ON THIS PAGE
Example: Configuring a Filter to Exclude DHCPv6 and ICMPv6 Control Traffic for LAC Subscriber
This example shows how to configure a standard stateless firewall filter that excludes DHCPv6 and ICMPv6 control packets from being considered for idle-timeout detection for tunneled subscribers at the LAC.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
Subscriber access on a LAC can be limited by configuring an idle timeout period that specifies the maximum period of time a subscriber can remain idle after the subscriber session is established. The LAC monitors the subscriber’s upstream and downstream data traffic to determine whether the subscriber is inactive. Based on the session accounting statistics. the subscriber is not considered idle as long as data traffic is detected in either direction. When no traffic is detected for the duration of the idle time out, the subscriber is logged out gracefully similarly to a RADIUS-initiated disconnect or a CLI-initiated logout.
However, after a tunnel is established for L2TP subscribers, all packets through the tunnel at the LAC are treated as data packets. Consequently, the accounting statistics for the session are inaccurate and the subscriber is not considered to be idle as long as DHCPv6 and ICMPv6 control packets are being sent.
Starting in Junos OS Release 17.2R1, you can define a firewall
filter for the inet6 family with terms to match on these
control packets. Include the use the exclude-accounting terminating action in the filter terms to drop these control packets.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set access profile v6-exclude-idle session-options client-idle-timeout 10 set access profile v6-exclude-idle session-options client-idle-timeout-ingress-only edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER set interface-specific set term EXCLUDE-ACCT-DHCP-INET6 from next-header udp set term EXCLUDE-ACCT-DHCP-INET6 from source-port 546 set term EXCLUDE-ACCT-DHCP-INET6 from source-port 547 set term EXCLUDE-ACCT-DHCP-INET6 from destination-port 546 set term EXCLUDE-ACCT-DHCP-INET6 from destination-port 547 set term EXCLUDE-ACCT-DHCP-INET6 then count exclude-acct-dhcpv6 set term EXCLUDE-ACCT-DHCP-INET6 then exclude-accounting set term EXCLUDE-ACCT-ICMP6 from next-header icmp6 set term EXCLUDE-ACCT-ICMP6 from icmp-type router-solicit set term EXCLUDE-ACCT-ICMP6 from icmp-type neighbor-solicit set term EXCLUDE-ACCT-ICMP6 from icmp-type neighbor-advertisement set term EXCLUDE-ACCT-ICMP6 then count exclude-acct-icmpv6 set term EXCLUDE-ACCT-ICMP6 then exclude-accounting set term default then accept top edit dynamic-profiles pppoe-dynamic-profile interfaces pp0 unit "$junos-interface-unit" set family inet6 filter input EXCLUDE-ACCT-INET6-FILTER set family inet6 filter output EXCLUDE-ACCT-INET6-FILTER set actual-transit-statistics
Configure the Filter
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in theCLI User Guide.
To configure the filter:
Set the idle timeout for subscriber sessions..
[edit access profile v6-exclude-idle] user@host# set session-options client-idle-timeout 10
Specify the idle timeout applies only to ingress traffic.
[edit access profile v6-exclude-idle] user@host# set session-options client-idle-timeout-ingress-only
Define the firewall filter term that excludes the DHCPv6 control packets from accounting statistics.
Specify a match on packets with the first Next Header field set to UDP (17).
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER] user@host# set term EXCLUDE-ACCT-DHCP-INET6 from next-header udp
Specify a match on packets with a source port of 546 or 547 (DHCPv6).
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER] user@host# set term EXCLUDE-ACCT-DHCP-INET6 from source-port 546 user@host# set term EXCLUDE-ACCT-DHCP-INET6 from source-port 547
Specify a match on packets with a DHCP destination port of 546 or 547 (DHCPv6).
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER] user@host# set term EXCLUDE-ACCT-DHCP-INET6 from destination-port 546 user@host# set term EXCLUDE-ACCT-DHCP-INET6 from destination-port 547
Count the matched DHCPv6 packets.
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER] user@host# set term EXCLUDE-ACCT-DHCP-INET6 then count exclude-acct-dhcpv6
Exclude the matched DHCPv6 packets from accounting statistics.
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER] user@host# set term EXCLUDE-ACCT-DHCP-INET6 then exclude-accounting
Define the firewall filter term that excludes the ICMPv6 control packets from accounting statistics.
Specify a match on packets with the first Next Header field set to ICMPv6 (58).
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER] user@host# set term EXCLUDE-ACCT-ICMP6 from next-header icmp6
Specify a match on packets with an ICMPv6 message type.
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER] user@host# set term EXCLUDE-ACCT-ICMP6 from icmp-type router-solicit user@host# set term EXCLUDE-ACCT-ICMP6 from icmp-type neighbor-solicit user@host# set term EXCLUDE-ACCT-ICMP6 from icmp-type neighbor-advertisement
Count the matched ICMPv6 packets.
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER] user@host# set term EXCLUDE-ACCT-ICMP6 then count exclude-acct-icmpv6
Exclude the matched ICMPv6 packets from accounting statistics.
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER] user@host# set term EXCLUDE-ACCT-DHCP-INET6 then exclude-accounting
Define the default filter term to accept all other packets.
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER] user@host# set term default then accept
Configure the dynamic profile to apply the filter to input and output interfaces for the
inet6family.[edit dynamic-profiles pppoe-dynamic-profile interfaces pp0 unit "$junos-interface-unit"] user@host# set family inet6 filter input EXCLUDE-ACCT-INET6-FILTER user@host# set family inet6 filter output EXCLUDE-ACCT-INET6-FILTER
Enable subscriber management accurate accounting.
[edit dynamic-profiles pppoe-dynamic-profile interfaces pp0 unit "$junos-interface-unit"] user@host# set actual-transit-statistics
Results
From configuration mode, confirm your configuration
by entering the show access, show firewall,
and show dynamic-profiles commands. If the output does
not display the intended configuration, repeat the instructions in
this example to correct the configuration.
user@host# show access
profile v6-exclude-idle {
session-options {
client-idle-timeout 10;
client-idle-timeout-ingress-only;
}
}
user@host# show firewall
family inet6 {
filter EXCLUDE-ACCT-INET6-FILTER {
interface-specific;
term EXCLUDE-ACCT-DHCP-INET6 {
from {
next-header udp;
source-port [ 546 547 ];
destination-port [ 546 547 ];
}
then {
count exclude-acct-dhcpv6;
exclude-accounting
}
}
term EXCLUDE-ACCT-ICMP6 {
from {
next-header icmp6;
icmp-type [ router-solicit neighbor-solicit neighbor-advertisement ]
}
then {
count exclude-acct-icmpv6;
exclude-accounting;
}
}
term default {
then accept;
}
}
}
user@host# show dynamic-profiles
pppoe-dynamic-profile {
interfaces {
pp0 {
unit "$junos-interface-unit" {
actual-transit-statistics;
family inet6 {
filter {
input EXCLUDE-ACCT-INET6-FILTER;
output EXCLUDE-ACCT-INET6-FILTER;
}
}
}
}
}
}
If you are done configuring the device, enter commit from configuration mode.