Routing


Subscriber management and Framed-Route

  • 1.  Subscriber management and Framed-Route

    Posted 03-27-2018 10:38

    And again hello everyone )

    I'm trying to make the Framed-Route attribute work.

    My subscriber looks like this:

    ge-0/0/4:4020-3000 Auth-Type := Accept
            Framed-IP-Address := "10.200.4.2",
            Framed-IP-Netmask := "255.255.252.0",
            Framed-Route := "10.200.200.0/25 10.200.4.2 1"

    Dynamic profile:

    interfaces {
        "$junos-interface-ifd-name" {
            unit "$junos-underlying-interface-unit" {
                family inet {
                    unnumbered-address lo0.0 preferred-source-address 213.108.136.127;
                }
                family inet6 {
                    unnumbered-address lo0.0 preferred-source-address 2a22:f440:a:3::1;
                }
            }
        }
    }
    routing-options {
        access {
            route $junos-framed-route-ip-address-prefix next-hop "$junos-framed-route-nexthop";
        }
    }
    

    subscriber session starts:

    run show subscribers extensive
    Type: VLAN
    Logical System: default
    Routing Instance: default
    Interface: demux0.3221225478
    Interface type: Dynamic
    Underlying Interface: ge-0/0/4
    Dynamic Profile Name: TEST-PROFILE
    State: Active
    Session ID: 24
    PFE Flow ID: 152
    Stacked VLAN Id: 0x8100.4020
    VLAN Id: 0x8100.3000
    Login Time: 2010-02-17 16:01:56 EET
    IPv4 rpf-check Fail Filter Name: rpf-pass-dhcp
    
    Type: DHCP
    User Name: ge-0/0/4:4020-3000
    IP Address: 10.200.4.2
    IP Netmask: 255.255.252.0
    Logical System: default
    Routing Instance: default
    Interface: demux0.3221225478
    Interface type: Static
    Underlying Interface: demux0.3221225478
    Dynamic Profile Name: IP-DHCPv4-DHCPv6
    MAC Address: 4c:5e:0c:b3:1c:0d
    State: Active
    Radius Accounting ID: 25
    Session ID: 25
    PFE Flow ID: 152
    Stacked VLAN Id: 4020
    VLAN Id: 3000
    Agent Circuit ID: len 6
    00 04 0f b4 00 18
    Agent Remote ID: len 9
    01 07 42 6f 67 64 2d 31 35
    Login Time: 2010-02-17 16:01:56 EET
    DHCP Options: len 32
    35 01 01 37 08 01 79 03 21 06 2a 8a 2b 0c 08 4d 69 6b 72 6f
    54 69 6b 3d 07 01 4c 5e 0c b3 1c 0d
    DHCP Header: len 44
    01 01 06 00 ba da ac 48 00 36 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 4c 5e 0c b3 1c 0d 00 00 00 00 00 00
    00 00 00 00
    IP Address Pool: 10-200-4-0
    Accounting interval: 3600
    Dynamic configuration:
      junos-framed-route-ip-address-prefix: 10.200.200.0/25
          junos-framed-route-nexthop: 0.0.0.0
              junos-framed-route-cost: 1
    

    I even got the framed-route attribute, but with no next-hop.

    In the log file I see this:

    Feb 17 16:01:56.294167 Parsing RADIUS message for session-id:25
    Feb 17 16:01:56.294213 radius-access-accept: Framed-IP-Address received: 10.200.4.2
    Feb 17 16:01:56.294248 radius-access-accept: Framed-IP-Netmask received: 255.255.252.0
    Feb 17 16:01:56.294279 processRadiusAttrib22: wholeString: [10.200.200.0/25 10.200.4.2 1]
    Feb 17 16:01:56.294348 processRadiusAttrib22: Attribute 22 missing nextHop, using default [0.0.0.0]
    Feb 17 16:01:56.294373 processRadiusAttrib22: Received FR Attributes
    Feb 17 16:01:56.294413 radius-access-accept: Framed-Route received: 10.200.200.0/25 10.200.4.2 1
    Feb 17 16:01:56.294450 Framework - module(radius) return: SUCCESS
    Feb 17 16:01:56.294826 authd_advance_module_for_aaa_response_msg: result:2
    Feb 17 16:01:56.294869 Client-session response-attr:: type:21 len:4
    Feb 17 16:01:56.294901 Client-session response-attr:: type:22 len:4
    Feb 17 16:01:56.294979 authd_update_session_dynamic_attributes: Client-session response-dyn-attr:: name:junos-framed-route-ip-address-prefix, len:16, value: 10.200.200.0/25, encode 1
    Feb 17 16:01:56.295016 authd_update_session_dynamic_attributes: Client-session response-dyn-attr:: name:junos-framed-route-nexthop, len:8, value: 0.0.0.0, encode 2
    Feb 17 16:01:56.295048 authd_update_session_dynamic_attributes: Client-session response-dyn-attr:: name:junos-framed-route-cost, len:1, value: 1, encode 3

    I just can't figure out why it says "Attribute 22 missing nextHop, using default [0.0.0.0]"?



  • 2.  RE: Subscriber management and Framed-Route

     
    Posted 03-27-2018 20:14

    Hi Smelnik,

    User IP:10.200.4.2.

     

    Nexthop attribute in a framed route is not applicable anymore. Since subscriber IP address is used as the nexthop in all cases,
    there is no need to have an additional attribute for nexthop for framed routes.

     

    Please refer to this PR:

    https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1186046

     

    Also, the below log is misleading: when a Framed-Route with a non-zero next-hop is received, it is always set as 0.0.0.0 (ignored) from Authd so that the user IP address can be used as next-hop.

     

    Feb 17 16:01:56.294279 processRadiusAttrib22: wholeString: [10.200.200.0/25 10.200.4.2 1]
    Feb 17 16:01:56.294348 processRadiusAttrib22: Attribute 22 missing nextHop, using default [0.0.0.0]

     

    I'll open a new PR & this log will be corrected in future releases.
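
Added example, not part of the original posts and not Juniper code: a Python sketch of how a Framed-Route value (RFC 2865 attribute 22, `prefix/len [gateway [metric ...]]`) splits into fields and what the reply above says the router does with the gateway. The names `FramedRoute` and `parse_framed_route` are hypothetical, and a prefix without `/len` is rejected here rather than given a classful mask.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class FramedRoute:
    prefix: ipaddress.IPv4Network              # destination prefix from the attribute
    sent_nexthop: Optional[ipaddress.IPv4Address]  # gateway field as sent by RADIUS
    cost: Optional[int]                        # first metric, if one was sent
    authd_nexthop: ipaddress.IPv4Address       # value authd reports, per the thread
    effective_nexthop: ipaddress.IPv4Address   # subscriber address used instead

    @property
    def nexthop_ignored(self) -> bool:
        """True when RADIUS sent a non-zero gateway that is then discarded."""
        return self.sent_nexthop is not None and int(self.sent_nexthop) != 0


def parse_framed_route(value: str, framed_ip: str) -> FramedRoute:
    """Parse one Framed-Route string for a subscriber whose address is framed_ip."""
    fields = value.split()
    if not fields or "/" not in fields[0]:
        raise ValueError("expected 'prefix/len [gateway [metric ...]]'")
    # strict=True rejects a prefix with host bits set, e.g. 10.200.200.1/25
    prefix = ipaddress.IPv4Network(fields[0], strict=True)
    gateway = ipaddress.IPv4Address(fields[1]) if len(fields) > 1 else None
    cost = int(fields[2]) if len(fields) > 2 else None
    return FramedRoute(prefix, gateway, cost,
                       authd_nexthop=ipaddress.IPv4Address("0.0.0.0"),
                       effective_nexthop=ipaddress.IPv4Address(framed_ip))


if __name__ == "__main__":
    # The two attribute values that appear in this thread.
    for text in ("10.200.200.0/25 10.200.4.2 1", "10.200.200.0/25"):
        r = parse_framed_route(text, "10.200.4.2")
        print(f"{text!r}: via {r.effective_nexthop}, "
              f"gateway ignored={r.nexthop_ignored}")
```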

     

     

     



  • 3.  RE: Subscriber management and Framed-Route

    Posted 03-27-2018 22:43

    Are you able to see the access-route installed correctly? We have a problem if it's not getting installed as expected.

     

    What do you see with, "show route protocol access"

     

    The log is misleading, subscriber IP will be used as next-hop.



  • 4.  RE: Subscriber management and Framed-Route

     
    Posted 03-27-2018 23:13

    This behavior is expected in NG Release. In NG release, both Access and Access-Internal routes are pointing to the same pseudo-ifl [Demux0.X] by default [show route forwarding-table destination <subscriber ip>]. So we don't need to define the next-hop [Karan has already shared the Public link]. Both Framed-address and Framed-Route will be pointing to private-unicast [Pseudo IFL]. Please use the below command to verify the correct next-hop. This command will show the correct subscriber IFL.

     

    show system subscriber-management route route-type access detail
    show system subscriber-management route route-type access-internal detail


    Regards,
    Rahul



  • 5.  RE: Subscriber management and Framed-Route

    Posted 03-28-2018 04:56

    I finally got it working 

    RADIUS:

    ge-0/0/4:4020-3000 Auth-Type := Accept
            Framed-IP-Address := "10.200.4.2",
            Framed-IP-Netmask := "255.255.252.0",
            Framed-Route := "10.200.200.0/25"

    But I needed to remove rpf-check from the subscriber's profile.



  • 6.  RE: Subscriber management and Framed-Route

     
    Posted 03-28-2018 05:19

     

    Glad to hear that, but wasn't the subscriber up based on your original post? It was more related to framed-route than the rpf check.

     

    Here are more details on rpf check; set it to loose mode for testing purposes:

    https://www.juniper.net/documentation/en_US/junos/topics/concept/unicast-mx-series-dynamic-profiles.html

     



  • 7.  RE: Subscriber management and Framed-Route

    Posted 03-28-2018 05:48

    Hello.

    I got this group configured for interface

    show groups SUBSCRIBERS-TEST
    interfaces {
        <*> {
            description "SUBSCRIBERS ACCESS";
            flexible-vlan-tagging;
            auto-configure {
                stacked-vlan-ranges {
                    dynamic-profile TEST-PROFILE {
                        accept [ dhcp-v4 dhcp-v6 ];
                        ranges {
                            4000-4020,2200-4000;
                        }
                    }
                    dynamic-profile STATIC-SUBS-NO-DEMUX {
                        accept any;
                        ranges {
                            4030-4050,2200-4000;
                        }
                    }
                }
                remove-when-no-subscribers;
            }
            mtu 9192;
            encapsulation flexible-ethernet-services;
        }
    }
    

    Dynamic profile looks like this:

     show dynamic-profiles TEST-PROFILE
    interfaces {
        demux0 {
            no-traps;
            interface-mib;
            unit "$junos-interface-unit" {
                demux-source [ inet inet6 ];
                no-traps;
                proxy-arp unrestricted;
                vlan-tags outer "$junos-stacked-vlan-id" inner "$junos-vlan-id";
                demux-options {
                    underlying-interface "$junos-underlying-interface";
                }
                family inet {
                    rpf-check fail-filter rpf-pass-dhcp;
                    unnumbered-address lo0.0 preferred-source-address 10.200.4.1;
                }
                family inet6 {
                    unnumbered-address lo0.0 preferred-source-address 2a22:f440:a:3::1;
                }
            }
        }
    }
    protocols {
        router-advertisement {
            interface "$junos-interface-name" {
                max-advertisement-interval 900;
                min-advertisement-interval 300;
                managed-configuration;
                other-stateful-configuration;
            }
        }
    }
    

    which has 

    rpf-check fail-filter rpf-pass-dhcp

    show firewall family inet filter rpf-pass-dhcp
    term 1 {
        from {
            destination-address {
                255.255.255.255/32;
            }
            destination-port dhcp;
        }
        then accept;
    }
    term 2 {
        then {
            discard;
        }
    }

    If I have it enabled, I have no pings to the framed-route network:

     run ping 10.200.200.2
    PING 10.200.200.2 (10.200.200.2): 56 data bytes
    ^C
    --- 10.200.200.2 ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss
    

    If I change it to this (I've added term 100):

    term 1 {
        from {
            destination-address {
                255.255.255.255/32;
            }
            destination-port dhcp;
        }
        then accept;
    }
    term 100 {
        from {
            source-address {
                10.200.200.0/25;
            }
        }
        then accept;
    }
    term 2 {
        then {
            discard;
        }
    }
    

    Everything works fine.
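
Added example, not part of the original post and not Junos code: a Python model of the two versions of the `rpf-pass-dhcp` fail filter shown above, evaluated over constructed packets that are assumed to have already failed the RPF check. The class and function names are hypothetical, and the port name `dhcp` is taken to mean 67.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

DHCP_PORT = 67  # assumption: the Junos port name "dhcp" is taken as 67

@dataclass
class Packet:
    src: str
    dst: str
    dport: Optional[int] = None

def _in(addr: str, net: Optional[str]) -> bool:
    """True when no network is given or addr falls inside it."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

@dataclass
class Term:
    name: str
    action: str                     # "accept" or "discard"
    dst_net: Optional[str] = None
    dport: Optional[int] = None
    src_net: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # All conditions in "from" must hold; a term without "from" matches everything.
        return (_in(p.dst, self.dst_net) and _in(p.src, self.src_net)
                and (self.dport is None or p.dport == self.dport))

def fail_filter(terms, p):
    """Evaluate a packet that has already failed the RPF check."""
    for t in terms:                 # the first matching term decides
        if t.matches(p):
            return t.name, t.action
    return "implicit", "discard"    # a filter ends with an implicit discard

TERM1 = Term("1", "accept", dst_net="255.255.255.255/32", dport=DHCP_PORT)
TERM100 = Term("100", "accept", src_net="10.200.200.0/25")
TERM2 = Term("2", "discard")
ORIGINAL = [TERM1, TERM2]           # filter as first posted
MODIFIED = [TERM1, TERM100, TERM2]  # filter with term 100 added

# Constructed packets, each assumed to have failed the RPF check.
DISCOVER = Packet("0.0.0.0", "255.255.255.255", DHCP_PORT)
ROUTED = Packet("10.200.200.2", "10.200.4.1")   # host behind the framed route
OTHER = Packet("10.99.0.1", "10.200.4.1")       # unrelated source

if __name__ == "__main__":
    for label, pkt in (("discover", DISCOVER), ("routed", ROUTED), ("other", OTHER)):
        print(label, fail_filter(ORIGINAL, pkt), fail_filter(MODIFIED, pkt))
```

Term 100 matches on source address alone and the filter is referenced from the dynamic profile, so the same acceptance applies to any RPF-failed packet with a source in 10.200.200.0/25 on every session built from TEST-PROFILE, not only this subscriber's.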

     

     

     



  • 8.  RE: Subscriber management and Framed-Route
    Best Answer

     
    Posted 03-28-2018 07:00

    Ok. Since there was no mention of ping/reachability towards the host, the focus was more on the framed-route next-hop output and authd log message as highlighted in the post, which I believe I've clarified. Coming to rpf check, of course the term 100 makes a point since it validates the check in default strict mode. I think the loose mode would bypass it. Anyway, glad that you're all set.

     

     



  • 9.  RE: Subscriber management and Framed-Route

    Posted 03-28-2018 07:34

    Thanks! 🙂