targetLBVserver vs1
    add cs policy cspol1 -rule "SUBSCRIBER.RULE_ACTIVE(\"vas\") && SYS.VSERVER(\"vs1\").STATE.EQ(UP)" -action csact1
    bind cs vserver cs1 -policyName cspol1
    bind cs vserver cs1 -lbvserver vs-TcpOpt
  10. Add static or policy based routes to the internet. Dynamic routing is also supported in this configuration. The following example uses policy based routes:

    add ns pbr pbr-vlan100-to-vlan200 ALLOW -nextHop -vlan 100 -priority 10
    add ns pbr pbr-vlan20-to-vlan200 ALLOW -nextHop -vlan 20 -priority 11
    apply ns pbrs


  • The CS policies can contain IP addresses and port numbers in addition to the subscriber expressions—for example, SUBSCRIBER.RULE_ACTIVE(“vas”) && && (CLIENT.TCP.DSTPORT.EQ(80)
  • Add IPv6 configuration (addresses, routes, PBRs) to support IPv6 subscribers. Happy Eyeballs client applications will work smoothly for both VAS and TCP optimization paths.
  • Add VLANs, IP addresses, PBRs and LB virtual servers in front of VAS (vs1, vs2, etc.) to support multiple subscriber flows. Modify the listen policies of CS vserver “cs1” and LB vserver “vsint” to include the additional VLANs.
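
The following Python check is an added example, not Citrix code. It parses commands of the kind used in steps 5 to 9 and reports when the steering invariants described there do not hold: the VAS target exists and uses a TRANSPARENT profile, the CS virtual server uses an ENDPOINT profile and has the best listen priority, and no option is written with a typographic dash. The function names `parse` and `check` are illustrative, and the parser assumes every option follows the positional words as `-name value`.

```python
import shlex

DASHES = "\u2013\u2014"  # typographic dashes; the CLI option prefix is ASCII "-"
# Constructed sample: commands from the steps above (TCPOpt profile shortened) plus
# two deliberate mistakes: a typographic dash and an undefined CS action target.
SAMPLE = """\
add ns tcpProfile VAS \u2013tcpMode TRANSPARENT
add ns tcpProfile TCPOpt -WS ENABLED -SACK ENABLED -tcpmode ENDPOINT
add lb vserver vs1 TCP -m MAC -l2Conn ON -tcpProfileName VAS
add lb vserver vsint TCP * * -Listenpolicy "CLIENT.VLAN.ID.EQ(20)" -Listenpriority 30 -tcpProfileName VAS
add lb vserver vs-TcpOpt TCP * * -Listenpriority 20 -l2Conn ON -tcpProfileName TCPOpt
add cs vserver cs1 TCP * * -Listenpriority 10 -l2Conn ON -tcpProfileName TCPOpt
add cs action csact1 -targetLBVserver vs1
add cs action csact2 -targetLBVserver vs9
"""

def parse(conf):
    """Return [(leading positional words, {lower-cased option: next token})]."""
    cmds = []
    for line in conf.translate({0x2013: "-", 0x2014: "-"}).splitlines():
        toks = shlex.split(line)
        is_opt = [len(t) > 1 and t[0] == "-" for t in toks]
        words = toks[:is_opt.index(True)] if True in is_opt else toks
        opts = {t.lower(): v for t, v, f in zip(toks, toks[1:] + [""], is_opt) if f}
        if words:
            cmds.append((words, opts))
    return cmds

def check(conf):
    """Return findings for the steering invariants stated in steps 5 to 9."""
    out = [f"line {n}: typographic dash in {t!r}"
           for n, ln in enumerate(conf.splitlines(), 1) for t in ln.split() if t[0] in DASHES]
    cmds = parse(conf)
    named = lambda kind: {w[3]: o for w, o in cmds if " ".join(w[:3]).lower() == kind and len(w) > 3}
    prof, lb, cs, act = map(named, ("add ns tcpprofile", "add lb vserver", "add cs vserver", "add cs action"))
    mode = lambda o: prof.get(o.get("-tcpprofilename"), {}).get("-tcpmode", "").upper()
    for name, o in act.items():  # VAS path: target must exist and be TRANSPARENT
        tgt = o.get("-targetlbvserver")
        if tgt not in lb:
            out.append(f"{name}: target LB vserver {tgt} is not defined")
        elif mode(lb[tgt]) != "TRANSPARENT":
            out.append(f"{tgt}: VAS path TCP profile is not TRANSPARENT")
    for name, o in cs.items():  # CS vserver: ENDPOINT profile, best listen priority
        prio = int(o.get("-listenpriority", 0))
        if mode(o) != "ENDPOINT":
            out.append(f"{name}: CS vserver TCP profile is not ENDPOINT")
        if any(int(v["-listenpriority"]) <= prio for v in lb.values() if "-listenpriority" in v):
            out.append(f"{name}: an LB vserver listens at equal or higher priority")
    return out
```

Run `check()` on the command list before applying it; an empty result means the checked invariants hold, not that the whole configuration is valid.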