The following excerpt is from Ascend-Data-Filter Policies for Subscriber Management Overview:
Subscriber management enables you to use Ascend-Data-Filters to create policies for subscriber traffic. An Ascend-Data-Filter is a binary value that is configured on the RADIUS server.
Subscriber management uses a dynamic profile to obtain the Ascend-Data-Filter attribute (RADIUS attribute 242) from the RADIUS server and apply the policy to a subscriber session. Dynamic profiles support Ascend-Data-Filters for inet and inet6 family types, and both families can be present in a dynamic profile.
This article provides an example for configuring a firewall filter for subscribers using Ascend-Data-Filter.
Configuration
labroot@ERX-MX480-II-RE0# show dynamic-profiles PPPoE-TEST
routing-instances {
    "$junos-routing-instance" {
        interface "$junos-interface-name" {
            any;
        }
    }
}
interfaces {
    pp0 {
        unit "$junos-interface-unit" {
            no-traps;
            ppp-options {
                chap;
                pap;
            }
            pppoe-options {
                underlying-interface "$junos-underlying-interface";
                server;
            }
            keepalives interval 30;
            family inet {
                filter {
                    input "$junos-input-filter" precedence 250;
                    output "$junos-output-filter" precedence 250;
                    adf { <-- Ascend-Data-Filter included in dynamic-profile.
                        rule "$junos-adf-rule-v4";
                        counter;
                        input-precedence 252;
                        output-precedence 252;
                    }
                }
                unnumbered-address "$junos-loopback-interface";
            }
        }
    }
}
Attributes configured on the RADIUS server
test@mx.com Cleartext-Password := "jtac123"
    Framed-IP-Address := "177.220.177.164",
    X-Ascend-Data-Filter = "ip in forward dstip 1.1.1.1/32 0 dstport = 25",
    X-Ascend-Data-Filter += "ip in forward",
    X-Ascend-Data-Filter += "0x01010100000000000000000000000000000000000000000000000b626573742d6566666f72740b706c63722d4f474f2d336d",
    ERX-Ingress-Policy-Name = "test",
    ERX-Egress-Policy-Name = "test"
Refer to Ascend-Data-Filter Attribute Fields for more information.
"0x01010100000000000000000000000000000000000000000000000b626573742d6566666f72740b706c63722d4f474f2d336d"
<-- (IPv4, Accept, Ingress, 0b = Length, 626573742d6566666f7274 = best-effort, 0b = Length, 706c63722d4f474f2d336d = plcr-OGO-3m)
Refer to Online-toolz for converting text to hex.
labroot@ERX-MX480-II-RE0# run show subscribers extensive
Type: VLAN
Logical System: default
Routing Instance: default
Interface: demux0.3221225482
Interface type: Dynamic
Underlying Interface: xe-3/0/0
Dynamic Profile Name: DYN-DEMUX3
Dynamic Profile Version: 1
State: Active
Session ID: 42
PFE Flow ID: 19
VLAN Id: 100
Login Time: 2017-04-09 10:41:27 IST

Type: PPPoE
User Name: test@mx.com
IP Address: 177.220.177.164
IP Netmask: 255.255.255.255
Logical System: default
Routing Instance: default
Interface: pp0.3221225483
Interface type: Dynamic
Underlying Interface: demux0.3221225482
Dynamic Profile Name: PPPoE-TEST
Dynamic Profile Version: 1
MAC Address: 6e:51:35:4e:00:00
Idle Timeout (seconds): 7200
Idle Timeout Ingress Only: FALSE
State: Active
Radius Accounting ID: 43
Session ID: 43
PFE Flow ID: 20
VLAN Id: 100
Login Time: 2017-04-09 10:41:27 IST
IPv4 Input Filter Name: test-pp0.3221225483-in
IPv4 Output Filter Name: test-pp0.3221225483-out
ADF IPv4 Input Filter Name: __junos_adf_43-pp0.3221225483-inet-in
    Rule 0: 0101010000000000010101010020000000000019000200000000000000000000
        from {
            destination-address 1.1.1.1/32;
            destination-port 25;
        }
        then {
            accept;
        }
    Rule 1: 0101010000000000000000000000000000000000000000000000000000000000
        then {
            accept;
        }
    Rule 2: 01010100000000000000000000000000000000000000000000000b626573742d6566666f72740b706c63722d4f474f2d336d
        then {
            forwarding-class best-effort;
            policer plcr-OGO-3m;
            accept;
        }
Accounting interval: 600
Dynamic configuration:
    junos-adf-rule-v4: 0101010000000000010101010020000000000019000200000000000000000000
    junos-adf-rule-v4: 0101010000000000000000000000000000000000000000000000000000000000
    junos-adf-rule-v4: 01010100000000000000000000000000000000000000000000000b626573742d6566666f72740b706c63722d4f474f2d336d
    junos-input-filter: test
    junos-output-filter: test
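
The rule values shown in the output above can be decoded offline to confirm that what the RADIUS server delivered matches the intended policy. This is an added example, not code from the original article or from Juniper. The function names are hypothetical, and the field offsets, including the counted forwarding-class and policer names starting at byte 26, are assumptions inferred from the rule dumps and the annotation on this page.

```python
import ipaddress
import struct

# Port comparison codes; 0 means the port is not compared.
PORT_OPS = {1: "<", 2: "=", 3: ">", 4: "!="}

# Constructed sample input: the three rule values copied from this page's output.
PAGE_RULES = [
    "0101010000000000010101010020000000000019000200000000000000000000",
    "0101010000000000000000000000000000000000000000000000000000000000",
    "01010100000000000000000000000000000000000000000000000b626573742d6566666f72740b706c63722d4f474f2d336d",
]

def _net(addr, prefix_len):
    # 4 packed address bytes plus a prefix length -> CIDR string
    return str(ipaddress.ip_network(
        f"{ipaddress.IPv4Address(addr)}/{prefix_len}", strict=False))

def _counted(buf, pos):
    """Read a one-byte length followed by that many ASCII bytes."""
    if pos >= len(buf):
        return None, pos
    end = pos + 1 + buf[pos]
    if end > len(buf):
        raise ValueError("counted string runs past the end of the rule")
    return buf[pos + 1:end].decode("ascii") or None, end

def decode_adf_v4(hex_rule):
    """Decode one IPv4 Ascend-Data-Filter rule (hex string) into a dict."""
    buf = bytes.fromhex(hex_rule[2:] if hex_rule[:2].lower() == "0x" else hex_rule)
    if len(buf) < 24 or buf[0] != 1:
        raise ValueError("expected an IPv4 rule of at least 24 bytes")
    (_, forward, ingress, _, src, dst, src_len, dst_len, proto, _,
     sport, dport, sport_op, dport_op) = struct.unpack_from("!4B4s4s4B2H2B", buf)
    # Assumption: bytes 22-25 are skipped and the counted names start at
    # offset 26, as in the page's third rule.
    fwd_class, pos = _counted(buf, 26)
    policer, _ = _counted(buf, pos)
    return {
        "action": "accept" if forward else "discard",
        "direction": "input" if ingress else "output",
        "source": _net(src, src_len),
        "destination": _net(dst, dst_len),
        "protocol": proto,
        "source_port": (PORT_OPS[sport_op], sport) if sport_op else None,
        "destination_port": (PORT_OPS[dport_op], dport) if dport_op else None,
        "forwarding_class": fwd_class,
        "policer": policer,
    }
```

Calling `decode_adf_v4` on each entry of `PAGE_RULES` gives the same match conditions and actions that the router prints under Rule 0, Rule 1 and Rule 2.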