Example: Configuring a Filter to Exclude DHCPv6 and ICMPv6 Control Traffic for LAC Subscribers
This example shows how to configure a standard stateless firewall filter so that DHCPv6 and ICMPv6 control packets are not considered for idle-timeout detection of tunneled subscribers on the LAC.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
Subscriber access on the LAC can be limited by configuring an idle timeout period, which specifies the maximum time a subscriber can remain idle after the subscriber session is established. The LAC monitors the subscriber's upstream and downstream data traffic, based on session accounting statistics, to determine whether the subscriber is inactive. As long as data traffic is detected in either direction, the subscriber is not considered idle. When no traffic is detected for the duration of the idle timeout, the subscriber is gracefully logged out, similar to a RADIUS-initiated disconnect or a CLI-initiated logout.
However, after a tunnel is established for an L2TP subscriber, all packets that pass through the tunnel on the LAC are treated as data packets. Consequently, the session's accounting statistics are inaccurate as long as DHCPv6 and ICMPv6 control packets are being sent, and the subscriber is never considered idle.
Starting in Junos OS Release 17.2R1, you can define a firewall filter for the inet6 family with terms that match on these control packets. Include the exclude-accounting terminating action in those filter terms to exclude the matching control packets from the accounting statistics.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set access profile v6-exclude-idle session-options client-idle-timeout 10
set access profile v6-exclude-idle session-options client-idle-timeout-ingress-only
edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER
set interface-specific
set term EXCLUDE-ACCT-DHCP-INET6 from next-header udp
set term EXCLUDE-ACCT-DHCP-INET6 from source-port 546
set term EXCLUDE-ACCT-DHCP-INET6 from source-port 547
set term EXCLUDE-ACCT-DHCP-INET6 from destination-port 546
set term EXCLUDE-ACCT-DHCP-INET6 from destination-port 547
set term EXCLUDE-ACCT-DHCP-INET6 then count exclude-acct-dhcpv6
set term EXCLUDE-ACCT-DHCP-INET6 then exclude-accounting
set term EXCLUDE-ACCT-ICMP6 from next-header icmp6
set term EXCLUDE-ACCT-ICMP6 from icmp-type router-solicit
set term EXCLUDE-ACCT-ICMP6 from icmp-type neighbor-solicit
set term EXCLUDE-ACCT-ICMP6 from icmp-type neighbor-advertisement
set term EXCLUDE-ACCT-ICMP6 then count exclude-acct-icmpv6
set term EXCLUDE-ACCT-ICMP6 then exclude-accounting
set term default then accept
top
edit dynamic-profiles pppoe-dynamic-profile interfaces pp0 unit "$junos-interface-unit"
set family inet6 filter input EXCLUDE-ACCT-INET6-FILTER
set family inet6 filter output EXCLUDE-ACCT-INET6-FILTER
set actual-transit-statistics
Configuring the Filter
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure the filter:
Set the idle timeout for the subscriber session.
[edit access profile v6-exclude-idle]
user@host# set session-options client-idle-timeout 10
Specify that the idle timeout applies only to ingress traffic.
[edit access profile v6-exclude-idle]
user@host# set session-options client-idle-timeout-ingress-only
Define the firewall filter term that excludes DHCPv6 control packets from the accounting statistics.
Specify a match on packets whose next-header field is set to UDP (17).
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER]
user@host# set term EXCLUDE-ACCT-DHCP-INET6 from next-header udp
Specify a match on packets with a source port of 546 or 547 (DHCPv6).
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER]
user@host# set term EXCLUDE-ACCT-DHCP-INET6 from source-port 546
user@host# set term EXCLUDE-ACCT-DHCP-INET6 from source-port 547
Specify a match on packets with a destination port of 546 or 547 (DHCPv6).
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER]
user@host# set term EXCLUDE-ACCT-DHCP-INET6 from destination-port 546
user@host# set term EXCLUDE-ACCT-DHCP-INET6 from destination-port 547
Count the matching DHCPv6 packets.
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER]
user@host# set term EXCLUDE-ACCT-DHCP-INET6 then count exclude-acct-dhcpv6
Exclude the matching DHCPv6 packets from the accounting statistics.
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER]
user@host# set term EXCLUDE-ACCT-DHCP-INET6 then exclude-accounting
Define the firewall filter term that excludes ICMPv6 control packets from the accounting statistics.
Specify a match on packets whose next-header field is set to ICMPv6 (58).
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER]
user@host# set term EXCLUDE-ACCT-ICMP6 from next-header icmp6
Specify a match on packets by ICMPv6 message type.
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER]
user@host# set term EXCLUDE-ACCT-ICMP6 from icmp-type router-solicit
user@host# set term EXCLUDE-ACCT-ICMP6 from icmp-type neighbor-solicit
user@host# set term EXCLUDE-ACCT-ICMP6 from icmp-type neighbor-advertisement
Count the matching ICMPv6 packets.
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER]
user@host# set term EXCLUDE-ACCT-ICMP6 then count exclude-acct-icmpv6
Exclude the matching ICMPv6 packets from the accounting statistics.
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER]
user@host# set term EXCLUDE-ACCT-ICMP6 then exclude-accounting
Define the default filter term to accept all other packets.
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER]
user@host# set term default then accept
Configure the dynamic profile to apply the filter as the input and output filter for the inet6 family on the interface.
[edit dynamic-profiles pppoe-dynamic-profile interfaces pp0 unit "$junos-interface-unit"]
user@host# set family inet6 filter input EXCLUDE-ACCT-INET6-FILTER
user@host# set family inet6 filter output EXCLUDE-ACCT-INET6-FILTER
Enable accurate accounting for subscriber management.
[edit dynamic-profiles pppoe-dynamic-profile interfaces pp0 unit "$junos-interface-unit"]
user@host# set actual-transit-statistics
Results
From configuration mode, confirm your configuration by entering the show access, show firewall, and show dynamic-profiles commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
user@host# show access
profile v6-exclude-idle {
    session-options {
        client-idle-timeout 10;
        client-idle-timeout-ingress-only;
    }
}
user@host# show firewall
family inet6 {
    filter EXCLUDE-ACCT-INET6-FILTER {
        interface-specific;
        term EXCLUDE-ACCT-DHCP-INET6 {
            from {
                next-header udp;
                source-port [ 546 547 ];
                destination-port [ 546 547 ];
            }
            then {
                count exclude-acct-dhcpv6;
                exclude-accounting;
            }
        }
        term EXCLUDE-ACCT-ICMP6 {
            from {
                next-header icmp6;
                icmp-type [ router-solicit neighbor-solicit neighbor-advertisement ];
            }
            then {
                count exclude-acct-icmpv6;
                exclude-accounting;
            }
        }
        term default {
            then accept;
        }
    }
}
user@host# show dynamic-profiles
pppoe-dynamic-profile {
    interfaces {
        pp0 {
            unit "$junos-interface-unit" {
                actual-transit-statistics;
                family inet6 {
                    filter {
                        input EXCLUDE-ACCT-INET6-FILTER;
                        output EXCLUDE-ACCT-INET6-FILTER;
                    }
                }
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
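The idle-timeout behaviour described in the Overview, as an added Python model that is not Junos code and not part of the original page: it evaluates the example filter's terms first-match over a constructed packet trace and reports when the 10-second client-idle-timeout would expire with and without the filter, and with client-idle-timeout-ingress-only. Packet, filter_action, idle_expiry and TRACE are names assumed here.

```python
from dataclasses import dataclass

ICMP6_EXCLUDED = {133, 135, 136}   # router-solicit, neighbor-solicit, neighbor-advertisement (RFC 4861)
DHCPV6_PORTS = {546, 547}          # DHCPv6 client and server UDP ports

@dataclass
class Packet:
    ts: float           # seconds since the session was established
    direction: str      # "in" = from the subscriber (ingress), "out" = toward the subscriber
    next_header: str    # "udp", "tcp", "icmp6", ...
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0

def filter_action(pkt):
    """First-match evaluation of EXCLUDE-ACCT-INET6-FILTER; returns the terminating action."""
    if pkt.next_header == "udp" and DHCPV6_PORTS & {pkt.sport, pkt.dport}:
        return "exclude-accounting"          # term EXCLUDE-ACCT-DHCP-INET6
    if pkt.next_header == "icmp6" and pkt.icmp_type in ICMP6_EXCLUDED:
        return "exclude-accounting"          # term EXCLUDE-ACCT-ICMP6
    return "accept"                          # term default

def idle_expiry(pkts, until, idle_timeout=10.0, ingress_only=False, use_filter=True):
    """First time within [0, until] at which the idle timer expires, or None if it never does.
    Only accounted packets reset the timer; use_filter=False models the unfiltered tunnel."""
    last = 0.0                               # session establishment counts as activity
    for pkt in sorted((p for p in pkts if p.ts <= until), key=lambda p: p.ts):
        if ingress_only and pkt.direction != "in":
            continue                         # client-idle-timeout-ingress-only: downstream ignored
        if use_filter and filter_action(pkt) == "exclude-accounting":
            continue                         # excluded from accounting: does not reset the timer
        if pkt.ts - last >= idle_timeout:    # timer ran out before this packet arrived
            return last + idle_timeout
        last = pkt.ts
    expiry = last + idle_timeout
    return expiry if expiry <= until else None

# Constructed trace: one real data packet, then only periodic control traffic.
TRACE = [
    Packet(2.0, "in", "tcp", 40000, 443),        # subscriber data
    Packet(8.0, "out", "icmp6", icmp_type=134),  # Router Advertisement (not matched by the filter)
    Packet(9.0, "in", "udp", 546, 547),          # DHCPv6 Renew
    Packet(9.1, "out", "udp", 547, 546),         # DHCPv6 Reply
    Packet(18.0, "in", "icmp6", icmp_type=135),  # Neighbor Solicitation
    Packet(18.1, "out", "icmp6", icmp_type=136), # Neighbor Advertisement
    Packet(27.0, "in", "icmp6", icmp_type=133),  # Router Solicitation
]
```

Over this trace the unfiltered tunnel never idles within 30 seconds, the filter alone makes the timer expire at 18.0 s (the downstream Router Advertisement still counts), and the filter plus the ingress-only option makes it expire at 12.0 s, ten seconds after the subscriber's last real data packet.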