ASR9000 Understanding the BNG configuration (a walkthrough) - Page 2

xthuijs · ‎11-07-2011

Introduction

In this document we're walking through a configuration setting up BNG for IPoE and PPPoE. The Setup for this configuration is similar to the setup you can see in the YouTube video for an ip sessions demo.

Problem Description

Detailed description of how to set up the configuration and the options establishing PPPoE and IPoE sessions. Understanding the anatomy of a control policy language.

Setup

Configuration and Explanations

hostname A9K-BNG

radius-server host 3.0.0.38 auth-port 1645 acct-port 1646

!Radius-server definition with ip address and UDP ports it is going to !use.

key 7 045802150C2E

!Secret key for the radius communication

timeout 1

!Maximum time waiting for response

retransmit 1

!Maximum number of times you retransmit the request, after waiting <timeout> time.

!COA server definition

aaa server radius dynamic-author

port 1700

!COA port is standard 1700

client 3.0.0.1 vrf default server-key 7 13061E010803

client 10.86.1.49 vrf default server-key 7 14141B180F0B

!The clients from which we are going to accept a COA Response.

!Attribute definitions that we can reference for the nas-port

!building.

!”MY_AUTH” will take the mac address, circuit ID and remoteIDand

!append them together separated by hash signs. If one of the fields is

!not available, an empty string will be provided for that portion.

!example 0000.1111.2222##remoteid or 0000.2222.1111#circ#remote

!

aaa attribute format MY_AUTH

mac-address plus circuit-id plus remote-id separator #

!

aaa attribute format NAS_PORT_FORMAT

circuit-id plus remote-id separator .

! Nas-port computation for PPPoE(32) and if not pppoe then follow the

! global (non typed) logic

aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU type 32

aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU

!Set up the XR nas-port-id (attr87) for sessions following the nas-

!port format instructions above.

aaa radius attribute nas-port-id format NAS_PORT_FORMAT

!Set up for AAA usage. Note that we don’t have “aaanew-model” in

!XR. Also “subscriber” is used for BNG. Method “PPP” is used for

!serial PPP.

aaa authorization subscriber default group radius

aaa authentication subscriber default group radius

!DHCP configuration

dhcp ipv4

!specify a profile name and define what method is used, relay, proxy

!or snooping.

profile AutoSelectGiaddr proxy

!Different classes may be defined. This is not necessarily the

!vendor class, but here we can check certain options in the discover

!to selectively set the helper address and giaddr. That last one

!will affect the pool we’re going to use on the dhcp server.

class HardPhone1

match option 60 hex 4861726450686F6E6531 mask 0

!the option 60 is vendor-class followed by a hex string. I chose it

!to match the “class” section from the line above, but that is not

!necessary. The mask defines which bytes are must match and don’t

!cares. Mask of 0 means full match.

helper-address vrf default 81.1.1.2 giaddr10.1.1.254

!

class HardPhone2

match option 60 hex 4861726450686F6E6532 mask 0

helper-address vrf default 81.1.1.2 giaddr172.28.15.254

!

relay information option

relay information policy replace

relay information option remote-id testme

relay information option allow-untrusted

! This configuration above defines the option 82 handling.

! Allow untrustedmeans that we accept dhcp discovers with a 0.0.0.0

! giaddr, which is normally the case when there is no relay between

! the client and the 9k.

Relay information Policy:

Case #

Received Packet

Option-82 Suboptions

Configured

Option-82 Suboptions

Forwarded Packet

Option-82 Suboptions

for Full-Option-82 keep

Forwarded Packet

Option-82 Suboptions

for Individual-Suboption keep

Forwarded Packet

Option-82 Suboptions

for replace

1

“rx-cid”

“rx-rid”

“in-rid”

vpn-id

“rx-cid”

“rx-rid”

“rx-cid”

“rx-rid”

vpn-id

“rx-cid”

“in-rid”

vpn-id

2

“rx-cid”

“in-rid”

vpn-id

“rx-cid”

“in-rid”

vpn-id

“rx-cid”

“in-rid”

vpn-id

3

“in-rid”

vpn-id

“in-rid”

vpn-id

“in-rid”

vpn-id

“in-rid”

vpn-id

! Define the interfaces and the attached profiles

interface Bundle-Ether100.2 proxy profile AutoSelectGiaddr

interface Bundle-Ether1001.2 proxy profile AutoSelectGiaddr

!

pppoe bba-group X

tag ppp-max-payload minimum 1200 maximum 2000

service selection disable

! PPPoE group definition. Currently there is limited service selection

!support (just matching on service name). The COS values for PPPoE

!control can be defined here and the processing/support for max-

!payload tag. In IOS you could configure the processing of vendor-tags

!and strip them selectively. In XR we always process the tags and we

!always strip them from a PADR

!IP address pool definition

pool vrf default ipv4 POOL

address-range 199.1.1.1 199.1.255.255

!

!The dynamic templates are like IOS virtual-templates. The base !configuration for each session is defined here. L3 features as well !as PPP specific parameters are defined here.

dynamic-template

type ppp TPL

ppp authentication chap

ppp ipcp dns 1.2.3.4 1.2.3.3

ppp ipcp peer-address pool POOL

ipv4 unnumbered Loopback1000

!

type ipsubscriberIPSUB

ipv4 unnumbered Loopback12

ipv4 access-group IPSUB_FAIL_ACL ingress

ipv4 access-group IPSUB_FAIL_ACL egress

!Few ACL definitions referenced in the radius profile, qos class-maps

!or in the dynamic template.

ipv4 access-list PERM_ALL

10 permit ipv4 any any

20 permit icmp any any

!

ipv4 access-list lab-video

20 permit udp any any eq 5544

30 permit udp host 49.1.1.2 any

!

ipv4 access-list IPSUB_FAIL_ACL

5 permit icmp any any

10 permit tcp any host 49.1.1.2 eqwww

15 permit tcp host 49.1.1.2 eqwww any

20 deny ipv4 any any

!QOS class-map used in COA parameterized QOS requests

!remember that with pQOS you can define the policy-map via RADIUS,

!however you need to define your class-maps locally in XR.

class-map match-any VIDEO

match access-group ipv4 lab-video

end-class-map

!

class-map match-any 3play-voip

match access-group ipv4 telnet

end-class-map

!These are the class-maps used later in the control policy. You can

!match on various aspects of the interface/session. Like username,

!domain. In this case we have simple class-maps that match on the

!protocol so we are doing to differentiate between PPP and IPsubs

!

class-map type control subscriber match-any PPP

match protocol ppp

end-class-map

!

class-map type control subscriber match-any DHCP

match protocol dhcpv4

end-class-map

!

!In this sample class-map we are taking the username and apply a

!separator switch on it as defined in the “format DOMAIN” attribute

!definition and see if that domain name matches “vrf_vpn”

class-map type control subscriber match-any matchdomain

match domain vrf_vpn format DOMAIN

end-class-map

!

!This is the most important part, the XR control Policy.

policy-map type control subscriber sub

event session-start match-first

!

!Events: during the session life time, various events are triggered. !In this case a session-start event we provide a handler for. This is

!the reception of a PADI for pppoe sessions or a dhcp discover for IP

!sessions.

!The match-first describes that we are only handling one class of the !event, and the class that we match first.

!This as opposed to match-all, which means that we will traverse all

!classes to see if they match and execute the actions defined

!underneath the class.

!

Event	What does it do or when is it triggered?
session-start	when we get the first sign of life (for pppoe that is at PADR)
session-activate	This is done at the authentication phase – i.e. when we’ve got the username/password (or challenge/response) *(PPPoE ONLY)*
authentication-failure*	when we receive an access-reject from radius
authentication-no-response	when the method list for authentication request does not return any response (success/reject)
authorize-failure*	when we receive an access-reject from radius
authorize-no-response	when the method list for authen or author does not return any response (success/reject)
service-stop	when a service that is applied to the session is removed or stopped

class type control subscriber CLASS do-until-failure

!

!CLASS: Underneath that event, we define the classes. In this example

!I created 2 classes to match specifically on DHCP and PPP sessions.

!I can have 1 control policy with 1 event, and then the class

!differentiator to determine what I want to do specifically/separately

!for both session types.

!

Do until?	What does it do?
do-until-failure	Until we receive a failure (eg access reject or no radius response or feature application failure) We stop the execution.
do-until-success	When we successfully executed the task we stop.
do-all	Regardless of the success or failure all actions are executed

!

10 activate dynamic-template TPL

!

!Activation of the dynamic template configuration. PPP will take the !LCP parameters and auth protocol from there.

!

!Class-actions:

!

event session-activate match-first

class type control subscriber CLASS do-until-failure

10 activate dynamic-template TPL

20 authenticate aaa list default

Authenticate: Use the username and password from the line and send it to the servers defined in the list

Authorize: More flexible then authenticate, still the SAME radius request (access-request) but flexibly formatted with a username composed of different information such as domain, circuit-id, nas-port etc

Note: Because authenticate uses the line username, it is generally useless on the session-start event, the authorize with which you compose the username based on mac/circuit id etc is very useful in both session start and activate

!

end-policy-map

!

policy-map type control subscriber ipsub

event session-start match-first

class type control subscriber DHCP do-until-failure

10 authorize aaa list default identifier source-address-mac password cisco

! Use the authorize here to compose the username to be sent to

! radius. In this case we use pw cisco as the password.

!

end-policy-map

! Define the bundle-ether master and configure for destination ip

! based loadbalancing, this so each subscriber hashes all its traffic ! onto one member only for accurate QOS

interface Bundle-Ether100

bundle load-balancing hash dst-ip

! The IP session interface must have an ip address. This in order to

! accept ip packets, the dhcpdiscover.

! If the unicast flag is set, like in MAC OSX or WXP (IOS dhcp client

! leaves the broadcast flag), then this address MUST be the same as

! the subnet for the ip sessions. If it is not the same we can’t

! unicast the offer.

interface Bundle-Ether100.2

ipv4 address 87.78.77.1 255.255.255.0

service-policy type control subscriber ipsub_fancy_auth

encapsulation dot1q 2

ipsubscriber ipv4 l2-connected

initiator dhcp

initiator unclassified-source

!

! Define the bundle sub interface for the right vlan, enable for PPPoE

! via the bba-group and attach the control policy

interface Bundle-Ether100.20

service-policy type control subscriber sub

pppoe enable bba-group X

encapsulation dot1q 20

! Loopback interface for ppp sessions

interface Loopback1000

ipv4 address 101.101.1.1 255.255.255.255

!

interface GigabitEthernet0/0/0/19

! Enable LACP on the bundle member and set it to bundle-e100

bundle id 100 mode active

load-interval 30

!

interface GigabitEthernet0/1/0/19

! Enable LACP on the bundle member and set it to bundle-e100

bundle id 100 mode active

load-interval 30

Show command verification

RP/0/RSP0/CPU0:A9K-BNG#show subscr ses all det
Mon Nov 7 17:20:27.701 EDT
Interface: Bundle-Ether100.2.ip5
Circuit ID:
Remote ID: testme
Type: IP: DHCP-trigger
IP Address: 172.28.15.1, VRF: default
Mac Address: 0019.2f43.9a38
Account-Session Id: 00000044
Nas-Port: 67108896
Username: unknown
Subscriber Label: 0x00000044
Created: Thu Nov 3 16:26:33 2011
State: Activated
Authentication: unauthenticated
Access-interface: Bundle-Ether100.2
Policy Executed:
policy-map type control subscriber ipsub_fancy_auth
event Session-Start match-first [at Thu Nov 3 16:26:33 2011]
class type control subscriber DHCP do-until-failure [Succeeded]
5 activate dynamic-template IPSUB [Succeeded]
10 authorize aaa list default [Failed]
Session Accounting: disabled
Last COA request received: never
User Profile Attribute List: None

Interface: Bundle-Ether100.100.pppoe2
Circuit ID: Unknown
Remote ID: Unknown
Type: PPPoE:PTA
IP Address: 199.1.1.2, VRF: default
Mac Address: 0019.2f43.9a38
Account-Session Id: 00000145
Nas-Port: 67110466
Username: test
Subscriber Label: 0x00000145
Created: Thu Nov 3 16:28:10 2011
State: Activated
Authentication: authenticated
Access-interface: Bundle-Ether100.100
Policy Executed:
policy-map type control subscriber sub
event Session-Start match-first [at Thu Nov 3 16:28:10 2011]
class type control subscriber CLASS do-until-failure [Succeeded]
10 activate dynamic-template TPL [Succeeded]
event Session-Activate match-first [at Thu Nov 3 16:28:31 2011]
class type control subscriber CLASS do-until-failure [Succeeded]
10 activate dynamic-template TPL [Succeeded]
20 authenticate aaa list default [Succeeded]
Session Accounting: disabled
Last COA request received: never
User Profile Attribute List: 0x500c0d24
1: service-type len= 4 value= Framed
2: sub-qos-policy-out len= 5 value= shape

Related Information

smailmilak · ‎07-18-2013

Great, important is that I don't have any restrictions because of the "unauthenticated" flag. I hope that they will honor your request and release it in 4.3.3 .

After captive portal is fully tested I well test authorization based of composed username.

I love the granularity of Cisco BNG.

Thank you Xander.

xthuijs · ‎07-18-2013

Working on it mate 433 may not be a a9k release, but I usually get my way in some release (ssh dont tell ).

Awesome to hear you like the 9k BNG!!

talk to you soon!

xander

smailmilak · ‎07-18-2013

Hello Xander,

it's me again

I configured DHCP snooping and option 82 on the access switch (C2960). Additionaly I have this on my BNG

dhcp ipv4

profile IP_SUB proxy

helper-address vrf default 10.100.14.109 giaddr 10.100.30.1

relay information option

relay information option allow-untrusted

!

interface Bundle-Ether992.3127 proxy profile IP_SUB

I tried to manually add remote-id on BNG and it is working fine, and we will probably prepend remote-id.

But for now I need some clarification regarding circuit-id and remote-id that I see after enabling option 82

RP/0/RSP0/CPU0:BNGDEMO#show subscriber sess all det

Fri Jul 19 08:50:01.414 UTC

Interface: Bundle-Ether992.3127.ip201

Circuit ID: 00040c3700e0

Remote ID: 0006d867d924ffe9

Type: IP: DHCP-trigger

IPv4 State: Up, Fri Jul 19 08:50:01 2013

IPv4 Address: 10.100.30.100, VRF: default

Mac Address: 000a.e43c.a077

Account-Session Id: 00000051

Nas-Port: Unknown

User name: unknown

Outer VLAN ID: 3127

Subscriber Label: 0x00000051

Created: Fri Jul 19 08:50:00 2013

State: Activated

Authentication: unauthenticated

Access-interface: Bundle-Ether992.3127

Policy Executed:

policy-map type control subscriber IP_SUB_PMAP

event Session-Start match-first [at Fri Jul 19 08:50:00 2013]

class type control subscriber IP_SUB do-until-failure [Succeeded]

10 activate dynamic-template IPSUB_TEMPLATE [Succeeded]

20 activate dynamic-template HTTP_FORCE_REDIRECT [Succeeded]

Session Accounting:

Method-list: default

Accounting started: Fri Jul 19 08:50:01 2013

Interim accounting: Off

Last COA request received: unavailable

I thought that I will see under circuit-id something I can interpret, interface ID and VLAN and more?

Do I have to configure something on the external DHCP server which is running on Linux, or is the dhcp ipv4 config enough that I have on the BNG?

p.s. I researched about Option 82 and could not find anything that could clarify this output. Do you have an show subscriber output that I could use as reference?

I only found out that C37 (Circuit ID: 00040c3700e0)
is my VLAN ID 3127 thanks to this picture.

smailmilak · ‎07-19-2013

I also have problems with CoA.

This is the config:

aaa server radius dynamic-author

port 1700

client 10.100.13.133 vrf default server-key 7 00263D2127742A

client 10.100.14.108 vrf default server-key 7 00263D2127742A

coa_w32.exe -n 10.100.11.6 -p 1700 -k BNGCOA -1 1,asr1 -2 2,1asr1

is returning this message:

CoA Client (version 2.6),(c) April-2012,

xander thuijs CCIE#6775 Cisco Systems Int.

Using COA with :

NAS: a640b06

Port: 1700

Secret: BNGCOA

Timeout: 2 (0 means indefinite wait)

COA: NAS did not honour our request! (ID 6)

User/pass should work because it's working for PPPoE user.

I tried with -f logon (cfg file)

ip-address=10.100.11.6

secret=BNGCOA

destport=1700

attribute1=44,0000005b

attribute2=26,9,1,subscriber:command=account-logon

attribute3=26,9,1,subscriber:password=1asr1

attribute4=1,asr1

And I get this:

C:\>coa_w32.exe -f logon

CoA Client (version 2.6),(c) April-2012,

xander thuijs CCIE#6775 Cisco Systems Int.

Unrecognized token, skipping: 'timeou

Using COA with :

NAS: a640b06

Port: 1700

Secret: BNGCOA

Timeout: 1 (0 means indefinite wait)

COA: NAS did not honour our request! (ID 93)

Removing "timeout=1" error messages says

Unrecognized token, skipping: 'attribute'

I have this under show subscriber:

RP/0/RSP0/CPU0:BNGDEMO#show subscriber sess all det

Fri Jul 19 13:57:03.464 UTC

Interface: Bundle-Ether992.3127.ip202

Circuit ID: 00040c3700e0

Remote ID: 0006d867d924ffe9

Type: IP: DHCP-trigger

IPv4 State: Up, Fri Jul 19 12:17:07 2013

IPv4 Address: 255.255.255.254, VRF: Internet

Mac Address: 000a.e43c.a077

Account-Session Id: 0000005b

Nas-Port: Unknown

User name: asr1

Outer VLAN ID: 3127

Subscriber Label: 0x0000005b

Created: Fri Jul 19 12:17:06 2013

State: Activated

Authentication: authenticated

Access-interface: Bundle-Ether992.3127

Policy Executed:

policy-map type control subscriber IP_SUB_PMAP

event Session-Start match-first [at Fri Jul 19 12:17:06 2013]

class type control subscriber IP_SUB do-until-failure [Succeeded]

10 activate dynamic-template IPSUB_TEMPLATE [Succeeded]

20 activate dynamic-template HTTP_FORCE_REDIRECT [Succeeded]

event Account-Logon match-first [at Fri Jul 19 13:35:36 2013]

class type control subscriber IP_SUB do-until-failure [Succeeded]

10 authenticate aaa list default [Succeeded]

20 deactivate dynamic-template HTTP_FORCE_REDIRECT [Succeeded]

event Account-Logon match-first [at Fri Jul 19 13:55:02 2013]

class type control subscriber IP_SUB do-until-failure [Succeeded]

10 authenticate aaa list default [Succeeded]

20 deactivate dynamic-template HTTP_FORCE_REDIRECT [Failed]

event Account-Logon match-first [at Fri Jul 19 13:57:00 2013]

class type control subscriber IP_SUB do-until-failure [Succeeded]

10 authenticate aaa list default [Succeeded]

20 deactivate dynamic-template HTTP_FORCE_REDIRECT [Failed]

Session Accounting:

Method-list: default

Accounting started: Fri Jul 19 12:17:07 2013

Interim accounting: Off

Last COA request: Fri Jul 19 13:57:00 2013

COA Request Attribute List: 0x500ec6d4

1: string-session-id len= 8 value= 0000005b

2: password len= 5 value= <opaque value>

3: username len= 4 value= asr1

4: command len= 14 value= account-logon

Last COA response: Result NACK

COA Response Attribute List: 0x500ec8e4

1: error-cause len= 4 value= Resource Unavailable

2: reply-message len= 9 value= CoA error

5th edit

http://www.youtube.com/watch?v=Z_Hw9i_TcGY

@3:38 I see your portal. Is this a custom made or does the BNG has one?

I am asking because I see users IP addess, mac address, acct session id.

Any idea?

xthuijs · ‎07-19-2013

remoteID and circuitID are sort of free form text strings also, so it is really whatever the dhcp relay (in this case your switch) is inserting in it. Some also insert the actual interface name.

Show dhcp ipv4 proxy binding detail gives also very good info on the ID's before and after proxy modification.

The port designator in your circuit ID is 0/224 but that seems a bit high. But then, this value is inserted by the relay agent, we just take the string value and provide it in the output. What type of relay agent is inserting the option 82 info?

RemoteID is generally a mac address and gives an idea of what the remote device is. This mac address (if that is what it represents in this scenario) may be from the relay agent, but that is not something I wold expect.

You probably need to consult with the relay agent documentation as to how it inserts option 82.

xander

xthuijs · ‎07-19-2013

As for the account logon issue:

I see that the COA tool you are using is a bit of an oldie already (version 2.2), the latest version is 2.9 (release notes are on the page where you downloaded it from). There was an issue in that release whereby an empty line in the config file chokes the parsing. I think that that is what you are suffering from.

Either end the config file with an "END" directive, or remove the last empty line from that config. I want to say download the latest win version, but in all honesty, I haven't been doing a good job in updating the widnows version ever since I moved to a MAC (and dont have a windows compilation ability easily).

Another option is to use the CLI string to do the account logon like this:

coa -n 10.86.188.99 -p 1700 -k cisco -1 44,00001234 -2 26,9,1,subscriber:command=account-logon -3 26,9,1,subscriber:password=PASS -4 1,USER -t 3

The specific error you are seeing can be caused by this:

1) because the last line is not parsed properly, you may not get the right return response, fix with either option discussed here.

2) I see the user is authenticated already, subsequent account logon requests, don't succeed then anymore, but I would expect the COA return error to be this:

COA Response Attribute List: 0x10011a50

1: error-cause len= 4 value= Invalid Request

2: reply-message len= 9 value= CoA error

3) the user's username and password are incorrectly sent to the radius-server and there is no account logon event class properly configured directing to radius.

Check the radius profile and make sure the service-type is NOT present in that radius profile, that generally chokes the IPSUB auth also!

Check with the debug radius to see what attributes are returned in teh access-accept (or maybe there is an access-reject)

That portal you are looking at is something quickly put together for a demo. It is a simple web page that talks to the BNG to get some subscriber info and prints it on the page, then it has 3 buttons: login (account logon) and a QOS profile application from the portal (eg a Turbobutton model).

Depending on which button is pressed, the web page calls the COA tool you have to send a specific request to the BNG to execute that desired change. Do you think there is value if we package a demo portal into XR code for evaluation purposes?

regards

xander

xthuijs · ‎07-19-2013

The COA error you see:

1: error-cause len= 4 value= Resource Unavailable

2: reply-message len= 9 value= CoA error

Is generally seen with an incorrect user profile returning.

Since it may have been an access accept I think the state moves to authenticated, but the end result is error because the profile attributes could not be applied.

What does the user profile look like in radius?

(suspect presence of service-type=[enum]).

regards

xander

smailmilak · ‎07-19-2013

I have 2.6 for windows. I don't see 2.9 in the attachment in this document https://supportforums.cisco.com/docs/DOC-16677

We have the same problem on Linux tool.

I did some proper debugs and found out that the user has some attributes configured which could prevent a succesfull logon.

I will check this with the RADIUS guy and tell him to create a new user for this test.

Its already too late, and I have to wait until I am back from vacation, but I can't wait to see this working

Regarding the portal I have seen on youtube. I see that there are some information about the user listed and I would like to know how you did that. How can I send all this information that I have in show subscriber sess all detail about this user to the portal so that the user knows what IP address, session-id etc. it has (it's good for help desk!)

This is a mistery for me

And yes it would be really nice if the BNG package would have an embedded portal which could be used for less experienced people and small scale deployments.

xthuijs · ‎07-19-2013

I very much love your enthusiasm! We'll get this to work for you together!

A sample profile for your account logon user could be this:

ipsub Password="cisco"

Cisco-avpair="ipv4:inacl=PERM_ALL"

Cisco-avpair="ipv4:outacl=PERM_ALL"

Make sure you define the ACL PERM_ALL with a permit ipv4 any any or something like that.

The way the portal works:

it is an apache with perl and the coa tool.

First step is that the opening page reads the subscriber ip address via the perl environment variable.

Then the portal logs in via telnet to the BNG doing a sneaky route lookup to find the interface that this address is routed to. This is needed because there is currently no account ping or session -query in COA, ddts filed for this: CSCuc45110.

Now that we know the subscriber interface we can do a show command to find out the variables that are displayed on the portal in the table. At the same time the session ID is derived from that show command also and put as a hidden field in the display form.

Depending on what button is pressed, the COA is invoked with the right profile and the appropriate session ID derived from the earlier investigation.

The COA response is read and displayed to the user with a success or fail and a potential reply message if there was any.

Here is my suggestion, I'll work on the integration of that sample portal in a package in XR for test. When you come back from your vacation ping me. If it is not yet in XR, then I'll prepare some package for you to play with.

Works? and enjoy your vacation!

cheers!

xander

----

Xander Thuijs CCIE #6775

Principal Engineer ASR9000

smailmilak · ‎07-19-2013

Wow, great

I am looking forward for your package. This would help me a lot!

I see that you did some scripting for you demo portal in order to get the info we saw on youtube.

I always asked myself how does the BNG knows for what session-id the entered credentials are (that are entered by the user on the portal and sent back to BNG with CoA feature).

After this part is solved I can finally start to test other possibilites that Cisco BNG is offering.

And regarding circuit-ID and remote-ID (I replied but it looks like that it got lost). We are using a Cisco 2960 Catalyst switch as access switch with IP DHCP snooping for our VLAN 3127 and Option 82 enabled, and I can see the binding.

The DHCP relay or in our case DHCP proxy is the BNG (I hope that this is what you have asked).

I see that the received and inserted Remode IDs are different:

RP/0/RSP0/CPU0:BNGDEMO#sh dhcp ipv4 proxy binding detail

Fri Jul 19 17:53:34.378 UTC

MAC Address: 000a.e43c.a077

VRF: default

Server VRF: default

IP Address: 10.100.30.100

Giaddr from client: 0.0.0.0

Giaddr to server: 10.100.30.1

Server IP Address: 10.100.14.109

Server IP Address to client: 10.100.30.1

ReceivedCircuit ID: 0x00-04-0c-37-00-05

InsertedCircuit ID: 0x00-04-0c-37-00-e0

ReceivedRemote ID: 0x00-06-00-15-63-d6-d2-40

InsertedRemote ID: 0x00-06-d8-67-d9-24-ff-e9

ReceivedVSISO: -

InsertedVSISO: -

Auth. on received relay info:FALSE

Profile: IP_SUB

State: BOUND

Proxy lease: 600 secs (00:10:00)

Proxy lease remaining: 457 secs (00:07:37)

Client ID: 0x01-0x00-0x0A-0xE4-0x3C-0xA0-0x77

Access Interface: Bundle-Ether992.3127

Access VRF: default

VLAN Id: 3127

Subscriber Label: 0xdc

Subscriber Interface: Bundle-Ether992.3127.ip203

This in not so important now, we will test it with a DSLAM and probably get better info about circuit-id,

We will need this so we can compose an username with MAC+Circuit-ID+Remote-ID, or we can try with "first sight" so that the username is entered in the RADIUS database after the CPE is first time plugged in. I think this could work but this is more a job for the RADIUS guys, but I would like to see it this working

xthuijs · ‎07-19-2013

Ok thanks for that info.

You may want to configure the :

dhcp ipv4

profile DEFAULT proxy

relay information policy keep

in order to preserve the original option 82 info properly.

I think that because of proxy and in the current config you have that BNG will feed some of his info into the option 82

(check the dhcp table above in the article on that also for more detail)

I remember now that the port ID is some sort of a port index and not really the interface number. I need to lookup how the index maps to the actual interface port number, but if may be the IF index I am not sure yet.

As for the portal, yeah ping me when you're back, I should have news surely then (assuming you'll take a pto of a week+ )

regards

xander

smailmilak · ‎07-29-2013

Hello Xander,

I am back from vacation. I could not wait so I tested your CoA tool and finally got this message

"CoA: Request was accepted! (ID 200)"

Test laptop is now successfully reaching the internet

I am now pinging you back regarding the captive portal you have mentioned last time. I hope that you have good news for me

xthuijs · ‎07-29-2013

Very cool I am glad that it worked out! And welcome back!

Either the time went super fast or you had a short vacation . The package is not committed into any release yet,

but I have it prepared.

Can you send me a "private" message so I can mail this to you. Then if you can test drive it to make sure the instructions

are clear and working out then I'll publish this after everything is smoothened.

regards

xander

smailmilak · ‎07-29-2013

I took only five days off. Thank you very much for the package, I will update you as soon we have it up and running.

Now I have another question regarding VRFs.

I am trying to put the subscriber in vrf PRIVATNI, but DHCP, Captive Portal and other services are in vrf default.

I created static routes with route leaking between the vrfs, but it looks like that after I get the IP address on my test laptop I am not able to ping the IP addreses where I am using route leaking, only the internet where the next hop is in the same vrf.

vrf PRIVATNI

address-family ipv4 unicast

0.0.0.0/0 10.100.37.113

10.100.14.0/24 vrf default BVI3105 10.100.11.1

192.168.32.0/24 vrf default BVI3105 10.100.11.1

router static

address-family ipv4 unicast

10.100.14.0/24 10.100.11.1

10.100.30.0/24 vrf PRIVATNI Loopback30

192.168.32.0/24 10.100.11.1

I think it is because of vrf default where I have to use loopback 30 as next hop, but the subsciber is on

Bundle-Ether992.3127 or to be precise on Bundle-Ether992.3127.ip222 and I don't have it in the routing table.

I tried with Bundle-Ether992.3127 as next hop, but then nothing is working.

I tried with an IP address on the bundle interface (without ipv4 unnumbered) but then DHCP is not working anymore.

I have to test it a little bit.

xthuijs · ‎07-29-2013

yeah dynamic route leaking is tricky, I dont think this scenario is going to work easily.

HAve you seen this doc for assistance on route leaking?

https://supportforums.cisco.com/docs/DOC-30871

Alternatively, you may want to open a TAC case for some assistance in that regard.

regards

xander