xthuijs
Cisco Employee

Introduction

This document provides an overview of dual-stack sessions on the ASR9000 BNG, running the IPv4 and IPv6 address stacks next to each other for subscriber sessions.

Dual Stack

Dual stack refers to the concept of running a subscriber session with an IPv4 address as well as an IPv6 address.

Deployment models and general concept

Screen Shot 2014-01-14 at 8.46.52 AM.png

Address Assignment

To unravel the complex terminology associated with address assignment, in particular for IPv6, the picture below shows the various address assignment options available.

Screen Shot 2014-01-14 at 8.47.07 AM.png

You can also use the framed-ipv6-address RADIUS attribute to provide an address to the subscriber from RADIUS, which will then be advertised via SLAAC (NA/ND) for both PPPoE and IPoE sessions.

The additional ipv6:ipv6-default-gateway VSA can be used to provide the default router in case no DHCPv6 is used for IPoE sessions.

IPv6 Addressing

When it comes to "prefix delegation", that is, having a large IPv6 subnet shared between subscribers who each get a subnet out of it, so to speak, the following addressing example hopefully visualizes how it all ties together.

Addressing mapping

Slide1.jpg

Configuration CPE

The following 2 sections provide the configuration for the client side and the WAN side of the CPE.

PC client side of the CPE

    interface GigabitEthernet0/2
     description to switch fa0/15
     ip address 192.168.1.1 255.255.255.0
     no ip unreachables
     ip nat inside
     ip virtual-reassembly
     duplex full
     speed 100
     media-type rj45
     negotiation auto
     ipv6 address prefix-from-provider ::1:0:0:0:1/64
     ipv6 enable

 

WAN side of the CPE

    interface FastEthernet2/0.50
     encapsulation dot1Q 50
     ipv6 address autoconfig default
     ipv6 enable
     ipv6 dhcp client pd prefix-from-provider

 

In these examples we are expanding the delegated prefix with a :1/64 and we perceive ourselves to be the ".1" and default gateway.

Configuration DHCPv6 Server

    ipv6 unicast-routing
    ipv6 dhcp pool dhcpv6
     prefix-delegation pool dhcpv6-pool1 lifetime 6000 2000
    ipv6 route 2001:60:45:28::/64 2005::1
    ipv6 route 2001:DB8:1200::/40 2005::1
    ipv6 route 200B::/64 2005::1
    ipv6 route 2600:80A::9/128 4000::1
    ipv6 local pool dhcpv6-pool1 2001:DB8:1200::/40 48

More info on IOS dhcpv6 server:

http://www.cisco.com/en/US/tech/tk872/technologies_configuration_example09186a0080b8a116.shtml
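How the /40 local pool on the DHCPv6 server, the /48 delegations and the CPE's ::1:0:0:0:1/64 suffix fit together, as an added Python example that is not part of the original document. The function names are hypothetical, and numbering the delegations by index is an assumption for illustration; the page does not state the order in which the server hands prefixes out.

```python
import ipaddress

# Values taken from the configuration on this page.
POOL = ipaddress.IPv6Network("2001:db8:1200::/40")  # ipv6 local pool dhcpv6-pool1
DELEGATED_LEN = 48                                  # length of each delegation
LAN_SUFFIX = "::1:0:0:0:1/64"                       # CPE: prefix-from-provider ...


def delegated_prefix(index):
    """Return the index-th /48 inside the /40 pool (0-based, hypothetical numbering)."""
    count = 2 ** (DELEGATED_LEN - POOL.prefixlen)
    if not 0 <= index < count:
        raise ValueError(f"pool holds only {count} delegations")
    base = int(POOL.network_address) + (index << (128 - DELEGATED_LEN))
    return ipaddress.IPv6Network((base, DELEGATED_LEN))


def lan_interface(delegated, suffix=LAN_SUFFIX):
    """Build the CPE LAN address: the leading bits come from the delegated
    prefix, the remaining bits and the interface prefix length from the suffix."""
    iface = ipaddress.IPv6Interface(suffix)
    if iface.network.prefixlen < delegated.prefixlen:
        raise ValueError("interface prefix is shorter than the delegation")
    low_mask = (1 << (128 - delegated.prefixlen)) - 1
    addr = int(delegated.network_address) | (int(iface.ip) & low_mask)
    return ipaddress.IPv6Interface((addr, iface.network.prefixlen))


def subscriber_index(address):
    """Map an observed address back to the delegation it sits in, or None
    when the address is outside the pool (useful when attributing traffic)."""
    addr = ipaddress.ip_address(address)
    if addr not in POOL:
        return None
    return (int(addr) - int(POOL.network_address)) >> (128 - DELEGATED_LEN)


if __name__ == "__main__":
    pd = delegated_prefix(5)
    print("delegated prefix :", pd)
    print("CPE LAN interface:", lan_interface(pd))
    # Constructed sample address inside another subscriber's delegation.
    print("owner of sample  :", subscriber_index("2001:db8:12a3:1:dead:beef:0:1"))
```

The /40 pool yields 256 delegations of /48, and each CPE numbers its first LAN as subnet 1 with host address ::1.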

Operation and Call Flow

Because the ASR9000 treats the 2 stacks as a single subscriber, ONE access request and a SINGLE accounting record are generated for both stacks. As a result, the desired operation can differ, for instance when it comes to when an accounting request should be generated.

There are 2 key things to consider:

  • When the first AF comes up, an access-request is generated. The access-accept should contain BOTH IPv4 and IPv6 information for the session, even though there may not yet be a request for the other AF.
  • An accounting-start can be generated as soon as the first AF comes up, we can wait for a determined period of time and generate a single accounting-start record for BOTH AFs, or we can send a triggered interim accounting record when the second AF comes up.

Call Flows

Dual stack generic call flow

Screen Shot 2014-01-14 at 8.46.33 AM.png

PPPoE DS detailed call flow SLAAC based address assignment

Screen Shot 2014-01-14 at 9.07.40 AM.png

PPPoE DS detailed call flow DHCPv6 based address assignment

Screen Shot 2014-01-14 at 8.57.06 AM.png

IPoE DS detailed callflow IPv4 AF starts first

Screen Shot 2014-01-14 at 8.57.30 AM.png

IPoE DS detailed callflow IPv6 AF starts first

Screen Shot 2014-01-14 at 8.57.36 AM.png

Sample Scenario

Sample Topology for the configuration example

Screen Shot 2014-01-14 at 8.39.37 AM.png

Configuration

    hostname bng
    logging console debugging

RADIUS server configuration.

The RADIUS server is listening on 5.5.5.2, with auth-port 1645 and accounting-port 1646.

    radius-server host 5.5.5.2 auth-port 1645 acct-port 1646
     key 7 010107000A5955
    !

A CoA server or policy server with IP address 5.5.5.2 is running.

    aaa server radius dynamic-author
     client 5.5.5.2 vrf default server-key 7 03165A0F575D72
    !
    aaa group server radius RADIUS
     server 5.5.5.2 auth-port 1645 acct-port 1646
    !
    aaa accounting service default group radius
    aaa accounting subscriber default group radius
    aaa authorization subscriber default group radius
    aaa authentication subscriber default group radius
    line console
     stopbits 1
    !

The DHCPv6 address pool is defined locally on the BNG, and this local pool is used for IPv6 address assignment to IPv6 BNG clients.

    pool vrf default ipv6 ipv6_address_pool
     address-range 2001::2 2001::7dff
    !

 

The DHCPv4 server with IP address 20.20.20.2 is deployed externally, and this IPv4 address must be reachable from the BNG device. Routing protocols should take care of reachability of 20.20.20.2 from the BNG device. The DHCPv4 proxy is configured as follows.

    dhcp ipv4
     profile IPoEv4 proxy
      helper-address vrf default 20.20.20.2 giaddr 10.10.10.1
     !

The DHCPv4 proxy is enabled on the bundle sub-interface.

     interface Bundle-Ether1.10 proxy profile IPoEv4
    !

 

The DHCPv6 server is configured, and the DHCPv6 address pool defined above is referenced within the DHCPv6 server configuration. The DHCPv6 profile is configured as follows with the address pool.

    dhcp ipv6
     profile IPoEv6 server
      address-pool ipv6_address_pool
     !

The DHCPv6 profile, and with it the address pool, is referenced on the bundle sub-interface.

     interface Bundle-Ether1.10 server profile IPoEv6
    !
    interface Bundle-Ether1
     bundle maximum-active links 1
    !

The bundle sub-interface is configured with single-tag dot1q encapsulation. Subscriber traffic from the CPE should arrive with a single dot1q tag, and this VLAN tag must match VLAN ID 10 configured under the bundle sub-interface. In the dual-stack IPoE configuration, “initiator dhcp” is configured under both the ipv4 and the ipv6 l2-connected modes.

The name of the policy-map type control is referenced with service-policy.

    interface Bundle-Ether1.10
     ipv4 point-to-point
     ipv4 unnumbered Loopback1
     ipv6 enable
     service-policy type control subscriber pm-src-mac
     encapsulation dot1q 10
     ipsubscriber ipv4 l2-connected
      initiator dhcp
     !
     ipsubscriber ipv6 l2-connected
      initiator dhcp
     !
    !

IPv4 address 10.10.10.1 is the default-gateway IP address for the pool of IPv4 addresses allocated to dual-stack BNG clients.

    interface Loopback1
     ipv4 address 10.10.10.1 255.255.255.0
     ipv6 enable
    !
    interface MgmtEth0/RSP0/CPU0/0
     ipv4 address 9.22.11.3 255.255.0.0
    !
    interface MgmtEth0/RSP0/CPU0/1
     shutdown
    !

 

Physical interface GigabitEthernet0/0/0/0 is configured as a member of the bundle interface.

    interface GigabitEthernet0/0/0/0
     bundle id 1 mode on
     negotiation auto
     transceiver permit pid all
    !
    interface GigabitEthernet0/0/0/1
     ipv4 address 20.20.20.1 255.255.255.0
     transceiver permit pid all
    !
    interface GigabitEthernet0/0/0/5
     ipv4 address 5.5.5.1 255.255.255.0
    !

The dual-stack dynamic-template is configured for dual-stack initiation. “ipv6 enable”, the ipv4 unnumbered address and ipv4 uRPF are configured under the dual-stack template.

    dynamic-template
     type ipsubscriber Dual_stack_IPoE
      accounting aaa list default type session periodic-interval 5
      ipv4 verify unicast source reachable-via rx
      ipv4 unnumbered Loopback1
      ipv6 enable
     !
    !

A class-map is configured for the dual-stack scenario to match DHCPv6 SOLICIT and DHCPv4 DISCOVER as the sign-of-life packet.

    class-map type control subscriber match-any dual_stack_class_map
     match protocol dhcpv4 dhcpv6
     end-class-map
    !

 

Class-map “dual_stack_class_map” is referenced within the policy-map. When event session-start is hit based on a DHCPv4/DHCPv6 FSOL, template “Dual_stack_IPoE” is activated. The subscriber MAC address is used as the subscriber identification, and it is authorized with the AAA server.

    policy-map type control subscriber pm-src-mac
     event session-start match-all
      class type control subscriber dual_stack_class_map do-all
       1 activate dynamic-template Dual_stack_IPoE
       2 authorize aaa list default identifier source-address-mac password cisco
      !
     !
     end-policy-map
    !
    end

 

Verification example

The “show subscriber session all” command shows the active IPv4/IPv6 client session.

    RP/0/RSP0/CPU0:bng#show subscriber session all
    Tue Jan 29 12:49:25.237 UTC
    Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
           ID - Idle, DN - Disconnecting, ED - End
    Type         Interface               State     Subscriber IP Addr / Prefix
                                                   LNS Address (Vrf)
    --------------------------------------------------------------------------------
    IP:DHCP      BE1.10.ip22             AC        10.10.10.10 (default)
                                                   2001::2 (default)

     

 

The “show subscriber session all detail” command should show the IPv4/IPv6 client details.

    RP/0/RSP0/CPU0:bng#show subscriber session all deta
    Tue Jan 29 12:49:27.752 UTC
    Interface:                Bundle-Ether1.10.ip22
    Circuit ID:               Unknown
    Remote ID:                Unknown
    Type:                     IP: DHCP-trigger
    IPv4 State:               Up, Tue Jan 29 12:46:32 2013
    IPv4 Address:             10.10.10.10, VRF: default
    IPv6 State:               Up, Tue Jan 29 12:46:42 2013
    IPv6 Address:             2001::2, VRF: default
    IPv6 Interface ID:        ..d..... (02 00 64 ff fe 01 01 02)
    Mac Address:              0000.6401.0102
    Account-Session Id:       0000001c
    Nas-Port:                 Unknown
    User name:                0000.6401.0102
    Outer VLAN ID:            10
    Subscriber Label:         0x00000055
    Created:                  Tue Jan 29 12:46:32 2013
    State:                    Activated
    Authentication:           unauthenticated
    Access-interface:         Bundle-Ether1.10
    Policy Executed:
    policy-map type control subscriber pm-src-mac
     event Session-Start match-all [at Tue Jan 29 12:46:32 2013]
      class type control subscriber dual_stack_class_map do-all [Succeeded]
       1 activate dynamic-template Dual_stack_IPoE [Succeeded]
       2 authorize aaa list default [Succeeded]
    Session Accounting:
    Acct-Session-Id:          0000001c
    Method-list:              default
    Accounting started:       Tue Jan 29 12:46:32 2013
    Interim accounting:       On, interval 1 mins
       Last successful update: Tue Jan 29 12:48:34 2013
       Next update in:         00:00:06 (dhms)
    Last COA request received: unavailable

The “show dhcp ipv4 proxy binding” command shows the IPoEv4 clients created, with IP address and MAC address, the interface on which each is created, the VRF name, etc.

    RP/0/RSP0/CPU0:bng#show dhcp ipv4 proxy binding
    Tue Jan 29 12:49:42.955 UTC
                                               Lease
    MAC Address     IP Address      State      Remaining   Interface            VRF        Sublabel
    --------------  --------------  ---------  ---------   -------------------  ---------  ----------
    0000.6401.0102  10.10.10.10     BOUND      3409        BE1.10               default    0x55

 

 

    RP/0/RSP0/CPU0:bng#show dhcp ipv4 proxy binding de
    Tue Jan 29 12:49:49.498 UTC
    MAC Address:                  0000.6401.0102
    VRF:                          default
    Server VRF:                   default
    IP Address:                   10.10.10.10
    Giaddr from client:           0.0.0.0
    Giaddr to server:             10.10.10.1
    Server IP Address:            20.20.20.2
    Server IP Address to client:  10.10.10.1
    ReceivedCircuit ID:           -
    InsertedCircuit ID:           -
    ReceivedRemote ID:            -
    InsertedRemote ID:            -
    ReceivedVSISO:                -
    InsertedVSISO:                -
    Auth. on received relay info: FALSE
    Profile:                      IPoEv4
    State:                        BOUND
    Proxy lease:                  3600 secs (01:00:00)
    Proxy lease remaining:        3403 secs (00:56:43)
    Client ID:                    0x00-0x00-0x64-0x01-0x01-0x02
    Access Interface:             Bundle-Ether1.10
    Access VRF:                   default
    VLAN Id:                      10
    Subscriber Label:             0x55
    Subscriber Interface:         Bundle-Ether1.10.ip22

The “show dhcp ipv6 server binding” command shows the IPv6 address allocated from the DHCPv6 local pool.

    RP/0/RSP0/CPU0:bng#show dhcp ipv6 server binding
    Tue Jan 29 12:50:04.560 UTC
    Summary:
    Total number of clients: 1
    DUID : 00030001000064010102
    MAC Address: 0000.6401.0102
    Client Link Local: fe80::200:64ff:fe01:102
    Sublabel: 0x55
       IA ID: 0x0
       STATE: BOUND
       IPv6 Address: 2001::2 (Bundle-Ether1.10)
           lifetime : 600 secs (00:10:00)
           expiration: 399 secs (00:06:39)
    RP/0/RSP0/CPU0:bng#
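The identifiers in this binding are related: the DUID is a DUID-LL wrapping the subscriber MAC, and the link-local address (like the IPv6 Interface ID shown earlier) is the modified EUI-64 form of that MAC. The following Python check is an added example, not part of the original document; the function names and finding labels are hypothetical, and the sample values are the ones printed on this page.

```python
import ipaddress

# Sample bindings (DUID, MAC, client link-local). The first is the BOUND client
# from the output above; the second is the REQUESTING client quoted in a
# comment further down this page.
BINDINGS = [
    ("00030001000064010102", "0000.6401.0102", "fe80::200:64ff:fe01:102"),
    ("0001000114f5d5a61cc1deb5ea5c", "0026.8291.303c", "fe80::1415:dc89:5344:d78d"),
]

DUID_LLT, DUID_LL, HW_ETHERNET = 1, 3, 1


def mac_bytes(text):
    """Turn a MAC in Cisco dotted form (0000.6401.0102) into 6 raw bytes."""
    raw = bytes.fromhex(text.replace(".", "").replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return raw


def eui64_link_local(mac):
    """Modified EUI-64 link-local: flip the U/L bit and insert ff:fe."""
    iid = bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


def duid_link_layer(duid_hex):
    """Return (duid kind, embedded Ethernet address or None) for a hex DUID."""
    raw = bytes.fromhex(duid_hex)
    if len(raw) < 4:
        raise ValueError("DUID too short")
    kind = int.from_bytes(raw[0:2], "big")
    hw = int.from_bytes(raw[2:4], "big")
    if kind == DUID_LLT and hw == HW_ETHERNET and len(raw) == 14:
        return "DUID-LLT", raw[8:]   # a 4-byte timestamp precedes the MAC
    if kind == DUID_LL and hw == HW_ETHERNET and len(raw) == 10:
        return "DUID-LL", raw[4:]
    return f"type-{kind}", None      # other DUID types carry no MAC


def check_binding(duid_hex, mac_text, link_local):
    """List the ways a binding's identifiers disagree with the session MAC."""
    mac = mac_bytes(mac_text)
    _, lladdr = duid_link_layer(duid_hex)
    findings = []
    if lladdr is None:
        findings.append("duid-without-mac")
    elif lladdr != mac:
        findings.append("duid-mac-mismatch")
    if ipaddress.IPv6Address(link_local) != eui64_link_local(mac):
        findings.append("link-local-not-eui64")
    return findings


if __name__ == "__main__":
    for duid, mac, ll in BINDINGS:
        print(mac, duid_link_layer(duid)[0], check_binding(duid, mac, ll) or "consistent")
```

A finding is not proof of spoofing: a host may build its DUID from another interface and use a randomized link-local address. It does show that, for such clients, the source MAC used in "authorize aaa list default identifier source-address-mac" is the only one of these identifiers the BNG observed on the wire.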

 

Related Information

Configuration example and verification provided by Narendiran Rajaram

Xander Thuijs CCIE #6775

Principal Engineer ASR9000, IOS-XR and NCS6000

Comments
smailmilak
Level 4

Hi Dimitris,

I am not Xander but I can try to help you. I went through the same in the past weeks.

I have PPPoE v6 running on BNG with the same version.

I am using prefix-range instead of network for both pools.

I have a framed prefix range with prefix length of /64 and /60 for delegated prefixes. You can of course use /56 for delegated prefixes. 16 bits is maximum for allocation.

pool vrf all ipv6 LLU-KLN-LAN-IPv6-POOL

prefix-length 60

prefix-range 2a02:x:x:: 2a02:x:xf:fff0::   

!

pool vrf all ipv6 LLU-KLN-WAN-IPv6-POOL

prefix-length 64

prefix-range 2a02:x:x:: 2a02:x:x:ffff::

DHCP server should use the subscriber-pppoe interface. Take a look at my config

dhcp ipv6

profile DS_DHCP server

  lease 0 1 0

  dns-server 2a02:27b0:3:a::abcd 2a02:27b0:3:b::abcd

  prefix-pool DS_DELEGATED_POOL

interface subscriber-pppoe profile DS_DHCP

Your dynamic-template can not work like this. This is how it should look like

"ipv6 nd framed-prefix-pool DS_FRAMED_POOL" is when your CPE is using SLAAC for BNG<->CPE link.

Do you want to use SLAAC or DHCP for framed-prefix?

I am not sure if you really need ipv6 nd other-config-flag. For me it's working without, only IPoE is needing this command.

Also enable ipv6 enable on template and access-interface.

dynamic-template

type ppp BNG_DUALSTACK_TEMPLATE

  ppp authentication chap pap

  keepalive 30

  ppp ipcp dns 10.100.35.10 10.100.36.10

  accounting aaa list default type session dual-stack-delay 5

  ipv4 mtu 1492

  ipv6 nd framed-prefix-pool DS_FRAMED_POOL

  ipv6 mtu 1492

  ipv6 enable

  dhcpv6 delegated-prefix-pool DS_DELEGATED_POOL

policy-map is looking a little bit different on my BNG. I have both PPP and DHCPv6 in one class-map and one event-session

class-map type control subscriber match-any MATCH_DS

match protocol ppp dhcpv6

end-class-map

policy-map type control subscriber BNG_DUALSTACK

event session-start match-all

  class type control subscriber MATCH_DS do-until-failure

   1 activate dynamic-template BNG_DUALSTACK_TEMPLATE

  !

!

event session-activate match-all

  class type control subscriber MATCH_DS do-until-failure

   1 authenticate aaa list default

Please try to use my example. I hope that it will help you

p.s. Let's also wait for Xander. He has probably some hints.

Hi Smail,

Thank you for your help.

The interface subscriber-pppoe profile DS_DHCP was the key.

Regarding your other comments:

  • IPv6 was enabled under the dynamic template (the command was omitted from the output I have provided)
  • We are providing framed IPv6 prefixes via SLAAC, so that's the reason we have configured the ipv6 nd framed-prefix-pool LLU-KLN-WAN-IPv6-POOL command under dynamic template.
  • The ipv6 nd other-config-flag command is used for informing the host that DNS server information is available via DHCPv6.

Thanks again.

Dimitris

smailmilak
Level 4

Great,

I am glad that it's working now.

I am not using ipv6 nd other-config-flag for PPPoE and my CPE has both DNS servers which are configured under dhcp ipv6.

Give it a try.

For IPoE it's needed, though.

Smail,

I am not using ipv6 nd other-config-flag for PPPoE and my CPE has both DNS servers which are configured under dhcp ipv6.

I believe it is up to the CPE if it will use the O flag or not.

---

I have also realized that ipv6 mtu xxxx command under dynamic-template doesn't work as expected.

The RA towards the CPE always has 1280 as the MTU value, regardless of the configured value.

I have verified it by debugging ipv6 nd packet detail on the ASR9K.

I can't find a relevant bug. Is this a known behavior?

smailmilak
Level 4

Yes, that is true. I am just curious if it's working without O flag on your CPE. I have only one vendor and would like to know how others are working.

In our case, although we provide CPEs from 3 vendors, it is not forbidden to our customers to use other vendor CPEs from the retail market, so we have decided to enable the O flag in order to be on the safe side.

xthuijs
Cisco Employee

hey dimitris,

that v6 nd mtu is CSCun42256.

trying to find a solution for it.

smail, thanks btw for sharing your expertise!!

cheers

xander

Thanks Xander,

Since the DDTS is private, I have asked from our local AS engineers to provide us more info about it.

It would be helpful if you could make it public.

As you have already been informed, we are performing tests in order to migrate from ASR1K to ASR9K, so I'll probably come back with other issues/questions...

Cheers,

Dimitris

xthuijs
Cisco Employee

hey dimitris, yeah the bug screener hasn't picked up the rne's yet, but it is pretty much the description of your issue.

good to hear you're doing 9k bng! very interesting, as you can see there is quite some experience out there already, so lets make it happen

say tassos mentioned about referencing the template from radius, I don't think it is working, not sure if it was meant to be supported either, but I am verifying.

xander

Alexander Thuijs wrote:

                       

good to hear you're doing 9k bng! very interesting, as you can see there is quite some experience out there already, so lets make it happen

                   

As you know from the past, the real ASR9K bng stress tests will be performed by us, so beware! Hard times are coming...

Alexander Thuijs wrote:

                       

say tassos mentioned about referencing the template from radius, I don't think it is working, not sure if it was meant to be supported either, but I am verifying.

xander

                   

VPDN Template is not supposed to be working via radius, based on the documentation.

We have to find a way to apply it somehow, either by supporting the av-pair or by another way (?).

Hope you are having a pleasant flight

xthuijs
Cisco Employee

hi dimitris,

got confirmation, that this -template is supposed to be working.

If not, I would collect the relevant debugging from radius, and vpdn and open a tac case for this. We may need to file a bug with that debugging info collected.

Also, this is a list of vpdn atts that we support :

Following Un-tagged attributes supported

vpdn-template

vpn-id

vpn-vrf

tunnel-tos-reflect

tunnel-tos-setting

l2tp-clid-mask-method

ip-address-limits

tunnel-preference

ip-addresses

l2tp-tunnel-authen

l2tp-hello-interval

l2tp-cm-local-window-size

l2tp-init-retransmit-retries

l2tp-nosession-timeout

Following are tagged attributes supported.

l2tp-tunnel-password

tunnel-password

tunnel-server-endpoint (Tunnel-Server-Endpoint)

tunnel-id (Tunnel-Client-Auth-ID)

gw-name (Tunnel-Server-Auth-ID)

vpdn-group (Tunnel-Assignment-Id)

tunnel-client-endpoint (Tunnel-Client-Endpoint)

source-ip

tunnel-medium-type (Tunnel-Medium-Type)

tunnel-type (Tunnel-Type)

cheers!

xander

smailmilak
Level 4

Since Friday IPoE with IPv6 is not working. I came to work and wanted to add authorization with circuit and remote id.

After I applied the policy map, only IPv4 worked. Removing authorization again did not help.

Sometimes it happens that the test PC gets an IPv6 address but not for long...it loses it after half of lease time.

I am trying for two days to get it to work...out of desperation I reloaded the BNG

Without service-policy on AC interface and IPv6 enable the test PC gets his IPv6 with SLAAC, so the link is ok.

Sometimes there is this message but it happens not often.

RP/0/RSP0/CPU0:Mar  3 15:03:21.440 : dhcpv6d[1074]: DHCPV6 SERVER: TP598: dhcpv6d_edm_server_bindings_summary_datalist: data to send to client

RP/0/RSP0/CPU0:Mar  3 15:03:21.440 : dhcpv6d[1074]: DHCPV6 SERVER: TP599: dhcpv6d_edm_server_bindings_summary_datalist: Returning EDM data to client

LC/0/0/CPU0:Mar  3 15:03:21.441 : dhcpv6d[152]: DHCPV6 SERVER: TP598: dhcpv6d_edm_server_bindings_summary_datalist: data to send to client

LC/0/0/CPU0:Mar  3 15:03:21.441 : dhcpv6d[152]: DHCPV6 SERVER: TP599: dhcpv6d_edm_server_bindings_summary_datalist: Returning EDM data to client

LC/0/1/CPU0:Mar  3 15:03:21.445 : dhcpv6d[153]: DHCPV6 SERVER: TP598: dhcpv6d_edm_server_bindings_summary_datalist: data to send to client

DUID  : 0001000114f5d5a61cc1deb5ea5c

  MAC Address: 0026.8291.303c

  Client Link Local: fe80::1415:dc89:5344:d78d

  Sublabel: 0x14f

    IA ID: 0x16002682

      STATE: REQUESTING

      IPv6 Address: 2a02:27b0:4060::3 (Bundle-Ether12.996)

        lifetime  : 240 secs (00:04:00)

         expiration: 113 secs (00:01:53

I will try to connect a test pc over a ME switch which is directly connected to BNG. Now it's a L2VPN connection and maybeee something is wrong there. I don't know what it could be anymore.

xthuijs
Cisco Employee

Dimitris: for the ipv6 mtu problem, I may need some additional information from your setup.

A local repro shows things ok, it seems, so we need to verify the programming of the subscriber context from your problematic setup.

Can I ask if you can open a TAC case, reference the DDTS CSCun42256, capture the ipv6 nd packet from the debugs showing that issue and the

show im database detail interface bundle-ether<subscriber interface>

show ipv6 interface  Bundle-Ether100.2.ip29

thanks!

xander

xthuijs
Cisco Employee

Smail, this may be a bug, I had something similar going on earlier too when trying to recreate dimitris' situation for the ipv6 mtu. May need to file a tac case for this one (too) so it can be triaged and followed through...

cheers!

xander

Hi Xander,

Alexander Thuijs wrote:

                       

Dimitris: for the ipv6 mtu problem, I may need some additional information from your setup.

A local repro shows things ok, it seems, so we need to verify the programming of the subscriber context from your problematic setup.

Can I ask if you can open a TAC case, reference the DDTS CSCun42256, capture the ipv6 nd packet from the debugs showing that issue and the

show im database detail interface bundle-ether<subscriber interface>

show ipv6 interface  Bundle-Ether100.2.ip29

thanks!

xander

                   

The command outputs are showing the configured IPv6 MTU value, but the reality is different.

The ASR9K sends 1280 as the IPv6 MTU value.

I have opened SR629375569 regarding this issue. You can find the relevant outputs in the case.

Thanks,

Dimitris
