[Subscriber Management] Example Configuration - Adding Framed-Route attribute and Framed-IPv6-Route attribute using Junos dynamic-profiles

Article ID: KB31778 KB Last Updated: 16 Oct 2017 Version: 2.0
Summary:

This article explains how to use Junos OS dynamic-profiles to install the Framed-Route and Framed-IPv6-Route attributes.

Symptoms:

Framed-IPv6-Route is supported in Junos OS 16.1 and later. Access routes are used to represent the Framed-Route and Framed-IPv6-Route attributes. A framed route consists of a prefix that represents a public network behind the CPE, a next-hop gateway, and optional route attributes consisting of a combination of metric, preference, and tag.

RADIUS returns the Framed-Route and Framed-IPv6-Route attributes, as seen in the authd logs below:

Feb  7 12:08:10.531154 radius-access-accept: Framed-IP-Address received: 20.20.20.1
Feb  7 12:08:10.531170 radius-access-accept: Framed-IPv6-Pool received: ipv6-pd-pool
Feb  7 12:08:10.531184 processRadiusAttrib22: wholeString: [2a00:a600:0603::/48 :: 1]
Feb  7 12:08:10.531209 getIpv6AddressFromFrameRouteString: Decoding framed-ipv6-route string:2a00:a600:0603::/48 :: 1
Feb  7 12:08:10.531231 getIpv6AddressFromFrameRouteString: IPv6 address value in the framed-ipv6-route string is:2a00:a600:603::
Feb  7 12:08:10.531253 processRadiusAttrib22: Decoded IPv6 prefix:2a00:a600:603::/48 len:18 nexthop::: len:2
Feb  7 12:08:10.531265 processRadiusAttrib22: Received FR Attributes
Feb  7 12:08:10.531283 radius-access-accept: Framed-IPv6-Route received: 2a00:a600:0603::/48 :: 1
Feb  7 12:08:10.531296 processRadiusAttrib22: wholeString: [192.192.192.0/24 20.20.20.1 1]
Feb  7 12:08:10.531325 processRadiusAttrib22: Attribute 22 missing nextHop, using default [0.0.0.0]
Feb  7 12:08:10.531337 processRadiusAttrib22: Received FR Attributes
Feb  7 12:08:10.531352 radius-access-accept: Framed-Route received: 192.192.192.0/24 20.20.20.1 1
Feb  7 12:08:10.531371 Framework - module(radius) return: SUCCESS
Feb  7 12:08:10.531383 authd_advance_module_for_aaa_response_msg: result:2
Feb  7 12:08:10.531407 Client-session response-attr:: type:21 len:4
Feb  7 12:08:10.531423 Client-session response-attr:: type:28 len:12
Feb  7 12:08:10.531472 authd_update_session_dynamic_attributes: Client-session response-dyn-attr:: name:junos-framed-route-ipv6-address-prefix, len:18, value: 2a00:a600:603::/48, encode 2
Feb  7 12:08:10.531488 authd_update_session_dynamic_attributes: Client-session response-dyn-attr:: name:junos-framed-route-ipv6-nexthop, len:2, value: ::, encode 3
Feb  7 12:08:10.531502 authd_update_session_dynamic_attributes: Client-session response-dyn-attr:: name:junos-framed-route-ipv6-cost, len:1, value: 1, encode 3
Feb  7 12:08:10.531516 authd_update_session_dynamic_attributes: Client-session response-dyn-attr:: name:junos-framed-route-ip-address-prefix, len:17, value: 192.192.192.0/24, encode 1
Feb  7 12:08:10.531529 authd_update_session_dynamic_attributes: Client-session response-dyn-attr:: name:junos-framed-route-nexthop, len:8, value: 0.0.0.0, encode 2
Feb  7 12:08:10.531542 authd_update_session_dynamic_attributes: Client-session response-dyn-attr:: name:junos-framed-route-cost, len:1, value: 1, encode 3
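
An added example, not part of the Juniper article or of Junos: because the prefixes carried in Framed-Route and Framed-IPv6-Route are installed as access routes for the subscriber, this script parses the `radius-access-accept` lines of an authd trace like the one above and flags prefixes outside the blocks the operator expects RADIUS to hand out. The `ALLOWED` blocks, the function names and the last sample log line are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: three lines from the trace above plus one constructed default-route line.
SAMPLE_LOG = """\
Feb  7 12:08:10.531283 radius-access-accept: Framed-IPv6-Route received: 2a00:a600:0603::/48 :: 1
Feb  7 12:08:10.531352 radius-access-accept: Framed-Route received: 192.192.192.0/24 20.20.20.1 1
Feb  7 12:08:10.531371 Framework - module(radius) return: SUCCESS
Feb  7 12:09:00.000000 radius-access-accept: Framed-Route received: 0.0.0.0/0 20.20.20.1 1
"""

# Assumed policy, not from the article: blocks the operator delegates to CPEs.
ALLOWED = [ipaddress.ip_network(n) for n in ("192.192.0.0/16", "2a00:a600::/32")]

LINE_RE = re.compile(r"radius-access-accept: (Framed-Route|Framed-IPv6-Route) "
                     r"received: (\S+)(?: (\S+))?(?: (\d+))?\s*$")

def parse_framed_routes(log_text):
    """Return one dict per Framed-Route / Framed-IPv6-Route line in an authd trace."""
    routes = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated authd line
        attr, prefix, gateway, metric = m.groups()
        try:
            net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits set
        except ValueError:
            net = None
        routes.append({"attr": attr, "raw": prefix, "net": net,
                       "gateway": gateway, "metric": int(metric) if metric else None})
    return routes

def audit(routes, allowed=ALLOWED):
    """Return (raw_prefix, reason) for every route that violates the assumed policy."""
    findings = []
    for r in routes:
        net = r["net"]
        if net is None:
            findings.append((r["raw"], "unparseable prefix"))
        elif (net.version == 6) != (r["attr"] == "Framed-IPv6-Route"):
            findings.append((r["raw"], "address family does not match attribute"))
        elif not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            findings.append((r["raw"], "outside delegated blocks"))
    return findings

if __name__ == "__main__":
    for raw, reason in audit(parse_framed_routes(SAMPLE_LOG)):
        print(f"REJECT {raw}: {reason}")
```
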
Solution:

Beginning with Junos OS 15.1, we recommend using only access routes for framed route support. If the RADIUS Framed-Route attribute (22) or Framed-IPv6-Route attribute (99) does not specify the next-hop gateway (as is common), the variable representing the next hop, $junos-framed-route-nexthop, is automatically resolved. If you configure the access-internal statement in the dynamic-profile when Tomcat has been enabled, it is ignored.

Configuration

labroot@JTAC-MX480-lab1# show dynamic-profiles
lns-client-profile {
    routing-instances {
        "$junos-routing-instance" {
            interface "$junos-interface-name";
            routing-options {
                rib "$junos-ipv6-rib" {   <-- IPv6 Access Stanza
                    access {
                        route $junos-framed-route-ipv6-address-prefix {         
                            qualified-next-hop "$junos-interface-name";
                            metric "$junos-framed-route-ipv6-cost";
                            preference "$junos-framed-route-ipv6-distance";
                            tag "$junos-framed-route-ipv6-tag";
                        }
                    }
                }
                access {                  <-- IPv4 Access Stanza
                    route $junos-framed-route-ip-address-prefix {
                        qualified-next-hop "$junos-interface-name";
                        metric "$junos-framed-route-cost";
                        preference "$junos-framed-route-distance";
                    }
                }
            }
        }
    }
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-interface-unit" {
                dial-options {
                    l2tp-interface-id lns1-thn-lon-id;
                    dedicated;
                }
                proxy-arp;
                family inet {
                    unnumbered-address "$junos-loopback-interface";
                }
                family inet6 {
                    unnumbered-address "$junos-loopback-interface";
                }
            }
        }
    }
    protocols {
        router-advertisement {
            interface "$junos-interface-name" {
                prefix $junos-ipv6-ndra-prefix;
            }
        }
    }
}

Note: The next-hop attribute in a framed route is no longer applicable. Because the subscriber IP address is used as the next hop in all cases, framed routes do not need an additional next-hop attribute.

Verification

labroot@JTAC-MX480-lab1# run show subscribers
Interface           IP Address/VLAN ID                      User Name                      LS:RI
si-1/0/0.3221225478 20.20.20.1                              test@test.com           default:default
*                   2015:ceed:0:4::/64

labroot@JTAC-MX480-lab1# run show subscribers extensive
Type: L2TP
User Name: test@test.com
IP Address: 20.20.20.1
IP Netmask: 255.255.255.255
IPv6 User Prefix: 2015:ceed:0:4::/64
Logical System: default
Routing Instance: default
Interface: si-1/0/0.3221225478
Interface type: Dynamic
Underlying Interface: si-1/0/0.3221225478
Dynamic Profile Name: lns-client-profile
Dynamic Profile Version: 3
State: Active
Radius Accounting ID: 7
Session ID: 7
PFE Flow ID: 20
Login Time: 2017-02-07 14:32:22 SGT
IPv6 Address Pool: ipv6-pd-pool
IPv6 Interface Address: 2015:ceed:0:4::1/64
IPv6 Framed Interface Id: 0:0:700:0
Accounting interval: 3600
Dynamic configuration:
  junos-framed-route-ip-address-prefix: 192.192.192.0/24
      junos-framed-route-nexthop: 0.0.0.0                 
          junos-framed-route-cost: 1
      junos-framed-route-ipv6-address-prefix: 2a00:a600:603::/48
          junos-framed-route-ipv6-nexthop: ::
          junos-framed-route-ipv6-cost: 1
  junos-ipv6-ndra-prefix: 2015:ceed:0:4::/64

labroot@JTAC-MX480-lab1# run show route

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

20.20.20.1/32      *[Access-internal/12] 00:00:42
                      Private unicast
192.192.192.0/24   *[Access/13] 00:00:42, metric 1
                      Private unicast

inet6.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2015:ceed:0:4::/64 *[Access/13] 00:00:42
                      Private unicast
2a00:a600:603::/48 *[Access/13] 00:00:42, metric 1
                      Private unicast
3001:db8:2000:1::1/128
                   *[Direct/0] 02:25:55
                    > via lo0.0
fe80::2a0:a50f:fc8a:506a/128
                   *[Direct/0] 02:25:55
                    > via lo0.0
fe80::2a0:a510:8a:506a/128
                   *[Local/0] 02:25:55
                      Local via si-1/0/0.0
ff02::2/128        *[INET6/0] 12:17:31
                      MultiRecv

labroot@JTAC-MX480-lab1# run show system subscriber-management route family inet   

Route:  1.1.1.1/32
     Route Type:               Local
     Next-Hop:                 0
Route:  1.1.1.1.22.22.22.2.17.6.165.6.165/104
     Route Type:               Kernel
     Interface:                none
     Next-Hop:                 0
Route:  1.1.1.1.22.22.22.2.17.6.165.6.165.0.0/120
     Route Type:               Kernel
     Interface:                none
     Next-Hop:                 0
Route:  1.1.1.1.22.22.22.2.17.6.165.6.165.221.2/120
     Route Type:               Kernel
     Interface:                none
     Next-Hop:                 0
Route:  1.1.1.1.22.22.22.2.17.6.165.6.165.221.2.161.177/136
     Route Type:               Kernel
     Interface:                none
     Next-Hop:                 708
Route:  20.20.20.1/32
     Route Type:               Access-internal
     Interface:                si-1/0/0.3221225478
     Next-Hop:                 708
Route:  192.192.192.0/24
     Route Type:               Access
     Interface:                si-1/0/0.3221225478
     Next-Hop:                 708

labroot@JTAC-MX480-lab1# run show system subscriber-management route family inet6

Route:  2015:ceed:0:4::/64
     Route Type:               Access
     Interface:                si-1/0/0.3221225478
     Next-Hop:                 708
Route:  2a00:a600:603::/48
     Route Type:               Access
     Interface:                si-1/0/0.3221225478
     Next-Hop:                 708
Route:  3001:db8:2000:1::1/128
     Route Type:               Local
     Next-Hop:                 0
Route:  fe80::200:ff:fe00:0/128
     Route Type:               Local
     Next-Hop:                 0

Modification History:

2017-10-16: Corrected grammatical mistakes.
