Examples: Using the Ascend-Data-Filter Attribute for IPv4 Subscribers

This section provides examples showing the configuration of policies that use the Ascend-Data-Filter attribute for IPv4 subscribers.

In this example, the following Ascend-Data-Filter attribute creates a RADIUS record that configures an input policy. The policy filters all packets from network 10.2.1.0 with wildcard mask 0.0.0.255 to any destination.

Ascend-Data-Filter="01000100 0A020100 00000000 18000000 00000000 00000000"

Table 7 lists the values specified in the Ascend-Data-Filter attribute.

Table 7: Ascend-Data-Filter Attribute for an Input Policy on an IPv4 Interface

Action or Classifier

Hex Value

Actual Value

Type

01

IPv4

Filter or Forward

00

Filter

Indirection

01

Ingress

Spare

00

None

Source IP address

0a020100

10.2.1.0

Destination IP address

00000000

Any

Source IP mask

18

24 (0.0.0.255)

Destination IP mask

00

0 (255,255,255,255)

Protocol

00

None

Established

00

None

Source port

0000

None

Destination port

0000

None

Source port qualifier

00

None

Destination port qualifier

00

None

Reserved

0000

None

Use the show classifier-list and show policy-list commands to view information about the policy:

host1#show classifier-list

                         Classifier Control List Table
                         ---------- ------- ---- -----
                         
IP clin_1800020_00.1 ip 10.2.1.0 0.0.0.255 any 
host1#show policy-list
                         
                                  Policy Table
                                  ------ -----
IP Policy plin_ip_1800020
   Administrative state: enable
   Reference count:      1
   Classifier control list: clin_1800020_00, precedence 100
      filter

   Referenced by interface(s): 
      ATM4/0.0  input policy, statistics enabled, virtual-router default

   Referenced by profile(s): 
      No profile references

In this example, the Ascend-Data-Filter attribute is used to create RADIUS records that configure two policies. The first policy is an input policy that filters all TCP packets that come from a port greater than 9000 on host 10.2.1.1 and that go to any destination. The second policy is an output policy that filters all UDP packets from network 20.1.0.0 to host 10.2.1.1, port 3090.

Ascend-Data-Filter = "01000100 0A020101 00000000 20000600 23280000 03000000"
 Ascend-Data-Filter = "01000000 14010000 0A020101 10201100 00000C12 00020000"

Using the show classifier-list and show policy-list commands produces the following information about the new policies:

host1#show classifier-list

                         Classifier Control List Table
                         ---------- ------- ---- -----
IP clin_1800021_00.1 tcp 10.2.1.1 gt 9000 any
IP clout_1800021_01.1 udp 20.1.0.0 0.0.255.255 10.2.1.1 eq 3090
host1#show policy-list
                         
                                  Policy Table
                                  ------ -----
IP Policy plin_ip_1800021
   Administrative state: enable
   Reference count:      1
   Classifier control list: clin_1800021_00, precedence 100
      filter

   Referenced by interface(s): 
      ATM4/0.0  input policy, statistics enabled, virtual-router default

   Referenced by profile(s): 
      No profile references

IP Policy plout_ip_1800021
   Administrative state: enable
   Reference count:      1
   Classifier control list: clout_1800021_01, precedence 100
      filter

   Referenced by interface(s): 
      ATM4/0.0  output policy, statistics enabled, virtual-router default

   Referenced by profile(s): 
      No profile references

This example creates an input policy and an output policy, each with multiple rules. The rules for the two policies are shown in the following list:

The rules for the input policy translate to the following VSAs. The VSAs must be specified in this order:

Ascend-Data-Filter = "01010100 0A020101 14000000 20080600 00000000 00000000"
Ascend-Data-Filter = "01000100 0A020101 00000000 20000600 00000000 00000000"
Ascend-Data-Filter = "01010100 0A020101 00000000 20000000 00000000 00000000"
Ascend-Data-Filter = "01000100 00000000 00000000 00000000 00000000 00000000"

The rules for the input policy translate to the following VSAs. The VSAs must be specified in this order:

Ascend-Data-Filter = "01010000 14000000 0A020101 08200600 00000000 00000000"
Ascend-Data-Filter = "01000000 00000000 0A020101 00200600 00000000 00000000"
Ascend-Data-Filter = "01010000 00000000 0A020101 00200000 00000000 00000000"
Ascend-Data-Filter = "01000000 00000000 00000000 00000000 00000000 00000000"

Using the show classifier-list and show policy-list commands produces the following information about the new policies:

host1#show classifier-list
                                                
                         Classifier Control List Table
                         ---------- ------- ---- -----
IP clin_1800022_00.1 tcp host 10.2.1.1 20.0.0.0 0.255.255.255
IP clin_1800022_01.1 tcp host 10.2.1.1 any
IP clin_1800022_02.1 ip host 10.2.1.1 any
IP clout_1800022_04.1 tcp 20.0.0.0 0.255.255.255 host 10.2.1.1
IP clout_1800022_05.1 tcp any host 10.2.1.1
IP clout_1800022_06.1 ip any host 10.2.1.1
host1#show policy-list
                         
                                  Policy Table
                                  ------ -----
IP Policy plin_ip_1800022
   Administrative state: enable
   Reference count:      1
   Classifier control list: clin_1800022_00, precedence 100
      forward
   Classifier control list: clin_1800022_01, precedence 100
      filter
   Classifier control list: clin_1800022_02, precedence 100
      forward
   Classifier control list: *, precedence 100
      filter

   Referenced by interface(s): 
      ATM4/0.0  input policy, statistics enabled, virtual-router default

   Referenced by profile(s): 
      No profile references

IP Policy plout_ip_1800022
   Administrative state: enable
   Reference count:      1
   Classifier control list: clout_1800022_04, precedence 100
      forward
   Classifier control list: clout_1800022_05, precedence 100
      filter
   Classifier control list: clout_1800022_06, precedence 100
      forward
   Classifier control list: *, precedence 100
      filter

   Referenced by interface(s): 
      ATM4/0.0  output policy, statistics enabled, virtual-router default

   Referenced by profile(s): 
      No profile reference

In this example, the following Ascend-Data-Filter attribute creates a RADIUS record that configures an input policy on an IPv4 interface. The policy filters TCP packets from host address 10.2.1.2 to any destination. The policy marks the packets with a ToS byte of 5 and a mask of 170. The policy also applies a traffic class named someTcl and a rate-limit profile named someRlp.

Ascend-Data-Filter="01010100 0a020102 00000000 20000600 045708ae 02010000 05aa0773 6f6d6554 636c0773 6f6d6552 6c70"

Table 8 lists the values specified in the Ascend-Data-Filter attribute.

Table 8: Ascend-Data-Filter Attribute Values for a RADIUS Record

Action or Classifier

Hex Value

Actual Value

Type

01

IPv4

Forward

01

Filter

Indirection

01

Ingress

Spare

00

None

Source IP address

0a020102

10.2.1.2

Destination IP address

00000000

Any

Source IP mask

20

32 (0.0.0.0)

Destination IP mask

00

0 (255,255,255,255)

Protocol

06

TCP

Established

00

None

Source port

0000

None

Destination port

0000

None

Source port qualifier

00

None

Destination port qualifier

00

None

Reserved

0000

None

Marking value

05

5

Marking mask

aa

170

Traffic class

0773 6f6d6554 636c

someTcl

Rate-limit profile

0773 6f6d6552 6c70

someRlp

host1#show classifier-list
                                                
                         Classifier Control List Table
                         ---------- ------- ---- -----
IP clin_1800023_00.1 tcp host 10.2.1.2 
host1#show policy-list
                         
                                  Policy Table
                                  ------ -----
IP Policy plin_ip_1800023
   Administrative state: enable
   Reference count:      1
   Classifier control list: clin_1800023_00, precedence 100
      mark 5 mask 170
      traffic-class someTcl
      rate-limit-profile someRlp 

   Referenced by interface(s): 
      ATM11/0.0  input policy, statistics enabled, virtual-router default

   Referenced by profile(s): 
      No profile references

Related Documentation