Dynamic Interface Configuration Using a Profile
You define profiles by using command-line interface
(CLI) commands similar to the ones you use to configure static interfaces.
When configuring profiles, you can specify every layer explicitly
or specify a subset of layers.
Profile Considerations for Dynamic Interfaces
When a dynamic interface is configured, the configuration data
received from the RADIUS authentication server typically overrides
configuration data obtained from a profile.
In contrast to static Point-to-Point Protocol (PPP) interfaces
(above which only dynamic IP interfaces can be created), static Asynchronous
Transfer Mode (ATM) 1483 subinterfaces support recognition and creation
of the following upper dynamic interface types or encapsulations: bridged Ethernet, IP, IPv6, Multilink PPP, PPP, and Point-to-Point
Protocol over Ethernet (PPPoE) interfaces.
The auto-configure command identifies the
encapsulation type. For flexibility, the router provides the ability
to configure an ATM 1483 subinterface with distinct profile assignments
for each encapsulation type supported by the auto-configure command. For more information, see Configuring a Dynamic Interface over an ATM 1483 Subinterface.
In contrast to dynamic ATM 1483
subinterfaces, dynamic virtual LAN (VLAN) subinterfaces support recognition
and creation of simultaneous IP and PPPoE upper dynamic interface
types. The vlan auto-configure command
identifies the encapsulation type. For flexibility, the router provides
the ability to configure a VLAN subinterface with distinct profile
assignments for each encapsulation type supported by the vlan auto-configure command.
Each profile typically contains configuration attributes for
the expected encapsulation, in addition to attributes for other higher-interface
layers through IP. If your configuration of upper layers is intended
to be different depending on which incoming encapsulation is received
by the subinterface, configure and assign separate profiles for each
encapsulation type. If your configuration of upper layers is the same
for more than one encapsulation type, configure one profile and assign
it for those encapsulation types.
Profile Characteristics
Currently, profiles support bridged Ethernet, IP, IPv6, L2TP,
Multilink PPP, PPP, PPPoE, and VLANs. You create a profile with a
specific set of characteristics. You then assign the profile to multiple
interfaces instead of creating separate interfaces with identical
attributes. After you create a profile, you can assign it to static
ATM 1483, static PPP, or static VLAN major interfaces on different
devices.
Bridged Ethernet Characteristics
A profile can contain the following bridged Ethernet characteristic:
- mtu—Sets the maximum allowable size, in bytes, of
the MTU for dynamic bridged Ethernet interfaces
IP Characteristics
A profile can contain one or more of the following IP characteristics:
- access-routes—Enables the creation of host access
routes on an interface
- address—Configures an IP address on an interface
- auto-configure ip-subscriber—Configures a primary
IP interface to enable dynamic creation of subscriber interfaces
- auto-detect ip-subscriber—Enables packet detection
on the router and specifies that IP automatically detects packets
that do not match any entries in the demultiplexer table
- directed-broadcast—Enables directed broadcast forwarding
- filter-options all—Filters out packets that include
IP options
- igmp—Configures an IGMP interface
- ignore-df-bit—Specifies that the don’t-fragment
bit is ignored
- inactivity-timer—Configures an inactivity timer
value for IP interfaces
- inspection—Associates an inspection list to the
interface for firewalling
- mtu—Configures the MTU for a network
- nat—Configures the interface as inside or outside
for NAT
- policy—Assigns a policy to the ingress or egress
of an interface
- redirects—Enables transmission of ICMP redirect
messages
- route-cache flow sampled—Enables J-Flow statistics
on an interface
- route-map ip-subscriber—Configures the interface
for route-map processing
- sa-validate—Verifies that a packet has been sent
from a valid source address
- tcp adjust-mss—Modifies MSS on TCP connections when
path MTU detection is not sufficient
- unnumbered—Configures IP on this interface without
a specific address
- virtual-router—Specifies a virtual router to which
interfaces created by this profile attach
IPv6 Characteristics
A profile can contain one or more of the following IPv6 characteristics:
- address—Configures an IPv6 address on an interface
- http—Configures the HTTP local server for IPv6
- http redirectUrl—Configures the URL to which a subscriber’s
initial Web browser session is redirected
- nd—Enables Neighbor Discovery on an interface
- nd managed-config-flag—Sets the “managed address
configuration” flag in IPv6 router advertisements
- nd other-config-flag—Sets the “other stateful
configuration” flag in IPv6 router advertisements
- nd prefix-advertisement—Specifies which IPv6 prefixes
are included in IPv6 router advertisements
- nd ra-interval—Configures the interval between IPv6
router advertisements
- nd ra-lifetime—Configures the router advertisement
lifetime
- nd reachable-time—Configures the amount of time
the router can reach an IPv6 node after a reachability confirmation
event occurs
- nd suppress-ra—Disables router advertisement transmissions
- mld—Configures the MLD interface
- mtu—Configures the MTU for a network
- policy—Attaches (or removes) a policy to (or from)
an interface
- sa-validate—Enables source address validation
- unnumbered—Configures IPv6 on this interface without
a specific address
- virtual-router—Specifies a virtual router to which
interfaces created by this profile attach
L2TP Characteristics
A profile can contain the following L2TP characteristic:
- policy—Assigns an L2TP policy
list to a profile
MLPPP and PPP Characteristics
A profile can contain one or more of the following MLPPP or
PPP characteristics:
- aaa-profile—Assigns an AAA profile
- authentication—Requests PAP or CHAP authentication
from a PPP peer
- authentication virtual router—Specifies a virtual
router for the authentication virtual router context
- chap challenge length—Modifies the length of the
CHAP challenge
- fragmentation—Enables fragmentation on an MLPPP
link interface
- hash-link-selection—Enables use of a hash-based
algorithm to select the link on which the router transmits non-best-effort
(high-priority) packets, such as voice or video, on dynamic MLPPP
interfaces
- initiate-ip—Initiates IPv4 for passive clients
- initiate-ipv6—Initiates IPv6 for passive clients
- ipcp lockout—Terminates an invalid subscriber entry
and prevents additional Internet Protocol Control Protocol negotiations
- ipcp netmask—Controls the negotiation of the IPCP
netmask option 0x90; disabled indicates do not
negotiate, enabled indicates negotiate
- keepalive—Specifies a keepalive value, in seconds
- log—Enables packet or state machine logging for
any dynamic interfaces that use the profile
- magic-number disable—Disables negotiation of the
local magic number
- magic-number ignore-mismatch—Causes the router to
ignore a mismatch of the LCP peer magic number and retain the PPP
connection when the peer has not negotiated an LCP magic number.
- max-negotiations—Configures the maximum number of
LCP, IPCP, or IPv6CP renegotiation attempts that the router accepts
before terminating a PPP session
- mru—Configures the maximum receive unit size for
the interface
- multilink enable—For MLPPP interfaces only, enables
the creation of dynamic MLPPP interfaces
- multilink multiclass—Enables the creation of multilink
classes on a multiclass MLPPP interface
- multilink multiclass fragmentation—Enables fragmentation
on a multiclass MLPPP interface
- multilink multiclass reassembly—Enables reassembly
on a multiclass MLPPP interface
- multilink multiclass traffic-class—Configures mapping
of QoS traffic classes to multilink classes on a multiclass MLPPP
interface
- passive-mode—Forces the interface into passive mode
before LCP negotiation begins, for a period of one second to enable
slow clients to start up and initiate the LCP negotiation
- peer dns—Resolves conflicts when the E Series router
and the PPP peer system have the primary and secondary DNS addresses
configured with different values
- peer wins—Resolves conflicts when the E Series
router and the PPP peer system have the primary and secondary WINS
addresses configured with different values
- reassembly—Enables reassembly on an MLPPP link interface
PPPoE Characteristics
A profile can contain one or more of the following PPPoE characteristics:
- AC name—Adds an access concentrator name to the
profile configuration
- always-offer—Causes the router to offer to set up
a session for the client, even when the router has insufficient resources
to establish a session
- duplicate-protection—Prevents a client from establishing
more than one session using the same MAC address
Note: When the duplicate protection feature is enabled for PPPoE sessions that
contain the IWF-Session DSL VSA (26–254) in the Point-to-Point
Protocol over Ethernet Active Discovery Request packet sent from PPPoE
clients to the access concentrator, multiple IWF PPPoE sessions that
contain the same MAC address are still processed and can access network
services until the maximum number of PPPoE sessions configured per
major interface (configured using the pppoe sessions command) is reached.
- log pppoeControlPacket—Enables packet trace logging
on PPPoE dynamic interfaces created with this profile
- motm—Causes the router to send a PADM message of
the minute
- mtu—Configures the MTU
- remote-circuit-id—Enables the router to capture
and process a vendor-specific tag containing a remote circuit ID transmitted
from a digital subscriber line access multiplexer device
- service-name-table—Assigns a PPPoE service name
table to dynamic interfaces created with this profile
- sessions—Specifies the maximum number of subinterfaces
permitted on a PPPoE major interface
- url—Causes the PPPoE application to send a URL string
to the new client
VLAN Characteristics
A profile can contain one or more
of the following VLAN characteristics:
- advisory-rx-speed—Sets an advisory receive speed
for VLAN subinterfaces
- advisory-tx-speed—Sets an advisory connect speed
for VLAN subinterfaces
- auto-configure—Specifies the types of upper-interface
encapsulations that are accepted or detected by the dynamic VLAN subinterface
- auto-configure agent-circuit-identifier—Enables
the creation of VLAN subinterfaces that are based on agent-circuit-identifier
information
- description—Assigns a description to VLAN subinterfaces
that are created with this profile
- policy—Attaches (or removes) a policy to (or from)
a dynamically created VLAN
- profile—Adds a nested profile assignment, which
references another profile that dynamically configures an upper-interface
encapsulation type over the VLAN subinterface
- service-profile—Specifies a service profile name
to a dynamically created VLAN
- svlan ethertype—Specifies that the packet must use
this Ethertype to create the dynamic VLAN subinterface
How to Work with Profiles
Figure 1 shows how to create a profile
and assign characteristics to it.
Figure 1: Creating and Configuring a Profile
Figure 2 shows how to assign a profile
to static interfaces. These static interfaces create dynamic interfaces
above them.
Figure 2: Assigning a Profile to a Static Interface
Creating a Profile for Dynamic Interfaces
You can create a profile by using CLI commands similar to those
used to create the equivalent static interfaces. You can configure
a profile for bridged Ethernet, IP, IPv6, MLPPP, PPP, PPPoE, or VLAN
interfaces.
To configure a profile:
- Create a profile by assigning it a name.
host1(config)#profile foo
- Specify a virtual router to which to assign dynamic IP
interfaces created with this profile.
host1(config-profile)#ip virtual-router egypt
- Specify an IP loopback interface for dynamic IP interfaces
created with this profile to be associated.
host1(config-profile)#ip unnumbered loopback 0
- Configure IPCP option 0x90.
host1(config-profile)#ppp ipcp netmask
- Optionally set IP, IPv6, MLPPP, PPP, or PPPoE characteristics.
For more information, see Configuring Profile Characteristics.
Note: When configuring either IP or IPv6 to operate over PPP,
you might want to initiate IP or IPv6 by using the appropriate ppp initiate command, either ppp initiate-ip or ppp initiate-ipv6. This command initiates
either IPv4 or IPv6 in the event you are connecting to a passive client.
Assigning a Profile to a Dynamic Interface
Use the profile command from Interface
Configuration mode when you assign a profile to an interface.
For static PPP interfaces, you can assign only a profile for
IP encapsulations. For static ATM 1483 subinterfaces, you can assign
one profile for each bridged Ethernet, IP, PPP, and PPPoE encapsulation. For
static VLAN subinterfaces, you can assign one profile for each IP
or PPPoE encapsulation. You can also use the default keyword any, which applies to any autoconfigured encapsulation
that does not have specific profile assignment.
For example, the following
commands cause the router to use ProfileB when an IPoA packet is received,
and to use ProfileA for any other received encapsulation that is autoconfigured.
When you omit the keyword, it defaults to any.
host1(config-subif)#profile any ProfileA
host1(config-subif)#profile ip ProfileB
To assign a profile to an interface:
- Configure a physical interface.
host1(config-if)#interface atm 2/1.10
- Configure a PVC by specifying the VCD, the VPI, the VCI,
and the encapsulation type. For more information, see Creating a PVC on an ATM 1483 Subinterface.
host1(config-subif)#atm pvc 10 10 22 aal5snap
host1(config-subif)#atm pvc 10 10 22 aal5autoconfig
- Apply an existing profile.
host1(config-subif)#profile ip holland
- Assign subscriber identification. For more information,
see Configuring a Local Subscriber for a Dynamic IPoA or Bridged Ethernet Interface.
host1(config-subif)#subscriber ip user ispname domain abc.com password 3fds9jpt
- Enable the dynamic encapsulation type. For more information,
see Configuring a Dynamic Interface over an ATM 1483 Subinterface.
host1(config-subif)#auto-configure ip
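The assignment rules above (a specific encapsulation assignment takes precedence, any covers the rest, and an omitted keyword means any) can be checked offline against a saved configuration. The following Python is an added example, not part of the original documentation or of JunosE; it resolves the effective profile for each auto-configured encapsulation and reports encapsulations that resolve to no defined profile or to a profile without a ppp authentication attribute. The indented stanza layout, the function names, and the choice of checks are assumptions made for illustration.

```python
# Constructed sample: this page's commands, prompts stripped, assumed indented layout.
SAMPLE = """\
profile ProfileA
 ip mtu 1024
profile ProfileB
 ppp authentication chap
interface atm 4/0.1
 profile ProfileA
 profile ppp ProfileB
 auto-configure ip
 auto-configure ppp
 auto-configure pppoe
interface atm 4/0.2
 profile ip ProfileA
 auto-configure ip
 auto-configure ppp
"""


def parse(text):
    """Return (profiles, interfaces) parsed from indented stanzas."""
    profiles, interfaces, current = {}, {}, None
    for raw in filter(str.strip, text.splitlines()):  # skip blank lines
        words = raw.split()
        if not raw.startswith(" "):  # stanza header
            current = None
            if words[0] == "profile":
                current = profiles.setdefault(words[1], [])
            elif words[0] == "interface":
                current = interfaces.setdefault(" ".join(words[1:]), {"assign": {}, "auto": []})
        elif isinstance(current, list):  # attribute inside a profile
            current.append(" ".join(words))
        elif isinstance(current, dict) and words[0] == "profile":
            # An omitted encapsulation keyword defaults to "any".
            current["assign"]["any" if len(words) == 2 else words[1]] = words[-1]
        elif isinstance(current, dict) and words[0] == "auto-configure":
            current["auto"].append(words[1])
    return profiles, interfaces


def effective_profile(iface, encap):
    """A specific assignment wins; otherwise the "any" assignment applies."""
    return iface["assign"].get(encap, iface["assign"].get("any"))


def review(text):
    """Return (interface, encapsulation, profile, issue) for each gap."""
    profiles, interfaces = parse(text)
    findings = []
    for name, iface in interfaces.items():
        for encap in iface["auto"]:
            prof = effective_profile(iface, encap)
            attrs = profiles.get(prof)
            if attrs is None:
                findings.append((name, encap, prof, "no usable profile"))
            elif encap in ("ppp", "pppoe") and not any(
                    a.startswith("ppp authentication") for a in attrs):
                findings.append((name, encap, prof, "no ppp authentication"))
    return findings
```

On the sample, review(SAMPLE) reports that PPPoE on atm 4/0.1 falls through to the IP-only ProfileA via the any assignment, and that PPP on atm 4/0.2 has no profile at all. The check looks only at profile contents; attributes returned by RADIUS, which typically override the profile, are outside its view.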
Example: Configuring a Profile for Dynamic Interfaces
This example shows different ways to configure
profiles.
Requirements
This example uses the following software and hardware
components:
- JunosE Release 7.1.0 or higher-numbered releases
- E Series router (ERX7xx models, ERX14xx models, the ERX310
router, the E120 router, or the E320 router)
- ASIC-based line modules that support Fast Ethernet or
Gigabit Ethernet
Overview
Currently, profiles support bridged Ethernet, IP, IPv6, L2TP,
Multilink PPP, PPP, PPPoE, and VLANs. You create a profile with a
specific set of characteristics. You then assign the profile to multiple
interfaces instead of creating separate interfaces with identical
attributes. After you create a profile, you can assign it to static
ATM 1483, static PPP, or static VLAN major interfaces on different
devices.
Configuring and Assigning Profiles
This example explains various ways to assign
the created profiles to multiple interfaces.
Creating Profiles
Step-by-Step Procedure
To create profiles with various characteristics assigned:
- Create a new profile with IP characteristics only.
host1(config)#profile ProfileA
host1(config-profile)#ip mtu 1024
host1(config-profile)#exit
- Create a new profile with both IP and PPP characteristics.
host1(config)#profile ProfileB
host1(config-profile)#ip mtu 512
host1(config-profile)#ppp authentication chap
host1(config-profile)#ppp keepalive 120
host1(config-profile)#exit
- Create a new profile with IP, PPP, and PPPoE characteristics.
host1(config)#profile ProfileC
host1(config-profile)#ip mtu 1400
host1(config-profile)#ppp authentication chap
host1(config-profile)#ppp keepalive 60
host1(config-profile)#pppoe sessions 64
host1(config-profile)#exit
Assigning Distinct Profiles for Each Encapsulation
Step-by-Step Procedure
Distinct profiles are assigned for each encapsulation,
where the configuration of dynamic layers varies according to which
incoming encapsulation the ATM 1483 subinterface detects.
- Assign the created profiles for each encapsulation.
host1(config)#interface atm 4/0.1
host1(config-subif)#atm pvc 10 10 22 aal5autoconfig
host1(config-subif)#profile ip ProfileA
host1(config-subif)#profile ppp ProfileB
host1(config-subif)#profile pppoe ProfileC
host1(config-subif)#subscriber ip user atm1 domain isp1 password atm1pw
- Enable autodetection for the encapsulation types with
the default lockout time range.
host1(config-subif)#auto-configure ip
host1(config-subif)#auto-configure ppp
host1(config-subif)#auto-configure pppoe
host1(config-subif)#exit
Assigning a Single Profile for All Encapsulations
Step-by-Step Procedure
The same profile is assigned for all encapsulations.
The configuration of dynamic layers is the same regardless of incoming
encapsulations detected by ATM. Only relevant profile attributes are
used for whichever dynamic interface layers are actually constructed.
- Assign the same profile for all encapsulations.
host1(config)#interface atm 4/0.2
host1(config-subif)#atm pvc 200 0 200 aal5autoconfig
host1(config-subif)#profile any ProfileC
host1(config-subif)#subscriber ip user atm2 domain isp2 password atm2pw
- Enable autodetection for the encapsulation types with
the default lockout time range.
host1(config-subif)#auto-configure ip
host1(config-subif)#auto-configure ppp
host1(config-subif)#auto-configure pppoe
host1(config-subif)#exit
Assigning a Profile Using any Wildcard
Step-by-Step Procedure
The profile is implicitly assigned via the any encapsulation wildcard. Configuration of dynamic
layers is the same regardless of incoming encapsulation detected by
ATM.
- Assign the profile using the any keyword.
host1(config)#interface atm 4/0.3
host1(config-subif)#atm pvc 300 0 300 aal5autoconfig
host1(config-subif)#profile any ProfileC
host1(config-subif)#subscriber ip user atm2 domain isp3 password atm3pw
- Enable autodetection for the IP encapsulation type with
a lockout time range of 3600–7200 seconds (1–2 hours).
host1(config-subif)#auto-configure ip lockout-time 3600 7200
- Enable autodetection for other encapsulation types with
the default lockout time range.
host1(config-subif)#auto-configure ppp
host1(config-subif)#auto-configure pppoe
host1(config-subif)#exit
Assigning a Profile for bridgedEthernet Encapsulation
Step-by-Step Procedure
The profile is assigned for the bridgedEthernet encapsulation
type.
- Assign the profile for the bridgedEthernet encapsulation.
host1(config)#interface atm 4/0.3
host1(config-subif)#atm pvc 300 0 300 aal5autoconfig
host1(config-subif)#profile bridgedEthernet ProfileA
host1(config-subif)#subscriber bridgedEthernet user atm3 domain isp1 password fjdkei
- Enable autodetection for the bridged Ethernet encapsulation
type with a lockout time range of 3600–21600 seconds (1–6
hours).
host1(config-subif)#auto-configure bridgedEthernet lockout-time 3600 21600
Published: 2012-06-26