1. Overview of RtBrick Reference Design
The RtBrick Reference Design document provides a blueprint for Consolidated-BNG (C-BNG) implementation to enable IPoE subscribers.
RtBrick provides validated reference design architectures which have been designed and validated with the in-house testing tools and methods. This document provides information to validate RBFS C-BNG with IPoE implementation use case.
1.1. About this Guide
The solution design document provides guidance to validate IPoE implementation using RBFS C-BNG. The guide contains quick information about general platform configuration, configuration of various Access and Routing protocols, Subscriber Management, Quality of Service and troubleshooting. The document presents a single use case scenario and provides information specifically on how to validate this particular implementation and for more information on any specific application, refer to https://documents.rtbrick.com/.
This guide is not intended to be an exhaustive guide of all RBFS features and does not provide information on features such as Multicast, Lawful Intercept etc.
1.2. About the RBFS Consolidated BNG
The RtBrick C-BNG is delivered as a container, running on Open Network Linux (ONL) provided by the hardware ODM manufacturers. Platforms that support C-BNG include Edgecore AGR 400, CSR 320, and UfiSpace S9600. The RtBrick C-BNG software runs on powerful bare-metal switches as an open BNG.
The BNG is designed to dynamically deliver the following services:
-
Discovering and managing subscriber sessions for both PPPoE and IPoE subscribers
-
Providing authentication, authorization and accounting (AAA)
-
Providing multicast-based IPTV services
The basic C-BNG architecture for IPoE subscribers is shown in Fig. 1.
Fig. 1: Topology setup with cbng1 as a DUT (device under test) connected to R1 and R2 and BNG blaster.
The topology consists of:
-
RBFS on bare metal switch as
cbng1, the DUT, having two interfaces connected to:-
Router R2 and R1, which are connected to each other and to BNG Blaster.
-
cbng1is also connected to TACACS+ server (192.168.45.45) and RADIUS server (192.168.121.2). -
Interface of the DUT connected to BNG blaster through the interface
ifp-0/1/29.
-
-
Rtbrick’s home grown BNG blaster test suite service node (SN) that emulates both the routing and access functions and, in effect, tests the DUT.
-
The topology emulates IPoE subscribers and traffic between RBFS switch and the core network.
-
The objective of this topology is to demonstrate complete IPoE subscriber emulating and service along with routing to connect to the network uplink.
1.3. Deployment
A C-BNG provides BNG functionality on a single bare-metal switch and eliminates the need to have a chassis based system. It provides a low footprint and optimal power consumption based on BRCM chipsets, a compelling value proposition that has complete BNG and routing feature support.
C-BNG runs on small form-factor temperature hardened hardware that allows deployments in street site cabinets.
The rtbrick-toolkit is a meta package that can be used to install all the tools needed to work with RBFS images (container or ONL installer) and the RBFS APIs.
For more information, see RBFS and Tools Installation, and RBFS Licensing Guide.
1.4. Using the RBFS CLI
An administrator can enter commands using the RBFS command line interface, which runs on top of the Ubuntu shell. RBFS CLI has three modes: Configuration mode, Operation mode, and Debug mode.
Once login to the system with the credentials provided, user has to switch the CLI mode to 'configuration mode' to execute various configurations. After specifying the configuration changes, user can then execute the commit command to commit the configurations.
Enter the switch-mode command to change the CLI mode.
supervisor@rtbrick>cbng1.rtbrick.net: op> supervisor@rtbrick>LEAF01: op> switch-mode config
To commit the configurations, use the commit command.
supervisor@rtbrick>cbng1.rtbrick.net: op> switch-mode config supervisor@rtbrick>cbng1.rtbrick.net: cfg> <cli command goes here> supervisor@rtbrick>cbng1.rtbrick.net: cfg> commit
For more information on how to use the RBFS CLI, see the RBFS CLI User Guide.
2. Getting Started
2.1. Platform Configuration and Settings
This section provides information about the platform and how to set various required configurations for the platform.
2.1.1. Know your Device
The configurations provided in this reference design document (C-BNG IPoE implementation) are generated on the UfiSpace S9600-72XC platform.
The UfiSpace S9600-72XC is a multi-function, disaggregated white box aggregation routing platform that is equipped with Broadcom’s Qumran2c chipset. It features 64x25GE and 8x100GE high speed ports with a switching capacity of up to 2.4Tbs.
The RBFS C-BNG software is installed on top of the UfiSpace S9600-72XC.
For more information, see Hardware Specification.
2.1.2. Prerequisites
-
Access to BNG Blaster, an open-source network testing platform for access and routing protocols. For information on obtaining and building BNG Blaster, see https://rtbrick.github.io/bngblaster/
-
Access to FreeRADIUS, a free RADIUS suite. For accessing FreeRADIUS, see https://freeradius.org/.
-
Access to NTP server
-
Access TACACS+ server
2.2. General Configuration
To enable testing some basic primitives need to be configured. These general configurations include Loopback Interface for identifying and accessing the device on network, NTP for setting accurate time across a whole network of devices, TACACS+ for user authentication, user management for user configuration, license for accessing RBFS, Resmon for resource monitoring, and Graylog configurations for exporting the log message to the external log management server.
2.2.1. Configure License
With a license key installed on the system, user can use and evaluate the full functionalities of RBFS. The following steps provide the commands to install an RBFS license key. For more information about license configuration, see Installing License.
Install the license encrypted string (that is received from RtBrick) using the RBFS CLI.
supervisor@rtbrick>cbng1.rtbrick.net: cfg> set system license <license-key>
RBFS license configuration is shown below:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config set system license AAAAWsfg&jdkfs4D34H5@2evf...
2.2.2. Configure Loopback Interface
Loopback Interface configuration is required as it is the best way to identify a device on the network and it is always reachable. Also, protocols use the loopback address to determine protocol-specific properties for the device.
The following steps provide the commands to configure the loopback interface. For more information about Loopback Interface configuration, see Interfaces User Guide.
Configure loopback interface on the device.
set interface lo-0/0/0 set interface lo-0/0/0 unit 10 set interface lo-0/0/0 unit 10 address ipv4 192.168.0.2/32 set interface lo-0/0/0 unit 10 address ipv6 192:168::2/128
Loopback Interface configuration is shown below:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config interface lo-0/0/0
{
"rtbrick-config:interface": [
{
"name": "lo-0/0/0",
"unit": [
{
"unit-id": 10,
"address": {
"ipv4": [
{
"prefix4": "192.168.0.2/32"
}
],
"ipv6": [
{
"prefix6": "192:168::2/128"
}
]
}
}
]
}
]
}
2.2.3. Configure NTP
Configuring NTP (Network Time Protocol) provides time synchronization across a whole network of devices. An NTP network consists devices (clients) which are to be synchronized with the NTP server that provides accurate time to the client devices.
The following steps provide the commands to configure Network Time Protocol (NTP) for the device. For more information about NTP configuration, see NTP User Guide.
Enabling NTP Service:
To access the NTP service running in the ONL, this service has to be enabled in inband-management. On configuring this, the hosts reachable in inband instance via the physical interface can access this service.
Configure NTP server and NTP service on the device.
set system ntp server srv1 set system ntp server srv1 ipv4-address 192.168.200.10 set inband-management instance inband_mgmt set inband-management instance inband_mgmt ntp true
NTP configuration is shown below:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config inband-management
{
"rtbrick-config:inband-management": {
"instance": [
{
"name": "inband_mgmt",
"ntp": "true"
}
]
}
}
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config system ntp
{
"rtbrick-config:ntp": {
"server": [
{
"server-name": "srv1",
"ipv4-address": "192.168.200.10"
}
]
}
}
2.2.4. User Authentication
RBFS supports user authentication through a centralized TACACS+ server and with a local authentication system. The following authentication process typically occurs when a user attempts to access the network.
-
When a user logs in through
SSH, the SSH Daemon (sshd) invokes the Pluggable Authentication Module (PAM) to trigger authentication process. -
PAM requests TACACS+ authentication (except for the user with the
supervisorprivileges). -
TACACS+ server provides 'grant access' node if the user authentication is successful.
-
If the user is not allowed using the TACACS+ authentication, it is required to undergo an additional authentication phase. PAM looks up local users. Upon successful authentication, PAM generates RTB PAM token; includes user role in 'scope'.
2.2.4.1. Define Users on TACACS+ Server
Administrator needs to define users and associate them with the predefined roles on the TACACS+ server. Optionally, RBFS CLI commands can be restricted using the rtb-allow-cmds and rtb-deny-cmds.
The tac_plus.conf file contains configuration information for the tac_plus(tacacs+) daemon. This file is stored at the following location:
/etc/tacacs+/tac_plus.conf
For more information about TACACS+ server configuration, see
This Design document uses the default local user supervisor for the configurations, whereas other users, defined in the TACACS server, can log into RBFS by using their usernames and passwords.
The following TACACS+ configuration shows the details of the user bob who belongs to the group Network_Operator.
accounting file = /var/log/tac_plus.acct
key = RtBrick_Little_Secret
user = bob {
name = "remote"
login = cleartext "bob"
member = Network_Operator
}
<...>
Validating TACACS+ authentication
The following scenario shows a successful authentication for the user bob.
~$ ssh bob@cbng1.rtbrick.net bob@cbng1.rtbrick.net's password: Last login: Mon Jan 23 16:13:40 2023 from cbng1.rtbrick.net bob@rtbrick>cbng1.rtbrick.net: op>
The following scenario shows an unsuccessful password authentication for the user bob.
~$ ssh bob@rtbrick>cbng1.rtbrick.net: bob@cbng1.rtbrick.net's password: Permission denied, please try again. bob@cbng1.rtbrick.net's password:
The following scenario shows an unsuccessful authentication for an undefined user frank.
~$ ssh frank@rtbrick>cbng1.rtbrick.net: frank@cbng1.rtbrick.net's password: Permission denied, please try again. frank@cbng1.rtbrick.net's password: accounting file = /var/log/tac_plus.acct key = RtBrick_Little_Secret
2.2.4.2. Configure TACACS+ on RBFS
After defining the users on the TACACS+ server, configure the TACACS+ server on C-BNG. This configuration allows the remote TACACS+ server to communicate with the C-BNG and to validate user access on the network.
The following steps provide the commands to configure TACACS+. For more information about TACACS+ configuration, see Configure TACACS+ on RBFS.
Enabling TACACS+ service:
To access the TACACS+ service running in the ONL, this service has to be enabled in inband management. On configuring this, the hosts reachable in inband instance via the physical interface can access this service.
set system secure-management-status true set system authorization tacacs 192.168.45.45 inband secret-plain-text RtBrick_Little_Secret set inband-management instance core tacacs true
In the above configuration, the command set inband-management instance core tacacs true is used to enable TACACS+ under the instance called core.
TACACS+ configuration is shown below:
{
"rtbrick-config:system": {
"authorization": {
"tacacs": [
{
"ipv4-address": "192.168.45.45",
"type": "inband",
"secret-plain-text": "RtBrick_Little_Secret"
}
]
}
}
}
Configuration for enabling TACACS+ under the instance core is shown below:
"rtbrick-config:inband-management": {
"instance": [
{
"name": "inband_mgmt",
"tacacs": "true"
}
]
},
2.2.4.3. Configure User Management
Configuring Local User Management enables administrators to create, manage, and secure the users and groups. It allows creation of privileges that are configurable for user-defined and predefined roles.
The following steps provide the commands to configure user management. For more information about license configuration, see Local User Management.
-
To create a role, configure the RBAC privilege and the command privilege. To configure the RBAC privilege for both table and object:
set system user admin role supervisor set system user admin shell /bin/bash set system user admin password-hashed-text $6$XNkmuMRI.5.R/NBJ$XDfZec7gEM3z/3lYn8mDDWimRZ/68xawia.pTMdrGqoYHEE3nWHB08DeaPNQTwHW6WjB1aX6.xjYjh8CNCy4g1
For information about Configuring hashed password, see Configure Hashed Password.
Authentication configuration of a password hashed text and an SSH public key is shown below:
{
"ietf-restconf:data": {
"rtbrick-config:system": {
"user": [
{
"username": "admin",
"shell": "/usr/local/bin/cli",
"password-hashed-text": "$5$L2DaOYYuddhBV$9RA5MX9RQzLC9fIKJzbnoFBb88w9rkSXl7GVrVJ9PY7",
"ssh-pub-key": [
"ssh-rsa AAAAWsfg&jdkfs4D34H5@2evf....."
]
}
]
}
}
}
2.2.5. Configure Graylog
RBFS supports sending log messages to Graylog, a log management software. One needs to specify the Graylog endpoint in CtrlD and specify the alias name for that particular endpoint.
Configure BDS logging for bgp and specify Graylog as external log management platform.
set log module bgp plugin-alias alias-name graylog set log module bgp plugin-alias level info
Configuration for Graylog as endpoint in CTRLD is as shown below:
{
"graylog_enable": true,
"graylog_url": "http://10.200.32.49:12201/gelf",
"graylog_endpoints": [
{
"name": "graylog",
"url": "http://192.168.202.46:12201/gelf"
}
]
}
For information about enabling Graylog as the log management software, see the CTRLD User Guide.
2.2.6. Monitor Resources (Resmon)
Resource monitoring enables administrators to collect and analyze the health information and usage data of various hardware resources such as CPU, memory, processes, disks, sensors, optics, and so on.
The show cpu summary command displays system CPU details:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show cpu summary CPU_0 Vendor : GenuineIntel Model : Intel(R) Xeon(R) D-2145NT CPU @ 1.90GHz Architecture : x86_64 Serial No : 54 06 05 00 FF FB EB BF Clock(MHz) : 2499.999 BogoMIPS : 3800.00 Physical cores : 8 Logical cores : 16 Endian : True Cache alignment : 64 Bytes L1 data cache : 32768 Bytes L1 instruction cache : 32768 Bytes L2 unified cache : 1048576 Bytes L3 unified cache : 11534336 Bytes L4 unified cache : 0 Bytes
The show command can also be used to view other resource details. For information about the resmon configuration and operational commands, see the RBFS Resource Monitoring Guide.
3. Protocol Configurations
This validated solution design topology uses ISIS as the interior gateway protocol to distribute IP routing information among the routers in an AS. The Label Distribution Protocol (LDP) is used to exchange label mapping information for MPLS traffic. And, iBGP is used for exchanging routing and reachability information among ASs.
One thus needs to configure the following protocols:
-
IS-IS : To ensure IP connectivity on the core network.
-
LDP : To establish MPLS LSP tunnels for MPLS data transmission on the network.
-
iBGP: To exchange routing information within an AS.
3.1. Configure IS-IS
The following steps provide the commands to execute various ISIS protocol functionalities. For more detailed information about ISIS configuration, see IS-IS User Guide
-
IS-IS needs to be configured only on the core routing interfaces. Configure IP addresses on the
ifp-0/1/30,ifp-0/1/70andlo-0/0/0interfaces.
set interface ifp-0/1/30 set interface ifp-0/1/30 unit 10 set interface ifp-0/1/30 unit 10 address ipv4 192.168.24.1/24 set interface ifp-0/1/30 unit 10 address ipv6 192:168:24::1/64 set interface ifp-0/1/70 set interface ifp-0/1/70 unit 10 set interface ifp-0/1/70 unit 10 address ipv4 192.168.12.2/24 set interface ifp-0/1/70 unit 10 address ipv6 192:168:12::2/64 set interface lo-0/0/0 set interface lo-0/0/0 unit 10 set interface lo-0/0/0 unit 10 address ipv4 192.168.0.2/32 set interface lo-0/0/0 unit 10 address ipv6 192:168::2/128
-
Configure IS-IS system-id and area.
set instance default protocol isis system-id 1921.6800.1002 set instance default protocol isis area 49.0002/24
IS-IS instance configuration on interface is shown below:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config instance default protocol isis
{
"rtbrick-config:isis": {
"system-id": "1921.6800.1002",
"area": [
"49.0002/24"
]
}
}
-
Configure authentication method for IS-IS.
set instance default protocol isis authentication level-1 type md5 set instance default protocol isis authentication level-1 key1-plain-text Rtbrick_Little_Secret
IS-IS authentication configuration is shown below:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config instance default protocol isis authentication
{
"rtbrick-config:authentication": {
"level-1": {
"type": "md5",
"key1-encrypted-text": "$23a2acca12a3fa68780db026b64daf3bb"
}
}
}
-
To redistribute the routes (belonging to a specific source) into IS-IS, execute the following command. The following command redistributes
directroutes into IS-IS.
set instance default protocol isis level-1 address-family ipv4 unicast redistribute direct
Configuration for redistribution from other sources into IS-IS.
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config instance default protocol isis level-1 address-family
{
"rtbrick-config:address-family": [
{
"afi": "ipv4",
"safi": "unicast",
"redistribute": [
{
"source": "direct"
}
}
]
}
-
Configure the IS-IS interface for IS-IS L1 adjacency formation.
set instance default protocol isis interface ifl-0/1/30/10 set instance default protocol isis interface ifl-0/1/30/10 type point-to-point set instance default protocol isis interface ifl-0/1/30/10 level-2 adjacency-disable true set instance default protocol isis interface ifl-0/1/70/10 set instance default protocol isis interface ifl-0/1/70/10 type point-to-point set instance default protocol isis interface ifl-0/1/70/10 level-2 adjacency-disable true set instance default protocol isis interface lo-0/0/0/10 set instance default protocol isis interface lo-0/0/0/10 type point-to-point set instance default protocol isis interface lo-0/0/0/10 passive true
IS-IS interface configuration for IS-IS adjacency formation is shown below:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config instance default protocol isis interface
{
"rtbrick-config:interface": [
{
"name": "ifl-0/1/30/10",
"type": "point-to-point",
"level-2": {
"adjacency-disable": "true"
}
},
{
"name": "ifl-0/1/70/10",
"type": "point-to-point",
"level-2": {
"adjacency-disable": "true"
}
},
{
"name": "lo-0/0/0/10",
"type": "point-to-point",
"passive": "true"
}
]
}
3.2. Configure LDP on the Interfaces
The following steps provide the commands to execute various LDP functionalities. For more detailed information about LDP configuration, see LDP User Guide.
-
Configure LDP on the router interface.
set instance default protocol ldp router-id 192.168.0.2 set instance default protocol ldp interface ifl-0/1/30/10 set instance default protocol ldp interface ifl-0/1/70/10 set instance default protocol ldp interface lo-0/0/0/10
Configuration for LDP on the interface is shown below:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config instance default protocol ldp
{
"rtbrick-config:ldp": {
"router-id": "192.168.0.2",
"interface": [
{
"name": "ifl-0/1/30/10"
},
{
"name": "ifl-0/1/70/10"
},
{
"name": "lo-0/0/0/10"
}
]
}
}
3.3. Configure BGP
The following steps provide the commands to execute the various BGP functionalities quickly. For more detailed information about BGP configuration, see BGP User Guide.
-
Configure BGP local AS, domain name, and hostname
set instance default protocol bgp local-as 4200000001 set instance default protocol bgp router-id 192.168.0.2
-
Enable the IPv4 and IPv6 address families which are to be supported on the specific BGP instance.
set instance default protocol bgp address-family ipv4 unicast set instance default protocol bgp address-family ipv6 unicast set instance default protocol bgp address-family ipv6 labeled-unicast
BGP local AS, domain name, hostname and address family configurations are shown below:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config instance default protocol bgp
{
"rtbrick-config:bgp": {
"domain-name": "CBNG2",
"hostname": "CBNG2",
"local-as": 4200000001,
"router-id": "192.168.0.2",
"address-family": [
{
"afi": "ipv4",
"safi": "unicast",
"resolve-nexthop": {
"safi": "labeled-unicast"
},
"redistribute": [
{
"source": "static"
}
]
},
{
"afi": "ipv6",
"safi": "labeled-unicast"
},
{
"afi": "ipv6",
"safi": "unicast",
"resolve-nexthop": {
"safi": "labeled-unicast"
},
"redistribute": [
{
"source": "static"
}
]
}
],
<...>
-
Create the peer group (to be attached with the peer later) with the specific remote AS configurations and the address families to be negotiated with the peer. The following command redistributes static routes into BGP.
set instance default protocol bgp address-family ipv4 unicast redistribute static set instance default protocol bgp address-family ipv6 unicast redistribute static
BGP redistribution configuration is shown below:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config instance default protocol bgp address-family ipv4 unicast redistribute
{
"rtbrick-config:redistribute": [
{
"source": "static"
}
]
}
-
Set the resolve-nexthop, if the BGP nexthop attribute of the BGP routes needs to be resolved under ipv4/ipv6 labeled-unicast routing table. It configures only resolve-nexthop safi. Based on the nexthop-type (ipv4 or ipv6), it gets looked up into either IPv4 labeled-unicast or IPv6 labeled-unicast.
set instance default protocol bgp address-family ipv4 unicast resolve-nexthop safi labeled-unicast
Resolve nexthop configuration is shown below:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config instance default protocol bgp address-family ipv4 unicast resolve-nexthop
{
"rtbrick-config:resolve-nexthop": {
"safi": "labeled-unicast"
}
}
-
Create the peer group with the specific remote AS configurations and the address family that is to be negotiated with the peer which will be attached to the peer group later.
set instance default protocol bgp peer-group reflector set instance default protocol bgp peer-group reflector remote-as 4200000001 set instance default protocol bgp peer-group reflector address-family ipv4 unicast set instance default protocol bgp peer-group reflector address-family ipv6 unicast
-
Configure the IPv6 unicast address family with
send-labelas true, then address-family IPv6 labeled-unicast gets negotiated with the peer.
set instance default protocol bgp peer-group reflector address-family ipv6 unicast send-label true set instance default protocol bgp peer-group reflector address-family ipv6 labeled-unicast
Configuration for peer group, address family, and IPv6 unicast address family is shown below:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config instance default protocol bgp peer-group
{
"rtbrick-config:peer-group": [
{
"pg-name": "reflector",
"remote-as": 4200000001,
"address-family": [
{
"afi": "ipv4",
"safi": "unicast"
},
{
"afi": "ipv6",
"safi": "labeled-unicast"
},
{
"afi": "ipv6",
"safi": "unicast",
"send-label": "true"
}
]
}
]
}
-
Add a BGP peer and associate it with the specific peer group.
set instance default protocol bgp peer ipv4 192.168.0.51 192.168.0.2 set instance default protocol bgp peer ipv4 192.168.0.51 192.168.0.2 peer-group reflector
Configuration for adding a BGP peer and associating it with a peer group is shown below:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config instance default protocol bgp peer ipv4
{
"rtbrick-config:peer": {
"ipv4": [
{
"peer-address": "192.168.0.51",
"update-source": "192.168.0.2",
"peer-group": "reflector"
}
]
}
}
3.4. BNG Blaster Configuration for Protocols
BNG Blaster is an open-source network testing platform for access and routing protocols. It can emulate massive PPPoE and IPoE (DHCP) subscribers including IPTV, and L2TP (LNS). There are various routing protocols supported such as ISIS and BGP. So, one can use this platform for end-to-end BNG and non-BNG router testing. For more information about BNG Blaster, see https://github.com/rtbrick/bngblaster
With BNG blaster, one can test protocols such as IS-IS and BGP as well as set up PPPoE/L2TP/IPoE subscribers and validate traffic streams.
The following is a configuration file that is used in BNG Blaster for validating BGP, ISIS, and LDP.
{
"interfaces": {
"tx-interval": 1,
"rx-interval": 1,
"network": [
{
"interface": "SN-15-R1",
"address": "192.168.36.2/24",
"gateway": "192.168.36.1",
"isis-instance-id": 1,
"ldp-instance-id": 1,
"isis-level": 1
},
{
"interface": "SN-17-R2",
"address": "192.168.46.2/24",
"gateway": "192.168.46.1",
"isis-instance-id": 2,
"ldp-instance-id": 2,
"isis-level": 1
},
{
"interface": "SN-19-RR",
"address": "192.168.131.2/24",
"gateway": "192.168.131.1",
"address-ipv6": "fc66:1337:7331::2",
"gateway-ipv6": "fc66:1337:7331::1",
"isis-instance-id": 3,
"ldp-instance-id": 3,
"isis-level": 1
}
],
"access": [
{
"interface": "SN-11-C2",
"type": "ipoe",
"outer-vlan-min": 1001,
"outer-vlan-max": 1100,
"inner-vlan-min": 1001,
"inner-vlan-max": 1100
}
]
},
"sessions": {
"count": 10,
"session-time": 0,
"max-outstanding": 800,
"start-rate": 400,
"stop-rate": 100
},
"access-line": {
"agent-remote-id": "DEU.RTBRICK.{session-global}",
"agent-circuit-id": "0.0.0.0/0.0.0.0 eth 0:{session-global}",
"rate-up": 2000,
"rate-down": 16384,
"dsl-type": 5
},
"dhcp": {
"enable": true
},
"dhcpv6": {
"enable": true
},
"session-traffic": {
"ipv4-pps": 1,
"autostart": true
},
"isis": [
{
"instance-id": 1,
"area": [
"49.0002/24"
],
"system-id": "0204.0000.0001",
"router-id": "192.168.0.36",
"hostname": "BBL-LSR1",
"hello-padding": true,
"teardown-time": 30,
"external": {
"mrt-file": "/home/supervisor/isis.mrt",
"connections": [
{
"system-id": "1921.6800.1003",
"l1-metric": 10
}
]
}
},
{
"instance-id": 2,
"area": [
"49.0002/24"
],
"system-id": "0204.0000.0002",
"router-id": "192.168.0.46",
"hostname": "BBL-LSR2",
"hello-padding": true,
"teardown-time": 30,
"external": {
"mrt-file": "/home/supervisor/isis.mrt",
"connections": [
{
"system-id": "1921.6800.1004",
"l1-metric": 10
}
]
}
},
{
"instance-id": 3,
"area": [
"49.0002/24"
],
"system-id": "0204.0000.0003",
"router-id": "192.168.0.56",
"hostname": "BBL-RR",
"hello-padding": true,
"teardown-time": 30,
"external": {
"mrt-file": "/home/supervisor/isis.mrt",
"connections": [
{
"system-id": "1921.6800.1005",
"l1-metric": 10
}
]
}
}
],
"ldp": [
{
"instance-id": 1,
"lsr-id": "192.168.0.36",
"raw-update-file": "/home/supervisor/out.ldp"
},
{
"instance-id": 2,
"lsr-id": "192.168.0.46",
"raw-update-file": "/home/supervisor/out.ldp"
},
{
"instance-id": 3,
"lsr-id": "192.168.0.56",
"raw-update-file": "/home/supervisor/out.ldp"
}
],
"bgp": [
{
"__comment__": "RR-IPv4",
"network-interface": "SN-19-RR",
"local-ipv4-address": "192.168.0.56",
"peer-ipv4-address": "192.168.0.51",
"raw-update-file": "/home/supervisor/ipv4_nlri.bgp",
"local-as": 4200000001,
"peer-as": 4200000001
},
{
"__comment__": "RR-IPv6",
"network-interface": "SN-19-RR",
"local-ipv4-address": "192.168.0.56",
"peer-ipv4-address": "192.168.0.52",
"raw-update-file": "/home/supervisor/ipv6_nlri.bgp",
"local-as": 4200000001,
"peer-as": 4200000001
}
]
}
3.5. Validating Reachability
The following command line string shows how to start a BNG Blaster instance:
sudo bngblaster -C <filename> -I -c5000
3.5.1. Validating IS-IS Adjacency, Routes and Reachability
Run the following command to show IS-IS adjacency.
supervisor@rtbrick>cbng1.rtbrick.net: op> show isis neighbor Instance: default Interface System Level State Type Up since Expires ifl-0/1/30/10 1921.6800.1004.00 L1 Up P2P Wed Jan 25 11:25:08 in 24s 188435us ifl-0/1/70/10 1921.6800.1003.00 L1 Up P2P Wed Jan 25 11:25:10 in 27s 167063us
After configuring IS-IS protocol, check the IPv4 unicast routes, populated by IS-IS using the following command:
supervisor@rtbrick>cbng1.rtbrick.net: op> show route ipv4 unicast source isis instance default
Instance: default, AFI: ipv4, SAFI: unicast
Prefix/Label Source Pref Next Hop Interface
192.168.0.3/32 isis 15 192.168.13.2 ifl-0/1/30/10
192.168.0.4/32 isis 15 192.168.13.2 ifl-0/1/30/10
192.168.12.2 ifl-0/1/70/10
192.168.0.36/32 isis 15 192.168.13.2 ifl-0/1/30/10
192.168.0.46/32 isis 15 192.168.13.2 ifl-0/1/30/10
192.168.12.2 ifl-0/1/70/10
192.168.0.51/32 isis 15 192.168.13.2 ifl-0/1/30/10
192.168.0.56/32 isis 15 192.168.13.2 ifl-0/1/30/10
192.168.24.0/24 isis 15 192.168.12.2 ifl-0/1/70/10
192.168.34.0/24 isis 15 192.168.13.2 ifl-0/1/30/10
192.168.35.0/24 isis 15 192.168.13.2 ifl-0/1/30/10
192.168.36.0/24 isis 15 192.168.13.2 ifl-0/1/30/10
192.168.45.0/24 isis 15 192.168.13.2 ifl-0/1/30/10
192.168.12.2 ifl-0/1/70/10
192.168.46.0/24 isis 15 192.168.13.2 ifl-0/1/30/10
192.168.12.2 ifl-0/1/70/10
192.168.131.0/24 isis 15 192.168.13.2 ifl-0/1/30/10
Ping the address 192.68.0.3 as follows:
supervisor@rtbrick>cbng1.rtbrick.net: op> ping 192.168.0.3 68 bytes from 192.168.0.3: icmp_seq=1 ttl=64 time=.6654 ms 68 bytes from 192.168.0.3: icmp_seq=2 ttl=64 time=2.5200 ms 68 bytes from 192.168.0.3: icmp_seq=3 ttl=64 time=5.6248 ms 68 bytes from 192.168.0.3: icmp_seq=4 ttl=64 time=.5053 ms 68 bytes from 192.168.0.3: icmp_seq=5 ttl=64 time=3.9981 ms Statistics: 5 sent, 5 received, 0% packet loss
3.5.2. Validating LDP Adjacency, Routes and Reachability
Run the following commands to show LDP neighbor and LDP session.
supervisor@rtbrick>cbng1.rtbrick.net: op> show ldp neighbor Instance: default Interface LDP ID Transport IP Up Since Expires ifl-0/1/30/10 192.168.0.4:0 192.168.0.4 Wed Jan 25 11:24:58 in 14s ifl-0/1/70/10 192.168.0.3:0 192.168.0.3 Wed Jan 25 11:25:00 in 11s
supervisor@rtbrick>cbng1.rtbrick.net: op> show ldp session Instance: default LDP ID Peer IP State Up/Down FECRcvd FECSent 192.168.0.3:0 192.168.0.3 Operational 0d:00h:10m:17s 1006 1006 192.168.0.3:0 192.168.0.4 Operational 0d:00h:10m:15s 1006 1006
After configuring the LDP protocol, check the IPv4 labeled unicast routes, populated by LDP using the following command:
supervisor@rtbrick>cbng1.rtbrick.net: op> show route ipv4 labeled-unicast source ldp
Instance: default, AFI: ipv4, SAFI: labeled-unicast
Prefix/Label Source Pref Next Hop Interface Label
192.168.0.3/32 ldp 9 192.168.13.2 ifl-0/1/30/10 -
192.168.0.4/32 ldp 9 192.168.13.2 ifl-0/1/30/10 20003
192.168.12.2 ifl-0/1/70/10 20003
192.168.0.51/32 ldp 9 192.168.13.2 ifl-0/1/30/10 20002
Ping the labeled unicast address 192.168.0.4 as follows:
supervisor@rtbrick>cbng1.rtbrick.net: op> ping 192.168.0.4 instance default afi ipv4 safi labeled-unicast 68 bytes from 192.168.0.4: icmp_seq=1 ttl=254 time=.8209 ms 68 bytes from 192.168.0.4: icmp_seq=2 ttl=254 time=3.8667 ms 68 bytes from 192.168.0.4: icmp_seq=3 ttl=254 time=5.5854 ms 68 bytes from 192.168.0.4: icmp_seq=4 ttl=254 time=.8076 ms 68 bytes from 192.168.0.4: icmp_seq=5 ttl=254 time=4.4001 ms Statistics: 5 sent, 5 received, 0% packet loss
|
The command argument labeled-unicast takes the ICMP requests through a labeled path while validating IP connectivity and hence, it prepends an MPLS label.
|
3.5.3. Validating BGP Adjacency, Routes and Reachability
Run the following commands to show BGP session and state.
supervisor@rtbrick>cbng1.rtbrick.net: op> show bgp peer Instance: default Peer Remote AS State Up/Down Time PfxRcvd PfxSent 192.168.0.51 4200000001 Established 0d:00h:07m:10s 11500000 0
After configuring BGP, check the IPv4 unicast routes, populated by BGP using the following command:
supervisor@rtbrick>cbng1.rtbrick.net: op> show route ipv4 unicast source bgp instance default Instance: default, AFI: ipv4, SAFI: unicast Prefix/Label Source Pref Next Hop Interface 77.1.0.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.1.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.2.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.3.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.4.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.5.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.6.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.7.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.8.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.9.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.10.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.11.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.12.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.13.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.14.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.15.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.16.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.17.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.18.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.19.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.20.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 77.1.21.0/24 bgp 200 192.168.0.51 ifl-0/1/16/10 <...>
Pinging an IPv4 route (source: bgp) from the CBNGs
supervisor@rtbrick>cbng1.rtbrick.net: op> ping 77.1.9.1 68 bytes from 77.1.9.1: icmp_seq=1 ttl=62 time=10.3916 ms 68 bytes from 77.1.9.1: icmp_seq=2 ttl=62 time=4.2540 ms 68 bytes from 77.1.9.1: icmp_seq=3 ttl=62 time=8.1773 ms 68 bytes from 77.1.9.1: icmp_seq=4 ttl=62 time=3.8388 ms 68 bytes from 77.1.9.1: icmp_seq=5 ttl=62 time=5.1436 ms Statistics: 5 sent, 5 received, 0% packet loss
Check the IPv6 unicast routes, populated by BGP using the following command:
supervisor@rtbrick>cbng1.rtbrick.net: op> show route ipv6 unicast source bgp instance default Instance: default, AFI: ipv6, SAFI: unicast Prefix/Label Source Pref Next Hop Interface 2004::/48 bgp 200 192.168.0.51 ifl-0/1/16/10 2004:0:1::/48 bgp 200 192.168.0.51 ifl-0/1/16/10 2004:0:2::/48 bgp 200 192.168.0.51 ifl-0/1/16/10 2004:0:3::/48 bgp 200 192.168.0.51 ifl-0/1/16/10 2004:0:4::/48 bgp 200 192.168.0.51 ifl-0/1/16/10 2004:0:5::/48 bgp 200 192.168.0.51 ifl-0/1/16/10 2004:0:6::/48 bgp 200 192.168.0.51 ifl-0/1/16/10 2004:0:7::/48 bgp 200 192.168.0.51 ifl-0/1/16/10 2004:0:8::/48 bgp 200 192.168.0.51 ifl-0/1/16/10 2004:0:9::/48 bgp 200 192.168.0.51 ifl-0/1/16/10 2004:0:a::/48 bgp 200 192.168.0.51 ifl-0/1/16/10 2004:0:b::/48 bgp 200 192.168.0.51 ifl-0/1/16/10 2004:0:c::/48 bgp 200 192.168.0.51 ifl-0/1/16/10 2004:0:d::/48 bgp 200 192.168.0.51 ifl-0/1/16/10 <...>
Pinging an IPv6 route (source: bgp) from the C-BNG.
supervisor@rtbrick>cbng1.rtbrick.net: op> ping 2004:0:1:: 68 bytes from 2004:0:1::: icmp_seq=1 ttl=253 time=10.0398 ms 68 bytes from 2004:0:1::: icmp_seq=2 ttl=253 time=2.9673 ms 68 bytes from 2004:0:1::: icmp_seq=3 ttl=253 time=6.2365 ms 68 bytes from 2004:0:1::: icmp_seq=4 ttl=253 time=7.9022 ms 68 bytes from 2004:0:1::: icmp_seq=5 ttl=253 time=1.5511 ms Statistics: 5 sent, 5 received, 0% packet loss
4. IPoE Subscriber Management Configuration
IP-over-Ethernet (IPoE) is an access technology that uses DHCP for IPv4 and DHCPv6 for IPv6 where both protocols are handled in the IPoE daemon (ipoed). IPoE subscribers are identified by IFP, VLANs and client MAC addresses.
The dynamic creation of IPoE subscribers is triggered by DHCPv4 discover or DHCPv6 solicit request from the subscriber. Response is postponed until the subscriber is successfully authenticated using the known authentication methods such as local or RADIUS, however authentication is not mandatory. After the authentication phase, IPv4/IPv6/IPv6-PD address is allocated to the subscriber either from the local pool or from RADIUS.
For IPoE Subscriber Management, the following configurations are mandatory:
-
Access Interface Configuration
-
Access Profile Configuration
-
AAA (Authentication, Authorization and Accounting) Profile Configuration. Based on the authentication requirement, configure any one of the following:
-
Local Authentication
-
Pool Configuration
-
User Profile Configuration
-
-
RADIUS Authentication
-
RADIUS Profile Configuration
-
RADIUS Server Configuration
-
-
This solution section discusses RADIUS authentication.
NOTES:
-
Access interfaces can be configured without VLAN tags (untagged) and with one (single tagged) or two (double tagged) VLAN tags.
-
There can be more than one interface configured for subscriber management and each interface can reference the same profile.
4.1. Configuring IPoE Subscriber Management
For detailed information about the subscriber configuration options, see the Subscriber Management Configuration Guide.
-
Configure the access interface. Double-tagged interface is configured in this case as the access interface (
ifp-0/1/29). The interface configuration assigns the access type, access profile, AAA profile, and further optional attributes like service-profile to the specified access interface.
set access interface double-tagged ifp-0/1/29 1001 1100 1001 1100 set access interface double-tagged ifp-0/1/29 1001 1100 1001 1100 access-type IPoE set access interface double-tagged ifp-0/1/29 1001 1100 1001 1100 access-profile-name ipoe set access interface double-tagged ifp-0/1/29 1001 1100 1001 1100 aaa-profile-name ipoe-aaa set access interface double-tagged ifp-0/1/29 1001 1100 1001 1100 gateway-ifl lo-0/0/0/10
The double-tagged access interface configuration is shown below.
supervisor@rtbrick>cbng1.rtbrick.net: op> show config access interface
{
"rtbrick-config:interface": {
"double-tagged": [
{
"interface-name": "ifp-0/1/29",
"outer-vlan-min": 1001,
"outer-vlan-max": 1100,
"inner-vlan-min": 1001,
"inner-vlan-max": 1100,
"access-type": "IPoE",
"access-profile-name": "ipoe",
"aaa-profile-name": "ipoe-aaa",
"gateway-ifl": "lo-0/0/0/10"
}
]
}
-
Configure the access profile
ipoe.
set access access-profile ipoe set access access-profile ipoe protocol dhcp enable true set access access-profile ipoe protocol dhcp lease-time 60 set access access-profile ipoe protocol dhcpv6 enable true set access access-profile ipoe protocol dhcpv6 lifetime 60 set access access-profile ipoe address-family ipv4 enable true set access access-profile ipoe address-family ipv4 pool-name pool1 set access access-profile ipoe address-family ipv4 instance default set access access-profile ipoe address-family ipv6 enable true set access access-profile ipoe address-family ipv6 pool-name pool1 set access access-profile ipoe address-family ipv6 prefix-delegation-pool-name pool2 set access access-profile ipoe address-family ipv6 instance default
The access profile configuration is shown below.
supervisor@rtbrick>cbng1.rtbrick.net: op> show config access access-profile
{
"rtbrick-config:access-profile": [
{
"profile-name": "ipoe",
"protocol": {
"dhcp": {
"enable": "true",
"lease-time": 60
},
"dhcpv6": {
"enable": "true",
"lifetime": 60
}
},
"address-family": {
"ipv4": {
"enable": "true",
"pool-name": "pool1",
"instance": "default"
},
"ipv6": {
"enable": "true",
"pool-name": "pool1",
"prefix-delegation-pool-name": "pool2",
"instance": "default"
}
}
}
]
}
supervisor@rtbrick>cbng1.rtbrick.net: op>
-
Configure the Authentication and Accounting (AAA) profile for
ipoe-aaa.
set access aaa-profile ipoe-aaa set access aaa-profile ipoe-aaa session-timeout 0 set access aaa-profile ipoe-aaa idle-timeout 0 set access aaa-profile ipoe-aaa aaa-radius-profile aaa-radius1 set access aaa-profile ipoe-aaa authentication order RADIUS set access aaa-profile ipoe-aaa accounting order RADIUS set access aaa-profile ipoe-aaa accounting interim-interval 30 set access aaa-profile ipoe-aaa accounting session-id-format DEFAULT
The access AAA configuration is shown below.
supervisor@rtbrick>cbng1.rtbrick.net: op> show config access aaa-profile
{
"rtbrick-config:aaa-profile": [
{
"profile-name": "ipoe-aaa",
"session-timeout": 0,
"idle-timeout": 0,
"aaa-radius-profile": "aaa-radius1",
"authentication": {
"order": "RADIUS"
},
"accounting": {
"order": "RADIUS",
"interim-interval": 30,
"session-id-format": "DEFAULT"
}
}
]
}
supervisor@rtbrick>cbng1.rtbrick.net: op>
-
In this solution, we configure AAA authentication and accounting with RADIUS. To use RADIUS authentication and accounting both the RADIUS profile and RADIUS server configurations (see below) must be configured.
-
Configure RADIUS profile
aaa-radius1.
set access radius-profile aaa-radius1 set access radius-profile aaa-radius1 nas-identifier 192.168.0.2 set access radius-profile aaa-radius1 nas-port-type Ethernet set access radius-profile aaa-radius1 authentication radius-server-profile-name radius-srv1 set access radius-profile aaa-radius1 accounting radius-server-profile-name radius-srv1
The RADIUS profile configuration is shown below.
supervisor@rtbrick>cbng1.rtbrick.net: op> show config access radius-profile aaa-radius1
{
"rtbrick-config:radius-profile": [
{
"profile-name": "aaa-radius1",
"nas-identifier": "192.168.0.2",
"nas-port-type": "Ethernet",
"authentication": {
"radius-server-profile-name": [
"radius-srv1"
]
},
"accounting": {
"radius-server-profile-name": [
"radius-srv1"
]
}
}
]
}
supervisor@rtbrick>cbng1.rtbrick.net: op>
-
Configure the RADIUS
server radius-srv1.
set access radius-server radius-srv1 set access radius-server radius-srv1 address 192.168.121.2 set access radius-server radius-srv1 source-address 192.168.0.2 set access radius-server radius-srv1 secret-encrypted-text $2b2feb12f730107454b1be6a0f8242b0f set access radius-server radius-srv1 routing-instance default set access radius-server radius-srv1 authentication enable true set access radius-server radius-srv1 authentication timeout 10 set access radius-server radius-srv1 accounting enable true set access radius-server radius-srv1 accounting timeout 10 set access radius-server radius-srv1 coa enable true
The RADIUS server configuration is shown below.
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config access radius-server radius-srv1
{
"rtbrick-config:radius-server": [
{
"server-name": "radius-srv1",
"address": "192.168.121.2",
"source-address": "192.168.0.2",
"secret-encrypted-text": "$2b2feb12f730107454b1be6a0f8242b0f",
"routing-instance": "default",
"authentication": {
"enable": "true",
"timeout": 10
},
"accounting": {
"enable": "true",
"timeout": 10
},
"coa": {
"enable": "true"
}
}
]
}
supervisor@rtbrick>cbng1.rtbrick.net: cfg>
-
Configure the IPv4 and IPv6 access pools.
set access pool pool1 set access pool pool1 ipv4-address low 192.168.100.1 set access pool pool1 ipv4-address high 192.168.200.1 set access pool pool1 ipv6-prefix low 2001:DB8:1:1::1/128 set access pool pool1 ipv6-prefix high 2001:DB8:1:2::5555/128 set access pool pool2 set access pool pool2 ipv6-prefix low 2001:DB9:1::/56 set access pool pool2 ipv6-prefix high 2001:DB9:5000::/56
The access pool configuration is shown below.
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config access pool
{
"rtbrick-config:pool": [
{
"pool-name": "pool1",
"ipv4-address": {
"low": "192.168.100.1",
"high": "192.168.200.1"
},
"ipv6-prefix": {
"low": "2001:DB8:1:1::1/128",
"high": "2001:DB8:1:2::5555/128"
}
},
{
"pool-name": "pool2",
"ipv6-prefix": {
"low": "2001:DB9:1::/56",
"high": "2001:DB9:5000::/56"
}
}
]
}
4.2. IPoE Quality of Service (QoS) Configuration
|
|
The QoS model explained in this document uses a complex HQoS model with the intent to showcase the complete range of QoS features available in RBFS. However, it may not be needed or desirable for all deployments. In such a case it should be possible to conceive of a simple QoS model as required by simplifying the provided QoS model. |
Following are the steps involved in configuring and verifying IPoE QoS:
-
Configuring service profile to enable QoS on IPoE subscriber
-
Configuring downstream QoS
-
Configuring upstream QoS
-
Configuring QoS remarking
-
Configuring IPoE subscriber accounting for upstream and downstream traffic
-
Configuring IPoE subscribers QoS on BNG Blaster
-
Validating IPoE QoS on BNG Blaster
The figure below shows how QoS is configured for ingress and egress traffic.
Fig. 2: Hierarchical Quality of Service primitives
For detailed information about the QoS configuration options, see the HQoS Configuration Guide.
4.2.1. Configure Service Profile
Service profile configuration in subscriber management allows to assign QoS configurations to a subscriber.
-
Configure the service profile to enable QoS. The service profile defined to enable Quality of Service with profile name is
subs-triple-play.
set access service-profile qos_service qos profile subs-triple-play
The configuration of the service profile named subs-triple-play is shown below.
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config access service-profile qos_service
{
"rtbrick-config:service-profile": [
{
"profile-name": "qos_service",
"qos": {
"profile": "subs-triple-play"
}
}
]
}
-
Enable QoS on IPoE subscriber access interface (
ifp-0/1/29) to enable QoS for IPoE subscriber.
set access interface double-tagged ifp-0/1/29 1001 1100 1001 1100 service-profile-name qos_service
Below is the double-tagged access interface on which the service profile qos_service is configured.
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config access interface double-tagged ifp-0/1/29 1001 1100 1001 1100
{
"rtbrick-config:double-tagged": [
{
"interface-name": "ifp-0/1/29",
"outer-vlan-min": 1001,
"outer-vlan-max": 1100,
"inner-vlan-min": 1001,
"inner-vlan-max": 1100,
"access-type": "IPoE",
"access-profile-name": "ipoe",
"service-profile-name": "qos_service",
"aaa-profile-name": "ipoe-aaa",
"gateway-ifl": "lo-0/0/0/10"
}
]
}
-
Configure QoS profile to enable on IPoE subscriber.
set forwarding-options class-of-service profile subs-triple-play set forwarding-options class-of-service profile subs-triple-play classifier-name subs-pbit-class set forwarding-options class-of-service profile subs-triple-play class-queue-map-name subs-4queues set forwarding-options class-of-service profile subs-triple-play remark-map-name subs-remarking-triple-play set forwarding-options class-of-service profile subs-triple-play class-policer-map-name policer-map-residential set forwarding-options class-of-service profile subs-triple-play policer-name policer-residential set forwarding-options class-of-service profile subs-triple-play scheduler-map-name subs-4queues-triple-play
The QoS Profile with all the primitives needed to enable traffic profiles on IPoE Subscribers is as follows:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service profile subs-triple-play
{
"rtbrick-config:profile": [
{
"profile-name": "subs-triple-play",
"classifier-name": "subs-pbit-class",
"class-queue-map-name": "subs-4queues",
"remark-map-name": "subs-remarking-triple-play",
"class-policer-map-name": "policer-map-residential",
"policer-name": "policer-residential",
"scheduler-map-name": "subs-4queues-triple-play"
}
]
}
4.2.2. Configure Downstream QoS
Downstream Quality of Service (QoS) is used to prioritize network traffic from the Internet to subscribers.
-
Enable global classification for downstream traffic.
set forwarding-options class-of-service global multifield-classifier-name global_mfc
Below is the multi-field-classifier (MFC) based classifier for global enabling of downstream traffic classification.
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service global multifield-classifier-name
{
"rtbrick-config:multifield-classifier-name": "global_mfc"
}
-
Configure the MFC-based classifier with qualifiers and actions.
set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1001 set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1001 match ipv4-tos 128 set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1001 match source-ipv4-prefix 192.168.131.2/32 set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1001 action forward-class class-0 set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1002 set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1002 match ipv4-tos 160 set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1002 match source-ipv4-prefix 192.168.131.2/32 set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1002 action forward-class class-1 set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1003 set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1003 match ipv4-tos 192 set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1003 match source-ipv4-prefix 192.168.131.2/32 set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1003 action forward-class class-2 set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1004 set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1004 match ipv4-tos 224 set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1004 match source-ipv4-prefix 192.168.131.2/32 set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1004 action forward-class class-3
The configuration of the QoS MFC-based Classifier for classification of downstream traffic from the core towards IPoE Subscriber is shown below.
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc
{
"rtbrick-config:rule": [
{
"rule-name": "global_mfc",
"ordinal": [
{
"ordinal-value": 1001,
"match": {
"ipv4-tos": 128,
"source-ipv4-prefix": "192.168.131.2/32"
},
"action": {
"forward-class": "class-0"
}
},
{
"ordinal-value": 1002,
"match": {
"ipv4-tos": 160,
"source-ipv4-prefix": "192.168.131.2/32"
},
"action": {
"forward-class": "class-1"
}
},
{
"ordinal-value": 1003,
"match": {
"ipv4-tos": 192,
"source-ipv4-prefix": "192.168.131.2/32"
},
"action": {
"forward-class": "class-2"
}
},
{
"ordinal-value": 1004,
"match": {
"ipv4-tos": 224,
"source-ipv4-prefix": "192.168.131.2/32"
},
"action": {
"forward-class": "class-3"
}
}
]
}
]
}
-
Enqueue classified traffic to different queues using class-to-queue mapping.
set forwarding-options class-of-service queue-group subs-4queues queue-numbers 4
Below is the QoS class-queue mapping configuration:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service class-queue-map subs-4queues class
{
"rtbrick-config:class": [
{
"class-type": "class-0",
"queue-name": "BE_SUBS"
},
{
"class-type": "class-1",
"queue-name": "LD_SUBS"
},
{
"class-type": "class-2",
"queue-name": "LL_SUBS"
},
{
"class-type": "class-3",
"queue-name": "VO_SUBS"
}
]
}
-
Configure the queues needed for enqueuing and dequeuing traffic streams.
set forwarding-options class-of-service queue BE_SUBS set forwarding-options class-of-service queue BE_SUBS queue-size 375000 set forwarding-options class-of-service queue BE_SUBS header-compensation bytes 22 set forwarding-options class-of-service queue BE_SUBS header-compensation decrement true set forwarding-options class-of-service queue LD_SUBS set forwarding-options class-of-service queue LD_SUBS queue-size 625000 set forwarding-options class-of-service queue LD_SUBS header-compensation bytes 22 set forwarding-options class-of-service queue LD_SUBS header-compensation decrement true set forwarding-options class-of-service queue LL_SUBS set forwarding-options class-of-service queue LL_SUBS queue-size 625000 set forwarding-options class-of-service queue LL_SUBS header-compensation bytes 22 set forwarding-options class-of-service queue LL_SUBS header-compensation decrement true set forwarding-options class-of-service queue VO_SUBS set forwarding-options class-of-service queue VO_SUBS queue-size 156250 set forwarding-options class-of-service queue VO_SUBS shaper-name shaper_VO set forwarding-options class-of-service queue VO_SUBS header-compensation bytes 22 set forwarding-options class-of-service queue VO_SUBS header-compensation decrement true
The queue Configuration is shown below.
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service queue
{
"rtbrick-config:queue": [
{
"queue-name": "BE_SUBS",
"queue-size": 375000,
"header-compensation": {
"bytes": 22,
"decrement": "true"
}
},
{
"queue-name": "LD_SUBS",
"queue-size": 625000,
"header-compensation": {
"bytes": 22,
"decrement": "true"
}
},
{
"queue-name": "LL_SUBS",
"queue-size": 625000,
"header-compensation": {
"bytes": 22,
"decrement": "true"
}
},
{
"queue-name": "VO_SUBS",
"queue-size": 156250,
"shaper-name": "shaper_VO",
"header-compensation": {
"bytes": 22,
"decrement": "true"
}
}
]
}
-
Configure the scheduler needed by Subscriber/Session scheduler-map and OLT scheduler-map.
set forwarding-options class-of-service scheduler pon0 set forwarding-options class-of-service scheduler pon0 type fair_queueing set forwarding-options class-of-service scheduler subs-4queues set forwarding-options class-of-service scheduler subs-4queues shaper-name shaper_session set forwarding-options class-of-service scheduler subs-4queues type strict_priority set forwarding-options class-of-service scheduler subs-4queues composite false
The configuration of the scheduler-map and OLT scheduler-map is shown below.
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service scheduler
{
"rtbrick-config:scheduler": [
{
"scheduler-name": "pon0",
"type": "fair_queueing"
},
{
"scheduler-name": "subs-4queues",
"shaper-name": "shaper_session",
"type": "strict_priority",
"composite": "false"
}
]
}
-
Configure the session/subscriber scheduler mapping for dequeuing traffic based on scheduler type for each queue:
set forwarding-options class-of-service scheduler-map subs-4queues-triple-play set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name BE_SUBS set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name BE_SUBS parent-flow high-flow set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name BE_SUBS parent-scheduler-name subs-4queues set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name BE_SUBS connection-point strict_priority_3 set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name LD_SUBS set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name LD_SUBS parent-flow high-flow set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name LD_SUBS parent-scheduler-name subs-4queues set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name LD_SUBS connection-point strict_priority_1 set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name LL_SUBS set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name LL_SUBS parent-flow high-flow set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name LL_SUBS parent-scheduler-name subs-4queues set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name LL_SUBS connection-point strict_priority_2 set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name VO_SUBS set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name VO_SUBS parent-flow high-flow set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name VO_SUBS parent-scheduler-name subs-4queues set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name VO_SUBS connection-point strict_priority_0 set forwarding-options class-of-service scheduler-map subs-4queues-triple-play scheduler-name subs-4queues set forwarding-options class-of-service scheduler-map subs-4queues-triple-play scheduler-name subs-4queues port-connection scheduler_to_port
The QoS Subscriber/Session Scheduler-Map configuration is shown below:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service scheduler-map subs-4queues-triple-play
{
"rtbrick-config:scheduler-map": [
{
"scheduler-map-name": "subs-4queues-triple-play",
"queue-group-name": [
{
"group-name": "subs-4queues",
"queue-name": [
{
"name": "BE_SUBS",
"parent-flow": "high-flow",
"parent-scheduler-name": "subs-4queues",
"connection-point": "strict_priority_3"
},
{
"name": "LD_SUBS",
"parent-flow": "high-flow",
"parent-scheduler-name": "subs-4queues",
"connection-point": "strict_priority_1"
},
{
"name": "LL_SUBS",
"parent-flow": "high-flow",
"parent-scheduler-name": "subs-4queues",
"connection-point": "strict_priority_2"
},
{
"name": "VO_SUBS",
"parent-flow": "high-flow",
"parent-scheduler-name": "subs-4queues",
"connection-point": "strict_priority_0"
}
]
}
],
"scheduler-name": [
{
"name": "subs-4queues",
"port-connection": "scheduler_to_port"
}
]
}
]
}
-
Configure the OLT scheduler-mapping for each PON to be scheduled according to the scheduler type.
set forwarding-options class-of-service scheduler-map schedmap-olt set forwarding-options class-of-service scheduler-map schedmap-olt scheduler-name pon0 set forwarding-options class-of-service scheduler-map schedmap-olt scheduler-name pon0 port-connection scheduler_to_port
The OLT Scheduler-Map configuration is shown below:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service scheduler-map schedmap-olt
{
"rtbrick-config:scheduler-map": [
{
"scheduler-map-name": "schedmap-olt",
"scheduler-name": [
{
"name": "pon0",
"port-connection": "scheduler_to_port"
}
]
}
]
}
-
Configure downstream traffic shaping for both session schedulers and queues.
|
|
Queue Shaping is only on VO_SUBS Queue. |
set forwarding-options class-of-service shaper shaper_VO set forwarding-options class-of-service shaper shaper_VO shaping-rate-high 2000 set forwarding-options class-of-service shaper shaper_VO shaping-rate-low 0 set forwarding-options class-of-service shaper shaper_session set forwarding-options class-of-service shaper shaper_session shaping-rate-high 10000 set forwarding-options class-of-service shaper shaper_session shaping-rate-low 100
The shaping Configuration is shown below.
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service shaper
{
"rtbrick-config:shaper": [
{
"shaper-name": "shaper_VO",
"shaping-rate-high": 2000,
"shaping-rate-low": 0
},
{
"shaper-name": "shaper_session",
"shaping-rate-high": 10000,
"shaping-rate-low": 100
}
]
}
4.2.3. Configure Upstream QoS
-
Configure the BA Classifier for the classification of multiple traffic streams targeted at IPoE subscribers:
set forwarding-options class-of-service classifier subs-pbit-class set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 1 set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 1 class class-0 set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 2 set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 2 class class-1 set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 3 set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 3 class class-2 set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 4 set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 4 class class-3
The configuration of the QoS BA-based Classifier for classification of upstream traffic towards IPoE Subscriber is shown below.
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service classifier subs-pbit-class
{
"rtbrick-config:classifier": [
{
"classifier-name": "subs-pbit-class",
"match-type": [
{
"match-type": "ieee-802.1",
"codepoint": [
{
"codepoint": 1,
"class": "class-0"
},
{
"codepoint": 2,
"class": "class-1"
},
{
"codepoint": 3,
"class": "class-2"
},
{
"codepoint": 4,
"class": "class-3"
}
]
}
]
}
]
}
-
Configure multi-level policer to police 4-Level traffic.
set forwarding-options class-of-service policer policer-residential set forwarding-options class-of-service policer policer-residential level1-rates cir 2000 set forwarding-options class-of-service policer policer-residential level1-rates cbs 1000 set forwarding-options class-of-service policer policer-residential level1-rates pir 2500 set forwarding-options class-of-service policer policer-residential level1-rates pbs 1000 set forwarding-options class-of-service policer policer-residential level2-rates cir 3000 set forwarding-options class-of-service policer policer-residential level2-rates cbs 1000 set forwarding-options class-of-service policer policer-residential level2-rates pir 3500 set forwarding-options class-of-service policer policer-residential level2-rates pbs 1000 set forwarding-options class-of-service policer policer-residential level3-rates cir 4000 set forwarding-options class-of-service policer policer-residential level3-rates cbs 1000 set forwarding-options class-of-service policer policer-residential level3-rates pir 4500 set forwarding-options class-of-service policer policer-residential level3-rates pbs 1000 set forwarding-options class-of-service policer policer-residential level4-rates cir 1000 set forwarding-options class-of-service policer policer-residential level4-rates cbs 1000 set forwarding-options class-of-service policer policer-residential level4-rates pir 1500 set forwarding-options class-of-service policer policer-residential level4-rates pbs 1000 set forwarding-options class-of-service policer policer-residential levels 4 set forwarding-options class-of-service policer policer-residential type two-rate-three-color
The multi-level policer configuration is shown below:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service policer policer-residential
{
"rtbrick-config:policer": [
{
"policer-name": "policer-residential",
"level1-rates": {
"cir": 2000,
"cbs": 1000,
"pir": 2500,
"pbs": 1000
},
"level2-rates": {
"cir": 3000,
"cbs": 1000,
"pir": 3500,
"pbs": 1000
},
"level3-rates": {
"cir": 4000,
"cbs": 1000,
"pir": 4500,
"pbs": 1000
},
"level4-rates": {
"cir": 1000,
"cbs": 1000,
"pir": 1500,
"pbs": 1000
},
"levels": 4,
"type": "two-rate-three-color"
}
]
}
-
Map the classified traffic streams to different policer levels using class-to-policer mapping:
set forwarding-options class-of-service class-policer-map policer-map-residential class class-0 set forwarding-options class-of-service class-policer-map policer-map-residential class class-0 policer-level level-1 set forwarding-options class-of-service class-policer-map policer-map-residential class class-1 set forwarding-options class-of-service class-policer-map policer-map-residential class class-1 policer-level level-2 set forwarding-options class-of-service class-policer-map policer-map-residential class class-2 set forwarding-options class-of-service class-policer-map policer-map-residential class class-2 policer-level level-3 set forwarding-options class-of-service class-policer-map policer-map-residential class class-3 set forwarding-options class-of-service class-policer-map policer-map-residential class class-3 policer-level level-4
The class-policer-map configuration is shown below:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service class-policer-map policer-map-residential class
{
"rtbrick-config:class": [
{
"class": "class-0",
"policer-level": "level-1"
},
{
"class": "class-1",
"policer-level": "level-2"
},
{
"class": "class-2",
"policer-level": "level-3"
},
{
"class": "class-3",
"policer-level": "level-4"
}
]
}
4.2.4. Configure QoS Remarking
-
Remark downstream traffic egressing from subscriber interface (egress remarking).
set forwarding-options class-of-service remark-map subs-remarking-triple-play set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 128 set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 128 color all set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 128 color all remark-codepoint 6 set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 160 set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 160 color all set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 160 color all remark-codepoint 6 set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 192 set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 192 color all set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 192 color all remark-codepoint 6 set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 224 set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 224 color all set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 224 color all remark-codepoint 6
The remarking configuration is shown below:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service remark-map subs-remarking-triple-play
{
"rtbrick-config:remark-map": [
{
"remark-map-name": "subs-remarking-triple-play",
"remark-type": [
{
"remark-type": "ieee-802.1",
"match-codepoint": [
{
"match-codepoint": 128,
"color": [
{
"color": "all",
"remark-codepoint": 6
}
]
},
{
"match-codepoint": 160,
"color": [
{
"color": "all",
"remark-codepoint": 6
}
]
},
{
"match-codepoint": 192,
"color": [
{
"color": "all",
"remark-codepoint": 6
}
]
},
{
"match-codepoint": 224,
"color": [
{
"color": "all",
"remark-codepoint": 6
}
]
}
]
}
]
}
]
}
-
Validate the downstream traffic remarking.
|
|
This validation requires mirroring the subscriber access interface on the C-BNG device. |
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options mirror
{
"rtbrick-config:mirror": [
{
"name": "m1",
"destination": {
"interface": "cpu-0/0/200"
},
"source": {
"direction": "egress",
"interface": "ifp-0/1/29"
}
}
]
}
The capture mirroring can be performed as shown below.
supervisor@rtbrick>cbng1.rtbrick.net: cfg> capture mirror
2022-12-07T09:42:52.360141+0000 e8:c5:7a:8f:77:56 > 02:00:00:00:00:01, ethertype 802.1Q (0x8100), length 1022: vlan 1001, p 6, ethertype 802.1Q, vlan 1001, p 6, ethertype IPv4, (tos 0xa0, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
192.168.131.2.65056 > 10.100.128.5.65056: UDP, length 972
2022-12-07T09:42:52.360194+0000 e8:c5:7a:8f:77:56 > 02:00:00:00:00:01, ethertype 802.1Q (0x8100), length 1022: vlan 1001, p 6, ethertype 802.1Q, vlan 1001, p 6, ethertype IPv4, (tos 0xa0, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
192.168.131.2.65056 > 10.100.128.5.65056: UDP, length 972
2022-12-07T09:42:52.360260+0000 e8:c5:7a:8f:77:56 > 02:00:00:00:00:01, ethertype 802.1Q (0x8100), length 1022: vlan 1001, p 6, ethertype 802.1Q, vlan 1001, p 6, ethertype IPv4, (tos 0xa0, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
192.168.131.2.65056 > 10.100.128.5.65056: UDP, length 972
2022-12-07T09:42:52.360317+0000 e8:c5:7a:8f:77:56 > 02:00:00:00:00:01, ethertype 802.1Q (0x8100), length 1022: vlan 1001, p 6, ethertype 802.1Q, vlan 1001, p 6, ethertype IPv4, (tos 0xa0, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
192.168.131.2.65056 > 10.100.128.5.65056: UDP, length 972
-
Remark upstream traffic ingressing to a subscriber’s interface [ingress remarking]
|
|
In the below upstream traffic classifier configuration, remarking of all traffic streams with code point '7' is done. |
set forwarding-options class-of-service classifier subs-pbit-class set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 1 set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 1 class class-0 set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 1 remark-codepoint 7 set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 2 set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 2 class class-1 set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 2 remark-codepoint 7 set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 3 set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 3 class class-2 set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 3 remark-codepoint 7 set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 4 set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 4 class class-3 set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 4 remark-codepoint 7
Below is the remarking configuration:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service classifier subs-pbit-class
{
"rtbrick-config:classifier": [
{
"classifier-name": "subs-pbit-class",
"match-type": [
{
"match-type": "ieee-802.1",
"codepoint": [
{
"codepoint": 1,
"class": "class-0",
"remark-codepoint": 7
},
{
"codepoint": 2,
"class": "class-1",
"remark-codepoint": 7
},
{
"codepoint": 3,
"class": "class-2",
"remark-codepoint": 7
},
{
"codepoint": 4,
"class": "class-3",
"remark-codepoint": 7
}
]
}
]
}
]
}
-
Validate the upstream traffic remarking.
|
|
Mirror the core facing port on the C-BNG device as shown below. |
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options mirror m1
{
"rtbrick-config:mirror": [
{
"name": "m1",
"destination": {
"interface": "cpu-0/0/200"
},
"source": {
"direction": "egress",
"interface": "ifp-0/1/23"
}
}
]
}
The capture mirroring can be performed as shown below. It confirms all four traffic streams noted with codepoint=7.
supervisor@rtbrick>cbng1.rtbrick.net: cfg> capture mirror
2022-12-07T09:20:00.589238+0000 e8:c5:7a:8f:77:53 > 7a:07:dc:c0:00:00, ethertype IPv4 (0x0800), length 1014: (tos 0x7,CE, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
10.100.128.5.65056 > 192.168.131.2.65056: UDP, length 972
2022-12-07T09:20:00.589292+0000 e8:c5:7a:8f:77:53 > 7a:07:dc:c0:00:00, ethertype IPv4 (0x0800), length 1014: (tos 0x7,CE, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
10.100.128.5.65056 > 192.168.131.2.65056: UDP, length 972
2022-12-07T09:20:00.589434+0000 e8:c5:7a:8f:77:53 > 7a:07:dc:c0:00:00, ethertype IPv4 (0x0800), length 1014: (tos 0x7,CE, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
10.100.128.5.65056 > 192.168.131.2.65056: UDP, length 972
2022-12-07T09:20:00.589492+0000 e8:c5:7a:8f:77:53 > 7a:07:dc:c0:00:00, ethertype IPv4 (0x0800), length 1014: (tos 0x7,CE, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
10.100.128.5.65056 > 192.168.131.2.65056: UDP, length 972
2022-12-07T09:20:00.589545+0000 e8:c5:7a:8f:77:53 > 7a:07:dc:c0:00:00, ethertype IPv4 (0x0800), length 1014: (tos 0x7,CE, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
10.100.128.5.65056 > 192.168.131.2.65056: UDP, length 972
2022-12-07T09:20:00.589602+0000 e8:c5:7a:8f:77:53 > 7a:07:dc:c0:00:00, ethertype IPv4 (0x0800), length 1014: (tos 0x7,CE, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
10.100.128.5.65056 > 192.168.131.2.65056: UDP, length 972
2022-12-07T09:20:00.589656+0000 e8:c5:7a:8f:77:53 > 7a:07:dc:c0:00:00, ethertype IPv4 (0x0800), length 1014: (tos 0x7,CE, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
10.100.128.5.65056 > 192.168.131.2.65056: UDP, length 9
4.3. Configure FreeRADIUS Server
FreeRADIUS server can be installed on any Linux OS distribution. Once the FreeRadius is installed, perform the following steps to make the server operational.
Files Configuration
mods-config/files/authorize
Using the following command, one can view the authorize file in its default location.
~:/etc/freeradius/3.0 # cat mods-config/files/authorize
The following parameter shall be configured in the authorize file:
$INCLUDE /etc/freeradius/3.0/ipoe_qos_dhcpv4_dhcpv6_radius_users
The authorize file can be downloaded from the appendix section of this guide and replaced with the /etc/freeradius/3.0/mods-config/files/authorize file.
Users File
Users file includes subscriber profile parameters as shown below.
"02:00:00:00:00:01@ipoe" Cleartext-Password := "ipoe"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Class = "02:00:00:00:00:01@ipoe",
Framed-IP-Address = 10.100.128.0,
Framed-IP-Netmask = 255.255.255.255,
RtBrick-DNS-Primary = 10.0.0.3,
RtBrick-DNS-Secondary = 10.0.0.4,
Framed-IPv6-Prefix = fc67:1001:1::1/128,
Delegated-IPv6-Prefix = fc67:1001::/56,
RtBrick-DNS-Primary-IPv6 = fc66:0::3,
RtBrick-DNS-Secondary-IPv6 = fc66:0::4,
Session-Timeout = 0,
Idle-Timeout = 0,
Acct-Interim-Interval = 60,
RtBrick-QoS-Profile = "subs-triple-play",
RtBrick-QoS-Parent-Scheduler = "pon0",
RtBrick-QoS-Shaper = "name=shaper_session,high=10m,low=100;name=shaper_VO,high=2m,low=100;",
RtBrick-QoS-Policer = "1,2m,1000;2,1m,1000;3,1m,1000;4,1500,1000",
RtBrick-QoS-MFC = "subs-triple-play",
RtBrick-LI-Action = 1,
RtBrick-LI-Direction = 1,
RtBrick-LI-MED-Instance = "li_default",
RtBrick-LI-MED-IP = 172.16.0.2,
RtBrick-LI-MED-Port = 65001,
RtBrick-IGMP-Status = ENABLED,
RtBrick-IGMP-Status = ENABLED,
RtBrick-IGMP-Profile = "iptv_default",
RtBrick-IGMP-Max-Members = 10,
In the appendix section of this guide, you can download the users_file file for creating the FreeRADIUS users_file (/etc/freeradius/3.0/users_file).
Clients.conf
Clients.conf file shall be configured with the expected RADIUS client IP address and secret.
~:/etc/freeradius/3.0 # cat clients.conf
client rtbrick {
ipaddr = 192.168.0.2
secret = testing123
shortname = rtbrick
nas_type = other
require_message_authenticator = no
}
The clients.conf file (/etc/freeradius/3.0/clients.conf) used for this reference design can be downloaded from the appendix section of this guide.
RtBrick RADIUS Dictionary
Add the RtBrick RADIUS dictionary to /usr/share/freeradius/dictionary.rtbrick and include it in` /usr/share/freeradius/dictionary`.
Stopping and Starting the FreeRADIUS Server for any Changes
For any changes, stop and restart the FreeRADIUS server.
To stop the server, enter the following command:
sudo service freeradius stop
To start the server, enter the following command:
sudo service freeradius start
The FreeRadius server is now ready to provide AAA (Authentication, Accounting & Authorization) services to logging in subscribers.
4.4. Validating IPoE Subscriber Bring-Up
Using traffic streams on both upstream and downstream directions with traffic packets and bytes statistics, IPoE Subscriber sessions can be "ESTABLISHED".
The validation can be performed in two steps:
-
Establishing the IPoE subscriber
-
Pinging the subscriber IPv4/IPv6 address
4.4.1. BNG Blaster - IPoE Subscribers with Traffic Streams
Using BNG Blaster, which emulates IPoE clients and traffic streams witn different code points, one can test IPoE subscriber management feature.
supervisor@SN-STD-27-119820607:~ $ cat blaster_qos.json
{
"interfaces": {
"tx-interval": 1,
"rx-interval": 1,
"network": [
{
"interface": "SN-15-R1",
"address": "36.1.1.2/24",
"gateway": "36.1.1.1",
"isis-instance-id": 1,
"ldp-instance-id": 1,
"isis-level": 1
},
{
"interface": "SN-17-R2",
"address": "46.1.1.2/24",
"gateway": "46.1.1.1",
"isis-instance-id": 2,
"ldp-instance-id": 2,
"isis-level": 1
},
{
"interface": "SN-19-RR",
"address": "192.168.131.2/24",
"gateway": "192.168.131.1",
"address-ipv6": "fc66:1337:7331::2",
"gateway-ipv6": "fc66:1337:7331::1",
"isis-instance-id": 3,
"ldp-instance-id": 3,
"isis-level": 1
}
],
"access": [
{
"interface": "SN-5-C1",
"type": "ipoe",
"stream-group-id": 1,
"outer-vlan-min": 1001,
"outer-vlan-max": 1100,
"inner-vlan-min": 1001,
"inner-vlan-max": 1100
}
]
},
"sessions": {
"count": 10,
"session-time": 0,
"max-outstanding": 800,
"start-rate": 400,
"stop-rate": 100
},
"access-line": {
"agent-remote-id": "DEU.RTBRICK.{session-global}",
"agent-circuit-id": "0.0.0.0/0.0.0.0 eth 0:{session-global}",
"rate-up": 2000,
"rate-down": 16384,
"dsl-type": 5
},
"dhcp": {
"enable": true
},
"dhcpv6": {
"enable": true
},
"session-traffic": {
"ipv4-pps": 10,
"ipv6-pps": 10,
"ipv6pd-pps": 10,
"autostart": true
},
"streams": [
{
"name": "BE",
"stream-group-id": 1,
"type": "ipv4",
"direction": "both",
"network-ipv4-address": "192.168.131.2",
"network-interface": "SN-19-RR",
"vlan-priority": 1,
"priority": 128,
"length": 1000,
"pps": 2000
},
{
"name": "LowDelay",
"stream-group-id": 1,
"type": "ipv4",
"direction": "both",
"network-ipv4-address": "192.168.131.2",
"network-interface": "SN-19-RR",
"vlan-priority": 2,
"priority": 160,
"length": 1000,
"pps": 2000
},
{
"name": "LowLoss",
"stream-group-id": 1,
"type": "ipv4",
"direction": "both",
"network-ipv4-address": "192.168.131.2",
"network-interface": "SN-19-RR",
"vlan-priority": 3,
"priority": 192,
"length": 1000,
"pps": 2000
},
{
"name": "VoIP",
"stream-group-id": 1,
"type": "ipv4",
"direction": "both",
"network-ipv4-address": "192.168.131.2",
"network-interface": "SN-19-RR",
"vlan-priority": 4,
"priority": 224,
"length": 1000,
"pps": 2000
}
],
"ldp": [
{
"instance-id": 1,
"lsr-id": "192.1.0.36",
"keepalive-time": 30,
"raw-update-file": "ldp_1000.ldp"
},
{
"instance-id": 2,
"lsr-id": "192.1.0.46",
"keepalive-time": 30,
"raw-update-file": "ldp_1000.ldp"
},
{
"instance-id": 3,
"lsr-id": "192.1.0.56",
"keepalive-time": 30,
"raw-update-file": "ldp_1000.ldp"
},
],
"isis": [
{
"instance-id": 1,
"area": [
"49.0002/24"
],
"system-id": "0204.0000.0001",
"router-id": "192.1.0.36",
"hostname": "BBL-LSR1",
"hello-padding": true,
"teardown-time": 30,
"external": {
"mrt-file": "/home/supervisor/isis.mrt",
"connections": [
{
"system-id": "1921.6800.1003",
"l1-metric": 10
}
]
}
},
{
"instance-id": 2,
"area": [
"49.0002/24"
],
"system-id": "0204.0000.0002",
"router-id": "192.1.0.46",
"hostname": "BBL-LSR2",
"hello-padding": true,
"teardown-time": 30,
"external": {
"mrt-file": "/home/supervisor/isis.mrt",
"connections": [
{
"system-id": "1921.6800.1004",
"l1-metric": 10
}
]
}
},
{
"instance-id": 3,
"area": [
"49.0002/24"
],
"system-id": "0204.0000.0003",
"router-id": "192.1.0.56",
"hostname": "BBL-RR",
"hello-padding": true,
"teardown-time": 30,
"external": {
"mrt-file": "/home/supervisor/isis.mrt",
"connections": [
{
"system-id": "1921.6800.1005",
"l1-metric": 10
}
]
}
}
],
"bgp": [
{
"__comment__": "RR-IPv4",
"network-interface": "SN-19-RR",
"local-ipv4-address": "192.1.0.56",
"peer-ipv4-address": "192.1.0.51",
"raw-update-file": "/home/supervisor/ipv4_nlri.bgp",
"local-as": 3330,
"peer-as": 3320
},
{
"__comment__": "RR-IPv6",
"network-interface": "SN-19-RR",
"local-ipv4-address": "192.1.0.56",
"peer-ipv4-address": "192.1.0.52",
"raw-update-file": "/home/supervisor/ipv6_nlri.bgp",
"local-as": 3330,
"peer-as": 3320
}
]
}
supervisor@SN-STD-27-119820607:~ $
Validating the IPoE Session on BNG Blaster
Using the following command, IPoE subscribers are brought up and traffic flows are validated in both upstream and downstream directions.
supervisor@rtbrick:~ $ sudo bngblaster -C ipoe.json -S run.sock -I -c 10
In the image below, one can see the details of the established session (i.e. the sessions of 10 subscribers).
Fig 3: BNG Blaster terminal view
Visit the following URL for more information on BNG Blaster:
Viewing the Subscribers and the Subscriber Details
Enter the following command to view the list of subscribers.
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show subscriber Subscriber-Id Interface VLAN Type State 1369375761697341447 ifp-0/1/29 1009:1019 IPoE ESTABLISHED 1369375761697341448 ifp-0/1/29 1009:1014 IPoE ESTABLISHED 1369375761697341449 ifp-0/1/29 1009:1009 IPoE ESTABLISHED 1369375761697341450 ifp-0/1/29 1009:1004 IPoE ESTABLISHED 1369375761697341451 ifp-0/1/29 1009:1020 IPoE ESTABLISHED 1369375761697341452 ifp-0/1/29 1009:1025 IPoE ESTABLISHED 1369375761697341453 ifp-0/1/29 1009:1026 IPoE ESTABLISHED 1369375761697341454 ifp-0/1/29 1009:1027 IPoE ESTABLISHED 1369375761697341455 ifp-0/1/29 1009:1028 IPoE ESTABLISHED 1369375761697341456 ifp-0/1/29 1009:1029 IPoE ESTABLISHED supervisor@rtbrick>cbng1.rtbrick.net: cfg>
Enter the following command to view the details of the subscriber with ID 1369375761697341454.
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show subscriber 1369375761697341454 detail
Subscriber-Id: 1369375761697341454
Type: IPoE
State: ESTABLISHED
Created: Fri Dec 02 08:28:54 GMT +0000 2022
Interface: ifp-0/1/29
Outer VLAN: 1009
Inner VLAN: 1027
Client MAC: 02:00:00:00:03:3b
Server MAC: a8:b5:7e:8f:66:43
IFL: ipoe-0/1/29/1369375761697341454
Username: 02:00:00:00:03:3b@ipoe
Agent-Remote-Id: DEU.RTBRICK.827
Agent-Circuit-Id: 0.0.0.0/0.0.0.0 eth 0:827
Access-Profile: ipoe
AAA-Profile: ipoe-aaa
Reply-Message: FOOBAR Internet
Session-Timeout: 0 (disabled)
Idle-Timeout: 0 (disabled)
MTU: 1500 Profile: N/A
IPv4:
Instance: default
Address: 10.100.128.14/255.255.255.255
Address Active: True
Primary DNS: 10.0.0.3
Secondary DNS: 10.0.0.4
IPv6:
Instance: default
RA Prefix: fc55:100:1:1::e/128
RA Prefix Active: True
Delegated Prefix (DHCPv6): fc56:100:1:d00::/56
Delegated Prefix Active: True
Primary DNS: fc66::3
Secondary DNS: fc66::4
Accounting:
Session-Id: 1369375761697341454:1669969734
Start-Time: 2022-12-02T08:28:55.245914+0000
Interims Interval: 900 seconds
supervisor@rtbrick>cbng1.rtbrick.net: cfg>
Pinging the Subscriber (source: IPOE) from C-BNG
Before pinging a subscriber, use the show route <…> command to display the subscriber IPs at the CBNGs.
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show route ipv4 unicast source ipoe Instance: default, AFI: ipv4, SAFI: unicast Prefix/Label Source Pref Next Hop Interface 10.100.128.1/32 ipoe 7 - ipoe-0/1/29/1369375761697341471 10.100.128.2/32 ipoe 7 - ipoe-0/1/29/1369375761697341474 10.100.128.3/32 ipoe 7 - ipoe-0/1/29/1369375761697341473 10.100.128.4/32 ipoe 7 - ipoe-0/1/29/1369375761697341472 10.100.128.5/32 ipoe 7 - ipoe-0/1/29/1369375761697341475 10.100.128.6/32 ipoe 7 - ipoe-0/1/29/1369375761697341478 10.100.128.7/32 ipoe 7 - ipoe-0/1/29/1369375761697341476 10.100.128.8/32 ipoe 7 - ipoe-0/1/29/1369375761697341479 10.100.128.9/32 ipoe 7 - ipoe-0/1/29/1369375761697341477 10.100.128.10/32 ipoe 7 - ipoe-0/1/29/1369375761697341480 supervisor@rtbrick>cbng1.rtbrick.net: cfg>
From the above list, ping 10.100.128.9 as shown below.
supervisor@rtbrick>cbng1.rtbrick.net: cfg> ping 10.100.128.9 68 bytes from 10.100.128.9: icmp_seq=1 ttl=64 time=9.4346 ms 68 bytes from 10.100.128.9: icmp_seq=2 ttl=64 time=2.5892 ms 68 bytes from 10.100.128.9: icmp_seq=3 ttl=64 time=5.1383 ms 68 bytes from 10.100.128.9: icmp_seq=4 ttl=64 time=8.6419 ms 68 bytes from 10.100.128.9: icmp_seq=5 ttl=64 time=1.6199 ms Statistics: 5 sent, 5 received, 0% packet loss supervisor@rtbrick>cbng1.rtbrick.net: cfg>
Validating Traffic Streams
Traffic streams can be used to perform various forwarding verifications.
For upstream traffic capture, enter the following command:
capture interface ifp-0/1/29 direction in
For downstream traffic capture, enter the following command:
capture interface ifp-0/1/29 direction out
Here, ifp-0/1/29 refers to the access interface.
Validating Upstream Traffic for IPv4
2022-12-01T12:11:52.357415+0000 02:00:00:00:00:08 > a8:b5:7e:8f:66:43, ethertype 802.1Q (0x8100), length 98: vlan 1001, p 0, ethertype 802.1Q, vlan 1008, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 76)
10.100.128.4.65056 > 192.168.131.2.65056: UDP, length 48
Validating Downstream Traffic for IPv4, IPv6, DHCPv6PD Streams
2022-12-01T12:11:53.351763+0000 a8:b5:7e:8f:66:43 > 02:00:00:00:00:08, ethertype 802.1Q (0x8100), length 98: vlan 1001, p 0, ethertype 802.1Q, vlan 1008, p 0, ethertype IPv4, (tos 0x0, ttl 254, id 0, offset 0, flags [none], proto UDP (17), length 76)
192.168.131.2.65056 > 10.100.128.4.65056: UDP, length 48
4.4.2. Validating the IPoE QoS on BNG Blaster
Using the following command, IPoE subscribers are brought up and traffic flows are validated in both upstream and downstream directions.
supervisor@rtbrick:~ $ sudo bngblaster -C blaster_qos.json -S run.sock -I -c 1
Fig 4: Reading output from BNG Blaster
As shown in the above image, the VoIP downstream traffic has been shaped (session shaping) to 2Mbps. Similarly, the total subscriber traffic has been shaped approximately to 10Mbps.
Following are the upstream traffic rates of different policer levels:
-
Level-1 Rates ~=2.5Mbps
-
Level-2 Rates ~=3.5Mbps
-
Level-3 Rates ~=4.5Mbps
-
Level-4 Rates ~=1.5Mbps
4.5. IPoE Subscriber Accounting for Upstream and Downstream Traffic
Run the "show subscriber" command to view the list of subscribers.
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show subscriber Subscriber-Id Interface VLAN Type State 1369375761697341447 ifp-0/1/29 1001:1001 IPoE ESTABLISHED supervisor@rtbrick>cbng1.rtbrick.net: cfg>
Specify the Subscriber-ID to find the specific subscriber’s accounting details:
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show subscriber 1369375761697341447 accounting
Subscriber-Id: 1369375761697341447
IFL: ipoe-0/1/29/1369375761697341447
Start Timestamp: Wed Dec 07 08:04:56 GMT +0000 2022
Idle Timestamp: Wed Dec 07 09:29:54 GMT +0000 2022
Session-Timeout: 0 seconds
Idle-Timeout: 0 seconds
Session Statistics:
Ingress: 0 packets 0 bytes
Egress: 0 packets 0 bytes
LIF Statistics:
Ingress: 0 packets 0 bytes
Egress: 0 packets 0 bytes
Egress Class (Queue) Statistics:
class-0: 3539909 packets 3603627362 bytes dropped: 6907398 packets 7031731164 bytes
class-1: 4899881 packets 4988078858 bytes dropped: 5088649 packets 5180244682 bytes
class-2: 5778003 packets 5882007054 bytes dropped: 4210527 packets 4286316486 bytes
class-3: 1243731 packets 1266118158 bytes dropped: 8897726 packets 9057885068 bytes
class-4: 0 packets 0 bytes dropped: 0 packets 0 bytes
class-5: 0 packets 0 bytes dropped: 0 packets 0 bytes
class-6: 0 packets 0 bytes dropped: 0 packets 0 bytes
class-7: 0 packets 0 bytes dropped: 0 packets 0 bytes
Ingress Policer Statistics:
Level 1: 10182079 packets 10222571382 bytes dropped: 8614199 packets 8648511916 bytes
Level 2: 10181612 packets 10222338448 bytes dropped: 8005859 packets 8037882436 bytes
Level 3: 10181613 packets 10222339452 bytes dropped: 7359795 packets 7389234180 bytes
Level 4: 10181769 packets 10222496076 bytes dropped: 9240981 packets 9277944924 bytes
supervisor@rtbrick>cbng1.rtbrick.net: cfg>
4.6. Configuring Lawful Intercept (LI)
|
|
This section is still a work in progress. |
Lawful Intercept (LI) is used to mirror datastreams of any specific end user in both upstream and downstream directions, and direct them towards a mediation device.
Whether a specific subscriber needs to be mirrored or not can be controlled by specifying the following LI attributes in the RADIUS file.
In the configuration below, the user with username "user1@rtbrick.com" is mirrored whenever the user logs in.
"user1@rtbrick.com" Cleartext-Password := "RtBrick_Little_Secret"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Class = "useri@rtbrick.com",
RtBrick-LI-Identifier = 4191001,
Framed-IP-Address = 10.100.128.11,
Framed-IP-Netmask = 255.255.255.255,
RtBrick-DNS-Primary = 10.0.0.3,
RtBrick-DNS-Secondary = 10.0.0.4,
Framed-IPv6-Prefix = fc68:100:1:1::/64,
RtBrick-DNS-Primary-IPv6 = fc66:0::3,
RtBrick-DNS-Secondary-IPv6 = fc66:0::4,
Session-Timeout = 0,
Idle-Timeout = 0,
Acct-Interim-Interval = 900,
RtBrick-QoS-Profile = "pta-triple-play-8queues",
RtBrick-QoS-Shaper = "name=shaper_session,high=15m, low=1m;name=shaper_VO,high=2m;",
RtBrick-QoS-Policer = "1,2m,200;2,1m,300;3,1m,400;4,0,400",
RtBrick-QoS-Parent-Scheduler = "pon0",
RtBrick-QoS-MFC = "pta-triple-play-8queues",
RtBrick-IGMP-Status = ENABLED,
RtBrick-IGMP-Profile = "iptv",
RtBrick-IGMP-Max-Members = 10,
RtBrick-IGMP-Version = V3,
RtBrick-LI-Action = 1,
RtBrick-LI-Direction = 3,
RtBrick-LI-MED-Instance = "ipoe-li",
RtBrick-LI-MED-IP = 192.168.10.2,
RtBrick-LI-MED-Port 65001
5. Appendixes
5.1. Appendix A: RBFS Configuration
The RBFS configuration file (cbng-ipoe-config.json) can be downloaded from here.
Click 
to download the cbng1 configuration file.
5.2. Appendix B: TACACS+ Server Configuration
The TACACS+ server configuration file (tac_plus.conf) can be downloaded from here.
Click to download the TACACS+ server configuration file.
5.3. Appendix C: RADIUS Server Configuration
The RADIUS server configuration files (radius_config.zip) can be downloaded from here. The zip archive contains the set of configuration files needed to configure the RADIUS server.
Click to download the RADIUS server configuration files.
5.4. Appendix D: BNG Blaster Configuration
The BNG Blaster configuration files (bng_blaster_config.zip) can be downloaded from here. The zip archive contains the set of configuration files needed to configure BNG Blaster.
Click to download the BNG Blaster configuration files.
©Copyright 2023 RtBrick, Inc. All rights reserved. The information contained herein is subject to change without notice. The trademarks, logos and service marks ("Marks") displayed in this documentation are the property of RtBrick in the United States and other countries. Use of the Marks are subject to RtBrick’s Term of Use Policy, available at https://www.rtbrick.com/privacy. Use of marks belonging to other parties is for informational purposes only.