cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

ASR9000 Understanding the BNG configuration (a walkthrough)

25264
Views
0
Helpful
117
Comments

Introduction

In this document we're walking through a configuration setting up BNG for IPoE and PPPoE. The Setup for this configuration is similar to the setup you can see in the YouTube video for an ip sessions demo.

Problem Description

Detailed description of how to set up the configuration and the options establishing PPPoE and IPoE sessions. Understanding the anatomy of a control policy language.

Setup

Slide3.JPG

Configuration and Explanations

hostname A9K-BNG

radius-server host 3.0.0.38 auth-port 1645 acct-port 1646

!Radius-server definition with ip address and UDP ports it is going to !use.

key 7 045802150C2E

!Secret key for the radius communication

timeout 1

!Maximum time waiting for response

retransmit 1

!Maximum number of times you retransmit the request, after waiting <timeout> time.

!COA server definition

aaa server radius dynamic-author

port 1700

!COA port is standard 1700

client 3.0.0.1 vrf default server-key 7 13061E010803

client 10.86.1.49 vrf default server-key 7 14141B180F0B

!The clients from which we are going to accept a COA Response.

!Attribute definitions that we can reference for the nas-port

!building.

!”MY_AUTH” will take the mac address, circuit ID and remoteIDand

!append them together separated by hash signs. If one of the fields is

!not available, an empty string will be provided for that portion.

!example 0000.1111.2222##remoteid or 0000.2222.1111#circ#remote

!

aaa attribute format MY_AUTH

mac-address plus circuit-id plus remote-id separator #

!

aaa attribute format NAS_PORT_FORMAT

circuit-id plus remote-id separator .

! Nas-port computation for PPPoE(32) and if not pppoe then follow the

! global (non typed) logic

aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU type 32

aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU

!Set up the XR nas-port-id (attr87) for sessions following the nas-

!port format instructions above.

aaa radius attribute nas-port-id format NAS_PORT_FORMAT

!Set up for AAA usage. Note that we don’t have “aaanew-model” in

!XR. Also “subscriber” is used for BNG. Method “PPP” is used for

!serial PPP.

aaa authorization subscriber default group radius

aaa authentication subscriber default group radius

!DHCP configuration

dhcp ipv4

!specify a profile name and define what method is used, relay, proxy

!or snooping.

profile AutoSelectGiaddr proxy

!Different classes may be defined. This is not necessarily the

!vendor class, but here we can check certain options in the discover

!to selectively set the helper address and giaddr. That last one

!will affect the pool we’re going to use on the dhcp server.

class HardPhone1

match option 60 hex 4861726450686F6E6531 mask 0

!the option 60 is vendor-class followed by a hex string. I chose it

!to match the “class” section from the line above, but that is not

!necessary. The mask defines which bytes are must match and don’t

!cares. Mask of 0 means full match.

helper-address vrf default 81.1.1.2 giaddr10.1.1.254

!

class HardPhone2

match option 60 hex 4861726450686F6E6532 mask 0

helper-address vrf default 81.1.1.2 giaddr172.28.15.254

!

relay information option

relay information policy replace

relay information option remote-id testme

relay information option allow-untrusted

! This configuration above defines the option 82 handling.

! Allow untrustedmeans that we accept dhcp discovers with a 0.0.0.0

! giaddr, which is normally the case when there is no relay between

! the client and the 9k.

Relay information Policy:

Case #

Received Packet

Option-82 Suboptions

Configured

Option-82 Suboptions

Forwarded Packet

Option-82 Suboptions

for Full-Option-82 keep

Forwarded Packet

Option-82 Suboptions

for Individual-Suboption keep

Forwarded Packet

Option-82 Suboptions

for replace

1

rx-cid”

rx-rid”



“in-rid”

vpn-id

rx-cid”

rx-rid”


rx-cid”

rx-rid”

vpn-id

rx-cid”

“in-rid”

vpn-id

2

rx-cid”




“in-rid”

vpn-id

rx-cid”



rx-cid”

“in-rid

vpn-id

rx-cid”

“in-rid”

vpn-id

3





“in-rid”

vpn-id


“in-rid”

vpn-id


“in-rid”

vpn-id


“in-rid”

vpn-id

! Define the interfaces and the attached profiles

interface Bundle-Ether100.2 proxy profile AutoSelectGiaddr

interface Bundle-Ether1001.2 proxy profile AutoSelectGiaddr

!

pppoe bba-group X

tag ppp-max-payload minimum 1200 maximum 2000

service selection disable

! PPPoE group definition. Currently there is limited service selection

!support (just matching on service name). The COS values for PPPoE

!control can be defined here and the processing/support for max-

!payload tag. In IOS you could configure the processing of vendor-tags

!and strip them selectively. In XR we always process the tags and we

!always strip them from a PADR

!IP address pool definition

pool vrf default ipv4 POOL

address-range 199.1.1.1 199.1.255.255

!

!The dynamic templates are like IOS virtual-templates. The base !configuration for each session is defined here. L3 features as well !as PPP specific parameters are defined here.

dynamic-template

type ppp TPL

ppp authentication chap

ppp ipcp dns 1.2.3.4 1.2.3.3

ppp ipcp peer-address pool POOL

ipv4 unnumbered Loopback1000

!

type ipsubscriberIPSUB

ipv4 unnumbered Loopback12

ipv4 access-group IPSUB_FAIL_ACL ingress

ipv4 access-group IPSUB_FAIL_ACL egress

!Few ACL definitions referenced in the radius profile, qos class-maps

!or in the dynamic template.

ipv4 access-list PERM_ALL

10 permit ipv4 any any

20 permit icmp any any

!

ipv4 access-list lab-video

20 permit udp any any eq 5544

30 permit udp host 49.1.1.2 any

!

ipv4 access-list IPSUB_FAIL_ACL

5 permit icmp any any

10 permit tcp any host 49.1.1.2 eqwww

15 permit tcp host 49.1.1.2 eqwww any

20 deny ipv4 any any

!QOS class-map used in COA parameterized QOS requests

!remember that with pQOS you can define the policy-map via RADIUS,

!however you need to define your class-maps locally in XR.

class-map match-any VIDEO

match access-group ipv4 lab-video

end-class-map

!

class-map match-any 3play-voip

match access-group ipv4 telnet

end-class-map

!These are the class-maps used later in the control policy. You can

!match on various aspects of the interface/session. Like username,

!domain. In this case we have simple class-maps that match on the

!protocol so we are doing to differentiate between PPP and IPsubs

!

class-map type control subscriber match-any PPP

match protocol ppp

end-class-map

!

class-map type control subscriber match-any DHCP

match protocol dhcpv4

end-class-map

!

!In this sample class-map we are taking the username and apply a

!separator switch on it as defined in the “format DOMAIN” attribute

!definition and see if that domain name matches “vrf_vpn

class-map type control subscriber match-any matchdomain

match domain vrf_vpn format DOMAIN

end-class-map

!

!This is the most important part, the XR control Policy.

policy-map type control subscriber sub

event session-start match-first

!

!Events: during the session life time, various events are triggered. !In this case a session-start event we provide a handler for. This is

!the reception of a PADI for pppoe sessions or a dhcp discover for IP

!sessions.

!The match-first describes that we are only handling one class of the !event, and the class that we match first.

!This as opposed to match-all, which means that we will traverse all

!classes to see if they match and execute the actions defined

!underneath the class.

!

Event

What does it do or when is it triggered?

session-start

when we get the first sign of life (for pppoe that is at PADR)

session-activate

This is done at the authentication phase – i.e. when we’ve got the username/password (or challenge/response) (PPPoE ONLY)

authentication-failure*

when we receive an access-reject from radius

authentication-no-response

when the method list for authentication request does not return any response (success/reject)

authorize-failure*

when we receive an access-reject from radius

authorize-no-response

when the method list for authen or author does not return any response (success/reject)

service-stop

when a service that is applied to the session is removed or stopped

class type control subscriber CLASS do-until-failure

!

!CLASS: Underneath that event, we define the classes. In this example

!I created 2 classes to match specifically on DHCP and PPP sessions.

!I can have 1 control policy with 1 event, and then the class

!differentiator to determine what I want to do specifically/separately

!for both session types.

!

Do until?

What does it do?

do-until-failure

Until we receive a failure (eg access reject or no radius response or feature application failure) We stop the execution.

do-until-success

When we successfully executed the task we stop.

do-all

Regardless of the success or failure all actions are executed

!

10 activate dynamic-template TPL

!

!Activation of the dynamic template configuration. PPP will take the !LCP parameters and auth protocol from there.

!

!Class-actions:

!

event session-activate match-first

class type control subscriber CLASS do-until-failure

10 activate dynamic-template TPL

20 authenticate aaa list default

  • Authenticate: Use the username and password from the line and send it to the servers defined in the list
  • Authorize: More flexible then authenticate, still the SAME radius request (access-request) but flexibly formatted with a username composed of different information such as domain, circuit-id, nas-port etc

Note: Because authenticate uses the line username, it is generally useless on the session-start event, the authorize with which you compose the username based on mac/circuit id etc is very useful in both session start and activate

!

!

end-policy-map

!

policy-map type control subscriber ipsub

event session-start match-first

class type control subscriber DHCP do-until-failure

10 authorize aaa list default identifier source-address-mac password cisco

! Use the authorize here to compose the username to be sent to

! radius. In this case we use pw cisco as the password.

!

end-policy-map

! Define the bundle-ether master and configure for destination ip

! based loadbalancing, this so each subscriber hashes all its traffic ! onto one member only for accurate QOS

interface Bundle-Ether100

bundle load-balancing hash dst-ip

! The IP session interface must have an ip address. This in order to

! accept ip packets, the dhcpdiscover.

! If the unicast flag is set, like in MAC OSX or WXP (IOS dhcp client

! leaves the broadcast flag), then this address MUST be the same as

! the subnet for the ip sessions. If it is not the same we can’t

! unicast the offer.

interface Bundle-Ether100.2

ipv4 address 87.78.77.1 255.255.255.0

service-policy type control subscriber ipsub_fancy_auth

encapsulation dot1q 2

ipsubscriber ipv4 l2-connected

initiator dhcp

initiator unclassified-source

!

! Define the bundle sub interface for the right vlan, enable for PPPoE

! via the bba-group and attach the control policy

interface Bundle-Ether100.20

service-policy type control subscriber sub

pppoe enable bba-group X

encapsulation dot1q 20

! Loopback interface for ppp sessions

interface Loopback1000

ipv4 address 101.101.1.1 255.255.255.255

!

interface GigabitEthernet0/0/0/19

! Enable LACP on the bundle member and set it to bundle-e100

bundle id 100 mode active

load-interval 30

!

interface GigabitEthernet0/1/0/19

! Enable LACP on the bundle member and set it to bundle-e100

bundle id 100 mode active

load-interval 30

Show command verification

RP/0/RSP0/CPU0:A9K-BNG#show subscr ses all det
Mon Nov 7 17:20:27.701 EDT
Interface: Bundle-Ether100.2.ip5
Circuit ID:
Remote ID: testme
Type: IP: DHCP-trigger
IP Address: 172.28.15.1, VRF: default
Mac Address: 0019.2f43.9a38
Account-Session Id: 00000044
Nas-Port: 67108896
Username: unknown
Subscriber Label: 0x00000044
Created: Thu Nov 3 16:26:33 2011
State: Activated
Authentication: unauthenticated
Access-interface: Bundle-Ether100.2
Policy Executed:
policy-map type control subscriber ipsub_fancy_auth
event Session-Start match-first [at Thu Nov 3 16:26:33 2011]
class type control subscriber DHCP do-until-failure [Succeeded]
5 activate dynamic-template IPSUB [Succeeded]
10 authorize aaa list default [Failed]
Session Accounting: disabled
Last COA request received: never
User Profile Attribute List: None

Interface: Bundle-Ether100.100.pppoe2
Circuit ID: Unknown
Remote ID: Unknown
Type: PPPoE:PTA
IP Address: 199.1.1.2, VRF: default
Mac Address: 0019.2f43.9a38
Account-Session Id: 00000145
Nas-Port: 67110466
Username: test
Subscriber Label: 0x00000145
Created: Thu Nov 3 16:28:10 2011
State: Activated
Authentication: authenticated
Access-interface: Bundle-Ether100.100
Policy Executed:
policy-map type control subscriber sub
event Session-Start match-first [at Thu Nov 3 16:28:10 2011]
class type control subscriber CLASS do-until-failure [Succeeded]
10 activate dynamic-template TPL [Succeeded]
event Session-Activate match-first [at Thu Nov 3 16:28:31 2011]
class type control subscriber CLASS do-until-failure [Succeeded]
10 activate dynamic-template TPL [Succeeded]
20 authenticate aaa list default [Succeeded]
Session Accounting: disabled
Last COA request received: never
User Profile Attribute List: 0x500c0d24
1: service-type len= 4 value= Framed
2: sub-qos-policy-out len= 5 value= shape

Comments
Enthusiast

Yes, in this case it's really tricky and I think we will just have more problems.

We will just use one vrf for subscribers and DHCP and other servers.

Do you know if we can use XML for our captive portal? I am using ASR Craft Tool which is using xml over telnet and

I can see subscriber information on this tool. I ask myself now if this can be used for captive portal.

I found this DOC http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.3/bng/configuration/guide/b_bng_cg43asr9k_appendix_01000.html#reference_01425A2A600D433BA0D0A1C80356E406

You have said that you have prepared a package for future IOS-XR release. Is this an embedded captive portal which can be used for several thousand users?

Cisco Employee

There is XML support for the a9k and the schema's are continously expanded on. Thsi means that if a certain command doesn't have a schema, it will produce raw output as what you would see with the ergular show command and your mgmt client needs to screen scrape and parse output manually. Same as what the portal does now which I mailed you with telnet.

For embedding and public use of COA and portal inside XR I have filed CSCui35710.

I dont have a commitment for a release yet, but we'll make sure this happens some time soon reasonably.

cheers!

xander

Beginner

Hi Xander,

Sorry to jump in between your fun discussion :). I'm just wondering if I want to change the ip address of subscriber gateway on BNG from binding into the physical interface :

interface Bundle-Ether1.100

description subs gateway

ipv4 address x.x.y.z

encapsulation dot1q 100

to become :

interface loopback0

ipv4 address x.x.y.z

interface Bundle-Ether1.100

description subs gateway

ipv4 point-to-point

ipv4 unnumbered loopback 0

encapsulation dot1q 100

As I recall, the restriction using unnumbered are we can't use ping command to verify the connectivity are reachable ( i did it, ping to the same segment and the result was ".U.U.") I see a bunch of BNG config guide example and most of them are using ip unumbered. so then how to verify if the connection are reachable ? do I have to test the service itself instead of perform a simple ping ?

Thanks and appreciate your feedback

Enthusiast

Hi,

I am using ipv4 unnumbered and p2p on subscriber interface, and I can ping the GW IP address (which is on loopkack).

I doubt that you can use ipv4 unnumbered and ipv4 address xxyz on same interface, this would be like when you had two IP addresses on same interface (without "seconadary" statement)

Do you have some kind of ACL on dynamic template?

Beginner

Hi there,

Thanks for the response. It's not putting both the ipv4 and unnumbered together, but currently my deployment on customer side is using that ipv4 add on the gateway subs interface (BE2.xxx), not using unnumbered loopback. haven't configure the dynamic template either since i just want to make sure the connectivity are put in place.

Currently the customer are expanding their broadband network, and when i'm testing using this new connectivity on same segment:

BNG (ip unnumbered) --- [metro e] --- agg switch

I can't ping the switch ip address / vice versa. Those wording on  http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.3/addr_serv/configuration/guide/b_ipaddr_cg42a9k_chapter_01000.html#con_1116630

(IPv4 processing on an Unnumbered Interface) also justify the situation.

I hope that i'm missing something on the config so that it supposedly can be deployed.

Thanks

Enthusiast

Subscriber node got an IP address via DHCP, and do you have something under show subscriber session all detail?

You should get subscriber info and ther should be a subscriber interface like this one "Bundle-Ether1.100.ip222".

You can share a part of the config with if us if you like.

Beginner

Hi there,

Thanks for your feedback. as I mention before, I'm still building the connectivity between BNG and subscriber aggregation switch. I haven't jump into dynamic template, dhcp config and service profiling and so on. those I deployed previously (using ipv4 add that bind on BE2.xxx) already running on production and working properly & as expected.

my concern is, within my expansion deployment, i want to change the method from binding to a physical interface into unnumbered loopback, which I can't ping each other to verify the connectivity.

sorry if I confuse you, and looking forward for any findings matters (:

Enthusiast

Got it

Lets see what Xander has to say, he is the expert.

Cisco Employee

hey guys,

the ip address on teh access interface is only necessary to enable IP and consume the dhcp discovers.

you generally don't want full ip access on the access interface so an ACL permitting only dhcp inbound will prevent users

with retained ip addresses to gain access to the network via the bundle access interface.

The address on the dynamic template is the one that we are pinging against when there is an ip subscriber session established. Since we have a binding that is used for forwarding returning the icmp replies.

It is true that in a native unnumbered scenarion on a multipoint access interface (ethernet, gige, tengige, bundle-e etc) you need a static arp entry in order to find the way back to the client, but since we dont want users to use the bundle access we can either use the ACL to block any non dhcp traffic on teh access interface and the dhcp binding will help us route back to the subscriber interface once it is established.

regards

xander

Beginner

Hi Xander,

Thanks for your comprehensive explanation, that's why it can't get ping eh ? so in other words, I can assume that the reachability are performed once the session are established and the only way to verify the deployment are test the service itself.

Thanks 

Cisco Employee

correct the bundle-access you can't ping when unnumbered, and frankly you wouldn't want that either.

you dont want to give people the idea that there is connectivity when there is no subscriber context.

a connectivity verification can be achieved by seeing the dhcp discovers coming in, triggering AAA requests and binding creation on the device.

regards

xander

Beginner

Hi Xander,

Thanks, makes much more clear. Another concern that I want to have your feedback is : when deploying lots of BNG with distributed model (accross multiple city) using parameterized QoS rather than normal QoS (configured on BNG), do you see any caveats ? any particular concern with pQoS ? FYI the AAA are cisco too (CAR).

Appreciate any feedback

Thanks

Cisco Employee

hi there,

pQOS is merely a qos policy on a per user basis, where radius defines the actual parameters for the predefined classes.

this is irrespective of the centralized vs distributed model.

I am personally indifferent whether the access model needs to be distributed (BNG close to the edge) or centralized (using metro rings and terminating subscribers at a centralized location).

Both models have pros and cons. With 9k's high scale, centralized makes more sense, if your access ring can provide the bandwidth assigned and allocated to the subscribers.

How you apply the QOS to the subs dynamically, that is predefined complete policies referenced by radius to be applied to the subscriber, OR the ability to modify and manipulate the subscriber CLASS definitions inside the policy map (that is to deviate from the original bw or priority setting and/or insert/remove classes of the subscriber policy = pQOS) depends on teh scale needs.

9K can only hold so many unique policies and using pQOS will make the sub policy unique, so there is a limit there, but it provides for a massive granular ability to define true per user QOS.

The radius server used does not matter either, although I very much appreciate you using CAR . All this is defined in VSA's that any radius server can use really.

regards

xander

Beginner

Hi Xander,

appreciate your prompt response (: well this was actually my first QoS implementation using pQoS, I'm afraid I missed some literature with this scheme, yet those are just my preventive action.

Thanks again for the crystal clear explanation

Enthusiast

Quick question for you Alexander.

Is it also possible to get subscriber info with SNMP? I see that Lawfull intercept is using SNMP to get per user sessions, which includes account-session-id.

This could also mean that we can use SNMP for our Captive portal?

Also, DHCP proxy lease time is a little bit confusing. I see that default lease time is 600 sec.

I configured 300, but lease time did not change. I also configured 5000 sec, but it was still 600.

Am I doing anything wrong? I checked the config guide, and I don't see anything special.

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here