Hi Alex,

i am deploying IPoE Dual Stack IPv4 and IPv6 and i am using version 5.1.0

i used Radius to allocated IPv6 on WAN-CPE(/64) and LAN-CPE (/64)

Framed-IPv6-Prefix, used for the WAN-CPE

Delegated-IPv6-Prefix, used for the LAN-CPE

if i use CPE, WAN-CPE doesn't get IPv6 Address from Framed-IPv6-Prefix, in this case between BNG and CPE was using link-local-address.

but it worked for Prefix-Delegation from Delegated-IPv6-Prefix. in connectivity the users behind the CPE can access internet with IPv6.

if i replace the CPE become a PC, the PC doesn't get IPv6 Address  from Framed-IPv6-Prefix.

and if i check the subscriber detail for this pc, there's a message that said Last IPv6 Down.

[Last IPv6 down]

Disconnect Reason:        Addr/prefix request from DAPS pool failed

--

I have deployed(running production) BNG based on ASR1K Platfrom using PPPoE Solution, the two attributes was working perfectly.

thank you

anderson

Hi Anderson,

if you use a dedicated address on the WAN side and a delegated prefix for the LAN side, you're effectively "wasting" an address ont eh wAN side as you could just do SLAAC towards the wan side.

Is that an option, it would simplify your access model significantly and reduce the need for additional routing towards the cPE LAN side from the BNG.

However I expected this to work just fine, we need to do some debugging and that is probably easiest to do via a TAC case so your config and addressing is not spread across. a ppp debug, from both sides would be needed and potentially a sniffer trace if possible to verify the handshake and address assignment/allocation would probably clarify also a lot.

the framed-v6-prefix would work for a single host/pc but it depends on how that host is obtaining an ip address, if via dhcpv6 it would be fine, although the framed-v6 could also be offered in an ND/NA, but here also traces and debugs are necessary to identify what is going on.

At the same time, not sure if can be asked, a verification/cross comparison to 434 might help here also.

cheers

xander

Hi Xander!

It's a good doc!

I am deploying dual stack for IPoE subscribers on ASR 9001. All works fine in tests.

But we use authorization by option 82 and not all of our access devices ( i mean switches, OLTs and so one ) supports IPv6 now. So, if subsrriber's PC first tries to set up session with IPv6 its session becomes unauth. If PC set up session with IPv4, then it is authorized and IPv6 part sets up normal.

So, is any mechanism to set up IPv4 part of session first and then IPv6 part? If DHCP solisit comes and there is no IPv4 part of session - not to establish IPv6 part of session until IPv4 part will establish.

And the second question is about keepalive for IPoE sessoins. As I know now keepalives are supported only with PPP sessions. Will you make the same feature for IPoE ?

thank you

hi, Vladimir

AFAIK there is no way to make the V4 come firstly, but there is a trick can do TAL for the session using dhcpv4 options or DHCPv6 options no matter which one come first.

An example to build a unified username format for V4/V6 DS session

•DHCPv4: option82 circuit_id(circuit-id-tag) + remote_id(remote-id-tag)

•DHCPv6: option18(dhcpv6-interface-id)+option37(remote-id-tag)

     circuit_id and DHCPv6 option18 ,AND inserts same string (saying YYYY)

     for DHCPv4 option82 remote_id and DHCPv6 option37

with following config

aaa attribute format DS_UNIFIED_USERNAME

format-string length 253 "%s@%s@%s" dhcpv6-interface-id circuit-id-tag remote-id-tag

No matter the DHCPv4 or DHCPv6 triggers the TAL for the session, the same

Username(XXXX@YYYY) is built and sent RADUS server for authorization.

With this approach, you need only one user profile in radius server for DS subscriber.

Roy

yeah I was thinking to handle the event session start event to amtch on protocol dhcp (v4) only and not handle an event start for dhcp trigger:

RP/0/RSP0/CPU0:A9K-BNG(config-cmap)#match protocol ?

  dhcpv4  dhcpv4

  dhcpv6  dhcpv6

  ppp     ppp

this way if the solicit comes in, we ignore it, but if the dhcp discover comes in for v4 then we trigger the event start, do the radius stuff and all that.

While that is no guarantee that v4 completes first, it is very likely to be handled first over dhcpv6...

For PPPoE, dont think there is any control we have there, it depends on the client whether it sends the IPCP before IPv6CP and the itterations it requires to complete the NCP.

Generally, clients open IPCP first, so we should be fine here, but there is little control that we can exercise over this from the BNG side...

regards

xander

Hi Xander,

I would like to ask you to give me an advice how to configure the address-pool for PPPoE with IPv6 address family.

I checked the command reference for 4.3.x and I see the network command where I can specify the IPv6 prefix and length

e.g.

RP/0/RSP0/CPU0:router# configure

RP/0/RSP0/CPU0:router(config)# pool vrf vrf1 ipv6 pool3

RP/0/RSP0/CPU0:router(config-pool-ipv6)# network 10:1:1::/50

And for prefix length:

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# pool vrf vrf1 ipv6 pool3
RP/0/RSP0/CPU0:router(config-pool-ipv6)# prefix-length 50

Is this the right way to configure the pool or do we have to use address-range command instead of network? How long should the prefix-lenght be? I thought that we can use /128 on subscriber side for PPPoE sessions.

I am slowly making a config in notepad so I am can be ready for implementation.

A nice example would help me a lot. Customer is giving me a /40 for subscribers.

One more thing. User anderson made a comment about WAN-CPE and LAN-CPE address.

Framed-IPv6-Prefix, used for the WAN-CPE

Delegated-IPv6-Prefix, used for the LAN-CPE

Can you please explain this to me? 

My idea was to use SLAAC on BNG<->CPE and a prefix for user device.

Here is the link of the command reference I am using:

http://www.cisco.com/en/US/docs/routers/asr9000/software/asr9k_r4.3/bng/command/reference/b_bng_cr43asr9k_chapter_010.html#wp2356015420

Hi Smail,

I see what you mean, so with ipv6 we generally dont hand out /32's (or better put /128's) but little subnets. As you know v6 doesnt do NAT and there is no need for it either with this large address space.

So for v6 we provide a little network to the CPE and then the pool size defines how many of those little subnets we actually have.

Considering this picture above from the "address mapping" section:

https://supportforums.cisco.com/servlet/JiveServlet/showImage/176403/Slide1.jpg

We have a pool defined by the /40.

We provide a prefix length of 48.

This means that the /40 in the pool is carved into 256 chunks (because we have 48-40=8 bits is 256 unique).

This defines the portion of the address that is "static" and the section that is variable.

Because we are providing a 64 bit address, that leaves 64 bits for individual devices that on a per "routed subnet" of 256 each.

Now to answer your question, how do you need to go about it, what do you need to assign etc; that all depends on the

future prospect in terms of v6 enabled devices, the assigned v6 space you have etc.

In access we can provide 64 bit addresses, leaving 64 bit for the hosts (which is MASSIVE!), and then from the assigned address space, you need to chunk it up into "subnets" and assign certain portions to a BNG.

the mask - prefix lenght effectively defines the number of subscribers that can be assigned this delegated prefix,

so that is your key parameter. In this example above I only had 256 unique subnets (subscribers) whih each 64 bits worth of hosts available to them.

Think that is over the top, but that is what the trend is heading towards...

regards

xander

Hi,

with this explanation and the illustration it is much clearer now. I will do some testing in the next few weeks.

Thank you Xander.

I have problems with creating comments here. Here is the missing slide

One update: I connected Ubuntu and configured DHCP only under IPv6 settings and I got a IPv6 addres

and I see this IP address under show subs session, but Ubuntu has :: as default gateway and I can not ping

between BNG and Ubuntu.

I do some more testing

few things that I see Smail:

1) the v6 dhcp server needs to be tied to the access interface, otherwise DHCP will not proceed.

2) you have here static address assignment and not prefix delegation, so you want to assign  from the pool not a single address, but a prefix with a mask that will be handed out to the CPE so he can distribute/use that for the devices that are attached to the CPE

3) if applicable, if you do authentication, the access-accept needs to provide both v4 and v6 authorization, there is no separate lookup per address family.

4) you have a vrf applied ot the access interface, is that vrf also v6 capable, with that AF instantiated?

5) good call on the vrf the same on the access interface and dynamic template.

6) I think that you do the show upv6 dhcp binding that nothing will come up, or at least not what we expect. that is hy the session is not reproted as dual stack

7) if the cpe is fully bridged, then only the first device that comes online for v6 will get an address due to the way that it is setup. that single device will be a single subscriber.

you probably want to have a subscriber per CPE and have the cpe deal with the remote devices via PD.

8) the dns server for v6 missing is likely because of the address distribution because the dhcp server is not linked to the access interface so we do it via the pool allocation method.

hopefully this will help,

cheers

xander

Hi Xander,

thank you for replying.

I forgot to copy/paste the whole dhcp ipv6 config, sorry. I have the access-interface under dhcp

dhcp ipv6

profile IPoEv6_DHCP server

  dns-server 2a02:27b0:3:a::abcd 2a02:27b0:3:b::abcd

  address-pool IPoEv6_POOL

!

interface Bundle-Ether12.995 server profile IPoEv6_DHCP

2. and 7. Customer is requesting the bridged RG deployment model because they want to use Broadhop and give the customer the option to add/remove etc. via a portal and to have full control of the network. This is also good for Cisco because the customer need more BNG subscriber liceneses and hardware.

3. For now no auth is used. After I have accomplished to get an IPv4 and IPv6 address I will add authorization with Option82 info as username.

4. I have IPv4 and IPv6 AF under the vrf. I just checked it to be sure, good hint

Tomorrow I will try something else. This dynamic-template will be used tomorrow:

type ipsubscriber IPoE_TEMPLATE

  vrf ipoe

  timeout idle 60

  accounting aaa list default type session

  ipv4 unnumbered Loopback10070

  ipv6 nd other-config-flag

  ipv6 nd managed-config-flag

  ipv6 enable

  dhcpv6 address-pool IPoEv6_POOL

I have to check the end devices again. I know that i chose "DHCP only" on ubuntu. This probably means that it will disable router discovery. Stupid me

I have also to check if the W7 PCs are sending RDs.

I will keep you posted after I have finally an IPoE dualstack session.

p.s.

lease proxy client-lease-time 300 for DHCP IPv4

and

lease 0 0 5 under DHCP IPv6

can be used as a sort of keepalive for IPoE?

Hi,

it looks like I finally got my IPv6 subscriber session . I got a nice hint from a Cisco engineer who has put me in the right direction.

I used

ipv6 nd other-config-flag  TO GET DNS SERVERS

ipv6 nd managed-config-flag  TO GET AN IPv6 ADDRESS FROM DHCP POOL

under dynamic-template but the subscriber still did not got an IPv6 address from the pool.

After that I tried some more variations and finally got a dual-stack session on the BNG. It is mandatory to have

ipv6 nd managed-config-flag under the access-interface, too.

It looks easy now, but it was a long way to get it to work.

I also tried (was curious) with IPv6 address from the dhcp pool on the access-interface (and remove the pool from DHCP config).

My W7 got both, IPv4 and IPv6 addresses but the IPv6 session was not on the BNG. BNG behaved just like a regular router and not like a subscriber-aware router. Maybe the problem was that there was nothing to trigger the IPv6 session (missing dhcpv6 traffic) that I had in the class-map.

The test PC gets the IPv4 in a sec, but it takes time to get IPv6 address, dns server and gw...about 5 sec.

This is my final config. I will do some more testing next week, but this should be it. Not sure if I can use local DHCP server with lease time of 5 minutes in production for maybe 10K DS subscribers.

pool vrf ipoe ipv6 IPoEv6_POOL

address-range 2a02:27b0:4060::1 2a02:27b0:4060::ffff

dhcp ipv6

profile IPoEv6_DHCP server

  lease 0 0 5

  dns-server 2a02:27b0:3:a::abcd 2a02:27b0:3:b::abcd

  address-pool IPoEv6_POOL

interface Bundle-Ether12.995 server profile IPoEv6_DHCP

dynamic-template

type ipsubscriber IPoE_TEMPLATE

  vrf ipoe

  accounting aaa list default type session

  ipv4 unnumbered Loopback10070

  ipv6 nd reachable-time 10000

  ipv6 nd other-config-flag

  ipv6 nd managed-config-flag

  ipv6 enable

  dhcpv6 address-pool IPoEv6_POOL

interface Bundle-Ether12.995

description #IPoE#

vrf ipoe

ipv4 point-to-point

ipv4 unnumbered Loopback10070

ipv6 nd suppress-ra

ipv6 nd managed-config-flag

ipv6 enable

service-policy type control subscriber BNG_IPoE

encapsulation dot1q 995

ipsubscriber ipv4 l2-connected

  initiator dhcp

  initiator unclassified-source

!

ipsubscriber ipv6 l2-connected

  initiator dhcp

  initiator unclassified-source   I WILL REMOVE THIS LATER.

Thanks for providing that config example Smail!

I dont see why the nd managed config flag is necessary, but I will investigate and see/document when this may be necessary.

regards

xander

Hi Xander,

I am trying to establish a dual-stack PPPoE session in an ASR9K (4.3.4) and I have a problem in providing the LAN prefix via DHCPv6-PD.

Since all the other comments and the examples are IPoE related, I am worried that something must be different in PPPoE.

The configuration I am testing right now is the following (ipv6 irrelevant commands are omitted):

pool vrf all ipv6 LLU-KLN-LAN-IPv6-POOL

prefix-length 56

network 2a02:x:x::/40

!

pool vrf all ipv6 LLU-KLN-WAN-IPv6-POOL

prefix-length 64

network 2a02:x:x::/48

!

dhcp ipv6

profile DHCP-SERVER-LOCAL server

  dns-server 2a02:x:x:x::x 2a02:x:x:x::x

  prefix-pool LLU-KLN-LAN-IPv6-POOL

!

interface Bundle-Ether1.33211199 server profile DHCP-SERVER-LOCAL

!

!

interface Bundle-Ether1.33211199

description ** POP-KLN - Residential Internet TEST**

service-policy type control subscriber POP-KLN-PPP-SUBSCRIBER-POLICY

pppoe enable bba-group PPPoE-GROUP-POP-KLN

encapsulation dot1q 3321 second-dot1q 1199

dynamic-template

type ppp POP-KLN-DYNAMIC-TEMPLATE

  ppp ipcp peer-address pool LLU-KLN-WAN-IPv4-POOL

  ipv6 nd other-config-flag

  ipv6 nd framed-prefix-pool LLU-KLN-WAN-IPv6-POOL

  dhcpv6 delegated-prefix-pool LLU-KLN-LAN-IPv6-POOL

!

!

class-map type control subscriber match-any POP-KLN-PPP-SUBSCRIBER-CLASS

match protocol ppp

end-class-map

!

!

class-map type control subscriber match-all POP-KLN-DHCPV6-SUBSCRIBER-CLASS

match protocol dhcpv6

end-class-map

!

policy-map type control subscriber POP-KLN-PPP-SUBSCRIBER-POLICY

event session-start match-all

  class type control subscriber POP-KLN-PPP-SUBSCRIBER-CLASS do-until-failure

   10 activate dynamic-template POP-KLN-DYNAMIC-TEMPLATE

  !

  class type control subscriber POP-KLN-DHCPV6-SUBSCRIBER-CLASS do-all

   10 activate dynamic-template POP-KLN-DYNAMIC-TEMPLATE

  !

!

event session-activate match-all

  class type control subscriber POP-KLN-PPP-SUBSCRIBER-CLASS do-until-failure

   10 activate dynamic-template POP-KLN-DYNAMIC-TEMPLATE

Although the CPE sends the DHCPv6 solicit, the DHCPv6 server is not activated.

Do I miss something? I cannot say that the CCO documentation is so helpful on this matter.

Thank you in advance,

Dimitris