Alcatel-Lucent 7750 Reference Manual page 86

IP and IPv6 Filters
Table 17: IP and IPv6 filters (description) (Continued)
Attribute ID Attribute Name
26-6527-134 Alc-Subscriber-Filter
26-6527-158 Alc-Nas-Filter-Rule-
Shared
26-6527-159 Alc-Ascend-Data-
Filter-Host-Spec
Page 86
Subscriber host preconfigured ip/ipv6 ingress and egress filters to be used
instead of the filters defined in the sla-profile. Not relevant fields will be
ignored (for example, IPv4 filters for an IPv6 host). Note that the scope of the
local preconfigured filter should be set to template for correct operation. This
is not enforced. For a RADIUS CoA message, if the ingress or egress field is
missing in the VSA, there will be no change for that direction. For a RADIUS
Access-Accept message, if the ingress or egress field is missing in the VSA,
then the IP-filters as specified in the sla-profile will be active for that direction
Applicable to all dynamic host types, including L2TP LNS but excluding
L2TP LAC.
A local configured filter policy can be extended with shared dynamic filter
entries. A dynamic copy of the base filter (filter associated to the host via sla-
profile or host filter override) is made and extended with the set of filter rules
per type (ipv4/ipv6) and direction (ingress/egress) in the RADIUS message. If
a dynamic copy with the same set of rules already exists, no new copy is made
but the existing copy is associated with the host/session. If after host/session
disconnection, no hosts/sessions are associated with the dynamic filter copy,
then the dynamic copy is removed. Shared filter entries are moved if the
subscriber host filter policy is changed (new SLA profile or ip filter policy
override) and if the new filter policy contains enough free reserved entries. A
range of entries must be reserved for shared entries in a filter policy: config
filter ip-filter <filter-id> sub-insert-shared-radius The function of the
attribute is identical to [242] Ascend-Data-Filter but it has a different format.
The format used to specify shared filter entries (Alc-Nas-Filter-Rule-Shared
format or Ascend-Data-Filter format) cannot change during the lifetime of the
subscriber host. Mixing formats in a single RADIUS message results in a
failure. Important note: shared filter entries should only be used if many hosts
share the same set of filter rules that need to be controlled from RADIUS.
Subscriber host specific filter entry. The match criteria is automatically
extended with the subscriber host ip- or ipv6-address as source (ingress) or
destination (egress) ip. They represent a per host customization of a generic
filter policy: only traffic to/from the subscriber host will match against these
entries. A range of entries must be reserved for subscriber host specific entries
in a filter policy: config>filter>ip-filter# sub-insert-radius. Subscriber host
specific filter entries are moved if the subscriber host filter policy is changed
(new SLA profile or ip filter policy override) and if the new filter policy
contains enough free reserved entries. When the subscriber host session
terminates or is disconnected, then the corresponding subscriber host specific
filter entries are also deleted. The function of the attribute is identical to [92]
Nas-Filter-Rule but it has a different format. The format used to specify host-
specific filter entries (NAS-Filer-Rule format or Alc-Ascend-Data-Filter-
Host-Spec format) cannot change during the lifetime of the subscriber host.
Mixing formats in a single RADIUS message results in a failure.
7750 SR RADIUS Attributes Reference Guide
Description