Real Time Ascend Mailing List Archive
(ASCEND) Max DSL Terminator/Navis Radius 1.3a/Data Filters
Ladies and Gentlemen,
Perhaps one of you out in the field, or someone at Lucent/Ascend
that knows more than being able to look in the books (which I
have done as well) can tell me why I am having this problem.  I
have spent around $300 with Lucent tech support and they HAVE NOT 
SUPPLIED A WORKING SOLUTION!  For something that plainly *SHOULD*
work!
First, the setup:  Max DSL Terminator with an incoming ATM/DS3
circuit, 11 Telco DSLAMs feeding in (so far) 79 VPI/VCI circuits
from customer site bridging DSL hardware.  Then feeding out to a
dedicated Cisco Ethernet port and the rest of the world.  So the
entire WAN link topology is set up for transparent bridging.  Now
because of the inherent problems with bridging and security, 
broadcast storms, etc. I want to apply filters to the WAN links.
(For brevity the following example is a simple Ping Blocker, and yes
I have tried it in the real world, works built-in, does not work RADIUS)
All well and good in theory yes?  Yes, it is as long as you use
built-in profiles and built-in definitions.  But as you can tell
from my statement above, we have more clients than the built-in
profile limit of 64 can handle so we have to use RADIUS.
Now, using for example the following filter definition and applying
it as a data filter to a client's built-in connection profile, it
works just fine and blocks all pings (ICMP) traffic to/from the
system(s) on that WAN link.
Below that you will find an example customer RADIUS outbound
profile.  It works just fine - excluding the Data-Filter portion -
and brings up the nailed circuit in the exact way a built-in
connection profile would.  But you will note, I said *excluding*
the filter.  This is the focus of my problem.  This is the way
the books say to do it, this is the way the Ascend/Lucent tech
support people (At $2.95 per minute - Case #3038750 if those of
you at Lucent wish to look it up) say to do it, and my Navis
Radius NT in debug mode seems to have no difficulty with it either.
But it totally fails to stop ICMP/Ping traffic to the customer
systems connected to the WAN the filter was applied to.  Nor do
*ANY* other filters seem to have *ANY* effect whatsoever.  The
*ONLY* time the filters seem to have an effect is if I get the
syntax wrong, then when I start radiusd it spits the profile out.
And yes, I am remembering to go to the Terminator and tell it to
Update Rem Config's.  Plus as an added precaution, going to the
30-100 Sessions window and hanging up the circuit again.
The filters used for the built-in test are immediately below; I
have included the extra lines for completeness' sake so everyone
knows there is not some extra filter active.
START=FILT=300=5
Name=PingBlock
In filter 01...Valid=Yes
In filter 01...Type=IP
In filter 01...Ip...Forward=No
In filter 01...Ip...Src Mask=0.0.0.0
In filter 01...Ip...Src Adrs=0.0.0.0
In filter 01...Ip...Dst Mask=0.0.0.0
In filter 01...Ip...Dst Adrs=0.0.0.0
In filter 01...Ip...Protocol=1
In filter 01...Ip...Src Port Cmp=None
In filter 01...Ip...Src Port #=0
In filter 01...Ip...Dst Port Cmp=None
In filter 01...Ip...Dst Port #=0
In filter 01...Ip...TCP Estab=No
In filter 02...Valid=Yes
In filter 02...Type=GENERIC
In filter 02...Generic...Forward=Yes
In filter 02...Generic...Offset=0
In filter 02...Generic...Length=0
In filter 02...Generic...Mask=0000000000000000
In filter 02...Generic...Value=0000000000000000
In filter 02...Generic...Compare=Equals
In filter 02...Generic...More=No
In filter 03...Valid=No
In filter 04...Valid=No
In filter 05...Valid=No
In filter 06...Valid=No
In filter 07...Valid=No
In filter 08...Valid=No
In filter 09...Valid=No
In filter 10...Valid=No
In filter 11...Valid=No
In filter 12...Valid=No
Out filter 01...Valid=Yes
Out filter 01...Type=IP
Out filter 01...Ip...Forward=No
Out filter 01...Ip...Src Mask=0.0.0.0
Out filter 01...Ip...Src Adrs=0.0.0.0
Out filter 01...Ip...Dst Mask=0.0.0.0
Out filter 01...Ip...Dst Adrs=0.0.0.0
Out filter 01...Ip...Protocol=1
Out filter 01...Ip...Src Port Cmp=None
Out filter 01...Ip...Src Port #=0
Out filter 01...Ip...Dst Port Cmp=None
Out filter 01...Ip...Dst Port #=0
Out filter 01...Ip...TCP Estab=No
Out filter 02...Valid=Yes
Out filter 02...Type=GENERIC
Out filter 02...Generic...Forward=Yes
Out filter 02...Generic...Offset=0
Out filter 02...Generic...Length=0
Out filter 02...Generic...Mask=0000000000000000
Out filter 02...Generic...Value=0000000000000000
Out filter 02...Generic...Compare=Equals
Out filter 02...Generic...More=No
Out filter 03...Valid=No
Out filter 04...Valid=No
Out filter 05...Valid=No
Out filter 06...Valid=No
Out filter 07...Valid=No
Out filter 08...Valid=No
Out filter 09...Valid=No
Out filter 10...Valid=No
Out filter 11...Valid=No
Out filter 12...Valid=No
And this is the sample RADIUS profile that works except the filters
*NEVER* have an effect on the connection (except if I get them
wrong).
#### John & Jane Doe Technologies  - (775) 123-4567 02/02/2000 384
permconn-maxdslterm-79	Password = "ascend"
	Service-Type = Outbound,
	Framed-Protocol = ATM-1483,
	User-Name = "Incline-JnJDoe",
	Framed-Routing = None,
	Ascend-ATM-Vpi = 6,
	Ascend-ATM-Vci = 54,
	Ascend-Traffic-Shaper = 1,
	Ascend-Route-IP = Route-IP-No,
	Ascend-Bridge = Bridge-Yes,
	Ascend-Group = "5",
	Ascend-Data-Filter = "ip in drop 1",
	Ascend-Data-Filter = "generic in forward 0 0 0",
	Ascend-Data-Filter = "ip out drop 1",
	Ascend-Data-Filter = "generic out forward 0 0 0",
	Ascend-Call-Type = Nailed
As you can see, I duplicated completely the function of the
filter I used for the built-in test.  Yet this does not work,
even after rebooting the Terminator.  And the logfile and debug
file appear to indicate the radiusd loaded it just fine.  So why
doesn't it work?  Why can't Lucent, who supplied both the hardware
and the RADIUS engine, make it work for me as advertised it should?
Why did I spend 300 bucks and still not have an answer?
Thanks in advance for *any* help on this issue.
Randy E. Reinhardt
randy@pyramid.net
System Administrator
Microsoft: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?" 
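
A mechanical way to check that a set of Ascend-Data-Filter strings encodes the same ordered rules as a built-in filter dump, given here as an added example that is not part of the original post or any Lucent/Ascend tool. The function names are hypothetical, the inputs are constructed from the listings above, and only the fields those listings use (IP protocol; generic offset, mask and value) are handled.

```python
import re
from itertools import zip_longest

# Constructed sample: valid PingBlock entries, trimmed; Out mirrors In as on the page.
IN_HALF = """\
In filter 01...Valid=Yes
In filter 01...Type=IP
In filter 01...Ip...Forward=No
In filter 01...Ip...Protocol=1
In filter 02...Valid=Yes
In filter 02...Type=GENERIC
In filter 02...Generic...Forward=Yes
In filter 02...Generic...Offset=0
In filter 02...Generic...Mask=0000000000000000
In filter 02...Generic...Value=0000000000000000
In filter 03...Valid=No
"""
BUILTIN = IN_HALF + IN_HALF.replace("In filter", "Out filter")
PROFILE = "\n".join(f'\tAscend-Data-Filter = "{s}",' for s in (
    "ip in drop 1", "generic in forward 0 0 0", "ip out drop 1", "generic out forward 0 0 0"))
LINE = re.compile(r"^(In|Out) filter (\d+)\.\.\.(?:\w+\.\.\.)?([^=\n]+)=(.*)$", re.M)

def norm(kind, d, action, a):
    """Normal form. Assumed: protocol and offset decimal, mask and value hex."""
    args = (int(a[0]),) if kind == "ip" else (int(a[0]), int(a[1], 16), int(a[2], 16))
    return (kind, d, action, args)

def builtin_rules(text):
    """Valid built-in entries in filter order; unused slots are skipped."""
    fields = {}
    for d, n, key, val in LINE.findall(text):
        fields.setdefault((d.lower(), int(n)), {})[key] = val.strip()
    rules = []
    for (d, _), f in sorted(fields.items()):
        if f.get("Valid") == "Yes":
            action = "forward" if f["Forward"] == "Yes" else "drop"
            a = [f["Protocol"]] if f["Type"] == "IP" else [f["Offset"], f["Mask"], f["Value"]]
            rules.append(norm(f["Type"].lower(), d, action, a))
    return rules

def profile_rules(text):
    """Ascend-Data-Filter strings of a users-file entry, in the same normal form."""
    strings = re.findall(r'Ascend-Data-Filter\s*=\s*"([^"]*)"', text)
    return [norm(*s.split()[:3], s.split()[3:]) for s in strings]

def mismatches(builtin, profile):
    """Rule pairs that differ by position (rules are evaluated in order)."""
    pairs = zip_longest(builtin_rules(builtin), profile_rules(profile))
    return [(b, p) for b, p in pairs if b != p]
```

An empty list from `mismatches(BUILTIN, PROFILE)` means the two definitions agree rule for rule, so any difference in behaviour lies in how the profile is delivered or applied rather than in the filter text.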