Download - CSC BNG Workshop

Transcript
Page 1: CSC BNG Workshop

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Presentation_ID 1

Cisco Support Community -

Live Webcast:

ASR 9000

BNG Concept and Configuration

Bruno Novais

High Touch Engineer

CCIE R&S# 37673

Page 2: CSC BNG Workshop

Cisco Community Webcast with Technology Experts

Today's expert:

Bruno Novais, High Touch Engineer at Cisco Brazil

Page 3: CSC BNG Workshop

Cisco Community Webcast with Technology Experts

Today's assisting expert:

Gustavo Coutinho, Support Engineer at Cisco Brazil

Page 4: CSC BNG Workshop

Thank you for joining us today!

During the presentation, a few questions will be asked of the audience.

Give your answers and participate!

Page 5: CSC BNG Workshop

Thank you for joining us today!

If you want to download a copy of today's presentation, just click the link below or go to the Support Community and look for this webcast in the "Expert Corner" tab.

Page 6: CSC BNG Workshop

First Question

What is your experience with BNG?

a) Basic. I have had some contact with it, but I do not understand much about the solution itself.

b) I have advanced knowledge.

c) I am in the process of learning.

d) I do not know this solution.

Page 7: CSC BNG Workshop


ASR 9000 BNG Concept and Configuration Bruno Novais High Touch Engineer CCIE R&S# 37673

Page 8: CSC BNG Workshop

• History of Broadband: Recap
• ASR 9000 BNG Overview
• Configuration
• Example: PPPoE Subscriber
• Example: IPoE Subscriber
• Troubleshooting

Page 9: CSC BNG Workshop


History of Broadband: Recap ASR 9000 BNG Overview Configuration Example: PPPoE Subscriber Example: IPoE Subscriber Troubleshooting

Page 10: CSC BNG Workshop

Broadband Forum—Provider Networks Segmentation

The Broadband Forum divides network entities into three groups:

• Customer Premises
• NAP (Network Access Provider)
• NSP (Network Service Provider), e.g. Content Providers, ISP, Corporate Networks

POP: Point of Presence

Network Access Provider (NAP):

• Provides connectivity to Service Providers
• Encompasses the access network (DSL or else) and the aggregation and core networks

Network Service Provider (NSP):

• Implements services: Internet connectivity, business access, application-specific content hosting
• Handles authentication and address assignment

NAP and NSP can be the same operator.

Page 11: CSC BNG Workshop

Broadband... Once Upon a Time...

• The NAP core network can be ATM end to end, or a combination of ATM and IP based interfaces toward NSPs (ATM VC terminated on a Broadband Access Server (BAS) in the NAP)
• PPP is the subscriber access protocol, with the PPPoA stack
• An ATM VC (typically a PVC) is required for each subscriber PPP session toward an NSP service
• PPP can be terminated at the NSP or inside the NAP network, depending on the architecture

Figure: protocol stacks along the path. CPE: PPPoA over ATMoDSL, one PVC per subscriber PPP session. NAP: ATM, or FR, or IP, carrying PPPoA / L2TP / IP toward the BRAS. NSP (Content Providers, ISP, Corporate Networks): PPP/IP, with PPP delivered over L2TP where PPP is not terminated in the NAP.

Page 12: CSC BNG Workshop

Point To Point Protocol (PPP)

What is PPP?

It is a Data Link protocol originally designed to operate over point-to-point serial links. It was extended to operate in broadband environments with the PPPoX protocols (PPPoE, PPPoA). Defined in RFC 1661.

Why is it special?

It natively embeds functionalities like:

• Keepalives
• Reliable link
• Maximum Receive Unit (MRU) negotiation
• Compression
• Authentication, Authorization, Accounting
• Link aggregation and fragmentation
• Multi-protocol support
• Peer address assignment
• ...more...

This makes PPP appealing from a subscriber management perspective.

Page 13: CSC BNG Workshop

Broadband Architecture Evolution

• Adoption of PPPoE, as a replacement for PPPoA, as the subscriber access protocol
• PPPoE can multiplex several PPP sessions over any point-to-point or multipoint transport
• Each end client station can start a PPP session (CPE in bridged mode) => simultaneous multi-provider access supported
• A PPPoE session can also be started by the CPE (CPE in routed mode)
• Ethernet in the first mile and in the aggregation network:
  • Optimized multicast distribution and QoS in the aggregation network
  • Distributed service insertion ("Multi Edge")
  • Virtualized Layer-2 services (with VLANs)
• From BRAS to Broadband Network Gateway (BNG) at the IP edge

Figure: CPE to BNG protocol stack. First mile: PPPoE/PPP over ATMoDSL or EFM. Aggregation: Ethernet (.1Q, QnQ, .1ad) or EoMPLS. The BNG terminates PPP and forwards IP toward the core over L2TP, VPN or VLAN, with Eth, FR or POS as core transport.

Page 14: CSC BNG Workshop

PPP over Ethernet - PPPoE

Access and aggregation:

• PPP session started by the CPE or the end user
• CPE can operate in routed or bridge mode
• CPE in routed mode: runs NAT to support multiple users
• PPPoE supports multiple access technologies
• Access technology can still be DSL
• Aggregation is ATM or Ethernet

Defined in RFC 2516.

PPP assumes point-to-point connectivity, while Ethernet is a broadcast technology. PPPoE provides the tools required to carry PPP over a broadcast network, and it requires a discovery phase before PPP negotiation can start.

The same or a different interface can be used per CPE. The PPPoE flavor depends on the interface type:

• ATM interface: PPPoEoA
• Main Ethernet: PPPoEoE
• dot1Q Ethernet subinterface: PPPoEoVLAN
• QnQ subinterface: PPPoEoQnQ

Page 15: CSC BNG Workshop

PPPoE Discovery

PADI -> PADO -> PADR -> PADS

• The host sends a PPPoE Active Discovery Initiation (PADI). PADI is a MAC broadcast frame.
• The edge device(s) send a PPPoE Active Discovery Offer (PADO). PADO is a MAC unicast frame to the originating station. Several PPP edge devices may be present.
• The host selects an edge device and sends it a PPPoE Active Discovery Request (PADR). PADR is MAC unicast to the selected edge device.
• The selected edge device allocates a unique Session ID and sends it to the host via a PPPoE Active Discovery Session-confirmation (PADS). PADS is MAC unicast from the selected edge device to the host.
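The discovery exchange above is the point where a subscriber picks its access concentrator, so it is also where a defender wants visibility: a PADO from an access concentrator that is not the provider's BNG, or a PADS that hands out session ID 0, is worth flagging. The following Python is an added example, not code from the webcast or from IOS XR: it builds constructed PADI/PADO/PADR/PADS frames with the RFC 2516 layout, parses them, and checks the exchange against a constructed allow-list of expected AC-Names (`EXPECTED_AC_NAMES`, an assumption of this example).

```python
"""PPPoE discovery (PADI/PADO/PADR/PADS) parser and exchange checker.

Added example; not part of the original webcast deck. Frame layout, code and
tag values are from RFC 2516. The sample frames are constructed, and the
allow-list of legitimate access concentrators is an assumption.
"""
import struct

ETHERTYPE_DISCOVERY = 0x8863
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAGS = {0x0000: "End-Of-List", 0x0101: "Service-Name", 0x0102: "AC-Name",
        0x0103: "Host-Uniq", 0x0104: "AC-Cookie", 0x0110: "Relay-Session-Id",
        0x0201: "Service-Name-Error", 0x0202: "AC-System-Error",
        0x0203: "Generic-Error"}
BROADCAST = b"\xff" * 6
EXPECTED_AC_NAMES = {"BNG-1"}   # constructed allow-list of the provider's ACs


def build_frame(dst, src, code, session_id, tags):
    """Build an Ethernet + PPPoE discovery frame (used only to construct test input)."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    pppoe = struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload
    return dst + src + struct.pack("!H", ETHERTYPE_DISCOVERY) + pppoe


def parse_frame(frame):
    """Return a dict describing one discovery frame; raise ValueError on malformed input."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_DISCOVERY:
        raise ValueError("not a PPPoE discovery frame (0x%04x)" % ethertype)
    vertype, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if vertype != 0x11:
        raise ValueError("unsupported PPPoE ver/type 0x%02x" % vertype)
    payload = frame[20:20 + length]
    if len(payload) != length:                # length field larger than the frame
        raise ValueError("PPPoE length field exceeds frame")
    tags, off = {}, 0
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        if ttype == 0x0000:                   # End-Of-List
            break
        if off + 4 + tlen > len(payload):
            raise ValueError("tag runs past payload")
        tags[TAGS.get(ttype, "0x%04x" % ttype)] = payload[off + 4:off + 4 + tlen]
        off += 4 + tlen
    return {"dst": dst, "src": src, "code": CODES.get(code, "unknown"),
            "session_id": session_id, "tags": tags}


def check_discovery(frames):
    """Validate a PADI->PADO->PADR->PADS exchange; return a list of findings (empty = clean)."""
    findings = []
    parsed = [parse_frame(f) for f in frames]
    host = parsed[0]["src"] if parsed else None   # the PADI sender is the host
    for p in parsed:
        code = p["code"]
        if code == "PADI" and p["dst"] != BROADCAST:
            findings.append("PADI not broadcast")
        if code in ("PADI", "PADO", "PADR") and p["session_id"] != 0:
            findings.append("%s carries non-zero session id" % code)
        if code == "PADO":
            ac = p["tags"].get("AC-Name", b"").decode(errors="replace")
            if ac not in EXPECTED_AC_NAMES:        # unexpected responder on the segment
                findings.append("PADO from unexpected AC-Name %r" % ac)
            if p["dst"] != host:
                findings.append("PADO not unicast to the requesting host")
        if code == "PADS" and p["session_id"] == 0:
            findings.append("PADS with session id 0 (not a valid session)")
    return findings


def sample_exchange(ac_name=b"BNG-1"):
    """Constructed PADI/PADO/PADR/PADS exchange between one host and one AC."""
    host, ac = b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee"
    return [
        build_frame(BROADCAST, host, 0x09, 0, [(0x0101, b""), (0x0103, b"\x01")]),
        build_frame(host, ac, 0x07, 0, [(0x0102, ac_name), (0x0101, b""), (0x0103, b"\x01")]),
        build_frame(ac, host, 0x19, 0, [(0x0101, b""), (0x0103, b"\x01")]),
        build_frame(host, ac, 0x65, 0x0001, [(0x0101, b""), (0x0103, b"\x01")]),
    ]


if __name__ == "__main__":
    print(check_discovery(sample_exchange()))          # []
    print(check_discovery(sample_exchange(b"other")))  # unexpected AC-Name finding
```

The parser refuses frames whose PPPoE length field overruns the captured bytes rather than silently truncating, which is the usual source of parser confusion when feeding captures to detection logic; `check_discovery` only reports, it never injects anything.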

Page 16: CSC BNG Workshop

Second Question

Which is the first packet used in PPPoE Discovery?

a) PADI

b) PADR

c) DHCP

d) Discovery.

Page 17: CSC BNG Workshop

PPP Operations

PPP is comprised of three main components:

• A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link (or subscriber) connection
  - authentication (if required) is also part of LCP
• A family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols
• A method for encapsulating multi-protocol datagrams -> based on HDLC

PPP Session Establishment:

LCP phase: negotiation of data link parameters (MRU, authentication, keepalives, compression, ...)

  Configure Request
  Configure Ack/Nack
  Configure Request
  Configure Ack/Nack
  ...
  LCP is Open

(Authentication Phase) Optional: only performed if authentication was negotiated during the configuration exchange

NCP phase: activation of all supported network protocols. Each protocol has its own <prot>CP phase (e.g. IPCP for IP). For IP, the IPCP phase includes peer address assignment, if negotiated.

  IPCP Configure Request
  IPCP Configure Ack/Nack
  IPCP Configure Request
  IPCP Configure Ack/Nack
  ...
  IPCP is Open

Data Exchange: the link is established and data exchange can start.

Page 18: CSC BNG Workshop

Evolution to all IPoE

Figure: three generations of the access protocol stack between the DSL access and the BNG.

• Access technology ATM over DSL, subscriber access protocol PPP: IP / PPP / PPPoE / Ethernet / RFC 2684 / ATM
• Access technology EFM (EoDSL, PON, PTP), subscriber access protocol PPP: IP / PPP / PPPoE / Ethernet / EFM Phy
• Access technology EFM (EoDSL, PON, PTP), subscriber access protocol IP: IP / Ethernet / EFM Phy

The lower part of the stack is access-technology dependent; the upper part is subscriber-access-protocol dependent.

• First time introduction of Ethernet as the L2 protocol over DSL
• The access node becomes Ethernet aware even on the first mile
• Subscriber IP traffic is carried over Ethernet end to end

Page 19: CSC BNG Workshop

PPP to IP Session comparison: requirements mapped to PPP and IP sessions

Session Requirement | PPP / PPPoE Session | IP Session
Subscriber session endpoint | PPPoE/PPP client | Multiple options, commonly the device (see also "Identification")
Subscriber authentication (authentication protocol selection) | PPP LCP authentication phase (PAP, CHAP, ...) | MAC/line authentication, portal solutions, DHCP authentication
Subscriber isolation | Per-session PPP encapsulation | L3: session controller, ACLs, VRFs; L2: VLAN, private VLAN
Subscriber/session identification | Session ID | Multiple options (interface, MAC, IP address, ...)
IP addressing | PPP NCP | DHCP, static, ...
Session health - keepalive | PPP LCP | Multiple options (ARP ping, ICMP ping, ...)
Start/stop session | PPP LCP | Multiple options (packet arrivals, DHCP, ...)
Traffic encapsulation | PPPoE, PPP encapsulation | none
Traffic forwarding | Point to point | Point to point and multipoint
Wholesale | PPP/L2TP | L3: VRF; L2: VLAN, EoMPLS PW
Subscriber mobility/nomadism | Re-establish the PPP session | Transparent autologon, portal solutions

Page 20: CSC BNG Workshop


History of Broadband ASR 9000 BNG Overview Configuration Example: PPPoE Subscriber Example: IPoE Subscriber Troubleshooting

Page 21: CSC BNG Workshop

Hardware Support

RSP: RSP440-SE (NG RSP only)

Chassis: ASR9006, ASR9010; ASR9001 (4.2.1); ASR9922 (4.2.2)

Access facing (BNG): X-Men (aka Typhoon) Service Edge Optimized linecards only:

• Weapon-X-SE with:
  • A9K-MPA-2x10GE
  • A9K-MPA-4x10GE
  • A9K-MPA-20x1GE

Core facing: any Trident or Typhoon based linecard

SIP 700 linecards are supported for non-L2TP based applications only

Page 22: CSC BNG Workshop

Scale and Performance (4.2.0)

Metric | Per Port/NPU | Per LC | Per System
PPPoE sessions (LAC or PTA) | 8k/32k | 32k | 64k
LAC tunnels | n/a | n/a | 10k
IPoE sessions | 8k/32k | 32k | 64k
QoS policies | n/a | 1000 | 2000
VLANs (non-ambiguous) | 8k/8k | 8k | 8k
Ave. #classes per policy | 4/4 | 4 | 4
Bundles | n/a | n/a | 250
Members per bundle | n/a | n/a | 64
Calls per second | n/a | 100 | 100

Page 23: CSC BNG Workshop

BNG's Place in the Network

• Deployed at the access or service edge
• Communicates with other devices to control all aspects of subscriber access in the network
• Single point of contact for:
  • Subscriber identification
  • Subscriber authentication
  • Subscriber policies determination and enforcement
  • Dynamic policy update

Figure: the BNG sits between the access side (walled garden / open garden, guest portal) and the Internet/core, with a Subscriber Policy Layer made of AAA Server, Policy Server, Web Portal and DHCP Server, plus video/audio servers.

Page 24: CSC BNG Workshop

BNG Key Functions

Subscriber Identification: create a per-subscriber construct over a shared interface. Example: the subscribers are John, Mike and Ted; there are 3 subscribers connected through G0/1.10.

Subscriber Authentication and Authorization: uniquely establish the subscriber identity and determine the subscriber's policies. Example: John and Mike are HSI users, Ted is a VoIP user.

Subscriber Address Management: assign a unique IP address to each subscriber based on the provider domain. Example: the subscriber addresses should be 10.1.1.10 John, 10.1.1.20 Mike, 10.1.1.30 Ted.

Page 25: CSC BNG Workshop

Subscriber Policy Layer

AAA Server:
• Subscriber authentication/authorization
• User and service profile repository
• Accounting
• Front-end toward the billing system

Policy Server: dynamic policy push (application-level trigger)

Web Portal: front end toward the subscriber for:
• Self subscription
• Web logon
• Service selection (application-level trigger)

DHCP Server: hand-over of addresses to subscribers

Note: AAA Server, Policy Server and Web Portal can co-reside in the same appliance.

Page 26: CSC BNG Workshop

Dynamic Policy Activation

Dynamic Policy Push (e.g. "Turbo Button"): triggered by an application/service layer event; the Policy Server or Web Portal pushes the policy to the BNG.

Dynamic Policy Pull (e.g. automatic service-profile download on session establishment): triggered by a network layer event; the BNG pulls the policy from the AAA Server.

Page 27: CSC BNG Workshop

Northbound Interfaces

• RADIUS Interface, for subscriber AAA functionalities and service download (Policy PULL)
• RADIUS Extensions (RFC 3576) Open Interface, for dynamic, administrator or subscriber driven, session and service management functions (Policy PUSH)

Page 28: CSC BNG Workshop

The Subscriber Session

• Construct that represents a subscriber
  • subscriber: a billable entity and/or an entity that should be authenticated/authorized
• Common context on which subscriber policies are activated
• Created at the first sign of peer activity (FSOL = First Sign Of Life)

Figure: Subscriber 1, 2 and 3 on the access side each map to a subscriber session on the BNG, which faces the Subscriber Policy Layer (AAA Server, Policy Server, Web Portal, DHCP Server) and the Internet/core.

Page 29: CSC BNG Workshop

Deployment Models

PPP Sessions:
• LAC: PPPoE/PPP over .1Q/QnQ on the access side, carried as L2TP (IP/UDP) toward the retailer. L2TP over: Native IP, VRF Lite, MPLS VPNs (wholesale).
• PTA: PPPoE/PPP over .1Q/QnQ on the access side, PPP terminated on the BNG, L3 forwarding into Native IP, VRF Lite, MPLS VPNs toward the internet (retailer), or into a Retailer X VRF via VRF Lite / MPLS VPNs (wholesale).

IP Sessions:
• IP Layer-2 connected: IP over Ethernet (.1Q, QnQ, .1ad) on the access side, reaching the BNG through L2 bridging, L3 forwarding into Native IP, VRF Lite, MPLS VPNs (retailer), or into a Retailer X VRF via VRF Lite / MPLS VPNs (wholesale).

Legend: BNG enabled interface (access-interface). In 4.2.x it must be a Bundle-Ethernet subinterface.

Page 30: CSC BNG Workshop

Converged Access

All models and subscriber types (PPPoE and IPoE) are supported over the same access-interface on the same physical port:

• L2TP wholesale (PPP only): L2TP over Native IP, VRF Lite, MPLS VPNs
• IP wholesale (IP and PPP): VRF Lite, MPLS VPNs into a Retailer X VRF
• Internet access: Native IP, VRF Lite, MPLS VPNs

Page 31: CSC BNG Workshop

Session Authentication

Authentication: allow access to network resources only to recognized users. Authentication is not mandatory on a session, but it is used in most situations.

Authentication models supported:

• Access protocol native authentication: PPP CHAP/PAP
• Transparent Authorization (TAL): authenticates using subscriber related network identifiers, e.g. MAC/IP address, DHCP Option 82, DHCP Option 60 (4.2.1), NAS-Port-ID (4.2.1), PPPoE tags...
• Web Logon

Page 32: CSC BNG Workshop

Session Authentication—PPP Retailer: PPP common scenarios

PPP CHAP/PAP: uses the legacy PPP authentication protocols. RADIUS username: the PPP username; password: the PPP password.

TAL: PPPoE Tag: the Access Node/CPE inserts PPPoE Intermediate Agent tags (Circuit ID and Remote ID) in the PPPoE control messages. The BNG performs authentication using a combination of Circuit ID and Remote ID as the username; the username format is flexible and customizable. RADIUS username: RemoteID:CircuitID; password: shared.

Web Logon (Direct): the user logs on to a Web Portal to enter credentials (username and password). The user credentials are propagated to the BNG, which uses them to authenticate the user with the AAA server. RADIUS username/password: the web logon credentials. 4.2.0 only supports direct portal access; HTTP Redirect in 4.2.1.

(Figure axis: deployment likelihood, from - to +.)

Page 33: CSC BNG Workshop

Session Authentication—PPP Wholesaler

• PPP CHAP/PAP authentication is used to collect the subscriber username
• The username must be in FQDN format (Fully Qualified Domain Name)
• The username portion of the FQDN is stripped
• The domain portion of the FQDN is used to authenticate the user and determine the ISP (L2TP tunnel to the ISP)
• RADIUS username: the domain; password: the shared password defined on the box

Alternate method: authenticate the user based on the FQDN username and the line password.

Domain based authentication.

Page 34: CSC BNG Workshop

Session Authentication—IP Retailer: IP common scenarios

TAL: Option 82 authorization: the Access Switch/DSLAM inserts Option 82 Circuit ID and Remote ID in the DHCP requests. The BNG performs authentication using a combination of Circuit ID and Remote ID as the username; the MAC address can also be used. 4.2.1 adds support for Option 60. The username format is customizable. RADIUS username: MAC:RemoteID:CircuitID.

Web Logon (Direct): the user logs on to the Web Portal to enter credentials. The user credentials are propagated to the BNG, which uses them to authenticate the user with the AAA server. RADIUS username: the web logon username. 4.2.0 only supports direct portal access; HTTP Redirect in 4.2.1; L4 Redirect beyond 4.2.1.

(Figure axis: deployment likelihood, from - to +. Figure: DHCP exchange with the Access SW inserting Option 82 CircuitID/RemoteID; for web logon, data traffic is redirected to the portal.)

Page 35: CSC BNG Workshop

Session Authentication—WebLogon with HTTP redirect (4.2.1)

1. The client sends an HTTP TCP SYN toward an internet website; the BNG intercepts the TCP exchange for HTTP session establishment and completes it (TCP SYN ACK, TCP ACK).
2. The client sends an HTTP GET; the BNG returns HTTP 302 with a redirect URL pointing to the Web Logon Portal.
3. The client opens an HTTP session with the Web Logon Portal and enters credentials.
4. Regular Web Logon procedures follow between the Portal and the BNG.

Page 36: CSC BNG Workshop

RADIUS Interface—Access Request (Policy PULL)

Messages: Access Request, Access Accept, Access Reject, Access Challenge.

Access Request is used for:
• Session authentication
• Session authorization
• Service authentication
• Service profile download

Access Accept is used to return:
• Credential verification notification
• User profile and associated services
• Service profile download

Access Reject is used for credential verification failure notification.

Access Challenge is used for PPP CHAP authentication.

Page 37: CSC BNG Workshop

RADIUS Interface Extensions (Policy PUSH)

• ASR9000 supports RADIUS Extensions as defined in RFC 3576
• Facilitates dynamic session control from a Policy Server
• Standard primitives include:
  • Disconnect Messages (DM, aka PoD)
  • Change of Authorization (CoA)
• Proprietary CoA Extensions:
  • Account Logon
  • Account Logoff
  • Account Update
  • Service Activate
  • Service De-activate

Exchange: CoA Request from the Policy Server; CoA ACK or CoA NAK returned by the BNG.
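The Disconnect and CoA messages above let an external server tear down or re-provision any subscriber session, so the BNG must only act on requests that prove knowledge of the shared secret. The following Python is an added example, not code from the webcast or from IOS XR: it builds a Disconnect-Request with the RFC 3576/5176 Request Authenticator, shows the NAS-side verification and the authenticated ACK/NAK, and discards requests that fail the check as the RFC requires. The shared secret, session identifiers and attribute values are constructed.

```python
"""RADIUS Disconnect-Request / CoA-Request authenticator check (RFC 3576 / RFC 5176).

Added example, not from the webcast deck. Packet codes and the authenticator
formulas are from the RFCs; the secret, session IDs and attributes are
constructed for the demonstration.
"""
import hashlib
import hmac
import struct

CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ATTR_USER_NAME = 1
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503


def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> RADIUS attribute TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(blob):
    out, off = [], 0
    while off < len(blob):
        t, length = struct.unpack("!BB", blob[off:off + 2])
        if length < 2 or off + length > len(blob):
            raise ValueError("malformed attribute")
        out.append((t, blob[off + 2:off + length]))
        off += length
    return out


def build_request(code, ident, attrs, secret):
    """Request: Authenticator = MD5(Code | ID | Length | 16 zero octets | Attributes | Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body


def verify_request(packet, secret):
    """Return (code name, attrs) if the Request Authenticator is valid, else raise ValueError."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (40, 43):
        raise ValueError("not a well-formed DM/CoA request")
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Request Authenticator (wrong secret or tampered packet)")
    return CODES[code], decode_attrs(packet[20:])


def build_response(request, code, attrs, secret):
    """ACK/NAK: Authenticator = MD5(Code | ID | Length | RequestAuthenticator | Attributes | Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(head + request[4:20] + body + secret).digest()
    return head + auth + body


def handle_disconnect(packet, secret, active_sessions):
    """NAS-side handling: verify first, then tear down the named session; return the response."""
    try:
        name, attrs = verify_request(packet, secret)
    except ValueError:
        return None        # RFC 5176: silently discard requests that fail authentication
    sess = dict(attrs).get(ATTR_ACCT_SESSION_ID, b"").decode(errors="replace")
    if name == "Disconnect-Request" and sess in active_sessions:
        active_sessions.discard(sess)
        return build_response(packet, 41, [], secret)
    # unknown session (or a CoA we do not model here): NAK with Error-Cause
    err = [(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND))]
    return build_response(packet, 42, err, secret)


if __name__ == "__main__":
    secret = b"constructed-secret"
    sessions = {"0000ABCD"}
    req = build_request(40, 7, [(ATTR_USER_NAME, b"john"),
                                (ATTR_ACCT_SESSION_ID, b"0000ABCD")], secret)
    print(CODES[handle_disconnect(req, secret, sessions)[0]], sessions)
```

The comparison uses `hmac.compare_digest` so timing does not leak how many authenticator bytes matched; a request with a wrong secret produces no response at all, which is what a policy server misconfiguration looks like from the BNG side.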

Page 38: CSC BNG Workshop

How Are Attributes Applied on a Session?

During subscriber authentication/authorization:
• The subscriber is successfully authenticated (RADIUS Access-request / Access-accept with the AAA Server)
• The RADIUS response includes a list of attributes to apply on the session (from the user profile); the attributes are applied individually

Via an external Policy Manager/Web Portal (administrator driven):
• A Service Activation or Account Update request is sent by the external Policy Manager via a RADIUS CoA
• Service-Activate: attributes applied as part of a template
• Account-Update: attributes applied individually

Via the on-box control policy:
• The policy plane determines what actions to take on the session based on events (from an external PM or from the data plane); actions include applying a template
• The control plane ensures the actions are taken, i.e. it provisions the data plane
• The data plane enforces the traffic conditioning policies on the session

Figure: policy plane, control plane and data plane stacked; events flow up from the data plane and the external PM, actions flow down; attributes applied as part of a template.

Page 39: CSC BNG Workshop

Session Termination

PPP and PPPoX protocol events (PPPoE sessions exclusively):
• PPP disconnect; PPP keepalives or L2TP hellos failure

DHCP (IPoE sessions exclusively):
• DHCP Release, or DHCP lease expiry

Web Portal/PM (IPoE(*) and PPPoE sessions):
• Web Logoff
• RADIUS CoA Account-Logoff

Policy Manager (IPoE(*) and PPPoE sessions):
• RADIUS PoD (Packet of Disconnect)

Also for IPoE(*) and PPPoE sessions: absolute timeouts/timer expiry, and the CLI clear command.

(*) The IPoE session is deleted and the DHCP binding flagged (see next slide). A PADT is sent to terminate individual PPP sessions when the L2TP tunnel goes down.

Page 40: CSC BNG Workshop


History of Broadband ASR 9000 BNG Overview Configuration Example: PPPoE Subscriber Example: IPoE Subscriber Troubleshooting

Page 41: CSC BNG Workshop

Dynamic Session Initiation

Subscriber sessions are initiated at the First Sign of Life (FSOL). The FSOL depends on the session type.

PPP Sessions - FSOL:
• PPPoE call request (PADx); PADR receipt is the session-start event
• 2-stage session establishment: session-start, then session-activate
• Subscriber identified by MAC + PPP session ID

IP Sessions - FSOL:
• DHCP Discover message is the session-start event
• Single-stage session establishment
• Subscriber identified by MAC address
• The BNG must be a DHCP Proxy. DHCP proxy = DHCP relay that:
  1. creates and maintains DHCP bindings
  2. impersonates the server from the client standpoint

Page 42: CSC BNG Workshop

Third Question

What is the FSOL in IPoE with DHCP?

a) PADI

b) First IP packet

c) Any L2 broadcast

d) DHCP Discovery

e) DHCP Request

Page 43: CSC BNG Workshop

Dynamic Session Initiation

Subscriber sessions are initiated at the First Sign of Life (FSOL); the FSOL depends on the session type.

IP Sessions - FSOL: DHCP Discover

  dhcp ipv4
   profile DHCP_B10_60_PF proxy
    helper-address vrf default 1.86.19.19 giaddr 60.1.1.1
   !
   interface Bundle-Ether10.60 proxy profile DHCP_B10_60_PF
  !
  interface Bundle-Ether10.60
   ipv4 point-to-point
   ipv4 unnumbered Loopback1060
   service-policy type control subscriber IP_PM
   encapsulation dot1q 60
   ipsubscriber ipv4 l2-connected
    initiator dhcp
  !

PPP Sessions - FSOL: PPPoE call request (PADx)

  pppoe bba-group default
   service selection disable
  !
  interface Bundle-Ether10.50
   service-policy type control subscriber PPP_PM
   encapsulation dot1q 50
   pppoe enable bba-group default
  !

Page 44: CSC BNG Workshop

Session Authentication: Customizable Username Format

Step 1: define the username format:

  aaa attribute format USERNAME_FORMAT
   remote-id plus circuit-id plus mac-address separator -
  !
  aaa attribute format USERNAME_FORMAT1
   mac-address plus circuit-id separator |
  !

Step 2: specify the desired username format and the password to use for authorization (inside the control policy):

  <snip>
   20 authorize aaa list default format USERNAME_FORMAT password <pwd>
  <snip>

4.2.1 introduces username definition based on an arbitrary string:

  aaa attribute format USERNAME_FORMAT_SUPER_FLEXIBLE
   format-string "%s:%s:%[email protected]" remote-id circuit-id vendor-class-id
  !

remote-id and circuit-id come from DHCP Option 82 or from the PPPoE tags; vendor-class-id comes from DHCP Option 60; the rest of the format string is user defined.

Additional options: phy-slot, phy-subslot, phy-port, outer-vlan-id, inner-vlan-id. These allow for NAS-Port-ID based username creation.
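The identifiers that feed these username formats come off the wire, so it is worth seeing how they are extracted and combined. The following Python is an added example, not code from the webcast or from IOS XR, and it serves both the Option 82 TAL scenario on the IP Retailer slide and the `aaa attribute format` definitions above: it parses DHCP Option 82 sub-options (RFC 3046: sub-option 1 = Agent Circuit ID, 2 = Agent Remote ID) and Option 60, then composes the username in the `plus ... separator` form and in the 4.2.1 `format-string` form. The DHCP option bytes, MAC address and the `example.net` domain (the slide's own domain is not recoverable) are constructed; treating a missing field as an empty string is this example's choice, not a statement about the router's behaviour.

```python
"""Build a TAL username from DHCP Option 82 / Option 60 and the client MAC,
modelling the `aaa attribute format` composition shown on the slide.

Added example, not the webcast's or IOS XR's code. Option layouts are from
RFC 2132 (Option 60) and RFC 3046 (Option 82); sample bytes are constructed.
"""

OPT_VENDOR_CLASS = 60
OPT_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def parse_dhcp_options(blob):
    """Parse a DHCP options field (after the magic cookie) into {code: bytes}."""
    opts, off = {}, 0
    while off < len(blob):
        code = blob[off]
        if code == 255:                      # End option
            break
        if code == 0:                        # Pad option has no length byte
            off += 1
            continue
        if off + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[off + 1]
        value = blob[off + 2:off + 2 + length]
        if len(value) != length:             # length claims more than is present
            raise ValueError("option %d runs past end of options" % code)
        opts[code] = value
        off += 2 + length
    return opts


def parse_option82(value):
    """Split Option 82 into sub-options; returns {'circuit-id': str, 'remote-id': str}."""
    fields, off = {}, 0
    while off + 2 <= len(value):
        sub, length = value[off], value[off + 1]
        data = value[off + 2:off + 2 + length]
        if len(data) != length:
            raise ValueError("sub-option %d truncated" % sub)
        if sub == SUBOPT_CIRCUIT_ID:
            fields["circuit-id"] = data.decode("ascii", errors="replace")
        elif sub == SUBOPT_REMOTE_ID:
            fields["remote-id"] = data.decode("ascii", errors="replace")
        off += 2 + length
    return fields


def subscriber_identifiers(options_blob, client_mac):
    """Collect the identifiers a username format can reference."""
    opts = parse_dhcp_options(options_blob)
    ids = {"mac-address": client_mac.hex(".", 2)}   # hhhh.hhhh.hhhh notation
    if OPT_RELAY_AGENT_INFO in opts:
        ids.update(parse_option82(opts[OPT_RELAY_AGENT_INFO]))
    if OPT_VENDOR_CLASS in opts:
        ids["vendor-class-id"] = opts[OPT_VENDOR_CLASS].decode("ascii", errors="replace")
    return ids


def username_plus(ids, fields, separator):
    """'<field> plus <field> ... separator <sep>' form (USERNAME_FORMAT on the slide)."""
    return separator.join(ids.get(f, "") for f in fields)


def username_format_string(ids, fmt, fields):
    """'format-string "<printf fmt>" <field...>' form (4.2.1 style on the slide)."""
    return fmt % tuple(ids.get(f, "") for f in fields)


def sample_options():
    """Constructed DHCP options: Option 60 'MSFT 5.0', Option 82 with both sub-options, End."""
    o82 = (bytes([SUBOPT_CIRCUIT_ID, 8]) + b"dsl1/0/5" +
           bytes([SUBOPT_REMOTE_ID, 6]) + b"AN0042")
    return (bytes([OPT_VENDOR_CLASS, 8]) + b"MSFT 5.0" +
            bytes([OPT_RELAY_AGENT_INFO, len(o82)]) + o82 + b"\xff")


if __name__ == "__main__":
    ids = subscriber_identifiers(sample_options(), b"\x00\x11\x22\x33\x44\x55")
    print(username_plus(ids, ["remote-id", "circuit-id", "mac-address"], "-"))
    print(username_format_string(ids, "%s:%s:%s@example.net",
                                 ["remote-id", "circuit-id", "vendor-class-id"]))
```

Because the circuit and remote IDs are inserted by the access node rather than the subscriber, the value of TAL rests on the access network stripping any Option 82 a client sends itself; the parser above deliberately raises on truncated options instead of returning partial identifiers that could then be authorized.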

Page 45: CSC BNG Workshop

Subscriber Templates Definition

Location: AAA Server (download)
• Defined as subscriber/service profiles
• Standard and vendor-specific RADIUS attributes are used
• On-demand download on a need basis
• Control policy action: activate dynamic template <name> aaa list <list name>
• <template pwd> is NOT configurable; it defaults to "cisco"
• Only supported when templates are activated via the control policy (4.2.0)

Download sequence:
1. The Premium HSI service should be activated on the session, but no definition is available yet
2. RADIUS Access-request, Username: Premium_HSI, Password: <template pwd>
3. RADIUS Access-accept with the features associated with the template
4. Service activated on the session; the service is stored in the local cache while in use by at least 1 session

Location: BNG (local)
• Services permanently stored in the local database
• Dynamic templates pre-configured using the CLI
• Defined as dynamic subscriber/service templates: dynamic-template type { ppp | ipsubscriber | service } <name>

Page 46: CSC BNG Workshop

Dynamic Templates on Box Definition

3 types:

• ppp: for configuration on PPP sessions (both PTA and LAC)
• ipsubscriber: for configuration on IPoE sessions
• service: contains configuration commands for all types of sessions

Dynamic templates allow for inline modifications. Changes take effect immediately on all sessions using the template. Exception: immutable config options (e.g. the session IP address).

  dynamic-template type { ppp | ipsubscriber | service } <tmpl_name>
   <attribute-list>
  !

Page 47: CSC BNG Workshop

Control Policy (4.2.0)

  policy-map type control subscriber <name>
   event 1 event <event type> <match policy>
    condition 1 class type control <name> <action execution policy>
     action1
     action2
     .......
    more conditions
   event 2 + conditions
   .......
   more events
   more actions for event and condition

• Applied on the access-interface
• Defines all aspects of session processing
• No in-place modifications

Events:
• Identified by their event type; configurable and non-configurable
• Configurable event types:
  • Session-start: new session initiated (PPPoE and IPoE)
  • Session-activate: LCP has started (PPPoE only)
  • Authentication/Authorization failure: authentication failed (*)
  • Authentication/Authorization no response: authentication is inconclusive for lack of an answer from the server
  • Service-stop: request to deactivate a service from an external source

Conditional events:
• Event actions are executed only if the <conditions> are met for the event
• Conditions account for other aspects surrounding the event
• Different set of actions for the same event type
• Single or multiple matches (match-first or match-all)

Actions:
• Different set of actions per {event, condition}
• Actions are in an ordered list
• Executed based on the execution policy: do-all, do-until-failure, do-until-success
• Common action types:
  • Activate: enables a new dynamic template
  • Deactivate: terminates an active dynamic template
  • Authenticate: authenticates a session using the subscriber's credentials
  • Authorize: authenticates a session using one or more network identifiers (TAL)

(*) 4.2.0: CLI available but not supported

Page 48: CSC BNG Workshop

Defining a Control Policy: policy-map type control

A control policy associates events and conditions to an ordered list of actions (a control class). Figure: each (condition, event) pair of a session maps to its own control class, e.g. "1. Enable Service X, 2. Enable Service Y, 3. Take Action R", "1. Disable Service B, 2. Enable Service A", "1. Enable Service, 2. Take action AAA".

  policy-map type control SUBSCRIBER_RULE
   event session-start match-first
    class type control subscriber PPP_SUB do-all
     10 activate dynamic-template PPP_BASE_TMPL
     20 authorize aaa list default format PPP_UNAME passw cisco
    !
    class type control subscriber IP_SUB do-all
     10 activate dynamic-template IP_BASE_TMPL
     20 authorize aaa list default format IP_UNAME passw cisco
    !
   event session-activate match-first
    class type control subscriber PPP_SUB do-all
     10 authenticate aaa list default
   event account-logon match-first            <- in 4.2.1
    class type control subscriber IP_SUB do-all
     10 authenticate aaa list default

Page 49: CSC BNG Workshop

Defining a Control Policy: policy-map type control (annotated)

Reading the SUBSCRIBER_RULE policy, line by line:

• Control policy name: used to reference the control policy when it is applied to the access-interface
• Event being handled
• Control class match-policy: match-first: evaluate control classes until the first match; match-all: evaluate all control classes
• Control class used to qualify the event: defines the conditions for which the event is actionable
• Action execution policy: do-all: execute all actions; do-until-failure: execute actions until one fails; do-until-success: execute actions until one succeeds
• List of actions
• The account-logon event is available in 4.2.1

Page 50: CSC BNG Workshop


Defining Control Classes: class-map type control

match-policy:

● match-any: match any of the clauses
● match-all: match all clauses

Examples:

class-map type control subscriber match-any IP_SUB
 match protocol dhcpv4
!
class-map type control subscriber match-any PPP_SUB
 match protocol ppp
!

Match criteria:

● Domain name: domain <string>
● Protocol: protocol { dhcpv4 | ppp }
● Source address: source-address { ipv4 | mac }
● User name: username <string>
● Authentication status: authen-status { authenticated | unauthenticated }
● To negate a match criterion: not <criterion>

Page 51: CSC BNG Workshop


Agenda

● History of Broadband
● ASR 9000 BNG Overview
● Configuration
● Example: PPPoE Subscriber
● Example: IPoE Subscriber
● Troubleshooting

Page 52: CSC BNG Workshop


Putting it all together – Basic Example (PPPoE)

pppoe bba-group PPPOE-USERS          ! BBA group defines PPPoE discovery config/throttling
 service selection disable
!
dynamic-template                     ! defines configuration applied to the subscriber session
 type ppp PPP_TEMPLATE
  ppp authentication pap
  ipv4 unnumbered Loopback65
 !
!
interface Bundle-Ether333.6
 description "Subscriber VLAN 6 - PPPoE subscribers"
 service-policy type control subscriber PPP_SUBS_CONTROL   ! policy affecting subs
 pppoe enable bba-group PPPOE-USERS                        ! enables PPPoE processing on the interface
 encapsulation dot1q 6
!
class-map type control subscriber match-any PPP_SUBS
 match protocol ppp
 end-class-map
!
policy-map type control subscriber PPP_SUBS_CONTROL
 event session-start match-first             ! session-start events trigger upon FSOL - PADI
  class type control subscriber PPP_SUBS do-until-failure
   5 activate dynamic-template PPP_TEMPLATE  ! calls the previously-configured template
  !
 !
 event session-activate match-first          ! session-activate triggers upon LCP negotiation
  class type control subscriber PPP_SUBS do-until-failure
   5 activate dynamic-template PPP_TEMPLATE  ! calls the previously-configured template
   10 authenticate aaa list RSIM             ! will auth w/ PPP username/pass to AAA list RSIM
  !
 !
 end-policy-map
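The match and execution policies defined on the control-policy and control-class slides, applied to the PPP_SUBS_CONTROL policy of this example, replayed in Python. This is an added example, not Cisco's code or the deck's: it models class-map match-any/match-all, event match-first/match-all and the do-all/do-until-failure/do-until-success execution policies, and walks a simulated PPPoE session through session-start (PADI) and session-activate (LCP done). The Session fields, the dict-backed stand-in for the RSIM RADIUS list, the user name and password, and all helper names are constructed assumptions of this example.

```python
"""Simulation of how a BNG control policy is evaluated (added example, not Cisco's code).

Models the semantics the slides define: class-map match-any/match-all, event
match-first/match-all, and action execution do-all/do-until-failure/do-until-success,
then replays the PPP_SUBS_CONTROL policy for a simulated PPPoE session.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    protocol: str                      # "ppp" or "dhcpv4" (class-map "match protocol")
    username: str = ""
    password: str = ""                 # only consulted by the simulated AAA list
    domain: str = ""
    authen_status: str = "unauthenticated"
    templates: list = field(default_factory=list)
    log: list = field(default_factory=list)


@dataclass
class ControlClass:
    """class-map type control subscriber {match-any|match-all} <name>."""
    name: str
    match_policy: str                  # "match-any" | "match-all"
    criteria: list                     # [(attribute, value, negated)], e.g. ("protocol", "ppp", False)

    def matches(self, s):
        results = [(getattr(s, attr.replace("-", "_")) == value) != negated
                   for attr, value, negated in self.criteria]
        return any(results) if self.match_policy == "match-any" else all(results)


# Actions return True on success, False on failure; the execution policy inspects that.
def activate_template(name):
    def act(s):
        s.templates.append(name)
        s.log.append(f"activate dynamic-template {name}")
        return True
    return act


def authenticate(aaa_list, users):
    """'authenticate aaa list <aaa_list>' against a constructed user->password dict."""
    def act(s):
        ok = s.username in users and users[s.username] == s.password
        s.authen_status = "authenticated" if ok else "unauthenticated"
        s.log.append(f"authenticate aaa list {aaa_list}: {'ok' if ok else 'FAIL'}")
        return ok
    return act


def run_actions(actions, exec_policy, s):
    """Apply one control class's ordered action list under its execution policy."""
    outcomes = []
    for _seq, action in sorted(actions, key=lambda a: a[0]):
        outcomes.append(action(s))
        if exec_policy == "do-until-failure" and not outcomes[-1]:
            break                      # stop at the first failing action
        if exec_policy == "do-until-success" and outcomes[-1]:
            break                      # stop at the first succeeding action
    if exec_policy == "do-until-success":
        return any(outcomes)
    return all(outcomes)               # do-all ran everything; report whether all succeeded


@dataclass
class ControlPolicy:
    """policy-map type control subscriber <name>: event -> (match policy, classes)."""
    name: str
    events: dict                       # event -> (match_policy, [(class, exec_policy, actions)])

    def handle(self, event, s):
        match_policy, classes = self.events.get(event, ("match-first", []))
        fired = []
        for cls, exec_policy, actions in classes:
            if not cls.matches(s):
                continue
            fired.append((cls.name, run_actions(actions, exec_policy, s)))
            if match_policy == "match-first":
                break                  # match-first: stop at the first matching class
        return fired


# The PPPoE example policy from the slide, expressed with the helpers above.
PPP_SUBS = ControlClass("PPP_SUBS", "match-any", [("protocol", "ppp", False)])
AAA_RSIM = {"alice@isp.example": "s3cret"}   # constructed stand-in for the RSIM RADIUS list

PPP_SUBS_CONTROL = ControlPolicy("PPP_SUBS_CONTROL", {
    "session-start": ("match-first", [
        (PPP_SUBS, "do-until-failure", [(5, activate_template("PPP_TEMPLATE"))])]),
    "session-activate": ("match-first", [
        (PPP_SUBS, "do-until-failure", [(5, activate_template("PPP_TEMPLATE")),
                                        (10, authenticate("RSIM", AAA_RSIM))])]),
})


def pppoe_session(username, password):
    """Walk a PPPoE subscriber through session-start (PADI) and session-activate (LCP done)."""
    s = Session(protocol="ppp", username=username, password=password)
    PPP_SUBS_CONTROL.handle("session-start", s)
    PPP_SUBS_CONTROL.handle("session-activate", s)
    return s


if __name__ == "__main__":
    for line in pppoe_session("alice@isp.example", "s3cret").log:
        print(line)
```

Reading the session log shows why the PPPoE policy uses do-until-failure: the template is activated at session-start and again at session-activate, and the session only ends up authenticated if the authenticate action succeeds. Under do-until-success the same class would stop at the first action that returns success, so an authenticate action listed after an activate action would never run; a DHCPv4 session matches no class in this policy and gets no actions at all.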

Page 53: CSC BNG Workshop


Agenda

● History of Broadband
● ASR 9000 BNG Overview
● Configuration
● Example: PPPoE Subscriber
● Example: IPoE Subscriber
● Troubleshooting

Page 54: CSC BNG Workshop


Putting it all together – Basic Example (IPoE)

dhcp ipv4
 profile IP_SUBSCRIBERS proxy
  limit lease per-circuit-id 2
  lease proxy client-lease-time 1500
  helper-address vrf default 14.2.3.60 giaddr 64.40.64.1   ! helper is the address of the external DHCP server,
                                                           ! giaddr is the local address to inject in relayed DHCP messages
  relay information option
  relay information policy keep                            ! preserve received DHCP option 82 info
  relay information option allow-untrusted
 !
 interface Bundle-Ether333.5 proxy profile IP_SUBSCRIBERS  ! associates Bundle-Ether333.5 with the proxy profile
!
dynamic-template
 type ipsubscriber IPSUB_TEMPLATE
  ipv4 unnumbered Loopback64
 !
!
interface Bundle-Ether333.5
 description "Subscriber VLAN 5 - IPoE subscribers"
 ipv4 point-to-point
 ipv4 unnumbered Loopback64
 service-policy type control subscriber IP_SUBS_CONTROL    ! policy to affect subs upon FSOL
 encapsulation dot1q 5
 ipsubscriber ipv4 l2-connected                            ! defines that subscribers are downstream from this interface
  initiator dhcp                                           ! FSOL is configured as receiving a DHCPDISCOVER from a subscriber
 !
!
class-map type control subscriber match-any DHCP_TEST
 match protocol dhcpv4
 end-class-map
!
policy-map type control subscriber IP_SUBS_CONTROL
 event session-start match-first              ! session-start events will trigger upon FSOL - DHCPDISCOVER
  class type control subscriber DHCP_TEST do-until-failure
   5 activate dynamic-template IPSUB_TEMPLATE
   10 authorize aaa list RSIM identifier circuit-id password cisco   ! defines the sub identity to be the circuit-id field from
                                                                     ! the DHCP option 82 info; will be sent to RADIUS for auth
  !
 !
 end-policy-map
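Where the IPoE identity comes from: the "authorize ... identifier circuit-id" action above takes the subscriber identity from the Agent Circuit ID sub-option of DHCP option 82 carried in the DHCPDISCOVER. The parser below is an added example, not Cisco's DHCP proxy code: it walks the DHCPv4 options field, extracts the option 82 sub-options (1 = circuit-id, 2 = remote-id, as laid out in RFC 3046) and returns the identity that the session-start handler would hand to RADIUS, or the reason it cannot. The packets it runs on are constructed by build_options(); the circuit-id and remote-id strings are invented sample values.

```python
"""Extract the DHCP option 82 circuit-id a BNG uses as the IPoE subscriber identity.

Added example, not Cisco's DHCP proxy code. Parses the DHCPv4 options field,
pulls the Relay Agent Information option (82, RFC 3046) sub-options and returns
the identity that 'authorize aaa list RSIM identifier circuit-id' would present
to RADIUS. All packets used here are constructed by build_options().
"""
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}


def parse_options(options: bytes) -> dict:
    """Parse the TLV option list that follows the magic cookie into {code: value}."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:            # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError(f"option {code}: truncated header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: declared {length} bytes, got {len(value)}")
        opts[code] = value
        i += 2 + length
    return opts


def parse_relay_agent_info(value: bytes) -> dict:
    """Split option 82 into {sub-option code: bytes} (1 = circuit-id, 2 = remote-id)."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("option 82: truncated sub-option header")
        sub, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option 82 sub-option {sub}: truncated")
        subs[sub] = data
        i += 2 + length
    return subs


def subscriber_identity(options: bytes) -> str:
    """Return the circuit-id the session-start handler would authorize with."""
    opts = parse_options(options)
    msg_type = MSG_TYPES.get((opts.get(OPT_MSG_TYPE) or b"\x00")[0], "unknown")
    if msg_type != "DHCPDISCOVER":
        raise ValueError(f"not a first-sign-of-life packet: {msg_type}")
    if OPT_RELAY_AGENT not in opts:
        raise ValueError("no option 82: the access node did not insert a circuit-id")
    subs = parse_relay_agent_info(opts[OPT_RELAY_AGENT])
    if SUBOPT_CIRCUIT_ID not in subs:
        raise ValueError("option 82 present but without a circuit-id sub-option")
    return subs[SUBOPT_CIRCUIT_ID].decode("ascii", errors="replace")


def check_fsol(options: bytes) -> dict:
    """Non-raising wrapper: what the BNG learns from one incoming packet."""
    try:
        return {"ok": True, "identity": subscriber_identity(options), "reason": ""}
    except ValueError as err:
        return {"ok": False, "identity": None, "reason": str(err)}


def build_options(msg_type: int, circuit_id: Optional[bytes],
                  remote_id: Optional[bytes] = None) -> bytes:
    """Construct a DHCPv4 options field for the sample packets (constructed test data)."""
    out = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type])
    body = b""
    if circuit_id is not None:
        body += bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        body += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    if body:
        out += bytes([OPT_RELAY_AGENT, len(body)]) + body
    return out + bytes([OPT_END])


if __name__ == "__main__":
    # Constructed DISCOVER that an access node tagged with its port id (sample values).
    discover = build_options(1, b"dslam-1 eth 1/1/3:5", b"00:11:22:33:44:55")
    print(check_fsol(discover))                  # identity 'dslam-1 eth 1/1/3:5'
    print(check_fsol(build_options(1, None)))    # no option 82 -> not ok
```

The checks in subscriber_identity mirror what the configuration relies on. The password sent with the identity is a fixed string ("cisco" in the slide), so the circuit-id inserted by the access node is the only thing tying the session to a physical port: "relay information policy keep" preserves whatever option 82 arrives, and "allow-untrusted" accepts option 82 on packets that were not relayed (giaddr 0). The access node facing the subscribers therefore has to be the device that inserts or overwrites option 82 for that binding to hold, and a DISCOVER that arrives without option 82 should be treated as a session with no identity rather than authorized with an empty name.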

Page 55: CSC BNG Workshop


Fourth Question

PPPoE and IPoE require a dynamic-template with the "session-start" event.

a) True

b) False

Page 56: CSC BNG Workshop


Agenda

● History of Broadband
● ASR 9000 BNG Overview
● Configuration
● Example: PPPoE Subscriber
● Example: IPoE Subscriber
● Troubleshooting

Page 57: CSC BNG Workshop


Useful show/debug commands

show tech [ipsubscriber | pppoe | dhcp ipv4 | dhcp ipv6]
show subscriber session all summary
show subscriber session all
show subscriber session filter [username | ipv4-address | etc] $filter detail
show subscriber manager statistics summary total
show ipsubscriber summary
show pppoe [summary | statistics]
show radius authentication
show subscriber manager trace [event | error | more...]
debug subscriber manager session next-subscriber
debug radius [detail]
debug aaa-subscriber [all | authent | author | more...]
debug pppoe [protocol | packet]
debug ppp [negotiation | authentication]
show dhcp ipv4 proxy [binding | stat | stat raw]
show dhcp ipv4 trace

Page 58: CSC BNG Workshop


Troubleshooting Questions

● What kind of subscribers are we dealing with?
● What is the expected session establishment call-flow?
  – If auth is involved, how are they being authenticated/authorized?
  – How is address allocation handled for the subscribers?
  – What other services/features are applied to the session? [How? RADIUS attributes, or on the dynamic-template?]
● Where in the above call-flow is session establishment failing?
● Has this ever worked? [Be skeptical! Make sure we have a compelling reason to believe it should work – confirm support!]


Page 60: CSC BNG Workshop


Questions and Answers

Page 61: CSC BNG Workshop


We want your opinion!

To complete the evaluation, please click the address provided in the chat or in the pop-up when the event ends.

Page 62: CSC BNG Workshop


Ask the Experts event with Bruno Novais

If you want to ask our expert more questions, he will be answering questions between January 14 and 24 at this link:

https://supportforums.cisco.com/thread/2260873

The video, the presentation and the questions and answers will be made available by next Tuesday at the link:

https://supportforums.cisco.com/community/portuguese/canto-dos-especialistas/webcasts

Page 63: CSC BNG Workshop


Ask the Expert (in Portuguese)

Topic: Migration, configuration and support of the ASA Services Module (ASA-SM)

With Cisco expert: Itzcoatl Espinosa

Ends January 17, 2014

Page 64: CSC BNG Workshop


Ask the Expert (in Spanish)

Topic: QoS on Routers

With Cisco expert: Hector Carranza Contreras

Ends January 22, 2014

Page 65: CSC BNG Workshop


Ask the Expert (in English)

Topic: Understanding and Managing Cisco Unified Communications Manager Certificates

With Cisco expert: Akhil Behl

Ends January 17, 2014

Topic: Cisco Unified Computing System Director

With Cisco expert: Andrew Nam

Ends January 17, 2014

Page 66: CSC BNG Workshop


Ask the Expert (in English)

Topic: Cisco Catalyst 6800 Series Switches

With Cisco expert: Amer Atout

Ends January 17, 2014

Page 67: CSC BNG Workshop


Rate the content of the Cisco Support Community in Portuguese

It is now possible to rate discussions, documents, blogs and videos!

Page 68: CSC BNG Workshop


Spotlight Awards (Featured Participants Award)

The "featured participants" award was created in 2012 in the Cisco global community and is used to recognize members who make a significant contribution to the Cisco Support Community and who, on top of that, play a leadership role within the community in various categories.

It was launched in the Portuguese community on December 1, 2013 and includes the category "The Newcomer".

More details about the award can be found at the link: https://supportforums.cisco.com/community/portuguese/principais-colaboradores/participantes_em_destaque

Page 69: CSC BNG Workshop


We invite you to join the CSC in Portuguese and our social networks

https://supportforums.cisco.com/community/portuguese

Portugal: http://www.facebook.com/ciscoportugal

Brazil: http://www.facebook.com/CiscoDoBrasil

Portugal: https://twitter.com/CiscoPortugal

Brazil: http://twitter.com/CiscoDoBrasil

Portugal: http://www.youtube.com/user/ciscoportugal

Brazil: http://www.youtube.com/user/ciscoDoBrasilTV

Portugal: http://ciscoportugalblog.wordpress.com/

Page 70: CSC BNG Workshop


Thank you very much for watching.

Please complete the evaluation form and suggest topics for the upcoming webcasts!
