on 01-14-2014 05:36 AM
This document provides an overview of dual-stack sessions on the ASR9000 BNG, that is, running IPv4 and IPv6 address stacks next to each other for subscriber sessions.
Dual stack refers to the concept of running a subscriber session with an IPv4 address as well as an IPv6 address.
To unravel the complex terminology associated with address assignment, in particular for IPv6, the picture below shows the various address assignment options available.
You can also use the framed-ipv6-address radius attribute to provide an address to the subscriber from radius which then will be advertised
via SLAAC (NA/ND) for both PPPoE and IPoE sessions.
The additional attribute ipv6:ipv6-default-gateway VSA can be used to provide the default router in case no dhcpv6 is used for IPoE sessions.
When it comes to "prefix delegation", that is, having one large IPv6 subnet shared between subscribers who each get a subnet out of it, so to speak, the following addressing example hopefully visualizes how it all ties together.
The following 2 sections provide the configuration for the client side and the WAN side of the CPE:
interface GigabitEthernet0/2
 description to switch fa0/15
 ip address 192.168.1.1 255.255.255.0
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed 100
 media-type rj45
 negotiation auto
 ipv6 address prefix-from-provider ::1:0:0:0:1/64
interface FastEthernet2/0.50
 encapsulation dot1Q 50
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 dhcp client pd prefix-from-provider
In these examples the CPE extends the delegated prefix with ::1:0:0:0:1/64, that is, subnet :1 at /64 with host address ::1, so it perceives itself to be the ".1" and the default gateway.
ipv6 unicast-routing
ipv6 dhcp pool dhcpv6
 prefix-delegation pool dhcpv6-pool1 lifetime 6000 2000
ipv6 route 2001:60:45:28::/64 2005::1
ipv6 route 2001:DB8:1200::/40 2005::1
ipv6 route 200B::/64 2005::1
ipv6 route 2600:80A::9/128 4000::1
ipv6 local pool dhcpv6-pool1 2001:DB8:1200::/40 48
More info on IOS dhcpv6 server:
http://www.cisco.com/en/US/tech/tk872/technologies_configuration_example09186a0080b8a116.shtml
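The address arithmetic behind the CPE and server configuration above, as an added Python example (not part of the original document): it lists the /48 blocks that the /40 local pool can delegate and composes the LAN address that "ipv6 address prefix-from-provider ::1:0:0:0:1/64" yields for a delegated block. Which block a given CPE receives is decided by the server; the blocks picked below and the /56 case are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress


def delegable_blocks(pool: str, delegated_len: int) -> list:
    """All prefixes of length delegated_len inside pool, e.g. the /48s of
    'ipv6 local pool dhcpv6-pool1 2001:DB8:1200::/40 48'."""
    net = ipaddress.IPv6Network(pool)
    return [str(n) for n in net.subnets(new_prefix=delegated_len)]


def lan_address(delegated: str, sub_bits: str) -> str:
    """Address produced by 'ipv6 address <general-prefix> <sub_bits>':
    leading bits come from the delegated prefix, the rest from sub_bits."""
    prefix = ipaddress.IPv6Network(delegated)
    sub = ipaddress.IPv6Interface(sub_bits)
    if sub.network.prefixlen < prefix.prefixlen:
        raise ValueError("interface prefix is shorter than the delegation")
    # Only the bits to the right of the delegated prefix are taken from sub_bits.
    free_bits = (1 << (128 - prefix.prefixlen)) - 1
    addr = int(prefix.network_address) | (int(sub.ip) & free_bits)
    return str(ipaddress.IPv6Interface((addr, sub.network.prefixlen)))


def inside(address: str, prefix: str) -> bool:
    """True if an interface address lies within a prefix such as the pool
    or the static route 2001:DB8:1200::/40 from the server configuration."""
    return ipaddress.IPv6Interface(address).ip in ipaddress.IPv6Network(prefix)


if __name__ == "__main__":
    blocks = delegable_blocks("2001:DB8:1200::/40", 48)
    print(len(blocks), "delegable /48 blocks, for example", blocks[:2])
    # Constructed choice: assume the CPE was handed the second block.
    lan = lan_address(blocks[1], "::1:0:0:0:1/64")
    print("CPE LAN address:", lan, "inside pool:", inside(lan, "2001:DB8:1200::/40"))
    # Constructed /56 delegation: only the low 8 bits of the subnet field remain free.
    print(lan_address("2001:db8:1200:ab00::/56", "::1:0:0:0:1/64"))
```

The same composition tells you which /64 a CPE will source LAN traffic from once you know its delegated prefix, which is the value to use in filters and when reading accounting records.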
Because the ASR9000 treats the 2 stacks as a single subscriber, ONE access request and a SINGLE accounting record are generated for both stacks. This leads to differences in desired operation, for instance when it comes to when to generate an accounting request.
There are 2 key things to consider:
Sample Topology for the configuration example
hostname bng
logging console debugging
Radius server configuration.
Radius server is listening on 5.5.5.2 with auth-port on 1645 and accounting-port on 1646
radius-server host 5.5.5.2 auth-port 1645 acct-port 1646
 key 7 010107000A5955
!
COA server or policy-server with ip-address 5.5.5.2 is running
aaa server radius dynamic-author
 client 5.5.5.2 vrf default server-key 7 03165A0F575D72
!
aaa group server radius RADIUS
 server 5.5.5.2 auth-port 1645 acct-port 1646
!
aaa accounting service default group radius
aaa accounting subscriber default group radius
aaa authorization subscriber default group radius
aaa authentication subscriber default group radius
line console
 stopbits 1
!
DHCPv6 address pool is defined locally within BNG box and local pool is used for ipv6 address assignment to IPv6 BNG clients
pool vrf default ipv6 ipv6_address_pool
 address-range 2001::2 2001::7dff
!
DHCPv4 server with ip address 20.20.20.2 is deployed externally and this ipv4 address should be reachable from BNG device. Routing protocols should take care of reachability of 20.20.20.2 from BNG device. DHCPv4 proxy is configured as follows.
dhcp ipv4
 profile IPoEv4 proxy
  helper-address vrf default 20.20.20.2 giaddr 10.10.10.1
 !
DHCPv4 proxy is enabled on bundle sub-interface
 interface Bundle-Ether1.10 proxy profile IPoEv4
!
The DHCPv6 server is configured, and the DHCPv6 address pool defined earlier is referenced within the DHCPv6 server configuration. The DHCPv6 profile is configured with the address pool as follows.
dhcp ipv6
 profile IPoEv6 server
  address-pool ipv6_address_pool
 !
The DHCPv6 profile, and with it the address pool, is referenced on the bundle sub-interface.
 interface Bundle-Ether1.10 server profile IPoEv6
!
interface Bundle-Ether1
 bundle maximum-active links 1
!
The bundle sub-interface is configured with dot1q encapsulation and a single tag. Subscriber traffic from the CPE should arrive with a single dot1q tag, and this VLAN tag should match VLAN ID 10 configured under the bundle sub-interface. In a dual-stack IPoE configuration, "initiator dhcp" is configured for both ipv4 and ipv6 in l2-connected mode.
The name of the control policy-map is referenced with service-policy.
interface Bundle-Ether1.10
 ipv4 point-to-point
 ipv4 unnumbered Loopback1
 ipv6 enable
 service-policy type control subscriber pm-src-mac
 encapsulation dot1q 10
 ipsubscriber ipv4 l2-connected
  initiator dhcp
 !
 ipsubscriber ipv6 l2-connected
  initiator dhcp
 !
!
Ipv4 address 10.10.10.1 is default-gateway ip address for pool of ipv4 address allocated to dual-stack BNG clients
interface Loopback1
 ipv4 address 10.10.10.1 255.255.255.0
 ipv6 enable
!
interface MgmtEth0/RSP0/CPU0/0
 ipv4 address 9.22.11.3 255.255.0.0
!
interface MgmtEth0/RSP0/CPU0/1
 shutdown
!
Physical interface gigabit0/0/0/0 is configured as bundle interface.
interface GigabitEthernet0/0/0/0
 bundle id 1 mode on
 negotiation auto
 transceiver permit pid all
!
interface GigabitEthernet0/0/0/1
 ipv4 address 20.20.20.1 255.255.255.0
 transceiver permit pid all
!
interface GigabitEthernet0/0/0/5
 ipv4 address 5.5.5.1 255.255.255.0
!
A dual-stack dynamic-template is configured for dual-stack initiation. Under the dual-stack template, "ipv6 enable", the ipv4 unnumbered address and ipv4 uRPF are configured.
dynamic-template
 type ipsubscriber Dual_stack_IPoE
  accounting aaa list default type session periodic-interval 5
  ipv4 verify unicast source reachable-via rx
  ipv4 unnumbered Loopback1
  ipv6 enable
 !
!
A class-map is configured for the dual-stack scenario to match DHCPv6 SOLICIT and DHCPv4 DISCOVER as first-sign-of-life (FSOL) packets.
class-map type control subscriber match-any dual_stack_class_map
 match protocol dhcpv4 dhcpv6
end-class-map
Class-map "dual_stack_class_map" is referenced within the policy-map. When event session-start is hit based on a DHCPv4/DHCPv6 FSOL, template "Dual_stack_IPoE" is activated. The subscriber MAC address is used as the subscriber identification and it is authorized with the AAA server.
policy-map type control subscriber pm-src-mac
 event session-start match-all
  class type control subscriber dual_stack_class_map do-all
   1 activate dynamic-template Dual_stack_IPoE
   2 authorize aaa list default identifier source-address-mac password cisco
  !
 !
end-policy-map
!
end
The "show subscriber session all" command shows the active ipv4/ipv6 client session.
RP/0/RSP0/CPU0:bng#show subscriber session all
Tue Jan 29 12:49:25.237 UTC
Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
       ID - Idle, DN - Disconnecting, ED - End

Type         Interface                State     Subscriber IP Addr / Prefix
                                                LNS Address (Vrf)
--------------------------------------------------------------------------------
IP:DHCP      BE1.10.ip22              AC        10.10.10.10 (default)
                                                2001::2 (default)
The command "show subscriber session all detail" should show the ipv4/ipv6 client session in detail.
RP/0/RSP0/CPU0:bng#show subscriber session all deta
Tue Jan 29 12:49:27.752 UTC
Interface:                Bundle-Ether1.10.ip22
Circuit ID:               Unknown
Remote ID:                Unknown
Type:                     IP: DHCP-trigger
IPv4 State:               Up, Tue Jan 29 12:46:32 2013
IPv4 Address:             10.10.10.10, VRF: default
IPv6 State:               Up, Tue Jan 29 12:46:42 2013
IPv6 Address:             2001::2, VRF: default
IPv6 Interface ID:        ..d..... (02 00 64 ff fe 01 01 02)
Mac Address:              0000.6401.0102
Account-Session Id:       0000001c
Nas-Port:                 Unknown
User name:                0000.6401.0102
Outer VLAN ID:            10
Subscriber Label:         0x00000055
Created:                  Tue Jan 29 12:46:32 2013
State:                    Activated
Authentication:           unauthenticated
Access-interface:         Bundle-Ether1.10
Policy Executed:
policy-map type control subscriber pm-src-mac
  event Session-Start match-all [at Tue Jan 29 12:46:32 2013]
    class type control subscriber dual_stack_class_map do-all [Succeeded]
      1 activate dynamic-template Dual_stack_IPoE [Succeeded]
      2 authorize aaa list default [Succeeded]
Session Accounting:
  Acct-Session-Id:          0000001c
  Method-list:              default
  Accounting started:       Tue Jan 29 12:46:32 2013
  Interim accounting:       On, interval 1 mins
    Last successful update: Tue Jan 29 12:48:34 2013
    Next update in:         00:00:06 (dhms)
Last COA request received: unavailable
”show dhcp ipv4 proxy binding” command is going to show ipoev4 clients created with ip-address and mac-address, interface on which it is created, vrf-name etc
RP/0/RSP0/CPU0:bng#show dhcp ipv4 proxy binding
Tue Jan 29 12:49:42.955 UTC

                                        Lease
MAC Address    IP Address     State     Remaining Interface           VRF       Sublabel
-------------- -------------- --------- --------- ------------------- --------- ----------
0000.6401.0102 10.10.10.10    BOUND     3409      BE1.10              default   0x55

RP/0/RSP0/CPU0:bng#show dhcp ipv4 proxy binding de
Tue Jan 29 12:49:49.498 UTC
MAC Address:                 0000.6401.0102
VRF:                         default
Server VRF:                  default
IP Address:                  10.10.10.10
Giaddr from client:          0.0.0.0
Giaddr to server:            10.10.10.1
Server IP Address:           20.20.20.2
Server IP Address to client: 10.10.10.1
ReceivedCircuit ID:          -
InsertedCircuit ID:          -
ReceivedRemote ID:           -
InsertedRemote ID:           -
ReceivedVSISO:               -
InsertedVSISO:               -
Auth. on received relay info:FALSE
Profile:                     IPoEv4
State:                       BOUND
Proxy lease:                 3600 secs (01:00:00)
Proxy lease remaining:       3403 secs (00:56:43)
Client ID:                   0x00-0x00-0x64-0x01-0x01-0x02
Access Interface:            Bundle-Ether1.10
Access VRF:                  default
VLAN Id:                     10
Subscriber Label:            0x55
Subscriber Interface:        Bundle-Ether1.10.ip22
“show dhcp ipv6 server binding” is going to show ipv6 address allocated from DHCPv6 local pool
RP/0/RSP0/CPU0:bng#show dhcp ipv6 server binding
Tue Jan 29 12:50:04.560 UTC
Summary:
  Total number of clients: 1
DUID :              00030001000064010102
MAC Address:        0000.6401.0102
Client Link Local:  fe80::200:64ff:fe01:102
Sublabel:           0x55
  IA ID:            0x0
  STATE:            BOUND
  IPv6 Address:     2001::2 (Bundle-Ether1.10)
    lifetime :      600 secs (00:10:00)
    expiration:     399 secs (00:06:39)
RP/0/RSP0/CPU0:bng#
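The outputs above describe one subscriber (Sublabel 0x55) through different identifiers: the MAC address in the DHCPv4 binding, the IPv6 interface ID in the session detail, and the DUID and client link-local address in the DHCPv6 binding. The following Python example, added here and not part of the original document, shows how they relate (modified EUI-64 and a link-layer based DUID) and flags a binding whose identifiers do not agree. Function names are hypothetical and the mismatching DUID is constructed; since a client may use another DUID type or a non-EUI-64 interface ID, a finding marks a session to look at, not an error.

```python
import ipaddress


def mac_bytes(mac: str) -> bytes:
    """Parse 0000.6401.0102 or 00:00:64:01:01:02 style MAC addresses."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: flip the universal/local bit and insert ff:fe."""
    m = mac_bytes(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]


def link_local(mac: str) -> str:
    """fe80::/64 address built from the EUI-64 interface ID of the MAC."""
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64_interface_id(mac)))


def duid_mac(duid_hex: str):
    """MAC embedded in an Ethernet DUID-LLT (type 1) or DUID-LL (type 3),
    or None for any other DUID form."""
    d = bytes.fromhex(duid_hex)
    if len(d) < 4 or d[2:4] != b"\x00\x01":      # hardware type 1 = Ethernet
        return None
    if d[0:2] == b"\x00\x03" and len(d) == 10:   # DUID-LL: type, hw type, MAC
        return d[4:]
    if d[0:2] == b"\x00\x01" and len(d) == 14:   # DUID-LLT: 4-byte time before MAC
        return d[8:]
    return None


def check_binding(v4_mac: str, duid_hex: str, client_ll: str) -> list:
    """Compare the DHCPv4 MAC with the DHCPv6 DUID and link-local address."""
    findings = []
    embedded = duid_mac(duid_hex)
    if embedded is None:
        findings.append("DUID carries no Ethernet link-layer address")
    elif embedded != mac_bytes(v4_mac):
        findings.append("DUID MAC differs from DHCPv4 MAC")
    if ipaddress.IPv6Address(client_ll) != ipaddress.IPv6Address(link_local(v4_mac)):
        findings.append("link-local is not the EUI-64 of the DHCPv4 MAC")
    return findings


if __name__ == "__main__":
    # Values taken from the show outputs above.
    print(eui64_interface_id("0000.6401.0102").hex())
    print(check_binding("0000.6401.0102", "00030001000064010102", "fe80::200:64ff:fe01:102"))
    # Constructed mismatch: same DHCPv4 MAC, DUID-LL carrying another address.
    print(check_binding("0000.6401.0102", "000300010000640101ff", "fe80::200:64ff:fe01:102"))
```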
Configuration example and verification provided by Narendiran Rajaram
Xander Thuijs CCIE #6775
Principal Engineer ASR9000, IOS-XR and NCS6000
thanks dimitris! I connected with the tac eng also and this info provided is useful
to continue with.
We'll keep you informed via the tac case.
thanks
xander
Hi,
I have opened a TAC case today and got a good engineer. It's SR 629372343.
I will connect tomorrow directly without L2VPN, just to be sure that the problem is not somewhere else.
I had a weird problem with IPv4 before where only subscribers connected through an AP could reach the internet and wired connected subscribers could not reach anything. Problem was with VPLS config. With EoMPLS it's fine....
Hi Xander,
Alexander Thuijs wrote:
hi dimitris,
got confirmation, that this -template is supposed to be working.
If not, I would collect the relevant debugging from radius, and vpdn and open a tac case for this. We may need to file a bug with that debugging info collected.
cheers!xander
FYI, regarding the vpdn issue, we have opened SR629388323.
Thanks,
Dimitris
Hi Xander,
New question:
Although the "show subscriber session all" command output includes very useful information (which was very difficult to gather in an ASR1K), the correlation between the framed ip address + framed ipv6 prefix + delegated ipv6 prefix and the username/circuit-id is not available by executing just one simple command.
Of course there is "sh subscriber session filter username xxxx detail" which gives many info, but this output is quite big for the call center agents to handle, so I would like to ask you if there is (or if there is in your plans to introduce) a command with similar output with "show subscriber session all" command, adding the username/circuit-id information.
For example, the output could be like the following:
Type         Interface               Username/    State   Subscriber IP Addr / Prefix
                                     Circuit ID           LNS Address (Vrf)
---------------------------------------------------------------------------------------------------------------------------------------
PPPoE:PTA    BE1.33211199.pppoe62    xxxxx        AC      1.2.3.4 (default)
                                     yyyyy                2a02:2149:zzz:zzz::/64 (default)
                                                          2a02:2149:zzz:zzz::/56 (default)
where xxxxx the username and yyyyy the circuit ID.
Additionally, since this output needs more than one line per session, it would be nice if there was a variable that permits you to get the above output for a specific username.
Regards,
Dimitris
Your request makes sense and I think something is there already...
have you seen this?
RP/0/RSP0/CPU0:A9K-BNG#show subscr ses all username
Thu Mar 6 19:16:22.913 EDT
Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
ID - Idle, DN - Disconnecting, ED - End
Type Interface State User name
--------------------------------------------------------------------------------
PPPoE:PTA BE100.30.pppoe1 AC dialer@cisco.com
IP:DHCP BE100.2.ip33 AC 0006.2aaa.2438#000400020064#testme
xander
Hi Xander,
I have already seen this command. Unfortunately it doesn't include framed ip address + framed ipv6 prefix + delegated ipv6 prefix nor circuit-id
Regards,
Dimitris
I see, yeah it is a 2/3 step process.
I just filed CSCun59675 to create a new show subscriber command that prints that detail a-la the ios show user.
regards
xander
Thank you Xander
Hi Dimitris,
I wanted to let you know that we are in the process of committing the changes to the show subscriber session all username command to include the username and address.
there was no room for circuit and remote ID, but hopefully this accommodates your need:
RP/0/0/CPU0:server#show subscriber session all username
Thu Mar 13 16:25:21.861 IST
Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
ID - Idle, DN - Disconnecting, ED - End
Username Interface State Subscriber IP Addr / Prefix
LNS Address (Vrf)
--------------------------------------------------------------------------------
basic@cisco.com Gi0/0/0/0.pppoe1 AC 10.0.0.2 (default)
basic@cisco.com Gi0/0/0/0.pppoe2 AC 10.0.0.3 (default)
basic@cisco.com Gi0/0/0/0.pppoe3 AC 10.0.0.1 (default)
xander
Hi Xander, can you please tell me if can you recommend to use 5.1.1 instead of 4.3.4? There is this bug CSCum26074 (FT. comm. failure etc) which is severity 1 but there is no fix (SMU) for that in 4.3.4. We upgraded a 9k to 5.1.1 because we hit this bug few days ago. Some new BNG features are also the reason why we would like to upgrade to 5.1.1. IPoE IPv6 is still not working. Cisco TAC and BU is working on it.
Nevermind. Today we tried with 5.1.1 and PPPoEv6 was not working, IPoEv6 also. We downgraded to 4.3.4, lost all vrfs in the process :).
Regarding IPoEv6, after two webex sessions nothing new. Linux host gets an IPv6 when properly configured but Windows 7 is not able to get an IPv6 address from BNG.
SMU has been released for this bug, we used it and it helped. asr9k-px-4.3.4.CSCum26074.tar
Here is the link: http://software.cisco.com/download/release.html?mdfid=282414851&flowid=&softwareid=280867577&os=null&release=4.3.4&relind=null&rellifecycle=null&reltype=null
Hi,
yes it's out and we patched it last week.
Fortunately no reload was necessary.
Hello All
I tried both Dimitris's configuration and smailmilak's configuration, but I don't get the expected IPv6 configuration. Only SLAAC seems OK, but no delegated IPv6 address on my CPE.
Someone can help me ?
Here is my configuration
!
pool vrf default ipv6 POOL_V6_WAN_PPPOE
 prefix-length 64
 network 2403:200:200::/48
!
pool vrf default ipv6 POOL_V6_LAN_PD_PPPOE
 prefix-length 56
 network 2403:200:300::/40
!
dhcp ipv6
 profile DHCPV6_LOCAL_SERVER server
  lease 2
  dns-server 2403:200:106::153 2403:200:101::153
  prefix-pool POOL_V6_LAN_PD_PPPOE
 !
 interface subscriber-pppoe profile DHCPV6_LOCAL_SERVER
!
dynamic-template
 type ppp PPPOE_TEMPLATE
  ppp authentication chap pap
  qos output minimum-bandwidth 20
  accounting aaa list default type session
  ipv4 mtu 1492
  ipv4 unnumbered Loopback0
  ipv6 nd other-config-flag
  ipv6 nd framed-prefix-pool POOL_V6_WAN_PPPOE
  ipv6 nd managed-config-flag
  ipv6 mtu 1492
  ipv6 enable
  dhcpv6 delegated-prefix-pool POOL_V6_LAN_PD_PPPOE
  multicast ipv4 passive
  igmp query-interval 60
 !
!
pppoe bba-group INTERNET_PPPOE
 mtu 1492
 service selection disable
!
interface Bundle-Ether10.456
 ipv6 enable
 service-policy type control subscriber PPPOE_PM
 pppoe enable bba-group INTERNET_PPPOE
 encapsulation dot1q 456
!
!
interface Loopback0
 ipv4 address 113.20.32.234 255.255.255.255
 ipv6 address 2403:200::8/128
 ipv6 enable
!
class-map type control subscriber match-any PPPOE_CM
 match protocol ppp dhcpv6
end-class-map
!
class-map type control subscriber match-any DHCP_CM_V4
 match protocol dhcpv4
end-class-map
!
policy-map type control subscriber PPPOE_PM
 event session-start match-all
  class type control subscriber PPPOE_CM do-all
   10 activate dynamic-template PPPOE_TEMPLATE
  !
 event session-activate match-all
  class type control subscriber PPPOE_CM do-all
   10 authenticate aaa list default
  !
 !
end-policy-map
!
After PPP session up on DSL CPE, I have only WAN ipv6 address:
Type Interface State Subscriber IP Addr / Prefix
LNS Address (Vrf)
--------------------------------------------------------------------------------
PPPoE:PTA BE10.456.pppoe683 AC 113.20.34.10 (default)
2403:200:200:8::/64 (default)
LAN-delegate prefix are not provided by DHCP Server configured on router.
Can someone help me ?
Another problem is that the CPE WAN interface can ping only the connected IPv6 address on the BNG, whereas the IPv6 WAN and LAN subnets are advertised on the whole network.
Any idea ?
Thanks
Jean-Paul
Hi,
I have a really weird problem, at least for me.
On BNG we have two VRF (ipoe, dualstack). On every VRF is a static route pointing to Null0 for summarization and this static route is redistributed via OSPF. RPL is used for redistribution control.
The weird thing is that on the neighbor router I have a route which is e.g. in vrf dualstack but I have two next-hops: the interface which is in dualstack and the one which is in vrf ipoe.
So how can it be possible that the next-hop is an interface which does not have this route in its routing table? I double checked everything and this route is not in the local routing table, so it can not tell the neighboring router about this route.
Edit:
Two separate OSPFv3 processes solved the issue.
Hi,
so you double checked DHCPv6 config on the modem?
ipv6 nd managed-config-flag is not needed in my case. I use it only for IPoE v6 (which is not working because of a weird bug).
show us show subscriber session filter XX detail internal
Also show dhcp ipv6 server binding