
ASR 9001 BNG dhcp and loopback problems

Hello everyone.

I am trying to configure BNG on an ASR 9001 (5.1.1) for IPoE using the available configuration guides. The most confusing part for me is the IP address on the access interface. Generally there are three components encompassing/referring to the client's address space using ipv4 unnumbered lo or a specific address: the dynamic template, the access interface and the giaddr in the dhcp proxy configuration. So if a specific address block is allocated to a client and added to a dhcp server (for example 192.168.1.0/24), then the giaddr will be one of the addresses in this block (192.168.1.1) and the dynamic template will have an address from the same block (192.168.1.1); what IP will be applied to the access interface? According to a guide for IPoE:

"The IP unnumbered interface for session (local) address assignment is a mandatory feature configured under an IP dynamic template, and provides basic settings for proper IP session establishment.  The unnumbered interface IP address will become the default gateway for the IP subscriber associated with the session. This address is also used as the "giaddr" in the dhcp proxy configuration to instruct the DHCP server to select an address in which this ipv4 add is routable in"

So I'm using the same IP (192.168.1.1) from the client block. Here is my configuration:
 

radius source-interface Loopback4000 vrf MANAGEMENT
radius-server vsa attribute ignore unknown
radius-server host 172.16.1.1 auth-port 1812 acct-port 1813
 key 7 XXXXXXXXXXXXXXXXXXXXX
 timeout 5
 retransmit 1
!

aaa group server radius BNG_RAD
 server 172.16.1.1 auth-port 1812 acct-port 1813
 vrf MANAGEMENT
 source-interface Loopback4000
!

aaa attribute format MY_AUTH
 mac-address
!
aaa attribute format NAS_PORT_FORMAT
 circuit-id plus remote-id separator .
!
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU type 32
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU
aaa radius attribute nas-port-id format NAS_PORT_FORMAT
aaa accounting subscriber default group BNG_RAD
aaa authorization subscriber default group BNG_RAD
aaa authentication subscriber default group BNG_RAD


dhcp ipv4
 vrf CLIENT proxy profile CLIENT
 profile CLIENT proxy
  helper-address vrf CLIENT 192.100.100.1 giaddr 192.168.1.1
  relay information option
  relay information policy keep
  relay information option allow-untrusted
 !
 interface GigabitEthernet0/0/0/0.50 proxy profile CLIENT
!

dynamic-template
 type ipsubscriber IPSUB_TPL
  vrf CLIENT
  ipv4 unnumbered Loopback346
  ipv4 access-group PERM_ALL ingress
  ipv4 access-group PERM_ALL egress
 !
!

ipv4 access-list PERM_ALL
 10 permit ipv4 any any
!

class-map type control subscriber match-any DHCP
 match protocol dhcpv4 
 end-class-map
!
!
policy-map type control subscriber IP_PM
 event session-start match-first
  class type control subscriber DHCP do-until-failure
   5 activate dynamic-template IPSUB_TPL
  !
 !
 end-policy-map
!

interface GigabitEthernet0/0/0/0.50
 description ### CLIENT SUBSCRIBERS ###
 ipv4 point-to-point
 ipv4 unnumbered Loopback346
 service-policy type control subscriber IP_PM
 encapsulation dot1q 50
 ipsubscriber ipv4 l2-connected
  initiator dhcp
 !
!

interface Loopback345
 description ### BASE UNUSED IP FOR ACCESS INTERFACE ###
 ipv4 address 11.11.11.11 255.255.255.255
!
interface Loopback346
 description ### SUBNET FOR SUBSCRIBERS ###
 vrf CLIENT
 ipv4 address 192.168.1.1 255.255.255.0
!
interface Loopback4000
 description ### Loopback for MANAGEMENT ###
 vrf MANAGEMENT
 ipv4 address 172.16.1.100 255.255.255.255
!


After committing, the session is not created and in debugs there are errors:
 

LC/0/0/CPU0:Mar 28 15:19:59.676 : dhcpd[154]: DHCPD ERROR: TP3301: Failed to get interface handle for  Loopback346
LC/0/0/CPU0:Mar 28 15:19:59.676 : dhcpd[154]: DHCPD ERROR: TP2526: Access interface Unknown with NULL primary address
LC/0/0/CPU0:Mar 28 15:19:59.676 : dhcpd[154]: DHCPD PROXY ERROR: TP1887: Giaddr policy error, chaddr d485.64eb.045c
LC/0/0/CPU0:Mar 28 15:19:59.676 : dhcpd[154]: DHCPD PROXY ERROR: TP1513: Process DISCOVER failed for chaddr d485.64eb.045c
LC/0/0/CPU0:Mar 28 15:19:59.676 : dhcpd[154]: DHCPD PROXY ERROR: TP1665: Proxy process client request packet failed for chaddr d485.64eb.045c
LC/0/0/CPU0:Mar 28 15:19:59.676 : dhcpd[154]: DHCPD ERROR: TP1675: Base process event returned failure for chaddr d485.64eb.045c: sub_label 0x4000038 (67108920)


If the unnumbered loopback inside the access interface is changed to Loopback345, containing some unused IP address (11.11.11.11), then the session is created, the client receives an IP and everything is working. In debugs:
 

LC/0/0/CPU0:Mar 28 15:46:23.707 : dhcpd[154]: DHCPD ERROR: TP3301: Failed to get interface handle for  Loopback346
LC/0/0/CPU0:Mar 28 15:46:23.866 : dhcpd[154]: DHCPD EVENT: TP750: RSI event for interface received. Intf = GigabitEthernet0/0/0/0.50.ip10, VRF CLIENT, Event 0
LC/0/0/CPU0:Mar 28 15:46:37.599 : dhcpd[154]: DHCPD ERROR: TP2468: rib route delete failed, null ifhandle or IPv4 address
LC/0/0/CPU0:Mar 28 15:46:37.702 : dhcpd[154]: DHCPD ERROR: TP2678: DPM session disconnect for chaddr d485.64eb.045c, sub_label 0x0 (0) returned failure: 'Subsystem(4791)' detected the 'warning' condition 'Code(3)'
LC/0/0/CPU0:Mar 28 15:46:38.036 : dhcpd[154]: DHCPD EVENT: TP750: RSI event for interface received. Intf = GigabitEthernet0/0/0/0.50.ip10, VRF CLIENT, Event 1
LC/0/0/CPU0:Mar 28 15:46:40.364 : dhcpd[154]: DHCPD ERROR: TP3301: Failed to get interface handle for  Loopback346
LC/0/0/CPU0:Mar 28 15:46:40.498 : dhcpd[154]: DHCPD EVENT: TP750: RSI event for interface received. Intf = GigabitEthernet0/0/0/0.50.ip11, VRF CLIENT, Event 0


After session creation periodically the following warning is observed:
 

 LC/0/0/CPU0:Mar 28 10:46:45.043 : dhcpd[154]: %IP-DHCPD-4-INVALID_DEFAULT_GATEWAY : Invalid! default gateway, Client(d485.64eb.045c) Release/Renew send may fail


It must be noted that unused ip inside access interface is used by client as DHCP server's IP which forces client to send dhcp messages to a wrong address. 

Any help will be appreciated.

Cisco Employee

hi there,

ah you know, the access interface is in the global and your unnumbered in the vrf.

that won't work, you need to put the access interface in the same vrf as the unnumbered to have it working properly.

scenario 1 doesn't work for that reason.

scenario 2 doesn't work because there is a vrf xfer issue between the access-if and the subscriber.

you have to fix either one :)

cheers!

xander
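
The rule stated in the reply above (the access interface and its unnumbered loopback must sit in the same VRF) can be checked offline before committing. This is an added example, not part of the original thread or Cisco tooling; the function names are hypothetical and the parser only understands the few lines shown in the constructed excerpt.

```python
import re

# Constructed excerpt of the configuration posted in the question.
SAMPLE_CONFIG = """\
dhcp ipv4
 profile CLIENT proxy
  helper-address vrf CLIENT 192.100.100.1 giaddr 192.168.1.1
 !
!
interface GigabitEthernet0/0/0/0.50
 ipv4 unnumbered Loopback346
!
interface Loopback346
 vrf CLIENT
 ipv4 address 192.168.1.1 255.255.255.0
!
"""
FIELDS = {"vrf": r"vrf (\S+)$", "unnumbered": r"ipv4 unnumbered (\S+)$",
          "address": r"ipv4 address (\S+) "}

def parse_interfaces(config):
    """Return {interface: {"vrf", "unnumbered", "address"}} from top-level stanzas."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):       # top-level line: opens or ends a stanza
            m = re.match(r"interface (\S+)$", line)
            current = interfaces.setdefault(m.group(1), {"vrf": "default"}) if m else None
        elif current is not None:
            for key, pattern in FIELDS.items():
                m = re.match(pattern, line.strip())
                if m:
                    current[key] = m.group(1)
    return interfaces

def vrf_mismatches(config):
    """Interfaces whose VRF differs from the VRF of their unnumbered loopback."""
    ifs = parse_interfaces(config)
    return [(name, cfg["vrf"], cfg["unnumbered"], ifs[cfg["unnumbered"]]["vrf"])
            for name, cfg in ifs.items()
            if cfg.get("unnumbered") in ifs
            and ifs[cfg["unnumbered"]]["vrf"] != cfg["vrf"]]

def giaddr_owners(config):
    """Map each giaddr in the config to the interface holding that address, if any."""
    owners = {c["address"]: n for n, c in parse_interfaces(config).items() if "address" in c}
    return {g: owners.get(g) for g in re.findall(r"giaddr (\S+)", config)}

print(vrf_mismatches(SAMPLE_CONFIG), giaddr_owners(SAMPLE_CONFIG))
```

An interface without a `vrf` line is reported as `default`, the name the later replies use for the global table.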


Thank you for the help :) My initial consideration was that only the dynamic template needs to be in the vrf, so during the creation of the ipsubscriber interface it will be placed in the correct vrf.

I've made following modifications:
1) bundle instead of a pure interface (although interface can be used in version 5.1.1)
2) access interface is in vrf now + ipv4 unnumbered lo346 with real ip address used as client gateway and giaddr
3) arp learning is disabled

The only problem which remains is generation of the following log as soon as a client session is up:

dhcpd[1081]: %IP-DHCPD-4-INVALID_DEFAULT_GATEWAY : Invalid! default gateway, Client(101f.74e5.0bad) Release/Renew send may fail

At the client side, gateway and dhcp server IPs are correct, pointing to bng. 


Hi,

We too are getting the

%IP-DHCPD-4-INVALID_DEFAULT_GATEWAY ....Release/Renew send may fail

error

on a 9001 router that is acting just as a relay agent and not as a full dhcp server.

Everything seems to work; maybe a cosmetic error?

 

Regards

MM


Found!

 

https://tools.cisco.com/bugsearch/bug/CSCun75844/?referring_site=ss

 

just cosmetic!

MM


hey marco, you made my job very easy! nice find! nothing else to comment, but just to confirm that I read your note and agree with your assessment.

cheers!

xander


Hi Alex,

 

How are you?

How can I then separate private IP pools from public in the same access-interface?

I want private to be in vrf, public in global.

Kindly 
Tural


hi tural!

if you have 2 different groups of users on the same access interface, you can use the dhcp class or some other matching in the dhcp discover to separate the users out. the config would look like this:

 

dhcp ipv4
 profile AutoSelectGiaddr proxy
  !
  class HardPhone1 <<< NAME OF A CLASS
   match option 60 hex 4861726450686F6E6531 <<< WHAT TO MATCH ON FROM DISCOVER
   helper-address vrf default 81.1.1.2 giaddr 10.1.1.254 <<< SET THE HELPER AND GIADDR (POOL SELECTION) TO THE DHCP SERVER
  !
  class HardPhone2
   match option 60 hex 4861726450686F6E6532
   helper-address vrf default 81.1.1.2 giaddr 172.28.15.254 <<< SAME HELPER, BUT DIFFERENT GIADDR SO DIFFERENT POOL.
  !
  relay information option
  relay information policy replace
  relay information option remote-id testme
  relay information option allow-untrusted
 !

radius can provide the gateway addr (eg the unnumbered loopback) and vrfID as necessary.

xander
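
The class-based giaddr selection in the reply above, modelled end to end as an added example (not part of the original thread and not Cisco code). The server pools are hypothetical, since the thread does not show the DHCP server side, and the option 60 comparison is modelled as an exact match, which is an assumption.

```python
import ipaddress
import re

# Class stanzas copied from the reply above (annotations removed).
PROFILE = """\
class HardPhone1
 match option 60 hex 4861726450686F6E6531
 helper-address vrf default 81.1.1.2 giaddr 10.1.1.254
!
class HardPhone2
 match option 60 hex 4861726450686F6E6532
 helper-address vrf default 81.1.1.2 giaddr 172.28.15.254
!
"""

# Hypothetical pools on the DHCP server at 81.1.1.2; the thread does not show them.
SERVER_POOLS = ["10.1.1.0/24", "172.28.15.0/24"]

def parse_classes(profile):
    """Return [(class name, option 60 bytes, helper, giaddr)] in config order."""
    pattern = re.compile(
        r"class (\S+)\n\s*match option 60 hex ([0-9A-Fa-f]+)\n"
        r"\s*helper-address vrf \S+ (\S+) giaddr (\S+)")
    return [(n, bytes.fromhex(h), helper, g) for n, h, helper, g in pattern.findall(profile)]

def select_giaddr(option60, profile=PROFILE):
    """Pick the giaddr of the first class whose option 60 value equals the client's."""
    for name, value, _helper, giaddr in parse_classes(profile):
        if value == option60:          # exact match is an assumption of this sketch
            return name, giaddr
    return None                        # no class matched, so no class sets a giaddr

def pool_for(giaddr, pools=SERVER_POOLS):
    """Model the server side: the pool whose subnet contains the giaddr."""
    addr = ipaddress.ip_address(giaddr)
    return next((p for p in pools if addr in ipaddress.ip_network(p)), None)

if __name__ == "__main__":
    for vendor_class in (b"HardPhone1", b"HardPhone2", b"SomethingElse"):
        choice = select_giaddr(vendor_class)
        print(vendor_class, choice, pool_for(choice[1]) if choice else None)
```

The hex strings in the config are just the ASCII vendor class identifiers `HardPhone1` and `HardPhone2`. Option 60 is a client-supplied value, so treat class membership as a convenience for pool selection rather than as an access control.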


Hi Alex, is it possible if I am using the ASR 9k as the DHCP server?

 

Kindly 

Tural


hi tural, yes you can, here is a ref on that:

http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r5-1/bng/configuration/guide/b_bng_cg51xasr9k/b_bng_cg51xasr9k_chapter_0101.html#concept_CA2B956D03FB4533A3653BD0119AC788

xander


Hi Alex,

 

I meant: is it possible to separate out Public from Private in the same access interface so that Public Pools would be in the global, but Private in the VRF when I use BNG as my DHCP Server?

In my configuration, when I put the access interface and Loopback interface in the VRF, it is working, but I do not need that.

I want the access interface to be in the global. But somehow I have to separate the requests into 2 different pools - global and vrf.

Based on what do I have to match the requests?

 

Here is my config:

==============

 

pool vrf nat ipv4 VRF
 network 10.10.0.0/16 default-router 10.10.1.1/16
!
pool vrf default ipv4 PUB
 network x.x.x.x/24
!
!
dhcp ipv4
 profile BNG server
  class NAT
   lease 0 0 10
   pool VRF
   dns-server 10.10.1.2
   subnet-mask 255.255.0.0
   default-router 10.10.1.1
  !
  class PUB
   lease 0 0 10
   pool PUB
   dns-server 10.10.1.2
   subnet-mask 255.255.255.0
   default-router x.x.x.x/24
  !
 !
 interface Bundle-Ether1.131 server profile BNG
!
!
interface Bundle-Ether1.131
 ipv4 point-to-point
 ipv4 unnumbered Loopback100
 arp learning disable
 service-policy type control subscriber BNG-PM
 ipsubscriber ipv4 l2-connected
  initiator dhcp
 !
 encapsulation ambiguous dot1q 131 second-dot1q 1500-2000
!
!
type ipsubscriber IPoE-TPL
  vrf nat
  accounting aaa list ACCT-LIST type session periodic-interval 60
  ipv4 unnumbered Loopback100
!

 

It receives an IP but cannot find the access interface; it shows status DOWN

================================================================

RP/0/RSP0/CPU0:FTTXBNG#sh  subscriber session all
Sun Apr 19 08:25:54.882 UTC
Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
       ID - Idle, DN - Disconnecting, ED - End

Type         Interface                State     Subscriber IP Addr / Prefix                              
                                                LNS Address (Vrf)                              
--------------------------------------------------------------------------------
IP:DHCP      No                       CD        10.10.0.11 (nat)                    
RP/0/RSP0/CPU0:FTTXBNG#

Kindly

Tural


the access interface can remain in global that is no problem. you can use the dynamic template or radius to instruct the user's table.

the addr allocation is defined by the giaddr from the dhcp ipv4 config.

so in order to separate the users you need to have some sort of differentiator; it can be:

dhcp class (this dhcp class can be downloaded from radius also).

if downloaded from radius, then you can use the option 82 info in the discover as a username (whether or not with the mac addr) so the radius can derive if this user is the global or vrf user.

based on that classification, the dhcp proxy can use that class differentiator to set the different giaddr to pick different pools.

xander


I have the same error message on an asr9010 with ios xr 5.3.3. There is no full dhcp server on the router, just a relay. The message shows only one specific mac on that particular subnet. It does not fit CSCun75844.

But there is no noticeable effect on functionality
