Re: [j-nsp] BRAS IPv4/IPv6 Combined Policer & RADIUS Attributes

2014-11-09 Thread Miquel van Smoorenburg

On 03/11/14 01:51, Darren Liew wrote:

> Hi Guys,
>
> Thanks for all the suggestion. Part of my requirement is also to integrate
> with the RADIUS attributes, so that we can dynamic control different users
> with different bandwidth according to their subscriptions & along with the
> service accounting.


OK, then you want something like this:

dynamic-profiles {
    pppoe-subscriber-profile {
        predefined-variable-defaults {
            cos-shaping-mode frame-mode;
            cos-byte-adjust 0;
            cos-shaping-rate 2m;
        }
        class-of-service {
            traffic-control-profiles {
                tc-profile {
                    shaping-rate "$junos-cos-shaping-rate";
                    overhead-accounting "$junos-cos-shaping-mode" bytes "$junos-cos-byte-adjust";
                }
            }
            interfaces {
                pp0 {
                    unit "$junos-interface-unit" {
                        output-traffic-control-profile tc-profile;
                    }
                }
            }
        }
    }
}

The radius attributes you need to send are:

for cos-shaping-rate:  ERX-Qos-Shaping-Pmt-Type = "T02 k"
for cos-shaping-mode:  ERX-Qos-Shaping-Pmt-Type = "T07 cell-mode" or "T07 frame-mode"
for cos-byte-adjust:   ERX-Qos-Shaping-Pmt-Type = "T08 "

The ERX-Qos-Shaping-Pmt-Type attribute is a VSA, vendor 4874, attr 108.

I'd also add a scheduler-map to the tc-profile part (left out for brevity).

See also
http://www.juniper.net/techpubs/en_US/junos13.3/topics/example/cos-subscriber-access-downstream-dynamic.html

And definitely study
http://www.juniper.net/us/en/training/jnbooks/day-one/networking-technologies-series/dynamic-subscriber-management/

Mike.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
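
The VSA described in the message above (vendor 4874, attribute 108), packed the way RFC 2865 lays out a Vendor-Specific attribute, as an added example that is not part of the original post. The function names and the sample attribute list are constructed for illustration, and only the complete "T07" values from the post are used.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
ERX_VENDOR_ID = 4874   # vendor id given in the post
ERX_QOS_ATTR = 108     # vendor attribute number given in the post

def encode_qos_vsa(value):
    """Pack one "Txx value" string as Type | Length | Vendor-Id | vtype | vlen | data."""
    data = value.encode("ascii")
    if len(data) > 247:  # 255 minus 6 bytes outer header/vendor id and 2 bytes sub-header
        raise ValueError("value too long for a single RADIUS attribute")
    sub = struct.pack("!BB", ERX_QOS_ATTR, 2 + len(data)) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), ERX_VENDOR_ID) + sub

def decode_qos_vsas(attrs):
    """Walk a RADIUS attribute list and return {tag: value} for the QoS VSA only."""
    found = {}
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("attribute length runs past the buffer")
        body = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(body) < 6:
            continue  # not a VSA, or too short to carry a sub-attribute
        vendor, vtype, vlen = struct.unpack("!IBB", body[:6])
        if vendor != ERX_VENDOR_ID or vtype != ERX_QOS_ATTR:
            continue
        if vlen != len(body) - 4:
            raise ValueError("vendor sub-attribute length mismatch")
        tag, _, val = body[6:].decode("ascii").partition(" ")
        found[tag] = val
    return found

# Constructed sample: Framed-Protocol = PPP (type 7) followed by the shaping-mode VSA.
SAMPLE_ATTRS = bytes([7, 6, 0, 0, 0, 1]) + encode_qos_vsa("T07 frame-mode")

if __name__ == "__main__":
    print(SAMPLE_ATTRS.hex())
    print(decode_qos_vsas(SAMPLE_ATTRS))
```
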


Re: [j-nsp] BRAS IPv4/IPv6 Combined Policer & RADIUS Attributes

2014-11-03 Thread Darren Liew
Hi Team,

Just an update on the test results. It seems to be working with
logical-interface-policer. A summary of the approach:

1. firewall policer with "logical-interface-policer"
2. firewall family inet filter - referencing the same policer
3. firewall family inet6 filter - referencing the same policer

We can then maintain the same firewall filtering construct under individual
protocol family. This has the advantage of being able to use RADIUS attributes to
issue ingress & egress filtering parameters.

I have yet to observe any performance issues if we were to deploy at wider
scale. Will try to confirm with our system engineer shortly.

Thanks all for the suggestions! Will update further if there are any further
results!

set firewall policer 30m filter-specific
set firewall policer 30m logical-interface-policer
set firewall policer 30m if-exceeding bandwidth-limit 30m
set firewall policer 30m if-exceeding burst-size-limit 1875000
set firewall policer 30m then discard

set firewall family inet filter 30m interface-specific
set firewall family inet filter 30m enhanced-mode
set firewall family inet filter 30m term t0 from service-filter-hit
set firewall family inet filter 30m term t0 then accept
set firewall family inet filter 30m term t1 then policer 30m
set firewall family inet filter 30m term t1 then service-accounting
set firewall family inet filter 30m term t1 then service-filter-hit
set firewall family inet filter 30m term t1 then accept

set firewall family inet6 filter 30m-v6 interface-specific
set firewall family inet6 filter 30m-v6 enhanced-mode
set firewall family inet6 filter 30m-v6 term t0 from service-filter-hit
set firewall family inet6 filter 30m-v6 term t0 then accept
set firewall family inet6 filter 30m-v6 term t1 then policer 30m
set firewall family inet6 filter 30m-v6 term t1 then service-accounting
set firewall family inet6 filter 30m-v6 term t1 then service-filter-hit
set firewall family inet6 filter 30m-v6 term t1 then accept

set dynamic-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" family inet filter input 30m
set dynamic-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" family inet filter output 30m

set dynamic-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" family inet6 filter input 30m-v6
set dynamic-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" family inet6 filter output 30m-v6

On Mon, Nov 3, 2014 at 8:51 AM, Darren Liew  wrote:

> Hi Guys,
>
> Thanks for all the suggestion. Part of my requirement is also to integrate
> with the RADIUS attributes, so that we can dynamic control different users
> with different bandwidth according to their subscriptions & along with the
> service accounting.
>
> I'll give it a try together with the RADIUS attributes (ingress / egress
> filter) to see if it works with the dynamic variable below.
>
> Thanks for all the suggestion. Will update shortly.
>
> users@lab-bng# ...-profiles PPPOE-IP-PROFILE interfaces pp0 unit
> "$junos-interface-unit" filter input ?
> Possible completions:
> Name of filter applied to received packets
>   $junos-input-filter  Dynamic profile input filter
>   $junos-input-ipv6-filter  Dynamic profile input v6 filter
>
> Rgds
> Darren
>
> On Mon, Nov 3, 2014 at 6:51 AM, Ben Dale  wrote:
>
>> Hi Darren,
>>
>> >
>> > Our requirement is per below. For example, the bandwidth package is
>> 5Mbps.
>> > The IPv4 & IPv6 should be policed jointly to bandwidth of 5Mbps rather
>> than
>> > individual IPv4 or IPv6 family policing. If policing is done
>> individually
>> > for IPv4 (5Mbps) and for IPv6 (5Mbps), the user is getting bandwidth of
>> > 10Mbps jointly  which we tried to avoid.
>>
>>
>> Modify your PPPoE template so that you're applying the filter under
>> "$junos-interface-unit" rather than the address family:
>>
>> PPPOE-IP-PROFILE {
>> interfaces {
>> pp0 {
>> unit "$junos-interface-unit" {
>> ppp-options {
>> pap;
>> }
>> pppoe-options {
>> underlying-interface "$junos-underlying-interface";
>> server;
>> }
>> filter {
>> input 5m;
>> output 5m;
>> }
>> family inet {
>> unnumbered-address "$junos-loopback-interface";
>> }
>> family inet6 {
>> unnumbered-address "$junos-loopback-interface";
>> }
>> }
>> }
>> }
>> }
>>
>> That will police regardless of the underlying address family.
>>
>> Cheers,
>>
>> Ben
>
>
>
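
The effect of pointing the inet and inet6 filters at one shared policer instance instead of one instance per family, as an added example that is not part of the original post. It is a simplified token-bucket model (an assumption, not Junos's implementation) using the 30m bandwidth-limit and 1875000 burst-size-limit from the policer above; the offered traffic, packet size and function names are constructed.

```python
# Simplified single-rate two-colour policer: one token bucket, packets that
# do not conform are discarded. Tokens are kept in bit-microseconds so the
# arithmetic stays in exact integers.
SCALE = 8_000_000  # bits per byte * microseconds per second

class Policer:
    def __init__(self, bandwidth_bps, burst_bytes):
        self.rate = bandwidth_bps
        self.cap = burst_bytes * SCALE
        self.tokens = self.cap       # bucket starts full
        self.last_us = 0

    def conforms(self, now_us, size_bytes):
        refill = self.rate * (now_us - self.last_us)
        self.tokens = min(self.cap, self.tokens + refill)
        self.last_us = now_us
        cost = size_bytes * SCALE
        if cost > self.tokens:
            return False             # models "then discard"
        self.tokens -= cost
        return True

def steady_state_bps(shared, bandwidth_bps=30_000_000, burst_bytes=1_875_000,
                     seconds=10, pkt_bytes=1500, gap_us=200):
    """Offer 30 Mbit/s of IPv4 plus 30 Mbit/s of IPv6 (constructed traffic) and
    return the aggregate accepted rate over the second half of the run, after
    the initial burst allowance has drained."""
    v4 = Policer(bandwidth_bps, burst_bytes)
    v6 = v4 if shared else Policer(bandwidth_bps, burst_bytes)
    end_us = seconds * 1_000_000
    passed = 0
    for i, now in enumerate(range(0, end_us, gap_us)):
        policer = v4 if i % 2 == 0 else v6   # the two families alternate
        if policer.conforms(now, pkt_bytes) and now >= end_us // 2:
            passed += pkt_bytes
    return passed * 8 * 2 // seconds         # bits accepted per second

if __name__ == "__main__":
    print("one policer per family:", steady_state_bps(shared=False), "bit/s")
    print("one shared policer:    ", steady_state_bps(shared=True), "bit/s")
```
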


Re: [j-nsp] BRAS IPv4/IPv6 Combined Policer & RADIUS Attributes

2014-11-02 Thread Darren Liew
Hi Guys,

Thanks for all the suggestions. Part of my requirement is also to integrate
with the RADIUS attributes, so that we can dynamically control different users
with different bandwidth according to their subscriptions & along with the
service accounting.

I'll give it a try together with the RADIUS attributes (ingress / egress
filter) to see if it works with the dynamic variable below.

Thanks for all the suggestions. Will update shortly.

users@lab-bng# ...-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" filter input ?
Possible completions:
Name of filter applied to received packets
  $junos-input-filter  Dynamic profile input filter
  $junos-input-ipv6-filter  Dynamic profile input v6 filter

Rgds
Darren

On Mon, Nov 3, 2014 at 6:51 AM, Ben Dale  wrote:

> Hi Darren,
>
> >
> > Our requirement is per below. For example, the bandwidth package is
> 5Mbps.
> > The IPv4 & IPv6 should be policed jointly to bandwidth of 5Mbps rather
> than
> > individual IPv4 or IPv6 family policing. If policing is done individually
> > for IPv4 (5Mbps) and for IPv6 (5Mbps), the user is getting bandwidth of
> > 10Mbps jointly  which we tried to avoid.
>
>
> Modify your PPPoE template so that you're applying the filter under
> "$junos-interface-unit" rather than the address family:
>
> PPPOE-IP-PROFILE {
> interfaces {
> pp0 {
> unit "$junos-interface-unit" {
> ppp-options {
> pap;
> }
> pppoe-options {
> underlying-interface "$junos-underlying-interface";
> server;
> }
> filter {
> input 5m;
> output 5m;
> }
> family inet {
> unnumbered-address "$junos-loopback-interface";
> }
> family inet6 {
> unnumbered-address "$junos-loopback-interface";
> }
> }
> }
> }
> }
>
> That will police regardless of the underlying address family.
>
> Cheers,
>
> Ben


Re: [j-nsp] BRAS IPv4/IPv6 Combined Policer & RADIUS Attributes

2014-11-02 Thread Ben Dale
Hi Darren,

> 
> Our requirement is per below. For example, the bandwidth package is 5Mbps.
> The IPv4 & IPv6 should be policed jointly to bandwidth of 5Mbps rather than
> individual IPv4 or IPv6 family policing. If policing is done individually
> for IPv4 (5Mbps) and for IPv6 (5Mbps), the user is getting bandwidth of
> 10Mbps jointly  which we tried to avoid.


Modify your PPPoE template so that you're applying the filter under 
"$junos-interface-unit" rather than the address family:

PPPOE-IP-PROFILE {
    interfaces {
        pp0 {
            unit "$junos-interface-unit" {
                ppp-options {
                    pap;
                }
                pppoe-options {
                    underlying-interface "$junos-underlying-interface";
                    server;
                }
                filter {
                    input 5m;
                    output 5m;
                }
                family inet {
                    unnumbered-address "$junos-loopback-interface";
                }
                family inet6 {
                    unnumbered-address "$junos-loopback-interface";
                }
            }
        }
    }
}

That will police regardless of the underlying address family.

Cheers,

Ben


Re: [j-nsp] BRAS IPv4/IPv6 Combined Policer & RADIUS Attributes

2014-10-31 Thread Chuck Anderson
On Fri, Oct 31, 2014 at 05:17:40PM +0800, Darren Liew wrote:
> Hi Team,
> 
> Has anyone has experience deploying dual-stack services on Juniper BRAS?
> 
> Our requirement is per below. For example, the bandwidth package is 5Mbps.
> The IPv4 & IPv6 should be policed jointly to bandwidth of 5Mbps rather than
> individual IPv4 or IPv6 family policing. If policing is done individually
> for IPv4 (5Mbps) and for IPv6 (5Mbps), the user is getting bandwidth of
> 10Mbps jointly  which we tried to avoid.
> 
> We would like to ask our experts on how to implement joint policing for
> IPv4/IPv6 dual stack and the relevant RADIUS attributes we should use in
> case we want to trigger the policing filter from the RADIUS.

I believe you want a Logical Interface (Aggregate) Policer:

https://www.juniper.net/documentation/en_US/junos12.3/topics/concept/policer-types.html#jd0e170

https://www.juniper.net/documentation/en_US/junos12.3/topics/example/policer-logical-interface-aggregate-example-single-rate-two-color.html


[j-nsp] BRAS IPv4/IPv6 Combined Policer & RADIUS Attributes

2014-10-31 Thread Darren Liew
Hi Team,

Has anyone had experience deploying dual-stack services on Juniper BRAS?

Our requirement is per below. For example, the bandwidth package is 5Mbps.
The IPv4 & IPv6 should be policed jointly to bandwidth of 5Mbps rather than
individual IPv4 or IPv6 family policing. If policing is done individually
for IPv4 (5Mbps) and for IPv6 (5Mbps), the user is getting bandwidth of
10Mbps jointly, which we tried to avoid.

We would like to ask our experts on how to implement joint policing for
IPv4/IPv6 dual stack and the relevant RADIUS attributes we should use in
case we want to trigger the policing filter from the RADIUS.

Our current sample of script with individual IPv4 and IPv6 family policing.

dynamic-profiles {
    VLAN-PPPOE-PROFILE {
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    encapsulation ppp-over-ether;
                    vlan-id "$junos-vlan-id";
                    pppoe-underlying-options {
                        dynamic-profile PPPOE-IP-PROFILE;
                    }
                }
            }
        }
    }
    PPPOE-IP-PROFILE {
        interfaces {
            pp0 {
                unit "$junos-interface-unit" {
                    ppp-options {
                        pap;
                    }
                    pppoe-options {
                        underlying-interface "$junos-underlying-interface";
                        server;
                    }
                    family inet {
                        filter {
                            input 5m;
                            output 5m;
                        }
                        unnumbered-address "$junos-loopback-interface";
                    }
                    family inet6 {
                        filter {
                            input 5m-v6;
                            output 5m-v6;
                        }
                        unnumbered-address "$junos-loopback-interface";
                    }
                }
            }
        }
    }
}

Advice much appreciated!

Rgds
Darren Liu