Attribute ID | Attribute name | Description |
---|---|---|
92 | NAS-Filter-Rule | Subscriber host specific filter entry. The match criteria are automatically extended with the subscriber host IP or IPv6 address as source (ingress) or destination (egress) IP. They represent a per-host customization of a generic filter policy: only traffic to or from the subscriber host matches against these entries. A range of entries must be reserved for subscriber host specific entries in a filter policy: configure filter ip-filter/ipv6-filter filter-id sub-insert-radius. Subscriber host specific filter entries are moved if the subscriber host filter policy is changed (new SLA profile or IP filter policy override) and if the new filter policy contains enough free reserved entries. When the subscriber host session terminates or is disconnected, the corresponding subscriber host specific filter entries are also deleted. The function of the attribute is identical to [26.6527.159] Alc-Ascend-Data-Filter-Host-Spec but it has a different format. The format used to specify host specific filter entries (NAS-Filter-Rule format or Alc-Ascend-Data-Filter-Host-Spec format) cannot change during the lifetime of the subscriber host. Mixing formats in a single RADIUS message results in a failure. |
26.529.242 | Ascend-Data-Filter | A locally configured filter policy can be extended with shared dynamic filter entries. A dynamic copy of the base filter (the filter associated with the host using SLA profile or host filter override) is made and extended with the set of filter rules per type (IPv4 or IPv6) and direction (ingress or egress) in the RADIUS message. If a dynamic copy with the same set of rules already exists, no new copy is made, but the existing copy is associated with the host or session. If, after host or session disconnection, no hosts or sessions are associated with the dynamic filter copy, the dynamic copy is removed. Shared filter entries are moved if the subscriber host filter policy is changed (new SLA profile or IP filter policy override) and if the new filter policy contains enough free reserved entries. A range of entries must be reserved for shared entries in a filter policy: configure filter ip-filter/ipv6-filter filter-id sub-insert-shared-radius. The function of the attribute is identical to [26.6527.158] Alc-Nas-Filter-Rule-Shared but it has a different format. The format used to specify shared filter entries (Alc-Nas-Filter-Rule-Shared format or Ascend-Data-Filter format) cannot change during the lifetime of the subscriber host. Mixing formats in a single RADIUS message results in a failure. Shared filter entries should only be used if many hosts share the same set of filter rules that need to be controlled from RADIUS. |
26.6527.134 | Alc-Subscriber-Filter | Subscriber host preconfigured IP or IPv6 ingress and egress filters to be used instead of the filters defined in the SLA profile. Non-relevant fields are ignored (for example, IPv4 filters for an IPv6 host). The scope of the local preconfigured filter should be set to template for correct operation (configure filter ip-filter/ipv6-filter filter-id scope template). This is not enforced. For a RADIUS CoA message, if the ingress or egress field is missing in the VSA, there is no change for that direction. For a RADIUS Access-Accept message, if the ingress or egress field is missing in the VSA, then the IP filters as specified in the SLA profile are active for that direction. Applicable to all dynamic host types, including L2TP LNS but excluding L2TP LAC. |
26.6527.158 | Alc-Nas-Filter-Rule-Shared | A locally configured filter policy can be extended with shared dynamic filter entries. A dynamic copy of the base filter (the filter associated with the host using SLA profile or host filter override) is made and extended with the set of filter rules per type (IPv4 or IPv6) and direction (ingress or egress) in the RADIUS message. If a dynamic copy with the same set of rules already exists, no new copy is made, but the existing copy is associated with the host or session. If, after host or session disconnection, no hosts or sessions are associated with the dynamic filter copy, the dynamic copy is removed. Shared filter entries are moved if the subscriber host filter policy is changed (new SLA profile or IP filter policy override) and if the new filter policy contains enough free reserved entries. A range of entries must be reserved for shared entries in a filter policy: configure filter ip-filter/ipv6-filter filter-id sub-insert-shared-radius. The function of the attribute is identical to [26.529.242] Ascend-Data-Filter but it has a different format. The format used to specify shared filter entries (Alc-Nas-Filter-Rule-Shared format or Ascend-Data-Filter format) cannot change during the lifetime of the subscriber host. Mixing formats in a single RADIUS message results in a failure. Shared filter entries should only be used if many hosts share the same set of filter rules that need to be controlled from RADIUS. |
26.6527.159 | Alc-Ascend-Data-Filter-Host-Spec | Subscriber host specific filter entry. The match criteria are automatically extended with the subscriber host IP address or IPv6 address as source (ingress) or destination (egress) IP. They represent a per-host customization of a generic filter policy: only traffic to or from the subscriber host matches against these entries. A range of entries must be reserved for subscriber host specific entries in a filter policy: configure filter ip-filter/ipv6-filter filter-id sub-insert-radius. Subscriber host specific filter entries are moved if the subscriber host filter policy is changed (new SLA profile or IP filter policy override) and if the new filter policy contains enough free reserved entries. When the subscriber host session terminates or is disconnected, the corresponding subscriber host specific filter entries are also deleted. The function of the attribute is identical to [92] NAS-Filter-Rule but it has a different format. The format used to specify host specific filter entries (NAS-Filter-Rule format or Alc-Ascend-Data-Filter-Host-Spec format) cannot change during the lifetime of the subscriber host. Mixing formats in a single RADIUS message results in a failure. |
Attribute ID | Attribute name | Type | Limits | SR OS format |
---|---|---|---|---|
92 | NAS-Filter-Rule | string | Max. 10 attributes per message (up to 10 host specific filter entries) | The format of a NAS-Filter-Rule is defined in RFC 3588, Diameter Base Protocol, section 4.3, Derived AVP Data Formats. A single filter rule is a string of format <action> <direction> <protocol> from <source> to <destination> <options>. Multiple rules should be separated by a NUL (0x00). A NAS-Filter-Rule attribute may contain a partial rule, one rule, or more than one rule. Filter rules may be continued across attribute boundaries. A RADIUS message with NAS-Filter-Rule attribute value equal to 0x00 or " " (a space) removes all host specific filter entries for that host. See also IP filter attribute details. For example: Nas-Filter-Rule = permit in ip from any to 10.1.1.1/32 |
26.529.242 | Ascend-Data-Filter | octets | Max. 120 attributes per message. Up to 120 shared filter entries: total of IPv4 ingress + IPv4 egress + IPv6 ingress + IPv6 egress. Minimum/maximum attribute length: | A string of octets with fixed field lengths (type (ipv4/ipv6), direction (ingress or egress), src-ip, dst-ip, and so on). Each attribute represents a single filter entry. See IP filter attribute details for a description of the format. For example: # permit in ip from any to 10.1.1.1/32 Ascend-Data-Filter = 0x01010100000000000a01010100200000000000000000 |
26.6527.134 | Alc-Subscriber-Filter | string | Max. 1 VSA. | Comma separated list of strings: Ingr-v4:<number>,Ingr-v6:<number>,Egr-v4:<number>,Egr-v6:<number> where <number> can be one of: [1 to 65535] = ignore sla-profile filter and apply this filter-id; 0 = ignore sla-profile filter and do not assign a new filter (only allowed if no dynamic subscriber host specific rules are present); -1 = no change in filter configuration; -2 = restore sla-profile filter. For example: Alc-Subscriber-Filter = Ingr-v4:20,Egr-v4:101 |
26.6527.158 | Alc-Nas-Filter-Rule-Shared | string | Max. 120 attributes per message. Up to 120 shared filter entries: total of IPv4 ingress + IPv4 egress + IPv6 ingress + IPv6 egress | The format is identical to [92] NAS-Filter-Rule and is defined in RFC 3588 section 4.3. A single filter rule is a string of format <action> <direction> <protocol> from <source> to <destination> <options>. Multiple rules should be separated by a NUL (0x00). An Alc-Nas-Filter-Rule-Shared attribute may contain a partial rule, one rule, or more than one rule. Filter rules may be continued across attribute boundaries. A RADIUS message with Alc-Nas-Filter-Rule-Shared attribute value equal to 0x00 or " " (a space) removes the shared filter entries for that host. See also IP filter attribute details. For example: Alc-Nas-Filter-Rule-Shared = permit in ip from any to 10.1.1.1/32 |
26.6527.159 | Alc-Ascend-Data-Filter-Host-Spec | octets | Max. 10 attributes per message (up to 10 host specific filter entries). Minimum/maximum attribute length: | A string of octets with fixed field lengths (type (ipv4 or ipv6), direction (ingress or egress), src-ip, dst-ip, and so on). Each attribute represents a single filter entry. See IP filter attribute details for a description of the format. For example: # permit in ip from any to 10.1.1.1/32 Alc-Ascend-Data-Filter-Host-Spec = 0x01010100000000000a01010100200000000000000000 |
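
The following is an added example, not SR OS or vendor code: a pre-flight lint that a RADIUS policy author could run over the filter attributes of one Access-Accept or CoA before sending it, applying the per-message limits, the format-mixing rule, the NUL-separated rule reassembly and the Alc-Subscriber-Filter syntax from the tables above. The function names, the message representation as (name, value) pairs and the reading of "continued across attribute boundaries" as plain concatenation are assumptions.

```python
# Added example: lint the filter attributes of one RADIUS Access-Accept or CoA
# against the limits in the tables above. All names here are hypothetical.
LIMITS = {"NAS-Filter-Rule": 10, "Alc-Ascend-Data-Filter-Host-Spec": 10,
          "Alc-Nas-Filter-Rule-Shared": 120, "Ascend-Data-Filter": 120,
          "Alc-Subscriber-Filter": 1}
# Pairs that carry the same function in two formats and must not be mixed.
EXCLUSIVE = [("NAS-Filter-Rule", "Alc-Ascend-Data-Filter-Host-Spec"),
             ("Alc-Nas-Filter-Rule-Shared", "Ascend-Data-Filter")]
FIELDS = {"Ingr-v4", "Ingr-v6", "Egr-v4", "Egr-v6"}


def split_rules(values):
    """Join string-format values in order, then split on NUL.

    Returns (clear_all, rules). Assumption: continuation across attribute
    boundaries means plain concatenation of the values in message order.
    """
    blob = b"".join(values)
    if blob in (b"\x00", b" "):  # documented "remove all entries" values
        return True, []
    return False, [r.decode("ascii") for r in blob.split(b"\x00") if r.strip()]


def parse_subscriber_filter(value):
    """Parse 'Ingr-v4:20,Egr-v4:101' into {'Ingr-v4': 20, 'Egr-v4': 101}."""
    out = {}
    for item in value.split(","):
        name, _, num = item.strip().partition(":")
        n = int(num)  # raises ValueError on a non-numeric value
        if name not in FIELDS or name in out or not -2 <= n <= 65535:
            raise ValueError(f"bad Alc-Subscriber-Filter field: {item!r}")
        out[name] = n
    return out


def lint(attrs):
    """attrs: list of (attribute name, bytes value) in message order."""
    names = [n for n, _ in attrs]
    problems = [f"{n}: {names.count(n)} attributes, limit {lim}"
                for n, lim in LIMITS.items() if names.count(n) > lim]
    problems += [f"mixed formats: {a} and {b}"
                 for a, b in EXCLUSIVE if a in names and b in names]
    # Heuristic: only host specific rules carried in this same message are seen.
    host_specific = any(n in EXCLUSIVE[0] for n in names)
    for n, v in attrs:
        if n == "Alc-Subscriber-Filter" and host_specific:
            zeros = [k for k, x in parse_subscriber_filter(v.decode()).items() if x == 0]
            problems += [f"{k}:0 with host specific rules present" for k in zeros]
    return problems
```

An empty list from `lint` means none of the documented per-message constraints were violated; it does not check state already installed for the host, such as the format used earlier in the host's lifetime.
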
Attribute ID | Attribute name | Access Request | Access Accept | CoA request |
---|---|---|---|---|
92 | NAS-Filter-Rule | 0 | 0+ | 0+ |
26.529.242 | Ascend-Data-Filter | 0 | 0+ | 0+ |
26.6527.134 | Alc-Subscriber-Filter | 0 | 0-1 | 0-1 |
26.6527.158 | Alc-Nas-Filter-Rule-Shared | 0 | 0+ | 0+ |
26.6527.159 | Alc-Ascend-Data-Filter-Host-Spec | 0 | 0+ | 0+ |