Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

ASR9000/XR: BNG VSA's (vendor specific attributes) and Services



This document provides an overview of Vendor Specific attributes that can be used in the ASR9000 BNG solution. They can either be used as part of the Access Accept Radius message or COA requests to change the behavior of the session.

Vendor Specific Attributes


1. RADIUS Attributes for pQoS



sub: indicates AVPair targets MQC policy on a subscriber session
<class-list>: identifies class to be added/removed or modified in the MQC policy
Multiple classes may be specified to modify classification in a nested (child) MQC policy
<qos-action-list>: policy actions to be added/overwritten in targeted class in MQC policy (see table below)
Supported QoS features:
•Shaping rate and percentage
•Policing rate and percentage
•Marking (CoS, DSCP, IP Prec)
•Queueing (minBW, BW remaining, priority, WRED, queue-limit)



QOS FeatureAction format in Radius attribute




police-rpct(<conform-rate-in-pct>,<conform-burst-in-us>,<exceed-rate-in-pct>,<exceed-burst-in-us>,    <conform-action>,<exceed-action>,    <violate-action>)

police(<conform-rate-in-kbps>,<conform-burst-in-kBytes>,<exceed-rate-in-kbps>,<exceed-burst-in-kbytes>,   <conform-action>,<exceed-action>,   <violate-action>)


















AVPair:“ip:qos-policy-out=add-class(sub,(class-default, VIDEO_CM), set-ip-dscp(af41), bw-abs(256))



2. VSA's for Account operations (services and logon/off)



PrimitiveRadius AVP
Account Logon

authentication cpe12 CoA cisco123

attribute 44 “<string>”                               <<< Accounting Session ID

vsa cisco generic 1 string "subscriber:command=account-logon"

Account Logoff

attribute 44 “<string>”                               <<< Accounting Session ID

vsa cisco generic 1 string "subscriber:command=account-logoff"

Account update

(used to change a profile)

attribute 44 “<string>”                               <<< Accounting Session ID

vsa cisco generic 1 string "subscriber:command=account-update”

<radius attributes to set/update>

Service Activate

attribute 44 “<string>”                               <<< Accounting Session ID

vsa cisco generic 1 string "subscriber:sa=<service-name>”

Service De-Activate

attribute 44 “<string>”                               <<< Accounting Session ID

vsa cisco generic 1 string "subscriber:sd=<service-name>”



All these operations from the first column, report an event to the control policy.


RP/0/RSP0/CPU0:A9K-BNG(config-pmap)#event ?

  account-logoff              Account logoff event

  account-logon               Account logon event

  authentication-failure      Authentication failure event

  authentication-no-response  Authentication no response event

  authorization-failure       Authorization failure event

  authorization-no-response   Authorization no response event

  exception                   Exception event

  service-start               Service start event

  service-stop                Service stop event

  session-activate            Session activate event

  session-start               Session start event

  session-stop                Session stop event

  timer-expiry                Timer expiry event



Accounting session ID is the preferred session identifier. You can also use the framed-ip-address to key on the subscriber and the vrf (if applicable)

(IPv4 only):


Attribute 8: Framed-IP-Address


and starting 4.2.1:


Attribute 8: Framed-IP-Address + AVPair: ip:vrf-id=<vrf name>


Template comparison to radius attribute





Dynamic Template cmd

RADIUS Attribute


Service Activation

Service Activation






Network Forwarding

IP addess source intf

ipv4 unnumbered <interface>




PPP framed address




framed-ip-address=<IPv4   address>

PPP Address Pool

ppp ipcp peer-address pool <addr pool >



ipv4:addr-pool=<addr pool name>

PPP framed pool




framed-pool=<addr pool name>

PPP framed route






vrf <vrf name>



subscriber:vrf-id=<vrf name>


ppp ipcp dns <pprimary dns ip> <secondary dns ip>



ip:primary-dns=<primary dns ip>

Ip:secondary-dns=<secondary dns ip>

DHCP classname







Traffic Accounting


accounting aaa list <method list> type session



subscriber:accounting-list=<method list>

Interim Interval

accounting aaa list <method list> type session periodic-interval <minutes>



Acct-Interim-Interval   <minutes>

Dual Stack Accnt Start Delay

accounting aaa list <method list> type session dual-stack-delay <secs>




Session Administration


keepalive <sec>





Absolute Timeout

ppp timeout absolute <sec>




Idle Timeout

timeout idle <sec>






Traffic conditioning

HQoS(with SPI)

service-policy input <in_mqc_name> shared-policy-instance <spi-name>

service-policy output <out_mqc_name> shared-policy-instance <spi-name>



subscriber:sub-qos-policy-in=<in_mqc_name> [shared-policy-instance   <spi-name> ]

subscriber:sub-qos-policy-out=<out_mqc_name> [shared-policy-instance   <spi-name>]





subscriber:qos-policy-in=add-class(target policy (class-list) qos-actions-list)

subscriber:qos-policy-in=remove-class(target policy (class-list))

subscriber:qos-policy-out=add-class(target policy (class-list) qos-actions-list)

subscriber:qos-policy-out=remove-class(target policy  (class-list))

Subscriber ACLs/ABF

ipv4 access-group <in_acl_name> in

Ipv4 access-group <out_acl_name> out

ipv6 access-group <in_v6acl_name> in

ipv6 access-group <out_v6acl_name> out








service-policy type pbr <HTTR policy   name>



subscriber:sub-pbr-policy-in=<HTTR policy name>



IPv6 Attributes



Defined By

Received In

IPv6 Client

Address Assignment

Dynamic Template   equivalent config

Framed-Interface-Id (96)





ppp ipv6cp peer-interface-id <64bit #>

Framed-IPv6-Prefix (97)






Framed-IPv6-Route (99)


Access-Accept CoA




Framed-IPv6-Pool (100)





ipv6 nd   framed-prefix-pool <name>

Framed-ipv6-Address   (*)




DHCP6 (Local   Server)






DHCP6 (Local   Server)

dhcpv6   address-pool <name>

Delegated-IPv6-Prefix-Pool   (*)




DHCP6 (Local   Server)

dhcpv6   delegated-prefix-pool <name>

DNS-Server-IPv6-Address   (*)




DHCP6 (Local   Server)

To be   configured in DHCPv6 server profile





DHCP6 (Local   Server)




IETF has not yet allocated numeric values for newly defined attributes in


Following Cisco VSAs have been temporarily defined to close such gap


“ipv6:addrv6=<ipv6 address>”






“ipv6:ipv6-dns-servers-addr=<ipv6   address>”


Radius Accounting bytes and packets


the following accounting attributes pertaining to packet accounting for the ASR9000 solution, also specific to IPv6



Defined By


Acct-Input-Octets     (42)


Session input total   byte count

Acct-Input-Packets    (47)


Session input total   packet count

Acct-Output-Octets    (43) 


Session output   total byte count

Acct-Output-Packets (48)


Session output   total packet count

Cisco VSA   (26,9,1): acct-input-octets-ipv4


Session input IPv4   byte count

Cisco VSA   (26,9,1): acct-input-packets-ipv4


Session input IPv4   packet count

Cisco VSA   (26,9,1): acct-output-octets-ipv4


Session output IPv4   byte count

Cisco VSA   (26,9,1): acct-output-packets-ipv4


Session output IPv4   packet count

Cisco VSA   (26,9,1): acct-input-octets-ipv6


Session input IPv6   byte count

Cisco VSA   (26,9,1): acct-input-packets-ipv6


Session input IPv6   packet count

Cisco VSA   (26,9,1): acct-output-octets-ipv6


Session output IPv6   byte count

Cisco VSA   (26,9,1): acct-output-packets-ipv6


Session output IPv6   packet count

Cisco VSA   (26,9,1): connect-progress


Indicates   Session set up connection progress



Dynamic Route insertion


RADIUS attribute example  for different type of framed-route:


PPPoE V6 route

Framed-IPv6-Route = "45:1:1:1:2:3:4:5/128 :: 4 tag 5”


PPPoE v4 route

Framed-Route = " 6 tag 7”


IPoE v4 route

Framed-Route = "vrf vpn1 vrf vpn1 4 tag 5”


4. Route destribution (please don't!)


router bgp 100

address-family ipv4 unicast

  redistribute subscriber <route-policy>


Xander Thuijs CCIE#6775

Principal Engineer, ASR9000


Dear Xander, thank you for the great doc.

In my system i observe  several fields with different values in Acc-Stop message from BNG:

               Cisco-AVPair = acct-input-octets-ipv4=34179

                Cisco-AVPair = acct-input-packets-ipv4=165

                Cisco-AVPair = acct-output-octets-ipv4=6989

                Cisco-AVPair = acct-output-packets-ipv4=53

                Cisco-AVPair = acct-input-octets-ipv6=0

                Cisco-AVPair = acct-input-packets-ipv6=0

                Cisco-AVPair = acct-output-octets-ipv6=0

                Cisco-AVPair = acct-output-packets-ipv6=0

                Acct-Status-Type = Stop

                Acct-Delay-Time = 0

                Acct-Input-Octets = 27171

                Acct-Output-Octets = 8946

                Acct-Session-Id = 000001c7

                Acct-Session-Time = 184

                Acct-Input-Packets = 97

                Acct-Output-Packets = 58

According this attributes description document - in my case session input total byte count defined by RFC2866 shows less bytes than ipv4 session byte count defined by Cisco.

My question:

How to differentiate these values and what do they show?

Logics tells me that IPv6 bytes + IPv4bytes = total or?

Thank you, Artsiom Maksimenka

Cisco Employee

Hi Artsiom, thsi is a bug, can you file a TAC case and have them open a sw defect for tracking please?



Hi Xander, I want to inform about this bug,  ID is  CSCui79108.

Thank you.


Cisco Employee

Yup I got a notification from the tac engineer and he filed that ddts which I am working on getting assigned to the right people. Thanks for that!



New Member

Hi Alex,

i'm deploying IPoE in version 5.1.0, and the BNG can accept Framed-IP-Address and Framed-IP-Netmask from RADIUS. is it possible we sending default-gateway CPE from RADIUS ?

thank you


Cisco Employee

Hi Anderson,

yes you can do that too, via a VSA:




New Member

Hi Alex,

That's Great !

cause i would like to do IPoE Allocation address via Radius. 

is this the right format ? (from AuthFile Users Radius)


     Framed-IP-Address =,

     Framed-IP-Netmask =,

     cisco-avpair = ipv4:default-ipv4-gateway=

i have tried to put that attribute but seems failed.

MAC Address      IP Address      State    Remaining       Interface          VRF      Sublabel

--------------  --------------  ---------  ---------  -------------------  ---------  ----------

000c.4270.3bb0         INIT_REQUEST_DPM_WAIT 47         BE100.905            default    0x0       *

* Next renew request from this client will be NAK'd in order to recreate subscriber session

New Member

hi alex,

i am applying policy-map through

Cisco-AVPair(1): subscriber:sub-qos-policy-in=BE-10m

I see this this in access-accept packet.. However This AVPair is not appearing in accounting update/interm . Is this normal behaviour?? is there anyway to to make this AVPair appear in Accouting packets?

Cisco Employee

Hi asad,

can you make sure tht the policy is applied to the subscriber session via

show policy-map interface bundle-eX.Y.<subscriber>

if it is there, then ti should appear in the accounting records, and if not, then I would like you to file a tac case

with the release and show info so we can have this fixed up. policy info should be inserted into accounting records.



New Member

Yes Alex it is being applied on the session.

show subscriber session all detail internal shows all parameters are correctly applied.. But qos parameters are not visible in any of the accouting packets and appearing only in access-accept packet.

Last COA request received: unavailable

User Profile received from AAA:

Attribute List: 0x10010b44

1:  addr            len=  4  value=

2:  netmask         len=  4  value=

3:  sub-qos-policy-in len=  6  value= BE-10m

4:  sub-qos-policy-out len=  6  value= BE-10m

also show policy-map interface bundle-eX.Y.<subscriber> shows that policy is correctly applied.

I will go for tac case now.. This 4.3.1 already has CSCug21959 which is making debugging difficult to interperate.


Hi all,

are those av-pairs ok?

Idea is to have a pool for framed prefix and delegated prefix.

It is for dualstack!

Cisco-AVPair = "vrf-id=DUALSTACK"

Cisco-AVPair = "ip:addr-pool= DS_PPPoEv4"

Cisco-AVPair = "subscriber:sub-qos-policy-in= 512_in"

Cisco-AVPair = "subscriber:sub-qos-policy-out= 4096_out"

Cisco-AVPair = “ipv4:ipv4-unnumbered= Loopback1068”

and now for IPv6

Cisco-AVpair = “ipv6:delegated-ipv6-pool = DELEGATES_PREFIX_POOL”

Cisco-AVpair = "ipv6:ipv6-dns-servers-addr=SOME_DNS_IPv6_ADDRESS"

Cisco-AVPair = "subscriber:sub-qos-policy-in= 512_in"

Cisco-AVPair = "subscriber:sub-qos-policy-out= 4096_out"

I do not have access to RADIUS server and I have to send this to the RADIUS guy.

It would be nice if I do not have to send it 10 times because I made a mistake

Cisco Employee

hey smail,

the access-request is done only once for dual stack also.

so the access accept should return the profile providing both v4 and v6 info.

this means you can only have one set of v4/v6 qos policies and not two.

another gotcha is that the dns v6 server can only be a single addr, noted as a limited and worked on for extension.

make sure your dyntpl has the v6 enable config

and of course a routable v6 addr as peer addr.




Hi Xander,

thanks for the hint. I also doubted that double av-pair attributes are needed.

I have prepared a dynamic-template from the config guides and your documents and I have ipv6 enable in it.

And with "routable v6 address as peer" you mean global IPv6 address for subscribers?

What is the exact syntax for "Framed-IPv6-Prefix"? Maybe "Cisco-AVpair = “ipv6:Framed-IPv6-Prefix = FRAMED_PREFIX_POOL”?

I am trying to figure all this out, reading config guides, forums and open TAC for assistance because of limited time for the project. I will know more when I see all this in action

This is my template:



  ppp authentication chap pap

  keepalive 30

  ppp ipcp dns

  ppp ipcp peer-address pool DS_PPPoEv4

  ipv4 mtu 1492

  ipv4 unnumbered Loopback1068

  ipv6 mtu 1492

  ipv6 enable

  ipv6 verify unicast source reachable-via rx

  ipv6 unreachables disable

  dhcpv6 address-pool FRAMED_PREFIX_POOL

  dhcpv6 delegated-prefix-pool DELEGATED_PREFIX_POOL

Cisco Employee

hey there smail, you make long days these days

the precise formatting of the framed-ipv6-prefix is dependent on your radius server what it can encode, but generally it is in the form of 2001::1/48 or something like that, this provides the delegated prefix

But because you provide the address and pool already in the template, there is no need to pass on these atts via radius again.

You can omit the radius ones, unless you want to override what you have done in the template.

I dont think you really need v6 RPF enabled because that is something native in the binding forwarding already.

uRPF cost a lot of pps, and the binding is used for forwarding (downstream) and check against the mac/addr binding on ingress (upstream).





Oh yes, very long days. Fortunately we will start today with the tests, and not next week

So I can finally test some things.

You are right about the dynamic-template, if I already have the delegated prefix and framed prefix in the template, then I do not need pass it via RADIUS. I forgot that.

I will only pass the vrf, qos and dns server via radius.

Thank you for the hint about uRPF. I saw that you are using uRPF, but for IPv4 here

Is it the same for IPv4 and v6, in regards of cost of pps?

Cisco Employee

Ah, if you do vrf's then I wanted to let you know about another interesting thing.

I see you have an unnumbered on the dynamic template already.

If this is not in the same vrf already as the vrfID you are passing from radius, then this looks like to the system you are doing a vrf transfer that it can't support.

So when you want to assign the vrf, the unnumbered and vrfID are best path BOTH from radius

and not having the unnumbered on the dynamic template.

uRPF is the same pps performance impact for v4 and v6. Basically it means we have to do a full leaf lookup on ingress which costs a bit of pps.



New Member

Hi xander,

im still not able to send default gateway from Radius to CPE using this attribute "ipv4:default-ipv4-gateway=<gateway>"

I also looked the IOS-XR has release version 5.1.1, do you think is gonna work on newest version ?

thank you


Cisco Employee

I notice that I might need to add a sw ver column to the tables, to identify in which release certain things are supported for clarity! I apologize.

I checked the sources and it seems that this attribute was added for 510.

I would recommend taking the 511.

I havent tested this myself so I cant say from personal experience whether this works or not, but for sure the attribute definition is there in 510+. (Still looking for the handler in ipoe!)



New Member

Hi Xander,

i have upgrade my ASR9001 to version 5.1.1 but still i have no luck to give default-gateway to CPE.

and the CPE has already receive IP address and Netmask from the Radius, only default-gateway that CPE doesn't recieved.

radius user config:


                Class = service-a,

                Framed-IP-Address =,

                Framed-IP-Netmask =,

                Cisco-avpair = "ipv4:default-ipv4-gateway=",

                Delegated-IPv6-Prefix = 200x:abc:abc:4::/64

for IPv6 is perfectly working from radius.

do you think i should open tac for this case ?

thank you


Cisco Employee

hi anderson, yeah I am afraid a tac case is best for this, because we need to collect some traces and find out why this default gateway is not passed on into the dhcp offer to the subscriber.

When you open the tac case make sure you collect:

debug dhcp ipv4 pack/err/event

debug dhcp ipv4 proxy event/int/<cr>

debug radius det

there may be a few more necessary, but this will give a good start from the dhcp and radius point of view.




Hi guys,

I am making good progress. IPv6 is working with local DHCP IPv6 server. Now I want to use RADIUS for prefix delegation

and SLAAC for framed prefix. Unfortunately this is not working.

This is the working config:

pool vrf dualstack ipv6 DS_FRAMED_POOL

address-range 2a02:27b0:4040:: 2a02:27b0:4040::fffe


pool vrf dualstack ipv6 DS_DELEGATED_POOL

prefix-length 56

network 2a02:27b0:4400::/40


dhcp ipv6

profile DS_DHCP server

  lease 0 1 0

  dns-server 2001:4860:4860::8844

  prefix-pool DS_DELEGATED_POOL

  address-pool DS_FRAMED_POOL


interface subscriber-pppoe profile DS_DHCP



  ppp authentication chap pap

  keepalive 30

  ppp ipcp dns

  accounting aaa list default type session

  ipv4 mtu 1492

  ipv4 unnumbered Loopback10068

  ipv6 mtu 1492

  ipv6 enable

  dhcpv6 address-pool DS_FRAMED_POOL

  dhcpv6 delegated-prefix-pool DS_DELEGATED_POOL

Then I removed the dhcp ipv6 server and dhcpv6 delegated-prefix-pool DS_DELEGATED_POOL

and added ipv6 nd framed-prefix-pool DS_FRAMED_POOL under the dynamic-template.

And in RADIUS I have this:

Cisco-AVPair = "ipv6:delegated-ipv6-pool=DS_DELEGATED_POOL"

Here is the error, please take a look at the disconnect reason.

"debug pool allocations" is not giving any info about IPv6!

Interface:                Bundle-Ether12.3102.pppoe1530

Circuit ID:               MALTA_3 atm 1/1/07/40:8.35

Remote ID:                Unknown

Type:                     PPPoE:PTA

IPv4 State:               Up, Mon Feb 10 13:20:00 2014

IPv4 Address:   , VRF: dualstack

Mac Address:              a0ec.801e.ed84

Account-Session Id:       000019a6

Nas-Port:                 Unknown

User name:                dual2

Outer VLAN ID:            3102

Subscriber Label:         0x00000076

Created:                  Mon Feb 10 13:20:00 2014

State:                    Activated

Authentication:           authenticated

Access-interface:         Bundle-Ether12.3102

Policy Executed:

policy-map type control subscriber BNG_DUALSTACK

  event Session-Start match-all [at Mon Feb 10 13:20:00 2014]

    class type control subscriber MATCH_DS do-until-failure [Succeeded]

      1 activate dynamic-template BNG_DUALSTACK_TEMPLATE [Succeeded]

  event Session-Activate match-all [at Mon Feb 10 13:20:00 2014]

    class type control subscriber MATCH_DS do-until-failure [Succeeded]

      1 authenticate aaa list default [Succeeded]

Session Accounting:       

  Acct-Session-Id:          000019a6

  Method-list:              default

  Accounting started:       Mon Feb 10 13:20:00 2014

  Interim accounting:       Off

Last COA request received: unavailable

[Last IPv6 down]

Disconnect Reason:        ND - Interface state down or pool allocation



I changed from

pool vrf dualstack ipv6 DS_FRAMED_POOL

address-range 2a02:27b0:4040:: 2a02:27b0:4040::fffe


pool vrf dualstack ipv6 DS_FRAMED_POOL

prefix-length 64

prefix-range 2a02:27b0:4040:: 2a02:27b0:4040:ffff::

and the modem gets a prefix, but the delegation is still not working.

I have to check if Free Radius is responsible for this.

New Member

hi xander,

after i debug my router doesn't recieved the attribute. any idea why this is happened ?

Cisco-avpair = "ipv4:default-ipv4-gateway="

RP/0/RSP0/CPU0:Feb 11 11:39:10.286 : radiusd[1114]:  RADIUS: Received from id 80 my_radiator_ip:1645, Access-Accept, len 82

RP/0/RSP0/CPU0:Feb 11 11:39:10.286 : radiusd[1114]:  RADIUS:  authenticator 5C F0 4F BD 3E 28 31 07 - 3D 93 3C 81 B5 A1 A9 A6

RP/0/RSP0/CPU0:Feb 11 11:39:10.286 : radiusd[1114]:  RADIUS:  Framed-IP-Address   [8]     6

RP/0/RSP0/CPU0:Feb 11 11:39:10.286 : radiusd[1114]:  RADIUS:  Class               [25]    10      service-a

RP/0/RSP0/CPU0:Feb 11 11:39:10.286 : radiusd[1114]:  RADIUS:  Framed-IP-Netmask   [9]     6

RP/0/RSP0/CPU0:Feb 11 11:39:10.286 : radiusd[1114]:  RADIUS:  Delegated-IPv6-Prefix[123]   20             

RP/0/RSP0/CPU0:Feb 11 11:39:10.287 : radiusd[1114]: Freeing server group transaction_id (14000024)

New Member

Hi xander,

beside the IPoE, i also deploying PPPoE dual stack in ASR9001. for IPv4 everything is working fine with my scenario. but for IPv6 i have a little problem. the subscriber have succeed to get IPv4 and IPv6 address. but seems like the IPv6 Traffic is stuck in the BNG. im sure i have verify the routing ipv6 accross my network it is right, no problem with the IPv6 Routing.

this is my 1st time deploying PPPoE dual stack in IOS-XR Platfrom, i've done this before in IOS-XE platform and it working well.

# version 5.1.1

# my CPE has IPv6 default-route which got from the BNG

# my CPE can ping to loopback IPv6 BNG but my CPE can't ping other IPv6 network in internet.

# if i change it into IPoE, the CPE can ping IPv6 among my network and internet.

# in IOS-XR platform, how can we define ipv6 unnumbered <interface> ?, because i used it in my virtual-template at IOS-XE platform.

# if i traceroute from my CPE, the 1st hop is link-local my BNG address. if i compare with IOS-XE the 1st hop is my IPv6 loopback router.


type ppp PPPOE

  ppp authentication pap chap

  keepalive 10

  ppp ipcp dns ip.dns.1 ip.dns.2

  accounting aaa list default type session periodic-interval 5

  ipv4 mtu 1492

  ipv4 unnumbered Loopback0

  ipv6 enable

class-map type control subscriber match-any PPPOE

match protocol ppp


policy-map type control subscriber PPPOE

event session-start match-first

  class type control subscriber PPPOE do-until-failure

   10 activate dynamic-template PPPOE



event session-activate match-first

  class type control subscriber PPPOE do-until-failure

   10 activate dynamic-template PPPOE

   20 authenticate aaa list default

   interface Bundle-Ether100.908

description "Test Subscriber Interface VLAN908"

service-policy type control subscriber PPPOE

pppoe enable bba-group PPPOE

encapsulation dot1q 908

show subscriber session all 

PPPoE:PTA    BE100.908.pppoe228       AC (default)             

                                                200a:d1a:9408:40::/64 (default)     

                                                200a:d1a:9409:40::/64 (default)   

sh ppp interfaces

Tue Feb 11 16:54:08.876 GMT

Bundle-Ether100.908.pppoe247 is up, line protocol is up

  LCP: Open

     Keepalives enabled (10 sec, retry count 5)

     Local MRU: 1492 bytes

     Peer  MRU: 1480 bytes


     Of Peer: PAP (Completed as mikrotik-iosxr)

     Of Us:   <None>

  IPCP: Open

     Local IPv4 address:

     Peer IPv4 address:

     Peer DNS primary:

     Peer DNS Secondary:

  IPv6CP: Open

     Local IPv6 address: fe80::8678:acff:fe2b:7263

     Peer IPv6 address:  fe80::a

Cisco Employee

Aha that is interesting!! can you check the logs from your radius server to see if it was able to find the definition

for the Cisco-avpair in the dictionary?

also it looks like you may be using radiator, which generally wants to be restarted if the user files change (I thought).

this is not a bNG problem we are facing here, but something in the radius server.

Attributes are also case sensitive, so check what the dictionary definition is for 26,9,1 (vendor specific, cisco, clear text avpair/cisco-avpair). And use the precise capitalization in your users profile.



Cisco Employee

you are probably using a SLAAC assignment on the WAN side of your CPE.

So a few things to try are:

-ping from the cpe with the source address of your "inside"/LAN interface to make sure the ping is soruced with a routable and not a link local address

-verify the routing on your CPE to see what the default points to

-enable a debug icmp to find out how the ping is sourced and where it comes from

-if it keeps timing out, set a retransmit high and a timeout to 0 and start the ping, verify the NP counters on the ingress side of the npu and see if there is a drop counter associated with it that would point us to something.

we dont need an ipv6 unnumbered because we're doing link local on the wan side link.

that link local is provided by the ipv6 enable already.



New Member

hi xander

section PPPOE:

i can ping ipv6 from address LAN CPE to my loopback BNG, but outside of the BNG was RTO.

default route CPE is from link-local BNG = fe80::e6c7:22ff:fe55:9683

ping from cpe loopback address BNG

ping 200a:d1a::233 src-address=200a:d1a:9409:40:: 

HOST                                     SIZE TTL TIME  STATUS                  

200a:d1a::233                              56  64 1ms   echo reply              

200a:d1a::233                              56  64 1ms   echo reply              

200a:d1a::233                              56  64 1ms   echo reply              

200a:d1a::233                              56  64 1ms   echo reply              

200a:d1a::233                              56  64 1ms   echo reply              

    sent=5 received=5 packet-loss=0% min-rtt=1ms avg-rtt=1ms max-rtt=1ms

ping from cpe to another router loopback

ping 200a:d1a::2d src-address=200a:d1a:9409:40::

HOST                                     SIZE TTL TIME  STATUS                  

200a:d1a::2d                                            timeout                 

200a:d1a::2d                                            timeout                 

200a:d1a::2d                                            timeout                 

200a:d1a::2d                                            timeout

is this what you mean about the NP counters ?

show controllers NP counters np0 location 0/0/CPU0 | i IPV6

Wed Feb 12 14:51:39.045 UTC

102  PARSE_ING_IPV6_LINK_LOCAL                                934           0

111  PARSE_EGR_INJ_PKT_TYP_IPV6                               255           0

115  PARSE_EGR_INJ_PKT_TYP_IPV6_PREROUTE                     2573           0

116  PARSE_EGR_INJ_PKT_TYP_IPV6_LINK_LOCAL                    132           0

158  PARSE_DROP_IPV6_DISABLED                                   1           0

558  RSV_EGR_IPV6_LINK_LOCAL                                  132           0

864  IPV6_TTL_ERROR                                           169           0

946  PUNT_IPV6_ADJ_NULL_RTE                                    13           0

section IPOE:

i do believe that i have the attribute :

# Here are some attributes that will allow us to work with Cisco


VENDOR          Cisco   9

VENDORATTR      9       cisco-avpair                        1       string

VENDORATTR          9       Cisco-NAS-Port                      2       string


user file :


                Class = service-a,

                Framed-IP-Address =,

                Framed-IP-Netmask =,

                cisco-avpair = "ipv4:default-ipv4-gateway=",

                Delegated-IPv6-Prefix = 2001:d10:9409:4::/64

and now BNG has received the attribute cisco-avpair:

RP/0/RSP0/CPU0:Feb 12 13:29:54.113 : radiusd[1109]:  RADIUS:  authenticator C4 F2 46 A9 66 40 43 6F - 31 84 EA FC E3 AB 53 36

RP/0/RSP0/CPU0:Feb 12 13:29:54.113 : radiusd[1109]:  RADIUS:  Framed-IP-Address   [8]     6

RP/0/RSP0/CPU0:Feb 12 13:29:54.113 : radiusd[1109]:  RADIUS:  Class               [25]    10     service-a

RP/0/RSP0/CPU0:Feb 12 13:29:54.113 : radiusd[1109]:  RADIUS:  Framed-IP-Netmask   [9]     6

RP/0/RSP0/CPU0:Feb 12 13:29:54.113 : radiusd[1109]:  RADIUS:   Vendor-Specific    [26]    47     

RP/0/RSP0/CPU0:Feb 12 13:29:54.113 : radiusd[1109]:  RADIUS:  Delegated-IPv6-Prefix[123]   20    

     but still my CPE didn't get the default-gateway from BNG.

thanks for the helps




Isarnet is asking if it's possible to get replicated accounting info from the BNG for CGNAT logging (IsafFlow).

Idea is that the BNG sends accounting to the RADIUS server and the same packets to IsarFlow.

Can this be done with adding a new radius server group in the aaa subscriber accounting line?

I can not test this now because of missing software, so I have to ask here.

Thank you!

Cisco Employee

You want to send duplicate accounting records to 2 servers at the same time?

If so yes that can be done; this is called broadcast accounting and can be defined under your server-group that is used for the accounting list.

If you want to modify the accounting records by adding packets/bytes to it, no that cannot be done.




Aha, I saw this broadcast command a few minutes ago.

Thank you Xander.

Hello Xander et al,

Finally does this AVP work? We tried on our ASR9k 5.1.1

Cisco-AVPair = "ipv4:default-ipv4-gateway="

is parsed successfully but not applied.



Cisco Employee

hi artisom, yes that avp is supported in 511 onwards and it looks like the syntax is also correct from your example.

if it doesnt work, you probably best off opening a tac case and collect the debug dhcp ipv4 <cr>/err/event and debug dhcp ipv4 proxy er/ev/packet and and a debug radius <detail>



New Member

Hi Xander,

We have noticed some differences in acct-in/out-octet acct attributes that probably show some problems. Below you can see the relevant part of an acct stop record:

        Acct-Input-Octets = 152778724
        Acct-Input-Packets = 1852008
        Acct-Output-Octets = 943026125
        Acct-Output-Gigawords = 1
        Acct-Output-Packets = 3531687
        cisco-avpair = "acct-input-octets-ipv4=64681186"
        cisco-avpair = "acct-input-packets-ipv4=1445526"
        cisco-avpair = "acct-output-octets-ipv4=3977486916"
        cisco-avpair = "acct-output-packets-ipv4=2763969"
        cisco-avpair = "acct-input-octets-ipv6=25126226"
        cisco-avpair = "acct-input-packets-ipv6=406402"
        cisco-avpair = "acct-output-octets-ipv6=1140423734"
        cisco-avpair = "acct-output-packets-ipv6=767594"

We assume that Acct-Input/Output-Octets are the sum of IPv4+IPv6 octects mentioned in the av-pairs (this is true in ASR1K).

The results show some differences though:

Acct-Output-Octets = 5237993421 (943026125 + 4294967296)
acct-output-octets-ipv4 +acct-output-octets-ipv6 = 5117910650
diff: 120082771 (2,3%)

Acct-Input-Octets = 152778724
acct-input-octets-ipv4 + acct-input-octets-ipv6= 89807412
diff: 62971312 (41%)

Are we doing something wrong or some counters don't provide the correct values?


We have also noticed that while debugging radius, several attributes are shown as unsupported although they work correctly. For example:

Debur Radius (ASR9K):

radiusd[1114]:  RADIUS:  Acct-Status-Type    [40]    6       Unsupported[33554432]

at the same time, our Radius (Radiator) is receiving the correct value:

Acct-Status-Type = Start

I have the whole output with several similar examples, if you want to investigate it further.


I was also wondering if Cisco-Policy-Up, Cisco-Policy-Down radius attributes are going to be supported in the future. We could use sub-qos-policy-in, sub-qos-policy-out instead, but it would need some massive changes in our LDAP we would like to avoid if possible.




Hi Xander, 

Thank you for the answer.

We've opened a TAC case (629388785) right on the day of your recommendation, no help so far, tried several things with TAC engineer.

Will post the result as we get the answer.



Hi Xander!

Finally we got the correct solution: VSA value was incorrect.

The correct attribute is Cisco-AVPair = ipv4:ipv4-default-gateway=

Tested, it works.

User Profile received from AAA:

 Attribute List: 0x1000ed34

1:  addr            len=  4  value=

2:  netmask         len=  4  value=

3:  ipv4-default-gateway len=  4  value=

4:  sub-qos-policy-in len= 26  value= __sub_1730ffffffd0ffffffd0

5:  sub-qos-policy-out len= 26  value= __sub_1730ffffffd0ffffffd0

Thank you




New Member

Artsiom, this saved me a lot of time! 



Hi Xander,


is the AV-Pair "Service Activation 26 9,1 subscriber:sa=<service-name>" for 

 type service TEST1 


is it for service-policy under the interface? If yes, then it's just great because customer would like to put users in dynamic-template via RADIUS.

interface Bundle-Ether12.3102
 description # DUALSTACK Downlink #
 service-policy type control subscriber BNG_DUALSTACK   ----- I would remove this and pass the                                                                                                                            dynamic tempalte via RADIUS

pppoe enable bba-group BNG_BBA
 encapsulation dot1q 3102


I am also asking myself if it's possible to do this with policy-map type control subscriber 

where I can activate multiple dynamic-template, but I have to check how to differentiate the user (PPPoEv4 only or PPPoE dualstack).


Cisco Employee

Good question Smail!

the subscriber:sa=xx refers to a dynamic template of type service.

the VSA has the same effect as an activate dynamic template on the control policy.

In the dynamic type <type> NAME, the "<type>" basically provides the CLI to a different set of sub commands. For instance if the type is ipsubscriber vs ppp different commands are available under that dynamic template. The type service provides the ability to reference this also via RADIUS and define a service on that template for activation and de-activation dynamically.




Hi Xander,


so this is ONLY for type service or not? I am not 100% if I understood you, sorry for that :)

You said "the VSA has the same effect as an activate dynamic template on the control policy."

Does this mean that I can pass the "dynamic template type ppp BNG_DUALSTACK_TEMPLATE"

via RADIUS with VSA -----  subscriber:sa=BNG_DUALSTACK_TEMPLATE

so that the user gets the DNS servers which are under this dyn. template, and all other parameters?


I still need a service-policy type control under the access-interface so I have a subscriber aware access-inteface?





Cisco Employee

If you want to pass dns servers dynamically you probably want to use the radius AVP's

ASCEND-PRIMARY/SECONDARY-DNS, numbers 136/137 (or the vsa equivalents, with the same effect).

the type ppp you will want to enable via the control policy.

as rule of thumb, you would want to use the type service via the radius avp's, not the type ipsubscriber or ppp.



Yes, I told the customer to pass DNS server via RADIUS and gave them the attriubutes

for primary and secondary DNS servers, but they still want to pass the template via RADIUS.


We tried it few minutes ago and it was working, but I don't like it. Passing DNS servers via RADIUS is a better approch and I recommended them to do it.


This is the session with subscriber:sa=BNG_HSI_TEMPLATE

  Service-ID  : 0x4000004
  Type        : Template
  Status      : Applied
  Name        : BNG_HSI_TEMPLATE
  Service-ID  : 0x4000006
  Type        : Multi Template
  Status      : Applied

New Member

hello xander

I also deploy PPPoE dual stack in ASR9001, and have same problem default gateway. I can ping all connected routed on bng, but nothing over the bng.

my ASR9001 provide to CPE ipv6 WAN in /64 using SLAAC and ipv6 LAN with DHCPv6-PD in /56

These subnets should be separate and accessible directly from bng, I mean ipv6 WAN and IPv6 LAN are seen as directly connected on bng.

So from CPE, or behind the CPE (with a laptop) I can only ping ipv6 connected route on bng.

* gateway for ipv6 WAN is local-link of bundle-Ethernet interface

* gateway for ipv6 LAN (checked on laptop) is "on-link"

And when I've done some ping and traceroute on laptop (win7) connected behind the CPE, the laptop use ipv6 WAN address as gateway. But as the ipv6 WAN cannot ping prefixes over bng (even theses are advertised in bgp), i have a time out.

So my questions:

* as there is no routing problem for me, whin CPE gateway is link-local and cammot send packet over bng?

* what do you thing the fact that ipv6 LAN provided by DHCPv6-PD, use ipv6 WAN (provided by SLAAC) as default gateway ?

Thanks for your answer.


Cisco Employee

Hi JP,

from the upstream, are you able to ping the WAN interface of the CPE and not the stations behind it?

and from the stations behind the CPE you can only ping the BNG access interface and not beyond?

If that is the case then that must be a routing issue, and likely of the client it sounds like.

We probably need to do some tshooting on the routing side and some show commands, but it may be easiest to do that via a TAC case to pull all the necessary info and provide some quick Q&A there. This method preferred also to protect your (public) addresses.

Verify with a traceroute from stations to upstream and upstream to stations where it breaks to find the point where the routing fails. Also re-verify the gateway setting ont eh station and cpe.

If that fails I think we need to pursue a tac case...



New Member

Hi Xander

Thanks for your answer.

I'll open a tac case.



New Member

Hi Xander!

Is it possible to remove pbr from subscriber through CoA if it was installed by 'subscriber:sub-pbr-policy-in' ?

Cisco Employee

you can't really, unless you overwrite it with a PBR that has no actions.

If you like to activate and deactive a service like this, then you are best off doing this:

dynamic-template type service MYSERVICE

service-policy type pbr NAME

and then

subscriber:sa=MYSERVICE (to activate/apply this PBR service)

subscriber:sd=MYSERVICE (to remove/deactivate)

cheers! xander

New Member

Thanks for the answer.

This work only if session established. When I try to apply service in the authorization proccess (dhcp subscribers), the subscriber session can't be established. I think this is a bug (ios xr 5.1.1).


My workaround for this is adding Service-Type=Framed together with Cisco-AVPair=subscriber:sa=SERVICE in Access-Accept, dhcp works fine with that
Cisco Employee

is your access-accept only containing the service activate? if that is the case then I know what the problem is.

We were just dealing with a similar situation yesterday whereby it became clear that only a service-activate constitutes an "empty profile" and that causes that trouble, by adding ANY attribute to the profile that is not skipped during activation the session operates fine.

so the solution you found is indeed the right trick.


New Member

Hi Xander,

Regarding the following:

4. Route destribution (please don't!)

How can I announce the per-user routes if not by redistributing them?

I am using a bras cluster, so I don't know which session/per user route will end up to each bras.




Cisco Employee


A better way is to announce the aggregate route or summary route to BGP for sake of scalability. When you say bras cluster, do you mean bng over ASR9K nV cluster(which is a single control plane) or two bras to work together useing PADO delay to share the load ? if it's the later, suggestion is to use different address pool on different box to make it easier for route redistribution.