csc bng workshop
DESCRIPTION
Cisco Support Community - Live Webcast: ASR 9000 BNG Concept and Configuration
TRANSCRIPT
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Presentation_ID 1
Cisco Support Community - Live Webcast:
ASR 9000 BNG Concept and Configuration
Bruno Novais
High Touch Engineer
CCIE R&S# 37673
Webcast with Cisco Community Technology Experts
Today's expert:
Bruno Novais, High Touch Engineer at Cisco Brazil
Webcast with Cisco Community Technology Experts
Today's assisting expert:
Gustavo Coutinho, Cisco Brazil Support Engineer
Thank you for joining us today!
During the presentation, a few questions will be put to the audience.
Give your answers and participate!
Thank you for joining us today!
If you want to download a copy of today's presentation, just click the link below or go to the Support Community and look for this webcast under the "Experts' Corner" tab.
First Question
What is your experience with BNG?
a) Basic. I have had some contact with it, but I don't understand much about the solution itself.
b) I have advanced knowledge.
c) I am in the process of learning.
d) I am not familiar with this solution.
ASR 9000 BNG Concept and Configuration
Bruno Novais, High Touch Engineer, CCIE R&S# 37673
Agenda
History of Broadband: Recap
ASR 9000 BNG Overview
Configuration
Example: PPPoE Subscriber
Example: IPoE Subscriber
Troubleshooting

History of Broadband: Recap
Broadband Forum: Provider Networks Segmentation
The Broadband Forum divides network entities into three groups: Customer Premises, Network Access Provider (NAP) and Network Service Provider (NSP).
NAP (Network Access Provider): provides connectivity to Service Providers. Encompasses the access network (DSL or other) and the aggregation and core networks, including the POP (Point Of Presence).
NSP (Network Service Provider), e.g. ISPs, content providers, corporate networks: implements services (Internet connectivity, business access, application-specific content hosting) and handles authentication and address assignment.
NAP and NSP can be the same operator.
Broadband... Once Upon a Time...
NAP core network can be ATM end to end or a combination of ATM and IP based interfaces toward NSPs (ATM VC terminated on a Broadband Access Server (BAS) in the NAP)
PPP is the subscriber access protocol, with a PPPoA stack
An ATM VC (typically a PVC) is required for each subscriber PPP session toward an NSP service
PPP can be terminated at the NSP or inside the NAP network, depending on the architecture
(Diagram: customer premises reach the BRAS over ATMoDSL PVCs carrying PPPoA; from the BRAS toward the NSPs (content providers, ISP, corporate networks) the transport is ATM, FR or IP with PPPoA/L2TP/IP, PPP/IP or plain IP stacks)
Point To Point Protocol (PPP)
What is PPP?
It's a Data Link protocol originally designed to operate over point-to-point serial links. Extended to operate in broadband environments with PPPoX protocols (PPPoE, PPPoA). Defined in RFC 1661.
Why is it special?
It natively embeds functionalities like:
Keepalives
Reliable link
Maximum Receive Unit (MRU) negotiation
Compression
Authentication, Authorization, Accounting
Link aggregation and fragmentation
Multi-protocol support
Peer address assignment
...more...
Appealing from a subscriber management perspective.
Broadband Architecture Evolution
Adoption of PPPoE, as replacement of PPPoA, as the subscriber access protocol
PPPoE can multiplex several PPP sessions over any point-to-point or multipoint transport
Each end client station can start a PPP session (CPE in bridged mode) => simultaneous multi-provider access supported
PPPoE session can also be started by the CPE (CPE in routed mode)
Ethernet in first mile and aggregation network
• Optimized multicast distribution and QoS in the aggregation network
• Distributed service insertion ("Multi Edge")
• Virtualized Layer-2 services (with VLANs)
From BRAS to Broadband Network Gateway (BNG) at the IP edge
(Diagram labels: Eth, FR, POS; IP; ATMoDSL, EFM; Ethernet (.1Q, QnQ, .1ad), EoMPLS; PPPoE; BNG; PPP; L2TP, VPN, Vlan; Aggregation; Ethernet)
PPP over Ethernet - PPPoE
• PPP session started by CPE or end user
• CPE can operate in routed or bridged mode
• CPE in routed mode: runs NAT to support multiple users
• PPPoE supports multiple access technologies
• Access technology can still be DSL
• Aggregation is ATM or Ethernet
Defined in RFC 2516
PPP assumes point-to-point connectivity; Ethernet is a broadcast technology
PPPoE provides the tools required to carry PPP over a broadcast network
PPPoE requires a discovery phase before PPP negotiation can start
Same or different interface per CPE
PPPoE flavor depends on the interface type:
ATM interface: PPPoEoA
Main Ethernet: PPPoEoE
dot1Q Eth. subinterface: PPPoEoVLAN
QnQ subinterface: PPPoEoQnQ
(Diagram labels: Access, Aggregation, Ethernet or ATM)
PPPoE Discovery (PADI, PADO, PADR, PADS)
Host sends a PPPoE Active Discovery Initiation (PADI); PADI is a MAC broadcast frame.
Edge device(s) send a PPPoE Active Discovery Offer (PADO); PADO is a MAC unicast frame to the originating station. Several PPP edge devices may be present.
Host selects an edge device and sends it a PPPoE Active Discovery Request (PADR); PADR is MAC unicast to the selected edge device.
The selected edge device allocates a unique SessionID and sends it to the host via a PPPoE Active Discovery Session-confirmation (PADS); PADS is MAC unicast from the selected edge device to the host.
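Added example, not from the deck: Python that builds the four discovery frames described above per RFC 2516 and validates the exchange the way a receiver should, checking the broadcast/unicast rules and SessionID allocation the slide lists plus the Host-Uniq and AC-Cookie echo rules. The MAC addresses, AC name and cookie are constructed values.

```python
import struct

# RFC 2516 constants: discovery ethertype, broadcast MAC, codes and the tag types used here
ETHERTYPE_DISCOVERY = 0x8863
BROADCAST = b"\xff" * 6
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
CODE_BY_NAME = {name: code for code, name in CODES.items()}
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0101, 0x0102, 0x0103, 0x0104

def mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def build_discovery(dst, src, code, session_id, tags):
    """Build one discovery frame: Ethernet header, PPPoE header (ver=1 and type=1 packed
    as 0x11, code, SessionID, payload length) and a list of (type, value) tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    header = struct.pack("!BBHH", 0x11, CODE_BY_NAME[code], session_id, len(payload))
    return dst + src + struct.pack("!H", ETHERTYPE_DISCOVERY) + header + payload

def parse_discovery(frame):
    """Parse a discovery frame into a dict; any malformed field raises ValueError so a
    receiver can drop the frame instead of acting on it."""
    if len(frame) < 20:
        raise ValueError("frame too short for a PPPoE discovery header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_DISCOVERY:
        raise ValueError("ethertype 0x%04x is not PPPoE discovery" % ethertype)
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11:
        raise ValueError("unsupported PPPoE version/type 0x%02x" % ver_type)
    if code not in CODES:
        raise ValueError("unknown discovery code 0x%02x" % code)
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("PPPoE length field exceeds the frame")
    tags, pos = {}, 0
    while pos + 4 <= len(payload):
        tag_type, tag_len = struct.unpack("!HH", payload[pos:pos + 4])
        value = payload[pos + 4:pos + 4 + tag_len]
        if len(value) != tag_len:
            raise ValueError("truncated tag 0x%04x" % tag_type)
        if tag_type == 0x0000:            # End-Of-List
            break
        tags.setdefault(tag_type, []).append(value)
        pos += 4 + tag_len
    return {"dst": dst, "src": src, "code": CODES[code],
            "session_id": session_id, "tags": tags}

def check_exchange(frames):
    """Validate a PADI/PADO/PADR/PADS sequence against the rules on the slide (who
    broadcasts, who unicasts to whom, when the SessionID appears) and the RFC 2516
    Host-Uniq / AC-Cookie echo rules. Returns the SessionID the edge device allocated."""
    msgs = [parse_discovery(f) for f in frames]
    if [m["code"] for m in msgs] != ["PADI", "PADO", "PADR", "PADS"]:
        raise ValueError("unexpected discovery sequence")
    padi, pado, padr, pads = msgs
    host, ac = padi["src"], pado["src"]
    if padi["dst"] != BROADCAST:
        raise ValueError("PADI must be a MAC broadcast")
    if any(m["session_id"] != 0 for m in (padi, pado, padr)):
        raise ValueError("SessionID must be 0 until the PADS")
    if pado["dst"] != host or pads["dst"] != host:
        raise ValueError("PADO and PADS must be unicast to the originating host")
    if padr["src"] != host or padr["dst"] != ac or pads["src"] != ac:
        raise ValueError("PADR must go from the host to the selected edge device")
    if pads["session_id"] == 0:
        raise ValueError("PADS must carry a non-zero SessionID")
    if padi["tags"].get(TAG_HOST_UNIQ) != pado["tags"].get(TAG_HOST_UNIQ):
        raise ValueError("PADO did not echo the Host-Uniq tag")
    if pado["tags"].get(TAG_AC_COOKIE) != padr["tags"].get(TAG_AC_COOKIE):
        raise ValueError("PADR did not echo the AC-Cookie tag")
    return pads["session_id"]

HOST, BNG = mac("00:11:22:33:44:55"), mac("00:aa:bb:cc:dd:ee")   # constructed MACs

def sample_exchange():
    """Constructed four-frame exchange between HOST and one edge device (BNG)."""
    uniq, cookie, svc = b"\x00\x00\x00\x07", b"c00kie", b""   # empty Service-Name = any
    return [
        build_discovery(BROADCAST, HOST, "PADI", 0, [(TAG_SERVICE_NAME, svc), (TAG_HOST_UNIQ, uniq)]),
        build_discovery(HOST, BNG, "PADO", 0, [(TAG_SERVICE_NAME, svc), (TAG_AC_NAME, b"asr9k-bng"),
                                               (TAG_AC_COOKIE, cookie), (TAG_HOST_UNIQ, uniq)]),
        build_discovery(BNG, HOST, "PADR", 0, [(TAG_SERVICE_NAME, svc), (TAG_AC_COOKIE, cookie),
                                               (TAG_HOST_UNIQ, uniq)]),
        build_discovery(HOST, BNG, "PADS", 0x0042, [(TAG_SERVICE_NAME, svc), (TAG_HOST_UNIQ, uniq)]),
    ]

if __name__ == "__main__":
    print("allocated SessionID: 0x%04x" % check_exchange(sample_exchange()))
```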
Second Question
What is the first packet used in PPPoE Discovery?
a) PADI
b) PADR
c) DHCP
d) Discovery
PPP Operations
PPP is comprised of three main components:
A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link (or subscriber) connection; authentication (if required) is also part of LCP
A family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols
A method for encapsulating multi-protocol datagrams, based on HDLC
PPP Session Establishment
LCP phase: Configure Request and Configure Ack/Nack are exchanged in both directions until LCP is Open. Negotiation of data link parameters: MRU, authentication, keepalives, compression...
Authentication phase (optional): only performed if authentication was negotiated during the configuration exchange
NCP phase: activation of all supported network protocols; each protocol has its own <prot>CP phase (e.g. IPCP for IP). IPCP Configure Request and IPCP Configure Ack/Nack are exchanged until IPCP is Open. For IP, the IPCP phase includes peer address assignment, if negotiated.
Data exchange: the link is established and data exchange can start
Evolution to all IPoE
Access technology | ATM over DSL | EFM (EoDSL, PON, PTP) | EFM (EoDSL, PON, PTP)
Subscriber access protocol | PPP | IP | PPP
Access technology dependent protocol stack | DSL / ATM / RFC2684 / Ethernet | EFM Phy / Ethernet | EFM Phy / Ethernet
Subscriber access protocol dependent protocol stack | PPPoE / PPP / IP | IP | PPPoE / PPP / IP
First-time introduction of Ethernet as the L2 protocol over DSL
Access node becomes Ethernet aware even on the first mile
Subscriber IP traffic carried over Ethernet end to end
(Diagram labels: IP, BNG, Aggregation)
PPP to IP Session Comparison: Requirements Mapped to PPP and IP Sessions
Session Requirement | PPP / PPPoE Session | IP Session
Subscriber session endpoint | PPPoE/PPP client | Multiple options; common: device (see also "Identification")
Subscriber authentication (authentication protocol selection) | PPP LCP auth. phase (PAP, CHAP, ...) | MAC/line authentication, portal solutions, DHCP auth
Subscriber isolation | Per-session PPP encap | L3: session controller, ACLs, VRFs; L2: VLAN, private VLAN
Subscriber/session identification | Session ID | Multiple options (interface, MAC, IP address, ...)
IP addressing | PPP NCP | DHCP, static, ...
Session health - keepalive | PPP LCP | Multiple options (ARP ping, ICMP ping, ...)
Start/stop session | PPP LCP | Multiple options (packet arrivals, DHCP, ...)
Traffic encapsulation | PPPoE, PPP encap | none
Traffic forwarding | Point to point | Point to point & multipoint
Wholesale | PPP/L2TP | L3: VRF; L2: VLAN, EoMPLS PW
Subscriber mobility/nomadism | Reestablish PPP session | Transparent Autologon, portal solutions

ASR 9000 BNG Overview
Hardware Support
RSP: RSP440-SE (NG RSP only)
Chassis: ASR9006, ASR9010, ASR9001 (4.2.1), ASR9922 (4.2.2)
Access-facing linecards (BNG): X-Men (aka Typhoon) Service Edge optimized linecards only: Weapon-X-SE with A9K-MPA-2x10GE, A9K-MPA-4x10GE or A9K-MPA-20x1GE
Core-facing linecards: any Trident- or Typhoon-based linecard
SIP-700 linecards supported for non-L2TP based applications only
Scale and Performance (4.2.0)
Metric | Per Port/NPU | Per LC | Per System
PPPoE sessions (LAC or PTA) | 8k/32k | 32k | 64k
LAC tunnels | n/a | n/a | 10k
IPoE sessions | 8k/32k | 32k | 64k
QoS policies | n/a | 1000 | 2000
VLANs (non-ambiguous) | 8k/8k | 8k | 8k
Avg. number of classes per policy | 4/4 | 4 | 4
Bundles | n/a | n/a | 250
Members per bundle | n/a | n/a | 64
Calls per second | n/a | 100 | 100
BNG's Place in the Network
Deployed at the access or service edge
Communicates with other devices to control all aspects of subscriber access in the network
Single point of contact for:
Subscriber identification
Subscriber authentication
Subscriber policies determination and enforcement
Dynamic policy update
(Diagram: the BNG sits between the access network and the Internet/Core, fronting the Subscriber Policy Layer (AAA Server, Policy Server, Web Portal, DHCP Server), a Walled Garden with a Guest Portal and an Open Garden with video/audio servers)
BNG Key Functions
Subscriber Identification: create a per-subscriber construct over a shared interface. Example: there are 3 subscribers (John, Mike and Ted) connected through G0/1.10.
Subscriber Authentication and Authorization: uniquely establish the subscriber's identity and determine the subscriber's policies. Example: John and Mike are HSI users, Ted is a VoIP user.
Subscriber Address Management: assign a unique IP address to each subscriber based on the provider domain. Example: the subscriber addresses should be 10.1.1.10 for John, 10.1.1.20 for Mike and 10.1.1.30 for Ted.
Subscriber Policy Layer Components
AAA Server: subscriber authentication/authorization; user and service profile repository; accounting; front end toward the billing system
Policy Server: dynamic policy push (application-level trigger)
Web Portal: front end toward the subscriber for self subscription, web logon and service selection (application-level trigger)
DHCP Server: hand over of addresses to subscribers
Note: AAA Server, Policy Server and Web Portal can co-reside in the same appliance
(Diagram labels: Walled Garden, Guest Portal, Open Garden with video/audio servers, Internet/Core)
Dynamic Policy Activation
Dynamic policy push (e.g. "Turbo Button"): triggered by an application/service layer event, coming from the Policy Server or Web Portal
Dynamic policy pull (e.g. automatic service-profile download on session establishment): triggered by a network layer event, served by the AAA Server
(Diagram labels: Walled Garden, Guest Portal, Open Garden, DHCP Server, Subscriber Policy Layer)
Northbound Interfaces
RADIUS interface, for subscriber AAA functionalities and service download (Policy PULL)
RADIUS Extensions (RFC 3576) open interface, for dynamic, administrator- or subscriber-driven session and service management functions (Policy PUSH)
(Diagram labels: Walled Garden, Guest Portal, Open Garden with video/audio servers, Internet/Core, Subscriber Policy Layer: AAA Server, Policy Server, Web Portal, DHCP Server)
The Subscriber Session
Construct that represents a subscriber
Subscriber: a billable entity and/or an entity that should be authenticated/authorized
Common context on which subscriber policies are activated
Created at the first sign of peer activity (FSOL = First Sign Of Life)
(Diagram: Subscriber 1, 2 and 3 each mapped to its own subscriber session on the BNG, which fronts the Subscriber Policy Layer: AAA Server, Policy Server, Web Portal, DHCP Server)
Deployment Models
LAC: PPP sessions (IP/PPP/PPPoE over .1Q or QnQ Ethernet on the access side) are tunneled toward the retailer over L2TP (IP/UDP); L2TP over native IP, VRF Lite or MPLS VPNs (Retailer X VRF)
PTA: PPP sessions (IP/PPP/PPPoE over .1Q or QnQ Ethernet) are terminated on the BNG and L3 forwarded; toward the Internet over native IP, VRF Lite, MPLS or MPLS VPNs, or toward the retailer (wholesale) via VRF Lite or MPLS VPNs (Retailer X VRF)
IP sessions, Layer 2 connected: IP over .1Q, QnQ or .1ad Ethernet (subscribers may sit behind an L2 bridge), L3 forwarded; toward the Internet over native IP, VRF Lite, MPLS or MPLS VPNs, or toward the retailer via VRF Lite or MPLS VPNs (Retailer X VRF)
BNG enabled interface (access-interface) in 4.2.x: must be a Bundle-Ethernet subinterface
Converged Access
L2TP wholesale (PPP only): L2TP over native IP, VRF Lite or MPLS VPNs toward the retailer (Retailer X VRF)
IP wholesale (IP and PPP): VRF Lite or MPLS VPNs toward the retailer (Retailer X VRF)
Retail: native IP, VRF Lite, MPLS or MPLS VPNs toward the Internet
All models and subscriber types (PPPoE and IPoE) are supported over the same access interface on the same physical port
Session Authentication
Authentication models supported:
Access protocol native authentication: PPP: CHAP/PAP
Transparent Authorization: authenticates using subscriber-related network identifiers, e.g. MAC/IP address, DHCP Option 82, DHCP Option 60 (4.2.1), NAS-Port-ID (4.2.1), PPPoE tags...
Web Logon
Authentication is not mandatory on a session, but is used in most situations.
Authentication: allow access to network resources only to recognized users.
Session Authentication: PPP Retailer, common scenarios
PPP CHAP/PAP: uses legacy PPP authentication protocols. RADIUS username: PPP username; password: PPP password.
TAL with PPPoE tags: the access node/CPE inserts PPPoE Intermediate Agent tags (Circuit ID and Remote ID) in the PPPoE control messages; the BNG performs authentication using a combination of Circuit ID and Remote ID as the username (flexible and customizable username format). RADIUS username: RemoteID:CircuitID; password: shared.
Web Logon (direct): the user logs on to a web portal to enter credentials (username and password); the credentials are propagated to the BNG, which uses them to authenticate the user with AAA. RADIUS username/password: the web logon credentials. 4.2.0 only supports direct portal access; HTTP redirect comes in 4.2.1.
(The slide ranks these scenarios on a deployment likelihood scale, - to +.)
Session Authentication: PPP Wholesaler (L2TP tunnel to ISP)
Domain based authentication: PPP CHAP/PAP is used to collect the subscriber username; the username must be in FQDN format (Fully Qualified Domain Name); the username portion of the FQDN is stripped; the domain portion of the FQDN is used to authenticate the user and determine the ISP; the password is a shared password defined on the box. RADIUS username: domain; password: shared password.
Alternate method: authenticate the user based on the FQDN username and the line password.
Session Authentication: IP Retailer, common scenarios
TAL with DHCP Option 82: the access switch/DSLAM inserts Option 82 Circuit ID and Remote ID in DHCP requests; the BNG performs authentication using a combination of Circuit ID and Remote ID as the username; the MAC address can also be used; 4.2.1 adds support for Option 60; customizable username format. RADIUS username: MAC:RemoteID:CircuitID.
Web Logon (direct): the user logs on to a web portal to enter credentials; the credentials are propagated to the BNG, which uses them to authenticate the user with the AAA server. RADIUS username: the web logon username. 4.2.0 only supports direct portal access; HTTP redirect comes in 4.2.1; L4 redirect beyond 4.2.1.
(Diagram: DHCP exchange, redirection and data traffic between subscriber, BNG, AAA server and web portal; the slide ranks the scenarios on a deployment likelihood scale, - to +.)
Session Authentication: WebLogon with HTTP redirect (4.2.1)
1. The client sends an HTTP TCP SYN toward an Internet website; the B<br>NG intercepts the TCP exchange for HTTP session establishment and completes it itself (TCP SYN-ACK, TCP ACK).
2. The client sends an HTTP GET; the BNG returns HTTP 302 with a redirect URL pointing to the Web Logon Portal.
3. The client opens an HTTP session with the Web Logon Portal and enters credentials.
4. Regular Web Logon procedures follow between the portal and the BNG.
RADIUS Interface: Access Request (Policy PULL)
Access-Request is used for: session authentication, session authorization, service authentication, service profile download
Access-Accept is used to return: credential verification notification, user profile and associated services, service profile download
Access-Reject is used for: credential verification failure notification
Access-Challenge is used for: PPP CHAP authentication
RADIUS Interface Extensions (Policy PUSH)
ASR9000 supports RADIUS Extensions as defined in RFC 3576, which facilitate dynamic session control from a policy server (CoA Request answered with CoA ACK or CoA NAK).
Standard primitives include: Disconnect Messages (DM, aka PoD); Change of Authorization (CoA)
Proprietary CoA extensions: Account Logon, Account Logoff, Account Update, Service Activate, Service De-activate
How Are Attributes Applied on a Session?
During subscriber authentication/authorization: the subscriber is successfully authenticated (RADIUS Access-Request / Access-Accept with the AAA Server); the RADIUS response includes a list of attributes to apply on the session (from the user profile); attributes are applied individually.
Via an external Policy Manager/Web Portal: a Service Activate or Account Update request is sent by the external policy manager via RADIUS CoA. Service-Activate: attributes applied as part of a template; Account-Update: attributes applied individually.
Via the on-box control policy: the policy plane determines what actions to take on the session based on events (from the external policy manager or from the data plane); actions include applying a template; the control plane ensures the actions are taken, i.e. it provisions the data plane; the data plane enforces traffic conditioning policies on the session; attributes applied as part of a template.
Session Termination
PPPoE sessions exclusively: PPP and PPPoX protocol events: PPP disconnect; PPP keepalive or L2TP hello failure. A PADT is sent to terminate individual PPP sessions when the L2TP tunnel goes down.
IPoE sessions exclusively: DHCP: DHCP Release or DHCP lease expiry (*). Web Portal/PM: Web Logoff; RADIUS CoA Account-Logoff.
IPoE (*) and PPPoE sessions: Policy Manager: RADIUS PoD (Packet of Disconnect); absolute timeouts/timer expiry; CLI clear command.
(*) The IPoE session is deleted and the DHCP binding flagged (see next slide).

Configuration
Dynamic Session Initiation
Subscriber sessions are initiated at the First Sign of Life (FSOL). FSOL depends on the session type.
PPP sessions: FSOL is the PPPoE call request (PADx); session-start event on PADR receipt; 2-stage session establishment (session-start, session-activate); subscriber identified by MAC + PPP session ID.
IP sessions: FSOL is the DHCP Discover message; session-start event; single-stage session establishment; subscriber identified by MAC address; the BNG must be a DHCP proxy. DHCP proxy = DHCP relay that: 1. creates and maintains DHCP bindings; 2. impersonates the server from the client's standpoint.
Third Question
What is the FSOL in IPoE with DHCP?
a) PADI
b) First IP packet
c) Any L2 broadcast
d) DHCP Discovery
e) DHCP Request
Dynamic Session Initiation: configuration
IP sessions (FSOL: DHCP Discover):
dhcp ipv4
 profile DHCP_B10_60_PF proxy
  ! external DHCP server and the giaddr inserted in relayed messages
  helper-address vrf default 1.86.19.19 giaddr 60.1.1.1
 !
 ! the interface must reference the profile defined above
 interface Bundle-Ether10.60 proxy profile DHCP_B10_60_PF
!
interface Bundle-Ether10.60
 ipv4 point-to-point
 ipv4 unnumbered Loopback1060
 service-policy type control subscriber IP_PM
 encapsulation dot1q 60
 ipsubscriber ipv4 l2-connected
  initiator dhcp
 !
!
PPP sessions (FSOL: PPPoE call request, PADx):
pppoe bba-group default
 service selection disable
!
interface Bundle-Ether10.50
 service-policy type control subscriber PPP_PM
 encapsulation dot1q 50
 pppoe enable bba-group default
!
Session Authentication: Customizable Username Format
Step 1: Define the username format
aaa attribute format USERNAME_FORMAT
 remote-id plus circuit-id plus mac-address separator -
!
aaa attribute format USERNAME_FORMAT1
 mac-address plus circuit-id separator |
!
Step 2: Specify the desired username format and the password to use for authorization (inside the control policy class)
<snip>
 20 authorize aaa list default format USERNAME_FORMAT password <pwd>
<snip>
remote-id and circuit-id come from DHCP Option 82 or from PPPoE tags; vendor-class-id comes from DHCP Option 60.
4.2.1 introduces username definition based on an arbitrary, user-defined string:
aaa attribute format USERNAME_FORMAT_SUPER_FLEXIBLE
 format-string "%s:%s:%[email protected]" remote-id circuit-id vendor-class-id
!
Additional options: phy-slot, phy-subslot, phy-port, outer-vlan-id, inner-vlan-id, which allow for NAS-Port-ID based username creation.
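Added example, not from the deck: Python that parses the Option 82 sub-options and Option 60 out of a constructed DHCPDISCOVER and builds the RADIUS username for each of the three aaa attribute formats above. Assumptions: the separator is inserted between the concatenated identifiers, the MAC is rendered in dotted aabb.ccdd.eeff form, and the domain suffix of the format-string is a placeholder because the slide's own suffix is not legible on the page.

```python
# DHCP option codes used by the slide's username formats (RFC 2132 / RFC 3046)
OPT_PAD, OPT_END, OPT_VENDOR_CLASS, OPT_RELAY_AGENT = 0, 255, 60, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2          # Option 82 sub-options

def parse_dhcp_options(options):
    """Parse the DHCP options field (bytes after the magic cookie) into {code: value};
    Option 82 is expanded into {sub-option: value}. Truncated encodings raise."""
    out, pos = {}, 0
    while pos < len(options):
        code = options[pos]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            pos += 1
            continue
        if pos + 2 > len(options):
            raise ValueError("truncated option header at offset %d" % pos)
        length = options[pos + 1]
        value = options[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        out[code] = parse_relay_agent(value) if code == OPT_RELAY_AGENT else value
        pos += 2 + length
    return out

def parse_relay_agent(value):
    """Split the Option 82 payload into its sub-options (same TLV shape)."""
    sub, pos = {}, 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated Option 82 sub-option header")
        code, length = value[pos], value[pos + 1]
        data = value[pos + 2:pos + 2 + length]
        if len(data) != length:
            raise ValueError("truncated Option 82 sub-option %d" % code)
        sub[code] = data
        pos += 2 + length
    return sub

def identifiers(chaddr, options):
    """Collect the identifiers a format may reference. Absent ones stay missing, so a
    format that needs them fails closed instead of yielding an empty component."""
    opts = parse_dhcp_options(options)
    relay = opts.get(OPT_RELAY_AGENT, {})
    ids = {"mac-address": chaddr.hex(".", 2)}        # dotted form, assumed
    for key, src, code in (("circuit-id", relay, SUB_CIRCUIT_ID), ("remote-id", relay, SUB_REMOTE_ID),
                           ("vendor-class-id", opts, OPT_VENDOR_CLASS)):
        if code in src:                               # non-ASCII bytes are escaped, not dropped
            ids[key] = src[code].decode("ascii", "backslashreplace")
    return ids

def require(ids, fields):
    missing = [f for f in fields if f not in ids]
    if missing:
        raise ValueError("missing identifier(s) for username: " + ", ".join(missing))
    return [ids[f] for f in fields]

def username_plus(ids, fields, separator):
    """'<a> plus <b> ... separator X': identifiers joined by X, in the listed order."""
    return separator.join(require(ids, fields))

def username_format_string(ids, fmt, fields):
    """4.2.1 format-string: each %s is replaced by the next listed identifier."""
    if fmt.count("%s") != len(fields):
        raise ValueError("%d placeholders for %d identifiers" % (fmt.count("%s"), len(fields)))
    return fmt % tuple(require(ids, fields))

def build_usernames(chaddr, options):
    """The three formats defined on the slide, applied to one relayed DHCP request."""
    ids = identifiers(chaddr, options)
    return {
        "USERNAME_FORMAT": username_plus(ids, ["remote-id", "circuit-id", "mac-address"], "-"),
        "USERNAME_FORMAT1": username_plus(ids, ["mac-address", "circuit-id"], "|"),
        # @isp.example is a placeholder: the slide's own domain suffix is not legible on the page
        "USERNAME_FORMAT_SUPER_FLEXIBLE": username_format_string(
            ids, "%s:%s:%s@isp.example", ["remote-id", "circuit-id", "vendor-class-id"]),
    }

def opt(code, value):
    return bytes([code, len(value)]) + value

# constructed DHCPDISCOVER options, as an access switch/DSLAM would relay them
SAMPLE_CHADDR = bytes.fromhex("0011223344aa")
SAMPLE_OPTIONS = (opt(53, b"\x01") + opt(OPT_VENDOR_CLASS, b"STB-v2")
                  + opt(OPT_RELAY_AGENT, opt(SUB_CIRCUIT_ID, b"dslam1/1/3") + opt(SUB_REMOTE_ID, b"cust-0042"))
                  + bytes([OPT_END]))

if __name__ == "__main__":
    for name, user in build_usernames(SAMPLE_CHADDR, SAMPLE_OPTIONS).items():
        print(name, "->", user)
```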
Subscriber Templates Definition
Templates can come from two locations:
AAA Server (download): defined as subscriber/service profiles using standard and vendor-specific RADIUS attributes; downloaded on demand, on a need basis. Control policy action: activate dynamic template <name> aaa list <list name>. The template password is NOT configurable and defaults to "cisco". Only supported when templates are activated via the control policy (4.2.0).
Download flow: 1. The Premium HSI service should be activated on the session, but no definition is available yet. 2. RADIUS Access-Request with username Premium_HSI and password <template pwd>. 3. RADIUS Access-Accept returns the features associated with the template. 4. The service is activated on the session and stored in the local cache while in use by at least one session.
BNG (local): dynamic templates pre-configured using the CLI and permanently stored in the local database; defined as dynamic subscriber/service templates:
dynamic-template type { ppp | ipsubscriber | service } <name>
Dynamic Templates on Box Definition
3 types:
ppp: for configuration on PPP sessions (both PTA and LAC)
ipsubscriber: for configuration on IPoE sessions
service: contains configuration commands for all types of sessions
Dynamic templates allow for inline modifications: changes take effect immediately on all sessions using the template. Exception: immutable config options (e.g. the session IP address).
dynamic-template type { ppp | ipsubscriber | service } <tmpl_name>
 <attribute-list>
!
Control Policy (4.2.0)
policy-map type control subscriber <name>
 event 1: event <event type> <match policy>
  condition 1: class type control <name> <action execution policy>
   action1
   action2
   .......
  ....... more conditions
 event 2 + conditions
 ....... more events
Control policy-map: applied on the access-interface; defines all aspects of session processing; no in-place modifications.
Events: identified by their event type; configurable and non-configurable. Configurable event types:
Session-start: new session initiated (PPPoE and IPoE)
Session-activate: LCP has started (PPPoE only)
Authentication/authorization failure: authentication failed (*)
Authentication/authorization no response: authentication is inconclusive for lack of an answer from the server
Service-stop: request to deactivate a service from an external source
Conditional events: event actions are executed only if the <conditions> are met for the event; conditions account for other aspects surrounding the event; different sets of actions for the same event type; single or multiple matches (match-first or match-all).
Actions: a different set of actions per {event, condition}; actions are in an ordered list, executed based on the execution policy: do-all, do-until-failure, do-until-success. Common action types:
Activate: enables a new dynamic template
Deactivate: terminates an active dynamic template
Authenticate: authenticates a session using the subscriber's credentials
Authorize: authenticates a session using one or more network identifiers (TAL)
(*) 4.2.0: CLI available but not supported
Defining a Control Policy: policy-map type control
A control policy associates events and conditions with an ordered list of actions: for each {event, condition} pair a control class holds the list of actions (e.g. 1. enable service X, 2. enable service Y, 3. take action R; or 1. disable service B, 2. enable service A; or 1. enable service, 2. take AAA action).
policy-map type control subscriber SUBSCRIBER_RULE
 event session-start match-first
  class type control subscriber PPP_SUB do-all
   10 activate dynamic-template PPP_BASE_TMPL
   20 authorize aaa list default format PPP_UNAME password cisco
  !
  class type control subscriber IP_SUB do-all
   10 activate dynamic-template IP_BASE_TMPL
   20 authorize aaa list default format IP_UNAME password cisco
  !
 !
 event session-activate match-first
  class type control subscriber PPP_SUB do-all
   10 authenticate aaa list default
  !
 !
 event account-logon match-first
  class type control subscriber IP_SUB do-all
   10 authenticate aaa list default
  !
 !
end-policy-map
The account-logon event is available in 4.2.1.
Control policy name: used to reference the control policy when it is applied to the access-interface
Event being handled
Control class match-policy: match-first: evaluate control classes until the first match; match-all: evaluate all control classes
Control class used to qualify the event: defines the conditions for which the event is actionable
Action execution policy: do-all: execute all actions; do-until-failure: execute actions until one fails; do-until-success: execute actions until one succeeds
List of actions
Defining Control Classes: class-map type control
match-policy: match-any: match any of the clauses; match-all: match all clauses
Match criteria:
Domain name: domain <string>
Protocol: protocol { dhcpv4 | ppp }
Source address: source-address { ipv4 | mac }
User name: username <string>
Authentication status: authen-status { authenticated | unauthenticated }
To negate a match criterion: not <criterion>
Examples:
class-map type control subscriber match-any IP_SUB
 match protocol dhcpv4
end-class-map
!
class-map type control subscriber match-any PPP_SUB
 match protocol ppp
end-class-map
!
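Added example, not from the deck: a small Python model of the control-policy semantics above (match-any/match-all classes with negated criteria, match-first/match-all events, do-all/do-until-failure/do-until-success execution) with SUBSCRIBER_RULE and its PPP_SUB/IP_SUB classes rebuilt in it. The activate/authorize/authenticate stand-ins, AAA_DB and FORMATS are constructed stubs, not IOS XR behaviour.

```python
from dataclasses import dataclass

@dataclass
class ControlClass:
    """class-map type control subscriber match-{any|all} <name>; a criterion is
    (attribute, value, negated) and negated=True models 'not <criterion>'."""
    name: str
    match_policy: str           # match-any | match-all
    criteria: list

    def matches(self, session):
        hits = [(session.get(attr) == value) != negated for attr, value, negated in self.criteria]
        return any(hits) if self.match_policy == "match-any" else all(hits)

@dataclass
class ClassEntry:
    """'class type control subscriber <name> <execution policy>' and its numbered actions."""
    cls: ControlClass
    exec_policy: str            # do-all | do-until-failure | do-until-success
    actions: list               # [(sequence, description, callable(session) -> bool)]

def run_actions(entry, session):
    """Run the entry's actions in sequence order under its execution policy and
    return [(class, action, succeeded)] for the actions that actually ran."""
    trace = []
    for _, desc, fn in sorted(entry.actions, key=lambda a: a[0]):
        ok = fn(session)
        trace.append((entry.cls.name, desc, ok))
        if (entry.exec_policy == "do-until-failure" and not ok) or \
           (entry.exec_policy == "do-until-success" and ok):
            break
    return trace

class ControlPolicy:
    """policy-map type control subscriber <name>: event type -> (match policy, class entries)."""
    def __init__(self, name):
        self.name, self.events = name, {}

    def event(self, event_type, match_policy):
        """Declare 'event <type> <match policy>'; returns the list class entries go into."""
        self.events[event_type] = (match_policy, [])
        return self.events[event_type][1]

    def handle(self, event_type, session):
        """match-first stops at the first matching class, match-all runs every matching
        class; an event with no handler is ignored."""
        match_policy, entries = self.events.get(event_type, ("match-first", []))
        trace = []
        for entry in entries:
            if not entry.cls.matches(session):
                continue
            trace.extend(run_actions(entry, session))
            if match_policy == "match-first":
                break
        return trace

# Action stand-ins; AAA_DB and FORMATS are constructed for this example.
AAA_DB = {"john": "pa55"}
FORMATS = {"PPP_UNAME": ("remote-id", "circuit-id"), "IP_UNAME": ("mac-address", "circuit-id")}

def activate(template):
    def fn(session):
        session.setdefault("templates", []).append(template)
        return True
    return "activate dynamic-template " + template, fn

def authorize(fmt):
    """TAL: succeeds only when every identifier the username format needs is present."""
    def fn(session):
        ids = session.get("identifiers", {})
        if not all(f in ids for f in FORMATS[fmt]):
            return False
        session["authorized-as"] = ":".join(ids[f] for f in FORMATS[fmt])
        return True
    return "authorize aaa list default format " + fmt, fn

def authenticate():
    def fn(session):                      # no credentials at all is a failure, not a pass
        user, pwd = session.get("credentials", (None, None))
        if user is None or AAA_DB.get(user) != pwd:
            return False
        session["authen-status"] = "authenticated"
        return True
    return "authenticate aaa list default", fn

def subscriber_rule():
    """SUBSCRIBER_RULE with the PPP_SUB / IP_SUB classes as the slides define them."""
    ppp_sub = ControlClass("PPP_SUB", "match-any", [("protocol", "ppp", False)])
    ip_sub = ControlClass("IP_SUB", "match-any", [("protocol", "dhcpv4", False)])
    pm = ControlPolicy("SUBSCRIBER_RULE")
    start = pm.event("session-start", "match-first")
    start.append(ClassEntry(ppp_sub, "do-all", [(10,) + activate("PPP_BASE_TMPL"), (20,) + authorize("PPP_UNAME")]))
    start.append(ClassEntry(ip_sub, "do-all", [(10,) + activate("IP_BASE_TMPL"), (20,) + authorize("IP_UNAME")]))
    pm.event("session-activate", "match-first").append(ClassEntry(ppp_sub, "do-all", [(10,) + authenticate()]))
    pm.event("account-logon", "match-first").append(ClassEntry(ip_sub, "do-all", [(10,) + authenticate()]))
    return pm
```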
Example: PPPoE Subscriber
Putting it all together – Basic Example (PPPoE)

pppoe bba-group PPPOE-USERS
 ! the BBA group defines the PPPoE discovery configuration/throttling
 service selection disable
!
dynamic-template
 ! a dynamic-template defines the configuration applied to the subscriber session
 type ppp PPP_TEMPLATE
  ppp authentication pap
  ipv4 unnumbered Loopback65
!
interface Bundle-Ether333.6
 description "Subscriber VLAN 6 - PPPoE subscribers"
 ! control policy affecting the subscribers on this interface
 service-policy type control subscriber PPP_SUBS_CONTROL
 ! enables PPPoE processing on the interface
 pppoe enable bba-group PPPOE-USERS
 encapsulation dot1q 6
!
class-map type control subscriber match-any PPP_SUBS
 match protocol ppp
end-class-map
!
policy-map type control subscriber PPP_SUBS_CONTROL
 ! session-start events trigger upon FSOL - PADI
 event session-start match-first
  class type control subscriber PPP_SUBS do-until-failure
   ! calls the previously-configured template
   5 activate dynamic-template PPP_TEMPLATE
  !
 !
 ! session-activate triggers upon LCP negotiation
 event session-activate match-first
  class type control subscriber PPP_SUBS do-until-failure
   ! calls the previously-configured template
   5 activate dynamic-template PPP_TEMPLATE
   ! authenticates with the PPP username/password against AAA list RSIM
   10 authenticate aaa list RSIM
  !
 !
end-policy-map
Putting it all together – Basic Example (IPoE)

dhcp ipv4
 profile IP_SUBSCRIBERS proxy
  limit lease per-circuit-id 2
  lease proxy client-lease-time 1500
  ! helper-address is the external DHCP server; giaddr is the local address
  ! inserted into the relayed DHCP messages
  helper-address vrf default 14.2.3.60 giaddr 64.40.64.1
  relay information option
  ! keep preserves the received DHCP option 82 information
  relay information policy keep
  relay information option allow-untrusted
 !
 ! associates Bundle-Ether333.5 with the proxy profile
 interface Bundle-Ether333.5 proxy profile IP_SUBSCRIBERS
!
dynamic-template
 type ipsubscriber IPSUB_TEMPLATE
  ipv4 unnumbered Loopback64
!
interface Bundle-Ether333.5
 description "Subscriber VLAN 5 - IPoE subscribers"
 ipv4 point-to-point
 ipv4 unnumbered Loopback64
 ! control policy applied to the subscribers upon FSOL
 service-policy type control subscriber IP_SUBS_CONTROL
 encapsulation dot1q 5
 ! defines that the subscribers are L2-connected downstream of this interface
 ipsubscriber ipv4 l2-connected
  ! the FSOL is a DHCPDISCOVER received from a subscriber
  initiator dhcp
!
class-map type control subscriber match-any DHCP_TEST
 match protocol dhcpv4
end-class-map
!
policy-map type control subscriber IP_SUBS_CONTROL
 ! session-start events trigger upon FSOL - DHCPDISCOVER
 event session-start match-first
  class type control subscriber DHCP_TEST do-until-failure
   5 activate dynamic-template IPSUB_TEMPLATE
   ! the subscriber identity is the circuit-id field from the DHCP option 82
   ! information, which is sent to RADIUS for authorization
   10 authorize aaa list RSIM identifier circuit-id password cisco
  !
 !
end-policy-map
Fourth Question
PPPoE and IPoE require a dynamic-template with the "session-start" event.
a) True
b) False
Useful show/debug commands
show tech [ipsubscriber | pppoe | dhcp ipv4 | dhcp ipv6]
show subscriber session all summary
show subscriber session all
show subscriber session filter [username | ipv4-address | etc] $filter detail
show subscriber manager statistics summary total
show ipsubscriber summary
show pppoe [summary | statistics]
show radius authentication
show subscriber manager trace [event | error | more...]
debug subscriber manager session next-subscriber
debug radius [detail]
debug aaa-subscriber [all | authent | author | more...]
debug pppoe [protocol | packet]
debug ppp [negotiation | authentication]
show dhcp ipv4 proxy [binding | stat | stat raw]
show dhcp ipv4 trace
Troubleshooting Questions
● What kind of subscribers are we dealing with?
● What is the expected session establishment call-flow?
– If auth is involved, how are they being authenticated/authorized?
– How is address allocation handled for the subscribers?
– What other services/features are applied to the session? [How? RADIUS attributes, or on the dynamic-template?]
● Where in the above call-flow is session establishment failing?
● Has this ever worked? [Be skeptical! Make sure we have a compelling reason to believe it should work – confirm support!]
Questions and Answers
We want your opinion!
To complete the evaluation, please click the address provided in the chat or in the pop-up when the event ends.
Ask the Experts event with Bruno Novais
If you would like to ask our expert more questions, he will be answering questions between 14 and 24 January at this link:
https://supportforums.cisco.com/thread/2260873
The video, the presentation and the questions and answers will be made available by Tuesday of next week at this link:
https://supportforums.cisco.com/community/portuguese/canto-dos-especialistas/webcasts
Ask the Expert (in Portuguese)
Topic: Migration, configuration and support of the ASA Services Module (ASA-SM)
With Cisco expert: Itzcoatl Espinosa
Ends on 17 January 2014
Ask the Expert (in Spanish)
Topic: QoS on Routers
With Cisco expert: Hector Carranza Contreras
Ends on 22 January 2014
Ask the Expert (in English)
Topic: Understanding and Managing Cisco Unified Communications Manager Certificates
With Cisco expert: Akhil Behl
Ends on 17 January 2014
Topic: Cisco Unified Computing System Director
With Cisco expert: Andrew Nam
Ends on 17 January 2014
Ask the Expert (in English)
Topic: Cisco Catalyst 6800 Series Switches
With Cisco expert: Amer Atout
Ends on 17 January 2014
Rate the content of the Cisco Support Community in Portuguese
You can now rate discussions, documents, blogs and videos!
Spotlight Awards ("Participantes em Destaque" award)
The "participantes em destaque" (spotlight participants) award was created in 2012 in Cisco's global community and is used to recognise members who make a significant contribution to the Cisco support community and who, beyond that, play a leadership role within the community in various categories.
It was launched in the Portuguese-language community on 1 December 2013 and includes the "O Novato" (The Newcomer) category.
More details about the award can be found at: https://supportforums.cisco.com/community/portuguese/principais-colaboradores/participantes_em_destaque
We invite you to take part in the CSC in Portuguese and on our social networks
https://supportforums.cisco.com/community/portuguese
Portugal: http://www.facebook.com/ciscoportugal
Brasil: http://www.facebook.com/CiscoDoBrasil
Portugal: https://twitter.com/CiscoPortugal
Brasil: http://twitter.com/CiscoDoBrasil
Portugal: http://www.youtube.com/user/ciscoportugal
Brasil: http://www.youtube.com/user/ciscoDoBrasilTV
Portugal: http://ciscoportugalblog.wordpress.com/
Thank you very much for watching.
Please complete the evaluation form and suggest topics for the upcoming webcasts!