Hello,

I have an issue with an ERX-1440 and JunosE 11.3.2 Release:

The subscribers entering the BRAS are coming through an L2TP tunnel and operating in dual-stack mode, as you can see here:

ERX-1440#show ip interface tunnel l2tp:1/15/29283
TUNNEL l2tp:1/15/29283 line protocol Ppp is up, ip is up
...
Access routing = enabled: Using 123.123.123.123
...

ERX-1440#show ipv6 interface tunnel l2tp:1/15/29283
TUNNEL l2tp:1/15/29283 line protocol Ppp is up, ipv6 is up
...
ND RA prefix advertisements configured:
2a00:0000:401:375::/64 life 2592000, preferred 604800, onLink, autoConfig
...

=> This works just fine and the subscriber is able to reach all destinations.

What we are trying now is to restrict his session in case of a lack of payments or something like that. For this case we decided to create a local policy-list on the ERX which lets him go to our customer-portal and reach his Voice-Server (SIP) and nowhere else (ip classifier-list block-ia).

!
ip policy-list "block-internet"
classifier-group block-ia precedence 50
forward
classifier-group * precedence 80
filter
log
!

==> When we now send the attribute "Ingress-Policy-Name" by RADIUS, this policy is bound to the subscriber interface and works just fine.

DEBUG 01/22/2013 15:03:27 CET radiusAttributes: ingress policy name (vsa) attr: block-internet-access

BUT, the subscriber is still able to reach all the external destinations via IPv6. Due to the fact that the RADIUS attribute "IPv6-Ingress-Policy-Name" is not available for JunosE 11.3.2 (works from 13.0), I thought about "Ascend-Data-Filter" -> http://www.juniper.net/techpubs/en_US/junose10.1/information-products/topic-collections/policy-management/policy-mgm-ascend-data-filter-ipv6.html

So, we created two Ascend-Data-Filters for blocking UDP and TCP from any to any, put them in the RADIUS record and sent them to the ERX:

DEBUG 01/22/2013 15:03:27 CET radiusAttributes: ingress policy name (vsa) attr: block-internet-access
DEBUG 01/22/2013 15:03:27 CET radiusAttributes: ascend filter attr: (binary data)
DEBUG 01/22/2013 15:03:27 CET radiusAttributes: ascend filter attr: (binary data)

But now, there seems to be a mix-up, and the only policy the subscriber is bound to is the one dynamically created by the two Ascend-Data-Filters.

=> Now, the subscriber isn't able to reach anything via IPv6, but can reach everything over IPv4.


Long story short:
Am I doing something wrong? Is there a software bug?
Or how can I bind an IPv4 AND an IPv6 policy-list to a dual-stack interface of one subscriber, controlled by RADIUS?

Thanks in advance!




_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
