on 08-15-2013 10:04 AM
This document provides an overview of the Vendor Specific Attributes (VSAs) that can be used in the ASR9000 BNG solution. They can be carried either in the RADIUS Access-Accept message or in CoA (Change of Authorization) requests that change the behavior of an already established session.
QoS actions that can be carried in the parameterized QoS RADIUS attributes:

QoS Feature | Action format in RADIUS attribute
---|---
Shaping | shape(<rate-in-kbps>)
Shaping | shape-rpct(<rate-in-pct>)
Policing | police-rpct(<conform-rate-in-pct>,<conform-burst-in-us>,<exceed-rate-in-pct>,<exceed-burst-in-us>,<conform-action>,<exceed-action>,<violate-action>)
Policing | police(<conform-rate-in-kbps>,<conform-burst-in-kBytes>,<exceed-rate-in-kbps>,<exceed-burst-in-kBytes>,<conform-action>,<exceed-action>,<violate-action>)
Marking | set-cos(<cos-val>)
Marking | set-ip-dscp(<dscp-val>)
Marking | set-ip-prec(<precedence>)
Queuing | pri-level(<priority-level>)
Queuing | bw-rpct(<pct>), bw-rratio(<ratio>), bw-abs(<bw-in-kbps>), bw-pct(<bw-in-pct>)
Queuing | queue-limit(<qlimit-in-packets>), queue-limit-us(<qlimit-in-us>)
Queuing | random-detect-dscp(<dscp>)
Queuing | random-detect-prec(<precedence>)
CoA primitives and the RADIUS AVPs that carry them (attribute 44 is the Accounting Session ID that identifies the target session):

Primitive | RADIUS AVPs
---|---
Account Logon | attribute 44 "<string>" (Accounting Session ID); vsa cisco generic 1 string "subscriber:command=account-logon"
Account Logoff | attribute 44 "<string>" (Accounting Session ID); vsa cisco generic 1 string "subscriber:command=account-logoff"
Account Update (used to change a profile) | attribute 44 "<string>" (Accounting Session ID); vsa cisco generic 1 string "subscriber:command=account-update"; followed by the RADIUS attributes to set/update
Service Activate | attribute 44 "<string>" (Accounting Session ID); vsa cisco generic 1 string "subscriber:sa=<service-name>"
Service De-Activate | attribute 44 "<string>" (Accounting Session ID); vsa cisco generic 1 string "subscriber:sd=<service-name>"
All of the operations in the first column report an event to the control policy, which can be matched with the `event` keyword of the policy map:

```
RP/0/RSP0/CPU0:A9K-BNG(config-pmap)#event ?
account-logoff Account logoff event
account-logon Account logon event
authentication-failure Authentication failure event
authentication-no-response Authentication no response event
authorization-failure Authorization failure event
authorization-no-response Authorization no response event
exception Exception event
service-start Service start event
service-stop Service stop event
session-activate Session activate event
session-start Session start event
session-stop Session stop event
timer-expiry Timer expiry event
```
The Accounting Session ID (attribute 44) is the preferred session identifier in a CoA request. You can also key on the subscriber's Framed-IP-Address and, where applicable, its VRF (IPv4 only):

Attribute 8: Framed-IP-Address

and, starting with release 4.2.1:

Attribute 8: Framed-IP-Address + AVPair: ip:vrf-id=<vrf name>
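As an added example (not code from the original post or from Cisco), the exchange that the primitives table describes, built and checked in Python: a CoA-Request keyed on Acct-Session-Id (attribute 44) carrying the Cisco-AVPair `subscriber:sa=<service-name>`, a second one keyed on Framed-IP-Address plus `ip:vrf-id`, and the CoA-ACK/NAK the BNG would send back. The shared secret, session ID, address, VRF and service names are constructed placeholders; the packet layout, the Request/Response Authenticator rules and the Error-Cause value follow RFC 2865 and RFC 5176, and the Cisco-AVPair encoding is the "26, 9, 1" of the tables on this page.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865, RFC 5176)
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                  # vendor-type 1 under vendor 9 = Cisco-AVPair ("26, 9, 1")
HEADER = struct.Struct("!BBH")    # Code, Identifier, Length; the 16-octet Authenticator follows


def attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value; a value is limited to 253 octets."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Encode e.g. 'subscriber:sa=<service>' as Vendor-Specific(26) / Vendor-Id 9 / vendor-type 1."""
    value = text.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def build_coa_request(secret, ident, attrs):
    """CoA-Request: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = b"".join(attrs)
    header = HEADER.pack(COA_REQUEST, ident, 20 + len(body))
    request_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + request_auth + body


def build_response(secret, code, request, attrs=()):
    """Simulated BNG side: CoA-ACK/NAK with MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = HEADER.pack(code, request[1], 20 + len(body))
    response_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + response_auth + body


def verify_response(secret, request, response):
    """True only if the response matches our request's Identifier and its authenticator is valid."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, _ident, length = HEADER.unpack(response[:4])
    if code not in (COA_ACK, COA_NAK) or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])   # constant-time comparison


def parse_attrs(packet):
    """Walk the TLVs after the 20-octet header; Cisco-AVPairs are decoded to their 'key=value' text."""
    out, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if (atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID and value[4] == CISCO_AVPAIR):
            out.append(("Cisco-AVPair", value[6:4 + value[5]].decode()))
        else:
            out.append((atype, value))
        pos += alen
    return out


def demo(secret=b"s3cr3t-example"):          # constructed shared secret
    """Service activate keyed on Acct-Session-Id, then a de-activate keyed on Framed-IP-Address + ip:vrf-id."""
    by_session = build_coa_request(secret, 7, [
        attr(ATTR_ACCT_SESSION_ID, b"00000A1B"),              # constructed Accounting Session ID
        cisco_avpair("subscriber:sa=SVC-VIDEO"),              # hypothetical service name
    ])
    by_address = build_coa_request(secret, 8, [
        attr(ATTR_FRAMED_IP_ADDRESS, bytes([10, 0, 0, 25])),  # constructed subscriber address
        cisco_avpair("ip:vrf-id=VPN1"),                       # hypothetical VRF name
        cisco_avpair("subscriber:sd=SVC-VIDEO"),
    ])
    ack = build_response(secret, COA_ACK, by_session)
    # Error-Cause 503 = "Session Context Not Found" (RFC 5176): the BNG could not locate the session
    nak = build_response(secret, COA_NAK, by_address, [attr(ATTR_ERROR_CAUSE, struct.pack("!I", 503))])
    forged = ack[:4] + bytes(16) + ack[20:]                   # wrong authenticator: must be rejected
    return {
        "request_attrs": parse_attrs(by_session),
        "ack_ok": verify_response(secret, by_session, ack),
        "nak_ok": verify_response(secret, by_address, nak),
        "nak_cause": struct.unpack("!I", dict(parse_attrs(nak))[ATTR_ERROR_CAUSE])[0],
        "forged_ok": verify_response(secret, by_session, forged),
        "cross_ok": verify_response(secret, by_address, ack),  # ACK answering a different Identifier
    }


if __name__ == "__main__":
    print(demo())
```

The verifier side matters as much as the builder: a CoA client that does not check the Response Authenticator against its own Request Authenticator and Identifier will accept a spoofed ACK from anyone who can reach it on UDP/3799, and the same MD5-over-secret construction is what the BNG uses to decide whether to honour the request in the first place.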
Operation | Dynamic template command | RADIUS attribute | Vendor / type | Value
---|---|---|---|---
Service activation | | | |
Service activation | N/A | 26 | 9,1 | subscriber:sa=<service-name>
Network forwarding | | | |
IP address source interface | ipv4 unnumbered <interface> | 26 | 9,1 | ipv4:ipv4-unnumbered=<interface>
PPP framed address | N/A | 8 | n/a | framed-ip-address=<IPv4 address>
PPP address pool | ppp ipcp peer-address pool <addr pool> | 26 | 9,1 | ipv4:addr-pool=<addr pool name>
PPP framed pool | N/A | 88 | n/a | framed-pool=<addr pool name>
PPP framed route | N/A | 22 | n/a | framed-route=<subnet> <mask>
VRF | vrf <vrf name> | 26 | 9,1 | subscriber:vrf-id=<vrf name>
IPv4 DNS | ppp ipcp dns <primary dns ip> <secondary dns ip> | 26 | 9,1 | ip:primary-dns=<primary dns ip>; ip:secondary-dns=<secondary dns ip>
DHCP class name | N/A | 26 | 9,1 | subscriber:classname=<dhcp-class-name>
Traffic accounting | | | |
Accounting | accounting aaa list <method list> type session | 26 | 9,1 | subscriber:accounting-list=<method list>
Interim interval | accounting aaa list <method list> type session periodic-interval <minutes> | 85 | n/a | Acct-Interim-Interval=<seconds> (RFC 2869 defines attribute 85 in seconds; the dynamic-template CLI takes minutes)
Dual-stack accounting start delay | accounting aaa list <method list> type session dual-stack-delay <secs> | 26 | 9,1 | subscriber:dual-stack-delay=<sec>
Session administration | | | |
Keepalives | keepalive <sec> | 26 | 9,1 | subscriber:keepalive=interval<sec> (not supported/implemented)
Absolute timeout | ppp timeout absolute <sec> | 27 | n/a | session-timeout=<sec>
Idle timeout | timeout idle <sec> | 28 | n/a | idle-timeout=<sec>
Traffic conditioning | | | |
HQoS (with SPI) | service-policy input <in_mqc_name> shared-policy-instance <spi-name>; service-policy output <out_mqc_name> shared-policy-instance <spi-name> | 26 | 9,1 | subscriber:sub-qos-policy-in=<in_mqc_name> [shared-policy-instance <spi-name>]; subscriber:sub-qos-policy-out=<out_mqc_name> [shared-policy-instance <spi-name>]
pQoS | N/A | 26 | 9,1 | subscriber:qos-policy-in=add-class(target policy (class-list) qos-actions-list); subscriber:qos-policy-in=remove-class(target policy (class-list)); subscriber:qos-policy-out=add-class(target policy (class-list) qos-actions-list); subscriber:qos-policy-out=remove-class(target policy (class-list))
Subscriber ACLs/ABF | ipv4 access-group <in_acl_name> in; ipv4 access-group <out_acl_name> out; ipv6 access-group <in_v6acl_name> in; ipv6 access-group <out_v6acl_name> out | 26 | 9,1 | ipv4:inacl=<in_acl_name>; ipv4:outacl=<out_acl_name>; ipv6:ipv6_inacl=<in_v6acl_name>; ipv6:ipv6_outacl=<out_v6acl_name>
HTTP-R | service-policy type pbr <HTTP-R policy name> | 26 | 9,1 | subscriber:sub-pbr-policy-in=<HTTP-R policy name>
Attribute | Defined By | Received In | IPv6 Client | Address Assignment | Dynamic Template equivalent config |
Framed-Interface-Id (96) | RFC3162 | Access-Accept | PPPoE | Any | ppp ipv6cp peer-interface-id <64bit #> |
Framed-IPv6-Prefix (97) | RFC3162 | Access-Accept | PPPoE | SLAAC | N.A. |
Framed-IPv6-Route (99) | RFC3162 | Access-Accept CoA | Any | Any | N.A. |
Framed-IPv6-Pool (100) | RFC3162 | Access-Accept | PPPoE | SLAAC | ipv6 nd framed-prefix-pool <name> |
Framed-ipv6-Address (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCP6 (Local Server) | N.A. |
Stateful-IPv6-Address-Pool(*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCP6 (Local Server) | dhcpv6 address-pool <name> |
Delegated-IPv6-Prefix-Pool (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCP6 (Local Server) | dhcpv6 delegated-prefix-pool <name> |
DNS-Server-IPv6-Address (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCP6 (Local Server) | To be configured in DHCPv6 server profile |
Delegated-IPv6-Prefix | RFC4818 | Access-Accept | PPPoE, IPoE | DHCP6 (Local Server) | N.A. |
The attributes marked (*) come from draft-ietf-radext-ipv6-access-* and are carried on the ASR9000 as Cisco AVPairs:

Attribute | Cisco AVPair
---|---
Framed-IPv6-Address | "ipv6:addrv6=<ipv6 address>"
Stateful-IPv6-Address-Pool | "ipv6:stateful-ipv6-address-pool=<name>"
Delegated-IPv6-Prefix-Pool | "ipv6:delegated-ipv6-pool=<name>"
DNS-Server-IPv6-Address | "ipv6:ipv6-dns-servers-addr=<ipv6 address>"
The following accounting attributes pertain to packet accounting in the ASR9000 solution; the Cisco VSAs split the standard session totals into per-address-family (IPv4 and IPv6) counters:
Attribute | Defined By | Description |
Acct-Input-Octets (42) | RFC2866 | Session input total byte count |
Acct-Input-Packets (47) | RFC2866 | Session input total packet count |
Acct-Output-Octets (43) | RFC2866 | Session output total byte count |
Acct-Output-Packets (48) | RFC2866 | Session output total packet count |
Cisco VSA (26,9,1): acct-input-octets-ipv4 | Cisco | Session input IPv4 byte count |
Cisco VSA (26,9,1): acct-input-packets-ipv4 | Cisco | Session input IPv4 packet count |
Cisco VSA (26,9,1): acct-output-octets-ipv4 | Cisco | Session output IPv4 byte count |
Cisco VSA (26,9,1): acct-output-packets-ipv4 | Cisco | Session output IPv4 packet count |
Cisco VSA (26,9,1): acct-input-octets-ipv6 | Cisco | Session input IPv6 byte count |
Cisco VSA (26,9,1): acct-input-packets-ipv6 | Cisco | Session input IPv6 packet count |
Cisco VSA (26,9,1): acct-output-octets-ipv6 | Cisco | Session output IPv6 byte count |
Cisco VSA (26,9,1): acct-output-packets-ipv6 | Cisco | Session output IPv6 packet count |
Cisco VSA (26,9,1): connect-progress | Cisco | Indicates Session set up connection progress |
RADIUS attribute examples for the different types of framed route:

PPPoE IPv6 route:

```
Framed-IPv6-Route = "45:1:1:1:2:3:4:5/128 :: 4 tag 5"
```

PPPoE IPv4 route:

```
Framed-Route = "45.1.6.0 255.255.255.0 0.0.0.0 6 tag 7"
```

IPoE IPv4 route (in a VRF):

```
Framed-Route = "vrf vpn1 45.1.4.0/24 vrf vpn1 0.0.0.0 4 tag 5"
```

These routes are installed as subscriber routes and can be redistributed into BGP with an optional route policy:

```
router bgp 100
 address-family ipv4 unicast
  redistribute subscriber <route-policy>
```
Xander Thuijs CCIE#6775
Principal Engineer, ASR9000
Thanks for the answer.
This works only if the session is established. When I try to apply the service in the authorization process (DHCP subscribers), the subscriber session can't be established. I think this is a bug (IOS XR 5.1.1).
is your access-accept only containing the service activate? if that is the case then I know what the problem is.
We were just dealing with a similar situation yesterday whereby it became clear that only a service-activate constitutes an "empty profile" and that causes that trouble, by adding ANY attribute to the profile that is not skipped during activation the session operates fine.
so the solution you found is indeed the right trick.
xander
Hi Xander,
Regarding the following:
How can I announce the per-user routes if not by redistributing them?
I am using a bras cluster, so I don't know which session/per user route will end up to each bras.
Regards,
Dimitris
Dimitris
A better way is to announce the aggregate route or summary route into BGP for the sake of scalability. When you say BRAS cluster, do you mean BNG over an ASR9K nV cluster (which is a single control plane) or two BRASes working together using PADO delay to share the load? If it's the latter, the suggestion is to use a different address pool on each box to make route redistribution easier.
BR/Roy
yeah my point was that with the scale of a9k, 128k subs going to 512k you just don't want to smoke your OSPF for instance with all kinds of /32's.
It is best to have a pool per device and advertise the pool range/summary instead.
However, if you're running nv Cluster then both devices are a single logical chassis. If you run both devices stand alone with backup for each other's sessions, then the trick of pool per device and summary advertise applies.
regards
xander
We have implemented BRAS clustering using PPPoE Smart server selection (pado delay) and we are providing static IP services via radius. So a subscriber can login to several different BRAS routers (ASR1K or ASR9K) using the same IPv4 framed address/subnet or IPv6 prefix.
So different pools is not a solution for our case :(
do all users have a static address? If not, then you can do the redist on those users that may end up on either device and/or reserve a range out of a pool for that static assignment.
Even in the 7200 days, having /32's in your network floating all over the place is somewhat of a drain to the IGP in use.
If there is really no alternative, one thing to consider would be to put the BRAS into a different OSPF area and then summarize at the area boundary, so that at least the LSA updates are contained within that limited region and your whole IGP does not suffer from this.
xander
A part of the users has static addresses. The rest of them get IP addresses dynamically from local pools
Our implementation in ASR1K is the following (in high level):
The relevant parts of the config are the following (in order to get a better idea).
```
router bgp xxx
 !
 address-family ipv4
  bgp aggregate-timer 0
  network x.x.x.x mask y.y.y.y                                ! Aggregated local pool
  redistribute connected route-map CONNECTED-TO-BGP-ROUTEPOLICY ! for framed-ip-address from radius / route map denies router connected networks (e.g. interfaces, /32 from PPP sessions)
  redistribute static route-map STATIC-TO-BGP-ROUTEPOLICY       ! for framed-route from radius / route map denies configured static routes (e.g. default route)
!
ip route x.x.x.x y.y.y.y Null0 254 tag 1 name LOCAL-POOL      ! local pool
ip route 0.0.0.0 0.0.0.0 z.z.z.z tag 1 name DEFAULT-ROUTE     ! default route
ip prefix-list CONNECTED-TO-BGP-DENY-PREFIXES seq 10 permit x.x.x.x/w ge 32 ! local pool
!
route-map STATIC-TO-BGP-ROUTEPOLICY deny 10
 match tag 1                                                  ! denies configured static routes
!
route-map STATIC-TO-BGP-ROUTEPOLICY permit 99
!
!
route-map CONNECTED-TO-BGP-ROUTEPOLICY deny 10
 match interface Loopback0 TenGigabitEthernet1/0/0            ! denies local interfaces
!
route-map CONNECTED-TO-BGP-ROUTEPOLICY deny 20
 match ip address prefix-list CONNECTED-TO-BGP-DENY-PREFIXES  ! denies /32 from local pools
!
route-map CONNECTED-TO-BGP-ROUTEPOLICY permit 99
```
In ASR9K, using "subscriber" routes instead of static/connected makes it easier for us to advertise the per-user routes (framed-ip-address, framed-route) than it was in IOS-XE, because we don't need all the route maps to distinguish them from the local static/connected routes.
The question is whether you see any problems in redistributing per-user subscriber routes. I guess I have to use a route policy to avoid redistributing the /32s from the local pools (since they are also subscriber routes), but I cannot see a different way to implement it that totally avoids redistribution.
~~~~~
Got the same reply problem here as with the other question dimitris, editing inline then instead...
Yeah the route marking from connected to subscriber definitely makes it easy. See we do learn from the past and improve forward :)
This what you have above, is perfect. Controlling the /32's out. You can do the same in XR with RPL (route policy language) in a similar fashion as with route-maps on your redistribute command for subscriber routes:
RP/0/RSP0/CPU0:A9K-BNG(config-bgp-af)#redistribute subscriber route-policy test
xander
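An added example of the RPL that the `redistribute subscriber route-policy` command above refers to; this is not configuration from the thread or from Cisco documentation. The prefix-set contents (a placeholder pool range, 192.0.2.0/24), the policy name and the AS number are assumptions. The intent mirrors Dimitris's IOS-XE route-map: the pool is advertised as one summary (backed by a Null0 static so the `network` statement has a RIB route to match), the per-session /32s inside that pool are dropped, and every other subscriber route (static framed addresses, Framed-Routes) is passed to BGP.

```text
router static
 address-family ipv4 unicast
  192.0.2.0/24 Null0
!
prefix-set LOCAL-POOLS
  192.0.2.0/24 ge 32
end-set
!
route-policy SUBSCRIBER-TO-BGP
  if destination in LOCAL-POOLS then
    drop
  else
    pass
  endif
end-policy
!
router bgp 100
 address-family ipv4 unicast
  network 192.0.2.0/24
  redistribute subscriber route-policy SUBSCRIBER-TO-BGP
```

The `ge 32` qualifier is what keeps the pool itself out of the drop branch: the summary is injected by the `network` statement, not by redistribution, so only the host routes carved from the pool are filtered. Statically assigned addresses that deliberately live outside the pool range fall through to `pass` and are redistributed, which is the case the thread is about.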
Hi Xander,
I am facing some issues regarding some specific radius attributes in 4.3.4
1. I cannot see how I can apply a per-user ACL sent via radius. In IOS-XE I am using ip:inacl#1=permit ip any any av-pair, but in IOS-XR the inacl attribute is supposed to be used differently (if I have understood correctly).
2. ipv4 access-group <in_acl_name> in under dynamic-template does not seem to work:
```
dynamic-template
 type ppp POP-KLN-DYNAMIC-TEMPLATE
  <...>
  ipv4 access-group SUBSCRIBER-IPV4-IN ingress

RP/0/RSP0/CPU0:bbras-llu-kln-31#sh access-lists interface bundle-ether 1.33211199.pppoe1241
Input ACL : N/A
Output ACL : N/A
```
3. Trying to apply a configured ACL from radius (ipv4:inacl=<in_acl_name>) doesn't seem to work:
```
Radius profile: cisco-avpair="ip:inacl=SUBSCRIBER-IPV4-IN",

RP/0/RSP0/CPU0:bbras-llu-kln-31#sh access-lists interface bundle-ether 1.33211199.pppoe1240
Input ACL : N/A
Output ACL : N/A
```
So, I haven't found a way to do the following:
Could you help please?
Regards,
Dimitris
Hi D,
1) correct, that is not supported yet in XR, we have no case for it yet, so its been put on the backburner...
2) that command is not working yet, but I have a fix up for that filed and will come soon, the right now command is like this:
show access-lists <acl_name> usage pfilter location 0/RSP1/CPU0
The location is the RSP for bundle sessions or the LC for physical/sub-interface termination.
output:
Thanks for the prompt reply :)
1. I guess we are the first. Do you need us to open a TAC case or involve our acct team in order to describe you the case?
2. Works
```
RP/0/RSP0/CPU0:bbras-llu-kln-31#show access-lists LOCAL-SUBSCRIBER-IPV4-IN usage pfilter location 0/RSP0/CPU0
Interface : Bundle-Ether1.33211199.pppoe1244
Input Common-ACL : N/A ACL : LOCAL-SUBSCRIBER-IPV4-IN
Output ACL : N/A
```
3. Works
```
RP/0/RSP0/CPU0:bbras-llu-kln-31#show access-lists RADIUS-SUBSCRIBER-IPV4-IN usage pfilter location 0/RSP0/CPU0
Interface : Bundle-Ether1.33211199.pppoe1245
Input Common-ACL : N/A ACL : RADIUS-SUBSCRIBER-IPV4-IN
Output ACL : N/A

RP/0/RSP0/CPU0:bbras-llu-kln-31#sh subsc sess all detail internal
Interface: Bundle-Ether1.33211199.pppoe1245
<...>
4: inacl len= 26 value= RADIUS-SUBSCRIBER-IPV4-IN
```
Do you have any estimations about the availability of the fix?
Hello Xander,
For any established v6 session we can see subscriber v6 address in Cisco-AVPair = addrv6=2a02:x:x:x::x attribute in accounting requests from BNG.
Is there an attribute in Accounting flow, which shows the delegated ipv6 prefix to an ipsubscriber when using BNG DHCPv6 server?
BR,
Artsiom
Hello.
How can I determine which services the subscriber is subscribed (using CoA)?
Nah no need for a TAC case Dimitris, then I'll get the same question different route and the answer to you will be the same: For this one it is best to consult with your account team and explain the requirement/necessity. They will create a business case to our marketing team so that when there is enough demand this will be prioritized accordingly.
I looked into this before, because I liked this functionality on IOS (a1k/c10k). Although it is a drag on scale, because every p-u ACL gets a unique instance although all the ACE's may be the same or very similar (/compressable?), the work to do this is quite substantial. Unfortunately this is not an easy fix that I could do under the table, so need that user demand for it to justify the dev and test time etc... Otherwise I would have sneaked it in somewhere :)
and awesome on the items 2 and 3! :)
xander