[j-nsp] Non-dhcp users with subscriber management
Matt Peterson
matt at peterson.org
Mon Jul 8 20:02:34 EDT 2019
Either configure the DHCP server to match the option 82 VLAN tags (and
serve up a lease for the "static" IP space), or configure specific VLAN tag
combos under the interface (in your case et-0/0/0). For example:

et-0/0/0 {
    flexible-vlan-tagging;
    /* dynamic (DHCP) subscribers on any outer/inner tag pair */
    auto-configure {
        stacked-vlan-ranges {
            dynamic-profile l2-profile {
                accept [ dhcp-v4 dhcp-v6 ];
                ranges {
                    any,any;
                }
            }
            access-profile access-profile-1;
        }
        remove-when-no-subscribers;
    }
    /* static (non-DHCP) customer on a specific tag combination */
    unit 10 {
        vlan-tags outer 2002 inner 200;
        family inet {
            address 192.168.200.1/30;
        }
    }
}

On Thu, Jul 4, 2019 at 10:10 AM Baldur Norddahl <baldur at gigabit.dk> wrote:
> Hello
>
> I am new to Juniper MX. I successfully managed to configure customer
> vlan with dynamic profiles for dhcp users. I attached the important
> parts of the configuration at the end of this message.
>
> In the real network we are using q-in-q double tagged vlans, but to make
> things simple I am working with single tagged vlans for my lab. We have
> customer vlans, meaning each customer has a unique vlan combination.
>
> My configuration will first cause a radius server to be queried for the
> validity of the vlan. Then the DHCP server is queried and finally the
> subscriber is active. This is working now.
>
> The problem is that I want customers to be able to configure without
> using DHCP. Each customer has a static IP configuration. When using DHCP
> the customer will always get the same IP address. We then tell the user
> that he can optionally use DHCP. Or he can use a static configuration if
> he likes that better.
>
> This is an existing ISP network working as described. We are working to
> replace the old BRAS with Juniper MX204. So it would be nice if we can
> keep it working like it is today.
>
> I am a bit stuck on where to go from here. Most of the examples I find
> are all assuming DHCP. I am thinking that it should be possible to
> supply the customer IP address via Radius instead of DHCP.
>
> If needed, I could find out which users are using static configuration
> without DHCP and then have Radius return something different for those
> users.
>
> Anyone have some advice for me?
>
> Regards,
>
> Baldur
>
> The working DHCP configuration:
>
> system {
>     services {
>         subscriber-management {
>             maintain-subscriber {
>                 interface-delete;
>             }
>             enable;
>         }
>     }
>     dynamic-profile-options {
>         versioning;
>     }
> }
> chassis {
>     network-services enhanced-ip;
> }
> access-profile rad;
> interfaces {
>     et-0/0/0 {
>         flexible-vlan-tagging;
>         auto-configure {
>             vlan-ranges {
>                 dynamic-profile DYNINTF-1VLANS-DHCP-INET {
>                     accept any;
>                     ranges {
>                         any;
>                     }
>                 }
>                 authentication {
>                     password 12345678;
>                     username-include {
>                         user-prefix vlan;
>                         vlan-tags;
>                     }
>                 }
>                 access-profile rad;
>             }
>         }
>     }
>     lo0 {
>         unit 0 {
>             family inet {
>                 address 1.2.3.4/32;
>             }
>         }
>     }
> }
> forwarding-options {
>     dhcp-relay {
>         server-group {
>             dhcp-group-1 {
>                 1.2.3.5;
>             }
>         }
>         active-server-group dhcp-group-1;
>         group dhcp-group-1 {
>             relay-option-82;
>             interface et-0/0/0.0;
>         }
>     }
> }
> access {
>     radius-server {
>         1.2.3.6 {
>             secret "xxx"; ## SECRET-DATA
>             source-address 1.2.3.4;
>         }
>     }
>     profile rad {
>         accounting-order radius;
>         authentication-order radius;
>         radius {
>             authentication-server 1.2.3.6;
>             accounting-server 1.2.3.6;
>             options {
>                 revert-interval 0;
>             }
>         }
>         accounting {
>             order radius;
>             immediate-update;
>             update-interval 15;
>         }
>     }
> }
> dynamic-profiles {
>     DYNINTF-1VLANS-DHCP-INET {
>         interfaces {
>             "$junos-interface-ifd-name" {
>                 unit "$junos-interface-unit" {
>                     proxy-arp restricted;
>                     vlan-id "$junos-vlan-id";
>                     family inet {
>                         unnumbered-address lo0.0;
>                     }
>                 }
>             }
>         }
>     }
> }