- play_arrow Subscriber Service Activation and Management
- play_arrow Subscriber Service Activation and Management
-
- play_arrow Configuring Dynamic Class of Service
- play_arrow CoS for Subscriber Access and Interfaces Overview
- play_arrow Configuring Scheduling and Shaping for Subscriber Access
- Configuring Traffic Scheduling and Shaping for Subscriber Access
- Configuring Schedulers in a Dynamic Profile for Subscriber Access
- Configuring Scheduler and Scheduler Map Sharing
- Example: Providing Unique Rate Configurations for Schedulers in a Dynamic Profile
- Example: Configuring Aggregate Scheduling of Queues for Residential Subscribers on Static IP Demux Interfaces
- Verifying the Scheduling and Shaping Configuration for Subscriber Access
- play_arrow Allocating Dedicated Queues for Each Logical Interface Using Per-Unit Scheduling
- play_arrow Configuring Hierarchical CoS Scheduling on MPLS Ethernet Pseudowire Subscriber Interfaces
- Enhanced Subscriber Management Subscriber Logical Interfaces or Interface Sets Over Underlying Logical Interfaces for a CoS scheduler Hierarchy
- Enhanced Subscriber Management Subscriber Logical Interfaces or Interface Sets Over MPLS Pseudowires for a CoS scheduler Hierarchy
- Configuring Layer 2 Subscriber Logical Interfaces for CoS Hierarchical Schedulers Using Dynamic Profiles for Differentiating Home and Access Node Networks
- Example: Configuring Layer 2 Subscriber Logical Interfaces for CoS Hierarchical Schedulers Using Static CoS for Differentiating Home and Access Node Networks
- play_arrow Configuring Dedicated Queue Scaling with Hierarchical CoS or Per-Unit Scheduling
- play_arrow Shaping Downstream Traffic Based on Frames or Cells
- Bandwidth Management for Downstream Traffic in Edge Networks Overview
- Configuring Dynamic Shaping Parameters to Account for Overhead in Downstream Traffic Rates
- Example: Configuring Dynamic Shaping Parameters to Account for Overhead in Downstream Traffic Rates
- Configuring Static Shaping Parameters to Account for Overhead in Downstream Traffic Rates
- Example: Configuring Static Shaping Parameters to Account for Overhead in Downstream Traffic Rates
- Setting Shaping Rate and Overhead Accounting Based on PPPoE Vendor-Specific Tags
- Configuring the Shaping Rate and Overhead Accounting Based on PPPoE Vendor-Specific Tags on Dynamic Subscriber Interfaces
- Reporting the Effective Shaping Rate for Subscribers
- Verifying the Effective Shaping Rate Reporting Configuration
- play_arrow Applying CoS to Households or Individual Subscribers Using ACI-Based Dynamic VLANs
- Applying CoS Attributes to VLANs Using Agent-Circuit-Identifiers
- Agent Circuit Identifier-Based Dynamic VLANs Bandwidth Management Overview
- Restrictions for Configuring Adjustment of CoS Shaping Rate and Overhead Accounting for Dynamic ACI Interface Sets
- Adjusting the CoS Shaping Rate and Overhead Accounting Parameters for Agent Circuit Identifier-Based Dynamic VLANs
- play_arrow Applying CoS to Households or Individual Subscribers Using Access Line Identifier Dynamic VLANs
- Applying CoS Attributes to VLANs Using Access-Line Identifiers
- Bandwidth Management Overview for Dynamic VLANs Based on Access-Line Identifiers
- Restrictions for Configuring Adjustment of CoS Shaping Rate and Overhead Accounting for Dynamic ALI Interface Sets
- Adjusting the CoS Shaping Rate and Overhead Accounting Parameters for Dynamic VLANs Based on Access-Line Identifiers
- play_arrow Managing Excess Bandwidth Distribution and Traffic Bursts
- play_arrow Applying CoS Using Parameters Received from RADIUS
- Subscriber Interfaces That Provide Initial CoS Parameters Dynamically Obtained from RADIUS
- Changing CoS Services Overview
- CoS Traffic Shaping Attributes for Dynamic Interface Sets and Member Subscriber Sessions Overview
- Guidelines for Configuring CoS Traffic Shaping Attributes for Dynamic Interface Sets and Member Subscriber Sessions
- Configuring Initial CoS Parameters Dynamically Obtained from RADIUS
- Configuring Static Default Values for Traffic Scheduling and Shaping
- Applying CoS Traffic-Shaping Attributes to Dynamic Interface Sets and Member Subscriber Sessions
- CoS Traffic Shaping Predefined Variables for Dynamic Interface Sets
- Example: Configuring Initial CoS Parameters Dynamically Obtained from RADIUS
- play_arrow Modifying a Subscriber’ s Shaping Characteristics After a Subscriber is Instantiated
- play_arrow Applying CoS to Groups of Subscriber Interfaces
- play_arrow Applying CoS to Subscriber Interfaces
- Applying Traffic Shaping and Scheduling to a Subscriber Interface in a Dynamic Profile
- Applying Minimal Shaping and Scheduling to Remaining Subscriber Traffic
- Applying a Rewrite Rule Definition to a Subscriber Interface in a Dynamic Profile
- Applying a Classifier to a Subscriber Interface in a Dynamic Profile
-
- play_arrow Configuring Dynamic Filters and Policers
- play_arrow Dynamic Firewall Filters Overview
- play_arrow Configuring Static Firewall Filters That Are Dynamically Applied
- play_arrow Streamlining Processing of Chains of Static Filters
- play_arrow Dynamically Attaching Static or Fast Update Filters to an Interface
- play_arrow Configuring Filters That Are Created Dynamically
- Parameterized Filters Overview
- Unique Identifiers for Firewall Variables
- Configuring Unique Identifiers for Parameterized Filters
- Sample Dynamic-Profile Configuration for Parameterized Filters
- Dynamic Profile After UID Substitutions for Parameterized Filters
- Multiple Parameterized Filters
- Parameterized Filter Processing Overview
- Parameterized Filters Configuration Considerations
- Guidelines for Creating and Applying Parameterized Filters for Subscriber Interfaces
- Parameterized Filter Match Conditions for IPv4 Traffic
- Parameterized Filter Match Conditions for IPv6 Traffic
- Parameterized Filter Nonterminating and Terminating Actions and Modifiers
- Firewall Filter Match Conditions for Protocol-Independent Traffic in Dynamic Service Profiles
- Firewall Filter Terminating and Nonterminating Actions for Protocol-Independent Traffic in Dynamic Service Profiles
- Interface-Shared Filters Overview
- Dynamically Attaching Filters Using RADIUS Variables
- Example: Implementing a Filter for Households That Use ACI-Based VLANs
- Example: Dynamic-Profile Parsing
- Example: Firewall Dynamic Profile
- Example: Configuring a Filter to Exclude DHCPv6 and ICMPv6 Control Traffic for LAC Subscriber
- play_arrow Using Ascend Data Filters to Implement Firewalls Based on RADIUS Attributes
- Ascend-Data-Filter Policies for Subscriber Management Overview
- Ascend-Data-Filter Attribute Fields
- Dynamically Applying Ascend-Data-Filter Policies to Subscriber Sessions
- Example: Configuring Dynamic Ascend-Data-Filter Support for Subscriber Access
- Example: Configuring Static Ascend-Data-Filter Support for Subscriber Access
- Verifying and Managing Dynamic Ascend-Data-Filter Policy Configuration
- play_arrow Configuring Fast Update Filters to Provide More Efficient Processing Over Classic Static Filters
- Fast Update Filters Overview
- Basic Fast Update Filter Syntax
- Configuring Fast Update Filters
- Example: Configuring Fast Update Filters for Subscriber Access
- Match Conditions and Actions in Fast Update Filters
- Configuring the Match Order for Fast Update Filters
- Fast Update Filter Match Conditions
- Fast Update Filter Actions and Action Modifiers
- Configuring Terms for Fast Update Filters
- Configuring Filters to Permit Expected Traffic
- Avoiding Conflicts When Terms Match
- Associating Fast Update Filters with Interfaces in a Dynamic Profile
- play_arrow Defending Against DoS and DDoS Attacks Using Unicast RPF and Fail Filters
- play_arrow Improving Scaling and Performance of Filters on Static Subscriber Interfaces
- play_arrow Configuring Dynamic Service Sets
- play_arrow Configuring Rate-Limiting Premium and Non-Premium Traffic on an Interface Using Hierarchical Policers
- play_arrow Monitoring and Managing Firewalls for Subscriber Access
-
- play_arrow Configuring Dynamic Multicast
- play_arrow Configuring Dynamic IGMP to Support IP Multicasting for Subscribers
- play_arrow Configuring Dynamic MLD to Enable Subscribers to Access Multicast Networks
-
- play_arrow Configuring Application-Aware Policy Control and Reporting
- play_arrow Configuring Application-Aware Policy Control
- Understanding Application-Aware Policy Control for Subscriber Management
- Understanding PCC Rules for Subscriber Management
- Configuring Application-Aware Policy Control for Subscriber Management
- Installing Services Packages for Subscriber Management Application-Aware Policy Management
- Configuring Service Data Flow Filters
- Configuring Policy and Charging Control Action Profiles for Subscriber Management
- Configuring Policy and Charging Control Rules
- Configuring a Policy and Charging Control Rulebase
- Configuring a Policy and Charging Enforcement Function Profile for Subscriber Management
- Identifying the Service Interface That Handles Subscriber Management Application-Aware Policy Control
- Configuring PCC Rule Activation in a Subscriber Management Dynamic Profile
- Enabling Direct PCC Rule Activation by a PCRF for Subscriber Management
- play_arrow Configuring Application Identification
- play_arrow Configuring Reporting for Application-Aware Data Sessions
- Logging and Reporting Function for Subscribers
- Log Dictionary for Template Types
- Configuring Logging and Reporting for Subscriber Management
- Installing Services Packages for Subscriber Management Logging and Reporting
- Configuring an LRF Profile for Subscribers
- Applying Logging and Reporting Configuration to a Subscriber Management Service Set
- Configuring the Activation of an LRF Rule by a PCC Rule
-
- play_arrow Configuring HTTP Redirect Services
- play_arrow Configuring Captive Portal Content Delivery Services for Redirected Subscribers
- HTTP Redirect Service Overview
- Remote HTTP Redirect Server Operation Flow
- Local HTTP Redirect Server Operation Flow (MX Series, ACX7100-48L, ACX7332 and ACX7348)
- Configuring MS-MPC-Based or MX-SPC3-Based Static HTTP Redirect Services
- Configuring MS-MPC-Based or MX-SPC3-Based Converged HTTP Redirect Services
- Configuring Routing Engine-Based, Static HTTP Redirect Services
- Configuring Routing Engine-Based, Converged HTTP Redirect Services
- Adding Subscriber Information to HTTP Redirect URLs
- How to Automatically Remove the HTTP Redirect Service After the Initial Redirect
- Example: Configuring HTTP Redirect Services Using a Next-Hop Method and Attaching It to a Static Interface
-
- play_arrow Configuring Subscriber Secure Policy
- play_arrow Configuring Subscriber Secure Policy Traffic Mirroring Overview
- play_arrow Configuring RADIUS-Initiated Subscriber Secure Policy Traffic Mirroring
- RADIUS-Initiated Subscriber Secure Policy Overview
- Subscriber Secure Policy Traffic Mirroring Architecture Using RADIUS
- RADIUS-Initiated Traffic Mirroring Interfaces
- RADIUS-Initiated Traffic Mirroring Process at Subscriber Login
- RADIUS-Initiated Traffic Mirroring Process for Logged-In Subscribers
- RADIUS Attributes Used for Subscriber Secure Policy
- Using the Packet Header to Track Subscribers on the Mediation Device
- Configuring RADIUS-Initiated Subscriber Secure Policy Mirroring Overview
- Guidelines for Configuring Subscriber Secure Policy Mirroring
- Configuring Support for Subscriber Secure Policy Mirroring
- Configuring RADIUS Server Support for Subscriber Secure Policy Mirroring
- Terminating RADIUS-Initiated Subscriber Traffic Mirroring
- play_arrow Configuring DTCP-Initiated Subscriber Secure Policy Traffic Mirroring
- DTCP-Initiated Subscriber Secure Policy Overview
- Subscriber Secure Policy Traffic Mirroring Architecture Using DTCP
- DTCP-Initiated Traffic Mirroring Interfaces
- DTCP-Initiated Traffic Mirroring Process
- DTCP Messages Used for Subscriber Secure Policy
- Packet Header for Mirrored Traffic Sent to Mediation Device
- Configuring DTCP-Initiated Subscriber Secure Policy Mirroring Overview
- Guidelines for Configuring Subscriber Secure Policy Mirroring
- Configuring Support for Subscriber Secure Policy Mirroring
- Configuring the Mediation Device as a User on the Router
- Configuring a DTCP-over-SSH Connection to the Mediation Device
- Configuring the Mediation Device to Provision Traffic Mirroring
- Disabling RADIUS-Initiated Subscriber Secure Policy Mirroring
- Example: Configuring Traffic That Is Mirrored Using DTCP-Initiated Subscriber Secure Policy
- Terminating DTCP-Initiated Subscriber Traffic Mirroring Sessions
- play_arrow Configuring DTCP Messages Used for DTCP-Initiated Subscriber Secure Policy Mirroring
- play_arrow Configuring Subscriber Secure Policy Support for IPv4 Multicast Traffic
- play_arrow Configuring Intercept-Related Information for Subscriber Secure Policy
-
- play_arrow Remote Device and Service Management
- play_arrow Configuring Remote Device Services Management
- play_arrow Configuring TCP Port Forwarding for Remote Subscriber Services
- play_arrow Configuring IPFIX Mediation for Remote Device Monitoring
- play_arrow Collection and Export of Local Telemetry Data on the IPFIX Mediator
-
- play_arrow Troubleshooting
- play_arrow Contacting Juniper Networks Technical Support
- play_arrow Knowledge Base
-
- play_arrow Configuration Statements and Operational Commands
- [OBSOLETE] applications (Services AACL)
- [OBSOLETE] application-group-any
- [OBSOLETE] application-groups (Services AACL)
- [OBSOLETE] destination-address (Application Aware Access List)
- [OBSOLETE] destination-address-range
- [OBSOLETE] destination-prefix-list (Services AACL)
- [OBSOLETE] from
- [OBSOLETE] match-direction
- [OBSOLETE] nested-applications
- [OBSOLETE] rule
- [OBSOLETE] rule-set
- [OBSOLETE] source-address (AACL)
- [OBSOLETE] source-address-range
- [OBSOLETE] source-prefix-list
- [OBSOLETE] term
- [OBSOLETE] then (Application Aware Access List)
- Junos CLI Reference Overview
Configuring AACL Rules
To configure an AACL rule, include the rule rule-name
statement at the [edit services aacl] hierarchy level:
rule rule-name { [OBSOLETE] match-direction (input | output | input-output); [OBSOLETE] term term-name { [OBSOLETE] from { [OBSOLETE] application-group-any; application-groups [ application-group-names ]; applications [ application-names ]; [OBSOLETE] destination-address (Application Aware Access List) address <any-unicast>; [OBSOLETE] destination-address-range low minimum-value high maximum-value; destination-prefix-list list-name; [OBSOLETE] nested-applications [ nested-application-names ]; nested-application-unknown source-address address <any-unicast>; [OBSOLETE] source-address-range low minimum-value high maximum-value; source-prefix-list list-name; } [OBSOLETE] then (Application Aware Access List) { (accept | discard); count (application | application-group | application-group-any | nested-application | none); forwarding-class class-name; policer policer-name; } } }
Each AACL rule consists of a set of terms, similar to a filter configured at the
[edit firewall] hierarchy level. A term consists of the
following:
fromstatement—Specifies the match conditions and applications that are included and excluded.thenstatement—Specifies the actions and action modifiers to be performed by the router software.
The following sections explain how to configure the components of AACL rules:
Configuring Match Direction for AACL Rules
Each rule must include a match-direction statement that specifies
the direction in which the rule match is applied. To configure where the match is
applied, include the match-direction statement at the [edit
services aacl rule rule-name] hierarchy level:
[OBSOLETE] match-direction (input | output | input-output);
If you configure match-direction input-output, bidirectional rule
creation is allowed.
The match direction is used with respect to the traffic flow through the services PIC or DPC. When a packet is sent to the PIC or DPC, direction information is carried along with it.
With an interface service set, packet direction is determined by whether a packet is entering or leaving the interface on which the service set is applied.
With a next-hop service set, packet direction is determined by the interface used to route the packet to the services PIC or DPC. If the inside interface is used to route the packet, the packet direction is input. If the outside interface is used to direct the packet to the PIC or DPC, the packet direction is output. For more information on inside and outside interfaces, see Configuring Service Sets to be Applied to Services Interfaces.
On the PIC or DPC, a flow lookup is performed. If no flow is found, rule processing is performed. All rules in the service set are considered. During rule processing, the packet direction is compared against rule directions. Only rules with direction information that matches the packet direction are considered.
Configuring Match Conditions in AACL Rules
To configure AACL match conditions, include the from statement at
the [edit services aacl rule rule-name term
term-name] hierarchy level:
from {
[OBSOLETE] application-group-any;
application-groups [ application-group-names ];
applications [ application-names ];
[OBSOLETE] destination-address (Application Aware Access List) address <any-unicast>;
[OBSOLETE] destination-address-range low minimum-value high maximum-value;
destination-prefix-list list-name;
[OBSOLETE] nested-applications [ nested-application-names ];
nested-application-unknown
source-address address <any-unicast>;
[OBSOLETE] source-address-range low minimum-value high maximum-value;
source-prefix-list list-name;
}
IPv4 and IPv6 source and destination addresses are supported. You can use either the source address or the destination address as a match condition, in the same way that you configure a firewall filter; for more information, see the Routing Policies, Firewall Filters, and Traffic Policers User Guide.
Alternatively, you can specify a list of source or destination prefixes by
configuring the prefix-list statement at the [edit
policy-options] hierarchy level and then including either the
destination-prefix-list or the
source-prefix-list statement in the AACL rule. For an example,
see Example: Configuring AACL Rules.
If you omit the from term, the AACL rule accepts all traffic and the
default protocol handlers take effect:
User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and Internet Control Message Protocol (ICMP) create a bidirectional flow with a predicted reverse flow.
IP creates a unidirectional flow.
You can also include application and application group definitions you have
configured at the [edit services application-identification]
hierarchy level; for more information, see the topics in
AACL Overview.
To apply one or more specific application protocol definitions, include the
applicationsstatement at the[edit services aacl rule rule-name term term-name from]hierarchy level.To apply one or more sets of application group definitions you have defined, include the
application-groupsstatement at the[edit services aacl rule rule-name term term-name from]hierarchy level.Note:If you include one of the statements that specifies application protocols, the router derives port and protocol information from the corresponding configuration at the
[edit services application-identification]hierarchy level; you cannot specify these properties as match conditions.To consider any application group defined in the database as a match, include the
application-group-anystatement at the[edit services aacl rule rule-name term term-name from]hierarchy level.To consider any nested application defined in the database a match, include the
nested-applicationsstatement at the[edit services aacl rule rule-name term term-name from]hierarchy level. Nested applications are protocols that run on a parent application. For example, if the Facebook application runs on the parent application junos:http, the nested application is junos:http:facebook.
Configuring Actions in AACL Rules
To configure AACL actions, include the then statement at the
[edit services aacl rule rule-name term
term-name] hierarchy level:
[OBSOLETE] then (Application Aware Access List) { (accept | discard); (count (application | application-group | application-group-any | nested-application | none) | forwarding-class class-name); }
You must include one of the following actions:
accept—The packet is accepted and sent on to its destination.discard—The packet is not accepted and is not processed further.
When you select accept as the action, you can optionally configure
one or both of the following action modifiers. No action modifiers are allowed with
the discard action.
count (application | application-group | application-group-any | nested-application | none)—For all accepted packets that match the rules, record a packet count using AACL statistics practices. You can specify one of the following options; there is no default setting:application—Count the application that matched in thefromclause.application-group—Count the application group that matched in thefromclause.application-group-any—Count all application groups that matchfrom application-group-anyunder theanygroup name.nested-application—Count all nested applications that matched in thefromclause.none—Same as not specifyingcountas an action.
forwarding-class class-name—Specify the packets’ forwarding-class name.
You can optionally include a policer that has been specified at the
[edit firewall] hierarchy level. Only the bit-rate and
burst-size properties specified for the policer are applied in the AACL rule set.
The only action application when a policer is configured is
discard. For more information on policer definitions, see the Routing Policies, Firewall Filters, and Traffic Policers User Guide.
Logging AACL Flows Based on Application
You can now log AACL flows based on application. You can select a specific application or request information on unknown applications.
You can now configure AACL rules to match unknown applications. All existing actions
that can apply to recognized applications can also apply to unknown applications.
You can use the following statements at the [edit services aacl rule
rule-name term term-name
from] hierarchy level:
application-group-any
application-groups
application-unknown
applications
nested-application-unknown
nested-applications
The addition of matching application-unknown enables the specific
logging of the input flows associated with applications that cannot be identified.
Because logging is triggered by an input event, you must specify
match-direction as input-output or
input.
To configure logging of flows for AACL, include the match-direction
input or match-direction input-output statement at the
[edit services aacl rule rule-name]
hierarchy level, include an applications or
application-unknown statement at the [edit services
aacl rule rule-name term term-name
from] hierarchy level, and include only one log
statement at the [edit services aacl rule rule-name term
term-name then] hierarchy level. The log
statements can include any of the following options:
session-startsession-endsession-start-end-no-statssession-start-interim-endsession-interim-endsession-end
