
IP and IPv6 Filters

Table 16: IP and IPv6 filters (description)

Attribute ID Attribute Name Description

92 NAS-Filter-Rule

Subscriber host specific filter entry. The match criteria are automatically extended with the subscriber host IP or IPv6 address as source (ingress) or destination (egress) IP. They represent a per-host customization of a generic filter policy: only traffic to/from the subscriber host will match against these entries.

A range of entries must be reserved for subscriber host specific entries in a filter policy: config>filter>ip-filter# sub-insert-radius

Subscriber host specific filter entries are moved if the subscriber host filter policy is changed (new SLA profile or IP filter policy override) and if the new filter policy contains enough free reserved entries.

When the subscriber host session terminates or is disconnected, the corresponding subscriber host specific filter entries are also deleted. The function of the attribute is identical to [26-6527-159] Alc-Ascend-Data-Filter-Host-Spec but it has a different format. The format used to specify host specific filter entries (NAS-Filter-Rule format or Alc-Ascend-Data-Filter-Host-Spec format) cannot change during the lifetime of the subscriber host. Mixing formats in a single RADIUS message results in a failure.

242 Ascend-Data-Filter

A locally configured filter policy can be extended with shared dynamic filter entries. A dynamic copy of the base filter (the filter associated with the host via sla-profile or host filter override) is made and extended with the set of filter rules per type (IPv4/IPv6) and direction (ingress/egress) in the RADIUS message. If a dynamic copy with the same set of rules already exists, no new copy is made, but the existing copy is associated with the host/session. If, after host/session disconnection, no hosts/sessions are associated with the dynamic filter copy, the dynamic copy is removed.

Shared filter entries are moved if the subscriber host filter policy is changed (new SLA profile or IP filter policy override) and if the new filter policy contains enough free reserved entries.

A range of entries must be reserved for shared entries in a filter policy:

configure filter ip-filter <filter-id> sub-insert-shared-radius

The function of the attribute is identical to [26-6527-158] Alc-Nas-Filter-Rule-Shared but it has a different format. The format used to specify shared filter entries (Alc-Nas-Filter-Rule-Shared format or Ascend-Data-Filter format) cannot change during the lifetime of the subscriber host. Mixing formats in a single RADIUS message results in a failure.

Important note: Shared filter entries should only be used if many hosts share the same set of filter rules that need to be controlled from RADIUS.

26-6527-134 Alc-Subscriber-Filter

Subscriber host preconfigured IP/IPv6 ingress and egress filters to be used instead of the filters defined in the sla-profile. Fields that are not relevant are ignored (for example, IPv4 filters for an IPv6 host). Note that the scope of the local preconfigured filter should be set to template for correct operation; this is not enforced. For a RADIUS CoA message, if the ingress or egress field is missing in the VSA, there is no change for that direction. For a RADIUS Access-Accept message, if the ingress or egress field is missing in the VSA, the IP filters specified in the sla-profile are active for that direction. Applicable to all dynamic host types, including L2TP LNS but excluding L2TP LAC.

26-6527-158 Alc-Nas-Filter-Rule-Shared

A locally configured filter policy can be extended with shared dynamic filter entries. A dynamic copy of the base filter (the filter associated with the host via sla-profile or host filter override) is made and extended with the set of filter rules per type (IPv4/IPv6) and direction (ingress/egress) in the RADIUS message. If a dynamic copy with the same set of rules already exists, no new copy is made, but the existing copy is associated with the host/session. If, after host/session disconnection, no hosts/sessions are associated with the dynamic filter copy, the dynamic copy is removed.

Shared filter entries are moved if the subscriber host filter policy is changed (new SLA profile or IP filter policy override) and if the new filter policy contains enough free reserved entries.

A range of entries must be reserved for shared entries in a filter policy:

config filter ip-filter <filter-id> sub-insert-shared-radius

The function of the attribute is identical to [242] Ascend-Data-Filter but it has a different format. The format used to specify shared filter entries (Alc-Nas-Filter-Rule-Shared format or Ascend-Data-Filter format) cannot change during the lifetime of the subscriber host. Mixing formats in a single RADIUS message results in a failure.

Important note: Shared filter entries should only be used if many hosts share the same set of filter rules that need to be controlled from RADIUS.

26-6527-159 Alc-Ascend-Data-Filter-Host-Spec

Subscriber host specific filter entry. The match criteria are automatically extended with the subscriber host IP or IPv6 address as source (ingress) or destination (egress) IP. They represent a per-host customization of a generic filter policy: only traffic to/from the subscriber host will match against these entries.

A range of entries must be reserved for subscriber host specific entries in a filter policy: config>filter>ip-filter# sub-insert-radius

Subscriber host specific filter entries are moved if the subscriber host filter policy is changed (new SLA profile or IP filter policy override) and if the new filter policy contains enough free reserved entries.

When the subscriber host session terminates or is disconnected, the corresponding subscriber host specific filter entries are also deleted. The function of the attribute is identical to [92] NAS-Filter-Rule but it has a different format. The format used to specify host specific filter entries (NAS-Filter-Rule format or Alc-Ascend-Data-Filter-

Table 17: IP and IPv6 Filters (limits)

Attribute ID Attribute Name Type Limits SR-OS Format

92 NAS-Filter-Rule
Type: string
Limits: max. 10 attributes per message or max. 10 filter entries per message
SR-OS Format: The format of a NAS-Filter-Rule is defined in RFC 3588, Diameter Base Protocol, section 4.3, Derived AVP Data Formats. A single filter rule is a string of format <action> <direction> <protocol> from <source> to <destination> <options>. Multiple rules should be separated by a NUL (0x00). A NAS-Filter-Rule attribute may contain a partial rule, one rule, or more than one rule. Filter rules may be continued across attribute boundaries. A RADIUS message with a NAS-Filter-Rule attribute value equal to 0x00 or " " (a space) removes all host specific filter entries for that host. See also IP Filter Attribute Details on page 72.
For example: Nas-Filter-Rule = permit in ip from any to 10.1.1.1/32

242 Ascend-Data-Filter
Type: octets
Limits: multiple attributes per RADIUS message allowed; min. length 22 bytes (IPv4), 46 bytes (IPv6); max. length 110 bytes (IPv4), 140 bytes (IPv6)
SR-OS Format: A string of octets with fixed field length (type (ipv4/ipv6), direction (ingress/egress), src-ip, dst-ip, ...). Each attribute represents a single filter entry. See IP Filter Attribute Details on page 72 for a description of the format.
For example: # permit in ip from any to 10.1.1.1/32
Ascend-Data-Filter = 0x01010100000000000a01010100200000000000000000

26-6527-134 Alc-Subscriber-Filter
Type: string
Limits: max. 1 VSA
SR-OS Format: Comma separated list of strings: Ingr-v4:<number>,Ingr-v6:<number>,Egr-v4:<number>,Egr-v6:<number>, where <number> can be one of:
[1..65535] = ignore sla-profile filter; apply this filter-id
0 = ignore sla-profile filter; do not assign a new filter (only allowed if no dynamic subscriber host specific rules are present)
-1 = no change in filter configuration
-2 = restore sla-profile filter
For example: Alc-Subscriber-Filter = Ingr-v4:20,Egr-v4:101

26-6527-158 Alc-Nas-Filter-Rule-Shared
Type: string
Limits: multiple attributes per RADIUS message allowed
SR-OS Format: The format is identical to [92] NAS-Filter-Rule and is defined in RFC 3588, section 4.3. A single filter rule is a string of format <action> <direction> <protocol> from <source> to <destination> <options>. Multiple rules should be separated by a NUL (0x00). An Alc-Nas-Filter-Rule-Shared attribute may contain a partial rule, one rule, or more than one rule. Filter rules may be continued across attribute boundaries. A RADIUS message with an Alc-Nas-Filter-Rule-Shared attribute value equal to 0x00 or " " (a space) removes the shared filter entries for that host. See also IP Filter Attribute Details on page 72.
For example: Alc-Nas-Filter-Rule-Shared = permit in ip from any to 10.1.1.1/32

26-6527-159 Alc-Ascend-Data-Filter-Host-Spec
Type: octets
Limits: max. 10 attributes per message or max. 10 filter entries per message; min. length 22 bytes (IPv4), 46 bytes (IPv6); max. length 110 bytes (IPv4), 140 bytes (IPv6)
SR-OS Format: A string of octets with fixed field length (type (ipv4/ipv6), direction (ingress/egress), src-ip, dst-ip, ...). Each attribute represents a single filter entry. See IP Filter Attribute Details on page 72 for a description of the format.
For example: # permit in ip from any to 10.1.1.1/32
Alc-Ascend-Data-Filter-Host-Spec = 0x01010100000000000a01010100200000000000000000
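As an added example (not taken from the SR-OS documentation), the following Python encodes a textual rule into the Ascend-Data-Filter / Alc-Ascend-Data-Filter-Host-Spec octet string and decodes it back so that a filter pushed by a RADIUS server can be audited. The field layout is an assumption here (the classic Ascend data-filter layout: type, forward, direction, spare, then addresses, mask lengths, protocol, established flag, ports and port qualifiers), chosen because it reproduces the 22-byte IPv4 and 46-byte IPv6 lengths and the example bytes in Table 17; the function names and the protocol-number map are likewise assumptions.

```python
import ipaddress
import struct

# Assumed layout: 4-byte header (type, forward, direction, spare), then src-ip, dst-ip,
# src-mask, dst-mask, protocol, established, src-port, dst-port, src-port-qualifier,
# dst-port-qualifier. Gives 22 bytes for IPv4 and 46 for IPv6, as Table 17 states.
TYPE_IPV4, TYPE_IPV6 = 1, 3
ACTION = {"permit": 1, "deny": 0}      # "filter or forward" byte
DIRECTION = {"in": 1, "out": 0}        # 1 = ingress, 0 = egress
PROTO = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}   # assumed IANA numbers, 0 = any


def _prefix(text, family):
    """'any' -> unspecified address with mask length 0; otherwise address/len."""
    if text == "any":
        return ipaddress.ip_address("0.0.0.0" if family == 4 else "::"), 0
    net = ipaddress.ip_network(text, strict=False)
    return net.network_address, net.prefixlen


def encode_ascend_data_filter(rule):
    """'permit in ip from any to 10.1.1.1/32' -> 22 (IPv4) or 46 (IPv6) octets."""
    tok = rule.split()
    if len(tok) != 7 or tok[3] != "from" or tok[5] != "to":
        raise ValueError("expected: <action> <direction> <protocol> from <src> to <dst>")
    family = 6 if ":" in tok[4] or ":" in tok[6] else 4
    src, src_len = _prefix(tok[4], family)
    dst, dst_len = _prefix(tok[6], family)
    header = bytes([TYPE_IPV6 if family == 6 else TYPE_IPV4,
                    ACTION[tok[0]], DIRECTION[tok[1]], 0])
    # Ports and qualifiers are left at zero (= match any), as in the page's example.
    body = src.packed + dst.packed + struct.pack(
        "!BBBBHHBB", src_len, dst_len, PROTO[tok[2]], 0, 0, 0, 0, 0)
    return header + body


def decode_ascend_data_filter(octets):
    """Reverse of encode: render pushed octets as text so a filter can be audited."""
    alen = 16 if octets[:1] == bytes([TYPE_IPV6]) else 4
    if len(octets) < 4 + 2 * alen + 10:
        raise ValueError("attribute shorter than the minimum for its address family")
    src = ipaddress.ip_address(octets[4:4 + alen])
    dst = ipaddress.ip_address(octets[4 + alen:4 + 2 * alen])
    src_len, dst_len, proto = octets[4 + 2 * alen:7 + 2 * alen]
    action = {v: k for k, v in ACTION.items()}[octets[1]]
    direction = {v: k for k, v in DIRECTION.items()}[octets[2]]
    protocol = {v: k for k, v in PROTO.items()}.get(proto, str(proto))
    def show(addr, n): return "any" if n == 0 else f"{addr}/{n}"
    return f"{action} {direction} {protocol} from {show(src, src_len)} to {show(dst, dst_len)}"
```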


Table 18: IP and IPv6 Filters (applicability)

Attribute ID   Attribute Name                     Access Request   Access Accept   CoA Request
92             NAS-Filter-Rule                    0                0+              0+
242            Ascend-Data-Filter                 0                0+              0+
26-6527-134    Alc-Subscriber-Filter              0                0-1             0-1
26-6527-158    Alc-Nas-Filter-Rule-Shared         0                0+              0+
26-6527-159    Alc-Ascend-Data-Filter-Host-Spec   0                0+              0+

[92] Nas-Filter-Rule and [26-6527-158] Alc-Nas-Filter-Rule-Shared

The format for [92] Nas-Filter-Rule and [26-6527-158] Alc-Nas-Filter-Rule-Shared is a string formatted as: <action> <direction> <protocol> from <source> to <destination> <options>.
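Added example, not part of the SR-OS documentation: a Python routine that reassembles the NAS-Filter-Rule (or Alc-Nas-Filter-Rule-Shared) attributes of one RADIUS message, honouring NUL separation, continuation across attribute boundaries, the 10-entry limit from Table 17 and the 0x00 / single-space "remove all" form, and then splits each rule into the fields named above. Attribute values are modelled as decoded text, and the sample message is constructed here; function names are assumptions.

```python
NUL = "\x00"
MAX_ENTRIES = 10   # Table 17: max. 10 NAS-Filter-Rule attributes / filter entries per message


def reassemble_rules(values):
    """Join the NAS-Filter-Rule values of one RADIUS message, in order, and split on NUL.
    Returns (rules, clear): clear is True for the 'remove all host specific entries'
    form, a single attribute whose value is 0x00 or a single space."""
    if len(values) == 1 and values[0] in (NUL, " "):
        return [], True
    if len(values) > MAX_ENTRIES:
        raise ValueError("more than 10 NAS-Filter-Rule attributes in one message")
    joined = "".join(values)          # a rule may continue in the next attribute
    rules = [r.strip() for r in joined.split(NUL) if r.strip()]
    if len(rules) > MAX_ENTRIES:
        raise ValueError("more than 10 filter entries in one message")
    return rules, False


def parse_rule(rule):
    """Split '<action> <direction> <protocol> from <source> to <destination> <options>'.
    Anything after the destination (ports, flags) is returned as the options list."""
    tok = rule.split()
    if len(tok) < 7 or tok[3] != "from" or tok[5] != "to":
        raise ValueError(f"malformed filter rule: {rule!r}")
    if tok[0] not in ("permit", "deny") or tok[1] not in ("in", "out"):
        raise ValueError(f"unknown action or direction in: {rule!r}")
    return {"action": tok[0], "direction": tok[1], "protocol": tok[2],
            "source": tok[4], "destination": tok[6], "options": tok[7:]}


def parse_message(values):
    """Convenience wrapper: (list of parsed rules, clear flag) for one message."""
    rules, clear = reassemble_rules(values)
    return [parse_rule(r) for r in rules], clear


# Constructed sample: two attributes; the second rule is continued across the boundary.
SAMPLE_MESSAGE = [
    "permit in ip from any to 10.1.1.1/32" + NUL + "permit in tcp from any to 10.1.1.2",
    "/32 80" + NUL + "deny in ip from any to any" + NUL,
]
```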