IOS XE - BPA + PAP + CGNAT not working for Broadband // BBA-GROUP

jeffreydrago
Level 1

Hello guys - my first post here, please bear with me.

I am using an ASR 1004 with RP2 and ESP10.

This is the first time that I am trying to configure a BBA-group to work with CGNAT.

After some days, I realized that I do need the overload keyword after the nat command, otherwise the v9 logging feature will not work... Actually the chassis sent the templates to the NetFlow collector but no data flows are forwarded.

With that in mind I went ahead and set up the PAP + BPA feature to reduce the logging size.

Turns out that if I configure one GI interface with ip nat inside, everything works great, and, when I check the ip nat translations, I can see the ports being allocated starting at 1024...

The issue is when I try to do the same using the BBA-GROUP - connecting a user using PPPoE over a subinterface / VLAN.

When the PPPoE user is on, the ports that are allocated are all over the place, and after that, if I issue a clear ip nat translation *, it will clear the translations and start doing the right thing, allocating the initial ports starting at 1024.

I've read the documentation many times, and I am probably missing something.

I am using Version 15.4(3)S9.

Here is my BBA setup:

bba-group pppoe G-CGNAT
 virtual-template 10
 sessions auto cleanup

 

My interface config:

interface Port-channel1.4009
 description G-CGNAT-PPPOE interface
 encapsulation dot1Q 4009
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pppoe enable group G-CGNAT

My NAT config:

ip nat settings mode cgn
no ip nat settings support mapping outside
ip nat settings pap limit 250 bpa
ip nat log translations flow-export v9 udp destination MYSERVER 59999 source Loopback1
ip nat pool VALIDOS STARTIP ENDIP prefix-length 24
ip nat inside source list CGNAT pool VALIDOS overload

Here is the virtual template:

interface Virtual-Template10
 ip unnumbered Loopback1
 ip nat inside
 peer default ip address dhcp-pool POOL-CGNAT-G
 ppp authentication pap chap ms-chap ms-chap-v2 USUARIOSRADIUS
!

Here is a sample of the translations when I use the Ethernet port without BBA or PPPoE:

PPPoe-server#sh ip nat trans
Pro  Inside global   Inside local        Outside local  Outside global
tcp  EXT-IP.0:1065   10.100.98.3:62022   ---            ---
udp  EXT-IP.0:1065   10.100.98.3:57136   ---            ---
udp  EXT-IP.0:1097   10.100.98.3:61201   ---            ---
tcp  EXT-IP.0:1027   10.100.98.3:61983   ---            ---
udp  EXT-IP.0:1027   10.100.98.3:59152   ---            ---
udp  EXT-IP.0:1079   10.100.98.3:58716   ---            ---

I have replaced the real IP with EXT-IP.0.

Everything looks fine. Now, if I connect a PPPoE user:

PPPoe-server#sh users
    Line       User       Host(s)     Idle       Location
*   1 vty 0    support    idle        00:00:00

  Interface    User    Mode     Idle    Peer Address
  Vi2.1        g2      PPPoE    -       100.65.0.1

PPPoe-server#sh ip nat tr
PPPoe-server#sh ip nat translations
Pro  Inside global    Inside local       Outside local  Outside global
udp  EXT-IP.0:51482   100.65.0.1:51482   ---            ---
udp  EXT-IP.0:49502   100.65.0.1:49502   ---            ---
udp  EXT-IP.0:56435   100.65.0.1:56435   ---            ---
tcp  EXT-IP.0:62046   100.65.0.1:62046   ---            ---
udp  EXT-IP.0:62080   100.65.0.1:62080   ---            ---
tcp  EXT-IP.0:62047   100.65.0.1:62047   ---            ---
udp  EXT-IP.0:61318   100.65.0.1:61318   ---            ---
udp  EXT-IP.0:51826   100.65.0.1:51826   ---            ---

Now the ports get assigned all over the place... BPA seems not to work, but as soon as I clear the NAT translation entries, everything looks ok:

PPPoe-server#sh ip nat trans
Pro  Inside global   Inside local       Outside local  Outside global
tcp  EXT-IP.0:1050   100.65.0.1:62086   ---            ---
udp  EXT-IP.0:1050   100.65.0.1:55039   ---            ---
tcp  EXT-IP.0:1072   100.65.0.1:62108   ---            ---
udp  EXT-IP.0:1072   100.65.0.1:61449   ---            ---

Not sure if it's a bug or if I am missing anything...

I really would like to have BPA to reduce log size.

Tks a lot.

Jeffrey
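As an added example (not from the post, and not a Cisco tool), here is a small Python check that parses `show ip nat translations` output and reports, per inside host, whether the inside-global ports look block-allocated (starting at 1024, as in the working output above) or port-preserved (global port equal to the local port, as in the PPPoE output). The "preserved port" heuristic and the 1024 floor are assumptions taken from this thread's output, not a documented Cisco rule; the sample lines are constructed from the post.

```python
import re
from collections import defaultdict

# Constructed samples modelled on the two "show ip nat translations" outputs in
# the post (EXT-IP.0 stands in for the real public address, as in the post).
BPA_SAMPLE = """\
Pro Inside global Inside local Outside local Outside global
tcp EXT-IP.0:1065 10.100.98.3:62022 --- ---
udp EXT-IP.0:1065 10.100.98.3:57136 --- ---
udp EXT-IP.0:1097 10.100.98.3:61201 --- ---
tcp EXT-IP.0:1027 10.100.98.3:61983 --- ---
"""
PRESERVED_SAMPLE = """\
Pro Inside global Inside local Outside local Outside global
udp EXT-IP.0:51482 100.65.0.1:51482 --- ---
udp EXT-IP.0:49502 100.65.0.1:49502 --- ---
tcp EXT-IP.0:62046 100.65.0.1:62046 --- ---
"""

LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)\s*$")

def parse_translations(text):
    """Return (proto, global_ip, global_port, local_ip, local_port) per translation line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # the header and prompt lines do not match and are skipped
            proto, gip, gport, lip, lport, _, _ = m.groups()
            rows.append((proto, gip, int(gport), lip, int(lport)))
    return rows

def audit(text, block_start=1024):
    """Per inside-local host: translation count, how many keep the local port
    (assumption: global port == local port means port-preserving, not BPA),
    the global-port range in use, and a verdict on whether BPA looks active."""
    hosts = defaultdict(lambda: {"total": 0, "preserved": 0, "ports": []})
    for _proto, _gip, gport, lip, lport in parse_translations(text):
        h = hosts[lip]
        h["total"] += 1
        h["preserved"] += int(gport == lport)
        h["ports"].append(gport)
    verdict = {}
    for lip, h in hosts.items():
        lo, hi = min(h["ports"]), max(h["ports"])
        # Assumed BPA signature (from the thread's working output): fewer than
        # half the ports preserved and allocations starting at or above block_start.
        looks_bpa = h["preserved"] * 2 < h["total"] and lo >= block_start
        verdict[lip] = {"total": h["total"], "preserved": h["preserved"],
                        "min_port": lo, "max_port": hi, "looks_bpa": looks_bpa}
    return verdict
```

Feed `audit()` the pasted output of `show ip nat translations` for a PPPoE subscriber before and after `clear ip nat translation *` to confirm whether the block allocation (and so the smaller v9 log volume) is actually in effect.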

 

4 Replies

Hello,

Post the full configuration of your router...

Hi Georg, here it is.

Another weird situation here: I was testing all the time with my Windows box, dialing in to the ASR.

Now I've tested with an old TP-Link router, and everything works fine.... not sure why.

When I try the Windows box again, it is still wrong...

Anyway, here is the full config. I have several VTs now because I have been trying to test a lot of combinations to make it work, without luck....

!
! Last configuration change at 22:39:39 UTC Thu Jul 5 2018 by support
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname PPPoe-server
!
boot-start-marker
boot system flash bootflash:asr1000rp2-adventerprisek9.03.13.09.S.154-3.S9-ext.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!

!
aaa new-model
!
!
aaa group server radius RADIUS-XX
!
aaa authentication ppp default group radius local
aaa authentication ppp LISTA local
aaa authorization exec default local
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting exec default
action-type start-stop
group radius
!
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa nas port extended
!
!
!
aaa server radius dynamic-author
client xxx.xxx.154.8 server-key #XXXXXXXXXXX
server-key #XXXXXXXX
auth-type any
ignore session-key
ignore server-key
!
aaa session-id common
aaa policy interface-config allow-subinterface
!
!
!
!
!
!
!
!
!


ip domain name XXinternet.com
ip name-server xxx.xxx.154.3
ip name-server xxx.xxx.155.134

!
ip dhcp pool POOL-CGNAT-XX
network 100.65.0.0 255.255.192.0
domain-name XXinternet.com
dns-server xxx.xxx.154.3 xxx.xxx.155.134
lease 0 6
!
!
!
!
!
!
vpdn enable
!
!
!
!
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
!
!
!
!
!
bba-group pppoe global
!
bba-group pppoe XX-CGNAT
virtual-template 10
sessions auto cleanup
!
bba-group pppoe XX
virtual-template 1
sessions auto cleanup
!
bba-group pppoe TESTE
virtual-template 9
sessions auto cleanup
!
bba-group pppoe XX-VALIDO
virtual-template 1
sessions auto cleanup
!
!
interface Loopback1
ip address xxx.xxx.155.50 255.255.255.252
!
interface Loopback2
ip address 100.70.1.254 255.255.255.0
ip nat inside
!
interface Loopback3
ip address 10.100.98.1 255.255.255.0
!
interface Port-channel1
no ip address
lacp fast-switchover
lacp max-bundle 1
!
interface Port-channel1.245
encapsulation dot1Q 245
ip address 10.100.97.2 255.255.255.252
!
interface Port-channel1.4004
encapsulation dot1Q 4004
!
interface Port-channel1.4005
description XX-VALIDO-PPPOE interface
encapsulation dot1Q 4005
no ip redirects
no ip unreachables
no ip proxy-arp
pppoe enable group XX-VALIDO
!
interface Port-channel1.4006
encapsulation dot1Q 4006
ip unnumbered Loopback3 poll
ip nat inside
pppoe enable group TESTE
!
interface Port-channel1.4009
description XX-CGNAT-PPPOE interface
encapsulation dot1Q 4009
no ip redirects
no ip unreachables
no ip proxy-arp
pppoe enable group XX-CGNAT
!
interface Port-channel1.4010
encapsulation dot1Q 4010
ip unnumbered Loopback1 poll
ip nat outside
!
interface TenGigabitEthernet0/3/0
no ip address
lacp port-priority 32767
channel-group 1 mode active
!
interface TenGigabitEthernet1/2/0
no ip address
channel-group 1 mode active
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Virtual-Template1
mtu 1492
ip unnumbered Loopback3
ip nat inside
no logging event link-status
peer default ip address dhcp-pool POOL-CGNAT-XX
ppp mtu adaptive
ppp authentication pap chap ms-chap ms-chap-v2 USUARIOSRADIUS
ppp ipcp address required
ppp ipcp address unique
!
interface Virtual-Template2
mtu 1492
ip unnumbered Loopback3
ip nat inside
peer default ip address dhcp-pool POOL-CGNAT-XX
ppp mtu adaptive
ppp authentication pap chap ms-chap ms-chap-v2 USUARIOSRADIUS
ppp ipcp address required
ppp ipcp address unique
!
interface Virtual-Template9
ip address 1.1.1.1 255.255.255.0
ip nat inside
peer default ip address dhcp-pool POOL-CGNAT-XX
!
interface Virtual-Template10
ip unnumbered Loopback1
ip nat inside
peer default ip address dhcp-pool POOL-CGNAT-XX
ppp authentication pap chap ms-chap ms-chap-v2 USUARIOSRADIUS
!
router ospf 1
redistribute connected subnets
network 10.100.97.0 0.0.0.3 area 0
!
ip local pool PoolLivre 100.65.0.0 100.65.63.255
ip nat settings mode cgn
no ip nat settings support mapping outside
ip nat settings pap limit 250 bpa
ip nat log translations flow-export v9 udp destination xx.xxx.214.23 59999 source Loopback1
ip nat pool VALIDOS xxx.xxx.155.52 xxx.xxx.155.92 prefix-length 24
ip nat pool VALIDOS2 xxx.xxx.155.56 xxx.xxx.155.57 prefix-length 30
ip nat inside source list CGNAT pool VALIDOS overload
ip nat inside source list CGNAT2 pool VALIDOS2 overload
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 Port-channel1.4010 xxx.xxx.155.49
ip ssh version 2
ip scp server enable
!
ip access-list extended CGNAT
permit ip 100.70.1.0 0.0.0.255 any
permit ip 100.64.0.0 0.0.7.255 any
permit ip 10.100.98.0 0.0.0.255 any
ip access-list extended CGNAT2
permit ip 100.65.0.0 0.0.63.255 any
!
ip radius source-interface Loopback1
logging trap debugging
logging facility local2
access-list 9 permit xxx.xxx.220.154
!
route-map PORTAS permit 10
match ip address 2000
!
snmp-server community public RO 9
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute nas-port format d
!
radius server RADIUS-XX
address ipv4 xxx.xxx.154.8 auth-port 1812 acct-port 1813
non-standard
key #XXXXXXXXXXX
!
!
control-plane
!
!
!

 

To add some complexity or clarity to this, I just tested with a Windows 10 machine and it works.

So, the TP-Link router is OK, Windows 10 is OK.

Windows 8 does not work.. How can the OS influence the port allocation?

I tried to change all the possible options on the PPPoE connection on the Windows box, without luck.

Jeffrey

viniciusdalcin
Level 1

I'm going through the same situation.
Any advances in your setup?