xthuijs
Cisco Employee

Introduction

This document provides an overview of dual-stack sessions on the ASR9000 BNG, where IPv4 and IPv6 address stacks run next to each other for subscriber sessions.

Dual Stack

Dual stack refers to the concept of running a subscriber session with an IPv4 address as well as an IPv6 address.

Deployment models and general concept

Screen Shot 2014-01-14 at 8.46.52 AM.png

Address Assignment

To unravel the complex terminology associated with address assignment, in particular for IPv6, the picture below shows the various address assignment options available.

Screen Shot 2014-01-14 at 8.47.07 AM.png

You can also use the framed-ipv6-address RADIUS attribute to provide an address to the subscriber from RADIUS, which will then be advertised via SLAAC (NA/ND) for both PPPoE and IPoE sessions.

The additional ipv6:ipv6-default-gateway VSA can be used to provide the default router in case no DHCPv6 is used for IPoE sessions.

IPv6 Addressing

When it comes to "prefix delegation", that is, having a large IPv6 subnet that is shared between subscribers who each get a subnet out of that subnet, so to speak, the following addressing example hopefully visualizes how it all ties together.

Addressing mapping

Slide1.jpg

Configuration CPE

The following 2 sections provide the configuration for the client side and the WAN side of the CPE.

PC client side of the CPE

interface GigabitEthernet0/2
 description to switch fa0/15
 ip address 192.168.1.1 255.255.255.0
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed 100
 media-type rj45
 negotiation auto
 ipv6 address prefix-from-provider ::1:0:0:0:1/64
 ipv6 enable

 

WAN side of the CPE

interface FastEthernet2/0.50
 encapsulation dot1Q 50
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 dhcp client pd prefix-from-provider

 

In these examples we are expanding the delegated prefix with a :1/64, and we consider ourselves to be the ".1" and the default gateway.

Configuration DHCPv6 Server

ipv6 unicast-routing
ipv6 dhcp pool dhcpv6
 prefix-delegation pool dhcpv6-pool1 lifetime 6000 2000
ipv6 route 2001:60:45:28::/64 2005::1
ipv6 route 2001:DB8:1200::/40 2005::1
ipv6 route 200B::/64 2005::1
ipv6 route 2600:80A::9/128 4000::1
ipv6 local pool dhcpv6-pool1 2001:DB8:1200::/40 48

More info on IOS dhcpv6 server:

http://www.cisco.com/en/US/tech/tk872/technologies_configuration_example09186a0080b8a116.shtml
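
To make the addressing above concrete, the following added example (not part of the original document) uses Python's ipaddress module to list the /48 prefixes that the dhcpv6-pool1 local pool can delegate and to compute the LAN address the CPE derives from "ipv6 address prefix-from-provider ::1:0:0:0:1/64". The function names are illustrative, and rejecting a suffix that overlaps the delegated bits is a sanity check chosen for this example, not documented IOS behaviour.

```python
import ipaddress
from itertools import islice


def pool_capacity(pool, delegated_len):
    """How many prefixes of length delegated_len fit in the local pool."""
    net = ipaddress.IPv6Network(pool)
    if not net.prefixlen <= delegated_len <= 128:
        raise ValueError("delegated length must not be shorter than the pool")
    return 2 ** (delegated_len - net.prefixlen)


def delegations(pool, delegated_len, count):
    """First `count` prefixes a pool such as
    'ipv6 local pool dhcpv6-pool1 2001:DB8:1200::/40 48' can hand out."""
    net = ipaddress.IPv6Network(pool)
    return list(islice(net.subnets(new_prefix=delegated_len), count))


def apply_general_prefix(delegated, suffix):
    """Combine a delegated prefix with the suffix from
    'ipv6 address <general-prefix> <suffix>/<len>' on the CPE LAN side."""
    d = ipaddress.IPv6Network(delegated)
    s = ipaddress.IPv6Interface(suffix)
    if s.network.prefixlen < d.prefixlen:
        raise ValueError("interface prefix is shorter than the delegation")
    # Bits the CPE is free to set: everything right of the delegated prefix.
    free_bits = (1 << (128 - d.prefixlen)) - 1
    if int(s.ip) & ~free_bits:
        # Example-only check: the suffix would collide with provider bits.
        raise ValueError("suffix overlaps the delegated prefix bits")
    addr = ipaddress.IPv6Address(int(d.network_address) | int(s.ip))
    return ipaddress.IPv6Interface(f"{addr}/{s.network.prefixlen}")


if __name__ == "__main__":
    pool, plen = "2001:DB8:1200::/40", 48          # values from the page
    print("delegations available:", pool_capacity(pool, plen))
    for pd in delegations(pool, plen, 3):
        lan = apply_general_prefix(pd, "::1:0:0:0:1/64")
        print(f"delegated {pd} -> CPE LAN address {lan}")
```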

Operation and Call Flow

Because the ASR9000 treats the 2 stacks as a single subscriber, ONE access request and a SINGLE accounting record are generated for both stacks. As a result, the desired operation can differ when it comes to, for instance, when to generate an accounting request.

There are 2 key things to consider:

  • When the first AF comes up, an access-request is generated. The access-accept should contain BOTH ipv4 and ipv6 information for the session, although there may not yet be a request for the other AF.
  • An accounting-start can be generated as soon as the first AF comes up; we can wait for a determined period of time and generate a single accounting start record for BOTH AFs; or we can send a triggered interim accounting record when the second AF comes up.

Call Flows

Dual stack generic call flow

Screen Shot 2014-01-14 at 8.46.33 AM.png

PPPoE DS detailed call flow SLAAC based address assignment

Screen Shot 2014-01-14 at 9.07.40 AM.png

PPPoE DS detailed call flow DHCPv6 based address assignment

Screen Shot 2014-01-14 at 8.57.06 AM.png

IPoE DS detailed callflow IPv4 AF starts first

Screen Shot 2014-01-14 at 8.57.30 AM.png

IPoE DS detailed callflow IPv6 AF starts first

Screen Shot 2014-01-14 at 8.57.36 AM.png

Sample Scenario

Sample Topology for the configuration example

Screen Shot 2014-01-14 at 8.39.37 AM.png

Configuration

hostname bng
logging console debugging

Radius server configuration.

The RADIUS server is listening on 5.5.5.2 with auth-port 1645 and accounting-port 1646.

radius-server host 5.5.5.2 auth-port 1645 acct-port 1646
 key 7 010107000A5955
!

A CoA server or policy server with IP address 5.5.5.2 is running.

aaa server radius dynamic-author
 client 5.5.5.2 vrf default server-key 7 03165A0F575D72
!
aaa group server radius RADIUS
 server 5.5.5.2 auth-port 1645 acct-port 1646
!
aaa accounting service default group radius
aaa accounting subscriber default group radius
aaa authorization subscriber default group radius
aaa authentication subscriber default group radius
line console
 stopbits 1
!

The DHCPv6 address pool is defined locally on the BNG, and this local pool is used for IPv6 address assignment to IPv6 BNG clients.

pool vrf default ipv6 ipv6_address_pool
 address-range 2001::2 2001::7dff
!

 

The DHCPv4 server with IP address 20.20.20.2 is deployed externally, and this IPv4 address should be reachable from the BNG device. Routing protocols should take care of the reachability of 20.20.20.2 from the BNG device. The DHCPv4 proxy is configured as follows.

dhcp ipv4
 profile IPoEv4 proxy
  helper-address vrf default 20.20.20.2 giaddr 10.10.10.1
 !

The DHCPv4 proxy is enabled on the bundle sub-interface.

 interface Bundle-Ether1.10 proxy profile IPoEv4
!

The DHCPv6 server is configured, and the DHCPv6 address pool defined earlier is referenced within the DHCPv6 server configuration. The DHCPv6 profile is configured with the address pool as follows.

dhcp ipv6
 profile IPoEv6 server
  address-pool ipv6_address_pool
 !

The DHCPv6 profile with the address pool is referenced on the bundle sub-interface.

 interface Bundle-Ether1.10 server profile IPoEv6
!

interface Bundle-Ether1
 bundle maximum-active links 1
!

The bundle sub-interface is configured with single-tag dot1q encapsulation. Subscriber traffic from the CPE should arrive with a single dot1q tag, and this VLAN tag should match VLAN ID 10 configured under the bundle sub-interface. In a dual-stack IPoE configuration, "initiator dhcp" is configured under both the ipv4 and ipv6 l2-connected modes.

The name of the policy-map type control is referenced with service-policy.

interface Bundle-Ether1.10
 ipv4 point-to-point
 ipv4 unnumbered Loopback1
 ipv6 enable
 service-policy type control subscriber pm-src-mac
 encapsulation dot1q 10
 ipsubscriber ipv4 l2-connected
  initiator dhcp
 !
 ipsubscriber ipv6 l2-connected
  initiator dhcp
 !
!

IPv4 address 10.10.10.1 is the default-gateway IP address for the pool of IPv4 addresses allocated to dual-stack BNG clients.

interface Loopback1
 ipv4 address 10.10.10.1 255.255.255.0
 ipv6 enable
!
interface MgmtEth0/RSP0/CPU0/0
 ipv4 address 9.22.11.3 255.255.0.0
!
interface MgmtEth0/RSP0/CPU0/1
 shutdown
!

Physical interface gigabit0/0/0/0 is configured as a bundle member.

interface GigabitEthernet0/0/0/0
 bundle id 1 mode on
 negotiation auto
 transceiver permit pid all
!
interface GigabitEthernet0/0/0/1
 ipv4 address 20.20.20.1 255.255.255.0
 transceiver permit pid all
!
interface GigabitEthernet0/0/0/5
 ipv4 address 5.5.5.1 255.255.255.0
!

The dual-stack dynamic-template is configured for dual-stack initiation. "ipv6 enable", the ipv4 unnumbered address and ipv4 uRPF are configured under the dual-stack template.

dynamic-template
 type ipsubscriber Dual_stack_IPoE
  accounting aaa list default type session periodic-interval 5
  ipv4 verify unicast source reachable-via rx
  ipv4 unnumbered Loopback1
  ipv6 enable
 !
!

The class-map is configured for the dual-stack scenario to match DHCPv6 SOLICIT and DHCPv4 DISCOVER as the sign-of-life packet.

class-map type control subscriber match-any dual_stack_class_map
 match protocol dhcpv4 dhcpv6
 end-class-map
!

Class-map "dual_stack_class_map" is referenced within the policy-map. When the session-start event is hit based on the DHCPv4/DHCPv6 FSOL, template "Dual_stack_IPoE" is activated. The subscriber MAC address is used as the subscriber identification, and it is authorized with the AAA server.

policy-map type control subscriber pm-src-mac
 event session-start match-all
  class type control subscriber dual_stack_class_map do-all
   1 activate dynamic-template Dual_stack_IPoE
   2 authorize aaa list default identifier source-address-mac password cisco
  !
 !
 end-policy-map
!
end

 

Verification example

The "show subscriber session all" command shows the active ipv4/ipv6 client session.

RP/0/RSP0/CPU0:bng#show subscriber session all
Tue Jan 29 12:49:25.237 UTC
Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
       ID - Idle, DN - Disconnecting, ED - End

Type         Interface               State     Subscriber IP Addr / Prefix
                                               LNS Address (Vrf)
--------------------------------------------------------------------------------
IP:DHCP      BE1.10.ip22             AC        10.10.10.10 (default)
                                               2001::2 (default)

     

 

The "show subscriber session all detail" command shows the ipv4/ipv6 client details.

RP/0/RSP0/CPU0:bng#show subscriber session all deta
Tue Jan 29 12:49:27.752 UTC
Interface:                Bundle-Ether1.10.ip22
Circuit ID:               Unknown
Remote ID:                Unknown
Type:                     IP: DHCP-trigger
IPv4 State:               Up, Tue Jan 29 12:46:32 2013
IPv4 Address:             10.10.10.10, VRF: default
IPv6 State:               Up, Tue Jan 29 12:46:42 2013
IPv6 Address:             2001::2, VRF: default
IPv6 Interface ID:        ..d..... (02 00 64 ff fe 01 01 02)
Mac Address:              0000.6401.0102
Account-Session Id:       0000001c
Nas-Port:                 Unknown
User name:                0000.6401.0102
Outer VLAN ID:            10
Subscriber Label:         0x00000055
Created:                  Tue Jan 29 12:46:32 2013
State:                    Activated
Authentication:           unauthenticated
Access-interface:         Bundle-Ether1.10
Policy Executed:
policy-map type control subscriber pm-src-mac
 event Session-Start match-all [at Tue Jan 29 12:46:32 2013]
  class type control subscriber dual_stack_class_map do-all [Succeeded]
   1 activate dynamic-template Dual_stack_IPoE [Succeeded]
   2 authorize aaa list default [Succeeded]
Session Accounting:
Acct-Session-Id:          0000001c
Method-list:              default
Accounting started:       Tue Jan 29 12:46:32 2013
Interim accounting:       On, interval 1 mins
  Last successful update: Tue Jan 29 12:48:34 2013
  Next update in:         00:00:06 (dhms)
Last COA request received: unavailable

The "show dhcp ipv4 proxy binding" command shows the IPoEv4 clients created, with their IP address and MAC address, the interface on which each was created, the VRF name, etc.

RP/0/RSP0/CPU0:bng#show dhcp ipv4 proxy binding
Tue Jan 29 12:49:42.955 UTC

                                          Lease
MAC Address     IP Address      State     Remaining  Interface            VRF       Sublabel
--------------  --------------  --------- ---------  -------------------  --------- ----------
0000.6401.0102  10.10.10.10     BOUND     3409       BE1.10               default   0x55

RP/0/RSP0/CPU0:bng#show dhcp ipv4 proxy binding de
Tue Jan 29 12:49:49.498 UTC
MAC Address:                 0000.6401.0102
VRF:                         default
Server VRF:                  default
IP Address:                  10.10.10.10
Giaddr from client:          0.0.0.0
Giaddr to server:            10.10.10.1
Server IP Address:           20.20.20.2
Server IP Address to client: 10.10.10.1
ReceivedCircuit ID:          -
InsertedCircuit ID:          -
ReceivedRemote ID:           -
InsertedRemote ID:           -
ReceivedVSISO:               -
InsertedVSISO:               -
Auth. on received relay info:FALSE
Profile:                     IPoEv4
State:                       BOUND
Proxy lease:                 3600 secs (01:00:00)
Proxy lease remaining:       3403 secs (00:56:43)
Client ID:                   0x00-0x00-0x64-0x01-0x01-0x02
Access Interface:            Bundle-Ether1.10
Access VRF:                  default
VLAN Id:                     10
Subscriber Label:            0x55
Subscriber Interface:        Bundle-Ether1.10.ip22

The "show dhcp ipv6 server binding" command shows the IPv6 address allocated from the DHCPv6 local pool.

RP/0/RSP0/CPU0:bng#show dhcp ipv6 server binding
Tue Jan 29 12:50:04.560 UTC
Summary:
Total number of clients: 1
DUID : 00030001000064010102
MAC Address: 0000.6401.0102
Client Link Local: fe80::200:64ff:fe01:102
Sublabel: 0x55
  IA ID: 0x0
  STATE: BOUND
  IPv6 Address: 2001::2 (Bundle-Ether1.10)
      lifetime : 600 secs (00:10:00)
      expiration: 399 secs (00:06:39)
RP/0/RSP0/CPU0:bng#
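
The three outputs above describe one subscriber, and the fields can be cross-checked against the MAC address that the policy uses as the subscriber identity. The following added example (not part of the original document) decodes the DUID from the DHCPv6 binding, derives the EUI-64 interface ID and link-local address from the MAC, and reports any field that does not line up. The dictionaries hold values copied from the outputs above; the function names, dictionary keys and the final mismatching DUID are constructed for illustration.

```python
import ipaddress


def parse_mac(text):
    """Parse Cisco dotted notation (0000.6401.0102) into 6 bytes."""
    digits = text.lower()
    for sep in ".-:":
        digits = digits.replace(sep, "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return bytes.fromhex(digits)


def mac_from_duid(duid_hex):
    """Return the Ethernet address inside a DUID-LLT (type 1) or DUID-LL
    (type 3) as defined in RFC 8415, or None if the DUID carries none."""
    raw = bytes.fromhex(duid_hex)
    if len(raw) < 4:
        raise ValueError("DUID too short")
    duid_type = int.from_bytes(raw[0:2], "big")
    hw_type = int.from_bytes(raw[2:4], "big")
    if duid_type == 3:
        link_layer = raw[4:]
    elif duid_type == 1:
        link_layer = raw[8:]          # skip the 4-byte timestamp
    else:
        return None                   # DUID-EN, DUID-UUID
    return link_layer if hw_type == 1 and len(link_layer) == 6 else None


def eui64_interface_id(mac):
    """Modified EUI-64: insert ff:fe and flip the universal/local bit."""
    iid = bytearray(mac[:3] + b"\xff\xfe" + mac[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local(mac):
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64_interface_id(mac))


def correlate(session, v4, v6):
    """List the inconsistencies between session, DHCPv4 and DHCPv6 views."""
    mac, problems = parse_mac(session["mac"]), []
    if parse_mac(v4["mac"]) != mac:
        problems.append("DHCPv4 binding MAC differs from session MAC")
    if parse_mac(v6["mac"]) != mac:
        problems.append("DHCPv6 binding MAC differs from session MAC")
    duid_mac = mac_from_duid(v6["duid"])
    if duid_mac is None:
        problems.append("DUID carries no Ethernet link-layer address")
    elif duid_mac != mac:
        problems.append("DUID link-layer address differs from session MAC")
    if ipaddress.IPv6Address(v6["link_local"]) != link_local(mac):
        problems.append("client link-local is not EUI-64 of session MAC")
    if bytes.fromhex(session["interface_id"].replace(" ", "")) != eui64_interface_id(mac):
        problems.append("session interface ID is not EUI-64 of session MAC")
    if len({int(x["label"], 16) for x in (session, v4, v6)}) != 1:
        problems.append("subscriber label differs between the outputs")
    return problems


# Values copied from the show outputs above.
SESSION = {"mac": "0000.6401.0102", "label": "0x00000055",
           "interface_id": "02 00 64 ff fe 01 01 02"}
V4 = {"mac": "0000.6401.0102", "label": "0x55"}
V6 = {"mac": "0000.6401.0102", "label": "0x55",
      "duid": "00030001000064010102", "link_local": "fe80::200:64ff:fe01:102"}
# Constructed for illustration: same binding with a DUID embedding another MAC.
V6_ODD_DUID = dict(V6, duid="0003000100006401ffff")

if __name__ == "__main__":
    print(correlate(SESSION, V4, V6))
    print(correlate(SESSION, V4, V6_ODD_DUID))
```

A DUID is chosen by the client and may legitimately embed the address of a different interface, so a mismatch reported here is a prompt to look closer, not proof of a problem.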

 

Related Information

Configuration example and verification provided by Narendiran Rajaram

Xander Thuijs CCIE #6775

Principal Engineer ASR9000, IOS-XR and NCS6000

Comments
xthuijs
Cisco Employee

Hi Joerg,

I assume you have an asr1k or IOS based device on the LNS side correct?

If so, then you can either use the ipv6-prefix vsa or the framed-ipv6-address attribute to assign a static address. Here a sample:

joerg.micheel
Level 1

Hi Xander ,

 

Yes, you are right. It's a AS1K. So far with the CPE it is working. Here is the output:

Dialer3                [up/up]
    FE80::8
    2001:2:2::8 <<<<< This is configured on the Radius Server with Framed-IPv6-Prefix and Interface-Id

 

But the other side the LNS has only a link local Address on the Virtual-Access Interface:

Virtual-Access2.4          [up/up]
    FE80::F2F7:55FF:FE98:F500
 

 

So how can I configure the router so that the Virtual-Access interface also gets a global IP address with the same prefix and another interface ID as the CPE?

Thx for an answer or an example

Cheers joerg


 

 

 

xthuijs
Cisco Employee

joerg, I have some answers and examples for you, but this support forum only seems to allow an x number of replies per thread or so, so I can't reply to your note and share the detail I want to. Could you raise a new discussion on the xr os and platforms so I can provide that detail to you please?

thanks

xander

joerg.micheel
Level 1

Hi Xander,

 

ok i have done it.

 

Thx in advance

 

greetings joerg

Hi, Xander.

Now I am testing BNG dual-stack on 5.2.0.

Our subscribers authenticating with option 82 from DHCPv4 discover message. 

I made session initialization only with DHCPv4 discover:

class-map type control subscriber match-any IPoE
 match protocol dhcpv4 
 end-class-map

But when IPv6 protocol starts earlier than IPv4, PC gets ipv6 address without initiating session.

Is it possible not to give IPv6 address (to drop dhcpv6 requests from subscriber) until it will initiate session with IPv4 protocol? Then, when session is initiated and subscriber received ipv4 address, BNG accepts ipv6 dhcp requests from this subscriber...

Thanks for your help

xthuijs
Cisco Employee

You could try to add a class-map for the protocol dhcpv6 and then in the event handler for session-start start a timer of say 5 seconds, and then on the event of timer-expiry for that timer you could activate the dynamic template or make a radius call.

this way you would delay the v6 for 5 seconds for ipv4 to come up. haven't tried it but this could work.

 

cheers!

xander

But in the event for session-start I can choose time only in minutes

10 set-timer TIMER ?                          
  <0-4294967295>  Timer value in minutes

 

I think 1 minute is very big delay.

xthuijs
Cisco Employee

true indeed, it is in minutes. We could give it a try to see if that is the desired functionality, if so I can see if a timer in seconds is an option.

regards

xander

Please, feel free to inform me about results.

And I think it would be a nice feature to have the possibility to delay IPv6 address assignment until the IPv4 address is assigned.

Thanks, Xander!

Hi Xander!

I think I found solution!

 event session-start match-first
  class type control subscriber IPV4 do-until-failure
   10 activate dynamic-template FTTX
   20 authorize aaa list default format LOGIN password ISG
  !
  class type control subscriber IPV6 do-until-failure
   10 disconnect

 

So, when session is trying to start with IPv6 stack, session disconnects without giving IP to the subscriber. When session is trying to start with IPv4 stack, it starts normal, and subscriber can try to initiate IPv6 stack.

I have another question to you. From software 5.1.1 cisco introduced linecard-based subscribers. Scaling up to 64K per linecard. Is it right for 9001 too?

xthuijs
Cisco Employee

nice find Vovan! yeah this would work indeed as an alternative.

for the 9001, which is a single RP and single LC system, the scale difference between an LC sub and an RP based sub is zero...

The hard limit you have on 9001 is the 2 NPU's which only support 32k subs each.

with bundles, having members on multiple npu's decreases the overall scale obviously as subs are programmed on each bundle member, so using LC based subs makes it easier, or using bundles with members on the same npu.

cheers!

xander

Thanks Xander!

So, you mean that if I will create 2 port-channels, each based on ports belonging to different NPUs I can reach 64K subs per ASR9001 ?? It would be cool!

But as I understood you from 

https://supportforums.cisco.com/document/94171/asr9000xr-bng-deployment-guide#Bundles_vs_Phyiscal_interfaces

if I create bundle even with 1 interface in it, sessions automatically begin to terminate on RP.

 

 

xander response:

at some point the forums don't allow replies anymore, which is really annoying I know, so the best thing I can do is edit your note with a response....

back and forth Q&A is probably best handled with new discussions raised as opposed to the document it feels at times, but anyways.

The 9001 has one rp and one lc, so that platform is just limited to 64k sessions always. regardless of whether they are LC based or RP based.

just because you only have 2 NPU's in there and the NPU has a limit of 32k UIDB's (interface descriptor blocks) and 32k L0 shapers (parent shapers). Now if you have either a bundle with one member, or a bundle with multiple members, but the members are on the same NPU, or you have LC based subscribers (so directly on the phy/subif) then you can reach 64k subs.

regards

xander

gthermaenius
Level 1

Hi Xander,

I am trying to get ipv6 initiator with unclassified-source to work with no luck. In this case the subscriber is configured with static IPv6 address and sending packets. My control-policy matches a class-map which does 'not' match dhcpv4 or v6. It works for v4 but not v6. I'm running IOS-XR 5.2.0.

What does trigger a unclassified-source for v6 and what would the dyn-template look like?

Thanks in advance!

//Gunnar

xthuijs
Cisco Employee

hi gunnar, a bit of config or debugs would help in assessing the situation, but maybe this part is missing?

RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface Bundle-Ether 56
RP/0/RSP0/CPU0:router(config-if)# ipsubscriber ipv6 l2-connected
RP/0/RSP0/CPU0:router(config-if-ipsub-ipv6-l2conn)# initiator unclassified-source

if not, check with a debug subscriber manager class-eval and policy to see if there is a trigger to the control policy for this event.

xander

gthermaenius
Level 1

Hi,

The loopback 22001 gets sent via radius and v4 works. Not doing any acls at the moment just to rule that out. I'm doing the reauth timer just so I don't have to do CoA in case you wonder...

interface Bundle-Ether1.1502102
 description ### B2B LAN 2.0-1 ###
 aaa radius attribute nas-port-type Ethernet
 ipv4 point-to-point
 ipv4 unnumbered Loopback0
 ipv4 verify unicast source reachable-via rx
 arp learning disable
 ipv6 verify unicast source reachable-via rx
 ipv6 enable
 lldp
  transmit disable
 !
 service-policy type control subscriber BNG-CP-B2B-1
 load-interval 30
 encapsulation dot1q 1502 second-dot1q 102
 ipsubscriber ipv4 l2-connected
  initiator dhcp
  initiator unclassified-source
 !
 ipsubscriber ipv6 l2-connected
  initiator dhcp
  initiator unclassified-source
 !
 ipsubscriber session-limit
  unclassified-source per-vlan 16
 !
!
interface Loopback22001
 description ### B2B-1 LAN2.0-1 ###
 ipv4 address 213.200.154.5 255.255.255.255
 ipv4 address 83.255.227.17 255.255.255.248 secondary
 ipv4 address 83.255.227.25 255.255.255.248 secondary
 ipv6 address 2a04:ae37:0:fd4::1/64
 ipv6 enable
!
policy-map type control subscriber BNG-CP-B2B-1
 event session-start match-first
  class type control subscriber DHCPv4v6 do-until-failure
   10 authorize aaa list B2B-1 format B2BDYNAMIC-USERNAME-1 password cisco
   20 activate dynamic-template IPSUB_B2B-TPL-1
   30 set-timer reauthorize 10
  !
  class type control subscriber UNCLASS do-until-failure
   10 authorize aaa list B2B-1 format B2BSTATIC-USERNAME-1 password cisco
   20 activate dynamic-template IPSUB_B2B-TPL-1
   30 set-timer reauthorize 10
  !
 !
 event idle-timeout match-first
  class type control subscriber UNCLASS do-all
   10 disconnect
  !
 !
 event timer-expiry match-first
  class type control subscriber DHCPv4v6 do-until-failure
   10 set-timer reauthorize 10
   20 authorize aaa list B2B-1 format B2BDYNAMIC-USERNAME-1 password cisco
  !
  class type control subscriber UNCLASS do-until-failure
   10 set-timer reauthorize 10
   20 authorize aaa list B2B-1 format B2BSTATIC-USERNAME-1 password cisco
  !
 !
 event authorization-failure match-first
  class type control subscriber UNAUTH do-all
   10 disconnect
  !
 !
 end-policy-map
!
class-map type control subscriber match-any UNAUTH
 match authen-status unauthenticated
 end-class-map
!
!
class-map type control subscriber match-any UNCLASS
 match not source-address mac ffff.ffff.ffff
 end-class-map
!
class-map type control subscriber match-any DHCPv4v6
 match protocol dhcpv4 dhcpv6
 end-class-map
!
dynamic-template
 type ipsubscriber IPSUB_B2B-TPL-1
  timeout idle 660 traffic both
  accounting aaa list B2B-1 type session periodic-interval 5 dual-stack-delay 1
  ipv4 verify unicast source reachable-via rx
  ipv6 nd ra-interval 30
  ipv6 nd dad attempts 1
  ipv6 nd other-config-flag
  ipv6 nd managed-config-flag
  ipv6 enable
 !
!
aaa attribute format SYS-CALLID
 format-string length 253 "BNG"
!
aaa attribute format B2BSTATIC-USERNAME-1
 format-string length 253 "B2BSTATIC_2001"
!
aaa attribute format B2BDYNAMIC-USERNAME-1
 format-string length 253 "B2BDYNAMIC_2001"
!
aaa radius attribute nas-port-id format NAS_PORT_T2_FORMAT type 2
aaa radius attribute calling-station-id format SYS-CALLID type 2

 
