IP Demultiplexing Interfaces on Packet-Triggered Subscriber Services
Read this topic to learn about the packet-triggered subscribers feature available in Junos and how to configure it. The packet-triggered subscribers feature creates IP demultiplexing interfaces (IP demux IFLs) on receiving a data packet from a client with a preassigned IP address.
IP Demultiplexing Interfaces on Packet-Triggered Subscribers Services Overview
The packet-triggered subscribers feature creates IP demultiplexing interfaces (IP demux IFLs) on receiving a data packet from a client with a preassigned IP address. On receiving the first packet, the control plane checks the IP address. If the source IP address matches one of the configured IP address ranges, the subscriber is authenticated with the authenticating server. On successful authentication, the IP demux IFL is created using the dynamic profile specified in the CLI. The IP demux IFL adds the framed route and demux source for the subscriber using the mask passed by the authenticating server. If the authenticating server does not send a mask, the access and demux routes are installed using the mask specified in the CLI.
For residential IPv4 subscribers, all traffic from a single household typically has the same source IPv4 address. Hence, for every household only one IP demux IFL with a single IPv4 address is created. For business IPv4 subscribers, multiple IPv4 addresses may be assigned using framed routes, resulting in one IP demux IFL representing multiple IPv4 addresses. For IPv6, the source address of traffic coming from the same household or business differs, because each device has a separate IPv6 address. The optimal representation of a household or business in this case is one IP demux IFL with an IPv6 prefix, representing all IPv6 addresses in the household or business.
If authentication fails during IP demux IFL creation, the IP demux IFL is still created, but it cannot forward any traffic. Any traffic received for the associated subscriber is dropped. All such rejected IP demux IFLs remain in the configured state and are referred to as configured subscribers. Creating the IP demux IFL even when authentication fails avoids thrashing, because subsequent packets are dropped on the PFE and are not punted to the RE. All subscribers in the ‘Configured’ state are periodically removed. Once these subscribers are removed, any new packets received from the same source are punted to the RE again.
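The following Python model is an added example, not Juniper code, that illustrates the behavior described above: the first packet is punted to the RE, a mask from the authenticating server takes precedence over the CLI mask, and a rejected subscriber's IFL in the configured state absorbs later packets on the PFE. The class, the function names, the sample addresses, and the "no-match" outcome for out-of-range sources are assumptions made for the illustration.

```python
import ipaddress

class PacketTriggeredModel:
    """Toy model of the RE/PFE split described above; not Junos code."""

    def __init__(self, ranges, cli_prefix_len, authenticate):
        self.ranges = [ipaddress.ip_network(r) for r in ranges]
        self.cli_prefix_len = cli_prefix_len  # {4: len, 6: len}, the CLI mask
        self.authenticate = authenticate      # ip -> (accepted, server mask or None)
        self.demux = {}                       # prefix -> "active" | "configured"
        self.punts = 0                        # packets that reached the RE

    def receive(self, src_ip):
        src = ipaddress.ip_address(src_ip)
        # PFE: an existing demux IFL decides without involving the RE.
        for prefix, state in self.demux.items():
            if src in prefix:
                return "forward" if state == "active" else "drop-pfe"
        # First packet from this source: punt to the RE.
        self.punts += 1
        if not any(src in r for r in self.ranges):
            return "no-match"  # assumption: out-of-range sources get no IFL
        accepted, server_len = self.authenticate(src_ip)
        # A mask from the authenticating server wins over the CLI mask.
        plen = server_len if server_len is not None else self.cli_prefix_len[src.version]
        prefix = ipaddress.ip_network(f"{src_ip}/{plen}", strict=False)
        # A rejected subscriber still gets an IFL, in the 'configured' state.
        self.demux[prefix] = "active" if accepted else "configured"
        return "created-active" if accepted else "created-configured"

    def purge_configured(self):
        """Periodic removal of rejected ('configured') subscribers."""
        self.demux = {p: s for p, s in self.demux.items() if s == "active"}

def constructed_radius(ip):
    """Constructed stand-in for the authenticating server."""
    if ip.startswith("203.0.113."):
        return (False, None)   # reject
    if ip.startswith("2001:db8:"):
        return (True, 56)      # accept, server supplies a /56
    return (True, None)        # accept, no mask sent

def rejected_flood(packets):
    """Punts caused by `packets` packets from one rejected source."""
    m = PacketTriggeredModel(["203.0.113.0/24"], {4: 32, 6: 64}, constructed_radius)
    results = [m.receive("203.0.113.9") for _ in range(packets)]
    return m.punts, results.count("drop-pfe")

if __name__ == "__main__":
    print(rejected_flood(1000))
```

In the model, a rejected source costs the RE one punt per cleanup interval regardless of how many packets it sends, which is the thrashing the configured state is meant to prevent.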
Packet-Triggered Subscriber support requires that the MAC address of the connected device remain unchanged for the duration of the subscriber session. If the MAC address changes for a packet-triggered subscriber after the subscriber has logged in and the session is up, the subscriber will not be able to connect from the new device with the same IP address. You can avoid this by setting a period during which the session is monitored for subscriber activity. Use the client-idle-timeout option at the [edit access profile profile-name session-options] hierarchy level. When the timeout expires, the subscriber is gracefully logged out. The subscriber can then successfully log in from the second device. See Configure Subscriber Session Timeout Options.
Benefits of IP Demultiplexing Interfaces on Packet-Triggered Subscribers Services
- Allows subscriber management and dynamic subscriber interface configuration in cases where devices in the home or business already have IPv4/IPv6 addresses assigned via other means, for example, statically assigned, or via a Cable Modem Termination System (CMTS).
- Supports packet-triggered subscribers using authentication and service selection by a RADIUS server, and allows a maximum of 16 IPv4 and 16 IPv6 address ranges per underlying IFL.
- Allows the authenticating server to pass in the dynamic profile to use. When the authenticating server passes these values, they take precedence over values configured through the CLI.
- Provides a throttling mechanism to mitigate DoS-like attacks and limit the rate of exception packets sent to the RE for IP demux authentication and creation. The throttling mechanism uses the existing DDoS mechanism.
See Demultiplexing Interface Overview