Re: [j-nsp] BRAS IPv4/IPv6 Combined Policer & RADIUS Attributes
On 03/11/14 01:51, Darren Liew wrote: Hi Guys, Thanks for all the suggestion. Part of my requirement is also to integrate with the RADIUS attributes, so that we can dynamic control different users with different bandwidth according to their subscriptions & along with the service accounting. OK, then you want something like this: dynamic-profiles { pppoe-subscriber-profile { predefined-variable-defaults { cos-shaping-mode frame-mode; cos-byte-adjust 0; cos-shaping-rate 2m; } class-of-service { traffic-control-profiles { tc-profile { shaping-rate "$junos-cos-shaping-rate"; overhead-accounting "$junos-cos-shaping-mode" bytes "$junos-cos-byte-adjust"; } } interfaces { pp0 { unit "$junos-interface-unit" { output-traffic-control-profile tc-profile; } } } } } } The radius attributes you need to send are: for cos-shaping-rate: ERX-Qos-Shaping-Pmt-Type = "T02 k" for cos-shaping-mode: ERX-Qos-Shaping-Pmt-Type = "T07 cell-mode" or "T07 frame-mode" for cos-byte-adjust: ERX-Qos-Shaping-Pmt-Type = "T08 " the ERX-Qos-Shaping-Pmt-Type attribute is a VSA, vendor 4874, attr 108 I'd also add a scheduler-map to the tc-profile part (left out for brevity) See also http://www.juniper.net/techpubs/en_US/junos13.3/topics/example/cos-subscriber-access-downstream-dynamic.html And definitely study http://www.juniper.net/us/en/training/jnbooks/day-one/networking-technologies-series/dynamic-subscriber-management/ Mike. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] BRAS IPv4/IPv6 Combined Policer & RADIUS Attributes
Hi Team, Just some update on test result. It seems to be working with logical-interface-policer. Summary of the approach is 1. firewall policer with "logical-interface-policer" 2. firewall family inet filter - referencing to the same policer 3. firewall family inet6 filter - referencing to the same policer We can then maintain the same firewall filtering construct under individual protocol family. This has advantage of able to use RADIUS attributes to issue ingress & egress filtering parameter. I am yet to observe any performance issues if we were to deploy in wider scale. Will try to confirm with our system engineer shortly. Thanks all for the suggestion ! Will update further if there's any further result ! set firewall policer 30m filter-specific set firewall policer 30m logical-interface-policer set firewall policer 30m if-exceeding bandwidth-limit 30m set firewall policer 30m if-exceeding burst-size-limit 1875000 set firewall policer 30m then discard set firewall family inet filter 30m interface-specific set firewall family inet filter 30m enhanced-mode set firewall family inet filter 30m term t0 from service-filter-hit set firewall family inet filter 30m term t0 then accept set firewall family inet filter 30m term t1 then policer 30m set firewall family inet filter 30m term t1 then service-accounting set firewall family inet filter 30m term t1 then service-filter-hit set firewall family inet filter 30m term t1 then accept set firewall family inet6 filter 30m-v6 interface-specific set firewall family inet6 filter 30m-v6 enhanced-mode set firewall family inet6 filter 30m-v6 term t0 from service-filter-hit set firewall family inet6 filter 30m-v6 term t0 then accept set firewall family inet6 filter 30m-v6 term t1 then policer 30m set firewall family inet6 filter 30m-v6 term t1 then service-accounting set firewall family inet6 filter 30m-v6 term t1 then service-filter-hit set firewall family inet6 filter 30m-v6 term t1 then accept set dynamic-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" family inet filter input 30m set dynamic-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" family inet filter output 30m set dynamic-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" family inet6 filter input 30m-v6 set dynamic-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" family inet6 filter output 30m-v6 On Mon, Nov 3, 2014 at 8:51 AM, Darren Liew wrote: > Hi Guys, > > Thanks for all the suggestion. Part of my requirement is also to integrate > with the RADIUS attributes, so that we can dynamic control different users > with different bandwidth according to their subscriptions & along with the > service accounting. > > I'll give it a try together with the RADIUS attributes (ingress / egress > filter) to see if it works with the dynamic variable below. > > Thanks for all the suggestion. Will update shortly. > > users@lab-bng# ...-profiles PPPOE-IP-PROFILE interfaces pp0 unit > "$junos-interface-unit" filter input ? > Possible completions: > Name of filter applied to received packets > $junos-input-filter Dynamic profile input filter > $junos-input-ipv6-filter Dynamic profile input v6 filter > > Rgds > Darren > > On Mon, Nov 3, 2014 at 6:51 AM, Ben Dale wrote: > >> Hi Darren, >> >> > >> > Our requirement is per below. For example, the bandwidth package is >> 5Mbps. >> > The IPv4 & IPv6 should be policed jointly to bandwidth of 5Mbps rather >> than >> > individual IPv4 or IPv6 family policing. If policing is done >> individually >> > for IPv4 (5Mbps) and for IPv6 (5Mbps), the user is getting bandwidth of >> > 10Mbps jointly which we tried to avoid. >> >> >> Modify your PPPoE template so that you're applying the filter under >> "$junos-interface-unit" rather than the address family: >> >> PPPOE-IP-PROFILE { >> interfaces { >> pp0 { >> unit "$junos-interface-unit" { >> ppp-options { >> pap; >> } >> pppoe-options { >> underlying-interface "$junos-underlying-interface"; >> server; >> } >> filter { >> input 5m; >> output 5m; >> } >> family inet { >> unnumbered-address "$junos-loopback-interface"; >> } >> family inet6 { >> unnumbered-address "$junos-loopback-interface"; >> } >> } >> } >> } >> } >> >> That will police regardless of the underlying address family. >> >> Cheers, >> >> Ben > > > ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] BRAS IPv4/IPv6 Combined Policer & RADIUS Attributes
Hi Guys, Thanks for all the suggestion. Part of my requirement is also to integrate with the RADIUS attributes, so that we can dynamic control different users with different bandwidth according to their subscriptions & along with the service accounting. I'll give it a try together with the RADIUS attributes (ingress / egress filter) to see if it works with the dynamic variable below. Thanks for all the suggestion. Will update shortly. users@lab-bng# ...-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" filter input ? Possible completions: Name of filter applied to received packets $junos-input-filter Dynamic profile input filter $junos-input-ipv6-filter Dynamic profile input v6 filter Rgds Darren On Mon, Nov 3, 2014 at 6:51 AM, Ben Dale wrote: > Hi Darren, > > > > > Our requirement is per below. For example, the bandwidth package is > 5Mbps. > > The IPv4 & IPv6 should be policed jointly to bandwidth of 5Mbps rather > than > > individual IPv4 or IPv6 family policing. If policing is done individually > > for IPv4 (5Mbps) and for IPv6 (5Mbps), the user is getting bandwidth of > > 10Mbps jointly which we tried to avoid. > > > Modify your PPPoE template so that you're applying the filter under > "$junos-interface-unit" rather than the address family: > > PPPOE-IP-PROFILE { > interfaces { > pp0 { > unit "$junos-interface-unit" { > ppp-options { > pap; > } > pppoe-options { > underlying-interface "$junos-underlying-interface"; > server; > } > filter { > input 5m; > output 5m; > } > family inet { > unnumbered-address "$junos-loopback-interface"; > } > family inet6 { > unnumbered-address "$junos-loopback-interface"; > } > } > } > } > } > > That will police regardless of the underlying address family. > > Cheers, > > Ben ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] BRAS IPv4/IPv6 Combined Policer & RADIUS Attributes
Hi Darren, > > Our requirement is per below. For example, the bandwidth package is 5Mbps. > The IPv4 & IPv6 should be policed jointly to bandwidth of 5Mbps rather than > individual IPv4 or IPv6 family policing. If policing is done individually > for IPv4 (5Mbps) and for IPv6 (5Mbps), the user is getting bandwidth of > 10Mbps jointly which we tried to avoid. Modify your PPPoE template so that you're applying the filter under "$junos-interface-unit" rather than the address family: PPPOE-IP-PROFILE { interfaces { pp0 { unit "$junos-interface-unit" { ppp-options { pap; } pppoe-options { underlying-interface "$junos-underlying-interface"; server; } filter { input 5m; output 5m; } family inet { unnumbered-address "$junos-loopback-interface"; } family inet6 { unnumbered-address "$junos-loopback-interface"; } } } } } That will police regardless of the underlying address family. Cheers, Ben ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] BRAS IPv4/IPv6 Combined Policer & RADIUS Attributes
On Fri, Oct 31, 2014 at 05:17:40PM +0800, Darren Liew wrote: > Hi Team, > > Has anyone has experience deploying dual-stack services on Juniper BRAS? > > Our requirement is per below. For example, the bandwidth package is 5Mbps. > The IPv4 & IPv6 should be policed jointly to bandwidth of 5Mbps rather than > individual IPv4 or IPv6 family policing. If policing is done individually > for IPv4 (5Mbps) and for IPv6 (5Mbps), the user is getting bandwidth of > 10Mbps jointly which we tried to avoid. > > We would like to ask our experts on how to implement joint policing for > IPv4/IPv6 dual stack and the relevant RADIUS attributes we should use in > case we want to trigger the policing filter from the RADIUS. I believe you want a Logical Interface (Aggregate) Policer: https://www.juniper.net/documentation/en_US/junos12.3/topics/concept/policer-types.html#jd0e170 https://www.juniper.net/documentation/en_US/junos12.3/topics/example/policer-logical-interface-aggregate-example-single-rate-two-color.html ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] BRAS IPv4/IPv6 Combined Policer & RADIUS Attributes
Hi Team, Has anyone has experience deploying dual-stack services on Juniper BRAS? Our requirement is per below. For example, the bandwidth package is 5Mbps. The IPv4 & IPv6 should be policed jointly to bandwidth of 5Mbps rather than individual IPv4 or IPv6 family policing. If policing is done individually for IPv4 (5Mbps) and for IPv6 (5Mbps), the user is getting bandwidth of 10Mbps jointly which we tried to avoid. We would like to ask our experts on how to implement joint policing for IPv4/IPv6 dual stack and the relevant RADIUS attributes we should use in case we want to trigger the policing filter from the RADIUS. Our current sample of script with individual IPv4 and IPv6 family policing. dynamic-profiles { VLAN-PPPOE-PROFILE { interfaces { "$junos-interface-ifd-name" { unit "$junos-interface-unit" { encapsulation ppp-over-ether; vlan-id "$junos-vlan-id"; pppoe-underlying-options { dynamic-profile PPPOE-IP-PROFILE; } } } } } PPPOE-IP-PROFILE { interfaces { pp0 { unit "$junos-interface-unit" { ppp-options { pap; } pppoe-options { underlying-interface "$junos-underlying-interface"; server; } family inet { filter { input 5m; output 5m; } unnumbered-address "$junos-loopback-interface"; } family inet6 { filter { input 5m-v6; output 5m-v6; } unnumbered-address "$junos-loopback-interface"; } } } } } Advises much appreciated ! Rgds Darren Liu ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp