cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
38185
Views
0
Helpful
152
Comments
xthuijs
Cisco Employee
Cisco Employee

Introduction

This document provides an overview for dual stack sessions for ASR9000 BNG, running ipv4 and ipv6 address stacks next to each other for subscriber sessions.

Dual Stack

Dual stack refers to the concept of running a subsciber session with an IPv4 address as well as an IPv6 address.

Deployment models and general concept

Screen Shot 2014-01-14 at 8.46.52 AM.png

Address Assignment

To unravle the complex terminology associated with address assignment in particular to IPv6 this picture below shows the various address assignment options available.

Screen Shot 2014-01-14 at 8.47.07 AM.png

You can also use the framed-ipv6-address radius attribute to provide an address to the subscriber from radius which then will be advertised

via SLAAC (NA/ND) for both PPPoE and IPoE sessions.

The additional attribute ipv6:ipv6-default-gateway VSA can be used to provide the default router in case no dhcpv6 is used for IPoE sessions.

IPv6 Addressing

When it comes to "prefix delegation" that is having a large IPv6 like subnet that is shared between subscribers who get a subnet from that subnet sort of speak the following addressing example hopefully visualizes how it all ties together

Addressing mapping

Slide1.jpg

Configuration CPE

The following 2 secions provide the configuration for the client side and the WAN side of the CPE

PC client side of the CPE

interface GigabitEthernet0/2

description to switch fa0/15

ip address 192.168.1.1 255.255.255.0

no ip unreachables

ip nat inside

ip virtual-reassembly

duplex full

speed 100

media-type rj45

negotiation auto

ipv6 address prefix-from-provider ::1:0:0:0:1/64

ipv6 enable

 

WAN side of the CPE

interface FastEthernet2/0.50

encapsulation dot1Q 50

ipv6 address autoconfig default

ipv6 enable

ipv6 dhcp client pd prefix-from-provider

 

In these examples we are expanding the delegated prefix with a :1/64 and we perceive ourselves to be the ".1" and default gateway.

Configuration DHCPv6 Server

ipv6 unicast-routing

ipv6 dhcp pool dhcpv6

prefix-delegation pool dhcpv6-pool1 lifetime 6000 2000

ipv6 route 2001:60:45:28::/64 2005::1

ipv6 route 2001:DB8:1200::/40 2005::1

ipv6 route 200B::/64 2005::1

ipv6 route 2600:80A::9/128 4000::1

ipv6 local pool dhcpv6-pool1 2001:DB8:1200::/40 48

More info on IOS dhcpv6 server:

http://www.cisco.com/en/US/tech/tk872/technologies_configuration_example09186a0080b8a116.shtml

Operation and Call Flow

Because ASR9000 treats the 2 stacks as a single subscriber, and hence ONE access request and a SINGLE accounting record are generated for both stacks, differences of desired operation exist when it comes to when for isntance to generate an accounting request.

There are 2 key things to consider and of importance:

  • When the first AF comes up, an access-request is generated, the access-accept should contain BOTH ipv4 and ipv6 information for the session although there is no second request for the other AF maybe yet
  • An accounting-start can be generated as soon as the first AF comes up, we can wait for a determined period of time and generate a single accounting start record for BOTH AF's, or we can do a triggered interim accounting record when the second AF comes up.

Call Flows

Dual stack generic call flow

Screen Shot 2014-01-14 at 8.46.33 AM.png

PPPoE DS detailed call flow SLAAC based address assignment

Screen Shot 2014-01-14 at 9.07.40 AM.png

PPPoE DS detailed call flow DHCPv6 based address assignment

Screen Shot 2014-01-14 at 8.57.06 AM.png

IPoE DS detailed callflow IPv4 AF starts first

Screen Shot 2014-01-14 at 8.57.30 AM.png

IPoE DS detailed callflow IPv6 AF starts first

Screen Shot 2014-01-14 at 8.57.36 AM.png

Sample Scenario

Sample Topology for the configuration example

Screen Shot 2014-01-14 at 8.39.37 AM.png

Configuration

hostname bng

logging console   debugging

Radius server configuration.

Radius server is listening on 5.5.5.2 with auth-port on 1645 and accounting-port on 1646

radius-server   host 5.5.5.2 auth-port 1645 acct-port 1646

key 7 010107000A5955

!

COA server or policy-server with ip-address 5.5.5.2 is running

aaa server   radius dynamic-author

client 5.5.5.2 vrf default server-key 7   03165A0F575D72

!

aaa group server   radius RADIUS

server 5.5.5.2 auth-port 1645 acct-port 1646

!

aaa accounting   service default group radius

aaa accounting   subscriber default group radius

aaa   authorization subscriber default group radius

aaa   authentication subscriber default group radius

line console

stopbits 1

!

DHCPv6 address pool is defined locally within BNG box and local pool is used for ipv6 address assignment to IPv6 BNG clients

pool vrf default   ipv6 ipv6_address_pool

address-range 2001::2 2001::7dff

!

 

DHCPv4 server with ip address 20.20.20.2 is deployed externally and this ipv4 address should be reachable from BNG device. Routing protocols should take care of reachability of 20.20.20.2 from BNG device. DHCPv4 proxy is configured as follows.

dhcp ipv4

profile IPoEv4   proxy

helper-address vrf default 20.20.20.2   giaddr 10.10.10.1

!

 

DHCPv4 proxy is enabled on bundle sub-interface

interface   Bundle-Ether1.10 proxy profile IPoEv4

!

 

DHCPv6 server is configured and already configured DHCPv6 address pool is referred within DHCPv6 server configuration. DHCPv6 profile is configured as follows with address pool.

dhcp ipv6

   profile IPoEv6 server

   address-pool ipv6_address_pool

!

 

DHCPv6 address pool is referred on bundle sub-interface.

interface   Bundle-Ether1.10 server profile IPoEv6

!

interface   Bundle-Ether1

bundle   maximum-active links 1

!

Bundle sub-interface with dot1q encapsulation configured with single tag. Subscriber traffic from

CPE should come with single dot1q tag and this vlan tag should match with vlan id 10 configured under bundle sub-interface. In dual-stack IPoE configuration,   “initiator dhcp” is configured ipv4/ipv6 l2 connect mode.

Policy-map type control’s name is referred with service-policy

interface   Bundle-Ether1.10

ipv4   point-to-point

ipv4 unnumbered   Loopback1

ipv6 enable

service-policy   type control subscriber pm-src-mac

encapsulation   dot1q 10

ipsubscriber   ipv4 l2-connected

initiator dhcp

!

ipsubscriber ipv6 l2-connected

initiator dhcp

!

!

Ipv4 address 10.10.10.1 is default-gateway ip address for pool of ipv4 address allocated to dual-stack BNG clients

interface   Loopback1

ipv4 address 10.10.10.1 255.255.255.0

ipv6 enable

!

interface   MgmtEth0/RSP0/CPU0/0

ipv4 address 9.22.11.3 255.255.0.0

!

interface   MgmtEth0/RSP0/CPU0/1

shutdown

!

 

Physical interface gigabit0/0/0/0 is configured as bundle interface.

interface   GigabitEthernet0/0/0/0

bundle id 1 mode on

negotiation auto

transceiver permit pid all

!

interface   GigabitEthernet0/0/0/1

ipv4 address 20.20.20.1 255.255.255.0

transceiver permit pid all

!

interface GigabitEthernet0/0/0/5

ipv4 address 5.5.5.1 255.255.255.0

!

Dual-stack dynamic-template is configured for dual-stack initiation. “ipv6 enabled” under dual-stack template and ipv4 unnumbered

address, ipv4 urpf configured.

dynamic-template

   type ipsubscriber Dual_stack_IPoE

     accounting aaa list default type   session periodic-interval 5

     ipv4 verify unicast source   reachable-via rx

     ipv4 unnumbered Loopback1

     ipv6 enable

!

!

Class-map configured for dual-stack scenario to match DHCPv6 – SOLICIT and DHCPv4 DISCOVER as sign of life packet

class-map type   control subscriber match-any dual_stack_class_map

   match protocol dhcpv4 dhcpv6

   end-class-map
!

 

Class-map “Dual_stack_class_map “ is referred within policy-map.   Even session-start is hit based on DHCPv4/DHCPv6 FSOL, template “Dual_stack_IPoE” is activated.   Subscriber mac-address is used as subscriber identification and it is authorized with AAA server

policy-map type   control subscriber pm-src-mac

event session-start match-all

   class type control subscriber   dual_stack_class_map do-all

     1 activate dynamic-template   Dual_stack_IPoE

     2 authorize aaa list default identifier   source-address-mac password cisco

!

!

end-policy-map

!

end

 

Verification example

”show subscriber session all” command shows ipv4/ipv6 clients session active

RP/0/RSP0/CPU0:bng#show   subscriber session all

Tue Jan 29   12:49:25.237 UTC

Codes: IN -   Initialize, CN - Connecting, CD - Connected, AC - Activated,

       ID - Idle, DN - Disconnecting, ED -   End

Type         Interface               State     Subscriber IP Addr / Prefix

                                                 LNS Address (Vrf)                            

--------------------------------------------------------------------------------

IP:DHCP     BE1.10.ip22             AC       10.10.10.10 (default)

                                                 2001::2 (default)               

     

 

Command “show subscriber session all detail” should show ipv4/ipv6 clients details detailly.

RP/0/RSP0/CPU0:bng#show   subscriber session all deta

Tue Jan 29   12:49:27.752 UTC

Interface:               Bundle-Ether1.10.ip22

Circuit ID:               Unknown

Remote ID:               Unknown

Type:                     IP: DHCP-trigger

IPv4 State:               Up, Tue Jan 29 12:46:32 2013

IPv4   Address:             10.10.10.10, VRF:   default

IPv6 State:               Up, Tue Jan 29 12:46:42 2013

IPv6   Address:            2001::2, VRF: default

IPv6 Interface   ID:       ..d..... (02 00 64 ff fe 01   01 02)

Mac   Address:             0000.6401.0102

Account-Session   Id:       0000001c

Nas-Port:                 Unknown

User name:               0000.6401.0102

Outer VLAN ID:           10

Subscriber   Label:         0x00000055

Created:                 Tue Jan 29 12:46:32 2013

State:                   Activated

Authentication:           unauthenticated

Access-interface:         Bundle-Ether1.10

Policy Executed:

policy-map type   control subscriber pm-src-mac

event Session-Start match-all [at Tue Jan   29 12:46:32 2013]

   class type control subscriber   dual_stack_class_map do-all [Succeeded]

     1 activate dynamic-template   Dual_stack_IPoE [Succeeded]

     2 authorize aaa list default   [Succeeded]

Session   Accounting:      

Acct-Session-Id:         0000001c

Method-list:             default

Accounting started:       Tue Jan 29 12:46:32 2013

Interim accounting:       On, interval 1 mins

   Last successful update: Tue Jan 29   12:48:34 2013

   Next update in:         00:00:06 (dhms)

Last COA request   received: unavailable

”show dhcp ipv4 proxy binding” command is going to show ipoev4 clients created with ip-address and mac-address, interface on which it is created, vrf-name etc

RP/0/RSP0/CPU0:bng#show   dhcp ipv4 proxy binding

Tue Jan 29   12:49:42.955 UTC

 

                                             Lease                                                

 

MAC Address     IP Address     State     Remaining       Interface         VRF     Sublabel

-------------- -------------- ---------   --------- ------------------- ---------   ----------

 

0000.6401.0102 10.10.10.10     BOUND     3409       BE1.10               default   0x55      

 

 

RP/0/RSP0/CPU0:bng#show   dhcp ipv4 proxy binding de

Tue Jan 29   12:49:49.498 UTC

MAC   Address:                 0000.6401.0102

VRF:                         default

 

Server VRF:                 default

IP Address:                 10.10.10.10

Giaddr from   client:         0.0.0.0

Giaddr to   server:           10.10.10.1

Server IP   Address:           20.20.20.2

Server IP   Address to client: 10.10.10.1

ReceivedCircuit   ID:         -

InsertedCircuit   ID:         -

ReceivedRemote   ID:           -

InsertedRemote   ID:           -

ReceivedVSISO:               -

InsertedVSISO:               -

Auth. on   received relay info:FALSE

Profile:                     IPoEv4

State:                       BOUND

Proxy   lease:                 3600 secs   (01:00:00)

Proxy lease   remaining:       3403 secs (00:56:43)

Client ID:                     0x00-0x00-0x64-0x01-0x01-0x02

Access   Interface:           Bundle-Ether1.10

Access VRF:                 default

VLAN Id:                     10

Subscriber   Label:           0x55

Subscriber   Interface:       Bundle-Ether1.10.ip22

“show dhcp ipv6 server binding” is going to show ipv6 address allocated from DHCPv6 local pool

RP/0/RSP0/CPU0:bng#show   dhcp ipv6 server binding

Tue Jan 29   12:50:04.560 UTC

Summary:

Total number of   clients: 1

DUID   : 00030001000064010102

MAC Address: 0000.6401.0102

Client Link Local: fe80::200:64ff:fe01:102

Sublabel: 0x55

   IA ID: 0x0

   STATE: BOUND

   IPv6 Address: 2001::2 (Bundle-Ether1.10)

       lifetime : 600 secs (00:10:00)

       expiration: 399 secs (00:06:39)

RP/0/RSP0/CPU0:bng#

 

Related Information

Configuration example and verification provided by Narendiran Rajaram

Xander Thuijs CCIE #6775

Principal Engineer ASR9000, IOS-XR and NCS6000

Comments
xthuijs
Cisco Employee
Cisco Employee

hello again vladimir! :)

yeah this is a known restriction: v6 only allows one Prefix or address per interfaceID, I think both LAN and WAN represent themselves as the same IID hence is limited to one lease only.

the method of using PD by providing the prefix to the LAN effectively and use LL on the WAN side is probably a more "preferred" model.

so what you're seeing is not "new". There had been a storm of cases on this similar topic, and it was recently added to the documentation, but I can't seem to find that link quickly, but wanted to let you know your findings are along with what we know and expect.

cheers

xander

zubov1971
Level 1
Level 1

Good day. I would like to ask, if now I have ipv4 mode "initiator unclassified-ip".
Now I would like to implement the model of "Dual-stack ipv4 and ipv6".
See that the opportunity is there:
RP/0/RSP0/CPU0:ios(config-subif)#ipsubscriber ipv6 routed initiator ?
unclassified-ip Configure unclassified packets as first-sign-of-life for IPv6 subscriber
However, how to combine them in a Dual Stack session, and is it possible to do so?

mqw071201
Level 1
Level 1

hi Xander :

                sorry for jumping in we have a problem on ASR 9006 .

We have an ASR9K in one of the projects which is working as BRAS and have around 30k subscriber.

Recently there are some problem which session of some users will not complete and so they don`t have connection.

Currently the main problem is “Duplicate IPv4 Address” and as in our scenario AAA has the responsibility of IP pool to assign the ip address to the user and as AAA will see some online users as offline so it will release the ip and will assign to another user while existing user has the same IP and duplicate will happen.

It seems there is a bug which prevent BRAS to send right accounting information to AAA.
thank you very much
xthuijs
Cisco Employee
Cisco Employee

yup for radius based addr assignment we want the accounting to work properly.

there could be 2 possible reasons for this:

1) the original session has not timed out yet and the accounting record hasn't been sent

2) the accounting record was tried to be delivered, but timed out and didn't alert the Radius.

you could check with the show radius command to see if there have been a lot of accounting timeouts and retransmissions and possibly tune the retransmission count a bit to ensure delivery.

another option is to enhance the radius to do a coa session query to see if a user is still online based on a username or FIP before reclaiming an address to the pool.

the accounting has been rather robust for some time. especially if you are on 524 or 533 releases.

cheers

xander

smailmilak
Level 4
Level 4

Hi,

does anybody know what the value inside the brackets mean?

3: session-timeout len= 4 value= 86400(15180)
4: idletimeout len= 4 value= 18000(4650)

The value in hex ;)

smailmilak
Level 4
Level 4

Ouh :D

Yeah, I checked it. Thank you.

xthuijs
Cisco Employee
Cisco Employee

yeah correct, the code prints the %u and (%x) values, don't ask me what the value add of that is though :)

xander

puddingtech
Level 1
Level 1

xander, question... well 2-3 questions hehe

1. How do we tell BNG to only allow single or multiple logins per pppoe username?

2. How do i set how long a session for pppoe should be (as to force a reauth?)

3. On the ASR9001-S, if i'm doing policy-map's on the Cisco, and then assigning them to each user at connection with a sub-qos-policy-in and out, (1 in and 1 out per client, ontop of the 2 basic static ones in the dynamic template that are required, that just sets dscp default) 

What kind of users am i looking at i'm really confused vs the RSP vs LSP numbers i've seen for IPoE/PPPoE especially when it comes to the 9001-S. 

We've got 4 10G ports, 1 active right now on a bundle, so we can add more to the bundle as we need... so does that mean we can handle 8k * 4 ports if we were to bundle all 4 ports? or is it 64k per port 8k per vlan? Just want to make sure i'm understanding before i go figuring out how to deploy and how much of my subs to plan per vlan etc.

4. How does enabling dual stack for all the subs affect the above numbers? Or does it not at all since their all under the same subscriber interface/policies.

xthuijs
Cisco Employee
Cisco Employee

hi chris, :)

1) bng can apply a session limit for pppoe (that is the discovery) based on vlan, access interface, circuit ID/remoteID. Username maximum sessions is to be enforced by radius. eg radius will need to know that a username is online already and apply a reject when ti gets a 2nd/3rd request in...

2) you can provide the radius attribute session-time which is an absolute time for the session to be online until it gets a padt/lcp close. OR you can apply a absolute timeout on the template.

OR maybe even nicer, you can start a timer when the session comes online with a control policy nd when it fires, you can apply an http redirect to move all http traffic over to a portal?

3) with the 9001-S you effetively have one RSP, One LC and *ONE* NPU. so you're hard bound to 32k subs tops.

with bundle all subs are programmed on all npu's that have members in that bundle, but on the 9001-S you only have 1 npu active anyway.

4) to enable dual stack, let's assume that v4 is a given, then you need to provide some v6 config on the dynamic template OR provided by radius what v6 methods to use, so when a client opens IPv6CP the bng knows what to do, PD, addr assignment, dhcp, ND/NA req etc etc.

cheers

xander

puddingtech
Level 1
Level 1

1) ok meh, was worrying you would say that Our old pppoe concentrator supported limiting username auths to 1 session before it even went to radius. Will look into how to handle it in our radius side then.

2) Ok will try the session-time via radius/dynamic temlate first, but i agree a timer may be nicer though i haven't played with them yet, wouldn't it be better to on expiration run "authenticate aaa list default" to check if the user is still allowed to be on? Wait can i do that, if so that solves my issue without ever impacting the client, if their still allowed to be on just set the timer again, if their not the authenticate will fail and disconnect them or as you recommended redirect them, as i would love to be able to not mess with the client or disconnect them unless their radius has been terminated while they were online.

3) Ya my worry is that word "tops" i'm worried once i load X subs on 50 vlans on the bundle with 2 queues per subscriber i'll end up only supporting 500 subs lol Or worse i'll do something weird and end up using 4+ queue resources per sub instead of 2 and cause issues... Whats best way to monitor the queue resources being used up as subs come online?

4) Oh sorry i should have been clearer i meant, how does dual stack affect the # of units the box will handle. Like does that 32k drop to 16k because we're handling 2 stacks now?

EDIT: nevermind, apparently my brilliant idea won't work... i guess you can't run a authenticate from the timer, when you do it shows as [FAILED] under the subscriber.

event session-activate match-first
class type control subscriber PPP_SUB do-until-failure
10 authenticate aaa list default
20 set-timer REAUTH_TIMER 2

event timer-expiry match-first
class type control subscriber PPP_SUB do-until-failure
10 authenticate aaa list default
20 set-timer REAUTH_TIMER 2

xthuijs
Cisco Employee
Cisco Employee

hi chris,

on the items:

1) yeah bng itself doesn't apply a limit on the username. the pppoe part has no insight in the username (only mac, rid/cid, access interface) iedge does have a username, but the control policy can't enforce a limit on that, so the best place is for radius, also better inc ase you have 2 BNG's and user X is already on BNG-1 and attempts a connect on BNG-2, in that case a radius based model is nicer. You can try to use the radius-attribute MAX-Sessions or Session-Limit, but I dont believe iedge pays attention to it.

2) what you can do maybe is periodically apply an HTTP redirect so that the user is redirected to a portal, provides user access info to do a reauthorize request via a COA account logon, this way cOA can reply with some (new) response attributes also.

Or periodically just disconnects the pppoe session so it will restart and come back online and possibly pull a new access accept profile.

3+4) we tested 48 dual stack and 64k v4 only sessions on the 9001. with the -S you are limiting yourself to 32k tops because of the single NPU available. and since 32k is within the 48 dual stack, all your 32k sessions can be signle or dual stack on the 9001-S.

You can look at queue resource usage by either doing some "manual math" on the pmap in place times the number of subs.

another option is to look at the show qos hal command, it provides a perfect summary of where all the usage is in terms of queues on a per LC and NP bases:

RP/0/RSP0/CPU0:A9K-BNG# show qoshal resource summary loc 0/0/cPU0

Mon Jul 25 11:42:20.200 EDT

TY Options argc:5

nphal_show_chk -p 2081 resource summary

Done

-1

Counters: X(Y/Z): X -> Resources Allocated in HW

                  Y -> Resource Allocated in SW

                  Z -> Refcount of each resource

                  Sanity Check: X==Y && Z >= X

        :X (Y):   X -> Resource Allocated in HW

                  Y -> Resource Allocated in SW

Client - 0, General - Not any Specific Client

SW and RefCount for Entities are accounted in Client 0(general)

Only HW count for Entities is per client

NP 0

===============================================================

CLIENT : None-General

   Policy Instances: Ingress 0 Egress 0  Total: 0

    Entities: (L4 level: Queues)

     Level        Chunk 0           Chunk 1           Chunk 2           Chunk 3          

     L4         0(    0/    0)    0(    0/    0)    0(    0/    0)    0(    0/    0)

     L3(8Q)     0(    0/    0)    0(    0/    0)    0(    0/    0)    0(    0/    0)

     L2         0(    0/    0)    0(    0/    0)    0(    0/    0)    0(    0/    0)

     L1         0(    0/    0)    0(    0/    0)    0(    0/    0)    0(    0/    0)

        Policers: Internal 0(0) Regular 0(0)  Parent 0(0)  Child 0(0)  Total 0(0)

Hi Xander,

A quick question regarding IPv6 PPPoE sessions.

Mainly for troubleshooting reasons we need to see the BNG hop in a traceroute performed by the PPPoE client.

In IOS-XE

  • in case we configure the "ipv6 unnumbered" command under the virtual-template interface, we see the IPv6 address of the selected interface
  • in case we don't configure the "ipv6 unnumbered" command under the virtual-template interface, we see the IPv6 address of the core facing Te interface

In IOS-XR, the "ipv6 unnumbered" command is not supported under the dynamic-template and we get timeouts at the bng hop, as seen below:

C:\Windows\system32>tracert ipv6.forthnet.gr

Tracing route to ipv6.forthnet.gr [2a02:2148:100:a01::22]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  2a02:2148:w::1
  2     *        *        *     Request timed out.
  3    13 ms    13 ms    12 ms  2a02:2148:x::2
  4    11 ms    11 ms    11 ms  2a02:2148:y::3
  5    11 ms    11 ms    12 ms  2a02:2148:z::4
  6    11 ms    11 ms    11 ms  ipv6.forthnet.gr [2a02:2148:100:a01::22]

Trace complete.

Is there a way we can see the BNG hop in the traceroute?

Thanks and regards,

Dimitris

xthuijs
Cisco Employee
Cisco Employee

probably not without some code changes dimitris ... :( to scale up the system, it uses a SINT (subscriber interface) which is a lite netio. SINT likely doesnt have enough knowledge about the interface or what to respond with and therefore lets it time out.

if you can get me a debug icmp ipv6 pa/er then possibly I can see if this is quickly fixable.

cheers

xander

Thanks for the quick answer :)

Attached you can find the debug output.

Dimitris

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links