Cisco Support Community

ASR9000 Understanding the BNG configuration (a walkthrough)

Introduction

In this document we walk through a configuration that sets up BNG for IPoE and PPPoE. The setup for this configuration is similar to the one shown in the YouTube video of the IP sessions demo.

Problem Description

A detailed description of how to set up the configuration and the options for establishing PPPoE and IPoE sessions, and an explanation of the anatomy of the control policy language.

Setup

[Figure: lab setup diagram (Slide3.JPG)]

Configuration and Explanations

hostname A9K-BNG

radius-server host 3.0.0.38 auth-port 1645 acct-port 1646

!Radius-server definition with the IP address and the UDP ports it is going to use.

key 7 045802150C2E

!Secret key for the radius communication

timeout 1

!Maximum time waiting for response

retransmit 1

!Maximum number of times you retransmit the request, after waiting <timeout> time.

!COA server definition

aaa server radius dynamic-author

port 1700

!COA port is standard 1700

client 3.0.0.1 vrf default server-key 7 13061E010803

client 10.86.1.49 vrf default server-key 7 14141B180F0B

!The clients from which we are going to accept a COA Response.

!Attribute definitions that we can reference for the nas-port

!building.

!“MY_AUTH” will take the MAC address, circuit ID and remote ID and

!append them together separated by hash signs. If one of the fields is

!not available, an empty string will be provided for that portion.

!example 0000.1111.2222##remoteid or 0000.2222.1111#circ#remote

!

aaa attribute format MY_AUTH

mac-address plus circuit-id plus remote-id separator #

!

aaa attribute format NAS_PORT_FORMAT

circuit-id plus remote-id separator .

! Nas-port computation for PPPoE(32) and if not pppoe then follow the

! global (non typed) logic

aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU type 32

aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU

!Set up the XR nas-port-id (attr87) for sessions following the nas-port

!format instructions above.

aaa radius attribute nas-port-id format NAS_PORT_FORMAT
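An added illustration (not Cisco code) of the "aaa attribute format" definitions above: it parses the field list and separator out of the config lines and composes the resulting string, with a missing field contributing an empty string as the walkthrough describes. The session values are constructed; the first mirrors the DHCP session in the show output below (empty circuit ID, remote ID "testme").

```python
import re
from typing import Dict, List, Tuple

# Added illustration (not Cisco code) of the "aaa attribute format" lines above:
# parse the field list and separator, then build the string the BNG would send
# (e.g. as the composed username for MY_AUTH, or as nas-port-id for
# NAS_PORT_FORMAT). A field that is not available contributes an empty string,
# so the separators are still emitted ("0000.1111.2222##remoteid").

FORMAT_LINE = re.compile(
    r"^(?P<fields>\S+(?:\s+plus\s+\S+)*)\s+separator\s+(?P<sep>\S+)$")


def parse_attribute_format(config: str) -> Dict[str, Tuple[List[str], str]]:
    """Parse 'aaa attribute format NAME' followed by
    '<field> plus <field> ... separator X' into {NAME: ([fields], separator)}."""
    formats: Dict[str, Tuple[List[str], str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                                  # blank line or comment
        if line.startswith("aaa attribute format "):
            current = line.split()[-1]                # format name
            continue
        m = FORMAT_LINE.match(line)
        if m and current:
            fields = re.split(r"\s+plus\s+", m.group("fields"))
            formats[current] = (fields, m.group("sep"))
            current = None
    return formats


def compose(fmt: Tuple[List[str], str], session: Dict[str, str]) -> str:
    """Join the session's value for each field with the separator; a field
    the session does not have becomes an empty string."""
    fields, sep = fmt
    return sep.join(session.get(f, "") for f in fields)


# Config fragment taken from the walkthrough above.
CONFIG = """
aaa attribute format MY_AUTH
 mac-address plus circuit-id plus remote-id separator #
!
aaa attribute format NAS_PORT_FORMAT
 circuit-id plus remote-id separator .
"""

FORMATS = parse_attribute_format(CONFIG)

# Constructed sessions: the first mirrors the DHCP session in the show output
# (no circuit ID, remote ID "testme"); the second carries every field.
SESSION_NO_CID = {"mac-address": "0019.2f43.9a38", "remote-id": "testme"}
SESSION_FULL = {"mac-address": "0000.2222.1111", "circuit-id": "circ",
                "remote-id": "remote"}

if __name__ == "__main__":
    for name, fmt in FORMATS.items():
        print(name, "->", compose(fmt, SESSION_NO_CID), "|",
              compose(fmt, SESSION_FULL))
```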

!Set up for AAA usage. Note that we don’t have “aaa new-model” in

!XR. Also “subscriber” is used for BNG. Method “PPP” is used for

!serial PPP.

aaa authorization subscriber default group radius

aaa authentication subscriber default group radius

!DHCP configuration

dhcp ipv4

!specify a profile name and define what method is used, relay, proxy

!or snooping.

profile AutoSelectGiaddr proxy

!Different classes may be defined. This is not necessarily the

!vendor class, but here we can check certain options in the discover

!to selectively set the helper address and giaddr. That last one

!will affect the pool we’re going to use on the dhcp server.

class HardPhone1

match option 60 hex 4861726450686F6E6531 mask 0

!Option 60 is the vendor class, followed by a hex string. I chose it

!to match the “class” name from the line above, but that is not

!necessary. The mask defines which bytes must match and which are

!don’t-cares. A mask of 0 means a full match.

helper-address vrf default 81.1.1.2 giaddr 10.1.1.254

!

class HardPhone2

match option 60 hex 4861726450686F6E6532 mask 0

helper-address vrf default 81.1.1.2 giaddr 172.28.15.254

!

relay information option

relay information policy replace

relay information option remote-id testme

relay information option allow-untrusted

! The configuration above defines the option 82 handling.

! Allow untrusted means that we accept DHCP discovers with a 0.0.0.0

! giaddr, which is normally the case when there is no relay between

! the client and the 9k.

Relay information policy: option-82 suboptions in the forwarded packet, per case

Case | Received packet | Configured     | Forwarded: full-option-82 keep | Forwarded: individual-suboption keep | Forwarded: replace
-----|-----------------|----------------|--------------------------------|--------------------------------------|-----------------------
1    | rx-cid, rx-rid  | in-rid, vpn-id | rx-cid, rx-rid                 | rx-cid, rx-rid, vpn-id               | rx-cid, in-rid, vpn-id
2    | rx-cid          | in-rid, vpn-id | rx-cid                         | rx-cid, in-rid, vpn-id               | rx-cid, in-rid, vpn-id
3    | (none)          | in-rid, vpn-id | in-rid, vpn-id                 | in-rid, vpn-id                       | in-rid, vpn-id

(rx-cid and rx-rid are the circuit-id and remote-id received in the packet; in-rid is the remote-id configured on the BNG.)
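An added model (not Cisco code) of the three forwarding behaviours in the relay information policy table above, run over inputs that reproduce its three cases. The policy labels are the table's column headings; only "keep" and "replace" correspond to the "relay information policy" CLI keywords shown in the configuration.

```python
from typing import Dict

# Added model (not Cisco code) of the relay information policy table above.
# "received" holds the option-82 suboptions that arrived from the access node,
# "configured" the ones the BNG is set to insert (e.g. the
# "relay information option remote-id testme" line in the profile).

SUBOPTIONS = ("circuit-id", "remote-id", "vpn-id")   # order used in the table


def _merge(primary: Dict[str, str], secondary: Dict[str, str]) -> Dict[str, str]:
    """Per-suboption merge: take primary where present, otherwise secondary."""
    return {n: primary[n] if n in primary else secondary[n]
            for n in SUBOPTIONS if n in primary or n in secondary}


def forwarded_option82(received: Dict[str, str], configured: Dict[str, str],
                       policy: str) -> Dict[str, str]:
    """Return the option-82 suboptions the BNG forwards towards the DHCP server."""
    for name in list(received) + list(configured):
        if name not in SUBOPTIONS:
            raise ValueError(f"unknown option-82 suboption {name!r}")
    if policy == "full-option-82 keep":
        # The whole received option 82 is kept untouched; the configured
        # suboptions are only inserted when the packet carried none (case 3).
        return dict(received) if received else dict(configured)
    if policy == "individual-suboption keep":
        # Received suboptions win; configured ones fill in only the gaps.
        return _merge(received, configured)
    if policy == "replace":
        # Configured suboptions override whatever was received.
        return _merge(configured, received)
    raise ValueError(f"unknown relay information policy {policy!r}")


# Constructed inputs reproducing the three cases of the table.
CONFIGURED = {"remote-id": "in-rid", "vpn-id": "vpn-id"}
CASES = {
    1: {"circuit-id": "rx-cid", "remote-id": "rx-rid"},
    2: {"circuit-id": "rx-cid"},
    3: {},
}
POLICIES = ("full-option-82 keep", "individual-suboption keep", "replace")


def table() -> Dict[int, Dict[str, Dict[str, str]]]:
    """Compute the forwarded suboptions for every case/policy combination."""
    return {case: {p: forwarded_option82(rx, CONFIGURED, p) for p in POLICIES}
            for case, rx in CASES.items()}


if __name__ == "__main__":
    for case, rows in table().items():
        for policy, fwd in rows.items():
            print(f"case {case} {policy:<26} -> {', '.join(fwd.values()) or '(none)'}")
```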

! Define the interfaces and the attached profiles

interface Bundle-Ether100.2 proxy profile AutoSelectGiaddr

interface Bundle-Ether1001.2 proxy profile AutoSelectGiaddr

!

pppoe bba-group X

tag ppp-max-payload minimum 1200 maximum 2000

service selection disable

! PPPoE group definition. Currently there is limited service selection

!support (just matching on the service name). The CoS values for PPPoE

!control packets can be defined here, as well as the processing/support

!for the max-payload tag. In IOS you could configure the processing of

!vendor tags and strip them selectively. In XR we always process the tags

!and we always strip them from a PADR.

!IP address pool definition

pool vrf default ipv4 POOL

address-range 199.1.1.1 199.1.255.255

!

!The dynamic templates are like IOS virtual-templates. The base configuration for each session is defined here. L3 features as well as PPP-specific parameters are defined here.

dynamic-template

type ppp TPL

ppp authentication chap

ppp ipcp dns 1.2.3.4 1.2.3.3

ppp ipcp peer-address pool POOL

ipv4 unnumbered Loopback1000

!

type ipsubscriber IPSUB

ipv4 unnumbered Loopback12

ipv4 access-group IPSUB_FAIL_ACL ingress

ipv4 access-group IPSUB_FAIL_ACL egress

!A few ACL definitions referenced in the radius profile, QoS class-maps

!or in the dynamic template.

ipv4 access-list PERM_ALL

10 permit ipv4 any any

20 permit icmp any any

!

ipv4 access-list lab-video

20 permit udp any any eq 5544

30 permit udp host 49.1.1.2 any

!

ipv4 access-list IPSUB_FAIL_ACL

5 permit icmp any any

10 permit tcp any host 49.1.1.2 eq www

15 permit tcp host 49.1.1.2 eq www any

20 deny ipv4 any any

!QOS class-map used in COA parameterized QOS requests

!remember that with pQOS you can define the policy-map via RADIUS,

!however you need to define your class-maps locally in XR.

class-map match-any VIDEO

match access-group ipv4 lab-video

end-class-map

!

class-map match-any 3play-voip

match access-group ipv4 telnet

end-class-map

!These are the class-maps used later in the control policy. You can

!match on various aspects of the interface/session, like username or

!domain. In this case we have simple class-maps that match on the

!protocol, so we are going to differentiate between PPP and IP subs.

!

class-map type control subscriber match-any PPP

match protocol ppp

end-class-map

!

class-map type control subscriber match-any DHCP

match protocol dhcpv4

end-class-map

!

!In this sample class-map we take the username, apply the separator

!switch to it as defined in the “format DOMAIN” attribute

!definition, and check whether that domain name matches “vrf_vpn”.

class-map type control subscriber match-any matchdomain

match domain vrf_vpn format DOMAIN

end-class-map

!

!This is the most important part, the XR control policy.

policy-map type control subscriber sub

event session-start match-first

!

!Events: during the session lifetime, various events are triggered.

!In this case we provide a handler for the session-start event. This is

!the reception of a PADI for PPPoE sessions or a DHCP discover for IP

!sessions.

!The match-first describes that we are only handling one class of the

!event, the class that we match first.

!This as opposed to match-all, which means that we will traverse all

!classes to see if they match and execute the actions defined

!underneath each class.

!

Event                       | What does it do or when is it triggered?
----------------------------|------------------------------------------------------------------
session-start               | when we get the first sign of life (for pppoe that is at PADR)
session-activate            | this is done at the authentication phase, i.e. when we’ve got the username/password (or challenge/response) (PPPoE ONLY)
authentication-failure*     | when we receive an access-reject from radius
authentication-no-response  | when the method list for the authentication request does not return any response (success/reject)
authorize-failure*          | when we receive an access-reject from radius
authorize-no-response       | when the method list for authen or author does not return any response (success/reject)
service-stop                | when a service that is applied to the session is removed or stopped

class type control subscriber CLASS do-until-failure

!

!CLASS: Underneath that event, we define the classes. In this example

!I created 2 classes to match specifically on DHCP and PPP sessions.

!I can have 1 control policy with 1 event, and then the class

!differentiator to determine what I want to do specifically/separately

!for both session types.

!

Do until?          | What does it do?
-------------------|------------------------------------------------------------------
do-until-failure   | Until we receive a failure (e.g. access reject, no radius response or feature application failure); at that point we stop the execution.
do-until-success   | When we have successfully executed a task we stop.
do-all             | Regardless of success or failure, all actions are executed.

!

10 activate dynamic-template TPL

!

!Activation of the dynamic template configuration. PPP will take the LCP parameters and auth protocol from there.

!

!Class-actions:

!

event session-activate match-first

class type control subscriber CLASS do-until-failure

10 activate dynamic-template TPL

20 authenticate aaa list default

  • Authenticate: Use the username and password from the line and send them to the servers defined in the list
  • Authorize: More flexible than authenticate, still the SAME radius request (access-request) but flexibly formatted, with a username composed of different information such as domain, circuit-id, nas-port etc.

Note: Because authenticate uses the line username, it is generally useless on the session-start event; authorize, with which you compose the username based on MAC/circuit ID etc., is very useful in both session-start and session-activate.

!

!

end-policy-map

!

policy-map type control subscriber ipsub

event session-start match-first

class type control subscriber DHCP do-until-failure

10 authorize aaa list default identifier source-address-mac password cisco

! Use the authorize here to compose the username to be sent to

! radius. In this case we use pw cisco as the password.

!

end-policy-map
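An added toy model (not Cisco code) of how the control policies above are walked: an event fires, its classes are evaluated in order (match-first stops at the first matching class, match-all visits every one), and the class's do-until-* mode decides how far the numbered actions run. The action outcomes (RADIUS accept/reject, template activation) are supplied by a caller-provided stub, and the trace imitates the "Policy Executed" section of the show output below; the "sub" and "ipsub" policy-maps are transcribed from the configuration above.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Added toy model (not Cisco code) of IOS XR subscriber control policy execution:
# events, match-first vs match-all, and the do-until-* class modes.


@dataclass
class Action:
    seq: int
    text: str            # e.g. "activate dynamic-template TPL"


@dataclass
class ClassBlock:
    name: str            # class-map the session must match
    mode: str            # do-until-failure | do-until-success | do-all
    actions: List[Action]


@dataclass
class Event:
    name: str            # session-start, session-activate, ...
    match: str           # match-first | match-all
    classes: List[ClassBlock]


@dataclass
class PolicyMap:
    name: str
    events: Dict[str, Event]


# Caller-supplied stub: given an action's text, True means it succeeded
# (e.g. RADIUS Access-Accept), False means it failed (Access-Reject, no reply).
Outcome = Callable[[str], bool]


def run_class(cls: ClassBlock, outcome: Outcome) -> Tuple[List[str], List[Tuple[int, bool]]]:
    """Execute one class's actions in sequence-number order per its mode."""
    lines, results = [], []
    for act in cls.actions:
        ok = outcome(act.text)
        results.append((act.seq, ok))
        lines.append(f"      {act.seq} {act.text} [{'Succeeded' if ok else 'Failed'}]")
        if cls.mode == "do-until-failure" and not ok:
            break                        # stop at the first failure
        if cls.mode == "do-until-success" and ok:
            break                        # stop at the first success
        # do-all: keep going regardless of the result
    return lines, results


def run_event(pmap: PolicyMap, event_name: str, session_classes: Set[str],
              outcome: Outcome) -> Tuple[List[str], List[Tuple[str, int, bool]]]:
    """Walk one event for a session that matches the given class-map names.
    Returns (trace, results): trace mimics the 'Policy Executed' show output,
    results lists (class, seq, success) for every action that actually ran."""
    ev = pmap.events[event_name]
    trace = [f"policy-map type control subscriber {pmap.name}",
             f"  event {ev.name} {ev.match}"]
    results: List[Tuple[str, int, bool]] = []
    for cls in ev.classes:
        if cls.name not in session_classes:
            continue                     # this class did not match the session
        # As in the show output, the matched class is listed with its actions.
        trace.append(f"    class type control subscriber {cls.name} {cls.mode} [Succeeded]")
        lines, res = run_class(cls, outcome)
        trace.extend(lines)
        results.extend((cls.name, seq, ok) for seq, ok in res)
        if ev.match == "match-first":
            break                        # only the first matching class is handled
    return trace, results


# The two policy-maps from the walkthrough, transcribed into the model.
SUB = PolicyMap("sub", {
    "session-start": Event("session-start", "match-first", [
        ClassBlock("CLASS", "do-until-failure",
                   [Action(10, "activate dynamic-template TPL")])]),
    "session-activate": Event("session-activate", "match-first", [
        ClassBlock("CLASS", "do-until-failure", [
            Action(10, "activate dynamic-template TPL"),
            Action(20, "authenticate aaa list default")])]),
})

IPSUB = PolicyMap("ipsub", {
    "session-start": Event("session-start", "match-first", [
        ClassBlock("DHCP", "do-until-failure", [
            Action(10, "authorize aaa list default identifier source-address-mac password cisco")])]),
})


def radius_rejects(action: str) -> bool:
    """Constructed stub: every AAA request is rejected, everything else succeeds."""
    return not action.startswith(("authenticate", "authorize"))


if __name__ == "__main__":
    # PPPoE session: session-start then session-activate, RADIUS accepts.
    for ev in ("session-start", "session-activate"):
        print("\n".join(run_event(SUB, ev, {"CLASS"}, lambda a: True)[0]))
    # DHCP session whose composed username is unknown to RADIUS.
    print("\n".join(run_event(IPSUB, "session-start", {"DHCP"}, radius_rejects)[0]))
```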

! Define the bundle-ether master and configure it for destination-IP

! based load balancing, so that each subscriber hashes all its traffic onto one member only, for accurate QoS

interface Bundle-Ether100

bundle load-balancing hash dst-ip

! The IP session interface must have an IP address, in order to

! accept IP packets, i.e. the DHCP discover.

! If the unicast flag is set, as in Mac OS X or Windows XP (the IOS DHCP

! client leaves the broadcast flag), then this address MUST be in the same

! subnet as the IP sessions. If it is not the same we can’t

! unicast the offer.

interface Bundle-Ether100.2

ipv4 address 87.78.77.1 255.255.255.0

service-policy type control subscriber ipsub_fancy_auth

encapsulation dot1q 2

ipsubscriber ipv4 l2-connected

initiator dhcp

initiator unclassified-source

!

! Define the bundle sub interface for the right vlan, enable for PPPoE

! via the bba-group and attach the control policy

interface Bundle-Ether100.20

service-policy type control subscriber sub

pppoe enable bba-group X

encapsulation dot1q 20

! Loopback interface for ppp sessions

interface Loopback1000

ipv4 address 101.101.1.1 255.255.255.255

!

interface GigabitEthernet0/0/0/19

! Enable LACP on the bundle member and set it to bundle-e100

bundle id 100 mode active

load-interval 30

!

interface GigabitEthernet0/1/0/19

! Enable LACP on the bundle member and set it to bundle-e100

bundle id 100 mode active

load-interval 30

Show command verification

RP/0/RSP0/CPU0:A9K-BNG#show subscr ses all det
Mon Nov 7 17:20:27.701 EDT
Interface: Bundle-Ether100.2.ip5
Circuit ID:
Remote ID: testme
Type: IP: DHCP-trigger
IP Address: 172.28.15.1, VRF: default
Mac Address: 0019.2f43.9a38
Account-Session Id: 00000044
Nas-Port: 67108896
Username: unknown
Subscriber Label: 0x00000044
Created: Thu Nov 3 16:26:33 2011
State: Activated
Authentication: unauthenticated
Access-interface: Bundle-Ether100.2
Policy Executed:
policy-map type control subscriber ipsub_fancy_auth
event Session-Start match-first [at Thu Nov 3 16:26:33 2011]
class type control subscriber DHCP do-until-failure [Succeeded]
5 activate dynamic-template IPSUB [Succeeded]
10 authorize aaa list default [Failed]
Session Accounting: disabled
Last COA request received: never
User Profile Attribute List: None

Interface: Bundle-Ether100.100.pppoe2
Circuit ID: Unknown
Remote ID: Unknown
Type: PPPoE:PTA
IP Address: 199.1.1.2, VRF: default
Mac Address: 0019.2f43.9a38
Account-Session Id: 00000145
Nas-Port: 67110466
Username: test
Subscriber Label: 0x00000145
Created: Thu Nov 3 16:28:10 2011
State: Activated
Authentication: authenticated
Access-interface: Bundle-Ether100.100
Policy Executed:
policy-map type control subscriber sub
event Session-Start match-first [at Thu Nov 3 16:28:10 2011]
class type control subscriber CLASS do-until-failure [Succeeded]
10 activate dynamic-template TPL [Succeeded]
event Session-Activate match-first [at Thu Nov 3 16:28:31 2011]
class type control subscriber CLASS do-until-failure [Succeeded]
10 activate dynamic-template TPL [Succeeded]
20 authenticate aaa list default [Succeeded]
Session Accounting: disabled
Last COA request received: never
User Profile Attribute List: 0x500c0d24
1: service-type len= 4 value= Framed
2: sub-qos-policy-out len= 5 value= shape

Comments
New Member

Hi Xander,

I already configure this for option-82 :

!

dhcp ipv4

profile DHCP-PROXY-DATA proxy

  helper-address vrf default 10.211.x.y giaddr 10.10.a.b

  helper-address vrf default 10.211.x.z giaddr 10.10.a.b

  relay information option

  relay information policy keep

  relay information option allow-untrusted

!

interface Bundle-Ether2.10 proxy profile DHCP-PROXY-DATA 

but I can't see any option82 value, whether from debug dhcp ipv4 proxy event / debug dhcp ipv4 packet ("not inserted option82") or show dhcp ipv4 proxy binding details (insertedCurcuitID & InsertedRemoteID = -)

I also set a username to forward to AAA using remote-id, but because option82 is not inserted, the AAA didn't find any value for the username.

Looking forward to your feedback.

Cisco Employee

Option 82 is generally inserted by an ether-like DSLAM or switch. If you connect your computer directly to a port then there is likely no option 82 info available.

If the debugs don't print it, in this case for sure, it is not received.

xander

New Member

Hi Xander,

Thanks for the feedback. In addition, I'm not connecting the dummy client directly to the ASR, but via an L2 switch instead. Since connectivity from the dummy client to the ASR resides on the same broadcast domain, this should be justified to get the option82, right?

thanks in advance

Cisco Employee

If your switch is capable of intercepting the dhcp discover and inserting the option 82 info (usually done via configuration on the connected interface) then the 9k would see it and can use it.

There are some cisco metro switches that can do that, but not every device.

xander

New Member

Hi Xander,

thanks again for the feedback. Does it mean that I have to insert opt82 on the L2 switch even if the client and 9k are on the same segment? I already tried both, either using ip dhcp relay information option / ip dhcp snooping information option (but helper-address located on 9k), but still there's no opt82 on 9k. I'm using cat6506 as L2 switch..

Looking forward to your response.

Cisco Employee

Let's assume the following topology:

CPE---DSLAM/Etherswitch----BNG----dhcp_server

The cpe sends the discover, without any o82. The dslam/etherswitch is now acting as a relay agent and when instructed, it can intercept the dhcp discover and add this o82 info in there when it forwards it on to the BNG.

The BNG can then interpret this info, modify it and proxy the dhcp request over to the server.

The 9k CAN insert and modify the circuit ID and remote ID no problem, but normally you'd want the AN (access node) to do that so we get the specific line info from the AN to which the CPE is connected. As the BNG would only have an "aggregated" view of the lineID (i.e. it came in on my bundle-e100, but that potentially terminates thousands of subs).

Some example for the switch and option 82 is here.

There should be some more doc on the switch side also and I have seen some IOS images able to configure customized strings on a per access interface basis too.

Bronze

Hello Xander,

great walkthrough. I am trying to configure IPoE on ASR9001 4.3.0. PPPoE is already tested and it works great.

Now it's time to do some testing for the IPoE/DHCP feature. I used your documents on support forum and this pdf

"Residential Broadband Subscriber Aggregation and BNG Deployment Models" from Cisco Live.

Config looks like this:

dhcp ipv4

profile IP_SUB proxy

  helper-address vrf default 10.100.14.36 giaddr 10.100.30.1

!

interface Bundle-Ether992.3127 proxy profile IP_SUB


ipv4 access-list HTTPRDRT_ACL

10 permit tcp any any eq www

!

ipv4 access-list IPSUB_ACCLIST

10 permit tcp any host 10.100.14.108 eq www

15 permit icmp any any

!

class-map type traffic match-any IPSUB_ACL

match access-group ipv4 IPSUB_ACCLIST

end-class-map

!

class-map type traffic match-any HTTPRDRT_CM

match access-group ipv4 HTTPRDRT_ACL

end-class-map

policy-map type pbr HTTP_REDIRECT_PBR

class type traffic IPSUB_ACL

  transmit

!

class type traffic HTTPRDRT_CM

  http-redirect 10.100.14.108

!

class type traffic class-default

  drop

!

end-policy-map

interface Bundle-Ether992.3127

description # IPSUB #

ipv4 point-to-point

ipv4 unnumbered Loopback30

service-policy type control subscriber IP_SUB_PMAP

encapsulation dot1q 3127

ipsubscriber ipv4 l2-connected

  initiator dhcp

  initiator unclassified-source

interface Loopback30

ipv4 address 10.100.30.1 255.255.255.0

dynamic-template

type service HTTP_FORCE_REDIRECT

  service-policy type pbr HTTP_REDIRECT_PBR

!

type ipsubscriber IPSUB_TEMPLATE

  accounting aaa list default type session

!

class-map type control subscriber match-any IP_SUB

match protocol dhcpv4

end-class-map

!

!

class-map type control subscriber match-all AUTH_TIMER_CM

match timer AUTH_TIMER

match authen-status unauthenticated

end-class-map

!

policy-map type control subscriber IP_SUB_PMAP

event session-start match-first

  class type control subscriber IP_SUB do-until-failure

   10 activate dynamic-template IPSUB_TEMPLATE

   20 activate dynamic-template HTTP_FORCE_REDIRECT

   30 set-timer AUTH_TIMER 10

  !

!

event account-logon match-first

  class type control subscriber IP_SUB do-until-failure

   10 authenticate aaa list default

   20 deactivate dynamic-template HTTP_FORCE_REDIRECT

  !

!

event timer-expiry match-first

  class type control subscriber AUTH_TIMER_CM do-until-failure

   10 disconnect

  !

!

end-policy-map

I am using a DHCP server on Windows Server and I see that the BNG gets the IP address from the DHCP server

(DHCP server on Linux was not working for some reason)

Problem is that I don't get the IP address on my test PC that is sending the DHCP DISCOVER.

On BNG I can see the subscriber:

show subscriber session all         

Wed Jul 17 15:17:27.594 UTC

Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,

       ID - Idle, DN - Disconnecting, ED - End

Type         Interface                State     Subscriber IP Addr / Prefix                             

                                                LNS Address (Vrf)                             

--------------------------------------------------------------------------------

IP:DHCP      No                       CD        10.100.30.2 (default)

show subscriber session all detail

Wed Jul 17 15:53:06.363 UTC

RP/0/RSP0/CPU0:BNGDEMO#show subscriber session all detail

Wed Jul 17 15:53:28.965 UTC

Interface:                None

Circuit ID:               Unknown

Remote ID:                Unknown

Type:                     IP: DHCP-trigger

IPv4 State:               Up Pending, Wed Jul 17 15:53:16 2013

IPv4 Address:             10.100.30.2, VRF: default

Mac Address:              000a.e43c.a077

Account-Session Id:       0000007b

Nas-Port:                 Unknown

User name:                unknown

Outer VLAN ID:            3127

Subscriber Label:         0x0000007b

Created:                  Wed Jul 17 15:53:16 2013

State:                    Connected

Authentication:           unauthenticated

Access-interface:         Bundle-Ether992.3127

Policy Executed:

policy-map type control subscriber IP_SUB_PMAP

  event Session-Start match-first [at Wed Jul 17 15:53:16 2013]

    class type control subscriber IP_SUB do-until-failure [Succeeded]

      10 activate dynamic-template IPSUB_TEMPLATE [Succeeded]

      20 activate dynamic-template HTTP_FORCE_REDIRECT [Succeeded]

      30 set-timer AUTH_TIMER 10 [Succeeded]

Session Accounting: disabled

Last COA request received: unavailable


Do you have an idea why I don't get the IP address on my test PC?

And is this config good for force web logon? We want to use it for our WiFi customers.

I hope that you can help me out with this.

Bronze

Is this because of this?

[screenshot attached: Screen shot 2012-03-15 at 4.49.09 PM.png]

The IP address is held by the BNG as long as the client is not authenticated?

https://supportforums.cisco.com/docs/DOC-23170#How_IP_sessions_DHCP_interact_with_AAA

But how can I access the Captive portal without an IP address on my test PC?

Cisco Employee

since you don't have authentication in your session start event, this scenario doesn't apply, but yes you can run into it.

the discover is held until the radius ack is seen.

the problem is likely that the subscriber can't be receiving the ack on the sub-if because it has no unnumbered, that is there is no ip enabled on the template for the subscriber.

so you want to make the IPSUB_TEMPLATE unnumbered to the loopback 30.

that will make the routing go fine and the subscriber having the ability to ACK its lease to the dhcp server.

the discover is handled by the terminating access interface, the ack is handled by the subscriber interface.

also you may need to twiddle with the broadcast policy, some OSs don't like broadcasted offers, but at this point there is this config thing that might be affecting you.

preventing broadcast offers btw helps in security too so that other stations don't learn the mac/ip combo...

regards

xander

Bronze

Awesome!
I added unnumbered under dynamic template and it's working fine.

Yesterday, when I was pasting my config I have prepared in notepad I got an error regarding this and I thought that I can not have unnumbered under bundle interface and dynamic template at the same time, and thus I removed it.

Good that I have asked you

How should the force redirect to web logon portal work? I configured a service pmap, applied it to the control pmap with seq 20 and that's it. After I do an ipconfig -release and -renew I get an IP address, open a browser and type a URL but it's not redirecting me to my web portal 10.100.14.108.

The same config is on in the guide I found on Cisco Live.

Cisco Employee

awesome, glad to hear it works!

For the HTTPR problem, also check http://www.youtube.com/watch?v=Z_Hw9i_TcGY

I think your class need to be:

class type traffic HTTPRDRT_CM

  http-redirect http://10.100.14.108

I think by saying not redirecting you mean it doesn't do anything, not even go to the original site, right?

that is likely caused by the fact that DNS is not permitted in your open garden, so add

ipv4 access-list IPSUB_ACCLIST

20 permit udp any any eq domain

or in your test browser do an http://1.1.1.1 or so, so it does not require a domain lookup.

Also check within the subscriber details that the PBR/HTTPR service is indeed applied successfully to the session.

[screenshot attached: Screen Shot 2013-07-18 at 7.58.35 AM.png]

(ps the 200: in front of the http example was a test at the time of development, use http://x.x.x.x only)

xander

Bronze

You helped me again, http:// was missing, but this was not in the guide I found on Cisco Live.

Thank you very much.

Another question please, I hope that it's not too much.

I have this ACL for the type pbr pmap:

ipv4 access-list IPSUB_ACCLIST

10 permit tcp any host 10.100.14.108 eq www

15 permit icmp any any

30 permit udp any any eq domain

class-map type traffic match-any IPSUB_ACL

match access-group ipv4 IPSUB_ACCLIST

policy-map type pbr HTTP_REDIRECT_PBR

class type traffic IPSUB_ACL

  transmit

!

class type traffic HTTPRDRT_CM

  http-redirect http://www.bngportal.com

!

class type traffic class-default

  drop

!

end-policy-map

Is this enough security? I removed ICMP from the ACL and ICMP was not working anymore.

ACL under dynamic template is not needed, like this example?

dynamic-template

type ipsubscriber IPSUB_TEMPLATE

  ipv4 access-group IPSUB_ACCLIST ingress

  ipv4 access-group IPSUB_ACCLIST egress

I will now apply additional steps in my subscriber pmap where I will deactivate "HTTP_FORCE_REDIRECT" where the

IPSUB_ACCLIST is used.

It's this one:

policy-map type control subscriber IP_SUB_PMAP

event session-start match-first

class type control subscriber IP_SUB do-until-failure

10 activate dynamic-template IPSUB_TEMPLATE

20 activate dynamic-template HTTP_FORCE_REDIRECT

30 set-timer AUTH_TIMER 10

event account-logon match-first

class type control subscriber IP_SUB do-until-failure

10 authenticate aaa list default

20 deactivate dynamic-template HTTP_FORCE_REDIRECT

event timer-expiry match-first

class type control subscriber AUTH_TIMER_CM do-until-failure

10 disconnect

Cisco Employee

very nice, this is a good day   I'll tell the guy who did the preso to update that config example, although I am afraid that the PDFs won't be updated with that info anymore now that CL is over.

when a user has PBR/HTTPR enabled, it is a sort of implicit ACL already. all traffic is trapped by that PBR policy as per configuration. So you don't need the acl at that time, but after the http-r is removed, then it is open garden.

so in that case you may want to have a "base" acl or apply a service with an acl if there is something you want to restrict.

whether to allow icmp or not, I am either way about it. it might be good to at least allow icmp to the redirect server and the domain server in case people try to do some troubleshooting on their own.

regards

xander

Bronze

Yes, it's a good day

Well, after I have removed the HTTP_FORCE_REDIRECT because in seq 10 the user has been authenticated.

event account-logon match-first

class type control subscriber IP_SUB do-until-failure

10 authenticate aaa list default

20 deactivate dynamic-template HTTP_FORCE_REDIRECT

Because the user is authenticated, he should not have any restrictions.

This scenario is for our WiFi users where we want to use a Captive portal.

How can I authenticate residential users that have moved from PPPoE to DHCP, because there is no way to type a user/pass like there is with the PPPoE client (Windows, home router...)?

I know that we can authorize them and compose a username with the MAC address and additionally circuit-id and remote-id, but I think we will have status "unauthenticated" under "show subscribers session all det".

In summary: New users should have DHCP only and it should be plug&play because we have the MAC address of the CPE and circuit/remote id (option 82). So the username should be MAC+CIRCUITID+REMOTEID in our RADIUS database, and password for all users in the same (e.g. 12345).

This is how I understood the guides I have found. Sorry for my ignorance, still new with BNG stuff


Cisco Employee

correct yeah, when you use the authorize statement, you can compose the username and predefine a password, if that succeeds based on that mac, vlan etc whatever you compose the username with, the "state" is still unauthenticated. This is just a state flag that we move when the user is actually authenticated with his own username and password, either from the line from ppp or as part of an account logon coa event.

you could construct your class for the event to separate the user type (ppp, dhcp) and for instance not check on the auth state for dhcp sessions.

Now the thing is also, I have requested the functionality to "SET" the auth state as part of a control policy action, but that has not yet been honored.

To me that makes the auth flag a bit less useful in a mixed session environment exactly as you have.

In other words, in your design, I think I would not check the auth state as part of your policy.

Because if the account logon succeeds we know the auth state already anyway.

xander

Bronze

Great, important is that I don't have any restrictions because of the "unauthenticated" flag. I hope that they will honor your request and release it in 4.3.3 .

After the captive portal is fully tested I will test authorization based on the composed username.

I love the granularity of Cisco BNG.

Thank you Xander.

Cisco Employee

Working on it mate, 433 may not be an a9k release, but I usually get my way in some release (ssh don't tell ).

Awesome to hear you like the 9k BNG!!

talk to you soon!

xander

Bronze

Hello Xander,

it's me again

I configured DHCP snooping and option 82 on the access switch (C2960). Additionally I have this on my BNG

dhcp ipv4

profile IP_SUB proxy

  helper-address vrf default 10.100.14.109 giaddr 10.100.30.1

relay information option

  relay information option allow-untrusted

!

interface Bundle-Ether992.3127 proxy profile IP_SUB

I tried to manually add remote-id on BNG and it is working fine, and we will probably prepend remote-id.

But for now I need some clarification regarding circuit-id and remote-id that I see after enabling option 82

RP/0/RSP0/CPU0:BNGDEMO#show subscriber sess all det

Fri Jul 19 08:50:01.414 UTC

Interface:                Bundle-Ether992.3127.ip201

Circuit ID:               00040c3700e0

Remote ID:                0006d867d924ffe9

Type:                     IP: DHCP-trigger

IPv4 State:               Up, Fri Jul 19 08:50:01 2013

IPv4 Address:             10.100.30.100, VRF: default

Mac Address:              000a.e43c.a077

Account-Session Id:       00000051

Nas-Port:                 Unknown

User name:                unknown

Outer VLAN ID:            3127

Subscriber Label:         0x00000051

Created:                  Fri Jul 19 08:50:00 2013

State:                    Activated

Authentication:           unauthenticated

Access-interface:         Bundle-Ether992.3127

Policy Executed:

policy-map type control subscriber IP_SUB_PMAP

  event Session-Start match-first [at Fri Jul 19 08:50:00 2013]

    class type control subscriber IP_SUB do-until-failure [Succeeded]

      10 activate dynamic-template IPSUB_TEMPLATE [Succeeded]

      20 activate dynamic-template HTTP_FORCE_REDIRECT [Succeeded]

Session Accounting:

Method-list:              default

Accounting started:       Fri Jul 19 08:50:01 2013

Interim accounting:       Off

Last COA request received: unavailable

I thought that I will see under circuit-id something I can interpret, interface ID and VLAN and more?

Do I have to configure something on the external DHCP server which is running on Linux, or is the dhcp ipv4 config enough that I have on the BNG?

p.s. I researched about Option 82 and could not find anything that could clarify this output. Do you have an show subscriber output that I could use as reference?

I only found out that C37 (Circuit ID: 00040c3700e0)
is my VLAN ID 3127 thanks to this picture.

[screenshot attached: Capture.PNG]

Bronze

I also have problems with CoA.

This is the config:

aaa server radius dynamic-author

port 1700

client 10.100.13.133 vrf default server-key 7 00263D2127742A

client 10.100.14.108 vrf default server-key 7 00263D2127742A

coa_w32.exe -n 10.100.11.6 -p 1700 -k BNGCOA -1 1,asr1 -2 2,1asr1

is returning this message:

CoA Client (version 2.6),(c) April-2012,

xander thuijs CCIE#6775 Cisco Systems Int.

Using COA with :

NAS: a640b06

Port: 1700

Secret: BNGCOA

Timeout: 2 (0 means indefinite wait)

COA: NAS did not honour our request! (ID 6)

User/pass should work because it's working for PPPoE user.

I tried with -f logon (cfg file)

ip-address=10.100.11.6

secret=BNGCOA

destport=1700

attribute1=44,0000005b

attribute2=26,9,1,subscriber:command=account-logon

attribute3=26,9,1,subscriber:password=1asr1

attribute4=1,asr1

And I get this:

C:\>coa_w32.exe -f logon

CoA Client (version 2.6),(c) April-2012,

xander thuijs CCIE#6775 Cisco Systems Int.

        Unrecognized token, skipping: 'timeou

Using COA with :

NAS: a640b06

Port: 1700

Secret: BNGCOA

Timeout: 1 (0 means indefinite wait)

COA: NAS did not honour our request! (ID 93)

Removing "timeout=1", the error message says

Unrecognized token, skipping: 'attribute'

I have this under show subscriber:

RP/0/RSP0/CPU0:BNGDEMO#show subscriber sess all det

Fri Jul 19 13:57:03.464 UTC

Interface:                Bundle-Ether992.3127.ip202

Circuit ID:               00040c3700e0

Remote ID:                0006d867d924ffe9

Type:                     IP: DHCP-trigger

IPv4 State:               Up, Fri Jul 19 12:17:07 2013

IPv4 Address:             255.255.255.254, VRF: Internet

Mac Address:              000a.e43c.a077

Account-Session Id:       0000005b

Nas-Port:                 Unknown

User name:                asr1

Outer VLAN ID:            3127

Subscriber Label:         0x0000005b

Created:                  Fri Jul 19 12:17:06 2013

State:                    Activated

Authentication:           authenticated

Access-interface:         Bundle-Ether992.3127

Policy Executed:

policy-map type control subscriber IP_SUB_PMAP

  event Session-Start match-first [at Fri Jul 19 12:17:06 2013]

    class type control subscriber IP_SUB do-until-failure [Succeeded]

      10 activate dynamic-template IPSUB_TEMPLATE [Succeeded]

      20 activate dynamic-template HTTP_FORCE_REDIRECT [Succeeded]

  event Account-Logon match-first [at Fri Jul 19 13:35:36 2013]

    class type control subscriber IP_SUB do-until-failure [Succeeded]

      10 authenticate aaa list default [Succeeded]

      20 deactivate dynamic-template HTTP_FORCE_REDIRECT [Succeeded]

  event Account-Logon match-first [at Fri Jul 19 13:55:02 2013]

    class type control subscriber IP_SUB do-until-failure [Succeeded]

      10 authenticate aaa list default [Succeeded]

      20 deactivate dynamic-template HTTP_FORCE_REDIRECT [Failed]

  event Account-Logon match-first [at Fri Jul 19 13:57:00 2013]

    class type control subscriber IP_SUB do-until-failure [Succeeded]

      10 authenticate aaa list default [Succeeded]

      20 deactivate dynamic-template HTTP_FORCE_REDIRECT [Failed]

Session Accounting:

Method-list:              default

Accounting started:       Fri Jul 19 12:17:07 2013

Interim accounting:       Off

Last COA request: Fri Jul 19 13:57:00 2013

COA Request  Attribute List: 0x500ec6d4

1:  string-session-id len=  8  value= 0000005b

2:  password        len=  5  value= <opaque value>

3:  username        len=  4  value= asr1

4:  command         len= 14  value= account-logon

Last COA response: Result NACK

COA Response  Attribute List: 0x500ec8e4

1:  error-cause     len=  4  value= Resource Unavailable

2:  reply-message   len=  9  value= CoA error

5th edit

http://www.youtube.com/watch?v=Z_Hw9i_TcGY

@3:38 I see your portal. Is this custom made, or does the BNG have one?

I am asking because I see the user's IP address, mac address, acct session id.

portal.PNG

Any idea?

Cisco Employee

remoteID and circuitID are sort of free form text strings also, so it is really whatever the dhcp relay (in this case your switch) is inserting in it. Some also insert the actual interface name.

Show dhcp ipv4 proxy binding detail gives also very good info on the ID's before and after proxy modification.

The port designator in your circuit ID is 0/224 but that seems a bit high. But then, this value is inserted by the relay agent, we just take the string value and provide it in the output. What type of relay agent is inserting the option 82 info?

RemoteID is generally a mac address and gives an idea of what the remote device is. This mac address (if that is what it represents in this scenario) may be from the relay agent, but that is not something I would expect.

You probably need to consult with the relay agent documentation as to how it inserts option 82.

xander

Cisco Employee

As for the account logon issue:

I see that the COA tool you are using is a bit of an oldie already (version 2.2), the latest version is 2.9 (release notes are on the page where you downloaded it from). There was an issue in that release whereby an empty line in the config file chokes the parsing. I think that that is what you are suffering from.

Either end the config file with an "END" directive, or remove the last empty line from that config. I want to say download the latest win version, but in all honesty, I haven't been doing a good job in updating the windows version ever since I moved to a MAC (and don't have a windows compilation ability easily).

Another option is to use the CLI string to do the account logon like this:

coa -n 10.86.188.99 -p 1700 -k cisco -1 44,00001234  -2 26,9,1,subscriber:command=account-logon -3 26,9,1,subscriber:password=PASS -4 1,USER -t 3

The specific error you are seeing can be caused by this:

1) because the last line is not parsed properly, you may not get the right return response, fix with either option discussed here.

2) I see the user is authenticated already; subsequent account logon requests don't succeed anymore then, but I would expect the COA return error to be this:

COA Response  Attribute List: 0x10011a50

1:  error-cause     len=  4  value= Invalid Request

2:  reply-message   len=  9  value= CoA error

3) the user's username and password are incorrectly sent to the radius-server and there is no account logon event class properly configured directing to radius.

     Check the radius profile and make sure the service-type is NOT present in that radius profile, that generally chokes the IPSUB auth also!

Check with the debug radius to see what attributes are returned in the access-accept (or maybe there is an access-reject)

That portal you are looking at is something quickly put together for a demo. It is a simple web page that talks to the BNG to get some subscriber info and prints it on the page, then it has 3 buttons: login (account logon) and a QOS profile application from the portal (eg a Turbobutton model).

Depending on which button is pressed, the web page calls the COA tool you have to send a specific request to the BNG to execute that desired change. Do you think there is value if we package a demo portal into XR code for evaluation purposes?

regards

xander

Cisco Employee

The COA error you see:

1:  error-cause     len=  4  value= Resource Unavailable

2:  reply-message   len=  9  value= CoA error

Is generally seen with an incorrect user profile returning.

Since it may have been an access accept I think the state moves to authenticated, but the end result is error because the profile attributes could not be applied.

What does the user profile look like in radius?

(suspect presence of service-type=[enum]).

regards

xander
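To make the CoA exchange discussed in the last few posts concrete (the coa CLI line with -1 44,... -2 26,9,1,subscriber:command=account-logon ..., and the NACK with error-cause "Resource Unavailable" / "Invalid Request"), here is an added example, written for this thread and not Cisco's coa tool, that builds an RFC 5176 CoA-Request with those attributes, signs it with the Request Authenticator, and validates and decodes a CoA-NAK. The NAS-side NAK builder is constructed here only to exercise the parser; the session id, username and secret values are taken from the cfg file pasted above.

```python
"""RFC 5176 CoA messages of the kind the coa tool in this thread sends to the
BNG: Acct-Session-Id (44) plus Cisco AV-pairs (26, vendor 9, type 1) carrying
subscriber:command=account-logon, subscriber:password and User-Name (1).
Example code written for this thread, not Cisco's coa tool."""
import hashlib
import struct

CODE_COA_REQUEST, CODE_COA_ACK, CODE_COA_NAK = 43, 44, 45
ATTR_USER_NAME, ATTR_REPLY_MESSAGE, ATTR_VENDOR_SPECIFIC = 1, 18, 26
ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 44, 101
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

# RFC 5176 section 3.5 Error-Cause values (the two seen in this thread plus a few more)
ERROR_CAUSES = {
    404: "Invalid Request", 501: "Administratively Prohibited",
    503: "Session Context Not Found", 506: "Resource Unavailable",
}


def attr(atype, value):
    """Encode one RADIUS attribute: Type (1), Length (1, includes header), Value."""
    if isinstance(value, str):
        value = value.encode()
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific (26) wrapping Vendor-Id 9 and Cisco-AVPair (vendor type 1)."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def radius_packet(code, ident, authenticator, attrs):
    """Code (1), Identifier (1), Length (2), Authenticator (16), Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_coa_account_logon(session_id, username, password, secret, ident):
    """Return (packet, request_authenticator) for an account-logon CoA-Request.

    Attribute order mirrors the coa CLI line in the thread: -1 44,... -2 command
    -3 password -4 username.  The password travels as a plain AV-pair, exactly
    as the tool sends it, which is why the CoA client list and key matter."""
    attrs = (attr(ATTR_ACCT_SESSION_ID, session_id)
             + cisco_avpair("subscriber:command=account-logon")
             + cisco_avpair("subscriber:password=" + password)
             + attr(ATTR_USER_NAME, username))
    # RFC 5176 4.1: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    unsigned = radius_packet(CODE_COA_REQUEST, ident, bytes(16), attrs)
    req_auth = hashlib.md5(unsigned + secret.encode()).digest()
    return radius_packet(CODE_COA_REQUEST, ident, req_auth, attrs), req_auth


def parse_attrs(data):
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return out


def parse_coa_response(packet, request_authenticator, secret):
    """Validate the Response Authenticator and pull out Error-Cause / Reply-Message."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs = packet[20:]
    # RFC 5176 4.2: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret.encode()).digest()
    result = {"code": code, "id": ident, "authentic": expected == packet[4:20],
              "error_cause": None, "reply_message": None}
    for atype, value in parse_attrs(attrs):
        if atype == ATTR_ERROR_CAUSE and len(value) == 4:
            cause = struct.unpack("!I", value)[0]
            result["error_cause"] = ERROR_CAUSES.get(cause, "unknown (%d)" % cause)
        elif atype == ATTR_REPLY_MESSAGE:
            result["reply_message"] = value.decode("utf-8", "replace")
    return result


def build_coa_nak(request_packet, error_cause, reply_message, secret):
    """NAS side, constructed here only to exercise the parser: the NAK a BNG would
    return with Error-Cause (101) and Reply-Message (18), signed over the
    request's authenticator."""
    ident, req_auth = request_packet[1], request_packet[4:20]
    attrs = attr(ATTR_ERROR_CAUSE, struct.pack("!I", error_cause)) + attr(ATTR_REPLY_MESSAGE, reply_message)
    resp_auth = hashlib.md5(radius_packet(CODE_COA_NAK, ident, req_auth, attrs) + secret.encode()).digest()
    return radius_packet(CODE_COA_NAK, ident, resp_auth, attrs)


if __name__ == "__main__":
    # Constructed values from the thread's cfg file: session 0000005b, user asr1, secret BNGCOA.
    req, req_auth = build_coa_account_logon("0000005b", "asr1", "1asr1", "BNGCOA", 93)
    nak = build_coa_nak(req, 506, "CoA error", "BNGCOA")
    print(parse_coa_response(nak, req_auth, "BNGCOA"))
```

A response whose Response Authenticator does not verify against the request authenticator and the shared secret should be discarded rather than interpreted, which is also why the dynamic-author client list on the BNG should only contain the portal host that actually sends CoA.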

Bronze

I have 2.6 for windows. I don't see 2.9 in the attachment in this document https://supportforums.cisco.com/docs/DOC-16677

We have the same problem on Linux tool.

I did some proper debugs and found out that the user has some attributes configured which could prevent a successful logon.

I will check this with the RADIUS guy and tell him to create a new user for this test.

It's already too late, and I have to wait until I am back from vacation, but I can't wait to see this working

Regarding the portal I have seen on youtube. I see that there is some information about the user listed and I would like to know how you did that. How can I send all this information that I have in show subscriber sess all detail about this user to the portal so that the user knows what IP address, session-id etc. it has (it's good for help desk!)

This is a mystery for me

And yes it would be really nice if the BNG package would have an embedded portal which could be used for less experienced people and small scale deployments.

Cisco Employee

I very much love your enthusiasm! We'll get this to work for you together!

A sample profile for your account logon user could be this:

ipsub   Password="cisco"

        Cisco-avpair="ipv4:inacl=PERM_ALL"

        Cisco-avpair="ipv4:outacl=PERM_ALL"

Make sure you define the ACL PERM_ALL with a permit ipv4 any any or something like that.

The way the portal works:

it is an apache with perl and the coa tool.

First step is that the opening page reads the subscriber ip address via the perl environment variable.

Then the portal logs in via telnet to the BNG doing a sneaky route lookup to find the interface that this address is routed to. This is needed because there is currently no account ping or session -query in COA, ddts filed for this: CSCuc45110.

Now that we know the subscriber interface we can do a show command to find out the variables that are displayed on the portal in the table. At the same time the session ID is derived from that show command also and put as a hidden field in the display form.

Depending on what button is pressed, the COA is invoked with the right profile and the appropriate session ID derived from the earlier investigation.

The COA response is read and displayed to the user with a success or fail and a potential reply message if there was any.

Here is my suggestion, I'll work on the integration of that sample portal in a package in XR for test. When you come back from your vacation ping me. If it is not yet in XR, then I'll prepare some package for you to play with.

Works? and enjoy your vacation!

cheers!

xander

----

Xander Thuijs CCIE #6775

Principal Engineer ASR9000

Bronze

Wow, great

I am looking forward for your package. This would help me a lot!

I see that you did some scripting for your demo portal in order to get the info we saw on youtube.

I always asked myself how the BNG knows for what session-id the entered credentials are (that are entered by the user on the portal and sent back to BNG with the CoA feature).

After this part is solved I can finally start to test other possibilities that Cisco BNG is offering.

And regarding circuit-ID and remote-ID (I replied but it looks like that it got lost). We are using a Cisco 2960 Catalyst switch as access switch with IP DHCP snooping for our VLAN 3127 and Option 82 enabled, and I can see the binding.

The DHCP relay or in our case DHCP proxy is the BNG (I hope that this is what you have asked).

I see that the received and inserted Remote IDs are different:

RP/0/RSP0/CPU0:BNGDEMO#sh dhcp ipv4 proxy binding detail

Fri Jul 19 17:53:34.378 UTC

MAC Address:                 000a.e43c.a077

VRF:                         default

Server VRF:                  default

IP Address:                  10.100.30.100

Giaddr from client:          0.0.0.0

Giaddr to server:            10.100.30.1

Server IP Address:           10.100.14.109

Server IP Address to client: 10.100.30.1

ReceivedCircuit ID:          0x00-04-0c-37-00-05

InsertedCircuit ID:          0x00-04-0c-37-00-e0

ReceivedRemote ID:           0x00-06-00-15-63-d6-d2-40

InsertedRemote ID:           0x00-06-d8-67-d9-24-ff-e9

ReceivedVSISO:               -

InsertedVSISO:               -

Auth. on received relay info:FALSE

Profile:                     IP_SUB

State:                       BOUND

Proxy lease:                 600 secs (00:10:00)

Proxy lease remaining:       457 secs (00:07:37)

Client ID:                   0x01-0x00-0x0A-0xE4-0x3C-0xA0-0x77

Access Interface:            Bundle-Ether992.3127

Access VRF:                  default

VLAN Id:                     3127

Subscriber Label:            0xdc

Subscriber Interface:        Bundle-Ether992.3127.ip203

This in not so important now, we will test it with a DSLAM and probably get better info about circuit-id,

We will need this so we can compose a username with MAC+Circuit-ID+Remote-ID, or we can try with "first sight" so that the username is entered in the RADIUS database after the CPE is plugged in for the first time. I think this could work but this is more a job for the RADIUS guys, but I would like to see this working
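The Circuit-ID and Remote-ID strings in the two outputs above (00040c3700e0 / 0006d867d924ffe9 in show subscriber, and the Received vs Inserted pairs in the proxy binding) can be decoded mechanically. The following is an added example for this thread, not Cisco code; it assumes the Catalyst DHCP-snooping default layout (Circuit-ID = 00 04 VLAN(2) module(1) port(1), Remote-ID = 00 06 switch-MAC(6)), which is consistent with the VLAN 3127 reading above and the 0/224 port reading earlier in the thread. Any other layout is reported as unknown rather than guessed, since the relay is free to insert whatever it likes. The username helper assumes the three fields are joined with "#" as an aaa attribute format with separator # would do.

```python
"""Decode DHCP option 82 Circuit-ID / Remote-ID strings as printed by
'show subscriber session ... detail' and 'show dhcp ipv4 proxy binding detail'.
Written for this thread (not Cisco code).  Assumes the Catalyst default
snooping format: Circuit-ID = 00 04 <VLAN:2> <module:1> <port:1>,
Remote-ID = 00 06 <switch MAC:6>.  Other relays use other layouts, so
anything else is reported as 'unknown' instead of being guessed."""


def id_bytes(text):
    """Accept '00040c3700e0' (show subscriber) or '0x00-04-0c-37-00-e0'
    (dhcp proxy binding) and return the raw bytes."""
    cleaned = text.strip().lower()
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    for sep in "-:.":
        cleaned = cleaned.replace(sep, "")
    return bytes.fromhex(cleaned)


def decode_circuit_id(text):
    """VLAN / module / port for the Catalyst default format, else 'unknown'."""
    data = id_bytes(text)
    if len(data) != 6 or data[0] != 0x00 or data[1] != 0x04:
        return {"raw": data.hex(), "format": "unknown"}
    return {"raw": data.hex(), "format": "cisco-default",
            "vlan": int.from_bytes(data[2:4], "big"), "module": data[4], "port": data[5]}


def decode_remote_id(text):
    """Switch MAC in Cisco dotted notation for the Catalyst default format, else 'unknown'."""
    data = id_bytes(text)
    if len(data) != 8 or data[0] != 0x00 or data[1] != 0x06:
        return {"raw": data.hex(), "format": "unknown"}
    mac = data[2:].hex()
    return {"raw": data.hex(), "format": "cisco-default",
            "mac": ".".join(mac[i:i + 4] for i in range(0, 12, 4))}


def proxy_rewrote(received, inserted):
    """True when a binding's Received and Inserted IDs differ, i.e. the proxy
    replaced the relay information instead of keeping the original."""
    return id_bytes(received) != id_bytes(inserted)


def subscriber_username(mac, circuit_id, remote_id, sep="#"):
    """Username of the form MAC<sep>CIRCUIT<sep>REMOTE; a missing field becomes
    an empty string.  Assumption for illustration: the parts are joined with
    '#' as in an 'aaa attribute format ... separator #' definition."""
    return sep.join(part or "" for part in (mac, circuit_id, remote_id))


if __name__ == "__main__":
    # Constructed from the binding output in the thread.
    print(decode_circuit_id("0x00-04-0c-37-00-05"), decode_circuit_id("0x00-04-0c-37-00-e0"))
    print(decode_remote_id("0x00-06-00-15-63-d6-d2-40"), decode_remote_id("0x00-06-d8-67-d9-24-ff-e9"))
    print("circuit-id rewritten:", proxy_rewrote("0x00-04-0c-37-00-05", "0x00-04-0c-37-00-e0"))
    print(subscriber_username("000a.e43c.a077", "00040c3700e0", "0006d867d924ffe9"))
```

Because these strings are supplied by the access device and copied verbatim by the BNG, a RADIUS username built from them is only as trustworthy as the relay that inserted them; a check like proxy_rewrote on the binding detail is the quickest way to confirm whether the values reaching RADIUS are the access switch's or the proxy's.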

Cisco Employee

Ok thanks for that info.

You may want to configure the :

dhcp ipv4

profile DEFAULT proxy

  relay information policy keep

in order to preserve the original option 82 info properly.

I think that because of proxy and in the current config you have, the BNG will feed some of its info into the option 82

(check the dhcp table above in the article on that also for more detail)

I remember now that the port ID is some sort of a port index and not really the interface number. I need to look up how the index maps to the actual interface port number, but it may be the IF index, I am not sure yet.

As for the portal, yeah ping me when you're back, I should have news surely then (assuming you'll take a pto of a week+ )

regards

xander

Bronze

Hello Xander,

I am back from vacation. I could not wait so I tested your CoA tool and finally got this message

"CoA: Request was accepted! (ID 200)"

Test laptop is now successfully reaching the internet

I am now pinging you back regarding the captive portal you have mentioned last time. I hope that you have good news for me

Cisco Employee

Very cool I am glad that it worked out! And welcome back!

Either the time went super fast or you had a short vacation . The package is not committed into any release yet,

but I have it prepared.

Can you send me a "private" message so I can mail this to you. Then if you can test drive it to make sure the instructions

are clear and working out then I'll publish this after everything is smoothened.

regards

xander

Bronze

I took only five days off. Thank you very much for the package, I will update you as soon we have it up and running.

Now I have another question regarding VRFs.

I am trying to put the subscriber in vrf PRIVATNI, but DHCP, Captive Portal and other services are in vrf default.

I created static routes with route leaking between the vrfs, but it looks like that after I get the IP address on my test laptop I am not able to ping the IP addresses where I am using route leaking, only the internet where the next hop is in the same vrf.

vrf PRIVATNI

  address-family ipv4 unicast

   0.0.0.0/0 10.100.37.113

   10.100.14.0/24 vrf default BVI3105 10.100.11.1

   192.168.32.0/24 vrf default BVI3105 10.100.11.1

router static

address-family ipv4 unicast

10.100.14.0/24 10.100.11.1

10.100.30.0/24 vrf PRIVATNI Loopback30

192.168.32.0/24 10.100.11.1

I think it is because of vrf default where I have to use loopback 30 as next hop, but the subscriber is on Bundle-Ether992.3127, or to be precise on Bundle-Ether992.3127.ip222, and I don't have it in the routing table.

I tried with Bundle-Ether992.3127 as next hop, but then nothing is working.

I tried with an IP address on the bundle interface (without ipv4 unnumbered) but then DHCP is not working anymore.

I have to test it a little bit.

Cisco Employee

yeah dynamic route leaking is tricky, I don't think this scenario is going to work easily.

Have you seen this doc for assistance on route leaking?

https://supportforums.cisco.com/docs/DOC-30871

Alternatively, you may want to open a TAC case for some assistance in that regard.

regards

xander

Bronze

Yes, in this case it's really tricky and I think we will just have more problems.

We will just use one vrf for subscribers and DHCP and other servers.

Do you know if we can use XML for our captive portal? I am using ASR Craft Tool which is using xml over telnet and

I can see subscriber information on this tool. I ask myself now if this can be used for captive portal.

I found this DOC http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.3/bng/configuration/guide/b_bng_cg43asr9k_appendix_01000.html#reference_01425A2A600D433BA0D0A1C80356E406

You have said that you have prepared a package for future IOS-XR release. Is this an embedded captive portal which can be used for several thousand users?

Cisco Employee

There is XML support for the a9k and the schemas are continuously expanded on. This means that if a certain command doesn't have a schema, it will produce raw output as what you would see with the regular show command and your mgmt client needs to screen scrape and parse output manually. Same as what the portal does now which I mailed you with telnet.

For embedding and public use of COA and portal inside XR I have filed CSCui35710.

I dont have a commitment for a release yet, but we'll make sure this happens some time soon reasonably.

cheers!

xander

New Member

Hi Xander,

Sorry to jump in between your fun discussion :). I'm just wondering if I want to change the ip address of subscriber gateway on BNG from binding into the physical interface :

interface Bundle-Ether1.100

description subs gateway

ipv4 address x.x.y.z

encapsulation dot1q 100

to become :

interface loopback0

ipv4 address x.x.y.z

interface Bundle-Ether1.100

description subs gateway

ipv4 point-to-point

ipv4 unnumbered loopback 0

encapsulation dot1q 100

As I recall, the restriction using unnumbered is that we can't use the ping command to verify the connectivity is reachable (I did it, ping to the same segment and the result was ".U.U."). I see a bunch of BNG config guide examples and most of them are using ip unnumbered, so then how to verify if the connection is reachable? Do I have to test the service itself instead of performing a simple ping?

Thanks and appreciate your feedback

Bronze

Hi,

I am using ipv4 unnumbered and p2p on the subscriber interface, and I can ping the GW IP address (which is on the loopback).

I doubt that you can use ipv4 unnumbered and ipv4 address xxyz on the same interface, this would be like having two IP addresses on the same interface (without the "secondary" statement)

Do you have some kind of ACL on dynamic template?

New Member

Hi there,

Thanks for the response. It's not putting both the ipv4 and unnumbered together, but currently my deployment on the customer side is using that ipv4 add on the gateway subs interface (BE2.xxx), not using unnumbered loopback. I haven't configured the dynamic template either since I just want to make sure the connectivity is put in place.

Currently the customer is expanding their broadband network, and when I'm testing using this new connectivity on the same segment:

BNG (ip unnumbered) --- [metro e] --- agg switch

I can't ping the switch ip address / vice versa. Those wording on  http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.3/addr_serv/configuration/guide/b_ipaddr_cg42a9k_chapter_01000.html#con_1116630

(IPv4 processing on an Unnumbered Interface) also justify the situation.

I hope that i'm missing something on the config so that it supposedly can be deployed.

Thanks

Bronze

Subscriber node got an IP address via DHCP, and do you have something under show subscriber session all detail?

You should get subscriber info and there should be a subscriber interface like this one "Bundle-Ether1.100.ip222".

You can share a part of the config with us if you like.

New Member

Hi there,

Thanks for your feedback. As I mentioned before, I'm still building the connectivity between BNG and subscriber aggregation switch. I haven't jumped into dynamic template, dhcp config and service profiling and so on. What I deployed previously (using ipv4 add bound on BE2.xxx) is already running in production and working properly & as expected.

My concern is, within my expansion deployment, I want to change the method from binding to a physical interface into unnumbered loopback, where I can't ping each other to verify the connectivity.

sorry if I confuse you, and looking forward for any findings matters (:

Bronze

Got it

Lets see what Xander has to say, he is the expert.

Cisco Employee

hey guys,

the ip address on the access interface is only necessary to enable IP and consume the dhcp discovers.

you generally don't want full ip access on the access interface so an ACL permitting only dhcp inbound will prevent users with retained ip addresses to gain access to the network via the bundle access interface.

The address on the dynamic template is the one that we are pinging against when there is an ip subscriber session established. Since we have a binding that is used for forwarding returning the icmp replies.

It is true that in a native unnumbered scenario on a multipoint access interface (ethernet, gige, tengige, bundle-e etc) you need a static arp entry in order to find the way back to the client, but since we don't want users to use the bundle access we can either use the ACL to block any non dhcp traffic on the access interface and the dhcp binding will help us route back to the subscriber interface once it is established.

regards

xander

New Member

Hi Xander,

Thanks for your comprehensive explanation, that's why it can't get pinged eh? so in other words, I can assume that the reachability is there once the session is established and the only way to verify the deployment is to test the service itself.

Thanks 

Cisco Employee

correct the bundle-access you can't ping when unnumbered, and frankly you wouldn't want that either.

you don't want to give people the idea that there is connectivity when there is no subscriber context.

a connectivity verification can be achieved by seeing the dhcp discovers coming in, triggering AAA requests and binding creation on the device.

regards

xander

New Member

Hi Xander,

Thanks, that makes it much clearer. Another concern that I want to have your feedback on is: when deploying lots of BNGs with a distributed model (across multiple cities) using parameterized QoS rather than normal QoS (configured on BNG), do you see any caveats? any particular concern with pQoS? FYI the AAA is cisco too (CAR).

Appreciate any feedback

Thanks

Cisco Employee

hi there,

pQOS is merely a qos policy on a per user basis, where radius defines the actual parameters for the predefined classes.

this is irrespective of the centralized vs distributed model.

I am personally indifferent whether the access model needs to be distributed (BNG close to the edge) or centralized (using metro rings and terminating subscribers at a centralized location).

Both models have pros and cons. With 9k's high scale, centralized makes more sense, if your access ring can provide the bandwidth assigned and allocated to the subscribers.

How you apply the QOS to the subs dynamically, that is predefined complete policies referenced by radius to be applied to the subscriber, OR the ability to modify and manipulate the subscriber CLASS definitions inside the policy map (that is to deviate from the original bw or priority setting and/or insert/remove classes of the subscriber policy = pQOS) depends on the scale needs.

9K can only hold so many unique policies and using pQOS will make the sub policy unique, so there is a limit there, but it provides for a massive granular ability to define true per user QOS.

The radius server used does not matter either, although I very much appreciate you using CAR . All this is defined in VSA's that any radius server can use really.

regards

xander

New Member

Hi Xander,

appreciate your prompt response (: well this was actually my first QoS implementation using pQoS, I'm afraid I missed some literature with this scheme, yet those are just my preventive action.

Thanks again for the crystal clear explanation

Bronze

Quick question for you Alexander.

Is it also possible to get subscriber info with SNMP? I see that Lawful intercept is using SNMP to get per user sessions, which includes account-session-id.

This could also mean that we can use SNMP for our Captive portal?

Also, DHCP proxy lease time is a little bit confusing. I see that default lease time is 600 sec.

I configured 300, but lease time did not change. I also configured 5000 sec, but it was still 600.

Am I doing anything wrong? I checked the config guide, and I don't see anything special.

Cisco Employee

XR43 starts to see more and more snmp support for the bng solution.

the subscriber mib is there (and the aaa server mib), but I believe only for ppp sessions which holds some info useful.

other stuff for ip sessions, dhcp bindings, ip pools and the like are 5x deliverables.

lease proxy would "rewrite" the received lease time from the server to the configured value to the client.

the client will renew against the bng at half lease time configured.

at half lease time from the server we'd be relaying that dhcp renew to the server.

so it only works for new sessions established after the config change.

regards

xander

Bronze

I always re-establish the session when I change the dhcp lease, but it still does not change, really weird.

I have to look a little bit deeper into that.

Cisco Employee

hmm that is interesting. If this is a lab environment, maybe it is easy for you to capture some traces.

The most important ones are the debug dhcp ipv4 proxy err/ev and debug dhcp ipv4 packet.

A sniffer capture from your client would be good to have also to see what it is receiving from the proxy/bng.

When you have those traces, it might be best to open a tac case with that info as that is easier to work on a case like this than via the support forums.

regards

xander

Bronze

Ok, I will do that as soon as I am done with the other tests I have to do on this BNG.

600 seconds is ok, but I would like to be able to change it.

Thank you Alexander.

Bronze

Hello Xander,

I have again a few questions for you.

First one is if it's possible to deauthenticate the user without terminating the session (logoff)?

For example, a user has logged in to the Captive Portal; after some time he wants to logout, so he can login later again.

Using logoff the session is being terminated and maybe some CPE will not detect that and will not send DHCP discovery again, or the user has to reconnect the cable again. That is why we would like to set the authentication status to "unauthenticated" again.

Second question is about VRF. Is it possible to put the user in a VRF with help of RADIUS attributes?

We have this setup on Ericsson Redback 800. While testing the Cisco BNG I used "vrf forwarding" on the access interface because it's a L3 interface, and user was automatically in the VRF because of the access interface.
