
ASR9000/XR: BNG VSA's (vendor specific attributes) and Services


Introduction

This document provides an overview of the Vendor Specific Attributes (VSAs) that can be used in the ASR9000 BNG solution. They can be carried either in the RADIUS Access-Accept message or in CoA requests to change the behavior of a session.

Vendor Specific Attributes

 

1. RADIUS Attributes for pQoS

 

[Figure: ASR9000_BNG_Attributes.jpg]

sub: indicates that the AVPair targets the MQC policy on a subscriber session
<class-list>: identifies the class to be added, removed or modified in the MQC policy; multiple classes may be specified to modify classification in a nested (child) MQC policy
<qos-action-list>: policy actions to be added or overwritten in the targeted class of the MQC policy (see table below)
 
Supported QoS features:
•Shaping rate and percentage
•Policing rate and percentage
•Marking (CoS, DSCP, IP Prec)
•Queueing (minBW, BW remaining, priority, WRED, queue-limit)

 

 

| QoS feature | Action format in RADIUS attribute |
|---|---|
| Shaping | shape(<rate-in-kbps>) |
| | shape-rpct(<rate-in-pct>) |
| Policing | police-rpct(<conform-rate-in-pct>,<conform-burst-in-us>,<exceed-rate-in-pct>,<exceed-burst-in-us>,<conform-action>,<exceed-action>,<violate-action>) |
| | police(<conform-rate-in-kbps>,<conform-burst-in-kBytes>,<exceed-rate-in-kbps>,<exceed-burst-in-kbytes>,<conform-action>,<exceed-action>,<violate-action>) |
| Marking | set-cos(<cos-val>) |
| | set-ip-dscp(<dscp-val>) |
| | set-ip-prec(<precedence>) |
| Queuing | pri-level(<priority-level>) |
| | bw-rpct(<pct>) |
| | bw-rratio(<ratio>) |
| | bw-abs(<bw-in-kbps>) |
| | bw-pct(<bw-in-pct>) |
| | queue-limit(<qlimit-in-packets>) |
| | queue-limit-us(<qlimit-in-us>) |
| | random-detect-dscp(<dscp>) |
| | random-detect-prec(<precedence>) |

 

 

Example

AVPair: "ip:qos-policy-out=add-class(sub,(class-default, VIDEO_CM), set-ip-dscp(af41), bw-abs(256))"
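The add-class/remove-class syntax above is a small grammar, and a RADIUS server that emits these AVPairs (or a CoA front end that accepts them from an operator) should validate them rather than pass free text to the BNG. The Python below is an added example, not part of the original article and not Cisco code: it parses an AVPair into direction, operation, class list and actions, checks every action name and parameter count against the table above, and rebuilds a validated string. The arity table is transcribed from the page; the decision to accept both the "ip:" prefix used in the article's example and the "subscriber:" prefix used in the comparison table further down is this example's own, and the sample values are constructed.

```python
import re

# Action name -> number of parameters, transcribed from the
# "Action format in RADIUS attribute" table above.
ACTION_ARITY = {
    "shape": 1, "shape-rpct": 1,
    "police": 7, "police-rpct": 7,
    "set-cos": 1, "set-ip-dscp": 1, "set-ip-prec": 1,
    "pri-level": 1, "bw-rpct": 1, "bw-rratio": 1, "bw-abs": 1, "bw-pct": 1,
    "queue-limit": 1, "queue-limit-us": 1,
    "random-detect-dscp": 1, "random-detect-prec": 1,
}

# Both prefixes appear on the page ("ip:" in the example, "subscriber:" in the table).
_KEY = re.compile(r"(ip|subscriber):qos-policy-(in|out)")
_CALL = re.compile(r"([a-z-]+)\((.*)\)", re.S)


def _split_top_level(text):
    """Split on commas that are not nested inside parentheses."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')'")
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if depth != 0:
        raise ValueError("unbalanced '('")
    parts.append("".join(cur).strip())
    return parts


def parse_pqos_avpair(avpair):
    """Parse '<prefix>:qos-policy-<in|out>=<op>(sub,(<classes>)[, <action>(...)...])'."""
    key, sep, value = avpair.partition("=")
    m_key = _KEY.fullmatch(key.strip())
    if not sep or not m_key:
        raise ValueError(f"not a pQoS attribute: {avpair!r}")
    direction = m_key.group(2)
    call = _CALL.fullmatch(value.strip())
    if not call or call.group(1) not in ("add-class", "remove-class"):
        raise ValueError("operation must be add-class(...) or remove-class(...)")
    op, args = call.group(1), _split_top_level(call.group(2))
    if len(args) < 2 or args[0] != "sub":
        raise ValueError("expected target 'sub' followed by a parenthesised class list")
    if not (args[1].startswith("(") and args[1].endswith(")")):
        raise ValueError("class list must be parenthesised")
    classes = [c.strip() for c in args[1][1:-1].split(",") if c.strip()]
    if not classes:
        raise ValueError("empty class list")
    actions = []
    for item in args[2:]:
        m = _CALL.fullmatch(item)
        if not m or m.group(1) not in ACTION_ARITY:
            raise ValueError(f"unknown qos action: {item!r}")
        name, body = m.group(1), m.group(2).strip()
        params = _split_top_level(body) if body else []
        if len(params) != ACTION_ARITY[name]:
            raise ValueError(f"{name} takes {ACTION_ARITY[name]} parameter(s), got {len(params)}")
        actions.append((name, params))
    if op == "remove-class" and actions:
        raise ValueError("remove-class takes no qos actions")
    if op == "add-class" and not actions:
        raise ValueError("add-class needs at least one qos action")
    return {"direction": direction, "op": op, "classes": classes, "actions": actions}


def build_pqos_avpair(direction, op, classes, actions=(), prefix="ip"):
    """Assemble an AVPair and run it back through the parser so nothing malformed leaves the server."""
    body = f"{op}(sub,({', '.join(classes)})"
    for name, params in actions:
        body += f", {name}({','.join(params)})"
    avpair = f"{prefix}:qos-policy-{direction}={body})"
    parse_pqos_avpair(avpair)
    return avpair


if __name__ == "__main__":
    # The article's own example, followed by a constructed remove-class.
    print(parse_pqos_avpair("ip:qos-policy-out=add-class(sub,(class-default, VIDEO_CM), set-ip-dscp(af41), bw-abs(256))"))
    print(build_pqos_avpair("out", "remove-class", ["VIDEO_CM"]))
```

The splitter tracks parenthesis depth so that the class list and a seven-argument police(...) call are not torn apart on their inner commas; an action with the wrong parameter count, an unknown action name, or a remove-class that carries actions is rejected before it reaches the CoA path.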

 

 

2. VSA's for Account operations (services and logon/off)

 

 

Primitive: RADIUS AVPs

Account Logon
  authentication cpe12 CoA cisco123
  attribute 44 "<string>"                               <<< Accounting Session ID
  vsa cisco generic 1 string "subscriber:command=account-logon"

Account Logoff
  attribute 44 "<string>"                               <<< Accounting Session ID
  vsa cisco generic 1 string "subscriber:command=account-logoff"

Account Update (used to change a profile)
  attribute 44 "<string>"                               <<< Accounting Session ID
  vsa cisco generic 1 string "subscriber:command=account-update"
  <radius attributes to set/update>

Service Activate
  attribute 44 "<string>"                               <<< Accounting Session ID
  vsa cisco generic 1 string "subscriber:sa=<service-name>"

Service De-Activate
  attribute 44 "<string>"                               <<< Accounting Session ID
  vsa cisco generic 1 string "subscriber:sd=<service-name>"

 

 

All the operations in the first column report an event to the control policy:

 

RP/0/RSP0/CPU0:A9K-BNG(config-pmap)#event ?
  account-logoff              Account logoff event
  account-logon               Account logon event
  authentication-failure      Authentication failure event
  authentication-no-response  Authentication no response event
  authorization-failure       Authorization failure event
  authorization-no-response   Authorization no response event
  exception                   Exception event
  service-start               Service start event
  service-stop                Service stop event
  session-activate            Session activate event
  session-start               Session start event
  session-stop                Session stop event
  timer-expiry                Timer expiry event

 

Note

Accounting session ID is the preferred session identifier. You can also key on the subscriber with the framed-ip-address plus the VRF (if applicable); this is IPv4 only:

Attribute 8: Framed-IP-Address

and, starting with 4.2.1:

Attribute 8: Framed-IP-Address + AVPair: ip:vrf-id=<vrf name>
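To make the CoA primitives above concrete on the wire, here is an added example in Python (not part of the original article and not Cisco code). It builds a CoA-Request that carries attribute 44 (Acct-Session-Id) and the Cisco-AVPair VSA (attribute 26, Vendor-Id 9, vendor type 1, i.e. "vsa cisco generic 1" above), computes the RFC 5176 Request Authenticator, and shows the check the receiving BNG performs: recomputing the authenticator with the shared secret so that a request from a sender without the secret, or one modified in transit, is discarded. It also produces and verifies the CoA-ACK/NAK. The identifier, session id and shared secret are constructed placeholders.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45      # RFC 5176 packet codes
ACCT_SESSION_ID, VENDOR_SPECIFIC = 44, 26        # RFC 2866 / RFC 2865 attribute types
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1             # Cisco enterprise number, Cisco-AVPair vendor type


def attribute(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value; Length covers the header."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Encode a Cisco-AVPair: attribute 26 wrapping Vendor-Id 9 and a vendor type 1 sub-attribute."""
    value = text.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, len(value) + 2) + value
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def request_authenticator(code, ident, attrs, secret):
    """RFC 5176 s2.3: MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_coa_request(ident, acct_session_id, avpairs, secret):
    """CoA-Request keyed on Acct-Session-Id (attribute 44) carrying one or more Cisco-AVPairs."""
    attrs = attribute(ACCT_SESSION_ID, acct_session_id.encode())
    attrs += b"".join(cisco_avpair(a) for a in avpairs)
    auth = request_authenticator(COA_REQUEST, ident, attrs, secret)
    return struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_packet(pkt):
    """Return (code, identifier, authenticator, decoded attributes, raw attribute bytes)."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    auth, attrs, decoded, i = pkt[4:20], pkt[20:], [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[i + 2:i + alen]
        if attr_type == VENDOR_SPECIFIC and len(value) >= 6 \
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("malformed vendor sub-attribute")
            name = "Cisco-AVPair" if vtype == CISCO_AVPAIR else f"Cisco-VSA-{vtype}"
            decoded.append((name, value[6:4 + vlen].decode()))
        elif attr_type == ACCT_SESSION_ID:
            decoded.append(("Acct-Session-Id", value.decode()))
        else:
            decoded.append((attr_type, value))
        i += alen
    return code, ident, auth, decoded, attrs


def verify_coa_request(pkt, secret):
    """Receiver-side check: a CoA-Request whose authenticator does not verify is silently discarded."""
    code, ident, auth, _, attrs = parse_packet(pkt)
    expected = request_authenticator(code, ident, attrs, secret)
    return code == COA_REQUEST and hmac.compare_digest(auth, expected)


def build_coa_response(request, code, secret, attrs=b""):
    """CoA-ACK/NAK: MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    _, ident, req_auth, _, _ = parse_packet(request)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_coa_response(response, request, secret):
    """Sender-side check that the ACK/NAK came from a peer holding the secret and matches our request."""
    code, ident, auth, _, attrs = parse_packet(response)
    _, req_ident, req_auth, _, _ = parse_packet(request)
    if code not in (COA_ACK, COA_NAK) or ident != req_ident:
        return False
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hmac.compare_digest(auth, hashlib.md5(header + req_auth + attrs + secret).digest())


if __name__ == "__main__":
    SECRET = b"cisco123"   # constructed placeholder, not a real secret
    req = build_coa_request(7, "0000002A", ["subscriber:command=account-logon"], SECRET)
    print(parse_packet(req)[3], verify_coa_request(req, SECRET))
```

The same encoder serves the service-activate and account-update primitives: swap the AVPair text, or pass several AVPairs to carry the extra attributes an account-update sets. The authenticator is a keyed MD5, so the shared secret is the only thing standing between a CoA listener and an unauthenticated session change; keeping the CoA port reachable only from the RADIUS/DAS hosts is the usual companion control.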

 

Template comparison to RADIUS attribute

| Operation | Dynamic Template cmd | Attr # | Vendor,Type | RADIUS attribute |
|---|---|---|---|---|
| Service Activation | | | | |
| Service Activation | N/A | 26 | 9,1 | subscriber:sa=<service-name> |
| Network Forwarding | | | | |
| IP address source intf | ipv4 unnumbered <interface> | 26 | 9,1 | ipv4:ipv4-unnumbered=<interface> |
| PPP framed address | N/A | 8 | | framed-ip-address=<IPv4 address> |
| PPP Address Pool | ppp ipcp peer-address pool <addr pool> | 26 | 9,1 | ipv4:addr-pool=<addr pool name> |
| PPP framed pool | N/A | 88 | | framed-pool=<addr pool name> |
| PPP framed route | N/A | 22 | | framed-route=<subnet><mask> |
| VRF | vrf <vrf name> | 26 | 9,1 | subscriber:vrf-id=<vrf name> |
| V4 DNS | ppp ipcp dns <primary dns ip> <secondary dns ip> | 26 | 9,1 | ip:primary-dns=<primary dns ip>; ip:secondary-dns=<secondary dns ip> |
| DHCP classname | N/A | 26 | 9,1 | subscriber:classname=<dhcp-class-name> |
| Traffic Accounting | | | | |
| Accounting | accounting aaa list <method list> type session | 26 | 9,1 | subscriber:accounting-list=<method list> |
| Interim Interval | accounting aaa list <method list> type session periodic-interval <minutes> | 85 | | Acct-Interim-Interval <minutes> |
| Dual Stack Accnt Start Delay | accounting aaa list <method list> type session dual-stack-delay <secs> | | | subscriber:dual-stack-delay=<sec> |
| Session Administration | | | | |
| keepalives | keepalive <sec> | 26 | 9,1 | subscriber:keepalive=interval<sec> (NOT SUPPORTED/Implemented) |
| Absolute Timeout | ppp timeout absolute <sec> | 27 | n/a | session-timeout=<sec> |
| Idle Timeout | timeout idle <sec> | 28 | n/a | idle-timeout=<sec> |
| Traffic conditioning | | | | |
| HQoS (with SPI) | service-policy input <in_mqc_name> shared-policy-instance <spi-name>; service-policy output <out_mqc_name> shared-policy-instance <spi-name> | 26 | 9,1 | subscriber:sub-qos-policy-in=<in_mqc_name> [shared-policy-instance <spi-name>]; subscriber:sub-qos-policy-out=<out_mqc_name> [shared-policy-instance <spi-name>] |
| pQoS | N/A | 26 | 9,1 | subscriber:qos-policy-in=add-class(target policy (class-list) qos-actions-list); subscriber:qos-policy-in=remove-class(target policy (class-list)); subscriber:qos-policy-out=add-class(target policy (class-list) qos-actions-list); subscriber:qos-policy-out=remove-class(target policy (class-list)) |
| Subscriber ACLs/ABF | ipv4 access-group <in_acl_name> in; ipv4 access-group <out_acl_name> out; ipv6 access-group <in_v6acl_name> in; ipv6 access-group <out_v6acl_name> out | 26 | 9,1 | ipv4:inacl=<in_acl_name>; ipv4:outacl=<out_acl_name>; ipv6:ipv6_inacl=<in_v6acl_name>; ipv6:ipv6_outacl=<out_v6acl_name> |
| HTTP-R | service-policy type pbr <HTTR policy name> | 26 | 9,1 | subscriber:sub-pbr-policy-in=<HTTR policy name> |

 

 

IPv6 Attributes

| Attribute | Defined By | Received In | IPv6 Client | Address Assignment | Dynamic Template equivalent config |
|---|---|---|---|---|---|
| Framed-Interface-Id (96) | RFC3162 | Access-Accept | PPPoE | Any | ppp ipv6cp peer-interface-id <64bit #> |
| Framed-IPv6-Prefix (97) | RFC3162 | Access-Accept | PPPoE | SLAAC | N.A. |
| Framed-IPv6-Route (99) | RFC3162 | Access-Accept, CoA | Any | Any | N.A. |
| Framed-IPv6-Pool (100) | RFC3162 | Access-Accept | PPPoE | SLAAC | ipv6 nd framed-prefix-pool <name> |
| Framed-ipv6-Address (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCP6 (Local Server) | N.A. |
| Stateful-IPv6-Address-Pool (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCP6 (Local Server) | dhcpv6 address-pool <name> |
| Delegated-IPv6-Prefix-Pool (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCP6 (Local Server) | dhcpv6 delegated-prefix-pool <name> |
| DNS-Server-IPv6-Address (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCP6 (Local Server) | To be configured in DHCPv6 server profile |
| Delegated-IPv6-Prefix | RFC4818 | Access-Accept | PPPoE, IPoE | DHCP6 (Local Server) | N.A. |

 

NOTE

IETF has not yet allocated numeric values for the attributes newly defined in draft-ietf-radext-ipv6-access-*. The following Cisco VSAs have been temporarily defined to close that gap:

• Framed-ipv6-Address: "ipv6:addrv6=<ipv6 address>"
• Stateful-IPv6-Address-Pool: "ipv6:stateful-ipv6-address-pool=<name>"
• Delegated-IPv6-Prefix-Pool: "ipv6:delegated-ipv6-pool=<name>"
• DNS-Server-IPv6-Address: "ipv6:ipv6-dns-servers-addr=<ipv6 address>"

 

Radius Accounting bytes and packets

 

The following accounting attributes pertain to byte and packet accounting in the ASR9000 solution, including the IPv6-specific ones:

 

| Attribute | Defined By | Description |
|---|---|---|
| Acct-Input-Octets (42) | RFC2866 | Session input total byte count |
| Acct-Input-Packets (47) | RFC2866 | Session input total packet count |
| Acct-Output-Octets (43) | RFC2866 | Session output total byte count |
| Acct-Output-Packets (48) | RFC2866 | Session output total packet count |
| Cisco VSA (26,9,1): acct-input-octets-ipv4 | Cisco | Session input IPv4 byte count |
| Cisco VSA (26,9,1): acct-input-packets-ipv4 | Cisco | Session input IPv4 packet count |
| Cisco VSA (26,9,1): acct-output-octets-ipv4 | Cisco | Session output IPv4 byte count |
| Cisco VSA (26,9,1): acct-output-packets-ipv4 | Cisco | Session output IPv4 packet count |
| Cisco VSA (26,9,1): acct-input-octets-ipv6 | Cisco | Session input IPv6 byte count |
| Cisco VSA (26,9,1): acct-input-packets-ipv6 | Cisco | Session input IPv6 packet count |
| Cisco VSA (26,9,1): acct-output-octets-ipv6 | Cisco | Session output IPv6 byte count |
| Cisco VSA (26,9,1): acct-output-packets-ipv6 | Cisco | Session output IPv6 packet count |
| Cisco VSA (26,9,1): connect-progress | Cisco | Indicates session set-up connection progress |

3. Dynamic Route insertion

 

RADIUS attribute examples for the different types of framed-route:

 

PPPoE v6 route

Framed-IPv6-Route = "45:1:1:1:2:3:4:5/128 :: 4 tag 5"

PPPoE v4 route

Framed-Route = "45.1.6.0 255.255.255.0 0.0.0.0 6 tag 7"

IPoE v4 route

Framed-Route = "vrf vpn1 45.1.4.0/24 vrf vpn1 0.0.0.0 4 tag 5"

 

4. Route distribution (please don't!)

 

router bgp 100

address-family ipv4 unicast

  redistribute subscriber <route-policy>

 

Xander Thuijs CCIE#6775

Principal Engineer, ASR9000

Comments
Beginner

Thanks for the answer.

This works only if the session is established. When I try to apply the service in the authorization process (DHCP subscribers), the subscriber session can't be established. I think this is a bug (IOS XR 5.1.1).

 

Community Member
My workaround for this is adding Service-Type=Framed together with Cisco-AVPair=subscriber:sa=SERVICE in Access-Accept, dhcp works fine with that
Cisco Employee

is your access-accept only containing the service activate? if that is the case then I know what the problem is.

We were just dealing with a similar situation yesterday whereby it became clear that only a service-activate constitutes an "empty profile" and that causes that trouble, by adding ANY attribute to the profile that is not skipped during activation the session operates fine.

so the solution you found is indeed the right trick.

xander

Hi Xander,

Regarding the following:

4. Route distribution (please don't!)
 

How can I announce the per-user routes if not by redistributing them?

I am using a bras cluster, so I don't know which session/per user route will end up to each bras.

 

Regards,

Dimitris

Beginner

Dimitris

A better way is to announce the aggregate route or summary route to BGP for the sake of scalability. When you say BRAS cluster, do you mean BNG over an ASR9K nV cluster (which is a single control plane) or two BRAS working together using PADO delay to share the load? If it's the latter, the suggestion is to use a different address pool on each box to make route redistribution easier.

 

BR/Roy

Cisco Employee

yeah my point was that with the scale of a9k, 128k subs going to 512k you just don't want to smoke your OSPF for instance with all kinds of /32's.

It is best to have a pool per device and advertise the pool range/summary instead.

However, if you're running nv Cluster then both devices are a single logical chassis. If you run both devices stand alone with backup for each other's sessions, then the trick of pool per device and summary advertise applies.

regards

xander

We have implemented BRAS clustering using PPPoE Smart server selection (pado delay) and we are providing static IP services via radius. So a subscriber can login to several different BRAS routers (ASR1K or ASR9K) using the same IPv4 framed address/subnet or IPv6 prefix.

So different pools is not a solution for our case :(

Cisco Employee

do all users have a static address? If not, then you can do the redist on those users that may end up on either device and/or reserve a range out of a pool for that static assignment.

Even in the 7200 days, having /32's in your network floating all over the place is somewhat of a drain to the IGP in use.

If there is really no alternative, one thing to consider would be to put the BRAS into a different OSPF area and then summarize at the area boundary, so that at least the LSA updates are contained within that limited region and not your IGP suffers from this.

xander

A part of the users has static addresses. The rest of them get IP addresses dynamically from local pools

Our implementation in ASR1K is the following (in high level):

  • Local pools are advertised aggregated in BGP.
  • Per user routes (static or connected) are redistributed in BGP

The relevant parts of the config are the following (in order to get a better idea).


router bgp xxx
 !
 address-family ipv4
  bgp aggregate-timer 0
  network x.x.x.x mask y.y.y.y ! Aggregated local pool
  redistribute connected route-map CONNECTED-TO-BGP-ROUTEPOLICY ! for framed-ip-address from radius/route map denies router connected networks (e.g. interfaces, /32 from PPP sessions)
  redistribute static route-map STATIC-TO-BGP-ROUTEPOLICY ! for framed-route from radius/route map denies configured static routes (e.g. default route)
!
ip route x.x.x.x y.y.y.y Null0 254 tag 1 name LOCAL-POOL ! local pool
ip route 0.0.0.0 0.0.0.0 z.z.z.z tag 1 name DEFAULT-ROUTE ! default route

ip prefix-list CONNECTED-TO-BGP-DENY-PREFIXES seq 10 permit x.x.x.x/w ge 32 ! local pool

!
route-map STATIC-TO-BGP-ROUTEPOLICY deny 10
 match tag 1 ! denies configured static routes
!
route-map STATIC-TO-BGP-ROUTEPOLICY permit 99
!

!
route-map CONNECTED-TO-BGP-ROUTEPOLICY deny 10
 match interface Loopback0 TenGigabitEthernet1/0/0 ! denies local interfaces
!
route-map CONNECTED-TO-BGP-ROUTEPOLICY deny 20
 match ip address prefix-list CONNECTED-TO-BGP-DENY-PREFIXES ! denies /32 from local pools
!
route-map CONNECTED-TO-BGP-ROUTEPOLICY permit 99

In ASR9K, using "subscriber" routes instead of static/connected makes it easier for us to advertise the per-user routes (framed-ip-address, framed-route) than it was in IOS-XE, because we don't need to use all the route maps in order to distinguish them from the local static/connected routes.

The question is whether you see any problems in redistributing per-user subscriber routes. I guess I have to use a route policy for not redistributing /32s from the local pools (since they are also subscriber routes), but I cannot see a different way to implement it in order to totally avoid using redistribution.

 

~~~~~

Got the same reply problem here as with the other question dimitris, editing inline then instead...

Yeah the route marking from connected to subscriber definitely makes it easy. See we do learn from the past and improve forward :)

This what you have above, is perfect. Controlling the /32's out. You can do the same in XR with RPL (route policy language) in a similar fashion as with route-maps on your redistribute command for subscriber routes:

RP/0/RSP0/CPU0:A9K-BNG(config-bgp-af)#redistribute subscriber route-policy test

xander
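The IOS XR counterpart of the IOS-XE route-maps in the thread, as an added example (not from the thread, not Cisco's sample config): a prefix-set that matches only the per-session /32s inside the locally advertised pool, a route policy that drops those and passes everything else (framed-ip-address and framed-route entries outside the pool), and the redistribute subscriber command from section 4 calling that policy. The pool 192.0.2.0/24 is a placeholder; AS 100 is taken from the article. The static to Null0 exists so that the network statement has a route to advertise.

```text
prefix-set LOCAL-POOL-HOSTS
  192.0.2.0/24 ge 32 le 32
end-set
!
route-policy SUBSCRIBER-TO-BGP
  if destination in LOCAL-POOL-HOSTS then
    drop
  else
    pass
  endif
end-policy
!
router static
 address-family ipv4 unicast
  192.0.2.0/24 Null0
 !
!
router bgp 100
 address-family ipv4 unicast
  network 192.0.2.0/24
  redistribute subscriber route-policy SUBSCRIBER-TO-BGP
 !
!
```

With this in place BGP carries one summary for the dynamic pool plus only those subscriber routes that genuinely need to be reachable on a per-session basis (the static assignments and framed-routes discussed above), which is the scale trade-off Xander describes.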

Hi Xander,

 

I am facing some issues regarding some specific radius attributes in 4.3.4

1. I cannot see how I can apply a per-user ACL sent via radius. In IOS-XE I am using ip:inacl#1=permit ip any any av-pair, but in IOS-XR the inacl attribute is supposed to be used differently (if I have understood correctly).

2. ipv4 access-group <in_acl_name> in under dynamic-template does not seem to work:

dynamic-template
 type ppp POP-KLN-DYNAMIC-TEMPLATE
 <...>
  ipv4 access-group SUBSCRIBER-IPV4-IN ingress

RP/0/RSP0/CPU0:bbras-llu-kln-31#sh access-lists interface bundle-ether 1.33211199.pppoe1241
Input ACL : N/A
Output ACL : N/A

3. Trying to apply a configured ACL from radius (ipv4:inacl=<in_acl_name>) doesn't seem to work:

Radius profile: cisco-avpair="ip:inacl=SUBSCRIBER-IPV4-IN",

RP/0/RSP0/CPU0:bbras-llu-kln-31#sh access-lists interface bundle-ether 1.33211199.pppoe1240
Input ACL : N/A
Output ACL : N/A

So, I haven't found a way to do the following:

  • Assign a local configured ACL to all subscribers (either via dynamic template or via radius)
  • Assign a per-user ACL to some specific subscribers (via radius)

Could you help please?

Regards,

Dimitris

Cisco Employee

Hi D,

1) correct, that is not supported yet in XR, we have no case for it yet, so its been put on the backburner...

2) that command is not working yet, but I have a fix up for that filed and will come soon, the right now command is like this:

show access-lists <acl_name> usage pfilter location 0/rSP1/CPU0

location is rsp for bundle sessions or the Lc for phy/sub termination.

output:

RP/0/RSP1/CPU0:A9K-BOTTOM#show access-lists BNG_test usage pfilterlocation 0/rSP1/CPU0
Fri Jun  3 14:33:45.292 EDT
Interface : Bundle-Ether1001.100.pppoe9
    Input ACL : N/A
    Output ACL : BNG_test
 
RP/0/RSP1/CPU0:A9K-BOTTOM#
ipv4 access-list BNG_test
 10 permit icmp any any
 20 deny tcp any any eq telnet
 30 permit ipv4 any any
 
3) yeah use same command for verification.
also on the show subscr ses all you should be able to see the application I think in the radius attr set.
 
xander

Thanks for the prompt reply :)

1. I guess we are the first. Do you need us to open a TAC case or involve our acct team in order to describe you the case?

2. Works

RP/0/RSP0/CPU0:bbras-llu-kln-31#show access-lists LOCAL-SUBSCRIBER-IPV4-IN usage pfilter location 0/RSP0/CPU0
Interface : Bundle-Ether1.33211199.pppoe1244
    Input Common-ACL : N/A  ACL : LOCAL-SUBSCRIBER-IPV4-IN
    Output ACL : N/A


3. Works

RP/0/RSP0/CPU0:bbras-llu-kln-31#show access-lists RADIUS-SUBSCRIBER-IPV4-IN usage pfilter location 0/RSP0/CPU0
Interface : Bundle-Ether1.33211199.pppoe1245
    Input Common-ACL : N/A  ACL :RADIUS-SUBSCRIBER-IPV4-IN
    Output ACL : N/A

RP/0/RSP0/CPU0:bbras-llu-kln-31#sh subsc sess all detail internal
Interface:                Bundle-Ether1.33211199.pppoe1245
<...>
4:  inacl           len= 26  value= RADIUS-SUBSCRIBER-IPV4-IN

 

Do you have any estimations about the availability of the fix?

Community Member

Hello Xander,  

For any established v6 session we can see subscriber v6 address in Cisco-AVPair = addrv6=2a02:x:x:x::x attribute in accounting requests from BNG.

Is there an attribute in Accounting flow, which shows the delegated ipv6 prefix to an ipsubscriber when using BNG DHCPv6 server? 

BR, 

Artsiom

 

Beginner

Hello.

How can I determine which services the subscriber is subscribed (using CoA)?

Cisco Employee

Nah no need for a TAC case Dimitris, then I'll get the same question different route and the answer to you will be the same: For this one it is best to consult with your account team and explain the requirement/necessity. They will create a business case to our marketing team so that when there is enough demand this will be prioritized accordingly.

I looked into this before, because I liked this functionality on IOS (a1k/c10k). Although it is a drag on scale, because every p-u ACL gets a unique instance although all the ACE's may be the same or very similar (/compressable?), the work to do this is quite substantial. Unfortunately this is not an easy fix that I could do under the table, so need that user demand for it to justify the dev and test time etc... Otherwise I would have sneaked it in somewhere :)

and awesome on the items 2 and 3! :)

xander
