In the past 15 years I’ve been on about six vendor training courses. The first was a CCNA course back in 2007, which I mainly remember being very confused about why the instructor kept insisting that one day my manager might come up to me and say “hey, can you please take this Class C network and tell me how many subnets I can get out of it if I want to host six machines in each subnet”. Aah yes, that classic question! Of course! What a great way to learn subnetting, and not at all confusing or weird.

The second course was for Juniper’s old Netscreen/ScreenOS series, a platform still dear to my heart. I think we all love the first firewall we ever learned. I remember coming back from that course and saying to my colleagues “lol we’ve been using these device all wrong”.

Last week I was lucky enough to once again go on a Juniper course – a four-day adventure into the dark art of Subscriber Management. I had a great experience, and I thought I’d write this to tell you what’s covered on the course, and hopefully convince you to sign up to the course yourself if you’re in the Service Provider world.



Subscriber Management refers to the suite of technologies that allow broadband users to connect to the internet, whether the user is using xDSL, fibre, or just “using their imagination”.

There’s a lot of moving parts to broadband, such as the various boxes in between your home and the ISP, with names like DSLAM, MSAN, BSR, BNG, LNS, and plenty more acronyms that you’ll learn and forget and re-learn about fifty times before they finally stick.

Those boxes need to understand various protocols and encapsulation types, like L2TP (Layer 2 Tunnelling Protocol) and PPPoE (Point-to-Point Protocol, over Ethernet). And that’s not to mention the way the actual subscribers terminate at the ISP, where you’ll need to be able to create logical interfaces on the fly for each subscriber, and potentially even apply a series of QoS and security profiles to those interfaces dynamically, as well as arbitrary unique VLAN tags.

In fact, that word dynamic is key to subscriber management: on the Juniper MX you’re going to be making extensive use of something called a Dynamic Profile, which is essentially some configuration you create using variables instead of actual names. These variables are filled in by the MX itself based on whatever your RADIUS server tells it, which means you can create something that’s essentially a template which you can then apply to lots of users.

From the sound of that, you’d assume that Subscriber Management was pretty crucial to a functioning ISP – and you’d be right. And yet, in my experience, Subscriber Management is often a very niche skill.

In most ISPs I’ve worked for, there’s generally only been one or two people who truly understand this stuff to the level that they could configure and troubleshoot some of the important boxes involved, like an LNS (L2TP Network Server – the box where traffic leaves the L2TP tunnel and goes onto your ISP), or the BSR, or Broadband Service Router – the layer 3 next-hop at the other end of your DSL or fibre home connection. Sometimes this box is also called a BNG (Broadband Network Gateway) or a BRAS (Broadband Remote Access Server) In fact, sometimes you see people writing B-RAS, because they’re in denial about the fact that the acronym literally says “bras”. Tough luck: the acronym has been made, and we’re now forced to giggle every time we see. This is, unfortunately, our destiny.



Anyway, my point is this: not many people know about this stuff. And that’s a shame, because it’s really interesting.

Interestingly, even though this is very much a service provider tech, you don’t learn it on any of the Juniper SP tracks, and if I’m not mistaken it’s not included on Cisco’s CCIE-SP track either. This may seem odd, and in a way it’s a shame, but thinking back to my own JNCIE experience, I’m definitely relieved that this stuff wasn’t on there. The syllabus was already overwheming enough, without throwing this hefty chunk of complexity into the mix too!

That’s why I heartily recommend you sign up to this course if you can. If you already work at an ISP, it can be difficult to learn this stuff on the job because there’s so much theory involved with all the various protocols, let alone the complex configuration. If you’re going down certification tracks you also won’t come across it, because it’s just not covered. Unless you’re lucky enough to work with someone who’ll take you under their wing and spend week and weeks showing you the ropes, you’re going to need to go off the standard certification path to self-study this one. This course is a great way to plug that gap.



Example slide from very early into the course. Enjoy this simplicity while you can: things get much more complicated from this point!

First of all, the fact that this one topic takes four days says something about the complexity. You’re going to see theory and configuration for loads of the key areas, like subscriber DHCP, PPPoE, and a deep-dive into those dynamic profiles I mentioned earlier.

There’s a big chunk on PPPoE, and a detailed look at L2TP config. All of these parts are analysed not just from the point of view of a traditional ISP, but also from the wholesale service provider that ultimately backhauls the traffic to the ISP.

But it doesn’t end there. Residential ISPs often offer IPTV, which is delivered using multicast. And it turns out there’s more to the design of this than meets the eye, such as how you assign the VLAN tags to distinguish the traffic, or whether you have one single BSR for all traffic, or split them into two: one for data and voice, or one for video. And if you do that, how do you handle IGMP? You might instinctively think that the joins only need to go to the video BSR – but not necessarily. There’s some interesting choices to be made there.

And as soon as we mention voice there, you might think of QoS. Yep: there’s a decent chunk on that in here, as there is on multicast itself, dynamic firewall filters, and so much more.

You’ll also learn about something important called PWHE, or PseudoWire Head-End. This is great stuff, but involves more than just a sentence to explain.

The initial diagrams you’ll see in this course show the BSR sitting at the very edge of the ISP’s network, acting as a border between the wholesaler and the ISP. But in reality, the BSR probably sits elsewhere deep in the core of the network, and traffic is probably tunnelled from the ISP’s edge to the BSR via some kind of MPLS pseudowire. Normally these pseudowires take traffic in on one interface, send it down an MPLS tunnel, and push it out of another physical interface, which means you’d need a box in front of the BSR to be the egress for the pseudowire tunnel.

But instead of having a box in front of the BSR that’s just there to terminate the pseudowire, what if you want the pseudowire to go all the way to the BSR itself, terminate on the actual BSR, and have the BSR process the traffic that comes out of the pseudowire as if it were actually destined for the BSR? I’ve heard stories in the past that people would literally get a short cable and plug each end into two ports on the BSR. One port would be the egress for the pseudowire, allowing the traffic to leave the MPLS interface on the BSR, go down the table… and then, three inches later, arrive right back on the very same router on a different port!

PWHE gets around that, and lets you configure a special interface that acts as an egress for the pseudowire in such a way that traffic actually lands on, and is processed by, the BSR itself. The concept is easy; the configuration is tricky. And on this course, you’ll see how to do it.



I’m definitely delighted that I attended this course. The trainer was fantastic, and lots of the content was really on-point. If you work at an ISP and you have subscribers, go on this course.

One thing that definitely strikes me is that you will NOT be ready to configure and troubleshoot this stuff after a mere four days. This is seriously complicated stuff. Instead, you need to think of this course as the beginning of a journey. You’ll come away from this course familiar with some concepts, and familiar with some examples of configuration that you might not have known about before. From there, you’re then going to have to revisit the study guides – which by the way, I thought were so good that I ended up paying $88 for the hard copies).

It wasn’t perfect – I haven’t yet found a vendor who didn’t have some sides or turns of phrase that are just dropped in without any context. A notable one this time came early days with a slide says that “The Tomcat feature set refers to the Next Generation Subscriber Management on Junos. The Tomcat feature set provides a much higher scale, higher performance architecture for subscriber management”, but doesn’t tell you what Tomcat really means, why we care that it’s called Tomcat, what Tomcat replaced, or what “higher scale, higher performance” means.

There were one or two other weird choices like that, where certain difficult concepts weren’t explained as if it was assumed that you knew it already, but then later on they’ll explain stuff that you definitely know already.  Luckily though, those moments aren’t all too common, and don’t detract from this being a great experience.

The only other thing I thought was a shame is that you don’t learn much about RADIUS servers themselves. This is a Juniper course, so of course they’re going to focus on Juniper config, but it would have been nice to see an example of a “standard” RADIUS server, and how the database is set up, particularly in regards to whether there are any common mistakes people make. I’ve heard a number of people say that Juniper can be quite precise in its requirements of how the data is presented in a RADIUS server – but even now, I don’t know exactly what that means.

I fed it back at the end of the course, so if that changes in the future, you can thank me for it. 😉

So in short: great course, learned loads, still got LOTS more self-study to do, but this course was a perfect first step in that journey.



Go here for all the info!

If you want to take this course, it’s $3,800. Or, if you’re good at maths, you’ll soon work out that Juniper’s All-Access Training Pass gives you unlimited courses for an entire year, for $5,995. Attend two courses and it pays for itself. Take three or more courses, and you’re laughing all the way to the bank. Again, I’m not being paid to tell you that, and no-one asked me to tell you that. The All-Access Pass is just an incredible deal, and if you’re going to go on one course then frankly you might as well chip in a bit more to get unlimited courses for the entire year.



If you enjoyed this post, follow me on Twitter or LinkedIn if you want to find out when I make new posts. And please share this one on your favourite social media of choice. Let me know if you end up going on the course yourself, or if you have any experience with Subscriber Management stuff. I’m always interested to hear your stories in the comments. See you next time!

(Disclosure: I was lucky enough to attend this course for free. You’ll notice I said very positive thing about this course! However, I want to let you know that Juniper didn’t ask me to write this post; they’re good eggs like that. The idea of putting some content about this course on my website was mine alone. If you do choose to go for it, buying the All-Access Pass is unquestionably the best value way to do it. Give it a look! It’s genuinely incredible, and well worth the investment.)

Leave a Reply

Your email address will not be published.