ASR9000/XR: BNG VSA's (vendor specific attributes) and Services - Page 6

xthuijs · ‎08-15-2013

Introduction
Vendor Specific Attributes
- RADIUS Attributes for pQoS
  - Example
- VSA's for Account operations (services and logon/off)
  - Note
Template comparison to radius attribute
IPv6 Attributes
- - NOTE
Radius Accounting bytes and packets
Dynamic Route insertion
- Route destribution (please don't!)
Related Information

Introduction

This document provides an overview of Vendor Specific attributes that can be used in the ASR9000 BNG solution. They can either be used as part of the Access Accept Radius message or COA requests to change the behavior of the session.

Vendor Specific Attributes

Back to top

1. RADIUS Attributes for pQoS

sub: indicates AVPair targets MQC policy on a subscriber session

<class-list>: identifies class to be added/removed or modified in the MQC policy

Multiple classes may be specified to modify classification in a nested (child) MQC policy

<qos-action-list>: policy actions to be added/overwritten in targeted class in MQC policy (see table below)

Supported QoS features:

•Shaping rate and percentage

•Policing rate and percentage

•Marking (CoS, DSCP, IP Prec)

•Queueing (minBW, BW remaining, priority, WRED, queue-limit)

QOS Feature	Action format in Radius attribute
Shaping	shape(<rate-in-kbps>)
Shaping	shape-rpct(<rate-in-pct>)
Policing	police-rpct(<conform-rate-in-pct>,<conform-burst-in-us>,<exceed-rate-in-pct>,<exceed-burst-in-us>, <conform-action>,<exceed-action>, <violate-action>)
Policing	police(<conform-rate-in-kbps>,<conform-burst-in-kBytes>,<exceed-rate-in-kbps>,<exceed-burst-in-kbytes>, <conform-action>,<exceed-action>, <violate-action>)
Marking	set-cos(<cos-val>)
	set-ip-dscp(<dscp-val>)
	set-ip-prec(<precedence>)
Queuing	pri-level(<priority-level>)
	bw-rpct(<pct>) bw-rratio(<ratio>) bw-abs(<bw-in-kbps>) bw-pct(<bw-in-pct>)
	queue-limit(<qlimit-in-packets>) queue-limit-us(<qlimit-in-us>)
	random-detect-dscp(<dscp>)
	random-detect-prec(<precedence>)

Example

AVPair:“ip:qos-policy-out=add-class(sub,(class-default, VIDEO_CM), set-ip-dscp(af41), bw-abs(256))

Back to top

2. VSA's for Account operations (services and logon/off)

Primitive	Radius AVP
Account Logon	authentication cpe12 CoA cisco123 attribute 44 “<string>” <<< Accounting Session ID vsa cisco generic 1 string "subscriber:command=account-logon"
Account Logoff	attribute 44 “<string>” <<< Accounting Session ID vsa cisco generic 1 string "subscriber:command=account-logoff"
Account update (used to change a profile)	attribute 44 “<string>” <<< Accounting Session ID vsa cisco generic 1 string "subscriber:command=account-update” <radius attributes to set/update>
Service Activate	attribute 44 “<string>” <<< Accounting Session ID vsa cisco generic 1 string "subscriber:sa=<service-name>”
Service De-Activate	attribute 44 “<string>” <<< Accounting Session ID vsa cisco generic 1 string "subscriber:sd=<service-name>”

All these operations from the first column, report an event to the control policy.

RP/0/RSP0/CPU0:A9K-BNG(config-pmap)#event ?

account-logoff Account logoff event

account-logon Account logon event

authentication-failure Authentication failure event

authentication-no-response Authentication no response event

authorization-failure Authorization failure event

authorization-no-response Authorization no response event

exception Exception event

service-start Service start event

service-stop Service stop event

session-activate Session activate event

session-start Session start event

session-stop Session stop event

timer-expiry Timer expiry event

Note

Accounting session ID is the preferred session identifier. You can also use the framed-ip-address to key on the subscriber and the vrf (if applicable)

(IPv4 only):

Attribute 8: Framed-IP-Address

and starting 4.2.1:

Attribute 8: Framed-IP-Address + AVPair: ip:vrf-id=<vrf name>

Template comparison to radius attribute

Operation	Dynamic Template cmd	RADIUS Attribute
Service Activation
Service Activation	N/A	26	9,1	subscriber:sa=<service-name>
Network Forwarding
IP addess source intf	ipv4 unnumbered <interface>	26	9,1	ipv4:ipv4-unnumbered=<interface>
PPP framed address	N/A	8		framed-ip-address=<IPv4 address>
PPP Address Pool	ppp ipcp peer-address pool <addr pool >	26	9,1	ipv4:addr-pool=<addr pool name>
PPP framed pool	N/A	88		framed-pool=<addr pool name>
PPP framed route	N/A	22		framed-route=<subnet><mask>
VRF	vrf <vrf name>	26	9,1	subscriber:vrf-id=<vrf name>
V4 DNS	ppp ipcp dns <pprimary dns ip> <secondary dns ip>	26	9.1	ip:primary-dns=<primary dns ip> Ip:secondary-dns=<secondary dns ip>
DHCP classname	N/A	26	9,1	subscriber:classname=<dhcp-class-name>

Traffic Accounting
Accounting	accounting aaa list <method list> type session	26	9,1	subscriber:accounting-list=<method list>
Interim Interval	accounting aaa list <method list> type session periodic-interval <minutes>	85		Acct-Interim-Interval <minutes>
Dual Stack Accnt Start Delay	accounting aaa list <method list> type session dual-stack-delay <secs>			subscriber:dual-stack-delay=<sec>
Session Administration
keepalives	keepalive <sec>	26	9,1	subscriber:keepalive=interval<sec> NOT SUPPORTED/Implemented
Absolute Timeout	ppp timeout absolute <sec>	27	n/a	session-timeout=<sec>
Idle Timeout	timeout idle <sec>	28	n/a	idle-timeout=<sec>

Traffic conditioning
HQoS(with SPI)	service-policy input <in_mqc_name> shared-policy-instance <spi-name> service-policy output <out_mqc_name> shared-policy-instance <spi-name>	26	9,1	subscriber:sub-qos-policy-in=<in_mqc_name> [shared-policy-instance <spi-name> ] subscriber:sub-qos-policy-out=<out_mqc_name> [shared-policy-instance <spi-name>]
pQoS	N/A	26	9,1	subscriber:qos-policy-in=add-class(target policy (class-list) qos-actions-list) subscriber:qos-policy-in=remove-class(target policy (class-list)) subscriber:qos-policy-out=add-class(target policy (class-list) qos-actions-list) subscriber:qos-policy-out=remove-class(target policy (class-list))
Subscriber ACLs/ABF	ipv4 access-group <in_acl_name> in Ipv4 access-group <out_acl_name> out ipv6 access-group <in_v6acl_name> in ipv6 access-group <out_v6acl_name> out	26	9,1	ipv4:inacl=<in_acl_name> ipv4:outacl=<out_acl_name> ipv6:ipv6_inacl=<in_v6acl_name> ipv6:ipv6_outacl=<out_v6acl_name>
HTTP-R	service-policy type pbr <HTTR policy name>	26	9,1	subscriber:sub-pbr-policy-in=<HTTR policy name>

IPv6 Attributes

Attribute	Defined By	Received In	IPv6 Client	Address Assignment	Dynamic Template equivalent config
Framed-Interface-Id (96)	RFC3162	Access-Accept	PPPoE	Any	ppp ipv6cp peer-interface-id <64bit #>
Framed-IPv6-Prefix (97)	RFC3162	Access-Accept	PPPoE	SLAAC	N.A.
Framed-IPv6-Route (99)	RFC3162	Access-Accept CoA	Any	Any	N.A.
Framed-IPv6-Pool (100)	RFC3162	Access-Accept	PPPoE	SLAAC	ipv6 nd framed-prefix-pool <name>
Framed-ipv6-Address (*)	draft-ietf-radext-ipv6-access-06	Access-Accept	PPPoE, IPoE	DHCP6 (Local Server)	N.A.
Stateful-IPv6-Address-Pool(*)	draft-ietf-radext-ipv6-access-06	Access-Accept	PPPoE, IPoE	DHCP6 (Local Server)	dhcpv6 address-pool <name>
Delegated-IPv6-Prefix-Pool (*)	draft-ietf-radext-ipv6-access-06	Access-Accept	PPPoE, IPoE	DHCP6 (Local Server)	dhcpv6 delegated-prefix-pool <name>
DNS-Server-IPv6-Address (*)	draft-ietf-radext-ipv6-access-06	Access-Accept	PPPoE, IPoE	DHCP6 (Local Server)	To be configured in DHCPv6 server profile
Delegated-IPv6-Prefix	RFC4818	Access-Accept	PPPoE, IPoE	DHCP6 (Local Server)	N.A.

NOTE

IETF has not yet allocated numeric values for newly defined attributes in

draft-ietf-radext-ipv6-access-*

Following Cisco VSAs have been temporarily defined to close such gap

Framed-ipv6-Address	“ipv6:addrv6=<ipv6 address>”
Stateful-IPv6-Address-Pool	“ipv6:stateful-ipv6-address-pool=<name>”
Delegated-IPv6-Prefix-Pool	“ipv6:delegated-ipv6-pool=<name>”
DNS-Server-IPv6-Address	“ipv6:ipv6-dns-servers-addr=<ipv6 address>”

Radius Accounting bytes and packets

the following accounting attributes pertaining to packet accounting for the ASR9000 solution, also specific to IPv6

Attribute	Defined By	Description
Acct-Input-Octets (42)	RFC2866	Session input total byte count
Acct-Input-Packets (47)	RFC2866	Session input total packet count
Acct-Output-Octets (43)	RFC2866	Session output total byte count
Acct-Output-Packets (48)	RFC2866	Session output total packet count
Cisco VSA (26,9,1): acct-input-octets-ipv4	Cisco	Session input IPv4 byte count
Cisco VSA (26,9,1): acct-input-packets-ipv4	Cisco	Session input IPv4 packet count
Cisco VSA (26,9,1): acct-output-octets-ipv4	Cisco	Session output IPv4 byte count
Cisco VSA (26,9,1): acct-output-packets-ipv4	Cisco	Session output IPv4 packet count
Cisco VSA (26,9,1): acct-input-octets-ipv6	Cisco	Session input IPv6 byte count
Cisco VSA (26,9,1): acct-input-packets-ipv6	Cisco	Session input IPv6 packet count
Cisco VSA (26,9,1): acct-output-octets-ipv6	Cisco	Session output IPv6 byte count
Cisco VSA (26,9,1): acct-output-packets-ipv6	Cisco	Session output IPv6 packet count
Cisco VSA (26,9,1): connect-progress	Cisco	Indicates Session set up connection progress

Back to top

3.

Dynamic Route insertion

RADIUS attribute example for different type of framed-route:

PPPoE V6 route

Framed-IPv6-Route = "45:1:1:1:2:3:4:5/128 :: 4 tag 5”

PPPoE v4 route

Framed-Route = "45.1.6.0 255.255.255.0 0.0.0.0 6 tag 7”

IPoE v4 route

Framed-Route = "vrf vpn1 45.1.4.0/24 vrf vpn1 0.0.0.0 4 tag 5”

Back to top

4. Route destribution (please don't!)

router bgp 100

address-family ipv4 unicast

redistribute subscriber <route-policy>

Related Information

Xander Thuijs CCIE#6775

Principal Engineer, ASR9000

Back to top

xthuijs · ‎06-04-2014

Ah cool! yeah that make sense Artsiom!

nice investigation! :)

cheers!

xander

Artsiom Maksimenka · ‎06-04-2014

Xander...

CPE —> BOOTREQUEST (REQUEST, ciaddr defined ) —> BNG

BNG —> AAA (request)

BNG <— AAA (Accepted, Service Activate)

CPE <— BOOTREPLY (NAK) <—BNG

CPE —> BOOTREQUEST (DISCOVER ciaddr 0.0.0.0) —> BNG

BNG —> AAA (request)

BNG <— AAA (Accepted, Service Activate)

CPE <— BOOTREPLY (OFFER) <—BNG

AAA Requests are the same, how do you think if control policy can influence this?

smailmilak · ‎06-04-2014

Wow, great news. Thank you for this info Xander.

If this recycle time of 1 minute is in 5.1.1 than we can also upgrade to 5.1.2, which should has less bugs.

We are using a pool of /16 (RFC 1918) so this should be ok.

I have a couple of questions for you.

1. We are using a pool with /16. For now there are only 2000 dualstack subscribers (because of those issues). This would mean that you can add a waiting time on 4.3.4 for an ip address greater or equal of 1 minute, right?

2. Do you recommend to switch to 5.1.2? On Cisco download I do not see much SMU's, so it could mean that this release has less bugs than 4.3.4.

3. If we switch to 5.1.2 - do we have to change some pppoe config or is everything the same (I am right now checking the config guide)?

I am afraid of some possible issues which we can not solve in the maintance window, and this would mean that we have to go back to 4.3.4.

4. You probably remember CSCuo70731 - ASR9K/4.3.4:Acct start packet does not contain delegated IPv6 prefixes. If we upgrade to 5.1.2 than this would mean that we have lost this feature?

xthuijs · ‎06-04-2014

hey smail,

looks like we are limited a number of replies per discussion, and this may become hard(er) to read, if this continues, maybe we should move it to a new discussion forum topic or something...

Answers:

1) the waiting time is system defined, today we have no configurable option for it. but with a large pool, you know that that one minute wait time can be managed, so we should be fine. (still believe that your netflow APP is taking the easy way out here...)

2) 512 is only out since end of April. So far it has been doing good. 513 is out end of August which is another EMR. (ext maint release). I would promote that over 512, but if you have to make an action today, 512 is a consideration.

3) I am not aware of any cli changes between 434 and 512 so it should be a straight forward move.

4) this one is targeted for inclusion in 513 also. so that might be the ultimate strategy I think.

cheers!

xander

xthuijs · ‎06-04-2014

Somehow these forum replies are limited to a number of itterations which makes it hard to respond to the actual issue, hopefilly this still comes out ok...

It looks like we are dealing with 2 separate AAA requests, and they are cause by a request and a discover.

This is of course not ideal, so I need to undertand better where these requests are originated from.

a debug subscriber policy manager event/class will help along with a debug radius detail. Together with a config of the subscriber policy and access interface (and version) used.

Probably a tac case is easier at this time to contineu the investigation...

regards!!

xander

smailmilak · ‎06-04-2014

Yeah, it's getting harder to reply. I think that we can finish this discussion after my last question.

I can open a new discussion if it's really necessary.

Guys from netflow app are not replying back, Cisco is more professional!!

Because we can not wait, we will upgrade to 5.1.2. Regarding Ipv6 delegated prefix, we will see what we can do. After this issue the missing IPv6 DP should be nothing. I really hope that customer will not make a hell to us because of this.

Many thanks for your help. This is the 100th time I think :)

Psycho_naT · ‎02-12-2016

Hi Xander.

Analog question about Service Deactivate.

Can you explain this attributes:

sd=<service name>

subscriber:sd=<service name>

subscriber:command=service-deactivate

When this attributes are applicable ? (Access-Accept, CoA, another way)

What do this attribute subscriber:command=service-deactivate ?

Thanks.

xthuijs · ‎02-13-2016

hi!

when you have a dynamic template of the type service, that contains a (set of) feature(s) such as ACL or QOS etc, you can apply them to the user's session to allow them to have that qos profile or traffic permittance/denial defined by the ACL.

At some point, you may want to remove that service because of a usage quota exceed, a time duration expiration etc.

When you want to remove that service, you would use the service-deactivate command directives.

So you can use them in access-accept or coa.

Example:

user comes online, fails authentication because we don't recognize the mac addr or the user needs to pay their bill, we apply http redirect to hand him off to a portal to submit a payment.

After this we want to provide normal access so we can service deactivate the HTTP-R.

Or, user got a bonus for a high speed service for 3 hours to watch HD content. After 3 hours a COA request is sent to remove the service that provided this high bw shaper.

cheers

xander

smailmilak · ‎02-13-2016

Hi,

few months ago we have finished a PCRF project with scenarios like the example from Xander.

I can try to give you some more technical details about that. I have to contact some colleagues for that. Just ask.

Psycho_naT · ‎02-14-2016

Thanks for answer.

But you don't understand my question right ...

I understand what to do this attributes, but don't undberstand, when i can aplly them ?

Because different documentation contain different information.

What attributes I can use in Access-Accept ?

What attributes I can use in CoA ?

Attribute "subscriber:command=service-deactivate". This attribute triggers the action in policy-map named "event service-stop" ? Example: Radius sends attribute in CoA (or in Access-Accept ?), bng accepts it, then evaluates actions on subscriber session specified in "event service-stop" ? Analog question about attribute "subscriber:command=account-logon".

xthuijs · ‎02-15-2016

ah I see, let me see if I can produce a table like that for those atts, that may help indeed.

Service activation at access accept is a newer implementation (52/53 timeframe), so that is why you may have seen different documentation.

Service Activate/Deactivate can be used with COA and Accept

Logon is a COA directive (it doesn't make sense to run that at accept time).

When you act/deact a service it indeed enqueues another event that you can evaluate and trigger on.

cheers!

xander

Dimitris Kotsilis · ‎07-07-2016

Hi Xander,

I would like to ask you if DHCP Server RADIUS Proxy functionality is supported in IOS-XR/ASR9K BNG.

Regards,

Dimitris

Zhichun Jiang · ‎07-07-2016

Dimitris

Yes, it is supported.

BR/Roy

xthuijs · ‎07-07-2016

hi D! the ios XR dhcp server doesn't a radius proxy precisely like this requirement from the link you mention...

You can however use the radius directly before a dhcp proxy request is made. that is when the dhcp triggered subscriber comes in, IOS-XR can reach out to the radius server and get some attributes back for the session such as address, gateway, class.

while the bng then does a dhcp proxy request, it will merge the response from the dhcp server with the radius attributes for the client.

the vendor class download from radius is nice to be able to steer a pool pick request to the dhcp server.

cheers

xander

Dimitris Kotsilis · ‎07-07-2016

Thank you both for the quick answers :)

Is there any document describing the functionality in more details or a config guide?

For example, how can I trigger an access request before the DHCP proxy request? In the subscriber control policy map?

Thanks,

Dimitris