Example: Deploying Value-Added Subscriber Services with MX Series Routers


This example shows how to configure a Broadband Network Gateway deployment where the service provider is looking for high-scale subscriber management, support for a carrier grade NAT (CGN) technique such as dual-stack lite (DS-Lite) to overcome IPv4 address depletion challenges, and advanced value-added features such as dynamic application awareness with intrusion prevention. Integrating value-added services onto the Broadband Network Gateway router enables you to eliminate many network interconnect links, which simplifies the network architecture, increasing network utilization and reducing operational and capital overhead.

Requirements

This example uses a Juniper Networks MX480 3D Universal Edge Router as the Broadband Network Gateway. A traffic simulator creates real-world subscriber sessions and stateful traffic on one router.

This example uses the following hardware and software components:

  • MX480 router running Junos OS 10.4 R3.4

  • Three MultiService-Dense Port Concentrators (MS-DPC)

  • One Modular Port Concentrator (MPC2 Q) with one Modular Interface Card (MIC-3D) 4x10GE and one MIC-3D 20x1GE

  • Two DPCs

Note

This configuration example has been tested using the software release listed and is assumed to work on all later releases.

Overview and Topology

Figure 1: Network Setup to Simulate Customer Requirements

The MX Series router meets the customer requirements for a gateway router that provides subscriber management, CGN, and additional threat management services. This network topology contains peripheral test equipment, which simulates subscriber sessions and applications.

  • The Security Threat Response Manager (STRM) appliance is used to analyze threat management alerts.

  • Testers include a traffic simulator with two 10-Gigabit Ethernet ports for subscriber generation, and a traffic simulator with two 10-Gigabit Ethernet ports for stateful traffic generation.

  • A RADIUS server is used to authenticate the Point-to-Point Protocol over Ethernet (PPPoE) and Dynamic Host Configuration Protocol (DHCP) subscribers. Two N2X ports are connected to simulate the PPPoE subscribers. Traffic simulator ports are used to establish the DS-Lite softwires.

Configuration

Provisioning Subscribers with PPPoE

Step-by-Step Procedure

In this example, 24,000 PPPoE subscriber sessions are simulated. Traffic is sent using the simulator. PPP authenticates users before allowing them access to the network, by requiring that they log in to the network using an assigned user ID and password. PPP authentication is tightly integrated with RADIUS. During this authentication phase, the network assigns attributes to individual subscribers by forwarding the login request to a RADIUS server.

To provision the subscriber sessions:

  1. Configure the PPP options and authentication.

    The RADIUS server returns information that allows the Broadband Remote Access Server (BRAS) to determine what to do with the session (filters, multicast enable/disable, bandwidth control, QoS control, policy routing rules, LNS destination, and so on).

  2. Configure routing options for the subscriber profiler.
  3. Configure the accounting options.
  4. Configure the RADIUS server details.
  5. Link the PPPOE-SUBSCRIBER dynamic profile to the physical interfaces where subscriber sessions come through.
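The five steps above written out as Junos set commands. This is an added illustration, not configuration from the original example or from Juniper; the RADIUS server address 192.0.2.10, the underlying interface ge-2/0/0, the access profile name pppoe-access-profile and the shared-secret placeholder are assumptions, and the lines beginning with # are annotations rather than CLI input.

```junos
# Step 1: PPP options and authentication in the PPPOE-SUBSCRIBER dynamic profile.
# Both CHAP and PAP are enabled; CHAP is preferable because PAP carries the password in clear text.
set dynamic-profiles PPPOE-SUBSCRIBER interfaces pp0 unit "$junos-interface-unit" ppp-options chap
set dynamic-profiles PPPOE-SUBSCRIBER interfaces pp0 unit "$junos-interface-unit" ppp-options pap
set dynamic-profiles PPPOE-SUBSCRIBER interfaces pp0 unit "$junos-interface-unit" pppoe-options underlying-interface "$junos-underlying-interface"
set dynamic-profiles PPPOE-SUBSCRIBER interfaces pp0 unit "$junos-interface-unit" pppoe-options server
set dynamic-profiles PPPOE-SUBSCRIBER interfaces pp0 unit "$junos-interface-unit" keepalives interval 30
set dynamic-profiles PPPOE-SUBSCRIBER interfaces pp0 unit "$junos-interface-unit" family inet unnumbered-address lo0.0
# Step 2: routing options in the profile, so each subscriber gets an access route
# built from the RADIUS Framed-Route attributes.
set dynamic-profiles PPPOE-SUBSCRIBER routing-options access route "$junos-framed-route-ip-address-prefix" qualified-next-hop "$junos-interface-name"
# Step 3: accounting via RADIUS (assumed interim interval of 30 minutes).
set access profile pppoe-access-profile accounting order radius
set access profile pppoe-access-profile accounting accounting-stop-on-failure
set access profile pppoe-access-profile accounting update-interval 30
# Step 4: RADIUS server details (192.0.2.10 is an assumed address; replace the secret).
set access profile pppoe-access-profile authentication-order radius
set access profile pppoe-access-profile radius authentication-server 192.0.2.10
set access profile pppoe-access-profile radius accounting-server 192.0.2.10
set access profile pppoe-access-profile radius-server 192.0.2.10 secret "REPLACE-WITH-SHARED-SECRET"
set access-profile pppoe-access-profile
# Step 5: link the dynamic profile to the subscriber-facing interface (ge-2/0/0 assumed);
# max-sessions bounds the number of PPPoE sessions the interface will accept.
set interfaces ge-2/0/0 unit 0 encapsulation ppp-over-ether
set interfaces ge-2/0/0 unit 0 pppoe-underlying-options dynamic-profile PPPOE-SUBSCRIBER
set interfaces ge-2/0/0 unit 0 pppoe-underlying-options max-sessions 24000
```

After committing, show subscribers and show network-access aaa statistics radius confirm that sessions are being authenticated and accounted for against the assumed server.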

Configuring DS-Lite to Address IPv4 Exhaustion and Transition to IPv6

Step-by-Step Procedure

DS-Lite is a solution that offers both IPv4 and IPv6 connectivity to customers addressed only with an IPv6 prefix. No IPv4 address is assigned to the attachment router. One of this solution’s key components is an IPv4-over-IPv6 tunnel, commonly referred to as a softwire. A DS-Lite “Basic Bridging Broadband” (B4) router does not know if the network it is attached to offers DS-Lite service.

A DNS hostname is used to inform the B4 router of the Address Family Transition Router (AFTR) location. Once this information is conveyed, the presence of the configuration indicating the AFTR’s location also informs a host to initiate the DS-Lite service and become a softwire initiator. For more details on DS-Lite and its implementation, see Understanding IPv6 Dual-Stack Lite.

To configure DS-Lite:

  1. Enable the relevant service packages on the MX480 chassis, and configure service options on the MS-DPC where DS-Lite sessions are terminated.
  2. Configure the NAT rules.

    With DS-Lite, IPv4 packets are encapsulated in an IPv6 softwire that originates at the B4 router (simulated by a traffic simulator in this case) and terminates on the AFTR (MS-DPC in slot 0 in this case), where they are decapsulated to IPv4 and address translation is done.

  3. Add the softwire configuration and the associated rule.
  4. Configure the service set, link the softwire and the NAT rules to the service, and associate it with the MS-DPC in slot 1, the AFTR in this case.
  5. Link the service set to the ingress physical interface (xe-5/0/0) for the DS-Lite traffic from the B4 router (traffic simulator ports 9/5 and 9/6).

    10,000 DS-Lite sessions are simulated from the traffic simulator port, which indicates that 10,000 softwires are up and running.

    At this point, there are 24,000 PPPoE subscriber sessions, and 10,000 DS-Lite sessions are on the MX Series router.
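Steps 2 through 5 above as Junos set commands, with NAT logging added so that a translated address and port can be mapped back to the originating softwire. This is an added illustration, not configuration from the original example or from Juniper; the service package statement of step 1 is left out, and the pool 203.0.113.0/24, the AFTR address 2001:db8:ffff::1, the names aftr1, ds-lite-rule, ds-lite-nat and ds-lite-sset, the syslog collector 192.0.2.20 and the service interface sp-1/0/0 are assumptions. Lines beginning with # are annotations rather than CLI input.

```junos
# Step 2: NAT rule for the decapsulated IPv4 packets (NAPT onto an assumed public pool).
set services nat pool ds-lite-pool address 203.0.113.0/24
set services nat pool ds-lite-pool port automatic
set services nat rule ds-lite-nat match-direction input
set services nat rule ds-lite-nat term t1 from source-address 10.0.0.0/8
set services nat rule ds-lite-nat term t1 then translated source-pool ds-lite-pool
set services nat rule ds-lite-nat term t1 then translated translation-type napt-44
# Step 3: the AFTR (softwire concentrator) and the rule that terminates softwires on it.
set services softwire softwire-concentrator ds-lite aftr1 softwire-address 2001:db8:ffff::1
set services softwire softwire-concentrator ds-lite aftr1 mtu-v6 9192
set services softwire softwire-rules rule ds-lite-rule match-direction input
set services softwire softwire-rules rule ds-lite-rule term t1 then ds-lite aftr1
# Step 4: service set binding the softwire and NAT rules to the MS-DPC in slot 1.
set services service-set ds-lite-sset softwire-rules ds-lite-rule
set services service-set ds-lite-sset nat-rules ds-lite-nat
set services service-set ds-lite-sset interface-service service-interface sp-1/0/0
# NAT session logging: without it, a CGN address cannot be traced back to a subscriber
# when handling an abuse report (collector address is assumed).
set services service-set ds-lite-sset syslog host 192.0.2.20 services any
set services service-set ds-lite-sset syslog host 192.0.2.20 class nat-logs
# Step 5: apply the service set on the IPv6 ingress interface facing the B4 routers.
set interfaces xe-5/0/0 unit 0 family inet6 address 2001:db8:ffff::1/64
set interfaces xe-5/0/0 unit 0 family inet6 service input service-set ds-lite-sset
set interfaces xe-5/0/0 unit 0 family inet6 service output service-set ds-lite-sset
```

The translation-type keyword shown is the one used in current Junos releases; check the NAT rule syntax against the reference for the release actually deployed. show services softwire statistics and show services nat pool ds-lite-pool detail show the established softwires and pool usage.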

Configuring Threat Management

Step-by-Step Procedure

Now that the subscriber sessions are set up, you can enable Dynamic Application Awareness and test the intrusion prevention capability of the router. The Dynamic Application Awareness for the Junos OS set of services adds support for the intrusion detection and prevention (IDP) functionality using deep packet inspection (DPI) technology to Juniper Networks MX Series routers equipped with MS-DPCs.

DPI is configured on the MX Series router using service-sets. IDP depends on application identification services (APPID) for definition and detection of some layer 7 applications.

Note

Before configuring any IDP policy, download the APPID application package.

To configure threat management:

  1. Configure the service package.
  2. To configure IDP properties, include statements at the [edit security idp] hierarchy level.

    In general, configure IDP processes by including the idp-policy statement. Configure the IDP policy and include the recommended multiple match conditions.

  3. Configure the application profile.
  4. Define the service set to include the IDP policy, application profiles, and any other application-aware access list (AACL) rules defined.

    This service set is then linked to the MS-DPC, which performs all the threat management processing and forwards any alerts to the STRM appliance.

  5. Configure a dynamic profile, and link the service set test_sset to the subscriber profile interface.

    The traffic from the DHCP and PPPoE subscribers is detected by the DPI engine, and the information is then sent to the STRM application. STRM appliances are designed to respond to the right threats at the right time through effective analysis of networks, events, and audit log files. STRM appliances can identify environmental anomalies in the network, an attack path, and the source of a threat. STRM appliances provide network remediation for threat responses across all security products.
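Steps 2, 4 and 5 above as Junos set commands, with IDP alerts exported over syslog toward the STRM appliance. This is an added illustration, not configuration from the original example or from Juniper; the service package of step 1 and the application profile of step 3 are left out, and the policy name subscriber-ips, the attack group placeholder, the collector address 192.0.2.20 and the service interface sp-2/0/0 are assumptions. The idp-profile statement is the service-set linkage as understood here; confirm it against the reference for the deployed release. Lines beginning with # are annotations rather than CLI input.

```junos
# Step 2: IDP policy at [edit security idp]. The rule matches the application the DPI
# engine identifies and a predefined attack group (replace the placeholder with a real group).
set security idp idp-policy subscriber-ips rulebase-ips rule r1 match application default
set security idp idp-policy subscriber-ips rulebase-ips rule r1 match attacks predefined-attack-groups "ATTACK-GROUP-NAME-PLACEHOLDER"
# "recommended" applies the action Juniper assigns to each signature; log-attacks
# generates the alert record that is forwarded to STRM.
set security idp idp-policy subscriber-ips rulebase-ips rule r1 then action recommended
set security idp idp-policy subscriber-ips rulebase-ips rule r1 then notification log-attacks
# Step 4: service set test_sset carrying the IDP policy, bound to the MS-DPC that does the
# inspection (sp-2/0/0 assumed), with IDS logs sent to the STRM collector (address assumed).
set services service-set test_sset idp-profile subscriber-ips
set services service-set test_sset interface-service service-interface sp-2/0/0
set services service-set test_sset syslog host 192.0.2.20 services any
set services service-set test_sset syslog host 192.0.2.20 class ids-logs
# Step 5: apply test_sset to the subscriber interface inside the dynamic profile, so
# traffic in both directions for every PPPoE session passes through the DPI engine.
set dynamic-profiles PPPOE-SUBSCRIBER interfaces pp0 unit "$junos-interface-unit" family inet service input service-set test_sset
set dynamic-profiles PPPOE-SUBSCRIBER interfaces pp0 unit "$junos-interface-unit" family inet service output service-set test_sset
```

show security idp policies lists the loaded policy, and a rising counter under show services service-sets statistics for test_sset on the service interface confirms that subscriber traffic is actually reaching the DPI engine.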

Results

The configuration and verification parts of this example have been completed. The following sections are for your reference.

DS-Lite Relevant Configuration

DPI Relevant Configuration