Non-dhcp users with subscriber management
Hello

I am new to Juniper MX. I successfully managed to configure customer
vlan with dynamic profiles for dhcp users. I attached the important
parts of the configuration at the end of this message.

In the real network we are using q-in-q double tagged vlans, but to make
things simple I am working with single tagged vlans for my lab. We have
customer vlans, where each customer has a unique vlan combination.

My configuration will first cause a radius server to be queried for the
validity of the vlan. Then the DHCP server is queried and finally the
subscriber is active. This is working now.

The problem is that I want customers to be able to configure without
using DHCP. Each customer has a static IP configuration. When using DHCP
the customer will always get the same IP address. We then tell the user
that he can optionally use DHCP. Or he can use a static configuration if
he likes that better.

This is an existing ISP network working as described. We are working to
replace the old BRAS with Juniper MX204. So it would be nice if we can
keep it working like it is today.

I am a bit stuck on where to go from here. Most of the examples I find
are all assuming DHCP. I am thinking that it should be possible to
supply the customer IP address via Radius instead of DHCP.

If needed, I could find out which users are using static configuration
without DHCP and then have Radius return something different for those
users.

Anyone have some advice for me?

Regards,

Baldur

The working DHCP configuration:

system {
    services {
        subscriber-management {
            maintain-subscriber {
                interface-delete;
            }
            enable;
        }
    }
    dynamic-profile-options {
        versioning;
    }
}
chassis {
    network-services enhanced-ip;
}
access-profile rad;
interfaces {
    et-0/0/0 {
        flexible-vlan-tagging;
        auto-configure {
            vlan-ranges {
                dynamic-profile DYNINTF-1VLANS-DHCP-INET {
                    accept any;
                    ranges {
                        any;
                    }
                }
                authentication {
                    password 12345678;
                    username-include {
                        user-prefix vlan;
                        vlan-tags;
                    }
                }
                access-profile rad;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 1.2.3.4/32;
            }
        }
    }
}
forwarding-options {
    dhcp-relay {
        server-group {
            dhcp-group-1 {
                1.2.3.5;
            }
        }
        active-server-group dhcp-group-1;
        group dhcp-group-1 {
            relay-option-82;
            interface et-0/0/0.0;
        }
    }
}
access {
    radius-server {
        1.2.3.6 {
            secret "xxx"; ## SECRET-DATA
            source-address 1.2.3.4;
        }
    }
    profile rad {
        accounting-order radius;
        authentication-order radius;
        radius {
            authentication-server 1.2.3.6;
            accounting-server 1.2.3.6;
            options {
                revert-interval 0;
            }
        }
        accounting {
            order radius;
            immediate-update;
            update-interval 15;
        }
    }
}
dynamic-profiles {
    DYNINTF-1VLANS-DHCP-INET {
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    proxy-arp restricted;
                    vlan-id "$junos-vlan-id";
                    family inet {
                        unnumbered-address lo0.0;
                    }
                }
            }
        }
    }
}



_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: Non-dhcp users with subscriber management
Either configure the DHCP server to match the option 82 VLAN tags (and
serve up a lease for the "static" IP space), or configure specific VLAN tag
combos under the interface (in your case et-0/0/0). For example:

et-0/0/0 {
    flexible-vlan-tagging;
    auto-configure {
        stacked-vlan-ranges {
            dynamic-profile l2-profile {
                accept [ dhcp-v4 dhcp-v6 ];
                ranges {
                    any,any;
                }
            }
            access-profile access-profile-1;
        }
        remove-when-no-subscribers;
    }
    /* statically configured customer on one outer/inner tag pair */
    unit 10 {
        vlan-tags outer 2002 inner 200;
        family inet {
            address 192.168.200.1/30;
        }
    }
}

On Thu, Jul 4, 2019 at 10:10 AM Baldur Norddahl <baldur@gigabit.dk> wrote:

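An added example, not part of any message in this thread, for the first suggestion in the reply above (the DHCP server keys the lease on the option 82 VLAN information): a parser for the RFC 3046 relay agent option with a fixed-lease lookup on the circuit-id that refuses malformed input. The circuit-id layout `et-0/0/0:2002-200`, the lease table and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample table. The circuit-id layout "<ifd>:<outer>-<inner>" is an
# assumption for illustration; use whatever your relay really inserts.
STATIC_LEASES = {"et-0/0/0:2002-200": ipaddress.ip_address("192.168.200.2")}

CIRCUIT_ID, REMOTE_ID = 1, 2  # RFC 3046 sub-option codes


def parse_option82(payload: bytes) -> dict:
    """Split an option 82 payload into {sub-option code: value}."""
    subopts, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} overruns the option")
        if code in subopts:  # defensive choice: ambiguous input is rejected
            raise ValueError(f"duplicate sub-option {code}")
        subopts[code] = value
        i += 2 + length
    return subopts


def lease_for(payload: bytes):
    """Return the fixed address for the circuit, or None if unknown."""
    try:
        circuit = parse_option82(payload).get(CIRCUIT_ID)
        return STATIC_LEASES.get(circuit.decode("ascii")) if circuit else None
    except ValueError:  # also covers UnicodeDecodeError
        return None  # malformed relay info: never guess a lease


def build_option82(circuit_id: str, remote_id: bytes = b"") -> bytes:
    """Build a constructed sample payload for the demo below."""
    cid = circuit_id.encode("ascii")
    out = bytes([CIRCUIT_ID, len(cid)]) + cid
    if remote_id:
        out += bytes([REMOTE_ID, len(remote_id)]) + remote_id
    return out


if __name__ == "__main__":
    print(lease_for(build_option82("et-0/0/0:2002-200")))  # known circuit
    print(lease_for(build_option82("et-0/0/0:2002-201")))  # unknown circuit
    print(lease_for(b"\x01\x20abc"))  # length byte overruns the payload
```

A server doing this should accept option 82 only from the relay's own address (the MX loopback in the posted configuration), since the circuit-id is the sole credential that selects the lease.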
Re: Non-dhcp users with subscriber management
Hi Baldur,

Maybe this feature could be useful for you, despite being documented in
completely the wrong place?
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/dual-stack-pppoe-access-ndra.html#id-ip-demultiplexing-interfaces-on-packet-triggered-subscribers-services-overview

Kind regards,
Andrey

Baldur Norddahl wrote on 2019-07-04 13:10: