Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Dual Stack Per session QoS BNG

    Posted 10-04-2020 04:37

    Hi

    I am testing the dual-stack features of vMX BNG. To rate-limit the download and upload speed of a subscriber, I used the following configuration steps:

    1- I defined a policer for download and a policer for upload.

    2- I defined two firewall filters for inet (one for download and one for upload) and call those policers in these firewall filters.

    3- For some security reasons I configured another firewall filter to block certain traffic to and from the subscriber.

    4- I called these security filters inside the firewall filters for QoS rate limiting.

    5- Finally, during the AAA procedure, the names of the firewall filters for rate limiting are passed from the RADIUS server to the BNG.

    Up to this point everything works fine; I have both rate limiting and security features.

    Now I want to embed IPv6. I did not test this yet, but I think I must do the same for IPv6 traffic as well if I want to have both rate-limiting and security features. Now the questions:

    1- In practice, must I configure firewall filters for both IPv4 and IPv6?

    2- Does this mean I must rate-limit IPv4 traffic and IPv6 traffic separately?

    3- Is it possible to assign two Egress-Policy and two Ingress-Policy via RADIUS AVP?

    4- Is there any configuration method to skip this rate-limiting approach and have both security firewalls (inet and inet.6) in one filter and do rate limiting on the entire session?

    Here is the configuration:

    Download Policer

    jcluser@vMX1> show configuration firewall policer Policer_2M_Download
    logical-bandwidth-policer;
    if-exceeding {
        bandwidth-limit 1M;
        burst-size-limit 1M;
    }
    then discard;

    Upload Policer

    jcluser@vMX1> show configuration firewall policer Policer_1M_Upload
    logical-interface-policer;
    if-exceeding {
        bandwidth-limit 2m;
        burst-size-limit 2m;
    }
    then discard;

    Download Policy

    jcluser@vMX1> show configuration firewall
    filter 2Mbps {
        interface-specific;
        enhanced-mode;
        term 1 {
            then {
                policer Policer_2M_Download;
                next term;
            }
        }
        term 3 {
            filter WWW-Attack;
        }
    }

    Upload Policy

    jcluser@vMX1> show configuration firewall
    filter 1Mbps {
        interface-specific;
        term 1 {
            then {
                policer Policer_1M_Upload;
                next term;
            }
        }
        term 3 {
            filter Attack;
        }
    }

    RADIUS Profile

    ERX-Ingress-Policy-Name = 1Mbps,
    ERX-Egress-Policy-Name = 2Mbps,

     

     

    Thank you



  • 2.  Re: Dual Stack Per session QoS BNG

    Posted 10-04-2020 05:06

    Hi, you can configure the filter and policer inside a dynamic-profile, and pass only the required attributes to the profile from the RADIUS server. This is more scalable than configuring many, many filters and policers.

     

    > show configuration dynamic-profiles dp-internet
    variables {
        inBW;
        outBW;
        inFilter uid;
        outFilter uid;
        inPlcr uid;
        outPlcr uid;
        inBrst equals "round($inBW*0.075)";
        outBrst equals "round($outBW*0.075)";
    }
    interfaces {
        demux0 {
            unit "$junos-interface-unit" {
                family inet {
                    filter {
                        input "$inFilter" precedence 200;
                        output "$outFilter" precedence 200;
                    }
                }
            }
        }
    }
    firewall {
        family inet {
            filter "$inFilter" {
                interface-specific;
                term MATCHED_PREVIOUSLY {
                    from {
                        service-filter-hit;
                    }
                    then accept;
                }
                term PROCESS {
                    then {
                        policer "$inPlcr";
                        service-accounting;
                        forwarding-class best-effort;
                        service-filter-hit;
                        accept;
                    }
                }
            }
            filter "$outFilter" {
                interface-specific;
                term MATCHED_PREVIOUSLY {
                    from {
                        service-filter-hit;
                    }
                    then accept;
                }
                term INTERNET {
                    then {
                        policer "$outPlcr";
                        service-accounting;
                        forwarding-class best-effort;
                        service-filter-hit;
                        accept;
                    }
                }
            }
        }
        policer "$inPlcr" {
            filter-specific;
            if-exceeding {
                bandwidth-limit "$inBW";
                burst-size-limit "$inBrst";
            }
            then discard;
        }
        policer "$outPlcr" {
            filter-specific;
            if-exceeding {
                bandwidth-limit "$outBW";
                burst-size-limit "$outBrst";
            }
            then discard;
        }
    }
    


  • 3.  Re: Dual Stack Per session QoS BNG

    Posted 10-04-2020 05:28

    Hi

    Thank you for the answer. What about the IPv6 counterpart?



  • 4.  Re: Dual Stack Per session QoS BNG

    Posted 10-04-2020 05:35

    Another question:

    I don't use a demux interface; instead I am using a pp0 interface. Is this applicable?

    Thank you



  • 5.  Re: Dual Stack Per session QoS BNG

    Posted 10-04-2020 09:54

    You can extend this filter to support IPv6 and logical interface filters.

    Also, for the output direction you can use traffic-control-profile, if your line cards support this.

    The same config is applicable for pp0.



  • 6.  Re: Dual Stack Per session QoS BNG

    Posted 10-04-2020 22:08

    Hi

    Thank you for the follow-up.

    Two questions:

    1- How can I apply a security firewall alongside policing? Consider that I have a firewall filter which blocks ICMP packets in and out of each session. How can I include that filter with this config as well?

    2- What is the format of the AVP to pass the parameters?

    Best Regards

    Alireza 



  • 7.  RE: Re: Dual Stack Per session QoS BNG

    Posted 08-22-2021 13:06
    Hi.

    What radius attributes do we use to return values for the different variables?


        inBW;
        outBW;
        inFilter uid;
        outFilter uid;
        inPlcr uid;
        outPlcr uid;
        inBrst equals "round($inBW*0.075)";
        outBrst equals "round($outBW*0.075)";


    ------------------------------
    PEDER BACH
    ------------------------------



  • 8.  RE: Dual Stack Per session QoS BNG

    Posted 08-22-2021 19:37
    You need to have
    filter-specific;
    logical-interface-policer;
    in all your relevant policers, and call them from the filters you'll apply from Radius AVPs in v4 and v6: this way their policed throughput will be common between v4 and v6.

    You already use ERX-Ingress-Policy-Name and ERX-Egress-Policy-Name for the filters in IPv4; you'll define their matching IPv6 ones in the firewall inet6 hierarchy and call them with RADIUS using ERX-IPv6-Ingress-Policy-Name and ERX-IPv6-Egress-Policy-Name.

    ------------------------------
    Olivier Benghozi
    ------------------------------
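
The shared-policer layout described in the last reply, sketched for the upload (ingress) direction as an added example that is not part of the thread. The names Policer_Upload_Shared, 1Mbps-v6 and Attack-v6 are hypothetical, the rate values are constructed, and Attack-v6 stands for an inet6 version of the security filter, whose contents the thread does not show; the download direction follows the same pattern with ERX-Egress-Policy-Name and ERX-IPv6-Egress-Policy-Name.

```junos
firewall {
    /* Hypothetical policer: one instance referenced by both the inet and inet6 filters. */
    policer Policer_Upload_Shared {
        filter-specific;
        logical-interface-policer;
        if-exceeding {
            bandwidth-limit 1m;      /* constructed value */
            burst-size-limit 1m;     /* constructed value */
        }
        then discard;
    }
    family inet {
        filter 1Mbps {
            interface-specific;
            term 1 {
                then {
                    policer Policer_Upload_Shared;
                    next term;
                }
            }
            term 3 {
                filter Attack;       /* existing IPv4 security filter from the first post */
            }
        }
    }
    family inet6 {
        /* Hypothetical IPv6 counterpart; without it IPv6 traffic gets neither policing nor the security filter. */
        filter 1Mbps-v6 {
            interface-specific;
            term 1 {
                then {
                    policer Policer_Upload_Shared;
                    next term;
                }
            }
            term 3 {
                filter Attack-v6;    /* hypothetical inet6 security filter, contents not shown in the thread */
            }
        }
    }
}
/* RADIUS reply attributes for the subscriber (ingress direction only):
     ERX-Ingress-Policy-Name = 1Mbps,
     ERX-IPv6-Ingress-Policy-Name = 1Mbps-v6,
*/
```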