[j-nsp] ERX-1440 - IPv4 and IPv6 Policies to dual-stack subscriber by RADIUS
FBH1
netzwerk at fbh1.de
Tue Jan 22 10:54:17 EST 2013
Hello,
I have an issue with an ERX-1440 running the JunosE 11.3.2 release:
The subscribers entering the BRAS come in through an L2TP tunnel and
operate in dual-stack mode, as you can see here:
ERX-1440#show ip interface tunnel l2tp:1/15/29283
TUNNEL l2tp:1/15/29283 line protocol Ppp is up, ip is up
...
Access routing = enabled: Using 123.123.123.123
...
ERX-1440#show ipv6 interface tunnel l2tp:1/15/29283
TUNNEL l2tp:1/15/29283 line protocol Ppp is up, ipv6 is up
...
ND RA prefix advertisements configured:
2a00:0000:401:375::/64 life 2592000, preferred 604800, onLink, autoConfig
...
=> This works just fine and the subscriber is able to reach all
destinations.
What we are trying now is to restrict his session in case of missing
payments or something similar.
For this case we decided to create a local policy-list on the ERX which
lets him reach our customer portal and his voice server (SIP) and
nowhere else (ip classifier-list block-ia):
!
ip policy-list "block-internet"
classifier-group block-ia precedence 50
forward
classifier-group * precedence 80
filter
log
!
==> When we now send the attribute "Ingress-Policy-Name" via RADIUS, this
policy is bound to the subscriber interface and works just fine.
DEBUG 01/22/2013 15:03:27 CET radiusAttributes: ingress policy name
(vsa) attr: block-internet-access
BUT the subscriber is still able to reach all external destinations
via IPv6. Since the RADIUS attribute
"IPv6-Ingress-Policy-Name" is not available in JunosE 11.3.2 (it works
from 13.0 on), I thought about "Ascend-Data-Filter" ->
http://www.juniper.net/techpubs/en_US/junose10.1/information-products/topic-collections/policy-management/policy-mgm-ascend-data-filter-ipv6.html
So we created two Ascend-Data-Filters that block UDP and TCP from any
to any, put them in the RADIUS record and sent them to the ERX:
DEBUG 01/22/2013 15:03:27 CET radiusAttributes: ingress policy name
(vsa) attr: block-internet-access
DEBUG 01/22/2013 15:03:27 CET radiusAttributes: ascend filter attr:
(binary data)
DEBUG 01/22/2013 15:03:27 CET radiusAttributes: ascend filter attr:
(binary data)
But now there seems to be a mix-up, and the only policy the subscriber
is bound to is the one dynamically created from the two Ascend-Data-Filters.
=> Now the subscriber isn't able to reach anything via IPv6, but
everything via IPv4.
Long story short:
Am I doing something wrong? Is there a software bug?
Or how can I bind an IPv4 AND an IPv6 policy-list to a dual-stack
interface of one subscriber, controlled by RADIUS?
Thanks in advance!
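The ERX debug output above shows the two Ascend-Data-Filter attributes only as "(binary data)". The following encoder/decoder is an added example and is not part of the original post or of any Juniper or FreeRADIUS code. It assumes the field order of FreeRADIUS's Ascend filter encoder (type/forward/direction header, then source and destination address, masks, protocol, ports and port comparators); the exact JunosE byte layout, including trailing padding, and the SIP port used in the sample policy are assumptions that should be checked against the linked Juniper document before use. The addresses are constructed documentation prefixes.

```python
import ipaddress
import struct

# Assumed layout (FreeRADIUS ascend_ip_filter_t / ascend_ipv6_filter_t):
#   header: type(1) forward(1) direction(1) fill(1)
#   body:   src addr, dst addr, srcmask, dstmask, proto, established,
#           srcport(2), dstport(2), srcport_cmp, dstport_cmp, fill(4)
FILTER_IP, FILTER_GENERIC, FILTER_IPV6 = 1, 2, 3   # type byte
DROP, FORWARD = 0, 1                               # forward byte
OUT, IN = 0, 1                                     # direction byte (IN = from subscriber)
CMP_NONE, CMP_LT, CMP_EQ, CMP_GT, CMP_NE = 0, 1, 2, 3, 4
CMP_NAMES = {CMP_NONE: "", CMP_LT: "<", CMP_EQ: "=", CMP_GT: ">", CMP_NE: "!="}
PROTO = {"any": 0, "icmp": 1, "tcp": 6, "udp": 17, "icmpv6": 58}

_HDR = ">BBBB"
_TAIL = "BBBBHHBB4x"   # masks, proto, established, ports, comparators, fill


def _net(text, version):
    """'addr' or 'addr/len' -> (packed address, prefix length); None means any."""
    if text is None:
        return bytes(4 if version == 4 else 16), 0
    net = ipaddress.ip_network(text, strict=False)
    if net.version != version:
        raise ValueError("address family mismatch: %s" % text)
    return net.network_address.packed, net.prefixlen


def encode_filter(version, action, direction, proto="any", src=None, dst=None,
                  srcport=0, dstport=0, srccmp=CMP_NONE, dstcmp=CMP_NONE,
                  established=0):
    """Build one Ascend-Data-Filter blob for IPv4 (type 1) or IPv6 (type 3)."""
    ftype, alen = (FILTER_IP, 4) if version == 4 else (FILTER_IPV6, 16)
    s, smask = _net(src, version)
    d, dmask = _net(dst, version)
    body = struct.pack(">%ds%ds%s" % (alen, alen, _TAIL), s, d, smask, dmask,
                       PROTO[proto], established, srcport, dstport, srccmp, dstcmp)
    return struct.pack(_HDR, ftype, action, direction, 0) + body


def decode_filter(blob):
    """Parse a blob back into a readable dict; rejects unknown types and lengths."""
    ftype, action, direction, _ = struct.unpack_from(_HDR, blob)
    if ftype == FILTER_IP:
        alen = 4
    elif ftype == FILTER_IPV6:
        alen = 16
    else:
        raise ValueError("unsupported Ascend filter type %d" % ftype)
    fmt = ">%ds%ds%s" % (alen, alen, _TAIL)
    if len(blob) != 4 + struct.calcsize(fmt):
        raise ValueError("unexpected filter length %d" % len(blob))
    s, d, smask, dmask, proto, est, sp, dp, scmp, dcmp = struct.unpack_from(fmt, blob, 4)
    names = {v: k for k, v in PROTO.items()}
    return {
        "type": "ipv4" if ftype == FILTER_IP else "ipv6",
        "action": "forward" if action == FORWARD else "drop",
        "direction": "in" if direction == IN else "out",
        "proto": names.get(proto, str(proto)),
        "established": bool(est),
        "src": "%s/%d" % (ipaddress.ip_address(s), smask),
        "dst": "%s/%d" % (ipaddress.ip_address(d), dmask),
        "srcport": (CMP_NAMES[scmp], sp),
        "dstport": (CMP_NAMES[dcmp], dp),
    }


def block_internet_v6(portal_prefix, sip_host, sip_port=5060):
    """IPv6 counterpart of the ERX 'block-internet' policy-list in Ascend form.
    Assumes first-match evaluation, so the two forward entries precede the drops.
    Unlike the poster's two drop-everything filters, this keeps portal and SIP open."""
    return [
        encode_filter(6, FORWARD, IN, "any", dst=portal_prefix),
        encode_filter(6, FORWARD, IN, "udp", dst=sip_host,
                      dstport=sip_port, dstcmp=CMP_EQ),
        encode_filter(6, DROP, IN, "tcp"),
        encode_filter(6, DROP, IN, "udp"),
    ]


if __name__ == "__main__":
    # Constructed sample: documentation prefixes, not the poster's addresses.
    for blob in block_internet_v6("2001:db8:100::/48", "2001:db8:1::5"):
        print(blob.hex(), decode_filter(blob))
```

Decoding the hex of a blob captured from the RADIUS server is the quickest way to confirm that what reaches the ERX is really a type-3 (IPv6) filter and that the header bytes, not the address family of the policy-list, decide which traffic it applies to.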