Local User Database Basics
This chapter provides information about Local User Database (LUDB) Basics.
Applicability
This chapter was initially written based on SR OS Release 13.0.R1, but the information and configuration in the current edition are based on SR OS Release 16.0.R4.
Overview
A local user database (LUDB) is a data source containing a set of host entries, providing full or partial enhanced subscriber management (ESM) data so that subscribers and subscriber hosts can be instantiated when end-users connect their devices.
An LUDB can be accessed for the following applications; see LUDB applications.
To support ESM for retrieval of data to instantiate hosts and subscribers. This applies to the routed central office [CO] model only.
To support a local DHCPv4 server; for example for assigning fixed IP addresses to dedicated end-user devices.
To allow the system to provide the ESM data in case the RADIUS server referenced from the authentication policy is not available. The LUDB serves as a fallback for RADIUS authentication.
The LUDB lookup process is common to the applications shown in LUDB applications, and performs the following steps:
Applying match criteria, to select the input parameters that will be used for the lookup.
Optionally, applying a mask to one or more of the remaining input parameters.
Performing the lookup.
The LUDB lookup process translates a set of input parameters (the host identification fields) into a set of output parameters; see Processing an LUDB lookup request for the following example:
An LUDB lookup is requested for a client with MAC address and SAP as input parameters (1).
The match criteria indicate to consider the SAP only, so the MAC address is ignored (2).
The masking defines the stripping of the VLAN-tag from the SAP (3).
The lookup then uses SAP 1/1/1 and finds entry1 to be the matching entry, so the LUDB returns the SLA-profile string and the SUB-profile string together with the Gi address.
Optionally, an LUDB defines a default host entry, which is used in case none of the other entries matches the lookup request, so it serves as a wildcard (*).
Not finding any matching host entry in an LUDB results in a setup failure.
Configuration
Creating LUDBs
An LUDB is identified by a name of 32 characters maximum (Creating LUDBs and LUDB entries).
*A:BNG-1>config>subscr-mgmt# local-user-db
- local-user-db <local-user-db-name> [create]
Multiple LUDBs can be defined, and their respective names must be unique.
An LUDB can provide the data for IPoE (DHCPv4, DHCPv6, and SLAAC) as well as for PPP users.
*A:BNG-1>config>subscr-mgmt>loc-user-db$
[no] description - Description for this local user database
ipoe + Configure IPOE hosts
ppp + Configure PPP hosts
[no] shutdown - Administratively enable/disable this local user database
For an LUDB to be active, the LUDB must be in the no shutdown state.
Individual host entries in an LUDB can match single or multiple hosts.
Creating host entries
A host entry is identified by a name of 32 characters maximum (Creating LUDBs and LUDB entries).
*A:BNG-1>config>subscr-mgmt>loc-user-db>ipoe$ host
- host <host-name> [create]
The name default can optionally be used as a wildcard for situations where otherwise the lookup fails to find a matching entry. A host entry belongs to either the IPoE or the PPP section of an LUDB. The name of a host entry must be unique within the section. A host entry contains two sets of fields: the first set contains the host-identification fields, which are used for the lookup; the second set contains the output fields of the lookup process.
The host-identification fields available for IPoE are, in alphabetical order:
circuit-id
derived-id, which must be defined using a Python script, which derives the value from DHCP messages
encap-tag-range
ip-prefix
mac-address
option 60
remote-id
sap-id
service-id
string
system-id
The host-identification fields available for PPP are, in alphabetical order:
circuit-id: taken from the PPPoE tags
derived-id, which must be defined using a Python script, which derives the value from PPP messages
encap-tag-range
mac
remote-id: taken from the PPPoE tags
sap-id
service-name
username
The output fields of the lookup process include the identification strings, DHCP options, IP address information, MSAP information, and so on.
Entry validation
For a host entry to be active, it must be put in the no shutdown state.
Before adding the host entry to the lookup database, the system validates the host entry:
A default host entry can be added, preferably without host identification fields.
*A:BNG-1>config>subscr-mgmt>loc-user-db>ipoe# host default create
*A:BNG-1>config>subscr-mgmt>loc-user-db>ipoe>host$ no shutdown
INFO: DHCPS #1138 This host will be considered as the default host
*A:BNG-1>config>subscr-mgmt>loc-user-db>ipoe>host$
Defining a default host entry with identification fields is not recommended, because it would turn the default host entry into a regular entry, instead of a match all entry, when the match-list is changed.
A non default host entry without host identification fields cannot be added to the lookup database.
MINOR: DHCPS #1126 Host-identification must have at least 1 item defined
A non default host entry with none of its host identification fields in common with the match-list is added to the unmatched host list.
INFO: DHCPS #1107 Host could not be inserted in lookup database - no match values
A non default host entry is added to the lookup database when at least one of the defined host identification fields is in common with the match-list, even when some of the host identification fields are not on the match-list.
Two or more non default host entries with the same host-identification definitions are considered as duplicates. The second entry with the same host-identification definitions is not added to the lookup database; it is considered as a configuration mistake.
INFO: DHCPS #1107 Host could not be inserted in lookup database — duplicate
LUDB informational and error messages appear to be originating from the DHCPS application (DHCPS #nnn in the preceding outputs), even though the LUDB is not associated with a DHCPv4 server.
Creating a match list
Retrieving data from an LUDB requires one or more criteria to be put on a match-list. A match-list is a sequential list of parameters considered for the lookup; other parameters provided on LUDB access are ignored.
For IPoE, up to four criteria can be defined; for PPP, the maximum is three. The criteria on a match-list are processed in the order specified.
For IPoE users, the following match criteria are allowed, in alphabetical order:
circuit-id
derived-id (defined by a Python script)
dual-stack-remote-id (IPv4 and IPv6, with IPv6 enterprise-id stripped off)
encap-tag-range
ip
mac-address
option 60
remote-id (IPv4 and IPv6, including the IPv6 enterprise-id)
sap-id
service-id
string
system-id
*A:BNG-1>config>subscr-mgmt>loc-user-db>ipoe# match-list
- no match-list
- match-list <ipoe-match-type-1> [<ipoe-match-type-2>...(up to 4 max)]
<ipoe-match-type> : circuit-id|derived-id|dual-stack-remote-id|
encap-tag-range|ip|mac|option60|remote-id|sap-id|
service-id|string|system-id
*A:BNG-1>config>subscr-mgmt>loc-user-db>ipoe#
For PPP users, the following match criteria are allowed, in alphabetical order:
circuit-id
derived-id (defined by a Python script)
encap-tag-range
mac-address
remote-id (IPv4 and IPv6, including the IPv6 enterprise-id)
sap-id
service-name
username (complete username, domain part only, host part only)
*A:BNG-1>config>subscr-mgmt>loc-user-db>ppp# match-list
- no match-list
- match-list <ppp-match-type-1> [<ppp-match-type-2>...(up to 3 max)]
<ppp-match-type> : circuit-id|derived-id|mac|remote-id|sap-id|
encap-tag-range|service-name|username
*A:BNG-1>config>subscr-mgmt>loc-user-db>ppp#
Masking
Optionally, the parameters considered for the lookup can be masked.
Masking is prefix- or suffix- based, or a combination of both. A prefix or suffix string, or a prefix or suffix length, can be specified.
For PPP users, masks can be applied to the circuit-id, remote-id, sap-id, service-name, and username. For IPoE users, masks can be applied to the circuit-id, option 60, remote-id, sap-id, string, and system-id.
*A:BNG-1>config>subscr-mgmt>loc-user-db>ppp# mask ?
- mask type <ppp-match-type>
{[prefix-string <prefix-string> | prefix-length <prefix-length>]
[suffix-string <suffix-string> | suffix-length <suffix-length>]}
- no mask type <ppp-match-type>
<ppp-match-type> : circuit-id|remote-id|sap-id|service-name|username
<prefix-string> : [127 chars max] ('*' is wildcard)
<prefix-length> : [1..127]
<suffix-string> : [127 chars max] ('*' is wildcard)
<suffix-length> : [1..127]
*A:BNG-1>config>subscr-mgmt>loc-user-db>ipoe# mask ?
- mask type <ipoe-match-type>
{[prefix-string <prefix-string> | prefix-length <prefix-length>]
[suffix-string <suffix-string> | suffix-length <suffix-length>]}
- no mask type <ipoe-match-type>
<ipoe-match-type> : circuit-id|option60|remote-id|sap-id|string|system-id
<prefix-string> : [127 chars max] ('*' is wildcard)
<prefix-length> : [1..127]
<suffix-string> : [127 chars max] ('*' is wildcard)
<suffix-length> : [1..127]
The lookup occurs after applying the optional masks.
The examples in Masking examples illustrate masking. For the third example, a combination of both prefix and suffix matching is used.
| Mask type: username | Mask type: circuit-id | Mask type: remote-id | prefix-length | suffix-length | prefix-string | suffix-string | result |
|---|---|---|---|---|---|---|---|
| - | - | 87654321-BSAN-1 | 9 | - | - | - | BSAN-1 |
| - | BSAN-2\|1\|100\|1/2/1 | - | - | 11 | - | - | BSAN-2 |
| all@domain-1.com | - | - | - | - | *@ | .com | domain-1 |
Lookup
The following rules apply while scanning through an LUDB in search of a single matching entry:
1. Only criteria on the match-list are considered.
   Assume a client with MAC-address, a circuit-id, and a remote-id. If the match-list only defines the MAC-address to be used as criterion, then the circuit-id and the remote-id are ignored. Only the MAC-address is used for selecting the proper host entry.
2. The order of the criteria on the match-list is important.
   The match-list is a sequential list, and the criteria are processed left to right.
3. As many of the host-identification fields as possible must be matched, while still obeying rule 1.
   Only the (optionally masked) parameters from the match list are verified.
4. A default host is excluded from the scan, if defined.
   A default host is used as a fallback when scanning through an LUDB does not provide any result.
The examples in Host matching examples and Host matching examples (continued) illustrate these rules:
Matching is based on the MAC-address only. When client-a with mac-1 connects, host ipoe-x is matched.
Matching is based on the MAC-address, circuit-id, and remote-id, in this sequence. As client-b enters with mac-1, cid-1 and rid-1, the match-list is scanned and matched left to right, so host ipoe-z is matched.
Matching is based on the MAC-address only. Even though client-c connects with mac-1, cid-1, and rid-1, the system ignores the circuit-id and the remote-id, so the matching host is ipoe-x. Note that host ipoe-y can never be matched using the match-list defined; it is on the unmatched host list.
Matching is based on the MAC-address and the circuit-id, in this sequence. Client-d connects with mac-1 and cid-2, but because the system scans the match-list left to right, the MAC-address takes priority over the circuit-id. The matching host is ipoe-x.
For the top part, matching is based on MAC-address and the circuit-id, in this sequence. When client-e connects (mac-1, cid-1, and rid-1), the system scans ludb-5-1 and matches host ipoe-x.
For the bottom part, matching is based on the circuit-id first, then the MAC-address. When client-e connects (mac-1, cid-1, and rid-1), the system scans ludb-5-2 and matches host ipoe-y.
Matching is based on MAC-address and the circuit-id, in this sequence. When client-f-1 (mac-1) connects, the matching host is ipoe-x because only the MAC-address is provided and checked. When client-f-2 (cid-1) connects, the matching host is ipoe-y because only the circuit-id is provided and checked. When client-f-3 (mac-1, cid-1) connects, the matching host is ipoe-z.
Matching is based on the MAC-address only. When client-g with mac-2 connects, host default is matched because there is no explicit entry matching mac-2.
As shown in these examples, the system only checks the parameters provided by the client, in the sequence defined by the match-list. Parameters not provided by a client are not searched for.
Tools commands
The following tools command manually triggers the lookup of an IPoE host in an LUDB and is useful during commissioning, troubleshooting, and verification of the configured database, without the need for an external client.
*A:BNG-1# tools perform subscriber-mgmt local-user-db "ludb-1" ipoe host-lookup ?
- host-lookup [mac <ieee-address>] [remote-id <remote-id-ascii>]
[sap-id <sap-id>] [service-id <service-id>] [string <vso-string>]
[system-id <system-id>] [option60 <option-60-ascii>]
[circuit-id <circuit-id-ascii>] [circuit-id-hex <circuit-id-hex>]
[option60-hex <option60-hex>] [remote-id-hex <remote-id-hex>]
[derived-id <derived-id>] [ip-prefix <ip-prefix/ip-prefix-length>]
<ieee-address> : xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx
<remote-id-ascii> : [255 chars max]
<sap-id> : [255 chars max]
<service-id> : [1..2148278317]|<svc-name:64 char max>
<vso-string> : [255 chars max]
<system-id> : [255 chars max]
<option-60-ascii> : [32 chars max]
<circuit-id-ascii> : [127 chars max]
<circuit-id-hex> : [0x0..0xFFFFFFFF...(max 254 hex nibbles)]
<option60-hex> : [0x0..0xFFFFFFFF...(max 64 hex nibbles)]
<remote-id-hex> : [0x0..0xFFFFFFFF...(max 510 hex nibbles)]
<derived-id> : [255 chars max]
<ip-prefix/ip-pref*> : ipv4-prefix - a.b.c.d (host bits must be 0)
ipv4-prefix-le - [0..32]
ipv6-prefix - x:x:x:x:x:x:x:x (eight 16-bit pieces)
x:x:x:x:x:x:d.d.d.d
x - [0..FFFF]H
d - [0..255]D
ipv6-prefix-le - [0..128]
A similar command exists for the lookup of a PPP host in an LUDB.
*A:BNG-1# tools perform subscriber-mgmt local-user-db "ludb-1" ppp host-lookup ?
- host-lookup [circuit-id <circuit-id>] [circuit-id-hex <circuit-id-hex>]
[derived-id <derived-id>] [mac <ieee-address>] [remote-id <remote-id>]
[remote-id-hex <remote-id-hex>] [sap-id <sap-id>]
[service-name <service-name>] [user-name <user-name>]
<circuit-id> : [127 chars max]
<circuit-id-hex> : [0x0..0xFFFFFFFF...(max 254 hex nibbles)]
<derived-id> : [255 chars max]
<ieee-address> : xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx
<remote-id> : [255 chars max]
<remote-id-hex> : [0x0..0xFFFFFFFF...(max 510 hex nibbles)]
<sap-id> : [255 chars max]
<service-name> : [255 chars max]
<user-name> : [253 chars max]
Example 1: Single match criterion
The following shows an excerpt from ludb-1. Host entry-11 defines the parameters for an IPoE host, and host entry-55 defines the parameters for a PPPoE host. Host matching IPoE hosts is MAC-address based, whereas host matching PPP hosts is username based.
configure
    subscriber-mgmt
        local-user-db "ludb-1" create
            description "example user-db"
            ipoe
                match-list mac
                host "default" create
                    address pool "pool4-1"
                    no shutdown
                exit
                host "entry-11" create
                    host-identification
                        mac 00:00:00:11:11:11
                    exit
                    address 10.1.1.211
                    ---snip---
                    no shutdown
                exit
                ---snip---
            exit
            ppp
                match-list username
                host "entry-55" create
                    host-identification
                        username "sub55@domain1"
                    exit
                    password chap sub55
                    address 10.1.2.252
                    ---snip---
                    no shutdown
                exit
                ---snip---
            exit
            no shutdown
        exit
IPoE hosts
IPoE host entry lookup using a MAC-address only is triggered with the following tools command.
*A:BNG-1# tools perform subscriber-mgmt local-user-db "ludb-1" ipoe
host-lookup mac 00:00:00:11:11:11
===============================================================================
IPoE Host Lookup results
===============================================================================
Result : Success
Matched Host Name : entry-11
Admin State : Up
Last Mgmt Change : 11/20/2018 11:25:10
Host Identification
Circuit Id : N/A
Mac Address : 00:00:00:11:11:11
Remote Id : N/A
Sap Id : N/A
Service Id : N/A
String : N/A
Option 60 : N/A
System Id : N/A
Encap Tag Range : N/A
Derived Id : N/A
IP prefix : N/A
Matched Objects : mac
---snip---
===============================================================================
*A:BNG-1#
The debug output confirms the successful lookup.
1 2018/11/20 11:40:41.132 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host found
mac: 00:00:00:11:11:11
Host entry-11 found in user data base ludb-1"
*A:BNG-1#
The following command uses a MAC-address, a circuit-id, and a remote-id for the lookup. The output shows that only the MAC-address is used; the other input parameters are ignored (N/A), so again entry-11 is selected.
*A:BNG-1# tools perform subscriber-mgmt local-user-db "ludb-1" ipoe
host-lookup mac 00:00:00:11:11:11 circuit-id AA remote-id BB
===============================================================================
IPoE Host Lookup results
===============================================================================
Result : Success
Matched Host Name : entry-11
Admin State : Up
Last Mgmt Change : 11/20/2018 11:25:10
Host Identification
Circuit Id : N/A
Mac Address : 00:00:00:11:11:11
Remote Id : N/A
Sap Id : N/A
Service Id : N/A
String : N/A
Option 60 : N/A
System Id : N/A
Encap Tag Range : N/A
Derived Id : N/A
IP prefix : N/A
Matched Objects : mac
---snip---
===============================================================================
*A:BNG-1#
The following command triggers the lookup of a non-existing MAC-address, leading to a host not found message.
*A:BNG-1# tools perform subscriber-mgmt local-user-db "ludb-1" ipoe
host-lookup mac 00:00:00:12:34:56
===============================================================================
IPoE Host Lookup results
===============================================================================
Result : host not found
*A:BNG-1#
The host not found message is also confirmed by the debug output.
3 2018/11/20 11:43:30.351 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host not found
mac: 00:00:00:12:34:56
Host not found in user data base ludb-1"
To allow IPoE users with unknown MAC-addresses to successfully connect, a default host can be created, at which time an informational message is returned:
*A:BNG-1# configure subscriber-mgmt local-user-db "ludb-1" ipoe host "default" create
*A:BNG-1>config>subscr-mgmt>loc-user-db>ipoe>host# address pool pool4-1
*A:BNG-1>config>subscr-mgmt>loc-user-db>ipoe>host# no shutdown
INFO: DHCPS #1138 This host will be considered as the default host
*A:BNG-1>config>subscr-mgmt>loc-user-db>ipoe>host# exit all
*A:BNG-1#
After the previous commands are executed, devices with MAC-addresses not explicitly listed in the LUDB can also connect.
*A:BNG-1# tools perform subscriber-mgmt local-user-db "ludb-1" ipoe
host-lookup mac 00:00:00:12:34:56
===============================================================================
IPoE Host Lookup results
===============================================================================
Result : Success
Matched Host Name : default
Admin State : Up
Last Mgmt Change : 11/20/2018 11:45:02
Host Identification
Circuit Id : N/A
Mac Address : N/A
Remote Id : N/A
Sap Id : N/A
Service Id : N/A
String : N/A
Option 60 : N/A
System Id : N/A
Encap Tag Range : N/A
Derived Id : N/A
IP prefix : N/A
Matched Objects : N/A
---snip---
===============================================================================
*A:BNG-1#
PPP hosts
Manually authenticating a PPP host is done as follows.
*A:BNG-1# tools perform subscriber-mgmt local-user-db "ludb-1"
ppp authentication user-name sub55@domain1 password sub55
===============================================================================
Authentication results
===============================================================================
Result : Success
Matched Host Name : entry-55
Admin State : Up
Last Mgmt Change : 11/20/2018 11:25:10
Host Identification
Mac Address : N/A
Circuit Id : N/A
Remote Id : N/A
Sap Id : N/A
Service Name : N/A
User Name : sub55@domain1
Encap Tag Range : N/A
Derived Id : N/A
Matched Objects : userName
---snip---
===============================================================================
*A:BNG-1#
When the wrong password is provided, the following message is returned:
*A:BNG-1# tools perform subscriber-mgmt local-user-db "ludb-1"
ppp authentication user-name sub55@domain1 password sub5x
===============================================================================
Authentication results
===============================================================================
Result : invalid password
*A:BNG-1#
PPP host entry lookup is similar to the IPoE host lookup. The following example demonstrates a user-name based lookup.
*A:BNG-1# tools perform subscriber-mgmt local-user-db "ludb-1"
ppp host-lookup user-name sub55@domain1
===============================================================================
PPP host Lookup results
===============================================================================
Result : Success
Matched Host Name : entry-55
Admin State : Up
Last Mgmt Change : 11/20/2018 11:25:10
Host Identification
Mac Address : N/A
Circuit Id : N/A
Remote Id : N/A
Sap Id : N/A
Service Name : N/A
User Name : sub55@domain1
Encap Tag Range : N/A
Derived Id : N/A
Matched Objects : userName
---snip---
===============================================================================
*A:BNG-1#
The following command uses a user-name and a MAC-address for the lookup.
*A:BNG-1# tools perform subscriber-mgmt local-user-db "ludb-1"
ppp host-lookup user-name sub55@domain1 mac 00:00:00:11:11:11
===============================================================================
PPP host Lookup results
===============================================================================
Result : Success
Matched Host Name : entry-55
Admin State : Up
Last Mgmt Change : 11/20/2018 11:25:10
Host Identification
Mac Address : N/A
Circuit Id : N/A
Remote Id : N/A
Sap Id : N/A
Service Name : N/A
User Name : sub55@domain1
Encap Tag Range : N/A
Derived Id : N/A
Matched Objects : userName
---snip---
===============================================================================
*A:BNG-1#
Similar to the IPoE host lookup, the lookup of a non-existing user fails if no default entry is defined for PPP. In this case, a default host can be defined.
Example 2: Multiple match criteria
The following shows an excerpt from ludb-2, with multiple match criteria.
The match-list includes mac, circuit-id, and remote-id, in this sequence.
configure
    subscriber-mgmt
        local-user-db "ludb-2" create
            ipoe
                match-list mac circuit-id remote-id
                host "entry-11" create
                    host-identification
                        mac 00:00:00:11:11:11
                    exit
                    address 10.1.1.111
                    ---snip---
                    no shutdown
                exit
                host "entry-12" create
                    host-identification
                        circuit-id string "11"
                        mac 00:00:00:11:11:11
                    exit
                    address 10.1.1.112
                    ---snip---
                    no shutdown
                exit
                host "entry-13" create
                    host-identification
                        circuit-id string "11"
                        mac 00:00:00:11:11:11
                        remote-id string "AA"
                    exit
                    address 10.1.1.113
                    ---snip---
                    no shutdown
                exit
                host "entry-14" create
                    host-identification
                        circuit-id string "11"
                        remote-id string "AA"
                    exit
                    address 10.1.1.114
                    ---snip---
                    no shutdown
                exit
The following tools command uses a MAC-address only, with entry-11 being matched.
*A:BNG-1# tools perform subscriber-mgmt local-user-db "ludb-2"
ipoe host-lookup mac 00:00:00:11:11:11
===============================================================================
IPoE Host Lookup results
===============================================================================
Result : Success
Matched Host Name : entry-11
Admin State : Up
Last Mgmt Change : 11/20/2018 11:25:10
Host Identification
Circuit Id : N/A
Mac Address : 00:00:00:11:11:11
Remote Id : N/A
Sap Id : N/A
Service Id : N/A
String : N/A
Option 60 : N/A
System Id : N/A
Encap Tag Range : N/A
Derived Id : N/A
IP prefix : N/A
Matched Objects : mac
---snip---
===============================================================================
*A:BNG-1#
The corresponding debug output shows the parameters from the match-list and their values, in sequence. The values for the circuit-id and the remote-id are left empty as they were not provided for the lookup.
10 2018/11/20 11:52:30.777 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host found
mac: 00:00:00:11:11:11
circuit-id:
remote-id:
Host entry-11 found in user data base ludb-2"
The following tools command uses a circuit-id and a remote-id, with entry-14 being matched.
*A:BNG-1# tools perform subscriber-mgmt local-user-db "ludb-2"
ipoe host-lookup circuit-id 11 remote-id AA
===============================================================================
IPoE Host Lookup results
===============================================================================
Result : Success
Matched Host Name : entry-14
Admin State : Up
Last Mgmt Change : 11/20/2018 11:25:10
Host Identification
Circuit Id : 11
Mac Address : N/A
Remote Id : AA
Sap Id : N/A
Service Id : N/A
String : N/A
Option 60 : N/A
System Id : N/A
Encap Tag Range : N/A
Derived Id : N/A
IP prefix : N/A
Matched Objects : circ-id remote-id
---snip---
===============================================================================
*A:BNG-1#
The corresponding debug output shows that the original and the masked values of the circuit-id and the remote-id are the same, because no masks are applied.
11 2018/11/20 11:53:46.129 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host found
mac:
circuit-id:
original: 11
masked: 11
remote-id:
original: AA
masked: AA
Host entry-14 found in user data base ludb-2"
Accessing ludb-2 with a remote-id only returns a failure.
*A:BNG-1# tools perform subscriber-mgmt local-user-db "ludb-2"
ipoe host-lookup remote-id AA
===============================================================================
IPoE Host Lookup results
===============================================================================
Result : host not found
*A:BNG-1#
12 2018/11/20 11:54:44.948 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host not found
mac:
circuit-id:
remote-id:
original: AA
masked: AA
Host not found in user data base ludb-2"
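The lookup rules and the entry validation described earlier, modelled in Python and checked against the ludb-1 and ludb-2 results shown above. This is an added example, not SR OS code: the class, the ranking (most matched fields first, then match-list order, then configuration order) and the two entries named constructed-* are assumptions of the sketch.

```python
from typing import Dict, List, Optional

DEFAULT = "default"
Ident = Dict[str, str]  # host-identification field -> configured value


class LudbModel:
    """Simplified model of the IPoE or PPP section of one LUDB."""

    def __init__(self, match_list: List[str], hosts: Dict[str, Ident]) -> None:
        self.match_list = list(match_list)
        self.has_default = DEFAULT in hosts
        self.active: Dict[str, Ident] = {}    # the lookup database
        self.rejected: Dict[str, str] = {}    # host name -> reason
        for name, ident in hosts.items():
            if name == DEFAULT:
                continue  # never scanned, only used as the fallback
            reason = self.reject_reason(ident)
            if reason:
                self.rejected[name] = reason
            else:
                self.active[name] = dict(ident)

    def reject_reason(self, ident: Ident) -> Optional[str]:
        """Entry validation: why a non-default host stays out of the database."""
        if not ident:
            return "host-identification must have at least 1 item defined"
        if not any(field in ident for field in self.match_list):
            return "no match values"  # ends up on the unmatched host list
        if ident in self.active.values():
            return "duplicate"        # same definitions as an earlier entry
        return None

    def lookup(self, client: Ident) -> Optional[str]:
        """Return the matching host name, 'default', or None (setup failure)."""
        # Rule 1: only match-list parameters the client supplied are used.
        supplied = {f: client[f] for f in self.match_list if client.get(f)}
        best, best_rank = None, None
        for name, ident in self.active.items():
            wanted = {f: v for f, v in ident.items() if f in self.match_list}
            if any(supplied.get(f) != v for f, v in wanted.items()):
                continue
            # Rule 3 (most fields), then rule 2 (leftmost criterion wins).
            rank = (len(wanted), tuple(f in wanted for f in self.match_list))
            if best_rank is None or rank > best_rank:
                best, best_rank = name, rank
        if best is not None:
            return best
        return DEFAULT if self.has_default else None  # rule 4

    def findings(self) -> List[str]:
        """Review notes: unreachable entries and the match-all fallback."""
        notes = [f"{name}: not in lookup database ({why})"
                 for name, why in self.rejected.items()]
        if self.has_default:
            notes.append("default host defined: clients that match no entry "
                         "are still instantiated")
        return notes


MAC_11 = "00:00:00:11:11:11"

# Host-identification of the ludb-2 excerpt (match-list mac circuit-id remote-id).
LUDB_2_HOSTS = {
    "entry-11": {"mac": MAC_11},
    "entry-12": {"circuit-id": "11", "mac": MAC_11},
    "entry-13": {"circuit-id": "11", "mac": MAC_11, "remote-id": "AA"},
    "entry-14": {"circuit-id": "11", "remote-id": "AA"},
}

# IPoE section of ludb-1 (match-list mac) plus two constructed entries that
# the validation step keeps out of the lookup database.
LUDB_1_HOSTS = {
    "default": {},
    "entry-11": {"mac": MAC_11},
    "constructed-dup": {"mac": MAC_11},
    "constructed-cid": {"circuit-id": "AA"},
}

if __name__ == "__main__":
    ludb2 = LudbModel(["mac", "circuit-id", "remote-id"], LUDB_2_HOSTS)
    for client in ({"mac": MAC_11},
                   {"circuit-id": "11", "remote-id": "AA"},
                   {"remote-id": "AA"}):
        print(client, "->", ludb2.lookup(client) or "host not found")
    for note in LudbModel(["mac"], LUDB_1_HOSTS).findings():
        print(note)
```

The `findings()` output is the part to review when an LUDB backs up RADIUS authentication: an entry on the unmatched host list never takes effect, and a default host accepts every client the scan does not recognise.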
Example 3: Masking (1)
The following shows an excerpt from ludb-3, applying masks.
The match-list includes the circuit-id and the MAC-address, in this sequence. Masking applies to the circuit-id, which has the leading 8 characters and the trailing characters (behind the last vertical bar, and including the vertical bar) stripped.
configure
    subscriber-mgmt
        local-user-db "ludb-3" create
            description "masking example, ipoe"
            ipoe
                match-list circuit-id mac
                mask type circuit-id prefix-length 8 suffix-string "|*"
                host "entry-111" create
                    host-identification
                        circuit-id string "grp-int-1-1"
                        mac 00:00:00:11:11:11
                    exit
                    ---snip---
                    no shutdown
                exit
                ---snip---
The following tools command uses circuit-id and mac-address, matching entry-111.
*A:BNG-1# tools perform subscriber-mgmt local-user-db "ludb-3" ipoe host-lookup
mac 00:00:00:11:11:11 circuit-id "BNG-1|1|grp-int-1-1|1/1/2/1:111"
===============================================================================
IPoE Host Lookup results
===============================================================================
Result : Success
Matched Host Name : entry-111
Admin State : Up
Last Mgmt Change : 11/20/2018 11:25:11
Host Identification
Circuit Id : grp-int-1-1
Mac Address : 00:00:00:11:11:11
Remote Id : N/A
Sap Id : N/A
Service Id : N/A
String : N/A
Option 60 : N/A
System Id : N/A
Encap Tag Range : N/A
Derived Id : N/A
IP prefix : N/A
Matched Objects : circ-id mac
---snip---
===============================================================================
*A:BNG-1#
The debug output shows the values of the parameters before and after applying the mask.
13 2018/11/20 11:56:10.244 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host found
circuit-id:
original: BNG-1|1|grp-int-1-1|1/1/2/1:111
masked: grp-int-1-1
mac: 00:00:00:11:11:11
Host entry-111 found in user data base ludb-3"
Example 4: Masking (2)
The following shows an excerpt from ludb-4, applying masks.
The match-list includes the username, circuit-id, and remote-id, in this sequence. Masking applies to both the username and the circuit-id. The username has everything before the @-sign and the trailing .org stripped. The circuit-id has the trailing 11 characters stripped.
configure
    subscriber-mgmt
        local-user-db "ludb-4" create
            ppp
                match-list username circuit-id remote-id
                mask type circuit-id suffix-length 11
                mask type username prefix-string "*@" suffix-string ".org"
                host "entry-11" create
                    host-identification
                        username domain1
                        circuit-id string "BSAN-2"
                    exit
                    address pool "pool4-1"
                    identification-strings 254 create
                        sla-profile-string "sla-prof-1"
                        sub-profile-string "sub-prof-2"
                    exit
                    no shutdown
                exit
                ---snip---
            exit
            no shutdown
        exit
        ---snip---
The following tools command does not result in a match, which is not the intention.
*A:BNG-1# tools perform subscriber-mgmt local-user-db "ludb-4" ppp host-lookup
user-name sub11@domain1.org circuit-id "BSAN-2|100|1/2/1:111"
===============================================================================
PPP host Lookup results
===============================================================================
Result : host not found
*A:BNG-1#
The debug output shows the original and the masked value of the user-name and the circuit-id; the remote-id was not provided.
14 2018/11/20 11:57:45.554 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host not found
user-name:
original: sub11@domain1.org
masked: domain1
circuit-id:
original: BSAN-2|100|1/2/1:111
masked: BSAN-2|10
remote-id:
Host not found in user data base ludb-4"
The preceding output shows that three more characters (the |10) must be stripped to have a successful lookup, and the following configuration changes are needed.
configure
    subscriber-mgmt
        local-user-db "ludb-4" create
            ppp
                mask type circuit-id suffix-length 14
Modifying the mask results in host entry-11 being matched.
*A:BNG-1# tools perform subscriber-mgmt local-user-db "ludb-4" ppp host-lookup
user-name sub11@domain1.org circuit-id "BSAN-2|100|1/2/1:111"
===============================================================================
PPP host Lookup results
===============================================================================
Result : Success
Matched Host Name : entry-11
Admin State : Up
Last Mgmt Change : 11/20/2018 11:25:11
Host Identification
Mac Address : N/A
Circuit Id : BSAN-2
Remote Id : N/A
Sap Id : N/A
Service Name : N/A
User Name : domain1
Encap Tag Range : N/A
Derived Id : N/A
Matched Objects : userName circ-id
---snip---
===============================================================================
*A:BNG-1#
The debug output shows the effect of the modified mask.
15 2018/11/20 11:58:29.339 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host found
user-name:
original: sub11@domain1.org
masked: domain1
circuit-id:
original: BSAN-2|100|1/2/1:111
masked: BSAN-2
remote-id:
Host entry-11 found in user data base ludb-4"
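The mask arithmetic behind Examples 3 and 4, as an added Python example (not SR OS code). Shortest-match handling of '*' and leaving a non-matching value unchanged are assumptions of the sketch; `group_by_masked` shows which raw identifiers collapse onto the same lookup value, and the username sub12@domain1.org is constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Mask:
    """One 'mask type <field> ...' line: per side, a length or a string."""
    prefix_length: Optional[int] = None
    prefix_string: Optional[str] = None
    suffix_length: Optional[int] = None
    suffix_string: Optional[str] = None

    def __post_init__(self) -> None:
        if self.prefix_length is not None and self.prefix_string is not None:
            raise ValueError("prefix-length and prefix-string are alternatives")
        if self.suffix_length is not None and self.suffix_string is not None:
            raise ValueError("suffix-length and suffix-string are alternatives")


def strip_leading(value: str, pattern: str) -> str:
    """Remove the shortest leading part of value that matches pattern.

    '*' is the wildcard. Shortest match, and returning the value unchanged
    when the pattern does not match, are assumptions of this sketch.
    """
    regex = "".join(".*?" if ch == "*" else re.escape(ch) for ch in pattern)
    found = re.match(regex, value, flags=re.DOTALL)
    return value[found.end():] if found else value


def apply_mask(value: str, mask: Mask) -> str:
    """Return the value the lookup sees after prefix and suffix stripping."""
    if mask.prefix_length is not None:
        value = value[mask.prefix_length:]
    elif mask.prefix_string is not None:
        value = strip_leading(value, mask.prefix_string)
    if mask.suffix_length is not None:
        # max() keeps an over-long suffix-length from wrapping around.
        value = value[:max(0, len(value) - mask.suffix_length)]
    elif mask.suffix_string is not None:
        # A suffix is a prefix of the reversed string.
        value = strip_leading(value[::-1], mask.suffix_string[::-1])[::-1]
    return value


def group_by_masked(values: Iterable[str], mask: Mask) -> Dict[str, List[str]]:
    """Group raw identifiers by masked value; each group hits one host entry."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for value in values:
        groups[apply_mask(value, mask)].append(value)
    return dict(groups)


def suffix_length_for(original: str, wanted: str) -> Optional[int]:
    """suffix-length (1..127) that reduces original to wanted, else None."""
    if not original.startswith(wanted):
        return None
    length = len(original) - len(wanted)
    return length if 1 <= length <= 127 else None


if __name__ == "__main__":
    circuit_id = "BSAN-2|100|1/2/1:111"                  # from the ludb-4 example
    print(apply_mask(circuit_id, Mask(suffix_length=11)))
    print(suffix_length_for(circuit_id, "BSAN-2"))
    username_mask = Mask(prefix_string="*@", suffix_string=".org")
    print(group_by_masked(["sub11@domain1.org", "sub12@domain1.org"],
                          username_mask))
```

With the username mask of ludb-4, every user of the domain resolves to the same host entry, so the mask decides how much of the presented identity still takes part in the match.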
Example 5: VLAN range
LUDB matching also supports the use of encap-tag-range. Host-identification then needs a start and an end for the range, which both use the following format:
dot1q - qtag1
qinq - (qtag1.qtag2 | qtag1.* | *.qtag2)
atm - (vpi/vci | vpi/* | */vci)
qtag1 - [0..4094]
qtag2 - [0..4094]
vpi - [0..4095] (NNI)
[0..255] (UNI)
vci - [1..65535]
For VLAN tagging, the Ethernet frames could be single- or dual- tagged. For ATM, a virtual path identifier (VPI) and a virtual circuit identifier (VCI) can be defined. The asterisk (*) serves as a wildcard, meaning that the parameter is ignored.
The system validates, at configuration time, the values of the start-tag and the end-tag, applying the following rules:
The start-tag must be lower than the end-tag.
When using the asterisk, it should be present in both the start-tag and the end-tag, as either the inner or the outer tag:
*.10 - *.100 — the outer tag is ignored
201.* - 299.* — the inner tag is ignored
The encapsulation type for start-tag and end-tag must be the same.
Overlapping ranges (while on the same port) are not allowed.
The following shows an excerpt from ludb-5, using vlan-ranges.
configure
    subscriber-mgmt
        local-user-db "ludb-5" create
            description "example for vlan ranges"
            ipoe
                match-list encap-tag-range
                host "range-1" create
                    host-identification
                        encap-tag-range start-tag *.1 end-tag *.50
                    exit
                    address pool "pool4-3"
                    ---snip---
                    no shutdown
                exit
                host "range-2" create
                    host-identification
                        encap-tag-range start-tag *.51 end-tag *.100
                    exit
                    address pool "pool4-4"
                    ---snip---
                    no shutdown
                exit
            exit
            no shutdown
        exit
The following tools command specifies a sap-id including an outer and an inner tag, matching host range-1.
*A:BNG-1# tools perform subscriber-mgmt local-user-db "ludb-5"
ipoe host-lookup sap-id 1/1/1:50.4
===============================================================================
IPoE Host Lookup results
===============================================================================
Result : Success
Matched Host Name : range-1
Admin State : Up
Last Mgmt Change : 11/20/2018 11:25:11
Host Identification
Circuit Id : N/A
Mac Address : N/A
Remote Id : N/A
Sap Id : N/A
Service Id : N/A
String : N/A
Option 60 : N/A
System Id : N/A
Encap Tag Range : start-tag *.1 end-tag *.50
Derived Id : N/A
IP prefix : N/A
Matched Objects : encap-tag-range
Address : pool "pool4-3"
---snip---
===============================================================================
*A:BNG-1#
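The configuration-time rules and the ludb-5 lookup above can be modelled in a few lines of Python. This is an added example, not SR OS code; it covers dot1q and qinq tags only, and the function names, the single-port assumption and the ordering of fully specified qinq tags as (outer, inner) pairs are assumptions made for the illustration.

```python
# Added model of the encap-tag-range rules (dot1q/qinq); not SR OS code.
# Assumption: all ranges are on the same port, so any overlap is rejected.
# Assumption: fully specified qinq tags are ordered as (outer, inner) pairs.
TAG_MAX = 4094  # upper bound of qtag1/qtag2 in the format list

def parse_tag(text):
    """'50' -> (50,), '*.50' -> (None, 50); None stands for the '*' wildcard."""
    parts = text.split(".")
    if len(parts) > 2 or not all(p == "*" or p.isdigit() for p in parts):
        raise ValueError(f"malformed tag {text!r}")
    tag = tuple(None if p == "*" else int(p) for p in parts)
    if all(v is None for v in tag) or any(v is not None and v > TAG_MAX for v in tag):
        raise ValueError(f"invalid tag {text!r}")
    return tag

def shape(tag):
    return [v is None for v in tag]

def key(tag, ref):
    """Values of tag at the positions that ref does not wildcard."""
    return tuple(v for v, r in zip(tag, ref) if r is not None)

def make_range(start, end):
    s, e = parse_tag(start), parse_tag(end)
    if len(s) != len(e):
        raise ValueError("start-tag and end-tag differ in encapsulation type")
    if shape(s) != shape(e):
        raise ValueError("'*' must sit in the same position in both tags")
    if key(s, s) >= key(e, s):
        raise ValueError("start-tag must be lower than end-tag")
    return s, e

def build(config):
    """Validate each range; reject overlaps between same-shape ranges."""
    hosts = {}
    for name, (start, end) in config.items():
        s, e = make_range(start, end)
        for other, (s2, e2) in hosts.items():
            if shape(s) == shape(s2) and key(s, s) <= key(e2, s) and key(s2, s) <= key(e, s):
                raise ValueError(f"{name} overlaps {other}")
        hosts[name] = (s, e)
    return hosts

def lookup(hosts, sap_id):
    """Return the host whose range contains the SAP's tags, or None."""
    tags = parse_tag(sap_id.partition(":")[2])
    return next((n for n, (s, e) in hosts.items() if len(s) == len(tags)
                 and None not in tags and key(s, s) <= key(tags, s) <= key(e, s)), None)

LUDB5 = build({"range-1": ("*.1", "*.50"), "range-2": ("*.51", "*.100")})  # from ludb-5
```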
Operational considerations
The following operational considerations should be kept in mind:
Names of LUDBs and LUDB entries cannot be changed.
Modification of the host identification fields is possible only when the host-entry is put in the shutdown state. Modifying output fields does not require the host-entry to be in the shutdown state.
*A:BNG-1>config>subscr-mgmt>...>ppp>host>host-ident# circuit-id string x-y-z
MINOR: DHCPS #1133 Not allowed. Host is not shutdown
Modifying a match-list requires the LUDB to be in the shutdown state.
Modifying a match-list results in a re-evaluation of all host entries of the LUDB block, so that the lookup database and the unmatched host list are re-populated.
*A:BNG-1>config>subscr-mgmt>loc-user-db>ipoe# match-list circuit-id
INFO: DHCPS #1107 Host could not be inserted in lookup database - lookup database constructed, 1 hosts not inserted: 1 no match, 0 duplicate
Modifying the match-list also carries the risk that a default entry with host-identification fields suddenly is no longer the fallback (default) entry, which is why defining a default entry with host-identification fields is not recommended.
Modifying one or more mask types does not require the LUDB to be in the shutdown state.
Deletion of an LUDB requires that the LUDB is not referenced and the LUDB is in the shutdown state. Use caution: the status of the individual entries is not taken into account when deleting an LUDB.
*A:BNG-1>config>subscr-mgmt# no local-user-db "ludb-1"
MINOR: DHCPS #1103 User data base still referenced
*A:BNG-1>config>subscr-mgmt# no local-user-db "ludb-11"
MINOR: DHCPS #1104 Not allowed when user db admin state is up
Troubleshooting and debugging LUDBs
The tools command can also be used for troubleshooting; the example is not repeated for brevity.
Show commands
The following command shows which LUDBs are available in the system, including the administrative state and the host count. The host count equals the total number of configured ipoe and ppp entries, regardless of their administrative state (shutdown/no shutdown).
*A:BNG-1# show subscriber-mgmt local-user-db
===============================================================================
Local User Databases
===============================================================================
Name                                Admin      Host       Description
                                    State      Count
-------------------------------------------------------------------------------
ludb-1                              Up         10         example user-db
ludb-2                              Up         4
ludb-22                             Up         5
ludb-3                              Down       5
ludb-4                              Up         1
ludb-5                              Up         2          example for vlan ranges
-------------------------------------------------------------------------------
Number of Local User Databases : 6 Number of Hosts : 27
===============================================================================
*A:BNG-1#
To show the host count and the IPoE and PPP match types for a single LUDB, the following command is useful.
*A:BNG-1# show subscriber-mgmt local-user-db "ludb-1"
===============================================================================
Local User Database "ludb-1"
===============================================================================
Description : example user-db
Admin State : Up
Last Mgmt Change : 11/20/2018 11:25:10
Host Count : 10
IPoE Match Types : mac
PPP Match Types : userName
===============================================================================
*A:BNG-1#
Listing all IPoE hosts in a specific LUDB is performed with the following command.
*A:BNG-1# show subscriber-mgmt local-user-db "ludb-1" ipoe-all-hosts
===============================================================================
Local User Database "ludb-1" IPoE hosts
===============================================================================
Name                                Admin      Matched objects
                                    State
-------------------------------------------------------------------------------
default                             Up         -
entry-11                            Up         mac
---snip---
-------------------------------------------------------------------------------
Number of IPoE Hosts : 5
===============================================================================
*A:BNG-1#
A similar command lists all PPP hosts.
*A:BNG-1# show subscriber-mgmt local-user-db "ludb-1" ppp-all-hosts
===============================================================================
Local User Database "ludb-1" PPP Hosts
===============================================================================
Name                                Admin      Matched objects
                                    State
-------------------------------------------------------------------------------
entry-55                            Up         userName
---snip---
-------------------------------------------------------------------------------
Number of PPP Hosts : 5
===============================================================================
*A:BNG-1#
To find the places where a specific LUDB is applied, use the following command.
*A:BNG-1# show subscriber-mgmt local-user-db "ludb-1" association
===============================================================================
DHCP Server associations for ludb-1
===============================================================================
Server-Name Router-Name
-------------------------------------------------------------------------------
dhcp4-srv Base
-------------------------------------------------------------------------------
No. of Server(s): 1
===============================================================================
===============================================================================
DHCP client interface associations for ludb-1
===============================================================================
Interface-Name Svc-Id Type
-------------------------------------------------------------------------------
grp-int-1-1 1 IES
grp-int-1-2 1 IES
grp-int-2-1 1 IES
grp-int-2-2 1 IES
-------------------------------------------------------------------------------
No. of Interface(s): 4
===============================================================================
===============================================================================
DHCP6 interface associations for ludb-1
===============================================================================
Interface-Name Svc-Id Type
-------------------------------------------------------------------------------
grp-int-1-1 1 IES
grp-int-1-2 1 IES
grp-int-2-1 1 IES
grp-int-2-2 1 IES
-------------------------------------------------------------------------------
No. of Interface(s): 4
===============================================================================
No Router solicit interface associations found.
===============================================================================
PPP client interface associations for ludb-1
===============================================================================
Interface-Name Svc-Id Type
-------------------------------------------------------------------------------
grp-int-1-1 1 IES
grp-int-1-2 1 IES
grp-int-2-1 1 IES
grp-int-2-2 1 IES
-------------------------------------------------------------------------------
No. of Interface(s): 4
===============================================================================
No PPPoE client interface associations found.
No IPoE client interface associations found.
No capture SAP associations found.
No associated L2TP groups found.
No associated L2TP tunnels found.
No associated authentication policies found.
No WPP interface associations found.
No GTP APN policy associations found.
*A:BNG-1#
The following command is useful for displaying the details of a specific LUDB entry.
*A:BNG-1# show subscriber-mgmt local-user-db "ludb-1" ipoe-host "entry-33"
===============================================================================
IPoE Host "entry-33"
===============================================================================
Admin State : Up
Last Mgmt Change : 11/20/2018 11:25:10
Host Identification
Circuit Id : N/A
Mac Address : 00:00:00:33:33:33
---snip---
Matched Objects : mac
Address : use GI-address (scope subnet)
---snip---
IPv6 Address Pool : pool6-3
IPv6 Del Pfx Pool : pool6-3
IPv6 Slaac Pfx Pool : N/A
IPv6 Del Pfx Length : N/A
---snip---
Identification Strings (option 254)
Subscriber Id : sub-33
SLA Profile String : sla-prof-2
SPI Sharing Group Id: N/A
Sub Profile String : sub-prof-4
App Profile String : N/A
ANCP String : N/A
Inter Destination Id: N/A
Category Map Name : N/A
---snip---
Filter Overrules
Ing Ipv4 Fltr : N/A
Egr Ipv4 Fltr : N/A
Ing Ipv6 Fltr : N/A
Egr Ipv6 Fltr : N/A
===============================================================================
*A:BNG-1#
The following commands list the IPoE and the PPP host entries in a specific LUDB that are not matched. Duplicates are counted as unmatched hosts.
*A:BNG-1# show subscriber-mgmt local-user-db "ludb-22" ipoe-unmatched-hosts
===============================================================================
Local User Database "ludb-22" IPoE unmatched hosts
===============================================================================
Name Reason Duplicate Host
-------------------------------------------------------------------------------
this-is-a-no-match No match N/A
this-is-a-duplicate Duplicate entry-12
-------------------------------------------------------------------------------
Number of IPoE Unmatched Hosts : 2
===============================================================================
*A:BNG-1#
*A:BNG-1# show subscriber-mgmt local-user-db "ludb-22" ppp-unmatched-hosts
===============================================================================
Local User Database "ludb-22" PPP unmatched hosts
===============================================================================
Name Reason Duplicate Host
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
No PPP Unmatched Hosts found
===============================================================================
*A:BNG-1#
Debugging commands
The following configuration enables debugging for both ludb-1 and for ludb-2.
debug
    subscriber-mgmt
        local-user-db "ludb-1"
            detail all
        exit
        local-user-db "ludb-2"
            detail all
        exit
    exit
exit
To ensure that the debug output is sent to the console, the following additional configuration is needed.
configure
    log
        log-id 1
            from debug-trace
            to session
            no shutdown
        exit
    exit
After the preceding configuration, debug output appears as part of the session.
2 2018/11/20 11:42:27.965 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host found
  mac: 00:00:00:11:11:11
  Host entry-11 found in user data base ludb-1"
12 2018/11/20 11:54:44.948 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host not found
  mac:
  circuit-id:
  remote-id:
    original: AA
    masked:   AA
  Host not found in user data base ludb-2"
37 2018/11/20 12:18:59.141 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup failed
  Problem: user db is shutdown"
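When debug traces are collected off-box, the entries shown above can be parsed to pick out lookups that returned no host. The following Python parser is an added example, not part of SR OS; its function names are hypothetical, it handles only the entry layout shown in this chapter, and its sample input is a constructed copy of those three entries, one of them with its body fused onto the header line.

```python
import re  # SAMPLE is a constructed copy of the three debug entries shown above

HEADER = re.compile(r"^(\d+) (\S+ \S+) \S+ \w+: DEBUG #\d+ \S+ LUDB\s*(.*)$")
FIELD = re.compile(r"^([\w-]+):\s*(.*)$")
TAIL = re.compile(r"^Host (?:not found|(\S+) found) in user data base (\S+)$")
KEYS = {"LUDB": "result", "Problem": "problem"}

def parse_ludb_debug(text):
    """Split a debug trace into one dict per LUDB lookup event."""
    events, last = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = HEADER.match(line)
        if head:
            events.append({"seq": int(head[1]), "time": head[2], "fields": {}})
            line, last = head[3], None  # body may be fused onto the header line
        if not events or not line:
            continue
        ev, line = events[-1], line.strip('"')
        tail, field = TAIL.match(line), FIELD.match(line)
        if tail:
            ev["host"], ev["db"] = tail[1], tail[2]
        elif field and field[1] in KEYS:
            ev[KEYS[field[1]]] = field[2]
        elif field and field[1] in ("original", "masked") and last:
            ev["fields"][last][field[1]] = field[2]
        elif field:  # identification field; value doubles as original and masked
            last = field[1]
            ev["fields"][last] = {"original": field[2], "masked": field[2]}
    return events

def failures(events):
    return [e for e in events if e.get("result") != "User lookup success - host found"]

SAMPLE = """\
2 2018/11/20 11:42:27.965 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup success - host found
mac: 00:00:00:11:11:11
Host entry-11 found in user data base ludb-1"
12 2018/11/20 11:54:44.948 CET MINOR: DEBUG #2001 Base LUDB"LUDB: User lookup success - host not found
mac:
circuit-id:
remote-id:
original: AA
masked: AA
Host not found in user data base ludb-2"
37 2018/11/20 12:18:59.141 CET MINOR: DEBUG #2001 Base LUDB
"LUDB: User lookup failed
Problem: user db is shutdown"
"""
```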
Conclusion
This chapter explains general LUDB concepts. LUDBs are defined, and host entries for both IPoE and PPP are described. The different match criteria are explained and demonstrated by means of examples, including the use of single and multiple match criteria. Match criteria are handled left to right, in sequence, which gives them a natural priority. Debugging aids are provided through show, debug, and tools commands.