- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
on 05-19-2014 03:05 AM
Understanding ASR9000 BNG Routed Subscriber (DHCPv4 Triggered):
Introduction:
IPoE subscriber sessions can be classified as L2 or L3 (Routed) sessions based on the access network that connects the subscriber to the BNG. If the subscribers are connected via a routed access network (as shown in below figure), the subscriber sessions on BNG are termed as L3 or Routed Subscriber sessions.
Routed Subscriber sessions can be of 2 types IPoE with DHCP as trigger and IPoE with IP-Packet Data traffic as trigger.
With Routed subscriber session support, subscribers anywhere in IP cloud can be provisioned by BNG thus overcoming the restriction of l2-connectivity.
Until 5.1.1 only L2-connected Subscriber sessions were supported. From IOS-XR Release 5.1.1 onwards, ASR9k (BNG) supports DHCPv4 triggered IPoE Routed Subscriber v4 sessions with on-BNG DHCP server.
Pkt triggered routed session support will be from IOS-XR Release 5.2.2 onwards.
Routed Subscriber:
It is evident from the term ‘routed’ that the subscribers can be multiple hops away from BNG (as shown in above figure). As of 5.1.1 only DHCPv4 triggered routed subscribers are supported, so the DSLAM or the previous hop router(s) will relay the DHCP packets (as DHCP relay agents) between subscribers and BNG.
The subscriber initially has no IP address and it starts with DHCP discovery.
The subscriber will be initially identified using client-hw-address field in the DHCP discover which is the first sign of life (FSOL) and session will be created based on this mac address. The subscriber can optionally be authorized based on mac-address and other parameters at this stage. Once this is done subscriber is offered an IP address.
After the DHCP DORA exchange, once the subscriber gets IP address, subscriber will be identified on BNG by its IP address in data-plane and subscriber route is added (This route addition will be based on the summary route to the subscriber network which must be preconfigured).
Other DHCP client packets (release, renew, etc …) will not be considered as FSOLs and forwarded/punted based on the subscriber interface and route.
Later the subscriber can be authorized/authenticated (via HTTPr web authentication) and services can be downloaded and applied to subscriber via Radius / COA.
Restrictions, limitation and other Functional Behavior w.r.t platform and configuration:
- Supported on A9K-MOD80-SE A9K-MOD160-SE and above. Not supported on Trident based LCs ex A9K-8T/4-B, A9K-4T-B etc.
- Supported on only Ether Bundle sub-interfaces as access interface.
- Overlapping IP addresses are not supported on the same access interface, same or different VRFs
- IPv6 DHCP routed sessions are not supported as of 5.1.1 and hence the Dual stack is not supported.
- PPPoE is not supported.
- Supported with DHCP Server on BNG. BNG cannot act as DHCP relay / proxy if the packet trigger is routed/relayed DHCP (As ASR9k BNG cannot act as 2nd or higher order Relay agent in relay chaining).
- DHCP lease query is not supported as FSOL.
- Summary (cover) route pointing to DHCP client subnet must exist.
- HTTP redirect can be applied on Subscribers and access credentials can be authenticated in account-logon event. However we should not attempt changing subscriber ‘s vrf (and few other attributes) in this phase via access-accept / COA. As DHCP pool allocation and subscriber cover route are already allocated in session-start phase and DHCP client would have already received the IP address.
- Cover subscriber subnet summary/route modifications (like next hop ip / vrf) are strictly not allowed. In case if route gets updated due to dynamic routing protocols, the subscriber session will be torn down and freshly created. If summary route gets deleted, subscribers move to DOWN state and subscriber routes will be deleted. Once the summary route recoveres, subscribers move to UP state and routes are re-added.
- Non subscriber traffic will be routed by access-interface as normal router would do. So ACLs can be enabled on access-interface to drop unintended non-dhcp and non-subscriber traffic.
- Initial authorization can happen on mac-address or other DHCP based attributes or BNG access-interface attributes. IP Address cannot be used as we are not aware of ip address allocated by DHCP server to client in advance.
- Before authorization, the subscriber DHCP packets will arrive on access-interface-vrf, after authorization DHCP and other subscriber traffic will arrive on subscriber-interface-vrf.
Feature supported
Feature Support will be same as those supported on L2-connected Bundle RP based subscribers.
Performance and Scale
Scale Numbers
- 64k Single Stack IPv4 subscriber sessions per system
Performance will be same as other L2-connected Bundle RP based subscribers.
Approximate target CPS is listed in the table below, assuming 64K sessions per system.
Scale/Call Flow |
IPoE |
64k IPv4 |
100 + |
High Availability
HA Feature |
Plane |
Bundle subscribers |
Process restart |
Control Plane |
Subscriber session state maintained. New subscriber bringup delayed by a small time, depending on the component being restarted. |
Data Plane |
No impact to traffic |
|
LC OIR |
Control Plane |
With multi-member bundles, no impact is seen. With single member bundles, control plane cannot function since no control packet is received. Session state is not lost since that is stored on the RP. |
Data plane |
With multi-member bundles, no impact is seen. With single member bundles, data traffic is lost. No session state is lost. |
|
RP FO |
Control Plane |
Significant quiet time (currently more than 10 minutes) before new sessions can be setup. Existing session state is not lost. |
Data Plane |
No impact to traffic |
Configuring BNG for DHCPv4 Routed subscribers:
1. Access interface configuration(here Bundle-Ether 1.1 is access-interface):
interface Bundle-Ether1
lacp switchover suppress-flaps 2500
bundle wait-while 1
bundle maximum-active links 2 hot-standby
bundle load-balancing hash dst-ip
dampening 4
!
interface Bundle-Ether1.1
service-policy output vlan_policy_egress subscriber-parent resource-id 0
vrf red
ipv4 address 12.0.0.1 255.255.0.0
service-policy type control subscriber ISN_CNTRL_2
encapsulation dot1q 10
ipsubscriber ipv4 routed
initiator dhcp
!
interface Bundle-Ether2
lacp switchover suppress-flaps 2500
bundle wait-while 1
bundle maximum-active links 1
dampening 4
!
interface Bundle-Ether2.1
service-policy output vlan_policy_egress subscriber-parent resource-id 0
vrf red
ipv4 address 12.2.0.1 255.255.0.0
service-policy type control subscriber ISN_CNTRL_2
encapsulation dot1q 12
ipsubscriber ipv4 routed
initiator dhcp
!
(ipsubscriber ipv4 routed initiator dhcp—is the access interface config for IPoE routed DHCP based subscribers)
2. DHCP profile configuration:
dhcp ipv4
profile DHCP_SERVER1 server
lease 0 3 0
class CLASS_VRF
pool POOL_GREEN
!
class CLASS_VRF_RED
pool pool_bundle1
!
profile DHCP_SERVER2 server
lease 0 3 0
pool pool_bundle2
!
profile DHCP_SERVER3 server
lease 0 3 0
pool pool_bundle3
!
interface Bundle-Ether1.1 server profile DHCP_SERVER1
interface Bundle-Ether2.1 server profile DHCP_SERVER3
!
3. DHCP Pool Configuration:
pool vrf red ipv4 pool_bundle1
address-range 12.8.0.2 12.8.31.65
!
pool vrf green ipv4 POOL_GREEN
address-range 12.100.0.2 12.100.31.65
!
pool vrf red ipv4 pool_bundle3
address-range 12.10.0.2 12.10.31.65
!
4. VRF Configuration:
vrf red
address-family ipv4 unicast
!
vrf green
address-family ipv4 unicast
!
(Note the subscribers on an access-interface can come up in a vrf different from corresponding access-interface vrf. This is called cross-vrf. For this to happen, the subscribers’ subsnet summary route must exist with gateway reachable via access-interface vrf, dhcp pool must be in subscriber vrf. Once the subscriber is created, its vrf cannot be changed - even with coa)
5. Routes configuration:
vrf red
address-family ipv4 unicast
12.8.0.0/16 12.0.0.2
12.10.0.0/16 12.2.0.2
!
vrf green
address-family ipv4 unicast
12.100.0.0/16 vrf red Bundle-Ether1.1 12.0.0.2
!
(Here subscribers in 12.100.0.0 network behind the CPE will come up vrf green using pool POOL-GREEN, while the subscribers in 12.8.0.0 network will come-up in vrf red using pool “pool_bundle1” on same access-interface Bundle-Ether1.1 which is in vrf red)
6. Loopback configuration for usage by IPoE subscriber interfaces.
interface Loopback2
vrf red
ipv4 address 12.21.0.1 255.255.255.255
!
interface Loopback4
vrf green
ipv4 address 12.201.1.1 255.255.0.0
!
7. Control Policy-map and class-map configs
class-map type control subscriber match-any ISN_CM_1
match protocol dhcpv4
!
policy-map type control subscriber ISN_CNTRL_2
event session-start match-all
class type control subscriber ISN_CM_1 do-until-failure
1 activate dynamic-template ISN_TEMPLATE_1
2 authorize aaa list default identifier circuit-id password cisco
3 activate dynamic-template httpr_service_temp_coa
!
event authorization-failure match-all
class type control subscriber ISN_CM_1 do-until-failure
5 activate dynamic-template httpr_service_temp_coa
6 set-timer T1 60
!
event account-logon match-all
class type control subscriber ISN_CM_1 do-until-failure
7 authenticate aaa list default
9 deactivate dynamic-template httpr_service_temp_coa
!
event account-logoff match-all
class type control subscriber ISN_CM_1 do-until-failure
10 disconnect
!
event timer-expiry match-all
class type control subscriber ISN_CM_1 do-until-failure
11 disconnect
!
!
8. Bundle config on physical link
interface GigabitEthernet0/2/0/1
bundle id 2 mode active
!
interface GigabitEthernet0/3/0/1
bundle id 2 mode active
!
9. AAA configs.
radius-server host 8.45.6.173 auth-port 1812 acct-port 1813
key 7 121A0C041104
!
radius-server host 8.45.6.174 auth-port 1712 acct-port 1713
key 7 02050D480809
!
aaa server radius dynamic-author
port 1700
server-key 7 1511040D
client 8.45.6.173 vrf default
server-key 7 070C2E4D
!
!
radius-server source-port extended
aaa accounting network default start-stop group RADIUS1
aaa group server radius RADIUS1
server 8.45.6.173 auth-port 1812 acct-port 1813
server 8.45.6.174 auth-port 1712 acct-port 1713
load-balance method least-outstanding batch-size 30
!
aaa accounting service default group RADIUS1
aaa accounting subscriber default group RADIUS1
aaa accounting subscriber Acctlist1 group RADIUS1
aaa authorization subscriber default group RADIUS1
aaa authentication subscriber default group RADIUS1
!
Show commands and basic troubleshooting commands.
To check subscriber session info
- Show subscriber session all summary
- Show subscriber session all
- Show ipsubscriber access-interface brief
To check DHCP server bindings and statistics . (Helpful in basic debugging)
- Show dhcp ipv4 server binding summary
- Show dhcp vrf <subscriber vrf> ipv4 server statistics
(Note : If the routed sessions are not connecting and if there are any DHCP drops, please check the aaa configs, radius user profiles attributes, dhcp profile and pool configs, UDP stats and NP level drop counters and controller NP counters)
Other debug level information collection for helpful to triage the issue:
- show udp statistics clients location <loc>
- Show subscriber manager disconnect-history unique summary
- Show drops np all location <bundle member location>
- Show tech-support subscriber ipoe
Glossary:
- COA : Change of Authorization
- DHCP : Dynamic Host Configuration Protocol
- FSOL : First Sign Of Life
- HTTPr : HTTP Redirect.
- NP: Network Processor
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Nice article. Can you also copy the dynamic-template configuration here? It's nice if you can put some explanation under each configuration section as well. Thanks
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Hi Aleks,
From restrictions/limitation list, Point 6 states that bng should act as DHCP server itself. Can it be made as dhcp relay/proxy in new releases? I have found some cases with some customers who requires this on CMTS network. If it can be done, my 4-5 big customers who have above 100k subscribers would be very happy to have this solution. Let me know if this is supported in latest versions or if there is a roadmap.
Regards,
Rajendra
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
hi Rajendra,
I don't think we can use DHCP proxy in case of DHCPv4 triggered Routed Subscriber session, but I will double-check and get back.
However, even with this restriction you can still make a nice distributed solution. Use the local DHCP server on BNG only to convert the access-accept received from radius into DHCP offer. In the background, radius can either assign the address directly or talk to an external DHCP server and get the address from there.
hth,
/Aleksandar
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Hi!
Is routed dual stack supported in newer XR releases? I can't find this information in documentation.