Discussion:
[j-nsp] BRAS IPv4/IPv6 Combined Policer & RADIUS Attributes
Darren Liew
2014-10-31 09:17:40 UTC
Hi Team,

Has anyone had experience deploying dual-stack services on Juniper BRAS?

Our requirement is per below. For example, the bandwidth package is 5Mbps.
The IPv4 & IPv6 should be policed jointly to bandwidth of 5Mbps rather than
individual IPv4 or IPv6 family policing. If policing is done individually
for IPv4 (5Mbps) and for IPv6 (5Mbps), the user is getting bandwidth of
10Mbps jointly which we tried to avoid.

We would like to ask our experts on how to implement joint policing for
IPv4/IPv6 dual stack and the relevant RADIUS attributes we should use in
case we want to trigger the policing filter from the RADIUS.

Our current sample script with individual IPv4 and IPv6 family policing:

dynamic-profiles {
    VLAN-PPPOE-PROFILE {
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    encapsulation ppp-over-ether;
                    vlan-id "$junos-vlan-id";
                    pppoe-underlying-options {
                        dynamic-profile PPPOE-IP-PROFILE;
                    }
                }
            }
        }
    }
    PPPOE-IP-PROFILE {
        interfaces {
            pp0 {
                unit "$junos-interface-unit" {
                    ppp-options {
                        pap;
                    }
                    pppoe-options {
                        underlying-interface "$junos-underlying-interface";
                        server;
                    }
                    family inet {
                        filter {
                            input 5m;
                            output 5m;
                        }
                        unnumbered-address "$junos-loopback-interface";
                    }
                    family inet6 {
                        filter {
                            input 5m-v6;
                            output 5m-v6;
                        }
                        unnumbered-address "$junos-loopback-interface";
                    }
                }
            }
        }
    }
}

Advice much appreciated!

Rgds
Darren Liu
_______________________________________________
juniper-nsp mailing list juniper-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Chuck Anderson
2014-10-31 14:04:02 UTC
Post by Darren Liew
Hi Team,
Has anyone has experience deploying dual-stack services on Juniper BRAS?
Our requirement is per below. For example, the bandwidth package is 5Mbps.
The IPv4 & IPv6 should be policed jointly to bandwidth of 5Mbps rather than
individual IPv4 or IPv6 family policing. If policing is done individually
for IPv4 (5Mbps) and for IPv6 (5Mbps), the user is getting bandwidth of
10Mbps jointly which we tried to avoid.
We would like to ask our experts on how to implement joint policing for
IPv4/IPv6 dual stack and the relevant RADIUS attributes we should use in
case we want to trigger the policing filter from the RADIUS.

I believe you want a Logical Interface (Aggregate) Policer:

https://www.juniper.net/documentation/en_US/junos12.3/topics/concept/policer-types.html#jd0e170

https://www.juniper.net/documentation/en_US/junos12.3/topics/example/policer-logical-interface-aggregate-example-single-rate-two-color.html
Ben Dale
2014-11-02 22:51:19 UTC
Hi Darren,
Post by Darren Liew
Our requirement is per below. For example, the bandwidth package is 5Mbps.
The IPv4 & IPv6 should be policed jointly to bandwidth of 5Mbps rather than
individual IPv4 or IPv6 family policing. If policing is done individually
for IPv4 (5Mbps) and for IPv6 (5Mbps), the user is getting bandwidth of
10Mbps jointly which we tried to avoid.

Modify your PPPoE template so that you're applying the filter under "$junos-interface-unit" rather than the address family:

PPPOE-IP-PROFILE {
    interfaces {
        pp0 {
            unit "$junos-interface-unit" {
                ppp-options {
                    pap;
                }
                pppoe-options {
                    underlying-interface "$junos-underlying-interface";
                    server;
                }
                filter {
                    input 5m;
                    output 5m;
                }
                family inet {
                    unnumbered-address "$junos-loopback-interface";
                }
                family inet6 {
                    unnumbered-address "$junos-loopback-interface";
                }
            }
        }
    }
}

That will police regardless of the underlying address family.

Cheers,

Ben
Darren Liew
2014-11-03 00:51:54 UTC
Hi Guys,

Thanks for all the suggestions. Part of my requirement is also to integrate
with the RADIUS attributes, so that we can dynamically control different users
with different bandwidth according to their subscriptions & along with the
service accounting.

I'll give it a try together with the RADIUS attributes (ingress / egress
filter) to see if it works with the dynamic variable below.

Thanks for all the suggestions. Will update shortly.

***@lab-bng# ...-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" filter input ?
Possible completions:
  <input>                    Name of filter applied to received packets
  $junos-input-filter        Dynamic profile input filter
  $junos-input-ipv6-filter   Dynamic profile input v6 filter

Rgds
Darren
Darren Liew
2014-11-04 05:43:57 UTC
Hi Team,

Just an update on the test result. It seems to be working with
logical-interface-policer. A summary of the approach:

1. firewall policer with "logical-interface-policer"
2. firewall family inet filter - referencing the same policer
3. firewall family inet6 filter - referencing the same policer

We can then maintain the same firewall filtering construct under the individual
protocol family. This has the advantage of being able to use RADIUS attributes
to issue ingress & egress filtering parameters.

I am yet to observe any performance issues if we were to deploy on a wider
scale. Will try to confirm with our system engineer shortly.

Thanks all for the suggestions! Will update further if there's any further
result!

set firewall policer 30m filter-specific
set firewall policer 30m logical-interface-policer
set firewall policer 30m if-exceeding bandwidth-limit 30m
set firewall policer 30m if-exceeding burst-size-limit 1875000
set firewall policer 30m then discard

set firewall family inet filter 30m interface-specific
set firewall family inet filter 30m enhanced-mode
set firewall family inet filter 30m term t0 from service-filter-hit
set firewall family inet filter 30m term t0 then accept
set firewall family inet filter 30m term t1 then policer 30m
set firewall family inet filter 30m term t1 then service-accounting
set firewall family inet filter 30m term t1 then service-filter-hit
set firewall family inet filter 30m term t1 then accept

set firewall family inet6 filter 30m-v6 interface-specific
set firewall family inet6 filter 30m-v6 enhanced-mode
set firewall family inet6 filter 30m-v6 term t0 from service-filter-hit
set firewall family inet6 filter 30m-v6 term t0 then accept
set firewall family inet6 filter 30m-v6 term t1 then policer 30m
set firewall family inet6 filter 30m-v6 term t1 then service-accounting
set firewall family inet6 filter 30m-v6 term t1 then service-filter-hit
set firewall family inet6 filter 30m-v6 term t1 then accept

set dynamic-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" family inet filter input 30m
set dynamic-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" family inet filter output 30m

set dynamic-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" family inet6 filter input 30m-v6
set dynamic-profiles PPPOE-IP-PROFILE interfaces pp0 unit "$junos-interface-unit" family inet6 filter output 30m-v6
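Added example (not part of the original posts): a simplified token-bucket model of the point this thread turns on, comparing one policer per address family against a single policer shared by both, using the 30m / 1875000 values from the configuration above. The names `Policer` and `steady_state_mbps` are hypothetical, and the model is an assumption for illustration, not Junos's forwarding-plane implementation.

```python
# Simplified single-rate two-color token-bucket model (an assumption for
# illustration; not Junos's forwarding-plane implementation).
class Policer:
    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0        # refill rate in bytes per second
        self.burst = burst_bytes          # bucket depth (burst-size-limit)
        self.tokens = float(burst_bytes)  # bucket starts full
        self.last = 0.0

    def admit(self, now, size):
        """Refill for the elapsed time, then pass the packet or discard it."""
        refill = (now - self.last) * self.rate
        self.tokens = min(self.burst, self.tokens + refill)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                      # models "then discard"


def steady_state_mbps(shared, rate_bps=30_000_000, burst=1_875_000,
                      offered_bps=30_000_000, seconds=10, pkt=1500):
    """Offer `offered_bps` of IPv4 and the same of IPv6 on one subscriber
    unit. Return the admitted total in Mbps over the second half of the
    run, after the initial burst allowance has drained."""
    v4 = Policer(rate_bps, burst)
    # shared=True: both families reference the same bucket
    # shared=False: each family gets its own bucket
    v6 = v4 if shared else Policer(rate_bps, burst)
    pps = offered_bps // (8 * pkt)        # packets per second per family
    steps = pps * seconds
    admitted = 0
    for i in range(steps):
        now = i / pps
        for policer in (v4, v6):          # one IPv4 and one IPv6 packet per tick
            if policer.admit(now, pkt) and i >= steps // 2:
                admitted += pkt
    return admitted * 8 / (seconds / 2) / 1e6


if __name__ == "__main__":
    print("per-family policers:", steady_state_mbps(shared=False), "Mbps")
    print("one shared policer :", steady_state_mbps(shared=True), "Mbps")
```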
Miquel van Smoorenburg
2014-11-10 00:11:11 UTC
Post by Darren Liew
Hi Guys,
Thanks for all the suggestion. Part of my requirement is also to integrate
with the RADIUS attributes, so that we can dynamic control different users
with different bandwidth according to their subscriptions & along with the
service accounting.

OK, then you want something like this:

dynamic-profiles {
    pppoe-subscriber-profile {
        predefined-variable-defaults {
            cos-shaping-mode frame-mode;
            cos-byte-adjust 0;
            cos-shaping-rate 2m;
        }
        class-of-service {
            traffic-control-profiles {
                tc-profile {
                    shaping-rate "$junos-cos-shaping-rate";
                    overhead-accounting "$junos-cos-shaping-mode" bytes "$junos-cos-byte-adjust";
                }
            }
            interfaces {
                pp0 {
                    unit "$junos-interface-unit" {
                        output-traffic-control-profile tc-profile;
                    }
                }
            }
        }
    }
}

The RADIUS attributes you need to send are:

for cos-shaping-rate: ERX-Qos-Shaping-Pmt-Type = "T02 <speed-in-kbps>k"
for cos-shaping-mode: ERX-Qos-Shaping-Pmt-Type = "T07 cell-mode" or "T07 frame-mode"
for cos-byte-adjust:  ERX-Qos-Shaping-Pmt-Type = "T08 <bytes>"

The ERX-Qos-Shaping-Pmt-Type attribute is a VSA, vendor 4874, attr 108.

I'd also add a scheduler-map to the tc-profile part (left out for brevity).

See also
http://www.juniper.net/techpubs/en_US/junos13.3/topics/example/cos-subscriber-access-downstream-dynamic.html

And definitely study
http://www.juniper.net/us/en/training/jnbooks/day-one/networking-technologies-series/dynamic-subscriber-management/

Mike.
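
Added example (not part of the original post): how the three values listed above would be laid out on the wire as RADIUS Vendor-Specific attributes (type 26, RFC 2865), with a strict parser that rejects inconsistent lengths. The vendor number 4874 and attribute number 108 are taken from the post; the function names and the 5000 kbps sample are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS Vendor-Specific attribute type (RFC 2865, 5.26)
VENDOR_ID = 4874       # vendor number quoted in the post
PMT_TYPE = 108         # ERX-Qos-Shaping-Pmt-Type number quoted in the post

def encode_vsa(value, vendor_id=VENDOR_ID, vtype=PMT_TYPE):
    """Wrap one string as Type | Length | Vendor-Id | vtype | vlen | data."""
    data = value.encode("ascii")
    vlen = 2 + len(data)            # vendor length covers vtype, vlen and data
    total = 2 + 4 + vlen            # outer length covers the whole attribute
    if total > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    header = struct.pack("!BBIBB", VENDOR_SPECIFIC, total, vendor_id, vtype, vlen)
    return header + data

def shaping_attributes(kbps, mode="frame-mode", byte_adjust=0):
    """Build the T02/T07/T08 values from the post for one subscriber."""
    if mode not in ("cell-mode", "frame-mode"):
        raise ValueError("mode must be cell-mode or frame-mode")
    values = (f"T02 {int(kbps)}k", f"T07 {mode}", f"T08 {int(byte_adjust)}")
    return b"".join(encode_vsa(v) for v in values)

def decode_vsas(blob):
    """Parse a run of attributes strictly; return (vendor, vtype, text) per VSA."""
    found, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("attribute length out of bounds")
        body = blob[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            if len(body) < 6:
                raise ValueError("VSA too short for vendor header")
            vendor, vtype, vlen = struct.unpack("!IBB", body[:6])
            if vlen != len(body) - 4:   # this sketch expects one sub-attribute
                raise ValueError("vendor length does not match attribute length")
            found.append((vendor, vtype, body[6:].decode("ascii")))
        pos += alen
    return found

if __name__ == "__main__":
    wire = shaping_attributes(5000)     # constructed sample: 5 Mbps package
    print(wire.hex())
    print(decode_vsas(wire))
```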