Ascend-Data-Filter Policies for Subscriber Management Overview
Subscriber management enables you to use Ascend-Data-Filters to create policies for subscriber traffic. An Ascend-Data-Filter is a binary value that is configured on the RADIUS server. The filter contains rules that specify match conditions for traffic and an action for the router to perform (such as accept or discard the traffic). The match conditions might include the source and destination IP address or port, the protocol, the filter direction, the traffic class, and policer information.
Subscriber management uses a dynamic profile to obtain the Ascend-Data-Filter
attribute (RADIUS attribute 242) from the RADIUS server and apply
the policy to a subscriber session. Dynamic profiles support Ascend-Data-Filters
for inet
and inet6
family types, and both families
can be present in a dynamic profile. You include Junos OS predefined
variables in the dynamic profiles — $junos-adf-rule-v4
for family inet
and $junos-adf-rule-v6
for inet6
. The Ascend-Data-Filter attribute can include rules for
both address families. The predefined variables map the Ascend-Data-Filter
rules for the respective family to the Junos OS firewall
filter process. A firewall filter is created and attached
to the subscriber’s logical interface.
You can also configure a static Ascend-Data-Filter by manually entering the required binary data as a hexadecimal string in a dynamic profile. A statically configured Ascend-Data-Filter in a dynamic profile takes precedence over an Ascend-Data-Filter attribute that is received from RADIUS. The static method is time-consuming to configure; it is typically used only for testing purposes.
The Ascend-Data-Filter attribute is supported in RADIUS Access-Accept and Change of Authorization (CoA) messages.
CoA updates existing filters based on the Ascend-Data-Filter Type field, as shown in the following list:
If the Type field is 1, IPv4 rules are updated and IPv6 rules are unchanged. The opposite is true if the Type field is 3.
If both Type 1 and 3 are specified, then all rules are updated.
If the CoA has no Ascend-Data-Filter rules, then the existing rules are unchanged.
Filter Naming Conventions
Each Ascend-Data-Filter has a unique name, which is assigned by the dynamic firewall process, dfwd. The assigned names are displayed in the results of the show subscriber extensive and show firewall commands. Ascend-Data-Filters use the following naming convention:
__junos_adf_session#-interfacename-family-direction
For example:
__junos_adf_33847-ge/1/0/4.53-init-in
Each Ascend-Data-Filter rule maps to a single term, and the
term names are simply t0
, t1
, ..., tn
. If you configure the counter option, the router adds a count action to each term that is created.
The counter names are a combination of the the term names with -cnt
appended. For example t0-cnt
and t1-cnt
.
Use of Multiple Sessions with Ascend-Data-Filters on an Interface
An interface can have multiple subscriber sessions, each session using its own Ascend-Data-Filter rules. When an Ascend-Data-Filter is applied to a subscriber session, the rules are created independently of any other filters and are added to the interface filter list. The Ascend-Data-Filter rules for the other sessions on the same interface are also added to the filter list. All packets that are processed for the interface must go through all filters, and the filters are applied according to the precedence you set.
Because the filter list can be a combination of several rules, you must consider how the multiple filters coexist. You must ensure that the filters are designed and applied correctly in order to provide the desired filtering and resulting action. For example, a session might have a filter that accepts traffic from Subscriber-A and discards all other traffic. However, a second session on the same interface might have a filter that accepts traffic from Subscriber-B only and discards other traffic. When the two filters are combined in the filter list, traffic from Subscriber-B is discarded by the first filter, and traffic from Subscriber-A is discarded by the second filter. As a result, no traffic is accepted on the interface because the two filters essentially cancel out each other and discard all traffic.
Optional ADF Filter Requirement for Some Subscribers
When you include either of the predefined variables—$junos-adf-rule-v4
or $junos-adf-rule-v6
—in
the dynamic profile, by default the RADIUS reply message must include
the Ascend-Data-Filter attribute (RADIUS attribute 242) for each subscriber.
If the attribute is not included, the router reports an error.
A service provider might apply the same dynamic profile to a
mixed pool of subscribers, such that the attribute is included by
RADIUS for some of the subscribers and is not included for others.
By default, the router returns an error for each of the subscribers
without the attribute, consuming system resources. You can configure
the dynamic profile to accommodate such a mixture of subscribers by
making the attribute requirement optional. To do so, and to suppress
attribute error reporting, specify the not-mandatory option with the adf
statement at the [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number family family filter]
hierarchy level. With this configuration, the Ascend-Data-filter
is simply not created when the Ascend-Data-Filter attribute is not
present.