ASR9000/XR: BNG VSA's (vendor specific attributes) and Services

xthuijs · ‎08-15-2013

Introduction
Vendor Specific Attributes
- RADIUS Attributes for pQoS
  - Example
- VSA's for Account operations (services and logon/off)
  - Note
Template comparison to radius attribute
IPv6 Attributes
- - NOTE
Radius Accounting bytes and packets
Dynamic Route insertion
- Route destribution (please don't!)
Related Information

Introduction

This document provides an overview of Vendor Specific attributes that can be used in the ASR9000 BNG solution. They can either be used as part of the Access Accept Radius message or COA requests to change the behavior of the session.

Vendor Specific Attributes

Back to top

1. RADIUS Attributes for pQoS

sub: indicates AVPair targets MQC policy on a subscriber session

<class-list>: identifies class to be added/removed or modified in the MQC policy

Multiple classes may be specified to modify classification in a nested (child) MQC policy

<qos-action-list>: policy actions to be added/overwritten in targeted class in MQC policy (see table below)

Supported QoS features:

•Shaping rate and percentage

•Policing rate and percentage

•Marking (CoS, DSCP, IP Prec)

•Queueing (minBW, BW remaining, priority, WRED, queue-limit)

QOS Feature	Action format in Radius attribute
Shaping	shape(<rate-in-kbps>)
Shaping	shape-rpct(<rate-in-pct>)
Policing	police-rpct(<conform-rate-in-pct>,<conform-burst-in-us>,<exceed-rate-in-pct>,<exceed-burst-in-us>, <conform-action>,<exceed-action>, <violate-action>)
Policing	police(<conform-rate-in-kbps>,<conform-burst-in-kBytes>,<exceed-rate-in-kbps>,<exceed-burst-in-kbytes>, <conform-action>,<exceed-action>, <violate-action>)
Marking	set-cos(<cos-val>)
	set-ip-dscp(<dscp-val>)
	set-ip-prec(<precedence>)
Queuing	pri-level(<priority-level>)
	bw-rpct(<pct>) bw-rratio(<ratio>) bw-abs(<bw-in-kbps>) bw-pct(<bw-in-pct>)
	queue-limit(<qlimit-in-packets>) queue-limit-us(<qlimit-in-us>)
	random-detect-dscp(<dscp>)
	random-detect-prec(<precedence>)

Example

AVPair:“ip:qos-policy-out=add-class(sub,(class-default, VIDEO_CM), set-ip-dscp(af41), bw-abs(256))

Back to top

2. VSA's for Account operations (services and logon/off)

Primitive	Radius AVP
Account Logon	authentication cpe12 CoA cisco123 attribute 44 “<string>” <<< Accounting Session ID vsa cisco generic 1 string "subscriber:command=account-logon"
Account Logoff	attribute 44 “<string>” <<< Accounting Session ID vsa cisco generic 1 string "subscriber:command=account-logoff"
Account update (used to change a profile)	attribute 44 “<string>” <<< Accounting Session ID vsa cisco generic 1 string "subscriber:command=account-update” <radius attributes to set/update>
Service Activate	attribute 44 “<string>” <<< Accounting Session ID vsa cisco generic 1 string "subscriber:sa=<service-name>”
Service De-Activate	attribute 44 “<string>” <<< Accounting Session ID vsa cisco generic 1 string "subscriber:sd=<service-name>”

All these operations from the first column, report an event to the control policy.

RP/0/RSP0/CPU0:A9K-BNG(config-pmap)#event ?

account-logoff Account logoff event

account-logon Account logon event

authentication-failure Authentication failure event

authentication-no-response Authentication no response event

authorization-failure Authorization failure event

authorization-no-response Authorization no response event

exception Exception event

service-start Service start event

service-stop Service stop event

session-activate Session activate event

session-start Session start event

session-stop Session stop event

timer-expiry Timer expiry event

Note

Accounting session ID is the preferred session identifier. You can also use the framed-ip-address to key on the subscriber and the vrf (if applicable)

(IPv4 only):

Attribute 8: Framed-IP-Address

and starting 4.2.1:

Attribute 8: Framed-IP-Address + AVPair: ip:vrf-id=<vrf name>

Template comparison to radius attribute

Operation	Dynamic Template cmd	RADIUS Attribute
Service Activation
Service Activation	N/A	26	9,1	subscriber:sa=<service-name>
Network Forwarding
IP addess source intf	ipv4 unnumbered <interface>	26	9,1	ipv4:ipv4-unnumbered=<interface>
PPP framed address	N/A	8		framed-ip-address=<IPv4 address>
PPP Address Pool	ppp ipcp peer-address pool <addr pool >	26	9,1	ipv4:addr-pool=<addr pool name>
PPP framed pool	N/A	88		framed-pool=<addr pool name>
PPP framed route	N/A	22		framed-route=<subnet><mask>
VRF	vrf <vrf name>	26	9,1	subscriber:vrf-id=<vrf name>
V4 DNS	ppp ipcp dns <pprimary dns ip> <secondary dns ip>	26	9.1	ip:primary-dns=<primary dns ip> Ip:secondary-dns=<secondary dns ip>
DHCP classname	N/A	26	9,1	subscriber:classname=<dhcp-class-name>

Traffic Accounting
Accounting	accounting aaa list <method list> type session	26	9,1	subscriber:accounting-list=<method list>
Interim Interval	accounting aaa list <method list> type session periodic-interval <minutes>	85		Acct-Interim-Interval <minutes>
Dual Stack Accnt Start Delay	accounting aaa list <method list> type session dual-stack-delay <secs>			subscriber:dual-stack-delay=<sec>
Session Administration
keepalives	keepalive <sec>	26	9,1	subscriber:keepalive=interval<sec> NOT SUPPORTED/Implemented
Absolute Timeout	ppp timeout absolute <sec>	27	n/a	session-timeout=<sec>
Idle Timeout	timeout idle <sec>	28	n/a	idle-timeout=<sec>

Traffic conditioning
HQoS(with SPI)	service-policy input <in_mqc_name> shared-policy-instance <spi-name> service-policy output <out_mqc_name> shared-policy-instance <spi-name>	26	9,1	subscriber:sub-qos-policy-in=<in_mqc_name> [shared-policy-instance <spi-name> ] subscriber:sub-qos-policy-out=<out_mqc_name> [shared-policy-instance <spi-name>]
pQoS	N/A	26	9,1	subscriber:qos-policy-in=add-class(target policy (class-list) qos-actions-list) subscriber:qos-policy-in=remove-class(target policy (class-list)) subscriber:qos-policy-out=add-class(target policy (class-list) qos-actions-list) subscriber:qos-policy-out=remove-class(target policy (class-list))
Subscriber ACLs/ABF	ipv4 access-group <in_acl_name> in Ipv4 access-group <out_acl_name> out ipv6 access-group <in_v6acl_name> in ipv6 access-group <out_v6acl_name> out	26	9,1	ipv4:inacl=<in_acl_name> ipv4:outacl=<out_acl_name> ipv6:ipv6_inacl=<in_v6acl_name> ipv6:ipv6_outacl=<out_v6acl_name>
HTTP-R	service-policy type pbr <HTTR policy name>	26	9,1	subscriber:sub-pbr-policy-in=<HTTR policy name>

IPv6 Attributes

Attribute	Defined By	Received In	IPv6 Client	Address Assignment	Dynamic Template equivalent config
Framed-Interface-Id (96)	RFC3162	Access-Accept	PPPoE	Any	ppp ipv6cp peer-interface-id <64bit #>
Framed-IPv6-Prefix (97)	RFC3162	Access-Accept	PPPoE	SLAAC	N.A.
Framed-IPv6-Route (99)	RFC3162	Access-Accept CoA	Any	Any	N.A.
Framed-IPv6-Pool (100)	RFC3162	Access-Accept	PPPoE	SLAAC	ipv6 nd framed-prefix-pool <name>
Framed-ipv6-Address (*)	draft-ietf-radext-ipv6-access-06	Access-Accept	PPPoE, IPoE	DHCP6 (Local Server)	N.A.
Stateful-IPv6-Address-Pool(*)	draft-ietf-radext-ipv6-access-06	Access-Accept	PPPoE, IPoE	DHCP6 (Local Server)	dhcpv6 address-pool <name>
Delegated-IPv6-Prefix-Pool (*)	draft-ietf-radext-ipv6-access-06	Access-Accept	PPPoE, IPoE	DHCP6 (Local Server)	dhcpv6 delegated-prefix-pool <name>
DNS-Server-IPv6-Address (*)	draft-ietf-radext-ipv6-access-06	Access-Accept	PPPoE, IPoE	DHCP6 (Local Server)	To be configured in DHCPv6 server profile
Delegated-IPv6-Prefix	RFC4818	Access-Accept	PPPoE, IPoE	DHCP6 (Local Server)	N.A.

NOTE

IETF has not yet allocated numeric values for newly defined attributes in

draft-ietf-radext-ipv6-access-*

Following Cisco VSAs have been temporarily defined to close such gap

Framed-ipv6-Address	“ipv6:addrv6=<ipv6 address>”
Stateful-IPv6-Address-Pool	“ipv6:stateful-ipv6-address-pool=<name>”
Delegated-IPv6-Prefix-Pool	“ipv6:delegated-ipv6-pool=<name>”
DNS-Server-IPv6-Address	“ipv6:ipv6-dns-servers-addr=<ipv6 address>”

Radius Accounting bytes and packets

the following accounting attributes pertaining to packet accounting for the ASR9000 solution, also specific to IPv6

Attribute	Defined By	Description
Acct-Input-Octets (42)	RFC2866	Session input total byte count
Acct-Input-Packets (47)	RFC2866	Session input total packet count
Acct-Output-Octets (43)	RFC2866	Session output total byte count
Acct-Output-Packets (48)	RFC2866	Session output total packet count
Cisco VSA (26,9,1): acct-input-octets-ipv4	Cisco	Session input IPv4 byte count
Cisco VSA (26,9,1): acct-input-packets-ipv4	Cisco	Session input IPv4 packet count
Cisco VSA (26,9,1): acct-output-octets-ipv4	Cisco	Session output IPv4 byte count
Cisco VSA (26,9,1): acct-output-packets-ipv4	Cisco	Session output IPv4 packet count
Cisco VSA (26,9,1): acct-input-octets-ipv6	Cisco	Session input IPv6 byte count
Cisco VSA (26,9,1): acct-input-packets-ipv6	Cisco	Session input IPv6 packet count
Cisco VSA (26,9,1): acct-output-octets-ipv6	Cisco	Session output IPv6 byte count
Cisco VSA (26,9,1): acct-output-packets-ipv6	Cisco	Session output IPv6 packet count
Cisco VSA (26,9,1): connect-progress	Cisco	Indicates Session set up connection progress

Back to top

3.

Dynamic Route insertion

RADIUS attribute example for different type of framed-route:

PPPoE V6 route

Framed-IPv6-Route = "45:1:1:1:2:3:4:5/128 :: 4 tag 5”

PPPoE v4 route

Framed-Route = "45.1.6.0 255.255.255.0 0.0.0.0 6 tag 7”

IPoE v4 route

Framed-Route = "vrf vpn1 45.1.4.0/24 vrf vpn1 0.0.0.0 4 tag 5”

Back to top

4. Route destribution (please don't!)

router bgp 100

address-family ipv4 unicast

redistribute subscriber <route-policy>

Related Information

Xander Thuijs CCIE#6775

Principal Engineer, ASR9000

Back to top

Artsiom Maksimenka · ‎08-21-2013

Dear Xander, thank you for the great doc.

In my system i observe several fields with different values in Acc-Stop message from BNG:

Cisco-AVPair = acct-input-octets-ipv4=34179

Cisco-AVPair = acct-input-packets-ipv4=165

Cisco-AVPair = acct-output-octets-ipv4=6989

Cisco-AVPair = acct-output-packets-ipv4=53

Cisco-AVPair = acct-input-octets-ipv6=0

Cisco-AVPair = acct-input-packets-ipv6=0

Cisco-AVPair = acct-output-octets-ipv6=0

Cisco-AVPair = acct-output-packets-ipv6=0

Acct-Status-Type = Stop

Acct-Delay-Time = 0

Acct-Input-Octets = 27171

Acct-Output-Octets = 8946

Acct-Session-Id = 000001c7

Acct-Session-Time = 184

Acct-Input-Packets = 97

Acct-Output-Packets = 58

According this attributes description document - in my case session input total byte count defined by RFC2866 shows less bytes than ipv4 session byte count defined by Cisco.

My question:

How to differentiate these values and what do they show?

Logics tells me that IPv6 bytes + IPv4bytes = total or?

Thank you, Artsiom Maksimenka

xthuijs · ‎08-21-2013

Hi Artsiom, thsi is a bug, can you file a TAC case and have them open a sw defect for tracking please?

regards!

xander

Artsiom Maksimenka · ‎08-22-2013

Hi Xander, I want to inform about this bug, ID is CSCui79108.

Thank you.

Artsiom

xthuijs · ‎08-22-2013

Yup I got a notification from the tac engineer and he filed that ddts which I am working on getting assigned to the right people. Thanks for that!

regards!

xander

andersonlich · ‎01-12-2014

Hi Alex,

i'm deploying IPoE in version 5.1.0, and the BNG can accept Framed-IP-Address and Framed-IP-Netmask from RADIUS. is it possible we sending default-gateway CPE from RADIUS ?

thank you

anderson

xthuijs · ‎01-13-2014

Hi Anderson,

yes you can do that too, via a VSA:

ipv4:default-ipv4-gateway=<gateway>

cheers!

xander

andersonlich · ‎01-13-2014

Hi Alex,

That's Great !

cause i would like to do IPoE Allocation address via Radius.

is this the right format ? (from AuthFile Users Radius)

000c.4270.3bb0

Framed-IP-Address = 10.10.10.2,

Framed-IP-Netmask = 255.255.255.0,

cisco-avpair = ipv4:default-ipv4-gateway=10.10.10.1

i have tried to put that attribute but seems failed.

MAC Address IP Address State Remaining Interface VRF Sublabel

-------------- -------------- --------- --------- ------------------- --------- ----------

000c.4270.3bb0 0.0.0.0 INIT_REQUEST_DPM_WAIT 47 BE100.905 default 0x0 *

* Next renew request from this client will be NAK'd in order to recreate subscriber session

Asad Ul Islam · ‎01-27-2014

hi alex,

i am applying policy-map through

Cisco-AVPair(1): subscriber:sub-qos-policy-in=BE-10m

I see this this in access-accept packet.. However This AVPair is not appearing in accounting update/interm . Is this normal behaviour?? is there anyway to to make this AVPair appear in Accouting packets?

xthuijs · ‎01-27-2014

Hi asad,

can you make sure tht the policy is applied to the subscriber session via

show policy-map interface bundle-eX.Y.<subscriber>

if it is there, then ti should appear in the accounting records, and if not, then I would like you to file a tac case

with the release and show info so we can have this fixed up. policy info should be inserted into accounting records.

cheers!

xander

Asad Ul Islam · ‎01-27-2014

Yes Alex it is being applied on the session.

show subscriber session all detail internal shows all parameters are correctly applied.. But qos parameters are not visible in any of the accouting packets and appearing only in access-accept packet.

Last COA request received: unavailable

User Profile received from AAA:

Attribute List: 0x10010b44

1: addr len= 4 value= 1.2.3.4

2: netmask len= 4 value= 255.255.255.255

3: sub-qos-policy-in len= 6 value= BE-10m

4: sub-qos-policy-out len= 6 value= BE-10m

also show policy-map interface bundle-eX.Y.<subscriber> shows that policy is correctly applied.

I will go for tac case now.. This 4.3.1 already has CSCug21959 which is making debugging difficult to interperate.

smailmilak · ‎02-05-2014

Hi all,

are those av-pairs ok?

Idea is to have a pool for framed prefix and delegated prefix.

It is for dualstack!

Cisco-AVPair = "vrf-id=DUALSTACK"

Cisco-AVPair = "ip:addr-pool= DS_PPPoEv4"

Cisco-AVPair = "subscriber:sub-qos-policy-in= 512_in"

Cisco-AVPair = "subscriber:sub-qos-policy-out= 4096_out"

Cisco-AVPair = “ipv4:ipv4-unnumbered= Loopback1068”

and now for IPv6

Cisco-AVpair = “ipv6:delegated-ipv6-pool = DELEGATES_PREFIX_POOL”

Cisco-AVpair = "ipv6:ipv6-dns-servers-addr=SOME_DNS_IPv6_ADDRESS"

Cisco-AVPair = "subscriber:sub-qos-policy-in= 512_in"

Cisco-AVPair = "subscriber:sub-qos-policy-out= 4096_out"

I do not have access to RADIUS server and I have to send this to the RADIUS guy.

It would be nice if I do not have to send it 10 times because I made a mistake

xthuijs · ‎02-05-2014

hey smail,

the access-request is done only once for dual stack also.

so the access accept should return the profile providing both v4 and v6 info.

this means you can only have one set of v4/v6 qos policies and not two.

another gotcha is that the dns v6 server can only be a single addr, noted as a limited and worked on for extension.

make sure your dyntpl has the v6 enable config

and of course a routable v6 addr as peer addr.

cheers!

xander

smailmilak · ‎02-05-2014

Hi Xander,

thanks for the hint. I also doubted that double av-pair attributes are needed.

I have prepared a dynamic-template from the config guides and your documents and I have ipv6 enable in it.

And with "routable v6 address as peer" you mean global IPv6 address for subscribers?

What is the exact syntax for "Framed-IPv6-Prefix"? Maybe "Cisco-AVpair = “ipv6:Framed-IPv6-Prefix = FRAMED_PREFIX_POOL”?

I am trying to figure all this out, reading config guides, forums and open TAC for assistance because of limited time for the project. I will know more when I see all this in action

This is my template:

dynamic-template

type ppp BNG_DUALSTACK_TEMPLATE

ppp authentication chap pap

keepalive 30

ppp ipcp dns 10.100.35.10 10.100.36.10

ppp ipcp peer-address pool DS_PPPoEv4

ipv4 mtu 1492

ipv4 unnumbered Loopback1068

ipv6 mtu 1492

ipv6 enable

ipv6 verify unicast source reachable-via rx

ipv6 unreachables disable

dhcpv6 address-pool FRAMED_PREFIX_POOL

dhcpv6 delegated-prefix-pool DELEGATED_PREFIX_POOL

xthuijs · ‎02-05-2014

hey there smail, you make long days these days

the precise formatting of the framed-ipv6-prefix is dependent on your radius server what it can encode, but generally it is in the form of 2001::1/48 or something like that, this provides the delegated prefix

But because you provide the address and pool already in the template, there is no need to pass on these atts via radius again.

You can omit the radius ones, unless you want to override what you have done in the template.

I dont think you really need v6 RPF enabled because that is something native in the binding forwarding already.

uRPF cost a lot of pps, and the binding is used for forwarding (downstream) and check against the mac/addr binding on ingress (upstream).

c

heers!

xander

smailmilak · ‎02-06-2014

Oh yes, very long days. Fortunately we will start today with the tests, and not next week

So I can finally test some things.

You are right about the dynamic-template, if I already have the delegated prefix and framed prefix in the template, then I do not need pass it via RADIUS. I forgot that.

I will only pass the vrf, qos and dns server via radius.

Thank you for the hint about uRPF. I saw that you are using uRPF, but for IPv4 here

https://supportforums.cisco.com/docs/DOC-39405

Is it the same for IPv4 and v6, in regards of cost of pps?