Subscriber Filters Configuration
The configuration hierarchy for Subscriber ACL is illustrated in the diagram.
Configure Subscriber Filters
Syntax:
set forwarding-options subscriber-acl <l3v4|l3v6> rule <rule-name> ordinal <ordinal-value> <option> <attribute> <value>
Attribute | Description |
---|---|
<l3v4 | l3v6> |
Specify |
<rule-name> |
Subscriber ACL rule name. |
<ordinal-value> |
The mandatory ordinal value is used to differentiate multiple rules within the rule set. |
action |
The desired action, which can be either |
priority <priority-value> |
The priority of the rule, where the lower value has a higher priority. |
match |
The match criteria. |
Configuring Subscriber Filter Match Criteria
Syntax:
set forwarding-options subscriber-acl <l3v4|l3v6> rule <rule-name> ordinal <ordinal-value> match <attribute> <value>
Attribute | Description |
---|---|
destination-ipv4-prefix <destination-ipv4-prefix> |
Packets are matched when the IPv4 destination address is within the defined prefix. |
destination-ipv4-prefix-list <destination-ipv4-prefix-list> |
Packets are matched when the IPv4 destination address is within one of the prefixes listed in the defined prefix list. |
destination-ipv4-subscriber-prefix <true> |
Packets are matched when the IPv4 destination address is within the dynamically assigned subscriber IPv4 address prefix (sometimes, referred to framed prefix). Consequently, this option shares similarity to the |
destination-ipv6-prefix <destination-ipv6-prefix> |
Packets are matched when the IPv6 destination address is within the defined prefix. |
destination-ipv6-prefix-list <destination-ipv6-prefix-list> |
Packets are matched when the IPv6 destination address is within one of the prefixes listed in the defined prefix list. |
destination-ipv6-subscriber-prefix <true> |
Packets are matched when the IPv6 destination address is within the dynamically assigned subscriber IPv6 address prefix (sometimes, referred to framed prefix). Consequently, this option shares similarity to the destination-ipv4-prefix, where the prefix is automatically set to the dynamic subscriber prefix. This option is allowed only in the egress (downstream) direction. |
destination-ipv6-delegated-subscriber-prefix <destination-ipv6-delegated-subscriber-prefix> |
This option is similar to the |
source-ipv4-prefix <source-ipv4-prefix> |
Packets are matched when the IPv4 source address is within the defined prefix. |
source-ipv4-prefix-list <source-ipv4-prefix-list> |
Packets are matched when the IPv4 source address is within one of the prefixes listed in the defined prefix list. |
source-ipv4-subscriber-prefix <source-ipv4-subscriber-prefix> |
Packets are matched when the IPv4 source address is within the dynamically assigned subscriber IPv4 address prefix (sometimes, referred to framed prefix). Consequently, this option shares similarity to |
source-ipv6-prefix <source-ipv6-prefix> |
Packets are matched when the IPv6 source address is within the defined prefix. |
source-ipv6-prefix-list <source-ipv6-prefix-list> |
Packets are matched when the IPv6 source address is within one of the prefixes listed in the defined prefix list. |
source-ipv6-subscriber-prefix <source-ipv6-subscriber-prefix> |
Packets are matched when the IPv6 source address is within the dynamically assigned subscriber IPv6 address prefix (sometimes, referred to framed prefix). Consequently, this option shares similarity to |
source-ipv6-delegated-subscriber-prefix <true | false> |
This option is similar to the |
source-l4-port <source-l4-port> |
Packets are matched based on the layer 4 source port (TCP or UDP port). |
destination-l4-port <destination-l4-port> |
Packets are matched based on the layer 4 destination port (TCP or UDP port). |
ip-protocol <ip-protocol> |
Packets are matched depending on the IP protocol (TCP or UDP). However, this option is not compatible with the MPLS-encapsulated traffic. Consequently, filtering based on IP protocol is not possible for MPLS traffic received from the core. For instance, it is feasible to drop all traffic to port 80, but it is not possible to selectively drop only TCP traffic while permitting UDP traffic when receiving traffic with an MPLS label. |
subscriber-ifl <true> |
Packets are matched based on incoming subscriber IFL. This option is allowed only in the ingress (upstream) direction. |
Configuring Subscriber Filter Actions
Syntax:
set forwarding-options subscriber-acl <l3v4|l3v6> rule <rule-name> ordinal <ordinal-value> action <attribute> <value>
Attribute | Description |
---|---|
permit |
Forward packets. |
drop |
Silently discard packets. |
http-redirect <true | false> |
Specify true to enable the redirect service. |
The following example shows an IPv4 subscriber filter configuration in which the applied ACL is ipv4-acl-in
.
supervisor@rtbrick: cfg> show config forwarding-options subscriber-acl l3v4
{
"rtbrick-config:l3v4": {
"rule": [
{
"rule-name": "ipv4-acl-in",
"ordinal": [
{
"ordinal-value": 1,
"match": {
"destination-l4-port": 80,
"ip-protocol": "TCP"
},
"action": {
"http-redirect": "true"
},
"priority": 1001
}
]
}
]
}
}
Attaching the ACL Rule
Syntax:
set access service-profile profile-name <profile-name> <attribute> <value>
Attribute | Description |
---|---|
<profile-name> |
Service profile name. |
<http-redirect> |
HTTP redirect service configuration. |
<url> |
HTTP redirect target URL. |
<acl> |
Subscriber ACL (filter) configuration. |
<ipv4-acl-in> |
IPv4 upstream ACL (ingress from subscriber). |
<ipv4-acl-out> |
IPv4 downstream ACL (egress to subscriber). |
<ipv6-acl-in> |
IPv6 upstream ACL (ingress from subscriber). |
<ipv6-acl-out> |
IPv6 downstream ACL (egress to subscriber). |