The following two configuration methods co-exist but are mutually exclusive:
This configuration method is preferred as it can be re-used amongst multiple applications (Subscriber authentication and accounting, L2TP tunnel accounting, WLAN gateway RADIUS proxy) and enables additional functionality not available in the legacy configuration method. For example:
Note: A RADIUS server is marked down if it detects a few consecutive timeouts independent of the transaction ID or origin of request. |
Where consecutive timeouts are defined by the number of retries configured below the RADIUS server policy servers.
The default number of retries is 3, meaning 1 initial try and 2 retries.
If, for example, the RADIUS server has “2 timeouts, 1 reply, 1 timeouts”, whereby the timeouts are originated for the same host, the server is not marked down since intermediate replies were received.
To attach a RADIUS server policy to an authentication policy:
For example,
Note:
|
To attach a RADIUS server policy to a RADIUS accounting policy:
For example:
Note: To avoid conflicts, the following CLI commands are ignored in the RADIUS accounting policy when a radius-server-policy is attached:
|
To configure the RADIUS servers in a RADIUS server policy:
For example:
To configure the RADIUS servers in the routing instance:
For example:
Note: To configure RADIUS CoA servers for use in Enhanced Subscriber Management, the server must be configured in the corresponding routing instance with the accept-coa command enabled. |
Note: It is recommended to migrate to the uniform RADIUS server configuration as described above to have additional functionality enabled. |
To configure a RADIUS server in an authentication policy:
Note: In a legacy RADIUS server configuration, to configure RADIUS CoA servers for use in Enhanced Subscriber Management, the server must be configured in the authentication policy with the accept-authorization-change command enabled. A CoA only server can be configured with the optional coa-only flag. |
To configure a RADIUS server in a RADIUS accounting policy:
This section describes the Nokia router acting as a Broadband Subscriber Aggregator (BSA).
Note: In the TPSDA solutions, the Nokia 5750 Subscriber Services Controller (SSC) serves as the policy manager, DHCP and RADIUS server. |
In this application, one of the required functions can be to authenticate users trying to gain access to the network. While sometimes the DHCP server (an SSC) can perform authentication, in most cases a RADIUS server (an SSC) is used to check the customer's credentials.
Note: See the DHCP Management section for information about DHCP and DHCP Snooping. |
For information about the RADIUS server selection algorithm, refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide.
If authentication is enabled, the router temporarily holds any received DHCP discover message and sends a access-request message to a configured RADIUS server containing the client's MAC address or Circuit-ID (from the Option 82 field) as the user name. If access is granted by the RADIUS server, the router then forwards or relays the DHCP discover message to the DHCP server and allows an IP address to be assigned. If the RADIUS authentication request is denied, the DHCP message is dropped and an event is generated.
A typical initial DHCP scenario (after client bootup) is shown in Figure 68.
But, when the client already knows its IP address (when an existing lease is being renewed), it can skip straight to the request/ack phase, as shown in Figure 69.
In the first scenario, the DHCP discover triggers an authentication message to RADIUS and the DHCP request also triggers RADIUS authentication. The previous reply is cached for 10 seconds, the second DHCP packet does not result in a RADIUS request.
In the second scenario, the DHCP request triggers an authentication message to RADIUS.
If the optional subscriber management authentication policy re-authentication command is enabled, DHCP authentication is performed at every DHCP lease renew request. Only dynamic DHCP sessions are subject to remote authentication. Statically provisioned hosts are not authenticated.
This section describes an extension to RADIUS functionality in the subscriber management context. As part of subscriber host authentication, RADIUS can respond with access-response message, which, in the case of an accept, can include several RADIUS attributes (standard and vendor-specific) that allow proper provisioning of a given subscriber-host.
Change-of-Authorization (CoA) messages as defined by RFC 3576, Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS), are supported. The goal of CoA messages is to provide a mechanism for “mid-session change” support through RADIUS.
Figure 70 shows a flow of RADIUS authentication of DHCP hosts in the triple play aggregation environment. Besides granting the authentication of given DHCP host, the RADIUS server can include RADIUS attributes (standard and/or Vendor-Specific Attributes (VSAs)) which are then used by the network element to provision objects related to a given DHCP host.
RADIUS is a distributed client/server concept that is used to protect networks against unauthorized access. In the context of the router’s subscriber management in TPSDA, the RADIUS client running on nodes sends authentication requests to the SSC.
RADIUS can be used to perform three distinct services:
The RADIUS protocol uses “attributes” to describe specific authentication, authorization, and accounting elements in a user profile (which are stored on the RADIUS server). RADIUS messages contain RADIUS attributes to communicate information between network elements running a RADIUS client and a RADIUS server.
RADIUS divides attributes into two groups, standard attributes and Vendor-Specific Attributes (VSAs). VSA is a concept allowing conveying vendor-specific configuration information in a RADIUS messages, as discussed in RFC 2865, Remote Authentication Dial In User Service (RADIUS). It is up to the vendor to specify the exact format of the VSAs.
Nokia-specific VSAs are identified by vendor-id 6527.
The following sections define different functional extensions and list relevant RADIUS attributes.
Basic Provisioning of Authentication Extensions
To comply with RFC 4679, DSL Forum Vendor-Specific RADIUS Attributes, the software includes the following attributes in the authentication-request message:
The following attributes can also be included if configured and provided by downstream equipment:
When the node is configured to insert (or replace) Option 82, the above mentioned attributes do have the content after this operation has been performed by the software.
In addition, the following standard RADIUS attributes are included in authentication request messages (subject to configuration):
These are only be included in the access-request if they have been configured.
To provide the possibility to push new policies for currently active subscribers, the routers support commands to force re-authentication of the given subscriber-host. After issuing such a command, the router sends a DHCP FORCERENEW packet, which causes the subscriber to renew its lease (provided it supports force-renew). The DHCP request and ACK are then authenticated and processed by the routers as they would be during a normal DHCP renew.
A calling-station-id can be configured at SAP level and can be included in the RADIUS authentication and accounting messages. This attribute is used in legacy BRAS to identify the user (typically phone number used for RAS connection). In the broadband networks this was replaced by circuit-id in Option 82. However, the Option 82 format is highly dependent on access-node vendor, which makes interpretation in management servers (such as RADIUS) difficult. Some operators use the calling-station-id attribute as an attribute indicating the way the circuit-id should be interpreted. The calling-station-id attribute can be configured as a string which is be configured on the SAP. It can also be configured to use the sap-id, remote-id or mac-address.
To limit the lifetime of a PPP session or DHCPv4 host to a fixed time interval, a timeout can be specified from RADIUS. By default, a PPP session or DHCPv4 host has no session timeout (infinite).
For PPP sessions, a session-timeout can be configured in the ppp-policy. A RADIUS specified session-timeout overrides the CLI configured value.
When the session timeout expires a PPP session is terminated and a DHCPv4 host deleted. For a DHCPv4 host, a DHCP release message is also sent to the server.
The following two attributes can be used in RADIUS Access-Accept and CoA messages to limit the PPP session or DHCPv4 host session time (Table 11):
Attribute ID | Attribute Name | Type | Limits | Purpose and Format |
27 | Session-Timeout | integer | 2147483647 seconds | 0 = infinite (no session-timeout) (1 to 2147483647) in seconds For example: Session-Timeout = 3600 |
26-6527-160 | Alc-Relative-Session-Timeout | integer | [0 to 2147483647] seconds | 0 = infinite (no session-timeout) (1 to 2147483647) in seconds For example: Alc-Relative-Session-Timeout = 3600 |
When specified in a RADIUS Access-Accept message, both attributes specify an absolute value for session timeout. When specified in a RADIUS CoA message, attribute [26-6527-160] Alc-Relative-Session-Timeout specifies a relative session timeout value in addition to the current session time while attribute [27] Session-Timeout specifies an absolute session timeout value. If the current session time is greater than the received Session-Timeout, a CoA NAK is sent with error cause “Invalid Attribute Value (407)”.
Only one of the above attributes to specify a session timeout can be present in a single RADIUS message. An event is raised when both are specified in a single message.
The output of the show service id service-id ppp session detail CLI command contains following fields related to session timeout for PPP sessions:
The output of the show service id service-id dhcp lease-state detail CLI command contains following fields related to session timeout for DHCPv4 hosts:
Note: In a radius-proxy scenario or when a DHCPv4 host is created with a RADIUS CoA message, the RADIUS attribute [26-6527-174] Alc-Lease-Time attribute must be used to specify the lease time. If the [26-6527-174] Alc-Lease-Time is not present in these scenarios, then the RADIUS attribute [27] Session-Timeout is interpreted as DHCPv4 lease time. |
In many networks, the user name has specific meaning with respect to the domain (ISP) where the user should be authenticated. To identify the user correctly, the user name in an authentication-request message should contain a domain-name. The domain-name can be derived from different places. In PPPoE authentication the domain name is given by the PPPoE client with the user name used in PAP or CHAP authentication. For DHCP hosts similar functionality is implemented by a “pre-authentication” lookup in a local user database before performing the RADIUS request.
For example, it can be derived from option60 which contains the vendor-specific string identifying the ISP the set-box has been commissioned by.
To append a domain name to a DHCP host, the following configuration steps should be taken:
The string returned in a [18] Reply-Message attribute in a RADIUS Access-Accept is passed to the PPPoE client in the CHAP Success or PAP Authentication-Ack message.
The string returned in a [18] Reply-Message attribute in a RADIUS Access-Reject is passed to the PPPoE client in the CHAP Failure or PAP Authentication-Nak message.
When no [18] Reply-Message attribute is available, the SR OS default messages are used instead: “CHAP authentication success” or “CHAP authentication failure” for CHAP and “Login ok” or “Login incorrect” for PAP.
SHCV policies are used to control subscriber host connectivity verification which verifies the host connectivity to the BNG. There are two types of SHCV: periodic and event triggered. Prior to Release 13.0R4, some event triggered SHCV relied on the reference timer set by the host-connectivity-verify under the group interface while others had hard-coded values. Release 13.0R4 introduced the SHCV policy that allows individual configuration of trigger SHCV timers and periodic SHCV timers depending on the application.
Under the group-interface, the host-connectivity-verify configuration was used as a reference timer for some event triggered SHCV while other used hard-coded values. The SHCV-policy separated out every type of SHCV and allows each type to have their individual configurable timer values. Furthermore, individual SHCV trigger types can be shut down. The SHCV policy can be applied to one or more group interfaces and can be configured differently for IPv4 vs. IPv6 hosts.There are various types of triggered SHCV:
Some SHCVs are triggered based on a host’s DHCP messages. These DHCP messages are not buffered. The SHCV is used only to perform a verification check on an old host to verify if the host is still connected to the BNG. Therefore, the BNG still requires the new hosts to retransmit their DHCP messages once the SHCV removes the disconnected host.
This feature maximizes the use of the remaining healthy RADIUS servers for subscriber authentication and accounting. After the hold-down time expires, a single RADIUS message is used to determine the status of the RADIUS server. If the server remains unresponsive after waiting for a single timeout interval (without any retries), then it is placed back into the hold-down state. If the RADIUS server responds, then it is used for subscriber authentication and accounting with the rest of the healthy servers.
The different operating states of a RADIUS server are shown in RADIUS Server Operating States. When a RADIUS server is first provisioned into the AAA using the radius-server-policy command, the operating state is “unknown”. This state indicates that the RADIUS server has yet to receive a RADIUS request message. To send a request message, the radius-server-policy command provides three different access algorithms: direct, round-robin, and hash. With the direct algorithm, request messages are always sent to the in-service RADIUS server with the lowest configured server index. With the round-robin algorithm, the RADIUS requests are load-balanced in a round-robin manner. The hash algorithm offers a load-balanced alternative; the 7750 SR generates a hash-key based on the subscriber information, and the RADIUS request is then sent to a server based on the hash key. The hash method differs from the round-robin method in that, under normal working conditions, RADIUS requests from a particular subscriber are always forwarded to the same RADIUS server. When a server replies to a RADIUS request, it transitions from the operational state of “unknown” to “in-service”. A server may transition from “unknown” to “out-of-service” if the server fails to respond to the initial RADIUS message.
A RADIUS server is declared “out-of-service” when the down-timeout timer expires. The router starts the down-timeout timer when an access-request is sent. The timer only resets to “0” when a reply is received from the RADIUS server. This means that the timer can be reset to “0” if a reply message is received for another subscriber. For example, the RADIUS server may miss a message but stay “in-service” if the server responds to another access request from a different subscriber or from a retry of the same subscriber, if the reply is received within the down-timeout interval.
Note: It is highly recommended that the down-timeout command be set to its default value, which is no down-timeout. |
The down-timeout default value is the timeout value multiplied by the number of retry attempts. The timeout value is the time that the router waits for the RADIUS server to reply, and the retry value is the number of attempts the 7750 SR makes to contact the RADIUS server. If the RADIUS server remains unresponsive, the timer continues to increment until it reaches the configured down-timeout value and the server is declared “out-of-service”.
For RADIUS servers that do not respond to all RADIUS requests, a test user account can be optionally set up to periodically send RADIUS request messages to keep the server in service. Typically, a RADIUS server should always respond to all access requests. However, creating a test user account for periodic keep-alive may place an unnecessary load on the processor and may lower the overall scale of the router.
At the start of the out-of-service state, a hold-down-time timer starts. The timer holds down the RADIUS server and prevents it from operating; no RADIUS messages are sent to an out-of-service server. This is beneficial for the following reasons.
After the hold-down-time timer expires, the server enters into the “probing” state. There must be multiple RADIUS servers and at least one healthy server for the server to enter the probing state. Probing is always performed by the test user account; actual subscriber requests are never used during probing. If no test user account exists, an actual subscriber request is used to perform the probe. There are no retry attempts; only a single RADIUS message is used to probe a RADIUS server. If the RADIUS server responds, it is declared “in-service” immediately. If the RADIUS server fails to respond within the timeout value, it is declared “out-of-service” again and the hold-down-time timer restarts. Subscriber RADIUS messages used for probing are not cached, and if the server fails to respond, the subscriber is required to send the RADIUS message again by sending an address request; for example, DHCP, PPP, or Stateless Address Auto-Configuration (SLAAC) or by performing a data-trigger.
Stickiness applies to the following subscriber RADIUS accounting sessions: start, interim, and stop. By default, the subscriber sticks with the server that served its last accounting message. For example, if server 1 served the subscriber an accounting start message, then the subsequent interim messages and stop message from the same subscriber is sent to server 1. If server 1 is out of service, server 2 is used for the subsequent interim and stop messages. When server 1 recovers, the interim and stop messages sticks with server 2. The RADIUS accounting messages are always be forwarded to the server that serviced the subscriber’s last accounting message.
Typically, when using the direct access algorithm, the primary server (lowest configured server index) serves all RADIUS request messages. The other RADIUS servers are used for backup purposes only and might be using a lighter-weight processor. Therefore, it is best to revert to the primary server as soon as it is restored. This can be accomplished by disabling stickiness in direct mode; the RADIUS accounting messages are forwarded to the primary server once it is restored.
In a round-robin algorithm, while each subscriber session is assigned to a different server in round-robin order, a particular subscriber sticks with a server for the entire accounting session. Disabling stickiness sends a subscriber’s RADIUS accounting messages to the list of configured RADIUS servers in a round-robin order.
The fallback action comes into effect when connectivity to all RADIUS servers is lost. The operating state of the RADIUS servers changes to either “out-of-service” or “probing”. There are two configurable fallback actions: accept or user-db. An accept action without force-probing automatically accepts all authentication requests from all subscribers. A user-db action without force-probing uses the local-user-db for subscriber authentication.
Both accept and user-db can be combined with the force-probing command. Force-probing forces the out-of-service server to transition to the probing state immediately, bypassing the hold-down-time timer. Force-probing is a mechanism to promptly restore connectivity to a RADIUS server. A test user is not used to perform a force probe; only actual subscriber authentication is used to test the operating state of the RADIUS server. Probing only occurs when a server is out of service. If all servers are in the probing state, all new incoming authentication requests follow the fallback action immediately.
When probing with an actual subscriber authentication, the 7750 SR only waits for a reply for one timeout interval without any retries. During the wait, the server is in a probing state and no other subscribers are used to probe this server. The subscriber authentication request is not cached when used for probing. Therefore, to trigger authentication again, the subscriber is required to authenticate again with an address request or a data-trigger packet.
A test user account is used in the rare case where a RADIUS server ignores RADIUS messages as mentioned in the AAA RADIUS Server Operation Status section. Consequently, when messages are ignored, the router places the RADIUS server out of service. The test user account can keep a RADIUS server in service by periodically sending RADIUS requests to the server. The RADIUS server, while randomly ignoring other subscriber RADIUS requests, must respond to the test user requests. A RADIUS server is in service if it replies to RADIUS messages before the down-timeout timer expires. The default down-timeout default value is the timeout value multiplied by the retry value, but it is also configurable. The test user account has a configurable interval value, and it is recommended that this value be configured to be less than the down-timeout value for it to be useful. The test user account only applies to RADIUS authentication.
Typically, a RADIUS server always responds to all RADIUS requests, and therefore it is not recommended that a test user account be used unless it is absolutely required for certain types of servers. The test user account creates extra load for the processor and can affect scaling. The test user account can be used with a python script (for example, adding additional attributes to the test user account during an access-request operation).
The tools>perform>security>authentication-server-check command can be used to troubleshoot a RADIUS server by checking the connectivity and functional status of a RADIUS server for subscriber management operations. The command keyword debug can be specified to view additional information on the access request. All VSAs sent and received from the RADIUS server, the hex dump, and all other debug detailed information can be shown without the need to turn on system-wide debugging.
Additional attributes in an Access-Request message can be specified in an attribute file referenced with the command keyword attr-from-file file-url. Each attribute must be specified on a separate line in the text file in the following format shown in Table 12.
Attribute file format | Description |
<type> = <value> | Standard attribute |
<vendor>,<type> = <value> | Vendor Specific Attribute |
e,<type>,<ext-type> = <value> | Extended type attribute (RFC 6929) |
evs, <type>, <vendor>, <vendortype> = <value> | Extended Vendor Specific attribute (RFC 6929) |
le,<type>,<ext-type> = <value> | Long Extended type attribute (RFC6929) |
evs, <type>, <vendor>, <vendortype> = <value> | Long Extended Vendor Specific attribute (RFC 6929) |
In the ESM concept on network elements, a subscriber host is described by the following aspects:
This information is typically extracted from DHCP-ACK message using a Python script, and is used to provision subscriber-specific resources such as queues and filter entries. As an alternative to extracting this information from DHCP-ACK packet, provisioning from RADIUS server is supported.
As a part of this feature, the following VSAs have been defined:
When RADIUS authentication response messages contain the above VSAs, the information is used during processing of DHCP-ACK message as an input for the configuration of subscriber-host parameters, such as QoS and filter entries.
If ESM is not enabled on a given SAP, information in the VSAs is ignored.
If ESM is enabled and the RADIUS response does not include all ESM-related VSAs (an ANCP string is not considered as a part of ESM attributes), only the subscriber-id is mandatory (the other ESM-related VSAs are not included). The remaining ESM information (sub-profile, sla-profile) is extracted from DHCP-ACK message according to normal flow (Python script, and so on).
If the profiles are missing from RADIUS, they are not extracted from the DHCP data with Python to prevent inconsistent information. Instead, the data reverts to the configured default values.
However, if the above case, a missing subscriber ID causes the DHCP request to be dropped. The DHCP server is not queried in that case.
When no DHCP server is configured, DHCP-discover/request messages are discarded.
The other aspect of subscriber-host authorization is providing IP configuration (ip-address, subnet-mask, default gateway and dns) through RADIUS directory rather than using centralized DHCP server. In this case, the node receiving following RADIUS attributes assumes the role of DHCP server in conversation with the client and provide the IP configuration received from RADIUS server.
These attributes are accepted only if the system is explicitly configured to perform DHCP-server functionality on a given interface.
The following RADIUS attributes are accepted from authentication-response messages:
To support VRF selection, the following attributes are supported:
In a typical RADIUS environment, the network element serves as a RADIUS client, which means the messages are originated by a routers. In some cases, such as mid-session changes, it is desirable that the RADIUS server initiates a CoA request to impose a change in policies applicable to the subscriber, as defined by RFC 3576.
To configure a RADIUS server to accept CoA and Disconnect Messages is achieved in one of the following ways:
Note: There is a priority in the functions that can be performed by CoA. The first matching one is performed:
|
There are several reasons for using RADIUS initiated CoA messages:
If the changes to ESM attributes are required, the RADIUS server sends CoA messages to the network element requesting the change in attributes included in the CoA request:
Note: If the subscriber-id-string is changed while the ANCP string is explicitly set, the ANCP-string must be changed simultaneously. When changing the alc-subscriber-id-string, the lease state is temporarily duplicated, causing two identical ANCP-strings to be in the system at the same time. This is not allowed. |
As a reaction to such message, the router changes the ESM settings applicable to the given host.
If changes to the IP configuration (including the VRF-id in the case of wholesaling) of the given host are needed, the RADIUS server may send a CoA message containing VSA indicating request for FORCERENEW generation:
As a reaction to a message, router generates a DHCP FORCERENEW message for the given subscriber host. Consequently, during the re-authentication, new configuration parameters can be populated based on attributes included in Authentication-response message. The force-NAK attribute has the same function as the Force-Renew attribute, but causes the BNG to reply with a NAK to the next DHCP renew. This invalidates the lease state on the BNG and force the client to completely recreate its lease, making it possible to update parameters that cannot be updated through normal CoA messages, such as IP address or address pool.
If the configuration of the new subscriber-host is required, RADIUS server sends a CoA message containing VSA request new host generation along with VSAs specifying all required parameters.
After executing the requested action, the router element responds with an ACK or NAK message depending on the success/failure of the operation. In case of failure (and hence NAK response), the element includes the error code in accordance with RFC 3576 definitions if an appropriate error code is available.
Supporting CoA messages has security risks as it essentially requires action to unsolicited messages from the RADIUS server. This can be primarily the case in an environment where RADIUS servers from multiple ISPs share the same aggregation network. To minimize the security risks, the following rules apply:
In all cases (creation, modification, force-renew) subscriber host identification attributes are mandatory in the CoA request: “NAS-Port-Id + IP” or “Acct-Session-Id” or “Alc-Subsc-ID-Str” or “user-name”.
When there are no subscriber host identification attributes present in the CoA, the message is NAK’d with corresponding error code.
The properties of an existing RADIUS-authenticated PPPoE session can be changed by sending a Change of Authorization (CoA) message from the RADIUS server. Processing of a CoA is done in the same way as for DHCP hosts, with the exception that only the ESM settings can be changed for a PPPoE session (the Force-Renew attribute is not supported for PPPoE sessions and a Create-Host CoA always generates a DHCP host).
For terminating PPPoE sessions from the RADIUS server, the disconnect-request message can be sent from the RADIUS server. This message triggers a shut down of the PPPoE session. The attributes needed to identify the PPPoE session are the same as for DHCP hosts.
A CoA can be triggered through the CLI by using a tools command that does not require a RADIUS authentication policy. The tools command can also be used to spoof a CoA from a configured server for purposes such as testing CoA python scripts. However, when spoofing the CoA from a RADIUS server, the configuration of a RADIUS authentication policy is required.
The tools command, tools>perform>subscriber-mgmt>coa, supports up to five different VSAs. If more than five VSAs are required, a file with more than five VSAs can be used for execution.
The tools command does not support lawful intercept attributes.
SNMP can also trigger the tools CoA command. However, SNMP cannot execute the command when it is referencing an on-board flash file. To execute from a file, the file must be non-local, such as using a URL specifying the location of the file on an FTP server.
Only one tools>perform>subscriber-mgmt>coa command can be performed at a time. The command must complete execution before processing a new one. If the tools command becomes unresponsive, CTRL-c can be used to break out of the CoA. In addition, a failsafe mechanism automatically terminates the tools command if it has not completed within a minute.
When a router is configured to perform RADIUS-based accounting, at the creation of a subscriber-host, it generates an accounting-start packet describing the subscriber-host and send it to the RADIUS accounting server. At the termination of the session, it generates an accounting-stop packet including accounting statistics for a given host. The router can also be configured to send an interim-accounting message to provide updates for a subscriber-host.
The exact format of accounting messages, their types, and communication between client running on the routers and RADIUS accounting server is described in RFC 2866, RADIUS Accounting. The following describes a few specific configurations.
To identify a subscriber-host in accounting messages different RADIUS attributes can be included in the accounting-start, interim-accounting, and accounting-stop messages. The inclusion of the individual attributes is controlled by the following commands.
RADIUS volume accounting attributes are depending on the type of volume reporting and can be controlled with an include-radius-attribute CLI command. Multiple volume reporting types can be enabled simultaneously:
where:
detailed-acct-attributes — Report detailed per queue and per policer counters using RADIUS VSAs (enabled by default). Each VSA contains a queue or policer id followed by the stat-mode or 64 bit counter. The VSA’s included in the Accounting messages is function of the context (policer or queue, stat-mode, MDA type, and so on):
[26-6527-107] Alc-Acct-I-statmode
[26-6527-127] Alc-Acct-O-statmode
[26-6527-19] Alc-Acct-I-Inprof-Octets-64
[26-6527-20] Alc-Acct-I-Outprof-Octets-64
[26-6527-21] Alc-Acct-O-Inprof-Octets-64
[26-6527-22] Alc-Acct-O-Outprof-Octets-64
[26-6527-23] Alc-Acct-I-Inprof-Pkts-64
[26-6527-24] Alc-Acct-I-Outprof-Pkts-64
[26-6527-25] Alc-Acct-O-Inprof-Pkts-64
[26-6527-26] Alc-Acct-O-Outprof-Pkts-64
[26-6527-39] Alc-Acct-OC-O-Inprof-Octets-64
[26-6527-40] Alc-Acct-OC-O-Outprof-Octets-64
[26-6527-43] Alc-Acct-OC-O-Inprof-Pkts-64
[26-6527-44] Alc-Acct-OC-O-Outprof-Pkts-64
[26-6527-69] Alc-Acct-I-High-Octets-Drop_64
[26-6527-70] Alc-Acct-I-Low-Octets-Drop_64
[26-6527-71] Alc-Acct-I-High-Pack-Drop_64
[26-6527-72] Alc-Acct-I-Low-Pack-Drop_64
[26-6527-73] Alc-Acct-I-High-Octets-Offer_64
[26-6527-74] Alc-Acct-I-Low-Octets-Offer_64
[26-6527-75] Alc-Acct-I-High-Pack-Offer_64
[26-6527-76] Alc-Acct-I-Low-Pack-Offer_64
[26-6527-77] Alc-Acct-I-Unc-Octets-Offer_64
[26-6527-78] Alc-Acct-I-Unc-Pack-Offer_64
[26-6527-81] Alc-Acct-O-Inprof-Pack-Drop_64
[26-6527-82] Alc-Acct-O-Outprof-Pack-Drop_64
[26-6527-83] Alc-Acct-O-Inprof-Octs-Drop_64
[26-6527-84] Alc-Acct-O-Outprof-Octs-Drop_64
[26-6527-91] Alc-Acct-OC-O-Inpr-Pack-Drop_64
[26-6527-92] Alc-Acct-OC-O-Outpr-Pack-Drop_64
[26-6527-93] Alc-Acct-OC-O-Inpr-Octs-Drop_64
[26-6527-94] Alc-Acct-OC-O-Outpr-Octs-Drop_64
[26-6527-108] Alc-Acct-I-Hiprio-Octets_64
[26-6527-109] Alc-Acct-I-Lowprio-Octets_64
[26-6527-110] Alc-Acct-O-Hiprio-Octets_64
[26-6527-111] Alc-Acct-O-Lowprio-Octets_64
[26-6527-112] Alc-Acct-I-Hiprio-Packets_64
[26-6527-113] Alc-Acct-I-Lowprio-Packets_64
[26-6527-114] Alc-Acct-O-Hiprio-Packets_64
[26-6527-115] Alc-Acct-O-Lowprio-Packets_64
[26-6527-116] Alc-Acct-I-All-Octets_64
[26-6527-117] Alc-Acct-O-All-Octets_64
[26-6527-118] Alc-Acct-I-All-Packets_64
[26-6527-119] Alc-Acct-O-All-Packets_64
std-acct-attributes — Report IPv4 and IPv6 aggregated forwarded counters using standard RADIUS attributes (disabled by default):
[42] Acct-Input-Octets
[43] Acct-Output-Octets
[47] Acct-Input-Packets
[48] Acct-Output-Packets
[52] Acct-Input-Gigawords
[53] Acct-Output- Gigawords
v6-aggregate-stats — Report IPv6 aggregated forwarded counters of queues and policers in stat-mode v4-v6 using RADIUS VSAs (disabled by default):
[26-6527-194] Alc-IPv6-Acct-Input-Packets
[26-6527-195] Alc-IPv6-Acct-Input-Octets
[26-6527-196] Alc-IPv6-Acct-Input-GigaWords
[26-6527-197] Alc-IPv6-Acct-Output-Packets
[26-6527-198] Alc-IPv6-Acct-Output-Octets
[26-6527-199] Alc-IPv6-Acct-Output-Gigawords
In addition to accounting-start, interim-accounting, and accounting-stop messages, a RADIUS client on a routers also sends accounting-on and accounting-off messages. An accounting-on message is sent when a given RADIUS accounting-policy is applied to a given subscriber-profile, or the first server is defined in the context of an already applied policy. The following attributes included are in these messages:
Accounting-off messages are sent at following events:
These messages contain following attributes:
In case of dual homing, both nodes send RADIUS accounting messages for the host, with all attributes as it is locally configured. The RADIUS log files on both boxes need to be parsed to get aggregate accounting data for the given subscriber host regardless the node used for forwarding.
For RADIUS-based accounting, a custom record can be defined to refine the data that is sent to the RADIUS server. Refer to the “Configuring an Accounting Custom Record” in the 7450 ESS, 7750 SR, 7950 XRS, and VSR System Management Guide for further information.
The VSA acct-terminate-cause attribute provides some termination information. Two additional attributes: [VSA 227] alc-error-message and [VSA 226] alc-error-code provide additional information in both string and numeric format about the terminating cause of the subscriber session. The full list of error messages and their corresponding error codes can be viewed using the command tools>dump>aaa> radius-acct-terminate-cause.
If required, python can alter the content of both VSAs. The following is a python script example where the error codes are remapped from 123 to 8 and from 124 to 17:
This section is applicable to the 7750 SR or the 7450 ESS. There are three basic accounting models:
Each of the basic models can optionally be enabled to send interim-updates. Inclusion/exclusion of interim-updates depends on whether volume based (start/interim-updates/stop) or time-based (start/stop) accounting is required.
The difference between the three basic accounting models is in its core related to the processing of the acc-session-id for each model. The differences are related to:
The counters for volume-based accounting are collected from queues or policers that are instantiated per sla-profile instance (SPI). This is true regardless of which model of accounting (or combination of models) is deployed. Within accounting context, the SPI equates to queue-instance.
Table 13 summarizes the key differences between various accounting modes of operation that are supported. Interim-updates for each individual mode can be enabled or disabled through configuration (interim-update keyword as an extension to the commands that enable three basic modes of accounting). This is denoted by the IU-Config keyword under the ‘I-U’ column in the table. The table also shows that any two combinations of the three basic models (including their variants for volume and time- based accounting) can be enabled simultaneously.
Accounting Mode | Accounting Entity | START | I-U | STOP | Acct-session-id | Acct-multi- session-id |
queue-instance-accounting | queue-instance | X | IU-config | X | X | |
session | ||||||
host | ||||||
session-accounting | queue-instance | |||||
session | X | IU-config | X | X | queue-instance | |
host | ||||||
host-accounting | queue-instance | |||||
session | ||||||
host | X | IU-config | X | X | queue-instance | |
queue-instance-accounting + host-accounting | queue-instance | X | IU-config | X | X | queue-instance |
session | ||||||
host | X | IU-config | X | X | queue-instance | |
queue-instance-accounting + session-accounting | queue-instance | X | IU-config | X | X | queue-instance |
session | X | IU-config | X | X | queue-instance | |
host | ||||||
session- accounting + host-accounting | queue-instance | queue-instance | ||||
session | X | IU-config | X | X | ||
host | X | X | X | SESSION |
Note: Hosts within the targeted CoA entity are affected as follows:
|
The same principle applies to LI.
The accounting behavior (accounting messages and accounting attributes) in case that the SPI is changed with CoA depends on the accounting mode of operation. The behavior is the following:
In the per session accounting mode of operation the accounting message stream (START/INTERIM-UPDATE/STOP) is generated per session. The accounting message stream refers to a collection of accounting messages (START/INTERIM-UPDATE/STOP) sharing the same acct-session-id.
In dual-stack PPPoE case, IPv4 and IPv6 hosts are tied to the same (LCP) session. A single authentication request is initiated for such session (triggered by the first host that initiates the session).
For a single stack PPPoE host, the behavior defined in the per session accounting model is indistinguishable from the per host accounting model. The per session accounting model makes difference in behavior only for dual-stack PPPoE hosts.
The following are the properties of the Per Session Accounting model:
The Prefix Delegation (PD) prefix is included in the accounting messages using the VSA [99], Framed-IPv6-Route attribute with the string type “pd-host” appended to differentiate it from a regular framed IPv6 route; for example, FRAMED IPV6 ROUTE [99] 39 2001:1000::/64 :: 0 pref 0 type pd-host. PD as a managed route is applicable to both PPP and IPoE sessions and can point either to an IPv4 host or to an IPv6 WAN host.
Table 14 outlines the RADIUS accounting behavior based on the session type and the next-hop host.
Session Type and Next-Hop Host | RADIUS Accounting Start | RADIUS Accounting Interims | RADIUS Accounting Stop |
PPP session with IPv6 PD pointing to IPv4 host as the next hop | A PPP connection triggers an accounting start | A DHCP NA+PD solicit triggers an interim update for the PD host with interim reason “delegated-ipv6-prefix-up” and the prefix included in the VSA Framed-IPv6-Route A DHCP PD solicit triggers an interim update for the PD host with interim reason delegated-ipv6-prefix-up and the prefix included in the VSA framed-ipv6-route Caveat
| A PPP disconnect with only the IPv4 and IPv6 PD host triggers an accounting stop with the prefix included in the VSA Framed-IPv6-Route Caveat
|
PPP session with IPv6 PD pointing to IPv6 NA host as the next hop | A PPP connection triggers an accounting start. It is possible to have a single-stack IPv6-only session | A DHCP NA+PD solicit triggers an interim update for the PD host with interim reason delegated-ipv6-prefix-up and the prefix included in the VSA framed-ipv6-route Caveat
| A PPP subscriber disconnect triggers an accounting stop with the PD host prefix included in the VSA Framed-IPv6-Route |
IPoE session with IPv6 PD pointing to IPv4 host as the next hop | A DHCPv4 or a DHCPv6 request (DHCPv6 always performs NA and PD requests together) triggers the accounting start | A DHCP PD is always performed together with NA. The PD is not in the start message but is included in the accounting interim update as a part of the host update. If the DHCPv4 lease expires, the interim update contains the PD prefix in the VSA framed-ipv6-route Caveat
| If only the IPv4 host and PD host remain, the release of the DHCPv4 triggers an accounting stop with the PD host prefix included in the VSA Framed-IPv6-Route Caveat
|
IPoE session with IPv6 PD pointing to IPv6 NA host as the next hop | A DHCPv4 or a DHCPv6 request (DHCPv6 always performs NA and PD requests together) triggers the accounting start. It is possible to have a single-stack IPv6-only session | A DHCP PD is always performed together with NA. The PD is not in the start message but is included in the accounting interim update as a part of the host update. Caveat
| If only the IPv6 subscriber is left, the release of NA contains the prefix of the PD host Caveat
|
RADIUS Per Host Accounting
In SR OS, the accounting paradigm is based on SLA profile instances yet this is at odds with traditional RADIUS authentication and accounting which is host-centric. In previous SR OS releases, it was possible to have many hosts sharing a common SLA profile instance, and thus accounting and QoS parameters. Complications would arise with RADIUS accounting because Accounting-Start and Accounting-Stop are a function of sla-profile instance and not the hosts. This meant that some host-specific parameters (like framed-ip-address) would not be consistently included in RADIUS accounting.
Currently, dual-stack subscribers are really two different hosts sharing a single sla-profile instance. A new RADIUS accounting mode has been introduced to support multiple-host environments.
Under accounting-policy, a host-accounting command allows configurable behavior.
In prior releases and when no host-accounting is configured, the accounting behavior is as follows:
When host-accounting is configured, additional RADIUS accounting messages are created for host activity in addition to messages for common queue accounting. The behavior is as follows:
This new behavior means certain AVP may be in either host; sla-profile instance or both accounting records.
Note that interim-acct records are not sent for hosts, only the start- and stop-accting messages. Refer to the 7750 SR and VSR RADIUS Attributes Reference Guide for attributes that are applicable for RADIUS accounting AVPs.
When host-update is enabled In session accounting, a dual-stack subscriber can generate multiple host update accounting messages at the start and end of a session (for example, one for the IPv4 host and two more for the IPv6 WAN and IPv6 PD hosts). Two features can be used to reduce the number of host update messages per subscriber.
The first feature delays the Start Accounting message by a configurable value and is applicable to both PPPoE and IPoE sessions. The command for configuring this feature is config>subscr-mgmt>acct-plcy>delay-start-time. The delay allows the full dual-stack address assignment to be completed before triggering the accounting Start message. The Start message reports all the addresses and prefixes assigned to the subscriber at that time. Subsequent new or disconnected hosts triggers interim host updates if enabled.
The second feature is for PPPoE sessions only and is used to reduce the number of host update messages when a dual-stack PPP subscriber disconnects. The command for configuring this feature is config>subscr-mgmt>sub-prof>rad-acct>session-optimized-stop. A single accounting Stop message containing all the addresses and prefixes for the subscriber at the time is generated.
The interval between two RADIUS Accounting Interim Update messages can be configured in the RADIUS accounting policy with the update-interval command, for example:
A RADIUS specified interim interval (attribute [85] Acct-Interim-Interval) overrides the CLI configured value.
By default, a random delay of 10% of the configured update-interval is added to the update-interval between two Accounting Interim Update messages. This jitter value can be configured with the update-interval-jitter to an absolute value in seconds between zero and 3600. The effective maximum random delay value is the minimum value of the configured absolute jitter value and 10% of the configured update-interval.
A value of zero sends the Accounting Interim Update message without introducing an additional random delay.
The vendor-specific attribute (VSA) [228], Alc-Triggered-Acct-Interim, can be used in a Change of Authorization message to trigger an interim accounting message. This feature requires the accounting mode to have interim updates enabled. You can enable interim updates using, the config>subscr-mgmt>radius-acct-plcy>host-accounting interim-update command. The VSA can hold a string of up to 247 characters. The accounting interim echoes this string in the interim message under the same Alc-Triggered-Acct-Interim VSA along with Alc-Acct-Triggered-Reason = CoA-triggered. If the VSA is left blank, it still triggers the accounting interim message with Alc-Acct-Triggered-Reason = CoA-triggered (18), but without the Alc-Triggered-Acct-Interim attribute. If the subscriber session has multiple accounting policies or modes enabled, multiple interim messages are generated.Some CoAs, such as SLA profile or sub-profile changes, triggers accounting update messages to be generated automatically. These CoAs can automatically generate one or more accounting interim messages. If these CoAs also include the Alc-Triggered-Acct-Interim VSA, no additional interim accounting messages are generated. The last automatically-generated accounting interim message contain these reasons:
The RADIUS class attribute helps to aid in user identification.
User identification is used to correlate RADIUS accounting messages with the given user. During the authentication process, the RADIUS authentication server inserts a class attribute into the RADIUS authenticate response message and the router echoes this class attribute in all RADIUS accounting messages.
The 7750 SR can store up to six class attributes for both RADIUS and NASREQ. Each class VSA or AVP can have a maximum of 253 characters. If the VSA or AVP contains more than 253 characters, only the first 253 characters is stored. If there are more than six VSAs or AVPs, only the first six is stored. This functionality is also applicable to RADIUS authentication by the ISA.
The user-name, which is used for user authentication (user-name attribute in RADIUS authentication request), can be included in RADIUS accounting messages. Per RFC 2865, when a RADIUS server returns a (different) user-name attribute, the changed user name is used in accounting and not the originally sent user name.
For RADIUS servers configured in a RADIUS server policy, the accounting on and off behavior is controlled with the acct-on-off command in the radius-server-policy.
By default, no Accounting-On or Accounting-Off messages are sent (no acct-on-off).
With the acct-on-off command configured in the radius-server-policy:
The Accounting-On or Accounting-Off message is sent to the servers configured in the radius-server-policy, following the configured access-algorithm until an Accounting Response is received. If the first server responds, no message is sent to the other servers.
The Accounting-On message is repeated until an Accounting Response message is received from a RADIUS server: If after the configured retry or timeout timers for each RADIUS server in the RADIUS server no response is received then the process starts again after a fixed one minute wait interval.
The Accounting-Off message is attempted once: If after the configured retry or timeout timers for each RADIUS server in the RADIUS server policy no response is received then no new attempt is made.
It is possible to block a RADIUS server policy until an Accounting Response is received from one of the RADIUS servers in the RADIUS server policy that acknowledges the reception of an Accounting-On. The RADIUS server policy cannot be used by applications for sending RADIUS messages until the state becomes “Not Blocked”. This is achieved with the optional “oper-state-change” flag, for example:
If multiple RADIUS server policies are in use for different applications (for example, authentication and accounting) and an Accounting-On must be send for only one RADIUS server policy, it is possible to tie the acct-on-off states of both policies together using an acct-on-off-group. With this configuration, it is possible to block the authentication servers until the accounting servers are available. An acct-on-off-group can be referenced by:
It is possible to force an Accounting-On or Accounting-Off message for a RADIUS server policy with acct-on-off enabled using following CLI commands:
tools perform aaa acct-on [radius-server-policy policy-name] [force]
tools perform aaa acct-off [radius-server-policy policy-name] [force] [acct-terminate-cause number]
If an Accounting-On was sent to the radius-server-policy and it was acknowledged with an Accounting Response then a new Accounting-On can only be sent with the “force” flag.
If an Accounting-Off was sent to the radius-server-policy and it was acknowledged with an Accounting Response then a new Accounting-Off can only be sent with the “force” flag. The Acct-Terminate-Cause value in the Accounting-Off can be overwritten.
Use the following CLI command to display the Accounting On/Off information for a radius-server-policy:
The operational state provides following state information: The sending of the Accounting-On or Accounting-Off message is ongoing (sendAcctOn, SendAcctOff), is successfully responded (on, off) or no response received (OffNoResp).
The Session-Id is a unique identifier for each RADIUS server policy accounting Accounting-On/Accounting-Off sequence.
The Trigger field shows what triggered the Accounting On or Accounting Off message. If the radius-server-policy is part of an acct-on-off group then the group name is shown in brackets.
The Server field shows which server in the RADIUS server policy responded to the Accounting-On or Accounting-Off message.
To display the acct-on-off state of a radius-server-policy, use the command, for example:
The Acct-On-Off field indicates if the sending of Accounting-On and Accounting-Off messages is enabled or disabled. If enabled, the oper-state is displayed: state Blocked or state Not Blocked. When Blocked, the radius-server-policy cannot be used to send RADIUS messages.
To display acct-on-off-group information, use following command, for example:
When all servers in a RADIUS server policy are unreachable, it is possible to buffer the Accounting Start, Accounting Stop, and Accounting Interim-Update messages for up to 25 hours. Accounting Start messages have a separate buffer from Accounting Interim-Update and Stop messages. When a RADIUS server becomes reachable again, the messages in the buffer are retransmitted. If, for the same accounting session, an Accounting Start message and an Accounting Interim-Update or Stop message is buffered, then the Accounting Start message is sent before the Interim-Update or Stop message.
RADIUS Accounting message buffering parameters can be configured per message type, for example:
When RADIUS accounting message buffering is enabled:
When Accounting Start message buffering is enabled:
When Accounting Interim-Update message buffering is enabled:
Use the following clear command to manually delete messages from the RADIUS accounting message buffer:
clear aaa radius-server-policy policy-name msg-buffer [acct-session-id acct-session-id]
When specifying the account session ID, only that specific message is deleted from the message buffer. If no account session ID is specified, all messages for that RADIUS server policy are deleted from the message buffer.
Use the following show commands to display the RADIUS accounting message buffer statistics:
Use following clear command to reset the RADIUS accounting message buffer statistics:
# clear aaa radius-server-policy policy-name statistics msg-buffer-only
Use the following tools commands to display the RADIUS accounting message buffer content:
# tools dump aaa radius-server-policy policy-name msg-buffer [session-id acct-session-id]
For example:
When specifying the Acct-Session-Id, the message details are displayed.
The subscriber profile allows the user to configure a primary accounting policy with an additional accounting policy. The accounting policies are independent of each other and each policy has its own accounting mode, update interval, and include attributes. The RADIUS VSA [85] Acct-Interim-Interval attribute changes both the primary and the duplicate accounting interim update interval.
In scenarios where PAP/CHAP RADIUS authentication is used for PPPoE sessions, an accounting stop message can be generated to notify the RADIUS servers in case of an authentication failure. This feature is not supported for PADI authentication.
The failure events are categorized in three categories:
Each of the categories can be enabled separately in the RADIUS authentication policy.
In the Enhanced Subscriber Management (ESM) model, the RADIUS accounting server is found after authentication and host identification as part of the subscriber profile configuration. To report authentication failures to accounting servers, an alternative RADIUS accounting policy configuration is required: local user database pre-authentication can provide the RADIUS authentication policy to be used for authentication and the RADIUS accounting policy to be used for authentication failure reporting. A duplicate RADIUS accounting policy can be specified if the accounting stop resulting from a RADIUS authentication failure must also be sent to a second RADIUS destination.
To enable local user database pre-authentication, use the user-db configuration in the capture SAP and in the group interface. For example:
If IPoE host creation fails, the system can generate an accounting stop message. This feature is similar to the feature described in Sending an Accounting Stop Message upon a RADIUS Authentication Failure of a PPPoE Session. It allows the system to generate an accounting stop message for most host creation failure cases. For IPoE, only the failure event “on-accept-failure” is supported. This failure condition applies when the host was successfully authenticated but the host creation failed (for example, a duplicate host IP address was detected on the new host).
Because RADIUS accounting starts only after the host is successfully created, a failed host cannot trigger a RADIUS accounting message. For this reason, similar to PPPoE, the local user database must be used to provide the RADIUS accounting server for reporting the failure.
The [26.6527.226] Alc-Error-Code and [26.6527.227] Alc-Error-Message attributes are used to report the failure in the RADIUS accounting stop message. The error code is a numeric value that represents the error, and the error message is a descriptive text string that explains the actual failure reason. For IPoE, the error code uses the 279 value (in decimal format) or 0x117 value (in hexadecimal format) "Failed to create subscriber host". The error message provides the same detailed reason for the host creation failure as the log message in log 99.
In residential broadband networks numerous subscribers can be provisioned that can require significant changes on a daily basis. Manually configuring the applicable parameters for each subscriber would be prohibitive. The Nokia 7450 ESS and 7750 SR have been designed to support fully dynamic provisioning of access, QoS and security aspects for residential subscribers using DHCP to obtain an IP address. Enabling Enhanced Subscriber Management drastically reduces the configuration burden.
Enhanced Subscriber Management in the 7450 ESS and 7750 SR supports many vendor's access nodes and network aggregation models, including VLAN per customer, per service or per access node.
The system can switch between standard and enhanced subscriber management modes on a per SAP basis. The Enhanced Subscriber Management mode is supported on the SR-7 and SR-12 chassis and on the ESS-7 chassis.
Some functions are common between the standard and enhanced modes. These include DHCP lease management, static subscriber host definitions and anti-spoofing. While the functions of these features may be similar between the two modes, the behavior is considerably different.
When the enhanced mode is enabled on a SAP (see Subscriber SAPs), first, the router ensures that existing configurations on the SAP do not prevent proper enhanced mode operation. If any one of the following requirements is not met, enhanced mode operation is not allowed on the SAP:
When the router successfully enables the enhanced mode, the current dynamic subscriber hosts are not touched until a DHCP message event occurs that allows re-population of the dynamic host information. Thus, over time, the dynamic subscriber host entries are moved from SAP-based queuing and SAP-based filtering to subscriber-based queuing and filtering. In the event that a dynamic host event cannot be processed due to insufficient resources, the DHCP ACK message is discarded and the previous host lease information is retained in the system.
Subscriber — A subscriber is typically defined by a unique subscriber identifier to which an assortment of polices (or subscriber profile) can be applied. A subscriber typically (but not always) maps into a VLAN, a VPI/VCI pair, an “ifentry” (a logical interface such as a SAP), a (source) MAC or IP address or a physical port, which uniquely identify a billable entity for the service provider.
Subscriber Management — The management of all services, policies, AAA functions and configurations that relate to the concept of a subscriber. Subscriber management can be configured in a variety of ways, but it is critical that subscriber management integrates seamlessly with element and service management across the broadband infrastructure by, for instance, the 5750 Subscriber Services Controller (SSC). Subscriber management can also be implemented through CLI or scripted commands at the platform level, whereby a network administrator would manually configure the set of QoS, security, AAA or anti-spoofing functions that relate to a particular billable entity or subscriber. Subscriber management is typically centralized and highly integrated with the element, services and middleware management functions for streamlined management, flowthrough provisioning, and accelerated service activation, with minimized operating expenditures.
Subscriber Policy Enforcement — The set of actual enforcement functions that are implemented relative to a given subscriber, possibly at multiple enforcement points in the infrastructure and as a result of a match between the subscriber profile which was defined by the subscriber management suite (5750 SSC) and actual traffic patterns. Examples include for instance, the shaping, policing or rate limiting of traffic or the traffic of a given subscriber being dropped because it matched or violated any specific rule (packet with a mismatch between MAC and IP address suggesting an address spoof for instance).
Subscriber SAPs — A subscriber SAP is a service access point (SAP) where enhanced subscriber management is active. Enhanced subscriber management must be explicitly enabled on a per-SAP basis with the CLI sub-sla-mgmt command.
A subscriber SAP can be used by a single subscriber or support multiple subscribers simultaneously. Each subscriber can be represented by one or multiple subscriber hosts on the subscriber SAP. If enhanced subscriber management is enabled on a SAP, any configured QoS and IP filter policies defined on the SAP are ignored. A subscriber SAP must refer to an existing subscriber identification policy.
Hosts and Subscribers — A host is a device identified by a unique combination of IP address and MAC address. Typically, the term “subscriber host” is used instead of the “host”.
A host can be an end-user device, such as a PC, VoIP phone or a set top box, or it can be the user’s Residential Gateway (RGW) if the RGW is using Network Address Translation (NAT).
Each subscriber host must be either statically provisioned or dynamically learned by the system. The host’s IP address plus MAC address are populated in the subscriber host table on the appropriate SAP to allow packets matching the IP address and MAC address access to the provider’s network.
A subscriber (in the context of the router) is a collection of hosts getting common (overall) treatment. It is expected that this group of hosts originate from the same site and all hosts of a subscriber are reached by the same physical path (such as a DSL port).
Once a subscriber host is known by the system, it is associated with a subscriber identifier and an SLA profile instance. Subscriber hosts with a common subscriber identifier are considered to be owned by the same subscriber.
Depending on the network model, hosts associated with a single subscriber can be associated with a single subscriber SAP or spread across multiple subscriber SAPs on the same port.
The subscriber identification policy contains the URL definitions for the Programmable Subscriber Configuration Policy (PSCP) scripts used for DHCP ACK message processing. Up to three URLs can be defined per subscriber identification policy. These are designated as primary, secondary and tertiary. Each URL can be individually enabled or disabled. Only one script (the URL with the highest priority active script) is used at any one time to process DHCP ACK messages. If the system detects an error with a specified script, the URL is placed in an operationally down state. If the script is shut down, it is placed in an administratively down state. A script that is operationally or administratively down is considered inactive. The system automatically reverts to the highest priority active script. If a script becomes operationally down, it must be cycled through the administratively down then administratively up states for the system to attempt to reactivate the script.
Multiple subscriber identification policies are provided for the event that access nodes (such as DSLAMs) from different vendors are attached to the same router. Each policy’s active script can be explicitly defined to process the various DHCP message formats or idiosyncrasies of each vendor.
If a script is changed, it must be reloaded by disabling and re-enabling any URL which refers to the changed script (a shutdown command followed by a no shutdown command).
Each subscriber identification policy can also contain a subscriber profile map and/or an SLA profile map. The subscriber profile map creates a mapping between the sub-profile-strings returned from the active script with an existing subscriber profile name. The SLA profile map is used to create a mapping between the sla-profile-strings returned from the active script with an existing SLA profile name.
The subscriber identification policy is designed to accept a DHCP ACK message destined for a subscriber host and return up to three string values to the system;
These strings are used to derive the subscriber profile and the SLA profile to be used for this host See Using Scripts for Dynamic Recognition of Subscribers.
Subscribers are managed by the router through the use of subscriber identification strings. A subscriber identification string uniquely identifies a subscriber.
The subscriber identification string is the index key to any entry in the active subscriber table, and thus must always be available. It is derived as follows:
When multiple hosts are associated with the same subscriber identification string, they are considered to be host members of the same subscriber. Hosts from multiple SAPs can be members of the same subscriber, but for proper virtual scheduling to be performed all hosts of a subscriber must be active on the same IOM.
When the first host (either dynamic or static) is created with a certain subscriber identification string, an entry is created in the active subscriber table. The entries are grouped by their subscriber identification string.
The subscriber profile is a template which contains those hierarchical QoS (HQoS) and accounting settings which are applicable to all hosts belonging to the same subscriber. These include:
Subscribers are either explicitly mapped to a subscriber profile template or are dynamically associated with a subscriber profile.
Attempting to delete any subscriber profile (including the profile named ‘default’) while in use by an existing active subscriber fails.
For the purpose of supporting multiple service types (such as high speed Internet (HSI), voice over IP (VoIP), video on demand (VoD) and Broadcast TV) for a single subscriber, the hosts associated with a subscriber can be subdivided into multiple SLA profiles.
The SLA profile contains those QoS and security settings which are applicable to individual hosts. An SLA profile acts like a template and can be used by many subscribers at one time. Settings in the SLA profile include:
If the SLA profile does not explicitly define an ingress or egress QoS policy, the default SAP ingress or default SAP egress QoS policy is used.
See Determining the SLA Profile for information on how the SLA profile is determined for dynamic hosts.
An explicit mapping of a subscriber identification string to a specific subscriber profile can be configured.
An explicit mapping overrides all default subscriber profile definitions while processing a DHCP ACK. In an environment where dynamic and static hosts coexist in the context of a single subscriber, do not define a subscriber profile in the explicit subscriber map that conflicts with the subscriber profile provisioned for the static host(s). If such a conflict occurs, the DHCP ACKs are dropped.
An explicit mapping of a subscriber identification string to the subscriber profile name ‘default’ is not allowed. However, it is possible for the subscriber identification string to be entered in the mapping table without a defined subscriber profile which can result in the explicitly defined subscriber to be associated with the subscriber profile named ‘default’.
Attempting to delete a subscriber profile that is currently defined in an explicit subscriber identification string mapping fails.
The explicit mapping entries can be removed at any time.
ESM for IPv6 is supported on the 7750 SR chassis or the 7450 ESS chassis. ESM for IPv6 is supported with RADIUS as the backend authentication and authorization mechanism.
For PPPoE, the BNG suggests the IPv6CP protocol to the client during the session setup phase if the appropriate attributes have been returned by the RADIUS server on authentication. The RADIUS attribute that indicates the setup of a PPPoE host is Framed-IPv6-Prefix, which should contain a /64 prefix for the client.
When a PPPoE host has successfully completed the IPv6CP negotiation, the BNG transmits a Router Advertisement to the PPPoE host containing the suggested prefix and any other options that are configured. The client may use this information to pick one or more addresses from the suggested prefix; all addresses within the prefix are forwarded towards the client.
Alternatively, the Recursive DNS Server (RDNSS) Option as defined in RFC 6106, IPv6 Router Advertisement Options for DNS Configuration, can be included in IPv6 Router Advertisements for DNS name resolution of IPv6 SLAAC hosts. The following CLI command includes the DNS info in IPv6 Router Advertisements for SLAAC hosts and sets the RDNSS lifetime:
The source for DNS information to be included in Router Advertisements for IPv6 SLAAC hosts, can be (listed in priority order):
Note: A default IPv6 server configuration at the group interface is a last resort IPv6 DNS info that can be used for IPoEv6 hosts (IA_NA, IA_PD and SLAAC) and PPPoEv6 hosts (IA_NA, IA_PD and SLAAC). |
Initially, a PPPoE RG follows the same procedure as a PPPoE host: the BNG receives a prefix from RADIUS (in this case through a Delegated-IPv6-Prefix attribute), which is used as a trigger to suggest the IPv6CP protocol to the client. The prefix that is suggested to the client should have the same prefix length as configured under the subscriber>if>ipv6 node (delegated-prefix-length). This length should be between 48 and 64 bits, inclusive.
After the IPv6CP protocol has completed, however, the client should run the DHCPv6 protocol over its PPPoE tunnel to receive a Delegated Prefix (IA_PD) and optionally IPv6 DNS server information. This Delegated Prefix can then be subdivided by the client and distributed over its downstream interfaces. During DHCPv6, no extra RADIUS requests are made; the information is stored during the initial (PPPoE or PPP) authentication until the client starts DHCPv6.
Only after DHCPv6 has completed, the IPv6 subscriber host is instantiated and the BNG starts sending Router Advertisements (if configured.) The router advertisements do not contain any prefix information, which has already been provided by DHCPv6, but it is used as an indication to the client that its default gateway should be the BNG.
Similar to an IPv4 DHCP client, a DHCPv6 client is authenticated at its Solicit message, where it can request one or more addresses or prefixes. The address and prefix types supported are IA_NA (Non-Temporary Address) through the Alc-IPv6-Address RADIUS attribute and IA_PD (Delegated Prefix) through the Delegated-IPv6-Prefix attribute. Contrary to the IPv4 case, the BNG always replies to a DHCPv6 request because the client may request more than one address or prefix simultaneously and not all of the requests may be honored.
The DHCPv6 protocol handling and Router Advertisement behavior are similar to the PPPoE RG case above, with the exception that for an IA_NA address, the entire /64 prefix containing the address is allocated to the client.
For SLAAC prefix assignment, authentication is triggered on router-solicit message. The SLAAC prefix can be assigned statically or dynamically. For a static SLAAC prefix, frame-ipv6-prefix, RADIUS attribute is used. For dynamic SLAAC prefix assignment from a local pool, Alc-slaac-ipv6-pool, RADIUS attribute is used.
IPv6 ESM hosts are only supported in the Routed CO model (both VPRN and IES).
At the IPv6 node under the subscriber interface level, the length of the prefixes that are offered is defined through the delegated-prefix-length option. This setting is fixed for the subscriber interface and cannot be changed once subscriber prefixes are defined.
Subscriber prefixes define the ranges of addresses that are offered on this subscriber interface. By default, only these subscriber prefixes are exported to the routing protocols to keep the routing tables small. There are three types of subscriber interfaces:
The subscriber interface prefix can also be provisioned through RADIUS. The RADIUS VSA Alc-IPv6-Sub-If-Prefix requires a prefix and the prefix type. The prefix type can be pd, wan, or both. The prefix is then installed on the subscriber interface where the subscriber is instantiated. The prefix state is tied to the state of the subscriber. Once the subscriber session ends, the prefix is removed from the subscriber interface and subsequently from both the FDB and the RIB. This feature can be used as an alternative to unnumbered subscriber interfaces, where the subscriber interface prefix does not need to be predetermined. However, by installing the prefix after authentication, the subscriber interface becomes numbered. In an unnumbered subscriber interface all subscriber routes are installed whereas in a numbered subscriber interface only the subscriber interface prefix is advertised, therefore reducing the number of advertised routes significantly. The RADIUS-installed prefix can then be advertised through a routing protocol. Subscriber interface prefixes are under the protocol direct type similar to other router interfaces. To advertise only the subscriber interface prefix installed by RADIUS, origin aaa can be used in the router policy.
The IPv6 node under the group interface contains the DHCPv6 proxy configuration and the router advertisement configuration.
Subscriber interfaces are created as 64-bit WAN mode interfaces by default. At the time of creation, the subscriber interface can also be created as a 128-bit WAN mode interface. After the subscriber interface is created, the WAN mode cannot be changed. To change the WAN mode, the 64-bit subscriber interface must be removed and then recreated as 128-bit. This section describes the differences between 64-bit and 128-bit WAN modes.
In a 64-bit WAN mode subscriber interface, the following rules apply.
64-bit WAN mode is applicable in deployment models where each subscriber is assigned a unique /64 WAN-prefix which can be used for DHCP or SLAAC.
In a 128-bit WAN mode subscriber interface, the following rules apply.
It might be beneficial in some deployments for operators to migrate from 64-bit to 128-bit WAN mode. For example, the ability to assign consecutive 128-bit address and minimize the subnet required for Residential Gateway or Cable Modem IPv6 DHCP IANA WAN management address.
A 64-bit WAN mode subscriber interface cannot be changed into a 128-bit WAN mode subscriber interface in real time. To migrate to a 128-bit WAN mode subscriber interface, the 64-bit WAN mode subscriber interface must be a removed and re-created. The 64-bit configuration must be copied, shut down, and the configuration removed. The configuration can be pasted back with the 128-bit mode added to the subscriber interface. Below are some migration scenarios.
Change RADIUS, Diameter, and LUDB in advance of migrations to minimize service impact. Ensure that MSAP stickiness is disabled and idle sticky MSAPs are removed. Nokia recommends performing this migration during a maintenance window.
To prepare to migrate PPPoE and IPoE DHCP hosts on MSAPs, perform the following steps.
A migration can be performed for either PPPoE and LNS hosts or IPoE DHCP-based hosts. The migration is dependent on subscriber deletion.
For PPPoE and LNS hosts, when a host disconnects their session, the next session is migrated. To speed up the migration, and depending on the RG capability, manually clearing the session could trigger the RG to re-connect through PPPoE immediately, and migrate to the new interface.
When migrating IPoE DHCP-based hosts, Nokia recommends changing both the current DHCPv4 and DHCPv6 lease time and rebind times to one hour or more. It is important to migrate only a small sample size to control the number of DHCP renews. Subscribers are migrated in the following three ways.
Nokia recommends performing this migration during a maintenance window. This migration process is service-impacting.
When migrating IPoE DHCP-based hosts, Nokia recommends changing both the current DHCPv4 and DHCPv6 lease time and rebind time to one hour or more. It is also recommended to migrate only a small sample size to control the number of DHCP renews. After all leases have been changed to a shorter lease time, perform the following steps to prepare for the migration.
Following these preparation steps, a migration can be performed for either PPPoE and LNS hosts or IPoE DHCP-based hosts. The migration is dependent on subscriber deletion.
For PPPoE and LNS, when hosts disconnect their session, the RG may try to re-connect by PPPoE immediately and migrate to the new interface.
For IPoE hosts, new subscribers are automatically migrated upon logging in. Some end customers may be required to manually reboot the RG to send a DHCP discover/solicit.
Nokia recommends performing this migration during a maintenance window. This migration process is service-impacting. Before the migration can begin, the data-trigger node on the group interface must be shut down, then all the data-triggered hosts must be cleared.
To migrate data-trigger hosts:
Clients may support both IPv4 and IPv6 simultaneously (dual-stack hosts.) In this case, one subscriber host entry is created for the IPv4 address family and one for the IPv6 instance. The scaling limits apply for all entries, regardless of address type.
For DHCP, these subscriber hosts are fully independent (as they are set up through different protocols), but for PPPoE hosts or RGs, the ESM information in both subscriber host entries is linked together through the PPPoE session.
Router Advertisement (RA) messages begin immediately after the subscriber host is instantiated and unsolicited messages are sent in the interval defined in the configuration. Apart from unsolicited RAs, the client may also send a router solicitation (RS) to explicitly request the information. RAs are throttled so that they are not sent more than once every three seconds.
The Router Advertisement Policy feature overrides the group interface RA configuration for hosts on a given MAC on a given SAP. The policy is applied directly to the sending instance where it sends periodic RAs. The policy can be applied at authentication or by CoA during the subscriber session. The RA policy can be used in the following ways.
The prefix option inside the RA policy allows independent prefix options for subscribers that utilize bridge hosts. The bridge hosts can consist of both DHCPv6 and SLAAC, and are represented as stateful and stateless within the policy respectively. Within the policy, the autoconfig flag is not configurable and is disabled by default for the DHCPv6 address and enabled by default for SLAAC. For SLAAC hosts, if the autoconfig flag is enabled inside the RA policy along with the SLAAC prefix, the autoconfig flag for the DHCPv6 address or prefix is not enabled as a result. The timers for either SLAAC and DHCPv6 prefixes can also be configured independently.
The router advertisement policy has a separate configuration for stateless and stateful operations. The general recommendation is to configure the valid and preferred lifetimes for longer than the minimum RA interval to ensure the subscriber has a valid address to use between each RA interval. If this general rule is not followed, the subscriber can deprecate the SLAAC prefix between each RA interval and experience service interruptions. As the minimum RA interval is approximately 15 minutes, the valid and preferred lifetime values should be at least 15 minutes. Shorter valid and preferred lifetime values can impact the system’s scalability. The stateful RA has a static option and a dynamic option when configuring the valid and preferred lifetime values. If the static option is used, the valid and preferred lifetime values should be greater than the RA interval. For the dynamic option, the auto-lifetimes feature derives the valid and preferred lifetime values from the DHCPv6 lease. Therefore, the RA and DHCPv6 have the same valid and preferred lifetime values.
SLAAC hosts are assigned prefixes, where the full Global Unicast Address (GUA) is not known. Regardless of the force-mcast configuration, the destination IP address for an RA to an SLAAC host is always be a multicast IP address, with one exception. If the feature allow-multiple-wan-address is enabled and the same host (same MAC on the same SAP and same device) has a DHCPv6 NA address, the NA address is used for the unicast RA. The MAC address can either be a multicast or unicast address, depending on the configuration of force-mcast.
Table 15 outlines the behavior of the system when the RA policy VSA is included in authentication, CoA, and re-authentication. The RA policy that is sent from RADIUS may not yet be provisioned in CLI, and therefore may not exist in the system.
Authentication | CoA/Tools CoA | Re-authentication | |
BRG | An RA policy does not need to exist. The RA policy becomes active when a matching RA policy is provisioned. If an RA policy does not exist, the RA parameters configured under the group interface are used. | An RA policy must exist; otherwise, a NACK is sent in response to the CoA. | An RA policy must exist; otherwise, all VSAs and the RA policy are ignored. An SNMP trap is raised. |
Subscriber is session-based (for example, an IPoE session) | An RA policy does not need to exist for the IPv4 host. The RA policy becomes active when a matching RA policy is provisioned. ESM IPv6 host creation fails when a policy does not exist. If an RA policy does not exist, the RA parameters configured under the group interface are used. | An RA policy must exist; otherwise, a NACK is sent in response to the CoA. | An RA policy must exist; otherwise, all VSAs and the RA policy are ignored. An SNMP trap is raised. |
Subscriber has a dual-stack host and is not session-based | An RA policy does not need to exist for the IPv4 host. The RA policy becomes active when a matching RA policy is provisioned. ESM IPv6 host creation fails when a policy does not exist. If an RA policy does not exist, the RA parameters configured under the group interface are used. | An RA policy must exist; otherwise, a NACK is sent in response to the CoA. | An RA policy must exist; otherwise, all VSAs and the RA policy are ignored. An SNMP trap is raised. |
IPv4 host that is not session-based | An RA policy must exist. Otherwise, the subscriber setup is rejected. | An RA policy must exist; otherwise, a NACK is sent in response to the CoA. | An RA policy must exist; otherwise, all VSAs and the RA policy are ignored. An SNMP trap is raised. |
Dual-stack host that is not session-based, where the CoA is targeted to an IPv4 host only | N/A | An RA policy must exist; otherwise, a NACK is sent in response to the CoA. | N/A |
Dual-stack host that is not session-based, where the CoA is targeted to an IPv6 host only | N/A | An RA policy must exist; otherwise, a NACK is sent in response to the CoA. | N/A |
IPoE linking (both session-based and not session-based) | An RA policy does not need to exist for the IPv4 host. The RA policy becomes active when a matching RA policy is provisioned. ESM IPv6 host creation fails when a policy does not exist. If an RA policy does not exist, the RA parameters configured under the group interface are used. | An RA policy must exist; otherwise, a NACK is sent in response to the CoA. | An RA policy must exist; otherwise, all VSAs and the RA policy are ignored. An SNMP trap is raised. |
PD host as managed to IPv4 (both session-based and not session-based) | An RA policy does not need to exist for the IPv4 host. The RA policy becomes active when a matching RA policy is provisioned. ESM IPv6 host creation fails when a policy does not exist. If an RA policy does not exist, the RA parameters configured under the group interface are used. | An RA policy must exist; otherwise, a NACK is sent in response to the CoA. | An RA policy must exist; otherwise, all VSAs and the RA policy are ignored. An SNMP trap is raised. |
The following are RA policy limitations.
For IPv6 subscriber hosts, RADIUS-triggered mid-session changes and session terminations may identify the subscriber host to be changed by the same address or prefix that was originally returned from RADIUS. Only one address attribute (framed-IP address, framed-IPv6-prefix, delegated-IPv6-prefix or Alc-IPv6-address) may be given in a single request.
For PPPoE clients, changing either the IPv4 or IPv6 information results in both the v4 and v6 subscriber host being modified (if they are contained within the same PPPoE session).
The only CoA action that is allowed for IPv6 hosts is a change of ESM strings; creation of new hosts and forcing a DHCPv6 RENEW is not supported.
The delegated prefix length (DPL) is applicable to subscriber-hosts with IPv6 Prefix (IA-PD) assigned by the DHCPv6 Server. IPv6 Prefix is more akin to a route then it is to an IP address. The length of the prefix plays crucial role in forwarding decisions, antispoofing, and prefix assignment through DHCPv6 pools in the local DHCPv6 Server.
The structure of an IPv6 prefix is shown in Figure 73.
For example, a DHCPv6 server prefix pool contains an aggregated (configured) IPv6 prefix from which the delegated prefixes are carved out. In Figure 73 this aggregated IPv6 prefix has length of /48. In addition, the DHCPv6 server needs to know the length of the delegated prefix (in the above case /60). These two values are marking the boundary within which a unique delegated prefix is selected.
The delegated prefix length can be obtained using:
Alternatively, the entire prefix, including the DPL can be returned by LUDB.
If the DPL is statically provisioned under the sub-if>ipv6 hierarchy, all hosts under this subscriber interface inherits this fixed DPL. In case that the DPL is provided by LUDB or RADIUS in addition to static configuration under the subscriber interface then the LUDB or the RADIUS one not match the DPL that is statically provisioned under the subscriber-interface. Otherwise, the prefix instantiation in 7450 ESS and 7750 SR fails.
Note that the no delegated-prefix-length command under the sub-if>ipv6 hierarchy means that the DPL is set to a default-value of 64.
When the delegated-prefix-length commands under the sub-if>ipv6 hierarchy is set to variable, prefixes under such subscriber-interface can have different lengths and the DPL can be configured by one of the following:
If the delegated prefix length is variable, for each consecutive address allocation request for the given delegated prefix, the DHCPv6 server allocates the prefix at the end of the last delegated lease with the same delegated prefix length. This minimizes the address space fragmentation within the configured prefix.
A DHCPv6 Relay Agent can support a 7450 ESS and 7750 SR DHCPv6 local server (same or remote chassis) and a third party DHCPv6 external server.
An incoming DHCPv6 client message is relayed within the Relay-Forward message specified in RFC 3315, Dynamic Host Configuration Protocol for IPv6 (DHCPv6). If the server responds with a valid address/prefix, the ESM process attempts to install it. If it fails, the DHCPv6 Relay Agent sends an explicit RELEASE to the server. There is no retransmission of DHCPv6 Relay-Forwards in the case of failure, it requires the client to re-start or re-send the original DHCPv6 message.
A Lightweight DHCPv6 Relay Agent may insert Relay Agent Information including the Interface ID option between the DHCPv6 client and the DHCPv6 Relay Agent.
Additional Relay Agents (non-LDRA) between the DHCPv6 client and the DHCPv6 Relay Agent are not supported.
DHCPv6 Reconfigure messages received from an external DHCPv6 server are forwarded to the DHCP client, if a corresponding DHCPv6 lease exists. The Reconfigure message can be sent in a unicast message to the client or encapsulated in a Relay-Reply message to the DHCPv6 relay agent. The DHCPv6 Reconfigure message is dropped if no corresponding DHCPv6 lease exists.
A DHCPv6 Relay Agent is configured in the IPv6 DHCP6 context of a group-interface:
Up to eight DHCPv6 servers can be provisioned to be served by a DHCPv6 Relay Agent. A Relay-Forward is send to all servers and the Relay-Replies from all servers are sent to the client.
The “client-applications” parameter specifies if the Relay Agent can be used for IPoE (dhcp) or PPP (ppp) hosts. Optional configuration parameters:
When the DHCPv6 Relay Agent is relaying to a third party DHCPv6 external server, following conditions should be met:
Following information is available to the third party DHCPv6 server in a Vendor-Specific-Information-Option (17) included in the Relay-Forward message:
A local DHCPv6 pool server for both addresses (IA_NA) and prefixed (IA_PD) manages the address and prefixes sent to either routing gateways or hosts.
Because IPv6 home networks lack NAT, the IPv6 addresses delegated to a routing gateway are in turn assigned to hosts in the home. These addresses are assigned with reasonably long (but configurable) lifetimes so the loss of the WAN connection does not result in the IPv6 hosts in the LAN losing their IPv6 addresses. One consequence of these long lifetimes is that the IPv6 hosts retains any IPv6 address provided the valid-lifetime is greater than zero. If an operator delegates a prefix and then at a later time delegate a second IPv6 prefix, a host may end up with two or more valid prefixes. This situation affects IPv6 source address selection and may result in impaired service.
To overcome the problems of multiple IPv6 prefixes in the home, the operator must ensure that the individual subscriber has the same IPv6 prefix even across modem reboots (that is, if a subscriber session is destroyed and later re-created, an attempt should be made to use the previously delegated prefix). In Release 8.0, the operator used RADIUS for all address and prefix assignment, but in Release 9.0, with the introduction of the local DHCPv6 server, it requires the 7750 to process and maintain some state even after a session disconnects.
For the DHCPv6 local server to function, a DHCPv6 relay or proxy function must also operate alongside ESM. For the purposes of this document, to relay means to implement a DHCPv6 Relay as indicated in RFC 3315: a relay encapsulates the client DHCP message within a DHCP Relay-Forward message and unicasts it to a specified destination.
A proxy is an internal concept. Unlike a DHCPv6 relay, the DHCPv6 proxy does not encapsulate the client message in a Relay-Forward, nor does it send packets towards the Local DHCPv6 Server. The DHCPv6 proxy is exclusively used as an interface between the RADIUS Access-Accept or local user database lookup and the DHCPv6 client in the consumer device.
The use of the DHCPv6 relay or proxy function depends on the attributes returned from authentication phase (RADIUS or LUDB).
Note: If IPv6 DNS parameters are returned in RADIUS and a pool is specified then the DNS parameters are ignored. It is the DHCPv6 server that needs to reply with appropriate DNS servers. |
To support all processing for Enhanced Subscriber Management, several tables are maintained in the router (Figure 74).
An entry is created in the active subscriber table when the first host (either dynamic or static) is created with a certain subscriber identification string. The entries are grouped by their subscriber identification string.
Fields for each entry in the active subscriber table include:
An entry is created in the SLA profile instance table when the first subscriber host on a certain SAP is created that uses a certain SLA profile. All subsequent hosts of the same subscriber on the same SAP that use the same SLA profile are associated with this entry. When the last host on this SAP, using this SLA profile disappears, the SLA profile instance is deleted from the table and the associated queues are removed.
SLA profile instances cannot span multiple subscriber SAPs. If subscriber hosts from the same subscriber exist on multiple SAPs and are associated with the same SLA profile template, a separate SLA profile instance is created for each SAP.
Fields for each entry in the SLA profile instance table include:
An entry is created in the subscriber host table if anti-spoofing is enabled as well as:
Fields for each entry in the subscriber host table include:
An entry in the DHCP lease state table is created for each dynamic host. Fields for each entry in the lease state table include:
Figure 75 illustrates the relationship between the main entities in Enhanced Subscriber Management:
When a DHCP ACK is received for a new subscriber host on a particular SAP:
If this is the first host of a subscriber, an HQoS scheduler is instantiated using the ingress and egress scheduler policies referred to in the subscriber profile. Otherwise, if the subscriber profile of the new host equals the subscriber profile of the existing subscriber, the new host is linked to the existing scheduler. If the subscriber profile is different from the subscriber profile of the existing subscriber, a new scheduler is created and all the hosts belonging to that subscriber are linked to this new scheduler. The new subscriber profile does conflict with the subscriber profile provisioned for a static host or non-sub-traffic under the same SAP.
If this is the first host of a subscriber on a particular SAP using a particular SLA profile, an SLA profile instance is generated and added to the SLA profile instance table. This includes instantiating a number of queues, according to the ingress and egress QoS profiles referred to in SLA profile, optionally with some specific overrides defined in the SLA profile. Otherwise the host is linked to the existing SLA profile instance for this subscriber on this SAP.
Note:
|
Whenever an IP packet arrives on a subscriber-facing SAP on which Enhanced Subscriber Management (ESM) is enabled, a lookup is done in the subscriber host table using as the index the SAP, source IP address, and source MAC address.
This feature increasingly penalizes hosts that fail repeated login attempts within a configurable time interval. This is done by holding off on creation attempts for these hosts for a configured but adaptable time period. A transient failure, due to a mis-configuration, is quickly corrected and does not prevent the host from logging in within a reasonable amount of time. At the same time, a malicious client or a constantly mis-configured client is locked-out and does not take up resources impacting other clients.
A lockout time per host supports exponential back-off with each retry and failure cycle, starting with a configured minimum value and increasing up to a configured maximum. The lockout time can be reset to the configured minimum value if there is no failed retry within a configured time threshold. The configurable values include:
If multiple retries/failure cycles occur within the lockout time, then lockout period is exponentially increased starting from configured minimum value up to the configured maximum value. The lockout is reset to the minimum value if there is no failed retry till this lockout time.
This mechanism is supported for both single and dual-stack PPPoE and IPoE (DHCP) hosts over 1:1 or N:1 static or managed SAPs. The hold-off timer maintenance is on a per host basis (as follows):
A show lockout state for hosts is supported, given one or more of <SAP, MAC@, agent-circuit-id, agent-remote-id>.
A clear lockout state is supported for hosts given one or more of <SAP, MAC@, agent-circuit-id, agent-remote-id>.
Any changes in configured lockout values do not apply to hosts currently under lockout and only applies once these hosts are out of lockout.
ESM lockout is supported for dual-stack PPPoE hosts, L2TP LAC hosts, dual-stack IPoE hosts, and ARP hosts. ESM Lockout tracks the following:
During lockout, authentication and ESM host creation is suppressed. A lockout context is created when a client first enters lockout. The context maintains state and timeout parameters for the lockout. If a lockout policy is configured for the underlying SAP for a host that has failed authentication or host creation, the host enters lockout for the configured minimum time (1 to 86400 seconds). When the lockout time expires, normal authentication and ESM host creation is resumed on relevant PPP or DHCP messages. In case of another failure, the host again enters the lockout state. The lockout time for the host on each failure is exponentially increased up to the configured maximum time (1 to 86400 seconds). The lockout time for a client is reset to the configured minimum value, and the corresponding lockout context is deleted, if there is no authentication (and host creation) failure within a configured amount of time that needs to elapse after the client initially enters lockout. This time is called the lockout-reset-time.
The host identification for lockout includes <SAP, MAC@, circuit ID, remote ID>.
Access Node Control Protocol Management (ANCP) can provide the following information to the router:
When ANCP is used with Enhanced Subscriber Management (ESM), a new string ancp-string can be returned from the Python script or from RADIUS. If not returned it defaults to the subscriber ID.
ANCP version 0x31 and 0x32 are both supported and are autodetected at the start of each ANCP session. Within version 0x32, partitioning is also supported.
Multiple partitions from the same Access Node are also supported. If partitions are used, they are automatically detected during the start of an ANCP session.
As depicted in Figure 76, a DSLAM is connected to an aggregation network that is connecting the DSLAM to a BRAS. ANCP is used to provide SAP level rate management. The DSLAM in this application maintains multiple ANCP connections. The primary connection is to the BRAS, providing rate and OAM capabilities while the secondary is to the router to provide rate management.
7750 SR and 7450 ESS:
In this application ANCP is used between the DSLAM and the router to provide line control. There are multiple attributes defined as described below. Figure 77 depicts the connectivity model.
This application is used to communicate the following from the DSLAM to the router (the policy control point):
To support node communication with the access device the line rate, OAM commands, and so on. the node can use an ANCP string that serves as a key in the out-of-band channel with the access node. The string can be either provisioned in the static case, retrieved from RADIUS or from the Python script.
Persistency is available for subscriber’s ANCP attributes and is stored on the on-board compact flash card. ANCP data stays persistence during an ISSU as well as nodal reboots. During recovery, ANCP attributes are first restored fully from the persistence file and incoming ANCP sessions are temporarily on hold. Afterwards new ANCP data can overwrite any existing values. This new data is then stored into the compact flash in preparation for the next event.
General Switch Management Protocol version 3 (GSMPv3) is a generic protocol that allows a switch controller node to establish and maintain connections with one or more nodes to exchange operational information. Several extensions to GSMPv3 exist in the context of broadband aggregation. These extensions were proposed to allow GSMPv3 to be used in a broadband environment as additional information is needed to synchronize the control plane between access nodes (such as DSLAMs) and broadband network gateways (such as BRAS).
In the TPSDA framework, nodes fulfill some BRAS functionality, where per subscriber QoS enforcement is one of the most important aspects. To provide accurate per-subscriber QoS enforcement, the network element not only knows about the subscriber profile and its service level agreement but it is aware of the dynamic characteristics of the subscriber access circuit.
The most important parameters in this context are the subscriber-line capacity (DSL sync-rate) and the subscriber's channel viewership status (the actual number of BTV channels received by the given subscriber in any point in time). This information can be then used to adjust parameters of aggregate scheduling policy.
Besides, the above-mentioned information, GSMPv3 can convey OAM information between a switch controller and access switch. The node can operate in two roles:
The DSL forum working documents recommends that a dedicated Layer 2 path (such as, a VLAN in an Ethernet aggregation network) is used for this communication to provide a certain level of security. The actual connection between DSLAM and BRAS is established at TCP level, and then individual messages are transported.
The node supports DHCP release messages. A DHCP release message removes state from the DHCP server when the node rejects ACKs or removes hosts.
DHCP release messages are controlled by the node and sent to the DHCP server to clear stale state. There are two examples:
Client mobility allows the node to use host monitoring (SHCV, ANCP, split DHCP) to remove network and server state when a host is removed locally. This allows for MAC addressed learned and pinned to move based on policy parameters.
Subscriber Host Connectivity Verification (SHCV) configuration is mandatory. This allows clients to move from one SAP to another SAP in the same service. This is only applicable in a VPLS service and group interfaces.
The first DHCP message on the new SAP with same MAC address (and IP address for group-interfaces) triggers SHCV and is always discarded.
SHCV checks that the host is no longer present on the SAP where the lease is currently populated to prevent spoofing. When SHCV detects that the host is not present on the original SAP, the lease-state is removed. The next DHCP message on the new SAP can initiate the host.
DHCP lease control allows the node to be configured to present a different lease to the client. This can be used to monitor the health of the client.
Whenever a host belonging to a subscriber is activated (when a PC or set-top box (STB) is turned on), the host typically requests an IP address from the network using DHCP. See the DHCP Management section for an explanation of DHCP and DHCP snooping in the router.
The DHCP ACK response from the DHCP server can be parsed and the contents of the message can be used to identify the class to which this host belongs, and thus, the QoS and security settings to apply.
The information necessary to select these settings can be codified in, the IP address by the DHCP server and/or the Option 82 string inserted by the DSLAM or other access node.
PSCP is an identification mechanism using the Python scripting language. The PSCP references a Python script that can use regular expressions to derive the sub-ident-string, sub-profile-string and sla-profile-string from the DHCP response. A tutorial of regular expressions is beyond the scope of this guide, and can be found on the Internet (refer to https://docs.python.org/2/howto/regex.html).
A tutorial of Python is beyond the scope of this guide but can be found on the Internet (refer to http://www.python.org/).
Example scripts, using some regular expressions, can be found in Sample Python Scripts. See the Python Script Support for ESM section for additional information about the service manager scripting language.
One or more scripts can be written by the operator and stored centrally on a server (in a location accessible by the router). They are loaded into each router at bootup.
Note that if a centrally stored script is changed, it is not automatically re-loaded onto the router. The reload must be forced by executing the shutdown and no shutdown commands on the affected URL(s).
Figure 78 describes the data flow while determining which subscriber profile and SLA profile to use for a certain subscriber host based on a snooped/relayed DHCP ACK for that subscriber host.
An incoming DHCP ACK (relayed or snooped) is processed by the script provisioned in the sub-ident-policy defined in the SAP on which the message arrived. This script outputs one or more of the following strings:
These strings are used for a lookup in one or more maps to find the names of the sub-profile and sla-profile to use. If none of the maps contained an entry for these strings, the names are determined based on a set of defaults.
Only when the names for both the sub-profile and sla-profile are known, the subscriber host can be instantiated. If even no default is found for either profile, the DHCP ACK is dropped and the host does not gain network access.
All hosts (devices) belonging to the same subscriber are subject to the same HQoS processing. The HQoS processing is defined in the sub-profile. A sub-profile refers to an existing scheduler policy and offers the possibility to overrule the rate of individual schedulers within this policy.
Because all subscriber hosts of one subscriber use the same scheduler policy instance, they must all reside on the same I/O module.
Figure 79 shows how the sub-profile is derived, based on the sub-ident string, the sub-profile string and/or the provisioned data structures. The numbers associated with the arrows pointing toward the subscriber profiles indicate the precedence of the checks.
For each host that comes on-line, the router also needs to determine which SLA profile to use. The SLA profile determines for this host:
The SLA profile also has host-limits and session-limits attributes that limit the number of hosts or sessions per SLA profile instance.
The classification and the queue mapping are shared by all the hosts on the same forwarding complex that use the same QoS policy (by their SLA profile).
The queues/policers are shared by all the hosts (of the same subscriber) on the same SAP that are using the same SLA profile. In other words, queues/policers are instantiated when, on a given SAP, a host of a subscriber is the first to use a certain SLA profile. This instantiation is referred to as an SLA profile instance. Ingress queues can be parented to a scheduler referenced in the ingress of a subscriber profile. Egress policers and queues can be parented to a scheduler referenced in the egress of a subscriber or SLA profile, or to a port scheduler.
A scheduler policy can be applied to the egress an SLA profile, allowing its schedulers to be the parent for its queues and for its tier 1 schedulers to be parented to a scheduler in a scheduler policy applied to the egress of a subscriber profile or a Vport, or to a port scheduler applied to a port or Vport. Configuring scheduler overrides is allowed for SLA profile egress schedulers. The configuration of a scheduler policy in the egress of an SLA profile is supported for all host types only on Ethernet interfaces. It is not supported for ESM over MPLS pseudowires, nor is HQoS adjustment and host tracking supported on its schedulers.
The following show, monitor and clear commands are available related to the SLA profile scheduler:
The show qos scheduler-hierarchy subscriber command (shown above) displays the scheduler hierarchy with the SLA profile scheduler as the root. Note that if the SLA profile scheduler is orphaned (that is when the scheduler has a parent which does not exist) then the hierarchy is only shown when the show command includes the sla-profile and sap parameters.
If the SLA profile scheduler is orphaned (that is when the scheduler has a parent which does not exist) then the hierarchy is only shown when the show command includes the sla-profile and SAP parameters.
Figure 80 shows a graphical description of how the SLA profile is derived based on the subscriber identification string, the SLA profile string and the provisioned data structures. The numbers on the arrows towards the SLA profile indicate the priority of the provisioning (the lower number means the higher priority).
Each subscriber host or session has an SLA Profile Instance (SPI) associated with it. The SPI, is by default, determined by the subscriber ID, the SLA profile name, and the SAP where the subscriber host or session is active. See Figure 75.
SPIs with the same SLA profile name, have the same configuration, however, the following functions are effective per SPI:
For a bridged Residential Gateway deployment, typically multiple IPoE or PPPoE sessions per subscriber are active on the BNG. The next sections describe the different SPI sharing mechanisms that apply for multiple subscriber sessions from the same subscriber, that are active on the same SAP with the same SLA profile name assigned.
By default, all subscriber sessions or hosts from the same subscriber, active on the same SAP and with the same SLA profile assigned, share an SPI. The default SPI sharing is per SAP, as depicted in Figure 81.
With SPI sharing per SAP, traffic from all subscriber sessions on a given SAP and with the same SLA profile associated are mapped to the same set of queues and policers for QoS handling. Statistics from these queues and policers are also used in accounting. Per-host or per-session accounting modes cannot report counters for individual sessions unless their traffic is mapped in separate queues.
SPI sharing per SAP is the default configuration in an SLA profile and applies to PPPoE sessions, IPoE sessions (enabled on the group-interface) and IPoE hosts (IPoE sessions are disabled on the group-interface):
If QoS handling or accounting per-IPoE or per-PPPoE session is required, then the SPI sharing is configured to per-session sharing in the SLA profile:
Per-session sharing applies to PPPoE sessions and IPoE sessions (enabled on the group interface). An IPoE host setup fails when IPoE sessions are disabled on the group interface and per-session sharing is configured.
Each IPoE or PPPoE session from the same subscriber, active on the same SAP and having the same SLA profile assigned, has its own set of queues and policers. Per-session SPI sharing is depicted in Figure 82.
Note: SPI sharing per session is not supported on HS MDA and on HSQ with hs-sla-mode single. |
When even more granular control is needed over which sessions share an SPI, an SPI sharing group identifier can be specified during IPoE or PPPoE session authentication. This overrides the default SPI sharing method for that session as configured in the SLA profile.
Per-group SPI sharing is depicted in Figure 83. The same SPI is shared by all IPoE and PPPoE sessions from the same subscriber, active on the same SAP, having the same SLA Profile assigned and having the same SPI sharing group identifier.
Note: SPI sharing per group is not supported on HSQ with hs-sla-mode single. |
The SPI sharing group identifier is an integer value in the range 0 to 65535 and can be specified in authentication using:
Per-group sharing applies to PPPoE sessions and IPoE sessions (enabled on the group interface). An IPoE host setup fails when IPoE sessions are disabled on the group interface and an SPI sharing group identifier is specified.
During the lifetime of an IPoE or PPPoE session, the SLA profile and the SPI sharing can change. Such a dynamic change can be triggered by re-authentication, RADIUS CoA, or Diameter Gx RAR by specifying a new SLA profile and optionally, an SPI sharing group ID.
Table 16 describes the different transitions in SPI sharing because of re-authentication, RADIUS CoA, or Diameter Gx RAR.
from ↓ to |
SLA Profile and SPI sharing info provided for dynamic change |
per sap ↓ per sap | SLA profile = <SLA profile name>
[SPI sharing type = default]
|
per session ↓ per session | [SLA profile = <SLA profile name>]
[SPI sharing type = default]
|
per group ↓ per group | SLA profile = <SLA profile name>
SPI sharing type = group SPI sharing ID = <group-id>
|
per sap ↓ per group | SLA profile = <SLA profile name>
SPI sharing type = group SPI sharing ID = <group-id>
|
per session ↓ per group | SLA profile = <SLA profile name>
SPI sharing type = group SPI sharing ID = <group-id>
|
per group ↓ per sap | SLA profile = <SLA profile name>
SPI sharing type = default
------------------------------------------------------------------------------------ SLA profile = <SLA profile name>
|
per group ↓ per session | [SLA profile = <SLA profile name>]
SPI sharing type = default
------------------------------------------------------------------------------------ SLA profile = <SLA profile name>
|
per sap ↓ per session | SLA profile = <SLA profile name>
[SPI sharing type = default]
|
per session ↓ per sap | SLA profile = <SLA profile name>
[SPI sharing type = default]
|
An SPI is uniquely identified by the following characteristics:
The following are examples for SPI representations in the system:
Note: Although they can have the same value as in the following output, an SPI sharing id is not the same as the PPP session id. |
In RADIUS accounting messages, the SPI is uniquely defined by the following attributes:
For example:
The egress QoS marking for subscriber-host traffic is derived from the SAP-egress QoS policy associated with a corresponding SAP, rather than from the SLA profile associated with the corresponding subscriber host. Therefore, no egress QoS marking (Dot1p marking is set to 0, the dscp/prec field is kept unchanged) is performed for traffic transmitted on a managed SAP because by default, sap-egress policy 1 is attached to every managed SAP.
The default value of the “qos-marking-from-sap” flag is enabled. This means that the qos-marking defined in the SAP egress QoS policy associated with the SAP is used. The default setting of this flag in a combination with managed-SAP results in the same behavior as in the current system (dot1p=0, dscp/prec is unchanged).
If the no qos-marking-from-sap command is executed, then both the Dot1p marking and DSCP marking are derived from the sla-profile.
Changing the flag setting in the SLA profile being used by any subscriber-hosts (this includes subscriber-hosts on managed-SAPs as well) is allowed.
The following MC traffic characteristics apply:
Beginning with Release 20.2.R1, the length of sub-id and brg-id names increased from 32 characters to 64 characters. These are referred to as long sub-id and long brg-id. The length of the corresponding RADIUS attributes, Alc-SubscID-Str and Alc-BRG-ID, that are mapped to the long sub-id and long brg-id are also increased to 64 characters.
As a result of this length increase, all MIB tables containing sub-id and brg-id names are affected. In a majority of those tables, the sub-id and brg-id name length is directly increased from 32 characters to 64 characters. However, tables where the MIB OID key contains a sub-id or brg-id as one of the fields do not increase the size of the sub-id and brg-id fields since the maximum key size of 128 characters could be exceeded when the sub-id and brg-id names are combined to form the key. Since the maximum size of the key in the MIB tables is limited to 128 characters, the sub-id and brg-id length in such tables remains limited to 32 characters. This ensures that the MIB key does not exceed the maximum size of 128 characters. This also means that an operator-defined sub-id and brg-id name that is greater than 32 characters must be internally translated (within the SR OS) into a 32-character identification. Rather than truncating sub-id and brg-id names that are greater than 32 characters to a 32 characters value (which could lead to duplicate sub-ids or brg-ids), an internal and unique 32-character length sub-id and brg-id is automatically generated by the system. These internally generated sub-id and brg-id names are used in the following tables where the long sub-id and brg-id (>32characters) could lead to violations of the maximum key size (128 characters). The affected tables are:
The operator-defined long sub-id and long brg-id names are listed in these tables and replaced with the internally-generated version with a 32-character length version.
Table 17 shows examples of sub-id and brg-id names where a long sub-id and long brg-id may lead to a violation of the maximum key size. The internally-generated ID begins with the _tmnx_ prefix:
tmnxSubInfoSubIdent | otherKey | Attributes |
ABCshort | keyA1 | existingInfoA1 |
ABCshort | keyA2 | existingInfoA2 |
_tmnx_sub_123 | keyB1 | existingInfoB1 |
_tmnx_brg_123 | keyB2 | existingInfoB2 |
_tmnx_sub_456 | keyC | existingInfoC |
ghiShort | keyD | existingInfoD |
The operator-defined sub-ids and brg-ids with lengths up to 32 characters are not affected by this change.
In most cases, operators are not concerned with the internal sub-id and brg-id which are only used by the system to access data in one of the 11 MIB tables where the long sub-id or long brg-id would otherwise violate the maximum length of the key. Therefore, the internal ID is not shown in the output of any show command.
An exception occurs when a SNMP table walk is performed in one of the 11 tables in which an entry of interest is found that contains an internal sub-id and brg-id, that needs to be connected with the real (long) subscriber identity.
This conversion can be performed and is aided by the MIB tables tmnxSubShortEntry (Table 18) and tmnxSubBrgShortEntry tables (Table 19):
tmnxSubShortId | tmnxSubLongId |
ABCshort | ABCshort |
_tmnx_sub_123 | defLongstring |
_tmnx_sub_456 | JKLLongstring |
ghiShort | ghiShort |
tmnxSubBrgShortId | tmnxSubBrgLongId |
MNPshort | ABCshort |
_tmnx_brg_333 | xyzLongstring |
_tmnx_brg_222 | OQRLongstring |
WVZShort | WVZhort |
The mapping from long to an internal ID can be retrieved from the tmnxSubscriberInfoEntry (Table 20) and tmnxSubBrgEntry (Table 21) tables:
tmnxSubInfoSubIdent | attributes | tmnxSubInfoShortId |
ABCshort | subscrInfoA | ABCshort |
JKLlongstring | subscrInfoC | _tmnx_456 |
defLongstring | subscrInfoB | _tmnx_123 |
ghiShort | subscrInfoD | ghiShort |
tmnxSubBrgId | attributes | tmnxSubBrgIdShort |
MNPshort | subscrInfoM | MNPshort |
OQRlongstring | subscrInfoO | _tmnx_222 |
xyzLongstring | subscrInfoX | _tmnx_333 |
WVZShort | subscrInfoW | WVZShort |
The sub-id and brg-id strings can be changed online with CLI and CoA/RAR (RADIUS and Diameter interfaces). Conversion between any combination of long and short sub-ids and short brg-ids is supported by moving each IPoE/PPPoE session or host under a new or renamed subscriber. This is performed by:
This section describes the usage of sub-id and brg-id criteria.
Multicast host tracking only works with short sub-ids and is configured as follows:
However, multicast HQoS adjustment is supported with long sub-ids, and should be deployed as a replacement for legacy multicast host tracking. Multicast HQoS adjustment is configured as follows:
The subscriber ID name (sub-id) is a mandatory object that binds all hosts of a given subscriber together. Briefly, the sub-id name represents a residential household. Many management/troubleshooting and even billing operations rely on the sub-id name entity. The sub-id name is required for the host creation process, and it can be supplied by any authentication source, such as RADIUS, Diameter, LUDB, or Python. It can be derived from the sap-id or can be statically provisioned in the form of a string.
In some ESM deployments, it is desirable that the sub-id is automatically generated within the router rather than burdening the OSS with this function. A typical application for auto sub-id is as follows:
The following are the properties of auto sub-id generation:
There can be only a single set of subscriber identification fields defined per host type (IPoE or PPPoE) per chassis. If the combination of the fields must be modified, the existing subscribers with an automatically generated subscriber ID must be manually terminated. Considering that remote termination of the IPoE subscribers by a DHCP server is not supported by all DHCP client vendors through the FORCERENEW DHCP message (RFC 3203, DHCP reconfigure extension), changing the subscriber fields while subscribers with automatically generated subscriber ID are active should be avoided.
The subscriber ID name automatic generation takes place at the end of the host initiation process (after the authentication phase is completed) and only in case whereby the subscriber ID had not been already provided by any other more specific means (RADIUS, Diameter, LUDB, or Python).
The format of the sub-id name can be either a 10-character encoded string (characters A to Z and 0 to 9) or a user- friendly string based on the subscriber identification fields. The maximum length of the subscriber ID name is 64 characters.
The subscriber ID name is not passed in the Access-Request to the RADIUS server since it is generated after the authentication phase.
The subscriber ID name can be automatically generated regardless of how the SLA or subscriber profile strings are obtained (RADIUS, LUDB, Python, or static).
The subscriber identification fields used in automatic generation of the subscriber ID name are enabled at the system level.
If no sub-id-key per host type is configured, the defaults are:
PPPoE host type: | mac, sap-id, session-id |
IPoE host type: | <mac, sap-id>. |
The order in which the fields are configured is important because the subscriber ID name potentially becomes a concatenated string of the subscriber host identifiers in the order in which they are provisioned. The subscriber ID cannot be longer than 64 characters.
The following would generate a subscriber ID name: xx:xx:xx:xx:xx:xx|1/1/3:23|44. The length of such subscriber ID name would be 29B.
If the key contains the circuit ID as: 0x610163 (3 bytes), then the subscriber ID name is formatted as 610161, in hex, since 01 hex is non-printable in ASCII. Then the subscriber ID name’s length is 6B.
However, if the circuit ID is 0x616263 (3 bytes), then the string is formatted as ASCII string abc (three characters). The subscriber ID name’s length is 3B.
The assignment of the subscriber ID to dynamic hosts is performed in the following order:
Static subscribers are required to have the sub-id manually configured.
The sub-id can be based on any combination of the following identifiers:
Auto-generation of sub-id names for subscribers with a single dual-stack hosts (IPoE and PPPoE) is enabled by default by not explicitly provisioning anything for the def-sub-id. The sub-id name would be semi-randomly generated based on the <mac, sap-id, session-id> for PPPoE hosts and the <mac, sap-id> combination for IPoE host.
Hosts with different sub-id names but identical auto-sub-id keys are not linked into the same subscriber. Such scenarios can arise with hosts with the same auto-sub-id keys but different methods for obtaining the sub-id name. For example, one host relying on auto-generated sub-id name while the other is using explicit configuration methods (sap-id, string, RADIUS or LUDB). If the auto-generated sub-id name and explicit sub-id name are the same, the host is tied into the same subscriber.
For example:
The default auto-sub-id for the following two hosts are <mac, sap-id>.
Host X on SAP 1/1/1:1 with MAC 00:00:00:00:00:01 obtains sub-id through RADIUS.
Host Y on SAP 1/1/1:1 with MAC 00:00:00:00:00:01 has sub-id auto-generated.
Regardless of which host comes up first, those two hosts at the end belong to different subscribers if their sub-ids are different.
The following is a deployment example scenario.
Assume the following cases:
In the first case where RADIUS returns the sub-id string, the following occurs
In the second case, the effects are the following:
Only a single combination of the subscriber fields used to auto generate sub-id is allowed per host type (IPoE or PPPoE) and per chassis. In case that the combination of the fields needs to be changed, the existing subscribers with an auto-generated sub-id must be manually terminated. Considering that remote termination of the IPoE subscribers by DHCP server is not supported by all DHCP client vendors through FORCERENEW DHCP message (RFC 3203), changing the subscriber fields while subscribers with auto generated sub-id are active should be avoided.
This section provides an overview of the different configuration options in SR OS to restrict the number of subscribers, subscriber hosts, and subscriber sessions.
The setup of a new subscriber host or session fails if any of these limits is reached.
The number of IPoE sessions per SAP is limited with the sap-session-limit command configured in the group-interface ipoe-session context
The number of IPoE sessions per group interface or retail subscriber interface is limited with the session-limit command configured in the group-interface ipoe-session or retail subscriber-interface ipoe-session context.
IPoE sessions and subscriber hosts associated with IPoE sessions are subject to the per SLA profile instance host and session limits configured in the config>subscr-mgmt>sla-prof>host-limits context and to the per subscriber host and session limits configured in the config>subscr-mgmt>sub-prof context. See Limiting the Number of Hosts and Sessions per SLA Profile Instance and per Subscriber for a detailed description.
The number of PPPoE sessions per SAP is limited with the sap-session-limit command configured in the group-interface pppoe context.
To limit the number of PPPoE sessions per group interface or retail subscriber interface use the session-limit command configured in the group-interface pppoe or retail subscriber-interface pppoe context.
PPPoE sessions and subscriber hosts associated with PPPoE sessions are subject to the per SLA profile instance host and session limits configured in the config>subscr-mgmt>sla-prof>host-limits context and to the per subscriber host and session limits configured in the config>subscr-mgmt>sub-prof context. See Limiting the Number of Hosts and Sessions per SLA Profile Instance and per Subscriber for a detailed description.
Table 22 list the host limits and Table 24 lists the session limits that can be configured in the following profiles:
Example
For a bridged RGW, allow one dual stack IPoE session (IPv4 and IPv6 IA-PD) per SLA profile instance and up to two sessions per subscriber.
Table 23 specifies the host-limits counters that are applicable for each of the different subscriber host types in SR OS. Table 25 specifies the session-limits counters that are applicable for each of the different subscriber session types in SR OS.
Host and session limits are checked when the host or session is created in the system. When a limit is reached, the host or session setup fails, and an error event is logged. For example:
When a host or session limit is reached for an ARP host, an IPoE host or an IPoE session, a host-limit-exceeded Subscriber Host Connectivity Verification (SHCV) can be triggered to clean up the state of disconnected devices.
Note: If the remove-oldest command is configured in the host-limits context and an IPv4 ARP host, IPv4 DHCP host, IPv4 host, or subscriber host limit is reached when a new DHCPv4 host or an ARP host connects, the oldest active host disconnects and the new host is granted access. The dynamic host with the least remaining lease time is considered the oldest host. The remove-oldest command is not applicable for PPPoE or IPv6 subscriber hosts. |
Command Name | Description |
overall | Limits the total number of subscriber hosts |
ipv4-overall | Limits the total number of IPv4 hosts |
ipv4-arp | Limits the number of IPv4 ARP hosts |
ipv4-dhcp | Limits the number of IPv4 DHCP hosts |
ipv4-ppp | Limits the number of IPv4 PPP hosts |
ipv6-overall | Limits the total number of IPv6 hosts |
ipv6-pd-overall | Limits the total number of IPv6 DHCP Prefix Delegation hosts (IA-PD) |
ipv6-pd-ipoe-dhcp | Limits the number of IPv6 IPoE DHCP Prefix Delegation hosts (IA-PD) |
ipv6-pd-ppp-dhcp | Limits the number of IPv6 PPPoE DHCP Prefix Delegation hosts (IA-PD) |
ipv6-wan-overall | Limits the total number of IPv6 WAN hosts |
ipv6-wan-ipoe-dhcp | Limits the number of IPv6 IPoE DHCP WAN hosts (IA-NA) |
ipv6-wan-ipoe-slaac | Limits the number of IPv6 IPoE SLAAC WAN hosts |
ipv6-wan-ppp-dhcp | Limits the number of IPv6 PPPoE DHCP WAN hosts (IA-NA). |
ipv6-wan-ppp-slaac | Limits the number of IPv6 PPPoE SLAAC WAN hosts |
lac-overall | Limits the total number of L2TP LAC hosts |
Subscriber Host Type | Counts Towards Following Host Limits |
IPv4 - PPP Hosts - IPCP | ipv4-ppp, ipv4-overall, overall |
IPv4 - PPP Hosts - PFCP | — |
IPv4 - IPOE Hosts - DHCP | ipv4-dhcp, ipv4-overall, overall |
IPv4 - IPOE Hosts - ARP | ipv4-arp, ipv4-overall, overall |
IPv4 - IPOE Hosts - Static | ipv4-overall, overall |
IPv4 - IPOE Hosts - PFCP | — |
IPv4 - IPOE Mngd Hosts - Data-trig | ipv4-overall, overall |
IPv4 - IPOE Mngd Hosts - AAA | ipv4-overall, overall |
IPv4 - IPOE Mngd Hosts - GTP | ipv4-overall, overall |
IPv4 - IPOE Mngd Hosts - Bonding | ipv4-overall, overall |
IPv4 - IPOE Hosts BSM - DHCP | — |
IPv4 - IPOE Hosts BSM - Static | — |
IPv4 - IPOE BSM - DHCP | — |
IPv4 - IPOE BSM - Static | — |
IPv6 - PPP Hosts - SLAAC | ipv6-wan-ppp-slaac, ipv6-wan-overall, ipv6-overall, overall |
IPv6 - IPOE Hosts - DHCP6 (NA) | ipv6-wan-ppp-dhcp, ipv6-wan-overall, ipv6-overall, overall |
IPv6 - PPP Hosts - DHCP6 (PD) | ipv6-pd-ppp-dhcp, ipv6-pd-overall, ipv6-overall, overall |
IPv6 - PPP Mngd Routes - DHCP6 (PD) | — |
IPv6 - PPP Hosts - PFCP (SLAAC) | — |
IPv6 - PPP Hosts - PFCP (NA) | — |
IPv6 - PPP Hosts - PFCP (PD) | — |
IPv6 - IPOE Hosts - SLAAC | ipv6-wan-ipoe-slaac, ipv6-wan-overall, ipv6-overall, overall |
IPv6 - IPOE Hosts - DHCP6 (NA) | ipv6-wan-ipoe-dhcp, ipv6-wan-overall, ipv6-overall, overall |
IPv6 - IPOE Hosts - DHCP6 (PD) | ipv6-pd-ipoe-dhcp, ipv6-pd-overall, ipv6-overall, overall |
IPv6 - IPOE Mngd Routes - DHCP6 (PD) | — |
IPv6 - IPOE Hosts - Static (WAN) | ipv6-wan-overall, ipv6-overall, overall |
IPv6 - IPOE Hosts - Static (Pfx) | ipv6-pd-overall, ipv6-overall, overall |
IPv6 - IPOE Hosts - PFCP (SLAAC) | — |
IPv6 - IPOE Hosts - PFCP (NA) | — |
IPv6 - IPOE Hosts - PFCP (PD) | — |
IPv6 - IPOE Mngd Hosts - Data-trig (WAN) | ipv6-wan-overall, ipv6-overall, overall |
IPv6 - IPOE Mngd Hosts - Data-trig (Pfx) | ipv6-pd-overall, ipv6-overall, overall |
IPv6 - IPOE Mngd Routes - Data-trig (Pfx) | — |
IPv6 - IPOE Mngd Hosts - AAA | ipv6-wan-overall, ipv6-overall, overall |
IPv6 - IPOE Mngd Hosts - GTP (SLAAC) | ipv6-pd-overall, ipv6-overall, overall |
IPv6 - IPOE Mngd Hosts - Bonding | ipv6-pd-overall, ipv6-overall, overall |
IPv6 - IPOE BSM - DHCP6 (NA) | — |
IPv6 - IPOE BSM - DHCP6 (PD) | — |
L2TP LAC Hosts | lac-overall, ipv4-overall, ipv6-overall, overall |
Command Name | Description |
overall | Limits the total number of subscriber sessions |
ipoe | Limits the number of IPoE sessions |
pppoe-overall | Limits the total number of PPPoE sessions |
pppoe-local | Limits the number of PPPoE local terminated sessions (PTA) |
pppoe-lac | Limits the number of PPPoE L2TP LAC sessions |
l2tp-overall | Limits the total number of L2TP sessions |
l2tp-lns | Limits the number of L2TP LNS sessions |
l2tp-lts | Limits the number of L2TP LTS sessions |
Subscriber Session Type | Counts Towards Following Session Limits |
Local PPP Sessions - PPPoE | pppoe-local, pppoe-overall, overall |
Local PPP Sessions - L2TP (LNS) | l2tp-lns, l2tp-overall, overall |
LAC PPP Sessions - PPPoE | pppoe-lac, pppoe-overall, overall |
LAC PPP Sessions - L2TP (LTS) | l2tp-lts, l2tp-overall, overall |
IPOE Sessions | ipoe, overall |
PFCP Sessions - PPP | — |
PFCP Sessions - IPOE | — |
PFCP Sessions - default tunnels | — |
The host and session limits per SLA profile instance and per subscriber can be overridden at subscriber host or session creation by the following.
The combination of overrides and configured limits is only checked when the host or session is created.
Overrides are stored in the subscriber host and session ESM info and can be displayed using the following show commands:
For example:
It is the operator's responsibility to keep consistency in the overrides that are stored per subscriber host and session by the following:
For existing hosts or sessions, this consistency can be achieved by a mid-session change, for example, by RADIUS CoA or Diameter Gx RAR or CCA-U.
Note: If different subscriber hosts or sessions that belong to the same SLA profile instance or subscriber have different override limits, an inconsistent behavior can occur when sessions are recovered from persistency or in case of Multi-Chassis Synchronization (MCS). This may occur because the order in which hosts recover from persistency and the order in which the hosts or sessions are synchronized through MCS, may be different from the order in which sessions were created in the system. |
While it is typically preferred to have all hosts provisioned dynamically through DHCP snooping, it may be needed to provide static access for specific hosts (those that do not support DHCP).
Since a subscriber identification policy is not applicable to static subscriber hosts, the subscriber identification string, subscriber profile and SLA profile must be explicitly defined with the host’s IP address and MAC address (if Enhanced Subscriber Management is enabled).
If an SPI associated with the named SLA profile already exists on the SAP for the subscriber, the static subscriber host is placed into that SPI. If an SPI does not yet exist, one is created if possible. If the SLA profile cannot be created, or the host cannot be placed in the existing SPI (the host-limits was exceeded), the static host definition fails.
QoS aspects for subscribers and hosts can be defined statically on a SAP or dynamically using.
Enhanced Subscriber Management. For example, in a VLAN-per-service model, different services belonging to a single subscriber are split over different SAPs, and thus the overall QoS (such as a scheduler policy) of this subscriber must be assigned using Enhanced Subscriber Management.
QoS parameters are shared among the subscriber profile and SLA profile as follows:
The primary use of the subscriber profile is to define the ingress and egress scheduler policies and policer control policies used to govern the aggregate SLA for all hosts associated with a subscriber. To be effective, the queues or policers defined in the SLA profile’s QoS policies references a scheduler or arbiter from the scheduler policy or policer-control-policy respectively as their parent.
Generic QoS queue or policer parameters can be specified for the SAP in a QoS policy and overridden for some customers by queue and policer parameters defined in the SLA profile. This allows for a single SAP ingress and SAP egress QoS policy to be used for many subscribers, while providing individual subscriber parameters for queue or policer operation.
ESM subscribers can make use of both queues and or policers for both the ingress and egress traffic. The queue and policers are configured within SAP ingress and egress policies applied to the SLA profile. The policers (at egress only) and queues can parent to different levels and cir-levels with different weights and cir weights of a virtual scheduler configured within a scheduler policy, and to an egress port scheduler configured in a port scheduler policy, to achieve hierarchical traffic control. The policers can parent to different levels with different weights of an arbiter configured within a policer control policies to achieve hierarchical traffic control.
Hierarchical QoS (HQoS) corresponds to scheduling bandwidth distribution to policers, queues and schedulers and is applied using scheduler policies at ingress and egress of the subscriber profile for a subscriber, and at egress in the SLA profile for a host, together with a port scheduler at both the port and Vport level.
Each scheduler policy can contain up to three tiers of schedulers with lower level schedulers being able to parent to higher level schedulers in the same scheduler policy.
Policers and queues can parent to any scheduler in their related scheduler policy hierarchy (except Vport at egress) and also at the egress to a port scheduler.
Schedulers can parent to any higher level scheduler in their related scheduler policy hierarchy and, at the egress to a port scheduler configured within the port or Vport. When an egress port scheduler is used, an aggregate rate limit can be applied at the subscriber profile and Vport levels instead of using a scheduler. To extend the hierarchy further at egress, a tier 1 scheduler within a scheduler policy can parent to any scheduler in a scheduler policy at a higher level.
The scheduling levels are comprised of:
The ingress hierarchical parenting relationship options are shown in Figure 84.
The egress hierarchical parenting relationship options are shown in Figure 85. Not all combinations can be configured concurrently, and some uses of port parent could be equally achieved using a scheduler parent and a child parent-location.
The parent command is used to specify the name of the parent scheduler when parenting a queue or scheduler, together with the level/cir-level and weight/cir-weight at which to connect.
The location of the parent scheduler (in which applied scheduler policy it exists) for a policer or queue defaults to a scheduler in the subscriber ingress or egress scheduler policy. Parents of schedulers themselves must be explicitly configured and by default must be within the same scheduler policy.
At egress, the scheduler parenting relationship is determined using the parent-location command:
By default, egress queues parent to any scheduler in subscriber egress scheduler policy.
Egress queues can parent to any scheduler within the scheduler policy applied to the egress of an SLA profile (this is not supported for policers managed by HQoS).
By default, a tier 1 scheduler in the scheduler policy is not allowed to be parented to another scheduler.
A tier 1 scheduler in the scheduler policy applied to the egress of an SLA profile can parent to a scheduler applied to the egress of a subscriber profile.
A tier 1 scheduler in the scheduler policy applied to the egress of a subscriber profile can parent to a scheduler applied to the egress of a Vport.
The configuration of a parent-location and frame-based accounting in a scheduler policy is mutually exclusive to ensure consistency between the different scheduling levels.
Note that the parent-location command is supported only on Ethernet interfaces. It is not supported for ESM over MPLS pseudowires.
Both egress queues and egress schedulers can port parent using directly to different levels/cir-levels, with different weights/cir weights, to a port egress port scheduler. Egress schedulers can also port parent directly to different levels/cir-levels, with different weights/cir weights, to a Vport egress port scheduler.
Class Fair Hierarchical Policing (CFHP) corresponds to the policing control of traffic by policers/arbiters. This uses policer control policies and can be applied for ingress and egress capacity control for the subscriber in the subscriber profile.
Each policer control policy can contain up to three tiers of arbiters with lower level arbiters being able to parent to higher level arbiters in the same scheduler policy.
Policers can parent to any arbiter in their related policer control policy hierarchy.
The policing levels are comprised of:
Note: Ingress policed traffic uses the shared policer-output-queues to access the switch fabric. At egress, the policed traffic accesses the egress port through a queue group queue (by default the policer-output-queues queue group, though user configurable queue groups can also be used) or a locally configured subscriber queue. Egress policers can also be managed by HQoS. |
The ingress hierarchical parenting relationship options are shown in Figure 86.
The egress hierarchical parenting relationship options are shown in Figure 87.
The parent command is used to specify the name of the parent arbiter when parenting a policer or arbiter, together with the level and weight at which to connect.
This feature allows the user to perform hierarchical scheduling of subscriber host packets in a way that the packet encapsulation overhead and ATM bandwidth expansion (when applicable) due to the last mile for each type of broadband session, that is, PPPoEoA LLC/SNAP and VC-Mux, IPoE, IPoEoA LLC/SNAP and VC-Mux, and so on, is accounted for by the 7450 ESS and 7750 SR acting as the Broadband Network Gateway (BNG).
The intent is that the BNG distributes bandwidth among the subscriber host sessions fairly by accounting for the encapsulation overhead and bandwidth expansion of the last mile so the packets are less likely to be dropped downstream in the DSLAM DSL port.
The last mile encapsulation type can be configured by the user or signaled using the Access-loop-encapsulation sub-TLV in the Vendor-Specific PPPoE Tags or DHCP Relay Options as per RFC 4679.
Furthermore, this feature allows the BNG to shape the aggregate rate of each subscriber and the aggregate rate of all subscribers destined to a given DSLAM to prevent congestion of the DSLAM. The subscriber aggregate rate is adjusted for the last mile overhead. The shaping to the aggregate rate of all subscribers of a given destination DSLAM is achieved by a new scheduling object, referred to as Virtual Port or Vport in CLI, which represents the DSLAM aggregation node in the BNG scheduling hierarchy
An application of this feature in a BNG is shown in Figure 88.
Residential and business subscribers use PPPoEoA, PPoA, IPoA, or IPoEoA based session over ATM/DSL lines. Each subscriber host can use a different type of session. Although Figure 88 illustrates ATM/DSL as the subscriber last mile, this feature supports both ATM and Ethernet in the last mile.
A subscriber SAP is auto-configured through DHCP or the RADIUS authentication process, or is statically configured, and uses a Q-in-Q SAP with the inner C-VLAN identifying the subscriber while the outer S-VLAN identifies the Broadband Service Access Node (BSAN) which services the subscriber, such as, the DSLAM. The SAP configuration is triggered by the first successfully validated subscriber host requesting a session. Within each subscriber SAP, there can be one or more hosts using any of the above session types. The subscriber SAP terminates on an IES or VPRN service on the BNG. It can also terminate on a VPLS instance.
When the 7750 BNG forwards IP packets from the IP-MPLS core network downstream towards the Residential Gateway (RG) or the Enterprise Gateway (EG), it adds the required PPP and Ethernet headers, including the SAP encapsulation with C-VLAN/S-VLAN. When the BSAN node receives the packet, it strips the S-VLAN tag, strips or overwrites the C-VLAN tag, and adds padding to minimum Ethernet size if required. It also adds the LLC/SNAP or VC-mux headers plus the fixed AAL5 trailer and variable AAL5 padding (to next multiple of 48 bytes) and then segments the resulting PDU into ATM cells when the last mile is ATM/DSL. Thus the packet size undergoes a fixed offset due to the encapsulation change and a variable expansion due to the AAL5 padding when applicable. Each type of subscriber host session requires a different amount of fixed offset and may require a per packet variable expansion depending of the encapsulation used by the session. The BNG node learns the encapsulation type of each subscriber host session by inspecting the Access-loop-encapsulation sub-TLV in the Vendor-Specific PPPoE Tags as specified in RFC 4679. The BNG node must account for this overhead when shaping packets destined to subscriber.
Figure 89 illustrates the queuing and scheduling model for a BNG using the Ethernet or ATM last-mile aware QoS feature.
A set of per FC queues are applied to each subscriber host context to enforce the packet rate within each FC in the host session as specified in the subscriber’s host SLA profile. A packet is stored in the queue corresponding the packet’s FC as per the mapping of forwarding class to queue-id defined in the sap-egress QoS policy used by the host SLA profile. In the BNG application however, the host per FC queue packet rate is overridden by the rate provided in the RADIUS access-accept message. This rate represents the ATM rate that is seen on the last mile, that is, it includes the encapsulation offset and the per packet expansion due to ATM segmentation into cells at the BSAN.
To enforce the aggregate rate of each destination BSAN, a scheduling node, referred to as virtual port, and Vport is in the CLI. The Vport operates exactly like a port scheduler with the difference that multiple Vport objects can be configured on the egress context of an Ethernet port. The user adds a Vport to an Ethernet port using the following command:
The Vport is always configured at the port level even when a port is a member of a LAG. The vport-name is local to the port it is applied to but must be the same for all member ports of a LAG. It however does not need to be unique globally on a chassis.
The user applies a port scheduler policy to a Vport using the following command:
A Vport cannot be parented to the port scheduler when it is using a port scheduler policy itself. It is thus important the user ensures that the sum of the max-rate parameter value in the port scheduler policies of all Vport instances on a given egress Ethernet port does not oversubscribe the port’s hardware rate. If it does, the scheduling behavior degenerates to that of the H/W scheduler on that port. A Vport which uses an agg-rate can be parented to a port scheduler. This is explained in Applying Aggregate Rate Limit to a Vport. Note that the application of the agg-rate, port-scheduler-policy and scheduler-policy commands under a Vport configuration are mutually exclusive.
Each subscriber host queue is port parented to the Vport which corresponds to the destination BSAN using the existing port-parent command:
This command can parent the queue to either a port or to a Vport. These operations are mutually exclusive in CLI as explained above. When parenting to a Vport, the parent Vport for a subscriber host queue is not explicitly indicated in the above command. It is determined indirectly. The determination of the parent Vport for a given subscriber host queue is described in Vport Determination and Evaluation.
Furthermore, the weight (cir-weight) of a queue is normalized to the sum of the weights (cir-weights) of all active subscriber host queues port-parented at the same priority level of the Vport or the port scheduler policy. Since packets of ESM subscriber host queues are sprayed among the link of a LAG port based on the subscriber-id, it is required that all subscribers host queues mapping to the same Vport, such as having the same destination BSAN, be on the same LAG link so that the aggregate rate towards the BSAN is enforced. The only way of achieving this is to operate the LAG port in active/standby mode with a single active link and a single standby link.
The aggregate rate of each subscriber must also be enforced. The user achieves this by applying the existing agg-rate-limit command to the egress context of the subscriber profile:
In the BNG application however, this rate is overridden by the rate provided in the RADIUS access-accept message. This rate represents the ATM rate that is seen on the last mile, that is, it includes the encapsulation offset and the per packet expansion due to ATM segmentation into cells at the BSAN.
The existing port scheduler policy defines a set of eight priority levels with no ability of grouping levels within a single priority. To allow for the application of a scheduling weight to groups of subscriber host queues competing at the same priority level of the port scheduler policy applied to the Vport, or to the Ethernet port, a new group object is defined under the port scheduler policy:
Up to eight groups can be defined within each port scheduler policy. One or more levels can map to the same group. A group has a rate and optionally a cir-rate and inherits the highest scheduling priority of its member levels. For example, the scheduler group shown in the Vport consists of level priority 3 and level priority 4. It thus inherits priority 4 when competing for bandwidth with the standalone priority levels 8, 7, and 5.
In essence, a group receives bandwidth from the port or from the Vport and distributes it within the member levels of the group according to the weight of each level within the group. Each priority level competes for bandwidth within the group based on its weight under congestion situation. If there is no congestion, a priority level can achieve up to its rate (cir-rate) worth of bandwidth.
The mapping of a level to a group is performed as follows:
Note: CLI enforces that mapping of levels to a group are contiguous. In other words, a user would not be able to add priority level to group unless the resulting set of priority levels is contiguous. |
When a level is not explicitly mapped to any group, it maps directly to the root of the port scheduler at its own priority like in existing behavior.
Software-Based Implementation
The subscriber aggregate rate is adjusted and based on an average frame size.
The user enables the use of this adjustment method by configuring the following option in the egress context of the subscriber profile:
This command allows the user to configure a default value to be used by all hosts of the subscriber in the absence of a valid signaled value. The following is a list of the configurable values:
Values: | pppoa-llc, pppoa-null, pppoeoa-llc, pppoeoa-llc-fcs, pppoeoa-llc-tagged, pppoeoa-llc-tagged-fcs, pppoeoa-null, pppoeoa-null-fcs, pppoeoa-null-tagged, pppoeoa-null-tagged-fcs, ipoa-llc, ipoa-null, ipoeoa-llc, ipoeoa-llc-fcs, ipoeoa-llc-tagged, ipoeoa-llc-tagged-fcs, ipoeoa-null, ipoeoa-null-fcs, ipoeoa-null-tagged, ipoeoa-null-tagged-fcs, pppoe, pppoe-tagged, ipoe, ipoe-tagged |
Otherwise, the fixed packet offset is derived from the encapsulation type value signaled in the Access-loop-encapsulation sub-TLV in the Vendor-Specific PPPoE Tags as explained in Section Signaling of Last Mile Encapsulation Type. Only signaling using PPPoE Tags is supported in the software based implementation. The last signaled valid value is then applied to all active hosts of this subscriber. If no value is signaled in the subscriber host session or the value in the fields of the Access-loop-encapsulation sub-TLV are invalid, then the offset applied to the aggregate rate of this subscriber uses the last valid value signaled by a host of this subscriber if it exists, or the user entered default type value if configured, or no offset is applied.
Configure the average frame size value to be used for this adjustment:
The entered value must include the FCS but not the Inter-Frame Gap (IFG) or the preamble. If the user does not explicitly configure a value for the avg-frame-size parameter, then it is also assumed the offset is zero regardless of the signaled or user-configured value.
The computation of the subscriber aggregate rate consists of taking the average frame size, adding the encapsulation fixed offset including the AAL5 trailer, and then adding the variable offset consisting of the AAL5 padding to next multiple of 48 bytes. The AverageFrameExpansionRatio is then derived as follows:
AverageFrameExpansionRatio = (53/48 x (AverageFrameSize + FixedEncapOffset + AAL5Padding)) / (AverageFrameSize + IFG + Preamble).
When the last mile is Ethernet, the formula simplifies to:
AverageFrameExpansionRatio = (AverageFrameSize + FixedEncapOffset + IFG + Preamble) / (AverageFrameSize + IFG + Preamble).
The following are the frame size and rate applied to the subscriber queue and scheduler:
Subscriber Host Queue (no change):
Size = ImmediateEgressEncap + Data
Rate = ImmediateEgressEncap + Data
Subscriber Aggregate Rate Scheduler:
Size = ImmediateEgressEncap + Data
Rate = sub-agg-rate / AverageFrameExpansionRatio
Note that the CPM applies the AverageFrameExpansionRatio adjustment to the various components used in the determination of the net subscriber operational aggregate rate. It then pushes these adjusted components to IOM which then makes the calculation of the net subscriber operational aggregate rate.
The formula used by the IOM for this determination is:
sub-oper-agg-rate = min(sub-policy-agg-rate/AverageFrameExpansionRatio, ancp_rate/AverageFrameExpansionRatio) + (igmp_rate_delta/AverageFrameExpansionRatio),
where sub-policy-agg-rate is either the value configured in the agg-rate-limit parameter in the subscriber profile or the resulting RADIUS override value. In both cases, the CPM uses an internal override to download the adjusted value to IOM.
The value of sub-oper-agg-rate is stored in the IOM's subscriber table.
The following are the procedures for handling signaling changes or configuration changes affecting the subscriber profile:
Hardware-Based Implementation — The data path computes the adjusted frame size real-time for each serviced packet from a queue by adding the actual packet size to the fixed offset provided by CPM for this queue and variable AAL5 padding.
Like in the software based implementation, the user enables the use of the fixed offset and per packet variable expansion by configuring the following option in the egress context of the subscriber profile:
When this command is enabled, the fixed packet offset is derived from the encapsulation type value signaled in the Access-loop-encapsulation sub-TLV in the Vendor-Specific PPPoE Tags or DHCP Relay Options as explained in Section Signaling of Last Mile Encapsulation Type.
If the user specifies an encapsulation type with the command, this value is used as the default value for all hosts of this subscriber until a host session signaled a valid value. The signaled value is applied to this host only and the remaining hosts of this subscriber continue to use the user entered default type value if configured, or no offset is applied. Hosts of the same subscriber using the same SLA profile and which are on the same SAP share the same instance of FC queues. In this case, the last valid encapsulation value signaled by a host of that same instance of the SAP egress QoS policy overrides any previous signaled or configured value.
The procedures for handling signaling changes or configuration changes affecting the subscriber profile are the same as in the software-based implementation with except for the following:
The encap-offset option forces all the rates to be either last-mile frame over the wire or local port frame over the wire, referred to as LM-FoW and FoW respectively. The system maintains a running average frame expansion ratio for each queue to convert queue rates between these two formats as explained in Frame Size, Rates, and Running Average Frame Expansion Ratio. The following are details of the queue and scheduler operation:
The following are the details of the rates and frame sizes applied to the subscriber host queues, the subscriber aggregate rate, and the Vport root scheduler for the scheduling model and when the encap-offset option is enabled in the subscriber profile.
Subscriber Host Queue:
Size = LastMileFrameOverWireEncap + Data
Rate = (48/53)* x (LastMileFrameOverWireEncap + Data)
*Applicable to ATM last-mile only.
Subscriber Aggregate Rate:
Size = LastMileFrameOverWireEncap + Data
Rate = (48/53)* x (LastMileFrameOverWireEncap + Data)
*Applicable to ATM last-mile only.
Vport/Port Port Scheduler and Weighted Scheduler Group
Size = FrameOverWireEncap + Data
Rate = FrameOverWireEncap + Data
When a frame arrives at the queue, the size is ImmediateEgressEncap+Data. This size is stored as the OfferedFrameSize so that the queue offered stats used in HQoS calculations are correct. Refer to the HQoS-offered statistics as Offered.
This size is then adjusted by removing the ImmediateEgressEncap and adding the LastMileFrameOverWireEncap. This new adjusted frame size, referred as LastMileOfferedFrameSize, is then used for checking compliance of the frame against the queue PIR and CIR bucket sizes and for updating the queue forwarded and dropped stats.
The LastMileOfferedFrameSize value is computed dynamically for each packet serviced by the queue.
A new HQoS stat counter OfferedLastMileAdjusted is maintained for the purpose of calculating the running average frame expansion ratio, which is the ratio of the accumulated OfferedLastMileAdjusted and Offered of each queue:
RunningAverageFrameExpansionRatio = OfferedLastMileAdjusted / Offered
The vport/port port-scheduler hands out its FoW bandwidth in terms of Fair Information Rate (FIR) bandwidth to each subscriber queue. This queue FIR must be converted into LM-FoW format to cap it by the queue PIR (adminPIR) and to make sure the sum of FIRs of all queues of the same subscriber does not exceed the subscriber agg-rate-limit which is also expressed in LM-FoW format. The conversion between these two rates makes use of the cumulative RunningAverageFrameExpansionRatio value.
A queue LM-FoW AdminPIR value is always capped to the value of the local port FoW rate even if the conversion based on the current RunningAverageFrameExpansionRatio value indicates that a higher AdminPIR may be able to fill in the full line rate of the local port.
In the BNG application, host queues of all subscribers destined to the same downstream BSAN, for example, all SAPs on the egress port matching the same S-VLAN tag value, are parented to the same Vport which matches the destination ID of the BSAN.
The BNG determines the parent Vport of a subscriber host queue, which has the port-parent option enabled, by matching the destination string associated with the subscriber with the string defined under a Vport on the port associated with the subscriber.
The user configures the dest string match under the egress Vport context of the Ethernet port associated with the subscriber:
If a given subscriber host queue does not have the port-parent option enabled, it is foster-parented to the Vport used by this subscriber and which is based on matching the dest string. If the subscriber could not be matched with a Vport on the egress port, the host queue is not bandwidth controlled and competes for bandwidth directly based on its own PIR and CIR parameters.
By default, a subscriber host queue with the port-parent option enabled is scheduled within the context of the port’s port scheduler policy. To indicate the option to schedule the queue in the context of a port scheduler policy associated with a Vport, the user enters the following command in SLA profile used by the subscriber host:
This command is persistent meaning that the user can re-enter the qos node without specifying the vport-scheduler argument each time and the system remembers it. The user can revert to the default setting without deleting the association of the SLA profile with the SAP egress QoS policy by explicitly re-entering the command with the following new argument:
The user can apply an aggregate rate limit to the Vport and apply a port scheduler policy to the port.
This model allows the user to oversubscribe the Ethernet port. The application of the agg-rate option is mutually exclusive with the application of a port scheduler policy, or a scheduler policy to a Vport.
When using this model, a subscriber host queue with the port-parent option enabled is scheduled within the context of the port’s port scheduler policy. However, the user must still indicate to the system that the queues are managed by the aggregate rate limit instance of a Vport by enabling the vport-scheduler option in the subscriber host SLA profile:
A subscriber host-queue which is port-parented is parented to the port scheduler policy of the port used by the subscriber and aggregate rate limited within the instance of the Vport used by this subscriber and which is based on matching the dest string and org string.
If a given subscriber host queue does not have the port-parent option enabled, it is foster-parented to the port used by this subscriber and aggregate rate limited within the instance of the Vport used by this subscriber. If the Vport exists but the port does not have a port scheduler policy applied, then the host queue is orphaned and no aggregate rate limit can be enforced.
The user can apply a scheduler policy to the Vport. This allows scheduling control of subscriber tier 1 schedulers in a scheduler policy applied to the egress of a subscriber or SLA profile, or to a PW SAP in an IES or VPRN service.
The advantage of using a scheduler policy under a Vport, compared to the use of a port scheduler (with or without an agg-rate), is that it allows a port parent to be configured at the Vport level.
Bandwidth distribution from an egress port scheduler to a Vport configured with a scheduler policy can be performed based on the level/cir-level and weight/cir-weight configured under the scheduler’s port parent. The result is in allowing multiple Vports, for example representing different DSLAMs, to share the port bandwidth capacity in a flexible way that is under the control of the user.
The configuration of a scheduler policy under a Vport is mutually exclusive with the configuration of a port scheduler policy or an aggregate rate limit.
A scheduler policy is configured under a Vport as follows:
When using this model, a tier 1 scheduler in a scheduling policy applied to a subscriber profile or SLA profiles must be configured as follows:
If the Vport exists, but port does not have a scheduler policy applied, then its schedulers are orphaned and no port level QOS control can be enforced.
The following show/monitor/clear commands are available related to the Vport scheduler:
HQoS adjustment and host tracking are not supported on schedulers that are configured in a scheduler policy on a Vport, so the configuration of a scheduler policy under a Vport is mutually exclusive with the configuration of the egress-rate-modify parameter.
ESM over MPLS pseudowires are not supported when a scheduler policy is configured on a Vport.
A subscriber host session can signal one of many encapsulation types each with a different fixed offset in the last mile. These encapsulation types are described in RFC 4679 and are illustrated in Figure 90 and Figure 91. The BNG node learns the encapsulation type of each subscriber host session by inspecting the Access-loop-encapsulation sub-TLV in the Vendor-Specific PPPoE Tags as specified in RFC 4679.When Ethernet is the last mile, the encapsulation type results in a fixed offset for all packet sizes. When ATM/DSL is the last mile, there is an additional expansion due to AAL5 padding to next multiple of 48 bytes and which varies depending on the packet size.
Both ATM and Ethernet access using PPP encapsulation options are supported in the software and hardware based implementations. Thus, both provide support for the Access-loop-encapsulation sub-TLV in the Vendor-Specific PPPoEv4/PPPoEv6 Tags with the ATM encapsulation values and Ethernet encapsulation values.
ATM and Ethernet access using IP encapsulation are only supported using default encapsulation offset configuration in the subscriber profile in the software based implementation. Support for signaling the Access-loop-encapsulation sub-TLV in the DHCPv4/DHCPv6 Relay Options is included in the hardware based implementation. There is no support for DHCPv6 relay options.
The operational last-mile values for hosts on the same SAP, having the same SLA profile are displayed in following the show command:
The data-link can have values: atm, other and, unknown. If no offset is supplied it is set to unknown. other is used when the data-link is non-atm, otherwise it states atm.
Operational per-queue values can also be found in the show command:
The following is an example of displaying whether the queue is operating in last-mile mode.
Last Mile ATM:
Last Mile Ethernet:
Next Mile ATM:
The following CLI configuration achieves the specific use case shown in Figure 89.
Subscriber volume statistics or octet and packet counters are available through the queues and policers that are instantiated for the subscriber. The queue and policer configuration is defined in the SLA profile using ingress and egress QoS policy associations with optional overrides. By default, subscriber hosts that belong to the same subscriber, that are active on the same SAP, and that have the same SLA profile share the set of queues and policers defined by that SPI. Alternatively, for bridged Residential Gateway scenarios, an SPI can be instantiated per subscriber session or per group identifier obtained during authentication. See SLA Profile Instance Sharing for more details.
Subscriber volume statistics by default count Layer 2 frame sizes optionally modified by configuration such as packet-byte-offset, last mile aware shaping, and so on.
To report subscriber volume statistics as Layer 3 (IP) packet sizes, the volume-stats-type can be configured to ip in the subscriber profile:
volume-stats-type ip affects the subscriber statistics in SNMP, CLI, RADIUS accounting, XML accounting and Diameter Gx usage monitoring. Volume quota for RADIUS or Diameter Credit Control applications are interpreted as Layer 3 quota.
The following restrictions apply for volume-stats-type ip:
IPv4 and IPv6 forwarded and dropped subscriber traffic can be counted separately by a stat-mode v4-v6 command that is configured as a policer or queue qos override in the sla-profile. The stat-mode v4-v6 command is only applicable for Enhanced Subscriber Management (ESM).
For policers, the stat-mode command overrides the policer stat-mode configuration as defined in the sap-ingress or sap-egress qos policy. For details on sap-ingress and sap-egress policer stat-mode, refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR Quality of Service Guide. For a policer in stat-mode v4-v6, following counters are available:
When a policer’s stat-mode is changed while the SLA profile is in use, any previous counter values are lost and any new counters are set to zero.
For queues, a stat-mode is only available for use in Enhanced Subscriber Management (ESM) context to enable separate IPv4/IPv6 counters. For a queue in stat-mode v4-v6, following counters are available:
A queue’s stat-mode cannot be changed while the SLA profile is in use.
There are no in-profile or out-of-profile forwarded and dropped counters for policers and queues in stat-mode v4-v6.
Non-IP traffic (for example PPPoE LCP frames) is counted against the IPv4 counters.
The separate IPv4 and IPv6 forwarded and dropped counters are reported in
When a queue or policer is configured in stat-mode v4-v6, existing VSA’s are re-used in RADIUS detailed per queue or per policer accounting (configure subscriber-mgmt radius-accounting-policy <name> include-radius-attribute detailed-acct-attributes):
In addition the [26-6527-107] Alc-Acct-I-statmode / [26-6527-127] Alc-Acct-O-statmode is sent with value set to “v4-v6”.
Optionally a set of VSA's can be included in RADIUS accounting to report the aggregate IPv6 forwarded octets and packets of queues and policers with stat-mode v4-v6 enabled (configure subscriber-mgmt radius-accounting-policy <name> include-radius-attribute detailed-acct-attributes v6-aggregate-stats):
[26-6527-194] Alc-IPv6-Acct-Input-Packets
[26-6527-195] Alc-IPv6-Acct-Input-Octets
[26-6527-196] Alc-IPv6-Acct-Input-GigaWords
[26-6527-197] Alc-IPv6-Acct-Output-Packets
[26-6527-198] Alc-IPv6-Acct-Output-Octets
[26-6527-199] Alc-IPv6-Acct-Output-Gigawords
Refer to the 7750 SR and VSR RADIUS Attributes Reference Guide for a detailed description of all counter attributes.
The complete-subscriber-ingress-egress and custom-record-subscriber XML records use following fields to represent IPv4 and IPv6 forwarded/dropped octets and packets for queues or policers with stat-mode v4-v6 enabled:
v4po - IPv4PktsOffered (policer only)
v4oo - IPv4OctetsOffered (policer only)
v6po - IPv6PktsOffered (policer only)
v6oo - IPv6OctetsOffered (policer only)
v4pf - IPv4PktsForwarded
v6pf - IPv6PktsForwarded
v4pd - IPv4PktsDropped
v6pd - IPv4PktsDropped
v4of - IPv4OctetsForwarded
v6of - IPv6OctetsForwarded
v4od - IPv4OctetsDropped
v6od - IPv4OctetsDropped
For custom records, the following CLI is re-used to include v4/v6 counters if the queue is configured in stat-mode v4-v6:
i-counters
all-packets-offered-count # n/a
all-octets-offered-count # n/a
high-packets-offered-count # n/a
low-packets-offered-count # n/a
uncoloured-packets-offered-count # n/a
high-octets-offered-count # n/a
low-octets-offered-count # n/a
uncoloured-octets-offered-count # n/a
all-packets-offered-count # n/a
all-octets-offered-count # n/a
high-packets-discarded-count # IPv4
low-packets-discarded-count # IPv6
high-octets-discarded-count # IPv4
low-octets-discarded-count # IPv6
in-profile-packets-forwarded-count # IPv4
out-profile-packets-forwarded-count # IPv6
in-profile-octets-forwarded-count # IPv4
out-profile-octets-forwarded-count # IPv6
e-counters
in-profile-packets-forwarded-count # IPv4
in-profile-packets-discarded-count # IPv4
out-profile-packets-forwarded-count # IPv6
out-profile-packets-discarded-count # IPv6
in-profile-octets-forwarded-count # IPv4
in-profile-octets-discarded-count # IPv4
out-profile-octets-forwarded-count # IPv6
out-profile-octets-discarded-count # IPv6
Access Control Lists (ACLs) for subscriber traffic are defined as IP and IPv6 filter policies and are configured in the SLA-profile associated with the subscriber. For information about IP and IPv6 filter policy configurations, refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide.
Traffic from different subscriber hosts or sessions of a single subscriber and associated with the same sla-profile instance, is subject to the filter policies defined in the SLA profile.
Changing the IPv4 filter policy in an SLA profile in use by an active subscriber is allowed in the CLI, but not recommended. Changing the IPv6 filter policy in an SLA profile in use by an active subscriber is prevented in the CLI.
The IP or IPv6 filter policy configuration of subscriber hosts can be dynamically updated using the mechanisms described in the next sections.
Refer to the 7750 SR and VSR RADIUS Attributes Reference Guide for a detailed description of the RADIUS attributes format.
Refer to the 7750 SR and VSR Gx AVPs Reference Guide for a detailed description of the Diameter AVP’s format.
Changing the SLA profile of a subscriber host or session, implicitly changes its associated IP and IPv6 filter policies. An SLA profile change can be done by, for example, a RADIUS CoA or Diameter Gx RAR message. As the SLA profile also defines the QoS configuration for the subscriber hosts, this change may result in a discontinuity in accounting.
The ingress and egress IP and IPv6 filter policies can be overridden per subscriber host or session at creation time or mid-session:
Notes:
A subscriber host specific entry is a filter entry where the match criteria is automatically extended with the subscriber host IP or IPv6 address as source (ingress) or destination (egress) IP. They represent a per host customization of a generic filter policy: only traffic to or from the subscriber host that match against these entries.
A subscriber host specific entry is dynamically created from
The format used to specify host specific filter entries ([92] NAS-Filter-Rule format or [26.6527.159] Alc-Ascend-Data-Filter-Host-Spec format) cannot change during the lifetime of the subscriber host. A RADIUS message can only contain a single format for host specific filter entries.US message can only contain a single format for host specific filter entries.
Up to 10 host-specific filter rules can be specified in a single RADIUS or Diameter message. Each new RADIUS CoA or Diameter CCA/RAR message containing host specific filter attributes overwrites the previous subscriber host-specific filter entries for that host if there are enough free entries in the reserved range.
Subscriber host-specific filter entries can be removed with a [92] NAS-Filter-Rule attribute value equal to 0x00 or “ “(a space).
When the subscriber host session terminates or is disconnected, then the corresponding subscriber host-specific filter entries are also deleted.
Note that subscriber host-specific filter entries are moved if the subscriber host filter policy is changed (new SLA profile or IP filter policy override) and the new filter policy contains enough free reserved entries (sub-insert-radius).
A range of entries must be reserved for subscriber host specific entries in a filter policy:
High and low watermarks can be configured to raise an event when the thresholds of free entries in the reserved range are reached:
The target application for shared filter entries is operators that have a predefined limited number of different filter lists that each are shared with multiple subscriber hosts or sessions and that are to be managed and activated from RADIUS or Diameter at authentication.
A local configured IP or IPv6 filter associated with a host or session (sla-profile or ip filter override) can be enhanced with dynamic filter entries that can be shared with multiple subscriber hosts or sessions. The shared dynamic filter entries are inserted with:
For each unique set of dynamic filter entries received per type (IPv4 or IPv6) and direction (ingress or egress), a copy is made of the local filter with the dynamic entries included at a preconfigured insert point. If the same set of dynamic filter entries is sent to subscriber hosts or sessions that have the same associated local filter, then they share the same filter copy. When there are no more subscriber hosts associated with a filter copy, then the filter copy is deleted. A filter copy is identified as local filter id:number. For example: show filter ip 10:2.
Shared filter entries are moved if the subscriber host filter policy is changed (new SLA profile or ip filter policy override) and if the new filter policy contains enough free reserved entries.
A range of entries must be reserved for shared entries in a filter policy:
High and low watermarks can be configured to raise an event when the thresholds of dynamic filter copies are reached:
The format used to specify shared filter entries ([26.6527.158] Alc-Nas-Filter-Rule-Shared format or [26.529.242] Ascend-Data-Filter format) cannot change during the lifetime of the subscriber host or session. A RADIUS message can only contain a single format for shared filter entries.
Shared filter entries can be removed with [26.6527.158] Alc-Nas-Filter-Rule-Shared attribute value equal to 0x00 or “ “ (a space).
Use following show commands to check filter policy details and the filter configuration for a subscriber host:
Figure 93 shows the configuration under which synchronization of subscriber management information is performed. As depicted, a single access node aggregating several subscriber lines is dual- homed to redundant-pair of nodes.
Enabling subscriber management features (whether basic subscriber-management (BSM) or enhanced subscriber management (ESM)) causes the node to create and maintain state information related to a given subscriber-host. This information is synchronized between redundant-pair nodes to secure non-stop service delivery in case of the switchover.
The synchronization process provides the means to manage distributed database (the Multi-Chassis Synchronization (MCS) database), which contains the dynamic state information created on any of the nodes by any application using its services. The individual entries in the MCS database are always paired by peering-relation, sync-tag and application-id. At any time the given entry is related to the single redundant-pair objects (two SAPs on two different nodes) and hence stored in a local MCS database of the respective nodes.
Internally, peering-relation and sync-tag are translated into a port and encapsulation value identifying the object (SAP) that the given entry is associated with. The application-id then identifies the application which created the entry on one of the nodes. There are three basic operations that the application can perform on MCS database. The MCS database always synchronizes these operations with its respective peer for the given entry.
The following principles apply:
The choice of the operation in corresponding situation is driven by the application. The following general guidelines are observed:
As previously stated, the MCS process automatically synchronizes any database operation with the corresponding peer. During this time, the MCS process maintains state per peer indicating to the applications (and network operator) the current status, such as in-sync, synchronizing or sync_down. These states are indicated by corresponding traps.
Each time the connection between the redundant pair nodes is established or re-established, the MCS database is re-synchronized. There are several levels of connectivity loss that can have different effects on amount of data lost. To prevent massive retransmissions when the synchronization connection experiences loss or excessive delay, the MCS process implementation takes provisions to ensure following:
SRRP uses the same messaging format as VRRP with slight modifications. The source IP address is derived from the system IP address assigned to the local router. The destination IP address and IP protocol are the same as VRRP (224.0.0.18 and 112, respectively).
The message type field is set to 1 (advertisement) and the protocol version is set to 8 to differentiate SRRP message processing from VRRP message processing.
The vr-id field has been expanded to support an SRRP instance ID of 32 bits.
Due to the large number of subnets backed up by SRRP, only one message every minute carries the gateway IP addresses associated with the SRRP instance. These gateway addresses are stored by the local SRRP instance and are compared with the gateway addresses associated with the local subscriber IP interface.
Unlike VRRP, only two nodes may participate in an SRRP instance due the explicit association between the SRRP instance group IP interface, the associated redundant IP interface and the multi-chassis synchronization (MCS) peering. Since only two nodes are participating, the VRRP skew timer is not utilized when waiting to enter the master state. Also, SRRP always preempts when the local priority is better than the current master and the backup SRRP instance always inherits the master’s advertisement interval from the SRRP advertisement messaging.
SRRP advertisement messages carry a becoming-master indicator flag. The becoming-master flag is set by a node that is attempting to usurp the master state from an existing SRRP master router. When receiving an SRRP advertisement message with a better priority and with the becoming-master flag set, the local master initiates the becoming-backup state, stops routing with the SRRP gateway MAC and sends an SRRP advertisement message with a priority set to zero. The new master continues to send SRRP advertisement messages with the becoming-master flag set until it either receives a return priority zero SRRP advertisement message from the previous master or its becoming-master state timer expires. The new backup node continues to send zero priority SRRP advertisement messages every time it receives an SRRP advertisement message with the becoming-master flag set. After the new master either receives the old master’s priority zero SRRP advertisement message or the become-master state timer expires, it enters the master state. The become-master state timer is set to 10 seconds upon entering the become-master state.
The SRRP advertisement message is always evaluated to see if it has higher priority than the SRRP advertisement that would be sent by the local node. If the advertised priority is equal to the current local priority, the source IP address of the received SRRP advertisement is used as a tie breaker. The node with the lowest IP address is considered to have the highest priority.
The SRRP instance maintains the source IP address of the current master. If an advertisement is received with the current master’s source IP address and the local priority is higher priority than the masters advertised priority, the local node immediately enters the becoming-master state unless the advertised priority is zero. If the advertised priority is zero, the local node bypasses the becoming-master state and immediately enters the master state. Priority zero is a special case and is sent when an SRRP instance is relinquishing the master state.
To take full advantage of SRRP resiliency and diagnostic capabilities, the SRRP instance should be tied to a MCS peering that terminates on the redundant node. The SRRP instance is tied to the peering using the srrp srrp-id command within the appropriate MCS peering configuration. Once the peering is associated with the SRRP instance, MCS synchronizes the local information about the SRRP instance with the neighbor router. MCS automatically derives the MCS key for the SRRP instance based on the SRRP instance ID. For example, an SRRP instance ID of 1 would appear in the MCS peering database with a MCS-key srrp-0000000001.
The SRRP instance information stored and sent to the neighbor router consists of:
The SRRP instance uses the received information to verify provisioning and obtain operational status of the SRRP instance on the neighboring router.
The SRRP instance MCS key ties the received MCS information to the local SRRP instance with the same MCS key. If the received key does not match an existing SRRP instance, the MCS information associated with the key is ignored. Once an SRRP instance is created and mapped to an MCS peering, the SRRP instance evaluates received information with the same MCS key to verify it corresponds to the same peering. If the received MCS key is on a different peering than the local MCS key an SRRP peering mismatch event is generated detailing the SRRP instance ID, the IP address of the peering the MCS key is received on and the IP address to which the local MCS key is mapped. If the peering association mismatch is corrected, an SRRP peering mismatch clear event is generated.
The Containing Service Type is the service type (IES or VPRN) that contains the local SRRP instance. The Containing Service ID is the service ID of that service. This information is supplied for troubleshooting purposes only and is not required to be the same on both nodes.
The containing subscriber IP interface name is the subscriber IP interface name that contains the SRRP instance and its group IP interface. This information is supplied for troubleshooting purposes only and is not required to be the same on both nodes.
The subscriber subnet information includes all subscriber subnets backed up by the SRRP instance. The information for each subnet includes the Owned IP address, the mask and the gateway IP address. If the received subscriber subnet information does not match the local subscriber subnet information, an SRRP Subscriber Subnet Mismatch event is generated describing the SRRP instance ID and the local and remote node IP addresses. Once the subscriber subnet information matches, an SRRP Subscriber Subnet Mismatch Clear event is generated.
The containing group IP interface information is the information about the group IP interface that contains the SRRP instance. The information includes the name of the group IP interface, the list of all SAPs created on the group IP interface, the administrative and operational state of each SAP and the MCS key and the peering destination IP address associated with each SAP. To obtain the MCS information, the SRRP instance queries MCS to determine the peering association of the SRRP instance and then queries MCS for each SAP on the group IP interface. If the local SRRP instance is associated with a different MCS peering than any of the SAPs or if one or more SAPs are not tied to an MCS peering, an SRRP group interface SAP peering mismatch event is generated detailing the SRRP instance ID, and the group IP interface name.
When receiving the remote containing group IP interface information, the local node compares the received SAP information with the local group IP interface SAP information. If a local SAP is not included in the SAP information or a remote SAP is not included in the local group IP interface, an SRRP Remote SAP mismatch event is generated detailing the SRRP instance ID and the local and remote group IP interface names. If a received SAP’s MCS key does not match a local SAP's MCS Key, an SRRP SAP MCS key mismatch event is generated detailing the SRRP instance ID, the local and remote group IP interface names, the SAP-ID and the local and remote MCS keys.
If the group IP remote redundant IP interface address space does not exist, is not within the local routing context for the SRRP instances group IP interface or is not on a redundant IP interface, the local node sends redundant IP interface unavailable to prevent the remote neighbor from using its redundant IP interface. An SRRP redundant IP interface mismatch event is generated for the SRRP instance detailing the SRRP instance, the local and remote system IP addresses, the local and remote group IP interface names and the local and remote redundant IP interface names and IP addresses and masks. The local redundant IP interface may still be used if the remote node is not sending redundant IP interface unavailable.
If the remote node is sending redundant IP interface unavailable, the local node treats the local redundant IP interface associated with the SRRP instances group IP interface as down. A Local Redundant IP Interface Unavailable event is generated detailing the SRRP instance ID, the local and remote system IP addresses, the local group IP interface name, the local redundant IP interface name and the redundant IP interface IP address and mask.
If the remote node’s SRRP advertisement SAP does not exist on the local SRRP instances group IP interface, the local node sends local receive SRRP advertisement SAP unavailable to the remote node. An SRRP receive advertisement SAP non-existent event is generated detailing the SRRP instance ID, the local and remote system IP addresses, the local group IP interface name and the received remote SRRP advertisement SAP. Since SRRP advertisement messages cannot be received, the local node immediately becomes master if it has the lower system IP address.
If the local node is receiving local receive SRRP advertisements stating that the SAP is unavailable from the remote node, an SRRP Remote Receive advertisement SAP Unavailable event is generated. This details the SRRP instance ID, the local and remote system IP addresses, the remote group IP interface name and the local SRRP advertisement SAP. Since the remote node cannot receive SRRP advertisement messages, the local node immediately becomes master if it has the lower system IP address.
If the local SRRP state is master and the remote SRRP state is master, an SRRP dual master event is generated detailing the SRRP instance ID and the local, remote system IP addresses and the local and remote group IP interface names and port numbers.
In order for the network to reliably reach the owned IP addresses on a subscriber subnet, the owning node must advertise the IP addresses as /32 host routes into the core. This is important since the subscriber subnet is advertised into the core by multiple routers and the network follows the shortest path to the closest available router which may not own the IP address if the /32 is not advertised within the IGP.
The SRRP gateway IP addresses on the subscriber subnets cannot be advertised as /32 host routes since they may be active (master) on multiple group IP interfaces on multiple SRRP routers. Without a /32 host route path, the network forwards any packet destined to an SRRP gateway IP address to the closest router advertising the subscriber subnet. While a case may be made that only a node that is currently forwarding for the gateway IP address in a master state should respond to ping or other diagnostic messages, the distribution of the subnet and the case of multiple masters make any resulting response or non-response inconclusive at best. To provide some ability to ping the SRRP gateway address from the network side reliably, any node receiving the ICMP ping request responds if the gateway IP address is defined on its subscriber subnet.
The group IP interface SAPs are designed to support subscriber hosts and perform an ingress anti-spoof function that ensures that any IP packet received on the group IP interface is coming in the correct SAP with the correct MAC address. If the IP and MAC are not registered as valid subscriber hosts on the SAP, the packet is silently discarded. Since the SRRP advertisement source IP addresses are not subscriber hosts, an anti-spoof entry cannot exist and SRRP advertisement messages would normally be silently discarded. To avoid this issue, when a group IP interface SAP is configured to send and receive SRRP advertisement messages, anti-spoof processing on the SAP is disabled. This precludes subscriber host management on the SRRP messaging SAP.
This feature minimizes the downtime for PPPoE clients in an ESM environment when a single node fails.
But it is not necessary that an entire BNG fails before it triggers the corrective action. The solution outlined in this document includes protection against interfaces and line card failures within the BNG. The redundant (protective) entity, however, does not reside within the same BNG on which the failure occurs but instead it is on a separate BNG node.
The PPPoE MC Redundancy is based on SRRP and MC-LAG because SRRP is already established in ESM providing IPoE MC Redundancy. With some modifications, SRRP approach is adopted to PPPoE deployments.
SRRP is based on VRRP whose purpose is to provide a default gateway redundancy for clients sharing the transport medium such as Ethernet. IPoE would be a typical example of this where IPoE clients use a virtual IP and MAC address that is shared between two default gateway nodes in the Master/Backup configuration. SRRP supports only two nodes in a cluster but VRRP allows multiple nodes to be configured in a cluster with a priority that determines which node assumes Mastership. Although it is mandatory for the proper operation of IPoE clients that the same SRRP IP address is shared between the two BNG nodes providing redundancy, having the same SRRP IP address is not necessary for the operation of SRRP itself. In other words, SRRP itself (Master or Backup states) works with different SRRP IP addresses on each node. Same is valid for MAC addressing. It is possible by configuration that the redundant BNG nodes use different IP/MAC addresses on a pair of SRRP instances.
Upon a switchover, a gratuitous ARP is sent from a newly selected active node so that each IPoE client can update the ARP table, if the MAC address has indeed changed (it does not have to). More importantly, if an Layer 2 aggregation network is in place between the BNG and the IPoE client, all intermediate Layer 2 devices must update their port-to-mac mappings (Layer 2 FDB). The above described process ensures proper packet addressing on the IPoE client side as well as the proper forwarding path through Layer 2 aggregation network to the newly activated BNG.
When considering PPPoE in conjunction with SRRP, keep in mind that PPP protocol (point-to-point protocol) is adopted for the Ethernet (shared medium) by enabling an extra Ethernet related layer in PPP that allows sharing of point-to-point sessions over Ethernet (shared medium). The result is a PPPoE protocol designed to ‘tunnel’ each PPP session over Ethernet.
PPPoE is not aware of ARP (Address Resolution Protocol) and it does not react to gratuitous ARP packets sent by a newly active BNG. The destination MAC address that PPPoE clients use when sending traffic is determined not by ARP but by the PPPoE Discovery phase at the beginning of the session establishment. This originally discovered destination MAC is used throughout the lifetime of the session. This has a couple of consequences:
PPPoE sessions are synchronized between the redundant BNG nodes. The subscriber synchronization is achieved through Multi-Chassis Synchronization (MCS) protocol in a similar way it is performed for IPoE.
Two keywords, ipoe and pppoe enable a more granular control over which type of subscribers the MCS should be enabled.
Subscriber synchronization is important for following reasons:
PPPoE MCS model is based on SRRP synchronization and can be used in a centralized or distributed environment with or without Layer 2 aggregation network in-between DSLAMs and BNG nodes. The failure detection speed is dependent on SRRP timers. Traffic load can be balanced per SRRP group over the two links. In this model (Figure 94), PPPoE states are synchronized between the redundant BNG nodes. If one BNG fails, the newly activated BNG sends out a ‘MAC update’ (gratuitous ARP) message prompting the intermediate Layer 2 nodes to update their forwarding tables so that forwarding can resume. The SRRP timers can be configured in the sub-second range. In reality, the limiting factor for timer values is the scale of the deployment, in particular the number of SRRP groups per node.
To preserve QoS and Accounting, subscriber’s traffic must flow in both directions through the Master BNG node.
In the upstream direction, this is always true as traffic is steered to the master SRRP node just by the virtue of SRRP operation.
In the downstream direction which represents bulk of traffic, SRRP cannot be relied up on to steer traffic through the Master node. This poses a problem in a very common environment where IP subnets are shared over multiple group interfaces with SRRP enabled. A particular subnet is advertised to the network side from both BNG nodes, Master and Backup. Natural routing on the network side determines which BNG node receives subscriber’s traffic in the downstream direction. If the Backup SRRP node receives the traffic, it cannot simply send the traffic directly to the access network where the subscriber resides by just inserting the source MAC address of the SRRP instance in the outgoing packet. This would break the operation of SRRP. Instead, the Backup BNG node must send the traffic to the Master BNG node through a redundant-interface. The Master SRRP node would then forward traffic directly to the subscriber. Source MAC address of this traffic would then be the MAC address of SRRP instance. This traffic shunting over the redundant interface can result in a substantial load on the link between the two BNG nodes.
The increase in shunted traffic can quickly become an issue if the redundant BNG nodes that are not collocated. To minimize the shunt traffic, more granular routing information must be presented to the network core. This would lead to more optimal routing where downstream subscriber traffic would be directed towards the Master BNG node, without the need to cross the redundant interface. The downside of this approach is that this would further fragment the IP address space within the network core. In the extreme case where /32 (subscriber) IP addresses are advertised, the churn that /32s can cause in the core routing would most likely be unsustainable. In this case, routing updates in the core would be triggered by subscribers coming on/off-line.
Optimal operation would call for the shunt traffic to be eliminated and at the same time, a high IP route aggregation on the network side is achieved. The existence of the shunt traffic stems from the fact that routing protocols advertise subscriber subnets into the network with no awareness of the SRRP activity state (Master/Standby). To address this problem along with better aggregation of advertised subnets, two SRRP enhancements are introduced:
Both of these concepts are described in SRRP Enhancement.
Traffic destined to or from the subscriber is forwarded under the condition that the subscriber-interface is operationally UP. This applies also to shunting of downstream subscriber traffic from the STANDBY to MASTER node. It is always necessary to keep the subscriber-interface operationally UP by configuring a dummy group interface with a oper-up-while-empty command under it. This is especially true for the MC-LAG which causes the messaging SAP on the STANDBY node always to be in the INIT state. In case that MSAPs are used on such group interfaces, the group interfaces would be also operationally DOWN, causing the subscriber-interface to be operationally DOWN.
A single IP subnet is used for all subscribers terminated within the redundant BNG nodes. The upside of the Option ‘A’ is that it offers aggregated IP addressing in the network core per pair of redundant BNG nodes. The downside is that the subscriber termination point (active BNG for the SRRP group) is hidden from the network core. Since both BNG nodes share the same IP subnet for the subscribers, the natural routing can cause downstream traffic to be sent to the standby BNG which must shunt the traffic to the active BNG. It is likely that half of the traffic is shunted over the redundant-interface with this approach. This scenario is shown in Figure 95.
With the option B, an IP address pool (or subnet) can be allocated per group of SRRP instances that are in the Master state. The routing decision on the network side is further influenced by the static increase of the metric of the advertised route on the BNG node hosting the active SRRP groups (Figure 96).
This approach would cause greater IP space segmentation in the network core, but at the same time, it would indirectly provide more information about the subscriber whereabouts and thus minimize or eliminate the shunt traffic during the normal operation. However, if an SRRP switchover occurs, the shunt traffic would ensue. The amount of the shunted traffic would depend on the scale of the failure. From the configuration displayed in Figure 96, it can be concluded that:
As per RFC 2516, A Method for Transmitting PPP Over Ethernet (PPPoE), this has the implications on the operation of the capture SAP. In an IPoE environment, the initial DHCP traffic related to host establishment uses its native MAC of the physical port on the router. Once the group interface is learned (later in the process, by RADIUS or msap-policy), the MAC address is switched to SRRP MAC address (virtual MAC). The IPoE client adapts easily to this change. On the contrary, for the proper operation of PPPoE with SRRP, the initial destination MAC address learned by the PPPoE client does not change during the lifetime of the session.
This is ensured by indirectly referencing the grp-if under the capture SAP:
With this approach the grp-if is nailed during the session initiation phase by referencing the SRRP instance in track-srrp statement (SRRP is a group interface-wide concept). RADIUS returned grp-if name must match the one on which referenced SRRP instance runs.
The capture SAP of the form
assumes that there is only one grp-if associated with all MSAPs under this capture SAP.
A check is put in place to make sure that the MAC addresses associated with the SRRP instance is the same as the MAC address of the associated capture SAP. A log is raised if there is a discrepancy between the MAC addresses while the grp-if is operationally UP. If there is a MAC address change (user misconfiguration) then the existing PPPoE sessions time out and the new sessions fail to establish until the condition is corrected.
For unnumbered subscriber-interface support in PPPoE, the gateway IP address that is used to send gratuitous ARP is not available. For this reason, the system IP address is used to send gratuitous ARPs. Gratuitous ARP is used to update the Layer 2 network forwarding path towards the BNG node in the upstream direction.
The system IP address is used automatically if the subscriber interface is unnumbered.
SRRP for PPPoE works in an environment where MC-LAG is enabled. For example, the standby LAG link automatically puts the SRRP node in a Backup state and the SRRP becomes master on the active MC-LAG link. It is important that the SRRP on the standby leg of the MC-LAG is forced into a Backup state, or any new state that forces the downstream traffic to use the redundant interface.
Traffic destined to/from the subscriber is forwarded under the condition that the subscriber-interface is operationally UP. This applies also to shunting of downstream subscriber traffic from the STANDBY to MASTER node. It is always necessary to keep the subscriber-interface operationally UP by configuring a dummy group interface with a oper-up-while-empty command under it. This is especially true for the MC-LAG which causes the messaging SAP on the STANDBY node always to be in the INIT state. If MSAPs are used on such group interfaces, the group interfaces would be also operationally DOWN, causing the subscriber-interface to be operationally DOWN.
Prerequisite for MC IPv6 Redundancy is to synchronize PPPoEv6 and IPoEv6 subscribers between the nodes by MCS.
In PPPoE environment, SRRP is used to refresh the forwarding path (MAC addresses) in the access aggregation network (by gratuitous ARP). SRRP ensures that the upstream traffic is steered to the Master BNG node. In the downstream direction, the Backup BNG directs traffic over to the Master BNG node by a redundant-interface.
The IPv6 functionality currently relies on IPv4 based SRRP and IPv4 based redundant-interface. In other words, IPv4 is required to run on the access side as well as on the redundant-interface.
The redundant-interface is used in the downstream direction. Traffic arriving on the network links on the Standby node is shunted over to the Master node over the redundant-interface. This is required to ensure consistent QoS and accounting functionality across the nodes (upstream and downstream traffic on the access links for a subscriber must traverse the same BNG node). There is no IPv6 related CLI associated with the redundant-interface.
All IPv6 subscriber traffic that arrives on the Standby node in the downstream direction is automatically shunted over the IPv4 redundant-interface to the Master node. When IPv6 traffic arrives over the redundant-interface on the Master node, it is either PPPoEv6 encapsulated or left as plain IPoEv6 before it is forwarded to the subscriber.
In the upstream direction (AN->BNG) the behavior is the following:
Note that the current version of SRRP relies only on IPv4 routes. The connection between SRRP and IPv4 routes is done with the subnets with gw IP addresses defined under the subscriber-interfaces in the ESM context. This connection is needed so that SRRP can send Gratuitous ARP properly.
These are the cases for PPPoEv6 MC Redundancy that are supported:
numbered IPv6 only subscriber-interfaces (config>service>sub-if>ipv6 hierarchy) is not supported
When local DHCP Server redundancy/synchronization is used, using address-range failover local | remote, in conjunction with PPPoE in multi-chassis environment, both DHCP servers must be referenced under the corresponding group interface on each node. For address-range failover access-driven configurations only one DHCP server must be referenced.
Otherwise, the PPPoE clients are not synchronized by MCS.
This is not the requirement in the IPoE environment. In the IPoE environment, it is enough that the DHCP server points to the IP address of the local DHCP server. If the IP lease is originally assigned by the peer DHCP server, the request for renewal is automatically forwarded to the remote DHCP server by the virtue of the IP address of the original DHCP server that is included in the renewal request.
It is necessary for the successful renewal of the IP address on the remote DHCP server, that the remote DHCP server has a valid return path back to the gi-address of the forwarder of the renewal request.
In PPPoE dual-chassis environment without the redundant-interface in place, SRRP aware routing should always be used. Otherwise, if the downstream traffic arrives on the backup node, it is forwarded directly to the client over the access network (assuming that the access network is operational) with the source MAC address of the group interface (instead of gw-mac). This grp-if MAC address is different from the MAC address (gw-mac) negotiated during the initial PPPoE phase, and therefore, this traffic is dropped by the client. It must be ensured that the downstream traffic is always attracted to the Master node in the absence of redundant.
On regular interfaces in an IES or VPRN service, only one SAP can be associated. A group interface allows multiple SAPs to be configured as part of a single interface. All SAPs in a single group interface must be within the same port. Since broadcast is not allowed in this mode, forwarding to the subscriber is based on IP/MAC addresses information gathered by the subscriber management module and stored in the subscriber management table. These entries are based on both static and dynamic DHCP hosts. Routed CO must be used with standard subscriber management or enhanced subscriber management. DSLAMs are typically deployed with Ethernet interfaces.
This model is a combination of two key technologies, subscriber interfaces and group interfaces. While the subscriber interface define the subscriber subnets, the group interfaces are responsible for aggregating the SAPs.
As depicted in Figure 97, an operator can create a new subscriber interface in the IES or VPRN service. A subscriber interface allows for the creation of multiple group interfaces. The IP space is defined by the subnets of the subscriber interface’s addresses. Figure 98 shows the details of group interface A.
Figure 99 shows a network diagram where the DSLAM are connected directly to a Broadband Service Router (BSR) providing access to an IP subnet. Subscribers from multiple DSLAMs can be part of the same subnet. Note that BSR is also referred to as Broadband Network Gateway (BNG).
The BSR can be configured with multiple subnets, allowing subscribers to be part of a single subnet as well as providing mechanisms for re-addressing or expanding existing services without affecting existing users.
Figure 100 shows a detailed view of a router and the configuration objects implemented to support Layer 3 subscriber interfaces.
The individual features related to subscribers, such as DHCP relay, DHCP snooping and anti-spoofing filters, are enabled at group interface level. For a Routed CO model of subscriber management, and when enhanced subscriber management (if sub-sla-mgmt is configured). Then, hashing is based on an internally assigned subscriber-ID. Having a unique subscriber ID configured in CLI ensures that each subscriber is assigned a unique internal subscriber ID.
It is assumed that individual end-user devices (further referred to as subscriber hosts) get their IP address assigned through either DHCP or static configuration. The management of individual subscriber hosts (such as creation, queue allocation, and so on) is performed by Enhanced Subscriber Management.
The operator can provision how the system advertises routes. While most deployments advertise the full subnet it is possible to have the system advertise only the active, discovered or static host routes.
The distribution of this information into routing protocols is driven by import/export route policies configured by the operator.
The DHCP relay process has been enhanced to record incoming DHCP discover and request messages. Since forwarding to the SAPs is done by the information in the subscriber management table and multiple SAPs are allowed in one interface it was impossible to know which SAP is used to forward the DHCP replies. The node maintains a cache of the DHCP requests. The cache can be viewed using the tools>dump>router>dhcp>group-if-mapping command. The cache holds an entry for 30 seconds. If an ACK/NAK packet was not received from the server within the timeout the node discards the cache entry. The node can use the Option 82 circuit-id field as part of the temporary host entry. If used, the ACK must contain the same circuit-id field in Option 82 to be found in the cache only if the match-circuit-id is specified at the DHCP level of the group- interface. When the match-circuit-id command is enabled a check is performed for option 82 circuit-id.
The routed CO model depends on subscriber management to maintain the subscriber host information. To create a group interface the operator must first create a subscriber interface within the service (config>service>ies>subscriber-interface ip-int-name). The subscriber interface maintains up to 256 subscriber subnets and is configured with a host address for each subnet.
When a DHCP ACK is received the IP address provided to the client is verified to be in one of the subscriber subnets associated with the egress SAP. When DHCP snooping is enabled for regular IES interfaces the same rule applies.
The subscriber interface is an internal loopback interface. The operational state is driven from the child’s group interface states and the configuration of an address in the RTM.
The group interface is an unnumbered interface. The interface is operationally up if it is in the no shutdown state and if at least one SAP has been defined and is up and the parent subscriber interface is administratively up. The first SAP defined determines the port for the group interface. If the user attempts to define a subsequent SAP that is on a different port results in an error. When the subscriber-interface or the group interface is in a shut down state no packets are delivered or received to or from the subscriber hosts but the subscriber hosts, both dynamic and static, are maintained based on the lease time.
In the routed CO model, the router acts as a DHCP relay agent and also serves as the subscriber- identification agent. The DHCP actions are defined in the group interface. All SAPs in that interface inherit these definitions. The group interface DHCP definition are a template for all SAPs.
Lease-populate is enabled by default with the number-of-entries set to 1. This enables DHCP lease state for each SAP in the group interface.
Since the group interface can aggregate subscribers in different subnets a GI address must be defined for the DHCP relay process. The address must be in one of the host addresses defined for the subscriber interface. The GI address can be defined at the subscriber interface level which causes all child group interface to inherit that route. The GI address can then be overridden at the group interface level. A GI address must be defined in order for DHCP relay to function.
Because of the nature of the group interface, local-proxy-arp, as well as arp-populate, should be enabled. This would allow the system to respond to subscriber ARP requests if the ARP request contains an IP address which is in the same subnet as one of the subscriber interface subnets.
When an authentication policy is specified for a SAP under a group interface, DHCP intercepts DHCP discover messages for RADIUS authentication. If the system is a DHCP-relay defined in a group interface and the GI address was not configured, the operational state of DHCP is down.
Much like in Routed CO for IES service, the Routed CO model for VPRN depends on subscriber management to maintain the subscriber host information. To create a group interface, the operator must first create a subscriber interface in the config>service>vprn context. The subscriber interface can maintain up to 256 subscriber subnets and can be configured with a host address for each subnet. The host IP address can be installed as a result of both relaying to a DHCP server and proxy to a RADIUS server. In both cases the host IP address must be in the subnet defined by the VPRN’s subscriber interface.
Basic subscriber management is allowed only in a subscriber/SAP model and can be used only in a dedicated VPRN architecture. A RADIUS service selection (using Managed SAPs) requires Enhanced Subscriber Management. The subscriber interface’s subnets are allowed to be advertised to both IGPs and BGP within a VPRN.
When an authentication policy is specified for a group interface, DHCP snooping must be enabled to intercept DHCP discover and renew messages for RADIUS authentication. Subscriber management RADIUS extensions are allowed if the operator chooses to have the RADIUS server return the subscriber identification, subscriber profile and sla-profile strings using RADIUS.
The node can be defined with both a DHCP relay or proxy function. If the user configures a DHCP relay, the local-proxy-server command enables DHCP split leases. In that configuration the node provides the configured DHCP lease to the client using either RADIUS or the real DHCP server as the source of the IP address to be provided.
The RADIUS server can send a Change of Authorization (CoA) message containing the DHCP FORCERENEW VSA which prompts the local-proxy-server to send a FORCERENEW message to the client. The node ACKs when the FORCERENEW messages has been sent, regardless of whether the subscriber responds. If the client fails to respond or if a new session cannot be established due to resource management issues or otherwise the node must respond with a NACK to the RADIUS server.
If the CoA message contains an IP address that is different than the configured IP address (when RADIUS was providing IP addresses) the node must send a FORCERENEW message to the client and NAK the request and provide a new IP address. If the node fails to receive a request, the CoA is ACK’d when the FORCERENEW message has been sent.
The operational state of group and subscriber interfaces are dependent on the state of active SAPs. A group interface can become operationally up only if at least one SAP is configured and is in an operationally up state. A subscriber interface becomes operationally up if at least one group interface is operationally up or the associated wholesale forwarding interface is operationally up. This ensures that, in a failure scenario that affects all group interfaces in a given subscriber subnet, the node stops advertising the subnet to the network. The SRRP state affects this behavior as well and can cause the subnet to be removed if all group interfaces (and SRRP instances) are in backup state.
VPRN Routed CO allows a provider to resell wholesaler services (from a carrier) while providing direct DSLAM connectivity. An operator can create a VPRN service for the retailer and configure the access from subscribers as well as to the retailer network. Any further action acts as if the VPRN is a standalone router running the Routed CO model. All forwarding to these servers must be done within the VPRN service. The operator can leak routes from the base routing instance. In this model, the operator can use RADIUS for subscriber host authentication, DHCP relay and DHCP proxy. This provides maximum flexibility to the retailer while minimizing the involvement of the wholesaler. Access cannot be shared among retailers unless a subscriber SAP is used. This requires that the wholesaler maintain a different access node (DSLAM) for each retailer that does not scale well. The wholesale retail model described in this section overcomes these limitations.
In the wholesale retail model (Figure 101), the wholesaler instance connections that are common to the access nodes are distributed to many retail instances. A subscriber host attached to an access node connected in the wholesaler service can be instantiated in a retail service and obtain IP addresses from the retailers address space. The service context of the retailer is determined during the subscriber host authentication phase (for example, by the Alc-Retail-Serv-Id attribute in RADIUS or the retail-service-id CLI in the local user database).
Upstream subscriber traffic ingresses into the wholesaler instance and after identification is then forwarded into the retail instance. The reverse occurs for traffic in the downstream direction.
In a wholesale retail model, two subscriber interfaces must be configured and linked together: one in the wholesale VPRN and one in the retail service.
The wholesale subscriber interface defines the IP subnets and host specific configuration parameters for subscriber hosts belonging to the wholesaler. There are associated group interfaces that contain the SAPs which connect to the access nodes.
The retail subscriber interface defines the IP subnets and host specific configuration parameters for subscriber hosts belonging to the retailer. The retail subscriber interface is linked to a wholesale subscriber interface for forwarding by explicit configuration. There are no associated group interfaces.
For example:
A retail subscriber interface can be linked to a single wholesale subscriber interface and context only. Subscriber interface chaining (linking a retail subscriber interface to another retail subscriber interface) is not supported. Multiple retail subscriber interfaces belonging to different retail contexts can be associated with a single wholesale subscriber interface. When a retail subscriber interface is linked to a wholesale context, all other retail subscriber interfaces from the same retailer must be linked to the same wholesale context.
As explained in the previous section, the wholesale retail model is provisioned with the linking of a subscriber interface in a retail service to a subscriber interface in the wholesale VPRN service.
Because a retail subscriber interface does not have a group interface context, some group interface-specific CLI parameters such as to configure dhcp relay are made available at the retail subscriber interface level. Other CLI parameters such as to provision RADIUS or local user database authentication are configured at the wholesale subscriber or group interface and apply to both wholesale and retail subscriber hosts.
The DHCP lease-populate configuration is special in wholesale retail as it is configured in both wholesale and retail context. The lease-populate value in the wholesale group-interface dhcp context controls the per SAP limits while the lease-populate value configured in the retail subscriber interface dhcp context controls the limits for the retailer subscriber interface. Both limits must be satisfied before a new subscriber host can be instantiated.
The sample configurations below enable dual-stack IPoE devices to connect to wholesale service VPRN 4000 and retail service VPRN 4001. Hosts connected in VPRN 4000 get their IP address assigned from RADIUS, hence the proxy server configuration. Hosts connected in VPRN 4001 get their IP address from a DHCP server, hence the DHCP relay configuration.
Only the service configurations are shown. They have to be completed with authentication policies and subscriber management configuration such as radius-server-policies, sub- and sla-profiles, and so on.
Sample configuration – Wholesale VPRN Service:
Sample configuration – Retail VPRN Service:
The wholesale retail model applies to all IPoE, PPPoE PTA, IPv4 and IPv6 host types.
The wholesale service type must be VPRN. For IPoEv4 hosts, the retail service type must be a VPRN. For all other host types, the retail service type can be IES or VPRN.
Multicast-per-host replication can be enabled without support for multi-chassis redundancy.
The wholesale retail model can be deployed in combination with managed SAPs.
Overlapping subscriber subnets and prefixes in retail VPRN services associated with the same wholesale forwarding service are supported for PPPoE (IPv4 and IPv6) and IPoE (IPv4 and IPv6). This support is enabled by configuring private retail subnets on the retail subscriber interface. Private retail subnets are supported when multi-chassis redundancy is needed.
In some cases, hub-and-spoke-type forwarding is needed for the retailer’s VPRN. When the retailer expects all subscriber traffic to reach its router (for accounting, monitoring, wiretapping, and so on) normal best-hop behavior within the retailer VPRN is not desired. Any subscriber-to-subscriber traffic is forwarded within the VPRN preventing the retailer from receiving these packets. To force all subscriber packets to the retailer network, a new type of hub-and-spoke topology is defined: type subscriber-split-horizon. It can be used to force all subscriber traffic (upstream) to the retailer’s network. The system requires that the operator shut down the VPRN service to enable this flag.
With retail VPRN type configured to subscriber-split-horizon, routes learned from MBGP, IGP through a regular interface, static routes through regular interfaces and locally attached regular interface routes are considered hub routes and are used for upstream traffic forwarding. Subscriber subnets cannot be used for upstream traffic forwarding. Downstream traffic uses routes in both hub and spoke routing instances.
Figure 102 shows user-to-user traffic forwarding for both retail VPRN types: regular and subscriber-split-horizon.
Hub-and-spoke forwarding can also be used in combination with wholesale unicast RPF (uRPF) check. The uRPF is performed on upstream traffic on spoke routes (subscriber subnets) and the forwarding uses hub routes only.
A routed subscriber host associated route, as shown in Figure 103, is a global routable subnet/prefix behind a routed CPE or Home Gateway. The routed CPE is identified in the BNG as an ESM subscriber host: QoS, accounting and anti-spoofing is enforced per CPE. The associated routes are installed in the BNG route table with next-hop pointing to the routed subscriber host’s WAN address.
Routed subscriber host associated routes are supported on IES/VPRN subscriber interfaces in a routed CO configuration. To put a SAP or MSAP in routed subscriber mode, the anti-spoof type for the SAP or MSAP must be configured to nh-mac:
There are three ways to learn about a routed subscriber host associated IPv4 route:
A routed subscriber host associated IPv6 route can only be learned with the RADIUS [99] Framed-IPv6-Route attribute.
The routes associated with a static host are populated in the routing table as “Remote Managed” routes. Up to sixteen managed routes can be configured for a static host.
To display the managed routes associated with a routed subscriber host, use following commands:
show service id service-id static-host detail
The routes associated with a static host are populated in the routing table as “Remote Managed” routes. Up to sixteen managed routes can be configured for a static host.
To display the managed routes associated with a routed subscriber host, use the show>service>id service-id>static-host detail command.
Routed subscriber host associated IPv4 routes can be learned over a dynamic BGP IPv4 peer that is automatically set up when a subscriber host is instantiated. The parameters for the BGP peer are configured in a BGP peering policy or obtained in Radius VSA attributes. The subscriber-host IPv4 address is used as the BGP peer IP address. The BGP peering is torn down and the associated routes removed from the routing table as soon as the subscriber-host is removed.
Dynamic BGP peering is supported for routed subscriber hosts terminated in a VPRN service and is not supported for routed subscriber hosts terminated in an IES service. The BGP learned routes scaling is limited by the BGP scaling limits. The routes learned by a dynamic BGP peer are populated in the routing table as “Remote BGP” routes.
To display the BGP learned routes associated with a routed subscriber host, use the regular BGP commands. For example:
show router service-id bgp neighbor ip-address received-routes
An ESM dynamic BGP group must be configured in the BGP cli context of the VPRN service where the subscriber host is started:
config>service>vprn>bgp
The BGP peering policy to be used must be configured in the subscriber-mgmt CLI context:
An ESM dynamic BGP peer is established for a subscriber host if the RADIUS attribute [26-6527-55] “Alc-BGP-Policy” returned in the Access-Accept contains the name of a local configured bgp-peering-policy and if an ESM dynamic peer group is configured in the VPRN BGP context.
BGP peering parameters can be specified from multiple sources:
The import and export policies to be used for the dynamic bgp peer are determined in following priority order:
Table 26 details the RADIUS VSA attributes that can be used to setup dynamic BGP peering.
Attribute-ID | Attribute Name | Description |
26-6527-55 | Alc-BGP-Policy | Mandatory attribute to setup a dynamic BGP peer. References a bgp peering policy configured in the “configure subscriber-mgmt bgp-peering-policy <policy-name>” CLI context. |
26-6527-56 | Alc-BGP-Auth-Keychain | Optional. References a keychain configured in the “configure system security keychain <keychain-name> “ CLI context. |
26-6527-57 | Alc-BGP-Auth-Key | Optional. The MD5 authentication key used between BGP peers for BGP session establishment. |
26-6527-58 | Alc-BGP-Export-Policy | Optional. References a pre-configured BGP export routing policy. |
26-6527-59 | Alc-BGP-Import-Policy | Optional. References a pre-configured BGP import routing policy. |
26-6527-60 | Alc-BGP-PeerAS | Optional. Specifies the Autonomous System number for the remote peer |
If a routed subscriber host is associated with a RIP policy, the host’s IPv4 routes can be learned over RIP. The BNG only supports RIP listener and does not support sending RIP routes to subscribers. To enable RIP for a subscriber, the subscriber must first be associated with a rip-policy. The group interface of the subscriber must also be configured as a RIP neighbor. The RIP policy can be associated to the subscriber during authentication from LUDB or by RADIUS. It can also be configured directly for static hosts. The RIP routes learned from a subscriber is removed as a subscriber is purged or shut down from the system. RIP listening for ESM host is supported on both IES and VPRN.
To display the RIP learned routes associated with a routed subscriber host, use the RIP commands. For example:
The group interface must be configured in the RIP CLI context of the routed instance where the subscriber host is created:
The RIP policy is configured in the subscriber-mgmt CLI context:
A RIP neighbor is established for a subscriber host if the RADIUS attribute [26-6527-207] “Alc-RIP-Policy” is returned in the Access-Accept or in LUDB. RIP parameters such as authentication key and type can be specified in the RIP policy.
For more information about RIP, refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR Unicast Routing Protocols Guide.
RADIUS attribute [22] Framed-Route can be specified in a RADIUS Access-Accept message to associate an IPv4 route with an IPv4 routed subscriber host and Radius attribute [99] Framed-IPv6-Route can be used to associate an IPv6 route with an IPv6 routed subscriber wan host (DHCPv6 IA-NA or SLAAC). These routes are populated in the routing table as “Remote Managed” routes. Up to sixteen managed routes can be installed for a routed subscriber host; this corresponds with up to sixteen Framed-Routes and sixteen Framed-IPv6-Routes for a dual-stack routed subscriber. Framed-IPv6-Routes cannot be associated with a Prefix Delegation host (DHCP IA-PD).
The Framed-Route and Framed-IPv6-Route attributes should be formatted as:
"<ip-prefix>[/<prefix-length>] <space> <gateway-address> [<space> <metric>] [<space> tag <space> <tag-value>] [<space> pref <space> <preference-value>]”
where:
<space> — is a white space or blank character.
<ip-prefix>[/prefix-length] — is the managed route to be associated with the routed subscriber host. The prefix-length is optional for an IPv4 managed route. When not specified, a class-full class A,B or C subnet is assumed. The prefix-length is mandatory for an IPv6 managed route.
<gateway-address> — must be the routed subscriber host IP address. “0.0.0.0” is automatically interpreted as the host IPv4 address for managed IPv4 routes.
“::” and “0:0:0:0:0:0:0:0” are automatically interpreted as the wan-host IPv6 address for managed IPv6 routes.
[<metric>] — Optional. Installed in the routing table as the metric of the managed route. If not specified, metric zero is used. Value = [0 to 65535].
[tag <tag-value>] — Optional. The managed route is tagged for use in routing policies. If not specified, or tag-value = 0, then the route is not tagged. Value = [0 to 4294967295].
[pref <preference-value>] — Optional. Installed in the routing table as protocol preference for this managed route. If not specified, preference zero is used. Value = [0..255].
If the optional metrics (metric, tag and/or preference) are specified in a wrong format or with out of range values, then the defaults are used for all metrics: metric=0, no tag and preference=0. No event is logged.
If the Framed-Route or Framed-IPv6-Route is invalid (for example because the gateway address specified does not match the host wan IP address or because the host bits are not zero) then the routed subscriber host is instantiated without the ill-defined managed route. An event is logged in this case.
Equal Cost Multi-Path (ECMP) is supported for Framed-Route and Framed-IPv6-Route:
The maximum number of equal cost paths in a routing instance is configured with:
If an identical managed route is associated with different routed subscriber hosts in the context of the same IES/VPRN service, up to <max-ecmp-routes> managed routes are installed in the routing table. Candidate ECMP Framed-Routes/Framed-IPv6-Routes have:
A tie breaker determines if more candidate ECMP Framed-Routes/Framed-IPv6-Routes are available than the configured <max-ecmp-routes> is: Lowest ip next-hop.
Other identical managed routes are shadowed and an event is logged.
Note that Candidate ECMP Framed-Routes/Framed-IPv6-Routes can belong to hosts of the same or different subscriber.
Valid Framed-Routes and Framed-IPv6-Routes are persistent (stored in the persistency file for recovery after reboot) and synchronized in a Multi-Chassis Redundancy configuration.
RADIUS-learned Framed-Route/Framed-IPv6-Route and static host associated managed routes that are installed in the routing table can be identified in routing policies for redistribution as protocol “managed”.
To display the managed routes associated with a routed subscriber host, use following commands:
show service id service-id dhcp lease-state detail
show service id service-id dhcp6 lease-state detail
show service id service-id slaac host detail
show service id service-id ppp session detail
show service id service-id pppoe session detail
show service id service-id arp-host detail
Valid RADIUS-learned managed routes can be included in RADIUS accounting messages with the following configuration:
Associated managed routes for an instantiated routed subscriber host are included in RADIUS accounting messages independent of the state of the managed route (Installed, Shadowed, HostInactive, and so on).
For a PPP session, when a Framed-Route or Framed-IPv6-Route is available while the corresponding routed subscriber host is not yet instantiated, the managed route is in the state “notYetInstalled” and is not included in RADIUS accounting messages.
This section describes VPRN leaking and GRT lookup and routed CO in a VPRN.
Subscriber prefixes and prefix delegation, RADIUS, RIP, and BGP-managed routes with a subscriber prefix as next-hop can be leaked between VPRN services on the same router using MP-BGP import and export policies.
VPRN leaking enables the support of extranet topologies including hub-and-spoke for business services using residential access.
GRT lookup allows routing from a VPRN to the GRT, and GRT leaking allows routing from the GRT to a VPRN. These features are particularly useful when VPRNs require routing to the Internet and the GRT already contains the Internet routing table. Wholesale/retail VPRNs and the routed CO VPRN have both GRT lookup and GRT leaking support.
The config>service>vprn>grt-lookup>export-grt command exports subscriber-related routes and protocols to the GRT. This allows traffic arriving from the network port to be routed downstream to the subscriber. The following configurations are supported in the downstream direction.
GRT lookup supports traffic from the subscriber to be routed upstream to the GRT. The following configurations are supported in an upstream direction:
Not Supported
All residential networks are based on two models: Layer 2 CO and Layer 3 CO. Dual homing methods for Layer 2 CO include MC-LAG and MC-Ring. Dual homing for Layer 3 CO is based on SRRP and can be done in ring-topologies (l3-mc-ring or with directly attached nodes. All methods use multi-chassis synchronization protocol to sync subscriber state.
Figure 104 depicts dual-homing to two different PE nodes. The actual architecture can be based on a single DSLAM having two connections to two different PEs (using MC-LAG) or ring of DSLAMs dual-connected to redundant pair of PEs.
Similarly to previous configuration, both aggregation models (VLAN-per-subscriber or VLAN-per-service) are applicable.
Configurations include:
Figure 105 shows a typical configuration of network model based on Layer 2 CO model. Individual rings of access nodes are aggregated at BSA level in one (or multiple) VPLS services. At higher aggregation levels (the BSR), individual BSAs are connected to Layer 3 interfaces (IES or VPRN) by spoke SDP termination. Every Layer 3 interface at BSR level aggregates all subscribers in one subnet.
Typically, BTV service distribution is implemented in a separate VPLS service with a separate SAP per access-node. This extra VPLS is not explicitly indicated in Figure 105 (and subsequent figures) but the descriptions refer to its presence.
From a configuration point of view in this model, it is assumed that all subscriber management features are enabled at the BSA level and that synchronization of the information (using multi-chassis synchronization) is configured between redundant pair nodes (BSA-1 and BSA-2 shown in Layer 2 CO Dual Homing - Network Diagram). The multi-chassis synchronization connection is used only for synchronizing active subscriber host database and operates independently from dual-homing connectivity control. At the BSR level, there are no subscriber management features enabled.
The operation of redundancy at the BSR level through VRRP is the same as dual homing based on MC-LAG. The operation of dual homing at BSA level is based on two mechanisms. Ring control connection between two BSAs have two components, in-band and out-of-band communication. With in-band communication, BFD session between BSA-1 and BSA-2 running through the access ring and using dedicated IES/VPRN interface configured on both nodes. This connection uses a separate VLAN throughout the ring. The access nodes provides transparent bridging for this VLAN. The BFD session is used to continuously verify the integrity of the ring and to detect a failure somewhere in the ring.
With out-of-band communication, the communication channel is used by BSA nodes to exchange information about the reachability of individual access nodes as well as basic configurations to verify the consistency of the ring. The configuration information is synchronized through multi-chassis synchronization and therefore it is mandatory to enable multi-chassis synchronization between two nodes using the multi-chassis-ring concept.
In addition, the communication channel used by MC-LAG or MC-APS control protocol is used to exchange some event information. The use of this channel is transparent to the user.
Ring node connectivity check continuously checks the reachability of individual access nodes in the ring. The session carrying the connection is conducted on separate VLAN, typically common for all access nodes. SHCV causes no interoperability problems.
Figure 106 illustrates the operation of the dual-homed ring. The steady state is achieved when both nodes are configured in a consistent way and the peering relation is up. The multi-chassis ring must be provisioned consistently between two nodes.
In-Band Ring Control Connection (IB-RCC) is in operational UP state. Note that this connection is set up using a bi-directional forwarding session between IP interfaces on BSA-1 and BSA-2.
In Figure 106, the ring is fully closed and every access node has two possible paths towards the VPLS core. Figure 106 refers to these as path-a and path-b. To avoid the loop created by the ring, only one of the paths can be used by any given ring node for any given VLAN. The assignment of the individual VLANs to path-a or path-b, respectively, has to be provisioned on both BSAs.
The selection of the BSA master for both paths is based on the IP address of the interface used for IB-RCC communication (bi-directional forwarding session). The BSA with the lower IP address of the interface used as IB-RCC channel becomes master for ring nodes and their respective VLANs assigned to path-a. The master of path-b is the other BSA.
In this example, each path in the ring has a master and standby BSA. The functionality of both devices in steady state are as follows:
In the master BSA:
In the standby BSA:
All SAPs that belong to a BSA’s path, the standby is operationally down and all FDB entries of subscriber hosts associated with those SAPs point towards the SDP connecting to the master BSA (also called a shunt SDP).
In both BSAs:
Figure 107 illustrates the model with a broken ring (link failure or ring node failure). This state is reached in following conditions:
In this scenario, every ring node has only one access path towards the VPLS core and hence, the Path-a and Path-b notion has no meaning in this situation.
Functionally, both BSAs are now the master for the reachable ring nodes and act as described in Steady-State Operation of Dual-homed Ring. For all hosts behind the unreachable ring nodes, the corresponding subscriber host FDB entries point to the shunt SDP.
The mapping of individual subscriber hosts into the individual ring nodes is complicated, especially in the VLAN-per-service model where a single SAP can represent all nodes on the ring. In this case, a given BSA can have subscriber hosts associated with the given SAP that are behind reachable ring nodes as well as subscriber hosts behind un-reachable ring nodes. This means that the given SAP cannot be placed in an operationally down state (as in a closed ring state), but rather, selectively re-direct unreachable subscriber states to the shunt SDP.
All SAPs remain in an operationally up state if the ring remains broken. This mainly applies for BTV SAPs that do not have any subscriber hosts associated with and do not belong to any particular ring node.
To make the mapping of the subscriber-hosts on the given ring node automatically provisioned, the ring node identity is extracted during subscriber authentication process from RADIUS or from a Python script. The subscriber hosts which are mapped to non-existing ring node remain attached to the SAP.
At the time both BSA detect the break in IB-RCC communication (if BFD session goes down) following actions are taken:
By its definition, the multi-chassis ring operates in a revertive mode. This means that whenever the ring connectivity is restored, the BSA with lower IP address in the IB-RCC communication channel become masters of the path-a and vice versa for path-b.
After restoration of BFD session, the master functionality, as described in Steady-State Operation of Dual-homed Ring, is assumed by respective BSAs. The FDB tables are updated according to the master/standby role of the given BSA and FDB population messages is sent accordingly.
The multi-chassis ring can operate only if both nodes similarly configured. The peering relation must be configured and both nodes must be reachable at IP level. The multi-chassis ring with a corresponding sync-tag as a ring-name identifying a local port ID must be provision on both nodes. And, BFD session and corresponding interfaces needs to be configured in a consistent way.
In case the multi-chassis rings are not provisioned consistently, the ring does not become operational and the SAP managed by it is in an operationally up state on both nodes.
The assignment of individual SAPs to path-a and path-b is controlled by configuration of VLAN ranges according to the following rules:
Figure 108 depicts a single DSLAM dual-homed to two BSRs.
To provide dual-homing in the context of subscriber interfaces, the following items must be configured on both BSRs:
During the operation, BSR-1 and BSR-2 resolves master-backup relations and populates respective FDBs in such a way that at master side, subscriber-host entries point to corresponding group interface while at the back-up side, subscriber-host entries point to the redundant interface. Note that the logical operation of the ring in the Layer 3 CO model is driven by SRRP. For more details on SRRP operation, see the Subscriber Routed Redundancy Protocol (SRRP) chapter.
The typical implementation of MC services at the network level is shown in Figure 109.
The IGMP is used to register joins and leaves of the user. IGMP messaging between BSRs is used to determine which router performs the querier role (BSR2 in Figure 109). PIM is used to determine which router is the designated router and the router that sends MC streams on the ring.
The access nodes have IGMP snooping enabled and from IGMP messaging between BSR, they are aware which router is the querier. In the most generic case, IGMP snooping agents (in access nodes) send the IGMP-joins messages only to IGMP-querier. The synchronization of the IGMP entries can be then be performed through MCS. In some cases, access nodes can be configured in such a way that both ring ports are considered as m-router ports and IGMP joins are sent in both directions.
All of the above is a steady state operation which is transparent to the topology used in a Layer 2 domain.
A ring-broken state is shown in Figure 110.
In this case, IGMP and PIM messaging between BSRs is broken and both router assume role of querier and role of designated router. By the virtue of ring topology, both routers see only IGMP joins and leaves generated by host attached to a particular “half” of the ring. This means that both routers have “different” views on the dynamic IGMP state.
In principle, MCS could be used to synchronize both routers, but in case of a Layer 2 ring, the implementation sends all IGMP messages to a “ring-master: which then performs IGMP processing and consequently, MCS sync. As a result, any race conditions are avoided.
Another ring-specific aspect is related to ring healing. The ring continuity check is driven by BFD which then drives SRRP and PIM messaging. BFD is optimized for fast detection of ring-down events while ring-up events are announced more slowly. There is a time window when routers are not aware that the ring is recovered. In the case of MC, this means traffic is duplicated on the ring.
To avoid this, the implementation of BFD provides a “raw mode” which provides visibility on “ring-up” events. The protocols, such as SRRP and PIM, use this raw mode rather than the BFD API.
Routed CO dual homing is a solution that allows seamless failover between nodes for all models of routed CO. In the dual homed environment, only one node forwards downstream traffic to a given subscriber at a time. Dual homing involves several components:
Routed CO dual homing can be configured for both wholesaling models. Dual homing is configured by creating a redundant interface that is associated with the protected group interfaces. The failure detection mechanism can be SRRP. If SRRP is used, each node monitors the SRRP state to determine the priority of its own interface.
Dual homing is used to aggregate a large number of subscribers to support a redundancy mechanism that allows a seamless failover between nodes. Because of the Layer 3 nature of the model, forwarding is performed for the full subscriber subnet.
In dual homing, a redundant interface must be created. A redundant interface is a Layer 3 spoke SDP-based interface that allows delivery of packets between the two nodes. The redundant interface is required to allow a node with a failed link to deliver packets destined to subscribers behind that link to the redundant node. Since subscriber subnets can span multiple ports it is not possible to stop advertising the subnet, thus, without this interface the node would black hole.
The redundant interface is associated with one or more group interfaces. An interface in backup state uses the redundant interface to send traffic to the active interface (in the active node). The SAP structure under the group interface must be the same on both nodes as the synchronization of subscriber information is enabled on a group interface basis. Traffic can be forwarded through the redundant interface during normal operation even when there are no failed paths. See Figure 111.
Subscriber Router Redundancy Protocol (SRRP) allows two separate connections to a DSLAM to operate in an active/standby fashion similar to how VRRP interfaces operate. Since the SRRP state is associated with the group interface, multiple group interfaces may be created for a given port so some of the SAPs are active in one node and others active on the other node. While each SRRP pair is still allowed to be active/backup, the described configuration is allowed for load balancing between the nodes. In a failure scenario, subscriber bandwidth is affected. For more information about SRRP, see the Subscriber Routed Redundancy Protocol (SRRP) chapter.
If SRRP is configured before the redundant interface is up, and in backup state the router forwards packets to the access node using the backup interface but does not use the gateway MAC address. This applies to failures in the redundant interface as well. If the redundant interface exists and up the router sends downstream packets to the redundant interface and not use the backup group interface.
In a dual homing architecture the nodes must be configured with SRRP to support redundant paths to the access node. The nodes must also be configured to synchronize subscriber data and IGMP state. To facilitate data forwarding between the nodes in case some of the ports in a given subscriber subnet are affected a redundant interface must be created and configured with a spoke. The redundant interface is associated with one or more group interfaces.
The service IDs for both the wholesale VPRN and the retailer VPRN must be the same in both nodes.
An interface in a backup state uses the redundant interface to send traffic to the active interface (in the active node). The SAP structure under the group interface must be the same on both nodes as the synchronization of subscriber information is enabled on a group interface basis.
SRRP is associated a group interface. Multiple group interfaces can be created for a specific port so that some of the SAPs are active in one node and others active on the other node. While every SRRP pair is still allowed to be active or backup the described configuration allows for load balancing between the nodes. In a failure scenario, subscriber bandwidth is affected.
To establish subscriber state the nodes must synchronize subscriber information. Refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR Basic System Configuration Guide for multi-chassis synchronization configuration information. The operator must complete the configuration and the system must have data synchronized before the backup node may deliver downstream packets to the subscriber.
If dual homing is used with regular interfaces that run IGMP the nodes must be configured to synchronize the Layer 3 IGMP state.
The service IDs for both the wholesale VPRN and the retailer VPRN must be the same in both nodes.
Multi-Chassis Redundancy for a retail service is enabled with the SRRP and redundant interface configuration on the wholesale group interface parented by the forwarding subscriber interface. The multi-chassis state (active or standby) of the retail subscriber host is determined from the SRRP state (master/non-master) of the group interface that parents the SAP of the retail subscriber host. The retail service id must be equal on both nodes.
Sample wholesale service configuration:
Sample retail service configuration:
Retail unnumbered host routes must be leaked in the wholesale service. Retail subscriber subnets and prefixes leaked in the wholesale service are needed to forward downstream shunted traffic over the redundant interface.
Downstream traffic arriving on an SRRP non-master node must be shunted over the redundant interface. Downstream traffic shunting can be reduced by advertising the retail subscriber subnets and prefixes from the master SRRP node with a more favorable metric using routing policies. To make retail subscriber subnets and prefixes SRRP state-aware, they have to be configured to track an SRRP instance that is active on a group interface of the connected wholesale subscriber interface:
Multi-chassis redundancy is supported for IPoE (IPv4 and IPv6) and PPPoE (IPv4 and IPv6) retail subscriber hosts and sessions.
Overlapping addresses on retail subscriber interfaces (enabled with private-retail-subnets) can be used in combination with multi-chassis redundancy.
When the private-retail-subnets command is enabled, downstream traffic arriving at retail services on SRRP non-master node is shunted over the redundant interface on a wholesale service. On a redundant interface, the service that each frame belongs to is identified by the source MAC address of the frame that includes service ID of a retailer service.
The service ID of each retailer service is synchronized over MCS. Therefore, service IDs for the retailer VPRN must be the same in both nodes.
Traffic shunting in the overlapping address scenario is supported for downstream traffic only.
To take full advantage of SRRP resiliency and diagnostic capabilities, the SRRP instance is tied to a MCS peering that terminates on the redundant node. Once the peering is associated with the SRRP instance, MCS synchronizes the local information about the SRRP instance with the neighbor router. MCS automatically derives the MCS key for the SRRP instance based on the SRRP instance ID. An SRRP instance ID of 1 would appear in the MCS peering database with a MCS-key srrp-0000000001.
The SRRP instance information stored and sent to the neighbor router contains the following:
The routers provide a feature related to exchange of control information between DSLAM and BRAS (BSA is described in this model). This exchange of information is implemented by in-band control connection between DSLAM and BSA, also referred to as ANCP connection.
In case of dual homing, two separate connections are set. As a consequence, there is no need to provide synchronization of ANCP state. Instead every node of the redundant-pair obtains this information from the DSLAM and creates corresponding an ANCP state independently.
The SRRP enhancements addressed in this section is to reduce the need for redundant-interface between the pair of redundant nodes without sacrificing the subnet aggregation on the back-end.
Redundant BNG nodes are not always collocated. This means that the logical link associated with the redundant (shunt) interfaces is taking the uplink path thus wasting valuable bandwidth (downstream traffic that arrives to the Standby node is routed by uplinks for the second time over to the Master node).
To meet the requirement to reduce the existence of shunted traffic only to the short transitioning period between SRRP switchovers while the routing on the network side is converging, the following was required (referring to Figure 112):
SRRP Fate Sharing is a concept in which a group of SRRP instances track a single operational-object comprised of SRRP messaging SAPs. The SRRP instances behave as one (in the single failure case) with regards to SRRP mastership. The group of SRRP instances that are sharing fate on a paired node are referred as a Fate Sharing Group (FSG).
Transition of a single messaging SAP within the FSG into a DOWN state forces the SRRP instance on top of it into the INIT state. Consequently, all other SRRP instances within the same FSG transitions into a Backup state. In other words, SRRP instances within the FSG all share the same fate as the failed SRRP instance as shown in Figure 113. SRRP Fate Sharing provides optimal protection in the context of a single failure in the network.
In the event of multiple network failures, the concept of the FSG breaks as there is a possibility that a ‘FSG’ contains SRRP instances that are in any of the three possible SRRP states: Master, Backup, or Init. This Fate Sharing feature may not provide optimal protection when there are multiple network failures distributed over both redundant nodes.
The whereabouts of the failure in the network path that SRRP is designed to monitor are not always clearly reflected through SRRP states. For example, if the network failure is somewhere in the aggregation network beyond the direct reach of our BNG, SRRP assumes Mastership on both BNG nodes. This is a faulty condition and the reason why solely monitoring of the SRRP states is not enough to protect against failures. On the other hand, the SRRP messaging SAP states are more indicative of the network failure since they can be tied into Eth-OAM.
Once a single network failure is detected and as a result an SRRP instance transitions into a non-Master state, the remaining SRRP instances in the FSG are forced into a Backup state. This is achieved by changing the priority of each individual SRRP instance in the FSG.
When there are simultaneous multiple failures (multiple ports fail at the same time), it is possible that the SRRP instances within the FSG settle in any of the three possible SRRP states: Master, Backup, or Init. In such scenario, shunted traffic ensues.
In the premise of SRRP Fate Sharing, the network failure is reflected in the operational state of the messaging SAP over which SRRP runs. This is the case if the failure is localized to the BNG (somewhere on the directly connected link). In the case of non-localized failure (beyond the direct reach of the BNG node), Eth-OAM might be needed in to detect the remote end failure and consequently bring the SAP operationally into a DOWN state.
Once the single network failure is detected, all instance within the FSG transitions into a non-Master state.
If there are no failures in the network, all SAPs are UP and SRRP instances within the FSG are in a homogeneous and deterministic state based on their configured priorities.
Failure Detection in a Fate Sharing Group
Fate Sharing Group (FSG) is relaying on tracking the state of messaging SAPs over which SRRP instances run. An SRRP instance with the messaging SAP operationally DOWN transitions into the Init state.
The transitioning of any messaging SAP in a FSG into an UP/DOWN state triggers SRRP priority adjustment within the FSG. The SRRP priorities should be chosen carefully to achieve the desired behavior. They are modified dynamically as the SAP states change. The range in which SRRP priorities can be modified is from 1 to the SRRP priority that is initially configured under the SRRP node. Here are some general guidelines for choosing SRRP priorities in a FSG:
The priorities can never be less than 1 or greater than initially configured SRRP priority.
Example scenarios:
Assume 3 SRRP instances in a FSG. The SRRP instances in the FSG-1 on BNG 1 have the priority of 100, while the SRRP instances in the FSG-2 on BNG 2 have the priority of 95. The priority-step is 6. The SRRP instances and underlying messaging SAPs are referred to as SRRP 1, 2, 3 and SAP 1,2,3, respectively.
Initialization:
Scenario 1 – all SAPs are operationally UP.
BNG 1 boots up and all messaging SAPs transition into the UP state. When the first SRRP instance in FSG-1 comes up, it looks under the FSG to finds out how many messaging SAPs are operationally UP. Since all messaging SAPs are operationally UP, this first SRRP instance assumes its initially configured priority of 100. The other two SRRP instances in the same FSG follows the same sequence of events.
BNG 2 follows the same flow of events. As a result, BNG 1 assumes mastership over BNG 1 for all SRRP instances within the corresponding FSG.
Scenario 2 – messaging SAP 1 is operationally DOWN on BNG 1, the rest of the messaging SAPs are operationally UP.
SRRP 2 and 3, during the initialization, pick up SRRP priority of 94 (100 – 1*priority-step).
On BNG 2, all messaging SAPs are UP and consequently all SRRP instances within the FSG on BNG 2 have SRRP priority of 95. The SRRP instances on BNG 2 assumes Mastership.
Scenario 3 – Continuing from scenario 2, the SAP 1 on BNG 1 transitions into the UP state. SRRP priority of each SRRP instance in FSG-1 is increased by 6, bringing it to 100, enough to assume Mastership.
Adding a New Instance into an FSG
To introduce minimal network disruption, first create messaging SAPs in both BNG nodes and ensure that both SAPs are operationally UP. Then a new SRRP 4 instance should be created on both BNG nodes. The next step would be to include this new messaging SAP into a SAP monitoring group. And finally, the SRRP-4 is added into the FSG (1 and 2). This triggers the recalculation of SRRP priorities for the existing FSG-1 and FSG-2. Since all SRRP priorities are at the max (initially configured priority), nothing changes.
There are more disruptive ways of adding an SRRP instance into a FSG. One such example would be in the case where SRRP priorities are not at their maximum (initially configured) priority. If an SRRP instance is first added into an FSG that is in a Backup state, this would increase the FSG priority and potentially cause a switchover. If the SRRP instances is then added in a FSG on the peer BNG (previously Master), the priority of this FSG would be increased again and the switchover would unnecessarily occur for the second time. The new SRRP instances, once operational, should always be added in the Master FSG first.
SRRP priority re-calculation within the FSG is triggered by the following events:
This priority calculation looks into how many SAPs are in the DOWN state within the monitored SAP group. Based on this number, the priority is calculated as follows:
SRRP priority = configured-priority – priority-step * num_down_SAPs.
There are three cases that need to be covered, each case with its own specifics:
Depending on the route type, the action is to either modify the route metric based on the SRRP state that the route is tracking, or to advertise/withdraw the route based on the SRRP state that the route is tracking. The action is defined in the routing policy and it is based on the new attributes with which the routes are associated.
To achieve a better granularity of the routes that are advertised, an origin attribute is added to the subscriber management routes (/32 IPv4 routes and IPv6 PD wan-host) with three possible values:
aaa
IPv4
subscriber-management /32 host routes that are originated through RADIUS framed-ip-address VSA other than 255.255.255.254. The 255.255.255.254 returned by the RADIUS indicates that the BNG (NAS) should assign an IP address from its own pool.
IPv6
subscriber-management routes that are originated through framed-ipv6-prefix (SLAAC), delegated-ipv6-prefix (IA_PD) or alc-ipv6-address (IA_NA) RADIUS attributes. This is valid for IPoE and PPPoE type host.
dynamic
IPv4
subscriber-management /32 host routes that are originated through the DHCP server (local or remote) and also RADIUS framed-ip-address=255.255.255.254 (RFC 2865).
IPv6
subscriber-management routes that are assigned through the local DHCPv6 server pools whose name is obtained through Alc-Delegated-IPv6-Pool (PD pool) and Framed-IPv6-Pool (NA pool) RADIUS attributes. This is valid for IPoE and PPPoE type hosts.
In addition, for IPoEv6 only, the pool name can be also obtained through the ipv6-delegated-prefix-pool (PD pool) and ipv6-wan-address-pool (NA pool) from LUDB.
static
IPv4
subscriber-management /32 host routes that are originated through LUDB. This also covers RADIUS fallback category (RADIUS falls back to system-defaults or to LUDB).
IPv6
subscriber-management routes obtained from LUDB through the ipv6-address (IA_NA) or ipv6-prefix (IA_PD). This is supported only for IPoE.
Overall, the following new route attribute is added:
state: srrp-master, srrp-non-master
The existing origin attribute is expanded to contain the following values:
origin: aaa, dynamic, static
These two attribute types are applied in the following fashion:
The state attribute is applied to all three route types: subscriber interface routes, managed routes and subscriber management routes. Each route listens to the SRRP state.
If an attribute is defined in the routing policy as a match condition (from statement) but the route itself does not have this attribute, the route is evaluated into a non-match condition.
The origin attribute is always applied only to subscriber management routes. No additional statement is needed to explicitly apply this attribute as it may be the case for the state attribute.
Every time there is a change in the attribute associated with the route, the route is re-evaluated in the RTM by the routing policy and corresponding action is taken.
Optimized routing and elimination of downstream shunt traffic during normal operation can be achieved by statically favoring the routes on the network side that are advertised with an increased metric by Master SRRP nodes.
The downside of this static approach is that during the port or card failure and consequently a SRRP switchover, the node with the failed port or card continues to advertise routes with the same high metric if the subscriber interface is in the ‘UP’ state (or a single SAP under it). That is, the network side is not aware of the switchover. It continues to forward traffic to the standby node, and as a result, heavy shunt traffic ensues. To effectively deal with this, the network side must be aware of the routing change that occurred in the access layer.
When failure is detected, the metric for the route is changed automatically based on the following configuration:
This configuration ensures that the route metric is changed for the subscriber interface routes based on the SRRP state while the other, non-subscriber directly attached routes are unaffected by SRRP.
The Route Advertisement based on SRRP State requirement is applicable to BGP (IPv4, IPv4-IP-VPN) and IGP.
The routing policy also provides the flexibility to prevent route advertisement (action reject) instead of changing the route metric.
Although this feature is designed to minimize or eliminate the use of the redundant-interface, it is important to note that the redundant-interfaces would still be used in the case of transient conditions. An example of such condition would be:
Only the state attribute is applicable to managed routes, and only to the ones that are synchronized (static and RADIUS obtained – framed-route and framed-ipv6-route). The managed routes obtained by BGP are not synchronized and this feature is not applicable to them.
Based on the SRRP state, the managed route can be either advertised with a modified metric or be withdrawn altogether.
For example:
Managed routes that are tracking SRRP state are only advertised from the Master node and denied from Backup node. All other managed routes that are not tracking SRRP state are advertised regardless of the SRRP state.
Both attributes (state and origin) are applicable to the subscriber management routes.
For Example:
A Service Provider wants to advertise only subscriber-management routes with the origin dynamic and AAA from the Master node. Routes with the LUDB origin are not advertised. Standby node is not advertising any /32 subscriber management routes.
Default action is reject.
The SRRP state tracking by routes is turned on only when desired.
For subscriber-interface routes (IPv4 and IPv6), this is performed explicitly.
For managed and subscriber management routes, this is explicitly enabled under the group interface:
In certain cases, subscriber traffic is terminated on the BNG by an Epipe. In this case, the subscriber traffic can be offloaded onto a plain Ethernet port by a VSM module (a ‘loop’) so that it can be terminated in ESM. Epipes can be configured in A/S configuration and terminated on two BNG nodes in multihomed environment.
In such multi-homed environment with Epipes and ‘loops’, the ESM itself would be detached from the Epipe, which brings the subscriber traffic to the BNG. Because of that, the ESM would not know if the PW’s state is Active or Standby. As a result, in the downstream direction, traffic could end up being forwarded towards the Standby PW, effectively being black-holed.
To overcome this, SRRP can be used in conjunction with an additional mechanism to help monitor the activity of the PWs. This monitoring mechanism is very similar to Fate-sharing. The difference in this case is that the messaging SAP (instead of SRRP instance) is monitoring the activity of the PW. As a result, the SRRP messaging SAP reflects the state of the PW. For example, the PW in a Standby mode would cause the messaging SAP to be in the DOWN state while the PW Active state would cause the messaging SAP to be in the UP state. That is, the SRRP instance reflects the operational state of the messaging SAP. SRRP is indirectly tied into PW state.
Modifying the priority of SRRP instance based on PW’s state as a mean of mapping the Master SRRP into the Active PW would not help here as SRRP messages are not flowing over standby PWs. This is why SRRP state must be enforced by the messaging SAP.
Fate-sharing for PW termination in conjunction with SRRP is not supported.
Metric adjustment for the subscriber routes is supported. Once the tracked SRRP instance transitions into a non-Master state, the state attribute of the route changes and the appropriate action defined in the routing policy is taken.
The failure detection mechanism to trigger an action within FSG relies on the operational state of the messaging SAP. Such failure detection mechanism is referred as a group monitor.
Group monitor can also be used to detect the state change of the PW. PW state change is reflected in the messaging SAP which in turn triggers the state change of an SRRP instance.
All this is implemented through an oper-group object which is described in the 7450 ESS, 7750 SR, 7950 XRS, and VSR Layer 3 Services Guide: IES and VPRN. All entities that needs to be monitored (messaging SAPs and PWs) are associated with this oper-group object. Finally, an SRRP instance (in case of FSG) or a messaging SAP (in case of PW) is instructed to monitor the entities in the oper-group object. State transitions of objects in a oper-group object trigger state transitions of entities that are monitoring them (messaging SAPs and SRRP instances). State transitions of monitored objects in a oper-group cause the following actions:
This is an overview of the CLI syntax showing the principles of how this should work (for exact description of commands and full syntax, see the command reference section):
A hold timer is provided within the oper-group command to suppress flapping of the monitored object (SAP or pseudowire).
Figure 120 shows an example with ESM over pseudowire through a VSM loop.
Subscriber QoS overrides enable per-subscriber and per-SLA Profile Instance QoS parameter customization to reduce the amount of sub-profiles and sla-profiles that must be configured on the router to cover all needed service level combinations.
Subscriber QoS overrides can be installed at subscriber host or session creation:
Note: To use the APN-Aggregate-Max-Bitrate-DL and APN-Aggregate-Max-Bitrate-UL AVPs for QoS overrides, a corresponding 3gpp-qos-mapping must be configured in the DIAMETER Gx application policy: >config>subscr-mgmt>diam-appl-plcy>gx>3gpp-qos-mapping> [no] apn-ambr-dl - Configure the APN-AMBR mapping for the downlink [no] apn-ambr-ul - Configure the APN-AMBR mapping for the uplink |
Subscriber QoS overrides can be installed, updated or removed in a mid-session change with a RADIUS CoA, a DIAMETER Gx RAR or a DIAMETER Gx CCA message using the same attributes as for a subscriber host or session creation.
Subscriber QoS overrides can also be activated using subscriber services. See QoS Override-Based Subscriber Service for details.
The format of the [26.6527.126] Alc-Subscriber-QoS-Override VSA is described in the 7750 SR and VSR RADIUS Attributes Reference Guide.
The format of QoS Overrides AVP's in the 3GPP-1016 QoS-Information AVP are described in the 7750 SR Gx AVPs Reference Guide.
The following SLA Profile Instance QoS parameters can be overridden:
The following subscriber QoS parameters can be overridden:
The operational value of some of the QoS parameters can be derived from different sources.
For queue and policer QoS parameters, the following hierarchy applies (highest priority is listed first):
For scheduler and arbiter overrides, the following hierarchy applies:
Up to 18 QoS overrides can be installed per subscriber host or session. A new set of QoS overrides received using a mid-session change replaces the previous set of QoS overrides.
QoS overrides are always stored as part of the subscriber host or session data but are only applied when the override is valid in the active QoS configuration. For example:
RADIUS or DIAMETER Gx initiated QoS overrides can be displayed with the following show commands:
Subscriber services initiated QoS overrides can be displayed with:
The active QoS overrides per-subscriber and per-SLA Profile Instance can be displayed with:
The number of allocated and free Subscriber SLA Profile Instance QoS overrides, QoS Intermediate Arbiter Overrides and QoS User Scheduler Overrides per-line card can be monitored with the tools dump resource-usage card CLI command.
Subscriber QoS overrides are synchronized through MCS in a dual-homing environment. QoS overrides are not stored in the subscriber-mgmt application persistence file.
The DS-Lite feature is supported on the 7710 SR-Series in combination with the MS-ISA to function as a DS-Lite Address Family Transition Router (AFTR).
DS-Lite is an IPv6 transition technique that allows tunneling of IPv4 traffic across an IPv6-only network. Dual-stack IPv6 transition strategies allow service providers to offer IPv4 and IPv6 services and save on OPEX by allowing the use of a single IPv6 access network instead of running concurrent IPv6 and IPv4 access networks. DS-Lite has two components: the client in the customer network, known as the Basic Bridging BroadBand element (B4) and an Address Family Transition Router (AFTR) deployed in the service provider network.
DS-Lite leverages a network address and port translation (NAPT) function in the service-provider AFTR element to translate traffic tunneled from the private addresses in the home network into public addresses maintained by the service provider. On the 7750 SR, this is facilitated through the Carrier Grade NAT function.
As shown in Figure 121, DS-Lite has two components, a softwire initiator in the RG and a softwire concentrator, deployed in the service provider network, where control-less IP-in-IP (using protocol 4 - IPv4 in IPv6) is used for tunneling. When using control-less protocol, packets are sent on the wire for the remote softwire endpoint without prior setup of a tunnel.
The softwire initiator in the home network is combined with a routing function, where the default route is passed to the softwire pseudo-interface. Note that there is no NAT function, therefor, the private IP addresses of the home network are encapsulated without source address modification, and forwarded to the softwire concentrator where all NAT is performed. The softwire pseudo-interface unicasts all IPv4 traffic to the IPv6 address of the softwire concentrator, which was pre-configured.
When encapsulated traffic reaches the softwire concentrator, the device treats the source-IP of the tunnel to represent a unique subscriber. The softwire concentrator performs IPv4 network address and port translation on the embedded packet by re-using Large Scale NAT and L2-Aware NAT concepts.
As shown in Figure 122, IP-in-IP uses IP protocol 4 (IPv4) to encapsulate IPv4 traffic from the home network across an IPv6 access network. The IPv4 traffic tunneling is treated as best-effort with no subscriber management or policy, and does not use ESM. The scale is dependent only on the internal structures of the MS-ISA and CPM, that is, the IP-in-IP model can support more subscribers than an ESM-based approach.
DS-Lite IP-in-IP is configured through the existing nat command that is inside the CLI statements that are within the base router or VPRN. A service performing large scale NAT supports DS-Lite.
DS-Lite expects a routing (non-NATing) gateway in the home, where many different IPv4 inside addresses exist for each subscriber. These inside addresses may overlap other subscriber’s address, especially given the heavy use of RFC 1918 address space.
The lack of control of protocol for the IP-in-IP tunnels simplifies the functional model, since any received IPv4 packet to the ISA DS-Lite address can simply be:
Note that the inside IP address in the NAT, tables must not be the IPv6 address of the tunnel, but the true IPv4 address of any host within the home. The subscriber-id must be the literal IPv6 address (appreciating this may be 34 characters in length).
DS-Lite is configured on an inside service and uses the existing Large Scale NAT policies and outside pools. DS-Lite and NAT44 Large Scale NAT can operate concurrently on the same inside and outside services.
DS-Lite is configured with the following CLI:
In this mode, L2TP provides the transport for IPv4 that allows full ESM capabilities on the 7750 SR. From the node’s perspective, the L2TP tunnel is no different in capability to those already supported. Only the underlying transport (IPv6 instead of IPv4) distinguishes this approach.
To support legacy IPv4 access, L2TP over IPv6 is combined with the existing L2-Aware NAT feature as shown in Figure 123.
As ESM is used, scale is limited by the number of ESM hosts supported on a chassis and any associated resources like queues.
L2TP LNS over IPv6 is supported in both the base routing instance and VPRN that has 6VPE configured.
Like the LNS implementation, tunnels are terminated on any routing interface, including loopback, SAP, or network port. A single interface simultaneously supports IPv4 and IPv6 L2TP tunnel termination by having two different addresses configured.
For greater scalability, L2TP tunnel and session count per chassis are increased to allow 1 tunnel per session.
NAT capabilities are supported by existing L2-Aware NAT methods. Note that the L2TP LNS over IPv6 may be used without NAT as well and the L2TP sessions may be either IPv6-only or dual-stack.
Call trace is an enhanced debugging feature that allows control plane messages for a single session to be monitored. When call trace is enabled, all protocols related to this session are captured. Operators can use this information to easily debug entire problematic sessions instead of debugging and verifying separate protocols such as DHCP, ARP, or RADIUS.
Call trace also logs some events that are not directly associated to a protocol, such as LUDB access.
Call trace can present the captured packets for further processing in one of the following ways:
Generated traces contain the original packets, encapsulated in a custom header that contains metadata. To decode the metadata and extract the packet, a Nokia-specific Wireshark plug-in is required. Contact the Nokia Technical Assistance Center (TAC) for information.
In general, call trace does not include packets that are common between sessions. Where it is necessary to indicate failure or progress, an event is generated. This is done to guarantee consistency between session traces, independent of timing or session setup order. For example, for PPPoE LAC sessions, L2TP tunnel setup messages are not reflected in call trace, but an event is generated to indicate whether an L2TP tunnel was set up successfully. Subsequent L2TP session setup messages are traced in context of the PPPoE LAC session.
When storing call trace results on a compact flash, files are not automatically synchronized to the standby CPM.
Call trace distinguishes between traces and trace jobs. A trace consists of a set of matching criteria and additional parameters such as a trace profile and a name. Each session that matches a trace creates a trace job if system resources are available. Trace jobs can either be stopped individually or by removing the original trace. By default, existing sessions do not create a trace job when a new trace is enabled; this functionality must be explicitly enabled.
When L2TP tunnel accounting is enabled, except for host or sla-profile-based accounting packets and attributes, the following are additional accounting packets and attributes:
These attributes were added into current account-start/stop/interim-update packets (host accounting/sla-profile accounting).
Tunnel level accounting and session level accounting can be enabled or disabled independently.
New accounting packets and related RADIUS attribute list are described in Table 27.
Some considerations of RADIUS attributes are described in RADIUS Attributes Value Considerations.
Table 27 describes L2TP tunnel accounting behavior along with some key RADIUS attributes (apply for both LAC and LNS):
Act-Packet | When | Key Attributes | Remark |
Tunnel-Start | A new L2TP tunnel is created | Acct-Session-ID | — |
Event-Timestamp | — | ||
Tunnel-Type:0 | — | ||
Tunnel-Medium-Type:0 | — | ||
Tunnel-Assignment-Id:0 | — | ||
Tunnel-Client-Endpoint:0 | — | ||
Tunnel-Client-Auth-Id:0 | — | ||
Tunnel-Server-Endpoint:0 | — | ||
Tunnel-Server-Auth-Id:0 | — | ||
Tunnel-Reject | A new L2TP tunnel creation failed | Acct-Session-Id | — |
Event-Timestamp | — | ||
Tunnel-Type:0 | — | ||
Tunnel-Medium-Type:0 | — | ||
Tunnel-Assignment-Id:0 | — | ||
Tunnel-Client-Endpoint:0 | — | ||
Tunnel-Client-Auth-Id:0 | — | ||
Tunnel-Server-Endpoint:0 | — | ||
Acct-Terminate-Cause | — | ||
Tunnel-Stop | An established L2TP tunnel is removed | Acct-Session-Id | — |
Event-Timestamp | — | ||
Tunnel-Type:0 | — | ||
Tunnel-Medium-Type:0 | — | ||
Tunnel-Assignment-Id:0 | — | ||
Tunnel-Client-Endpoint:0 | — | ||
Tunnel-Client-Auth-Id:0 | — | ||
Tunnel-Server-Endpoint:0 | — | ||
Tunnel-Server-Auth-Id:0 | — | ||
Acct-Session-Time | — | ||
Acct-Input-Gigawords | — | ||
Acct-Input-Octets | — | ||
Acct-Output-Gigawords | — | ||
Acct-Output-Octets | — | ||
Acct-Input-Packets | — | ||
Acct-Output-Packets | — | ||
Acct-Terminate-Cause | — | ||
Tunnel-Link-Start | An L2TP session is created | User-Name | — |
Acct-Session-Id | This is the same as Acct-Session-id in access-request of host auth | ||
Event-Timestamp | — | ||
Service-Type | Framed | ||
Class | — | ||
Tunnel-Type:0 | — | ||
Tunnel-Medium-Type:0 | — | ||
Tunnel-Assignment-Id:0 | — | ||
Tunnel-Client-Endpoint:0 | — | ||
Tunnel-Client-Auth-Id:0 | — | ||
Tunnel-Server-Endpoint:0 | — | ||
Tunnel-Server-Auth-Id:0 | — | ||
Acct-Tunnel-Connection | |||
Tunnel-Link-Reject | A new L2TP session creation is failed | Acct-Session-Id | Should be as same as Acct-Session-id in access-request of host auth |
Event-Timestamp | — | ||
Tunnel-Type:0 | — | ||
Tunnel-Medium-Type:0 | — | ||
Tunnel-Assignment-Id:0 | — | ||
Tunnel-Client-Endpoint:0 | — | ||
Tunnel-Client-Auth-Id:0 | — | ||
Tunnel-Server-Endpoint:0 | — | ||
Acct-Terminate-Cause | — | ||
Acct-Tunnel-Connection | — | ||
Tunnel-Link-Stop
| A established L2TP session is removed | User-Name | — |
Acct-Session-Id | Should be as same as Acct-Session-id in access-request of host auth | ||
Event-Timestamp | — | ||
Service-Type | Framed | ||
Class | — | ||
Tunnel-Type:0 | — | ||
Tunnel-Medium-Type:0 | — | ||
Tunnel-Assignment-Id:0 | — | ||
Tunnel-Client-Endpoint:0 | — | ||
Tunnel-Client-Auth-Id:0 | — | ||
Tunnel-Server-Endpoint:0 | — | ||
Tunnel-Server-Auth-Id:0 | — | ||
Acct-Tunnel-Connection | — | ||
Acct-Session-Time | — | ||
Acct-Input-Gigawords | — | ||
Acct-Input-Octets | — | ||
Acct-Output-Gigawords | — | ||
Acct-Output-Octets | — | ||
Acct-Input-Packets | — | ||
Acct-Output-Packets | — | ||
Acct-Tunnel-Packets-Lost | — | ||
Acct-Terminate-Cause | — |
Notes:
Table 28 lists the optional attributes that could be optionally included in tunnel accounting packet, some of them are applied for link level accounting only.
Attribute | Tunnel/Link |
nas-identifier | Both |
nas-port | Link level only |
nas-port-id | Link level only |
nas-port-type | Link level only |
To support pure RADIUS-enabled L2TP tunnel accounting on LAC side, the following RADIUS VSA are supported:
VSA | Type | Value |
Alc-Tunnel-Acct-Policy | String | Policy-name; if the name is disable then this means L2TP tunnel accounting is disabled for this tunnel |
The Alc-Tunnel-Acct-Policy takes precedence over what is defined in CLI when Alc-Tunnel-Group is also returned.
With MLPPP, the counter on LNS side is only available for the bundle, not for each link, so the SR OS’s behavior is:
The RADIUS route download mechanism periodically polls a RADIUS server for routes to download. The main objective of this feature is to download, in advance, customer-assigned subnets so that they can be re-advertised to the corresponding routing protocols. In this way, subscriber bring up can potentially be done faster (as the routes are already in place and advertised) and, most importantly, reduce the routing protocol churn as subscribers connect and disconnect. The routes being learned through this mechanism could be both managed routes/delegated prefixes as well as the WAN IP assigned to the subscriber in the case PPPoE and un-numbered interfaces are being used.
The route download process requests the routes to a configured RADIUS server by triggering an access-request message. The key identifier for this message is the username, which is a combination of the system’s name (or an optionally configured value), appended by a dash ( “-”) and then a monotonically increasing integer. The download process sends an access request starting with 1 (such as “hostname-1”) and the RADIUS server replies with an access-accept message and a number of routes embedded within the message. The system then increases the counter and sends another access request (this time being hostname-2) and receive a reply with the next batch of routes to download. The process continues, incrementing the counter by 1 each time until the system gets an access-reject or the maximum number of routes that can be downloaded is reached.
The routes to be accepted are in the following format:
[vrf {vprn-name | vprn-service-id}] prefix-mask {null0 | null 0 | black-hole} [metric] [tag tag-value]
The prefix-mask could be in any form as ‘prefix/length’, ‘prefix mask’ or ‘prefix’ (in the latter case, for IPv4 routes, the mask shall be derived from the IP class of the prefix).
The route formats are supported:
IPv6 routes are also supported. The format is based on using the IETF-defined IPv6 Framed-IPv6-Route (attribute 99). The following text shows the supported formats.
All the routes downloaded are a new protocol type “periodic”. The download process re-starts the AAA requests after a given interval (a configurable value but target refresh rate is 15 minutes) and routes shall be updated according to the following process:
Subscriber sessions are created on a subscriber SAP. For a shared VLAN deployment model, these SAPs are usually statically configured as the limited number of VLANs are known. For a VLAN per-subscriber deployment model, it is advantageous that the subscriber SAPs are automatically created and deleted when subscriber sessions connect or disconnect. These are called Managed SAPs (MSAPs).
The reception of a valid trigger packet on a capture SAP initiates a RADIUS, DIAMETER, or local user database authentication to provide the service context where the MSAP should be created. The VLAN of the created MSAP is the same as the authenticated trigger packet. An MSAP functions like a regular SAP but its configuration is not user editable and not maintained in the configuration file. By default, an MSAP is deleted from the system when the last subscriber session active on the MSAP disconnects.
The following trigger types are supported on a capture SAP:
Multiple trigger types can be enabled on a single capture SAP. The data and arp trigger types are mutually exclusive.
A capture SAP is created in a VPLS service by specifying the capture-sap parameter. A capture SAP does not forward traffic but captures received trigger packets for authentication. Similar to a default SAP, at least one of the qtags of a capture SAP must be a wildcard *, meaning any tag value. See the following example configuration.
A capture SAP and default SAP cannot be configured simultaneously on a dot1q- encapsulated port. A capture SAP and default SAP cannot be configured simultaneously on a qinq-encapsulated port when the outer tag is the same.
A SAP lookup based on the outer and inner tags is performed when a packet is received on a port. When no corresponding SAP or MSAP is found, the packet is handled by the capture SAP, meaning that the trigger packets are sent to the CPM and all other packets are dropped.
An ingress VLAN ID (VID) type mac filter can be configured on a capture SAP to have additional control on the VLANs that are allowed to initiate a host setup. Other filter types are not supported on a capture SAP.
For a capture SAP on a dot1q encapsulated port:
For a capture SAP on a qinq-encapsulated port:
To enable the creation of single-tagged and double-tagged MSAPs by a qinq encapsulated capture SAP, enable the allow-dot1q-msap command in the capture SAP context:
In addition, the new-qinq-untagged-sap command should be configured for scenarios as explained previously:
Be aware that enabling the new-qinq-untagged-sap command affects the behavior of existing <port-id>:tag1.0 SAPs.
Valid single-tagged trigger packets result in the creation of a <port-id>:tag.0 MSAP. With the encap-tag-range matching in a local user database, it is possible to specify different MSAP defaults for single or double tagged MSAPs. For example:
A set of mandatory parameters must be provisioned for MSAP creation:
MSAP parameters can be obtained from multiple sources with the following order of preference:
The local user database should be configured at the capture SAP and group interface context. For example:
When RADIUS or DIAMETER authentication is also required after local user database authentication, then the authentication policy must be specified in the local user database. In this case, no authentication policy can be configured at the group-interface context. For example:
The MSAP parameters are configured at the local user database host context. For example:
When RADIUS or DIAMETER authentication is required to return the MSAP parameters without prior local user database authentication, then the authentication policy should be configured at the capture SAP context. In a Bridged CO model, the authentication policy specified in the capture SAP is also used for the MSAP in the VPLS service. In a Routed CO model, the same authentication policy must also be configured at the group-interface context. For example:
The MSAP is not created if the group interface name returned from RADIUS or DIAMETER has a different authentication policy than the authentication policy configured at the capture SAP.
Table 30 lists the RADIUS attributes (VSAs) and DIAMETER AVPs required to obtain MSAP parameters in the authentication phase.
Attribute Name | Type | Purpose and Format |
Alc-MSAP-Serv-Id [26-6527-31] | Integer | The service ID of the service context in which the MSAP is created. |
Alc-MSAP-Policy [26-6527-32] | String | The name of the policy that defines the MSAP parameters. |
Alc-MSAP-Interface [26-6527-33] | String | The name of the group interface context in which the MSAP is created. |
MSAP parameters that are not obtained from a local user database lookup, and that are not returned from RADIUS or DIAMETER can be specified in the msap-defaults section of the capture SAP context (this is a last resort scenario):
MSAPs can be created in IES or VPRN group interfaces (Routed CO model) and in a VPLS service (Bridged CO model).
An MSAP is persistent when subscriber-mgmt persistence is enabled. The MSAP parameters are part of the subscriber record.
If local user database, RADIUS, or DIAMETER authentication did not provide all the required information to create the subscriber host or session (no IP address for example), then the MSAP is created with a short timer while waiting for the host to acquire the missing information. If no host is instantiated when the timer expires, the MSAP is deleted.
Multiple subscribers, subscriber hosts or sessions can share a single MSAP. The MSAP is created with the first instantiated subscriber host or session and deleted when the last associated subscriber host or session is removed from the system. Note that only a single MSAP policy can be specified for a given MSAP. An attempt to change the MSAP policy by a new subscriber host or session for an existing MSAP results in a host or session setup failure.
MSAPs can be created in a wholesale VPRN service while the corresponding subscriber host or session is terminated in a retail VPRN or IES service. Both wholesale MSAP parameters (service, group interface, and policy) and the retail service ID must be provided during authentication.
MSAPs are always used in combination with subscriber management. Subscriber traffic QoS models are defined in policies associated with the sla-profile and sub-profile and result in the instantiation of subscriber queues and policers used for subscriber traffic forwarding. The default QoS policies associated with MSAPs instantiate a single ingress and a single egress queue per MSAP for IES and VPRN services. For VPLS services, an additional ingress multi-point queue is instantiated per MSAP.
These MSAP queues have limited use and can be suppressed in most cases. For single-subscriber MSAPs, the MSAP queues can be suppressed with the sub-sla-mgmt single-sub-parameters profiled-traffic-only CLI command.
The default QoS policy associated with MSAPs may need to be changed to accommodate different scenarios. For example:
The QoS policies associated with an MSAP are configured in the MSAP policy.
After a subscriber session ends, the MSAP is removed from the system and the historical data of the subscriber is deleted. Sticky MSAP allows the MSAP to remain even when the subscriber session ends. This feature is only recommended for service providers who do not oversubscribe MSAPs in the network.
Sticky MSAP provides the following benefits.
The MSAP is only be eligible for stickiness if it was successfully created. The sticky MSAP introduces a new state: idle. An idle MSAP indicates that the subscriber on the MSAP has disconnected and the MSAP is ready for a new subscriber connection. An example is shown below:
There are two ways to remove sticky MSAPs from the system:
The clear service id id msap command removes MSAPs.
Note:
|
Providers migrating from Basic Subscriber Management (BSM) can assign a subscriber to a SAP. The SAP ID ESM identifier makes the transition easier by allowing the operator to continue using the sap-id as a subscriber-ID.
An ESM SAP ID provides the system the ability to:
A DSLAM ID provides the system the ability to define a DSLAM-ID string provided through the Python script, RADIUS, or local user database. If the DSLAM-ID was provided, but the subscriber host is instantiated on a regular MDA, the DSLAM-ID is ignored.
The ability to aggregate subscribers into DSLAMs for the purpose of QoS, can use the SAP ID to identify subscribers and associated DSLAMs.
This feature provides a default subscriber definition under the SAP. If the object was configured the operator may use ESM without enabling a processing script or a RADIUS authentication policy. In the event both have been disabled any host that was installed for the SAP is installed with the configured default subscriber ID. If a RADIUS policy was used or if a script was enabled but a subscriber ID was not returned the default subscriber ID is used.
This section describes mirroring based on a subscriber match. Enhanced subscriber management provides the mechanism to associate subscriber hosts with queuing and filtering resources in a shared SAP environment. Mirroring used in subscriber aggregation networks for lawful intercept and debugging is required. With this feature, the mirroring capability allows the match criteria to include a subscriber-id.
Subscriber mirroring provides the ability to create a mirror source with subscriber information as match criteria. Specific subscriber packets can be mirrored mirror when using ESM with a shared SAP without prior knowledge of their IP or MAC addresses and without concern that they may change. The subscriber mirroring decision is more specific than a SAP. If a SAP (or port) is placed in a mirror and a subscriber host of which a mirror was configured is mirrored on that SAP, packets matching the subscriber host are mirrored to the subscriber mirror destination.
The mirroring configuration can be limited to specific forwarding classes used by the subscriber. When a forwarding class (FC) map is placed on the mirror only packets that match the specified FCs are mirrored. A subscriber can be referenced in maximum 2 different mirror-destinations: 1 for ingress and 1 for egress.
The multicast-management CLI node contains the bandwidth-policy and multicast-info-policy definitions. The bandwidth-policy is used to manage the ingress multicast paths into the switch fabric. The multicast-info-policy is used to define how each multicast channel is handled by the system. The policy may be used by the ingress multicast bandwidth manager, the ECMP path manager and the egress multicast CAC manager.
Volume and time-based accounting includes the following components:
Metering represents the core of time and volume-based accounting. Service usage is typically measured by performing an accounting of the traffic passing through corresponding subscriber-host queues (volume usage) or by keeping lease-state while the given subscriber-host is connected to the network (time usage).
This feature introduces a new object category-map which defines individual aggregates (such as data in and out, video and data, and so on) and their mapping to individual forwarding queues.
The following output depicts a category-map configured in the subscriber management context.
Based on a category-map the system gathers usage information (volume/time) on a per-sla-instance-per-category basis. To do so, statistics of all queues and/or policers forming the category of the given sla-instance are aggregated.
The per-category usage gathered as described above is compared with per-subscriber-host-per-category credit and when credit is exhausted several actions can be taken.
There are several category-maps pre-configured on the system. The category-map applicable to a given subscriber-host is derived at the host creation from the RADIUS VSA in an authentication-response, Python script, or static configuration in the local-user-database. All subscriber-hosts belonging to the same subscriber and created on the same SAP (hence, sharing the same sla-instance) must use the same category-map. In case of conflict, (an existing subscriber host has a different category-map than the one derived for the new host) the category-map of the last host is applied to a given sla-instance. As a consequence, all previous information related to the status of the credit is lost.
There can be multiple queues and/or policers aggregated into one category. There can be up to sixteen categories in a category map.
There are two types of quota (credit), volume and time. In volume usage monitoring, the system accumulates byte counters per category-sla-instance and compares it with the assigned quota. Once the credit is exhausted (or threshold for renewal is met) the system attempts to renew it with corresponding management system.
In time-based credit, the distinction between active-usage and active-connection is made by defining an activity-threshold, where an object defines an average data rate under which the subscriber-host is considered silent.
If the effective rate of the application usage does not exceed the rate defined by the activity-threshold, the given subscriber host is considered silent and its corresponding credit is not used. If the application usage exceeds the rate, the application-credit is consumed (in terms of time).
The minimum credit control quota values are one second for time quota and one byte for volume quota. These minimum values are not realistic deployment values for multiple reasons such as effective sampling periods, statistics processing time, RADIUS message load, subscriber scale, and so on.
For typical deployment scenarios it is not recommended to implement Credit Control quota values smaller than 60 seconds for time quota and for volume quota the volume that can be consumed in 60 seconds for that category (function of number of queues/policers monitored and their respective rates).
The quota in the RADIUS VSA Credit-Control-Quota uses this fixed format:
Alc-Credit-Control-Quota = “<volume quota>|<time quota>|<category name>”
Both volume and time quota should be specified in the attribute but only one credit type (volume or time) is applied per category. The credit-type of a category is configured in the category-map CLI context.
For example, use Alc-Credit-Control-Quota = “0|1h30m|cat1” to grant time quota and Alc-Credit-Control-Quota = “1G|0|cat2” to grant volume quota.
The per-subscriber per-category credit can be obtained by several ways:
Credit can be expressed by either
The renewal of the credit using RADIUS authentication is triggered by credit exhaustion or (if configured) by depletion of the credit to exhausted-credit-threshold level. If this occurs, the system sends a RADIUS authentication message indicating the corresponding category and usage. The following are several possibilities for the RADIUS server response (as shown in Figure 126):
To identify that the given RADIUS-auth request is related to credit renewal rather than to plain authentication, the node includes empty credit VSAs, depending on categories which has been exhausted. The RADIUS server can identify which category has requested credit renewal.
System supports configurable actions once the credit for given subscriber is exhausted:
During credit negotiation, the number of errors can occur which can lead to a given subscriber-host category with no new credit renewed. This is different from credit exhaustion where a separate configurable action is taken. The following occurs:
Volume and time-based accounting are applicable to the ESM mode of operation only. Using credit control concept is not mutually exclusive with other accounting methods. In many network implementations the more traditional accounting methods such as XML file or RADIUS accounting is still used in a combination with the credit concept but with larger intervals. This is helpful when providing overviews of the average usage and service utilization.
An idle timeout is the maximum time that a subscriber session can be idle before the session is terminated or a connectivity check is started. Idle timeout applies to PPPoE and IPoE hosts.
The time/volume based accounting model is used to configure an idle timeout:
The following in an example of a category map configuration:
In the sla-profile, associate the category-map and optionally define
Attribute ID | Attribute name | Type | Limits | Purpose and Format |
28 | Idle-Timeout | integer | 60 to 15552000 seconds | 0 = infinite (no idle-timeout) 60 to 15552000, in seconds For example: Idle-Timeout = 3600 |
Example
At host instantiation, a timer is initialized to the idle-timeout value (one timer per sla-profile instance). Each queue or policer in the category is monitored for activity over a fixed polling interval:
When the timer becomes zero, the idle-timeout-action is performed for all hosts associated with the SLA-profile-instance (all hosts from a subscriber on a single sap and that share the same sla-profile).
A captive portal service can be created with an HTTP redirect action in an IP filter. The customer’s request to the intended recipient is blocked and the customer is forced to connect to the service’s portal server. Refer to HTTP-redirect (Captive Portal) in the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide for details.
With this feature enabled, after an ESM host is created, only the FIRST HTTP request from the host is redirected to a configured URL with specified parameters. Subsequent HTTP requests go through without being redirected.
This feature could be used by service providers to push a web-page to broadband users for purpose of advertisement, announcements, and such.
A one-time-http-redirection filter could be configured in sla-profile, this filter is replaced by an ingress filter in sla-profile after the first HTTP request is redirected. There is also a RADIUS VSA (Alc-Onetime-Http-Redirection-Filter-Id) that could be included in access-accept or CoA request to override CLI configuration. The format of Alc-Onetime-Http-Redirection-Filter-Id is:
Ingr-v4:filter-id; for example, Ingr-v4:1000. If the filter-id is 0, then the system replaces the current one-time-http-redirection filter with ingress filter.
In case of CoA, if the host’s one-time-http-filter has already been replaced then system ignores the Alc-Onetime-Http-Redirection-Filter-Id.
If a 7750 SR receives filter insertion by CoA or access-accept when one-time-http-redirection filter is still active, then the received filter entries are only applied to the ingress filter. And after first HTTP redirection, the updated ingress filter replaces the one-time-http-redirection filter.
This feature only supports IPv4 filters.
The Web Authentication Protocol (WPP) is a protocol running between a BNG and a Web portal server. WPP is used for web portal authentication of WLAN users (DHCP Host). It can function like a web portal that can trigger BNG to perform RADIUS authentication for WLAN users, or send user disconnection notification to BNG.
The Figure 127 illustrates high level of call flow of WPP authentication.
The following describes WPP authentication call flow:
A minimal WPP configurations must include the following:
The following is an example configuration:
In some cases, a 7750 SR can sit behind a Layer 3 device (such as an CMTS), where the router does not participate in client’s DHCP process. Such a use case is different from a normal WPP use case where the routers rely on getting client’s DHCP request to create an initial ESM host.
This feature allows the system to create an ESM host upon successful WPP authentication without creating an initial host.
In the above use case (behind a Layer 3 device) the user also needs to configure one or more default hosts on the SAP to allow HTTP redirection without an ESM host. The default-host subnet is the user’s source subnet and the next hop address is the Layer 3 device’s interface address that connect to the SAP. Users also need to configure the lease-populate l2-header command in the grp-if>dhcp context to make HTTP redirection with default-host work. The grp-if>dhcp context could be shut down in the meantime.
This feature does not work with wholesale/retail.
The SR OS supports LUDB lookup for WPP authentication. Users can optionally configure LUDB using the grp-if>wpp context to return the WPP-related configuration attributes (such as a portal name, initial-sla-profile, initial-sub-profile, and so on) for an IPoE host. The system can access LUDB when creating the initial host before WPP authentication. The LUDB returned attribute overrides the corresponding configuration under the group-interface context.
A LUDB lookup is performed by the system in the following cases.
If the WPP LUDB lookup returns an authentication policy, it is used for WPP RADIUS authentication. When WPP LUDB is configured, the authentication policy on group-interface is optional and only used by the WPP if there is no authentication policy returned from the WPP LUDB lookup.
The SR OS supports multi-chassis redundancy to WPP. This can be achieved by doing following:
A WPP portal group allows users to configure up to eight WPP portals in a portal group. The system can receive portal-initiated WPP request packets from any configured portal in the portal group. When the system must initiate a WPP NTF_LOGOUT message, it sends a NTF_LOGOUT message to all configured portals in the portal group, and the first received ACK_LOGOUT stops retransmission of the NTF_LOGOUT message.
A WPP portal group can be used to achieve WPP portal redundancy:
This feature is also supported for WPP triggered hosts and SRRP/MCS.
WPP support for IPv6 includes the following:
This feature allows IPoE and PPPoE (terminated or L2TP tunneled) subscriber sessions to be backhauled through an Ethernet aggregation network using MPLS pseudowires terminating directly on the BNG. The MPLS pseudowire originates from the first hop aggregation PE (referred to as access PE) upstream of the Access-Node (or directly from a multi-service AN), and terminates on the BNG. Multiple subscriber sessions from a given access-port on the Access-PE can be backhauled over a single P2P MPLS pseudowire towards the BNG. This capability allows the network to scale and does not require a MPLS pseudowire per subscriber between Access-PE and the BNG. The access-port on the Access-PE can be dot1q, q-in-q, or NULL encapsulated. The BNG terminates the MPLS pseudowire, decapsulates the received frames, and provides ESM functions including HQoS, without requiring an internal or external loopback. Each MPLS pseudowire is represented on the BNG as a “PW port” for which SAPs are created. A PW port can be configured with capture SAP. Both static and managed SAPs are supported. The underlying Ethernet port is required to be in hybrid mode. The feature set is supported for FP3 and later. This feature is supported on the 7750 SR and 7450 ESS.
The subscriber frame encapsulated within the pseudowire is shown in Figure 130. Optional control word is not supported. The SDP could be LDP, RSVP or LDP over RSVP. Hash labels are not supported. SDP is bound to a port or a LAG. In case the SDP is re-routed, the corresponding PW ports are operationally brought down. The PW ports are associated with the SDP by configuration.
In BNG deployments, PWs are typically terminated on PW ports where payload is extracted and processed by ESM on PW-SAPs. There are two modes of operation for PW ports in SR OS:
The router supports the MPLS entropy label (as specified in RFC6790, The Use of Entropy Labels in MPLS Forwarding) on fixed PW ports. This allows LSR nodes in a network to load-balance labeled packets in a more granular fashion than allowed by simply hashing on the standard label stack. For more information, see the 7450 ESS, 7750 SR, 7950 XRS, and VSR MPLS Guide, Entropy Label.
QoS is supported for ESM over PW SAPs as with ESM over regular SAPs, and includes currently supported models.
Bandwidth control per PW port (per AN or per AN/ per service) by Vport.
The following output displays a dynamic Vport selection based on an inter-dest-id configuration.
The following output displays a static assignment of PW port to Vport configuration.
With normal Ethernet aggregation in the next-mile, when last-mile shaping is on, fixed encapsulation-offset is calculate based on the last-mile encapsulation type and the next-mile encapsulation (26 Bytes with qinq). This offset is applied to the frame, and the ATM overhead is then dynamically calculated on the adjusted size. The resulting dynamically calculated overhead in the data-path is then applied to the queue-rates and the subscriber aggregate-rate.
With this feature of backhauling subscriber sessions using MPLS PW in the aggregation network. The last mile does not see any MPLS PW overhead. The next-mile includes overhead due to the PW encapsulation shown in Figure 130. Therefore, when last mile shaping is enabled, the fixed encapsulation-offset is calculated based on the difference between last-mile encapsulation type and next-mile encapsulation. The next-mile encapsulation considers the additional PW overhead, which includes:
14B Ethernet header + [4B] (optional network interface Q-tag) + MPLS Labels (variable)
In the data-path the actual PW encapsulation overhead, considering the MPLS labels which could be variable (with FRR or PHP) is tracked, and is applied to the computed “encapsulation offset”. This adjusted “encapsulation offset” is applied to the frame. The ATM overhead is then dynamically calculated on the adjusted size and applied for last mile shaping (to queue-rates and subscriber-aggregate-rate). Note that there is no change from ESM over normal SAPs, in how last-mile shaping is triggered or how the last mile encapsulation type is determined (by configuration in the egress context of the subscriber profile or dynamically learned from Access-Loop-Encapsulation sub-TLV in vendor specific PPPoE tags).
This feature provides support for stateful BNG redundancy (when the far-end aggregation PE (A-PE) is dual-homed to two BNGs terminating subscriber sessions over MPLS pseudowires (PWs) that are initiated from the A-PE and provides ESM). Subscriber state between BNGs is synced using MCS.
For an Epipe based aggregation service, the redundancy is based on active/standby PWs from A-PE to dual BNGs. A-PE signals active and standby pseudowire status to peer BNGs. An SRRP instance per PW port (group interface) is required on the BNG with messaging SAP on each PW port. BNG terminating active PW assumes the mastership for the SRRP instance on the corresponding PW port. SRRP state is tied to the state of the messaging SAP. The messaging SAP goes down when the underlying PW port goes down, based on PW status bit signaled by the A-PE.
In this model, there is no SRRP message exchange between the two BNGs, as there is no Layer 2 path between the BNGs. The purpose of SRRP is to get SRRP-aware routing for subscriber routes and managed routes, and/or to be able to use the redundant (shunt) interface. Downstream traffic for a subscriber that ingresses the backup BNG can only be shunted to the active BNG, if the corresponding subscriber-interface on the backup BNG is operationally UP. This can be achieved by creating a second empty group-interface (without SAPs) on the same subscriber-interface with the knob 'oper-up-while-empty' configured. Multiple PWs with endpoint configuration is not supported on the BNG.
Sample Configuration on Master BNG
Sample Configuration on Slave BNG
With VPLS based aggregation service from A-PE, normal SRRP message exchange can take place between the primary and backup BNGs. Master-ship decision and switch-over is based on SRRP. SRRP instance is configured per group-interface corresponding to PW port. Fate-sharing groups (FSG) can be configured for a set of SRRP instances (for example, SRRP instances corresponding to PW ports sharing the same subnet). A standard oper-group grp-id should be configured with messaging SAPs for all PW ports that are in the same FSG, and monitor-oper-group grp-id should be configured under each SRRP instance in same FSG. Existing SRRP support defined in Triple-play services guide for ESM over regular group-interfaces and subscriber SAPs is applicable identically to ESM over PW ports and PW SAPs.
With PW over ESM, redundancy in the aggregation network based on MC-LAG between A-PE and dual BNGs is not supported.
The following example shows SRRP status, subscriber host, and routing information on master BNG:
The following shows SRRP status, subscriber host, and routing info in slave BNG:
This section provides an example on how to configure PW port based capture SAP that is used in ESM. For more information on PXC Based PW ports, refer to the 7450 ESS, 7750 SR, 7950 XRS, and VSR Layer 2 Services and EVPN Guide: VLL, VPLS, PBB, and EVPN.
PXC Configuration
The following is a PXC configuration example:
With this configuration, ports 1/1/1 and 2/1/1 are auto-provisioned in hybrid mode operating as individual loopback ports. The SR OS system automatically creates a pair of sub-ports per PXC. Those sub-ports are by default in shutdown state:
For redundancy purposes and/or increased bandwidth, the PXC sub-ports are aggregated in a LAG:
FPE Configuration
A PW port is associated with PXC by an FPE configuration. FPE configuration facilitates creation of an internal tunnel over PXC. This tunnel is used to map the external PW to the PW port. For more information on FPE, refer to 7450 ESS, 7750 SR, 7950 XRS, and VSR Interface Configuration Guide.
The following is an FPE configuration example:
The association between xc-a/b (cross-connects) and LAG IDs is performed arbitrarily by the operator. For example, it can associate xc-a with lag-id 2 (which includes PXC sub-ports on the .b side) and xc-b with lag-id 1 (which includes PXC sub-ports on the .a side). However, the FPE always assigns the .a side of the pxc sub-ports to the transit side of the cross-connect, while the .b side of the pxc subport is assigned to the termination side of the cross-connect. Refer to the PXC Based PW port sections in the 7450 ESS, 7750 SR, 7950 XRS, and VSR Layer 2 Services and EVPN Guide: VLL, VPLS, PBB, and EVPN, for further information about transit/termination side of the cross-connect.
PW port creation — The PW port must be explicitly created in the SR OS, before mapping between PW and PW port can be performed.
SDP Creation for the External PW — The following displays an SDP configuration for the external PW.
The PW can be static or dynamically signaled, with MPLS or GRE transport.
Mapping Between the External PW and the PW port — The stitching of the external PW and PW port is configured through an Epipe in vc-switching mode.
Capture PW-SAP Creation — PW-SAPs can be configured as capture SAPs. In this example, a capture PW-SAP with s-tag 3 is created on the pw-port 100.
From here, ESM functionality is applied to the PW-SAP in the same manner as on any other regular SAP.
Cross-Connecting SAPs to PW ports — In addition to PW termination, a PW port can become a terminating point for a regular SAP. For example:
In this example, the outer VLAN tag 10 in the payload is removed on ingress and the payload is delivered to the PW port where it can be mapped to a capture PW-SAP. This scenario allows traffic distribution from a single I/O port to different EMS termination points (anchor line cards) based on outer VLANs.
This feature enables service providers to track subscribers based on a virtual-port known as logical line ID (LLID). The LLID (an alphanumeric string) is a logical identification of a subscriber line. Mapping of physical line of a subscriber to LLID is performed by pre-authentication with a separate AAA server than the AAA server used for authenticating the subscriber session during normal access authentication.
LLID serves the purpose of abstracting the physical line of the user from the ISP. If the user moves to a new physical line, the RADIUS server database maintaining the physical line of the subscriber to LLID is updated. Because a subscriber’s LLID remains same regardless of subscriber’s physical location, using LLID gives service provider a stable and secure identifier for tracking subscriber.
The local user database assigned to the PPPoE node under the group interface can have both a pre-authentication policy and an authentication policy. The purpose of the pre-authentication policy is to retrieve the LLID from the AAA server. The pre-authentication only extracts the calling-station-id attribute (0x31) which is used as the LLID, anything else returned during pre-authentication are simply ignored. If the pre-authentication is missing the LLID, the session moves on to the authentication policy. In the authentication policy that follows, it is possible to use the LLID as the calling-station ID.
It is possible to convey LLID from the LAC to the LNS. The LLID is retrieved through PPPoE pre-authentication where the returned RADIUS attribute calling station ID is used as the LLID. This LLID is selectable attribute in L2TP as a calling-number (AVP 22) to be passed from LAC to LNS. At the LNS, the subscriber calling station number is retrieved from AVP 22 and can be included as an attribute during authentication.
The PADI Authentication Policy feature enables PADI authentication that retrieves MSAP parameters before pre-authentication and PPPoE authentication.
With this feature, authentication occurs in the following manner.
Figure 133 shows triple authentication with MSAP authentication policy.
The CLI command config>subscr-mgmt>loc-user-db>ppp>host>padi-auth-policy configures a PADI authentication policy used for PADI authentication with MSAP authorization as shown in the CLI example below:
ESM parameters (ESM strings and other IP parameters) obtained during authentication and re-authentication phases are combined from various sources with a specific preference order as follows:
For example, if the same ESM parameter is provided through both authentication sources, LUDB and RADIUS, the ESM parameter from LUDB always overrides the ESM parameter obtained from RADIUS.
SR OS allows the priority of LUDB and RADIUS sources to be reversed. This prioritization of authentication sources, where RADIUS is given priority over LUDB, ensures that parameters from LUDB are used as a backup, only in cases where the same ESM parameters are not provided by RADIUS.
The settings that allow swapping of the LUDB and RADIUS priorities as authentication sources are configured on the system level as follows.
Classic CLI:
The only accepted configuration option is id 3 and RADIUS as the source string. This configuration moves RADIUS to position 3 and shifts everything from the previous position 3 downward.
The defaults are restored by using the no form of the priority command.
The active order of priorities can be displayed in the output of the show>subscr-mgmt>authentication-origin command:
The following describes the configuration logic where both LUDB and RADIUS are accessed during authentication phase:
With this approach, LUDB is accessed first and subscribers can be authenticated based on generic criteria, such as a range of VLANs or a default user. The ESM parameters obtained in this step are stored.
After LUDB authentication, RADIUS is accessed when authentication on subscriber-specific authentication fields is performed (for example, based on a username, circuit-id, MAC address, and so on). During this RADIUS authentication phase, another set of ESM parameters more tailored for the specific user is obtained, effectively overriding the overlapping parameters from LUDB.
For IPoE host-based deployments, such as when the ipoe-session is disabled (meaning that clients are treated as hosts instead of sessions), the re-authentication option in the authentication policy must be enabled when RADIUS is prioritized over LUDB as the authentication source. Enabling re-authentication is only required in IPoE host-based deployments and not required for IPoE or PPPoE sessions.
IPoE and PPPoE v4/v6 hosts on static SAPs can be instantiated without the need to access LUDB or RADIUS server. In this case, the default subscriber host parameters (sla-profile, sub-profile, subscriber-id) must be provisioned statically under the SAP. The IP address assignment is provided by internal or external DHCP server. The IP address selection on the router based DHCP server is based on the gi-address while third party DHCP servers may provide additional means to select the IP address (mac-address, circuit-id, and so on).
A DHCP pool name cannot be provided by an SR-series router DHCP relay agent, since the LUDB and/or RADIUS are not utilized.
This model does not support IP address delegation by DHCP Proxy function since there is no LUDB or RADIUS server available that can supply pre-configured IP address.
Host instantiation without LUDB or RADIUS access on dynamic VLANs (capture SAP and consequently mSAP) is not supported.
Subscriber-host authentication, identification and IP address assignment can be performed by LUDB without the need to access the RADIUS server.
The LUDB is normally configured under the group-interface>ppp/dhcp hierarchy and can provide subscriber-identification parameters as well as IP addressing parameters:
Pool names for DHCP relay function (IPv4, IPv6 IA-NA, IPv6 IA-PD)
Fixed IP addresses – IPv4, IPv6 IA-NA, IPv6 IA-PD and IPv6 SLAAC prefix.
In case of capture SAP, the LUDB name configured under the capture SAP must match the LUDB name under the group-interface>dhcp/ppp hierarchy. If the LUDB names do not match, the subscriber-host instantiation fails.
If the IPv4 addressing assignment is facilitated by the DHCPv4 relay and an internal DHCPv4 server, the DHCPv4 server itself can query the LUDB for IPv4 address information. LUDB can provide a v4 pool name and IPv4 DHCP options to the DHCPv4 server or it can instruct it to use the gi-address as the IPv4 address selection mechanism.
ESM strings can also be provided by LUDB queried by the DHCPv4 server.
If LUDB access by DHCPv4 server is provided in addition to other authentication means (another LUDB under the group-interface, or RADIUS server), the ESM strings from the LUDB under the grp-interface or from the RADIUS server has priority over the ESM strings configured under the LUDB accessed by the DHCPv4 server. On the other hand, the IPv4 addressing information has the highest priority from the LUDB accessed directly by the DHCPv4 server.
Accessing LUDB directly by DHCPv4 server should be used in rare and exceptional cases.
LUDB access under the group-interface, possibly complemented by the RADIUS server provides necessary means for subscriber-host instantiation in majority of use cases.
Like LUDB-only access, RADIUS server can provide all the necessary information for subscriber-host instantiation, including the IP addressing parameters (pool names or IP addresses/prefixes). Authentication-policy which defines the RADIUS access must be applied to the group-interface.
In case of capture SAP, the authentication policy must be applied under the capture SAP. This authentication policy name must match the authentication policy name that is configured under the group-interface. Otherwise, the host instantiation fails.
LUDB and RADIUS access can be combined during subscriber-host instantiation phase.
Configuration-wise, LUDB must be referenced under the group-interface>dhcp/ppp/pppoe hierarchy (and possibly under the capture SAP), while the authentication-policy is specified within the LUDB. In this fashion, LUDB access is followed by RADIUS access. The subscriber-host parameters retrieved from both sources are combined with LUDB parameters being prioritized over RADIUS parameters in case that both sources return the same parameters.
If LUDB and authentication policy are configured simultaneously under the group-interface (and possibly under the capture SAP), the RADIUS authentication policy evaluates and LUDB is ignored.
If RADIUS server is not accessible (non-responsive), the host instantiation phase can be:
The fallback action takes effect once the preconfigured RADIUS timeout period expires.
RADIUS fallback is not supported for DHCPv6 hosts for non-IPoE sessions but is supported for IPoE sessions.
Subscriber host — A representation of an external host requesting a service. Each such host is fully instantiated within the 7450 ESS and 7750 SR for the purpose of providing traffic control and billing services (for example, QoS, filtering, antispoofing, accounting). The external hosts may represent variety of devices such as regular PCs, STBs, residential gateways, CPEs, VoIP devices. In most cases, the external host runs a DHCPv4/v6 or PPPoEv4/v6 client. DHCP and PPPoE initiation messages from such clients triggers host instantiation within the router. For this the subscriber host term can be interchangeably used with a term DHCP client or PPPoE client.
In certain wholesale or retail environments, the wholesale provider that own the 7450 ESS and 7750 SR BNG does not know the IP addresses that the retailers assigns to their clients in advance. For this reason, wholesaler’s BNG must accept any IP address from retailers and consequently pass it to the client during subscriber-host initiation phase.
Figure 134 shows a use case for flexible IP addressing mode.
Flexible addressing of the subscriber-interface assumes two deployment scenarios:
In scenarios where subscriber host IPv4 address lies within the configured subscriber-interface subnet, the default-gw IPv4 address for the host is one of the subscriber-interface IPv4 addresses. In this case, the service provider is aware of the IPv4 addressing scheme in the BNG and supplies the DHCP client with the appropriate default-gw IPv4 address by LUDB, RADIUS or DHCP server (in that order of priority).
In scenarios where the retail service provider wants to maintain independence from the IPv4 addressing scheme deployed in the BNG (that is controlled by wholesaler), the retailer can always supply its own IPv4 address, the subnet mask and the default-gw IPv4 address. But if the default-gw IPv4 address and/or subnet mask is not supplied by the retailer, then they are auto-generated by the BNG. Once the default-gw IPv4 address is auto-generated, it is sent to the requesting DHCP client by DHCP offer in option 3 (RFC 2132, Router Option, section 3.5). There is no additional configuration needed for this action. The BNG automatically detects whether the default-gw IPv4 address is supplied by LUDB, RADIUS or DHCP server and acts correspondingly.
The default-gw IPv4 address is auto-generated based on the assigned IPv4 address/mask by setting the last bit of the assigned host IPv4 address to binary 01 or binary 10. For example if the subscriber host’s assigned IPv4 address is 10.10.10.10 255.255.255.0, then the default-gw IPv4 address is set to 10.10.10.1. If the assigned IPv4 address is 10.10.10.1 255.255.255.0, then the auto-generated default gateway IPv4 is set to 10.10.10.2.
The default gateway IPv4 address always must to be within the subscriber’s subnet. If it is not, the behavior might be inconsistent. For example:
The subscriber is successfully instantiated in the BNG, but the client may not ARP for a default-gw outside of its configured subnet. Whether the client does or does not ARP for a default-gw outside of its configured subnet depends on the implementation in the RG and CPE.
Flexible IPv4 addressing with auto-generated default-gw is supported only in Routed Central Office (RCO) model with routed residential gateways (RGs) or CPEs. In RCO model with bridged residential gateways or CPEs, the default-gw IPv4 addresses and the assigned IPv4 addresses may overlap. Once the IPv4 address of the default-gw is auto-generated, it is possible that the second host behind the bridged residential gateway or CPE is assigned the same IPv4 address as the IPv4 address of the default gateway of the first host. Such hosts would not be able to communicate with outside world.
For example:
RADIUS or DHCP server assigns IPv4 address and subnet mask to the first host in a bridged environment:
IP1: 10.10.10.1
Auto-generated default-gw IPv4 address: 10.10.10.2
Since the RADIUS and DHCP Server are not aware of the auto-generated default-gw, they may assign the following IPv4 address to the second host that comes on-line:
IP 2: 10.10.10.2 (same IPv4 address as the default-gw IPv4 address of the first host)
Auto-generated default-gw IPv4 address: 10.10.10.1
Now the first host forwards all traffic outside of the configured subnet to the second hosts which discards this traffic, effectively rendering this operation model non-deployable. And vice versa.
Subnet sharing between the hosts in flexible IPv4 addressing model is supported. In other words, in flexible IPv4 addressing model the operator can assign all IPv4 addresses (minus one, the default-we IPv4 address) from a given subnet. In this fashion, all subscribers (routed RGs or CPEs) within a single subnet can share the same default gateway.
For example, if the operator owns the IPv4 subnet 10.10.10.0/24, then one IPv4 address can be set aside for the default-gw (for example 10.10.10.254) and the remaining addresses can be assigned to the subscriber (routed RGs or CPEs). An example would be:
RG1: IP=10.10.10.1/24 def-gw 10.10.10.254
RG2: IP=10.10.10.2/24 def-gw 10.10.10.254
RG3: IP=10.10.10.3/24 def-gw 10.10.10.254
:
RG100: IP=10.10.10.100/24 def-gw 10.10.10.254
The subnet sharing is also supported in conjunction with auto-generated default-gw IPv4 address. The implication of this is that the IPv4 address of the default-gw can collide with the same IPv4 address already assigned to an existing subscriber. This is not an issue for routed RGs or CPEs since the BNG always answers ARPs for the IPv4 address of the default-gw with its own MAC address. However, local-proxy ARP functionality in the 7450 ESS and 7750 SR BNG must be enabled to support this.
This behavior can be further clarified with the following example.
Let’s assume that we have scenario with two routed RGs:
RG-1, IP=10.10.10.0/24, default-gw IP=10.10.10.1
RG-2, IP=10.10.10.1/24, default-gw IP=10.10.10.0
Once RG-1 ARPs for its default gateway of 10.10.10.1, the BNG replies with its own MAC address.
Now that host RG-1 has resolved ARP for it default-gw (MAC address pointing to the router), it can send traffic to the outside world by the BNG. When such traffic arrives to the router, the destination IPv4 address of the received packet determines the forwarding decision within the router. If the destination IPv4 address matches the IPv4 address of any subscriber (RG) instantiated within the system, the traffic is forwarded to the that RG. This also includes the case where the destination IPv4 address is the default-gw IPv4 address (10.10.10.1), which represents just another RG within the router. The traffic is consequently passed from RG-1 by 7450 ESS and 7750 SR to RG-2.
The subnet mask corresponding to the IPv4 address assigned to the subscriber is auto-generated in case that the IPv4 addressing authority (LUDB, RADIUS or DHCP Server) does not supply it. The subnet mask is derived from the IPv4 address of the subscriber and possibly the default-gw IPv4 address and it is the smallest subnet that contains both, the IPv4 address of the subscriber and the default-gw.
For example, if the RADIUS received IPv4 address is 10.10.10.138 and the received default –gw IPv4 address is 10.10.10.170, then the subnet mask is auto-generated and set to 255.255.255.192 (/26).
138 = 10001010
170 = 10101010
192 = 11000000
In case that neither the subnet mask nor the default-gw are returned, then both would be auto-generated:
In cases where the host IPv4 address and the default-gw are directly supplied by the addressing authority but the subnet mask is missing, the subnet mask auto-generation may cause the host part of the default-gw IPv4 address to become a broadcast IPv4 address. If this is an issue, then it can be avoided by directly providing the subnet mask by the addressing authority.
Local-proxy-arp and arp-populate are two commands that are relevant only to IPoEv4 hosts.
The local-proxy-arp command ensures that the router answers ARP Requests with its own MAC address for any active IPv4 address under the subnet on which the ARP request arrived. The active IPv4 address is considered the one that is assigned to an already instantiated hosts or the default-gw (even auto-generated).
In absence of local-proxy-arp command, the only ARP Request that the router’s answer is the one for the statically configured IPv4 addresses of the subscriber-interface. In flexible IPv4 addressing, the IPv4 address of the default-gw does not necessarily match any of the configured subscriber-interface IPv4 addresses. The ARP Request for such default-gw IPv4 address would go unanswered. Consequently, the subscriber hosts would not be able to communicate with outside world. Therefore, the flexible IPv4 addressing requires that the local-proxy-arp command is configured.
The arp-populate command disables dynamic learning of ARP entries (IPv4<->MAC mapping) on an interface based on the ARP protocol. In this case, the ARP table is populated based on the DHCPv4 lease state table which contains IPv4<->MAC mappings obtained through DHCP processing during the host instantiation phase. Arp-populate functionality is highly desirable in case of flexible IPv4 addressing.
When the arp-populate command is disabled the ARP entries are dynamically learned based on the ARP protocol. This, in conjunction with flexible IPv4 addressing may cause certain issues. Consider the following example:
In this case, downstream traffic towards the subscriber host triggers the router to send ARP Request for the subscriber host IPv4 address. The router needs to know the MAC address of the subscriber-host to forward traffic. Since the subscriber-interface is unnumbered, the source IPv4 address of the ARP request is unknown and consequently, the ARP request are not sent. As a result, downstream traffic is dropped.
However, the above example is an unlikely scenario. If the subscriber host sends the ARP request for the default-gw first, the router would create an entry in the ARP table for it and the issue would be resolved. This is the most likely outcome since the subscriber host always tries to initiate communication with the outside and therefor ARP for the IPv4 address of the default-gw (which is a 7450 ESS and 7750 SR).
With flexible IPv4 address assignment, the gi-address can be configured as any IPv4 address that is already assigned to an interface (loopback interface, regular interface attached to physical port or subscriber interface) within the same routing instance (VRF or GRT).
PPPoE subscriber hosts do not have the concept of default-gw. Consequently, the default-gw auto-generation concept does not apply to PPPoE hosts.
The default-gw for IPoEv6 hosts is link-local IPv6 address. Since this address is always present, there is no need for auto-generation during the subscriber instantiation time.
SLAAC hosts are installed as /64 entries, the length of the installed DHCP-PD prefix is dictated by the prefix-length and the DHCP-NA hosts are installed as /128 entries.
Flexible IP addressing for IPoE/PPPoE v4 and v6 hosts is by default disabled. In other words, the subscriber hosts are instantiated in the BNG with ability to forward traffic only if their assigned IP addresses belong to one of the configured subnets/prefixes that are associated with the subscriber-interfaces. IPv4 and IPv6 cases are be examined separately:
IPv4:
By default, IPoE and PPPoE subscriber host creation fails in the following two cases:
Subscriber host instantiation and forwarding can be explicitly enabled for both cases above with flexible IP addressing functionality.
For case 1, this can be achieved by borrowing an IP address for the subscriber-interface from any interface that is operationally up within the given routing context. This functionality can be enabled with the configure service ies | vprn <service-id>>subscriber-interface <ip-int-name> unnumbered <ip-int-name | ip-address> command.
To enable forwarding for the subscribers whose IP address falls outside of the configured subnet under the subscriber-interface (case 2), the configure service ies | vprn <service-id> subscriber-interface <ip-int-name> allow-unmatching-subnets command must be entered.
The above commands (unnumbered and allow-unmatching-subnets) are mutually exclusive. In addition, the unnumbered command can be configured only if the subscriber interface does not have an IP address already configured. Otherwise the execution of this command fails.
In both of these cases the host is installed in the routing table as /32.
IPv6:
For IPv6 there is a single command that enables flexible IP addressing for both cases:
This single command is configure service ies | vprn <service-id> subscriber-interface <ip-int-name> ipv6 allow-unmatching-prefixes.
To summarize, the following scenarios are possible:
Like the PPPoE case above.
uRPF is supported for IPv4 and IPv6 dual-stack subscribers with framed routes.
For IPv4, uRPF is supported on group interfaces using anti-spoofing filters. A group interface configured for NATed subscribers is configured with MAC/IP/PPPoE Session-ID anti-spoofing filters.
IPv6 subscribers, which are non-NAT, are always treated as being on a local subnet. For such subscribers, a BNG installs an FDB entry for local routes that match either the wan-host prefix, or the delegated prefix, or both. In strict mode for IPv6 ESM, the uRPF check checks not just that the route matching the SA (which should be a local route, such as a subnet) would route the packet back out of the interface it came in on, but in addition that we would route the packet out to the same SAP it was received on.
SR OS supports the ability to configure a NH-MAC anti-spoof type for non-NATed subscribers. When configured, the datapath performs ingress anti-spoofing based on source MAC address and egress anti-spoof (also referred to as egress subscriber-host look-up) based on the nh-ip address.
The NH-MAC anti-spoof type is configured under the following context:
config>service>vprn>if>sap
config>service>ies>sub-if>grp-if>sap
config>service>vprn>sub-if>grp-if>sap
config>subscr-mgmt>msap-policy
A uRPF check is also performed that prefixes delegated to a subscriber on that MAC address exist in the FDB.
The IP stacks of dual-stack IPoE devices are set up and configured independently using different protocols such as DHCPv4, DHCPv6 or SLAAC. As opposed to PPPoE, there is no single protocol that binds the IP stacks from a single end device together.
To facilitate subscriber management of dual-stack IPoE devices as a single entity similar as for PPPoE sessions instead of handling individual IPoE subscriber hosts, there is a need for a logical IPoE session construct. An IPoE session enables single authentication, session accounting and policy management (mid-session changes) for dual-stack IPoE devices.
An IPoE session is a logical grouping of IPoEv4 and IPoEv6 subscriber hosts that represent the different IP stacks of a single end device and that share authentication data such as subscriber id, subscriber and SLA profile, session-timeout, and so on. The grouping of subscriber hosts in an IPoE session is based on a configurable session key per group-interface. The IPoE session key includes by default the SAP identifier and MAC address and can be extended with Circuit-Id/Interface-Id or Remote-Id. For DHCPv6 Remote-Id, the enterprise number is excluded from the session-key. Circuit-id/Interface-Id or Remote-id should only be used in the IPoE session key if all subscriber host associated with the IPoE session have this field in their protocol trigger packets. The IPoE session creation (Figure 135) or subscriber host association to an IPoE session fails if the Circuit-Id/Interface-Id or Remote-id is not present in a trigger packet while the field is part of the session-key.
An IPoE session represents a single end device and can have following associated IP stacks:
A violation of the above rules results in a setup failure of the subscriber host when an attempt is made to associate it to the IPoE session.
IPoE sessions are supported in a Routed CO environment with Enhanced Subscriber Management (ESM) enabled. To enable the IPoE session instantiation, the ipoe-session CLI context on the capture SAP (managed SAP scenario) and/or group-interface must be configured to no shutdown. See also the configuration steps below.
Important Notes:
If there are active IPoE sessions on the group-interface, be aware that disabling IPoE sessions on the group-interface results in service impact for those sessions.
A single authentication is performed for all subscriber hosts that belong to the same IPoE session. Table 32 lists the packets that trigger an IPoE session authentication.
IP stack | Trigger packets |
IPv4 | DHCPv4 Discover |
DHCPv4 Request | |
IPv6 WAN | DHCPv6 Solicit |
DHCPv6 Request | |
DHCPv6 Relay Forward (Solicit) | |
DHCPv6 Relay Request (Solicit) | |
Router Solicitation | |
IPv6 PD | DHCPv6 Solicit |
DHCPv6 Request | |
DHCPv6 Relay Forward (Solicit) | |
DHCPv6 Relay Request (Solicit) |
When a trigger packet is received on a capture SAP or group-interface with IPoE sessions enabled, an IPoE session lookup is performed based on the configured IPoE session key:
Re-authentication is by default disabled for IPoE sessions. To enable re-authentication, a minimum authentication interval must be configured. The min-auth-interval CLI parameter configures the maximum frequency of re-authentications by specifying a minimum interval between two non-forced authentications for the same IPoE session. A re-authentication is triggered by the renewal of any host belonging to the IPoE session. Setting the min-auth-interval to zero seconds, always re-authenticates on each trigger packet. The re-authentication command in a RADIUS authentication policy is ignored for IPoE session authentication.
A forced authentication is performed when the Circuit-Id/Interface-Id or Remote-Id in the trigger packet has changed. An empty or absent Circuit-Id/Interface-Id or Remote-Id is not considered as a change. The default forced authentication behavior is changed with the force-auth command in the group-interface>ipoe-session context: only force authenticate on Circuit-Id/Interface-Id change or only force authenticate on Remote-Id change or disable forced authentications.
A new local user database config in the ipoe-session CLI context on a capture SAP or group interface ensures that all subscriber hosts associated with an IPoE session are using the same database and therefore common match criteria. The per subscriber host type user-db configurations, such as ipv6 dhcp6 user-db, dhcp user-db and rtr-solicit-user-db are ignored when IPoE sessions are enabled.
All RADIUS accounting modes can be enabled for IPoE sessions: queue instance accounting, host accounting or session accounting.
With session accounting, a RADIUS accounting start is generated when the first host of the session is created and an accounting stop when the last host of the session is deleted. The generation and interval of periodic interim updates can be configured. Optionally, triggered interim update messages can be generated when a host is deleted from the session or an additional host is associated.
A unique accounting session id is generated for the IPoE session and is used in RADIUS session accounting. The IPoE session accounting session id can be included in the RADIUS Access Request message the config>subscr-mgmt>auth-plcy# include-radius-attribute acct-session-id session command.
This accounting session ID can also be used in RADIUS CoA or Disconnect Messages to target the IPoE session.
Mid-session changes such as those initiated by RADIUS CoA or Diameter Gx RAR are applied to all hosts associated with the IPoE session.
A RADIUS CoA message targeting any host of an IPoE session has the same effect as a Radius CoA message targeting the IPoE session using the IPoE session Acct-Session-Id as key: all host of the session are targeted and the session state is updated with the new data.
The following tools commands are available to manually enforce a mid-session change:
When the last subscriber host associated with an IPoE session is deleted from the system, then the IPoE session is also deleted.
An IPoE session and all associated subscriber hosts can be deleted by the following:
See Limiting Subscribers, Hosts, and Sessions for a detailed description of the configuration options to use to limit the number of IPoE sessions per SAP, per group-interface, per SLA profile instance, or per subscriber.
The system keeps track of the number of IPoE sessions active on a given SAP and assign a per SAP session index to each so that the lowest free index is always assigned to the next active IPoE session. When RADIUS authentication is used, the SAP session index can be sent to, and received from, the RADIUS server using the [26-6527-180] Alc-SAP-Session-Index attribute.
It should only be used in a subscriber per VLAN model as the session index is per SAP.
The SAP session index allows IPoE sessions in a bridged RG environment to have their own set of queues for QoS and accounting purposes when using the same SLA profile name received from a RADIUS server. See Subscriber per PPPoE Session Index for further details.
Alternatively, this can be achieved by configuring per-session SPI sharing in the SLA profile as described in SLA Profile Instance Sharing.
For non-redundant BNG deployments, the IPoE session state is stored in the subscriber-mgmt persistency file for recovery from Compact Flash after a node maintenance operation or failure. This is configured at the system persistence CLI context.
For multi chassis redundancy scenarios, the IPoE session state is synchronized by the “sub-mgmt ipoe” Multi Chassis Synchronization (MCS) application.
To create an IPoE session policy:
Enable IPoE sessions on the capture SAP and/or group interface.
If IPoE sessions is enabled on a capture-sap, then it must also be enabled on the target group-interface. If an IPoE session local user database lookup is configured at the capture-sap, then the same local user database lookup must be configured at the target group-interface.
To display the IPoE session state, use following command:
This section is only applicable when enabling IPoE sessions on a group interface with active subscriber hosts. When there are no active subscriber hosts on a group interface, there is no need for a migration. Use one of the following CLI commands to determine if there are active hosts on a group interface:
By default, IPoE sessions are disabled on a group interface (ipoe-session shutdown). Enabling IPoE sessions on a group interface with active subscriber hosts starts a migration process and should be planned carefully to allow a seamless migration.
A migration is required due to the nature of IPoE sessions: a single authentication is performed for all hosts (IP stacks) of a dual-stack end device. All hosts (IP stacks) in an IPoE session share the same MAC address, SAP, and optionally Circuit-ID / Interface-ID or Remote-ID which are configured as the session-key in the ipoe-session-policy. To determine if hosts (IP stacks) belong to a single session, a new trigger packet is required to obtain the session key.
To guarantee a correct IPoE session configuration and a correct authentication database, the migration is performed when the host state is renewed, and a new trigger packet is received:
The duration of a migration is therefore dependent on the lease times for DHCPv4 and DHCPv6 hosts and for IPoE linked SLAAC hosts. If possible, the lease times could temporarily be reduced to a couple of hours to facilitate the migration process.
The actual migration is started by the arrival of a new trigger packet of an IP stack (host) that is not associated with an IPoE session. The IPoE session key is composed of the data in the trigger packet (MAC address and SAP, by default). If an IPoE session exists for the obtained IPoE session key, the corresponding session data is used for authentication. If no IPoE session exists for the obtained IPoE session key, authentication is performed, and based on the result, a new IPoE session is created. The old host state is deleted from the system and a trap is sent to indicate that this host is being migrated. A new host (IP stack) is created and associated with the IPoE session. When RADIUS accounting is enabled, this may result in an accounting start and stop depending on the accounting mode. For host accounting, an accounting stop is followed immediately by an accounting start. For queue instance accounting, an accounting stop is generated when the last host associated with the queue instance is migrated. An accounting start is generated when the first host is associated with the IPoE session.
The following notes must be considered for the migration procedure:
Example high-level migration steps.
Important Notes
During the migration of an IPv4 host as a control channel for Dynamic Data Services to an IPoE session as a control channel, the associated dynamic data services are deleted and recreated based on the IPoE session authentication data.
When IPoE sessions are enabled on the group interface, at the next DHCPv4 renew or rebind:
This feature allows the creation of ESM subscribers and hosts based on the receipt of upstream data packets.
Data-triggered host creation does not rely on protocol triggers (DHCP, PPPoE) or management triggers (static hosts) to create each host, and is especially useful in the following cases:
BNG authenticates, creates, and deletes subscriber hosts as follows:
Note: Data-triggered ESM is supported only with IPoE sessions. |
Note: There are no automatic triggers to delete a host if session-timeout or idle-timeout and SHCV are not configured. |
Data-triggered ESM can be enabled on a group interface. The following displays a sample configuration of data-triggered ESM:
An IPoE session and ARP population are mandatory when configuring data-triggered ESM.
The following packets can start data-trigger processing:
To terminate IPv6 hosts that send neighbor RS/NS before sending data packets, auto-reply must be configured:
For MSAP, the “data” trigger packet type can accept data triggers:
Authentication of a data trigger can use LUDB configured in an IPoE session statement under a group interface.
To identify the source IPv4/IPv6 address of data-trigger packets, the IP prefix in the local user database can be configured with host-identification:
Note: Only one IP prefix can be configured for each host. A dual-stack host requires two local user database host entries if the IP prefix needs to be used for host identification. |
For RADIUS authentication, the circuit ID includes the source IPv4/IPv6 address of the data-trigger packet:
If IPoE session policy uses circuit ID to identify each session, a new IPoE session is created for each source IPv4/IPv6 address. However, RADIUS can return the circuit ID to merge multiple IPoE sessions with the same SAP, MAC, and circuit ID into a single session.
A host is created using the IPv4/IPv6 source address of the data trigger (a /32 address for IPv4 or a /128 address for IPv6), but IPv6 data-triggered hosts can be created as an IPv6 prefix by configuring ipv6-delegated-address in the local user database host entry.
RADIUS can return the following AVPs to model the address/prefix of the data-triggered host:
Information about multiple hosts can be returned in a single Access-Accept message when the nh-mac anti-spoof command is configured. This is mandatory when provisioning dual-stack hosts with the same SAP and MAC addresses with nh-mac anti-spoof configured but is mutually exclusive with the CID key in the IPoE session policy.
To authenticate data triggers, only the first packet is used for further processing. Subsequent packets from the same source are discarded until ESM host creation.
Data trigger packets are classified as all-unspecified protocol by Distributed CPU Protection (DCP).
DHCP promotion allows data-triggered subscriber hosts to become DHCP hosts.
After a data-triggered host is created, DHCP packets sent by the client starts the DHCP promotion process as follows:
Data-triggered hosts can be promoted to DHCP proxy hosts by default. To promote data-triggered hosts using DHCP relay to an internal or external DHCP server, the Alc-Force-DHCP-Relay VSA is included in Access-Accept messages to authenticate data-triggered hosts.
Figure 136 shows DHCP promotion with DHCP relay.
Note: DHCP relay promotion is only supported when using RADIUS. LUDB and NASreq is not supported. |
A SLAAC host can be created instead of a data-triggered host on data-triggered authentication when the Framed-IPv6-Prefix is returned from the LUDB or AAA server and the IPv6 prefix in the AVP value matches the source address of the data-trigger.
The following process describes how data-triggered subscriber management works with LAA for SLAAC, configured in the config>service>ies | vprn>sub-if>grp-if>lcl-addr-assign>ipv6>client-application ipoe-slaac contexts.
LAA for ipoe-wan and data-triggered subscriber management cannot co-exist on the same SAP. Data-triggered subscriber management, in the config>service>ies | vprn>sub-if>grp-if>data-trigger>no shutdown context, and LAA commands, in the config>service>ies | vprn>sub-if>grp-if>lcl-addr-assign>ipv6>ipoe-wan context, are mutually exclusive.
Data-triggered subscriber hosts can be protected with stateful multi-chassis redundancy. Subscriber management MCS applications, under config>redundancy>multi-chassis>peer>sync>sub-mgmt also include data-triggered subscriber host information.
Stateless redundancy uses SRRP in the same form as the current implementation for master/standby selection and peer liveness detection, but does not need subscriber state synchronization using MCS that requires CPM/IOM resources to be on standby node.
Stateless redundancy has the following characteristics:
Figure 137 shows an example of stateless multi-chassis redundancy.
Stateless redundancy does not have information on MSAP because MCS is not used for synchronizing subscriber host information.
Static SAPs must be configured to rewrite FDBs on Layer 2 switches with G-ARP in access or aggregation networks.
Use the following CLI commands to rewrite FDBs with G-ARP.
This requires the aggregation network to re-learn MAC for multiple C-VLANs using a single G-ARP from a specific C-VLAN.
Two typical scenarios are supported:
IPv6 prefix learning enables the creation of data-triggered IPv6 prefix-based hosts by learning prefixes from source IPv6 addresses of data-trigger packets where the prefix lengths are specified in LUDB or AAA.
IPv6 prefix learning is enabled with the following LUDB configuration conditions.
IP prefix learning from AAA is enabled with the following conditions.
DHCP promotion is also supported on the data-triggered host created with IPv6 prefix learning.
RADIUS subscriber services enable the activation and deactivation of subscriber functions by RADIUS Access-Accept or CoA messages. Each subscriber service can have its own RADIUS accounting session.
The subscriber service functionality is built using the flexible RADIUS Python script interface to populate the subscriber service data structure using a parameter list received in subscriber service-specific RADIUS Vendor Specific Attributes (VSAs). The format and content of the VSA parameter list is defined by the operator. An accounting start/stop is sent when the subscriber service is activated/deactivated. Optionally, interim updates can be sent in intervals that can be specified per subscriber service instance. Accounting interim updates and stop messages contain the subscriber service-related statistics (time or volume and time).
Subscriber services can be activated on a single-stack or dual-stack PPPoE or IPoE session or on a single-stack IPv4 host.
Subscriber service functionality can be built with:
Figure 138 shows the building blocks required to activate or deactivate a subscriber service.
Each of the building blocks is described in the following sections.
A subscriber service instance is activated from the RADIUS server by an Access-Accept or CoA message for a PPPoE or IPoE session. Deactivation of a subscriber service instance can be achieved by a RADIUS CoA message or is implicit when the associated subscriber session terminates.
To activate a subscriber service, the Alc-Sub-Serv-Activate (VSA) is used, and to deactivate a subscriber service, the Alc-Sub-Serv-Deactivate VSA is used. The formats of the Alc-Sub-Serv-Activate and Alc-Sub-Serv-Deactivate VSAs can be freely defined by the operator if they match with the Python script that is used to commit the subscriber service instance activation or deactivation.
For example, to change the upstream and downstream bandwidth of an IPoE session, the following format can be defined:
To activate a subscriber service with an upstream bandwidth of 5 Mb/s and a downstream rate of 50 Mb/s, the following VSA can then be included in a RADIUS Access-Accept or CoA message:
To deactivate the same subscriber service and revert to the initial bandwidth, the following VSA can be included in a RADIUS CoA message:
To deactivate a subscriber service instance, its unique name must be used. In the example above, the name equals “rate-limit;5120;30720”.
To start an accounting session when the subscriber service instance is activated, the following attributes can be included in the Access-Accept or CoA message:
For example, the Alc-Sub-Serv-Acct-Stats-Type attribute value is set to “volume-time” to include both the session time for time-based billing and standard counters for volume statistics collection. The Alc-Sub-Serv-Acct-Interim-Ivl attribute sets the interval for interim updates of the subscriber service instance accounting.
See the Subscriber Services RADIUS VSAs section for details on RADIUS attributes.
See the Subscriber Service RADIUS Accounting section for details on subscriber service instance accounting.
The SR OS RADIUS Python interface is used to interpret the parameters specified in the subscriber service-specific VSAs and to generate an internal proprietary format VSA representing the subscriber service instance to activate or deactivate, as shown in Figure 139.
The SR OS only requires the Alc-Sub-Serv-Internal VSA [26-6527-155] to activate or deactivate the subscriber service. Subscriber service-specific VSAs [26-6527-151..154] are available to be used in the subscriber service Python script but are ignored in the SR OS.
See the Python Script section for details on the subscriber services Python script functions and operation.
A Python script must be configured for RADIUS Access-Accept and CoA messages; for example:
The Python policy must then be applied to the radius-server-policy to pass the Access-Accept messages to the Python script and to the RADIUS server to pass the CoA messages to the Python script; for example:
The RADIUS Access-Accept and CoA messages are passed to the configured RADIUS Python scripts. As shown in Figure 140, the function of the subscriber service Python script is to interpret the subscriber service-specific VSAs that contain the subscriber service instance parameters and to generate a new Alc-Sub-Serv-Internal VSA containing the information required to activate the actual subscriber service on the PPPoE or IPoE session.
This section covers the basics to understand the functionality of a subscriber service Python script. See the Subscriber Services Python API section for a detailed description of the alc.sub_svc Python module containing functions and data structures used to define and activate a subscriber service instance.
The alc.sub_svc Python module contains the required functions and data structure to commit a subscriber service, including:
In this section an example of a Python script is explained that enables the activation or deactivation of a subscriber service.
In the example, it is assumed that only a single subscriber service is activated and/or deactivated per RADIUS message (no tagged VSAs are used) and that only a single Alc-Sub-Serv-Activate or Alc-Sub-Serv-Deactivate VSA is present (no concatenation of VSAs is required).
To change the upstream root arbiter rate and downstream aggregate rate bandwidth of an IPoE session, send the following parameters in the subscriber service activate VSA:
During the bandwidth change, the traffic should be accounted for in a separate accounting session.
To import the required modules in the Python script:
The alc.radius module provides the API access to the RADIUS VSAs in Access-Accept and CoA messages.
The alc.sub_svc module allows the API to activate and deactivate subscriber services.
The struct module is a Python module used in the example to convert data obtained from the RADIUS API as a string into Python integer values.
The following constants are used in the script:
The main flow in a subscriber service Python script is to first process the subscriber service deactivations, followed by the subscriber service activations. Optionally, the subscriber service-specific VSAs can be removed from the RADIUS message as they are not required for further processing in the SR OS:
The function to deactivate a subscriber service executes the following steps:
The function to activate a subscriber service executes the following steps:
The result of the sub_svc.commit_service() function is an Alc-Sub-Serv-Internal VSA [26-6527-155] that contains the required data for the SR OS to activate the corresponding subscriber services.
When the SR OS receives an Alc-Sub-Serv-Internal VSA [26-6527-155] in an Access-Accept or CoA message as a result of the Python script sub_svc.commit_service() function, the corresponding subscriber services are activated and/or deactivated. Optionally, an accounting session can be started for each subscriber service instance.
The following is an example of the show service sub-services command.
The following rules apply for a subscriber service instance.
Subscriber services VSAs 26-6527-151..154 are used as inputs for the subscriber service Python script and are ignored by the SR OS.
The subscriber service VSAs can be tagged to allow activation and deactivation of multiple subscriber service instances with a single RADIUS Access-Accept or CoA message.
Table 33 lists the subscriber services RADIUS VSAs. See the RADIUS Attributes Reference Guide for a complete description of the subscriber services VSAs.
Attribute ID | Attribute Name | Description |
26-6527-151 | Alc-Sub-Serv-Activate (string) | Activate a subscriber service. The attribute contains parameters as input for the subscriber service Python script to define and activate a subscriber service. Multiple VSAs can be included per message if the parameter list does not fit in a single attribute. |
26-6527-152 | Alc-Sub-Serv-Deactivate (string) | Deactivate a subscriber service. The attribute contains parameters as input for the subscriber service Python script to deactivate a subscriber service. Multiple VSAs can be included per message if the parameter list does not fit in a single attribute. |
26-6527-153 | Alc-Sub-Serv-Acct-Stats-Type (integer) | Enable or disable subscriber service accounting and specify the statistics type: volume and time or time only. Values: 1=off, 2=volume-time and 3=time |
26-6527-154 | Alc-Sub-Serv-Acct-Interim-Ivl (integer) | The interim accounting interval in seconds at which Acct-Interim-Update messages should be generated for subscriber service accounting. A value of 0 (zero) corresponds to no interim update messages. The maximum value is 300 seconds (values 1 to 300). |
26-6527-155 | Alc-Sub-Serv-Internal | For internal use only. Its value is the result of the subscriber service commit function in Python. (sub_svc.commit_service). |
The configuration for subscriber service instance accounting sessions is obtained from the RADIUS accounting policies configured in the subscriber profile of the parent subscriber:
If the parent subscriber has no RADIUS accounting policy configured, subscriber service instance accounting cannot be enabled.
If the parent subscriber has a RADIUS accounting policy configured, subscriber service instance accounting can be disabled by setting the sub_svc.acct_stats_type TLV in the subscriber service Python script to 1 (Off):
Each subscriber service instance has a unique accounting session ID included as [44] Acct-Session-Id. The [50] Acct-Multi-Session-Id contains the accounting session ID of the parent PPPoE or IPoE session as shown in Table 34.
Subscriber Service Parent | [50] Acct-Multi-Session-Id |
PPPoE session | Session Acct-Session-Id of the PPPoE session: show service id <service-id> pppoe session detail |
IPoE session | Session Acct-Session-Id of the IPoE session: show service id <service-id> ipoe session detail |
IPoEv4 host | Host Acct-Session-Id of the IPoEv4 host: show service id <service-id> subscriber-hosts detail |
The content of the volume counters when the subscriber service accounting statistics type equals volume-time is determined by the subscriber service action. For details, see the subscriber service sections that follow.
An accounting-only subscriber service has no specific action such as qos-override or pccrule defined and has subscriber service instance accounting enabled.
An example of when an accounting-only subscriber service would be used is if additional accounting data is needed for a specific time period in the lifetime of a PPPoE or IPoE session.
The sub_svc.acct_stats_type TLV in the subscriber services Python script must be set to a value different from 1 (Off) to enable subscriber service instance accounting. For example:
The volume counters for subscriber service statistics type volume-time contain the aggregate forwarded octets and packets of the parent PPPoE or IPoE session sla-profile instance since the start of the subscriber service.
A subscriber service instance with a qos-override action overrides queue or policer parameters (CIR, PIR, CBS, MBS) configured at the sla-profile level and hierarchical QoS parameters (aggregate rate, scheduler rate, or root and intermediate arbiter rate) configured at the sub-profile level.
An example of when a QoS override-based subscriber service would be used is to temporarily offer higher bandwidth and charge for the volume consumed during this period. Figure 141 shows the volume statistics that are reported for the PPPoE or IPoE session accounting and for each of the subscriber service instances accounting sessions that were activated and deactivated.
The sub_svc.qos_override TLV in the subscriber services Python script adds a qos-override action. For example:
Actual values are used to populate the subscriber service data structure in this example; typically, these values are sent as parameters in subscriber service-specific VSAs.
Although a QoS override-based subscriber service instance is activated for a PPPoE or IPoE session, the overrides are applied at the SLA profile instance and/or subscriber level.
QoS override-based subscriber services have precedence over dynamic QoS overrides (RADIUS Alc-Subscriber-QoS-Override VSA or Gx Charging-Rule-Definition with QoS-Information) on the PPPoE or IPoE session.
The installed QoS override actions can be verified in the output of the show service active-subscribers detail CLI command.
The volume counters for subscriber service statistics type volume-time contain the aggregate forwarded octets and packets of the parent PPPoE or IPoE session sla-profile instance since the start of the subscriber service.
QoS override-based subscriber services are stored in the subscriber-mgmt persistency file.
Policy and Charging Control (PCC) rules are defined in the 3GPP PCC architecture and used in the Diameter Gx application as a collection of parameters that enable IP traffic flows to be identified, QoS parameters and filtering actions to be applied to these flows, and charging to be performed on them. The use of PCC rules in policy management by the Diameter Gx interface is described in the PCC Rules.
The same PCC rule construct is used in RADIUS subscriber services to enable IP flow-based actions and accounting.
IP flow-based accounting is one use for a subscriber service using PCC rules. Activated by a self-service portal or as part of an Internet subscription package, applications identified by a 5-tuple receive specific treatment, such as bandwidth increase, expedited forwarding, or zero rating. Volume and time statistics for the application data are available in the subscriber service RADIUS accounting session. This is shown in Figure 142.
A PCC rule is a unidirectional set of IP flows sharing a same set of actions. IPv4 and IPv6 flows can be combined within the same PCC rule.
A PCC rule name must be unique for each rule applied on a single PPPoE or IPoE session. For optimal PCC rule sharing, it is recommended that the same PCC rule name be used when its content is the same (that is, the same set of flows and same set of actions).
An IP flow is identified by a combination of:
The CLI equivalent is:
Supported actions include forward, drop, redirect to ip next hop, redirect to a routing instance, HTTP redirect, forwarding class change, rate-limit, and account.
With a specified set of actions, PCC rules are instantiated in the SR OS by IP criteria or IPv6 criteria entries in SAP ingress or SAP egress QoS polices and/or in IP or IPv6 filter entries. A PCC rule precedence value determines the relative order of different PCC rules when inserted in the QoS or filter policy: a rule with a lower precedence value is be applied before a rule with a higher precedence value. Rules with the same precedence can be automatically optimized; the relative order in which they are applied is determined by the system for optimal sharing. Rules with no precedence are applied at the end and are also automatically optimized.
Table 35 and Table 36 provide an overview of the PCC rule actions and where they apply.
Action | Direction | Description |
Forwarding Class (FC) change | Ingress/Egress | changes the QoS forwarding class CLI equivalent: config>qos sap-ingress | sap-egress <id> create ip-criteria | ipv6-criteria entry <id> create match <5-tuple | dscp> exit action fc <fc> exit exit |
Rate-limit (PIR/CIR) | Ingress/Egress | rate-limit traffic matching the specified flows
The forwarded octets and packets statistics of the dynamic policer are included in subscriber service accounting. CLI equivalent: config>qos sap-ingress | sap-egress <id> create policer 1 # dynamic policer rate <pir> cir <cir> exit ip-criteria | ipv6-criteria entry <id> create match <5-tuple | dscp> exit action policer 1 exit exit |
Account | Ingress / Egress | counts traffic matching the specified flows:
The forwarded octets and packets statistics of the dynamic policer are included in subscriber service accounting. CLI equivalent: config>qos sap-ingress | sap-egress <id> create policer 1 # dynamic policer rate max cir max exit ip-criteria | ipv6-criteria entry <id> create match <5-tuple | dscp> exit action policer 1 exit exit |
Forward | Ingress/Egress | Creates an entry in the QoS policy to forward the traffic without explicit QoS action. Matching traffic does not match on the next entry (match and exit behavior). In case of overlapping flows, such as account all traffic except flow 1 and flow 2, the more specific flows must be explicitly forwarded. CLI equivalent: config>qos sap-ingress | sap-egress <id> create ip-criteria | ipv6-criteria entry <id> create match <5-tuple | dscp> exit action exit exit |
Action | Direction | Description |
Forward/Drop | Ingress/Egress | Creates a filter entry to forward or drop the traffic CLI equivalent: config>filter ip-filter | ipv6-filter <id> create entry <id> create match <5-tuple | dscp> exit action forward | drop exit exit exit |
Redirect to an IP next-hop | Ingress | redirect the traffic to the specified IP next-hop CLI equivalent: config>filter ip-filter | ipv6-filter <id> create entry <id> create match <5-tuple | dscp> exit action forward next-hop <ip-address> exit exit exit |
Redirect to a routing instance | Ingress | redirect the traffic to the specified routing instance CLI equivalent: config>filter ip-filter | ipv6-filter <id> create entry <id> create match <5-tuple | dscp> exit action forward router <router-instance> exit exit exit |
HTTP redirect | Ingress | HTTP redirection to the specified URL CLI equivalent: config>filter ip-filter | ipv6-filter <id> create entry <id> create match <5-tuple | dscp> exit action http-redirect <rdr-url-string> exit exit exit |
Figure 143 and Figure 144 show the actions that can be combined in a single ingress or egress PCC rule.
Notes:
A PCC rule can result in one or more IPv4/IPv6 filter and/or QoS policy IPv4/IPv6 criteria entries. This is transparent to the operator.
The following initial configuration is required prior to activating PCC rule-based subscriber services.
Although a PCC rule-based subscriber service is activated on a PPPoE or IPoE session, the actions are applied at the SLA profile instance and/or subscriber host level.
A PCC rule with flow match criteria that are not explicitly IPv4 or IPv6 results in both IPv4 and IPv6 match criteria being installed; for example, destination address = any.
Filter actions are executed before QoS actions. If an IP flow is rate-limited, it should pass the IPv4 or IPv6 filter first. Adding a QoS action rate limit to a PCC rule does not automatically insert a corresponding forward entry in an IP filter. When needed, this must be done explicitly by the operator with a filter forward action. For example, an IP filter with the default action drop and several explicit forward entries is applied to an IPoE session. A new IP flow must be rate-limited and accounted for. The PCC rule should include match criteria for the IP flow and a QoS action rate limit, QoS action account, and filter action forward. Without the filter action forward, the IP flow would be dropped by the default action in the filter policy.
The example below shows a pseudo-language representation of PCC rules in a subscriber service.
The sub_svc.pccrule TLV in the subscriber services Python script adds a PCC rule to the subscriber service, as shown in the output example below:
Actual values are used to populate the subscriber service data structure in this example; typically, these values are sent as parameters in subscriber service-specific VSAs.
In the above subscriber service example, two PCC rules are installed, each with one flow:
Subscriber service instance volume-time accounting is enabled. The volume counters include the forwarded octets and packets of the dynamic policers installed for the above rules and count the traffic matching the flows.
The counters reported in PCC rule-based subscriber services RADIUS accounting are determined by the PCC rule QoS account action.
PCC rule-based subscriber services are not stored in the subscriber-mgmt persistency file.
PCC rule-based subscriber services with QoS actions interact with the classification and QoS forwarding mechanisms. This section describes how this affects the parent RADIUS accounting volume counters.
For subscriber service PCC rule QoS actions that do not result in the instantiation of a dynamic policer (such as a change of forwarding class or forward), the PCC rule matched traffic is included in the parent accounting session volume counters. This is shown in Figure 145, where the forwarding class is mapped to a subscriber queue, and in Figure 146 where the forwarding class is mapped to a subscriber policer.
For subscriber service PCC rule QoS actions that result in the instantiation of a dynamic policer (such as rate-limit or account), the dynamic policer counters are not included in the aggregate counters nor are they reported as separate detailed policer statistics. Instead, the traffic matching the PCC rules is counted in the output queues that correspond to the forwarding class of the packets.
PCC rule-based subscriber service activation failures can be categorized as failures detected in the subscriber services Python script as runtime errors (see Table 37) and failures detected in the Enhanced Subscriber Management (ESM) processing (see Table 38).
Python Runtime Errors |
Pcc rule name type must be a string |
Pcc rule name value too long |
Pcc rule qos action account value must be True(1) or False(0) |
Pcc rule filter action redirect to nexthop_v4/v6 type must be a string |
Pcc rule filter action redirect to nexthop_v4/v6 value must be a valid IPv4/v6 address |
Pcc rule filter action http redirect value is not a valid URL |
Pcc rule filter action http redirect type must be a string |
Pcc rule filter action http redirect value too long (> 255) |
Pcc rule qos action fwd class change value is invalid |
Pcc rule qos action rate limit type must be an int |
Pcc rule precedence type must be an int |
Pcc rule flow dscp match type must be a string |
Pcc rule flow dscp match value is invalid |
Pcc rule flow src/dst_ip match type must be a string: <ipv4-address>|<ipv6-address>|any |
Pcc rule flow src/dst_ip match value is not a valid IP address: <ipv4-address>|<ipv6-address>|any |
Pcc rule flow port match type must be a string: <port>[-<port>] with port [0..65535] |
Pcc rule flow protocol match type must be an int |
Pcc rule flow protocol match value must be less than 255 |
Pcc rule must have a name |
ESM Failures |
ESM —RADIUS Decoding Failures |
The PCC rule precedence must be in the range 0 to 65535. |
The PCC rule name has a maximum of 100 displayable characters. |
The PCC rule redirect URL has a maximum of 255 displayable characters. |
All flows in a PCC rule must have the same direction (ingress or egress). |
A PCC rule has a maximum of 128 flows. |
A PCC rule name can occur only once in a RADIUS message. |
A flow in a PCC rule cannot have a mix of IPv4 and IPv6 addresses (for example src-ip and dst-ip). |
ESM—Processing Failures |
If a PCC rule contains a direction-specific action (such as a redirect), it must contain at least one flow in that direction. |
If a PCC rule contains only IPv4 actions (such as a redirect to an IPv4 next hop), it must contain at least one IPv4 flow. This also applies to IPv6. |
The combinations of PCC rule actions must be supported (see Figure 143 and Figure 144). |
There must be at least one flow and at least one action per PCC rule. |
There is a maximum of 64 PCC rules per host or session. |
There are not enough filter or QoS resources to create policy clones or apply them to the host or session. |
The filter or QoS policy clone cannot be created (for example, the redirect service does not exist). |
Simultaneous provisioning of PCC rules from Gx and RADIUS is operationally blocked per subscriber session/host. |
A subscriber service instance can be built with a combination of QoS override actions and PCC rules. In this case, the reported volume counters for subscriber service statistics type volume-time are determined by the PCC rule account action, as shown in Table 39.
QoS Override | PCC Rule | Reported Volume Counters |
No | No | Aggregated SLA profile queue and policer statistics |
Yes | No | Aggregated SLA profile queue and policer statistics |
No | Yes, “pccrule.qos_action_account = False” for all PCC rules | Aggregated SLA profile queue and policer statistics |
No | Yes, “pccrule.qos_action_account = True” for at least one PCC rule | Dynamic policer statistics for PCC rules with “pccrule.qos_action_account = True” |
Yes | Yes, “pccrule.qos_action_account = False” for all PCC rules | Aggregated SLA profile queue and policer statistics |
Yes | Yes, “pccrule.qos_action_account = True” for at least one PCC rule | Dynamic policer statistics for PCC rules with “pccrule.qos_action_account = True” |
The SR OS alc.sub_svc Python module offers functions and data structures to describe, activate, and deactivate a subscriber service.
Table 40 lists the subscriber service functions in the alc.sub_svc module.
sub_svc Functions | Description |
sub_svc.add_to_service (svc, sub_svc TLV, value) | Appends a TLV to the service list. The service list describes the subscriber service and should be passed to the sub_svc.commit_service() to activate or deactivate the subscriber service. Parameters: svc (type = list): service list that describes the subscriber service. sub_svc TLVs are appended to this list with the sub_svc.add_to_service() function. sub_svc TLV (type int): TLV that is appended to the service list value (type as defined for the sub_svc TLV): the value of the sub_svc TLV that is appended to the service list |
sub_svc.commit_service (svc) | Creates the required internal VSAs based on the TLVs provided in the svc list. Parameters: svc (type = list): service list that describes the subscriber service. sub_svc TLVs are appended to this list with the sub_svc.add_to_service() function. The service list should be passed to sub_svc.commit_service() to activate or deactivate the subscriber service. |
Table 41 lists the subscriber service TLVs in the alc.sub_svc module.
sub_svc TLV | Activate/ Deactivate | TLV Details | |
name (string) | M/M | Purpose | The unique subscriber service instance identifier (key). This field is matched for a subscriber service deactivate request. This field could, for example, be populated with the service-name and corresponding parameter list. This value is also echoed in the Alc-Sub-Serv-Session attribute in accounting messages. When not specified, the subscriber service activation fails and an event log is generated: WARNING: SVCMGR #2511 Base RADIUS CoA Error “Problem encountered in Subscriber Management, while processing a CoA request from a RADIUS server: Could not decode RADIUS Attribute “Sub Service””. |
Value | Free format string (max. length = 1000 bytes) | ||
Default | Empty string | ||
operation (int) | M/O | Purpose | Specifies if the referenced subscriber service should be activated or deactivated |
Value | operation_add (1): activate the subscriber service instance operation_del (2): deactivate the subscriber service instance | ||
Default | operation_del | ||
acct_stats_type (int) | O/n.a. | Purpose | Defines if RADIUS accounting should be enabled for this subscriber service instance. If enabled, the accounting mode (Time or Volume and Time) is specified. Values as defined for Alc-Sub-Serv-Acct-Interim-Ivl VSA |
Value | Off (1) Volume-time (2) Time (3) | ||
Default | Off | ||
acct_interval (int) | O/n.a. | Purpose | Defines the RADIUS interim accounting update interval for this subscriber service instance Values as defined for Alc-Sub-Serv-Acct-Interim-Ivl VSA |
Value | 0 (no interim updates) 1 to 299 (rounded to a maximum 300 seconds) 300 to 15552000 (override the local configured update-interval for this subscriber service instance) | ||
Default | Update interval from the parent subscriber RADIUS accounting policy | ||
type (string) | O/n.a. | Purpose | Grouping of subscriber service instances that belong to the same PPPoE or IPoE session |
Value | Free format string (max. length = 255 bytes) | ||
Default | empty string | ||
type_conflict_action (int) | O/n.a. | Purpose | Defines the action when another subscriber service instance of the same type is already activated for the same PPPoE or IPoE session. |
Value | type_conflict_action_keep_old (1): reject the new subscriber service instance type_conflict_action_keep_new (2): deactivate the old and activate the new subscriber service instance type_conflict_action_none (3): allow multiple subscriber service instances of this type | ||
Default | type_conflict_action_none |
Note: M=Mandatory, O=Optional, n.a.=ignored
Table 42 lists the QoS override TLVs in the alc.sub_svc module.
sub_svc TLV | Activate/ Deactivate | TLV Details | |
qos_override (string) | O/n.a. | Purpose | Adds a QoS override to the subscriber service. Multiple qos_override TLVs can be added in a single subscriber service instance. |
Value | As defined for the RADIUS Alc-Subscriber-QoS-Override VSA [26-6527-126]. Refer to the 7750 SR and VSR RADIUS Attributes Reference Guide for details. | ||
Default | Not included |
Note: M=Mandatory, O=Optional, n.a.=ignored
Table 43 lists the PCC rule PLVs in the alc.sub_svc module.
sub_svc TLV | Activate/ Deactivate | TLV Details | |
pccrule (list) | O/n.a. | Purpose | Adds a PCC rule to the subscriber service. Multiple PCC rule TLVs can be added in a single subscriber service instance. |
Value | A PCC rule list describing the PCC rule with PCC rule TLVs such as name, precedence, direction, flows, and actions PCC rule TLVs are appended to the PCC rule list with the sub_svc.pccrule.add_to_pccrule() function. | ||
Default | Not included |
Note: M=Mandatory, O=Optional, n.a.=ignored
Table 44 lists the alc.sub_svc.pccrule function.
alc.sub_svc.pccrule Function | Description |
sub_svc.pccrule.add_to_pccrule (pccrule, pccrule TLV, value) | Appends a PCC rule TLV such as name, precedence, flow, or action to the PCC rule list. The PCC rule list describes the PCC rule and can be added to a subscriber service with the sub_svc.add_to_service() function. Parameters: pccrule (type = list): PCC rule list that describes the PCC rule. PCC rule TLVs are appended to this list with the sub_svc.pccrule.add_to_pccrule() function. pccrule TLV (type int): PCC rule TLV that is appended to the PCC rule list value (type as defined for the PCC rule TLV): the value of the PCC rule TLV that is appended to the PCC rule list |
Table 45 lists the PCC rules TLVs in the alc.sub_svc.pccrule module.
PCC Rule TLV | M|O | TLV Details | |
pccrule.name (String) | M | Purpose | Specifies the name of the PCC rule A PCC rule with the same name and same or different content can only be applied once on a single parent PPPoE or IPoE session. A PCC rule with the same name and same or different content can be applied on different parent PPPoE or IPoE sessions. Rules with the same name but different content gets a different PCC rule identifier (rule id). |
pccrule.precedence (Integer) | O | Purpose | Specifies the precedence value for the PCC rule. The precedence defines a relative order of the different PCC rules: a rule with a lower precedence value is applied before a rule with a higher precedence value. Rules with the same precedence and rules without precedence can be automatically optimized; the relative order in which they are applied is determined by the system for optimal sharing. |
Value | 0 to 65535 | ||
Default | n/a These rules are applied at the end. | ||
pccrule.direction (Integer) | M | Purpose | Specifies the direction of the PCC rule: ingress or egress |
Value | direction_ingress (1) | ||
direction_egress (2) | |||
Default | n/a | ||
pccrule.flow (list) | M | Purpose | Adds a flow to the PCC rule. At least one flow must be added to a PCC rule. Multiple flow TLVs can be added to a PCC rule. |
Value | A flow list describing the flow with flow TLVs such as dscp, protocol, src-ip, dst-ip, src-port, and dts-port Flow TLVs are appended to the flow list with the sub_svc.flow.add_to_flow() function. | ||
Default | Not included | ||
pccrule.qos_action_ account (Boolean) | O (1) | Purpose | PCC rule action: account Can be applied on ingress and egress Results in IPv4 and/or IPv6 criteria entry in QoS policies. When set to True: if no rate-limit action is specified, a dynamic policer with pir=cir=max is instantiated for all flows in the PCC rule CLI equivalent: policer 1 # dynamic policer rate max cir max exit entry 10 create match … exit action policer 1 exit The forwarded octets and packets statistics of the dynamic policer associated with this PCC rule are included in subscriber service accounting. |
Value | True (1) False (0) | ||
Default | False | ||
pccrule.qos_action_ change_fc (string) | O (1) | Purpose | PCC rule action: change the forwarding class Can be applied on ingress and egress. Results in IPv4 and/or IPv6 criteria entry in QoS policies CLI equivalent: entry 10 create match … exit action fc <fc-name> exit |
Value | String with fixed format forwarding class name: “be”, “l2”, “af”, “l1”, “h2”, “ef”, “h1” or “nc” | ||
Default | n/a | ||
pccrule.qos_action_ rate_limit_cir (Integer) | O (1) | Purpose | PCC rule action: rate-limit CIR
Can be applied on ingress and egress. Results in IPv4 and/or IPv6 criteria entry in QoS policies CLI equivalent: policer 1 # dynamic policer rate … cir <cir> exit entry 10 create match … exit action policer 1 exit |
Value | 0 to 2000000000 kb/s | ||
Default | n/a | ||
pccrule.qos_action_ rate_limit_pir (integer) | O (1) | Purpose | PCC rule action: rate-limit PIR
Can be applied on ingress and egress. Results in IPv4 and/or IPv6 criteria entry in QoS policies. CLI equivalent: policer 1 # dynamic policer rate <pir> exit entry 10 create match … exit action policer 1 exit |
Value | 1 to 2000000000 kb/s | ||
Default | None | ||
pccrule.qos_action (integer) | O (1) | Purpose | PCC rule action: QoS forward Can be applied on ingress and egress Results in IPv4 and/or IPv6 criteria entry in QoS policies CLI equivalent: entry 10 create match … exit action exit |
Value | pccrule.qos_action_forward (1) | ||
Default | n/a | ||
pccrule.filter_action_http_redirect (string) | O (1) | Purpose | PCC rule action: http-redirect Can be applied on ingress only Results in an IPv4 and/or IPv6 filter entry CLI equivalent: entry 10 create match next-header tcp ... exit action http-redirect <rdr-url-string> exit exit |
Value | http-redirect URL string (maximum 255 characters) | ||
Default | n/a | ||
pccrule.filter_action_ redirect_to_nexthop_v4 (string) | O (1) | Purpose | PCC rule action: redirect to a next-hop IPv4 address Can be applied on ingress only Results in an IPv4 filter entry CLI equivalent: entry 10 create match ... exit action forward next-hop <ip-address> exit exit |
Value | IPv4 address | ||
Default | n/a | ||
pccrule.filter_action_ redirect_to_nexthop_v6 (string) | O (1) | Purpose | PCC rule action: redirect to a next-hop IPv6 address Can be applied on ingress only Results in an IPv6 filter entry. CLI equivalent: entry 10 create match ... exit action forward next-hop <ipv6-address> exit exit |
Value | IPv6 address | ||
Default | None | ||
pccrule.filter_action_ redirect_to_router_v4 (integer) | O (1) | Purpose | PCC rule action: redirect to a routing instance Can be applied on ingress only Results in an IPv4 filter entry CLI equivalent: entry 10 create match ... exit action forward router <router-instance> exit exit |
Value | service-id | ||
Default | n/a | ||
pccrule.filter_action_ redirect_to_router_v6 (Integer) | O (1) | Purpose | PCC rule action: redirect to a routing instance Can be applied on ingress only Results in an IPv6 filter entry CLI equivalent: entry 10 create match ... exit action forward router <router-instance> exit exit |
Value | service-id | ||
Default | n/a | ||
pccrule.filter_action (Integer) | O (1) | Purpose | PCC rule action: Filter forward or drop Can be applied on ingress and egress Results in an IPv4 and/or IPv6 filter entry CLI equivalent: entry 10 create match ... exit action forward | drop exit exit |
Value | pccrule.filter_action_forward (1) pccrule.filter_action_drop (2) | ||
Default | n/a | ||
pccrule.policer_parent_arbiter (String) | O | Purpose | Specifies the dynamic policer parent arbiter name for this PCC rule. The reserved value “_tmnx_no_parent” sets no arbiter parent for the dynamic policer used in this PCC rule. Overrides the dynamic policer value configured in the sap-ingress or sap-egress QoS policy. |
Value | Free format string (maximum length = 32 bytes) “_tmnx_no_parent” sets no parent arbiter | ||
Default | None | ||
pccrule.policer_parent_level (Integer) | O | Purpose | Specifies the dynamic policer parent level for this PCC rule. Overrides the dynamic policer value configured in the sap-ingress or sap-egress QoS policy. |
Value | 1 to 8 | ||
Default | None | ||
pccrule.policer_parent_weight (Integer) | O | Purpose | Specifies the dynamic policer parent weight for this PCC rule. Overrides the dynamic policer value configured in the sap-ingress or sap-egress QoS policy. |
Value | 1 to 100 | ||
Default | None | ||
pccrule.policer_mbs (Integer) | O | Purpose | Specifies the dynamic policer MBS value in bytes or reset to the default MBS value for this PCC rule. Overrides the dynamic policer value configured in the sap-ingress or sap-egress QoS policy. |
Value | 0 to 16777216 -1 sets the default MBS | ||
Default | None | ||
pccrule.policer_cbs (Integer) | O | Purpose | Specifies the dynamic policer CBS value in bytes or resets to the default CBS value for this PCC rule. Overrides the dynamic policer value configured in the sap-ingress or sap-egress QoS policy. |
Value | 0 to16777216 -1 sets the default CBS | ||
Default | None | ||
pccrule.policer_stat_mode (Integer) | O | Purpose | Specifies the dynamic policer stat-mode for this PCC rule. Overrides the dynamic policer value configured in the sap-ingress or sap-egress QoS policy. |
Value | Note that integer values are mapped to each of the stats-mode. ingress: 0 = pccrule.ingress_stat_mode_no_stats 1 = pccrule.ingress_stat_mode_minimal 2 = pccrule.ingress_stat_mode_offered_profile_no_cir 3 = pccrule.ingress_stat_mode_offered_total_cir 4 = pccrule.ingress_stat_mode_offered_priority_no_cir 5 = pccrule.ingress_stat_mode_offered_profile_cir 6 = pccrule.ingress_stat_mode_offered_priority_cir 7 = pccrule.ingress_stat_mode_offered_limited_profile_cir 8 = pccrule.ingress_stat_mode_offered_profile_capped_cir 9 = pccrule.ingress_stat_mode_offered_limited_capped_cir egress: 0 = pccrule.egress_stat_mode_no_stats 1 = pccrule.egress_stat_mode_minimal 2 = pccrule.egress_stat_mode_offered_profile_no_cir 3 = pccrule.egress_stat_mode_offered_total_cir 4 = pccrule.egress_stat_mode_offered_profile_cir 5 = pccrule.egress_stat_mode_offered_limited_capped_cir 6 = pccrule.egress_stat_mode_offered_profile_capped_cir 8 = pccrule.egress_stat_mode_offered_total_cir_exceed 9 = pccrule.egress_stat_mode_offered_four_profile_no_cir 10 = pccrule.egress_stat_mode_offered_total_cir_four_profile | ||
Default | None | ||
pccrule.policer_packet_byte_offset (Integer) | O | Purpose | Specifies the dynamic policer packet-byte-offset for this PCC rule. Setting the value to zero (0) sets no packet-byte-offset. Overrides the dynamic policer value configured in the sap-ingress or sap-egress QoS policy. |
Value | ingress: -32 to +31 egress: -64 to +31 | ||
Default | None |
Notes:
Table 46 lists the alc.sub_svc.flow function.
alc.sub_svc.flow Functions | Description |
sub_svc.flow.add_to_flow (flow, flow TLV, value) | Appends a flow TLV such as dscp, protocol, src-ip, dst-ip, src-port, or dst-port to the flow list. The flow list defines matching criteria for an IP flow and can be added to a PCC rule with the sub_svc.pccrule.add_to_pccrule() function. Parameters: flow (type = list): list containing the match criteria (DSP, 5-tuple) that describes an IP flow. Flow TLVs are appended to this list with the sub_svc.flow.add_to_flow() function. The flow is added to a PCC rule with the sub_svc.pccrule.add_to_pccrule() function. flow TLV (type int): Flow TLV that is appended to the flow list. value (type as defined for the flow TLV): the value of the flow TLV that is appended to the flow list |
Table 47 lists the PCC Rule TLVs alc.sub_svc.flow Module.
Flow TLV | M|O | TLV Details | |
flow.dscp (string) | O | Purpose | Specifies a DSCP flow match criterion |
Value | Fixed DSCP name strings as in the output of show qos dscp-table; for example, “be” or “ef”. The DSCP name must be specified in lower case. | ||
Default | n/a | ||
flow.protocol (integer) | O | Purpose | Specifies a protocol number match criterion |
Value | 0 to 255 | ||
Default | n/a | ||
flow.dst-ip (string) | O | Purpose | Specify a destination IPv4 or IPv6 match criterion |
Value | ipv4-address | ipv6-address | any where ipv4-address: d.d.d.d[/m] d [0 to 255] m [0 to 32] ipv6-address: x:x:x:x:x:x:x:x[/preflen] x: [0 to FFFF] preflen: 0 to 128 | ||
Default | any | ||
flow.dst-port (string) | O | Purpose | Specify a destination port match criterion |
Value | port or port range: port[-port] where port: 0 to 65535 | ||
Default | n/a | ||
flow.src-ip (string) | O | Purpose | Specify a source IP or IPv6 match criterion |
Value | ipv4-address | ipv6-address | any where ipv4-address: d.d.d.d[/m] d [0 to 255] m [0 to 2] ipv6-address: x:x:x:x:x:x:x:x[/preflen] x: [0 to FFFF] preflen: 0 to 128 | ||
Default | any | ||
flow.src-port (string) | O | Purpose | Specifies a source port match criterion |
Value | port or port range: port[-port] where port: 0 to 65535 | ||
Default | n/a |
To display the active subscriber services in the system, use the show service sub-services CLI command. The sub-service-name filter is a longest match.
Sample output:
To display the active PCC rules in the system, use the show service active-subscribers pcc-rule CLI command. A PCC rule can be inactive when, for example, a PCC rule with filter actions on IPv6 flows is activated on an IPv4single-stack PPPoE or IPoE session.
Sample output:
Use the following alternative command to check the PCC rules in the system:
The statistics of dynamic policers can be displayed with:
The details of the cloned QoS and filter policies as a result of PCC rule activation can be displayed with the following show commands:
There are no specific RADIUS subscriber services debug commands. The debugging is part of the RADIUS and Python debug output; for example:
For information on resource monitoring, see PCC Rules and Capacity Planning and PCC Rule Scaling Example.
The following CLI command provides an overview of the resource usage per line card, such as the number of ACL and ACL QoS entries, Filters, QoS policies, dynamic policers, and QoS overrides:
These resource counters are available in SNMP and can be used in RMON to trigger threshold crossing alarms; for example:
The summary output of the show subscriber-mgmt pcc-rule command lists the number of active PCC rules and the number of active combinations:
Residential gateway (RG) replacements are performed for a variety of reasons such as upgrading hardware, replacing broken equipment, or relocating to a new home. However, the BNG’s anti-spoof filter and host-limit features can sometime prevent immediate RG replacement. In some cases, a subscriber must wait for an old DHCP lease to expire before a new RG can connect to the BNG. For example, some service providers assign an IP address and/or prefix based on physical line, SAP-id, circuit-id, or interface-id. Therefore, a home is always assigned the same IP address and/or prefix. On the BNG, an anti-spoof mechanism prevents different MAC addresses from using the same IP address. As a result, the new RG fails the anti-spoof filter and is denied an IP address and/or prefix. The subscriber in this case must wait for the DHCP lease of the RG to time out for the anti-spoof filter to remove its entry.
Two features, lease-override and shcv-policy, may help improve the RG replacement process. These features focus on minimizing service interruption and enhancing the end subscriber experience. RGs, in general, have no mechanisms to inform the BNG or the DHCP server that they have been disconnected from the network. Even if the BNG has periodic SHCV enabled, the detection might take some time. Often, when a subscriber plugs in a new RG, the BNG still has the old RG registered as a host. This has two consequences. First, if the new RG is assigned the same IP address as the old RG, then an IP-conflict occurs and fails the anti-spoof filter. Second, if the SAP has a host limit or a session limit provisioned, then exceeding the limit prevents the new RG from receiving an IP address or prefix.
Starting in Release 13.0R4, if an IP conflict occurs on the same SAP, then by default the new RG (MAC) immediately overrides the DHCP lease of the old device. This is known as lease-override. This is applicable to DHCP relay and proxy for both IPv4 and IPv6 hosts. Prior to Release 13.0.R4, lease-override only occurred for DHCPv4 relay. The lease-override is performed only when an IP conflict occurs within the same SAP.
The other option is to use trigger SHCV to check the connectivity status of the old RG before removing it and its lease. This is known as the ip-conflict-triggered SHCV under the SHCV policy. The SHCV is sent only when the BNG detects an IP address conflict on DHCP discovery. If the host does not respond within the configured timeout, both the host and lease are removed from the BNG. The new RG is required to perform a subsequent DHCP discovery or request to install a host. SHCV can help prevent malicious RGs from spoofing another RG IP address. Trigger SHCV for IP-conflict is available for DHCPv4/v6 relay and proxy, as well as ARP hosts. The following table specifies when the SHCV is sent for IP-conflict.
Configuration on group interface | Triggered on |
DHCPv4 proxy | DHCP Discovery |
DHCPv4 relay | DHCP Request |
DHCPv6 proxy | DHCP Advertisement |
DHCPv6 relay | DHCP Advertisement |
ARP-host | Host’s initial ARP |
It is also possible that new RGs are denied service as a consequence of a set of host limits against the subscriber including sla-profile host-limits and session-limits, sub-profile host-limits and session-limits, ipoe session-limit, and ipoe sap-session limits. For example, setting a host limit of overall 1 can ensure that each home only takes one IP address. As mentioned before, RGs do not inform the BNG of a disconnect. If SHCV is enabled, it might take some time before the BNG is informed of the disconnect. Therefore, when a new RG connects to the BNG, the BNG performs a host-limit check (if configured) against the subscriber. If the old host still has an entry on the BNG and there is a host-limit of overall 1, the new RG is denied an IP address and/or prefix assignment because it has exceeded the host limit. A trigger SHCV, “host-limit-exceeded” inside the SHCV policy can be configured against a group interface. This SHCV is triggered when an over limit is detected. If the existing host registered on the BNG does not respond within the configured timeout, both the host and its lease are removed from the BNG. The SHCV can only remove hosts from the BNG and the new RG is still required to perform a subsequent DHCP discoveries or requests to obtain an IP address.
By providing lease-override and various SHCV triggers in the SHCV policy, service providers have a variety of options to allow subscribers to perform quick and seamless RG replacements.
It is possible to use the host-connectivity check without the SHCV policy. The main function of the host-connectivity check is for periodic check. The trigger functions are performed through the SHCV policy.
Network operators are sometimes unable to turn on debug to troubleshoot customers issues on a live production network. Turning on debug might affect the BNG performance, and some support technicians may not have access to debug and configuration commands.
The show subscriber-mgmt errors command is a show command that captures detailed ESM errors. This command helps diagnose problems immediately without the need to turn on the debug function. Only DHCPv4 and PPPv4 supports this command; some support details are provided below. This command does not compromise the BNG performance and does not require debug or configuration commands.
IPv6 host setup errors may be captured in error logs.
All subscriber problems are first stored in a main circular buffer. The main circular buffer is then fed into smaller circular buffers, organized by MAC addresses. When the buffer is full, the first circular buffer purges the oldest message to make room for the newest message. The smaller circular buffers (one per MAC address) store a limited number of messages per MAC. Again, the smaller buffer deletes the oldest to make room for the newest. The circular buffer, per MAC, prevents one device from holding all the error messages in the buffer. The main circular buffer can hold 5,000 errors in total, while the smaller buffer can hold 10 log entries per MAC. The circular buffer supports CPM3 and higher.
The show command allows sorting by MAC, subscriber SAP, SDP, and unknown-origin (unknown SAP or SDP). The show command allows the input of a specific MAC, SAP, or SDP to directly search for particular subscriber issues or problems.
The circular buffer only logs drop reasons for DHCPv4 and PPPoEv4. Non-error reasons are never logged; for example, a drop due to being in SRRP standby is not logged. The circular buffer has a timestamp associated with each error and the errors are listed beginning with the most recent. Error logs are lost on a HA switchover, and persistency is not supported. There is no throttling mechanism for the same errors; it is possible to fill the circular buffer with the same error message from different MAC addresses.
The accumulated statistics policy defines which statistics for queues and policers of a particular subscriber should be collected and stored in memory. At the end of the subscriber session, the queue and policer statistics are added to the statistics already stored in memory from previous sessions. This enables operators to view queue and policer statistics even if the subscriber is offline.
The accumulated statistics policy supports up to four ingress and four egress entries. For queue statistics, v4-v6 mode is not supported, where v4 and v6 statistics are always aggregated. For policer statistics, only min-mode is supported.
When a single subscriber has a list of bridge hosts, all hosts are forced to use the same statistics policy. If hosts use a different SLA profile and the operator wants to collect the statistics for all hosts, the statistics policy must encompass all queues and policers for various SLA profiles. If there are multiple SLA profile instances for the same subscriber, the statistics are summed up for each instance on a per policer or queue basis. These statistics are not exchanged between MCS peers. Therefore, for dual-homed hosts, the statistics need to be gathered from all the nodes and then summed up. If a queue or a policer is missing from the accumulated statistics policy in the current subscriber session and offline statistics exist for that entity from previous sessions, these offline stats are lost when the current subscriber session ends.
Cumulative statistics for a subscriber are not persistent; they are only stored in memory and are lost after node reboot (the statistics start at zero).
The show subscriber-mgmt accu-stats subscriber command displays the cumulative statistics for a subscriber. If the subscriber is online, the cumulative statistics consist of the sum of both the subscriber statistics while online and the offline statistics. If the subscriber is offline, the last subscriber session statistics are added to the offline statistics. Cumulative statistics for a subscriber are not persistent. They are only stored in memory and are lost after a node reboot (the statistics start at zero).
When the accumulated statistics policy changes through a subscriber profile override, either through the tools command or through RADIUS, the stored statistics can be affected. If the new SLA profile uses the same queues and policers already stored in memory, these statistics continue to accumulate. Only queues and policers that differ are added and start from zero.
If resources for capturing offline statistics are full, a trap is generated in log 99 to warn the operator. The command show subscriber-mgmt status system shows the number of subscribers using these accumulated statistics and a flag in this command shows whether the usage is at its peak value.
In the show subscriber-mgmt accu-stats-subscribers command, active subscribers with an accumulated statistics policy configured have both the sub-profile-name and accu-stats-policy fields populated. Active subscribers that are no longer associated with an accumulated statistics policy have accu-stats-policy populated with “Unknown”. Inactive subscribers have “Unknown” for both the sub-profile-name and the accu-stats-policy fields. This command is useful when combined with the CLI match command, to search for subscribers with certain properties. For example, match “Unknown” displays the list of subscribers that are no longer associated to any accumulative statistics policy.
It is possible for an active subscriber to have offline statistics without an accumulated statistics policy if the accu-stats-policy was removed from the sub-profile.
When the active subscriber has an accumulated statistics policy, the subscriber’s offline statistics can be deleted using the following command.
clear subscriber-mgmt accu-stats subscriber subscriber-id
The show subscriber-mgmt accu-stats subscriber subscriber-id command then displays only the subscriber’s current statistics as no statistics remain in the offline storage.
If an active subscriber does not have an accumulated statistics policy, the subscriber’s offline statistics can be deleted in one of the following ways.
To remove the offline statistics for all active subscribers that are no longer associated with an accumulated statistics policy, the following command can be used.
clear subscriber-mgmt accu-stats active-subs no-accu-stats-policy
To remove the offline statistics for a group of active subscribers that is no longer associated to an accumulated statistics policy and that has a defined subscriber profile (for example, if the accumulated statistics policy has been removed from the subscriber profile), the following command can be used.
clear subscriber-mgmt accu-stats active-subs sub-profile profile-name
It is also possible to remove the offline statistics for an inactive (offline) subscriber. To remove offline statistics for all inactive subscribers, use the following command.
clear subscriber-mgmt accu-stats inactive-subs
To remove offline statistics for a specific inactive subscriber, use the following command.
clear subscriber-mgmt accu-stats subscriber subscriber-id
In a hybrid access deployment, a home’s residential gateway (RG) is connected to the network by both a wired and a wireless link. Traffic can be split over these links by various mechanisms such as per-flow hashing, flow policies, or MP-TCP. Both access connections must be terminated in a common endpoint called the Hybrid Access Gateway (HAG). This gateway provides Internet connectivity to the home.
SR OS TPSDA supports hybrid access deployments where the BNG acts as a Serving Gateway (SGW), PDN Gateway (PGW), and HAG. In this model, both the fixed access and wireless access links share the same Layer 3 IP/IPv6 address. The RG/HAG determines which Layer 2 connection should be used. To support this model, SR OS supports GTP termination and ESM connection bonding. The BNG is the Layer 3 gateway in this model and attracts all IP traffic. Multicast traffic is supported.
Figure 151 shows a sample Hybrid Access deployment with a BNG-based HAG.
SR OS TPSDA supports hybrid access deployments where a PGW acts as a HAG. In this model, both the fixed access and wireless access links share the same Layer 3 IP/IPv6 address. The RG/HAG determines which Layer 2 connection should be used. To support this model, SR OS IPoE session and PPPoE session functionality is extended to connect to a GTP uplink. When this uplink is active, all unicast traffic is forwarded by a GTP tunnel between the BNG and PGW. This way, the PGW acts as the Layer 3 gateway and the BNG does not attract subscriber traffic by regular routing. Multicast traffic is not supported and should be handled out-of-band.
Figure 152 shows a sample Hybrid Access deployment with a PGW-based HAG.
For more details on GTP uplinks, see the GTP section.
ESM connection bonding allows two Layer 2 access connections, for example, GTP and PPPoE, to combine to share a single Layer 3 IP connection. This allows the seamless use of two connections for additional bandwidth or resiliency without the need to manage multiple IP addresses.
SR OS spreads downstream traffic, either based on fixed weights, a filter decision, a pure active/standby, or dynamic load-balancing that attempts to saturate one link before using another link. Upstream traffic can enter through either connection, but it is recommended to keep flows identified by 5-tuple on the same link to avoid reordering.
Connection bonding requires an FPE type of sub-mgmt-extensions.
During normal authentication, access connections can indicate they are part of a common bonding context by specifying a bonding identifier. When the first connect is set up, an additional authentication phase is started for the bonding context itself. Figure 153 shows RADIUS-based authentication for bonding of an IPoE and GTP access connection. For simplicity, all access nodes, such as the residential gateway, MSAN, eNodeB, and MME have been identified as a single entity.
All address assignments and Layer 3 parameters are shared between the access connections and are therefore handled in the bonding context. The system supports either Local Address Assignment or AAA-provisioned IP addresses. Access connections cannot use any DHCPv6 relay or client mechanisms.
After the setup is complete, ESM subscriber resources are created for each context as follows.
All access and bonding ESM contexts need to be present in distinct VRFs. The bonding context must be created in a special group interface of type bonding. This group interface is not linked to any SAPs, however, an FPE construct ensures the link between the access and bonding context.
By default, downstream packets are hashed over two connections on a per-flow basis, allowing packets of the same flow to follow the same path and avoid reordering issues. Flows are identified by the 5-tuple <src-ip, dst-ip, protocol, src-port, dst-port>. The hash weights of each connection are configurable. An IP-filter based selection can be used to override the hash-based connection selection.
The initial hash weights can also be dynamically adapted based on the load on the primary connection. The IOM periodically measures how much traffic is sent over the primary connection, comparing it to a predefined saturation rate. When the connection is saturated, the hash weights automatically change to send more traffic over the alternate link. Similarly, if the total rate of traffic decreases, the hashing weights change to send more traffic over the primary connection.
For dynamic load-balancing, the following must be defined:
When only a single connection is active, all traffic is sent to this connection, regardless of hashing weights or filters.
If one of the two access connections is idle, then the system activates this connection prior to changing hashing weights. This sequence allows the system to avoid overflowing the packet buffer of the idle connection. For example, for an idle S11 GTP connection, the system reactivates the connection through a network-triggered service request before changing weights.
Regular ESM QoS is supported in both the access and bonding contexts; however, there is no direct feedback mechanism between the two contexts. Therefore, if an access connection drops a packet, it is not reflected in bonding statistics, nor does it cause backpressure on the bonding QoS algorithm.
When traffic passes over the FPE from the bonding context to the access context or from the access context to the bonding context, the system keeps the traffic classification and the in- and out-profile markings. Although this occurs automatically, bonding subscriber policies for ingress and egress should consider the following recommendations.
FC | dot1p |
be | 0 |
l2 | 1 |
af | 2 |
l1 | 3 |
h2 | 4 |
ef | 5 |
h1 | 6 |
nc | 7 |
To support load-balancing in the bonding context, the configured stat-mode of any egress policer in the bonding context is ignored. Instead, an internal stat-mode is used, which uses two counters (one per access connection), which is reflected in the in- and out-of-profile statistics.
Multicast replication is supported in context of the access connections. By default, multicast streams are replicated in the connection where the corresponding IGMP/MLD join is received; however, this can be overridden to always force a specific connection.
When one connection fails, multicast replication automatically sets up in the alternate connection and does not require a new IGMP/MLD packet to arrive.
MCAC bandwidths must be configured equally on both access connections; otherwise, there may be unexpected drops of (S,G) pairs.
If a multicast stream is forwarded over the primary connection and egress-rate-modify is in use, any potential change of the reference rate is taken into consideration by the load-balancing mechanism for unicast traffic as described in Downstream Load-Balancing. When using per-host replication for a bonded host, similar adaptations are made based on channel definitions in applicable MCAC policies.
Ethernet satellite (ESAT) ports in the host node are logical ports (for example, esat-1/1/1) that represent physical ports on the remote (satellite) node. ESM in the host node treats ESAT ports similarly to all other physical ports in the system, even without knowing that those ports reside in a remote chassis. An example of an Ethernet satellite configuration is shown in Figure 154.
An SR OS ESAT complex (an SR OS host node with satellite nodes) supports multiple pairs of active and standby uplinks. The supported topologies are outlined in the following sections.
The following describes a single host and a single satellite topology.
Ports | Active | Standby |
esat-1/1/u1 | satellite ports 1-12 | satellite ports 13-24 |
esat-1/1/u2 | satellite ports 13-24 | satellite ports 1-12 |
Figure 155 displays an example of an SR OS host, satellite node and access node.
The following describes a single host and dual satellite topology.
Figure 156 displays an example of an SR OS host, satellite node, and access node.
Queues and policers in ESM are created on a per SLA profile instance in the host node. A subscriber host resides in a host node on a SAP that is associated with a logical port (mapped to a user port on the satellite node) which is then associated with the physical uplink.
Subscriber aggregate rate and subscriber level schedulers are subscriber-level configurations and therefore, are independent of the ports. However, port schedulers and Vports (agg-rate-limit or port-scheduler) are port level features. They are also created in the host node, on a per-user-port basis (user ports are in the host node represented by a logical ports). They must be manually created per logical port in the host even though those ports may be LAG members.
Buffer pools are the only QoS configurations that are created on a per-physical uplink basis.
ESM accounting is based on queue and policer statistics. Consider that queues are recreated and remapped every time a logical port (satellite port) or an uplink for the subscriber is changed, expect that the ESM accounting can be affected by this. If the new uplink is on the same FP as the old, then statistics are preserved. Otherwise, statistics are lost.
The following section describes multi-chassis synchronization of RADIUS usage counters.
SR OS supports synchronization of usage counters that can be reported through RADIUS accounting in a dual-homed BNG scenario.
The master SRRP node keeps the total number of statistics that are reported. The master synchronizes those statistics in regular intervals with MCS to the standby node. This way, the master copy of the total statistics is maintained on both nodes and failure cases of link, node, and so on, these statistics can be recovered from the surviving node.
The statistics are synchronized at preconfigured intervals (the MCS interval) which are independent of interim-update intervals using the config>subscr-mgmt>acct-plcy>mcs-interval minutes | use-update-interval command. The MCS minutes interval value can also be the same as the interim-update-interval use-update-interval.
If there are multiple RADIUS accounting policies in a subscriber profile, the minimum value of all the configured MCS intervals in these RADIUS accounting policies is used for usage counter synchronization.
The following SPI-level counters are synchronized:
INPUT OCTETS [42]
OUTPUT OCTETS [43]
ACCT-INPUT-GIGAWORDS [52]
ACCT-OUTPUT-GIGAWORDS [53]
Alc-IPv6-Acct-Input-Octets [26-6527-195]
Alc-IPv6-Acct-Output-Octets [26-6527-198]
Alc-IPv6-Acct-Input-Gigawords [26-6527-196]
Alc-IPv6-Acct-Output-Gigawords [26-6527-199]
In addition to aggregate accounting counters, detailed per queue and policer counters are also synchronized.
The following accounting attributes are synchronized per queue and policer:
Alc-Acct-I-Inprof-Octets-64 [26-6527-19]
Alc-Acct-I-Outprof-Octets-64 [26-6527-20]
Alc-Acct-O-Inprof-Octets-64 [26-6527-21]
Alc-Acct-O-Outprof-Octets-64 [26-6527-22]
Once the mcs-interval is configured, statistics are collected or baselined on the CPM even if the configuration to synchronize statistics is not complete (no peer, no sync tag, and so on).
In misconfiguration scenarios when two nodes use different queues or policers, the local configuration wins and decides those queues that are stored or baselined on the CPM.
The following are switchover scenarios.