Release
11.4
Published: 2011-11-14
This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto.
This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation
and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright ©
1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.
GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through
release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s
HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD
software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D.
L. S. Associates.
This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are
owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312,
6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Junos OS Broadband Subscriber Management Solutions Guide
Release 11.4
Copyright © 2011, Juniper Networks, Inc.
All rights reserved.
Revision History
November 2011—R1 Junos OS 11.4
The information in this document is current as of the date listed in the revision history.
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions
of that EULA.
If the information in the latest release notes differs from the information in the
documentation, follow the JUNOS Release Notes.
To obtain the most current version of all Juniper Networks technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/ .
Juniper Networks supports a technical book program to publish books by Juniper Networks
engineers and subject matter experts with book publishers around the world. These
books go beyond the technical documentation to explore the nuances of network
architecture, deployment, and administration using the Junos operating system (Junos
OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library,
published in conjunction with O'Reilly Media, explores improving network security,
reliability, and availability using Junos OS configuration techniques. All the books are for
sale at technical bookstores and book outlets around the world. The current list can be
viewed at http://www.juniper.net/books .
Objectives
Audience
This guide is designed for network administrators who are configuring and monitoring a
Juniper Networks MX Series 3D Universal Edge Router.
To use this guide, you need a broad understanding of networks in general, the Internet
in particular, networking principles, and network configuration. You must also be familiar
with one or more of the following Internet routing protocols:
Personnel operating the equipment must be trained and competent; must not conduct
themselves in a careless, willfully negligent, or hostile manner; and must abide by the
instructions provided by the documentation.
For the features described in this manual, the Junos OS currently supports the following
router:
If you want to use the examples in this manual, you can use the load merge or the load
merge relative command. These commands cause the software to merge the incoming
configuration into the current candidate configuration. The example does not become
active until you commit the candidate configuration.
If the example configuration contains the top level of the hierarchy (or multiple
hierarchies), the example is a full example. In this case, use the load merge command.
If the example configuration does not start at the top level of the hierarchy, the example
is a snippet. In this case, use the load merge relative command. These procedures are
described in the following sections.
1. From the HTML or PDF version of the manual, copy a configuration example into a
text file, save the file with a name, and copy the file to a directory on your routing
platform.
For example, copy the following configuration to a file and name the file ex-script.conf.
Copy the ex-script.conf file to the /var/tmp directory on your routing platform.
system {
    scripts {
        commit {
            file ex-script.xsl;
        }
    }
}
interfaces {
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
2. Merge the contents of the file into your routing platform configuration by issuing the
load merge configuration mode command:
[edit]
user@host# load merge /var/tmp/ex-script.conf
load complete
Merging a Snippet
To merge a snippet, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration snippet into a text
file, save the file with a name, and copy the file to a directory on your routing platform.
For example, copy the following snippet to a file and name the file
ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory
on your routing platform.
commit {
    file ex-script-snippet.xsl;
}
2. Move to the hierarchy level that is relevant for this snippet by issuing the following
configuration mode command:
[edit]
user@host# edit system scripts
[edit system scripts]
3. Merge the contents of the file into your routing platform configuration by issuing the
load merge relative configuration mode command:
For more information about the load command, see the Junos OS CLI User Guide.
Documentation Conventions
Caution Indicates a situation that might result in loss of data or hardware damage.
Laser warning Alerts you to the risk of personal injury from a laser.
Table 2 on page xvii defines the text and syntax conventions used in this guide.
Bold text like this
    Description: Represents text that you type.
    Example: To enter configuration mode, type the configure command:
        user@host> configure
Fixed-width text like this
    Description: Represents output that appears on the terminal screen.
    Example:
        user@host> show chassis alarms
        No alarms currently active
Italic text like this
    Description:
    • Introduces important new terms.
    • Identifies book names.
    • Identifies RFC and Internet draft titles.
    Examples:
    • A policy term is a named structure that defines match conditions and actions.
    • Junos OS System Basics Configuration Guide
    • RFC 1997, BGP Communities Attribute
Italic text like this
    Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
    Example: Configure the machine’s domain name:
        [edit]
        root@# set system domain-name domain-name
Text like this
    Description: Represents names of configuration statements, commands, files, and directories; interface names; configuration hierarchy levels; or labels on routing platform components.
    Examples:
    • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
    • The console port is labeled CONSOLE.
< > (angle brackets)
    Description: Enclose optional keywords or variables.
    Example: stub <default-metric metric>;
# (pound sign)
    Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
    Example: rsvp { # Required for dynamic MPLS only
[ ] (square brackets)
    Description: Enclose a variable for which you can substitute one or more values.
    Example: community name members [ community-ids ]
> (bold right angle bracket)
    Description: Separates levels in a hierarchy of J-Web selections.
    Example: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need postsales technical support, you can access
our tools and resources online or open a case with JTAC.
• JTAC Hours of Operation —The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
This guide focuses on the general components necessary for configuring a Juniper
Networks MX Series 3D Universal Edge Router to dynamically provision and manage
subscribers. However, you can also use a Juniper Networks EX Series Ethernet Switch in
a subscriber network.
• Planning and configuring a virtual LAN (VLAN) architecture for the access network.
and disconnect operations through external servers, and address assignment through
a combination of local address-assignment pools and RADIUS.
• Configuring DHCP local server or DHCP relay for subscriber address assignment for
DHCP-based networks.
• Configuring dynamic profiles to include dynamic IGMP, firewall filter, and class of
service (CoS) configuration for subscriber access.
To better understand the subscriber access network, this guide also provides general
information about some hardware not from Juniper Networks and suggests methods for
choosing different network configuration options. You can configure a subscriber network
in many different ways. This guide does not cover all configuration scenarios. It is intended
as a starting point for understanding subscriber management and how you can use
Juniper Networks hardware and software to plan and build your own subscriber
management solution.
Figure 1 on page 5 illustrates how network elements can make up a residential broadband
access network.
[Figure 1: Residential broadband access network. Labels in the figure: BSR, Apps, SIP, Video, VSO/Central Office, MSAN, VSR and Aggregation Switch, MX Series, EX Series.]
• BSR (broadband services router)—A router used for subscriber management and
edge routing.
• DHCP (Dynamic Host Configuration Protocol )—A mechanism through which hosts
using TCP/IP can obtain protocol configuration parameters automatically from a DHCP
server on the network; allocates IP addresses dynamically so that they can be reused
when no longer needed.
• Multiplay—A networking paradigm that enables the ability to add new and robust
networking services that individual subscribers can access.
• OSPF (Open Shortest Path First)—A link-state interior gateway protocol (IGP) that
makes routing decisions based on the shortest-path-first (SPF) algorithm (also referred
to as the Dijkstra algorithm).
• PIM (Protocol Independent Multicast)—A multicast routing protocol used for delivering
multicast messages in a routed environment.
• set-top box—The end host or device used to receive IPTV video streams.
• Triple play—A networking paradigm that dedicates bandwidth to data, voice, and
video service.
• VOD (video on demand)—A unicast streaming video offering by service providers that
enables the reception of an isolated video session per user with rewind, pause, and
similar VCR-like capabilities.
• VSR (video services router)—A router used in a video services network to route video
streams between an access network and a metro or core network. The video services
router is any M Series Multiservice Edge Router or MX Series router that supports the
video routing package provided with Junos OS Release 8.3 or later.
The Junos OS Broadband Subscriber Management Solutions Guide relies heavily on existing
configuration documentation. In particular, this guide references configuration material
presented in the Junos OS Subscriber Access Configuration Guide. We recommend you
become familiar with the configuration options presented for subscriber access before
reading this guide.
For more detailed configuration information, see the following Junos OS documents:
For other solution examples, see the following Junos OS solutions guides:
In addition to related Junos OS documentation, you can obtain useful information from
the JunosE Software documentation. Many features described in the JunosE Broadband
Access Configuration Guide are similar to those described in both this guide and the Junos
OS Subscriber Access Configuration Guide.
This document defines triple play and multiplay networks as different entities:
• A triple play network dedicates bandwidth to each possible service—data, voice, and
video. This method works well when a limited number of services are deployed and
sufficient bandwidth is available.
• A multiplay network refers to the ability to add new and robust networking services
that each subscriber can access. This method requires the integration of dynamic
bandwidth management and the ability to manage subscribers dynamically through
the use of features such as hierarchical quality of service (QoS) and a AAA service
framework that provides authentication, accounting, dynamic change of authorization
(CoA), and dynamic address assignment.
Table 3 on page 8 provides some comparison between a triple play and multiplay
network and the level of flexibility associated with certain networking options.
Bandwidth Management
    Triple play: Fixed bandwidth allocation for each service.
    Multiplay: One bandwidth pool for each subscriber is shared by all services.
Adding New Services
    Triple play: Requires deallocating bandwidth from one service and allocating that bandwidth to the new service.
    Multiplay: The existence of one shared bandwidth pool eliminates the need to reallocate bandwidth to new services.
Subscriber Flexibility
    Triple play: Limited subscriber flexibility because a fixed bandwidth is allocated to each service or application.
    Multiplay: Subscribers can use their share of bandwidth for whatever applications they want to run.
Client Device Types
    Triple play: Client devices (PCs or set-top boxes) are dedicated to specific services and often assigned to specific ports on customer premise equipment.
    Multiplay: Client devices are not assigned to any specific ports. This flexibility enables the ability to use client devices for various services (for example, adding software to a PC to enable television broadcasts) and allows different client devices (PCs, Voice-over-IP phones, and set-top boxes) to reside on a single LAN.
With software and hardware now available to enable client devices to access and use
the network in a variety of ways, bandwidth demands increasing, and new networking
business models emerging, dynamic support of new applications is required to ensure
subscriber satisfaction. A dynamic multiplay network configuration can provide the
flexibility to meet these demands.
Broadband History
This always on model quickly evolved in several ways. Dedicated broadband access such
as DSL replaced dial-up service, replacing the dial-up modem with a DSL modem. Dial-up
remote access servers were replaced by the Broadband Remote Access Server (B-RAS)
and residential gateways were introduced to allow multiple PCs from one site to connect
to the broadband network. Residential gateways have since evolved to provide a wide
range of functions including firewall and wireless (802.11b/g/n Wi-Fi) connectivity. The
residential gateway also became the termination point for the PPP connection, eliminating
the need for the installation of special PC software.
These new broadband networks were built based on the following two key assumptions:
• Traffic was TCP-based and not real-time. If a packet was lost due to network
congestion, TCP detected the loss and retransmitted the packets.
The basic broadband architecture was initially defined by DSL Forum TR-025 (November
1999). This specification assumed only one service was provided to subscribers—Internet
Access (or data). DSL Forum TR-059 (September 2003) introduced quality of service
(QoS) to allow broadband networks to deliver voice over IP (VoIP) in addition to data.
Because VoIP is a small percentage of overall network traffic, its introduction has not
significantly altered the broadband delivery landscape. It is also worth noting that these
original standards specified ATM as the Layer 2 protocol on the broadband network.
Point-to-Point Protocol (PPP) is used for communications between two nodes, such as
between a client and a server. Originally defined by the IETF in RFC 1661, and used for
direct connection between devices over a leased line using ISO 3309 framing, several
methods have been defined to establish PPP connections across other media. Because
residential broadband services historically used an ATM infrastructure, Point-to-Point
Protocol over ATM (PPPoA) was originally the dominant access protocol in service
provider networks. However, as networks have transitioned to Ethernet, Point-to-Point
Protocol over Ethernet (PPPoE) has emerged as an alternative to PPPoA.
The usage of PPP for subscriber access is not without its challenges, however. As more
client connections are managed, the amount of state information maintained by the
routers increases. The management of this state information can become more complex
when using advanced features and when managing clients dynamically.
Four primary delivery options exist today for delivering broadband network service. These
options include the following:
• Active Ethernet
The head-end to a DSL system is the Digital Subscriber Line Access Multiplexer (DSLAM).
The demarcation device at the customer premise is a DSL modem. DSL service models
are defined by the Broadband Forum (formerly called the DSL Forum).
Active Ethernet
Active Ethernet uses traditional Ethernet technology to deliver broadband service across
a fiber-optic network. Active Ethernet does not provide a separate channel for existing
voice service, so VoIP (or TDM-to-VoIP) equipment is required. In addition, sending
full-speed (10 or 100 Mbps) Ethernet requires significant power, necessitating distribution
to Ethernet switches and optical repeaters located in cabinets outside of the central
office. Due to these restrictions, early Active Ethernet deployments typically appear in
densely populated areas.
A key advantage of PON is that it does not require any powered equipment outside of
the central office. Each fiber leaving the central office is split using a non-powered optical
splitter. The split fiber then follows a point-to-point connection to each subscriber.
• ATM PON (APON), Broadband PON (BPON), and Gigabit-capable PON (GPON)—PON
standards that use the following different delivery options:
• APON—The first passive optical network standard is primarily used for business
applications.
• GPON—The most recent PON adaptation, GPON is based on BPON but supports
higher rates, enhanced security, and a choice of which Layer 2 protocol to use (ATM,
Generic Equipment Model [GEM], or Ethernet).
• Ethernet PON (EPON)—Provides capabilities similar to GPON, BPON, and APON, but
uses Ethernet standards. These standards are defined by the IEEE. Gigabit Ethernet
PON (GEPON) is the highest speed version.
The head-end to a PON system is an Optical Line Terminator (OLT). The demarcation
device at the customer premises is an Optical Network Terminator (ONT). The ONT
provides subscriber-side ports for connecting Ethernet (RJ-45), telephone wires (RJ-11)
or coaxial cable (F-connector).
Many implementations use existing copper cabling to deliver signal to the premises, but
fiber-optic cable connectivity is making its way closer to the subscriber. Most networks
use a combination of both copper and fiber-optic cabling. The term fiber to the x (FTTx)
describes how far into the network fiber-optic cabling runs before a switch to copper
cabling takes place. Both PON and Active Ethernet can use the fiber-optic portion of the
network, while xDSL is typically used on the copper portion. This means that a single
fiber-optic strand may support multiple copper-based subscribers.
Increasing the use of fiber in the network increases cost but it also increases network
access speed to each subscriber.
The following terms are used to describe the termination point of fiber-optic cable in a
network:
• Fiber to the Premises (FTTP), Fiber to the Home (FTTH), Fiber to the Business
(FTTB)—Fiber extends all the way to the subscriber. PON is most common for residential
access, although Active Ethernet can be efficiently used in dense areas such as
apartment complexes. Active Ethernet is more common for delivering services to
businesses.
• Fiber to the Curb (FTTC)—Fiber extends most of the way (typically, 500 feet/150
meters or less) to the subscriber. Existing copper is used for the remaining distance to
the subscriber.
The edge router is the demarcation point between the residential broadband access
network and the core network. The Juniper Networks MX Series router (along with the
Juniper Networks EX Series Ethernet Switch) can play multiple roles as an edge router.
The most common include the following:
• Broadband services router (BSR)—This router supports high speed Internet access
along with several other subscriber-based services including VoIP, IPTV, and gaming.
• Video services router (VSR)—The video services router capabilities are a subset of
those provided by a broadband services router. In general, using the MX Series router
as a video services router provides bi-directional traffic destined for the set-top box
(STB). This traffic includes IPTV and video on demand (VoD) streams as well as
associated control traffic such as IGMP and electronic program guide (EPG) updates.
You can also use the MX Series router in certain Layer 2 solutions. For information about
configuring the MX Series router in Layer 2 scenarios, see the Junos OS Layer 2 Configuration
Guide or the Junos OS MX Series 3D Universal Edge Routers Solutions Guide.
The broadband services router communicates with the RADIUS server to enforce which
services each subscriber can access. For example, one subscriber might have signed up
for a smaller Internet access service of 1 Mbps where another subscriber might have
signed up for a higher, 10 Mbps service. The broadband services router manages the
traffic to each subscriber, ensuring that each subscriber obtains the level of access service
they have purchased, while also ensuring that any VoIP traffic receives priority. The
broadband services router also makes traffic forwarding decisions based on aggregate
bandwidth detected on any adjacent multiservice access node (MSAN).
IPTV Support
The broadband services router supports IPTV traffic including support for IGMP multicast
group start and stop requests from downstream MSANs. The broadband services router
manages the bandwidth allocations associated with high-bandwidth IPTV as well as
video on demand (VoD) traffic to ensure high quality service delivery.
Some advantages of using a separate video services router for video traffic include the
following:
• Provides the ability to add IPTV service without the need to modify an existing edge
router that is performing other functions.
• Reduces network bandwidth by moving the video edge further out to the network edge
while still allowing for centralized broadband services router operation.
• Typically requires less capital investment because the video services router does not
need to provide per-subscriber management.
Single-Edge Placement
In a single-edge network, you use only broadband services routers because the single
device must perform all of the necessary edge functions—providing subscriber
management for high-speed Internet access and IPTV services. You can use the two
following topology models when placing the broadband services router:
• Centralized single edge—The edge router is centrally located and placed at one location
to cover a particular region. A secondary router is sometimes placed in this location to
act as a backup. Downstream MSANs are connected to the broadband services router
using a ring or mesh topology.
• Distributed single edge—The edge router is placed further out into the network, typically
in the central office (CO) closest to the subscribers that it services. Downstream MSANs
are typically connected directly to the broadband services router (in a true, single edge
topology) or through an Ethernet aggregation switch.
In general, the addition of IPTV service favors a more distributed model because it pushes
the need for subscriber management farther out into the network.
Multiedge Placement
In a multiedge network, you use both broadband services routers and video services
routers. The broadband services router controls any high-speed Internet traffic and the
video services router controls video traffic. You can use the two following topology models
when placing service routers in a multiedge network topology:
• Co-located multiedge—The broadband services router and video services router are
housed in the same location and an Ethernet switch directs traffic in the CO to the
appropriate edge router.
NOTE: A single MX Series router can serve as both Ethernet switch and
video services router. For information about configuring the MX Series
router in Layer 2 scenarios, see the Junos OS Layer 2 Configuration Guide or
the Junos OS MX Series 3D Universal Edge Routers Solutions Guide.
• Split multiedge—The video services router and broadband services router reside in
different locations. In this model, the broadband services router is typically located
more centrally and video services routers are distributed.
A multiservice access node is a broader term that refers to a group of commonly used
aggregation devices. These devices include digital subscriber line access multiplexers
(DSLAMs) used in xDSL networks, optical line termination (OLT) for PON/FTTx networks,
and Ethernet switches for Active Ethernet connections. Modern MSANs often support
all of these connections, as well as providing connections for additional circuits such as
plain old telephone service (referred to as POTS) or Digital Signal 1 (DS1 or T1).
The defining function of a multiservice access node is to aggregate traffic from multiple
subscribers. At the physical level, the MSAN also converts traffic from the last mile
technology (for example, ADSL) to Ethernet for delivery to subscribers.
You can broadly categorize MSANs into three types based on how they forward traffic
in the network:
Layer 2 DSLAMs cannot interpret IGMP, so they cannot selectively replicate IPTV
channels.
• Layer 3-aware MSAN—This IP-aware MSAN can interpret and respond to IGMP
requests by locally replicating a multicast stream and forwarding the stream to any
subscriber requesting it. Layer 3 awareness is important when supporting IPTV traffic
to perform channel changes (sometimes referred to as channel zaps). Static IP-aware
MSANs always receive all multicast television channels. They do not have the ability
to request that specific channels be forwarded to the DSLAM. Dynamic IP-aware
DSLAMs, however, can inform the network to begin (or discontinue) sending individual
channels to the DSLAM. Configuring IGMP proxy or IGMP snooping on the DSLAM
accomplishes this function.
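The difference between a Layer 2 DSLAM and an IGMP-aware MSAN can be modeled in a few lines. The following Python sketch is an added example, not code from this guide or from Junos OS: it validates IGMPv2 join and leave messages and tracks which subscriber ports should receive each channel. The class name, port numbers, and group addresses are assumptions chosen for illustration, and a leave takes effect immediately, without the group-specific query a real device sends first.

```python
import ipaddress
import struct

IGMP_V2_REPORT = 0x16  # IGMPv2 Membership Report (channel join)
IGMP_LEAVE = 0x17      # IGMPv2 Leave Group (channel leave)


def inet_checksum(data):
    """16-bit one's-complement checksum used by IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmp(msg_type, group):
    """Build an IGMPv2 message (used here only to construct sample input)."""
    addr = ipaddress.IPv4Address(group).packed
    unsummed = struct.pack("!BBH4s", msg_type, 0, 0, addr)
    return struct.pack("!BBH4s", msg_type, 0, inet_checksum(unsummed), addr)


def parse_igmp(msg):
    """Validate an IGMPv2 message and return (type, group address)."""
    if len(msg) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    # A valid message sums to zero when the checksum field is included.
    if inet_checksum(msg) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type, _, _, raw_group = struct.unpack("!BBH4s", msg[:8])
    group = ipaddress.IPv4Address(raw_group)
    if msg_type in (IGMP_V2_REPORT, IGMP_LEAVE) and not group.is_multicast:
        raise ValueError("group %s is not a multicast address" % group)
    return msg_type, group


class SnoopingTable:
    """Per-group membership as an IGMP-aware MSAN would keep it (hypothetical model)."""

    def __init__(self, subscriber_ports):
        self.subscriber_ports = sorted(subscriber_ports)
        self.members = {}  # group address -> set of subscriber ports

    def handle(self, port, msg):
        """Update membership from one IGMP message received on a subscriber port."""
        if port not in self.subscriber_ports:
            raise ValueError("unknown port %r" % port)
        msg_type, group = parse_igmp(msg)
        if msg_type == IGMP_V2_REPORT:
            self.members.setdefault(group, set()).add(port)
        elif msg_type == IGMP_LEAVE:
            # Simplification: prune at once instead of querying the port first.
            ports = self.members.get(group, set())
            ports.discard(port)
            if not ports:
                self.members.pop(group, None)
        return msg_type

    def replicate(self, group):
        """Ports that receive the stream on an IGMP-aware MSAN."""
        return sorted(self.members.get(ipaddress.IPv4Address(group), ()))

    def flood(self):
        """Ports that receive the stream on a Layer 2 device that ignores IGMP."""
        return list(self.subscriber_ports)


if __name__ == "__main__":
    table = SnoopingTable([1, 2, 3, 4])           # constructed port numbers
    channel = "239.1.1.1"                         # constructed group address
    table.handle(1, build_igmp(IGMP_V2_REPORT, channel))
    table.handle(3, build_igmp(IGMP_V2_REPORT, channel))
    print("IGMP-aware:", table.replicate(channel))
    print("Layer 2:   ", table.flood())
```

Rejecting messages with a bad checksum or a non-multicast group keeps malformed subscriber input out of the membership table.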
[Figure: flowchart (g017267) with the outcomes L2 MSAN, L3-aware MSAN, and L3 MSAN with IGMP Proxy.]
Each MSAN can connect directly to an edge router (broadband services router or video
services router), or an intermediate device (for example, an Ethernet switch) can
aggregate MSAN traffic before being sent to the services router. Table 4 on page 19 lists
the possible MSAN aggregation methods and under what conditions they are used.
Direct connection
    Each MSAN connects directly to the broadband services router and optional video services router.
Ethernet aggregation switch connection
    Each MSAN connects directly to an intermediate Ethernet switch. The switch, in turn, connects to the broadband services router or optional video services router.
Ethernet ring aggregation connection
    Each MSAN connects to a ring topology of MSANs. The head-end MSAN (the device closest to the upstream edge router) connects to the broadband services router.
You can use different aggregation methods in different portions of the network. You can
also create multiple layers of traffic aggregation within the network. For example, an
MSAN can connect to a central office terminal (COT), which, in turn, connects to an
Ethernet aggregation switch, or you can create multiple levels of Ethernet aggregation
switches prior to connecting to the edge router.
Direct Connection
In the direct connection method, each MSAN has a point-to-point connection to the
broadband services router. If an intermediate central office exists, traffic from multiple
MSANs can be combined onto a single connection using wave-division multiplexing
(WDM). You can also connect the MSAN to a video services router. However, this
connection method requires that you use a Layer 3 MSAN that has the ability to determine
which link to use when forwarding traffic.
When using the direct connection method, keep the following in mind:
• Because multiple MSANs are used to connect to the services router, and Layer 3 MSANs
generally require a higher equipment cost, this method is rarely used in a multiedge
subscriber management model.
• Direct connection is typically used when most MSAN links are utilized less than 33
percent and there is little value in combining traffic from multiple MSANs.
When using the Ethernet aggregation switch connection method, keep the following in
mind:
• Ethernet aggregation is typically used when most MSAN links are utilized over 33
percent or to aggregate traffic from lower speed MSANs (for example, 1 Gbps) to a
higher speed connection to the services router (for example, 10 Gbps).
• You can use an MX Series router as an Ethernet aggregation switch. For information
about configuring the MX Series router in Layer 2 scenarios, see the Junos OS Layer 2
Configuration Guide or the Junos OS MX Series 3D Universal Edge Routers Solutions Guide.
NOTE: The RT and COT must support the same ring resiliency protocol.
You can use an MX Series router in an Ethernet ring aggregation topology. For information
about configuring the MX Series router in Layer 2 scenarios, see the Junos OS Layer 2
Configuration Guide or the Junos OS MX Series 3D Universal Edge Routers Solutions Guide.
The network topology for the broadband subscriber management solution focuses on
configuring the access network to which the MX Series routers connect. There are many
possible broadband subscriber management configurations. Figure 3 on page 21 illustrates
an example of a basic DHCP topology model.
[Figure 3: Basic DHCP topology model. Labels in the figure: Edge, Access, DHCP server, RADIUS server, MSAN, MX Series. Configuration areas listed: Access Network Configuration, AAA Service Framework, DHCP Relay / DHCP Local Server, Dynamic Profiles, Interfaces.]
Three VLAN models deliver multiple services to subscribers. These models include the
following:
• Hybrid C-VLAN—The hybrid VLAN combines the best of both previous VLANs by using
one VLAN per subscriber to carry unicast traffic and one shared multicast VLAN
(M-VLAN) for carrying broadcast (multicast) television traffic. You can use both the
pure and hybrid C-VLAN models in different portions of the network, depending upon
available bandwidth and MSAN capabilities.
NOTE: The term C-VLAN, when used casually, often refers to a hybrid
C-VLAN implementation.
• The VLAN identifiers can be carried within the ATM VCs or they can be removed. The
value of keeping the VLAN header is that it carries the IEEE 802.1p Ethernet priority
bits. These priority bits can be added to upstream traffic by the residential gateway,
allowing the DSLAM to easily identify and prioritize more important traffic (for example,
control and VoIP traffic). Typically, a VLAN identifier of zero (0) is used for this purpose.
• In a C-VLAN model, the MSAN might modify the VLAN identifier so that the same VLAN
is sent to each subscriber. This enables the use of the same digital subscriber line (DSL)
modem and residential gateway configuration for all subscribers without the need to
define a different VLAN for each device.
VLAN stacking is not necessary for S-VLANs or M-VLANs. However, for the hybrid (C-VLAN
and M-VLAN) model, the Ethernet switch or services router must be able to pop or push
tags onto C-VLAN traffic while not modifying M-VLAN packets.
Most conditional access systems (for example, video on demand) require detecting the
real IP address of the set-top box (STB). This security measure means that traffic to and
from the STB must be bridged, not routed, across all network elements including
aggregation switches, MSANs, and residential gateways. NAT cannot be used at the
residential gateway for traffic to and from the STB. In addition, some residential gateways
associate VLANs (or ATM virtual circuits) with ports. Traffic on a given VLAN is always
forwarded to a specific downstream port. Use caution when mapping VLANs on an MSAN.
Related Documentation
• Static Subscriber Interfaces and VLAN Overview in the Junos OS Subscriber Access
Configuration Guide.
In an IPTV network, channel changes occur when a set-top box (STB) sends IGMP
commands that inform an upstream device (for example, a multiservice access node
[MSAN] or services router) whether to start or stop sending multicast groups to the
subscriber. In addition, IGMP hosts periodically request notification from the STB about
which channels (multicast groups) are being received.
You can implement IGMP in the subscriber management network in the following ways:
• Static IGMP—All multicast channels are sent to the MSAN. When the MSAN receives
an IGMP request to start or stop sending a channel, it adds the subscriber to the
multicast group and then discards the IGMP packet.
• IGMP Proxy—Only multicast channels currently being viewed are sent to the MSAN.
If the MSAN receives a request to view a channel that is not currently being forwarded
to the MSAN, it forwards the request upstream. However, the upstream device does
not see all channel change requests from each subscriber, limiting bandwidth control
options.
• IGMP Snooping—Only multicast channels currently being viewed are sent to the MSAN.
The MSAN forwards all IGMP requests upstream, unaltered, even if it is already receiving
the channel. The upstream device sees all channel change requests from each
subscriber. Using IGMP snooping enables the broadband services router to determine
the mix of services and the bandwidth requirements of each subscriber and adjust the
bandwidth made available to each service.
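The three IGMP handling modes above differ mainly in what the upstream device gets to see. The following added example (not code from the Juniper guide) replays a constructed sequence of channel changes through a toy MSAN in each mode. The class and function names are hypothetical, and the rule that a proxy sends a leave upstream when the last viewer of a channel leaves is an assumption of the model.

```python
from collections import defaultdict

MODES = ("static", "proxy", "snooping")


class Msan:
    """Toy MSAN that applies one of the three IGMP handling modes."""

    def __init__(self, mode, all_channels=()):
        if mode not in MODES:
            raise ValueError(f"unknown IGMP mode: {mode}")
        self.mode = mode
        self.all_channels = set(all_channels)
        self.members = defaultdict(set)  # group -> subscribers watching it
        self.upstream_log = []           # IGMP messages the upstream device receives

    def handle(self, subscriber, action, group):
        """Process one IGMP join or leave received from a subscriber."""
        if action not in ("join", "leave"):
            raise ValueError(f"unknown IGMP action: {action}")
        had_viewers = bool(self.members[group])
        if action == "join":
            self.members[group].add(subscriber)
        else:
            self.members[group].discard(subscriber)
        has_viewers = bool(self.members[group])

        if self.mode == "static":
            # Membership is updated locally and the IGMP packet is discarded.
            return
        if self.mode == "snooping":
            # Every request goes upstream unaltered, subscriber identity intact.
            self.upstream_log.append((subscriber, action, group))
        elif had_viewers != has_viewers:
            # Proxy: upstream hears from the MSAN only when the set of channels
            # on the uplink changes (leave-on-last-viewer is an assumption).
            self.upstream_log.append(("msan", action, group))

    def groups_on_uplink(self):
        """Multicast groups the upstream device must send to this MSAN."""
        if self.mode == "static":
            return set(self.all_channels)
        return {g for g, subs in self.members.items() if subs}


def replay(mode, events, all_channels):
    """Run the events through an MSAN and return (upstream_log, uplink_groups)."""
    msan = Msan(mode, all_channels)
    for subscriber, action, group in events:
        msan.handle(subscriber, action, group)
    return msan.upstream_log, msan.groups_on_uplink()


def changes_visible_per_subscriber(upstream_log):
    """Count the channel changes upstream can attribute to each subscriber."""
    counts = defaultdict(int)
    for source, _action, _group in upstream_log:
        if source != "msan":
            counts[source] += 1
    return dict(counts)


# Constructed sample: three channels, two set-top boxes changing channels.
CHANNELS = ("239.1.1.1", "239.1.1.2", "239.1.1.3")
EVENTS = [
    ("stb-a", "join", "239.1.1.1"),
    ("stb-b", "join", "239.1.1.1"),
    ("stb-b", "leave", "239.1.1.1"),
    ("stb-b", "join", "239.1.1.2"),
    ("stb-a", "leave", "239.1.1.1"),
]

if __name__ == "__main__":
    for mode in MODES:
        log, uplink = replay(mode, EVENTS, CHANNELS)
        print(mode, "uplink groups:", sorted(uplink))
        print("  upstream messages:", len(log),
              "per subscriber:", changes_visible_per_subscriber(log))
```

Only the snooping run gives the upstream device a per-subscriber record of channel changes, which is the information the guide says the services router needs to adjust bandwidth per service.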
IGMP hosts (sources) also periodically verify that they are sending the correct traffic by
requesting that each client send information about what multicast groups it wants to
receive. The responses to this IGMP query can result in a substantial upstream traffic
burst.
IGMPv2 is the minimum level required to support IPTV, and is the most widely deployed.
Emerging standards specify IGMPv3.
Related Documentation
• Dynamic IGMP Configuration Overview in the Junos OS Subscriber Access Configuration
Guide.
You use DHCP in broadband networks to provide IP address configuration and service
provisioning. DHCP, historically a popular protocol in LANs, works well with Ethernet
connectivity and is becoming increasingly popular in broadband networks as a simple,
scalable solution for assigning IP addresses to subscriber home PCs, set-top boxes
(STBs), and other devices.
• DHCP Relay
DHCP uses address assignment pools from which to allocate subscriber addresses.
Address-assignment pools support both dynamic and static address assignment:
NOTE: Addresses that are reserved for static assignment are removed
from the dynamic address pool and cannot be assigned to other clients.
packets between a DHCP client and a DHCP server. You can use DHCP relay in carrier
edge applications such as video and IPTV to obtain configuration parameters, including
an IP address, for your subscribers. The extended DHCP relay agent supports the use of
external AAA authentication services, such as RADIUS, to authenticate DHCP clients.
Related Documentation
• Extended DHCP Local Server Overview in the Junos OS Subscriber Access Configuration
Guide.
• Extended DHCP Relay Agent Overview in the Junos OS Subscriber Access Configuration
Guide.
You use AAA Service Framework for all authentication, authorization, accounting, address
assignment, and dynamic request services that the services router uses for network
access. The framework supports authentication and authorization through external
servers, such as RADIUS. The framework also supports accounting and dynamic-request
CoA and disconnect operations through external servers, and address assignment through
a combination of local address-assignment pools and RADIUS.
The broadband services router interacts with external servers to determine how individual
subscribers access the broadband network. The router also obtains information from
external servers for the following:
Related Documentation
• AAA Service Framework Overview in the Junos OS Subscriber Access Configuration Guide.
• RADIUS-Initiated Change of Authorization (CoA) Overview in the Junos OS Subscriber
Access Configuration Guide.
Class of service (CoS) is a mechanism that enables you to divide traffic into classes and
offer various levels of throughput and acceptable packet loss when congestion occurs.
CoS also provides the option of using differentiated services when best-effort traffic
delivery is insufficient. You can also configure the services router to provide hierarchical
scheduling for subscribers by dynamically adding or deleting queues when subscribers
require services.
By using a dynamic profile, you can provide all subscribers in your network with default
CoS parameters when they log in. For example, you can configure an access dynamic
profile to specify that all subscribers receive a basic data service. If you use RADIUS
variables in the dynamic profile, you can enable the service to be activated for those
subscribers at login. You can also use variables to configure a service profile that enables
subscribers to activate a service or upgrade to different services through RADIUS
change-of-authorization (CoA) messages following initial login.
Related Documentation
• CoS for Subscriber Access Overview in the Junos OS Subscriber Access Configuration
Guide.
You can use the Juniper Networks Session and Resource Control (SRC) software to
implement policy and control in the subscriber management network. The SRC software
provides policy management, subscriber management, and network resource control
functions that enable the creation and delivery of services across the network.
For information about how to purchase Juniper Networks Junos OS licenses, contact your
Juniper Networks sales representative. For information about installing and managing
software licenses that pertain to your broadband subscriber management network, see
the Junos OS Installation and Upgrade Guide.
In a Layer 3 wholesale configuration, you partition the wholesaler access network at the
network layer or the subscriber IP component by associating the IP component with a
distinct Layer 3 domain. In a Layer 2 wholesale configuration, you partition the access
network at the subscriber circuit or customer VLAN (C-VLAN) by backhauling the
connection through the service provider backbone network to the subscribing retailer
network where the access traffic can be managed at higher layers.
NOTE: This Junos OS release supports the use of only the default logical
system. Partitioning currently occurs through the use of separate routing
instances.
A logical system can have one or more routing instances. Typically used in Layer 3 VPN
scenarios, a routing instance does not have the same level of administrative separation
as a logical system because it does not offer administrative isolation. However, the routing
instance defines a distinct routing table, set of routing policies, and set of interfaces.
You can configure a wholesale network in any number of ways using Juniper Networks hardware
and Junos OS software. For information about subscriber management hardware support, see
Subscriber Access Support Considerations in the Junos OS Subscriber Access Configuration
Guide. The general configuration options, and considerations for each, are provided below:
• Fully Static (all interfaces, VLANs, and routing instances are configured statically):
Providing more control over retailer space and access, this option is more labor
intensive and can require more detailed planning of the network, address allocation,
and so on.
• Static VLANs and Dynamic Demux Interfaces: Service VLANs are created statically and
must be managed. Demux interfaces are dynamically created over the service VLANs.
This option uses more logical interfaces; one for each VLAN and one for each dynamic
demux interface that runs over each VLAN.
• Dynamic VLANs Only (dedicated customer VLANs for each subscriber): Dynamic
(auto-sensed) VLANs are authenticated and installed in the correct non-default routing
instance before DHCP is instantiated. This method helps to conserve logical interfaces
by avoiding the need for additional logical interfaces being created for each demux
interface.
NOTE: In a customer VLAN model, each VLAN functions on a 1:1 basis for each
customer (in this case, per household).
• Dynamic VLANs and Dynamic Demux Interfaces: Allows for the greatest ease of use and
flexibility in configuring subscribers, by enabling access over a service VLAN and
targeting more service levels over individual, dynamically created demux interfaces
over the service VLAN. This option uses more logical interfaces; one for each VLAN
and one for each demux interface that runs over each VLAN.
PPPoE Layer 3 wholesale requires the use of PPP interfaces. This means that you must
specify the pp0 interface when configuring Layer 3 wholesaling in a PPPoE network.
For additional general information about configuring PPPoE interfaces, see the Junos OS
Network Interfaces Configuration Guide.
• Configuring Dynamic PPPoE Subscriber Interfaces Using Dynamic Profiles in the Junos
OS Subscriber Access Configuration Guide.
• Configuring a PPPoE Dynamic Profile with Additional Options in the Junos OS Subscriber
Access Configuration Guide.
DHCP Layer 3 wholesale currently supports only the use of IP demux interfaces.
For additional general information about configuring IP demux interfaces, see the Junos
OS Network Interfaces Configuration Guide.
• DHCP Relay
NOTE: All routing instances within the same wholesale network must use
the same DHCP configuration option.
For additional information about any of these DHCP options, see the AAA Service
Framework Overview in the Junos OS Subscriber Access Configuration Guide.
Related Documentation
• Extended DHCP Relay Agent Overview in the Junos OS Subscriber Access Configuration
Guide.
• DHCP Relay Proxy Overview in the Junos OS Subscriber Access Configuration Guide.
• Extended DHCP Local Server Overview in the Junos OS Subscriber Access Configuration
Guide.
Related Documentation
• See Routing Instances Overview in the Junos OS Routing Protocols Configuration Guide.
You can use RADIUS to assign various values through the use of dynamic variables within
dynamic profiles. However, the configuration of at least one of the two VSAs described
in Table 5 on page 33 is required for a wholesale network to function.
Related Documentation
• Juniper Networks VSAs Supported by the AAA Service Framework in the Junos OS
Subscriber Access Configuration Guide.
This configuration example explains the basics of configuring a triple-play (data, voice,
and video) network. Figure 4 on page 37 provides the reference topology for this
configuration example.
[Figure 4: Triple-play reference topology. MSAN, MX Series router (GE-1/3/0, GE-1/3/1), RADIUS server.]
The top-level steps for configuring the edge access in the subscriber management network
include the following:
See “Configuring Static Customer VLANs for the Broadband Subscriber Management
Solution” on page 41.
See “Configuring a Global Class of Service Profile for the Broadband Subscriber
Management Solution” on page 44.
See “Configuring Dynamic Firewall Filter Services for Use in Dynamic Profiles” on
page 50.
See “Configuring AAA Service Framework for the Broadband Subscriber Management
Solution” on page 51.
See “Configuring Address Server Elements for the Broadband Subscriber Management
Solution” on page 53.
You must configure a loopback interface for use in the subscriber management access
network. The loopback interface is automatically used for unnumbered interfaces.
NOTE: If you do not configure the loopback interface, the routing platform
chooses the first interface to come online as the default. If you configure
more than one address on the loopback interface, we recommend that you
configure one to be the primary address to ensure that it is selected for use
with unnumbered interfaces. By default, the primary address is used as the
source address when packets originate from the interface.
[edit]
user@host# edit interfaces lo0
In this example configuration, the access interface (ge-1/3/0) connects to a device (that
is, a DSLAM) on the access side of the network. You can define static customer VLANs
(C-VLANs) for use by the access network subscribers.
[edit]
user@host# edit interfaces ge-1/3/0
[edit]
user@host# edit interfaces ge-1/3/0
6. Define the unnumbered address and the preferred source address for the first VLAN.
In this example configuration, the access interface (ge-1/3/0) connects to a device (that
is, a DSLAM) on the access side of the network. This procedure enables the dynamic
creation of up to five customer VLANs (C-VLANs) for use by the access network
subscribers.
[edit]
user@host# edit dynamic-profiles VLAN-PROF
d. (Optional) To configure the router to respond to any ARP request, specify the
proxy-arp statement.
The variable is dynamically replaced with an outer VLAN ID within the VLAN range
specified at the [edit interfaces] hierarchy level.
The variable is dynamically replaced with an inner VLAN ID within the VLAN range
specified at the [edit interfaces] hierarchy level.
i. (Optional) Enable IP and MAC address validation for dynamic IP demux interfaces
in a dynamic profile.
a. Access the interface that you want to use for creating VLANs.
[edit interfaces]
d. Specify the dynamic VLAN profile that you want the interface to use.
3. Specify the Ethernet packet type that the VLAN dynamic profile can accept.
4. Define VLAN ranges for use by the dynamic profile when dynamically creating VLAN
IDs. For this solution, specify the outer and inner stacked VLAN ranges that you want
the dynamic profile to use. To mimic the static VLAN configuration, the following
example specifies an outer stacked VLAN ID range of 3–3 (enabling only the outer
range of 3) and an inner stacked VLAN ID range of 1–5 (enabling a range from 1 through
5 for the inner stacked VLAN ID).
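To check which tagged frames fall inside the configured ranges, the following added example (not part of the Juniper guide) parses the VLAN tags of an Ethernet frame and tests them against the outer 3–3 and inner 1–5 ranges used above. It also recognizes the priority-tagged case described earlier, where VLAN ID 0 carries only the 802.1p bits. The function names, the sample frames, and the choice to accept IPv4 payloads only are assumptions of this sketch, not router behavior taken from the guide.

```python
import struct

VLAN_TPIDS = {0x8100, 0x88A8}   # 802.1Q and 802.1ad tag protocol identifiers
ETHERTYPE_IPV4 = 0x0800


def parse_vlan_tags(frame: bytes):
    """Return (tags, ethertype); tags are dicts ordered outermost first."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12                  # skip destination and source MAC addresses
    tags = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in VLAN_TPIDS:
            return tags, ethertype
        # A tag is TPID + TCI, and an EtherType (or another TPID) must follow.
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({
            "tpid": ethertype,
            "pcp": tci >> 13,        # IEEE 802.1p priority bits
            "dei": (tci >> 12) & 1,
            "vid": tci & 0x0FFF,     # VLAN identifier
        })
        offset += 4


def classify(frame, outer_range, inner_range, accept=frozenset({ETHERTYPE_IPV4})):
    """Model the range check for a stacked (outer, inner) dynamic VLAN.

    Returns "accept", "priority-tagged" or "reject". Ranges are inclusive
    (low, high) tuples. `accept` is the set of payload EtherTypes allowed to
    trigger VLAN creation (IPv4 only here, as an assumption).
    """
    tags, ethertype = parse_vlan_tags(frame)
    if len(tags) == 1 and tags[0]["vid"] == 0:
        return "priority-tagged"     # VLAN ID 0: header carries only 802.1p bits
    if len(tags) != 2:
        return "reject"              # the stacked ranges need exactly two tags
    outer, inner = tags[0]["vid"], tags[1]["vid"]
    in_range = (outer_range[0] <= outer <= outer_range[1]
                and inner_range[0] <= inner <= inner_range[1])
    return "accept" if in_range and ethertype in accept else "reject"


def build_frame(tags, ethertype=ETHERTYPE_IPV4, payload=b"\x00" * 46):
    """Build a constructed test frame; tags is a list of (tpid, pcp, vid)."""
    header = b"\xff" * 6 + bytes.fromhex("020000000001")
    for tpid, pcp, vid in tags:
        header += struct.pack("!HH", tpid, (pcp << 13) | vid)
    return header + struct.pack("!H", ethertype) + payload


# Ranges from the step above: outer 3-3, inner 1-5.
OUTER_RANGE, INNER_RANGE = (3, 3), (1, 5)

# Constructed sample frames.
FRAME_IN_RANGE = build_frame([(0x8100, 0, 3), (0x8100, 0, 4)])
FRAME_INNER_OUT = build_frame([(0x8100, 0, 3), (0x8100, 0, 6)])
FRAME_SINGLE_TAG = build_frame([(0x8100, 0, 3)])
FRAME_PRIORITY = build_frame([(0x8100, 5, 0)])

if __name__ == "__main__":
    for name, frame in [("in range", FRAME_IN_RANGE),
                        ("inner out of range", FRAME_INNER_OUT),
                        ("single tag", FRAME_SINGLE_TAG),
                        ("priority tagged", FRAME_PRIORITY)]:
        print(name, "->", classify(frame, OUTER_RANGE, INNER_RANGE))
```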
• Dynamic 802.1Q VLAN Overview in the Junos OS Network Interfaces Configuration Guide
• Configuring VLAN Dynamic Profiles in the Junos OS Subscriber Access Configuration Guide
• Configuring VLAN Interfaces to Use Dynamic Profiles in the Junos OS Subscriber Access
Configuration Guide
• Configuring Which VLAN Ethernet Packet Types Dynamic Profiles Can Accept in the
Junos OS Subscriber Access Configuration Guide
• Configuring VLAN Ranges for Use with Dynamic Profiles in the Junos OS Subscriber
Access Configuration Guide
Configuring a Global Class of Service Profile for the Broadband Subscriber Management
Solution
Junos OS CoS enables you to divide traffic into classes and offer various levels of
throughput and packet loss (when congestion occurs) in accordance with service rules
that you specify. The Junos OS CoS features provide a set of mechanisms that you can
use to provide differentiated (video, voice, and data) services over the same network for
subscribers.
2. Configuring schedulers.
4. Configuring classifiers.
In the configuration we build in this section, we configure three forwarding classes, each
with its own scheduler, and an IP precedence classifier for the traffic destined for the
access network. Table 6 on page 45 provides an overview of the queue configuration:
NOTE: The network control forwarding class is not configured in this solution.
• Expedited forwarding (EF)—Provides a low loss, low latency, low jitter, assured
bandwidth, end-to-end service.
• Assured forwarding (AF)—Provides a group of values you can define and includes four
subclasses: AF1, AF2, AF3, and AF4, each with three drop probabilities: low, medium,
and high.
• Best effort (BE)—Provides no service profile. For the BE forwarding class, loss priority
is typically not carried in a class-of-service (CoS) value, and random early detection
(RED) drop profiles are more aggressive.
• Network control (NC)—This class is typically high priority because it supports protocol
control.
[edit]
user@host# edit class-of-service forwarding-classes queue 0
[edit]
user@host# edit class-of-service forwarding-classes queue 1
[edit]
user@host# edit class-of-service forwarding-classes queue 2
[edit]
user@host# edit class-of-service schedulers sched_be
[edit]
user@host# edit class-of-service schedulers sched_ef
[edit]
user@host# edit class-of-service schedulers sched_af
[edit]
user@host# edit class-of-service scheduler-maps SchedulerMap_Triple_Play_Basic
3. Associate the scheduler that you want this forwarding class to use.
5. Associate the scheduler that you want this forwarding class to use.
7. Associate the scheduler that you want this forwarding class to use.
1. Create a Differentiated Services code point (DSCP) classifier and name it.
[edit]
user@host# edit class-of-service classifiers dscp Class_DSCP
3. Edit the loss priority level for the forwarding class queue.
6. Edit the loss priority level for the forwarding class queue.
9. Edit the loss priority level for the forwarding class queue.
[edit]
user@host# edit class-of-service interfaces ge-1/3/0
3. Set the shaping rate value to throttle traffic to the subscriber local loops.
[edit]
user@host# edit class-of-service interfaces ge-1/3/1
7. Apply the classifier to the interface to classify traffic coming from the Internet.
Firewall filters provide rules that define whether to permit or deny packets that are
transiting an interface on a router. You can configure firewall filters for use in dynamic
profiles. After you configure dynamic firewall filters, you can specify which filters you
want to apply to subscriber interfaces using a dynamic profile.
[edit]
user@host# edit firewall filter fw_fltr_af41
7. Set the then action to take when a match occurs for term 2.
See “Configuring a DHCP Dynamic Profile for the Triple Play Solution” on page 58.
[edit]
user@host# edit access radius-server
[edit]
user@host# edit access profile AccessProfile_general
4. Set the address or address list for the RADIUS authentication server.
5. Set the address or address list for the RADIUS accounting server.
8. Specify that RADIUS accounting stop when a user fails authentication but is granted
access.
11. Specify the amount of time (in minutes) between RADIUS updates.
• AAA Service Framework Overview in the Junos OS Subscriber Access Configuration Guide.
[edit]
user@host# edit access address-assignment pool AddressPool_1
[edit]
user@host# set access-profile AccessProfile_general
[edit]
user@host# edit access address-assignment pool AddressPool_1
[edit]
user@host# set access-profile AccessProfile_general
[edit]
user@host# edit system services
8. Specify a dynamic profile that you want the DHCP local server group to use.
11. Specify a log file into which you want trace option information to be saved.
12. Specify the DHCP local server message operations that you want saved in the log file.
• Extended DHCP Local Server Overview in the Junos OS Subscriber Access Configuration
Guide.
A dynamic profile is a set of characteristics, defined in a type of template, that you can
use to provide dynamic subscriber access and services for broadband applications. These
services are assigned dynamically to interfaces.
[edit]
user@host# edit dynamic-profiles Profile-Triple-Play
8. Define the router to act as a PPPoE server when a PPPoE logical interface is
dynamically created.
10. Specify the input filter that you want to apply to each dynamic interface when it is
created.
11. Specify the output filter that you want to apply to each dynamic interface when it is
created.
12. Enable the local address to be derived from the specified PPPoE interface (in this
case, the loopback address).
16. Specify a scheduler map that you want the dynamic CoS traffic control profile to use.
17. Specify the shaping rate that you want the dynamic CoS traffic control profile to use.
18. Apply CoS to the dynamic interfaces and apply an output traffic control profile.
A dynamic profile is a set of characteristics, defined in a type of template, that you can
use to provide dynamic subscriber access and services for broadband applications. These
services are assigned dynamically to interfaces.
[edit]
user@host# edit dynamic-profiles Profile-Triple_Play
5. Specify the input filter that you want to apply to each dynamic interface when it is
created.
6. Specify the output filter that you want to apply to each dynamic interface when it is
created.
10. Specify a scheduler map that you want the dynamic CoS traffic control profile to use.
11. Specify the shaping rate that you want the dynamic CoS traffic control profile to use.
12. Apply CoS to the dynamic interfaces and apply an output traffic control profile.
The network topology for the subscriber management DHCPv4 Layer 3 wholesale solution
includes configuring separate routing instances for individual retailers that use a portion
of the router. This solution uses a DHCPv4 relay configuration. However, you can also
implement DHCPv4 Relay Proxy or DHCPv4 Local Server configuration.
To explain the concept, but to limit complexity, this solution provides a configuration
with one wholesaler and only two retailers. Figure 5 on page 64 illustrates a basic Layer
3 wholesale topology model from which you can expand.
[Figure 5: Basic Layer 3 wholesale topology model. MSAN, MX Series router, wholesaler network space (wholesaler RADIUS server, wholesaler DHCP server), Retailer 2 network space (Retailer 2 RADIUS server, Retailer 2 DHCP server).]
A DHCP Layer 3 wholesale network solution can use various combinations of the following
configuration elements:
• DHCPv4 configuration (DHCPv4 Relay, DHCPv4 Relay Proxy, or DHCPv4 Local Server)
• Addressing server or addressing server access configuration (if not using DHCPv4 Local
Server)
[Figure: Layer 3 wholesale topology. MSAN, MX Series router (GE-2/3/0), wholesaler RADIUS server, wholesaler DHCP server, Retailer 2 network space (Retailer 2 RADIUS server, Retailer 2 DHCP server).]
You must configure loopback interfaces for use in the subscriber management access
network. The loopback interfaces are automatically used for unnumbered interfaces.
[edit]
user@host# edit interfaces lo0
5. Edit the unit for a retail loopback interface to be assigned to the retailer.
6. Edit the loopback interface family that will be assigned to the retailer.
7. Specify the loopback interface address that will be assigned to the retailer.
8. Repeat steps 5 through 7 for additional retailers, making sure to use unique unit and
address values for each retailer loopback interface.
You can configure either static or dynamic customer VLANs for use in the DHCPv4
wholesale network solution.
• Configuring Static Customer VLANs for the DHCPv4 Layer 3 Wholesale Network
Solution on page 67
• Configuring Dynamic VLANs for the DHCPv4 Layer 3 Wholesale Network
Solution on page 68
Configuring Static Customer VLANs for the DHCPv4 Layer 3 Wholesale Network Solution
In this example configuration, the access interface (ge-2/3/0) connects to a device (that
is, a DSLAM) on the access side of the network. You can define static VLANs for use by
the access network subscribers.
[edit]
user@host# edit interfaces ge-2/3/0
7. (Optional) Define the unnumbered address and the preferred source address for the
first VLAN.
Configuring Dynamic VLANs for the DHCPv4 Layer 3 Wholesale Network Solution
[edit]
user@host# edit dynamic-profiles VLAN-PROF
d. (Optional) To configure the router to respond to any ARP request, specify the
proxy-arp statement.
The variable is dynamically replaced with an outer VLAN ID within the VLAN range
specified at the [interfaces] hierarchy level.
The variable is dynamically replaced with an inner VLAN ID within the VLAN range
specified at the [interfaces] hierarchy level.
i. (Optional) Enable IP and MAC address validation for dynamic IP demux interfaces
in a dynamic profile.
2. Associate the dynamic profile with the interface on which the dynamic VLANs will be
created.
a. Access the interface that you want to use for creating VLANs.
[edit interfaces]
user@host# edit interfaces ge-2/3/0
e. Specify the dynamic VLAN profile that you want the interface to use.
f. Repeat steps a through e for any other interfaces that you want to use for creating
VLANs.
3. Specify the Ethernet packet type that the VLAN dynamic profile can accept.
4. Define VLAN ranges for use by the dynamic profile when dynamically creating VLAN
IDs. For this solution, specify the outer and inner stacked VLAN ranges that you want
the dynamic profile to use. The following example specifies an outer stacked VLAN
ID range of 3–3 (enabling only the outer range of 3) and an inner stacked VLAN ID
range of 1–3 (enabling a range from 1 through 3 for the inner stacked VLAN ID).
Configuring Access Components for the DHCP Layer 3 Wholesale Network Solution
When configuring a wholesale network, you must configure several components globally.
This configuration provides access to RADIUS servers that you want the wholesaler and
any configured retailers to use globally. The access configuration includes the following
general steps:
[edit]
user@host# edit access radius-server
2. Specify the address and secret for any RADIUS servers in the network.
[edit]
user@host# edit access-profile Wholesaler_Access
2. Specify the authentication methods for the profile and the order in which they are
used.
and interface over which you want subscribers to access the network after being redirected
by the wholesale access profile.
[edit]
user@host# edit access-profile Retailer_Access1
2. Specify the authentication methods for the profile and the order in which they are
used.
Configuring Dynamic Profiles for the DHCPv4 Layer 3 Wholesale Network Solution
A dynamic profile is a set of characteristics, defined in a type of template, that you can
use to provide services for broadband applications. These services are assigned
dynamically to interfaces as they access the network. When configuring dynamic profiles
for the DHCPv4 Layer 3 wholesale network, you can choose to configure one dynamic
profile to address all incoming subscribers or you can configure individual dynamic profiles
for use by the different network management groups (that is, the wholesaler and any
retailers). In fact, you can create multiple dynamic profiles that you can use to roll out
different services and selectively apply those dynamic profiles to different subscriber
groups as necessary.
In this solution example, one dynamic profile is created for use by the wholesaler when
subscribers initially access the network. Other dynamic profiles are created for the
subscribers for each individual retailer to use after they are redirected to that retailer
network space.
• Configuring a Wholesale Dynamic Profile for use in the DHCPv4 Solution on page 73
• Configuring a Dynamic Profile for use by a Retailer in the DHCPv4 Solution on page 74
[edit]
user@host# edit dynamic-profiles Wholesaler_Profile
2. Specify that you want to configure the demux0 interface in the dynamic profile.
a. Configure the variable for the unit number of the demux0 interface.
The variable is dynamically replaced with the unit number that DHCP supplies
when the subscriber logs in.
b. Configure the variable for the underlying interface of the demux interfaces and
specify the $junos-underlying-interface variable.
The variable is dynamically replaced with the underlying interface that DHCP
supplies when the subscriber logs in.
c. Configure the variable for the IPv4 address of the demux interface.
The variable is dynamically replaced with the IPv4 address that DHCP supplies
when the subscriber logs in.
[edit]
user@host# edit dynamic-profiles Subscriber_Profile_Retail1
3. Set the dynamic interface variable for the dynamic routing instance.
4. Specify that you want to configure the demux0 interface in the dynamic profile.
a. Configure the variable for the unit number of the demux0 interface.
The variable is dynamically replaced with the unit number that DHCP supplies
when the subscriber logs in.
b. Configure the variable for the underlying interface of the demux interfaces and
specify the $junos-underlying-interface variable.
The variable is dynamically replaced with the underlying interface that DHCP
supplies when the subscriber logs in.
c. Configure the variable for the IPv6 address of the demux interface.
The variable is dynamically replaced with the IPv6 address that DHCP supplies
when the subscriber logs in.
As the owner of the system, the wholesaler typically uses the default routing instance.
You must create separate routing instances for each individual retailer to keep routing
information for individual retailers separate and to define any servers and forwarding
options specific to each retailer.
[edit]
user@host# edit routing-instances RetailerInstance1
3. Specify the access profile that you want the routing instance to use.
7. Access the DHCP Relay forwarding options hierarchy for the routing instance.
NOTE: The configuration for this wholesale solution uses DHCP Relay.
However, you can also configure DHCP Proxy Relay or DHCP Local Server
for the DHCP Layer 3 wholesale network.
8. Specify that you want to configure authentication options and use external AAA
authentication services.
11. Specify the default dynamic profile that you want to attach to DHCP subscribers for
this retailer.
12. Specify any overrides for the default DHCP Relay configuration.
14. Specify the DHCP server address for the retailer group.
15. Specify the retailer group as the active server group for this routing instance.
16. Configure a group you can use to define the retailer dynamic profile and DHCP access
interface.
17. Specify the dynamic profile that the retailer DHCP subscribers use.
18. Specify the retailer interface that the retailer DHCP subscribers use.
19. (Optional) Configure any passwords that authenticate the username to the external
authentication service for the retailer groups that you created.
20. (Optional) Configure any unique username values for the retailer groups that you
created.
21. (Optional) Specify any overrides for any of the DHCP Relay group configurations that
you created.
Configure Default Forwarding Options for the DHCPv4 Wholesale Network Solution
You can use DHCP Relay, DHCP Relay Proxy, or DHCP Local Server configuration in a
DHCP wholesale network. DHCP configuration is defined at the [edit forwarding-options]
hierarchy level.
NOTE: The configuration for this wholesale solution uses DHCP Relay.
[edit]
user@host# edit forwarding-options dhcp-relay
2. Specify that you want to configure authentication options and use external AAA
authentication services.
5. Specify the default dynamic profile that you want to attach to all DHCP subscribers
that access the router.
7. Configure a named server group for default (wholesaler) DHCP server access.
8. Specify the DHCP server address for the default (wholesale) group.
10. Configure a group you can use to define the wholesale DHCP access interface.
11. Specify the default (wholesale) interface that all DHCP subscribers use when first
accessing the router.
12. Configure a group you can use to define a retail DHCP interface.
13. Specify the logical interface the DHCP subscribers use once redirected.
In this solution example, you configure another group name of “Retailer2_Group” and
specify ge-2/3/0.3 for the logical interface.
15. (Optional) Configure any passwords that authenticate the username to the external
authentication service for any of the groups that you created.
16. (Optional) Configure optional features to create a unique username for any of the
groups that you created.
17. (Optional) Specify any overrides for any of the DHCP Relay group configurations that
you created.
dynamic-profiles {
    Wholesaler_Profile {
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    demux-options {
                        underlying-interface "$junos-underlying-interface";
                    }
                    family inet {
                        demux-source {
                            $junos-subscriber-ip-address;
                        }
                        filter {
                            input "$junos-input-filter";
                        }
                        unnumbered-address "$junos-loopback-interface" preferred-source-address $junos-preferred-source-address;
                    }
                }
            }
        }
    }
}
dynamic-profiles {
    Subscriber_Profile_Retailer1 {
        routing-instances {
            "$junos-routing-instance" {
                interface "$junos-interface-name";
            }
        }
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    demux-options {
                        underlying-interface "$junos-underlying-interface";
                    }
                    family inet {
                        demux-source {
                            "$junos-subscriber-ip-address";
                        }
                        unnumbered-address "$junos-loopback-interface" preferred-source-address "$junos-preferred-source-address";
                    }
                }
            }
        }
    }
}
Example: Default Forwarding Options Configuration for the DHCPv4 Wholesale Network
forwarding-options {
    dhcp-relay {
        traceoptions {
            file size 1g;
            inactive: flag all;
        }
        authentication {
            password psswd;
            username-include {
                user-prefix WholesaleNetwork;
            }
        }
        dynamic-profile Wholesaler_Profile;
        overrides {
            always-write-giaddr;
            always-write-option-82;
            layer2-unicast-replies;
            trust-option-82;
            client-discover-match;
        }
        server-group {
            Wholesaler-Server-Group {
                192.168.100.1;
            }
        }
    }
}
routing-instances {
    Retailer_Instance1 {
        instance-type vrf;
        access-profile Retailer_Access1;
        interface ge-11/1/9.10;
        interface ge-11/1/10.100;
        interface lo0.1;
        route-distinguisher 1:1;
        forwarding-options {
            dhcp-relay {
                authentication {
                    password psswd1;
                    username-include {
                        user-prefix WholesaleNetwork_Retailer1;
                    }
                }
                dynamic-profile Subscriber_Profile_Retailer1;
                overrides {
                    always-write-giaddr;
                    always-write-option-82;
                    layer2-unicast-replies;
                    trust-option-82;
                    client-discover-match;
                }
                server-group {
                    Retailer1-Server-Group {
                        10.10.100.1;
                    }
                }
                active-server-group Retailer1-Server-Group;
                group Retailer1-Group {
                    authentication {
                        password psswd1;
                        username-include {
                            user-prefix WholesaleNetwork_Retailer1;
                        }
                    }
                    dynamic-profile Subscriber_Profile_Retailer1;
                    overrides {
                        always-write-giaddr;
                        trust-option-82;
                        client-discover-match;
                    }
                    interface ge-2/3/0.2;
                }
            }
        }
    }
    Retailer_Instance2 {
        instance-type vrf;
        access-profile Retailer_Access2;
        interface ge-7/1/9.10;
        interface ge-7/1/9.100;
        interface lo0.2;
        route-distinguisher 2:2;
        forwarding-options {
            dhcp-relay {
                authentication {
                    password psswd2;
                    username-include {
                        user-prefix WholesaleNetwork_Retailer2;
                    }
                }
                dynamic-profile Subscriber_Profile_Retailer2;
                overrides {
                    always-write-giaddr;
                    trust-option-82;
                    client-discover-match;
                }
                server-group {
                    Retailer2-Group {
                        10.20.200.1;
                    }
                }
                active-server-group Retailer2-Group;
                group Retailer2-Group {
                    authentication {
                        password psswd2;
                        username-include {
                            user-prefix psswd2;
                        }
                    }
                    dynamic-profile Subscriber_Profile_Retailer2;
                    overrides {
                        always-write-giaddr;
                        trust-option-82;
                        client-discover-match;
                    }
                    interface ge-2/3/0.3;
                }
            }
        }
    }
}
The network topology for the subscriber management DHCPv6 Layer 3 wholesale solution
includes configuring separate routing instances for individual retailers that use a portion
of the router. This solution uses a DHCPv6 local server configuration.
NOTE: Only DHCPv6 local server is currently supported for DHCPv6 Layer 3
wholesale configuration.
To explain the concept, but to limit complexity, this solution provides a configuration
with one wholesaler and only two retailers. Figure 7 on page 90 illustrates a basic Layer
3 wholesale topology model from which you can expand.
[Figure 7: basic Layer 3 wholesale topology model. Labels: MX Series router in the Wholesaler Network Space, wholesaler RADIUS server, and an MSAN and RADIUS server for each of Retailer 1 and Retailer 2 (Retailer 2 Network Space).]
A DHCPv6 Layer 3 wholesale network solution can use various combinations of the
following configuration elements:
[Figure: DHCPv6 Layer 3 wholesale reference topology. Labels: MX Series router with interface GE-2/3/0, wholesaler RADIUS server, and an MSAN and RADIUS server for each of Retailer 1 and Retailer 2 (Retailer 2 Network Space).]
You must configure loopback interfaces for use in the subscriber management access
network. The loopback interfaces are automatically used for unnumbered interfaces.
[edit]
user@host# edit interfaces lo0
2. Edit the unit for the loopback interface that you want to use for the wholesaler.
8. Repeat steps 5 through 7 for additional retailers, making sure to use unique unit and
address values for each retailer loopback interface.
You can configure either static or dynamic customer VLANs for use in the DHCPv6
wholesale network solution.
• Configuring Static Customer VLANs for the DHCPv6 Layer 3 Wholesale Network
Solution on page 94
• Configuring Dynamic Customer VLANs for the DHCPv6 Layer 3 Wholesale Network
Solution on page 94
Configuring Static Customer VLANs for the DHCPv6 Layer 3 Wholesale Network Solution
In this example configuration, the access interface (ge-2/3/0) connects to a device (that
is, a DSLAM) on the access side of the network. You can define static VLANs for use by
access network subscribers.
[edit]
user@host# edit interfaces ge-2/3/0
7. (Optional) Define the unnumbered address and the preferred source address for the
first VLAN.
Configuring Dynamic Customer VLANs for the DHCPv6 Layer 3 Wholesale Network Solution
[edit]
user@host# edit dynamic-profiles VLAN-PROF
The variable is dynamically replaced with an outer VLAN ID within the VLAN range
specified at the [interfaces] hierarchy level.
The variable is dynamically replaced with an inner VLAN ID within the VLAN range
specified at the [interfaces] hierarchy level.
2. Associate the dynamic profile with the interface on which you want the VLANs created.
a. Access the interface that you want to use for creating VLANs.
[edit interfaces]
user@host# edit interfaces ge-2/3/0
e. Specify the dynamic VLAN profile that you want the interface to use.
f. Repeat steps a through e for any other interfaces that you want to use for creating
VLANs.
3. Specify the Ethernet packet type that the VLAN dynamic profile can accept.
4. Define VLAN ranges for use by the dynamic profile when dynamically creating VLAN
IDs. For this solution, specify the outer and inner stacked VLAN ranges that you want
the dynamic profile to use. The following example specifies an outer stacked VLAN
ID range of 3–3 (enabling only the outer range of 3) and an inner stacked VLAN ID
range of 1–3 (enabling a range from 1 through 3 for the inner stacked VLAN ID).
Configuring Access Components for the DHCP Layer 3 Wholesale Network Solution
When configuring a wholesale network, you must configure several components globally.
This configuration provides access to RADIUS servers that you want the wholesaler and
any configured retailers to use globally. The access configuration includes the following
general steps:
[edit]
user@host# edit access radius-server
2. Specify the address and secret for any RADIUS servers in the network.
[edit]
user@host# edit access-profile Wholesaler_Access
2. Specify the authentication methods for the profile and the order in which they are
used.
[edit]
user@host# edit access-profile Retailer_Access1
2. Specify the authentication methods for the profile and the order in which they are
used.
Configuring Dynamic Profiles for the DHCPv6 Layer 3 Wholesale Network Solution
A dynamic profile is a set of characteristics, defined in a type of template, that you can
use to provide services for broadband applications. These services are assigned
dynamically to interfaces as they access the network. When configuring dynamic profiles
for the DHCPv6 Layer 3 wholesale network, you can choose to configure one dynamic
profile to address all incoming subscribers or you can configure individual dynamic profiles
for use by the different network management groups (that is, the wholesaler and any
retailers). In fact, you can create multiple dynamic profiles that you can use to roll out
different services and selectively apply those dynamic profiles to different subscriber
groups as necessary.
In this solution example, one dynamic profile is created for use by the wholesaler when
subscribers initially access the network. Other dynamic profiles are created for the
subscribers for each individual retailer to use after they are redirected to that retailer
network space.
• Configuring a Wholesale Dynamic Profile for use in the DHCPv6 Solution on page 98
• Configuring a Dynamic Profile for use by Each Retailer in the DHCPv6
Solution on page 99
[edit]
user@host# edit dynamic-profiles Wholesaler_Profile
2. Specify that you want to configure the demux0 interface in the dynamic profile.
a. Configure the variable for the unit number of the demux0 interface.
The variable is dynamically replaced with the unit number that DHCP supplies
when the subscriber logs in.
b. Configure the variable for the underlying interface of the demux interfaces and
specify the $junos-underlying-interface variable.
The variable is dynamically replaced with the underlying interface that DHCP
supplies when the subscriber logs in.
c. Configure the variable for the IPv6 address of the demux interface.
The variable is dynamically replaced with the IPv6 address that DHCP supplies
when the subscriber logs in.
Configuring a Dynamic Profile for use by Each Retailer in the DHCPv6 Solution
To configure a dynamic profile for use with retailer access:
[edit]
user@host# edit dynamic-profiles Subscriber_Profile_Retail1
3. Set the dynamic interface variable for the dynamic routing instance.
4. Specify that you want to configure the demux0 interface in the dynamic profile.
a. Configure the variable for the unit number of the demux0 interface.
The variable is dynamically replaced with the unit number that DHCP supplies
when the subscriber logs in.
b. Configure the variable for the underlying interface of the demux interfaces and
specify the $junos-underlying-interface variable.
The variable is dynamically replaced with the underlying interface that DHCP
supplies when the subscriber logs in.
b. Configure the unnumbered address and preferred source address for the family.
c. Configure the variable that identifies the demux interface on the logical interface.
The variable is dynamically replaced with the IPv6 address that DHCP supplies
when the subscriber logs in.
As the owner of the system, the wholesaler typically uses the default routing instance.
You must create separate routing instances for each individual retailer to keep routing
information for individual retailers separate and to define any servers and forwarding
options specific to each retailer.
[edit]
user@host# edit routing-instances Retailer_Instance1
3. Specify the access profile that you want the routing instance to use.
Configuring Address Server Elements for the DHCPv6 Layer 3 Wholesale Solution
You can create address assignment pools that provide full 128-bit IPv6 addresses or
pools that provide prefixes of a specified length.
To configure an address assignment pool that provides full 128-bit IPv6 addresses:
[edit]
user@host# edit access address-assignment pool AddressPool_1
To configure an address assignment pool that provides shorter, 74-bit IPv6 prefixes:
[edit]
user@host# edit access address-assignment pool AddressPool_2
4. Define a named address range limit for the pool of IPv6 addresses.
[edit]
user@host# edit system services
5. (Optional) Edit the values you want included with the username.
6. (Optional) Set the values you want included with the username.
9. Specify a dynamic profile that you want the DHCPv6 local server group to use.
12. Specify a log file into which you want trace option information to be saved.
13. Specify the DHCPv6 local server message operations that you want saved in the log
file.
• DHCPv6 Local Server Overview in the Junos OS Subscriber Access Configuration Guide.
• Example: Retailer Dynamic Profile for a DHCPv6 Wholesale Network on page 105
• Example: Retailer Routing Instances for a DHCPv6 Wholesale Network on page 106
• Example: DHCPv6 Address Assignment Pool That Provides Full 128-bit IPV6 Addresses
for a DHCPv6 Wholesale Network on page 106
• Example: DHCPv6 Address Assignment Pool That Provides 74-bit IPV6 Prefixes for a
DHCPv6 Wholesale Network on page 106
• Example: Extended DHCPv6 Local Server for a DHCPv6 Wholesale Network on page 107
Example: Retailer Dynamic Profile for a DHCPv6 Wholesale Network
dynamic-profiles {
    Subscriber_Profile_Retailer1 {
        routing-instances {
            "$junos-routing-instance" {
                interface "$junos-interface-name";
            }
        }
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    demux-options {
                        underlying-interface "$junos-underlying-interface";
                    }
                    family inet6 {
                        demux-source {
                            "$junos-subscriber-ip-address";
                        }
                        unnumbered-address "$junos-loopback-interface" preferred-source-address "$junos-preferred-source-address";
                    }
                }
            }
        }
    }
}
Example: Retailer Routing Instances for a DHCPv6 Wholesale Network
routing-instances {
    Retailer_Instance1 {
        instance-type vrf;
        access-profile Retailer_Access1;
        interface ge-11/1/9.10;
        interface lo0.1;
        route-distinguisher 1:1;
    }
    Retailer_Instance2 {
        instance-type vrf;
        access-profile Retailer_Access2;
        interface ge-7/1/9.10;
        interface lo0.2;
    }
}
Example: DHCPv6 Address Assignment Pool That Provides Full 128-bit IPV6 Addresses
for a DHCPv6 Wholesale Network
access {
    address-assignment {
        pool AddressPool_1 {
            family inet6 {
                prefix 2121::0/64;
                range Range1 {
                    low 2121::a/128;
                    high 2121::7ffe/128;
                }
                dhcp-attributes {
                    maximum-lease-time 3600;
                    grace-period 60;
                }
            }
        }
    }
}
Example: DHCPv6 Address Assignment Pool That Provides 74-bit IPV6 Prefixes for a
DHCPv6 Wholesale Network
access {
    address-assignment {
        pool AddressPool_2 {
            family inet6 {
                prefix 2222::0/64;
                range BitLimit prefix-length 74;
                dhcp-attributes {
                    maximum-lease-time 3600;
                    grace-period 60;
                }
            }
        }
    }
}
Example: Extended DHCPv6 Local Server for a DHCPv6 Wholesale Network
system {
    services {
        dhcp-local-server {
            traceoptions {
                file dhcp-server-msgs.log;
                flag all;
            }
            dhcpv6 {
                group dhcp-ls-group {
                    dynamic-profile Wholesaler_Profile;
                    interface ge-1/3/0.1 {
                        upto ge-1/3/0.5;
                    }
                }
            }
            pool-match-order {
                ip-address-first;
            }
            authentication {
                password auth-psswrd;
                username-include {
                    domain-name yourcompany.com;
                    user-prefix user-defined-prefix;
                }
            }
        }
    }
}
The network topology for the subscriber management PPPoE Layer 3 wholesale solution
includes configuring separate routing instances for individual retailers that use a portion
of the router.
To explain the concept, but to limit complexity, this solution provides a configuration
with one wholesaler and only two retailers. Figure 9 on page 112 illustrates a basic PPPoE
Layer 3 wholesale topology model from which you can expand.
[Figure 9: basic PPPoE Layer 3 wholesale topology model. Labels: MX Series router in the Wholesaler Network Space, wholesaler RADIUS server, and an MSAN and RADIUS server for each of Retailer 1 and Retailer 2 (Retailer 2 Network Space).]
When you are configuring a PPPoE Layer 3 wholesale network solution, the following
configuration elements are required:
• AAA server assignment of subscribers to different routing instances within the same
(default) logical system only.
This configuration explains how to configure a simple PPPoE Layer 3 wholesale subscriber
access network. This solution incorporates two retailers sharing resources on a wholesaler
router. Figure 10 on page 114 provides the reference topology for this configuration example.
[Figure 10: PPPoE Layer 3 wholesale reference topology. Labels: MX Series router with interface GE-9/3/0, wholesaler RADIUS server, and an MSAN and RADIUS server for each of Retailer 1 and Retailer 2 (Retailer 2 Network Space).]
You must configure loopback interfaces for use in the subscriber management access
network. The loopback interfaces are automatically used for unnumbered interfaces.
NOTE: If you do not configure the loopback interface, the routing platform
chooses the first interface to come online as the default. If you configure
more than one address on the loopback interface, we recommend that you
configure one to be the primary address to ensure that it is selected for use
with unnumbered interfaces. By default, the primary address is used as the
source address when packets originate from the interface.
[edit]
user@host# edit interfaces lo0
5. (Optional) Specify the loopback interface address as the primary loopback interface.
9. (Optional) Specify the loopback interface address as the primary loopback interface.
10. Repeat steps 7 through 10 for additional retailers, making sure to use unique unit and
address values for each retailer loopback interface.
Configuring Static Customer VLANs for the PPPoE Layer 3 Wholesale Network Solution
In this example configuration, the access interface (ge-9/3/0) connects to a device (that
is, a DSLAM) on the access side of the network. You can define static customer VLANs
(C-VLANs) for use by the wholesaler and any access network subscribers.
[edit]
user@host# edit interfaces ge-9/3/0
4. Specify the type of encapsulation that you want the wholesaler VLAN to use.
5. (Optional) Specify that you want the wholesaler VLAN to use Proxy ARP.
7. Specify the dynamic profile that you want the wholesaler VLAN to use.
When configuring a wholesale network, you must configure several components globally.
This configuration provides access to RADIUS servers (if used) that you want the
wholesaler and any configured retailers to use globally. The access configuration includes
the following general steps:
[edit]
2. Specify the address and secret for any RADIUS servers in the network.
[edit]
user@host# edit access profile PPPoE_Wholesaler_Access
2. Specify the authentication methods for the profile and the order in which they are
used.
[edit]
user@host# edit access profile PPPoE_Retailer_Access1
2. Specify the authentication methods for the profile and the order in which they are
used.
Configuring Dynamic Profiles for the PPPoE Layer 3 Wholesale Network Solution
A dynamic profile is a set of characteristics, defined in a type of template, that you can
use to provide services for broadband applications. These services are assigned
dynamically to interfaces as they access the network. When configuring dynamic profiles
for the PPPoE Layer 3 wholesale network, you can choose to configure one dynamic
profile to address all incoming subscribers or you can configure individual dynamic profiles
for use by the different network management groups (that is, the wholesaler and any
retailers). In fact, you can create multiple dynamic profiles that you can use to roll out
different services and selectively apply those dynamic profiles to different subscriber
groups as necessary.
In this solution example, one dynamic profile is created for use by the wholesaler when
subscribers initially access the network. Subscribers are assigned by the wholesaler
RADIUS server to a particular retailer routing instance and can then be redirected to that
retailer network space.
• Configuring a Wholesale Dynamic Profile for use in the PPPoE Solution on page 119
[edit]
user@host# edit dynamic-profiles PPPoE_Wholesaler_Profile
3. Set the dynamic interface variable for the dynamic routing instance.
4. Specify that you want to configure the pp0 interface in the dynamic profile.
a. Configure the variable for the unit number of the pp0 interface.
The variable is dynamically replaced with the unit number that RADIUS supplies
when the subscriber logs in.
c. Configure the variable for the underlying interface of the pp0 interfaces.
The variable is dynamically replaced with the underlying interface that RADIUS
supplies when the subscriber logs in.
NOTE: You can specify inet for IPv4 and inet6 for IPv6. However, this
solution provides the IPv4 configuration only.
As the owner of the system, the wholesaler uses the default routing instance. You must
create separate routing instances for each individual retailer to keep routing information
for individual retailers separate and to define any servers and forwarding options specific
to each retailer.
[edit]
user@host# edit routing-instances PPPoE_Retailer_Instance1
3. Specify the access profile that you want the routing instance to use.
7. Specify how routes are imported into the local PE router’s VPN routing table from the
remote PE router.
8. Specify which routes are exported from the local instance table to the remote PE
router.
• Example: Wholesaler Dynamic Profile for a PPPoE Wholesale Network on page 123
• Example: Retailer Routing Instances for a PPPoE Wholesale Network on page 124
Example: Wholesaler Dynamic Profile for a PPPoE Wholesale Network
PPPoE_Wholesaler_Profile {
    routing-instances {
        "$junos-routing-instance" {
            interface "$junos-interface-name";
        }
    }
    interfaces {
        pp0 {
            unit "$junos-interface-unit" {
                ppp-options {
                    chap;
                    pap;
                }
                pppoe-options {
                    underlying-interface "$junos-underlying-interface";
                    server;
                }
                keepalives interval 15;
                family inet {
                    filter {
                        input "$junos-input-filter";
                        output "$junos-output-filter";
                    }
                    unnumbered-address "$junos-loopback-interface";
                }
            }
        }
    }
}
Example: Retailer Routing Instances for a PPPoE Wholesale Network
routing-instances {
    PPPoE_Retailer_Instance1 {
        instance-type vrf;
        access-profile PPPoE_Retailer_Access1;
        interface ge-11/1/9.10;
        interface lo0.5;
        route-distinguisher 1:1;
        vrf-import policyImport;
        vrf-export policyExport;
    }
    Retailer_Instance2 {
        instance-type vrf;
        access-profile PPPoE_Retailer_Access2;
        interface ge-11/1/9.10;
        interface lo0.6;
        route-distinguisher 2:2;
        vrf-import policyImport;
        vrf-export policyExport;
    }
}
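The routing-instances examples for the DHCPv6 and PPPoE solutions exist to keep each retailer's routing information separate, so a pre-commit review can check that separation mechanically. The following Python sketch is an added example, not Juniper code: it parses curly-brace configuration text and reports instances that share a logical interface, route distinguisher, or access profile, or that are VRFs with no route distinguisher. These invariants are this example's reading of the separation requirement, and the sample configuration (including Retailer_Instance3) is constructed.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the routing-instances examples in this guide.
SAMPLE_CONFIG = """
routing-instances {
    Retailer_Instance1 {
        instance-type vrf;
        access-profile Retailer_Access1;
        interface ge-11/1/9.10;
        interface lo0.5;
        route-distinguisher 1:1;
    }
    Retailer_Instance2 {
        instance-type vrf;
        access-profile Retailer_Access2;
        interface ge-11/1/9.10;
        interface lo0.6;
    }
    Retailer_Instance3 {
        instance-type vrf;
        access-profile Retailer_Access1;
        interface ge-7/1/9.10;
        interface lo0.7;
        route-distinguisher 1:1;
    }
}
"""

# A quoted string, a structural character, or a bare word.
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def parse_config(text):
    """Parse curly-brace configuration text into nested dicts.

    'name { ... }' becomes {name: {...}}. A leaf 'key value;' is appended to
    a list under key, so repeated statements such as 'interface' are kept.
    Raises ValueError on unbalanced braces or an unterminated statement.
    """
    root = {}
    stack = [root]
    words = []
    for tok in TOKEN.findall(text):
        if tok == "{":
            if not words:
                raise ValueError("block without a name")
            child = {}
            stack[-1][" ".join(words)] = child
            stack.append(child)
            words = []
        elif tok == "}":
            if words or len(stack) == 1:
                raise ValueError("unbalanced brace or unterminated statement")
            stack.pop()
        elif tok == ";":
            if not words:
                raise ValueError("empty statement")
            stack[-1].setdefault(words[0], []).append(" ".join(words[1:]))
            words = []
        else:
            words.append(tok.strip('"'))
    if len(stack) != 1 or words:
        raise ValueError("unbalanced braces at end of input")
    return root


def audit_instances(config):
    """Return sorted findings about separation between routing instances."""
    findings = []
    shared = {"interface": defaultdict(list),
              "route-distinguisher": defaultdict(list),
              "access-profile": defaultdict(list)}
    for name, body in config.get("routing-instances", {}).items():
        if not isinstance(body, dict):
            continue
        if "vrf" in body.get("instance-type", []) and not body.get("route-distinguisher"):
            findings.append(f"{name}: vrf instance has no route-distinguisher")
        if not body.get("access-profile"):
            findings.append(f"{name}: no access-profile")
        for statement, index in shared.items():
            for value in body.get(statement, []):
                index[value].append(name)
    for statement, index in shared.items():
        for value, owners in index.items():
            if len(owners) > 1:
                findings.append(f"{statement} {value} shared by {', '.join(owners)}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_instances(parse_config(SAMPLE_CONFIG)):
        print(finding)
```
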
The network topology for the subscriber management Layer 2 wholesale solution includes
configuring separate routing instances for individual retailers that use a portion of the
router. This solution uses a Virtual Private LAN Service (VPLS) configuration.
To explain the concept but limit complexity, this solution provides a configuration with
one wholesaler and only two retailers. Figure 11 on page 128 illustrates a basic Layer 2
wholesale topology model from which you can expand.
[Figure 11: basic Layer 2 wholesale topology model. Labels: Retailer 1 and Retailer 2 clients and MSANs in the access network; MX Series routers, the wholesaler RADIUS server, and a standard BGP/MPLS configuration in the Wholesaler Controlled Network Space (Layer 2 backhaul network); a direct ISP-facing connection and NNI ISP-facing connections to the Retailer 1 and Retailer 2 ISP Access Network Spaces, each with a DHCP server and a RADIUS server.]
When you are configuring a Layer 2 wholesale network solution, the following configuration
elements are required:
• Routing instance configuration for individual retailers on provider edge (PE) routers
and network-to-network interface (NNI) routers.
This configuration explains how to configure a simple Layer 2 wholesale subscriber access
network. This solution illustrates two Internet Service Provider (ISP) retailers sharing
access to a wholesaler network. The wholesaler network contains a Layer 2 Network
access router and two Virtual Private LAN Service (VPLS) network-to-network interface
(NNI) routers.
NOTE: You can have more than one ISP router connecting to a single VPLS
NNI router, with VPLS interfaces configured with routing instances specific
to each ISP-facing interface.
The example also shows two different connection options from one subscriber access
router to one of the individual ISP access routers. One connection option uses an interface
on the subscriber access router to connect directly to the ISP access router. Another
connection option uses two routers: a subscriber access router and another NNI router
that connects to the ISP access router.
NOTE: When using the NNI router connection option, use a standard BGP or
MPLS configuration between the subscriber access routers and the edge
router that connects to the ISP access routers. See the Junos OS Routing
Protocols Configuration Guide for information about BGP configuration. See
the Junos OS MPLS Applications Configuration Guide for information about MPLS
configuration.
Figure 12 on page 130 provides the reference topology for this configuration example.
[Figure 12: Layer 2 wholesale reference topology. Labels: Retailer 1 and Retailer 2 clients and MSANs in the access network; MX Series routers with interfaces GE-2/3/0, GE-1/1/0, and GE-2/2/0 in the Wholesaler Controlled Network Space (Layer 2 backhaul network); Wholesaler NNI-2 ISP-facing interface facing ISP Retailer 2: GE-2/2/0.0, VPLS routing instance Retailer_Instance2; Retailer 1 and Retailer 2 ISP Access Network Spaces, each with a DHCP server and a RADIUS server.]
Configuring a Retail Dynamic Profile for Use in the Layer 2 Wholesale Solution
[edit]
user@host# edit dynamic-profiles Subscriber_Profile_Retail1
3. Set the dynamic interface variable for the dynamic routing instance.
5. Define the dynamic interface unit variable for the dynamic profile.
NOTE: This solution example uses stacked VLAN tagging. However, you
can also specify single-tag VLANs. For additional information about
configuring dynamic VLANs, see the Junos OS Subscriber Access Configuration
Guide.
8. Define the input and output VLAN maps. See “Stacking and Rewriting VLAN Tags for
the Layer 2 Wholesale Solution” on page 132 for details.
9. Specify the unit family as vpls at the [edit dynamic-profiles profile-name interfaces
“$junos-interface-ifd-name” unit “$junos-interface-unit” family] hierarchy level.
Stacking and Rewriting VLAN Tags for the Layer 2 Wholesale Solution
Stacking and rewriting VLAN tags allows you to use an additional (outer) VLAN tag to
differentiate between routers in the Layer 2 wholesale network. A frame can be received
on an interface, or it can be internal to the system (as a result of the input-vlan-map
statement).
You can configure rewrite operations to stack (push), remove (pop), or rewrite (swap)
tags on single-tagged frames and dual-tagged frames. If a port is not tagged, rewrite
operations are not supported on any logical interface on that port.
• pop—Remove a VLAN tag from the top of the VLAN tag stack. The outer VLAN tag of
the frame is removed.
• push—Add a new VLAN tag to the top of the VLAN stack. An outer VLAN tag is pushed
in front of the existing VLAN tag.
• swap—Replace the inner VLAN tag of the incoming frame with a user-specified VLAN
tag value.
You configure VLAN rewrite operations for logical interfaces in the input VLAN map for
incoming frames and in the output VLAN map for outgoing frames.
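The push and pop operations described above, worked at the byte level as an added Python example (not Juniper code). It models an input VLAN map that pushes an outer tag onto a single-tagged subscriber frame and an output VLAN map that pops it again; swap is left out. The frame, the outer VLAN ID 3, the TPID set, and the choice to reject untagged frames are assumptions of this example.

```python
import struct

# Tag protocol identifiers this example recognises (an assumed set).
TPIDS = {0x8100, 0x88A8, 0x9100}

# Constructed single-tagged subscriber frame: destination MAC, source MAC,
# one 802.1Q tag carrying VLAN ID 100, EtherType 0x0800, then a dummy payload.
SUBSCRIBER_FRAME = bytes.fromhex(
    "020000000001" "020000000002" "8100" "0064" "0800"
) + b"constructed payload"


def split_frame(frame):
    """Return (MAC header, [(tpid, tci), ...] outermost first, remainder)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame ends inside the tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TPIDS:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((ethertype, tci))
        offset += 4
    return frame[:12], tags, frame[offset:]


def build_frame(macs, tags, rest):
    """Reassemble a frame from the parts returned by split_frame."""
    return macs + b"".join(struct.pack("!HH", t, c) for t, c in tags) + rest


def vlan_ids(frame):
    """VLAN IDs in the tag stack, outermost first."""
    return [tci & 0x0FFF for _, tci in split_frame(frame)[1]]


def push(frame, vlan_id, tpid=0x8100):
    """Add a new outer tag in front of the existing tag stack."""
    macs, tags, rest = split_frame(frame)
    if not tags:
        raise ValueError("rewrite operations need a tagged frame")
    if tpid not in TPIDS or not 1 <= vlan_id <= 4094:
        raise ValueError("unsupported TPID or VLAN ID out of range")
    return build_frame(macs, [(tpid, vlan_id)] + tags, rest)


def pop(frame):
    """Remove the outer tag from the top of the tag stack."""
    macs, tags, rest = split_frame(frame)
    if not tags:
        raise ValueError("rewrite operations need a tagged frame")
    return build_frame(macs, tags[1:], rest)


def round_trip(frame, outer_vlan_id):
    """Input map pushes the outer tag; output map pops it on the way back."""
    toward_core = push(frame, outer_vlan_id)
    toward_subscriber = pop(toward_core)
    return vlan_ids(toward_core), toward_subscriber == frame


if __name__ == "__main__":
    print(round_trip(SUBSCRIBER_FRAME, 3))
```
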
You can include both the input-vlan-map and output-vlan-map statements at the [edit
dynamic-profiles profile-name interface “$junos-interface-ifd-name” unit
“$junos-interface-unit”] hierarchy level.
The type of VLAN rewrite operation permitted depends upon whether the frame is
single-tagged or dual-tagged. Table 7 on page 132 shows supported rewrite operations
and whether they can be applied to single-tagged frames or dual-tagged frames. The
table also indicates the number of tags being added or removed during the operation.
Depending on the VLAN rewrite operation, you configure the rewrite operation for the
interface in the input VLAN map, the output VLAN map, or both. Table 8 on page 133
shows what rewrite operation combinations you can configure. “None” means that no
rewrite operation is specified for the VLAN map.
push No No Yes No
pop No Yes No No
NOTE: You configure the input-vlan-map statement only when there is a need
either to push an outer tag on a single-tagged subscriber packet or to modify
the outer tag in a subscriber dual-tagged packet.
2. Specify the action that you want the input VLAN map to take.
3. Include the vlan-id statement along with the $junos-vlan-map-id dynamic variable.
2. Specify the action that you want the output VLAN map to take.
You must know whether the VLAN rewrite operation is valid and is applied to the input
VLAN map or the output VLAN map. You must also know whether the rewrite operation
requires you to include statements to configure the inner and outer tag protocol identifiers
(TPIDs) and inner and outer VLAN IDs in the input VLAN map or output VLAN map. For
information about configuring inner and outer TPIDs and inner and outer VLAN IDs, see
Configuring Inner and Outer TPIDs and VLAN IDs.
Clients access the Layer 2 Wholesale network through a specific interface. After they
access this interface, and when they are authenticated, VLANs are dynamically created
to carry the client traffic.
1. Access the physical interface that you want to use for dynamically creating VLAN
interfaces.
[edit interfaces]
user@host# edit interfaces ge-2/3/0
6. Specify the dynamic VLAN profile that you want the interface to use.
7. Specify that any type of VLAN Ethernet packet is accepted by the interface.
8. Repeat steps for any other interfaces that you want to use for creating VLANs.
Related Documentation
• Configuring Single-Level VLAN Ranges for Use with VLAN Dynamic Profiles
• Configuring Encapsulation for Layer 2 Wholesale VLAN Interfaces on page 135
Each dynamic VLAN interface in a Layer 2 wholesale network must use encapsulation.
You can configure encapsulation dynamically for each VLAN interface by using the
encapsulation statement at the [edit dynamic-profiles profile-name interface
“$junos-interface-ifd-name” unit “$junos-interface-unit”] hierarchy level or configure
encapsulation for the physical interfaces at the [edit interfaces interface-name] hierarchy
level for each dynamically created VLAN interface to use. However, how you choose to
configure (or not configure) encapsulation at the [edit dynamic-profiles profile-name
interface “$junos-interface-ifd-name” unit “$junos-interface-unit”] hierarchy level affects
how you configure encapsulation at the [edit interfaces interface-name] hierarchy level.
Table 9 on page 135 provides the valid encapsulation combinations for both dynamic
profiles and physical interfaces in the Layer 2 wholesale network.
Related Documentation
• Configuring a Retail Dynamic Profile for Use in the Layer 2 Wholesale Solution on
page 131
• Configuring VLAN Interfaces for the Layer 2 Wholesale Solution on page 134
You must configure separate, ISP-facing interfaces on each NNI ISP-facing router that
connect to individual retailer ISP access routers in the Layer 2 Wholesale solution.
1. Access the physical interface that you want to use to access the retailer ISP network.
[edit interfaces]
user@host# edit interfaces ge-1/1/0
3. Specify the interface unit that you want ISP clients to use.
4. Repeat these steps for any other NNI ISP-facing interfaces that you want to use. In
this example, you must also configure interface ge-2/2/0.0.
Related Documentation
• Configuring Single-Level VLAN Ranges for Use with VLAN Dynamic Profiles
• Configuring Direct ISP-Facing Interfaces for the Layer 2 Wholesale Solution on page 137
• Configuring Separate Access Routing Instances for Layer 2 Wholesale Service Retailers
on page 137
When connecting a subscriber access router directly to an ISP access router, you must
define any ISP-facing interfaces that connect to the retailer ISP access routers as
core-facing interfaces.
1. Access the physical interface that you want to use to access the retailer ISP network.
[edit interfaces]
user@host# edit interfaces ge-1/1/0
3. Specify the interface unit that you want ISP clients to use.
5. Define the interface as core-facing to ensure that the network does not improperly
treat the interface as a client interface.
6. Repeat steps for any other direct ISP-facing interfaces that you want to use.
Related Documentation
• Configuring Single-Level VLAN Ranges for Use with VLAN Dynamic Profiles
• Configuring NNI ISP-Facing Interfaces for the Layer 2 Wholesale Solution on page 136
• Configuring Separate Access Routing Instances for Layer 2 Wholesale Service Retailers
on page 137
Configuring Separate Access Routing Instances for Layer 2 Wholesale Service Retailers
As the owner of the system, the wholesaler uses the default routing instance. You must
create separate routing instances for each individual retailer to keep routing information
for individual retailers separate and to define any servers and forwarding options specific
to each retailer.
When creating separate routing instances, it is important to understand the role that the
router plays in the Layer 2 Wholesale network and specify that role (either access or NNI)
in the routing instance configuration. If the router connects directly to an ISP network (or
ISP-controlled device), you must configure the routing instances as an NNI routing
instance. See “Configuring Separate NNI Routing Instances for Layer 2 Wholesale Service
Retailers” on page 140.
[edit]
user@host# edit routing-instances RetailerInstance1
2. Specify the VLAN model that you want the retailer to follow.
3. Specify the role that you want the routing instance to take.
6. Specify that access ports in this VLAN domain do not forward packets to each other.
7. Specify a unique identifier attached to a route that enables you to distinguish to which
VPN the route belongs.
c. Specify the maximum number of sites allowed for the VPLS domain.
d. Specify the size of the VPLS MAC address table for the routing instance.
e. Specify the maximum number of MAC addresses that can be learned by the VPLS
routing instance.
f. (Optional) Specify the no-tunnel-services statement if the router does not have a
Tunnel Services PIC.
10. Repeat this procedure for other retailers. In this example, you must configure a routing
instance for Retailer 2.
• Configuring NNI ISP-Facing Interfaces for the Layer 2 Wholesale Solution on page 136
• Configuring Separate NNI Routing Instances for Layer 2 Wholesale Service Retailers
on page 140
Configuring Separate NNI Routing Instances for Layer 2 Wholesale Service Retailers
As the owner of the system, the wholesaler uses the default routing instance. You must
create separate routing instances for each individual retailer to keep routing information
for individual retailers separate and to define any servers and forwarding options specific
to each retailer.
When creating separate routing instances, it is important to understand the role that the
router plays in the Layer 2 Wholesale network and specify that role (either access or NNI)
in the routing instance configuration. If the router connects to the access portion of the
network (for example, to an MSAN device), you must configure the routing instances as
an access routing instance. See “Configuring Separate Access Routing Instances for Layer
2 Wholesale Service Retailers” on page 137.
[edit]
user@host# edit routing-instances RetailerInstance1
2. Specify the VLAN model that you want the retailer to follow.
3. Specify the role that you want the routing instance to take.
6. Specify that access ports in this VLAN domain do not forward packets to each other.
7. Specify a unique identifier attached to a route that enables you to distinguish to which
VPN the route belongs.
c. Specify the maximum number of sites allowed for the VPLS domain.
d. (Optional) Specify the no-tunnel-services statement if the router does not have a
Tunnel Services PIC.
g. Define the connectivity of the VPLS routing instance as permanent to keep the
VPLS connection up until specifically taken down.
• Configuring VLAN Interfaces for the Layer 2 Wholesale Solution on page 134
• Configuring Separate Access Routing Instances for Layer 2 Wholesale Service Retailers
on page 137
When configuring a wholesale network, you must configure several components globally.
This configuration provides access to RADIUS servers (if used) that you want the
wholesaler and any configured retailers to use globally. The access configuration includes
the following general steps:
[edit]
user@host# edit access radius-server
2. Specify the address and secret for any RADIUS servers in the network.
[edit]
user@host# edit access profile AccessProfile
2. Specify the authentication methods for the profile and the order in which they are
used.
• Example: Retailer Dynamic Profile for a Layer 2 Wholesale Network on page 145
• Example: Access Interface for a Layer 2 Wholesale Network on page 146
• Example: Retailer Access Routing Instances for a Layer 2 Wholesale Network on page 146
• Example: Retailer NNI ISP-Facing Interfaces for a Layer 2 Wholesale Network on page 147
• Example: Retailer Direct ISP-Facing Interface for a Layer 2 Wholesale
Network on page 147
Example: Retailer Dynamic Profile for a Layer 2 Wholesale Network
dynamic-profiles {
    Subscriber_Profile_Retail1 {
        routing-instances {
            "$junos-routing-instance" {
                interface "$junos-interface-name";
            }
        }
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    encapsulation vlan-vpls;
                    vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                    input-vlan-map {
                        swap;
                        vlan-id "$junos-vlan-map-id";
                    }
                    output-vlan-map swap;
                    family vpls;
                }
            }
        }
    }
}
Example: Access Interface for a Layer 2 Wholesale Network
interfaces {
    ge-2/3/0 {
        flexible-vlan-tagging;
        auto-configure {
            stacked-vlan-ranges {
                dynamic-profile Subscriber_Profile_Retail1 {
                    accept any;
                    ranges {
                        any,any;
                    }
                }
                access-profile AccessProfile;
            }
        }
        encapsulation flexible-ethernet-services;
    }
}
Example: Retailer Access Routing Instances for a Layer 2 Wholesale Network
routing-instances {
    Retailer_Instance1 {
        vlan-model one-to-one;
        instance-role access;
        instance-type l2backhaul-vpn;
        interface ge-1/1/0.0;
        no-local-switching;
        route-distinguisher 10.10.1.1:1;
        vrf-target target:100:1;
        protocols {
            vpls {
                site-range 10;
                mac-table-size {
                    6000;
                }
                interface-mac-limit {
                    2000;
                }
                no-tunnel-services;
                site A-PE {
                    site-identifier 1;
                }
            }
        }
    }
    Retailer_Instance2 {
        vlan-model one-to-one;
        instance-role access;
        instance-type l2backhaul-vpn;
        interface ge-2/2/0.0;
        no-local-switching;
        route-distinguisher 10.10.1.1:2;
        vrf-target target:300:1;
        protocols {
            vpls {
                site-range 1000;
                no-tunnel-services;
                site A-PE {
                    site-identifier 1;
                }
            }
        }
    }
}
Example: Retailer NNI ISP-Facing Interfaces for a Layer 2 Wholesale Network
interfaces {
    ge-1/1/0 {
        description "Retailer 1 NNI ISP-facing interface";
        encapsulation ethernet-vpls;
        unit 0;
    }
}
interfaces {
    ge-2/2/0 {
        description "Retailer 2 NNI ISP-facing interface";
        encapsulation ethernet-vpls;
        unit 0;
    }
}
Example: Retailer Direct ISP-Facing Interface for a Layer 2 Wholesale Network
interfaces {
    ge-1/1/0 {
        description "Retailer 1 Direct ISP-facing interface";
        encapsulation ethernet-vpls;
        unit 1 {
            family vpls {
                core-facing;
            }
        }
    }
}
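The retailer routing-instance example above relies on a few statements to keep retailers apart: no-local-switching, a distinct route-distinguisher and vrf-target per instance, and VPLS MAC limits. The Python check below is an added example, not Juniper code; it parses curly-brace configuration text and reports instances that share one of those values or omit one of those statements. The sample configuration is constructed from the page's example, and the function names and the choice of checks are this example's own assumptions.

```python
import re
from collections import Counter
# Constructed sample, abbreviated from the page's two retailer instances.
CONFIG = """routing-instances {
    Retailer_Instance1 {
        interface ge-1/1/0.0;
        no-local-switching;
        route-distinguisher 10.10.1.1:1;
        vrf-target target:100:1;
        protocols { vpls { interface-mac-limit { 2000; } } }
    }
    Retailer_Instance2 {
        interface ge-2/2/0.0;
        no-local-switching;
        route-distinguisher 10.10.1.1:2;
        vrf-target target:300:1;
        protocols { vpls { site-range 1000; } }
    }
}"""

def parse(text):
    """Junos curly-brace config -> nested dicts; leaf statements map to None."""
    root, stack, words = {}, [], []
    node = root
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == "{":            # open a container named by the words so far
            stack.append(node)
            node = node.setdefault(" ".join(words), {})
            words = []
        elif tok == "}":          # return to the parent container
            node = stack.pop()
        elif tok == ";":          # end of a leaf statement
            node[" ".join(words)] = None
            words = []
        else:
            words.append(tok)
    return root

def audit(text):
    """Return isolation findings for the instances under routing-instances."""
    insts = parse(text).get("routing-instances", {})
    unique = ("route-distinguisher ", "vrf-target ", "interface ")  # must not repeat
    used = Counter(s for inst in insts.values() for s in inst if s.startswith(unique))
    findings = [f"{s} appears in {n} instances" for s, n in used.items() if n > 1]
    for name, inst in insts.items():
        vpls = (inst.get("protocols") or {}).get("vpls") or {}
        for stmt, scope in (("no-local-switching", inst), ("interface-mac-limit", vpls)):
            if stmt not in scope:
                findings.append(f"{name}: {stmt} is not configured")
    return findings
```

Run against the page's example, `audit(CONFIG)` reports only that Retailer_Instance2 has no explicit interface-mac-limit.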
You can use a number of Junos OS CLI commands to monitor and troubleshoot a
configured subscriber management solution. The following sections provide links to CLI
commands that are related to the subscriber management configuration and where to
locate details about each command.
• Subscriber Management AAA and Address Assignment Pool CLI Commands on page 151
• Subscriber Management DHCPv4 Local Server CLI Commands on page 152
• Subscriber Management DHCPv6 Local Server CLI Commands on page 152
• Subscriber Management DHCP Relay CLI Commands on page 152
• Subscriber Management Interface CLI Commands on page 153
• Subscriber Management Dynamic Protocol CLI Commands on page 153
• Subscriber Management Subscriber CLI Commands on page 154
Table 10 on page 151 provides a list of AAA–related and address assignment pool CLI
commands that are associated with subscriber management configuration. These
commands appear in the Junos OS System Basics and Services Command Reference.
Table 10: Subscriber Management AAA and Address Assignment Pools CLI Commands
CLI Command                                   Purpose
show network-access aaa statistics            Display AAA accounting and authentication statistics.
show network-access address-assignment pool   Display state information for each address-assignment pool.
Table 11 on page 152 provides a list of DHCPv4 local server–related CLI commands that
are associated with subscriber management configuration. These commands appear in
the Junos OS System Basics and Services Command Reference.
CLI Command                     Purpose
show dhcp server binding        Display the address bindings in the client table on the extended Dynamic
                                Host Configuration Protocol version 4 (DHCPv4) local server.
show dhcp server statistics     Display extended Dynamic Host Configuration Protocol version 4 (DHCPv4)
                                local server statistics.
clear dhcp server binding       Clear the binding state of a Dynamic Host Configuration Protocol version 4
                                (DHCPv4) client from the client table on the extended DHCPv4 local server.
clear dhcp server statistics    Clear all extended Dynamic Host Configuration Protocol version 4 (DHCPv4)
                                local server statistics.
Table 12 on page 152 provides a list of DHCPv6 local server–related CLI commands that
are associated with subscriber management configuration. These commands appear in
the Junos OS System Basics and Services Command Reference.
CLI Command                      Purpose
show dhcpv6 server binding       Display the address bindings in the client table on the extended Dynamic
                                 Host Configuration Protocol version 6 (DHCPv6) local server.
show dhcpv6 server statistics    Display extended Dynamic Host Configuration Protocol version 6 (DHCPv6)
                                 local server statistics.
clear dhcpv6 server binding      Clear the binding state of a Dynamic Host Configuration Protocol version 6
                                 (DHCPv6) client from the client table on the extended DHCPv6 local server.
clear dhcpv6 server statistics   Clear all extended Dynamic Host Configuration Protocol version 6 (DHCPv6)
                                 local server statistics.
Table 13 on page 153 provides a list of DHCP relay–related CLI commands that are
associated with subscriber management configuration. These commands appear in the
Junos OS Routing Protocols and Policies Command Reference.
CLI Command                    Purpose
show dhcp relay binding        Display the address bindings in the Dynamic Host Configuration Protocol
                               (DHCP) client table.
show dhcp relay statistics     Display Dynamic Host Configuration Protocol (DHCP) relay statistics.
clear dhcp relay binding       Clear the binding state of a Dynamic Host Configuration Protocol (DHCP)
                               client from the client table.
clear dhcp relay statistics    Clear all Dynamic Host Configuration Protocol (DHCP) relay statistics.
Table 14 on page 153 provides a list of interface–related CLI commands that are associated
with subscriber management configuration. These commands appear in the Junos OS
Interfaces Command Reference.
CLI Command                                  Purpose
show interfaces (Aggregated Ethernet)        Display information about configured interfaces. This command includes
show interfaces (Fast Ethernet)              brief, detail, and extensive options that you can use to view all
                                             interfaces or a specific Ethernet or LAG interface.
show interfaces demux0 (Demux Interfaces)    Display information about configured Demux interfaces.
show interfaces filters                      Display all firewall filters that are installed on each interface.
show interfaces (PPPoE)                      Display status information about the PPPoE interface.
show interfaces routing                      Have the routing protocol process display its view of the state of the
                                             router's interfaces.
Table 15 on page 154 provides a list of dynamic protocol–related CLI commands that are
associated with subscriber management configuration. These commands appear in the
Junos OS Routing Protocols and Policies Command Reference.
CLI Command             Purpose
show igmp interface     Display information about Internet Group Management Protocol (IGMP)-enabled
                        interfaces.
show igmp statistics    Display Internet Group Management Protocol (IGMP) statistics.
Table 16 on page 154 provides the subscriber–related CLI command that is associated
with subscriber management configuration. This command appears in the Junos OS
System Basics and Services Command Reference.