Juniper MX BRAS – Part 2

In this post I will continue the deep dive into the Juniper MX configuration and tune it to work as a BRAS. Please refer to my previous blog post for more information on the PPP protocol stack.

Let's start. To configure the MX as a BRAS, the following configuration is needed on the BRAS:

Basic Configuration

  • Interface creation –> configuration inside dynamic profile
    • VLAN interface
    • PPP interface
  • PPP handling (PAP) –> configuration inside dynamic profile
  • Creating loopback
  • RADIUS authentication –> configuration inside access-profile
  • RADIUS accounting –> configuration inside access-profile
  • Address assignment –> configuration inside access-profile
  • Service and speed allocation

Advanced (Optional)

  • Advanced QoS
  • Change Of Authorization
  • Captive portal/redirection configuration
  • Wholesale

How does the MX handle the incoming PPP packets from the DSLAM?

The Juniper MX uses the concept of a Dynamic Profile to create a PPPoE interface under the main unit interface (ge-1/0/1.0 for example) upon receipt of a PPPoE PADR message (note: this is pure layer 2 communication and no IP is configured; the routing decision is left to the VLANs and the PPP session ID inside the PPP packets). Receipt of the PPP packet triggers the dynamic profile.


So what is the Dynamic Profile?

  • The dynamic interface is created on demand (i.e. when the user logs in) and deleted when the user logs out, in order to conserve BRAS resources. The subscriber configuration is "instantiated" from the template.
  • The dynamic profile allows you to dynamically create interfaces (VLAN interface or PPP interface) based on attributes captured from the network (such as the incoming VLAN) and from AAA (such as input and output filters). We will discuss this concept in detail in this post.

Juniper did a great job abstracting the dynamic profile configuration with variable-like parameters that are substituted during subscriber creation. These variables are preceded by a $ sign.

Basic/minimal info that the dynamic profile should include inside the pp0 interface (a built-in interface on the MX):

  • The logical unit number, represented by $junos-interface-unit (one logical interface per subscriber)
  • The name of the unit interface (ex: ge-1/0/1.0) that received the PPPoE packet, represented by the $junos-underlying-interface parameter
  • Instruct the router to act as a PPPoE server
  • The authentication protocol negotiated in the LCP phase and used during the authentication phase (PAP or CHAP)
  • The unnumbered address used in the NCP phase
  • Additional info for the dynamic profile
    • Keepalive timer for the PPPoE session
    • Input and output filters (speed returned from AAA)


After you configure a dynamic profile to define the attributes and parameters of a dynamic PPPoE subscriber interface, you must attach the dynamic profile to the underlying Ethernet interface on which you want the router to dynamically create the PPPoE logical interface. The underlying interface for a dynamic PPPoE logical interface must be statically created and configured with PPPoE (ppp-over-ether) encapsulation. When a PPPoE subscriber logs in on the underlying interface, the router dynamically creates the PPPoE logical interface and applies the attributes defined in the profile to it.

No more theory, let's start getting our hands dirty!

First we will configure the following parts:

  • Interface creation –> configuration inside dynamic profile
    • VLAN interface
    • PPP interface
  • PPP handling (PAP) –> configuration inside dynamic profile

Interface Creation

VLAN Interface

If you have a small, limited number of DSLAMs in your network, you can handle the VLAN configuration "manually" and create a sub-interface for each new DSLAM terminated on the MX edge. For example, if you have a new DSLAM in a POP that will be terminated at ge-1/0/1 on the BRAS, you need to enter the configuration below each time and change only the VLAN ID:

ge-0/0/1 {
    vlan-tagging;
    unit 800 {
        encapsulation ppp-over-ether;
        vlan-id 800;
        pppoe-underlying-options {
            access-concentrator TEDATA;
            dynamic-profile pppoe-profile;
        }
    }
    unit 900 {
        encapsulation ppp-over-ether;
        vlan-id 900;
        pppoe-underlying-options {
            access-concentrator TEDATA;
            dynamic-profile pppoe-profile;
        }
    }
}

PPP Interface

The PPP interface is created dynamically through the dynamic profile:

interfaces {
    pp0 {
        unit "$junos-interface-unit" {
            ppp-options {
                pap;
            }
            pppoe-options {
                underlying-interface "$junos-underlying-interface";
                server;
            }
            keepalives interval 30;
            family inet {
                filter {
                    input "$junos-input-filter";
                    output "$junos-output-filter";
                }
                unnumbered-address lo0.0;
            }
        }
    }
}
Let's break down each line in the configuration above.

1-Create a new dynamic profile called pppoe-profile

root@vMX-1# edit dynamic-profiles pppoe-profile

2-Use the pp0 interface to handle the incoming PPP packets and create a new subinterface on it for each subscriber

[edit dynamic-profiles pppoe-profile]

root@vMX-1# set interfaces pp0 unit $junos-interface-unit

3-Configure the pp0 subinterface to use PAP during authentication, inside ppp-options

[edit dynamic-profiles pppoe-profile]

root@vMX-1# set interfaces pp0 unit $junos-interface-unit ppp-options pap

4-Configure the pp0 subinterface to act as a PPPoE server, inside pppoe-options

[edit dynamic-profiles pppoe-profile]

root@vMX-1# set interfaces pp0 unit $junos-interface-unit pppoe-options server

5-Connect the newly created dynamic interface to the main interface that receives the traffic (for example: ge-1/0/1.800)

[edit dynamic-profiles pppoe-profile]

root@vMX-1# set interfaces pp0 unit $junos-interface-unit pppoe-options underlying-interface $junos-underlying-interface

6-Configure the IP unnumbered interface used during NCP

[edit dynamic-profiles pppoe-profile]

root@vMX-1# set interfaces pp0 unit "$junos-interface-unit" family inet unnumbered-address lo0.0

(Figure: Why use IP unnumbered?)

7-Configure the firewall filters returned from SBR (basically the speed)

[edit dynamic-profiles pppoe-profile]

root@vMX-1# set interfaces pp0 unit "$junos-interface-unit" family inet filter input "$junos-input-filter"

root@vMX-1# set interfaces pp0 unit "$junos-interface-unit" family inet filter output "$junos-output-filter"

(Figure: complete picture of the dynamic profile configuration)

(Figure: XML structure of the dynamic profile)

Let's complete the other parts:

  • Creating loopback
  • RADIUS authentication –> configuration inside access-profile
  • RADIUS accounting –> configuration inside access-profile
  • Address assignment –> configuration inside access-profile

Creating Loopback

#set interfaces lo0 unit 0 family inet address 90.90.90.1/32

Radius Authentication

1-Define the RADIUS servers

#set access radius-server 192.168.5.246 secret password123

#set access radius-server 192.168.5.246 source-address 192.168.3.103

#set access radius-server 192.168.5.247 secret password123

#set access radius-server 192.168.5.247 source-address 192.168.3.103

2-Create an access profile that uses the above RADIUS servers for authentication

#set access profile SBR radius authentication-server 192.168.5.246

#set access profile SBR radius authentication-server 192.168.5.247

#set access profile SBR authentication-order radius

3-Set the NAS-Identifier sent in the RADIUS requests

#set access profile SBR radius options nas-identifier 192.168.3.103

Radius Accounting

1-Instruct the MX to use the pre-configured RADIUS servers for accounting

#set access profile SBR radius accounting-server 192.168.5.246

#set access profile SBR radius accounting-server 192.168.5.247

#set access profile SBR accounting-order radius

IP Address Assignment

1-Configure the address pool name and network

#set access address-assignment pool BRAS_POOL family inet network 192.168.3.0/24

2-Configure the low and high addresses of the range

#set access address-assignment pool BRAS_POOL family inet range 1 low 192.168.3.66

#set access address-assignment pool BRAS_POOL family inet range 1 high 192.168.3.70

3-Configure the maximum lease time

#set access address-assignment pool BRAS_POOL family inet dhcp-attributes maximum-lease-time 3600

4-Configure the DNS server and gateway

#set access address-assignment pool BRAS_POOL family inet dhcp-attributes name-server 8.8.8.8

#set access address-assignment pool BRAS_POOL family inet dhcp-attributes router 192.168.3.4
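The pool above hands out five addresses from a /24 that the BRAS itself also lives in (192.168.3.103 is the RADIUS source address, 192.168.3.4 the gateway). A mistake in the range silently leases a router address to a subscriber, so a quick consistency check before committing is worth having. The following is an added example, not part of the original post or of any Juniper tool: it parses the exact set commands above (embedded as a constructed sample), counts the leasable addresses, and flags a range that contains the network or broadcast address, the router, or an address reserved for the BRAS (the reserved list and the check logic are my assumptions).

```python
import ipaddress
import re

# Constructed sample: the address-assignment statements from this post, as set commands
SAMPLE_CONFIG = """
set access address-assignment pool BRAS_POOL family inet network 192.168.3.0/24
set access address-assignment pool BRAS_POOL family inet range 1 low 192.168.3.66
set access address-assignment pool BRAS_POOL family inet range 1 high 192.168.3.70
set access address-assignment pool BRAS_POOL family inet dhcp-attributes maximum-lease-time 3600
set access address-assignment pool BRAS_POOL family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool BRAS_POOL family inet dhcp-attributes router 192.168.3.4
"""

# Addresses the BRAS itself uses in this post (lo0 and the RADIUS source address).
# A subscriber must never be leased one of these, so the check treats them as reserved (assumption).
RESERVED = ("90.90.90.1", "192.168.3.103")

LINE_RE = re.compile(r"^set access address-assignment pool (\S+) family inet (.+)$")


def parse_pools(config_text):
    """Turn the flat set commands into {pool: {network, ranges, dhcp}}."""
    pools = {}
    for raw in config_text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        name, rest = m.groups()
        pool = pools.setdefault(name, {"network": None, "ranges": {}, "dhcp": {}})
        tok = rest.split()
        if tok[0] == "network":
            pool["network"] = ipaddress.ip_network(tok[1], strict=True)
        elif tok[0] == "range":                      # range <id> low|high <addr>
            pool["ranges"].setdefault(tok[1], {})[tok[2]] = ipaddress.ip_address(tok[3])
        elif tok[0] == "dhcp-attributes":            # dhcp-attributes <key> <value>
            pool["dhcp"][tok[1]] = tok[2]
    return pools


def pool_size(pool):
    """Number of leasable addresses across all complete ranges."""
    return sum(int(r["high"]) - int(r["low"]) + 1
               for r in pool["ranges"].values() if "low" in r and "high" in r)


def check_pool(pool, reserved=RESERVED):
    """Return a list of problems; an empty list means the pool is consistent."""
    problems = []
    net = pool["network"]
    if net is None:
        return ["pool has no network statement"]
    router = pool["dhcp"].get("router")
    if router and ipaddress.ip_address(router) not in net:
        problems.append(f"router {router} is not inside {net}")
    # Addresses that must never fall inside a lease range
    forbidden = [("network address", net.network_address), ("broadcast address", net.broadcast_address)]
    forbidden += [("router", ipaddress.ip_address(router))] if router else []
    forbidden += [("reserved address", ipaddress.ip_address(r)) for r in reserved]
    for rid, rng in pool["ranges"].items():
        low, high = rng.get("low"), rng.get("high")
        if low is None or high is None:
            problems.append(f"range {rid}: missing low or high")
            continue
        if low > high:
            problems.append(f"range {rid}: low {low} is above high {high}")
        if low not in net or high not in net:
            problems.append(f"range {rid}: {low}-{high} is not inside {net}")
        for label, addr in forbidden:
            if addr.version == low.version and low <= addr <= high:
                problems.append(f"range {rid}: {label} {addr} falls inside {low}-{high}")
    lease = pool["dhcp"].get("maximum-lease-time")
    if lease is not None and not lease.isdigit():
        problems.append(f"maximum-lease-time {lease!r} is not a number of seconds")
    return problems


if __name__ == "__main__":
    for name, pool in parse_pools(SAMPLE_CONFIG).items():
        print(name, pool_size(pool), "addresses;", check_pool(pool) or "OK")
```

Widening the range to 192.168.3.1-192.168.3.254, a tempting shortcut when the pool runs dry, makes the check report both the gateway and the BRAS source address as leasable, which is exactly the kind of overlap that shows up later as a mysterious duplicate-address problem.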

Firewall and speed allocation

Firewall filters and policers are used to limit the subscriber port to a specific bandwidth. Advanced QoS and hierarchical schedulers will be discussed later; for now we will apply an ingress and an egress speed to each subscriber subinterface.

1-Configure the egress filter

#set firewall family inet filter MONTHLY_4096_OUT interface-specific

#set firewall family inet filter MONTHLY_4096_OUT term 1 then policer MONTHLY_4096_POLICER

#set firewall family inet filter MONTHLY_4096_OUT term 1 then accept

2-Configure the ingress filter

#set firewall family inet filter MONTHLY_4096_IN interface-specific

#set firewall family inet filter MONTHLY_4096_IN term 1 then policer MONTHLY_256K_POLICER

#set firewall family inet filter MONTHLY_4096_IN term 1 then accept

3-Configure the policer used in the egress filter

#set firewall policer MONTHLY_4096_POLICER if-exceeding bandwidth-limit 4m

#set firewall policer MONTHLY_4096_POLICER if-exceeding burst-size-limit 100k

#set firewall policer MONTHLY_4096_POLICER then discard

4-Configure the policer used in the ingress filter

#set firewall policer MONTHLY_256K_POLICER if-exceeding bandwidth-limit 1m

#set firewall policer MONTHLY_256K_POLICER if-exceeding burst-size-limit 128k

#set firewall policer MONTHLY_256K_POLICER then discard
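A policer like MONTHLY_4096_POLICER is a token bucket: bandwidth-limit is the refill rate in bits per second, burst-size-limit is the bucket depth in bytes, and "then discard" drops any packet that does not fit in the bucket. To make the interaction between rate and burst concrete, here is an added example (my own model, not Junos code; the exact refill behaviour of MX hardware is simplified) that parses the post's rate literals and replays a constructed packet trace through the egress policer. It shows that the first 100 kB of a burst passes untouched and that the steady-state acceptance afterwards settles at one packet in three for a 12 Mbit/s sender, i.e. 4 Mbit/s.

```python
# Token-bucket model of a Junos single-rate policer:
#   if-exceeding bandwidth-limit <bits/s> burst-size-limit <bytes> then discard
# Tokens are stored as bytes * SCALE so that (microseconds * bits/s) refills are exact integers.
SCALE = 8_000_000

# Junos rate/size suffixes are decimal (k = 1000, m = 1,000,000, g = 1,000,000,000)
MULTIPLIER = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def parse_rate(text):
    """Parse a literal such as '4m', '100k' or '1500' into an integer."""
    text = text.strip().lower()
    suffix = text[-1] if text[-1] in MULTIPLIER else ""
    return int(text[:-1] if suffix else text) * MULTIPLIER[suffix]


class Policer:
    def __init__(self, bandwidth_limit, burst_size_limit):
        self.bps = parse_rate(bandwidth_limit)
        self.bucket = parse_rate(burst_size_limit) * SCALE
        self.tokens = self.bucket            # the bucket starts full, so a burst passes first
        self.last_us = 0
        self.accepted = self.discarded = 0

    def offer(self, t_us, size_bytes):
        """Offer one packet at time t_us (microseconds). True = conforming, False = discarded."""
        self.tokens = min(self.bucket, self.tokens + (t_us - self.last_us) * self.bps)
        self.last_us = t_us
        need = size_bytes * SCALE
        if need <= self.tokens:
            self.tokens -= need
            self.accepted += 1
            return True
        self.discarded += 1                  # 'then discard': non-conforming packet is dropped
        return False


def run_trace(policer, interval_us, size_bytes, count):
    """Send `count` packets of size_bytes spaced interval_us apart; return (accepted, discarded)."""
    for i in range(count):
        policer.offer(i * interval_us, size_bytes)
    return policer.accepted, policer.discarded


def accepted_rate_bps(accepted, size_bytes, interval_us, count):
    """Average bit rate that made it through the policer over the whole trace."""
    return accepted * size_bytes * 8 / (count * interval_us / 1_000_000)


if __name__ == "__main__":
    # Constructed trace: a subscriber pushing 1500-byte packets every 1 ms (12 Mbit/s) for 0.5 s
    acc, disc = run_trace(Policer("4m", "100k"), 1_000, 1500, 500)   # MONTHLY_4096_POLICER
    print(f"12 Mbit/s offered: accepted {acc}, discarded {disc}, "
          f"{accepted_rate_bps(acc, 1500, 1_000, 500) / 1e6:.2f} Mbit/s passed (burst included)")
    # The same subscriber at 1.2 Mbit/s never drains the bucket, so nothing is discarded
    print("1.2 Mbit/s offered:", run_trace(Policer("4m", "100k"), 10_000, 1500, 500))
```

Note that the ingress policer in the post, MONTHLY_256K_POLICER, is configured with bandwidth-limit 1m, so the name and the actual limit disagree; when filter and policer names are returned by RADIUS it pays to keep them truthful, because the name is all the accounting record shows.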

(Figure: summary of the configuration above)

Steel-Belted Radius Configuration

We will add a subscriber username as a Native User inside SBR and configure the return-list attributes to return the address pool name (BRAS_POOL) and authorize the subscriber with the two policies applied in both directions (ingress & egress). We will also add our router IP address as a RADIUS client inside SBR and configure it with the same shared secret.

Now let's test! Let's fire up our PPPoE client.

1-Start the PPPoE client and configure it with the username and password defined inside Steel-Belted Radius.

MX Logs

Jumping into the MX to see the status of the subscriber, you can see that the user is successfully connected to the BRAS and got an IP address from the allocated range:

root@vMX-1# run show dynamic-configuration session information session-id 3

Session info:
  Accounting session ID: 3
  IP address: 192.168.3.66
  IP netmask: 255.255.255.0
  Logical system name: default
  Profile name: PP0
  Session version: 2
  Physical IFD name of the interface: ge-0/0/1
  MAC address: 00:0c:29:b6:25:41
  NAS port type: 15
  Routing instance: default
  Access Profile: SBR
  User name: basim@tedata.net.eg
  Interface IFD Name: pp0
  Interface name: pp0.1073741826 //Dynamically Created interface by Dynamic profile
  Unit number of the interface: 1073741826
  Dynamic-configuration state: 2
  Client session type: 64
  IFL type: 2
  Framed Ipv4 Pool: BRAS_POOL
  Accounting type: 1
  Accounting interval: 0
  Client login time: 2015-10-13 17:53:46 UTC
  VLAN tag: 800
  Service Type: 2
  Framed Protocol: 1
  Advisory options upstream rate: 0
  Advisory options downstream rate: 0
  Primary DNS address: 8.8.8.8
  NAS port: 4195104
  Configuration bits: 0x80003 0 0 0 0 0
  Dynamic configuration:
    junos-input-filter: MONTHLY_4096_IN //Applied Firewall ingress filter
    junos-output-filter: MONTHLY_4096_OUT //Applied Firewall egress filter

SBR Logs

1-Access-Request received from the BRAS

Authentication Request
Received from IpAddr=192.168.3.103 Port=58716
Packet Code=0x01 Id=0x01
Client Name="192.168.3.103"
Dictionary Name="juniper.dct"
Vector =
000: e2 07 ed 9e 00 38 29 2e d2 49 48 90 f1 67 a6 2e |.....8)..IH..g..|
Parsed Packet :
  User-Name : String Value = basim@tedata.net.eg
  User-Password : Value =
  000: 2e 02 66 a4 2a 42 75 24 8a c1 7d 9b 8c 8d db df |..f.*Bu$..}.....|
  Service-Type : Integer Value = 2
  Framed-Protocol : Integer Value = 1
  Chargeable-User-Identity : String Value =
  Acct-Session-Id : String Value = 3
  Unisphere-Dhcp-Mac-Addr : String Value = 000c.29b6.2541
  NAS-Identifier : String Value = 192.168.3.103
  NAS-Port : Integer Value = 4195104
  NAS-Port-Type : Integer Value = 15
  NAS-IP-Address : IPAddress = 192.168.3.103

2-Access-Accept sent from SBR to the BRAS

Authentication Response
Packet Code=0x02 Id=0x01
Vector =
000: 43 96 10 96 8d 24 55 c6 7f 6c e3 d5 33 c5 2a 05 |C....$U..l..3.*.|
  Framed-Pool : String Value = BRAS_POOL //returned IP Pool
  Unisphere-Egress-Policy-Name : String Value = MONTHLY_4096_OUT //returned egress filter
  Unisphere-Ingress-Policy-Name : String Value = MONTHLY_4096_IN //returned ingress filter

3-Accounting-Request sent from the BRAS to SBR

Accounting Request
Received from IpAddr=192.168.3.103 Port=58716
Packet Code=0x04 Id=0x02
Client Name="192.168.3.103"
Dictionary Name="juniper.dct"
Vector =
000: 06 4d 42 c7 ff e2 22 48 20 36 e3 86 e9 36 0f 84 |.MB..."H 6...6..|
Parsed Packet :
  User-Name : String Value = basim@tedata.net.eg
  Acct-Status-Type : Integer Value = 1 //Accounting-Start
  Acct-Session-Id : String Value = 3
  Event-Timestamp : Integer Value = 1444758828
  Service-Type : Integer Value = 2
  Framed-Protocol : Integer Value = 1
  Unknown type : Value =
  000: 00 00 13 0a b1 16 50 6f 72 74 20 53 70 65 65 64 |......Port Speed|
  010: 3a 20 31 30 30 30 30 30 30 6b                   |: 1000000k      |
  Acct-Authentic : Integer Value = 1
  Acct-Delay-Time : Integer Value = 0
  Unisphere-Dhcp-Mac-Addr : String Value = 000c.29b6.2541
  Unisphere-Egress-Policy-Name : String Value = MONTHLY_4096_OUT
  Framed-IP-Address : IPAddress = 192.168.3.66
  Framed-IP-Netmask : IPAddress = 255.255.255.0
  Unisphere-Ingress-Policy-Name : String Value = MONTHLY_4096_IN
  NAS-Identifier : String Value = 192.168.3.103
  NAS-Port : Integer Value = 4195104
  NAS-Port-Type : Integer Value = 15
  NAS-IP-Address : IPAddress = 192.168.3.103
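The three packets in the log are the whole trust relationship between the BRAS and SBR: the PAP password travels hidden under MD5(secret + authenticator), the Access-Accept carries the pool and policy names that become $junos-input-filter and $junos-output-filter, and the only thing stopping a spoofed Accept from being honoured is the Response Authenticator computed over the shared secret. The following is an added example, not code from the post or from Juniper or SBR: it rebuilds the Access-Request, Access-Accept and Accounting-Request with constructed values (the password, the fixed Request Authenticator) and shows the PAP hiding, the Juniper VSAs, and the authenticator checks on both sides. The ERX sub-attribute numbers for the two policy names are my assumption from the public ERX dictionary and should be checked against the juniper.dct in use; the shared secret is the one from the post's config, and since every value here derives from it, a real deployment needs a long random one.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute numbers (RFC 2865/2866/2869) that appear in the SBR log above
ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
FRAMED_PROTOCOL, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC = 7, 8, 26
NAS_IDENTIFIER, ACCT_STATUS_TYPE, ACCT_SESSION_ID, FRAMED_POOL = 32, 40, 44, 88
# Juniper (Unisphere/ERX) vendor id 4874. Sub-attribute numbers are an assumption taken from the
# public ERX dictionary (Ingress-Policy-Name 10, Egress-Policy-Name 11); check your juniper.dct.
JUNIPER_VENDOR_ID, ERX_INGRESS_POLICY_NAME, ERX_EGRESS_POLICY_NAME = 4874, 10, 11

SECRET = b"password123"                   # shared secret from the post's config; weak, use a long random one
REQUEST_AUTH = bytes(range(0xE0, 0xF0))  # constructed fixed Request Authenticator (a NAS draws 16 random bytes)


def avp(attr_type, value):
    """One attribute: Type, Length (header included), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def vsa(vendor_id, sub_type, value):
    """Vendor-Specific (26) attribute carrying one vendor sub-attribute."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + avp(sub_type, value))


def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    clear = password.encode()
    clear += b"\x00" * (-len(clear) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(clear), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(clear[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide; what SBR does before comparing against the Native User's password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def signed_packet(code, ident, request_auth, attrs, secret):
    """Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    For an Accounting-Request the RequestAuth field is 16 zero bytes (RFC 2866 section 3)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify(pkt, request_auth, secret):
    """Recompute the authenticator; a NAS must do this before acting on an Access-Accept."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(pkt[4:20], expected)


def parse_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        length = body[i + 1]
        attrs.append((body[i], body[i + 2:i + length]))
        i += length
    return attrs


def returned_policies(accept_pkt):
    """Extract Framed-Pool and the Juniper policy-name VSAs from an Access-Accept."""
    names = {ERX_INGRESS_POLICY_NAME: "ingress", ERX_EGRESS_POLICY_NAME: "egress"}
    out = {}
    for t, v in parse_attrs(accept_pkt[20:]):
        if t == FRAMED_POOL:
            out["framed_pool"] = v.decode()
        elif t == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == JUNIPER_VENDOR_ID:
            for sub_t, sub_v in parse_attrs(v[4:]):
                out[names.get(sub_t, sub_t)] = sub_v.decode()
    return out


def run_exchange():
    """Rebuild the three packets of the log with constructed values and check each authenticator."""
    request = packet(ACCESS_REQUEST, 1, REQUEST_AUTH, [
        avp(USER_NAME, b"basim@tedata.net.eg"),
        avp(USER_PASSWORD, pap_hide("pppoe-pw", SECRET, REQUEST_AUTH)),   # constructed password
        avp(SERVICE_TYPE, struct.pack("!I", 2)), avp(FRAMED_PROTOCOL, struct.pack("!I", 1)),
        avp(NAS_IDENTIFIER, b"192.168.3.103"), avp(NAS_IP_ADDRESS, bytes([192, 168, 3, 103]))])
    # Server side: unhide the PAP password with the Request Authenticator carried in the packet
    password = pap_reveal(dict(parse_attrs(request[20:]))[USER_PASSWORD], SECRET, request[4:20])
    accept = signed_packet(ACCESS_ACCEPT, 1, request[4:20], [
        avp(FRAMED_POOL, b"BRAS_POOL"),
        vsa(JUNIPER_VENDOR_ID, ERX_EGRESS_POLICY_NAME, b"MONTHLY_4096_OUT"),
        vsa(JUNIPER_VENDOR_ID, ERX_INGRESS_POLICY_NAME, b"MONTHLY_4096_IN")], SECRET)
    # NAS side: an Accept whose attributes were altered in transit fails the authenticator check
    tampered = accept.replace(b"BRAS_POOL", b"TEST_POOL")
    accounting = signed_packet(ACCOUNTING_REQUEST, 2, b"\x00" * 16, [
        avp(ACCT_STATUS_TYPE, struct.pack("!I", 1)), avp(ACCT_SESSION_ID, b"3"),
        avp(FRAMED_IP_ADDRESS, bytes([192, 168, 3, 66]))], SECRET)
    return {"password": password,
            "accept_verified": verify(accept, REQUEST_AUTH, SECRET),
            "tampered_verified": verify(tampered, REQUEST_AUTH, SECRET),
            "accounting_verified": verify(accounting, b"\x00" * 16, SECRET),
            **returned_policies(accept)}


if __name__ == "__main__":
    for key, value in run_exchange().items():
        print(f"{key}: {value}")
```

The Accept-side check is the one to keep in mind when a subscriber "gets the wrong pool": the MX only applies Framed-Pool and the policy VSAs when the authenticator matches, so a secret mismatch between the radius-server statement and the SBR client entry shows up as a silently ignored reply rather than an error in the attributes.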

4-Active Session

CurrentSessions:
+-------------------------------------------------+ (1)
CORE
  UniqueSessionId: '1f0b5a234793efca010c6c33cf88b111'x
  CreationTime: 2015-10-13 17:53:48 (TZ=+00:00)
  ExpirationTime: 2015-10-14 17:53:48 (TZ=+00:00)
  Ipv4Address: 192.168.3.66
  IpAddrPool: (null)
  NasName: "192.168.3.103"
  Status: Active (2)
  UserConcurrencyId: (null)
  MobileIpType: 0
  3gpp2ReqType: 0
  WimaxClientType: 0
  WimaxAcctFlows:
FEATURE
  AcctAutoStop: (null)
  ClassAttribute: '00'x
OPTIONAL
  UserName: "basim@tedata.net.eg"
  AcctSessionId: "3"
  TransactionId: (null)
  NasPortType: Ethernet (15)
  NasPort: 4,195,104
  CallingStationId: (null)
  CalledStationId: (null)
  MobileCorrelationId: (null)
  Ipv6InterfaceId: (null)
  NasIpv4Address: 192.168.3.103
  NasIpv6Address: (null)
RADATTR
  WimaxSessionId: (null)
  AcctMultiSessionId: (null)
  FunkOuterUserName: (null)
PRIVATE

Great, everything is OK now!

But is there a way to make the overall picture more "dynamic"? Is there a way to avoid provisioning the VLAN manually and instead use a dynamic configuration to provision it automatically?


The answer is yes. We can configure the VLAN to be provisioned dynamically as well, using a special interface called "demux" that hosts the VLAN and S-VLAN stack. We will talk about this scenario in the next blog post, isA, and we will also talk about the difference between the Service VLAN and Customer VLAN design approaches in the aggregation network.


16 thoughts on "Juniper MX BRAS – Part 2"

  1. Thanks for your great explanation. Can you email me the full configuration so that I can use it in my demo? Also, I need your help with freePCRF if you have it.

  2. Dear @basimaly

    Thank you so much for the clear and very useful guide. Could you please show me how to configure MX BRAS to use another RADIUS server (not SBR)?

    Thanks!

  3. Hi Basim,

    I have gone through this multiple times and I’m still having some trouble. If you would send the actual configuration which you have done on MX, I’d be really grateful. My email is vajahat07@gmail.com

    Thanks!

  4. Great tutorial! I was wondering, if I were to use NAT for address assignment, could you provide a sample config to tie in with this config?

    Thank you so much

  5. Thanks for the informative post. Everything seems to be working except for applying interface-specific filters. It doesn’t seem to matter if I apply them statically from the pppoe config or via radius. Is there perhaps a chassis configuration that is needed to be able to apply interface-specific filters?

  6. Quick update in case anyone else runs into this. I figured out that my MX was running in all ethernet network-services mode. I reconfigured it in ip mode, rebooted and everything works now.
