Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[Subscriber Management] Configuration Example - end-to-end IPv6 or Dual-Stack IPoE Subscriber

0

0
Article ID: KB36460 KB Last Updated: 16 Feb 2021Version: 1.0 Summary:

This article provides an example on how to configure an end-to-end simplified IPv6 or Dual-Stack IPoE Subscribers on MX BNG node with generic requirements such as firewall filter, fixed/dynamic IP address pool, framed-route etc.

The example:

  • Includes both dynamic VLAN (dot1q & q-in-q) configuration options for IPoE subscriber interface.
  • Does not include any QOS treatment for subscriber traffic, so all traffics are treated as best-effort.
  • Uses Freeradius radius server. Freeradius user example with multiple radius attributes are also included.
Notes
  1. In this example, MX is acts as Local DHCP Server. In case separate DHCP server available, dhcp-relay configuration can be used for IPoE address assignment instead of local DHCP server.
  2. The dynamic-profile In this example is configured such a way that the same dynamic-profile can be used for both IPv6 only & Dual-Stack IPoE Subscriber provisioning.  
  3. The dynamic-profile in this example is configured in such a way (predefined-variable-defaults) that in case radius does not send some of the mandatory attributes like filter name, etc. the subscriber will be coming up with default filter name.
  4. In case VRF name, IP Pool name/Fixed IP or Framed-route etc. are not sent from radius server the subscriber will be coming up with default VRF(Global routing instance), default pool (as per 'access domain map default' configuration). Except Username and Password, all other attributes are optional.
Solution:

Topology:

IPv4/IPv6/Dual-Stack IPoE subscriber <----> ([vlan 3320] ge-0/0/2) MX (ge-0/0/0) <----> Radius Server(192.168.40.26)

Radius Server(@192.168.40.26) is reachable via global routing instance inet.0 table.

There are two types of addressing for IPv6 in a subscriber access network: 
  1. WAN link addressing—For the WAN interface on the CPE (CPE upstream interface). 
  2. Subscriber LAN addressing—For devices connected to the CPE on the subscriber LAN (CPE downstream interfaces). 

  The following methods can be used for assigning IPv6 addresses: 

  • For WAN link addressing, use ND/RA or DHCPv6 IA_NA to provision a global IPv6 address. 
  • For subscriber LAN addressing, use DHCPv6 prefix delegation to provision global IPv6 addresses to subscribers on the LAN. 

IPv6 IPoE subscriber(WAN link’s IPv6 address assignment of CPE) can be deployed in two ways:

  1. Via ND/RA messages
  2. Via DHCPv6 IA_NA or PD

MX (BNG) Configuration Steps for IPv4 / IPv6 / Dual-stack IPoE Subscriber (with local-dhcp-server)

  1. Configure common Dynamic Profile “DHCP-PROFILE” for both IPv4, IPv6/Dual-stack IPoE subscriber
  2. Configure Access Profile “ACCESS-FTTH” for subscriber CPE authentication via radius server
  3. Configure IPv4 Address Pool “dhcpv4-pool”(default pool) & “V4-IP-POOL”(user defined – used via radius attribute “Framed-Pool”)
  4. Configure IPv6 Address Pool “V6-DHCP-POOL”(default pool) & “IP-POOL-V6”(user defined – used via radius attribute “Framed-IPv6-Pool”)
  5. Configure domain map “default” & “ftth.c”(specific for IPoE via dhcp/dhcpv6 mac auth.) with default dynamic-profile, access-profile & address-pool mapping.
  6. Configure IPv4 firewall filter “default” & IPv6 firewall filter “default-v6” to be used by the dynamic-profile “DHCP-PROFILE” as default in/out firewall filter(in case not provided via radius attribute).
  7. Configure MX as DHCP server (dhcp-local-server group “V4” & dhcp-local-server dhcpv6 group “V6”) for IPoE subscriber address assignment.
  8. Configure Dynamic Profile “AUTO-VLAN”(dot1q) or “AUTO-VLAN-STACK”(q-in-q) for dynamic vlan IPoE subscriber interface.
  9. Finally configure the Physical Interface with auto-configure (with dynamic profile AUTO-VLAN” / ”AUTO-VLAN-STACK) to activate dynamic VLAN based IPoE subscribers.

Configuration:

Dynamic-profile configuration for IPv4 only, IPv6(ND/RA, DHCPv6 IA_NA / PD) & Dual-Stack(ND/RA, DHCPv6 IA_NA / PD) IPoE (dot1q / single vlan) subscriber deployment:

dynamic-profiles {                               
    DHCP-PROFILE {
        predefined-variable-defaults {           ## Predefines variable’s default value
            input-filter default;                
            output-filter default;               
            output-ipv6-filter default-v6;
            input-ipv6-filter default-v6;
        }
        routing-instances {                      ## Enables the IPoE subscribers inside VRF
            “$junos-routing-instance” {
                interface “$junos-interface-name” {
                    any;
                }
                routing-options {
                    rib "$junos-ipv6-rib" {      ## IPv6 Access Stanza
                        access {
                            route $junos-framed-route-ipv6-address-prefix {         
                                qualified-next-hop "$junos-interface-name";
                                metric "$junos-framed-route-ipv6-cost";
                                preference "$junos-framed-route-ipv6-distance";
                                tag "$junos-framed-route-ipv6-tag";
                            }
                        }
                    }
                    access {                     ## Enables static route config via AAA Framed-route
                        route $junos-framed-route-ip-address-prefix {
                            next-hop “$junos-framed-route-nexthop”;
                            metric “$junos-framed-route-cost”;
                            preference "$junos-framed-route-distance";
                            tag "$junos-framed-route-tag";
                        }
                    }
                }
            }
        }
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    proxy-arp;
                    demux-options {
                        underlying-interface "$junos-underlying-interface";
                    }
                    family inet {
                        demux-source {
                            $junos-subscriber-ip-address;
                        }
                        filter {
                            input “$junos-input-filter”; 
                            output “$junos-output-filter”; 
                        }
                        unnumbered-address "$junos-loopback-interface";
                    }
                    family inet6 {
                        address $junos-ipv6-address;
                        demux-source {
                            "$junos-subscriber-ipv6-address";
                        }
                        filter {
                            input "$junos-input-ipv6-filter";
                            output "$junos-output-ipv6-filter";
                        }
                        unnumbered-address "$junos-loopback-interface";
                    }
                }
            }
        }
        protocols {
            router-advertisement {            ## for IPv6 IA_NA /128 address disable 'router-advertisement'
                interface "$junos-interface-name" {
                    link-mtu;
                    prefix $junos-ipv6-ndra-prefix {  
                        valid-lifetime 14400;
                        on-link;
                        preferred-lifetime 14400;
                    }
                }
            }
        }
    }
    AUTO-VLAN {
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    actual-transit-statistics;
                    demux-source [ inet inet6 ];
                    proxy-arp;
                    vlan-id "$junos-vlan-id";
                    demux-options {
                        underlying-interface "$junos-interface-ifd-name";
                    }
                    family inet {
                        unnumbered-address lo0.0;
                    }
                    family inet6 {
                        unnumbered-address lo0.0;
                    }
                }
            }
        }
    }
}
system {
    services {
        dhcp-local-server {
            dhcpv6 {
                group V6 {
                    authentication {
                        password Test2222;
                        username-include {
                            domain-name ftth.c;
                            mac-address;
                        }
                    }
                    overrides {
                        delegated-pool V6-DHCP-POOL;
                        dual-stack dualstack;
                    }
                    interface ge-0/0/2.0;
                    interface demux0.0;
                    interface pp0.0;
                }
            }
            group V4 {
                authentication {
                    password Test2222;
                    username-include {
                        domain-name ftth.c;
                        mac-address;
                    }
                }
                overrides {
                    dual-stack dualstack;
                }
                interface ge-0/0/2.0;
                interface demux0.0;
            }
            dual-stack-group dualstack {
                dynamic-profile DHCP-PROFILE;
            }
        }
    }
}
access {
    profile ACCESS-FTTH {                                ## Access-profile name
        accounting-order radius;    
        authentication-order radius;
        radius {
            authentication-server 192.168.40.26;         ## Radius server IP - Authentication
            accounting-server 192.168.40.26;             ## Radius server IP - Accounting
            options {
                accounting-session-id-format description;   
                client-authentication-algorithm direct;     ## Radius authentication request algorithm
            }
        }
        radius-server {
            192.168.40.26 {
                port 1812;                         ## Radius Authentication port no.
                accounting-port 1813;              ## Radius Accounting port no.
                dynamic-request-port 3799;         ## Radius CoA/dynamic-request port no.
                secret "$ABC123";                  ## SECRET-DATA
                source-address 192.168.40.6;       ## Source IP to be used for radius messages
            }
        }
        accounting {
            order radius;
            accounting-stop-on-failure;            
            accounting-stop-on-access-deny;
            immediate-update;
            coa-immediate-update;
            update-interval 10;                    ## Interim accounting update interval in minutes
            statistics volume-time;                ## Both data volume & session duration for Acc.
        }
    }
    address-assignment {
        neighbor-discovery-router-advertisement V6-DHCP-POOL;
        pool V6-DHCP-POOL {
            family inet6 {
                prefix 2000:1::/64;
                range ndra-range prefix-length 64;
            }
        }
        pool IP-POOL-V6 {
            family inet6 {
                prefix 2004:2003::0/64;
                inactive: range ndra-range prefix-length 64;
                range ixia {
                    low 2004:2003::10/128;
                    high 2004:2003::ff/128;
                }
            }
        }
        pool dhcpv4-pool {
            family inet {
                network 10.10.200.0/24;
            }
        }
        pool V4-IP-POOL {
            family inet {
                network 192.168.100.0/24;
                range private {
                    low 192.168.100.1;
                    high 192.168.100.255;
                }
            }
        }
    }
    domain {                     ## Map domain-id with access-profile, pool, dynamic-profile
        map default {            ## Default domain map, matches all/no domain-id
            access-profile ACCESS-FTTH;
            address-pool dhcpv4-pool;
            dynamic-profile DHCP-PROFILE;
        }
        map ftth.c {            
            access-profile ACCESS-FTTH;
            address-pool dhcpv4-pool;
            dynamic-profile DHCP-PROFILE;
        }
        delimiter "@";           ## Delimiter character to identify start of domain-id 
    }
}
firewall {
    family inet {
        filter default {
            interface-specific;
            term T1 {
                then accept;
            }
        }
    }
    family inet6 {
        filter default-v6 {
            interface-specific;
            term T1 {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/2 {
        hierarchical-scheduler maximum-hierarchy-levels 2;
        flexible-vlan-tagging;
        auto-configure {
            vlan-ranges {
                dynamic-profile AUTO-VLAN {
                    accept [ dhcp-v4 dhcp-v6 ];
                    ranges {
                        3000-4000;        ## Vlan ranges for incoming IPoE connection
                    }
                }
            }
            remove-when-no-subscribers;
        }
    }
}

Extra dynamic-profile & interface configs for q-in-q / Stacked vlan IPv4 IPoE subscriber deployment:

dynamic-profiles {                               
    AUTO-VLAN-STACK {
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    actual-transit-statistics;
                    demux-source [ inet inet6 ];
                    proxy-arp;
                    vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                    demux-options {
                        underlying-interface "$junos-interface-ifd-name";
                    }
                    family inet {
                        unnumbered-address lo0.0;
                    }
                    family inet6 {
                        unnumbered-address lo0.0;
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/2 {
        hierarchical-scheduler maximum-hierarchy-levels 2;
        flexible-vlan-tagging;
        auto-configure {
            stacked-vlan-ranges {
                dynamic-profile AUTO-VLAN-STACK {
                    accept [ dhcp-v4 dhcp-v6 ];
                    ranges {
                        3000-4000,any;        ## outer, inner Vlan ranges for incoming IPoE connection
                    }
                }
            }
            remove-when-no-subscribers;
        }
    }
}

Radius User Configuration:

Radius Attributes specific to IPv6:

  1. Jnpr-IPv6-Ingress-Policy-Name
  2. Jnpr-IPv6-Egress-Policy-Name
  3. Framed-IPv6-Prefix
  4. Framed-IPv6-Pool
  5. Delegated-Ipv6-Prefix
  6. Framed-IPv6-Route

Radius user example specific for IPv6 / Dual-Stack User(can be used along with IPoE IPv4 attributes): (CPE mac address: 52:54:00:f9:c0:81)

  1. Fixed IA_NA IPv6 /128 IPv6 Address User Example: ( for IA_NA address disable dynamic-profiles > protocols > router-advertisement ) 
      5254.00f9.c081@ftth.c Auth-Type := Local, User-Password := "Test2222"
          Service-Type = Framed-User,
          Framed-IP-Address = 10.200.200.26,
          Framed-IPv6-Prefix = "4001:1:1:1::100/128",
          ERX-Primary-Dns = 8.8.8.8
  1. NDRA/IPv6 Prefix Address assignment(Dual-Stack) User Example: 
      5254.00f9.c081@ftth.c Auth-Type := Local, User-Password := "Test2222"
          Service-Type = Framed-User,
          Framed-IP-Address = 10.200.200.26,
          Framed-IPv6-Prefix = "4010:1:1:10::/64",
          ERX-Primary-Dns = 8.8.8.8
  1. IPv6 Address assignment via IPv6 Pool name User Example:
      5254.00f9.c081@ftth.c Auth-Type := Local, User-Password := "Test2222"
          Service-Type = Framed-User,
          Framed-Pool = "V4-DHCP-POOL",
          Framed-IPv6-Pool = "IP-POOL-V6",
          ERX-Primary-Dns = 8.8.8.8
  1. IPv6 Prefix Delegation Address Assignment User Example:  
      5254.00f9.c081@ftth.c Auth-Type := Local, User-Password := "Test2222"
          Service-Type = Framed-User,
          Framed-IP-Address = 10.200.200.26,
          Framed-IPv6-Prefix = "4010:1:1:10::/64",
          Delegated-IPv6-Prefix = "4001:1:1:1000::/64",
          ERX-Primary-Dns = 8.8.8.8,
          ERX-Secondary-Dns = 8.8.4.4
  1. No domain name/only MAC IPv6 prefix delegation address assignment user example:
      5254.00f9.c081 Auth-Type := Local, User-Password := "Test2222"
          Service-Type = Framed-User,
          Framed-IP-Address = 10.200.200.26,
          Framed-IPv6-Prefix = "4010:1:1:10::/64",
          Delegated-IPv6-Prefix = "4001:1:1:1000::/64",
      #    Framed-IPv6-Route = "2a00:a600:0100::/48 :: 1",
          ERX-Primary-Dns = 8.8.8.8
 
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search