[j-nsp] BRAS IPv4/IPv6 Combined Policer & RADIUS Attributes

Darren Liew darrenssliu at gmail.com
Tue Nov 4 00:43:57 EST 2014


Hi Team,

Just an update on the test results. It seems to be working with
logical-interface-policer. A summary of the approach is:

1. firewall policer with "logical-interface-policer"
2. firewall family inet filter - referencing the same policer
3. firewall family inet6 filter - referencing the same policer

We can then maintain the same firewall filtering construct under each
individual protocol family. This has the advantage of being able to use
RADIUS attributes to issue ingress & egress filtering parameters.

I have yet to observe any performance issues if we were to deploy on a wider
scale. Will try to confirm with our system engineer shortly.

Thanks all for the suggestions! Will update further if there are any further
results!

set firewall policer 30m filter-specific
set firewall policer 30m logical-interface-policer
set firewall policer 30m if-exceeding bandwidth-limit 30m
set firewall policer 30m if-exceeding burst-size-limit 1875000
set firewall policer 30m then discard

set firewall family inet filter 30m interface-specific
set firewall family inet filter 30m enhanced-mode
set firewall family inet filter 30m term t0 from service-filter-hit
set firewall family inet filter 30m term t0 then accept
set firewall family inet filter 30m term t1 then policer 30m
set firewall family inet filter 30m term t1 then service-accounting
set firewall family inet filter 30m term t1 then service-filter-hit
set firewall family inet filter 30m term t1 then accept

set firewall family inet6 filter 30m-v6 interface-specific
set firewall family inet6 filter 30m-v6 enhanced-mode
set firewall family inet6 filter 30m-v6 term t0 from service-filter-hit
set firewall family inet6 filter 30m-v6 term t0 then accept
set firewall family inet6 filter 30m-v6 term t1 then policer 30m
set firewall family inet6 filter 30m-v6 term t1 then service-accounting
set firewall family inet6 filter 30m-v6 term t1 then service-filter-hit
set firewall family inet6 filter 30m-v6 term t1 then accept

set dynamic-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" family inet filter input 30m
set dynamic-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" family inet filter output 30m

set dynamic-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" family inet6 filter input 30m-v6
set dynamic-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" family inet6 filter output 30m-v6

On Mon, Nov 3, 2014 at 8:51 AM, Darren Liew <darrenssliu at gmail.com> wrote:

> Hi Guys,
>
> Thanks for all the suggestions. Part of my requirement is also to integrate
> with the RADIUS attributes, so that we can dynamically control different
> users with different bandwidth according to their subscriptions & along with
> the service accounting.
>
> I'll give it a try together with the RADIUS attributes (ingress / egress
> filter) to see if it works with the dynamic variable below.
>
> Thanks for all the suggestions. Will update shortly.
>
> users at lab-bng# ...-profiles PPPOE-IP-PROFILE interfaces pp0 unit
> "$junos-interface-unit" filter input ?
> Possible completions:
>   <input>              Name of filter applied to received packets
>   $junos-input-filter  Dynamic profile input filter
>   $junos-input-ipv6-filter  Dynamic profile input v6 filter
>
> Rgds
> Darren
>
> On Mon, Nov 3, 2014 at 6:51 AM, Ben Dale <bdale at comlinx.com.au> wrote:
>
>> Hi Darren,
>>
>> >
>> > Our requirement is per below. For example, the bandwidth package is 5Mbps.
>> > The IPv4 & IPv6 should be policed jointly to bandwidth of 5Mbps rather than
>> > individual IPv4 or IPv6 family policing. If policing is done individually
>> > for IPv4 (5Mbps) and for IPv6 (5Mbps), the user is getting bandwidth of
>> > 10Mbps jointly which we tried to avoid.
>>
>>
>> Modify your PPPoE template so that you're applying the filter under
>> "$junos-interface-unit" rather than the address family:
>>
>> PPPOE-IP-PROFILE {
>>     interfaces {
>>         pp0 {
>>             unit "$junos-interface-unit" {
>>                 ppp-options {
>>                     pap;
>>                 }
>>                 pppoe-options {
>>                     underlying-interface "$junos-underlying-interface";
>>                     server;
>>                 }
>>                 filter {
>>                     input 5m;
>>                     output 5m;
>>                 }
>>                 family inet {
>>                     unnumbered-address "$junos-loopback-interface";
>>                 }
>>                 family inet6 {
>>                     unnumbered-address "$junos-loopback-interface";
>>                 }
>>             }
>>         }
>>     }
>> }
>>
>> That will police regardless of the underlying address family.
>>
>> Cheers,
>>
>> Ben
>
>
>
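
An added illustration, not part of the original thread or of any Juniper tooling: a small Python check that reads `set`-format configuration and flags dual-stack subscriber units whose inet and inet6 filters would not share one policer instance, which is the 5Mbps + 5Mbps = 10Mbps case described in the thread. The configuration text is abridged from the post or constructed, and the function name `audit` is hypothetical.

```python
import re

# Abridged from the configuration in the post above, with the set commands
# that wrapped in the mail archive joined back onto single lines.
GOOD = '''
set firewall policer 30m logical-interface-policer
set firewall policer 30m if-exceeding bandwidth-limit 30m
set firewall family inet filter 30m interface-specific
set firewall family inet filter 30m term t1 then policer 30m
set firewall family inet6 filter 30m-v6 interface-specific
set firewall family inet6 filter 30m-v6 term t1 then policer 30m
set dynamic-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" family inet filter input 30m
set dynamic-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" family inet filter output 30m
set dynamic-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" family inet6 filter input 30m-v6
set dynamic-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" family inet6 filter output 30m-v6
'''
# Constructed counter-example: the inet6 filter points at its own policer.
BAD = GOOD.replace("30m-v6 term t1 then policer 30m", "30m-v6 term t1 then policer 30m-v6")

def audit(config):
    """Return findings for units where IPv4 and IPv6 are not policed jointly."""
    lip, specific, uses, applied = set(), set(), {}, {}
    for line in config.splitlines():
        if m := re.match(r'set firewall policer (\S+) logical-interface-policer$', line):
            lip.add(m[1])
        elif m := re.match(r'set firewall family (inet6?) filter (\S+) interface-specific$', line):
            specific.add((m[1], m[2]))
        elif m := re.match(r'set firewall family (inet6?) filter (\S+) term \S+ then policer (\S+)$', line):
            uses.setdefault((m[1], m[2]), set()).add(m[3])
        elif m := re.match(r'set dynamic-profiles (\S+) interfaces (\S+) unit (\S+) family (inet6?) filter (input|output) (\S+)$', line):
            applied.setdefault((m[1], m[2], m[3], m[5]), {})[m[4]] = m[6]
    findings = []
    for (prof, ifd, unit, direction), fam in sorted(applied.items()):
        if set(fam) != {"inet", "inet6"}:
            continue  # only dual-stack units are in scope for this check
        where = f"{prof} {ifd} {direction}"
        shared = uses.get(("inet", fam["inet"]), set()) & uses.get(("inet6", fam["inet6"]), set())
        if not shared:
            findings.append(f"{where}: inet and inet6 use different policers, so each family gets its own rate")
        for p in sorted(shared - lip):
            findings.append(f"{where}: policer {p} lacks logical-interface-policer")
        for f, name in sorted(fam.items()):
            if (f, name) not in specific:
                findings.append(f"{where}: filter {name} is not interface-specific")
    return findings
```

`audit(GOOD)` returns an empty list; `audit(BAD)` returns one finding per direction.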

