on 01-14-2014 05:36 AM
This document provides an overview for dual stack sessions for ASR9000 BNG, running ipv4 and ipv6 address stacks next to each other for subscriber sessions.
Dual stack refers to the concept of running a subsciber session with an IPv4 address as well as an IPv6 address.
To unravle the complex terminology associated with address assignment in particular to IPv6 this picture below shows the various address assignment options available.
![]()
You can also use the framed-ipv6-address radius attribute to provide an address to the subscriber from radius which then will be advertised
via SLAAC (NA/ND) for both PPPoE and IPoE sessions.
The additional attribute ipv6:ipv6-default-gateway VSA can be used to provide the default router in case no dhcpv6 is used for IPoE sessions.
When it comes to "prefix delegation" that is having a large IPv6 like subnet that is shared between subscribers who get a subnet from that subnet sort of speak the following addressing example hopefully visualizes how it all ties together
The following 2 secions provide the configuration for the client side and the WAN side of the CPE
interface GigabitEthernet0/2
description to switch fa0/15
ip address 192.168.1.1 255.255.255.0
no ip unreachables
ip nat inside
ip virtual-reassembly
duplex full
speed 100
media-type rj45
negotiation auto
ipv6 address prefix-from-provider ::1:0:0:0:1/64
interface FastEthernet2/0.50
encapsulation dot1Q 50
ipv6 address autoconfig default
ipv6 enable
ipv6 dhcp client pd prefix-from-provider
In these examples we are expanding the delegated prefix with a :1/64 and we perceive ourselves to be the ".1" and default gateway.
ipv6 unicast-routing
ipv6 dhcp pool dhcpv6
prefix-delegation pool dhcpv6-pool1 lifetime 6000 2000
ipv6 route 2001:60:45:28::/64 2005::1
ipv6 route 2001:DB8:1200::/40 2005::1
ipv6 route 200B::/64 2005::1
ipv6 route 2600:80A::9/128 4000::1
ipv6 local pool dhcpv6-pool1 2001:DB8:1200::/40 48
More info on IOS dhcpv6 server:
http://www.cisco.com/en/US/tech/tk872/technologies_configuration_example09186a0080b8a116.shtml
Because ASR9000 treats the 2 stacks as a single subscriber, and hence ONE access request and a SINGLE accounting record are generated for both stacks, differences of desired operation exist when it comes to when for isntance to generate an accounting request.
There are 2 key things to consider and of importance:
![]()
![]()
Sample Topology for the configuration example
![]()
hostname bng logging console debugging |
Radius server configuration.
Radius server is listening on 5.5.5.2 with auth-port on 1645 and accounting-port on 1646
radius-server host 5.5.5.2 auth-port 1645 acct-port 1646 key 7 010107000A5955 ! |
COA server or policy-server with ip-address 5.5.5.2 is running
aaa server radius dynamic-author client 5.5.5.2 vrf default server-key 7 03165A0F575D72 ! aaa group server radius RADIUS server 5.5.5.2 auth-port 1645 acct-port 1646 ! aaa accounting service default group radius aaa accounting subscriber default group radius aaa authorization subscriber default group radius aaa authentication subscriber default group radius line console stopbits 1 ! |
DHCPv6 address pool is defined locally within BNG box and local pool is used for ipv6 address assignment to IPv6 BNG clients
pool vrf default ipv6 ipv6_address_pool address-range 2001::2 2001::7dff ! |
DHCPv4 server with ip address 20.20.20.2 is deployed externally and this ipv4 address should be reachable from BNG device. Routing protocols should take care of reachability of 20.20.20.2 from BNG device. DHCPv4 proxy is configured as follows.
dhcp ipv4 profile IPoEv4 proxy helper-address vrf default 20.20.20.2 giaddr 10.10.10.1 ! |
DHCPv4 proxy is enabled on bundle sub-interface
interface Bundle-Ether1.10 proxy profile IPoEv4 ! |
DHCPv6 server is configured and already configured DHCPv6 address pool is referred within DHCPv6 server configuration. DHCPv6 profile is configured as follows with address pool.
dhcp ipv6 profile IPoEv6 server address-pool ipv6_address_pool ! |
DHCPv6 address pool is referred on bundle sub-interface.
interface Bundle-Ether1.10 server profile IPoEv6 ! interface Bundle-Ether1 bundle maximum-active links 1 ! |
Bundle sub-interface with dot1q encapsulation configured with single tag. Subscriber traffic from
CPE should come with single dot1q tag and this vlan tag should match with vlan id 10 configured under bundle sub-interface. In dual-stack IPoE configuration, “initiator dhcp” is configured ipv4/ipv6 l2 connect mode.
Policy-map type control’s name is referred with service-policy
interface Bundle-Ether1.10 ipv4 point-to-point ipv4 unnumbered Loopback1 ipv6 enable service-policy type control subscriber pm-src-mac encapsulation dot1q 10 ipsubscriber ipv4 l2-connected initiator dhcp ! ipsubscriber ipv6 l2-connected initiator dhcp ! ! |
Ipv4 address 10.10.10.1 is default-gateway ip address for pool of ipv4 address allocated to dual-stack BNG clients
interface Loopback1 ipv4 address 10.10.10.1 255.255.255.0 ipv6 enable ! interface MgmtEth0/RSP0/CPU0/0 ipv4 address 9.22.11.3 255.255.0.0 ! interface MgmtEth0/RSP0/CPU0/1 shutdown ! |
Physical interface gigabit0/0/0/0 is configured as bundle interface.
interface GigabitEthernet0/0/0/0 bundle id 1 mode on negotiation auto transceiver permit pid all ! interface GigabitEthernet0/0/0/1 ipv4 address 20.20.20.1 255.255.255.0 transceiver permit pid all ! interface GigabitEthernet0/0/0/5 ipv4 address 5.5.5.1 255.255.255.0 ! |
Dual-stack dynamic-template is configured for dual-stack initiation. “ipv6 enabled” under dual-stack template and ipv4 unnumbered
address, ipv4 urpf configured.
dynamic-template type ipsubscriber Dual_stack_IPoE accounting aaa list default type session periodic-interval 5 ipv4 verify unicast source reachable-via rx ipv4 unnumbered Loopback1 ipv6 enable ! ! |
Class-map configured for dual-stack scenario to match DHCPv6 – SOLICIT and DHCPv4 DISCOVER as sign of life packet
class-map type control subscriber match-any dual_stack_class_map match protocol dhcpv4 dhcpv6 end-class-map |
Class-map “Dual_stack_class_map “ is referred within policy-map. Even session-start is hit based on DHCPv4/DHCPv6 FSOL, template “Dual_stack_IPoE” is activated. Subscriber mac-address is used as subscriber identification and it is authorized with AAA server
policy-map type control subscriber pm-src-mac event session-start match-all class type control subscriber dual_stack_class_map do-all 1 activate dynamic-template Dual_stack_IPoE 2 authorize aaa list default identifier source-address-mac password cisco ! ! end-policy-map ! end |
”show subscriber session all” command shows ipv4/ipv6 clients session active
RP/0/RSP0/CPU0:bng#show subscriber session all Tue Jan 29 12:49:25.237 UTC Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated, ID - Idle, DN - Disconnecting, ED - End Type Interface State Subscriber IP Addr / Prefix LNS Address (Vrf) -------------------------------------------------------------------------------- IP:DHCP BE1.10.ip22 AC 10.10.10.10 (default) 2001::2 (default)
|
Command “show subscriber session all detail” should show ipv4/ipv6 clients details detailly.
RP/0/RSP0/CPU0:bng#show subscriber session all deta Tue Jan 29 12:49:27.752 UTC Interface: Bundle-Ether1.10.ip22 Circuit ID: Unknown Remote ID: Unknown Type: IP: DHCP-trigger IPv4 State: Up, Tue Jan 29 12:46:32 2013 IPv4 Address: 10.10.10.10, VRF: default IPv6 State: Up, Tue Jan 29 12:46:42 2013 IPv6 Address: 2001::2, VRF: default IPv6 Interface ID: ..d..... (02 00 64 ff fe 01 01 02) Mac Address: 0000.6401.0102 Account-Session Id: 0000001c Nas-Port: Unknown User name: 0000.6401.0102 Outer VLAN ID: 10 Subscriber Label: 0x00000055 Created: Tue Jan 29 12:46:32 2013 State: Activated Authentication: unauthenticated Access-interface: Bundle-Ether1.10 Policy Executed: policy-map type control subscriber pm-src-mac event Session-Start match-all [at Tue Jan 29 12:46:32 2013] class type control subscriber dual_stack_class_map do-all [Succeeded] 1 activate dynamic-template Dual_stack_IPoE [Succeeded] 2 authorize aaa list default [Succeeded] Session Accounting: Acct-Session-Id: 0000001c Method-list: default Accounting started: Tue Jan 29 12:46:32 2013 Interim accounting: On, interval 1 mins Last successful update: Tue Jan 29 12:48:34 2013 Next update in: 00:00:06 (dhms) Last COA request received: unavailable |
”show dhcp ipv4 proxy binding” command is going to show ipoev4 clients created with ip-address and mac-address, interface on which it is created, vrf-name etc
RP/0/RSP0/CPU0:bng#show dhcp ipv4 proxy binding Tue Jan 29 12:49:42.955 UTC
Lease
MAC Address IP Address State Remaining Interface VRF Sublabel -------------- -------------- --------- --------- ------------------- --------- ----------
0000.6401.0102 10.10.10.10 BOUND 3409 BE1.10 default 0x55 |
RP/0/RSP0/CPU0:bng#show dhcp ipv4 proxy binding de Tue Jan 29 12:49:49.498 UTC MAC Address: 0000.6401.0102 VRF: default Server VRF: default IP Address: 10.10.10.10 Giaddr from client: 0.0.0.0 Giaddr to server: 10.10.10.1 Server IP Address: 20.20.20.2 Server IP Address to client: 10.10.10.1 ReceivedCircuit ID: - InsertedCircuit ID: - ReceivedRemote ID: - InsertedRemote ID: - ReceivedVSISO: - InsertedVSISO: - Auth. on received relay info:FALSE Profile: IPoEv4 State: BOUND Proxy lease: 3600 secs (01:00:00) Proxy lease remaining: 3403 secs (00:56:43) Client ID: 0x00-0x00-0x64-0x01-0x01-0x02 Access Interface: Bundle-Ether1.10 Access VRF: default VLAN Id: 10 Subscriber Label: 0x55 Subscriber Interface: Bundle-Ether1.10.ip22 |
“show dhcp ipv6 server binding” is going to show ipv6 address allocated from DHCPv6 local pool
RP/0/RSP0/CPU0:bng#show dhcp ipv6 server binding Tue Jan 29 12:50:04.560 UTC Summary: Total number of clients: 1 DUID : 00030001000064010102 MAC Address: 0000.6401.0102 Client Link Local: fe80::200:64ff:fe01:102 Sublabel: 0x55 IA ID: 0x0 STATE: BOUND IPv6 Address: 2001::2 (Bundle-Ether1.10) lifetime : 600 secs (00:10:00) expiration: 399 secs (00:06:39) RP/0/RSP0/CPU0:bng# |
Configuration example and verification provided by Narendiran Rajaram
Xander Thuijs CCIE #6775
Principal Engineer ASR9000, IOS-XR and NCS6000
The config based on a "quick" scan looks like I am not spotting anything obvious.
well, you set the timer on UNCLASS sessions and your event on timer expiry seems to only match on dhcp based sessions, so this event timer expiry will bail for UNCLASS sessions, that is not related to the problem at hand however. (just fyi :)
the debug subscriber manager class-eval and policy will help in verifying the policy execution of this unclassified subscriber and see if a class is triggered and what actions are taken.
That might be most important right now to see what is going on there.
Also what ver are you on? May be best to be on 512 (not sure if this is a lab and easy to upgrade)
regards
xander
Hi,
i'm on 5.2.0.
The timer-expiery and idle-timer is by design.. You see if you have a static configured v4 adress on your CPE there is no way you can swap equipment because the session is locked to the old CPE MAC. Since there is no way to handle session mac conflict I had to do it that way and it will take 660sek for the old session to be disconnected.
Anyway, the class-eval and policy debugs are not showing anything. I just spoke to TAC and they said that the feature is not supported.. *arg* just spent 3 days trying to get it working! Kind of sad that I cant give my soho B2B customers static v6 session through the BNG without doing the "ipsubscriber interface" on the access-interface.. I have to through it on you guys.. it's 2014, everything should be v6 :)
Unless you find something else, thanks for taking the time!
~~xander response~~
the "maximum replies" we hit again and I have no way of responding to you except for editing your message, apologies.
would you be ok sending me the tac case you had open for this because I'd like to review this. I am currently checking with my dev group to see what the expectation is on that. As far as I know, although I never tried, v6 packet trigger should function, or maybe there is a small hook to be addressed. And you're right, if something has a v4 func, v6 should be natural!! Point taken, will carry that forward.
regards
xander
~~Gunnar response~~
Here you go..
SR 631164239, think this was just for the documentation but anyways. DDTS CSCuq08899
//Gunnar
~~xander response (2)~~
thanks gunnar! ok so I got conclusion on this also, this will be in 522, the hook is indeed missing for the triggered sessions for v6.
the ddts you have is filed against documentation to have it corrected. apologies for this mishap!
cheers!
xander
Hi,
We were having POC during past 2 month for ASR 9000 BNG features. All were running fine with 5.1.2. However, we were stucked in PPPoE dual-stack feature. We were having trouble with DHCPv6. We were able to obtain IPV6 address and IPv4 is working fine, but IPV6 is not being routed outside internet. I reviewed bugs mentioned on this forum and it seems like bugs were fixed with 5.1.2. On the contrary, I read from this forum that with PPPoe dual stack works fine with 4.3.x.
I would like to know if the reason why ipv6 is not being routed outside was due to a bug or we need to modify config. We have below config format:
dynamic-template type ppp PPPOE_TEMPLATE
ppp authentication chap pap
qos output minimum-bandwidth 20
accounting aaa list default type session
ipv4 mtu 1492
ipv4 unnumbered Loopback1001
ipv6 nd other-config-flag
ipv6 nd framed-prefix-pool POOL_V6_WAN_PPPOE
ipv6 nd managed-config-flag
ipv6 mtu 1492
ipv6 enable
dhcpv6 delegated-prefix-pool POOL_V6_LAN_PD_PPPOE
---
policy-map type control subscriber PPPOE_PM_DS_FREERADUIS
event session-start match-all
class type control subscriber PPPOE_CM do-all
10 activate dynamic-template PPPOE_TEMPLATE
!
event session-activate match-all
class type control subscriber PPPOE_CM do-all
10 authorize aaa list AUTHOR_LIST format MAC_FORMAT password cisco
---
class-map type control subscriber match-any PPPOE_CM_JA
match protocol ppp dhcpv6
end-class-map
Hi Jenny,
1. Do you get an IPv6 address (delegated) on your test PC and framed IPv6 on the modem?
2. If yes, do you see the delegated IPv6 prefix on your Internet gateway router?
Maybe it's just a routing problem.
Hi xander
this is Nan from CHINA TAC
i have some questions about CPE configuration . i saw you configured the ip nat inside on the interface of CPE which connected to LAN client. but no ip nat outside command on the interface of CPE which connected to BNG.
it made me confused. I don't think NAT can work without ip nat ouside interface... so i would like to ask if NAT is necessay for BNG solution ? if so how to config NAT on CPE side? if no, how did the pkt from LAN client forward to external network without nat?
the beauty of ipv6 is that due to its massive addressing space NAT is not really necessary there.
for the ipv4 you tend to want to do NAT because you want to "hide" the inside network, especially if it is private address space. the outside interface for the ip session is a dialer for pppoe, which is not part of this config example sicne it focussed on the v6 nature of it.
To make this scenario work in a routed mode without NAT, looking at the ipv4 dhcp client side,
then the BNG will need a route that points the inside network 192.168.x.x via its bng sub ipv4 address it hands out to the WAN interface of the CPE. This requires a per user or manual static route on the BNG side.
regards
xander
Hi Xander,
Hope you are doing fine.
We have spotted a bug in 5.2.4 regarding IPCP.
In case of an IPv6-only session, IPCP keeps sending CONFREQs although the PPP client sends PROTREJ. We have opened the SR636153247 and we have been proposed to use ppp ipcp passive.
I have two concerns about this:
Regards,
Dimitris
using ipcp passive is a great way to resolve this issue indeed since we would not start ipcp unless we see something from the peer.
it is true that a protrej should cause the receiver to stop sending packets for the protocol. so you are correct in that regard, however the passive mode achieves precisely that...
xander
So, if I am not mistaken, you are saying that using IPCP passive is considered as the solution and the bug is not going to be fixed.
If yes, I believe IPCP/IPv6CP passive commands should be default under dynamic (and virtual in IOS-XE) templates, for achieving a behavior as close as possible to the RFC .
Regards,
Dimitris
I agree with you that this is not the right behavior as it is today, but there is a very viable soluton to it (passive). so if you insist tac will file a ddts and I will fix it, but I am just being honest with you that this is not one that I'll sacrifice nights and weekends over or hold a release up for :).
cheers!
xander
Since the workaround works fine, I guess the issue must be documented as soon as possible and then it could be fixed in a lower priority.
Maybe making the passive behavior as the default would be a quick solution that wouldn't need so many sacrifices ;)
Regards,
Dimitris
Hi Alexander,
Is it possible to use external Radius for both ipv4 and ipv6. We are trying to configure in this scenario but can find no documentation covering this. We have a Cisco TAC case open but they have referred us to this document which covers external ipv4 and local ipv6 servers.
Regards
Brian
Hi Brian,
if you're asking about whether the radius server can be *reached* via ipv6 transport, then the answer today is no.
So the radius-server needs to have an ipv4 addr for communication between BNG and itself.
If the Q is relating to whether the radius server can provide authorization details for a session to the bng for both v4 and v6 related subscriber services, then the answer is yes.
As a matter of fact when the first authen/author request goes to the radius server when the FSOL (first sign of life, eg padi or discover) is sent, the radius server needs to respond back with BOTH the v4 and v6 information such as what addr or pool to use etc.
Although the FSOL, let's say its a v4 discover is not asking YET about v6, the author data needs to be present in the dbase so that when the v6 solicit comes in, the BNG knows what to do with it.
In other words, there is no separate author/authen for each stack, the first stack either v4 or v6 will require the radius to provide back for BOTH address families.
cheers!
xander
Hi all!
We have working implementation of dualstack on IPoE, and now we are trying to set up dualstack on PPPoE.
On ASR1000 it's working now, but on ASR9000 we have a problem.
If PC set up PPPoE session, it looks good, it can access any resources via IPv4 and v6.
But ADSL modem wich is set up dualstack on ASR1000 without problems can't get LAN IPv6 prefix.
I tried to change software version from 5.2.4SP2 to 5.3.3 without success.
In debug dhcp ipv6 I see this:
RP/0/RSP0/CPU0:Feb 9 08:54:59.208 : dhcpv6d[1084]: DHCPV6 SERVER ERROR: TP3692: dhcpv6_daps_alloc_by_pool: DAPS: daps_ipv6_alloc_by_pool: Failed rc='ip-daps' detected the 'warning' condition 'Warning: Invalid arguments passed'
RP/0/RSP0/CPU0:Feb 9 08:54:59.208 : dhcpv6d[1084]: DHCPV6 ERROR: TP3030: fsm : send_daps_req failed
RP/0/RSP0/CPU0:Feb 9 08:54:59.209 : dhcpv6d[1084]: DHCPV6 INTERNAL: TP380: req_next_addr_pfx_from_daps: client:0x502763f0 (1344758768) fsm:0x500831de (1342714334) num_req:0 iaid:0x0xf (15) rc:'ipv6-new-dhcpv6d' detected the 'warning' condition 'Error: Failed to alloc daps'
RP/0/RSP0/CPU0:Feb 9 08:54:59.209 : dhcpv6d[1084]: DHCPV6 ERROR: TP3031: fsm: sub valid handler failed, client_entry:0x502763f0 (1344758768) fsm:0x500831de (1342714334) reason:13
My config:
dhcp ipv6
profile PPPv6 server
lease 0 0 5
dns-server 2a03:xxxx:1000:10::2 2a03:xxxx:1000:10::3
prefix-pool PPP_LAN_prefix_pool
!
interface subscriber-pppoe profile PPPv6
pool vrf default ipv6 PPP_LAN_prefix_pool
prefix-length 56
prefix-range 2a03:xxxx:fe02:: 2a03:xxxx:fe02:ff00::
!
pool vrf default ipv6 PPP_WAN_prefix_pool
prefix-length 64
prefix-range 2a03:xxxx:ff02:: 2a03:xxxx:ff02:ffff::
dynamic-template
type ppp PPP_TPL
ppp authentication pap ms-chap chap
ppp timeout authentication 10
keepalive 15 3
ppp ipcp dns 217.xx.xxx.19 217.xx.xxx.18
ppp ipcp peer-address pool 1000
accounting aaa list default type session periodic-interval 25
ipv4 unnumbered Bundle-Ether4.3333
ipv6 nd framed-prefix-pool PPP_WAN_prefix_pool
ipv6 nd managed-config-flag
ipv6 enable
dhcpv6 delegated-prefix-pool PPP_LAN_prefix_pool
interface Bundle-Ether4.231
service-policy type control subscriber PPP_policy
pppoe enable bba-group vlan12
encapsulation dot1q 231
pppoe bba-group vlan12
service selection disable
sessions max limit 2
class-map type control subscriber match-any PPPoE
match protocol ppp
end-class-map
policy-map type control subscriber PPP_policy
event session-start match-first
class type control subscriber PPPoE do-until-failure
10 activate dynamic-template PPP_TPL
!
!
event timer-expiry match-first
class type control subscriber AUTH_TIMER_CM do-until-failure
10 disconnect
!
!
event authorization-failure match-first
class type control subscriber PPPoE do-until-failure
10 activate dynamic-template HTTP_UNAUTH_REDIRECT
20 set-timer AUTH_TIMER 5
!
!
event session-activate match-first
class type control subscriber PPPoE do-until-failure
10 authenticate aaa list default
!
!
end-policy-map
Hi again!
I continued to test dualstack on ASR9001 and discovered interesting thing.
All my devices (ASR9001 and ASR1004) provides WAN ipv6 address by SLAAC and LAN prefix by DHCPv6. But ADSL modem by default requests both WAN address and LAN prefix by DHCPv6. After receiving solicit with WAN and LAN address request ASR1004 proceed with advertising only LAN prefix, and WAN address is provided latter with SLAAC. ASR9001 receiving the same solicit replays back with advertise message with status code unspecific fail and modem can't get IPv6 LAN prefix.
If I manually disable WAN IPv6 address request through DHCP and only prefix delegation request comes in solicit, than all works fine both in ASR9001 and ASR1004.
I tested this on 5.2.4 SP2 and 5.3.3 versions. Is it a bug in DHCpv6 working on ASR9001 or it's normal behaviour?
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: