Junos OS




  • 1.  Dual Stack Per session QoS BNG

    Posted 10-04-2020 04:37

    Hi

    I am testing the dual-stack features of vMX BNG. To rate-limit the download and upload speed of a subscriber, I used the following configuration steps:

    1- I defined a policer for download and a policer for upload.

    2- I defined two firewall filters for inet (one for download and one for upload) and call those policers in these firewall filters.

    3- For some security reasons I configured another firewall filter to block certain traffic to and from the subscriber.

    4- I called these security filters inside the firewall filters for QoS rate limiting.

    5- Finally, during the AAA procedure, the names of the firewall filters for rate limiting are passed from the RADIUS server to the BNG.

    Up to this point everything works fine; I have both rate limiting and security features.

    Now I want to embed IPv6. I did not test this yet, but I think I must do the same for IPv6 traffic as well if I want to have both rate-limiting and security features. Now the questions:

    1- In practice, must I configure firewall filters for both IPv4 and IPv6?

    2- Does this mean I must rate-limit IPv4 traffic and IPv6 traffic separately?

    3- Is it possible to assign two Egress-Policy and two Ingress-Policy via RADIUS AVP?

    4- Is there any configuration method to skip this rate-limiting approach and have both security firewalls (inet and inet.6) in one filter and do rate-limiting on the entire session?

    Here are the configurations:

    Download Policer

    jcluser@vMX1> show configuration firewall policer Policer_2M_Download
    logical-bandwidth-policer;
    if-exceeding {
        bandwidth-limit 1M;
        burst-size-limit 1M;
    }
    then discard;

    Upload Policer

    jcluser@vMX1> show configuration firewall policer Policer_1M_Upload
    logical-interface-policer;
    if-exceeding {
        bandwidth-limit 2m;
        burst-size-limit 2m;
    }
    then discard;

    Download Policy

    jcluser@vMX1> show configuration firewall
    filter 2Mbps {
        interface-specific;
        enhanced-mode;
        term 1 {
            then {
                policer Policer_2M_Download;
                next term;
            }
        }
        term 3 {
            filter WWW-Attack;
        }
    }

    Upload Policy

    jcluser@vMX1> show configuration firewall
    filter 1Mbps {
        interface-specific;
        term 1 {
            then {
                policer Policer_1M_Upload;
                next term;
            }
        }
        term 3 {
            filter Attack;
        }
    }

    RADIUS Profile

    ERX-Ingress-Policy-Name = 1Mbps,
    ERX-Egress-Policy-Name = 2Mbps,

     

     

    Thank you



  • 2.  Re: Dual Stack Per session QoS BNG

    Posted 10-04-2020 05:06

    Hi, you can configure the filter and policer inside a dynamic-profile and pass only the required attributes to the profile from the RADIUS server. This is more scalable than configuring many, many filters and policers.

     

    > show configuration dynamic-profiles dp-internet
    variables {
        inBW;
        outBW;
        inFilter uid;
        outFilter uid;
        inPlcr uid;
        outPlcr uid;
        inBrst equals "round($inBW*0.075)";
        outBrst equals "round($outBW*0.075)";
    }
    interfaces {
        demux0 {
            unit "$junos-interface-unit" {
                family inet {
                    filter {
                        input "$inFilter" precedence 200;
                        output "$outFilter" precedence 200;
                    }
                }
            }
        }
    }
    firewall {
        family inet {
            filter "$inFilter" {
                interface-specific;
                term MATCHED_PREVIOUSLY {
                    from {
                        service-filter-hit;
                    }
                    then accept;
                }
                term PROCESS {
                    then {
                        policer "$inPlcr";
                        service-accounting;
                        forwarding-class best-effort;
                        service-filter-hit;
                        accept;
                    }
                }
            }
            filter "$outFilter" {
                interface-specific;
                term MATCHED_PREVIOUSLY {
                    from {
                        service-filter-hit;
                    }
                    then accept;
                }
                term INTERNET {
                    then {
                        policer "$outPlcr";
                        service-accounting;
                        forwarding-class best-effort;
                        service-filter-hit;
                        accept;
                    }
                }
            }
        }
        policer "$inPlcr" {
            filter-specific;
            if-exceeding {
                bandwidth-limit "$inBW";
                burst-size-limit "$inBrst";
            }
            then discard;
        }
        policer "$outPlcr" {
            filter-specific;
            if-exceeding {
                bandwidth-limit "$outBW";
                burst-size-limit "$outBrst";
            }
            then discard;
        }
    }
    


  • 3.  Re: Dual Stack Per session QoS BNG

    Posted 10-04-2020 05:28

    Hi

    Thank you for the answer. What about the IPv6 counterpart?



  • 4.  Re: Dual Stack Per session QoS BNG

    Posted 10-04-2020 05:35

    Another question:

    I don't use a demux interface; instead I am using a pp0 interface. Is this applicable?

    Thank you



  • 5.  Re: Dual Stack Per session QoS BNG

    Posted 10-04-2020 09:54

    You can extend this filter to support IPv6 and logical interface filters.

    Also, for the output direction you can use traffic-control-profile, if your line cards support this.

    The same config is applicable for pp0.



  • 6.  Re: Dual Stack Per session QoS BNG

    Posted 10-04-2020 22:08

    Hi

    Thank you for the followup

    Two questions:

    1- How can I apply a security firewall alongside policing? Consider that I have a firewall which blocks ICMP packets in and out of each session; how can I include that filter with this config as well?

    2- What is the format of the AVP to pass the parameters?

    Best Regards

    Alireza 



  • 7.  RE: Re: Dual Stack Per session QoS BNG

    Posted 08-22-2021 13:06
    Hi.

    What radius attributes do we use to return values for the different variables?


        inBW;
        outBW;
        inFilter uid;
        outFilter uid;
        inPlcr uid;
        outPlcr uid;
        inBrst equals "round($inBW*0.075)";
        outBrst equals "round($outBW*0.075)";


    ------------------------------
    PEDER BACH
    ------------------------------



  • 8.  RE: Dual Stack Per session QoS BNG

    Posted 08-22-2021 19:37
    You need to have
    filter-specific;
    logical-interface-policer;
    in all your relevant policers, and call them from the filters you'll apply from Radius AVPs in v4 and v6: this way their policed throughput will be common between v4 and v6.

    You already use ERX-Ingress-Policy-Name and ERX-Egress-Policy-Name for the filters in IPv4; you'll define their matching IPv6 ones in the firewall inet6 hierarchy and call them with RADIUS using ERX-IPv6-Ingress-Policy-Name and ERX-IPv6-Egress-Policy-Name.

    ------------------------------
    Olivier Benghozi
    ------------------------------
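
The shared-policer layout described in the last reply, written out for the upload direction of the original poster's static filters. This is an added example, not configuration posted by anyone in the thread: the names Policer_Upload_Shared, 1Mbps-v6 and Attack-v6 are hypothetical, and the rates are placeholders.

```junos
/* Added example. Policer_Upload_Shared, 1Mbps-v6 and Attack-v6 are
   hypothetical names; 1m is a placeholder rate. */
firewall {
    /* Referenced from both families so that, per the reply above,
       IPv4 and IPv6 share one policed rate. */
    policer Policer_Upload_Shared {
        filter-specific;
        logical-interface-policer;
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 1m;
        }
        then discard;
    }
    family inet {
        filter 1Mbps {
            interface-specific;
            term 1 {
                then {
                    policer Policer_Upload_Shared;
                    next term;
                }
            }
            term 3 {
                filter Attack;
            }
        }
    }
    family inet6 {
        filter 1Mbps-v6 {
            interface-specific;
            term 1 {
                then {
                    policer Policer_Upload_Shared;
                    next term;
                }
            }
            /* The nested security filter must itself be an inet6 filter.
               Do not blanket-drop ICMPv6 in it: neighbor discovery and
               path MTU discovery depend on ICMPv6. */
            term 3 {
                filter Attack-v6;
            }
        }
    }
}
/* RADIUS reply for the upload direction (attribute names from the thread):
   ERX-Ingress-Policy-Name = 1Mbps,
   ERX-IPv6-Ingress-Policy-Name = 1Mbps-v6 */
```

The download direction is built the same way with a second shared policer, returned with ERX-Egress-Policy-Name and ERX-IPv6-Egress-Policy-Name.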