JUNOSe™ Software
for E Series™ Broadband Services Routers
Broadband Access
Configuration Guide
Release 11.0.x
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Published: 2010-01-04
Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc. in
the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or
registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or
otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed
to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347,
6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
JUNOSe™ Software for E Series™ Broadband Services Routers Broadband Access Configuration Guide
Release 11.0.x
Copyright © 2010, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Writing: Mark Barnard, Diane Florio, Bruce Gillham, Sarah Lesway-Ball, Brian Wesley Simmons, Fran Singer, Poornima Goswami, Chander Aima, Hema
Priya J, Krupa Chandrashekar, Subash Babu Asokan, Sairam Venugopalan
Editing: Benjamin Mann
Illustration: Nathaniel Woodward
Cover Design: Edmonds Design
Revision History
January 2010—FRS JUNOSe 11.0.x
The information in this document is current as of the date listed in the revision history.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. The JUNOS Software has no known time-related limitations through the year
2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING,
INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER
OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS
AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE,
AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.
1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks
(Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii)
the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”)
(collectively, the “Parties”).
2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for which Customer
has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer
purchased from Juniper or an authorized Juniper reseller. “Software” also includes updates, upgrades and new releases of such software. “Embedded
Software” means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements
which are subsequently embedded in or loaded onto the equipment.
3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive
and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:
a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper
or an authorized Juniper reseller.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer
has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use
such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the
Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether
such computers or virtualizations are physically contained on a single chassis.
c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to
Customer’s use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls,
connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features,
functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing,
temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software
to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable
licenses.
d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer
may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial
period by re-installing the Software after the 30-day trial period.
e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network.
Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any
commercial network access services.
The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable
license(s) for the Software from Juniper or an authorized Juniper reseller.
4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall
not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as
necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove
any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of
the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any ‘locked’ or key-restricted
feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even
if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper
to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper
reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the
Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to
any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.
5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish
such records to Juniper and certify its compliance with this Agreement.
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer
shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes
restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer’s internal business purposes.
7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software,
associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in
the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that
accompanies the Software (the “Warranty Statement”). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services
may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED
BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES,
OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR
JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY
JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW,
JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING
ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER
WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION,
OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether
in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or
if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper
has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same
reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss),
and that the same form an essential basis of the bargain between the Parties.
9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license
granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s
possession or control.
10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of
the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior
to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any
applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper
with valid tax receipts and other required documentation showing Customer’s payment of any withholding taxes; completing appropriate applications that
would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder.
Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related
to any liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under this
Section shall survive termination or expiration of this Agreement.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign
agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or
without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption
or other capabilities restricting Customer’s ability to export the Software without an export license.
12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure
by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212,
FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface
information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any.
Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable
terms and conditions upon which Juniper makes such information available.
14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology
are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor
shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the
Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and
subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License
(“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate)
available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194
N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and
a copy of the LGPL at http://www.gnu.org/licenses/lgpl.html.
15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions
of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties
hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement
constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous
agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a
separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict
with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in
writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the
remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English
version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout
avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be
in the English language)).
Abbreviated Table of Contents
About the Documentation
Part 1 Managing Remote Access
Chapter 1 Configuring Remote Access
Chapter 2 Monitoring and Troubleshooting Remote Access
Part 2 Managing RADIUS and TACACS+
Chapter 3 Configuring RADIUS Attributes
Chapter 4 Configuring RADIUS Dynamic-Request Server
Chapter 5 Configuring RADIUS Relay Server
Chapter 6 RADIUS Attribute Descriptions
Chapter 7 Application Terminate Reasons
Chapter 8 Monitoring RADIUS
Chapter 9 Configuring TACACS+
Chapter 10 Monitoring TACACS+
Part 3 Managing L2TP
Chapter 11 L2TP Overview
Chapter 12 Configuring an L2TP LAC
Chapter 13 Configuring an L2TP LNS
Chapter 14 Configuring L2TP Dial-Out
Chapter 15 L2TP Disconnect Cause Codes
Chapter 16 Monitoring L2TP and L2TP Dial-Out
Part 4 Managing DHCP
Chapter 17 DHCP Overview
Chapter 18 DHCP Local Server Overview
Chapter 19 Configuring DHCP Local Server
Chapter 20 Configuring DHCP Relay
Chapter 21 Configuring the DHCP External Server Application
Chapter 22 Monitoring and Troubleshooting DHCP
Part 5 Managing the Subscriber Environment
Chapter 23 Configuring Subscriber Management
Chapter 24 Monitoring Subscriber Management
Chapter 25 Configuring Subscriber Interfaces
Chapter 26 Monitoring Subscriber Interfaces
Part 6 Managing Subscriber Services
Chapter 27 Configuring Service Manager
Chapter 28 Monitoring Service Manager
Part 7 Index
Index
Table of Contents
About the Documentation
E Series and JUNOSe Documentation and Release Notes
Audience
E Series and JUNOSe Text and Syntax Conventions
Obtaining Documentation
Documentation Feedback
Requesting Technical Support
Self-Help Online Tools and Resources
Opening a Case with JTAC
Part 1 Managing Remote Access
Chapter 1 Configuring Remote Access
Remote Access Overview
B-RAS Data Flow
Configuring IP Addresses for Remote Clients
AAA Overview
Remote Access Platform Considerations
B-RAS Protocol Support
Remote Access References
Before You Configure B-RAS
Remote Access Configuration Tasks
Configuring a B-RAS License
Mapping a User Domain Name to a Virtual Router
Mapping User Requests Without a Valid Domain Name
Mapping User Requests Without a Configured Domain Name
Using DNIS
Redirected Authentication
IP Hinting
Setting Up Domain Name and Realm Name Usage
Using the Realm Name as the Domain Name
Using Delimiters Other Than @
Using Either the Domain or the Realm as the Domain Name
Specifying the Domain Name or Realm Name Parse Direction
Stripping the Domain Name
Domain Name and Realm Name Examples
Specifying a Single Name for Users from a Domain
Configuring RADIUS Authentication and Accounting Servers
Server Access
Server Request Processing Limit
Authentication and Accounting Methods
Supporting Exchange of Extensible Authentication Protocol Messages
Immediate Accounting Updates
Duplicate and Broadcast Accounting
Configuring AAA Duplicate Accounting
Configuring AAA Broadcast Accounting
Overriding AAA Accounting NAS Information
UDP Checksums
Collecting Accounting Statistics
Configuring RADIUS AAA Servers
SNMP Traps and System Log Messages
SNMP Traps
System Log Messages
Configuring SNMP Traps
Configuring Local Authentication Servers
Creating the Local Authentication Environment
Creating Local User Databases
Adding User Entries to Local User Databases
Using the username Command
Using the aaa local username Command
Assigning a Local User Database to a Virtual Router
Enabling Local Authentication on the Virtual Router
Configuration Commands
Local Authentication Example
Configuring Tunnel Subscriber Authentication
Configuring Name Server Addresses
Configuration Tasks
DNS Primary and Secondary NMS Configuration
WINS Primary and Secondary NMS Configuration
Configuring Local Address Servers
Local Address Pool Ranges
Local Address Pool Aliases
Shared Local Address Pools
SNMP Thresholds
Configuring a Local Address Server
Configuring DHCP Features
Creating an IP Interface
Single Clients per ATM Subinterface
Multiple Clients per ATM Subinterface
Configuring AAA Profiles
Allowing or Denying Domain Names
Configuration Example
Using Domain Name Aliases
Manually Setting NAS-Port-Type Attribute
Service-Description Attribute
Using RADIUS Route-Download Server to Distribute Routes
Format of Downloaded Routes
Framed-Route (RADIUS attribute 22)
Cisco-AVPair (Cisco VSA 26-1)
How the Route-Download Server Downloads Routes
Configuring the Route-Download Server to Download Routes
Using the AAA Logical Line Identifier to Track Subscribers
How the Router Obtains and Uses the LLID
RADIUS Attributes in Preauthentication Request
Considerations for Using the LLID
Configuring the Router to Obtain the LLID for a Subscriber
Troubleshooting Subscriber Preauthentication
Using VSAs for Dynamic IP Interfaces
Traffic Shaping for PPP over ATM Interfaces
Mapping Application Terminate Reasons to RADIUS Terminate Codes
Configuration Example
Configuring Timeout
Limiting Active Subscribers
Notifying RADIUS of AAA Failure
Configuring Standard RADIUS IPv6 Attributes for IPv6 Neighbor Discovery Router Advertisements and DHCPv6 Prefix Delegation
Propagation of LAG Subscriber Information to AAA and RADIUS
Configuring the SRC Client
DHCPv6 Local Address Pools for Allocation of IPv6 Prefixes Overview
DHCPv6 Prefix Delegation Example
Order of Preference in Determining the Local Address Pool for Allocating Prefixes
Order of Preference in Allocating Prefixes and Assigning DNS Addresses to Requesting Routers
Configuring the DHCPv6 Local Address Pools
Limitation on the Number of Prefixes Used by Clients
Using DHCPv6 Local Address Pools for Prefix Delegation over non-PPP Links Example
Chapter 2 Monitoring and Troubleshooting Remote Access
Setting Baselines for Remote Access
Setting a Baseline for AAA Statistics
Setting a Baseline for AAA Route Downloads
Setting a Baseline for COPS Statistics
Setting a Baseline for Local Address Pool Statistics
Setting a Baseline for RADIUS Statistics
Setting the Baseline for SRC Statistics
How to Monitor PPP Interfaces
Monitoring AAA Accounting Configuration
Monitoring AAA Accounting Default
Monitoring Accounting Interval
Monitoring Specific Virtual Router Groups
Monitoring the Default AAA Authentication Method List
Monitoring Domain and Realm Name Delimiters
Monitoring Mapping Between User Domains and Virtual Routers
Monitoring Tunnel Subscriber Authentication
Monitoring Routing Table Address Lookup
Monitoring the AAA Model
Monitoring IP Addresses of Primary and Secondary DNS and WINS Name Servers
Monitoring AAA Profile Configuration
Monitoring Statistics about the RADIUS Route-Download Server
Monitoring Routes Downloaded by the RADIUS Route-Download Server
Monitoring Chassis-Wide Routes Downloaded by RADIUS Route-Download Servers
Monitoring Authentication, Authorization, and Accounting Statistics
Monitoring the Number of Active Subscribers Per Port
Monitoring the Maximum Number of Active Subscribers Per Virtual Router
Monitoring Session Timeouts
Monitoring Interim Accounting for Users on the Virtual Router
Monitoring Virtual Router Groups Configured for AAA Broadcast Accounting
Monitoring Configuration Information for AAA Local Authentication
Monitoring AAA Server Attributes
Monitoring the COPS Layer Over SRC Connection
Monitoring Statistics About the COPS Layer
Monitoring Local Address Pool Aliases
Monitoring Local Address Pools
Monitoring Local Address Pool Statistics .....................................................138
Monitoring Shared Local Address Pools .......................................................138
Monitoring the Routing Table ......................................................................139
Monitoring the B-RAS License .....................................................................140
Monitoring the RADIUS Server Algorithm ....................................................140
Monitoring RADIUS Override Settings .........................................................140
Monitoring the RADIUS Rollover Configuration ...........................................141
Monitoring RADIUS Server Information .......................................................141
Monitoring RADIUS Services Statistics .........................................................143
Monitoring RADIUS SNMP Traps .................................................................146
Monitoring RADIUS Accounting for L2TP Tunnels .......................................147
Monitoring RADIUS UDP Checksums ..........................................................147
Monitoring RADIUS Server IP Addresses .....................................................147
Monitoring the RADIUS Attribute Used for IPv6 Neighbor Discovery Router
Advertisements .....................................................................................148
Monitoring the RADIUS Attribute Used for DHCPv6 Prefix Delegation ........148
Monitoring SRC Client Connection Status ....................................................148
Monitoring SRC Client Connection Statistics ................................................150
Monitoring the SRC Client Version Number .................................................152
Monitoring Subscriber Information ..............................................................152
Monitoring Application Terminate Reason Mappings ..................................157
Monitoring IPv6 Local Pools for DHCP Prefix Delegation By All Configured
Pools .....................................................................................................159
Monitoring IPv6 Local Pools for DHCP Prefix Delegation By Pool Name ......160
Monitoring IPv6 Local Pool Statistics for DHCP Prefix Delegation ...............161
Part 2 Managing RADIUS and TACACS+
Chapter 3 Configuring RADIUS Attributes 165
RADIUS Overview .......................................................................................165
RADIUS Services ...................................................................................166
RADIUS Attributes ................................................................................166
RADIUS Platform Considerations ................................................................166
RADIUS References .....................................................................................167
Subscriber AAA Access Messages ................................................................167
Supported RADIUS IETF Attributes .......................................................168
Supported Juniper Networks VSAs ........................................................170
Subscriber AAA Accounting Messages .........................................................175
Supported RADIUS IETF Attributes .......................................................175
Supported Juniper Networks VSAs ........................................................178
Tunnel Accounting Messages ................................................................181
DSL Forum VSAs in AAA Access and Accounting Messages .........................182
CLI AAA Messages .......................................................................................184
CLI Commands Used to Modify RADIUS Attributes .....................................184
RADIUS IETF Attributes ........................................................................185
[4] NAS-IP-Address .........................................................................185
[5] NAS-Port ...................................................................................186
[8] Framed-IP-Address ....................................................................189
[9] Framed-Ip-Netmask ..................................................................189
[13] Framed-Compression ..............................................................190
[25] Class .......................................................................................190
[30] Called-Station-Id ......................................................................191
[31] Calling-Station-Id .....................................................................191
[32] NAS-Identifier .........................................................................196
[41] Acct-Delay-Time ......................................................................198
[44] Acct-Session-Id ........................................................................199
[45] Acct-Authentic .........................................................................200
[49] Acct-Terminate-Cause .............................................................200
[50] Acct-Multi-Session-Id ...............................................................201
[51] Acct-Link-Count .......................................................................201
[52] Acct-Input-Gigawords ..............................................................202
[53] Output-Gigawords ...................................................................202
[55] Event-Timestamp ....................................................................202
[61] NAS-Port-Type ........................................................................203
[64] Tunnel-Type ............................................................................204
[65] Tunnel-Medium-Type ..............................................................205
[66] Tunnel-Client-Endpoint ...........................................................205
[67] Tunnel-Server-Endpoint ..........................................................205
[68] Acct-Tunnel-Connection ..........................................................206
[77] Connect-Info ...........................................................................206
[82] Tunnel-Assignment-Id .............................................................207
[83] Tunnel-Preference ...................................................................208
[87] NAS-Port-Id .............................................................................208
[90] Tunnel-Client-Auth-Id ..............................................................209
[91] Tunnel-Server-Auth-Id .............................................................210
[96] Framed-Interface-Id ................................................................210
[97] Framed-Ipv6-Prefix .................................................................211
[99] Framed-Ipv6-Route .................................................................211
[100] Framed-Ipv6-Pool .................................................................212
[123] Delegated-Ipv6-Prefix ............................................................212
[188] Ascend-Num-In-Multilink .......................................................213
All Tunnel Server Attributes ............................................................213
Juniper Networks Vendor-Specific Attributes .........................................214
[26-1] Virtual-Router .......................................................................214
[26-10] Ingress-Policy-Name ..........................................................214
[26-11] Egress-Policy-Name ............................................................215
[26-14] Service-Category ................................................................216
[26-15] PCR ....................................................................................216
[26-16] SCR ....................................................................................217
[26-17] MBS ...................................................................................217
[26-24] Pppoe-Description ..............................................................217
[26-35] Acct-Input-Gigapackets .......................................................218
[26-36] Acct-Output-Gigapackets ....................................................218
[26-44] Tunnel-Interface-Id .............................................................218
[26-45] Ipv6-Virtual-Router .............................................................219
[26-46] Ipv6-Local-Interface ...........................................................219
[26-47] Ipv6-Primary-DNS ..............................................................220
[26-48] Ipv6-Secondary-DNS ..........................................................220
[26-51] Disconnect-Cause ...............................................................221
[26-53] Service-Description ............................................................221
[26-55] DHCP-Options ....................................................................222
[26-56] DHCP-MAC-Address ...........................................................222
[26-57] DHCP-GI-Address ...............................................................222
[26-62] MLPPP-Bundle-Name .........................................................223
[26-63] Interface-Desc ....................................................................223
[26-81] L2C-Information .................................................................224
[26-92] L2C-Up-Stream-Data ..........................................................224
[26-93] L2C-Down-Stream-Data ......................................................225
[26-129] Ipv6-NdRa-Prefix ..............................................................225
[26-141] Downstream-Calculated-Qos-Rate ....................................226
[26-142] Upstream-Calculated-Qos-Rate .........................................226
[26-143] Max-Clients-Per-Interface .................................................227
[26-150] ICR-Partition-Id ................................................................227
All IPv6 Accounting Attributes ........................................................228
ANCP-Related Juniper Networks VSAs ...................................................229
DSL Forum Vendor-Specific Attributes ..................................................231
Including or Excluding Attributes in RADIUS Messages .........................232
Ignoring Attributes When Receiving Access-Accept Messages ...............233
Chapter 4 Configuring RADIUS Dynamic-Request Server 235
RADIUS Dynamic-Request Server Overview ................................................235
RADIUS Dynamic-Request Server Platform Considerations .........................236
RADIUS Dynamic-Request Server References .............................................236
How RADIUS Dynamic-Request Server Works ............................................237
RADIUS-Initiated Disconnect .......................................................................237
Disconnect Messages ............................................................................237
Message Exchange ......................................................................................237
Supported Error-Cause Codes (RADIUS Attribute 101) ..........................238
Qualifications for Disconnect ................................................................238
Security/Authentication .........................................................................239
Configuring RADIUS-Initiated Disconnect ....................................................239
RADIUS-Initiated Change of Authorization ..................................................239
Change-of-Authorization Messages ........................................................239
Message Exchange ................................................................................240
Supported Error-Cause Codes (RADIUS Attribute 101) ..........................240
Qualifications for Change of Authorization ............................................241
Security/Authentication .........................................................................241
Configuring RADIUS-Initiated Change of Authorization ...............................241
RADIUS Dynamic-Request Server Commands .............................................242
Monitoring RADIUS Dynamic-Request Servers ............................................244
Chapter 5 Configuring RADIUS Relay Server 245
RADIUS Relay Server Overview ...................................................................245
RADIUS Relay Server Platform Considerations ............................................246
RADIUS Relay Server References ................................................................246
How RADIUS Relay Server Works ...............................................................246
Authentication and Addressing .............................................................247
Accounting ............................................................................................247
Terminating the Wireless Subscriber’s Connection ...............................248
RADIUS Relay Server and the SRC Software ................................................248
Using the SRC Software for Addressing .................................................248
Using the SRC Application for Accounting .............................................248
Configuring RADIUS Relay Server Support ..................................................249
Monitoring RADIUS Relay Server .................................................................251
Chapter 6 RADIUS Attribute Descriptions 253
RADIUS IETF Attributes ...............................................................................253
Juniper Networks VSAs ................................................................................259
DSL Forum VSAs .........................................................................................270
Pass Through RADIUS Attributes .................................................................271
RADIUS Attributes References .....................................................................272
Chapter 7 Application Terminate Reasons 273
AAA Terminate Reasons ..............................................................................273
L2TP Terminate Reasons .............................................................................274
PPP Terminate Reasons ..............................................................................289
RADIUS Client Terminate Reasons ..............................................................295
Chapter 8 Monitoring RADIUS 297
Monitoring Override Settings of RADIUS IETF Attributes .............................297
Monitoring the NAS-Port-Format RADIUS Attribute .....................................298
Monitoring the Calling-Station-Id RADIUS Attribute .....................................299
Monitoring the NAS-Identifier RADIUS Attribute ..........................................299
Monitoring the Format of the Remote-Circuit-ID for RADIUS .......................300
Monitoring the Delimiter Character in the Remote-Circuit-ID for RADIUS ....300
Monitoring the Acct-Session-Id RADIUS Attribute ........................................300
Monitoring the DSL-Port-Type RADIUS Attribute .........................................301
Monitoring the Connect-Info RADIUS Attribute ...........................................301
Monitoring the NAS-Port-ID RADIUS Attribute .............................................301
Monitoring Included RADIUS Attributes ......................................................302
Monitoring Ignored RADIUS Attributes ........................................................304
Setting the Baseline for RADIUS Dynamic-Request Server Statistics ............304
Monitoring RADIUS Dynamic-Request Server Statistics ...............................305
Monitoring the Configuration of the RADIUS Dynamic-Request Server ........306
Setting a Baseline for RADIUS Relay Statistics .............................................307
Monitoring RADIUS Relay Server Statistics ..................................................307
Monitoring the Configuration of the RADIUS Relay Server ..........................309
Monitoring the Status of RADIUS Relay UDP Checksums ............................310
Monitoring the Status of ICR Partition Accounting .......................................310
Chapter 9 Configuring TACACS+ 311
TACACS+ Overview ...................................................................................311
AAA Overview ......................................................................................312
Administrative Login Authentication .....................................................312
Privilege Authentication ........................................................................313
Login Authorization ..............................................................................313
Accounting ............................................................................................313
TACACS+ Platform Considerations .............................................................315
TACACS+ References .................................................................................315
Before You Configure TACACS+ .................................................................316
Configuring TACACS+ Support ...................................................................316
Configuring Authentication ...................................................................316
Configuring Accounting ........................................................................317
Chapter 10 Monitoring TACACS+ 323
Setting Baseline TACACS+ Statistics ...........................................................323
Monitoring TACACS+ Statistics ...................................................................323
Monitoring TACACS+ Information ..............................................................325
Part 3 Managing L2TP
Chapter 11 L2TP Overview 329
L2TP Overview ............................................................................................329
L2TP Terminology .......................................................................................330
Implementing L2TP .....................................................................................331
Sequence of Events on the LAC ............................................................331
Sequence of Events on the LNS .............................................................332
Packet Fragmentation .................................................................................333
L2TP Platform Considerations .....................................................................334
L2TP Module Requirements ........................................................................334
ERX7xx Models, ERX14xx Models, and the ERX310 Router .................334
E120 Router and E320 Router ..............................................................335
Sessions and Tunnels Supported .................................................................335
L2TP References .........................................................................................336
Chapter 12 Configuring an L2TP LAC 337
LAC Configuration Prerequisites ..................................................................337
Modifying L2TP LAC Default Settings for Managing Destinations, Tunnels,
and Sessions .........................................................................................338
Generating UDP Checksums in Packets to L2TP Peers .................................339
Specifying a Destruct Timeout for L2TP Tunnels and Sessions ....................339
Preventing Creation of New Destinations, Tunnels, and Sessions ................340
Preventing Creation of New Destinations, Tunnels, and Sessions on the
Router ............................................................................................340
Preventing Creation of New Tunnels and Sessions at a Destination ......341
Preventing Creation of New Sessions for a Tunnel ................................341
Specifying a Drain Timeout for a Disconnected Tunnel .........................341
Shutting Down Destinations, Tunnels, and Sessions ....................................342
Closing Existing and Preventing New Destinations, Tunnels, and Sessions
on the Router .................................................................................342
Closing Existing and Preventing New Tunnels and Sessions for a
Destination .....................................................................................342
Closing Existing and Preventing New Sessions in a Specific Tunnel ......342
Closing a Specific Session .....................................................................343
Specifying the Number of Retransmission Attempts ....................................343
Configuring Calling Number AVP Formats ...................................................343
Calling Number AVP 22 Configuration Tasks ........................................347
Configuring the Fallback Format ...........................................................348
Disabling the Calling Number AVP ........................................................351
Mapping a User Domain Name to an L2TP Tunnel Overview ......................352
Mapping User Domain Names to L2TP Tunnels from Domain Map Tunnel
Mode ....................................................................................................353
Mapping User Domain Names to L2TP Tunnels from Tunnel Group Tunnel
Mode ....................................................................................................357
Configuring the RX Speed on the LAC .........................................................359
Managing the L2TP Destination Lockout Process .........................................360
Modifying the Lockout Procedure .........................................................360
Verifying That a Locked-Out Destination Is Available ............................362
Configuring a Lockout Timeout .............................................................362
Unlocking a Destination that is Currently Locked Out ...........................362
Starting an Immediate Lockout Test .....................................................363
Managing Address Changes Received from Remote Endpoints ...................363
Configuring LAC Tunnel Selection Parameters .............................................364
Configuring the Failover Between Preference Levels Method ................364
Configuring the Failover Within a Preference Level Method ..................365
Configuring the Maximum Sessions per Tunnel ....................................366
Configuring the Weighted Load Balancing Method ................................366
Chapter 13 Configuring an L2TP LNS 369
LNS Configuration Prerequisites ..................................................................369
Configuring an LNS .....................................................................................370
Creating an L2TP Destination Profile ...........................................................372
Creating an L2TP Host Profile ......................................................................373
Configuring the Maximum Number of LNS Sessions ...................................374
Configuring the RADIUS Connect-Info Attribute on the LNS ........................374
Overriding LNS Out-of-Resource Result Codes 4 and 5 ................................375
Overriding the Result Codes .................................................................375
Displaying the Current Override Setting ................................................376
Selecting Tunnel-Service Modules for LNS Sessions Using MLPPP ...............376
Assigning Bundled Group Identifiers .....................................................377
Overriding All Endpoint Discriminators ................................................378
Enabling Tunnel Switching ..........................................................................378
Creating Persistent Tunnels .........................................................................379
Testing Tunnel Configuration ......................................................................379
Managing L2TP Destinations, Tunnels, and Sessions ...................................379
Configuring Disconnect Cause Information .................................................380
Generating the Disconnect Cause AVP Globally .....................................380
Generating the Disconnect Cause AVP with a Host Profile ....................381
Enabling RADIUS Accounting for Disconnect Cause ..............................381
Displaying Disconnect Cause Statistics .................................................381
Configuring the Receive Window Size .........................................................382
Configuring the Default Receive Window Size ......................................382
Configuring the Receive Window Size on the LAC ................................383
Configuring the Receive Window Size on the LNS .................................384
Configuring Peer Resynchronization ...........................................................385
Configuring Peer Resynchronization for L2TP Host Profiles and AAA
Domain Map Tunnels .....................................................................386
Configuring the Global L2TP Peer Resynchronization Method ...............387
Using RADIUS to Configure Peer Resynchronization .............................388
Configuring L2TP Tunnel Switch Profiles .....................................................388
Applying the L2TP Tunnel Switch Profile ..............................................388
Configuration Guidelines .......................................................................389
Configuring L2TP AVPs for Relay ..........................................................389
Configuration Tasks ..............................................................................390
Enabling Tunnel Switching on the Router .......................................390
Configuring L2TP Tunnel Switch Profiles ........................................390
Applying L2TP Tunnel Switch Profiles by Using AAA Domain
Maps ........................................................................................391
Applying L2TP Tunnel Switch Profiles by Using AAA Tunnel
Groups .....................................................................................392
Applying Default L2TP Tunnel Switch Profiles ................................393
Applying L2TP Tunnel Switch Profiles by Using RADIUS ................393
Configuring the Transmit Connect Speed Calculation Method .....................394
Transmit Connect Speed Calculation Methods ......................................395
Static Layer 2 .................................................................................395
Dynamic Layer 2 ............................................................................396
QoS ................................................................................................396
Actual .............................................................................................396
Transmit Connect Speed Calculation Examples ....................................396
Example 1: L2TP Session over ATM 1483 Interface ........................396
Example 2: L2TP Session over Ethernet VLAN Interface .................397
Transmit Connect Speed Reporting Considerations ..............................398
Session Termination for Dynamic Speed Timeout ..........................398
Advisory Speed Precedence for VLANs over Bridged Ethernet ........398
Using AAA Domain Maps to Configure the Transmit Connect Speed
Calculation Method .........................................................................398
Using AAA Tunnel Groups to Configure the Transmit Connect Speed
Calculation Method .........................................................................399
Using AAA Default Tunnel Parameters to Configure the Transmit Connect
Speed Calculation Method ..............................................................400
Using RADIUS to Configure the Transmit Connect Speed Calculation
Method ...........................................................................................401
PPP Accounting Statistics ............................................................................402
Chapter 14 Configuring L2TP Dial-Out 405
L2TP Dial-Out Overview ..............................................................................405
Terms ...................................................................................................406
Network Model for Dial-Out ..................................................................406
Dial-Out Process ...................................................................................407
Dial-Out Operational States ...................................................................407
Chassis ...........................................................................................407
Virtual Router .................................................................................408
Targets ...........................................................................................408
Sessions .........................................................................................409
Outgoing Call Setup Details ...................................................................410
Access-Request Message ................................................................410
Access-Accept Message ..................................................................411
Outgoing Call ..................................................................................411
Mutual Authentication ....................................................................412
Route Installation ...........................................................................412
L2TP Dial-Out Platform Considerations .......................................................412
L2TP Dial-Out References ............................................................................412
Before You Configure L2TP Dial-Out ...........................................................413
Configuring L2TP Dial-Out ...........................................................................413
Monitoring L2TP Dial-Out ............................................................................415
Chapter 15 L2TP Disconnect Cause Codes 417
L2TP Disconnect Cause Codes .....................................................................417
Chapter 16 Monitoring L2TP and L2TP Dial-Out 421
Monitoring the Mapping for User Domains and Virtual Routers with AAA ....422
Monitoring Configured Tunnel Groups with AAA .........................................424
Monitoring Configuration of Tunnel Parameters with AAA ..........................426
Monitoring Global Configuration Status on E Series Routers ........................427
Monitoring Detailed Configuration Information for Specified
Destinations ..........................................................................................429
Monitoring Locked Out Destinations ...........................................................431
Monitoring Configured Destination Profiles or Host Profiles ........................431
Monitoring Configured and Operational Status of all Destinations ...............434
Monitoring Statistics on the Cause of a Session Disconnection ....................435
Monitoring Detailed Configuration Information about Specified Sessions ....436
Monitoring Configured and Operational Summary Status ............................437
Monitoring Configured Switch Profiles on Router ........................................438
Monitoring Detailed Configuration Information about Specified Tunnels .....439
Monitoring Configured and Operational Status of All Tunnels .....................442
Monitoring Chassis-wide Configuration for L2TP Dial-out ............................442
Monitoring Status of Dial-out Sessions .........................................................447
Monitoring Dial-out Targets within the Current VR Context .........................448
Monitoring Operational Status within the Current VR Context .....................450
Part 4 Managing DHCP
Chapter 17 DHCP Overview 455
DHCP Overview Information .......................................................................455
Session and Resource Control Software ................................................456
DHCP Platform Considerations ....................................................................456
DHCP References ........................................................................................457
Configuring the DHCP Access Model ...........................................................457
Configuring DHCP Proxy Clients .................................................................458
Logging DHCP Packet Information ..............................................................459
Viewing and Deleting DHCP Client Bindings ................................................460
Chapter 18 DHCP Local Server Overview 463
Embedded DHCP Local Server Overview ....................................................463
DHCP Local Server and Client Configuration .........................................463
Equal-Access Mode Overview ......................................................................464
Local Pool Selection and Address Allocation .........................................464
The Connection Process ........................................................................465
Standalone Mode Overview .........................................................................466
Local Pool Selection and Address Allocation .........................................466
Server Management Table ....................................................................468
DHCP Local Server Prerequisites .................................................................468
DHCP Local Server Configuration Tasks ......................................................469
Chapter 19 Configuring DHCP Local Server 471
Configuring the DHCP Local Server .............................................................471
Basic Configuration of DHCP Local Server ............................................471
Limiting the Number of IP Addresses Supplied by DHCP Local
Server .............................................................................................473
Excluding IP Addresses from Address Pools .........................................473
Configuring DHCP Local Server to Support Creation of Dynamic
Subscriber Interfaces ......................................................................474
Differentiating Between Clients with the Same Client ID or Hardware
Address ..........................................................................................474
Logging Out DHCP Local Server Subscribers .........................................475
Clearing an IP DHCP Local Server Binding ............................................476
Using SNMP Traps to Monitor DHCP Local Server Events .....................476
Using DHCP Local Server Event Logs ....................................................477
Configuring DHCP Local Address Pools .......................................................478
Basic Configuration of DHCP Local Address Pools .................................478
Linking Local Address Pools ..................................................................480
Setting Grace Periods for Address Leases ..............................................480
Configuring AAA Authentication for DHCP Local Server Standalone
Mode ....................................................................................................481
Configuring the DHCPv6 Local Server .........................................................483
Deleting DHCPv6 Client Bindings ................................................................485
Configuring the Router to Work with the SRC Software ...............................486
Chapter 20 Configuring DHCP Relay 489
Configuring DHCP Relay and BOOTP Relay ................................................489
Enabling DHCP Relay ............................................................................490
Removing Access Routes from Routing Tables and NVS .......................490
Treating All Packets as Originating at Trusted Sources ..........................491
Assigning the Giaddr to Source IP Address ............................................491
Protecting Against Spoofed Giaddr and Relay Agent Option Values ......491
Using the Broadcast Flag Setting to Control Transmission of DHCP Reply
Packets ...........................................................................................492
Interaction with Layer 2 Unicast Transmission Method ..................493
Preventing DHCP Relay from Installing Host Routes by Default ............494
Configuration Example—Preventing Installation of Host Routes .....494
Including Relay Agent Option Values in the PPPoE Remote Circuit
ID ...................................................................................................495
Using the Giaddr to Identify the Primary Interface for Dynamic Subscriber
Interfaces .......................................................................................496
Configuring Layer 2 Unicast Transmission Method for Reply Packets to
DHCP Clients ..................................................................................496
Using Option 60 Strings to Forward Client Traffic to Specific DHCP
Servers ...........................................................................................497
Configuration Example—Using DHCP Relay Option 60 to Specify
Traffic Forwarding ...................................................................499
Relaying DHCP Packets That Originate from a Cable Modem ...............500
Configuring Relay Agent Option 82 Information ...................................500
Preventing Option 82 Information from Being Stripped from Trusted
Client Packets .................................................................................501
Configuring Relay Agent Information Option (Option 82) Suboption
Values ............................................................................................501
Format of the JUNOSe Data Field in the Vendor-Specific Suboption
for Option 82 ...........................................................................503
Using the set dhcp relay agent sub-option Command to Enable
Option 82 Suboption Support ..................................................505
Configuration Example—Using DHCP Relay Option 82 to Pass IEEE
802.1p Values to DHCP Servers ...............................................507
Using the set dhcp relay agent Command to Enable Option 82
Suboption Support ...................................................................510
Configuring DHCP Relay Proxy ...................................................................512
Enabling DHCP Relay Proxy .................................................................513
Use the First Offer from a DHCP Server ................................................513
Set a Timeout for DHCP Client Renewal Messages ................................513
Managing Host Routes ..........................................................................513
Selecting the DHCP Server Response ..............................................514
Behavior for Bound Clients and Address Renewals .........................514
Chapter 21 Configuring the DHCP External Server Application 517
DHCP External Server Overview .................................................................517
Preservation of Dynamic Subscriber Interfaces with DHCP External Server
Overview ..............................................................................................519
DHCP External Server Identification of Clients with Duplicate MAC Addresses
Overview ..............................................................................................520
Configuration Guidelines for Using Duplicate MAC Mode ......................521
Restrictions for Using Duplicate MAC Mode to Manage Clients .............521
DHCP External Server Configuration Requirements ....................................522
Enabling and Disabling the DHCP External Server Application ....................522
Monitoring DHCP Traffic Between Remote Clients and DHCP Servers ........523
Synchronizing the DHCP External Application and the Router ....................523
Configuring Interoperation with Ethernet DSLAMs ......................................523
Configuring the DHCP External Server to Support the Creation of Dynamic
Subscriber Interfaces ............................................................................524
Configuring DHCP External Server to Control Preservation of Dynamic
Subscriber Interfaces ............................................................................526
Configuring Dynamic Subscriber Interfaces for Interoperation with DHCP
Relay and DHCP Relay Proxy ................................................................527
Deleting Clients from a Virtual Router’s DHCP Binding Table ......................528
Configuring DHCP External Server to Uniquely Identify Clients with Duplicate
MAC Addresses .....................................................................................530
Configuring DHCP External Server to Re-Authenticate Auto-Detected Dynamic
Subscriber Interfaces ............................................................................531
Chapter 22 Monitoring and Troubleshooting DHCP 533
Setting Baselines for DHCP Statistics ...........................................................534
Setting a Baseline for DHCP Relay and Relay Proxy ..............................534
Setting a Baseline for DHCP Proxy Server Statistics ..............................534
Setting a Baseline for DHCP External Server Statistics ..........................535
Setting a Baseline for DHCP Local Server Statistics ...............................535
Monitoring Addresses Excluded from DHCP Local Server Use .....................535
Monitoring DHCP Bindings ..........................................................................536
Monitoring DHCP Binding Information ........................................................537
Monitoring DHCP Binding Count Information .............................................540
Monitoring DHCP Binding Host Information ................................................542
Monitoring DHCP Bindings (Displaying IP Address-to-MAC Address
Bindings) ...............................................................................................544
Monitoring DHCP Bindings (Displaying DHCP Bindings Based on Binding
ID) ........................................................................................................545
Monitoring DHCP Bindings (Local Server Binding Information) ...................546
Monitoring DHCP External Server Configuration Information .....................547
Monitoring DHCP External Server Statistics .................................................548
Monitoring DHCP External Server Duplicate MAC Address Setting ..............549
Monitoring DHCP Local Address Pools ........................................................550
Monitoring DHCP Local Server Authentication Information .........................552
Monitoring DHCP Local Server Configuration ..............................................553
Monitoring DHCP Local Server Leases .........................................................554
Monitoring DHCP Local Server Statistics ......................................................555
Monitoring DHCP Option 60 Information ....................................................558
Monitoring DHCP Packet Capture Settings ..................................................559
Monitoring DHCP Relay Configuration Information .....................................560
Monitoring DHCP Relay Proxy Statistics ......................................................561
Monitoring DHCP Relay Statistics ................................................................563
Monitoring DHCP Server and DHCP Relay Agent Statistics ..........................565
Monitoring DHCP Server and Proxy Client Information ...............................566
Monitoring DHCPv6 Local Server Binding Information ................................567
Monitoring DHCPv6 Local Server DNS Search Lists .....................................568
Monitoring DHCPv6 Local Server DNS Servers ............................................569
Monitoring DHCPv6 Local Server Prefix Lifetime ........................................569
Monitoring DHCPv6 Local Server Statistics ..................................................570
Monitoring Duplicate MAC Addresses Use By DHCP Local Server Clients ....571
Monitoring the Maximum Number of Available Leases ...............................572
Monitoring Static IP Address and MAC Address Pairs Supplied by DHCP Local
Server ...................................................................................................573
Monitoring Status of DHCP Applications ......................................................574
Part 5 Managing the Subscriber Environment
Chapter 23 Configuring Subscriber Management 577
Subscriber Management Overview ..............................................................577
Subscriber Management Platform Considerations .......................................578
Subscriber Management Attributes ..............................................................578
Dynamic IP Subscriber Interfaces .........................................................578
Subscriber Management Procedure .............................................................579
Configuring Subscriber Management with an External DHCP Server ....580
Subscriber Management Commands ...........................................................581
Subscriber Management Configuration Examples .......................................589
Username with ATM Circuit Identifier and No Circuit Type ...................589
Username with VLAN Circuit Identifier and Circuit Type .......................590
Username with MAC Address ...............................................................590
Chapter 24 Monitoring Subscriber Management 593
Monitoring IP Service Profiles ......................................................................593
Monitoring Active IP Subscribers Created by Subscriber Management ........594
Chapter 25 Configuring Subscriber Interfaces 597
Subscriber Interfaces Overview ...................................................................597
Dynamic Interfaces and Dynamic Subscriber Interfaces .......................598
Relationship to Shared IP Interfaces .....................................................599
Relationship to Primary IP Interfaces ....................................................600
Ethernet Interfaces and VLANs .............................................................600
Moving Interfaces .................................................................................601
Preventing IP Spoofing .........................................................................601
Routing Protocols ..................................................................................601
Policies and QoS ...................................................................................601
Applications ..........................................................................................601
Directing Traffic Toward Special Local Content ..............................602
Differentiating Traffic for VPNs ......................................................603
Subscriber Interfaces Platform Considerations ............................................603
Interface Specifiers ...............................................................................604
Subscriber Interfaces References .................................................................604
Dynamic Creation of Subscriber Interfaces ..................................................604
DHCP Servers .......................................................................................605
DHCP Local Server and Address Allocation ....................................605
DHCP External Server and Address Allocation ................................605
DHCP Relay Configuration .............................................................606
Supported Configurations ...............................................................606
Packet Detection ...................................................................................606
Designating Traffic for the Primary IP Interface ....................................607
Using Framed Routes ............................................................................607
Inheritance of MAC Address Validation State for Dynamic Subscriber
Interfaces .......................................................................................607
How MAC Address Validation State Inheritance Works ..................608
Configuration of MAC Address Validation State Inheritance ...........608
Verification of MAC Address Validation State Inheritance ...............609
Configuring Static Subscriber Interfaces ......................................................609
Using a Destination Address to Demultiplex Traffic ..............................610
Using a Source Address to Demultiplex Traffic .....................................611
Configuring Dynamic Subscriber Interfaces .................................................616
Configuring Dynamic Subscriber Interfaces over Ethernet ....................616
Configuring Dynamic Subscriber Interfaces over VLANs .......................617
Configuring Dynamic Subscriber Interfaces over Bridged Ethernet .......618
Configuring Dynamic Subscriber Interfaces over GRE Tunnels .............619
Dynamic Subscriber Interface Configuration Example ..........................620
Chapter 26 Monitoring Subscriber Interfaces 629
Monitoring Subscriber Interfaces Overview .................................................629
Monitoring Subscriber Interfaces .................................................................629
Monitoring Active IP Subscribers Created by Subscriber Management ........630
Part 6 Managing Subscriber Services
Chapter 27 Configuring Service Manager 635
Service Manager Overview ..........................................................................635
Service Manager Terms and Acronyms .................................................636
Service Manager Platform Considerations ...................................................637
Service Manager References ........................................................................637
Service Manager Configuration Tasks ..........................................................637
Service Definitions ......................................................................................639
Creating Service Definitions ..................................................................640
Managing Your Service Definitions .......................................................643
Referencing Policies in Service Definitions ..................................................644
Referencing QoS Configurations in Service Definitions ................................645
Specifying QoS Profiles in a Service Definition .....................................645
Configuring a QoS Profile for Service Manager ...............................645
Specifying QoS Profiles in a Service Definition ...............................646
Specifying QoS Parameter Instances in a Service Definition .................646
Creating a Parameter Instance in a Profile .....................................646
Specifying QoS Parameter Instances in a Service Definition ...........647
Modifying QoS Configurations with Service Manager ............................648
Modifying Parameter Instances ......................................................648
Modifying QoS Configurations in a Single Service Manager
Event .......................................................................................650
Modifying QoS Configurations Using Other Sources .......................650
Removing QoS Configurations Referenced by Service Manager ............652
QoS for Service Manager Considerations ..............................................652
RADIUS or Service Manager ...........................................................653
Interoperability with Other Service Components ............................653
QoS Statistics .................................................................................653
Ranges ...........................................................................................653
Configuring the Service Manager License ....................................................653
Managing and Activating Service Sessions ...................................................654
Using RADIUS to Manage Subscriber Service Sessions ................................654
Using RADIUS to Activate Subscriber Service Sessions ..........................655
Service Manager RADIUS Attributes ......................................................656
Using Tags with RADIUS Attributes ................................................658
Using RADIUS to Deactivate Service Sessions .......................................659
Setting Thresholds ..........................................................................659
Using the Deactivate-Service Attribute ............................................660
Using Mutex Groups to Activate and Deactivate Subscriber Services ...........661
Activating and Deactivating Multiple Services .......................................661
Configuring a Mutex Service .................................................................662
Combined and Independent IPv4 and IPv6 Services in a Dual Stack
Overview ..............................................................................................663
Activation and Deactivation of IPv4 and IPv6 Services in a Dual Stack ........664
Independent IPv4 and IPv6 Services in a Dual Stack .............................664
Combined IPv4 and IPv6 Service in a Dual Stack ..................................665
Performance Impact on the Router and Compatibility with Previous
Releases for an IPv4 and IPv6 Dual Stack .......................................665
Configuring RADIUS Accounting for Service Manager .................................666
Configuring Service Interim Accounting ................................................667
Service Interim Accounting for IPv4 and IPv6 Services in a Dual Stack
Overview ........................................................................................670
Using the CLI to Manage Subscriber Service Sessions ..................................671
Using the CLI to Activate Subscriber Service Sessions ...........................671
Preprovisioning Services .......................................................................674
Using Service Session Profiles ...............................................................674
Using the CLI to Deactivate Subscriber Service Sessions .......................677
Gracefully Deactivating Subscriber Service Sessions .......................678
Forcing Immediate Deactivation of Subscriber Service Sessions .....678
Using Service Session Profiles to Deactivate Service Sessions .........679
Configuring Service Manager Statistics ........................................................680
Setting Up the Service Definition File for Statistics Collection ...............680
Enabling Statistics Collection with RADIUS ...........................................681
Enabling Statistics Collection with the CLI .............................................682
External Parent Group Statistics Collection Setup ..................................683
Service Manager Performance Considerations .............................................684
Service Definition Examples ........................................................................684
Tiered Service Example ........................................................................684
Video-on-Demand Service Definition Example .....................................685
Voice-over-IP Service Definition Example .............................................686
Guided Entrance Service Example ........................................................687
Guided Entrance Service Definition Example .................................688
Using CoA Messages with Guided Entrance Services ......................689
Configuring the HTTP Local Server to Support Guided Entrance .....690
Combined IPv4 and IPv6 Service in a Dual Stack Example ...................696
Chapter 28 Monitoring Service Manager 701
Setting a Baseline for HTTP Local Server Statistics ......................................701
Monitoring the Connections to the HTTP Local Server .................................702
Monitoring the Configuration of the HTTP Local Server ...............................702
Monitoring Statistics for Connections to the HTTP Local Server ...................703
Monitoring Profiles for the HTTP Local Server .............................................704
Monitoring the Default Interval for Interim Accounting of Services .............705
Monitoring the Status of the Service Manager License .................................706
Monitoring Profiles for Service Manager ......................................................706
Monitoring IPv4 and IPv6 Interfaces for Service Manager ...........................707
Monitoring Service Definitions ....................................................................717
Monitoring Service Session Profiles .............................................................718
Monitoring Active Owner Sessions with Service Manager ............................719
Monitoring Active Subscriber Sessions with Service Manager ......................721
Monitoring the Number of Active Subscriber and Service Sessions with
Service Manager ...................................................................................724
Part 7 Index
Index ...........................................................................................................729
List of Figures
Part 1 Managing Remote Access
Chapter 1 Configuring Remote Access 3
Figure 1: Local Address Pool Hierarchy .........................................................54
Figure 2: Shared Local Address Pools ............................................................55
Figure 3: Single PPP Clients per ATM Subinterface ........................................61
Figure 4: Multiple PPP Clients per ATM Subinterface .....................................62
Part 2 Managing RADIUS and TACACS+
Chapter 4 Configuring RADIUS Dynamic-Request Server 235
Figure 5: Sample Remote Access Network Using RADIUS ...........................236
Chapter 5 Configuring RADIUS Relay Server 245
Figure 6: RADIUS Relay Server ....................................................................246
Part 3 Managing L2TP
Chapter 11 L2TP Overview 329
Figure 7: Using the E Series Router as an LAC .............................................330
Figure 8: Using the E Series Router as an LNS .............................................330
Chapter 12 Configuring an L2TP LAC 337
Figure 9: Lockout States ..............................................................................361
Chapter 14 Configuring L2TP Dial-Out 405
Figure 10: Network Model for Dial-Out ........................................................406
Part 4 Managing DHCP
Chapter 18 DHCP Local Server Overview 463
Figure 11: Non-PPP Equal Access via the Router .........................................466
Chapter 19 Configuring DHCP Local Server 471
Figure 12: Non-PPP Equal-Access Configuration Example ...........................486
Chapter 20 Configuring DHCP Relay 489
Figure 13: Passing 802.1p Values to the DHCP Server .................................508
Chapter 21 Configuring the DHCP External Server Application 517
Figure 14: DHCP External Server .................................................................518
Part 5 Managing the Subscriber Environment
Chapter 23 Configuring Subscriber Management 577
Figure 15: DHCP External Server
Chapter 25 Configuring Subscriber Interfaces
Figure 16: Example of a Dynamic Interface Stack
Figure 17: Example of a Dynamic Subscriber Interface
Figure 18: Subscriber Interfaces over Ethernet
Figure 19: Subscriber Interfaces in a Cable Modem Network
Figure 20: Associating Subnets with a VPN Using Subscriber Interfaces
Figure 21: IP over Ethernet Dynamic Subscriber Interface Configuration
Figure 22: Subscriber Interfaces Using a Destination Address to Demultiplex Traffic
Figure 23: Subscriber Interfaces Using a Source Address to Demultiplex Traffic
Figure 24: IP over Ethernet Dynamic Subscriber Interface Configuration
Figure 25: IP over VLAN over Ethernet Dynamic Subscriber Interface Configuration
Figure 26: IP over Bridged Ethernet over ATM Dynamic Subscriber Interface Configuration
Figure 27: GRE Tunnel Dynamic Subscriber Interface Configuration
Part 6 Managing Subscriber Services
Chapter 27 Configuring Service Manager
Figure 28: Service Manager Configuration Flowchart
Figure 29: Sample Service Definition Macro File
Figure 30: QoS Configuration Dependency Chain
Figure 31: Comparing RADIUS Login and RADIUS CoA Methods
Figure 32: Guided Entrance
Figure 33: Input Traffic Flow with Rate-Limit Profile on an External Parent Group for a Combined IPv4/IPv6 Service
Figure 34: Output Traffic Flow with Rate-Limit Profile on an External Parent Group for a Combined IPv4/IPv6 Service