Configuring Enhanced Subscriber Management with CLI

This section provides information to configure subscriber management features using the command line interface. It is assumed that the reader is familiar with VPLS and IES services.

Topics in this section include:

  1. Configuring RADIUS Authentication of DHCP Sessions
  2. Configuring Enhanced Subscriber Management
    1. Basic Configurations
    2. Configuring Enhanced Subscriber Management Entities
      1. Configuring a Subscriber Identification Policy
      2. Configuring a Subscriber Profile
      3. Configuring an SLA Profile
      4. Configuring Explicit Mapping Entries
    3. Applying the Profiles and Policies
    4. Configuring Dual Homing
  3. Python Script Support for ESM
  4. Sample Python Scripts

Configuring RADIUS Authentication of DHCP Sessions

When RADIUS authentication for subscriber sessions is enabled, DHCP messages from subscribers are temporarily held by the BSA, while the user’s credentials are checked on a RADIUS server.

Configuring RADIUS authentication for subscriber sessions is done in two steps:

  1. First define an authentication-policy in the config>subscriber-mgmt>authentication-policy context.
  2. Then apply the policy to one or more SAPs in the config>service>vpls>sap>authentication-policy auth-plcy-name context (for a VPLS service).
    Or apply the policy to one or more interfaces config>service>ies>if>authentication-policy auth-plcy-name context (for an IES service):

The following example displays a partial BSA configuration with RADIUS authentication:

A:ALA-1>config>service# info
----------------------------------------------
subscriber-management
    authentication-policy BSA_RADIUS create
        description "RADIUS policy for DHCP users Authentication"
        password "mysecretpassword"
        radius-authentication-server
            server 1 address 10.100.1.1 secret "radiuskey"
            retry 3
            timeout 10
        exit    
        re-authentication
        user-name-format circuit-id
    exit    
exit    
...
vpls 800 customer 6001
    description "VPLS with RADIUS authentication”
    sap 2/1/4:100 split-horizon-group DSL-group create
        authentication-policy BSA_RADIUS
    exit    
    sap 3/1/4:200 split-horizon-group DSL-group create
        authentication-policy BSA_RADIUS
    exit
    no shutdown
exit
...
----------------------------------------------
A:ALA-1>config>service#

TCP MSS adjustment for ESM Hosts

TCP MSS adjustment is supported to prevent fragmentation of TCP packets from/to ESM hosts. See the TCP MSS Adjustment for ESM Hosts section of the Multiservice Integrated Service Adapter Guide.

Configuring Enhanced Subscriber Management

Basic Configurations

Configuring and applying the Enhanced Subscriber Management profiles and policies are optional. There are no default Profiles or policies.

The basic Enhanced Subscriber Management profiles and policies must conform to the following:

  1. Unique profile or policy names (IDs)
  2. Profiles and/or policies must be associated with a VPLS or IES service to facilitate Enhanced Subscriber Management.
  3. QoS and IP filter entries configured in Enhanced Subscriber Management profiles and policies override the defaults and/or modified parameters or the default policies.
  4. The Enhanced Subscriber Management profiles and policies must be configured within the context of VPLS or IES.

Subscriber Interface Configuration

The following output displays a basic subscriber interface configuration.

*A:ALA-48>config>service>ies>sub-if# info
----------------------------------------------
description "Routed CO - Antwerp 2018"
address 192.168.2.254/24
address 192.168.3.254/24
address 192.168.4.254/24
address 192.168.5.254/24
address 192.168.6.254/24
group-interface "DSLAM_01" create
description "Routed CO - vlan / subscriber"
sap 1/1/2:1001 create
static-host ip 192.168.2.2 create
exit
sap 1/1/2:1002 create
static-host ip 192.168.2.2 create
exit
sap 1/1/2:1004 create
static-host ip 192.168.2.4 create
exit
sap 1/1/2:1100 create
static-host ip 192.168.2.100 create
exit
exit
exit
----------------------------------------------
*A:ALA-48>config>service>ies>sub-if#

Configuring Enhanced Subscriber Management Entities

  1. Configuring a Subscriber Identification Policy
  2. Configuring a Subscriber Profile
  3. Configuring a Subscriber Identification Policy
  4. Configuring Explicit Mapping Entries
  5. Applying the Profiles and Policies

Configuring a Subscriber Identification Policy

The following displays an example of a subscriber identification policy configuration:

A:ALA-48>config>subscr-mgmt# info
----------------------------------------------
...
sub-ident-policy "Globocom" create
description "Subscriber Identification Policy Id Globocom"
sub-profile-map
entry key "1/1/2" sub-profile "ADSL Business"
exit
sla-profile-map
entry key "1/1/2" sla-profile "BE-Video"
exit
primary
script-url "primaryscript.py"
no shutdown
exit
secondary
script-url "secundaryscript.py"
exit
tertiary
script-url "tertiaryscript.py"
no shutdown
exit
exit
...
----------------------------------------------
A:ALA-48>config>subscr-mgmt#

Configuring a Subscriber Profile

Enhanced Subscriber Management subscriber profile configurations specify existing QoS scheduler profiles. In the following example, “BE-Video-max100M” is specified in the sub-profile “ADSL Business” for the ingress-scheduler-policy. “Upload” is specified in the sub-profile egress-scheduler-policy.

#--------------------------------------------------
echo "QoS Policy Configuration"
#--------------------------------------------------
qos
scheduler-policy "BE-Video-max100M" create
description "Scheduler Policy Id BE-Video-max100M"
tier 1
scheduler "tier1" create
description "Scheduler Policy Id BE-Video-max100M Tier 1 tier1"
exit
exit
exit
scheduler-policy "Upload" create
description "Scheduler Policy Id Upload"
tier 3
scheduler "tier3" create
description "Scheduler Policy Id Upload Tier 3 tier3"
exit
exit
exit
sap-ingress 2 create
description "Description for Sap-Ingress Policy id # 2"
queue 1 create
            parent "tier1"
exit
queue 11 multipoint create
            parent "tier1"
exit
exit
sap-egress 3 create
description "Description for Sap-Egress Policy id # 3"
queue 1 create
            parent "tier3"
exit
exit
exit
#-----------------------

The following displays an example of a subscriber identification policy configuration:

A:ALA-48>config>subscr-mgmt# info
----------------------------------------------
...
sub-profile "ADSL Business" create
description "Subscriber Profile Id ADSL Business"
ingress-scheduler-policy "BE-Video-max100M"
scheduler "tier1" rate 99
exit
egress-scheduler-policy "Upload"
scheduler "tier3" rate 1 cir 1
exit
sla-profile-map
entry key "1/1/3" sla-profile "BE-Video"
exit
exit
----------------------------------------------
A:ALA-48>config>subscr-mgmt#

Configuring an SLA Profile

The following displays an example of a SLA Profile configuration:

A:ALA-48>config>subscr-mgmt# info
--------------------------------------------------
subscriber-mgmt
sla-profile "BE-Video" create
description "SLA Profile Id BE-Video"
ingress
qos 2
queue 1
exit
exit
exit
egress
qos 3
queue 1
exit
exit
exit
exit
----------------------------------------------
A:ALA-48>config>subscr-mgmt#

Configuring Explicit Mapping Entries

The following displays an example of a explicit subscriber mapping:

A:ALA-7>config>subscr-mgmt# info
--------------------------------------------------
A:ALA-48>config>subscr-mgmt# info
----------------------------------------------
...
explicit-subscriber-map
entry key "1/1/1:1111" sub-profile "ADSL GO" alias "Sub-Ident-1/1/1:
1111" sla-profile "BE-Video"
exit
...
----------------------------------------------
A:A:ALA-48>config>subscr-mgmt#

Routed CO with Basic Subscriber Management Features

The following displays the output of an IES service configured with and without enhanced subscriber management and only applies to the 7750 SR.

A:term17>config>service>ies# inf
----------------------------------------------
subscriber-interface "s2" create
address 11.20.1.1/16
dhcp
gi-address 11.20.1.1
exit
group-interface "g3" create
description "With Enhanced Subscriber Mgmt"
arp-populate
dhcp
server 12.1.1.1
trusted
lease-populate 8000
no shutdown
exit
sap lag-1:11 create
sub-sla-mgmt
def-sub-profile "subProf"
def-sla-profile "slaProf"
sub-ident-policy "foo"
multi-sub-sap
no shutdown
exit
host ip 11.20.1.10 mac 00:00:aa:aa:aa:dd subscriber "One" sub-
profile "subProf" sla-profile "slaProf"
exit
exit
exit
subscriber-interface "s3" create
address 11.39.1.1/16
dhcp
gi-address 11.39.1.1
exit
group-interface "g5" create
description "Without Enhanced Subscriber Mgmt"
arp-populate
dhcp
server 12.1.1.1
trusted
lease-populate 8000
no shutdown
exit
sap 4/1/1:24.4094 create
exit
exit
exit
no shutdown
----------------------------------------------
A:term17>config>service>ies#

Applying the Profiles and Policies

Note:

Subscriber interfaces operate only with basic (or enhanced) subscriber management. At the very least, a host, either statically configured or dynamically learned by DHCP must be present in order for the interface to be useful. This note applies to the 7750 SR only.

Apply the Enhanced Subscriber Management profiles and policies to the following entities:

  1. SLA Profile
  2. Subscriber Identification Policy
  3. Subscriber Profile

SLA Profile

The following syntax applies to the 7450 ESS:

CLI Syntax:
configure>service>ies service-id
interface ip-int-name
sap sap-id
host {[ip ip-address] [mac ieee-address} [subscriber sub-ident-string] [sub-profile sub-profile-name] [sla-profile sla-profile-name]

The following syntax applies to the 7750 SR:

CLI Syntax:
configure>service>ies service-id
interface ip-int-name
sap sap-id
host {[ip ip-address] [mac ieee-address} [subscriber sub-ident-string] [sub-profile sub-profile-name] [sla-profile sla-profile-name]
sub-sla-mgmt
def-sla-profile default-sla-profile-name
single-sub-parameters
non-sub-traffic sub-profile sub-profile-name sla-profile sla-profile-name [subscriber sub-ident-string]
subscriber-interface ip-int-name
group-interface ip-int-name
sap sap-id
host ip ip-address [mac ieee-address] [subscriber sub-ident-string] [sub-profile sub-profile-name] [sla-profile sla-profile-name]
sub-sla-mgmt
def-sla-profile default-sla-profile-name
single-sub-parameters
non-sub-traffic sub-profile sub-profile-name sla-profile sla-profile-name [subscriber sub-ident-string]

The following syntax applies to the 7450 ESS and 7750 SR:

CLI Syntax:
configure>service>vpls service-id
sap sap-id
host {[ip ip-address] [mac ieee-address]} [subscriber sub-ident-string] [sub-profile sub-profile-name] [sla-profile sla-profile-name]
sub-sla-mgmt
def-sla-profile default-sla-profile-name
single-sub-parameters
non-sub-traffic sub-profile sub-profile-name sla-profile sla-profile-name [subscriber sub-ident-string]

The following syntax applies to the 7750 SR:

CLI Syntax:
configure>service>vprn service-id
interface ip-int-name
sap sap-id
host {[ip ip-address] [mac ieee-address]} [subscriber sub-ident-string] [sub-profile sub-profile-name] [sla-profile sla-profile-name]

The following syntax applies to the 7450 ESS and 7750 SR:

CLI Syntax:
configure>subscriber-mgmt
explicit-subscriber-map
entry key sub-ident-string [sub-profile sub-profile-name] [alias sub-alias-string] [sla-profile sla-profile-name]
sub-ident-policy sub-ident-policy-name
sla-profile-map
entry key sla-profile-string sla-profile sla-profile-name
sub-profile sla-profile-map
sla-profile-map
entry key sla-profile-string sla-profile sla-profile

Configuring Dual Homing

The following displays an example of a dual homing configuration a. The configuration shows dual homing with a peer node with a system address of 1.1.1.23. The DHCP server returns a default route with a 11.21.1.3 next hop. This example only applies to the 7750 SR.

A:ALA-48#
#--------------------------------------------------
echo "Redundancy Configuration"
#--------------------------------------------------
redundancy
multi-chassis
peer 1.1.1.23 create
sync
srrp
sub-mgmt
port lag-100 sync-tag "Tag1" create
exit
no shutdown
exit
no shutdown
exit
exit
exit
#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
service
customer 1 create
description "Default customer"
exit
sdp 23 create
far-end 1.1.1.23
no shutdown
exit
ies 40 customer 1 create
redundant-interface "r40-1" create
address 2.1.1.1/31
spoke-sdp 23:1 create
exit
exit
subscriber-interface "s40-1" create
address 11.21.1.1/16 gw-ip-address 11.21.1.3
dhcp
gi-address 11.21.1.1
exit
group-interface "g40-1" create
dhcp
server 12.1.1.1
lease-populate 8000
no shutdown
exit
redundant-interface r40-1
remote-proxy-arp
sap lag-100:1 create
sub-sla-mgmt
def-sub-profile "subProf"
def-sla-profile "slaProf"
sub-ident-policy "subIdentPolicy"
multi-sub-sap                            
                            no shutdown
                        exit
exit
sap lag-100:4094 create
exit
srrp 1 create
message-path lag-100:4094
no shutdown
exit
exit
exit
no shutdown
exit
exit
...
----------------------------------------------
A:ALA-48#

SHCV Policies

Under the group-interface, the host-connectivity-verify configuration was used as a reference timer for some event triggered SHCV while other used hardcoded values. The SHCV-policy and separated out every type of SHCV and allowed each type to have their individual configurable timer values. Furthermore, individual SHCV trigger types can be shut down. The SHCV policy can be applied to one or more group interfaces and can be configured differently for IPv4 vs. IPv6 hosts.There are various types of triggered SHCV:

  1. ip-conflict: Sent when a SAP detects that there is a IP address or prefix conflict on the SAP.
  2. host-limit-exceeded: Sent when a subscriber has exceeded a configured host-limit. Host-limits are set on sla-profile host-limit, ipoe-session sap-session-limit, and ipoe-session session-limit.
  3. inactivity: Category-map configured under sla-profile can trigger an SHCV once the subscriber host has become idle.
  4. mobility: Intended for mobility applications such as WiFi. When a subscriber moves between SAPs and requests for the same IP address, a triggered SHCV is sent to verify if the old host is still connected before removing the old host entry.
  5. mac-learning: For IP-only static-host MAC learning. The trigger SHCV is sent to learn the subscriber MAC when a no shutdown command is executed on the CLI for the static host.

Note that some SHCVs are triggered based on a host’s DHCP messages. These DHCP messages are not buffered. The SHCV is used only to perform a verification check on an old host to verify if the host is still connected to the BNG. Therefore, the BNG still requires the new hosts to retransmit their DHCP messages once the SHCV removes the disconnected host.

SHCV Policy

Under the group-interface, the host-connectivity-verify configuration was used as a reference timer for some event triggered SHCV while other used hardcoded values. The SHCV-policy and separated out every type of SHCV and allowed each type to have their individual configurable timer values. Furthermore, individual SHCV trigger types can be shut down. The SHCV policy can be applied to one or more group interfaces and can be configured differently for IPv4 vs. IPv6 hosts.There are various types of triggered SHCV:

  1. ip-conflict: Sent when a SAP detects that there is a IP address or prefix conflict on the SAP.
  2. host-limit-exceeded: Sent when a subscriber has exceeded a configured host-limit. Host-limits are set on sla-profile host-limit, ipoe-session sap-session-limit, and ipoe-session session-limit.
  3. inactivity: Category-map configured under sla-profile can trigger an SHCV once the subscriber host has become idle.
  4. mobility: Intended for mobility applications such as WiFi. When a subscriber moves between SAPs and requests for the same IP address, a triggered SHCV is sent to verify if the old host is still connected before removing the old host entry.
  5. mac-learning: For IP-only static-host MAC learning. The trigger SHCV is sent to learn the subscriber MAC when a no shutdown command is executed on the CLI for the static host.

Note that some SHCVs are triggered based on a host’s DHCP messages. These DHCP messages are not buffered. The SHCV is used only to perform a verification check on an old host to verify if the host is still connected to the BNG. Therefore, the BNG still requires the new hosts to retransmit their DHCP messages once the SHCV removes the disconnected host.

Subscriber Identification Policy

The following syntax applies to the 7450 ESS:

CLI Syntax:
configure>service>ies service-id
interface ip-int-name
sap sap-id
host {[ip ip-address] [mac ieee-address} [subscriber sub-ident-string] [sub-profile sub-profile-name] [sla-profile sla-profile-name]

The following syntax applies to the 7750 SR:

CLI Syntax:
configure>service>ies service-id
interface ip-int-name
sap sap-id
host {[ip ip-address] [mac ieee-address} [subscriber sub-ident-string] [sub-profile sub-profile-name] [sla-profile sla-profile-name]
sub-sla-mgmt
single-sub-parameters
non-sub-traffic sub-profile sub-profile-name sla-profile sla-profile-name [subscriber sub-ident-string]
sub-ident-policy sub-ident-policy-name

Subscriber Profile

The following syntax applies to the 7450 ESS:

CLI Syntax:
configure>service>ies service-id
interface ip-int-name
sap sap-id
host {[ip ip-address] [mac ieee-address} [subscriber sub-ident-string] [sub-profile sub-profile-name] [sla-profile sla-profile-name]

The following syntax applies to the 7750 SR:

CLI Syntax:
configure>service>ies service-id
interface ip-int-name
sap sap-id
host {[ip ip-address] [mac ieee-address} [subscriber sub-ident-string] [sub-profile sub-profile-name] [sla-profile sla-profile-name]
sub-sla-mgmt
def-sub-profile default-subscriber-profile-name
single-sub-parameters
non-sub-traffic sub-profile sub-profile-name sla-profile sla-profile-name [subscriber sub-ident-string]

The following syntax applies to the 7450 ESS and 7750 SR:

CLI Syntax:
configure>service>vpls service-id
sap sap-id
host {[ip ip-address] [mac ieee-address]} [subscriber sub-ident-string] [sub-profile sub-profile-name] [sla-profile sla-profile-name]
sub-sla-mgmt
def-sub-profile default-sub-profile-name
single-sub-parameters
non-sub-traffic sub-profile sub-profile-name sla-profile sla-profile-name [subscriber sub-ident-string]

The following syntax applies to the 7450 ESS and 7750 SR:

CLI Syntax:
configure>subscriber-mgmt
sub-profile subscriber-profile-name
explicit-subscriber-map
entry key sub-ident-string [sub-profile sub-profile-name] [alias sub-alias-string] [sla-profile sla-profile-name]
sub-ident-policy sub-ident-policy-name
sub-profile-map
entry key sub-profile-string sub-profile sub-profile-name