Pseudowire Headend Termination - PART2
As network engineers, I think it's fair to say we like to try and spend our time making a difference?
Despite being considered the 'bread and butter' of the Service Provider world, provisioning and decommissioning are two areas that can still demand our attention. More specifically:
- Connecting subscribers from remote POPs or external access providers.
- Applying the necessary limiters to sub-rate services.
- Upgrading or downgrading subscriber services.
- VLAN and/or IP allocation... spreadsheets!
"Isn't this what network engineers do, though, Michael?"
Is your home fitted with taps?
Imagine, if, several times a day, you were asked to go and draw water from the well, as a matter of urgency. Dumbfounded, you would probably find yourself pointing at the sink whilst mouthing the words, "Taps... but we have taps?" Just me, perhaps.
The lab has changed slightly from the previous article. We are now up to 5 vMX routers. The latest addition, LIx, based at the Llanelli site, is now the BNG:
GOAL: Modify the network so as to allow our colleagues in the Provisioning or Customer Service departments to be able to help the customer directly. This allows us to focus on support exceptions, research or revenue generating opportunities.
"If a human operator needs to touch your system during normal operations, you have a bug."
Carla Geisser, Google SRE
In this example, I've simulated attaching a BT GEA cablelink circuit (single tagged) to the network. These are used to connect GEA FTTC/FTTP subscribers via Openreach's access network. What's the minimum required effort to successfully provision and decommission any associated IPoE subscribers?
The final two steps include RADIUS and a beefed-up dynamic profile on the BNG, LIx.
The RADIUS config:
```
set access radius-server 10.10.11.9 secret "$9$YQ4JUqmT/CujHCuO1yrYgoJjH"
set access radius-server 10.10.11.9 timeout 6
set access radius-server 10.10.11.9 retry 5
set access radius-server 10.10.11.9 max-outstanding-requests 1000
set access profile ACCESS1 authentication-order radius
set access profile ACCESS1 radius authentication-server 10.10.11.9
set access profile ACCESS1 radius accounting-server 10.10.11.9
set access profile ACCESS1 radius options nas-identifier LIx
set access profile ACCESS1 accounting order radius
set access profile ACCESS1 accounting accounting-stop-on-failure
set access profile ACCESS1 accounting accounting-stop-on-access-deny
set access profile ACCESS1 accounting immediate-update
set access profile ACCESS1 accounting coa-immediate-update
set access profile ACCESS1 accounting address-change-immediate-update
set access profile ACCESS1 accounting update-interval 60
set access profile ACCESS1 accounting statistics volume-time
set access-profile ACCESS1
```
The dynamic 'client' profile to instantiate the logical interface:
```
set dynamic-profiles VLAN-BASIC interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" no-traps
set dynamic-profiles VLAN-BASIC interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" proxy-arp restricted
set dynamic-profiles VLAN-BASIC interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" vlan-tags outer "$junos-stacked-vlan-id"
set dynamic-profiles VLAN-BASIC interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" vlan-tags inner "$junos-vlan-id"
set dynamic-profiles VLAN-BASIC interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet unnumbered-address lo0.0
set dynamic-profiles VLAN-BASIC interfaces "$junos-interface-ifd-name" unit "$junos-interface-unit" family inet unnumbered-address lo0.0 preferred-source-address 203.0.113.1
```
The dynamic 'service' profile for the goodies. This is where we'll dynamically shape the downstream, police the upstream and classify EF traffic from the subscriber. This could be targeted at gamers or VoIP users:
```
set dynamic-profiles EAD-PROFILE variables DNSTREAM default-value 10m
set dynamic-profiles EAD-PROFILE variables UPSTREAM default-value 2m
set dynamic-profiles EAD-PROFILE variables UPSTREAM uid
set dynamic-profiles EAD-PROFILE variables POLICER default-value policerv4
set dynamic-profiles EAD-PROFILE variables POLICER uid
set dynamic-profiles EAD-PROFILE variables IFILTER default-value ifilterv4
set dynamic-profiles EAD-PROFILE variables IFILTER uid
set dynamic-profiles EAD-PROFILE variables OFILTER default-value ofilterv4
set dynamic-profiles EAD-PROFILE variables OFILTER uid
set dynamic-profiles EAD-PROFILE interfaces "$junos-interface-ifd-name" unit "$junos-underlying-interface-unit" family inet filter input "$IFILTER"
set dynamic-profiles EAD-PROFILE interfaces "$junos-interface-ifd-name" unit "$junos-underlying-interface-unit" family inet filter output "$OFILTER"
set dynamic-profiles EAD-PROFILE class-of-service traffic-control-profiles SHAPER scheduler-map SMAP_BE_EF
set dynamic-profiles EAD-PROFILE class-of-service traffic-control-profiles SHAPER shaping-rate "$DNSTREAM"
set dynamic-profiles EAD-PROFILE class-of-service traffic-control-profiles SHAPER overhead-accounting frame-mode
set dynamic-profiles EAD-PROFILE class-of-service traffic-control-profiles SHAPER overhead-accounting bytes -4
set dynamic-profiles EAD-PROFILE class-of-service interfaces "$junos-interface-ifd-name" unit "$junos-underlying-interface-unit" output-traffic-control-profile SHAPER
set dynamic-profiles EAD-PROFILE class-of-service interfaces "$junos-interface-ifd-name" unit "$junos-underlying-interface-unit" classifiers dscp EAD_CLASSIFIER
set dynamic-profiles EAD-PROFILE class-of-service scheduler-maps SMAP_BE_EF forwarding-class BE scheduler BE_SCH
set dynamic-profiles EAD-PROFILE class-of-service scheduler-maps SMAP_BE_EF forwarding-class EF scheduler EF_SCH
set dynamic-profiles EAD-PROFILE class-of-service schedulers BE_SCH transmit-rate remainder
set dynamic-profiles EAD-PROFILE class-of-service schedulers BE_SCH priority low
set dynamic-profiles EAD-PROFILE class-of-service schedulers EF_SCH transmit-rate 128k
set dynamic-profiles EAD-PROFILE class-of-service schedulers EF_SCH transmit-rate rate-limit
set dynamic-profiles EAD-PROFILE class-of-service schedulers EF_SCH priority strict-high
set dynamic-profiles EAD-PROFILE firewall family inet filter "$IFILTER" interface-specific
set dynamic-profiles EAD-PROFILE firewall family inet filter "$IFILTER" term term1 then policer "$POLICER"
set dynamic-profiles EAD-PROFILE firewall family inet filter "$IFILTER" term term1 then service-accounting
set dynamic-profiles EAD-PROFILE firewall family inet filter "$IFILTER" term rest then accept
set dynamic-profiles EAD-PROFILE firewall family inet filter "$OFILTER" interface-specific
set dynamic-profiles EAD-PROFILE firewall family inet filter "$OFILTER" term term1 then service-accounting
set dynamic-profiles EAD-PROFILE firewall family inet filter "$OFILTER" term rest then accept
set dynamic-profiles EAD-PROFILE firewall policer "$POLICER" if-exceeding bandwidth-limit "$UPSTREAM"
set dynamic-profiles EAD-PROFILE firewall policer "$POLICER" if-exceeding burst-size-limit 15k
set dynamic-profiles EAD-PROFILE firewall policer "$POLICER" then discard
```
We'll also need a sprinkle of CoS:
```
set class-of-service forwarding-classes class BE queue-num 0
set class-of-service forwarding-classes class BE priority low
set class-of-service forwarding-classes class AF queue-num 1
set class-of-service forwarding-classes class AF priority low
set class-of-service forwarding-classes class EF queue-num 2
set class-of-service forwarding-classes class EF priority high
set class-of-service forwarding-classes class NC queue-num 3
set class-of-service forwarding-classes class NC priority high
set class-of-service classifiers dscp EAD_CLASSIFIER forwarding-class BE loss-priority high code-points be
set class-of-service classifiers dscp EAD_CLASSIFIER forwarding-class EF loss-priority low code-points ef
```
Some final tweaks to the DHCP server config. Here we include a pre-defined prefix for the username (the cablelink ID) as well as the interface name, which allows us to build a unique, dynamic username. The `reauthenticate lease-renewal` statement is particularly useful for what comes next in our FreeRADIUS setup:
```
set system services dhcp-local-server group ps0 authentication password Juniper1
set system services dhcp-local-server group ps0 authentication username-include user-prefix OGHP12345678
set system services dhcp-local-server group ps0 authentication username-include interface-name
set system services dhcp-local-server group ps0 interface ps0.0
set system services dhcp-local-server group ps0 reauthenticate lease-renewal
```
When we hope to empower our non-technical colleagues, it becomes necessary to disambiguate. Finding some sort of frontend to your RADIUS solution may be key. In this instance, I'm using FreeRADIUS on top of pfSense.
This is the point where you can probably hand over to another department to populate the usernames:
If we double click on Elon's username we are presented with a myriad of options. Scroll all the way down and you'll see something like this:
That final box is all we really need. It took some time to get the dynamic profile set up just so, but from here the customer 'service profile' can be configured by any of your non-technical colleagues. Initially, it might have been set to `ERX-Service-Activate:1 += "EAD-PROFILE(40m, 10m)"`, which simply denotes a 40Mb/s downstream speed and a 10Mb/s upstream speed. If the customer calls up wanting to be upgraded to an 80/20 service, a quick edit in that box to `ERX-Service-Activate:1 += "EAD-PROFILE(80m, 20m)"` will automatically see the customer's speed updated shortly after.
No need to ask them to power cycle kit and risk them breaking something, causing more calls and truck rolls. When the DHCP lease expires, the dynamic profile will check back here for any updates. What's the lease expiry in our IPv4-exhausted world? Typically 1 - 4 hours, but it can be whatever you want.
Want to disconnect a user for non-payment? Simply change their RADIUS password:
Want to issue a static IP? Just pop one in this box:
```
root@LIx> show subscribers
Interface           IP Address/VLAN ID   User Name             LS:RI
ps0.3221225476      13                                         default:default
ps0.3221225476      203.0.113.111        OGHP12345678.ps0:13   default:default
```
If, for some reason, you want to log in to the router, there are a few commands you can issue to check all is well:
```
root@LIx> show subscribers extensive
Type: VLAN
Logical System: default
Routing Instance: default
Interface: ps0.3221225476
Interface type: Dynamic
Underlying Interface: ps0
Dynamic Profile Name: VLAN-BASIC
Dynamic Profile Version: 1
State: Active
Session ID: 7
PFE Flow ID: 14
VLAN Id: 13
Login Time: 2019-10-21 06:22:38 BST

Type: DHCP
User Name: OGHP12345678.ps0:13
IP Address: 203.0.113.111
IP Netmask: 255.255.255.0
Logical System: default
Routing Instance: default
Interface: ps0.3221225476
Interface type: Static
Underlying Interface: ps0.3221225476
MAC Address: 20:cf:30:23:ca:a6
State: Active
Radius Accounting ID: 8
Session ID: 8
PFE Flow ID: 14
VLAN Id: 13
Login Time: 2019-10-21 06:22:38 BST
Service Sessions: 1
DHCP Options: len 42
  35 01 01 3d 07 01 20 cf 30 23 ca a6 0c 02 71 6c 3c 08 4d 53 46 54 20 35 2e 30 37 0e 01 03 06 0f 1f 21 2b 2c 2e 2f 77 79 f9 fc
DHCP Header: len 44
  01 01 06 00 cc e4 5d 08 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 cf 30 23 ca a6 00 00 00 00 00 00 00 00 00 00
IP Address Pool: TEST-NET-3
Accounting interval: 3600
Service Session ID: 9
Service Session Name: EAD-PROFILE
Service Session Version: 1
State: Active
Family: inet
IPv4 Input Filter Name: ifilterv4_UID1019-ps0.3221225476-in
IPv4 Output Filter Name: ofilterv4_UID1020-ps0.3221225476-out
Service Activation time: 2019-10-21 06:22:39 BST
Dynamic configuration:
  DNSTREAM: 40m
  IFILTER: ifilterv4_UID1019
  OFILTER: ofilterv4_UID1020
  POLICER: policerv4_UID1018
  UPSTREAM: 10m
```
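Two small checks that go with the RADIUS box above and the `Dynamic configuration` block just shown, added here as an example rather than taken from the article or from Juniper: one builds the `ERX-Service-Activate` value for a tier and refuses anything that is not a plain Junos rate (so a typo in the FreeRADIUS reply never reaches the BNG), the other reads the variables back out of `show subscribers extensive` output and confirms the subscriber really is on the tier that was provisioned. The `EAD-PROFILE(down, up)` shape and the rate syntax (digits plus optional k/m/g) are taken from the article; the sample output below is constructed.

```python
import re

RATE_RE = re.compile(r"^\d+[kmg]?$")  # Junos rate, e.g. 40m, 512k, 1g


def service_activate(profile, downstream, upstream):
    """Build the ERX-Service-Activate value, e.g. 'EAD-PROFILE(40m, 10m)'.
    Anything that is not a plain rate is refused before it can be handed
    to the dynamic profile on the BNG."""
    for rate in (downstream, upstream):
        if not RATE_RE.match(rate):
            raise ValueError(f"bad rate {rate!r}: expected e.g. 40m or 512k")
    return f"{profile}({downstream}, {upstream})"


def parse_dynamic_config(show_output):
    """Return the variables under 'Dynamic configuration:' in 'show subscribers
    extensive' output; the block ends where indentation drops below its first line."""
    lines = show_output.splitlines()
    heads = [i for i, l in enumerate(lines) if l.strip() == "Dynamic configuration:"]
    if not heads or heads[0] + 1 >= len(lines):
        return {}
    body = lines[heads[0] + 1:]
    indent = len(body[0]) - len(body[0].lstrip())
    cfg = {}
    for line in body:
        if line.strip() and len(line) - len(line.lstrip()) < indent:
            break
        key, sep, value = line.strip().partition(":")
        if sep:
            cfg[key] = value.strip()
    return cfg


def tier_matches(show_output, downstream, upstream):
    """True when the activated DNSTREAM/UPSTREAM equal the provisioned tier."""
    cfg = parse_dynamic_config(show_output)
    return cfg.get("DNSTREAM") == downstream and cfg.get("UPSTREAM") == upstream


# Constructed sample, laid out like the article's show output.
SAMPLE = """\
Dynamic configuration:
  DNSTREAM: 40m
  IFILTER: ifilterv4_UID1019
  OFILTER: ofilterv4_UID1020
  POLICER: policerv4_UID1018
  UPSTREAM: 10m
Accounting interval: 3600
"""
```

Running `tier_matches(SAMPLE, "80m", "20m")` straight after the RADIUS edit returns `False` until the lease renews and the new tier is activated, which is the check a support colleague would want before closing the ticket.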
Check the dynamically created traffic control profile:
```
root@LIx> show class-of-service traffic-control-profile SHAPER_UID1017
Traffic control profile: SHAPER_UID1017, Index: 4294967363
  Shaping rate: 40000000
  Scheduler map: SMAP_BE_EF_UID1016
  Overhead accounting mode: Frame Mode
  Overhead bytes: -4
```
Check the dynamically created scheduler map:
```
root@LIx> show class-of-service scheduler-map SMAP_BE_EF_UID1016
Scheduler map: SMAP_BE_EF_UID1016, Index: 4294967357

  Scheduler: BE_SCH_UID1014, Forwarding class: BE, Index: 4294967360
    Transmit rate: remainder, Rate Limit: none, Buffer size: remainder,
    Buffer Limit: none, Priority: low
    Excess Priority: unspecified
    Drop profiles:
      Loss priority   Protocol    Index    Name
      Low             any             1    <default-drop-profile>
      Medium low      any             1    <default-drop-profile>
      Medium high     any             1    <default-drop-profile>
      High            any             1    <default-drop-profile>

  Scheduler: EF_SCH_UID1015, Forwarding class: EF, Index: 4294967361
    Transmit rate: 128000 bps, Rate Limit: rate-limit, Buffer size: remainder,
    Buffer Limit: none, Priority: strict-high
    Excess Priority: unspecified
    Drop profiles:
      Loss priority   Protocol    Index    Name
      Low             any             1    <default-drop-profile>
      Medium low      any             1    <default-drop-profile>
      Medium high     any             1    <default-drop-profile>
      High            any             1    <default-drop-profile>
```
Check the policer and accounting stats:
```
root@LIx> show firewall

Filter: __default_bpdu_filter__

Filter: ifilterv4_UID1019-ps0.3221225476-in
Counters:
Name                                                Bytes              Packets
__junos-dyn-service-counter                      29317545               138097
Policers:
Name                                                Bytes              Packets
policerv4_UID1018-term1-ps0.3221225476-in         1506492                 1015

Filter: ofilterv4_UID1020-ps0.3221225476-out
Counters:
Name                                                Bytes              Packets
__junos-dyn-service-counter                      80939623                99292
```
Is the subscriber actually making use of the QoS in the dynamic profile?
```
root@LIx> show interfaces queue ge-0/0/0 | find EF
Queue: 2, Forwarding classes: EF
  Queued:
    Packets              :              212186                   135 pps
    Bytes                :            17415738                 81920 bps
  Transmitted:
    Packets              :              212186                   135 pps
    Bytes                :            17415738                 81920 bps
    Tail-dropped packets :                   0                     0 pps
    RL-dropped packets   :                   0                     0 pps
    RL-dropped bytes     :                   0                     0 bps
    RED-dropped packets  :                   0                     0 pps
     Low                 :                   0                     0 pps
     Medium-low          :                   0                     0 pps
     Medium-high         :                   0                     0 pps
     High                :                   0                     0 pps
    RED-dropped bytes    :                   0                     0 bps
     Low                 :                   0                     0 bps
     Medium-low          :                   0                     0 bps
     Medium-high         :                   0                     0 bps
     High                :                   0                     0 bps
```
Yes!
As always, there is so much more that can be done but hopefully I've provided the foundations from which you can try and seize more control of your working day whilst providing a high quality and consistent experience to your paying customers.
Configs