Pseudowire Headend Termination - PART2

As network engineers, I think it's fair to say we like to spend our time making a difference.

Despite being considered the 'bread and butter' of the Service Provider world, provisioning and decommissioning are two areas that can still demand our attention. More specifically:

  1. Connecting subscribers from remote POPs or external access providers.
  2. Applying the necessary limiters to sub-rate services.
  3. Upgrading or downgrading subscriber services.
  4. VLAN and/or IP allocation... spreadsheets!

"Isn't this what network engineers do, though, Michael?"

 

Is your home fitted with taps?

Imagine if, several times a day, you were asked to go and draw water from the well, as a matter of urgency. Dumbfounded, you would probably find yourself pointing at the sink whilst mouthing the words, "Taps... but we have taps?" Just me, perhaps.

The lab has changed slightly from the previous article. We are now up to 5 vMX routers. The latest addition, LIx, based at the Llanelli site, is now the BNG:

 

GOAL: Modify the network so that our colleagues in the Provisioning or Customer Service departments can help the customer directly. This allows us to focus on support exceptions, research or revenue-generating opportunities.

"If a human operator needs to touch your system during normal operations, you have a bug."
Carla Geisser, Google SRE

 

In this example, I've simulated attaching a BT GEA cablelink circuit (single tagged) to the network. These are used to connect GEA FTTC/FTTP subscribers via Openreach's access network. What's the minimum required effort to successfully provision and decommission any associated IPoE subscribers?

The final two steps include RADIUS and a beefed-up dynamic profile on the BNG, LIx.

The RADIUS config:

set access radius-server 10.10.11.9 secret "$9$YQ4JUqmT/CujHCuO1yrYgoJjH"
set access radius-server 10.10.11.9 timeout 6
set access radius-server 10.10.11.9 retry 5
set access radius-server 10.10.11.9 max-outstanding-requests 1000

set access profile ACCESS1 authentication-order radius
set access profile ACCESS1 radius authentication-server 10.10.11.9
set access profile ACCESS1 radius accounting-server 10.10.11.9
set access profile ACCESS1 radius options nas-identifier LIx
set access profile ACCESS1 accounting order radius
set access profile ACCESS1 accounting accounting-stop-on-failure
set access profile ACCESS1 accounting accounting-stop-on-access-deny
set access profile ACCESS1 accounting immediate-update
set access profile ACCESS1 accounting coa-immediate-update
set access profile ACCESS1 accounting address-change-immediate-update
set access profile ACCESS1 accounting update-interval 60
set access profile ACCESS1 accounting statistics volume-time

set access-profile ACCESS1

 

The dynamic 'client' profile to instantiate the logical interface:

set dynamic-profiles VLAN-BASIC interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" no-traps
set dynamic-profiles VLAN-BASIC interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" proxy-arp restricted
set dynamic-profiles VLAN-BASIC interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" vlan-tags outer "$junos-stacked-vlan-id"
set dynamic-profiles VLAN-BASIC interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" vlan-tags inner "$junos-vlan-id"
set dynamic-profiles VLAN-BASIC interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet unnumbered-address lo0.0
set dynamic-profiles VLAN-BASIC interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet unnumbered-address preferred-source-address 203.0.113.1

 

The dynamic 'service' profile for the goodies. This is where we'll dynamically shape the downstream, police the upstream and classify EF traffic from the subscriber. This could be targeted at gamers or VoIP users:

set dynamic-profiles EAD-PROFILE variables DNSTREAM default-value 10m
set dynamic-profiles EAD-PROFILE variables UPSTREAM default-value 2m
set dynamic-profiles EAD-PROFILE variables UPSTREAM uid
set dynamic-profiles EAD-PROFILE variables POLICER default-value policerv4
set dynamic-profiles EAD-PROFILE variables POLICER uid
set dynamic-profiles EAD-PROFILE variables IFILTER default-value ifilterv4
set dynamic-profiles EAD-PROFILE variables IFILTER uid
set dynamic-profiles EAD-PROFILE variables OFILTER default-value ofilterv4
set dynamic-profiles EAD-PROFILE variables OFILTER uid
set dynamic-profiles EAD-PROFILE interfaces "$junos-interface-ifd-name" unit "$junos-underlying-interface-unit" family inet filter input "$IFILTER"
set dynamic-profiles EAD-PROFILE interfaces "$junos-interface-ifd-name" unit "$junos-underlying-interface-unit" family inet filter output "$OFILTER"
set dynamic-profiles EAD-PROFILE class-of-service traffic-control-profiles SHAPER scheduler-map SMAP_BE_EF
set dynamic-profiles EAD-PROFILE class-of-service traffic-control-profiles SHAPER shaping-rate "$DNSTREAM"
set dynamic-profiles EAD-PROFILE class-of-service traffic-control-profiles SHAPER overhead-accounting frame-mode
set dynamic-profiles EAD-PROFILE class-of-service traffic-control-profiles SHAPER overhead-accounting bytes -4
set dynamic-profiles EAD-PROFILE class-of-service interfaces "$junos-interface-ifd-name" unit "$junos-underlying-interface-unit" output-traffic-control-profile SHAPER
set dynamic-profiles EAD-PROFILE class-of-service interfaces "$junos-interface-ifd-name" unit "$junos-underlying-interface-unit" classifiers dscp EAD_CLASSIFIER
set dynamic-profiles EAD-PROFILE class-of-service scheduler-maps SMAP_BE_EF forwarding-class BE scheduler BE_SCH
set dynamic-profiles EAD-PROFILE class-of-service scheduler-maps SMAP_BE_EF forwarding-class EF scheduler EF_SCH
set dynamic-profiles EAD-PROFILE class-of-service schedulers BE_SCH transmit-rate remainder
set dynamic-profiles EAD-PROFILE class-of-service schedulers BE_SCH priority low
set dynamic-profiles EAD-PROFILE class-of-service schedulers EF_SCH transmit-rate 128k
set dynamic-profiles EAD-PROFILE class-of-service schedulers EF_SCH transmit-rate rate-limit
set dynamic-profiles EAD-PROFILE class-of-service schedulers EF_SCH priority strict-high
set dynamic-profiles EAD-PROFILE firewall family inet filter "$IFILTER" interface-specific
set dynamic-profiles EAD-PROFILE firewall family inet filter "$IFILTER" term term1 then policer "$POLICER"
set dynamic-profiles EAD-PROFILE firewall family inet filter "$IFILTER" term term1 then service-accounting
set dynamic-profiles EAD-PROFILE firewall family inet filter "$IFILTER" term rest then accept
set dynamic-profiles EAD-PROFILE firewall family inet filter "$OFILTER" interface-specific
set dynamic-profiles EAD-PROFILE firewall family inet filter "$OFILTER" term term1 then service-accounting
set dynamic-profiles EAD-PROFILE firewall family inet filter "$OFILTER" term rest then accept
set dynamic-profiles EAD-PROFILE firewall policer "$POLICER" if-exceeding bandwidth-limit "$UPSTREAM"
set dynamic-profiles EAD-PROFILE firewall policer "$POLICER" if-exceeding burst-size-limit 15k
set dynamic-profiles EAD-PROFILE firewall policer "$POLICER" then discard

 

We'll also need a sprinkle of CoS:

set class-of-service forwarding-classes class BE queue-num 0
set class-of-service forwarding-classes class BE priority low
set class-of-service forwarding-classes class AF queue-num 1
set class-of-service forwarding-classes class AF priority low
set class-of-service forwarding-classes class EF queue-num 2
set class-of-service forwarding-classes class EF priority high
set class-of-service forwarding-classes class NC queue-num 3
set class-of-service forwarding-classes class NC priority high

set class-of-service classifiers dscp EAD_CLASSIFIER forwarding-class BE loss-priority high code-points be
set class-of-service classifiers dscp EAD_CLASSIFIER forwarding-class EF loss-priority low code-points ef

 

Some final tweaks to the DHCP server config. Here we include a pre-defined prefix for the username (the cablelink ID) as well as the interface name, which allows us to build a unique, dynamic username. The reauthenticate lease-renewal cvar is particularly useful for what comes next in our FreeRADIUS setup:

set system services dhcp-local-server group ps0 authentication password Juniper1
set system services dhcp-local-server group ps0 authentication username-include user-prefix OGHP12345678
set system services dhcp-local-server group ps0 authentication username-include interface-name
set system services dhcp-local-server group ps0 interface ps0.0
set system services dhcp-local-server group ps0 reauthenticate lease-renewal

 

When we hope to empower our non-technical colleagues, it becomes necessary to disambiguate. Finding some sort of frontend to your RADIUS solution may be key. In this instance, I'm using FreeRADIUS on top of pfSense.

This is the point where you can probably hand over to another department to populate the usernames:

 

If we double click on Elon's username we are presented with a myriad of options. Scroll all the way down and you'll see something like this:

 

That final box is all we really need. It took some time to get the dynamic profile set up just so, but from here the customer 'service profile' can be configured by any of your non-technical colleagues. Initially, it might have been set to |ERX-Service-Activate:1 += "EAD-PROFILE(40m, 10m)", which simply denotes a 40Mb/s downstream speed and a 10Mb/s upstream speed. If the customer calls up wanting to be upgraded to an 80/20 service, a quick edit in that box to |ERX-Service-Activate:1 += "EAD-PROFILE(80m, 20m)" will automatically see the customer's speed updated shortly after.

No need to ask them to power cycle kit and risk them breaking something and causing more calls / truck rolls. When the DHCP lease expires, the dynamic profile will check back here for any updates. What's the lease expiry in our IPv4 exhausted world? Typically 1 - 4 hours but it can be whatever you want.
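
One way to check what is typed into that box before it is saved, as an added example that is not part of the original article or of pfSense/FreeRADIUS. The tier list and function names are assumptions; the attribute string and the first username are the ones shown in this article.

```python
import re

# Assumptions (not from the article): the catalogue below and the function
# names. The article itself only shows the 40/10 and 80/20 values.
ALLOWED_PROFILES = {"EAD-PROFILE"}      # service profile defined on the BNG
ALLOWED_TIERS = {(40, 10), (80, 20)}    # (downstream, upstream) in Mb/s

_ACTIVATE = re.compile(
    r'ERX-Service-Activate:\d+\s*\+=\s*"([A-Za-z0-9_-]+)\((\d+)m,\s*(\d+)m\)"'
)


def check_service_activate(text):
    """Validate one reply item exactly as typed into the RADIUS front end.

    Returns (profile, down_mbps, up_mbps) or raises ValueError with a
    message a non-technical operator can act on.
    """
    m = _ACTIVATE.fullmatch(text.strip().lstrip("|").strip())
    if m is None:
        raise ValueError('expected: ERX-Service-Activate:1 += "EAD-PROFILE(40m, 10m)"')
    profile, down, up = m.group(1), int(m.group(2)), int(m.group(3))
    if profile not in ALLOWED_PROFILES:
        raise ValueError(f"unknown service profile {profile!r}")
    if (down, up) not in ALLOWED_TIERS:
        raise ValueError(f"{down}/{up} is not a sold tier")
    return profile, down, up


def review(entries):
    """Map each username to 'ok' or the reason its entry must not be saved."""
    report = {}
    for user, text in entries.items():
        try:
            check_service_activate(text)
            report[user] = "ok"
        except ValueError as err:
            report[user] = str(err)
    return report


# Constructed sample entries; only the first username appears in the article.
SAMPLE = {
    "OGHP12345678.ps0:13": '|ERX-Service-Activate:1 += "EAD-PROFILE(80m, 20m)"',
    "OGHP12345678.ps0:14": '|ERX-Service-Activate:1 += "EAD-PROFILE(80, 20m)"',
    "OGHP12345678.ps0:15": '|ERX-Service-Activate:1 += "EAD-PROFILE(800m, 20m)"',
}

if __name__ == "__main__":
    for user, verdict in review(SAMPLE).items():
        print(user, "->", verdict)
```

The second sample entry is rejected for a missing unit and the third for a rate outside the catalogue, which are the two slips a free-text box most easily lets through.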

Want to disconnect a user for non-payment? Simply change their RADIUS password:

Want to issue a static IP? Just pop one in this box:

root@LIx> show subscribers                 
Interface             IP Address/VLAN ID                      User Name                      LS:RI
ps0.3221225476         13                                                               default:default      
ps0.3221225476        203.0.113.111                           OGHP12345678.ps0:13       default:default

 

If, for some reason, you want to log in to the router, there are a few commands you can issue to check all is well:

root@LIx> show subscribers extensive 
Type: VLAN
Logical System: default
Routing Instance: default
Interface: ps0.3221225476
Interface type: Dynamic
Underlying Interface: ps0
Dynamic Profile Name: VLAN-BASIC
Dynamic Profile Version: 1
State: Active
Session ID: 7
PFE Flow ID: 14
VLAN Id: 13
Login Time: 2019-10-21 06:22:38 BST

Type: DHCP
User Name: OGHP12345678.ps0:13
IP Address: 203.0.113.111
IP Netmask: 255.255.255.0
Logical System: default
Routing Instance: default
Interface: ps0.3221225476
Interface type: Static
Underlying Interface: ps0.3221225476
MAC Address: 20:cf:30:23:ca:a6
State: Active
Radius Accounting ID: 8
Session ID: 8
PFE Flow ID: 14
VLAN Id: 13
Login Time: 2019-10-21 06:22:38 BST
Service Sessions: 1
DHCP Options: len 42
35 01 01 3d 07 01 20 cf 30 23 ca a6 0c 02 71 6c 3c 08 4d 53
46 54 20 35 2e 30 37 0e 01 03 06 0f 1f 21 2b 2c 2e 2f 77 79
f9 fc
DHCP Header: len 44
01 01 06 00 cc e4 5d 08 00 00 80 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 20 cf 30 23 ca a6 00 00 00 00 00 00
00 00 00 00
IP Address Pool: TEST-NET-3
Accounting interval: 3600

   Service Session ID: 9                
   Service Session Name: EAD-PROFILE
   Service Session Version: 1
   State: Active
   Family: inet
   IPv4 Input Filter Name: ifilterv4_UID1019-ps0.3221225476-in
   IPv4 Output Filter Name: ofilterv4_UID1020-ps0.3221225476-out
   Service Activation time: 2019-10-21 06:22:39 BST
   Dynamic configuration: 
     DNSTREAM: 40m
     IFILTER: ifilterv4_UID1019
     OFILTER: ofilterv4_UID1020
     POLICER: policerv4_UID1018
     UPSTREAM: 10m
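
The DHCP Options bytes in the output above are an RFC 2132 code/length/value list, so they can be decoded offline to confirm which client sits behind a session. This is an added example, not part of the original article; the function names are assumptions and the bytes are the ones printed above.

```python
# Bytes copied from the "DHCP Options: len 42" lines in the output above.
DHCP_OPTIONS_HEX = """
35 01 01 3d 07 01 20 cf 30 23 ca a6 0c 02 71 6c 3c 08 4d 53
46 54 20 35 2e 30 37 0e 01 03 06 0f 1f 21 2b 2c 2e 2f 77 79
f9 fc
"""

MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_options(hex_dump):
    """Split a DHCP options field (code, length, value) into {code: bytes}."""
    data = bytes.fromhex("".join(hex_dump.split()))
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:                 # pad option: one byte, no length
            i += 1
            continue
        if code == 255:               # end option
            break
        if i + 1 >= len(data):
            raise ValueError(f"option {code} has no length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        options[code] = value
        i += 2 + length
    return options


def summarise(options):
    """Decode the options that identify the client device."""
    out = {}
    if 53 in options:
        out["message_type"] = MESSAGE_TYPES.get(options[53][0], "unknown")
    cid = options.get(61, b"")
    if len(cid) == 7 and cid[0] == 1:          # hardware type 1 = Ethernet
        out["client_id_mac"] = ":".join(f"{b:02x}" for b in cid[1:])
    if 12 in options:
        out["hostname"] = options[12].decode("ascii", "replace")
    if 60 in options:
        out["vendor_class"] = options[60].decode("ascii", "replace")
    if 55 in options:
        out["requested"] = list(options[55])
    return out
```

Comparing client_id_mac with the MAC Address field of the same session is a quick consistency check when investigating who is behind a subscriber interface.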

 

Check the dynamically created traffic control profile:

root@LIx> show class-of-service traffic-control-profile SHAPER_UID1017 
Traffic control profile: SHAPER_UID1017, Index: 4294967363
  Shaping rate: 40000000
  Scheduler map: SMAP_BE_EF_UID1016
  Overhead accounting mode: Frame Mode
  Overhead bytes: -4

 

Check the dynamically created scheduler map:

root@LIx> show class-of-service scheduler-map SMAP_BE_EF_UID1016                   
Scheduler map: SMAP_BE_EF_UID1016, Index: 4294967357

  Scheduler: BE_SCH_UID1014, Forwarding class: BE, Index: 4294967360
    Transmit rate: remainder, Rate Limit: none, Buffer size: remainder, Buffer Limit: none, Priority: low
    Excess Priority: unspecified
    Drop profiles:
      Loss priority   Protocol    Index    Name
      Low             any             1    <default-drop-profile>      
      Medium low      any             1    <default-drop-profile>      
      Medium high     any             1    <default-drop-profile>      
      High            any             1    <default-drop-profile>      

  Scheduler: EF_SCH_UID1015, Forwarding class: EF, Index: 4294967361
    Transmit rate: 128000 bps, Rate Limit: rate-limit, Buffer size: remainder, Buffer Limit: none, Priority: strict-high
    Excess Priority: unspecified
    Drop profiles:
      Loss priority   Protocol    Index    Name
      Low             any             1    <default-drop-profile>      
      Medium low      any             1    <default-drop-profile>      
      Medium high     any             1    <default-drop-profile>      
      High            any             1    <default-drop-profile>

 

Check the policer and accounting stats:

root@LIx> show firewall 

Filter: __default_bpdu_filter__                                

Filter: ifilterv4_UID1019-ps0.3221225476-in                    
Counters:
Name                                                Bytes              Packets
__junos-dyn-service-counter                      29317545               138097
Policers:
Name                                                Bytes              Packets
policerv4_UID1018-term1-ps0.3221225476-in              1506492                 1015

Filter: ofilterv4_UID1020-ps0.3221225476-out                   
Counters:
Name                                                Bytes              Packets
__junos-dyn-service-counter                      80939623                99292

 

Check if the subscriber is making use of the QoS in the dynamic profile?

root@LIx> show interfaces queue ge-0/0/0 | find EF    
Queue: 2, Forwarding classes: EF
  Queued:
    Packets              :                212186                   135 pps
    Bytes                :              17415738                 81920 bps
  Transmitted:
    Packets              :                212186                   135 pps
    Bytes                :              17415738                 81920 bps
    Tail-dropped packets :                     0                     0 pps
    RL-dropped packets   :                     0                     0 pps
    RL-dropped bytes     :                     0                     0 bps
    RED-dropped packets  :                     0                     0 pps
     Low                 :                     0                     0 pps
     Medium-low          :                     0                     0 pps
     Medium-high         :                     0                     0 pps
     High                :                     0                     0 pps
    RED-dropped bytes    :                     0                     0 bps
     Low                 :                     0                     0 bps
     Medium-low          :                     0                     0 bps
     Medium-high         :                     0                     0 bps
     High                :                     0                     0 bps

Yes!

As always, there is so much more that can be done but hopefully I've provided the foundations from which you can try and seize more control of your working day whilst providing a high quality and consistent experience to your paying customers.

 

Configs

3_LIx
3_LI
3_SA
3_NT
3_CF