cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
19429
Views
5
Helpful
117
Comments
xthuijs
Cisco Employee
Cisco Employee

 

Introduction

This document provides an overview of Vendor Specific attributes that can be used in the ASR9000 BNG solution. They can either be used as part of the Access Accept Radius message or COA requests to change the behavior of the session.

Vendor Specific Attributes

 

1. RADIUS Attributes for pQoS

 

ASR9000_BNG_Attributes.jpg

sub: indicates AVPair targets MQC policy on a subscriber session
<class-list>: identifies class to be added/removed or modified in the MQC policy
Multiple classes may be specified to modify classification in a nested (child) MQC policy
<qos-action-list>: policy actions to be added/overwritten in targeted class in MQC policy (see table below)
 
Supported QoS features:
•Shaping rate and percentage
•Policing rate and percentage
•Marking (CoS, DSCP, IP Prec)
•Queueing (minBW, BW remaining, priority, WRED, queue-limit)

 

 

QOS FeatureAction format in Radius attribute
Shaping

shape(<rate-in-kbps>)

shape-rpct(<rate-in-pct>)

Policing

police-rpct(<conform-rate-in-pct>,<conform-burst-in-us>,<exceed-rate-in-pct>,<exceed-burst-in-us>,    <conform-action>,<exceed-action>,    <violate-action>)

police(<conform-rate-in-kbps>,<conform-burst-in-kBytes>,<exceed-rate-in-kbps>,<exceed-burst-in-kbytes>,   <conform-action>,<exceed-action>,   <violate-action>)

Marking

set-cos(<cos-val>)

set-ip-dscp(<dscp-val>)

set-ip-prec(<precedence>)

Queuing

pri-level(<priority-level>)

bw-rpct(<pct>)

bw-rratio(<ratio>)

bw-abs(<bw-in-kbps>)

bw-pct(<bw-in-pct>)

queue-limit(<qlimit-in-packets>)

queue-limit-us(<qlimit-in-us>)

random-detect-dscp(<dscp>)

random-detect-prec(<precedence>)

 

 

Example

AVPair:“ip:qos-policy-out=add-class(sub,(class-default, VIDEO_CM), set-ip-dscp(af41), bw-abs(256))

 

 

2. VSA's for Account operations (services and logon/off)

 

 

PrimitiveRadius AVP
Account Logon

authentication cpe12 CoA cisco123

attribute 44 “<string>”                               <<< Accounting Session ID

vsa cisco generic 1 string "subscriber:command=account-logon"

Account Logoff

attribute 44 “<string>”                               <<< Accounting Session ID

vsa cisco generic 1 string "subscriber:command=account-logoff"

Account update

(used to change a profile)

attribute 44 “<string>”                               <<< Accounting Session ID

vsa cisco generic 1 string "subscriber:command=account-update”

<radius attributes to set/update>

Service Activate

attribute 44 “<string>”                               <<< Accounting Session ID

vsa cisco generic 1 string "subscriber:sa=<service-name>”

Service De-Activate

attribute 44 “<string>”                               <<< Accounting Session ID

vsa cisco generic 1 string "subscriber:sd=<service-name>”

 

 

All these operations from the first column, report an event to the control policy.

 

RP/0/RSP0/CPU0:A9K-BNG(config-pmap)#event ?

  account-logoff              Account logoff event

  account-logon               Account logon event

  authentication-failure      Authentication failure event

  authentication-no-response  Authentication no response event

  authorization-failure       Authorization failure event

  authorization-no-response   Authorization no response event

  exception                   Exception event

  service-start               Service start event

  service-stop                Service stop event

  session-activate            Session activate event

  session-start               Session start event

  session-stop                Session stop event

  timer-expiry                Timer expiry event

 

Note

Accounting session ID is the preferred session identifier. You can also use the framed-ip-address to key on the subscriber and the vrf (if applicable)

(IPv4 only):

 

Attribute 8: Framed-IP-Address

 

and starting 4.2.1:

 

Attribute 8: Framed-IP-Address + AVPair: ip:vrf-id=<vrf name>

 

Template comparison to radius attribute

 

 

 

Operation

Dynamic Template cmd

RADIUS Attribute

 

Service Activation

Service Activation

N/A

26

9,1

subscriber:sa=<service-name>

 

Network Forwarding

IP addess source intf

ipv4 unnumbered <interface>

26

9,1

ipv4:ipv4-unnumbered=<interface>

PPP framed address

N/A

8

 

framed-ip-address=<IPv4   address>

PPP Address Pool

ppp ipcp peer-address pool <addr pool >

26

9,1

ipv4:addr-pool=<addr pool name>

PPP framed pool

N/A

88

 

framed-pool=<addr pool name>

PPP framed route

N/A

22

 

framed-route=<subnet><mask>

VRF

vrf <vrf name>

26

9,1

subscriber:vrf-id=<vrf name>

V4 DNS

ppp ipcp dns <pprimary dns ip> <secondary dns ip>

26

9.1

ip:primary-dns=<primary dns ip>

Ip:secondary-dns=<secondary dns ip>

DHCP classname

N/A

26

9,1

subscriber:classname=<dhcp-class-name>

 

 

Traffic Accounting

Accounting

accounting aaa list <method list> type session

26

9,1

subscriber:accounting-list=<method list>

Interim Interval

accounting aaa list <method list> type session periodic-interval <minutes>

85

 

Acct-Interim-Interval   <minutes>

Dual Stack Accnt Start Delay

accounting aaa list <method list> type session dual-stack-delay <secs>

  

subscriber:dual-stack-delay=<sec>

 

Session Administration

keepalives

keepalive <sec>

26

9,1

subscriber:keepalive=interval<sec>

NOT SUPPORTED/Implemented

Absolute Timeout

ppp timeout absolute <sec>

27

n/a

session-timeout=<sec>

Idle Timeout

timeout idle <sec>

28

n/a

idle-timeout=<sec>

 

 

Traffic conditioning

HQoS(with SPI)

service-policy input <in_mqc_name> shared-policy-instance <spi-name>

service-policy output <out_mqc_name> shared-policy-instance <spi-name>

26

9,1

subscriber:sub-qos-policy-in=<in_mqc_name> [shared-policy-instance   <spi-name> ]

subscriber:sub-qos-policy-out=<out_mqc_name> [shared-policy-instance   <spi-name>]

pQoS

N/A

26

9,1

subscriber:qos-policy-in=add-class(target policy (class-list) qos-actions-list)

subscriber:qos-policy-in=remove-class(target policy (class-list))

subscriber:qos-policy-out=add-class(target policy (class-list) qos-actions-list)

subscriber:qos-policy-out=remove-class(target policy  (class-list))

Subscriber ACLs/ABF

ipv4 access-group <in_acl_name> in

Ipv4 access-group <out_acl_name> out

ipv6 access-group <in_v6acl_name> in

ipv6 access-group <out_v6acl_name> out

26

9,1

ipv4:inacl=<in_acl_name>

ipv4:outacl=<out_acl_name>

ipv6:ipv6_inacl=<in_v6acl_name>

ipv6:ipv6_outacl=<out_v6acl_name>

HTTP-R

service-policy type pbr <HTTR policy   name>

26

9,1

subscriber:sub-pbr-policy-in=<HTTR policy name>

 

 

IPv6 Attributes

 

Attribute

Defined By

Received In

IPv6 Client

Address Assignment

Dynamic Template   equivalent config

Framed-Interface-Id (96)

RFC3162

Access-Accept

PPPoE

Any

ppp ipv6cp peer-interface-id <64bit #>

Framed-IPv6-Prefix (97)

RFC3162

Access-Accept

PPPoE

SLAAC

N.A.

Framed-IPv6-Route (99)

RFC3162

Access-Accept CoA

Any

Any

N.A.

Framed-IPv6-Pool (100)

RFC3162

Access-Accept

PPPoE

SLAAC

ipv6 nd   framed-prefix-pool <name>

Framed-ipv6-Address   (*)

draft-ietf-radext-ipv6-access-06

Access-Accept

PPPoE, IPoE

DHCP6 (Local   Server)

N.A.

Stateful-IPv6-Address-Pool(*)

draft-ietf-radext-ipv6-access-06

Access-Accept

PPPoE, IPoE

DHCP6 (Local   Server)

dhcpv6   address-pool <name>

Delegated-IPv6-Prefix-Pool   (*)

draft-ietf-radext-ipv6-access-06

Access-Accept

PPPoE, IPoE

DHCP6 (Local   Server)

dhcpv6   delegated-prefix-pool <name>

DNS-Server-IPv6-Address   (*)

draft-ietf-radext-ipv6-access-06

Access-Accept

PPPoE, IPoE

DHCP6 (Local   Server)

To be   configured in DHCPv6 server profile

Delegated-IPv6-Prefix

RFC4818

Access-Accept

PPPoE, IPoE

DHCP6 (Local   Server)

N.A.

 

NOTE

IETF has not yet allocated numeric values for newly defined attributes in

draft-ietf-radext-ipv6-access-*

Following Cisco VSAs have been temporarily defined to close such gap

Framed-ipv6-Address

“ipv6:addrv6=<ipv6 address>”

Stateful-IPv6-Address-Pool

“ipv6:stateful-ipv6-address-pool=<name>”

Delegated-IPv6-Prefix-Pool

“ipv6:delegated-ipv6-pool=<name>”

DNS-Server-IPv6-Address

“ipv6:ipv6-dns-servers-addr=<ipv6   address>”

 

Radius Accounting bytes and packets

 

the following accounting attributes pertaining to packet accounting for the ASR9000 solution, also specific to IPv6

 

Attribute

Defined By

Description

Acct-Input-Octets     (42)

RFC2866

Session input total   byte count

Acct-Input-Packets    (47)

RFC2866

Session input total   packet count

Acct-Output-Octets    (43) 

RFC2866

Session output   total byte count

Acct-Output-Packets (48)

RFC2866

Session output   total packet count

Cisco VSA   (26,9,1): acct-input-octets-ipv4

Cisco

Session input IPv4   byte count

Cisco VSA   (26,9,1): acct-input-packets-ipv4

Cisco

Session input IPv4   packet count

Cisco VSA   (26,9,1): acct-output-octets-ipv4

Cisco

Session output IPv4   byte count

Cisco VSA   (26,9,1): acct-output-packets-ipv4

Cisco

Session output IPv4   packet count

Cisco VSA   (26,9,1): acct-input-octets-ipv6

Cisco

Session input IPv6   byte count

Cisco VSA   (26,9,1): acct-input-packets-ipv6

Cisco

Session input IPv6   packet count

Cisco VSA   (26,9,1): acct-output-octets-ipv6

Cisco

Session output IPv6   byte count

Cisco VSA   (26,9,1): acct-output-packets-ipv6

Cisco

Session output IPv6   packet count

Cisco VSA   (26,9,1): connect-progress

Cisco

Indicates   Session set up connection progress

3.

 


Dynamic Route insertion

 

RADIUS attribute example  for different type of framed-route:

 

PPPoE V6 route

Framed-IPv6-Route = "45:1:1:1:2:3:4:5/128 :: 4 tag 5”

 

PPPoE v4 route

Framed-Route = "45.1.6.0 255.255.255.0 0.0.0.0 6 tag 7”

 

IPoE v4 route

Framed-Route = "vrf vpn1 45.1.4.0/24 vrf vpn1 0.0.0.0 4 tag 5”

 

4. Route destribution (please don't!)

 

router bgp 100

address-family ipv4 unicast

  redistribute subscriber <route-policy>

 

Xander Thuijs CCIE#6775

Principal Engineer, ASR9000

Comments
xthuijs
Cisco Employee
Cisco Employee

Hey Artsiom,

a great question. I had a discussion with a few folks few days ago about this also, as part of the doc:

https://supportforums.cisco.com/document/12050566/asr9000xr-bng-and-dual-stack-ipv4-and-ipv6-sessions

Look for the discussion surrounding: CSCuo70731

cheers

xander

xthuijs
Cisco Employee
Cisco Employee

hi mvmtech,

good question, not yet today. I have a request open to get this going via a session-query operation in COA: CSCuc45110: Need support for Session-Query

regards!

xander

Artsiom Maksimenka
Community Member

Sorry Xander, missed it. Doublechecked and this attribute is present in 5.1.2, IANA attr 123. 

 Thank you,

Artsiom

gthermaenius
Beginner
Beginner

Hi Xander,

I'm a bit confused regarding the format of the attributes. we are using 9k IPoE subs on 4.3.1, 4.3.4 and 5.2.0.

For exampel when to use ip: ipv4: ipv6: and subscriber: or nothing..

Above you are writing subscriber:classname=<dhcp-class-name> but we are using Cisco-AVPair += "dhcp-class=<name>"

and you write ipv4:ipv4-unnumbered=<interface> but we use Cisco-AVPair += "ip:ipv4-unnumbered=<interface>"

What is the supported way?

Thanks in advance!

/Gunnar

 

xthuijs
Cisco Employee
Cisco Employee

Hi Gunnar,

the intended format is ipv4:ipv4-unnumbered.

the word before the ":" is basically the targeted component, but we dont really pay attention to that (yet), that is why ip:xxx and ipv4:xxx are both working, but the proper format would be ipv4:ipv4-unnumbered.

So considering that we dont pay attention to the component, a nothing or incorrectly spelled works, but it is best to format them according to the guide above.

cheers!

xander

Hi Xander,

I would like to ask you just to verify the following implementation (I have tested it and it seems it works), because in IOS-XE is not supported the way we like it to be.

IPv6 WAN prefix assigned by local pool

dynamic-template
 type ppp DYNAMIC-TEMPLATE
<...>
  ipv6 nd framed-prefix-pool WAN-IPv6-POOL

IPv6 LAN prefix delegated by local dhcp server

dynamic-template
 type ppp DYNAMIC-TEMPLATE
<...>
  dhcpv6 delegated-prefix-pool LAN-IPv6-POOL

<...>

dhcp ipv6
 profile DHCP-SERVER-LOCAL server
  dns-server 2a02:2148:x:x::x 2a02:2148:x:x::y
  prefix-pool LAN-IPv6-POOL
 !
 interface subscriber-pppoe profile DHCP-SERVER-LOCAL

The above seems to work fine for the dynamic allocation.

In case we need to provide static prefixes (framed/delegated) to specific subscribers we send the corresponding radius attributes (framed-ipv6-prefix/delegated-ipv6-prefix) during aaa and everything works, so we can simultaneously achieve massive dynamic and selective static IPv6 prefix allocation.

Could you please verify that there isn't anything weird in this approach?

Thanx,

Dimitris

smailmilak
Enthusiast
Enthusiast

Hi Xander,

 

we are at the end of our CGNAT logging (IsarFlow) project. We have correlation  between RADIUS and ISM which is exporting all NAT session info from netflow export.

Problem is that when a subscriber disconnects and the subscriber had a NAT session, the next subscriber which just has established a PPPoE session gets the same IP address, and the new subscriber is using the same NAT session.

Problem is that  the timestamp of NAT session and RADIUS start/stop does not match. 

e.g. NAT started at 06:30, but the PPPoE session has been established at 06:50. This is because the new user is not using a new session but it just takes over the active one because same IPv4 address is used. A short NAT timeout could do a lot harm so we can not change it.

 

Question: Is it possible to put a flag on this IPv4 address from last user so that new users get a different IPv4 address, and after a short time the flag is removed and it can be used again?

I did a research and of course I could not find anything because we are the only one which such problem.

DHCPv4 for PPPoE is supported on IOS, but even if this is supported on XR this solution is not scalable and it's not recommended.

 

p.s. I think that this problem can be solved on IsaFlow so that it ignores CGNAT info when it was created before the pppoe session, but we are not sure if they are willing to fix it.

xthuijs
Cisco Employee
Cisco Employee

Hi Smail,

this requirement makes sense. in IOS the pool manager used to put recycled adds to the bottom of the queue so that too rapid reuse wouldnt happen as frequently.

It requires us to change the current IPAM (ip address management) implementation, the function that handles the pool distribution, but let me file a ddts for this to see if this can be done.

I think however, it would be best also for IsaFlow to be more "tolerant" to this scenario, as it makes their implementation a bit more adaptable for any circumstance.

regards

xander

smailmilak
Enthusiast
Enthusiast

Hi Xander,

 

many thanks for the reply. I really appreciate your work here.

 

It would be really cool if Cisco can do this.

Problem is that we have to solve this issue in the next few days and because of that we will make a push so that Isarflow makes a fix. It just makes more sense to fix this on Isarflow.

Regarding BNG - there is already a lot of features on it, but it's never enought :)

xthuijs
Cisco Employee
Cisco Employee

not a problem Smail! oh yeah I can't turn this IPAM around in a few days (if at all easily doable). But I'll let you know what I find out here.

Ha and that is what I love about BNG, always customizations and no two deployments are the same :)

cheers!

xander

Artsiom Maksimenka
Community Member

Hello, Xander

I've got a question:

Radius Acct-Session-Id attribute could be easily found in Auth-Request along with Acct-Req presence but the value Acct-Session-Id in Auth-Request is different from Accounting Flow, the value of the session-id number in Auth-Request is typically equal to Acct-Request (Acct-Session-Id - 1), is there any possibility of correlation between these two values?

Artsiom

xthuijs
Cisco Employee
Cisco Employee

That is not right Artsiom! unless this is an accounting record for a service, which obviosuly will have a different accounting ID, the session accounting and the signaled ID during access request need to line up.

I just try to reverify this in 5.1.2 and it seems all right?

 

Tue Jun  3 16:01:46 2014: [3678] message received from 3.0.0.233/51257.64 code=1, length=278

** access request ** access-Request code 1


Tue Jun  3 16:01:46 2014: [3678] Cisco-avpair = "client-mac-address=0006.2aaa.2438"
Tue Jun  3 16:01:46 2014: [3678] Acct-Session-Id = "000000d8" <<< ID
Tue Jun  3 16:01:46 2014: [3678] NAS-Port = 67109350
Tue Jun  3 16:01:46 2014: [3678] NAS-Port-Id = "intf 0/100  00-06-2a-aa-24-38"
Tue Jun  3 16:01:46 2014: [3678] Vendor-Specific-9-2 = "intf 0/100  00-06-2a-aa-24-38"
Tue Jun  3 16:01:46 2014: [3678] User-Name = "dialer@cisco.com"
Tue Jun  3 16:01:46 2014: [3678] Service-Type = Framed-User
Tue Jun  3 16:01:46 2014: [3678] CHAP-Password = "\2244\226\237J\242||k\232\376{)}\322E\355"
Tue Jun  3 16:01:46 2014: [3678] CHAP-Challenge = "Bq\362\00595\004\032F\257*:r\204\254V"
Tue Jun  3 16:01:46 2014: [3678] Unknown-196 = "\000\000\000A"
Tue Jun  3 16:01:46 2014: [3678] Cisco-avpair = "connect-progress=LCP Open"
Tue Jun  3 16:01:46 2014: [3678] Framed-Protocol = PPP
Tue Jun  3 16:01:46 2014: [3678] NAS-Port-Type = 36
Tue Jun  3 16:01:46 2014: [3678] Event-Timestamp = 1401825800
Tue Jun  3 16:01:46 2014: [3678] NAS-Identifier = "A9K-BNG"
Tue Jun  3 16:01:46 2014: [3678] NAS-IP-Address = 3.0.0.233
Tue Jun  3 16:01:46 2014: [3680] sending accept to 3.0.0.233/51257.64
Tue Jun  3 16:01:46 2014: [3680] Framed-Protocol = PPP
Tue Jun  3 16:01:46 2014: [3680] Service-Type = Framed-User
Tue Jun  3 16:01:46 2014: [3680] Framed-IP-Address = 1.2.3.3
Tue Jun  3 16:01:46 2014: [3680] Cisco-avpair = "ipv4:ipv4-unnumbered=Loopback0"
Tue Jun  3 16:01:46 2014: [3680] Framed-Route = "10.192.1.0 255.255.255.0 0.0.0.0 1"
Tue Jun  3 16:01:46 2014: [3680] message sent to 3.0.0.233/51257.64 code=2, length=112

*** Access Accept (code 2)

Tue Jun  3 16:01:47 2014: [3679] message received from 3.0.0.233/51257.65 code=4, length=357

** Start record !


Tue Jun  3 16:01:47 2014: [3679] Acct-Interim-Interval = 3600
Tue Jun  3 16:01:47 2014: [3679] Acct-Status-Type = Start
Tue Jun  3 16:01:47 2014: [3679] Event-Timestamp = 1401825800
Tue Jun  3 16:01:47 2014: [3679] NAS-Port-Type = 36
Tue Jun  3 16:01:47 2014: [3679] Cisco-avpair = "client-mac-address=0006.2aaa.2438"
Tue Jun  3 16:01:47 2014: [3679] Acct-Session-Id = "000000d8" << ID is same?!
Tue Jun  3 16:01:47 2014: [3679] NAS-Port = 67109350
Tue Jun  3 16:01:47 2014: [3679] NAS-Port-Id = "intf 0/100  00-06-2a-aa-24-38"
Tue Jun  3 16:01:47 2014: [3679] Vendor-Specific-9-2 = "intf 0/100  00-06-2a-aa-24-38"
Tue Jun  3 16:01:47 2014: [3679] User-Name = "dialer@cisco.com"
Tue Jun  3 16:01:47 2014: [3679] Framed-IP-Address = 1.2.3.3
Tue Jun  3 16:01:47 2014: [3679] Acct-Authentic = RADIUS
Tue Jun  3 16:01:47 2014: [3679] Cisco-avpair = "vrf-id=default"
Tue Jun  3 16:01:47 2014: [3679] Framed-Route = "10.192.1.0 255.255.255.0 0.0.0.0 1"
Tue Jun  3 16:01:47 2014: [3679] Cisco-avpair = "pppoe-session-id=86"
Tue Jun  3 16:01:47 2014: [3679] Framed-Protocol = PPP
Tue Jun  3 16:01:47 2014: [3679] Service-Type = Framed-User
Tue Jun  3 16:01:47 2014: [3679] Unknown-196 = "\000\000\000C"
Tue Jun  3 16:01:47 2014: [3679] Cisco-avpair = "connect-progress=IPCP Open"
Tue Jun  3 16:01:47 2014: [3679] NAS-Identifier = "A9K-BNG"
Tue Jun  3 16:01:47 2014: [3679] NAS-IP-Address = 3.0.0.233
Tue Jun  3 16:01:47 2014: [3679] Acct-Delay-Time = 0
Tue Jun  3 16:01:47 2014: [3679] sending acct-response to 3.0.0.233/51257.65
Tue Jun  3 16:01:47 2014: [3679] message sent to 3.0.0.233/51257.65 code=5, length=20

code 5 is accounting response

It looks ok to me, if it is truly off, then I need to see the records and know the version that you are seeing this in please.

cheers!

xander

smailmilak
Enthusiast
Enthusiast

Hi Xander,

 

have you filed a ddts for IPAM? We got two more weeks for this project. I know that you can not fix this that fast, but it would be nice to know approximately when Cisco can release a SMU on 4.3.4.

When you create the ddts I can contact our local AM to put a request to BU.

We are in trying to find a solution with IsarFlow but they are also telling that they get the same IP address just too fast. 

Artsiom Maksimenka
Community Member

Thank you very much Xander, 

We've rechecked the flow yesterday and we understand why we have different Acc-sess-ids - we authenticate or authorize one session twice before accounting. Now looking into it, will try to modify the control policy....

BR, 

Artsiom

 

xthuijs
Cisco Employee
Cisco Employee

Hi Smail, I dug up some additional information:

Curerntly in XR511, there is a recycle time of 1 minute, that means that an address returned is not used for 1 min ideally.

It could be that there is so much churn and the pool size small taht the addr gets recycled quicker, which may be what you're running into.

Adjusting this behavior will result in rather bad cps performance and extensive LC<> RP messaging for pool/addr assignment to the user.

this we rather not change preferably.

Recommendation is that if you are using 511 with that recycle timer, to enlarge the pool to allow for that timer to run to completion and having adds properly put on hold.

regards

xander

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Quick Links