Example: Configuring HTTP Redirect Services Using a Next-Hop Method and Attaching It to a Static Interface
This example shows how to configure HTTP redirect services using a next-hop method and attach them to a static interface.
Requirements
This example uses the following hardware and software components:
- MX240, MX480, or MX960 Universal Routing Platform with a Multiservices Modular PIC Concentrator (MS-MPC) and Multiservices Modular Interfaces Card (MS-MIC) installed.
- Junos OS Release 15.1 or later.
Before you begin:
- Configure the connection between the redirect server and the MX Series router.
- Define the source address (203.0.113.0/24 is used in this example).
- Define one or more interfaces used for subscriber traffic.
Overview
HTTP redirect and rewrite services are supported for both IPv4 and IPv6. You can attach an HTTP redirect service or service set to either a static or dynamic interface. For dynamic subscriber management, you can attach HTTP services or service sets dynamically at subscriber login or by using a change of authorization (CoA). Using a next-hop method, you can configure HTTP redirect services and attach them to a static interface.
Configuration
To configure HTTP redirect services using a next-hop method and attach them to a static interface, perform these tasks:
- CLI Quick Configuration
- Configuring the CPCD Services and Attaching Service Set to Static Interface
- Configuring the Package and Installation for CPCD
- Configuring the Static Interface, HTTP Redirect Filters, and Interface Service Options
- Configuring the Additional Routing Instance and Assigning Its Next-Hop Static Interfaces
- Configuring the Interface-Specific Filters to Direct HTTP Traffic
- Configuring the Policy Option and Statement to Use a Private Blocks Prefix List
- Using Broadband Edge Static Route Configuration for Subscriber (Junos OS Release 23.4R1 for MX-Series Devices)
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, and then copy and paste the commands into the CLI.
[edit]
edit services captive-portal-content-delivery
set rule redirect match-direction input
set rule redirect term REDIRECT then redirect http://redirection-portal/redirection/
set profile http-redirect cpcd-rules redirect
[edit]
edit services service-set http-redirect-sset
set captive-portal-content-delivery-profile http-redirect
set next-hop-service inside-service-interface ms-11/1/0.1
set next-hop-service outside-service-interface ms-11/1/0.2
[edit]
edit chassis fpc 11 pic 1 adaptive-services service-package
set extension-provider package jservices-cpcd
set extension-provider syslog daemon none
set extension-provider syslog external none
set extension-provider syslog kernel none
set extension-provider syslog pfe none
[edit]
set interfaces ge-0/0/1 unit 900 description VLAN-REDIRECT
set interfaces ge-0/0/1 unit 900 vlan-id 900
set interfaces ge-0/0/1 unit 900 family inet filter input FF_HTTP_REDIR_IN
set interfaces ge-0/0/1 unit 900 family inet address 203.0.113.250/30
set interfaces ms-11/1/0 services-options open-timeout 4
set interfaces ms-11/1/0 services-options close-timeout 2
set interfaces ms-11/1/0 services-options inactivity-tcp-timeout 5
set interfaces ms-11/1/0 services-options inactivity-non-tcp-timeout 5
set interfaces ms-11/1/0 services-options session-timeout 5
set interfaces ms-11/1/0 services-options tcp-tickles 0
set interfaces ms-11/1/0 unit 1 family inet
set interfaces ms-11/1/0 unit 1 service-domain inside
set interfaces ms-11/1/0 unit 2 family inet filter output FF_CPCD_REDIRECT_OUTPUT
set interfaces ms-11/1/0 unit 2 family inet
set interfaces ms-11/1/0 unit 2 service-domain outside
[edit]
edit routing-instances CPCD_REDIRECT
set instance-type virtual-router
set interface ms-11/1/0.1
set interface ms-11/1/0.2
set routing-options static route 0.0.0.0/0 next-hop ms-11/1/0.1
set routing-options static route 203.0.113.0/24 next-hop ms-11/1/0.2
[edit]
edit firewall family inet
set filter FF_CPCD_REDIRECT_OUTPUT interface-specific
set filter FF_CPCD_REDIRECT_OUTPUT term One then count back-to-default
set filter FF_CPCD_REDIRECT_OUTPUT term One then routing-instance default
set filter FF_HTTP_REDIR_IN interface-specific
set filter FF_HTTP_REDIR_IN term ACCEPTED_PREFIXES from prefix-list User-PRIVATE-Blocks-01
set filter FF_HTTP_REDIR_IN term ACCEPTED_PREFIXES then next term
set filter FF_HTTP_REDIR_IN term HTTP from protocol tcp
set filter FF_HTTP_REDIR_IN term HTTP from destination-port http
set filter FF_HTTP_REDIR_IN term HTTP then count HTTP
set filter FF_HTTP_REDIR_IN term HTTP then forwarding-class best-effort
set filter FF_HTTP_REDIR_IN term HTTP then routing-instance CPCD_REDIRECT
[edit]
edit policy-options policy-statement User-PRIVATE-Blocks-01
set 203.0.113.0/24
Configuring the CPCD Services and Attaching Service Set to Static Interface
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
Configure the HTTP redirect service by specifying the location to which a subscriber's initial Web browser session is redirected, enabling initial provisioning and service selection for the subscriber.
[edit services]
user@host# edit captive-portal-content-delivery
Configure the service filter as a walled garden by defining the rule the router references when applying this HTTP service.
[edit services captive-portal-content-delivery]
user@host# edit rule redirect
Specify that the rule matches traffic coming in on the interface.
[edit services captive-portal-content-delivery rule redirect]
user@host# set match-direction input
Create the term match and action properties for the CPCD rule for the HTTP service.
[edit services captive-portal-content-delivery rule redirect]
user@host# set term REDIRECT then redirect http://redirection-portal/redirection/
Create the CPCD profile for the IP destination address to redirect the HTTP service.
[edit services captive-portal-content-delivery]
user@host# edit profile http-redirect
Specify the CPCD rule for the HTTP service.
[edit services captive-portal-content-delivery profile http-redirect]
user@host# set cpcd-rules redirect
Create the service set for the CPCD services.
[edit services service-set]
user@host# edit http-redirect-sset
Specify the CPCD profile for the service set.
[edit services service-set http-redirect-sset]
user@host# set captive-portal-content-delivery-profile http-redirect
Specify the interface names for the inside and outside service interfaces of the next-hop service and attach them to static interfaces.
[edit services service-set http-redirect-sset]
user@host# set next-hop-service inside-service-interface ms-11/1/0.1
user@host# set next-hop-service outside-service-interface ms-11/1/0.2
Results
From configuration mode, confirm your configuration by entering the show services command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
root@host# show services
captive-portal-content-delivery {
    rule redirect {
        match-direction input;
        term REDIRECT {
            then {
                redirect http://redirection-portal/redirection/;
            }
        }
    }
    profile http-redirect {
        cpcd-rules redirect;
    }
}
service-set http-redirect-sset {
    captive-portal-content-delivery-profile http-redirect;
    next-hop-service {
        inside-service-interface ms-11/1/0.1;
        outside-service-interface ms-11/1/0.2;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring the Package and Installation for CPCD
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
Configure Junos OS to support the service package on a service interface on an MX Series 5G Universal Routing Platform with MS-MPCs/MS-MICs.
[edit chassis]
user@host# edit fpc 11 pic 1 adaptive-services service-package
Configure the CPCD service package to run on the PIC. When the extension-provider statement is first configured, the PIC reboots.
[edit chassis fpc 11 pic 1 adaptive-services service-package]
user@host# set extension-provider package jservices-cpcd
Enable PIC system logging to record or view system log messages on the PIC but do not include daemon, external, kernel, or Packet Forwarding Engine processes.
[edit chassis fpc 11 pic 1 adaptive-services service-package]
user@host# set extension-provider syslog daemon none
user@host# set extension-provider syslog external none
user@host# set extension-provider syslog kernel none
user@host# set extension-provider syslog pfe none
Results
From configuration mode, confirm your configuration by entering the show chassis command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
root@host# show chassis
fpc 11 {
    pic 1 {
        adaptive-services {
            service-package {
                extension-provider {
                    package jservices-cpcd;
                    syslog {
                        daemon none;
                        external none;
                        kernel none;
                        pfe none;
                    }
                }
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring the Static Interface, HTTP Redirect Filters, and Interface Service Options
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
Configure a Gigabit interface with a logical interface on which traffic arrives before it is redirected.
[edit interfaces]
user@host# edit ge-0/0/1 unit 900
Assign a description and VLAN ID to the logical interface.
[edit interfaces ge-0/0/1 unit 900]
user@host# set description VLAN-REDIRECT
user@host# set vlan-id 900
Configure the IPv4 family for the interface.
[edit interfaces ge-0/0/1 unit 900]
user@host# edit family inet
Configure an input filter to evaluate when packets are received and redirected on the interface.
[edit interfaces ge-0/0/1 unit 900 family inet]
user@host# set filter input FF_HTTP_REDIR_IN
Configure an address for the input filter.
[edit interfaces ge-0/0/1 unit 900 family inet]
user@host# set address 203.0.113.250/30
Configure service options to be applied on the Multiservices interface.
[edit interfaces]
user@host# edit ms-11/1/0 services-options
Note: The values configured for the service options are shown for example only. You must configure and provision appropriate values as per the requirement.
Specify the open and close timeout periods in seconds for Transmission Control Protocol (TCP) session establishment.
[edit interfaces ms-11/1/0 services-options]
user@host# set open-timeout 4
user@host# set close-timeout 2
Specify the inactivity timeout periods in seconds for established TCP and non-TCP sessions.
[edit interfaces ms-11/1/0 services-options]
user@host# set inactivity-tcp-timeout 5
user@host# set inactivity-non-tcp-timeout 5
Specify the session lifetime in seconds globally for the Multiservices interface.
[edit interfaces ms-11/1/0 services-options]
user@host# set session-timeout 5
Specify the maximum number of keep-alive messages sent before a TCP session is allowed to time out.
[edit interfaces ms-11/1/0 services-options]
user@host# set tcp-tickles 0
Configure a logical interface on the Multiservices interface.
[edit interfaces ms-11/1/0]
user@host# edit unit 1
Configure the service domain to specify that the logical interface is used within the network.
[edit interfaces ms-11/1/0 unit 1]
user@host# set service-domain inside
Configure the IPv4 address family on the logical interface.
[edit interfaces ms-11/1/0 unit 1]
user@host# set family inet
Configure a second logical interface on the Multiservices interface.
[edit interfaces ms-11/1/0]
user@host# edit unit 2
Configure the service domain to specify that the logical interface is used outside the network.
[edit interfaces ms-11/1/0 unit 2]
user@host# set service-domain outside
Configure an output filter to redirect CPCD packets from the logical interface.
[edit interfaces ms-11/1/0 unit 2]
user@host# set family inet filter output FF_CPCD_REDIRECT_OUTPUT
Configure the IPv4 address family on the logical interface.
[edit interfaces ms-11/1/0 unit 2]
user@host# set family inet
Results
From configuration mode, confirm your configuration by entering the show interfaces command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
root@host# show interfaces
ge-0/0/1 {
    unit 900 {
        description VLAN-REDIRECT;
        vlan-id 900;
        family inet {
            filter {
                input FF_HTTP_REDIR_IN;
            }
            address 203.0.113.250/30;
        }
    }
}
ms-11/1/0 {
    services-options {
        open-timeout 4;
        close-timeout 2;
        inactivity-tcp-timeout 5;
        inactivity-non-tcp-timeout 5;
        session-timeout 5;
        tcp-tickles 0;
    }
    unit 1 {
        family inet;
        service-domain inside;
    }
    unit 2 {
        family inet {
            filter {
                output FF_CPCD_REDIRECT_OUTPUT;
            }
        }
        service-domain outside;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring the Additional Routing Instance and Assigning Its Next-Hop Static Interfaces
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
Configure a routing instance.
[edit routing-instances]
user@host# edit CPCD_REDIRECT
Configure a virtual router routing instance.
[edit routing-instances CPCD_REDIRECT]
user@host# set instance-type virtual-router
Configure the two previously defined multiservices interfaces for the routing instance.
[edit routing-instances CPCD_REDIRECT]
user@host# set interface ms-11/1/0.1
user@host# set interface ms-11/1/0.2
Configure static routing options.
[edit routing-instances CPCD_REDIRECT]
user@host# edit routing-options static
Assign the next-hop static interfaces to the routes and routing instance.
[edit routing-instances CPCD_REDIRECT routing-options static]
user@host# set route 0.0.0.0/0 next-hop ms-11/1/0.1
user@host# set route 203.0.113.0/24 next-hop ms-11/1/0.2
Results
From configuration mode, confirm your configuration by entering the show routing-instances command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
root@host# show routing-instances
CPCD_REDIRECT {
    instance-type virtual-router;
    interface ms-11/1/0.1;
    interface ms-11/1/0.2;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop ms-11/1/0.1;
            route 203.0.113.0/24 next-hop ms-11/1/0.2;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
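The next-hop method only redirects traffic when the service set, the ms- logical interfaces, the routing instance, and the input filter's routing-instance action all name the same interfaces. The following Python check is an added example, not part of the Juniper procedure; it assumes the configuration is available as full-path set lines (as printed by show configuration | display set), and the sample text and the function name check_cpcd_next_hop are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the values from this page's example, written as full-path
# "set" lines (assumed input format, e.g. "show configuration | display set").
GOOD_CONFIG = """\
set services service-set http-redirect-sset next-hop-service inside-service-interface ms-11/1/0.1
set services service-set http-redirect-sset next-hop-service outside-service-interface ms-11/1/0.2
set interfaces ms-11/1/0 unit 1 service-domain inside
set interfaces ms-11/1/0 unit 2 service-domain outside
set routing-instances CPCD_REDIRECT interface ms-11/1/0.1
set routing-instances CPCD_REDIRECT interface ms-11/1/0.2
set routing-instances CPCD_REDIRECT routing-options static route 0.0.0.0/0 next-hop ms-11/1/0.1
set firewall family inet filter FF_HTTP_REDIR_IN term HTTP then routing-instance CPCD_REDIRECT
"""
# Constructed failure case: the routing instance names a different PIC (ms-1/1/0).
BAD_CONFIG = (GOOD_CONFIG
              .replace("CPCD_REDIRECT interface ms-11/", "CPCD_REDIRECT interface ms-1/")
              .replace("next-hop ms-11/", "next-hop ms-1/"))

RULES = [
    ("svc", re.compile(r"set services service-set (\S+) next-hop-service (inside|outside)-service-interface (\S+)$")),
    ("dom", re.compile(r"set interfaces (\S+) unit (\d+) service-domain (inside|outside)$")),
    ("ri_if", re.compile(r"set routing-instances (\S+) interface (\S+)$")),
    ("ri_rt", re.compile(r"set routing-instances (\S+) routing-options static route 0\.0\.0\.0/0 next-hop (\S+)$")),
    ("fw", re.compile(r"set firewall family inet filter \S+ term \S+ then routing-instance (\S+)$")),
]

def check_cpcd_next_hop(config_text):
    """Return a list of findings; an empty list means the wiring is consistent."""
    svc, domain, ri_default = {}, {}, {}
    ri_ifls, redirect_ris = defaultdict(set), set()
    for line in config_text.splitlines():
        for kind, rx in RULES:
            m = rx.match(line.strip())
            if not m:
                continue
            g = m.groups()
            if kind == "svc":          # (service set, side) -> logical interface
                svc[(g[0], g[1])] = g[2]
            elif kind == "dom":        # logical interface -> service domain
                domain[f"{g[0]}.{g[1]}"] = g[2]
            elif kind == "ri_if":      # routing instance -> member interfaces
                ri_ifls[g[0]].add(g[1])
            elif kind == "ri_rt":      # routing instance -> default-route next hop
                ri_default[g[0]] = g[1]
            elif g[0] != "default":    # instances that filters steer traffic into
                redirect_ris.add(g[0])
    findings = []
    for (sset, side), ifl in sorted(svc.items()):
        if domain.get(ifl) != side:
            findings.append(f"{sset}: {ifl} is not service-domain {side}")
        for ri in sorted(redirect_ris):
            if ifl not in ri_ifls[ri]:
                findings.append(f"{sset}: {side} interface {ifl} is not in routing instance {ri}")
            if side == "inside" and ri_default.get(ri) != ifl:
                findings.append(f"{ri}: default route next hop is {ri_default.get(ri)}, expected {ifl}")
    return findings

if __name__ == "__main__":
    print(check_cpcd_next_hop(GOOD_CONFIG) or "consistent")
    print("\n".join(check_cpcd_next_hop(BAD_CONFIG)))
```

The default-route check mirrors this example's layout, where 0.0.0.0/0 in CPCD_REDIRECT points at the inside service interface.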
Configuring the Interface-Specific Filters to Direct HTTP Traffic
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
Create a family for the service filter under the [edit firewall] hierarchy.
[edit firewall]
user@host# edit family inet
Create an interface-specific filter to redirect output traffic for CPCD.
[edit firewall family inet]
user@host# edit filter FF_CPCD_REDIRECT_OUTPUT
Specify that this is an interface-specific filter.
[edit firewall family inet filter FF_CPCD_REDIRECT_OUTPUT]
user@host# set interface-specific
Create a filter term for the interface-specific filter for the walled garden.
[edit firewall family inet filter FF_CPCD_REDIRECT_OUTPUT]
user@host# edit term One
Specify both the action to count default traffic and the default routing instance.
[edit firewall family inet filter FF_CPCD_REDIRECT_OUTPUT term One]
user@host# set then count back-to-default
user@host# set then routing-instance default
Create a filter to redirect HTTP input traffic.
[edit firewall family inet]
user@host# edit filter FF_HTTP_REDIR_IN
Specify that this is an interface-specific filter.
[edit firewall family inet filter FF_HTTP_REDIR_IN]
user@host# set interface-specific
Create a filter term for the interface-specific filter for the walled garden.
[edit firewall family inet filter FF_HTTP_REDIR_IN]
user@host# edit term ACCEPTED_PREFIXES
Specify the list of accepted prefixes as a match condition for the walled garden’s filter.
[edit firewall family inet filter FF_HTTP_REDIR_IN term ACCEPTED_PREFIXES]
user@host# set from prefix-list User-PRIVATE-Blocks-01
Specify the action to take for all the matching HTTP traffic.
[edit firewall family inet filter FF_HTTP_REDIR_IN term ACCEPTED_PREFIXES]
user@host# set then next term
Create a second filter term for the walled garden’s filter.
[edit firewall family inet filter FF_HTTP_REDIR_IN]
user@host# edit term HTTP
Specify the protocol and destination port as match conditions for the walled garden’s filter.
[edit firewall family inet filter FF_HTTP_REDIR_IN term HTTP]
user@host# set from protocol tcp
user@host# set from destination-port http
Specify the action to take for matching HTTP traffic destined to flow outside of the walled garden.
[edit firewall family inet filter FF_HTTP_REDIR_IN term HTTP]
user@host# set then count HTTP
user@host# set then forwarding-class best-effort
user@host# set then routing-instance CPCD_REDIRECT
Results
From configuration mode, confirm your configuration by entering the show firewall command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
root@host# show firewall
family inet {
    filter FF_CPCD_REDIRECT_OUTPUT {
        interface-specific;
        term One {
            then {
                count back-to-default;
                routing-instance default;
            }
        }
    }
    filter FF_HTTP_REDIR_IN {
        interface-specific;
        term ACCEPTED_PREFIXES {
            from {
                prefix-list {
                    User-PRIVATE-Blocks-01;
                }
            }
            then next term;
        }
        term HTTP {
            from {
                protocol tcp;
                destination-port http;
            }
            then {
                count HTTP;
                forwarding-class best-effort;
                routing-instance CPCD_REDIRECT;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring the Policy Option and Statement to Use a Private Blocks Prefix List
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
Create a policy option and statement to use a private blocks prefix list under the [edit policy-options] hierarchy.
[edit policy-options]
user@host# set policy-statement User-PRIVATE-Blocks-01
Configure the source address for the private blocks prefix list.
[edit policy-options policy-statement User-PRIVATE-Blocks-01]
user@host# set 203.0.113.0/24
Results
From configuration mode, confirm your configuration by entering the show policy-options command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
root@host# show policy-options
policy-statement User-PRIVATE-Blocks-01 {
    203.0.113.0/24;
}
If you are done configuring the device, enter commit from configuration mode.
Using Broadband Edge Static Route Configuration for Subscriber (Junos OS Release 23.4R1 for MX-Series Devices)
Starting in Junos OS Release 23.4R1, the broadband edge static route configuration for subscribers feature for BNG replaces the RADIUS framed route configuration. You can now set up static IP addresses for multiple hosts on the same site.
For example:
- Use a pre-existing configuration to add the routes to the routing table. Once this configuration is committed, the routes are hidden until the subscriber with the configured subscriber IP comes up.
  staticRoute {
      routing-options {
          access {
              route 7.7.7.7/32 next-hop 50.1.1.1;
          }
      }
  }
- You can enable the static framed-routes feature on the BNG towards a specific customer connection, using the command static-framed-route under the [edit system services subscriber-management] mode.
  [edit]
  user@host# set system services subscriber-management static-framed-route
- You can now use the RADIUS server for authentication purposes and not for sending framed-routes.
Note: Static framed routes must be added, modified, or deleted only when subscribers are down. When subscribers come up, static framed-routes are attached to them. Static framed-route is supported for IPv4 only.
Verification
To confirm that HTTP redirect services have been configured correctly within a service set, perform these tasks:
- Verifying the Configured Service Set for CPCD Services
- Verifying Details for a Configured HTTP Service Rule for a Walled Garden
Verifying the Configured Service Set for CPCD Services
Purpose
Display the configured CPCD service set.
Action
From operational mode, enter the show services captive-portal-content-delivery service-set http-redirect-sset detail command.
user@host> show services captive-portal-content-delivery service-set http-redirect-sset detail
Service Set          Id   Profile         Compiled Rules
http-redirect-sset   1    http-redirect   1
Meaning
The output lists the service set configured for CPCD services.
Verifying Details for a Configured HTTP Service Rule for a Walled Garden
Purpose
Display details for a specific configured HTTP service rule for a walled garden.
Action
From operational mode, enter the show services captive-portal-content-delivery rule redirect term REDIRECT command.
user@host> show services captive-portal-content-delivery rule redirect term REDIRECT
Rule name: redirect
Rule match direction: input
Term name: term REDIRECT
Term action: redirect
Term action option: http://redirection-portal/redirection/
Meaning
The output lists rule and term details for a specific HTTP service rule configured for the walled garden.