ESMv6: IPoE Dual Stack Hosts
This chapter describes IPoE dual stack hosts for ESMv6 configurations.
Applicability
This chapter describes ESMv6: IPoE dual stack hosts and is based on SR OS Release 8.0.R4. The CLI is updated to Release 15.0.R1.
This chapter focuses on IPoE IPv6. IPv4 configuration is shown for completeness and is described in more detail in IPv4 DHCP Hosts.
Prerequisites
Configuring IPoE dual stack hosts for ESMv6 depends on the following:
Routed CO (IES/VPRN service) with Enhanced Subscriber Management (ESM)
Routed Gateway (RG) in the home
Overview
This chapter describes the configuration, operation, and troubleshooting of IPoE dual stack hosts in a routed home gateway environment. The focus is on the Enhanced Subscriber Management for IPv6 (ESMv6) part where DHCPv6 is used for IPv6 address assignment. In the Broadband Network Gateway (BNG), authentication, authorization, and IPv6 prefix configuration for an IPoE IPv6 host can be done by a local user database (LUDB) or RADIUS.
IPoE Dual Stack Hosts
An IPoE dual stack subscriber may support both IPv4 and IPv6 simultaneously. The dual stack hosts share a common subscriber identification policy and have a common SLA- and Subscriber-profile.
IPoE IPv4 and IPv6 hosts operate independently because they are set up through different protocols, DHCPv4 and DHCPv6 respectively.
For a stateful IPoE dual stack subscriber, up to three different types of subscriber hosts can be instantiated.
Dual Stack IPoE Routed Gateway
In services supporting dual stack IPoE Routed Gateways, the RG in the home network obtains an IPv4 address through the DHCPv4 protocol and an IPv6 Prefix Delegation (PD) prefix and/or wan-host IPv6 address through the DHCPv6 protocol. The Broadband Network Gateway (BNG) authenticates and authorizes both sessions independently.
In the home network, the dual stack RG performs Network Address Translation (NAT) for IPv4, using the assigned IPv4 address as the outside address. A globally unique IPv6 prefix per subscriber is assigned and delegated by the BNG to the RG for use in the home network. The RG can use Stateless Address Auto Configuration (SLAAC) or DHCPv6 to allocate IPv6 addresses from this so-called Prefix Delegation (PD) prefix to the devices in the home network. The wan-host IPv6 address is used by the RG on the WAN side (network facing). In the case of an unnumbered RG, no wan-host address is obtained.
Recap of the DHCPv6 Protocol
The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) is defined in RFC 3315, Dynamic Host Configuration Protocol for IPv6 (DHCPv6). The protocol enables DHCPv6 servers to pass configuration parameters such as IPv6 network addresses to IPv6 nodes.
DHCPv6 uses the Identity Association (IA) option to assign IPv6 addresses or prefixes. Two different IA types will be used in this section:
Identity Association for Non-temporary Address (IA-NA) defined in RFC 3315. Used for wan-host IPv6 address assignment.
    Option : IA_NA (3), Length : 40
      IAID : 1
      Time1: 1800 seconds
      Time2: 2880 seconds
      Option : IAADDR (5), Length : 24
        Address : 2001:db8:b001:101::1
        Preferred Lifetime : 3600 seconds
        Valid Lifetime : 86400 seconds
Identity Association for Prefix Delegation (IA-PD), defined in RFC 3633. Used for prefix delegation assignment (for an explanation on prefix delegation, see Prefix Delegation).
    Option : IA_PD (25), Length : 41
      IAID : 1
      Time1: 1800 seconds
      Time2: 2880 seconds
      Option : IAPREFIX (26), Length : 25
        Prefix : 2001:db8:a001:103::/56
        Preferred Lifetime : 3600 seconds
        Valid Lifetime : 86400 seconds
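The option lengths shown in the two dumps (40/24 for IA_NA/IAADDR, 41/25 for IA_PD/IAPREFIX) follow from the option layouts in RFC 3315 and RFC 3633. The decoder below is an added example, not part of the original chapter or of SR OS; the function names are hypothetical, and the sample bytes are constructed from the timer and address values on this page, with the delegated prefix taken from the sample RADIUS record later in the chapter.

```python
import ipaddress
import struct

OPT_IA_NA, OPT_IAADDR, OPT_IA_PD, OPT_IAPREFIX = 3, 5, 25, 26


def tlv(code, payload):
    """Encode one DHCPv6 option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(payload)) + payload


def iter_options(buf):
    """Yield (code, payload) pairs; reject truncated or overrunning options."""
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, offset)
        offset += 4
        if length > len(buf) - offset:
            raise ValueError(f"option {code}: length {length} overruns buffer")
        yield code, buf[offset:offset + length]
        offset += length


def parse_identity_associations(buf):
    """Decode IA_NA / IA_PD options and their nested IAADDR / IAPREFIX."""
    ias = []
    for code, payload in iter_options(buf):
        if code not in (OPT_IA_NA, OPT_IA_PD):
            continue
        if len(payload) < 12:
            raise ValueError("IA option too short for IAID/T1/T2")
        iaid, t1, t2 = struct.unpack_from("!III", payload)
        # RFC 3315: an IA with T1 > T2 (both non-zero) is discarded.
        if t1 and t2 and t1 > t2:
            raise ValueError("T1 is greater than T2")
        ia = {"option": code, "length": len(payload), "iaid": iaid,
              "t1": t1, "t2": t2, "bindings": []}
        for sub_code, sub in iter_options(payload[12:]):
            if code == OPT_IA_NA and sub_code == OPT_IAADDR and len(sub) >= 24:
                # IAADDR: 16-byte address, preferred lifetime, valid lifetime
                value = ipaddress.IPv6Address(sub[:16])
                preferred, valid = struct.unpack_from("!II", sub, 16)
            elif code == OPT_IA_PD and sub_code == OPT_IAPREFIX and len(sub) >= 25:
                # IAPREFIX: preferred, valid, prefix length, 16-byte prefix
                preferred, valid, plen = struct.unpack_from("!IIB", sub)
                # Strict parsing: ValueError if bits are set beyond the prefix length.
                value = ipaddress.IPv6Network((sub[9:25], plen))
            else:
                continue
            if preferred > valid:
                raise ValueError("preferred lifetime exceeds valid lifetime")
            ia["bindings"].append({"length": len(sub), "value": str(value),
                                   "preferred": preferred, "valid": valid})
        ias.append(ia)
    return ias


def build_sample():
    """Constructed sample: one IA_NA and one IA_PD using this page's values."""
    addr = ipaddress.IPv6Address("2001:db8:b001:101::1").packed
    prefix = ipaddress.IPv6Network("2001:db8:a001:100::/56").network_address.packed
    ia_na = tlv(OPT_IA_NA, struct.pack("!III", 1, 1800, 2880)
                + tlv(OPT_IAADDR, addr + struct.pack("!II", 3600, 86400)))
    ia_pd = tlv(OPT_IA_PD, struct.pack("!III", 1, 1800, 2880)
                + tlv(OPT_IAPREFIX, struct.pack("!IIB", 3600, 86400, 56) + prefix))
    return ia_na + ia_pd


if __name__ == "__main__":
    for ia in parse_identity_associations(build_sample()):
        print(ia)
```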
The DHCPv6 lease process is outlined in DHCPv6 Lease Process (Part A) and DHCPv6 Lease Process (Part B).
To locate servers, a DHCPv6 client sends a Solicit message to the All DHCPv6 Relay Agents and Servers link-scoped multicast address (FF02::1:2), using its link-local address as source address. The DHCPv6 client includes in the Solicit message its ClientID, Identity Associations (IA) to request IPv6 address or prefix allocation and optionally an Option Request option.
Any on-link DHCPv6 server responds with a unicasted Advertise message using the link local addresses. The server includes in the Advertise message the ClientID, its ServerID, IPv6 addresses and/or prefixes in Identity Associations (IA) and options containing the requested configuration parameters.
The DHCPv6 client selects an Advertise message and sends a Request message to the All DHCPv6 Relay Agents and Servers link-scoped multicast address. It includes its ClientID, the ServerID of the corresponding DHCPv6 server, Identity Associations (IA) to request IPv6 address or prefix allocation and optionally an Option Request option.
Upon receipt of a valid Request message, the DHCPv6 server with corresponding ServerID, sends a unicast Reply message using the link local addresses. The Reply contains the ClientID and ServerID, IPv6 addresses and/or prefixes in Identity Associations (IA) and options containing the requested configuration options.
The DHCPv6 client should perform Duplicate Address Detection (DAD) on the addresses in any IA it received in the REPLY before using that address for traffic.
Upon expiration of the renew timer T1 associated with the Identity Association option, the DHCPv6 client sends a Renew to the All DHCPv6 Relay Agents and Servers link-scoped multicast address to request an extension of the lifetime of an address. It includes its ClientID, the ServerID of the DHCPv6 server that originally provided the address, and Identity Associations (IA) containing the IPv6 address or prefix for which an extension of the lifetime is requested.
Upon expiration of the rebind timer T2 associated with the Identity Association option (no response received to the Renew), the DHCPv6 client sends a Rebind to the All DHCPv6 Relay Agents and Servers link-scoped multicast address to request an extension of the lifetime of an address. It includes its ClientID and Identity Associations (IA) containing the IPv6 address or prefix for which an extension of the lifetime is requested.
If a DHCPv6 client no longer uses one or more of the assigned addresses or prefixes, it sends a Release message to the server that assigned the address or prefix. The server acknowledges with a Reply message and includes a status code (for example, success).
If the DHCPv6 server sends a Server Unicast Option, then the DHCPv6 client should unicast the Request, Renew, Release, and Decline messages to the server using the IPv6 address specified in the option. The 7750 SR DHCPv6 proxy server does not include the Server Unicast Option.
The DHCPv6 client should perform Duplicate Address Detection (DAD) on each of the addresses assigned through DHCPv6, before using that address for traffic. The DHCPv6 client uses Neighbor Solicitation for this purpose as described in RFC 4862, IPv6 Stateless Address AutoConfiguration.
Unlike DHCPv4, DHCPv6 does not provide a default route. In IPv6, default routes are learned via Router Advertisements (see Enable Router Advertisements).
Prefix Delegation
Prefix Delegation (PD) is a mechanism for automated delegation of IPv6 prefixes using DHCPv6. A delegating router delegates a long-lived IPv6 prefix to a requesting router. The delegating router does not require knowledge about the topology of the links in the network to which the prefixes will be assigned.
In the context of ESM IPv6, the BNG is the delegating router (DHCPv6 server) and the Routed Gateway in the home is the requesting router (DHCPv6 client). The DHCPv6 option Identity Association for Prefix Delegation (IA-PD) (Prefix Delegation) is used to assign the IPv6 prefix.
Note that the mechanism through which a requesting router (routed gateway) assigns IPv6 addresses on its interfaces (home network) is arbitrary and can be based upon SLAAC (as shown in Prefix Delegation) or DHCPv6.
Configuration
ESMv6 for IPoE is applicable in a Routed CO environment. The following two scenarios show a minimal configuration to enable dual stack subscribers in a VPRN service context where the ESM IPv6 specific parts are highlighted. No subscriber QoS policies are defined because this is out of the scope for this chapter.
Scenario 1 - RADIUS
RADIUS is used for authentication and authorization (later referenced as RADIUS), and is configured as follows:
configure
router
radius-server
server "radius-172.16.1.2" address 172.16.1.2 secret vsecret1 create
accept-coa
exit
exit
exit
exit
configure
aaa
radius-server-policy "rsp-1" create
servers
router "Base"
source-address 192.0.2.1
server 1 name "radius-172.16.1.2"
exit
exit
exit
exit
configure
subscriber-mgmt
authentication-policy "auth-1" create
description "RADIUS authentication policy"
pppoe-access-method pap-chap
radius-server-policy "rsp-1"
password letmein
exit
exit
exit
The subscriber management profiles used in this chapter are defined as follows:
configure
subscriber-mgmt
sla-profile "sla-profile-1" create
exit
sub-profile "sub-profile-1" create
exit
sub-ident-policy "sub-ident-1" create
sub-profile-map
use-direct-map-as-default
exit
sla-profile-map
use-direct-map-as-default
exit
strings-from-option 254
exit
exit
exit
Service VPRN-1 is defined as follows:
configure
service
vprn 1 customer 1 create
dhcp
local-dhcp-server "dhcp-s1" create
use-gi-address
pool "pool-1" create
subnet 10.1.0.0/16 create
options
subnet-mask 255.255.0.0
default-router 10.1.255.254
exit
address-range 10.1.0.1 10.1.0.255
exit
exit
no shutdown
exit
exit
---snip---
interface "system" create
address 192.0.2.1/32
local-dhcp-server "dhcp-s1"
loopback
exit
subscriber-interface "sub-int-1" create
address 10.1.255.254/16
dhcp
gi-address 10.1.255.254
exit
ipv6
delegated-prefix-len 56
subscriber-prefixes
prefix 2001:db8:a001::/48 pd
prefix 2001:db8:b001:100::/56 wan-host
exit
exit
group-interface "grp-int-1" create
description "radius authentication and authorization"
ipv6
router-advertisements
managed-configuration
no shutdown
exit
dhcp6
proxy-server
no shutdown
exit
exit
exit
dhcp
proxy-server
emulated-server 10.1.255.254
no shutdown
exit
server 192.0.2.1
trusted
lease-populate 10
no shutdown
exit
authentication-policy "auth-1"
sap 1/1/1:1 create
sub-sla-mgmt
sub-ident-policy "sub-ident-1"
multi-sub-sap 10
no shutdown
exit
exit
exit
---snip---
exit
service-name "dual-stack-service"
no shutdown
exit
exit
exit
Scenario 2 - LUDB
The Local User Database used for authentication and authorization (later referenced as LUDB) is defined as follows:
configure
subscriber-mgmt
local-user-db ludb-1 create
ipoe
match-list mac
host "host-3" create
host-identification
mac 00:0c:29:00:00:23
exit
address gi-address
identification-strings 254 create
subscriber-id "sub-3"
sla-profile-string "sla-profile-1"
sub-profile-string "sub-profile-1"
exit
options
subnet-mask 255.255.0.0
default-router 10.1.255.254
exit
ipv6-address 2001:db8:b001:103::3
ipv6-delegated-prefix 2001:db8:a001:300::/56
ipv6-delegated-prefix-len 56
options6
dns-server 2001:db8:dddd:1::1 2001:db8:dddd:2::1
exit
no shutdown
exit
---snip---
exit
no shutdown
exit
exit
exit
Service VPRN-1 is extended as follows:
configure
service
vprn 1 customer 1 create
---snip---
subscriber-interface "sub-int-1" create
address 10.1.255.254/16
dhcp
gi-address 10.1.255.254
exit
ipv6
delegated-prefix-len 56
subscriber-prefixes
prefix 2001:db8:a001::/48 pd
prefix 2001:db8:b001:100::/56 wan-host
exit
exit
group-interface "grp-int-2" create
description "ludb authentication and authorization"
ipv6
router-advertisements
prefix-options
autonomous
exit
no shutdown
exit
dhcp6
user-db "ludb-1"
proxy-server
client-applications ipoe
no shutdown
exit
exit
exit
dhcp
proxy-server
emulated-server 10.1.255.254
no shutdown
exit
server 192.0.2.1
trusted
lease-populate 10
user-db "ludb-1"
no shutdown
exit
sap 1/1/1:2 create
sub-sla-mgmt
def-sub-profile "sub-profile-1"
def-sla-profile "sla-profile-1"
sub-ident-policy "sub-ident-1"
multi-sub-sap 10
no shutdown
exit
exit
exit
exit
service-name "dual-stack-service"
no shutdown
exit
exit
exit
Configuring IPv6 Subscriber Prefixes
Applies to both scenarios RADIUS and LUDB.
IPv6 subscriber prefixes must be defined in the subscriber-interface>ipv6>subscriber-prefixes context. Three types of prefixes can be configured:
wan-host — Prefix from which the IPv6 addresses are assigned that are to be used on the Routed Gateway WAN interface (network facing).
pd — Prefix from which the IPv6 Prefix Delegation prefixes are assigned that are to be used by the Routed Gateway for allocation in the home network (LAN interfaces).
pd wan-host (both) — Prefix from which both IPv6 addresses (wan-host) and IPv6 Prefix Delegation prefixes (pd) can be assigned. This requires that the delegated prefix length is set to 64 bits.
A subscriber prefix length must be between /32 and /63.
Subscriber prefixes are subnetted in fixed length subnets that are assigned to subscriber hosts:
/64 for wan-host subscriber prefixes
A /128 IPv6 address is assigned to the subscriber host. Broadband Forum standards require a /64 prefix per subscriber even when used for WAN interfaces and thus the full /64 subnet gets associated with the subscriber host [ref. WT-177 - IPv6 in the context of TR-101]. Two subscriber hosts cannot get an IPv6 address from the same /64 subnet.
/delegated-prefix-len (/48..64) for pd subscriber prefixes
The delegated prefix length is configured in the subscriber-interface>ipv6 context. The recommended value by Broadband Forum standards is /56 (default = /64) [ref. WT-177 - IPv6 in the context of TR-101]. The configured length applies to all pd subscriber prefixes on a subscriber-interface.
Applicable Subscriber-Prefix Parameters provides an overview of the subscriber-prefix parameters that apply:
| Subscriber prefix type | Subscriber prefix length | DHCPv6 option | Must be subnetted as |
|---|---|---|---|
| wan-host | /32..63 | IA-NA | /64 (assigned as /128) |
| pd | /32..63 (*) | IA-PD | /delegated-prefix-len |
(*) must be smaller than configured delegated prefix length
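The subscriber-prefix rules in this section can be checked offline against the addresses and prefixes that RADIUS or the LUDB will hand out. The following is an added example, not part of the original chapter or of SR OS: the function names and finding codes are hypothetical, the prefix and host values are the ones used in this chapter, and the "sub-x" host is constructed to trigger two findings.

```python
import ipaddress

# Values taken from this chapter's configuration and sample host records.
PAGE_DELEGATED_PREFIX_LEN = 56
PAGE_PREFIXES = [
    ("2001:db8:a001::/48", ("pd",)),
    ("2001:db8:b001:100::/56", ("wan-host",)),
]
PAGE_HOSTS = [  # (subscriber, wan-host address, delegated prefix)
    ("sub-1", "2001:db8:b001:101::1", "2001:db8:a001:100::/56"),
    ("sub-3", "2001:db8:b001:103::3", "2001:db8:a001:300::/56"),
]
# Constructed: shares a /64 with sub-1 and carries a /60 instead of a /56.
CONSTRUCTED_BAD_HOST = ("sub-x", "2001:db8:b001:101::2", "2001:db8:a001:400::/60")


def check_prefix_plan(subscriber_prefixes, delegated_prefix_len):
    """Check the subscriber-prefixes configuration against the stated rules."""
    findings = []
    if not 48 <= delegated_prefix_len <= 64:
        findings.append(("delegated-prefix-len", "out-of-range"))
    for cidr, types in subscriber_prefixes:
        net = ipaddress.IPv6Network(cidr)
        # A subscriber prefix length must be between /32 and /63.
        if not 32 <= net.prefixlen <= 63:
            findings.append((cidr, "subscriber-prefix-length"))
        # (*) a pd prefix must be shorter than the delegated prefix length.
        if "pd" in types and net.prefixlen >= delegated_prefix_len:
            findings.append((cidr, "pd-not-shorter-than-delegated-len"))
        # pd wan-host (both) requires a delegated prefix length of 64.
        if {"pd", "wan-host"} <= set(types) and delegated_prefix_len != 64:
            findings.append((cidr, "pd-wan-host-needs-64"))
    return findings


def check_host_assignments(subscriber_prefixes, delegated_prefix_len, hosts):
    """Check per-host addresses and prefixes against the configured plan."""
    nets = [(ipaddress.IPv6Network(c), set(t)) for c, t in subscriber_prefixes]
    wan_nets = [n for n, t in nets if "wan-host" in t]
    pd_nets = [n for n, t in nets if "pd" in t]
    owner_of_64 = {}
    findings = []
    for name, wan_addr, pd_prefix in hosts:
        if wan_addr is not None:
            addr = ipaddress.IPv6Address(wan_addr)
            if not any(addr in n for n in wan_nets):
                findings.append((name, "wan-outside-subscriber-prefix"))
            # The full /64 belongs to one subscriber host.
            slash64 = ipaddress.IPv6Network((addr, 64), strict=False)
            owner = owner_of_64.setdefault(slash64, name)
            if owner != name:
                findings.append((name, "wan-64-shared-with-" + owner))
        if pd_prefix is not None:
            pd = ipaddress.IPv6Network(pd_prefix)
            if pd.prefixlen != delegated_prefix_len:
                findings.append((name, "pd-length-mismatch"))
            if not any(pd.subnet_of(n) for n in pd_nets):
                findings.append((name, "pd-outside-subscriber-prefix"))
    return findings


if __name__ == "__main__":
    print(check_prefix_plan(PAGE_PREFIXES, PAGE_DELEGATED_PREFIX_LEN))
    print(check_host_assignments(PAGE_PREFIXES, PAGE_DELEGATED_PREFIX_LEN,
                                 PAGE_HOSTS + [CONSTRUCTED_BAD_HOST]))
```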
Enable DHCPv6 Proxy Server
Applies to RADIUS and LUDB scenarios.
An IPv6 IPoE subscriber host initiates a DHCPv6 session to request its configuration data (IPv6 addresses and/or IPv6 PD prefixes, DNS servers). Upon receipt of a DHCPv6 Solicit message, the BNG authenticates the IPv6 subscriber host and obtains its configuration information from a RADIUS server or local user database. A DHCPv6 proxy server in the BNG maintains the DHCPv6 session with the IPv6 IPoE subscriber host.
The DHCPv6 proxy server must be enabled in the subscriber-interface>group-interface>ipv6>dhcp6>proxy-server context. The default is shutdown.
configure
service
vprn 1 customer 1 create
subscriber-interface "sub-int-1"
group-interface "grp-int-1"
ipv6
dhcp6
proxy-server
server-id duid-ll
renew-timer min 30
rebind-timer min 48
valid-lifetime days 1
preferred-lifetime hrs 1
client-applications dhcp
no shutdown
exit
exit
exit
exit
exit
exit
exit
exit
When enabled, the DHCPv6 proxy server by default allows IPv6 IPoE hosts to authenticate (configured with client-applications dhcp). Additionally, you can enable support for IPv6 PPPoE hosts. See ESMv6: PPPoE Dual Stack Hosts.
A number of timers associated with IPv6 addresses and IPv6 prefixes within DHCPv6 Identity Associations can be configured in the DHCPv6 proxy server.
RFC 4862 defines two timers associated with graceful degradation of address bindings:
Preferred lifetime — The length of time that a valid address is preferred (the time until deprecation). When the preferred lifetime expires, the address becomes deprecated and its use should be discouraged for new sessions.
Valid lifetime — The length of time an address remains in the valid state (the time until invalidation). The valid lifetime must be greater than or equal to the preferred lifetime. When the valid lifetime expires, the address becomes invalid.
RFC 3315, DHCPv6, defines two timers associated with an Identity Association (IA) option that give the servers explicit control over when a client recontacts the server about a specific IA:
T1 (renew) — The time at which the client contacts the server from which the addresses/prefix in the IA were obtained to extend the lifetimes of the addresses/prefix assigned to the IA.
T2 (rebind) — The time at which the client contacts any available server to extend the lifetimes of the addresses/prefixes assigned to the IA.
These timers are common for all DHCPv6 sessions in a group-interface and cannot be configured from RADIUS or local user database.
When violating the following rule, the default timers will be used:
| Timer | Use | Default | Range |
|---|---|---|---|
| T1 | Renew timer | 1800s (30 min) | 0..604800s (7 days) |
| T2 | Rebind timer | 2880s (48 min) | 0..1209600s (14 days) |
| preferred-lifetime | | 3600s (1hr) | 300..4294967295s |
| valid-lifetime | DHCPv6 lease time | 86400s (24 hrs) | 300..4294967295s |
If the DHCPv6 lease is not renewed by the client before the DHCPv6 lease timer expires, then the subscriber host is deleted from the system. In other words, beyond the valid lifetime, subscriber traffic from/to the associated IPv6 addresses is dropped.
Enable Router Advertisements
Applies to both scenarios RADIUS and LUDB.
In IPv6, default routes are automatically installed via the router discovery mechanism. Unsolicited Router Advertisements (RA) must explicitly be enabled on a group interface. The default is shutdown.
configure
service
vprn 1 customer 1 create
subscriber-interface "sub-int-1"
group-interface "grp-int-1"
ipv6
router-advertisements
managed-configuration
no shutdown
exit
exit
exit
exit
exit
exit
exit
The managed-configuration flag is set for consistency only. It tells the hosts that addresses can be requested using DHCPv6. However, as described in the Security section later (see Security), the host cannot rely on this flag because DHCPv6 must be initiated by the host before the BNG sends RAs.
Additional parameters that can be configured with respect to the router advertisements (defaults are shown):
configure
service
vprn 1 customer 1 create
subscriber-interface "sub-int-1"
group-interface "grp-int-1"
ipv6
router-advertisements
shutdown
current-hop-limit 64
dns-options
no include-dns
rdnss-lifetime 3600
exit
no force-mcast
no managed-configuration
max-advertisement 1800
min-advertisement 900
no mtu
no other-stateful-configuration
prefix-options
no autonomous
on-link
preferred-lifetime 3600
valid-lifetime 86400
exit
reachable-time 0
retransmit-time 0
router-lifetime 4500
exit
exit
exit
exit
exit
exit
exit
| Parameter | Description (RFC 4861, Neighbor Discovery for IP version 6 (IPv6)) | Value Range (default) |
|---|---|---|
| current-hop-limit | The default value that should be placed in the Hop Count field of the IP header for outgoing IP packets. A value of zero means unspecified (by this router); the RG picks its own value. | 0..255 (64) |
| dns-options: include-dns | Indication to include the Recursive DNS Server (RDNSS) option as defined in RFC 6106 in IPv6 RAs for DNS name resolution of IPv6 SLAAC hosts | (no) |
| dns-options: rdnss-lifetime | Indicates the maximum time that the RDNSS address may be used for name resolution | 3600 (s) |
| force-mcast | Configures multicast router advertisements on this interface, either IP or MAC | (no) |
| managed-configuration | Managed address configuration flag. When set, it indicates that addresses are available through DHCPv6 | (no) |
| max-advertisement | Unsolicited Router Advertisements are not strictly periodic: the interval between subsequent transmissions is randomized to reduce the probability of synchronization with the advertisements from other routers on the same link. Whenever a multicast advertisement is sent from an interface, the timer is reset to a uniformly distributed random value between the interface's configured MinRtrAdvInterval and MaxRtrAdvInterval. | 900..1800 s (1800) |
| min-advertisement | | 900..1350 s (900) |
| mtu | Routers can advertise an MTU for hosts to use on the link. | 1280..9212 bytes (no) |
| other-stateful-configuration (not applicable for IPoE) | Other configuration flag. When set, it indicates that other configuration information is available through DHCPv6. (DNS). Can be ignored if managed address configuration flag is enabled | (no) |
| prefix-options: autonomous (not applicable for IPoE) | Autonomous address-configuration flag. When set indicates that this prefix can be used for stateless address autoconfiguration (SLAAC) | (no) |
| prefix-options: on-link | Indicates whether the prefix will be assigned to an interface on the specified link | (no) |
| prefix-options: preferred-lifetime (not applicable for IPoE) | The length of time in seconds that addresses generated from the prefix via stateless address autoconfiguration (SLAAC) remain preferred | 0..4294967295 (3600) |
| prefix-options: valid-lifetime (not applicable for IPoE) | The length of time in seconds that the prefix is valid for the purpose of on-link determination. (also used by SLAAC) | 0..4294967295 (86400) |
| reachable-time | The time that a node assumes a neighbor is reachable after having received a reachability confirmation. Used by the Neighbor Unreachability Detection algorithm. A value of zero means unspecified (by this router); the RG picks its own value. | 0..3600000 ms (0) |
| retransmit-time | The time between retransmitted Neighbor Solicitation messages. Used by address resolution and the Neighbor Unreachability Detection algorithm. A value of zero means unspecified (by this router); the RG picks its own value. | 0..1800000 ms (0) |
| router-lifetime | The lifetime associated with the default router in units of seconds. | 2700..9000 s (4500) |
RADIUS Authentication and Authorization
Applies to the RADIUS scenario only.
The RADIUS authentication and authorization configuration for an IPoE IPv6 subscriber host is no different from that for an IPv4 subscriber host:
configure
router
radius-server
server "radius-172.16.1.2" address 172.16.1.2 secret vsecret1 create
accept-coa
exit
exit
exit
exit
configure
aaa
radius-server-policy "rsp-1" create
servers
router "Base"
source-address 192.0.2.1
server 1 name "radius-172.16.1.2"
exit
exit
exit
exit
configure
subscriber-mgmt
authentication-policy "auth-1" create
description "RADIUS authentication policy"
pppoe-access-method pap-chap
radius-server-policy "rsp-1"
password letmein
exit
exit
exit
Additional RADIUS AVPs that are applicable to IPoE IPv6 subscriber hosts are listed in RADIUS AVPs.
| RADIUS AVP | Type | Purpose |
|---|---|---|
| Alc-IPv6-Address [26-6527-99] | ipv6addr | maps to IA_NA of DHCPv6 (RG WAN interface address) |
| Alc-Ipv6-Primary-Dns [26-6527-105] | ipv6addr | maps to DNS Recursive Name Server option (RFC 3646, DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6)) in DHCPv6 |
| Alc-Ipv6-Secondary-Dns [26-6527-106] | ipv6addr | maps to DNS Recursive Name Server option (RFC 3646) in DHCPv6 |
| Delegated-IPv6-Prefix [123] | ipv6prefix | maps to IA_PD for prefix delegation (RFC 3633, IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6) in DHCPv6 |
A sample FreeRADIUS users record to authenticate a dual stack IPoE subscriber:
00:0c:29:00:00:21    Cleartext-Password := "letmein"
        Alc-Subsc-ID-Str = "sub-1",
        Alc-Subsc-Prof-Str = "sub-profile-1",
        Alc-SLA-Prof-Str = "sla-profile-1",
        Framed-IP-Address = 10.1.0.1,
        Framed-IP-Netmask = 255.255.0.0,
        Framed-Route = "172.16.11.0/24 0.0.0.0",
        Alc-Ipv6-Address = 2001:db8:b001:101::1,
        Delegated-IPv6-Prefix = 2001:db8:a001:100::/56,
        Alc-Ipv6-Primary-Dns = 2001:db8:dddd:1::1,
        Alc-Ipv6-Secondary-Dns = 2001:db8:dddd:2::1
FreeRADIUS Server 2.0.0 and greater has full support for both IPv6 attributes and IPv6 network packets.
The IPv6 address/prefix related timers can be configured in the dhcp6>proxy-server context (see Enable DHCPv6 Proxy Server).
Local User Database Authentication and Authorization
Applies to the LUDB scenario only.
The configuration example below focuses on the IPv6 host configuration. The details for local user database host matching and IPv4 host specific parameters are out of scope for this section.
configure
subscriber-mgmt
local-user-db "ludb-1" create
dhcp
match-list mac
host "host-1" create
host-identification
mac 00:0c:29:00:00:23
exit
address gi-address # IPv4 host
identification-strings 254 create
subscriber-id "sub-3"
sla-profile-string "sla-profile-1"
sub-profile-string "sub-profile-1"
exit
options
subnet-mask 255.255.0.0 # IPv4 host
default-router 10.1.255.254 # IPv4 host
exit
ipv6-address 2001:db8:b001:103::3 # IPv6 host
ipv6-delegated-prefix 2001:db8:a001:300::/56 # IPv6 host
options6
dns-server 2001:db8:dddd:1::1 2001:db8:dddd:2::1
exit
no shutdown
exit
exit
no shutdown
exit
exit
exit
configure
service
vprn 1 customer 1 create
subscriber-interface "sub-int-1" create
group-interface "grp-int-2" create
description "ludb authentication and authorization"
ipv6
---snip---
dhcp6
user-db "ludb-1"
proxy-server
client-applications dhcp
no shutdown
exit
exit
exit
dhcp
---snip---
server 192.0.2.1
trusted
lease-populate 10
user-db "ludb-1"
no shutdown
exit
exit
exit
exit
exit
exit
Besides the identification strings that are common to the IPv4 and IPv6 hosts, specific IPv6 host related parameters can be configured:
| local-user-db CLI parameter | Purpose |
|---|---|
| ipv6-address | Maps to IA_NA of DHCPv6 (RG WAN interface address) |
| ipv6-prefix | Maps to IA_PD for prefix delegation (RFC 3633) in DHCPv6 |
| options6: dns-server | Defines the IPv6 DNS server address to be used for name resolution |
The IPv6 address/prefix related timers can be configured in the dhcp6>proxy-server context (see Enable DHCPv6 Proxy Server).
DHCP and DHCP6 Lease State
Applies to both scenarios RADIUS and LUDB.
The DHCP lease state is an internal database structure that keeps track of the DHCP host states. The DHCP lease state enables subscriber management functions (for example, per subscriber QoS and accounting) and security functions (for example, dynamic anti-spoof filtering) on the DHCP host.
The DHCP lease information for a specific host is extracted from the DHCPv4 ack message in case of DHCPv4 and from the DHCPv6 reply message in case of DHCPv6.
Typical information stored in the DHCP lease state includes (partial table; additional data can be stored for managed SAPs, wholesale-retail).
| Parameter | Comment |
|---|---|
| Service ID | Service where the DHCP host is connected. |
| IP Address | IPv4 or IPv6 address of the DHCP host. |
| Client HW Address | Ethernet MAC address of the DHCP host. |
| Subscriber-interface (Routed CO only) | Subscriber interface name where the DHCP host is instantiated. |
| Group-interface (Routed CO only) | Group interface name where the DHCP host is instantiated. |
| SAP | SAP where the DHCP host is connected. |
| Remaining Lifetime | The remaining time before the DHCP host is deleted from the system (updated each time a DHCP renew/rebind occurs). |
| Persistence Key | Lookup key for this host in the persistency file. |
| Sub-Ident | ESM: Subscriber ID of the DHCP host. |
| Sub-Profile-String | ESM: Subscriber profile string of the DHCP host. |
| SLA-Profile-String | ESM: SLA profile string of the DHCP host. |
| App-Profile-String | ESM: Application profile string of the DHCP host. |
| Lease ANCP-String | ESM: ANCP string for this DHCP host. |
| Lease Int Dest Id | ESM: Internal destination ID for this DHCP host. |
| Category-Map-Name | ESM: Volume and Time based accounting. |
| Dhcp6 ClientId (DUID) | DHCPv6 client unique identifier. |
| Dhcp6 IAID | Identity Association ID chosen by the client. |
| Dhcp6 IAID Type | Identity Association type: prefix (PD) or non-temporary (wan-host). |
| Dhcp6 Client Ip | Link local IPv6 address of the host. |
| Sub-Ident origin | ESM: Origin for the Subscriber ID for this host (None, DHCP, RADIUS). |
| Strings origin | ESM: Origin for the ESM strings for this host (None, DHCP, RADIUS). |
| Lease Info origin | ESM: Origin for the IP configuration for this host (None, DHCP, RADIUS). |
| Ip-Netmask | The IP netmask for this DHCP host. |
| Broadcast-Ip-Addr | The broadcast IP address for this host. |
| Default-Router | The default gateway for this host. |
| Primary-Dns | The primary DNS server for this host. |
| Secondary-Dns | The secondary DNS server for this host. |
| Primary-Nbns | The primary NetBIOS name server for this host. |
| Secondary-Nbns | The secondary NetBIOS name server for this host. |
| ServerLeaseStart | Time and date that the lease for this host started (first DHCP ack received). |
| ServerLastRenew | Time and date that the lease for this host was last renewed. |
| ServerLeaseEnd | Time and date that the lease for this host will expire. |
| Session-Timeout | Lease time specified by the DHCP server. |
| DHCP Server Addr | IP address of the DHCP server that allocated the lease for this host. |
| Circuit Id | DHCP Relay Agent information option 82 Circuit ID content. |
| Remote Id | DHCP Relay Agent information option 82 Remote ID content. |
| RADIUS User-Name | ESM: Username used in the RADIUS authentication access request. |
DHCPv4 lease state population is enabled by default on a group-interface with DHCP configured as no shutdown. The number of DHCPv4 leases allowed on each SAP of the group-interface must be configured with the lease-populate option (by default a single DHCPv4 host is allowed on each SAP of the group-interface).
DHCPv6 lease state population is enabled by default on a group-interface with DHCP6 proxy-server configured as no shutdown. The number of DHCPv6 leases (hosts) cannot be limited per group-interface.
configure
service
vprn 1 customer 1 create
subscriber-interface "sub-int-1" create
group-interface "grp-int-1" create
description "radius authentication and authorization"
ipv6
dhcp6
proxy-server
no shutdown
exit
exit
exit
dhcp
proxy-server
emulated-server 10.1.255.254
no shutdown
exit
server 192.0.2.1
trusted
lease-populate 10
no shutdown
exit
exit
exit
exit
exit
exit
To check the DHCPv4 or DHCPv6 lease state for a particular service, use the following commands (detailed output as well as additional output filtering is available):
*A:BNG# show service id 1 dhcp | dhcp6 lease-state ?
- lease-state [wholesaler <service-id>] [sap <sap-id>|sdp <sdp-id:vc-id>|
interface <interface-name>|ip-address <ip-address[/mask]>|chaddr
<ieee-address>|mac <ieee-address>|{[port <port-id>][no-inter-dest-id |
inter-dest-id <inter-dest-id>]}] [session {none|ipoe}] [detail]
*A:BNG# show service id 1 dhcp lease-state detail
===============================================================================
DHCP lease states for service 1
===============================================================================
Service ID : 1
IP Address : 10.1.0.1
Client HW Address : 00:0c:29:00:00:21
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
SAP : 1/1/1:1
Termination Type : local
Up Time : 0d 00:58:34
Remaining Lease Time : 6d 23:01:26
Remaining SessionTime: N/A
Persistence Key : 0x00000000
Sub-Ident : "sub-1"
Sub-Profile-String : "sub-profile-1"
SLA-Profile-String : "sla-profile-1"
App-Profile-String : ""
Lease ANCP-String : ""
Lease Int Dest Id : ""
Category-Map-Name : ""
Lease Info origin : Radius
Ip-Netmask : 255.255.0.0
Broadcast-Ip-Addr : 10.1.255.255
Default-Router : N/A
Primary-Dns : N/A
Secondary-Dns : N/A
Primary-Nbns : N/A
Secondary-Nbns : N/A
ServerLeaseStart : 04/20/2017 13:01:09
ServerLastRenew : 04/20/2017 13:01:09
ServerLeaseEnd : 04/27/2017 13:01:09
Session-Timeout : N/A
IPoE|PPP session : No
Lease-Time : 7d 00:00:00
DHCP Server Addr : N/A
Radius User-Name : "00:0c:29:00:00:21"
-------------------------------------------------------------------------------
Number of lease states : 1
===============================================================================
*A:BNG#
*A:BNG# show service id 1 dhcp6 lease-state detail
===============================================================================
DHCP lease states for service 1
===============================================================================
Service ID : 1
IP Address : 2001:db8:a001:100::/56
Client HW Address : 00:0c:29:00:00:21
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
SAP : 1/1/1:1
Termination Type : local
Up Time : 0d 00:55:11
Remaining Lease Time : 0d 23:34:49
Remaining SessionTime: N/A
Persistence Key : 0x0000000b
Sub-Ident : "sub-1"
Sub-Profile-String : "sub-profile-1"
SLA-Profile-String : "sla-profile-1"
App-Profile-String : ""
Lease ANCP-String : ""
Lease Int Dest Id : ""
Category-Map-Name : ""
Dhcp6 ClientId (DUID): 00010001208a25ac000c29000021
Dhcp6 IAID : 1
Dhcp6 IAID Type : prefix
Dhcp6 Client Ip : fe80::20c:29ff:fe00:21
Primary-Dns : 2001:db8:dddd:1::1
Secondary-Dns : 2001:db8:dddd:2::1
Pool Name : ""
Dhcp6 Server Addr : N/A
Dhcp6 ServerId (DUID): N/A
Dhcp6 InterfaceId : N/A
Dhcp6 RemoteId : N/A
Radius sub-if prefix : N/A
Router adv. policy : N/A
Lease Info origin : Radius
ServerLeaseStart : 04/20/2017 13:06:36
ServerLastRenew : 04/20/2017 13:36:36
ServerLeaseEnd : 04/21/2017 13:36:36
Session-Timeout : N/A
IPoE|PPP session : No
Radius User-Name : "00:0c:29:00:00:21"
-------------------------------------------------------------------------------
Service ID : 1
IP Address : 2001:db8:b001:101::1/128
Client HW Address : 00:0c:29:00:00:21
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
SAP : 1/1/1:1
Termination Type : local
Up Time : 0d 00:55:11
Remaining Lease Time : 0d 23:34:49
Remaining SessionTime: N/A
Persistence Key : 0x0000000a
Sub-Ident : "sub-1"
Sub-Profile-String : "sub-profile-1"
SLA-Profile-String : "sla-profile-1"
App-Profile-String : ""
Lease ANCP-String : ""
Lease Int Dest Id : ""
Category-Map-Name : ""
Dhcp6 ClientId (DUID): 00010001208a25ac000c29000021
Dhcp6 IAID : 2
Dhcp6 IAID Type : non-temporary
Dhcp6 Client Ip : fe80::20c:29ff:fe00:21
Primary-Dns : 2001:db8:dddd:1::1
Secondary-Dns : 2001:db8:dddd:2::1
Pool Name : ""
Dhcp6 Server Addr : N/A
Dhcp6 ServerId (DUID): N/A
Dhcp6 InterfaceId : N/A
Dhcp6 RemoteId : N/A
Radius sub-if prefix : N/A
Router adv. policy : N/A
Lease Info origin : Radius
ServerLeaseStart : 04/20/2017 13:06:36
ServerLastRenew : 04/20/2017 13:36:36
ServerLeaseEnd : 04/21/2017 13:36:36
Session-Timeout : N/A
IPoE|PPP session : No
Radius User-Name : "00:0c:29:00:00:21"
-------------------------------------------------------------------------------
Number of lease states : 2
===============================================================================
*A:BNG#
Operation
An IPoE dual stack subscriber in a numbered Routed Gateway scenario consumes three subscriber host entries:
IPv4 host — DHCPv4 session based
IPv6 wan-host — DHCPv6 session based
IPv6 Prefix Delegation host — DHCPv6 session based
*A:BNG# show service active-subscribers
===============================================================================
Active Subscribers
===============================================================================
-------------------------------------------------------------------------------
Subscriber sub-1 (sub-profile-1)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:1/1/1:1 - sla:sla-profile-1
-------------------------------------------------------------------------------
IP Address
MAC Address Session Origin Svc Fwd
-------------------------------------------------------------------------------
10.1.0.1
00:0c:29:00:00:21 N/A DHCP 1 Y
2001:db8:a001:100::/56
00:0c:29:00:00:21 N/A DHCP6 1 Y
2001:db8:b001:101::1/128
00:0c:29:00:00:21 N/A DHCP6 1 Y
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Subscriber sub-3 (sub-profile-1)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
(1) SLA Profile Instance sap:1/1/1:2 - sla:sla-profile-1
-------------------------------------------------------------------------------
IP Address
MAC Address Session Origin Svc Fwd
-------------------------------------------------------------------------------
10.1.0.8
00:0c:29:00:00:23 N/A DHCP 1 Y
2001:db8:a001:300::/56
00:0c:29:00:00:23 N/A DHCP6 1 Y
2001:db8:b001:103::3/128
00:0c:29:00:00:23 N/A DHCP6 1 Y
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Number of active subscribers : 2
===============================================================================
*A:BNG#
The optional hierarchy parameter for the active-subscribers display provides a top-down overview of each subscriber:
*A:BNG# show service active-subscribers hierarchy
===============================================================================
Active Subscribers Hierarchy
===============================================================================
-- sub-1 (sub-profile-1)
|
+-- sap:1/1/1:1 - sla:sla-profile-1
|
|-- 10.1.0.1 - mac:00:0c:29:00:00:21 - DHCP - svc:1
|
|-- 2001:db8:a001:100::/56 - mac:00:0c:29:00:00:21 - DHCP6 - svc:1
|
+-- 2001:db8:b001:101::1/128 - mac:00:0c:29:00:00:21 - DHCP6 - svc:1
-- sub-3 (sub-profile-1)
|
+-- sap:1/1/1:2 - sla:sla-profile-1
|
|-- 10.1.0.8 - mac:00:0c:29:00:00:23 - DHCP - svc:1
|
|-- 2001:db8:a001:300::/56 - mac:00:0c:29:00:00:23 - DHCP6 - svc:1
|
+-- 2001:db8:b001:103::3/128 - mac:00:0c:29:00:00:23 - DHCP6 - svc:1
-------------------------------------------------------------------------------
Number of active subscribers : 2
Flags: (N) = the host or the managed route is in non-forwarding state
===============================================================================
*A:BNG#
The total number (sum) of IPv4 and IPv6 hosts per subscriber can be limited in the corresponding sla-profile with the host-limits parameter:
configure
    subscr-mgmt
        sla-profile "sla-profile-1" create
            host-limits
                overall 3
            exit
        exit
    exit
exit
To display the IPv4/IPv6 routing table for dual stack hosts:
*A:BNG# show router 1 route-table ipv4 protocol sub-mgmt
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
10.1.0.1/32 Remote Sub Mgmt 01h05m03s 0
[grp-int-1] 0
10.1.0.8/32 Remote Sub Mgmt 00h00m49s 0
[grp-int-2] 0
-------------------------------------------------------------------------------
No. of Routes: 2
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
===============================================================================
*A:BNG#
*A:BNG# show router 1 route-table ipv6 protocol sub-mgmt
===============================================================================
IPv6 Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags] Type Proto Age Pref
Next Hop[Interface Name] Metric
-------------------------------------------------------------------------------
2001:db8:a001:100::/56 Remote Sub Mgmt 01h00m03s 0
[grp-int-1] 0
2001:db8:a001:300::/56 Remote Sub Mgmt 00h03m00s 0
[grp-int-2] 0
2001:db8:b001:101::1/128 Remote Sub Mgmt 01h00m03s 0
[grp-int-1] 0
2001:db8:b001:103::3/128 Remote Sub Mgmt 00h03m00s 0
[grp-int-2] 0
-------------------------------------------------------------------------------
No. of Routes: 4
Flags: n = Number of times nexthop is repeated
B = BGP backup route available
L = LFA nexthop available
S = Sticky ECMP requested
===============================================================================
*A:BNG#
Troubleshooting
Apart from the show commands in this chapter, the following additional commands can be used for troubleshooting:
Default system log
Debug
Statistics
The default system log can be shown as follows:
A:BNG-1# show log log-id 99
Use appropriate filtering to reduce the output if needed.
Debugging can be done with the definitions as follows:
debug
    router "Base"
        radius
            packet-type authentication accounting coa
            detail-level high
        exit
    exit
    router "1"
        ip
            dhcp
                detail-level high
                mode egr-ingr-and-dropped
            exit
            dhcp6
                mode egr-ingr-and-dropped
                detail-level high
            exit
            icmp6
        exit
        local-dhcp-server "dhcp-s1"
            detail-level medium
            mode egr-ingr-and-dropped
        exit
    exit
    subscriber-mgmt
        local-user-db "ludb-1"
            detail all
        exit
    exit
exit
Additional filtering (such as only DHCPv6 debug for a particular interface) may be needed to prevent a flood of debug messages.
DHCPv4 statistics can be shown as follows:
*A:BNG# show router 1 dhcp statistics
====================================================================
DHCP Global Statistics (Service: 1)
====================================================================
Rx Packets : 86
Tx Packets : 36
Rx Malformed Packets : 0
Rx Untrusted Packets : 0
Client Packets Discarded : 12
Client Packets Relayed : 46
Client Packets Snooped : 4
Client Packets Proxied (RADIUS) : 24
Client Packets Proxied (Diameter) : 0
Client Packets Proxied (User-Db) : 0
Client Packets Proxied (Lease-Split) : 0
Server Packets Discarded : 0
Server Packets Relayed : 25
Server Packets Snooped : 0
DHCP RELEASEs Spoofed : 0
DHCP FORCERENEWs Spoofed : 0
Client packets streamed : 0
====================================================================
*A:BNG#
DHCPv6 statistics can be shown as follows:
*A:BNG# show router 1 dhcp6 statistics
===========================================================================
DHCP6 statistics (Router: 1)
===========================================================================
Msg-type Rx Tx Dropped
---------------------------------------------------------------------------
1 SOLICIT 6 0 0
2 ADVERTISE 0 6 0
3 REQUEST 6 0 0
4 CONFIRM 0 0 0
5 RENEW 1 0 0
6 REBIND 0 0 0
7 REPLY 0 11 0
8 RELEASE 4 0 0
9 DECLINE 0 0 0
10 RECONFIGURE 0 0 0
11 INFO_REQUEST 0 0 0
12 RELAY_FORW 0 0 0
13 RELAY_REPLY 0 0 0
14 LEASEQUERY 0 0 0
15 LEASEQUERY_REPLY 0 0 0
---------------------------------------------------------------------------
Dhcp6 Drop Reason Counters :
---------------------------------------------------------------------------
1 Dhcp6 oper state is not Up on src itf 0
2 Dhcp6 oper state is not Up on dst itf 0
3 Relay Reply Msg on Client Itf 0
4 Hop Count Limit reached 0
5 Missing Relay Msg option, or illegal msg type 0
6 Unable to determine destination client Itf 0
7 Out of Memory 0
8 No global Pfx on Client Itf 0
9 Unable to determine src Ip Addr 0
10 No route to server 0
11 Subscr. Mgmt. Update failed 0
12 Received Relay Forw Message 0
13 Packet too small to contain valid dhcp6 msg 0
14 Server cannot respond to this message 0
15 No Server Id option in msg from server 0
16 Missing or illegal Client Id option in client msg 0
17 Server Id option in client msg 0
18 Server DUID in client msg does not match our own 0
19 Client sent message to unicast while not allowed 0
20 Client sent message with illegal src Ip address 0
21 Client message type not supported in pfx delegation 0
22 Nbr of addrs or pfxs exceeds allowed max (128) in msg 0
23 Unable to resolve client's mac address 0
24 The Client was assigned an illegal address 0
25 Illegal msg encoding 0
26 Client message not supported 0
27 IA options in info request 0
28 No IA option in client msg 0
29 No addresses in confirm msg 0
30 No relay servers configured 0
31 Blocked by host lockout 0
32 No link address available 0
33 Dropped by Python 0
34 Invalid server 0
35 Packet dropped on SRRP backup interface 0
36 DHCP transaction not found 0
37 Could not determine retail interface 0
38 Packet dropped by DHCP filter 0
39 Packet dropped because authentication failed 0
===========================================================================
*A:BNG#
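As an added example (not part of the original chapter or of SR OS), the following Python script parses output in the layout of show router 1 dhcp6 statistics and reports the drop reason counters that are non-zero or that increased between two snapshots. The function names are hypothetical, and the sample output is constructed, including its non-zero counters.

```python
import re

# Constructed sample in the layout of "show router 1 dhcp6 statistics".
# The non-zero drop counters are made up for this example.
SAMPLE = """\
Msg-type Rx Tx Dropped
---------------------------------------------------------------------------
1 SOLICIT 9 0 3
2 ADVERTISE 0 6 0
3 REQUEST 6 0 0
---------------------------------------------------------------------------
Dhcp6 Drop Reason Counters :
---------------------------------------------------------------------------
16 Missing or illegal Client Id option in client msg 0
20 Client sent message with illegal src Ip address 2
22 Nbr of addrs or pfxs exceeds allowed max (128) in msg 0
31 Blocked by host lockout 1
39 Packet dropped because authentication failed 0
"""

# Message-type rows carry three counters, drop-reason rows only one.
MSG_ROW = re.compile(r"^\s*(\d+)\s+([A-Z_]+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
DROP_ROW = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\d+)\s*$")


def parse_dhcp6_statistics(text):
    """Return (message counters by type, drop counters by reason number)."""
    msgs, drops, in_drops = {}, {}, False
    for line in text.splitlines():
        # Both tables start their rows with a number, so track which table
        # we are in instead of guessing from the row shape alone.
        if line.startswith("Dhcp6 Drop Reason Counters"):
            in_drops = True
            continue
        if not in_drops:
            m = MSG_ROW.match(line)
            if m:
                msgs[m.group(2)] = {"rx": int(m.group(3)),
                                    "tx": int(m.group(4)),
                                    "dropped": int(m.group(5))}
        else:
            m = DROP_ROW.match(line)
            if m:
                drops[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return msgs, drops


def nonzero_drops(text):
    """List (number, reason, count) for every drop reason with a count > 0."""
    _, drops = parse_dhcp6_statistics(text)
    return [(n, reason, count)
            for n, (reason, count) in sorted(drops.items()) if count]


def drop_deltas(before, after):
    """Compare two snapshots; return {reason number: increase} where changed."""
    _, old = parse_dhcp6_statistics(before)
    _, new = parse_dhcp6_statistics(after)
    deltas = {}
    for n, (_, count) in new.items():
        previous = old.get(n, ("", 0))[1]
        if count != previous:
            deltas[n] = count - previous
    return deltas


if __name__ == "__main__":
    for n, reason, count in nonzero_drops(SAMPLE):
        print(f"{n:>2} {reason}: {count}")
```
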
RADIUS statistics can be shown as follows:
*A:BNG# show subscriber-mgmt authentication "auth-1" statistics
===============================================================================
Authentication Policy Statistics
===============================================================================
-------------------------------------------------------------------------------
Policy name : auth-1
subscriber packets authenticated : 0
subscriber packets rejected : 0
subscriber packets rejected send failed : 0
-------------------------------------------------------------------------------
===============================================================================
*A:BNG#
*A:BNG# show aaa radius-server-policy "rsp-1" statistics
===============================================================================
RADIUS server policy "rsp-1" statistics
===============================================================================
Tx transaction requests : 24
Rx transaction responses : 24
Transaction requests timed out : 0
Transaction requests send failed : 0
Packet retries : 0
Transaction requests send rejected : 0
Authentication requests failed : 4
Accounting requests failed : 0
Ratio of access-reject over auth responses : 16%
Transaction success ratio : 100%
Transaction failure ratio : 0%
Statistics last reset at : n/a
Server 1 "radius-172.16.1.2" address 172.16.1.2 auth-port 1812 acct-port 1813
-------------------------------------------------------------------------------
Tx request packets : 24
Rx response packets : 24
Request packets timed out : 0
Request packets send failed : 0
Request packets send failed (overload) : 0
Request packets waiting for reply : 0
Response packets with invalid authenticator : 0
Response packets with invalid msg authenticator : 0
Authentication packets failed : 4
Accounting packets failed : 0
Avg auth response delay (10 100 1K 10K) in ms : 1.25 168 168 168
Avg acct response delay (10 100 1K 10K) in ms : n/a
Statistics last reset at : n/a
===============================================================================
*A:BNG#
Advanced Topics
Security
Downstream Router Advertisements
When a SAP is bound to a subscriber/group-interface which has IPv6 enabled, no initial downstream Router Advertisement (RA) message is sent. If one were sent on a SAP that is shared by multiple subscribers, it would be possible for an unauthenticated host to receive the RA.
Instead, the RAs are sent in unicast to allow per-host IPv6 link configuration. This requires the host information (MAC address and link-local IPv6 address) to be known. Therefore, for IPoE, until a DHCPv6 session is bound, no unsolicited or solicited RAs are sent.
Processing Neighbor Discovery Messages
This section describes how Neighbor Discovery messages are processed: Neighbor Advertisements (NA), Neighbor Solicitations (NS) and Router Solicitations (RS).
Neighbor discovery messages are not processed prior to IPoE IPv6 host authentication to avoid DoS attacks consuming CPU resources. This implies that an IPoE host should initiate the DHCPv6 session without link information and knowledge of routers on the link as required by the Broadband Forum standards (ref. TR-124 issue 2 — Functional Requirements for Broadband Residential Gateway Devices). This is not a problem as the DHCPv6 solicit/request messages are sent to a well-known multicast address with direct link-layer mapping.
After DHCP host authentication, Neighbor Discovery messages will not result in a neighbor cache entry. Instead a managed neighbor cache entry is created based on the DHCPv6 lease state. This managed neighbor cache entry cannot be displayed. The above mechanism prevents DoS attacks from poisoning the neighbor cache with bogus entries.
Router advertisements in response to a router solicitation are internally throttled so that they are not sent more often than once every three seconds.
Anti-spoof Filters
For each authenticated IPoE IPv6 host, an anti-spoof filter entry is created that allows upstream traffic with exact match on the tuple {masked source IP, source MAC} to pass. Traffic from unauthenticated hosts is silently dropped.
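The anti-spoof match described above, modelled in Python as an added example (not SR OS code and not part of the original chapter): it derives one {masked source IP, source MAC} entry per lease state and evaluates upstream packets against them. The function names are hypothetical, and the lease-state excerpt is constructed from the values shown in this chapter.

```python
import ipaddress
import re

# Constructed excerpt in the layout of "show service id 1 dhcp lease-state
# detail" and "... dhcp6 lease-state detail", using this chapter's values.
LEASE_STATE_OUTPUT = """\
Service ID : 1
IP Address : 10.1.0.1
Client HW Address : 00:0c:29:00:00:21
-------------------------------------------------------------------------------
Service ID : 1
IP Address : 2001:db8:a001:100::/56
Client HW Address : 00:0c:29:00:00:21
-------------------------------------------------------------------------------
Service ID : 1
IP Address : 2001:db8:b001:101::1/128
Client HW Address : 00:0c:29:00:00:21
-------------------------------------------------------------------------------
"""


def parse_lease_states(text):
    """Return one dict per lease record; dashed lines separate the records."""
    records, current = [], {}
    for line in text.splitlines():
        if re.fullmatch(r"-{10,}", line.strip()):
            if current:
                records.append(current)
            current = {}
            continue
        # Split on the first " : " only; MAC and IPv6 values contain colons.
        key, sep, value = line.partition(" : ")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def build_antispoof_table(records):
    """One (masked source network, source MAC) entry per authenticated host."""
    table = []
    for rec in records:
        # An IPv4 host or wan-host is a single address (/32 or /128). A PD
        # host is the whole delegated prefix, so the mask is the prefix length.
        net = ipaddress.ip_network(rec["IP Address"], strict=True)
        table.append((net, rec["Client HW Address"].lower()))
    return table


def permits(table, src_ip, src_mac):
    """True only when both the masked source IP and the source MAC match."""
    addr = ipaddress.ip_address(src_ip)
    return any(
        addr.version == net.version and addr in net and src_mac.lower() == mac
        for net, mac in table
    )


# Model only: covers the entries derived from lease state, not the way
# SR OS treats control-plane packets such as DHCPv6 itself.
TABLE = build_antispoof_table(parse_lease_states(LEASE_STATE_OUTPUT))

if __name__ == "__main__":
    rg_mac = "00:0c:29:00:00:21"
    for ip, mac in [
        ("2001:db8:a001:1ab::50", rg_mac),               # inside the /56
        ("2001:db8:a001:200::1", rg_mac),                # outside the /56
        ("2001:db8:a001:100::1", "00:0c:29:00:00:23"),   # wrong source MAC
    ]:
        print(ip, mac, "pass" if permits(TABLE, ip, mac) else "drop")
```
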
Managed SAPs
To allow the creation of managed SAPs in a dual stack environment, both DHCPv4 discover and DHCPv6 solicit messages received on a capture SAP should trigger RADIUS authentication:
configure
    service
        vpls 2 customer 1 create
            sap 1/1/2:* capture-sap create
                trigger-packet dhcp dhcp6
                authentication-policy "radius-1"
            exit
            no shutdown
        exit
    exit
exit
A full description of the managed SAP functionality is out of the scope of this chapter.
RADIUS Change of Authorization (CoA)
The only CoA action that is allowed for IPoE IPv6 hosts is a change of ESM strings (SLA-profile, subscriber-profile, application-profile, etc.). Creation of a new IPv6 host or forcing a DHCPv6 renew is not supported.
Only a single address attribute (Framed-IP-Address, Delegated-IPv6-Prefix or Alc-IPv6-Address) may be given in a single request. When host-accounting is enabled, only the host-specific accounting session IDs (Acct-Session-Id) can be used. This means that to change, for example, the sla-profile for all three hosts of a dual stack subscriber, three CoA messages should be sent.
A full description of the RADIUS CoA functionality is out of the scope of this section.
Accounting
There are no separate accounting statistics available for IPv4 and IPv6 traffic unless they are mapped in a different Forwarding Class/queue.
In RADIUS accounting, host-accounting could be enabled to see the IPv4 and IPv6 host instantiations separately: an accounting start/stop is generated for each individual subscriber host. The actual accounting data is included in the interim updates and accounting stop message for the sla-profile instance.
A full description of the accounting functionality is out of the scope of this section.
Lease State Persistency
A DHCPv4/DHCPv6 (hereafter referred to as DHCP) session does not have a keep-alive mechanism to detect unavailability. A new DHCP session set-up is only attempted after expiration of the DHCP lease time. A node reboot causing the loss of DHCP lease state and the corresponding anti-spoof filters could therefore result in unacceptably long service outages.
The DHCP lease state can be made persistent across node reboots: DHCP lease state is restored from a persistency file stored on the compact flash file system. As a result, DHCP sessions will only lose connectivity during the time of reboot without being completely disconnected.
To activate the DHCP lease state persistency:
configure
    system
        persistence
            subscriber-mgmt
                description "DHCP lease state persistency"
                location cf1:
            exit
        exit
    exit
exit
A dedicated persistency file will be created on the specified compact flash file system. The file is initialized to store the maximum number of allowed hosts; its size is fixed to avoid file system space problems during operations.
*A:BNG# file dir cf1:
Volume in drive cf1 on slot A has no label.
Volume in drive cf1 on slot A is formatted as FAT32
Directory of cf1:\
09/19/2016 04:29p <DIR> .ssh/
04/20/2017 03:02p 536871424 submgmt.012
04/20/2017 02:59p 12583424 submgmt.i12
2 File(s) 549454848 bytes.
1 Dir(s) 7464747008 bytes free.
*A:BNG#
Each time the DHCP lease is renewed, the persistency file is updated together with the lease state. If the file update fails, an event is generated to indicate that persistency cannot be guaranteed.
The format of the persistency file may vary between different SR OS software releases. When upgrading, the persistency file is automatically upgraded to the new format. To downgrade the persistency file to a lower SR OS Release version, use the following command:
*A:BNG# tools perform persistence downgrade target-version ?
- downgrade target-version <target> [reboot]
<target> : the version you want to downgrade to
submgt
14.0 (current) - cf1:\submgmt.012
13.0 - cf1:\submgmt.011
12.0 - cf1:\submgmt.010
11.0 - cf1:\submgmt.009
10.0 - cf1:\submgmt.008
9.0 - cf1:\submgmt.007
8.0 - cf1:\submgmt.006
7.0 - cf1:\submgmt.005
6.0 - cf1:\submgmt.004
5.0 - cf1:\submgmt.003
4.0 - cf1:\submgmt.pst
<reboot> : reboot system after successful conversion
*A:BNG#
The content of the persistency file can be inspected using the following commands:
*A:BNG# show service id 1 dhcp6 lease-state detail
===============================================================================
DHCP lease states for service 1
===============================================================================
Service ID : 1
IP Address : 2001:db8:a001:100::/56
Client HW Address : 00:0c:29:00:00:21
Subscriber-interface : sub-int-1
Group-interface : grp-int-1
SAP : 1/1/1:1
Termination Type : local
Up Time : 0d 00:01:49
Remaining Lease Time : 0d 23:58:11
Remaining SessionTime: N/A
Persistence Key : 0x00000002
Sub-Ident : "sub-1"
Sub-Profile-String : "sub-profile-1"
SLA-Profile-String : "sla-profile-1"
App-Profile-String : ""
Lease ANCP-String : ""
Lease Int Dest Id : ""
Category-Map-Name : ""
Dhcp6 ClientId (DUID): 00010001208a25ac000c29000021
Dhcp6 IAID : 1
Dhcp6 IAID Type : prefix
Dhcp6 Client Ip : fe80::20c:29ff:fe00:21
Primary-Dns : 2001:db8:dddd:1::1
Secondary-Dns : 2001:db8:dddd:2::1
Pool Name : ""
Dhcp6 Server Addr : N/A
Dhcp6 ServerId (DUID): N/A
Dhcp6 InterfaceId : N/A
Dhcp6 RemoteId : N/A
Radius sub-if prefix : N/A
Router adv. policy : N/A
Lease Info origin : Radius
ServerLeaseStart : 04/20/2017 14:44:01
ServerLastRenew : 04/20/2017 14:44:01
ServerLeaseEnd : 04/21/2017 14:44:01
Session-Timeout : N/A
IPoE|PPP session : No
Radius User-Name : "00:0c:29:00:00:21"
-------------------------------------------------------------------------------
Service ID : 1
IP Address : 2001:db8:a001:300::/56
Client HW Address : 00:0c:29:00:00:23
Subscriber-interface : sub-int-1
Group-interface : grp-int-2
SAP : 1/1/1:2
Termination Type : local
Up Time : 0d 00:01:36
Remaining Lease Time : 0d 23:58:24
Remaining SessionTime: N/A
Persistence Key : 0x00000005
Sub-Ident : "sub-3"
Sub-Profile-String : "sub-profile-1"
SLA-Profile-String : "sla-profile-1"
---snip---
-------------------------------------------------------------------------------
Number of lease states : 4
===============================================================================
*A:BNG#
*A:BNG# tools dump persistence submgt record 0x2
----------------------------------------
Persistence Record
----------------------------------------
Client : submgt
Persist-Key : 0x00000002
Filename : cf1:\submgmt.012
Entries : Index FedHandle Last Update Action Valid
000002 0x00000002 2017/04/20 12:45:24 (UTC) ADD Yes
Data : 366 bytes
Host Type : IpV6 node address
Service ID : 1
SAP ID : 1/1/1:1
NH MAC : 00:0c:29:00:00:21
Created : 2017/04/20 12:44:01 (UTC)
IP : 2001:db8:a001:100::/56
Srvr Last Renew: 2017/04/20 12:44:01 (UTC)
Srvr Lse End : 2017/04/21 12:44:01 (UTC)
Dhcp6 Pfx len : 56
Dhcp6 Iaid : 1
Dhcp6 Iaid Typ : 25
Dhcp6 Client Mg: fe80::20c:29ff:fe00:21
Dhcp6 Client Id: 00010001208a25ac000c29000021
RADIUS Fallback: NO
Acct-Sess-Id : 14F2FF0000003658F8AD11
Multi-Sess-Id : 14F2FF0000003458F8AD0A
Class Attr : 0 bytes
User-Name : "00:0c:29:00:00:21"
host is authenticated by radius: true
Subscriber-Id : "sub-1"
Sub-Profile-Str: "sub-profile-1"
SLA-Profile-Str: "sla-profile-1"
Ipv6 Primary Dns: 2001:db8:dddd:1::1
Ipv6 Secondary Dns: 2001:db8:dddd:2::1
Ipv6 Delegated Prefix Origin: Radius
PD Server validLifeTime: 86400
PD Server preferredLifeTime: 3600
*A:BNG#
Conclusion
This chapter provides configuration, operation, and troubleshooting commands for dual stack IPoE subscribers on Routed Gateways. Focus is on the ESMv6 part where DHCPv6 is used for IPv6 address assignment on the RG network interface (wan host) and for allocation of an IPv6 prefix delegation prefix for use in the home network (pd host). In the BNG, authentication, authorization and IPv6 prefix configuration for an IPoE IPv6 host is done by a local user database or RADIUS.