03-28-2014 05:00 AM
Hello everyone.
I am trying to configure BNG on an ASR 9001 (5.1.1) for IPoE using the available configuration guides. The most confusing part for me is the IP address on the access interface. Generally there are three components encompassing/referring to the client's address space using ipv4 unnumbered lo or a specific address: the dynamic template, the access interface and the giaddr in the dhcp proxy configuration. So if a specific address block is allocated to a client and added to a dhcp server (for example 192.168.1.0/24), then the giaddr will be one of the addresses in this block (192.168.1.1), the dynamic template will have an address from the same block (192.168.1.1), so what ip will be applied to the access interface? According to a guide for IPoE:
"The IP unnumbered interface for session (local) address assignment is a mandatory feature configured under an IP dynamic template, and provides basic settings for proper IP session establishment. The unnumbered interface IP address will become the default gateway for the IP subscriber associated with the session. This address is also used as the "giaddr" in the dhcp proxy configuration to instruct the DHCP server to select an address in which this ipv4 add is routable in"
So I'm using same ip (192.168.1.1) from client block. Here is my configuration:
radius source-interface Loopback4000 vrf MANAGEMENT
radius-server vsa attribute ignore unknown
radius-server host 172.16.1.1 auth-port 1812 acct-port 1813
 key 7 XXXXXXXXXXXXXXXXXXXXX
 timeout 5
 retransmit 1
!
aaa group server radius BNG_RAD
 server 172.16.1.1 auth-port 1812 acct-port 1813
 vrf MANAGEMENT
 source-interface Loopback4000
!
aaa attribute format MY_AUTH
 mac-address
!
aaa attribute format NAS_PORT_FORMAT
 circuit-id plus remote-id separator .
!
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU type 32
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU
aaa radius attribute nas-port-id format NAS_PORT_FORMAT
aaa accounting subscriber default group BNG_RAD
aaa authorization subscriber default group BNG_RAD
aaa authentication subscriber default group BNG_RAD
dhcp ipv4
 vrf CLIENT proxy profile CLIENT
 profile CLIENT proxy
  helper-address vrf CLIENT 192.100.100.1 giaddr 192.168.1.1
  relay information option
  relay information policy keep
  relay information option allow-untrusted
 !
 interface GigabitEthernet0/0/0/0.50 proxy profile CLIENT
!
dynamic-template
 type ipsubscriber IPSUB_TPL
  vrf CLIENT
  ipv4 unnumbered Loopback346
  ipv4 access-group PERM_ALL ingress
  ipv4 access-group PERM_ALL egress
 !
!
ipv4 access-list PERM_ALL
 10 permit ipv4 any any
!
class-map type control subscriber match-any DHCP
 match protocol dhcpv4
 end-class-map
!
!
policy-map type control subscriber IP_PM
 event session-start match-first
  class type control subscriber DHCP do-until-failure
   5 activate dynamic-template IPSUB_TPL
  !
 !
 end-policy-map
!
interface GigabitEthernet0/0/0/0.50
 description ### CLIENT SUBSCRIBERS ###
 ipv4 point-to-point
 ipv4 unnumbered Loopback346
 service-policy type control subscriber IP_PM
 encapsulation dot1q 50
 ipsubscriber ipv4 l2-connected
  initiator dhcp
 !
!
interface Loopback345
 description ### BASE UNUSED IP FOR ACCESS INTERFACE ###
 ipv4 address 11.11.11.11 255.255.255.255
!
interface Loopback346
 description ### SUBNET FOR SUBSCRIBERS ###
 vrf CLIENT
 ipv4 address 192.168.1.1 255.255.255.0
!
interface Loopback4000
 description ### Loopback for MANAGEMENT ###
 vrf MANAGEMENT
 ipv4 address 172.16.1.100 255.255.255.255
!
After committing, session is not created and in debugs there are errors:
If unnumbered loopback inside access interface is changed to loopback 345 containing some unused ip address (11.11.11.11), then session is created, client received ip and everything is working. In debugs:
After session creation periodically the following warning is observed:
It must be noted that unused ip inside access interface is used by client as DHCP server's IP which forces client to send dhcp messages to a wrong address.
Any help will be appreciated.
04-02-2014 05:18 AM
hi there,
ah you know, the access interface is in the global and your unnumbered in the vrf.
that won't work, you need to put the access interface in the same vrf as the unnumbered to have it working properly.
scenario 1 doesn't work for that reason.
scenario 2 doesn't work because there is a vrf xfer issue between the access-if and the subscriber.
you have to fix either one :)
cheers!
xander
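Added example, not part of the thread and not Cisco tooling: a small offline check for the first condition named in the reply above, that an interface or ipsubscriber template and the loopback it borrows its address from sit in the same VRF. The function names are hypothetical and the sample is a constructed, re-indented excerpt of the configuration from the first post; a stanza without a `vrf` line is treated as the global table and labelled "default".

```python
import re

# Constructed, re-indented excerpt of the configuration from the first post.
SAMPLE_CONFIG = """\
dynamic-template
 type ipsubscriber IPSUB_TPL
  vrf CLIENT
  ipv4 unnumbered Loopback346
 !
!
interface GigabitEthernet0/0/0/0.50
 ipv4 unnumbered Loopback346
!
interface Loopback346
 vrf CLIENT
 ipv4 address 192.168.1.1 255.255.255.0
!
"""

# Stanzas of interest: top-level interfaces and ipsubscriber dynamic templates.
HEADER = re.compile(r"^(?:interface|\s+type ipsubscriber)\s+(\S+)\s*$")

def parse_stanzas(config):
    """Return {stanza name: {"vrf": ..., "unnumbered": ...}}; no vrf line means "default"."""
    stanzas, current = {}, None
    for line in config.splitlines():
        header, words = HEADER.match(line), line.split()
        if header:
            current = stanzas.setdefault(header.group(1), {"vrf": "default", "unnumbered": None})
        elif not words or words[0] == "!" or not line.startswith(" "):
            current = None  # end of stanza, or an unrelated top-level line
        elif current is not None and len(words) == 2 and words[0] == "vrf":
            current["vrf"] = words[1]
        elif current is not None and len(words) == 3 and words[:2] == ["ipv4", "unnumbered"]:
            current["unnumbered"] = words[2]
    return stanzas

def vrf_mismatches(config):
    """List (stanza, its vrf, loopback, loopback vrf); loopback vrf is None if undefined."""
    stanzas, findings = parse_stanzas(config), []
    for name, stanza in stanzas.items():
        loopback = stanzas.get(stanza["unnumbered"])
        if stanza["unnumbered"] and (loopback is None or loopback["vrf"] != stanza["vrf"]):
            findings.append((name, stanza["vrf"], stanza["unnumbered"], loopback and loopback["vrf"]))
    return findings

if __name__ == "__main__":
    for finding in vrf_mismatches(SAMPLE_CONFIG):
        print("VRF mismatch: %s (vrf %s) is unnumbered to %s (vrf %s)" % finding)
```

On the sample it reports only the access interface, which is in the global table while Loopback346 is in vrf CLIENT; the template itself is consistent.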
04-02-2014 10:29 PM
Thank you for the help :) My initial consideration was that only the dynamic template needs to be in the vrf, so during the creation of the ipsubscriber interface it will be placed in the correct vrf.
I've made following modifications:
1) bundle instead of a pure interface (although interface can be used in version 5.1.1)
2) access interface is in vrf now + ipv4 unnumbered lo346 with real ip address used as client gateway and giaddr
3) arp learning is disabled
The only problem which remains is generation of the following log as soon as a client session is up:
dhcpd[1081]: %IP-DHCPD-4-INVALID_DEFAULT_GATEWAY : Invalid! default gateway, Client(101f.74e5.0bad) Release/Renew send may fail
At the client side, gateway and dhcp server IPs are correct, pointing to bng.
10-27-2014 12:49 PM
Hi,
We too are getting the
%IP-DHCPD-4-INVALID_DEFAULT_GATEWAY ....Release/Renew send may fail
error
on a 9001 router that is acting just as relay agent and not as a full dhcp server.
Everything seems to work; maybe a cosmetic error?
Regards
MM
10-27-2014 12:53 PM
Found!
https://tools.cisco.com/bugsearch/bug/CSCun75844/?referring_site=ss
just cosmetic!
MM
10-27-2014 01:19 PM
hey marco, you made my job very easy! nice find! nothing else to comment, but just to confirm that I read your note and agree with your assessment.
cheers!
xander
04-17-2015 10:57 PM
Hi Alex,
How are you?
How can I separate the private ip pools from public in the same access-interface?
I want private to be in vrf, public in global.
Kindly
Tural
04-18-2015 05:38 AM
hi tural!
if you have 2 different groups of users on the same access interface, you can use the dhcp class or some other matching in the dhcp discover to separate the users out. the config would look like this:
dhcp ipv4
 profile AutoSelectGiaddr proxy
  !
  ! NAME OF A CLASS
  class HardPhone1
   ! WHAT TO MATCH ON FROM DISCOVER
   match option 60 hex 4861726450686F6E6531
   ! SET THE HELPER AND GIADDR (POOL SELECTION) TO THE DHCP SERVER
   helper-address vrf default 81.1.1.2 giaddr 10.1.1.254
  !
  class HardPhone2
   match option 60 hex 4861726450686F6E6532
   ! SAME HELPER, BUT DIFFERENT GIADDR SO DIFFERENT POOL.
   helper-address vrf default 81.1.1.2 giaddr 172.28.15.254
  !
  relay information option
  relay information policy replace
  relay information option remote-id testme
  relay information option allow-untrusted
 !
radius can provide the gateway addr (eg the unnumbered loopback) and vrfID as necessary.
xander
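Added example, not part of the thread and not router code: a model of the class selection in the configuration above, which reads option 60 out of a DISCOVER's options field and returns the helper and giaddr of the matching class. It assumes the hex pattern must equal the whole option 60 value (the post does not state the router's matching rule); the function names and the sample DISCOVER options are constructed.

```python
# Class table transcribed from the configuration in the post above:
# (class name, "match option 60 hex" pattern, giaddr)
CLASSES = [
    ("HardPhone1", "4861726450686F6E6531", "10.1.1.254"),
    ("HardPhone2", "4861726450686F6E6532", "172.28.15.254"),
]
HELPER = "81.1.1.2"  # same helper-address for both classes

def parse_options(options):
    """Walk the DHCP options field (the bytes after the magic cookie) into {code: value}."""
    found, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        found[code] = found.get(code, b"") + value  # a repeated option is concatenated
        i += 2 + length
    return found

def select_class(options):
    """Return (class, helper, giaddr) for the first class whose pattern equals option 60."""
    vendor_class = parse_options(options).get(60)
    for name, hex_pattern, giaddr in CLASSES:
        # Assumption: exact match on the full vendor class identifier.
        if vendor_class == bytes.fromhex(hex_pattern):
            return name, HELPER, giaddr
    return None  # no class matched; what the router does then is outside this model

def discover_options(vendor_class):
    """Constructed sample: option 53 (DISCOVER), option 60, End."""
    return bytes([53, 1, 1, 60, len(vendor_class)]) + vendor_class + b"\xff"

if __name__ == "__main__":
    for vendor in (b"HardPhone1", b"HardPhone2", b"SoftPhone"):
        print(vendor.decode(), "->", select_class(discover_options(vendor)))
```

The two hex patterns are simply the ASCII strings HardPhone1 and HardPhone2, so the class names in the configuration mirror the vendor class identifiers they match.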
04-19-2015 04:30 AM
Hi Alex, is it possible if I am using ASR 9k as DHCP server?
Kindly
Tural
04-19-2015 04:37 AM
hi tural, yes you can, here is a ref on that:
http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r5-1/bng/configuration/guide/b_bng_cg51xasr9k/b_bng_cg51xasr9k_chapter_0101.html#concept_CA2B956D03FB4533A3653BD0119AC788
xander
04-19-2015 08:29 AM
04-19-2015 05:44 AM
Hi Alex,
I was meaning is it possible to separate out Public from Private in the same access interface so that Public Pools would be in the global, but Private in the VRF when I use BNG as my DHCP Server.
In my configuration when I put the access interface and Loopback interface in the VRF, it is working, but I do not need that.
I want access interface be in the global. But somehow I have to separate the requests into 2 different pools - global and vrf.
Based on what I have to match the requests ?
Kindly
Tural
04-20-2015 04:17 AM
the access interface can remain in global that is no problem. you can use the dynamic template or radius to instruct the user's table.
the addr allocation is defined by the giaddr from the dhcp ipv4 config.
so in order to separate the users you need to have some sort of differentiator it can be :
dhcp class (this dhcp class can be downloaded from radius also).
if downloaded from radius, then you can use the option 82 info in the discover as a username (whether or not with the mac addr) so the radius can derive if this user is the global or vrf user.
based on that classification, the dhcp proxy can use that class differentiator to set the different giaddr to pick different pools.
xander
04-19-2015 04:24 AM
Hi Alex, is it possible if I am using ASR 9k as DHCP server?
Kindly
Tural
05-05-2016 01:04 AM
I have the same error message on asr9010 and ios xr 5.3.3. There is no full dhcp server on the router, just a relay. The message shows only one specific mac on that particular subnet. It does not fit CSCun75844.
But there is no noticeable effect on functionality.
Hi Alex,
I was meaning is it possible to separate out Public from Private in the same access interface so that Public Pools would be in the global, but Private in the VRF when I use BNG as my DHCP Server.
In my configuration when I put the access interface and Loopback interface in the VRF, it is working, but I do not need that.
I want access interface be in the global. But somehow I have to separate the requests into 2 different pools - global and vrf.
Based on what I have to match the requests ?
Here is my config:
==============
pool vrf nat ipv4 VRF
 network 10.10.0.0/16 default-router 10.10.1.1/16
!
pool vrf default ipv4 PUB
 network x.x.x.x/24
!
!
dhcp ipv4
 profile BNG server
  class NAT
   lease 0 0 10
   pool VRF
   dns-server 10.10.1.2
   subnet-mask 255.255.0.0
   default-router 10.10.1.1
  !
  class PUB
   lease 0 0 10
   pool PUB
   dns-server 10.10.1.2
   subnet-mask 255.255.255.0
   default-router x.x.x.x/24
  !
 !
 interface Bundle-Ether1.131 server profile BNG
!
!
interface Bundle-Ether1.131
 ipv4 point-to-point
 ipv4 unnumbered Loopback100
 arp learning disable
 service-policy type control subscriber BNG-PM
 ipsubscriber ipv4 l2-connected
  initiator dhcp
 !
 encapsulation ambiguous dot1q 131 second-dot1q 1500-2000
!
!
type ipsubscriber IPoE-TPL
 vrf nat
 accounting aaa list ACCT-LIST type session periodic-interval 60
 ipv4 unnumbered Loopback100
!
It receives an ip but cannot find the access-interface; it shows status DOWN
================================================================
RP/0/RSP0/CPU0:FTTXBNG#sh subscriber session all
Sun Apr 19 08:25:54.882 UTC
Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
ID - Idle, DN - Disconnecting, ED - End
Type Interface State Subscriber IP Addr / Prefix
LNS Address (Vrf)
--------------------------------------------------------------------------------
IP:DHCP No CD 10.10.0.11 (nat)
RP/0/RSP0/CPU0:FTTXBNG#
Kindly
Tural