Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual page 162

Configuring ScreenOS Devices Guide
13. Turn on the security device. The device makes a PPPoE connection to the ISP and,
    through the ISP, gets the IP addresses for the DNS servers.
14. Activate DHCP on the internal network, by turning on the workstations. The
    workstations automatically receive the IP addresses for the DNS servers. They get an
    IP address for themselves when they attempt a TCP/IP connection. Every TCP/IP
    connection that a host in the Trust zone makes to the Untrust zone automatically
    goes through the PPPoE encapsulation process.

Related Documentation
Example: Configuring Multiple PPPoE Sessions on a Single Interface (NSM Procedure) on page 138
About Configuring PPPoE on page 135
Configuring a PPPoA Client Instance on page 141

Example: Configuring Multiple PPPoE Sessions on a Single Interface (NSM Procedure)
Some security devices support multiple PPPoE subinterfaces (each with the same MAC
address) for a given physical interface. On such devices, you can make a PPPoE connection
on multiple instances by binding each subinterface to a different PPPoE instance. You
can determine which traffic the device sends over a particular PPPoE session by
configuring routes that specify a specific PPPoE subinterface for each session (no rules
determine the flow of traffic). IPsec tunnels can terminate on such PPPoE subinterfaces.
The maximum number of concurrent PPPoE sessions on a physical interface is limited
only by the number of subinterfaces allowed by the device. There is no restriction on how
many physical interfaces can support multiple sessions. You can specify username,
static-ip, idle-timeout, auto-connect and other parameters separately for each PPPoE
instance or session.
To support a PPPoE session, a subinterface must be untagged. A tagged subinterface
uses an associated VLAN tag to enable the subinterface to receive Layer 2 traffic and
direct it selectively to a particular VLAN, which usually resides in a trusted zone. VLAN
tags allow a single physical interface to direct exchanged packets selectively to and from
VLANs, each through a different subinterface.
By contrast, an untagged interface does not use a VLAN tag to identify a VLAN for a
subinterface. Instead, it uses a feature called encap, which binds the subinterface to a
particular PPPoE definition. By hosting multiple subinterfaces, a single physical
interface can host multiple PPPoE instances. You can configure each instance to go to
a specified AC (access concentrator), thus enabling separate entities (such as ISPs) to
manage the PPPoE sessions through a single interface.
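The constraints described above (untagged subinterfaces only, a different PPPoE instance per subinterface, and routes that steer traffic to each session) can be checked on a planned layout before it is pushed to a device. The following is an added example, not part of the Juniper guide and not NSM or ScreenOS code; the function name, data layout, instance names and prefixes are all assumptions made for illustration.

```python
from collections import Counter

def lint_pppoe_plan(interfaces, instances, routes):
    """Check a planned multi-session PPPoE layout; return sorted findings.

    interfaces: {name: VLAN tag, or None if untagged}
    instances:  {PPPoE instance name: interface it is bound to}
    routes:     [(destination prefix, outgoing interface), ...]
    """
    findings = []
    bound = Counter(instances.values())
    routed = {iface for _, iface in routes}
    for inst, iface in instances.items():
        if iface not in interfaces:
            findings.append(f"{inst}: bound to undefined interface {iface}")
            continue
        tag = interfaces[iface]
        if tag is not None:
            # To support a PPPoE session, a subinterface must be untagged.
            findings.append(
                f"{inst}: {iface} has VLAN tag {tag}, "
                "PPPoE needs an untagged subinterface")
        if bound[iface] > 1:
            # Each subinterface is bound to a different PPPoE instance.
            findings.append(
                f"{inst}: {iface} is bound to {bound[iface]} instances")
        if iface not in routed:
            # Routes, not rules, decide which traffic uses a session.
            findings.append(f"{inst}: no route points at {iface}")
    return sorted(findings)

# Constructed sample plan (hypothetical names and prefixes).
INTERFACES = {"ethernet3": None, "ethernet3.1": None, "ethernet3.2": 20}
INSTANCES = {"isp_a": "ethernet3", "isp_b": "ethernet3.1",
             "isp_c": "ethernet3.2", "isp_d": "ethernet3.1"}
ROUTES = [("0.0.0.0/0", "ethernet3"), ("198.51.100.0/24", "ethernet3.2")]

if __name__ == "__main__":
    for line in lint_pppoe_plan(INTERFACES, INSTANCES, ROUTES):
        print(line)
```

In the sample plan, isp_a passes cleanly, isp_c is flagged for sitting on a tagged subinterface, and isp_b and isp_d are flagged for sharing ethernet3.1 and for having no route that selects it.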
In the following example you define three PPPoE instances:
Instance isp_new_york, password "swordfish," bound to interface ethernet3. This
instance provides access to a service named Big_Apple_Service. The AC is named
isp_ny_ac.
Copyright © 2010, Juniper Networks, Inc.