Understanding ASR9000 BNG DHCPv4 Routed Subscriber

raghuvkr · ‎05-19-2014

Understanding ASR9000 BNG Routed Subscriber (DHCPv4 Triggered):

Introduction:

IPoE subscriber sessions can be classified as L2 or L3 (Routed) sessions based on the access network that connects the subscriber to the BNG. If the subscribers are connected via a routed access network (as shown in below figure), the subscriber sessions on BNG are termed as L3 or Routed Subscriber sessions.

Routed Subscriber sessions can be of 2 types IPoE with DHCP as trigger and IPoE with IP-Packet Data traffic as trigger.

With Routed subscriber session support, subscribers anywhere in IP cloud can be provisioned by BNG thus overcoming the restriction of l2-connectivity.

Until 5.1.1 only L2-connected Subscriber sessions were supported. From IOS-XR Release 5.1.1 onwards, ASR9k (BNG) supports DHCPv4 triggered IPoE Routed Subscriber v4 sessions with on-BNG DHCP server.

Pkt triggered routed session support will be from IOS-XR Release 5.2.2 onwards.

Routed Subscriber:

It is evident from the term ‘routed’ that the subscribers can be multiple hops away from BNG (as shown in above figure). As of 5.1.1 only DHCPv4 triggered routed subscribers are supported, so the DSLAM or the previous hop router(s) will relay the DHCP packets (as DHCP relay agents) between subscribers and BNG.

The subscriber initially has no IP address and it starts with DHCP discovery.

The subscriber will be initially identified using client-hw-address field in the DHCP discover which is the first sign of life (FSOL) and session will be created based on this mac address. The subscriber can optionally be authorized based on mac-address and other parameters at this stage. Once this is done subscriber is offered an IP address.

After the DHCP DORA exchange, once the subscriber gets IP address, subscriber will be identified on BNG by its IP address in data-plane and subscriber route is added (This route addition will be based on the summary route to the subscriber network which must be preconfigured).

Other DHCP client packets (release, renew, etc …) will not be considered as FSOLs and forwarded/punted based on the subscriber interface and route.

Later the subscriber can be authorized/authenticated (via HTTPr web authentication) and services can be downloaded and applied to subscriber via Radius / COA.

Restrictions, limitation and other Functional Behavior w.r.t platform and configuration:

Supported on A9K-MOD80-SE A9K-MOD160-SE and above. Not supported on Trident based LCs ex A9K-8T/4-B, A9K-4T-B etc.
Supported on only Ether Bundle sub-interfaces as access interface.
Overlapping IP addresses are not supported on the same access interface, same or different VRFs
IPv6 DHCP routed sessions are not supported as of 5.1.1 and hence the Dual stack is not supported.
PPPoE is not supported.
Supported with DHCP Server on BNG. BNG cannot act as DHCP relay / proxy if the packet trigger is routed/relayed DHCP (As ASR9k BNG cannot act as 2nd or higher order Relay agent in relay chaining).
DHCP lease query is not supported as FSOL.
Summary (cover) route pointing to DHCP client subnet must exist.
HTTP redirect can be applied on Subscribers and access credentials can be authenticated in account-logon event. However we should not attempt changing subscriber ‘s vrf (and few other attributes) in this phase via access-accept / COA. As DHCP pool allocation and subscriber cover route are already allocated in session-start phase and DHCP client would have already received the IP address.
Cover subscriber subnet summary/route modifications (like next hop ip / vrf) are strictly not allowed. In case if route gets updated due to dynamic routing protocols, the subscriber session will be torn down and freshly created. If summary route gets deleted, subscribers move to DOWN state and subscriber routes will be deleted. Once the summary route recoveres, subscribers move to UP state and routes are re-added.
Non subscriber traffic will be routed by access-interface as normal router would do. So ACLs can be enabled on access-interface to drop unintended non-dhcp and non-subscriber traffic.
Initial authorization can happen on mac-address or other DHCP based attributes or BNG access-interface attributes. IP Address cannot be used as we are not aware of ip address allocated by DHCP server to client in advance.
Before authorization, the subscriber DHCP packets will arrive on access-interface-vrf, after authorization DHCP and other subscriber traffic will arrive on subscriber-interface-vrf.

Feature supported

Feature Support will be same as those supported on L2-connected Bundle RP based subscribers.

Performance and Scale

Scale Numbers

64k Single Stack IPv4 subscriber sessions per system

Performance will be same as other L2-connected Bundle RP based subscribers.

Approximate target CPS is listed in the table below, assuming 64K sessions per system.

Scale/Call Flow	IPoE
64k IPv4	100 +

High Availability

HA Feature	Plane	Bundle subscribers
Process restart	Control Plane	Subscriber session state maintained. New subscriber bringup delayed by a small time, depending on the component being restarted.
Process restart	Data Plane	No impact to traffic
LC OIR	Control Plane	With multi-member bundles, no impact is seen. With single member bundles, control plane cannot function since no control packet is received. Session state is not lost since that is stored on the RP.
LC OIR	Data plane	With multi-member bundles, no impact is seen. With single member bundles, data traffic is lost. No session state is lost.
RP FO	Control Plane	Significant quiet time (currently more than 10 minutes) before new sessions can be setup. Existing session state is not lost.
RP FO	Data Plane	No impact to traffic

Configuring BNG for DHCPv4 Routed subscribers:

1. Access interface configuration(here Bundle-Ether 1.1 is access-interface):

interface Bundle-Ether1

lacp switchover suppress-flaps 2500

bundle wait-while 1

bundle maximum-active links 2 hot-standby

bundle load-balancing hash dst-ip

dampening 4

!

interface Bundle-Ether1.1

service-policy output vlan_policy_egress subscriber-parent resource-id 0

vrf red

ipv4 address 12.0.0.1 255.255.0.0

service-policy type control subscriber ISN_CNTRL_2

encapsulation dot1q 10

ipsubscriber ipv4 routed

initiator dhcp

!

interface Bundle-Ether2

lacp switchover suppress-flaps 2500

bundle wait-while 1

bundle maximum-active links 1

dampening 4

!

interface Bundle-Ether2.1

service-policy output vlan_policy_egress subscriber-parent resource-id 0

vrf red

ipv4 address 12.2.0.1 255.255.0.0

service-policy type control subscriber ISN_CNTRL_2

encapsulation dot1q 12

ipsubscriber ipv4 routed

initiator dhcp

!

(ipsubscriber ipv4 routed initiator dhcp—is the access interface config for IPoE routed DHCP based subscribers)

2. DHCP profile configuration:

dhcp ipv4

profile DHCP_SERVER1 server

lease 0 3 0

class CLASS_VRF

pool POOL_GREEN

!

class CLASS_VRF_RED

pool pool_bundle1

!

profile DHCP_SERVER2 server

lease 0 3 0

pool pool_bundle2

!

profile DHCP_SERVER3 server

lease 0 3 0

pool pool_bundle3

!

interface Bundle-Ether1.1 server profile DHCP_SERVER1

interface Bundle-Ether2.1 server profile DHCP_SERVER3

!

3. DHCP Pool Configuration:

pool vrf red ipv4 pool_bundle1

address-range 12.8.0.2 12.8.31.65

!

pool vrf green ipv4 POOL_GREEN

address-range 12.100.0.2 12.100.31.65

!

pool vrf red ipv4 pool_bundle3

address-range 12.10.0.2 12.10.31.65

!

4. VRF Configuration:

vrf red

address-family ipv4 unicast

!

vrf green

address-family ipv4 unicast

!

(Note the subscribers on an access-interface can come up in a vrf different from corresponding access-interface vrf. This is called cross-vrf. For this to happen, the subscribers’ subsnet summary route must exist with gateway reachable via access-interface vrf, dhcp pool must be in subscriber vrf. Once the subscriber is created, its vrf cannot be changed - even with coa)

5. Routes configuration:

vrf red

address-family ipv4 unicast

12.8.0.0/16 12.0.0.2

12.10.0.0/16 12.2.0.2

!

vrf green

address-family ipv4 unicast

12.100.0.0/16 vrf red Bundle-Ether1.1 12.0.0.2

!

(Here subscribers in 12.100.0.0 network behind the CPE will come up vrf green using pool POOL-GREEN, while the subscribers in 12.8.0.0 network will come-up in vrf red using pool “pool_bundle1” on same access-interface Bundle-Ether1.1 which is in vrf red)

6. Loopback configuration for usage by IPoE subscriber interfaces.

interface Loopback2

vrf red

ipv4 address 12.21.0.1 255.255.255.255

!

interface Loopback4

vrf green

ipv4 address 12.201.1.1 255.255.0.0

!

7. Control Policy-map and class-map configs

class-map type control subscriber match-any ISN_CM_1

match protocol dhcpv4

!

policy-map type control subscriber ISN_CNTRL_2

event session-start match-all