Managed SAPs with Routed CO
This chapter provides information about Managed SAPs with Routed CO.
Applicability
This chapter is applicable to SR OS routers and was initially written for Release 8.0.R1. The CLI in this edition corresponds to Release 15.0.R2.
Overview
Managed SAPs (MSAP) are SAPs dynamically created after the reception of a trigger packet on a capture SAP. The creation of the MSAP is controlled through an MSAP policy, which is defined during the authentication phase along with the subscriber host parameters required for host instantiation.
The following trigger packet types can lead to the creation of an MSAP:
arp
dhcp
dhcp6
rtr-solicit
pppoe
ppp
data
Multiple trigger packet types can be enabled for a single capture SAP.
MSAP creation takes several steps:
Reception of a trigger packet on the capture SAP.
Authentication, for example via RADIUS, LUDB, or NASREQ.
Authentication provides the MSAP policy and the target service context required in the next step.
The actual creation of the MSAP in the service defined during the authentication step, taking the MSAP policy into account.
MSAPs are supported in the Bridged Central Office model and the Routed Central Office (RCO) model. For the bridged model, the service context returned by authentication is the service ID of a VPLS. For the routed model, the service context is the service ID of a routed service (IES or VPRN) plus the name of a group-interface in the target service. Only the RCO model is explained in this chapter.
The capture SAP receives trigger packets and initiates authentication. The capture SAP is defined in a VPLS, and does not forward traffic.
The MSAP is created in the target service, and the VLAN of the MSAP is the same as the VLAN of the trigger packet. The MSAP behaves as a regular SAP, but its configuration is not user editable and not maintained in the configuration file. The MSAP remains active as long as the session is active. MSAPs and regular SAPs can co-exist on the same port and in the same service.
MSAPs can be created in a wholesale VPRN service while the corresponding subscriber host or session is terminated in a retail VPRN or IES service. Both wholesale MSAP data (service, group-interface, and policy) and retail service id must be provided during authentication.
Knowledge of TPSDA (Triple Play Service Delivery Architecture) and functionality is assumed throughout this chapter.
Capture SAP
The IOM classifies traffic based on the tags present in the incoming packets, and sends traffic to existing SAPs if the tag or tag combination in the incoming packet is known to the IOM.
The capture SAP is used if a more specific match for the Q or Q-in-Q tags is not found by the traffic classification on the IOM.
Trigger packets received on the capture SAP are sent to the CPM; non-trigger packets received on the capture SAP are dropped.
The following formats are allowed on the capture SAP:
SAP 1/2/2:* | for dot1Q
SAP 1/2/2:*.* | for QinQ
SAP 1/2/2:Q1.* | for QinQ
SAP 1/2/2:*.Q1 | for QinQ (inverse capture SAP)
By default, the MSAP created will have one q-tag (for dot1q) or two q-tags (for qinq), and these are taken from the original trigger packet. The optional allow-dot1q-msaps command additionally enables single tagged trigger packet support for QinQ capture SAPs. See the user manual for a full description.
MSAP with Redundant Configurations
MSAPs are High Availability (HA) enabled (there is no service impact following a CPM failover). In addition, the MSAPs are also stored in the subscriber management persistence file (if enabled), allowing the MSAPs to be recreated after a reboot.
MSAPs can be used in dual-homed BNG scenarios with multi-chassis LAG, multi-chassis ring and subscriber router redundancy protocol.
RADIUS Authentication and Vendor Specific Attributes (VSAs) for MSAP
The Alc-MSAP-Serv-Id attribute returned by the RADIUS server defines the service in which the MSAP must be created.
In the RCO scenario, the MSAP is created in a group-interface context. The Alc-MSAP-Interface attribute returned by the RADIUS server defines the group-interface where the MSAP must be installed, and must exist in the target service.
The Alc-MSAP-Policy attribute returned by the RADIUS server defines the MSAP parameters required for creating the MSAP.
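The three attributes above as they travel in an Access-Accept, as an added example (not Nokia's code): it verifies the RFC 2865 Response Authenticator with the shared secret before trusting the VSAs, then derives the MSAP target. The vendor types 31, 32 and 33 are the numbers printed in the RADIUS debug trace in the Troubleshooting section; the packet, the Request Authenticator and the rule that a missing service ID or group-interface is an error (this page's msap-defaults only supplies a policy) are assumptions of the example.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2      # RADIUS code, printed as Access-Accept(2) in the trace
VENDOR_SPECIFIC = 26   # attribute type, printed as VSA [26]
NOKIA = 6527           # vendor id, printed as Nokia(6527)
# Vendor types as numbered in the Access-Accept trace on this page.
MSAP_SERV_ID, MSAP_POLICY, MSAP_INTERFACE = 31, 32, 33


def vsa(vendor_type, value):
    """Encode one Nokia VSA: type 26, length, vendor id, one sub-attribute."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", NOKIA) + sub


def build_accept(ident, request_auth, attrs, secret):
    """Build an Access-Accept with an RFC 2865 Response Authenticator."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + auth + attrs


def tlvs(buf):
    """Yield (type, value) pairs, rejecting lengths that under- or overrun."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute length")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]


def parse_accept(packet, request_auth, secret):
    """Verify the Response Authenticator, then return {vendor_type: value}."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    found = {}
    for atype, body in tlvs(attrs):
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != NOKIA:
            continue
        for vtype, value in tlvs(body[4:]):
            found[vtype] = value
    return found


def msap_target(vsas, default_policy):
    """Routed CO: service id and group-interface come from RADIUS; the policy
    falls back to the capture SAP's msap-defaults policy when absent."""
    if MSAP_SERV_ID not in vsas or MSAP_INTERFACE not in vsas:
        raise ValueError("Routed CO needs MSAP service id and group-interface")
    if len(vsas[MSAP_SERV_ID]) != 4:
        raise ValueError("MSAP service id must be a 4-byte integer")
    policy = vsas.get(MSAP_POLICY, default_policy.encode())
    return {
        "service": struct.unpack("!I", vsas[MSAP_SERV_ID])[0],
        "interface": vsas[MSAP_INTERFACE].decode(),
        "policy": policy.decode(),
    }


# Constructed sample: values mirror this page's lab (secret, id 202, VSAs).
SECRET = b"vsecret1"
REQUEST_AUTH = bytes(range(16))   # constructed Request Authenticator
SAMPLE_ATTRS = (vsa(MSAP_SERV_ID, struct.pack("!I", 2))
                + vsa(MSAP_POLICY, b"msap-ISP1")
                + vsa(MSAP_INTERFACE, b"grp-int-1"))
SAMPLE_ACCEPT = build_accept(202, REQUEST_AUTH, SAMPLE_ATTRS, SECRET)

if __name__ == "__main__":
    print(msap_target(parse_accept(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET),
                      "msap-default"))
```

A reply whose service ID was altered in transit, or that was built with a different secret, fails the authenticator check and never reaches `msap_target`.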
Topology
The network topology is displayed in Network Topology. This chapter uses the RCO model with PPPoE, IPv4, and RADIUS authentication for demonstrating MSAPs.
Configuration
RADIUS
In this chapter the management router is used for RADIUS communication, and the configuration used is as follows:
configure
router "management"
radius-server
server "radius-172.31.117.84" address 172.31.117.84 secret vsecret1 create
description "Management router is used for RADIUS"
accept-coa
exit
exit
exit
exit
configure
aaa
radius-server-policy "rad-serv-pol-1" create
servers
router "management"
source-address 172.31.117.75
server 1 name "radius-172.31.117.84"
exit
exit
exit
exit
configure
subscriber-mgmt
authentication-policy "authentication-1" create
description "RADIUS authentication policy"
password "letmein"
pppoe-access-method pap-chap
include-radius-attribute
remote-id
nas-identifier
mac-address
exit
radius-server-policy "rad-serv-pol-1"
exit
exit
exit
The value of the secret is defined as vsecret1. The secret is a case-sensitive character string of 20 characters maximum, which must be configured in the clients.conf file on the RADIUS server.
The management routing instance with the out-of-band 172.31.117.75 IP address is used as the source to communicate authentication messages between the BNG and the RADIUS server. The RADIUS server IP address is 172.31.117.84. Up to sixteen servers can be configured in the RADIUS server policy. When multiple servers are defined, the access algorithm can be set to direct or round-robin.
The authentication method used in this example is PAP/CHAP, so the pap-chap value is used for the pppoe-access-method.
The user’s remote-id and mac-address are included, together with the nas-identifier, in the access request message sent to the RADIUS server.
QoS SAP Policies
The following QoS SAP ingress and egress policies are used later in this chapter. The dot1p and dscp values used are examples:
configure
qos
sap-ingress 20 create
description "64K_upstream"
queue 1 create
rate 64
exit
queue 11 multipoint create
exit
exit
---snip---
sap-egress 50 create
description "2M_downstream"
queue 1 create
rate 2048
exit
fc be create
queue 1
dot1p 3
dscp cs1
exit
exit
exit
exit
Enhanced Subscriber Management Parameters
SLA profiles are configured so that the downstream speed is four times the upstream speed, and each SLA profile is named after its downstream speed. A subscriber profile is configured to initiate RADIUS accounting. A subscriber identification profile is configured for direct mapping of subscriber and SLA profiles, as follows:
configure
subscriber-mgmt
sla-profile "sla-profile-1M" create
ingress
qos 40 shared-queuing
exit
exit
egress
qos 40
exit
no qos-marking-from-sap
exit
exit
---snip---
sub-profile "sub-profile-default" create
radius-accounting
policy "accounting-11"
exit
sla-profile-map
use-direct-map-as-default
exit
exit
sub-ident-policy "sub-id-default" create
sub-profile-map
use-direct-map-as-default
exit
sla-profile-map
use-direct-map-as-default
exit
exit
exit
exit
MSAP Policy
MSAP policies contain the parameters which are used for MSAP creation and the information required to complete the subscriber identification process.
Creation of an MSAP requires an MSAP policy. The MSAP policy to be used can be defined during authentication. If authentication does not return an MSAP policy, then the default MSAP policy configured in the capture-sap as msap-defaults is used instead.
configure
subscriber-mgmt
msap-policy "msap-ISP1" create
sub-sla-mgmt
def-sub-id use-sap-id
def-sub-profile "sub-profile-default"
def-sla-profile "sla-profile-512K"
sub-ident-policy "sub-id-default"
single-sub-parameters
profiled-traffic-only
exit
exit
exit
msap-policy "msap-default" create
sub-sla-mgmt
def-sub-id use-sap-id
def-sub-profile "sub-profile-default"
def-sla-profile "sla-profile-256K"
sub-ident-policy "sub-id-default"
single-sub-parameters
profiled-traffic-only
exit
exit
exit
exit
exit
If managed routes are required for some subscribers, then the anti-spoof command is required in the msap-policy. The default value for anti-spoof is ip-mac. Managed routes are out of the scope of this chapter.
configure
subscriber-mgmt
msap-policy "msap-ISP1" create
ies-vprn-only-sap-parameters
anti-spoof nh-mac
exit
exit
exit
exit
VPLS Service with a Capture SAP
Configure a VPLS service with a capture SAP and define the triggering packet types. The trigger-packet is mandatory. In case of RADIUS authentication, an authentication-policy is required. Additionally, the cpu-protection command can be added to enable CPU protection policies, as follows:
configure
service
vpls 1 customer 1 create
description "VPLS for Capture SAPs"
stp
shutdown
exit
sap 1/2/2:* capture-sap create
description "capture SAP for MSAP creation on port 1/2/2"
trigger-packet arp dhcp pppoe
msap-defaults
policy "msap-default"
exit
authentication-policy "authentication-1"
exit
no shutdown
exit
exit
exit
Verify the details of capture SAP:
*A:BNG-1# show service id 1 sap 1/2/2:* detail
===============================================================================
Service Access Points(SAP)
===============================================================================
Service Id : 1
SAP : 1/2/2:* Encap : q-tag
Description : capture SAP for MSAP creation on port 1/2/2
Admin State : Up Oper State : Up
Flags : None
Multi Svc Site : None
Last Status Change : 05/18/2017 15:44:05
Last Mgmt Change : 05/22/2017 15:38:49
Sub Type : capture
Triggers : arp dhcp pppoe
Dot1Q Ethertype : 0x8100 QinQ Ethertype : 0x8100
Split Horizon Group: (Not Specified)
---snip---
Auth Policy : authentication-1
DHCP User Db : None
PPP Policy : None
PPP User Db : None
PPPoE Policy : default
PPPoE User Db : None
DHCPv6 User Db : None
IPoE Policy : None
IPoE User Db : None
Rtr-Sol User Db : None
DHCP Python policy : None
DHCP6 Python policy: None
PPPoE Python policy: None
Diameter auth plcy : None
Dynamic svc plcy : None
Allow dot1q msap : Disabled
DestMac Rewrite : Disabled
SendBvplsEvpnFlush : Enabled
---snip---
-------------------------------------------------------------------------------
Sap Statistics
-------------------------------------------------------------------------------
Last Cleared Time : N/A
Packets Octets
CPM Ingress : 474539 33476253
Forwarding Engine Stats
Dropped : 9 842
DHCP Capture Stats
Received : 0
Redirected : 0
Dropped : 0
PPPoE Capture Stats
Received : 406735
Redirected : 0
Dropped : 0
ARP Capture Stats
Received : 0
Redirected : 0
Dropped : 0
DHCP6 Capture Stats
Received : 0
Redirected : 0
Dropped : 0
PPP Capture Stats
Received : 0
Redirected : 0
Dropped : 0
Rtr-Sol Capture Stats
Received : 0
Redirected : 0
Dropped : 0
Unknown Capture Stats
Received : 0
Redirected : 0
Dropped : 0
-------------------------------------------------------------------------------
Sap per Queue stats
-------------------------------------------------------------------------------
Packets Octets
No entries found
===============================================================================
* indicates that the corresponding row element may have been truncated.
*A:BNG-1#
The Sap Statistics section provides statistics for the capture SAP per trigger type, which can help when troubleshooting the service. The dropped packet counter indicates the number of non-trigger packets received on the capture SAP. No SAP queues are instantiated for a capture SAP.
VPRN Service - VLAN-Per-Subscriber (PPPOE)
The following output shows an RCO configuration example. No static SAPs are defined in this example, but they are allowed.
configure
service
vprn 2 customer 1 create
route-distinguisher 64496:2
subscriber-interface "sub-int-1" create
address 10.255.255.254/8
group-interface "grp-int-1" create
description "ROUTED CO MSAP VLAN X"
authentication-policy "authentication-1"
pppoe
session-limit 2000
no shutdown
exit
exit
exit
no shutdown
exit
exit
exit
Initially, no MSAPs are present, so the operational state of both the subscriber interface and the group interface is down.
*A:BNG-1# show router 2 interface
===============================================================================
Interface Table (Service: 2)
===============================================================================
Interface-Name Adm Opr(v4/v6) Mode Port/SapId
IP-Address PfxState
-------------------------------------------------------------------------------
grp-int-1 Up Down/Down VPRN G* n/a
sub-int-1 Up Down/Down VPRN S* subscriber
10.255.255.254/8 n/a
-------------------------------------------------------------------------------
Interfaces : 2
===============================================================================
* indicates that the corresponding row element may have been truncated.
*A:BNG-1#
To allow the subscriber interface to consider this group interface to be operationally enabled without any active MSAPs, the following command can be added to the configuration (this would be useful in order to propagate the subnet interface address into a routing protocol):
configure
service
vprn 2
subscriber-interface "sub-int-1"
group-interface "grp-int-1"
oper-up-while-empty
exit
exit
exit
exit
exit
The status of the interfaces then is as follows:
*A:BNG-1# show router 2 interface
===============================================================================
Interface Table (Service: 2)
===============================================================================
Interface-Name Adm Opr(v4/v6) Mode Port/SapId
IP-Address PfxState
-------------------------------------------------------------------------------
grp-int-1 Up Down/Down VPRN G* n/a
sub-int-1 Up Up/Down VPRN S* subscriber
10.255.255.254/8 n/a
-------------------------------------------------------------------------------
Interfaces : 2
===============================================================================
* indicates that the corresponding row element may have been truncated.
*A:BNG-1#
Check the status of the group interface once the first MSAP is created.
RADIUS User File
The following entry is an example of a user entry in the RADIUS users file for the FreeRadius server:
"user1@ISP1.com" Cleartext-Password := "letmein"
    Alc-Subsc-ID-Str := "%{ADSL-Agent-Remote-Id}",
    Alc-SLA-Prof-Str == "sla-profile-2M",
    Alc-MSAP-Serv-ID = 2,
    Alc-MSAP-Policy == "msap-ISP1",
    Alc-MSAP-Interface == "grp-int-1",
    Framed-IP-Address = 10.255.0.1,
    Alc-Primary-DNS = 172.31.31.31,
    Alc-Secondary-DNS = 172.31.31.32
So when the PPPoE user sends the correct username and password, the RADIUS server accepts the access request and returns VPRN service ID 2, group interface grp-int-1, and the MSAP policy to use, msap-ISP1.
In case no MSAP policy is returned by the RADIUS server, the default MSAP policy msap-default under the capture SAP is used instead.
In the preceding entry, the PPPoE user will have its IP address and DNS assigned by RADIUS as well.
Connect PPPoE user
Connect PPPoE user user1, initiate a PPPoE session on VLAN 1, and verify PPPoE session establishment.
*A:BNG-1# show service id 2 pppoe session
===============================================================================
PPPoE sessions for svc-id 2
===============================================================================
Sap Id Mac Address Sid Up Time Type
IP/L2TP-Id/Interface-Id MC-Stdby
-------------------------------------------------------------------------------
[1/2/2:1] 00:00:00:01:01:01 1 0d 00:01:12 local
10.255.0.1
-------------------------------------------------------------------------------
Number of sessions : 1
===============================================================================
*A:BNG-1#
The PPPoE session is established successfully and the IP address and subscriber strings obtained from the RADIUS server are used.
In order to differentiate between the MSAP and the normal SAP, the MSAP will be shown between square brackets [1/2/2:1] in the show commands.
Verify Subscriber Values
Verify subscriber values returned from RADIUS for user1.
*A:BNG-1# show service id 2 pppoe session ip-address 10.255.0.1 detail
===============================================================================
PPPoE sessions for svc-id 2
===============================================================================
Sap Id Mac Address Sid Up Time Type
IP/L2TP-Id/Interface-Id MC-Stdby
-------------------------------------------------------------------------------
[1/2/2:1] 00:00:00:01:01:01 1 0d 00:00:51 local
10.255.0.1
LCP State : Opened
IPCP State : Opened
IPv6CP State : Closed
PPP MTU : 1492
PPP Auth-Protocol : CHAP
PPP User-Name : user1@ISP1.com
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
IP Origin : radius
DNS Origin : radius
NBNS Origin : none
Subscriber : "user1"
Sub-Profile-String : ""
SLA-Profile-String : "sla-profile-2M"
ANCP-String : ""
Int-Dest-Id : ""
App-Profile-String : ""
Category-Map-Name : ""
Acct-Session-Id : "14F2FF00000006591EA903"
Sap-Session-Index : 1
IP Address : 10.255.0.1/32
Primary DNS : 172.31.31.31
Secondary DNS : 172.31.31.32
Primary NBNS : N/A
Secondary NBNS : N/A
Address-Pool : N/A
IPv6 Prefix : N/A
IPv6 Prefix Origin : none
IPv6 Prefix Pool : ""
IPv6 Del.Pfx. : N/A
IPv6 Del.Pfx. Origin : none
IPv6 Del.Pfx. Pool : ""
IPv6 Address : N/A
IPv6 Address Origin : none
IPv6 Address Pool : ""
Primary IPv6 DNS : N/A
Secondary IPv6 DNS : N/A
Router adv. policy : N/A
Ignoring DF bit : false
Radius sub-if prefix : N/A
Circuit-Id : DSLAM1_1/1/1/1:0.35
Remote-Id : user1
Radius Session-TO : N/A
Radius Class :
Radius User-Name : user1@ISP1.com
Logical-Line-Id :
Service-Name :
-------------------------------------------------------------------------------
Number of sessions : 1
===============================================================================
*A:BNG-1#
Check Actual Values
Check the actual values used by user1, including the subscriber profile, SLA profile, VPRN and group interface association, the subscriber queues statistics and others.
*A:BNG-1# show service active-subscribers subscriber "user1" detail
===============================================================================
Active Subscribers
===============================================================================
-------------------------------------------------------------------------------
Subscriber user1 (sub-profile-default)
-------------------------------------------------------------------------------
I. Sched. Policy : N/A
E. Sched. Policy : N/A E. Agg Rate Limit: Max
I. Policer Ctrl. : N/A
E. Policer Ctrl. : N/A
I. vport-hashing : Disabled
I. sec-sh-hashing: Disabled
Q Frame-Based Ac*: Disabled
Acct. Policy : N/A Collect Stats : Disabled
ANCP Pol. : N/A
HostTrk Pol. : N/A
IGMP Policy : N/A
MLD Policy : N/A
PIM Policy : N/A
Sub. MCAC Policy : N/A
NAT Policy : N/A
Firewall Policy : N/A
UPnP Policy : N/A
NAT Prefix List : N/A
Def. Encap Offset: none Encap Offset Mode: none
Avg Frame Size : N/A
Vol stats type : full
Preference : 5
LAG hash class : 1
LAG hash weight : 1
Sub. ANCP-String : "user1"
Sub. Int Dest Id : ""
Igmp Rate Adj : N/A
RADIUS Rate-Limit: N/A
Oper-Rate-Limit : Maximum
-------------------------------------------------------------------------------
Radius Accounting
-------------------------------------------------------------------------------
Policy : accounting-1
Session Opti.Stop: False
* indicates that the corresponding row element may have been truncated.
-------------------------------------------------------------------------------
(1) SLA Profile Instance
- sap:[1/2/2:1] (VPRN 2 - grp-int-1)
- sla:sla-profile-2M
-------------------------------------------------------------------------------
Description : (Not Specified)
Host Limits : No Limit
Egr Sched-Policy : N/A
Ingress Qos-Policy : 50 Egress Qos-Policy : 50
Ingress Queuing Type : Shared-queuing (Not Applicable to Policer)
Ingr IP Fltr-Id : N/A Egr IP Fltr-Id : N/A
Ingr IPv6 Fltr-Id : N/A Egr IPv6 Fltr-Id : N/A
Ingress Report-Rate : Maximum
Egress Report-Rate : Maximum
Egress Remarking : from SLA Profile Qos
Credit Control Pol. : N/A
Category Map : (Not Specified)
Use ing L2TP DSCP : false
Hs-Agg-Rate-Limit : Maximum
Hs-Oper-Rate-Limit : Maximum
Egr hqos mgmt status : disabled
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
IP Address
MAC Address Session Origin Svc Fwd
-------------------------------------------------------------------------------
10.255.0.1
00:00:00:01:01:01 PPP 1 IPCP 2 Y
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
SLA Profile Instance statistics
-------------------------------------------------------------------------------
Packets Octets
Off. HiPrio : 0 0
Off. LowPrio : 0 0
Off. Uncolor : 0 0
Off. Managed : 0 0
Queueing Stats (Ingress QoS Policy 50)
Dro. HiPrio : 0 0
Dro. LowPrio : 0 0
For. InProf : 0 0
For. OutProf : 0 0
Queueing Stats (Egress QoS Policy 50)
Dro. In/InplusProf : 0 0
Dro. Out/ExcProf : 0 0
For. In/InplusProf : 0 0
For. Out/ExcProf : 2 128
-------------------------------------------------------------------------------
SLA Profile Instance per Queue statistics
-------------------------------------------------------------------------------
Packets Octets
Ingress Queue 1 (Unicast) (Priority)
Off. HiPrio : 0 0
Off. LowPrio : 0 0
Dro. HiPrio : 0 0
Dro. LowPrio : 0 0
For. InProf : 0 0
For. OutProf : 0 0
Egress Queue 1
Dro. In/InplusProf : 0 0
Dro. Out/ExcProf : 0 0
For. In/InplusProf : 0 0
For. Out/ExcProf : 2 128
===============================================================================
*A:BNG-1#
Here, the subscriber ID is user1 and the subscriber profile is sub-profile-default.
Because the RADIUS server did not return a subscriber profile string, the system uses the def-sub-profile configured under the msap-policy msap-ISP1.
Another command can also be used to show less detail in a hierarchical form.
*A:BNG-1# show service active-subscribers hierarchy subscriber "user1"
===============================================================================
Active Subscribers Hierarchy
===============================================================================
-- user1 (sub-profile-default)
|
+-- sap:[1/2/2:1] - sla:sla-profile-2M
|
+-- PPP-session - mac:00:00:00:01:01:01 - sid:1 - svc:2
| circuit-id:DSLAM1_1/1/1/1:0.35
| remote-id:user1
|
+-- 10.255.0.1 - IPCP
===============================================================================
*A:BNG-1#
Verify that the IPv4 state of the group interface now is up, as follows:
*A:BNG-1# show router 2 interface
===============================================================================
Interface Table (Service: 2)
===============================================================================
Interface-Name Adm Opr(v4/v6) Mode Port/SapId
IP-Address PfxState
-------------------------------------------------------------------------------
grp-int-1 Up Up/Down VPRN G* 1/2/2
sub-int-1 Up Up/Down VPRN S* subscriber
10.255.255.254/8 n/a
-------------------------------------------------------------------------------
Interfaces : 2
===============================================================================
* indicates that the corresponding row element may have been truncated.
*A:BNG-1#
The MSAP details display the capture service id, capture SAP and MSAP policy, as follows:
*A:BNG-1# show service id 2 sap 1/2/2:1 detail
===============================================================================
Service Access Points(SAP)
===============================================================================
Service Id : 2
SAP : 1/2/2:1 Encap : q-tag
Description : Managed SAP - Capture Svc 1 1/2/2:*
Admin State : Up Oper State : Up
Flags : None
Multi Svc Site : None
Last Status Change : 05/18/2017 15:43:43
Last Mgmt Change : 05/19/2017 10:12:51
Sub Type : managed
Capture Service Id : 1 Capture SAP : 1/2/2:*
MSAP Policy : msap-ISP1
Idle : no Sticky : no
Dot1Q Ethertype : 0x8100 QinQ Ethertype : 0x8100
Split Horizon Group: (Not Specified)
---snip---
-------------------------------------------------------------------------------
Sap per Queue stats
-------------------------------------------------------------------------------
Packets Octets
No entries found
===============================================================================
* indicates that the corresponding row element may have been truncated.
*A:BNG-1#
The Sub Type shows “managed” for MSAPs, or “regular” for normal SAPs (a SAP created manually under a group-interface).
MSAP QoS
By default an MSAP is created with default QoS policies.
*A:BNG-1# show service id 2 sap 1/2/2:1 detail
===============================================================================
Service Access Points(SAP)
===============================================================================
Service Id : 2
SAP : 1/2/2:1 Encap : q-tag
Description : Managed SAP - Capture Svc 1 1/2/2:*
Admin State : Up Oper State : Up
---snip---
-------------------------------------------------------------------------------
QOS
-------------------------------------------------------------------------------
Ingress qos-policy : 1 Egress qos-policy : 1
Ingress FP QGrp : (none) Egress Port QGrp : (none)
Ing FP QGrp Inst : (none) Egr Port QGrp Inst: (none)
Shared Q plcy : default Multipoint shared : Disabled
I. Sched Pol : (Not Specified)
E. Sched Pol : (Not Specified)
I. Policer Ctl Pol : (Not Specified)
E. Policer Ctl Pol : (Not Specified)
E. HS Sec. Shaper : (Not Specified)
I. QGrp Redir. List: (Not Specified)
E. QGrp Redir. List: (Not Specified)
-------------------------------------------------------------------------------
Subscriber Management
-------------------------------------------------------------------------------
Admin State : Up MAC DA Hashing : False
Def Sub-Id : Use sap-id (1/2/2:1)
Def Sub-Profile : sub-profile-default
Def SLA-Profile : sla-profile-512K
Def Inter-Dest-Id : None
Def App-Profile : None
Sub-Ident-Policy : sub-id-default
---snip---
===============================================================================
* indicates that the corresponding row element may have been truncated.
*A:BNG-1#
The default QoS policy associated with MSAPs can be changed:
To save queue resources when profiled-traffic-only cannot be used, for example when more than one subscriber is active on an MSAP. See further.
To provide adequate QoS treatment for multicast traffic in a per MSAP replication mode.
Egress multicast traffic in per MSAP replication mode is forwarded via the MSAP queues or policers. Multicast traffic can be mapped into a dedicated queue or policer. The MSAP queue can be port-parented to provide scheduling priority at port level. The QoS policies associated with an MSAP are configured in the MSAP policy.
QoS Egress Remarking
For remarking to apply to MSAP egress traffic the SLA profile must include the no qos-marking-from-sap command, as follows:
configure
subscriber-mgmt
sla-profile "sla-profile-512K" create
---snip---
egress
qos 30
exit
no qos-marking-from-sap
exit
exit
exit
exit
By default, the egress QoS marking for subscriber-host traffic is derived from the SAP-egress QoS policy associated with the corresponding SAP rather than from the SLA profile associated with the corresponding subscriber host. As a consequence, no egress QoS marking is performed for traffic transmitted on an MSAP (for example, dot1p marking is set to 0 and the DSCP/PREC field is unchanged), because SAP-egress policy one (1) is attached to every MSAP by default.
MSAP Queue Optimization
For single subscriber SAPs, where the multi-sub-sap limit equals 1, the SAP queues will not be instantiated when using the profiled-traffic-only option in the msap-policy. This parameter is ignored when the multi-sub-sap limit is different from 1.
configure
subscriber-mgmt
msap-policy "msap-ISP1" create
sub-sla-mgmt
def-sub-id use-sap-id
def-sub-profile "sub-profile-default"
def-sla-profile "sla-profile-512K"
sub-ident-policy "sub-id-default"
single-sub-parameters
profiled-traffic-only
exit
exit
exit
exit
exit
For multi subscriber MSAPs, a QoS policy can be associated with an MSAP in which all forwarding classes are mapped to a policer. In that case, a single ingress and egress policer is instantiated per MSAP (instead of ingress and egress queues). QoS policies associated with an MSAP are configured in the MSAP policy:
configure
subscriber-mgmt
msap-policy "msap-ISP2" create
ies-vprn-only-sap-parameters
egress
qos 10
exit
ingress
qos 10 shared-queuing
exit
exit
exit
exit
exit
Troubleshooting
The authentication policy used on the capture SAP must be the same as the policy used on the managed SAP.
The managed SAP will not be created if the authentication policy on the group-interface is different from the authentication policy defined on the capture SAP.
configure
service
vpls 1
---snip---
sap 1/2/2:* capture-sap create
---snip---
authentication-policy "authentication-1"
exit
no shutdown
exit
configure
service
vprn 2
subscriber-interface "sub-int-1" create
---snip---
group-interface "grp-int-1" create
authentication-policy "authentication-2"
---snip---
exit
exit
no shutdown
exit
This can be seen in log 99:
*A:BNG-1# show log log-id 99
8 2017/05/19 10:50:43.70 CEST MINOR: SVCMGR #2214 Base Managed SAP creation failure
"The system could not create Managed SAP:1/2/2:1, MAC:00:00:00:01:01:01, Capturing
SAP:1/2/2:*, Service:1. Description: MSAP group-interface "grp-int-1" RADIUS auth
-policy "authentication-2" differs from capture SAP"
7 2017/05/19 10:50:30.28 CEST WARNING: SVCMGR #2501 Base Subscriber deleted
"Subscriber user1 has been removed from the system"
6 2017/05/19 10:50:29.68 CEST WARNING: SNMP #2004 vprn2 sub-int-1
"Interface sub-int-1 is not operational"
---snip---
*A:BNG-1#
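A pre-deployment check for this failure, as an added example (not part of the original chapter or of SR OS): it reads an indented configuration export and compares the authentication-policy on each capture SAP with the one on every group-interface that RADIUS may return for it. The sample configuration is constructed from the snippets above, and the capture-SAP-to-target mapping is an assumption the operator supplies, because the target is only known from the RADIUS reply.

```python
import re

# Constructed sample in the indented layout of a saved configuration; it
# reproduces the mismatch from the troubleshooting section above.
SAMPLE_CONFIG = """\
configure
    service
        vpls 1 customer 1 create
            sap 1/2/2:* capture-sap create
                trigger-packet arp dhcp pppoe
                authentication-policy "authentication-1"
            exit
            no shutdown
        exit
        vprn 2 customer 1 create
            subscriber-interface "sub-int-1" create
                group-interface "grp-int-1" create
                    authentication-policy "authentication-2"
                exit
            exit
            no shutdown
        exit
    exit
exit
"""

# Assumption: the (service id, group-interface) pairs RADIUS may return for
# sessions arriving on each capture SAP. Here it mirrors the user entry
# (Alc-MSAP-Serv-ID 2, Alc-MSAP-Interface grp-int-1).
SAMPLE_TARGETS = {"1/2/2:*": [(2, "grp-int-1")]}

SERVICE_RE = re.compile(r"^(?:vpls|vprn|ies) (\d+)\b")
CAPTURE_RE = re.compile(r"^sap (\S+) capture-sap\b")
GROUP_RE = re.compile(r'^group-interface "([^"]+)"')
AUTH_RE = re.compile(r'^authentication-policy "([^"]+)"')


def walk(config_text):
    """Yield (parent_commands, command) using indentation to track context."""
    stack = []  # (indent, command) for each enclosing context
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "exit" or line.startswith(("#", "---")):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        yield [cmd for _, cmd in stack], line
        stack.append((indent, line))


def collect(config_text):
    """Map capture SAPs and group-interfaces to their authentication-policy."""
    capture, group = {}, {}
    for parents, cmd in walk(config_text):
        svc = next((int(m.group(1))
                    for m in map(SERVICE_RE.match, parents) if m), None)
        if CAPTURE_RE.match(cmd):
            capture.setdefault(CAPTURE_RE.match(cmd).group(1), None)
        elif GROUP_RE.match(cmd):
            group.setdefault((svc, GROUP_RE.match(cmd).group(1)), None)
        elif AUTH_RE.match(cmd) and parents:
            policy, owner = AUTH_RE.match(cmd).group(1), parents[-1]
            if CAPTURE_RE.match(owner):
                capture[CAPTURE_RE.match(owner).group(1)] = policy
            elif GROUP_RE.match(owner):
                group[(svc, GROUP_RE.match(owner).group(1))] = policy
    return capture, group


def find_auth_mismatches(config_text, targets):
    """Return (sap, service, group-interface, sap_policy, grp_policy) for
    every target whose policy differs from the capture SAP's policy."""
    capture, group = collect(config_text)
    findings = []
    for sap, pairs in targets.items():
        for svc, name in pairs:
            sap_policy, grp_policy = capture.get(sap), group.get((svc, name))
            if sap_policy != grp_policy:
                findings.append((sap, svc, name, sap_policy, grp_policy))
    return findings


if __name__ == "__main__":
    for finding in find_auth_mismatches(SAMPLE_CONFIG, SAMPLE_TARGETS):
        print("MSAP creation would fail: capture SAP %s -> service %s %s "
              "(%s vs %s)" % finding)
```

A policy reported as `None` means the capture SAP or group-interface was not found in the export or has no authentication-policy configured.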
Enable debug for PPPoE and RADIUS packets for troubleshooting purposes:
debug
router "management"
radius
packet-type authentication accounting coa
detail-level medium
exit
exit
service
id 1
ppp
packet
mode egr-ingr-and-dropped
detail-level medium
discovery
ppp
exit
exit
exit
id 2
ppp
packet
mode egr-ingr-and-dropped
detail-level medium
discovery
ppp
dhcp-client
exit
exit
exit
exit
exit
configure
log
log-id 1
from debug-trace
to session
exit
exit
exit
Disconnect and reconnect user1, then check the RADIUS access request/accept and accounting messages in the debug output.
11 2017/05/19 10:58:55.13 CEST MINOR: DEBUG #2001 management RADIUS
"RADIUS: Transmit
Access-Request(1) 172.31.117.84:1812 id 202 len 174 vrid 4095 pol authenticat
ion-1
USER NAME [1] 14 user1@ISP1.com
NAS IP ADDRESS [4] 4 172.31.117.75
SERVICE TYPE [6] 4 Framed(2)
FRAMED PROTOCOL [7] 4 PPP(1)
CHAP PASSWORD [3] 17 1 0x39721157837095dd2dc4a9351670e543
CHAP CHALLENGE [60] 39 0x9e0eb2baf4c436f2f9a364ac0eb43cc6446943f5912d2c96570
ffd572732b245416501b5a9b6a8
VSA [26] 7 DSL(3561)
AGENT REMOTE ID [2] 5 user1
NAS PORT TYPE [61] 4 PPPoEoVLAN(33)
NAS PORT ID [87] 7 1/2/2:1
NAS IDENTIFIER [32] 5 BNG-1
VSA [26] 19 Nokia(6527)
CHADDR [27] 17 00:00:00:01:01:01
"
12 2017/05/19 10:58:55.14 CEST MINOR: DEBUG #2001 management RADIUS
"RADIUS: Receive
Access-Accept(2) id 202 len 131 from 172.31.117.84:1812 vrid 4095 pol authent
ication-1
VSA [26] 7 Nokia(6527)
SUBSC ID STR [11] 5 user1
VSA [26] 16 Nokia(6527)
SLA PROF STR [13] 14 sla-profile-2M
VSA [26] 6 Nokia(6527)
MSAP SERVICE ID [31] 4 2
VSA [26] 11 Nokia(6527)
MSAP POLICY [32] 9 msap-ISP1
VSA [26] 11 Nokia(6527)
MSAP INTERFACE [33] 9 grp-int-1
FRAMED IP ADDRESS [8] 4 10.255.0.1
VSA [26] 6 Nokia(6527)
PRIMARY DNS [9] 4 172.31.31.31
VSA [26] 6 Nokia(6527)
SECONDARY DNS [10] 4 172.31.31.32
"
The MSAP policies can be checked as follows:
*A:BNG-1# show subscriber-mgmt msap-policy
===============================================================================
Managed SAP Policies
===============================================================================
Name                             Num    Description
                                 MSAPs
-------------------------------------------------------------------------------
msap-ISP1                        1      (Not Specified)
msap-default                     0      (Not Specified)
-------------------------------------------------------------------------------
Number of MSAP Policies : 2
Number of MSAPs         : 1
===============================================================================
*A:BNG-1#
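The Access-Accept in the debug trace above is what names the MSAP policy listed here, together with the target service and the group interface required for the Routed CO model. The following Python check is an added example, not part of the original chapter: it parses a RADIUS debug trace and reports which of the three MSAP VSAs are absent. The function names, the constructed sample and the VSA length rule (inferred from the trace above) are assumptions.

```python
import re

# Attribute line as printed in the debug trace: NAME [type] length value
ATTR = re.compile(r"^([A-Z][A-Z0-9 ]*?) \[(\d+)\] (\d+) (.*)$")
VENDOR = re.compile(r"^\w+\((\d+)\)$")
# Nokia (6527) VSA types that carry the MSAP context in the trace above
MSAP_VSAS = {31: "MSAP SERVICE ID", 32: "MSAP POLICY", 33: "MSAP INTERFACE"}

def parse_attributes(trace):
    """Return (vendor_id or None, type, name, value) per attribute line."""
    attrs, vendor, budget = [], None, 0
    for line in trace.splitlines():
        m = ATTR.match(line.strip())
        if not m:
            continue  # event header, wrapped continuation or closing quote
        name, typ, length, value = m[1], int(m[2]), int(m[3]), m[4]
        v = VENDOR.match(value)
        if name == "VSA" and typ == 26 and v:
            vendor, budget = int(v[1]), length  # sub-attributes follow
        elif budget > 0:
            attrs.append((vendor, typ, name, value))
            budget -= length + 2  # assumption: VSA len = sum(sub-attr len + 2)
        else:
            attrs.append((None, typ, name, value))
    return attrs

def missing_msap_vsas(trace, vendor_id=6527):
    """Names of the MSAP VSAs that an Access-Accept trace does not carry."""
    seen = {t for vend, t, _, _ in parse_attributes(trace) if vend == vendor_id}
    return [name for t, name in sorted(MSAP_VSAS.items()) if t not in seen]

# Constructed sample in the trace's format: MSAP POLICY and MSAP INTERFACE are
# absent, and the standard NAS IDENTIFIER [32] must not count as Nokia VSA [32].
SAMPLE = """Access-Accept(2) id 202 len 131 from 172.31.117.84:1812 vrid 4095 pol authent
ication-1
VSA [26] 7 Nokia(6527)
SUBSC ID STR [11] 5 user1
VSA [26] 6 Nokia(6527)
MSAP SERVICE ID [31] 4 2
NAS IDENTIFIER [32] 5 BNG-1
FRAMED IP ADDRESS [8] 4 10.255.0.1"""

if __name__ == "__main__":
    print(missing_msap_vsas(SAMPLE))
```

An empty result means the accept carries the service ID, policy and group interface; any name returned points at the RADIUS user profile rather than at the capture SAP.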
The MSAP policy associations can be checked as follows:
*A:BNG-1# show subscriber-mgmt msap-policy "msap-ISP1" association
===============================================================================
MSAP Policy Associations
===============================================================================
Service-Id : 2 (VPRN)
- SAP : [1/2/2:1]
-------------------------------------------------------------------------------
Number of associated MSAPs: 1
Flags: (I) = Idle MSAP
===============================================================================
*A:BNG-1#
All created MSAPs and their associations with services can be checked as follows:
*A:BNG-1# show service sap-using msap
===============================================================================
Service Access Points
===============================================================================
PortId                          SvcId      Ing.  Ing.    Egr.  Egr.   Adm  Opr
                                           QoS   Fltr    QoS   Fltr
-------------------------------------------------------------------------------
[1/2/2:1]                       2          1     none    1     none   Up   Up
-------------------------------------------------------------------------------
Number of SAPs : 1
-------------------------------------------------------------------------------
Number of Managed SAPs : 1, indicated by [<sap-id>]
Flags : (I) = Idle MSAP
-------------------------------------------------------------------------------
===============================================================================
*A:BNG-1#
It is possible to use a tools command to update an existing MSAP when a specific msap-policy has changed.
*A:BNG-1# tools perform subscriber-mgmt eval-msap ?
  - eval-msap { policy <msap-policy-name> | msap <sap-id> }

 <msap-policy-name>   : [32 chars max]
 <sap-id>             : dot1q    - <port-id|lag-id>:qtag1
                                   qtag1    - [0..4094]
                        qinq     - <port-id|lag-id>:qtag1.qtag2
                                   qtag1    - [0..4094]
                                   qtag2    - [0..4094]
                        atm      - <port-id>:vpi/vci
                                   vpi      - [0..4095] (NNI)
                                              [0..255] (UNI)
                                   vci      - [1..65535]
                        port-id  - slot/mda/port
                        lag-id   - lag-<id>
                                   lag      - keyword
                                   id       - [1..800]
*A:BNG-1#
An MSAP can be deleted as follows:
*A:BNG-1# clear service id 2 msap 1/2/2:1
This event is recorded in log 99 as follows:
*A:BNG-1# show log log-id 99
===============================================================================
Event Log 99
===============================================================================
Description : Default System Log
Memory Log contents [size=500 next event=55 (not wrapped)]
54 2017/05/19 11:24:04.29 CEST WARNING: SVCMGR #2501 Base Subscriber deleted
"Subscriber user1 has been removed from the system"
53 2017/05/19 11:24:04.03 CEST INDETERMINATE: LOGGER #2010 Base Clear SVCMGR
"Clear function clearSvcIdMsap has been run with parameters: svc-id="2" sap-id="1/2
/2:1". The completion result is: success. Additional error text, if any, is: "
---snip---
*A:BNG-1#
To delete all MSAPs associated with a certain MSAP policy, use the following command:
*A:BNG-1# clear service id 2 msap-policy msap-ISP1
This event is recorded in log 99 as follows:
*A:BNG-1# show log log-id 99
===============================================================================
Event Log 99
===============================================================================
Description : Default System Log
Memory Log contents [size=500 next event=74 (not wrapped)]
67 2017/05/19 11:29:15.28 CEST WARNING: SVCMGR #2501 Base Subscriber deleted
"Subscriber user1 has been removed from the system"
66 2017/05/19 11:29:14.54 CEST INDETERMINATE: LOGGER #2010 Base Clear SVCMGR
"Clear function clearSvcIdMsapPlcy has been run with parameters: svc-id="2" policy
-name="msap-ISP1". The completion result is: success. Additional error text, if any,
is: "
65 2017/05/19 11:29:14.54 CEST MINOR: SVCMGR #2213 vprn2 MSAP delete
"Managed SAP, 1/2/2:1 in service 2, has been deleted."
---snip---
*A:BNG-1#
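Both clear commands leave a LOGGER #2010 event in log 99, followed by the SVCMGR #2501 subscriber removal. The following Python audit is an added example, not part of the original chapter: it rejoins the wrapped message lines, extracts the clear function and its parameters, and links each clear to the subscribers removed shortly after it. The function names and the 5-second correlation window are assumptions.

```python
import re
from datetime import datetime

HEADER = re.compile(r"^(\d+) (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) \w+ "
                    r"(\w+): (\w+) #(\d+) (\S+) (.*)$")
CLEAR = re.compile(r"Clear function (\w+) has been run with parameters: "
                   r"(.*?)\. The completion result is: (\w+)")
REMOVED = re.compile(r"Subscriber (\S+) has been removed")

def parse_events(log_text):
    """Attach each quoted, possibly wrapped, message to its event header."""
    events = []
    for line in map(str.strip, log_text.splitlines()):
        m = HEADER.match(line)
        if m:
            when = datetime.strptime(m[2], "%Y/%m/%d %H:%M:%S.%f")
            events.append({"seq": int(m[1]), "time": when,
                           "key": (m[4], int(m[5])), "msg": ""})
        elif events and not line.startswith(("---", "===", "*A:")):
            events[-1]["msg"] += line  # rejoin lines wrapped by the CLI
    return events

def audit_clears(log_text, window_s=5.0):
    """Link each clear (LOGGER #2010) to subscribers removed within window_s."""
    events, report = parse_events(log_text), []
    for ev in events:
        if ev["key"] != ("LOGGER", 2010) or not (c := CLEAR.search(ev["msg"])):
            continue
        removed = [s[1] for e in events
                   if e["key"] == ("SVCMGR", 2501)
                   and 0 <= (e["time"] - ev["time"]).total_seconds() <= window_s
                   and (s := REMOVED.search(e["msg"]))]
        report.append({"seq": ev["seq"], "function": c[1], "result": c[3],
                       "params": dict(re.findall(r'([\w-]+)="([^"]*)"', c[2])),
                       "subscribers": removed})
    return report

# Sample: the second log 99 excerpt from this page, line wraps as captured
SAMPLE = '''67 2017/05/19 11:29:15.28 CEST WARNING: SVCMGR #2501 Base Subscriber deleted
"Subscriber user1 has been removed from the system"
66 2017/05/19 11:29:14.54 CEST INDETERMINATE: LOGGER #2010 Base Clear SVCMGR
"Clear function clearSvcIdMsapPlcy has been run with parameters: svc-id="2" policy
-name="msap-ISP1". The completion result is: success. Additional error text, if any,
is: "
65 2017/05/19 11:29:14.54 CEST MINOR: SVCMGR #2213 vprn2 MSAP delete
"Managed SAP, 1/2/2:1 in service 2, has been deleted."'''
if __name__ == "__main__":
    print(audit_clears(SAMPLE))
```

A subscriber removal with no clear event inside the window was not operator-initiated through these commands and is worth checking against session or RADIUS disconnect logs.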
Conclusion
MSAPs allow dynamic creation of SAPs, which results in:
Less provisioning.
Less possibility for introducing provisioning errors.
Reduced configuration file size.