CISCO ASR 9000 Series Routers Broadband Network Gateway Configuration User Guide
- June 15, 2024
- Cisco
Table of Contents
- ASR 9000 Series Routers Broadband Network Gateway Configuration
- Product Information
- Specifications
- Introduction
- BNG Features
- BNG Overview
- Understanding BNG
- BNG Architecture
- BNG Role in ISP Network Models
- BNG Packaging
- Installing and Activating the BNG Pie
- BNG Configuration Process
- Hardware Requirements for BNG
- BNG Interoperability
- BNG Smart Licensing
- Q: Are the IP addresses and phone numbers in the document real?
- Q: Where can I find the latest version of this document?
- Q: Are there any hardware requirements for using the Broadband Network Gateway?
ASR 9000 Series Routers Broadband Network Gateway Configuration
Product Information
Specifications
- Product Name: Broadband Network Gateway
- Model: Cisco ASR 9000 Series Routers
- Software Version: IOS XR Release 6.2.x
- First Published: 2017-03-17
- Last Modified: 2017-07-14
Introduction
The Broadband Network Gateway (BNG) is the subscriber access function of
an ISP edge router: it terminates subscriber sessions and manages
broadband connections and network traffic. This guide describes how to
configure the Cisco ASR 9000 Series Routers to act as the BNG.
BNG Features
The following are the new and modified features of the Broadband
Network Gateway in IOS XR Release 6.2.x:
- Feature 1: [Description]
- Feature 2: [Description]
- …
BNG Overview
Understanding BNG
The Broadband Network Gateway (BNG) is a key component in ISP
networks. It enables the management of broadband connections and
provides advanced features for traffic control and service
provisioning.
BNG Architecture
The BNG architecture consists of multiple components,
including:
- Component 1: [Description]
- Component 2: [Description]
- …
BNG Role in ISP Network Models
The BNG plays a crucial role in different ISP network models,
such as:
- Model 1: [Description]
- Model 2: [Description]
- …
BNG Packaging
The Broadband Network Gateway is packaged as a separately installed
software package (the BNG PIE) that is installed and activated on the
Cisco ASR 9000 Series Router.
Product Usage Instructions
Installing and Activating the BNG Pie
To install and activate the Broadband Network Gateway on the
Cisco ASR 9000 Series Router, follow these steps:
- Step 1: [Description]
- Step 2: [Description]
- …
BNG Configuration Process
To configure the Broadband Network Gateway on the Cisco ASR 9000
Series Router, follow these steps:
- Step 1: [Description]
- Step 2: [Description]
- …
Hardware Requirements for BNG
The Broadband Network Gateway requires the following
hardware:
- Requirement 1: [Description]
- Requirement 2: [Description]
- …
BNG Interoperability
The Broadband Network Gateway is designed to be interoperable
with various networking equipment and protocols. For specific
details on interoperability, refer to the documentation provided by
Cisco.
BNG Smart Licensing
The Broadband Network Gateway supports Smart Licensing, which
enables flexible license management and activation. For more
information on Smart Licensing, refer to the documentation provided
by Cisco.
FAQ
Q: Are the IP addresses and phone numbers in the document
real?
A: No, the IP addresses and phone numbers used in the document
are not real and are intended for illustrative purposes only.
Q: Where can I find the latest version of this document?
A: The current online version on the Cisco website is the controlled
copy. Printed copies and duplicate soft copies of this document are
considered uncontrolled.
Q: Are there any hardware requirements for using the Broadband
Network Gateway?
A: Yes, the Broadband Network Gateway has specific hardware
requirements. Please refer to the “Hardware Requirements for BNG”
section in this document for more information.
Broadband Network Gateway Configuration Guide for Cisco ASR 9000 Series
Routers, IOS XR Release 6.2.x
First Published: 2017-03-17 Last Modified: 2017-07-14
Americas Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA
http://www.cisco.com Tel: 408 526-4000
800 553-NETS (6387) Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE
SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND
RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED
WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL
RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET
FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE
INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE
SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A
COPY.
The Cisco implementation of TCP header compression is an adaptation of a
program developed by the University of California, Berkeley (UCB) as part of
UCB’s public domain version of the UNIX operating system. All rights reserved.
Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF
THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-
NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING,
WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE
PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL,
CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST
PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE
THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document
are not intended to be actual addresses and phone numbers. Any examples,
command display output, network topology diagrams, and other figures included
in the document are shown for illustrative purposes only. Any use of actual IP
addresses or phone numbers in illustrative content is unintentional and
coincidental.
All printed copies and duplicate soft copies of this document are considered
uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are
listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco
and/or its affiliates in the U.S. and other countries. To view a list of Cisco
trademarks, go to this URL:
https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party
trademarks mentioned are the property of their respective owners. The use of
the word partner does not imply a partnership relationship between Cisco and
any other company. (1721R)
© 2017 Cisco Systems, Inc. All rights reserved.
CONTENTS

PREFACE  Preface xiii
  Changes to This Document xiii
  Communications, Services, and Additional Information xiii

CHAPTER 1  New and Changed BNG Features 1
  BNG Features Added or Modified in IOS XR Release 6.2.x 1

CHAPTER 2  Broadband Network Gateway Overview 9
  Understanding BNG 10
  BNG Architecture 10
  BNG Role in ISP Network Models 13
  BNG Packaging 14
  Installing and Activating the BNG Pie on Cisco ASR 9000 Series Router 14
  BNG Configuration Process 15
  Hardware Requirements for BNG 16
  BNG Interoperability 18
  BNG Smart Licensing 19

CHAPTER 3  Configuring Authentication, Authorization, and Accounting Functions 21
  Configuring Authentication, Authorization, and Accounting Functions 22
  AAA Overview 22
  Using RADIUS Server Group 24
  Configuring RADIUS Server Group 24
  Specifying Method List 26
  Configuring Method Lists for AAA 26
  Defining AAA Attributes 28
  Creating Attributes of Specific Format 29
  Configuring RADIUS Attribute List 34
  Configuring RADIUS Attribute Format 36
  Configuring RADIUS Attribute Nas-port-type 37
  Configuring AAA Attribute Format Function 38
  Suppressing Unassigned Attributes 39
  Making RADIUS Server Settings 40
  Configuring RADIUS Server Settings 41
  Configuring Automated Testing 45
  Setting IP DSCP for RADIUS Server 46
  Balancing Transaction Load on the RADIUS Server 47
  Configuring Load Balancing for Global RADIUS Server Group 48
  Configuring Load Balancing for a Named RADIUS Server Group 49
  Throttling of RADIUS Records 50
  Configuring RADIUS Throttling Globally 51
  Configuring RADIUS Throttling on a Server Group 52
  RADIUS Change of Authorization (CoA) Overview 54
  Multi-Action Change of Authorization 56
  Generating Accounting Records 57
  High Availability for MA-CoA 58
  An Example with Verification Commands 58
  Restrictions in Multi-Action Change of Authorization 61
  User Authentication and Authorization in the Local Network 62
  Policy Configurations for IPoE Sessions 63
  Policy Configurations for PTA Sessions 66
  Service Accounting 67
  Configuring Service Accounting 68
  Statistics Infrastructure 71
  Configuring Statistics IDs (statsD) 71
  Understanding Per-VRF AAA Function 72
  RADIUS Double-Dip Feature 72
  RADIUS over IPv6 73
  Additional References 73

CHAPTER 4  Activating Control Policy 75
  Control Policy Overview 75
  Creating Class-Map 77
  Configuring a Class-Map 77
  Creating Policy-Map 78
  Control Policy Events 79
  Configuring a Policy-Map 80
  Activating Policy-Map 82
  Enabling a Service-Policy on a Subscriber Interface 82
  Defining Dynamic Templates 83
  Additional References 84

CHAPTER 5  Establishing Subscriber Sessions 87
  Subscriber Session Overview 88
  Establishing IPoE Session 90
  Enabling IPv4 or IPv6 on an Access Interface 92
  Creating Dynamic Template for IPv4 or IPv6 Subscriber Session 93
  Creating a Policy-Map to Run During IPoE Session 96
  Enabling IPoE Subscribers on an Access Interface 97
  Routed Subscriber Sessions 100
  DHCP-initiated Routed Subscriber Sessions 102
  Packet-triggered Routed Subscriber Sessions 104
  Deployment Model for IPv6 Routed Network 104
  Call Flow of IPv6 Routed Subscriber Session 105
  Restrictions for Routed Subscriber Sessions 106
  Configuring Routed Subscriber Sessions 107
  Prevent Default ARP Entry Creation for a Subscriber Interface 109
  Unconditional Proxy ARP Response 109
  Establishing PPPoE Session 110
  Provisioning PPP PTA Session 111
  Creating PPPoE Profiles 111
  Creating a PPP Dynamic-Template 113
  Creating a Policy-Map to Run During PPPoE Session 114
  Applying the PPPoE Configurations to an Access Interface 116
  Provisioning PPP LAC Session 118
  Configuring the VPDN Template 119
  Configuring Maximum Simultaneous VPDN Sessions 121
  Activating VPDN Logging 123
  Configuring Options to Apply on Calling Station ID 124
  Configuring L2TP Session-ID Commands 125
  Configuring L2TP Class Options 126
  Configuring Softshut for VPDN 129
  L2TP Reassembly on LAC 130
  L2TP Access Concentrator Stateful Switchover 131
  Local VPDN RADIUS Enhancement 134
  PPPoE Smart Server Selection 137
  Configuring PADO Delay 138
  PPPoE Session Limit, Throttle and In-flight-window 139
  PPPoE Session Limit 139
  PPPoE Session Throttle 142
  PPPoE In-flight-window 144
  Activating IPv6 Router Advertisement on a Subscriber Interface When IPv4 Starts 144
  Creating Dynamic Template for Enabling IPv6 Router Advertisement on an IPv4 Subscriber Interface 144
  Making DHCP Settings 145
  Enabling DHCP Proxy 147
  Configuring DHCP IPv4 Profile Proxy Class 147
  Configuring a Circuit-ID for an Interface 149
  Configuring a Remote-ID 150
  Configuring the Client Lease Time 151
  Attaching a Proxy Profile to an Interface 152
  DHCPv4 Server 153
  Enabling DHCP Server 154
  Configuring DHCPv4 Server Profile 154
  Specifying DHCP Lease Limit 157
  Specifying the Lease Limit for a Circuit-ID 157
  Specifying the Lease Limit for a Remote-ID 158
  Specifying the Lease Limit for an Interface 160
  Understanding DHCP Option-82 161
  Option 82 Relay Information Encapsulation 161
  Configuring DHCPv4 Class of Service (CoS) 162
  Send Rich DHCP Options from RADIUS to DHCP Server 162
  Configure Rich DHCP Option on RADIUS VSA 165
  DHCP Option 60 Filtering 166
  Configure DHCP Option 60 Filtering 167
  DHCP RADIUS Proxy 168
  Subscriber Session-Restart 169
  DHCP Session MAC Throttle 169
  Allow-move for Simple IP Sessions 170
  Restrictions for Simple IP Allow-move 171
  DHCP Duplicate MAC Session 171
  DHCP Duplicate MAC Session With Exclude VLAN Option 171
  Configure DHCP Duplicate MAC Session 173
  DHCPv6 Overview 176
  DHCPv6 Server and DHCPv6 Proxy 177
  Enabling DHCPv6 for Different Configuration Modes 177
  Setting Up DHCPv6 Parameters 181
  PPP Class-based DHCPv6 Mode Selection 183
  DHCPv6 Features 183
  High Availability Support for DHCPv6 184
  DHCPv6 Prefix Delegation 184
  IPv6 IPoE Subscriber Support 184
  IPv6 PPPoE Subscriber Support 192
  Ambiguous VLAN Support 198
  DHCPv6 Address or Prefix Pool 201
  DHCPv6 Dual-Stack Lite Support 206
  VRF Awareness in DHCPv6 207
  DHCP Options Support for BNG DHCPv6 Proxy Mode 209
  Configurable DHCPv6 Option 17 211
  Rapid commit 211
  Packet Handling on Subscriber Interfaces 211
  IPv6 Neighbor Discovery 213
  Line Card Subscribers 214
  External Interaction for LC Subscribers 214
  Benefits and Restrictions of Line Card Subscribers 215
  High Availability for Line Card Subscribers 215
  Static Sessions 216
  Restrictions for static sessions 217
  Subscriber Session Limit 217
  BNG Subscriber Templates 218
  Feature Support for Subscriber Templates 219
  Restrictions for BNG Subscriber Templates 219
  Verification of BNG Subscriber Templates 220
  eBGP over PPPoE 220
  BNG over Pseudowire Headend 221
  QoS on BNG Pseudowire Headend 221
  Features Supported for BNG over Pseudowire Headend 222
  Unsupported Features and Restrictions for BNG over Pseudowire Headend 223
  PPPoE LAC Subscriber Over PWHE 223
  Additional References 224

CHAPTER 6  Deploying the Quality of Service (QoS) 227
  Quality of Service Overview 227
  Configuring Service-policy and Applying Subscriber Settings Through RADIUS 228
  Configuring Service-policy and Applying Subscriber Settings Through Dynamic Template 230
  Parameterized QoS 233
  Parameterized QoS Syntax 234
  Configuring Parameterized QoS Policy Through RADIUS 238
  Modifying Service Policy through CoA 241
  Parameterized QoS for Line Card Subscribers 243
  Configuring Parameterized QoS as Auto-service 243
  Verifying PQoS Configuration 246
  RADIUS Based Policing – QoS Shaper Parameterization 247
  Sample Configuration and Use Cases for QoS Shaper Parameterization 248
  Verification of QoS Shaper Parameterization Configurations 249
  Supported Scenarios of QoS Shaper Parameterization 251
  Restrictions of QoS Shaper Parameterization 251
  QoS Accounting 252
  Configuring QoS Accounting 253
  Support for Shared Policy Instance 255
  Configuring a Policy with SPI in the Input or Output Direction Using Dynamic Template 256
  Configuring a Policy with SPI in the Input or Output Direction Using RADIUS 259
  Merging QoS Policy-maps 261
  Enabling Policy-maps Merge 262
  QoS Features Supported on BNG 266
  VLAN Policy on Access Interface 270
  Configuring Policy on S-VLAN 271
  Configuring VLAN Policy on an Access Interface 272
  Multiple Class Support for Ingress Policing for Subscribers 274
  Group-based Grandparent Shaping 275
  Additional References 276

CHAPTER 7  Configuring Subscriber Features 277

CHAPTER 8  BNG Geo Redundancy 353
  Geo Redundancy Overview 354
  Subscriber Redundancy Group (SRG) 355
  Session Distribution Across SRG 356
  Benefits of BNG Geo Redundancy 358
  Supported Features in BNG Geo Redundancy 359
  BNG Geo Redundancy Configuration Guidelines 360
  Setting up BNG Subscriber Redundancy Group 362
  Geographical Redundancy By Using a Session Redundancy Group (SERG) 363
  Configuring and Verifying Session Redundancy for DHCPv6 Clients 365
  Managing Session Redundancy Groups 372
  Configuring and Verifying Session Redundancy for IPv6 ND Clients 373
  Geo Redundancy for PPPoE Sessions 380
  PPPoE-LAC Session Switchover 381
  Verification of Geo Redundancy for PPPoE Sessions 381
  BNG Geo Redundancy with Satellite 383
  Configure BNG Geo Redundancy with Cisco NCS 5000 Series nV Satellite 384
  Geo Redundancy Features 385
  Peer Route Disable 385
  Active-active Session Support for Geo Redundancy 386
  State Control Route for Geo Redundancy 387
  Configure State Control Route for Geo Redundancy 388
  Subscriber Redundancy Group Revertive Timer 389
  Subscriber Redundancy Group-aware IPv6 Neighbor Discovery 389
  Peer-to-peer Traffic Flow with BNG Geo Redundancy 390
  Accounting Trigger Cause for Geo Redundancy 391
  Deployment Models for BNG Geo Redundancy 391

CHAPTER 9  DIAMETER Support in BNG 393
  DIAMETER Overview 393
  DIAMETER Interface in BNG 394
  Supported DIAMETER Base Messages 395
  DIAMETER NASREQ Application 396
  DIAMETER Accounting 398
  DIAMETER Gx and Gy Applications 398
  DIAMETER DCCA Application 400
  BNG DIAMETER Call Flow 400
  Guidelines and Restrictions for DIAMETER Support in BNG 401
  Configuring DIAMETER Peer in BNG 402
  Configuring AAA for DIAMETER Peer in BNG 407
  Verification of DIAMETER Configurations in BNG 410
  BNG DIAMETER-Geo Redundancy Interworking 415
  BNG DIAMETER-Geo Redundancy Call Flow 416
  Verify BNG DIAMETER-Geo Redundancy 419
  Additional References 422

APPENDIX A  XML Support for BNG Features 425
  AAA XML Support 425
  DHCP XML Support 428
  Control Policy XML Support 431
  DAPS XML Support 434
  PPPoE XML Support 435
  Subscriber Database XML Support 437

APPENDIX B  RADIUS Attributes 443
  RADIUS IETF Attributes 443
  IETF Tagged Attributes on LAC 445
  RADIUS Vendor-Specific Attributes 446
  Vendor-Specific Attributes for Account Operations 451
  RADIUS ADSL Attributes 451
  RADIUS ASCEND Attributes 452
  RADIUS Microsoft Attributes 452
  RADIUS Disconnect-Cause Attributes 453

APPENDIX C  Action Handlers 459

APPENDIX D  BNG Use Cases and Sample Configurations 461
  BNG over Pseudowire Headend 461
  Sample Topology for BNG over Pseudowire Headend 461
  Deployment Models for Subscribers on Pseudowire Headend 462
  Residential Subscribers on Pseudowire Headend 462
  Residential and Business Subscribers on Pseudowire Headend 463
  Configuration and Verification of BNG over Pseudowire Headend 464
  Sample Configurations for BNG over Pseudowire Headend 466
  Dual-Stack Subscriber Sessions 468
  IP Address Assignment for Clients 468
  Sample IPv6 Addressing and Configurations 469
  IPv6 Address Mapping 469
  CPE Configurations 469
  DHCPv6 Server Configuration 470
  Operation and Call Flow of Dual-Stack Sessions 470
  Generic Call Flow of Dual-Stack Session 470
  Detailed Call Flows – PPPoE Dual-Stack 471
  Detailed Call Flows – IPoE Dual-Stack 473
  Sample Topology for Dual-Stack 474
  Configuration Examples for Dual-Stack 474
  Verification Steps for Dual-Stack 477
  eBGP over PPPoE 477
  Sample Topology for eBGP over PPPoE 477
  Configuration and Verification of eBGP over PPPoE 478
  Sample Configurations for eBGP over PPPoE 480
  Routed Subscriber Sessions 486
  Routed Subscriber Deployment Topology and Use Cases 486
  Sample Configurations for Routed Subscriber Session 487
  Verification of Routed Subscriber Session Configurations 489

APPENDIX E  DIAMETER Attributes 497
  BNG DIAMETER Gx Application AVPs 497
  BNG DIAMETER Gy Application AVPs 499
  BNG DIAMETER NASREQ Application Cisco AVPs 500
  DIAMETER Accounting AVP 503
  DIAMETER Session-Id AVP 504
  RADIUS Attributes in DIAMETER Messages 505
  Sample Packets for BNG DIAMETER Messages 506

Broadband Network Gateway Configuration Guide for Cisco ASR 9000 Series Routers, IOS XR Release 6.2.x iii
Preface
Note This product has reached end-of-life status. For more information, see
the End-of-Life and End-of-Sale Notices.
From Release 6.1.2 onwards, Cisco introduces support for the 64-bit Linux-
based IOS XR operating system. Extensive feature parity is maintained between
the 32-bit and 64-bit environments. Unless explicitly marked otherwise, the
contents of this document are applicable for both the environments. For more
details on Cisco IOS XR 64 bit, refer to the Release Notes for Cisco ASR 9000
Series Routers, Release 6.1.2 document.
This preface contains these sections:
· Changes to This Document, on page xiii
· Communications, Services, and Additional Information, on page xiii
Changes to This Document
Date         Summary
March 2017   Initial release of this document.
July 2017    Republished for Release 6.2.2.
Communications, Services, and Additional Information
· To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
· To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
· To submit a service request, visit Cisco Support.
· To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.
· To obtain general networking, training, and certification titles, visit Cisco Press.
· To find warranty information for a specific product or product family, access Cisco Warranty Finder.
Cisco Bug Search Tool
Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system, which maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides you with detailed defect information about your products and software.
CHAPTER 1
New and Changed BNG Features
This table summarizes the new and changed feature information for the Cisco
ASR 9000 Series Aggregation Services Router Broadband Network Gateway
Configuration Guide, and tells you where they are documented.
· BNG Features Added or Modified in IOS XR Release 6.2.x, on page 1
BNG Features Added or Modified in IOS XR Release 6.2.x
Feature: BNG support on the Cisco ASR 9000 Series 24-Port and 48-Port Dual-Rate 10GE/1GE Line Cards
Description: This feature was introduced.
Changed in Release: Release 6.2.2
Where Documented: Broadband Network Gateway Overview chapter: Broadband Network Gateway Overview, on page 9

Feature: BNG Geo Redundancy with Satellite
Description: This feature was introduced.
Changed in Release: Release 6.2.2
Where Documented: BNG Geo Redundancy chapter: BNG Geo Redundancy with Satellite, on page 383. For commands, see the Subscriber and Session Redundancy Commands chapter in Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Command Reference.
Feature: Configurable DHCPv6 Option 17
Description: This feature was introduced.
Changed in Release: Release 6.2.1
Where Documented: Establishing Subscriber Sessions chapter: Configurable DHCPv6 Option 17, on page 211. See the BNG DHCP Commands chapter in Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Command Reference, for information on the commands related to this feature.

Feature: Unconditional Proxy ARP Response
Description: This feature was introduced.
Changed in Release: Release 6.2.1
Where Documented: Establishing Subscriber Sessions chapter: Unconditional Proxy ARP Response, on page 109. See the Subscriber and Session Redundancy Commands chapter in Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Command Reference, for information on the commands related to this feature.
Feature: IGMP QoS Correlation for IPoE Subscribers
Description: The IGMP QoS Correlation feature was extended to IPoE subscribers.
Changed in Release: Release 6.2.1
Where Documented: Configuring Subscriber Features chapter: IGMP QoS Correlation for IPoE Subscribers, on page 316. See the Subscriber and Session Redundancy Commands chapter in Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Command Reference, for information on the commands related to this feature.

Feature: DHCP Soft Pool Migration
Description: This feature was introduced.
Changed in Release: Release 6.2.1
Where Documented: Establishing Subscriber Sessions chapter: DHCP Soft Pool Migration, on page 204. See the Address Pool Service Commands chapter in Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Command Reference, for information on the commands related to this feature.

Feature: SNMP Lawful Intercept Using Circuit-Id
Description: This feature was introduced.
Changed in Release: Release 6.2.1
Where Documented: Configuring Subscriber Features chapter: SNMP Lawful Intercept Using Circuit-Id, on page 295
Feature: Multiple Class Support for Ingress Policing for Subscribers
Description: This feature was introduced.
Changed in Release: Release 6.2.1
Where Documented: Deploying the Quality of Service (QoS) chapter: Multiple Class Support for Ingress Policing for Subscribers, on page 274. See the QoS Commands chapter in Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Command Reference, for information on the commands related to this feature.

Feature: Controlling Subscriber Plans Using Protocol Options
Description: This feature was introduced.
Changed in Release: Release 6.2.1
Where Documented: Configuring Subscriber Features chapter: Controlling Subscriber Plans Using Protocol Options, on page 350. See the Subscriber and Session Redundancy Commands chapter and Control Policy Commands in Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Command Reference, for information on the commands related to this feature.
Feature: New MAC Address Format for RADIUS User-name Attribute
Description: A new MAC address format was introduced for the RADIUS User-name attribute.
Changed in Release: Release 6.2.1
Where Documented: Configuring Authentication, Authorization, and Accounting Functions chapter: Creating Attributes of Specific Format, on page 29. See the BNG AAA Commands chapter in Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Command Reference, for information on the commands related to this feature.

Feature: Group-based Grandparent Shaping
Description: This feature was introduced.
Changed in Release: Release 6.2.1
Where Documented: Deploying the Quality of Service (QoS) chapter: Group-based Grandparent Shaping, on page 275. See the QoS Commands chapter in Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Command Reference, for information on the commands related to this feature.
Feature: PPP Class-based DHCPv6 Mode Selection
Description: This feature was introduced.
Changed in Release: Release 6.2.1
Where Documented: Establishing Subscriber Sessions chapter: PPP Class-based DHCPv6 Mode Selection, on page 183. See the BNG DHCP Commands chapter in Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Command Reference, for information on the commands related to this feature.

Feature: Global PPPoE BBA-Group
Description: This feature was introduced.
Changed in Release: Release 6.2.1
Where Documented: Establishing Subscriber Sessions chapter: PPPoE Session Limit, on page 139. See the PPPoE Commands chapter in Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Command Reference, for information on the commands related to this feature.
Feature: Geo Redundancy using SERG for IPv6 ND Clients
Description: This feature was introduced.
Changed in Release: Release 6.2.1
Where Documented: BNG Geo Redundancy chapter: Configuring and Verifying Session Redundancy for IPv6 ND Clients, on page 373. See the Subscriber and Session Redundancy Commands chapter in Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Command Reference, for information on the commands related to this feature.

Feature: Geo Redundancy using SERG for DHCPv6 Clients
Description: This feature was introduced.
Changed in Release: Release 6.2.1
Where Documented: BNG Geo Redundancy chapter: Configuring and Verifying Session Redundancy for DHCPv6 Clients, on page 365. See the Subscriber and Session Redundancy Commands chapter in Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Command Reference, for information on the commands related to this feature.

Feature: Local VPDN for LAC
Description: This feature was introduced.
Changed in Release: Release 6.2.1
Where Documented: Establishing Subscriber Sessions chapter: Local VPDN RADIUS Enhancement, on page 134
CHAPTER 2
Broadband Network Gateway Overview
This chapter provides an overview of the Broadband Network Gateway (BNG)
functionality implemented on the Cisco ASR 9000 Series Router.
Table 1: Feature History for Broadband Network Gateway Overview
Release         Modification
Release 4.2.0   Initial release of BNG.
Release 5.3.3   RSP-880 support was added.
Release 6.1.2   Added BNG support for these hardware: A9K-8X100G-LB-SE, A9K-8X100GE-SE, A9K-4X100GE-SE, A9K-MOD200-SE, A9K-MOD400-SE, A9K-MPA-1x100GE, A9K-MPA-2x100GE, A9K-MPA-20x10GE
Release 6.1.2   Added BNG support for the use of Cisco NCS 5000 Series Router as a satellite.
Release 6.1.2   Added BNG smart licensing feature.
Release 6.2.2   Added the support for BNG Geo Redundancy over Cisco NCS 5000 Series Router satellite.
Release 6.2.2   Added BNG support for the following hardware: A9K-48X10GE-1G-SE, A9K-24X10GE-1G-SE
· Understanding BNG, on page 10
· BNG Architecture, on page 10
· BNG Role in ISP Network Models, on page 13
· BNG Packaging, on page 14
· BNG Configuration Process, on page 15
· Hardware Requirements for BNG, on page 16
· BNG Interoperability, on page 18
· BNG Smart Licensing, on page 19
Understanding BNG
Broadband Network Gateway (BNG) is the access point for subscribers, through
which they connect to the broadband network. When a connection is established
between BNG and Customer Premise Equipment (CPE), the subscriber can access
the broadband services provided by the Network Service Provider (NSP) or
Internet Service Provider (ISP). BNG establishes and manages subscriber
sessions. When a session is active, BNG aggregates traffic from various
subscriber sessions from an access network, and routes it to the network of
the service provider. BNG is deployed by the service provider and is present
at the first aggregation point in the network, such as the edge router. An
edge router, like the Cisco ASR 9000 Series Router, needs to be configured to
act as the BNG. Because the subscriber directly connects to the edge router,
BNG effectively manages subscriber access, and subscriber management functions
such as:
· Authentication, authorization and accounting of subscriber sessions
· Address assignment
· Security
· Policy management
· Quality of Service (QoS)
Some benefits of using BNG are:
· The BNG router not only performs the routing function but also communicates
with the authentication, authorization, and accounting (AAA) server to perform
session management and billing functions. This makes the BNG solution more
comprehensive.
· Different subscribers can be provided different network services. This
enables the service provider to customize the broadband package for each
customer based on their needs.
BNG Architecture
The goal of the BNG architecture is to enable the BNG router to interact with
peripheral devices (like CPE) and servers (like AAA and DHCP), in order to
provide broadband connectivity to subscribers and manage subscriber sessions.
The basic BNG architecture is shown in this figure.
Figure 1: BNG Architecture
The BNG architecture is designed to perform these tasks:
· Connecting with the Customer Premise Equipment (CPE) that needs to be served
broadband services.
· Establishing subscriber sessions using IPoE or PPPoE protocols.
· Interacting with the AAA server that authenticates subscribers, and keeps an
account of subscriber sessions.
· Interacting with the DHCP server to provide IP addresses to clients.
· Advertising the subscriber routes.
The five BNG tasks are briefly explained in the following sections.
Connecting with the CPE
BNG connects to the CPE through a multiplexer and Home Gateway (HG). The CPE
represents the triple play service in telecommunications, namely, voice
(phone), video (set top box), and data (PC). The individual subscriber devices
connect to the HG. In this example, the subscriber connects to the network
over a Digital Subscriber Line (DSL) connection. Therefore, the HG connects
into a DSL Access Multiplexer (DSLAM). Multiple HGs can connect to a single
DSLAM, which sends the aggregated traffic to the BNG router. The BNG router
routes traffic between the broadband remote access devices (like DSLAM or
Ethernet Aggregation Switch) and the service provider network.
Establishing Subscriber Sessions
Each subscriber (or more specifically, an application running on the CPE)
connects to the network by a logical session. Based on the protocol used,
subscriber sessions are classified into two types:
· PPPoE subscriber session–The PPP over Ethernet (PPPoE) subscriber session is
established using the point-to-point (PPP) protocol that runs between the CPE
and BNG.
· IPoE subscriber session–The IP over Ethernet (IPoE) subscriber session is
established using the IP protocol that runs between the CPE and BNG; IP
addressing is done using the DHCP protocol.
Interacting with the RADIUS Server
BNG relies on an external Remote Authentication Dial-In User Service (RADIUS)
server to provide subscriber Authentication, Authorization, and Accounting
(AAA) functions. During the AAA process, BNG uses RADIUS to:
· authenticate a subscriber before establishing a subscriber session
· authorize the subscriber to access specific network services or resources
· track usage of broadband services for accounting or billing
The RADIUS server contains a complete database of all subscribers of a service
provider, and provides subscriber data updates to the BNG in the form of
attributes within RADIUS messages. BNG, on the other hand, provides session
usage (accounting) information to the RADIUS server. For more information
about RADIUS attributes, see RADIUS Attributes, on page 443.
BNG supports connections to more than one RADIUS server, for fail-over
redundancy in the AAA process. For example, if RADIUS server A is active, BNG
directs all messages to RADIUS server A. If communication with RADIUS server A
is lost, BNG redirects all messages to RADIUS server B.
BNG can also load-balance requests across the RADIUS servers of a group.
During load balancing, BNG sends an AAA request to RADIUS server A only if
that server has capacity to process it; otherwise the request is sent to
RADIUS server B. The load-balancing method and batch size are configured on
the server group; see Balancing Transaction Load on the RADIUS Server, on
page 47.
Interacting with the DHCP Server
BNG relies on an external Dynamic Host Configuration Protocol (DHCP) server
for address allocation and client configuration functions. BNG can connect to
more than one DHCP server to have fail over redundancy in the addressing
process. The DHCP server contains an IP address pool, from which it allocates
addresses to the CPE.
During the interaction between BNG and the DHCP server, BNG acts as a DHCP
relay or as a DHCP proxy.
As a DHCP relay, BNG receives the DHCP broadcasts from the client CPE and
forwards the requests to the DHCP server.
As a DHCP proxy, BNG itself maintains the address pool, acquiring it from the
DHCP server, and also manages the IP address leases. BNG communicates at
Layer 2 with the client Home Gateway and at Layer 3 with the DHCP server.
The DSLAM modifies the DHCP packets by inserting subscriber identification
information (the DHCP Relay Agent Information option, Option 82, typically
carrying a Circuit-ID and a Remote-ID for the access port). BNG uses the
identification information inserted by the DSLAM, together with the address
assigned by the DHCP server, to identify the subscriber on the network and to
monitor the IP address lease. Because this information is trusted as the
subscriber's identity, the access node must overwrite or discard any Option
82 that a CPE itself places in a packet.
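The Option 82 handling described above, as an added example in Python (not code from this guide or from Cisco): it constructs a DHCPDISCOVER the way a DSLAM would forward it with Option 82 inserted, then extracts the client MAC, Circuit-ID and Remote-ID the way a BNG acting as relay or proxy would key the subscriber. The MAC address, circuit and remote identifiers and the packet bytes are constructed values, and the refusal of requests without Option 82 is a policy choice made for the example.

```python
"""Option 82 parsing as a BNG DHCP relay/proxy would do it.

Added example, not code from the Cisco guide.  The DHCPDISCOVER is constructed
inline; the MAC, circuit-id and remote-id values are made up.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that starts the options field
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE = 53                   # RFC 2132 DHCP Message Type
OPT_RELAY_AGENT = 82                # RFC 3046 Relay Agent Information
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
DHCPDISCOVER = 1


def build_discover(mac: bytes, circuit_id: bytes = b"", remote_id: bytes = b"",
                   hops: int = 1, xid: int = 0x3903F326) -> bytes:
    """Construct a DHCPDISCOVER; when circuit_id/remote_id are given, append the
    Option 82 an access node would insert before forwarding the client's broadcast."""
    # BOOTP fixed header (236 bytes): op, htype, hlen, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, 16-byte chaddr, 64-byte sname, 128-byte file
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, hops, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if circuit_id or remote_id:
        subs = b""
        if circuit_id:
            subs += bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
        if remote_id:
            subs += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
        options += bytes([OPT_RELAY_AGENT, len(subs)]) + subs
    return header + DHCP_MAGIC + options + bytes([OPT_END])


def parse_tlvs(buf: bytes, pad_end: bool = True) -> dict:
    """Type/length/value walk shared by the options field and the Option 82
    sub-options (which have no pad/end codes, hence pad_end=False).  Truncated
    or repeated TLVs are rejected so a malformed packet cannot yield a partial
    or ambiguous subscriber identity."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if pad_end and code == OPT_END:
            break
        if pad_end and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("TLV %d has no length byte" % code)
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV %d truncated" % code)
        if code in out:
            raise ValueError("TLV %d repeated" % code)
        out[code] = value
        i += 2 + length
    return out


def subscriber_identity(packet: bytes) -> dict:
    """Return what the BNG keys the subscriber on: the client MAC from the BOOTP
    header plus the circuit-id/remote-id the access node inserted.  A request
    without Option 82 is refused (example policy), because the BNG could not then
    tie the lease, and the session, to an access port."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    mac = packet[28:28 + hlen]
    options = parse_tlvs(packet[240:])
    if OPT_MSG_TYPE not in options:
        raise ValueError("no DHCP Message Type option")
    if OPT_RELAY_AGENT not in options:
        raise ValueError("no Option 82: request did not pass through the access node")
    subs = parse_tlvs(options[OPT_RELAY_AGENT], pad_end=False)
    circuit = subs.get(SUB_CIRCUIT_ID, b"")
    if not circuit:
        raise ValueError("Option 82 present but carries no circuit-id")
    return {
        "mac": ":".join("%02x" % b for b in mac),
        "msg_type": options[OPT_MSG_TYPE][0],
        "circuit_id": circuit.decode("ascii", "replace"),
        "remote_id": subs.get(SUB_REMOTE_ID, b"").decode("ascii", "replace"),
    }


if __name__ == "__main__":
    pkt = build_discover(b"\x00\x11\x22\x33\x44\x55", b"dslam1 eth 1/2/3", b"cust-0042")
    print(subscriber_identity(pkt))
```

The parser cannot tell a DSLAM-inserted Option 82 from one a subscriber forged, so the check is only as good as the access node's policy of stripping client-supplied Option 82 on untrusted ports; the BNG should additionally rate-limit DHCP from each access interface so a single CPE cannot exhaust the pool.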
Advertising Subscriber Routes
For optimal performance in designs where the Border Gateway Protocol (BGP)
advertises the subscriber routes, the BNG advertises the entire subnet
designated for its subscribers, using the network command in the BGP
configuration, rather than one route per subscriber.
The BNG redistributes the individual subscriber routes only when the RADIUS
server assigns the IP address to a subscriber and there is no way to know in
advance which BNG that subscriber will connect to, so the address cannot be
covered by a per-BNG aggregate.
BNG Role in ISP Network Models
The role of BNG is to pass traffic from the subscriber to the ISP. The manner
in which BNG connects to the ISP depends on the model of the network in which
it is present. There are two types of network models:
· Network Service Provider, on page 13
· Access Network Provider, on page 13
Network Service Provider
The following figure shows the topology of a Network Service Provider model.
Figure 2: Network Service Provider Model
In the Network Service Provider model, the ISP (also called the retailer)
directly provides the broadband connection to the subscriber. As shown in the
above figure, BNG is at the edge router, and its role is to connect to the
core network through uplinks.
Access Network Provider
The following figure shows the topology of an Access Network Provider model.
Figure 3: Access Network Provider Model
In the Access Network Provider model, a network carrier (also called the
wholesaler) owns the edge network infrastructure, and provides the broadband
connection to the subscriber. However, the network carrier does not own the
broadband network. Instead, the network carrier connects to one of the ISPs
that manage the broadband network.
BNG is implemented by the network carrier and its role is to hand the
subscriber traffic off to one of several ISPs. The hand-off task, from the
carrier to the ISP, is implemented by Layer 2 Tunneling Protocol (L2TP) or
Layer 3 Virtual Private Networking (VPN). L2TP requires two distinct network
components:
· L2TP Access Concentrator (LAC)–The LAC is provided by the BNG.
· L2TP Network Server (LNS)–The LNS is provided by the ISP.
BNG Packaging
The BNG pie, asr9k-bng-px.pie, can be installed and activated on the Cisco ASR
9000 Series Router to access the BNG features. The install, uninstall,
activate and deactivate operations can be performed without rebooting the
router.
It is recommended that the relevant BNG configurations be removed from the
running configuration of the router, before uninstalling or deactivating the
BNG pie.
Installing and Activating the BNG Pie on Cisco ASR 9000 Series Router
Perform this task to install and activate the BNG pie on the Cisco ASR 9000
Series Router:
SUMMARY STEPS
1. admin
2. install add {pie_location | source | tar}
3. install activate {pie_name | id}

DETAILED STEPS

Step 1: admin
Purpose: Enters the administration mode.
Example:
RP/0/RSP0/CPU0:router# admin

Step 2: install add {pie_location | source | tar}
Purpose: Installs the pie from the tftp location on to the Cisco ASR 9000
Series Router. TFTP provides no integrity protection, so verify the hash of
the downloaded pie against the value published with the image before
activating it.
Example:
RP/0/RSP0/CPU0:router(admin)# install add tftp://223.255.254.254/softdir/asr9k-bng-px.pie

Step 3: install activate {pie_name | id}
Purpose: Activates the installed pie on the Cisco ASR 9000 Series Router.
Example:
RP/0/RSP0/CPU0:router(admin)# install activate asr9k-bng-px.pie
What to do next
Note During upgrade from Release 4.2.1 to Release 4.3.0, it is recommended
that the Cisco ASR 9000 base image pie (asr9k-mini-px.pie) is installed prior
to installing the BNG pie (asr9k-bng-px.pie).
After BNG pie is installed, you must copy BNG related configurations from the
flash or tftp location to the router. If BNG pie is deactivated and activated
again, then load the removed BNG configurations by executing the load
configuration removed command from the configuration terminal.
Note Most of the BNG feature configurations are moved to a new namespace
partition, and hence BNG features are not available by default now. To avoid
inconsistent BNG configurations before, or after installing the BNG pie, run
the clear configuration inconsistency command, in EXEC mode.
BNG Configuration Process
Configuring BNG on the Cisco ASR 9000 Series Router involves these stages:
· Configuring RADIUS Server–BNG is configured to interact with the RADIUS
server for authentication, authorization, and accounting functions. For
details, see Configuring Authentication, Authorization, and Accounting
Functions, on page 21.
· Activating Control Policy–Control policies are activated to determine the
action that BNG takes when specific events occur. The instructions for the
action are provided in a policy map. For details, see Activating Control
Policy, on page 75.
· Establishing Subscriber Sessions–Configurations are done to set up one or
more logical sessions, from the subscriber to the network, for accessing
broadband services. Each session is uniquely tracked and managed. For details,
see Establishing Subscriber Sessions, on page 87.
· Deploying QoS–Quality of Service (QoS) is deployed to provide control over a
variety of network applications and traffic types. For example, the service
provider can control the resources (for example, bandwidth) allocated to each
subscriber, provide customized services, and give priority to traffic
belonging to mission-critical applications. For details, see Deploying the
Quality of Service (QoS), on page 227.
· Configuring Subscriber Features–Configurations are done to activate certain
subscriber features that provide additional capabilities like policy based
routing, access control using access lists and access groups, and multicast
services. For details, see Configuring Subscriber Features, on page 277.
· Verifying Session Establishment–Established sessions are verified and
monitored to ensure that connections are always available for use. The
verification is primarily done using "show" commands. Refer to the Cisco ASR
9000 Series Aggregation Services Router Broadband Network Gateway Command
Reference guide for the list of the various "show" commands.
To use a BNG command, you must be in a user group associated with a task group
that includes the proper task IDs. The Cisco ASR 9000 Series Aggregation
Services Router Broadband Network Gateway Command Reference guide includes the
task IDs required for each command. If you suspect that the user group
assignment is preventing you from using a command, contact your AAA
administrator for assistance.
Restriction
The Select VRF Download (SVD) must be disabled when BNG is configured. For
more information about SVD, see the Cisco IOS XR Routing Configuration Guide
for the Cisco XR 12000 Series Router.
Hardware Requirements for BNG
This hardware supports BNG:
· The Satellite Network Virtualization (nV) system.
· The route switch processors RSP-440, RSP-880 and RSP-880-LT-SE.
· The route processors A99-RP-SE and A99-RP2-SE, on the Cisco ASR 9912 and
Cisco ASR 9922 chassis.
· The line cards and modular port adapters listed in the table below.
Table 2: Line Cards and Modular Port Adapters Supported on BNG
Part Number – Product Description
A9K-24X10GE-SE – 24-Port 10-Gigabit Ethernet Line Card, Service Edge Optimized
A9K-36X10GE-SE – 36-Port 10-Gigabit Ethernet Line Card, Service Edge Optimized
A9K-40GE-SE – 40-Port Gigabit Ethernet Line Card, Service Edge Optimized
A9K-4T16GE-SE – 4-Port 10-Gigabit Ethernet, 16-Port Gigabit Ethernet Line Card, 40G Service Edge Optimized
A9K-8X100G-LB-SE – Cisco ASR 9000 8-port 100GE "LAN-only" Service Edge Optimized Line Card (high-density 100GE), requires CPAK optics
A9K-8x100GE-SE – Cisco ASR 9000 8-port 100GE "LAN/WAN/OTN" Service Edge Optimized Line Card (high-density 100GE), requires CPAK optics
A9K-4x100GE-SE – Cisco ASR 9000 4-port 100GE "LAN/WAN/OTN" Service Edge Optimized Line Card (high-density 100GE), requires CPAK optics
A9K-24X10-1GE-SE – Cisco ASR 9000 Series 24-port dual-rate 10GE/1GE Service Edge Optimized Line Card
A9K-48X10-1GE-SE – Cisco ASR 9000 Series 48-port dual-rate 10GE/1GE Service Edge Optimized Line Card
A9K-MOD80-SE – 80-Gigabit Modular Line Card, Service Edge Optimized
A9K-MOD160-SE – 160-Gigabit Modular Line Card, Service Edge Optimized
A9K-MPA-20GE – 20-Port Gigabit Ethernet Modular Port Adapter (MPA)
A9K-MOD200-SE – ASR 9000 200G Modular Line Card, Service Edge Optimized, requires modular port adapters
A9K-MOD400-SE – ASR 9000 400G Modular Line Card, Service Edge Optimized, requires modular port adapters
A9K-MPA-2X10GE – 2-port 10-Gigabit Ethernet Modular Port Adapter (MPA)
A9K-MPA-4X10GE – 4-Port 10-Gigabit Ethernet Modular Port Adapter (MPA)
A9K-MPA-20x10GE – ASR 9000 20-port 10-Gigabit Ethernet Modular Port Adapter, requires SFP+ optics
A9K-MPA-2X40GE – 2-port 40-Gigabit Ethernet Modular Port Adapter (MPA)
A9K-MPA-1X40GE – 1-Port 40-Gigabit Ethernet Modular Port Adapter (MPA)
A9K-MPA-1x100GE – ASR 9000 1-port 100-Gigabit Ethernet Modular Port Adapter, requires CFP2-ER4 or CPAK optics
A9K-MPA-2x100GE – ASR 9000 2-port 100-Gigabit Ethernet Modular Port Adapter, requires CFP2-ER4 or CPAK optics
BNG Interoperability
The BNG interoperability allows BNG to exchange and use information with other
larger heterogeneous networks. These are the key features:
· BNG Coexists with ASR9001:
The ASR9001 is a standalone router with high processing capability that
comprises a route switch processor (RSP), line cards (LCs), and Ethernet
plugs (EPs). All BNG features are fully supported on the ASR9001 chassis.
· BNG Supports nV Satellite:
The only topology that is supported with BNG-nV Satellite is – bundled
Ethernet ports on the CPE side of the Satellite node connected to the Cisco
ASR 9000 through non-bundle configuration (static-pinning). That is,
CPE — Bundle — [Satellite] — Non Bundle ICL — ASR9K
Although the following topology is supported on Satellite nV System (from
Cisco IOS XR Software Release 5.3.2 onwards), it is not supported on BNG:
· Bundled Ethernet ports on the CPE side of the satellite node, connected to
the Cisco ASR 9000 through bundle Ethernet connection.
From Cisco IOS XR Software Release 6.1.2 and later, BNG supports the use of
Cisco NCS 5000 Series Router as a Satellite.
From Cisco IOS XR Software Release 6.2.2 and later, the BNG geo redundancy
feature is supported on the Cisco IOS XR 32 bit operating system with the
Cisco NCS 5000 Series satellite. Whereas, the same remains unsupported for
Cisco ASR 9000v satellite. For details, see BNG Geo Redundancy chapter in
Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway
Configuration Guide.
For details on nV Satellite configuration, see nV System Configuration Guide
for Cisco ASR 9000 Series Routers located here.
· BNG interoperates with Carrier Grade NAT (CGN):
To address the impending threat from IPv4 address space depletion, it is
recommended that the remaining or available IPv4 addresses be shared among
larger numbers of customers. This is done by using CGN, which primarily pulls
the address allocation to a more centralized NAT in the service provider
network. NAT44 is a technology that uses CGN and helps manage depletion issues
of the IPv4 address space. BNG supports the ability to perform NAT44
translation on IPoE and PPPoE-based BNG subscriber sessions.
Note For BNG and CGN interoperability, configure the BNG interface and the
application service virtual interface (SVI) on the same VRF instance.
Restrictions
· Only bundle access with non-bundle ICLs is supported for BNG interfaces over
Satellite nV System access interfaces.
BNG Smart Licensing
BNG supports Cisco Smart Software Licensing, which provides a simplified way
for customers to purchase licenses and to manage them across their network.
This provides a customizable, consumption-based model that aligns with the
network growth of the customer. It also provides the flexibility to quickly
modify or upgrade software feature configurations to deploy new services over
time. For more information about Cisco Smart Software Licensing, see the
Software Entitlement on the Cisco ASR 9000 Series Router chapter of the System
Management Configuration Guide for Cisco ASR 9000 Series Routers. For the
latest updates, refer to the latest version of the guides at
http://www.cisco.com/c/en/us/support/ios-nx-os-software/ios-xr-software/products-installation-and-configuration-guides-list.html.
BNG Smart Licensing supports both geo-redundant and non-geo-redundant
subscriber sessions. One license is required for every group of 8000
subscribers or fraction of it; for example, two licenses are required for
9000 subscribers. These are the software license PIDs for BNG:
· S-A9K-BNG-LIC-8K – for non-geo redundancy sessions
· S-A9K-BNG-ADV-8K – for geo redundancy sessions
You can use the show sessionmon license command to display the subscriber
session statistics.
Chapter 3
Configuring Authentication, Authorization, and Accounting Functions
This chapter provides information about configuring authentication,
authorization, and accounting (AAA) functions on the BNG router. BNG interacts
with the RADIUS server to perform AAA functions. A group of RADIUS servers
form a server group that is assigned specific AAA tasks. A method list defined
on a server or server group lists methods by which authorization is performed.
Some of the RADIUS features include creating specific AAA attribute formats,
load balancing of RADIUS servers, throttling of RADIUS records, Change of
Authorization (CoA), and Service Accounting for QoS.
Table 3: Feature History for Configuring Authentication, Authorization, and
Accounting Functions
Release 4.2.0 – Initial release.
Release 5.3.1 – RADIUS over IPv6 was introduced.
Release 5.3.2 – Service accounting support was added for line card subscribers.
Release 6.2.1 – A new MAC address format was introduced for the RADIUS User-Name attribute.
Release 6.6.3 – Dynamic Policy Download over RADIUS Interface for BNG Subscriber was introduced.
This chapter covers these topics:
· Configuring Authentication, Authorization, and Accounting Functions, on page 22
· AAA Overview, on page 22
· Using RADIUS Server Group, on page 24
· Specifying Method List, on page 26
· Defining AAA Attributes, on page 28
· Making RADIUS Server Settings, on page 40
· Balancing Transaction Load on the RADIUS Server, on page 47
· Throttling of RADIUS Records, on page 50
· RADIUS Change of Authorization (CoA) Overview, on page 54
· User Authentication and Authorization in the Local Network, on page 62
· Service Accounting, on page 67
· Understanding Per-VRF AAA Function, on page 72
· RADIUS over IPv6, on page 73
· Additional References, on page 73
AAA Overview
AAA acts as a framework for effective network management and security. It
helps in managing network resources, enforcing policies, auditing network
usage, and providing bill-related information. BNG connects to an external
RADIUS server that provides the AAA functions.
The RADIUS server performs the three independent security functions
(authentication, authorization, and accounting) to secure networks against
unauthorized access. The RADIUS server runs the Remote Authentication Dial-In
User Service (RADIUS) protocol. (For details about RADIUS protocol, refer to
RFC 2865). The RADIUS server manages the AAA process by interacting with BNG,
and databases and directories containing user information.
The RADIUS protocol runs on a distributed client-server system. The RADIUS
client runs on BNG (Cisco ASR 9000 Series Router) that sends authentication
requests to a central RADIUS server. The RADIUS server contains all user
authentication and network service access information.
The AAA processes, the role of RADIUS server during these processes, and some
BNG restrictions, are explained in these sections:
Authentication
The authentication process identifies a subscriber on the network, before
granting access to the network and network services. The process of
authentication works on a unique set of criteria that each subscriber has for
gaining access to the network. Typically, the RADIUS server performs
authentication by matching the credentials (user name and password) the
subscriber enters with those present in the database for that subscriber. If
the credentials match, the subscriber is granted access to the network.
Otherwise, the authentication process fails, and network access is denied.
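The credential check described above, as an added example in Python (not code from this guide or from Cisco): it encodes the Access-Request that the BNG, as RADIUS client (NAS), sends, hides the User-Password attribute the way RFC 2865 specifies, lets a toy server reveal and compare the password, and verifies the Response Authenticator on the reply before an Access-Accept is trusted. The shared secret, user name, password and the fixed Request Authenticator used for the demonstration are made up.

```python
"""RADIUS Access-Request / Access-Accept handling between a NAS (the BNG) and a
RADIUS server, per RFC 2865.  Added example, not code from the Cisco guide; the
shared secret, user name and password are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")   # code, identifier, length; then 16-byte authenticator


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side inverse: the key stream for block n depends on ciphertext
    block n-1, so the chain must be walked in order."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\0")


def encode_attrs(attrs) -> bytes:
    """Attributes are type/length/value with the length covering the header."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def decode_attrs(body: bytes) -> dict:
    out, i = {}, 0
    while i < len(body):
        t, l = body[i], body[i + 1]
        if l < 2 or i + l > len(body):
            raise ValueError("malformed attribute")
        out[t] = body[i + 2:i + l]
        i += l
    return out


def build_access_request(identifier, username, password, secret, request_auth=None):
    """NAS side.  The Request Authenticator must be unpredictable: it seeds the
    password hiding and is what the Response Authenticator binds the reply to."""
    request_auth = request_auth or os.urandom(16)
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body


def build_response(code, request, secret, attrs=()):
    """Server side.  Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = HEADER.pack(code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body


def verify_response(response, request, secret) -> bool:
    """NAS side.  Without this check anyone who can spoof the server's address
    can forge an Access-Accept and admit a subscriber."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    head, resp_auth, body = response[:4], response[4:20], response[20:]
    if HEADER.unpack(head)[2] != len(response):
        return False
    expected = hashlib.md5(head + request[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def server_authenticate(request, secret, user_db):
    """Toy server: reveal the password, compare it in constant time, answer
    Accept or Reject."""
    attrs = decode_attrs(request[20:])
    pw = reveal_password(attrs[USER_PASSWORD], secret, request[4:20])
    ok = hmac.compare_digest(user_db.get(attrs[USER_NAME], b""), pw)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


if __name__ == "__main__":
    secret = b"bng-radius-secret"                       # constructed
    db = {b"sub-0042@isp.example": b"correct horse battery"}
    req = build_access_request(7, b"sub-0042@isp.example", b"correct horse battery", secret)
    resp = server_authenticate(req, secret, db)
    print("code", resp[0], "authentic", verify_response(resp, req, secret))
```

The MD5-based password hiding and packet authenticator are weak by current standards: the shared secret is the only key material, and anyone who can observe and replay traffic between BNG and server can attack it offline. Treat the RADIUS path as sensitive, keep the secret long and per-server, restrict it to the dedicated VRF the server group is placed in, and use IPsec or RADIUS/TLS (RFC 6614) where the server supports it.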
Authorization
After the authentication process, the subscriber is authorized for performing
certain activity. Authorization is the process that determines what type of
activities, resources, or services a subscriber is permitted to use. For
example, after logging into the network, the subscriber may try to access a
database, or a restricted website. The authorization process determines
whether the subscriber has the authority to access these network resources.
AAA authorization works by assembling a set of attributes based on the
authentication credentials provided by the subscriber. The RADIUS server
compares these attributes, for a given username, with information contained in
a database. The result is returned to BNG to determine the actual capabilities
and restrictions that are to be applied for that subscriber.
Accounting
Accounting keeps track of the resources used by the subscriber during network
access. Accounting is used for billing, trend analysis, tracking resource
utilization, and capacity planning. During the accounting process, a log of
network usage statistics is maintained. The information monitored includes,
but is not limited to, subscriber identities, the configurations applied to
the subscriber, the start and stop times of network connections, and the
number of packets and bytes transferred to and from the network.
BNG reports subscriber activity to the RADIUS server in the form of accounting
records. Each accounting record comprises a set of accounting attribute
values, which the RADIUS server analyzes and uses for network management,
client billing, auditing, and so on.
The accounting records of subscriber sessions may time out if the BNG does
not receive acknowledgments from the RADIUS server. This can happen because
the RADIUS server is unreachable, or because network connectivity issues make
the RADIUS server slow to respond. If sessions on the BNG never receive an
acknowledgment for their Accounting-Start request, loss of those sessions on
route processor fail over (RPFO), and other critical failures, are reported.
It is therefore recommended that a RADIUS server deadtime be configured on the
BNG to avoid loss of sessions. Once deadtime is configured, if a session does
not receive an accounting response even after the retries, that RADIUS server
is considered non-working and further requests are not sent to it until the
deadtime expires.
The radius-server deadtime limit command can be used to configure the deadtime
for the RADIUS server. For details, see Configuring RADIUS Server Settings, on
page 41.
Restrictions
· On session disconnect, transmission of the Accounting-Stop request to RADIUS
may be delayed for a few seconds while the system waits for the “final”
session statistics to be collected from the hardware. The Event-Timestamp
attribute in that Accounting-Stop request should, however, reflect the time
the client disconnects, and not the transmission time.
Using RADIUS Server Group
A RADIUS server group is a named group of one or more RADIUS servers. Each
server group is used for a particular service. For example, in an AAA network
configuration having two RADIUS server groups, the first server group can be
assigned the authentication and authorization task, while the second group can
be assigned the accounting task.
Server groups can include multiple host entries for the same server. Each
entry, however, must have a unique identifier. This unique identifier is
created by combining an IP address and a UDP port number. Different ports of
the server, therefore, can be separately defined as individual RADIUS hosts
providing a specific AAA service. In other words, this unique identifier
enables RADIUS requests to be sent to different UDP ports on the same server.
Further, if two different host entries on the same RADIUS server are
configured for the same service (like the authentication process), then the
second host entry acts as a fail-over backup for the first one. That is, if
the first host entry fails to provide authentication services, BNG tries with
the second host entry. (The RADIUS host entries are tried in the order in
which they are created.)
For assigning specific actions to the server group, see Configuring RADIUS
Server Group, on page 24.
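The fail-over order and deadtime behaviour described above and in the Accounting section, as an added example in Python (not code from this guide or from Cisco): a server group tries its hosts in configuration order, retries each a fixed number of times, and, when deadtime is configured, marks a host that failed all retries as dead so that later requests skip it until the deadtime expires. The host addresses, the retry count of 3 and the "host A never answers" transport are constructed for the scenario; the real platform's timers and retry counts are configured with the radius-server commands.

```python
"""RADIUS server-group fail-over with deadtime, modelling the behaviour the
guide describes for BNG.  Added example, not Cisco code; the addresses and the
"host A is down" transport are constructed for the scenario."""
from dataclasses import dataclass
from typing import Callable, List


class NoServerAvailable(Exception):
    """Raised when every host in the group is dead or failed all retries."""


@dataclass
class RadiusHost:
    address: str
    auth_port: int = 1645        # IOS XR defaults quoted by the guide
    acct_port: int = 1646
    dead_until: float = 0.0      # time (seconds) until which the host is skipped
    attempts: int = 0            # transmissions sent to this host

    def is_dead(self, now: float) -> bool:
        return now < self.dead_until


@dataclass
class RadiusServerGroup:
    name: str
    hosts: List[RadiusHost]        # tried in configuration order
    deadtime_minutes: int = 0      # 0 = never mark a host dead (the default)
    retries: int = 3               # retransmissions to one host before moving on

    def send(self, now: float, transport: Callable[[RadiusHost], bool]) -> RadiusHost:
        """Deliver one request.  A host that fails every retry is marked dead for
        deadtime_minutes (when configured), so later requests skip it instead of
        burning the same timeouts again, and the next configured host is tried."""
        for host in self.hosts:
            if host.is_dead(now):
                continue
            for _ in range(self.retries):
                host.attempts += 1
                if transport(host):          # True = response received
                    return host
            if self.deadtime_minutes:
                host.dead_until = now + 60 * self.deadtime_minutes
        raise NoServerAvailable(self.name)


def run_scenario(deadtime_minutes: int, times: List[float]) -> dict:
    """Host A never answers, host B always does.  Returns the transmissions each
    host saw for requests issued at the given times (seconds) and who served them."""
    a, b = RadiusHost("192.0.2.10"), RadiusHost("192.0.2.11")   # constructed
    group = RadiusServerGroup("r1", [a, b], deadtime_minutes=deadtime_minutes)
    served = [group.send(t, lambda h: h is b).address for t in times]
    return {"A_attempts": a.attempts, "B_attempts": b.attempts, "served_by": served}


if __name__ == "__main__":
    print("deadtime 0:", run_scenario(0, [0.0, 1.0, 2.0, 3.0]))
    print("deadtime 5:", run_scenario(5, [0.0, 1.0, 2.0, 3.0, 301.0]))
```

With deadtime 0 every request pays the full retry cost on the dead host before reaching the live one, which is the delay that lets Accounting-Start acknowledgments time out; with a deadtime the cost is paid once per deadtime interval. Choose the deadtime so that a server outage is noticed promptly but a recovered server is not ignored for longer than your session churn tolerates.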
Configuring RADIUS Server Group
Perform this task to define a named server group as the server host.
SUMMARY STEPS
1. configure 2. aaa group server radius name 3. accounting accept radius_attribute_list_name 4. authorization reply accept radius_attribute_list_name 5. deadtime limit 6. load-balance method least- outstanding batch-size size ignore-preferred-server 7. server host_name acct- port accounting_port_number auth-port authentication_port_number 8. source- interface name value 9. vrf name 10. Use the commit or end command.
DETAILED STEPS
Step 1
Command or Action configure Example:
Purpose Enters global configuration mode.
Step 2
RP/0/RSP0/CPU0:router# configure
aaa group server radius name Example:
Configures the RADIUS server group named r1.
RP/0/RSP0/CPU0:router(config)# aaa group server radius r1
Broadband Network Gateway Configuration Guide for Cisco ASR 9000 Series Routers, IOS XR Release 6.2.x 24
Configuring Authentication, Authorization, and Accounting Functions
Configuring RADIUS Server Group
Step 3
Command or Action: accounting accept radius_attribute_list_name
Example:
RP/0/RSP0/CPU0:router(config-sg-radius)# accounting accept att_list
Purpose: Configures the RADIUS attribute filter for the accounting process to accept only the attributes specified in the list.
Step 4
Command or Action: authorization reply accept radius_attribute_list_name
Example:
RP/0/RSP0/CPU0:router(config-sg-radius)# authorization reply accept att_list1
Purpose: Configures the RADIUS attribute filter for the authorization process to accept only the attributes specified in the list.
Step 5
Command or Action: deadtime limit
Example:
RP/0/RSP0/CPU0:router(config-sg-radius)# deadtime 40
Purpose: Configures the RADIUS server-group deadtime. The deadtime limit is configured in minutes. The range is from 1 to 1440, and the default is 0.
Step 6
Command or Action: load-balance method least-outstanding batch-size size ignore-preferred-server
Example:
RP/0/RSP0/CPU0:router(config-sg-radius)# load-balance method least-outstanding batch-size 50 ignore-preferred-server
Purpose: Configures the load-balancing batch size after which the next host is picked.
Step 7
Command or Action: server host_name acct-port accounting_port_number auth-port authentication_port_number
Example:
RP/0/RSP0/CPU0:router(config-sg-radius)# server 1.2.3.4 acct-port 455 auth-port 567
Purpose: Specifies the RADIUS server and its IP address or host name. Configures the UDP port for RADIUS accounting and authentication requests. The accounting and authentication port number ranges from 0 to 65535. If no value is specified, the default is 1645 for auth-port and 1646 for acct-port.
From Cisco IOS XR Software Release 5.3.1 and later, an IPv6 address can also be configured for the RADIUS server. The host name option is supported only for IPv4, not for IPv6.
Step 8
Command or Action: source-interface name value
Example:
RP/0/RSP0/CPU0:router(config-sg-radius)# source-interface Bundle-Ether 455
Purpose: Configures the RADIUS server-group source-interface name and value for Bundle-Ether.
Step 9
Command or Action: vrf name
Example:
RP/0/RSP0/CPU0:router(config-sg-radius)# vrf vrf_1
Purpose: Configures the VRF to which the RADIUS server group belongs.
Step 10
Command or Action: Use the commit or end command.
Purpose:
commit – Saves the configuration changes and remains within the configuration session.
end – Prompts user to take one of these actions:
· Yes – Saves configuration changes and exits the configuration session.
· No – Exits the configuration session without committing the configuration changes.
· Cancel – Remains in the configuration session, without committing the configuration changes.
Configuring Radius Server-Group: An example
configure
 aaa group server radius r1
  accounting accept r1 r2
  authorization reply accept a1 a2
  deadtime 8
  load-balance method least-outstanding batch-size 45 ignore-preferred-server
  server host_name acct-port 355 auth-port 544
  source-interface Bundle-Ether100.10
  vrf vrf_1
 !
end
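The load-balance, deadtime and ignore-preferred-server settings in the server-group example above interact in a way the step table only hints at. The following Python model is an added illustration, not Cisco code and not a description of the IOS XR implementation. It assumes that least-outstanding selects the alive server with the fewest unanswered requests, that batch-size is the number of requests sent to that server before the choice is re-evaluated, that a session's preferred server is the one that answered its authentication and by default also receives its later requests, and that a server marked dead is skipped for deadtime minutes. Server names, session IDs and the request sequences are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(eq=False)          # identity comparison: two servers are never "equal"
class RadiusServer:
    name: str
    outstanding: int = 0      # requests sent and not yet answered
    dead_until: float = 0.0   # time (seconds) until which the server is skipped


@dataclass
class ServerGroup:
    """Model of 'aaa group server radius' with least-outstanding load balancing (assumed semantics)."""
    servers: List[RadiusServer]
    batch_size: int = 1
    ignore_preferred_server: bool = False
    deadtime_minutes: int = 0                 # 0 = default: a dead server is not skipped
    current: Optional[RadiusServer] = None    # server receiving the current batch
    sent_in_batch: int = 0
    preferred: Dict[str, RadiusServer] = field(default_factory=dict)  # session-id -> server

    def alive(self, now: float) -> List[RadiusServer]:
        up = [s for s in self.servers if s.dead_until <= now]
        return up or list(self.servers)   # if everything is dead, fall back to all servers

    def pick(self, session_id: str, now: float = 0.0) -> RadiusServer:
        """Select the server for one request from `session_id` and count it as outstanding."""
        up = self.alive(now)
        pref = self.preferred.get(session_id)
        # Stickiness: a session's later requests go to the server that authenticated it,
        # unless ignore-preferred-server is configured or that server is dead.
        if pref is not None and not self.ignore_preferred_server and pref in up:
            pref.outstanding += 1
            return pref
        # Start a new batch when the previous one is used up or its server went dead.
        if (self.current is None or self.sent_in_batch >= self.batch_size
                or self.current not in up):
            self.current = min(up, key=lambda s: s.outstanding)
            self.sent_in_batch = 0
        self.current.outstanding += 1
        self.sent_in_batch += 1
        self.preferred.setdefault(session_id, self.current)
        return self.current

    def reply(self, server: RadiusServer) -> None:
        """A response arrived: one fewer outstanding request on that server."""
        server.outstanding -= 1

    def mark_dead(self, server: RadiusServer, now: float) -> None:
        """Dead-criteria met: skip the server for `deadtime` minutes (if deadtime is non-zero)."""
        if self.deadtime_minutes > 0:
            server.dead_until = now + 60.0 * self.deadtime_minutes


def batch_demo(batch_size: int, requests: int) -> List[str]:
    """Which server each of `requests` fresh sessions hits when no replies arrive."""
    group = ServerGroup([RadiusServer("r1"), RadiusServer("r2")], batch_size=batch_size,
                        ignore_preferred_server=True)
    return [group.pick(f"sess{i}").name for i in range(requests)]


if __name__ == "__main__":
    print(batch_demo(batch_size=2, requests=6))   # r1, r1, r2, r2, r1, r1
```

The model makes the operational consequence of deadtime 0 (the default) visible: with no deadtime, a server that stops answering keeps receiving its share of requests, and only the per-request timeout and retransmit settings limit the damage.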
Specifying Method List
Method lists for AAA define the methods using which authorization is
performed, and the sequence in which these methods are executed. Before any
defined authentication method is performed, the method list must be applied to
the configuration mechanism responsible for validating user-access
credentials. The only exception to this requirement is the default method list
(named “default”). The default method list is automatically applied if no
other method list is defined. A defined method list overrides the default
method list.
On BNG, you have to specify the method list and the server group that will be
used for AAA services. For specifying method lists, see Configuring Method
Lists for AAA, on page 26.
Configuring Method Lists for AAA
Perform this task to assign the method list to be used by the server group for
subscriber authentication, authorization, and accounting.
SUMMARY STEPS
1. configure
2. aaa authentication subscriber default method-list-name group server-group-name
3. aaa authorization subscriber default method-list-name group server-group-name | radius
4. aaa accounting subscriber default method-list-name group server-group-name
5. Use the commit or end command.
DETAILED STEPS
Step 1
Command or Action: configure
Example:
RP/0/RSP0/CPU0:router# configure
Purpose: Enters global configuration mode.
Step 2
Command or Action: aaa authentication subscriber default method-list-name group server-group-name
Example:
RP/0/RSP0/CPU0:router(config)# aaa authentication subscriber default method1 group group1 radius group group2 group group3 …
Purpose: Configures the method list which will be applied by default for subscriber authentication. You can either enter ‘default’ or a user-defined name for the AAA method list. Also, enter the name of the server group on which the method list is applied.
Step 3
Command or Action: aaa authorization subscriber default method-list-name group server-group-name | radius
Example:
RP/0/RSP0/CPU0:router(config)# aaa authorization subscriber default method1 group group1 radius group group2 group group3 …
Purpose: Configures the method list which will be applied by default for subscriber authorization. You can either enter ‘default’ or a user-defined name for the AAA method list. Also, enter the name of the server group on which the method list is applied.
Step 4
Command or Action: aaa accounting subscriber default method-list-name group server-group-name
Example:
RP/0/RSP0/CPU0:router(config)# aaa accounting subscriber default method1 group group1 radius group group2 group group3 …
Purpose: Configures the method list which will be applied by default for subscriber accounting. You can either enter ‘default’ or a user-defined name for the AAA method list. Also, enter the name of the server group on which the method list is applied.
Step 5
Command or Action: Use the commit or end command.
Purpose:
commit – Saves the configuration changes and remains within the configuration session.
end – Prompts user to take one of these actions:
· Yes – Saves configuration changes and exits the configuration session.
· No – Exits the configuration session without committing the configuration changes.
· Cancel – Remains in the configuration session, without committing the configuration changes.
Configuring Method-list for AAA: An example
configure
 aaa authentication subscriber default group radius group rad2 group rad3..
 aaa authorization subscriber default group radius group rad1 group rad2 group rad3..
 aaa accounting subscriber default group radius group rad1 group rad2 group rad3..
 !
!
end
Defining AAA Attributes
The AAA attribute is an element of a RADIUS packet. A RADIUS packet transfers
data between a RADIUS server and a RADIUS client. The AAA attribute parameter
and its value together form an Attribute Value Pair (AVP). The AVP carries data
for both requests and responses in the AAA transaction.
The AAA attributes can be either predefined, as in Internet Engineering Task
Force (IETF) attributes, or vendor defined, as in vendor-specific attributes
(VSAs). For more information about the list of BNG supported attributes, see
RADIUS Attributes, on page 443.
The RADIUS server provides configuration updates to BNG in the form of
attributes in RADIUS messages. The configuration updates can be applied on a
subscriber during session setup through two typical methods: per-user
attributes, which apply configuration on a subscriber as part of the
subscriber’s authentication Access Accept, or explicit domain, port, or service
authorization Access Accepts. This is all controlled by the Policy Rule
Engine’s configuration on the subscriber.
When BNG sends an authentication or an authorization request to an external
RADIUS server as an Access Request, the server sends back configuration
updates to BNG as part of the Access Accept. In addition to RADIUS configuring
a subscriber during setup, the server can send a change of authorization (CoA)
message autonomously to the BNG during the subscriber’s active session life
cycle, even when the BNG did not send a request. These RADIUS CoA updates act
as dynamic updates, referencing configured elements in the BNG and instructing
the BNG to update a particular control policy or service policy.
BNG supports the concept of a “service”, which is a group of configured
features acting together to represent that service. Services can be
represented as either features configured on dynamic-templates through CLI, or
as features configured as RADIUS attributes inside Radius Servers. Services
are activated either directly from CLI or RADIUS through configured “activate”
actions on the Policy Rule Engine, or through CoA “activate-service” requests.
Services can also be deactivated directly (removing all the involved features
within the named service) through configured “deactivate” action on the Policy
Rule Engine or through CoA “deactivate-service” requests.
The attribute values received from RADIUS interact with the subscriber session
in this way:
· BNG merges the values received in the RADIUS update with the existing values
that were provisioned statically by means of CLI commands, or from prior
RADIUS updates.
· In all cases, values received in a RADIUS update take precedence over any
corresponding CLI provisioned values or prior RADIUS updates. Even if you
reconfigured the CLI provisioned values, the system does not override session
attributes or features that were received in a RADIUS update.
· Changes made to CLI-provisioned values on the dynamic template take effect
immediately on all sessions using that template, provided the template
features have not already been overridden by RADIUS. The same applies to
service updates made through CoA “service-update” requests.
AAA Attribute List
An attribute list is named list that contains a set of attributes. You can
configure the RADIUS server to use a particular attribute list to perform the
AAA function.
To create an attribute list, see Configuring RADIUS Attribute List, on page
34.
AAA Attribute Format
It is possible to define a customized format for some attributes. The
configuration syntax for creating a new format is:
aaa attribute format
· format-name — Specifies the name given to the attribute format. This name is
referred when the format is applied on an attribute.
· length — (Optional) Specifies the maximum length of the formatted attribute
string. If the final length of the attribute string is greater than the value
specified in LENGTH, it is truncated to LENGTH bytes. The maximum value
allowed for LENGTH is 255. If the argument is not configured, the default is
also 255.
· string — Contains regular ASCII characters that include conversion
specifiers. Only the % symbol is allowed as a conversion specifier in the
STRING. The STRING value is enclosed in double quotes.
· Identity-Attribute — Identifies a session, and includes user-name, ip-
address, and mac-address. A list of currently-defined identity attributes is
displayed on the CLI.
Once the format is defined, the FORMAT-NAME can be applied to various AAA
attributes such as username, nas-port-ID, calling-station-ID, and called-
station-ID. The configurable AAA attributes that use the format capability are
explained in the section Creating Attributes of Specific Format, on page 29.
To create a customized nas-port attribute and apply a predefined format to the
nas-port-ID attribute, see Configuring RADIUS Attribute Format, on page 36.
Specific functions can be defined for an attribute format for specific
purposes. For example, if the input username is “text@abc.com”, and only the
portion after “@” is required as the username, a function can be defined to
retain only the portion after “@” as the username. Then, “text” is dropped
from the input, and the new username is “abc.com”. To apply username
truncation function to a named-attribute format, see Configuring AAA Attribute
Format Function, on page 38.
Creating Attributes of Specific Format
BNG supports the use of configurable AAA attributes. The configurable AAA
attributes have specific user-defined formats. The following sections list
some of the configurable AAA attributes used by BNG.
Username
BNG has the ability to construct AAA username and other format-supported
attributes for subscribers using MAC address, circuit-ID, remote-ID, and DHCP
Option-60 (and a larger set of values available in CLI). The DHCP option-60 is
one of the newer options that is communicated by the DHCP client to the DHCP
server in its requests; it carries Vendor Class Identifier (VCI) of the DHCP
client’s hardware.
The MAC address attribute is specified in the CLI format in either of these
forms:
· mac-address: for example, 0000.4096.3e4a
· mac-address-ietf: for example, 00-00-40-96-3E-4A
· mac-address-raw: for example, 000040963e4a
· mac-address-custom1: for example, 01.23.45.67.89.AB (This particular MAC
address format is available only from Cisco IOS XR Software Release 6.2.1 and
later).
An example of constructing a username in the form “mac-address@vendor-class-ID” is:
aaa attribute format USERNAME-FORMAT format-string "%s@%s" mac-address dhcp-vendor-class
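The following Python code is an added illustration of how a named attribute format is rendered; it is not Cisco code and does not claim to reproduce the BNG implementation. It models the behaviour described in this chapter: each %s in the format-string is replaced by the next identity attribute, the result is cut to LENGTH bytes (maximum and default 255), the MAC address is available in the four forms listed above, and the username-strip prefix-delimiter function from Configuring AAA Attribute Format Function later in this chapter drops the text up to the delimiter. Attribute names such as dhcp-vendor-class, remote-id-tag and the client-mac-address-* aliases follow the page's own examples; the subscriber session values are constructed.

```python
import re
from typing import Dict, List

MAX_LENGTH = 255   # maximum and default LENGTH of a formatted attribute


def mac_forms(mac: str) -> Dict[str, str]:
    """The four MAC address forms the CLI offers, built from any 12-hex-digit spelling."""
    h = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(h) != 12:
        raise ValueError("a MAC address needs 12 hex digits")
    low, up = h.lower(), h.upper()
    return {
        "mac-address": ".".join(low[i:i + 4] for i in (0, 4, 8)),                # 0000.4096.3e4a
        "mac-address-ietf": "-".join(up[i:i + 2] for i in range(0, 12, 2)),     # 00-00-40-96-3E-4A
        "mac-address-raw": low,                                                 # 000040963e4a
        "mac-address-custom1": ".".join(up[i:i + 2] for i in range(0, 12, 2)),  # 01.23.45.67.89.AB
    }


def identity_values(session: Dict[str, str]) -> Dict[str, str]:
    """Expand a session record into the identity attributes a format can reference."""
    values = dict(session)
    forms = mac_forms(session["mac"])
    values.update(forms)
    # The calling/called-station-ID examples name the client MAC as client-mac-address-*.
    values.update({"client-" + k: v for k, v in forms.items()})
    return values


def render_format(format_string: str, attrs: List[str], session: Dict[str, str],
                  length: int = MAX_LENGTH) -> str:
    """Model of: aaa attribute format NAME [LENGTH] format-string "<format_string>" <attrs...>"""
    if not 1 <= length <= MAX_LENGTH:
        raise ValueError("LENGTH must be between 1 and 255")
    parts = format_string.split("%s")          # only %s is a valid conversion specifier
    if len(parts) - 1 != len(attrs):
        raise ValueError("one identity attribute is needed per %s")
    values = identity_values(session)
    out = parts[0]
    for name, tail in zip(attrs, parts[1:]):   # substitute left to right, never re-scanning
        out += values[name] + tail
    return out[:length]                        # truncated to LENGTH bytes


def username_strip(username: str, prefix_delimiter: str) -> str:
    """username-strip prefix-delimiter: keep only the part after the delimiter."""
    _, sep, tail = username.partition(prefix_delimiter)
    return tail if sep else username           # no delimiter: the name is left unchanged


# Constructed subscriber session (not from the page): a DHCP client sending option 60.
SESSION = {
    "mac": "0000.4096.3e4a",
    "dhcp-vendor-class": "MSFT 5.0",
    "remote-id-tag": "remote-1",
    "circuit-id-tag": "circuit-1",
    "user-name": "text@abc.com",
}

if __name__ == "__main__":
    print(render_format("%s@%s", ["mac-address", "dhcp-vendor-class"], SESSION))
    print(render_format("%s:%s:%s",
                        ["client-mac-address-ietf", "remote-id-tag", "circuit-id-tag"], SESSION))
    print(username_strip(SESSION["user-name"], "@"))
```

Two points the model makes concrete: a LENGTH smaller than the rendered string silently truncates the identity that reaches the RADIUS server, so a format that puts the MAC address last can lose the part that distinguishes subscribers; and username-strip leaves names without the delimiter untouched, so a RADIUS policy keyed on the stripped realm must still handle the unstripped form.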
NAS-Port-ID
The NAS-Port-ID is constructed by combining BNG port information and access-node information. The BNG port information consists of a string in this form:
"eth phy_slot/phy_subslot/phy_port:XPI.XCI"
For 802.1Q tunneling (QinQ), XPI is the outer VLAN tag and XCI is the inner
VLAN tag. If the interface is QinQ, the default format of nas-port-ID includes
both the VLAN tags; if the interface is single tag, it includes a single VLAN
tag. In the case of a single VLAN, only the outer VLAN is configured, using
this syntax:
The NAS-Port-ID formats configured in the above examples can be specified in the nas-port-ID command, thus:
For IPoEoQinQ interface:
aaa radius attribute nas-port-id format NAS-PORT-ID-FORMAT1 type 41
For Virtual IPoEoQinQ interface:
aaa radius attribute nas-port-id format NAS-PORT-ID-FORMAT2 type 44
For IPoEoE interface:
aaa radius attribute nas-port-id format NAS-PORT-ID-FORMAT3 type 39
NAS-Port-Type on Interface or VLAN Sub-interface
In order to have different production models for subscribers on the same BNG
router, but different physical interfaces of same type, the NAS-Port-Type is
made configurable for each physical interface, or VLAN sub-interface. With a
different NAS-Port-Type value configured on the interface, the NAS-Port and
NAS-Port-ID gets formatted according to the formats defined globally for the
new NAS-Port-Type configured on the interface, instead of the actual value of
NAS-Port-Type that the interface has. This in turn sends different formats of
NAS-Port, NAS-Port-ID and NAS-Port-Type to the RADIUS server for the
subscribers under different production models.
In the case of sub-interfaces, the hierarchy to be followed in deciding the
format of NAS-Port-Type to be sent to the RADIUS server is:
1. Verify whether the NAS-Port-Type is configured on the sub-interface in
which the subscriber session arrives.
2. If NAS-Port-Type is not configured on the sub-interface, verify whether it
is configured on the main physical interface.
The format of NAS-Port or NAS-Port-ID is based on the NAS-Port-Type retrieved
in Step 1 or Step 2.
3. If NAS-Port-Type is configured on neither the sub-interface nor the main
physical interface, the format of NAS-Port or NAS-Port-ID is based on the
format of the default NAS-Port-Type of the sub-interface.
4. If a NAS-Port or NAS-Port-ID format is not configured for the NAS-Port-
Type retrieved in steps 1, 2 or 3, the format of NAS-Port or NAS-Port-ID is
based on the default formats of NAS-Port or NAS-Port-ID.
Use this command to configure NAS-Port-Type per interface or VLAN sub-
interface:
aaa radius attribute nas-port-type
where:
The command used to configure the calling-station-ID and called-station-ID attributes is:
aaa radius attribute calling-station-id format
Examples of constructing calling-station-ID from mac-address, remote-ID, and circuit-ID are:
aaa radius attribute calling-station-id format CLID-FORMAT
aaa attribute format CLID-FORMAT format-string "%s:%s:%s" client-mac-address-ietf remote-id-tag circuit-id-tag
Examples of constructing called-station-ID from mac-address, remote-ID, and circuit-ID are:
aaa radius attribute called-station-id format CLDID-FORMAT
aaa attribute format CLDID-FORMAT format-string "%s:%s" client-mac-address-raw circuit-id-tag
NAS-Port Format
NAS-Port is a 4-byte value that carries the physical port information of the
Broadband Remote Access Server (BRAS), which connects the Access Aggregation
network to BNG. It is used both by Access-Request packets and
Accounting-Request packets. To uniquely identify a physical port on the BRAS,
multiple pieces of information such as shelf, slot, adapter, and so on are used
along with the port number. A configurable format called format-e is defined
to allow individual bits or groups of bits in the 32 bits of NAS-Port to
represent or encode the various pieces that constitute port information.
Individual bits in NAS-Port can be encoded with these characters:
· Zero: 0
· One: 1
· PPPoX slot: S
· PPPoX adapter: A
· PPPoX port: P
· PPPoX VLAN Id: V
· PPPoX VPI: I
· PPPoX VCI: C
· Session-Id: U
· PPPoX Inner VLAN ID: Q
aaa radius attribute nas-port format e [string] [type {nas-port-type}]
The above command is used to configure a format-e encode string for a
particular interface of NAS-Port type (RADIUS attribute 61). The permissible
nas-port type values are:
Nas-port-types        Values  Whether value can be derived from associated interface  Whether value can be configured on the interface configuration mode
ASYNC                 0       No                                                      Yes
SYNC                  1       No                                                      Yes
ISDN                  2       No                                                      Yes
ISDN_V120             3       No                                                      Yes
ISDN_V110             4       No                                                      Yes
VIRTUAL               5       No                                                      Yes
ISDN_PIAFS            6       No                                                      Yes
X75                   9       No                                                      Yes
ETHERNET              15      No                                                      Yes
PPPATM                30      No                                                      Yes
PPPOEOA               31      No                                                      Yes
PPPOEOE               32      Yes                                                     Yes
PPPOEOVLAN            33      Yes                                                     Yes
PPPOEOQINQ            34      Yes                                                     Yes
VIRTUAL_PPPOEOE       35      Yes                                                     Yes
VIRTUAL_PPPOEOVLAN    36      Yes                                                     Yes
VIRTUAL_PPPOEOQINQ    37      Yes                                                     Yes
IPSEC                 38      No                                                      Yes
IPOEOE                39      Yes                                                     Yes
IPOEOVLAN             40      Yes                                                     Yes
IPOEOQINQ             41      Yes                                                     Yes
VIRTUAL_IPOEOE        42      Yes                                                     Yes
VIRTUAL_IPOEOVLAN     43      Yes                                                     Yes
VIRTUAL_IPOEOQINQ     44      Yes                                                     Yes
Examples:
For non-bundle: GigabitEthernet0/1/2/3.11.pppoe5
where:
PPPoEoQinQ (assuming 2 VLAN tags): interface-type
1: slot
2: adapter
3: port
vlan-ids: whatever the outer and inner VLAN IDs received in the PADR were
5: session-id
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU type 34
Generated NAS-Port:
01100011QQQQQQQQQQVVVVVVVVVV0101
For bundle: Bundle-Ether17.23.pppoe8
where:
Virtual-PPPoEoQinQ (assuming 2 VLAN tags): interface-type
0: slot
0: adapter
17 (bundle-id): port
vlan-ids: whatever the outer and inner VLAN IDs received in the PADR were
8: session-id
aaa radius attribute nas-port format e PPPPPPQQQQQQQQQQVVVVVVVVVVUUUUUU type 37
Generated NAS-Port:
010001QQQQQQQQQQVVVVVVVVVV000101
NAS-Port formats for IP/DHCP sessions are represented in these examples:
For IPoEoVLAN interface type:
aaa radius attribute nas-port format e SSAAAPPPPPVVVVVVVVVVVVVVVVVVVVVV type 40
For IPoEoQinQ:
aaa radius attribute nas-port format e SSAAAPPPPPQQQQQQQQQQQVVVVVVVVVVV type 41
For virtual IPoEoVLAN:
aaa radius attribute nas-port format e PPPPPPPPVVVVVVVVVVVVVVVVUUUUUUUU type 43
NAS-Port formats for PPPoE sessions are represented in these examples:
For PPPoEoVLAN interface type:
aaa radius attribute nas-port format e SSAAAPPPPPVVVVVVVVVVVVVVVVVVUUUU type 33
For Virtual PPPoEoVLAN:
aaa radius attribute nas-port format e PPPPPPPPVVVVVVVVVVVVVVVVUUUUUUUU type 36
Note: If a NAS-Port format is not configured for a NAS-Port-Type, the system looks for a default CLI configuration for the NAS-Port format. In the absence of both these configurations, for sessions with that particular NAS-Port-Type, the NAS-Port attribute is not sent to the RADIUS server.
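The format-e encoding above is easiest to check with an encoder and a decoder side by side. The Python below is an added example, not Cisco code: encode() walks the 32-character string most-significant bit first and takes each field's bits from high to low, which is what the page's generated NAS-Port values show; decode() inverts it, which is the operation an analyst needs when a NAS-Port value in an Accounting-Request must be mapped back to a slot, adapter, port and VLAN. The field values come from the page's two examples; the VLAN numbers used for the round trip are constructed.

```python
from typing import Dict

# Encode characters from the list above and the field each one selects.
FIELD_CHARS = {"S": "slot", "A": "adapter", "P": "port", "V": "vlan",
               "I": "vpi", "C": "vci", "U": "session_id", "Q": "inner_vlan"}

# The two format strings from the page's examples.
NON_BUNDLE_FMT = "SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU"   # type 34, PPPoEoQinQ
BUNDLE_FMT = "PPPPPPQQQQQQQQQQVVVVVVVVVVUUUUUU"       # type 37, Virtual-PPPoEoQinQ


def _check(fmt: str) -> None:
    if len(fmt) != 32:
        raise ValueError("format-e string must be exactly 32 characters")
    bad = set(fmt) - set(FIELD_CHARS) - {"0", "1"}
    if bad:
        raise ValueError(f"unknown encode characters: {sorted(bad)}")


def widths(fmt: str) -> Dict[str, int]:
    """Bits allotted to each field; a value wider than this loses its high bits."""
    _check(fmt)
    return {FIELD_CHARS[c]: fmt.count(c) for c in fmt if c in FIELD_CHARS}


def encode(fmt: str, fields: Dict[str, int]) -> int:
    """Build the 32-bit NAS-Port from the session's field values (missing fields are 0)."""
    _check(fmt)
    remaining = dict(widths(fmt))     # bits still to emit for each field
    value = 0
    for ch in fmt:
        if ch in "01":
            bit = int(ch)             # literal bit
        else:
            name = FIELD_CHARS[ch]
            remaining[name] -= 1      # next bit of this field, high to low
            bit = (fields.get(name, 0) >> remaining[name]) & 1
        value = (value << 1) | bit
    return value


def decode(fmt: str, nas_port: int) -> Dict[str, int]:
    """Inverse of encode(): recover each field from a received NAS-Port value."""
    _check(fmt)
    out = {name: 0 for name in widths(fmt)}
    for i, ch in enumerate(fmt):
        bit = (nas_port >> (31 - i)) & 1
        if ch in FIELD_CHARS:
            name = FIELD_CHARS[ch]
            out[name] = (out[name] << 1) | bit
    return out


def as_bits(nas_port: int) -> str:
    """Render as the 32-character bit pattern the page uses for its generated values."""
    return format(nas_port, "032b")


if __name__ == "__main__":
    # GigabitEthernet0/1/2/3.11.pppoe5: slot 1, adapter 2, port 3, session-id 5
    print(as_bits(encode(NON_BUNDLE_FMT, {"slot": 1, "adapter": 2, "port": 3, "session_id": 5})))
    # Bundle-Ether17.23.pppoe8: port 17 (bundle-id), session-id 8
    print(as_bits(encode(BUNDLE_FMT, {"port": 17, "session_id": 8})))
```

Running the bundle case shows why a check like this is worth having: session-id 8 in six bits is 001000, whereas the trailing 000101 in the page's generated value is the pattern for 5. widths() is also the quick way to see what a format can carry; with four U bits the non-bundle format can only distinguish sixteen session IDs per port, so a 1:1 mapping from NAS-Port back to a session cannot be assumed.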
Configuring RADIUS Attribute List
Perform this task to create a RADIUS attribute list that is used for filtering
authorization and accounting attributes.
SUMMARY STEPS
1. configure
2. radius-server attribute list listname
3. attribute list_of_radius_attributes
4. attribute vendor-id vendor-type number
5. vendor-type vendor-type-value
6. Use the commit or end command.
DETAILED STEPS
Step 1
Command or Action: configure
Example:
RP/0/RSP0/CPU0:router# configure
Purpose: Enters global configuration mode.
Step 2
Command or Action: radius-server attribute list listname
Example:
RP/0/RSP0/CPU0:router(config)# radius-server attribute list l1
Purpose: Defines the name of the attribute list.
Step 3
Command or Action: attribute list_of_radius_attributes
Example:
RP/0/RSP0/CPU0:router(config-attribute-filter)# attribute a1, a2
Purpose: Populates the list with RADIUS attributes.
Note: For more information about supported attributes, see RADIUS Attributes, on page 443.
Step 4
Command or Action: attribute vendor-id vendor-type number
Example:
RP/0/RSP0/CPU0:router(config)# attribute vendor-id 6456
Purpose: Configures the attribute filtering to be applied to vendor-specific attributes (VSAs) by allowing vendor-specific information for VSAs to be specified in the RADIUS attribute list CLI. Vendor-specific information comprises the vendor-id, the vendor-type, and an optional attribute name in the case of a Cisco generic VSA. The vendor-id ranges from 0 to 4294967295.
Step 5
Command or Action: vendor-type vendor-type-value
Example:
RP/0/RSP0/CPU0:router(config-attribute-filter-vsa)# vendor-type 54
Purpose: Configures the vendor-specific information, such as the vendor-type, to be specified in the RADIUS attribute list. The range of the vendor-type value is from 1 to 254.
Step 6
Command or Action: Use the commit or end command.
Purpose:
commit – Saves the configuration changes and remains within the configuration session.
end – Prompts user to take one of these actions:
· Yes – Saves configuration changes and exits the configuration session.
· No – Exits the configuration session without committing the configuration changes.
· Cancel – Remains in the configuration session, without committing the configuration changes.
Configuring RADIUS Attribute List: An example
configure
 radius-server attribute list list_!
  attribute B C
  attribute vendor-id vendor-type 10
   vendor-type 30
 !
end
Configuring RADIUS Attribute Format
Perform this task to define the RADIUS attribute format for the nas-port
attribute, and apply a predefined format to the nas-port-ID attribute.
SUMMARY STEPS
1. configure
2. aaa radius attribute
3. nas-port format e string type nas-port-type value
4. nas-port-id format format name
5. Use the commit or end command.
DETAILED STEPS
Step 1
Command or Action: configure
Example:
RP/0/RSP0/CPU0:router# configure
Purpose: Enters global configuration mode.
Step 2
Command or Action: aaa radius attribute
Example:
RP/0/RSP0/CPU0:router(config)# aaa radius attribute
Purpose: Configures the AAA RADIUS attribute.
Step 3
Command or Action: nas-port format e string type nas-port-type value
Example:
RP/0/RSP0/CPU0:router(config)# nas-port format e format1 type 30
Purpose: Configures the format for the nas-port attribute. The string is a 32-character string representing the format to be used. The nas-port-type value ranges from 0 to 44.
Step 4
Command or Action: nas-port-id format format name
Example:
RP/0/RSP0/CPU0:router(config)# nas-port-id format format2
Purpose: Applies a predefined format to the nas-port-ID attribute.
Step 5
Command or Action: Use the commit or end command.
Purpose:
commit – Saves the configuration changes and remains within the configuration session.
end – Prompts user to take one of these actions:
· Yes – Saves configuration changes and exits the configuration session.
· No – Exits the configuration session without committing the configuration changes.
· Cancel – Remains in the configuration session, without committing the configuration changes.
Configuring RADIUS Attribute Format: An example
configure
 aaa radius attribute
  nas-port format e abcd type 40
  nas-port-id format ADEF
 !
end
Configuring RADIUS Attribute Nas-port-type
Perform this task to configure RADIUS Attribute nas-port-type on a physical
interface or VLAN sub-interface:
SUMMARY STEPS
1. configure
2. interface type interface-name
3. aaa radius attribute nas-port-type {value | name}
4. Use the commit or end command.
DETAILED STEPS
Step 1
Command or Action: configure
Example:
RP/0/RSP0/CPU0:router# configure
Purpose: Enters global configuration mode.
Step 2
Command or Action: interface type interface-name
Example:
RP/0/RSP0/CPU0:router(config)# interface gigabitEthernet 0/0/0/0
Purpose: Enters the interface configuration mode.
Step 3
Command or Action: aaa radius attribute nas-port-type {value | name}
Example:
RP/0/RSP0/CPU0:router(config-if)# aaa radius attribute nas-port-type 30
or
RP/0/RSP0/CPU0:router(config-if)# aaa radius attribute nas-port-type Ethernet
Purpose: Configures the RADIUS attribute nas-port-type value. The range of value is from 0 to 44. See the table in NAS-Port Format, on page 32, for permissible nas-port-type values within this range.
Step 4
Command or Action: Use the commit or end command.
Purpose:
commit – Saves the configuration changes and remains within the configuration session.
end – Prompts user to take one of these actions:
· Yes – Saves configuration changes and exits the configuration session.
· No – Exits the configuration session without committing the configuration changes.
· Cancel – Remains in the configuration session, without committing the configuration changes.
Configuring RADIUS Attribute Nas-port-type: An example
configure
 interface gigabitEthernet 0/0/0/0
  aaa radius attribute nas-port-type Ethernet
 !
end
Configuring AAA Attribute Format Function
Perform this task to configure a function for the AAA attribute format. The
function strips the user-name up to the delimiter.
SUMMARY STEPS
1. configure
2. aaa attribute format format-name
3. username-strip prefix-delimiter prefix_delimiter
4. Use the commit or end command.
DETAILED STEPS
Step 1
Command or Action: configure
Example:
RP/0/RSP0/CPU0:router# configure
Purpose: Enters global configuration mode.
Step 2
Command or Action: aaa attribute format format-name
Example:
RP/0/RSP0/CPU0:router(config)# aaa attribute format red
Purpose: Specifies the format name for which the function is defined.
Step 3
Command or Action: username-strip prefix-delimiter prefix_delimiter
Example:
RP/0/RSP0/CPU0:router(config-id-format)# username-strip prefix-delimiter @
Purpose: Configures the function to strip the part of the username preceding the prefix delimiter, which is @.
Step 4
Command or Action: Use the commit or end command.
Purpose:
commit – Saves the configuration changes and remains within the configuration session.
end – Prompts user to take one of these actions:
· Yes – Saves configuration changes and exits the configuration session.
· No – Exits the configuration session without committing the configuration changes.
· Cancel – Remains in the configuration session, without committing the configuration changes.
Configuring AAA Attribute Format Function: An example
configure
 aaa attribute format red
  username-strip prefix-delimiter @
 !
!
end
Suppressing Unassigned Attributes
You can suppress unassigned (experimental) attributes like 196 that are sent
during access-request by the BNG router to the RADIUS.
Configuration Example
To suppress unassigned (experimental) attributes like 196 that are sent during access-request by the BNG router to the RADIUS, you must complete the following configurations:
1. Create an attribute list to filter an attribute, for example attribute 196.
2. Configure the radius server host in the AAA group.
3. Filter and reject the attribute list containing attribute 196 from being sent to RADIUS.
4. (Optional) Configure the IP address of the private RADIUS server for the group server.
5. (Optional) Configure the radius-server key.
Configuration
/* Enter the global configuration mode and then create an attribute list to filter an attribute. */
Router# configure
Router(configure)# radius-server attribute list
/* Enter the global configuration mode and then configure the radius server host in the AAA group. */
Router(configure)# aaa group server radius
/* Filter and reject the attribute list containing attribute 196 from being sent to RADIUS. */
Router(config-sg-radius)# authorization request reject <name-of-the-filter-list>
/* (Optional) Configure the IP address of the private RADIUS server for the group server. */
Router(config-sg-radius)# server-private <ip-address-of-the-radius-server> auth-port
/* (Optional) Configure the radius-server key. */
Router(config-sg-radius-private)# key
Running Configuration
Router# show running configuration
radius-server attribute list FILTER-mm
 attribute 196
!
aaa group server radius TEST
 authorization request reject FILTER-mm
 server-private 192.0.2.0 auth-port 1 acct-port 2
  key 7
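The attribute lists of Configuring RADIUS Attribute List and the reject filter in the running configuration above are two uses of one mechanism, and the following Python is an added model of it; it is not Cisco code and does not describe how BNG stores or matches list entries. An accept list (accounting accept, authorization reply accept) keeps only the attributes named in it, a reject list (authorization request reject) drops them, and a vendor-id/vendor-type entry matches Vendor-Specific (attribute 26) contents. The packet contents are constructed; attribute 196 and the list name FILTER-mm are the page's, and vendor-id 9 with vendor-type 1 is the Cisco-AVPair VSA.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

VENDOR_SPECIFIC = 26   # RADIUS attribute type that carries vendor-specific attributes


@dataclass(frozen=True)
class Attr:
    """One attribute of a RADIUS message; vendor fields are set only for type 26."""
    type: int
    value: bytes
    vendor_id: Optional[int] = None
    vendor_type: Optional[int] = None


@dataclass(frozen=True)
class AttributeList:
    """radius-server attribute list <name>: plain attribute numbers plus (vendor-id, vendor-type) pairs."""
    name: str
    attributes: Tuple[int, ...] = ()
    vsas: Tuple[Tuple[int, int], ...] = ()

    def matches(self, a: Attr) -> bool:
        if a.type == VENDOR_SPECIFIC:
            return (a.vendor_id, a.vendor_type) in self.vsas
        return a.type in self.attributes


def apply_filter(packet: List[Attr], lst: AttributeList, mode: str) -> List[Attr]:
    """'accept' keeps only listed attributes; 'reject' removes listed attributes."""
    if mode == "accept":
        return [a for a in packet if lst.matches(a)]
    if mode == "reject":
        return [a for a in packet if not lst.matches(a)]
    raise ValueError("mode must be 'accept' or 'reject'")


def types_of(packet: List[Attr]) -> List[Tuple[int, Optional[int], Optional[int]]]:
    """Compact view of a packet for checking what a filter let through."""
    return [(a.type, a.vendor_id, a.vendor_type) for a in packet]


# Constructed Access-Request contents: User-Name (1), the unassigned attribute 196
# that the page's example suppresses, and a Cisco-AVPair VSA (vendor-id 9, vendor-type 1).
ACCESS_REQUEST = [
    Attr(1, b"user@example.com"),
    Attr(196, b"\x00\x01"),
    Attr(VENDOR_SPECIFIC, b"constructed-avpair", vendor_id=9, vendor_type=1),
]

FILTER_MM = AttributeList("FILTER-mm", attributes=(196,))                 # from the running config above
ACCT_ACCEPT = AttributeList("att_list", attributes=(1,), vsas=((9, 1),))  # constructed accept list

if __name__ == "__main__":
    # authorization request reject FILTER-mm: attribute 196 is dropped, everything else passes
    print(types_of(apply_filter(ACCESS_REQUEST, FILTER_MM, "reject")))
    # accounting accept att_list: only User-Name and the listed VSA survive
    print(types_of(apply_filter(ACCESS_REQUEST, ACCT_ACCEPT, "accept")))
```

The asymmetry matters when reviewing a configuration: a reject list only removes what it names, so a new unassigned attribute introduced by a later release still leaves the router, while an accept list fails closed and silently drops any attribute that was not anticipated, including VSAs whose vendor-type is not listed.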
Making RADIUS Server Settings
In order to make BNG interact with the RADIUS server, certain server-specific settings must be made on the BNG router. This table lists some of the key settings:
Settings            Description
Server host         Defines the RADIUS server details to which BNG will connect.
Attribute list      Defines which attribute list is to be used.
Server key          Defines the encryption status.
Dead criteria       Defines the criteria that is used to mark a RADIUS server as dead.
Retransmit value    Defines the number of retries the BNG makes to send data to the RADIUS server.
Timeout value       Defines how long BNG waits for the RADIUS server to reply.
Automated testing   Defines the duration after which automated testing will start and the username to be tested.
IP DSCP             Allows RADIUS packets to be marked with a specific Differentiated Services Code Point (DSCP) value.
For more information about making RADIUS server settings, see Configuring RADIUS Server Settings, on page 41. For more information about making specific automated testing settings, see Configuring Automated Testing, on page 45. For more information about making specific IP DSCP settings, see Setting IP DSCP for RADIUS Server, on page 46.
Restriction
The service profile push or asynchronously pushing a profile to the system is
not supported. To download a profile from Radius, the profile must be
requested initially as part of the subscriber request. Only service-update is
supported and can be used to change a service that was previously downloaded.
Configuring RADIUS Server Settings
Perform this task to make RADIUS server specific settings on the BNG router.
SUMMARY STEPS
1. configure
2. radius-server host ip-address acct-port accounting_port_number auth-port authentication_port_number
3. radius-server attribute list list_name attribute_list
4. radius-server key 7 encrypted_text
5. radius-server disallow null-username
6. radius-server dead-criteria time value
7. radius-server dead-criteria tries value
8. radius-server deadtime limit
9. radius-server ipv4 dscp codepoint_value
10. radius-server load-balance method least-outstanding ignore-preferred-server batch-size size
11. radius-server retransmit retransmit_value
12. radius-server source-port extended
13. radius-server timeout value
14. radius-server vsa attribute ignore unknown
15. radius source-interface Loopback value vrf vrf_name
16. Use the commit or end command.
DETAILED STEPS
Step 1
Command or Action: configure
Example:
RP/0/RSP0/CPU0:router# configure
Purpose: Enters global configuration mode.
Step 2
Command or Action: radius-server host ip-address acct-port accounting_port_number auth-port authentication_port_number
Example:
RP/0/RSP0/CPU0:router(config)# radius-server host 1.2.3.4 acct-port 455 auth-port 567
Purpose: Specifies the RADIUS server and its IP address. Configures the UDP port for RADIUS accounting and authentication requests. The accounting and authentication port numbers range from 0 to 65535. If no value is specified, the default is 1645 for the auth-port and 1646 for the acct-port. From Cisco IOS XR Software Release 5.3.1 and later, an IPv6 address can also be configured for the RADIUS server host.
Step 3
Command or Action: radius-server attribute list list_name attribute_list
Example:
RP/0/RSP0/CPU0:router(config)# radius-server attribute list rad_list a b
Purpose: Specifies the RADIUS server attribute list, and customizes the selected RADIUS attributes.
Step 4
Command or Action: radius-server key 7 encrypted_text
Example:
RP/0/RSP0/CPU0:router(config-radius-host)# radius-server key 7 rngiry
Purpose: Specifies the per-server encryption key that overrides the default. The key type takes the value 0 or 7; 0 indicates that the unencrypted key will follow.
Step 5
Command or Action: radius-server disallow null-username
Example:
RP/0/RSP0/CPU0:router(config)# radius-server disallow null-username
Purpose: Specifies that a null username is disallowed for the RADIUS server.
Step 6
Command or Action: radius-server dead-criteria time value
Example:
RP/0/RSP0/CPU0:router(config)# radius-server dead-criteria time 40
Purpose: Specifies the dead-server detection criteria for a configured RADIUS server. The time (in seconds) specifies the minimum time that must elapse since a response was received from this RADIUS server.
Step 7
Command or Action: radius-server dead-criteria tries value
Example:
RP/0/RSP0/CPU0:router(config)# radius-server dead-criteria tries 50
Purpose: Specifies the number of consecutive timeouts that must occur on the router before the RADIUS server is marked as dead. The value ranges from 1 to 100.
Step 8
Command or Action: radius-server deadtime limit
Example:
RP/0/RSP0/CPU0:router(config)# radius-server deadtime 67
Purpose: Specifies the time in minutes for which a RADIUS server is marked dead. The deadtime limit is specified in minutes and ranges from 1 to 1440. If no value is specified, the default is 0.
Step 9
Command or Action: radius-server ipv4 dscp codepoint_value
Example:
RP/0/RSP0/CPU0:router(config)# radius-server ipv4 dscp 45
Purpose: Allows RADIUS packets to be marked with a specific differentiated services code point (DSCP) value. This code point value ranges from 0 to 63.
Step 10
Command or Action: radius-server load-balance method least-outstanding ignore-preferred-server batch-size size
Example:
RP/0/RSP0/CPU0:router(config)# radius-server load-balance method least-outstanding ignore-preferred-server batch-size 500
Purpose: Configures the RADIUS load-balancing options by picking the server with the least outstanding transactions. This load-balancing method uses the batch-size for the selection of the server. The size ranges from 1 to 1500. If no value is specified, the default is 25.
Step 11
Command or Action: radius-server retransmit retransmit_value
Example:
RP/0/RSP0/CPU0:router(config)# radius-server retransmit 45
Purpose: Specifies the number of retries to the active server. The retransmit value is numeric and ranges from 1 to 100. If no value is specified, the default is 3.
Step 12
Command or Action: radius-server source-port extended
Example:
RP/0/RSP0/CPU0:router(config)# radius-server source-port extended
Purpose: Configures BNG to use a total of 200 ports as the source ports for sending out RADIUS requests.
Step 13
Command or Action: radius-server timeout value
Example:
RP/0/RSP0/CPU0:router(config)# radius-server timeout
Purpose: Specifies the time to wait for a RADIUS server to reply. The value is in seconds and ranges from 1 to 1000. The default is 5.
Step 14
Command or Action: radius-server vsa attribute ignore unknown
Example:
RP/0/RSP0/CPU0:router(config)# radius-server vsa attribute ignore unknown
Purpose: Ignores the unknown vendor-specific attributes for the RADIUS server.
Step 15
Command or Action: radius source-interface Loopback value vrf vrf_name
Example:
RP/0/RSP0/CPU0:router(config)# radius source-interface Loopback 655 vrf vrf_1
Purpose: Specifies the loopback interface for the source address in RADIUS packets. The value ranges from 0 to 65535.
Step 16
Command or Action: Use the commit or end command.
Purpose:
commit –Saves the configuration changes and remains within the configuration session.
end –Prompts user to take one of these actions:
· Yes –Saves configuration changes and exits the configuration session.
· No –Exits the configuration session without committing the configuration changes.
· Cancel –Remains in the configuration session, without committing the configuration changes.
Configuring RADIUS Server Settings: Examples
Configuring RADIUS Server Options
configure
radius-server attribute list list1 a b
radius-server dead-criteria time 100
radius-server deadtime 30
radius-server disallow null-username
radius-server host 1.2.3.4 acct-port 655 auth-port 566
radius-server ipv4 dscp 34
radius-server key 7 ERITY$
radius-server load-balance method least-outstanding ignore-preferred-server batch-size 25
radius-server retransmit 50
radius-server source-port extended
radius-server timeout 500
radius-server vsa attribute ignore unknown
!
!
end
Configuring RADIUS Attribute List
radius-server attribute list list_!
 attribute B C
 attribute vendor-id vendor-type 10 vendor-type 30
!
end
Configuring RADIUS Server Host
configure
radius-server host 1.3.5.7 acct-port 56 auth-port 66
 idle-time 45
 ignore-acct-port
 ignore-auth-port 3.4.5.6
 key 7 ERWQ
 retransmit 50
 test username username
 timeout 500
!
end
Configuring RADIUS Server Key
configure
radius-server key 7 ERWQ
!
end
Configuring Load Balancing for RADIUS Server
configure
radius-server load-balance method least-outstanding batch-size 25
radius-server load-balance method least-outstanding ignore-preferred-server batch-size 45
!
end
Ignoring Unknown VSA Attributes in RADIUS Server
configure
radius-server vsa attribute ignore unknown
!
end
Configuring Dead Criteria for RADIUS Server
configure
radius-server dead-criteria time 60
radius-server dead-criteria tries 60
!
end
Configuring Disallow Username
configure
radius-server disallow null-username
!
end
Setting IP DSCP for RADIUS Server
configure
radius-server ipv4 dscp 43
radius-server ipv4 dscp default
!
end
Configuring Automated Testing
Perform this task to test whether the external RADIUS server is up.
SUMMARY STEPS
1. configure
2. radius-server idle-time idle_time
3. radius-server test username username
4. Use the commit or end command.
DETAILED STEPS
Step 1
Command or Action: configure
Example:
RP/0/RSP0/CPU0:router# configure
Purpose: Enters global configuration mode.
Step 2
Command or Action: radius-server idle-time idle_time
Example:
RP/0/RSP0/CPU0:router(config-radius-host)# radius-server idle-time 45
Purpose: Specifies the idle time after which the automated test should start. The idle time is specified in minutes, and ranges from 1 to 60.
Step 3
Command or Action: radius-server test username username
Example:
RP/0/RSP0/CPU0:router(config-radius-host)# radius-server test username user1
Purpose: Specifies the username to be tested for the automated testing functionality.
Step 4
Command or Action: Use the commit or end command.
Purpose:
commit –Saves the configuration changes and remains within the configuration session.
end –Prompts user to take one of these actions:
· Yes –Saves configuration changes and exits the configuration session.
· No –Exits the configuration session without committing the configuration changes.
· Cancel –Remains in the configuration session, without committing the configuration changes.
Configuring Automated Testing: An example
configure
radius-server idle-time 60
radius-server test username user_1
!
end
Setting IP DSCP for RADIUS Server
Perform this task to set IP differentiated services code point (DSCP) for
RADIUS server.
SUMMARY STEPS
1. configure
2. radius-server ipv4 dscp codepoint_value
3. radius-server ipv4 dscp default
4. Use the commit or end command.
DETAILED STEPS
Step 1
Command or Action: configure
Example:
RP/0/RSP0/CPU0:router# configure
Purpose: Enters global configuration mode.
Step 2
Command or Action: radius-server ipv4 dscp codepoint_value
Example:
RP/0/RSP0/CPU0:router(config)# radius-server ipv4 dscp 45
Purpose: Allows RADIUS packets to be marked with a specific differentiated services code point (DSCP) value. DSCP replaces the outdated IP precedence, a 3-bit field in the Type of Service byte of the IP header originally used to classify and prioritize types of traffic. This code point value ranges from 0 to 63.
Step 3
Command or Action: radius-server ipv4 dscp default
Example:
RP/0/RSP0/CPU0:router(config)# radius-server ipv4 dscp default
Purpose: Matches the packets with the default DSCP (000000).
Step 4
Command or Action: Use the commit or end command.
Purpose:
commit –Saves the configuration changes and remains within the configuration session.
end –Prompts user to take one of these actions:
· Yes –Saves configuration changes and exits the configuration session.
· No –Exits the configuration session without committing the configuration changes.
· Cancel –Remains in the configuration session, without committing the configuration changes.
Setting IP DSCP for RADIUS Server: An example
configure
radius-server ipv4 dscp 43
radius-server ipv4 dscp default
!
end
Balancing Transaction Load on the RADIUS Server
The RADIUS load-balancing feature is a mechanism to share the load of RADIUS
access and accounting transactions, across a set of RADIUS servers. Each AAA
request processing is considered to be a transaction. BNG distributes batches
of transactions to servers within a server group.
When the first transaction for a new batch is received, BNG determines the server with the lowest number of outstanding transactions in its queue. This server is assigned that batch of transactions. BNG keeps repeating this determination process to ensure that the server with the least outstanding transactions always gets a new batch. This method is known as the least-outstanding method of load balancing.
You can configure the load balancing feature either globally, or for RADIUS servers that are part of a server group. In the server group, if a preferred server is defined, you need to include the keyword “ignore-preferred-server” in the load-balancing configuration, to disable the preference.
For configuring the load balancing feature globally, see Configuring Load
Balancing for Global RADIUS Server Group, on page 48.
For configuring the load balancing feature on RADIUS servers that are part of
a named server group, see Configuring Load Balancing for a Named RADIUS Server
Group, on page 49.
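The least-outstanding batch assignment described above, together with the dead-criteria time/tries and deadtime settings from Configuring RADIUS Server Settings, as an added Python model that is not Cisco code: the class names, the simulated clock in seconds, and the assumption that a live preferred server is used until ignore-preferred-server is set are this example's own.

```python
"""Model of BNG least-outstanding RADIUS load balancing with batch-size,
ignore-preferred-server and dead-criteria/deadtime handling. Added
illustration for this page, not Cisco code; names are the example's own."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RadiusServer:
    name: str
    preferred: bool = False        # the "preferred server" of a server group
    outstanding: int = 0           # transactions sent and not yet answered
    consecutive_timeouts: int = 0
    last_response_at: float = 0.0  # simulated clock, seconds
    dead_until: float = -1.0       # server is skipped while now < dead_until

    def is_dead(self, now: float) -> bool:
        return now < self.dead_until


@dataclass
class LoadBalancer:
    servers: List[RadiusServer]
    batch_size: int = 25           # load-balance ... batch-size (default 25)
    ignore_preferred_server: bool = False
    dead_time_sec: float = 40.0    # radius-server dead-criteria time
    dead_tries: int = 50           # radius-server dead-criteria tries
    deadtime_min: int = 0          # radius-server deadtime (0 = never dead)
    _batch_left: int = field(default=0, init=False)
    _current: Optional[RadiusServer] = field(default=None, init=False)

    def pick_server(self, now: float) -> RadiusServer:
        """A batch of batch_size transactions sticks to one server; each
        new batch goes to the live server with the fewest outstanding
        transactions (a live preferred server wins unless ignored)."""
        if (self._batch_left == 0 or self._current is None
                or self._current.is_dead(now)):
            live = [s for s in self.servers if not s.is_dead(now)]
            if not live:
                raise RuntimeError("no live RADIUS server")
            if not self.ignore_preferred_server:
                preferred = [s for s in live if s.preferred]
                if preferred:
                    live = preferred
            # min() keeps configuration order on ties
            self._current = min(live, key=lambda s: s.outstanding)
            self._batch_left = self.batch_size
        self._batch_left -= 1
        self._current.outstanding += 1
        return self._current

    def on_response(self, server: RadiusServer, now: float) -> None:
        server.outstanding -= 1
        server.consecutive_timeouts = 0
        server.last_response_at = now

    def on_timeout(self, server: RadiusServer, now: float) -> None:
        """Final timeout of a request (retransmits exhausted). The server is
        marked dead only when BOTH criteria hold: dead_time_sec without a
        response AND dead_tries consecutive timeouts; it then stays dead
        for deadtime_min minutes."""
        server.outstanding -= 1
        server.consecutive_timeouts += 1
        silent_for = now - server.last_response_at
        if (self.deadtime_min > 0
                and silent_for >= self.dead_time_sec
                and server.consecutive_timeouts >= self.dead_tries):
            server.dead_until = now + self.deadtime_min * 60
            server.consecutive_timeouts = 0
            self._batch_left = 0      # force a fresh selection


def demo_batches() -> List[str]:
    """Two live servers, batch-size 3, no replies: each new batch moves to
    the server with fewer outstanding transactions."""
    lb = LoadBalancer([RadiusServer("A"), RadiusServer("B")], batch_size=3)
    return [lb.pick_server(now=float(i)).name for i in range(7)]


def demo_dead_server() -> List[str]:
    """Preferred server A meets the dead criteria and is skipped for the
    configured deadtime even though it is preferred."""
    a, b = RadiusServer("A", preferred=True), RadiusServer("B")
    lb = LoadBalancer([a, b], batch_size=1, dead_time_sec=40.0,
                      dead_tries=2, deadtime_min=1)
    picks = [lb.pick_server(0.0).name, lb.pick_server(0.0).name]  # A, A
    lb.on_timeout(a, 50.0)      # 1st timeout, 50 s silent: not yet dead
    picks.append(lb.pick_server(50.0).name)                       # A
    lb.on_timeout(a, 55.0)      # 2nd consecutive timeout: dead until 115 s
    picks.append(lb.pick_server(60.0).name)                       # B
    picks.append(lb.pick_server(120.0).name)                      # A again
    return picks
```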
Configuring Load Balancing for Global RADIUS Server Group
Perform this task to activate the load balancing function for the global
RADIUS server group. As an example, in this configuration the preferred server
is set to be ignored.
SUMMARY STEPS
1. configure
2. radius-server load-balance method least-outstanding batch-size size
3. radius-server load-balance method least-outstanding ignore-preferred-server batch-size size
4. Use the commit or end command.
DETAILED STEPS
Step 1
Command or Action: configure
Example:
RP/0/RSP0/CPU0:router# configure
Purpose: Enters global configuration mode.
Step 2
Command or Action: radius-server load-balance method least-outstanding batch-size size
Example:
RP/0/RSP0/CPU0:router(config)# radius-server load-balance method least-outstanding batch-size 500
Purpose: Configures the RADIUS load-balancing options by picking the server with the least outstanding transactions. This load-balancing method uses the batch-size for the selection of the server. The size ranges from 1 to 1500. If no value is specified, the default is 25.
Step 3
Command or Action: radius-server load-balance method least-outstanding ignore-preferred-server batch-size size
Example:
RP/0/RSP0/CPU0:router(config)# radius-server load-balance method least-outstanding ignore-preferred-server batch-size 500
Purpose: Configures the RADIUS load-balancing options by disabling the preferred server for this server group. This load-balancing method uses the batch-size for the selection of the server. The size ranges from 1 to 1500. If no value is specified, the default is 25.
Step 4
Command or Action: Use the commit or end command.
Purpose:
commit –Saves the configuration changes and remains within the configuration session.
end –Prompts user to take one of these actions:
· Yes –Saves configuration changes and exits the configuration session.
· No –Exits the configuration session without committing the configuration changes.
· Cancel –Remains in the configuration session, without committing the configuration changes.
Configuring Load Balancing for RADIUS Server: An example
configure
radius-server load-balance method least-outstanding batch-size 25
radius-server load-balance method least-outstanding ignore-preferred-server batch-size 45
!
end
Configuring Load Balancing for a Named RADIUS Server Group
Perform this task to activate the load balancing function for a named RADIUS
server group. As an example, in this configuration the preferred server is set
to be ignored.
SUMMARY STEPS
1. configure
2. aaa group server radius server_group_name load-balance method least-outstanding batch-size size
3. aaa group server radius server_group_name load-balance method least-outstanding ignore-preferred-server batch-size size
4. Use the commit or end command.
DETAILED STEPS
Step 1
Command or Action: configure
Example:
RP/0/RSP0/CPU0:router# configure
Purpose: Enters global configuration mode.
Step 2
Command or Action: aaa group server radius server_group_name load-balance method least-outstanding batch-size size
Example:
RP/0/RSP0/CPU0:router(config)# aaa group server radius sg1 load-balance method least-outstanding batch-size 500
Purpose: Configures the RADIUS load-balancing options by picking the server with the least outstanding transactions. This load-balancing method uses the batch-size for the selection of the server. The size ranges from 1 to 1500. If no value is specified, the default is 25.
Step 3
Command or Action: aaa group server radius server_group_name load-balance method least-outstanding ignore-preferred-server batch-size size
Example:
RP/0/RSP0/CPU0:router(config)# aaa group server radius sg1 load-balance method least-outstanding ignore-preferred-server batch-size 500
Purpose: Configures the RADIUS load-balancing options by disabling the preferred server for this server group. This load-balancing method uses the batch-size for the selection of the server. The size ranges from 1 to 1500. If no value is specified, the default is 25.
Step 4
Command or Action: Use the commit or end command.
Purpose:
commit –Saves the configuration changes and remains within the configuration session.
end –Prompts user to take one of these actions:
· Yes –Saves configuration changes and exits the configuration session.
· No –Exits the configuration session without committing the configuration changes.
· Cancel –Remains in the configuration session, without committing the configuration changes.
Throttling of RADIUS Records
The Throttling of AAA (RADIUS) records is a mechanism to avoid RADIUS
congestion and instability. This function is useful in situations when there
is insufficient bandwidth to accommodate a sudden burst of AAA requests
generated by the BNG for the RADIUS server.
While configuring throttling, a threshold rate, which corresponds to the
maximum number of outstanding requests, is defined. It is possible to
configure independent throttling rates for access (authentication and
authorization) and accounting requests. After a threshold value is reached for
a server, no further requests of that type are sent to the server. However,
for the pending requests, a retransmit timer is started, and if the
outstanding request count (which is checked after every timer expiry), is less
than the threshold, then the request is sent out.
Because a session may time out while its access requests are throttled, a limit is set for the number of retransmit attempts. After this limit is reached, further access requests are dropped. Throttled accounting requests, however, are processed through the server-group failover process.
The throttling feature can be configured globally, or for a server group. The general rule of configuration preference is that the server-group configuration, if any, overrides the global configuration.
The syntax for the throttling CLI command is:
radius-server throttle {[accounting THRESHOLD] [access THRESHOLD [access-timeout NUMBER_OF-TIMEOUTS]]}
where:
· accounting THRESHOLD –Specifies the threshold for accounting requests. The range is from 0 to 65536. The default is 0, and indicates that throttling is disabled for accounting requests.
· access THRESHOLD –Specifies the threshold for access requests. The range is from 0 to 65536. The default is 0, and indicates that throttling is disabled for access requests.
· access-timeout NUMBER_OF-TIMEOUTS –Specifies the number of consecutive timeouts that must occur on the router, after which access requests are dropped. The range is from 0 to 10. The default is 3.
Note By default, the throttling feature is disabled on BNG.
For activating throttling globally, see Configuring RADIUS Throttling Globally, on page 51. For activating throttling on a server group, see Configuring RADIUS Throttling on a Server Group, on page 52.
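The throttling behaviour described above (a threshold on outstanding requests per type, a retransmit timer that re-checks queued requests, access requests dropped after access-timeout expiries, accounting requests handed to failover), as an added Python model that is not Cisco code: the class, method and request names are this example's own, and passing an accounting request to failover after the same number of timer expiries is a simplifying assumption the page does not state.

```python
"""Model of BNG RADIUS throttling (radius-server throttle). Added
illustration for this page, not Cisco code; names are the example's own."""
from collections import deque
from typing import Deque, Dict, List


class RadiusThrottle:
    def __init__(self, access: int = 0, accounting: int = 0,
                 access_timeout: int = 3) -> None:
        # threshold 0 = throttling disabled for that request type (default)
        self.threshold: Dict[str, int] = {"access": access,
                                          "accounting": accounting}
        self.access_timeout = access_timeout   # retransmit timer expiries
        self.outstanding: Dict[str, int] = {"access": 0, "accounting": 0}
        # queued requests as [request_id, timer_expiries_so_far]
        self.pending: Dict[str, Deque[list]] = {"access": deque(),
                                                "accounting": deque()}
        self.sent: List[str] = []       # requests put on the wire, in order
        self.dropped: List[str] = []    # access requests dropped
        self.failover: List[str] = []   # accounting requests handed to the
                                        # server-group failover process

    def _under_threshold(self, kind: str) -> bool:
        limit = self.threshold[kind]
        return limit == 0 or self.outstanding[kind] < limit

    def _send(self, kind: str, req_id: str) -> None:
        self.outstanding[kind] += 1
        self.sent.append(req_id)

    def submit(self, kind: str, req_id: str) -> bool:
        """A new AAA request from BNG: sent now if under the threshold,
        otherwise queued with its retransmit timer started. Returns True
        when it went on the wire immediately."""
        if self._under_threshold(kind):
            self._send(kind, req_id)
            return True
        self.pending[kind].append([req_id, 0])
        return False

    def response(self, kind: str) -> None:
        """A reply from the RADIUS server frees one outstanding slot."""
        self.outstanding[kind] -= 1

    def timer_expiry(self, kind: str) -> None:
        """All pending timers of this kind fire. Each request is re-checked
        against the threshold; an access request is dropped once it has
        seen access_timeout expiries. Throttled accounting requests go to
        server-group failover; this model hands them over after the same
        number of expiries (assumption, not stated by the page)."""
        still_pending: Deque[list] = deque()
        while self.pending[kind]:
            req_id, expiries = self.pending[kind].popleft()
            expiries += 1
            if self._under_threshold(kind):
                self._send(kind, req_id)
            elif expiries >= self.access_timeout:
                target = self.dropped if kind == "access" else self.failover
                target.append(req_id)
            else:
                still_pending.append([req_id, expiries])
        self.pending[kind] = still_pending


def demo_access_throttle() -> Dict[str, List[str]]:
    """radius-server throttle access 2 access-timeout 2: four access
    requests arrive in a burst (constructed input) and one reply comes back."""
    t = RadiusThrottle(access=2, access_timeout=2)
    for req in ("r1", "r2", "r3", "r4"):
        t.submit("access", req)          # r1, r2 sent; r3, r4 queued
    t.timer_expiry("access")             # still 2 outstanding: both wait
    t.response("access")                 # one reply frees a slot
    t.timer_expiry("access")             # r3 sent; r4 reaches its 2nd expiry
    return {"sent": t.sent, "dropped": t.dropped,
            "pending": [p[0] for p in t.pending["access"]]}


def demo_accounting_disabled() -> int:
    """accounting threshold left at its default 0: nothing is ever held."""
    t = RadiusThrottle(access=2, accounting=0)
    for i in range(50):
        t.submit("accounting", f"acct{i}")
    return len(t.sent)
```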
Configuring RADIUS Throttling Globally
Perform this task to activate RADIUS throttling globally.
SUMMARY STEPS
1. configure
2. radius-server throttle access threshold_value
3. radius-server throttle access threshold_value access-timeout value
4. radius-server throttle access threshold_value access-timeout value accounting threshold_value
5. radius-server throttle accounting threshold_value access value access-timeout value
6. Use the commit or end command.
DETAILED STEPS
Step 1
Command or Action: configure
Example:
RP/0/RSP0/CPU0:router# configure
Purpose: Enters global configuration mode.
Step 2
Command or Action: radius-server throttle access threshold_value
Example:
RP/0/RSP0/CPU0:router(config)# radius-server throttle access 10
Purpose: Controls the number of access requests sent to a RADIUS server. The threshold value denotes the number of outstanding access requests after which throttling should be performed. The range is from 0 to 65535, and the preferred value is 100.
Step 3
Command or Action: radius-server throttle access threshold_value access-timeout value
Example:
RP/0/RSP0/CPU0:router(config)# radius-server throttle access 10 access-timeout 5
Purpose: Specifies the number of timeouts after which a throttled access request is dropped. The value denotes the number of timeouts for a transaction. The range is from 1 to 10, and the default is 3.
Step 4
Command or Action: radius-server throttle access threshold_value access-timeout value accounting threshold_value
Example:
RP/0/RSP0/CPU0:router(config)# radius-server throttle access 10 access-timeout 5 accounting 10
Purpose: Controls the number of access requests and their timeout, and the number of accounting requests, sent to a RADIUS server. The accounting threshold value denotes the number of outstanding accounting transactions after which throttling should be performed. The range is from 0 to 65535, and the preferred value is 100.
Step 5
Command or Action: radius-server throttle accounting threshold_value access value access-timeout value
Example:
RP/0/RSP0/CPU0:router(config)# radius-server throttle accounting 56 access 10 access-timeout 5
Purpose: Controls the number of accounting requests sent to a RADIUS server. The threshold value denotes the number of outstanding accounting transactions after which throttling should be performed. The value ranges from 0 to 65535, and the preferred value is 100.
Step 6
Command or Action: Use the commit or end command.
Purpose:
commit –Saves the configuration changes and remains within the configuration session.
end –Prompts user to take one of these actions:
· Yes –Saves configuration changes and exits the configuration session.
· No –Exits the configuration session without committing the configuration changes.
· Cancel –Remains in the configuration session, without committing the configuration changes.
Configuring RADIUS Throttling Globally: An example
configure
radius-server throttle access 10 access-timeout 5 accounting 10
!
end
Configuring RADIUS Throttling on a Server Group
Perform this task to activate RADIUS throttling on a server group.
SUMMARY STEPS
1. configure
2. aaa group server radius server_group_name
3. server hostname acct-port acct_port_value auth-port auth_port_value
4. throttle access threshold_value access-timeout value accounting threshold_value
5. Use the commit or end command.
DETAILED STEPS
Step 1
Command or Action: configure
Example:
RP/0/RSP0/CPU0:router# configure
Purpose: Enters global configuration mode.
Step 2
Command or Action: aaa group server radius server_group_name
Example:
RP/0/RSP0/CPU0:router(config)# aaa group server radius SG1
Purpose: Configures the AAA (RADIUS) server-group definition.
Step 3
Command or Action: server hostname acct-port acct_port_value auth-port auth_port_value
Example:
RP/0/RSP0/CPU0:router(config-sg-radius)# server 99.1.1.10 auth-port 1812 acct-port 1813
Purpose: Configures a RADIUS server accounting or authentication port with either the IP address or hostname (as specified). The accounting port number and the authentication port number range from 0 to 65535.
Step 4
Command or Action: throttle access threshold_value access-timeout value accounting threshold_value
Example:
RP/0/RSP0/CPU0:router(config-sg-radius)# throttle access 10 access-timeout 5 accounting 10
Purpose: Configures the RADIUS throttling options to control the number of access and accounting requests sent to a RADIUS server. The threshold value denotes the number of outstanding access requests or accounting transactions after which throttling should be performed. The range is from 0 to 65535, and for both access and accounting requests the preferred value is 100.
Step 5
Command or Action: Use the commit or end command.
Purpose:
commit –Saves the configuration changes and remains within the configuration session.
end –Prompts user to take one of these actions:
· Yes –Saves configuration changes and exits the configuration session.
· No –Exits the configuration session without committing the configuration changes.
· Cancel –Remains in the configuration session, without committing the configuration changes.
Configuring RADIUS Throttling on a Server Group: An example
configure
aaa group server radius SG1
 server 99.1.1.10 auth-port 1812 acct-port 1813
 throttle access 10 access-timeout 5 accounting 10
!
end
RADIUS Change of Authorization (CoA) Overview
The Change of Authorization (CoA) function allows the RADIUS server to change the authorization settings for a subscriber who is already authorized. CoA is an extension to the RADIUS standard that allows sending asynchronous messages from RADIUS servers to a RADIUS client, like BNG.
Note A CoA server can be different from the RADIUS server.
To identify the subscriber whose configuration needs to be changed, a RADIUS CoA server supports and uses a variety of keys (RADIUS attributes) such as Accounting-Session-ID, Username, IP-Address, and ipv4:vrf-id. The RADIUS CoA supports:
· account-logon –When a user logs into a network, an external web portal that supports CoA sends an account-logon request to BNG with the user’s credentials (username and password). Account-logon on BNG then attempts to authenticate the user through RADIUS with those credentials.
· account-logoff –BNG processes the account-logoff request as a disconnect event for the subscriber and terminates the session.
Note The RADIUS CoA server does not differentiate between originators of the disconnect event. Hence, when the BNG receives an account-logoff request from the RADIUS CoA server, for both a user-initiated and an administrator-initiated request, the Acct-Terminate-Cause to be sent to the RADIUS server is always set as Admin-Reset.
· account-update –BNG parses and applies the attributes received as part of the CoA profile. Only subscriber-specific attributes are supported and applied on the user profile.
· activate-service –BNG starts a predefined service on a subscriber. The service settings can either be defined locally by a dynamic template, or downloaded from the RADIUS server.
· deactivate-service –BNG stops a previously started service on the subscriber, which is equivalent to deactivating a dynamic-template.
For a list of supported Vendor-Specific Attributes for account operations, see Vendor-Specific Attributes for Account Operations, on page 451.
Note In order for BNG to enable interim accounting, it is mandatory for the CoA request to have both the accounting method list from the dynamic-template and the Acct-Interim-Interval attribute from the user profile. This behavior applies to accounting enabled through a dynamic-template. From Cisco IOS XR Software Release 5.3.0 and later, the CoA request needs to have only the Acct-Interim-Interval attribute in the user profile.
Service Activate from CoA
BNG supports activating services through CoA requests. The CoA service-activate command is used for activating services. The CoA request for the service activate should contain these attributes:
· “subscriber:command=activate-service” Cisco VSA
· “subscriber:service-name=
The “<subscriber:sa=
· When a duplicate request with identical parameters comes from the CoA for a service that is already active.
· When a duplicate request with identical parameters comes from the CoA to apply a parameterized service.
BNG sends a CoA NACK message to the CoA server with an error code as an invalid attribute under these scenarios:
· When a request comes from the CoA to deactivate a non-parameterized service that is not applied to the session.
· When a request comes from the CoA to deactivate a parameterized service that is not applied to the session.
· When a duplicate request to apply a parameterized service is made with non-identical parameters from the CoA.
· When a request with non-identical parameters comes from the CoA to deactivate a parameterized service.
Service Update from CoA
The service update feature allows an existing service profile to be updated with a new RADIUS attribute list representing the updated service. This affects any subscriber who is already activated with the service and any new subscriber who activates the service in the future. The new CoA service-update command is used for activating this feature. The CoA request for the service update should have these attributes:
· “subscriber:command=service-update” Cisco VSA
· “subscriber:service-name=
A service update CoA should have a minimum of these attributes:
· vsa cisco generic 1 string “subscriber:command=service-update”
· vsa cisco generic 1 string “subscriber:service-name=
Web Logon with RADIUS Based CoA
To support Web Logon, a set of Policy Rule Events need to be configured in an ordered manner. These events are as follows:
· session-start:
 · On the start of a session, a subscriber is set up to get internet connectivity. The service is activated to redirect HTTP traffic to a Web portal for web-based logon.
 · Start the timer with the duration of the maximum waiting period for authentication.
· account-logon –The Web portal collects the user credentials such as username and password and triggers a CoA account-logon command. When this event is triggered, the subscriber username and password are authenticated by the RADIUS server. Once the authentication is successful, the HTTP redirect service is deactivated, granting the user access to the already connected internet setup. Also, the timer established in session-start must be stopped. However, if the authentication fails during account-logon, BNG sends a NAK CoA request, allowing further authentication attempts to take place.
· timer expiry –When the timer expires, the subscriber session is disconnected based on the configuration.
Multi-Action Change of Authorization
BNG supports multi-action Change of Authorization (CoA) wherein service
providers can activate and deactivate multiple services using a single CoA
request. Multi-action CoA is supported for Service-Logon and Service-Logoff
CoA commands. The Service-Logon command can contain one or more Service-
Activate attributes, and optionally Service-Deactivate attributes, for multi-
action CoA to specify service(s) to be activated or deactivated. Similarly,
the Service-Logoff command can contain one or more Service-Deactivate
attributes, and optionally Service-Activate attributes, for multi-action CoA
to specify service(s) to be deactivated or activated.
MA-CoA supports a maximum of 10 service activations or deactivations per MA-CoA request; however, it is recommended to issue six activations or deactivations per MA-CoA request.
During a multi-action CoA request, if any of the CoA actions fails to activate or deactivate, then every service that was activated or deactivated as part of that CoA request is rolled back to its previous state. The session is restored to its pre-MA-CoA state upon a failed activation or deactivation.
A rollback-failure exception event can be configured to specify the action to be taken when a service rollback fails following a failed MA-CoA request (that is, a double-failure condition). The default action when the rollback fails is to preserve the session; however, you can configure the session to be terminated instead.
The following example details the rollback failure exception.
policy-map type control subscriber PL1
 event session-start match-first
  class type control subscriber class-default do-all
   1 activate dynamic-template pkt-trig1
  !
 !
 event exception match-first
  class type control subscriber coa-rollback-failure do-all
   10 disconnect
  !
 !
!
An Example of a Multi-Action Change of Authorization Use Case
The following example lists the sequence of events that occur in the case of a
PTA session initiation.
1. The PTA session's web traffic is redirected to a service portal (HTTP
   Redirect).
2. The user activates the first level of service through the service portal.
   A multi-action CoA request is initiated in the following sequence:
   a. Deactivate redirection
   b. Activate Turbo Button 1
   c. Activate VoIP with two channels
3. The user activates the second level of service through the service portal.
   A multi-action CoA request is initiated in the following sequence:
   a. Deactivate Turbo Button 1
   b. Activate Turbo Button 2
   c. Deactivate VoIP with two channels
   d. Activate VoIP with 4 channels
Interworking with Service-Level Accounting
BNG supports Service-Level Accounting, where a service is a collection of
features that are activated and deactivated as a group. Service-Level
Accounting and MA-CoA features are independent, that is, they can be applied
separately. However, MA-CoA accounts for services that are activated or
deactivated