ASR9000 BNG Training guide setting up PPPoE and IPoE sessions

Nov 7, 2011 5:52 AM

Introduction

In IOS-XR version 4.2.0 (December 2011) the ASR9000 will be supporting BNG or Broadband termination capabilities with IP sessions and PPPoE. This document provides a step by step guide to setup an ASR9000 BNG solution with descriptions of what each individual component is used for and how to verify the operation.

Problem Description

BNG is a complex technology. This technote tries to expand on the configuration options and how to set it up. In the "Related Information" section is a pointer to a video on demand showing you the capabilities of A9K BNG.

Steps to completion

1) Dynamic Template configuration (~ IOS virtual template)
2) Configuring RADIUS
3) Configuring Subscriber Access
4) Configure Subscriber Authentication
5) Control Policy Definition
6) Verification of session establishment

1.0       Configure User Profiles, Dynamic-Template and Services Profiles 

Exercise Description 

Configure User Profiles, Dynamic-Templates and Service Profiles that will be activated on the session at different stages of the session lifecycle. 

Exercise Objective 

Learn how to create Dynamic Templates and configure ASR9K features (e.g. ACLs and QoS Class Maps) that will be referenced by various Templates and Profiles.  Dynamic templates define basic configurations to be applied to the session. Per-user attributes from RADIUS always take precedence over the dynamic template configuration.

1.1       Dynamic-Template Configuration for PPPoE Subscribers 

Steps to Complete Task 

Step 1.        Enter the following configuration items. 

dynamic-template
 type ppp PPP_TPL
  ppp authentication chap
  ppp ipcp peer-address pool POOL
  ipv4 unnumbered Loopback1000
 !
!
pool vrf default ipv4 POOL
 address-range 199.1.1.1 199.1.1.255

Solution Explanation and Clarification 

PPP authentication protocol, address-pool for client (remote) address assignment and unnumbered interface for session (local) address assignment are typical features configured under a PPP dynamic template and provide basic settings for proper PPP session establishment. 

The unnumbered Loopback address is merely an endpoint for ppp subscribers, it is not involved in (external) routing.  Despite popular belief, it does NOT need to be a routable address and can be duplicated over multiple devices. 

In addition to defining a ppp dynamic-template, named PPP_TPL, this step also defines the address pool POOL referenced in the dynamic template. 

Multiple ranges can be configured in a pool.  These address pools do NOT get automatically advertised in routing protocols, that is why during the first task we created a static (summary) route for the range and we redistributed it in OSPF. 

Task Verification 

The show command will provide us details of the address range and the pool usage. 

RP/0/RSP0/CPU0:BNG_POD_1#show address-pool POOL

Thu Oct  6 19:12:38.671 UTC

Pool                                  Begin           End             Free InUse

1.2       Dynamic-Template Configuration for IPoE Subscribers 

Steps to Complete Task 

Step 1.        Enter the following configuration items 

dynamic-template
 type ipsubscriber IPSUB_TPL
  ipv4 unnumbered Loopback2000
  ipv4 access-group IPSUB_FAIL_ACL ingress
  ipv4 access-group IPSUB_FAIL_ACL egress
 !
!
ipv4 access-list IPSUB_FAIL_ACL
 5 permit tcp any any eq www
 10 permit tcp any eq www any
 15 deny ipv4 any any
!
! This ACL is the base ACL to be applied to an ipsub session. The RADIUS profile returned upon a successful authentication may override the
! ACL with a less restrictive one. This heavily limited ACL is for demonstration purposes, forcing the user to log on via the web portal in this
! example.

Solution Explanation and Clarification 

In addition to defining an IP subscriber dynamic-template, named IPSUB_TPL, this step also defines the Access-List referenced in the dynamic template. 

By default a session permits all traffic, so a Security ACL provides a way of restricting access over a subscriber session.  This is especially true for IP subscribers who may need to get authenticated via Web Logon.  In such cases an initial ACL applied to the session may permit bidirectional communication with DNS servers (not in this sample ACL) and Web Portal, while denying all the rest.  Upon successful authentication, that ACL can then be replaced by a less restrictive one or totally removed. 

The IP unnumbered interface for session (local) address assignment is a mandatory feature configured under an IP dynamic template, and provides basic settings for proper IP session establishment.  The unnumbered interface IP address will become the default gateway for the IP subscriber associated with the session. This address is also used as the "giaddr" in the DHCP proxy configuration, to instruct the DHCP server to select an address from the subnet in which this IPv4 address is routable.

1.3       Local configuration of features referenced by RADIUS defined profiles 

Step 1.        Part A 

During verification tasks, the following 2 CoA Requests will be sent to the BNG referencing 2 MQC classes: VOIP and VIDEO.  MQC classes must be pre-configured on a device. 

For more information on COA see the link below in the "related information" section

coa_w32 -f voip.cfg -1 44,<session id> -n <some reachable addr of 9k>

COA profile for "voip.cfg"

attribute2=26,9,1,subscriber:command=account-update
attribute3=26,9,1,ip:qos-policy-out=add-class(sub,(class-default), shape(200))
attribute4=26,9,1,ip:qos-policy-out=add-class(sub,(class-default, VOIP), pri-level(1), police(128,8))
timeout=1

coa_w32 -f video.cfg -1 44,<session id> -n 192.168.100.10<pod>

COA profile for "video.cfg"

attribute1=26,9,1,subscriber:command=account-update
attribute2=26,9,1,ip:qos-policy-out=add-class(sub,(class-default, VIDEO), bw-abs (2048))
timeout=1

Step 1.        Enter the following configuration items to define MQC classes: 

!
class-map match-any VIDEO
 match dscp af41
end-class-map
!
class-map match-any VOIP
 match dscp ef
end-class-map
!

Step 2.        Part B 

During verification steps, Web Based authentication will be emulated for the IP subscriber. 

The IP subscriber’s User Profile references a security ACL that will now permit all traffic. 

coa_w32 -f login.cfg -n 192.168.100.10 -1 44,<session_id> -1 1,myuser

COA profile for "login.cfg"

attribute2=26,9,1,subscriber:command=account-logon
attribute3=26,9,1,subscriber:password=cisco
timeout=1

The RADIUS profile needs to be present on the RADIUS server. The CoA account-logon will try to authenticate "myuser" with password cisco against RADIUS.

myuser Cleartext-Password := "cisco"
           cisco-avpair = "ip:outacl=PERM_ALL",
           cisco-avpair += "ip:inacl=PERM_ALL"

Step 3.        Enter the following configuration items to define the “permit all” ACL in IOS-XR

ipv4 access-list PERM_ALL
 10 permit ipv4 any any
!


2.0       Configure Northbound Interfaces 

Exercise Description 

Configure basic RADIUS and RADIUS CoA connectivity to prepare the system for AAA authentication of subscriber access and for dynamic service activation. 

Exercise Objective 

The system will be ready to hand off authentication requests to the radius-server and send radius-requests with the desired nas-port and nas-port-id. 

It will also be ready to accept CoA requests from an external server.

2.1       Radius Configuration 

Steps to Complete Task 

Step 1.        Enter the following configuration items: 

aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU type 32
aaa radius attribute nas-port-id format NAS_PORT_FORMAT
aaa accounting subscriber default group radius
aaa authorization subscriber default group radius
aaa authentication subscriber default group radius
!
aaa attribute format MY_AUTH
 mac-address plus circuit-id plus remote-id separator #
!
aaa attribute format NAS_PORT_FORMAT
 circuit-id plus remote-id separator .
!
radius-server host <radius server> auth-port 1812 acct-port 1813
 key BNG
!

Solution Explanation and Clarification 

In this configuration section you define how the radius-server nas-port-id (attr87) is to be configured; in this case it will be circuit-id with remote-id, separated by a dot “.”. 

The nas-port format (attr 5), which is a decimal number, is composed of a number of bits.  The first line defines how the bits are to be assigned to slot, vlan, port etc.  Depending on whether the bits are 1 or 0 a value is created and that will be sent in the attribute. 

NAS-PORT definition and overview

The NAS-PORT definition can be set on a per "type" basis, whether it is PPPoE or PPPoVLAN or QIQ etc. If the specific type is not defined, then the "global" definition is followed and fields not found or applicable to this session type will be set to zero (eg vlan ID for a PPPoE session is 000 etc).

Service Port Types and Corresponding RADIUS Values

Service Port Type   RADIUS Value
PPPoA               30
PPPoEoA             31
PPPoEoE             32
PPPoEoVLAN          33
PPPoEoQinQ          34

Example NAS-PORT format: aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU

Value description:

Key   Description
0/1   Literal value of "0" or "1"
f/F   Shelf identifier
s/S   Slot identifier
a/A   Adapter
p/P   Port
i/I   Subslot
c/L   Channel
V     Outer VLAN
Q     Inner VLAN
U     PPPoE Session ID

Also, we have defined the radius-server to the designated address and AAA method lists for authentication, authorization and accounting. 

The attribute format “MY_AUTH” will be used in the control policy-map for IP sessions, it will designate how the username will be constructed for authenticating the IP subscriber. 
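The NAS-Port bit packing and the "aaa attribute format" composition described above, worked through as an added Python example (this is not code from the Cisco guide or from IOS-XR). The field letters follow the key table on this page; how the router treats a value that does not fit its bit width, and whether separators are kept when a username component is missing, are assumptions made here.

```python
# Added example (not from the Cisco guide): pack per-session fields into the
# NAS-Port (attribute 5) value according to a format string such as the page's
# "SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU", decode it back, and compose the
# "aaa attribute format" strings (NAS_PORT_FORMAT / MY_AUTH) from their parts.

# Letter -> field name, per the guide's key table (case-insensitive;
# "0"/"1" in the format are literal bits).
FIELD_LETTERS = {
    "f": "shelf", "s": "slot", "a": "adapter", "p": "port", "i": "subslot",
    "c": "channel", "l": "channel", "v": "outer_vlan", "q": "inner_vlan",
    "u": "pppoe_session",
}


def _field_widths(fmt):
    """Return {field: bit_count} for a format string and validate its letters."""
    widths = {}
    for ch in fmt.lower():
        if ch in "01":
            continue
        if ch not in FIELD_LETTERS:
            raise ValueError("unknown format letter %r" % ch)
        name = FIELD_LETTERS[ch]
        widths[name] = widths.get(name, 0) + 1
    return widths


def nas_port_fits(fmt, fields):
    """True if every supplied field value fits the bit width the format gives it.

    The guide's format gives the PPPoE session id (U) only 4 bits, so a session
    id such as 30 cannot be represented; this is the check to run before relying
    on NAS-Port for accounting or policy decisions.
    """
    for name, width in _field_widths(fmt).items():
        if not 0 <= fields.get(name, 0) < (1 << width):
            return False
    return True


def encode_nas_port(fmt, fields):
    """Build the 32-bit NAS-Port integer from a format string and field values.

    Fields absent from ``fields`` (not applicable to the session type) are sent
    as 0, as the guide describes. A value that does not fit raises (assumption:
    the router may instead truncate, which would silently alias sessions).
    """
    if len(fmt) != 32:
        raise ValueError("NAS-Port format must describe exactly 32 bits")
    if not nas_port_fits(fmt, fields):
        raise ValueError("a field value does not fit its bit width")
    remaining = _field_widths(fmt)   # bits of each field still to emit
    result = 0
    for ch in fmt.lower():           # walk the format MSB first
        if ch in "01":
            bit = int(ch)
        else:
            name = FIELD_LETTERS[ch]
            remaining[name] -= 1
            bit = (fields.get(name, 0) >> remaining[name]) & 1
        result = (result << 1) | bit
    return result


def decode_nas_port(fmt, value):
    """Inverse of encode_nas_port: recover the field values from a NAS-Port integer."""
    if len(fmt) != 32:
        raise ValueError("NAS-Port format must describe exactly 32 bits")
    fields = {name: 0 for name in _field_widths(fmt)}
    for pos, ch in enumerate(fmt.lower()):
        bit = (value >> (31 - pos)) & 1
        if ch in "01":
            continue                 # literal bit, carries no field data
        name = FIELD_LETTERS[ch]
        fields[name] = (fields[name] << 1) | bit
    return fields


def compose_attribute(components, separator, available):
    """Join the named components with the separator, as "aaa attribute format" does.

    Components the session does not carry are left empty (the guide's note on
    MY_AUTH); keeping the separators around the empty slot is an assumption.
    """
    return separator.join(available.get(name, "") for name in components)
```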

Task Verification 

The command show radius verifies configuration of the designated server. 

RP/0/RSP0/CPU0:BNG_POD_1#show radius

Thu Oct  6 18:37:53.350 UTC

Global dead time: 0 minute(s)

Number of Servers:1

Server: 192.168.100.2/1812/1813  is UP

  Timeout: 1 sec, Retransmit limit: 1

  Authentication:

    0 requests, 0 pending, 0 retransmits

    0 accepts, 0 rejects, 0 challenges

    0 timeouts, 0 bad responses, 0 bad authenticators

    0 unknown types, 0 dropped, 0 ms latest rtt

  Accounting:

    0 requests, 0 pending, 0 retransmits

    0 responses, 0 timeouts, 0 bad responses

    0 bad authenticators, 0 unknown types, 0 dropped

    0 ms latest rtt

2.2       Add CoA clients to the dynamic author configuration: 

Steps to Complete Task: 

Step 1.        Enter the following configuration items: 

aaa server radius dynamic-author
 port 1700
 auth-type any
 client <radius server> vrf default server-key BNG

Solution Explanation and Clarification 

In the default configuration the router will not respond to CoA requests sent from a CoA client.  In order to instruct the router to accept CoA requests from a particular IP address, we need to enter that address under the dynamic author configuration section. 

You need to identify the IP address where the CoA request comes from, as well as the shared secret key.  The port is also configured; 1700 is the default as per the RFC for CoA. 

One thing that should be noted here is the “auth-type”.  In order to identify a session we can use various identification attributes.  Most commonly, attribute 44, accounting-session-id is used.  When you send more identification attributes such as username, IP address etc., you can specify which of those attributes need to match, in order to target the designated session: 

RP/0/RSP0/CPU0:A9K-BNG(config-Dynamic Author)#auth-type ?
  all          all session identifiers must match for that single subscriber
  any          any of the session identifiers is ok to match the subscriber
  session-key  use the ASCEND SESSION SERVER KEY as match for the subscriber identification
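The CoA exchange described above (session targeted by Acct-Session-Id, attribute 44; cisco-avpairs encoded as 26,9,1 exactly as in the voip.cfg profile; shared key BNG), worked as an added Python example that is not part of the guide or of coa_w32. It builds the CoA-Request, performs the Request Authenticator check the BNG applies with the dynamic-author server-key before acting on a request, builds and checks the CoA-ACK, and parses the attributes. The packet identifier 7 and ASCII decoding of attribute values are assumptions.

```python
# Added example (not from the Cisco guide or coa_w32): RADIUS CoA-Request per
# RFC 5176 with Acct-Session-Id and cisco-avpair VSAs, plus the receiver-side
# authenticator check that feeds the "Bad Authenticator" counter shown by
# "show radius dynamic-author".
import hashlib
import hmac
import struct

CODE_COA_REQUEST, CODE_COA_ACK, CODE_COA_NAK = 43, 44, 45
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_SESSION_ID = 44
CISCO_VENDOR_ID = 9       # the "9" in the profile's "26,9,1,..." lines
CISCO_AVPAIR = 1          # vendor type 1 = cisco-avpair


def attribute(atype, value):
    """Encode one RADIUS attribute: Type, Length (includes the 2 header octets), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def cisco_avpair(text):
    """Encode a cisco-avpair as a Vendor-Specific attribute (26, vendor 9, type 1)."""
    payload = text.encode("ascii")
    vsa = bytes([CISCO_AVPAIR, len(payload) + 2]) + payload
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def build_coa_request(identifier, secret, session_id, avpairs):
    """CoA-Request targeting one session by Acct-Session-Id, carrying the avpairs."""
    attrs = attribute(ATTR_ACCT_SESSION_ID, session_id.encode("ascii"))
    attrs += b"".join(cisco_avpair(a) for a in avpairs)
    header = struct.pack("!BBH", CODE_COA_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret.encode("ascii")).digest()
    return header + authenticator + attrs


def verify_coa_request(packet, secret):
    """Receiver-side check: recompute the Request Authenticator with the configured
    server-key. A mismatch is what the BNG counts as "Bad Authenticator" and drops."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret.encode("ascii")).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_coa_response(request, code, secret, attrs=b""):
    """CoA-ACK / CoA-NAK. The Response Authenticator is MD5 over the response
    header, the *request* authenticator, the response attributes and the secret."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret.encode("ascii")).digest()
    return header + authenticator + attrs


def verify_coa_response(response, request, secret):
    """Client-side check of a CoA-ACK/NAK against the request it answers."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret.encode("ascii")).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet):
    """Decode attributes into (type, vendor, vendor_type, text); vendor fields are
    None for plain attributes. Bad lengths raise, matching a receiver that counts
    the packet as "Malformed Req" instead of guessing at its contents."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6 or value[5] < 2 or 4 + value[5] > len(value):
                raise ValueError("bad vendor-specific attribute")
            vendor = struct.unpack("!I", value[:4])[0]
            out.append((atype, vendor, value[4], value[6:4 + value[5]].decode("ascii", "replace")))
        else:
            out.append((atype, None, None, value.decode("ascii", "replace")))
        pos += alen
    return out
```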


Task Verification 

Enter the following commands to confirm configuration. 

RP/0/RSP0/CPU0:BNG_POD_1#show radius dynamic-author

Thu Oct  6 18:42:58.151 UTC

Radius Dynamic-Author Server:

    Invalid Disc-Reqs:          0

    Invalid CoA-Reqs:           0

Radius Dynamic-Author Client:

    Client IP:          192.168.100.2

    Disconnect-Request:

        Disc-Req  0   Disc-Ack  0  Disc-Nack  0

        Authorize-Only Request:        0

        Authorize-Only Nack:           0

        Disc-Nack for no context:      0

        Malformed Req:                 0

        Bad Authenticator:             0

        Dropped Req:                   0

    CoA-Request:

        CoA-Req   0   CoA-Ack   0  CoA-Nack   0

        Authorize-Only Request:        0

        Authorize-Only Nack:           0

        CoA-Nack for no context:       0

        Malformed Req:                 0

        Bad Authenticator:             0

        Dropped Req:                   0

3.0         Configure Subscriber Access 

Exercise Description 

Prepare the system to initiate subscriber sessions. 

Exercise Objective 

After completing this exercise the BNG will be ready to take DHCP discovers (for IP subscribers) and PADI (for PPP subscribers) from a particular interface and create a subscriber session. 

3.1       Setup Subscriber Access for IP Subscribers 

Steps to Complete Task 

Step 1.        Enter the following configuration items to configure DHCP Proxy for IP subscribers: 

dhcp ipv4
 profile IP_DEFAULT proxy
  helper-address <DHCP Server> giaddr 172.20.1.254
  relay information option
  relay information policy keep
  relay information option allow-untrusted
 !
 interface Bundle-Ether100.1 proxy profile IP_DEFAULT

Solution Explanation and Clarification 

In this configuration snippet we defined a basic DHCP profile, named IP_DEFAULT, which specifies DHCP Server IP address and Gateway IP address to be used during address assignment.  It also trusts non zero Option82 and gi-address values (which is generally the case if we have a DSLAM inserting option 82) and it will interpret option 82 information. 

Finally, we attach the proxy profile to the access-interface. 

Task Verification for Step 1 

Enter the following commands, or retrieve the following information to confirm configuration. 

RP/0/RSP0/CPU0:BNG_POD_1#show dhcp ipv4 proxy profile

Thu Oct  6 19:02:25.257 UTC

DHCP IPv4 Proxy Profiles

--------------------------

IP_DEFAULT

When things are operational you can verify via:

RP/0/RSP0/CPU0:BNG_POD_1#show dhcp ipv4 proxy binding

Thu Oct  6 19:03:39.487 UTC

                                           Lease                                    

MAC Address      IP Address      State    Remaining       Interface          VRF      Sublabel

--------------  --------------  ---------  ---------  -------------------  ---------  ----------

RP/0/RSP0/CPU0:BNG_POD_1#show dhcp ipv4 proxy statistics

Thu Oct  6 19:04:27.400 UTC

                  VRF                     |      RX       |      TX       |       DR   |

-------------------------------------------------------------------------------------------

default                                  |            0  |            0  |          0  |

Step 2.        Define the control policy directive that will handle IP session establishment. 

class-map type control subscriber match-any DHCP
 match protocol dhcpv4
end-class-map
!
policy-map type control subscriber IP_PM
 event session-start match-first
  class type control subscriber DHCP do-until-failure
   5 activate dynamic-template IPSUB_TPL
  !
 !

Solution Explanation and Clarification 

The anatomy of a control policy is such that we have an event (e.g.: session-start), for which we evaluate one or more classes, and then a list of actions to be executed.  Classes allow us to have a single control policy, while still defining different actions for the same event type.  The configured class matches on IP sessions specifically. 

3.2       Apply “IPSUB_TPL” Dynamic Template 

The “IPSUB_TPL” dynamic-template, configured earlier, is applied to IP subscribers when the session is initiated. 

Steps to Complete Task 

Step 1.        Configure the terminating interface for IP subscribers.  Enter the following configuration items: 

interface bundle-ether100.1
 ipv4 point-to-point
 ipv4 unnumbered loopback2000
 !service-policy type control subscriber IP_PM   <- this will get applied later on, as we need to make changes to the control policy-map
 encapsulation dot1q 10
 ipsubscriber ipv4 l2-connected
  initiator dhcp
 !

Solution Explanation and Clarification 

Creates a bundle sub-interface (access-interface) and specifies DHCP as the trigger to create new sessions. 

The IP address on the interface can be ANY address, but one is required in order to accept IP Packets. In the example, the access-interface will share the same address that is assigned by default to IP subscriber sessions (via the IPSUB_TPL).

The access interface needs to have an IP address defined in order to accept IPv4 packets (the DHCP discover). The point-to-point configuration is needed when you want to make it unnumbered to a loopback interface.

3.3       Setup Subscriber Access for PPPoE Subscribers 

Steps to Complete Task 

Step 1.        Enter the following configuration items to configure the Broadband Access group for PPP subscribers: 

pppoe bba-group NAME
 service selection disable
!

Solution Explanation and Clarification 

The bba-group can match on services signaled in the PPPoE service-tag or service selection can be disabled.  Today we don’t do much with the service-tag except for matching.  This will be extended with more comprehensive features, such as Smart Server Selection, PADO delays etc. 

Step 2.        Define the control policy directive that will handle PPP session establishment. 

class-map type control subscriber match-any PPP
 match protocol ppp
end-class-map
!
policy-map type control subscriber PPP_PM
 event session-start match-first
  class type control subscriber PPP do-until-failure
   10 activate dynamic-template PPP_TPL
  !
 !
end-policy-map

Solution Explanation and Clarification 

The anatomy of a control policy is such that we have an event (e.g.: session-start), for which we evaluate one or more classes, and then a list of actions to be executed. Classes allow us to have a single control policy, while still defining different actions for the same event type.  The configured class matches on PPP sessions specifically. 

The “PPP_TPL” dynamic-template, configured earlier, is applied to PPP subscribers when the session is initiated.  It typically includes information that is used during LCP phase. 

In addition to dynamic-template activation, another common action implemented during session-start event is pre-authentication based on pppoe tags (authorization). 

Step 3.        Configure the terminating interface for PPP subscribers.  Enter the following configuration items: 

interface bundle-ether100.11
 !service-policy type control subscriber PPP_PM   <- this will get applied later on, as we need to make some changes to the control policy
 pppoe enable bba-group NAME
 encapsulation dot1q 1
!

Solution Explanation and Clarification 

This step assigns the bba-group to the access-interface facing PPPoE subscribers. 


4.0         Configure Subscriber Authentication 

Exercise Description 

Configures subscriber authentication for PPP and IPoE subscribers. 

4.1       Enable Authentication for IPoE Subscribers 

Steps to Complete Task 

Step 1.        Enter the following configuration items: 

policy-map type control subscriber IP_PM
 event session-start match-first
  class type control subscriber DHCP do-until-failure
   10 authorize aaa list default format MY_AUTH password cisco
  !
 !
end-policy-map

Solution Explanation and Clarification 

The authorize statement is used at session-start to authenticate the user with a username constructed by a combination of remote/circuit ID as defined in MY_AUTH format. 

Note:  If the RADIUS client can’t compose the username because one or more components are missing, those fields will be left empty.

Task Verification 

RP/0/RSP0/CPU0:BNG_POD_1#show policy-map type control subscriber pmap-name  IP_PM

Thu Oct  6 19:38:23.038 UTC

policy-map type control subscriber IP_PM

event session-start match-first

  class type control subscriber DHCP do-until-failure

   5 activate dynamic-template IPSUB_TPL

   10 authorize aaa list default format MY_AUTH password cisco

  !

!

end-policy-map

4.2       Enable Authentication for PPPoE Subscribers 

Steps to Complete Task 

Step 1.        Enter the following configuration items: 

policy-map type control subscriber PPP_PM
 event session-activate match-first
  class type control subscriber PPP do-until-failure
   10 authenticate aaa list default
  !
 !
end-policy-map

Solution Explanation and Clarification 

Session-activate event (triggered when PPP LCP opens) is used to authenticate the subscriber with RADIUS, using ppp username and password derived from the ppp authentication stage. 

Task Verification 

RP/0/RSP0/CPU0:BNG_POD_1#show policy-map type control subscriber pmap-name PPP_PM

Thu Oct  6 19:21:40.222 UTC

policy-map type control subscriber BNG_ctrl_pm

event session-start match-first

  class type control subscriber PPP do-until-failure

   10 activate dynamic-template PPP_TPL

  !

!

event session-activate match-first

  class type control subscriber PPP do-until-failure

   10 authenticate aaa list default

  !

!

end-policy-map

NOTE: When a control policy is assigned to an interface, it can't be modified in place (yet). You need to detach the control policy, sessions will get disconnected, and then you can reconfigure the control policy.


5.0         Apply Control Policy to Access Interface 

Exercise Description 

This task will apply the control-policy to the access-interface and finalize the configuration for IPoE and PPPoE subscribers. 

5.1       Apply the Control Policy for IP Sessions 

Steps to Complete Task 

Step 1.        Enter the following configuration items: 

interface Bundle-Ether100.1
 service-policy type control subscriber IP_PM

5.2       Apply the Control Policy for PPP Sessions 

Steps to Complete Task 

Step 1.        Enter the following configuration items 

interface bundle-ether100.11
 service-policy type control subscriber PPP_PM

6.0         Exercise Verification Tasks 

6.1       Verify PPP session establishment 

Steps to Complete Task 

Step 1.        Go on the CPE and run the “test pppoe 1 1 <interface>” command.  (For example:  gigabitEthernet 0/2.15) 

Step 2.        On the CPE: run “show ppp sessions” 

Step 3.        On the BNG: “show subscriber session all” and “show subscriber session all detail”

o   note that a subscriber session is handled as a regular interface 

RP/0/RSP0/CPU0:BNG_POD_1#sh subscriber session all       

Fri Oct  7 06:22:34.724 UTC

Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,

       ID - Idle, DN - Disconnecting, ED - End

Type         Interface                State     Subscriber-IP       

                                                LNS Address:Vrf     

-------------------------------------------------------------------------

PPPoE:PTA    BE100.11.pppoe30           AC        199.1.1.11:default   

o   Note Remote ID being collected, ALE + IWF tags, IP address and control-policy actions being executed.

RP/0/RSP0/CPU0:BNG_POD_1#sh subscriber session all detail

Fri Oct  7 06:25:19.531 UTC

Interface:                Bundle-Ether1.11.pppoe30

Circuit ID:               Unknown

Remote ID:                POD1

Type:                     PPPoE:PTA

IP Address:               199.1.1.11, VRF: default

Mac Address:              0005.0034.281a

Account-Session Id:       000000c3

Nas-Port:                 Unknown

Username:                 pod1

Subscriber Label:         0x000000c3

Created:                  Fri Oct  7 03:46:33 2011

State:                    Activated

Access-interface:         Bundle-Ether1.11

Policy Executed:

policy-map type control subscriber PPP_PM

  event Session-Start match-first [at Fri Oct  7 03:46:33 2011]

    class type control subscriber PPP do-until-failure [Succeeded]

      10 activate dynamic-template PPP_TPL [Succeeded]

  event Session-Activate match-first [at Fri Oct  7 03:46:36 2011]

    class type control subscriber PPP do-until-failure [Succeeded]

      10 authenticate aaa list default [Succeeded]

Session Accounting: disabled

User Profile Attribute List: 0x500bde14

1:  service-type    len=  4  svc<0> prot<0> tag<0> mand<0> client<0x0>NAS Prompt

2:  access-loop-encapsulation len=  3  01 02 03

3:  interworking-functionality-tag len=  1 

True

Step 4.        On the BNG: “show pppoe interface” and “show ppp interface” 

o   Note again the Tags that were collected (for PPPoE output), and the various states of the PPP connection (from PPP output)

RP/0/RSP0/CPU0:BNG_POD_1#show pppoe interfaces

Fri Oct  7 06:28:56.879 UTC

Bundle-Ether1.11.pppoe30 is Complete

  Session id: 30

  Parent interface: Bundle-Ether1.11

  BBA-Group: pod1

  Local MAC address: 0026.982f.2d53

  Remote MAC address: 0005.0034.281a

  Outer VLAN ID: 11

  Tags:

    Service name:

    Max Payload: 1500

    IWF

    Remote ID: POD1

    ALE Data Link: Ethernet (0x01)

    ALE Encaps 1: Single-Tagged Ethernet (0x02)

    ALE Encaps 2: IPoA LLC (0x03)

RP/0/RSP0/CPU0:BNG_POD_1#show ppp interfaces  

Fri Oct  7 06:29:02.987 UTC

Bundle-Ether1.11.pppoe30 is up, line protocol is up

  LCP: Open

     Keepalives enabled (60 sec, retry count 5)

     Local MRU: 1500 bytes

     Peer  MRU: 1500 bytes

  Authentication

     Of Peer: CHAP (Completed as pod1)

     Of Us:   <None>

  IPCP: Open

     Local IPv4 address: 101.101.1.1

     Peer IPv4 address:  199.1.1.11   

Step 5.        On the BNG: PPP and PPPoE statistics: 

RP/0/RSP0/CPU0:BNG_POD_1#show pppoe statistics access-interface Bundle-Ether1.11

Fri Oct  7 06:32:07.804 UTC

Packets                     Sent        Received         Dropped

----------------------------------------------------------------

PADI                           0              10               0

PADO                          10               0               0

PADR                           0              10               0

PADS (success)                10               0               0

PADS (error)                   0               0               0

PADT                           9               0               0

Session-stage                  0               0               0

Other                          0               0               0

                           -----           -----           -----

TOTAL                         29              20               0

RP/0/RSP0/CPU0:BNG_POD_1#show ppp statistics interface Bundle-Ether1.11.pppoe30

Fri Oct  7 06:34:17.333 UTC

Bundle-Ether1.11.pppoe30

  LCP

    Packets                     Sent        Received

    Conf-Req                       2               2

    Conf-Ack                       2               1

    Conf-Nak                       0               0

    Conf-Rej                       0               0

    Echo-Req                     169            1003

    Echo-Rep                    1003             169

    Disc-Req                       0               0

    Line state brought up: 1

    Keepalive Link Failures: 0

  Authentication

    Packets                     Sent        Received

    PAP

      Request                      0               0

      Ack                          0               0

      Nak                          0               0

    (MS-)CHAP

      Challenge                    1               0

      Response                     0               1

      Rep Success                  1               0

      Rep Fail                     0               0

    AAA authentication timeouts: 0

  IPCP

    Packets                     Sent        Received

    Conf-Req                       1               2

    Conf-Ack                       1               1

    Conf-Nak                       1               0

    Conf-Rej                       0               0

6.2       Verify IPoE session establishment 

Steps to Complete Task 

Step 1.        Go on the CPE and no shut the interface gi0/2.<subif>  (For example:  interface gi0/2.1). 

Step 2.        On the CPE: run “show ip interface brief” to verify that an address is assigned. 

Step 3.        On the BNG check DHCP bindings. 

RP/0/RSP0/CPU0:BNG_POD_1#sh dhcp ipv4 proxy binding

Fri Oct  7 06:44:34.473 UTC

                                           Lease                                     

MAC Address      IP Address      State    Remaining       Interface          VRF      Sublabel

--------------  --------------  ---------  ---------  -------------------  ---------  ----------

0005.0034.281a  172.20.1.16     BOUND      75979      BE1.1                default    0x45     

RP/0/RSP0/CPU0:BNG_POD_1#sh dhcp ipv4 proxy binding detail

Fri Oct  7 06:44:37.543 UTC

MAC Address:                0005.0034.281a

VRF:                        default

server VRF:                 default

IP Address:                 172.20.1.16

Giaddr from client:         0.0.0.0

Giaddr to server:           172.20.1.254

Server IP Address:          10.100.1.1

Server IP Address to client 172.20.1.254

ReceivedCircuit ID:         -

InsertedCircuit ID:         0x00-04-00-65-00-01

ReceivedRemote ID:          -

InsertedRemote ID:          0x00-06-00-26-98-2f-5b-20

Profile:                    DEFAULT

State:                      BOUND

Lease:                      86400 secs (1d00h)

Remaining:                  75976 secs (21:06:16)

Client ID:                  0x00-0x43-0x50-0x45-0x5F-0x50-0x4F-0x44-0x31

Access Interface:           Bundle-Ether1.1

Access VRF:                 default

Subscriber Label:           0x45

6.3       BNG Show Activity 

On the BNG: “show subscriber session all” and “show subscriber session all detail” 

o   note that a subscriber session is handled as a regular interface 

o   note Circuit/Remote ID 

o   note the actions executed on the session; note that authorization failed (i.e. the subscriber is not authenticated).

RP/0/RSP0/CPU0:BNG_POD_1#sh subscriber session all                 

Fri Oct  7 06:38:09.011 UTC

Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,

       ID - Idle, DN - Disconnecting, ED - End

Type         Interface                State     Subscriber-IP       

                                                LNS Address:Vrf   

-------------------------------------------------------------------------

IP:DHCP      BE1.1.ip7                AC        172.20.1.16:default  

    Important:  Note the Account-Session Id number.  You will use this later.  

RP/0/RSP0/CPU0:BNG_POD_1#sh subscriber session all detail

Fri Oct  7 06:38:12.277 UTC

Interface:                Bundle-Ether1.1.ip7

Circuit ID:               GigE0/2.1

Remote ID:                POD1

Type:                     IP: DHCP-trigger

IP Address:               172.20.1.16, VRF: default

Mac Address:              0005.0034.281a

Account-Session Id:       00000045

Nas-Port:                 Unknown

Username:                 unknown

Subscriber Label:         0x00000045

Created:                  Fri Oct  7 03:50:45 2011

State:                    Activated

Access-interface:         Bundle-Ether1.1

Policy Executed:

policy-map type control subscriber IP_PM

  event Session-Start match-first [at Fri Oct  7 03:50:45 2011]

    class type control subscriber DHCP do-until-failure [Succeeded]

      5 activate dynamic-template IPSUB_TPL [Succeeded]

      10 authorize aaa list default [Failed]

Session Accounting: disabled

RP/0/RSP0/CPU0:BNG_POD_1#sh ipsubscriber interface Bundle-eth1.1.ip7

Fri Oct  7 06:42:28.786 UTC

Interface: Bundle-Ether1.1.ip7

  Type: L2-connected

  Ifhandle: 0x8000be0

  Access Interface: Bundle-Ether1.1 (0x8000160)

  Subscriber IP: 172.20.1.16, MAC: 0005.0034.281a

  Subscriber Label: 0x45

  Initiator: DHCP

  Created: Oct  7 03:50:53 (age 02:51:36)

  VRF: default (0x60000000), Table: default (0xe0000000)

  State: Up(9) (old: Adjacency added(8))

  Last state change: Oct  7 03:50:53 (02:51:36 in current state)

Solution Explanation and Clarification 

During the session initiation, we will have a failed authorization as shown above. Because of this, the restrictive ACL (IPSUB_FAIL_ACL) will be applied. 

Check the restrictive ACL by pinging the following addresses: 

o    (e.g. 11.11.11.11)   It should not be reachable since the restrictive ACL is applied. 

However, the session is up and does allow one address to be reachable. In a real world application this may be something like a Web Portal where users can log in. To test this, ping the following address: 

o    (e.g. 11.11.11.100)   It should be reachable because the restrictive ACL allows this single address. 
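To pick the Account-Session Id and the failed authorize step out of "show subscriber session all detail" without reading it by eye, here is an added parser (not part of the original guide) that runs over a constructed sample of that output and lists the sessions that are up but still on the restrictive template:

```python
import re

# Constructed sample in the format of "show subscriber session all detail"
# shown above (two sessions; not captured from a live device). The second
# session is a subscriber whose authorize step succeeded.
SAMPLE_DETAIL = """\
Interface:                Bundle-Ether1.1.ip7
Circuit ID:               GigE0/2.1
Remote ID:                POD1
Type:                     IP: DHCP-trigger
IP Address:               172.20.1.16, VRF: default
Mac Address:              0005.0034.281a
Account-Session Id:       00000045
Username:                 unknown
State:                    Activated
Access-interface:         Bundle-Ether1.1
Policy Executed:
policy-map type control subscriber IP_PM
  event Session-Start match-first [at Fri Oct  7 03:50:45 2011]
    class type control subscriber DHCP do-until-failure [Succeeded]
      5 activate dynamic-template IPSUB_TPL [Succeeded]
      10 authorize aaa list default [Failed]
Session Accounting: disabled

Interface:                Bundle-Ether1.1.ip8
Type:                     IP: DHCP-trigger
IP Address:               172.20.1.17, VRF: default
Mac Address:              0005.0034.281b
Account-Session Id:       00000046
Username:                 ipsub
State:                    Activated
Policy Executed:
policy-map type control subscriber IP_PM
  event Session-Start match-first [at Fri Oct  7 03:51:02 2011]
    class type control subscriber DHCP do-until-failure [Succeeded]
      5 activate dynamic-template IPSUB_TPL [Succeeded]
      10 authorize aaa list default [Succeeded]
Session Accounting: disabled
"""

# "Key:   value" lines; the lazy key match stops at the first ": " so that
# "IP Address: 172.20.1.16, VRF: default" keeps its whole value.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z -]*?):\s+(?P<val>\S.*?)\s*$")
# Indented control-policy action lines such as "10 authorize aaa list default [Failed]".
ACTION_RE = re.compile(
    r"^\s+(?P<seq>\d+)\s+(?P<action>\S+)\s+(?P<args>.*?)\s+\[(?P<result>Succeeded|Failed)\]\s*$"
)
AUTH_ACTIONS = {"authorize", "authenticate"}


def parse_sessions(text):
    """Return one dict per session: interface, ip, vrf, mac, session_id,
    username, state and the list of control-policy actions with their result."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, val = m.group("key"), m.group("val")
            if key == "Interface":                      # a new session block starts here
                cur = {"interface": val, "actions": []}
                sessions.append(cur)
            elif cur is None:
                continue
            elif key == "IP Address":
                ip, _, vrf = val.partition(", VRF: ")
                cur["ip"], cur["vrf"] = ip, vrf or None
            elif key == "Account-Session Id":
                cur["session_id"] = val
            elif key in ("Mac Address", "Username", "State"):
                cur[key.split()[0].lower()] = val       # mac / username / state
            continue
        a = ACTION_RE.match(line)
        if a and cur is not None:
            cur["actions"].append({"seq": int(a.group("seq")), "action": a.group("action"),
                                   "args": a.group("args"), "result": a.group("result")})
    return sessions


def unauthorized_sessions(sessions):
    """Sessions whose authorize/authenticate step failed: they are up, but
    run with the restrictive template (IPSUB_FAIL_ACL) until the web logon."""
    return [s for s in sessions
            if any(a["action"] in AUTH_ACTIONS and a["result"] == "Failed" for a in s["actions"])]


def coa_session_id(session):
    """The Account-Session Id as the CoA tool wants it: 8 characters, leading zeros kept."""
    sid = session.get("session_id", "")
    if len(sid) != 8:
        raise ValueError(f"unexpected Account-Session Id {sid!r} on {session['interface']}")
    return sid


if __name__ == "__main__":
    for s in unauthorized_sessions(parse_sessions(SAMPLE_DETAIL)):
        print(f"{s['interface']}: {s['ip']} ({s['mac']}) awaiting logon, session id {coa_session_id(s)}")
```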

6.4       Verify Web Logon for IP subscribers 

Steps to Complete Task 

Step 1.        Log on to the RADIUS server and initiate web logon. 

Step 2.        Use the following command from the command prompt: “coa_w32 -f login.cfg -n 192.168.100.10<pod> -1 44,<session_id> -4 1,podip<pod>”  (Session ID is the Account-Session-Id collected earlier.) 

Step 3.        Ping (e.g. 11.11.11.11)   It should be reachable since the (PERM_ALL) ACL is applied.

Task Verification 

6.5       Verify parameterized QoS for IP Subscribers 

Steps to Complete Task 

Step 1.        Verify that QoS is not enabled on the subscriber interface.

o   Show policy-map interface <subscriber-interface>

Step 2.        Log into the RADIUS server and initiate QoS update for VOIP class.

Step 3.        Use command “coa_w32 -f voip.cfg -1 44,<session id> -n 192.168.100.10”

Step 4.        Verify that QoS is enabled on the subscriber interface and class VOIP is configured

o    Show policy-map interface <subscriber-interface>

RP/0/RSP0/CPU0:BNG_POD_1#sho policy-map interface Bundle-Ether1.1.ip24

Mon Oct 10 15:10:30.465 UTC

Bundle-Ether1.1.ip24 direction input: Service Policy not installed

Bundle-Ether1.1.ip24 output: sub_fffffffb24ffffff8cfffffff8

Class class-default

  Classification statistics          (packets/bytes)     (rate - kbps)

    Matched             :                   0/0                    0

    Transmitted         :                   0/0                    0

    Total Dropped       :                   0/0                    0

    Policy sub_fffffffb24ffffff8cfffffff8_child1 Class VOIP

      Classification statistics          (packets/bytes)     (rate - kbps)

        Matched             :                   0/0                    0

        Transmitted         :                   0/0                    0

        Total Dropped       :                   0/0                    0

      Policing statistics                (packets/bytes)     (rate - kbps)

        Policed(conform)    :                   0/0                    0

        Policed(exceed)     :                   0/0                    0

        Policed(violate)    :                   0/0                    0

        Policed and dropped :                   0/0                 

        Policed and dropped(parent policer)  : N/A

      Queueing statistics

        Queue ID                             : 16

        High watermark  (Unknown)           

        Inst-queue-len  (packets)            : 0

        Avg-queue-len   (Unknown)           

        Taildropped(packets/bytes)           : 0/0

        Queue(conform)      :                   0/0                    0

        Queue(exceed)       :                   0/0                    0

        RED random drops(packets/bytes)      : 0/0

    Policy sub_fffffffb24ffffff8cfffffff8_child1 Class class-default

      Classification statistics          (packets/bytes)     (rate - kbps)

        Matched             :                   0/0                    0

        Transmitted         :                   0/0                    0

        Total Dropped       :                   0/0                    0

      Queueing statistics

        Queue ID                             : 18

        High watermark  (Unknown)           

        Inst-queue-len  (packets)            : 0

        Avg-queue-len   (Unknown)           

        Taildropped(packets/bytes)           : 0/0

        Queue(conform)      :                   0/0                    0

        Queue(exceed)       :                   0/0                    0

        RED random drops(packets/bytes)      : 0/0

6.6       Initiate QoS update for VIDEO class. 

Steps to Complete Task 

Step 1.        Use command “coa_w32 -f video.cfg -1 44,<session id> -n 192.168.100.10<pod>”

Step 2.        Verify that QoS is enabled on the subscriber interface and class VIDEO is configured

o   Show policy-map interface <subscriber-interface> 

RP/0/RSP0/CPU0:BNG_POD_1#sho policy-map interface Bundle-Ether1.1.ip24

Mon Oct 10 15:12:44.260 UTC

Bundle-Ether1.1.ip24 direction input: Service Policy not installed

Bundle-Ether1.1.ip24 output: sub_fffffffb24ffffff8cfffffff8

Class class-default

  Classification statistics          (packets/bytes)     (rate - kbps)

    Matched             :                   0/0                    0

    Transmitted         :                   0/0                    0

    Total Dropped       :                   0/0                    0

    Policy sub_fffffffb24ffffff8cfffffff8_child1 Class VOIP

      Classification statistics          (packets/bytes)     (rate - kbps)

        Matched             :                   0/0                    0

        Transmitted         :                   0/0                    0

        Total Dropped       :                   0/0                    0

      Policing statistics                (packets/bytes)     (rate - kbps)

        Policed(conform)    :                   0/0                    0

        Policed(exceed)     :                   0/0                    0

        Policed(violate)    :                   0/0                    0

        Policed and dropped :                   0/0                 

        Policed and dropped(parent policer)  : N/A

      Queueing statistics

        Queue ID                             : 16

        High watermark  (Unknown)           

        Inst-queue-len  (packets)            : 0

        Avg-queue-len   (Unknown)           

        Taildropped(packets/bytes)           : 0/0

        Queue(conform)      :                   0/0                    0

        Queue(exceed)       :                   0/0                    0

        RED random drops(packets/bytes)      : 0/0

    Policy sub_fffffffb24ffffff8cfffffff8_child1 Class class-default

      Classification statistics          (packets/bytes)     (rate - kbps)

        Matched             :                   0/0                    0

        Transmitted         :                   0/0                    0

        Total Dropped       :                   0/0                    0

      Queueing statistics

        Queue ID                             : 18

        High watermark  (Unknown)           

        Inst-queue-len  (packets)            : 0

        Avg-queue-len   (Unknown)           

        Taildropped(packets/bytes)           : 0/0

        Queue(conform)      :                   0/0                    0

        Queue(exceed)       :                   0/0                    0

        RED random drops(packets/bytes)      : 0/0


Review Questions 

Q1:      Does the event session-activate apply to DHCP sessions?  

Q2:      What event is triggered upon reception of a PADI? 

Q3:      When is the event session-activate triggered? 

Q4:      Can an IP address pool for PPPoE include .0 addresses? 

Q5:      What about .0 addresses for DHCP clients? 

Q6:      How does the 9k load balance subscriber traffic over a bundle? 

Q7:      And can I change that? 

Q8:      How do I advertise my subscriber addresses for PPPoE and DHCP? 

Q9:      Does an interface require an ip address for PPPoE sessions? 

Q10:    And for DHCP Sessions? 

Q11:    Answer why for Q9 and Q10 

Q12:    When doing Parameterized QOS, what needs to be preconfigured in XR? 

Q13:     Why can the giAddr be zero in some cases and how does XR deal with that? 

Q14:    What is the difference between an Authorize and Authenticate statement in a control policy? 

Q15:    Can I activate dynamic templates multiple times? 

Q16:    And if the templates are different? 

Q17:    What will happen with the configuration of the subscriber? 

Q18:    Can I use pQOS on bundle interfaces or phy interfaces or both? 



Appendix 

PPPoE client configuration IOS:

bba-group pppoe a9k

virtual-template 21

!

interface Virtual-Template21

ip address negotiated

ppp chap hostname test

ppp chap password 0 cisco

!

interface FastEthernet2/0.100

encapsulation dot1Q 100

pppoe enable group a9k

!

!start session:

test pppoe 1 1 fa 2/0.100

Sending tags with an IOS client

bba-group pppoe tagtest

virtual-template 20

service profile test

test vendor-tag remote-id string "XTH_TEST"

test vendor-tag 0x0090 010203

test tag 0x0001 1234567890

test vendor-tag 0x00FE

test tag 0x0120 05DC

test tag 0x0082 123405

test vendor-tag 0x0082 123405

Starting a pppoe session from an IOS client: (Note: the above needs “service internal” to configure.)

Router# test pppoe 1 1 fa 2/0.100

This will start 1 session at 1 cps from fastethernet 2/0.100; if the associated bba group has tags in place they will automatically be inherited in the PADI transmission.

DHCP client configuration IOS:

interface GigabitEthernet0/1.1

encapsulation dot1Q 2

ip dhcp client client-id ascii CPE_POD1

ip dhcp client class-id CPE_7200

ip dhcp client circuit-id GigE0/1.1

ip dhcp client remote-id POD1

ip address dhcp

The dhcp client session is automatically started when the (sub)interface is brought up.

IOS Switch configuration:

interface GigabitEthernet0/1

description A9k-BNG g0/0/0/19

switchport trunk encapsulation dot1q

switchport mode trunk

speed nonegotiate

channel-group 1 mode active

!

interface GigabitEthernet0/2

description A9K-BNG->G0/1/0/19

switchport trunk encapsulation dot1q

switchport mode trunk

speed nonegotiate

channel-group 1 mode active

!

interface Port-channel1

switchport trunk encapsulation dot1q

switchport mode trunk

speed nonegotiate

!

interface FastEthernet0/1

description Access Port

switchport access vlan 10

switchport mode access

spanning-tree portfast


CoA:

To setup CoA:

Download the tool from this guide: https://supportforums.cisco.com/docs/DOC-16677

Sample profiles are available also on that link.

A few quick profiles:

Account-Logon:

ip-address=3.0.0.244

Change address to your BNG mgmt interface

secret=cisco

destport=1700

Secret defined in dynamic author config and port definition (1700 default)

attribute2=26,9,1,subscriber:command=account-logon

VSA for command account logon

attribute3=26,9,1,subscriber:password=cisco

Password to use to RADIUS

attribute4=1,ipsub

Username to use to RADIUS

timeout=1

Timeout waiting for response from tool

END

End identifier of COA profile

Parameterized QOS:

ip-address=3.0.0.244

secret=cisco

destport=1700

attribute2=26,9,1,subscriber:command=account-update

attribute3=26,9,1,ip:qos-policy-out=add-class(sub,(class-default), shape(200))

attribute4=26,9,1,ip:qos-policy-out=add-class(sub,(class-default, 3play-voip), pri-level(1), police(128,8))

timeout=1

END

Change the shape value (200 in the example above) to reflect the parent shape rate on the session

Adding a VIDEO class:

ip-address=3.0.0.244

secret=cisco

destport=1700

attribute2=26,9,1,subscriber:command=account-update

attribute3=26,9,1,ip:qos-policy-out=add-class(sub,(class-default, VIDEO), bw-abs(2048))

timeout=1

END

Removing a video class:

ip-address=3.0.0.244

secret=cisco

destport=1700

attribute2=26,9,1,subscriber:command=account-update

attribute3=26,9,1,ip:qos-policy-out=remove-class(sub,(class-default, VIDEO), bw-abs(2048))

timeout=1

END

Sending a COA command:

sw-lab-fw:32> coa -f coaqos -1 44,000000ea

CoA Client (version 2.2),(c) May-2009,

xander thuijs CCIE#6775 Cisco Systems Int.

End detected!

Using COA with :

NAS: 30000f4

Port: 1700

Secret: cisco

Timeout: 1 (0 means indefinite wait)

CoA: Request was accepted! (ID 2)

Reply message: '000000ea'

In the command above, coaqos is the CoA profile filename (the text file with the CoA commands) and 000000ea is the accounting session ID that you can find with the “show subscriber session all detail” command (keep the 0 prefix intact; it needs to be 8 chars).

If all goes well, an accepted or denied response is given
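To see what the profile and the "-1 44,<session id>" argument turn into on the wire, here is an added example (not the CoA tool's code) that parses a constructed profile in the format above, encodes the attributes as RADIUS AVPs (Cisco VSAs as type 26 / vendor 9), builds a CoA-Request (RFC 5176) and checks its Request Authenticator the way the BNG does with the dynamic-author secret. It assumes, as the page's examples suggest, that "-N type,value" sets attributeN.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43        # RADIUS packet code for CoA-Request (RFC 5176)
VSA = 26                # Vendor-Specific attribute (RFC 2865)
ACCT_SESSION_ID = 44    # the attribute the tool fills from "-1 44,<session id>"

# Constructed profile in the "Account-Logon" format above (sample values).
SAMPLE_PROFILE = """\
ip-address=3.0.0.244
secret=cisco
destport=1700
attribute2=26,9,1,subscriber:command=account-logon
attribute3=26,9,1,subscriber:password=cisco
attribute4=1,ipsub
timeout=1
END
"""


def parse_profile(text):
    """Split a profile into target settings and {n: spec} for attributeN lines; stop at END."""
    settings, attrs = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "END":
            break
        key, _, val = line.partition("=")
        if key.startswith("attribute"):
            attrs[int(key[len("attribute"):])] = val
        else:
            settings[key] = val
    return settings, attrs


def encode_attribute(spec):
    """Encode 'type,value' or '26,vendor,vendor-type,value' as a RADIUS TLV.
    Only the first commas are separators: QoS values such as add-class(...) contain commas."""
    attr_type, _, rest = spec.partition(",")
    attr_type = int(attr_type)
    if attr_type == VSA:
        vendor, vtype, value = rest.split(",", 2)
        inner = bytes([int(vtype), 2 + len(value)]) + value.encode()
        payload = struct.pack("!I", int(vendor)) + inner
    else:
        payload = rest.encode()
    if len(payload) > 253:
        raise ValueError("attribute value too long for a single RADIUS AVP")
    return bytes([attr_type, 2 + len(payload)]) + payload


def with_session_id(attrs, session_id, slot=1):
    """Mirror '-1 44,<session id>' (assumed: -N sets attributeN). The Acct-Session-Id
    must be the 8-character value from 'show subscriber session all detail'."""
    if len(session_id) != 8 or not all(c in "0123456789abcdefABCDEF" for c in session_id):
        raise ValueError(f"Acct-Session-Id must be 8 hex characters, got {session_id!r}")
    new = dict(attrs)
    new[slot] = f"{ACCT_SESSION_ID},{session_id}"
    return new


def build_coa_request(attrs, secret, identifier):
    """Code, Identifier, Length, Request Authenticator, then the attributes in slot order.
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(encode_attribute(attrs[n]) for n in sorted(attrs))
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret.encode()).digest()
    return header + authenticator + body


def request_authenticator_ok(packet, secret):
    """The check a NAS makes before acting on a CoA: the sender must know the shared secret
    and the attributes must be unmodified (a bad secret or any tampering fails it)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret.encode()).digest()
    return hmac.compare_digest(expected, auth)


if __name__ == "__main__":
    settings, attrs = parse_profile(SAMPLE_PROFILE)
    pkt = build_coa_request(with_session_id(attrs, "000000ea"), settings["secret"], 2)
    print(f"CoA-Request to {settings['ip-address']}:{settings['destport']}, {len(pkt)} bytes,",
          "authenticator ok:", request_authenticator_ok(pkt, settings["secret"]))
```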


Related Information



Comments

humphreys Thu, 01/26/2012 - 12:39

Excellent document dear Xander! I will start to study it for the deployment of this platform. I hope to see you soon.

Cheers javier humphreys

humphreys Thu, 01/24/2013 - 08:33

Hi Xander, how are you? Let me ask some questions. Is it possible to have different DHCP profiles applied on different subinterfaces, so that on the same physical port we can have two different N:1 models with different giaddresses? Second question: I wonder if I must always configure a bundle interface or whether I can do the second configuration for IP sessions.

dhcp ipv4

profile IP_DEFAULT proxy

  helper-address <DHCP Server> giaddr 172.20.1.254

  relay information option

  relay information policy keep

  relay information option allow-untrusted

!

profile ToIP proxy

  helper-address <DHCP Server> giaddr 172.16.1.254

  relay information option

  relay information policy keep

  relay information option allow-untrusted

!

interface Bundle-Ether100.2 proxy profile IP_DEFAULT

interface Bundle-Ether202.1 proxy profile IP_DEFAULT

interface Bundle-Ether202.2 proxy profile ToIP

!

Second

dhcp ipv4

profile IP_DEFAULT proxy

  helper-address <DHCP Server> giaddr 172.20.1.254

  relay information option

  relay information policy keep

  relay information option allow-untrusted

!

profile ToIP proxy

  helper-address <DHCP Server> giaddr 172.16.1.254

  relay information option

  relay information policy keep

  relay information option allow-untrusted

!

interface tengiga 0/1/3.1 proxy profile IP_DEFAULT

interface tengiga 1/0/3.1 proxy profile ToIP

interface tengiga 1/0/3.2 proxy profile IP_DEFAULT

!


Thanks

Best regards,

Javier.

xthuijs Thu, 01/24/2013 - 09:56 (reply to humphreys)

That is very much possible Javier! Just make sure that the giAddr is routable as the dhcp server will reply back the offer to that address.

Generally this giAddr will be the one that is applied to the interface receiving the dhcp discover.

If dhcp proxy is used in teh context of ip subscribers, then yes you need bundle access sub-interfaces today (because BNG requires that). If you are just using stand alone proxy, it can either be a bundle or physical (sub) interface.

xander

humphreys Tue, 01/29/2013 - 05:47

Hi, in connection with my last question I came up with two doubts. First, whether there are scalability limits on giaddresses in the platform. Second, as you have said IP subscribers need bundle access sub-interfaces today, is there some release that will support IP subscriber session termination directly without a bundle?

Regards,

Javier

xthuijs Tue, 01/29/2013 - 05:52 (reply to humphreys)

hi javier!

there is virtually no limit to the number of dhcp proxy profiles and classes.

as for the bundle configuration: we require that today to pull the subscriber management to the RSP. Linecard based subscribers is something we are looking at to increase scale, but it is not set in stone yet. If you don't want a bundle or multiple members, then you can configure a bundle interface with a single member and disable LACP. The connecting device doesn't then even know we are perceiving it as a bundle on the 9k end.

regards

xander

ameishjennings Wed, 02/27/2013 - 13:32

Hello Xander. First of all I would like to say thank you for doing this stuff, man, it's very much appreciated by myself and I am sure by all here. I wanted to ask you a question about the ASR-9K being used as a BNG and its dependency on having a RADIUS server that supports extended source ports. Is this really the case, and if so how can I tell what feature set the RADIUS box has? The current RADIUS admin is not aware of the feature and I was wondering if you could tell us how to find out. Thanks again.

xthuijs Wed, 02/27/2013 - 13:44 (reply to ameishjennings)

Thank you for the comment, appreciate it! :)

As for your question, you know, generally, most recent radius-servers are written to be smart and return the reply with the dest port that was the source port when the access-request was received.

Whether your radius server does that properly, that is, taking the received source port and putting it as the dest port is really up to the socket programming of the radius-server.

The easiest way to verify that is with a packet sniffer. If your radius server is setting a dest port to the original received source port, you're fine!

xander

ameishjennings Thu, 02/28/2013 - 07:08

Good morning Xander. I had a short but very important question for you. As you know we are in the process of deploying ASR9Ks as BNGs. We currently have the 10k communicating with the RADIUS server as a BNG now and wanted to check how those communications/configs translate to XR. Below is the current configuration for communication with the RADIUS server on the 10K. If you would be kind enough to tell us how this translates to XR, or at least point us in the right direction. I think XR sends 6 and 32 by default, but what about the others, and is there a command to check and see the active attributes currently on the device?

radius-server attribute 44 include-in-access-req

radius-server attribute 6 on-for-login auth

radius-server attribute 8 include-in-access-req

radius-server attribute 32 include-in-access-req

radius-server attribute 32 include-in-accounting-req

radius-server attribute  55 include-in-acct-req

radius-server attribute 55 access-request include

xthuijs Thu, 02/28/2013 - 08:32 (reply to ameishjennings)

Got a few answers for you:

radius-server attribute 44 include-in-access-req

     this is default.

radius-server  attribute 6 on-for-login auth

    this is CSCud59174 which is fixed in 431 (new enhancement request)

radius-server attribute 8 include-in-access-req

    default if non zero. Note that this is not that useful for PPPoE sessions and only for dhcp based sessions if at all necessary. Thing though is with the implementation of XR with control policies, the access-request is generally never sent before dhcp completes.

radius-server attribute 32 include-in-access-req

    default

radius-server attribute 32 include-in-accounting-req

    default

radius-server attribute  55  include-in-acct-req

radius-server attribute 55 access-request include

    both default.

Here is a sample radius accounting request and access-request:

Thu Feb 28 11:08:35 2013: [23103] message received from 3.0.0.233/40671.144 code=1, length=244

Thu Feb 28 11:08:35 2013: [23103] Cisco-avpair = "if-handle=4128"

Thu Feb 28 11:08:35 2013: [23103] Cisco-avpair = "client-mac-address=0006.2aaa.2438"

Thu Feb 28 11:08:35 2013: [23103] NAS-Port = 67109347

Thu Feb 28 11:08:35 2013: [23103] NAS-Port-Id = "."

Thu Feb 28 11:08:35 2013: [23103] Vendor-Specific-9-2 = "."

Thu Feb 28 11:08:35 2013: [23103] User-Name = "dialer"

Thu Feb 28 11:08:35 2013: [23103] Service-Type = Framed-User

Thu Feb 28 11:08:35 2013: [23103] Password = "******"

Thu Feb 28 11:08:35 2013: [23103] Acct-Session-Id = "00000068"

Thu Feb 28 11:08:35 2013: [23103] Unknown-196 = "\000\000\000A"

Thu Feb 28 11:08:35 2013: [23103] Cisco-avpair = "connect-progress=LCP Open"

Thu Feb 28 11:08:35 2013: [23103] Framed-Protocol = PPP

Thu Feb 28 11:08:35 2013: [23103] Cisco-avpair = "parent-if-handle=1248"

Thu Feb 28 11:08:35 2013: [23103] NAS-Port-Type = 36

Thu Feb 28 11:08:35 2013: [23103] Event-Timestamp = 1362067826

Thu Feb 28 11:08:35 2013: [23103] NAS-Identifier = "A9K-BNG"

Thu Feb 28 11:08:35 2013: [23103] NAS-IP-Address = 3.0.0.233

Thu Feb 28 11:08:35 2013: [23170] message sent to 3.0.0.233/40671.144 code=2, length=76

Thu Feb 28 11:08:35 2013: [23104] message received from 3.0.0.233/40671.145 code=4, length=324

Thu Feb 28 11:08:35 2013: [23104] Acct-Interim-Interval = 3600

Thu Feb 28 11:08:35 2013: [23104] Acct-Status-Type = Start

Thu Feb 28 11:08:35 2013: [23104] Event-Timestamp = 1362067826

Thu Feb 28 11:08:35 2013: [23104] Cisco-avpair = "if-handle=4128"

Thu Feb 28 11:08:35 2013: [23104] Cisco-avpair = "client-mac-address=0006.2aaa.2438"

Thu Feb 28 11:08:35 2013: [23104] Acct-Session-Id = "00000068"

Thu Feb 28 11:08:35 2013: [23104] Cisco-avpair = "parent-if-handle=1248"

Thu Feb 28 11:08:35 2013: [23104] NAS-Port-Type = 36

Thu Feb 28 11:08:35 2013: [23104] Cisco-avpair = "pppoe-session-id=19"

Thu Feb 28 11:08:35 2013: [23104] NAS-Port = 67109347

Thu Feb 28 11:08:35 2013: [23104] NAS-Port-Id = "."

Thu Feb 28 11:08:35 2013: [23104] Vendor-Specific-9-2 = "."

Thu Feb 28 11:08:35 2013: [23104] User-Name = "dialer"

Thu Feb 28 11:08:35 2013: [23104] Framed-Protocol = PPP

Thu Feb 28 11:08:35 2013: [23104] Service-Type = Framed-User

Thu Feb 28 11:08:35 2013: [23104] Unknown-196 = "\000\000\000C"

Thu Feb 28 11:08:35 2013: [23104] Cisco-avpair = "connect-progress=IPCP Open"

Thu Feb 28 11:08:35 2013: [23104] Password = "handle=1248=\006\000\000\000"

Thu Feb 28 11:08:35 2013: [23104] Acct-Authentic = RADIUS

Thu Feb 28 11:08:35 2013: [23104] Framed-IP-Address = 1.2.3.3

Thu Feb 28 11:08:35 2013: [23104] Cisco-avpair = "vrf-id=default"

Thu Feb 28 11:08:35 2013: [23104] NAS-Identifier = "A9K-BNG"

Thu Feb 28 11:08:35 2013: [23104] NAS-IP-Address = 3.0.0.233

Thu Feb 28 11:08:35 2013: [23104] Acct-Delay-Time = 0

Thu Feb 28 11:08:35 2013: [23104] sending acct-response to 3.0.0.233/40671.145

ameishjennings Fri, 03/01/2013 - 08:48

hello Xander,

I feel bad coming to you so often and after this question I will try to cut back. I was wondering if you could give me a short rundown on the importance of the BBA group as it relates to XR-BNG. We currently have it running in our network on IOS and we are trying to figure out a way to translate the configurations. I know they must be relevant to how the sessions work because they reference the dynamic templates in the configuration. We know how to create the bba group but we are not sure how to have it reference the virtual template or if it has to. Thanks in advance for your help.

bba-group pppoe pppoe profile8

virtual template 8

vendor-tag circuit-id service

vendor-tag remote service xxx

sessions per-vlan limit xxx

sessions per-mac throttle 6 60 0

xthuijs Fri, 03/01/2013 - 09:49 (reply to ameishjennings)

No problem, you can also always reach out to your AS rep (which I think you have right?) for some Q&A.

the bba group in XR is used for any pppoe specific configuration (almost similar to IOS).

the virtual-template is not present in XR, because the equivalent, dynamic template, is applied under the control policy.

the vendor tag service commands are default.

the sessions throttle and limit have only limited capabilities in XR423 and much more so in XR43.

the command structure is the same.

regards

xander

cheupel Fri, 06/07/2013 - 06:07

Alexander,

Is it possible to deploy the ASR9K BNG without a AAA server?  We run a 10K today for subscriber termination with no authentication.  We don't use policy-maps/class-maps.  Just termination of vlans on sub-interfaces with ipunnumbered to a loopback interface.  When we put this configuration on the ASR9K, the CPE receives an IP from the DHCP server but the 9K doesn't create a static route in the routing table like the 10k.  I was told by my SE that it would work exactly like my 10K but that doesn't seem to be the case.

Thank you,

Shane

xthuijs Fri, 06/07/2013 - 06:35 (reply to cheupel)

Hi Shane,

9k implementation requires the configuration of ISG (like) config to create subscriber interfaces, so for that the policy-maps/class-maps are necessary. Authentication is not a necessary part of the control policy, leaving that out just passes auth natively and creates the subscr if and passes on the dhcp transparently.

If you don't have any need for subscriber interfaces, L2VPN with DHCP snooping might be a possibility.

BNG/iEDGE gives you the ability to have per subscr interfaces that can be modified via COA.

If you don't need per subscriber (for ip sessions is "lease") configuration, l2vpn might be a better fit...

So technically yes 10k and 9k are equivalent, however the bng implementation for 9k requires the config of ISG, which was optional in 10k/IOS

regards

xander

dfauluchi Tue, 11/12/2013 - 04:28

Hi Alexander,

We are using dhcp ipv4 proxy profile. How can we clear a particular binding using assigned IP address?

XR version 4.3.1

Thanks, Diego.

xthuijs Tue, 11/12/2013 - 04:57 (reply to dfauluchi)

hi diego, you can't... and it is a bit dangerous too if you have multiple sessions using the same addr in different vrf's.

we can clear on mac addr and interface (but that is the access interface, so might result in clearing multiple sessions in one go also)

regards

xander

dfauluchi Tue, 11/12/2013 - 07:18 (reply to xthuijs)

Hi Xander,

We are using this config:

dhcp ipv4

profile DHCP proxy

  class VOIP-IAD

   match vrf VOIP-IAD

   helper-address vrf VOIP-IAD 172.19.0.21 giaddr 10.21.0.1

  !

!

interface TenGigE0/7/0/3.3598 proxy profile DHCP

interface TenGigE0/7/0/3.3599 proxy profile DHCP

!

interface Loopback1002

vrf VOIP-IAD

ipv4 address 10.21.0.1 255.255.192.0

!

interface TenGigE0/7/0/3.3598

service-policy input setvoip

vrf VOIP-IAD

ipv4 point-to-point

ipv4 unnumbered Loopback1002

arp timeout 30

encapsulation dot1q 3598

!

What we need is to list only connected subscribers. If one subscriber is disconnected, we wouldn't notice.

In IOS we could clear arp cache and clear ip routing table for just one ip address (one subscriber). Now we see the ARP table differently for dynamic learned or DHCP assigned addresses.

RP/0/RSP1/CPU0:XXXXXX#sh arp vrf VOIP-IAD

Wed Oct 23 11:08:25.425 GMT

-------------------------------------------------------------------------------

0/6/CPU0

-------------------------------------------------------------------------------

Address         Age        Hardware Addr   State      Type  Interface

10.21.66.35     -          cc5d.4e1a.f35b  DHCP       ARPA  TenGigE0/7/0/3.3598

10.21.66.36     -          7488.8b70.85b9  DHCP       ARPA  TenGigE0/7/0/3.3598

10.21.66.37     -          0090.8f23.8610  DHCP       ARPA  TenGigE0/7/0/3.3598

10.53.146.77    00:00:04   c86c.87fc.45ce  Dynamic    ARPA  TenGigE0/7/0/3.3598

10.53.194.187   00:00:08   cc5d.4ea6.46be  Dynamic    ARPA  TenGigE0/7/0/3.3598

We can clear ARP cache for dynamic (age goes to 0), but not for the others.

Can you tell if the command clear dhcp ipv4 server binding would help?

(available from 5.2)

Thanks, Diego.

xthuijs Tue, 11/12/2013 - 07:59 (reply to dfauluchi)

yeah in XR however in this model there is no ARP used at all.

the binding is used for forwarding to the subscriber, this to ensure security in terms of arp poisoning prevention, so there may be an ARP entry but it is not used for forwarding.

in the upstream, the 9k would respond to its unnumbered/local address requests and can function as a proxy also for peer to peer connectivity.

so the command for the dhcp binding clearing is:

clear dhcp ipv4 proxy binding .....mac/if/etc

5.2 is not out yet, not in EFT either.

regards

xander

Sebastiaan1978 Mon, 01/06/2014 - 03:13

Hi Xander,

I'm using IPoE sessions and apply an ACL through the dynamic template similar to your chapter 1.2. I notice the acl works by a ping-test, but when I use <show ipv4 int Bundle-Ether1.300.ip7> I see no access-list inbound or outbound access-list applied to the subscriber interface, is this correct?

Bundle-Ether1.300.ip7 is Up, ipv4 protocol is Up

  Vrf is default (vrfid 0x60000000)

  Interface is unnumbered.  Using address of Loopback300 (x.x.x.x)

  MTU is 1500 (1500 is available to IP)

  Helper address is not set

  Directed broadcast forwarding is disabled

Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is disabled

  ICMP redirects are never sent

  ICMP unreachables are always sent

  ICMP mask replies are never sent

  Table Id is 0xe0000000

IP unicast RPF check is enabled

RPF mode strict

Regards, Sebastiaan

xthuijs Mon, 01/06/2014 - 04:09 (reply to Sebastiaan1978)

hey sebastiaan,

yeah known issue, working on getting that fixed, because it is very annoying.

you can use the following trick to see what the hw programmed:

show access-lists <acl_name> usage pfilter location 0/rSP1/CPU0

location is rsp for bundle sessions or the Lc for phy/sub termination. (either RSP0 or RSP1)

example output:

RP/0/RSP1/CPU0:A9K-BOTTOM#show access-lists BNG_test usage pfilter location 0/rSP1/CPU0
Interface : Bundle-Ether1001.100.pppoe9

    Input ACL : N/A

    Output ACL : BNG_test

RP/0/RSP1/CPU0:A9K-BOTTOM#

ipv4 access-list BNG_test

10 permit icmp any any

20 deny tcp any any eq telnet

30 permit ipv4 any any

regards

xander

aanderson Fri, 02/28/2014 - 08:11

Xander,

I have been able to get a session up using encap dot1q 100 on our bundle interface, however, I would prefer to use encapsulation ambiguous.  When this is implemented, the DHCP server receives a 0.0.0.0 Giaddr and cannot select the proper pool.  I have included the configurations below along with the show subscriber output

RP/0/RSP1/CPU0:GATEWAY1#sh run int bundle-ether 2.1

Fri Feb 28 08:04:02.701 UTC

interface Bundle-Ether2.1

ipv4 point-to-point

ipv4 unnumbered Loopback0

service-policy type control subscriber IP_SUB_PMAP

encapsulation dot1q 100

ipsubscriber ipv4 l2-connected

  initiator dhcp

  initiator unclassified-source

!

!

RP/0/RSP1/CPU0:GATEWAY1#show subsc sess all       

Fri Feb 28 08:04:09.075 UTC

Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,

       ID - Idle, DN - Disconnecting, ED - End

Type         Interface                State     Subscriber IP Addr / Prefix                             

                                                LNS Address (Vrf)                             

--------------------------------------------------------------------------------

IP:DHCP      BE2.1.ip7                AC        192.168.132.2 (default)             

RP/0/RSP1/CPU0:GATEWAY1#

RP/0/RSP1/CPU0:GATEWAY1#sh run int bundle-ether 2.1

Fri Feb 28 08:04:50.234 UTC

interface Bundle-Ether2.1

ipv4 point-to-point

ipv4 unnumbered Loopback0

service-policy type control subscriber IP_SUB_PMAP

ipsubscriber ipv4 l2-connected

  initiator dhcp

  initiator unclassified-source

!

encapsulation ambiguous dot1q any

!

RP/0/RSP1/CPU0:GATEWAY1#show subsc sess all       

Fri Feb 28 08:04:53.288 UTC

Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,

       ID - Idle, DN - Disconnecting, ED - End

Type         Interface                State     Subscriber IP Addr / Prefix                             

                                                LNS Address (Vrf)                             

--------------------------------------------------------------------------------

RP/0/RSP1/CPU0:GATEWAY1#

Is there something I'm missing to bind the gateway to this interface?

Thanks,

Tony

xthuijs Sat, 03/01/2014 - 09:33 (reply to aanderson)

hey tony,

I think I need to see the show run dhcp ipv4 also to see precisely.

the giAddr is set in that configuration and should be set to the address of the unnumbered loopback routable TO the BNG, which then also acts as the default gateway for the sessions.

Can you give me a show run of the loop0 also please? (and maybe the policy-map to make sure that everything is set for there also).

cheers!

xander

aanderson Mon, 03/03/2014 - 08:07 (reply to xthuijs)

Hi Xander,

Here are the configuration pieces you requested:

dhcp ipv4
 profile DHCP_SUBS proxy
  broadcast-flag policy check
  helper-address vrf default 66.38.2.14 giaddr 192.168.132.1
  relay information option
  relay information policy keep
  relay information option allow-untrusted
 !
 interface Bundle-Ether2.1 proxy profile DHCP_SUBS
!

interface Loopback0
 ipv4 address 192.168.132.1 255.255.255.0

class-map type control subscriber match-any SUBS
 match protocol dhcpv4
 end-class-map
!

policy-map type control subscriber IP_SUB_PMAP
 event session-start match-first
  class type control subscriber SUBS do-until-failure
   10 activate dynamic-template IPSUBS
  !
 !
 end-policy-map
!

dynamic-template
 type ipsubscriber IPSUBS
  accounting aaa list SUBS type session
  ipv4 unnumbered Loopback0
 !

Please let me know if there is anything further I can do to help troubleshoot this issue.

Thanks,

Tony

xthuijs Mon, 03/03/2014 - 15:52 (reply to aanderson)

ah thanks for that tony, I think I see what is going on...

when you have amb vlans, you need to broadcast the offer to the client.

unfortunately, at this point (due to the way the inject works for amb vlans) we can't "preroute" the packet as on dedicated vlan.

potential solution: set the broadcast policy flag to broadcast always.

I am working on having a different inject so we can unicast the offer to the client.

If that is still not it, maybe you can get us the debug dhcp ipv4 proxy event/<cr>, debug dhcp packet/er/ev.

PS: for troubleshooting cases like this it may be best to raise new topics on the larger forum, so that more people see it and pipe in. Comments on a doc like this are only seen by authors, modifiers and people who have previously commented (just to get more attention to this)...

cheers!

xander
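The exchange above turns on two pieces of DHCP relay mechanics: the BNG proxy stamps its own routable address (Loopback0 here) into giaddr before forwarding the DISCOVER to the helper-address, and the broadcast-flag policy decides whether the server's OFFER is handed back to the client as a broadcast or a unicast. The following is an added illustration, not code from this document or from IOS-XR: it builds a constructed DHCPDISCOVER, applies the relay step, and shows how the "check" policy (the one in Tony's profile) differs from an always-broadcast policy of the kind Xander recommends for ambiguous VLANs. The policy labels "check", "always-broadcast" and "always-unicast", the packet contents, and the MAC address are assumptions chosen here; nothing below asserts which IOS-XR keyword selects which behaviour.

```python
"""Model of DHCPv4 relay behaviour discussed in the thread (added example, not from the page)."""
import struct

# RFC 2131 fixed header: op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr
HDR_FMT = "!BBBBIHH4s4s4s4s16s"
HDR_LEN = struct.calcsize(HDR_FMT)      # 44 bytes; sname (64) and file (128) follow
BROADCAST_FLAG = 0x8000                 # leftmost bit of the 16-bit flags field
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_discover(xid, mac, broadcast):
    """Constructed client DHCPDISCOVER: BOOTREQUEST, Ethernet, all addresses zero."""
    flags = BROADCAST_FLAG if broadcast else 0
    zero4 = b"\x00" * 4
    hdr = struct.pack(HDR_FMT, 1, 1, 6, 0, xid, 0, flags,
                      zero4, zero4, zero4, zero4, mac + b"\x00" * 10)
    # option 53 (message type) = 1 (DISCOVER), then end option
    return hdr + b"\x00" * 192 + MAGIC_COOKIE + bytes([53, 1, 1, 255])


def parse_header(pkt):
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr, chaddr) = struct.unpack(HDR_FMT, pkt[:HDR_LEN])
    return {"op": op, "hops": hops, "xid": xid, "flags": flags,
            "ciaddr": ip_str(ciaddr), "yiaddr": ip_str(yiaddr),
            "siaddr": ip_str(siaddr), "giaddr": ip_str(giaddr),
            "chaddr": chaddr[:hlen].hex(":")}


def relay_to_server(pkt, relay_giaddr):
    """Relay step towards the helper-address: if giaddr is still 0.0.0.0, set it to the
    relay's own routable address (192.168.132.1 on Loopback0 in the thread), and bump hops.
    The server later sends the OFFER to giaddr, so this is what must be routable TO the BNG."""
    h = parse_header(pkt)
    giaddr = h["giaddr"] if h["giaddr"] != "0.0.0.0" else relay_giaddr
    # byte offsets: hops is [3], xid..siaddr is [4:24], giaddr is [24:28], chaddr is [28:44]
    new_hdr = (pkt[:3] + bytes([h["hops"] + 1]) + pkt[4:24]
               + ip_bytes(giaddr) + pkt[28:HDR_LEN])
    return new_hdr + pkt[HDR_LEN:]


def build_offer(discover, yiaddr, server):
    """Constructed server DHCPOFFER: echoes xid, flags, giaddr and chaddr; fills yiaddr/siaddr."""
    h = parse_header(discover)
    hdr = struct.pack(HDR_FMT, 2, 1, 6, h["hops"], h["xid"], 0, h["flags"],
                      b"\x00" * 4, ip_bytes(yiaddr), ip_bytes(server),
                      ip_bytes(h["giaddr"]), discover[28:HDR_LEN])
    return hdr + b"\x00" * 192 + MAGIC_COOKIE + bytes([53, 1, 2, 255])


def offer_delivery(offer, policy):
    """How the relay returns the OFFER to the client under a given broadcast-flag policy.
    "check": the client's broadcast bit decides (Tony's original setting);
    "always-broadcast": what the thread recommends on ambiguous VLANs, where the BNG cannot
    pre-route a unicast OFFER to a client that has no address yet; "always-unicast": the
    opposite. These labels are this example's own, not IOS-XR keywords."""
    h = parse_header(offer)
    if policy == "check":
        return "broadcast" if h["flags"] & BROADCAST_FLAG else "unicast"
    if policy == "always-broadcast":
        return "broadcast"
    if policy == "always-unicast":
        return "unicast"
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")              # constructed client MAC
    disc = build_discover(0x3903F326, mac, broadcast=False)
    relayed = relay_to_server(disc, "192.168.132.1")
    print("relayed giaddr/hops:", parse_header(relayed)["giaddr"], parse_header(relayed)["hops"])
    offer = build_offer(relayed, "192.168.132.2", "66.38.2.14")
    for policy in ("check", "always-broadcast", "always-unicast"):
        print(f"{policy:17s} -> {offer_delivery(offer, policy)}")
```

A client that does not set the broadcast bit gets a unicast OFFER under "check", which is exactly the case the BNG cannot deliver on an ambiguous VLAN; forcing broadcast sidesteps the problem at the cost of every host on that VLAN seeing the OFFER. One unrelated caveat on the posted profile: `relay information option allow-untrusted` accepts an Option 82 already present in a client's packet, so on a subscriber-facing interface it should only be enabled when the access node upstream is trusted to insert that option.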

Posted November 7, 2011 at 5:52 AM