Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

  • 1.  Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

    Posted 02-28-2019 01:48

    Hello everyone.

    I'm setting up dual-stacked subscribers on my MX box. Subscribers must be placed in the SUBSCRIBERS routing-instance.

    As for now everything is working, but when I face dual-stacked subscribers I get behavior that I don't know is OK or not.

    Group for interface:

    interfaces {
        <*> {
            description "SUBSCRIBERS ACCESS";
            no-traps;
            flexible-vlan-tagging;
            auto-configure {
                stacked-vlan-ranges {
                    dynamic-profile MAIN-WITH-RPF-CHECK {
                        accept [ dhcp-v4 dhcp-v6 ];
                        ranges {
                            4000-4020,2200-4000;
                        }
                    }
                }
                remove-when-no-subscribers;
            }
            mtu 9192;
            encapsulation flexible-ethernet-services;
        }
    }
    

    Dynamic-profile for configuring interface:

    routing-instances {
        "$junos-routing-instance" {
            interface "$junos-interface-name";
        }
    }
    interfaces {
        demux0 {
            no-traps;
            interface-mib;
            unit "$junos-interface-unit" {
                demux-source [ inet inet6 ];
                no-traps;
                proxy-arp unrestricted;
                vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                demux-options {
                    underlying-interface "$junos-underlying-interface";
                }
                family inet {
                    rpf-check fail-filter rpf-pass-dhcp;
                    mtu 1500;
                    unnumbered-address "$junos-loopback-interface";
                }
                family inet6 {
                    mtu 1500;
                    unnumbered-address "$junos-loopback-interface";
                }
            }
        }
    }
    protocols {
        router-advertisement {
            interface "$junos-interface-name" {
                max-advertisement-interval 900;
                min-advertisement-interval 300;
                managed-configuration;
                other-stateful-configuration;
            }
        }
    }
    

    And finally profile for DHCP server:

    predefined-variable-defaults {
        routing-instances SUBSCRIBERS;
    }
    routing-instances {
        "$junos-routing-instance" {
            interface "$junos-interface-name";
        }
    }
    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-underlying-interface-unit" {
                family inet {
                    unnumbered-address "$junos-loopback-interface";
                }
                family inet6 {
                    unnumbered-address "$junos-loopback-interface";
                }
            }
        }
    }
    

    Everything works OK, but the first session (inet or inet6) authorizes in the default RI and the subscriber is placed in the SUBSCRIBERS RI. All RADIUS packets are coming from the NAS_IP that is configured for the default RI. This is OK. The next session (inet or inet6) is authorized in the SUBSCRIBERS RI, and the NAS_IP for this session is the one that is configured for the SUBSCRIBERS RI. So I got a situation where two sessions (inet, inet6) for one subscriber are coming from one box but from different NAS IPs. This is OK in general, but maybe I'm doing something wrong and there is a better way to do this. The problem is that I cannot use single-session dual-stack (which will solve my "problem") right now, so inet and inet6 should come as different sessions.



  • 2.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)
    Best Answer

     
    Posted 03-01-2019 05:29

    Hi smelnik,

     

    Think you could have the Radius VSA attribute# 26-25 and name "Redirect-LSRI-Name" configured on the Radius Server to help.

    https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-solution-wholesale-vsa-config-overview.html

     

    Hope this helps.

     

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).

     

     



  • 3.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

    Posted 03-01-2019 09:01

    Hello.

    Thanks for the reply. I tried this method and it works well, no as expected:

    I got auth from different RI, but with this VSA interim-updates are coming from the specified RI and CoA updates should be sent to nas ip in nas ip of RI specified in 26-25 VSA.

    Many thanks again, but I got to move to single-session dual-stack mode 🙂



  • 4.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

    Posted 03-01-2019 13:54

    I've found a solution.

    I used the domain map feature with domain default:

     show access domain
    map default {
        target-routing-instance SUBSCRIBERS;
    }
    

    And it worked.

    But there is another problem:

    unnumbered-address configured NONE for DHCP dynamic-profile.

    IP-DHCPv4-DHCPv6 {
        predefined-variable-defaults {
            routing-instances {
                SUBSCRIBERS;
            }
        }
        routing-instances {
            SUBSCRIBERS {
                interface demux0.3221225741;
            }
        }
        interfaces {
            demux0 {
                unit 3221225741 {
                    family {
                        inet {
                            unnumbered-address NONE;
                        }
                        inet6 {
                            unnumbered-address NONE;
                        }
                    }
                }
            }
        }
    }
    


  • 5.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

    Posted 03-03-2019 22:55

    OK, I managed to make things work almost as expected.

    I moved the subscriber, with the help of a dynamic profile, to another demux interface.

    This is the DHCP profile that I use:

    predefined-variable-defaults {
        routing-instances SUBSCRIBERS;
    }
    routing-instances {
        "$junos-routing-instance" {
            interface "$junos-interface-name";
        }
    }
    interfaces {
        demux0 {
            no-traps;
            unit "$junos-interface-unit" {
                demux-options {
                    underlying-interface "$junos-underlying-interface";
                }
                family inet {
                    rpf-check fail-filter rpf-pass-dhcp;
                    unnumbered-address "$junos-loopback-interface";
                }
                family inet6 {
                    unnumbered-address "$junos-loopback-interface";
                }
            }
        }
    }
    protocols {
        router-advertisement {
            interface "$junos-interface-name" {
                max-advertisement-interval 900;
                min-advertisement-interval 300;
                managed-configuration;
                other-stateful-configuration;
            }
        }
    }
    

    Interface profile now looks like this:

    interfaces {
        demux0 {
            no-traps;
            interface-mib;
            unit "$junos-interface-unit" {
                demux-source [ inet inet6 ];
                no-traps;
                proxy-arp unrestricted;
                vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                demux-options {
                    underlying-interface "$junos-underlying-interface";
                }
                family inet {
                    rpf-check fail-filter rpf-pass-dhcp;
                    mtu 1500;
                }
                family inet6 {
                    mtu 1500;
                }
            }
        }
    }
    

    And I moved to dual-stack single-session.

    Subs auth looks like this:

    demux0.3221225521     0x8100.4008 0x8100.3000                                           default:default
    demux0.3221225522     10.200.72.154                           DS&ge-0/1/2:4008-3000       default:SUBSCRIBERS
    *                     2a00:f440:a:3::fbf
    *                     2a00:f440:a:8fbf::/64
    

    There is lo0.1 in generated profile for subscriber session as expected.

    But inet6 is not working. I checked and found that ND is still working on demux0.3221225521, but not on the interface configured for the subscriber (demux0.3221225522).

    run show ipv6 neighbors
    IPv6 Address                 Linklayer Address  State       Exp Rtr Secure Interface
    fe80::66d1:54ff:fee6:d5f7    64:d1:54:e6:d5:f7  reachable   0   no  no      demux0.3221225521
    2a00:f440:a:3::fbf           64:d1:54:e6:d5:f7  reachable   0   no  no      demux0.3221225522
    

    So is there a way to solve this puzzle, or just forget about it and live with NONE in subscribers generated dynamic-profile? 🙂



  • 6.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

     
    Posted 03-04-2019 01:57

    Hello,

     

    I understand that your Radius is reachable via the default RI, but it's not clear where you'd like to put your IPv4 and IPv6 subscribers - should they both be in SUBSCRIBERS RI, or IPv4 in default and IPv6 in SUBSCRIBERS?

    I'm pretty sure there is a way to make it work, but let's clarify how you want it to work first.

     

    Best regards,

    Sergii

     



  • 7.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

    Posted 03-04-2019 02:06

    Hello Sergii.

    Yes, I'm trying to put a dual-stacked subscriber into the RI.

    Both inet and inet6 should be in the SUBSCRIBERS routing-instance.



  • 8.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

     
    Posted 03-04-2019 02:20

    Hi smelnik,

     

    Could you please try to remove the demux options once and try?

     

    Hope this helps.

     

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).



  • 9.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

    Posted 03-04-2019 02:40

    Hello.

    Should I remove it in the DHCP dynamic profile or the interface one?



  • 10.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

     
    Posted 03-04-2019 02:47
    Hi smelnik,

    No, just remove the demux options. Don't think that's needed with dynamic-profile.

    Regards,

    Hope this helps.

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).


  • 11.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

    Posted 03-04-2019 03:47

    Removed demux-options.

    Didn't help 😞 IPv6 resources are still not reachable for the subscriber.



  • 12.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

     
    Posted 03-04-2019 06:09

    It should be a very peculiar service model if you need to authenticate IPv4 and IPv6 sessions from the same CPE separately. In any case, the following configuration works in my lab and fits your requirements (Radius is reachable in the default RI, both IPv4 and IPv6 sessions are authenticated separately and placed in SUBSCRIBERS RI) - I added complete configuration for the sake of other users.

    The idea is to put dynamic vlan into SUBSCRIBERS RI, and use aaa-routing-instance command (you can refer https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/subscriber-management-domain-aaa-logical-system.html):

    set access domain map default aaa-routing-instance default

    If it works for you, please mark this post as "Accepted Solution".

    root@vmx1> show subscribers
    Interface             IP Address/VLAN ID                      User Name                      LS:RI
    demux0.3221225485     0x8100.1 0x8100.1                       vlan                      default:SUBSCRIBERS
    demux0.3221225485     10.10.1.6                               dhcpv4                    default:SUBSCRIBERS
    demux0.3221225485     fd01:1000:1000:1000::4                  dhcpv6                    default:SUBSCRIBERS
    
    root@vmx1> show ipv6 neighbors
    IPv6 Address                 Linklayer Address  State       Exp Rtr Secure Interface
    fe80::24cc:e4ff:fe3c:0       26:cc:e4:3c:00:00  reachable   0   no  no      demux0.3221225485
    fd01:1000:1000:1000::4       26:cc:e4:3c:00:00  reachable   0   no  no      demux0.3221225485
    
    root@vmx1> show configuration dynamic-profiles
    dv-profile {
        routing-instances {
            "$junos-routing-instance" {
                interface "$junos-interface-name";
            }
        }
        interfaces {
            demux0 {
                no-traps;
                interface-mib;
                unit "$junos-interface-unit" {
                    no-traps;
                    proxy-arp unrestricted;
                    vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                    demux-options {
                        underlying-interface "$junos-underlying-interface";
                    }
                    family inet {
                        unnumbered-address "$junos-loopback-interface";
                    }
                    family inet6 {
                        unnumbered-address "$junos-loopback-interface";
                    }
                }
            }
        }
        protocols {
            router-advertisement {
                interface "$junos-interface-name" {
                    max-advertisement-interval 900;
                    min-advertisement-interval 300;
                    managed-configuration;
                    other-stateful-configuration;
                }
            }
        }
    }
    l3-profile {
        predefined-variable-defaults {
            routing-instances SUBSCRIBERS;
        }
        routing-instances {
            "$junos-routing-instance" {
                interface "$junos-interface-name";
            }
        }
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-underlying-interface-unit" {
                    family inet {
                        unnumbered-address "$junos-loopback-interface";
                    }
                    family inet6 {
                        unnumbered-address "$junos-loopback-interface";
                    }
                }
            }
        }
    }
    
    root@vmx1> show configuration routing-instances
    SUBSCRIBERS {
        instance-type vrf;
        system {
            services {
                dhcp-local-server {
                    dhcpv6 {
                        group dhcpv6-ls {
                            authentication {
                                password password;
                                username-include {
                                    user-prefix dhcpv6;
                                }
                            }
                            dynamic-profile l3-profile;
                            overrides {
                                delegated-pool PREFIX-DELEGATION;
                            }
                            interface demux0.0;
                        }
                    }
                    pool-match-order {
                        external-authority;
                        ip-address-first;
                    }
                    group dhcp-ls {
                        authentication {
                            password password;
                            username-include {
                                user-prefix dhcpv4;
                            }
                        }
                        overrides {
                            client-discover-match incoming-interface;
                        }
                        dynamic-profile l3-profile;
                        interface demux0.0;
                    }
                }
            }
        }
        access {
            address-assignment {
                pool dhcpv4-pool {
                    family inet {
                        network 10.10.1.0/24;
                        range range1 {
                            low 10.10.1.2;
                            high 10.10.1.200;
                        }
                        dhcp-attributes {
                            maximum-lease-time 900;
                            server-identifier 10.10.1.1;
                            router {
                                10.10.1.1;
                            }
                            option 58 unsigned-integer 360;
                            option 59 unsigned-integer 600;
                        }
                    }
                }
                pool IA_NA {
                    family inet6 {
                        prefix fd01:1000:1000:1000::/64;
                        range V6-RANGE {
                            low fd01:1000:1000:1000::2/128;
                            high fd01:1000:1000:1000::ffff:ffff/128;
                        }
                        dhcp-attributes {
                            dns-server {
                                fd01:0090:0:aaaa:200:187:80:5;
                            }
                        }
                    }
                }
                pool PREFIX-DELEGATION {
                    family inet6 {
                        prefix fd02:01:aaaa::/48;
                        range PD prefix-length 64;
                        dhcp-attributes {
                            dns-server {
                                fd01:0090:0:aaaa:200:187:80:5;
                            }
                        }
                    }
                }
            }
        }
        access-profile aaa-profile;
        interface lo0.1;
        vrf-target target:1:1;
    }
    root@vmx1> show configuration access
    radius-server {
        10.1.6.30 secret "$9$iq5Fn6AOBEP5hrvM-dUji.fz9CuORS"; ## SECRET-DATA
    }
    profile aaa-profile {
        authentication-order radius;
        radius {
            authentication-server 10.1.6.30;
        }
    }
    domain {
        map default {
            aaa-routing-instance default;
        }
    }

    Corresponding RADIUS profiles:

    vlan    Cleartext-Password := "password"
            ERX-Virtual-Router-Name = "SUBSCRIBERS",
            Service-Type = Framed-User
    
    dhcpv4  Cleartext-Password := "password"
            ERX-Virtual-Router-Name = "SUBSCRIBERS",
            Service-Type = Framed-User
    
    dhcpv6  Cleartext-Password := "password"
            ERX-Virtual-Router-Name = "SUBSCRIBERS",
            Service-Type = Framed-User
    

     

    Best regards,

    Sergii
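Added example, not part of any post in this thread: a small Python check that automates the comparison the posters make by eye between `show subscribers` and `show ipv6 neighbors`. It reports address sessions that landed outside the expected routing instance and client MACs whose IPv6 neighbor entries are spread over more than one demux unit, which is the observation in post 5 and is absent from the lab output in post 12. The function names are hypothetical and the sample inputs are copied from the outputs quoted in the thread; the code only reports the split and makes no claim about its cause.

```python
import re
from collections import defaultdict

LS_RI = re.compile(r"^[\w.-]+:[\w.-]+$")                 # e.g. default:SUBSCRIBERS
MAC = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

# Sample input: outputs quoted in post 5 and post 12 of this thread.
POST5_SUBSCRIBERS = """\
Interface             IP Address/VLAN ID                      User Name                      LS:RI
demux0.3221225521     0x8100.4008 0x8100.3000                                           default:default
demux0.3221225522     10.200.72.154                           DS&ge-0/1/2:4008-3000       default:SUBSCRIBERS
*                     2a00:f440:a:3::fbf
*                     2a00:f440:a:8fbf::/64
"""
POST5_NEIGHBORS = """\
IPv6 Address                 Linklayer Address  State       Exp Rtr Secure Interface
fe80::66d1:54ff:fee6:d5f7    64:d1:54:e6:d5:f7  reachable   0   no  no      demux0.3221225521
2a00:f440:a:3::fbf           64:d1:54:e6:d5:f7  reachable   0   no  no      demux0.3221225522
"""
POST12_SUBSCRIBERS = """\
demux0.3221225485     0x8100.1 0x8100.1                       vlan                      default:SUBSCRIBERS
demux0.3221225485     10.10.1.6                               dhcpv4                    default:SUBSCRIBERS
demux0.3221225485     fd01:1000:1000:1000::4                  dhcpv6                    default:SUBSCRIBERS
"""
POST12_NEIGHBORS = """\
fe80::24cc:e4ff:fe3c:0       26:cc:e4:3c:00:00  reachable   0   no  no      demux0.3221225485
fd01:1000:1000:1000::4       26:cc:e4:3c:00:00  reachable   0   no  no      demux0.3221225485
"""

def parse_subscribers(text):
    """One dict per session row; '*' rows add addresses to the previous session."""
    sessions = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "Interface":
            continue
        if tok[0] == "*":                      # single-session dual-stack continuation
            if sessions and len(tok) > 1:
                sessions[-1]["addresses"].append(tok[1])
            continue
        if len(tok) < 3 or not LS_RI.match(tok[-1]):
            continue                           # CLI prompt or unrelated line
        vlan_tags = [t for t in tok[1:-1] if t.startswith("0x")]
        sessions.append({
            "interface": tok[0],
            "kind": "vlan" if vlan_tags else "address",
            "addresses": vlan_tags or [tok[1]],
            "ri": tok[-1].split(":", 1)[1],    # routing-instance half of LS:RI
        })
    return sessions

def parse_neighbors(text):
    """Map each link-layer address to the set of interfaces it was learned on."""
    by_mac = defaultdict(set)
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 3 and MAC.match(tok[1]):
            by_mac[tok[1].lower()].add(tok[-1])
    return by_mac

def audit(sub_text, neigh_text, expected_ri):
    sessions = parse_subscribers(sub_text)
    ri_of = {s["interface"]: s["ri"] for s in sessions}
    wrong_ri = [(s["interface"], s["addresses"], s["ri"])
                for s in sessions
                if s["kind"] == "address" and s["ri"] != expected_ri]
    split = {mac: {i: ri_of.get(i, "unknown") for i in sorted(ifs)}
             for mac, ifs in parse_neighbors(neigh_text).items() if len(ifs) > 1}
    return {"wrong_ri": wrong_ri, "split_neighbors": split}

if __name__ == "__main__":
    print(audit(POST5_SUBSCRIBERS, POST5_NEIGHBORS, "SUBSCRIBERS"))
    print(audit(POST12_SUBSCRIBERS, POST12_NEIGHBORS, "SUBSCRIBERS"))
```
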



  • 13.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

    Posted 03-04-2019 07:01

    Thanks for your post.

    I'm using single-session dual-stack and landing this subscriber inside one RI (SUBSCRIBERS).

    It works with the configuration you posted above, but if you have a look at show dynamic-profile client session-id, you will see the configured unnumbered address NONE. That was the problem (or in the case of Junos it is not a problem - I don't know 🙂 )

    So I tried to make things right 🙂

    I made the underlying interface stay in the default RI:

    Interface             IP Address/VLAN ID                      User Name                      LS:RI
    demux0.3221225523     0x8100.4008 0x8100.3000                                           default:default

    And placed the subscriber into the RI:

    demux0.3221225524     10.200.72.154                           DS&ge-0/1/2:4008-3000       default:SUBSCRIBERS
    *                     2a00:f440:a:3::fbf
    *                     2a00:f440:a:8fbf::/64
    

    In this case I got the right lo in the dynamic-profile (in my case lo0.1), IPv4 works fine, but IPv6 is not working.



  • 14.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

     
    Posted 03-04-2019 08:24

    You're right, I also see this "unnumbered-interface NONE", however, I don't see any functional issues and subscribers are able to send and receive traffic without any issues. The provided configuration should be working except this cosmetic issue in the output of "show dynamic-profile session" - I'll check if this is a known issue and submit a new PR if needed.

     

    Are there any reasons why you want to use single-session dual-stack now (I think earlier you didn't want to use it)? This feature should also work - I'll try to check it tomorrow if I have time.



  • 15.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

    Posted 03-04-2019 21:44

    To use single-session dual-stack I must upgrade my FreeRADIUS configuration to support both single-session and non-single-session modes. After solving this issue I can use single-session dual-stack without disrupting our production environment 🙂


    @Sergii wrote:

    You're right, I also see this "unnumbered-interface NONE", however, I don't see any functional issues and subscribers are able to send and receive traffic without any issues. The provided configuration should be working except this cosmetic issue in the output of "show dynamic-profile session" - I'll check if this is a known issue and submit a new PR if needed.

     


    It would be great to know if it's an issue or not.

     



  • 16.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

     
    Posted 03-06-2019 06:15

    Hi smelnik,

     

    Understood. The problem with "unnumbered-address NONE" in the output of "show dynamic-profile session" command is cosmetic - it was reported and fixed for PPP subscribers in PR1222975, but for DHCP subscribers the issue remained - and I created a new PR1421894 to get it fixed (it may take a while to get it resolved as there is no impact).

     

    Best regards,

    Sergii



  • 17.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

     
    Posted 03-07-2019 02:38

    Hi smelnik,

     

    Hopefully authentication for dual-stack subscribers in RI (not a single-session dual-stack) is working in your lab now. For the sake of clarity I'd like to suggest creating a new thread for the problem you mentioned with single-session dual-stack (please attach relevant pieces of configuration).


    @smelnik wrote:

    I made underlying interface to stay in default RI:

    Interface             IP Address/VLAN ID                      User Name                      LS:RI
    demux0.3221225523     0x8100.4008 0x8100.3000                                           default:default

    And placed subscriber into RI:

    demux0.3221225524     10.200.72.154                           DS&ge-0/1/2:4008-3000       default:SUBSCRIBERS
    *                     2a00:f440:a:3::fbf
    *                     2a00:f440:a:8fbf::/64
    

     In this case i got right lo in dynamic-profile (in my case lo0.1) , ipv4 works fine, but ipv6 not working.


     

    Best regards,

    Sergii

    -------------------------------------------------------------------

    Please accept the solution if your problem is resolved 😉

    -------------------------------------------------------------------

     



  • 18.  RE: Authenticating dual-stacked subscribers in routing instance (non single-session dual-stack)

    Posted 03-07-2019 09:52

    Hello Sergii.

    Thank you very much 🙂 I will create a new thread.

    Yes, now everything is working fine in my lab using a single demux interface.