
[Subscriber Management] Understanding end-to-end IPv4 PPPoE Subscriber config on MX with Static/Dynamic VLAN option


Article ID: KB36435 | KB Last Updated: 29 Jan 2021 | Version: 1.0
Summary:

This article provides an example for configuring an end-to-end simplified PPPoE (IPv4 only) subscriber on an MX BNG node with generic customer requirements such as a firewall filter, fixed/dynamic IP address pool, and framed-route.

The example:

  • Includes both static and dynamic VLAN configuration options for the PPPoE subscriber interface
  • Does not include any QoS treatment for subscriber traffic, so all traffic is treated as best-effort

  • Uses a FreeRADIUS server, so a FreeRADIUS user example with multiple RADIUS attributes is also included.

Note

  1. The dynamic-profile in this example is configured in such a way (predefined-variable-defaults) that if RADIUS does not send some of the mandatory attributes such as filter name, the subscriber will come up with the default filter name.

  2. If the VRF name, IP pool name/fixed IP, or Framed-Route details are not sent from the RADIUS server, the subscriber will come up in the default VRF (global routing instance) with the default pool (as per the access domain map default configuration). So apart from Username and Password, all other attributes are optional.

  
Solution:
 

Topology

IPv4 PPPoE subscriber <----> ([vlan 3320] ge-0/0/2) MX (ge-0/0/0) <----> Radius Server(192.168.40.26)

The RADIUS Server (@192.168.40.26) is reachable via the global routing instance inet.0 table.

MX (BNG) Configuration Steps for IPv4 PPPoE Subscriber (with static vlan-id)

Configure the following:

  1. Dynamic Profile “PPPoE” for IPv4 PPPoE subscriber

  2. Access Profile “ACCESS-FTTH” for subscriber authentication via RADIUS server

  3. IPv4 Address Pool “pppv4-pool” (default pool) and “V4-IP-POOL” (user defined – used via RADIUS attribute “Framed-Pool”)

  4. Domain map “default” with default dynamic-profile, access-profile, and address-pool mapping

  5. IPv4 firewall filter “default” to be used by the dynamic-profile “PPPoE” as default in/out firewall filter (in case it is not provided via the RADIUS attribute)

  6. Dynamic-profile “PPPoE” under static vlan/unit no. for an interface with PPPoE encapsulation

For Auto-VLAN (dynamic VLAN) Configuration: Configure the following after step 5 above.

  1. Dynamic Profile “AUTO-VLAN-PPP” (dot1q) or “AUTO-VLAN-STACK-PPP” (q-in-q) for dynamic VLAN PPPoE subscriber interface

  2. Physical interface with static VLAN / auto-configure (with dynamic profile “AUTO-VLAN-PPP” / “AUTO-VLAN-STACK-PPP”) to activate dynamic VLAN–based PPPoE subscribers

Configuration

Dynamic-profile configuration for static VLAN bind IPv4 (only) PPPoE subscriber deployment:

dynamic-profiles {                                  
    PPPoE {                                        
        predefined-variable-defaults {              ## Predefined default values in case not provided by AAA 
            input-filter default;                  
            output-filter default;                  
        }
        routing-instances {                         ## Enables PPPoE/LAC subscribers inside VRF
            "$junos-routing-instance" {
                interface "$junos-interface-name" {
                    any;
                }
                routing-options {
                    access {                        ## Enables static route config via AAA Framed-route
                        route $junos-framed-route-ip-address-prefix {
                            next-hop "$junos-framed-route-nexthop";
                            metric "$junos-framed-route-cost";
                            preference "$junos-framed-route-distance";
                            tag "$junos-framed-route-tag";
                        }
                    }
                }
            }
        }
        interfaces {
            pp0 {
                unit "$junos-interface-unit" {
                    actual-transit-statistics;           
                    ppp-options {
                        chap;                       
                        pap;                        
                        mtu 1492;                   ## PPP mtu to be set during authentication
                    }
                    pppoe-options {
                        underlying-interface "$junos-underlying-interface";
                        server;                     ## Enables acceptance of PPPoE/LAC connection
                    }
                    family inet {
                        filter {
                            input "$junos-input-filter";      ## input filter for subscriber int.
                            output "$junos-output-filter";    ## output filter for subscriber int.
                        }
                        unnumbered-address "$junos-loopback-interface";
                    }
                }
            }
        }
    }
}
access {
    profile ACCESS-FTTH {                          ## Access-profile name
        accounting-order radius;    
        authentication-order radius;
        radius {
            authentication-server 192.168.40.26;   
            accounting-server 192.168.40.26;       
            options {
                accounting-session-id-format description;   
                client-authentication-algorithm direct;     
            }
        }
        radius-server {
            192.168.40.26 {
                port 1812;                         ## RADIUS Authentication port number
                accounting-port 1813;              ## RADIUS Accounting port number
                dynamic-request-port 3799;         ## RADIUS CoA/dynamic-request port number
                secret "$ABC123";   ## SECRET-DATA
                source-address 192.168.40.6;       ## Source IP to be used for RADIUS messages
            }
        }
        accounting {
            order radius;
            accounting-stop-on-failure;            ## Defines various accounting message conditions
            accounting-stop-on-access-deny;
            immediate-update;
            coa-immediate-update;
            update-interval 10;                    ## Interim accounting update interval in minutes
            statistics volume-time;                ## Both data volume & session duration for accounting
        }
    }
    address-assignment {
        pool pppv4-pool {
            family inet {
                network 10.10.200.0/24;
            }
        }
        pool V4-IP-POOL {
            family inet {
                network 192.168.100.0/24;
                range private {
                    low 192.168.100.1;
                    high 192.168.100.255;
                }
            }
        }
    }
    domain {                              ## Map domain-id with access-profile, pool, dynamic-profile. 
        map default {                     ## Default domain map, matches all/no domain-id
            access-profile ACCESS-FTTH;
            address-pool pppv4-pool;
            dynamic-profile PPPoE;
        }
        delimiter "@";                    ## Delimiter character to identify start of domain-id 
    }
}
firewall {
    family inet {
        filter default {
            interface-specific;
            term T1 {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/2 {
        hierarchical-scheduler maximum-hierarchy-levels 2;
        flexible-vlan-tagging;
        unit 3320 {                                ## Static unit no. for static VLAN subscriber int.
            encapsulation ppp-over-ether;
            vlan-id 3320;                          ## Single stack(dot1q) static Vlan ID for incoming PPPoE
            pppoe-underlying-options {
                dynamic-profile PPPoE;
            }
        }
    }
}

Extra dynamic-profile and interface configurations for dot1q / single vlan IPv4 PPPoE subscriber deployment:

dynamic-profiles {                               
    AUTO-VLAN-PPP {
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    actual-transit-statistics;
                    proxy-arp;
                    vlan-id "$junos-vlan-id";
                    demux-options {
                        underlying-interface "$junos-interface-ifd-name";
                    }
                    family pppoe {
                        dynamic-profile PPPoE;
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/2 {
        hierarchical-scheduler maximum-hierarchy-levels 2;
        flexible-vlan-tagging;
        auto-configure {
            vlan-ranges {
                dynamic-profile AUTO-VLAN-PPP {
                    accept pppoe;
                    ranges {
                        3000-4000;            ## Vlan ranges for incoming PPPoE connection
                    }
                }
            }
            remove-when-no-subscribers;
        }
    }
} 

Extra dynamic-profile and interface configurations for q-in-q / stacked vlan IPv4 PPPoE subscriber deployment:

dynamic-profiles {                               
    AUTO-VLAN-STACK-PPP {
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    actual-transit-statistics;
                    proxy-arp;
                    vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                    demux-options {
                        underlying-interface "$junos-interface-ifd-name";
                    }
                    family pppoe {
                        dynamic-profile PPPoE;
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/2 {
        hierarchical-scheduler maximum-hierarchy-levels 2;
        flexible-vlan-tagging;
        auto-configure {
            stacked-vlan-ranges {
                dynamic-profile AUTO-VLAN-STACK-PPP {
                    accept pppoe;
                    ranges {
                        3000-4000,any;              ## outer, inner vlan ranges for incoming PPPoE connection
                    }
                }
            }
            remove-when-no-subscribers;
        }
    }
}

RADIUS User Configuration

RADIUS attributes specific to IPv4 subscriber:

  • Framed-IP-Address

  • Framed-IP-Netmask

  • Framed-Pool

  • Framed-Route

  • ERX-Ingress-Policy-Name

  • ERX-Egress-Policy-Name

  • ERX-Virtual-Router-Name

  • ERX-Primary-Dns

  • ERX-Secondary-Dns

RADIUS User example for IPv4 (only) PPPoE Subscriber: 

  • Fixed IPv4 /32 Address Assignment User Example:

Username1@domain Auth-Type := Local, User-Password := "Password"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 10.200.200.22

  • Fixed IPv4 /28 Address Assignment User Example:

Username1@domain Auth-Type := Local, User-Password := "Password"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 10.200.200.22,
    Framed-IP-Netmask = 255.255.255.240

  • Dynamic IPv4 Address Assignment via IPv4 Pool Name User Example:

Username1@domain Auth-Type := Local, User-Password := "Password"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-Pool = "V4-IP-POOL"

  • Fixed IPv4 /32 Address Assignment with Framed-route User Example:

Username1@domain Auth-Type := Local, User-Password := "Password"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 10.200.200.22,
    Framed-Route = "192.168.2.0/24 10.200.200.22 200"

  • Fixed IPv4 /32 Address Assignment with input/output filter and VRF termination (with DNS) User Example:

Username1@domain Auth-Type := Local, User-Password := "Password"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 10.200.200.22,
    ERX-Ingress-Policy-Name = "IN",
    ERX-Egress-Policy-Name = "default",
    ERX-Virtual-Router-Name = "l3vpn_name",      
    ERX-Primary-Dns = 8.8.8.8,
    ERX-Secondary-Dns = 8.8.4.4
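
The fallback behavior described in the Note can be checked before deployment. The following is an added example, not part of the original article or any Juniper or FreeRADIUS tooling: it parses users-file entries and resolves the filter, routing instance, address source, and Framed-Route each subscriber would end up with, flagging subscribers that fall back to the accept-all "default" input filter. The sample users, the function names, and the three-field reading of Framed-Route (prefix, next-hop, cost) are assumptions made for illustration.

```python
import ipaddress
import re

# Fallbacks from this page's config; "ri" default stands for the global routing instance.
DEFAULTS = {"in": "default", "out": "default", "ri": "default", "pool": "pppv4-pool"}

# Constructed sample in FreeRADIUS users-file syntax, modelled on the page's examples.
SAMPLE_USERS = '''\
alice@domain Auth-Type := Local, User-Password := "Password"
    Framed-IP-Address = 10.200.200.22,
    Framed-Route = "192.168.2.0/24 10.200.200.22 200"

bob@domain Auth-Type := Local, User-Password := "Password"
    Framed-Pool = "V4-IP-POOL",
    ERX-Ingress-Policy-Name = "IN",
    ERX-Virtual-Router-Name = "l3vpn_name"
'''

def parse_users(text):
    """Return {username: {reply attribute: value}} from users-file text."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():        # check line starts a new user entry
            current = users.setdefault(line.split()[0], {})
        elif current is not None:        # indented reply item
            m = re.match(r'\s*([\w-]+)\s*[:+]?=\s*"?([^",]*)"?\s*,?\s*$', line)
            if m:
                current[m.group(1)] = m.group(2).strip()
    return users

def effective_session(reply):
    """Resolve the values the dynamic profile ends up with for one subscriber."""
    s = {"input_filter": reply.get("ERX-Ingress-Policy-Name", DEFAULTS["in"]),
         "output_filter": reply.get("ERX-Egress-Policy-Name", DEFAULTS["out"]),
         "routing_instance": reply.get("ERX-Virtual-Router-Name", DEFAULTS["ri"]),
         "address": ("fixed " + reply["Framed-IP-Address"]
                     if "Framed-IP-Address" in reply
                     else "pool " + reply.get("Framed-Pool", DEFAULTS["pool"])),
         # True when RADIUS named no ingress filter, so accept-all "default" applies
         "fallback_ingress": "ERX-Ingress-Policy-Name" not in reply}
    if "Framed-Route" in reply:          # three-field form: prefix next-hop cost
        prefix, nexthop, cost = reply["Framed-Route"].split()
        s["framed_route"] = (str(ipaddress.ip_network(prefix)), nexthop, int(cost))
    return s

def audit(text):
    return {u: effective_session(r) for u, r in parse_users(text).items()}
```

Calling `audit()` on the contents of a users file returns one resolved record per subscriber; entries with `fallback_ingress` set are the ones relying on the permissive default filter.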

 
