Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Wi-Fi Access Gateways

Wi-Fi Access Gateway Overview

Wi-Fi access gateway (WAG) provides the public with Wi-Fi access from a residential Wi-Fi network or from a business Wi-Fi network. At home, subscribers have their existing Wi-Fi network; however, a part of their network is available for the general public to use. Members of the public who have an account with the same Internet service provider as the subscriber has at home can access the Internet and mobile network through the public part of the subscriber’s Wi-Fi connection when they are in close proximity to the subscriber’s home. WAG authenticates and connects subscribers regardless of their physical location.

Starting in Junos OS Release 17.2R1, service providers can deploy the MX Series router as a broadband network gateway (BNG) within their network, and then deploy the BNG as a WAG. Figure 1 shows a sample topology.

Figure 1: MX Series Router Deployed as a WAGMX Series Router Deployed as a WAG

After a WAG has been deployed, service providers can configure the WAG to create secure wireless home network connections for computers, laptops, and other Wi-Fi electronic products (such as game systems, tablets, or mobile phones). WAG offers wireline and mobile service providers the following deployments and business value opportunities:

  • Wireline service providers–The WAG deployment is based on an in-home division of access points or public access points, and works with any Wi-Fi access point that creates a generic routing encapsulation (GRE) tunnel to the MX Series router. This deployment protects subscribers and reduces churn by including free Wi-Fi with a paid wireline subscription. For added value, service providers can also sell ad hoc access or mode, such as airport, public safety, search-and-rescue, and café access.

  • Mobile service providers–The WAG deployment is based on the mobile service provider’s own access points, or wholesale and retail with the wireline service provider. Service providers that offer quadruple play, where TV, Internet, wireless, and landline phone services are combined, can leverage both wireline and wireless assets. This deployment offsets costs in mobile packet core and radio access network infrastructures with the ability to offload mobile data. For added value, service providers can offer Wi-Fi for all devices with a mobile data place as a competitive differentiator.

Customers who purchase broadband can also receive Wi-Fi on any community Wi-Fi access point. Subscribers have a private and secure home connection, and can also access a public connection that is shared by other subscribers. To maintain a level of security and protect the private home connection, the two networks are separated. This separation ensures a strong level of bandwidth on the subscribers’ personal connections.

Subscriber services such as authentication, authorization, and accounting (AAA); address assignment; hierarchical quality of service (QoS); lawful intercept; and class of service (CoS) are supported for individual Dynamic Host Configuration Protocol (DHCP) subscribers within the GRE tunnels. Using GRE tunnels for Wi-Fi provides the following benefits:

  • Wi-Fi users who are not directly connected through Layer 2 to WAG are authenticated because GRE tunnels transmit Layer 2 information across any IP network.

  • Services based on user equipment-specific information are applied using the media access control (MAC) address or Subscriber Identity Module (SIM) card.

  • Services are applied in the network, not just at the Wi-Fi access point.

  • The soft GRE or Ethernet-over-GRE standard is supported on most Wi-Fi access points. For services using the Ethernet over GRE standard, only one side of the tunnel needs to be configured; the other end learns the remote IP addresses of all remote tunnel endpoints by examining the incoming GRE packets.

Wi-Fi Access Gateway Deployment Model Overview

Figure 2 shows an MX Series router broadband network gateway (BNG) deployed as a Wi-Fi access gateway (WAG). The WAG provides a multiservice edge with a full broadband feature set that is highly reliable because of the included redundant hardware. Ethernet frames from the user equipment device must be tunneled to the BNG across an IP cloud or public Internet.

Figure 2: MX Series as Wi-Fi Access Gateway Deployment ModelMX Series as Wi-Fi Access Gateway Deployment Model

To support the MX Series BNG deployed as a WAG, dynamic-bridged generic routing encapsulation (GRE) tunnels are created and terminated at the BNG when it receives GRE traffic from the wireless access point (WAP). Dynamic Host Configuration Protocol (DHCP) subscribers are transported through GRE tunnels as either VLAN-tagged per service set identifier (SSID) or untagged. When the user equipment device connects to the SSID and begins to send traffic, the access point initiates a Layer 2 soft GRE or Ethernet-over-GRE connection to the MX Series BNG and the BNG dynamically builds the GRE tunnel. GRE tunnels are cleared after all of the subscribers within a GRE tunnel have logged out and a configurable timer has expired.

This deployment model supports a full set of services per user equipment device and per access point. Subscriber services such as authentication, authorization, and accounting (AAA); address assignment; hierarchical quality of service (QoS); lawful intercept; and class of service (CoS) are supported for individual DHCP subscribers within the GRE tunnels. No additional service cards are required for GRE or QoS because all features run inline on MPCs.

External RADIUS proxy supports Extensible Authentication Protocol (EAP) Subscriber Identity Module (SIM), Tunneled Transport Layer Security (TTLS), and Authentication and Key Agreement (AKA) protocols. The External RADIUS proxy also integrates with HTTP redirect to the Web portal.

The MX Series as WAG deployment model also supports the wholesale of access point access to multiple retail service providers. This wholesaling allows the local breakout of traffic or Layer 3 handoff to retail service providers.

Supported Access Models for Dynamic-Bridged GRE Tunnels on the Wi-Fi Access Gateway

Dynamic-bridged generic routing encapsulation (GRE) tunnels and the Wi-Fi access gateway support interface stacks for VLAN-tagged and untagged subscribers. Subscriber features such as dynamic and service profiles for DHCP subscribers, lawful intercept, firewall filters, and change of authorization (CoA) are supported.

Scaling limitations of pseudowire subscriber interface devices (psn IFDs) require that multiple tunnels share the same psn IFD. The pseudowire is a virtual device that is stacked above the logical tunnel anchor point on the physical interface (the IFD).

Note:

The psn IFD used to service dynamic GRE tunnel terminations cannot be simultaneously used to service MPLS pseudowire terminations.

Subscriber services and lawful intercept are supported only at the IP demultiplexing (demux) interface level.

Note:

A GRE tunnel cannot have both untagged and tagged subscribers.

The tagged model and the untagged model are described in the following sections:

Dynamic VLAN-Tagged Subscribers

To make provisioning and troubleshooting easier for VLAN-tagged subscribers, use the same set of VLANs on all of the Wi-Fi access points. Doing this requires that the same pseudowire subscriber interface service logical interface (psn IFL) (associated with a VLAN ID) on a psn IFD represents multiple GRE tunnels.

A dynamic VLAN demux interface (demux0.yyyyyyyy) is created for each VLAN tag and is stacked over the tunnel psn interface (psn.xxxxxxxx). There can be multiple VLANs (single and dual-tagged) over the same GRE tunnel. The subscribers' IP demux interfaces are then created over the VLAN demux interface.

Untagged Subscribers

Untagged DHCP subscribers can be created directly over the GRE tunnel. For each subscriber, an IP demux interface (demux0.yyyyyyyy) is created and is stacked over the tunnel psn logical interface (psn.xxxxxxxx). There can be multiple subscribers over the same GRE tunnel.

Wi-Fi Access Gateway Configuration Overview

To configure the MX Series router as a Wi-Fi access gateway (WAG):

  1. Configure a pseudowire subscriber logical interface device.

    See Configuring a Pseudowire Subscriber Logical Interface Device for the Wi-Fi Access Gateway.

  2. Configure the conditions for enabling dynamic-bridged GRE tunnels.

    See Configuring Conditions for Enabling Dynamic-Bridged GRE Tunnel Creation.

  3. Configure the type of dynamic-bridged GRE tunnel that carries subscriber traffic to the WAG:
    Note:

    A GRE tunnel cannot have both untagged and tagged subscribers.

Configuring a Pseudowire Subscriber Logical Interface Device for the Wi-Fi Access Gateway

Before you begin, you must create a logical tunnel interface:

To configure the pseudowire subscriber logical interface device on which the dynamic-bridged GRE tunnel is built on the MX Series router Wi-Fi access gateway:

  1. Specify that you want to configure the pseudowire subscriber logical interface device.

    For example:

  2. Specify the logical tunnel interface that is the anchor point for the pseudowire logical device interface.

    For example:

  3. Configure three-level hierarchical scheduling on the logical tunnel interface.

    For example:

  4. Configure the mixed VLAN tagging method for the pseudowire logical interface device.
    Note:

    You must configure flexible-vlan-tagging even if only untagged subscriber packets are being transported on the dynamic-bridged GRE tunnel.

    For example:

  5. Specify that you want to configure unit 0, which represents the transport logical interface.

    For example:

  6. Specify the Ethernet CCC encapsulation method for the transport logical interface.

    For example:

Configuring Conditions for Enabling Dynamic-Bridged GRE Tunnel Creation

Before you begin:

To configure the conditions for enabling dynamic-bridged generic routing encapsulation (GRE) tunnel creation on the MX Series router WAG, you configure one or more GRE tunnel groups. Multiple GRE tunnel groups can have the same source-address or the same destination-networks value, but you cannot use a specific source-address and destination-networks combination in more than one GRE tunnel group.

To configure a GRE tunnel group:

  1. Name the dynamic GRE tunnel group.

    For example:

  2. Specify the source IP address of the GRE tunnels for the WAG. Use the IP address of the MX Series router that you configured to receive the incoming GRE traffic.

    For example:

  3. Specify the IP subnets from which GRE traffic can be processed.

    For example:

  4. Specify the pseudowire subscriber interface device (IFD) on which to build the dynamic-bridged GRE tunnels.

    For example:

  5. Specify the dynamic profile that configures the GRE tunnel.

    For example:

  6. (Optional) Configure the number of seconds that a GRE tunnel remains up after the last subscriber session on the tunnel has ended.

    The default tunnel-idle-timeout value is 120 seconds.

    For example:

  7. To configure another GRE tunnel group, repeat this procedure.

Configuring VLAN Subscriber Interfaces for Dynamic-Bridged GRE Tunnels on Wi-Fi Access Gateways

To configure subscriber interfaces for VLAN-tagged Dynamic Host Configuration Protocol (DHCP) subscribers on dynamic-bridged generic routing encapsulation (GRE) tunnels:

  1. Name the dynamic profile. that creates the GRE tunnel

    For example:

  2. Define the interface with the internal variable used by the router to match the interface name of the receiving interface.

    For example:

  3. Define the unit with the internal variable.

    For example:

  4. (Optional) Enable packet reassembly for fragmented GRE packets.
  5. Define the unit family type.

    For example:

  6. Enable the local address for the interface to be derived from the loopback interface address.

    For example:

  7. Configure the router to respond to any ARP request.
  8. Configure stacked VLAN processing:
    1. Access the VLAN range configuration for stacked VLANs.

      For example:

    2. Specify the dynamic profile that is used to create VLANs.

      For example:

    3. Specify that the VLAN dynamic profile accepts any type of VLAN Ethernet packet.

      For example:

    4. Specify the outer and inner stacked VLAN ranges that you want the dynamic profile to use.

      For example:

  9. Configure single-tagged VLAN processing:
    1. Access the VLAN range configuration for single VLANs.

      For example:

    2. Specify the dynamic profile used to create VLANs.

      For example:

    3. Specify that the VLAN dynamic profile accepts any type of VLAN Ethernet packet.

      For example:

    4. Specify the VLAN range that you want the dynamic profile to use.

      For example:

Configuring Untagged Subscriber Interfaces for Dynamic-Bridged GRE Tunnels on Wi-Fi Access Gateways

To configure subscriber interfaces for untagged Dynamic Host Configuration Protocol (DHCP) subscribers on dynamic-bridged generic routing encapsulation (GRE) tunnels:

  1. Name the dynamic profile that creates the GRE tunnel.

    For example:

  2. Define the interface with the internal variable used by the router to match the interface name of the receiving interface.

    For example:

  3. Define the unit with the internal variable.

    For example:

  4. (Optional) Enable packet reassembly for fragmented GRE packets.
  5. Configure the variable for the underlying interface of the demux interfaces.

    For example:

  6. Define the unit family type.

    For example:

Release History Table
Release
Description
17.2R1
Starting in Junos OS Release 17.2R1, service providers can deploy the MX Series router as a broadband network gateway (BNG) within their network, and then deploy the BNG as a WAG.