Example: Configuring HTTP Redirect Services Using a Next-Hop Method and Attaching It to a Static Interface
This example shows how to configure HTTP redirect services using a next-hop method and attach them to a static interface.
Requirements
This example uses the following hardware and software components:
- MX240, MX480, or MX960 Universal Routing Platform with a Multiservices Modular PIC Concentrator (MS-MPC) and Multiservices Modular Interfaces Card (MS-MIC) installed.
- Junos OS Release 15.1 or later.
Before you begin:
- Configure the connection between the redirect server and the MX Series router.
- Define the source address (203.0.113.0/24 is used in this example).
- Define one or more interfaces used for subscriber traffic.
Overview
HTTP redirect and rewrite services are supported for both IPv4 and IPv6. You can attach an HTTP redirect service or service set to either a static or dynamic interface. For dynamic subscriber management, you can attach HTTP services or service sets dynamically at subscriber login or by using a change of authorization (CoA). Using a next-hop method, you can configure HTTP redirect services and attach them to a static interface.
Configuration
To configure HTTP redirect services using a next-hop method and attach it to a static interface, perform these tasks:
- CLI Quick Configuration
- Configuring the CPCD Services and Attaching Service Set to Static Interface
- Configuring the Package and Installation for CPCD
- Configuring the Static Interface, HTTP Redirect Filters, and Interface Service Options
- Configuring the Additional Routing Instance and Assigning Its Next-Hop Static Interfaces
- Configuring the Interface-Specific Filters to Direct HTTP Traffic
- Configuring the Policy Option and Statement to Use a Private Blocks Prefix List
- Using Broadband Edge Static Route Configuration for Subscriber (Junos OS Release 23.4R1 for MX-Series Devices)
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, and then copy and paste the commands into the CLI.
    [edit]
    set services captive-portal-content-delivery rule redirect match-direction input
    set services captive-portal-content-delivery rule redirect term REDIRECT then redirect http://redirection-portal/redirection/
    set services captive-portal-content-delivery profile http-redirect cpcd-rules redirect
    set services service-set http-redirect-sset captive-portal-content-delivery-profile http-redirect
    set services service-set http-redirect-sset next-hop-service inside-service-interface ms-11/1/0.1
    set services service-set http-redirect-sset next-hop-service outside-service-interface ms-11/1/0.2
    set chassis fpc 11 pic 1 adaptive-services service-package extension-provider package jservices-cpcd
    set chassis fpc 11 pic 1 adaptive-services service-package extension-provider syslog daemon none
    set chassis fpc 11 pic 1 adaptive-services service-package extension-provider syslog external none
    set chassis fpc 11 pic 1 adaptive-services service-package extension-provider syslog kernel none
    set chassis fpc 11 pic 1 adaptive-services service-package extension-provider syslog pfe none
    set interfaces ge-0/0/1 unit 900 description VLAN-REDIRECT
    set interfaces ge-0/0/1 unit 900 vlan-id 900
    set interfaces ge-0/0/1 unit 900 family inet filter input FF_HTTP_REDIR_IN
    set interfaces ge-0/0/1 unit 900 family inet address 203.0.113.250/30
    set interfaces ms-11/1/0 services-options open-timeout 4
    set interfaces ms-11/1/0 services-options close-timeout 2
    set interfaces ms-11/1/0 services-options inactivity-tcp-timeout 5
    set interfaces ms-11/1/0 services-options inactivity-non-tcp-timeout 5
    set interfaces ms-11/1/0 services-options session-timeout 5
    set interfaces ms-11/1/0 services-options tcp-tickles 0
    set interfaces ms-11/1/0 unit 1 family inet
    set interfaces ms-11/1/0 unit 1 service-domain inside
    set interfaces ms-11/1/0 unit 2 family inet filter output FF_CPCD_REDIRECT_OUTPUT
    set interfaces ms-11/1/0 unit 2 service-domain outside
    set routing-instances CPCD_REDIRECT instance-type virtual-router
    set routing-instances CPCD_REDIRECT interface ms-11/1/0.1
    set routing-instances CPCD_REDIRECT interface ms-11/1/0.2
    set routing-instances CPCD_REDIRECT routing-options static route 0.0.0.0/0 next-hop ms-11/1/0.1
    set routing-instances CPCD_REDIRECT routing-options static route 203.0.113.0/24 next-hop ms-11/1/0.2
    set firewall family inet filter FF_CPCD_REDIRECT_OUTPUT interface-specific
    set firewall family inet filter FF_CPCD_REDIRECT_OUTPUT term One then count back-to-default
    set firewall family inet filter FF_CPCD_REDIRECT_OUTPUT term One then routing-instance default
    set firewall family inet filter FF_HTTP_REDIR_IN interface-specific
    set firewall family inet filter FF_HTTP_REDIR_IN term ACCEPTED_PREFIXES from prefix-list User-PRIVATE-Blocks-01
    set firewall family inet filter FF_HTTP_REDIR_IN term ACCEPTED_PREFIXES then next term
    set firewall family inet filter FF_HTTP_REDIR_IN term HTTP from protocol tcp
    set firewall family inet filter FF_HTTP_REDIR_IN term HTTP from destination-port http
    set firewall family inet filter FF_HTTP_REDIR_IN term HTTP then count HTTP
    set firewall family inet filter FF_HTTP_REDIR_IN term HTTP then forwarding-class best-effort
    set firewall family inet filter FF_HTTP_REDIR_IN term HTTP then routing-instance CPCD_REDIRECT
    set policy-options prefix-list User-PRIVATE-Blocks-01 203.0.113.0/24
Configuring the CPCD Services and Attaching Service Set to Static Interface
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
Configure the HTTP redirect service by specifying the location to which a subscriber's initial Web browser session is redirected, enabling initial provisioning and service selection for the subscriber.
    [edit services]
    user@host# edit captive-portal-content-delivery
Configure the service filter as a walled garden by defining the rule the router references when applying this HTTP service.
    [edit services captive-portal-content-delivery]
    user@host# edit rule redirect
Specify that the rule matches traffic coming in on the interface.
    [edit services captive-portal-content-delivery rule redirect]
    user@host# set match-direction input
Create the term match and action properties for the CPCD rule for the HTTP service.
    [edit services captive-portal-content-delivery rule redirect]
    user@host# set term REDIRECT then redirect http://redirection-portal/redirection/
Create the CPCD profile for the IP destination address to redirect the HTTP service.
    [edit services captive-portal-content-delivery]
    user@host# edit profile http-redirect
Specify the CPCD rule for the HTTP service.
    [edit services captive-portal-content-delivery profile http-redirect]
    user@host# set cpcd-rules redirect
Create the service set for the CPCD services.
    [edit services service-set]
    user@host# edit http-redirect-sset
Specify the CPCD profile for the service set.
    [edit services service-set http-redirect-sset]
    user@host# set captive-portal-content-delivery-profile http-redirect
Specify the inside and outside service interfaces for the next-hop service and attach them to static interfaces.
    [edit services service-set http-redirect-sset]
    user@host# set next-hop-service inside-service-interface ms-11/1/0.1
    user@host# set next-hop-service outside-service-interface ms-11/1/0.2
Results
From configuration mode, confirm your configuration by entering the show services command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
    [edit]
    root@host# show services
    captive-portal-content-delivery {
        rule redirect {
            match-direction input;
            term REDIRECT {
                then {
                    redirect http://redirection-portal/redirection/;
                }
            }
        }
        profile http-redirect {
            cpcd-rules redirect;
        }
    }
    service-set http-redirect-sset {
        captive-portal-content-delivery-profile http-redirect;
        next-hop-service {
            inside-service-interface ms-11/1/0.1;
            outside-service-interface ms-11/1/0.2;
        }
    }
If you are done configuring the device, enter commit from configuration mode.
Configuring the Package and Installation for CPCD
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
Configure Junos OS to support the service package on a service interface on an MX Series 5G Universal Routing Platform with MS-MPCs/MS-MICs.
    [edit chassis]
    user@host# edit fpc 11 pic 1 adaptive-services service-package
Configure the CPCD service package to run on the PIC. When the extension-provider statement is first configured, the PIC reboots.
    [edit chassis fpc 11 pic 1 adaptive-services service-package]
    user@host# set extension-provider package jservices-cpcd
Enable PIC system logging to record or view system log messages on the PIC but do not include daemon, external, kernel, or Packet Forwarding Engine processes.
    [edit chassis fpc 11 pic 1 adaptive-services service-package]
    user@host# set extension-provider syslog daemon none
    user@host# set extension-provider syslog external none
    user@host# set extension-provider syslog kernel none
    user@host# set extension-provider syslog pfe none
Results
From configuration mode, confirm your configuration by entering the show chassis command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
    [edit]
    root@host# show chassis
    fpc 11 {
        pic 1 {
            adaptive-services {
                service-package {
                    extension-provider {
                        package jservices-cpcd;
                        syslog {
                            daemon none;
                            external none;
                            kernel none;
                            pfe none;
                        }
                    }
                }
            }
        }
    }
If you are done configuring the device, enter commit from configuration mode.
Configuring the Static Interface, HTTP Redirect Filters, and Interface Service Options
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
Configure a Gigabit Ethernet interface with a logical interface on which traffic arrives before it is redirected.
    [edit interfaces]
    user@host# edit ge-0/0/1 unit 900
Assign a description and VLAN ID to the logical interface.
    [edit interfaces ge-0/0/1 unit 900]
    user@host# set description VLAN-REDIRECT
    user@host# set vlan-id 900
Configure the IPv4 family for the interface.
    [edit interfaces ge-0/0/1 unit 900]
    user@host# edit family inet
Configure an input filter to evaluate when packets are received and redirected on the interface.
    [edit interfaces ge-0/0/1 unit 900 family inet]
    user@host# set filter input FF_HTTP_REDIR_IN
Configure an IPv4 address for the logical interface.
    [edit interfaces ge-0/0/1 unit 900 family inet]
    user@host# set address 203.0.113.250/30
Configure service options to be applied on the Multiservices interface.
    [edit interfaces]
    user@host# edit ms-11/1/0 services-options
Note: The values configured for the service options are shown as examples only. Configure and provision values appropriate to your requirements.
Specify the open and close timeout periods in seconds for Transmission Control Protocol (TCP) session establishment.
    [edit interfaces ms-11/1/0 services-options]
    user@host# set open-timeout 4
    user@host# set close-timeout 2
Specify the inactivity timeout periods in seconds for established TCP and non-TCP sessions.
    [edit interfaces ms-11/1/0 services-options]
    user@host# set inactivity-tcp-timeout 5
    user@host# set inactivity-non-tcp-timeout 5
Specify the session lifetime in seconds globally for the Multiservices interface.
    [edit interfaces ms-11/1/0 services-options]
    user@host# set session-timeout 5
Specify the maximum number of keep-alive messages sent before a TCP session is allowed to time out.
    [edit interfaces ms-11/1/0 services-options]
    user@host# set tcp-tickles 0
Configure a logical interface on the Multiservices interface.
    [edit interfaces ms-11/1/0]
    user@host# edit unit 1
Configure the service domain to specify that the logical interface is used within the network.
    [edit interfaces ms-11/1/0 unit 1]
    user@host# set service-domain inside
Configure the IPv4 address family on the logical interface.
    [edit interfaces ms-11/1/0 unit 1]
    user@host# set family inet
Configure a second logical interface on the Multiservices interface.
    [edit interfaces ms-11/1/0]
    user@host# edit unit 2
Configure the service domain to specify that the logical interface is used outside the network.
    [edit interfaces ms-11/1/0 unit 2]
    user@host# set service-domain outside
Configure an output filter to redirect CPCD packets from the logical interface.
    [edit interfaces ms-11/1/0 unit 2]
    user@host# set family inet filter output FF_CPCD_REDIRECT_OUTPUT
Configure the IPv4 address family on the logical interface.
    [edit interfaces ms-11/1/0 unit 2]
    user@host# set family inet
Results
From configuration mode, confirm your configuration by entering the show interfaces command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
    [edit]
    root@host# show interfaces
    ge-0/0/1 {
        unit 900 {
            description VLAN-REDIRECT;
            vlan-id 900;
            family inet {
                filter {
                    input FF_HTTP_REDIR_IN;
                }
                address 203.0.113.250/30;
            }
        }
    }
    ms-11/1/0 {
        services-options {
            open-timeout 4;
            close-timeout 2;
            inactivity-tcp-timeout 5;
            inactivity-non-tcp-timeout 5;
            session-timeout 5;
            tcp-tickles 0;
        }
        unit 1 {
            family inet;
            service-domain inside;
        }
        unit 2 {
            family inet {
                filter {
                    output FF_CPCD_REDIRECT_OUTPUT;
                }
            }
            service-domain outside;
        }
    }
If you are done configuring the device, enter commit from configuration mode.
Configuring the Additional Routing Instance and Assigning Its Next-Hop Static Interfaces
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
Configure a routing instance.
    [edit routing-instances]
    user@host# edit CPCD_REDIRECT
Configure a virtual router routing instance.
    [edit routing-instances CPCD_REDIRECT]
    user@host# set instance-type virtual-router
Configure the two previously defined multiservices interfaces for the routing instance.
    [edit routing-instances CPCD_REDIRECT]
    user@host# set interface ms-11/1/0.1
    user@host# set interface ms-11/1/0.2
Configure static routing options.
    [edit routing-instances CPCD_REDIRECT]
    user@host# edit routing-options static
Assign the next-hop static interfaces to the routes and routing instance.
    [edit routing-instances CPCD_REDIRECT routing-options static]
    user@host# set route 0.0.0.0/0 next-hop ms-11/1/0.1
    user@host# set route 203.0.113.0/24 next-hop ms-11/1/0.2
Results
From configuration mode, confirm your configuration by entering the show routing-instances command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
    [edit]
    root@host# show routing-instances
    CPCD_REDIRECT {
        instance-type virtual-router;
        interface ms-11/1/0.1;
        interface ms-11/1/0.2;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop ms-11/1/0.1;
                route 203.0.113.0/24 next-hop ms-11/1/0.2;
            }
        }
    }
If you are done configuring the device, enter commit from configuration mode.
Configuring the Interface-Specific Filters to Direct HTTP Traffic
Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
Create a family for the service filter under the
[edit firewall]
hierarchy.content_copy zoom_out_map[edit firewall] user@host# edit family inet
Create an interface-specific filter to redirect output traffic for CPCD.
content_copy zoom_out_map[edit firewall family inet] user@host# edit filter FF_CPCD_REDIRECT_OUTPUT
Specify that this is an interface-specific filter.
content_copy zoom_out_map[edit firewall family inet filter FF_CPCD_REDIRECT_OUTPUT] user@host# set interface-specific
Create a filter term for the interface-specific filter for the walled garden.
content_copy zoom_out_map[edit firewall family inet filter FF_CPCD_REDIRECT_OUTPUT] user@host# edit term One
Specify both the action to count default traffic and the default routing instance.
content_copy zoom_out_map[edit firewall family inet filter FF_CPCD_REDIRECT_OUTPUT interface-specific term One] user@host# set then count back-to-default set then routing-instance default
Create a filter to redirect HTTP input traffic.
content_copy zoom_out_map[edit firewall family inet] user@host# edit filter FF_HTTP_REDIR_IN
Specify that this is an interface-specific filter.
content_copy zoom_out_map[edit firewall family inet filter FF_HTTP_REDIR_IN] user@host# set interface-specific
Create a filter term for the interface-specific filter for the walled garden.
content_copy zoom_out_map[edit firewall family inet filter FF_HTTP_REDIR_IN] user@host# edit term ACCEPTED_PREFIXES
Specify the list of accepted prefixes as a match conditions for the walled garden’s filter.
content_copy zoom_out_map[edit firewall family inet filter FF_HTTP_REDIR_IN term ACCEPTED_PREFIXES] user@host# set from prefix-list User-PRIVATE-Blocks-01
Specify the action to take for all the matching HTTP traffic.
content_copy zoom_out_map[edit firewall family inet filter FF_HTTP_REDIR_IN term ACCEPTED_PREFIXES] user@host# set then next term
Create a second filter term for the walled garden’s filter.
content_copy zoom_out_map[edit firewall family inet filter FF_HTTP_REDIR_IN interface-specific] user@host# edit term HTTP
Specify the protocol and destination port as match conditions for the walled garden’s filter.
content_copy zoom_out_map[edit firewall family inet filter FF_HTTP_REDIR_IN term HTTP] user@host# set from protocol tcp user@host# set from destination-port http
Specify the action to take for matching HTTP traffic destined to flow outside of the walled garden.
content_copy zoom_out_map[edit firewall family inet filter filter FF_HTTP_REDIR_IN interface-specific term HTTP] user@host# set then count HTTP user@host# set then forwarding-class best-effort user@host# set then routing-instance CPCD_REDIRECT
Results
From configuration mode, confirm your configuration by entering the show firewall command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
root@host# show firewall
family inet {
    filter FF_CPCD_REDIRECT_OUTPUT {
        interface-specific;
        term One {
            then {
                count back-to-default;
                routing-instance default;
            }
        }
    }
    filter FF_HTTP_REDIR_IN {
        interface-specific;
        term ACCEPTED_PREFIXES {
            from {
                prefix-list {
                    User-PRIVATE-Blocks-01;
                }
            }
            then next term;
        }
        term HTTP {
            from {
                protocol tcp;
                destination-port http;
            }
            then {
                count http;
                forwarding-class best-effort;
                routing-instance CPCD_REDIRECT;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
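The comparison of the show firewall output against the intended configuration can be automated. The following is an added example, not Juniper code: a small Python parser for the brace-style output plus a check of the FF_HTTP_REDIR_IN filter. The function names parse and audit_redirect_filter are hypothetical, and the sample text is the output body shown above with the prompt lines removed.

```python
import re

# Constructed sample: body of the `show firewall` output from this example.
SHOW_FIREWALL = """
family inet {
  filter FF_CPCD_REDIRECT_OUTPUT { interface-specific;
    term One { then { count back-to-default; routing-instance default; } } }
  filter FF_HTTP_REDIR_IN { interface-specific;
    term ACCEPTED_PREFIXES { from { prefix-list { User-PRIVATE-Blocks-01; } }
      then next term; }
    term HTTP { from { protocol tcp; destination-port http; }
      then { count http; forwarding-class best-effort; routing-instance CPCD_REDIRECT; } } } }
"""

def parse(text):
    """Parse brace-style Junos config into nested dicts; leaf statements map to True."""
    root, stack, words = {}, [], []
    node = root
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":      # "filter NAME {" opens a child block
            stack.append(node)
            node = node.setdefault(" ".join(words), {})
            words = []
        elif tok == ";":    # "protocol tcp;" is a leaf statement
            node[" ".join(words)] = True
            words = []
        elif tok == "}":
            if words or not stack:
                raise ValueError("unbalanced braces or unterminated statement")
            node = stack.pop()
        else:
            words.append(tok)
    if words or stack:
        raise ValueError("truncated output")
    return root

def audit_redirect_filter(cfg, name="FF_HTTP_REDIR_IN", instance="CPCD_REDIRECT"):
    """Return deviations from the walled-garden input filter in this example."""
    flt = cfg.get("family inet", {}).get(f"filter {name}")
    if flt is None:
        return [f"filter {name} missing"]
    http = flt.get("term HTTP", {})
    match, action = http.get("from", {}), http.get("then", {})
    checks = [("interface-specific", flt, "filter is not interface-specific"),
              ("protocol tcp", match, "term HTTP does not match protocol tcp"),
              ("destination-port http", match, "term HTTP does not match port http"),
              (f"routing-instance {instance}", action,
               f"term HTTP does not redirect to {instance}")]
    return [msg for stmt, scope, msg in checks if stmt not in scope]
```

An empty list from audit_redirect_filter(parse(SHOW_FIREWALL)) means the filter matches the intended configuration; each returned string names one statement to re-enter.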
Configuring the Policy Option and Statement to Use a Private Blocks Prefix List
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
Create a policy option and statement to use a private blocks prefix list under the [edit policy-options] hierarchy.
[edit policy-options]
user@host# set policy-statement User-PRIVATE-Blocks-01
Configure the source address for the private blocks prefix list.
[edit policy-options policy-statement User-PRIVATE-Blocks-01]
user@host# set 203.0.113.0/24
Results
From configuration mode, confirm your configuration by entering the show policy-options command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
root@host# show policy-options
policy-statement User-PRIVATE-Blocks-01 {
    203.0.113.0/24;
}
If you are done configuring the device, enter commit from configuration mode.
Using Broadband Edge Static Route Configuration for Subscriber (Junos OS Release 23.4R1 for MX-Series Devices)
Starting in Junos OS Release 23.4R1, the broadband edge static route configuration for subscribers feature for BNG replaces the RADIUS framed route configuration. You can now set up static IP addresses for multiple hosts on the same site.
For example:
- Use a pre-existing configuration to add the routes to the routing table. Once this configuration is committed, the routes are hidden until the subscriber with the configured subscriber IP comes up.
  staticRoute {
      routing-options {
          access {
              route 7.7.7.7/32 next-hop 50.1.1.1;
          }
      }
  }
- You can enable the static framed-routes feature on the BNG towards a specific customer connection by using the static-framed-route command under the [edit system services subscriber-management] hierarchy level.
  user@root> set system services subscriber-management static-framed-route
- You can now use the RADIUS server for authentication purposes and not for sending framed routes.
Note: Static framed routes must be added, modified, or deleted only when subscribers are down. When subscribers come up, static framed routes are attached to them. Static framed routes are supported for IPv4 only.
Verification
To confirm that HTTP redirect services have been configured correctly within a service set, perform these tasks:
- Verifying the Configured Service Set for CPCD Services
- Verifying Details for a Configured HTTP Service Rule for a Walled Garden
Verifying the Configured Service Set for CPCD Services
Purpose
Display the configured CPCD service set.
Action
From operational mode, enter the show services captive-portal-content-delivery service-set http-redirect-sset detail command.
user@host> show services captive-portal-content-delivery service-set http-redirect-sset detail
Service Set          Id    Profile          Compiled Rules
http-redirect-sset   1     http-redirect    1
Meaning
The output lists the service set configured for CPCD services.
Verifying Details for a Configured HTTP Service Rule for a Walled Garden
Purpose
Display details for a specific configured HTTP service rule for a walled garden.
Action
From operational mode, enter the show services captive-portal-content-delivery rule redirect term REDIRECT command.
user@host> show services captive-portal-content-delivery rule redirect term REDIRECT
Rule name: redirect
Rule match direction: input
Term name: term REDIRECT
Term action: redirect
Term action option: http://redirection-portal/redirection/
Meaning
The output lists rule and term details for a specific HTTP service rule configured for the walled garden.