Subscriber Packet Type Authentication Triggers for Dynamic VLANs
By default, VLAN authentication is triggered by any of the packet types specified with the accept statement in the dynamic profile that instantiates the VLAN and subscriber interfaces. For certain business cases, you may want a more generic dynamic profile that includes several packet types, but in some situations want the VLAN to be authenticated for only a subset of your customers. You can use the packet-types statement to specify the desired subset.
Sample Uses for Packet Type Triggering
The following two use cases describe circumstances when you might want to authenticate a VLAN for only certain subscribers and not others.
Conserving resources in a mixed access model—A mixed access model might employ dynamic VLANs to provide services for PPPoE subscribers, IPoE subscribers, IPv6oE subscribers, or other subscriber types. Typically, the PPPoE subscribers are residential customers, and the IP subscribers are business customers. An understanding of dynamic VLAN authentication and profile instantiation for these subscribers can help you conserve system resources and avoid some impacts to scaling limits.
By default, authentication is configured for the interface based on the configured VLAN range or stacked VLAN range. Consequently, every dynamic VLAN created in the range must be authenticated, regardless of the packet type that triggers VLAN creation. This works well for the IPoE and IPv6oE subscribers, because dynamic VLAN authentication enables RADIUS-sourced services, such as CoS and filters, to be provisioned. However, the PPPoE subscribers are authenticated by PPP, making the dynamic VLAN authentication unnecessary and a waste of system resources.
You can avoid this waste by restricting dynamic VLAN authentication to only the VLANs that need it. The packet-types statement enables you to specify that only a subset of the packet types accepted on the VLAN interface can trigger authentication. For example, in this heterogeneous access model, the VLAN dynamic profiles accept PPPoE, IPoE, and IPv6oE packets. When you use the packet-types statement to specify that only IPoE or IPv6oE packets can initiate VLAN authentication, the PPPoE VLANs are not submitted to RADIUS for authentication.
Overriding dynamic profiles in a mixed access model—Another use for packet-type triggering is to override the configured dynamic profile for certain subscribers. To accomplish this, create one dynamic profile to match the needs of the PPPoE subscribers and create another dynamic profile for the IPoE subscribers. PPPoE subscribers make up the majority of subscribers in this model, so the PPPoE-tuned dynamic profile is applied to the VLAN interface. Include the IP profile in the Juniper Networks Client-Profile-Name VSA [26-174]. Configure the packet-types statement to specify that only IP packets trigger VLAN authentication.
When an IPoE packet is received, RADIUS authenticates the VLAN. RADIUS returns the override profile contained in the Client-Profile-Name VSA and any other session attributes in the Access-Accept message. The VLAN autoconfiguration process overrides the PPPoE profile by instantiating the IP profile for the IPoE subscriber.
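The first use case above, written as Junos configuration. This is an added example, not taken from the original page; the interface name, profile name, VLAN range, password and username format are assumed values, and the hierarchy shown is the auto-configure stanza for single-tagged VLAN ranges.

```junos
interfaces {
    ge-1/0/0 {                                # assumed access-facing port
        flexible-vlan-tagging;
        auto-configure {
            vlan-ranges {
                dynamic-profile vlan-mixed-access {   # assumed profile name
                    # Packet types that are allowed to create a dynamic VLAN.
                    accept [ inet inet6 pppoe ];
                    ranges {
                        100-500;                      # assumed VLAN range
                    }
                }
                authentication {
                    # Only these packet types submit the VLAN to RADIUS.
                    # pppoe is left out, so VLANs created by PPPoE packets
                    # are not sent for VLAN authentication; those
                    # subscribers are authenticated by PPP instead.
                    packet-types [ inet inet6 ];
                    password "$ABC123";               # placeholder value
                    username-include {
                        interface-name;               # assumed username format
                    }
                }
            }
        }
    }
}
```

Removing the packet-types statement returns the interface to the default behavior, in which every dynamic VLAN created in the range is authenticated.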
Packet Types for VLAN Creation and Authentication
Table 1 lists the packet types that you can configure for VLAN authentication depending on the packet types configured for VLAN creation.
| Packet Types for VLAN Creation | Packet Types for VLAN Authentication |
|---|---|
| | Any combination of |
| | Either |
| | Either |
| | Either |
| | Either |
| | |
You cannot simultaneously configure both dhcp-v4 and inet or dhcp-v6 and inet6 as packet types for VLAN creation or authentication.
Authentication is performed for all VLANs in either of the following cases:
You do not specify a packet type to trigger authentication.
You configure the any option for both VLAN creation and authentication.
In general, VLAN authentication is performed when any packet of the type configured to trigger VLAN creation matches one of the packet types configured to trigger VLAN authentication. However, for certain combinations of configured packets, a specific packet is required to trigger authentication. Table 2 lists these special cases.
| Packet Type for VLAN Creation | Packet Type for VLAN Authentication | Packet Required to Trigger Authentication |
|---|---|---|
| | | any IPv4 packet |
| | | any IPv6 packet |
| | | DHCP discover |
| | | DHCPv6 solicit |
| | | DHCP discover |
| | | DHCPv6 solicit |
| | | DHCP discover |
| | | DHCPv6 solicit |