ASR9000/XR: BNG VSA's (vendor specific attributes) and Services - Page 8

xthuijs · ‎08-15-2013

Introduction
Vendor Specific Attributes
- RADIUS Attributes for pQoS
  - Example
- VSA's for Account operations (services and logon/off)
  - Note
Template comparison to radius attribute
IPv6 Attributes
- - NOTE
Radius Accounting bytes and packets
Dynamic Route insertion
- Route destribution (please don't!)
Related Information

Introduction

This document provides an overview of Vendor Specific attributes that can be used in the ASR9000 BNG solution. They can either be used as part of the Access Accept Radius message or COA requests to change the behavior of the session.

Vendor Specific Attributes

Back to top

1. RADIUS Attributes for pQoS

sub: indicates AVPair targets MQC policy on a subscriber session

<class-list>: identifies class to be added/removed or modified in the MQC policy

Multiple classes may be specified to modify classification in a nested (child) MQC policy

<qos-action-list>: policy actions to be added/overwritten in targeted class in MQC policy (see table below)

Supported QoS features:

•Shaping rate and percentage

•Policing rate and percentage

•Marking (CoS, DSCP, IP Prec)

•Queueing (minBW, BW remaining, priority, WRED, queue-limit)

QOS Feature	Action format in Radius attribute
Shaping	shape(<rate-in-kbps>)
Shaping	shape-rpct(<rate-in-pct>)
Policing	police-rpct(<conform-rate-in-pct>,<conform-burst-in-us>,<exceed-rate-in-pct>,<exceed-burst-in-us>, <conform-action>,<exceed-action>, <violate-action>)
Policing	police(<conform-rate-in-kbps>,<conform-burst-in-kBytes>,<exceed-rate-in-kbps>,<exceed-burst-in-kbytes>, <conform-action>,<exceed-action>, <violate-action>)
Marking	set-cos(<cos-val>)
	set-ip-dscp(<dscp-val>)
	set-ip-prec(<precedence>)
Queuing	pri-level(<priority-level>)
	bw-rpct(<pct>) bw-rratio(<ratio>) bw-abs(<bw-in-kbps>) bw-pct(<bw-in-pct>)
	queue-limit(<qlimit-in-packets>) queue-limit-us(<qlimit-in-us>)
	random-detect-dscp(<dscp>)
	random-detect-prec(<precedence>)

Example

AVPair:“ip:qos-policy-out=add-class(sub,(class-default, VIDEO_CM), set-ip-dscp(af41), bw-abs(256))

Back to top

2. VSA's for Account operations (services and logon/off)

Primitive	Radius AVP
Account Logon	authentication cpe12 CoA cisco123 attribute 44 “<string>” <<< Accounting Session ID vsa cisco generic 1 string "subscriber:command=account-logon"
Account Logoff	attribute 44 “<string>” <<< Accounting Session ID vsa cisco generic 1 string "subscriber:command=account-logoff"
Account update (used to change a profile)	attribute 44 “<string>” <<< Accounting Session ID vsa cisco generic 1 string "subscriber:command=account-update” <radius attributes to set/update>
Service Activate	attribute 44 “<string>” <<< Accounting Session ID vsa cisco generic 1 string "subscriber:sa=<service-name>”
Service De-Activate	attribute 44 “<string>” <<< Accounting Session ID vsa cisco generic 1 string "subscriber:sd=<service-name>”

All these operations from the first column, report an event to the control policy.

RP/0/RSP0/CPU0:A9K-BNG(config-pmap)#event ?

account-logoff Account logoff event

account-logon Account logon event

authentication-failure Authentication failure event

authentication-no-response Authentication no response event

authorization-failure Authorization failure event

authorization-no-response Authorization no response event

exception Exception event

service-start Service start event

service-stop Service stop event

session-activate Session activate event

session-start Session start event

session-stop Session stop event

timer-expiry Timer expiry event

Note

Accounting session ID is the preferred session identifier. You can also use the framed-ip-address to key on the subscriber and the vrf (if applicable)

(IPv4 only):

Attribute 8: Framed-IP-Address

and starting 4.2.1:

Attribute 8: Framed-IP-Address + AVPair: ip:vrf-id=<vrf name>

Template comparison to radius attribute

Operation	Dynamic Template cmd	RADIUS Attribute
Service Activation
Service Activation	N/A	26	9,1	subscriber:sa=<service-name>
Network Forwarding
IP addess source intf	ipv4 unnumbered <interface>	26	9,1	ipv4:ipv4-unnumbered=<interface>
PPP framed address	N/A	8		framed-ip-address=<IPv4 address>
PPP Address Pool	ppp ipcp peer-address pool <addr pool >	26	9,1	ipv4:addr-pool=<addr pool name>
PPP framed pool	N/A	88		framed-pool=<addr pool name>
PPP framed route	N/A	22		framed-route=<subnet><mask>
VRF	vrf <vrf name>	26	9,1	subscriber:vrf-id=<vrf name>
V4 DNS	ppp ipcp dns <pprimary dns ip> <secondary dns ip>	26	9.1	ip:primary-dns=<primary dns ip> Ip:secondary-dns=<secondary dns ip>
DHCP classname	N/A	26	9,1	subscriber:classname=<dhcp-class-name>

Traffic Accounting
Accounting	accounting aaa list <method list> type session	26	9,1	subscriber:accounting-list=<method list>
Interim Interval	accounting aaa list <method list> type session periodic-interval <minutes>	85		Acct-Interim-Interval <minutes>
Dual Stack Accnt Start Delay	accounting aaa list <method list> type session dual-stack-delay <secs>			subscriber:dual-stack-delay=<sec>
Session Administration
keepalives	keepalive <sec>	26	9,1	subscriber:keepalive=interval<sec> NOT SUPPORTED/Implemented
Absolute Timeout	ppp timeout absolute <sec>	27	n/a	session-timeout=<sec>
Idle Timeout	timeout idle <sec>	28	n/a	idle-timeout=<sec>

Traffic conditioning
HQoS(with SPI)	service-policy input <in_mqc_name> shared-policy-instance <spi-name> service-policy output <out_mqc_name> shared-policy-instance <spi-name>	26	9,1	subscriber:sub-qos-policy-in=<in_mqc_name> [shared-policy-instance <spi-name> ] subscriber:sub-qos-policy-out=<out_mqc_name> [shared-policy-instance <spi-name>]
pQoS	N/A	26	9,1	subscriber:qos-policy-in=add-class(target policy (class-list) qos-actions-list) subscriber:qos-policy-in=remove-class(target policy (class-list)) subscriber:qos-policy-out=add-class(target policy (class-list) qos-actions-list) subscriber:qos-policy-out=remove-class(target policy (class-list))
Subscriber ACLs/ABF	ipv4 access-group <in_acl_name> in Ipv4 access-group <out_acl_name> out ipv6 access-group <in_v6acl_name> in ipv6 access-group <out_v6acl_name> out	26	9,1	ipv4:inacl=<in_acl_name> ipv4:outacl=<out_acl_name> ipv6:ipv6_inacl=<in_v6acl_name> ipv6:ipv6_outacl=<out_v6acl_name>
HTTP-R	service-policy type pbr <HTTR policy name>	26	9,1	subscriber:sub-pbr-policy-in=<HTTR policy name>

IPv6 Attributes

Attribute	Defined By	Received In	IPv6 Client	Address Assignment	Dynamic Template equivalent config
Framed-Interface-Id (96)	RFC3162	Access-Accept	PPPoE	Any	ppp ipv6cp peer-interface-id <64bit #>
Framed-IPv6-Prefix (97)	RFC3162	Access-Accept	PPPoE	SLAAC	N.A.
Framed-IPv6-Route (99)	RFC3162	Access-Accept CoA	Any	Any	N.A.
Framed-IPv6-Pool (100)	RFC3162	Access-Accept	PPPoE	SLAAC	ipv6 nd framed-prefix-pool <name>
Framed-ipv6-Address (*)	draft-ietf-radext-ipv6-access-06	Access-Accept	PPPoE, IPoE	DHCP6 (Local Server)	N.A.
Stateful-IPv6-Address-Pool(*)	draft-ietf-radext-ipv6-access-06	Access-Accept	PPPoE, IPoE	DHCP6 (Local Server)	dhcpv6 address-pool <name>
Delegated-IPv6-Prefix-Pool (*)	draft-ietf-radext-ipv6-access-06	Access-Accept	PPPoE, IPoE	DHCP6 (Local Server)	dhcpv6 delegated-prefix-pool <name>
DNS-Server-IPv6-Address (*)	draft-ietf-radext-ipv6-access-06	Access-Accept	PPPoE, IPoE	DHCP6 (Local Server)	To be configured in DHCPv6 server profile
Delegated-IPv6-Prefix	RFC4818	Access-Accept	PPPoE, IPoE	DHCP6 (Local Server)	N.A.

NOTE

IETF has not yet allocated numeric values for newly defined attributes in

draft-ietf-radext-ipv6-access-*

Following Cisco VSAs have been temporarily defined to close such gap

Framed-ipv6-Address	“ipv6:addrv6=<ipv6 address>”
Stateful-IPv6-Address-Pool	“ipv6:stateful-ipv6-address-pool=<name>”
Delegated-IPv6-Prefix-Pool	“ipv6:delegated-ipv6-pool=<name>”
DNS-Server-IPv6-Address	“ipv6:ipv6-dns-servers-addr=<ipv6 address>”

Radius Accounting bytes and packets

the following accounting attributes pertaining to packet accounting for the ASR9000 solution, also specific to IPv6

Attribute	Defined By	Description
Acct-Input-Octets (42)	RFC2866	Session input total byte count
Acct-Input-Packets (47)	RFC2866	Session input total packet count
Acct-Output-Octets (43)	RFC2866	Session output total byte count
Acct-Output-Packets (48)	RFC2866	Session output total packet count
Cisco VSA (26,9,1): acct-input-octets-ipv4	Cisco	Session input IPv4 byte count
Cisco VSA (26,9,1): acct-input-packets-ipv4	Cisco	Session input IPv4 packet count
Cisco VSA (26,9,1): acct-output-octets-ipv4	Cisco	Session output IPv4 byte count
Cisco VSA (26,9,1): acct-output-packets-ipv4	Cisco	Session output IPv4 packet count
Cisco VSA (26,9,1): acct-input-octets-ipv6	Cisco	Session input IPv6 byte count
Cisco VSA (26,9,1): acct-input-packets-ipv6	Cisco	Session input IPv6 packet count
Cisco VSA (26,9,1): acct-output-octets-ipv6	Cisco	Session output IPv6 byte count
Cisco VSA (26,9,1): acct-output-packets-ipv6	Cisco	Session output IPv6 packet count
Cisco VSA (26,9,1): connect-progress	Cisco	Indicates Session set up connection progress

Back to top

3.

Dynamic Route insertion

RADIUS attribute example for different type of framed-route:

PPPoE V6 route

Framed-IPv6-Route = "45:1:1:1:2:3:4:5/128 :: 4 tag 5”

PPPoE v4 route

Framed-Route = "45.1.6.0 255.255.255.0 0.0.0.0 6 tag 7”

IPoE v4 route

Framed-Route = "vrf vpn1 45.1.4.0/24 vrf vpn1 0.0.0.0 4 tag 5”

Back to top

4. Route destribution (please don't!)

router bgp 100

address-family ipv4 unicast

redistribute subscriber <route-policy>

Related Information

Xander Thuijs CCIE#6775

Principal Engineer, ASR9000

Back to top

xthuijs · ‎11-12-2016

yeah this will work, but you'd want to add the ip addr of the xyz server in the redirect to the open garden, otherwise we want to try to redirect the redirect :)

so if the redirect server is in the open garden, that http traffic will be excluded from the intercept for redirect.

xander

wilsonribeiro · ‎11-14-2016

I'm a bit confused.

In my case, they use ppp to connect so I wouldn't need a wallet garden. I simply want to redirect all www requests to the portal (which is a SAC portal) and block every other traffic (except www and domain). I'm pushing this policy via radius to the subscriber. So I have only dynamic template ppp.

What I need to correct in my config?

xthuijs · ‎11-14-2016

when you make the config part of the dynamic template that gets applied to the subscriber, it is hard to remove that part of the service when it is no longer needed.

for that reason it is best to:

- apply the static config for the session like dns, ip addr, authentication method to a dynamic template that you apply during session-start for ppp subscribers

- apply a service template containing the redirect config at session activate stage

this so you can remove this service at a given time in case the user has paid their bill or whatever.

for the redirect service itself, you can of course intercept the www request and redirect it, but the www connection to the redirect server you want to exempt from that redirect policy otherwise you'll be redirecting the redirect and the user never will be able to connect with the portal.

to block all other traffic you can do a simple ACL.

access-list MYLIST 10 permit tcp any any eq www

access-list MYLIST 20 deny ip any any

and for the redirect, you can check this for some config and overview:

BNG: https://www.youtube.com/watch?v=IkCv7fpaBgc

and

REDIRECT: https://www.youtube.com/watch?v=Z_Hw9i_TcGY

cheers!

xander

wilsonribeiro · ‎11-14-2016

Ok, I did almost everything you said.

However, for testing purposes, I putted the service-policy type pbr redirect in the dynamic template and it worked fine for every connection.

You say to "apply a service template containing the redirect config at session activate stage".

But I would like to "insert" this policy only to the ppp subscribers who receives a CISCO AVPair from Radius.

How can I do that?

wilsonribeiro · ‎11-14-2016

I did this:

policy-map type control subscriber politicaPPP

event session-start match-all

class type control subscriber classePPP do-until-failure

1 activate dynamic-template defaultPPPTEMP

!

event session-activate match-all

class type control subscriber classePPP do-until-failure

10 authenticate aaa list default

20 authorize aaa list default format FULL_AUTH password use-from-line

30 activate dynamic-template REDIRECT

!

end-policy-map

!

end

dynamic-template

type ppp defaultPPPTEMP

ppp authentication pap

ppp ipcp dns X.X.X.X

ppp ipcp peer-address pool POOLIP

accounting aaa list default type session periodic-interval 60

ipv4 unnumbered TenGigE0/0/2/0

!

type service REDIRECT

service-policy type pbr polREDIRECIONAMENTO

!

How can I then "deactivate" this dynamic-template now using cisco avpair?

aryabakka1 · ‎06-19-2019

Hi @xthuijs

That was a good document which made me understand althrough, but i have a question

what is the exact parameter bng need to enable the dynamic template and interim template ?

Please let me know , Thanks

xthuijs · ‎06-19-2019

hi!

for the activation of a dynamic template you can use:

cisco-avpair="subscriber:sa=TEMPLATENAME"

sa means service activate.

cheers!

xander

mikebrsnet · ‎07-29-2019

Hello Xander,

Very interesting documentation! Well Done! I have a question regarding the ipv6 octets on the ASR9K. As far as i understand the ASR9k, supports RFC attributes as well as proprietary (under attribute 26). Both attributes are sent to the AAA or by default the platform sends only the proprietary (regarding ipv6 traffic) ? if yes, how can we configure to sent both RFC along with the proprietary in IOS XR 6.2.3 ?

xthuijs · ‎07-29-2019

hey mike!
thanks for the note! :)
the ipv6 octects/packets rfc specified radius atts should be supported by default.
the vsa’s are included if you configure the radius-server vsa send.
the vsa’s are a bit easier as they dissect the v4 and the v6 and give you together with the rfc acct-input/putput octets/packets
a summary (total) and specific per protocol.
cheers!
xander

mikebrsnet · ‎07-29-2019

Hi Xander,

So you are agree that the IETF attribute acct-input/output-octet is the total octets in the session that includes either protocol (v4 or v6 or v4/v6). If this the case i dont need to configure anything, due to i see this in the debugs. So a RADIUS which honors only the IETF attributes will understand and store the session octets for any protocol. Also the command (if i understood correctly) radius-server vsa send does not work on ASR9k.

dakotacole · ‎09-23-2019

Hello Xander,

Thanks for all the fantastic responses with this thread. I'm working with IOS XR 6.4.2 on getting a simple HTTP redirect setup with a pbr on an interface, no PPPOE, I just want all traffic on this interface to redirect to the HTTP destination as I have the mechanism that puts a subscriber on this interface working. Example customer doesn't pay their bill my provisioning mechanism puts them on VLAN 999 and that vlan redirects them to a web page that requires payment. Then once payment is taken my provisioning mechanism puts them back on the production VLAN 600. I have a TAC case open (SR 687314475) because I'm attempting to attach the pbr to an interface with a service policy and for some reason as soon as I do, the bundle wont come back up...

Please see my config. Any tips would be greatly appreciated.

interface Bundle-Ether3

description TEST Bundle

interface Bundle-Ether3.597
description Walled Garden Testing
service-policy type pbr input PM_httpr-policy
vrf mgmt
ipv4 address 172.20.134.1 255.255.255.0
encapsulation dot1q 597
!

ipv4 access-list ACL_httpr
10 permit tcp any any eq www syn
20 permit tcp any any eq www ack
30 permit tcp any any eq www
!

ipv4 access-list ACL_redirect-allow
10 permit tcp any 172.20.134.0 0.255.255.255 eq www
40 permit udp any any eq domain
!

class-map type traffic match-any CM_httpr-class
match access-group ipv4 ACL_httpr
end-class-map
!

class-map type traffic match-any CM_redirect-allow
match access-group ipv4 ACL_redirect-allow
end-class-map
!

policy-map type pbr PM_httpr-policy
class type traffic CM_redirect-allow
transmit
!
class type traffic CM_httpr-class
http-redirect http://172.20.69.3/Login.html
!
class type traffic class-default
drop
!
end-policy-map
!

interface GigabitEthernet0/0/0/1
bundle id 3 mode active

sh int des

Mon Sep 23 17:46:42.289 UTC

Interface Status Protocol Description
--------------------------------------------------------------------------------
BE1 up up CORE: Uplink to COREMONTCO1
BE1.4 up up CORE: Link to MONTRCO1 ASR IPV4
BE1.6 up up CORE: Link to MONTRCO1 ASR IPV6
BE1.499 up up UPLINK: 10G to Te0/0/0/0.CORE1MNTRCO
BE2 down down GPON: LAB E720
BE3 down down REDIRECT TEST
BE3.597 down down Walled Garden Testing
BE4 down down TEST Bundle
Lo0 up up LOOPBACK: Public
Lo1 up up OSPF: Loopback Interface
Lo3 up up
Lo6 up up
Nu0 up up
Mg0/RSP0/CPU0/0 admin-down admin-down
Mg0/RSP0/CPU0/1 admin-down admin-down
Gi0/0/0/0 down down TEST: Interface to Dakotas Cude
Gi0/0/0/1 up up
Gi0/0/0/2 admin-down admin-down
Gi0/0/0/3 admin-down admin-down
Gi0/0/0/4 admin-down admin-down
Gi0/0/0/5 admin-down admin-down
Gi0/0/0/6 admin-down admin-down
Gi0/0/0/7 admin-down admin-down
Gi0/0/0/8 admin-down admin-down
Gi0/0/0/9 admin-down admin-down
Gi0/0/0/10 admin-down admin-down
Gi0/0/0/11 admin-down admin-down
Gi0/0/0/12 admin-down admin-down
Gi0/0/0/13 admin-down admin-down
Gi0/0/0/14 admin-down admin-down
Gi0/0/0/15 admin-down admin-down
Gi0/0/0/16 admin-down admin-down
Gi0/0/0/17 admin-down admin-down
Gi0/0/0/18 admin-down admin-down
Gi0/0/0/19 admin-down admin-down
Te0/0/2/0 up up
Te0/0/2/1 admin-down admin-down
Te0/0/2/2 admin-down admin-down
Te0/0/2/3 admin-down admin-down

masretnoko · ‎09-18-2022

Hi Xander,
i'm upgrading the BNG from ASR9006 6.4.2 into ASR9901 7.5.2. :
i found an issue with default gateway cannot being installed to the subscribers.
from debug radius and packet capture i know that VSA has been received by BNG, but somehow cannot be sent to subs as dhcp offer.
i'm assuming that my new BNG cannot decode the vsa gateway correctly.

VSA: t=Cisco-AVPair(1) l=41 val=ipv4:ipv4-default-gateway=103.X.X.X

i have opened a tac case, then send them debug dhcp and debug radius. but its not resolved yet. the SR number 694251420.
could you help on this?
Is there any different behaviour regarding BNG 6.4.2 (32 bit) compared to 6.5.2 (64 bit?