
ASR9000/XR: BNG VSA's (vendor specific attributes) and Services


 

Introduction

This document provides an overview of the vendor-specific attributes (VSAs) that can be used in the ASR9000 BNG solution. They can be used either in the RADIUS Access-Accept message or in CoA requests to change the behavior of the session.

Vendor Specific Attributes

 

1. RADIUS Attributes for pQoS

 

[Figure: ASR9000_BNG_Attributes.jpg]

sub: indicates AVPair targets MQC policy on a subscriber session
<class-list>: identifies class to be added/removed or modified in the MQC policy
Multiple classes may be specified to modify classification in a nested (child) MQC policy
<qos-action-list>: policy actions to be added/overwritten in targeted class in MQC policy (see table below)
 
Supported QoS features:
• Shaping rate and percentage
• Policing rate and percentage
• Marking (CoS, DSCP, IP Prec)
• Queueing (minBW, BW remaining, priority, WRED, queue-limit)

 

 

| QoS Feature | Action format in RADIUS attribute |
|---|---|
| Shaping | shape(<rate-in-kbps>) |
| | shape-rpct(<rate-in-pct>) |
| Policing | police-rpct(<conform-rate-in-pct>,<conform-burst-in-us>,<exceed-rate-in-pct>,<exceed-burst-in-us>,<conform-action>,<exceed-action>,<violate-action>) |
| | police(<conform-rate-in-kbps>,<conform-burst-in-kBytes>,<exceed-rate-in-kbps>,<exceed-burst-in-kbytes>,<conform-action>,<exceed-action>,<violate-action>) |
| Marking | set-cos(<cos-val>) |
| | set-ip-dscp(<dscp-val>) |
| | set-ip-prec(<precedence>) |
| Queuing | pri-level(<priority-level>) |
| | bw-rpct(<pct>) |
| | bw-rratio(<ratio>) |
| | bw-abs(<bw-in-kbps>) |
| | bw-pct(<bw-in-pct>) |
| | queue-limit(<qlimit-in-packets>) |
| | queue-limit-us(<qlimit-in-us>) |
| | random-detect-dscp(<dscp>) |
| | random-detect-prec(<precedence>) |

 

 

Example

AVPair: "ip:qos-policy-out=add-class(sub,(class-default, VIDEO_CM), set-ip-dscp(af41), bw-abs(256))"
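A RADIUS-side pre-flight check for this AVPair grammar, so a malformed or unsupported pQoS string is rejected before it is placed in an Access-Accept or CoA. This is an added example, not Cisco code: the function names are hypothetical, the comma-separated layout follows the example above, and treating the table's argument counts as upper bounds is an assumption.

```python
import re

# Action names and argument counts copied from the QoS feature table above.
# Treating the count as an upper bound is an assumption of this example.
ACTIONS = {
    "shape": 1, "shape-rpct": 1, "police": 7, "police-rpct": 7,
    "set-cos": 1, "set-ip-dscp": 1, "set-ip-prec": 1, "pri-level": 1,
    "bw-rpct": 1, "bw-rratio": 1, "bw-abs": 1, "bw-pct": 1,
    "queue-limit": 1, "queue-limit-us": 1,
    "random-detect-dscp": 1, "random-detect-prec": 1,
}
HEAD = re.compile(r"(\w+):qos-policy-(in|out)=(add-class|remove-class)\((.*)\)")

def split_top(text):
    """Split on commas that are not nested inside parentheses."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            raise ValueError("unbalanced parentheses")
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if depth:
        raise ValueError("unbalanced parentheses")
    return parts + [cur.strip()]

def parse_pqos(avpair):
    """Parse and validate one pQoS AVPair; raise ValueError if malformed."""
    m = HEAD.fullmatch(avpair.strip())
    if not m:
        raise ValueError("not a qos-policy-in/out AVPair")
    prefix, direction, op, body = m.groups()
    fields = split_top(body)
    if len(fields) < 2 or not re.fullmatch(r"\(.+\)", fields[1]):
        raise ValueError("expected <target>,(<class-list>)")
    classes = split_top(fields[1][1:-1])
    actions = []
    for item in fields[2:]:
        a = re.fullmatch(r"([\w-]+)\((.*)\)", item)
        if not a or a.group(1) not in ACTIONS:
            raise ValueError(f"unsupported action: {item!r}")
        args = split_top(a.group(2))
        if "" in args or len(args) > ACTIONS[a.group(1)]:
            raise ValueError(f"bad arguments for {a.group(1)}")
        actions.append((a.group(1), args))
    # Assumption: add-class needs at least one action, remove-class takes none.
    if (op == "add-class") != bool(actions) or "" in classes:
        raise ValueError(f"{op}: wrong action or class list")
    return {"direction": direction, "op": op, "target": fields[0],
            "classes": classes, "actions": actions}

# The AVPair from the page's own example.
EXAMPLE = ("ip:qos-policy-out=add-class(sub,(class-default, VIDEO_CM), "
           "set-ip-dscp(af41), bw-abs(256))")
```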

 

 

2. VSA's for Account operations (services and logon/off)

 

 

| Primitive | RADIUS AVP |
|---|---|
| Account Logon | authentication cpe12 CoA cisco123 |
| | attribute 44 "<string>"    <<< Accounting Session ID |
| | vsa cisco generic 1 string "subscriber:command=account-logon" |
| Account Logoff | attribute 44 "<string>"    <<< Accounting Session ID |
| | vsa cisco generic 1 string "subscriber:command=account-logoff" |
| Account update (used to change a profile) | attribute 44 "<string>"    <<< Accounting Session ID |
| | vsa cisco generic 1 string "subscriber:command=account-update" |
| | <radius attributes to set/update> |
| Service Activate | attribute 44 "<string>"    <<< Accounting Session ID |
| | vsa cisco generic 1 string "subscriber:sa=<service-name>" |
| Service De-Activate | attribute 44 "<string>"    <<< Accounting Session ID |
| | vsa cisco generic 1 string "subscriber:sd=<service-name>" |

 

 

All of these operations (the primitives in the first column) report an event to the control policy.

 

RP/0/RSP0/CPU0:A9K-BNG(config-pmap)#event ?
  account-logoff              Account logoff event
  account-logon               Account logon event
  authentication-failure      Authentication failure event
  authentication-no-response  Authentication no response event
  authorization-failure       Authorization failure event
  authorization-no-response   Authorization no response event
  exception                   Exception event
  service-start               Service start event
  service-stop                Service stop event
  session-activate            Session activate event
  session-start               Session start event
  session-stop                Session stop event
  timer-expiry                Timer expiry event

 

Note

The accounting session ID is the preferred session identifier. You can also key on the subscriber using the Framed-IP-Address, together with the VRF if applicable (IPv4 only):

Attribute 8: Framed-IP-Address

and starting with 4.2.1:

 

Attribute 8: Framed-IP-Address + AVPair: ip:vrf-id=<vrf name>
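How the session key (attribute 44) and a Cisco generic VSA (attribute 26, vendor 9, sub-type 1) from the account operations above look as RADIUS attribute bytes, with a decoder that rejects malformed TLVs and extracts the session ID and command for audit logging. This is an added example, not code from the page or from Cisco: the function names and the service name are hypothetical, and one sub-attribute per VSA is assumed.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type (RFC 2865)
CISCO_VENDOR_ID = 9    # vendor ID used by Cisco VSAs
CISCO_AVPAIR = 1       # vendor sub-type 1 ("vsa cisco generic 1")
ACCT_SESSION_ID = 44

def encode_attr(attr_type, value):
    """Type, length (including the 2-octet header), value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return bytes([attr_type, len(value) + 2]) + value

def encode_avpair(text):
    """Wrap an AVPair string as attribute 26, vendor 9, sub-type 1."""
    data = text.encode("ascii")
    if len(data) > 247:
        raise ValueError("AVPair string too long for one VSA")
    sub = bytes([CISCO_AVPAIR, len(data) + 2]) + data
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def decode_attrs(buf):
    """Return [(type, value)], rejecting truncated or undersized TLVs."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError(f"malformed attribute at offset {i}")
        out.append((buf[i], buf[i + 2:i + buf[i + 1]]))
        i += buf[i + 1]
    return out

def summarize(buf):
    """Return (Acct-Session-Id, [Cisco AVPair strings]) for audit logging."""
    session_id, avpairs = None, []
    for attr_type, value in decode_attrs(buf):
        if attr_type == ACCT_SESSION_ID:
            session_id = value.decode("ascii")
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, sub_type, sub_len = struct.unpack("!IBB", value[:6])
            if (vendor, sub_type) == (CISCO_VENDOR_ID, CISCO_AVPAIR):
                # Assumption: exactly one sub-attribute per VSA.
                if sub_len != len(value) - 4:
                    raise ValueError("vendor length does not match attribute")
                avpairs.append(value[6:].decode("ascii"))
    return session_id, avpairs

# Constructed sample: service activation for a hypothetical service name,
# with a constructed Acct-Session-Id value.
SAMPLE = (encode_attr(ACCT_SESSION_ID, b"000001c7")
          + encode_avpair("subscriber:sa=EXAMPLE_SERVICE"))
```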

 

Template comparison to radius attribute

 

 

 

| Operation | Feature | Dynamic Template cmd | RADIUS Attribute | VSA (vendor, sub-type) | Attribute format |
|---|---|---|---|---|---|
| Service Activation | Service Activation | N/A | 26 | 9,1 | subscriber:sa=<service-name> |
| Network Forwarding | IP address source intf | ipv4 unnumbered <interface> | 26 | 9,1 | ipv4:ipv4-unnumbered=<interface> |
| | PPP framed address | N/A | 8 | | framed-ip-address=<IPv4 address> |
| | PPP Address Pool | ppp ipcp peer-address pool <addr pool> | 26 | 9,1 | ipv4:addr-pool=<addr pool name> |
| | PPP framed pool | N/A | 88 | | framed-pool=<addr pool name> |
| | PPP framed route | N/A | 22 | | framed-route=<subnet><mask> |
| | VRF | vrf <vrf name> | 26 | 9,1 | subscriber:vrf-id=<vrf name> |
| | V4 DNS | ppp ipcp dns <primary dns ip> <secondary dns ip> | 26 | 9,1 | ip:primary-dns=<primary dns ip> |
| | | | | | ip:secondary-dns=<secondary dns ip> |
| | DHCP classname | N/A | 26 | 9,1 | subscriber:classname=<dhcp-class-name> |
| Traffic Accounting | Accounting | accounting aaa list <method list> type session | 26 | 9,1 | subscriber:accounting-list=<method list> |
| | Interim Interval | accounting aaa list <method list> type session periodic-interval <minutes> | 85 | | Acct-Interim-Interval <minutes> |
| | Dual Stack Accnt Start Delay | accounting aaa list <method list> type session dual-stack-delay <secs> | | | subscriber:dual-stack-delay=<sec> |
| Session Administration | keepalives | keepalive <sec> | 26 | 9,1 | subscriber:keepalive=interval<sec> |
| | | | | | NOT SUPPORTED/Implemented |
| | Absolute Timeout | ppp timeout absolute <sec> | 27 | n/a | session-timeout=<sec> |
| | Idle Timeout | timeout idle <sec> | 28 | n/a | idle-timeout=<sec> |
| Traffic conditioning | HQoS (with SPI) | service-policy input <in_mqc_name> shared-policy-instance <spi-name> | 26 | 9,1 | subscriber:sub-qos-policy-in=<in_mqc_name> [shared-policy-instance <spi-name>] |
| | | service-policy output <out_mqc_name> shared-policy-instance <spi-name> | | | subscriber:sub-qos-policy-out=<out_mqc_name> [shared-policy-instance <spi-name>] |
| | pQoS | N/A | 26 | 9,1 | subscriber:qos-policy-in=add-class(target policy (class-list) qos-actions-list) |
| | | | | | subscriber:qos-policy-in=remove-class(target policy (class-list)) |
| | | | | | subscriber:qos-policy-out=add-class(target policy (class-list) qos-actions-list) |
| | | | | | subscriber:qos-policy-out=remove-class(target policy (class-list)) |
| | Subscriber ACLs/ABF | ipv4 access-group <in_acl_name> in | 26 | 9,1 | ipv4:inacl=<in_acl_name> |
| | | ipv4 access-group <out_acl_name> out | | | ipv4:outacl=<out_acl_name> |
| | | ipv6 access-group <in_v6acl_name> in | | | ipv6:ipv6_inacl=<in_v6acl_name> |
| | | ipv6 access-group <out_v6acl_name> out | | | ipv6:ipv6_outacl=<out_v6acl_name> |
| | HTTP-R | service-policy type pbr <HTTR policy name> | 26 | 9,1 | subscriber:sub-pbr-policy-in=<HTTR policy name> |

 

 

IPv6 Attributes

 

| Attribute | Defined By | Received In | IPv6 Client | Address Assignment | Dynamic Template equivalent config |
|---|---|---|---|---|---|
| Framed-Interface-Id (96) | RFC3162 | Access-Accept | PPPoE | Any | ppp ipv6cp peer-interface-id <64bit #> |
| Framed-IPv6-Prefix (97) | RFC3162 | Access-Accept | PPPoE | SLAAC | N.A. |
| Framed-IPv6-Route (99) | RFC3162 | Access-Accept, CoA | Any | Any | N.A. |
| Framed-IPv6-Pool (100) | RFC3162 | Access-Accept | PPPoE | SLAAC | ipv6 nd framed-prefix-pool <name> |
| Framed-ipv6-Address (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCP6 (Local Server) | N.A. |
| Stateful-IPv6-Address-Pool (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCP6 (Local Server) | dhcpv6 address-pool <name> |
| Delegated-IPv6-Prefix-Pool (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCP6 (Local Server) | dhcpv6 delegated-prefix-pool <name> |
| DNS-Server-IPv6-Address (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCP6 (Local Server) | To be configured in DHCPv6 server profile |
| Delegated-IPv6-Prefix | RFC4818 | Access-Accept | PPPoE, IPoE | DHCP6 (Local Server) | N.A. |

 

NOTE

The IETF has not yet allocated numeric values for the newly defined attributes in draft-ietf-radext-ipv6-access-*. The following Cisco VSAs have been temporarily defined to close that gap:

| Attribute | Cisco VSA |
|---|---|
| Framed-ipv6-Address | "ipv6:addrv6=<ipv6 address>" |
| Stateful-IPv6-Address-Pool | "ipv6:stateful-ipv6-address-pool=<name>" |
| Delegated-IPv6-Prefix-Pool | "ipv6:delegated-ipv6-pool=<name>" |
| DNS-Server-IPv6-Address | "ipv6:ipv6-dns-servers-addr=<ipv6 address>" |

 

Radius Accounting bytes and packets

 

The following accounting attributes pertain to byte and packet accounting in the ASR9000 solution, including counters specific to IPv4 and IPv6:

 

| Attribute | Defined By | Description |
|---|---|---|
| Acct-Input-Octets (42) | RFC2866 | Session input total byte count |
| Acct-Input-Packets (47) | RFC2866 | Session input total packet count |
| Acct-Output-Octets (43) | RFC2866 | Session output total byte count |
| Acct-Output-Packets (48) | RFC2866 | Session output total packet count |
| Cisco VSA (26,9,1): acct-input-octets-ipv4 | Cisco | Session input IPv4 byte count |
| Cisco VSA (26,9,1): acct-input-packets-ipv4 | Cisco | Session input IPv4 packet count |
| Cisco VSA (26,9,1): acct-output-octets-ipv4 | Cisco | Session output IPv4 byte count |
| Cisco VSA (26,9,1): acct-output-packets-ipv4 | Cisco | Session output IPv4 packet count |
| Cisco VSA (26,9,1): acct-input-octets-ipv6 | Cisco | Session input IPv6 byte count |
| Cisco VSA (26,9,1): acct-input-packets-ipv6 | Cisco | Session input IPv6 packet count |
| Cisco VSA (26,9,1): acct-output-octets-ipv6 | Cisco | Session output IPv6 byte count |
| Cisco VSA (26,9,1): acct-output-packets-ipv6 | Cisco | Session output IPv6 packet count |
| Cisco VSA (26,9,1): connect-progress | Cisco | Indicates session setup connection progress |

3. Dynamic Route insertion

 

RADIUS attribute examples for the different types of framed-route:

PPPoE V6 route

Framed-IPv6-Route = "45:1:1:1:2:3:4:5/128 :: 4 tag 5"

PPPoE v4 route

Framed-Route = "45.1.6.0 255.255.255.0 0.0.0.0 6 tag 7"

IPoE v4 route

Framed-Route = "vrf vpn1 45.1.4.0/24 vrf vpn1 0.0.0.0 4 tag 5"

 

4. Route distribution (please don't!)

router bgp 100
 address-family ipv4 unicast
  redistribute subscriber <route-policy>

 

Xander Thuijs CCIE#6775

Principal Engineer, ASR9000

Comments
Community Member

Dear Xander, thank you for the great doc.

In my system I observe several fields with different values in the Acc-Stop message from the BNG:

    Cisco-AVPair = acct-input-octets-ipv4=34179
    Cisco-AVPair = acct-input-packets-ipv4=165
    Cisco-AVPair = acct-output-octets-ipv4=6989
    Cisco-AVPair = acct-output-packets-ipv4=53
    Cisco-AVPair = acct-input-octets-ipv6=0
    Cisco-AVPair = acct-input-packets-ipv6=0
    Cisco-AVPair = acct-output-octets-ipv6=0
    Cisco-AVPair = acct-output-packets-ipv6=0
    Acct-Status-Type = Stop
    Acct-Delay-Time = 0
    Acct-Input-Octets = 27171
    Acct-Output-Octets = 8946
    Acct-Session-Id = 000001c7
    Acct-Session-Time = 184
    Acct-Input-Packets = 97
    Acct-Output-Packets = 58

According to this attribute description document, in my case the session input total byte count defined by RFC2866 shows fewer bytes than the IPv4 session byte count defined by Cisco.

My question:

How to differentiate these values and what do they show?

Logic tells me that IPv6 bytes + IPv4 bytes = total, or?

Thank you, Artsiom Maksimenka

Cisco Employee

Hi Artsiom, this is a bug, can you file a TAC case and have them open a sw defect for tracking please?

regards!

xander

Community Member

Hi Xander, I want to inform you about this bug, the ID is CSCui79108.

Thank you.

Artsiom

Cisco Employee

Yup I got a notification from the tac engineer and he filed that ddts which I am working on getting assigned to the right people. Thanks for that!

regards!

xander

Community Member

Hi Alex,

I'm deploying IPoE in version 5.1.0, and the BNG can accept Framed-IP-Address and Framed-IP-Netmask from RADIUS. Is it possible to send the CPE default gateway from RADIUS?

thank you

anderson

Cisco Employee

Hi Anderson,

yes you can do that too, via a VSA:

ipv4:default-ipv4-gateway=<gateway>

cheers!

xander

Community Member

Hi Alex,

That's great!

Because I would like to do IPoE address allocation via RADIUS.

Is this the right format? (from AuthFile Users Radius)

000c.4270.3bb0
     Framed-IP-Address = 10.10.10.2,
     Framed-IP-Netmask = 255.255.255.0,
     cisco-avpair = ipv4:default-ipv4-gateway=10.10.10.1

I have tried to put that attribute but it seems to have failed.

MAC Address      IP Address      State    Remaining       Interface          VRF      Sublabel
--------------  --------------  ---------  ---------  -------------------  ---------  ----------
000c.4270.3bb0  0.0.0.0         INIT_REQUEST_DPM_WAIT 47         BE100.905            default    0x0       *
* Next renew request from this client will be NAK'd in order to recreate subscriber session

Beginner

Hi Alex,

I am applying a policy-map through

Cisco-AVPair(1): subscriber:sub-qos-policy-in=BE-10m

I see this in the access-accept packet. However, this AVPair is not appearing in accounting update/interim. Is this normal behaviour? Is there any way to make this AVPair appear in accounting packets?

Cisco Employee

Hi asad,

can you make sure that the policy is applied to the subscriber session via

show policy-map interface bundle-eX.Y.<subscriber>

if it is there, then it should appear in the accounting records, and if not, then I would like you to file a tac case with the release and show info so we can have this fixed up. policy info should be inserted into accounting records.

cheers!

xander

Beginner

Yes Alex, it is being applied on the session.

show subscriber session all detail internal shows all parameters are correctly applied. But the QoS parameters are not visible in any of the accounting packets and appear only in the access-accept packet.

Last COA request received: unavailable
User Profile received from AAA:
Attribute List: 0x10010b44
1:  addr            len=  4  value= 1.2.3.4
2:  netmask         len=  4  value= 255.255.255.255
3:  sub-qos-policy-in len=  6  value= BE-10m
4:  sub-qos-policy-out len=  6  value= BE-10m

Also, show policy-map interface bundle-eX.Y.<subscriber> shows that the policy is correctly applied.

I will go for a TAC case now. This 4.3.1 already has CSCug21959, which is making the debugging difficult to interpret.

Enthusiast

Hi all,

are those av-pairs ok?

Idea is to have a pool for framed prefix and delegated prefix.

It is for dualstack!

Cisco-AVPair = "vrf-id=DUALSTACK"
Cisco-AVPair = "ip:addr-pool= DS_PPPoEv4"
Cisco-AVPair = "subscriber:sub-qos-policy-in= 512_in"
Cisco-AVPair = "subscriber:sub-qos-policy-out= 4096_out"
Cisco-AVPair = "ipv4:ipv4-unnumbered= Loopback1068"

and now for IPv6

Cisco-AVpair = "ipv6:delegated-ipv6-pool = DELEGATES_PREFIX_POOL"
Cisco-AVpair = "ipv6:ipv6-dns-servers-addr=SOME_DNS_IPv6_ADDRESS"
Cisco-AVPair = "subscriber:sub-qos-policy-in= 512_in"
Cisco-AVPair = "subscriber:sub-qos-policy-out= 4096_out"

I do not have access to RADIUS server and I have to send this to the RADIUS guy.

It would be nice if I do not have to send it 10 times because I made a mistake

Cisco Employee

hey smail,

the access-request is done only once for dual stack also.

so the access accept should return the profile providing both v4 and v6 info.

this means you can only have one set of v4/v6 qos policies and not two.

another gotcha is that the dns v6 server can only be a single addr, noted as a limitation and worked on for extension.

make sure your dyntpl has the v6 enable config

and of course a routable v6 addr as peer addr.

cheers!

xander

Enthusiast

Hi Xander,

thanks for the hint. I also doubted that double av-pair attributes are needed.

I have prepared a dynamic-template from the config guides and your documents and I have ipv6 enable in it.

And with "routable v6 address as peer" you mean global IPv6 address for subscribers?

What is the exact syntax for "Framed-IPv6-Prefix"? Maybe Cisco-AVpair = "ipv6:Framed-IPv6-Prefix = FRAMED_PREFIX_POOL"?

I am trying to figure all this out, reading config guides, forums and open TAC for assistance because of limited time for the project. I will know more when I see all this in action

This is my template:

dynamic-template
 type ppp BNG_DUALSTACK_TEMPLATE
  ppp authentication chap pap
  keepalive 30
  ppp ipcp dns 10.100.35.10 10.100.36.10
  ppp ipcp peer-address pool DS_PPPoEv4
  ipv4 mtu 1492
  ipv4 unnumbered Loopback1068
  ipv6 mtu 1492
  ipv6 enable
  ipv6 verify unicast source reachable-via rx
  ipv6 unreachables disable
  dhcpv6 address-pool FRAMED_PREFIX_POOL
  dhcpv6 delegated-prefix-pool DELEGATED_PREFIX_POOL

Cisco Employee

hey there smail, you make long days these days

the precise formatting of the framed-ipv6-prefix is dependent on your radius server what it can encode, but generally it is in the form of 2001::1/48 or something like that, this provides the delegated prefix

But because you provide the address and pool already in the template, there is no need to pass on these atts via radius again.

You can omit the radius ones, unless you want to override what you have done in the template.

I don't think you really need v6 RPF enabled because that is something native in the binding forwarding already.

uRPF costs a lot of pps, and the binding is used for forwarding (downstream) and check against the mac/addr binding on ingress (upstream).

cheers!

xander

Enthusiast

Oh yes, very long days. Fortunately we will start today with the tests, and not next week

So I can finally test some things.

You are right about the dynamic-template, if I already have the delegated prefix and framed prefix in the template, then I do not need pass it via RADIUS. I forgot that.

I will only pass the vrf, qos and dns server via radius.

Thank you for the hint about uRPF. I saw that you are using uRPF, but for IPv4 here

https://supportforums.cisco.com/docs/DOC-39405

Is it the same for IPv4 and v6, in regards of cost of pps?
