on 08-15-2013 10:04 AM
This document provides an overview of the Vendor Specific Attributes (VSAs) that can be used in the ASR9000 BNG solution. They can be carried either in the RADIUS Access-Accept message or in CoA requests to change the behavior of the session.
QoS Feature | Action format in Radius attribute |
---|---|
Shaping | shape(<rate-in-kbps>), shape-rpct(<rate-in-pct>) |
Policing | police-rpct(<conform-rate-in-pct>,<conform-burst-in-us>,<exceed-rate-in-pct>,<exceed-burst-in-us>,<conform-action>,<exceed-action>,<violate-action>), police(<conform-rate-in-kbps>,<conform-burst-in-kBytes>,<exceed-rate-in-kbps>,<exceed-burst-in-kBytes>,<conform-action>,<exceed-action>,<violate-action>) |
Marking | set-cos(<cos-val>), set-ip-dscp(<dscp-val>), set-ip-prec(<precedence>) |
Queuing | pri-level(<priority-level>), bw-rpct(<pct>), bw-rratio(<ratio>), bw-abs(<bw-in-kbps>), bw-pct(<bw-in-pct>), queue-limit(<qlimit-in-packets>), queue-limit-us(<qlimit-in-us>), random-detect-dscp(<dscp>), random-detect-prec(<precedence>) |
Primitive | Radius AVP |
---|---|
Account Logon | authentication cpe12 CoA cisco123; attribute 44 "<string>" (Accounting Session ID); vsa cisco generic 1 string "subscriber:command=account-logon" |
Account Logoff | attribute 44 "<string>" (Accounting Session ID); vsa cisco generic 1 string "subscriber:command=account-logoff" |
Account update (used to change a profile) | attribute 44 "<string>" (Accounting Session ID); vsa cisco generic 1 string "subscriber:command=account-update"; <radius attributes to set/update> |
Service Activate | attribute 44 "<string>" (Accounting Session ID); vsa cisco generic 1 string "subscriber:sa=<service-name>" |
Service De-Activate | attribute 44 "<string>" (Accounting Session ID); vsa cisco generic 1 string "subscriber:sd=<service-name>" |
All the operations in the first column report an event to the control policy:
```
RP/0/RSP0/CPU0:A9K-BNG(config-pmap)#event ?
  account-logoff              Account logoff event
  account-logon               Account logon event
  authentication-failure      Authentication failure event
  authentication-no-response  Authentication no response event
  authorization-failure       Authorization failure event
  authorization-no-response   Authorization no response event
  exception                   Exception event
  service-start               Service start event
  service-stop                Service stop event
  session-activate            Session activate event
  session-start               Session start event
  session-stop                Session stop event
  timer-expiry                Timer expiry event
```
The Accounting Session ID is the preferred session identifier. You can also key on the subscriber using the Framed-IP-Address and, if applicable, the VRF (IPv4 only):

Attribute 8: Framed-IP-Address

and, starting with 4.2.1:

Attribute 8: Framed-IP-Address + AVPair: ip:vrf-id=<vrf name>
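As an added example (not part of Cisco's document or code), the following Python puts the CoA primitives above on the wire: a CoA-Request keyed on Acct-Session-Id (attribute 44) that carries cisco-avpairs as Vendor-Specific 26 with Vendor-Id 9 / Vendor-Type 1, plus the RFC 5176 Request and Response Authenticator computation that lets the sender reject a forged or tampered ACK. The shared secret, session ID and service name used are constructed values.

```python
import hashlib
import hmac
import struct
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45   # RFC 5176 packet codes
ACCT_SESSION_ID, VENDOR_SPECIFIC = 44, 26    # RADIUS attribute types
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1         # the "26 | 9,1" column of the tables

def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def cisco_avpair(text):
    """Encode a cisco-avpair string: Vendor-Specific (26), Vendor-Id 9, Vendor-Type 1."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def build_coa_request(ident, secret, session_id, avpairs):
    """CoA-Request keyed on Acct-Session-Id (44); authenticator = MD5(header with zeroed auth + attrs + secret)."""
    attrs = attr(ACCT_SESSION_ID, session_id.encode())
    attrs += b"".join(cisco_avpair(a) for a in avpairs)
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def build_coa_response(request, code, secret, attrs=b""):
    """CoA-ACK/NAK as the BNG sends it; authenticator = MD5(header + request authenticator + attrs + secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_coa_response(request, response, secret):
    """True only if the ID matches and the Response Authenticator verifies, so a forged or tampered ACK is rejected."""
    if len(response) < 20 or response[1] != request[1] or response[0] not in (COA_ACK, COA_NAK):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def parse_avpairs(packet):
    """Walk the attribute list and return the cisco-avpair strings it carries."""
    out, pos, vid = [], 20, struct.pack("!I", CISCO_VENDOR_ID)
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            break  # malformed length: stop rather than loop forever
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6 and value[:4] == vid and value[4] == CISCO_AVPAIR:
            out.append(value[6:4 + value[5]].decode())
        pos += alen
    return out
```

The same builder serves the account-logon/logoff/update primitives by passing the corresponding subscriber:command=... string; RFC 5176 also allows Message-Authenticator (80), which this minimal version does not add.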
Operation | Dynamic Template cmd | RADIUS Attribute | Vendor / Type | Value |
---|---|---|---|---|
Service Activation | | | | |
Service Activation | N/A | 26 | 9,1 | subscriber:sa=<service-name> |
Network Forwarding | | | | |
IP address source intf | ipv4 unnumbered <interface> | 26 | 9,1 | ipv4:ipv4-unnumbered=<interface> |
PPP framed address | N/A | 8 | n/a | framed-ip-address=<IPv4 address> |
PPP Address Pool | ppp ipcp peer-address pool <addr pool> | 26 | 9,1 | ipv4:addr-pool=<addr pool name> |
PPP framed pool | N/A | 88 | n/a | framed-pool=<addr pool name> |
PPP framed route | N/A | 22 | n/a | framed-route=<subnet> <mask> |
VRF | vrf <vrf name> | 26 | 9,1 | subscriber:vrf-id=<vrf name> |
V4 DNS | ppp ipcp dns <primary dns ip> <secondary dns ip> | 26 | 9,1 | ip:primary-dns=<primary dns ip>; ip:secondary-dns=<secondary dns ip> |
DHCP classname | N/A | 26 | 9,1 | subscriber:classname=<dhcp-class-name> |
Traffic Accounting | | | | |
Accounting | accounting aaa list <method list> type session | 26 | 9,1 | subscriber:accounting-list=<method list> |
Interim Interval | accounting aaa list <method list> type session periodic-interval <minutes> | 85 | n/a | Acct-Interim-Interval <minutes> |
Dual Stack Accnt Start Delay | accounting aaa list <method list> type session dual-stack-delay <secs> | | | subscriber:dual-stack-delay=<sec> |
Session Administration | | | | |
keepalives | keepalive <sec> | 26 | 9,1 | subscriber:keepalive=interval<sec> (NOT SUPPORTED/implemented) |
Absolute Timeout | ppp timeout absolute <sec> | 27 | n/a | session-timeout=<sec> |
Idle Timeout | timeout idle <sec> | 28 | n/a | idle-timeout=<sec> |
Traffic conditioning | | | | |
HQoS (with SPI) | service-policy input <in_mqc_name> shared-policy-instance <spi-name>; service-policy output <out_mqc_name> shared-policy-instance <spi-name> | 26 | 9,1 | subscriber:sub-qos-policy-in=<in_mqc_name> [shared-policy-instance <spi-name>]; subscriber:sub-qos-policy-out=<out_mqc_name> [shared-policy-instance <spi-name>] |
pQoS | N/A | 26 | 9,1 | subscriber:qos-policy-in=add-class(target policy (class-list) qos-actions-list); subscriber:qos-policy-in=remove-class(target policy (class-list)); subscriber:qos-policy-out=add-class(target policy (class-list) qos-actions-list); subscriber:qos-policy-out=remove-class(target policy (class-list)) |
Subscriber ACLs/ABF | ipv4 access-group <in_acl_name> in; ipv4 access-group <out_acl_name> out; ipv6 access-group <in_v6acl_name> in; ipv6 access-group <out_v6acl_name> out | 26 | 9,1 | ipv4:inacl=<in_acl_name>; ipv4:outacl=<out_acl_name>; ipv6:ipv6_inacl=<in_v6acl_name>; ipv6:ipv6_outacl=<out_v6acl_name> |
HTTP-R | service-policy type pbr <HTTR policy name> | 26 | 9,1 | subscriber:sub-pbr-policy-in=<HTTR policy name> |
Attribute | Defined By | Received In | IPv6 Client | Address Assignment | Dynamic Template equivalent config |
---|---|---|---|---|---|
Framed-Interface-Id (96) | RFC3162 | Access-Accept | PPPoE | Any | ppp ipv6cp peer-interface-id <64bit #> |
Framed-IPv6-Prefix (97) | RFC3162 | Access-Accept | PPPoE | SLAAC | N.A. |
Framed-IPv6-Route (99) | RFC3162 | Access-Accept, CoA | Any | Any | N.A. |
Framed-IPv6-Pool (100) | RFC3162 | Access-Accept | PPPoE | SLAAC | ipv6 nd framed-prefix-pool <name> |
Framed-ipv6-Address (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCP6 (Local Server) | N.A. |
Stateful-IPv6-Address-Pool (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCP6 (Local Server) | dhcpv6 address-pool <name> |
Delegated-IPv6-Prefix-Pool (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCP6 (Local Server) | dhcpv6 delegated-prefix-pool <name> |
DNS-Server-IPv6-Address (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCP6 (Local Server) | To be configured in the DHCPv6 server profile |
Delegated-IPv6-Prefix | RFC4818 | Access-Accept | PPPoE, IPoE | DHCP6 (Local Server) | N.A. |
(*) The draft-ietf-radext-ipv6-access-* attributes are carried as the following Cisco AVPair equivalents:

Attribute | Cisco AVPair |
---|---|
Framed-ipv6-Address | "ipv6:addrv6=<ipv6 address>" |
Stateful-IPv6-Address-Pool | "ipv6:stateful-ipv6-address-pool=<name>" |
Delegated-IPv6-Prefix-Pool | "ipv6:delegated-ipv6-pool=<name>" |
DNS-Server-IPv6-Address | "ipv6:ipv6-dns-servers-addr=<ipv6 address>" |
The following accounting attributes pertain to packet accounting in the ASR9000 solution, including those specific to IPv6:
Attribute | Defined By | Description |
---|---|---|
Acct-Input-Octets (42) | RFC2866 | Session input total byte count |
Acct-Input-Packets (47) | RFC2866 | Session input total packet count |
Acct-Output-Octets (43) | RFC2866 | Session output total byte count |
Acct-Output-Packets (48) | RFC2866 | Session output total packet count |
Cisco VSA (26,9,1): acct-input-octets-ipv4 | Cisco | Session input IPv4 byte count |
Cisco VSA (26,9,1): acct-input-packets-ipv4 | Cisco | Session input IPv4 packet count |
Cisco VSA (26,9,1): acct-output-octets-ipv4 | Cisco | Session output IPv4 byte count |
Cisco VSA (26,9,1): acct-output-packets-ipv4 | Cisco | Session output IPv4 packet count |
Cisco VSA (26,9,1): acct-input-octets-ipv6 | Cisco | Session input IPv6 byte count |
Cisco VSA (26,9,1): acct-input-packets-ipv6 | Cisco | Session input IPv6 packet count |
Cisco VSA (26,9,1): acct-output-octets-ipv6 | Cisco | Session output IPv6 byte count |
Cisco VSA (26,9,1): acct-output-packets-ipv6 | Cisco | Session output IPv6 packet count |
Cisco VSA (26,9,1): connect-progress | Cisco | Indicates session set-up connection progress |
RADIUS attribute examples for the different types of framed-route:

PPPoE v6 route

```
Framed-IPv6-Route = "45:1:1:1:2:3:4:5/128 :: 4 tag 5"
```

PPPoE v4 route

```
Framed-Route = "45.1.6.0 255.255.255.0 0.0.0.0 6 tag 7"
```

IPoE v4 route

```
Framed-Route = "vrf vpn1 45.1.4.0/24 vrf vpn1 0.0.0.0 4 tag 5"
```

To advertise the subscriber routes, redistribute them into BGP:

```
router bgp 100
 address-family ipv4 unicast
  redistribute subscriber <route-policy>
```
Xander Thuijs CCIE#6775
Principal Engineer, ASR9000
Hi Artsiom, yes that AVP is supported in 511 onwards and it looks like the syntax is also correct from your example.
If it doesn't work, you are probably best off opening a TAC case and collecting the debug dhcp ipv4 <cr>/err/event and debug dhcp ipv4 proxy er/ev/packet and a debug radius <detail>.
regards
xander
Hi Xander,
We have noticed some differences in acct-in/out-octet acct attributes that probably show some problems. Below you can see the relevant part of an acct stop record:
```
Acct-Input-Octets = 152778724
Acct-Input-Packets = 1852008
Acct-Output-Octets = 943026125
Acct-Output-Gigawords = 1
Acct-Output-Packets = 3531687
cisco-avpair = "acct-input-octets-ipv4=64681186"
cisco-avpair = "acct-input-packets-ipv4=1445526"
cisco-avpair = "acct-output-octets-ipv4=3977486916"
cisco-avpair = "acct-output-packets-ipv4=2763969"
cisco-avpair = "acct-input-octets-ipv6=25126226"
cisco-avpair = "acct-input-packets-ipv6=406402"
cisco-avpair = "acct-output-octets-ipv6=1140423734"
cisco-avpair = "acct-output-packets-ipv6=767594"
```
We assume that Acct-Input/Output-Octets are the sum of the IPv4+IPv6 octets mentioned in the AV-pairs (this is true on the ASR1K).
The results show some differences though:

```
Acct-Output-Octets = 5237993421 (943026125 + 4294967296)
acct-output-octets-ipv4 + acct-output-octets-ipv6 = 5117910650
diff: 120082771 (2.3%)

Acct-Input-Octets = 152778724
acct-input-octets-ipv4 + acct-input-octets-ipv6 = 89807412
diff: 62971312 (41%)
```
Are we doing something wrong or some counters don't provide the correct values?
---
We have also noticed that while debugging RADIUS, several attributes are shown as unsupported although they work correctly. For example:

Debug radius (ASR9K):

```
radiusd[1114]: RADIUS: Acct-Status-Type [40] 6 Unsupported[33554432]
```

At the same time, our RADIUS (Radiator) is receiving the correct value:

```
Acct-Status-Type = Start
```
I have the whole output with several similar examples, if you want to investigate it further.
---
I was also wondering if Cisco-Policy-Up, Cisco-Policy-Down radius attributes are going to be supported in the future. We could use sub-qos-policy-in, sub-qos-policy-out instead, but it would need some massive changes in our LDAP we would like to avoid if possible.
Regards,
Dimitris
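As an added check (not part of the thread), this Python reconstructs the 64-bit session totals from the 32-bit octet counters plus Acct-*-Gigawords and compares them with the per-family cisco-avpair counters, using the Acct-Stop record quoted above embedded as a constructed sample; it runs the same comparison on the packet counters as well.

```python
import re
GIGAWORD = 2 ** 32  # Acct-*-Gigawords counts 32-bit wraps of the octet counters (RFC 2869)

# Constructed sample: the relevant part of the Acct-Stop record quoted in the post above.
SAMPLE_STOP_RECORD = """\
Acct-Input-Octets = 152778724
Acct-Input-Packets = 1852008
Acct-Output-Octets = 943026125
Acct-Output-Gigawords = 1
Acct-Output-Packets = 3531687
cisco-avpair = "acct-input-octets-ipv4=64681186"
cisco-avpair = "acct-input-packets-ipv4=1445526"
cisco-avpair = "acct-output-octets-ipv4=3977486916"
cisco-avpair = "acct-output-packets-ipv4=2763969"
cisco-avpair = "acct-input-octets-ipv6=25126226"
cisco-avpair = "acct-input-packets-ipv6=406402"
cisco-avpair = "acct-output-octets-ipv6=1140423734"
cisco-avpair = "acct-output-packets-ipv6=767594"
"""

def parse_record(text):
    """Map standard Acct-* attributes and acct-* cisco-avpair counters to integers."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r'\s*(?:cisco-avpair\s*=\s*")?([\w-]+)\s*=\s*(\d+)"?\s*$', line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def session_total(counters, direction, unit):
    """64-bit total for Input/Output x Octets/Packets; Gigawords supplies the high part of the octet count."""
    total = counters[f"Acct-{direction}-{unit}"]
    if unit == "Octets":
        total += counters.get(f"Acct-{direction}-Gigawords", 0) * GIGAWORD
    return total

def check_family_split(counters, direction, unit):
    """Return (total, ipv4 + ipv6, difference, difference in % of total) for one counter pair."""
    total = session_total(counters, direction, unit)
    key = f"acct-{direction.lower()}-{unit.lower()}"
    split = counters[f"{key}-ipv4"] + counters[f"{key}-ipv6"]
    return total, split, total - split, round(100.0 * (total - split) / total, 1)

def audit_record(text):
    """Run the check for every direction/unit pair of one accounting record."""
    counters = parse_record(text)
    return {f"{d}-{u}": check_family_split(counters, d, u)
            for d in ("Input", "Output") for u in ("Octets", "Packets")}
```

On this record the packet counters agree to within about a hundred packets while the octet counters do not, which is the kind of asymmetry worth stating explicitly when a counter discrepancy is escalated.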
Hi Xander,
Thank you for the answer.
We've opened a TAC case (629388785) right on the day of your recommendation, no help so far, tried several things with TAC engineer.
Will post the result as we get the answer.
BR
Artsiom
Hi Xander!
Finally we got the correct solution: VSA value was incorrect.
The correct attribute is Cisco-AVPair = ipv4:ipv4-default-gateway=134.17.92.129
Tested, it works.
```
User Profile received from AAA:
Attribute List: 0x1000ed34
1: addr len= 4 value= 134.17.92.211
2: netmask len= 4 value= 255.255.255.128
3: ipv4-default-gateway len= 4 value= 134.17.92.129
4: sub-qos-policy-in len= 26 value= __sub_1730ffffffd0ffffffd0
5: sub-qos-policy-out len= 26 value= __sub_1730ffffffd0ffffffd0
```
Thank you
BR
Artsiom
Artsiom, this saved me a lot of time!
Hi Xander,
is the AV-Pair "Service Activation 26 9,1 subscriber:sa=<service-name>" for

```
dynamic-template
 type service TEST1
```

or is it for the service-policy under the interface? If yes, then it's just great because the customer would like to put users in a dynamic-template via RADIUS.
```
interface Bundle-Ether12.3102
 description # DUALSTACK Downlink #
 service-policy type control subscriber BNG_DUALSTACK   ----- I would remove this and pass the dynamic template via RADIUS
 pppoe enable bba-group BNG_BBA
 encapsulation dot1q 3102
```
I am also asking myself if it's possible to do this with policy-map type control subscriber, where I can activate multiple dynamic-templates, but I have to check how to differentiate the user (PPPoEv4 only or PPPoE dual stack).
Good question Smail!
The subscriber:sa=xx refers to a dynamic template of type service.
The VSA has the same effect as an activate dynamic-template on the control policy.
In dynamic-template type <type> NAME, the "<type>" basically provides the CLI to a different set of sub-commands. For instance, if the type is ipsubscriber vs ppp, different commands are available under that dynamic template. The type service provides the ability to reference this also via RADIUS and define a service on that template for activation and de-activation dynamically.
regards
xander
Hi Xander,
So this is ONLY for type service or not? I am not 100% sure I understood you, sorry for that :)
You said "the VSA has the same effect as an activate dynamic template on the control policy."
Does this mean that I can pass the "dynamic template type ppp BNG_DUALSTACK_TEMPLATE" via RADIUS with the VSA subscriber:sa=BNG_DUALSTACK_TEMPLATE, so that the user gets the DNS servers which are under this dyn. template, and all other parameters?
Do I still need a service-policy type control under the access-interface so I have a subscriber-aware access-interface?
If you want to pass DNS servers dynamically you probably want to use the RADIUS AVPs ASCEND-PRIMARY/SECONDARY-DNS, numbers 136/137 (or the VSA equivalents, with the same effect).
The type ppp you will want to enable via the control policy.
As a rule of thumb, you would want to use the type service via the RADIUS AVPs, not the type ipsubscriber or ppp.
xander
Yes, I told the customer to pass the DNS servers via RADIUS and gave them the attributes for the primary and secondary DNS servers, but they still want to pass the template via RADIUS.
We tried it a few minutes ago and it was working, but I don't like it. Passing DNS servers via RADIUS is a better approach and I recommended them to do it.
This is the session with subscriber:sa=BNG_HSI_TEMPLATE:
```
Services:
  Name       : BNG_DUALSTACK_TEMPLATE
  Service-ID : 0x4000004
  Type       : Template
  Status     : Applied
  -------------------------
  Name       : BNG_HSI_TEMPLATE
  Service-ID : 0x4000006
  Type       : Multi Template
  Status     : Applied
  -------------------------
```
hello xander
I also deploy PPPoE dual stack on an ASR9001, and have the same problem with the default gateway. I can ping all connected routes on the BNG, but nothing through the BNG.
My ASR9001 provides the CPE an IPv6 WAN /64 using SLAAC and an IPv6 LAN /56 with DHCPv6-PD.
These subnets should be separate and accessible directly from the BNG, I mean the IPv6 WAN and IPv6 LAN are seen as directly connected on the BNG.
So from the CPE, or behind the CPE (with a laptop), I can only ping IPv6 connected routes on the BNG.
* the gateway for the IPv6 WAN is the link-local of the Bundle-Ethernet interface
* the gateway for the IPv6 LAN (checked on the laptop) is "on-link"
And when I did some ping and traceroute on the laptop (Win7) connected behind the CPE, the laptop used the IPv6 WAN address as gateway. But as the IPv6 WAN cannot ping prefixes through the BNG (even though these are advertised in BGP), I get a timeout.
So my questions:
* as there is no routing problem for me, why, when the CPE gateway is link-local, can it not send packets through the BNG?
* what do you think about the fact that the IPv6 LAN provided by DHCPv6-PD uses the IPv6 WAN (provided by SLAAC) as default gateway?
Thanks for your answer.
Jean-paul
Hi JP,
From the upstream, are you able to ping the WAN interface of the CPE and not the stations behind it?
And from the stations behind the CPE you can only ping the BNG access interface and not beyond?
If that is the case then that must be a routing issue, and likely of the client, it sounds like.
We probably need to do some troubleshooting on the routing side and some show commands, but it may be easiest to do that via a TAC case to pull all the necessary info and provide some quick Q&A there. This method is also preferred to protect your (public) addresses.
Verify with a traceroute from the stations to upstream and from upstream to the stations where it breaks, to find the point where the routing fails. Also re-verify the gateway setting on the station and the CPE.
If that fails I think we need to pursue a TAC case...
regards!
xander
Hi Xander
Thanks for your answer.
I'll open a tac case.
Jean-Paul.
Hi Xander!
Is it possible to remove pbr from subscriber through CoA if it was installed by 'subscriber:sub-pbr-policy-in' ?
You can't really, unless you overwrite it with a PBR that has no actions.
If you like to activate and deactivate a service like this, then you are best off doing this:

```
dynamic-template type service MYSERVICE
 service-policy type pbr NAME
```

and then

```
subscriber:sa=MYSERVICE (to activate/apply this PBR service)
subscriber:sd=MYSERVICE (to remove/deactivate)
```
cheers! xander