Junos OS


Accounting Subscriber based on Specific IP traffic

  • 1.  Accounting Subscriber based on Specific IP traffic

    Posted 09-19-2020 00:04

    Hi

    I am testing the JMX BNG feature, and I want to define several services as follows:

    1-Service#1, traffic from Subscriber to 1.1.1.1 and vice versa (CLASS01)

    2-Service#2, traffic from Subscriber to 2.2.2.2 and vice versa (CLASS02)

    3-Service#3, traffic from Subscriber to 3.3.3.3 and vice versa (CLASS03)

    I am using following document:

    https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/subscriber-access/subscriber-mgmt-advanced-provisioning.pdf

    It confused me. It mentions that I can do this by using dynamic-profiles. Now my questions:

    1- I have already defined a dynamic-profile for the PPPoE session. Do I need to define the mentioned services in different dynamic profiles, or in the one which handles PPPoE sessions?

    2- There are several filter types in the mentioned document. Which type of filter must I use?

    3- I just want to do accounting on the traffic passed in each class. There are two QoS policies for rate limiting the entire session.

    I attached the configuration.

     



  • 2.  RE: Accounting Subscriber based on Specific IP traffic

    Posted 09-19-2020 00:44

    1) If you want to account traffic for each service separately, then yes, you need a different dynamic-profile for each service.

    You should set the precedence for the filter in each dynamic-profile to define the order in which these profiles (filters) will be executed.

    Don't forget to add service-filter-hit when the filter matches traffic,

    and skip already-matched traffic in the next filter.

    It should be something like this:

    firewall {
        family inet {
            filter "$inFilter" {
                interface-specific;
                term MATCHED_PREVIOUSLY {
                    from {
                        /* traffic already matched in a previous dynamic-profile */
                        service-filter-hit;
                    }
                    then accept;
                }
                term PROCESS {
                    then {
                        policer "$inPlcr";
                        service-accounting;
                        service-filter-hit;
                        accept;
                    }
                }
            }
        }
    }

     

     



  • 3.  RE: Accounting Subscriber based on Specific IP traffic

    Posted 09-19-2020 00:48

    Hi

    Thank you for the tip.

    My problem is that the service is not applied to the subscriber session. Would you please provide an example of a dynamic profile configuration based on the configuration in your answer?

    Thank you



  • 4.  RE: Accounting Subscriber based on Specific IP traffic

    Posted 09-19-2020 02:41

    Hi

    Here are my detailed configuration steps:

    1) I configured an access-profile as follows:

    set access profile aaa-profile authentication-order radius
    set access profile aaa-profile radius authentication-server 10.100.12.2
    set access profile aaa-profile radius accounting-server 10.100.12.2
    set access profile aaa-profile radius options interface-description-format exclude-sub-interface
    set access profile aaa-profile radius options nas-identifier 10.10.10.10
    set access profile aaa-profile radius options accounting-session-id-format decimal
    set access profile aaa-profile radius options service-activation extensible-service required-at-login
    set access profile aaa-profile radius options service-activation dynamic-profile required-at-login
    set access profile aaa-profile radius-server 10.100.12.2 port 1812
    set access profile aaa-profile radius-server 10.100.12.2 accounting-port 1813
    set access profile aaa-profile radius-server 10.100.12.2 secret "$9$EgUyvLdVYoaUdb4ZGDPf"
    set access profile aaa-profile radius-server 10.100.12.2 timeout 10
    set access profile aaa-profile radius-server 10.100.12.2 retry 10
    set access profile aaa-profile radius-server 10.100.12.2 source-address 10.10.10.10
    set access profile aaa-profile accounting order radius
    set access profile aaa-profile accounting accounting-stop-on-failure
    set access profile aaa-profile accounting accounting-stop-on-access-deny
    set access profile aaa-profile accounting coa-immediate-update
    set access profile aaa-profile accounting update-interval 10
    set access profile aaa-profile accounting statistics volume-time
    set access profile aaa-profile service accounting-order radius
    set access profile aaa-profile service accounting update-interval 10
    set access profile aaa-profile service accounting statistics volume-time
    set access address-assignment pool POOL1 family inet network 192.168.120.0/24

     

    2- I configured a dynamic profile for PPPoE termination. It was applied on Ge-0/0/0.801:

    set dynamic-profiles Virtual-Template1 interfaces pp0 unit "$junos-interface-unit" ppp-options pap
    set dynamic-profiles Virtual-Template1 interfaces pp0 unit "$junos-interface-unit" pppoe-options underlying-interface "$junos-underlying-interface"
    set dynamic-profiles Virtual-Template1 interfaces pp0 unit "$junos-interface-unit" pppoe-options server
    set dynamic-profiles Virtual-Template1 interfaces pp0 unit "$junos-interface-unit" family inet unnumbered-address lo0.0

    3- I created the following dynamic profile for CLASS01:

    set dynamic-profiles CLASS01 variables filter mandatory
    set dynamic-profiles CLASS01 variables filter uid-reference
    set dynamic-profiles CLASS01 interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter input "$filter"
    set dynamic-profiles CLASS01 interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter input precedence 10
    set firewall family inet filter CLASS01 term 1 from source-address 1.1.1.1/32
    set firewall family inet filter CLASS01 term 1 then service-accounting
    set firewall family inet filter CLASS01 term 1 then service-filter-hit
    set firewall family inet filter CLASS01 term 1 then accept

    4- The dynamic profile is assigned to the subscriber via RADIUS AVP ERX-Activate-Service (I am using FreeRadius).

    5- The session is established, but the service is not activated on the session:

    jcluser@vMX1> show subscribers extensive
    Type: PPPoE
    User Name: 217625test2
    IP Address: 192.168.120.30
    IP Netmask: 255.255.255.255
    Primary DNS Address: 4.2.2.4
    Secondary DNS Address: 8.8.8.8
    Logical System: default
    Routing Instance: default
    Interface: pp0.3221225502
    Interface type: Dynamic
    Underlying Interface: ge-0/0/0.801
    Dynamic Profile Name: Virtual-Template1
    MAC Address: 00:0c:29:0b:ff:59
    Session Timeout (seconds): 172800
    State: Active
    Radius Accounting ID: 38
    Session ID: 38
    PFE Flow ID: 49
    VLAN Id: 801
    Agent Circuit ID: ge-0/0/0:801
    Login Time: 2020-09-19 09:44:26 UTC
    IP Address Pool: POOL1
    Accounting interval: 600
    Dynamic configuration:
    junos-output-service-filter: CLASS01

    Only the filter name for the service is applied.

    What is the main reason for this issue?

    I attached the whole configuration as well.

    Thank you



  • 5.  RE: Accounting Subscriber based on Specific IP traffic
    Best Answer

    Posted 09-19-2020 21:32

    Hi

    I figured it out. I must use the RADIUS VSA with the following format:

    ERX-Service-Activate:1 := Service name
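
A pre-deployment check for the format given in the accepted answer, as an added example that is not code from the thread: it scans FreeRADIUS users-file reply items and flags service-activation attributes that are misnamed, untagged, or that name a service with no matching dynamic profile. The function name `lint_reply_items`, the user `testuser` and the sample entry are constructed for illustration, and the parenthesised-parameter handling is an assumption.

```python
import re

ATTR = "ERX-Service-Activate"  # attribute name from the accepted answer
# attribute[:tag] operator value, as written in a FreeRADIUS users-file reply list
ITEM = re.compile(
    r'^\s*([A-Za-z0-9-]+)(?::(\d+))?\s*(?::=|\+=|==|=)\s*'
    r'(?:"([^"]*)"|([^\s,]+))\s*,?\s*$'
)

def lint_reply_items(lines, profiles):
    """Return (line_number, problem) for each suspect service-activation item."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = ITEM.match(line)
        if not m:
            continue  # user line, comment or blank
        name, tag, quoted, bare = m.groups()
        if "Service" not in name or "Activate" not in name:
            continue  # unrelated reply attribute
        if name != ATTR:
            findings.append((no, f"attribute {name} is not {ATTR}"))
            continue
        if tag is None:
            findings.append((no, f"untagged; expected {ATTR}:1 := <service>"))
            continue
        # Assumption: any parameters follow the service name in parentheses.
        value = quoted if quoted is not None else bare
        service = value.split("(", 1)[0].strip()
        if service not in profiles:
            findings.append((no, f"no dynamic profile named {service!r}"))
    return findings

# Constructed users-file entry (not from the thread's attachments).
SAMPLE = '''testuser Cleartext-Password := "constructed"
    ERX-Activate-Service := "CLASS01",
    ERX-Service-Activate := "CLASS01",
    ERX-Service-Activate:1 := "CLASS01",
    ERX-Service-Activate:2 := "CLASS02"
'''.splitlines()

if __name__ == "__main__":
    for no, problem in lint_reply_items(SAMPLE, {"CLASS01"}):
        print(f"line {no}: {problem}")
```

Pass the set of dynamic-profile names actually configured on the router as `profiles`; here only `CLASS01` is used because it is the only service profile shown in the thread.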