Junos
Highlighted
Junos

Accounting Subscriber based on Specific IP traffic

‎09-19-2020 12:03 AM

Hi

I am test JMX BNG feature, I want to Define several services as follow:

1-Serivce#1,Traffic from Subscriber to 1.1.1.1 and vice versa(CLASS01)

2-Service#2,Traffic from Subscriber to 2.2.2.2 and vice versa(CLASS02)

3-Service#3,Traffic from Subscriber to 3.3.3.3 and vice versa(CLASS03)

I am using following document:

https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/subscriber-acce...

It confused me. It was mentioned I can do this by using dynamic-profiles. Now Questions:

1- I already define a dynamic-profile for PPPoE session. Do I need to define the mentioned service in different dynamic profiles or the one which handles PPPoE sessions?

2- There are several filter types in mentioned document. which type of filter I must use?

3- I just want to accounting on passed traffic in each class. There are two QoS policies for rate limiting the entire session

I attached the configuration

 

Attachments

4 REPLIES 4
Highlighted
Junos

Re: Accounting Subscriber based on Specific IP traffic

‎09-19-2020 12:44 AM

1) if you want account traffic for each service separately , then yes, you need different dynamic-profile for each service

you should set precedence for filter in each dynamic-profile to defie in which order these profiles (filters) will be executed.

Dont forget to add service-filter-hit when filter matches traffic 

and skip already matched traffic in next filter

Should be something like this 

firewall {
    family inet {
        filter "$inFilter" {
            interface-specific;
            term MATCHED_PREVIOUSLY {
                from {
                    service-filter-hit;  <<<< if traffic already matched in previous dynamic-profile 
                }
                then accept;
            }
            term PROCESS {
                then {
                    policer "$inPlcr";
                    service-accounting;
                    service-filter-hit;
                    accept;
                }
            }
        }

 

 



===================================================
If this solves your problem, please mark this post as "Accepted Solution".
If you think that my answer was helpful, please spend some Kudos.
Highlighted
Junos

Re: Accounting Subscriber based on Specific IP traffic

‎09-19-2020 12:48 AM

Hi

Thank you for the tip.

My problem is the service is not applied to the subscriber session. would you please provide an example for dynamic profile configuration based on configuration in your answer?

Thank you

Highlighted
Junos

Re: Accounting Subscriber based on Specific IP traffic

‎09-19-2020 02:40 AM

Hi

Here is my detail steps of configuration:

1) I configured an access-profile as follow:

set access profile aaa-profile authentication-order radius
set access profile aaa-profile radius authentication-server 10.100.12.2
set access profile aaa-profile radius accounting-server 10.100.12.2
set access profile aaa-profile radius options interface-description-format exclude-sub-interface
set access profile aaa-profile radius options nas-identifier 10.10.10.10
set access profile aaa-profile radius options accounting-session-id-format decimal
set access profile aaa-profile radius options service-activation extensible-service required-at-login
set access profile aaa-profile radius options service-activation dynamic-profile required-at-login
set access profile aaa-profile radius-server 10.100.12.2 port 1812
set access profile aaa-profile radius-server 10.100.12.2 accounting-port 1813
set access profile aaa-profile radius-server 10.100.12.2 secret "$9$EgUyvLdVYoaUdb4ZGDPf"
set access profile aaa-profile radius-server 10.100.12.2 timeout 10
set access profile aaa-profile radius-server 10.100.12.2 retry 10
set access profile aaa-profile radius-server 10.100.12.2 source-address 10.10.10.10
set access profile aaa-profile accounting order radius
set access profile aaa-profile accounting accounting-stop-on-failure
set access profile aaa-profile accounting accounting-stop-on-access-deny
set access profile aaa-profile accounting coa-immediate-update
set access profile aaa-profile accounting update-interval 10
set access profile aaa-profile accounting statistics volume-time
set access profile aaa-profile service accounting-order radius
set access profile aaa-profile service accounting update-interval 10
set access profile aaa-profile service accounting statistics volume-time
set access address-assignment pool POOL1 family inet network 192.168.120.0/24

 

2- I configured a dyanmic profile for PPPoE termination, It was applied on Ge-0/0/0.801:

set dynamic-profiles Virtual-Template1 interfaces pp0 unit "$junos-interface-unit" ppp-options pap
set dynamic-profiles Virtual-Template1 interfaces pp0 unit "$junos-interface-unit" pppoe-options underlying-interface "$junos-underlying-interface"
set dynamic-profiles Virtual-Template1 interfaces pp0 unit "$junos-interface-unit" pppoe-options server
set dynamic-profiles Virtual-Template1 interfaces pp0 unit "$junos-interface-unit" family inet unnumbered-address lo0.0

3- I create following dynamic profile for CLASS01:

set dynamic-profiles CLASS01 variables filter mandatory
set dynamic-profiles CLASS01 variables filter uid-reference
set dynamic-profiles CLASS01 interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter input "$filter"
set dynamic-profiles CLASS01 interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet filter input precedence 10
set firewall family inet filter CLASS01 term 1 from source-address 1.1.1.1/32
set firewall family inet filter CLASS01 term 1 then service-accounting
set firewall family inet filter CLASS01 term 1 then service-filter-hit
set firewall family inet filter CLASS01 term 1 then accept

4- The Dynamic profile is assigned to subscriber via RADIUS AVP ERX-Activate-Service(I am using FreeRadius)

5- The Session will be established but the service is not activated on the session:

jcluser@vMX1> show subscribers extensive
Type: PPPoE
User Name: 217625test2
IP Address: 192.168.120.30
IP Netmask: 255.255.255.255
Primary DNS Address: 4.2.2.4
Secondary DNS Address: 8.8.8.8
Logical System: default
Routing Instance: default
Interface: pp0.3221225502
Interface type: Dynamic
Underlying Interface: ge-0/0/0.801
Dynamic Profile Name: Virtual-Template1
MAC Address: 00:0c:29:0b:ff:59
Session Timeout (seconds): 172800
State: Active
Radius Accounting ID: 38
Session ID: 38
PFE Flow ID: 49
VLAN Id: 801
Agent Circuit ID: ge-0/0/0:801
Login Time: 2020-09-19 09:44:26 UTC
IP Address Pool: POOL1
Accounting interval: 600
Dynamic configuration:
junos-output-service-filter: CLASS01

Only the Filter name for Service is applied. 

What is the main reason for this issue?

I attached the whole configuration as well.

Thank you

Attachments

Highlighted
Junos
Solution
Accepted by topic author Asoltanian
‎09-19-2020 09:31 PM

Re: Accounting Subscriber based on Specific IP traffic

‎09-19-2020 09:31 PM

Hi

I figured it out, I must use RADIUS VSA with following format

ERX-Service-Activate:1 := Service name

Feedback