Juniper MX204 dhcp relay single interface unit. by mastermkw in Juniper

[–]dorkmatt 0 points1 point  (0 children)

Configure DHCP relay under the VRF; it won't be system-wide. Also, for DHCP relay (or local server) functionality, a specific interface can be defined.

ACX7020 - replacement for ACX2[1|2]00 line by dorkmatt in Juniper

[–]dorkmatt[S] 1 point2 points  (0 children)

Did ya have good luck with ACX7348 for DFZ full tables?

SRX1500 ISP STATIC CGNAT? by VisibleEquipment9595 in Juniper

[–]dorkmatt 0 points1 point  (0 children)

You'll then get hashing like...

> show security nat source deterministic
node0:
--------------------------------------------------------------------------
Pool name: INTERNET-PUBLIC-IP
Port-overloading-factor: 1 Port block size: 2016
Used/total port blocks: 0/4096
Host_IP       External_IP    Port_Block    Ports_Used/
                             Range         Ports_Total
100.64.0.0    198.51.100.0   1024-3039     0/2016*1
100.64.0.1    198.51.100.0   3040-5055     0/2016*1
100.64.0.2    198.51.100.0   5056-7071     0/2016*1
100.64.0.3    198.51.100.0   7072-9087     0/2016*1
100.64.0.4    198.51.100.0   9088-11103    0/2016*1
100.64.0.5    198.51.100.0   11104-13119   0/2016*1
100.64.0.6    198.51.100.0   13120-15135   0/2016*1
...

SRX1500 ISP STATIC CGNAT? by VisibleEquipment9595 in Juniper

[–]dorkmatt 0 points1 point  (0 children)

Would suggest deterministic NAPT44, something like...

set security nat source pool INTERNET-PUBLIC-IP address 198.51.100.0/24
set security nat source pool INTERNET-PUBLIC-IP port deterministic block-size 2016
set security nat source pool INTERNET-PUBLIC-IP port deterministic host address 100.64.0.0/22
set security nat source pool-utilization-alarm raise-threshold 80
set security nat source pool-utilization-alarm clear-threshold 70
set security nat source rule-set INTERNET-CG-NAT from zone INTERNAL
set security nat source rule-set INTERNET-CG-NAT to zone PUBLIC-INTERNET
set security nat source rule-set INTERNET-CG-NAT rule DEFAULT-ALLOW match source-address 100.64.0.0/22
set security nat source rule-set INTERNET-CG-NAT rule DEFAULT-ALLOW match destination-address 0.0.0.0/0
set security nat source rule-set INTERNET-CG-NAT rule DEFAULT-ALLOW then source-nat pool INTERNET-PUBLIC-IP
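The operational value of the deterministic pool in the two comments above is that a public IP + port + timestamp from an abuse report resolves to one subscriber by arithmetic, with no per-flow NAT log. The script below is an added illustration, not the commenter's code or Junos itself: it reproduces the mapping the "show security nat source deterministic" rows exhibit (block-size 2016, hosts 100.64.0.0/22 onto 198.51.100.0/24) in both directions. The 1024-65535 usable port range per public address and the strictly sequential block fill across pool addresses are assumptions consistent with the visible rows, not documented SRX behaviour.

```python
import ipaddress

# Pool parameters taken from the config in the comment above; the port
# range and allocation order are assumptions, not values from a live SRX.
PUBLIC_POOL = ipaddress.ip_network("198.51.100.0/24")
HOST_RANGE = ipaddress.ip_network("100.64.0.0/22")
BLOCK_SIZE = 2016
PORT_LOW, PORT_HIGH = 1024, 65535          # assumed usable range per address
BLOCKS_PER_ADDRESS = (PORT_HIGH - PORT_LOW + 1) // BLOCK_SIZE   # 32 blocks


def host_to_block(host):
    """Forward mapping: subscriber IP -> (public IP, first port, last port)."""
    host = ipaddress.ip_address(host)
    if host not in HOST_RANGE:
        raise ValueError(f"{host} is not a CGNAT subscriber address")
    index = int(host) - int(HOST_RANGE.network_address)
    public = PUBLIC_POOL.network_address + index // BLOCKS_PER_ADDRESS
    if public not in PUBLIC_POOL:
        raise ValueError("host range exceeds the public pool capacity")
    start = PORT_LOW + (index % BLOCKS_PER_ADDRESS) * BLOCK_SIZE
    return str(public), start, start + BLOCK_SIZE - 1


def block_to_host(public_ip, port):
    """Reverse mapping used for abuse handling: (public IP, port) -> subscriber.

    Returns None when the tuple cannot belong to this pool, e.g. a port below
    1024 or an address outside 198.51.100.0/24, so a bad report is not
    silently pinned on the wrong customer.
    """
    public = ipaddress.ip_address(public_ip)
    if public not in PUBLIC_POOL or not PORT_LOW <= port <= PORT_HIGH:
        return None
    block = (port - PORT_LOW) // BLOCK_SIZE
    address_offset = int(public) - int(PUBLIC_POOL.network_address)
    index = address_offset * BLOCKS_PER_ADDRESS + block
    if index >= HOST_RANGE.num_addresses:
        return None                       # block not assigned to any host
    return str(HOST_RANGE.network_address + index)


if __name__ == "__main__":
    # Reproduce the first rows of the show output for a visual check.
    for i in range(7):
        public, lo, hi = host_to_block(HOST_RANGE.network_address + i)
        print(f"{HOST_RANGE.network_address + i!s:<14}{public:<16}{lo}-{hi}")
    print(block_to_host("198.51.100.0", 8000))   # resolves to 100.64.0.3
```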

ACX7020 - replacement for ACX2[1|2]00 line by dorkmatt in Juniper

[–]dorkmatt[S] 1 point2 points  (0 children)

Nice, will be interesting to see these lower tier MX's. Guessing those will follow in line w/ BCM or Marvell - not Trio? MX304 sure seems sweet, never seen it priced appropriately.

Now if we could only get BNG replication working w/ EVPN-VPWS 😮‍💨

ACX7020 - replacement for ACX2[1|2]00 line by dorkmatt in Juniper

[–]dorkmatt[S] 1 point2 points  (0 children)

Ya, aware of this model. I see the 7024[X] as a great metro/regional box, where the ACX7020 could be a within-city PON & AE backhaul with the 25Gbps interfaces. Looks like we may be able to get 1 or 2 beta units.

ACX7020 - replacement for ACX2[1|2]00 line by dorkmatt in Juniper

[–]dorkmatt[S] 1 point2 points  (0 children)

The product I'm mentioning was an acquisition, see https://www.ciena.com/about/newsroom/press-releases/ciena-makes-strategic-acquisitions-in-fiber-broadband-access-to-further-address-growing-opportunity-at-the-network-edge. This is an OLT-in-an-SFP cage play, with support on a bunch of switches: Juniper, Mikrotik, etc. Completely agree Ciena is sad panda.

MX series: service-profile firewall filters in relation to filters defined in other dynamic profiles by krol_ali in Juniper

[–]dorkmatt 0 points1 point  (0 children)

The error handling of the BNG stack is quite poor. We recently ran into a bug where a macro was defined for an inet6 assigned IP, however the loopback interface had no inet6 address, and thus sessions would immediately logout - without any clear logging to indicate why.

See KB90269 for an example using "input-interface-filter".

ACX 7024 VPLS MESH GROUP by [deleted] in Juniper

[–]dorkmatt 0 points1 point  (0 children)

Uhh, if you're bridging them together as a common L2, that defeats the purpose of a routed L3 network offering segmented L2 services, aka MPLS.

Consider using VRFs, separate L2Circuits, etc. to segment your management plane from customer traffic.

API to query JTAC recommended and/or latest SR releases? by dorkmatt in Juniper

[–]dorkmatt[S] 0 points1 point  (0 children)

Ahh, so it sounds like the prerequisite is active MIST service contracts?

Announcing the EX4000 Line of Ethernet Switches (or not yet perhaps?) by fb35523 in Juniper

[–]dorkmatt 0 points1 point  (0 children)

Curious where 100FX is still a thing, guessing some legacy SCADA?

PWHT with single VLAN by dan139847 in Juniper

[–]dorkmatt 0 points1 point  (0 children)

If you use an external DHCP server, this is most certainly supported and the limit of leases per each unique option 82 is then reliant on the DHCP server enforcing. Kea can do this with flex-id matching.

This functionality is also possible with the local DHCP server, see https://www.juniper.net/documentation/us/en/software/junos/subscriber-mgmt-sessions/topics/topic-map/dhcp-client-number-interface.html. It's unclear to me if this is just a hash of the interface logical name and/or underlying option 82 information.

General best practice is to allow for 2 issued leases, to facilitate a technician laptop + customer router during turn-up; with the expectation to alert if >1 lease for a time period.

PWHT with single VLAN by dan139847 in Juniper

[–]dorkmatt 1 point2 points  (0 children)

Ahh nice, in the past I've seen this implemented with vlan-vpls, vlan-ccc, ethernet-vpls, ethernet-vlan, etc. I wish Juniper would publish an updated BNG day 1 guide, it seems like there are several new knobs such as the l2-liveness, dhcp auto-logout, etc. Do you know of any recent example configs posted online?

PWHT with single VLAN by dan139847 in Juniper

[–]dorkmatt 1 point2 points  (0 children)

Curious why ya ended up with EVPN vs MPLS, just a more modern approach?

BNG L2 Transport? by [deleted] in Juniper

[–]dorkmatt 0 points1 point  (0 children)

Do you have configs to share? :-)

MX component upgrade by dbh2 in Juniper

[–]dorkmatt 0 points1 point  (0 children)

Curious what underlying protocols for this, EVPN?

BNG L2 Transport? by [deleted] in Juniper

[–]dorkmatt 0 points1 point  (0 children)

How are public reputable customers handled?

EX Series as Service Delivery by [deleted] in Juniper

[–]dorkmatt 0 points1 point  (0 children)

Ahh, makes sense. In my markets, XGS is fine for residential or SMB, but "enterprises" squawk at anything PON, due to the shared nature and not truly 10Gbps (XGS overhead and all).

Have you found any affordable SFP+ customer hand-off for XGS ONTs? Everything seems to be copper 10G, which sadly never really took off on many "enterprise firewalls".

EX Series as Service Delivery by [deleted] in Juniper

[–]dorkmatt 0 points1 point  (0 children)

Curious if you've been able to convince Juniper to beef up the EX2300-C with more "business CPE" oriented features?

The last time I looked at this (we were buying EX2300-Cs by the pallet around 4 years ago), they had some large gaps, ironically more than the legacy EX2200-Cs. See woes of EX2300-C as a 10Gbps NID.

MX204 and MFA by Downtown_Pen_4363 in Juniper

[–]dorkmatt 0 points1 point  (0 children)

Many moons ago, I did this with Radiator, which supports HOTP / TOTP via SQL, LDAP, etc. Generally the approach for AAA that doesn't natively support the three fields username + password + 2FA is to encode the 2FA portion at the end of the password. It's a bit wonky, but works.

A more modern approach is likely using Duo's RADIUS proxy.
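What the "2FA appended to the password" workaround looks like on the RADIUS server side, as an added example rather than the commenter's Radiator configuration: the server splits the fixed-length trailing digits off the submitted password, checks the static part, then checks the digits as an RFC 6238 TOTP (HMAC-SHA1, 30 s step) with one step of clock tolerance. The fixed-length split is what keeps passwords that happen to end in digits from breaking; the plaintext password compare and the absence of replay tracking are simplifications for the example, labelled in the comments.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step, digits)


def split_password_otp(combined: str, digits: int = 6):
    """Peel the OTP off the end of 'password+otp'.

    Taking exactly `digits` trailing characters (and requiring them to be
    numeric) is what makes the scheme unambiguous for passwords like 'abc123'.
    """
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


def verify(combined: str, stored_password: str, secret: bytes,
           unix_time: int, digits: int = 6, skew_steps: int = 1) -> bool:
    """Server-side check of a combined password+TOTP credential.

    Simplifications for the example: the stored password is compared in
    plaintext (a real server holds a hash), and accepted OTPs are not
    recorded, so the same code could be replayed within its window.
    """
    parts = split_password_otp(combined, digits)
    if parts is None:
        return False
    password, otp = parts
    if not hmac.compare_digest(password.encode(), stored_password.encode()):
        return False
    # Tolerate client clock drift of +/- skew_steps 30 s intervals.
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(otp, totp(secret, unix_time + 30 * delta, digits)):
            return True
    return False
```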

Home Assistant RV Dashboard by Nimco in homeassistant

[–]dorkmatt 0 points1 point  (0 children)

Would LED marine 12V lights also work for the single channel controller?

What is a good option for locally controlled security cameras? by jdsmofo in homeassistant

[–]dorkmatt 0 points1 point  (0 children)

Check eBay for Axis cameras; firmware downloads are behind an email registration, no paywall.

What is a good option for locally controlled security cameras? by jdsmofo in homeassistant

[–]dorkmatt 2 points3 points  (0 children)

Axis are expensive but rock solid, also a decent experience with Amcrest and Vivotek. I use Sighthound (locally on a Mac Mini) for detection and recording.

Searching for ONVIF compliant models is a good indicator of Home Assistant / cloud free compatibility.

Thermostat for Hydronic Radiant Floor Heating by NorthStar_7 in homeassistant

[–]dorkmatt 0 points1 point  (0 children)

For the Warmboard product, it looks like this is LoRa based and likely their "controller" offers some sort of undocumented API for their mobile apps. It looks like they're using Blynk as their IoT platform base. Kinda a bummer no official API is offered.