xthuijs
Cisco Employee
Introduction

This document provides an overview of the Vendor Specific Attributes (VSAs) that can be used in the ASR9000 BNG solution. They can be sent either in the RADIUS Access-Accept message or in CoA requests to change the behavior of a session.

Vendor Specific Attributes

 

1. RADIUS Attributes for pQoS

 

[Figure: ASR9000_BNG_Attributes.jpg, format of the pQoS AVPair]

sub: indicates that the AVPair targets the MQC policy on a subscriber session
<class-list>: identifies the class to be added, removed or modified in the MQC policy
Multiple classes may be specified to modify classification in a nested (child) MQC policy
<qos-action-list>: policy actions to be added/overwritten in the targeted class of the MQC policy (see table below)

Supported QoS features:
• Shaping rate and percentage
• Policing rate and percentage
• Marking (CoS, DSCP, IP Prec)
• Queueing (minBW, BW remaining, priority, WRED, queue-limit)

 

 

QoS Feature   Action format in RADIUS attribute
Shaping       shape(<rate-in-kbps>)
              shape-rpct(<rate-in-pct>)
Policing      police-rpct(<conform-rate-in-pct>,<conform-burst-in-us>,<exceed-rate-in-pct>,<exceed-burst-in-us>,<conform-action>,<exceed-action>,<violate-action>)
              police(<conform-rate-in-kbps>,<conform-burst-in-kBytes>,<exceed-rate-in-kbps>,<exceed-burst-in-kBytes>,<conform-action>,<exceed-action>,<violate-action>)
Marking       set-cos(<cos-val>)
              set-ip-dscp(<dscp-val>)
              set-ip-prec(<precedence>)
Queuing       pri-level(<priority-level>)
              bw-rpct(<pct>)
              bw-rratio(<ratio>)
              bw-abs(<bw-in-kbps>)
              bw-pct(<bw-in-pct>)
              queue-limit(<qlimit-in-packets>)
              queue-limit-us(<qlimit-in-us>)
              random-detect-dscp(<dscp>)
              random-detect-prec(<precedence>)

 

 

Example

AVPair: "ip:qos-policy-out=add-class(sub,(class-default, VIDEO_CM), set-ip-dscp(af41), bw-abs(256))"
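As an added example (my code, not from the original document or from Cisco), a small Python builder and parser for the pQoS AVPair format above: the action names and argument counts come from the table, the sub/<class-list> structure from the explanation preceding it, and the function names are my own. Validating the string before a provisioning system places it in an Access-Accept or CoA keeps a malformed policy change from reaching a live session.

```python
import re

# Action keywords and argument counts from the "Action format in RADIUS
# attribute" table above: policing takes seven fields, everything else one.
PQOS_ACTIONS = {
    "shape": 1, "shape-rpct": 1, "police": 7, "police-rpct": 7,
    "set-cos": 1, "set-ip-dscp": 1, "set-ip-prec": 1, "pri-level": 1,
    "bw-rpct": 1, "bw-rratio": 1, "bw-abs": 1, "bw-pct": 1, "queue-limit": 1,
    "queue-limit-us": 1, "random-detect-dscp": 1, "random-detect-prec": 1,
}
_HEAD_RE = re.compile(r"(ip|subscriber):qos-policy-(in|out)=(add-class|remove-class)\((.*)\)")
_BODY_RE = re.compile(r"\s*(\w+)\s*,\s*\(([^()]*)\)\s*(?:,(.*))?", re.S)
_ACTION_RE = re.compile(r"\s*([a-z-]+)\(([^()]*)\)\s*")

def _check_action(name, args):
    """Reject action names or argument counts not in the supported-features table."""
    if name not in PQOS_ACTIONS:
        raise ValueError(f"unsupported pQoS action: {name}")
    if len(args) != PQOS_ACTIONS[name]:
        raise ValueError(f"{name} takes {PQOS_ACTIONS[name]} argument(s), got {len(args)}")

def build_pqos_avpair(direction, classes, actions=(), op="add-class", prefix="ip"):
    """Render <prefix>:qos-policy-<dir>=<op>(sub,(<class-list>), <qos-action-list>)."""
    if direction not in ("in", "out") or op not in ("add-class", "remove-class"):
        raise ValueError("direction must be in/out, op add-class/remove-class")
    if op == "remove-class" and actions:
        raise ValueError("remove-class takes no actions")
    parts = ["sub,(" + ", ".join(classes) + ")"]   # 'sub' = subscriber session policy
    for name, args in actions:
        _check_action(name, args)
        parts.append(f"{name}({','.join(args)})")
    return f"{prefix}:qos-policy-{direction}={op}({', '.join(parts)})"

def parse_pqos_avpair(avpair):
    """Parse and validate an AVPair string; raises ValueError on anything off-table."""
    m = _HEAD_RE.fullmatch(avpair.strip())
    if not m:
        raise ValueError("not a qos-policy-in/out add-class or remove-class AVPair")
    prefix, direction, op, body = m.groups()
    bm = _BODY_RE.fullmatch(body)
    if not bm or bm.group(1) != "sub":
        raise ValueError("expected sub,(<class-list>)[, <qos-action-list>]")
    classes = [c.strip() for c in bm.group(2).split(",") if c.strip()]
    actions, rest = [], bm.group(3) or ""
    while rest.strip():
        am = _ACTION_RE.match(rest)
        if not am:
            raise ValueError(f"malformed action near {rest.strip()!r}")
        args = [a.strip() for a in am.group(2).split(",")] if am.group(2).strip() else []
        _check_action(am.group(1), args)
        actions.append((am.group(1), args))
        rest = rest[am.end():]
        if rest and not rest.startswith(","):
            raise ValueError("actions must be comma separated")
        rest = rest[1:]
    if op == "remove-class" and actions:
        raise ValueError("remove-class takes no actions")
    return {"prefix": prefix, "direction": direction, "op": op,
            "classes": classes, "actions": actions}
```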

 

 

2. VSAs for Account operations (services and logon/off)

 

 

Primitive            RADIUS AVPs
Account Logon        authentication cpe12 CoA cisco123
                     attribute 44 "<string>"                                    <<< Accounting Session ID
                     vsa cisco generic 1 string "subscriber:command=account-logon"
Account Logoff       attribute 44 "<string>"                                    <<< Accounting Session ID
                     vsa cisco generic 1 string "subscriber:command=account-logoff"
Account Update       attribute 44 "<string>"                                    <<< Accounting Session ID
(used to change      vsa cisco generic 1 string "subscriber:command=account-update"
a profile)           <radius attributes to set/update>
Service Activate     attribute 44 "<string>"                                    <<< Accounting Session ID
                     vsa cisco generic 1 string "subscriber:sa=<service-name>"
Service De-Activate  attribute 44 "<string>"                                    <<< Accounting Session ID
                     vsa cisco generic 1 string "subscriber:sd=<service-name>"

 

 

All the operations in the first column report an event to the control policy:

 

RP/0/RSP0/CPU0:A9K-BNG(config-pmap)#event ?
  account-logoff              Account logoff event
  account-logon               Account logon event
  authentication-failure      Authentication failure event
  authentication-no-response  Authentication no response event
  authorization-failure       Authorization failure event
  authorization-no-response   Authorization no response event
  exception                   Exception event
  service-start               Service start event
  service-stop                Service stop event
  session-activate            Session activate event
  session-start               Session start event
  session-stop                Session stop event
  timer-expiry                Timer expiry event

 

Note

The Accounting Session ID is the preferred session identifier. You can also use the Framed-IP-Address to key on the subscriber, together with the VRF if applicable (IPv4 only):

Attribute 8: Framed-IP-Address

and starting with release 4.2.1:

Attribute 8: Framed-IP-Address + AVPair: ip:vrf-id=<vrf name>
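An added example (my code, not from the document or from Cisco) of what the primitives above look like on the wire: a CoA-Request (RFC 5176, code 43) keyed on attribute 44 and carrying each subscriber: command as a Cisco-AVPair (Vendor-Specific 26, vendor 9, vendor-type 1), plus the authenticator check a receiving BNG performs before acting on it. The session id, shared secret and service name are constructed sample values.

```python
import hashlib
import struct

# RFC 5176 CoA-Request code; RFC 2865 attribute types used by the primitives above.
COA_REQUEST = 43
ACCT_SESSION_ID = 44      # "attribute 44" in the table: the preferred session key
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9       # "vsa cisco generic 1" = vendor 9, vendor-type 1 (Cisco-AVPair)
CISCO_AVPAIR = 1

def attribute(atype, value):
    """Type-Length-Value attribute; Length covers the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", atype, 2 + len(value)) + value

def cisco_avpair(text):
    """Vendor-Specific (26) wrapping Cisco vendor-type 1 with the AVPair text."""
    payload = text.encode()
    if len(payload) > 247:    # 253 minus the 6-octet vendor header
        raise ValueError("AVPair too long for one VSA")
    vendor = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(payload)) + payload
    return attribute(VENDOR_SPECIFIC, vendor)

def build_coa_request(identifier, secret, acct_session_id, avpairs):
    """CoA-Request keyed on Acct-Session-Id carrying one Cisco-AVPair per command."""
    attrs = attribute(ACCT_SESSION_ID, acct_session_id.encode())
    attrs += b"".join(cisco_avpair(a) for a in avpairs)
    header = struct.pack("!BBH", COA_REQUEST, identifier & 0xFF, 20 + len(attrs))
    # RFC 5176 2.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def verify_coa_request(packet, secret):
    """What the BNG does on receipt: recompute the authenticator with its shared secret."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    if len(packet) != struct.unpack("!H", header[2:4])[0]:
        return False
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == auth

def decode_attributes(packet):
    """Walk the TLVs; returns [(name, text)] for Acct-Session-Id and Cisco-AVPairs."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("truncated attribute")
        value = packet[pos + 2:pos + alen]
        if atype == ACCT_SESSION_ID:
            out.append(("acct-session-id", value.decode()))
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vid, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vid == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                out.append(("cisco-avpair", value[6:4 + vlen].decode()))
        pos += alen
    return out
```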

 

Template comparison to RADIUS attribute

Each entry lists the operation, the equivalent dynamic-template command, and the RADIUS attribute (attribute number, vendor/type for VSAs, and value).

Service Activation

  Service Activation
    Dynamic Template cmd: N/A
    RADIUS Attribute: 26 (9,1) subscriber:sa=<service-name>

Network Forwarding

  IP address source intf
    Dynamic Template cmd: ipv4 unnumbered <interface>
    RADIUS Attribute: 26 (9,1) ipv4:ipv4-unnumbered=<interface>

  PPP framed address
    Dynamic Template cmd: N/A
    RADIUS Attribute: 8 framed-ip-address=<IPv4 address>

  PPP Address Pool
    Dynamic Template cmd: ppp ipcp peer-address pool <addr pool>
    RADIUS Attribute: 26 (9,1) ipv4:addr-pool=<addr pool name>

  PPP framed pool
    Dynamic Template cmd: N/A
    RADIUS Attribute: 88 framed-pool=<addr pool name>

  PPP framed route
    Dynamic Template cmd: N/A
    RADIUS Attribute: 22 framed-route=<subnet><mask>

  VRF
    Dynamic Template cmd: vrf <vrf name>
    RADIUS Attribute: 26 (9,1) subscriber:vrf-id=<vrf name>

  V4 DNS
    Dynamic Template cmd: ppp ipcp dns <primary dns ip> <secondary dns ip>
    RADIUS Attribute: 26 (9,1) ip:primary-dns=<primary dns ip>
                      26 (9,1) ip:secondary-dns=<secondary dns ip>

  DHCP classname
    Dynamic Template cmd: N/A
    RADIUS Attribute: 26 (9,1) subscriber:classname=<dhcp-class-name>

Traffic Accounting

  Accounting
    Dynamic Template cmd: accounting aaa list <method list> type session
    RADIUS Attribute: 26 (9,1) subscriber:accounting-list=<method list>

  Interim Interval
    Dynamic Template cmd: accounting aaa list <method list> type session periodic-interval <minutes>
    RADIUS Attribute: 85 Acct-Interim-Interval <minutes>

  Dual Stack Accnt Start Delay
    Dynamic Template cmd: accounting aaa list <method list> type session dual-stack-delay <secs>
    RADIUS Attribute: subscriber:dual-stack-delay=<sec>

Session Administration

  keepalives
    Dynamic Template cmd: keepalive <sec>
    RADIUS Attribute: 26 (9,1) subscriber:keepalive=interval<sec>
    NOT SUPPORTED/Implemented

  Absolute Timeout
    Dynamic Template cmd: ppp timeout absolute <sec>
    RADIUS Attribute: 27 session-timeout=<sec>

  Idle Timeout
    Dynamic Template cmd: timeout idle <sec>
    RADIUS Attribute: 28 idle-timeout=<sec>

Traffic conditioning

  HQoS (with SPI)
    Dynamic Template cmd: service-policy input <in_mqc_name> shared-policy-instance <spi-name>
                          service-policy output <out_mqc_name> shared-policy-instance <spi-name>
    RADIUS Attribute: 26 (9,1) subscriber:sub-qos-policy-in=<in_mqc_name> [shared-policy-instance <spi-name>]
                      26 (9,1) subscriber:sub-qos-policy-out=<out_mqc_name> [shared-policy-instance <spi-name>]

  pQoS
    Dynamic Template cmd: N/A
    RADIUS Attribute: 26 (9,1) subscriber:qos-policy-in=add-class(target policy (class-list) qos-actions-list)
                      26 (9,1) subscriber:qos-policy-in=remove-class(target policy (class-list))
                      26 (9,1) subscriber:qos-policy-out=add-class(target policy (class-list) qos-actions-list)
                      26 (9,1) subscriber:qos-policy-out=remove-class(target policy (class-list))

  Subscriber ACLs/ABF
    Dynamic Template cmd: ipv4 access-group <in_acl_name> in
                          ipv4 access-group <out_acl_name> out
                          ipv6 access-group <in_v6acl_name> in
                          ipv6 access-group <out_v6acl_name> out
    RADIUS Attribute: 26 (9,1) ipv4:inacl=<in_acl_name>
                      26 (9,1) ipv4:outacl=<out_acl_name>
                      26 (9,1) ipv6:ipv6_inacl=<in_v6acl_name>
                      26 (9,1) ipv6:ipv6_outacl=<out_v6acl_name>

  HTTP-R
    Dynamic Template cmd: service-policy type pbr <HTTP-R policy name>
    RADIUS Attribute: 26 (9,1) subscriber:sub-pbr-policy-in=<HTTP-R policy name>

 

 

IPv6 Attributes

Each entry lists who defines the attribute, the RADIUS message it is received in, the IPv6 client type, the address-assignment method, and the equivalent dynamic-template configuration.

Framed-Interface-Id (96)
  Defined by: RFC3162 | Received in: Access-Accept | IPv6 client: PPPoE | Address assignment: Any
  Dynamic Template equivalent config: ppp ipv6cp peer-interface-id <64bit #>

Framed-IPv6-Prefix (97)
  Defined by: RFC3162 | Received in: Access-Accept | IPv6 client: PPPoE | Address assignment: SLAAC
  Dynamic Template equivalent config: N.A.

Framed-IPv6-Route (99)
  Defined by: RFC3162 | Received in: Access-Accept, CoA | IPv6 client: Any | Address assignment: Any
  Dynamic Template equivalent config: N.A.

Framed-IPv6-Pool (100)
  Defined by: RFC3162 | Received in: Access-Accept | IPv6 client: PPPoE | Address assignment: SLAAC
  Dynamic Template equivalent config: ipv6 nd framed-prefix-pool <name>

Framed-IPv6-Address (*)
  Defined by: draft-ietf-radext-ipv6-access-06 | Received in: Access-Accept | IPv6 client: PPPoE, IPoE | Address assignment: DHCP6 (Local Server)
  Dynamic Template equivalent config: N.A.

Stateful-IPv6-Address-Pool (*)
  Defined by: draft-ietf-radext-ipv6-access-06 | Received in: Access-Accept | IPv6 client: PPPoE, IPoE | Address assignment: DHCP6 (Local Server)
  Dynamic Template equivalent config: dhcpv6 address-pool <name>

Delegated-IPv6-Prefix-Pool (*)
  Defined by: draft-ietf-radext-ipv6-access-06 | Received in: Access-Accept | IPv6 client: PPPoE, IPoE | Address assignment: DHCP6 (Local Server)
  Dynamic Template equivalent config: dhcpv6 delegated-prefix-pool <name>

DNS-Server-IPv6-Address (*)
  Defined by: draft-ietf-radext-ipv6-access-06 | Received in: Access-Accept | IPv6 client: PPPoE, IPoE | Address assignment: DHCP6 (Local Server)
  Dynamic Template equivalent config: To be configured in DHCPv6 server profile

Delegated-IPv6-Prefix
  Defined by: RFC4818 | Received in: Access-Accept | IPv6 client: PPPoE, IPoE | Address assignment: DHCP6 (Local Server)
  Dynamic Template equivalent config: N.A.

 

NOTE

The IETF has not yet allocated numeric values for the attributes newly defined in draft-ietf-radext-ipv6-access-*. The following Cisco VSAs have been temporarily defined to close that gap:

Framed-IPv6-Address:         "ipv6:addrv6=<ipv6 address>"
Stateful-IPv6-Address-Pool:  "ipv6:stateful-ipv6-address-pool=<name>"
Delegated-IPv6-Prefix-Pool:  "ipv6:delegated-ipv6-pool=<name>"
DNS-Server-IPv6-Address:     "ipv6:ipv6-dns-servers-addr=<ipv6 address>"

 

Radius Accounting bytes and packets

The following accounting attributes pertain to byte and packet accounting in the ASR9000 solution, including the IPv6-specific Cisco VSAs.

Attribute                                      Defined By   Description
Acct-Input-Octets (42)                         RFC2866      Session input total byte count
Acct-Input-Packets (47)                        RFC2866      Session input total packet count
Acct-Output-Octets (43)                        RFC2866      Session output total byte count
Acct-Output-Packets (48)                       RFC2866      Session output total packet count
Cisco VSA (26,9,1): acct-input-octets-ipv4     Cisco        Session input IPv4 byte count
Cisco VSA (26,9,1): acct-input-packets-ipv4    Cisco        Session input IPv4 packet count
Cisco VSA (26,9,1): acct-output-octets-ipv4    Cisco        Session output IPv4 byte count
Cisco VSA (26,9,1): acct-output-packets-ipv4   Cisco        Session output IPv4 packet count
Cisco VSA (26,9,1): acct-input-octets-ipv6     Cisco        Session input IPv6 byte count
Cisco VSA (26,9,1): acct-input-packets-ipv6    Cisco        Session input IPv6 packet count
Cisco VSA (26,9,1): acct-output-octets-ipv6    Cisco        Session output IPv6 byte count
Cisco VSA (26,9,1): acct-output-packets-ipv6   Cisco        Session output IPv6 packet count
Cisco VSA (26,9,1): connect-progress           Cisco        Indicates session set-up connection progress

3. Dynamic Route insertion

RADIUS attribute examples for the different types of framed-route:

PPPoE v6 route
Framed-IPv6-Route = "45:1:1:1:2:3:4:5/128 :: 4 tag 5"

PPPoE v4 route
Framed-Route = "45.1.6.0 255.255.255.0 0.0.0.0 6 tag 7"

IPoE v4 route
Framed-Route = "vrf vpn1 45.1.4.0/24 vrf vpn1 0.0.0.0 4 tag 5"
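An added example (my code, not from the document) that parses the three string forms above into structured fields: an optional "vrf <name>" before the prefix and before the next hop, a CIDR or dotted-mask prefix, the next hop, a metric and a route tag. A 0.0.0.0 next hop means "route via the subscriber session" per RFC 2865 section 5.22; the same reading of :: for IPv6 is an assumption made here.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class FramedRoute:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    next_hop: ipaddress.IPv4Address | ipaddress.IPv6Address
    prefix_vrf: Optional[str] = None
    next_hop_vrf: Optional[str] = None
    metric: Optional[int] = None
    tag: Optional[int] = None

    @property
    def via_subscriber(self) -> bool:
        # 0.0.0.0 (RFC 2865 5.22) or :: (assumed equivalent): route points at the session
        return self.next_hop.is_unspecified

def parse_framed_route(value: str) -> FramedRoute:
    """Parse the Framed-Route / Framed-IPv6-Route string forms shown above."""
    toks = value.split()

    def take_vrf() -> Optional[str]:
        if len(toks) >= 2 and toks[0] == "vrf":
            toks.pop(0)
            return toks.pop(0)
        return None

    prefix_vrf = take_vrf()
    if not toks:
        raise ValueError("missing prefix")
    first = toks.pop(0)
    if "/" in first:                       # CIDR form, IPv4 or IPv6
        prefix = ipaddress.ip_network(first, strict=False)
    else:                                  # IPv4 "<network> <dotted mask>" form
        if not toks:
            raise ValueError("missing netmask after IPv4 network")
        prefix = ipaddress.ip_network(f"{first}/{toks.pop(0)}", strict=False)
    next_hop_vrf = take_vrf()
    if not toks:
        raise ValueError("missing next hop")
    next_hop = ipaddress.ip_address(toks.pop(0))
    if next_hop.version != prefix.version:
        raise ValueError("next hop address family differs from prefix")
    metric = int(toks.pop(0)) if toks and toks[0].isdigit() else None
    tag = None
    if toks and toks[0] == "tag":
        if len(toks) < 2 or not toks[1].isdigit():
            raise ValueError("tag keyword without numeric value")
        tag = int(toks[1])
        del toks[:2]
    if toks:
        raise ValueError(f"unexpected trailing tokens: {' '.join(toks)}")
    return FramedRoute(prefix, next_hop, prefix_vrf, next_hop_vrf, metric, tag)
```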

 

4. Route redistribution (please don't!)

router bgp 100
 address-family ipv4 unicast
  redistribute subscriber <route-policy>

 

Xander Thuijs CCIE#6775

Principal Engineer, ASR9000

Comments
xthuijs
Cisco Employee

Hi Artsiom, yes that AVP is supported in 511 onwards and it looks like the syntax is also correct from your example.

If it doesn't work, you are probably best off opening a TAC case and collecting the debug dhcp ipv4 <cr>/err/event and debug dhcp ipv4 proxy er/ev/packet and a debug radius <detail>.

regards

xander

Hi Xander,

We have noticed some differences in acct-in/out-octet acct attributes that probably show some problems. Below you can see the relevant part of an acct stop record:

        Acct-Input-Octets = 152778724
        Acct-Input-Packets = 1852008
        Acct-Output-Octets = 943026125
        Acct-Output-Gigawords = 1
        Acct-Output-Packets = 3531687
        cisco-avpair = "acct-input-octets-ipv4=64681186"
        cisco-avpair = "acct-input-packets-ipv4=1445526"
        cisco-avpair = "acct-output-octets-ipv4=3977486916"
        cisco-avpair = "acct-output-packets-ipv4=2763969"
        cisco-avpair = "acct-input-octets-ipv6=25126226"
        cisco-avpair = "acct-input-packets-ipv6=406402"
        cisco-avpair = "acct-output-octets-ipv6=1140423734"
        cisco-avpair = "acct-output-packets-ipv6=767594"

We assume that Acct-Input/Output-Octets are the sum of the IPv4+IPv6 octets mentioned in the AV-pairs (this is true on ASR1K).

The results show some differences though:

Acct-Output-Octets = 5237993421 (943026125 + 4294967296)
acct-output-octets-ipv4 +acct-output-octets-ipv6 = 5117910650
diff: 120082771 (2,3%)

Acct-Input-Octets = 152778724
acct-input-octets-ipv4 + acct-input-octets-ipv6= 89807412
diff: 62971312 (41%)

Are we doing something wrong or some counters don't provide the correct values?

---

We have also noticed that while debugging radius, several attributes are shown as unsupported although they work correctly. For example:

Debug Radius (ASR9K):

radiusd[1114]:  RADIUS:  Acct-Status-Type    [40]    6       Unsupported[33554432]

at the same time, our Radius (Radiator) is receiving the correct value:

Acct-Status-Type = Start

I have the whole output with several similar examples, if you want to investigate it further.

---

I was also wondering if Cisco-Policy-Up, Cisco-Policy-Down radius attributes are going to be supported in the future. We could use sub-qos-policy-in, sub-qos-policy-out instead, but it would need some massive changes in our LDAP we would like to avoid if possible.

 

Regards,

Dimitris
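An added example (my code, not part of the thread or of Cisco's documentation) for the kind of check the post above does by hand: parse an Acct-Stop record, combine Acct-Output-Octets with Acct-Output-Gigawords (RFC 2869; each Gigaword is one wrap of the 32-bit counter) into the true total, and compare each direction with the sum of the IPv4 and IPv6 Cisco VSAs from the accounting table in the article. It measures the discrepancy; it does not explain it. The sample record is the excerpt quoted in the post.

```python
import re

GIGAWORD = 1 << 32   # RFC 2869 Acct-*-Gigawords: wraps of the 32-bit Acct-*-Octets counter

_LINE_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*?)"?\s*$')

def parse_acct_record(text):
    """Turn 'Attr = value' lines into a dict; cisco-avpair lines are keyed by their
    own name (acct-input-octets-ipv4=...), numeric values become ints."""
    rec = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "cisco-avpair" and "=" in val:
            key, val = val.split("=", 1)
        rec[key] = int(val) if val.isdigit() else val
    return rec

def octets64(rec, direction):
    """Session total for 'Input'/'Output': Gigawords * 2^32 + the 32-bit octet count."""
    return rec.get(f"Acct-{direction}-Gigawords", 0) * GIGAWORD + rec.get(f"Acct-{direction}-Octets", 0)

def reconcile(rec):
    """Compare each direction's total with the sum of the IPv4 and IPv6 Cisco VSAs."""
    result = {}
    for direction in ("Input", "Output"):
        total = octets64(rec, direction)
        d = direction.lower()
        per_af = rec.get(f"acct-{d}-octets-ipv4", 0) + rec.get(f"acct-{d}-octets-ipv6", 0)
        diff = total - per_af
        result[direction] = {"total": total, "ipv4_plus_ipv6": per_af, "diff": diff,
                             "diff_pct": round(100.0 * diff / total, 1) if total else 0.0}
    return result

# Sample input: the Acct-Stop excerpt quoted in the post above.
SAMPLE_STOP = """
        Acct-Input-Octets = 152778724
        Acct-Input-Packets = 1852008
        Acct-Output-Octets = 943026125
        Acct-Output-Gigawords = 1
        Acct-Output-Packets = 3531687
        cisco-avpair = "acct-input-octets-ipv4=64681186"
        cisco-avpair = "acct-input-packets-ipv4=1445526"
        cisco-avpair = "acct-output-octets-ipv4=3977486916"
        cisco-avpair = "acct-output-packets-ipv4=2763969"
        cisco-avpair = "acct-input-octets-ipv6=25126226"
        cisco-avpair = "acct-input-packets-ipv6=406402"
        cisco-avpair = "acct-output-octets-ipv6=1140423734"
        cisco-avpair = "acct-output-packets-ipv6=767594"
"""

if __name__ == "__main__":
    for direction, row in reconcile(parse_acct_record(SAMPLE_STOP)).items():
        print(direction, row)
```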

Artsiom Maksimenka
Community Member

Hi Xander, 

Thank you for the answer.

We've opened a TAC case (629388785) right on the day of your recommendation, no help so far, tried several things with TAC engineer.

Will post the result as we get the answer.

BR

Artsiom

Artsiom Maksimenka
Community Member

Hi Xander!

Finally we got the correct solution: VSA value was incorrect.

The correct attribute is Cisco-AVPair = ipv4:ipv4-default-gateway=134.17.92.129

Tested, it works.

User Profile received from AAA:

 Attribute List: 0x1000ed34

1:  addr            len=  4  value= 134.17.92.211

2:  netmask         len=  4  value= 255.255.255.128

3:  ipv4-default-gateway len=  4  value= 134.17.92.129

4:  sub-qos-policy-in len= 26  value= __sub_1730ffffffd0ffffffd0

5:  sub-qos-policy-out len= 26  value= __sub_1730ffffffd0ffffffd0

Thank you

BR

Artsiom

 

gogie
Level 1

Artsiom, this saved me a lot of time! 

 

smailmilak
Level 4

Hi Xander,

 

is the AV-Pair "Service Activation 26 9,1 subscriber:sa=<service-name>" for

dynamic-template
 type service TEST1

or

is it for the service-policy under the interface? If yes, then it's just great because the customer would like to put users in a dynamic-template via RADIUS.

interface Bundle-Ether12.3102
 description # DUALSTACK Downlink #
 service-policy type control subscriber BNG_DUALSTACK   ----- I would remove this and pass the dynamic template via RADIUS
 pppoe enable bba-group BNG_BBA
 encapsulation dot1q 3102

 

I am also asking myself if it's possible to do this with policy-map type control subscriber, where I can activate multiple dynamic-templates, but I have to check how to differentiate the user (PPPoEv4 only or PPPoE dualstack).

 

xthuijs
Cisco Employee

Good question Smail!

the subscriber:sa=xx refers to a dynamic template of type service.

the VSA has the same effect as an activate dynamic template on the control policy.

In the dynamic type <type> NAME, the "<type>" basically provides the CLI to a different set of sub commands. For instance, if the type is ipsubscriber vs. ppp, different commands are available under that dynamic template. The type service provides the ability to reference this also via RADIUS and define a service on that template for activation and de-activation dynamically.

regards

xander

smailmilak
Level 4

Hi Xander,

 

so this is ONLY for type service or not? I am not 100% sure if I understood you, sorry for that :)

You said "the VSA has the same effect as an activate dynamic template on the control policy."

Does this mean that I can pass the "dynamic template type ppp BNG_DUALSTACK_TEMPLATE" via RADIUS with the VSA subscriber:sa=BNG_DUALSTACK_TEMPLATE, so that the user gets the DNS servers which are under this dyn. template, and all other parameters?

Do I still need a service-policy type control under the access-interface so I have a subscriber-aware access-interface?

 

 

 

 

xthuijs
Cisco Employee

If you want to pass DNS servers dynamically you probably want to use the RADIUS AVPs ASCEND-PRIMARY/SECONDARY-DNS, numbers 136/137 (or the VSA equivalents, with the same effect).

The type ppp you will want to enable via the control policy.

As a rule of thumb, you would want to use the type service via the RADIUS AVPs, not the type ipsubscriber or ppp.

xander

smailmilak
Level 4

Yes, I told the customer to pass the DNS servers via RADIUS and gave them the attributes for the primary and secondary DNS servers, but they still want to pass the template via RADIUS.

We tried it a few minutes ago and it was working, but I don't like it. Passing DNS servers via RADIUS is a better approach and I recommended them to do it.

 

This is the session with subscriber:sa=BNG_HSI_TEMPLATE

Services:
  Name        : BNG_DUALSTACK_TEMPLATE
  Service-ID  : 0x4000004
  Type        : Template
  Status      : Applied
-------------------------
  Name        : BNG_HSI_TEMPLATE
  Service-ID  : 0x4000006
  Type        : Multi Template
  Status      : Applied
-------------------------

jpfnc@2011
Level 1

hello xander

I also deploy PPPoE dual stack on an ASR9001, and have the same problem with the default gateway. I can ping all connected routes on the BNG, but nothing over the BNG.

My ASR9001 provides the CPE an IPv6 WAN in a /64 using SLAAC and an IPv6 LAN with DHCPv6-PD in a /56.

These subnets should be separate and accessible directly from the BNG, I mean the IPv6 WAN and IPv6 LAN are seen as directly connected on the BNG.

So from the CPE, or behind the CPE (with a laptop), I can only ping IPv6 connected routes on the BNG.

* gateway for the IPv6 WAN is the link-local of the Bundle-Ethernet interface

* gateway for the IPv6 LAN (checked on the laptop) is "on-link"

And when I've done some ping and traceroute on the laptop (Win7) connected behind the CPE, the laptop uses the IPv6 WAN address as gateway. But as the IPv6 WAN cannot ping prefixes over the BNG (even though these are advertised in BGP), I have a time out.

So my questions:

* as there is no routing problem for me, why is the CPE gateway link-local and cannot send packets over the BNG?

* what do you think about the fact that the IPv6 LAN provided by DHCPv6-PD uses the IPv6 WAN (provided by SLAAC) as default gateway?

Thanks for your answer.

Jean-paul

xthuijs
Cisco Employee

Hi JP,

from the upstream, are you able to ping the WAN interface of the CPE and not the stations behind it?

and from the stations behind the CPE you can only ping the BNG access interface and not beyond?

If that is the case then that must be a routing issue, and likely on the client it sounds like.

We probably need to do some troubleshooting on the routing side and some show commands, but it may be easiest to do that via a TAC case to pull all the necessary info and provide some quick Q&A there. This method is also preferred to protect your (public) addresses.

Verify with a traceroute from the stations to upstream and from upstream to the stations where it breaks, to find the point where the routing fails. Also re-verify the gateway setting on the station and CPE.

If that fails I think we need to pursue a tac case...

regards!

xander

jpfnc@2011
Level 1

Hi Xander

Thanks for your answer.

I'll open a tac case.

Jean-Paul.

 

Max Antonenko
Level 1

Hi Xander!

Is it possible to remove pbr from subscriber through CoA if it was installed by 'subscriber:sub-pbr-policy-in' ?

xthuijs
Cisco Employee

You can't really, unless you overwrite it with a PBR that has no actions.

If you would like to activate and deactivate a service like this, then you are best off doing this:

dynamic-template type service MYSERVICE
 service-policy type pbr NAME

and then

subscriber:sa=MYSERVICE (to activate/apply this PBR service)

subscriber:sd=MYSERVICE (to remove/deactivate)

cheers! xander
