xthuijs (Cisco Employee)

Introduction

In IOS-XR version 4.2.0 (December 2011) the ASR9000 adds BNG (Broadband Network Gateway) subscriber termination with IP (DHCP-triggered IPoE) sessions and PPPoE. This document is a step-by-step guide to setting up an ASR9000 BNG, with a description of what each component is used for and how to verify its operation.

Problem Description

BNG is a complex technology. This technote expands on the configuration options and how to set them up. The "Related Information" section contains a pointer to a video on demand showing the capabilities of A9K BNG.

Steps to completion

1) Dynamic Template configuration (~ IOS virtual template)
2) Configuring RADIUS
3) Configuring Subscriber Access
4) Configure Subscriber Authentication
5) Control Policy Definition
6) Verification of session establishment

1.0       Configure User Profiles, Dynamic-Template and Services Profiles 


Exercise Description 

Configure User Profiles, Dynamic-Templates and Service Profiles that will be activated on the session at different stages of the session lifecycle. 

Exercise Objective 

Learn how to create Dynamic Templates and configure ASR9K features (e.g. ACLs and QoS class maps) that will be referenced by the various templates and profiles. Dynamic templates define the basic configuration applied to a session. Per-user attributes returned by RADIUS always take precedence over the dynamic template configuration.

1.1       Dynamic-Template Configuration for PPPoE Subscribers 

Steps to Complete Task 

Step 1.        Enter the following configuration items. 

dynamic-template
 type ppp PPP_TPL
  ppp authentication chap
  ppp ipcp peer-address pool POOL
  ipv4 unnumbered Loopback1000
 !
!
pool vrf default ipv4 POOL
 address-range 199.1.1.1 199.1.1.255

Solution Explanation and Clarification 

PPP authentication protocol, address-pool for client (remote) address assignment and unnumbered interface for session (local) address assignment are typical features configured under a PPP dynamic template and provide basic settings for proper PPP session establishment. 

The unnumbered Loopback address is merely an endpoint for ppp subscribers, it is not involved in (external) routing.  Despite popular belief, it does NOT need to be a routable address and can be duplicated over multiple devices. 

In addition to defining a ppp dynamic-template, named PPP_TPL, this step also defines the address pool POOL referenced in the dynamic template. 

Multiple ranges can be configured in a pool.  These address pools do NOT get automatically advertised in routing protocols, that is why during the first task we created a static (summary) route for the range and we redistributed it in OSPF. 

Task Verification 

The show command will provide us details of the address range and the pool usage. 

RP/0/RSP0/CPU0:BNG_POD_1#show address-pool POOL

Thu Oct  6 19:12:38.671 UTC

Pool                                  Begin           End             Free InUse

1.2       Dynamic-Template Configuration for IPoE Subscribers 

Steps to Complete Task 

Step 1.        Enter the following configuration items 

dynamic-template
 type ipsubscriber IPSUB_TPL
  ipv4 unnumbered Loopback2000
  ipv4 access-group IPSUB_FAIL_ACL ingress
  ipv4 access-group IPSUB_FAIL_ACL egress
 !
!
ipv4 access-list IPSUB_FAIL_ACL
 5 permit tcp any any eq www
 10 permit tcp any eq www any
 15 deny ipv4 any any
!
! This ACL is the base ACL applied to an IP subscriber session. The RADIUS profile returned on successful
! authentication may override it with a less restrictive one. This heavily restricted ACL is for demonstration
! purposes only, forcing the user to log on via the web portal in this example.

Solution Explanation and Clarification 

In addition to defining an IP subscriber dynamic-template, named IPSUB_TPL, this step also defines the Access-List referenced in the dynamic template. 

By default a session permits all traffic, so a Security ACL provides a way of restricting access over a subscriber session.  This is especially true for IP subscribers who may need to get authenticated via Web Logon.  In such cases an initial ACL applied to the session may permit bidirectional communication with DNS servers (not in this sample ACL) and Web Portal, while denying all the rest.  Upon successful authentication, that ACL can then be replaced by a less restrictive one or totally removed. 

The IP unnumbered interface for session (local) address assignment is a mandatory setting under an IP dynamic template and provides the basic configuration for IP session establishment. The address of the unnumbered interface becomes the default gateway of the IP subscriber associated with the session. The same address is used as the giaddr in the DHCP proxy configuration, which tells the DHCP server which subnet to select the client address from.

1.3       Local configuration of features referenced by RADIUS defined profiles 

Step 1.        Part A 

During verification tasks, the following 2 CoA Requests will be sent to the BNG referencing 2 MQC classes: VOIP and VIDEO.  MQC classes must be pre-configured on a device. 

For more information on COA see the link below in the "related information" section

coa_w32 -f voip.cfg -1 44,<session id> -n <some reachable addr of 9k>

CoA profile "voip.cfg":

attribute2=26,9,1,subscriber:command=account-update
attribute3=26,9,1,ip:qos-policy-out=add-class(sub,(class-default), shape(200))
attribute4=26,9,1,ip:qos-policy-out=add-class(sub,(class-default, VOIP), pri-level(1), police(128,8))
timeout=1

coa_w32 -f video.cfg -1 44,<session id> -n 192.168.100.10<pod>

CoA profile "video.cfg":

attribute1=26,9,1,subscriber:command=account-update
attribute2=26,9,1,ip:qos-policy-out=add-class(sub,(class-default, VIDEO), bw-abs(2048))
timeout=1

Step 1.        Enter the following configuration items to define the MQC classes:

class-map match-any VIDEO
 match dscp af41
end-class-map
!
class-map match-any VOIP
 match dscp ef
end-class-map
!

Step 2.        Part B 

During verification steps, Web Based authentication will be emulated for the IP subscriber. 

The IP subscriber’s User Profile references a security ACL that will now permit all traffic. 

coa_w32 -f login.cfg -n 192.168.100.10 -1 44,<session_id> -1 1,myuser

COA profile for "login.cfg"

attribute2=26,9,1,subscriber:command=account-logon

attribute3=26,9,1,subscriber:password=cisco

timeout=1

The RADIUS profile needs to be present on the RADIUS server. The CoA account-logon makes the BNG authenticate "myuser" with password cisco against RADIUS:

myuser Cleartext-Password := "cisco"

           cisco-avpair = "ip:outacl=PERM_ALL",

           cisco-avpair += "ip:inacl=PERM_ALL"

Step 3.        Enter the following configuration items to define the "permit all" ACL in IOS-XR:

ipv4 access-list PERM_ALL
 10 permit ipv4 any any
!


2.0       Configure Northbound Interfaces 


Exercise Description 

Configure basic RADIUS and RADIUS CoA connectivity to prepare the system for AAA authentication of subscriber access and for dynamic service activation.

Exercise Objective 

The system will be ready to hand off authentication requests to the radius-server and send radius-requests with the desired nas-port and nas-port-id. 

It will also be ready to accept CoA requests from an external server.

2.1       Radius Configuration 

Steps to Complete Task 

Step 1.        Enter the following configuration items: 

aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU type 32
aaa radius attribute nas-port-id format NAS_PORT_FORMAT
aaa accounting subscriber default group radius
aaa authorization subscriber default group radius
aaa authentication subscriber default group radius
!
aaa attribute format MY_AUTH
 mac-address plus circuit-id plus remote-id separator #
!
aaa attribute format NAS_PORT_FORMAT
 circuit-id plus remote-id separator .
!
radius-server host <radius server> auth-port 1812 acct-port 1813
 key BNG
!

Solution Explanation and Clarification 

In this configuration section you define how the RADIUS NAS-Port-Id (attribute 87) is constructed; in this case it is the circuit-id followed by the remote-id, separated by a dot ".".

NAS-Port (attribute 5) is a 32-bit integer. The first line defines which of its bits carry the slot, adapter, port, VLAN IDs and PPPoE session ID. Each field's value is written into its group of bits and the resulting integer is sent in the attribute.

NAS-PORT definition and overview

The NAS-Port definition can be set per session "type" (PPPoE, PPPoEoVLAN, PPPoEoQinQ, etc.). If no definition exists for the specific type, the global definition is used, and fields that are not found or not applicable to the session type are set to zero (e.g. the VLAN ID bits of a plain PPPoE session are all 0).

Service Port Types and Corresponding RADIUS Values

Service Port Type    RADIUS Value
PPPoA                30
PPPoEoA              31
PPPoEoE              32
PPPoEoVLAN           33
PPPoEoQinQ           34

Example NAS-Port format: aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU

Value description:

Key    Description
0/1    Literal bit value "0" or "1"
f/F    Shelf identifier
s/S    Slot identifier
a/A    Adapter
p/P    Port
i/I    Subslot
c/L    Channel
V      Outer VLAN
Q      Inner VLAN
U      PPPoE Session ID
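As an added illustration (not part of the original article and not IOS-XR code), the following Python encodes and decodes a NAS-Port value from a format string like the one configured above, which is what you need when correlating RADIUS accounting records back to a physical port. It assumes, since the page does not say so, that each run of identical letters is one field holding its value most-significant-bit first, that literal 0/1 characters are fixed bits, and that upper- and lower-case letters denote the same field; the field names are this example's own.

```python
# Added example, not from the article and not IOS-XR code: encode/decode the
# 32-bit NAS-Port (RADIUS attribute 5) from a format string such as the one
# in "aaa radius attribute nas-port format e ...". Assumptions (the page does
# not say): each run of identical letters is one field holding its value
# MSB-first, literal 0/1 characters are fixed bits, and upper/lower case
# name the same field. Field names below are this example's own.

FIELD_NAMES = {
    "F": "shelf", "S": "slot", "A": "adapter", "P": "port", "I": "subslot",
    "C": "channel", "L": "channel",   # the key table lists channel as c/L
    "V": "outer_vlan", "Q": "inner_vlan", "U": "pppoe_session_id",
}

NAS_PORT_FORMAT = "SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU"   # the format from section 2.1


def _runs(fmt):
    """Yield (char, start_bit_from_left, width) for each run of identical
    characters, so the string is read as bit 31 down to bit 0."""
    fmt = fmt.upper()
    if len(fmt) != 32:
        raise ValueError("format must describe exactly 32 bits")
    i = 0
    while i < 32:
        j = i
        while j < 32 and fmt[j] == fmt[i]:
            j += 1
        yield fmt[i], i, j - i
        i = j


def encode_nas_port(fmt, **fields):
    """Build the NAS-Port integer. Fields not given are zero, as the article
    says for fields that do not apply to a session type. A value that does
    not fit its bit width raises instead of being silently truncated."""
    unknown = set(fields) - set(FIELD_NAMES.values())
    if unknown:
        raise ValueError(f"unknown field(s): {sorted(unknown)}")
    value = 0
    for ch, start, width in _runs(fmt):
        if ch in "01":
            bits = int(ch) * ((1 << width) - 1)   # fixed bits
        else:
            name = FIELD_NAMES[ch]               # KeyError for letters not in the key
            bits = fields.get(name, 0)
            if not 0 <= bits < (1 << width):
                raise ValueError(f"{name}={bits} does not fit in {width} bits")
        value |= bits << (32 - start - width)
    return value


def decode_nas_port(fmt, value):
    """Inverse of encode_nas_port: split a NAS-Port seen in a RADIUS request
    or accounting record back into named fields for log correlation."""
    out = {}
    for ch, start, width in _runs(fmt):
        if ch in "01":
            continue
        out[FIELD_NAMES[ch]] = (value >> (32 - start - width)) & ((1 << width) - 1)
    return out


if __name__ == "__main__":
    v = encode_nas_port(NAS_PORT_FORMAT, slot=1, port=3, outer_vlan=11, pppoe_session_id=7)
    print(f"NAS-Port = {v} (0x{v:08x})")
    print(decode_nas_port(NAS_PORT_FORMAT, v))
    # UUUU is only 4 bits in this format, so a PPPoE session id of 30 cannot be carried:
    try:
        encode_nas_port(NAS_PORT_FORMAT, pppoe_session_id=30)
    except ValueError as e:
        print("rejected:", e)
```

The width check matters in practice: in the format above the session ID gets only four bits, so session IDs above 15 (the example session later on the page is 30) cannot be represented, and a format that truncates silently produces NAS-Port values that no longer identify the session uniquely.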

Also, we have defined the radius-server to the designated address and AAA method lists for authentication, authorization and accounting. 

The attribute format “MY_AUTH” will be used in the control policy-map for IP sessions, it will designate how the username will be constructed for authenticating the IP subscriber. 

Task Verification 

The command show radius verifies configuration of the designated server. 

RP/0/RSP0/CPU0:BNG_POD_1#show radius

Thu Oct  6 18:37:53.350 UTC

Global dead time: 0 minute(s)

Number of Servers:1

Server: 192.168.100.2/1812/1813  is UP

  Timeout: 1 sec, Retransmit limit: 1

  Authentication:

    0 requests, 0 pending, 0 retransmits

    0 accepts, 0 rejects, 0 challenges

    0 timeouts, 0 bad responses, 0 bad authenticators

    0 unknown types, 0 dropped, 0 ms latest rtt

  Accounting:

    0 requests, 0 pending, 0 retransmits

    0 responses, 0 timeouts, 0 bad responses

    0 bad authenticators, 0 unknown types, 0 dropped

    0 ms latest rtt

2.2       Add CoA clients to the dynamic author configuration: 

Steps to Complete Task: 

Step 1.        Enter the following configuration items: 

aaa server radius dynamic-author

port 1700

auth-type any

client <radius server> vrf default server-key BNG

Solution Explanation and Clarification 

By default the router does not respond to CoA requests. To make it accept CoA requests from a particular source, that source is added as a client under the dynamic-author configuration, together with the shared secret used to authenticate its requests.

The port is configured here too: 1700 is the Cisco default, whereas RFC 5176 assigns UDP port 3799 to CoA, so the CoA client has to be pointed at whichever port the router listens on.

Note the "auth-type". A CoA request identifies the target session through one or more session identification attributes; most commonly attribute 44, Acct-Session-Id, is used. When more identifiers are sent (username, IP address, etc.), auth-type selects how many of them must match for the designated session to be targeted. With "any" a single matching identifier is enough, so a request carrying only a username can act on a session by username alone; "all" is the stricter choice when the CoA client can send the full set. Whatever the setting, the only thing authenticating a CoA request is the shared secret (through the MD5 Request Authenticator), so keep the client list to the real AAA servers and do not make the CoA port reachable from subscriber-facing interfaces.

RP/0/RSP0/CPU0:A9K-BNG(config-Dynamic Author)#auth-type ?
  all          all session identifiers must match for that single subscriber
  any          any of the session identifiers is enough to match the subscriber
  session-key  use the ASCEND SESSION SERVER KEY as the match for subscriber identification
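The wire format behind the coa_w32 profiles of section 1.3 and the checks the dynamic-author server performs on them, as an added Python example (not from the article and not Cisco's tool): it builds a CoA-Request from the profile-style attribute lines, computes the Request Authenticator from the shared secret the way RFC 5176 requires, and verifies requests and responses as each side does. The attribute syntax "type,value" / "26,vendor,subtype,value" is taken from the profiles above; the function and constant names are this example's own.

```python
import hashlib
import hmac
import struct

# Added example (not from the article, not Cisco code): builds the RADIUS
# CoA-Request that a coa_w32 profile such as login.cfg describes, and checks
# it the way the router's dynamic-author server must before acting on it.
# Packet layout and authenticator rules are RFC 2865 / RFC 5176; vendor id 9
# with sub-type 1 (cisco-avpair) follows the "26,9,1,..." lines above.

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42


def attr(type_, value):
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", type_, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26) carrying one vendor sub-attribute."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(26, struct.pack("!I", vendor_id) + sub)


def parse_profile_attr(spec):
    """'type,value' or '26,vendor,subtype,value': the syntax of the attributeN=
    lines and of the -1 command-line option in the profiles above."""
    type_, rest = spec.split(",", 1)
    if type_ == "26":
        vendor, subtype, value = rest.split(",", 2)
        return vsa(int(vendor), int(subtype), value.encode())
    return attr(int(type_), rest.encode())


def build_request(code, identifier, attrs, secret):
    """CoA-Request / Disconnect-Request. Request Authenticator =
    MD5(Code | Identifier | Length | 16 zero octets | Attributes | Secret)
    (RFC 5176 section 2.3): the shared secret is all that authenticates the client."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    """Router-side check with its configured server-key. A failure here is what
    the 'Bad Authenticator' counter in 'show radius dynamic-author' counts."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code, request, attrs, secret):
    """CoA-ACK/NAK: Response Authenticator =
    MD5(Code | Identifier | Length | RequestAuthenticator | Attributes | Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(response, request, secret):
    """Client-side check, so a spoofed ACK or one for a different request is rejected."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def decode_attrs(packet):
    """[(type, value)] with Vendor-Specific expanded to (26, vendor, subtype, value)."""
    out, i = [], 20
    while i < len(packet):
        if i + 1 >= len(packet):
            raise ValueError("malformed attribute")
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > len(packet):
            raise ValueError("malformed attribute")
        v = packet[i + 2:i + l]
        if t == 26:
            if len(v) < 6:
                raise ValueError("malformed VSA")
            out.append((26, struct.unpack("!I", v[:4])[0], v[4], v[6:4 + v[5]]))
        else:
            out.append((t, v))
        i += l
    return out


def login_request(session_id, username, secret, identifier=1):
    """login.cfg plus '-1 44,<session_id> -1 1,<user>' from the command line above."""
    specs = [f"44,{session_id}", f"1,{username}",
             "26,9,1,subscriber:command=account-logon",
             "26,9,1,subscriber:password=cisco"]
    return build_request(COA_REQUEST, identifier, [parse_profile_attr(s) for s in specs], secret)


if __name__ == "__main__":
    key = b"BNG"                                  # server-key from the dynamic-author config
    req = login_request("00000045", "myuser", key)
    print("valid with configured key:", verify_request(req, key))
    print("valid with wrong key:     ", verify_request(req, b"wrong"))
    ack = build_response(COA_ACK, req, [], key)
    print("ack accepted by client:   ", verify_response(ack, req, key))
    for a in decode_attrs(req):
        print(a)
```

Note what the check does and does not give you: a request with a wrong or missing key fails the Request Authenticator and is counted, not executed, but a captured valid request can be replayed as long as the session identifiers still match, because nothing beyond the Identifier byte ties it to a point in time. That is why the dynamic-author client list, a per-client server-key and network-level reachability of the CoA port are the real controls.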


Task Verification 

Enter the following commands to confirm configuration. 

RP/0/RSP0/CPU0:BNG_POD_1#show radius dynamic-author

Thu Oct  6 18:42:58.151 UTC

Radius Dynamic-Author Server:

    Invalid Disc-Reqs:          0

    Invalid CoA-Reqs:           0

Radius Dynamic-Author Client:

    Client IP:          192.168.100.2

    Disconnect-Request:

        Disc-Req  0   Disc-Ack  0  Disc-Nack  0

        Authorize-Only Request:        0

        Authorize-Only Nack:           0

        Disc-Nack for no context:      0

        Malformed Req:                 0

        Bad Authenticator:             0

        Dropped Req:                   0

    CoA-Request:

        CoA-Req   0   CoA-Ack   0  CoA-Nack   0

        Authorize-Only Request:        0

        Authorize-Only Nack:           0

        CoA-Nack for no context:       0

        Malformed Req:                 0

        Bad Authenticator:             0

        Dropped Req:                   0

3.0         Configure Subscriber Access 


Exercise Description 

Prepare the system to initiate subscriber sessions. 

Exercise Objective 

After completing this exercise the BNG will be ready to take DHCP discovers (for IP subscribers) and PADI (for PPP subscribers) from a particular interface and create a subscriber session. 

3.1       Setup Subscriber Access for IP Subscribers 

Steps to Complete Task 

Step 1.        Enter the following configuration items to configure DHCP Proxy for IP subscribers: 

dhcp ipv4

profile IP_DEFAULT proxy

  helper-address <DHCP Server> giaddr 172.20.1.254

  relay information option

  relay information policy keep

  relay information option allow-untrusted

!

interface Bundle-Ether100.1 proxy profile IP_DEFAULT

Solution Explanation and Clarification 

This snippet defines a basic DHCP proxy profile, named IP_DEFAULT, which specifies the DHCP server address (helper-address) and the gateway address (giaddr) used in the relayed requests. "relay information option" makes the BNG insert option 82 (circuit-id/remote-id), "relay information policy keep" preserves an option 82 that is already present instead of replacing it, and "allow-untrusted" accepts client packets that arrive with a zero giaddr but already carry option 82, which a relay would otherwise drop (this is the usual case when a DSLAM inserts option 82 before the BNG). Because the MY_AUTH format of section 2.1 builds the RADIUS username from circuit-id and remote-id, allow-untrusted combined with policy keep should only be used where the access node is trusted to strip or overwrite client-supplied option 82; otherwise a subscriber can choose the identity it is authorized with.

Finally, we attach the proxy profile to the access-interface. 

Task Verification for Step 1 

Enter the following commands, or retrieve the following information to confirm configuration. 

RP/0/RSP0/CPU0:BNG_POD_1#show dhcp ipv4 proxy profile

Thu Oct  6 19:02:25.257 UTC

DHCP IPv4 Proxy Profiles

--------------------------

IP_DEFAULT

When things are operational you can verify via:

RP/0/RSP0/CPU0:BNG_POD_1#show dhcp ipv4 proxy binding

Thu Oct  6 19:03:39.487 UTC

                                           Lease                                    

MAC Address      IP Address      State    Remaining       Interface          VRF      Sublabel

--------------  --------------  ---------  ---------  -------------------  ---------  ----------

RP/0/RSP0/CPU0:BNG_POD_1#show dhcp ipv4 proxy statistics

Thu Oct  6 19:04:27.400 UTC

                  VRF                     |      RX       |      TX       |       DR   |

-------------------------------------------------------------------------------------------

default                                  |            0  |            0  |          0  |

Step 2.        Define the control policy directive that will handle IP session establishment. 

class-map type control subscriber match-any DHCP
 match protocol dhcpv4
end-class-map
!
policy-map type control subscriber IP_PM
 event session-start match-first
  class type control subscriber DHCP do-until-failure
   5 activate dynamic-template IPSUB_TPL
  !
 !

Solution Explanation and Clarification 

The anatomy of a control policy is such that we have an event (e.g.: session-start), for which we evaluate one or more classes, and then a list of actions to be executed.  Classes allow us to have a single control policy, while still defining different actions for the same event type.  The configured class matches on IP sessions specifically. 

3.2       Apply “IPSUB_TPL” Dynamic Template 

The “IPSUB_TPL” dynamic-template, configured earlier, is applied to IP subscribers when the session is initiated. 

Steps to Complete Task 

Step 1.        Configure the terminating interface for IP subscribers.  Enter the following configuration items: 

interface Bundle-Ether100.1
 ipv4 point-to-point
 ipv4 unnumbered Loopback2000
 ! service-policy type control subscriber IP_PM   (applied later, in section 5, because the control policy still has to be changed)
 encapsulation dot1q 10
 ipsubscriber ipv4 l2-connected
  initiator dhcp
 !
!

Solution Explanation and Clarification 

Creates a bundle sub-interface (access-interface) and specifies DHCP as the trigger to create new sessions. 

The access interface needs an IP address in order to accept IPv4 packets (the DHCP discover), but it can be any address. In the example the access interface shares the address that IP subscriber sessions get by default (via IPSUB_TPL). "ipv4 point-to-point" is required when the interface is made unnumbered to a loopback interface.

3.3       Setup Subscriber Access for PPPoE Subscribers 

Steps to Complete Task 

Step 1.        Enter the following configuration items to configure the Broadband Access group for PPP subscribers: 

pppoe bba-group NAME

service selection disable

!

Solution Explanation and Clarification 

The bba-group can match on services signaled in the PPPoE service-tag or service selection can be disabled.  Today we don’t do much with the service-tag except for matching.  This will be extended with more comprehensive features, such as Smart Server Selection, PADO delays etc. 

Step 2.        Define the control policy directive that will handle PPP session establishment. 

class-map type control subscriber match-any PPP
 match protocol ppp
end-class-map
!
policy-map type control subscriber PPP_PM
 event session-start match-first
  class type control subscriber PPP do-until-failure
   10 activate dynamic-template PPP_TPL
  !
 !
end-policy-map

Solution Explanation and Clarification 

The anatomy of a control policy is such that we have an event (e.g.: session-start), for which we evaluate one or more classes, and then a list of actions to be executed. Classes allow us to have a single control policy, while still defining different actions for the same event type.  The configured class matches on PPP sessions specifically. 

The “PPP_TPL” dynamic-template, configured earlier, is applied to PPP subscribers when the session is initiated.  It typically includes information that is used during LCP phase. 

In addition to dynamic-template activation, another common action implemented during session-start event is pre-authentication based on pppoe tags (authorization). 

Step 3.        Configure the terminating interface for PPP subscribers.  Enter the following configuration items: 

interface Bundle-Ether100.11
 ! service-policy type control subscriber PPP_PM   (applied later, in section 5, because the control policy still has to be changed)
 pppoe enable bba-group NAME
 encapsulation dot1q 1
!

Solution Explanation and Clarification 

This step assigns the bba-group to the access interface facing the PPPoE subscribers.


4.0         Configure Subscriber Authentication 


Exercise Description 

Configures subscriber authentication for PPP and IPoE subscribers. 

4.1       Enable Authentication for IPoE Subscribers 

Steps to Complete Task 

Step 1.        Enter the following configuration items: 

policy-map type control subscriber IP_PM
 event session-start match-first
  class type control subscriber DHCP do-until-failure
   10 authorize aaa list default format MY_AUTH password cisco
  !
 !
end-policy-map

Solution Explanation and Clarification 

The authorize statement at session-start authorizes the session with RADIUS using a username constructed from the MAC address, circuit ID and remote ID as defined in the MY_AUTH format.

Note: if one or more of those components is unavailable, the corresponding field of the username is left empty.
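How the username of the authorize step is derived from the subscriber's DHCP discover, and how the proxy options of section 3.1 decide whether a client-supplied option 82 is accepted, as an added Python example (not from the article and not IOS-XR code). The DHCPDISCOVER is constructed inline using the MAC address from the session output later on the page; the relay decision is a simplified model of "relay information option", "policy keep" and "allow-untrusted" (the RFC 3046 default is to drop option 82 received with giaddr 0), and the dotted-hex MAC rendering in the username is an assumption.

```python
import socket
import struct

# Added example (not from the article, not IOS-XR code). Builds a DHCPDISCOVER
# as a subscriber would send it, parses option 82 out of it, models the relay
# decision behind "relay information option / policy keep / allow-untrusted",
# and composes the MY_AUTH username of section 2.1.

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
MAC = bytes.fromhex("00050034281a")      # client MAC from the session output on this page


def build_discover(mac, circuit_id=None, remote_id=None, giaddr="0.0.0.0", xid=0x1234):
    """Constructed DHCPDISCOVER (not a capture). Option 82 is included only when
    sub-options are supplied, i.e. when the client or a DSLAM put it there."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), socket.inet_aton(giaddr),
                        mac + bytes(10), bytes(64), bytes(128))
    opts = bytes([OPT_MSG_TYPE, 1, 1])                       # message type DISCOVER
    subs = b""
    if circuit_id is not None:
        subs += bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        subs += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    if subs:
        opts += bytes([OPT_RELAY_AGENT, len(subs)]) + subs
    return fixed + DHCP_MAGIC + opts + bytes([OPT_END])


def parse_dhcp(pkt):
    """Return (giaddr, chaddr, options). Option 82 is expanded into a dict of its
    sub-options; lengths are checked so a truncated packet raises."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    giaddr = socket.inet_ntoa(pkt[24:28])
    chaddr = pkt[28:28 + pkt[2]]
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                                       # pad option
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option")
        tag, length = pkt[i], pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if tag == OPT_RELAY_AGENT:
            subs, j = {}, 0
            while j + 2 <= len(value):
                subs[value[j]] = value[j + 2:j + 2 + value[j + 1]]
                j += 2 + value[j + 1]
            value = subs
        opts[tag] = value
        i += 2 + length
    return giaddr, chaddr, opts


def relay_decision(pkt, allow_untrusted, keep, own_circuit_id, own_remote_id):
    """Simplified model of the proxy profile options (an assumption about the
    behaviour, not IOS-XR code). Returns ('drop', None) or
    ('forward', option82_as_sent_to_the_server)."""
    giaddr, _, opts = parse_dhcp(pkt)
    client_o82 = opts.get(OPT_RELAY_AGENT)
    if client_o82 and giaddr == "0.0.0.0" and not allow_untrusted:
        return "drop", None   # RFC 3046 2.1.1: option 82 with giaddr 0 is not trusted
    if client_o82 and keep:
        return "forward", client_o82              # "relay information policy keep"
    return "forward", {SUB_CIRCUIT_ID: own_circuit_id, SUB_REMOTE_ID: own_remote_id}


def my_auth_username(chaddr, option82, separator="#"):
    """'mac-address plus circuit-id plus remote-id separator #'. A missing component
    is left empty, as the note above says. Dotted-hex MAC rendering is an assumption."""
    h = chaddr.hex()
    mac = ".".join(h[k:k + 4] for k in range(0, len(h), 4))
    cid = option82.get(SUB_CIRCUIT_ID, b"").decode("latin-1")
    rid = option82.get(SUB_REMOTE_ID, b"").decode("latin-1")
    return separator.join((mac, cid, rid))


if __name__ == "__main__":
    # A subscriber forging option 82, claiming DSLAM port GigE0/2.1 / remote-id POD1:
    forged = build_discover(MAC, circuit_id=b"GigE0/2.1", remote_id=b"POD1")
    for allow in (False, True):
        action, o82 = relay_decision(forged, allow, True, b"\x00\x04\x00\x65\x00\x01", b"bng-inserted")
        user = my_auth_username(MAC, o82) if o82 else None
        print(f"allow-untrusted={allow}: {action}, username={user}")
```

With allow-untrusted off the forged discover is dropped; with it on and policy keep, the username handed to RADIUS is "0005.0034.281a#GigE0/2.1#POD1", entirely under the subscriber's control. Whether that is acceptable depends on whether the DSLAM between the subscriber and the BNG overwrites option 82 on every client packet.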

Task Verification 

RP/0/RSP0/CPU0:BNG_POD_1#show policy-map type control subscriber pmap-name  IP_PM

Thu Oct  6 19:38:23.038 UTC

policy-map type control subscriber IP_PM

event session-start match-first

  class type control subscriber DHCP do-until-failure

   5 activate dynamic-template IPSUB_TPL

   10 authorize aaa list default format MY_AUTH password cisco

  !

!

end-policy-map

4.2       Enable Authentication for PPPoE Subscribers 

Steps to Complete Task 

Step 1.        Enter the following configuration items: 

policy-map type control subscriber PPP_PM
 event session-activate match-first
  class type control subscriber PPP do-until-failure
   10 authenticate aaa list default
  !
 !
end-policy-map

Solution Explanation and Clarification 

Session-activate event (triggered when PPP LCP opens) is used to authenticate the subscriber with RADIUS, using ppp username and password derived from the ppp authentication stage. 
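What happens between the CPE, the BNG and RADIUS at session-activate with CHAP, as an added Python example (not from the article and not Cisco code): the CHAP response is MD5(identifier || secret || challenge) per RFC 1994, and the BNG forwards it in the RADIUS CHAP-Password attribute so the server can recompute it from the stored cleartext password, which is why the RADIUS profile in section 1.3 uses Cleartext-Password. Function names and the user database are this example's own.

```python
import hashlib
import hmac
import os

# Added example (not from the article, not Cisco code): the CHAP exchange that
# "authenticate aaa list default" at session-activate relies on, and the check
# the RADIUS server performs with the stored cleartext password.

CHAP_PASSWORD, CHAP_CHALLENGE = 3, 60      # RADIUS attribute numbers (RFC 2865 / RFC 2869)


def chap_response(ident, secret, challenge):
    """RFC 1994 section 4: Response Value = MD5(Identifier || secret || Challenge).
    Computed on the CPE with the subscriber's secret; the secret never crosses the link."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_password_attr(ident, response):
    """Value of the RADIUS CHAP-Password attribute: 1-byte CHAP Ident followed by
    the 16-byte response. This is all the BNG can forward to the server."""
    if len(response) != 16:
        raise ValueError("CHAP response must be 16 bytes")
    return bytes([ident]) + response


def radius_verify_chap(cleartext_password, chap_password, challenge):
    """Server side: recompute the response from the cleartext password and compare
    in constant time. Without the cleartext password this check is impossible."""
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, cleartext_password, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(username, cpe_secret, user_db, ident=1, challenge=None):
    """BNG picks a fresh random challenge, the CPE answers, the BNG forwards
    User-Name + CHAP-Password + CHAP-Challenge, RADIUS verifies.
    Returns True when the server would answer Access-Accept."""
    challenge = challenge if challenge is not None else os.urandom(16)
    response = chap_response(ident, cpe_secret, challenge)          # on the CPE
    access_request = {1: username.encode(),                         # built by the BNG
                      CHAP_PASSWORD: chap_password_attr(ident, response),
                      CHAP_CHALLENGE: challenge}
    stored = user_db.get(access_request[1].decode())                # on the RADIUS server
    if stored is None:
        return False
    return radius_verify_chap(stored, access_request[CHAP_PASSWORD], access_request[CHAP_CHALLENGE])


USER_DB = {"pod1": b"cisco", "myuser": b"cisco"}   # constructed; mirrors the users-file entry above

if __name__ == "__main__":
    print("pod1 / cisco :", chap_exchange("pod1", b"cisco", USER_DB))
    print("pod1 / wrong :", chap_exchange("pod1", b"wrong", USER_DB))
    print("unknown user :", chap_exchange("nobody", b"cisco", USER_DB))
```

The trade-off is worth stating: CHAP keeps the password off the access link and a captured response is useless against a fresh challenge, but the RADIUS server must hold the password in cleartext (or reversibly), and MD5 is fast enough that a captured challenge/response pair can be brute-forced offline. PAP is the reverse. Neither removes the need to protect the BNG-to-RADIUS path itself.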

Task Verification 

RP/0/RSP0/CPU0:BNG_POD_1#show policy-map type control subscriber pmap-name PPP_PM

Thu Oct  6 19:21:40.222 UTC

policy-map type control subscriber BNG_ctrl_pm

event session-start match-first

  class type control subscriber PPP do-until-failure

   10 activate dynamic-template PPP_TPL

  !

!

event session-activate match-first

  class type control subscriber PPP do-until-failure

   10 authenticate aaa list default

  !

!

end-policy-map

NOTE: When a control policy is attached to an interface, it can't be modified in place (yet). You need to detach the control policy, which disconnects the sessions, and then you can reconfigure it.


5.0         Apply Control Policy to Access Interface 


Exercise Description 

This task will apply the control-policy to the access-interface and finalize the configuration for IPoE and PPPoE subscribers. 

5.1       Apply the Control Policy for IP Sessions 

Steps to Complete Task 

Step 1.        Enter the following configuration items: 

interface Bundle-Ether100.1

service-policy type control subscriber IP_PM

5.2       Apply the Control Policy for PPP Sessions 

Steps to Complete Task 

Step 1.        Enter the following configuration items 

interface bundle-ether100.11

service-policy type control subscriber PPP_PM

6.0         Exercise Verification Tasks 


6.1       Verify PPP session establishment 

Steps to Complete Task 

Step 1.        On the CPE, run the "test pppoe 1 1 <interface>" command (for example: gigabitEthernet 0/2.15).

Step 2.        On the CPE: "show ppp sessions".

Step 3.        On the BNG: "show subscriber session all" and "show subscriber session all detail".

-   Note that a subscriber session is handled as a regular interface.

RP/0/RSP0/CPU0:BNG_POD_1#sh subscriber session all       

Fri Oct  7 06:22:34.724 UTC

Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,

       ID - Idle, DN - Disconnecting, ED - End

Type         Interface                State     Subscriber-IP       

                                                LNS Address:Vrf     

-------------------------------------------------------------------------

PPPoE:PTA    BE100.11.pppoe30           AC        199.1.1.11:default   

-   Note the Remote ID being collected, the ALE and IWF tags, the IP address and the control-policy actions being executed.

RP/0/RSP0/CPU0:BNG_POD_1#sh subscriber session all detail

Fri Oct  7 06:25:19.531 UTC

Interface:                Bundle-Ether1.11.pppoe30

Circuit ID:               Unknown

Remote ID:                POD1

Type:                     PPPoE:PTA

IP Address:               199.1.1.11, VRF: default

Mac Address:              0005.0034.281a

Account-Session Id:       000000c3

Nas-Port:                 Unknown

Username:                 pod1

Subscriber Label:         0x000000c3

Created:                  Fri Oct  7 03:46:33 2011

State:                    Activated

Access-interface:         Bundle-Ether1.11

Policy Executed:

policy-map type control subscriber PPP_PM

  event Session-Start match-first [at Fri Oct  7 03:46:33 2011]

    class type control subscriber PPP do-until-failure [Succeeded]

      10 activate dynamic-template PPP_TPL [Succeeded]

  event Session-Activate match-first [at Fri Oct  7 03:46:36 2011]

    class type control subscriber PPP do-until-failure [Succeeded]

      10 authenticate aaa list default [Succeeded]

Session Accounting: disabled

User Profile Attribute List: 0x500bde14

1:  service-type    len=  4  svc<0> prot<0> tag<0> mand<0> client<0x0>NAS Prompt

2:  access-loop-encapsulation len=  3  01 02 03

3:  interworking-functionality-tag len=  1 

True

Step 4.        On the BNG: “show pppoe interface” and “show ppp interface” 

-   Note again the tags that were collected (PPPoE output) and the various states of the PPP connection (PPP output).

RP/0/RSP0/CPU0:BNG_POD_1#show pppoe interfaces

Fri Oct  7 06:28:56.879 UTC

Bundle-Ether1.11.pppoe30 is Complete

  Session id: 30

  Parent interface: Bundle-Ether1.11

  BBA-Group: pod1

  Local MAC address: 0026.982f.2d53

  Remote MAC address: 0005.0034.281a

  Outer VLAN ID: 11

  Tags:

    Service name:

    Max Payload: 1500

    IWF

    Remote ID: POD1

    ALE Data Link: Ethernet (0x01)

    ALE Encaps 1: Single-Tagged Ethernet (0x02)

    ALE Encaps 2: IPoA LLC (0x03)

RP/0/RSP0/CPU0:BNG_POD_1#show ppp interfaces  

Fri Oct  7 06:29:02.987 UTC

Bundle-Ether1.11.pppoe30 is up, line protocol is up

  LCP: Open

     Keepalives enabled (60 sec, retry count 5)

     Local MRU: 1500 bytes

     Peer  MRU: 1500 bytes

  Authentication

     Of Peer: CHAP (Completed as pod1)

     Of Us:   <None>

  IPCP: Open

     Local IPv4 address: 101.101.1.1

     Peer IPv4 address:  199.1.1.11   

Step 5.        On the BNG: PPP and PPPoE statistics:

RP/0/RSP0/CPU0:BNG_POD_1#show pppoe statistics access-interface Bundle-Ether1.11

Fri Oct  7 06:32:07.804 UTC

Packets                     Sent        Received         Dropped

----------------------------------------------------------------

PADI                           0              10               0

PADO                          10               0               0

PADR                           0              10               0

PADS (success)                10               0               0

PADS (error)                   0               0               0

PADT                           9               0               0

Session-stage                  0               0               0

Other                          0               0               0

                           -----           -----           -----

TOTAL                         29              20               0

RP/0/RSP0/CPU0:BNG_POD_1#show ppp statistics interface Bundle-Ether1.11.pppoe30

Fri Oct  7 06:34:17.333 UTC

Bundle-Ether1.11.pppoe30

  LCP

    Packets                     Sent        Received

    Conf-Req                       2               2

    Conf-Ack                       2               1

    Conf-Nak                       0               0

    Conf-Rej                       0               0

    Echo-Req                     169            1003

    Echo-Rep                    1003             169

    Disc-Req                       0               0

    Line state brought up: 1

    Keepalive Link Failures: 0

  Authentication

    Packets                     Sent        Received

    PAP

      Request                      0               0

      Ack                          0               0

      Nak                          0               0

    (MS-)CHAP

      Challenge                    1               0

      Response                     0               1

      Rep Success                  1               0

      Rep Fail                     0               0

    AAA authentication timeouts: 0

  IPCP

    Packets                     Sent        Received

    Conf-Req                       1               2

    Conf-Ack                       1               1

    Conf-Nak                       1               0

    Conf-Rej                       0               0

6.2       Verify IPoE session establishment 

Steps to Complete Task 

Step 1.        On the CPE, "no shut" the interface gi0/2.<subif> (for example: interface gi0/2.1).

Step 2.        On the CPE: "show ip interface brief" to verify that an address has been assigned.

Step 3.        On the BNG check DHCP bindings. 

RP/0/RSP0/CPU0:BNG_POD_1#sh dhcp ipv4 proxy binding

Fri Oct  7 06:44:34.473 UTC

                                           Lease                                     

MAC Address      IP Address      State    Remaining       Interface          VRF      Sublabel

--------------  --------------  ---------  ---------  -------------------  ---------  ----------

0005.0034.281a  172.20.1.16     BOUND      75979      BE1.1                default    0x45     

RP/0/RSP0/CPU0:BNG_POD_1#sh dhcp ipv4 proxy binding detail

Fri Oct  7 06:44:37.543 UTC

MAC Address:                0005.0034.281a

VRF:                        default

server VRF:                 default

IP Address:                 172.20.1.16

Giaddr from client:         0.0.0.0

Giaddr to server:           172.20.1.254

Server IP Address:          10.100.1.1

Server IP Address to client 172.20.1.254

ReceivedCircuit ID:         -

InsertedCircuit ID:         0x00-04-00-65-00-01

ReceivedRemote ID:          -

InsertedRemote ID:          0x00-06-00-26-98-2f-5b-20

Profile:                    DEFAULT

State:                      BOUND

Lease:                      86400 secs (1d00h)

Remaining:                  75976 secs (21:06:16)

Client ID:                  0x00-0x43-0x50-0x45-0x5F-0x50-0x4F-0x44-0x31

Access Interface:           Bundle-Ether1.1

Access VRF:                 default

Subscriber Label:           0x45

6.3       BNG Show Activity 

On the BNG: "show subscriber session all" and "show subscriber session all detail"

-   Note that a subscriber session is handled as a regular interface.

-   Note the Circuit ID / Remote ID.

-   Note the actions executed on the session, and that authorization failed (the subscriber is not authenticated).

RP/0/RSP0/CPU0:BNG_POD_1#sh subscriber session all                 

Fri Oct  7 06:38:09.011 UTC

Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,

       ID - Idle, DN - Disconnecting, ED - End

Type         Interface                State     Subscriber-IP       

                                                LNS Address:Vrf   

-------------------------------------------------------------------------

IP:DHCP      BE1.1.ip7                AC        172.20.1.16:default  

    Important:  Note the Account-Session Id number.  You will use this later.  

RP/0/RSP0/CPU0:BNG_POD_1#sh subscriber session all detail

Fri Oct  7 06:38:12.277 UTC

Interface:                Bundle-Ether1.1.ip7

Circuit ID:               GigE0/2.1

Remote ID:                POD1

Type:                     IP: DHCP-trigger

IP Address:               172.20.1.16, VRF: default

Mac Address:              0005.0034.281a

Account-Session Id:       00000045

Nas-Port:                 Unknown

Username:                 unknown

Subscriber Label:         0x00000045

Created:                  Fri Oct  7 03:50:45 2011

State:                    Activated

Access-interface:         Bundle-Ether1.1

Policy Executed:

policy-map type control subscriber IP_PM

  event Session-Start match-first [at Fri Oct  7 03:50:45 2011]

    class type control subscriber DHCP do-until-failure [Succeeded]

      5 activate dynamic-template IPSUB_TPL [Succeeded]

      10 authorize aaa list default [Failed]

Session Accounting: disabled

RP/0/RSP0/CPU0:BNG_POD_1#sh ipsubscriber interface Bundle-eth1.1.ip7

Fri Oct  7 06:42:28.786 UTC

Interface: Bundle-Ether1.1.ip7

  Type: L2-connected

  Ifhandle: 0x8000be0

  Access Interface: Bundle-Ether1.1 (0x8000160)

  Subscriber IP: 172.20.1.16, MAC: 0005.0034.281a

  Subscriber Label: 0x45

  Initiator: DHCP

  Created: Oct  7 03:50:53 (age 02:51:36)

  VRF: default (0x60000000), Table: default (0xe0000000)

  State: Up(9) (old: Adjacency added(8))

  Last state change: Oct  7 03:50:53 (02:51:36 in current state)

Solution Explanation and Clarification 

During session initiation, authorization fails as shown above.  Because of this, the restrictive ACL (IPSUB_FAIL_ACL) is applied to the session. 

Check the restrictive ACL by pinging the following addresses: 

o    (e.g. 11.11.11.11)   It should not be reachable since the restrictive ACL is applied. 

However, the session is up and does allow one address to be reachable.  In a real-world application this may be something like a web portal where users can log in.  To test this, ping the following address: 

o    (e.g. 11.11.11.100)   It should be reachable because the restrictive ACL allows this single address. 
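As an added example (not part of the original guide or Cisco's tooling), the following Python script parses "show subscriber session all detail" output in the layout shown above and lists the sessions whose authorize step failed, together with the Account-Session Id you need for the CoA later on. The sample output is constructed: it is the session above plus a made-up second session (ip8, 00000046) that authorized successfully.

```python
# Added example (not from the page or Cisco): parses "show subscriber session all detail"
# output in the layout shown above and lists sessions whose authorize step failed, i.e.
# subscribers behind the restrictive ACL, with the Account-Session Id a CoA needs.
import re

# Constructed sample: the page's session plus a made-up second session (ip8, 00000046)
# whose authorization succeeded.
SAMPLE = """\
Interface:                Bundle-Ether1.1.ip7
Type:                     IP: DHCP-trigger
IP Address:               172.20.1.16, VRF: default
Account-Session Id:       00000045
Username:                 unknown
State:                    Activated
Policy Executed:
policy-map type control subscriber IP_PM
  event Session-Start match-first [at Fri Oct  7 03:50:45 2011]
    class type control subscriber DHCP do-until-failure [Succeeded]
      5 activate dynamic-template IPSUB_TPL [Succeeded]
      10 authorize aaa list default [Failed]
Session Accounting: disabled

Interface:                Bundle-Ether1.1.ip8
Account-Session Id:       00000046
Username:                 ipsub
State:                    Activated
Policy Executed:
policy-map type control subscriber IP_PM
  event Session-Start match-first [at Fri Oct  7 03:51:02 2011]
    class type control subscriber DHCP do-until-failure [Succeeded]
      5 activate dynamic-template IPSUB_TPL [Succeeded]
      10 authorize aaa list default [Succeeded]
Session Accounting: disabled
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z -]*?):\s*(.*)$")    # top-level "Key: value" lines
ACTION = re.compile(r"^\s+(\d+)\s+(\w+)\s+(.*?)\s*\[(Succeeded|Failed)\]\s*$")

def parse_sessions(text):
    """One dict per session: the 'Key: value' fields plus 'actions' = [(seq, action, result)]."""
    sessions, cur = [], None
    for line in text.splitlines():
        if line.startswith("Interface:"):          # each session block starts with Interface:
            cur = {"actions": []}
            sessions.append(cur)
        if cur is None:
            continue
        m = ACTION.match(line)                     # indented "10 authorize aaa list default [Failed]"
        if m:
            cur["actions"].append((int(m.group(1)), m.group(2), m.group(4)))
            continue
        m = FIELD.match(line)
        if m:
            cur[m.group(1)] = m.group(2)
    return sessions

def unauthorized_sessions(sessions):
    """(interface, Account-Session Id) for sessions where authorize/authenticate failed."""
    out = []
    for s in sessions:
        if any(act in ("authorize", "authenticate") and res == "Failed"
               for _, act, res in s["actions"]):
            out.append((s.get("Interface"), s.get("Account-Session Id")))
    return out
```

Feed it the real command output captured from the BNG and it returns the unauthenticated sessions still sitting behind IPSUB_FAIL_ACL.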

6.4       Verify Web Logon for IP subscribers 

Steps to Complete Task 

Step 1.        Log on to the RADIUS server and initiate the web logon. 

Step 2.        From the command prompt, use the command “coa_w32 -f login.cfg -n 192.168.100.10<pod> -1 44,<session_id> -4 1,podip<pod>”  (the session ID is the Account-Session-Id collected earlier). 

Step 3.        Ping (e.g. 11.11.11.11)   It should now be reachable since the (PERM_ALL) ACL is applied.

Task Verification 

6.5       Verify parameterized QoS for IP Subscribers 

Steps to Complete Task 

Step 1.        Verify that QoS is not enabled on the subscriber interface.

o   show policy-map interface <subscriber-interface>

Step 2.        Log into the RADIUS server and initiate the QoS update for the VOIP class.

Step 3.        Use the command “coa_w32 -f voip.cfg -1 44,<session id> -n 192.168.100.10”

Step 4.        Verify that QoS is enabled on the subscriber interface and that class VOIP is configured:

o    show policy-map interface <subscriber-interface>

RP/0/RSP0/CPU0:BNG_POD_1#sho policy-map interface Bundle-Ether1.1.ip24

Mon Oct 10 15:10:30.465 UTC

Bundle-Ether1.1.ip24 direction input: Service Policy not installed

Bundle-Ether1.1.ip24 output: sub_fffffffb24ffffff8cfffffff8

Class class-default

  Classification statistics          (packets/bytes)     (rate - kbps)

    Matched             :                   0/0                    0

    Transmitted         :                   0/0                    0

    Total Dropped       :                   0/0                    0

    Policy sub_fffffffb24ffffff8cfffffff8_child1 Class VOIP

      Classification statistics          (packets/bytes)     (rate - kbps)

        Matched             :                   0/0                    0

        Transmitted         :                   0/0                    0

        Total Dropped       :                   0/0                    0

      Policing statistics                (packets/bytes)     (rate - kbps)

        Policed(conform)    :                   0/0                    0

        Policed(exceed)     :                   0/0                    0

        Policed(violate)    :                   0/0                    0

        Policed and dropped :                   0/0                 

        Policed and dropped(parent policer)  : N/A

      Queueing statistics

        Queue ID                             : 16

        High watermark  (Unknown)           

        Inst-queue-len  (packets)            : 0

        Avg-queue-len   (Unknown)           

        Taildropped(packets/bytes)           : 0/0

        Queue(conform)      :                   0/0                    0

        Queue(exceed)       :                   0/0                    0

        RED random drops(packets/bytes)      : 0/0

    Policy sub_fffffffb24ffffff8cfffffff8_child1 Class class-default

      Classification statistics          (packets/bytes)     (rate - kbps)

        Matched             :                   0/0                    0

        Transmitted         :                   0/0                    0

        Total Dropped       :                   0/0                    0

      Queueing statistics

        Queue ID                             : 18

        High watermark  (Unknown)           

        Inst-queue-len  (packets)            : 0

        Avg-queue-len   (Unknown)           

        Taildropped(packets/bytes)           : 0/0

        Queue(conform)      :                   0/0                    0

        Queue(exceed)       :                   0/0                    0

        RED random drops(packets/bytes)      : 0/0

6.6       Initiate QoS update for VIDEO class. 

Steps to Complete Task 

Step 1.        Use command “coa_w32 -f video.cfg -1 44,<session id> -n 192.168.100.10<pod>”

Step 2.        Verify that QoS is enabled on the subscriber interface and class VIDEO is configured

o   show policy-map interface <subscriber-interface> 

RP/0/RSP0/CPU0:BNG_POD_1#sho policy-map interface Bundle-Ether1.1.ip24

Mon Oct 10 15:12:44.260 UTC

Bundle-Ether1.1.ip24 direction input: Service Policy not installed

Bundle-Ether1.1.ip24 output: sub_fffffffb24ffffff8cfffffff8

Class class-default

  Classification statistics          (packets/bytes)     (rate - kbps)

    Matched             :                   0/0                    0

    Transmitted         :                   0/0                    0

    Total Dropped       :                   0/0                    0

    Policy sub_fffffffb24ffffff8cfffffff8_child1 Class VOIP

      Classification statistics          (packets/bytes)     (rate - kbps)

        Matched             :                   0/0                    0

        Transmitted         :                   0/0                    0

        Total Dropped       :                   0/0                    0

      Policing statistics                (packets/bytes)     (rate - kbps)

        Policed(conform)    :                   0/0                    0

        Policed(exceed)     :                   0/0                    0

        Policed(violate)    :                   0/0                    0

        Policed and dropped :                   0/0                 

        Policed and dropped(parent policer)  : N/A

      Queueing statistics

        Queue ID                             : 16

        High watermark  (Unknown)           

        Inst-queue-len  (packets)            : 0

        Avg-queue-len   (Unknown)           

        Taildropped(packets/bytes)           : 0/0

        Queue(conform)      :                   0/0                    0

        Queue(exceed)       :                   0/0                    0

        RED random drops(packets/bytes)      : 0/0

    Policy sub_fffffffb24ffffff8cfffffff8_child1 Class class-default

      Classification statistics          (packets/bytes)     (rate - kbps)

        Matched             :                   0/0                    0

        Transmitted         :                   0/0                    0

        Total Dropped       :                   0/0                    0

      Queueing statistics

        Queue ID                             : 18

        High watermark  (Unknown)           

        Inst-queue-len  (packets)            : 0

        Avg-queue-len   (Unknown)           

        Taildropped(packets/bytes)           : 0/0

        Queue(conform)      :                   0/0                    0

        Queue(exceed)       :                   0/0                    0

        RED random drops(packets/bytes)      : 0/0


Review Questions 


Q1:      Does the event session-activate apply to DHCP sessions?  

Q2:      What event is triggered upon reception of a PADI? 

Q3:      When is the event session-activate triggered? 

Q4:      Can an IP address pool for PPPoE include .0 addresses? 

Q5:      What about .0 addresses for DHCP clients? 

Q6:      How does the 9k load balance subscriber traffic over a bundle? 

Q7:      And can I change that? 

Q8:      How do I advertise my subscriber addresses for PPPoE and DHCP? 

Q9:      Does an interface require an ip address for PPPoE sessions? 

Q10:    And for DHCP Sessions? 

Q11:    Answer why for Q9 and Q10 

Q12:    When doing Parameterized QOS, what needs to be preconfigured in XR? 

Q13:     Why can the giAddr be zero in some cases and how does XR deal with that? 

Q14:    What is the difference between an Authorize and Authenticate statement in a control policy? 

Q15:    Can I activate dynamic templates multiple times? 

Q16:    And if the templates are different? 

Q17:    What will happen with the configuration of the subscriber? 

Q18:    Can I use pQOS on bundle interfaces or phy interfaces or both? 



Appendix 


PPPoE client configuration IOS:

bba-group pppoe a9k

virtual-template 21

!

interface Virtual-Template21

ip address negotiated

ppp chap hostname test

ppp chap password 0 cisco

!

interface FastEthernet2/0.100

encapsulation dot1Q 100

pppoe enable group a9k

!

!start session:

test pppoe 1 1 fa 2/0.100

Sending tags with an IOS client

bba-group pppoe tagtest

virtual-template 20

service profile test

test vendor-tag remote-id string "XTH_TEST"

test vendor-tag 0x0090 010203

test tag 0x0001 1234567890

test vendor-tag 0x00FE

test tag 0x0120 05DC

test tag 0x0082 123405

test vendor-tag 0x0082 123405

Starting a pppoe session from an IOS client (Note: the above needs “service internal” to configure):

Router# test pppoe 1 1 fa 2/0.100

This will start 1 session at 1 cps from FastEthernet 2/0.100; if the associated bba-group has tags in place, they are automatically inherited in the PADI transmission.

DHCP client configuration IOS:

interface GigabitEthernet0/1.1

encapsulation dot1Q 2

ip dhcp client client-id ascii CPE_POD1

ip dhcp client class-id CPE_7200

ip dhcp client circuit-id GigE0/1.1

ip dhcp client remote-id POD1

ip address dhcp

The DHCP client session is automatically started when the (sub)interface is brought up.

IOS Switch configuration:

interface GigabitEthernet0/1

description A9k-BNG g0/0/0/19

switchport trunk encapsulation dot1q

switchport mode trunk

speed nonegotiate

channel-group 1 mode active

!

interface GigabitEthernet0/2

description A9K-BNG->G0/1/0/19

switchport trunk encapsulation dot1q

switchport mode trunk

speed nonegotiate

channel-group 1 mode active

!

interface Port-channel1

switchport trunk encapsulation dot1q

switchport mode trunk

speed nonegotiate

!

interface FastEthernet0/1

description Access Port

switchport access vlan 10

switchport mode access

spanning-tree portfast


CoA:

To set up CoA:

Download the tool from this guide: https://supportforums.cisco.com/docs/DOC-16677

Sample profiles are also available at that link.

A few quick profiles:

Account-Logon:

ip-address=3.0.0.244                                 <- change the address to your BNG management interface
secret=cisco                                         <- secret defined in the dynamic-author configuration
destport=1700                                        <- port definition (1700 is the default)
attribute2=26,9,1,subscriber:command=account-logon   <- VSA for the account-logon command
attribute3=26,9,1,subscriber:password=cisco          <- password to use towards RADIUS
attribute4=1,ipsub                                   <- username to use towards RADIUS
timeout=1                                            <- timeout waiting for a response (in the tool)
END                                                  <- end identifier of the CoA profile

Parameterized QOS:

ip-address=3.0.0.244
secret=cisco
destport=1700
attribute2=26,9,1,subscriber:command=account-update
attribute3=26,9,1,ip:qos-policy-out=add-class(sub,(class-default), shape(200))
attribute4=26,9,1,ip:qos-policy-out=add-class(sub,(class-default, 3play-voip), pri-level(1), police(128,8))
timeout=1
END

Change the shape value (200 above) to reflect the parent shape rate on the session.

Adding a VIDEO class:

ip-address=3.0.0.244

secret=cisco

destport=1700

attribute2=26,9,1,subscriber:command=account-update

attribute3=26,9,1,ip:qos-policy-out=add-class(sub,(class-default, VIDEO), bw-abs(2048))

timeout=1

END

Removing a video class:

ip-address=3.0.0.244

secret=cisco

destport=1700

attribute2=26,9,1,subscriber:command=account-update

attribute3=26,9,1,ip:qos-policy-out=remove-class(sub,(class-default, VIDEO), bw-abs(2048))

timeout=1

END

Sending a COA command:

sw-lab-fw:32> coa -f coaqos -1 44,000000ea

CoA Client (version 2.2),(c) May-2009,

xander thuijs CCIE#6775 Cisco Systems Int.

End detected!

Using COA with :

NAS: 30000f4

Port: 1700

Secret: cisco

Timeout: 1 (0 means indefinite wait)

CoA: Request was accepted! (ID 2)

Reply message: '000000ea'

In the command above, the -f argument (coaqos) is the CoA profile filename, the text file with the CoA commands, and the value after -1 44, (000000ea) is the accounting session ID that you can find in the “show subscriber session all detail” output (keep the 0 prefix intact; it needs to be 8 characters).

If all goes well, an accepted or denied response is given.
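As an added example that is neither the coa tool nor Cisco code, the following Python builds the RADIUS CoA-Request (RFC 5176) that the Parameterized QOS profile above describes, the way the "coa -f coaqos -1 44,000000ea" command does, and verifies the BNG's CoA-ACK/NAK against the request authenticator and the shared secret. The address and secret are the lab values from the profile; the function names and the simulated BNG reply are my own.

```python
# Added example (not the page's coa_w32 tool nor Cisco code): encodes a profile in the
# page's key=value format into a RADIUS CoA-Request and checks the BNG's ACK/NAK.
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ACCT_SESSION_ID, VENDOR_SPECIFIC = 44, 26

# Constructed input: the page's "Parameterized QOS" profile (lab address and secret).
PQOS_PROFILE = """\
ip-address=3.0.0.244
secret=cisco
destport=1700
attribute2=26,9,1,subscriber:command=account-update
attribute3=26,9,1,ip:qos-policy-out=add-class(sub,(class-default), shape(200))
attribute4=26,9,1,ip:qos-policy-out=add-class(sub,(class-default, 3play-voip), pri-level(1), police(128,8))
timeout=1
END
"""

def parse_profile(text):
    """Settings as keys plus 'attrs': a list of (type, vendor, subtype, value)."""
    prof = {"attrs": []}
    for line in text.splitlines():
        key, _, val = line.strip().partition("=")
        if not key or key == "END":
            continue
        if key.startswith("attribute"):
            typ, _, rest = val.partition(",")
            if int(typ) == VENDOR_SPECIFIC:  # "26,9,1,<value>": vendor 9 (Cisco), subtype 1
                vendor, sub, value = rest.split(",", 2)
                prof["attrs"].append((VENDOR_SPECIFIC, int(vendor), int(sub), value))
            else:                            # e.g. "1,ipsub": plain User-Name attribute
                prof["attrs"].append((int(typ), None, None, rest))
        else:
            prof[key] = val
    return prof

def encode_attr(typ, value, vendor=None, subtype=None):
    """RADIUS TLV; a VSA wraps vendor-id(4) subtype(1) sublen(1) value inside type 26."""
    data = value.encode()
    if vendor is not None:
        data = struct.pack("!IBB", vendor, subtype, len(data) + 2) + data
        typ = VENDOR_SPECIFIC
    return struct.pack("!BB", typ, len(data) + 2) + data

def build_coa_request(profile, session_id, ident):
    """CoA-Request for one session; the tool's "-1 44,<id>" option is Acct-Session-Id."""
    attrs = encode_attr(ACCT_SESSION_ID, session_id)
    for typ, vendor, sub, value in profile["attrs"]:
        attrs += encode_attr(typ, value, vendor, sub)
    head = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # RFC 5176: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    auth = hashlib.md5(head + bytes(16) + attrs + profile["secret"].encode()).digest()
    return head + auth + attrs

def simulate_bng_reply(request, code, secret):
    """The ACK/NAK a BNG returns for `request` (no attributes); here only for offline tests."""
    head = struct.pack("!BBH", code, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret.encode()).digest()

def verify_reply(request, reply, secret):
    """Accept only an ACK/NAK with our identifier whose Response Authenticator was computed
    over our Request Authenticator with the shared secret (RFC 5176 section 3)."""
    if len(reply) < 20 or reply[0] not in (COA_ACK, COA_NAK) or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret.encode()).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

A real client would send the bytes from build_coa_request over UDP to ip-address:destport and run verify_reply on whatever comes back before trusting the "accepted" result.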



Comments

xthuijs (Cisco Employee)
hi alireza!

aik, nah that is not available in XR. it served so little purpose in IOS that we decided not to port/implement that functionality to XR. It was merely useful for login authentication and never really used for subscriber authentication (you're the first one in all my years asking about it :)

cheers

xander

Alireza Karimi (Level 1)

Hi Alexander

We use this command in IOS to have the ability to use two different RADIUS servers on the same router for PPPOE users and based on username format router decides which RADIUS server is responsible for the user.

For example, if the username format is 123@example.com it goes to the second RADIUS server, and if it is 123 it goes to the first RADIUS server.

We are two different ISPs with the same BRAS and different RADIUS servers!!

Is there any way in IOS XR for us to continue sharing BRAS and using different RADIUS servers?

Best Regards

xthuijs (Cisco Employee)

Hi Alireza,

aha, ok I think we can "mimic" that behavior you need with a control policy!

So what you can do is to make a class-map for the control policy that strips the username and matches on domain.

then in the control policy you define an event, say session-activate

under that session activate you have let's say 2 classes, these classes match on domain X vs Y.

then in each class separately you target a different aaa authen (or author) method list that hits on a different set of radius server(s).

would that work for you?

xander

dcoulanges (Level 1)

Excellent documentation!!!! I am new and I want to confirm if I 

I have two questions about ASR1000-X LNS only:

Do you have best practices on the ASR1002-X for LNS?

What are the advantages of having ISG on the LNS ASR1000-X?

Can I use the same type of deployment from your ASR9000 on the ASR1002-X?
https://supportforums.cisco.com/document/94171/asr9000xr-bng-deployment-guide

Thank you

Dominique

xthuijs (Cisco Employee)

hi dominique, thanks!! :) great to see it being of good use :)

the ISG implementation for ASR1K/IOS-XE is slightly different than the one in XR.

so certain events that you can use in XR are not in XE. The general concept of ISG is the same though between them: controlling sessions by triggering on events, acting upon them and applying services etc. Also some of the AVPs necessary to control sessions are slightly different between the two.

Because IOS-XE built forward on the classic IOS, some different best practices apply. Basically if you look at the IOS doc for scaling BB there is some good guidance there.

ISG in IOS/XE is optional, you can terminate sessions just like that in IOS without the need for a control policy. The control policy however allows you to handle session events and apply actions to them.

cheers!!

xander

Lantzy Kenny (Community Member)

Good day,

Please can anyone assist.

I'm getting the following issues when trying to get an IPoE session up.

RP/0/RSP0/CPU0:Aug 22 20:17:27.554 : ipsub_ma[453]: EVENT: t1 TP821: (AFI IPv4) Interface doesnt exist for this subscriber - will restart the session access-interface (Bundle-Ether10.1761), subscriber-ip (0.0.0.0), subscriber-mac (54a2.746a.16e8) outer-vlan (1761), inner-vlan (0)
RP/0/RSP0/CPU0:Aug 22 20:17:27.554 : ipsub_ma[453]: EVENT: t1 TP823: (AFI IPv4) error in finding DHCP binding access-interface (Bundle-Ether10.1761), subscriber-mac (54a2.746a.16e8) outer-vlan (1761), inner-vlan (0), error ('Subsystem(3667)' detected the 'informational' condition 'Code(3)' (657032704))
RP/0/RSP0/CPU0:Aug 22 20:17:27.554 : ipsub_ma[453]: ERROR: t1 TP123: (AFI IPv4) FSOL validate params: invalid subscriber-ip (0.0.0.0) on access-interface (Bundle-Ether10.1761)

Config is attached.

Any idea what the issue could be?

xthuijs (Cisco Employee)

hi lantzy, few things that are on hand here:

a - a qiq frame received with outer vlan 1761 and an inner vlan that by standard matching rules matches this access interface for frame to intf correlation

b - if the former applied it looks like a qiq frame with outer vlan 1761 and an inner vlan of 0 and vlan 0 is generally "reserved" as a priority frame

c - the user didn't send a discover, hence not triggering the classifier "dhcp triggered" but instead triggered the unclassified source directive of the control policy initiation.

Some solutions:

- define the encap to be "exact" meaning that if we say encap dot1q 1761, there is only one vlan header and only one value for us to match, excluding any qiq encap with outer vlan 1761.

- define an acl to block 0.0.0.0 as source. Albeit a dhcp discover has that, we can include the udp bootps/pc to be "permitted" by the ACL.

Anything BUT dhcp requests with source ip 0.0.0.0 will be blocked by an infrastructure ACL at the access interface level. Something like:

permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67 ! permit a bootps request with source ip 0.0.0.0 (client port 68) sent as broadcast to the server port 67

! possibly add a destination defined in there also for renew requests!!

deny ip host 0.0.0.0 any ! deny anything else with a sip of 0.0.0.0

permit ip any any  ! allow everything else (or possibly make this more restrictive to the subnet served as part of the unclassified IP)

- instruct and review the access network to not impose qiq and make sure that the switches send the right vlan encap for this subscriber.

cheers!

xander

Lantzy Kenny (Community Member)

Hi Xander,

Thanks for the quick response (it was unexpected but greatly appreciated).

I've made some progress with the error messages, which are attached.

But the session is still not authenticating. 

Your further assistance would be great.

Thanks for the assistance thus far.

xthuijs (Cisco Employee)

your log shows that the system receives dhcp discovers but they are not proxied. they are not proxied because you have in the control policy an AAA directive. this means we don't relay the discover until we receive an access accept. your radius server is sending a reject because it is missing a username/password attribute. while this is a violation of the radius rfc (username must be present) in your config there is this:

   5 authorize aaa list default format RM_User password Cisco

but the format definition of RM_User doesn't exist, so you need to add that to your configuration to build a username on mac, rid/cid or a combination of that as you like.

cheers

xander

khorapt95 (Community Member)

Excellent article ....keep it up

Hi Xander,

We have a case where we need more than one DHCP proxy profile on the same BNG, in order to use a different giaddr for each of them. Moreover, we need to assign all those profiles to the same VRF.

We can configure the multiple profiles with different giaddr, but when it comes to associating the VRF with the different profiles, it seems there can be only one association. The last one always replaces the previous. I need something like the following:

dhcp ipv4
 vrf MYVRF proxy profile MYPROFILE1
 vrf MYVRF proxy profile MYPROFILE2

Am I missing something here? Alternatively I was thinking to use a single profile for all customers but omit the giaddr specification from the profile. What is the behavior of the device in this case for the giaddr field? Is it going to use the unnumbered loopback associated with the incoming subif or will just send 0.0.0.0 toward the DHCP server?

Thanks in advance

xthuijs (Cisco Employee)

correct, you can assign one profile to a vrf, if you want multiple helpers or class based selection you can use a single profile and add the multiple helpers there.

if the giaddr is not set, it will use the addr from the access interface.

xander

GuerIt (Level 1)

Hi Xander,
Great article!
Do the TR line cards of the ASR9000 still not support PPPoE or IPoE?

Dirlei Fischer (Level 1)

Using A9K-RSP440-TR and A9K-MOD80-SE, is it possible to configure a PPPoE server?
Version disk0: asr9k-bng-px-6.5.3 ASR 9010

Nothing yet...

#dynamic-template
type ppp PPP_TEMPLATE
 ppp authentication chap
 ppp ipcp dns 8.8.8.8
 ppp ipcp peer-address pool POOLv4
 ipv4 unnumbered Loopback0

#pool vrf default ipv4 POOLv4
address-range 100.64.0.1 100.64.15.255

#interface TenGigE0/0/0/3.1311
pppoe enable bba-group BBA1
encapsulation dot1q 1311

#interface Loopback0
ipv4 address 100.64.1.1 255.255.255.255

#pppoe bba-group BBA1
sessions max limit 500

Some help?

 

Deniz AYDIN (Level 1)

Hi Xander,

How can we detect if a subscriber is terminated on RSP or on a LineCard?
