Subscriber Filters Configuration

The configuration hierarchy for Subscriber ACL is illustrated in the diagram.

Subscriber Filters Configuration Hierarchy

Configure Subscriber Filters

Syntax:

set forwarding-options subscriber-acl <l3v4|l3v6> rule <rule-name> ordinal <ordinal-value> <option> <attribute> <value>

Attribute Description

Attribute	Description
<l3v4 \| l3v6>	Specify `l3v4` for IPv4 and `l3v6` for IPv6.
<rule-name>	Subscriber ACL rule name.
<ordinal-value>	The mandatory ordinal value is used to differentiate multiple rules within the rule set.
action	The desired action, which can be either `permit`, `drop` or `http-redirect`.
priority <priority-value>	The priority of the rule, where the lower value has a higher priority.
match	The match criteria.

Specify l3v4 for IPv4 and l3v6 for IPv6.

<rule-name>

Subscriber ACL rule name.

<ordinal-value>

The mandatory ordinal value is used to differentiate multiple rules within the rule set.

action

The desired action, which can be either permit, drop or http-redirect.

priority <priority-value>

The priority of the rule, where the lower value has a higher priority.

match

The match criteria.

Configuring Subscriber Filter Match Criteria

Syntax:

set forwarding-options subscriber-acl <l3v4|l3v6> rule <rule-name> ordinal <ordinal-value> match <attribute> <value>

Attribute Description

Attribute	Description
destination-ipv4-prefix <destination-ipv4-prefix>	Packets are matched when the IPv4 destination address is within the defined prefix.
destination-ipv4-prefix-list <destination-ipv4-prefix-list>	Packets are matched when the IPv4 destination address is within one of the prefixes listed in the defined prefix list.
destination-ipv4-subscriber-prefix <true>	Packets are matched when the IPv4 destination address is within the dynamically assigned subscriber IPv4 address prefix (sometimes, referred to framed prefix). Consequently, this option shares similarity to the `destination-ipv4-prefix`, where the prefix is automatically set to the dynamic subscriber prefix. This option is allowed only in the egress (downstream) direction.
destination-ipv6-prefix <destination-ipv6-prefix>	Packets are matched when the IPv6 destination address is within the defined prefix.
destination-ipv6-prefix-list <destination-ipv6-prefix-list>	Packets are matched when the IPv6 destination address is within one of the prefixes listed in the defined prefix list.
destination-ipv6-subscriber-prefix <true>	Packets are matched when the IPv6 destination address is within the dynamically assigned subscriber IPv6 address prefix (sometimes, referred to framed prefix). Consequently, this option shares similarity to the destination-ipv4-prefix, where the prefix is automatically set to the dynamic subscriber prefix. This option is allowed only in the egress (downstream) direction.
destination-ipv6-delegated-subscriber-prefix <destination-ipv6-delegated-subscriber-prefix>	This option is similar to the `destination-ipv6-subscriber-prefix` using the dynamically delegated prefix instead.
source-ipv4-prefix <source-ipv4-prefix>	Packets are matched when the IPv4 source address is within the defined prefix.
source-ipv4-prefix-list <source-ipv4-prefix-list>	Packets are matched when the IPv4 source address is within one of the prefixes listed in the defined prefix list.
source-ipv4-subscriber-prefix <source-ipv4-subscriber-prefix>	Packets are matched when the IPv4 source address is within the dynamically assigned subscriber IPv4 address prefix (sometimes, referred to framed prefix). Consequently, this option shares similarity to `source-ipv4-prefix`, where the prefix is automatically set to the dynamic subscriber prefix. This option is allowed only in the ingress (upstream) direction.
source-ipv6-prefix <source-ipv6-prefix>	Packets are matched when the IPv6 source address is within the defined prefix.
source-ipv6-prefix-list <source-ipv6-prefix-list>	Packets are matched when the IPv6 source address is within one of the prefixes listed in the defined prefix list.
source-ipv6-subscriber-prefix <source-ipv6-subscriber-prefix>	Packets are matched when the IPv6 source address is within the dynamically assigned subscriber IPv6 address prefix (sometimes, referred to framed prefix). Consequently, this option shares similarity to `source-ipv4-prefix`, where the prefix is automatically set to the dynamic subscriber prefix. This option is allowed only in the ingress (upstream) direction only.
source-ipv6-delegated-subscriber-prefix true	This option is similar to the `source-ipv6-subscriber-prefix` using the dynamically delegated prefix instead. Note: To disable this configuration, use the `delete` form of the command.
source-l4-port <source-l4-port>	Packets are matched based on the layer 4 source port (TCP or UDP port).
destination-l4-port <destination-l4-port>	Packets are matched based on the layer 4 destination port (TCP or UDP port).
ip-protocol <ip-protocol>	Packets are matched depending on the IP protocol (TCP or UDP). However, this option is not compatible with the MPLS-encapsulated traffic. Consequently, filtering based on IP protocol is not possible for MPLS traffic received from the core. For instance, it is feasible to drop all traffic to port 80, but it is not possible to selectively drop only TCP traffic while permitting UDP traffic when receiving traffic with an MPLS label.
subscriber-ifl <true>	Packets are matched based on incoming subscriber IFL. This option is allowed only in the ingress (upstream) direction.

destination-ipv4-prefix <destination-ipv4-prefix>

Packets are matched when the IPv4 destination address is within the defined prefix.

destination-ipv4-prefix-list <destination-ipv4-prefix-list>

Packets are matched when the IPv4 destination address is within one of the prefixes listed in the defined prefix list.

destination-ipv4-subscriber-prefix <true>

Packets are matched when the IPv4 destination address is within the dynamically assigned subscriber IPv4 address prefix (sometimes, referred to framed prefix). Consequently, this option shares similarity to the destination-ipv4-prefix, where the prefix is automatically set to the dynamic subscriber prefix. This option is allowed only in the egress (downstream) direction.

destination-ipv6-prefix <destination-ipv6-prefix>

Packets are matched when the IPv6 destination address is within the defined prefix.

destination-ipv6-prefix-list <destination-ipv6-prefix-list>

Packets are matched when the IPv6 destination address is within one of the prefixes listed in the defined prefix list.

destination-ipv6-subscriber-prefix <true>

Packets are matched when the IPv6 destination address is within the dynamically assigned subscriber IPv6 address prefix (sometimes, referred to framed prefix). Consequently, this option shares similarity to the destination-ipv4-prefix, where the prefix is automatically set to the dynamic subscriber prefix. This option is allowed only in the egress (downstream) direction.

destination-ipv6-delegated-subscriber-prefix <destination-ipv6-delegated-subscriber-prefix>

This option is similar to the destination-ipv6-subscriber-prefix using the dynamically delegated prefix instead.

source-ipv4-prefix <source-ipv4-prefix>

Packets are matched when the IPv4 source address is within the defined prefix.

source-ipv4-prefix-list <source-ipv4-prefix-list>

Packets are matched when the IPv4 source address is within one of the prefixes listed in the defined prefix list.

source-ipv4-subscriber-prefix <source-ipv4-subscriber-prefix>

Packets are matched when the IPv4 source address is within the dynamically assigned subscriber IPv4 address prefix (sometimes, referred to framed prefix). Consequently, this option shares similarity to source-ipv4-prefix, where the prefix is automatically set to the dynamic subscriber prefix. This option is allowed only in the ingress (upstream) direction.

source-ipv6-prefix <source-ipv6-prefix>

Packets are matched when the IPv6 source address is within the defined prefix.

source-ipv6-prefix-list <source-ipv6-prefix-list>

Packets are matched when the IPv6 source address is within one of the prefixes listed in the defined prefix list.

source-ipv6-subscriber-prefix <source-ipv6-subscriber-prefix>

Packets are matched when the IPv6 source address is within the dynamically assigned subscriber IPv6 address prefix (sometimes, referred to framed prefix). Consequently, this option shares similarity to source-ipv4-prefix, where the prefix is automatically set to the dynamic subscriber prefix. This option is allowed only in the ingress (upstream) direction only.

source-ipv6-delegated-subscriber-prefix true

This option is similar to the source-ipv6-subscriber-prefix using the dynamically delegated prefix instead. Note: To disable this configuration, use the delete form of the command.

source-l4-port <source-l4-port>

Packets are matched based on the layer 4 source port (TCP or UDP port).

destination-l4-port <destination-l4-port>

Packets are matched based on the layer 4 destination port (TCP or UDP port).

ip-protocol <ip-protocol>

Packets are matched depending on the IP protocol (TCP or UDP). However, this option is not compatible with the MPLS-encapsulated traffic. Consequently, filtering based on IP protocol is not possible for MPLS traffic received from the core. For instance, it is feasible to drop all traffic to port 80, but it is not possible to selectively drop only TCP traffic while permitting UDP traffic when receiving traffic with an MPLS label.

subscriber-ifl <true>

Packets are matched based on incoming subscriber IFL. This option is allowed only in the ingress (upstream) direction.

Configuring Subscriber Filter Actions

Syntax:

set forwarding-options subscriber-acl <l3v4|l3v6> rule <rule-name> ordinal <ordinal-value> action <attribute> <value>

Attribute Description

Attribute	Description
permit	Forward packets.
drop	Silently discard packets.
http-redirect true	Specify true to enable the redirect service. Note: To disable http-redirect, use the `delete` form of the command.

permit

Forward packets.

drop

Silently discard packets.

http-redirect true

Specify true to enable the redirect service. Note: To disable http-redirect, use the delete form of the command.

The following example shows an IPv4 subscriber filter configuration in which the applied ACL is ipv4-acl-in.

supervisor@rtbrick: cfg> show config forwarding-options subscriber-acl l3v4
{
  "rtbrick-config:l3v4": {
    "rule": [
      {
        "rule-name": "ipv4-acl-in",
        "ordinal": [
          {
            "ordinal-value": 1,
            "match": {
              "destination-l4-port": 80,
              "ip-protocol": "TCP"
            },
            "action": {
              "http-redirect": "true"
            },
            "priority": 1001
          }
        ]
      }
    ]
  }
}

Attaching the ACL Rule

Syntax:

set access service-profile profile-name <profile-name> <attribute> <value>

Attribute	Description
<profile-name>	Service profile name.
<http-redirect>	HTTP redirect service configuration.
<url>	HTTP redirect target URL.
<acl>	Subscriber ACL (filter) configuration.
<ipv4-acl-in>	IPv4 upstream ACL (ingress from subscriber).
<ipv4-acl-out>	IPv4 downstream ACL (egress to subscriber).
<ipv6-acl-in>	IPv6 upstream ACL (ingress from subscriber).
<ipv6-acl-out>	IPv6 downstream ACL (egress to subscriber).

Attribute

Description

<profile-name>

Service profile name.

<http-redirect>

HTTP redirect service configuration.

<url>

HTTP redirect target URL.

<acl>

Subscriber ACL (filter) configuration.

<ipv4-acl-in>

IPv4 upstream ACL (ingress from subscriber).

<ipv4-acl-out>

IPv4 downstream ACL (egress to subscriber).

<ipv6-acl-in>

IPv6 upstream ACL (ingress from subscriber).

<ipv6-acl-out>

IPv6 downstream ACL (egress to subscriber).