Example: Configuring Static Ascend-Data-Filter Support for Subscriber Access
This example shows how to configure support for static Ascend-Data-Filter policies. In a static configuration, you manually configure the Ascend-Data-Filter as part of the dynamic profile configuration. This procedure differs from dynamic configuration, in which the Ascend-Data-Filter is defined on the RADIUS server and then subscriber management uses a predefined variable to map the Ascend-Data-Filter rules to Junos OS filter functionality. Because creating a static Ascend-Data-Filter configuration can be labor-intensive, you might typically use this method for testing purposes.
Requirements
- Create the dynamic profile. See Dynamic Profiles Overview.
- Configure RADIUS support. See Configuring RADIUS Server Parameters for Subscriber Access.
Overview
Ascend-Data-Filters contain rules that create policies. Subscriber management uses a dynamic profile to apply the policy to a subscriber session. You manually configure the Ascend-Data-Filter as part of the dynamic policy.
- Specify the dynamic profile to use to apply the Ascend-Data-Filter policy to the subscriber session.
- Configure the Ascend-Data-Filter.
- Configure optional settings, which include counting the rule usage and setting the precedence for received and transmitted traffic.
Configuration
Step-by-Step Procedure
To configure static Ascend-Data-Filter support:
- Specify the dynamic profile in which you want to create
the Ascend-Data-Filter, and configure the interface, the logical unit
number, and the family type.[edit] user@host# edit dynamic-profiles adf-profile-v4 interfaces $junos-interface-ifd-name unit $junos-underlying-interface-unit family inet
- Configure the Ascend-Data-Filter.
Enclose the filter values within quotation marks. You can configure
multiple Ascend-Data-Filter rules in the same dynamic profile. [edit dynamic-profiles adf-profile-v4 interfaces “$junos-interface-ifd-name” unit “$junos-underlying-interface-unit” family inet] user@host# set filter adf rule “01000100 0A020100 00000000 18000000 00000000 00000000”
- Enable the counter for the rule.[edit dynamic-profiles adf-profile-v4 interfaces “$junos-interface-ifd-name” unit “$junos-underlying-interface-unit” family inet] user@host# set filter adf counter
- Specify the precedence for received packets on the interface. [edit dynamic-profiles adf-profile-v4 interfaces “$junos-interface-ifd-name” unit “$junos-underlying-interface-unit” family inet] user@host# set filter adf input-precedence 80
- Specify the precedence for transmitted packets on the
interface.[edit dynamic-profiles adf-profile-v4 interfaces “$junos-interface-ifd-name” unit “$junos-underlying-interface-unit” family inet] user@host# set filter adf output precedence 85
Results
From configuration mode, confirm your configuration by entering the show dynamic-profiles command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Results
The Ascend-Data-Filter rule defined in Step 2 of the procedure configures an input policy that filters all packets from network 10.2.1.0 with wildcard mask 255.255.255.0 to any destination.
Table 1 lists the values specified in the Ascend-Data-Filter rule.
Table 1: Ascend-Data-Filter Rule
Action or Classifier | Hex Value | Junos OS Filter Function |
|---|---|---|
Type | 01 | IPv4 |
Forward | 00 | Forward |
Indirection | 01 | Ingress |
Spare | 00 | None |
Source IP address | 0a020100 | 10.2.1.0 |
Destination IP address | 00000000 | Any |
Source IP mask | 18 | 24 (255.255.255.0) |
Destination IP mask | 00 | 0 (0.0.0.0) |
Protocol | 00 | None |
Established | 00 | None |
Source port | 0000 | None |
Destination port | 0000 | None |
Source port qualifier | 00 | None |
Destination port qualifier | 00 | None |
Reserved | 0000 | None |
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying that Static Ascend-Data-Filter Rules are Applied to Subscriber Sessions
- Verifying Static Ascend-Data-Filter Usage
Verifying that Static Ascend-Data-Filter Rules are Applied to Subscriber Sessions
Purpose
Verify that the Ascend-Data-Filter rules you manually configured were attached to the subscriber.
Action
From operational mode, enter the show subscribers extensive command.
Type: DHCP
User Name: user1-adf
IP Address: 192.168.1.10
IP Netmask: 255.255.255.0
Logical System: default
Routing Instance: default
Interface: ge-1/0/0.0
Interface type: Static
Dynamic Profile Name: adf-profile-v4
MAC Address: 00:10:94:00:00:01
State: Active
Radius Accounting ID: 5
Login Time: 2010-08-12 14:06:27 PDT
ADF IPv4 Input Filter Name: __junos_adf_5-ge-1/0/0.0-inet-in
Rule 0: 010001000A02010000000000180000000000000000000000
from {
destination-address 10.2.1.0/24;
}
then {
accept;
}
Meaning
The output shows the information for the dynamic profile, including Ascend-Data-Filter rules. Verify the following information:
- The User Name field indicates the correct subscriber.
- The Dynamic Profile Name field is correct for the subscriber.
- The correct static Ascend-Data-Filter rule is applied to the subscriber.
Verifying Static Ascend-Data-Filter Usage
Purpose
Verify usage of the static Ascend-Data-Filter. Counter statistics are displayed when the counter option is configured for the adf command in the dynamic profile.
Action
From operational mode, enter the show firewall command.
user@host> show firewallFilter: __junos_adf_5-ge-1/0/0.0-inet-in Counters: Name Bytes Packets t0-cnt 32758 22
Meaning
The output shows the name of the filter and the lists counter activity. If the counter option is not configured, the output displays only the filter name.
