Access Profile Configuration

Assigning an access profile name, such as pppoe-dual, to an interface is mandatory, but the properties and parameters of the access profile itself must still be configured.

The picture below shows how the access profile configuration is related to all subscriber management configuration tasks.

Figure 1. Access Profile Configuration

Configuring the Access Profile

supervisor@switch: cfg> set access access-profile
  <profile-name>        Name of the access profile

supervisor@switch: cfg> set access access-profile pppoe-dual
  <cr>
  address-family        Address-family configuration
  instance              Instance name
  protocol              Protocol configuration
Attribute Description

instance

Change routing instance.

Default: default

The following examples show typical access profiles for PPPoE and IPoE with IPv4 and IPv6.

PPPoE with IPv4 and IPv6:

supervisor@switch: cfg> show config access access-profile pppoe-dual
{
  "rtbrick-config:access-profile": {
    "profile-name": "pppoe-dual",
    "instance": "default",
    "protocol": {
      "pppoe": {
        "enable": "true",
        "session-protection": {
          "enable": "true"
        },
        "vlan-priority": 6
      },
      "ppp": {
        "lcp": {
          "authentication-protocol": "PAP_CHAP",
          "echo-interval": 30,
          "echo-max-retransmit": 3,
          "echo-enable": "true"
        },
        "ipcp": {
          "enable": "true",
          "source-ifl": "lo-0/0/0/1"
        },
        "ip6cp": {
          "enable": "true"
        }
      },
      "ra": {
        "enable": "true",
        "interval": 60
      },
      "dhcpv6": {
        "enable": "true"
      },
      "l2tp": {
        "tunnel-profile": "l2tp-default"
      }
    },
    "address-family": {
      "ipv4": {
        "enable": "true",
        "primary-dns": "198.51.100.1",
        "secondary-dns": "198.51.100.4"
      },
      "ipv6": {
        "enable": "true",
        "primary-dns": "2001:db8:0:100::",
        "secondary-dns": "2001:db8:0:104::"
      }
    }
  }
}

IPoE with IPv4 and IPv6:

supervisor@switch: cfg> show config access access-profile ipoe-dual
{
  "rtbrick-config:access-profile":{
    "profile-name":"ipoe",
    "protocol":{
      "dhcp":{
        "enable":"true",
        "mode":"server"
      },
      "dhcpv6":{
        "enable":"true",
        "mode":"server"
      }
    },
    "address-family":{
      "ipv4":{
        "enable":"true",
        "proxy-arp-enable": "true",
        "pool-name":"ipoe",
        "primary-dns":"198.51.100.1",
        "secondary-dns":"198.51.100.4"
      },
      "ipv6":{
        "enable":"true",
        "pool-name":"ipoe-ia-na",
        "prefix-delegation-pool-name":"ipoe-ia-pd",
        "primary-dns": "2001:db8:0:100::",
        "secondary-dns": "2001:db8:0:104::"
      }
    }
  }
}

Configuring IPv4

The address family IPv4 must be explicitly enabled in the access profile to be available for access protocols like PPP (PPPoE) or DHCP (IPoE).

supervisor@switch: cfg> set access access-profile pppoe-dual address-family ipv4
  <cr>
  enable                Enable IPv4
  pool-name             Local IPv4 pool name
  primary-dns           Primary DNS server
  proxy-arp-enable      Enable Proxy ARP
  secondary-dns         Secondary DNS server
  static-ipv4           Static address
  dad-enable            Enable/disable IPv4 duplicate address detection (Enabled by default)
Attribute Description

enable

Enable IPv4

Default: false

pool-name

The optional pool-name attribute allows assigning the IPv4 address from a locally managed pool as described in Address Pool Configuration. This address is used by protocols like PPP IPCP (PPPoE) or DHCP (IPoE) as a client or peer IPv4 address.

primary-dns

secondary-dns

The primary-dns and secondary-dns servers configured are used by protocols like PPP (PPPoE) or DHCP (IPoE) and advertised to the client.

proxy-arp-enable

Enable/disable proxy ARP support for IPoE subscribers.
When proxy ARP is enabled and the BNG device receives an ARP request from a subscriber for a target (destination) IP address to which it has a route, the BNG device responds with a proxy ARP reply packet containing its own MAC address. The host/subscriber that sent the ARP request then sends the packets for that destination to the BNG, which forwards them to the intended destination.

Default: NONE.

static-ipv4

The attribute static-ipv4 assigns a fixed static IPv4 address to all clients using this profile.

This feature should be used only with caution.

dad-enable

Enable/disable IPv4 duplicate address detection

Default: true

Configuring IPv6

The address family IPv6 must be explicitly enabled in the access profile to be available for access protocols like PPP (PPPoE) or DHCP (IPoE).

supervisor@switch: cfg> set access access-profile pppoe-dual address-family ipv6
  <cr>
  enable                       Enable IPv6
  pool-name                    Local IPv6 pool name
  prefix-delegation-pool-name  Local IPv6 prefix delegation pool name
  primary-dns                  Primary DNS server
  secondary-dns                Secondary DNS server
  dad-enable                   Enable/disable IPv6 duplicate address detection (Enabled by default)
Attribute Description

enable

Enable IPv6

Default: false

pool-name

prefix-delegation-pool-name

The optional pool-name attribute allows assigning the IPv6 prefix from a locally managed pool as described in Address Pool Configuration. This prefix is advertised to the client by ICMPv6 router-advertisements, whereas prefixes from the optional prefix-delegation-pool-name are advertised by DHCPv6 as delegated prefixes (IA_PD).

primary-dns

secondary-dns

The primary-dns and secondary-dns servers configured are used by protocols like ICMPv6 router-advertisements or DHCPv6 and advertised to the client.

dad-enable

Enable/disable IPv6 duplicate address detection

Default: true

IPv6 Router-Advertisement

supervisor@switch: cfg> set access access-profile pppoe-dual protocol ra
  <cr>
  enable                Enable IPv6 router-advertisement
  interval              Interval
  lifetime              Lifetime
  preferred-lifetime    Preferred lifetime
Attribute Description

enable

Enable IPv6 router-advertisement.

Default: false

interval

IPv6 router-advertisements interval in seconds.

Default: 0 (disabled)

lifetime

The valid lifetime for the prefix in seconds.

Default: 14400

preferred-lifetime

The preferred lifetime for the prefix in seconds.

Default: 1800

DHCPv4

supervisor@switch: cfg> set access access-profile ipoe-dual protocol dhcp
  <cr>
  enable                Enable DHCP
  lease-time            DHCP lease time in seconds
  mode                  DHCP mode
Attribute Description

enable

Enable DHCP.

Default: false

dhcp-mode

This option defines the DHCP mode. In server mode, DHCP requests are handled locally; in relay and proxy mode, they are forwarded to the configured servers. The only difference between relay and proxy is that proxy hides the actual DHCP server.

Default: server Values: server, relay, proxy

Proxy mode is currently not supported.

lease-time

The lease time for the address in seconds.

Default: 300

dhcp-server

Configure global DHCP server.

DHCPv6

supervisor@switch: cfg> set access access-profile pppoe-dual protocol dhcpv6
  <cr>
  enable                Enable DHCPv6
  lifetime              Lifetime
  preferred-lifetime    Preferred lifetime
  mode                  DHCPv6 mode
Attribute Description

enable

Enable DHCPv6.

Default: false

mode

This option defines the DHCPv6 mode. In server mode, DHCPv6 requests are handled locally; in relay and proxy mode, they are forwarded to the configured servers. The only difference between relay and proxy is that proxy hides the actual DHCPv6 server.

Default: server Values: server, relay, proxy

lifetime

The valid lifetime for IPv6 prefixes in seconds.

Default: 14400

preferred-lifetime

The preferred lifetime for IPv6 prefixes in seconds. This value should be less than or equal to the valid lifetime; otherwise, RBFS will adjust the preferred lifetime to be equal to the valid lifetime.

The values for T1 and T2 are 0.5 and 0.8 times the shortest preferred-lifetime.

Default: 1800

dhcpv6-server

Configure DHCPv6 server.

Configuring PPPoE and PPP

The protocol PPPoE must be explicitly enabled in the access profile in order to allow PPPoE sessions.

supervisor@switch: cfg> set access access-profile pppoe-dual protocol pppoe enable true

PPPoE

The PPPoE configuration allows changing the default behavior of the PPPoE protocol.

supervisor@switch: cfg> set access access-profile pppoe-dual protocol pppoe
  <cr>
  enable                Enable PPPoE
  max-outstanding       Maximum outstanding PPPoE sessions
  session-protection    PPPoE session protection
Attribute Description

enable

Enable PPPoE.

Default: false

max-outstanding

Maximum outstanding PPPoE sessions.

Default: 64 Range: 1 - 65535

If PPPoE session protection is enabled, short-lived or failed sessions will be logged. Every session not established for at least 60 seconds by default (min-uptime) is considered a failed or short-lived session. This will block new sessions on this IFP and VLANs for one second by default (min-lockout), increasing exponentially with any further failed session until the maximum time of 300 seconds (max-lockout) is reached. The interval is reset after 900 seconds without failed sessions (currently not configurable).

PPPoE session protection logs the last subscriber-id and the terminate code, which indicates the reason for session failures.

supervisor@switch: cfg> set access access-profile pppoe-dual protocol pppoe session-protection
  <cr>
  enable                Enable PPPoE session protection
  max-lockout           Session protection maximum lockout time in seconds
  min-lockout           Session protection minimum lockout time in seconds
  min-uptime            Session protection minimum uptime in seconds
Attribute Description

enable

Enable PPPoE session protection.

Default: false

min-lockout

Session protection min lockout time (seconds).

Default: 1

max-lockout

Session protection max lockout time (seconds).

Default: 300

min-uptime

Sessions with an uptime less than this value (in seconds) will trigger protection.

Default: 60
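
The lockout schedule described above can be modelled as follows. This is an added example, not RBFS code; it uses the defaults from this page and assumes that "increasing exponentially" means doubling per failed session, which the page does not specify. The names SessionProtection and simulate_flapping are hypothetical.

```python
# Added example (not RBFS code): model of the lockout schedule described above.
from dataclasses import dataclass
from typing import Optional

RESET_AFTER = 900  # seconds without failed sessions; fixed per the page


@dataclass
class SessionProtection:
    min_uptime: int = 60     # page default
    min_lockout: int = 1     # page default
    max_lockout: int = 300   # page default
    failures: int = 0
    last_failure: Optional[float] = None
    locked_until: float = 0.0

    def allows(self, now: float) -> bool:
        """True if a new session may start on this IFP/VLAN at time `now`."""
        return now >= self.locked_until

    def session_ended(self, start: float, end: float) -> int:
        """Record a session ending at `end`; return the lockout applied (seconds)."""
        if end - start >= self.min_uptime:
            return 0  # established long enough: not a failed session
        if self.last_failure is not None and end - self.last_failure >= RESET_AFTER:
            self.failures = 0  # quiet period elapsed: back to min-lockout
        # ASSUMPTION: "exponentially" is modelled as doubling per failure.
        lockout = min(self.min_lockout * 2 ** self.failures, self.max_lockout)
        self.failures += 1
        self.last_failure = end
        self.locked_until = end + lockout
        return lockout


def simulate_flapping(attempts: int, session_len: float = 2.0) -> list:
    """Client whose sessions die after `session_len` s and who retries at once."""
    prot, now, lockouts = SessionProtection(), 0.0, []
    for _ in range(attempts):
        now = max(now, prot.locked_until)  # wait out any active lockout
        end = now + session_len
        lockouts.append(prot.session_ended(now, end))
        now = end
    return lockouts


if __name__ == "__main__":
    print(simulate_flapping(10))
```

Under the doubling assumption, a continuously failing client reaches max-lockout at its tenth failed session, and never resets as long as it keeps retrying within 900 seconds.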

PPP LCP

The PPP Link Control Protocol (LCP) configuration allows changing the default behavior of the LCP protocol.

supervisor@switch: cfg> set access access-profile pppoe-dual protocol ppp lcp
  <cr>
  authentication-protocol  Authentication protocol
  config-nak-max           Max configure-reject/nak <1-255>
  echo-enable              Enable echo requests
  echo-interval            Echo interval in seconds <1-255>
  echo-max-retransmit      Echo maximum retries <1-255>
  lcp-loop-detection       Loop detection
  mru                      Maximum local MRU <1280-1500>
  mru-negotiation          MRU negotiation
  mtu                      Maximum local MTU <1280-1500>
  retransmit-interval      Retransmit interval in seconds <1-255>
  retransmit-max           Maximum retries <1-255>
Attribute Description

authentication-protocol

By default, PPP authentication is set to PAP_CHAP. This can be changed by setting the authentication protocol to either PAP, CHAP, PAP_CHAP or CHAP_PAP. The Password Authentication Protocol (PAP) is defined in RFC 1334 and receives the password as a plaintext value from the client. The Challenge Handshake Authentication Protocol (CHAP) is defined in RFC 1994 and provides a more secure way to authenticate the client without exchanging plaintext secrets. The option PAP_CHAP offers PAP first, with a fallback to CHAP if PAP is rejected by the client. Alternatively, the option CHAP_PAP starts with CHAP and falls back to PAP if CHAP is rejected by the client.

Default: PAP_CHAP

echo-enable

By default, RBFS responds to received LCP echo requests but does not send echo requests itself until echo-enable is set to true.

Default: false

echo-interval

LCP echo request interval in seconds.

Default: 30 Range: 1 - 255

echo-max-retransmit

LCP echo request retransmissions.

Default: 3 Range: 1 - 255

mru-negotiation

Negotiate MRU

Default: true

mru

Maximum local MRU (peer MTU)

Default: 1492 Range: 1280 - 1500

mtu

Maximum local MTU (peer MRU)

Default: 1492 Range: 1280 - 1500

lcp-loop-detection

The negotiation and validation of magic numbers are enabled per default and can be disabled by setting lcp-loop-detection to false. It is not recommended to change this option!

Default: true

retransmit-interval

The LCP request retransmit interval.

Default: 5 Range: 1 - 255

retransmit-max

The maximum number of LCP request retransmissions before the session is terminated if no response is received.

Default: 3 Range: 1 - 255

config-nak-max

The option config-nak-max defines the maximum PPP LCP configuration reject/nak messages that can be sent or received before the session is terminated.

Default: 16 Range: 1 - 255
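
A check over the settings this page singles out (session-protection, authentication-protocol, lcp-loop-detection, static-ipv4 and the DHCPv6 lifetimes), applied to a profile in the JSON form shown earlier. This is an added example, not RBFS code; the function name and the sample profile are constructed, and JSON keys that do not appear in the page's samples are assumed to mirror the CLI attribute names.

```python
# Added example (not RBFS code): audit an access profile for settings this page flags.
# ASSUMPTION: keys absent from the page's JSON samples (lcp-loop-detection,
# static-ipv4, lifetime, preferred-lifetime) mirror the CLI attribute names.
import json

SAMPLE = json.loads("""
{"rtbrick-config:access-profile": {
  "profile-name": "pppoe-example",
  "protocol": {
    "pppoe": {"enable": "true"},
    "ppp": {"lcp": {"authentication-protocol": "PAP_CHAP",
                    "lcp-loop-detection": "false"}},
    "dhcpv6": {"enable": "true", "lifetime": 1800, "preferred-lifetime": 3600}
  },
  "address-family": {"ipv4": {"enable": "true", "static-ipv4": "192.0.2.10"}}
}}
""")  # constructed sample, not a real device configuration


def _true(value):
    return str(value).lower() == "true"


def audit_access_profile(doc):
    """Return findings for one profile, applying the defaults documented on this page."""
    prof = doc["rtbrick-config:access-profile"]
    proto = prof.get("protocol", {})
    findings = []
    pppoe = proto.get("pppoe", {})
    if _true(pppoe.get("enable", "false")):
        if not _true(pppoe.get("session-protection", {}).get("enable", "false")):
            findings.append("pppoe: session-protection is disabled (default: false)")
        lcp = proto.get("ppp", {}).get("lcp", {})
        auth = lcp.get("authentication-protocol", "PAP_CHAP")
        if auth in ("PAP", "PAP_CHAP"):
            findings.append(f"lcp: {auth} offers PAP first; PAP receives the password in plaintext")
        elif auth == "CHAP_PAP":
            findings.append("lcp: CHAP_PAP falls back to PAP if the client rejects CHAP")
        if not _true(lcp.get("lcp-loop-detection", "true")):
            findings.append("lcp: lcp-loop-detection is disabled (not recommended)")
    if "static-ipv4" in prof.get("address-family", {}).get("ipv4", {}):
        findings.append("ipv4: static-ipv4 assigns the same address to all clients of this profile")
    d6 = proto.get("dhcpv6", {})
    if d6.get("preferred-lifetime", 1800) > d6.get("lifetime", 14400):
        findings.append("dhcpv6: preferred-lifetime exceeds lifetime; RBFS adjusts it down")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_access_profile(SAMPLE)))
```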

PPP IPCP

The address-family ipv4 and the protocol ppp ipcp must be explicitly enabled to use IPv4 over PPPoE. Additionally, the mandatory source-ifl option must be configured to derive the local IPv4 address from this logical interface.

supervisor@switch: cfg> set access access-profile pppoe-dual protocol ppp ipcp
  <cr>
  config-nak-max        Max configure-reject/nak <1-255>
  enable                Enable PPP IPCP
  passive               Passive mode
  retransmit-interval   Retransmit interval in seconds <1-255>
  retransmit-max        Maximum retries <1-255>
  source-ifl            Source IFL
Attribute Description

enable

Enable IPCP

Default: false

passive

IPCP passive mode

Default: false

source-ifl

This mandatory option must be configured to derive the local IPv4 address from this logical interface. This option should be set to the loopback interface of the corresponding routing instance. It is crucial to understand that choosing a source-ifl from a different routing instance will not modify the subscriber's assigned routing instance. Moreover, the routing instance can be altered via a RADIUS Access-Accept message without affecting the source-ifl. This means that the source-ifl can still be used to derive the local IPv4 address, even if it belongs to a different routing instance. Consequently, while it is not obligatory, it is recommended to configure the same loopback address across all routing instances where a subscriber might be located.

retransmit-interval

The IPCP request retransmit interval.

Default: 5 Range: 1 - 255

retransmit-max

The maximum number of IPCP request retransmissions before the session is terminated if no response is received.

Default: 8 Range: 1 - 255

config-nak-max

The option config-nak-max defines the maximum PPP IPCP configuration reject/nak messages that can be sent or received before the session is terminated.

Default: 8 Range: 1 - 255

PPP IP6CP

Both the address-family ipv6 and the protocol ppp ip6cp must be explicitly enabled in order to use IPv6 over PPPoE.

supervisor@switch: cfg> set access access-profile pppoe-dual protocol ppp ip6cp
  <cr>
  config-nak-max        Max configure-reject/nak <1-255>
  enable                Enable PPP IP6CP
  passive               Passive mode
  retransmit-interval   Retransmit interval in seconds <1-255>
  retransmit-max        Maximum retries <1-255>
Attribute Description

enable

Enable IP6CP

Default: false

passive

IP6CP passive mode

Default: false

retransmit-interval

The IP6CP request retransmit interval.

Default: 5 Range: 1 - 255

retransmit-max

The maximum number of IP6CP request retransmissions before the session is terminated if no response is received.

Default: 8 Range: 1 - 255

config-nak-max

The option config-nak-max defines the maximum PPP IP6CP configuration reject/nak messages that can be sent or received before the session is terminated.

Default: 6 Range: 1 - 255