
Cisco Support Community Live Webcast:

ASR 9000
BNG Concept and Configuration
Bruno Novais
High Touch Engineer
CCIE R&S# 37673

Presentation_ID

2010 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential

Webcast with Cisco Community Technology Experts
Today's expert:
Bruno Novais, High Touch Engineer at Cisco do Brasil

Webcast with Cisco Community Technology Experts
Today's assisting expert:
Gustavo Coutinho, Support Engineer at Cisco do Brasil

Thank you for being with us today!

During the presentation, a few questions will be put to the audience.
Give your answers and take part!

Thank you for being with us today!

If you want to download a copy of today's presentation, just click the link below
or go to the Support Community and look for this webcast under the Experts' Corner tab.

First Question
What is your experience with BNG?
a) Basic. I have had some contact with it, but I do not understand much about the solution itself.
b) I have advanced knowledge.
c) I am in the process of learning.
d) I do not know this solution.


History of Broadband: Recap


ASR 9000 BNG Overview
Configuration
Example: PPPoE Subscriber
Example: IPoE Subscriber
Troubleshooting



Broadband Forum Provider Networks Segmentation

The Broadband Forum divides network entities into three groups:

Customer Premises

NAP (Network Access Provider)
Provides connectivity to Service Providers
Encompasses the access network (DSL or else) and the aggregation and core networks
POP = Point of Presence

NSP (Network Service Provider)
Implements services: Internet connectivity, business access, application specific content hosting
Handles authentication and address assignment
Examples: ISP, Content Providers, Corporate Networks

NAP and NSP can be the same operator

Broadband... Once Upon a Time

[Figure: CPE -- ATMoDSL (PVC, PPPoA) -- ATM aggregation -- BRAS in the NAP -- ATM, FR or IP toward the NSPs (ISP, Content Providers, Corporate Networks), carrying PPPoA, L2TP or plain IP; PPP either terminated on the BRAS (PPP/IP) or tunneled over L2TP]

The NAP core network can be ATM end to end, or a combination of ATM and IP based interfaces toward the NSPs (ATM VC terminated on a Broadband Access Server (BAS) in the NAP)
PPP is the subscriber access protocol, with the PPPoA stack
An ATM VC (typically a PVC) is required for each subscriber PPP session toward an NSP service
PPP can be terminated at the NSP or inside the NAP network, depending on the architecture

Point To Point Protocol (PPP)

Defined in RFC 1661

What is PPP?
It is a data link protocol originally designed to operate over point-to-point serial links. It was extended to operate in broadband environments with the PPPoX protocols (PPPoE, PPPoA).

Why is it special?
It natively embeds functionality like:
Keepalives
Reliable link
Maximum Receive Unit (MRU) negotiation
Compression
Authentication, Authorization, Accounting
Link aggregation and fragmentation
Multi-protocol support
Peer address assignment
...more...

This makes it appealing from a subscriber management perspective.

Broadband Architecture Evolution

[Figure: CPE -- ATMoDSL or EFM access -- Ethernet aggregation (.1Q, QnQ, .1ad; EoMPLS) -- BNG -- IP core (Eth, FR, POS); PPPoE, L2TP, VPN, VLAN and PPP shown at the respective layers]

Adoption of PPPoE, as a replacement of PPPoA, as the subscriber access protocol
PPPoE can multiplex several PPP sessions over any point-to-point or multipoint transport
Each end client station can start a PPP session (CPE in bridged mode) => simultaneous multi-provider access is supported
The PPPoE session can also be started by the CPE (CPE in routed mode)

Ethernet in the first mile and in the aggregation network
Optimized multicast distribution and QoS in the aggregation network
Distributed service insertion (Multi Edge)
Virtualized Layer-2 services (with VLANs)

From BRAS to Broadband Network Gateway (BNG) at the IP edge

PPP over Ethernet - PPPoE

Defined in RFC 2516

[Figure: CPE -- Access (Ethernet or ATM) -- Aggregation -- BNG; same or different interface per CPE]

The PPPoE flavor depends on the interface type:
ATM interface: PPPoEoA
Main Ethernet: PPPoEoE
dot1Q Ethernet subinterface: PPPoEoVLAN
QnQ subinterface: PPPoEoQnQ

PPPoE supports multiple access technologies
The access technology can still be DSL
Aggregation is ATM or Ethernet

The PPP session is started by the CPE or by the end user
The CPE can operate in routed or bridged mode
CPE in routed mode: runs NAT to support multiple users

PPP assumes point-to-point connectivity; Ethernet is a broadcast technology
PPPoE provides the tools required to carry PPP over a broadcast network
PPPoE requires a discovery phase before PPP negotiation can start

PPPoE Discovery

Several PPP edge devices may be present.

PADI: the host sends a PPPoE Active Discovery Initiation (PADI). The PADI is a MAC broadcast frame.
PADO: the edge device(s) send a PPPoE Active Discovery Offer (PADO). The PADO is a MAC unicast frame to the originating station.
PADR: the host selects an edge device and sends it a PPPoE Active Discovery Request (PADR). The PADR is MAC unicast to the selected edge device.
PADS: the selected edge device allocates a unique Session ID and sends it to the host via a PPPoE Active Discovery Session-confirmation (PADS). The PADS is MAC unicast from the edge device to the host.
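The four-message exchange above, built and parsed with the RFC 2516 frame layout (Ethertype 0x8863, version/type 0x11, the PADI/PADO/PADR/PADS codes and the Service-Name, AC-Name, Host-Uniq and AC-Cookie tags). This is an added illustration, not code from the webcast or from the ASR 9000; the AccessConcentrator class, the cookie key and the MAC addresses are constructed. The AC-Cookie shows the defensive detail that matters on a shared segment: the edge device keeps no state after a PADI, and only creates a session when the PADR carries a cookie it can recompute for that host.

```python
"""PPPoE discovery exchange (PADI/PADO/PADR/PADS) per RFC 2516.
Added example; not the webcast's code. Keys and MACs are constructed."""
import hashlib
import hmac
import struct

ETHERTYPE_DISCOVERY = 0x8863
BROADCAST = b"\xff" * 6
VER_TYPE = 0x11                                  # PPPoE version 1, type 1
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65  # discovery codes
TAG_SERVICE_NAME, TAG_AC_NAME = 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0103, 0x0104


def build_frame(dst, src, code, session_id, tags):
    """Ethernet header + PPPoE discovery header + TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    pppoe = struct.pack("!BBHH", VER_TYPE, code, session_id, len(payload)) + payload
    return dst + src + struct.pack("!H", ETHERTYPE_DISCOVERY) + pppoe


def parse_frame(frame):
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_DISCOVERY:
        raise ValueError("not a PPPoE discovery frame")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != VER_TYPE:
        raise ValueError("unsupported PPPoE version/type")
    body, tags, off = frame[20:20 + length], {}, 0
    while off + 4 <= len(body):
        t, l = struct.unpack("!HH", body[off:off + 4])
        tags[t] = body[off + 4:off + 4 + l]
        off += 4 + l
    return {"dst": frame[:6], "src": frame[6:12], "code": code,
            "session_id": session_id, "tags": tags}


class AccessConcentrator:
    """Edge-device side of discovery (constructed stand-in for the BNG)."""

    def __init__(self, mac, name=b"BNG-1", cookie_key=b"constructed-cookie-key"):
        self.mac, self.name, self.cookie_key = mac, name, cookie_key
        self.next_session, self.sessions = 1, {}

    def _cookie(self, host_mac):
        # Stateless proof that a later PADR answers an offer we really made.
        return hmac.new(self.cookie_key, host_mac, hashlib.sha256).digest()[:16]

    def on_padi(self, padi):
        tags = [(TAG_SERVICE_NAME, padi["tags"].get(TAG_SERVICE_NAME, b"")),
                (TAG_AC_NAME, self.name),
                (TAG_AC_COOKIE, self._cookie(padi["src"]))]
        if TAG_HOST_UNIQ in padi["tags"]:           # echoed so the host can match it
            tags.append((TAG_HOST_UNIQ, padi["tags"][TAG_HOST_UNIQ]))
        return build_frame(padi["src"], self.mac, PADO, 0, tags)   # unicast to host

    def on_padr(self, padr):
        offered = padr["tags"].get(TAG_AC_COOKIE, b"")
        if not hmac.compare_digest(offered, self._cookie(padr["src"])):
            return None                               # not our offer: drop, no state created
        sid, self.next_session = self.next_session, self.next_session + 1
        service = padr["tags"].get(TAG_SERVICE_NAME, b"")
        self.sessions[(padr["src"], sid)] = service   # session now exists
        return build_frame(padr["src"], self.mac, PADS, sid, [(TAG_SERVICE_NAME, service)])


def run_discovery(host_mac, ac, service=b""):
    """Host side: broadcast PADI, take the PADO, unicast PADR, receive PADS."""
    padi = build_frame(BROADCAST, host_mac, PADI, 0,
                       [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, b"\x00\x01")])
    pado = parse_frame(ac.on_padi(parse_frame(padi)))
    padr = build_frame(pado["src"], host_mac, PADR, 0,
                       [(TAG_SERVICE_NAME, service), (TAG_AC_COOKIE, pado["tags"][TAG_AC_COOKIE])])
    pads = parse_frame(ac.on_padr(parse_frame(padr)))
    return [parse_frame(padi), pado, parse_frame(padr), pads]


if __name__ == "__main__":
    ac = AccessConcentrator(bytes.fromhex("001122334455"))
    for step in run_discovery(bytes.fromhex("0a0b0c0d0e0f"), ac, b"internet"):
        print(hex(step["code"]), step["dst"].hex(), "session", step["session_id"])
```

The session ID stays 0 through PADI, PADO and PADR and is only assigned in the PADS, which is why the earlier slide lists "MAC + PPP session ID" as the subscriber identifier for PPP sessions.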

Second Question
Which is the first packet used in PPPoE Discovery?
a) PADI
b) PADR
c) DHCP
d) Discovery

PPP Operations
PPP Session Establishment

PPP is comprised of three main components:

A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link (or subscriber) connection; authentication (if required) is also part of LCP.

A family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols.

A method for encapsulating multi-protocol datagrams, based on HDLC.

[Figure: message flow between the two peers]
LCP phase: Configure-Request and Configure-Ack/Nack exchanged in both directions. Negotiation of data link parameters: MRU, authentication, keepalives, compression... LCP is Open.
(Authentication phase): optional; only performed if authentication was negotiated during the configuration exchange.
NCP phase: IPCP Configure-Request and IPCP Configure-Ack/Nack exchanged in both directions. Activation of all supported network protocols; each protocol has its own <prot>CP phase (e.g. IP). For IP, the IPCP phase includes peer address assignment, if negotiated. IPCP is Open.
Data exchange: the link is established and data exchange can start.
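A two-party simulation of the three phases just described: LCP option negotiation through Configure-Request / Configure-Nak / Configure-Ack, the CHAP exchange that LCP negotiated (response = MD5(identifier || secret || challenge), RFC 1994), and IPCP, where the peer asks for address 0.0.0.0 and is Nak'ed with the address the BNG assigns. This is an added example, not code from the webcast or IOS XR; the Bng class, the 1492-byte MRU policy, the CHAP secrets and the address pool are constructed (the address 10.1.1.10 is the one the later "BNG Key Functions" slide gives to John).

```python
"""PPP session establishment: LCP -> authentication (CHAP) -> IPCP.
Added simulation, not the webcast's code; all names/values are constructed."""
import hashlib
import hmac
import os

CONF_REQ, CONF_ACK, CONF_NAK = "Configure-Request", "Configure-Ack", "Configure-Nak"
PPPOE_MAX_MRU = 1492   # constructed policy: PPPoE leaves 1492 bytes for the PPP payload


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP/MD5 response computed by the peer being authenticated."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Bng:
    """Server (BNG) side of the negotiation. phase tracks the PPP state."""

    def __init__(self, chap_secrets, address_pool):
        self.secrets = dict(chap_secrets)      # username -> CHAP secret (constructed)
        self.pool = list(address_pool)         # addresses handed out by IPCP
        self.phase = "dead"

    # --- LCP: data-link parameters ---
    def lcp(self, options):
        nak = {}
        if options.get("mru", 1500) > PPPOE_MAX_MRU:
            nak["mru"] = PPPOE_MAX_MRU         # "try this value instead"
        if options.get("auth") != "chap":
            nak["auth"] = "chap"               # refuse PAP, require CHAP
        if nak:
            return CONF_NAK, nak
        self.phase = "authenticate"
        return CONF_ACK, dict(options)

    # --- Authentication phase: reached only because LCP negotiated CHAP ---
    def chap_challenge(self):
        self.ident, self.challenge = 1, os.urandom(16)
        return self.ident, self.challenge

    def chap_verify(self, username, response):
        secret = self.secrets.get(username)
        ok = secret is not None and hmac.compare_digest(
            chap_response(self.ident, secret, self.challenge), response)
        self.phase = "network" if ok else "terminate"
        return ok

    # --- IPCP: peer address assignment ---
    def ipcp(self, options):
        if self.phase != "network":
            raise RuntimeError("NCP phase is not reachable before authentication")
        wanted = options.get("ip-address", "0.0.0.0")
        if wanted != self.pool[0]:             # 0.0.0.0 or anything we did not assign
            return CONF_NAK, {"ip-address": self.pool[0]}
        self.pool.pop(0)
        self.phase = "open"
        return CONF_ACK, dict(options)


def establish(bng, username, secret):
    """Client side: drive LCP, CHAP and IPCP. Returns (transcript, address)."""
    log = []
    options = {"mru": 1500, "auth": "pap"}
    while True:                                # LCP converges after one or more Naks
        code, reply = bng.lcp(options)
        log.append(("LCP", CONF_REQ, dict(options), code))
        if code == CONF_ACK:
            break
        options.update(reply)
    ident, challenge = bng.chap_challenge()
    ok = bng.chap_verify(username, chap_response(ident, secret, challenge))
    log.append(("CHAP", "Response", username, "Success" if ok else "Failure"))
    if not ok:
        return log, None                       # link goes to Terminate, no NCP phase
    options = {"ip-address": "0.0.0.0"}        # "please assign me an address"
    while True:
        code, reply = bng.ipcp(options)
        log.append(("IPCP", CONF_REQ, dict(options), code))
        if code == CONF_ACK:
            return log, options["ip-address"]
        options.update(reply)


if __name__ == "__main__":
    bng = Bng({"john": b"s3cret"}, ["10.1.1.10", "10.1.1.20"])
    transcript, address = establish(bng, "john", b"s3cret")
    for entry in transcript:
        print(entry)
    print("assigned", address, "phase", bng.phase)
```

The transcript shows why the slide calls the address assignment part of the NCP phase: the address only exists after LCP is Open and authentication succeeded, and a peer that fails CHAP never gets an IPCP exchange at all.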

Evolution to all IPoE

The access node becomes Ethernet aware even on the first mile
Subscriber IP traffic is carried over Ethernet end to end
First time introduction of Ethernet as the L2 protocol over DSL

Protocol stacks (subscriber-access-protocol-dependent part on top, access-technology-dependent part below):

Access technology: ATM over DSL
Stack: IP / PPP / PPPoE / Ethernet / RFC2684 / ATM / DSL
Subscriber access protocol: PPP

Access technology: EFM (EoDSL, PON, PTP)
Stack: IP / PPP / PPPoE / Ethernet / EFM Phy
Subscriber access protocol: PPP

Access technology: EFM (EoDSL, PON, PTP)
Stack: IP / Ethernet / EFM Phy
Subscriber access protocol: IP

PPP to IP Session comparison
Requirements Mapped to PPP and IP-Sessions

Session Requirement | PPP / PPPoE Session | IP-Session
Subscriber Session Endpoint | PPPoE/PPP client | Multiple options; common: device (see also Identification)
Subscriber Authentication (authentication protocol selection) | PPP LCP auth. phase (PAP, CHAP, ...) | MAC/line authentication, portal solutions, DHCP auth
Subscriber Isolation | Per-session PPP encap | L3: session controller, ACLs, VRFs; L2: VLAN, private VLAN
Subscriber/Session Identification | Session ID | Multiple options (interface, MAC, IP address, ...)
IP Addressing | PPP NCP | DHCP, static, ...
Session Health - Keepalive | PPP LCP | Multiple options (ARP ping, ICMP ping, ...)
Start/Stop Session | PPP LCP | Multiple options (packet arrivals, DHCP, ...)
Traffic Encapsulation | PPPoE, PPP encap | none
Traffic Forwarding | Point to point | Point to point & multipoint
Wholesale | PPP/L2TP | L3: VRF; L2: VLAN, EoMPLS PW
Subscriber Mobility/Nomadism | Reestablish PPP session | Transparent autologon, portal solutions


Hardware Support

RSP: RSP440-SE (NG RSP only)
Chassis: ASR9006, ASR9010; ASR9001 (4.2.1); ASR9922 (4.2.2)
Access facing linecards (BNG): X-Men (aka Typhoon) Service Edge Optimized linecards only: Weapon-X-SE with A9K-MPA-2x10GE, A9K-MPA-4x10GE, A9K-MPA-20x1GE
Core facing linecards: any Trident or Typhoon based linecard; SIP 700 supported for non-L2TP based applications only

Scale and Performance (4.2.0)

Metric                      | Per Port/NPU | Per LC | Per System
PPPoE sessions (LAC or PTA) | 8k/32k       | 32k    | 64k
LAC tunnels                 | n/a          | n/a    | 10k
IPoE sessions               | 8k/32k       | 32k    | 64k
QoS policies                | n/a          | 1000   | 2000
VLANs (non-ambiguous)       | 8k/8k        | 8k     | 8k
Avg. #classes per policy    | 4/4          |        |
Bundles                     | n/a          | n/a    | 250
Members per bundle          | n/a          | n/a    | 64
Calls per second            | n/a          | 100    | 100

BNG's Place in the Network

[Figure: Subscriber Policy Layer (AAA Server, Policy Server, Web Portal, DHCP Server) above the BNG; Internet/Core; Open Garden (Guest Portal); Walled Garden (Video/Audio Servers)]

Deployed at the access or service edge
Single point of contact: communicates with the other devices to control all aspects of subscriber access in the network
Subscriber identification
Subscriber authentication
Subscriber policies determination and enforcement
Dynamic policy update

BNG Key Functions

Subscriber Identification: create a per-subscriber construct over a shared interface. Example: there are 3 subscribers connected through G0/1.10; the subscribers are John, Mike and Ted.

Subscriber Authentication and Authorization: uniquely establish the subscriber identity and determine the subscriber's policies. Example: John and Mike are HSI users, Ted is a VoIP user.

Subscriber Address Management: assign a unique IP address to each subscriber based on the provider domain. Example: the subscribers' addresses on G0/1.10 should be 10.1.1.10 John, 10.1.1.20 Mike, 10.1.1.30 Ted.

Subscriber Policy Layer

AAA Server: subscriber authentication/authorization; user and service profile repository; accounting; front-end toward the billing system
Policy Server: dynamic policy push (application level trigger)
Web Portal: front end toward the subscriber for self subscription, web logon and service selection (application level trigger)
DHCP Server: hand over of addresses to subscribers

Note: AAA Server, Policy Server and Web Portal can co-reside in the same appliance

Dynamic Policy Activation

Dynamic Policy Pull (e.g. automatic service-profile download on session establishment): triggered by a network layer event; the BNG pulls the policy from the Subscriber Policy Layer (DHCP Server, Web Portal, Policy Server, AAA Server).

Dynamic Policy Push (e.g. Turbo Button): triggered by an application/service layer event; the Subscriber Policy Layer pushes the policy to the BNG.

[Figure: in both cases the BNG sits between the subscriber side (Guest Portal, Open Garden, Walled Garden) and the Subscriber Policy Layer]

Northbound Interfaces

[Figure: Subscriber Policy Layer (AAA Server, Policy Server, Web Portal, DHCP Server) above the BNG; Internet/Core; Open Garden (Guest Portal); Walled Garden (Video/Audio Servers)]

RADIUS interface, for subscriber AAA functionality and service download: policy PULL
RADIUS Extensions (RFC 3576) open interface, for dynamic, administrator- or subscriber-driven, session and service management functions: policy PUSH

The Subscriber Session

[Figure: Subscriber 1, 2 and 3, each with its own session on the BNG, toward the Subscriber Policy Layer, the Internet/Core, the Walled Garden and the Open Garden]

A construct that represents a subscriber
Subscriber: a billable entity and/or an entity that should be authenticated/authorized
Common context on which subscriber policies are activated
Created at the first sign of peer activity (FSOL = First Sign Of Life)

Deployment Models

[Figure: protocol stacks and forwarding for each model. The BNG enabled interface (access-interface) carries .1Q, QnQ or .1ad encapsulation; in 4.2.x it must be a Bundle-Ethernet subinterface.]

PPP Sessions
PTA, Retailer: access-side stack IP / PPP / PPPoE / .1Q QnQ / Eth / Phy; L3 forwarding toward the internet over native IP, VRF Lite, MPLS or MPLS VPNs
PTA, Wholesale: same access-side stack; L3 forwarding into a Retailer X VRF over VRF Lite or MPLS VPNs
LAC, Wholesale: same access-side stack; core-side stack IP / PPP / L2TP / IP-UDP, with L2TP over native IP, VRF Lite or MPLS VPNs toward the Retailer X VRF

IP Sessions, Layer 2 connected (L2 bridged access)
Retailer: access-side stack IP / .1Q QnQ / Eth / Phy; L3 forwarding toward the internet over native IP, VRF Lite, MPLS or MPLS VPNs
Wholesale: same access-side stack; L3 forwarding into a Retailer X VRF over VRF Lite or MPLS VPNs

Converged Access

All models and subscriber types are supported over the same access-interface (one physical port carrying both PPPoE and IPoE subscribers):
Internet access over native IP, VRF Lite, MPLS or MPLS VPNs
IP wholesale (IP and PPP) into a Retailer X VRF over VRF Lite or MPLS VPNs
L2TP wholesale (PPP only) into a Retailer X VRF, with L2TP over native IP, VRF Lite or MPLS VPNs

Session Authentication
Authentication: allow access to network resources only to recognized users.

Authentication models supported:
Access protocol native authentication: PPP CHAP/PAP
Transparent Authorization: authenticates using subscriber-related network identifiers, e.g. MAC/IP address, DHCP Option 82, DHCP Option 60 (4.2.1), NAS-Port-ID (4.2.1), PPPoE tags...
Web Logon

Authentication is not mandatory on a session, but it is used in most situations.

Session Authentication: PPP Retailer
PPP - common scenarios, in order of deployment likelihood:

PPP CHAP/PAP: uses the legacy PPP authentication protocols. RADIUS username: PPP username; password: PPP password.

TAL: PPPoE Tag: the access node/CPE inserts PPPoE Intermediate Agent tags (Circuit ID and Remote ID) in the PPPoE control messages. The BNG performs authentication using a combination of Circuit ID and Remote ID as the username; flexible and customizable username format. RADIUS username: RemoteID:CircuitID; password: shared PPP password.

Web Logon (Direct): the user logs on to a web portal to enter credentials (username and password); the credentials are propagated to the BNG; the BNG uses them to authenticate the user with AAA. RADIUS username/password: the web logon credentials. 4.2.0 only supports direct portal access; HTTP redirect in 4.2.1.

Session Authentication: PPP Wholesaler
Domain based authentication (PPP CHAP/PAP, L2TP tunnel to the ISP)

PPP authentication is used to collect the subscriber username
The username must be in FQDN format (Fully Qualified Domain Name)
The username portion of the FQDN is stripped
The domain portion of the FQDN is used to authenticate the user and determine the ISP
The password is a shared password defined on the box
RADIUS username: domain; password: shared password

ALTERNATE METHOD
Authenticate the user based on the FQDN username and the line password

Session Authentication: IP Retailer
IP common scenarios, in order of deployment likelihood:

TAL: Option 82 Auth: the access switch/DSLAM inserts Option 82 (Circuit ID and Remote ID) in the DHCP requests. The BNG performs authentication using a combination of Circuit ID and Remote ID as the username; the MAC address can also be used; 4.2.1 adds support for Option 60; customizable username format. RADIUS username: MAC:RemoteID:CircuitID.

Web Logon (Direct): the user logs on to a web portal to enter credentials; the credentials are propagated to the BNG; the BNG uses them to authenticate the user with the AAA server. RADIUS username: web logon username. 4.2.0 only supports direct portal access; HTTP redirect (data traffic redirection) in 4.2.1; L4 redirect beyond 4.2.1.

Session Authentication: Web Logon with HTTP redirect (4.2.1)

[Figure: Client -- BNG -- Web Logon Portal / Internet website]
Client -> BNG: HTTP TCP SYN
BNG -> Client: HTTP TCP SYN ACK
Client -> BNG: HTTP TCP ACK
Client -> BNG: HTTP GET
BNG -> Client: HTTP 302 (redirect URL)
Client <-> Web Logon Portal: HTTP session establishment, Web Logon

The BNG intercepts the TCP exchange for HTTP session establishment toward an internet website and completes the establishment itself
The BNG returns an HTTP 302 with a redirect URL pointing to the Web Logon Portal
The client opens an HTTP session with the Web Logon Portal and enters credentials
Regular Web Logon procedures follow between the portal and the BNG

RADIUS Interface: Access Request
Policy PULL: Access-Request, Access-Accept, Access-Reject, Access-Challenge

Access-Request is used for: session authentication; session authorization; service authentication; service profile download
Access-Accept is used to return: credential verification notification; user profile and associated services; service profile download
Access-Reject is used for: credential verification failure notification
Access-Challenge is used for: PPP CHAP authentication

RADIUS Interface Extensions
Policy PUSH: CoA Request, CoA ACK, CoA NAK

The ASR9000 supports RADIUS Extensions as defined in RFC 3576
Facilitates dynamic session control from a policy server
Standard primitives include: Disconnect Messages (DM, aka PoD); Change of Authorization (CoA)
Proprietary CoA extensions: Account Logon; Account Logoff; Account Update; Service Activate; Service De-activate
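The policy PUSH interface is the one path by which an outside party can change or tear down a live subscriber session, so the check that matters on the BNG side is the RFC 3576 authenticator: a CoA-Request or Disconnect-Request whose Request Authenticator does not verify under the shared secret is silently discarded, a request for an unknown session gets a NAK with Error-Cause 503 (Session Context Not Found), and only a verified request acts on the session. The following added example implements that handling for the standard primitives (codes 40-45); it is not the webcast's code, and the session table, secret and the use of Filter-Id as the attribute being changed are constructed.

```python
"""RFC 3576 CoA / Disconnect handling on the NAS (BNG) side.
Added example; not the webcast's code. Secret and sessions are constructed."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_FILTER_ID, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 11, 44, 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    out, off = {}, 0
    while off + 2 <= len(data):
        t, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("malformed attribute")
        out[t] = data[off + 2:off + length]
        off += length
    return out


def build_request(code, ident, attrs, secret):
    """Policy-server side. Request Authenticator = MD5(Code+ID+Length+
    16 zero octets+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(request, code, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def handle_push(packet, secret, sessions):
    """BNG side. Returns the reply packet, or None when the request must be
    silently discarded (bad authenticator or unknown code: not from our policy server)."""
    if not verify_request(packet, secret) or packet[0] not in (COA_REQUEST, DISCONNECT_REQUEST):
        return None
    try:
        attrs = decode_attrs(packet[20:])
    except ValueError:
        return None
    sid = attrs.get(ATTR_ACCT_SESSION_ID, b"").decode(errors="replace")
    if sid not in sessions:
        nak = COA_NAK if packet[0] == COA_REQUEST else DISCONNECT_NAK
        cause = struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND)
        return build_response(packet, nak, [(ATTR_ERROR_CAUSE, cause)], secret)
    if packet[0] == DISCONNECT_REQUEST:          # PoD: tear the session down
        del sessions[sid]
        return build_response(packet, DISCONNECT_ACK, [], secret)
    if ATTR_FILTER_ID in attrs:                   # CoA: change authorization in place
        sessions[sid]["filter"] = attrs[ATTR_FILTER_ID].decode(errors="replace")
    return build_response(packet, COA_ACK, [], secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    sessions = {"0000001A": {"user": "john", "filter": "basic"}}
    coa = build_request(COA_REQUEST, 7, [(ATTR_ACCT_SESSION_ID, b"0000001A"),
                                         (ATTR_FILTER_ID, b"premium")], secret)
    print("reply code", handle_push(coa, secret, sessions)[0], sessions)
    print("forged:", handle_push(coa, b"other-secret", sessions))
```

The Account-Logon/Logoff and Service-Activate primitives the slide lists ride on the same CoA-Request code with vendor-specific attributes, so the authenticator check above applies to them unchanged; a BNG that acts on a CoA before verifying it would let anyone who can reach its RADIUS port change a subscriber's service.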

How Are Attributes Applied on a Session?

During subscriber authentication/authorization: the subscriber is successfully authenticated; the RADIUS response (Access-Accept) includes a list of attributes to apply on the session (from the user profile).

Via an external policy manager/web portal: a Service Activation or Account Update request is sent by the external policy manager via a RADIUS CoA. Service-Activate: attributes applied as part of a template. Account-Update: attributes applied individually.

Via the on-box control policy: the policy plane determines what actions to take on the session based on events (from the external PM, the administrator, or the data plane); actions include applying a template. The control plane ensures the actions are taken, i.e. it provisions the data plane. The data plane enforces the traffic conditioning policies on the session.

[Figure: Subscriber Policy Layer (DHCP Server, Web Portal / Policy Server, AAA Server) sending RADIUS Acc-accept, RADIUS CoA and RADIUS Acc-req to the BNG's policy plane, control plane and data plane]

Session Termination

IPoE(*) and PPPoE sessions: RADIUS PoD (Packet of Disconnect) from the Policy Manager; Web Logoff (RADIUS CoA Account-Logoff from the Web Portal/PM); CLI clear command
PPPoE sessions exclusively: PPP and PPPoX protocol events: PPP disconnect; PPP keepalive or L2TP hello failure; a PADT is sent to terminate the individual PPP sessions when the L2TP tunnel goes down
IPoE sessions exclusively: absolute timeouts/timer expiry, or DHCP lease expiry; DHCP Release

(*) The IPoE session is deleted and the DHCP binding is flagged (see next slide)


Dynamic Session Initiation

Subscriber sessions are initiated at the First Sign of Life (FSOL)
The FSOL depends on the session type

PPP Sessions - FSOL: PPPoE call request (PADx)
PADR receipt: session-start event
2 stage session establishment: session-start, session-activate
Subscriber identified by MAC + PPP session ID

IP Sessions - FSOL: DHCP Discover
DHCP Discover message: session-start event
Single stage session establishment
Subscriber identified by MAC address
The BNG must be a DHCP proxy
DHCP proxy = DHCP relay that: 1. creates and maintains DHCP bindings; 2. impersonates the server from the client's standpoint

Third Question
What is the FSOL in IPoE with DHCP?
a) PADI
b) First IP packet
c) Any L2 broadcast
d) DHCP Discovery
e) DHCP Request

Dynamic Session Initiation

Subscriber sessions are initiated at the First Sign of Life (FSOL)
The FSOL depends on the session type

PPP Sessions - FSOL: PPPoE call request (PADx)

pppoe bba-group default
 service selection disable
!
interface Bundle-Ether10.50
 service-policy type control subscriber PPP_PM
 encapsulation dot1q 50
 pppoe enable bba-group default
!

IP Sessions - FSOL: DHCP Discover (the proxy profile referenced under the interface is the one defined in the dhcp ipv4 section)

dhcp ipv4
 profile DHCP_10_60 proxy
  helper-address vrf default 1.86.19.19 giaddr 60.1.1.1
 !
 interface Bundle-Ether10.60 proxy profile DHCP_10_60
!
interface Bundle-Ether10.60
 ipv4 point-to-point
 ipv4 unnumbered Loopback1060
 service-policy type control subscriber IP_PM
 encapsulation dot1q 60
 ipsubscriber ipv4 l2-connected
  initiator dhcp
!

Session Authentication
Customizable Username format

Step 1: Define the username format
aaa attribute format USERNAME_FORMAT
 remote-id plus circuit-id plus mac-address separator !
!
aaa attribute format USERNAME_FORMAT1
 mac-address plus circuit-id separator |
!
remote-id and circuit-id come from DHCP Option 82 or from the PPPoE tags.

Step 2: Specify the desired username format and the password to use for authorization (inside the control policy)
<snip>
 20 authorize aaa list default format USERNAME_FORMAT password <pwd>
<snip>

4.2.1 introduces username definition based on an arbitrary string:
aaa attribute format USERNAME_FORMAT_SUPER_FLEXIBLE
 format-string %s:%s:%s@bng.cisco.com remote-id circuit-id vendor-class-id
!
format-string: user defined string; vendor-class-id: from DHCP Option 60.
Additional options: phy-slot, phy-subslot, phy-port, outer-vlan-id, inner-vlan-id <- allow for NAS-Port-ID based username creation
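The two username styles above, worked through on one DHCP message: the Option 82 sub-options (circuit-id, remote-id), Option 60 and the client hardware address are parsed out, then joined either "plus ... separator" style or through the 4.2.1 format-string. This is an added example, not the webcast's or IOS XR's code; the DHCP option bytes are constructed, and the colon-hex text form of the MAC is an assumption (the slide does not show how the BNG renders it). The is_unambiguous check is the practitioner's caveat: since TAL authorizes purely on this string, a separator that can legitimately occur inside an identifier lets two different lines collapse into the same username.

```python
"""TAL username construction from DHCP Option 82 / Option 60 / chaddr.
Added example; not the webcast's code. Option bytes and MAC form are constructed."""

OPT_PAD, OPT_VENDOR_CLASS, OPT_RELAY_AGENT, OPT_END = 0, 60, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def parse_tlvs(data, pad=None, end=None):
    """1-byte type / 1-byte length parser, used for the DHCP option field
    (pad=0, end=255) and, with no pad/end, for the Option 82 sub-options."""
    out, off = {}, 0
    while off < len(data):
        t = data[off]
        if t == end:
            break
        if t == pad:
            off += 1
            continue
        if off + 2 > len(data) or off + 2 + data[off + 1] > len(data):
            raise ValueError("truncated option")
        length = data[off + 1]
        out[t] = data[off + 2:off + 2 + length]
        off += 2 + length
    return out


def _text(raw):
    """Identifiers are opaque bytes: render printable ASCII as-is, else as hex."""
    s = raw.decode("ascii", errors="replace")
    return s if s.isprintable() and "\ufffd" not in s else raw.hex()


def subscriber_fields(options, chaddr):
    """Attributes a username format can reference, taken from one DHCP message.
    Returns None when Option 82 is absent: TAL then has nothing to authorize on."""
    opts = parse_tlvs(options, pad=OPT_PAD, end=OPT_END)
    if OPT_RELAY_AGENT not in opts:
        return None
    subs = parse_tlvs(opts[OPT_RELAY_AGENT])
    return {"circuit-id": _text(subs.get(SUBOPT_CIRCUIT_ID, b"")),
            "remote-id": _text(subs.get(SUBOPT_REMOTE_ID, b"")),
            "vendor-class-id": _text(opts.get(OPT_VENDOR_CLASS, b"")),
            "mac-address": ":".join(f"{b:02x}" for b in chaddr)}  # text form: assumption


# The three formats from the slide, expressed as data
FORMATS = {
    "USERNAME_FORMAT": {"attributes": ["remote-id", "circuit-id", "mac-address"], "separator": "!"},
    "USERNAME_FORMAT1": {"attributes": ["mac-address", "circuit-id"], "separator": "|"},
    "USERNAME_FORMAT_SUPER_FLEXIBLE": {"attributes": ["remote-id", "circuit-id", "vendor-class-id"],
                                        "format-string": "%s:%s:%s@bng.cisco.com"},
}


def build_username(format_name, fields):
    spec = FORMATS[format_name]
    values = [fields[a] for a in spec["attributes"]]
    if "format-string" in spec:
        if spec["format-string"].count("%s") != len(values):
            raise ValueError("placeholder count does not match the attribute list")
        return spec["format-string"] % tuple(values)
    return spec["separator"].join(values)


def is_unambiguous(format_name, fields):
    """False when a separator character also occurs inside one of the fields,
    i.e. when a different identifier pair could yield the same username."""
    spec = FORMATS[format_name]
    seps = [spec["separator"]] if "separator" in spec else \
        [c for c in spec["format-string"].replace("%s", "") if not c.isalnum()]
    return not any(sep in fields[a] for sep in seps for a in spec["attributes"])


# Constructed DHCP option field: message type, Option 60, Option 82 with
# circuit-id "eth 1/1:100" and remote-id "dslam01", then End. Constructed chaddr.
SAMPLE_OPTIONS = (bytes([53, 1, 1])
                  + bytes([60, 12]) + b"CPE-VENDOR-X"
                  + bytes([82, 22]) + bytes([1, 11]) + b"eth 1/1:100" + bytes([2, 7]) + b"dslam01"
                  + bytes([255]))
SAMPLE_CHADDR = bytes.fromhex("001122334455")

if __name__ == "__main__":
    fields = subscriber_fields(SAMPLE_OPTIONS, SAMPLE_CHADDR)
    for name in FORMATS:
        print(name, "->", build_username(name, fields), "unambiguous:", is_unambiguous(name, fields))
```

On the sample message the format-string variant produces "dslam01:eth 1/1:100:CPE-VENDOR-X@bng.cisco.com", in which the ":" inside the circuit-id is indistinguishable from the ":" the format inserted; the "!" and "|" separators of the first two formats do not have that problem for these identifiers. The other thing the parser makes visible is where every field comes from: all of it is written by the access node, so the BNG's Option 82 trust settings (which relayed messages it accepts Option 82 from) decide how much these usernames are worth.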

Subscriber Templates Definition

Location: AAA Server
Defined as subscriber/service profiles
Standard and vendor specific RADIUS attributes are used
On demand download, on a need basis
Control policy action: activate dynamic template <name> aaa list <list name>
<template pwd> is NOT configurable; it defaults to cisco
Only supported when templates are activated via the control policy (4.2.0)

Download sequence (example: the Premium HSI service should be activated on the session, and no definition is available yet):
1. RADIUS Access-Request, Username: Premium_HSI, Password: <template pwd>
2. RADIUS Access-Accept with the features associated with the template
3. Service activated on the session; the service is stored in the local cache while in use by at least 1 session

Location: BNG
Dynamic templates pre-configured using the CLI
Defined as dynamic subscriber/service templates: dynamic-template type { ppp | ipsubscriber | service } <name>
Services permanently stored in the local database

Dynamic Templates on Box Definition

dynamic-template type { ppp | ipsubscriber | service } <tmpl_name>
 <attribute-list>
!

3 types:
ppp: for configuration on PPP sessions (both PTA and LAC)
ipsubscriber: for configuration on IPoE sessions
service: contains configuration commands for all types of sessions

Dynamic templates allow for inline modifications
Changes take effect immediately on all sessions using the template.
Exception: immutable config options (e.g. the session IP address)

Session Control Policy (4.2.0)

Control policy-map structure:
policy-map type control subscriber <name>
 event <event type> <match policy>
  class type control <name> <action execution policy>
   action1
   action2
   ... more actions for this event and condition
  ... more conditions
 event 2 + conditions
 ... more events

Applied on the access-interface
Defines all aspects of session processing
No in-place modifications

Events are identified by their event type: configurable and non-configurable
Configurable event types:
Session-start: new session initiated (PPPoE and IPoE)
Session-activate: LCP has started (PPPoE only)
Authentication/Authorization failure: authentication failed(*)
Authentication/Authorization no response: authentication is inconclusive for lack of an answer from the server
Service-stop: request to deactivate a service from an external source

Conditions account for other aspects surrounding the event
Different set of actions for the same event type
Single or multiple matches (match-first or match-all)

Event actions are executed only if the <conditions> are met for the event
Different set of actions per {event, condition}
Actions are in an ordered list
Executed based on the execution policy: do-all, do-until-failure, do-until-success

Common action types:
Activate: enables a new dynamic template
Deactivate: terminates an active dynamic template
Authenticate: authenticates a session using the subscriber's credentials
Authorize: authenticates a session using one or more network identifiers (TAL)

(*) 4.2.0: CLI available but not supported

Defining a Control Policy
policy-map type control

A control policy associates events and conditions to an ordered list of actions:
Event + Condition -> Control Class: list of actions (1. Disable Service B, 2. Enable Service A)
Event + Condition -> Control Class: list of actions (1. Enable Service X, 2. Enable Service Y, 3. Take Action R)
Event + Condition -> Control Class: list of actions (1. Enable Service, 2. Take action AAA)

policy-map type control SUBSCRIBER_RULE
 event session-start match-first
  class type control subscriber PPP_SUB do-all
   10 activate dynamic-template PPP_BASE_TMPL
   20 authorize aaa list default format PPP_UNAME passw cisco
  !
  class type control subscriber IP_SUB do-all
   10 activate dynamic-template IP_BASE_TMPL
   20 authorize aaa list default format IP_UNAME passw cisco
  !
 event session-activate match-first
  class type control subscriber PPP_SUB do-all
   10 authenticate aaa list default
<- in 4.2.1
 event account-logon match-first
  class type control subscriber IP_SUB do-all
   10 authenticate aaa list default

Defining a Control Policy
policy-map type control

Control policy name: used to reference the control policy when it is applied to the access-interface
Event being handled
Control class match-policy:
match-first: evaluate control classes until the first match
match-all: evaluate all control classes
Control class: used to qualify the event; defines the conditions for which the event is actionable
Action execution policy:
do-all: execute all actions
do-until-failure: execute actions until one fails
do-until-success: execute actions until one succeeds
List of actions

policy-map type control SUBSCRIBER_RULE                  <- control policy name
 event session-start match-first                         <- event being handled, control class match-policy
  class type control subscriber PPP_SUB do-all           <- control class, action execution policy
   10 activate dynamic-template PPP_BASE_TMPL            <- list of actions
   20 authorize aaa list default format PPP_UNAME passw cisco
  !
  class type control subscriber IP_SUB do-all
   10 activate dynamic-template IP_BASE_TMPL
   20 authorize aaa list default format IP_UNAME passw cisco
  !
 event session-activate match-first
  class type control subscriber PPP_SUB do-all
   10 authenticate aaa list default
<- in 4.2.1
 event account-logon match-first
  class type control subscriber IP_SUB do-all
   10 authenticate aaa list default

Defining Control Classes
class-map type control

Examples:
class-map type control subscriber match-any IP_SUB
 match protocol dhcpv4
!
class-map type control subscriber match-any PPP_SUB
 match protocol ppp
!

match-policy:
match-any: match any of the clauses
match-all: match all clauses

Match criteria:
Domain name: domain <string>
Protocol: protocol { dhcpv4 | ppp }
Source address: source-address { ipv4 | mac }
User name: username <string>
Authentication status: authen-status { authenticated | unauthenticated }
To negate a match criterion: not <criterion>
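An evaluation model for the control policy and control classes defined on the last three slides: an event is matched against control classes under match-first or match-all, each class applies its match-any/match-all clauses to the session's attributes, and a matching class runs its numbered actions under do-all, do-until-failure or do-until-success. The SUBSCRIBER_RULE policy and the IP_SUB/PPP_SUB classes from the slides are expressed in this model. This is an added simulation, not code from the webcast or from IOS XR; the AAA lookup table, the action implementations and the TAL username used by authorize are constructed stand-ins.

```python
"""Evaluation model for policy-map type control subscriber.
Added simulation; not the webcast's or IOS XR's code. AAA data is constructed."""


class ControlClass:
    """class-map type control subscriber {match-any|match-all} <name>."""

    def __init__(self, name, match_policy, criteria):
        self.name, self.match_policy = name, match_policy
        self.criteria = criteria          # list of (attribute, value, negated)

    def matches(self, session):
        results = [(session.get(attr) == value) != negated
                   for attr, value, negated in self.criteria]
        return any(results) if self.match_policy == "match-any" else all(results)


def run_actions(actions, session, exec_policy):
    """Run (sequence, label, fn) actions in sequence order; fn returns True on success.
    Returns the list of (sequence, label, result) that actually executed."""
    executed = []
    for seq, label, fn in sorted(actions, key=lambda a: a[0]):
        ok = fn(session)
        executed.append((seq, label, ok))
        if exec_policy == "do-until-failure" and not ok:
            break
        if exec_policy == "do-until-success" and ok:
            break
    return executed


class ControlPolicy:
    """policy-map type control subscriber <name>."""

    def __init__(self, name):
        self.name, self.events = name, {}

    def event(self, event_type, match_policy, classes):
        # classes: ordered list of (ControlClass, exec_policy, actions)
        self.events[event_type] = (match_policy, classes)
        return self

    def handle(self, event_type, session):
        """Returns [(class name, executed actions)] for the classes that matched."""
        trace = []
        match_policy, classes = self.events.get(event_type, ("match-first", []))
        for cls, exec_policy, actions in classes:
            if not cls.matches(session):
                continue
            trace.append((cls.name, run_actions(actions, session, exec_policy)))
            if match_policy == "match-first":
                break
        return trace


# --- action factories: constructed stand-ins for activate / authorize / authenticate ---
def activate(template):
    return lambda s: s.setdefault("templates", []).append(template) or True


def authorize(aaa, username_of):
    """TAL: the username is built from network identifiers; no credentials involved."""
    def action(session):
        ok = aaa.get(username_of(session)) == "accept"    # stand-in for Access-Accept
        session["authen-status"] = "authenticated" if ok else "unauthenticated"
        return ok
    return action


def authenticate(aaa):
    def action(session):
        ok = aaa.get(session.get("username")) == "accept"
        session["authen-status"] = "authenticated" if ok else "unauthenticated"
        return ok
    return action


def build_subscriber_rule(aaa):
    """SUBSCRIBER_RULE and the IP_SUB / PPP_SUB classes from the slides."""
    ppp_sub = ControlClass("PPP_SUB", "match-any", [("protocol", "ppp", False)])
    ip_sub = ControlClass("IP_SUB", "match-any", [("protocol", "dhcpv4", False)])
    tal_name = lambda s: f"{s.get('remote-id')}|{s.get('circuit-id')}"  # stand-in for PPP_UNAME/IP_UNAME
    return (ControlPolicy("SUBSCRIBER_RULE")
            .event("session-start", "match-first", [
                (ppp_sub, "do-all", [(10, "activate PPP_BASE_TMPL", activate("PPP_BASE_TMPL")),
                                     (20, "authorize", authorize(aaa, tal_name))]),
                (ip_sub, "do-all", [(10, "activate IP_BASE_TMPL", activate("IP_BASE_TMPL")),
                                    (20, "authorize", authorize(aaa, tal_name))])])
            .event("session-activate", "match-first", [
                (ppp_sub, "do-all", [(10, "authenticate", authenticate(aaa))])]))


if __name__ == "__main__":
    aaa = {"dslam01|eth 1/1:100": "accept", "john": "accept"}   # constructed AAA answers
    policy = build_subscriber_rule(aaa)
    dhcp = {"protocol": "dhcpv4", "remote-id": "dslam01", "circuit-id": "eth 9/9:1"}
    print(policy.handle("session-start", dhcp), dhcp)
```

Running the model on a DHCP session whose circuit-id is not known to AAA shows the consequence of do-all that the slide's wording leaves implicit: both actions execute, so the base template is applied even though the authorize step failed, and the session is left authenticated-status unauthenticated with the template active. With do-until-failure the same class would stop after the first failing action, which is the execution policy to use when a later action must not run on an unauthorized session.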


Putting it all together: Basic Example (PPPoE)

pppoe bba-group PPPOE-USERS                       <- BBA group defines PPPoE discovery config/throttling
 service selection disable
!
dynamic-template                                  <- defines configuration applied to the subscriber session
 type ppp PPP_TEMPLATE
  ppp authentication pap
  ipv4 unnumbered Loopback65
 !
!
interface Bundle-Ether333.6
 description "Subscriber VLAN 6 - PPPoE subscribers"
 service-policy type control subscriber PPP_SUBS_CONTROL   <- policy affecting subs
 pppoe enable bba-group PPPOE-USERS               <- enables PPPoE processing on the interface
 encapsulation dot1q 6
!
class-map type control subscriber match-any PPP_SUBS
 match protocol ppp
end-class-map
!
policy-map type control subscriber PPP_SUBS_CONTROL
 event session-start match-first                  <- session-start events trigger upon FSOL - PADI
  class type control subscriber PPP_SUBS do-until-failure
   5 activate dynamic-template PPP_TEMPLATE       <- calls previously-configured template
  !
 !
 event session-activate match-first               <- session-activate triggers upon LCP nego
  class type control subscriber PPP_SUBS do-until-failure
   5 activate dynamic-template PPP_TEMPLATE       <- calls previously-configured template
   10 authenticate aaa list RSIM                  <- will auth w/ PPP username/pass to AAA list RSIM
  !
 !
end-policy-map


Putting It All Together: Basic IPoE Example

dhcp ipv4
 profile IP_SUBSCRIBERS proxy
  limit lease per-circuit-id 2
  lease proxy client-lease-time 1500
  ! helper-address is the external DHCP server; giaddr is the local address
  ! inserted in the relayed DHCP messages
  helper-address vrf default 14.2.3.60 giaddr 64.40.64.1
  relay information option
  ! preserve the received DHCP option 82 information
  relay information policy keep
  relay information option allow-untrusted
 !
 ! associates Bundle-Ether333.5 with the proxy profile
 interface Bundle-Ether333.5 proxy profile IP_SUBSCRIBERS
!
dynamic-template
 type ipsubscriber IPSUB_TEMPLATE
  ipv4 unnumbered Loopback64
 !
!
interface Bundle-Ether333.5
 description "Subscriber VLAN 5 - IPoE subscribers"
 ipv4 point-to-point
 ipv4 unnumbered Loopback64
 ! control policy applied to the subscribers upon FSOL
 service-policy type control subscriber IP_SUBS_CONTROL
 encapsulation dot1q 5
 ! the subscribers are L2-connected downstream of this interface
 ipsubscriber ipv4 l2-connected
  ! the FSOL is a DHCPDISCOVER received from a subscriber
  initiator dhcp
 !
!
class-map type control subscriber match-any DHCP_TEST
 match protocol dhcpv4
end-class-map
!
policy-map type control subscriber IP_SUBS_CONTROL
 ! session-start events trigger upon FSOL - DHCPDISCOVER
 event session-start match-first
  class type control subscriber DHCP_TEST do-until-failure
   5 activate dynamic-template IPSUB_TEMPLATE
   ! the subscriber identity is the circuit-id field from the DHCP option 82
   ! information; it is sent to RADIUS for authorization
   10 authorize aaa list RSIM identifier circuit-id password cisco
  !
 !
end-policy-map
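Added illustration, not the presentation's own code: how a DHCP proxy can derive the `identifier circuit-id` used in the authorize action from option 82 of a DISCOVER, and why `relay information option allow-untrusted` matters for L2-connected subscribers, whose DISCOVER reaches the BNG with giaddr 0.0.0.0 even when an access node has already inserted option 82 (RFC 3046 has a relay drop such packets by default). The option bytes and the circuit-id/remote-id values are constructed.

```python
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END, OPT_PAD = 53, 82, 255, 0
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
GIADDR_UNSET = b"\x00\x00\x00\x00"

def parse_tlv(data: bytes, stop_at_end: bool) -> dict:
    """Walk a DHCP option area (or the sub-options inside option 82) into {code: value}."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if stop_at_end and code == OPT_END:
            break
        if stop_at_end and code == OPT_PAD:
            i += 1
            continue
        length = data[i + 1]
        out[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out

def subscriber_identifier(giaddr: bytes, options: bytes, allow_untrusted: bool):
    """Return the circuit-id the proxy would hand to AAA as the subscriber identity,
    or None when the message carries no usable option 82 or must be dropped.
    A DISCOVER that already has option 82 but giaddr 0.0.0.0 was not relayed, so
    its relay-agent data is 'untrusted' and is only accepted with allow-untrusted."""
    relay = parse_tlv(options, stop_at_end=True).get(OPT_RELAY_AGENT)
    if relay is None:
        return None
    if giaddr == GIADDR_UNSET and not allow_untrusted:
        return None
    circuit_id = parse_tlv(relay, stop_at_end=False).get(SUBOPT_CIRCUIT_ID)
    return circuit_id.decode("ascii", "replace") if circuit_id else None

# Constructed DISCOVER option area: message type 1 (DISCOVER), option 82 with a
# circuit-id naming the access port and a MAC-style remote-id, then END.
CIRCUIT_ID = b"access-sw1 eth 0/5:100"
REMOTE_ID = bytes.fromhex("001122334455")
OPTION82 = (bytes([SUBOPT_CIRCUIT_ID, len(CIRCUIT_ID)]) + CIRCUIT_ID
            + bytes([SUBOPT_REMOTE_ID, len(REMOTE_ID)]) + REMOTE_ID)
DISCOVER_OPTIONS = (bytes([OPT_MSG_TYPE, 1, 1])
                    + bytes([OPT_RELAY_AGENT, len(OPTION82)]) + OPTION82
                    + bytes([OPT_END]))
```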

Fourth Question
PPPoE and IPoE require a dynamic-template with the "session-start" event.
a) True
b) False


Useful show/debug commands

show tech [ipsubscriber | pppoe | dhcp ipv4 | dhcp ipv6]
show subscriber session all summary
show subscriber session all
show subscriber session filter [username | ipv4-address | etc] $filter detail
show subscriber manager statistics summary total
show ipsubscriber summary
show pppoe [summary | statistics]
show radius authentication
show subscriber manager trace [event | error | more...]
debug subscriber manager session next-subscriber
debug radius [detail]
debug aaa-subscriber [all | authent | author | more...]
debug pppoe [protocol | packet]
debug ppp [negotiation | authentication]
show dhcp ipv4 proxy [binding | stat | stat raw]
show dhcp ipv4 trace

Troubleshooting Questions

  What kind of subscribers are we dealing with?
  What is the expected session establishment call-flow?
  If auth is involved, how are they being authenticated/authorized?
  How is address allocation handled for the subscribers?
  What other services/features are applied to the session? [How? RADIUS attributes, or on the dynamic-template?]
  Where in the above call-flow is session establishment failing?
  Has this ever worked? [Be skeptical! Make sure we have a compelling reason to believe it should work; confirm support!]

Questions and Answers

We want your opinion!
To fill out the evaluation, please click the address provided in the chat or in the pop-up when the event ends.

Ask the Experts event with Bruno Novais
If you would like to ask our expert more questions, he will be answering them between January 14 and 24 at this link:
https://supportforums.cisco.com/thread/2260873
The video, the presentation and the questions and answers will be made available by next Tuesday at this link:
https://supportforums.cisco.com/community/portuguese/canto-dosespecialistas/webcasts

Ask the Expert (in Portuguese)
Topic: Migration, configuration and support of the ASA Services Module (ASA-SM)
With Cisco expert: Itzcoatl Espinosa
Ends January 17, 2014

Ask the Expert (in Spanish)
Topic: QoS on Routers
With Cisco expert: Hector Carranza Contreras
Ends January 22, 2014

Ask the Expert (in English)
Topic: Understanding and Managing Cisco Unified Communications Manager Certificates
With Cisco expert: Akhil Behl
Ends January 17, 2014

Topic: Cisco Unified Computing System Director
With Cisco expert: Andrew Nam
Ends January 17, 2014

Ask the Expert (in English)
Topic: Cisco Catalyst 6800 Series Switches
With Cisco expert: Amer Atout
Ends January 17, 2014

Rate the content of the Cisco Support Community in Portuguese
It is now possible to rate discussions, documents, blogs and videos!

Spotlight Awards (Featured Participants Award)
The Featured Participants award was created in 2012 in Cisco's global community and is used to recognize members who make a significant contribution to the Cisco Support Community and who, beyond that, play a leadership role within the community in different categories.
It was launched in the Portuguese community on December 1, 2013 and includes the category "O Novato" (The Newcomer).
More details about the award can be found at this link:
https://supportforums.cisco.com/community/portuguese/principaiscolaboradores/participantes_em_destaque

We invite you to join the CSC in Portuguese and on our social networks
https://supportforums.cisco.com/community/portuguese
Portugal: http://www.facebook.com/ciscoportugal
Brazil: http://www.facebook.com/CiscoDoBrasil
Portugal: https://twitter.com/CiscoPortugal
Brazil: http://twitter.com/CiscoDoBrasil
Portugal: http://www.youtube.com/user/ciscoportugal
Brazil: http://www.youtube.com/user/ciscoDoBrasilTV
Portugal: http://ciscoportugalblog.wordpress.com/

Thank you very much for watching.
Please complete the evaluation form and suggest topics for upcoming webcasts!