xthuijs
Cisco Employee
Introduction

This document gives an overview of the vendor-specific attributes (VSAs) that can be used with the ASR9000 BNG solution. They can be sent either in the RADIUS Access-Accept message at session setup or in a CoA (Change of Authorization) request to change the behaviour of an already established session.

Vendor Specific Attributes

 

1. RADIUS Attributes for pQoS

 

[Figure: ASR9000_BNG_Attributes.jpg, the layout of the pQoS AVPair: ip:qos-policy-{in|out}=add-class(sub,(<class-list>),<qos-action-list>)]

sub: indicates that the AVPair targets the MQC policy on a subscriber session
<class-list>: identifies the class(es) to be added, removed or modified in the MQC policy; multiple classes may be specified to modify classification in a nested (child) MQC policy
<qos-action-list>: policy actions to be added to, or overwritten in, the targeted class of the MQC policy (see the table below)

Supported QoS features:
•Shaping: rate and percentage
•Policing: rate and percentage
•Marking: CoS, DSCP, IP precedence
•Queueing: minimum bandwidth, bandwidth remaining, priority, WRED, queue-limit

 

 

QoS feature | Action format in the RADIUS attribute
Shaping     | shape(<rate-in-kbps>)
            | shape-rpct(<rate-in-pct>)
Policing    | police(<conform-rate-in-kbps>,<conform-burst-in-kbytes>,<exceed-rate-in-kbps>,<exceed-burst-in-kbytes>,<conform-action>,<exceed-action>,<violate-action>)
            | police-rpct(<conform-rate-in-pct>,<conform-burst-in-us>,<exceed-rate-in-pct>,<exceed-burst-in-us>,<conform-action>,<exceed-action>,<violate-action>)
Marking     | set-cos(<cos-val>)
            | set-ip-dscp(<dscp-val>)
            | set-ip-prec(<precedence>)
Queueing    | pri-level(<priority-level>)
            | bw-rpct(<pct>)
            | bw-rratio(<ratio>)
            | bw-abs(<bw-in-kbps>)
            | bw-pct(<bw-in-pct>)
            | queue-limit(<qlimit-in-packets>)
            | queue-limit-us(<qlimit-in-us>)
            | random-detect-dscp(<dscp>)
            | random-detect-prec(<precedence>)

 

 

Example

AVPair: "ip:qos-policy-out=add-class(sub,(class-default, VIDEO_CM), set-ip-dscp(af41), bw-abs(256))"
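The AVPair syntax above is easy to get subtly wrong: an action the BNG does not know, a wrong argument count or an unbalanced parenthesis means the class change is rejected and nothing happens on the session. The following builder and parser is an added example, not code from the original document or from Cisco. The action names and argument counts are taken from the table above; the function names, the acceptance of both the ip: and subscriber: prefixes (both appear on this page) and the default target "sub" are the example's own assumptions, and the parser only checks the shape of the string, not what a given IOS XR release will accept.

```python
import re

# Action -> number of arguments, taken from the "QoS feature / action format" table above.
PQOS_ACTIONS = {
    "shape": 1, "shape-rpct": 1,
    "police": 7, "police-rpct": 7,
    "set-cos": 1, "set-ip-dscp": 1, "set-ip-prec": 1,
    "pri-level": 1, "bw-rpct": 1, "bw-rratio": 1, "bw-abs": 1, "bw-pct": 1,
    "queue-limit": 1, "queue-limit-us": 1,
    "random-detect-dscp": 1, "random-detect-prec": 1,
}

# Both prefixes occur on this page; accepting both is an assumption of this example.
_HEAD = re.compile(r"^(ip|subscriber):qos-policy-(in|out)=(add-class|remove-class)\((.*)\)$")
# One action with its parenthesised argument list, followed by a comma or the end of the list.
_ACTION = re.compile(r"\s*([a-z\-]+)\(([^()]*)\)\s*(?:,|$)")


def check_action(name, args):
    """Reject actions the BNG does not know or that carry the wrong number of arguments."""
    if name not in PQOS_ACTIONS:
        raise ValueError(f"unknown pQoS action: {name}")
    if len(args) != PQOS_ACTIONS[name]:
        raise ValueError(f"{name} takes {PQOS_ACTIONS[name]} argument(s), got {len(args)}")


def build_pqos_avpair(direction, classes, actions=(), op="add-class", prefix="ip", target="sub"):
    """Render e.g. ip:qos-policy-out=add-class(sub,(class-default, VIDEO_CM), set-ip-dscp(af41), bw-abs(256))."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    if op not in ("add-class", "remove-class"):
        raise ValueError("op must be add-class or remove-class")
    if op == "remove-class" and actions:
        raise ValueError("remove-class takes no actions")
    if not classes:
        raise ValueError("at least one class is required")
    for name, args in actions:
        check_action(name, args)
    body = f"{target},({', '.join(classes)})"
    for name, args in actions:
        body += f", {name}({','.join(str(a) for a in args)})"
    return f"{prefix}:qos-policy-{direction}={op}({body})"


def parse_pqos_avpair(avpair):
    """Parse an AVPair back into its parts, validating every action against PQOS_ACTIONS."""
    m = _HEAD.match(avpair.strip())
    if not m:
        raise ValueError("not a pQoS add-class/remove-class AVPair")
    prefix, direction, op, body = m.groups()
    target, _, rest = body.partition(",")
    rest = rest.strip()
    if not rest.startswith("(") or ")" not in rest:
        raise ValueError("missing parenthesised class list")
    close = rest.index(")")
    classes = [c.strip() for c in rest[1:close].split(",") if c.strip()]
    if not classes:
        raise ValueError("empty class list")
    tail = rest[close + 1:].strip()
    actions = []
    if tail:
        if not tail.startswith(","):
            raise ValueError(f"unexpected text after class list: {tail!r}")
        tail, pos = tail[1:], 0
        while pos < len(tail):
            am = _ACTION.match(tail, pos)
            if not am:
                raise ValueError(f"malformed action list near {tail[pos:]!r}")
            name, argstr = am.group(1), am.group(2)
            args = [a.strip() for a in argstr.split(",")] if argstr.strip() else []
            check_action(name, args)
            actions.append((name, args))
            pos = am.end()
    if op == "remove-class" and actions:
        raise ValueError("remove-class must not carry actions")
    return {"prefix": prefix, "direction": direction, "op": op, "target": target.strip(),
            "classes": classes, "actions": actions}


if __name__ == "__main__":
    s = build_pqos_avpair("out", ["class-default", "VIDEO_CM"],
                          [("set-ip-dscp", ["af41"]), ("bw-abs", [256])])
    print(s)
    print(parse_pqos_avpair(s))
```

Running the parser over the AVPairs a RADIUS server is about to hand out (or over the strings found in its profile database) catches the malformed ones before they reach the BNG, where the only symptom is a session without the intended class.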

 

 

2. VSAs for account operations (services and logon/logoff)

 

 

Primitive: Account Logon
  authentication cpe12 CoA cisco123
  attribute 44 "<string>"                               <<< Accounting Session ID
  vsa cisco generic 1 string "subscriber:command=account-logon"

Primitive: Account Logoff
  attribute 44 "<string>"                               <<< Accounting Session ID
  vsa cisco generic 1 string "subscriber:command=account-logoff"

Primitive: Account Update (used to change a profile)
  attribute 44 "<string>"                               <<< Accounting Session ID
  vsa cisco generic 1 string "subscriber:command=account-update"
  <radius attributes to set/update>

Primitive: Service Activate
  attribute 44 "<string>"                               <<< Accounting Session ID
  vsa cisco generic 1 string "subscriber:sa=<service-name>"

Primitive: Service De-Activate
  attribute 44 "<string>"                               <<< Accounting Session ID
  vsa cisco generic 1 string "subscriber:sd=<service-name>"

 

 

Each of these primitives reports an event to the control policy (policy-map type control subscriber), so the policy can react to it:

 

RP/0/RSP0/CPU0:A9K-BNG(config-pmap)#event ?

  account-logoff              Account logoff event

  account-logon               Account logon event

  authentication-failure      Authentication failure event

  authentication-no-response  Authentication no response event

  authorization-failure       Authorization failure event

  authorization-no-response   Authorization no response event

  exception                   Exception event

  service-start               Service start event

  service-stop                Service stop event

  session-activate            Session activate event

  session-start               Session start event

  session-stop                Session stop event

  timer-expiry                Timer expiry event

 

Note

The Accounting Session ID (attribute 44, Acct-Session-Id) is the preferred session identifier in a CoA request. You can also key on the subscriber's framed IP address and, if applicable, the VRF (IPv4 only):

Attribute 8: Framed-IP-Address

and starting with 4.2.1:

Attribute 8: Framed-IP-Address + AVPair: ip:vrf-id=<vrf name>

 

Template comparison to RADIUS attribute

Attr = IETF RADIUS attribute number; "26 (9,1)" means Vendor-Specific (26) with vendor 9 (Cisco) and vendor-type 1 (Cisco-AVPair).

Operation | Dynamic template cmd | Attr | RADIUS attribute

Service Activation
Service Activation | N/A | 26 (9,1) | subscriber:sa=<service-name>

Network Forwarding
IP address source intf | ipv4 unnumbered <interface> | 26 (9,1) | ipv4:ipv4-unnumbered=<interface>
PPP framed address | N/A | 8 | framed-ip-address=<IPv4 address>
PPP address pool | ppp ipcp peer-address pool <addr pool> | 26 (9,1) | ipv4:addr-pool=<addr pool name>
PPP framed pool | N/A | 88 | framed-pool=<addr pool name>
PPP framed route | N/A | 22 | framed-route=<subnet> <mask>
VRF | vrf <vrf name> | 26 (9,1) | subscriber:vrf-id=<vrf name>
IPv4 DNS | ppp ipcp dns <primary dns ip> <secondary dns ip> | 26 (9,1) | ip:primary-dns=<primary dns ip> and ip:secondary-dns=<secondary dns ip>
DHCP classname | N/A | 26 (9,1) | subscriber:classname=<dhcp-class-name>

Traffic Accounting
Accounting | accounting aaa list <method list> type session | 26 (9,1) | subscriber:accounting-list=<method list>
Interim interval | accounting aaa list <method list> type session periodic-interval <minutes> | 85 | Acct-Interim-Interval=<seconds> (the RADIUS attribute is in seconds per RFC 2869; the template command takes minutes)
Dual-stack accounting start delay | accounting aaa list <method list> type session dual-stack-delay <secs> | 26 (9,1) | subscriber:dual-stack-delay=<sec>

Session Administration
Keepalives | keepalive <sec> | 26 (9,1) | subscriber:keepalive=interval<sec>  (NOT SUPPORTED / not implemented)
Absolute timeout | ppp timeout absolute <sec> | 27 | session-timeout=<sec>
Idle timeout | timeout idle <sec> | 28 | idle-timeout=<sec>

Traffic Conditioning
HQoS (with SPI) | service-policy input <in_mqc_name> shared-policy-instance <spi-name>; service-policy output <out_mqc_name> shared-policy-instance <spi-name> | 26 (9,1) | subscriber:sub-qos-policy-in=<in_mqc_name> [shared-policy-instance <spi-name>]; subscriber:sub-qos-policy-out=<out_mqc_name> [shared-policy-instance <spi-name>]
pQoS | N/A | 26 (9,1) | subscriber:qos-policy-in=add-class(<target policy>,(<class-list>),<qos-action-list>); subscriber:qos-policy-in=remove-class(<target policy>,(<class-list>)); likewise subscriber:qos-policy-out=add-class(...) and subscriber:qos-policy-out=remove-class(...)
Subscriber ACLs/ABF | ipv4 access-group <in_acl_name> in; ipv4 access-group <out_acl_name> out; ipv6 access-group <in_v6acl_name> in; ipv6 access-group <out_v6acl_name> out | 26 (9,1) | ipv4:inacl=<in_acl_name>; ipv4:outacl=<out_acl_name>; ipv6:ipv6_inacl=<in_v6acl_name>; ipv6:ipv6_outacl=<out_v6acl_name>
HTTP-R | service-policy type pbr <HTTP-R policy name> | 26 (9,1) | subscriber:sub-pbr-policy-in=<HTTP-R policy name>

 

 

IPv6 Attributes

Attribute | Defined by | Received in | IPv6 client | Address assignment | Dynamic template equivalent config
Framed-Interface-Id (96) | RFC 3162 | Access-Accept | PPPoE | Any | ppp ipv6cp peer-interface-id <64-bit #>
Framed-IPv6-Prefix (97) | RFC 3162 | Access-Accept | PPPoE | SLAAC | N.A.
Framed-IPv6-Route (99) | RFC 3162 | Access-Accept, CoA | Any | Any | N.A.
Framed-IPv6-Pool (100) | RFC 3162 | Access-Accept | PPPoE | SLAAC | ipv6 nd framed-prefix-pool <name>
Framed-IPv6-Address (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCPv6 (local server) | N.A.
Stateful-IPv6-Address-Pool (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCPv6 (local server) | dhcpv6 address-pool <name>
Delegated-IPv6-Prefix-Pool (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCPv6 (local server) | dhcpv6 delegated-prefix-pool <name>
DNS-Server-IPv6-Address (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCPv6 (local server) | to be configured in the DHCPv6 server profile
Delegated-IPv6-Prefix (123) | RFC 4818 | Access-Accept | PPPoE, IPoE | DHCPv6 (local server) | N.A.

 

NOTE

(*) At the time of writing the IETF had not yet allocated numeric values for the attributes newly defined in draft-ietf-radext-ipv6-access-*. The following Cisco VSAs were defined temporarily to close that gap:

Framed-IPv6-Address          "ipv6:addrv6=<ipv6 address>"
Stateful-IPv6-Address-Pool   "ipv6:stateful-ipv6-address-pool=<name>"
Delegated-IPv6-Prefix-Pool   "ipv6:delegated-ipv6-pool=<name>"
DNS-Server-IPv6-Address      "ipv6:ipv6-dns-servers-addr=<ipv6 address>"

The draft has since been published as RFC 6911, which allocates standard attribute numbers for these; whether a given IOS XR release accepts the standard attributes or still needs the VSAs is release-dependent, so check the release's documentation before switching the RADIUS profile over.

 

RADIUS accounting bytes and packets

The following accounting attributes pertain to byte and packet accounting for the ASR9000 solution. The IETF attributes carry the session totals; the Cisco VSAs break the same counters down per protocol, which is what makes them useful for IPv6.

Attribute | Defined by | Description
Acct-Input-Octets (42) | RFC 2866 | Session input total byte count
Acct-Input-Packets (47) | RFC 2866 | Session input total packet count
Acct-Output-Octets (43) | RFC 2866 | Session output total byte count
Acct-Output-Packets (48) | RFC 2866 | Session output total packet count
Cisco VSA (26,9,1): acct-input-octets-ipv4 | Cisco | Session input IPv4 byte count
Cisco VSA (26,9,1): acct-input-packets-ipv4 | Cisco | Session input IPv4 packet count
Cisco VSA (26,9,1): acct-output-octets-ipv4 | Cisco | Session output IPv4 byte count
Cisco VSA (26,9,1): acct-output-packets-ipv4 | Cisco | Session output IPv4 packet count
Cisco VSA (26,9,1): acct-input-octets-ipv6 | Cisco | Session input IPv6 byte count
Cisco VSA (26,9,1): acct-input-packets-ipv6 | Cisco | Session input IPv6 packet count
Cisco VSA (26,9,1): acct-output-octets-ipv6 | Cisco | Session output IPv6 byte count
Cisco VSA (26,9,1): acct-output-packets-ipv6 | Cisco | Session output IPv6 packet count
Cisco VSA (26,9,1): connect-progress | Cisco | Indicates session setup connection progress
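On the collector side the useful check is that the two views of the table above agree: for each direction and unit, the IETF total should equal the IPv4 plus the IPv6 count from the Cisco VSAs, and a missing per-protocol counter usually means the VSAs are not being sent. The decoder below is an added example, not code from the original document or from Cisco. It assumes the Cisco counters arrive as Cisco-AVPair strings in "name=value" form, it adds the RFC 2869 Acct-Input/Output-Gigawords attributes (52/53) that the page does not list but that any session past 4 GiB needs, and the sample attribute bytes are constructed inline, not a real capture.

```python
import struct

# IETF counters (RFC 2866) from the table above, plus the Gigawords (RFC 2869) that carry the
# upper 32 bits of the octet counters. The Gigawords are an addition of this example.
IETF_COUNTERS = {
    42: "Acct-Input-Octets", 43: "Acct-Output-Octets",
    47: "Acct-Input-Packets", 48: "Acct-Output-Packets",
    52: "Acct-Input-Gigawords", 53: "Acct-Output-Gigawords",
}
# Cisco-AVPair per-protocol counters from the table above; the "name=value" rendering is an assumption.
CISCO_COUNTERS = {
    "acct-input-octets-ipv4", "acct-input-packets-ipv4",
    "acct-output-octets-ipv4", "acct-output-packets-ipv4",
    "acct-input-octets-ipv6", "acct-input-packets-ipv6",
    "acct-output-octets-ipv6", "acct-output-packets-ipv6",
}
VENDOR_SPECIFIC, CISCO, CISCO_AVPAIR = 26, 9, 1


def parse_attributes(data):
    """Walk the attribute section of a RADIUS packet and return a list of (name, value) pairs."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > len(data):
            raise ValueError(f"bad length {l} for attribute {t}")
        v = data[pos + 2:pos + l]
        if t in IETF_COUNTERS:
            if len(v) != 4:
                raise ValueError(f"{IETF_COUNTERS[t]} must be 4 bytes")
            out.append((IETF_COUNTERS[t], struct.unpack("!I", v)[0]))
        elif t == VENDOR_SPECIFIC and len(v) >= 6:
            vendor = struct.unpack("!I", v[:4])[0]
            vpos = 4
            while vpos + 2 <= len(v):               # several sub-attributes may share one VSA
                vt, vl = v[vpos], v[vpos + 1]
                if vl < 2 or vpos + vl > len(v):
                    raise ValueError("bad vendor sub-attribute length")
                sub = v[vpos + 2:vpos + vl]
                if vendor == CISCO and vt == CISCO_AVPAIR:
                    out.append(("Cisco-AVPair", sub.decode(errors="replace")))
                else:
                    out.append((f"VSA-{vendor}-{vt}", sub))
                vpos += vl
        else:
            out.append((f"attr-{t}", v))
        pos += l
    return out


def session_counters(data):
    """Return (ietf_totals, cisco_per_protocol); octet totals are 64-bit, reassembled from the Gigawords."""
    ietf, cisco = {}, {}
    for name, value in parse_attributes(data):
        if name in IETF_COUNTERS.values():
            ietf[name] = value
        elif name == "Cisco-AVPair":
            key, sep, num = value.partition("=")
            if sep and key in CISCO_COUNTERS and num.isdigit():
                cisco[key] = int(num)
    totals = {
        "input-octets": (ietf.get("Acct-Input-Gigawords", 0) << 32) | ietf.get("Acct-Input-Octets", 0),
        "output-octets": (ietf.get("Acct-Output-Gigawords", 0) << 32) | ietf.get("Acct-Output-Octets", 0),
        "input-packets": ietf.get("Acct-Input-Packets", 0),
        "output-packets": ietf.get("Acct-Output-Packets", 0),
    }
    return totals, cisco


def reconcile(data):
    """List the counters where the IETF total != IPv4 + IPv6 from the Cisco VSAs (empty list = consistent)."""
    totals, cisco = session_counters(data)
    problems = []
    for key, total in totals.items():
        direction, unit = key.split("-")            # e.g. "input", "octets"
        v4 = cisco.get(f"acct-{direction}-{unit}-ipv4")
        v6 = cisco.get(f"acct-{direction}-{unit}-ipv6")
        if v4 is None or v6 is None:
            problems.append(f"{key}: per-protocol VSAs missing (radius-server vsa send not configured?)")
        elif v4 + v6 != total:
            problems.append(f"{key}: total {total} != ipv4 {v4} + ipv6 {v6}")
    return problems


# Constructed sample Accounting-Request attributes (not a real capture).
def _attr(t, v):
    return struct.pack("!BB", t, len(v) + 2) + v

def _u32(t, n):
    return _attr(t, struct.pack("!I", n))

def _cisco(text):
    p = text.encode()
    return _attr(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO, CISCO_AVPAIR, len(p) + 2) + p)

SAMPLE_OK = b"".join([
    _attr(44, b"00000001"),                                  # Acct-Session-Id
    _u32(52, 1), _u32(42, 5_000_000),                        # input octets = 1 * 2^32 + 5_000_000
    _u32(43, 800_000), _u32(47, 3_000_000), _u32(48, 1_000),
    _cisco("acct-input-octets-ipv4=4000000000"), _cisco("acct-input-octets-ipv6=299967296"),
    _cisco("acct-output-octets-ipv4=500000"), _cisco("acct-output-octets-ipv6=300000"),
    _cisco("acct-input-packets-ipv4=2000000"), _cisco("acct-input-packets-ipv6=1000000"),
    _cisco("acct-output-packets-ipv4=600"), _cisco("acct-output-packets-ipv6=400"),
])
# Same record with the IPv6 output octets zeroed: reconcile() should flag output-octets only.
SAMPLE_BAD = SAMPLE_OK.replace(_cisco("acct-output-octets-ipv6=300000"), _cisco("acct-output-octets-ipv6=0"))

if __name__ == "__main__":
    print(session_counters(SAMPLE_OK))
    print(reconcile(SAMPLE_OK), reconcile(SAMPLE_BAD))
```

A collector that only stores the IETF attributes keeps correct session totals (that is the point made in the comments below); the reconciliation is what tells you whether the per-protocol VSAs are actually arriving and whether a counter wrapped without its Gigawords being accounted for.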

3. Dynamic route insertion

 

RADIUS attribute examples for the different types of framed route:

PPPoE IPv6 route
Framed-IPv6-Route = "45:1:1:1:2:3:4:5/128 :: 4 tag 5"

PPPoE IPv4 route
Framed-Route = "45.1.6.0 255.255.255.0 0.0.0.0 6 tag 7"

IPoE IPv4 route (in a VRF)
Framed-Route = "vrf vpn1 45.1.4.0/24 vrf vpn1 0.0.0.0 4 tag 5"

 

4. Route redistribution (please don't!)

 

router bgp 100

address-family ipv4 unicast

  redistribute subscriber <route-policy>

 

Xander Thuijs CCIE#6775

Principal Engineer, ASR9000

Comments
xthuijs (Cisco Employee)

yeah this will work, but you'd want to add the ip addr of the xyz server in the redirect to the open garden, otherwise we want to try to redirect the redirect :)

so if the redirect server is in the open garden, that http traffic will be excluded from the intercept for redirect.

xander

wilsonribeiro (Beginner)

I'm a bit confused.

In my case, they use PPP to connect so I wouldn't need a walled garden. I simply want to redirect all www requests to the portal (which is a SAC portal) and block every other traffic (except www and domain). I'm pushing this policy via RADIUS to the subscriber. So I have only the dynamic template ppp.

What I need to correct in my config?

xthuijs (Cisco Employee)

when you make the config part of the dynamic template that gets applied to the subscriber, it is hard to remove that part of the service when it is no longer needed.

for that reason it is best to:

- apply the static config for the session like dns, ip addr, authentication method to a dynamic template that you apply during session-start for ppp subscribers

- apply a service template containing the redirect config at session activate stage

this so you can remove this service at a given time in case the user has paid their bill or whatever.

for the redirect service itself, you can of course intercept the www request and redirect it, but the www connection to the redirect server you want to exempt from that redirect policy otherwise you'll be redirecting the redirect and the user never will be able to connect with the portal.

to block all other traffic you can do a simple ACL.

ipv4 access-list MYLIST
 10 permit tcp any any eq www
 20 deny ipv4 any any

and for the redirect, you can check this for some config and overview:

BNG: https://www.youtube.com/watch?v=IkCv7fpaBgc

and

REDIRECT: https://www.youtube.com/watch?v=Z_Hw9i_TcGY

cheers!

xander

wilsonribeiro (Beginner)

Ok, I did almost everything you said.

However, for testing purposes, I put the service-policy type pbr redirect in the dynamic template and it worked fine for every connection.

You say to "apply a service template containing the redirect config at session activate stage".

But I would like to "insert" this policy only for the PPP subscribers who receive a Cisco AVPair from RADIUS.

How can I do that?

wilsonribeiro (Beginner)

I did this:

policy-map type control subscriber politicaPPP
 event session-start match-all
  class type control subscriber classePPP do-until-failure
   1 activate dynamic-template defaultPPPTEMP
  !
 !
 event session-activate match-all
  class type control subscriber classePPP do-until-failure
   10 authenticate aaa list default
   20 authorize aaa list default format FULL_AUTH password use-from-line
   30 activate dynamic-template REDIRECT
  !
 !
 end-policy-map
!
end

dynamic-template
 type ppp defaultPPPTEMP
  ppp authentication pap
  ppp ipcp dns X.X.X.X
  ppp ipcp peer-address pool POOLIP
  accounting aaa list default type session periodic-interval 60
  ipv4 unnumbered TenGigE0/0/2/0
 !
 type service REDIRECT
  service-policy type pbr polREDIRECIONAMENTO
 !
!

How can I then "deactivate" this dynamic-template using a Cisco AVPair?

aryabakka1 (Beginner)

Hi @xthuijs

That was a good document which made me understand all the way through, but I have a question:

what is the exact parameter the BNG needs to enable the dynamic template and the interim template?

Please let me know, thanks.

xthuijs (Cisco Employee)

hi!

for the activation of a dynamic template you can use:

cisco-avpair="subscriber:sa=TEMPLATENAME"

 

sa means service activate.

 

cheers!

xander

mikebrsnet (Beginner)

Hello Xander,

 

Very interesting documentation! Well done! I have a question regarding the IPv6 octets on the ASR9K. As far as I understand, the ASR9K supports the RFC attributes as well as the proprietary ones (under attribute 26). Are both attributes sent to the AAA, or by default does the platform send only the proprietary ones (regarding IPv6 traffic)? If so, how can we configure it to send both the RFC attributes along with the proprietary ones in IOS XR 6.2.3?

xthuijs (Cisco Employee)

hey mike!
thanks for the note! :)
the IPv6 octets/packets RFC-specified RADIUS attributes should be supported by default.
the VSAs are included if you configure radius-server vsa send.
the VSAs are a bit easier as they dissect the v4 and the v6 and give you, together with the RFC acct-input/output octets/packets, a summary (total) and specific per protocol.
cheers!
xander
mikebrsnet (Beginner)

 

Hi Xander,

 

So you agree that the IETF attributes acct-input/output-octets are the total octets in the session, including either protocol (v4, v6 or v4/v6). If this is the case I don't need to configure anything, as I see this in the debugs. So a RADIUS server which honours only the IETF attributes will understand and store the session octets for any protocol. Also, the command (if I understood correctly) radius-server vsa send does not work on the ASR9k.

dakotacole (Beginner)

Hello Xander,

 

Thanks for all the fantastic responses in this thread. I'm working with IOS XR 6.4.2 on getting a simple HTTP redirect set up with a PBR policy on an interface, no PPPoE; I just want all traffic on this interface to redirect to the HTTP destination, as I already have the mechanism that puts a subscriber on this interface working. For example: a customer doesn't pay their bill, my provisioning mechanism puts them on VLAN 999 and that VLAN redirects them to a web page that requires payment; once payment is taken my provisioning mechanism puts them back on the production VLAN 600. I have a TAC case open (SR 687314475) because I'm attempting to attach the PBR policy to an interface with a service policy and for some reason as soon as I do, the bundle won't come back up...

 

Please see my config. Any tips would be greatly appreciated. 

 

interface Bundle-Ether3

description TEST Bundle

 

interface Bundle-Ether3.597
description Walled Garden Testing
service-policy type pbr input PM_httpr-policy
vrf mgmt
ipv4 address 172.20.134.1 255.255.255.0
encapsulation dot1q 597
!

ipv4 access-list ACL_httpr
10 permit tcp any any eq www syn
20 permit tcp any any eq www ack
30 permit tcp any any eq www
!

 

ipv4 access-list ACL_redirect-allow
10 permit tcp any 172.20.134.0 0.255.255.255 eq www
40 permit udp any any eq domain
!

 


class-map type traffic match-any CM_httpr-class
match access-group ipv4 ACL_httpr
end-class-map
!

class-map type traffic match-any CM_redirect-allow
match access-group ipv4 ACL_redirect-allow
end-class-map
!


policy-map type pbr PM_httpr-policy
class type traffic CM_redirect-allow
transmit
!
class type traffic CM_httpr-class
http-redirect http://172.20.69.3/Login.html
!
class type traffic class-default
drop
!
end-policy-map
!

 

interface GigabitEthernet0/0/0/1
bundle id 3 mode active

 

 

 

sh int des

Mon Sep 23 17:46:42.289 UTC

Interface Status Protocol Description
--------------------------------------------------------------------------------
BE1 up up CORE: Uplink to COREMONTCO1
BE1.4 up up CORE: Link to MONTRCO1 ASR IPV4
BE1.6 up up CORE: Link to MONTRCO1 ASR IPV6
BE1.499 up up UPLINK: 10G to Te0/0/0/0.CORE1MNTRCO
BE2 down down GPON: LAB E720
BE3 down down REDIRECT TEST
BE3.597 down down Walled Garden Testing
BE4 down down TEST Bundle
Lo0 up up LOOPBACK: Public
Lo1 up up OSPF: Loopback Interface
Lo3 up up
Lo6 up up
Nu0 up up
Mg0/RSP0/CPU0/0 admin-down admin-down
Mg0/RSP0/CPU0/1 admin-down admin-down
Gi0/0/0/0 down down TEST: Interface to Dakotas Cude
Gi0/0/0/1 up up
Gi0/0/0/2 admin-down admin-down
Gi0/0/0/3 admin-down admin-down
Gi0/0/0/4 admin-down admin-down
Gi0/0/0/5 admin-down admin-down
Gi0/0/0/6 admin-down admin-down
Gi0/0/0/7 admin-down admin-down
Gi0/0/0/8 admin-down admin-down
Gi0/0/0/9 admin-down admin-down
Gi0/0/0/10 admin-down admin-down
Gi0/0/0/11 admin-down admin-down
Gi0/0/0/12 admin-down admin-down
Gi0/0/0/13 admin-down admin-down
Gi0/0/0/14 admin-down admin-down
Gi0/0/0/15 admin-down admin-down
Gi0/0/0/16 admin-down admin-down
Gi0/0/0/17 admin-down admin-down
Gi0/0/0/18 admin-down admin-down
Gi0/0/0/19 admin-down admin-down
Te0/0/2/0 up up
Te0/0/2/1 admin-down admin-down
Te0/0/2/2 admin-down admin-down
Te0/0/2/3 admin-down admin-down

 

 

 

masretnoko (Beginner)

Hi Xander,
I'm upgrading the BNG from ASR9006 6.4.2 to ASR9901 7.5.2.
I found an issue with the default gateway not being installed for the subscribers.
From debug radius and a packet capture I know that the VSA has been received by the BNG, but somehow it is not sent to the subscriber in the DHCP offer.
I'm assuming that my new BNG cannot decode the gateway VSA correctly.

VSA: t=Cisco-AVPair(1) l=41 val=ipv4:ipv4-default-gateway=103.X.X.X

I have opened a TAC case and sent them debug dhcp and debug radius, but it's not resolved yet. The SR number is 694251420.
Could you help with this?
Is there any different behaviour in BNG 6.4.2 (32-bit) compared to 6.5.2 (64-bit)?

 
