[Subscriber Management] Configuration Example - end-to-end IPv6 or Dual-Stack IPoE Subscriber
This article provides an example of how to configure simplified end-to-end IPv6 or Dual-Stack IPoE subscribers on an MX BNG node, covering generic requirements such as firewall filters, fixed/dynamic IP address pools, and framed routes.
The example:
Topology:
IPv4/IPv6/Dual-Stack IPoE subscriber <----> ([vlan 3320] ge-0/0/2) MX (ge-0/0/0) <----> RADIUS Server (192.168.40.26)
The RADIUS server (192.168.40.26) is reachable via the inet.0 table of the global routing instance.
There are two types of addressing for IPv6 in a subscriber access network:
The following methods can be used for assigning IPv6 addresses:
An IPv6 IPoE subscriber (IPv6 address assignment for the CPE's WAN link) can be deployed in two ways:
MX (BNG) Configuration Steps for IPv4 / IPv6 / Dual-stack IPoE Subscriber (with local-dhcp-server)
Configuration:
Dynamic-profile configuration for IPv4-only, IPv6 (ND/RA, DHCPv6 IA_NA / PD) and Dual-Stack (ND/RA, DHCPv6 IA_NA / PD) IPoE (dot1q / single VLAN) subscriber deployment:
dynamic-profiles {
    DHCP-PROFILE {
        predefined-variable-defaults { ## Default values for predefined variables
            input-filter default;
            output-filter default;
            output-ipv6-filter default-v6;
            input-ipv6-filter default-v6;
        }
        routing-instances { ## Enables the IPoE subscribers inside VRF
            "$junos-routing-instance" {
                interface "$junos-interface-name" {
                    any;
                }
                routing-options {
                    rib "$junos-ipv6-rib" { ## IPv6 Access Stanza
                        access {
                            route $junos-framed-route-ipv6-address-prefix {
                                qualified-next-hop "$junos-interface-name";
                                metric "$junos-framed-route-ipv6-cost";
                                preference "$junos-framed-route-ipv6-distance";
                                tag "$junos-framed-route-ipv6-tag";
                            }
                        }
                    }
                    access { ## Enables static route config via AAA Framed-route
                        route $junos-framed-route-ip-address-prefix {
                            next-hop "$junos-framed-route-nexthop";
                            metric "$junos-framed-route-cost";
                            preference "$junos-framed-route-distance";
                            tag "$junos-framed-route-tag";
                        }
                    }
                }
            }
        }
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    proxy-arp;
                    demux-options {
                        underlying-interface "$junos-underlying-interface";
                    }
                    family inet {
                        demux-source {
                            $junos-subscriber-ip-address;
                        }
                        filter {
                            input "$junos-input-filter";
                            output "$junos-output-filter";
                        }
                        unnumbered-address "$junos-loopback-interface";
                    }
                    family inet6 {
                        address $junos-ipv6-address;
                        demux-source {
                            "$junos-subscriber-ipv6-address";
                        }
                        filter {
                            input "$junos-input-ipv6-filter";
                            output "$junos-output-ipv6-filter";
                        }
                        unnumbered-address "$junos-loopback-interface";
                    }
                }
            }
        }
        protocols {
            router-advertisement { ## Disable 'router-advertisement' for IPv6 IA_NA /128 addresses
                interface "$junos-interface-name" {
                    link-mtu;
                    prefix $junos-ipv6-ndra-prefix {
                        valid-lifetime 14400;
                        on-link;
                        preferred-lifetime 14400;
                    }
                }
            }
        }
    }
    AUTO-VLAN {
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    actual-transit-statistics;
                    demux-source [ inet inet6 ];
                    proxy-arp;
                    vlan-id "$junos-vlan-id";
                    demux-options {
                        underlying-interface "$junos-interface-ifd-name";
                    }
                    family inet {
                        unnumbered-address lo0.0;
                    }
                    family inet6 {
                        unnumbered-address lo0.0;
                    }
                }
            }
        }
    }
}
system {
    services {
        dhcp-local-server {
            dhcpv6 {
                group V6 {
                    authentication {
                        password Test2222;
                        username-include {
                            domain-name ftth.c;
                            mac-address;
                        }
                    }
                    overrides {
                        delegated-pool V6-DHCP-POOL;
                        dual-stack dualstack;
                    }
                    interface ge-0/0/2.0;
                    interface demux0.0;
                    interface pp0.0;
                }
            }
            group V4 {
                authentication {
                    password Test2222;
                    username-include {
                        domain-name ftth.c;
                        mac-address;
                    }
                }
                overrides {
                    dual-stack dualstack;
                }
                interface ge-0/0/2.0;
                interface demux0.0;
            }
            dual-stack-group dualstack {
                dynamic-profile DHCP-PROFILE;
            }
        }
    }
}
access {
    profile ACCESS-FTTH { ## Access-profile name
        accounting-order radius;
        authentication-order radius;
        radius {
            authentication-server 192.168.40.26; ## Radius server IP - Authentication
            accounting-server 192.168.40.26; ## Radius server IP - Accounting
            options {
                accounting-session-id-format description;
                client-authentication-algorithm direct; ## Radius authentication request algorithm
            }
        }
        radius-server {
            192.168.40.26 {
                port 1812; ## Radius Authentication port no.
                accounting-port 1813; ## Radius Accounting port no.
                dynamic-request-port 3799; ## Radius CoA/dynamic-request port no.
                secret "$ABC123"; ## SECRET-DATA
                source-address 192.168.40.6; ## Source IP to be used for radius messages
            }
        }
        accounting {
            order radius;
            accounting-stop-on-failure;
            accounting-stop-on-access-deny;
            immediate-update;
            coa-immediate-update;
            update-interval 10; ## Interim accounting update interval in minutes
            statistics volume-time; ## Both data volume & session duration for accounting
        }
    }
    address-assignment {
        neighbor-discovery-router-advertisement V6-DHCP-POOL;
        pool V6-DHCP-POOL {
            family inet6 {
                prefix 2000:1::/64;
                range ndra-range prefix-length 64;
            }
        }
        pool IP-POOL-V6 {
            family inet6 {
                prefix 2004:2003::0/64;
                inactive: range ndra-range prefix-length 64;
                range ixia {
                    low 2004:2003::10/128;
                    high 2004:2003::ff/128;
                }
            }
        }
        pool dhcpv4-pool {
            family inet {
                network 10.10.200.0/24;
            }
        }
        pool V4-IP-POOL {
            family inet {
                network 192.168.100.0/24;
                range private {
                    low 192.168.100.1;
                    high 192.168.100.255;
                }
            }
        }
    }
    domain { ## Map domain-id with access-profile, pool, dynamic-profile
        map default { ## Default domain map, matches all/no domain-id
            access-profile ACCESS-FTTH;
            address-pool dhcpv4-pool;
            dynamic-profile DHCP-PROFILE;
        }
        map ftth.c {
            access-profile ACCESS-FTTH;
            address-pool dhcpv4-pool;
            dynamic-profile DHCP-PROFILE;
        }
        delimiter "@"; ## Delimiter character to identify start of domain-id
    }
}
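firewall {
    family inet {
        filter default { ## Default from predefined-variable-defaults; accepts all traffic
            interface-specific;
            term T1 {
                then accept;
            }
        }
    }
    family inet6 {
        filter default-v6 { ## Default from predefined-variable-defaults; accepts all traffic
            interface-specific;
            term T1 {
                then accept;
            }
        }
    }
}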
interfaces {
    ge-0/0/2 {
        hierarchical-scheduler maximum-hierarchy-levels 2;
        flexible-vlan-tagging;
        auto-configure {
            vlan-ranges {
                dynamic-profile AUTO-VLAN {
                    accept [ dhcp-v4 dhcp-v6 ];
                    ranges {
                        3000-4000; ## Vlan ranges for incoming IPoE connection
                    }
                }
            }
            remove-when-no-subscribers;
        }
    }
}
Extra dynamic-profile & interface configs for q-in-q / Stacked vlan IPv4 IPoE subscriber deployment:
dynamic-profiles {
    AUTO-VLAN-STACK {
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    actual-transit-statistics;
                    demux-source [ inet inet6 ];
                    proxy-arp;
                    vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                    demux-options {
                        underlying-interface "$junos-interface-ifd-name";
                    }
                    family inet {
                        unnumbered-address lo0.0;
                    }
                    family inet6 {
                        unnumbered-address lo0.0;
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/2 {
        hierarchical-scheduler maximum-hierarchy-levels 2;
        flexible-vlan-tagging;
        auto-configure {
            stacked-vlan-ranges {
                dynamic-profile AUTO-VLAN-STACK {
                    accept [ dhcp-v4 dhcp-v6 ];
                    ranges {
                        3000-4000,any; ## outer, inner Vlan ranges for incoming IPoE connection
                    }
                }
            }
            remove-when-no-subscribers;
        }
    }
}
Radius User Configuration:
Radius Attributes specific to IPv6:
Jnpr-IPv6-Ingress-Policy-Name
Jnpr-IPv6-Egress-Policy-Name
Framed-IPv6-Prefix
Framed-IPv6-Pool
Delegated-IPv6-Prefix
Framed-IPv6-Route
Radius user examples specific to an IPv6 / Dual-Stack user (can be used along with IPoE IPv4 attributes). CPE MAC address: 52:54:00:f9:c0:81
5254.00f9.c081@ftth.c Auth-Type := Local, User-Password := "Test2222"
    Service-Type = Framed-User,
    Framed-IP-Address = 10.200.200.26,
    Framed-IPv6-Prefix = "4001:1:1:1::100/128",
    ERX-Primary-Dns = 8.8.8.8

5254.00f9.c081@ftth.c Auth-Type := Local, User-Password := "Test2222"
    Service-Type = Framed-User,
    Framed-IP-Address = 10.200.200.26,
    Framed-IPv6-Prefix = "4010:1:1:10::/64",
    ERX-Primary-Dns = 8.8.8.8

5254.00f9.c081@ftth.c Auth-Type := Local, User-Password := "Test2222"
    Service-Type = Framed-User,
    Framed-Pool = "V4-DHCP-POOL",
    Framed-IPv6-Pool = "IP-POOL-V6",
    ERX-Primary-Dns = 8.8.8.8

5254.00f9.c081@ftth.c Auth-Type := Local, User-Password := "Test2222"
    Service-Type = Framed-User,
    Framed-IP-Address = 10.200.200.26,
    Framed-IPv6-Prefix = "4010:1:1:10::/64",
    Delegated-IPv6-Prefix = "4001:1:1:1000::/64",
    ERX-Primary-Dns = 8.8.8.8,
    ERX-Secondary-Dns = 8.8.4.4

5254.00f9.c081 Auth-Type := Local, User-Password := "Test2222"
    Service-Type = Framed-User,
    Framed-IP-Address = 10.200.200.26,
    Framed-IPv6-Prefix = "4010:1:1:10::/64",
    Delegated-IPv6-Prefix = "4001:1:1:1000::/64",
#   Framed-IPv6-Route = "2a00:a600:0100::/48 :: 1",
    ERX-Primary-Dns = 8.8.8.8
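
A pre-deployment check for users entries like the ones above, as an added example that is not part of the original article or of Juniper's tooling: it builds the login name in the form the entries use (MAC as xxxx.xxxx.xxxx, the "@" delimiter, then the domain) and flags reply attributes that name an address pool the router configuration does not define or that carry a malformed IPv6 prefix. The function names and the second sample entry (including its MAC) are constructed for illustration; the pool names are copied from the address-assignment stanza.

```python
import ipaddress
import re
# Pool names copied from the address-assignment stanza on this page.
DEFINED_POOLS = {"V6-DHCP-POOL", "IP-POOL-V6", "dhcpv4-pool", "V4-IP-POOL"}

# Constructed sample: the page's third entry plus a made-up entry with host bits set.
USERS = '''\
5254.00f9.c081@ftth.c Auth-Type := Local, User-Password := "Test2222"
    Service-Type = Framed-User,
    Framed-Pool = "V4-DHCP-POOL",
    Framed-IPv6-Pool = "IP-POOL-V6",
    ERX-Primary-Dns = 8.8.8.8

0000.5e00.5301@ftth.c Auth-Type := Local, User-Password := "Test2222"
    Framed-IPv6-Prefix = "4010:1:1:10::1/64"
'''

def radius_username(mac, domain, delimiter="@"):
    """MAC as xxxx.xxxx.xxxx + delimiter + domain, the form the page's entries use."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8)) + delimiter + domain

def parse_users(text):
    """Return [(username, {attribute: value})] from FreeRADIUS users-file text."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # unindented line starts a new entry
            entries.append((line.split()[0], {}))
        elif entries:                        # indented line is a reply attribute
            name, _, value = line.partition("=")
            entries[-1][1][name.rstrip(" :+").strip()] = value.strip().rstrip(",").strip('"')
    return entries

def lint(text, pools=DEFINED_POOLS):
    """Flag pool names the router does not define and malformed IPv6 prefixes."""
    findings = []
    for user, attrs in parse_users(text):
        for key in ("Framed-Pool", "Framed-IPv6-Pool"):
            if key in attrs and attrs[key] not in pools:
                findings.append((user, key, attrs[key], "pool not defined"))
        for key in ("Framed-IPv6-Prefix", "Delegated-IPv6-Prefix"):
            try:  # strict=True rejects prefixes with host bits set
                ipaddress.IPv6Network(attrs.get(key, "::/0"), strict=True)
            except ValueError:
                findings.append((user, key, attrs[key], "invalid prefix"))
    return findings
```

Run against the third entry above, the check reports that Framed-Pool names V4-DHCP-POOL, which the address-assignment stanza shown here does not define.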