Subscriber Management and Services

Subscriber management (UFISPACE-S9600-72XC and UFISPACE-S9600-102XC)—Use the set system services subscriber-management enable command to enable the following subscriber management services for DHCP, PPPoE, and L2TP LAC subscribers:

• Firewall filters

• CoS

• Lawful intercept

• Multicast

• HTTP-redirect

• RADIUS

• Resource monitoring (RSMON)

• Subscriber and service accounting.

We introduce the following new CLI commands:

• show system subscriber-management health <clients | endpoints | services> command to view client, endpoint, and service status

• New options for show subscribers command: interface, class-of-service, and firewall.

• clear subscribers command to clear subscribers firewall counters.

[See enable (Enhanced Subscriber Management, Broadband Subscriber Services User Guide, Broadband Subscriber Management Getting Started Guide, and CLI Reference.]

Support for direction field in mirror header for subscriber secure policy (UFISPACE-S9600-72XC and UFISPACE-S9600-102XC)—Use subscriber secure policy to send mirrored traffic to a mediation device on a per-subscriber basis. The mediation device uses a mirror header to differentiate multiple mirrored streams from different sources. You can use the set system services radius-flow-tap extended-mirror-header command to enable direction field in the mirror header. The direction field helps the mediation device to quickly identify the traffic direction and apply the appropriate rules defined by the law enforcement agency.

[See Subscriber Secure Policy Overview, Mirror Header Format (Junos OS Evolved with Payload Direction), and radius-flow-tap.]

Support for initiating DHCP relay session over static IFL (UFISPACE-S9600-32X, UFISPACES9600-72XC, and UFISPACE-S9600-102XC)—You can initiate a DHCP relay session over a static IFL (logical interface). To do this, use the set interfaces interface_name auto-configure static-vlan-identity interface-tag tag_name and set interfaces interface-name unit logical-unit-number interface_tag tag_name commands. The tag_name and the mapped dynamic profile properties allow the system to identify the subscriber interface and create a dynamic VLAN to initiate a DHCP relay session. You can use the show subscriber (detail | extensive) command to view the initiated sessions.

[See interface-tag (Junos OS Evolved), auto-configure (Interfaces), unit (Interfaces), and show subscribers.]

Filters and filter services support (UFISPACE-S9600-32X, UFISPACES9600-72XC, and UFISPACE-S9600-102XC)—You can configure filters and filter services to control the subscriber’s data traffic.

The supported filters include:

• Ascend-Data-Filter
• RPF
• Classic filters.

The supported filter services include:

• Prefix list match to filter traffic based on matching IP prefixes
• Sample filter action to apply sampling for selected traffic
• HTTP redirect to redirect HTTP traffic
• Allowlist or walled garden to permit only specified traffic.

[See Ascend-Data-Filter Policies for Subscriber Management Overview, Unicast RPF in Dynamic Profiles for Subscriber Interfaces, Classic Filters Overview, Parameterized Filter Match Conditions for IPv6 Traffic, Parameterized Filter Match Conditions for IPv4 Traffic, Parameterized Filter Nonterminating and Terminating Actions and Modifiers, HTTP Redirect Service Overview, and Configuring a Walled Garden as a Firewall Service Filter.]

Support for L2TP CSUN and counters (UFISPACES9600-72XC and UFISPACE-S9600-102XC)—You can enable or disable Layer 2 Tunneling Protocol (L2TP) connection speed update notifications (CSUNs) for L2TP network servers (LNSs) that do not support receiving CSUNs from L2TP access concentrators (LACs), as defined in RFC5515. This enhancement allows overriding the connection-speed-update configuration by sending the 26-159 VSA attribute L2tp-Csun-enable in the access-accept message.

Additionally, accounting messages include new VSA attributes to enable counters for policers and queues, providing improved monitoring capabilities. Use the following CLI commands to allow the system to send the counter statistics in RADIUS accounting messages:

• set dynamic-profiles profile-name firewall family family filter filter-name service-accounting for policer counter statistics

• set dynamic-profiles profile-name class-of-service interfaces interface-name unit unit-name service-accounting for queue counter statistics

[See Configuring the Reporting and Processing of Subscriber Access Line Information, Juniper Networks VSAs Supported by the AAA Service Framework, AAA Accounting Messages and Supported RADIUS Attributes and Juniper Networks VSAs for Junos OS, Applying Traffic Shaping and Scheduling to a Subscriber Interface in a Dynamic Profile, class-of-service (Dynamic Profiles), and filter (Dynamic Profiles Filter Creation).]

Support for enhanced hierarchical policer under dynamic profile (UFISPACES9600-72XC and UFISPACE-S9600-102XC)—You can configure an enhanced hierarchical policer under a dynamic profile to rate-limit subscriber traffic. Traffic policing is supported at four levels of hierarchies with respect to the traffic priority: High, Medium-High, Medium-Low, and Low. Use the set dynamic-profiles profile_name firewall enhanced-hierarchical-policer policer_name command to create the enhanced hierarchical policer. You can apply the policer to a subscriber interface as a filter action for aggregate traffic levels. Include the logical-interface-policer statement to rate-limit across multiple protocol families (inet and inet6), without requiring separate policer instances for each family.

Additionally, we support new VSA tags and variables to define values for the enhanced hierarchical policer default parameters.

[See Enhanced Hierarchical Policer Overview (Junos OS Evolved), Configure Enhanced Hierarchical Policer (Junos OS Evolved), enhanced-hierarchical-policer (Dynamic Profiles), Juniper Networks VSAs Supported by the AAA Service Framework, and Predefined Variables in Dynamic Profiles.]

PAO REST Interface support for DT-A4 Service Edge routers (UFISPACE-S9600-32X)—PAO REST Interface support allows the POD Access Orchestrator (PAO) to manage and monitor DT-A4 routers through a REST-based interface. On Service Edge (leaf) routers, PAO uses this interface to dynamically create and delete empty-session VLANs that support subscriber onboarding workflows. Operators enable the feature by configuring the external-management hierarchy under system services subscriber-management. Spine routers support REST-based management and monitoring operations but do not support empty-session VLAN handling. This feature simplifies orchestration, supports automated recovery scenarios, and improves operational visibility in DT-A4 environments.