Example: Configuring Dynamic Ascend-Data-Filter Support for Subscriber Access

Requirements

• Ensure that the Ascend-Data-Filter has been configured on the RADIUS server.
• Create the dynamic profile. See Dynamic Profiles Overview.
• Configure RADIUS support. See Configuring RADIUS Server Parameters for Subscriber Access.

Overview

• Specify the dynamic profile to use to apply the Ascend-Data-Filter policy to the subscriber session.
• Specify the Junos OS predefined variable that maps the Ascend-Data-Filter rules to Junos OS filter functionality.
• Configure optional settings, which include counting the rule usage and setting the precedence order for the filter.

Configuration

Step-by-Step Procedure

1. Specify the dynamic profile in which you want to include the Ascend-Data-Filter, and configure the interface, the logical unit number, and the family type.
   [edit] user@host# edit dynamic-profiles adf-profile-v4 interfaces $junos-interface-ifd-name unit $junos-underlying-interface-unit family inet
2. Specify that you want to include an Ascend-Data-Filter in the dynamic profile and provide the Junos OS predefined variable as the rule that maps the Ascend-Data-Filter actions to Junos OS filter functionality.
   [edit dynamic-profiles adf-profile-v4 interfaces “$junos-interface-ifd-name” unit “$junos-underlying-interface-unit” family inet] user@host# set filter adf rule $junos-adf-rule-v4
3. Enable the counter for the rule.
   [edit dynamic-profiles adf-profile-v4 interfaces “$junos-interface-ifd-name” unit “$junos-underlying-interface-unit” family inet] user@host# set filter adf counter
4. Specify the precedence for received packets on the interface.
   [edit dynamic-profiles adf-profile-v4 interfaces “$junos-interface-ifd-name” unit “$junos-underlying-interface-unit” family inet] user@host# set filter adf input-precedence 75
5. Specify the precedence for transmitted packets on the interface.
   [edit dynamic-profiles adf-profile-v4 interfaces “$junos-interface-ifd-name” unit “$junos-underlying-interface-unit” family inet] user@host# set filter adf output precedence 80

Results

From configuration mode, confirm your configuration by entering the show dynamic-profiles command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

• Verifying that Dynamic Ascend-Data-Filter Rules Are Applied to Subscriber Sessions
• Verifying Dynamic Ascend-Data-Filter Usage

Verifying that Dynamic Ascend-Data-Filter Rules Are Applied to Subscriber Sessions

Purpose

Verify that the Ascend-Data-Filter rules were attached to the subscriber.

Action

From operational mode, enter the show subscribers extensive command.

Type: DHCP
User Name: user1-adf
IP Address: 192.168.1.10
IP Netmask: 255.255.255.0
Logical System: default
Routing Instance: default
Interface: ge-1/0/0.0
Interface type: Static
Dynamic Profile Name: adf-profile-v4
MAC Address: 00:10:94:00:00:01
State: Active
Radius Accounting ID: 5
Login Time: 2010-08-12 14:06:27 PDT
ADF IPv4 Input Filter Name: __junos_adf_5-ge-1/0/0.0-inet-in
                    Rule 0: 0101010000000000d87f9200001800000000000000000000
                            from {
                                destination-address 216.127.146.0/24;
                            }
                            then {
                                accept;
                            }
                    Rule 1: 010001000000000000000000000006000000001900020000
                            from {
                                protocol 6;
                                destination-port 25;
                            }
                            then {
                                discard;
                            }
                    Rule 2: 010101000000000000000000000000000000000000000000
                            then {
                                accept;
                            }

Meaning

The output shows the information for the dynamic profile, including Ascend-Data-Filter rules. Verify the following information:

• The User Name field indicates the correct subscriber.
• The Dynamic Profile Name field is correct for the subscriber.
• The correct Ascend-Data-Filter rules are applied to the subscriber. The display shows the rules that are configured on the RADIUS server.

Verifying Dynamic Ascend-Data-Filter Usage

Purpose

Verify usage of the dynamic Ascend-Data-Filter. Counter statistics are displayed when the counter option is configured for the adf command in the dynamic profile.

Action

From operational mode, enter the show firewall command.

Filter: __junos_adf_5-ge-1/0/0.0-inet-in
Counters:
Name                         Bytes              Packets
t0-cnt                       32758                   22
t1-cnt                       22199                   15
t2-cnt                       21723                   14

Meaning

The output shows the name of the filter and lists the counter activity. If the counter option is not configured, the output displays only the filter name.