PPPoE DS (DHCPv6) Subscriber Bringup in cnBNG
Introduction
In this tutorial we will bringup PPPoE DS subscriber session with plan policies and required ACL received from freeradius. We will use IPCP to assign IPv4 address and DHCPv6 for IPv6 address (IANA+IAPD) assignment to the subscriber.
Topology
In this setup we are using Spirent as the CPE, cnBNG will assign both IPv4 and IPv6 (NA + PD) prefixes to CPE. IPv4 prefix will be assigned using IPCP whereas IPv6 prefix will be assigned through DHCPv6. The prefix assignment will happen through IPAM which is integral part of cnBNG Controlplane.
Prerequisite
- cnBNG CP is already deployed and Ops Center is accessible. We will be using Ops Center CLI interface for configurations in this tutorial
- cnBNG CP initial configuration is applied
- cnBNG CP service network can reach cnBNG UP:
- In multi VM deployment, this means protocol VM VIP (service network) is reachable from cnBNG UP for PFCP communications
- In Baremetal CNDP deployment, this means protocol VM VIP IP, corresponding to the service network, to reach cnBNG UP for PFCP communications
- In single Node/VM AIO deployment, this means AIO VM IP is reachable from cnBNG UP
cnBNG CP Configuration
cnBNG CP Configuration has following constructs/parts:
- IPAM
- Profile PPPoE
- Profile DHCP
- Profile AAA
- Profile Radius
- Profile Feature-Template
- Profile Subscriber
- User-Plane
Let’s understand each config construct step-by-step.
IPAM
IPAM defines subscriber address pools for IPv4, IPv6 (NA) and IPv6 (PD). These are the pools from which CPE will get the IPs. IPAM assigns addresses dynamically by splitting address pools into smaller chunks and then associating each chunk with a user-plane. The pools get freed up dynamically and re-allocated to different user-planes on need basis.
ipam
instance 1
source local
address-pool pool-ISP1
vrf-name default
ipv4
split-size
per-cache 262144
per-dp 262144
exit
address-range 20.0.0.1 20.0.255.254
exit
ipv6
address-ranges
split-size
per-cache 262144
per-dp 262144
exit
address-range 2001::1 2001::1:100
exit
prefix-ranges
split-size
per-cache 65536
per-dp 65536
exit
prefix-range 2001:1:: length 48
prefix-range 2001:2:: length 48
exit
exit
exit
exit
Profile PPPoE
This profile is same as the BBA Group which was defined on ASR9k integrated BNG solution. We define service names etc. For this tutorial we will keep it simple and only specify the MTU.
profile pppoe ppp1
mtu 1494
exit
Profile DHCP
Incase of PPPoE DS subscribers we will be using the DHCPv6 server to assign the IPv6 (IANA+IAPD) prefixes to CPE. For this tutorial we will have cnBNG CP act as a DHCP server to assign IPv6 addresses to CPE/subscribers. In profile DHCP we define the DHCP server and which IPAM pool to use by default for subscriber. We can use different pools for IPv4, IPv6 (IANA) and IPv6 (IAPD).
profile dhcp dhcp-server1
ipv4
mode server
server
pool-name pool-ISP1
dns-servers [ 8.8.8.8 ]
lease days 1
exit
exit
ipv6
mode server
server
iana-pool-name pool-ISP1
iapd-pool-name pool-ISP1
lease days 1
exit
exit
exit
Note: The definition of IPv4 server profile is not needed for PPPoE subscribers. For PPPoE subscribers IPv4 address will be assigned by IPCP and from IPAM directly.
Profile AAA
This profile defines the AAA parameters, like which Radius group to be used for authentication/authorization and accounting. In this tutorial we will be using radius group defined as “local” under radius profile for authentication and accounting.
profile aaa aaa_pppoe-1
authentication
method-order [ local ]
exit
accounting
method-order [ local ]
exit
exit
Profile Radius
Under this profile, Radius groups are created.
profile server-group local
radius-group local
exit
profile radius
algorithm round-robin
deadtime 3
detect-dead-server response-timeout 60
max-retry 2
timeout 5
!!! Radius server IP and port definitions for auth and acct
server 192.168.107.152 1812
type auth
secret cisco
exit
server 192.168.107.152 1813
type acct
secret cisco
exit
attribute
nas-identifier CISCO-BNG
!!! This should be protocol VIP to reach Radius
nas-ip 192.168.107.165
exit
server-group local
server auth 192.168.107.152 1812
exit
server acct 192.168.107.152 1813
exit
exit
exit
!!! we can also set COA client
profile coa
client 192.168.107.152
server-key cisco
exit
exit
Profile Feature-template
This profile defines subscriber feature template. This is the template which will be applied to dynamic subscriber interface. We also enable service/ session accounting here.
profile feature-template pppoe-1
vrf-name default
ipv4
mtu 1500
exit
session-accounting
enable
aaa-profile aaa_pppoe-1
periodic-interval 1800
exit
ppp
authentication [ pap chap ]
!!! will use IPAM pool-ISP1 for IPv4 address assignment using IPCP
ipcp peer-address-pool pool-ISP1
ipcp renegotiation ignore
ipv6cp renegotiation ignore
lcp renegotiation ignore
max-bad-auth 4
max-failure 5
timeout absolute 1440
timeout authentication 5
timeout retry 4
!!! the following command will offload PPP keepalives to cnBNG UP
keepalive interval 30 retry 5
exit
exit
We can also define service profiles using feature-template, which gets applied on per subscriber session. The service profile in case of radius can be applied during authentication/authorization using service activate attribute or it can also be applied using CoA.
profile feature-template FT_Plan_100mbps
qos
in-policy PM_Plan_100mbps_input
out-policy PM_Plan_100mbps_output
exit
exit
Note: In above policy-map PM_Plan_100mbps_input and PM_Plan_100mbps_output are expected to be defined on userplane.
Profile Subscriber
This profile can be attached on per access port level or per user-plane level. This profile for PPPoE defines which dhcp server profile to apply for IPv6 address assignment, along with feature-template, pppoe-profile and aaa-profile to be used for auth/acct.
profile subscriber subscriber-profile_pppoe-1
dhcp-profile dhcp-server1
pppoe-profile ppp1
session-type ipv4v6
activate-feature-templates [ pppoe-1 ]
event session-activate
aaa authenticate aaa_pppoe-1
exit
exit
User-plane
This construct define the association configs. Peering IP as well as subscriber profile to be attached to user-plane or at port level. In this tutorial we will attach subscriber profile at port level.
user-plane ASR9k-1
!!! this should be the IP of ASR9k to which this control-plane will peer with
peer-address ipv4 192.168.107.142
!!! the port-id here is the ASR9k access port or interface name
port-id Bundle-Ether1.102
subscriber-profile subscriber-profile_pppoe-1
exit
exit
cnBNG UP Configuration
UP Configuration has mainly four constructs for cnBNG
- Association Configuration
- DHCP Configuration
- Access Interface
- Feature definitions: QoS, ACL
Association Configuration
This is where we define association settings between cnBNG CP and UP. The auto-loopback with “secondary-address-upadte enable” will allow dynamic IP address allocations using IPAM.
cnbng-nal location 0/RSP0/CPU0
hostidentifier ASR9k-1
!!! cnBNG UP routable IP (may be loopback or direct interface IP) used for peering with cnBNG CP
up-server ipv4 192.168.107.142 vrf default
!!! cnBNG CP IP (generally protocol VIP) used for peering with cnBNG UP
cp-server primary ipv4 192.168.107.165
auto-loopback vrf default
interface Loopback1
!!! Any dummy IP
primary-address 1.1.1.1
!
!
cp-association retry-count 5
secondary-address-update enable
!
Note: NAL stands for Network Adaptation Layer for Cloud Native BNG in IOS-XR
Note: cnBNG CP and UP doesnot require to be on same LAN, they need L3 connectivity for peering
Loopback1 is used for ASR9k internal use for cnBNG.
interface Loopback1
ipv6 enable
DHCP Configuration
This is where we associate access interfaces with cnBNG DHCP profile. cnBNG specific DHCP profile makes sure DHCP packets are punted to cnBNG CP through CPRi/GTP-u tunnel. Since PPPoE subscruibers use dhcp only for IPv6 address assignment, dhcp ipv4 profile is not needed for PPPoE subscribers.
dhcp ipv6
profile cnbng_v6 cnbng
!
interface Bundle-Ether1.102 cnbng profile cnbng_v6
Access Interface Configuration
We define and associate access interface to cnBNG. This way control packets (based on configurations) get routed to the cnBNG CP. The contruct follows ASR9k Integarted BNG model, if you are familiar with.
interface Bundle-Ether1.102
ipv4 point-to-point
ipv4 unnumbered Loopback1
ipv6 enable
pppoe enable
encapsulation ambiguous dot1q 102 second-dot1q any
!
Note: This example uses ambiguous VLAN for access interface which allows 1:1 VLAN model. cnBNG also supports N:1 VLAN model for subscribers.
Radius Profile
Following is Freeradius profile used in this tutorial
cisco Cleartext-Password:="cisco"
cisco-avpair += "subscriber:inacl=iACL_BNG_IPv4",
Cisco-AVpair += "subscriber:ipv6_inacl=iACL_BNG_IPv6",
cisco-avpair += "subscriber:sa=FT_Plan_100mbps"
Verifications
- Verfiy that the cnBNG CP-UP association is up and Active on cnBNG CP ops-center
[cnbng-tme-lab/bng] bng# show peers
Mon Feb 14 13:24:13.982 UTC+00:00
GR CONNECTED INTERFACE
INSTANCE ENDPOINT LOCAL ADDRESS PEER ADDRESS DIRECTION POD INSTANCE TYPE TIME RPC ADDITIONAL DETAILS NAME
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 RadiusServer - 192.168.107.152:1812 Outbound radius-ep-0 Udp 5 hours Radius Status: Active,Type: Auth <none>
0 RadiusServer - 192.168.107.152:1813 Outbound radius-ep-0 Udp 5 hours Radius Status: Active,Type: Acct <none>
1 n4 192.168.107.165:8805 192.168.107.142:8805 Inbound bng-nodemgr-0 Udp 4 hours UPF Name: ASR9k-1,Nm: 0/0,Status: ACTIVE <none>
- Verify that the CP-UP Association is Up and Active on cnBNG UP
RP/0/RSP0/CPU0:ASR9k-1#show cnbng-nal cp connection status
Sun Jan 23 08:51:52.041 IST
Location: 0/RSP0/CPU0
User-Plane configurations:
-------------------------
IP : 192.168.107.142
GTP Port : 2152
PFCP Port : 8805
VRF : default
Control-Plane configurations:
----------------------------
PRIMARY IP : 192.168.107.165
GTP Port : 2152
PFCP Port : 8805
Association retry count: 5
Connection Status: Up
Connection Status time stamp: Sun Jan 23 04:35:05 2022
Connection Prev Status: Down
Connection Prev Status time stamp: Sun Jan 23 04:06:52 2022
Association status: Active
Association status time stamp: Sun Jan 23 04:35:04 2022
- Verify subscriber session is up on cnBNG CP ops-center
[cnbng-tme-lab/bng] bng# show subscriber session detail
Mon Feb 14 13:31:58.431 UTC+00:00
subscriber-details
{
"subResponses": [
{
"subLabel": "16777219",
"mac": "0010.9400.0009",
"acct-sess-id": "cnbng-tme-lab_DC_16777219",
"upf": "ASR9k-1",
"port-id": "Bundle-Ether1.102",
"up-subs-id": "2147711504",
"sesstype": "ppp",
"state": "established",
"subCreateTime": "Mon, 14 Feb 2022 09:59:04 UTC",
"transId": "6",
"subsAttr": {
"attrs": {
"Authentic": "RADIUS(1)",
"Framed-Protocol": "PPP(1)",
"Interface-Id": "0x7026f8fae3ac86e5",
"addr": "20.0.0.4",
"addrv6": "2001::5",
"authen-type": "pap(1)",
"client-mac-address": "0010.9400.0009",
"connect-progress": "DUAL_STACK_OPEN(249)",
"delegated-prefix": "2001:1::/64",
"dhcpv6-client-id": "0x00010001620a2570001094000009",
"inner-vlan-id": "1",
"outer-vlan-id": "102",
"physical-adapter": "0",
"physical-chassis": "0",
"physical-port": "1",
"physical-slot": "0",
"physical-subslot": "0",
"port-type": "PPPoE over QinQ(34)",
"pppoe-session-id": "3",
"protocol-type": "ppp(2)",
"service-type": "Framed(2)",
"string-session-id": "cnbng-tme-lab_DC_16777219",
"username": "cisco",
"vrf": "default"
}
},
"subcfgInfo": {
"committedAttrs": {
"attrs": {
"accounting-list": "aaa_pppoe-1",
"acct-interval": "1800",
"addr-pool": "pool-ISP1",
"inacl": "iACL_BNG_IPv4",
"ipv4-mtu": "1500",
"ipv6_inacl": "iACL_BNG_IPv6",
"ppp-authentication": "pap,chap",
"ppp-ipcp-reneg-ignore": "true",
"ppp-ipv6cp-reneg-ignore": "true",
"ppp-keepalive-interval": "30",
"ppp-keepalive-retry": "5",
"ppp-lcp-reneg-ignore": "true",
"ppp-max-bad-auth": "4",
"ppp-max-failure": "5",
"ppp-timeout-abs-minutes": "1440",
"ppp-timeout-authentication": "5",
"ppp-timeout-retry": "4",
"session-acct-enabled": "true",
"vrf": "default"
}
},
"activatedServices": [
{
"serviceName": "pppoe-1",
"serviceAttrs": {
"attrs": {}
}
},
{
"serviceName": "FT_Plan_100mbps",
"serviceAttrs": {
"attrs": {
"sub-qos-policy-in": "PM_Plan_100mbps_input",
"sub-qos-policy-out": "PM_Plan_100mbps_output"
}
}
}
]
},
"smupstate": "smUpSessionCreated",
"v4AfiState": "Up",
"v6AfiState": "Up",
"interimInterval": "1800",
"interimSentToUp": "1740",
"sessionAccounting": "enable",
"serviceAccounting": "disable",
"upAttr": {
"attrs": {
"Interface-Id": "0x7026f8fae3ac86e5",
"addr": "20.0.0.4",
"addrv6": "2001::5",
"delegated-prefix": "2001:1::/64",
"ppp-keepalive-interval": "30",
"ppp-keepalive-retry": "5",
"ppp-local-magic-number": "4060452463",
"ppp-mtu": "1500",
"ppp-peer-magic-number": "2318123741"
}
},
"chargingInfo": {
"sessionType": "CHARGING_AF_IPv4_IPv6",
"sessionAccounting": {
"periodicInterval": 1800,
"accountingProvision": "Enable",
"stateInfo": "CHARGING_STATE_START_ACK",
"accountingStart": {
"reqStartSuccess": "Mon, 14 Feb 2022 09:59:13 UTC"
},
"accountingUpdate": {
"reqInterimSuccess": "Mon, 14 Feb 2022 13:29:20 UTC",
"periodicAccountingProvision": "Enable",
"InterimIntervalTimeout": 1800,
"totalInterimReq": 10,
"totalInterimFailure": 0
},
"accountingStop": {},
"sessionDataStats": {
"inputPkts": 431,
"outputPkts": 495,
"inputOctet": 30142,
"outputOctet": 26437
},
"acct-sess-id": "cnbng-tme-lab_DC_16777219"
}
},
"sess-events": [
"Time, Event, Status",
"2022-02-14 09:59:04.504 +0000 UTC, SessionCreate, success",
"2022-02-14 09:59:08.524 +0000 UTC, SessionActivate, success",
"2022-02-14 09:59:13.552 +0000 UTC, SessionUpdate, success",
"2022-02-14 09:59:13.741 +0000 UTC, SessionUpdate, success",
"2022-02-14 10:00:15.836 +0000 UTC, SessionUpdate, success",
"2022-02-14 10:06:47.424 +0000 UTC, SessionUpdate, success",
"2022-02-14 10:06:57.01 +0000 UTC, SessionUpdate, success"
],
"dhcpAuditId": 1,
"pppAuditId": 4
}
]
}
- Verify that the subscriber session is up and working on cnBNG UP
RP/0/RSP0/CPU0:ASR9k-1#show cnbng-nal subscriber all
Sun Jan 23 08:59:04.282 IST
Location: 0/RSP0/CPU0
Codes: CN - Connecting, CD - Connected, AC - Activated,
ID - Idle, DN - Disconnecting, IN - Initializing
CPID(hex) Interface State Mac Address Subscriber IP Addr / Prefix (Vrf) Ifhandle
---------------------------------------------------------------------------------------------------
1000003 BE1.102.pppoe2147711504 AC 0010.9400.0009 20.0.0.4 (default) 0x67420
2001::5 (IANA)
2001:1::/64 (IAPD)
Session-count: 1
RP/0/RSP0/CPU0:ASR9k-1#show subscriber running-config interface name BE1.102.pppoe2147711504
Sun Jan 23 08:59:43.855 IST
Building configuration...
!! IOS XR Configuration 7.4.2.32I
subscriber-label 0x80037a10
dynamic-template
type user-profile U00037a10
ipv6 access-group iACL_BNG_IPv6 ingress
ipv4 access-group iACL_BNG_IPv4 ingress
ipv4 mtu 1500
ipv4 unnumbered Loopback1
ipv6 enable
!
type service-profile FT_Plan_100mbps
service-policy input PM_Plan_100mbps_input
service-policy output PM_Plan_100mbps_output
!
!
end
* Suffix indicates the configuration item can be added by aaa server only
RP/0/RSP0/CPU0:ASR9k-1#
Note: “show subscriber running-config” is the same CLI used on ASR9k integrated BNG, so ignore- Suffix indicates the configuration item can be added by aaa server only, from the output as there is no direct interaction of cnBNG UP with AAA.
Note: The ACL and QoS policies applied on subscriber interface must be defined on ASR9k (cnBNG UP), prior to subscriber session bring-up.
- Notice that the subscriber subnet route is programmed in RIB along with subscriber route
RP/0/RSP0/CPU0:ASR9k-1#show route subscriber
Sun Jan 23 09:06:19.940 IST
A 20.0.0.0/16 [1/0] via 0.0.0.0, 04:31:06
A 20.0.0.4/32 is directly connected, 03:44:28, Bundle-Ether1.102.pppoe2147711504
RP/0/RSP0/CPU0:ASR9k-1#show route ipv6 subscriber
Sun Jan 23 09:06:25.292 IST
A 2001::/111
[1/0] via ::, 04:30:20
A 2001::1/128 is directly connected,
1w2d, Unknown
A 2001::5/128 is directly connected,
03:36:50, Bundle-Ether1.102.pppoe2147711504
A 2001:1::/48
[1/0] via ::, 03:36:51
A 2001:1::/64
[2/0] 03:36:50, Bundle-Ether1.102.pppoe2147711504
RP/0/RSP0/CPU0:ASR9k-1#
Leave a Comment