ON THIS PAGE
Example: Configuring Static Ascend-Data-Filter Support for Subscriber Access
This example shows how to configure support for static Ascend-Data-Filter policies. In a static configuration, you manually configure the Ascend-Data-Filter as part of the dynamic profile configuration. This procedure differs from dynamic configuration, in which the Ascend-Data-Filter is defined on the RADIUS server and then subscriber management uses a predefined variable to map the Ascend-Data-Filter rules to Junos OS filter functionality. Because creating a static Ascend-Data-Filter configuration can be labor-intensive, you might typically use this method for testing purposes.
Requirements
Create the dynamic profile. See Dynamic Profiles Overview.
Configure RADIUS support. See RADIUS Servers and Parameters for Subscriber Access.
Overview
Ascend-Data-Filters contain rules that create policies. Subscriber management uses a dynamic profile to apply the policy to a subscriber session. You manually configure the Ascend-Data-Filter as part of the dynamic policy.
Specify the dynamic profile to use to apply the Ascend-Data-Filter policy to the subscriber session.
Configure the Ascend-Data-Filter.
Configure optional settings, which include counting the rule usage and setting the precedence for received and transmitted traffic.
Configuration
Procedure
Step-by-Step Procedure
To configure static Ascend-Data-Filter support:
Specify the dynamic profile in which you want to create the Ascend-Data-Filter, and configure the interface, the logical unit number, and the family type.
[edit] user@host# edit dynamic-profiles adf-profile-v4 interfaces $junos-interface-ifd-name unit $junos-underlying-interface-unit family inet
Configure the Ascend-Data-Filter. Enclose the filter values within quotation marks. You can configure multiple Ascend-Data-Filter rules in the same dynamic profile.
[edit dynamic-profiles adf-profile-v4 interfaces “$junos-interface-ifd-name” unit “$junos-underlying-interface-unit” family inet] user@host# set filter adf rule “01000100 CB007100 00000000 18000000 00000000 00000000”
Enable the counter for the rule.
[edit dynamic-profiles adf-profile-v4 interfaces “$junos-interface-ifd-name” unit “$junos-underlying-interface-unit” family inet] user@host# set filter adf counter
Specify the precedence for received packets on the interface.
[edit dynamic-profiles adf-profile-v4 interfaces “$junos-interface-ifd-name” unit “$junos-underlying-interface-unit” family inet] user@host# set filter adf input-precedence 80
Specify the precedence for transmitted packets on the interface.
[edit dynamic-profiles adf-profile-v4 interfaces “$junos-interface-ifd-name” unit “$junos-underlying-interface-unit” family inet] user@host# set filter adf output precedence 85
Results
From configuration mode, confirm your configuration by entering the show dynamic-profiles command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show dynamic-profiles
...
adf-profile-v4 {
interfaces {
"$junos-interface-ifd-name" {
unit "$junos-underlying-interface-unit" {
family inet {
filter {
adf {
rule "01000100 CB007100 00000000 18000000 00000000 00000000";
counter;
input-precedence 80;
output-precedence 85;
...
If you are done configuring the device, enter commit from configuration mode.
Results
The Ascend-Data-Filter rule defined in Step 2 of the procedure configures an input policy that filters all packets from network 203.0.113.0 with wildcard mask 255.255.255.0 to any destination.
Table 1 lists the values specified in the Ascend-Data-Filter rule.
Action or Classifier |
Hex Value |
Junos OS Filter Function |
|---|---|---|
Type |
01 |
IPv4 |
Forward |
00 |
Forward |
Indirection |
01 |
Ingress |
Spare |
00 |
None |
Source IP address |
CB007100 |
203.0.113.0 |
Destination IP address |
00000000 |
Any |
Source IP mask |
18 |
24 (255.255.255.0) |
Destination IP mask |
00 |
0 (0.0.0.0) |
Protocol |
00 |
None |
Established |
00 |
None |
Source port |
0000 |
None |
Destination port |
0000 |
None |
Source port qualifier |
00 |
None |
Destination port qualifier |
00 |
None |
Reserved |
0000 |
None |
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying that Static Ascend-Data-Filter Rules are Applied to Subscriber Sessions
- Verifying Static Ascend-Data-Filter Usage
Verifying that Static Ascend-Data-Filter Rules are Applied to Subscriber Sessions
Purpose
Verify that the Ascend-Data-Filter rules you manually configured were attached to the subscriber.
Action
From operational mode, enter the show subscribers extensive command.
user@host>show subscriber extensive
Type: DHCP
User Name: user1-adf
IP Address: 192.168.1.10
IP Netmask: 255.255.255.0
Logical System: default
Routing Instance: default
Interface: ge-1/0/0.0
Interface type: Static
Dynamic Profile Name: adf-profile-v4
MAC Address: 00:00:5E:00:53:01
State: Active
Radius Accounting ID: 5
Login Time: 2010-08-12 14:06:27 PDT
ADF IPv4 Input Filter Name: __junos_adf_5-ge-1/0/0.0-inet-in
Rule 0: 01000100CB00710000000000180000000000000000000000
from {
destination-address 203.0.113.0/24;
}
then {
accept;
}
Meaning
The output shows the information for the dynamic profile, including Ascend-Data-Filter rules. Verify the following information:
The User Name field indicates the correct subscriber.
The Dynamic Profile Name field is correct for the subscriber.
The correct static Ascend-Data-Filter rule is applied to the subscriber.
Verifying Static Ascend-Data-Filter Usage
Purpose
Verify usage of the static Ascend-Data-Filter. Counter statistics are displayed when the counter option is configured for the adf command in the dynamic profile.
Action
From operational mode, enter the show firewall command.
user@host> show firewall Filter: __junos_adf_5-ge-1/0/0.0-inet-in Counters: Name Bytes Packets t0-cnt 32758 22
Meaning
The output shows the name of the filter and the lists counter activity. If the counter option is not configured, the output displays only the filter name.