Friday 20 April 2018

Talktalk Business VDSL Configuration for Juniper SRX110H

I've recently upgraded my broadband internet connection from a consumer grade connection with Talktalk "residential" to a business grade connection with Talktalk Business. The primary reason for this is that I want a number of static IP addresses to run applications, such as remote access VPN and a number of Unified Comms features. Plus I've always been curious about how it all works with multiple public IPs. I know you can do quite a lot with dynamic DNS, such as DYNDNS or noip, but there are quite a few advantages from a small number of static IPs for me so I'm giving it a go.

The router supplied with the broadband is a standard "budget" router, a Huawei HG633, which is ok but it's not intuitive and there's almost no assistance available. Plus as an IT professional I feel I should be using something a little more "real" anyway :) Traditionally I've used a Cisco 867VAE for ADSL / VDSL but I've run into a few issues, hopefully more in another post coming soon, so I've decided to have a crack with a Juniper SRX110V-HA. And I have to say it's working brilliantly and it was easier than I thought to set up. So I wanted to write up a post with my configuration and a few experiences in case it helps anyone else in the future.

Talktalk Business Settings:
Starting off, here are the TalkTalk Business VDSL settings for Simply Fibre as of April 2018:

Encapsulation Type: PPPoE
MTU: 1492
VDSL VLAN tag: 101
PPP Authentication mode: CHAP
Internet Account username: phonenumber@talktalkbusiness.net
Internet Account Password: contact talktalk support for this
IP Address: negotiated

Juniper Configuration:
Now the Juniper-specific configuration.
The PT interface is the physical VDSL interface and "unit 0" is the default subinterface.

pt-1/0/0 {
    vlan-tagging;
    mtu 1492;
    vdsl-options {
        vdsl-profile auto;
    }
    unit 0 {
        encapsulation ppp-over-ether;
        vlan-id 101;
    }
}

The PP interface is the Logical VDSL interface, similar to a dialer on a Cisco Box. This interface is linked to the Physical interface using the "underlying-interface" command:
pp0 {
    unit 0 {
        ppp-options {
            chap {
                default-chap-secret "xxxxxxxxxxxxx";
                local-name "xxxxxxxxxxx@talktalkbusiness.net";
                passive;
            }
        }
        pppoe-options {
            underlying-interface pt-1/0/0.0;
            auto-reconnect 10;
            client;
        }
        family inet {
            mtu 1492;
            negotiate-address;
        }
    }
}

Set the address of your local VLAN interface (the gateway for your DHCP scope):
vlan {
    unit 0 {
        family inet {
            address 192.168.1.1/24;
        }
    }
}

And your default route and you're done:
routing-options {
    static {
        /* x.x.x.x is the ISP's next-hop address */
        route 0.0.0.0/0 next-hop x.x.x.x;
    }
}

You will have to set up NAT and security zones, but this is done by default on the SRX so that's nice and easy. For completeness, here is the config below.

NAT:
nat {
    source {
        rule-set trust-to-untrust {
            from zone trust;
            to zone untrust;
            rule source-nat-rule {
                match {
                    source-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
}

Security Zones:
security-zone untrust {
    screen untrust-screen;
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        pp0.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
        pt-1/0/0.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}
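
An added example, not part of the original post's configuration: with "all" under host-inbound-traffic, the internet-facing zone accepts every system service and protocol addressed to the SRX itself, so any management service enabled on the box (SSH, Telnet, J-Web and so on) is reachable from the internet. A tighter untrust zone is sketched below, assuming the only inbound services wanted on pp0.0 are ping and IKE for the remote access VPN mentioned at the top of the post, and that pt-1/0/0.0 needs none.

```junos
security {
    zones {
        security-zone untrust {
            screen untrust-screen;
            /* no zone-level host-inbound-traffic: a service is accepted
               only where an interface below lists it explicitly */
            interfaces {
                pp0.0 {
                    host-inbound-traffic {
                        system-services {
                            /* assumption: ICMP echo for monitoring */
                            ping;
                            /* assumption: IKE for the remote access VPN */
                            ike;
                        }
                    }
                }
                /* assumption: the PPPoE carrier interface needs no
                   host-inbound services of its own */
                pt-1/0/0.0;
            }
        }
    }
}
```

Apply a change like this with "commit confirmed" so that a mistake which cuts off your own access rolls back automatically.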

Please note you can't just paste the above config into your device; you have to edit and set the commands. This is how JunOS works. It's actually a great OS and I'd be happy to lend a hand if anyone is new and wants a pointer. I'm no master but I'm enjoying the OS and the way it works.

Lessons Learned:
One gotcha I learned on the way: JunOS doesn't support VLAN tagging on the VDSL interface until Release 12.1. Originally my SRX shipped with 11.x and I had to upgrade this in order to get it working.

Juniper References:
SRX110 Software Config Guide (see the tabs on the left hand side):
https://www.juniper.net/documentation/en_US/release-independent/junos/topics/concept/services-gateway-srx110-configuration-preparing.html

Configuring PPPoE Interfaces:
https://www.juniper.net/documentation/en_US/junos/topics/example/pppoe-security-interface-configuring.html

Configuring Ethernet Switch Ports:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB16667&actp=METADATA

Configuring a static route:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB16572&actp=METADATA

Configuring OSPF:
https://www.juniper.net/documentation/en_US/junos/topics/example/ospf-single-area-configuring.html
