Session management

Basic PFCP session functions

While PFCP sessions can support many access types, the basic session management is identical. This section provides an overview of the common session functionality.

Subscribers, QoS, and filters

BNG CUPS sessions are automatically linked together into subscribers, based on a QoS Enforcement Rule (QER) Correlation ID that is received in the PFCP session. The usual subscriber management processing applies, as described in the7450 ESS, 7750 SR, and VSR Triple Play Service Delivery Architecture Guide , sections "QoS for subscribers and hosts" through "Configuring IP and IPv6 filter policies for subscriber hosts".

The following parameters may be passed via PFCP:

subscriber and SLA profile names

Note: The subscriber profiles must be configured for use with BNG CUPS by enabling the configure subscriber-mgmt sla-profile control cups command for the profile. This disables any feature that is not supported within CUPS.
QoS overrides
SLA filter overrides, either by name or by ID
Inter-Dest-ID

In-band control plane

Most BNG session types have one or more control plane messages that are sent in-band and therefore arrive directly on the UPF. Because the BNG UPF cannot handle these messages, they are forwarded to the BNG CPF. To accomplish this, the BNG CPF installs specific Ethernet or IP filter rules that match these packets; for example, by matching UDP destination port 67 to extract DHCP. These packets are encapsulated in GTP-U and sent to the CPF. Similarly, the BNG CPF sends downstream In-Band Control Plane (IBCP) packets over GTP-U toward the BNG UPF.

For upstream traffic, the BNG UPF sends any control plane messages that do not match a session over a default tunnel. See Default IBCP session for more information about how this tunnel is signaled. If the control plane messages do not match the default tunnel rules, the messages are dropped.

When a session is created, either out-of-band or via a trigger over the default tunnel, the BNG CPF installs per-session control plane rules for both upstream and downstream. Packets that match the upstream rules are forwarded to the BNG CPF using the signaled GTP-U parameters. For downstream rules, the BNG UPF allocates a TEID that the BNG CPF can use to send packets. The BNG UPF does not support a default downstream IBCP tunnel.

The upstream IBCP (including default) follows the sgt-qos configuration, using the application list ibcp keyword. A specific DSCP value (default NC2) can be provisioned and mapped to a specific FC, as usual.

See the 7450 ESS, 7750 SR, 7950 XRS, and VSR Quality of Service Guide, section "QoS for Self-Generated (CPU) Traffic on Network Interfaces" for more information.

The downstream IBCP QoS handling depends on the session type.

IP gateway, services, and routing

In many deployments, a BNG UPF acts as a direct IP gateway for sessions. All IP addresses are allocated by the CPF and installed using the PFCP protocol. Optionally, framed routes can be provided by the CPF.

To assist with forwarding, the BNG CPF signals the following information using the PFCP protocol:

The service in which forwarding must occur is a name that maps to a preprovisioned IES or VPRN service.
The aggregate routes that the BNG UPF can announce in routing protocols to attract traffic can be distinguished in policies using the direct option for the protocol name in the configure policy-options policy-statement entry from protocol name context.

Note: The CPF guarantees that no addresses from the aggregate routes are assigned to sessions on another BNG CUPS UPF. See the 7450 ESS, 7750 SR, 7950 XRS, and VSR Unicast Routing Protocols Guide for more information about route policies.
The gateway address for IPv4 is typically a dedicated address within the aggregate route, and for IPv6 it is a link-local address, only one of which per VPRN or per IES is supported for IPv6.

The BNG UPF still runs the appropriate routing protocols and responds to ARP/ND for the gateway addresses.

Statistics reporting

Statistics reporting uses the PFCP Usage Reporting Rule (URR) mechanism. The BNG UPF supports a single URR to count all statistics that are related to a session. The BNG UPF supports sending the following statistics for the URR:

aggregate octet counters; these are always signaled
aggregate packet counters; these are signaled if enabled by the CPF

All counters, including aggregates, are based on QoS counters and are therefore affected by QoS modifiers, such as the packet-byte-offset command.

The BNG UPF sends reports for a URR in the following cases:

the UPF is explicitly queried by the BNG CPF via a PFCP Session Modification Request
the SPI counters are modified while the SPI statistics are enabled; the BNG UPF includes the counters for the old SPI in a PFCP Session Modification Response message
the periodic URR reporting is enabled and the BNG UPF sends unsolicited PFCP Session Report Request messages

PFCP statistics are reported in an incremental manner. This means that only new statistics after the last report are signaled. To achieve this, the BNG UPF baselines the counters on every report. Consequently, it is not possible to manually clear statistics on the BNG UPF using the clear service statistics subscriber command. Other operational commands (for example, show service active-subscribers detail) only show the accumulated statistics on the BNG UPF.

Because statistics are based on QoS counters, sessions sharing the same SPI also share statistics, and a report for one session baselines the counters for the entire SPI. As a result, per-session statistics on the BNG CPF are not correct when sharing an SPI; however, their aggregate counts are correct. The BNG CPF must provide the appropriate aggregate level (for example, subscriber-level accounting). When an SPI changes, the BNG UPF reports the final SPI statistics in PFCP if instructed to do so by the BNG CPF.

Hardware failures are automatically taken into account for statistics reporting. Statistics generated after the last report are irretrievably lost. However, as a result of the incremental reporting, the BNG CPF does not lose any older counters and does not see a sudden reset. That is, aggregate counters on the BNG CPF never decrease as a result of a hardware failure. However, the BNG UPF local statistics as seen in show commands reset upon a hardware failure, and therefore a mismatch of BNG CPF counters may result.

Operational commands

Most of the traditional BNG operational commands, as described in the 7450 ESS, 7750 SR, and VSR Triple Play Service Delivery Architecture Guide, apply to the CUPS BNG UPF. The significant exceptions to this rule are operational commands related to specific protocols (such as DHCP, DHCPv6, RADIUS, and PPPoE), because a BNG CUPS UPF is not aware of these states.

The primary BNG CUPS UPF operational commands are the following.

The show service active-subscribers command contains several sub-commands that provide details about a specific subscriber or session within a subscriber. These commands incorporate information about CUPS subscribers. Information that is only available on the BNG CPF is not shown on the BNG UPF (for example, details on RADIUS and metadata such as remote-id and circuit-id).
The show subscriber-mgmt statistics command contains several sub-commands that provide a wide variety of statistics on various granularity levels. These commands are extended to incorporate BNG CUPS statistics.

IBCP statistics can be displayed via the PFCP statistics using the show subscriber-mgmt pfcp statistics command.

Operational commands that are specific to PFCP associations are listed in Operational commands and debugging.

Fixed access session functions

To enable fixed access sessions, a capture-sap must be provisioned under service vpls with appropriate values for trigger-packet and a link to the pfcp association. The triggers are mandatory and are not automatically derived from the default IBCP tunnel.

Sessions without any encapsulation are supported on a dot1q capture SAP. The system creates internal constructs to correctly handle sessions without encapsulation. These sessions can be combined with dot1q encapsulated sessions on the same capture SAP.

The following example shows the trigger-packet provisioning in a PFCP association configuration:

A:admin@DUT-B# info 
    pfcp {
        association "BNG-CPF"
    }
    trigger-packet {
        pppoe true
    }

To identify sessions in the data plane, the BNG CPF must provide the following parameters.

The logical port (also known as the l2-access-id) identifies the port, LAG, or pw-port where the session is terminated.
The VLAN tags, along with the logical port, identify a SAP where the session is terminated, also known as a Layer 2 circuit (l2-circuit). The BNG CPF must signal all the VLAN tags to match the encapsulation type provisioned for the port; for example, only signaling an s-tag for a q-in-q port is not allowed. As an exception, the CPF can install sessions without any VLAN tags on a dot1q capture SAP, as described at the beginning of this section.
The source MAC address is required.
The PPPoE session ID is used for PPPoE only.
The IP anti-spoofing IP address is optionally used to enable IP anti-spoofing. While this can be signaled per session, the BNG UPF only supports a single anti-spoof type per SAP. When a second session on the same SAP has a conflicting anti-spoof indication, the setup fails. IP anti-spoofing is not supported for framed routes.

For PPPoE, the BNG UPF can perform LCP keep-alive offload, if supported and signaled by the BNG CPF. The BNG UPF automatically signals support for this feature when the PFCP association is created.

Downstream IBCP

For fixed access, downstream IBCP packets are handled directly in the data path. These packets bypass per-session processing, including QoS and filters. Ingress QoS is applied, as usual, based on the provisioning. Egress QoS is based on the QoS configuration of the capture SAP that is linked to the session.

SAP and group interface templates

The system auto-provisions any required objects, which means that subscriber interfaces, group interfaces, and SAPs do not need to be provisioned. These objects are hidden from configuration and are not modifiable. Aside from the capture SAP, the only required configuration is the VPRN or IES where IP forwarding occurs.

You can manage SAP creation by configuring a SAP template under the configure subscriber-mgmt sap-template command. The SAP template supports the configuration of the following parameters:

The hold-time command delays the deletion of the SAP after the last PFCP session is removed. An infinite hold time can be configured, but is not recommended. Idle SAPs can be cleared using the idle-saps option under clear subscriber-mgmt sap-template.
The cpu-protection and dist-cpu-protection commands configure CPU protection; see the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide, section "Centralized CPU protection and distributed CPU protection" for more information about CPU protection.

Note: On platforms where CPU protection and distributed CPU protection are not supported, these commands are ignored.

Similarly, group-interface creation can be manipulated by configuring a group interface template under the configure subscriber-mgmt group-interface-template command. When setting up a PFCP session, a template name is passed via PFCP. If the template name is absent, the system falls back to the name "default".

A group interface template allows the configuration of the following parameters:

ip-mtu; is applied to outgoing packets
urpf-check; see 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide, section "Unicast reverse path forwarding check"
icmp
remote-proxy-arp; see 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide, section "Proxy ARP"

Note: The SAP and group interface templates must be configured on the BNG UPF (as well as the name "default") to ensure that the session setup does not fail.

Changing the configuration of a template does not automatically change all created SAPs or group interfaces.