[j-nsp] Non-dhcp users with subscriber management
Baldur Norddahl
baldur at gigabit.dk
Thu Jul 4 13:10:22 EDT 2019
Hello

I am new to Juniper MX. I successfully managed to configure customer
vlans with dynamic profiles for dhcp users. I attached the important
parts of the configuration at the end of this message.

In the real network we are using q-in-q double tagged vlans, but to make
things simple I am working with single tagged vlans for my lab. We have
customer vlans, that is, each customer has a unique vlan combination.

My configuration will first cause a radius server to be queried for the
validity of the vlan. Then the DHCP server is queried and finally the
subscriber is active. This is working now.

The problem is that I want customers to be able to configure without
using DHCP. Each customer has a static IP configuration. When using DHCP
the customer will always get the same IP address. We then tell the user
that he can optionally use DHCP. Or he can use a static configuration if
he likes that better.

This is an existing ISP network working as described. We are working to
replace the old BRAS with Juniper MX204. So it would be nice if we can
keep it working like it is today.

I am a bit stuck on where to go from here. Most of the examples I find
are all assuming DHCP. I am thinking that it should be possible to
supply the customer IP address via Radius instead of DHCP.

If needed, I could find out which users are using static configuration
without DHCP and then have Radius return something different for those
users.

Does anyone have some advice for me?

Regards,

Baldur

The working DHCP configuration:

system {
    services {
        subscriber-management {
            maintain-subscriber {
                interface-delete;
            }
            enable;
        }
    }
    dynamic-profile-options {
        versioning;
    }
}
chassis {
    network-services enhanced-ip;
}
access-profile rad;
interfaces {
    et-0/0/0 {
        flexible-vlan-tagging;
        auto-configure {
            vlan-ranges {
                dynamic-profile DYNINTF-1VLANS-DHCP-INET {
                    accept any;
                    ranges {
                        any;
                    }
                }
                authentication {
                    password 12345678;
                    username-include {
                        user-prefix vlan;
                        vlan-tags;
                    }
                }
                access-profile rad;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 1.2.3.4/32;
            }
        }
    }
}
forwarding-options {
    dhcp-relay {
        server-group {
            dhcp-group-1 {
                1.2.3.5;
            }
        }
        active-server-group dhcp-group-1;
        group dhcp-group-1 {
            relay-option-82;
            interface et-0/0/0.0;
        }
    }
}
access {
    radius-server {
        1.2.3.6 {
            secret "xxx"; ## SECRET-DATA
            source-address 1.2.3.4;
        }
    }
    profile rad {
        accounting-order radius;
        authentication-order radius;
        radius {
            authentication-server 1.2.3.6;
            accounting-server 1.2.3.6;
            options {
                revert-interval 0;
            }
        }
        accounting {
            order radius;
            immediate-update;
            update-interval 15;
        }
    }
}
dynamic-profiles {
    DYNINTF-1VLANS-DHCP-INET {
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    proxy-arp restricted;
                    vlan-id "$junos-vlan-id";
                    family inet {
                        unnumbered-address lo0.0;
                    }
                }
            }
        }
    }
}