Managed SAPs with Routed CO

This chapter provides information about Managed SAPs with Routed CO.

Applicability

This chapter is applicable to SR OS routers and was initially written for Release 8.0.R1. The CLI in this edition corresponds to Release 15.0.R2.

Overview

Managed SAPs (MSAP) are SAPs dynamically created after the reception of a trigger packet on a capture SAP. The creation of the MSAP is controlled through an MSAP policy, which is defined during the authentication phase along with the subscriber host parameters required for host instantiation.

The following trigger packet types can lead to the creation of an MSAP:

  • arp

  • dhcp

  • dhcp6

  • rtr-solicit

  • pppoe

  • ppp

  • data

Multiple trigger packet types can be enabled for a single capture SAP.

MSAP creation takes several steps:

  • Reception of a trigger packet on the capture SAP.

  • Authentication, for example via RADIUS, LUDB, or NASREQ.

    Authentication provides the MSAP policy and the target service context required in the next step.

  • The actual creation of the MSAP in the service defined during the authentication step, taking the MSAP policy into account.

MSAPs are supported in the Bridged Central Office model and the Routed Central Office (RCO) model. For the bridged model, the service context returned by authentication is the service ID of a VPLS. For the routed model, the service context is the service ID of a routed service (IES or VPRN) plus the name of a group-interface in the target service. Only the RCO model is explained in this chapter.

The capture SAP receives trigger packets and initiates authentication. The capture SAP is defined in a VPLS, and does not forward traffic.

The MSAP is created in the target service, and the VLAN of the MSAP is the same as the VLAN of the trigger packet. The MSAP behaves as a regular SAP, but its configuration is not user editable and not maintained in the configuration file. The MSAP remains active as long as the session is active. MSAPs and regular SAPs can co-exist on the same port and in the same service.

MSAPs can be created in a wholesale VPRN service while the corresponding subscriber host or session is terminated in a retail VPRN or IES service. Both wholesale MSAP data (service, group-interface, and policy) and retail service id must be provided during authentication.

Knowledge of TPSDA (Triple Play Service Delivery Architecture) and functionality is assumed throughout this chapter.

Capture SAP

The IOM classifies traffic based on the tags present in the incoming packets, and sends traffic to existing SAPs if the tag or tag combination in the incoming packet is known to the IOM.

The capture SAP is used if a more specific match for the Q or Q-in-Q tags is not found by the traffic classification on the IOM.

Trigger packets received on the capture SAP are sent to the CPM; non-trigger packets received on the capture SAP are dropped.

The following formats are allowed on the capture SAP:

  • SAP 1/2/2:* for dot1Q

  • SAP 1/2/2:*.* for QinQ

  • SAP 1/2/2:Q1.* for QinQ

  • SAP 1/2/2:*.Q1 for QinQ (inverse capture SAP)

By default, the MSAP created will have one q-tag (for dot1q) or two q-tags (for qinq), and these are taken from the original trigger packet. The optional allow-dot1q-msaps command additionally enables single tagged trigger packet support for QinQ capture SAPs. See the user manual for a full description.

MSAP with Redundant Configurations

MSAPs are High Availability (HA) enabled (there is no service impact following a CPM failover). In addition, the MSAPs are also stored in the subscriber management persistence file (if enabled), allowing the MSAPs to be recreated after a reboot.

MSAPs can be used in dual-homed BNG scenarios with multi-chassis LAG, multi-chassis ring and subscriber router redundancy protocol.

RADIUS Authentication and Vendor Specific Attributes (VSAs) for MSAP

The Alc-MSAP-Serv-Id attribute returned by the RADIUS server defines the service in which the MSAP must be created.

In the RCO scenario, the MSAP is created in a group-interface context. The Alc-MSAP-Interface attribute returned by the RADIUS server defines the group-interface where the MSAP must be installed, and must exist in the target service.

The Alc-MSAP-Policy attribute returned by the RADIUS server defines the MSAP parameters required for creating the MSAP.

Topology

The network topology is displayed in Figure 1. This chapter uses the RCO model with PPPoE, IPv4, and RADIUS authentication for demonstrating MSAPs.

Figure 1. Network Topology

Configuration

RADIUS

In this chapter the management router is used for RADIUS communication, and the configuration used is as follows:

configure
    router "management"
        radius-server
            server "radius-172.31.117.84" address 172.31.117.84 secret vsecret1 create
                description "Management router is used for RADIUS"
                accept-coa
            exit
        exit
    exit
exit
configure
    aaa
        radius-server-policy "rad-serv-pol-1" create
            servers
                router "management"
                source-address 172.31.117.75
                server 1 name "radius-172.31.117.84"
            exit
        exit
    exit
exit
configure
    subscriber-mgmt
        authentication-policy "authentication-1" create
            description "RADIUS authentication policy"
            password "letmein"
            pppoe-access-method pap-chap
            include-radius-attribute
                remote-id
                nas-identifier
                mac-address
            exit
            radius-server-policy "rad-serv-pol-1"
        exit
    exit
exit

The value of the secret is defined as vsecret1. The secret is a case-sensitive character string of 20 characters maximum, which must be configured in the clients.conf file on the RADIUS server.

The management routing instance with the out-of-band 172.31.117.75 IP address is used as the source to communicate authentication messages between the BNG and the RADIUS server. The RADIUS server IP address is 172.31.117.84. Up to sixteen servers can be configured in the RADIUS server policy. When multiple servers are defined, the access algorithm can be set to direct or round-robin.

The authentication method used in this example is PAP/CHAP, so the pap-chap value is used for the pppoe-access-method.

The user’s remote-id and mac-address are included, together with the nas-identifier, in the access request message sent to the RADIUS server.

QoS SAP Policies

The following QoS SAP ingress and egress policies are used later in this chapter. The dot1p and dscp values used are examples:

configure
    qos
        sap-ingress 20 create
            description "64K_upstream"
            queue 1 create
                rate 64
            exit
            queue 11 multipoint create
            exit
        exit
        ---snip---
        sap-egress 50 create
            description "2M_downstream"
            queue 1 create
                rate 2048
            exit
            fc be create
                queue 1
                dot1p 3
                dscp cs1
            exit 
        exit
    exit
exit

Enhanced Subscriber Management Parameters

SLA profiles are configured where the downstream speed is four times the upstream speed, and each SLA profile is named after its downstream speed. A subscriber profile is configured to initiate RADIUS accounting. A subscriber identification profile is configured for direct mapping of subscriber and SLA profiles, as follows:

configure
    subscriber-mgmt
        sla-profile "sla-profile-1M" create
            ingress
                qos 40 shared-queuing
                exit
            exit
            egress
                qos 40 
                exit
                no qos-marking-from-sap
            exit
        exit
        ---snip---
        sub-profile "sub-profile-default" create
            radius-accounting
                policy "accounting-11"
            exit
            sla-profile-map
                use-direct-map-as-default
            exit
        exit
        sub-ident-policy "sub-id-default" create
            sub-profile-map
                use-direct-map-as-default
            exit
            sla-profile-map
                use-direct-map-as-default
            exit
        exit
    exit
exit

MSAP Policy

MSAP policies contain the parameters which are used for MSAP creation and the information required to complete the subscriber identification process.

Creation of an MSAP requires an MSAP policy. The MSAP policy to be used can be defined during authentication. If authentication does not return an MSAP policy, then the default MSAP policy configured in the capture-sap as msap-defaults is used instead.

configure
    subscriber-mgmt
        msap-policy "msap-ISP1" create
            sub-sla-mgmt
                def-sub-id use-sap-id
                def-sub-profile "sub-profile-default"
                def-sla-profile "sla-profile-512K"
                sub-ident-policy "sub-id-default"
                single-sub-parameters
                    profiled-traffic-only
                exit
            exit
        exit
        msap-policy "msap-default" create
            sub-sla-mgmt
                def-sub-id use-sap-id
                def-sub-profile "sub-profile-default"
                def-sla-profile "sla-profile-256K"
                sub-ident-policy "sub-id-default"
                single-sub-parameters
                    profiled-traffic-only
                exit
            exit
        exit
    exit
exit

If managed routes are required for some subscribers, then the anti-spoof command is required in the msap-policy. The default value for anti-spoof is ip-mac. Managed routes are out of the scope of this chapter.

configure
    subscriber-mgmt
        msap-policy "msap-ISP1" create
            ies-vprn-only-sap-parameters
                anti-spoof nh-mac
            exit
        exit
    exit
exit

VPLS Service with a Capture SAP

Configure a VPLS service with a capture SAP and define the triggering packet types. The trigger-packet command is mandatory. In case of RADIUS authentication, an authentication-policy is required. Additionally, the cpu-protection command can be added to enable CPU protection policies, as follows:

configure
    service
        vpls 1 customer 1 create
            description "VPLS for Capture SAPs"
            stp
                shutdown
            exit
            sap 1/2/2:* capture-sap create
                description "capture SAP for MSAP creation on port 1/2/2"
                trigger-packet arp dhcp pppoe
                msap-defaults
                    policy "msap-default"
                exit
                authentication-policy "authentication-1"
            exit
            no shutdown
        exit
    exit
exit

Verify the details of the capture SAP:

*A:BNG-1# show service id 1 sap 1/2/2:* detail
 
===============================================================================
Service Access Points(SAP)
===============================================================================
Service Id         : 1
SAP                : 1/2/2:*                  Encap             : q-tag
Description        : capture SAP for MSAP creation on port 1/2/2
Admin State        : Up                       Oper State        : Up
Flags              : None
Multi Svc Site     : None
Last Status Change : 05/18/2017 15:44:05
Last Mgmt Change   : 05/22/2017 15:38:49
Sub Type           : capture
Triggers           : arp dhcp pppoe
Dot1Q Ethertype    : 0x8100                   QinQ Ethertype    : 0x8100
Split Horizon Group: (Not Specified)
 
---snip---
 
Auth Policy        : authentication-1
DHCP User Db       : None
PPP Policy         : None
PPP User Db        : None
PPPoE Policy       : default
PPPoE User Db      : None
DHCPv6 User Db     : None
IPoE Policy        : None
IPoE User Db       : None
Rtr-Sol User Db    : None
DHCP Python policy : None
DHCP6 Python policy: None
PPPoE Python policy: None
Diameter auth plcy : None
Dynamic svc plcy   : None
Allow dot1q msap   : Disabled
DestMac Rewrite    : Disabled
SendBvplsEvpnFlush : Enabled
 
---snip---
 
-------------------------------------------------------------------------------
Sap Statistics
-------------------------------------------------------------------------------
Last Cleared Time     : N/A
 
                        Packets                 Octets
CPM Ingress           : 474539                  33476253
 
Forwarding Engine Stats
Dropped               : 9                       842
 
DHCP Capture Stats
Received              : 0
Redirected            : 0
Dropped               : 0
 
PPPoE Capture Stats
Received              : 406735
Redirected            : 0
Dropped               : 0
 
ARP Capture Stats
Received              : 0
Redirected            : 0
Dropped               : 0
 
DHCP6 Capture Stats
Received              : 0
Redirected            : 0
Dropped               : 0
 
PPP Capture Stats
Received              : 0
Redirected            : 0
Dropped               : 0
 
Rtr-Sol Capture Stats
Received              : 0
Redirected            : 0
Dropped               : 0
 
Unknown Capture Stats
Received              : 0
Redirected            : 0
Dropped               : 0
-------------------------------------------------------------------------------
Sap per Queue stats
-------------------------------------------------------------------------------
                        Packets                 Octets
No entries found
===============================================================================
* indicates that the corresponding row element may have been truncated.
*A:BNG-1#

The Sap Statistics section provides statistics for the capture SAP per trigger type, which can help in troubleshooting the service. The dropped packet counter indicates the number of non-trigger packets received on the capture SAP. No SAP queues are instantiated for a capture SAP.
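The per-trigger counters described above can be read by a script. The following is an added example, not part of the original chapter: it parses a shortened excerpt of the output shown above and reports trigger types that are enabled but have never been received, plus the non-trigger drop count. Treating an unused trigger type as a candidate for removal from trigger-packet is this example's own heuristic, based on the statement that trigger packets are sent to the CPM.

```python
import re

# Heading used in the "Sap Statistics" section -> trigger-packet keyword.
SECTION_TO_TRIGGER = {
    "DHCP": "dhcp", "PPPoE": "pppoe", "ARP": "arp", "DHCP6": "dhcp6",
    "PPP": "ppp", "Rtr-Sol": "rtr-solicit", "Unknown": "unknown",
}

# Excerpt of the capture SAP output shown above, shortened for the example.
SAMPLE_OUTPUT = """\
Sub Type           : capture
Triggers           : arp dhcp pppoe

Forwarding Engine Stats
Dropped               : 9                       842

DHCP Capture Stats
Received              : 0
Redirected            : 0
Dropped               : 0

PPPoE Capture Stats
Received              : 406735
Redirected            : 0
Dropped               : 0

ARP Capture Stats
Received              : 0
Redirected            : 0
Dropped               : 0

Unknown Capture Stats
Received              : 0
Redirected            : 0
Dropped               : 0
"""


def parse_capture_sap(text):
    """Extract enabled triggers and packet counters from 'show ... sap ... detail'."""
    parsed = {"triggers": [], "fe_dropped": 0, "stats": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            section = None  # a blank line or a rule ends the current counter block
            continue
        m = re.match(r"Triggers\s*:\s*(.*)$", line)
        if m:
            parsed["triggers"] = m.group(1).split()
            continue
        if line == "Forwarding Engine Stats":
            section = "fe"
            continue
        m = re.match(r"(\S+) Capture Stats$", line)
        if m:
            section = SECTION_TO_TRIGGER.get(m.group(1))
            if section:
                parsed["stats"][section] = {}
            continue
        m = re.match(r"(Received|Redirected|Dropped)\s*:\s*(\d+)", line)
        if m and section == "fe" and m.group(1) == "Dropped":
            parsed["fe_dropped"] = int(m.group(2))  # first column is packets
        elif m and section in parsed["stats"]:
            parsed["stats"][section][m.group(1).lower()] = int(m.group(2))
    return parsed


def review(parsed):
    """Return (finding, detail) tuples for an operator to look at."""
    findings = []
    for trig in parsed["triggers"]:
        counters = parsed["stats"].get(trig)
        if counters is None:
            continue  # no counter block for this trigger type in the parsed text
        if counters.get("received", 0) == 0:
            findings.append(("unused-trigger", trig))
        if counters.get("dropped", 0) > 0:
            findings.append(("trigger-dropped", trig))
    for trig, counters in parsed["stats"].items():
        if trig not in parsed["triggers"] and counters.get("received", 0) > 0:
            findings.append(("unexpected-trigger", trig))
    if parsed["fe_dropped"] > 0:
        findings.append(("non-trigger-dropped", parsed["fe_dropped"]))
    return findings


if __name__ == "__main__":
    for finding in review(parse_capture_sap(SAMPLE_OUTPUT)):
        print(finding)
```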

VPRN Service - VLAN-Per-Subscriber (PPPOE)

The following output shows an RCO configuration example. No static SAPs are defined in this example, but they are allowed.

configure
    service
        vprn 2 customer 1 create
            route-distinguisher 64496:2
            subscriber-interface "sub-int-1" create
                address 10.255.255.254/8
                group-interface "grp-int-1" create
                    description "ROUTED CO MSAP VLAN X"
                    authentication-policy "authentication-1"
                    pppoe
                        session-limit 2000
                        no shutdown
                    exit
                exit
            exit
            no shutdown
        exit
    exit
exit

Initially, no MSAPs are present, so the operational state of both the subscriber interface and the group interface is down.

*A:BNG-1# show router 2 interface
  
===============================================================================
Interface Table (Service: 2)
===============================================================================
Interface-Name                   Adm       Opr(v4/v6)  Mode    Port/SapId
   IP-Address                                                  PfxState
-------------------------------------------------------------------------------
grp-int-1                        Up        Down/Down   VPRN G* n/a
sub-int-1                        Up        Down/Down   VPRN S* subscriber
   10.255.255.254/8                                            n/a
-------------------------------------------------------------------------------
Interfaces : 2
===============================================================================
* indicates that the corresponding row element may have been truncated.
*A:BNG-1#

To allow the subscriber interface to consider this group interface to be operationally enabled without any active MSAPs, the following command can be added to the configuration (this would be useful in order to propagate the subnet interface address into a routing protocol):

configure 
    service 
        vprn 2 
            subscriber-interface "sub-int-1"
                group-interface "grp-int-1"
                    oper-up-while-empty
                exit
            exit
        exit
    exit
exit

The status of the interfaces then is as follows:

*A:BNG-1# show router 2 interface
  
===============================================================================
Interface Table (Service: 2)
===============================================================================
Interface-Name                   Adm       Opr(v4/v6)  Mode    Port/SapId
   IP-Address                                                  PfxState
-------------------------------------------------------------------------------
grp-int-1                        Up        Down/Down   VPRN G* n/a
sub-int-1                        Up        Up/Down     VPRN S* subscriber
   10.255.255.254/8                                            n/a
-------------------------------------------------------------------------------
Interfaces : 2
===============================================================================
* indicates that the corresponding row element may have been truncated.
*A:BNG-1#

Check the status of the group interface once the first MSAP is created.

RADIUS User File

The following entry is an example of a user entry in the RADIUS users file for the FreeRadius server:

"user1@ISP1.com" Cleartext-Password := "letmein"
        Alc-Subsc-ID-Str := "%{ADSL-Agent-Remote-Id}",
        Alc-SLA-Prof-Str == "sla-profile-2M",
        Alc-MSAP-Serv-ID = 2,
        Alc-MSAP-Policy == "msap-ISP1",
        Alc-MSAP-Interface == "grp-int-1",
        Framed-IP-Address = 10.255.0.1,
        Alc-Primary-DNS = 172.31.31.31,
        Alc-Secondary-DNS = 172.31.31.32

So when the PPPoE user sends the correct username and password, the RADIUS server accepts the access request and returns the VPRN service ID 2, the group interface grp-int-1, and the MSAP policy to use, msap-ISP1.

In case no MSAP policy is returned by the RADIUS server, the default MSAP policy msap-default under the capture SAP is used instead.

In the preceding entry, the PPPoE user will have its IP address and DNS assigned by RADIUS as well.
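The MSAP attributes in a users entry only work if the objects they name exist on the BNG. The following added example (not part of the original chapter or of SR OS or FreeRADIUS) cross-checks the two. The configuration and users text are constructed excerpts modelled on this chapter, the second user is deliberately wrong, and absent service or interface attributes are not judged.

```python
import re
import shlex

# Constructed excerpt of the BNG configuration used in this chapter.
BNG_CONFIG = '''
configure
    subscriber-mgmt
        msap-policy "msap-ISP1" create
        exit
        msap-policy "msap-default" create
        exit
    exit
    service
        vpls 1 customer 1 create
            sap 1/2/2:* capture-sap create
                trigger-packet arp dhcp pppoe
                msap-defaults
                    policy "msap-default"
                exit
            exit
        exit
        vprn 2 customer 1 create
            subscriber-interface "sub-int-1" create
                group-interface "grp-int-1" create
                exit
            exit
        exit
    exit
exit
'''

# Constructed users entries: user1 mirrors the chapter, user2 has two bad references.
USERS = '''
"user1@ISP1.com" Cleartext-Password := "<password>"
        Alc-MSAP-Serv-ID = 2,
        Alc-MSAP-Policy == "msap-ISP1",
        Alc-MSAP-Interface == "grp-int-1"

"user2@ISP1.com" Cleartext-Password := "<password>"
        Alc-MSAP-Serv-ID = 2,
        Alc-MSAP-Policy == "msap-ISP2",
        Alc-MSAP-Interface == "group-int-1"
'''

ITEM = re.compile(r'^\s+([\w-]+)\s*(?::=|==|\+=|=)\s*"?([^",]*)"?\s*,?\s*$')


def index_bng_config(text):
    """Collect MSAP policies, group interfaces per service, and capture SAP defaults."""
    idx = {"msap_policies": set(), "group_ifs": {}, "capture_defaults": set()}
    stack = []  # (indent, tokens) of enclosing contexts, innermost last
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok or tok[0] == "exit":
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        parents = [t for _, t in stack]
        if tok[0] == "msap-policy":
            idx["msap_policies"].add(tok[1])
        elif tok[0] in ("vprn", "ies"):
            idx["group_ifs"].setdefault(tok[1], set())
        elif tok[0] == "group-interface":
            svc = next((p[1] for p in reversed(parents) if p[0] in ("vprn", "ies")), None)
            idx["group_ifs"].setdefault(svc, set()).add(tok[1])
        elif tok[0] == "policy" and parents and parents[-1][0] == "msap-defaults":
            idx["capture_defaults"].add(tok[1])
        stack.append((indent, tok))
    return idx


def parse_users(text):
    """Return {user: {lower-cased attribute: value}} for the indented reply items."""
    users, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = shlex.split(line)[0]
            users[current] = {}
            continue
        m = ITEM.match(line)
        if current and m:
            users[current][m.group(1).lower()] = m.group(2)
    return users


def check_user(reply, idx):
    problems = []
    policy = reply.get("alc-msap-policy")
    if policy is None:
        if not idx["capture_defaults"]:
            problems.append("no Alc-MSAP-Policy and no msap-defaults policy")
    elif policy not in idx["msap_policies"]:
        problems.append(f"msap-policy {policy!r} is not configured")
    svc = reply.get("alc-msap-serv-id")
    ifname = reply.get("alc-msap-interface")
    if svc is not None and svc not in idx["group_ifs"]:
        problems.append(f"service {svc!r} is not a configured IES/VPRN")
    elif svc is not None and ifname is not None and ifname not in idx["group_ifs"][svc]:
        problems.append(f"group-interface {ifname!r} does not exist in service {svc}")
    return problems


def audit(config_text, users_text):
    idx = index_bng_config(config_text)
    return {u: check_user(r, idx) for u, r in parse_users(users_text).items()}
```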

Connect PPPoE user

Connect PPPoE user user1, initiate a PPPoE session on VLAN 1, and verify PPPoE session establishment.

*A:BNG-1# show service id 2 pppoe session
  
===============================================================================
PPPoE sessions for svc-id 2
===============================================================================
Sap Id              Mac Address       Sid    Up Time         Type
    IP/L2TP-Id/Interface-Id                                      MC-Stdby
-------------------------------------------------------------------------------
[1/2/2:1]           00:00:00:01:01:01 1      0d 00:01:12     local
    10.255.0.1
-------------------------------------------------------------------------------
Number of sessions   : 1
===============================================================================
*A:BNG-1#

The PPPoE session is established successfully and the IP address and subscriber strings obtained from the RADIUS server are used.

In order to differentiate between the MSAP and the normal SAP, the MSAP will be shown between square brackets [1/2/2:1] in the show commands.

Verify Subscriber Values

Verify subscriber values returned from RADIUS for user1.

*A:BNG-1# show service id 2 pppoe session ip-address 10.255.0.1 detail
  
===============================================================================
PPPoE sessions for svc-id 2
===============================================================================
Sap Id              Mac Address       Sid    Up Time         Type
    IP/L2TP-Id/Interface-Id                                      MC-Stdby
-------------------------------------------------------------------------------
[1/2/2:1]           00:00:00:01:01:01 1      0d 00:00:51     local
    10.255.0.1
  
  
LCP State            : Opened
IPCP State           : Opened
IPv6CP State         : Closed
PPP MTU              : 1492
PPP Auth-Protocol    : CHAP
PPP User-Name        : user1@ISP1.com
  
Subscriber-interface : sub-int-1
Group-interface      : grp-int-1
  
IP Origin            : radius
DNS Origin           : radius
NBNS Origin          : none
  
Subscriber           : "user1"
Sub-Profile-String   : ""
SLA-Profile-String   : "sla-profile-2M"
ANCP-String          : ""
Int-Dest-Id          : ""
App-Profile-String   : ""
Category-Map-Name    : ""
Acct-Session-Id      : "14F2FF00000006591EA903"
Sap-Session-Index    : 1
  
IP Address           : 10.255.0.1/32
Primary DNS          : 172.31.31.31
Secondary DNS        : 172.31.31.32
Primary NBNS         : N/A
Secondary NBNS       : N/A
Address-Pool         : N/A
  
IPv6 Prefix          : N/A
IPv6 Prefix Origin   : none
IPv6 Prefix Pool     : ""
IPv6 Del.Pfx.        : N/A
IPv6 Del.Pfx. Origin : none
IPv6 Del.Pfx. Pool   : ""
IPv6 Address         : N/A
IPv6 Address Origin  : none
IPv6 Address Pool    : ""
Primary IPv6 DNS     : N/A
Secondary IPv6 DNS   : N/A
Router adv. policy   : N/A
  
Ignoring DF bit      : false
Radius sub-if prefix : N/A
  
Circuit-Id           : DSLAM1_1/1/1/1:0.35
Remote-Id            : user1
  
Radius Session-TO    : N/A
Radius Class         :
Radius User-Name     : user1@ISP1.com
Logical-Line-Id      :
Service-Name         :
-------------------------------------------------------------------------------
Number of sessions   : 1
===============================================================================
*A:BNG-1#

Check Actual Values

Check the actual values used by user1, including the subscriber profile, SLA profile, VPRN and group interface association, the subscriber queues statistics and others.

*A:BNG-1# show service active-subscribers subscriber "user1" detail
  
===============================================================================
Active Subscribers
===============================================================================
-------------------------------------------------------------------------------
Subscriber user1 (sub-profile-default)
-------------------------------------------------------------------------------
I. Sched. Policy : N/A
E. Sched. Policy : N/A                              E. Agg Rate Limit: Max
I. Policer Ctrl. : N/A
E. Policer Ctrl. : N/A
I. vport-hashing : Disabled
I. sec-sh-hashing: Disabled
Q Frame-Based Ac*: Disabled
Acct. Policy     : N/A                              Collect Stats    : Disabled
ANCP Pol.        : N/A
HostTrk Pol.     : N/A
IGMP Policy      : N/A
MLD Policy       : N/A
PIM Policy       : N/A
Sub. MCAC Policy : N/A
NAT Policy       : N/A
Firewall Policy  : N/A
UPnP Policy      : N/A
NAT Prefix List  : N/A
Def. Encap Offset: none                             Encap Offset Mode: none
Avg Frame Size   : N/A
Vol stats type   : full
Preference       : 5
LAG hash class   : 1
LAG hash weight  : 1
Sub. ANCP-String : "user1"
Sub. Int Dest Id : ""
Igmp Rate Adj    : N/A
RADIUS Rate-Limit: N/A
Oper-Rate-Limit  : Maximum
-------------------------------------------------------------------------------
Radius Accounting
-------------------------------------------------------------------------------
Policy           : accounting-1
Session Opti.Stop: False
* indicates that the corresponding row element may have been truncated.
-------------------------------------------------------------------------------
(1) SLA Profile Instance
    - sap:[1/2/2:1] (VPRN 2 - grp-int-1)
    - sla:sla-profile-2M
-------------------------------------------------------------------------------
Description          : (Not Specified)
Host Limits          : No Limit
Egr Sched-Policy     : N/A
Ingress Qos-Policy   : 50                     Egress Qos-Policy : 50
Ingress Queuing Type : Shared-queuing (Not Applicable to Policer)
Ingr IP Fltr-Id      : N/A                    Egr IP Fltr-Id    : N/A
Ingr IPv6 Fltr-Id    : N/A                    Egr IPv6 Fltr-Id  : N/A
Ingress Report-Rate  : Maximum
Egress Report-Rate   : Maximum
Egress Remarking     : from SLA Profile Qos
Credit Control Pol.  : N/A
Category Map         : (Not Specified)
Use ing L2TP DSCP    : false
Hs-Agg-Rate-Limit    : Maximum
Hs-Oper-Rate-Limit   : Maximum
Egr hqos mgmt status : disabled
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
IP Address
                MAC Address          Session        Origin       Svc        Fwd
-------------------------------------------------------------------------------
10.255.0.1
                00:00:00:01:01:01    PPP 1          IPCP         2          Y
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
SLA Profile Instance statistics
-------------------------------------------------------------------------------
                        Packets                 Octets
  
Off. HiPrio           : 0                       0
Off. LowPrio          : 0                       0
Off. Uncolor          : 0                       0
Off. Managed          : 0                       0
  
Queueing Stats (Ingress QoS Policy 50)
Dro. HiPrio           : 0                       0
Dro. LowPrio          : 0                       0
For. InProf           : 0                       0
For. OutProf          : 0                       0
  
Queueing Stats (Egress QoS Policy 50)
Dro. In/InplusProf    : 0                       0
Dro. Out/ExcProf      : 0                       0
For. In/InplusProf    : 0                       0
For. Out/ExcProf      : 2                       128
  
-------------------------------------------------------------------------------
SLA Profile Instance per Queue statistics
-------------------------------------------------------------------------------
                        Packets                 Octets
  
Ingress Queue 1 (Unicast) (Priority)
Off. HiPrio           : 0                       0
Off. LowPrio          : 0                       0
Dro. HiPrio           : 0                       0
Dro. LowPrio          : 0                       0
For. InProf           : 0                       0
For. OutProf          : 0                       0
  
Egress Queue 1
Dro. In/InplusProf    : 0                       0
Dro. Out/ExcProf      : 0                       0
For. In/InplusProf    : 0                       0
For. Out/ExcProf      : 2                       128
  
  
===============================================================================
*A:BNG-1#

Here, the subscriber ID is user1 and the subscriber profile is sub-profile-default.

Because the RADIUS server did not return a subscriber profile string, the system uses the def-sub-profile configured under the msap-policy msap-ISP1.

Another command can also be used to show less detail in a hierarchical form.

*A:BNG-1# show service active-subscribers hierarchy subscriber "user1"
  
===============================================================================
Active Subscribers Hierarchy
===============================================================================
-- user1 (sub-profile-default)
   |
   +-- sap:[1/2/2:1] - sla:sla-profile-2M
       |
       +-- PPP-session - mac:00:00:00:01:01:01 - sid:1 - svc:2
           |   circuit-id:DSLAM1_1/1/1/1:0.35
           |   remote-id:user1
           |
           +-- 10.255.0.1 - IPCP
  
===============================================================================
*A:BNG-1#

Verify that the IPv4 state of the group interface now is up, as follows:

*A:BNG-1# show router 2 interface
  
===============================================================================
Interface Table (Service: 2)
===============================================================================
Interface-Name                   Adm       Opr(v4/v6)  Mode    Port/SapId
   IP-Address                                                  PfxState
-------------------------------------------------------------------------------
grp-int-1                        Up        Up/Down     VPRN G* 1/2/2
sub-int-1                        Up        Up/Down     VPRN S* subscriber
   10.255.255.254/8                                            n/a
-------------------------------------------------------------------------------
Interfaces : 2
===============================================================================
* indicates that the corresponding row element may have been truncated.
*A:BNG-1#

The MSAP details display the capture service id, capture SAP and MSAP policy, as follows:

*A:BNG-1# show service id 2 sap 1/2/2:1 detail
  
===============================================================================
Service Access Points(SAP)
===============================================================================
Service Id         : 2
SAP                : 1/2/2:1                  Encap             : q-tag
Description        : Managed SAP - Capture Svc 1 1/2/2:*
Admin State        : Up                       Oper State        : Up
Flags              : None
Multi Svc Site     : None
Last Status Change : 05/18/2017 15:43:43
Last Mgmt Change   : 05/19/2017 10:12:51
Sub Type           : managed
Capture Service Id : 1                        Capture SAP       : 1/2/2:*
MSAP Policy        : msap-ISP1
Idle               : no                       Sticky            : no
Dot1Q Ethertype    : 0x8100                   QinQ Ethertype    : 0x8100
Split Horizon Group: (Not Specified)
  
---snip---
  
-------------------------------------------------------------------------------
Sap per Queue stats
-------------------------------------------------------------------------------
                        Packets                 Octets
No entries found
===============================================================================
* indicates that the corresponding row element may have been truncated.
*A:BNG-1#

The Sub Type shows "managed" for MSAPs, or "regular" for normal SAPs (a SAP created manually under a group-interface).

MSAP QoS

By default an MSAP is created with default QoS policies.

*A:BNG-1# show service id 2 sap 1/2/2:1 detail
  
===============================================================================
Service Access Points(SAP)
===============================================================================
Service Id         : 2
SAP                : 1/2/2:1                  Encap             : q-tag
Description        : Managed SAP - Capture Svc 1 1/2/2:*
Admin State        : Up                       Oper State        : Up
  
---snip---
  
-------------------------------------------------------------------------------
QOS
-------------------------------------------------------------------------------
Ingress qos-policy : 1                        Egress qos-policy : 1
Ingress FP QGrp    : (none)                   Egress Port QGrp  : (none)
Ing FP QGrp Inst   : (none)                   Egr Port QGrp Inst: (none)
Shared Q plcy      : default                  Multipoint shared : Disabled
I. Sched Pol       : (Not Specified)
E. Sched Pol       : (Not Specified)
I. Policer Ctl Pol : (Not Specified)
E. Policer Ctl Pol : (Not Specified)
E. HS Sec. Shaper  : (Not Specified)
I. QGrp Redir. List: (Not Specified)
E. QGrp Redir. List: (Not Specified)
-------------------------------------------------------------------------------
Subscriber Management
-------------------------------------------------------------------------------
Admin State        : Up                       MAC DA Hashing    : False
Def Sub-Id         : Use sap-id (1/2/2:1)
Def Sub-Profile    : sub-profile-default
Def SLA-Profile    : sla-profile-512K
Def Inter-Dest-Id  : None
Def App-Profile    : None
Sub-Ident-Policy   : sub-id-default
   
---snip---
   
===============================================================================
* indicates that the corresponding row element may have been truncated.
*A:BNG-1#

The default QoS policy associated with MSAPs can be changed:

  • To save queue resources when profiled-traffic-only cannot be used, for example when more than one subscriber is active on an MSAP. See MSAP Queue Optimization.

  • To provide adequate QoS treatment for multicast traffic in a per MSAP replication mode.

    Egress multicast traffic in per MSAP replication mode is forwarded via the MSAP queues or policers. Multicast traffic can be mapped into a dedicated queue or policer. The MSAP queue can be port-parented to provide scheduling priority at port level. The QoS policies associated with an MSAP are configured in the MSAP policy.

QoS Egress Remarking

For remarking to apply to MSAP egress traffic, the SLA profile must include the no qos-marking-from-sap command, as follows:

configure 
    subscriber-mgmt
        sla-profile "sla-profile-512K" create
            ---snip---
            egress
                qos 30
                exit
                no qos-marking-from-sap
            exit
        exit
    exit
exit

By default, the egress QoS marking for subscriber-host traffic is derived from the SAP-egress QoS policy associated with the corresponding SAP rather than from the SLA profile associated with the corresponding subscriber host. As a consequence, no egress QoS marking is performed for traffic transmitted on an MSAP (for example, dot1p marking is set to 0 and the DSCP/PREC field is unchanged), because SAP-egress policy one (1) is attached to every MSAP by default.

MSAP Queue Optimization

For single subscriber SAPs, where the multi-sub-sap limit equals 1, the SAP queues will not be instantiated when using the profiled-traffic-only option in the msap-policy. This parameter is ignored when the multi-sub-sap limit is different from 1.

configure
    subscriber-mgmt
        msap-policy "msap-ISP1" create
            sub-sla-mgmt
                def-sub-id use-sap-id
                def-sub-profile "sub-profile-default"
                def-sla-profile "sla-profile-512K"
                sub-ident-policy "sub-id-default"
                single-sub-parameters
                    profiled-traffic-only
                exit
            exit
        exit
    exit
exit

For multi-subscriber MSAPs, a QoS policy can be associated with an MSAP in which all forwarding classes are mapped to a policer. In that case, a single ingress and egress policer is instantiated per MSAP (instead of ingress and egress queues). QoS policies associated with an MSAP are configured in the MSAP policy:

configure
    subscriber-mgmt
        msap-policy "msap-ISP2" create
            ies-vprn-only-sap-parameters
                egress
                    qos 10
                exit
                ingress
                    qos 10 shared-queuing
                exit
            exit
        exit
    exit
exit

Troubleshooting

The authentication policy used on the capture SAP must be the same as the policy used on the managed SAP.

The managed SAP will not be created if the authentication policy on the group-interface is different from the authentication policy defined on the capture SAP.

configure 
    service 
        vpls 1
            ---snip---
            sap 1/2/2:* capture-sap create
                ---snip---
                authentication-policy "authentication-1"
            exit
            no shutdown
        exit

configure 
    service 
        vprn 2
            subscriber-interface "sub-int-1" create
                ---snip---
                group-interface "group-int-1" create
                    authentication-policy "authentication-2"
                    ---snip---
                exit
            exit
            no shutdown
        exit

This can be seen in log 99:

*A:BNG-1# show log log-id 99
  
8 2017/05/19 10:50:43.70 CEST MINOR: SVCMGR #2214 Base Managed SAP creation failure
"The system could not create Managed SAP:1/2/2:1, MAC:00:00:00:01:01:01, Capturing
 SAP:1/2/2:*, Service:1. Description: MSAP group-interface "grp-int-1" RADIUS auth
-policy "authentication-2" differs from capture SAP"
  
7 2017/05/19 10:50:30.28 CEST WARNING: SVCMGR #2501 Base Subscriber deleted
"Subscriber user1 has been removed from the system"
  
6 2017/05/19 10:50:29.68 CEST WARNING: SNMP #2004 vprn2 sub-int-1
"Interface sub-int-1 is not operational"
  
---snip---
  
*A:BNG-1#
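
The following Python parser is an added example, not part of the original chapter: it extracts MSAP creation failures from saved log 99 text and flags the authentication-policy mismatch described above. The message layout is assumed from the single excerpt on this page, and all function and field names are hypothetical.

```python
import re

# Constructed sample: the log 99 excerpt above, CLI line wrapping preserved.
SAMPLE_LOG = '''\
8 2017/05/19 10:50:43.70 CEST MINOR: SVCMGR #2214 Base Managed SAP creation failure
"The system could not create Managed SAP:1/2/2:1, MAC:00:00:00:01:01:01, Capturing
 SAP:1/2/2:*, Service:1. Description: MSAP group-interface "grp-int-1" RADIUS auth
-policy "authentication-2" differs from capture SAP"

7 2017/05/19 10:50:30.28 CEST WARNING: SVCMGR #2501 Base Subscriber deleted
"Subscriber user1 has been removed from the system"

---snip---
'''

HEADER = re.compile(r'^\d+ (\d{4}/\d\d/\d\d \S+) \S+ \w+: (\w+) #(\d+) \S+ .*$')
FAILURE = re.compile(r'Managed SAP:(?P<msap>[^,]+), MAC:(?P<mac>[0-9A-Fa-f:]+), '
                     r'Capturing SAP:(?P<capture_sap>[^,]+), Service:(?P<service>\d+)\. '
                     r'Description: (?P<reason>.*?)"?$')
MISMATCH = re.compile(r'group-interface "([^"]+)" RADIUS auth-policy "([^"]+)" differs')

def parse_events(text):
    """Split log text into events, re-joining message lines the CLI wrapped."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"time": m[1], "app": m[2], "event_id": int(m[3]), "message": ""}
            events.append(current)
        elif not line.strip():
            current = None              # a blank line ends the record
        elif current is not None:
            current["message"] += line  # wraps are mid-word: join without a separator
    return events

def msap_creation_failures(text):
    """Return the parsed fields of every SVCMGR #2214 event in the log text."""
    failures = []
    for ev in parse_events(text):
        if (ev["app"], ev["event_id"]) != ("SVCMGR", 2214):
            continue
        m = FAILURE.search(ev["message"])
        if m:
            info = dict(m.groupdict(), time=ev["time"], auth_policy_mismatch=False)
            mm = MISMATCH.search(info["reason"])
            if mm:
                info.update(auth_policy_mismatch=True, group_interface=mm[1], group_if_policy=mm[2])
            failures.append(info)
    return failures
```

Comparing the reported group_if_policy with the authentication-policy configured on the capture SAP named in capture_sap shows which side has to change.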

Enable debug for PPPoE and RADIUS packets for troubleshooting purposes:

debug
    router "management"
        radius
            packet-type authentication accounting coa 
            detail-level medium
        exit
    exit
    service
        id 1
            ppp
                packet
                    mode egr-ingr-and-dropped
                    detail-level medium
                    discovery
                    ppp
                exit
            exit
        exit
        id 2
            ppp
                packet
                    mode egr-ingr-and-dropped
                    detail-level medium
                    discovery
                    ppp
                    dhcp-client
                exit
            exit
        exit
    exit
exit
configure 
    log 
        log-id 1
            from debug-trace
            to session
        exit
    exit
exit

Disconnect/connect user1, then check the RADIUS access request/accept and accounting messages from the debug output.

11 2017/05/19 10:58:55.13 CEST MINOR: DEBUG #2001 management RADIUS
"RADIUS: Transmit
  Access-Request(1) 172.31.117.84:1812 id 202 len 174 vrid 4095 pol authenticat
ion-1
    USER NAME [1] 14 user1@ISP1.com
    NAS IP ADDRESS [4] 4 172.31.117.75
    SERVICE TYPE [6] 4 Framed(2)
    FRAMED PROTOCOL [7] 4 PPP(1)
    CHAP PASSWORD [3] 17 1 0x39721157837095dd2dc4a9351670e543
    CHAP CHALLENGE [60] 39 0x9e0eb2baf4c436f2f9a364ac0eb43cc6446943f5912d2c96570
ffd572732b245416501b5a9b6a8
    VSA [26] 7 DSL(3561)
      AGENT REMOTE ID [2] 5 user1
    NAS PORT TYPE [61] 4 PPPoEoVLAN(33)
    NAS PORT ID [87] 7 1/2/2:1
    NAS IDENTIFIER [32] 5 BNG-1
    VSA [26] 19 Nokia(6527)
      CHADDR [27] 17 00:00:00:01:01:01
"
12 2017/05/19 10:58:55.14 CEST MINOR: DEBUG #2001 management RADIUS
"RADIUS: Receive
  Access-Accept(2) id 202 len 131 from 172.31.117.84:1812 vrid 4095 pol authent
ication-1
    VSA [26] 7 Nokia(6527)
      SUBSC ID STR [11] 5 user1
    VSA [26] 16 Nokia(6527)
      SLA PROF STR [13] 14 sla-profile-2M
    VSA [26] 6 Nokia(6527)
      MSAP SERVICE ID [31] 4 2
    VSA [26] 11 Nokia(6527)
      MSAP POLICY [32] 9 msap-ISP1
    VSA [26] 11 Nokia(6527)
      MSAP INTERFACE [33] 9 grp-int-1
    FRAMED IP ADDRESS [8] 4 10.255.0.1
    VSA [26] 6 Nokia(6527)
      PRIMARY DNS [9] 4 172.31.31.31
    VSA [26] 6 Nokia(6527)
      SECONDARY DNS [10] 4 172.31.31.32
"

The MSAP policies can be checked as follows:

*A:BNG-1# show subscriber-mgmt msap-policy
  
===============================================================================
Managed SAP Policies
===============================================================================
Name                             Num    Description
                                 MSAPs
-------------------------------------------------------------------------------
msap-ISP1                        1      (Not Specified)
msap-default                     0      (Not Specified)
-------------------------------------------------------------------------------
Number of MSAP Policies : 2
Number of MSAPs         : 1
===============================================================================
*A:BNG-1#

The MSAP policy associations can be checked as follows:

*A:BNG-1# show subscriber-mgmt msap-policy "msap-ISP1" association

===============================================================================
MSAP Policy Associations
===============================================================================
Service-Id : 2 (VPRN)
 - SAP : [1/2/2:1]
-------------------------------------------------------------------------------
Number of associated MSAPs: 1
Flags: (I) = Idle MSAP
===============================================================================
*A:BNG-1#

All created MSAPs and their associations with services can be checked as follows:

*A:BNG-1# show service sap-using msap
  
===============================================================================
Service Access Points
===============================================================================
PortId                          SvcId      Ing.  Ing.    Egr.  Egr.   Adm  Opr
                                           QoS   Fltr    QoS   Fltr
-------------------------------------------------------------------------------
[1/2/2:1]                       2          1     none    1     none   Up   Up
-------------------------------------------------------------------------------
Number of SAPs : 1
-------------------------------------------------------------------------------
Number of Managed SAPs : 1, indicated by [<sap-id>]
Flags : (I) = Idle MSAP
-------------------------------------------------------------------------------
===============================================================================
*A:BNG-1#

It is possible to use a tools command to update an existing MSAP when a specific msap-policy has changed.

*A:BNG-1# tools perform subscriber-mgmt eval-msap ?
  - eval-msap { policy <msap-policy-name> | msap <sap-id> }
  
 <msap-policy-name>   : [32 chars max]
 <sap-id>             : dot1q          - <port-id|lag-id>:qtag1
                          qtag1          - [0..4094]
                        qinq           - <port-id|lag-id>:qtag1.qtag2
                          qtag1          - [0..4094]
                          qtag2          - [0..4094]
                        atm            - <port-id>:vpi/vci
                          vpi            - [0..4095] (NNI)
                                           [0..255]  (UNI)
                          vci            - [1..65535]
                        port-id        - slot/mda/port
                        lag-id         - lag-<id>
                          lag            - keyword
                          id             - [1..800]
  
*A:BNG-1#

An MSAP can be deleted as follows:

*A:BNG-1# clear service id 2 msap 1/2/2:1

This event is recorded in log 99 as follows:

*A:BNG-1# show log log-id 99
 
===============================================================================
Event Log 99
===============================================================================
Description : Default System Log
Memory Log contents  [size=500   next event=55  (not wrapped)]
 
54 2017/05/19 11:24:04.29 CEST WARNING: SVCMGR #2501 Base Subscriber deleted
"Subscriber user1 has been removed from the system"
 
53 2017/05/19 11:24:04.03 CEST INDETERMINATE: LOGGER #2010 Base Clear SVCMGR
"Clear function clearSvcIdMsap has been run with parameters: svc-id="2" sap-id="1/2
/2:1".  The completion result is: success.  Additional error text, if any, is: "
 
---snip---
 
*A:BNG-1#

To delete all MSAPs associated with a certain MSAP policy use the following command:

*A:BNG-1# clear service id 2 msap-policy msap-ISP1

This event is recorded in log 99 as follows:

*A:BNG-1# show log log-id 99
 
===============================================================================
Event Log 99
===============================================================================
Description : Default System Log
Memory Log contents  [size=500   next event=74  (not wrapped)]
 
67 2017/05/19 11:29:15.28 CEST WARNING: SVCMGR #2501 Base Subscriber deleted
"Subscriber user1 has been removed from the system"
 
66 2017/05/19 11:29:14.54 CEST INDETERMINATE: LOGGER #2010 Base Clear SVCMGR
"Clear function clearSvcIdMsapPlcy has been run with parameters: svc-id="2" policy
-name="msap-ISP1".  The completion result is: success.  Additional error text, if any,
 is: "
 
65 2017/05/19 11:29:14.54 CEST MINOR: SVCMGR #2213 vprn2 MSAP delete
"Managed SAP, 1/2/2:1 in service 2, has been deleted."
 
---snip---
 
*A:BNG-1#

Conclusion

MSAPs allow dynamic creation of SAPs, which results in:

  • Less provisioning.

  • Less possibility for introducing provisioning errors.

  • Reduced configuration file size.