05-11-2016 11:33 AM
I am looking for some help in understanding the best way to implement DHCP with our current ASR9001. This ASR9k is currently providing PPPoE subscriber services for about 14,000 users. I know I need DHCP servers. We use bundle interfaces and sub-interfaces with dot1q vlans. PPPoE requests get to the ASR9k via layer 2 requests. We use IPV4 pools now for IP assignment to the subscriber. I have tested DHCP broadcasts and they are reaching the ASR9k.
In a test environment, I did get a DHCP subscriber working, but I had to assign an IPV4 address to that sub-interface and then I had to reserve a subnet for that VLAN sub-interface. But this is inefficient as I would rather pull IP addresses from a pool for the entire ASR9k rather than reserve subnets per vlan sub-interface. Has anyone done this and/or is there a better way? To make a long story short, I want to migrate from PPPoE to IPoE using DHCP. We do not want to authenticate the DHCP users as we will limit the number of mac addresses at the access level. If anyone has any sample configs, or ideas to make this happen, I would appreciate it.
05-11-2016 12:20 PM
hi mike,
I described your use case in the bng deployment guide. the address on the access interface is necessary to process the discovers, which are ip based.
the discover will lead to a subscriber interface creation when succeeding.
this address on the access interface can be anything really, it is merely to enable IP on the access interface. so you can have a loopback with some address on it and make all your access interfaces unnumbered to that.
possibly with an ACL to block anything but a discover for security reasons (also described in that guide ref'd).
the unnumbered on the template must be in the same subnet as the adds you hand out in the dhcp server (because it is routed and not p2p like pppoe).
sharing a pool between dhcp and pppoe is tricky, can be done when you outsource the ppp add assignment to dhcp. think that will be tricky.
possibly easier to split say your /24 pool into smaller chunks, like 4x/26 use 1 for dhcp and 3 for pppoe and move more over as you see your sessions shift.
note that you can terminate both kinds on the same access interface. the class-eval can differentiate between session type (pppoe vs dhcp).
cheers!
xander
05-13-2016 08:34 AM
Yes, I read that part of the guide, still trying to get my head around it.
I actually do intend on having a separate DHCP pool. I was just hoping I would not have to assign a subnet pool per access interface, or vlan. We have enough IPs to migrate a subnet at a time, from PPPoE to DHCP. So instead of vlan 10, getting a /23 and vlan 20 getting a /24, I was hoping for a pool where any valid ipv4 address can be assigned via dhcp.
Thanks for your reply Xander!
05-13-2016 12:55 PM
correct, you don't have to.
say you have a loopback 1.1.1.1/30, unnumber that to all your access interfaces
apply an inbound ACL to block anything but dhcp .
then have a loopback with the /24 of the block you are going to assign.
unnumber that loop to the template or assign it to the subscriber via radius.
you can add secondaries to this loop as your pool needs grow.
xander
05-17-2016 05:42 AM
Last question Xander, is the last version of the bng deployment guide, dated:
05-17-2016 07:28 AM
the index page of all cool BNG docs on supportforums is here:
https://supportforums.cisco.com/document/12253636/asr9000-bng-links
The BNG deployment guide linked off that page is the latest.
hth,
/Aleksandar
05-17-2016 07:32 AM
A question from my side: is there a particular reason for choosing 5.2.4 for BNG deployment? We highly recommend the XR release 5.3.3 (with the latest Service Pack) for all BNG deployments.
If you have to stick to 5.2.4, please make sure to also install the latest 5.2.4 Service Pack.
/Aleksandar
05-17-2016 10:48 AM
Thanks for your reply. We started out with 5.1.2 last fall, and upgraded twice since then. We have had issues with third parties and their CPE devices (i.e. customers with pppoe routers that may not like CISCO's pppoe termination). I see that 5.3.3 is now the suggested release, and will talk to management about upgrading. I also need to make sure there have been no changes to pppoe, since we are a while from migrating to IPoE/DHCP. We made a lot of customers upset with their connections not working when we rolled out our 2 ASR9001's. We had to go out and upgrade firmware on several hundred cpe devices.
06-03-2016 06:04 AM
We have something working, but still a little config to go. My first subnet worked fine, but I can't get the second pool to work, until I changed the giaddr address to match that second subnet. Watching the packet capture, I see the dhcp request come in as the ip address of the giaddr address.
I removed the giaddr address and the request comes in as the loopback 1.1.1.1, like in your example of setting the loopback above.
The DHCP server only responds to the pool from which it sees the request address subnet. I will keep looking but if you have any suggestions, let me know. Thanks!
06-03-2016 06:40 AM
hi mike,
correct what you are seeing is how it would work. the giaddr is the gateway addr which provides the pool hint to the dhcp server. it also should be an addr that I have locally defined on my node because the dhcp server will respond back to this address so it needs to get back to the dhcp proxy/a9k.
if you want to dip in multiple pools you can do something like this:
dhcp ipv4
 profile PROXY proxy
  helper-address vrf default 1.1.1.1 giaddr 3.3.3.3
  helper-address vrf default 1.1.1.2 giaddr 2.2.2.2
 !
!
end
this will result in 2 proxy packets to both servers with different giaddr, we'll get two offers back and the client will pick one of them.
in this case you'd want to be unnumbered in your template to a loopback that has both adds configured for simplicity:
interface Loopback0
 ipv4 address 2.2.2.2 255.255.255.0
 ipv4 address 3.3.3.3 255.255.255.0 secondary
something like that.
cheers!
xander
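An added example, not from the thread or from Cisco: a small Python check of the two giaddr constraints described in the reply above, namely that each giaddr falls inside a DHCP server pool (the pool hint) and is an address configured locally on the relay so the server's reply gets back to it. The config text, the extra helper line with giaddr 4.4.4.4, and the server pool list are constructed for illustration.

```python
import ipaddress
import re

# Constructed relay config in the style of the post above; the 4.4.4.4 helper
# line is added here to show a misconfiguration.
RELAY_CONFIG = """\
dhcp ipv4
 profile PROXY proxy
  helper-address vrf default 1.1.1.1 giaddr 3.3.3.3
  helper-address vrf default 1.1.1.2 giaddr 2.2.2.2
  helper-address vrf default 1.1.1.2 giaddr 4.4.4.4
!
interface Loopback0
 ipv4 address 2.2.2.2 255.255.255.0
 ipv4 address 3.3.3.3 255.255.255.0 secondary
"""
# Constructed DHCP server scopes (assumption: one pool per subnet).
SERVER_POOLS = ["2.2.2.0/24", "3.3.3.0/24"]

HELPER_RE = re.compile(r"helper-address vrf \S+ (\S+) giaddr (\S+)")
ADDR_RE = re.compile(r"ipv4 address (\S+) (\S+)")

def select_pool(giaddr, pools):
    """Return the pool containing giaddr (the server's pool hint), or None."""
    addr = ipaddress.ip_address(giaddr)
    for pool in pools:
        if addr in ipaddress.ip_network(pool):
            return pool
    return None

def audit(config, pools):
    """Check every helper line: is its giaddr local, and does a pool match it?"""
    local = {str(ipaddress.ip_interface(f"{a}/{m}").ip)
             for a, m in ADDR_RE.findall(config)}
    report = []
    for server, giaddr in HELPER_RE.findall(config):
        report.append({"server": server, "giaddr": giaddr,
                       "local": giaddr in local,
                       "pool": select_pool(giaddr, pools)})
    return report

if __name__ == "__main__":
    for row in audit(RELAY_CONFIG, SERVER_POOLS):
        ok = row["local"] and row["pool"] is not None
        print("OK  " if ok else "FAIL", row)
```

A request relayed with the access loopback 1.1.1.1 as its source, as in the packet capture described earlier, matches neither pool, which is why the server stayed silent.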
05-18-2016 05:28 AM
Question, you say that "note that you can terminate both kinds on the same access interface. the class-eval can differentiate between session type (pppoe vs dhcp)." However, I can only have 1 service-policy type on an access interface. I have one template for pppoe and now I added one for ipoe. However, only 1 template can be applied at the same time. Is there a way that I can have pppoe and ipoe on the same access interface(vlan)?
05-18-2016 05:42 AM
yup like this mike:
1) define 2 classes to match on the access type:
class-map type control subscriber match-any PPP
 match protocol ppp
end-class-map
!
class-map type control subscriber match-any DHCP
 match protocol dhcpv4
end-class-map
2) define a single policy-map with directions per class on the same event. In this case we are triggering on the 2 different session types, but separate per class what we want to do on that session type
policy-map type control subscriber MIKESSUBS
 event session-start match-first
  class type control subscriber DHCP do-until-failure
   5 activate dynamic-template IPSUB <<< ipsub template
   10 authorize aaa list default identifier source-address-mac password cisco
  !
  class type control subscriber PPP do-until-failure
   10 activate dynamic-template TPL <<< ppp template
  !
 event session-activate match-first
  class type control subscriber PPP do-until-failure
   20 authenticate aaa list default
  !
 !
end-policy-map
3) apply the mike's sub pmap to the access interface and you're golden!
xander
06-28-2019 12:13 PM
12-30-2022 03:58 AM
Hello xthuijs,
I applied my policy map exactly like yours; the bng disconnects the established ppp session when the subscriber cpe also tries dhcp, even with auth fail. Is it possible to set the bng to stop responding to dhcp requests when ppp is established?