Junos OS

Default profile address-assignment pool is not working for JUNOS 18.1R2

  • 1.  Default profile address-assignment pool is not working for JUNOS 18.1R2

    Posted 07-23-2018 07:22

    For Junos version 17.x I used to configure my pools like:

    set access profile My-Profile address-assignment pool pool1

    set access address-assignment pool reserved-pool family inet network 10.0.0.0/24
    set access address-assignment pool reserved-pool family inet range v4-range-0 low 10.0.0.0
    set access address-assignment pool reserved-pool family inet range v4-range-0 high 10.0.0.255

    set access address-assignment pool pool1 link pool2
    set access address-assignment pool pool1 family inet network 192.168.1.0/24
    set access address-assignment pool pool1 family inet range v4-range-0 low 192.168.1.0
    set access address-assignment pool pool1 family inet range v4-range-0 high 192.168.1.255

    set access address-assignment pool pool2 link pool3
    set access address-assignment pool pool2 family inet network 192.168.2.0/24
    set access address-assignment pool pool2 family inet range v4-range-0 low 192.168.2.0
    set access address-assignment pool pool2 family inet range v4-range-0 high 192.168.2.255

    set access address-assignment pool pool3 family inet network 192.168.3.0/24
    set access address-assignment pool pool3 family inet range v4-range-0 low 192.168.3.0
    set access address-assignment pool pool3 family inet range v4-range-0 high 192.168.3.255


    So I could use reserved-pool for the Framed-Pool RADIUS attribute and pool1, pool2, pool3 when the Framed-Pool attribute is absent.

    But now for version 18.1R2-S1.4 if I use:
    set access profile My-Profile address-assignment pool pool1

    Juniper ignores the default pool and then uses the first pool in the list, reserved-pool.

    I would like to use reserved-pool just for when I set Framed-Pool pool attribute with the value reserved-pool.

    set access profile My-Profile address-assignment pool doesn't have any effect anymore? Or is there a bug?

    Can't I configure that way anymore?

    Another command that I've found out is set access address-pool test

     



  • 2.  RE: Default profile address-assignment pool is not working for JUNOS 18.1R2

     
    Posted 07-23-2018 08:02

    Hi,

     

    Can you check if access profile "My-Profile" is set/active?

    >show configuration access-profile

     

    If not configured yet, configure & check once:

    set access-profile My-Profile

     

    Just FYI, by default, RADIUS-returned VSA(s) (such as "framed-pool"), or any VSA returned from RADIUS in general, have higher preference than the locally configured ones.

     

    And BTW, what was the exact version of JUNOS 17.x you used previously, and may I know why you are considering 18.1R2 for the subscriber use case? Please note that NOT all Junos versions are qualified for subscribers-mgmt use. I would suggest using the following JUNOS for subscribers-mgmt.

     

    15.1R4 onwards, that is 15.1R5, 15.1R6, 15.1R7.

    16.1R4 onwards, that is 16.1R5, 16.1R6, 16.1R7.

    17.1R4 onwards, (yet to release)

    18.1R4 onwards, (yet to release)

     

     



  • 3.  RE: Default profile address-assignment pool is not working for JUNOS 18.1R2

    Posted 07-23-2018 08:24

    previous was mx 204 version - 17.4R1-S4

     

    Yes, profile is configured like that.

     

    Yes, framed-pool takes high precedence. But I don't want to use reserved-pool locally. I want to use reserved-pool only if I set a VSA.




  • 4.  RE: Default profile address-assignment pool is not working for JUNOS 18.1R2

     
    Posted 07-23-2018 08:52

    Thanks for the quick response.

     

    Could you share output for "show configuration access-profile"?

    I just want to ensure if access-profile is set.

     

    A quick workaround to the problem would be to return VSA framed-pool=pool1 so that it is preferred over reserved-pool.

    Pool1 is linked to pool2, and pool2 is linked to pool3. And exclude specified addresses or address ranges to prevent them from being allocated from an address pool:

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/subscriber-management-address-assignment-pools-excluding.html

     

     



  • 5.  RE: Default profile address-assignment pool is not working for JUNOS 18.1R2

    Posted 07-23-2018 08:57

    show | display set | match access | match profile
    set access-profile Access-Profile
    set access profile Access-Profile authentication-order radius
    set access profile Access-Profile domain-name-server-inet xxxxx
    set access profile Access-Profile domain-name-server-inet xxxxx
    set access profile Access-Profile domain-name-server-inet6 xxxxx
    set access profile Access-Profile domain-name-server-inet6 xxxxx
    set access profile Access-Profile address-assignment pool pool1
    set access profile Access-Profile radius authentication-server xxxxx
    set access profile Access-Profile radius authentication-server xxxxx
    set access profile Access-Profile radius accounting-server xxxxx
    set access profile Access-Profile radius accounting-server xxxxx
    set access profile Access-Profile radius options nas-port-id-format interface-text-description
    set access profile Access-Profile radius options nas-port-type ethernet virtual
    set access profile Access-Profile radius options override nas-port tunnel-client-nas-port
    set access profile Access-Profile accounting order radius
    set access profile Access-Profile accounting update-interval 10
    set access profile Access-Profile accounting statistics volume-time

     



  • 6.  RE: Default profile address-assignment pool is not working for JUNOS 18.1R2

    Posted 07-23-2018 13:09

    Just to make sure, I have downgraded and tried version 17.4R1-S4.2 again.

    So I found out that

    set access profile My-Profile address-assignment pool pool1

    didn't work for version 17.4R1-S4.2 either.

     

    But now I know what happened and how to make it work again.

     

    Juniper assumes that the first pool in the configuration is the primary:

     

    set access address-assignment pool reserved-pool family inet network 10.0.0.0/24
    set access address-assignment pool reserved-pool family inet range v4-range-0 low 10.0.0.0
    set access address-assignment pool reserved-pool family inet range v4-range-0 high 10.0.0.255

     

    set access address-assignment pool pool1 family inet network 192.168.1.0/24
    set access address-assignment pool pool1 family inet range v4-range-0 low 192.168.1.0
    set access address-assignment pool pool1 family inet range v4-range-0 high 192.168.1.255

     

    So I just needed to move reserved-pool to the end like this:

     

    set access address-assignment pool pool1 family inet network 192.168.1.0/24
    set access address-assignment pool pool1 family inet range v4-range-0 low 192.168.1.0
    set access address-assignment pool pool1 family inet range v4-range-0 high 192.168.1.255

     

    set access address-assignment pool reserved-pool family inet network 10.0.0.0/24
    set access address-assignment pool reserved-pool family inet range v4-range-0 low 10.0.0.0
    set access address-assignment pool reserved-pool family inet range v4-range-0 high 10.0.0.255

     

    I have deleted and recreated the pool for that.

     

    But unfortunately I have also found out that each time I move the pool to the end I need to request vmhost reboot for it to work 😞

     

     



  • 7.  RE: Default profile address-assignment pool is not working for JUNOS 18.1R2

     
    Posted 07-23-2018 20:09

    That's the reason I suggested returning the VSA from RADIUS for the pools to be used.

    Also, I believe 17.4R1 is affected by this bug, tracked via PR 1323829.

    https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1323829

     

     



  • 8.  RE: Default profile address-assignment pool is not working for JUNOS 18.1R2

    Posted 07-24-2018 05:29

    Thanks!

     

    But for version 18.1 R1/R2, if I configure the right order and reboot the router to be sure, do you think that the address pool can work normally following the sequence, or is there a chance for it to go wrong?

     



  • 9.  RE: Default profile address-assignment pool is not working for JUNOS 18.1R2

     
    Posted 07-24-2018 06:38

    The bug was that JUNOS used to allocate IP addresses from another pool in the chain without validating the available address space in its former pools. Now with the PR fix, here is the expected behaviour:

     

    For instance, in a 13 linked pool chain, say each pool has 15 addresses. Total of about 195 addresses.

    1. Take 60 PPPoE subscribers that will take the first 15 IP addresses from the first pool:
       >followed by another 15 addresses from the second linked pool,
       >followed by another 15 addresses from the third linked pool,
       >followed by another 15 addresses from the fourth linked pool.

    2. Disconnect 4 subscribers from the second pool range, & 3 subscribers from the third pool.
       >Upon reconnect, all the 7 subscribers get IPs from the second & third pool.

    3. Disconnect 3 subscribers from the third pool range, & 4 subscribers from the fourth pool:
       >Upon reconnect, all the 7 subscribers get IPs from the third & fourth pool.

    4. Disconnect 5 subscribers from the first pool:
       >Upon reconnect, all 5 subscribers get IPs from the first pool.

     

    By default, the matching pool is searched first, then the search moves to the first pool in the chain and proceeds through the chain until an available address is found and allocated, or until the search determines no addresses are free. In each pool, all address ranges are fully searched for an address. This behavior enables addresses to be assigned contiguously.

     

    Alternatively, you can configure the linked-pool-aggregation statement to search first within a block of addresses in each range in the matching pool and then successively through the linked pools. The search then moves back to the first pool in the chain and searches all addresses in all ranges in each pool through the last pool in the chain.

     

    For more info on the address-assignment:

    https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-address-assignment-pools-overview.html

     

    Now in your case, I see your requirement is that you want to use the pool name "123" only when returning a VSA for certain subscribers and use pool name "XYZ" (which is a linked chain) for other subscribers.

     

    I'd suggest that for the other subscriber(s), return framed-pool "XYZ" so the system always looks for pool "XYZ" and allocates addresses from within "XYZ". Similarly for pool name "123". Or another way would be to terminate the subscribers in an RI and pick addresses from that isolated RI.

     

    Another solution I wondered about was using the predefined-variable-defaults statement (of dynamic-profile), but unfortunately it doesn't do it for address-assignment/allocation.
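
The default linked-pool search described in post 9, as an added Python model that is not part of the original thread and is not Junos code. It assumes the matching pool is the head of its chain and that the lowest free address is handed out first; the `LinkedPools` class, the pool sizes and the subscriber IDs are constructed for illustration.

```python
# Added illustration, not Junos code; pool sizes and subscriber IDs are constructed.

class LinkedPools:
    def __init__(self, pools, links):
        # pools: {name: address count}; links: {name: next pool in chain}
        self.free = {n: set(range(c)) for n, c in pools.items()}
        self.links = links
        self.lease = {}  # subscriber id -> (pool, address index)

    def chain(self, start):
        """Follow 'link' statements from start, stopping if a loop is found."""
        seen = []
        while start is not None and start not in seen:
            seen.append(start)
            start = self.links.get(start)
        return seen

    def connect(self, sub, default_pool, framed_pool=None):
        """Allocate one address; returns the pool used, or None if exhausted."""
        # Assumption: a RADIUS Framed-Pool replaces the profile's default pool.
        for pool in self.chain(framed_pool or default_pool):
            if self.free[pool]:
                addr = min(self.free[pool])  # lowest free address first
                self.free[pool].remove(addr)
                self.lease[sub] = (pool, addr)
                return pool
        return None

    def disconnect(self, sub):
        pool, addr = self.lease.pop(sub)
        self.free[pool].add(addr)

    def in_use(self, pool):
        return sum(1 for p, _ in self.lease.values() if p == pool)

def replay_post9():
    """Steps 1 and 2 of post 9, plus one subscriber with Framed-Pool set."""
    names = [f"pool{i}" for i in range(1, 14)]   # 13 linked pools
    pools = dict.fromkeys(names, 15)
    pools["reserved-pool"] = 15                  # not linked from any pool
    lp = LinkedPools(pools, dict(zip(names, names[1:])))
    for sub in range(60):
        lp.connect(sub, "pool1")
    filled = [lp.in_use(n) for n in names[:5]]
    for sub in [15, 16, 17, 18, 30, 31, 32]:     # 4 from pool2, 3 from pool3
        lp.disconnect(sub)
    again = [lp.connect(f"re{i}", "pool1") for i in range(7)]
    vsa = lp.connect("vsa-sub", "pool1", framed_pool="reserved-pool")
    return filled, again, vsa, lp.in_use("reserved-pool")
```

In this model the unlinked reserved-pool is only touched by the subscriber that arrives with Framed-Pool set, which is the outcome the original poster is asking for.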




  • 10.  RE: Default profile address-assignment pool is not working for JUNOS 18.1R2

    Posted 07-24-2018 07:46

    That means if my 13 pools are sufficient to allocate all subscribers, it will never reach the 14th (reserved VSA) pool, right?



  • 11.  RE: Default profile address-assignment pool is not working for JUNOS 18.1R2

     
    Posted 07-24-2018 07:53

    Nope, it won't unless you run out of addresses.

     

     



  • 12.  RE: Default profile address-assignment pool is not working for JUNOS 18.1R2

    Posted 07-24-2018 07:56

    So that solves my problem 🙂



  • 13.  RE: Default profile address-assignment pool is not working for JUNOS 18.1R2
    Best Answer

     
    Posted 07-24-2018 08:05

    It does, but partially; I would return the VSA for the rest so that it always picks from the desired pool.