New Member

ASR 9001 BNG dhcp and loopback problems

Hello everyone.

I am trying to configure bng on ASR 9001 (5.1.1) for IPoE using available configuration guides. The most confusing part for me is ip address on access interface. Generally there are three components encompassing/referring client's address space using ipv4 unnumbered lo or specific address: dynamic template, access interface and giaddr in dhcp proxy configuration. So if specific address block is allocated to a client and added to a dhcp server (for example 192.168.1.0/24), then giaddr will be one of the address in this block (192.168.1.1), dynamic template will have address from the same block (192.168.1.1), what ip will be applied to access interface? According to a guide for IPoE:

"The IP unnumbered interface for session (local) address assignment is a mandatory feature configured under an IP dynamic template, and provides basic settings for proper IP session establishment.  The unnumbered interface IP address will become the default gateway for the IP subscriber associated with the session. This address is also used as the "giaddr" in the dhcp proxy configuration to instruct the DHCP server to select an address in which this ipv4 add is routable in"

So I'm using same ip (192.168.1.1) from client block. Here is my configuration:
 

radius source-interface Loopback4000 vrf MANAGEMENT
radius-server vsa attribute ignore unknown
radius-server host 172.16.1.1 auth-port 1812 acct-port 1813
 key 7 XXXXXXXXXXXXXXXXXXXXX
 timeout 5
 retransmit 1
!

aaa group server radius BNG_RAD
 server 172.16.1.1 auth-port 1812 acct-port 1813
 vrf MANAGEMENT
 source-interface Loopback4000
!

aaa attribute format MY_AUTH
 mac-address
!
aaa attribute format NAS_PORT_FORMAT
 circuit-id plus remote-id separator .
!
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU type 32
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU
aaa radius attribute nas-port-id format NAS_PORT_FORMAT
aaa accounting subscriber default group BNG_RAD
aaa authorization subscriber default group BNG_RAD
aaa authentication subscriber default group BNG_RAD


dhcp ipv4
 vrf CLIENT proxy profile CLIENT
 profile CLIENT proxy
  helper-address vrf CLIENT 192.100.100.1 giaddr 192.168.1.1
  relay information option
  relay information policy keep
  relay information option allow-untrusted
 !
 interface GigabitEthernet0/0/0/0.50 proxy profile CLIENT
!

dynamic-template
 type ipsubscriber IPSUB_TPL
  vrf CLIENT
  ipv4 unnumbered Loopback346
  ipv4 access-group PERM_ALL ingress
  ipv4 access-group PERM_ALL egress
 !
!

ipv4 access-list PERM_ALL
 10 permit ipv4 any any
!

class-map type control subscriber match-any DHCP
 match protocol dhcpv4 
 end-class-map
!
!
policy-map type control subscriber IP_PM
 event session-start match-first
  class type control subscriber DHCP do-until-failure
   5 activate dynamic-template IPSUB_TPL
  !
 !
 end-policy-map
!

interface GigabitEthernet0/0/0/0.50
 description ### CLIENT SUBSCRIBERS ###
 ipv4 point-to-point
 ipv4 unnumbered Loopback346
 service-policy type control subscriber IP_PM
 encapsulation dot1q 50
 ipsubscriber ipv4 l2-connected
  initiator dhcp
 !
!

interface Loopback345
 description ### BASE UNUSED IP FOR ACCESS INTERFACE ###
 ipv4 address 11.11.11.11 255.255.255.255
!
interface Loopback346
 description ### SUBNET FOR SUBSCRIBERS ###
 vrf CLIENT
 ipv4 address 192.168.1.1 255.255.255.0
!
interface Loopback4000
 description ### Loopback for MANAGEMENT ###
 vrf MANAGEMENT
 ipv4 address 172.16.1.100 255.255.255.255
!


After committing, the session is not created and the debugs show these errors:
 

LC/0/0/CPU0:Mar 28 15:19:59.676 : dhcpd[154]: DHCPD ERROR: TP3301: Failed to get interface handle for  Loopback346
LC/0/0/CPU0:Mar 28 15:19:59.676 : dhcpd[154]: DHCPD ERROR: TP2526: Access interface Unknown with NULL primary address
LC/0/0/CPU0:Mar 28 15:19:59.676 : dhcpd[154]: DHCPD PROXY ERROR: TP1887: Giaddr policy error, chaddr d485.64eb.045c
LC/0/0/CPU0:Mar 28 15:19:59.676 : dhcpd[154]: DHCPD PROXY ERROR: TP1513: Process DISCOVER failed for chaddr d485.64eb.045c
LC/0/0/CPU0:Mar 28 15:19:59.676 : dhcpd[154]: DHCPD PROXY ERROR: TP1665: Proxy process client request packet failed for chaddr d485.64eb.045c
LC/0/0/CPU0:Mar 28 15:19:59.676 : dhcpd[154]: DHCPD ERROR: TP1675: Base process event returned failure for chaddr d485.64eb.045c: sub_label 0x4000038 (67108920)


If unnumbered loopback inside access interface is changed to loopback 345 containing  some unused ip address (11.11.11.11), then session is created, client received ip and everything is working. In debugs:
 

LC/0/0/CPU0:Mar 28 15:46:23.707 : dhcpd[154]: DHCPD ERROR: TP3301: Failed to get interface handle for  Loopback346
LC/0/0/CPU0:Mar 28 15:46:23.866 : dhcpd[154]: DHCPD EVENT: TP750: RSI event for interface received. Intf = GigabitEthernet0/0/0/0.50.ip10, VRF CLIENT, Event 0
LC/0/0/CPU0:Mar 28 15:46:37.599 : dhcpd[154]: DHCPD ERROR: TP2468: rib route delete failed, null ifhandle or IPv4 address
LC/0/0/CPU0:Mar 28 15:46:37.702 : dhcpd[154]: DHCPD ERROR: TP2678: DPM session disconnect for chaddr d485.64eb.045c, sub_label 0x0 (0) returned failure: 'Subsystem(4791)' detected the 'warning' condition 'Code(3)'
LC/0/0/CPU0:Mar 28 15:46:38.036 : dhcpd[154]: DHCPD EVENT: TP750: RSI event for interface received. Intf = GigabitEthernet0/0/0/0.50.ip10, VRF CLIENT, Event 1
LC/0/0/CPU0:Mar 28 15:46:40.364 : dhcpd[154]: DHCPD ERROR: TP3301: Failed to get interface handle for  Loopback346
LC/0/0/CPU0:Mar 28 15:46:40.498 : dhcpd[154]: DHCPD EVENT: TP750: RSI event for interface received. Intf = GigabitEthernet0/0/0/0.50.ip11, VRF CLIENT, Event 0


After session creation periodically the following warning is observed:
 

 LC/0/0/CPU0:Mar 28 10:46:45.043 : dhcpd[154]: %IP-DHCPD-4-INVALID_DEFAULT_GATEWAY : Invalid! default gateway, Client(d485.64eb.045c) Release/Renew send may fail


It must be noted that unused ip inside access interface is used by client as DHCP server's IP which forces client to send dhcp messages to a wrong address. 

Any help will be appreciated.

Cisco Employee

hi there,

ah you know, the access interface is in the global and your unnumbered in the vrf.

that won't work, you need to put the access interface in the same vrf as the unnumbered to have it working properly.

scenario 1 doesn't work for that reason.

scenario 2 doesn't work because there is a vrf xfer issue between the access-if and the subscriber.

you have to fix either one :)

cheers!

xander

Xander Thuijs CCIE #6775 Principal Engineer ASR9000, CRS, NCS6000 & IOS-XR
New Member

Thank you for the help :) My initial consideration was that only the dynamic template needs to be in the vrf, so during the creation of the ipsubscriber interface it will be placed in the correct vrf.

I've made following modifications:
1) bundle instead of a pure interface (although interface can be used in version 5.1.1)
2) access interface is in vrf now + ipv4 unnumbered lo346 with real ip address used as client gateway and giaddr
3) arp learning is disabled

The only problem which remains is generation of the following log as soon as a client session is up:

dhcpd[1081]: %IP-DHCPD-4-INVALID_DEFAULT_GATEWAY : Invalid! default gateway, Client(101f.74e5.0bad) Release/Renew send may fail

At the client side, gateway and dhcp server IPs are correct, pointing to bng. 

New Member

Hi,

We too are getting the

%IP-DHCPD-4-INVALID_DEFAULT_GATEWAY ....Release/Renew send may fail

error on a 9001 router that is acting just as a relay agent and not as a full dhcp server.

Everything seems to work; maybe a cosmetic error?

 

Regards

MM

New Member

Found!

 

https://tools.cisco.com/bugsearch/bug/CSCun75844/?referring_site=ss

 

just cosmetic!

MM

Cisco Employee

hey marco, you made my job very easy! nice find! nothing else to comment, but just to confirm that I read your note and agree with your assessment.

cheers!

xander

Xander Thuijs CCIE #6775 Principal Engineer ASR9000, CRS, NCS6000 & IOS-XR
New Member

Hi Alex,

 

How are you?

 

How can I separate the private IP pools from the public ones on the same access interface?

I want private to be in vrf, public in global.

Kindly 
Tural

Cisco Employee

hi tural!

if you have 2 different groups of users on the same access interface, you can use the dhcp class or some other matching in the dhcp discover to separate the users out. the config would look like this:

 

dhcp ipv4
 profile AutoSelectGiaddr proxy
  !
  class HardPhone1 <<< NAME OF A CLASS
   match option 60 hex 4861726450686F6E6531 <<< WHAT TO MATCH ON FROM DISCOVER
   helper-address vrf default 81.1.1.2 giaddr 10.1.1.254 <<< SET THE HELPER AND GIADDR (POOL SELECTION) TO THE DHCP SERVER
  !
  class HardPhone2
   match option 60 hex 4861726450686F6E6532
   helper-address vrf default 81.1.1.2 giaddr 172.28.15.254 <<< SAME HELPER, BUT DIFFERENT GIADDR SO DIFFERENT POOL.
  !
  relay information option
  relay information policy replace
  relay information option remote-id testme
  relay information option allow-untrusted
 !

radius can provide the gateway addr (eg the unnumbered loopback) and vrfID as necessary.

xander

Xander Thuijs CCIE #6775 Principal Engineer ASR9000, CRS, NCS6000 & IOS-XR
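
The class matching in the reply above, as an added example that is not part of the original post and not Cisco's code: it finds option 60 in a DISCOVER's options field and returns the giaddr of the matching class. The sample option fields are constructed, and exact-match semantics are an assumption of this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Option 60 values and giaddrs from the config above (hex ...6531 / ...6532). */
struct dhcp_class { const char *opt60; const char *giaddr; };
static const struct dhcp_class CLASSES[] = {
    { "HardPhone1", "10.1.1.254" },
    { "HardPhone2", "172.28.15.254" },
};

/* Constructed DISCOVER option fields: message type, option 60, END (255). */
static const uint8_t SAMPLE_PHONE2[] = { 53, 1, 1, 60, 10, 'H','a','r','d','P','h','o','n','e','2', 255 };
static const uint8_t SAMPLE_OTHER[]  = { 53, 1, 1, 60, 4, 'M','S','F','T', 255 };
static const uint8_t SAMPLE_TRUNC[]  = { 53, 1, 1, 60, 10, 'H','a','r','d' };

/* Walk the code/length/value options; NULL if absent or truncated. */
static const uint8_t *find_option(const uint8_t *o, size_t n, uint8_t code, size_t *len)
{
    size_t i = 0;
    while (i < n && o[i] != 255) {
        if (o[i] == 0) { i++; continue; }      /* PAD has no length byte */
        if (i + 1 >= n) return NULL;           /* length byte missing */
        size_t l = o[i + 1];
        if (i + 2 + l > n) return NULL;        /* value runs past the buffer */
        if (o[i] == code) { *len = l; return o + i + 2; }
        i += 2 + l;
    }
    return NULL;
}

/* giaddr of the first class whose option 60 matches exactly, else NULL. */
const char *select_giaddr(const uint8_t *o, size_t n)
{
    size_t len = 0;
    const uint8_t *v = find_option(o, n, 60, &len);
    if (!v) return NULL;
    for (size_t k = 0; k < sizeof CLASSES / sizeof CLASSES[0]; k++)
        if (len == strlen(CLASSES[k].opt60) && !memcmp(v, CLASSES[k].opt60, len))
            return CLASSES[k].giaddr;
    return NULL;
}

int main(void)
{
    const char *g = select_giaddr(SAMPLE_PHONE2, sizeof SAMPLE_PHONE2);
    const char *u = select_giaddr(SAMPLE_OTHER, sizeof SAMPLE_OTHER);
    const char *t = select_giaddr(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC);
    printf("%s %s %s\n", g ? g : "-", u ? u : "-", t ? t : "-");
    return 0;
}
```

Option 60 is set by the client, so this selects a pool and does not authenticate who is asking; a client can claim either class.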
New Member

Hi Alex Is it possible if I am using ASR 9k as DHCP Server ?

 

Kindly 

Tural

Cisco Employee

hi tural, yes you can, here is a ref on that:

http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r5-1/bng/configuration/guide/b_bng_cg51xasr9k/b_bng_cg51xasr9k_chapter_0101.html#concept_CA2B956D03FB4533A3653BD0119AC788

xander

Xander Thuijs CCIE #6775 Principal Engineer ASR9000, CRS, NCS6000 & IOS-XR
New Member

Hi Alex,

 

I was meaning is it possible to separate out Public from Private in the same access interface so that Public Pools would be in the global, but Private in the VRF when I use BNG as my DHCP Server.

 

In my configuration, when I put the access interface and loopback interface in the VRF, it is working, but I do not need that.

 

I want access interface be in the global. But somehow I have to separate the requests into 2 different pools - global and vrf.

Based on what I have to match the requests ?

 

Here is my config:

==============

 

pool vrf nat ipv4 VRF
 network 10.10.0.0/16 default-router 10.10.1.1/16
!
pool vrf default ipv4 PUB
 network x.x.x.x/24
!
!
dhcp ipv4
 profile BNG server
  class NAT
   lease 0 0 10
   pool VRF
   dns-server 10.10.1.2
   subnet-mask 255.255.0.0
   default-router 10.10.1.1
  !
  class PUB
   lease 0 0 10
   pool PUB
   dns-server 10.10.1.2
   subnet-mask 255.255.255.0
   default-router x.x.x.x/24
  !
 !
 interface Bundle-Ether1.131 server profile BNG
!
!
interface Bundle-Ether1.131
 ipv4 point-to-point
 ipv4 unnumbered Loopback100
 arp learning disable
 service-policy type control subscriber BNG-PM
 ipsubscriber ipv4 l2-connected
  initiator dhcp
 !
 encapsulation ambiguous dot1q 131 second-dot1q 1500-2000
!
!
type ipsubscriber IPoE-TPL
  vrf nat
  accounting aaa list ACCT-LIST type session periodic-interval 60
  ipv4 unnumbered Loopback100
!

 

It receives an IP but cannot find the access-interface; it shows status DOWN

================================================================

RP/0/RSP0/CPU0:FTTXBNG#sh  subscriber session all
Sun Apr 19 08:25:54.882 UTC
Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
       ID - Idle, DN - Disconnecting, ED - End

Type         Interface                State     Subscriber IP Addr / Prefix                              
                                                LNS Address (Vrf)                              
--------------------------------------------------------------------------------
IP:DHCP      No                       CD        10.10.0.11 (nat)                    
RP/0/RSP0/CPU0:FTTXBNG#

Kindly

Tural

New Member

Hi Alex,

 

I was meaning is it possible to separate out Public from Private in the same access interface so that Public Pools would be in the global, but Private in the VRF when I use BNG as my DHCP Server.

 

In my configuration, when I put the access interface and loopback interface in the VRF, it is working, but I do not need that.

 

I want access interface be in the global. But somehow I have to separate the requests into 2 different pools - global and vrf.

Based on what I have to match the requests ?

Kindly

Tural

Cisco Employee

the access interface can remain in global that is no problem. you can use the dynamic template or radius to instruct the user's table.

the addr allocation is defined by the giaddr from the dhcp ipv4 config.

so in order to separate the users you need to have some sort of differentiator it can be :

dhcp class (this dhcp class can be downloaded from radius also).

if downloaded from radius, then you can use the option 82 info in the discover as a username (whether or not with the mac addr) so the radius can derive if this user is the global or vrf user.

based on that classification, the dhcp proxy can use that class differentiator to set the different giaddr to pick different pools.

xander

Xander Thuijs CCIE #6775 Principal Engineer ASR9000, CRS, NCS6000 & IOS-XR
New Member

Hi Alex Is it possible if I am using ASR 9k as DHCP Server ?

 

Kindly 

Tural

New Member

I have the same error message on asr9010 and ios xr 5.3.3. There is no full dhcp server on router, just a relay. Message shows only one specific mac on that particular subnet. It does not fit to CSCun75844.

But there is no noticeable effect on functionality.

Cisco Employee

Do you possibly have DHCP inform messages going around?

if that is the case, which it smells like, since you don't see any affected problems here and also it is said that the ip addr and gateway are fine, then I can explain it as follows.

There is a check in sw that does this:

In the code we have this condition:
if ((server_id & subnet_mask) != (pak->yiaddr & subnet_mask)) {

so basically if the address of the user and subnet doesn't fit in the gateway and subnet, we spit this message, BUT the issue is with DHCP INFORM. When we send ACK on INFORM, yiaddr will be 0.0.0.0 as per RFC. So this check will fail and print that message.

need to fix that in sw.

so if you have inform, you can ignore this.

xander

Xander Thuijs CCIE #6775 Principal Engineer ASR9000, CRS, NCS6000 & IOS-XR
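
The condition quoted in the reply above, run over three constructed replies, as an added example that is not part of the original post and not Cisco's code. `warns_guarded` is a hypothetical guard written for this illustration, not the vendor fix; the off-subnet case reuses the 11.11.11.11 loopback address from the first post's second scenario.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Dotted quad to host byte order. The constructed inputs below are all valid. */
static uint32_t ip(const char *s)
{
    struct in_addr a = { 0 };
    inet_pton(AF_INET, s, &a);
    return ntohl(a.s_addr);
}

/* The condition quoted in the post: nonzero means the warning is logged. */
int warns_quoted(uint32_t server_id, uint32_t yiaddr, uint32_t subnet_mask)
{
    return (server_id & subnet_mask) != (yiaddr & subnet_mask);
}

/* Hypothetical guard (an assumption): a reply that assigns no address,
 * such as the ACK to an INFORM, has nothing to compare against. */
int warns_guarded(uint32_t server_id, uint32_t yiaddr, uint32_t subnet_mask)
{
    if (yiaddr == 0)
        return 0;
    return warns_quoted(server_id, yiaddr, subnet_mask);
}

/* Constructed replies: description, server id, yiaddr, subnet mask. */
struct reply { const char *what, *server_id, *yiaddr, *mask; };
static const struct reply REPLIES[] = {
    { "ACK to REQUEST",       "192.168.1.1", "192.168.1.50", "255.255.255.0" },
    { "ACK to INFORM",        "192.168.1.1", "0.0.0.0",      "255.255.255.0" },
    { "server id off-subnet", "11.11.11.11", "192.168.1.50", "255.255.255.0" },
};

int main(void)
{
    for (size_t i = 0; i < sizeof REPLIES / sizeof REPLIES[0]; i++) {
        const struct reply *r = &REPLIES[i];
        uint32_t s = ip(r->server_id), y = ip(r->yiaddr), m = ip(r->mask);
        printf("%-22s quoted=%d guarded=%d\n", r->what,
               warns_quoted(s, y, m), warns_guarded(s, y, m));
    }
    return 0;
}
```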