This is an old revision of the document!
Juniper MX Bras
In this section I describe my experience configuring a Juniper MX as a BRAS.
In practice I have configured the Juniper MX80, MX104 and MX960; we settled on the last model (at the provider I work for), so all examples are taken from it, but they are 95% compatible with other Juniper MX models. Everything depends on the router's firmware version.
DHCP server
Global DHCP server settings
set system services dhcp-local-server pool-match-order external-authority
set system services dhcp-local-server pool-match-order ip-address-first
set system services dhcp-local-server no-stale-timer-refresh
set system services dhcp-local-server stale-timer 30
QinQ DHCP server
The next block is the DHCP server configuration itself. I recommend putting the different cases into separate groups from the start; it is easier to understand that way.
set system services dhcp-local-server group IPOE_QINQ authentication password PROVIDER
set system services dhcp-local-server group IPOE_QINQ authentication username-include delimiter "|"
set system services dhcp-local-server group IPOE_QINQ authentication username-include user-prefix IPOE_QINQ
set system services dhcp-local-server group IPOE_QINQ authentication username-include mac-address
set system services dhcp-local-server group IPOE_QINQ authentication username-include vlan-tags
set system services dhcp-local-server group IPOE_QINQ liveness-detection failure-action clear-binding
set system services dhcp-local-server group IPOE_QINQ liveness-detection method layer2-liveness-detection transmit-interval 300
set system services dhcp-local-server group IPOE_QINQ liveness-detection method layer2-liveness-detection max-consecutive-retries 3
set system services dhcp-local-server group IPOE_QINQ reconfigure clear-on-abort
set system services dhcp-local-server group IPOE_QINQ reconfigure attempts 5
set system services dhcp-local-server group IPOE_QINQ reconfigure timeout 5
set system services dhcp-local-server group IPOE_QINQ reconfigure token mx960_0
set system services dhcp-local-server group IPOE_QINQ overrides client-discover-match incoming-interface
set system services dhcp-local-server group IPOE_QINQ dynamic-profile dhcp-profile
set system services dhcp-local-server group IPOE_QINQ access-profile IPOE_QINQ
set system services dhcp-local-server group IPOE_QINQ interface ae1.0
This block contains 3 variables without which nothing will work:
- dynamic-profile dhcp-profile
- access-profile IPOE_QINQ
- interface ae1.0
They need to be defined.
dynamic-profile dhcp-profile
set dynamic-profiles dhcp-profile routing-instances "$junos-routing-instance" interface "$junos-interface-name"
set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" actual-transit-statistics
set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" no-traps
set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" proxy-arp
set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-underlying-interface"
set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" targeted-distribution
set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" family inet demux-source $junos-subscriber-ip-address
set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address "$junos-loopback-interface"
access-profile IPOE_QINQ
set access profile IPOE_QINQ accounting-order radius
set access profile IPOE_QINQ authentication-order radius
set access profile IPOE_QINQ domain-name-server 10.10.10.5
set access profile IPOE_QINQ domain-name-server 10.10.10.6
set access profile IPOE_QINQ radius authentication-server 10.10.10.7
set access profile IPOE_QINQ radius accounting-server 10.10.10.7
set access profile IPOE_QINQ radius options calling-station-id-delimiter *
set access profile IPOE_QINQ radius options calling-station-id-format mac-address
set access profile IPOE_QINQ radius options calling-station-id-format stacked-vlan
set access profile IPOE_QINQ radius options calling-station-id-format vlan
set access profile IPOE_QINQ radius options accounting-session-id-format decimal
set access profile IPOE_QINQ radius options client-authentication-algorithm round-robin
set access profile IPOE_QINQ radius options client-accounting-algorithm round-robin
set access profile IPOE_QINQ accounting order radius
set access profile IPOE_QINQ accounting immediate-update
set access profile IPOE_QINQ accounting coa-immediate-update
set access profile IPOE_QINQ accounting address-change-immediate-update
set access profile IPOE_QINQ accounting update-interval 10
set access profile IPOE_QINQ accounting statistics volume-time
set access profile IPOE_QINQ accounting wait-for-acct-on-ack
set access profile IPOE_QINQ accounting send-acct-status-on-config-change
set access radius-server 10.10.10.7 port 1812
set access radius-server 10.10.10.7 accounting-port 1813
set access radius-server 10.10.10.7 dynamic-request-port 3799
set access radius-server 10.10.10.7 secret "superhardpass:)"
set access radius-server 10.10.10.7 retry 3
set access radius-server 10.10.10.7 accounting-retry 3
set access radius-server 10.10.10.7 max-outstanding-requests 2000
set access radius-server 10.10.10.7 source-address **.**.***.2
All IP address pools that can be issued to a subscriber must be defined as follows:
set access address-assignment pool cvlan10_128-17 family inet network 10.10.128.0/17
set access address-assignment pool cvlan10_128-17 family inet range ip low 10.10.128.11
set access address-assignment pool cvlan10_128-17 family inet range ip high 10.10.255.254
set access address-assignment pool cvlan10_128-17 family inet dhcp-attributes maximum-lease-time 10000
set access address-assignment pool cvlan10_128-17 family inet dhcp-attributes grace-period 100
set access address-assignment pool cvlan10_128-17 family inet dhcp-attributes router 10.10.128.2
### access address-assignment pool cvlan10_128-17 family inet dhcp-attributes option 43 hex-string 010400000002
set interfaces lo0 unit 0 family inet address 10.10.128.2/32
I reserve the first 10 IPs of each pool for future BRASes. I use QinQ, so there is no point in making the pools smaller; I define the whole pool at once.
set interfaces ae1 description ae1
set interfaces ae1 flexible-vlan-tagging
set interfaces ae1 auto-configure stacked-vlan-ranges dynamic-profile Auto-VLAN-Stacked-Demux accept dhcp-v4
### interfaces ae1 auto-configure stacked-vlan-ranges dynamic-profile Auto-VLAN-Stacked-Demux accept pppoe
set interfaces ae1 auto-configure stacked-vlan-ranges dynamic-profile Auto-VLAN-Stacked-Demux ranges 501-515,any
set interfaces ae1 auto-configure remove-when-no-subscribers
set interfaces ae1 mtu 9216
set interfaces ae1 encapsulation flexible-ethernet-services
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set dynamic-profiles Auto-VLAN-Stacked-Demux routing-instances "$junos-routing-instance" interface "$junos-interface-name"
set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" no-traps
set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" proxy-arp
set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" vlan-tags outer "$junos-stacked-vlan-id"
set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" vlan-tags inner "$junos-vlan-id"
set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-interface-ifd-name"
set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" family inet mac-validate strict
set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address "$junos-loopback-interface"
### dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" family pppoe access-concentrator PPPoE-Server
### dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" family pppoe duplicate-protection
### dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" family pppoe dynamic-profile PP0
### - it is not a good idea to keep both PPPoE and DHCP subscribers on one VLAN - dual-access on the routers will start showing up in your nightmares
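The IPOE_QINQ group depends on named objects (dynamic profile, access profile, interface, RADIUS server) that are defined elsewhere in the configuration. The following check is an added example, not part of the original page or of Junos: it scans `set` commands offline and reports names that are referenced but never defined. The function name `unresolved_references` and the `SAMPLE` text are constructed for illustration; the sample is a subset of the commands on this page.

```python
import shlex

# Constructed sample: a subset of this page's set commands. The
# Auto-VLAN-Stacked-Demux profile is left out on purpose so the check fires.
SAMPLE = """\
set system services dhcp-local-server group IPOE_QINQ dynamic-profile dhcp-profile
set system services dhcp-local-server group IPOE_QINQ access-profile IPOE_QINQ
set system services dhcp-local-server group IPOE_QINQ interface ae1.0
set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" proxy-arp
set access profile IPOE_QINQ authentication-order radius
set access profile IPOE_QINQ radius authentication-server 10.10.10.7
set access profile IPOE_QINQ radius accounting-server 10.10.10.7
set access radius-server 10.10.10.7 port 1812
set interfaces ae1 auto-configure stacked-vlan-ranges dynamic-profile Auto-VLAN-Stacked-Demux accept dhcp-v4
### interfaces ae1 auto-configure stacked-vlan-ranges dynamic-profile Auto-VLAN-Stacked-Demux accept pppoe
"""

def unresolved_references(config_text):
    """Return sorted (kind, name, referenced_from) for names used but never defined."""
    defined, refs = set(), []
    for line in config_text.splitlines():
        if not line.strip().startswith("set "):
            continue  # '###' lines are disabled statements on this page
        t = shlex.split(line)[1:]
        if t[0] == "dynamic-profiles" and len(t) > 1:
            defined.add(("dynamic-profile", t[1]))
        elif t[:2] == ["access", "radius-server"] and len(t) > 2:
            defined.add(("radius-server", t[2]))
        elif t[:2] == ["access", "profile"] and len(t) > 2:
            defined.add(("access-profile", t[2]))
            if len(t) > 5 and t[3] == "radius" and t[4].endswith("-server"):
                refs.append(("radius-server", t[5], "access profile " + t[2]))
        elif t[0] == "interfaces" and len(t) > 1:
            defined.add(("interface", t[1]))
            if "dynamic-profile" in t[2:-1]:
                name = t[t.index("dynamic-profile", 2) + 1]
                refs.append(("dynamic-profile", name, "interfaces " + t[1]))
        elif t[:4] == ["system", "services", "dhcp-local-server", "group"] and len(t) > 6:
            key, value, where = t[5], t[6], "dhcp-local-server group " + t[4]
            if key in ("dynamic-profile", "access-profile"):
                refs.append((key, value, where))
            elif key == "interface":  # ae1.0 -> physical interface ae1
                refs.append(("interface", value.split(".")[0], where))
    return sorted({r for r in refs if (r[0], r[1]) not in defined})

if __name__ == "__main__":
    for kind, name, where in unresolved_references(SAMPLE):
        print(f"{kind} {name!r} referenced from {where} is not defined")
```

Run against the full set of commands on this page, the check returns an empty list, since the page defines every object that it references.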