Configuring a Dynamic Interface from a Profile

You define profiles by using CLI commands similar to the ones you would use to configure static interfaces. When configuring profiles, you have the option of choosing to specify every layer explicitly or to specify a subset of layers.

When a dynamic interface is configured, the configuration data received from the RADIUS authentication server typically overrides configuration data obtained from a profile.

In contrast to static PPP interfaces (above which only dynamic IP interfaces may be created), static ATM 1483 subinterfaces support recognition and creation of the following upper dynamic interface types or encapsulations: bridged Ethernet, IP, IPv6, Multilink PPP, PPP, and PPPoE interfaces. The encapsulation type is identified by means of the auto-configure command. For flexibility, the router offers the ability to configure an ATM 1483 subinterface with distinct profile assignments for each encapsulation type supported by the auto-configure command.

Each profile typically contains configuration attributes for the expected encapsulation, in addition to attributes for other higher-interface layers through IP. If your configuration of upper layers is intended to be different depending on which incoming encapsulation is received by the ATM 1483 subinterface, then you should configure and assign separate profiles for each encapsulation type. If your configuration of upper layers is the same for more than one encapsulation type, you can configure one profile and assign it for those encapsulation types.

Profile Characteristics

Currently, profiles support bridged Ethernet, IP, IPv6, Multilink PPP, PPP, and PPPoE interfaces. You create a profile with a specific set of characteristics. You then assign the profile to multiple interfaces instead of creating separate interfaces with identical attributes. Once you create a profile, you can assign it to static ATM 1483 or static PPP interfaces on different devices.

Profiles contain attributes for IP, IPv6, Multilink PPP, PPP, or PPPoE. Profiles do not contain attributes for bridged Ethernet.

IP Characteristics

A profile can contain one or more of the following IP characteristics:

• access-route—Enables the creation of host access routes on an interface
• address—Configures an IP address on an interface
• directed-broadcast—Enables directed broadcast forwarding
• igmp—Configures an IGMP interface
• ignore-df-bit—Specifies that the don't-fragment bit is ignored
• inspection—Associates an inspection list to the interface for firewalling
• mtu—Configures the maximum transmission unit for a network
• nat—Configures the interface as inside or outside for Network Address Translation (NAT)
• policy—Assigns a policy to the ingress or egress of an interface
• redirects—Enables transmission of ICMP redirect messages
• source address validation—Verifies that a packet has been sent from a valid source address
• tcp adjust-mss—Adjusts maximum packet sizes on TCP connections when path MTU detection is not sufficient
• unnumbered—Configures IP on this interface without a specific address
• virtual-router—Specifies a virtual router (VR) to which interfaces created by this profile will be attached

IPv6 Characteristics

A profile can contain one or more of the following IPv6 characteristics:

• access-route—Enables the creation of host access routes on an interface
• address—Configures an IPv6 address on an interface
• mtu—Configures the MTU for a network
• policy—Attaches (or removes) a policy to (or from) an interface
• unnumbered—Configures IPv6 on this interface without a specific address
• virtual-router—Specifies a virtual router to which interfaces created by this profile will be attached

MLPPP and PPP Characteristics

A profile can contain one or more of the following MLPPP or PPP characteristics:

• aaa-profile—Assigns an AAA profile
• authentication—Requests PAP or CHAP authentication from a PPP peer
• authentication virtual router—Specifies a virtual router for the authentication virtual router context
• chap challenge length—Modifies the length of the CHAP challenge
• ipcp-netmask—Controls the negotiation of the IPCP netmask option 0x90; disabled indicates do not negotiate, enabled indicates negotiate
• keepalive—Specifies a keepalive value, in seconds
• log—Enables packet or state machine logging for any dynamic interfaces that use the profile
• magic-number disable—Disables negotiation of the local magic number
• mru—Configures the maximum receive unit size for the interface
• multilink enable—For MLPPP interfaces only, enables the creation of dynamic MLPPP interfaces
• passive-mode—Forces the interface into passive mode before LCP negotiation begins, for a period of one second to enable slow clients to start up and initiate the LCP negotiation
• peer dns—Resolves conflicts when the E-series router and the PPP peer system have the primary and secondary DNS addresses configured with different values
• peer wins—Resolves conflicts when the E-series router and the PPP peer system have the primary and secondary WINS addresses configured with different values

PPPoE Characteristics

A profile can contain one or more of the following PPPoE characteristics:

• AC name—Adds an access concentrator name to the profile configuration
• always-offer—Causes the router to offer to set up a session for the client, even if the router has insufficient resources to establish a session
• duplicate-protection—Prevents a client from establishing more than one session using the same MAC address
• message string—Causes the router to send a PPPoE Active Discovery Message (PADM) message of the minute
• remote-circuit-id—Enables the router to capture and process a vendor-specific tag containing a remote circuit ID transmitted from a digital subscriber line access multiplexer (DSLAM) device
• service-name-table—Assigns a PPPoE service name table to dynamic interfaces created with this profile
• sessions—Specifies the maximum number of subinterfaces permitted on a PPPoE major interface
• url—Causes the PPPoE application to send a URL string to the new client
• control packet tracing—Enables packet trace logging for PPPoE dynamic interfaces created with this profile

Working with Profiles

Figure 34 shows how to create a profile and assign characteristics to it.

Figure 34: Creating and Configuring a Profile

Figure 35 shows how to assign a profile to static interfaces. These static interfaces will create dynamic interfaces above them.

Figure 35: Assigning a Profile to a Static Interface

Configuring a Profile

You can create a profile by using CLI commands similar to those used to create the equivalent static interfaces. You can configure a profile for bridged Ethernet, IP, IPv6, MLPPP, PPP, or PPPoE interfaces.

To configure a profile:

1. Create a profile by assigning it a name.

host1(config)#profile foo

2. Specify a VR to which dynamic IP interfaces created with this profile will be assigned.

host1(config-profile)#ip virtual-router egypt

3. Specify an IP loopback interface with which dynamic IP interfaces created with this profile will be associated.

host1(config-profile)#ip unnumbered loopback 0

4. Configure IPCP option 0x90.

host1(config-profile)#ppp ipcp netmask

5. Optionally set IP, IPv6, MLPPP, PPP, or PPPoE characteristics.
   

   NOTE: When configuring either IP or IPv6 to operate over PPP, you may want to initiate IP or IPv6 by using the appropriate ppp initiate command, either ppp initiate ip or ppp initiate ipv6. This command initiates either IPv4 or IPv6 in the event you are connecting to a passive client.

   
   

ip access-routes

• Use to enable an access route in a profile.
• Example

host1(config-profile)#ip access-routes 

• Use the no version to remove the access route.

ip address

• Use to assign an IP address to a profile.
• Example

host1(config-profile)#ip address 192.13.5.61

• Use the no version to remove the IP address assignment from the profile.

ip directed-broadcast

• Use to enable a directed broadcast address in a profile.
• Example

host1(config-profile)#ip directed-broadcast

• Use the no version to remove the directed broadcast address from the profile.

ip inspection

• Use to associate an inspection list to the inbound or outbound side of the IP interface.
• Example

host1(config-profile)#ip inspection list1

• Use the no version to remove the inspection list association to this interface.

ip mtu

• Use to assign the maximum transmission unit size sent on an IP interface.
• Example

host1(config-profile)#ip mtu 1000

• Use the no version to remove the assignment from the profile.

ip redirects

• Use to enable the sending of redirect messages if the software is forced to resend a packet through the same interface on which it was received.
• Example

host1(config-profile)#ip redirects

• Use the no version to remove the assignment from the profile.

ip sa-validate

• Use to enable source address validation.
• Example

host1(config-profile)#ip sa-validate

• Use the no version to disable source address validation.

ip unnumbered

• Use to specify the unnumbered interface with which dynamic interfaces created with the profile are associated.
• You can configure a loopback using RADIUS instead of adding one to the profile using the ip unnumbered loopback command.
• Example

host1(config-profile)#ip unnumbered loopback 5

• Use the no version to remove the assignment from the profile.

ip virtual-router

• Use to assign a VR to a profile. Interfaces created by the profile are attached to this VR.
• If you do not specify a VR with the ip virtual-router command, you must use RADIUS to specify a VR to which the dynamic interfaces are assigned. During the process of creating a dynamic interface, the router first checks RADIUS for a VR. If both RADIUS and the profile are configured to assign the VR, RADIUS overrides the profile.
• Before specifying the VR with the ip virtual-router command or RADIUS, first create it from Global Configuration mode with the virtual-router command.
• Example

host1(config-profile)#ip virtual-router salem1

• Use the no version to remove the VR assignment from the profile. If no VR is specified via RADIUS, then any subsequent use of the profile to create a dynamic interface fails for lack of a VR.

ppp aaa-profile

• Use to assign an AAA profile to static and dynamic, multilink and nonmultilink PPP interfaces.
• The PPP application associates the AAA profile with the interface and passes the AAA profile to AAA for authentication.
• If an AAA profile is deleted after it has been assigned to an interface, AAA will deny the authentication and log a message.
• When you remove an AAA profile, it does not remove any corresponding bindings between PPP interfaces or interface profiles and the AAA profile. If an AAA profile with the same name is added, the interface cannot authenticate until the AAA profile is reassigned.
  

  NOTE: Although an AAA profile and an interface profile have similar functionality, they are not related and should be treated differently.

  
  
• Example

host1(config-if)#ppp aaa-profile westford24

• Use the no version to remove the AAA profile assignment.
  

  NOTE: For more information about AAA profiles, see JUNOSe Broadband Access Configuration Guide, Chapter 1, Configuring Remote Access.

  
  

ppp authentication

• Use to require authentication from the PPP peer.
• Specify either PAP or CHAP as the primary authentication protocol. Optionally, specify the other (that is, CHAP or PAP) authentication protocol as the alternative. For example, suppose you specify pap as the primary authentication protocol and chap as the alternate:

host1(config-profile)#ppp authentication pap chap

• The router requests the use of PAP as the authentication protocol (because it appears first in the command line). If the peer refuses to use PAP, the router requests the CHAP protocol. If the peer refuses to negotiate authentication, the router terminates the PPP session.
• Specify a virtual router for the authentication virtual router context. For example:

host1(config-if)#ppp authentication virtual-router boston pap chap

• This command is available in static configurations and in profiles.
• The router supports the MD5 authentication algorithm for CHAP authentication.
• Use the no version to specify that the router does not require authentication.

ppp chap-challenge-length

• Use to modify the length of the CHAP challenge by specifying the allowable minimum length and maximum length.
  

  CAUTION: Do not use the ppp chap-challenge-length command; increasing the minimum length (from the default 16 bytes) or decreasing the maximum length (from the default 32 bytes) reduces the security of your router.

  
  
• Specify the minimum and maximum lengths in bytes in the range 8-63.
• The maximum length must be greater than or equal to the minimum length.
• Example

host1(config-if)#ppp chap-challenge-length 24 28

• Use the no version to restore the default minimum 16 bytes and default maximum 32 bytes.

ppp initiate

• Use to initiate either IP (IPv4) or IPv6 for passive clients. By default, PPP creates IP or IPv6 instances when it receives client requests.
• Example

host1(config-subif)#ppp initiate ip

• Use the no version to disable initiation of either IP or IPv6.

ppp ipcp netmask

• Use to specify Internet Protocol Control Protocol (IPCP) option 0x90 for each PPP interface. By default, IPCP option 0x90 is disabled on the interface.
• IPCP option 0x90 is a nonstandard option that allows a peer to request the netmask associated with the assigned IP address.
• The netmask can be specified via RADIUS attribute 9, Framed-Ip-Netmask. If the netmask is 255.255.255.255, the option is not negotiated. See radius ignore framed-ip-netmask.
• You can enable ppp ipcp netmask either in a profile or on a static interface.
• Example

host1(config-subif)#ppp ipcp netmask

• Use the no version to disable IPCP option 0x90 option on the interface.

ppp keepalive

• Use to specify the keepalive timeout value.
• This command always operates in high-density keepalive mode if PPP is layered over ATM or PPPoE.
• When the keepalive timer expires, the interface checks to see if any frames were received from the peer in the prior keepalive timeout seconds. If so, it assumes that the peer is alive and well, and it does not send an LCP echo request (keepalive). Keepalive packets are sent only if the peer is silent (no traffic was received from the peer during the previous keepalive timeout interval). If both sides are configured with keepalive, receipt of an LCP echo request by one end suppresses the transmission of an LCP echo request by that end.
• You can specify a timeout value in the range 30-64800 seconds. The default value is 30 seconds.
• If the keepalive interval is 30 seconds, a failed link is detected between 90 and 120 seconds after failure.
• Example

host1(config-profile)#ppp keepalive 50

• Use ppp keepalive without a value to restore the default, 30 seconds.
• Use the no version to disable keepalive.

ppp log

• Use to enable PPP packet or state machine logging on any dynamic interface that uses the profile being configured. Specify one of the following keywords:

• pppPacket—Enables PPP packet logging
• pppStateMachine—Enables PPP state machine logging

• Example

host1(config-profile)#ppp log pppPacket

 NOTE: This command is equivalent to the log severity debug pppPacket and log severity debug pppStateMachine commands.



 

• Use the no version to disable packet or state machine logging.

ppp magic-number disable

• Use to disable negotiation of the local magic number.
• Issuing this command prevents the router from detecting loopback configurations.
• Example

host1(config-profile)#ppp magic-number disable

• Use the no ppp magic-number disable command to restore negotiation of the local magic number.

ppp mru

• Use to control the negotiation of the maximum receive unit (MRU).
• Make sure to coordinate this value with the network administrator on the other end of the line.
• If you set this value with a different value for another protocol, such as IP, the router uses the lower value. Using two different values can produce unexpected behavior in your network.
• The range is 64-65535.
• Example

host1(config-profile)#ppp mru 300

• Use the no version to restore the default value, which causes PPP to negotiate MRU based on the MRU of the layer immediately below PPP, less the PPP protocol overhead.

ppp multilink enable

• Use in a profile to enable the creation of dynamic MLPPP interfaces.
• Example

host1(config-profile)#ppp multilink enable

• Use the no version to cause the LNS to reject any incoming requests to create dynamic MLPPP interfaces.

ppp passive-mode

• Use to force a static or dynamic PPP interface into passive mode before LCP negotiation begins, for a period of one second. This delay enables slow clients to start up and initiate the LCP negotiation.
• Example

host1(config-if)#ppp passive-mode

• Use the no version to disable passive mode.

ppp peer

• Use to resolve conflicts when the router and the PPP peer system have the primary and secondary DNS and WINS addresses configured with different values.
• By default, the DNS and WINS addresses configured on the router take precedence.
• Use the ppp peer dns and/or the ppp peer wins commands to configure the PPP peer system as the one that takes precedence. The ppp peer command has no effect unless both systems have the address configured and the address is in conflict. If the PPP peer system has the address and the router does not, the peer always supplies the address regardless of how you have configured the PPP peer.
• Example

host1(config-profile)#ppp peer dns

• Use the no ppp peer dns and/or the no ppp peer wins commands when you want the router to take precedence during setup negotiations between the router and the remote PC client. If the IP addresses passed to the router by the remote PC client differ from the ones you have configured on your router, the router returns the values that you configured as the correct values to the remote PC client.

pppoe acName

• Use to add an access concentrator (AC) name to the profile configuration.
• Example

host1(config-profile)#pppoe acname CYM9876

• Use the no version to remove the AC name.

pppoe always-offer

• Sets up the router to offer to set up a session for the client, even if the router has insufficient resources to establish a session.
• This feature is disabled by default.
• Example

host1(config-profile)#pppoe always-offer

• Use the no version to disable this feature.

pppoe duplicate-protection

• Use to prevent a client from establishing more than one session using the same MAC address.
• This feature is disabled by default.
• Example

host1(config-profile)#pppoe duplicate-protection 

• Use the no version to disable duplicate protection.

pppoe log pppoeControlPacket

• Use to enable packet trace logging on PPPoE dynamic interfaces created with this profile. Packet trace information is logged to the pppoeControlPacket log.
• Example

host1(config-profile)#pppoe log pppoeControlPacket

• Use the no version to turn off packet trace logging.

pppoe motm

• Use to cause the PPPoE application to send the string to the new client created when the profile is dynamically attached to an IP interface.
• The message string is saved in nonvolatile storage (NVS).
• Example

host1(config-profile)#pppoe motm string

• Use the no version to disable the command.

pppoe remote-circuit-id

• Use to enable the router to capture and process a vendor-specific tag containing a remote circuit ID transmitted from a DSLAM device.
• Optionally, the router can use the remote circuit ID in place of either or both of the Calling-Station-Id [31] and NAS-Port-Id [87] RADIUS attributes to uniquely identify subscriber locations.
• Example

host1(config-profile)#pppoe remote-circuit-id

• Use the no version to restore the default behavior, which is not to capture and process the remote circuit ID.

pppoe service-name-table

• Use to assign a PPPoE service name table to dynamic interfaces created with this profile.
• A PPPoE service name table defines the set of specific service name tags that an AC, such as an E-series router, offers to PPPoE clients. It also controls whether the router responds to or does not respond to (ignores) client requests containing an empty service name tag.
• Specify the name of the PPPoE service name table configured with the pppoe-service-name-table command from Global Configuration mode.
• Example

host1(config-profile)#pppoe service-name-table myServiceTable1

• Use the no version to remove the PPPoE service name table assignment.

pppoe sessions

• Use to specify the maximum number of PPPoE subinterfaces permitted on an interface in the range 1-4094. The default value is 4094.
• Because the sessions command affects only the creation of subinterfaces, using the sessions command affects only the creation of subinterfaces after the command is entered. Previously created interfaces remain, even if their number exceeds the new value of the sessions parameter.
• Example

host1(config-profile)#pppoe sessions 3000

• If you enable the pppoeControlPacket log at the debug level, the router sends a message when the session limit is reached.
• Example

host1(config)#log severity debug pppoecontrolpacket atm 3/0

• Use the no version to restore the default value, 4094.

pppoe url

• Use in a profile to cause the PPPoE application to send the string to the new client created when the profile is dynamically attached to an IP interface.
• The message string is saved in nonvolatile storage (NVS).
• PPPoE substitutes certain characters for information in the specified URL string before transmitting:

%U username and domain name

%u username

%d domain name

%D profile name

%% % character

• Example

host1(config-profile)#pppoe url http://www.relevanturl.com

• Use the no version to disable the command.

profile

• Use to create a profile.
• You specify a profile name with up to 80 characters.
• Example

host1(config)#profile foo

• Use the no version to remove a profile.

Assigning a Profile to an Interface

Use the profile command from Interface Configuration mode when you assign a profile to an interface.

For static PPP interfaces, you can assign only a profile for IP encapsulations. For static ATM 1483 subinterfaces, you can assign one profile for each bridged Ethernet, IP, PPP, and PPPoE encapsulation. You can also use the default keyword any, which applies to any autoconfigured encapsulation that does not have specific profile assignment.

For example, the following commands cause the router to use ProfileB if an IPoA packet is received, and to use ProfileA for any other received encapsulation that is autoconfigured. When you omit the keyword, it defaults to any.

host1(config-subif)#profile any ProfileA

host1(config-subif)#profile ip ProfileB

To assign a profile to an interface:

1. Configure a physical interface.

For ATM interfaces on ERX-7xx models, ERX-14xx models, and the ERX-310 router, use the slot/port[.subinterface ] format; for example:

host1(config-if)#interface atm 2/1.10

2. Configure a PVC by specifying the VCD, the VPI, the VCI, and the encapsulation type.

host1(config-subif)#atm pvc 10 100 22 aal5snap

host1(config-subif)#atm pvc 10 100 22 aal5autoconfig

3. Apply an existing profile.

host1(config-subif)#profile ip holland

4. Assign subscriber identification.

host1(config-subif)#subscriber ip user ispname domain abc.com 

password 3fds9jpt

5. Enable the dynamic encapsulation type.

host1(config-subif)#auto-configure ip

atm pvc

• Use to configure a PVC on an ATM interface. Select one of the following encapsulation options:

• aal5autoconfig—Enables the autodetection of the 1483 encapsulation (LLC/SNAP or VC multiplexed).
• aal5snap—Specifies a LLC encapsulated circuit; the LLC/SNAP header precedes the protocol datagram.
• aal5mux ip—Specifies a VC multiplexed circuit. This option is used for IP only.

• Example

host1(config-subif)#atm pvc 6 0 11 aal5autoconfig

• Use the no version to remove the specified PVC.

auto-configure

• Use to configure an ATM subinterface to support a dynamic interface. Specifies the type(s) of dynamic encapsulation that are accepted/detected by the ATM 1483 subinterface.
• This command creates the layers above ATM 1483 dynamically.
• Select the dynamic next upper-interface type from these options: bridgedEthernet, ip, ppp, or pppoe.
• You can issue this command repetitively to support multiple dynamic interface types.
• Encapsulation type lockout is performed on a per encapsulation type basis for each ATM 1483 subinterface. An encapsulation type not configured for autodetection with the auto-configure command is automatically locked out. The lockout, which is temporary, prevents the detection, acceptance, and creation of the encapsulation type until the lockout time expires.
  

  NOTE: Encapsulation type lockout is currently available only for IP and bridged Ethernet encapsulation types. Encapsulation type lockout for PPP and PPPoE encapsulation types will be available in a future release.

  
  
• Use the none keyword to disable the lockout feature for the encapsulation type.
  

  NOTE: Disabling lockout can result in undesirable loading time; we recommend that you not disable lockout for general use. At a minimum, use the default lockout time.

  
  
• Use the lockout-time keyword to set the minimum and maximum lockout time period. This lockout range is 1-86400 seconds (24 hours). The default range is 1-300 seconds (5 minutes). The lockout time value is defined to be:

• (minimum lockout time) * (2 ^ n-1)
• n represents the number of consecutive lockout events. n is incremented when the time between lockout events is within 15 minutes or the maximum lockout time, whichever is greater. Otherwise, n reverts to 1 when the time between lockout events is greater than either 15 minutes or the maximum lockout time.
• The lockout time never exceeds the maximum configured lockout time. For example, for a configured lockout time of 20-120 seconds, the increasing lockout time sequence is 20 seconds, 40 seconds, 80 seconds, and finally, 120 seconds.

• A short-cycle event is a dynamic interface that is created and torn down within 60 seconds. The time between short-cycle events is tracked to determine whether the lockout time should increase for a subsequent short-cycle event.
  

  NOTE: When the calculated lockout time is equal to or exceeds the maximum lockout time, the router uses the maximum lockout time until the time to the next event exceeds the greater of 15 minutes or the maximum lockout time. At that point, the lockout time reverts to the minimum lockout time.

  
  
• The minimum lockout time value cannot exceed the maximum lockout time value. When the minimum and maximum values are equal, the encapsulation type lockout time becomes fixed.
• Example 1—Enables autodetection for the bridged Ethernet encapsulation type using the default lockout time range, 1-300 seconds

host1(config-subif)#auto-configure bridgedEthernet

• Example 2—Enables autodetection for the bridged Ethernet encapsulation type using a nondefault lockout time range of 3600-21600 seconds (1-6 hours)

host1(config-subif)#auto-configure bridgedEthernet lockout-time 3600 21600

• Example 3—Disables encapsulation type lockout for the IP encapsulation type

host1(config-subif)#auto-configure ip lockout-time none

• Example 4—Either command reenables encapsulation type lockout for the IP encapsulation type using the default lockout time range

host1(config-subif)#auto-configure ip 

host1(config-subif)#no auto-configure ip lockout-time

• Example 5—Permanently locks out the PPP encapsulation type until the auto-configure ppp command is issued

host1(config-subif)#no auto-configure ppp

• Use the no version to terminate detection of the specified encapsulation type or, if the lockout-time keyword is specified, to restore the lockout time range to its default values, 1-300 seconds.

profile

• Use to assign a profile to a static ATM 1483 or static PPP interface. The profile configuration is used to dynamically configure an upper bridged Ethernet, IP, PPP, and/or PPPoE interface.
• The default encapsulation type, any, applies to any autoconfigured encapsulation that does not have a specific profile assignment.
• Example

host1(config-subif)#profile ip holland

• Use the no version to remove the profile assignment from the interface.

subscriber

• Use to configure a local subscriber on the router to support authentication and configuration from RADIUS for a dynamic IPoA or bridged Ethernet interface.
• When you configure a subscriber, you must specify the following:

• interfaceType—Type of dynamic interface, bridgedEthernet or ip.
• userNameUsage—How the dynamic interface uses the username for authentication purposes

• user—Use the name as specified.
• user-prefix—Use the name as a prefix to the interface physical location. The router automatically postpends the physical location of the user to the username string. The username format is user.slot.port.vpi.vci. The resulting username string is then used to authenticate with the RADIUS server.

• userName—RADIUS username
• domainName—Domain name

• You may optionally supply password information:

• passwordUsage—How the dynamic interface uses the password for authentication purposes

• password—Use the password as specified.
• password-prefix—Use the password as a prefix to the interface physical location. The router automatically postpends the physical location of the user to the password string. The password format is password.slot.port.vpi.vci. The resulting password string is then used to authenticate with the RADIUS server.

• password—The RADIUS password

• Example

host1(config-subif)#subscriber ip user-prefix charlie domain myisp 
password-prefix lucy

• Use the no version to remove the subscriber.

Profile Configuration Examples

Examples in this section show different ways that profiles can be configured.

• This example configures a new profile with IP characteristics only.

host1(config)#profile ProfileA

host1(config-profile)#ip mtu 1024

host1(config-profile)#exit

• This example shows a new profile configured with both IP and PPP characteristics.

host1(config)#profile ProfileB

host1(config-profile)#ip mtu 512

host1(config-profile)#ppp authentication chap

host1(config-profile)#ppp keepalive 120

host1(config-profile)#exit

• This example shows a new profile configured with IP, PPP, and PPPoE characteristics.

host1(config)#profile ProfileC

host1(config-profile)#ip mtu 1400

host1(config-profile)#ppp authentication chap

host1(config-profile)#ppp keepalive 60

host1(config-profile)#pppoe sessions 64

host1(config-profile)#exit

• This example uses the profiles created in the previous three examples. It shows distinct profiles for each encapsulation, where the configuration of dynamic layers varies according to which incoming encapsulation the ATM 1483 subinterface detects. Autodetection is enabled for the IP encapsulation type with the default lockout time range, 1-300 seconds.

host1(config)#interface atm 4/0.1

host1(config-subif)#atm pvc 10 100 22 aal5autoconfig

host1(config-subif)#profile ip ProfileA

host1(config-subif)#profile ppp ProfileB

host1(config-subif)#profile pppoe ProfileC

host1(config-subif)#subscriber ip user atm1 domain isp1 password atm1pw

host1(config-subif)#auto-configure ip

host1(config-subif)#auto-configure ppp

host1(config-subif)#auto-configure pppoe

host1(config-subif)#exit

• This example also uses the three new profiles configured in the first three examples. It shows one profile being used for all encapsulations. The configuration of dynamic layers is the same regardless of incoming encapsulations detected by ATM. Only relevant profile attributes are used for whichever dynamic interface layers are actually constructed.

host1(config)#interface atm 4/0.2

host1(config-subif)#atm pvc 200 0 200 aal5autoconfig

host1(config-subif)#profile any ProfileC

host1(config-subif)#subscriber ip user atm2 domain isp2 password atm2pw

host1(config-subif)#auto-configure ip

host1(config-subif)#auto-configure ppp

host1(config-subif)#auto-configure pppoe

host1(config-subif)#exit

• This example uses the three new profiles configured in the first three examples, and is implicitly assigned via the any encapsulation wildcard. Note that configuration of dynamic layers is the same regardless of incoming encapsulation detected by ATM. Autodetection is enabled for the IP encapsulation type with a lockout time range of 3600-7200 seconds (1-2 hours).

host1(config)#interface atm 4/0.3

host1(config-subif)#atm pvc 300 0 300 aal5autoconfig

host1(config-subif)#profile any ProfileC

host1(config-subif)#subscriber ip user atm2 domain isp3 password atm3pw

host1(config-subif)#auto-configure ip lockout-time 3600 7200

host1(config-subif)#auto-configure ppp

host1(config-subif)#auto-configure pppoe

host1(config-subif)#exit

• This example uses the profile configured in the first example. Autodetection is enabled for the bridged Ethernet encapsulation type with a lockout time range of 3600-21600 seconds (1-6 hours).

host1(config)#interface atm 4/0.3

host1(config-subif)#atm pvc 300 0 300 aal5autoconfig

host1(config-subif)#profile bridgedEthernet ProfileA

host1(config-subif)#subscriber bridgedEthernet user atm3 domain isp1 

password fjdkei

host1(config-subif)#auto-configure bridgedEthernet lockout-time 3600 21600