
Dual Stack Per Session QoS BNG

3 weeks ago

Hi,

I am testing the dual-stack features of vMX BNG. To rate-limit the download and upload speed of a subscriber, I used the following configuration steps:

1- I defined a policer for download and a policer for upload.

2- I defined two firewall filters for inet (one for download and one for upload) and called those policers in these firewall filters.

3- For some security reasons, I configured another firewall filter and blocked certain traffic to and from the subscriber.

4- I called these security filters inside the firewall filters for QoS rate limiting.

5- Finally, during the AAA procedure, the names of the firewall filters for rate limiting will be passed from the RADIUS server to the BNG.

Up to this point everything works fine; I have both rate limiting and security features.

 

Now I want to embed IPv6. I did not test this yet, but I think I must do the same for IPv6 traffic as well if I want to have both rate-limiting and security features. Now the questions:

1- In practice, must I configure firewall filters for both IPv4 and IPv6?

2- Does this mean I must rate-limit IPv4 traffic and IPv6 traffic separately?

3- Is it possible to assign two Egress-Policy and two Ingress-Policy values via RADIUS AVP?

4- Is there any configuration method to skip this rate-limiting approach, have both security firewalls (inet and inet.6) in one filter, and do rate limiting on the entire session?

Here are the configurations:

Download Policer

jcluser@vMX1> show configuration firewall policer Policer_2M_Download
logical-bandwidth-policer;
if-exceeding {
    bandwidth-limit 1M;
    burst-size-limit 1M;
}
then discard;

Upload Policer

jcluser@vMX1> show configuration firewall policer Policer_1M_Upload
logical-interface-policer;
if-exceeding {
    bandwidth-limit 2m;
    burst-size-limit 2m;
}
then discard;

Download Policy

jcluser@vMX1> show configuration firewall
filter 2Mbps {
    interface-specific;
    enhanced-mode;
    term 1 {
        then {
            policer Policer_2M_Download;
            next term;
        }
    }
    term 3 {
        filter WWW-Attack;
    }
}

Upload Policy

jcluser@vMX1> show configuration firewall
filter 1Mbps {
    interface-specific;
    term 1 {
        then {
            policer Policer_1M_Upload;
            next term;
        }
    }
    term 3 {
        filter Attack;
    }
}

RADIUS Profile

ERX-Ingress-Policy-Name = 1Mbps,
ERX-Egress-Policy-Name = 2Mbps,

 

 

Thank you

5 REPLIES

Re: Dual Stack Per Session QoS BNG

3 weeks ago

Hi, you can configure the filter and policer inside a dynamic-profile and pass only the required attributes to the profile from the RADIUS server. This is more scalable than configuring many, many filters and policers.

 

> show configuration dynamic-profiles dp-internet
variables {
    inBW;
    outBW;
    inFilter uid;
    outFilter uid;
    inPlcr uid;
    outPlcr uid;
    inBrst equals "round($inBW*0.075)";
    outBrst equals "round($outBW*0.075)";
}
interfaces {
    demux0 {
        unit "$junos-interface-unit" {
            family inet {
                filter {
                    input "$inFilter" precedence 200;
                    output "$outFilter" precedence 200;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter "$inFilter" {
            interface-specific;
            term MATCHED_PREVIOUSLY {
                from {
                    service-filter-hit;
                }
                then accept;
            }
            term PROCESS {
                then {
                    policer "$inPlcr";
                    service-accounting;
                    forwarding-class best-effort;
                    service-filter-hit;
                    accept;
                }
            }
        }
        filter "$outFilter" {
            interface-specific;
            term MATCHED_PREVIOUSLY {
                from {
                    service-filter-hit;
                }
                then accept;
            }
            term INTERNET {
                then {
                    policer "$outPlcr";
                    service-accounting;
                    forwarding-class best-effort;
                    service-filter-hit;
                    accept;
                }
            }
        }
    }
    policer "$inPlcr" {
        filter-specific;
        if-exceeding {
            bandwidth-limit "$inBW";
            burst-size-limit "$inBrst";
        }
        then discard;
    }
    policer "$outPlcr" {
        filter-specific;
        if-exceeding {
            bandwidth-limit "$outBW";
            burst-size-limit "$outBrst";
        }
        then discard;
    }
}


===================================================
If this solves your problem, please mark this post as "Accepted Solution".
If you think that my answer was helpful, please spend some Kudos.

Re: Dual Stack Per Session QoS BNG

3 weeks ago

Hi,

Thank you for the answer. What about the IPv6 counterpart?


Re: Dual Stack Per Session QoS BNG

3 weeks ago

Another question:

I don't use a demux interface; instead I am using a pp0 interface. Is this applicable?

Thank you


Re: Dual Stack Per Session QoS BNG

3 weeks ago

You can extend this filter to support IPv6 and logical interface filters.

Also, for the output direction you can use traffic-control-profile, if your line cards support this.

The same config is applicable for pp0.



===================================================
If this solves your problem, please mark this post as "Accepted Solution".
If you think that my answer was helpful, please spend some Kudos.
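
Added example, not part of any post in this thread: the input-direction IPv6 counterpart of the dp-internet profile from the earlier reply, written for pp0 and mirroring the terms of that reply's inet filter; the output direction follows the same pattern with "$outPlcr". The variable name inFilter6 is an assumption, and the profile is assumed to already enable family inet6 addressing on the unit. Because the policers in that profile are filter-specific, an inet6 filter that references "$inPlcr" gets its own policer instance, so IPv4 and IPv6 are each limited to $inBW rather than sharing one session-wide limit.

```junos
/* Added example: merge into dynamic-profiles dp-internet.      */
/* inFilter6 is an assumed variable name, not from the thread. */
variables {
    inFilter6 uid;
}
interfaces {
    pp0 {
        unit "$junos-interface-unit" {
            family inet6 {
                filter {
                    input "$inFilter6" precedence 200;
                }
            }
        }
    }
}
firewall {
    family inet6 {
        filter "$inFilter6" {
            interface-specific;
            term MATCHED_PREVIOUSLY {
                from {
                    service-filter-hit;
                }
                then accept;
            }
            term PROCESS {
                then {
                    /* filter-specific policer: this filter gets an  */
                    /* instance separate from the inet filter's one. */
                    policer "$inPlcr";
                    service-accounting;
                    forwarding-class best-effort;
                    service-filter-hit;
                    accept;
                }
            }
        }
    }
}
```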

Re: Dual Stack Per Session QoS BNG

3 weeks ago

Hi,

Thank you for the follow-up.

Two questions:

1- How can I apply a security firewall alongside policing? Consider that I have a firewall which blocks ICMP packets in and out of each session. How can I include that filter with this config as well?

2- What is the format of the AVP to pass the parameters?

Best Regards

Alireza 
