Access Profile Configuration
While it is mandatory to configure an interface with an access profile name, such as pppoe-dual, it is still necessary to configure the properties and parameters of the access profile itself.
The picture below shows how the access profile configuration is related to all subscriber management configuration tasks.
Configuring the Access Profile
    supervisor@switch: cfg> set access access-profile
      <profile-name>        Name of the access profile

    supervisor@switch: cfg> set access access-profile pppoe-dual
      <cr>
      address-family        Address-family configuration
      instance              Instance name
      protocol              Protocol configuration
Attribute | Description |
---|---|
instance | Change routing instance. Default: default |
The following examples show typical access profiles for PPPoE and IPoE with IPv4 and IPv6.
PPPoE with IPv4 and IPv6:
    supervisor@switch: cfg> show config access access-profile pppoe-dual
    {
      "rtbrick-config:access-profile": {
        "profile-name": "pppoe-dual",
        "instance": "default",
        "protocol": {
          "pppoe": {
            "enable": "true",
            "session-protection": {
              "enable": "true"
            },
            "vlan-priority": 6
          },
          "ppp": {
            "lcp": {
              "authentication-protocol": "PAP_CHAP",
              "echo-interval": 30,
              "echo-max-retransmit": 3,
              "echo-enable": "true"
            },
            "ipcp": {
              "enable": "true",
              "source-ifl": "lo-0/0/0/1"
            },
            "ip6cp": {
              "enable": "true"
            }
          },
          "ra": {
            "enable": "true",
            "interval": 60
          },
          "dhcpv6": {
            "enable": "true"
          },
          "l2tp": {
            "tunnel-profile": "l2tp-default"
          }
        },
        "address-family": {
          "ipv4": {
            "enable": "true",
            "primary-dns": "198.51.100.1",
            "secondary-dns": "198.51.100.4"
          },
          "ipv6": {
            "enable": "true",
            "primary-dns": "2001:db8:0:100::",
            "secondary-dns": "2001:db8:0:104::"
          }
        }
      }
    }
IPoE with IPv4 and IPv6:
    supervisor@switch: cfg> show config access access-profile ipoe-dual
    {
      "rtbrick-config:access-profile": {
        "profile-name": "ipoe",
        "protocol": {
          "dhcp": {
            "enable": "true",
            "mode": "server"
          },
          "dhcpv6": {
            "enable": "true",
            "mode": "server"
          }
        },
        "address-family": {
          "ipv4": {
            "enable": "true",
            "proxy-arp-enable": "true",
            "pool-name": "ipoe",
            "primary-dns": "198.51.100.1",
            "secondary-dns": "198.51.100.4"
          },
          "ipv6": {
            "enable": "true",
            "pool-name": "ipoe-ia-na",
            "prefix-delegation-pool-name": "ipoe-ia-pd",
            "primary-dns": "2001:db8:0:100::",
            "secondary-dns": "2001:db8:0:104::"
          }
        }
      }
    }
Configuring IPv4
The address family IPv4 must be explicitly enabled in the access profile to be available for access protocols like PPP (PPPoE) or DHCP (IPoE).
    supervisor@switch: cfg> set access access-profile pppoe-dual address-family ipv4
      <cr>
      enable                Enable IPv4
      pool-name             Local IPv4 pool name
      primary-dns           Primary DNS server
      proxy-arp-enable      Enable Proxy ARP
      secondary-dns         Secondary DNS server
      static-ipv4           Static address
      dad-enable            Enable/disable IPv4 duplicate address detection (Enabled by default)
Attribute | Description |
---|---|
enable | Enable IPv4. Default: false |
pool-name | The optional pool-name attribute allows assigning the IPv4 address from a local managed pool as described in Address Pool Configuration. This address is used by protocols like PPP IPCP (PPPoE) or DHCP (IPoE) as a client or peer IPv4 address. |
primary-dns, secondary-dns | The primary-dns and secondary-dns servers configured are used by protocols like PPP (PPPoE) or DHCP (IPoE) and advertised to the client. |
proxy-arp-enable | Enable/disable proxy ARP support for IPoE subscribers. Default: NONE. |
static-ipv4 | The attribute static-ipv4 assigns a fixed static IPv4 address to all clients using this profile. |
dad-enable | Enable/disable IPv4 duplicate address detection. Default: true |
Configuring IPv6
The address family IPv6 must be explicitly enabled in the access profile to be available for access protocols like PPP (PPPoE) or DHCP (IPoE).
    supervisor@switch: cfg> set access access-profile pppoe-dual address-family ipv6
      <cr>
      enable                        Enable IPv6
      pool-name                     Local IPv6 pool name
      prefix-delegation-pool-name   Local IPv6 prefix delegation pool name
      primary-dns                   Primary DNS server
      secondary-dns                 Secondary DNS server
      dad-enable                    Enable/disable IPv6 duplicate address detection (Enabled by default)
Attribute | Description |
---|---|
enable | Enable IPv6. Default: false |
pool-name, prefix-delegation-pool-name | The optional pool-name attribute allows assigning the IPv6 prefix from a locally managed pool as described in Address Pool Configuration. This prefix is advertised to the client by ICMPv6 router-advertisements, whereas prefixes from the optional prefix-delegation-pool-name are advertised by DHCPv6 as delegated prefixes (IA_PD). |
primary-dns, secondary-dns | The primary-dns and secondary-dns servers configured are used by protocols like ICMPv6 router-advertisements or DHCPv6 and advertised to the client. |
dad-enable | Enable/disable IPv6 duplicate address detection. Default: true |
IPv6 Router-Advertisement
    supervisor@switch: cfg> set access access-profile pppoe-dual protocol ra
      <cr>
      enable                Enable IPv6 router-advertisement
      interval              Interval
      lifetime              Lifetime
      preferred-lifetime    Preferred lifetime
Attribute | Description |
---|---|
enable | Enable IPv6 router-advertisement. Default: false |
interval | IPv6 router-advertisements interval in seconds. Default: 0 (disabled) |
lifetime | The valid lifetime for the prefix in seconds. Default: 14400 |
preferred-lifetime | The preferred lifetime for the prefix in seconds. Default: 1800 |
DHCPv4
    supervisor@switch: cfg> set access access-profile ipoe-dual protocol dhcp
      <cr>
      enable                Enable DHCP
      lease-time            DHCP lease time in seconds
      mode                  DHCP mode
Attribute | Description |
---|---|
enable | Enable DHCP. Default: false |
dhcp-mode | This option defines the DHCP mode: server handles DHCP requests locally, while relay and proxy forward them to the configured servers. The only difference between relay and proxy is that proxy hides the actual DHCP server. Default: server. Values: server, relay, proxy |
lease-time | The lease time for the address in seconds. Default: 300 |
dhcp-server | Configure global DHCP server. |
DHCPv6
    supervisor@switch: cfg> set access access-profile pppoe-dual protocol dhcpv6
      <cr>
      enable                Enable DHCPv6
      lifetime              Lifetime
      preferred-lifetime    Preferred lifetime
      mode                  DHCPv6 mode
Attribute | Description |
---|---|
enable | Enable DHCPv6. Default: false |
mode | This option defines the DHCPv6 mode: server handles DHCPv6 requests locally, while relay and proxy forward them to the configured servers. The only difference between relay and proxy is that proxy hides the actual DHCPv6 server. Default: server. Values: server, relay, proxy |
lifetime | The valid lifetime for IPv6 prefixes in seconds. Default: 14400 |
preferred-lifetime | The preferred lifetime for IPv6 prefixes in seconds. This value should be less than or equal to the valid lifetime; otherwise, RBFS will adjust the preferred lifetime to be equal to the valid lifetime. The values for T1 and T2 are 0.5 and 0.8 times the shortest preferred-lifetime. Default: 1800 |
dhcpv6-server | Configure DHCPv6 server. |
Configuring PPPoE and PPP
The protocol PPPoE must be explicitly enabled in the access profile in order to allow PPPoE sessions.
supervisor@switch: cfg> set access access-profile pppoe-dual protocol pppoe enable true
PPPoE
The PPPoE configuration allows changing the default behavior of the PPPoE protocol.
    supervisor@switch: cfg> set access access-profile pppoe-dual protocol pppoe
      <cr>
      enable                Enable PPPoE
      max-outstanding       Maximum outstanding PPPoE sessions
      session-protection    PPPoE session protection
Attribute | Description |
---|---|
enable | Enable PPPoE. Default: false |
max-outstanding | Maximum outstanding PPPoE sessions. Default: 64. Range: 1 - 65535 |
If PPPoE session protection is enabled, short-lived or failed sessions will be logged. Every session that does not stay established for at least 60 seconds by default (min-uptime) is considered a failed or short-lived session. Such a session blocks new sessions on this IFP and VLANs for one second by default (min-lockout), and the lockout increases exponentially with every further failed session until the maximum time of 300 seconds (max-lockout) is reached. The interval is reset after 900 seconds without failed sessions (currently not configurable).
PPPoE session protection logs the last subscriber-id and the terminate code, which indicates the reason for the session failure.
    supervisor@switch: cfg> set access access-profile pppoe-dual protocol pppoe session-protection
      <cr>
      enable                Enable PPPoE session protection
      max-lockout           Session protection maximum lockout time in seconds
      min-lockout           Session protection minimum lockout time in seconds
      min-uptime            Session protection minimum uptime in seconds
Attribute | Description |
---|---|
enable | Enable PPPoE session protection. Default: false |
min-lockout | Session protection min lockout time (seconds). Default: 1 |
max-lockout | Session protection max lockout time (seconds). Default: 300 |
min-uptime | Session with an uptime less than this will trigger protection (seconds). Default: 60 |
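
A small model of the lockout behaviour described above, added here as an illustration and not RBFS code. The defaults are the documented ones; the class and function names are hypothetical, and the doubling factor is an assumption, since the text only says the lockout grows exponentially.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SessionProtection:
    """Lockout state for one IFP/VLAN, following the behaviour described above."""
    min_uptime: int = 60       # documented default, seconds
    min_lockout: int = 1       # documented default, seconds
    max_lockout: int = 300     # documented default, seconds
    reset_after: int = 900     # documented, currently not configurable
    growth: int = 2            # ASSUMPTION: "exponentially" modelled as doubling
    failures: int = 0
    last_failure: Optional[float] = None
    blocked_until: float = 0.0

    def admit(self, now: float) -> bool:
        """True if a new session may be set up at time `now`."""
        return now >= self.blocked_until

    def session_ended(self, start: float, end: float) -> int:
        """Record a finished session and return the lockout it caused (0 = none)."""
        if self.last_failure is not None and end - self.last_failure >= self.reset_after:
            self.failures = 0                       # 900 s without failures: start over
        if end - start >= self.min_uptime:
            return 0                                # long enough, not a failed session
        lockout = min(self.min_lockout * self.growth ** self.failures, self.max_lockout)
        self.failures += 1
        self.last_failure = end
        self.blocked_until = end + lockout
        return lockout

def lockout_schedule(attempts: int, uptime: float = 2.0, **settings) -> list:
    """Lockouts seen by a client that retries as soon as it is allowed to.
    Constructed scenario: every session fails after `uptime` seconds."""
    sp, now, seen = SessionProtection(**settings), 0.0, []
    for _ in range(attempts):
        now = max(now, sp.blocked_until)
        seen.append(sp.session_ended(now, now + uptime))
        now += uptime
    return seen
```

With the defaults, `lockout_schedule(11)` reaches the 300-second cap on the tenth consecutive failure, which is the point where a flapping or misconfigured CPE is held to roughly one setup attempt every five minutes.
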
PPP LCP
The PPP Link Control Protocol (LCP) configuration allows changing the default behavior of the LCP protocol.
    supervisor@switch: cfg> set access access-profile pppoe-dual protocol ppp lcp
      <cr>
      authentication-protocol   Authentication protocol
      config-nak-max            Max configure-reject/nak <1-255>
      echo-enable               Enable echo requests
      echo-interval             Echo interval in seconds <1-255>
      echo-max-retransmit       Echo maximum retries <1-255>
      lcp-loop-detection        Loop detection
      mru                       Maximum local MRU <1280-1500>
      mru-negotiation           MRU negotiation
      mtu                       Maximum local MTU <1280-1500>
      retransmit-interval       Retransmit interval in seconds <1-255>
      retransmit-max            Maximum retries <1-255>
Attribute | Description |
---|---|
authentication-protocol | The PPP authentication protocol. Default: PAP_CHAP |
echo-enable | By default, RBFS responds to received LCP echo requests but does not send its own until echo-enable is set to true. Default: true |
echo-interval | LCP echo request interval in seconds. Default: 30. Range: 1 - 255 |
echo-max-retransmit | LCP echo request retransmissions. Default: 3. Range: 1 - 255 |
mru-negotiation | Negotiate MRU. Default: true |
mru | Maximum local MRU (peer MTU). Default: 1492. Range: 1280 - 1500 |
mtu | Maximum local MTU (peer MRU). Default: 1492. Range: 1280 - 1500 |
lcp-loop-detection | The negotiation and validation of magic numbers are enabled by default and can be disabled by setting lcp-loop-detection to false. It is not recommended to change this option! Default: true |
retransmit-interval | The LCP request retransmit interval. Default: 5. Range: 1 - 255 |
retransmit-max | The number of LCP request retransmissions before the session is terminated if no response is received. Default: 3. Range: 1 - 255 |
config-nak-max | The option config-nak-max defines the maximum PPP LCP configuration reject/nak messages that can be sent or received before the session is terminated. Default: 16. Range: 1 - 255 |
PPP IPCP
The address-family ipv4 and the protocol ppp ipcp must be explicitly enabled to use IPv4 over PPPoE. Additionally, the mandatory source-ifl option must be configured to derive the local IPv4 address from this logical interface.
    supervisor@switch: cfg> set access access-profile pppoe-dual protocol ppp ipcp
      <cr>
      config-nak-max        Max configure-reject/nak <1-255>
      enable                Enable PPP IPCP
      passive               Passive mode
      retransmit-interval   Retransmit interval in seconds <1-255>
      retransmit-max        Maximum retries <1-255>
      source-ifl            Source IFL
Attribute | Description |
---|---|
enable | Enable IPCP. Default: false |
passive | IPCP passive mode. Default: false |
source-ifl | This mandatory option must be configured to derive the local IPv4 address from this logical interface. This option should be set to the loopback interface of the corresponding routing instance. It is crucial to understand that choosing a source-ifl from a different routing instance will not modify the subscriber's assigned routing instance. Moreover, the routing instance can be altered via a RADIUS Access-Accept message without affecting the source-ifl. This means that the source-ifl can still be used to derive the local IPv4 address, even if it belongs to a different routing instance. Consequently, while it is not obligatory, it is recommended to configure the same loopback address across all routing instances where a subscriber might be located. |
retransmit-interval | The IPCP request retransmit interval. Default: 5. Range: 1 - 255 |
retransmit-max | The number of IPCP request retransmissions before the session is terminated if no response is received. Default: 8. Range: 1 - 255 |
config-nak-max | The option config-nak-max defines the maximum PPP IPCP configuration reject/nak messages that can be sent or received before the session is terminated. Default: 8. Range: 1 - 255 |
PPP IP6CP
Both the address-family ipv6 and the protocol ppp ip6cp must be explicitly enabled in order to use IPv6 over PPPoE.
    supervisor@switch: cfg> set access access-profile pppoe-dual protocol ppp ip6cp
      <cr>
      config-nak-max        Max configure-reject/nak <1-255>
      enable                Enable PPP IP6CP
      passive               Passive mode
      retransmit-interval   Retransmit interval in seconds <1-255>
      retransmit-max        Maximum retries <1-255>
Attribute | Description |
---|---|
enable | Enable IP6CP. Default: false |
passive | IP6CP passive mode. Default: false |
retransmit-interval | The IP6CP request retransmit interval. Default: 5. Range: 1 - 255 |
retransmit-max | The number of IP6CP request retransmissions before the session is terminated if no response is received. Default: 8. Range: 1 - 255 |
config-nak-max | The option config-nak-max defines the maximum PPP IP6CP configuration reject/nak messages that can be sent or received before the session is terminated. Default: 6. Range: 1 - 255 |
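
The dependencies and ranges stated in the sections above can be checked before a profile is committed. The following linter is an added example, not part of RBFS: `lint_profile`, `RANGES` and the sample profile are hypothetical, and it assumes that JSON keys not shown in the page's `show config` output (`mru`, `mtu`, `max-outstanding`, `lcp-loop-detection`, `lifetime`, `preferred-lifetime`) carry the same names as the CLI attributes.

```python
import json

# Documented ranges from the attribute tables, keyed by path under "protocol".
RANGES = {("pppoe", "max-outstanding"): (1, 65535),
          ("ppp", "lcp", "mru"): (1280, 1500),
          ("ppp", "lcp", "mtu"): (1280, 1500)}

def get(node, *path, default=None):
    for key in path:                      # walk nested dicts, tolerate absent keys
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def on(node, *path, default=False):
    # Flags appear as the strings "true"/"false" in the show config output.
    return str(get(node, *path, default=default)).lower() == "true"

def lint_profile(text):
    p = json.loads(text)["rtbrick-config:access-profile"]
    proto, out = p.get("protocol", {}), []
    for family, ncp in (("ipv4", "ipcp"), ("ipv6", "ip6cp")):
        if on(proto, "ppp", ncp, "enable") and not on(p, "address-family", family, "enable"):
            out.append(f"error: {ncp} enabled but address-family {family} is not")
    if on(proto, "ppp", "ipcp", "enable") and not get(proto, "ppp", "ipcp", "source-ifl"):
        out.append("error: ipcp enabled without mandatory source-ifl")
    for path, (low, high) in RANGES.items():
        value = get(proto, *path)
        if value is not None and not low <= int(value) <= high:
            out.append(f"error: {path[-1]}={value} outside {low}-{high}")
    if on(proto, "pppoe", "enable") and not on(proto, "pppoe", "session-protection", "enable"):
        out.append("warn: pppoe enabled, session-protection is not (default: false)")
    # ASSUMPTION: JSON keys mirror the CLI attribute names (mru, lcp-loop-detection).
    if not on(proto, "ppp", "lcp", "lcp-loop-detection", default=True):
        out.append("warn: lcp-loop-detection disabled (not recommended)")
    valid = int(get(proto, "dhcpv6", "lifetime", default=14400))
    preferred = int(get(proto, "dhcpv6", "preferred-lifetime", default=1800))
    if preferred > valid:                 # RBFS would clamp preferred to valid
        out.append(f"warn: dhcpv6 preferred-lifetime {preferred} > lifetime {valid}")
    return out

# Constructed sample profile (not from the page) containing several of these problems.
SAMPLE = json.dumps({"rtbrick-config:access-profile": {
    "profile-name": "lint-demo", "address-family": {"ipv6": {"enable": "true"}},
    "protocol": {
        "pppoe": {"enable": "true"},
        "ppp": {"lcp": {"mru": 1600, "lcp-loop-detection": "false"},
                "ipcp": {"enable": "true"}, "ip6cp": {"enable": "true"}},
        "dhcpv6": {"lifetime": 1200, "preferred-lifetime": 1800}}}})
```

Running `lint_profile(SAMPLE)` returns three errors and three warnings, while the pppoe-dual profile shown earlier on this page produces no findings.
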