Configuring Juniper SRX MPIM VDSL2 module with DHCP/IPOE for use with consumer ISP
Description
This post documents terminating consumer broadband on an SRX security gateway with an MPIM VDSL2 module installed, using the DHCP/IPOE configuration. These steps require VLAN tagging, which is in Junos 12.1. Most consumer broadband providers use vlan-id 101, but check with yours for the correct configuration. The VDSL2 MPIM interface is at device pt-1/0/0 in Junos.
Steps
Configuring DHCP/IPOE on the VDSL2 interface.
set interfaces pt-1/0/0 vlan-tagging
set interfaces pt-1/0/0 mtu 1500
set interfaces pt-1/0/0 vdsl-options vdsl-profile auto
set interfaces pt-1/0/0 unit 0 vlan-id 101
set interfaces pt-1/0/0 unit 0 family inet dhcp
Configure the VDSL2 interface in the untrust zone and allow DHCP.
set security zones security-zone untrust interfaces pt-1/0/0.0
set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services dhcp
Configure the default route. Make sure you delete any previous default routes.
set routing-options static route 0.0.0.0/0 next-hop pp0.0
Check the interface status. Here it is up and the local public IP is configured. The address shown below as 1.2.3.4/20 will be unique and assigned by the ISP.
> show interfaces pt-1/0/0 terse
Interface Admin Link Proto Local Remote
pt-1/0/0 up up
pt-1/0/0.0 up up inet 1.2.3.4/20
pt-1/0/0.32767 up up
Check the interface status in brief. You can also check extensive, which shows the VDSL connected up and down bit rates (line speeds): > show interfaces pt-1/0/0 extensive | match rate
> show interfaces pt-1/0/0 brief
Physical interface: pt-1/0/0, Enabled, Physical link is Up
Type: PTM, Link-level type: Ethernet, MTU: 1500, VDSL mode, Speed: VDSL2
Device flags : Present Running
Logical interface pt-1/0/0.0
Flags: SNMP-Traps VLAN-Tag [ 0x8100.101 ] Encapsulation: ENET2
Security: Zone: untrust
Allowed host-inbound traffic : dhcp
inet 1.2.3.4/20
Logical interface pt-1/0/0.32767
Flags: SNMP-Traps VLAN-Tag [ 0x0000.0 ] Encapsulation: ENET2
Security: Zone: Null
If you have an IP assigned on the interface, exit the CLI and confirm you can ping Google public DNS.
> exit
% ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=118 time=15.032 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=15.424 ms
Troubleshooting
Monitor the interface if DHCP is not working. Check again with your ISP for the VLAN and MTU. Use ‘show configuration interfaces pt-1/0/0’ to validate the config.
> monitor traffic interface pt-1/0/0 no-resolve
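An offline consistency check for the steps above, as an added example that is not part of the original post: it reads configuration in `show configuration | display set` form and reports missing VLAN tagging, missing zone membership, host-inbound services beyond DHCP on the untrust interface, and static routes whose next-hop interface is not configured. The `audit` helper, the DHCP-only allow-list and the sample input are assumptions constructed for illustration.

```python
import re

ALLOWED_SERVICES = {"dhcp"}  # assumption: the WAN side needs only the DHCP client

def audit(config, wan="pt-1/0/0", unit="0", zone="untrust"):
    """Return findings for set-style Junos lines (hypothetical helper, not a Junos tool)."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    ifl = f"{wan}.{unit}"
    findings = []

    def has(stmt):
        return any(l == stmt or l.startswith(stmt + " ") for l in lines)

    # A unit with a vlan-id needs vlan-tagging on the physical interface.
    if has(f"set interfaces {wan} unit {unit} vlan-id") and not has(f"set interfaces {wan} vlan-tagging"):
        findings.append(f"{wan}: unit {unit} has a vlan-id but vlan-tagging is not set")
    if not has(f"set interfaces {wan} unit {unit} family inet dhcp"):
        findings.append(f"{ifl}: family inet dhcp is not configured")

    # Zone membership, and the interface-level host-inbound list kept to what is needed.
    zone_stmt = f"set security zones security-zone {zone} interfaces {ifl}"
    if not has(zone_stmt):
        findings.append(f"{ifl}: not in security zone {zone}")
    svc_re = re.compile(re.escape(zone_stmt) + r" host-inbound-traffic system-services (\S+)$")
    services = {m.group(1) for l in lines if (m := svc_re.match(l))}
    if "dhcp" not in services:
        findings.append(f"{ifl}: dhcp is not allowed as host-inbound traffic")
    for svc in sorted(services - ALLOWED_SERVICES):
        findings.append(f"{ifl}: extra host-inbound service '{svc}' in zone {zone}")

    # A static route whose next-hop is an interface should name one configured here.
    configured = {m.group(1) for l in lines if (m := re.match(r"set interfaces (\S+) ", l))}
    route_re = re.compile(r"set routing-options static route (\S+) next-hop ([a-z][\w/-]*)\.(\d+)$")
    for l in lines:
        m = route_re.match(l)
        if m and m.group(2) not in configured:
            findings.append(f"route {m.group(1)}: next-hop {m.group(2)}.{m.group(3)} is not configured in this input")
    return findings

# Constructed sample input (not captured from a device).
SAMPLE = """
set interfaces pt-1/0/0 vlan-tagging
set interfaces pt-1/0/0 unit 0 vlan-id 101
set interfaces pt-1/0/0 unit 0 family inet dhcp
set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces pt-1/0/0.0 host-inbound-traffic system-services ssh
set routing-options static route 0.0.0.0/0 next-hop pp0.0
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```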
Summary
It really is very simple to set up, far more than PPPoE. You might need further Junos SRX configuration depending on your network, but connected devices set with the SRX as gateway should be internet connected. If you can ping outside from the SRX then it's down to troubleshooting your local configuration.
References:
https://www.juniper.net/documentation/us/en/software/junos/interfaces-security-devices/topics/topic-map/vdsl2-interfaces-topicmap.html
For the PPPoE setup (not always supported for consumer connections)
set interfaces pt-1/0/0 vlan-tagging
set interfaces pt-1/0/0 vdsl-options vdsl-profile auto
set interfaces pt-1/0/0 unit 0 encapsulation ppp-over-ether
set interfaces pt-1/0/0 unit 0 vlan-id 101
set interfaces pp0 unit 0 ppp-options chap default-chap-secret "check_with_ISP"
set interfaces pp0 unit 0 ppp-options chap local-name "check_with_ISP"
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface pt-1/0/0.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet negotiate-address
set security zones security-zone untrust interfaces pp0.0
set routing-options static route 0.0.0.0/0 next-hop pp0.0
monitor traffic interface pt-1/0/0 no-resolve
monitor traffic interface pt-1/0/0 size 96
monitor traffic interface pt-1/0/0 extensive
show ppp statistics detail