on 08-15-2013 10:04 AM
This document provides an overview of the Vendor Specific Attributes (VSAs) that can be used in the ASR9000 BNG solution. They can be sent either in the RADIUS Access-Accept message or in a CoA (Change of Authorization) request to change the behavior of an existing session.
QoS Feature | Action format in RADIUS attribute
---|---
Shaping | shape(<rate-in-kbps>)
 | shape-rpct(<rate-in-pct>)
Policing | police-rpct(<conform-rate-in-pct>,<conform-burst-in-us>,<exceed-rate-in-pct>,<exceed-burst-in-us>,<conform-action>,<exceed-action>,<violate-action>)
 | police(<conform-rate-in-kbps>,<conform-burst-in-kbytes>,<exceed-rate-in-kbps>,<exceed-burst-in-kbytes>,<conform-action>,<exceed-action>,<violate-action>)
Marking | set-cos(<cos-val>)
 | set-ip-dscp(<dscp-val>)
 | set-ip-prec(<precedence>)
Queuing | pri-level(<priority-level>)
 | bw-rpct(<pct>), bw-rratio(<ratio>), bw-abs(<bw-in-kbps>), bw-pct(<bw-in-pct>)
 | queue-limit(<qlimit-in-packets>), queue-limit-us(<qlimit-in-us>)
 | random-detect-dscp(<dscp>)
 | random-detect-prec(<precedence>)
Primitive | RADIUS AVP
---|---
Account Logon | authentication cpe12 CoA cisco123 attribute 44 "<string>" (Accounting Session ID) vsa cisco generic 1 string "subscriber:command=account-logon"
Account Logoff | attribute 44 "<string>" (Accounting Session ID) vsa cisco generic 1 string "subscriber:command=account-logoff"
Account Update (used to change a profile) | attribute 44 "<string>" (Accounting Session ID) vsa cisco generic 1 string "subscriber:command=account-update" <radius attributes to set/update>
Service Activate | attribute 44 "<string>" (Accounting Session ID) vsa cisco generic 1 string "subscriber:sa=<service-name>"
Service De-Activate | attribute 44 "<string>" (Accounting Session ID) vsa cisco generic 1 string "subscriber:sd=<service-name>"
All of the operations in the first column report an event to the control policy:
RP/0/RSP0/CPU0:A9K-BNG(config-pmap)#event ?
account-logoff Account logoff event
account-logon Account logon event
authentication-failure Authentication failure event
authentication-no-response Authentication no response event
authorization-failure Authorization failure event
authorization-no-response Authorization no response event
exception Exception event
service-start Service start event
service-stop Service stop event
session-activate Session activate event
session-start Session start event
session-stop Session stop event
timer-expiry Timer expiry event
The Accounting Session ID (attribute 44) is the preferred session identifier. You can also key on the subscriber using the Framed-IP-Address and, if applicable, the VRF (IPv4 only):
Attribute 8: Framed-IP-Address
and starting with 4.2.1:
Attribute 8: Framed-IP-Address + AVPair: ip:vrf-id=<vrf name>
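To make the CoA primitives above concrete, here is an added example (not code from the original document or from Cisco) that encodes a CoA-Request (RFC 5176 code 43) carrying attribute 44 (Acct-Session-Id) as the session key plus a Cisco-AVPair (attribute 26, vendor 9, sub-type 1) such as "subscriber:sa=<service-name>", and that shows the check the receiving BNG must perform before acting on it: recompute the Request Authenticator over the packet with the shared secret and reject the request on a mismatch. The shared secret, the identifier, the session id "000000d8" (taken from the trace later on this page) and the service name "TURBO" are constructed values; the wire format follows RFC 2865/5176.

```python
"""Encode and verify a RADIUS CoA-Request carrying the ASR9000 BNG
session key (44, Acct-Session-Id) and a Cisco VSA (26 / 9 / 1).
Added example, not from the original document; SECRET, identifier
and the service name are constructed values."""
import hashlib
import struct

COA_REQUEST = 43            # RFC 5176 packet code for CoA-Request
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_SESSION_ID = 44
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1            # Cisco-AVPair vendor sub-attribute type


def avp(attr_type, value):
    """Encode one top-level attribute: Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific (26): Vendor-Id(4) + sub-attribute Type/Length/String."""
    payload = text.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, len(payload) + 2) + payload
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_coa_request(identifier, secret, attributes):
    """RFC 5176: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_attributes(body):
    """Walk a Type/Length/Value list; return [(type, value_bytes), ...]."""
    out, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack_from("!BB", body, pos)
        if alen < 2 or pos + alen > len(body):
            raise ValueError("bad attribute length")
        out.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return out


def decode_coa_request(packet, secret):
    """Receiver side: verify the Request Authenticator with the shared
    secret, then decode the session key and Cisco AVPairs.  Raises on
    a malformed packet or a bad authenticator (wrong secret / forgery)."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack_from("!BBH", packet, 0)
    if code != COA_REQUEST or length != len(packet):
        raise ValueError("not a well-formed CoA-Request")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if packet[4:20] != expected:
        raise ValueError("Request Authenticator mismatch")
    result = {"id": identifier, "acct_session_id": None,
              "framed_ip": None, "avpairs": []}
    for atype, value in parse_attributes(body):
        if atype == ATTR_ACCT_SESSION_ID:
            result["acct_session_id"] = value.decode()
        elif atype == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            result["framed_ip"] = ".".join(str(b) for b in value)
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 4:
            if struct.unpack_from("!I", value, 0)[0] == CISCO_VENDOR_ID:
                for stype, svalue in parse_attributes(value[4:]):
                    if stype == CISCO_AVPAIR:
                        result["avpairs"].append(svalue.decode())
    return result


# Constructed sample: activate service "TURBO" on session 000000d8,
# keyed by Acct-Session-Id as the document recommends.
SECRET = b"example-shared-secret"
SAMPLE_COA = build_coa_request(7, SECRET, [
    avp(ATTR_ACCT_SESSION_ID, b"000000d8"),
    cisco_avpair("subscriber:sa=TURBO"),
])

if __name__ == "__main__":
    print(decode_coa_request(SAMPLE_COA, SECRET))
```

The authenticator check is what stops an unauthenticated host on the management network from activating or tearing down services with a forged CoA, so it belongs on the receiving side in the same place the attributes are decoded.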
Operation | Dynamic template command | RADIUS attribute | Vendor ID, type | Value
---|---|---|---|---
Service Activation | | | |
Service Activation | N/A | 26 | 9,1 | subscriber:sa=<service-name>
Network Forwarding | | | |
IP address source interface | ipv4 unnumbered <interface> | 26 | 9,1 | ipv4:ipv4-unnumbered=<interface>
PPP framed address | N/A | 8 | n/a | framed-ip-address=<IPv4 address>
PPP address pool | ppp ipcp peer-address pool <addr pool> | 26 | 9,1 | ipv4:addr-pool=<addr pool name>
PPP framed pool | N/A | 88 | n/a | framed-pool=<addr pool name>
PPP framed route | N/A | 22 | n/a | framed-route=<subnet> <mask>
VRF | vrf <vrf name> | 26 | 9,1 | subscriber:vrf-id=<vrf name>
IPv4 DNS | ppp ipcp dns <primary dns ip> <secondary dns ip> | 26 | 9,1 | ip:primary-dns=<primary dns ip> ip:secondary-dns=<secondary dns ip>
DHCP class name | N/A | 26 | 9,1 | subscriber:classname=<dhcp-class-name>
Traffic Accounting | | | |
Accounting | accounting aaa list <method list> type session | 26 | 9,1 | subscriber:accounting-list=<method list>
Interim Interval | accounting aaa list <method list> type session periodic-interval <minutes> | 85 | n/a | Acct-Interim-Interval <minutes>
Dual Stack Accounting Start Delay | accounting aaa list <method list> type session dual-stack-delay <secs> | 26 | 9,1 | subscriber:dual-stack-delay=<sec>
Session Administration | | | |
Keepalives | keepalive <sec> | 26 | 9,1 | subscriber:keepalive=interval<sec> (NOT SUPPORTED/implemented)
Absolute Timeout | ppp timeout absolute <sec> | 27 | n/a | session-timeout=<sec>
Idle Timeout | timeout idle <sec> | 28 | n/a | idle-timeout=<sec>
Traffic Conditioning | | | |
HQoS (with SPI) | service-policy input <in_mqc_name> shared-policy-instance <spi-name>; service-policy output <out_mqc_name> shared-policy-instance <spi-name> | 26 | 9,1 | subscriber:sub-qos-policy-in=<in_mqc_name> [shared-policy-instance <spi-name>]; subscriber:sub-qos-policy-out=<out_mqc_name> [shared-policy-instance <spi-name>]
pQoS | N/A | 26 | 9,1 | subscriber:qos-policy-in=add-class(target policy (class-list) qos-actions-list); subscriber:qos-policy-in=remove-class(target policy (class-list)); subscriber:qos-policy-out=add-class(target policy (class-list) qos-actions-list); subscriber:qos-policy-out=remove-class(target policy (class-list))
Subscriber ACLs/ABF | ipv4 access-group <in_acl_name> in; ipv4 access-group <out_acl_name> out; ipv6 access-group <in_v6acl_name> in; ipv6 access-group <out_v6acl_name> out | 26 | 9,1 | ipv4:inacl=<in_acl_name>; ipv4:outacl=<out_acl_name>; ipv6:ipv6_inacl=<in_v6acl_name>; ipv6:ipv6_outacl=<out_v6acl_name>
HTTP-R | service-policy type pbr <HTTP-R policy name> | 26 | 9,1 | subscriber:sub-pbr-policy-in=<HTTP-R policy name>
Attribute | Defined By | Received In | IPv6 Client | Address Assignment | Dynamic Template equivalent config
---|---|---|---|---|---
Framed-Interface-Id (96) | RFC3162 | Access-Accept | PPPoE | Any | ppp ipv6cp peer-interface-id <64bit #>
Framed-IPv6-Prefix (97) | RFC3162 | Access-Accept | PPPoE | SLAAC | N.A.
Framed-IPv6-Route (99) | RFC3162 | Access-Accept, CoA | Any | Any | N.A.
Framed-IPv6-Pool (100) | RFC3162 | Access-Accept | PPPoE | SLAAC | ipv6 nd framed-prefix-pool <name>
Framed-IPv6-Address (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCPv6 (Local Server) | N.A.
Stateful-IPv6-Address-Pool (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCPv6 (Local Server) | dhcpv6 address-pool <name>
Delegated-IPv6-Prefix-Pool (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCPv6 (Local Server) | dhcpv6 delegated-prefix-pool <name>
DNS-Server-IPv6-Address (*) | draft-ietf-radext-ipv6-access-06 | Access-Accept | PPPoE, IPoE | DHCPv6 (Local Server) | To be configured in the DHCPv6 server profile
Delegated-IPv6-Prefix | RFC4818 | Access-Accept | PPPoE, IPoE | DHCPv6 (Local Server) | N.A.
(*) The draft-ietf-radext-ipv6-access-* attributes are carried as Cisco AVPairs:
Attribute | Cisco AVPair
---|---
Framed-IPv6-Address | "ipv6:addrv6=<ipv6 address>"
Stateful-IPv6-Address-Pool | "ipv6:stateful-ipv6-address-pool=<name>"
Delegated-IPv6-Prefix-Pool | "ipv6:delegated-ipv6-pool=<name>"
DNS-Server-IPv6-Address | "ipv6:ipv6-dns-servers-addr=<ipv6 address>"
The following accounting attributes pertain to packet accounting in the ASR9000 solution, including the IPv6-specific counters:
Attribute | Defined By | Description
---|---|---
Acct-Input-Octets (42) | RFC2866 | Session input total byte count |
Acct-Input-Packets (47) | RFC2866 | Session input total packet count |
Acct-Output-Octets (43) | RFC2866 | Session output total byte count |
Acct-Output-Packets (48) | RFC2866 | Session output total packet count |
Cisco VSA (26,9,1): acct-input-octets-ipv4 | Cisco | Session input IPv4 byte count |
Cisco VSA (26,9,1): acct-input-packets-ipv4 | Cisco | Session input IPv4 packet count |
Cisco VSA (26,9,1): acct-output-octets-ipv4 | Cisco | Session output IPv4 byte count |
Cisco VSA (26,9,1): acct-output-packets-ipv4 | Cisco | Session output IPv4 packet count |
Cisco VSA (26,9,1): acct-input-octets-ipv6 | Cisco | Session input IPv6 byte count |
Cisco VSA (26,9,1): acct-input-packets-ipv6 | Cisco | Session input IPv6 packet count |
Cisco VSA (26,9,1): acct-output-octets-ipv6 | Cisco | Session output IPv6 byte count |
Cisco VSA (26,9,1): acct-output-packets-ipv6 | Cisco | Session output IPv6 packet count |
Cisco VSA (26,9,1): connect-progress | Cisco | Indicates Session set up connection progress |
RADIUS attribute examples for the different types of framed route:
PPPoE IPv6 route:
Framed-IPv6-Route = "45:1:1:1:2:3:4:5/128 :: 4 tag 5"
PPPoE IPv4 route:
Framed-Route = "45.1.6.0 255.255.255.0 0.0.0.0 6 tag 7"
IPoE IPv4 route:
Framed-Route = "vrf vpn1 45.1.4.0/24 vrf vpn1 0.0.0.0 4 tag 5"
The resulting subscriber routes are redistributed into BGP with:
router bgp 100
 address-family ipv4 unicast
  redistribute subscriber <route-policy>
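Because a Framed-Route string that the BNG cannot parse is silently dropped or, worse, installs a route other than the one intended, it is worth being able to check these strings before they go into the RADIUS profile. The parser below is an added example (not code from the original document or from Cisco); its grammar is inferred from the three examples above and the trace later on this page: an optional "vrf <name>" before the prefix, the prefix in either slash or dotted-netmask form, an optional "vrf <name>" before the gateway, the gateway, an optional numeric metric and an optional "tag <n>". It also generalizes slightly by rejecting a gateway whose address family does not match the prefix.

```python
"""Parse Framed-Route (22) / Framed-IPv6-Route (99) strings as shown
on this page into structured fields.  Added example, not from the
original document; the grammar is inferred from the page's examples."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class FramedRoute:
    prefix: object                     # IPv4Network or IPv6Network
    gateway: object                    # IPv4Address or IPv6Address
    metric: Optional[int] = None
    tag: Optional[int] = None
    vrf: Optional[str] = None          # VRF named before the prefix
    gateway_vrf: Optional[str] = None  # VRF named before the gateway


def _take_vrf(tokens):
    """Consume an optional 'vrf <name>' pair at the front of tokens."""
    if len(tokens) >= 2 and tokens[0].lower() == "vrf":
        return tokens[1], tokens[2:]
    return None, tokens


def parse_framed_route(text):
    """Return a FramedRoute, or raise ValueError on anything unparseable."""
    tokens = text.strip().split()
    vrf, tokens = _take_vrf(tokens)
    if not tokens:
        raise ValueError("missing prefix")
    first = tokens.pop(0)
    if "/" in first:
        prefix = ipaddress.ip_network(first, strict=False)
    else:
        # dotted-netmask form "45.1.6.0 255.255.255.0" (IPv4 only)
        if not tokens:
            raise ValueError("missing netmask")
        prefix = ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)
    gateway_vrf, tokens = _take_vrf(tokens)
    if not tokens:
        raise ValueError("missing gateway")
    gateway = ipaddress.ip_address(tokens.pop(0))
    if gateway.version != prefix.version:
        raise ValueError("gateway and prefix address families differ")
    metric = tag = None
    if tokens and tokens[0].isdigit():
        metric = int(tokens.pop(0))
    if len(tokens) >= 2 and tokens[0].lower() == "tag" and tokens[1].isdigit():
        tag = int(tokens[1])
        tokens = tokens[2:]
    if tokens:
        raise ValueError(f"unexpected trailing tokens: {tokens}")
    return FramedRoute(prefix, gateway, metric, tag, vrf, gateway_vrf)


# The three strings from the document, plus the one in the trace below.
PAGE_EXAMPLES = [
    "45:1:1:1:2:3:4:5/128 :: 4 tag 5",
    "45.1.6.0 255.255.255.0 0.0.0.0 6 tag 7",
    "vrf vpn1 45.1.4.0/24 vrf vpn1 0.0.0.0 4 tag 5",
    "10.192.1.0 255.255.255.0 0.0.0.0 1",
]

if __name__ == "__main__":
    for example in PAGE_EXAMPLES:
        print(parse_framed_route(example))
```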
Xander Thuijs CCIE#6775
Principal Engineer, ASR9000
Hey Artsiom,
a great question. I had a discussion with a few folks few days ago about this also, as part of the doc:
https://supportforums.cisco.com/document/12050566/asr9000xr-bng-and-dual-stack-ipv4-and-ipv6-sessions
Look for the discussion surrounding: CSCuo70731
cheers
xander
hi mvmtech,
good question, not yet today. I have a request open to get this going via a session-query operation in COA: CSCuc45110: Need support for Session-Query
regards!
xander
Sorry Xander, missed it. Doublechecked and this attribute is present in 5.1.2, IANA attr 123.
Thank you,
Artsiom
Hi Xander,
I'm a bit confused regarding the format of the attributes. we are using 9k IPoE subs on 4.3.1, 4.3.4 and 5.2.0.
For example, when to use ip:, ipv4:, ipv6: and subscriber:, or nothing..
Above you are writing subscriber:classname=<dhcp-class-name> but we are using Cisco-AVPair += "dhcp-class=<name>"
and you write ipv4:ipv4-unnumbered=<interface> but we use Cisco-AVPair += "ip:ipv4-unnumbered=<interface>"
What is the supported way?
Thanks in advance!
/Gunnar
Hi Gunnar,
the intended format is ipv4:ipv4-unnumbered.
the word before the ":" is basically the targeted component, but we don't really pay attention to that (yet), that is why ip:xxx and ipv4:xxx are both working, but the proper format would be ipv4:ipv4-unnumbered.
So considering that we don't pay attention to the component, nothing or an incorrectly spelled one works, but it is best to format them according to the guide above.
cheers!
xander
Hi Xander,
I would like to ask you just to verify the following implementation (I have tested it and it seems it works), because in IOS-XE it is not supported the way we would like it to be.
IPv6 WAN prefix assigned by local pool
dynamic-template
type ppp DYNAMIC-TEMPLATE
<...>
ipv6 nd framed-prefix-pool WAN-IPv6-POOL
IPv6 LAN prefix delegated by local dhcp server
dynamic-template
type ppp DYNAMIC-TEMPLATE
<...>
dhcpv6 delegated-prefix-pool LAN-IPv6-POOL
<...>
dhcp ipv6
profile DHCP-SERVER-LOCAL server
dns-server 2a02:2148:x:x::x 2a02:2148:x:x::y
prefix-pool LAN-IPv6-POOL
!
interface subscriber-pppoe profile DHCP-SERVER-LOCAL
The above seems to work fine for the dynamic allocation.
In case we need to provide static prefixes (framed/delegated) to specific subscribers we send the corresponding radius attributes (framed-ipv6-prefix/delegated-ipv6-prefix) during aaa and everything works, so we can simultaneously achieve massive dynamic and selective static IPv6 prefix allocation.
Could you please verify that there isn't anything weird in this approach?
Thanx,
Dimitris
Hi Xander,
we are at the end of our CGNAT logging (IsarFlow) project. We have correlation between RADIUS and ISM which is exporting all NAT session info from netflow export.
Problem is that when a subscriber disconnects and the subscriber had a NAT session, the next subscriber which just has established a PPPoE session gets the same IP address, and the new subscriber is using the same NAT session.
Problem is that the timestamp of NAT session and RADIUS start/stop does not match.
e.g. NAT started at 06:30, but the PPPoE session has been established at 06:50. This is because the new user is not using a new session but it just takes over the active one because same IPv4 address is used. A short NAT timeout could do a lot harm so we can not change it.
Question: Is it possible to put a flag on this IPv4 address from last user so that new users get a different IPv4 address, and after a short time the flag is removed and it can be used again?
I did some research and of course I could not find anything, because we are the only ones with such a problem.
DHCPv4 for PPPoE is supported on IOS, but even if this is supported on XR this solution is not scalable and it's not recommended.
p.s. I think that this problem can be solved on IsaFlow so that it ignores CGNAT info when it was created before the pppoe session, but we are not sure if they are willing to fix it.
Hi Smail,
this requirement makes sense. in IOS the pool manager used to put recycled adds to the bottom of the queue so that too rapid reuse wouldn't happen as frequently.
It requires us to change the current IPAM (ip address management) implementation, the function that handles the pool distribution, but let me file a ddts for this to see if this can be done.
I think however, it would be best also for IsaFlow to be more "tolerant" to this scenario, as it makes their implementation a bit more adaptable for any circumstance.
regards
xander
Hi Xander,
many thanks for the reply. I really appreciate your work here.
It would be really cool if Cisco can do this.
Problem is that we have to solve this issue in the next few days and because of that we will make a push so that Isarflow makes a fix. It just makes more sense to fix this on Isarflow.
Regarding BNG - there are already a lot of features on it, but it's never enough :)
not a problem Smail! oh yeah I can't turn this IPAM around in a few days (if at all easily doable). But I'll let you know what I find out here.
Ha and that is what I love about BNG, always customizations and no two deployments are the same :)
cheers!
xander
Hello, Xander
I've got a question:
Radius Acct-Session-Id attribute could be easily found in Auth-Request along with Acct-Req presence but the value Acct-Session-Id in Auth-Request is different from Accounting Flow, the value of the session-id number in Auth-Request is typically equal to Acct-Request (Acct-Session-Id - 1), is there any possibility of correlation between these two values?
Artsiom
That is not right Artsiom! unless this is an accounting record for a service, which obviously will have a different accounting ID, the session accounting and the signaled ID during access request need to line up.
I just tried to reverify this in 5.1.2 and it seems all right?
Tue Jun 3 16:01:46 2014: [3678] message received from 3.0.0.233/51257.64 code=1, length=278
** access request ** access-Request code 1
Tue Jun 3 16:01:46 2014: [3678] Cisco-avpair = "client-mac-address=0006.2aaa.2438"
Tue Jun 3 16:01:46 2014: [3678] Acct-Session-Id = "000000d8" <<< ID
Tue Jun 3 16:01:46 2014: [3678] NAS-Port = 67109350
Tue Jun 3 16:01:46 2014: [3678] NAS-Port-Id = "intf 0/100 00-06-2a-aa-24-38"
Tue Jun 3 16:01:46 2014: [3678] Vendor-Specific-9-2 = "intf 0/100 00-06-2a-aa-24-38"
Tue Jun 3 16:01:46 2014: [3678] User-Name = "dialer@cisco.com"
Tue Jun 3 16:01:46 2014: [3678] Service-Type = Framed-User
Tue Jun 3 16:01:46 2014: [3678] CHAP-Password = "\2244\226\237J\242||k\232\376{)}\322E\355"
Tue Jun 3 16:01:46 2014: [3678] CHAP-Challenge = "Bq\362\00595\004\032F\257*:r\204\254V"
Tue Jun 3 16:01:46 2014: [3678] Unknown-196 = "\000\000\000A"
Tue Jun 3 16:01:46 2014: [3678] Cisco-avpair = "connect-progress=LCP Open"
Tue Jun 3 16:01:46 2014: [3678] Framed-Protocol = PPP
Tue Jun 3 16:01:46 2014: [3678] NAS-Port-Type = 36
Tue Jun 3 16:01:46 2014: [3678] Event-Timestamp = 1401825800
Tue Jun 3 16:01:46 2014: [3678] NAS-Identifier = "A9K-BNG"
Tue Jun 3 16:01:46 2014: [3678] NAS-IP-Address = 3.0.0.233
Tue Jun 3 16:01:46 2014: [3680] sending accept to 3.0.0.233/51257.64
Tue Jun 3 16:01:46 2014: [3680] Framed-Protocol = PPP
Tue Jun 3 16:01:46 2014: [3680] Service-Type = Framed-User
Tue Jun 3 16:01:46 2014: [3680] Framed-IP-Address = 1.2.3.3
Tue Jun 3 16:01:46 2014: [3680] Cisco-avpair = "ipv4:ipv4-unnumbered=Loopback0"
Tue Jun 3 16:01:46 2014: [3680] Framed-Route = "10.192.1.0 255.255.255.0 0.0.0.0 1"
Tue Jun 3 16:01:46 2014: [3680] message sent to 3.0.0.233/51257.64 code=2, length=112
*** Access Accept (code 2)
Tue Jun 3 16:01:47 2014: [3679] message received from 3.0.0.233/51257.65 code=4, length=357
** Start record !
Tue Jun 3 16:01:47 2014: [3679] Acct-Interim-Interval = 3600
Tue Jun 3 16:01:47 2014: [3679] Acct-Status-Type = Start
Tue Jun 3 16:01:47 2014: [3679] Event-Timestamp = 1401825800
Tue Jun 3 16:01:47 2014: [3679] NAS-Port-Type = 36
Tue Jun 3 16:01:47 2014: [3679] Cisco-avpair = "client-mac-address=0006.2aaa.2438"
Tue Jun 3 16:01:47 2014: [3679] Acct-Session-Id = "000000d8" << ID is same?!
Tue Jun 3 16:01:47 2014: [3679] NAS-Port = 67109350
Tue Jun 3 16:01:47 2014: [3679] NAS-Port-Id = "intf 0/100 00-06-2a-aa-24-38"
Tue Jun 3 16:01:47 2014: [3679] Vendor-Specific-9-2 = "intf 0/100 00-06-2a-aa-24-38"
Tue Jun 3 16:01:47 2014: [3679] User-Name = "dialer@cisco.com"
Tue Jun 3 16:01:47 2014: [3679] Framed-IP-Address = 1.2.3.3
Tue Jun 3 16:01:47 2014: [3679] Acct-Authentic = RADIUS
Tue Jun 3 16:01:47 2014: [3679] Cisco-avpair = "vrf-id=default"
Tue Jun 3 16:01:47 2014: [3679] Framed-Route = "10.192.1.0 255.255.255.0 0.0.0.0 1"
Tue Jun 3 16:01:47 2014: [3679] Cisco-avpair = "pppoe-session-id=86"
Tue Jun 3 16:01:47 2014: [3679] Framed-Protocol = PPP
Tue Jun 3 16:01:47 2014: [3679] Service-Type = Framed-User
Tue Jun 3 16:01:47 2014: [3679] Unknown-196 = "\000\000\000C"
Tue Jun 3 16:01:47 2014: [3679] Cisco-avpair = "connect-progress=IPCP Open"
Tue Jun 3 16:01:47 2014: [3679] NAS-Identifier = "A9K-BNG"
Tue Jun 3 16:01:47 2014: [3679] NAS-IP-Address = 3.0.0.233
Tue Jun 3 16:01:47 2014: [3679] Acct-Delay-Time = 0
Tue Jun 3 16:01:47 2014: [3679] sending acct-response to 3.0.0.233/51257.65
Tue Jun 3 16:01:47 2014: [3679] message sent to 3.0.0.233/51257.65 code=5, length=20
code 5 is accounting response
It looks ok to me, if it is truly off, then I need to see the records and know the version that you are seeing this in please.
cheers!
xander
Hi Xander,
have you filed a ddts for IPAM? We got two more weeks for this project. I know that you can not fix this that fast, but it would be nice to know approximately when Cisco can release a SMU on 4.3.4.
When you create the ddts I can contact our local AM to put a request to BU.
We are trying to find a solution with IsarFlow but they are also telling us that they get the same IP address just too fast.
Thank you very much Xander,
We've rechecked the flow yesterday and we understand why we have different Acc-sess-ids - we authenticate or authorize one session twice before accounting. Now looking into it, will try to modify the control policy....
BR,
Artsiom
Hi Smail, I dug up some additional information:
Currently in XR511, there is a recycle time of 1 minute, that means that an address returned is not used for 1 min ideally.
It could be that there is so much churn and the pool size so small that the addr gets recycled quicker, which may be what you're running into.
Adjusting this behavior will result in rather bad cps performance and extensive LC<> RP messaging for pool/addr assignment to the user.
this we rather not change preferably.
Recommendation is that if you are using 511 with that recycle timer, to enlarge the pool to allow for that timer to run to completion and having adds properly put on hold.
regards
xander