Розбіжності

Тут показані розбіжності між вибраною ревізією та поточною версією сторінки.

--- juniper:mx_bras [06/04/2022 21:10] – Method
+++ juniper:mx_bras [18/06/2023 21:52] (поточний) – Method
@@ Рядок 1: / Рядок 1: @@
-====== Juniper MX Bras ======
+{{tag>Juniper }}
-В даному розділі буду описувати свій досвід налаштування Juniper MX в ролі [[https://en.wikipedia.org/wiki/Broadband_remote_access_server|BRAS]]у.
-На моїй практиці були налаштовані Juniper MX80 MX104 MX960, на останній моделі зупинились (провайдер на якого я працюю), отже всі приклади будуть взяті з нього, але на 95% вони сумісні з іншими моделями Juniper MX. Все залежить від версії прошивки роутера.
-===== QinQ DHCP server =====
+===== DHCP server =====
+Глобальні налаштування DHCP сервера
 <code>
-set system services dhcp-local-server group IPOE_QINQ_NEW authentication password PROVIDER
+set system services dhcp-local-server pool-match-order external-authority
-set system services dhcp-local-server group IPOE_QINQ_NEW authentication username-include delimiter "|"
+set system services dhcp-local-server pool-match-order ip-address-first
-set system services dhcp-local-server group IPOE_QINQ_NEW authentication username-include user-prefix IPOE_QINQ
+set system services dhcp-local-server no-stale-timer-refresh
-set system services dhcp-local-server group IPOE_QINQ_NEW authentication username-include mac-address
+set system services dhcp-local-server stale-timer 30
-set system services dhcp-local-server group IPOE_QINQ_NEW authentication username-include vlan-tags
-set system services dhcp-local-server group IPOE_QINQ_NEW liveness-detection failure-action clear-binding
-set system services dhcp-local-server group IPOE_QINQ_NEW liveness-detection method layer2-liveness-detection transmit-interval 300
-set system services dhcp-local-server group IPOE_QINQ_NEW liveness-detection method layer2-liveness-detection max-consecutive-retries 3
-set system services dhcp-local-server group IPOE_QINQ_NEW reconfigure clear-on-abort
-set system services dhcp-local-server group IPOE_QINQ_NEW reconfigure attempts 5
-set system services dhcp-local-server group IPOE_QINQ_NEW reconfigure timeout 5
-set system services dhcp-local-server group IPOE_QINQ_NEW reconfigure token mx960_0
-set system services dhcp-local-server group IPOE_QINQ_NEW overrides client-discover-match incoming-interface
-set system services dhcp-local-server group IPOE_QINQ_NEW dynamic-profile dhcp-profile
-set system services dhcp-local-server group IPOE_QINQ_NEW access-profile IPOE_QINQ
-set system services dhcp-local-server group IPOE_QINQ_NEW interface ae1.0
 </code>
+====  QinQ DHCP server ====
+Наступний блок це власне налаштування DHCP сервера. Рекомендую зразу записувати різні кейси в окремі групи - так легше розуміти
 <code>
+set system services dhcp-local-server group IPOE_QINQ authentication password PROVIDER
+set system services dhcp-local-server group IPOE_QINQ authentication username-include delimiter "|"
+set system services dhcp-local-server group IPOE_QINQ authentication username-include user-prefix IPOE_QINQ
+set system services dhcp-local-server group IPOE_QINQ authentication username-include mac-address
+set system services dhcp-local-server group IPOE_QINQ authentication username-include vlan-tags
+set system services dhcp-local-server group IPOE_QINQ reconfigure clear-on-abort
+set system services dhcp-local-server group IPOE_QINQ reconfigure attempts 5
+set system services dhcp-local-server group IPOE_QINQ reconfigure timeout 5
+set system services dhcp-local-server group IPOE_QINQ reconfigure token mx960_0
+set system services dhcp-local-server group IPOE_QINQ overrides client-discover-match incoming-interface
+set system services dhcp-local-server group IPOE_QINQ dynamic-profile dhcp-profile
+set system services dhcp-local-server group IPOE_QINQ access-profile IPOE_QINQ
+set system services dhcp-local-server group IPOE_QINQ interface ae1.0
 </code>
+в даному блоці є 3 змінні без яких нічого не запрацює:
+  * dynamic-profile dhcp-profile
+  * access-profile IPOE_QINQ
+  * interface ae1.0
+їх треба описати
+==== dynamic-profile dhcp-profile ====
 <code>
+set dynamic-profiles dhcp-profile routing-instances "$junos-routing-instance" interface "$junos-interface-name"
+set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" actual-transit-statistics
+set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" no-traps
+set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" proxy-arp
+set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-underlying-interface"
+set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" targeted-distribution
+set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" family inet demux-source $junos-subscriber-ip-address
+set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address "$junos-loopback-interface"
 </code>
+==== access-profile IPOE_QINQ ====
 <code>
+set access profile IPOE_QINQ accounting-order radius
+set access profile IPOE_QINQ authentication-order radius
+set access profile IPOE_QINQ domain-name-server 10.10.10.5
+set access profile IPOE_QINQ domain-name-server 10.10.10.6
+set access profile IPOE_QINQ radius authentication-server 10.10.10.7
+set access profile IPOE_QINQ radius accounting-server 10.10.10.7
+set access profile IPOE_QINQ radius options calling-station-id-delimiter *
+set access profile IPOE_QINQ radius options calling-station-id-format mac-address
+set access profile IPOE_QINQ radius options calling-station-id-format stacked-vlan
+set access profile IPOE_QINQ radius options calling-station-id-format vlan
+set access profile IPOE_QINQ radius options accounting-session-id-format decimal
+set access profile IPOE_QINQ radius options client-authentication-algorithm round-robin
+set access profile IPOE_QINQ radius options client-accounting-algorithm round-robin
+set access profile IPOE_QINQ accounting order radius
+set access profile IPOE_QINQ accounting immediate-update
+set access profile IPOE_QINQ accounting coa-immediate-update
+set access profile IPOE_QINQ accounting address-change-immediate-update
+set access profile IPOE_QINQ accounting update-interval 10
+set access profile IPOE_QINQ accounting statistics volume-time
+set access profile IPOE_QINQ accounting wait-for-acct-on-ack
+set access profile IPOE_QINQ accounting send-acct-status-on-config-change
 </code>
 <code>
+set access radius-server 10.10.10.7 port 1812
+set access radius-server 10.10.10.7 accounting-port 1813
+set access radius-server 10.10.10.7 dynamic-request-port 3799
+set access radius-server 10.10.10.7 secret "superhardpass:)"
+set access radius-server 10.10.10.7 retry 3
+set access radius-server 10.10.10.7 accounting-retry 3
+set access radius-server 10.10.10.7 max-outstanding-requests 2000
+set access radius-server 10.10.10.7 source-address **.**.***.2
 </code>
+Всі пули іп адрес, які можуть бути видані абоненту потрібно описати наступним чином
 <code>
+set access address-assignment pool cvlan10_128-17 family inet network 10.10.128.0/17
+set access address-assignment pool cvlan10_128-17 family inet range ip low 10.10.128.11
+set access address-assignment pool cvlan10_128-17 family inet range ip high 10.10.255.254
+set access address-assignment pool cvlan10_128-17 family inet dhcp-attributes maximum-lease-time 10000
+set access address-assignment pool cvlan10_128-17 family inet dhcp-attributes grace-period 100
+set access address-assignment pool cvlan10_128-17 family inet dhcp-attributes router 10.10.128.2
+### access address-assignment pool cvlan10_128-17 family inet dhcp-attributes option 43 hex-string 010400000002
+set interfaces lo0 unit 0 family inet address 10.10.128.2/32
 </code>
+перші 10 іп з кожного пулу я резервую для майбутніх БРАСів. В мене використовується QinQ технологія, тому немає сенсу робити пули меншими - описую весь пул за раз.
 <code>
+set interfaces ae1 description ae1
+set interfaces ae1 flexible-vlan-tagging
+set interfaces ae1 auto-configure stacked-vlan-ranges dynamic-profile Auto-VLAN-Stacked-Demux accept dhcp-v4
+### interfaces ae1 auto-configure stacked-vlan-ranges dynamic-profile Auto-VLAN-Stacked-Demux accept pppoe
+set interfaces ae1 auto-configure stacked-vlan-ranges dynamic-profile Auto-VLAN-Stacked-Demux ranges 501-515,any
+set interfaces ae1 auto-configure remove-when-no-subscribers
+set interfaces ae1 mtu 9216
+set interfaces ae1 encapsulation flexible-ethernet-services
+set interfaces ae1 aggregated-ether-options lacp active
+set interfaces ae1 aggregated-ether-options lacp periodic fast
 </code>
 <code>
+set dynamic-profiles Auto-VLAN-Stacked-Demux routing-instances "$junos-routing-instance" interface "$junos-interface-name"
+set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" no-traps
+set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" proxy-arp
+set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" vlan-tags outer "$junos-stacked-vlan-id"
+set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" vlan-tags inner "$junos-vlan-id"
+set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-interface-ifd-name"
+set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" family inet mac-validate strict
+set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address "$junos-loopback-interface"
+### dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" family pppoe access-concentrator PPPoE-Server
+### dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" family pppoe duplicate-protection
+### dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" family pppoe dynamic-profile PP0
 </code>
+### - не хороша ідея на одному влані тримати і pppoe і dhcp абонів - dual-access на роутерах вам почнуть снитись в страшних снах
+===== DHCP_SVLAN =====
+<code>
+set access profile RADIUS_SVLAN accounting-order radius
+set access profile RADIUS_SVLAN authentication-order radius
+set access profile RADIUS_SVLAN radius authentication-server 172.20.20.1
+set access profile RADIUS_SVLAN radius accounting-server 172.20.20.1
+set access profile RADIUS_SVLAN radius options calling-station-id-delimiter *
+set access profile RADIUS_SVLAN radius options calling-station-id-format mac-address
+set access profile RADIUS_SVLAN radius options calling-station-id-format stacked-vlan
+set access profile RADIUS_SVLAN radius options calling-station-id-format vlan
+set access profile RADIUS_SVLAN radius options accounting-session-id-format decimal
+set access profile RADIUS_SVLAN radius options client-authentication-algorithm round-robin
+set access profile RADIUS_SVLAN radius options client-accounting-algorithm round-robin
+set access profile RADIUS_SVLAN accounting order radius
+set access profile RADIUS_SVLAN accounting immediate-update
+set access profile RADIUS_SVLAN accounting coa-immediate-update
+set access profile RADIUS_SVLAN accounting address-change-immediate-update
+set access profile RADIUS_SVLAN accounting update-interval 10
+set access profile RADIUS_SVLAN accounting statistics volume-time
+set access profile RADIUS_SVLAN accounting wait-for-acct-on-ack
+set access profile RADIUS_SVLAN accounting send-acct-status-on-config-change
+</code>
+<code>
+set dynamic-profiles CLIENTS_SVLAN routing-instances "$junos-routing-instance" interface "$junos-interface-name"
+set dynamic-profiles CLIENTS_SVLAN interfaces demux0 unit "$junos-interface-unit" actual-transit-statistics
+set dynamic-profiles CLIENTS_SVLAN interfaces demux0 unit "$junos-interface-unit" no-traps
+set dynamic-profiles CLIENTS_SVLAN interfaces demux0 unit "$junos-interface-unit" proxy-arp
+set dynamic-profiles CLIENTS_SVLAN interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-underlying-interface"
+### dynamic-profiles CLIENTS_SVLAN interfaces demux0 unit "$junos-interface-unit" targeted-distribution
+set dynamic-profiles CLIENTS_SVLAN interfaces demux0 unit "$junos-interface-unit" family inet demux-source $junos-subscriber-ip-address
+set dynamic-profiles CLIENTS_SVLAN interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address "$junos-loopback-interface"
+set dynamic-profiles CLIENTS_SVLAN interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address preferred-source-address $junos-preferred-source-address
+</code>
+<code>
+set system services dhcp-local-server pool-match-order external-authority
+set system services dhcp-local-server pool-match-order ip-address-first
+set system services dhcp-local-server group DHCP_SVLAN authentication password IPoE-Pool
+set system services dhcp-local-server group DHCP_SVLAN authentication username-include delimiter "|"
+set system services dhcp-local-server group DHCP_SVLAN authentication username-include user-prefix IPOE_SVLAN
+set system services dhcp-local-server group DHCP_SVLAN authentication username-include mac-address
+set system services dhcp-local-server group DHCP_SVLAN authentication username-include vlan-tags
+set system services dhcp-local-server group DHCP_SVLAN reconfigure clear-on-abort
+set system services dhcp-local-server group DHCP_SVLAN reconfigure attempts 5
+set system services dhcp-local-server group DHCP_SVLAN reconfigure timeout 5
+set system services dhcp-local-server group DHCP_SVLAN reconfigure token mx104_0
+### system services dhcp-local-server group DHCP_SVLAN overrides client-discover-match incoming-interface
+set system services dhcp-local-server group DHCP_SVLAN dynamic-profile CLIENTS_SVLAN
+set system services dhcp-local-server group DHCP_SVLAN access-profile RADIUS_SVLAN
+set system services dhcp-local-server group DHCP_SVLAN interface demux0.802
+set system services dhcp-local-server no-stale-timer-refresh
+set system services dhcp-local-server stale-timer 30
+</code>