Example: Configuring a Filter to Exclude DHCPv6 and ICMPv6 Control Traffic for LAC Subscribers
This example shows how to configure a standard stateless firewall filter that excludes DHCPv6 and ICMPv6 control packets from idle timeout detection for tunneled subscribers on the LAC.
Requirements
No special configuration beyond device initialization is required before you configure this example.
Overview
You can limit subscriber access on the LAC by configuring an idle timeout period, which specifies the maximum amount of time a subscriber can remain idle after the subscriber session is established. The LAC monitors the subscriber's upstream and downstream data traffic to determine whether the subscriber is inactive; the determination is based on the session accounting statistics. As long as data traffic is detected in either direction, the subscriber is not considered idle. If no traffic is detected during the idle timeout period, the subscriber is gracefully logged out, similar to a RADIUS-initiated disconnect or a CLI-initiated logout.
However, after a tunnel is established for an L2TP subscriber, all packets that pass through the LAC tunnel are treated as data packets. As a result, the session accounting statistics are inaccurate, and the subscriber is never considered idle as long as DHCPv6 and ICMPv6 control packets are being sent.
Starting in Junos OS Release 17.2R1, you can define a firewall filter for the inet6 family with terms that match these control packets. Include the exclude-accounting terminating action in those terms so that the matched control packets are dropped from the session accounting statistics.
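The following Python model is an added illustration, not Juniper code: it evaluates the three filter terms in order (first match is the terminating action) and shows how the idle decision differs once DHCPv6 and ICMPv6 neighbor-discovery packets no longer count as data. The packet fields, the trace and the unit-free timestamps are constructed; the ICMPv6 type numbers 133, 135 and 136 are the standard values for router-solicit, neighbor-solicit and neighbor-advertisement.

```python
# Added example, not Juniper code: a model of EXCLUDE-ACCT-INET6-FILTER term
# evaluation and of the LAC idle-timeout decision before and after the filter.
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

UDP, ICMP6 = 17, 58          # IPv6 Next Header values for UDP and ICMPv6
DHCP6_PORTS = {546, 547}     # DHCPv6 client and server ports
ND_TYPES = {133, 135, 136}   # router-solicit, neighbor-solicit, neighbor-advertisement


@dataclass
class Pkt:                   # constructed packet summary, only the matched fields
    next_header: int
    ingress: bool = True     # True = upstream from the subscriber
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None
    length: int = 0


def filter_action(p: Pkt) -> str:
    """Evaluate the terms in order; the first match is the terminating action."""
    if (p.next_header == UDP and p.src_port in DHCP6_PORTS
            and p.dst_port in DHCP6_PORTS):
        return "exclude-accounting"   # term EXCLUDE-ACCT-DHCP-INET6
    if p.next_header == ICMP6 and p.icmp_type in ND_TYPES:
        return "exclude-accounting"   # term EXCLUDE-ACCT-ICMP6
    return "accept"                   # term default


def session_idle(events: Iterable[Tuple[int, Pkt]], now: int, idle_timeout: int,
                 ingress_only: bool = True, filtered: bool = True) -> bool:
    """True when no accounted traffic was seen within idle_timeout of `now`.

    filtered=False models the pre-17.2R1 behaviour (every tunneled packet is data);
    ingress_only mirrors client-idle-timeout-ingress-only.
    """
    last = None
    for t, p in events:
        if ingress_only and not p.ingress:
            continue
        if filtered and filter_action(p) != "accept":
            continue
        last = t if last is None else max(last, t)
    return last is None or now - last >= idle_timeout


# Constructed trace: one real data packet at t=0, then only DHCPv6 renews and
# neighbor solicitations every 60 time units for the next 600 units.
TRACE = [(0, Pkt(UDP, src_port=40000, dst_port=443, length=1200))]
for t in range(60, 601, 60):
    TRACE.append((t, Pkt(UDP, src_port=546, dst_port=547, length=100)))
    TRACE.append((t, Pkt(ICMP6, icmp_type=135, length=72)))
```

With the filter applied the subscriber in TRACE is idle at t=600 even though control packets keep arriving; without it the control traffic keeps the session alive indefinitely.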
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set access profile v6-exclude-idle session-options client-idle-timeout 10
set access profile v6-exclude-idle session-options client-idle-timeout-ingress-only
edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER
set interface-specific
set term EXCLUDE-ACCT-DHCP-INET6 from next-header udp
set term EXCLUDE-ACCT-DHCP-INET6 from source-port 546
set term EXCLUDE-ACCT-DHCP-INET6 from source-port 547
set term EXCLUDE-ACCT-DHCP-INET6 from destination-port 546
set term EXCLUDE-ACCT-DHCP-INET6 from destination-port 547
set term EXCLUDE-ACCT-DHCP-INET6 then count exclude-acct-dhcpv6
set term EXCLUDE-ACCT-DHCP-INET6 then exclude-accounting
set term EXCLUDE-ACCT-ICMP6 from next-header icmp6
set term EXCLUDE-ACCT-ICMP6 from icmp-type router-solicit
set term EXCLUDE-ACCT-ICMP6 from icmp-type neighbor-solicit
set term EXCLUDE-ACCT-ICMP6 from icmp-type neighbor-advertisement
set term EXCLUDE-ACCT-ICMP6 then count exclude-acct-icmpv6
set term EXCLUDE-ACCT-ICMP6 then exclude-accounting
set term default then accept
top
edit dynamic-profiles pppoe-dynamic-profile interfaces pp0 unit "$junos-interface-unit"
set family inet6 filter input EXCLUDE-ACCT-INET6-FILTER
set family inet6 filter output EXCLUDE-ACCT-INET6-FILTER
set actual-transit-statistics
Configuring the Filter
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide (https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/junos-cli/junos-cli.html).
To configure the filter:
Set the idle timeout for subscriber sessions.
[edit access profile v6-exclude-idle]
user@host# set session-options client-idle-timeout 10
Specify that the idle timeout applies only to ingress traffic.
[edit access profile v6-exclude-idle]
user@host# set session-options client-idle-timeout-ingress-only
Define the firewall filter term that excludes DHCPv6 control packets from the accounting statistics.
Specify a match on packets whose first Next Header field is set to UDP (17).
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER]
user@host# set term EXCLUDE-ACCT-DHCP-INET6 from next-header udp
Specify a match on packets with a source port of 546 or 547 (DHCPv6).
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER]
user@host# set term EXCLUDE-ACCT-DHCP-INET6 from source-port 546
user@host# set term EXCLUDE-ACCT-DHCP-INET6 from source-port 547
Specify a match on packets with a destination port of 546 or 547 (DHCPv6).
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER]
user@host# set term EXCLUDE-ACCT-DHCP-INET6 from destination-port 546
user@host# set term EXCLUDE-ACCT-DHCP-INET6 from destination-port 547
Count the matching DHCPv6 packets.
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER]
user@host# set term EXCLUDE-ACCT-DHCP-INET6 then count exclude-acct-dhcpv6
Exclude the matching DHCPv6 packets from the accounting statistics.
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER]
user@host# set term EXCLUDE-ACCT-DHCP-INET6 then exclude-accounting
Define the firewall filter term that excludes ICMPv6 control packets from the accounting statistics.
Specify a match on packets whose first Next Header field is set to ICMPv6 (58).
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER]
user@host# set term EXCLUDE-ACCT-ICMP6 from next-header icmp6
Specify a match on packets with the ICMPv6 message types router-solicit, neighbor-solicit, and neighbor-advertisement.
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER]
user@host# set term EXCLUDE-ACCT-ICMP6 from icmp-type router-solicit
user@host# set term EXCLUDE-ACCT-ICMP6 from icmp-type neighbor-solicit
user@host# set term EXCLUDE-ACCT-ICMP6 from icmp-type neighbor-advertisement
Count the matching ICMPv6 packets.
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER]
user@host# set term EXCLUDE-ACCT-ICMP6 then count exclude-acct-icmpv6
Exclude the matching ICMPv6 packets from the accounting statistics.
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER]
user@host# set term EXCLUDE-ACCT-ICMP6 then exclude-accounting
Define a default filter term that accepts all other packets.
[edit firewall family inet6 filter EXCLUDE-ACCT-INET6-FILTER]
user@host# set term default then accept
Configure the dynamic profile to apply the filter to the input and output interfaces for the inet6 family.
[edit dynamic-profiles pppoe-dynamic-profile interfaces pp0 unit "$junos-interface-unit"]
user@host# set family inet6 filter input EXCLUDE-ACCT-INET6-FILTER
user@host# set family inet6 filter output EXCLUDE-ACCT-INET6-FILTER
Enable accurate accounting for subscriber management.
[edit dynamic-profiles pppoe-dynamic-profile interfaces pp0 unit "$junos-interface-unit"]
user@host# set actual-transit-statistics
Results
From configuration mode, confirm your configuration by entering the show access, show firewall, and show dynamic-profiles commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
user@host# show access
profile v6-exclude-idle {
    session-options {
        client-idle-timeout 10;
        client-idle-timeout-ingress-only;
    }
}
user@host# show firewall
family inet6 {
    filter EXCLUDE-ACCT-INET6-FILTER {
        interface-specific;
        term EXCLUDE-ACCT-DHCP-INET6 {
            from {
                next-header udp;
                source-port [ 546 547 ];
                destination-port [ 546 547 ];
            }
            then {
                count exclude-acct-dhcpv6;
                exclude-accounting;
            }
        }
        term EXCLUDE-ACCT-ICMP6 {
            from {
                next-header icmp6;
                icmp-type [ router-solicit neighbor-solicit neighbor-advertisement ];
            }
            then {
                count exclude-acct-icmpv6;
                exclude-accounting;
            }
        }
        term default {
            then accept;
        }
    }
}
user@host# show dynamic-profiles
pppoe-dynamic-profile {
    interfaces {
        pp0 {
            unit "$junos-interface-unit" {
                actual-transit-statistics;
                family inet6 {
                    filter {
                        input EXCLUDE-ACCT-INET6-FILTER;
                        output EXCLUDE-ACCT-INET6-FILTER;
                    }
                }
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.