Juniper MX Sub MGMT


Juniper Junos Subscriber Management

© 2011 Juniper Networks, Inc. All rights reserved. | www.juniper.net


Agenda

1. Introduce Junos subscriber management


2. Access Management
3. Dynamic PPPoE for Subscriber Access
4. Subscriber Interfaces and Dynamic Profiles
5. Layer 3 and Layer 2 Wholesale Services
6. Dynamic Firewall Services
7. Subscriber Class of Service
8. Dynamic Multicast Services



Junos Subscriber Management
▪ Junos subscriber management provisions, controls, and maximizes broadband subscriber access to core network resources
• AAA services and dynamic profiles manage a variety of subscriber services:
• Internet access
• VoIP
• IPTV
• Subscriber wholesaling
• VOD



Early Subscriber Access Networks
▪ A dial-up client connects to a remote access server
[Figure: dial-up networking client, PSTN, provider network RAS, ATM or leased lines, Internet, and office network (network server, database, file sharing)]
PSTN = public switched telephone network



Broadband Subscriber Access Networks
▪ Broadband subscribers connect to a broadband services router through residential gateways and a multiservice access node
[Figure: DSL, cable, and satellite residential gateways (RG), MSANs, broadband services router, and ISP core network]



Junos Subscriber Reference Model
▪ The device that terminates Layer 2 traffic and begins Layer 3 traffic performs subscriber management
[Figure: access network (MSAN), MX 960 edge access router, and core network, with a Steel-Belted Radius server, a DHCP server, and a Diameter and SRC server. Functions shown at the MX 960:]
• AAA services
• DHCP relay/local server
• Dynamic profiles
- Interfaces
- Firewall filters
- Protocols (IGMP)
- Class of Service



Broadband Access Design
▪ Key design decisions:
• Edge network topology
• Single edge or multi-edge?
• Traffic aggregation
• Is an aggregation switch required?
• Services delivery point
• Centralized or distributed intelligence?
• Subscriber access protocols
• DHCP or PPPoE?
• VLAN model
• Customer VLAN (C-VLAN), service VLAN (S-VLAN) or hybrid?



Subscriber Edge Designs (1 of 2)
▪ Single-Edge
[Figure: MSAN carrying data, voice, and video to one MX960 BSR]

• All subscriber traffic flows through a single BSR router



Subscriber Edge Designs (2 of 2)
▪ Multi-Edge
[Figure: MSAN and aggregation switch, with data and voice to an MX960 BSR and video to an MX960 VSR]
• Separate edge router for video traffic
• Requires aggregation switch or MSAN with multiple uplinks
• Requires some QoS in the MSAN or aggregation switch



MSAN Traffic Aggregation

[Figure: MSANs (COT, OLT) reached over leased lines, Ethernet, and WDM, an aggregation switch, an MX960 BSR for data and voice, and an MX960 VSR for video]



Subscriber Services Delivery Point
▪ Centralized intelligence
[Figure: RG, MSAN, aggregation switch, MX960, and core network (video, data), with DHCP options, CoS, and AAA services callouts]

▪ Distributed intelligence
[Figure: RG, MSAN, aggregation switch, MX960, and core network (video, data), with DHCP options, CoS, and AAA services callouts]



Subscriber Access Protocols

[Figure: RG, MSAN, MX960, and core network (video, data), with DHCP and PPPoE subscriber access]

▪ Scenarios:
• DHCP for all services
• PPPoE for all services (No IPTV)
• DHCP for IP video, PPPoE for data traffic



Subscriber VLAN Models
[Figure: core network, MX960, and MSANs, shown once for the service VLAN model and once for the customer VLAN model]

Service VLAN
▪ One VLAN per service
• Shared among all subscribers
• Multiple VLANs to each subscriber
▪ Simpler to configure, harder to manage

Customer VLAN
▪ One VLAN per subscriber
• Carries multiple services
▪ Simpler to shape all services within same VLAN



VLAN Model: S-VLAN

[Figure: MSAN with Internet access (S-VLAN), VoIP (S-VLAN), and IPTV (S-VLAN) with IGMP]

▪ Service VLAN
• Dedicated VLAN for each service
• N:1 model; multiple subscribers share each VLAN



VLAN Model: C-VLAN

[Figure: MSAN with Subscriber #1, Subscriber #2, and Subscriber #3, each on a C-VLAN]

▪ Customer VLAN
• Dedicated VLAN for each subscriber
• 1:1 model; each subscriber has a VLAN



VLAN Model: Hybrid C-VLAN with M-VLAN

[Figure: MSAN with Subscriber #1, Subscriber #2, and Subscriber #3 on C-VLANs and IPTV on an M-VLAN]

▪ Hybrid is customer VLANs with multicast VLANs
• Dedicated VLAN per subscriber for data and VoIP
• An M-VLAN is a service VLAN that carries multicast IPTV traffic
Note: M-VLAN does not apply for VOD or directed TV services.



Single Edge Architecture Example

[Figure: single edge, centralized model. RGs, MSAN, MX960 BSR, and core network (video, data), using the hybrid C-VLAN with M-VLAN model. Callouts: IGMP snooping and DHCP forwarding on C-VLAN for IPTV (or use proxy + forking); PPPoE for unicast]



Multi-Edge Architecture Example

[Figure: multi-edge. RGs, MSAN, aggregation switch for multi-edge, MX960 BSR (C-VLANs, data core network), and MX960 VSR (M-VLAN, video core network). Callouts: DHCP on multicast VLAN for IPTV; IGMP forking allows BSR to adjust QoS]



Configuration Overview
▪ Configuration components:
• AAA framework
• DHCP local server, relay agent, or relay proxy
• Subscriber addressing
• Physical interfaces
• Static and dynamic VLANs
• Dynamic profiles
• Subscriber interfaces (static or dynamic)
• Variables
• Firewall services
• Class of service
• Protocols
• Multicast access



MX Subscriber Management
▪ Subscriber management occurs in the control plane
[Figure: MX Series router with a control plane (subscriber management, dynamic profiles) and a forwarding plane, connected to an MSAN]



Junos Processes for Subscriber Management
▪ Junos subscriber management daemons
• jdhcpd: New daemon, responsible for all DHCP-related activities
• authd: Daemon for AAA and address allocation
• autoconfd: Auto-configuration daemon
• demuxd: Demux interface daemon
• Other daemons
• dcd: Daemon for physical and logical interfaces
• dfwd: Firewall daemon
• cosd: Class of service daemon



Subscriber Access Operation Flow (1 of 2)
[Figure: subscribers 1 through 60 behind MSANs, the MX router (router DHCP, router session database, internal applications), the DHCP server, and the RADIUS server; callouts 1 through 10 mark the numbered steps]
1. The client issues a DHCP discover message.
2. The router DHCP component recognizes the DHCP message and adds the client to the router session database.
3. If configured, the router issues an authorization request to the RADIUS server.
4. The DHCP server issues an IP address for the client. When the address is relayed, the address is added to the router session database.
5. RADIUS issues an authorization response to the router.



Subscriber Access Operation Flow (2 of 2)
[Figure: subscribers 1 through 60 behind MSANs, the MX router (router DHCP, router session database, internal applications), the DHCP server, and the RADIUS server; callouts 1 through 10 mark the numbered steps]

6. The router adds RADIUS authorization information to the router session database.
7. The router combines the dynamic profile with the RADIUS authorization information.
8. The router alerts all internal applications involved with the subscriber access (for example, routing protocols, dynamic firewall, and dynamic CoS).
9. The router passes the message through to the DHCP server.
10. The router DHCP component sends an acknowledgement back to the client.



Software Licensing (1 of 2)
▪ Subscriber management licenses
• Junos Subscriber Access Feature Pack
• Per-sub RADIUS authentication and accounting
• Address pool assignment
• Dynamic autosensed VLAN
• Dynamic and static IP
• Subscriber scaling
• Junos Service Management Feature Pack
• Service definition capability
• Change of Authorization
• Per-service accounting
• Dynamic CoS policy
• ANCP-based QoS adjustment



Software Licensing (2 of 2)
▪ Some features require licenses
• Junos subscriber secure policy
• Lawful intercept
• Subscriber session scaling licenses
• 1000 sessions base license included by default

user@mx> show system license
License usage:
                                Licenses    Licenses    Licenses    Expiry
  Feature name                      used   installed      needed
  subscriber-accounting                1           1           0    permanent
  subscriber-authentication            0           1           0    permanent
  subscriber-address-assignment        1           1           0    permanent
  subscriber-vlan                      0           1           0    permanent
  subscriber-ip                        0           1           0    permanent
  scale-subscriber                     1        1000           0    permanent
  scale-l2tp                           0        1000           0    permanent
  scale-mobile-ip                      0        1000           0    permanent

user@mx> request system license add <filename or terminal>



Access Management



Access Management Overview (1 of 2)
▪ Subscriber access management features:
• Controls subscriber access to the network
• Controls subscriber services
• Provides subscriber accounting
▪ Configuration components
• AAA services framework (RADIUS)
• DHCP local server or DHCP relay
• Dynamic profiles
• IP address assignment



Access Management Overview (2 of 2)
▪ Allow access to subscriber services
• Access to a subscriber service is based on a defined dynamic profile and AAA authentication attributes
• RADIUS messages can modify subscriber sessions
▪ Benefits to service providers and subscribers
• Providers can separate services and access technology:
• Eliminate unprofitable flat-rate billing
• Bill subscribers more efficiently
• Subscribers gain access to multiple simultaneous services



Subscriber AAA Services
▪ AAA services framework
• Single point of contact for all components of network access
• AAA and dynamic-request change of authorization
• External servers—RADIUS
• Address assignment
• Local pools and RADIUS
▪ The Junos OS includes a RADIUS client
• Supports standard RADIUS attributes
• Authentication, accounting, and authorization information
• Supports vendor-specific attributes
• Provides additional capabilities for service activation or deactivation

Juniper Networks uses vendor ID 4874
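
Added example, not from the Juniper material: a length-checked decoder for RADIUS vendor-specific attributes (type 26) that keeps only those carrying vendor ID 4874. The wire layout follows RFC 2865; the packet and the value of vendor type 10 are constructed for illustration.

```python
import struct

JUNIPER_VENDOR_ID = 4874   # vendor ID stated on the slide
VENDOR_SPECIFIC = 26       # RADIUS attribute type that carries VSAs (RFC 2865)


def parse_attributes(packet: bytes):
    """Return [(type, value)] from a RADIUS packet, checking every length."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("header length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length {a_len} for attribute {a_type}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def vendor_attributes(attrs, vendor_id=JUNIPER_VENDOR_ID):
    """Return [(vendor_type, value)] for the VSAs that carry vendor_id."""
    out = []
    for a_type, value in attrs:
        if a_type != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("VSA too short to hold a vendor ID")
        (vid,) = struct.unpack("!I", value[:4])
        if vid != vendor_id:
            continue
        body, pos = value[4:], 0
        while pos < len(body):
            if pos + 2 > len(body):
                raise ValueError("truncated vendor sub-attribute")
            v_type, v_len = body[pos], body[pos + 1]
            if v_len < 2 or pos + v_len > len(body):
                raise ValueError(f"bad length {v_len} for vendor type {v_type}")
            out.append((v_type, body[pos + 2:pos + v_len]))
            pos += v_len
    return out


def build_sample() -> bytes:
    """Constructed Access-Accept: User-Name plus one VSA with vendor type 10."""
    user = bytes([1, 2 + 5]) + b"team1"
    sub = bytes([10, 2 + 6]) + b"sample"          # constructed value
    vsa = bytes([VENDOR_SPECIFIC, 2 + 4 + len(sub)])
    vsa += struct.pack("!I", JUNIPER_VENDOR_ID) + sub
    attrs = user + vsa
    header = struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16)
    return header + attrs


if __name__ == "__main__":
    attributes = parse_attributes(build_sample())
    print(attributes)
    print(vendor_attributes(attributes))
```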



Configuring AAA Services (1 of 3)
▪ Define interaction with the RADIUS Server:
• Specify a RADIUS server
• Specify how the router interacts with the server
• You can configure connections to multiple servers
• You can configure globally (below) or per profile
[edit access]
user@mx# show radius-server
10.0.0.10 {
    port 1812;
    accounting-port 1813;
    secret "$9$-wds4aJDHkP4oz39Cu0"; ## SECRET-DATA
    timeout 5;
    retry 5;
    source-address 100.100.100.100;
}
10.1.1.10 {
    port 1812;
    accounting-port 1813;
    secret "$9$CE2aA0IEhrKvLIR-VY2aJ"; ## SECRET-DATA
    timeout 8;
    retry 6;
    source-address 100.100.100.100;
}



Configuring AAA Services (2 of 3)
▪ Configure an access profile:
• Specify authentication and accounting order
• Specify RADIUS servers and options
• Configure accounting settings
• Define multiple profiles
[edit access]
user@mx# show profile testprofile
accounting-order radius;
authentication-order radius;
radius {
    authentication-server [ 10.0.0.10 10.1.1.10 ];
    accounting-server [ 10.0.0.10 10.1.1.10 ];
    options {
        nas-identifier 33;
    }
}
accounting {
    order radius;
    update-interval 10;
    statistics time;
}

RADIUS accounting options: accounting-session-id-format, client-accounting-algorithm, ethernet-port-type-virtual, interface-description-format, nas-identifier, nas-port-extended-format, revert-interval, vlan-nas-port-stacked-format

Access profile accounting settings: accounting-stop-on-access-deny, accounting-stop-on-failure, coa-immediate-update, immediate-update, order, statistics, update-interval


Configuring AAA Services (3 of 3)
▪ Activate the access profile:
• Configure the profile name
• Configure for each logical system and routing instance
[edit]
user@mx# show access-profile
testprofile;

This hierarchy level activates the access profile (everything configured up to this point).



Verifying AAA Services
▪ Use the CLI test command to verify AAA services operations
user@mx> test aaa authd-lite user username password password profile access-profile-name

• CLI example:
user@mx> test aaa authd-lite user team1 password lab123 profile my-profile
Authentication Grant
************User Attributes***********
User Name - team1
User Password - lab123
Service Type- 0
Framed IP Address - 0.0.0.0
Framed IP Netmask - 0.0.0.0
<snip>
Logging out subscriber
Test complete. Exiting



Monitoring AAA Services
▪ Monitor using show and clear commands:
• show network-access aaa subscribers
• show network-access aaa statistics
• Authentication and accounting
• clear network-access aaa subscriber
• Clear statistics or log out specific subscribers
user@mx> show network-access aaa subscribers
Username               Logical system/Routing instance   Client type   Session-ID
radiususer@jnpr.com    default:default                   dhcp          42
demuxuser              default:default                   dhcp          43
rad@jnpr11.com         default:default                   dhcp          44
radiususer@jnpr.com    default:default                   dhcp          61

user@mx> show network-access aaa statistics authentication
Authentication module statistics
    Requests received: 55
    Accepts: 49
    Rejects: 6
    Challenges: 0
    Requests timed out: 0



Troubleshooting AAA Services
▪ Traceoptions:
• Configure in the system processes general-authentication-service hierarchy level
[edit system processes]
user@mx# show
general-authentication-service {
    traceoptions {
        file rad-auth size 1m files 5 world-readable;
        flag radius;
    }
}

Traceoptions flags: address-assignment, all, configuration, framework, jsrc, ldap, local-authentication, radius

• View using show log filename

[edit system processes]
user@mx# run show log rad-auth | last
<snip>
Oct 4 05:01:15 getRequestAttribute: requesting authd attr_type 325; vendor-id 4874; radius attr_type 10
Oct 4 05:01:15 Radius result is CLIENT_REQ_STATUS_SUCCESS
Oct 4 05:01:15 authd_radius_acctg_callback Result is :(CLIENT_REQ_STATUS_SUCCESS) reply_code:(Accounting-Response) 5

Restart authd daemon: restart general-authentication-service



Extended DHCP Local Server
▪ DHCP server functions:
• Configured in the system services dhcp-local-server hierarchy level
• Provides client addressing
• Uses address-assignment pools
• Supports advanced address range matching
• Based on DHCP option 82
• Supports user-defined options
• Lease time, name server, router, and so on

DHCPv6 Local Server is Supported



DHCP Local Server and RADIUS Integration
▪ DHCP local server and RADIUS integration:
• The DHCP local server contacts the RADIUS server to authenticate a DHCP client
• The DHCP local server or RADIUS server can provide the DHCP client parameters:
• If DHCP local server provides full configuration, then RADIUS is only used for authentication
• If the RADIUS server provides full client configuration, then DHCP local server parameters are not used
• The RADIUS server can provide partial DHCP client configuration, and the DHCP local server merges any additional configuration information
• In case of overlap, RADIUS options take precedence



Configuring Extended DHCP Local Server (1 of 3)
▪ Configure authentication:
• Specify a username and password
• Use username-include parameters for username
• Account must exist on RADIUS server
• Can be configured globally or per group
[edit system services]
user@mx# show dhcp-local-server
authentication {
    password lab123;
    username-include {
        domain-name jnpr.com;
        user-prefix radiususer;
    }
}

DHCP Local Server Authentication Options: circuit-type, delimiter, domain-name, logical-system-name, mac-address, option-60, option-82, routing-instance-name, user-prefix

You must configure username-include parameters to enable authentication



Configuring Extended DHCP Local Server (2 of 3)
▪ Define interface groups:
• Specify group names
• Add interfaces
• Group together interfaces whose clients require common DHCP configuration
• Use upto and exclude if necessary
[edit system services]
user@mx# show dhcp-local-server
authentication {
    password lab123;
    username-include {
        domain-name jnpr.com;
        user-prefix radiususer;
    }
}
group dhcpgroup {
    interface ge-1/0/3.0;
    interface ge-1/0/4.1 upto ge-1/0/4.50;
    interface ge-1/0/4.10 exclude;
}



Configuring Extended DHCP Local Server (3 of 3)
▪ Associate a dynamic profile:
• Specify a profile for subscribers logging in on the specified interfaces
• Junos device applies services defined in the profile
• Can be associated per group or globally
[edit system services]
user@mx# show dhcp-local-server
authentication {
    password lab123;
    username-include {
        option-82 remote-id;
    }
}
group dhcpgroup {
    dynamic-profile dhcp-dyn-profile;
    interface ge-1/0/3;
    interface ge-1/0/4.1 upto ge-1/0/4.50;
    interface ge-1/0/4.10 exclude;
}

To apply a dynamic profile to a majority of interfaces on the device, use the interface all command and then specify the unwanted interfaces using the exclude command.



Multiple Subscribers on the Same VLAN
▪ Multiple subscribers sharing the same VLAN logical interface
• By default, a single DHCP client is allowed per VLAN when a dynamic profile is associated with a VLAN logical interface
• DHCP local server supports multiple subscribers on a single VLAN logical interface
• Example: Multiple clients within a single household
• Add aggregate-clients to the dynamic-profile statement
• Firewall filters, CoS, and IGMP configurations are merged or replaced upon each login

[edit system services]
user@mx# show dhcp-local-server group dhcpgroup
dynamic-profile dhcp-dyn-profile aggregate-clients merge;
interface ge-1/0/3.0;

Do not use aggregate-clients when attaching a dynamic profile to a demux interface (one dynamic demux interface represents one subscriber).



How Does DHCP Determine Which Address-Assignment Pool to Use?
▪ DHCP local server matching options:
• IP address in client request (default)
• giaddr if relayed; otherwise address of receiving interface
• Relay agent option 82 information
• Matches to a corresponding named range in address-assignment pool
• Must configure default method and then option 82 method
• External authority
• An external source determines addressing

You must also configure the address-assignment pool option-82 statement within dhcp-attributes for the pool.

[edit system services]
user@mx# show dhcp-local-server
pool-match-order {
    ip-address-first;
    option-82;
}
authentication {
    password lab123;
    username-include {
        domain-name jnpr.com;
        user-prefix radiususer;
    }
}
group dhcpgroup {
    dynamic-profile dhcp-dyn-profile;
    interface ge-1/0/3.0;
}



Verifying DHCP Local Server
▪ Use the CLI test command to verify DHCP local server operations
user@mx> test aaa dhcp user username password password

• CLI example:
user@mx> test aaa dhcp user team1 password lab123
Authentication Grant
************Attributes***********
User Name - esmeralda
Client IP Address - 10.1.1.2
Client IP Netmask - 255.255.255.0
Reply Message NULL
Primary DNS IP Address - 0.0.0.0
Secondary DNS IP Address - 0.0.0.0
Primary WINS IP Address - 0.0.0.0
Secondary WINS IP Address - 0.0.0.0
Framed Pool - dhcppool
<snip>



Monitoring DHCP Local Server
▪ Monitor using show and clear commands
• show dhcp server binding
• show dhcp server statistics
• clear dhcp server binding
• clear dhcp server statistics
user@mx> show dhcp server binding

4 clients, (4 bound, 0 selecting, 0 renewing, 0 rebinding)

IP address        Hardware address     Type     Lease expires at
102.102.102.1     00:00:36:00:00:01    active   2009-10-04 07:32:07 UTC
103.103.103.1     00:00:36:00:00:01    active   2009-10-04 07:32:07 UTC
100.100.100.21    00:00:36:00:00:01    active   2009-10-04 07:32:07 UTC
101.101.101.3     00:0c:29:a8:5a:e7    active   2009-10-04 07:31:51 UTC

user@mx> show dhcp server statistics
Packets dropped:
    Total                6
    Authentication       6
    Dhcpv6 Total         0

Messages received:
    BOOTREQUEST     281642
    DHCPDECLINE          0
    DHCPDISCOVER        65
<snip>



Troubleshooting DHCP Local Server
▪ Traceoptions:
• Configure in the system services dhcp-local-server hierarchy level
[edit system services]
user@mx# show dhcp-local-server
traceoptions {
    file dhcplogfile;
    flag all;
}

• View using show log filename

user@mx> show log dhcplogfile | last
Oct 4 07:43:34 --[ DHCP/BOOTP from == 103.103.103.1, port == 68 ]--
Oct 4 07:43:34 --[ DHCP/BOOTP size == 263, op == 2 ]--
Oct 4 07:43:34 --[ DHCP/BOOTP flags == 0 ]--
Oct 4 07:43:34 --[ DHCP/BOOTP htype == 1, hlen == 6 ]--
Oct 4 07:43:34 --[ DHCP/BOOTP hops == 0, xid == 00000001 ]--
Oct 4 07:43:34 --[ DHCP/BOOTP secs == 0, flags == 0000 ]--
Oct 4 07:43:34 --[ DHCP/BOOTP ciaddr == 103.103.103.1 ]--
Oct 4 07:43:34 --[ DHCP/BOOTP yiaddr == 103.103.103.1 ]--
Oct 4 07:43:34 --[ DHCP/BOOTP siaddr == 0.0.0.0 ]--
Oct 4 07:43:34 --[ DHCP/BOOTP giaddr == 0.0.0.0 ]--
Oct 4 07:43:34 --[ DHCP/BOOTP chaddr == 00 00 36 00 00 01 00 00 00 00 00 00 00 00 00 00 ]--

Restart jdhcpd daemon: restart dhcp-service



Extended DHCP Relay
▪ Extended DHCP relay functions
• Configured in the forwarding-options dhcp-relay hierarchy level
• Forwards DHCP packets between client and server
• Provides support for centralized DHCP management



Extended DHCP Relay Agent
▪ DHCP relay agent monitors state persistence
• Monitors the state of active client leases
• Snoops unicast packets between client and server
• Maintains state information on disk:
• Can recover from process failure or system reboot
• Cannot recover from power failure or kernel failure
• Removes expired leases from storage
▪ DHCP relay agent supports graceful Routing Engine switchover
• Relay agent mirrors state of clients to backup Routing Engine



DHCP Relay Proxy Mode
▪ DHCP relay proxy mode enhances DHCP relay
• DHCP relay is relatively transparent to clients and servers
• Exception: Adding giaddr and relay agent options
• Proxy mode hides DHCP server from clients
• Clients believe relay agent is the DHCP server
• Relay agent interacts normally with DHCP server
• Provides DHCP server isolation
• Protects server from clients

A DHCP relay proxy can be configured in a logical system; non-proxy mode DHCP relay cannot.



DHCP Relay Agent Processing
IP Address of MX LAN Interface = A.B.C.D
IP Address of DHCP Server = W.X.Y.Z

[Figure: residential gateway, DHCP relay on the MX router (A.B.C.D), and DHCP server (W.X.Y.Z)]

The relay agent operates transparently; the client interacts directly with the DHCP server.

DHCP Relay Proxy Processing

IP Address of MX LAN Interface = A.B.C.D
IP Address of DHCP Server = W.X.Y.Z
[Figure: residential gateway, DHCP relay on the MX router (A.B.C.D), and DHCP server (W.X.Y.Z)]

The relay agent in proxy mode hides the DHCP server; the client interacts only with the relay agent.



Configuring Extended DHCP Relay Agent (1 of 5)
▪ Configure authentication:
• Specify a username and password
• Use username-include parameters for username
• Account must exist on RADIUS server
• Can be configured globally or per group

[edit forwarding-options]
user@mx# show dhcp-relay
authentication {
    password lab123;
    username-include {
        domain-name jnpr.com;
        user-prefix radiususer;
    }
}

DHCP Relay Authentication Options: circuit-type, delimiter, domain-name, logical-system-name, mac-address, option-60, option-82, routing-instance-name, user-prefix

You must configure username-include parameters to enable use of authentication



Configuring Extended DHCP Relay Agent (2 of 5)
▪ Define interface groups:
• Specify group names
• Add interfaces
• Group together interfaces whose clients require common DHCP configuration
• Use upto and exclude if necessary
[edit forwarding-options]
user@mx# show dhcp-relay
authentication {
    password lab123;
    username-include {
        domain-name jnpr.com;
        user-prefix radiususer;
    }
}
group dhcp-relay-group {
    interface ge-1/0/3.0;
    interface ge-1/0/4.1 upto ge-1/0/4.50;
    interface ge-1/0/4.10 exclude;
}



Configuring Extended DHCP Relay Agent (3 of 5)
▪ Associate a dynamic profile:
• Specify a profile for subscribers logging in on the specified interfaces
• The Junos device applies the services defined in the profile
• Can be associated per group or globally
[edit forwarding-options]
user@mx# show dhcp-relay
authentication {
    password lab123;
    username-include {
        domain-name jnpr.com;
        user-prefix radiususer;
    }
}
group dhcp-relay-group {
    dynamic-profile dhcp-relay-dyn-profile;
    interface ge-1/0/3.0;
    interface ge-1/0/4.1 upto ge-1/0/4.50;
    interface ge-1/0/4.10 exclude;
}

To apply a dynamic profile to a majority of interfaces on the device, use the interface all command and then specify the unwanted interfaces using the exclude command.



Configuring Extended DHCP Relay Agent (4 of 5)
▪ Configure overrides:
• Take precedence over default settings
• Overwrite giaddr
• Overwrite option 82
• Can clear existing or clear and add new
• Disable DHCP relay
• Useful to disable a specific group
• Can be configured per group or globally
[edit forwarding-options]
user@mx# show dhcp-relay
authentication {
    password lab123;
    username-include {
        domain-name jnpr.com;
        user-prefix radiususer;
    }
}
overrides {
    always-write-giaddr;
    always-write-option-82;
    always-trust-option-82;
}
group dhcp-relay-group {
    dynamic-profile dhcp-relay-dyn-profile;
    interface ge-1/0/3.0;
}



Configuring Extended DHCP Relay Agent (5 of 5)
▪ Define server groups:
• Specify group names
• Add relay server addresses
• Specify the active server group
• Configure server groups globally
• Configure active server groups globally or per interface group
[edit forwarding-options dhcp-relay]
user@mx# show
authentication {
    password lab123;
    username-include {
        domain-name jnpr.com;
        user-prefix radiususer;
    }
}
<snip>
server-group {
    dhcp-relay-group {
        10.0.0.10;
        10.1.1.10;
    }
    other-relay-srvr {
        20.0.0.20;
        20.1.1.20;
    }
}
group dhcp-relay-group {
    active-server-group dhcp-relay-group;
    dynamic-profile dhcp-relay-profile;
    interface ge-1/0/10.0;
}



Using Option 60 Information
▪ Use vendor-specific information to forward clients to specific DHCP servers
• Several configuration options
• ASCII or hex identifiers
• Match on exact or partial strings
• Can direct matching or non-matching traffic to specific relay servers, DHCP local server, or drop
• Can be configured globally or per group



Option 60 Configuration Example
[edit forwarding-options dhcp-relay]
user@mx# show
<snip>
server-group {
    dhcp-relay-group {
        10.0.0.10;
        10.1.1.10;
    }
    other-relay-srvr {
        20.0.0.20;
        20.1.1.20;
    }
}
group dhcp-relay-group {
    active-server-group dhcp-relay-group;
    dynamic-profile dhcp-relay-profile;
    relay-option-60 {
        vendor-option {
            equals {
                ascii acme-settop-box {
                    relay-server-group dhcp-relay-group;
                }
            }
            starts-with {
                hexadecimal 00 {
                    local-server-group dhcpgroup;
                }
            }
            default-relay-server-group other-relay-srvr;
        }
    }
    interface ge-1/0/10.0;
}
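
Added example, not Juniper code: a Python model of the relay-option-60 rules above, applied to the options field of a DHCP packet. It assumes an exact match is tried before starts-with, that the longest starts-with pattern wins, and that a packet without option 60 takes the default; the sample option bytes are constructed.

```python
def dhcp_options(options: bytes) -> dict:
    """Parse a DHCP options field (the bytes after the magic cookie)."""
    found, pos = {}, 0
    while pos < len(options):
        code = options[pos]
        if code == 0:                 # pad option, single byte
            pos += 1
            continue
        if code == 255:               # end option
            break
        if pos + 2 > len(options):
            raise ValueError("truncated option header")
        length = options[pos + 1]
        if pos + 2 + length > len(options):
            raise ValueError(f"option {code} overruns the options field")
        # Keep the first instance; RFC 3396 concatenation is out of scope here.
        found.setdefault(code, options[pos + 2:pos + 2 + length])
        pos += 2 + length
    return found


# The three rules from the slide, as (pattern, (action, target)) pairs.
RULES = {
    "equals": [(b"acme-settop-box", ("relay-server-group", "dhcp-relay-group"))],
    "starts-with": [(bytes.fromhex("00"), ("local-server-group", "dhcpgroup"))],
    "default": ("default-relay-server-group", "other-relay-srvr"),
}


def classify(options: bytes, rules=RULES):
    """Return the (action, target) that the option 60 rules select."""
    vendor = dhcp_options(options).get(60)
    if vendor is None:
        return rules["default"]       # assumption: no option 60 means no match
    for pattern, action in rules["equals"]:
        if vendor == pattern:         # assumption: exact match is tried first
            return action
    hits = [(p, a) for p, a in rules["starts-with"] if vendor.startswith(p)]
    if hits:                          # assumption: longest prefix wins
        return max(hits, key=lambda hit: len(hit[0]))[1]
    return rules["default"]


# Constructed option fields: message type (53) followed by option 60 and end.
SETTOP = b"\x35\x01\x01" + bytes([60, 15]) + b"acme-settop-box" + b"\xff"
HEX_PREFIX = b"\x35\x01\x01" + bytes([60, 3, 0x00, 0x01, 0x02]) + b"\xff"
OTHER = b"\x35\x01\x01" + bytes([60, 4]) + b"acme" + b"\xff"
NO_OPTION_60 = b"\x35\x01\x01\xff"

if __name__ == "__main__":
    for name, field in [("settop", SETTOP), ("hex", HEX_PREFIX),
                        ("other", OTHER), ("none", NO_OPTION_60)]:
        print(name, classify(field))
```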



Managing Option 82 Information
▪ Add option 82 information to help identify clients:
• circuit-id includes agent-circuit-id suboption
• Format is ge-fpc/pic/port:outer-vlan-id-inner-vlan-id
• Alternatively, can use interface description field
• Can also include a prefix
• Host name, logical system name, or routing instance name
• Format is hostname/logical-system-name;routing-instance-name:ge-fpc/pic/port:outer-vlan-id-inner-vlan-id
Example: r7:ge-1/0/7:1-1234
• Can be configured globally or per group
[edit forwarding-options dhcp-relay]
user@mx# show
<snip>
relay-option-82 {
    circuit-id {
        prefix {
            host-name;
        }
    }
}
<snip>
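
Added example, not Juniper code: a strict parser for the circuit-id layout given above, useful for checking values before they feed logging, pool matching, or username building. It assumes any two-letter media type is allowed in the interface name, that VLAN IDs fit in 12 bits, and that a bare prefix token is the host name; all sample values except r7:ge-1/0/7:1-1234 are constructed.

```python
import re

# Layout from the slide: [prefix:]ge-fpc/pic/port:outer-vlan-id-inner-vlan-id
# Assumption: any two-letter media type (ge, xe, ...) is accepted, not only ge.
CIRCUIT_ID = re.compile(
    r"(?:(?P<prefix>[A-Za-z0-9._/;-]+):)?"
    r"(?P<ifname>[a-z]{2}-(?P<fpc>\d+)/(?P<pic>\d+)/(?P<port>\d+)):"
    r"(?P<outer>\d+)-(?P<inner>\d+)"
)


def split_prefix(prefix: str) -> dict:
    """Split hostname/logical-system-name;routing-instance-name.

    Assumption: a bare token with no '/' is reported as the host name.
    """
    host, _, rest = prefix.partition("/")
    logical_system, _, routing_instance = rest.partition(";")
    return {
        "hostname": host or None,
        "logical_system": logical_system or None,
        "routing_instance": routing_instance or None,
    }


def parse_circuit_id(raw: bytes) -> dict:
    """Parse an agent-circuit-id value; raise ValueError if it does not fit."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("circuit-id is not ASCII") from exc
    m = CIRCUIT_ID.fullmatch(text)
    if m is None:
        raise ValueError(f"unexpected circuit-id layout: {text!r}")
    outer, inner = int(m["outer"]), int(m["inner"])
    if outer > 4095 or inner > 4095:   # assumption: VLAN IDs fit in 12 bits
        raise ValueError(f"VLAN ID out of range in {text!r}")
    fields = split_prefix(m["prefix"] or "")
    fields.update(
        interface=m["ifname"],
        fpc=int(m["fpc"]), pic=int(m["pic"]), port=int(m["port"]),
        outer_vlan=outer, inner_vlan=inner,
    )
    return fields


def triage(values):
    """Split circuit-id values into parsed records and rejected raw values."""
    parsed, rejected = [], []
    for raw in values:
        try:
            parsed.append(parse_circuit_id(raw))
        except ValueError:
            rejected.append(raw)
    return parsed, rejected


# Constructed sample values; only the first one appears on the slide.
SAMPLES = [
    b"r7:ge-1/0/7:1-1234",
    b"ge-1/0/7:1-1234",
    b"r7/ls1;vrf-a:ge-1/0/7:100-200",
    b"r7:ge-1/0/7:1-5000",
    b"r7:ge-1/0/7",
]

if __name__ == "__main__":
    good, bad = triage(SAMPLES)
    for record in good:
        print(record)
    print("rejected:", bad)
```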



Enabling DHCP Relay Proxy Mode
▪ Proxy mode is an override
[edit forwarding-options]
user@mx# show dhcp-relay
authentication {
    password lab123;
    username-include {
        domain-name jnpr.com;
        user-prefix radiususer;
    }
}
overrides {
    always-write-giaddr;
    always-write-option-82;
    proxy-mode;
}
group dhcp-relay-group {
    dynamic-profile dhcp-relay-dyn-profile;
    interface ge-1/0/3.0;
}



Monitoring DHCP Relay Agent
▪ Monitor using show and clear commands:
• show dhcp relay binding
• show dhcp relay statistics
• clear dhcp relay binding
• clear dhcp relay statistics
user@mx> show dhcp relay binding

user@mx> show dhcp relay statistics
Packets dropped:
    Total             0

Messages received:
    BOOTREQUEST       0
    DHCPDECLINE       0
    DHCPDISCOVER      0
    DHCPINFORM        0
    DHCPRELEASE       0
    DHCPREQUEST       0

Messages sent:
    BOOTREPLY         0
    DHCPOFFER         0
    DHCPACK           0
    DHCPNAK           0



Troubleshooting DHCP Relay Agent
 Traceoptions:
• Configure in the forwarding-options
dhcp-relay hierarchy level
[edit forwarding-options]
user@mx# show dhcp-relay
traceoptions {
file dhcprelaylogfile;
flag all;
}

• View using show log filename


[edit]
user@mx# run show log dhcprelaylogfile | last
Oct 6 19:32:51 relay-agent-interface-id NOT SET
Oct 6 19:32:51 v6 client-id NOT SET
Oct 6 19:32:51 Group relaygroup using base active-server-group
Oct 6 19:32:51 Group relaygroup using base dynamic-profile:
Oct 6 19:32:51 Got interface ge-1/0/7.0 with action 2
Oct 6 19:32:51 NO interface exclude
Oct 6 19:32:51 Add interface ge-1/0/7.0
Oct 6 19:32:51 jdhcpd_interface_config_find_in_rc: if_name ge-1/0/7.0, rc default:default (0x8335000), flags 0x1000
Oct 6 19:32:51 jdhcpd_interface_config_find_in_rc: grp_name relaygroup
Oct 6 19:32:51 Check for overlap



Subscriber Addressing
▪ Address-assignment:
• Address pools that can be used by DHCP local server
• Supports dynamic and static address assignment
• Static assignment uses client hardware address
• Pools can specify a network or ranges within a network
• Clients can match ranges based on specific parameters, such as option 82

[edit]
user@mx# show access
address-assignment {
    pool pool-name family inet {
        network network-address;
        range range-name {
            low lower-limit high upper-limit;
        }
        host hostname {
            hardware-address mac-address;
            ip-address ip-address;
        }
        dhcp-attributes {
            [protocol-specific attributes]
        }
    }
}


Use The Correct Hierarchy Level
▪ Two similar addressing hierarchy levels:
• Use address-assignment for DHCP client addressing
• address-pool is for L2TP address pools

[edit]
user@mx# show access address-?
Possible completions:
> address-assignment Address assignment configuration
> address-pool Address pool



Configuring Subscriber Addressing (1 of 3)
▪ Define address-assignment pools:
• Specify a pool name
• Specify a network
• Define a range for dynamic address assignment
• Ranges are optional
[edit access]
user@mx# show address-assignment
pool 192-168-1-pool {
family inet {
network 192.168.1.0/24;
range dhcprange {
low 192.168.1.1;
high 192.168.1.100;
}
}
}



Configuring Subscriber Addressing (2 of 3)
▪ Define static address bindings:
• Map an IP address to a specific client
• Use hardware address
• Static addresses are removed from the pool
[edit access]
user@mx# show address-assignment
pool 192-168-1-pool {
family inet {
network 192.168.1.0/24;
range dhcprange {
low 192.168.1.6;
high 192.168.1.9;
}
host server1 {
hardware-address 00:0c:29:a8:5a:dd;
ip-address 192.168.1.50;
}
}
}



Configuring Subscriber Addressing (3 of 3)
▪ Configure client-specific DHCP attributes:
• Specify any combination of parameters

[edit access]
user@mx# show address-assignment
pool 192-168-1-pool {
    family inet {
        network 192.168.1.0/24;
        range dhcprange {
            low 192.168.1.6;
            high 192.168.1.9;
        }
        dhcp-attributes {
            maximum-lease-time 86400;
            grace-period 3600;
            router {
                192.168.1.1;
            }
        }
        host server1 {
            hardware-address 00:0c:29:a8:5a:dd;
            ip-address 192.168.1.50;
        }
    }
}

DHCP Attributes: boot-file, boot-server, domain-name, grace-period, maximum-lease-time, name-server, netbios-node-type, option, option-match, router, tftp-server, wins-server


Using DHCP Options for Address Assignment
▪ Option 82 can define addressing:
• Value maps to a range
• Can use circuit ID or remote ID

[edit access address-assignment]
user@mx# show pool 101-pool
family inet {
    network 101.101.101.0/24;
    range A {
        low 101.101.101.2;
        high 101.101.101.25;
    }
    range B {
        low 101.101.101.26;
        high 101.101.101.50;
    }
    dhcp-attributes {
        option-match {
            option-82 {
                circuit-id DSLAM1 range A;
                circuit-id DSLAM2 range B;
            }
        }
        maximum-lease-time 86400;
    }
}

You must also configure the DHCP Local Server pool-match-order statement to match against option 82 information.
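The range selection configured on this slide, modeled as an added Python example (not Juniper code): it decodes a Relay Agent Information option as laid out in RFC 3046 and picks the 101-pool range for the circuit ID. Exact-match comparison, lowest-free allocation, the `None` result for an unmatched circuit ID, and all function names are assumptions of this model, not documented Junos behavior.

```python
import ipaddress

CIRCUIT_ID, REMOTE_ID = 1, 2  # RFC 3046 sub-option codes

# Ranges and option-match entries copied from the slide's 101-pool.
RANGES = {
    "A": ("101.101.101.2", "101.101.101.25"),
    "B": ("101.101.101.26", "101.101.101.50"),
}
CIRCUIT_ID_TO_RANGE = {b"DSLAM1": "A", b"DSLAM2": "B"}


def build_option82(circuit_id, remote_id=b""):
    """Encode sub-options as a relay agent would (used for constructed input)."""
    data = bytes([CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id:
        data += bytes([REMOTE_ID, len(remote_id)]) + remote_id
    return data


def parse_option82(data):
    """Split an option 82 payload into {sub-option code: value}."""
    subopts, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d overruns option 82" % code)
        subopts[code] = value
        i += 2 + length
    return subopts


def select_range(option82):
    """Name of the range matched by the circuit ID, or None (assumed exact match)."""
    return CIRCUIT_ID_TO_RANGE.get(parse_option82(option82).get(CIRCUIT_ID))


def allocate(option82, mac, leases):
    """Lease the lowest free address in the matched range; None if no match or full."""
    name = select_range(option82)
    if name is None:
        return None
    low, high = (ipaddress.ip_address(a) for a in RANGES[name])
    current = leases.get(mac)
    if current is not None and low <= current <= high:
        return current  # the client keeps its existing binding
    in_use = set(leases.values())
    addr = low
    while addr <= high:
        if addr not in in_use:
            leases[mac] = addr
            return addr
        addr += 1
    return None  # range exhausted


if __name__ == "__main__":
    leases = {}
    # Constructed option 82 payloads and MAC addresses.
    print(allocate(build_option82(b"DSLAM1"), "00:0c:29:a8:5a:e7", leases))
    print(allocate(build_option82(b"DSLAM2", b"sub-17"), "00:0c:29:a8:5a:e8", leases))
```

Because the circuit ID alone steers a client into range A or B here, the model makes visible why option 82 should only be accepted from the relay agent that inserts it.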


Monitoring Subscriber Addressing
▪ Monitor using show commands:
• show network-access address-assignment pool
• show subscribers

user@mx> show network-access address-assignment pool 101-pool


IP address Hardware address Type
101.101.101.2 00:0C:29:A8:5A:E7 dhcp

user@mx> show subscribers


Interface IP Address User Name
demux0.1073741841 102.102.102.1 demuxuser
ge-1/0/5.0 103.103.103.1 rad@jnpr11.com
ge-1/0/2.1073741854
ge-1/0/2.1073741854 100.100.100.21 radiususer@jnpr.com
ge-1/0/3.0 101.101.101.2 radiususer@jnpr.com



Troubleshooting Subscriber Addressing
▪ Traceoptions:
• Configure in the system processes general-authentication-service hierarchy level

[edit system processes]
user@mx# show
general-authentication-service {
    traceoptions {
        file addr-assign-pool size 1m files 5 world-readable;
        flag address-assignment;
    }
}

Traceoptions Flags: address-assignment, all, configuration, framework, jsrc, ldap, local-authentication, radius

• View using show log filename

user@mx> show log addr-assign-pool | last
Oct 4 04:19:48 Received subscriber login request, subscriber-id=3e
Oct 4 04:19:48 Decoding attribute 4 length 4
Oct 4 04:19:48 Decoding attribute 100 length 6
Oct 4 04:19:48 Decoding attribute 19b length 4
Oct 4 04:19:48 Processing address request in default:default network 101.101.101.101 mac 00:0C:29:A8:5A:E7
Oct 4 04:19:48 Processing rule Network-Match
Oct 4 04:19:48 addressGetNext in pool 101-pool
Oct 4 04:19:48 Searching for available address in range default, low=101.101.101.1, high=101.101.101.255, next=101.101.101.2
Oct 4 04:19:48 Trying to assign address 101.101.101.2 to subscriber 62


L2TP Overview
▪ L2TP tunnels Layer 2 (PPP) connections
• Tunnels Layer 2 between an LAC and an LNS

[Figure: a subscriber connects by PPPoE to the LAC (MX Router); L2TP crosses the telco provider network to the LNS (M120) at the ISP]

The MX Router can only perform the LAC function. The LNS function is supported on certain M Series routers.


PPPoE Session Initiation
[Figure: subscriber, LAC (MX Router) with RADIUS, LNS (M120) with RADIUS, ISP; LCP ConfReq and LCP ConfAck are exchanged in both directions between subscriber and LAC, followed by initial authentication]

▪ PPPoE session initiated to the LAC:
• LAC performs initial authentication and determines whether to:
• Terminate PPPoE session locally or
• Tunnel PPP session to an LNS
• Tunnel attributes obtained:
• Tunnel profile
• RADIUS
• Domain map


Domain Mapping
▪ A domain map is based on the subscriber’s domain name
• Applies session-specific parameters
• Tunnel profile
• Access profile
• Dynamic profile
• Address pool
• Used in LAC tunnel selection
▪ Default domain map
• Applies to subscribers when existing domain maps don’t match the subscriber’s domain name


LAC Tunnel Selection
▪ LAC tunnel selection:
• Domain map configuration options
• 31 tunnel destinations per domain
• Up to 8 levels of preference
• Up to 31 destinations per preference level

[Figure: dave@xyz.com connects to the LAC (MX Router, with RADIUS), which makes its 1st through 4th tunnel attempts to four LNS destinations labeled with preference values 100, 200, and 300]


Configuring an L2TP LAC
▪ Configure a tunnel profile:
• Specify the tunnel profile name
• Specify the tunnel ID
• Configure the LAC IP address
• Configure the LNS IP address
• Configure any optional parameters
• Preference level
• LAC hostname
• LNS hostname
• Maximum number of sessions allowed
• Juniper RADIUS VSA 26-69 Tunnel-Password

[edit]
user@mx# show access
tunnel-profile TestProfile {
    tunnel 1 {
        preference 100;
        remote-gateway {
            address 172.16.98.4;
            gateway-name LNS;
        }
        source-gateway {
            address 192.168.4.10;
            gateway-name LAC;
        }
        secret "$9$Bih1clKvLNVYWLHmT3tpWLx7-w"; ## SECRET-DATA
        max-sessions 32;
    }
}


Configuring a Domain Map
▪ Configure a domain map:
• Specify the domain map name
• Apply the tunnel profile
• Apply the access profile
• Apply the dynamic profile
• Apply the address pool

[edit]
user@mx# show access
domain {
    map xyz.com {
        access-profile AccProfile1;
        address-pool Pool1;
        dynamic-profile DynProfile1;
        tunnel-profile TestProfile;
    }
    map default {
        access-profile AccessDefault;
        address-pool DefaultPool;
        dynamic-profile DynDefault;
        tunnel-profile TunnelDefault;
    }
}


Dynamic PPPoE for Subscriber Access


Traditional PPP Subscriber Access
▪ PPP provides communication between two nodes

[Figure: a dial-up networking client connects over the PSTN (dial-up or leased lines) to a RAS on the provider ATM network, which reaches the Internet and an office network with a database, network server, and file sharing]


PPP in Ethernet Access Networks

[Figure: residential gateways (RG) connect through an MSAN, an access node, and ONT/OLT equipment over Gigabit Ethernet to an MX960]

▪ Ethernet-based access networks:
• Reduce the distance between the CPE and access node
• IPTV, VOD, VoIP, and gaming require higher bandwidth and advanced QoS


PPPoE

[Figure: subscribers diane@isp1.com and tim@isp1.com (MAC=A) connect through an RG to the MX960 BSR (MAC=X), which reaches ISP1 and ISP2]

Frame layers shown in the figure, innermost first:
• IP: DA IP=2.2.2.2, SA IP=1.1.1.2
• PPP Header
• PPPoE Header: SessionID=0x123
• Ethernet: EtherType=0x8864, DA MAC=X, SA MAC=A
• Physical

▪ PPPoE:
• General frame format
• PC requirements
• Two stages of PPPoE:
• Discovery stage
• PPP session stage


PPPoE Discovery Stage

[Figure: subscribers diane@isp1.com and tim@isp1.com (MAC=A) connect through an RG to the MX960 BSR (MAC=X), which reaches ISP1 and ISP2]

Discovery packets shown in the figure, in order:
• PADI (PPPoE Active Discovery Initiation), client to router: DA=FF, SA=A, Type=Disc, PPPoE SessionID=0000
• PADO (PPPoE Active Discovery Offer), router to client: DA=A, SA=X, Type=Disc, PPPoE Services
• PADR (PPPoE Active Discovery Request), client to router: DA=X, SA=A, Type=Disc, PPPoE SessionID=0000
• PADS (PPPoE Active Discovery Session Confirmation), router to client: DA=A, SA=X, Type=Disc, PPPoE SessionID=1234
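The four-message discovery exchange on this slide, as an added Python example rather than Juniper code: it parses PPPoE discovery frames per RFC 2516 and checks each one against the addressing and session-ID rules the slide draws. The MAC addresses and frames are constructed samples, and the function names are this example's own.

```python
import struct

ETH_DISCOVERY = 0x8863  # PPPoE discovery stage (RFC 2516)
ETH_SESSION = 0x8864    # PPP session stage, the EtherType on the frame-format slide
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_SERVICE_NAME_ERROR = 0x0201
BROADCAST = b"\xff" * 6


def parse_tags(payload):
    """Decode the TLV tags carried in a discovery payload."""
    tags, i = [], 0
    while i < len(payload):
        if i + 4 > len(payload):
            raise ValueError("truncated tag header")
        tag_type, tag_len = struct.unpack("!HH", payload[i:i + 4])
        value = payload[i + 4:i + 4 + tag_len]
        if len(value) != tag_len:
            raise ValueError("tag 0x%04x overruns the payload" % tag_type)
        if tag_type == TAG_END:
            break
        tags.append((tag_type, value))
        i += 4 + tag_len
    return tags


def parse_pppoe(frame):
    """Parse the Ethernet and PPPoE headers; decode tags for discovery frames."""
    if len(frame) < 20:
        raise ValueError("shorter than Ethernet + PPPoE headers")
    ethertype, ver_type, code, session_id, length = struct.unpack("!HBBHH", frame[12:20])
    if ethertype not in (ETH_DISCOVERY, ETH_SESSION):
        raise ValueError("not a PPPoE EtherType")
    if ver_type != 0x11:
        raise ValueError("PPPoE version and type must both be 1")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("PPPoE length field exceeds the frame")
    return {
        "dst": frame[0:6], "src": frame[6:12], "ethertype": ethertype,
        "name": CODES.get(code, "code 0x%02x" % code), "session_id": session_id,
        "tags": parse_tags(payload) if ethertype == ETH_DISCOVERY else [],
    }


def check_discovery(info):
    """Return the discovery-stage rules a parsed frame violates (empty list if none)."""
    problems = []
    name, tag_types = info["name"], [t for t, _ in info["tags"]]
    if info["ethertype"] != ETH_DISCOVERY:
        problems.append("not a discovery-stage EtherType")
    if name == "PADI" and info["dst"] != BROADCAST:
        problems.append("PADI is not broadcast")
    if name in ("PADO", "PADR", "PADS") and info["dst"] == BROADCAST:
        problems.append(name + " must be unicast")
    if name in ("PADI", "PADO", "PADR") and info["session_id"] != 0:
        problems.append(name + " carries a nonzero session ID")
    if name == "PADS" and info["session_id"] == 0 and TAG_SERVICE_NAME_ERROR not in tag_types:
        problems.append("PADS confirms no session ID")
    if name in ("PADI", "PADR") and tag_types.count(TAG_SERVICE_NAME) != 1:
        problems.append(name + " needs exactly one Service-Name tag")
    if name == "PADO" and TAG_AC_NAME not in tag_types:
        problems.append("PADO lacks an AC-Name tag")
    return problems


def build(dst, src, code, session_id, tags):
    """Assemble a discovery frame (used only to construct the sample exchange)."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    header = struct.pack("!HBBHH", ETH_DISCOVERY, 0x11, code, session_id, len(payload))
    return dst + src + header + payload


MAC_A = bytes.fromhex("020000000a0a")    # constructed client MAC ("A" on the slide)
MAC_X = bytes.fromhex("020000000b0b")    # constructed router MAC ("X" on the slide)
EMPTY_SERVICE = (TAG_SERVICE_NAME, b"")  # zero-length Service-Name tag
AC_NAME = (TAG_AC_NAME, b"mxC-1")        # AC name as in the page's show pppoe output

EXCHANGE = [
    build(BROADCAST, MAC_A, 0x09, 0x0000, [EMPTY_SERVICE]),       # PADI
    build(MAC_A, MAC_X, 0x07, 0x0000, [EMPTY_SERVICE, AC_NAME]),  # PADO
    build(MAC_X, MAC_A, 0x19, 0x0000, [EMPTY_SERVICE]),           # PADR
    build(MAC_A, MAC_X, 0x65, 0x1234, [EMPTY_SERVICE]),           # PADS
]


def walk_exchange(frames=EXCHANGE):
    """Parse each frame and return (name, session ID, rule violations)."""
    result = []
    for frame in frames:
        info = parse_pppoe(frame)
        result.append((info["name"], info["session_id"], check_discovery(info)))
    return result


if __name__ == "__main__":
    for name, sid, problems in walk_exchange():
        print(name, "session 0x%04x" % sid, problems or "ok")
```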


PPP Session Stage

[Figure: subscribers diane@isp1.com and tim@isp1.com (MAC=A) connect through an RG to the MX960 BSR (MAC=X), which reaches ISP1 and ISP2]

Session packets shown in the figure:
• PPP LCP, client to router: DA=X, SA=A, Type=PPP, PPPoE SessionID=1234
• PPP LCP, router to client: DA=A, SA=X, Type=PPP, PPPoE SessionID=1234

▪ PPP data is sent like any other PPP session


Dynamic PPPoE Connections
▪ Dynamic PPPoE connections:
• Client-to-server relationship
• The MX router is the PPPoE server, also referred to as a remote access concentrator
• The client connects over an underlying Ethernet interface on the router
• The router provides address assignment and PPP attributes to the client
• Uses dynamic profiles

A dynamic profile associates the subscriber’s PPPoE connection with an underlying Ethernet interface on the router.

[Figure: a dynamic PPPoE client connects through Layer 2 aggregation to the MX RAC, which reaches a RADIUS server and the ISP RADIUS server]


PPPoE RADIUS Authentication
▪ The RADIUS server authenticates the PPPoE client’s username and password
• The router interacts with RADIUS to perform authentication, necessary for NCP negotiation

[Figure: the dynamic PPPoE client sends a CHAP or PAP packet containing username and password to the MX remote access concentrator; the packet is forwarded to the RADIUS server; an Access-Accept packet is sent back; the router negotiates NCP with the client]

The users file on the RADIUS server must contain an entry for the PPPoE client.


Dynamic PPPoE Address Assignment
▪ Dynamic PPPoE address assignment:
• You can configure the router to provide the client an IP address within the dynamic profile configuration
• You can configure the RADIUS server to assign an IP address using IETF attributes:
• Framed-IP-Address (8)
• Framed-Pool (88)

[Figure: the router sends an authentication request to the RADIUS server; the Access-Accept packet can contain IETF attributes]


Sequence of Operations (1 of 3)
▪ Dynamic PPPoE discovery

[Figure: dynamic PPPoE client, Layer 2 aggregation, MX RAC; PADI, PADO, PADR, and PADS are exchanged; a dynamic profile lookup to create the pp0 logical interface on the router]

1. The client broadcasts a PADI packet.
2. The router responds to the PADI packet by sending a PADO packet to the client.
3. The client sends a unicast PADR packet to the RAC.
4. The router receives the PADR packet on the underlying interface associated with a PPPoE dynamic profile. The router uses the dynamic profile to create the dynamic pp0 logical interface.
5. The router sends a PADS packet to the client to confirm establishment of the PPPoE connection.


Sequence of Operations (2 of 3)
▪ PPP session establishment

[Figure: dynamic PPPoE client, Layer 2 aggregation, MX, RADIUS server; LCP, authentication packet, Access-Request, Access-Response, NCP, address assignment, NCP completes]

6. The client and router use LCP to negotiate the PPP connection.
7. The client sends an authentication packet to the router.
8. The RADIUS server authenticates the client’s credentials.
9. The router uses NCP to negotiate the IP routing protocol and network family.
10. The router provides address assignment and adds the client address to the route table.
11. The router instantiates the dynamic profile and applies attributes to the subscriber interface. NCP completes and traffic flows between the client and the router.


Sequence of Operations (3 of 3)
▪ Dynamic PPPoE subscriber disconnect process

[Figure: dynamic PPPoE client, Layer 2 aggregation, MX, RADIUS server; LCP Termination Request, PADT, Acct-Stop; the MX removes the client route and removes the PPPoE logical interface]

1. The client terminates the PPP connection and sends an LCP termination request.
2. The router removes the client access route from the routing table.
3. The router sends a PADT packet to end the PPPoE connection.
4. The router deactivates the subscriber and sends the RADIUS server an Acct-Stop accounting message.
5. The router de-instantiates the PPPoE dynamic profile and removes the PPPoE logical interface.


Dynamic PPPoE Benefits
▪ Dynamic PPPoE benefits:
• On-demand dynamic interface creation
• Dynamic removal of PPPoE subscriber interfaces
• Dynamically manage multiple PPPoE subscribers
• DoS protection
• Service name table support



Dynamic PPPoE Configuration Elements
▪ Dynamic PPPoE configuration elements:
• Dynamic profile
• Creates dynamic interfaces and assigns subscriber attributes
• Specifies the router’s pp0 logical interface and pppoe-options
• Uses dynamic variables
• Underlying Ethernet interface configuration
• Specifies the PPPoE encapsulation type ppp-over-ether
• Applies the dynamic profile



Dynamic PPPoE Configuration (1 of 2)
▪ Dynamic profile
• Use dynamic variables and pp0 logical interface

[edit]
user@mx# show dynamic-profiles
pppoe-profile {
    interfaces {
        pp0 {
            unit "$junos-interface-unit" {
                ppp-options {
                    chap;
                    pap;
                }
                pppoe-options {
                    underlying-interface "$junos-underlying-interface";
                    server;
                }
                keepalives interval 30;
                family inet {
                    address 6.6.6.1/32;
                }
            }
        }
    }
}

Note (pp0): The PPPoE logical interface used by the router to provide PPP attributes.
Note (server): You must specify the server statement for the router to terminate PPPoE connections.


Dynamic PPPoE Configuration (2 of 2)
▪ Interface configuration
• Apply the dynamic profile to the underlying Ethernet interface

[edit]
user@mx# show interfaces
ge-1/0/0 {
    vlan-tagging;
    unit 1 {
        encapsulation ppp-over-ether;
        vlan-id 1;
        pppoe-underlying-options {
            dynamic-profile pppoe-profile;
        }
    }
}

Note (encapsulation ppp-over-ether): Required encapsulation type for PPPoE subscriber connections.


Verifying Dynamic PPPoE Configuration
▪ Verify using show commands:
• show pppoe underlying-interfaces
user@mx> show pppoe underlying-interfaces
ge-1/0/0.300 Index 70
State: Static, Dynamic Profile: None,
Max Sessions: 32000, Active Sessions: 1,
Service Name Table: None,
AC Name: mxC-1, Duplicate Protection: Off,

• show pppoe interfaces


user@mx> show pppoe interfaces
pp0.1 Index 71
State: Session Up, Session ID: 1, Type: Static,
Service name: <empty>, Remote MAC address: 00:0C:29:C9:F7:DE,
Session AC name: mxC-1,
Session uptime: 00:00:03 ago,
Underlying interface: ge-1/0/0.300 Index 70



PPPoE Service Name Tables
▪ The router can create a dynamic PPPoE subscriber interface based on service entries
• The service name table looks at client-provided information during PPPoE negotiations:
• The PPPoE service name
• The client’s ACI
• The client’s ARI
• The service name table defines the set of services that the router provides to the PPPoE client
• View table services with show pppoe service-name-tables


Service Name Tag Evaluation
▪ Service name tags are evaluated during PPPoE discovery
• A client can connect to multiple access concentrators
• Service name table entries represent the service name tags transmitted between client and router in a PPPoE control packet

[Figure: a dynamic PPPoE client connects through Layer 2 aggregation to two MX RACs; PADI, PADO, PADR, and PADS are exchanged]


Service Name Table Entries and Actions
▪ Service entry types:
• Named service
• A specific client service that the RAC can support
• Empty service
• A zero-length service tag that represents an unspecified service
• Any service
• The default service for nonempty service entries that do not match named or empty service entry types
▪ Service entry actions:
• Terminate, delay, or drop


ACI and ARI Pairs in Service Name Tables
▪ ACI and ARI pairs
• An agent circuit ID string identifies the DSLAM interface that initiated the service request
• An agent remote ID string identifies the subscriber on the DSLAM interface that initiated the service request
• Represents one or more PPPoE clients accessing the router by means of the PPPoE service name table
• Configured for a named service, empty service, or any service


Evaluation Order for Matching Client Information in PPPoE Service Name Tables
▪ Client service matching order:
1. The router evaluates ACI and ARI information for the any service entry
2. The router evaluates ACI and ARI information for the empty service entry and named service entries, and then evaluates other attributes configured for the empty service and named service entries
3. The router evaluates other attributes configured for the any service entry


Service Name Table Configuration (1 of 2)
▪ Define the service name table

[edit]
user@mx# show protocols
pppoe {
    service-name-tables TableDynamicPPPoE {
        service any {
            terminate;
            max-sessions 100;
            dynamic-profile AnyProfile;
            agent-specifier {
                aci "broadway-ge-1/0/1.0" ari "london" {
                    terminate;
                    dynamic-profile LondonProfile;
                    routing-instance LondonRI;
                }
            }
        }
        service empty {
            drop;
            agent-specifier {
                aci "dunstable-ge-1/0/0.1" ari "kanata" {
                    dynamic-profile BasicPppoeProfile;
                    delay 10;
                }
            }
        }
    }
}

Note (routing-instance): Specify the routing instance for the subscriber interface.
Note (dynamic-profile): Apply previously configured dynamic profiles.


Service Name Table Configuration (2 of 2)
▪ Configure the PPPoE underlying interface
• Apply the dynamic profile and service name table
[edit]
user@mx# show interfaces
ge-2/0/0 {
vlan-tagging;
unit 1 {
vlan-id 1;
pppoe-underlying-options {
dynamic-profile BasicPppoeProfile;
service-name-table TableDynamicPPPoE;
}
}
unit 2 {
vlan-id 2;
pppoe-underlying-options {
service-name-table TableDynamicPPPoE;
}
}
}



Service Name Table Benefits
▪ Service name table benefits include:
• Support for multiple PPPoE client services
• Provides tighter control over PPPoE client services
• Provides load balancing across multiple access concentrators in a mesh topology
• Creation of dynamic PPPoE subscriber interfaces in a specified routing instance
• Reserve a specified static PPPoE interface for use only by the PPPoE client with matching ACI and ARI information


Subscriber Interfaces and Dynamic Profiles


Interface Naming
▪ Interfaces are named according to:
• Interface media type (ge, so, at, and so forth)
• Line card (FPC) slot number
• Interface card (PIC) slot number
• Port number

Note: While some devices use different names for line cards and interface cards, the CLI almost always uses FPC and PIC.

Interface naming example: ge-0/2/3 = port 3 of a Gigabit Ethernet PIC in slot 2 on FPC 0
Other interface name designations exist, such as lo0, vlan, and ae
Note: Slot and port numbering begins with zero (0) rather than one (1).

[Figure: a line card (FPC) holding four interface cards (PICs)]


Logical Units
▪ Logical unit characteristics
• Similar to subinterfaces used by other vendors
• In the Junos OS, a logical unit is always required
• Separate in meaning from VLANs and do not need to match
• Generally good practice to make them match
• Support multiple protocol addresses
• Watch for multiple addresses when correcting mistakes!

ge-0/0/14.51



Interface Properties (1 of 2)
▪ Physical properties settings include:
• Data Link Layer protocol
• Link speed and duplex
• Physical MTU
▪ Logical properties settings include:
• Protocol family:
• inet, and so on
• Addresses
• Virtual circuits (VLAN tag, DLCI, and VPI or VCI)


Interface Properties (2 of 2)
▪ Configuration hierarchy
• Physical and logical interface properties are configured at their respective levels:

interfaces {
    interface-name {
        physical-properties;
        […]
        unit unit-number {
            logical-properties;
            […]
        }
    }
}

Physical properties are configured under the interface-name
Logical properties are configured under the unit-number


Interface Configuration Example
[edit]
user@mx# show interfaces
ge-0/0/2 {
    unit 0 {
        family inet {
            address 172.19.102.1/24;
            address 172.19.102.2/24 {
                preferred;
            }
        }
        family inet6 {
            address 3001::1/64;
        }
    }
}
lo0 {
    unit 0 {
        family inet {
            address 192.168.100.1/32;
            address 192.168.200.1/32 {
                primary;
            }
        }
    }
}

Note: Multiple addresses supported on a single unit
Note: Multiple protocol families supported on same logical unit (family inet is used for IPv4 and family inet6 is used for IPv6)
Use preferred option to select preferred address for interface
Use primary option to select primary address for interface


Terminology Check
▪ Interface shorthand terminology
• IFD: Interface descriptor
• Physical port
• IFL: Logical interface
• Logical unit
• IFF: Interface family
• Protocol

[edit]
user@mx# show interfaces
ge-0/0/2 {
    unit 100 {
        family inet {
            address 172.19.102.1/24;
            address 172.19.102.2/24 {
            }
        }
    }
}

In this output, ge-0/0/2 is the IFD, unit 100 is the IFL, and family inet is the IFF.


Unnumbered Interfaces
▪ Single IP address for multiple interfaces
• Provides IP addressing for the interface without explicitly assigning an address
• IP address conservation
• Unnumbered interface borrows an address from another (donor) interface
• Donor interface is usually loopback
• IP address of donor interface becomes the source address for unnumbered interface
• Can be used on Ethernet and IP demux interfaces
• Also point-to-point interfaces
• Borrower and donor interfaces must be in the same routing instance and logical system


Unnumbered Interface Example
[edit]
user@mx# show interfaces
ge-1/0/3 {
    unit 0 {
        family inet {
            unnumbered-address lo0.0;
        }
    }
}
ge-1/0/4 {
    unit 0 {
        family inet {
            unnumbered-address lo0.0 preferred-source-address 102.102.102.102;
        }
    }
}
lo0 {
    unit 0 {
        family inet {
            address 100.100.100.100/32;
            address 101.101.101.101/32;
            address 102.102.102.102/32;
        }
    }
}

Note: ge-1/0/3 uses IP address 100.100.100.100
Note: Use preferred-source-address to specify a nonprimary lo0.0 address

user@mx> show interfaces ge-1/0/3
Physical interface: ge-1/0/3, Enabled, Physical link is Up
<snip>
Logical interface ge-1/0/3.0 (Index 72) (SNMP ifIndex 199)
Flags: SNMP-Traps 0x4000000 Encapsulation: ENET2
Input packets : 10861
Output packets: 10855
Protocol inet, MTU: 1500
Flags: Unnumbered
Donor interface: lo0.0 (Index 64)
Preferred source address: 100.100.100.100
Protocol multiservice, MTU: Unlimited


Static 802.1Q VLANs
▪ Supports static VLANs:
• Standard (single-tagged) and stacked (dual-tagged) VLANs
• Mixed tagging, including support for untagged traffic
▪ General static VLAN configuration
• Two steps to configure:
1. Specify tagging type (IFD level)
2. Define VLAN tags (IFL level)
• Can specify single VLAN ID, list, or range
• native-vlan-id statement identifies the logical unit receiving untagged traffic

Static VLAN Configuration Examples
Single tagging—VLAN

[edit interfaces]
user@mx# show ge-1/0/0
vlan-tagging;
unit 0 {
    vlan-id 1234;
    family inet {
        address 192.168.1.1/24;
    }
}

Dual tagging—stacked VLAN

[edit interfaces]
user@mx# show ge-1/0/0
stacked-vlan-tagging;
unit 0 {
    vlan-tags outer 1 inner 234;
    family inet {
        address 192.168.1.1/24;
    }
}

Mixed tagging—standard and stacked VLANs

[edit interfaces]
user@mx# show ge-1/0/0
flexible-vlan-tagging;
unit 0 {
    vlan-id 1234;
    family inet {
        address 192.168.1.1/24;
    }
}
unit 1 {
    vlan-tags outer 1 inner 234;
    family inet {
        address 192.168.2.1/24;
    }
}

Mixed tagging—untagged traffic

[edit interfaces]
user@mx# show ge-1/0/0
flexible-vlan-tagging;
native-vlan-id 200;
unit 0 {
    vlan-id 1234;
    family inet {
        address 192.168.1.1/24;
    }
}
unit 1 {
    vlan-tags outer 1 inner 234;
    family inet {
        address 192.168.2.1/24;
    }
}


Dynamic VLANs
▪ Dynamic VLAN creation for subscriber management
• The Junos OS can dynamically create VLANs based on new subscriber connections
• Support for single tagging, dual tagging, and mixed tagging
▪ General dynamic VLAN configuration
1. Configure a dynamic profile and associate it with an interface
2. Specify the Ethernet packet type for the dynamic profile
3. Configure VLAN ranges for the dynamic profile


Dynamic VLAN Configuration Examples
Dynamic single-tagged VLAN

[edit interfaces]
user@mx# show ge-1/0/2
vlan-tagging;
auto-configure {
    vlan-ranges {
        dynamic-profile vlanprofile {
            accept inet;
            ranges {
                1-110;
            }
        }
    }
}

Dynamic stacked VLAN

[edit interfaces]
user@mx# show ge-1/0/2
flexible-vlan-tagging;
auto-configure {
    stacked-vlan-ranges {
        dynamic-profile vlanprofile {
            accept inet;
            ranges {
                1-1,any;
            }
        }
    }
}

You must also configure the associated dynamic profile to make use of these settings.


Dynamic Profiles Overview
▪ Dynamic profiles:
• Templates containing a set of characteristics
• Use to configure large groups of subscribers
• Support static and dynamic subscriber interfaces
• VLAN and IP demux interfaces
• Provide CoS, filtering, and multicast support per subscriber
• Configured in the dynamic-profiles hierarchy



Variables
▪ Variables are the ‘dynamic’ part of a dynamic profile
• Variables act as placeholders for dynamically obtained
information, used to configure a subscriber interface
• Profiles fill placeholders using incoming data from:
• An interface receiving a client PDU
• An external server (RADIUS)
• An internal default value associated with a user-defined variable
• The Junos OS provides predefined variables
• Generally relate to interface-specific data
• Can also configure user-defined variables



Common Predefined Variables (1 of 2)
▪ Static subscriber interfaces (static VLAN)
• $junos-interface-ifd-name
• Name of the dynamic interface to which the subscriber access client connects
• $junos-underlying-interface-unit
• Obtains the unit number for the underlying interface
▪ Static subscriber interfaces (dynamic VLAN)
• $junos-interface-ifd-name and $junos-interface-unit
• $junos-stacked-vlan-id and $junos-vlan-id
• Obtains the outer and inner VLAN IDs for the underlying interface


Common Predefined Variables (2 of 2)
▪ Dynamic subscriber interfaces (IP demux)
• $junos-interface-unit
• Creates a unit number for a dynamic demux interface or VLAN interface
• $junos-underlying-interface
• Creates a logical underlying interface for a dynamic demux interface
• $junos-subscriber-ip-address
• IP address of the subscriber

More predefined variables exist; see the Subscriber Access Configuration Guide for a complete list.


Configuring Dynamic Profiles (1 of 2)
1. Configure basic components
• Define a profile name
• Define the interface name
• Use variable to match interface of receiving interface
• $junos-interface-ifd-name
• Define the logical unit
• Use the $junos-underlying-interface-unit variable to match the unit value for the interface or the $junos-interface-unit variable to generate a new unit value

user@mx# show dynamic-profiles
basic-profile {
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-underlying-interface-unit";
        }
    }
}

When referencing existing interfaces, use $junos-underlying-interface-unit to match the unit value of the receiving interface.
When creating dynamic interfaces, use $junos-interface-unit to generate a unit value for the interface.


Configuring Dynamic Profiles (2 of 2)
2. Add additional components as desired
• Additional interface parameters
• Dynamic VLAN variables
• Dynamic IP demux interface
• CoS
• Firewall filters
• Configured outside profile
• Protocols (IGMP)
• User-defined variables

[edit dynamic-profiles]
user@mx# set basic-profile ?
Possible completions:
<snip>
> class-of-service Class-of-service configuration
> firewall Define a firewall configuration
> interfaces Interface configuration
> protocols Routing protocol configuration
> routing-instances Routing instance configuration
> routing-options Protocol-independent routing option configuration
> variables Dynamic variable configuration


Modifying Dynamic Profiles
▪ When to modify a profile:
• You cannot modify a dynamic profile while it is in use by a
subscriber
• If you make changes and commit, it fails
[edit]
user@mx# commit
error: Modified profile: basic-profile is in use by subscriber
error: foreign file propagation (ffp) failed

▪ How to modify a profile:


• Disconnect users and modify the existing profile
• Create a new profile and apply it to subscriber interface
• New subscribers use a new profile



Overview
 Subscriber interfaces:
• Static identification
• Reference VLAN interfaces in dynamic profile
• Dynamic identification
• Create variables for IP demux interfaces
• Subscriber interfaces are dynamically created by DHCP at subscriber
login



Statically Identifying Subscribers
 Two steps for statically identifying subscribers:
1. Configure the logical interfaces where clients will connect
• Static addressing or unnumbered
• Static VLAN interface per logical unit or dynamic VLAN ranges
2. Configure subscriber interfaces in a dynamic profile
• Use variables to specify the interface name and logical unit
• Use variables to specify VLAN IDs, if applicable
• The profile replaces variables with an actual interface name and logical
unit number (and VLAN IDs if applicable) of the interface that
received the DHCP request
• Device enables the subscriber interface and applies the profile
configuration parameters to the subscriber



Configuring Static Subscriber Identification
(1 of 2)
 Static VLANs
1. Configure the static VLAN interface
2. Reference the interface in a dynamic profile
• Include variables for IFD and IFL
[edit]
user@mx# show interfaces ge-1/0/4
vlan-tagging;
unit 0 {
    vlan-id 10;
    family inet {
        unnumbered-address lo0.0 preferred-source-address 100.100.100.100;
    }
}

user@mx# show dynamic-profiles
basic-profile {
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-underlying-interface-unit";
        }
    }
}

user@mx# show system
services {
    dhcp-local-server {
        group team5 {
            dynamic-profile basic-profile;
            interface ge-1/0/4.0;
        }
    }
}


Configuring Static Subscriber Identification
(2 of 2)
 Dynamic VLANs
1. Configure the dynamic VLAN interface
• Use the auto-configure statement, define VLAN ranges, and
specify the dynamic profile to use
2. Reference the interface and VLAN IDs in a dynamic profile
• Include variables for IFD, IFL, and VLAN IDs
[edit interfaces]
user@mx# show ge-1/0/2
flexible-vlan-tagging;
auto-configure {
    stacked-vlan-ranges {
        dynamic-profile vlanprofile {
            accept inet;
            ranges {
                1-1,any;
            }
        }
    }
}

[edit dynamic-profiles]
user@mx# show vlanprofile
interfaces {
    "$junos-interface-ifd-name" {
        unit "$junos-interface-unit" {
            vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
            family inet {
                unnumbered-address lo0.0 preferred-source-address 100.100.100.100;
            }
        }
    }
}

VLAN dynamic profiles do not support user-defined variables.

user@mx> show subscribers
Interface               IP Address       User Name
ge-1/0/2.1073741859
ge-1/0/2.1073741859     100.100.100.22   radiususer@lab.com

Dynamically Identifying Subscribers
 Two steps for dynamically identifying subscribers:
1. Configure the logical interfaces where clients will connect
• Static addressing or unnumbered
2. Configure IP demux interfaces in a dynamic profile
• Uses variables to specify the logical unit, the name of the underlying
interface, and the IP address of the subscriber
• The profile replaces variables with the actual interface name and
logical unit number of the interface that received the DHCP request
• Device dynamically creates the demux interface when the subscriber
successfully logs in



IP Demux Interfaces
 What are demux interfaces?
• Interfaces that share a common underlying logical interface
• The IP demux interface uses the underlying logical interface to receive
packets
• Dynamically created when a subscriber logs in
 Usage guidelines
• Configure the demux0 interface in the dynamic profile
• You can configure multiple logical units for demux0
• You must associate the demux interface with an underlying logical
interface
• You can group individual subscriber interfaces using interface sets to
provide the same level of service for a group of subscribers



Configuring Dynamic Subscriber Identification
 IP demux interfaces
1. Configure the physical and logical interface properties
• Include the demux-source inet statement
2. Configure the demux interface in a dynamic profile
• Use variables for unit number, underlying interface, and subscriber’s
DHCP-assigned IP address
[edit interfaces]
user@mx# show ge-1/0/7
description Team7;
stacked-vlan-tagging;
unit 0 {
    demux-source inet;
    vlan-tags outer 7 inner 1234;
    family inet {
        unnumbered-address lo0.0 preferred-source-address 104.104.104.104;
    }
}

[edit dynamic-profiles demux-profile]
user@mx# show
interfaces {
    demux0 {
        unit "$junos-interface-unit" {
            demux-options {
                underlying-interface "$junos-underlying-interface";
            }
            family inet {
                demux-source {
                    $junos-subscriber-ip-address;
                }
                unnumbered-address lo0.0 preferred-source-address 104.104.104.104;
            }
        }
    }
}

user@mx> show subscribers
Interface             IP Address      User Name
demux0.1073741857     104.104.104.2   demuxuser


Validating Subscriber Traffic
 MAC address validation:
• Enables the router to confirm that received packets have the
trusted IP and MAC source addresses
• Trusted address: When a DHCP local server or relay assigns an IP
address, the client’s resulting IP and MAC address combination is
trusted
• Provides additional security from spoofing
• Supported on static Ethernet interfaces and dynamic IP demux
interfaces



Configuring MAC Address Validation (1 of 2)
 Two validation types:
• Loose
• Forwards traffic when both IP and MAC source addresses are trusted
• Forwards traffic when the IP source address is not trusted
• Drops traffic when the IP source address is trusted, but the MAC
address is not trusted
• Strict
• Forwards traffic when both IP and MAC source addresses are trusted
• Drops traffic from all untrusted IP and MAC source addresses
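
The loose and strict rules above can be modelled as a lookup against the bindings learned from DHCP. This is an added example, not Juniper code: the class and function names are hypothetical, the trusted binding is taken from the show subscribers detail output on this page, and the other packets are constructed.

```python
from dataclasses import dataclass, field

FORWARD, DROP = "forward", "drop"


@dataclass
class TrustedBindings:
    """IP-to-MAC pairs that became trusted when DHCP assigned the address."""
    by_ip: dict = field(default_factory=dict)

    def learn(self, ip, mac):
        self.by_ip[ip] = mac.lower()      # normalise case before comparing

    def release(self, ip):
        self.by_ip.pop(ip, None)          # lease ended: binding no longer trusted

    def validate(self, src_ip, src_mac, mode):
        """Return FORWARD or DROP for one packet under 'loose' or 'strict'."""
        if mode not in ("loose", "strict"):
            raise ValueError("mode must be 'loose' or 'strict'")
        trusted_mac = self.by_ip.get(src_ip)
        if trusted_mac is None:
            # Source IP was never assigned by DHCP, so it is untrusted.
            # Loose forwards it anyway; strict drops it.
            return FORWARD if mode == "loose" else DROP
        # Trusted source IP: both modes require the MAC bound to it.
        return FORWARD if src_mac.lower() == trusted_mac else DROP


def compare_modes(bindings, packets):
    """Map each packet label to its (loose verdict, strict verdict)."""
    return {
        label: (bindings.validate(ip, mac, "loose"),
                bindings.validate(ip, mac, "strict"))
        for label, ip, mac in packets
    }


# Binding from the page's "show subscribers detail" output.
BINDINGS = TrustedBindings()
BINDINGS.learn("100.100.100.22", "00:00:36:00:00:01")

# Constructed sample packets: (label, source IP, source MAC).
SAMPLE_PACKETS = [
    ("legitimate subscriber", "100.100.100.22", "00:00:36:00:00:01"),
    ("trusted IP, other MAC", "100.100.100.22", "00:00:36:00:00:99"),
    ("self-assigned IP, known MAC", "100.100.100.50", "00:00:36:00:00:01"),
    ("unknown IP and MAC", "100.100.100.51", "00:00:36:00:00:99"),
]

if __name__ == "__main__":
    for label, (loose, strict) in compare_modes(BINDINGS, SAMPLE_PACKETS).items():
        print(f"{label:30} loose={loose:8} strict={strict}")
```

The two modes differ only for source addresses that DHCP never assigned: loose forwards them, strict drops them.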



Configuring MAC Address Validation (2 of 2)
Static subscriber interface

[edit]
user@mx# show interfaces ge-1/0/4
vlan-tagging;
unit 0 {
    vlan-id 1234;
    family inet {
        mac-validate strict;
        unnumbered-address lo0.0;
    }
}

Dynamic subscriber interface—loose

[edit dynamic-profiles SVLAN]
user@mx# show
interfaces {
    demux0 {
        unit "$junos-interface-unit" {
            demux-options {
                underlying-interface "$junos-underlying-interface";
            }
            family inet {
                mac-validate loose;
                demux-source {
                    $junos-subscriber-ip-address;
                }
                unnumbered-address lo0.0;
            }
        }
    }
}

Dynamic subscriber interface—strict

[edit]
user@mx# show interfaces ge-1/0/4
vlan-tagging;
unit 0 {
    vlan-id 1234;
    family inet {
        mac-validate strict;
        unnumbered-address lo0.0;
    }
}

Validation configured within a dynamic demux interface is always loose; you must configure strict validation in the underlying interface.

Monitoring and Troubleshooting Interfaces
 show commands
• show interfaces terse
• Displays interface operational status

user@mx> show interfaces terse
Interface               Admin Link Proto    Local
<snip>
ge-1/0/2                up    up
ge-1/0/2.32767          up    up   multiservice
ge-1/0/2.1073741859     up    up   inet
                                   multiservice
demux0                  up    up
demux0.1073741858       up    up   inet
<snip>

• show interfaces
• Displays detailed interface information, including parameters
inherited from a profile

user@mx> show interfaces ge-1/0/2
Physical interface: ge-1/0/2, Enabled, Physical link is Up
<snip>

  Logical interface ge-1/0/2.1073741859 (Index 73) (SNMP ifIndex 230)
    Flags: SNMP-Traps 0x104000 VLAN-Tag [ 0x8100.6 0x8100.104 ]  Encapsulation: ENET2
    Input packets : 1624
    Output packets: 1624
    Protocol inet, MTU: 1500
      Flags: Mac-Validate-Strict, Unnumbered
      Donor interface: lo0.0 (Index 64)
      Preferred source address: 100.100.100.100
    Protocol multiservice, MTU: Unlimited


Monitoring and Troubleshooting Subscribers
 show commands
• show subscribers
user@mx> show subscribers
Interface IP Address User Name
demux0.1073741858 102.102.102.3 demuxuser
ge-1/0/5.0 192.168.4.7 rad@lab.com
ge-1/0/3.0 101.101.101.8 radiususer@lab.com
ge-1/0/2.1073741859
ge-1/0/2.1073741859 100.100.100.22 radiususer@lab.com

• show subscribers detail


user@mx> show subscribers detail
<snip>

Type: DHCP
User Name: radiususer@lab.com
IP Address: 100.100.100.22
IP Netmask: 255.255.255.0
Logical System: default
Routing Instance: default
Interface: ge-1/0/2.1073741859
Interface type: Static
Dynamic Profile Name: dhcp-profile
MAC Address: 00:00:36:00:00:01
State: Active
Radius Accounting ID: 84
Login Time: 2009-10-06 04:03:52 UTC

Monitoring and Troubleshooting Dynamic Configuration
▪ show commands
• show dynamic-configuration
• Displays parameters generated from a profile
• Displays data fill for variables
• Works for all interfaces, not just IP demux

show dynamic-configuration is a hidden command.

user@mx> show dynamic-configuration session information session-id 72

Session info:
Accounting session ID: 72
IP address: 102.102.102.3
IP netmask: 255.255.255.0
Logical system name: default
Profile name: demux-profile
MAC address: 00:00:36:00:00:01
Routing instance: default
User name: demuxuser
Interface name: demux0.1073741858
Dynamic-configuration state: 2
Client session type: 1
IFL type: 2
Accounting type: 1
Accounting interval: 600
Underlying logical-interface: ge-1/0/4.0
Dynamic configuration:
junos-interface-unit: 1073741858
junos-subs-login-time: 2009-10-05 21:25:26 UTC
junos-underlying-interface: ge-1/0/4.0

user@mx> show subscribers detail
Type: DHCP
User Name: demuxuser
IP Address: 102.102.102.3
IP Netmask: 255.255.255.0
Logical System: default
Routing Instance: default
Interface: demux0.1073741858
Interface type: Dynamic
Dynamic Profile Name: SVLAN
MAC Address: 00:00:36:00:00:01
State: Active
Radius Accounting ID: 72
Login Time: 2009-10-05 21:25:26 UTC

Monitoring and Troubleshooting Dynamic VLANs
 show commands
• show auto-configuration interfaces
• Displays dynamic VLAN interfaces
user@mx> show subscribers
Interface IP Address User Name
demux0.1073741858 102.102.102.3 demuxuser
ge-1/0/5.0 192.168.4.7 rad@lab.com
ge-1/0/3.0 101.101.101.8 radiususer@lab.com
ge-1/0/2.1073741859
ge-1/0/2.1073741859 100.100.100.22 radiususer@lab.com

user@mx> show auto-configuration interfaces
Interface               Tags        State    Pending Op
ge-1/0/2.1073741859     0006/0104   Active   none

show auto-configuration is a hidden command.

• clear auto-configuration interfaces
• When a subscriber disconnects, the dynamic VLAN interface remains


Troubleshooting Dynamic VLANs
 Traceoptions
• Configure in the system auto-configuration
hierarchy level
[edit system]
user@mx# show auto-configuration
traceoptions {
    file autoconf;
    flag all;
}

This command is hidden.

Available traceoptions flags:
all
configuration
interfaces
io
rtsock
ui

• View using show log filename


user@mx# run show log autoconf | last
Oct 7 07:47:16 profile_request_delete: profile request failed, defering delete: Host is down
Oct 7 07:47:21 profile_request_delete: profile request failed, defering delete: Host is down
Oct 7 07:47:23 L2 Input: svlan packet, index 83, svtpid 0x8100, vtpid 0x8100
Oct 7 07:47:23 autoconfd_vlan_create: vtype 2, ge-1/0/7, profile7-autoVLAN, (7/77)
Oct 7 07:47:23 autoconfd_vlan_create: profile tags found (7/77), dropping duplicate request
Oct 7 07:47:26 profile_request_delete: profile request failed, defering delete: Host is down
Oct 7 07:47:28 L2 Input: svlan packet, index 83, svtpid 0x8100, vtpid 0x8100
Oct 7 07:47:28 autoconfd_vlan_create: vtype 2, ge-1/0/7, profile7-autoVLAN, (7/77)
Oct 7 07:47:28 autoconfd_vlan_create: profile tags found (7/77), dropping duplicate request



Restarting Processes
 Some relevant restart options:
• Restart autoconfd daemon: restart auto-configuration
• Restart demuxd daemon: restart ip-demux

user@mx> restart ?
Possible completions:
adaptive-services Adaptive services process
ancpd-service Access Node Control Protocol Process
application-identification Application-identification process
audit-process Audit process
auto-configuration Interface Auto-configuration
chassis-control Chassis control process
class-of-service Class-of-service process
database-replication Database Replication process
dhcp-service Dynamic Host Configuration Protocol process



Layer 3 and Layer 2 Wholesale Services


Junos Subscriber Reference Model
[Figure: Junos subscriber reference model. Labels: Access Network (MSAN, Edge Access); MX 960 (AAA services, DHCP relay/local server, dynamic profiles: interfaces, firewall filters, protocols (IGMP), class of service); Core Network (Steel-Belted Radius Server, DHCP Server, Diameter and SRC Server)]

AAA = authentication, authorization, and accounting
DHCP = Dynamic Host Configuration Protocol
IGMP = Internet Group Management Protocol
MSAN = Multi-Service Access Node
SRC = Session and Resource Control

Subscriber Wholesalers
 Wholesalers are:
• Access network providers
• Sometimes called incumbent networks
• Responsible for terminating the subscriber connection,
providing requested services, and partitioning subscriber traffic
for a retailer network

Wholesale access is the process by which the access network provider
partitions the network into separately manageable and accountable
subscriber segments for resale to retailer networks.


Retailers
 Retailers
• Internet service providers
• Allow wholesalers to provide services and retailer network
access within a wholesaler network space

Retailers allow subscribers access to the retailer network through a
defined routing instance or logical system within a wholesaler router.


Subscriber Wholesale Networks

[Figure: subscriber wholesale network. Labels: Wholesaler-Controlled Network Space (three MSANs, three MX960 routers with VRFs, Wholesaler RADIUS Server); Retailer Network Space (ISP 1, ISP 2, each with a Retailer RADIUS Server); Direct ISP-Facing Connection; NNI ISP-Facing Connections]


Layer 3 and Layer 2 Differences
 Layer 3 wholesale
• Partitions the wholesaler access network at the Network Layer
by associating the subscriber’s Layer 3 traffic with a distinct
retailer Layer 3 domain
• Supports both PPP and DHCP subscribers
 Layer 2 wholesale
• Backhauls a subscriber’s Layer 2 traffic to a retailer provider
network
• Supports dynamic VLAN subscriber access



Wholesale Configuration Options
 Wholesale configuration options:
• Fully static
• All interfaces, VLANs and routing instances are configured statically
• Static VLANs and dynamic demux interfaces
• Demux interfaces are dynamically created over static VLANs
• Dynamic VLANs
• VLANs are dynamically created using the auto-configure
statement
• Dynamic VLANs and dynamic demux interfaces
• Demux interfaces are dynamically created over dynamic VLANs



Layer 3 DHCP Wholesale

 Layer 3 DHCP wholesale


• The MX Series router performs wholesale partitioning
• Termination of Layer 3 traffic in a routing instance or logical
system that corresponds to a retailer ISP network
[Figure: Layer 3 DHCP wholesale. Labels: DHCP Client, Layer 2 Aggregation, MX (VRF ISP1, VRF ISP2), Layer 3 VPN, Retailer ISP 1, Retailer ISP 2, Wholesaler RADIUS Server, Retailer RADIUS Server (two)]

Subscriber to Logical System and Routing
Instance Relationship
 Subscriber to LS:RI relationship:
• Established by the AAA framework
• Dynamic profiles use dynamic variables to trigger a RADIUS
response to decide which virtual router will authenticate the
subscriber
• $junos-routing-instance
• RADIUS uses vendor-specific attributes to select single- or
double-dip authentication
• Single authentication only authenticates against the wholesaler
RADIUS server
• Double-dip authentication performs authentication against both the
wholesaler and retailer RADIUS servers



RADIUS Vendor-Specific Attributes
 Juniper RADIUS VSAs can determine where subscriber
authentication occurs
• VSA: LSRI-Name
[Figure: single authentication. Labels: DHCP Client, Layer 2 Aggregation, MX, ISP VRF, Layer 3 VPN, Wholesaler RADIUS Server, Retailer RADIUS Server, Authentication, DHCP Discover/Request, DHCP Offer/Ack]
• VSA: Redirect-LSRI-Name
[Figure: double-dip authentication. Labels: DHCP Client, Layer 2 Aggregation, MX, ISP VRF, Layer 3 VPN, Wholesaler RADIUS Server, Retailer RADIUS Server, Authentication, Authentication on Redirect, DHCP Discover/Request, DHCP Offer/Ack]


VSA LSRI-Name DHCP Server Flow
[Sequence diagram. Column groups: Within MX, Default Routing Instance; Within MX, Retailer Routing Instance. Columns: DHCP Client; DHCP Server (Wholesaler); Access-Profile (RADIUS Client) (Wholesaler); RADIUS Server (Wholesaler); DHCP Server (Retailer); Access-Profile (RADIUS Client) (Retailer); RADIUS Server (Retailer)]
Messages and events, in the order they appear on the slide:
1. DHCP Discover
2. Access-Request
3. Access-Accept, LSRI-Name VSA
4. DHCP Request Forwarded to Retailer DHCP Server
5. DHCP Offer
6. DHCP Request
7. DHCP Ack
8. Instantiating Dynamic-profile
9. DEMUX interface is created on Retailer LSRI


VSA Redirect-LSRI-Name DHCP Server Flow
[Sequence diagram. Column groups: Within MX, Default Routing Instance; Within MX, Retailer Routing Instance. Columns: DHCP Client; DHCP Server (Wholesaler); Access-Profile (RADIUS Client) (Wholesaler); RADIUS Server (Wholesaler); DHCP Server (Retailer); Access-Profile (RADIUS Client) (Retailer); RADIUS Server (Retailer)]
Messages and events, in the order they appear on the slide:
1. DHCP Discover
2. Access-Request
3. Access-Accept, Redirect-LSRI-Name VSA
4. DHCP Request Forwarded to Retailer DHCP Server
5. Access-Request
6. Access-Accept
7. DHCP Offer
8. DHCP Request
9. DHCP Ack
10. Instantiating Dynamic-profile
11. DEMUX interface is created on Retailer LSRI


Retailer DHCP Relay with RADIUS VSAs
 Retailer DHCP Relay with Juniper RADIUS VSAs
• VSA: LSRI-Name
[Figure: Labels: DHCP Client, Layer 2 Aggregation, MX, ISP VRF, Layer 3 VPN, DHCP Server, Wholesaler RADIUS Server, Retailer RADIUS Server, Authentication, DHCP Discover/Request (shown twice), DHCP Offer/Ack]
• VSA: Redirect-LSRI-Name
[Figure: Labels: DHCP Client, Layer 2 Aggregation, MX, ISP VRF, Layer 3 VPN, DHCP Server, Wholesaler RADIUS Server, Retailer RADIUS Server, Authentication, Authentication on Redirect, DHCP Discover/Request (shown twice), DHCP Offer/Ack]


VSA LSRI-Name DHCP Relay Flow
[Sequence diagram. Column groups: Within MX, Default Routing Instance; Within MX, Retailer Routing Instance. Columns: DHCP Client; DHCP Relay (Wholesaler); Access-Profile (Wholesaler); RADIUS Server (Wholesaler); DHCP Relay (Retailer); Access-Profile (Retailer); DHCP Server (Retailer); RADIUS Server (Retailer)]
Messages and events, in the order they appear on the slide:
1. DHCP Discover
2. Access-Request
3. Access-Accept, LSRI-Name Retailer
4. Send traffic to Retailer Instance
5. DHCP Discover
6. DHCP Offer (shown on two segments)
7. DHCP Request (shown on two segments)
8. DHCP Ack (shown on two segments)
9. Instantiating Dynamic-profile and DEMUX interface


VSA Redirect-LSRI-Name DHCP Relay Flow
[Sequence diagram. Column groups: Within MX, Default Routing Instance; Within MX, Retailer Routing Instance. Columns: DHCP Client; DHCP Relay (Wholesaler); Access-Profile (Wholesaler); RADIUS Server (Wholesaler); DHCP Relay (Retailer); Access-Profile (Retailer); DHCP Server (Retailer); RADIUS Server (Retailer)]
Messages and events, in the order they appear on the slide:
1. DHCP Discover
2. Access-Request
3. Access-Accept, LSRI-Name Retailer
4. Send traffic to Retailer Instance
5. Access-Request
6. Access-Accept
7. DHCP Discover
8. DHCP Offer (shown on two segments)
9. DHCP Request (shown on two segments)
10. DHCP Ack (shown on two segments)
11. Instantiating Dynamic-profile and DEMUX interface


DHCP Wholesale Configuration Elements
 Layer 3 DHCP wholesale configuration elements:
• Loopback and IP demux interfaces
• Interface VLANs
• Dynamic profiles and associated variables
• Include the $junos-routing-instance variable
• Access profiles provide subscriber access information
• Routing instances
• Configure VRF for Layer 3 VPN to retailer network space



DHCP Wholesale Configuration (1 of 4)
 Configure dynamic profiles
[edit]
user@mx# show dynamic-profiles
Retailer {
    routing-instances {
        "$junos-routing-instance" {
            interface "$junos-interface-name";
        }
    }
    interfaces {
        demux0 {
            unit "$junos-interface-unit" {
                demux-options {
                    underlying-interface "$junos-underlying-interface";
                }
                family inet {
                    demux-source {
                        $junos-subscriber-ip-address;
                    }
                    unnumbered-address "$junos-loopback-interface";
                }
            }
        }
    }
}


DHCP Wholesale Configuration (2 of 4)
 Define the DHCP local server and interfaces
[edit]
user@mx# show system services
dhcp-local-server {
    dynamic-profile Retailer;
    group Retailer-Group {
        authentication {
            password juniper;
            username-include {
                domain-name lab.com;
                user-prefix student;
            }
        }
        interface ge-5/0/0.100;
    }
}

[edit]
user@mx# show interfaces
ge-5/0/0 {
    vlan-tagging;
    unit 100 {
        demux-source inet;
        vlan-id 100;
        family inet {
            unnumbered-address lo0.0;
        }
    }
    unit 301 {
        vlan-id 301;
        family inet {
            address 172.18.36.1/24;
        }
    }
}
lo0 {
    unit 0 {
        family inet {
            address 10.1.1.1/24;
        }
    }
    unit 1 {
        family inet {
            address 200.200.200.10/24;
        }
    }
}


DHCP Wholesale Configuration (3 of 4)
 Configure AAA settings
[edit]
user@mx# show | find access
access {
    radius-server {
        172.18.36.2 {
            secret "$9$NaVs4UjqQF/aZF/CtIR-Vw";
            source-address 172.18.36.1;
        }
    }
    profile MyProfile {
        authentication-order radius;
        radius {
            authentication-server 172.18.36.2;
        }
    }
    address-assignment {
        pool Wholesaler-Pool {
            family inet {
                network 10.1.1.0/24;
                range A {
                    low 10.1.1.100;
                    high 10.1.1.200;
                }
                dhcp-attributes {
                    maximum-lease-time 120;
                }
            }
        }
    }
}
access-profile MyProfile;


DHCP Wholesale Configuration (4 of 4)
 Configure the retailer routing instance
[edit]
user@mx# show routing-instances
Retailer {
    instance-type vrf;
    system {
        services {
            dhcp-local-server {
                pool-match-order {
                    external-authority;
                }
                dynamic-profile Retailer;
                group Retailer-Group {
                    authentication {
                        password juniper;
                        username-include {
                            domain-name lab.com;
                            user-prefix student;
                        }
                    }
                    interface ge-5/0/0.100;
                }
            }
        }
    }
    access {
        address-assignment {
            pool Retailer-Pool {
                family inet {
                    network 200.200.200.0/24;
                    range A {
                        low 200.200.200.100;
                        high 200.200.200.200;
                    }
                    dhcp-attributes {
                        maximum-lease-time 120;
                    }
                }
            }
        }
    }
    interface lo0.1;
    route-distinguisher 1000:2;
    vrf-import POLICY1;
    vrf-export POLICY2;
}


Layer 3 PPPoE Wholesale
 Layer 3 PPPoE wholesale requires:
• A dynamic profile using the pp0 interface
• The pp0 interface to use an unnumbered address on the
loopback interface
[Figure: Layer 3 PPPoE wholesale. Labels: PPPoE Client, Layer 2 Aggregation, MX (VRF ISP1, VRF ISP2), Layer 3 VPN, Retailer ISP 1, Retailer ISP 2, Wholesaler RADIUS Server, Retailer RADIUS Server]


PPPoE Wholesale Configuration Elements
 Layer 3 PPPoE wholesale configuration elements:
• Loopback interfaces
• Interface VLANs
• Dynamic profiles and associated variables
• Include the pp0 interface
• Access profiles provide subscriber access information
• Routing instances
• Configure VRF for Layer 3 VPN to retailer network space



PPPoE Wholesale Configuration (1 of 2)
 Configure the dynamic profile
[edit]
user@mx# show dynamic-profiles
PPPoE-Retailer-Profile {
    routing-instances {
        "$junos-routing-instance" {
            interface "$junos-interface-name";
        }
    }
    interfaces {
        pp0 {
            unit "$junos-interface-unit" {
                ppp-options {
                    chap;
                    pap;
                }
                pppoe-options {
                    underlying-interface "$junos-underlying-interface";
                    server;
                }
                family inet {
                    unnumbered-address "$junos-loopback-interface";
                }
            }
        }
    }
}


PPPoE Wholesale Configuration (2 of 2)
 Define the interfaces and routing instance
[edit]
user@mx# show interfaces
ge-9/3/0 {
    flexible-vlan-tagging;
    unit 14 {
        encapsulation ppp-over-ether;
        vlan-id 14;
        pppoe-underlying-options {
            dynamic-profile PPPoE-Retailer-Profile;
        }
    }
    unit 301 {
        vlan-id 301;
        family inet {
            address 172.18.36.1/24;
        }
    }
    unit 302 {
        vlan-id 302;
        family inet {
            address 172.18.90.101/24;
        }
    }
}
lo0 {
    <snip>
    unit 2 {
        family inet {
            address 203.0.0.1/24;
        }
    }
}

[edit]
user@mx# show routing-instances
PPPoE_Retailer_Instance {
    instance-type vrf;
    access-profile PPPoE-Retailer-Access;
    interface ge-9/3/0.302;
    interface lo0.2;
    route-distinguisher 1:1;
    vrf-import policyImport;
    vrf-export policyExport;
}

[edit]
user@mx# show access | find profile
profile MyProfile {
    authentication-order radius;
    radius {
        authentication-server 172.18.36.2;
    }
}
profile PPPoE-Retailer-Access {
    authentication-order radius;
    radius {
        authentication-server 172.18.90.105;
    }
}


Layer 2 Wholesale
 Backhauls a subscriber’s Layer 2 traffic to a retailer
provider network
[Figure: Layer 2 wholesale. Labels: Dynamic VLAN Subscriber, Layer 2 Aggregation, MX (VRF ISP1, VRF ISP2), VPLS, Retailer ISP 1, Retailer ISP 2, Wholesaler RADIUS Server, Retailer RADIUS Server (two)]


Layer 2 Wholesale Configuration Elements
 Layer 2 wholesale configuration elements:
• Dynamic VLAN access interface
• Uses the auto-configure statement
• Dynamic profile
• Configure single-tagged or stacked VLANs
• VLAN-map statement
• Interface VLANs
• Configure VLAN ranges and apply the dynamic profile
• Access profile
• Retailer routing instance
• Configure a Layer 2 connection to the retailer network



Layer 2 Wholesale VLAN Operations
 VLAN operations using a VLAN map:
• Push
• Adds an outer VLAN tag
[Figure: push at the MX: a packet tagged VLAN 10 gains outer tag VLAN 20 and keeps VLAN 10 as the inner tag]
• Pop
• Removes an outer VLAN tag
[Figure: pop at the MX: a packet tagged VLAN 20 and VLAN 10 leaves tagged VLAN 10]
• Swap
• Rewrites the VLAN tag
[Figure: swap at the MX: VLAN 10 becomes VLAN 30]


Input and Output VLAN Map Statements
 Configuring VLAN map statements
• The input-vlan-map statement
Configure the input-vlan-map statement only when there is a need either
to push an outer tag on a single-tagged packet or to modify the outer
tag in a dual-tagged packet.

• The output-vlan-map statement
Configure the output-vlan-map statement only when there is a need either
to pop or to modify the outer tag in a dual-tagged packet.


Layer 2 Wholesale Configuration (1 of 3)
 Define the dynamic profile
[edit]
user@mx# show dynamic-profiles
L2_Subscriber_Profile {
    routing-instances {
        "$junos-routing-instance" {
            interface "$junos-interface-name";
        }
    }
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-interface-unit" {
                encapsulation vlan-vpls;
                vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                input-vlan-map {
                    swap;
                    vlan-id "$junos-vlan-map-id";
                }
                output-vlan-map swap;
                family vpls;
            }
        }
    }
}


Layer 2 Wholesale Configuration (2 of 3)
 Configure the dynamic VLAN access interface

[edit]
user@mx# show interfaces
ge-1/3/0 {
    flexible-vlan-tagging;
    auto-configure {
        stacked-vlan-ranges {
            dynamic-profile L2_Subscriber_Profile {
                accept any;
                ranges {
                    any,any;
                }
            }
            access-profile Access-Profile;
        }
    }
    encapsulation flexible-ethernet-services;
}


Layer 2 Wholesale Configuration (3 of 3)
 Create the retailer Layer 2 routing instance
[edit]
user@mx# show routing-instances
Retailer {
    instance-type vpls;
    no-local-switching;
    qualified-bum-pruning-mode;
    route-distinguisher 10.10.1.1:1;
    vrf-target target:100:1;
    protocols {
        vpls {
            site-range 1000;
            no-tunnel-services;
            site A-PE {
                site-identifier 1;
            }
            connectivity-type permanent;
        }
    }
}


Dynamic Firewall Services



Firewall Filter Components

Firewall filters consist of one or more terms; the software evaluates
terms sequentially until it reaches a terminating action.

[Figure: filter my-filter with term firstterm and term secondterm, each with a from and a then statement, followed by term Default (discard); a match leads to the term's then statement, no match leads to the next term]
• Filter and term names are user-defined
• From statements describe match conditions
• Then statements describe the actions to take if a match with the
from statement occurs
• Default action for packets not explicitly allowed: discard

Note: Ordering matters! If you must reorder terms within a filter, consider using the insert CLI command.


Common Match Criteria

▪ Firewall filter match criteria:
• Can match based on most header fields:
• Match condition categories include:
• Numeric range
• Address
• Bit field

[Figure: term firstterm with from and then statements; from statements describe match conditions]


Firewall Filter Actions
 Common actions in firewall filters:
• Terminating actions:
• accept
• discard
• next term
• reject
• Action modifiers:
• count, log, syslog
• forwarding-class, loss-priority
• policer

[Figure: term firstterm with from and then statements; then statements describe the actions to take if a match with the from statement occurs]

The software discards all traffic not explicitly allowed!

Implementing Firewall Filters (1 of 2)
 Define the firewall filter protocol family
[edit firewall family inet]
user@mx# show
filter filter-in {
    term block-some-packets {
        from {
            source-address {
                10.10.10.0/24;
            }
        }
        then {
            count spoof-in;
            discard;
        }
    }
    term accept-others {
        then accept;
    }
}

The software applies family inet filters only to interfaces running IPv4.

[Figure: filter my-filter with term firstterm, term secondterm, and term Default (discard)]


Implementing Firewall Filters (2 of 2)

 Apply the filter direction


• As input or output filters
• The protocol family on the interface and filter must match
[edit interfaces ge-0/0/1]
user@mx# show
unit 0 {
    family inet {
        filter {
            input filter-in;
            output filter-out;
        }
        address 172.30.25.2/30;
    }
}

The software applies firewall filters using input and output statements.
• Input firewall filters control traffic entering an interface
• Output firewall filters control traffic leaving an interface

[Figure: MX router with input and output filter points on its interfaces]


Firewall Policing

 Firewall policing:
• Also called rate-limiting
• Enables you to limit the amount of traffic that passes into or out
of an interface
• Works with firewall filters to thwart DoS attacks
• Common actions include discard and setting loss-priority level
• Uses average bandwidth and maximum burst size



Policing Configuration Example
[edit firewall]
user@mx# show
policer p1 {
    if-exceeding {
        bandwidth-limit 400k;
        burst-size-limit 100k;
    }
    then discard;
}
family inet {
    filter rate-limit-subnet {
        term match-subnet {
            from {
                source-address {
                    192.100.1.0/24;
                }
            }
            then {
                policer p1;
            }
        }
        term else-accept {
            then accept;
        }
    }
}

• The policer p1 stanza defines the policer; policer p1 in the then statement references it
• You must apply filter!
• bandwidth-limit
  • In bits per second
  • 30,520 bps to 4.29 Gbps
• burst-size-limit
  • In bytes
  • Minimum should = 10 times MTU (low speed) or bandwidth times 3–5 milliseconds (high speed)
Note: Filter must account for routing and management protocols
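The following Python model is an added example, not Juniper code and not part of the original slides. It runs policer p1 (bandwidth-limit 400k, burst-size-limit 100k, then discard) as a single-rate token bucket against constructed traffic and computes the slide's two burst-size rules; the bucket model, the function names, and the packet sizes and timings are assumptions of the example.

```python
"""Token-bucket model of the slide's policer p1 (added example, not Junos code)."""


def parse_junos_number(text):
    """'400k' -> 400000, '1m' -> 1000000 (k/m/g suffixes are powers of 1000)."""
    scale = {"k": 10**3, "m": 10**6, "g": 10**9}
    text = text.strip().lower()
    if text[-1] in scale:
        return int(text[:-1]) * scale[text[-1]]
    return int(text)


class Policer:
    """Single-rate, two-color policer: in-profile packets pass, the rest are discarded."""

    def __init__(self, bandwidth_limit, burst_size_limit):
        self.rate_bytes_per_s = parse_junos_number(bandwidth_limit) / 8  # limit is bits/s
        self.burst_bytes = parse_junos_number(burst_size_limit)          # limit is bytes
        self.tokens = float(self.burst_bytes)                            # bucket starts full
        self.last_t = 0.0

    def conforms(self, t, size_bytes):
        """Refill for the time since the previous packet, then try to spend tokens."""
        refill = (t - self.last_t) * self.rate_bytes_per_s
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last_t = t
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False  # out of profile: p1 says "then discard"


def run_flow(policer, packet_bytes, interval_s, count):
    """Offer equally spaced packets; return (forwarded, discarded, first_discard_index)."""
    forwarded = discarded = 0
    first_discard = None
    for i in range(count):
        if policer.conforms(i * interval_s, packet_bytes):
            forwarded += 1
        else:
            discarded += 1
            if first_discard is None:
                first_discard = i
    return forwarded, discarded, first_discard


def burst_guidance(bandwidth_limit, mtu_bytes):
    """The slide's sizing rules in bytes: 10 x MTU, and bandwidth x 3 to 5 ms."""
    bps = parse_junos_number(bandwidth_limit)
    return {
        "ten_mtu": 10 * mtu_bytes,
        "bw_3ms": bps * 3 // 8000,
        "bw_5ms": bps * 5 // 8000,
    }


if __name__ == "__main__":
    # Constructed flood: 1500-byte packets every 3 ms (4 Mbps) for about 2 seconds.
    # The full 100k-byte bucket lets the first packets through before the
    # 400k bit/s rate takes over and roughly one packet in ten is forwarded.
    print("flood    :", run_flow(Policer("400k", "100k"), 1500, 0.003, 667))
    # Constructed in-profile flow: 1500-byte packets every 40 ms (300 kbps).
    print("in-limit :", run_flow(Policer("400k", "100k"), 1500, 0.040, 50))
    print("guidance :", burst_guidance("400k", 1500))
```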



Unicast RPF Check
 Automates antispoofing filters based on the routing table
 Two modes:
• Strict (default)—accept packet if:
  • The packet’s source address matches an active route
  • The next hop of the active route uses the interface on which the packet arrived
• Loose—accept packet if:
  • The packet’s source address matches a prefix in the routing table
  • If the default route is present, packets always match loose mode
[Diagram: route table, with packets that passed the RPF check forwarded and packets that failed the RPF check sent to the bit bucket]


Unicast RPF Caveats (1 of 2)

 Active versus feasible paths (strict mode):


• By default, the software checks only active paths to a prefix, which can cause drops when multiple paths exist:
[Diagram: R1, R2, R3, and R4 between the Internet and 172.30.17.0/24, with the active path and the feasible path marked]
• Enable the option to consider all feasible paths (shown for R1):

routing-options {
    forwarding-table {
        unicast-reverse-path feasible-paths;
    }
}


Unicast RPF Caveats (2 of 2)

 Fail filters process traffic that fails the RPF check:


• Allows you to accept, log, or count traffic normally denied
• Required to permit DHCP or BOOTP traffic—denied by default by RPF

firewall {
    family inet {
        filter rpf-dhcp {
            term dhcp {
                from {
                    source-address {
                        0.0.0.0/32;
                    }
                    destination-address {
                        255.255.255.255/32;
                    }
                }
                then accept;
            }
        }
    }
}

Must permit traffic with a source address of 0.0.0.0/32 and a destination address of 255.255.255.255/32 for DHCP or BOOTP traffic.


RPF Example
ge-0/0/1 {
    unit 0 {
        family inet {
            rpf-check;
            filter {
                input input-ff;
                output output-ff;
            }
            address 172.30.25.2/30;
        }
    }
}
ge-0/0/2 {
    unit 0 {
        family inet {
            rpf-check fail-filter rpf-dhcp;
            address 172.19.2.1/30;
        }
    }
}
ge-0/0/3 {
    unit 0 {
        family inet {
            rpf-check fail-filter rpf-dhcp;
            address 172.27.102.1/24;
        }
    }
}

• rpf-check enables the RPF check on the interface
• rpf-check fail-filter rpf-dhcp applies the RPF fail filter (definition shown on previous slide)
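An added Python model (not Juniper code and not from the slides) of the strict and loose checks, the feasible-paths option, and the rpf-dhcp fail filter described on the preceding slides. The route table, its interface assignments, and the function names are constructed for the example, and the model covers only the cases the slides describe.

```python
"""Model of the unicast RPF decision and the rpf-dhcp fail filter (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    active_if: str            # interface used by the active path's next hop
    feasible_ifs: tuple = ()  # interfaces of other feasible (non-active) paths


# Constructed route table: 172.30.17.0/24 has an active and a feasible path,
# as on the caveats slide; 172.27.102.0/24 is connected on ge-0/0/3.
TABLE = (
    Route("172.30.17.0/24", active_if="ge-0/0/1", feasible_ifs=("ge-0/0/2",)),
    Route("172.27.102.0/24", active_if="ge-0/0/3"),
)
DEFAULT = Route("0.0.0.0/0", active_if="ge-0/0/1")


def best_route(table, src):
    """Longest-prefix match of the packet's source address."""
    addr = ipaddress.ip_address(src)
    hits = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen,
               default=None)


def rpf_pass(table, src, in_if, mode="strict", feasible_paths=False):
    route = best_route(table, src)
    if route is None:
        return False              # no route back to the source: fails both modes
    if mode == "loose":
        return True               # any matching prefix is enough, including a default
    allowed = {route.active_if}
    if feasible_paths:            # unicast-reverse-path feasible-paths
        allowed.update(route.feasible_ifs)
    return in_if in allowed


def rpf_dhcp_fail_filter(src, dst):
    """The slide's rpf-dhcp filter: one accepting term, then the implicit discard."""
    return src == "0.0.0.0" and dst == "255.255.255.255"


def verdict(table, src, dst, in_if, mode="strict", feasible_paths=False,
            fail_filter=None):
    if rpf_pass(table, src, in_if, mode, feasible_paths):
        return "accept"
    if fail_filter is not None and fail_filter(src, dst):
        return "accept (fail filter)"
    return "discard"


if __name__ == "__main__":
    cases = [
        ("return traffic on the feasible path, strict",
         verdict(TABLE, "172.30.17.9", "172.27.102.10", "ge-0/0/2")),
        ("same packet with feasible-paths enabled",
         verdict(TABLE, "172.30.17.9", "172.27.102.10", "ge-0/0/2",
                 feasible_paths=True)),
        ("unroutable source, loose, no default route",
         verdict(TABLE, "10.99.0.1", "172.27.102.10", "ge-0/0/3", mode="loose")),
        ("unroutable source, loose, default route present",
         verdict(TABLE + (DEFAULT,), "10.99.0.1", "172.27.102.10", "ge-0/0/3",
                 mode="loose")),
        ("DHCP discover, strict, no fail filter",
         verdict(TABLE, "0.0.0.0", "255.255.255.255", "ge-0/0/3")),
        ("DHCP discover, strict, fail-filter rpf-dhcp",
         verdict(TABLE, "0.0.0.0", "255.255.255.255", "ge-0/0/3",
                 fail_filter=rpf_dhcp_fail_filter)),
    ]
    for label, result in cases:
        print(f"{label:50s} {result}")
```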



Firewall Filter Functions

 Firewall filters can perform many functions:


• Filter packets
• Police traffic flows
• Count traffic accepted or denied
• Add or modify CoS values
• Sample traffic flows
• Port-mirror traffic flows
• And more



Dynamic Firewall Services Overview
 Dynamic firewall filters
• The router can apply input and output firewall filters to
subscriber interfaces dynamically within a dynamic profile
• A dynamic profile can apply a named filter or a filter specified
by a RADIUS server to an interface



Dynamic Firewall Services Filter Types
 Classic firewall filters
• Statically created filters compiled during commit time
• Interface specific: an interface-specific clone of the filter is created and attached to the logical interface.
 Fast update filters
• Filter can be modified without having to recompile
• Subscriber specific: subscriber-specific filter terms are dynamically added and removed to support subscriber traffic.

[Diagram, repeated for each filter type: RG, MSAN, MX Device, and Core Network, carrying Video and Data]
RG = Routing Gateway
MSAN = Multi-Service Access Node


Firewall Filter Processing Order
 Filter processing order:
• Classic filters are processed first, then the router looks for fast update filters
[Diagram: 1. Classic filters, 2. Fast update filters]
• Using the match-order statement in fast update filters:
  • The router examines match conditions, starting with the most specific condition first
• You can force filter processing to occur in a particular order by using the precedence statement


Classic Filter Configuration Overview

 Classic firewall filter configuration process


1. Create standard firewall filters
• Create standard input and output filters as desired
• This process is normal, not specific to subscriber management
2. Apply the filters to interfaces using dynamic profiles
• Filters are referenced by name within the dynamic profile or through
RADIUS by using variables
 Supported classic filters
• Port (Layer 2) firewall filter
• Router (Layer 3) firewall filter
• VLAN firewall filter



Implementing Dynamic Firewall Services With
Classic Filters (1 of 2)
1. Configure the firewall filter
• Define a filter name
• Define a term and configure the desired parameters
• Include the interface-specific statement
  • Provides per-interface counters

[edit]
user@mx# show firewall
family inet {
    filter block12345 {
        interface-specific;
        term A {
            from {
                destination-port 12345;
            }
            then {
                count no-12345-team7;
                log;
                discard;
            }
        }
        term B {
            then accept;
        }
    }
}


Implementing Dynamic Firewall Services With
Classic Filters (2 of 2)
2. Apply the filter to a dynamic profile
• Apply in the same way as a physical interface
• Use input and output statements

[edit]
user@mx# show dynamic-profiles
profile7 {
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-underlying-interface-unit" {
                family inet {
                    rpf-check fail-filter rpf-dhcp;
                    filter {
                        input block12345;
                    }
                    unnumbered-address lo0.0 preferred-source-address 77.77.77.77;
                }
            }
        }
    }
}

input block12345 is a static reference; could use variable $junos-input-policy


Fast Update Filter Configuration Overview

 Fast update filter configuration:


1. Create firewall filters within the dynamic profile
• Use dynamic variables to create subscriber-specific filter match terms
• Use the match-order statement to explicitly specify the order in
which the router examines filter match conditions
2. Dynamically apply the filters to interfaces using dynamic
profiles
• Filters are referenced by name within the dynamic profile or through
RADIUS by using variables



Implementing Dynamic Firewall Services With
Fast Update Filters (1 of 2)
 Create the filter and match conditions
[edit]
user@mx# show dynamic-profiles
MyProfile {
    firewall {
        family inet {
            fast-update-filter Filter1 {
                interface-specific;
                match-order [ source-address destination-address protocol destination-port ];
                term allow-dhcp {
                    only-at-create;
                    from {
                        source-address 0.0.0.0/32;
                        destination-address 255.255.255.255/32;
                        destination-port 67;
                        protocol udp;
                    }
                    then accept;
                }
                term sub-allow-dhcp {
                    from {
                        source-address $junos-subscriber-ip-address;
                        destination-address 192.168.1.2/32;
                        destination-port 67;
                        protocol udp;
                    }
                    then accept;
                }
            }
        }
    }
}


Implementing Dynamic Firewall Services With
Fast Update Filters (2 of 2)
2. Reference the filter in the dynamic profile
• Apply in the same way as a physical interface
• Use input and output statements
• Can explicitly name the filter or use a variable
[edit]
user@mx# show dynamic-profiles
MyProfile {
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-underlying-interface-unit" {
                family inet {
                    rpf-check {
                        mode loose;
                    }
                    filter {
                        input Filter1;
                    }
                    unnumbered-address lo0.0 preferred-source-address 77.77.77.77;
                }
            }
        }
    }
}


Using Variables
 Use RADIUS to reference filters
• The router can use dynamic profile variables to reference filters
• $junos-input-filter and $junos-output-filter
• Configure the RADIUS server to send attributes that match the
filters on the router
• When a subscriber connects, the variables tell the dynamic
profile to use the attribute values pushed down by RADIUS



Monitoring Firewall Filters and Counters
 Monitor using show commands
• show firewall
• show firewall log

user@mx> show firewall counter filter peer2peer no-12345

Filter: peer2peer
Counters:
Name                Bytes      Packets
no-12345          1694502        20256

user@mx> show firewall log

Log :
Time      Filter  Action  Interface   Protocol  Src Addr       Dest Addr
07:23:16  pfe     D       ge-0/0/1.0  TCP       172.27.102.10  172.27.102.100
07:23:13  pfe     D       ge-0/0/1.0  TCP       172.27.102.10  172.27.102.100
07:23:10  pfe     D       ge-0/0/1.0  TCP       172.27.102.10  172.27.102.100
07:19:38  pfe     D       ge-0/0/3.0  ICMP      192.168.100.2  192.168.24.1
07:19:38  pfe     D       ge-0/0/3.0  ICMP      192.168.100.2  192.168.24.1
07:19:37  pfe     D       ge-0/0/3.0  ICMP      192.168.100.2  192.168.24.1

Interface: the interface on which the router received the packet
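An added Python example (not part of the original slides) that parses the show firewall log output above and flags flows with repeated discards inside a short time window. The threshold, the window, and the function names are assumptions; the sample input is the slide's own log output.

```python
"""Parse 'show firewall log' output and flag repeated discards (added example)."""
from collections import defaultdict

# The log output shown on the slide, embedded as sample input.
SAMPLE = """\
Log :
Time      Filter  Action  Interface   Protocol  Src Addr       Dest Addr
07:23:16  pfe     D       ge-0/0/1.0  TCP       172.27.102.10  172.27.102.100
07:23:13  pfe     D       ge-0/0/1.0  TCP       172.27.102.10  172.27.102.100
07:23:10  pfe     D       ge-0/0/1.0  TCP       172.27.102.10  172.27.102.100
07:19:38  pfe     D       ge-0/0/3.0  ICMP      192.168.100.2  192.168.24.1
07:19:38  pfe     D       ge-0/0/3.0  ICMP      192.168.100.2  192.168.24.1
07:19:37  pfe     D       ge-0/0/3.0  ICMP      192.168.100.2  192.168.24.1
"""


def parse_firewall_log(text):
    """Return one dict per log row; the 'Log :' line, header and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0].count(":") != 2:
            continue
        try:
            hh, mm, ss = (int(part) for part in fields[0].split(":"))
        except ValueError:
            continue
        entries.append({
            "t": hh * 3600 + mm * 60 + ss,  # seconds since midnight (no date in the log)
            "filter": fields[1],
            "action": fields[2],            # D = discard
            "interface": fields[3],
            "protocol": fields[4],
            "src": fields[5],
            "dst": fields[6],
        })
    return entries


def repeated_discards(entries, threshold=3, window_s=10):
    """Map (interface, src, dst, protocol) to the peak number of discards seen in
    any window of window_s seconds, for flows whose peak reaches the threshold.
    Rows that straddle midnight are not joined, since the log carries no date."""
    times = defaultdict(list)
    for e in entries:
        if e["action"] == "D":
            times[(e["interface"], e["src"], e["dst"], e["protocol"])].append(e["t"])
    flagged = {}
    for flow, stamps in times.items():
        stamps.sort()
        peak = start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window_s:
                start += 1                  # slide the window's left edge forward
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[flow] = peak
    return flagged


if __name__ == "__main__":
    rows = parse_firewall_log(SAMPLE)
    for flow, peak in repeated_discards(rows).items():
        print(peak, "discards within 10 s:", *flow)
```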



Interface Specific Filter Names
 The router creates interface-specific filter names
• Name format:
  Filter-name-interface-name.subunit-direction
• Example:
  • http-filter-ge-1/0/0.5-in
• Counter statistics are displayed when the counter is enabled in the dynamic profile

user@mx> show firewall
Filter: http-filter-ge-1/0/0.5-in
Counters:
Name            Bytes      Packets
t0-cnt          32758           22
t1-cnt          22199           15
t2-cnt          21723           14
t3-cnt          17342           11
t4-cnt          15497           10
t5-cnt           6432            4


Subscriber Class of Service



Class of Service Overview
 CoS provides mechanisms for the following:
• categorizing traffic
• meeting network performance requirements

[Diagram: voice (Packet A), video (Packet B), and data (Packet C) traffic passing through an MX 960]


Meeting Performance Requirements
 CoS meets network performance requirements:
• Prioritizing latency-sensitive traffic such as VoIP
• Controlling congestion to ensure service level agreement
maintenance
• Allocating bandwidth for different classes of traffic


Devices should treat traffic consistently throughout the entire network.



Forwarding Classes
 Forwarding classes:
• Identify traffic that should receive common treatment
• Used to assign traffic to output queues
[Diagram: forwarding class to output queue mapping on an MX 960: Voice (Packet A) to Queue 2, Video (Packet B) to Queue 1, Data (Packet C) to Queue 0]


Loss Priority
 Loss priority:
• Identifies the priority a system should give to dropping a packet
• Used to select the drop profile used in the RED process

[Diagram: if congestion exists, the MX 960 drops data traffic first and voice (VoIP) traffic last; an RG and an MSAN sit on the subscriber side]
MSAN = Multi-Service Access Node
RG = routing gateway


CoS Deployment Models
 CoS deployment models:
• In-the-box
  • Uses a multifield classifier only
• Across-the-network
  • Uses a multifield classifier at the edge and behavior aggregate rewrite and classifier in the core

Devices should treat traffic consistently throughout the entire network.


Multifield Classifiers

Definition

[edit firewall family inet]
user@mx# show filter apply-cos-markings
term admin {
    from {
        source-address {
            192.168.200.0/25;
        }
    }
    then {
        forwarding-class expedited-forwarding;
        accept;
    }
}
term all-other-traffic {
    then accept;
}

Application

[edit interfaces]
user@mx# show ge-0/0/1
unit 0 {
    family inet {
        filter {
            input apply-cos-markings;
        }
        address 192.168.200.1/24;
    }
}

[Diagram: the filter is applied on ge-0/0/1.0; data packets carry no BA marking]


Behavior Aggregates

Behavior Aggregate Rewrite

[edit class-of-service]
user@mx# show
interfaces {
    ge-0/0/3 {
        unit 0 {
            rewrite-rules {
                inet-precedence default;
            }
        }
    }
}

Behavior Aggregate Classifier

[edit class-of-service]
user@mx# show
interfaces {
    ge-0/0/3 {
        unit 0 {
            classifiers {
                inet-precedence default;
            }
        }
    }
}

[Diagram: R1 (ge-0/0/3.0) and R2 (ge-0/0/3.0), with data packets that carry no BA marking]


Policers
firewall {
    policer admin-traffic-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 3k;
        }
        then forwarding-class best-effort;
    }
    family inet {
        filter apply-cos-markings {
            term admin {
                from {
                    source-address {
                        192.168.200.0/25;
                    }
                }
                then {
                    policer admin-traffic-policer;
                    forwarding-class expedited-forwarding;
                    accept;
                }
            }
            term all-other-traffic {
                then accept;
            }
        }
    }
}

[Diagram: the policer sends conforming traffic to Expedited Forwarding and out-of-profile traffic to Best Effort]


Queuing

 Forwarding classes map to queues
• Default queue and forwarding class mappings for devices running the Junos OS:
  • 0: best-effort
  • 1: expedited-forwarding
  • 2: assured-forwarding
  • 3: network-control
[Diagram: scheduler map serving Queue 0 (BE), Queue 1 (EF), Queue 2 (AF), and Queue 3 (NC)]

Displays current queue and forwarding class mappings:

user@mx> show class-of-service forwarding-class
Forwarding class          ID    Queue
best-effort                0      0
expedited-forwarding       1      1
assured-forwarding         2      2
network-control            3      3


Defining Forwarding Classes
 Configure forwarding classes under the [edit
class-of-service forwarding-classes] hierarchy
[edit class-of-service]
user@mx# set forwarding-classes queue 0 general-traffic

[edit class-of-service]
user@mx# set forwarding-classes queue 1 important-traffic

[edit class-of-service]
user@mx# set forwarding-classes queue 2 critical-traffic

[edit class-of-service]
user@mx# commit
commit complete

[edit class-of-service]
user@mx# run show class-of-service forwarding-class
Forwarding class          ID    Queue
general-traffic            0      0
important-traffic          1      1
critical-traffic           2      2
network-control            3      3


Schedulers Overview

 Schedulers
• Define the order in which packets transmit
  • Priority
  • Transmission rate
• Define storage and dropping of packets
  • Buffer size
  • RED configuration
[Diagram: scheduler map serving Queue 0, Queue 1, Queue 2, and Queue 3]

Queue Priority
 Queues receive service according to their assigned
priority; common priorities include the following:
• High
• Medium high
• Medium low
• Low

[Diagram: a scheduler map services Queue 3 (H) first, then Queue 2 (MH) and Queue 1 (ML), and Queue 0 (L) last]


Defining Schedulers

 Configure schedulers under the [edit class-of-service schedulers] hierarchy

[edit class-of-service schedulers]
user@mx# set sched-best-effort transmit-rate percent 40

[edit class-of-service schedulers]
user@mx# set sched-best-effort buffer-size percent 40

[edit class-of-service schedulers]
user@mx# set sched-best-effort priority low

[edit class-of-service schedulers]
user@mx# show
sched-best-effort {
    transmit-rate percent 40;
    buffer-size percent 40;
    priority low;
}


Defining Scheduler Maps
 Scheduler maps
• Associate schedulers with forwarding classes and queues
[edit class-of-service scheduler-maps]
user@mx# set sched-map-example forwarding-class best-effort scheduler sched-BE

[edit class-of-service scheduler-maps]
user@mx# set sched-map-example forwarding-class expedited-forwarding scheduler sched-EF

[edit class-of-service scheduler-maps]
user@mx# set sched-map-example forwarding-class assured-forwarding scheduler sched-AF

[edit class-of-service scheduler-maps]
user@mx# set sched-map-example forwarding-class network-control scheduler sched-NC

[edit class-of-service scheduler-maps]
user@mx# show
sched-map-example {
    forwarding-class best-effort scheduler sched-BE;
    forwarding-class expedited-forwarding scheduler sched-EF;
    forwarding-class assured-forwarding scheduler sched-AF;
    forwarding-class network-control scheduler sched-NC;
}


Subscriber CoS Overview

 Subscriber CoS
• The MX router can apply hierarchical scheduling or per-unit
scheduling for subscribers
• Subscriber CoS settings are dynamically applied through a
dynamic profile
 Hardware requirement
• Dynamic CoS with hierarchical scheduling requires an MPC-Q
card on the MX router or an IQ2E PIC on the M120 or M320
routers



Subscriber CoS Configuration Options
 Static configuration
• Configure the scheduler map and schedulers at the main
class-of-service stanza
• Reference the scheduler map in a dynamic profile
 Dynamic configuration
• Configure scheduler map and schedulers directly within a dynamic
profile



Implementing Subscriber CoS (1 of 6)
1. Configure the physical interface
• Add the hierarchical-scheduler statement
• Enables per-subscriber CoS for the interface

[edit interfaces]
user@mx# show ge-1/0/7
description Team7;
hierarchical-scheduler;
stacked-vlan-tagging;
unit 0 {
    demux-source inet;
    vlan-tags outer 7 inner 1234;
    family inet {
        unnumbered-address lo0.0 preferred-source-address 104.104.104.104;
    }
}


Implementing Subscriber CoS (2 of 6)

2. Define a traffic-control profile


• Configure within the dynamic profile
• Specify a name
• Reference a scheduler map
• Configure the shaping rate

[edit]
user@mx# show dynamic-profiles
Multiplay-profile {
    interfaces {
    <snip>
    class-of-service {
        traffic-control-profiles {
            multiplay-service {
                scheduler-map multiplay-sched-map;
                shaping-rate 50m;
            }
        }
    }
}


Implementing Subscriber CoS (3 of 6)

3. Configure scheduler maps


• Configure within the dynamic profile or in the main class-of-service stanza
• Join forwarding classes and schedulers

[edit]
user@mx# show dynamic-profiles
Multiplay-profile {
    interfaces {
    <snip>
    class-of-service {
        traffic-control-profiles {
            multiplay-service {
                scheduler-map multiplay-sched-map;
                shaping-rate 50m;
            }
        }
        scheduler-maps {
            multiplay-sched-map {
                forwarding-class video scheduler mplay-video-sched;
                forwarding-class voice scheduler mplay-voice-sched;
                forwarding-class data scheduler mplay-data-sched;
            }
        }
    }
}


Implementing Subscriber CoS (4 of 6)
4. Configure schedulers
• Configure within the dynamic profile or in the main class-of-service stanza
• Define output queue parameters
  • Bandwidth, buffer size, priority, and drop profile

[edit]
user@mx# show dynamic-profiles
Multiplay-profile {
    interfaces {
    <snip>
    class-of-service {
        traffic-control-profiles {
            multiplay-service {
                scheduler-map multiplay-sched-map;
                shaping-rate 50m;
            }
        }
        scheduler-maps {
            multiplay-sched-map {
                forwarding-class video scheduler mplay-video-sched;
                forwarding-class voice scheduler mplay-voice-sched;
                forwarding-class data scheduler mplay-data-sched;
            }
        }
        schedulers {
            mplay-video-sched {
                transmit-rate 35m rate-limit;
                buffer-size percent 70;
                priority medium-low;
            }
            mplay-voice-sched {
                transmit-rate 128k rate-limit;
                buffer-size percent 10;
                priority strict-high;
            }
            mplay-data-sched {
                transmit-rate remainder;
                buffer-size remainder;
                priority low;
            }
        }
    }
}


Implementing Subscriber CoS (5 of 6)

5. Configure forwarding classes and drop profiles


[edit]
user@mx# show class-of-service
forwarding-classes {
    class data queue-num 0;
    class voice queue-num 1;
    class video queue-num 2;
}

[edit]
user@mx# show dynamic-profiles
Multiplay-profile {
    interfaces {
    <snip>
    class-of-service {
        traffic-control-profiles {
            multiplay-service {
                scheduler-map multiplay-sched-map;
                shaping-rate 50m;
            }
        }
        scheduler-maps {
            multiplay-sched-map {
                forwarding-class video scheduler mplay-video-sched;
                forwarding-class voice scheduler mplay-voice-sched;
                forwarding-class data scheduler mplay-data-sched;
            }
        }
        schedulers {
            mplay-video-sched {
                transmit-rate 35m rate-limit;
                buffer-size percent 70;
                priority medium-low;
            }
            mplay-voice-sched {
                transmit-rate 128k rate-limit;
                buffer-size percent 10;
                priority strict-high;
            }
            mplay-data-sched {
                transmit-rate remainder;
                buffer-size remainder;
                priority low;
            }
        }
    }
}


Implementing Subscriber CoS (6 of 6)
6. Apply CoS parameters to the dynamic profile
• Reference the subscriber interface within the dynamic profile
using variables
• Apply the traffic-control profile
[edit]
user@mx# show dynamic-profiles
Multiplay-profile {
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-underlying-interface-unit";
        }
    }
    class-of-service {
        traffic-control-profiles {
            multiplay-service {
                scheduler-map multiplay-sched-map;
                shaping-rate 50m;
            }
        }
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-underlying-interface-unit" {
                    output-traffic-control-profile multiplay-service;
                }
            }
        }
        <snip>


Classifying Inbound Traffic
 Assign inbound traffic to queues
• The previous steps rely on having traffic in queues
• Mark incoming traffic using a multifield classifier filter for
queue assignment
• Then apply the filter to the appropriate interface

[edit]
user@mx# show firewall
family inet {
    filter mark-video {
        term A {
            from {
                address {
                    10.10.10.100;
                }
            }
            then {
                count video-count;
                forwarding-class video;
                accept;
            }
        }
    }
}

[edit]
user@mx# show interfaces ge-0/1/2
description "Mcast feed";
unit 0 {
    family inet {
        filter {
            input mark-video;
        }
        address 10.10.10.1/24;
    }
}

For traffic with existing CoS values, use BA classification.


Using Variables
 Use variables with RADIUS to provide CoS parameters
• The MX router can obtain CoS parameters from the RADIUS
server when a subscriber connects
• Scheduler map name and traffic shaping parameters
• Configure attributes on the RADIUS server
• When a subscriber connects, the variables tell the dynamic
profile to use the attribute values pushed down by RADIUS



Subscriber CoS Variables (1 of 3)
 Predefined subscriber variables for initial traffic shaping
• $junos-cos-scheduler-map
• Scheduler-map name to be dynamically configured in a traffic-control
profile
• $junos-cos-shaping-rate
• Shaping rate to be dynamically configured in a traffic-control profile
• $junos-cos-guaranteed-rate
• Guaranteed rate to be dynamically configured in a traffic-control profile
• $junos-cos-delay-buffer-rate
• Delay-buffer rate to be dynamically configured in a traffic-control profile



Subscriber CoS Variables (2 of 3)
 Predefined variables for initial scheduling and queuing
• $junos-cos-scheduler
• Name of a scheduler to be dynamically configured in the client dynamic
profile
• $junos-cos-scheduler-transmit-rate
• Transmit rate to be dynamically configured for the scheduler in the
client dynamic profile
• $junos-cos-scheduler-bs
• Buffer size, as a percentage of total buffer, to be dynamically configured
for the scheduler in the client dynamic profile
• $junos-cos-scheduler-pri
• Packet-scheduling priority value to be dynamically configured for the
scheduler in the client dynamic profile



Subscriber CoS Variables (3 of 3)
 Additional predefined variables for initial scheduling
and queuing
• $junos-cos-scheduler-dropfile-low
• $junos-cos-scheduler-dropfile-medium-low
• $junos-cos-scheduler-dropfile-medium-high
• $junos-cos-scheduler-dropfile-high
• $junos-cos-scheduler-dropfile-any
• Names of the drop profiles for RED for the various loss-priority levels
to be dynamically configured for the scheduler in the client dynamic
profile



CoS Variables Configuration Example

[edit]
user@mx# show dynamic-profiles
profile-with-CoS-variables {
    interfaces {
    <snip>
    class-of-service {
        traffic-control-profiles {
            residential {
                scheduler-map "$junos-cos-scheduler-map";
                shaping-rate "$junos-cos-shaping-rate";
                delay-buffer-rate "$junos-cos-delay-buffer-rate";
            }
        }
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    output-traffic-control-profile residential;
                }
            }
        }
        scheduler-maps {
            res-subscribers {
                forwarding-class BE scheduler BE_SCHED;
                forwarding-class P scheduler P_SCHED;
                forwarding-class HP scheduler HP_SCHED;
                forwarding-class RT scheduler RT_SCHED;
            }
        }
        schedulers {
            BE_SCHED {
                transmit-rate "$junos-cos-scheduler-tx" rate-limit;
                buffer-size temporal "$junos-cos-scheduler-bs";
                priority "$junos-cos-scheduler-pri";
            }
            P_SCHED {
                transmit-rate "$junos-cos-scheduler-tx";
                buffer-size temporal "$junos-cos-scheduler-bs";
                priority "$junos-cos-scheduler-pri";
            }
            HP_SCHED {
                transmit-rate "$junos-cos-scheduler-tx";
                buffer-size temporal "$junos-cos-scheduler-bs";
                priority "$junos-cos-scheduler-pri";
            }
            RT_SCHED {
                transmit-rate "$junos-cos-scheduler-tx";
                buffer-size temporal "$junos-cos-scheduler-bs";
                priority "$junos-cos-scheduler-pri";
            }
        }
    }
}


Monitoring Subscriber CoS
 Monitor using show commands
• show class-of-service scheduler-map
• Displays mapping of schedulers to forwarding classes
• Displays summary of scheduler parameters
• show class-of-service traffic-control-profile
• Displays traffic shaping and scheduling profiles


Monitoring CoS (1 of 2)
Displays CoS setting for the specified interface:

user@mx> show class-of-service interface ge-0/0/3
Physical interface: ge-0/0/3, Index: 134
Queues supported: 8, Queues in use: 4
Scheduler map: multiplay-sched-map, Index: 15041

Logical interface: ge-0/0/3.0, Index: 68
Object       Name             Type    Index
Rewrite      ipprec-default   ip         31
Classifier   ipprec-default   ip         12

Displays queued, transmitted, and dropped packets for each queue associated with the specified interface:

user@mx> show interfaces ge-0/0/3 detail | find "Egress queues"
Egress queues: 8 supported, 4 in use
Queue counters:   Queued packets   Transmitted packets   Dropped packets
0 data                      5105                  5105                 0
1 voice                   116136                116136                 0
2 video                    79268                 79268                 0
3 nc                         103                   103                 0


Monitoring CoS (2 of 2)
Displays queue statistics for the specified interface:

user@mx> show interfaces queue ge-0/0/3
Physical interface: ge-0/0/3, Enabled, Physical link is Up
Interface index: 134, SNMP ifIndex: 115
Forwarding classes: 8 supported, 4 in use
Egress queues: 8 supported, 4 in use
Queue: 0, Forwarding classes: data
Queued:
Packets : 5818 0 pps
Bytes : 570108 0 bps
Transmitted:
Packets : 5818 0 pps
Bytes : 570108 0 bps
Tail-dropped packets : 0 0 pps
RED-dropped packets : 0 0 pps
Low : 0 0 pps
Medium-low : 0 0 pps
Medium-high : 0 0 pps
High : 0 0 pps
RED-dropped bytes : 0 0 bps
Low : 0 0 bps
Medium-low : 0 0 bps
Medium-high : 0 0 bps
High : 0 0 bps
Queue: 1, Forwarding classes: voice
Queued:
Packets : 116136 0 pps
Bytes : 149350896 0 bps



Troubleshooting Subscriber CoS
 Traceoptions
• Configure in the main class-of-service stanza or within the dynamic profile

[edit dynamic-profiles Multiplay-profile]
user@mx# show class-of-service
traceoptions {
    file cos-dyn-prof.log;
    flag all;
}

Traceoptions flags: all, asynch, cos-adjustment, dynamic, hardware-database, init, parse, process, restart, route-socket, show, snmp, util

• View using show log filename

Deactivate traceoptions when not in use.


Dynamic Multicast Services



IGMP Overview
 Manages group membership between hosts and routers
 IGMP message exchange
• Router queries
• Sends query messages to solicit group membership
• Host messages
• Report messages
• Leave-group messages
 The Junos OS supports IGMPv2, by default
• Configurable to v1 and v3
• Automatically enabled on multiprotocol ports where PIM is
configured



Multicast Groups and Routing
[Diagram labels: Group Membership Protocol, Multicast Routing Protocol]

 IGMP operates between receivers (hosts) and routers
• IGMP is not a routing protocol

IGMP Versions
 Version 1
• Routers periodically transmit host membership query messages
to determine which groups have listeners on directly attached
networks
 Version 2
• Defines procedure for electing the multicast querier for each
LAN
• Defines a group-specific query message
• Defines a leave-group message
• Reduces IGMP leave latency
 Version 3
• Supports group-source report/query messages and
enhancements to leave-group messages
• Provides source-specific multicast (SSM)



IGMPv2 Join Process
 Report messages establish host membership for
particular multicast groups on a given network
• Reports are sent to the group address being reported
• Informs the local router that a host wants to receive traffic
associated with the specified multicast group
[Diagram: Host 1 sends a report (D=224.10.1.1, Group=224.10.1.1) on the network shared with the querier and nonquerier routers]


IGMPv2 Query-Response Process
1. Querier router sends a general query to all-hosts in the
multicast group
2. Host 2 sends its report for group 224.10.1.1 first
3. Host 1 hears the response from Host 2 and suppresses
its report
4. Host 3 sends its report for the group 224.20.1.1
[Diagram: Router A (querier) sends the general query (1); Host 2 reports 224.10.1.1 (2); Host 1's report for 224.10.1.1 is suppressed (3); Host 3 reports 224.20.1.1 (4); Router B is the nonquerier]


IGMPv2 Group Leave
1. Host 2 sends leave message for 224.1.1.1 to all-routers
multicast group address (224.0.0.2)
2. Querier router sends group-specific query for 224.1.1.1
3. Group 224.1.1.1 times out if no IGMP reports are received within ~3 seconds
[Diagram: Host 2 sends a leave-group message for Group=224.1.1.1 (1); Router A (querier) sends a group-specific query for Group=224.1.1.1 (2); Host 3 is on the same network]
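An added Python example (not from the slides and not Juniper code) that builds the IGMPv2 messages from the join, query-response, and leave slides and checks each one's checksum and IP destination. The type codes and the 8-byte layout follow RFC 2236; the function names and the 1-second maximum response time in the group-specific query are assumptions of the example.

```python
"""Build and validate IGMPv2 messages for the join, query and leave exchanges."""
import socket
import struct

QUERY, V2_REPORT, LEAVE = 0x11, 0x16, 0x17        # IGMPv2 type codes (RFC 2236)
ALL_HOSTS, ALL_ROUTERS = "224.0.0.1", "224.0.0.2"


def checksum(data):
    """16-bit one's complement of the one's complement sum of the 8-byte message."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build(msg_type, group="0.0.0.0", max_resp_tenths=0):
    """Type (1 byte), max response time in 1/10 s (1), checksum (2), group (4)."""
    grp = socket.inet_aton(group)
    unsummed = struct.pack("!BBH4s", msg_type, max_resp_tenths, 0, grp)
    return struct.pack("!BBH4s", msg_type, max_resp_tenths, checksum(unsummed), grp)


def check_message(dst, payload):
    """Return (kind, group, problems) for an IGMPv2 payload sent to IP address dst.
    IGMPv3 messages (longer queries, type 0x22 reports) are reported as unknown."""
    if len(payload) != 8:
        return ("unknown", None, ["IGMPv2 messages are 8 bytes"])
    msg_type, _resp, _cksum, grp = struct.unpack("!BBH4s", payload)
    group = socket.inet_ntoa(grp)
    problems = []
    if checksum(payload) != 0:        # a valid message sums to 0xFFFF
        problems.append("bad checksum")
    if msg_type == QUERY:
        general = group == "0.0.0.0"
        kind = "general-query" if general else "group-specific-query"
        expected = ALL_HOSTS if general else group
    elif msg_type == V2_REPORT:
        kind, expected = "report", group        # reports go to the group itself
    elif msg_type == LEAVE:
        kind, expected = "leave", ALL_ROUTERS   # leaves go to all-routers
    else:
        return ("unknown", group, problems + ["unexpected type 0x%02x" % msg_type])
    if dst != expected:
        problems.append("sent to %s, expected %s" % (dst, expected))
    if kind != "general-query" and not 224 <= grp[0] <= 239:
        problems.append("group is not a multicast address")
    return (kind, group, problems)


def leave_exchange(group):
    """The leave sequence from the slide as (destination, payload) pairs."""
    return [
        (ALL_ROUTERS, build(LEAVE, group)),                 # 1. host leaves
        (group, build(QUERY, group, max_resp_tenths=10)),   # 2. querier asks the group
    ]


if __name__ == "__main__":
    for dst, payload in leave_exchange("224.1.1.1"):
        print(dst, payload.hex(), check_message(dst, payload))
    report = build(V2_REPORT, "224.10.1.1")
    print("224.10.1.1", report.hex(), check_message("224.10.1.1", report))
```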



IGMPv3 and SSM
 Host 1 wants to receive from S=172.16.20.1, but not from
S=192.168.30.1
• Host 1 sends inclusion group-source message for S=172.16.20.1
• Host 1 sends exclusion group-source message for
S=192.168.30.1
[Figure: Router A (Source=172.16.20.1, Group=224.1.1.1) and Router B (Source=192.168.30.1, Group=224.1.1.1) connect to Router C; the path from Router B is marked X (pruned). Host 1, a member of 224.1.1.1, sends this IGMPv3 group-source report:]
D: 224.0.0.22 (All IGMPv3 routers)
Include 172.16.20.1, 224.1.1.1
Exclude 192.168.30.1, 224.1.1.1



Dynamic Multicast Services Overview

 Dynamic multicast for subscribers


• The MX router can apply IGMP settings to subscriber
interfaces dynamically
• Within a dynamic profile
• Enables subscribers to access multicast streams
• Example: IPTV channels
• Dynamic profile can apply settings statically or use variables to
reference settings specified in RADIUS



Implementing Dynamic Multicast Services
 Configure IGMP within a dynamic profile
• Configure the protocols stanza within the dynamic profile
• Specify the interface variable
• Add desired options
• IGMP options: accounting, disable, group-policy, immediate-leave, no-accounting, oif-map, passive, promiscuous-mode, ssm-map, static, version

[edit]
user@mx# show dynamic-profiles
mcast-profile {
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-underlying-interface-unit" {
                family inet;
            }
        }
    }
    protocols {
        igmp {
            interface "$junos-interface-name" {
                promiscuous-mode;
                accounting;
            }
        }
    }
}

Remember that you must also enable PIM to the upstream routers in the network.



Multi-Edge Architecture Example

[Figure: multi-edge architecture. Labels: RG, MSAN, C-VLANs, M-VLAN, MX960 Video VSR, MX960 Data BSR, Core Network. Callouts: "DHCP on multicast VLAN for IPTV"; "IGMP forking allows BSR to adjust QoS".]



IPTV Channels over MVLANs
[Figure: IPTV channels over M-VLANs. Labels: MX960 VSR, MX960 BSR, MSAN, M-VLAN, C-VLANs, RG, Subscriber A, Subscriber B, IPTV Channel 10, IPTV Channel 20. Callouts: "Tells BSR how much bandwidth will be used for multicast flow"; "Subtracts bandwidth amount used for multicast flow".]

Using M-VLANs eliminates channel replication.


OIF Mapping and Reverse OIF Mapping
 OIF Mapping
[Figure: RG, MSAN, MX960 VSR and MX960 BSR. The M-VLAN carries shared multicast data; the C-VLANs carry unicast, IGMP and MLD.]

 Reverse OIF Mapping
[Figure: RG, MSAN, MX960 VSR and MX960 BSR. The M-VLAN carries shared IGMP, MLD and multicast data; the C-VLANs carry unicast.]



OIF Mapping Configuration Example
[edit]
user@mx# show dynamic-profiles
DHCP-SUBSCRIBER {
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-underlying-interface-unit" {
                proxy-arp;
                family inet {
                    filter {
                        input "$junos-input-filter";
                        output "$junos-output-filter";
                    }
                    unnumbered-address lo0.0 preferred-source-address 100.100.100.1;
                }
            }
        }
    }
    protocols {
        igmp {
            interface "$junos-interface-name" {
                promiscuous-mode;
                oif-map mcast-groups;
            }
        }
    }
}

[edit]
user@mx# show policy-options
policy-statement mcast-groups {
    term 1 {
        from {
            route-filter 239.0.0.0/8 orlonger;
            source-address-filter 6.6.6.0/24 orlonger;
        }
        then {
            map-to-interface ge-1/0/0.301;
            accept;
        }
    }
}



Managing and Measuring Multicast Bandwidth
 Use the maximum-bandwidth command to enable call
admission control on an interface:
[edit]
user@mx# show routing-options
multicast {
    interface ge-1/0/0.301 {
        maximum-bandwidth 500m;
    }
}
 Use the flow-map measure command for measuring
flow bandwidth
• Statically configure a bandwidth value:
• set routing-options multicast flow-map measure bandwidth 2m
• Adaptively measure and change bandwidth traffic flow:
• set routing-options multicast flow-map measure adaptive
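
How the oif-map policy and the admission-control settings above interact, as an added Python model that is not Junos code or part of the original course material. It uses the page's values (239.0.0.0/8, 6.6.6.0/24, ge-1/0/0.301, 500m, 2m); the class name, the result strings and the exact rejection rule are assumptions made for illustration.

```python
import ipaddress

# Values from the configuration on this page.
GROUPS = ipaddress.ip_network("239.0.0.0/8")    # route-filter 239.0.0.0/8 orlonger
SOURCES = ipaddress.ip_network("6.6.6.0/24")    # source-address-filter 6.6.6.0/24 orlonger
MAPPED_IFL = "ge-1/0/0.301"                     # map-to-interface
MAX_BANDWIDTH = 500_000_000                     # maximum-bandwidth 500m
FLOW_BANDWIDTH = 2_000_000                      # flow-map measure bandwidth 2m

class OifMapModel:
    """Simplified model of oif-map plus admission control (hypothetical class).

    Assumptions: joins carry an explicit source (S,G), every flow costs the
    static FLOW_BANDWIDTH, and a flow is rejected when admitting it would
    push the mapped interface past MAX_BANDWIDTH.
    """

    def __init__(self):
        self.flows = set()       # (source, group) pairs forwarded on MAPPED_IFL

    def used(self) -> int:
        """Bandwidth currently accounted against the mapped interface."""
        return len(self.flows) * FLOW_BANDWIDTH

    def join(self, source: str, group: str) -> str:
        """Decide what happens to one subscriber join."""
        if (ipaddress.ip_address(group) not in GROUPS
                or ipaddress.ip_address(source) not in SOURCES):
            return "unmapped"            # term 1 does not match
        if (source, group) in self.flows:
            return "shared"              # flow already on the M-VLAN: no new copy
        if self.used() + FLOW_BANDWIDTH > MAX_BANDWIDTH:
            return "rejected"            # call admission control
        self.flows.add((source, group))
        return MAPPED_IFL
```

With these values the mapped interface admits 250 distinct flows, and a second subscriber joining a channel that is already flowing consumes no additional bandwidth.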



IPTV Configuration Example (1 of 4)
 Configure the subscriber dynamic profile
[edit]
user@mx# show dynamic-profiles DHCP-SUBSCRIBER
interfaces {
    "$junos-interface-ifd-name" {
        unit "$junos-underlying-interface-unit" {
            proxy-arp;
            family inet {
                unnumbered-address lo0.0 preferred-source-address 10.1.1.1;
            }
        }
    }
}
protocols {
    igmp {
        interface "$junos-interface-name" {
            promiscuous-mode;
            oif-map mcast-groups;
        }
    }
}
class-of-service {
    traffic-control-profiles {
        COS-SHAPER {
            scheduler-map IPTV-SUBSCRIBER-MAP;
            shaping-rate "$junos-cos-shaping-rate";
        }
    }
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-underlying-interface-unit" {
                output-traffic-control-profile COS-SHAPER;
            }
        }
    }
    scheduler-maps {
        IPTV-SUBSCRIBER-MAP {
            forwarding-class best-effort scheduler be;
            forwarding-class assured-forwarding scheduler af;
        }
    }
    schedulers {
        be {
            shaping-rate "$junos-cos-scheduler-shaping-rate";
            priority "$junos-cos-scheduler-pri";
        }
        af {
            transmit-rate "$junos-cos-scheduler-tx";
            priority "$junos-cos-scheduler-pri";
        }
    }
}

IPTV Configuration Example (2 of 4)
 Configure the subscriber interface and VLAN dynamic
profiles

[edit]
user@mx# show interfaces
ge-1/0/0 {
    hierarchical-scheduler;
    flexible-vlan-tagging;
    auto-configure {
        stacked-vlan-ranges {
            dynamic-profile dynamic-vlan {
                accept any;
                ranges {
                    any,any;
                }
            }
        }
        vlan-ranges {
            dynamic-profile dynamic-vlan-outer-tag {
                accept any;
                ranges {
                    any;
                }
            }
        }
    }
}

[edit]
user@mx# show dynamic-profiles
dynamic-vlan {
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-interface-unit" {
                vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                family inet {
                    unnumbered-address lo0.0 preferred-source-address 10.1.1.1;
                }
            }
        }
    }
}
dynamic-vlan-outer-tag {
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-interface-unit" {
                vlan-id "$junos-vlan-id";
                family inet {
                    unnumbered-address lo0.0 preferred-source-address 10.1.1.1;
                }
            }
        }
    }
}

IPTV Configuration Example (3 of 4)
 Configure the DHCP local server, routing-options, and
protocols
user@mx# show system services
dhcp-local-server {
    group IPTV {
        authentication {
            username-include {
                option-82 remote-id;
            }
        }
        dynamic-profile DHCP-SUBSCRIBER;
        interface ge-1/0/0.0;
    }
}

[edit]
user@mx# show routing-options
multicast {
    flow-map measure {
        policy mcast-measure;
        bandwidth 2m adaptive;
    }
    interface ge-1/0/0.0 {
        maximum-bandwidth 500m;
    }
}

[edit]
user@mx# show protocols
igmp {
    interface ge-1/0/0.0 {
        version 3;
        passive;
    }
    interface ge-1/0/1.0 {
        version 3;
    }
}
pim {
    rp {
        static {
            address 10.1.5.1;
        }
    }
    interface ge-1/0/1.0;
    interface lo0.0;
}



IPTV Configuration Example (4 of 4)
 Configure the policies and AAA services
user@mx# show policy-options
policy-statement mcast-groups {
    term 1 {
        from {
            route-filter 239.0.0.0/8 orlonger;
            source-address-filter 6.6.6.0/24 orlonger;
            source-address-filter 10.1.1.0/24 orlonger;
        }
        then {
            map-to-interface ge-1/0/0.0;
            accept;
        }
    }
}
policy-statement mcast-measure {
    term 1 {
        from {
            route-filter 239.0.0.0/8 orlonger;
            source-address-filter 6.6.6.0/24 orlonger;
            source-address-filter 10.1.1.0/24 orlonger;
        }
        then accept;
    }
}

user@mx# show | find access
radius-server {
    10.10.10.2 {
        secret "$9$7WNs4GDimfzgoz36A1I-VbsYg"; ## SECRET-DATA
        source-address 10.10.10.1;
    }
}
profile IPTV-RADIUS {
    authentication-order radius;
    radius {
        authentication-server 10.10.10.2;
    }
}
address-assignment {
    pool DHCP {
        family inet {
            network 10.1.1.0/24;
            range A {
                low 10.1.1.100;
                high 10.1.1.200;
            }
            dhcp-attributes {
                router {
                    10.1.1.1;
                }
            }
        }
    }
}
access-profile IPTV-RADIUS;



Viewing IGMP Interface Information
user@mx> show igmp interface
Interface: ge-0/2/0.100
Querier: 10.0.0.1
State: Up Timeout: None Version: 2 Groups: 4
Interface: ge-2/0/0.0
Querier: 10.0.1.1
State: Up Timeout: 251 Version: 2 Groups: 0
Interface: ge-0/3/0.0
Querier: 10.0.16.1
State: Up Timeout: 184 Version: 2 Groups: 0

Configured Parameters:
IGMP Query Interval: 125.0
IGMP Query Response Interval: 10.0
IGMP Last Member Query Interval: 1.0
IGMP Robustness Count: 2

Derived Parameters:
IGMP Membership Timeout: 260.0
IGMP Other Querier Present Timeout: 255.0
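
Where the two derived parameters in this output come from, as an added Python check that is not part of the original course material. It applies the RFC 2236 timer formulas to the configured values and confirms that each interface's querier timeout stays within the derived limit; reading "Timeout: None" as "no other-querier timer running" is an assumption.

```python
import re

# Output copied from the slide above; the timer audit below is the added part.
SAMPLE = """\
Interface: ge-0/2/0.100
Querier: 10.0.0.1
State: Up Timeout: None Version: 2 Groups: 4
Interface: ge-2/0/0.0
Querier: 10.0.1.1
State: Up Timeout: 251 Version: 2 Groups: 0
Interface: ge-0/3/0.0
Querier: 10.0.16.1
State: Up Timeout: 184 Version: 2 Groups: 0

Configured Parameters:
IGMP Query Interval: 125.0
IGMP Query Response Interval: 10.0
IGMP Last Member Query Interval: 1.0
IGMP Robustness Count: 2

Derived Parameters:
IGMP Membership Timeout: 260.0
IGMP Other Querier Present Timeout: 255.0
"""

def parse(text):
    """Return (interfaces, params) from 'show igmp interface' text."""
    params = {k: float(v) for k, v in re.findall(r"IGMP ([\w ]+): ([\d.]+)", text)}
    ifaces = re.findall(
        r"Interface: (\S+)\s+Querier: (\S+)\s+State: \w+ Timeout: (\S+)", text)
    return ifaces, params

def derived(p):
    """RFC 2236 section 8 formulas for the two derived timers."""
    rv, qi, qri = p["Robustness Count"], p["Query Interval"], p["Query Response Interval"]
    return {"Membership Timeout": rv * qi + qri,
            "Other Querier Present Timeout": rv * qi + qri / 2}

def audit(text):
    """Report derived timers that disagree and querier timers out of range."""
    ifaces, p = parse(text)
    want = derived(p)
    issues = [f"{k}: shown {p[k]}, expected {v}" for k, v in want.items() if p[k] != v]
    for name, querier, timeout in ifaces:
        # Assumption: "None" means no other-querier timer is running.
        if timeout != "None" and float(timeout) > want["Other Querier Present Timeout"]:
            issues.append(f"{name}: querier {querier} timer {timeout} exceeds limit")
    return issues
```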



Displaying IGMP Group Information
user@mx> show igmp group
Interface: ge-0/2/1.100
Group: 224.0.0.2
Source: 0.0.0.0
Last reported by: 10.0.15.2
Timeout: 255 Type: Dynamic
Group: 224.0.0.5
Source: 0.0.0.0
Last reported by: 10.0.15.2
Timeout: 256 Type: Dynamic
Group: 224.0.0.6
Source: 0.0.0.0
Last reported by: 10.0.15.2
Timeout: 256 Type: Dynamic
. . .
Interface: ge-0/0/3.0
Group: 224.7.7.7
Source: 0.0.0.0
Last reported by: 10.0.255.2
Timeout: 200 Type: Dynamic
Group: 224.8.8.8
Source: 0.0.0.0
Last reported by: 10.0.255.2
Timeout: 196 Type: Dynamic
. . .
Displaying IGMP Statistics
user@mx> show igmp statistics
IGMP packet statistics for all interfaces
IGMP Message type                     Received       Sent  Rx errors
Membership Query                            11         13          0
V1 Membership Report                         0          0          0
DVMRP                                        0          0          0
PIM V1                                       0          0          0
Cisco Trace                                  0          0          0
V2 Membership Report                        86          0          0
Group Leave                                  0          0          0
Mtrace Response                              0          0          0
Mtrace Request                               0          0          0
Domain Wide Report                           0          0          0
V3 Membership Report                         0          0          0
Other Unknown types                                                0
IGMP v3 unsupported type                                           0
IGMP v3 source required for SSM                                    0
IGMP v3 mode not applicable for SSM                                0

IGMP Global Statistics
Bad Length                                   0
Bad Checksum                                 0
Bad Receive If                              22
Rx non-local                                49



Troubleshooting IGMP
 Traceoptions
• Configure in the protocols igmp stanza

[edit protocols igmp]
user@mx# show
traceoptions {
    file igmp.log;
    flag all;
}

• Traceoptions flags: all, client-notification, general, group, host-notification, leave, mtrace, normal, packets, policy, query, report, route, state, task, timer
• Deactivate traceoptions when not in use.
• View using show log filename
user@mx> show log igmp.log | last
Oct 15 19:17:41.208878 task_timer_dispatch: calling IGMP_GMP router general query, late by 0.001
Oct 15 19:17:41.208892 task_timer_reset: reset IGMP_GMP router general query
Oct 15 19:17:41.208912 task_timer_reset: reset IGMP_GMP router general query
Oct 15 19:17:41.208919 task_timer_set_oneshot_latest: timer IGMP_GMP router general query interval set to 2
Oct 15 19:17:41.208925 task_timer_dispatch: returned from IGMP_GMP router general query, rescheduled in 2
Oct 15 19:17:43.210566 task_timer_dispatch: calling IGMP_GMP router general query, late by 0.001
Oct 15 19:17:43.210605 task_timer_reset: reset IGMP_GMP router general query
Oct 15 19:17:43.210627 task_timer_reset: reset IGMP_GMP router general query
Oct 15 19:17:43.210635 task_timer_set_oneshot_latest: timer IGMP_GMP router general query interval set to 2:05
