Juniper Subscriber-Aware and Application-Aware Traffic Treatment User Manual

Junos® OS

Subscriber-Aware and

c

r

rc Treatment User Guide

Published

2021-04-18

ii

Juniper Networks, Inc. 1133 nn v n Way Sunnyvale, California 94089 USA

408-745-2000 www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their r s c v owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right

to change, modify, transfer, or otherwise revise this				b c	n without n c
Junos® OS Subscriber-Aware and		c	n w r	r	c Treatment User Guide
Copyright © 2021 Juniper Networks, Inc. All rights reserved.
The n rm	n in this document is current as of the date on the					page.

YEAR 2000 NOTICE

Juniper Networks hardware and s ftw r products are Year 2000 compliant. Junos OS has no known m r

m ns through the year 2038. However, the NTP c n is known to have some c y in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical						c m n	n consists of (or is intended for use
with) Juniper Networks s ftw r	Use of such s		ftw r	is subject to the terms and c n				ns of the End User License
Agreement ("EULA") posted at	s s	r	n r n	s	r	. By downloading, installing or using such
s ftw r you agree to the terms and c n		ns of that EULA.

iii

Table of Contents

1

2

About This Guide | xxiv

Subscriber-Aware and

c

n

w r r

c Treatment Overview

Subscriber-Aware and

c

n w r

r

c Treatment Overview | 2

Subscriber-Aware and

c

n

w r

r

c Treatment Overview |

2

C n

r n

Subscriber-Aware and

c

n

w r

r

c Treatment Overview | 6

Applying Subscriber-Aware and

c

n

w r

Policies and Services

n

r n

the Service PIC, Session PIC, and TDF Gateway | 9

TDF Gateway Service PICs and Session PICs for Subscriber-Aware

r

c Treatment | 9

C

n

r n

Service PICs and Session PICs Overview

| 12

r c n

r

Groups for Service PICs and for Session PICs Overview | 13

C

n

r n

a Services Interface for a Session PIC or Service PIC | 15

C n

r n

a TDF Gateway | 16

Making

r

n Groups Available for Session PIC and Service PIC C

n r n | 17

C

n

r n

Service PICs | 18

C

n

r n

Session PICs | 19

C n

r n

Tracing for TDF Gateway | 20

n

r n

c

n

n

c

n | 23

c

n

n

c

n Overview | 23

Downloading and Installing r

n

Junos OS

c

n Signature Packages | 24

C n

r n

Custom

c

n Signatures | 26

Uninstalling a r

n

Junos OS

c

n Signature Package | 33

nr n HTTP Header Enrichment | 34

Junos Web Aware HTTP Header Enrichment Overview | 34

HTTP Content Manager (HCM) | 35

iv

C n		r n	HTTP Header Enrichment Overview | 41
C	n	r n	Tag Rules | 42
C	n	r n	HCM r s and Assigning Tag Rules | 49

nr n Policy and Charging Enforcement | 51

Understanding Junos Subscriber Aware Policy and Charging Enforcement F nc n (PCEF) | 52

Understanding r	n Policy and Charging Control Rules for Subscriber-Aware r c
Treatment | 56

Understanding How Subscriber-Aware Policy and Charging Control Rules Are Provisioned Dynamically by a PCRF | 58

Understanding How Subscriber-Aware Policy and Charging Control Rules Are Provisioned

Sc y | 63

Understanding How a RADIUS Server Controls Policy and Charging Control Rules | 64

Understanding PCEF r				s | 70
Understanding Network Elements | 71
Understanding AAA r				s | 73
Understanding S c Time-of-Day PCC Rule					c	v	n and	c v n | 74
Understanding Usage Monitoring for TDF Subscribers | 74
C n		r n	Dynamic Policy Control by PCRF | 76
C	n	r n	S c Policy Control | 77
C	n	r n	Policy Control by RADIUS Servers | 78
C	n	r n	Service Data Flow Filters | 79
C	n	r n	Policy and Charging Control c		n	r	s For Junos OS Subscriber Aware | 83
C	n	r n	Policy and Charging Control Rules | 86
C	n	r n	a Policy and Charging Control Rulebase | 89
C n		r n	RADIUS Servers | 91
C n		r n	RADIUS Network Elements | 94
C n		r n	an AAA r	| 96

v

C	n	r n	a Policy and Charging Enforcement F nc	n	r	for Junos OS Subscriber Aware
	Dynamic Policies | 98
C	n	r n	a Policy and Charging Enforcement F nc	n	r	for Junos OS Subscriber Aware

Sc Policies | 100

C n	r n	a Policy and Charging Enforcement F nc				n	r	for Junos OS Subscriber Aware
Policies That a RADIUS Server Controls | 101
C n	r	n of S		c Time-of-Day PCC Rule c	v	n and		c v	n Overview | 102
C n	r n	the NTP Server | 103
C n	r n	S	c Time-of-Day PCC Rule c v		n and		c	v n in a Junos OS Subscriber
Aware PCEF			r	| 103
C n	r n	TDF Subscriber Usage Monitoring for			r	c That Matches			r	n PCC Rules | 105

nr n TDF Subscribers | 106

IP-Based and IFL-Based TDF Subscribers Overview | 107

IP-Based Subscriber Setup Overview | 107

Understanding the

n n of a Set of IP-Based Subscriber r r s with a TDF Domain | 108

Understanding Source IP Filtering with Address Pools in TDF Domains for IP-Based Subscribers | 110

Understanding S					c	n of	r	r s for an IP-Based TDF Subscriber | 110
Understanding S					c	n of Policy-Control r			r	s for an IP-based TDF Subscriber | 112
Snooping RADIUS					cc	n	n	Requests for IP-Based Subscribers Overview | 114
Understanding IFL-Based Subscriber Setup | 115
Understanding the						n	n of a Set of IFL-Based Subscriber r r s with a TDF Domain | 116
C n		r n	IP-Based TDF Subscriber Setup When MX Series Router Is a RADIUS Server | 117
C n		r n	IP-Based TDF Subscriber Setup When							cc	n n Requests Are Snooped | 118
C n		r n	Address Pools for Source-IP Filtering of IP-Based Subscribers | 119
C n		r n	a Set of IP-Based TDF Subscriber						r	r	s with a TDF Domain | 121
	C n		r n	the TDF Domain Name and AAA Parameters | 121
	C	n	r n	Address Filtering | 124
	C	n	r n	Subscriber Services and Policies | 125
	C	n	r n	Access Interfaces | 125

vi

	C	n	r n	Session Controls | 126
	C	n	r n	Default Policy | 126
C	n	r n	RADIUS Clients That Send			cc	n	n	Requests for IP-Based Subscribers | 128
C	n	r n	Assignment of TDF Subscriber				r	r		s and Policy-Control r r s to IP-Based
	Subscribers | 130
	C n		r n	the Term Name | 130
	C n		r n	Match C n	ns for the RADIUS Client | 131
	C n		r n	Match C n	ns for Snoop Segments | 131
	C n		r n	Match C n	ns for	r	n	AVPs | 131
	C n		r n	Match C n	ns for Custom AVP					r b s | 133
	C n		r n	the TDF Domain to Select | 135
	C	n	r n	the PCEF r	to Select | 135
C	n	r n	Snooping of RADIUS cc			n n	Requests for IP-Based Subscribers | 136
C	n	r n	IFL-Based TDF Subscriber Setup | 139
C n		r n	IFL-Based TDF Subscribers and				r	r		s with a TDF Domain | 140
	C n		r n	the TDF Domain Name and Type | 140
	C	n	r n	IFL-Based Subscribers | 141
	C	n	r n	Address Filtering | 142
	C	n	r n	Subscriber Services and Policies | 142
	C	n	r n	Session Controls | 142
C	n	r n	a TDF Logical Interface | 143
C	n	r n	TDF Interface to Access Interface					ss	c	ns in VRFs | 144

nr n Services | 145

Overview of Applying Services to Subscribers | 145

Applying Services to Subscriber-Aware r c with a Service Set | 146

nr n Diameter | 149

Diameter r s Overview | 149

Juniper Networks Diameter AVPs for Subscriber Aware Policy Control | 150

C n r n Diameter Overview | 152

C n r n Diameter r

s | 152

3

4

vii

C	n	r n	Diameter Bindings | 154
C n		r n	Diameter Network Elements | 155
C n		r n	Diameter AVPs for Gx	c	ns | 156
C n		r n	Diameter Peers | 158
C	n	r n	the Diameter Transport | 161
C n		r n	v r s m n s in Diameter Messages | 162
C	n	r n	Parameters for Diameter	c	ns | 162
C	n	r n	the Origin r b s of the Diameter Instance | 163

n

r n

R

r

n for Subscriber-Aware Data Sessions

n

r n

R

r

n

| 166

Logging and R

r

n

F nc

n for Subscribers | 166

Log

c n ry for Template Types | 174

C

n

r n

Logging and R

r n

for Junos OS Subscriber Aware | 186

C

n

r n

an LRF r

for Subscribers | 187

C n

r n

the LRF

r

Name | 187

C

n

r n

Policy-Based Logging | 188

(

n

) C

n

r n

HTTP

r ns c

n Logging | 188

C

n

r n

Collectors | 188

C n

r n

Templates | 190

C

n

r n

Logging and R

r n Rules | 192

Assigning an LRF

r

to Subscribers | 194

C n

r n

the

c

v

n of an LRF Rule by a PCC Rule | 196

Modifying Subscriber-Aware

n

r

n

Modifying Subscriber-Aware

n

r

n in Maintenance Mode | 200

Maintenance Mode Overview for Subscriber Aware Policy Enforcement | 200

Changing Address r b s in the Address Pool | 202

n an Address Pool | 203

Changing AMS Interface Parameters on a TDF Gateway | 205

5

6

viii

Modifying a TDF Domain | 208

Modifying the TDF Interface of a TDF Domain | 210

n a TDF Domain | 212

Changing a TDF Interface | 214

n a TDF Interface | 216

Changing TDF Gateway Parameters with Maintenance Mode | 218

Changing PCEF

r

s PCC Rules, PCC Rulebases, Diameter r

s Flow scr

ns and PCC

c

n

r

s | 220

Changing PCEF

r

s PCC Rules, PCC Rulebases, Diameter

r

s Flow

scr

ns and

PCC

c

n

r

s with the TDF Domain in Maintenance Mode | 221

Changing PCEF

r

s PCC Rules, PCC Rulebases, Diameter

r

s Flow

scr

ns and

PCC

c

n

r

s with the TDF Gateway in Maintenance Mode | 223

n

a PCEF

r

| 225

n

a PCEF

r

with the TDF Domain in Maintenance Mode | 226

n

a PCEF

r

with the Gateway in Maintenance Mode | 228

Changing S c Time-of-Day S

n s for PCC Rules | 231

n

a Services PIC

| 232

n

a Session PIC

| 234

Monitoring and

r

b

s

n

Monitoring and r

b s

n

| 239

C

n

r n

Tracing for PCEF

r

ns | 239

C

n

r n

Call-Rate S

s

cs C

c

n | 241

Using the n

r

r s

S

c c

y MIB | 242

Using the

n

r

r s

S

c c

y MIB | 242

n

the

n

r r s

S

c

c

y MIB with n

rm

n | 243

Stopping the SLAX Script with the CLI | 251

Clearing the

y MIB | 251

Recovering from an Abnormal SLAX Script Exit or a SLAX Script Exit with the CLI | 251

n

r

n Statements and

r

n

Commands

n r n Statements | 253

ix

3gpp-imsi | 262
aaa clients (TDF) | 264
aaa-policy-control (PCEF							r	) | 265
	r		(PCEF		r	) | 267
access-interfaces (IFL Subscriber) | 268
access-interfaces (IP Subscriber) | 270
cc	n	n	(AAA		r	) | 271
cc	n	n	(RADIUS Client) | 273
cc	n	n	r	(RADIUS Server) | 274
cc	n	n	s cr		(RADIUS Server) | 275
c	v	n	r b		(AAA		r	) | 277
address (Diameter Peer) | 278
address (LRF r					) | 279
address (RADIUS Clients) | 281
address (RADIUS Server) | 282
address-mapping (						c	n	n	c	n) | 283
address-pools | 285
allow-dynamic-requests (RADIUS Server) | 287
alt-name (			c		n	n	c	n) | 288
	c	n (		c		n	n	c	n) | 289
	c	n	r		| 292
	c	n	r	s (PCC Rules) | 293
	c	n	n		c	n (		c	n	n	c n) | 295
	c	n	n		c	n	r	(Service Set) | 299
	c	ns (Services					c	n	n	c	n) | 300
	c	ns (Diameter) | 301

x

cns (PCC Rules) | 303

	r b		| 305
	r b s (Diameter Gx						r	s) | 308
		n	c	n (AAA		r		) | 309
burst-size (Default Local Policy)									| 311
burst-size (TDF Domain) | 312
cac (TDF Gateway) | 314
cacheable (					c	n	n c			n) | 315
c	r		s	s	cs | 316
c		s		n	| 318
c	n	s		n	| 319
chain-order (					c	n		n	c	n) | 321
check-bytes (					c	n		n	c	n) | 322
class		| 323
client		| 325
clients | 327
c		cc	n	n	(AAA r			) | 328
code | 330
code (AAA				r	) | 331
code (			c		n	n	c	n) | 333
collector (LRF					r	) | 334
collector (LRF Rule) | 336
c	m		b	y (	c	n		n	c	n) | 337
c nn c			c	v	y | 338
constant | 341
context (				c	n	n		c	n) | 342

xi

count (HTTP Header Enrichment) | 344

cpu (TDF Gateway) | 346
	c	v		n	r b		(AAA		r	) | 347
dead-criteria-retries (RADIUS Server) | 348
default-local-policy | 350
default-pool (Address Pools) | 351
scr				n (		c	n	n	c	n) | 353
s		n		n (		c	n	n	c	n) | 354
s		n		n (LRF		r	) | 355
s		n		n	r ss (HTTP Header Enrichment) | 357
s		n		n	r ss r n			(HTTP Header Enrichment) | 359
s		n		n		r ss (RADIUS Snoop Segment) | 360
s		n		n	r	(RADIUS Snoop Segment) | 362
s		n		n	r	r n	(HTTP Header Enrichment) | 363
s		n		n	r s (HTTP Header Enrichment) | 365
s		n		n r		x s	(HTTP Header Enrichment) | 366
diameter (Subscriber Aware Policy Control) | 368
diameter (TDF Gateway) | 370
m			r	r		(PCEF		r	) | 372
r	c		n (		c	n		n	c	n) | 373
r	c		n (Service Data Flow Filters) | 375
sc nn c					r	m		| 377
domain (TDF Domain S								c	n) | 378
m		n s		c	n | 380
domains | 384
dynamic-policy-control | 387

xii

dynamic-requests-secret (RADIUS Server) | 389 encrypt (HTTP Header Enrichment) | 390

equals | 392
exclude (Diameter Gx r				s) | 394
external-assigned (Address Pools) | 395
family (Address Pools) | 397
family (Exclude			r x) | 398
family (TDF Interface) | 400
fl	w c	n | 401
fl	w	scr	ns | 403
fl	ws (PCC Rules) | 405

format (		n		Edge Gateways) | 407
format (LRF			r	) | 409
forwarding-class (PCC					c	n r	s) | 410
rmw r		r v s		n | 412
framed-ip-address | 414
r m		v	r	x | 415
from (HTTP Header Enrichment) | 417
from (PCC Rules) | 418
from (TDF Domain S					c	n) | 420
nc	n (Diameter Network Element) | 424
gate-status | 425
greater-than | 427
x	r	| 429
s	r	x (	n	Edge Gateways) | 431
s s		x | 432

xiii

hcm (HTTP Header Enrichment) | 434
cm	r	(HTTP Header Enrichment) | 436
cm	r	(PCC	c n	r	s) | 438
host (Diameter Origin) | 439
	m		r ns c		ns (LRF r	) | 441
icmp-mapping (			c	n	n c	n) | 442

id-components | 443

m| 446

fl s bscr b r | 447
mm	cc n n	r s	ns		| 449
include (Diameter Gx		r	s) | 450
incoming-queue | 452
inet (TDF Subscriber Address) | 453
inet (TDF Subscriber Exclude				r	x) | 455
inet6 (TDF Subscriber Address) | 456
inet6 (TDF Subscriber Exclude				r	x) | 457
integer	| 459
interface (Services PIC)		| 460
interface (Session PICs) | 462
interface-service (Services Interfaces)						| 464
ip-protocol-mapping (			c	n	n	c n) | 465
ip-subscriber | 467

ipv4-address (Steering Path) | 469 ipv4-mask (HTTP Header Enrichment) | 471

ipv4-or-value (HTTP Header Enrichment) | 472 ipv6-address (Steering Path) | 474

xiv

ipv6-mask (HTTP Header Enrichment) | 475 ipv6-or-value (HTTP Header Enrichment) | 477

x s n s	r n	| 478
less-than | 480
local-port-range | 481
local-ports | 483
logging-rule (PCC	c	n r	) | 485

rr (Service Set) | 487

matches | 489

maximum-bit-rate (Default Local Policy) | 492

maximum-bit-rate (PCC c n r	s) | 493
maximum-bit-rate (TDF Domain) | 495
maximum-pending-reqs-limit | 497

maximum-pending-requests (Diameter) | 498 maximum-sessions (TDF Gateway) | 500 maximum-subscribers | 501

maximum-sessions-trap-percentage (TDF Gateway) | 502

member (	c n	n	c	n) | 504
memory (TDF Gateway) | 505
mif (TDF Interface) | 507
monitoring-key (PCC c			n r	) | 508
mtu (TDF Interface) | 509
nas-ip-address | 511
nat-rule-sets (Service Set)			| 512
nat-rules | 514
network-element (AAA		r	) | 515

xv

network-element (Diameter Base Protocol) | 516 network-element (Subscriber Aware Policy Control) | 518 network-elements (RADIUS) | 520

network (Address Pools) | 521
network (TDF Domain) | 523
n		c	n sys			m c c		| 525
no-send-to-ue | 526
order (			c		n	n	c	n) | 527
order-priority (					c		n	n	c n) | 529
origin (Diameter Base Protocol) | 531
outgoing-queue | 532
over (			c	n		n	c	n) | 534
packet-capture (Next Gen Services) | 536
path (Steering)				| 539
	rn (		c		n	n		c	n) | 540
	rn (Class				r b	)	| 542
cc	c	n	r		(PCC Rules) | 543
cc	c	n	r		s | 545
pcc-rule | 548
pcc-rulebases (PCEF) | 550
pcc-rulebases (PCEF						r		) | 551
pcc-rules (PCEF) | 554
pcc-rules (PCEF					r	) | 556
cc	m			y	r	s | 558
pcef | 560
c	r		(Service Set)				| 563

xvi

cr (TDF Domain) | 564

c	r	(TDF Domain S		c	n) | 566
peer (Diameter Base Protocol) | 568
peer (Diameter Network Element) | 569
pending-queue-watermark | 571
pending-queue-watermark-abate | 572
policy-based-logging (LRF			r		) | 574
pool (TDF Domain) | 575
port (LRF r		) | 577
port (RADIUS Server) | 578
port-range (		c n	n	c	n) | 579

prefer-framed-ip-address (RADIUS Clients) | 581

r r r m v r x (RADIUS Clients) | 582

priority (Diameter Network Element) | 583 priority (RADIUS Network Elements) | 585 product-name | 586

r| 587

r(HTTP Header Enrichment) | 589

r(LRF) | 590

r

(Services

c n n c n) | 593

r(Services PCEF) | 594

rs (AAA) | 595

rs (PCEF) | 597

protocol (	c n	n c n) | 600
protocol (Flow	scr	ns) | 602

realm (Diameter Origin) | 604

xvii

redirect (PCC			c	n	r	s) | 605
regex (Class			r b	)	| 607
remote-address | 608
remote-port-range | 610
remote-ports | 612
report (LRF Rule) | 614
r q	s	c c	m		(RADIUS Snoop Segment) | 616
r q	s	m	| 617
r s	ns	c c	m		(RADIUS Client) | 618
retry (RADIUS Server) | 620
revert-interval (RADIUS Server) | 621
r	n	ns nc	(PCC		c	n r	s) | 623

rule (HTTP Header Enrichment for Tag Rule Set) | 625

rule (LRF)		| 626
r	c v	n m | 628

rc v n m | 630

secret (RADIUS Client) | 632 secret (RADIUS Server) | 633

server (RADIUS Network Elements) | 634 servers (RADIUS) | 636

service-mode | 638 service-pics | 640

service-set (Subscriber-Aware) | 641 service-set (TDF Interface) | 643 session-pics | 644

session-pics (Diameter) | 645

xviii

shared-secret (RADIUS Snoop Segment) | 647

snoop-segment (TDF Domain S						c	n) | 649
snoop-segments (RADIUS) | 650
snoop-segments (TDF Gateway) | 652
source (		c	n	n	c n) | 653
source-address (LRF				r	) | 655
source-interface | 656
source-interface (RADIUS Server) | 657
source-interface (RADIUS Snoop Segment) | 659
source-ip-address (RADIUS Snoop Segment) | 660
s	c	cy c	n r	| 661
steering | 663
string | 665
subscriber-address | 667
subscriber-awareness (Service Set							ns) | 668
subscriber-aware-services | 669
s	bscr b	r xc		r x | 670
subscriber-type (TDF Domain) | 672
s	bscr	n	| 674
s	bscr	n		ns | 675
s	bscr	n	y	(Class	r b	)	| 677
tag (HTTP Header Enrichment) | 679
	r b	(HTTP Header Enrichment) | 680
	r b	(HTTP Header Enrichment Tag Rule) | 682
tag-header (HTTP Header Enrichment) | 683
	r	n (HTTP Header Enrichment) | 685

xix

tag-rule ( r		s for HTTP Header Enrichment) | 686
tag-rule (HTTP Header Enrichment) | 688
tag-rules (Service Set)				| 690
tag-rule-set (HTTP Header Enrichment) | 692
tag-rule-sets (Service Set)					| 693
tag-separator (HTTP Header Enrichment) | 695
tag-value (HTTP Header Enrichment) | 696
tags (	c	n	n	c		n) | 697
targets	| 699
tdf ( n	Edge) | 701
tdf-interface		| 702
template (LRF		r	) | 704
template (LRF Rule) | 705
template-tx-interval (LRF					r	) | 707
template-type (LRF			r		) | 708
term (HTTP Header Enrichment) | 711
term (TDF Domain S				c	n) | 713
then (HTTP Header Enrichment) | 717
then (LRF rule) | 719
then (PCC Rules) | 720
then (TDF Domain S				c	n) | 722

m| 724

mm (LRF Rule) | 725

m(Diameter Network Element) | 727

m(RADIUS Server) | 728

r c ns (Diameter Base Protocol) | 730

xx

r c		ns (PCEF) | 732
r c		ns (TDF Gateway) | 735
trigger-type (LRF				r	)	| 738
type (		c	n	n		c	n) | 740
type (ICMP Mapping for							c n n c n) | 741
unit (TDF Interface) | 743
url	| 744
use-class (Class				r b		)	| 746
user-name | 747
user-password (PCEF					r		) | 749
v4address | 750
v6address | 752
v	r	x | 753
vendor-id | 755
vendor-id (AAA			r		) | 756
vendor-support | 758
volume-limit (LRF Rule) | 759
w	c	m		| 760

rn Commands | 763

clear services	c	n	n	c	n	c	n sys m c c | 765
clear services	c	n	n	c	n s	s	cs | 767
clear services lrf collector s			s	cs	| 769

clear services lrf s		s	cs | 771
clear services sessions			| 772
clear	n	tdf aaa radius client s s cs | 777
clear	n	tdf aaa radius network-element s s cs | 779

xxi

clear	n	tdf aaa radius server s		s	cs | 781
clear	n	tdf aaa radius snoop-segment s				s	cs | 782
clear	n	tdf aaa s	s cs | 784
clear	n	tdf address-assignment pool | 786
clear	n	tdf address-assignment s			s cs | 788
clear	n	tdf call-admission-control s			s	cs | 790
clear	n	tdf diameter network-element s				s	cs | 791
clear	n	tdf diameter pcc-gx s		s cs | 793
clear	n	tdf diameter peer s s		cs | 795
clear	n	tdf s s	cs | 797
clear	n	tdf subscribers | 798
clear	n	tdf subscribers peer | 800

request interface load-balancing revert (Aggregated M s								rv c	s) | 802
request interface load-balancing switchover (Aggregated M								s	rv c s) | 804
request services	c	n	n	c	n	c	n | 806
request services	c	n	n	c	n download | 808
request services	c	n	n	c	n download status | 809
request services	c	n	n	c	n group | 811
request services	c	n	n	c	n install | 813
request services	c	n	n	c	n install status | 814
request services	c	n	n	c	n proto-bundle-status | 816
request services	c	n	n	c	n uninstall | 817
request services	c	n	n	c	n uninstall status | 819

request	n	tdf call-trace clear	| 820
request	n	tdf call-trace show | 822
request	n	tdf call-trace start	| 826

xxii

request n tdf call-trace stop | 829

show interfaces anchor-group (Aggregated Packet Forwarding Engine) | 831

show interfaces load-balancing (Aggregated M

s rv c

s) | 836

show services

c

n

n

c

n

c

n | 841

show services

c

n

n

c

n

c

n sys

m c c

| 850

show services

c

n

n

c

n counter | 856

show services

c

n

n

c

n group | 860

show services

c

n

n

c

n s

s

cs

c

n r

s | 865

show services

c

n

n

c

n s

s

cs

c

ns | 868

show services

c

n

n

c

n status | 870

show services

c

n

n

c

n version | 873

show services ha detail | 874

show services ha s

s

cs | 877

show services hcm s

s

cs | 885

show services hcm

c s

s

cs | 888

show services lrf collector s

s

cs

| 896

show services lrf rule s

s

cs | 898

show services lrf s

s

cs | 901

show services lrf template | 903

show services

r

c

c

n

nc

n hcm s

s cs | 906

show services

r

c

c

n

nc

n sessions | 911

show	n	tdf aaa radius client s	s cs | 915
show	n	tdf aaa radius client status | 923
show	n	tdf aaa radius network-element s		s cs | 925
show	n	tdf aaa radius server s	s cs | 930
show	n	tdf aaa radius server status | 936

xxiii

show	n	tdf aaa radius snoop-segment s						s cs | 940
show	n	tdf aaa s	s	cs | 945
show	n	tdf address-assignment pool | 958
show	n	tdf address-assignment service-mode | 964
show	n	tdf address-assignment s				s	cs | 967
show	n	tdf call-admission-control s					s	cs | 970
show	n	tdf call-rate s		s cs	| 974
show	n	tdf diameter network-element s						s cs | 978
show	n	tdf diameter network-element status | 981
show	n	tdf diameter pcc-gx s			s	cs | 984
show	n	tdf diameter peer s			s cs | 992
show	n	tdf diameter peer status | 999
show	n	tdf domain service-mode | 1004
show	n	tdf domain s		s cs | 1007
show	n	tdf resource-manager clients | 1014
show	n	tdf service-mode | 1017
show	n	tdf s s	cs | 1020
show	n	tdf status | 1032
show	n	tdf subscribers | 1038
show	n	tdf system interfaces | 1059
show	n	tdf system interfaces service-mode | 1061

xxiv

About This Guide

Use this guide to c n	r	and monitor subscriber-aware and		c	n w r	r	c policies. This lets
you n y the mobile or		x	n subscriber associated with a data session, and enforce r c
treatment for the subscriber based on Layer 7 or Layer 3/Layer 4				c	n n	rm	n for the
session.

1

PART

Subscriber-Aware and

c

rr c Treatment Overview

Subscriber-Aware and	c n w r r c Treatment Overview | 2

2

CHAPTER 1
Subscriber-Aware and	c n w r r c
Treatment Overview

IN THIS CHAPTER
	Subscriber-Aware and	c n	w r r	c Treatment Overview | 2
	C n r n Subscriber-Aware and		c	n w r r c Treatment Overview | 6

Subscriber-Aware and

c n w r r c Treatment Overview

IN THIS SECTION
	n r	c n |	2			c Treatment |	3
	Access-Independent Subscriber r
	Subscriber		n	c	n Methods |	4
	c	n	n	c	n | 4
	Policy Control Methods | 5						n | 5
	Subscriber-Aware Data Session Logging and R r
	Usage Monitoring |				5

This topic contains an overview of subscriber-aware and c n w r r c treatment.

n r	c n
Junos Subscriber Aware		n	s the mobile or x	n subscriber associated with a data session, and
enforces	r c treatment based on policies assigned to the subscriber. This permits highly customizable
r n	services for subscribers. A subscriber policy can be based on Layer 7				c	n
n rm	n for the IP fl	w (for example, YouTube) or can be based on Layer 3/Layer 4 n rm				n for

3

the IP fl w (for example, the source and s n					n IP address). Junos Subscriber Aware resides on an
MX Series router.
Subscriber-aware policies can specify the following c ns
•	R	r c n	HTTP r c to another URL or IP address
•	Forwarding packets to a r			n instance so that packets are directed to external service chains
	( r	n	sequence of services)

•S n the forwarding class

•S n the maximum bit rate

•Performing HTTP header enrichment (provided by Junos Web Aware, which resides on the same MX Series router as Junos Subscriber Aware)

• S n the	n status to blocked or allowed
Subscriber-aware policies can also specify the m of day that the policies are in		c

Access-Independent Subscriber	r	c Treatment
Subscriber n c n for both mobile access and wireline access provides a n			experience for
the subscriber, regardless of the c nn	c	n method.

Junos Subscriber Aware resides on an MX Series router that is located between the gateway of the access network and the public network and network services, as shown in Figure 1 on page 4. Subscribers may be controlled by a broadband network gateway (BNG) in a wireline access network, by

4

a gateway GPRS support node (GGSN) in a 2G or 3G network architecture, or by a Packet Data Network Gateway (PGW) in a 4G/LTE network architecture.

Figure 1: Subscriber-Aware Policy Enforcement on the MX Series

Subscriber			n	c	n Methods
You can use the following methods to						n	y subscribers:
•	IP-based—Processes a RADIUS cc					n	n start request to n y the subscriber. An IP-based
	subscriber session is for one unique user IP address.
•	IFL-based—Requires you to c n					r a subscriber name and specify a set of MX Series router access
	interfaces for the subscriber. Junos Subscriber Aware assigns all data sessions received on those
	interfaces to the c			n	r subscriber.
	c	n	n	c	n

Layer 7	c	n n	c	n is provided by Junos	c	n Aware, which performs deep packet
ns c	n (DPI) to determine whether the subscriber’s data packets match an						c	n signature.
When an	c	n is	n	the appropriate subscriber policy is applied to the packets. Juniper

5

Networks provides a set of r	n	c n signatures that you can download and that are
periodically updated. You can also c n		r your own custom	c n signatures.
Junos Subscriber Aware and Junos		c n Aware reside on the same MX Series router, allowing
policy control on a single	rm

Policy Control Methods

Subscriber-aware policies can be controlled dynamically by a policy and charging rules					nc	n (PCRF)
server, can be c v	by a RADIUS server, or can be under s		c control.
Under dynamic control, a PCRF either sends policies to the MX Series router or				c v	s r	n
policies that you c n	r	on the MX Series router. Dynamic policy control is provided by Junos Policy
Control, which resides on the same MX Series router as Junos Subscriber Aware.
Under RADIUS server control, the RADIUS server controls the			c v n of your	r	n	polices but
does not send policies to the MX Series router.
Under s c control, your r		n policies are not controlled by a PCRF or RADIUS server.

Subscriber-Aware Data Session Logging and R r n

Junos Subscriber Aware can log data for subscriber-aware data sessions and send that data in an IPFIX

format to an external log collector. These logs can include subscriber n rm					n	c	n
n rm	n HTTP metadata, data volume, m	y n	rm	n and source and		s	n	n details.
You can then use the external collector, which is not a Juniper Networks product, to perform								n y cs
that provide you with insights about subscriber and		c	n usage, enabling you to create packages
and policies that increase revenue.

Usage Monitoring

For subscriber data sessions that are under the dynamic policy control of a PCRF, Junos Subscriber

Aware can monitor the volume of r c or amount of m	the subscriber uses during a session, and
send reports to the PCRF. The PCRF can use this n rm	n to adjust the policies for a subscriber.

RELATED DOCUMENTATION

C n r n Subscriber-Aware and

c n w r r c Treatment Overview | 6

6

n r n Subscriber-Aware and	c n w r r c Treatment
Overview

To c n

r subscriber-aware and

c

n w r r c treatment:

1. C n r service PICs and session PICs.

	See	C	n	r n Service PICs and Session PICs Overview " on page 12.
2.	(	n	)	n	y Layer 7			c	ns
	a. Install			c		n signature packages.
	See "Downloading and Installing								r	n Junos OS	c n Signature Packages" on page
	24.
	b. C	n	r	custom			c	n signatures.
	See		C n		r n	Custom		c n Signatures" on page 26.
3.	(	n	) C	n	r	HTTP header enrichment.
	See	C n		r n HTTP Header Enrichment Overview" on page 41.

4. C n r a policy enforcement method.

•	For dynamic policy control, see		C n	r n		Dynamic Policy Control by PCRF" on page 76.
•	For s	c policy control, see C	n	r n	S	c Policy Control" on page 77.
•	For RADIUS server policy control, see C				n	r n Policy Control by RADIUS Servers" on page
	78.
5. C	n r	the policy enforcement for an IP-based subscriber. An IP-based subscriber session handles

rc for one unique user IP address.

•	If the MX Series router is n			as a RADIUS server for the access gateway, see C n r n
	IP-Based TDF Subscriber Setup When MX Series Router Is a RADIUS Server" on page 117
•	If the MX Series router is not n			as a RADIUS server for the access gateway, see
		C n	r n IP-Based TDF Subscriber Setup When cc n n Requests Are Snooped" on page
	118
6. C	n	r	the policy enforcement for an IFL-based subscriber. An IFL-based subscriber session
handles all the r c received on a s				c c set of interfaces.
See		C n	r n IFL-Based TDF Subscriber Setup" on page 139.

7. Apply services to a subscriber.

See "Applying Services to Subscriber-Aware r c with a Service Set" on page 146. 8. ( n ) If you c n r dynamic policy control, c n r Diameter.

See C n r n Diameter Overview" on page 152.