cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
configure & troubleshoot anyconnect

ASR9000/XR: BNG and Dual-stack ipv4 and ipv6 sessions

13972
Views
0
Helpful
149
Comments

Introduction

This document provides an overview for dual stack sessions for ASR9000 BNG, running ipv4 and ipv6 address stacks next to each other for subscriber sessions.

Dual Stack

Dual stack refers to the concept of running a subsciber session with an IPv4 address as well as an IPv6 address.

Deployment models and general concept

Screen Shot 2014-01-14 at 8.46.52 AM.png

Address Assignment

To unravle the complex terminology associated with address assignment in particular to IPv6 this picture below shows the various address assignment options available.

Screen Shot 2014-01-14 at 8.47.07 AM.png

You can also use the framed-ipv6-address radius attribute to provide an address to the subscriber from radius which then will be advertised

via SLAAC (NA/ND) for both PPPoE and IPoE sessions.

The additional attribute ipv6:ipv6-default-gateway VSA can be used to provide the default router in case no dhcpv6 is used for IPoE sessions.

IPv6 Addressing

When it comes to "prefix delegation" that is having a large IPv6 like subnet that is shared between subscribers who get a subnet from that subnet sort of speak the following addressing example hopefully visualizes how it all ties together

Addressing mapping

Slide1.jpg

Configuration CPE

The following 2 secions provide the configuration for the client side and the WAN side of the CPE

PC client side of the CPE

interface GigabitEthernet0/2

description to switch fa0/15

ip address 192.168.1.1 255.255.255.0

no ip unreachables

ip nat inside

ip virtual-reassembly

duplex full

speed 100

media-type rj45

negotiation auto

ipv6 address prefix-from-provider ::1:0:0:0:1/64

ipv6 enable

 

WAN side of the CPE

interface FastEthernet2/0.50

encapsulation dot1Q 50

ipv6 address autoconfig default

ipv6 enable

ipv6 dhcp client pd prefix-from-provider

 

In these examples we are expanding the delegated prefix with a :1/64 and we perceive ourselves to be the ".1" and default gateway.

Configuration DHCPv6 Server

ipv6 unicast-routing

ipv6 dhcp pool dhcpv6

prefix-delegation pool dhcpv6-pool1 lifetime 6000 2000

ipv6 route 2001:60:45:28::/64 2005::1

ipv6 route 2001:DB8:1200::/40 2005::1

ipv6 route 200B::/64 2005::1

ipv6 route 2600:80A::9/128 4000::1

ipv6 local pool dhcpv6-pool1 2001:DB8:1200::/40 48

More info on IOS dhcpv6 server:

http://www.cisco.com/en/US/tech/tk872/technologies_configuration_example09186a0080b8a116.shtml

Operation and Call Flow

Because ASR9000 treats the 2 stacks as a single subscriber, and hence ONE access request and a SINGLE accounting record are generated for both stacks, differences of desired operation exist when it comes to when for isntance to generate an accounting request.

There are 2 key things to consider and of importance:

  • When the first AF comes up, an access-request is generated, the access-accept should contain BOTH ipv4 and ipv6 information for the session although there is no second request for the other AF maybe yet
  • An accounting-start can be generated as soon as the first AF comes up, we can wait for a determined period of time and generate a single accounting start record for BOTH AF's, or we can do a triggered interim accounting record when the second AF comes up.

Call Flows

Dual stack generic call flow

Screen Shot 2014-01-14 at 8.46.33 AM.png

PPPoE DS detailed call flow SLAAC based address assignment

Screen Shot 2014-01-14 at 9.07.40 AM.png

PPPoE DS detailed call flow DHCPv6 based address assignment

Screen Shot 2014-01-14 at 8.57.06 AM.png

IPoE DS detailed callflow IPv4 AF starts first

Screen Shot 2014-01-14 at 8.57.30 AM.png

IPoE DS detailed callflow IPv6 AF starts first

Screen Shot 2014-01-14 at 8.57.36 AM.png

Sample Scenario

Sample Topology for the configuration example

Screen Shot 2014-01-14 at 8.39.37 AM.png

Configuration

hostname bng

logging console   debugging

Radius server configuration.

Radius server is listening on 5.5.5.2 with auth-port on 1645 and accounting-port on 1646

radius-server   host 5.5.5.2 auth-port 1645 acct-port 1646

key 7 010107000A5955

!

COA server or policy-server with ip-address 5.5.5.2 is running

aaa server   radius dynamic-author

client 5.5.5.2 vrf default server-key 7   03165A0F575D72

!

aaa group server   radius RADIUS

server 5.5.5.2 auth-port 1645 acct-port 1646

!

aaa accounting   service default group radius

aaa accounting   subscriber default group radius

aaa   authorization subscriber default group radius

aaa   authentication subscriber default group radius

line console

stopbits 1

!

DHCPv6 address pool is defined locally within BNG box and local pool is used for ipv6 address assignment to IPv6 BNG clients

pool vrf default   ipv6 ipv6_address_pool

address-range 2001::2 2001::7dff

!

 

DHCPv4 server with ip address 20.20.20.2 is deployed externally and this ipv4 address should be reachable from BNG device. Routing protocols should take care of reachability of 20.20.20.2 from BNG device. DHCPv4 proxy is configured as follows.

dhcp ipv4

profile IPoEv4   proxy

helper-address vrf default 20.20.20.2   giaddr 10.10.10.1

!

 

DHCPv4 proxy is enabled on bundle sub-interface

interface   Bundle-Ether1.10 proxy profile IPoEv4

!

 

DHCPv6 server is configured and already configured DHCPv6 address pool is referred within DHCPv6 server configuration. DHCPv6 profile is configured as follows with address pool.

dhcp ipv6

   profile IPoEv6 server

   address-pool ipv6_address_pool

!

 

DHCPv6 address pool is referred on bundle sub-interface.

interface   Bundle-Ether1.10 server profile IPoEv6

!

interface   Bundle-Ether1

bundle   maximum-active links 1

!

Bundle sub-interface with dot1q encapsulation configured with single tag. Subscriber traffic from

CPE should come with single dot1q tag and this vlan tag should match with vlan id 10 configured under bundle sub-interface. In dual-stack IPoE configuration,   “initiator dhcp” is configured ipv4/ipv6 l2 connect mode.

Policy-map type control’s name is referred with service-policy

interface   Bundle-Ether1.10

ipv4   point-to-point

ipv4 unnumbered   Loopback1

ipv6 enable

service-policy   type control subscriber pm-src-mac

encapsulation   dot1q 10

ipsubscriber   ipv4 l2-connected

initiator dhcp

!

ipsubscriber ipv6 l2-connected

initiator dhcp

!

!

Ipv4 address 10.10.10.1 is default-gateway ip address for pool of ipv4 address allocated to dual-stack BNG clients

interface   Loopback1

ipv4 address 10.10.10.1 255.255.255.0

ipv6 enable

!

interface   MgmtEth0/RSP0/CPU0/0

ipv4 address 9.22.11.3 255.255.0.0

!

interface   MgmtEth0/RSP0/CPU0/1

shutdown

!

 

Physical interface gigabit0/0/0/0 is configured as bundle interface.

interface   GigabitEthernet0/0/0/0

bundle id 1 mode on

negotiation auto

transceiver permit pid all

!

interface   GigabitEthernet0/0/0/1

ipv4 address 20.20.20.1 255.255.255.0

transceiver permit pid all

!

interface GigabitEthernet0/0/0/5

ipv4 address 5.5.5.1 255.255.255.0

!

Dual-stack dynamic-template is configured for dual-stack initiation. “ipv6 enabled” under dual-stack template and ipv4 unnumbered

address, ipv4 urpf configured.

dynamic-template

   type ipsubscriber Dual_stack_IPoE

     accounting aaa list default type   session periodic-interval 5

     ipv4 verify unicast source   reachable-via rx

     ipv4 unnumbered Loopback1

     ipv6 enable

!

!

Class-map configured for dual-stack scenario to match DHCPv6 – SOLICIT and DHCPv4 DISCOVER as sign of life packet

class-map type   control subscriber match-any dual_stack_class_map

   match protocol dhcpv4 dhcpv6

   end-class-map
!

 

Class-map “Dual_stack_class_map “ is referred within policy-map.   Even session-start is hit based on DHCPv4/DHCPv6 FSOL, template “Dual_stack_IPoE” is activated.   Subscriber mac-address is used as subscriber identification and it is authorized with AAA server

policy-map type   control subscriber pm-src-mac

event session-start match-all

   class type control subscriber   dual_stack_class_map do-all

     1 activate dynamic-template   Dual_stack_IPoE

     2 authorize aaa list default identifier   source-address-mac password cisco

!

!

end-policy-map

!

end

 

Verification example

”show subscriber session all” command shows ipv4/ipv6 clients session active

RP/0/RSP0/CPU0:bng#show   subscriber session all

Tue Jan 29   12:49:25.237 UTC

Codes: IN -   Initialize, CN - Connecting, CD - Connected, AC - Activated,

       ID - Idle, DN - Disconnecting, ED -   End

Type         Interface               State     Subscriber IP Addr / Prefix

                                                 LNS Address (Vrf)                            

--------------------------------------------------------------------------------

IP:DHCP     BE1.10.ip22             AC       10.10.10.10 (default)

                                                 2001::2 (default)               

     

 

Command “show subscriber session all detail” should show ipv4/ipv6 clients details detailly.

RP/0/RSP0/CPU0:bng#show   subscriber session all deta

Tue Jan 29   12:49:27.752 UTC

Interface:               Bundle-Ether1.10.ip22

Circuit ID:               Unknown

Remote ID:               Unknown

Type:                     IP: DHCP-trigger

IPv4 State:               Up, Tue Jan 29 12:46:32 2013

IPv4   Address:             10.10.10.10, VRF:   default

IPv6 State:               Up, Tue Jan 29 12:46:42 2013

IPv6   Address:            2001::2, VRF: default

IPv6 Interface   ID:       ..d..... (02 00 64 ff fe 01   01 02)

Mac   Address:             0000.6401.0102

Account-Session   Id:       0000001c

Nas-Port:                 Unknown

User name:               0000.6401.0102

Outer VLAN ID:           10

Subscriber   Label:         0x00000055

Created:                 Tue Jan 29 12:46:32 2013

State:                   Activated

Authentication:           unauthenticated

Access-interface:         Bundle-Ether1.10

Policy Executed:

policy-map type   control subscriber pm-src-mac

event Session-Start match-all [at Tue Jan   29 12:46:32 2013]

   class type control subscriber   dual_stack_class_map do-all [Succeeded]

     1 activate dynamic-template   Dual_stack_IPoE [Succeeded]

     2 authorize aaa list default   [Succeeded]

Session   Accounting:      

Acct-Session-Id:         0000001c

Method-list:             default

Accounting started:       Tue Jan 29 12:46:32 2013

Interim accounting:       On, interval 1 mins

   Last successful update: Tue Jan 29   12:48:34 2013

   Next update in:         00:00:06 (dhms)

Last COA request   received: unavailable

”show dhcp ipv4 proxy binding” command is going to show ipoev4 clients created with ip-address and mac-address, interface on which it is created, vrf-name etc

RP/0/RSP0/CPU0:bng#show   dhcp ipv4 proxy binding

Tue Jan 29   12:49:42.955 UTC

 

                                             Lease                                                

 

MAC Address     IP Address     State     Remaining       Interface         VRF     Sublabel

-------------- -------------- ---------   --------- ------------------- ---------   ----------

 

0000.6401.0102 10.10.10.10     BOUND     3409       BE1.10               default   0x55      

 

 

RP/0/RSP0/CPU0:bng#show   dhcp ipv4 proxy binding de

Tue Jan 29   12:49:49.498 UTC

MAC   Address:                 0000.6401.0102

VRF:                         default

 

Server VRF:                 default

IP Address:                 10.10.10.10

Giaddr from   client:         0.0.0.0

Giaddr to   server:           10.10.10.1

Server IP   Address:           20.20.20.2

Server IP   Address to client: 10.10.10.1

ReceivedCircuit   ID:         -

InsertedCircuit   ID:         -

ReceivedRemote   ID:           -

InsertedRemote   ID:           -

ReceivedVSISO:               -

InsertedVSISO:               -

Auth. on   received relay info:FALSE

Profile:                     IPoEv4

State:                       BOUND

Proxy   lease:                 3600 secs   (01:00:00)

Proxy lease   remaining:       3403 secs (00:56:43)

Client ID:                     0x00-0x00-0x64-0x01-0x01-0x02

Access   Interface:           Bundle-Ether1.10

Access VRF:                 default

VLAN Id:                     10

Subscriber   Label:           0x55

Subscriber   Interface:       Bundle-Ether1.10.ip22

“show dhcp ipv6 server binding” is going to show ipv6 address allocated from DHCPv6 local pool

RP/0/RSP0/CPU0:bng#show   dhcp ipv6 server binding

Tue Jan 29   12:50:04.560 UTC

Summary:

Total number of   clients: 1

DUID   : 00030001000064010102

MAC Address: 0000.6401.0102

Client Link Local: fe80::200:64ff:fe01:102

Sublabel: 0x55

   IA ID: 0x0

   STATE: BOUND

   IPv6 Address: 2001::2 (Bundle-Ether1.10)

       lifetime : 600 secs (00:10:00)

       expiration: 399 secs (00:06:39)

RP/0/RSP0/CPU0:bng#

 

Related Information

Configuration example and verification provided by Narendiran Rajaram

Xander Thuijs CCIE #6775

Principal Engineer ASR9000, IOS-XR and NCS6000

Comments
Community Member

Hi Alex,

i am deploying IPoE Dual Stack IPv4 and IPv6 and i am using version 5.1.0

i used Radius to allocated IPv6 on WAN-CPE(/64) and LAN-CPE (/64)

Framed-IPv6-Prefix, used for the WAN-CPE

Delegated-IPv6-Prefix, used for the LAN-CPE

if i use CPE, WAN-CPE doesn't get IPv6 Address from Framed-IPv6-Prefix, in this case between BNG and CPE was using link-local-address.

but it worked for Prefix-Delegation from Delegated-IPv6-Prefix. in connectivity the users behind the CPE can access internet with IPv6.

if i replace the CPE become a PC, the PC doesn't get IPv6 Address  from Framed-IPv6-Prefix.

and if i check the subscriber detail for this pc, there's a message that said Last IPv6 Down.

[Last IPv6 down]

Disconnect Reason:        Addr/prefix request from DAPS pool failed

--

I have deployed(running production) BNG based on ASR1K Platfrom using PPPoE Solution, the two attributes was working perfectly.

thank you

anderson

Cisco Employee

Hi Anderson,

if you use a dedicated address on the WAN side and a delegated prefix for the LAN side, you're effectively "wasting" an address ont eh wAN side as you could just do SLAAC towards the wan side.

Is that an option, it would simplify your access model significantly and reduce the need for additional routing towards the cPE LAN side from the BNG.

However I expected this to work just fine, we need to do some debugging and that is probably easiest to do via a TAC case so your config and addressing is not spread across. a ppp debug, from both sides would be needed and potentially a sniffer trace if possible to verify the handshake and address assignment/allocation would probably clarify also a lot.

the framed-v6-prefix would work for a single host/pc but it depends on how that host is obtaining an ip address, if via dhcpv6 it would be fine, although the framed-v6 could also be offered in an ND/NA, but here also traces and debugs are necessary to identify what is going on.

At the same time, not sure if can be asked, a verification/cross comparison to 434 might help here also.

cheers

xander

Hi Xander!

It's a good doc!

I am deploying dual stack for IPoE subscribers on ASR 9001. All works fine in tests.

But we use authorization by option 82 and not all of our access devices ( i mean switches, OLTs and so one ) supports IPv6 now. So, if subsrriber's PC first tries to set up session with IPv6 its session becomes unauth. If PC set up session with IPv4, then it is authorized and IPv6 part sets up normal.

So, is any mechanism to set up IPv4 part of session first and then IPv6 part? If DHCP solisit comes and there is no IPv4 part of session - not to establish IPv6 part of session until IPv4 part will establish.

And the second question is about keepalive for IPoE sessoins. As I know now keepalives are supported only with PPP sessions. Will you make the same feature for IPoE ?

thank you

Beginner

hi, Vladimir

AFAIK there is no way to make the V4 come firstly, but there is a trick can do TAL for the session using dhcpv4 options or DHCPv6 options no matter which one come first.

An example to build a unified username format for V4/V6 DS session

•DHCPv4: option82 circuit_id(circuit-id-tag) + remote_id(remote-id-tag)

•DHCPv6: option18(dhcpv6-interface-id)+option37(remote-id-tag)

•The absent option will be ignored when build the username.
•Assume the DSALM inserts same string(saying XXXX) for DHCPv4 option82

     circuit_id and DHCPv6 option18 ,AND inserts same string (saying YYYY)

     for DHCPv4 option82 remote_id and DHCPv6 option37

with following config

aaa attribute format DS_UNIFIED_USERNAME

format-string length 253 "%s@%s@%s" dhcpv6-interface-id circuit-id-tag remote-id-tag

No matter the DHCPv4 or DHCPv6 triggers the TAL for the session, the same

Username(XXXX@YYYY) is built and sent RADUS server for authorization.

With this approach, you need only one user profile in radius server for DS subscriber.

Roy

Cisco Employee

yeah I was thinking to handle the event session start event to amtch on protocol dhcp (v4) only and not handle an event start for dhcp trigger:

RP/0/RSP0/CPU0:A9K-BNG(config-cmap)#match protocol ?

  dhcpv4  dhcpv4

  dhcpv6  dhcpv6

  ppp     ppp

this way if the solicit comes in, we ignore it, but if the dhcp discover comes in for v4 then we trigger the event start, do the radius stuff and all that.

While that is no guarantee that v4 completes first, it is very likely to be handled first over dhcpv6...

For PPPoE, dont think there is any control we have there, it depends on the client whether it sends the IPCP before IPv6CP and the itterations it requires to complete the NCP.

Generally, clients open IPCP first, so we should be fine here, but there is little control that we can exercise over this from the BNG side...

regards

xander

Enthusiast

Hi Xander,

I would like to ask you to give me an advice how to configure the address-pool for PPPoE with IPv6 address family.

I checked the command reference for 4.3.x and I see the network command where I can specify the IPv6 prefix and length

e.g.

RP/0/RSP0/CPU0:router# configure

RP/0/RSP0/CPU0:router(config)# pool vrf vrf1 ipv6 pool3

RP/0/RSP0/CPU0:router(config-pool-ipv6)# network 10:1:1::/50

And for prefix length:

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# pool vrf vrf1 ipv6 pool3
RP/0/RSP0/CPU0:router(config-pool-ipv6)# prefix-length 50

Is this the right way to configure the pool or do we have to use address-range command instead of network? How long should the prefix-lenght be? I thought that we can use /128 on subscriber side for PPPoE sessions.

I am slowly making a config in notepad so I am can be ready for implementation.

A nice example would help me a lot. Customer is giving me a /40 for subscribers.

One more thing. User anderson made a comment about WAN-CPE and LAN-CPE address.

Framed-IPv6-Prefix, used for the WAN-CPE

Delegated-IPv6-Prefix, used for the LAN-CPE

Can you please explain this to me? 

My idea was to use SLAAC on BNG<->CPE and a prefix for user device.

Here is the link of the command reference I am using:

http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.3/bng/command/reference/b_bng_cr43asr9k_chapter_010.html#wp2356015420

Cisco Employee

Hi Smail,

I see what you mean, so with ipv6 we generally dont hand out /32's (or better put /128's) but little subnets. As you know v6 doesnt do NAT and there is no need for it either with this large address space.

So for v6 we provide a little network to the CPE and then the pool size defines how many of those little subnets we actually have.

Considering this picture above from the "address mapping" section:

https://supportforums.cisco.com/servlet/JiveServlet/showImage/176403/Slide1.jpg

We have a pool defined by the /40.

We provide a prefix length of 48.

This means that the /40 in the pool is carved into 256 chunks (because we have 48-40=8 bits is 256 unique).

This defines the portion of the address that is "static" and the section that is variable.

Because we are providing a 64 bit address, that leaves 64 bits for individual devices that on a per "routed subnet" of 256 each.

Now to answer your question, how do you need to go about it, what do you need to assign etc; that all depends on the

future prospect in terms of v6 enabled devices, the assigned v6 space you have etc.

In access we can provide 64 bit addresses, leaving 64 bit for the hosts (which is MASSIVE!), and then from the assigned address space, you need to chunk it up into "subnets" and assign certain portions to a BNG.

the mask - prefix lenght effectively defines the number of subscribers that can be assigned this delegated prefix,

so that is your key parameter. In this example above I only had 256 unique subnets (subscribers) whih each 64 bits worth of hosts available to them.

Think that is over the top, but that is what the trend is heading towards...

regards

xander

Enthusiast

Hi,

with this explanation and the illustration it is much clearer now. I will do some testing in the next few weeks.

Thank you Xander.

Not applicable

Hi,

I am trying to set up IPoE dualstack on 4.3.4. IPv4 is working fine, but I am struggling with IPv6.

Idea is to have TR-177 model with bridged residental gateway and home device (PC, Tablet, TV) gets an IPv6 address

if it supports it.

I see that we can only use SLAAC plus stateless DHCP to get a DNS server?

I configured an /64 IPv6 on the access-interface and configued a DHCP IPv6 local server with dns servers.

Problem is that the Windows 7 PC gets an IPv6 address via autodiscovery but not the DNS server.

Another problem is that I do not see an active session with IPv6 on the BNG, there is only a IPv4 address.

I tried multiple way and once I had a session with IPv4 and IPv6 on the BNG, but the PC did not have this IPv6 address...:)

Is there a way to get an IPv6 address from DHCPv6 server on the BNG? Just like it is with IPv4.

I used this config guide but this is more for routed residental gateway model.

http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-3/bng/configuration/guide/b_bng_cg43xasr9k/b_bng_cg43asr9k_chapter_0100.html#concept_24F63FF2D5E14200967BF214E00E6248

This slide is from Cisco and I would like to know how I can get an /64 prefix on every device? Any examples?

I used your example and I have an IPv6 address on W7 but no DNS server and ping to BNGs Loopback with IPv6 address is not working. Show subscribers session does not show the IPv6 address, only IPv4.

With PPPoE I have both IPv4 and IPv6 Framed and delegated prefix.

Here is my config:

pool vrf ipoe ipv6 IPoEv6_POOL

address-range 2a02:27b0:4060::1 2a02:27b0:4060::ffff

!

dhcp ipv6

profile IPoEv6_DHCP server

  dns-server 2a02:27b0:3:a::abcd 2a02:27b0:3:b::abcd

  address-pool IPoEv6_POOL

!

dynamic-template

type ipsubscriber IPoE_TEMPLATE

  vrf ipoe

  accounting aaa list default type session

  ipv4 unnumbered Loopback10070

  ipv6 enable

  dhcpv6 address-pool IPoEv6_POOL

!

class-map type control subscriber match-any IPoE_CLASS

match protocol dhcpv4 dhcpv6

end-class-map

!

policy-map type control subscriber BNG_IPoE

event session-start match-first

  class type control subscriber IPoE_CLASS do-until-failure

   10 activate dynamic-template IPoE_TEMPLATE

  !

interface Bundle-Ether12.995

description #IPoE#

vrf ipoe

ipv4 point-to-point

ipv4 unnumbered Loopback10070

ipv6 enable

service-policy type control subscriber BNG_IPoE

encapsulation dot1q 995

ipsubscriber ipv4 l2-connected

  initiator dhcp

  initiator unclassified-source

!

ipsubscriber ipv6 l2-connected

  initiator dhcp

  initiator unclassified-source

Enthusiast

I have problems with creating comments here. Here is the missing slide

One update: I connected Ubuntu and configured DHCP only under IPv6 settings and I got a IPv6 addres

and I see this IP address under show subs session, but Ubuntu has :: as default gateway and I can not ping

between BNG and Ubuntu.

I do some more testing

ipv6 tr 177.JPG

Cisco Employee

few things that I see Smail:

1) the v6 dhcp server needs to be tied to the access interface, otherwise DHCP will not proceed.

2) you have here static address assignment and not prefix delegation, so you want to assign  from the pool not a single address, but a prefix with a mask that will be handed out to the CPE so he can distribute/use that for the devices that are attached to the CPE

3) if applicable, if you do authentication, the access-accept needs to provide both v4 and v6 authorization, there is no separate lookup per address family.

4) you have a vrf applied ot the access interface, is that vrf also v6 capable, with that AF instantiated?

5) good call on the vrf the same on the access interface and dynamic template.

6) I think that you do the show upv6 dhcp binding that nothing will come up, or at least not what we expect. that is hy the session is not reproted as dual stack

7) if the cpe is fully bridged, then only the first device that comes online for v6 will get an address due to the way that it is setup. that single device will be a single subscriber.

you probably want to have a subscriber per CPE and have the cpe deal with the remote devices via PD.

8) the dns server for v6 missing is likely because of the address distribution because the dhcp server is not linked to the access interface so we do it via the pool allocation method.

hopefully this will help,

cheers

xander

Enthusiast

Hi Xander,

thank you for replying.

I forgot to copy/paste the whole dhcp ipv6 config, sorry. I have the access-interface under dhcp

dhcp ipv6

profile IPoEv6_DHCP server

  dns-server 2a02:27b0:3:a::abcd 2a02:27b0:3:b::abcd

  address-pool IPoEv6_POOL

!

interface Bundle-Ether12.995 server profile IPoEv6_DHCP

2. and 7. Customer is requesting the bridged RG deployment model because they want to use Broadhop and give the customer the option to add/remove etc. via a portal and to have full control of the network. This is also good for Cisco because the customer need more BNG subscriber liceneses and hardware.

3. For now no auth is used. After I have accomplished to get an IPv4 and IPv6 address I will add authorization with Option82 info as username.

4. I have IPv4 and IPv6 AF under the vrf. I just checked it to be sure, good hint

Tomorrow I will try something else. This dynamic-template will be used tomorrow:

type ipsubscriber IPoE_TEMPLATE

  vrf ipoe

  timeout idle 60

  accounting aaa list default type session

  ipv4 unnumbered Loopback10070

  ipv6 nd other-config-flag

  ipv6 nd managed-config-flag

  ipv6 enable

  dhcpv6 address-pool IPoEv6_POOL

I have to check the end devices again. I know that i chose "DHCP only" on ubuntu. This probably means that it will disable router discovery. Stupid me

I have also to check if the W7 PCs are sending RDs.

I will keep you posted after I have finally an IPoE dualstack session.

p.s.

lease proxy client-lease-time 300 for DHCP IPv4

and

lease 0 0 5 under DHCP IPv6

can be used as a sort of keepalive for IPoE?

Enthusiast

Hi,

it looks like I finally got my IPv6 subscriber session . I got a nice hint from a Cisco engineer who has put me in the right direction.

I used

ipv6 nd other-config-flag  TO GET DNS SERVERS

ipv6 nd managed-config-flag  TO GET AN IPv6 ADDRESS FROM DHCP POOL

under dynamic-template but the subscriber still did not got an IPv6 address from the pool.

After that I tried some more variations and finally got a dual-stack session on the BNG. It is mandatory to have

ipv6 nd managed-config-flag under the access-interface, too.

It looks easy now, but it was a long way to get it to work.

I also tried (was curious) with IPv6 address from the dhcp pool on the access-interface (and remove the pool from DHCP config).

My W7 got both, IPv4 and IPv6 addresses but the IPv6 session was not on the BNG. BNG behaved just like a regular router and not like a subscriber-aware router. Maybe the problem was that there was nothing to trigger the IPv6 session (missing dhcpv6 traffic) that I had in the class-map.

The test PC gets the IPv4 in a sec, but it takes time to get IPv6 address, dns server and gw...about 5 sec.

This is my final config. I will do some more testing next week, but this should be it. Not sure if I can use local DHCP server with lease time of 5 minutes in production for maybe 10K DS subscribers.

pool vrf ipoe ipv6 IPoEv6_POOL

address-range 2a02:27b0:4060::1 2a02:27b0:4060::ffff

dhcp ipv6

profile IPoEv6_DHCP server

  lease 0 0 5

  dns-server 2a02:27b0:3:a::abcd 2a02:27b0:3:b::abcd

  address-pool IPoEv6_POOL

interface Bundle-Ether12.995 server profile IPoEv6_DHCP

dynamic-template

type ipsubscriber IPoE_TEMPLATE

  vrf ipoe

  accounting aaa list default type session

  ipv4 unnumbered Loopback10070

  ipv6 nd reachable-time 10000

  ipv6 nd other-config-flag

  ipv6 nd managed-config-flag

  ipv6 enable

  dhcpv6 address-pool IPoEv6_POOL

interface Bundle-Ether12.995

description #IPoE#

vrf ipoe

ipv4 point-to-point

ipv4 unnumbered Loopback10070

ipv6 nd suppress-ra

ipv6 nd managed-config-flag

ipv6 enable

service-policy type control subscriber BNG_IPoE

encapsulation dot1q 995

ipsubscriber ipv4 l2-connected

  initiator dhcp

  initiator unclassified-source

!

ipsubscriber ipv6 l2-connected

  initiator dhcp

  initiator unclassified-source   I WILL REMOVE THIS LATER.

Cisco Employee

Thanks for providing that config example Smail!

I dont see why the nd managed config flag is necessary, but I will investigate and see/document when this may be necessary.

regards

xander

Hi Xander,

I am trying to establish a dual-stack PPPoE session in an ASR9K (4.3.4) and I have a problem in providing the LAN prefix via DHCPv6-PD.

Since all the other comments and the examples are IPoE related, I am worried that something must be different in PPPoE.

The configuration I am testing right now is the following (ipv6 irrelevant commands are omitted):

pool vrf all ipv6 LLU-KLN-LAN-IPv6-POOL

prefix-length 56

network 2a02:x:x::/40

!

pool vrf all ipv6 LLU-KLN-WAN-IPv6-POOL

prefix-length 64

network 2a02:x:x::/48

!

dhcp ipv6

profile DHCP-SERVER-LOCAL server

  dns-server 2a02:x:x:x::x 2a02:x:x:x::x

  prefix-pool LLU-KLN-LAN-IPv6-POOL

!

interface Bundle-Ether1.33211199 server profile DHCP-SERVER-LOCAL

!

!

interface Bundle-Ether1.33211199

description ** POP-KLN - Residential Internet TEST**

service-policy type control subscriber POP-KLN-PPP-SUBSCRIBER-POLICY

pppoe enable bba-group PPPoE-GROUP-POP-KLN

encapsulation dot1q 3321 second-dot1q 1199

dynamic-template

type ppp POP-KLN-DYNAMIC-TEMPLATE

  ppp ipcp peer-address pool LLU-KLN-WAN-IPv4-POOL

  ipv6 nd other-config-flag

  ipv6 nd framed-prefix-pool LLU-KLN-WAN-IPv6-POOL

  dhcpv6 delegated-prefix-pool LLU-KLN-LAN-IPv6-POOL

!

!

class-map type control subscriber match-any POP-KLN-PPP-SUBSCRIBER-CLASS

match protocol ppp

end-class-map

!

!

class-map type control subscriber match-all POP-KLN-DHCPV6-SUBSCRIBER-CLASS

match protocol dhcpv6

end-class-map

!

policy-map type control subscriber POP-KLN-PPP-SUBSCRIBER-POLICY

event session-start match-all

  class type control subscriber POP-KLN-PPP-SUBSCRIBER-CLASS do-until-failure

   10 activate dynamic-template POP-KLN-DYNAMIC-TEMPLATE

  !

  class type control subscriber POP-KLN-DHCPV6-SUBSCRIBER-CLASS do-all

   10 activate dynamic-template POP-KLN-DYNAMIC-TEMPLATE

  !

!

event session-activate match-all

  class type control subscriber POP-KLN-PPP-SUBSCRIBER-CLASS do-until-failure

   10 activate dynamic-template POP-KLN-DYNAMIC-TEMPLATE

Although the CPE sends the DHCPv6 solicit, the DHCPv6 server is not activated.

Do I miss something? I cannot say that the CCO documentation is so helpful on this matter.

Thank you in advance,

Dimitris

CreatePlease to create content
Content for Community-Ad
June's Community Spotlight Awards