
[Subscriber Management] How to limit Point-to-Point Protocol over Ethernet (PPPoE) subscriber sessions


Article ID: KB31828
KB Last Updated: 23 Jun 2017
Version: 1.0
Summary:

This article discusses PPPoE Service-Name-Table and its usage for enforcing PPPoE session limits.

Solution:

The PPPoE Service-Name table feature provides a configuration attribute “max-sessions” that lets the user limit the number of PPPoE subscribers associated with a specific Service-Name tag. By default, every Service-Name table includes an <empty> Service-Name entry, which always matches PPPoE subscribers that send a zero-length Service-Name tag and so prevents those subscribers from using the configuration provided by the <any> Service-Name entry. As a result, the <any> Service-Name entry can be used only by PPPoE subscribers with nonzero-length Service-Name tags, and its max-sessions limit controls only that subset of subscribers, while the max-sessions value of the <empty> Service-Name entry controls the other group.

Example

Zero-Length Service Name:

00:13:01:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 28: vlan 100, p 0, ethertype PPPoE D, PPPoE PADI

jtac@ERX-MX960-II-RE0# run show subscribers
Interface           IP Address/VLAN ID                      User Name                      LS:RI
pp0.3221225472      20.0.0.1                                test@test.com          default:default      


jtac@ERX-MX960-II-RE0# run show pppoe interfaces pp0.3221225472
pp0.3221225472 Index 536874524
  State: Session Up, Session ID: 1, Type: Dynamic,
  Service name: <empty>, Remote MAC address: 00:13:01:00:00:01,
  Session AC name: ERX-MX960-II-RE0,
  Session uptime: 00:00:31 ago,
  Dynamic Profile: PPPOE,
  Underlying interface: demux0.100 Index 325

Limiting PPPoE Session

Configuration

jtac@ERX-MX960-II-RE0# show interfaces demux0
unit 100 {
    vlan-id 100;
    demux-options {
        underlying-interface ae1;
    }
    family pppoe {
        duplicate-protection;
        dynamic-profile PPPOE;
        service-name-table test;
    }
}

jtac@ERX-MX960-II-RE0# show protocols pppoe
service-name-tables test {
    service any {
        terminate;
        max-sessions 10;
    }
}

00:13:01:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 32: vlan 100, p 0, ethertype PPPoE D, PPPoE PADI [Service-Name "TEST"]

jtac@ERX-MX960-II-RE0# run show pppoe interfaces pp0.3221225475
pp0.3221225475 Index 536874528
  State: Session Up, Session ID: 1, Type: Dynamic,
  Service name: TEST, Remote MAC address: 00:13:01:00:00:01,
  Session AC name: ERX-MX960-II-RE0,
  Session uptime: 00:00:39 ago,
  Dynamic Profile: PPPOE,
  Underlying interface: demux0.100 Index 325

jtac@ERX-MX960-II-RE0# run show subscribers summary

Subscribers by State
   Active: 10
   Total: 10

Subscribers by Client Type
   PPPoE: 10
   Total: 10

Jun  3 15:17:48.546332 Dropping PADI due to Service Name (TEST)  <-- PPPoE session exceeding 10 will be dropped

Starting with release 16.1, the default <empty> Service-Name entry is eliminated from the Service-Name table, so PPPoE subscribers with a zero-length Service-Name tag can use the configuration provided by the <any> Service-Name entry and are also limited by its max-sessions value. The Service-Name table is then configured with only the “any” Service-Name and the required max-sessions value. This forces all PPPoE subscribers into a single session count for the “any” Service-Name entry, restricted by its max-sessions limit.

Without the default “empty” Service-Name entry, all PADI/PADR control packets with a zero-length Service-Name tag will no longer have a default match in the Service-Name table and the behavior in the absence of explicit user configuration is then controlled by the “any”, or wildcard, Service-Name entry of the Service-Name table.

Example

00:13:01:00:00:0b > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 28: vlan 100, p 0, ethertype PPPoE D, PPPoE PADI  <-- No Service-Name

jtac@ERX-MX960-II-RE0# run show subscribers summary

Subscribers by State
   Active: 10
   Total: 10

Subscribers by Client Type
   PPPoE: 10
   Total: 10

jtac@ERX-MX960-II-RE0> show pppoe interfaces pp0.3221225483
pp0.3221225483 Index 536874539
  State: Session Up, Session ID: 2, Type: Dynamic,
  Service name: <empty>, Remote MAC address: 00:13:01:00:00:01,
  Session AC name: ERX-MX960-II-RE0,
  Session uptime: 00:00:14 ago,
  Dynamic Profile: PPPOE,
  Underlying interface: demux0.100 Index 2134


jtac@ERX-MX960-II-RE0> show pppoe service-name-tables test    
Service Name Table: test
  Service Name: <any>,
    Action: Terminate
    Max Sessions: 10
    Active Sessions: 10


Jun  3 15:43:25.263818 Dropping PADI due to Service Name ()  <-- PPPoE session exceeding 10 will be dropped
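
The two behaviours described above, compared side by side in a simplified Python model. This is an added example, not Juniper code or part of the original article. The class and function names are hypothetical, treating the default <empty> entry as having no limit is an assumption of the model, and the PADI list is constructed.

```python
# Simplified model of PPPoE Service-Name table admission (illustration only,
# not Junos code). The keys "<empty>" and "<any>" mirror the CLI output.
EMPTY, ANY = "<empty>", "<any>"


class ServiceNameTable:
    def __init__(self, entries, default_empty_entry):
        # entries: {service-name: max_sessions or None}; None is this model's
        # stand-in for "no limit configured" (an assumption of the example).
        self.entries = dict(entries)
        if default_empty_entry:
            # Behaviour before 16.1: every table carries an <empty> entry.
            self.entries.setdefault(EMPTY, None)
        self.active = {name: 0 for name in self.entries}

    def match(self, service_name):
        """Return the entry a PADI's Service-Name tag is counted against."""
        key = service_name if service_name else EMPTY
        if key in self.entries:
            return key
        return ANY if ANY in self.entries else None

    def admit(self, service_name):
        """True if the session is accepted, False if the PADI is dropped."""
        entry = self.match(service_name)
        if entry is None:
            return False  # no matching entry: treated as a drop in this model
        limit = self.entries[entry]
        if limit is not None and self.active[entry] >= limit:
            return False
        self.active[entry] += 1
        return True


def run(default_empty_entry, padi_service_names):
    """Replay PADIs against 'service any { max-sessions 10; }'."""
    table = ServiceNameTable({ANY: 10}, default_empty_entry)
    results = [table.admit(name) for name in padi_service_names]
    return results.count(True), results.count(False), table.active


# Constructed input: 12 PADIs with Service-Name "TEST", then 12 zero-length.
PADIS = ["TEST"] * 12 + [""] * 12

if __name__ == "__main__":
    print("with default <empty>:", run(True, PADIS))
    print("16.1 and later:      ", run(False, PADIS))
```

With the default <empty> entry present, the zero-length subscribers are counted separately and the limit of 10 on <any> does not apply to them; without it, every subscriber shares the single <any> count.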
