xthuijs
Cisco Employee

Introduction

In IOS-XR version 4.2.0 (December 2011) the ASR9000 will be supporting BNG or Broadband termination capabilities with IP sessions and PPPoE. This document provides a step by step guide to setup an ASR9000 BNG solution with descriptions of what each individual component is used for and how to verify the operation.

Problem Description

BNG is a complex technology. This technote tries to expand on the configuration options and how to set it up. In the "Related Information" section is a pointer to a video on demand showing you the capabilities of A9K BNG.

Steps to completion

1) Dynamic Template configuration (~ IOS virtual template)
2) Configuring RADIUS
3) Configuring Subscriber Access
4) Configure Subscriber Authentication
5) Control Policy Definition
6) Verification of session establishment

1.0       Configure User Profiles, Dynamic-Template and Services Profiles 


Exercise Description 

Configure User Profiles, Dynamic-Templates and Service Profiles that will be activated on the session at different stages of the session lifecycle. 

Exercise Objective 

Learn how to create Dynamic Templates and configure ASR9K features (e.g. ACLs and QoS Class Maps) that will be referenced by various Templates and Profiles.  Dynamic templates define the basic configuration to be applied to the session. Per-user attributes from RADIUS always take precedence over the dynamic template configuration.

1.1       Dynamic-Template Configuration for PPPoE Subscribers 

Steps to Complete Task 

Step 1.        Enter the following configuration items. 

dynamic-template
 type ppp PPP_TPL
  ppp authentication chap
  ppp ipcp peer-address pool POOL
  ipv4 unnumbered Loopback1000
 !
!
pool vrf default ipv4 POOL
 address-range 199.1.1.1 199.1.1.255

Solution Explanation and Clarification 

PPP authentication protocol, address-pool for client (remote) address assignment and unnumbered interface for session (local) address assignment are typical features configured under a PPP dynamic template and provide basic settings for proper PPP session establishment. 

The unnumbered Loopback address is merely an endpoint for ppp subscribers, it is not involved in (external) routing.  Despite popular belief, it does NOT need to be a routable address and can be duplicated over multiple devices. 

In addition to defining a ppp dynamic-template, named PPP_TPL, this step also defines the address pool POOL referenced in the dynamic template. 

Multiple ranges can be configured in a pool.  These address pools do NOT get automatically advertised in routing protocols, that is why during the first task we created a static (summary) route for the range and we redistributed it in OSPF. 

Task Verification 

The show command provides details of the address range and the pool usage. 

RP/0/RSP0/CPU0:BNG_POD_1#show address-pool POOL
Thu Oct  6 19:12:38.671 UTC
Pool                                  Begin           End             Free InUse

1.2       Dynamic-Template Configuration for IPoE Subscribers 

Steps to Complete Task 

Step 1.        Enter the following configuration items 

dynamic-template
 type ipsubscriber IPSUB_TPL
  ipv4 unnumbered Loopback2000
  ipv4 access-group IPSUB_FAIL_ACL ingress
  ipv4 access-group IPSUB_FAIL_ACL egress
 !
!
ipv4 access-list IPSUB_FAIL_ACL
 5 permit tcp any any eq www
 10 permit tcp any eq www any
 15 deny ipv4 any any
!
! This ACL is the base ACL applied to an ipsub session. The RADIUS profile returned upon a successful
! authentication may override it with a less restrictive one. This heavily restricted ACL is for
! demonstration purposes, forcing the user to log on via the web portal in this example.

Solution Explanation and Clarification 

In addition to defining an IP subscriber dynamic-template, named IPSUB_TPL, this step also defines the Access-List referenced in the dynamic template. 

By default a session permits all traffic, so a Security ACL provides a way of restricting access over a subscriber session.  This is especially true for IP subscribers who may need to get authenticated via Web Logon.  In such cases an initial ACL applied to the session may permit bidirectional communication with DNS servers (not in this sample ACL) and Web Portal, while denying all the rest.  Upon successful authentication, that ACL can then be replaced by a less restrictive one or totally removed. 

The IP unnumbered interface for session (local) address assignment is a mandatory feature configured under an IP dynamic template, and provides the basic settings for proper IP session establishment.  The unnumbered interface IP address becomes the default gateway for the IP subscriber associated with the session. This address is also used as the "giaddr" in the DHCP proxy configuration, which instructs the DHCP server to select an address from the subnet in which this IPv4 address is routable.

1.3       Local configuration of features referenced by RADIUS defined profiles 

Part A 

During verification tasks, the following 2 CoA Requests will be sent to the BNG referencing 2 MQC classes: VOIP and VIDEO.  MQC classes must be pre-configured on a device. 

For more information on CoA see the link in the "Related Information" section.

coa_w32 -f voip.cfg -1 44,<session id> -n <some reachable addr of 9k>

CoA profile for "voip.cfg":

attribute2=26,9,1,subscriber:command=account-update
attribute3=26,9,1,ip:qos-policy-out=add-class(sub,(class-default), shape(200))
attribute4=26,9,1,ip:qos-policy-out=add-class(sub,(class-default, VOIP), pri-level(1), police(128,8))
timeout=1

coa_w32 -f video.cfg -1 44,<session id> -n 192.168.100.10<pod>

CoA profile for "video.cfg":

attribute1=26,9,1,subscriber:command=account-update
attribute2=26,9,1,ip:qos-policy-out=add-class(sub,(class-default, VIDEO), bw-abs (2048))
timeout=1

Step 1.        Enter the following configuration items to define MQC classes: 

!
class-map match-any VIDEO
 match dscp af41
 end-class-map
!
class-map match-any VOIP
 match dscp ef
 end-class-map
!

Part B 

During verification steps, Web Based authentication will be emulated for the IP subscriber. 

The IP subscriber’s User Profile references a security ACL that will now permit all traffic. 

coa_w32 -f login.cfg -n 192.168.100.10 -1 44,<session_id> -1 1,myuser

CoA profile for "login.cfg":

attribute2=26,9,1,subscriber:command=account-logon
attribute3=26,9,1,subscriber:password=cisco
timeout=1

A matching RADIUS profile needs to be present on the RADIUS server: the CoA account-logon will try to authenticate "myuser" with password "cisco" against RADIUS.

myuser Cleartext-Password := "cisco"
           cisco-avpair = "ip:outacl=PERM_ALL",
           cisco-avpair += "ip:inacl=PERM_ALL"

Step 3.        Enter the following configuration items to define the “permit all” ACL in IOS-XR:

ipv4 access-list PERM_ALL
 10 permit ipv4 any any
!
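To make the "restrictive ACL before logon, permissive ACL after logon" behaviour of sections 1.2 and 1.3 concrete, here is an added example (not code from the article or from IOS-XR) that models IPSUB_FAIL_ACL and PERM_ALL as ordered rule lists and evaluates constructed sample flows against them with first-match semantics and the implicit deny. It assumes the sample port numbers and flow names below; only the match keywords the article's ACLs use (any, eq, tcp/udp/ipv4) are modelled.

```python
"""First-match evaluation of the article's subscriber ACLs.

Added example, not from the original article or from IOS-XR. It models
IPSUB_FAIL_ACL (applied by IPSUB_TPL before web logon) and PERM_ALL
(returned via RADIUS after logon) as ordered rule lists and evaluates
constructed sample flows against them. Addresses are 'any' throughout
the article's ACLs, so only protocol and ports are compared.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

WELL_KNOWN_PORTS = {"www": 80, "domain": 53}  # IOS-style port names


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "ipv4" (matches any protocol)
    src_port: Optional[int]  # None means "any"
    dst_port: Optional[int]


@dataclass(frozen=True)
class Flow:
    proto: str
    src_port: int
    dst_port: int


def parse_ace(line: str) -> Rule:
    """Parse one access-list entry such as '5 permit tcp any any eq www'."""
    tokens = line.split()
    seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
    ports: List[Optional[int]] = []  # source port, then destination port
    i = 3
    while i < len(tokens):
        if tokens[i] != "any":
            raise ValueError(f"only 'any' addresses are modelled: {line!r}")
        i += 1
        if i < len(tokens) and tokens[i] == "eq":
            name = tokens[i + 1]
            ports.append(int(name) if name.isdigit() else WELL_KNOWN_PORTS[name])
            i += 2
        else:
            ports.append(None)
    while len(ports) < 2:
        ports.append(None)
    return Rule(seq, action, proto, ports[0], ports[1])


def evaluate(acl: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, sequence) of the first matching entry.

    Entries are checked in sequence-number order; when nothing matches,
    the implicit deny at the end of every ACL applies (sequence None).
    """
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule.proto != "ipv4" and rule.proto != flow.proto:
            continue
        if rule.src_port is not None and rule.src_port != flow.src_port:
            continue
        if rule.dst_port is not None and rule.dst_port != flow.dst_port:
            continue
        return rule.action, rule.seq
    return "deny", None


def session_allows(acl: List[Rule], flow: Flow) -> bool:
    """True when the session ACL permits the flow."""
    return evaluate(acl, flow)[0] == "permit"


# The two ACLs exactly as the article configures them.
IPSUB_FAIL_ACL = [parse_ace(ace) for ace in (
    "5 permit tcp any any eq www",
    "10 permit tcp any eq www any",
    "15 deny ipv4 any any",
)]
PERM_ALL = [parse_ace("10 permit ipv4 any any")]

# Constructed sample flows on the subscriber session (assumed port numbers).
HTTP_TO_PORTAL = Flow("tcp", 51000, 80)    # subscriber -> web portal (ingress)
HTTP_FROM_PORTAL = Flow("tcp", 80, 51000)  # portal reply (egress)
DNS_QUERY = Flow("udp", 51001, 53)         # the article notes DNS is not in the sample ACL
HTTPS_ELSEWHERE = Flow("tcp", 51002, 443)

if __name__ == "__main__":
    for name, flow in [("http out", HTTP_TO_PORTAL), ("http back", HTTP_FROM_PORTAL),
                       ("dns", DNS_QUERY), ("https", HTTPS_ELSEWHERE)]:
        print(f"{name:10s} before logon: {evaluate(IPSUB_FAIL_ACL, flow)}"
              f"  after logon: {evaluate(PERM_ALL, flow)}")
```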


2.0       Configure Northbound Interfaces 


Exercise Description 

Configure basic RADIUS and RADIUS CoA connectivity to prepare the system for AAA authentication of subscriber access and for dynamic service activation. 

Exercise Objective 

The system will be ready to hand off authentication requests to the radius-server and send radius-requests with the desired nas-port and nas-port-id. 

It will also be ready to accept CoA requests from an external server.

2.1       Radius Configuration 

Steps to Complete Task 

Step 1.        Enter the following configuration items: 

aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU type 32
aaa radius attribute nas-port-id format NAS_PORT_FORMAT
aaa accounting subscriber default group radius
aaa authorization subscriber default group radius
aaa authentication subscriber default group radius
!
aaa attribute format MY_AUTH
 mac-address plus circuit-id plus remote-id separator #
!
aaa attribute format NAS_PORT_FORMAT
 circuit-id plus remote-id separator .
!
radius-server host <radius server> auth-port 1812 acct-port 1813
 key BNG
!

Solution Explanation and Clarification 

In this configuration section you define how the radius-server nas-port-id (attr87) is to be configured; in this case it will be circuit-id with remote-id, separated by a dot “.”. 

The nas-port attribute (attr 5) is a decimal number composed of a number of bits.  The first line defines which bits are assigned to slot, VLAN, port etc.; each position carries a 1 or a 0, and the resulting value is sent in the attribute. 

NAS-PORT definition and overview

The NAS-PORT definition can be set on a per "type" basis, whether it is PPPoE or PPPoVLAN or QinQ etc. If the specific type is not defined, the "global" definition is followed, and fields not found or not applicable to this session type are set to zero (e.g. the VLAN ID bits for a plain PPPoE session are all zero).

Service Port Types and Corresponding RADIUS Values


Service Port Type    RADIUS Value
PPPoA                30
PPPoEoA              31
PPPoEoE              32
PPPoEoVLAN           33
PPPoEoQinQ           34

Example NAS-PORT format: aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU

Value description:

Key   Description
0/1   Literal bit value "0" or "1"
f/F   Shelf identifier
s/S   Slot identifier
a/A   Adapter
p/P   Port
i/I   Subslot
c/L   Channel
V     Outer VLAN
Q     Inner VLAN
U     PPPoE Session ID

Also, we have defined the radius-server to the designated address and AAA method lists for authentication, authorization and accounting. 

The attribute format “MY_AUTH” will be used in the control policy-map for IP sessions, it will designate how the username will be constructed for authenticating the IP subscriber. 
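The NAS-Port bit format described above, as an added example that is not code from the article or from IOS-XR: a small Python encoder/decoder that packs field values into the attribute-5 integer according to a format string such as the one in the configuration, sends unsupplied fields as zero (as the text describes for fields that do not apply to a session type) and refuses a value that does not fit its field width. The field names and the sample values at the bottom are assumptions for illustration.

```python
"""Compose and decode the RADIUS NAS-Port (attribute 5) value from an
IOS-XR style bit-format string such as SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU.

Added example, not from the original article or from IOS-XR itself.
The letter-to-field mapping follows the article's key table; the field
values used at the bottom are constructed sample data.
"""

# Format letters (either case) mapped to field names, per the article's key.
FIELD_KEYS = {
    "f": "shelf", "s": "slot", "a": "adapter", "p": "port",
    "i": "subslot", "c": "channel", "l": "channel",
    "v": "outer_vlan", "q": "inner_vlan", "u": "session_id",
}


def field_positions(fmt):
    """Map each field to its bit positions, most significant first.

    The leftmost character of fmt is the most significant bit, so a
    32-character format yields bit 31 first. Literal '0'/'1' characters
    are returned separately as a list of (position, value) pairs.
    """
    width = len(fmt)
    positions = {}
    fixed = []
    for index, ch in enumerate(fmt):
        bit = width - 1 - index
        if ch in "01":
            fixed.append((bit, int(ch)))
            continue
        name = FIELD_KEYS.get(ch.lower())
        if name is None:
            raise ValueError(f"unknown format character {ch!r} at index {index}")
        positions.setdefault(name, []).append(bit)
    return positions, fixed


def encode_nas_port(fmt, **fields):
    """Pack field values into the NAS-Port integer described by fmt.

    Fields not passed are sent as zero, which is what the article
    describes for fields that do not apply to a session type (e.g. the
    VLAN IDs of a plain PPPoE session). A value too wide for its field
    raises ValueError instead of being silently truncated.
    """
    positions, fixed = field_positions(fmt)
    for name in fields:
        if name not in positions:
            raise ValueError(f"field {name!r} has no letters in format {fmt!r}")
    value = 0
    for bit, fixed_bit in fixed:
        value |= fixed_bit << bit
    for name, bits in positions.items():
        field_value = fields.get(name, 0)
        if not 0 <= field_value < (1 << len(bits)):
            raise ValueError(
                f"{name}={field_value} does not fit in {len(bits)} bit(s)")
        # The field's own MSB lands in its leftmost (highest) position.
        for j, bit in enumerate(bits):
            value |= ((field_value >> (len(bits) - 1 - j)) & 1) << bit
    return value


def decode_nas_port(fmt, value):
    """Unpack a NAS-Port integer back into its per-field values."""
    positions, _ = field_positions(fmt)
    fields = {}
    for name, bits in positions.items():
        field_value = 0
        for bit in bits:
            field_value = (field_value << 1) | ((value >> bit) & 1)
        fields[name] = field_value
    return fields


# The article's example format: 2 slot, 2 adapter, 4 port, 10 inner-VLAN,
# 10 outer-VLAN and 4 PPPoE session-id bits (32 bits in total).
ARTICLE_FORMAT = "SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU"

if __name__ == "__main__":
    # Constructed sample: slot 1, port 3, outer VLAN 11, session id 7.
    sample = encode_nas_port(ARTICLE_FORMAT, slot=1, port=3,
                             outer_vlan=11, session_id=7)
    print(sample, decode_nas_port(ARTICLE_FORMAT, sample))
```

Note that the four U positions of the article's example format can only carry session IDs 0 to 15; the encoder raises ValueError for anything larger rather than truncating it.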

Task Verification 

The command show radius verifies configuration of the designated server. 

RP/0/RSP0/CPU0:BNG_POD_1#show radius
Thu Oct  6 18:37:53.350 UTC
Global dead time: 0 minute(s)
Number of Servers:1
Server: 192.168.100.2/1812/1813  is UP
  Timeout: 1 sec, Retransmit limit: 1
  Authentication:
    0 requests, 0 pending, 0 retransmits
    0 accepts, 0 rejects, 0 challenges
    0 timeouts, 0 bad responses, 0 bad authenticators
    0 unknown types, 0 dropped, 0 ms latest rtt
  Accounting:
    0 requests, 0 pending, 0 retransmits
    0 responses, 0 timeouts, 0 bad responses
    0 bad authenticators, 0 unknown types, 0 dropped
    0 ms latest rtt

2.2       Add CoA clients to the dynamic author configuration: 

Steps to Complete Task: 

Step 1.        Enter the following configuration items: 

aaa server radius dynamic-author
 port 1700
 auth-type any
 client <radius server> vrf default server-key BNG

Solution Explanation and Clarification 

In the default configuration the router will not respond to CoA requests sent from a CoA client.  In order to instruct the router to accept CoA requests from a particular IP address, we need to enter that address under the dynamic author configuration section. 

You need to identify the IP address the CoA requests come from, as well as the shared secret key.  The UDP port, 1700 by default as per the CoA RFC, is configured as well. 

One thing that should be noted here is the “auth-type”.  In order to identify a session we can use various identification attributes.  Most commonly, attribute 44, accounting-session-id is used.  When you send more identification attributes such as username, IP address etc., you can specify which of those attributes need to match, in order to target the designated session: 

RP/0/RSP0/CPU0:A9K-BNG(config-Dynamic Author)#auth-type ?
  all          auth-type all  all session identifiers must match for that single subscriber
  any          auth-type any  any of the session identifers is ok to match the subscriber
  session-key  auth-type session-key  use the ASCEND SESSION SERVER KEY as match for the subscriber identification


Task Verification 

Enter the following commands to confirm configuration. 

RP/0/RSP0/CPU0:BNG_POD_1#show radius dynamic-author
Thu Oct  6 18:42:58.151 UTC
Radius Dynamic-Author Server:
    Invalid Disc-Reqs:          0
    Invalid CoA-Reqs:           0
Radius Dynamic-Author Client:
    Client IP:          192.168.100.2
    Disconnect-Request:
        Disc-Req  0   Disc-Ack  0  Disc-Nack  0
        Authorize-Only Request:        0
        Authorize-Only Nack:           0
        Disc-Nack for no context:      0
        Malformed Req:                 0
        Bad Authenticator:             0
        Dropped Req:                   0
    CoA-Request:
        CoA-Req   0   CoA-Ack   0  CoA-Nack   0
        Authorize-Only Request:        0
        Authorize-Only Nack:           0
        CoA-Nack for no context:       0
        Malformed Req:                 0
        Bad Authenticator:             0
        Dropped Req:                   0

3.0         Configure Subscriber Access 


Exercise Description 

Prepare the system to initiate subscriber sessions. 

Exercise Objective 

After completing this exercise the BNG will be ready to take DHCP discovers (for IP subscribers) and PADI (for PPP subscribers) from a particular interface and create a subscriber session. 

3.1       Setup Subscriber Access for IP Subscribers 

Steps to Complete Task 

Step 1.        Enter the following configuration items to configure DHCP Proxy for IP subscribers: 

dhcp ipv4
 profile IP_DEFAULT proxy
  helper-address <DHCP Server> giaddr 172.20.1.254
  relay information option
  relay information policy keep
  relay information option allow-untrusted
 !
 interface Bundle-Ether100.1 proxy profile IP_DEFAULT

Solution Explanation and Clarification 

In this configuration snippet we defined a basic DHCP profile, named IP_DEFAULT, which specifies the DHCP server IP address and the gateway IP address to be used during address assignment.  It also trusts non-zero Option 82 and giaddr values in incoming requests (which is generally the case when a DSLAM inserts Option 82) and it will interpret the Option 82 information. 

Finally, we attach the proxy profile to the access-interface. 

Task Verification for Step 1 

Enter the following commands, or retrieve the following information to confirm configuration. 

RP/0/RSP0/CPU0:BNG_POD_1#show dhcp ipv4 proxy profile
Thu Oct  6 19:02:25.257 UTC
DHCP IPv4 Proxy Profiles
--------------------------
IP_DEFAULT

When things are operational you can verify via:

RP/0/RSP0/CPU0:BNG_POD_1#show dhcp ipv4 proxy binding
Thu Oct  6 19:03:39.487 UTC
                                           Lease
MAC Address      IP Address      State    Remaining       Interface          VRF      Sublabel
--------------  --------------  ---------  ---------  -------------------  ---------  ----------

RP/0/RSP0/CPU0:BNG_POD_1#show dhcp ipv4 proxy statistics
Thu Oct  6 19:04:27.400 UTC
                  VRF                     |      RX       |      TX       |       DR   |
-------------------------------------------------------------------------------------------
default                                  |            0  |            0  |          0  |

Step 2.        Define the control policy directive that will handle IP session establishment. 

class-map type control subscriber match-any DHCP
 match protocol dhcpv4
 end-class-map
!
policy-map type control subscriber IP_PM
 event session-start match-first
  class type control subscriber DHCP do-until-failure
   5 activate dynamic-template IPSUB_TPL
  !
 !
end-policy-map

Solution Explanation and Clarification 

The anatomy of a control policy is such that we have an event (e.g.: session-start), for which we evaluate one or more classes, and then a list of actions to be executed.  Classes allow us to have a single control policy, while still defining different actions for the same event type.  The configured class matches on IP sessions specifically. 

3.2       Apply “IPSUB_TPL” Dynamic Template 

The “IPSUB_TPL” dynamic-template, configured earlier, is applied to IP subscribers when the session is initiated. 

Steps to Complete Task 

Step 1.        Configure the terminating interface for IP subscribers.  Enter the following configuration items: 

interface bundle-ether100.1
 ipv4 point-to-point
 ipv4 unnumbered loopback2000
 ! service-policy type control subscriber IP_PM   (applied later on, as we still need to make changes to the control policy-map)
 encapsulation dot1q 10
 ipsubscriber ipv4 l2-connected
  initiator dhcp
 !
!

Solution Explanation and Clarification 

Creates a bundle sub-interface (access-interface) and specifies DHCP as the trigger to create new sessions. 

The IP address on the interface can be ANY address, but one is required in order to accept IP Packets. In the example, the access-interface will share the same address that is assigned by default to IP subscriber sessions (via the IPSUB_TPL).

The access interface needs to have an IP address defined in order to accept IPv4 packets (the DHCP discover). The point-to-point configuration is needed when you want to make it unnumbered to a loopback interface.

3.3       Setup Subscriber Access for PPPoE Subscribers 

Steps to Complete Task 

Step 1.        Enter the following configuration items to configure the Broadband Access group for PPP subscribers: 

pppoe bba-group NAME
 service selection disable
!

Solution Explanation and Clarification 

The bba-group can match on services signaled in the PPPoE service-tag or service selection can be disabled.  Today we don’t do much with the service-tag except for matching.  This will be extended with more comprehensive features, such as Smart Server Selection, PADO delays etc. 

Step 2.        Define the control policy directive that will handle PPP session establishment. 

class-map type control subscriber match-any PPP
 match protocol ppp
 end-class-map
!
policy-map type control subscriber PPP_PM
 event session-start match-first
  class type control subscriber PPP do-until-failure
   10 activate dynamic-template PPP_TPL
  !
 !
end-policy-map

Solution Explanation and Clarification 

The anatomy of a control policy is such that we have an event (e.g.: session-start), for which we evaluate one or more classes, and then a list of actions to be executed. Classes allow us to have a single control policy, while still defining different actions for the same event type.  The configured class matches on PPP sessions specifically. 

The “PPP_TPL” dynamic-template, configured earlier, is applied to PPP subscribers when the session is initiated.  It typically includes information that is used during LCP phase. 

In addition to dynamic-template activation, another common action implemented during session-start event is pre-authentication based on pppoe tags (authorization). 

Step 3.        Configure the terminating interface for PPP subscribers.  Enter the following configuration items: 

interface bundle-ether100.11
 ! service-policy type control subscriber PPP_PM   (applied later on, as we still need to make some changes to the control policy)
 pppoe enable bba-group NAME
 encapsulation dot1q 1
!

Solution Explanation and Clarification 

This step assigns the bba-group to the access-interface facing the PPPoE subscribers. 


4.0         Configure Subscriber Authentication 


Exercise Description 

Configure subscriber authentication for PPP and IPoE subscribers. 

4.1       Enable Authentication for IPoE Subscribers 

Steps to Complete Task 

Step 1.        Enter the following configuration items: 

policy-map type control subscriber IP_PM
 event session-start match-first
  class type control subscriber DHCP do-until-failure
   10 authorize aaa list default format MY_AUTH password cisco
  !
 !
end-policy-map

Solution Explanation and Clarification 

The authorize statement is used at session-start to authenticate the user with a username constructed by a combination of remote/circuit ID as defined in MY_AUTH format. 

Note:  If the RADIUS client can’t compose the username because one or more components are missing, those fields will be left empty.

Task Verification 

RP/0/RSP0/CPU0:BNG_POD_1#show policy-map type control subscriber pmap-name IP_PM
Thu Oct  6 19:38:23.038 UTC
policy-map type control subscriber IP_PM
 event session-start match-first
  class type control subscriber DHCP do-until-failure
   5 activate dynamic-template IPSUB_TPL
   10 authorize aaa list default format MY_AUTH password cisco
  !
 !
end-policy-map

4.2       Enable Authentication for PPPoE Subscribers 

Steps to Complete Task 

Step 1.        Enter the following configuration items: 

policy-map type control subscriber PPP_PM
 event session-activate match-first
  class type control subscriber PPP do-until-failure
   10 authenticate aaa list default
  !
 !
end-policy-map

Solution Explanation and Clarification 

Session-activate event (triggered when PPP LCP opens) is used to authenticate the subscriber with RADIUS, using ppp username and password derived from the ppp authentication stage. 

Task Verification 

RP/0/RSP0/CPU0:BNG_POD_1#show policy-map type control subscriber pmap-name PPP_PM
Thu Oct  6 19:21:40.222 UTC
policy-map type control subscriber BNG_ctrl_pm
 event session-start match-first
  class type control subscriber PPP do-until-failure
   10 activate dynamic-template PPP_TPL
  !
 !
 event session-activate match-first
  class type control subscriber PPP do-until-failure
   10 authenticate aaa list default
  !
 !
end-policy-map

NOTE: When a control policy is assigned to an interface, it can't be modified in place (yet). You need to detach the control policy, which disconnects the sessions, and then you can reconfigure the control policy.


5.0         Apply Control Policy to Access Interface 


Exercise Description 

This task will apply the control-policy to the access-interface and finalize the configuration for IPoE and PPPoE subscribers. 

5.1       Apply the Control Policy for IP Sessions 

Steps to Complete Task 

Step 1.        Enter the following configuration items: 

interface Bundle-Ether100.1
 service-policy type control subscriber IP_PM

5.2       Apply the Control Policy for PPP Sessions 

Steps to Complete Task 

Step 1.        Enter the following configuration items 

interface bundle-ether100.11
 service-policy type control subscriber PPP_PM

6.0         Exercise Verification Tasks 


6.1       Verify PPP session establishment 

Steps to Complete Task 

Step 1.        Go on the CPE and run the “test pppoe 1 1 <interface>” command (for example: gigabitEthernet 0/2.15). 

Step 2.        On the CPE: run “show ppp sessions”. 

Step 3.        On the BNG: run “show subscriber session all” and “show subscriber session all detail”.

o   Note that a subscriber session is handled as a regular interface. 

RP/0/RSP0/CPU0:BNG_POD_1#sh subscriber session all
Fri Oct  7 06:22:34.724 UTC
Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
       ID - Idle, DN - Disconnecting, ED - End
Type         Interface                State     Subscriber-IP
                                                LNS Address:Vrf
-------------------------------------------------------------------------
PPPoE:PTA    BE100.11.pppoe30           AC        199.1.1.11:default

o   Note Remote ID being collected, ALE + IWF tags, IP address and control-policy actions being executed.

RP/0/RSP0/CPU0:BNG_POD_1#sh subscriber session all detail
Fri Oct  7 06:25:19.531 UTC
Interface:                Bundle-Ether1.11.pppoe30
Circuit ID:               Unknown
Remote ID:                POD1
Type:                     PPPoE:PTA
IP Address:               199.1.1.11, VRF: default
Mac Address:              0005.0034.281a
Account-Session Id:       000000c3
Nas-Port:                 Unknown
Username:                 pod1
Subscriber Label:         0x000000c3
Created:                  Fri Oct  7 03:46:33 2011
State:                    Activated
Access-interface:         Bundle-Ether1.11
Policy Executed:
policy-map type control subscriber PPP_PM
  event Session-Start match-first [at Fri Oct  7 03:46:33 2011]
    class type control subscriber PPP do-until-failure [Succeeded]
      10 activate dynamic-template PPP_TPL [Succeeded]
  event Session-Activate match-first [at Fri Oct  7 03:46:36 2011]
    class type control subscriber PPP do-until-failure [Succeeded]
      10 authenticate aaa list default [Succeeded]
Session Accounting: disabled
User Profile Attribute List: 0x500bde14
1:  service-type    len=  4  svc<0> prot<0> tag<0> mand<0> client<0x0>NAS Prompt
2:  access-loop-encapsulation len=  3  01 02 03
3:  interworking-functionality-tag len=  1  True

Step 4.        On the BNG: “show pppoe interface” and “show ppp interface” 

o   Note again the Tags that were collected (for PPPoE output), and the various states of the PPP connection (from PPP output)

RP/0/RSP0/CPU0:BNG_POD_1#show pppoe interfaces
Fri Oct  7 06:28:56.879 UTC
Bundle-Ether1.11.pppoe30 is Complete
  Session id: 30
  Parent interface: Bundle-Ether1.11
  BBA-Group: pod1
  Local MAC address: 0026.982f.2d53
  Remote MAC address: 0005.0034.281a
  Outer VLAN ID: 11
  Tags:
    Service name:
    Max Payload: 1500
    IWF
    Remote ID: POD1
    ALE Data Link: Ethernet (0x01)
    ALE Encaps 1: Single-Tagged Ethernet (0x02)
    ALE Encaps 2: IPoA LLC (0x03)

RP/0/RSP0/CPU0:BNG_POD_1#show ppp interfaces
Fri Oct  7 06:29:02.987 UTC
Bundle-Ether1.11.pppoe30 is up, line protocol is up
  LCP: Open
     Keepalives enabled (60 sec, retry count 5)
     Local MRU: 1500 bytes
     Peer  MRU: 1500 bytes
  Authentication
     Of Peer: CHAP (Completed as pod1)
     Of Us:   <None>
  IPCP: Open
     Local IPv4 address: 101.101.1.1
     Peer IPv4 address:  199.1.1.11

Step 5.        On the BNG: check the PPP and PPPoE statistics. 

RP/0/RSP0/CPU0:BNG_POD_1#show pppoe statistics access-interface Bundle-Ether1.11
Fri Oct  7 06:32:07.804 UTC
Packets                     Sent        Received         Dropped
----------------------------------------------------------------
PADI                           0              10               0
PADO                          10               0               0
PADR                           0              10               0
PADS (success)                10               0               0
PADS (error)                   0               0               0
PADT                           9               0               0
Session-stage                  0               0               0
Other                          0               0               0
                           -----           -----           -----
TOTAL                         29              20               0

RP/0/RSP0/CPU0:BNG_POD_1#show ppp statistics interface Bundle-Ether1.11.pppoe30
Fri Oct  7 06:34:17.333 UTC
Bundle-Ether1.11.pppoe30
  LCP
    Packets                     Sent        Received
    Conf-Req                       2               2
    Conf-Ack                       2               1
    Conf-Nak                       0               0
    Conf-Rej                       0               0
    Echo-Req                     169            1003
    Echo-Rep                    1003             169
    Disc-Req                       0               0
    Line state brought up: 1
    Keepalive Link Failures: 0
  Authentication
    Packets                     Sent        Received
    PAP
      Request                      0               0
      Ack                          0               0
      Nak                          0               0
    (MS-)CHAP
      Challenge                    1               0
      Response                     0               1
      Rep Success                  1               0
      Rep Fail                     0               0
    AAA authentication timeouts: 0
  IPCP
    Packets                     Sent        Received
    Conf-Req                       1               2
    Conf-Ack                       1               1
    Conf-Nak                       1               0
    Conf-Rej                       0               0

6.2       Verify IPoE session establishment 

Steps to Complete Task 

Step 1.        Go on the CPE and no shut the interface gi0/2.<subif>  (For example:  interface gi0/2.1). 

Step 2.        On the CPE: run “show ip interface brief” to verify that an address is assigned. 

Step 3.        On the BNG check DHCP bindings. 

RP/0/RSP0/CPU0:BNG_POD_1#sh dhcp ipv4 proxy binding
Fri Oct  7 06:44:34.473 UTC
                                           Lease
MAC Address      IP Address      State    Remaining       Interface          VRF      Sublabel
--------------  --------------  ---------  ---------  -------------------  ---------  ----------
0005.0034.281a  172.20.1.16     BOUND      75979      BE1.1                default    0x45

RP/0/RSP0/CPU0:BNG_POD_1#sh dhcp ipv4 proxy binding detail
Fri Oct  7 06:44:37.543 UTC
MAC Address:                0005.0034.281a
VRF:                        default
server VRF:                 default
IP Address:                 172.20.1.16
Giaddr from client:         0.0.0.0
Giaddr to server:           172.20.1.254
Server IP Address:          10.100.1.1
Server IP Address to client 172.20.1.254
ReceivedCircuit ID:         -
InsertedCircuit ID:         0x00-04-00-65-00-01
ReceivedRemote ID:          -
InsertedRemote ID:          0x00-06-00-26-98-2f-5b-20
Profile:                    DEFAULT
State:                      BOUND
Lease:                      86400 secs (1d00h)
Remaining:                  75976 secs (21:06:16)
Client ID:                  0x00-0x43-0x50-0x45-0x5F-0x50-0x4F-0x44-0x31
Access Interface:           Bundle-Ether1.1
Access VRF:                 default
Subscriber Label:           0x45

6.3       BNG Show Activity 

On the BNG: “show subscriber session all” and “show subscriber session all detail” 

o   Note that a subscriber session is handled as a regular interface. 

o   Note the Circuit/Remote ID. 

o   Note the actions executed on the session, and that the authorization failed (i.e. the subscriber is not authenticated).

RP/0/RSP0/CPU0:BNG_POD_1#sh subscriber session all
Fri Oct  7 06:38:09.011 UTC
Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
       ID - Idle, DN - Disconnecting, ED - End
Type         Interface                State     Subscriber-IP
                                                LNS Address:Vrf
-------------------------------------------------------------------------
IP:DHCP      BE1.1.ip7                AC        172.20.1.16:default

    Important:  Note the Account-Session Id number.  You will use this later.  

RP/0/RSP0/CPU0:BNG_POD_1#sh subscriber session all detail
Fri Oct  7 06:38:12.277 UTC
Interface:                Bundle-Ether1.1.ip7
Circuit ID:               GigE0/2.1
Remote ID:                POD1
Type:                     IP: DHCP-trigger
IP Address:               172.20.1.16, VRF: default
Mac Address:              0005.0034.281a
Account-Session Id:       00000045
Nas-Port:                 Unknown
Username:                 unknown
Subscriber Label:         0x00000045
Created:                  Fri Oct  7 03:50:45 2011
State:                    Activated
Access-interface:         Bundle-Ether1.1
Policy Executed:
policy-map type control subscriber IP_PM
  event Session-Start match-first [at Fri Oct  7 03:50:45 2011]
    class type control subscriber DHCP do-until-failure [Succeeded]
      5 activate dynamic-template IPSUB_TPL [Succeeded]
      10 authorize aaa list default [Failed]
Session Accounting: disabled

RP/0/RSP0/CPU0:BNG_POD_1#sh ipsubscriber interface Bundle-eth1.1.ip7
Fri Oct  7 06:42:28.786 UTC
Interface: Bundle-Ether1.1.ip7
  Type: L2-connected
  Ifhandle: 0x8000be0
  Access Interface: Bundle-Ether1.1 (0x8000160)
  Subscriber IP: 172.20.1.16, MAC: 0005.0034.281a
  Subscriber Label: 0x45
  Initiator: DHCP
  Created: Oct  7 03:50:53 (age 02:51:36)
  VRF: default (0x60000000), Table: default (0xe0000000)
  State: Up(9) (old: Adjacency added(8))
  Last state change: Oct  7 03:50:53 (02:51:36 in current state)

Solution Explanation and Clarification 

During session initiation the authorization step fails, as shown above. Because of this, the restrictive ACL (IPSUB_FAIL_ACL) is applied to the session. 

Check the restrictive ACL by pinging the following addresses from the client: 

o    (i.e. 11.11.11.11)   It should not be reachable, since the restrictive ACL is applied. 

However, the session is up and does allow one address to be reached. In a real-world deployment this would typically be a web portal where the user can log in. To test this, ping the following address: 

o    (i.e. 11.11.11.100)   It should be reachable because the restrictive ACL allows this single address. 
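The checks above are done by eye on the CLI output. As an added example (not part of the original document and not IOS-XR code), the Python below parses the text of “show subscriber session all detail” into one record per session and lists the sessions whose control policy ran an authorize or authenticate action that failed, which are exactly the sessions still confined to the restrictive ACL. The first session in the embedded sample is the output shown above; the second is constructed for contrast.

```python
"""Parse 'show subscriber session all detail' output and flag sessions whose
control policy failed authorization (still sitting on the restrictive ACL).
Added example, not part of the original document."""
import re

# Constructed sample: the first record is the page's own output, the second is
# a made-up, successfully authorized session for contrast.
SAMPLE_OUTPUT = """\
RP/0/RSP0/CPU0:BNG_POD_1#sh subscriber session all detail
Fri Oct  7 06:38:12.277 UTC
Interface:                Bundle-Ether1.1.ip7
Circuit ID:               GigE0/2.1
Remote ID:                POD1
Type:                     IP: DHCP-trigger
IP Address:               172.20.1.16, VRF: default
Mac Address:              0005.0034.281a
Account-Session Id:       00000045
Nas-Port:                 Unknown
Username:                 unknown
Subscriber Label:         0x00000045
Created:                  Fri Oct  7 03:50:45 2011
State:                    Activated
Access-interface:         Bundle-Ether1.1
Policy Executed:
policy-map type control subscriber IP_PM
  event Session-Start match-first [at Fri Oct  7 03:50:45 2011]
    class type control subscriber DHCP do-until-failure [Succeeded]
      5 activate dynamic-template IPSUB_TPL [Succeeded]
      10 authorize aaa list default [Failed]
Session Accounting: disabled

Interface:                Bundle-Ether1.1.ip8
Circuit ID:               GigE0/2.2
Remote ID:                POD2
Type:                     IP: DHCP-trigger
IP Address:               172.20.1.17, VRF: default
Mac Address:              0005.0034.281b
Account-Session Id:       00000046
Nas-Port:                 Unknown
Username:                 ipsub
Subscriber Label:         0x00000046
Created:                  Fri Oct  7 03:52:10 2011
State:                    Activated
Access-interface:         Bundle-Ether1.1
Policy Executed:
policy-map type control subscriber IP_PM
  event Session-Start match-first [at Fri Oct  7 03:52:10 2011]
    class type control subscriber DHCP do-until-failure [Succeeded]
      5 activate dynamic-template IPSUB_TPL [Succeeded]
      10 authorize aaa list default [Succeeded]
Session Accounting: disabled
"""

# "Key:   value" header lines (key = letters, spaces, hyphens only, so the
# prompt and timestamp lines never match).
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z -]*?):\s+(?P<value>.*?)\s*$")
# "<seq> <action> [Succeeded|Failed]" lines under "Policy Executed:".
ACTION_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>.+?)\s+\[(?P<result>Succeeded|Failed)\]\s*$")


def parse_sessions(text):
    """Return one dict per session; policy actions go into the 'actions' list
    as (sequence, action, result) tuples."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Interface:"):          # a new session record starts
            cur = {"actions": []}
            sessions.append(cur)
        if cur is None or not line.strip():
            continue
        m = ACTION_RE.match(line)
        if m:
            cur["actions"].append((int(m["seq"]), m["action"], m["result"]))
            continue
        m = FIELD_RE.match(line)
        if m and not line.startswith((" ", "policy-map")):
            cur[m["key"]] = m["value"]
    return sessions


def unauthorized_sessions(sessions):
    """Sessions whose authorize/authenticate action failed: these carry the
    restrictive (walled-garden) ACL until a web logon succeeds."""
    return [s for s in sessions
            if any(result == "Failed" and action.split()[0] in ("authorize", "authenticate")
                   for _, action, result in s["actions"])]


if __name__ == "__main__":
    for s in unauthorized_sessions(parse_sessions(SAMPLE_OUTPUT)):
        print(f"{s['Interface']:24} Acct-Session-Id {s['Account-Session Id']}  "
              f"user={s.get('Username')}  ip={s.get('IP Address')}")
```

Feed it the saved output of the show command; the Account-Session Id of each flagged session is the value passed to the CoA tool later with -1 44,<session id>, leading zeros included.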

6.4       Verify Web Logon for IP subscribers 

Steps to Complete Task 

Step 1.        Log on to the RADIUS server and initiate the web logon. 

Step 2.        Use the command from command prompt “coa_w32 -f login.cfg -n 192.168.100.10<pod> -1 44,<session_id> -4 1,podip<pod>”  (Session ID is the Account-Session-Id collected earlier.) 

Step 3.        Ping (i.e. 11.11.11.11). It should now be reachable, since the permissive ACL (PERM_ALL) has replaced the restrictive one.

Task Verification 

6.5       Verify parameterized QoS for IP Subscribers 

Steps to Complete Task 

Step 1.        Verify that QoS is not yet enabled on the subscriber interface:

o   show policy-map interface <subscriber-interface>

Step 2.        Log on to the RADIUS server and initiate the QoS update for the VOIP class.

Step 3.        Use the command “coa_w32 -f voip.cfg -1 44,<session id> -n 192.168.100.10<pod>”

Step 4.        Verify that QoS is now enabled on the subscriber interface and that class VOIP is configured:

o    show policy-map interface <subscriber-interface>

RP/0/RSP0/CPU0:BNG_POD_1#sho policy-map interface Bundle-Ether1.1.ip24

Mon Oct 10 15:10:30.465 UTC

Bundle-Ether1.1.ip24 direction input: Service Policy not installed

Bundle-Ether1.1.ip24 output: sub_fffffffb24ffffff8cfffffff8

Class class-default

  Classification statistics          (packets/bytes)     (rate - kbps)

    Matched             :                   0/0                    0

    Transmitted         :                   0/0                    0

    Total Dropped       :                   0/0                    0

    Policy sub_fffffffb24ffffff8cfffffff8_child1 Class VOIP

      Classification statistics          (packets/bytes)     (rate - kbps)

        Matched             :                   0/0                    0

        Transmitted         :                   0/0                    0

        Total Dropped       :                   0/0                    0

      Policing statistics                (packets/bytes)     (rate - kbps)

        Policed(conform)    :                   0/0                    0

        Policed(exceed)     :                   0/0                    0

        Policed(violate)    :                   0/0                    0

        Policed and dropped :                   0/0                 

        Policed and dropped(parent policer)  : N/A

      Queueing statistics

        Queue ID                             : 16

        High watermark  (Unknown)           

        Inst-queue-len  (packets)            : 0

        Avg-queue-len   (Unknown)           

        Taildropped(packets/bytes)           : 0/0

        Queue(conform)      :                   0/0                    0

        Queue(exceed)       :                   0/0                    0

        RED random drops(packets/bytes)      : 0/0

    Policy sub_fffffffb24ffffff8cfffffff8_child1 Class class-default

      Classification statistics          (packets/bytes)     (rate - kbps)

        Matched             :                   0/0                    0

        Transmitted         :                   0/0                    0

        Total Dropped       :                   0/0                    0

      Queueing statistics

        Queue ID                             : 18

        High watermark  (Unknown)           

        Inst-queue-len  (packets)            : 0

        Avg-queue-len   (Unknown)           

        Taildropped(packets/bytes)           : 0/0

        Queue(conform)      :                   0/0                    0

        Queue(exceed)       :                   0/0                    0

        RED random drops(packets/bytes)      : 0/0

6.6       Initiate QoS update for VIDEO class. 

Steps to Complete Task 

Step 1.        Use command “coa_w32 -f video.cfg -1 44,<session id> -n 192.168.100.10<pod>”

Step 2.        Verify that QoS is enabled on the subscriber interface and that class VIDEO is configured:

o   show policy-map interface <subscriber-interface> 

RP/0/RSP0/CPU0:BNG_POD_1#sho policy-map interface Bundle-Ether1.1.ip24

Mon Oct 10 15:12:44.260 UTC

Bundle-Ether1.1.ip24 direction input: Service Policy not installed

Bundle-Ether1.1.ip24 output: sub_fffffffb24ffffff8cfffffff8

Class class-default

  Classification statistics          (packets/bytes)     (rate - kbps)

    Matched             :                   0/0                    0

    Transmitted         :                   0/0                    0

    Total Dropped       :                   0/0                    0

    Policy sub_fffffffb24ffffff8cfffffff8_child1 Class VOIP

      Classification statistics          (packets/bytes)     (rate - kbps)

        Matched             :                   0/0                    0

        Transmitted         :                   0/0                    0

        Total Dropped       :                   0/0                    0

      Policing statistics                (packets/bytes)     (rate - kbps)

        Policed(conform)    :                   0/0                    0

        Policed(exceed)     :                   0/0                    0

        Policed(violate)    :                   0/0                    0

        Policed and dropped :                   0/0                 

        Policed and dropped(parent policer)  : N/A

      Queueing statistics

        Queue ID                             : 16

        High watermark  (Unknown)           

        Inst-queue-len  (packets)            : 0

        Avg-queue-len   (Unknown)           

        Taildropped(packets/bytes)           : 0/0

        Queue(conform)      :                   0/0                    0

        Queue(exceed)       :                   0/0                    0

        RED random drops(packets/bytes)      : 0/0

    Policy sub_fffffffb24ffffff8cfffffff8_child1 Class class-default

      Classification statistics          (packets/bytes)     (rate - kbps)

        Matched             :                   0/0                    0

        Transmitted         :                   0/0                    0

        Total Dropped       :                   0/0                    0

      Queueing statistics

        Queue ID                             : 18

        High watermark  (Unknown)           

        Inst-queue-len  (packets)            : 0

        Avg-queue-len   (Unknown)           

        Taildropped(packets/bytes)           : 0/0

        Queue(conform)      :                   0/0                    0

        Queue(exceed)       :                   0/0                    0

        RED random drops(packets/bytes)      : 0/0


Review Questions 


Q1:      Does the event session-activate apply to DHCP sessions?  

Q2:      What event is triggered upon reception of a PADI? 

Q3:      When is the event session-activate triggered? 

Q4:      Can an IP address pool for PPPoE include .0 addresses? 

Q5:      What about .0 addresses for DHCP clients? 

Q6:      How does the 9k load balance subscriber traffic over a bundle? 

Q7:      And can I change that? 

Q8:      How do I advertise my subscriber addresses for PPPoE and DHCP? 

Q9:      Does an interface require an ip address for PPPoE sessions? 

Q10:    And for DHCP Sessions? 

Q11:    Answer why for Q9 and Q10 

Q12:    When doing Parameterized QOS, what needs to be preconfigured in XR? 

Q13:     Why can the giAddr be zero in some cases and how does XR deal with that? 

Q14:    What is the difference between an Authorize and Authenticate statement in a control policy? 

Q15:    Can I activate dynamic templates multiple times? 

Q16:    And if the templates are different? 

Q17:    What will happen with the configuration of the subscriber? 

Q18:    Can I use pQOS on bundle interfaces or phy interfaces or both? 



Appendix 


PPPoE client configuration IOS:

bba-group pppoe a9k

virtual-template 21

!

interface Virtual-Template21

ip address negotiated

ppp chap hostname test

ppp chap password 0 cisco

!

interface FastEthernet2/0.100

encapsulation dot1Q 100

pppoe enable group a9k

!

!start session:

test pppoe 1 1 fa 2/0.100

Sending tags with an IOS client

bba-group pppoe tagtest

virtual-template 20

service profile test

test vendor-tag remote-id string "XTH_TEST"

test vendor-tag 0x0090 010203

test tag 0x0001 1234567890

test vendor-tag 0x00FE

test tag 0x0120 05DC

test tag 0x0082 123405

test vendor-tag 0x0082 123405

Starting a PPPoE session from an IOS client (note: the tag configuration above needs “service internal” to be configurable):

Router# test pppoe 1 1 fa 2/0.100

This will start 1 session at 1 cps from FastEthernet 2/0.100; if the associated bba-group has tags in place, they are automatically inherited in the PADI transmission.

DHCP client configuration IOS:

interface GigabitEthernet0/1.1

encapsulation dot1Q 2

ip dhcp client client-id ascii CPE_POD1

ip dhcp client class-id CPE_7200

ip dhcp client circuit-id GigE0/1.1

ip dhcp client remote-id POD1

ip address dhcp

The DHCP client session is started automatically when the (sub)interface is brought up.

IOS Switch configuration:

interface GigabitEthernet0/1

description A9k-BNG g0/0/0/19

switchport trunk encapsulation dot1q

switchport mode trunk

speed nonegotiate

channel-group 1 mode active

!

interface GigabitEthernet0/2

description A9K-BNG->G0/1/0/19

switchport trunk encapsulation dot1q

switchport mode trunk

speed nonegotiate

channel-group 1 mode active

!

interface Port-channel1

switchport trunk encapsulation dot1q

switchport mode trunk

speed nonegotiate

!

interface FastEthernet0/1

description Access Port

switchport access vlan 10

switchport mode access

spanning-tree portfast


CoA:

To set up CoA:

Download the tool from this guide: https://supportforums.cisco.com/docs/DOC-16677

Sample profiles are also available at that link.

A few quick profiles follow. Each profile is a plain text file; the explanation in parentheses after a line is not part of the file.

Account-Logon:

ip-address=3.0.0.244                                  (address of the BNG; change to your BNG mgmt interface)

secret=cisco                                          (secret defined in the dynamic-author config)

destport=1700                                         (port defined in the dynamic-author config; 1700 is the default)

attribute2=26,9,1,subscriber:command=account-logon    (Cisco VSA carrying the account-logon command)

attribute3=26,9,1,subscriber:password=cisco           (password to use towards RADIUS)

attribute4=1,ipsub                                    (username to use towards RADIUS)

timeout=1                                             (seconds the tool waits for a response)

END                                                   (end identifier of the CoA profile)

Parameterized QOS:

ip-address=3.0.0.244

secret=cisco

destport=1700

attribute2=26,9,1,subscriber:command=account-update

attribute3=26,9,1,ip:qos-policy-out=add-class(sub,(class-default),shape(200))

attribute4=26,9,1,ip:qos-policy-out=add-class(sub,(class-default, 3play-voip),pri-level(1),police(128,8))

timeout=1

END

Change the shape rate (the shape(200) argument on the class-default line) to reflect the parent shape rate wanted on the session.

Adding a VIDEO class:

ip-address=3.0.0.244

secret=cisco

destport=1700

attribute2=26,9,1,subscriber:command=account-update

attribute3=26,9,1,ip:qos-policy-out=add-class(sub,(class-default, VIDEO), bw-abs(2048))

timeout=1

END

Removing a video class:

ip-address=3.0.0.244

secret=cisco

destport=1700

attribute2=26,9,1,subscriber:command=account-update

attribute3=26,9,1,ip:qos-policy-out=remove-class(sub,(class-default, VIDEO), bw-abs(2048))

timeout=1

END

Sending a COA command:

sw-lab-fw:32> coa -f coaqos -1 44,000000ea

CoA Client (version 2.2),(c) May-2009,

xander thuijs CCIE#6775 Cisco Systems Int.

End detected!

Using COA with :

NAS: 30000f4

Port: 1700

Secret: cisco

Timeout: 1 (0 means indefinite wait)

CoA: Request was accepted! (ID 2)

Reply message: '000000ea'

In this command, coaqos (the argument of -f) is the CoA profile file name, i.e. the text file with the CoA commands, and 000000ea (after -1 44,) is the Account-Session Id that you can find with the “show subscriber session all detail” command (keep the leading zeros intact; it needs to be 8 characters).

If all goes well, an accepted (CoA-ACK) or denied (CoA-NAK) response is shown.
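The profile files above are only a text front-end for a RADIUS CoA-Request (RFC 5176). The Python below is an added example, not Cisco's coa/coa_w32 tool and not code from the original document: it parses a profile in the format shown, applies a command-line style override for attribute1 (the -1 44,<session id> switch; treating -N as “replace attributeN” is an assumption drawn from the commands on this page), encodes the attributes including the Cisco-AVPair VSA (26,9,1), computes the Request Authenticator, and then plays the BNG side to show how a CoA-ACK/NAK Response Authenticator is verified. The embedded profile is constructed, modelled on the Adding-a-VIDEO-class profile above.

```python
"""Build and verify RFC 5176 CoA-Request/ACK/NAK packets from coa-tool style
profiles. Added example; not Cisco's coa tool, not from the original page."""
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45   # RFC 5176 packet codes
ATTR_VSA = 26                                 # Vendor-Specific (RFC 2865)
ATTR_ACCT_SESSION_ID = 44

# Constructed profile, same layout as the "Adding a VIDEO class" profile above.
VIDEO_PROFILE = """\
ip-address=3.0.0.244
secret=cisco
destport=1700
attribute2=26,9,1,subscriber:command=account-update
attribute3=26,9,1,ip:qos-policy-out=add-class(sub,(class-default, VIDEO), bw-abs(2048))
timeout=1
END
"""


def encode_attribute(spec):
    """Encode one profile entry: 'type,value' or '26,vendor,subtype,value'.
    A VSA value may itself contain commas (the pQoS strings do)."""
    atype = int(spec.split(",", 1)[0])
    if atype == ATTR_VSA:
        _, vendor, subtype, value = spec.split(",", 3)
        vb = value.encode()
        payload = struct.pack("!I", int(vendor)) + bytes([int(subtype), 2 + len(vb)]) + vb
    else:
        payload = spec.split(",", 1)[1].encode()
    if len(payload) > 253:
        raise ValueError("value too long for a single RADIUS attribute")
    return bytes([atype, 2 + len(payload)]) + payload


def decode_attributes(packet):
    """Inverse of encode_attribute: list of 'type,...' spec strings."""
    out, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        val = packet[pos + 2:pos + alen]
        if atype == ATTR_VSA:
            vendor = struct.unpack("!I", val[:4])[0]
            out.append(f"{atype},{vendor},{val[4]},{val[6:6 + val[5] - 2].decode()}")
        else:
            out.append(f"{atype},{val.decode()}")
        pos += alen
    return out


def parse_profile(text):
    """'key=value' lines up to END; attributeN keys keep their index N."""
    prof = {"attributes": {}}
    for line in text.splitlines():
        line = line.strip()
        if line == "END":
            break
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.startswith("attribute"):
            prof["attributes"][int(key[9:])] = value
        else:
            prof[key] = value
    return prof


def build_coa_request(secret, attr_specs, identifier):
    attrs = b"".join(encode_attribute(s) for s in attr_specs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator (RFC 5176 s2.3): MD5 over the packet with the
    # authenticator field zeroed, followed by the shared secret.
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def build_from_profile(text, overrides, identifier=1):
    """overrides models the tool's '-N type,value' switches, e.g. {1: '44,000000ea'}
    (assumed semantics: -N replaces attributeN)."""
    prof = parse_profile(text)
    specs = {**prof["attributes"], **overrides}
    for spec in specs.values():
        atype, value = spec.split(",", 1)
        if int(atype) == ATTR_ACCT_SESSION_ID and len(value) != 8:
            raise ValueError("Acct-Session-Id must keep its zero padding (8 chars)")
    return build_coa_request(prof["secret"].encode(), [specs[i] for i in sorted(specs)], identifier)


def verify_request(packet, secret):
    """What the NAS (BNG) checks before acting on a CoA-Request."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(request, code, secret, attrs=b""):
    """NAS side: the ACK/NAK authenticator is MD5 over the reply with the
    *request* authenticator in place, then the secret (RFC 5176 s2.3)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_response(request, response, secret):
    """Client side: (code, authentic). A reply that fails verification must be
    treated as no reply, whatever its code says."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return code, False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code, hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    request = build_from_profile(VIDEO_PROFILE, {1: "44,000000ea"}, identifier=2)
    print("CoA-Request attributes:", decode_attributes(request))
    # Simulated BNG: checks the secret, then answers with CoA-ACK.
    if verify_request(request, b"cisco"):
        print("Reply:", verify_response(request, build_response(request, COA_ACK, b"cisco"), b"cisco"))
```

The bytes returned by build_from_profile are what the tool sends as one UDP datagram to ip-address:destport. Note that the authenticator is an MD5 over the packet plus the shared secret, not a keyed MAC: anyone who can reach port 1700 and knows or guesses the secret can push QoS or account-logon changes into live sessions, so outside a lab keep the dynamic-author client list restricted to the RADIUS/portal hosts and use a secret that is not “cisco”.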



Comments
dfauluchi
Level 1

Hi Alexander,

We are using dhcp ipv4 proxy profile. How can we clear a particular binding using assigned IP address?

XR version 4.3.1

Thanks, Diego.

xthuijs
Cisco Employee

hi diego, you can't... and it is a bit dangerous too if you have multiple sessions using the same addr in different VRFs.

we can clear on mac addr and interface (but that is the access interface, so it might result in clearing multiple sessions in one go also)

regards

xander

dfauluchi
Level 1

Hi Xander,

We are using this config:

dhcp ipv4

profile DHCP proxy

  class VOIP-IAD

   match vrf VOIP-IAD

   helper-address vrf VOIP-IAD 172.19.0.21 giaddr 10.21.0.1

  !

!

interface TenGigE0/7/0/3.3598 proxy profile DHCP

interface TenGigE0/7/0/3.3599 proxy profile DHCP

!

interface Loopback1002

vrf VOIP-IAD

ipv4 address 10.21.0.1 255.255.192.0

!

interface TenGigE0/7/0/3.3598

service-policy input setvoip

vrf VOIP-IAD

ipv4 point-to-point

ipv4 unnumbered Loopback1002

arp timeout 30

encapsulation dot1q 3598

!

What we need is to list only connected subscribers. If one subscriber is disconnected, we wouldn't notice.

In IOS we could clear arp cache and clear ip routing table for just one ip address (one subscriber). Now we see the ARP table differently for dynamic learned or DHCP assigned addresses.

RP/0/RSP1/CPU0:XXXXXX#sh arp vrf VOIP-IAD

Wed Oct 23 11:08:25.425 GMT

-------------------------------------------------------------------------------

0/6/CPU0

-------------------------------------------------------------------------------

Address         Age        Hardware Addr   State      Type  Interface

10.21.66.35     -          cc5d.4e1a.f35b  DHCP       ARPA  TenGigE0/7/0/3.3598

10.21.66.36     -          7488.8b70.85b9  DHCP       ARPA  TenGigE0/7/0/3.3598

10.21.66.37     -          0090.8f23.8610  DHCP       ARPA  TenGigE0/7/0/3.3598

10.53.146.77    00:00:04   c86c.87fc.45ce  Dynamic    ARPA  TenGigE0/7/0/3.3598

10.53.194.187   00:00:08   cc5d.4ea6.46be  Dynamic    ARPA  TenGigE0/7/0/3.3598

We can clear ARP cache for dynamic (age goes to 0), but not for the others.

Can you tell if the command clear dhcp ipv4 server binding would help?

(available from 5.2)

Thanks, Diego.

xthuijs
Cisco Employee

yeah in XR however in this model there is no ARP used at all.

the binding is used for forwarding to the subscriber, this to ensure security in terms of arp poisoning prevention, so there may be an ARP entry but it is not used for forwarding.

in the upstream, the 9k would respond to its unnumbered/local address requests and can function as a proxy also for peer to peer connectivity.

so the command for the dhcp binding clearing is:

clear dhcp ipv4 proxy binding .....mac/if/etc

5.2 is not out yet, not in EFT either.

regards

xander

Sebastiaan1978
Level 1

Hi Xander,

I'm using IPoE sessions and apply an ACL through the dynamic template similar to your chapter 1.2. I notice the acl works by a ping-test, but when I use <show ipv4 int Bundle-Ether1.300.ip7> I see no access-list inbound or outbound access-list applied to the subscriber interface, is this correct?

Bundle-Ether1.300.ip7 is Up, ipv4 protocol is Up

  Vrf is default (vrfid 0x60000000)

  Interface is unnumbered.  Using address of Loopback300 (x.x.x.x)

  MTU is 1500 (1500 is available to IP)

  Helper address is not set

  Directed broadcast forwarding is disabled

Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is disabled

  ICMP redirects are never sent

  ICMP unreachables are always sent

  ICMP mask replies are never sent

  Table Id is 0xe0000000

IP unicast RPF check is enabled

RPF mode strict

Regards, Sebastiaan

xthuijs
Cisco Employee

hey sebastiaan,

yeah known issue, working on getting that fixed, because it is very annoying.

you can use the following trick to see what the hw programmed:

show access-lists <acl_name> usage pfilter location 0/RSP1/CPU0

location is the RSP for bundle sessions or the LC for phy/sub termination (either RSP0 or RSP1)

example output:

RP/0/RSP1/CPU0:A9K-BOTTOM#show access-lists BNG_test usage pfilter location 0/RSP1/CPU0
Interface : Bundle-Ether1001.100.pppoe9

    Input ACL : N/A

    Output ACL : BNG_test

RP/0/RSP1/CPU0:A9K-BOTTOM#

ipv4 access-list BNG_test

10 permit icmp any any

20 deny tcp any any eq telnet

30 permit ipv4 any any

regards

xander

aanderson
Level 1

Xander,

I have been able to get a session up using encap dot1q 100 on our bundle interface, however, I would prefer to use encapsulation ambiguous.  When this is implemented, the DHCP server receives a 0.0.0.0 Giaddr and cannot select the proper pool.  I have included the configurations below along with the show subscriber output

RP/0/RSP1/CPU0:GATEWAY1#sh run int bundle-ether 2.1

Fri Feb 28 08:04:02.701 UTC

interface Bundle-Ether2.1

ipv4 point-to-point

ipv4 unnumbered Loopback0

service-policy type control subscriber IP_SUB_PMAP

encapsulation dot1q 100

ipsubscriber ipv4 l2-connected

  initiator dhcp

  initiator unclassified-source

!

!

RP/0/RSP1/CPU0:GATEWAY1#show subsc sess all       

Fri Feb 28 08:04:09.075 UTC

Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,

       ID - Idle, DN - Disconnecting, ED - End

Type         Interface                State     Subscriber IP Addr / Prefix                             

                                                LNS Address (Vrf)                             

--------------------------------------------------------------------------------

IP:DHCP      BE2.1.ip7                AC        192.168.132.2 (default)             

RP/0/RSP1/CPU0:GATEWAY1#

RP/0/RSP1/CPU0:GATEWAY1#sh run int bundle-ether 2.1

Fri Feb 28 08:04:50.234 UTC

interface Bundle-Ether2.1

ipv4 point-to-point

ipv4 unnumbered Loopback0

service-policy type control subscriber IP_SUB_PMAP

ipsubscriber ipv4 l2-connected

  initiator dhcp

  initiator unclassified-source

!

encapsulation ambiguous dot1q any

!

RP/0/RSP1/CPU0:GATEWAY1#show subsc sess all       

Fri Feb 28 08:04:53.288 UTC

Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,

       ID - Idle, DN - Disconnecting, ED - End

Type         Interface                State     Subscriber IP Addr / Prefix                             

                                                LNS Address (Vrf)                             

--------------------------------------------------------------------------------

RP/0/RSP1/CPU0:GATEWAY1#

Is there something I'm missing to bind the gateway to this interface?

Thanks,

Tony

xthuijs
Cisco Employee

hey tony,

I think I need to see the show run dhcp ipv4 also to see precisely.

the giAddr is set in that configuration and should be set to the address of the unnumbered loopback routable TO the BNG, which then also acts as the default gateway for the sessions.

Can you give me a show run of the loop0 also please? (and maybe the policy-map to make sure that everything is set for there also).

cheers!

xander

aanderson
Level 1

Hi Xander,

Here are the configuration pieces you requested:

dhcp ipv4

profile DHCP_SUBS proxy

  broadcast-flag policy check

  helper-address vrf default 66.38.2.14 giaddr 192.168.132.1

  relay information option

  relay information policy keep

  relay information option allow-untrusted

!

interface Bundle-Ether2.1 proxy profile DHCP_SUBS

!

interface Loopback0

ipv4 address 192.168.132.1 255.255.255.0

class-map type control subscriber match-any SUBS

match protocol dhcpv4

end-class-map

!

policy-map type control subscriber IP_SUB_PMAP

event session-start match-first

  class type control subscriber SUBS do-until-failure

   10 activate dynamic-template IPSUBS

  !

!

end-policy-map

!

dynamic-template

type ipsubscriber IPSUBS

  accounting aaa list SUBS type session

  ipv4 unnumbered Loopback0

!

Please let me know if there is anything further I can do to help troubleshoot this issue.

Thanks,

Tony

xthuijs
Cisco Employee

ah thanks for that tony, I think I see what is going on...

when you have amb vlans, you need to broadcast the offer to the client.

unfortunately, at this point (due to the way the inject works for amb vlans) we can't "preroute" the packet as on dedicated vlan.

potential solution: set the broadcast policy flag to broadcast always.

I am working on having a different inject so we can unicast the offer to the client.

If that is still not it, maybe you can get us the debug dhcp ipv4 proxy event/<cr>, debug dhcp packet/er/ev.

ps for troubleshooting cases like this it may be best to raise new topics on the larger forum, so that more people see it to pipe in. comments on a doc as here only is seen by authors, modifiers and people who have previously commented (just to get more attention to this)...

cheers!

xander

Pat Smyth
Community Member

Hi Alexander,

I have a question around failover of CPE clients in IPOE environment vs PPPOE.

PPPoe has the native keep alives built in; so the CPE device can detect if the BNG is gone and re-establish;

How does this work for the CPE device in the case of IPOE; Is there some "keepalive function" other than DHCP lease expiry that keeps the CPE in the loop as to the state of the network that the ASR9K BNG reponds to?

If this is not the case; would you not end up needing to have a really short DHCP renew lease timer to use instead; but would this not overload the 9K; especially in large networks.... is there optimal lease timers etc..?

What is the best way of doing this for CPE clients with IPOE rather than reverting back to PPPOE and using the native keepalives built into to the protocol.   What are the options?

Any help would be greatly appreciated.

I am really thinking of a lot of subscribers needing to failover "as fast as possible" as opposed to getting no answer eventually from the DHCP renew and thinking "perhaps i should try and re-broadcast dhcp request and look for another BNG.

xthuijs
Cisco Employee

yeah that is the funny problem, with the ppp subs, you have native lcp keeps, with ipoe sessions we dont have native keeps; you can rely on the lease time, or if you want it shorter leverage the lease proxy functionality (so that there is a shorter lease time, but no overload on the dhcp server transactions).

another option would be to use idle timers (with packet trigger), idle timers detecting the absence of the sub, packet trigger allowing them to re-establish without a dhcp renew.

arp keeps are tricky (people's fav), not recommended, not supported either, so little point discussing that possibly.

regards

xander

Pat Smyth
Community Member

Thanks for the quick response.

I thought from a previous thread you mentioned with the idle-timer even through subscriber is deleted on the BNG; their lease remains and you can end up blackholing the subscriber?

how does the packet trigger function help / or do in this case? where a client has to failover to another BNG

With lease proxy doesnt the BNG now get hammered instead of the DHCP server? Is that not the same problem just moved to the BNG?

Thanks

xthuijs
Cisco Employee

if you pull an idle timer the subscriber interface is deleted, so can't forward traffic, or it will be routed against the access interface.

with the packet trigger we can recreate a subscriber interface based on unclassified source so this sub can continue to forward its traffic.

xander

Alireza Karimi
Level 1

Hi Alexander

In IOS we had the following command in RADIUS configuration:

radius-server directed-request

(directed-request   Allow user to specify radius server to use with `@server')

Is there an equivalent command in IOS XR?

Best Regards
