Fixed access sessions

Learn about the key identifiers for fixed access sessions, IBCP tunnels, MAG-u selection, limits on the number of sessions, and the IPoE setup flows.

Layer 2 circuit

The Layer 2 circuit (l2-circuit) is the combination of the Layer 2 access ID and the VLAN parameters.

Fixed access sessions have direct Ethernet connectivity from the client device to the BNG. The cMAG-c assumes that the Ethernet connectivity is configured and makes an abstraction of the underlying technology and topology. The cMAG-c only needs the opaque Layer 2 access ID (l2-access-id) that uniquely identifies the access context of a session. The access context can be a port, a LAG, a pseudowire, an EVPN service, or anything that provides Ethernet connectivity. The MAG-u defines the content of the l2-access-id. The cMAG-c does not interpret it.

The l2-access-id is called the logical port in BBF TR-459. The cMAG-c is aware of all Ethernet parameters such as MAC address, S-VLAN, and C-VLAN. Nokia uses the l2-circuit for the combination of the l2-access-id and VLAN parameters.

In-band control plane and MAG-u selection

The cMAG-c creates IBCP tunnels per Layer 2 access ID for messages between the MAG-u and cMAG-c. Initial packets use these per-Layer 2 access ID tunnels. At session creation, the cMAG-c sets up a per-session tunnel. The MAG-u selection is based on the per-Layer 2 access ID tunnel used for the triggering packet.

Fixed access sessions send in-band cMAG-c messages over the connection to the MAG-u. As defined in BBF TR-459, the cMAG-c creates GTP-U tunnels (called IBCP tunnels) between the MAG-u and the cMAG-c to forward in-band cMAG-c messages.

The initial cMAG-c packets of a fixed access session are sent over the per-Layer 2 access ID IBCP tunnel associated with the Layer 2 access ID where that packet is received by the MAG-u. The cMAG-c automatically sets up the per-Layer 2 access ID IBCP tunnels for all learned Layer 2 access IDs of an existing PFCP association. Layer 2 access IDs are learned in the following way:

From the l2-access-id configuration in the following context.
```
subscriber-management ref-points up group
```
From health reports sent by the MAG-u. See MAG-u health determination for more information.

When a Layer 2 access ID is no longer configured and not seen in consecutive health reports, the per-Layer 2 access ID tunnel is automatically removed by the cMAG-c.

Packets sent over the per-Layer 2 access ID tunnel signal metadata like the Layer 2 access ID itself, the local MAG-u MAC address, and the MAG-u node ID to the cMAG-c in an NSH header (as defined in BBF TR-459). The cMAG-c matches packets coming in over the per-Layer 2 access ID tunnel against a UP group and subsequently to an entry point (EP). The following applies:

The UP group identifies interconnected UPs on which resiliency is available. This step is optional and if no UP group is matched, the session is set up only in the context of the UP associated with the incoming IBCP tunnel.
The EP acts as a gateway mechanism and provides basic setup parameters. It is mandatory for a packet to match an EP.

The cMAG-c can instruct the MAG-u to forward only specified packet triggers over the IBCP tunnels and to ignore other triggers. For example, ignore IPoE triggers if only PPPoE is deployed or the other way around.

Configure the EP and triggers using the following commands.

subscriber-management ref-points up fixed-access entry-point
subscriber-management ref-points up fixed-access ibcp-triggers

The following example shows IBCP configuration that matches only IPoE control plane packets and matches them against an EP named fixed-access.

# info from running /subscriber-management ref-points up fixed-access
    subscriber-management {
        ref-points {
            up {
                fixed-access {
                    entry-point fixed-access
                    ibcp-triggers {
                        ipoe-dhcp true
                        ipoe-dhcpv6 true
                        ipoe-router-solicit true
                    }
                }
            }
        }
    }

The cMAG-c sets up a per-session tunnel at session creation.

To get IBCP statistics for both the per-Layer 2 access ID tunnel and the per-session tunnel, use the following state tree.

subscriber-management ref-points up statistics ibcp

To clear the IBCP statistics, use the following command.

tools subscriber-management statistics clear ref-points up ibcp

When multiple MAG-u devices are managed by the same cMAG-c, each MAG-u has its own set of per-Layer 2 access ID tunnels. At session creation, the MAG-u selection is based on the triggering packet, as follows:

If the triggering packet matches a UP group, the session is tied to an FSG of that UP group. The cMAG-c creates the session on the active (and optionally standby) MAG-u of the FSG.
If the triggering packet does not match a UP group, the cMAG-c installs the session on the MAG-u that corresponds with the per-Layer 2 access ID tunnel on which the packet was received.

Session keys and anti-spoofing

Session keys identify and match data traffic to specific sessions, using different keys for IPoE and PPPoE sessions. The cMAG-c creates sessions and maps keys to ensure packets from different UPs match the same session.

The cMAG-c creates a session when receiving the initial triggering packet for a specific session type. Fixed access sessions are, by default, identified by the key <UP, Layer 2 circuit, MAC address>, for IPoE and PPPoE. In case a session is set up in the context of a resilient UP group, the UP and Layer 2 circuit keys are internally mapped to a common key based on the UP group configuration. This guarantees that packets coming from different UPs within the same UP group match the same session.

Data plane rules on the MAG-u use the following keys to match data traffic to a specific session:

IPoE: <l2-circuit, source MAC address> or <l2-circuit, source MAC address, source IP address>
PPPoE: <l2-circuit, source MAC address, session ID> or <l2-circuit, source MAC address, session ID, source IP address>

To add the source IP address to the key, set the following command to true.

subscriber-management authentication-database entry ip-anti-spoof

If not explicitly specified, the ip-anti-spoof command is enabled for all sessions.

Subscriber identification

The subscriber identification is equal to the session key..

For fixed access sessions, the BNG subscriber key is by default equal to the session key, that is, there is a single session per subscriber.

Session limits

The cMAG-c enforces limits on the number of sessions. These limits can be configured within a specific scope; for example, per Layer 2 access ID.

The cMAG-c supports limits on the number of sessions within a specific scope; for example, per Layer 2 access ID. The session limits are applied when the session is created, before authentication. Changing a session limit only affects new sessions. Existing sessions are not removed to align with new session limits.

Use the commands in the following context to configure the session limits.

subscriber-management entry-point entry

The cMAG-c enforces session limits in the following order:

per Layer 2 access ID
Use the session-limits per-l2-access-id command to set a limit for the maximum number of sessions per Layer 2 access ID (l2-access-id). The system limits the maximum number of sessions per Layer 2 access ID (for example, port) and the associated MAG-u. By default, two sessions with the same Layer 2 access ID on two different MAG-u nodes do not count for the same session limit. However, if sessions are set up in the context of a UP group, the system maintains the limit per UP group and Layer 2 access ID combination. In this case, two sessions with the same Layer 2 access ID on different MAG-u nodes in the same UP group count for the same session limit.
per Layer 2 circuit
Use the session-limits per-l2-circuit command to set a limit for the maximum number of sessions per Layer 2 circuit (l2-circuit). The system limits the maximum number of sessions per Layer 2 circuit and the associated MAG-u. By default, two sessions with the same Layer 2 circuit on two different MAG-u nodes do not count for the same session limit. However, if sessions are set up in the context of a UP group, the system maintains the limit per UP group and Layer 2 circuit ID combination. In this case, two sessions with the same Layer 2 circuit ID on different MAG-u nodes in the same UP group count for the same session limit.
per UP
Use the session-limits per-up command to set a limit for the maximum number of sessions per MAG-u. When the sessions are set up in the context of a UP group, this limit applies to the UP group instead because sessions can dynamically move between MAG-u nodes in one UP group.

It is possible to configure conflicting limits for the same context. For example, two sessions with the same Layer 2 access ID can match two different BNG EP entries. Both entries can have a different session limit. The enforced limit at session creation is the limit that is configured in the matching BNG EP entry.

Limits enforced for nonresilient contexts and resilient UP group contexts are never mixed. For example, if a BNG EP is configured with a per-UP session limit of 100, the system allows up to 100 nonresilient sessions on that MAG-u, and another 100 resilient sessions on any UP group linked to that MAG-u.

IPoE

IPoE does not involve a lower-layer connectivity protocol. Address assignment protocols and upstream data packets directly trigger IPoE sessions. The cMAG-c supports DHCP, DHCPv6, and ICMPv6 RS as triggering protocols.

The following figure shows an example of an IPoE session setup flow with DHCP as triggering protocol.

Figure 1. IPoE session setup with RADIUS authentication

When the cMAG-c receives the initial triggering packet over the per-Layer 2 access ID IBCP tunnel, the following actions are executed:

The cMAG-c matches the triggering packet with an EP, and creates an IPoE session using the configured keys. The cMAG-c assigns the EP and an IPoE profile. The IPoE profile defines the following behavior of the cMAG-c:
- The cMAG-c sets dot1p and DSCP values in Ethernet and IP headers of CP messages to the IPoE client.
- For packets that trigger session creation, the cMAG-c verifies the DHCP client Ethernet address (chaddr field). If the DHCP client Ethernet address does not equal the Ethernet source MAC address, the packet is dropped and no session is created.
Use the following command to create an IPoE profile.
```
subscriber-management profiles ipoe-profile
```
Use the following command to assign an IPoE profile to a session matching an EP entry.
```
subscriber-management entry-point entry ipoe profile
```
Note: If no IPoE profile is provisioned for a session, setup continues as if an IPoE profile with default values was provisioned.
The cMAG-c assigns a single authentication flow to the session and starts the authentication. Subsequent triggers for the same IPoE session do not trigger re-authentication.
The cMAG-c allocates addresses for the session.
The cMAG-c creates data plane rules and per-session IBCP tunnels on the MAG-u.
The cMAG-c assigns addresses over the per-session IBCP tunnel.
If accounting is provisioned, the cMAG-c starts accounting for the session.

The events in the following non-exhaustive list cause deletion of an IPoE session:

The AAA triggers a failure; for example, RADIUS-initiated disconnect.
An operator gives an explicit clear command for the session.
No more DHCP or DHCPv6 lease is running; for example, because of a lease timeout or an explicit release message. Because of the lack of client-generated messages, SLAAC-assigned addresses are not tracked independently and require an active DHCP or DHCPv6 lease in the IPoE session.
A session timeout has occurred.

SHCV

Subscriber Host Connectivity Verification (SHCV) monitors the connection status of IPoE sessions and removes the appropriate stacks if a session is no longer connected while generating a log event.

The cMAG-c performs SHCV by instructing the user plane function (UPF) at the start of an IPoE session to periodically send ARP requests or Neighbor Solicitations (NS) to end devices. In the case of an IPv4 stack, an ARP request is sent to the device's assigned IPv4 address, whereas for IPv6 stack, an NS is sent to the device's link-local address. If there is no response and all retries fail, SHCV removes the appropriate stack and generates a log event in the syslog server.

Note: SHCV does not anticipate the IPv6 link-local address of end devices to change during an IPoE session. In case of such a change, the session must be re-established for SHCV to target the new address.

To configure how often (in minutes) SHCV checks for disconnected IPoE sessions, use the following command.

subscriber-management profiles shcv-profile periodic interval

The default is 30 minutes.

To configure how many times SHCV retries to get a response from an end device, use the following command.

subscriber-management profiles shcv-profile periodic retries

The default is two retries, in addition to the initial ARP request or NS.

Note: Because the initial ARP request or NS does not count as retrying, two retries means that an end device must fail to respond three times before the appropriate session is considered disconnected.

To configure how long (in seconds) SHCV waits for an end device's response to an ARP request or NS, use the following command.

subscriber-management profiles shcv-profile periodic timeout

The default is 10 seconds.

Changes in the SHCV configuration do not affect existing IPoE sessions.