Understanding ASR9000 BNG Routed Subscriber (DHCPv4 Triggered):

Introduction: 

IPoE subscriber sessions can be classified as L2 or L3 (Routed) sessions based on the access network that connects the subscriber to the BNG. If the subscribers are connected via a routed access network (as shown in below figure), the subscriber sessions on BNG are termed as L3 or Routed Subscriber sessions.

Routed Subscriber sessions can be of 2 types IPoE with DHCP as trigger and IPoE with IP-Packet Data traffic as trigger. 

With Routed subscriber session support, subscribers anywhere in IP cloud can be provisioned by BNG thus overcoming the restriction of l2-connectivity.

Until 5.1.1 only L2-connected Subscriber sessions were supported. From IOS-XR Release 5.1.1 onwards, ASR9k (BNG) supports DHCPv4 triggered IPoE Routed Subscriber v4 sessions with on-BNG DHCP server.

Pkt triggered routed session support will be from IOS-XR Release 5.2.2 onwards.

 

Routed Subscriber:

It is evident from the term ‘routed’ that the subscribers can be multiple hops away from BNG (as shown in above figure). As of 5.1.1 only DHCPv4 triggered routed subscribers are supported, so the DSLAM or the previous hop router(s) will relay the DHCP packets (as DHCP relay agents) between subscribers and BNG.

The subscriber initially has no IP address and it starts with DHCP discovery.

The subscriber will be initially identified using client-hw-address field in the DHCP discover which is the first sign of life (FSOL) and session will be created based on this mac address. The subscriber can optionally be authorized based on mac-address and other parameters at this stage.  Once this is done subscriber is offered an IP address.

After the DHCP DORA exchange, once the subscriber gets IP address, subscriber will be identified on BNG by its IP address in data-plane and subscriber route is added (This route addition will be based on the summary route to the subscriber network which must be preconfigured).

Other DHCP client packets (release, renew,  etc …) will not be considered as FSOLs and forwarded/punted based on the subscriber interface and route.

Later the subscriber can be authorized/authenticated (via HTTPr  web authentication) and services can be downloaded and applied to subscriber via Radius / COA.

 

Restrictions, limitation and other Functional Behavior w.r.t platform and configuration:

1. Supported on A9K-MOD80-SE A9K-MOD160-SE and above. Not supported on Trident based LCs ex A9K-8T/4-B, A9K-4T-B etc.
2. Supported on only Ether Bundle sub-interfaces as access interface.
3. Overlapping IP addresses are not supported on the same access interface, same or different VRFs
4. IPv6 DHCP routed sessions are not supported as of 5.1.1 and hence the Dual stack is not supported.
5. PPPoE is not supported.
6. Supported with DHCP Server on BNG. BNG cannot act as DHCP relay / proxy if the packet trigger is routed/relayed DHCP (As ASR9k BNG cannot act as 2nd or higher order Relay agent in relay chaining).
7. DHCP lease query is not supported as FSOL.
8. Summary (cover) route pointing to DHCP client subnet must exist.
9. HTTP redirect can be applied on Subscribers and access credentials can be authenticated in account-logon event. However we should not attempt changing subscriber ‘s vrf (and few other attributes) in this phase via access-accept / COA. As DHCP pool allocation and subscriber cover route are already allocated in session-start phase and DHCP client would have already received the IP address.
10.  Cover subscriber subnet summary/route modifications (like next hop ip / vrf) are strictly not allowed. In case if route gets updated due to dynamic routing protocols, the subscriber session will be torn down and freshly created. If summary route gets deleted, subscribers move to DOWN state and subscriber routes will be deleted. Once the summary route recoveres, subscribers move to UP state and routes are re-added.
11. Non subscriber traffic will be routed by access-interface as normal router would do. So ACLs can be enabled on access-interface to drop unintended non-dhcp and non-subscriber traffic.
12. Initial authorization can happen on mac-address or other DHCP based attributes or BNG access-interface attributes. IP Address cannot be used as we are not aware of ip address allocated by DHCP server to client in advance.
13. Before authorization, the subscriber DHCP packets will arrive on access-interface-vrf, after authorization DHCP and other subscriber traffic will arrive on subscriber-interface-vrf.

 

 

Feature supported

Feature Support will be same as those supported on L2-connected Bundle RP based subscribers.

 

Performance and Scale

Scale Numbers

•  64k Single Stack IPv4 subscriber sessions per system 

Performance will be same as other L2-connected Bundle RP based subscribers.

Approximate target CPS is listed in the table below, assuming 64K sessions per system.           

Scale/Call Flow	IPoE
64k IPv4	100 +

            

High Availability

HA Feature	Plane	Bundle subscribers
Process restart	Control Plane	Subscriber session state maintained. New subscriber bringup delayed by a small time, depending on the component being restarted.
	Data Plane	No impact to traffic
LC OIR	Control Plane	With multi-member bundles, no impact is seen. With single member bundles, control plane cannot function since no control packet is received. Session state is not lost since that is stored on the RP.
	Data plane	With multi-member bundles, no impact is seen. With single member bundles, data traffic is lost. No session state is lost.
RP FO	Control Plane	Significant quiet time (currently more than 10 minutes) before new sessions can be setup. Existing session state is not lost.
	Data Plane	No impact to traffic

 

 

Configuring BNG for DHCPv4 Routed subscribers:

 

       1. Access interface configuration(here Bundle-Ether 1.1 is access-interface):

interface Bundle-Ether1

 lacp switchover suppress-flaps 2500

 bundle wait-while 1

 bundle maximum-active links 2 hot-standby

bundle load-balancing hash dst-ip

 dampening 4

!

interface Bundle-Ether1.1

 service-policy output vlan_policy_egress subscriber-parent resource-id 0

 vrf red

 ipv4 address 12.0.0.1 255.255.0.0

 service-policy type control subscriber ISN_CNTRL_2

 encapsulation dot1q 10

 ipsubscriber ipv4 routed

  initiator dhcp

!

interface Bundle-Ether2

 lacp switchover suppress-flaps 2500

 bundle wait-while 1

 bundle maximum-active links 1

 dampening 4

!

interface Bundle-Ether2.1

 service-policy output vlan_policy_egress subscriber-parent resource-id 0

 vrf red

 ipv4 address 12.2.0.1 255.255.0.0

 service-policy type control subscriber ISN_CNTRL_2

 encapsulation dot1q 12

 ipsubscriber ipv4 routed

  initiator dhcp

!

(ipsubscriber ipv4 routed initiator dhcp—is the access interface config for IPoE routed DHCP based subscribers)

2. DHCP profile configuration:

dhcp ipv4

profile DHCP_SERVER1 server

  lease 0 3 0

  class CLASS_VRF

   pool POOL_GREEN

  !

  class CLASS_VRF_RED

   pool pool_bundle1

  !

profile DHCP_SERVER2 server

  lease 0 3 0

  pool pool_bundle2

!

profile DHCP_SERVER3 server

  lease 0 3 0

  pool pool_bundle3

!

interface Bundle-Ether1.1 server profile DHCP_SERVER1

interface Bundle-Ether2.1 server profile DHCP_SERVER3

!

3. DHCP Pool Configuration:

pool vrf red ipv4 pool_bundle1

 address-range 12.8.0.2 12.8.31.65

!

pool vrf green ipv4 POOL_GREEN

 address-range 12.100.0.2 12.100.31.65

!

pool vrf red ipv4 pool_bundle3

 address-range 12.10.0.2 12.10.31.65

!

4. VRF Configuration:

vrf red

 address-family ipv4 unicast

!

vrf green

 address-family ipv4 unicast

!

(Note the subscribers on an access-interface can come up in a vrf different from corresponding access-interface vrf. This is called cross-vrf. For this to happen, the subscribers’ subsnet summary route must exist with gateway reachable via  access-interface vrf, dhcp pool must be in subscriber vrf. Once the subscriber is created, its vrf cannot be changed - even with coa)

 

5. Routes configuration:

vrf red

  address-family ipv4 unicast

   12.8.0.0/16 12.0.0.2

   12.10.0.0/16 12.2.0.2

  !

 vrf green

  address-family ipv4 unicast

   12.100.0.0/16 vrf red Bundle-Ether1.1 12.0.0.2

  !

(Here subscribers in 12.100.0.0 network behind the CPE will come up vrf green using pool POOL-GREEN, while the subscribers in 12.8.0.0 network will come-up in vrf red using pool “pool_bundle1” on same access-interface Bundle-Ether1.1 which is in vrf red)

6. Loopback configuration for usage by IPoE subscriber interfaces.

interface Loopback2

 vrf red

 ipv4 address 12.21.0.1 255.255.255.255

!

interface Loopback4

 vrf green

 ipv4 address 12.201.1.1 255.255.0.0

!

7. Control Policy-map and class-map configs

class-map type control subscriber match-any ISN_CM_1

 match protocol dhcpv4

!

policy-map type control subscriber ISN_CNTRL_2

  event session-start match-all

  class type control subscriber ISN_CM_1 do-until-failure

   1 activate dynamic-template ISN_TEMPLATE_1

   2 authorize aaa list default identifier circuit-id password cisco

   3 activate dynamic-template httpr_service_temp_coa

  !

 

 event authorization-failure match-all

  class type control subscriber ISN_CM_1 do-until-failure

   5 activate dynamic-template httpr_service_temp_coa

   6 set-timer T1 60

  !

 event account-logon match-all

  class type control subscriber ISN_CM_1 do-until-failure

   7 authenticate aaa list default

   9 deactivate dynamic-template httpr_service_temp_coa

  !

 event account-logoff match-all

  class type control subscriber ISN_CM_1 do-until-failure

   10 disconnect

  !

 event timer-expiry match-all

  class type control subscriber ISN_CM_1 do-until-failure

   11 disconnect

  !

!

 

8. Bundle config on physical link

interface GigabitEthernet0/2/0/1

 bundle id 2 mode active

!

interface GigabitEthernet0/3/0/1

 bundle id 2 mode active

!

9. AAA configs.

radius-server host 8.45.6.173 auth-port 1812 acct-port 1813

 key 7 121A0C041104

!

radius-server host 8.45.6.174 auth-port 1712 acct-port 1713

 key 7 02050D480809

!

aaa server radius dynamic-author

 port 1700

 server-key 7 1511040D

 client 8.45.6.173 vrf default

  server-key 7 070C2E4D

!

!

radius-server source-port extended

aaa accounting network default start-stop group RADIUS1

aaa group server radius RADIUS1

 server 8.45.6.173 auth-port 1812 acct-port 1813

 server 8.45.6.174 auth-port 1712 acct-port 1713

 load-balance method least-outstanding batch-size 30

!

aaa accounting service default group RADIUS1

aaa accounting subscriber default group RADIUS1

aaa accounting subscriber Acctlist1 group RADIUS1

aaa authorization subscriber default group RADIUS1

aaa authentication subscriber default group RADIUS1 

!

 

Show commands and basic troubleshooting commands.

To check subscriber session info

• Show subscriber session all summary
• Show subscriber session all 
• Show ipsubscriber access-interface brief

 

To check DHCP server bindings and statistics . (Helpful in basic debugging)

• Show dhcp ipv4 server binding summary
• Show dhcp vrf <subscriber vrf> ipv4 server statistics

 

(Note : If the routed sessions are not connecting and if there are any DHCP drops, please check the aaa configs, radius user profiles attributes, dhcp profile and pool configs, UDP stats and NP level drop counters and controller NP counters) 

 

Other debug level information collection for helpful to triage the issue:

• show udp statistics clients location <loc>
• Show subscriber manager disconnect-history unique summary
• Show drops np all location <bundle member location>
• Show tech-support subscriber ipoe

 

Glossary:

1. COA : Change of Authorization
2. DHCP : Dynamic Host Configuration Protocol
3. FSOL : First Sign Of Life
4. HTTPr : HTTP Redirect.
5. NP: Network Processor