ASR9000/XR: BNG deployment guide

Document

Mar 6, 2012 8:01 AM

 

Introduction

Broadband deployments are complex because of the options you have, varying needs in terms of deployments, the combination of technologies and many other reasons. In this article we'll go over the various designs, options and service deliverables that you can achieve with the ASR9000 BNG solution.

 

Access models

One of the decisions to be made when running BNG is the type of access that is preferred. There are two key options on the ASR9000: PPPoE (PPP over Ethernet) or IP sessions. Both can run on single or double tagged subinterfaces.

 

PPPoE sessions are triggered by the reception of a PADI and IP sessions are created by using DHCP as a session trigger.

In XR4.2.1 we can also use the "packet trigger" which means that an unclassified L3 address can be used to start a new session.

 

One also has to decide on the access interface, whether that is a single physical interface or access via bundles with multiple members. When choosing bundles the next decision is whether the members run in an active/active mode (all members forward traffic) or in an active/standby mode (one link does not forward traffic and only takes over when one of the members fails).

 

Bundles vs Physical interfaces

 

On the ASR9000, sessions on a physical interface, whether a GigabitEthernet or a TenGigabitEthernet interface, are terminated on the linecard. This significantly increases the scale, as effectively every linecard becomes its own controller of the sessions.

When you are running bundles, the sessions are then maintained on the RSP.

 

The LC's currently have their own Control Policy Engine, PPP manager and AAA processes. But they lack IGMP and LI today. This means that if you are planning to use LI or IGMP or parameterized QOS LC based subscribers should not be the choice for you.

 

You can use a bundle interface with a single member and LACP disabled to pull the subscribers to the RSP so that you have access to these features:

interface GigabitEthernet0/0/0/0
 bundle id 100 mode on

 

When you are using bundle interfaces, all features enabled on the subscriber are programmed on the NPUs that host the bundle members.

So running a bundle with 2 members effectively creates the subscriber on both NPUs, which is what gives it its failover support.

For downstream loadbalancing we can use destination based hashing, which is the subscriber's ip address, so we always hash the traffic from one subscriber over 1 member, but the subscribers would be spread over the members based on their destination address.

 

The following configuration takes care of that:

interface Bundle-Ether100
 bundle load-balancing hash dst-ip

 

When one member fails, the traffic is carried over to the other member seamlessly.

For the upstream direction, we can't control how the traffic arrives to us, which is controlled by the access layer device, whether that be your metro device or DSLAM.

 

Linecard based subscribers

This is an XR 5.1.1 deliverable. LC subscribers will increase the scale even further, as this distributes the control plane to the LC as opposed to the RSP.

 

Hardware requirements

The hardware you require for BNG on the ASR9000 is:

  • Any Typhoon linecard such as the A9K-MOD80-SE, A9K-24x10, 36x10 and MOD160.
  • A9K-RSP440-SE

 

Note that for both the RSP and the linecard we need to have the "SE" or Service Edge variant.

Also the ASR9001 will support BNG.

 

Trident linecards are not supported for subscriber termination, but they can be used as core facing linecards for transport.

 

The MOD80 is a 2NP based linecard. Per NP we support 32k sessions with 64k per linecard.

Per port we support up to 8K sessions when they are running QoS. This is because the QoS architecture within the NP does not allow more than 8k parent shapers per physical port. (That restriction is partially lifted in XR4.3.1, which allocates QoS chunks more dynamically. You still have 32k parent shapers, but you can instruct a subinterface to use a chunk. This means a limit of 8k per VLAN and 32k per NPU.)

 

These restrictions apply regardless of whether you are using LC or RSP based subscribers.

 

All linecards that run BNG need to be of the Typhoon kind (NP4). Your core facing interfaces, if not running BNG, can be Trident based or SIP700 based. However, if you are using L2TP, then your core facing LCs need to be NP4 as well. This is because L2TP decapsulation, which is handled by the core facing LC in the downstream direction, is not implemented on SIP700 or Trident.

 

 

Radius Source Ports

Each LC is assigned a source port range for RADIUS, so while all LCs present themselves as a single NAS-ID, the source ports they use effectively identify the node within the system. This is transparent to you and nothing needs to be configured for it.

However, it is imperative that your RADIUS server supports extended source ports, so that the combination of source port and RADIUS request ID defines a unique request. This is the same as in IOS; otherwise you can only support a call window of 256 outstanding requests (as the RADIUS ID is only an 8-bit field). So check your radius-server capability!

 

For example see this radius request received on a radius-server:

Tue Apr 5 16:55:45 2011: [17224] message received from 3.0.0.234/49080.12 code=4, length=361
Tue Apr 5 16:55:45 2011: [17224] Acct-Interim-Interval = 60
Tue Apr 5 16:55:45 2011: [17224] Acct-Status-Type = Stop
Tue Apr 5 16:55:45 2011: [17224] Cisco-avpair = "if-handle=167774432"
Tue Apr 5 16:55:45 2011: [17224] Cisco-avpair = "client-mac-address=0010.9441.0001"
Tue Apr 5 16:55:45 2011: [17224] Acct-Session-Id = "00000054"

 

This RADIUS (accounting) request was sent from UDP port 49080 and its RADIUS ID is 12.

You can check in LPTS on IOS-XR which node that source port maps to:

 

RP/0/RSP1/CPU0:A9K-BNG#show lpts pifib hardware entry br location 0/1/CPU0 | i 49080
Tue Apr 5 17:22:52.941 EST
(VRF:0) any.49080 , any.any         UDP   any         48           deliver 48

 

 

If you decode 48 into binary, one bit per slot of a 10 slot chassis: 48 = 0000110000

The two "1" bits represent the RSPs in the middle slots of a 10 slot chassis!
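To make the uniqueness point concrete, here is an added Python example (not from the original guide) that parses the request origin out of a radius-server log line like the one above, shows how many requests a server can tell apart with and without extended source ports, and decodes the LPTS deliver mask into chassis slots. The log and LPTS lines are constructed copies of the output shown; the slot numbering (bit 0 = slot 0) is an assumption.

```python
import re

# Constructed sample lines modelled on the radius-server log and the LPTS
# output shown above; they are not captures from a live system.
RADIUS_LOG_LINE = ("Tue Apr 5 16:55:45 2011: [17224] message received from "
                   "3.0.0.234/49080.12 code=4, length=361")
LPTS_LINE = "(VRF:0) any.49080 , any.any         UDP   any         48           deliver 48"

RADIUS_ID_BITS = 8      # the RADIUS Identifier field is one octet (RFC 2865)
CHASSIS_SLOTS = 10      # 10 slot chassis, as in the text


def parse_radius_origin(line):
    """Return (nas_ip, udp_source_port, radius_id) from a
    'message received from A.B.C.D/port.id' log line."""
    m = re.search(r"received from (\d+\.\d+\.\d+\.\d+)/(\d+)\.(\d+)", line)
    if m is None:
        raise ValueError("no request origin found in: %r" % line)
    return m.group(1), int(m.group(2)), int(m.group(3))


def request_key(nas_ip, src_port, radius_id, extended_source_ports):
    """The tuple a RADIUS server uses to tell requests apart. Without extended
    source-port support only NAS-IP and the 8-bit Identifier remain."""
    if extended_source_ports:
        return (nas_ip, src_port, radius_id)
    return (nas_ip, radius_id)


def distinct_requests(origins, extended_source_ports):
    """How many of the given (nas_ip, port, id) origins the server can keep apart."""
    return len({request_key(ip, port, rid, extended_source_ports)
                for ip, port, rid in origins})


def call_window(extended_source_ports, source_ports):
    """Maximum outstanding requests per NAS-IP that stay unique."""
    ids = 1 << RADIUS_ID_BITS
    return ids * len(set(source_ports)) if extended_source_ports else ids


def parse_lpts_deliver(line):
    """Extract the numeric node mask after 'deliver' in the LPTS entry."""
    m = re.search(r"\bdeliver\s+(\d+)\s*$", line)
    if m is None:
        raise ValueError("no deliver mask in: %r" % line)
    return int(m.group(1))


def mask_to_bits(mask, slots=CHASSIS_SLOTS):
    """The mask written out with one bit per slot, highest slot first (as in the text)."""
    return format(mask, "0%db" % slots)


def slots_from_mask(mask, slots=CHASSIS_SLOTS):
    """Slot numbers whose bit is set (assumption: bit 0 = slot 0)."""
    return [s for s in range(slots) if (mask >> s) & 1]


if __name__ == "__main__":
    ip, port, rid = parse_radius_origin(RADIUS_LOG_LINE)
    print("request from %s port %d id %d" % (ip, port, rid))
    mask = parse_lpts_deliver(LPTS_LINE)
    print("deliver %d = %s -> slots %s" % (mask, mask_to_bits(mask), slots_from_mask(mask)))
    # Two nodes using their own source ports but the same Identifier value:
    same_id = [("3.0.0.234", 49080, 12), ("3.0.0.234", 49081, 12)]
    print("distinct without extended ports:", distinct_requests(same_id, False))
    print("distinct with extended ports:   ", distinct_requests(same_id, True))
```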

 

PPPoE vs DHCP/IP-sessions

Broadband access has natively been using PPP based access, which originates from the dial days, whereby modems dialing into a modem-bank/access server allowing the transmission of data packets by encapsulating them in PPP packets. When access evolved to higher speeds using DSL (effectively ATM over the phone line), PPP was still used in the flavor of PPPoA (PPP over ATM).

Now that the aggregation point's uplinks are transitioning from ATM based to Ethernet based, and with Ethernet running directly to the home, PPPoE has gained a strong hold in the access layer.

Still, with DSL in the first mile, DSLAMs may convert the PPPoA session into PPPoE towards the aggregator, leaving PPP with a (well deserved) strong presence in the access.

 

In a transition to all-Ethernet access there is no need per se to run PPP at the access. PPPoE requires a client (which nowadays comes natively in many operating systems, however), which created the opportunity for a simpler approach: direct IP access using DHCP as the signal to trigger session creation.

 

Drivers of PPPoE are:

  • Ability to run multistack: each Layer 3 protocol is negotiated separately via its own Control Protocol during the NCP (Network Control Protocol) phase
  • Authentication natively built in via protocols such as CHAP, PAP, MS-CHAP etc.
  • Link control (negotiable options during LCP)
  • Keepalives
  • Ability to aggregate multiple lines together into a single link, such as via MLP (Multilink PPP)

 

IP sessions don't have authentication natively built in, as there is no concept of username/password here, but with BNG deployments there are options now: the BNG can construct a username out of options of the DHCP discover or other fields such as MAC address, access interface, VLAN etc.

 

First Sign of Life comparison between PPPoE and IPoE sessions

 

[Figure: first sign of life comparison between PPPoE and IPoE sessions]

 

 

 

Access Interfaces

This is the basic configuration to be set up in order to get PPPoE and IP sessions running.

Note that PPP and IPoE sessions can co-exist on the same parent interface as well as on the same subinterface.

 

This is a base configuration example to set up the FSOL (first sign of life) handling for PPPoE or IP sessions.

[Figure: base access interface configuration for PPPoE and IP session FSOL handling]

 

Using ambiguous VLANs

Originally, for double tagged traffic, also known as QinQ or QiQ, we had to explicitly configure the inner and outer VLAN combination for each possible termination point. In ASR9000/XR we can define ambiguous ranges, allowing us to specify the outer VLAN only and an inner range.

The most common deployment scenario for QinQ is one where the outer VLAN represents the DSLAM and the inner VLAN represents the subscriber. Obviously configuring 64k subinterfaces is not easy to manage; ambiguous VLAN support greatly reduces operational overhead and large configs and provides much more simplicity:

 

Configuration example:

 

interface Bundle-Ether1.50
 service-policy type control subscriber PPP_IP_PM1
 pppoe enable bba-group default
 encapsulation ambiguous    dot1q { any | <vlan range> }
                            dot1ad { any | <vlan range> }
                            dot1q <vlan#> second-dot1q { any | <vlan range> }
                            dot1ad <vlan#> second-dot1q { any | <vlan range> }

 

[Figure: ambiguous VLAN configuration example]

 

 

DHCP/IP sessions

PPP sessions have a native keepalive built in. If keepalives are not exchanged between the BNG and the client, the session is automatically torn down. IP sessions don't have a native keepalive mechanism, and some implementations opted for an ICMP or ARP keepalive methodology to detect absent IP sessions as opposed to relying on (potentially long) DHCP lease timers.

The ASR9000 does not have ICMP or ARP keepalives for IP sessions; instead it uses a different mechanism, lease proxy, which is elaborated on in this section.

Restart handling

Problem domain 1:

IPoE sessions are initiated upon receipt of a DHCP discover and can be terminated before the client's IP address lease expires or is released, by:

  • CoA Account-Logoff/PoD
  • Session Administratively cleared
  • Reload

 

We need a way to recreate the session if the client lease is still valid:

 

[Figure: recreating an IPoE session while the client lease is still valid]

 

Once we have marked the binding in the DHCP proxy on the BNG as "stale" due to one of the reasons mentioned above, a subsequent DHCP request from the client (e.g. on renew) is NAK'd; the client will then fall back to discovery mode, upon which we can recreate the session.

[Figure: stale binding handling, DHCP renew NAK'd and session recreated after discovery]

To support a sort of keepalive mechanism we can shorten the lease time, which will require the session to renew its lease at half the lease time. So we effectively have a keepalive mechanism at half-lease time in this scenario.

This inherently increases the load on the dhcp server because the BNG will forward the renew requests to the dhcp server and when Acknowledged it will maintain the binding and the session.

 

A smoother solution is the concept of "lease proxy". This means that even though the server offers a lease, in this example of 40 minutes, the BNG advertises a lease of a configurable time to the client, in this example 10 minutes.

Every 5 minutes the client will renew, but now the BNG intercepts and re-acknowledges the lease to the client, as opposed to relying on the DHCP server to ack the renew.

At half the lease time, here 20 minutes, we renew with the dhcp server to maintain proper state.
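The lease-proxy timing above as an added Python model (not part of the original guide): a binding that ACKs client renews locally, forwards to the server once the proxy's own T1 has passed, and NAKs renews on a stale binding so the client falls back to discovery. The 10 minute / 40 minute values are the text's; the rule that the proxy refreshes its server lease on the first client renew at or after its T1 is a modelling assumption.

```python
from dataclasses import dataclass, field

# Constructed model of the DHCP lease-proxy behaviour described above. Times are
# in seconds; the renewal point (T1) is taken as half the lease, as in the text.


@dataclass
class ProxyBinding:
    client_lease: int            # lease the BNG advertises (lease proxy client-lease-time)
    server_lease: int            # lease the DHCP server actually granted the proxy
    server_acked_at: int = 0     # time of the last ACK received from the server
    stale: bool = False          # set on reload, CoA logoff/PoD or administrative clear
    local_acks: list = field(default_factory=list)
    server_renews: list = field(default_factory=list)

    def mark_stale(self):
        """The binding survives (e.g. across a reload) but the session is gone."""
        self.stale = True

    def client_renew(self, now):
        """Handle a DHCP REQUEST (renew) from the client at time `now`.

        Returns "NAK" for a stale binding (the client falls back to DISCOVER and
        the session is recreated), "FORWARD" when the proxy's own T1 with the
        server has passed and the renew is relayed, or "ACK" when the proxy
        answers locally. Assumption: the proxy refreshes its server lease on the
        first client renew at or after its own T1."""
        if self.stale:
            return "NAK"
        if now - self.server_acked_at >= self.server_lease // 2:
            self.server_renews.append(now)
            self.server_acked_at = now
            return "FORWARD"
        self.local_acks.append(now)
        return "ACK"


def simulate_renews(client_lease, server_lease, horizon, stale_at=None):
    """Run the client's renew cycle (every client_lease/2) up to `horizon` and
    return the list of (time, outcome) events; optionally mark the binding
    stale at `stale_at` to show the NAK path."""
    binding = ProxyBinding(client_lease, server_lease)
    events = []
    t = client_lease // 2
    while t <= horizon:
        if stale_at is not None and t >= stale_at and not binding.stale:
            binding.mark_stale()
        events.append((t, binding.client_renew(t)))
        if events[-1][1] == "NAK":
            break   # client restarts with DISCOVER; a new binding/session follows
        t += client_lease // 2
    return events


def server_load(client_lease, server_lease, horizon):
    """Renew transactions the DHCP server sees with and without lease proxy.
    Without lease proxy every client renew (at client_lease/2) is relayed."""
    events = simulate_renews(client_lease, server_lease, horizon)
    with_proxy = sum(1 for _, e in events if e == "FORWARD")
    return {"with_proxy": with_proxy, "without_proxy": len(events)}


if __name__ == "__main__":
    # The numbers from the text: server lease 40 min, client lease 10 min, 40 min watched.
    for t, outcome in simulate_renews(600, 2400, 2400):
        print("%4d s  %s" % (t, outcome))
    print(server_load(600, 2400, 2400))
    print(simulate_renews(600, 2400, 2400, stale_at=1000))
```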

 

DHCP lease limits

Lease limit and Lease proxy for DHCP subscribers

 

Lease limit for a given proxy profile can be specified:

per remote-id:

dhcp ipv4
 profile dhcp-red proxy
  limit lease per-remote-id 1000

per circuit-id:

dhcp ipv4
 profile dhcp-green proxy
  limit lease per-circuit-id 1000

or per interface:

dhcp ipv4
 profile dhcp-blue proxy
  limit lease per-interface 1000

 

Note that per circuit-id and per remote-id options are confined to any given access interface. In other words, a per circuit-id limit on a given access interface doesn't affect or influence the circuit-id limit configured for any other access interface.

 

Lease proxy:

DHCP lease proxy is also known as DHCP split lease. With this implementation, the DHCP proxy, i.e. the BNG router, will renew the lease of the client without contacting the DHCP server. The configured lease proxy value is assumed to be lower than the server lease. The following terminology is used:

 

i) Client<->Proxy is the client lease

ii) Proxy<->Server is the proxy lease

 

ASR9K is the DHCP proxy

 

Lease proxy benefits include:

a) shorter client lease times and longer proxy lease

b) Proxy can respond faster to renews at the network edge

c) Reduces load on centralized DHCP servers for renewal processing

 

Configuration:

 

dhcp ipv4
 profile dhcp-red proxy
RP/0/RSP0/CPU0:BNG1(config-dhcpv4-proxy-profile)#lease proxy client-lease-time ?
  <300-4294967295>  Value of lease proxy client-time in seconds

dhcp ipv4
 profile dhcp-red proxy
  lease proxy client-lease-time 300

 

Example TAL (Transparent Autologon) use case 1

TAL, or transparent autologon, is one of the most commonly used access scenarios for IP sessions.

You can authenticate the user on MAC address or option 82 information. The following use cases show how to set that up with the ASR9000 BNG implementation.

[Figure: TAL use case 1 configuration]

 

Example TAL use case 2

[Figure: TAL use case 2 configuration]

IP sessions and security forwarding

When your access interface is configured for IP, it can by nature already forward IP. Traffic from a client that takes a static source IP can then be forwarded just fine, without a session.

This could be a security issue; this behaviour was implemented at the explicit request of some of our initial adopters of A9K BNG.

 

Downstream traffic can only flow on ambiguous VLANs when we have a session, since the mapping from destination IP to MAC and VLAN is only held by the DHCP binding. In unambiguous scenarios, we could technically send traffic down to the subscriber.

 

Upstream traffic can be restricted by using either:

  • uRPF
  • ACL

An ACL has a far smaller pps impact than uRPF.

Also, uRPF will not necessarily catch all issues, especially when a source IP is chosen in the same range as the unnumbered or designated address of this access interface.

     

    When you apply an ACL, make sure it allows DHCP to go through.

     

    Packet trigger or unclassified Source

This implementation allows IPoE subscribers to be established based on a received packet from an IP source on the access interface when the "unclassified source" initiator is enabled. Typically, the sessions will be restricted to packets originating from a particular network. Multiple matching criteria may be specified to match packets from discontiguous networks. In addition, the packets may be subject to RADIUS based AAA for a successful session bring-up. An access interface may be configured to support both DHCP and PKT triggered sessions.

In an ideal network, the subscriber would first send an ARP request to the access interface and, if the packet matching criteria are met, this in itself is a sufficient condition to bring up the IPoE session. However, if there is a burst of traffic with unique flows, this could overwhelm the BNG router in terms of processing each packet to determine if it is an IPoE (PKT) candidate. The software limits the number of in-flight requests to 200. In cases where traffic rates for IPoE-PKT sessions are high (>120 pps) and there are also parallel DHCP based session creations in progress, it may be desirable to configure a static policer on the line cards. Based on testing results, a policer rate of 200 per LC is shown to handle this stress condition satisfactorily.

     

    Configuration:

     

RP/0/RSP0/CPU0:BNG1#config
Wed Jun 13 14:20:40.883 PDT
RP/0/RSP0/CPU0:BNG1(config)#lpts punt police location 0/0/cpu0  protocol unclassified rsp rate 200

aaa attribute format ip-plus-mac
 format-string length 253 "%s:%s" addr client-mac-address
!

interface Bundle-Ether10.41
 ipv4 address 21.1.1.1 255.255.255.0
 service-policy type control subscriber ipsub_policy1
 encapsulation dot1q 30
 ipsubscriber ipv4 l2-connected
  initiator dhcp
  initiator unclassified-source
 !
!

policy-map type control subscriber ipsub_policy1
 event session-start match-first
  class type control subscriber class-dhcp do-all
   1 activate dynamic-template ipsub_template
   3 authorize aaa list default identifier circuit-id password dhcp123
   5 activate dynamic-template acct-default
  !
  class type control subscriber class-pkt do-until-failure
   1 activate dynamic-template ipsub_template
   3 authorize aaa list default format ip-plus-mac password abc123
   5 activate dynamic-template acct-default
  !
 !
 end-policy-map
!

class-map type control subscriber match-any class-pkt
 match source-address ipv4 192.1.0.0 255.255.0.0
 end-class-map
!

dynamic-template
 type ipsubscriber ipsub_template
  ipv4 unnumbered Loopback1
 !
!

     

     

     

Using Control Policies

    One integral part of the BNG solution in XR is the use of control policies.

With control policies you are able to manage the session's life as various events on the session are triggered.

    You can handle these events or ignore them depending on your configuration and deployment needs.

    User authentication/control

    One key action in the control policy is obviously the authentication.

    These can be executed via the command under the event/class:

     

    • 10 authorize aaa list default identifier source-address-mac password cisco
    • 10 authenticate aaa list default

     

Both of these will trigger a RADIUS Access-Request message, but the difference between the two is that with the authorize statement we compose the username ourselves regardless of what is received on the line, whereas the authenticate statement uses the PPP CHAP or PAP username and password received. The authenticate option for that reason only applies to PPP based sessions.

     

    You can define the username in the authorize statement either inline as per example above or you can construct the username via a "formatted" way:

     

[Figure: formatted username construction for the authorize action]

     

    Note that an authentication does NOT have to succeed in order for BNG to bring up the session.

    The activation of a dynamic template will create the subscriber interface regardless of the authentication result.

    A failed authentication will result in an unauthenticated state and you'll be able to apply HTTP-redirect or restricted access on the session.

     

     

    Nas identification

Source IP

By default the source IP is the address of the interface used to reach the radius-server. This default can be overridden:

     

    RP/0/RSP0/CPU0:A9K-BNG(config)#radius source-interface <interface name>

     

Or, with the default configuration:

     

RP/0/RSP0/CPU0:A9K-BNG#show run | i radius-server
Fri Mar 16 12:40:15.791 EDT
Building configuration...
radius-server host 3.0.0.38 auth-port 1645 acct-port 1646
radius-server attribute list LIST

RP/0/RSP0/CPU0:A9K-BNG#sh route 3.0.0.38
Routing entry for 3.0.0.0/8
  Known via "connected", distance 0, metric 0 (connected)
  Installed Feb 22 15:42:37.812 for 3w1d
  Routing Descriptor Blocks
    directly connected, via MgmtEth0/RSP0/CPU0/0
      Route metric is 0
  No advertising protos.

RP/0/RSP0/CPU0:A9K-BNG#sh run int mgmtEth 0/rsP0/CPU0/0
Fri Mar 16 12:40:26.121 EDT
interface MgmtEth0/RSP0/CPU0/0
 ipv4 address 3.0.0.233 255.0.0.0
!

RADIUS:
Thu Mar 15 11:55:12 2012: [18848] NAS-IP-Address = 3.0.0.233

     

    Nas-Port-ID

    Attribute 87 can be filled with the configuration like this:

     

aaa attribute format NAS-PORT-ID
 circuit-id plus remote-id
!
aaa radius attribute nas-port-id format NAS-PORT-ID

     

    Nas-ID

Attribute 32 is always the BNG's hostname and can only be changed by changing the router's hostname.

     

    Example:

     

RP/0/RSP0/CPU0:A9K-BNG#sh run | i host
hostname A9K-BNG

RADIUS:
Thu Mar 15 11:55:12 2012: [18848] NAS-Identifier = "A9K-BNG"

     

    Nas-PORT

Attribute 5 is computed very flexibly and can be configured per session type:

     

    aaa radius attribute nas-port format e <format> [type <0-44>]

     

Format (32 bits), entered as a string of letters, one per bit:
  0 : literal zero
  1 : literal one
  S : Slot
  A : Adapter
  P : Port
  V : (Outer) VLAN Id
  U : Session-Id
  Q : Inner VLAN Id

Example: "SSSSAAPPPPPVVVVVVVVVVVVVVVVVVVVV"

     

Type:
  ETHERNET            15
  PPPOEOE             32
  PPPOEOVLAN          33
  PPPOEOQINQ          34
  VIRTUAL_PPPOEOE     35
  VIRTUAL_PPPOEOVLAN  36
  VIRTUAL_PPPOEOQINQ  37

     

    If type is omitted it will apply and be used for any session without a more specific type definition.
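An added Python encoder/decoder (not Cisco's code) for this NAS-Port format string, using the example format above. It assumes the string is read left to right with the leftmost character as the most significant bit, and that each letter's positions are filled with that field's value most-significant-bit first; the field values used are constructed.

```python
# Constructed encoder/decoder for the 32-bit NAS-Port format string described
# above. Assumptions (not stated on the page): the string is read left to
# right, leftmost character = most significant bit; each letter's positions
# receive that field's value with its most significant bit first; '0' and '1'
# are literal bits. The field names below are our own labels for the letters.

FIELD_LETTERS = {
    "S": "slot",
    "A": "adapter",
    "P": "port",
    "V": "outer_vlan",
    "U": "session_id",
    "Q": "inner_vlan",
}

EXAMPLE_FORMAT = "SSSSAAPPPPPVVVVVVVVVVVVVVVVVVVVV"   # the format from the text


def field_widths(fmt):
    """Number of bit positions each letter occupies in the format string."""
    if len(fmt) != 32:
        raise ValueError("format must be exactly 32 characters, got %d" % len(fmt))
    widths = {}
    for ch in fmt:
        if ch in "01":
            continue
        if ch not in FIELD_LETTERS:
            raise ValueError("unknown format letter %r" % ch)
        widths[ch] = widths.get(ch, 0) + 1
    return widths


def pack_nas_port(fmt, **fields):
    """Build the NAS-Port integer from field values, e.g. slot=1, port=3, outer_vlan=50.
    Raises ValueError if a value does not fit in the bits its letter was given, or
    if a field is supplied that the format has no letter for."""
    widths = field_widths(fmt)
    unknown = set(fields) - {FIELD_LETTERS[l] for l in widths}
    if unknown:
        raise ValueError("fields not present in format: %s" % sorted(unknown))
    bit_iters = {}
    for letter, width in widths.items():
        name = FIELD_LETTERS[letter]
        value = fields.get(name, 0)
        if not 0 <= value < (1 << width):
            raise ValueError("%s=%d does not fit in %d bits" % (name, value, width))
        bit_iters[letter] = iter(format(value, "0%db" % width))
    bits = "".join(ch if ch in "01" else next(bit_iters[ch]) for ch in fmt)
    return int(bits, 2)


def unpack_nas_port(fmt, value):
    """Recover the field values from a NAS-Port integer seen in accounting records."""
    field_widths(fmt)                     # validates the format string
    result = {}
    for ch, bit in zip(fmt, format(value, "032b")):
        if ch in "01":
            continue
        name = FIELD_LETTERS[ch]
        result[name] = (result.get(name, 0) << 1) | int(bit)
    return result


if __name__ == "__main__":
    nas_port = pack_nas_port(EXAMPLE_FORMAT, slot=1, adapter=0, port=3, outer_vlan=50)
    print("NAS-Port =", nas_port, "=", format(nas_port, "032b"))
    print(unpack_nas_port(EXAMPLE_FORMAT, nas_port))
```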

     

    Control policy Events, Classes and Actions

     

The following picture shows how everything ties together in a control policy:

[Figure: how events, classes and actions tie together in a control policy]

     

The diagram below shows where the various events would be triggered for a PPPoE session.

Note that the session-activate event is only applicable to PPP sessions.

You need to make sure that the session-start event has a template defined with the LCP parameters which are used during LCP.

[Figure: events triggered during the life of a PPPoE session]

     

The power of the solution, amongst many other things, is the differentiation you can make between authentication failures and no response, so you can act upon a faulty username differently than upon a radius-server not responding.

     

    Failover for that reason can be embedded in the control policy like this:

     

event session-activate match-first
  class type control subscriber CLASS do-until-failure
   10 activate dynamic-template TPL
   20 authenticate aaa list default

     

event authentication-failure
   class ...
   10 "apply http redirect"

     

On authentication failure we can apply a layer 4 redirect service while keeping the session active.

     

event authentication-no-response
   10 authenticate aaa list failover-list

If there was no response from RADIUS, we can try a different radius-server list.

     

    Using Class-Maps

    The class map definition allows you to control how the event triggered is handled.

    Either the event is handled for the first class that is matched, or ALL classes for this event are evaluated as part of the event definition directive.

     

    Example:

class-map type control subscriber match-any IP_SUB
 match protocol dhcpv4
! The above would match specifically on IP subscribers only

class-map type control subscriber match-any PPP_SUB
 match protocol ppp
! This example would match specifically on PPP subscribers only

     

    Using these example classes allows you to have a single control policy that can handle events and use different actions per access category.

     

    Available Match Criteria:

    • Domain name: domain <string>
    • Protocol: protocol { dhcpv4 | ppp }
    • Source address: source-address { ipv4 | mac }
    • User name: username <string>
    • Authentication Status: authen-status { authenticated | unauthenticated }
    • To negate match criteria: not <>

     

    Available Match policies (as part of the class-map definition):

• match-any: match any of the match clauses
• match-all: match all of the match clauses

     

    If you only have 1 match clause in your class-map it obviously doesn't make a difference whether you choose match-all or match-any.

     

    Also the class-maps allow for very extensive control of the event handling whereby you can handle a particular event differently for an unauthenticated ppp subscriber vs an authenticated ip subscriber or any combination of that of course!

     

    Handling failed authentications

    When an authentication fails for a subscriber against radius, we can still bring the user up by activating a dynamic template.

    So the order of actions executed during an event is very important along with using do-until-success/failure etc.

     

    For instance the following actions:

event session-start do-all
 10 activate dynamic-template TPL
 20 authorize aaa list default mac-address password cisco

would bring up the subscriber even with failed authentication.

     

    In this example where the actions are effectively reversed:

event session-start do-until-failure
 10 authorize aaa list default mac-address password cisco
 20 activate dynamic-template TPL

would not bring up a user after authentication failure.

     

    Alternatively, you can pull in the event for authorization failure and disconnect the service like this:

event authorization-failure do-all
 10 disconnect

     

Or you can use the authorization failure to apply HTTP-Redirect and start a timer, effectively allowing the user to log in within that time before being disconnected.
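To show why action order and the do-all/do-until-failure mode matter, here is an added Python model (not the XR implementation) of the class-map and event semantics from the "Using Class-Maps" and "Handling failed authentications" sections: class-maps with match-any/match-all and not, match-first class evaluation, ordered actions, and an authorization-failure handler. AAA results are supplied by the caller and the session dictionary is a constructed stand-in.

```python
# Constructed mini-model of the control-policy semantics described in "Using
# Class-Maps" and "Handling failed authentications": class-maps with
# match-any/match-all clauses (optionally negated with "not"), an event that
# evaluates its classes match-first, and numbered actions run under
# do-all / do-until-failure / do-until-success. AAA outcomes are supplied by
# the caller in `aaa_results`, so nothing here talks to a RADIUS server.


def clause_matches(clause, session):
    """clause is (criterion, value) or ("not", clause); session is a dict of criteria."""
    criterion, value = clause
    if criterion == "not":
        return not clause_matches(value, session)
    return session.get(criterion) == value


def class_matches(class_map, session):
    """class_map = {"mode": "match-any" | "match-all", "clauses": [...]}"""
    results = [clause_matches(c, session) for c in class_map["clauses"]]
    if class_map["mode"] == "match-any":
        return any(results)
    if class_map["mode"] == "match-all":
        return all(results)
    raise ValueError("unknown match mode %r" % class_map["mode"])


def run_action(action, session, aaa_results):
    """Execute one (verb, argument) action; return True on success, False on failure."""
    verb, arg = action
    if verb == "activate":
        session.setdefault("templates", []).append(arg)
        session["up"] = True      # activating a template creates the subscriber interface
        return True
    if verb in ("authorize", "authenticate"):
        ok = aaa_results.get(verb) == "accept"
        session["authen-status"] = "authenticated" if ok else "unauthenticated"
        return ok
    if verb == "disconnect":
        session["up"] = False
        return True
    raise ValueError("unknown action %r" % verb)


def run_actions(actions, mode, session, aaa_results):
    """actions: list of (sequence_number, (verb, arg)), executed in sequence order."""
    for _, action in sorted(actions, key=lambda a: a[0]):
        ok = run_action(action, session, aaa_results)
        if mode == "do-until-failure" and not ok:
            break
        if mode == "do-until-success" and ok:
            break
    return session


def handle_event(policy, event, session, aaa_results):
    """policy[event] = {"match": "match-first" | "match-all",
                        "classes": [(class_map, mode, actions), ...]}"""
    ev = policy[event]
    for class_map, mode, actions in ev["classes"]:
        if class_matches(class_map, session):
            run_actions(actions, mode, session, aaa_results)
            if ev["match"] == "match-first":
                break
    # A failed authorize during session-start raises the authorization-failure event.
    if (event == "session-start" and session.get("authen-status") == "unauthenticated"
            and "authorization-failure" in policy):
        handle_event(policy, "authorization-failure", session, aaa_results)
    return session


ANY_SUB = {"mode": "match-any", "clauses": [("protocol", "dhcpv4"), ("protocol", "ppp")]}

# The two action orders compared in the text.
ACTIVATE_FIRST = [(10, ("activate", "TPL")), (20, ("authorize", "default"))]
AUTHORIZE_FIRST = [(10, ("authorize", "default")), (20, ("activate", "TPL"))]


def session_start(mode, ordered_actions, aaa_results, on_failure=None):
    """Bring up a constructed DHCP subscriber with the given action order and mode,
    optionally with actions for the authorization-failure event."""
    policy = {"session-start": {"match": "match-first",
                                "classes": [(ANY_SUB, mode, ordered_actions)]}}
    if on_failure is not None:
        policy["authorization-failure"] = {"match": "match-first",
                                           "classes": [(ANY_SUB, "do-all", on_failure)]}
    session = {"protocol": "dhcpv4", "up": False}
    return handle_event(policy, "session-start", session, aaa_results)


if __name__ == "__main__":
    reject = {"authorize": "reject"}
    print("do-all, activate first      :", session_start("do-all", ACTIVATE_FIRST, reject))
    print("do-until-failure, auth first:", session_start("do-until-failure", AUTHORIZE_FIRST, reject))
    print("disconnect on failure       :", session_start("do-all", ACTIVATE_FIRST, reject,
                                                         on_failure=[(10, ("disconnect", None))]))
```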

     

    Account Logon

If the user failed authentication and has a restricted access service applied, we can force the user to go to the web portal to provide credentials and try to log in again, pay their bill etc.

The model here is that the user goes to a web page to provide credentials, which are then sent via a CoA account-logon to the BNG.

The BNG will generate an Access-Request to authenticate using these credentials.

If it succeeds, new attributes can be sent in that Access-Accept to remove the restricted access or HTTP-R service.

[Figure: account logon flow via the web portal and CoA]

     

     

    How IP sessions /DHCP interact with AAA

[Figure: IP session / DHCP interaction with AAA]

     

     

     

     

     

    Address assignment options

    Obviously in order for a subscriber to have access to the network, an address has to be handed out. There are different options available for this that'll be listed out here.

    Local pools (PPPoE)

When you have PPPoE based sessions, the easiest implementation is to define a local pool from which the addresses are handed out to the subscriber during IPCP.

     

    The associated configuration is:

pool vrf default ipv4 POOL
 address-range 199.1.1.1 199.1.255.255

     

    Multiple ranges can be provided and addresses in that range can be excluded.

     

    Which can be monitored via this command:

RP/0/RSP0/CPU0:A9K-BNG#show pool ipv4

              Allocation Summary
---------------------------------------------------
Used: 1
Excl: 0
Free: 65278
Total: 65279
Utilization: 0%

  Pool         VRF      Used   Excl   Free   Total
----------  ----------  -----  -----  -----  -----
      POOL     default      1      0  65278  65279

     

The pool can be referenced directly on the dynamic template which is activated for the subscriber during its event handling in the control policy. This is the template that holds the base configuration for subscribers when it gets activated on the session:

dynamic-template
 type ppp TPL
  ppp authentication chap
  ppp ipcp dns 1.2.3.4 1.2.3.3
  ppp ipcp peer-address pool POOL
  ipv4 unnumbered Loopback1000

     

    This template can then be referenced in an event handling of the control policy as with this example:

     

policy-map type control subscriber sub
 event session-start match-first
  class type control subscriber CLASS do-until-failure
   10 activate dynamic-template TPL

     

    Alternatively the POOL can also be referenced via Radius Attributes during the Access-Accept as per following example:

     

• With a Cisco-Avpair:

user1@domain.com        Password = "cisco"
      Service-Type = Framed-User,
      Framed-Protocol = PPP,
      Cisco-avpair = "ipv4:addr-pool=POOL",

• Using an Ascend Attribute (number 218):

      Ascend-Assign-IP-Pool = POOL

• Using an IETF Attribute (number 88):

      Framed-Pool = POOL

• Alternatively, but uncontrolled, is the use of the Framed-IP-Address magic value 255.255.255.254, which instructs the NAS to do a "pool pick" from any available pool.

     

Using this method of locally defined pools on the BNG is by far preferred, because it allows us to create a summary route and advertise the pool as a whole. This significantly reduces the number of routing updates, but has the limitation that a full block is assigned to the BNG regardless of whether it needs it or not.

     

Pool advertisement

Pool advertisement can be done as follows.

    First define a summary route for the pool range:

     

router static
 address-family ipv4 unicast
  199.1.0.0/16 Null0

Next, inject that summary route into your IGP (e.g. OSPF) via a redistribution command:

router ospf CORE
 redistribute static

     

When users come online they will have a /32 in the routing table, which is then followed for forwarding rather than the summary route to Null0.

Another "disadvantage" of this methodology is that you'll be drawing all 199.1.x.x traffic to the BNG regardless of whether there is a session or not. However, the ingress LC's NPU will drop the packets in hardware in that case.

     

    Radius based pools (PPPoE)

    Instead of assigning a pool on the BNG, you can also outsource the pool management to a radius-server.

It is recommended to have the radius server select a pool per BNG device, in order to keep the model of summary advertisement.

    If the pool attributes are distributed between different BNG's, you're required to inject the /32's which will put unnecessary burden on your IGP.

    In this case you probably want to consider STUB areas to keep the /32's only floating in your OSPF STUB area and summarize them at the area border.

     

    Radius based pools rely on the accounting mechanism from AAA to learn whether addresses are in use or not.

    This requires a strong Accounting back end on the radius-server and obviously proper delivery of your AAA records.

     

    Don't implement radius pools without AAA System accounting.

     

    Static address assignment (PPPoE/IPoE)

This most of the time requires you to inject /32s into the IGP for proper routing, unless they are part of a summary.

    The way to achieve this is via the radius attribute Framed-IP-Address (IETF number 8).

     

    IP sessions

    IP sessions address assignment is done via a DHCP Server. IOS-XR release 4.3.0 will come with an on board dhcp server.

In today's model the DHCP server is responsible for handing out addresses, which are picked based on the "giAddr" field in the DHCP discover, which is filled in by the DHCP proxy component of the ASR9000.

    Static addresses are defined within the dhcp server.

     

Advertisement is simpler here, since the unnumbered interface of the subscriber session provides the subnet it is serving; including this unnumbered interface in your IGP takes care of proper routing:

     

In this example the DHCP server is 81.1.1.2, and the giaddr used for pool selection is set per class (the giaddr value on each helper-address line) to instruct the DHCP server which pool to pick an address from. The giaddr selection here is based on DHCP option 60 (vendor class), matched against a hex string: 68656C6C6F is "hello", 4861726450686F6E6531 is "HardPhone1" and 4861726450686F6E6532 is "HardPhone2" in ASCII.

     

    dhcp ipv4

    profile AutoSelectGiaddr proxy

      class MATCHALL

       match option 60 hex 68656C6C6F mask 0

       helper-address vrf default 81.1.1.2 giaddr 10.1.1.254

      !

      class HardPhone1

       match option 60 hex 4861726450686F6E6531 mask 0

       helper-address vrf default 81.1.1.2 giaddr 10.1.1.254

      !

      class HardPhone2

       match option 60 hex 4861726450686F6E6532 mask 0

       helper-address vrf default 81.1.1.2 giaddr 172.28.15.254

      !

      relay information option

      relay information policy replace

      relay information option remote-id testme

      relay information option allow-untrusted

    !

    interface Bundle-Ether100.2 proxy profile AutoSelectGiaddr

     

Combined with the following template configuration, the subscriber is unnumbered to Loopback12:

     

    dynamic-template

    type ipsubscriber IPSUB

      ipv4 unnumbered Loopback12

     

Loopback12 has an address in the same subnet as the giaddr (the pool range), and the DHCP server should set the default-router option (option 3) to this address.

     

    RP/0/RSP0/CPU0:A9K-BNG#sh run int lo12

    Fri Mar 16 10:52:33.265 EDT

    interface Loopback12

    ipv4 address 172.28.15.254 255.255.255.0

     

Including Loopback12 (passively) in your IGP provides proper downstream routing.

 

More information on the DHCP configlet is in the BNG training guide.
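To make the pool-selection logic above concrete, here is an added Python example; it is not code from this page or from Cisco. It decodes the option 60 hex patterns of the proxy profile, picks the giaddr for a Discover's vendor class in first-match order, maps that giaddr to the loopback the sessions must be unnumbered to (Loopback11 10.1.1.254/24 and Loopback12 172.28.15.254/24 are taken from this page), and checks that every giaddr in the profile actually lies on such a loopback. "mask 0" is modelled as an exact match, which is an assumption; a "prefix" match kind is included to illustrate matching on leading characters. The point to take from it: option 60 is filled in by the client, so a CPE that sends the HardPhone2 vendor class lands in the 172.28.15.0/24 pool whatever it really is. Pool selection by option 60 is a convenience for steering address assignment, not an authorization control.

```python
import ipaddress

# Constructed from the dhcp ipv4 proxy profile shown on this page:
# (class name, option-60 hex pattern, match kind, giaddr).
# "exact" stands in for the profile's "mask 0" (an assumption);
# "prefix" models matching on leading characters only.
PROFILE_CLASSES = [
    ("MATCHALL",   "68656C6C6F",           "exact", "10.1.1.254"),
    ("HardPhone1", "4861726450686F6E6531", "exact", "10.1.1.254"),
    ("HardPhone2", "4861726450686F6E6532", "exact", "172.28.15.254"),
]

# Loopbacks the subscriber sessions are unnumbered to (values from this page).
LOOPBACKS = {
    "Loopback11": ipaddress.ip_interface("10.1.1.254/24"),
    "Loopback12": ipaddress.ip_interface("172.28.15.254/24"),
}


def decode_pattern(hex_pattern):
    """Turn the profile's hex string into the bytes option 60 must carry."""
    return bytes.fromhex(hex_pattern)


def class_matches(vendor_class, hex_pattern, kind):
    """Compare a Discover's option 60 value against one class pattern."""
    pattern = decode_pattern(hex_pattern)
    if kind == "exact":
        return vendor_class == pattern
    if kind == "prefix":
        return vendor_class.startswith(pattern)
    raise ValueError("unknown match kind: %s" % kind)


def select_giaddr(vendor_class, classes=PROFILE_CLASSES):
    """Return (class name, giaddr) for the first matching class, mirroring the
    profile's first-match evaluation; None when no class matches, in which
    case this profile does not relay the Discover."""
    for name, hex_pattern, kind, giaddr in classes:
        if class_matches(vendor_class, hex_pattern, kind):
            return name, giaddr
    return None


def loopback_for_giaddr(giaddr, loopbacks=LOOPBACKS):
    """Find the loopback whose subnet contains the giaddr. That loopback is the
    one the resulting sessions must be unnumbered to: it becomes their
    default gateway, so the DHCP server's router option must carry it."""
    addr = ipaddress.ip_address(giaddr)
    for name, intf in loopbacks.items():
        if addr in intf.network:
            return name
    return None


def check_profile(classes=PROFILE_CLASSES, loopbacks=LOOPBACKS):
    """Consistency check: every giaddr must be a routable BNG address on a
    loopback subnet, otherwise the server's Offer has nowhere to go and the
    session has no gateway. Returns the offending (class, giaddr) pairs."""
    return [(name, giaddr) for name, _, _, giaddr in classes
            if loopback_for_giaddr(giaddr, loopbacks) is None]


if __name__ == "__main__":
    # Constructed Discovers: a real phone, and a CPE that merely claims to be
    # one. Both get the 172.28.15.0/24 pool because option 60 is client-chosen.
    for vendor_class in (b"hello", b"HardPhone1", b"HardPhone2", b"Something-else"):
        chosen = select_giaddr(vendor_class)
        loop = loopback_for_giaddr(chosen[1]) if chosen else None
        print(vendor_class, "->", chosen, "unnumbered to", loop)
    print("profile issues:", check_profile())
```

Run it as-is to see the mapping; swap a giaddr in PROFILE_CLASSES for one that is on no loopback and check_profile() reports it, which is the misconfiguration that shows up in the field as Discovers relayed but no Offer ever reaching the client.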

     

    Applying configuration to a subscriber

Configuration can be applied to a subscriber via three methods, listed in order of precedence from lowest to highest:

1. Dynamic template
2. RADIUS Access-Accept (also known as policy PULL)
3. CoA (also known as policy PUSH)

 

This means that local template configuration can be overridden by RADIUS, which in turn can be overridden by CoA.

     

Here are a few examples of how to map a CLI configuration to a RADIUS attribute; full documentation is available in the XR configuration guide.

     

[figures: CLI-to-RADIUS attribute mapping examples, images not included]

     

     

     

    PPP timer configuration

It is very important for any BNG implementation to properly define your PPP timer configuration, to make sure that sessions establish also under load, that we are not prematurely timing out, and that we are not still working on establishment while the peer has already given up.

     

    The picture below shows the different stages of PPP and which timers apply that need evaluation.

     

[figure: PPP stages (LCP, authentication, IPCP) and the timers that apply to each, image not included]

     

    The referenced timers can be configured on the dynamic template for PPP subscribers:

     

dynamic-template type ppp <tmpl_name>
     ppp max-configure <#>
     ppp max-failure <#>
     ppp timeout retry <sec>

     ppp lcp delay <sec>
     ppp lcp renegotiation ignore
     ppp authentication { pap | chap | ms-chap }
     keepalives { disable | <sec> }

     ppp max-bad-auth <#>
     ppp timeout authentication <sec>

     ppp ipcp peer-address pool <poolname>
     ppp ipcp mask <mask>
     ppp ipcp { dns | wins } <server ip>
     ppp ipcp renegotiation ignore

     ipv4 unnumbered <interface>

     

     

    Quality of Service

QOS can be applied to the session via static configuration in the dynamic template, or the policy-map name can be referenced via Cisco AVPs in a RADIUS Access-Accept or CoA request.

This requires the policy-map to be present in the XR configuration.

 

QOS can be applied at the port level, the VLAN level (subinterface) and the session level, with classes within the session policy, in a hierarchical manner.

These constitute the 4 layers of QOS.

     

The following picture shows the basics of the 4-layer QOS:

[figure: 4-layer QOS basics (port, VLAN, session, class), image not included]

Which is further expanded on in this picture:

[figure: 4-layer QOS detail, image not included]

     

     

    Parameterized QOS

Parameterized QOS is a very powerful option in ASR9000 BNG. It allows you to construct the policy-map and its values from the AAA server.

pQOS only requires the class-map definitions to be present in the XR configuration.

 

You can set up hierarchical policy-maps without a problem using pQOS.

 

Note however that if you have assigned a static policy-map, via configuration in the dynamic template or from RADIUS, you cannot override or modify it with pQOS. If you want to use pQOS, the initial policy-map needs to be applied via pQOS as well.

 

You can modify pQOS policies on a per-class basis and, while the session is active, add or remove classes dynamically as you go.

To see pQOS in action and its benefits, see the BNG demo video on YouTube.

     

    VSA definition

Understanding the format of the Vendor Specific Attribute for Parameterized QOS (pQOS):

VSA(9-1) "qos-policy-in:add-class(<target-specifier>,(<class-list>),<qos-action-params>)"

VSA 9,1 is Cisco-AVPair (vendor ID 9, vendor type 1). qos-policy-in addresses the ingress policy, qos-policy-out the egress policy.

TARGET:

sub - the QoS policy attached to the subscriber session. This implies that the CoA/Access-Accept target must be a subscriber session.

CLASS:

(class-default)

This example identifies the class "class-default" on the parent policy.

(class-default,voip)

This example identifies a leaf class "voip". This class will be added to or removed from a nested child policy specified under the class "class-default" of the policy attached to the target.

(class-default,voip-aggregate,voip-1)

This example specifies a leaf class "voip-1". This class will be added to or removed from a nested child policy specified under the class "voip-aggregate" of the policy which is in turn nested under "class-default" of the policy attached to the target.

     

ACTIONS:

See the next section on how to map IOS-XR MQC (Modular QoS CLI) actions to the parameterized QOS equivalent.

Supported pQOS actions:

[table of supported pQOS actions, image not included]

    Examples

Policing

CLI equivalent: police rate <CIR> burst <CBS> peak-rate <PIR> peak-burst <PBS>, with conform-action <action>, exceed-action <action> and violate-action <action>

pQOS form: police(CIR,CBS,PIR,PBS,conform-action,exceed-action,violate-action)

VSA value: qos-policy-in:add-class(sub,(voip),police(200000,9216,0,0,transmit,drop,drop))

 

Shaping

CLI equivalent: shape average <shape-rate>

VSA value: qos-policy-out:add-class(sub,(class-default),shape(14700))
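The VSA grammar above is easy to get subtly wrong when a provisioning system assembles it from templates, so here is an added Python example (not code from this page or from Cisco) that builds the Cisco-AVPair value for a class operation and parses it back, refusing anything outside the grammar. It reproduces both VSA values shown above and the nested class path (class-default,voip-aggregate,voip-1). The "remove-class" keyword is an assumption made for the remove case the page describes only in prose; "add-class", "sub", the direction prefixes and the police/shape parameter order are as the page documents them.

```python
import re

# Direction prefixes exactly as shown on this page.
POLICY_PREFIX = {"in": "qos-policy-in", "out": "qos-policy-out"}
# "add-class" is the keyword the page shows; "remove-class" is assumed here
# for the remove case the page describes only in prose.
OPERATIONS = ("add-class", "remove-class")
TARGET = "sub"  # the only target specifier the page documents

_CLASS_NAME = re.compile(r"[\w-]+")
_ACTION_RE = re.compile(r"([A-Za-z][\w-]*)\(([^()]*)\)")
_VSA_RE = re.compile(
    r"^(qos-policy-(?:in|out)):(add-class|remove-class)"
    r"\((\w+),\(([^()]*)\)(?:,(.*))?\)$"
)


def police(cir, cbs, pir=0, pbs=0, conform="transmit", exceed="drop", violate="drop"):
    """Police action in the page's parameter order:
    police(CIR,CBS,PIR,PBS,conform-action,exceed-action,violate-action)."""
    if cir <= 0 or (pir and pir < cir):
        raise ValueError("CIR must be positive; PIR must be 0 or >= CIR")
    return ("police", [str(cir), str(cbs), str(pir), str(pbs), conform, exceed, violate])


def shape(rate):
    """Shape action: shape(<rate>)."""
    return ("shape", [str(rate)])


def build_vsa(direction, class_path, actions, operation="add-class"):
    """Render one Cisco-AVPair value. class_path is the nesting from the parent
    policy down to the leaf, e.g. ("class-default", "voip-aggregate", "voip-1");
    actions is a list of (name, [args]) as returned by police() / shape()."""
    if operation not in OPERATIONS:
        raise ValueError("unknown operation %r" % operation)
    if not class_path:
        raise ValueError("class_path must name at least the parent class")
    for name in class_path:
        if not _CLASS_NAME.fullmatch(name):  # keeps commas and parens out of the grammar
            raise ValueError("bad class name %r" % name)
    rendered = "".join(",%s(%s)" % (n, ",".join(a)) for n, a in actions)
    return "%s:%s(%s,(%s)%s)" % (POLICY_PREFIX[direction], operation, TARGET,
                                 ",".join(class_path), rendered)


def parse_vsa(value):
    """Inverse of build_vsa. Raises ValueError for anything outside the grammar,
    which is what a receiver should do rather than guess at intent."""
    m = _VSA_RE.match(value)
    if not m:
        raise ValueError("not a pQOS class operation: %r" % value)
    prefix, operation, target, classes, action_text = m.groups()
    action_text = action_text or ""
    actions = [(n, args.split(",") if args else [])
               for n, args in _ACTION_RE.findall(action_text)]
    # Every character of the action list must belong to a well-formed name(...) term.
    if _ACTION_RE.sub("", action_text).strip(",") != "":
        raise ValueError("malformed action list: %r" % action_text)
    return {
        "direction": "in" if prefix.endswith("-in") else "out",
        "operation": operation,
        "target": target,
        "class_path": tuple(classes.split(",")),
        "actions": actions,
    }


if __name__ == "__main__":
    # Both examples from this page, rebuilt and round-tripped.
    for vsa in (build_vsa("in", ("voip",), [police(200000, 9216)]),
                build_vsa("out", ("class-default",), [shape(14700)]),
                build_vsa("out", ("class-default", "voip-aggregate", "voip-1"), [shape(512)])):
        print(vsa)
        print("  ->", parse_vsa(vsa))
```

The value this returns goes into a Cisco-AVPair (VSA 9,1) in an Access-Accept or CoA-Request; the class-name check is what keeps a subscriber-derived string (for instance a service name taken from a portal form) from injecting extra commas or parentheses into the grammar.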

     

     

     

    For complete COA examples check the Change of Authorization document

     

     

    Multicast and video distribution

     

    Coming soon!!

     

     

    Call Admission Control

Unlike IOS, ASR9000/XR BNG has no explicit call admission control configuration, as that is natively built into the system.

When resources run low, or the system experiences internal back pressure that slows responses to function calls, the number of in-flight sessions increases, and session initiation is then throttled back down at the access interface.

 

Usually you will want to control the number of in-flight sessions yourself, so that you can streamline the number of RADIUS Access-Requests sent to the RADIUS server.

     

The way to monitor and control in-flight sessions is via this command:

 

RP/0/RSP0/CPU0:A9K-BNG#show pppoe summary total location 0/RSP0/CPU0

    ....<output omitted>...

    ==============================

    Flow Control

    ==============================

    Limit                    2000

    In Flight                   0

    Dropped                     0

    Disconnected                1

    Successful                  9

     

Limit is the number of in-flight sessions you want to allow on a per-node basis. A node constitutes a PPPoE processing entity, which is either the LC for physical-interface-based sessions or the RSP when using bundle interfaces. This number is configurable via the following command:

    RP/0/RSP0/CPU0:A9K-BNG(config)#pppoe in-flight-window 2000

     

In Flight is the number of sessions we are currently handling that have not fully established yet. A session counts as fully established when the session control entity signals that the subscriber interface is up and forwarding.

 

Dropped is the number of sessions dropped because the in-flight session count exceeded the Limit.

 

Disconnected is how many sessions have been disconnected for normal reasons, e.g. the client sent a PADT.

 

Successful is the number of sessions successfully established over time on this node.

     

     

    AAA

    Throttling

This feature supports throttling of access (authentication and authorization) and accounting requests sent to the RADIUS server. The throttling rate can be configured separately for access and accounting requests. When the threshold is reached for a server, no more requests of that type are sent. A retransmit timer is started when the threshold limit is reached. After the retransmit timer expires, the queue is checked to see whether the number of outstanding requests is below the configured limit; if so, the request is sent out to the RADIUS server.

 

AAA throttling can be configured globally or at the server-group level. Throttling configured for the server group takes precedence.

     

Configuration:

radius-server throttle access 100 access-timeout 3 accounting 150
aaa group server radius my-grp
 server 1.74.11.103 auth-port 1812 acct-port 1813
 server 1.76.30.103 auth-port 1812 acct-port 1813
 throttle access 200 access-timeout 3 accounting 120
!

     

    Subscriber Services

Services constitute a set of features under a common umbrella; these features are enabled together, constituting the service definition.

 

For instance, you can allow or deny users access to parts of the network, or modify their QOS parameters.

 

Services are defined via the dynamic template in IOS-XR.

     

     

    dynamic-template type { ppp | ipsubscriber | service } <tmpl_name>

         <attribute-list>

     

There are 3 types of templates:

ppp: for configuration on PPP sessions (both PTA and LAC)

ipsubscriber: for configuration on IPoE sessions

service: contains configuration commands for all types of sessions

Dynamic templates allow for inline modifications: changes take effect immediately on all sessions using the template, with the exception of immutable configuration options (e.g. the session IP address).

     

    The following is an example of a service definition:

     

    dynamic-template

    type service SERVICE_1

      service-policy output testme

      ipv4 access-group lab-video ingress

     

The following set describes a few RADIUS/CoA attribute templates to activate or deactivate services on a subscriber.

Operation            RADIUS attributes set to achieve that operation
-------------------  --------------------------------------------------------------
Account Logon        attribute 44 "<string>"
                     attribute 1 "<username>"
                     Cisco-avpair = "subscriber:password=<subscriber password>"
                     Cisco-avpair = "subscriber:command=account-logon"
Account Logoff       attribute 44 "<string>"
                     Cisco-avpair = "subscriber:command=account-logoff"
Account Update       attribute 44 "<string>"
                     Cisco-avpair = "subscriber:command=account-update"
                     <radius attributes to set/update>
Service Activate     attribute 44 "<string>"
                     Cisco-avpair = "subscriber:command=activate-service"
                     Cisco-avpair = "subscriber:service-name=<service-name>"
Service De-activate  attribute 44 "<string>"
                     Cisco-avpair = "subscriber:command=deactivate-service"
                     Cisco-avpair = "subscriber:service-name=<service-name>"

     

Attribute 44, the Accounting-Session-Id, is always used as the key for the fastest lookup of the subscriber session.

The subscriber password is a specially encoded string: a seed authenticator is provided together with the MD5-hashed password computed over that seed.

A CoA tool is available on the forum for Windows, Mac OS X and Linux.
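As an added example, and not the forum's CoA tool or Cisco code, the following Python builds the Service Activate row of the table above as an on-the-wire RADIUS CoA-Request (RFC 5176), computes and verifies the Request Authenticator and the Response Authenticator of the matching CoA-ACK, and decodes the Cisco-AVPairs back out of the packet. The shared secret, the identifier and the Accounting-Session-Id 00000064 are constructed sample values. The check a practitioner wants is in verify_request and verify_response: the MD5 authenticator keyed with the shared secret is the only integrity protection the CoA channel has, so the BNG must reject a request that fails it, and the sender must bind each ACK/NAK to the identifier and authenticator of the request it actually sent.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes from RFC 5176 (CoA) and attribute numbers from RFC 2865/2866.
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_ACCT_SESSION_ID = 44
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9      # VSA 9,1 = Cisco-AVPair, as this page notes
CISCO_AVPAIR = 1


def attribute(attr_type, value):
    """One RADIUS AVP: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific(26) carrying Vendor-Id 9 and vendor type 1 (Cisco-AVPair)."""
    payload = text.encode("ascii")
    inner = struct.pack("!BB", CISCO_AVPAIR, len(payload) + 2) + payload
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_request(code, identifier, attrs, secret):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets +
    Attributes + Secret), the RFC 2866 rule that RFC 5176 reuses for CoA."""
    length = 20 + len(attrs)
    if length > 4096:
        raise ValueError("packet too long")
    header = struct.pack("!BBH", code, identifier, length)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(packet, secret):
    """Recompute the Request Authenticator; a BNG drops requests that fail this."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def build_response(code, request, attrs, secret):
    """CoA-ACK/NAK: Response Authenticator = MD5(Code + ID + Length +
    RequestAuthenticator + Attributes + Secret); the ID is copied from the request."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(response, request, secret):
    """Bind the reply to the request we sent: same identifier, and a digest
    computed over our own Request Authenticator with the shared secret."""
    header, auth, attrs = response[:4], response[4:20], response[20:]
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def parse_attributes(packet):
    """Walk the AVPs; Cisco-AVPairs come back as ("Cisco-AVPair", text)."""
    out, i = [], 20
    while i < len(packet):
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > len(packet):
            raise ValueError("truncated attribute")
        v = packet[i + 2:i + l]
        if (t == ATTR_VENDOR_SPECIFIC and len(v) >= 6
                and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID and v[4] == CISCO_AVPAIR):
            out.append(("Cisco-AVPair", v[6:6 + v[5] - 2].decode("ascii")))
        else:
            out.append((t, v))
        i += l
    return out


def subscriber_command(session_id, command, secret, extra=(), identifier=None):
    """Generic row of the table above: attribute 44 plus subscriber:command=...
    plus any further Cisco-AVPairs (e.g. subscriber:service-name=...)."""
    if identifier is None:
        identifier = os.urandom(1)[0]
    attrs = attribute(ATTR_ACCT_SESSION_ID, session_id.encode("ascii"))
    attrs += cisco_avpair("subscriber:command=%s" % command)
    for avpair in extra:
        attrs += cisco_avpair(avpair)
    return build_request(COA_REQUEST, identifier, attrs, secret)


def service_activate(session_id, service_name, secret, identifier=None):
    """The Service Activate operation as a CoA-Request."""
    return subscriber_command(session_id, "activate-service", secret,
                              ["subscriber:service-name=%s" % service_name], identifier)


if __name__ == "__main__":
    secret = b"s3cret"                       # constructed sample secret
    req = service_activate("00000064", "L3R", secret)
    print(len(req), "bytes, valid:", verify_request(req, secret), parse_attributes(req))
    ack = build_response(COA_ACK, req, b"", secret)
    print("ACK bound to request:", verify_response(ack, req, secret))
```

Sending is a plain UDP datagram to the BNG's CoA port; nothing in the packet is encrypted, so the shared secret and a source-address filter on the BNG are the whole of the trust model, which is why a portal that issues CoA should sit on a management network rather than the subscriber side.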

     

    Redundancy and fan out

Redundancy is obviously very important these days, and while IOS-XR supports process restarts and survives process crashes without affecting subscribers, there are additional options available to increase your density and protect against failures.

     

    Cluster and Satellite are part of the ASR9000's nV concept (Network Virtualization).

    Cluster

Cluster is the concept of binding two physical chassis together into one logical unit. The control plane is extended via the RSP's on-board 1G or 10G interfaces, while the data plane is extended via one or more physical interfaces on the linecards.

 

So when building a bundle from the access side, if you connect the members to each individual chassis you get an active/active bundle with failover between chassis.

 

The physical ASR9000s also don't need to be in the same location; only the control-plane extension needs minimum latency (roughly under 20 msec).

     

[figures: nV cluster control-plane and data-plane extension, images not included]

     

    Satellite

Allows for port extension into a simple 1RU chassis with a large 1G port fan-out.

The Satellite connects via one or multiple 10G uplinks to the ASR9000 host.

You can statically pin ports to an uplink, or share an uplink via a bundle among multiple ports.

Satellite interfaces appear in the ASR9000 configuration as if they were physically on the ASR9000.

     

     

    Satellite interconnection options:

[figure: satellite interconnection options, image not included]

     

    Configuration example:

     

nv
 satellite 100                  <-- define satellite ID
  description my lovely satellite
  type asr9000v
 !
 satellite 101                  <-- define satellite
  description your lovely satellite
  type asr9000v
 !
!

interface TenGigE0/2/0/2
 nv
  satellite-fabric-link satellite 100
   remote-ports GigabitEthernet 0/0/0-9
  !
 !
!

interface Bundle-Ether10
 nv
  satellite-fabric-link satellite 101
   remote-ports GigabitEthernet 0/0/10-19
  !
 !
!

     

    On top of these bundle interfaces you can enable BNG.

     

     

    Cluster and Satellite together

     

[figure: cluster and satellite combined, image not included]

     

    Wholesale Models

Most of this document has been talking about locally terminating the subscribers on the BNG for regular access. Obviously there are deployment models whereby a provider may want to provide only the initial termination, on behalf of a wholesale provider.

     

    Per access technology there are different options available.

     

[figure: wholesale options per access technology, image not included]

     

    PPP

    PPP sessions can either be locally terminated, also known as PTA, or forwarded to the wholesale provider with 2 main options:

    • L2TP tunneling
    • RAMPLS

     

    IP sessions

IP sessions only have one option for wholesaling, which is placing the subscribers in a VRF and using MPLS VPN to transport the data traffic to the wholesale provider.

RAMPLS

RAMPLS (Remote Access into MPLS-VPN) is the concept of terminating the subscriber sessions locally on the BNG and placing them in a specific VRF. This VRF is a separate routing context, and MPLS-VPN is used to transport the user's traffic to the wholesale provider.

L2TP

Layer 2 Tunnelling Protocol (L2TP) is the concept of transporting the PPP session over to the wholesale provider's LNS.

The ASR9000 can only function as a LAC, which basically means that after authentication we create a tunnel, or insert the user into an existing tunnel, over to the LNS.

    Doubledip

L2TP has the key advantage that the subscriber's PPP session is sent over to the LNS, which allows the LNS to have full control over the PPP session, including authentication.

RAMPLS doesn't have such an option, as the only authentication stage is done once, on the BNG.

The concept of "double dip" is a powerful extension that allows you to use a local RADIUS server on the BNG and then contact the wholesale provider's AAA server and merge the profiles together:

     

[figure: double-dip AAA flow between the BNG's local RADIUS server and the wholesale provider's AAA server, image not included]

     

On the ASR9000 BNG you can filter the attributes returned by the retailer's server, to make sure that they don't override, for instance, the user's VRF:

     

radius-server attribute list RETAILER_X_ATTR_LIST
 attribute <accepted or rejected attribute-list>
!
aaa group server radius RETAILER_X_SG
 authorization reply { accept | reject } RETAILER_X_ATTR_LIST
 vrf RETAILER_X_VRF
 server-private 10.10.10.100 auth-port 1645 acct-port 1646
!

     

The referenced server group can then be used in a control policy as an additional authenticate/authorize action, for instance under the session-start event.

     

     

    Related Information

     

Special thanks to Sabrina Pittarel for some of the great visualizations seen in this document,

and to Nanjangud Sreekanta Prasad for providing the packet trigger and DHCP lease limit sections.

     

     

     

    Xander Thuijs, CCIE #6775

    Sr. Tech Lead ASR9000


    Comments

    harindhafdo Wed, 06/13/2012 - 22:57

    Hi Xander,

    I have few Questions on IPoE method.

1. As per the documents it seems DHCP clients should be Layer 2 connected to the BNG, which requires adopting a distributed BNG model. But I want to check how we can have a centralized BNG and bring the DHCP Discover through Layer 3 by having a DHCP relay agent at the PEs.

    2. How do we optimize the IP address usage with distributed BNG model ?

    3. Can we offer /32 host IP addresses for DHCP clients in the present DHCP based BNG model ? if yes, how ?

    Rgds

    Harin

    xthuijs Thu, 06/14/2012 - 07:01 (reply to harindhafdo)

    Harin:

Question 1: correct, we only have L2-connected subscribers today. L3-connected are in the planning. We are also working on PW-HE to allow for centralized. Since we "key" on MAC, the MAC needs to be unique, i.e. we need to see the subscriber's MAC.

Question 2: you have a few options here, including NAT/CGN (via the ISM module); we can also do dual-stack sessions in XR 4.3 (end of this year), and the DHCP proxy configuration is very flexible, where you can do pool selection based on giaddr and unnumber your subscriber to a loopback carrying that subnet. So you can "grow" your pools by adding more subnets to the server and adding a loopback on your BNG. It is not as flexible as ODAP used to be, but it is definitely operational.

Question 3: can't do /32s. DHCP sessions are not p2p as PPP sessions are.

Second note, question 1: theoretically the 24x10 or any Typhoon-based LC will work (with the exception of the 100G cards, which have dedicated NPs per direction). However, due to test constraints we haven't fully qualified the 24x10 as an access card. Though I can tell you from personal experience it just works fine.

    Note however that you are limited to a number of subscribers to NP and card, similar as the MOD80.

    regards and thanks for your interest!

    xander

    daga Wed, 06/27/2012 - 06:06 (reply to xthuijs)

    Actually 24 port 10GE is also fully qualified.  Agree with Xander that any other Typhoon LC will work as well.

    thanks,

    -daga.

    harindhafdo Thu, 06/14/2012 - 00:59

    Hi Xander,

Can't we use the 24x10GE SE module as a client-facing module for BNG with IOS-XR 4.2.1? What if I have MOD80 as uplinks and 24x10GE SE as downlinks with BNG licenses? Will this work?

    Rgds

    Harin

    gogie Wed, 11/14/2012 - 05:49

We are going to implement 1:1 VLAN in metro access, and bring these VLANs as QinQ to the ASR9k BNG on an ambiguous VLAN interface. Inner tag meaning DSLAM port, and outer tag meaning DSLAM. We want FSOL to be unclassified MAC, and to have an IPv4 AND IPv6 dual-stack session (looks like it should be possible from what we see about the 4.3.0 roadmap for BNG in a public presentation).

We want to know if it is possible to send the inner and outer VLAN tags of the FSOL unclassified MAC to RADIUS as username. We see additional options: ...outer-vlan-id, inner-vlan-id in the user authentication/control picture, but cannot find these options in the command reference for 4.2.x.

This is critical, because our access equipment (DSLAMs) won't be able to insert a DHCP opt82 equivalent for IPv6, and we don't want to authorize subscribers' MACs as they can be changing often.

Can you please confirm that outer-vlan-id, inner-vlan-id are indeed there, and that 1:1 VLAN with ambiguous does indeed make sense for dual-stack in 4.3.0?

    xthuijs Wed, 11/14/2012 - 06:00 (reply to gogie)

    Yes you can do that:

    aaa attribute format USERNAME_FORMAT_SUPER_FLEXIBLE

    format-string "%s*%s-mystring" ?

    ...

      inner-vlan-id            Inner VLAN ID needed to form NAS Port

      outer-vlan-id            Outer VLAN ID needed to form NAS Port

    ...

    Note however that the 2 stacks are not authenticated independently.

    once the first AF comes up, radius is consulted, and will provide all the data for both stacks back.

    Then when the 2nd AF comes up, the previous (unused) author data will get applied/used.

    xander

    gogie Wed, 11/14/2012 - 06:12

    Thanks.

For 2 stacks, I assume that BNG will key on MAC, and if say IPv4 came first, its (s-vlan;c-vlan) was authorized, and subsequent traffic from that MAC, no matter IPv4 or IPv6, is treated as a single session, is that correct?

If so, it also automatically applies to all the traffic from the IPv6 prefix delegated to the customer, right?

Also, does 9k have something similar (or better) to IP Subnet Session on 1k or SIP-400?

    xthuijs Wed, 11/14/2012 - 06:22 (reply to gogie)

    correct: MAC is the primary key.

    9k currently doesn't support L3 connected subs.

    xander

    gogie Wed, 11/14/2012 - 06:32

Although L3-connected subs are very desirable, the question with Subnet Sessions was about session grouping. Say I want traffic from two MACs on the same ambiguous QinQ interface (or IP subnet, or group of IPs defined by ACL) to be treated as a single session. Is it possible?

    rakeshsekhar Wed, 01/16/2013 - 11:26

    Hi Xander,

I would like to clarify my doubts. When we apply "aaa accounting commands default start-stop group radius", the router will start to send records to the RADIUS server for billing purposes. For creating records based on each service, can we use "radius-server attribute list RETAILER_X_ATTR_LIST"? How will the router create those records for different services? Should we apply something on the interfaces for tracking the subscriber services for billing purposes (e.g. to find how long the subscriber was connected to that interface using the services)? Please give me your valid response for the same.

    thushar362 Fri, 01/18/2013 - 09:58

    Hi Xander,

                      In XR, is there any accounting policy for collecting accounting statistics (accounting logs)

    according to the parameters defined within the accounting policy  for billing  ?

    xthuijs Fri, 01/18/2013 - 10:35 (reply to thushar362)

    the information in the radius accounting records is pretty much on a what is available basis for the record.

    that is, if there are no v6 packets sent, or gigawords, these attributes are not included.

However, you can adjust the accounting (and auth request/reply) records on the BNG to include/exclude the parsing of these AVPs.

    what is mandatory to be received in a record is defined in the RFC2865 which we comply with.

    what you may need to do proper billing depends on your delivery model. Generally people bill on time usage and or bytes sent/received.

    xander

    gogie Mon, 05/20/2013 - 05:21

    I need to apply HTTP-REDIRECT to user as soon as it gets authenticated.

    I can do it with CoA easily for already authenticated user:

    attribute1=44,00000064

    attribute2=26,9,1,subscriber:command=activate-service

    attribute3=26,9,1,subscriber:service-name=L3R

But I want to apply the HTTP redirect service to some (not all, therefore I don't want to apply a dynamic template in the policy-map) users right away from RADIUS, without CoA, just like I apply, say, QoS policies.

    Assigning

    Cisco AVPair += subscriber:service-name=L3R

    to that user does NOT work. Getting this from debug:

    iedged[242]: [IEDGE:TP144:SERVICE:EVENT:0x7d] Post UP PAD rc='TmplMgr' detected the 'warning' condition 'The lookup of AAA attribute was unsuccessful' U0000007D,

    What is proper way of assigning service from Radius Access-Accept? 

    gogie Thu, 05/30/2013 - 12:18

    Just in case, correct answer is:

    Cisco AVPair += subscriber:sa=L3R

    xthuijs Thu, 05/30/2013 - 12:24 (reply to gogie)

Gogie, that is correct, I apologize, I had forgotten to update the thread with the right answer that you found already.

    xander

    gogie Thu, 05/30/2013 - 12:57

    Thanks

    Yet another question: once BNG redirects user to portal, how can portal understand who this user is? I can do DHCP LQ or extract username from Radius accounting table, but it would be nice to have something like

    "subscriber:command=account-profile-status-query" CoA.

    xthuijs Thu, 05/30/2013 - 13:06 (reply to gogie)

    yeah the IOS account ping would be very useful! that is not possible today but that functionality is tracked by CSCuc45110.

    The other option is to send the COA request from the portal based on the address that you see from the client as key.

Another option, which I did on the BNG demo (on YouTube, google asr9000 bng if you haven't seen it), is a script from the portal that connects to the BNG and figures out with some show commands what the accounting session ID is. This only requires a TTY connection from the portal to the BNG...

    regards

    xander

    mvmtech2001 Wed, 06/26/2013 - 10:44

What is the right way to go if I want to give IP addresses from different pools for IPoE sessions (the DHCP server gives the IP addresses)? Maybe like this:

    !

    interface Loopback2000

    ipv4 address 10.80.1.1 255.255.255.0

    ipv4 address 10.80.2.1 255.255.255.0 secondary

    ipv4 address 10.80.2.1 255.255.255.0 secondary

    etc...

    !

    interface Bundle-Ether100.100

    ipv4 point-to-point

    ipv4 unnumbered Loopback2000

    arp learning disable

    service-policy type control subscriber ipsub

    ipsubscriber ipv4 l2-connected

      initiator dhcp

    !

    encapsulation ambiguous dot1q 1000-1500

    !

    Or is there another solution?
    Thanks.

    xthuijs Wed, 06/26/2013 - 20:30 (reply to mvmtech2001)

    dhcp pool selection is done by the giaddr (gateway address), this giaddr is the address that the dhcp server will respond to and hence this giaddr needs to be a routable address on the bng itself.

    in your example you have 2 same secondary adds, but I assume you meant 3.1 for the 3rd one, to make it correct.

Then in your dhcp proxy profile you can do this:

    profile AutoSelectGiaddr proxy

      class MATCHALL

       match option 60 hex 68656C6C6F mask 0

       helper-address vrf default 81.1.1.2 giaddr <ONE>

      !

      class HardPhone1

       match option 60 hex 4861726450686F6E6531 mask 0

       helper-address vrf default 81.1.1.2 giaddr <TWO>

      !

      class HardPhone2

       match option 60 hex 4861726450686F6E6532 mask 0

       helper-address vrf default 81.1.1.2 giaddr <THREE>

      !

      relay information option

      relay information policy replace

      relay information option remote-id testme

      relay information option allow-untrusted

    !

    in this example I am matching a certain option in the dhcp server and set the giaddr differently ONE/TWO/THREE based on that option 60 (vendor class), still using the same dhcp server 81.1.1.2

    So in order to selectively pick a pool, based on giaddr, you need to match on something and set the giaddr accordingly.

The string matching in the example here is a "full match", but you can match on the first leading chars etc. and all that also.

    thanks

    xander

    mvmtech2001 Thu, 06/27/2013 - 01:28 (reply to xthuijs)

    I do not need to choose a pool on dhcp server. I need to give ip addresses from the free pools on dhcp server. What must be specified in giaddr in this case?

    The challenge is to effectively distribute real ip addresses.

    Thanks.

    Carlos A. Silva Thu, 07/25/2013 - 05:58

    Hi, Xander:

Is there a recommended way of disconnecting a non-paying customer that is not CoA-based? I'll explain further: this customer today uses the ASR1006 as an IP-sessions BRAS; the way they disconnect non-paying customers is that they sync the DHCP timers with a configured session-timeout so that every 24 hours all customers time out and have to re-authenticate. At the end of each day, they edit their authorized MAC address list on RADIUS, so that non-paying customers are not authenticated and are redirected to an HTTP portal.

    Can this behavior be replicated on BNG? Is there a better/recommended way to do it?

    TIA,

    c.

    xthuijs Thu, 07/25/2013 - 06:04 (reply to Carlos A. Silva)

    Hi Carlos, it is always tough to disconnect IP subs as they will retain their lease.

    How disconnect for IP session works is, we clear the subscriber session and mark the binding.

    What happens is that the user traffic will no longer have a subscriber and hit the access interface.

You could then block the traffic (any non-DHCP traffic you should block here).

    When the client tries to renew their lease, due to the marked binding, we'll send a NAK right away and the user will be ip less.

    You can also apply a timer (like IOS) and at timer expiration you can destroy the session, same as with IOS, so you can make this like to like behavior.

    regards

    xander

    eberd Fri, 10/11/2013 - 05:29

    Hello Xander,

    are there any plans to provide also LNS capabilities to ASR9K?

    Thank you in advance,

    Eirini

    xthuijs Fri, 10/11/2013 - 05:36 (reply to eberd)

    Hi Eirini,

    at this point there are no firm plans to do LNS on a9k. For now A1K would be the platform of choice for that functionality.

    regards

    xander

    Carlos A. Silva Wed, 10/16/2013 - 08:00

    Hi, Xander:

    Hope you have the time for a couple of quick question, does BNG support the following setup for IPsessions:

Say I have multiple bundle-ether subinterfaces on the BNG, all in different VLANs. They will all do DHCP/IP sessions for end customers. Can you point all of those subinterfaces to the same 'ip unnumbered loopback' interface so that the DHCP pools that match that loopback are spread throughout? Or does every subinterface have to point to its own dedicated ip unnumbered loopback address?

    Thanks in advance!

    c.

    xthuijs Wed, 10/16/2013 - 08:48 (reply to Carlos A. Silva)

    hey carlos,

    the unnumbered loop for the session will act as the subs' default gateway.

    So it is important that the unnumbered loop is part of the subnet that the dhcp server is handing out addresses from.

    So the users can have addresses in different subnets, or the same, and need to have the right respective unnumbered assigned to them in that subnet for proper forwarding (as it is used as default gateway).

    dhcp ipv4
     profile AutoSelectGiaddr proxy
      !
      class HardPhone1
       match option 60 hex 4861726450686F6E6531 mask 0
       helper-address vrf default 81.1.1.2 giaddr 10.1.1.254
      !
      class HardPhone2
       match option 60 hex 4861726450686F6E6532 mask 0
       helper-address vrf default 81.1.1.2 giaddr 172.28.15.254

    Loopback11                     10.1.1.254
    Loopback12                     172.28.15.254

    so in this example, an interface with a sub matching class "1" needs to be unnumbered to loop 11

    and a dhcp discover with class matching "2" needs to be unnumbered to loop 12.

    cheers

    xander

    Carlos A. Silva Wed, 10/16/2013 - 08:52 (reply to xthuijs)

    Right, the question was more along the lines of multiple subinterfaces pointing to the exact same loopback address with the 'ip unnumbered' command.

    This is something we used in a cpoc last year, but wanted to make sure it is a supported scenario.

    xthuijs Wed, 10/16/2013 - 08:54 (reply to Carlos A. Silva)

    yup definitely supported carlos.

    all users in the say 172.28.15.0/24 subnet should be unnumbered to the loop12.

    regardless which vlan or access interface they are on.

    xander

    Carlos A. Silva Wed, 10/16/2013 - 08:57 (reply to xthuijs)

    thanks a lot, one last quick q: if I wanted to provision more dhcp pools for the same service/interfaces, the proper way would be to add secondary ip addresses to the same loopback interface, correct?

    then have the dhcp server 'serve' those different pools when request comes from same giaddr.

    xthuijs Wed, 10/16/2013 - 09:38 (reply to Carlos A. Silva)

    carlos: you set the giaddr on a per access interface basis (in dhcp ipv4). It can be made more granular by matching on options in the dhcp discover.

    the giaddr that is used is the loopback that the subscriber needs to be unnumbered to.

    regards

    xander
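The class-to-giaddr mapping xander describes above (option 60 hex match, giaddr equal to the unnumbered loopback, loopback inside the pool subnet) can be sanity-checked offline. The following Python is an added example, not code from the thread or from IOS XR: the class table and loopbacks are copied from the config above, while the pool subnets, the `POOLS` table and the treatment of `mask 0` as an exact match are assumptions.

```python
"""Added example: classify a DHCP client by vendor class (option 60) the way the
'class ... match option 60 hex' stanzas do, and audit that every giaddr is a
loopback address that sits inside the pool subnet it fronts, since the
unnumbered loopback becomes the subscriber's default gateway."""
import ipaddress

# Mirrors the two classes in the config above: class -> (option-60 hex, giaddr)
CLASSES = {
    "HardPhone1": ("4861726450686F6E6531", "10.1.1.254"),
    "HardPhone2": ("4861726450686F6E6532", "172.28.15.254"),
}
# Loopbacks from the same post
LOOPBACKS = {"Loopback11": "10.1.1.254", "Loopback12": "172.28.15.254"}
# The pool subnets are not on the page; these are assumed values for the check
POOLS = {"10.1.1.254": "10.1.1.0/24", "172.28.15.254": "172.28.15.0/24"}


def option60_hex(vendor_class: str) -> str:
    """Encode a vendor class string as the upper-case hex used by 'match option 60 hex'."""
    return vendor_class.encode("ascii").hex().upper()


def classify(vendor_class: str, classes=CLASSES):
    """Return (class name, giaddr) for a client's option 60, or None if no class matches.
    'mask 0' is taken here to mean the whole option must match exactly (assumption)."""
    wanted = option60_hex(vendor_class)
    for name, (match_hex, giaddr) in classes.items():
        if wanted == match_hex:
            return name, giaddr
    return None


def audit(classes=CLASSES, loopbacks=LOOPBACKS, pools=POOLS):
    """List configuration problems: a giaddr that is not a loopback address, a
    giaddr with no pool defined, or a loopback outside the subnet it should serve."""
    problems = []
    by_addr = {addr: name for name, addr in loopbacks.items()}
    for cls, (_, giaddr) in classes.items():
        if giaddr not in by_addr:
            problems.append(f"{cls}: giaddr {giaddr} is not a configured loopback address")
            continue
        if giaddr not in pools:
            problems.append(f"{cls}: no pool subnet known for giaddr {giaddr}")
            continue
        net = ipaddress.ip_network(pools[giaddr])
        if ipaddress.ip_address(giaddr) not in net:
            problems.append(f"{cls}: {by_addr[giaddr]} ({giaddr}) is outside pool {net}; "
                            "subscribers would get an unreachable default gateway")
    return problems


if __name__ == "__main__":
    print(classify("HardPhone2"))   # ('HardPhone2', '172.28.15.254')
    print(audit() or "giaddr/loopback/pool table is consistent")
```

Running `audit()` against a table where a loopback was moved to a subnet the server does not hand out reproduces the forwarding failure xander warns about, as a configuration finding rather than a subscriber outage.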

    sups@cisco.com Wed, 12/04/2013 - 03:08

    Hi Xander,

    When we configure multiple DHCP-Server addresses via the helper-address cli in dhcp-relay configuration, is there any algorithm for selecting the server, or is the request sent to all the servers and only the first reply considered?

    Thank you,

    Suprita

    xthuijs Wed, 12/04/2013 - 05:28 (reply to sups@cisco.com)

    hi suprita, when you configure multiple helpers the request is sent to each of those (like IOS)

    so you'll get multiple offers back.

    Note btw that for BNG/subscribers you need proxy, can't use relay.

    regards

    xander

    smailmilak Tue, 01/14/2014 - 05:23

    Hello Xander,

    after a long wait we are finally going to install two BNGs. The idea is to use PPPoE for IPv4 and PPPoE for IPv6 address space, same for IPoE. Subscribers will have IPv4 and IPv6 IP addresses on the same session (dual stack), but IPv4 will be NAT-ed to a public IPv4 address with the ISM module which is in the same chassis.

    I need to check with you if it's possible to have dual stack on PPPoE and IPoE on BNG? If I can configure both parameters, IPv4 and IPv6, on the same dynamic template then it should be possible, yes? IPoE is more or less quite clear, but I am not sure about PPPoE. Reading the config guide I found this example for dynamic template, but it's configured separately.

    Creating Dynamic Template for IPv4 or IPv6 Subscriber Session: Examples

    //Creating Dynamic Template for IPv4 Subscriber Session
    configure
     dynamic-template
      type ipsubscriber ipsub1
       timeout idle 600
       accounting aaa list default type session periodic-interval 60 dual-stack-delay 1
       ipv4 mtu 678
       ipv4 verify unicast source reachable-via rx
    !!
    end

    //Creating Dynamic Template for IPv6 Subscriber Session
    configure
     dynamic-template
      type ipsubscriber ipsub1
       timeout idle 600
       accounting aaa list default type session periodic-interval 60 dual-stack-delay 1
       ipv6 mtu 678
       ipv6 verify unicast source reachable-via rx
    !!
    end

    Second question is if the bundle-interface is still needed on the subscribers side? We are going to use 4.3.4. Are there any limitations in number of subscribers when we are using bundle-interfaces? I am not quite sure but I think that I read somewhere that the RSP is controlling the bundle feature. Should we use "bundle-mode on" or can we use LACP?

    Third question is are there any best practices for securing the device from malicious subscribers? Like limiting number of DHCP requests, max mac-addresses etc.?

    Are you going to visit Cisco Live in Milano this month?

    xthuijs Tue, 01/14/2014 - 05:32 (reply to smailmilak)

    hi smail,

    dual stack is supported no problemo in XR4.3.4. I think you made the right release choice there also.

    I'll write a document on dual stack to expand a bit more on this also. Both the ipv4 and ipv6 can be housed in the

    same dynamic template.

    we currently don't have an ipv4 local dhcp server, but we do have one for ipv6. the ipv4 server is in XR 5.2 I thought it was.

    You still need bundle access interfaces; linecard-based subscribers, triggered by phy (sub)interface access configurations, will be supported 511 onwards. So you can definitely use a single member bundle without lacp in case your remote device doesn't like or can't do bundles.

    I won't be in Milan for Cisco Live. However my peer Aleksandar V will present the Cisco Live 2904 presentation I made for Orlando summer last year.

    cheers

    xander

    smailmilak Tue, 01/14/2014 - 05:42 (reply to xthuijs)

    Hi,

    DHCP server for IPv6 will be an external one, so no need for local dhcp servers. I am looking forward to your document about dual stack.

    I will attend this presentation you have made. I see that it's this one and I already put this on my schedule:

    BRKSPG-2904 - ASR-9000/IOS-XR hardware Architecture, QOS, EVC, IOS-XR Configuration and Troubleshooting

    xthuijs Tue, 01/14/2014 - 06:17 (reply to smailmilak)

    Hi Smail,

    I assembled this together from all the documentation I had built over time regarding this topic. I feel it is not complete (yet), but it is a start. If you see some things that lack verbiage, please let me know so I can expand on those topics in this doc: https://supportforums.cisco.com/docs/DOC-39405

    Cool! Hope you enjoy the 2904 session. I believe there was a recording from it also from the Orlando time, in case you like to have a preview on the cisco live 2013 site.

    cheers!

    xander

    smailmilak Tue, 01/14/2014 - 06:41 (reply to xthuijs)

    Great, thank you. I will use it on the project and if I miss something I will let you know.

    I am watching the recording right now. It's a long one.

    Carlos A. Silva Tue, 01/14/2014 - 06:44 (reply to xthuijs)

    Xander,

    I haven't had any contact with 5.1.0 yet, but I thought (from release notes) that what this meant:

    Broadband network gateway (BNG)

    The BNG technology segment introduces a critical feature, an onboard Dynamic Host Configuration Protocol (DHCP) server, including advanced features such as RADIUS-based address allocation. Important manageability features, such as Session Switched Port Analyzer (SPAN), idle timeout, and MIBs, are also introduced in this release.

    Is it just ipv6 then?

    Regards,

    c.

    chatasos Wed, 01/15/2014 - 05:35

    Hi Xander,

    I need some clarifications:

    With current software (until 5.1.0) there is no way to have LC-based subscribers; is that so?

    Is it the "on" keyword that forces the subscribers being driven to the RSP or is it just the bundle setup?

    I mean, in 5.1.1 (any specific date for that?) how will a bundle setup (with LACP) work in terms of subscriber scaling?

    Does LAC functionality (accept PPPoE sessions locally and then forward them to an LNS based on username/domain) also require a typhoon LC as core-facing?

    For dual-stack and ipv6-only functionality, what is the recommended software release? Should we go with the latest one? If not, are there any specific SMUs to install?

    In ASR1k there is an option to make IPv6CP passive ("ppp ncp passive ipv6cp"), which we use due to issues with some older CPEs. Is there something similar available on ASR9k?

    Thanks

    Tassos

    xthuijs Wed, 01/15/2014 - 06:04 (reply to chatasos)

    hi tassos,

    LC based subscribers are in 511.

    the bundle mode "on" just disables lacp and forces the member in a bundle.

    if your access device doesn't support bundle, you can use a single member bundle on the 9k side and put that member in the on mode, and it wouldn't even know that we perceive it as bundle on the 9k side.

    BNG requires typhoon SE cards and RSP440SE cards, for PTA, LAC and also for those cards that carry l2tp.

    the recommended release today is XR434.

    for the passive NCP v6, XR has something similar: we can do an ncp timeout as short as 1 second for IPv6 to have a remote device that only wants to do v4 "register" (as per dun) faster on the network, closing ipv6 faster if it doesn't want to negotiate it. The cli for that is ppp proto-reject <time> in 434 and 511.

    regards

    xander

    Carlos A. Silva Mon, 01/27/2014 - 09:29

    Hello, Xander:

    A "quick" question about BNG/DHCP Proxy behavior.

    When a subscriber first asks for DHCP and receives a DHCP offer, it gets the full treatment: ipadd, netmask, def-gwy. But from traces I get (dhcp ipv4 proxy packets), when the same subscriber renews the lease, the BNG DHCP Proxy answers by sending an ACK that includes ipadd ONLY.

    Is this behavior correct?

    Regards,

    c.

    xthuijs Mon, 01/27/2014 - 09:37 (reply to Carlos A. Silva)

    hi carlos, yeah that is ok to do, but it is not convenient in case the client requests a full parameter set, eg via option 55.

    If you have lease proxy enabled (that is, the server lease time is longer than the re-advertised proxy lease time, which means that the client will renew against the BNG) THEN you will have an issue if the client requests full parameters and is not just seeking an ack on the address.

    The related DDTS to that is CSCua07418 fixed in 510 and 511.

    regards

    xander

    Carlos A. Silva Mon, 01/27/2014 - 09:43 (reply to xthuijs)

    That's exactly my problem; it seems my CPE and, say, a Linux box, are 'smart' enough to recover from the lack of netmask/def-gwy on dhcp ack (on renew), but a Windows box or D-Link router stops working.

    Now, I don't want this behavior. Is there a way to disable it?

    So, no way around it for 4.3.2, correct?

    xthuijs Mon, 01/27/2014 - 09:46 (reply to Carlos A. Silva)

    ha yeah, it is linked to lease-proxy functionality; the only option is to not use lease-proxy and renew against the dhcp server as opposed to the bng.

    regards

    xander

    xthuijs Mon, 01/27/2014 - 09:55 (reply to Carlos A. Silva)

    you need proxy DHCP for bng,

    but this func I was alluding to is "lease proxy":

    with regular proxy the client will renew at half lease time to the dhcp server (not proxy).

    if the lease time is long, it may take a long time for the client to fall back to renew

    or have a stale forwarding session.

    solution is a shorter lease time, but that increases the load on the dhcp server.

    lease proxy takes, say, the 24 hour lease from the server and tells the client to renew every, say, 2 hours. That means every hour the client sends a renew. Proxy captures that and offers the existing offer (but that misses some parameters as per the ddts/feature referenced).

    At half server lease, 12 hours the proxy will forward to the dhcp server for a full renew.

    xander
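The two lease-proxy behaviours described in this sub-thread (the renewal timeline of a 24-hour server lease re-advertised as 2 hours, and the proxy ACK that carries only the address) can be checked offline. The Python below is an added example, not code from the thread or from IOS XR: the packet bytes are constructed option fields (the fixed DHCP header is omitted), the server-id value 10.1.1.254 is borrowed from the loopback earlier in the thread, and the function names are the example's own.

```python
"""Added example: (1) build the renewal timeline for a server lease that the
proxy re-advertises as a shorter lease, showing which renews the BNG answers
itself and which one is forwarded to the DHCP server; (2) compare a client's
option 55 parameter request list against the options actually present in an
ACK, which is how the 'ACK includes the address only' symptom shows up in a
capture. Packets here are constructed option fields, not real captures."""

REQUEST, ACK = 3, 5  # DHCP message type values carried in option 53


def renew_schedule(server_lease_h: float, proxy_lease_h: float):
    """Return [(hour, 'proxy'|'server'), ...] for one server lease cycle.
    The client renews at half of whatever lease it was told (T1); the proxy
    answers locally until half of the real server lease, then forwards."""
    server_t1 = server_lease_h / 2
    client_t1 = min(proxy_lease_h, server_lease_h) / 2
    events, t = [], client_t1
    while t < server_t1:
        events.append((t, "proxy"))
        t += client_t1
    events.append((server_t1, "server"))
    return events


def parse_options(opts: bytes) -> dict:
    """Parse the DHCP options field (after the magic cookie) into {code: value}."""
    out, i = {}, 0
    while i < len(opts):
        code = opts[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        length = opts[i + 1]
        out[code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    return out


def missing_parameters(request_opts: bytes, ack_opts: bytes):
    """Option codes the client asked for in option 55 that the ACK does not carry."""
    req, ack = parse_options(request_opts), parse_options(ack_opts)
    if ack.get(53, b"")[:1] != bytes([ACK]):
        raise ValueError("second packet is not a DHCPACK")
    wanted = list(req.get(55, b""))   # parameter request list, one code per byte
    return [code for code in wanted if code not in ack]


# Constructed renew REQUEST asking for subnet mask (1), router (3), lease time (51)
RENEW_REQUEST = bytes([53, 1, REQUEST, 55, 3, 1, 3, 51, 255])
# Constructed proxy ACK carrying only message type, a 7200 s lease and server id
ADDRESS_ONLY_ACK = bytes([53, 1, ACK, 51, 4, 0, 0, 0x1C, 0x20, 54, 4, 10, 1, 1, 254, 255])
# Constructed full ACK that also carries subnet mask and router
FULL_ACK = ADDRESS_ONLY_ACK[:-1] + bytes([1, 4, 255, 255, 255, 0, 3, 4, 10, 1, 1, 254, 255])

if __name__ == "__main__":
    for hour, who in renew_schedule(24, 2):
        print(f"h{hour:>5}: renew answered by {who}")
    print("missing from short ACK:", missing_parameters(RENEW_REQUEST, ADDRESS_ONLY_ACK))
    print("missing from full ACK: ", missing_parameters(RENEW_REQUEST, FULL_ACK))
```

With the 24 h / 2 h values from the thread the schedule shows eleven locally answered renews before the forwarded one at hour 12; running `missing_parameters` over the options of a real renew/ACK pair from a capture tells you whether the ACK is the short one that the referenced DDTS concerns, before a Windows or D-Link client reports it for you.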

    Carlos A. Silva Mon, 01/27/2014 - 10:09 (reply to xthuijs)

    Then, yes. I am using lease proxy since BNG-subscriber lease time is significantly shorter than Server-BNG.

    So, we are within the DDTS parameters you mentioned earlier, correct?

    This Document

    Posted March 6, 2012 at 8:01 AM
    Stats:
    Comments:123 Avg. Rating:5
    Views:20831 Contributors:20
    Shares:0