Example: Creating Access Policies for Subscribers
In this example, the service provider manages an interface on the router. The interface is associated with a subscriber. The access policy is a default policy that supports various types of subscribers and interfaces. Some examples are DHCP, static IP subscribers, and PPP subscribers.
The default policy installed on the interface sets the context of other services that the subscriber will activate later. The default policy can restrict subscriber access to the network or provide a default access. You can also use the default policy to create a walled garden effect by sending subscribers to the SSP server and requiring them to activate a service before they can access other services in the system. (The term walled garden is used to describe an environment in which a service provider limits a subscriber's access to Web content and services.)
The precedence of the policy rules in default policies is very important. When the related service is activated, the service policy needs a high priority (low value) so that the service policy is used instead of the default policy.
Types of Policies
The policy used for access depends on the type of services that it will be used for. Generally, policies with filter, forward, rate-limit or policer, and next-hop actions are used.
Sample Access Policies
This section contains examples of access policies for DHCP subscribers and PPP subscribers. In both of these examples, there are two content providers. Traffic destined for the content provider networks is sent to the residential portal by using a next-hop action that forwards traffic to the virtual IP address of the SSP. (See SRC-PE Sample Applications Guide.)
Traffic to the SSP has a high priority and is not affected by other service policies. This way, the subscriber can always access the SSP. Traffic from the network is forwarded without any restrictions.
DHCP Policy Group
Figure 32 shows a summary of the access policy for DHCP subscribers.
![]()
The following information shows the configuration details of the DHCP policy group in Figure 32.
policyGroupName=DHCP, ou=junose, ou=sample, o=Policies, o=umcPolicyList out
name=outpolicyRoles=JUNOSEapplicability=outputPolicyRule forwardpriority=500type=JUNOSEaccountingRule=falseClassifyTrafficConditionForward ActionPolicyList in
name=inpolicyRoles=JUNOSEapplicability=inputPolicyRule cp-to-ssppriority=500type=JUNOSEaccountingRule=falseClassifyTrafficCondition content-provider-network-1DestinationNetwork:ipAddress=10.20.40.0ipMask=255.255.255.0ipOperation=isClassifyTrafficCondition content-provider-network-2DestinationNetwork:ipAddress=172.16.0.0ipMask=0.0.255.255ipOperation=isNextHop ActionnextHopAddress=virtual_ipAddressPolicyRule forward-cl-dhcppriority=200type=JUNOSEaccountingRule=falseClassifyTrafficConditionprotocol=udpDestinationNetwork:ipAddress=0.0.0.0destination port=67Forward ActionPolicyRule forward-to-ssppriority=200type=JUNOSEaccountingRule=falseClassifyTrafficConditionDestinationNetwork:ipAddress=virtual_ipAddressipMask=255.255.255.255ipOperation=isForward ActionPPP Policy Group
Figure 33 shows a summary of the access policy for PPP subscribers.
![]()
The following information shows the configuration details of the PPP policy group in Figure 33.
policyGroupName=PPP, ou=junose, ou=sample, o=Policies, o=umcPolicyList out
name=outpolicyRoles=JUNOSEapplicability=outputPolicyRule: name=forwardpriority=500type=JUNOSEaccountingRule=falseForward ActionPolicyList in
name=inpolicyRoles=JUNOSEapplicability=inputPolicyRule: name=cp-to-ssppriority=500type=JUNOSEaccountingRule=falseClassifyTrafficCondition content-provider-network-1DestinationNetwork:ipAddress=10.10.40.0ipMask=255.255.255.0ipOperation=isClassifyTrafficCondition content-provider-network-2DestinationNetwork:ipAddress=172.16.0.0ipMask=255.255.0.0ipOperation=isNextHop ActionnextHopAddress=virtual_ipAddressPolicyRule: name=forward-to-ssppriority=200type=JUNOSEaccountingRule=falseClassifyTrafficCondition saeDestinationNetwork:ipAddress=virtual_ipAddressipMask=255.255.255.255ipOperation=isForward Action