SRX

Hi,

I've been having a read of the following document:

https://www.juniper.net/documentation/en_US/junos/topics/example/vdsl2-pim-security-interface-configuring.html

And to be honest, it just is not working....

I have an SRX340 that will have ethernet as it's primary link, but I want the DSL to be back up if the primary fails....

Anyone got a basic config I can use for ppp connectivity over ADSL to an LNS?

I probably need to explain the requirments a little better:

The VDSL2 MPIM will be acting like an ADSL CPE (as a backup if the primary Ethernet Circuit fails).

So, I need to ensure it is configured as per a CPE, automated RADIUS assigned (IPCP) IP address. authentication via PPP etc etc...

I have a working Cisco one and here is the Config from that device:

interface ATM0
no ip address
no atm ilmi-keepalive
bridge-group 1
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1

interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname me@me.com
ppp chap password 7 helpmeifyoucan

So, I need something similar to this in Juniper..... Any help would be great?

Oh, almost forgot, I have the Sync light as Green and solid....

I have configured the following, so I think I am almost there, but missing something:

set interfaces at-4/0/0 encapsulation atm-pvc
set interfaces at-4/0/0 atm-options vpi 0
set interfaces at-4/0/0 dsl-options operating-mode auto
set interfaces at-4/0/0 unit 0 encapsulation atm-ppp-vc-mux
set interfaces at-4/0/0 unit 0 vci 0.33
set interfaces at-4/0/0 unit 0 ppp-options chap default-chap-secret "$9$w4soGDjqfQnHqIclMN-HqmP5F"
set interfaces at-4/0/0 unit 0 ppp-options chap local-name "me@me.co.uk"
set interfaces at-4/0/0 unit 0 ppp-options chap passive
set interfaces at-4/0/0 unit 0 ppp-options pap local-name "me@me.co.uk"
set interfaces at-4/0/0 unit 0 ppp-options pap local-password "$9$Web8NbsYoGjqgo/tORlegoJZUH"
set interfaces at-4/0/0 unit 0 ppp-options pap passive
set interfaces at-4/0/0 unit 0 family inet negotiate-address

When I look at interfaces terse I see the following:

at-4/0/0    up    up
at-4/0/0.0 up    down      inet
at-4/0/0.32767 up   up

And if I complete the following command:

run show ppp statistics - to see where the LCP process is at....

Session statistics from PPP process
  Total sessions: 1
    Sessions in disabled phase    : 0
    Sessions in establish phase   : 1
    Sessions in authenticate phase: 0
    Sessions in network phase     : 0
    Bundles in pending phase      : 0

Not exactly sure of the readout......

Any help please?

Okay, I have it working. This ADSL is to be used as a backup in case the ethernet circuit goes down, so I have also configured a default route with preference.... here is the working config:

I have installed the VDSL module into slot 4... for reference:

set interfaces at-4/0/0 encapsulation atm-pvc
set interfaces at-4/0/0 atm-options vpi 0
set interfaces at-4/0/0 dsl-options operating-mode auto
set interfaces at-4/0/0 unit 0 encapsulation atm-ppp-vc-mux
set interfaces at-4/0/0 unit 0 vci 0.38
set interfaces at-4/0/0 unit 0 ppp-options chap default-chap-secret "$9$w4soGDjqfQnHqIclMN-HqmP5F"
set interfaces at-4/0/0 unit 0 ppp-options chap local-name "test@test.co.uk"
set interfaces at-4/0/0 unit 0 ppp-options chap passive
set interfaces at-4/0/0 unit 0 ppp-options pap local-name "test@test.co.uk"
set interfaces at-4/0/0 unit 0 ppp-options pap local-password "$9$Web8NbsYoGjqgo/tORlegoJZUH"
set interfaces at-4/0/0 unit 0 ppp-options pap passive
set interfaces at-4/0/0 unit 0 family inet negotiate-address

set routing-options static route 0.0.0.0/0 next-hop x.x.x.x
set routing-options static route 0.0.0.0/0 qualified-next-hop at-4/0/0.0 preference 25 

The above post shows the working ADSL from the NTE perspective. If I pull the ethernet connection it does route through the backup ADSL, exactly as I want.

The problem I still have is the other end..... Let's have a closer look at the connection through the downstream ISP between my Core PE and the Customer NTE device:

ge-0/0/1 (192.168.1.1/30) NTE ge-0/0/15.10 (10.20.30.2/30) --> S-Tag (Downstream ISP) --> xe-1/2/4.10 (10.20.30.1/30) Core

So, although the NTE recognises the ethernet cable has been pulled, the Core does NOT see the route as being down and still tries to forward the traffic out of the xe-1/2/4.10 interface instead of routing to the LNS and ADSL.....

This must be because of the layer 2 connectivity between the downstream ISP and the Core...... it never see's the route go down so will never fail over...... I will discuss options with the ISP but wanted to get your thoughts on this?

Okay. The issue could be a little more complicated than originally thought.

Given that we do not know for sure what the customer would order, we are looking at the following as a scenario:

NTE device = SRX340 - Ethernet / VDSL

The NTE device has the following ports configured:

ge-0/0/1 - towards the Customer CPE

ge-0/0/15.10 - Customer VLAN to the PE Core

ge-0/0/15.99 - Management VLAN to NTE (Only between PE core and NTE)

at-4/0/0 - DSL Failover

Requirement:

If ge-0/0/15 fails then all traffic from and to the customer will go through at-4/0/0 interface.

Possible issues with scenario requirement:

1: How the PE Core will detect that the ge-0/0/15 interface has failed?

2: The LCP (IPCP) negotiated address on the at-4/0/0 interface will have to be different than the interface on the CPE and then routing has to be in place for that?

3: How do ISPs already get around the above issues?

I note the following forum post has some information, but it does not explain it from an ISP perspective:

https://forums.juniper.net/t5/SRX-Services-Gateway/Juniper-SRX-ADSL-configuration-for-ISP-s-in-the-UK/td-p/166018

Any help would be greatly appreciated.

Thanks

This is more to keep people updated so they can try too.....

I have completed the following:

Moved the at-4/0/0 interface into the untrust zone. 

Now I have completed source NAT. This overcomes both the usage of the same address (CPE and AT-4/0/0 interfaces) and the core not recognising the loss of the interface/route.....

Whether this is an end resolution or not remains to be seen and tested.....

The NAT is between the untrust and trust zone and as the ONLY interface in the untrust is at-4/0/0 then there is no effect when the ethernet is up.

I will close this discussion as I believe the issue with configuring the VDSL2 MPIM is complete. It is working as expected. I do have another issue but it is not with the module, so I will open a new discussion.

Thanks