
Cisco ISG/Bng issue with Framed-Route attribute terminated in GRT

NgNetworks
Level 1

Hi Everyone,

I have an issue with the Cisco BNG/ISG feature. The situation is as follows: there is an upstream service
provider who gave us 3 VLANs, say VLAN 60, 61 and 62, where 60 is the management VLAN and the other 2
are just basic Best Effort general purpose DATA VLANs. IPoE is the protocol that is enforced by the upstream
L1/L2 provider on the network to assign services to a customer. So as IPoE is mandatory we have been advised
to use BNG/ISG as the Cisco feature of choice.

We have been using the ISG feature for a while now on VLAN61. In the current setup customer NTU devices are receiving a single
IP address from our DHCP server and are terminated in either the GRT or on a specific customer VRF that has been
provisioned throughout our MPLS network. The GRT is used for public internet routing. Customers are asking for
an upgrade of the internet product and want to use more public IP addresses on their NTU's WAN interface for internet services.

When reading the Cisco documentation I saw that we can use the RADIUS "Framed-Route" attribute to assign a subnet to a
subscriber. When configuring this on the RADIUS service profile of a test subscriber connection it did not work: the route
was not installed in the GRT, and the show commands did not reveal a hint that the RADIUS attribute was being used.

After a lot of reading and testing I found out that when I terminated a subscriber in a different VRF than the GRT, the route was
installed in the routing table and we could ping vice versa between an interface on the NTU and the backbone MPLS. Then I got the idea
of putting the subscribers that need a routed subnet in a specific VRF (on the backbone edge router) called "internet" and leaking the
subnets to the GRT and propagating them throughout our MPLS network to the internet.
When I configured this, the NTU subscribed on the subscriber interface, it got an IP address and the "Framed-Route" was installed
on our edge router, even the route was leaked throughout the GRT to the internet, so I thought hooray, but it was not ping-able from the internet nor
could the NTU ping, let's say, the Google DNS server. The only ping I could do was from within the "internet" VRF on the edge router to the NTU
WAN IP address. Surprisingly, I could ping the multiservice interface from the internet, hence the multiservice interface is seated in the internet VRF,
so to me this proves that leaking is working.

Does anyone have an idea how to pull this off? Below is the configuration of the 2 subscriber interfaces, the subscriber service-policy and the multiservice interface.


interface TenGigabitEthernet0/0/0.61
 description *** Best Effort VLAN [A] ***
 encapsulation dot1Q 261
 ip address 333.333.333.3 255.255.255.0 secondary
 ip address 222.222.222.2 255.255.254.0 secondary
 ip address 111.111.111.1 255.255.254.0
 no ip redirects
 no ip proxy-arp
 ip local-proxy-arp
 arp timeout 3600
 no lldp transmit
 no lldp receive
 service-policy type control ISG-POLICY
 ip subscriber l2-connected
  initiator dhcp
end

interface TenGigabitEthernet0/0/0.62
 description *** Best Effort VLAN [B] ***
 encapsulation dot1Q 262
 ip address 44.44.44.1 255.255.255.248
 no ip redirects
 ip local-proxy-arp
 standby version 2
 standby 62 ip 44.44.44.6
 standby 62 timers 1 4
 standby 62 priority 120
 standby 62 preempt
 standby 62 mac-address a2de.4800.0903
 standby 62 track 10 decrement 15
 standby 62 track 20 decrement 15
 arp timeout 3600
 no lldp transmit
 no lldp receive
 service-policy type control ISG-POLICY
 ip subscriber l2-connected
  initiator dhcp
end

interface multiservice31
 description *** ISG - VRF Internet - Interface ***
 vrf forwarding internet
 ip address 55.55.55.254 255.255.254.0
 no keepalive
end

policy-map type control ISG-POLICY
 class type control ISG-SUB event session-start
  5 collect identifier mac-address
  6 collect identifier circuit-id
  15 authorize aaa password SOMEPASSWORD identifier circuit-id
 !
 class type control always event timed-policy-expiry
 !

 

@xthuijs
