
1. Overview of RtBrick Reference Design

The RtBrick Reference Design document provides a blueprint for Consolidated-BNG (C-BNG) implementation to enable IPoE subscribers.

RtBrick provides validated reference design architectures which have been designed and validated with in-house testing tools and methods. This document provides information to validate the RBFS C-BNG IPoE implementation use case.

1.1. About this Guide

The solution design document provides guidance to validate IPoE implementation using RBFS C-BNG. The guide contains quick information about general platform configuration, configuration of various Access and Routing protocols, Subscriber Management, Quality of Service and troubleshooting. The document presents a single use case scenario and provides information specifically on how to validate this particular implementation. For more information on any specific application, refer to https://documents.rtbrick.com/.

This guide is not intended to be an exhaustive guide of all RBFS features and does not provide information on features such as Multicast, Lawful Intercept etc.

1.2. About the RBFS Consolidated BNG

The RtBrick C-BNG is delivered as a container, running on Open Network Linux (ONL) provided by the hardware ODM manufacturers. Platforms that support C-BNG include Edgecore AGR 400, CSR 320, and UfiSpace S9600. The RtBrick C-BNG software runs on powerful bare-metal switches as an open BNG.

The BNG is designed to dynamically deliver the following services:

  1. Discovering and managing subscriber sessions for both PPPoE and IPoE subscribers

  2. Providing authentication, authorization and accounting (AAA)

  3. Providing multicast-based IPTV services

The basic C-BNG architecture for IPoE subscribers is shown in Fig. 1.

Fig. 1: Topology setup with cbng1 as a DUT (device under test) connected to R1 and R2 and BNG blaster.

The topology consists of:

  1. RBFS on bare metal switch as cbng1, the DUT, having two interfaces connected to:

    1. Router R2 and R1, which are connected to each other and to BNG Blaster.

    2. cbng1 is also connected to TACACS+ server (192.168.45.45) and RADIUS server (192.168.121.2).

    3. Interface of the DUT connected to BNG blaster through the interface ifp-0/1/29.

  2. RtBrick's home-grown BNG Blaster test suite service node (SN) that emulates both the routing and access functions and, in effect, tests the DUT.

  3. The topology emulates IPoE subscribers and traffic between RBFS switch and the core network.

  4. The objective of this topology is to demonstrate complete IPoE subscriber emulation and services along with routing to connect to the network uplink.

1.3. Deployment

A C-BNG provides BNG functionality on a single bare-metal switch and eliminates the need to have a chassis based system. It provides a low footprint and optimal power consumption based on BRCM chipsets, a compelling value proposition that has complete BNG and routing feature support.

C-BNG runs on small form-factor temperature hardened hardware that allows deployments in street site cabinets.

The rtbrick-toolkit is a meta package that can be used to install all the tools needed to work with RBFS images (container or ONL installer) and the RBFS APIs.

1.4. Using the RBFS CLI

An administrator can enter commands using the RBFS command line interface, which runs on top of the Ubuntu shell. RBFS CLI has three modes: Configuration mode, Operation mode, and Debug mode. After logging in to the system with the credentials provided, the user has to switch the CLI mode to 'configuration mode' to make configuration changes. After specifying the configuration changes, the user can then execute the commit command to commit the configurations.

Enter the switch-mode command to change the CLI mode.

supervisor@rtbrick>cbng1.rtbrick.net: op>
supervisor@rtbrick>LEAF01: op> switch-mode config

To commit the configurations, use the commit command.

supervisor@rtbrick>cbng1.rtbrick.net: op> switch-mode config
supervisor@rtbrick>cbng1.rtbrick.net: cfg> <cli command goes here>
supervisor@rtbrick>cbng1.rtbrick.net: cfg> commit

For more information on how to use the RBFS CLI, see the RBFS CLI User Guide.

2. Getting Started

2.1. Platform Configuration and Settings

This section provides information about the platform and how to set various required configurations for the platform.

2.1.1. Know your Device

The configurations provided in this reference design document (C-BNG IPoE implementation) are generated on the UfiSpace S9600-72XC platform.

The UfiSpace S9600-72XC is a multi-function, disaggregated white box aggregation routing platform that is equipped with Broadcom’s Qumran2c chipset. It features 64x25GE and 8x100GE high speed ports with a switching capacity of up to 2.4Tbs.

The RBFS C-BNG software is installed on top of the UfiSpace S9600-72XC.

For more information, see Hardware Specification.

2.1.2. Prerequisites

  • Access to BNG Blaster, an open-source network testing platform for access and routing protocols. For information on obtaining and building BNG Blaster, see https://rtbrick.github.io/bngblaster/

  • Access to FreeRADIUS, a free RADIUS suite. For accessing FreeRADIUS, see https://freeradius.org/.

  • Access to NTP server

  • Access TACACS+ server

2.2. General Configuration

To enable testing, some basic primitives need to be configured. These general configurations include Loopback Interface for identifying and accessing the device on network, NTP for setting accurate time across a whole network of devices, TACACS+ for user authentication, user management for user configuration, license for accessing RBFS, Resmon for resource monitoring, and Graylog configurations for exporting the log message to the external log management server.

2.2.1. Configure License

With a license key installed on the system, a user can use and evaluate the full functionality of RBFS. The following steps provide the commands to install an RBFS license key. For more information about license configuration, see Installing License.

Install the license encrypted string (that is received from RtBrick) using the RBFS CLI.

supervisor@rtbrick>cbng1.rtbrick.net: cfg> set system license <license-key>

RBFS license configuration is shown below:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config set system license
AAAAWsfg&jdkfs4D34H5@2evf...

2.2.2. Configure Loopback Interface

Loopback Interface configuration is required as it is the best way to identify a device on the network and it is always reachable. Also, protocols use the loopback address to determine protocol-specific properties for the device.

The following steps provide the commands to configure the loopback interface. For more information about Loopback Interface configuration, see Interfaces User Guide.

Configure loopback interface on the device.

set interface lo-0/0/0
set interface lo-0/0/0 unit 10
set interface lo-0/0/0 unit 10 address ipv4 192.168.0.2/32
set interface lo-0/0/0 unit 10 address ipv6 192:168::2/128

Loopback Interface configuration is shown below:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config interface lo-0/0/0
{
    "rtbrick-config:interface": [
      {
        "name": "lo-0/0/0",
        "unit": [
          {
            "unit-id": 10,
            "address": {
              "ipv4": [
                {
                  "prefix4": "192.168.0.2/32"
                }
              ],
              "ipv6": [
                {
                  "prefix6": "192:168::2/128"
                }
              ]
            }
          }
        ]
      }
    ]
  }

2.2.3. Configure NTP

Configuring NTP (Network Time Protocol) provides time synchronization across a whole network of devices. An NTP network consists of devices (clients) which are to be synchronized with the NTP server that provides accurate time to the client devices.

The following steps provide the commands to configure Network Time Protocol (NTP) for the device. For more information about NTP configuration, see NTP User Guide.

Enabling NTP Service:

To access the NTP service running in the ONL, this service has to be enabled in inband-management. Once this is configured, the hosts reachable in the inband instance via the physical interface can access this service.

Configure NTP server and NTP service on the device.

set system ntp server srv1
set system ntp server srv1 ipv4-address 192.168.200.10
set inband-management instance inband_mgmt
set inband-management instance inband_mgmt ntp true

NTP configuration is shown below:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config inband-management
{
    "rtbrick-config:inband-management": {
      "instance": [
        {
          "name": "inband_mgmt",
          "ntp": "true"
        }
      ]
    }
  }
supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config system ntp
{
    "rtbrick-config:ntp": {
      "server": [
        {
          "server-name": "srv1",
          "ipv4-address": "192.168.200.10"
        }
      ]
    }
  }

2.2.4. User Authentication

RBFS supports user authentication through a centralized TACACS+ server and with a local authentication system. The following authentication process typically occurs when a user attempts to access the network.

  1. When a user logs in through SSH, the SSH Daemon (sshd) invokes the Pluggable Authentication Module (PAM) to trigger the authentication process.

  2. PAM requests TACACS+ authentication (except for the user with the supervisor privileges).

  3. TACACS+ server provides 'grant access' node if the user authentication is successful.

  4. If TACACS+ authentication does not admit the user, an additional authentication phase follows: PAM looks up local users. Upon successful authentication, PAM generates an RTB PAM token that includes the user role in 'scope'.

2.2.4.1. Define Users on TACACS+ Server

The administrator needs to define users and associate them with the predefined roles on the TACACS+ server. Optionally, RBFS CLI commands can be restricted using rtb-allow-cmds and rtb-deny-cmds.

The tac_plus.conf file contains configuration information for the tac_plus(tacacs+) daemon. This file is stored at the following location:

/etc/tacacs+/tac_plus.conf

For more information about TACACS+ server configuration, see

This design document uses the default local user supervisor for the configurations, whereas other users, defined in the TACACS+ server, can log into RBFS by using their usernames and passwords.

The following TACACS+ configuration shows the details of the user bob who belongs to the group Network_Operator.

accounting file = /var/log/tac_plus.acct
key = RtBrick_Little_Secret

user = bob {
name = "remote"
login = cleartext "bob"
member = Network_Operator

}

<...>

Validating TACACS+ authentication

The following scenario shows a successful authentication for the user bob.

~$ ssh bob@cbng1.rtbrick.net
bob@cbng1.rtbrick.net's password:
Last login: Mon Jan 23 16:13:40 2023 from cbng1.rtbrick.net
bob@rtbrick>cbng1.rtbrick.net: op>

The following scenario shows an unsuccessful password authentication for the user bob.

~$ ssh bob@cbng1.rtbrick.net
bob@cbng1.rtbrick.net's password:
Permission denied, please try again.
bob@cbng1.rtbrick.net's password:

The following scenario shows an unsuccessful authentication for an undefined user frank.

~$ ssh frank@cbng1.rtbrick.net
frank@cbng1.rtbrick.net's password:
Permission denied, please try again.
frank@cbng1.rtbrick.net's password:

2.2.4.2. Configure TACACS+ on RBFS

After defining the users on the TACACS+ server, configure the TACACS+ server on C-BNG. This configuration allows the remote TACACS+ server to communicate with the C-BNG and to validate user access on the network.

The following steps provide the commands to configure TACACS+. For more information about TACACS+ configuration, see Configure TACACS+ on RBFS.

Enabling TACACS+ service:

To access the TACACS+ service running in the ONL, this service has to be enabled in inband management. Once this is configured, the hosts reachable in the inband instance via the physical interface can access this service.

set system secure-management-status true
set system authorization tacacs 192.168.45.45 inband secret-plain-text RtBrick_Little_Secret
set inband-management instance core tacacs true

In the above configuration, the command set inband-management instance core tacacs true is used to enable TACACS+ under the instance called core.

TACACS+ configuration is shown below:

{
  "rtbrick-config:system": {
    "authorization": {
      "tacacs": [
        {
          "ipv4-address": "192.168.45.45",
          "type": "inband",
          "secret-plain-text": "RtBrick_Little_Secret"
        }
      ]
    }
  }
}

Configuration for enabling TACACS+ under the instance core is shown below:

"rtbrick-config:inband-management": {
      "instance": [
        {
          "name": "inband_mgmt",
          "tacacs": "true"
        }
      ]
    },

2.2.4.3. Configure User Management

Configuring Local User Management enables administrators to create, manage, and secure the users and groups. It allows creation of privileges that are configurable for user-defined and predefined roles.

The following steps provide the commands to configure user management. For more information about user management configuration, see Local User Management.

  1. To create a role, configure the RBAC privilege and the command privilege. To configure the RBAC privilege for both table and object:

set system user admin role supervisor
set system user admin shell /bin/bash
set system user admin password-hashed-text $6$XNkmuMRI.5.R/NBJ$XDfZec7gEM3z/3lYn8mDDWimRZ/68xawia.pTMdrGqoYHEE3nWHB08DeaPNQTwHW6WjB1aX6.xjYjh8CNCy4g1

For information about configuring a hashed password, see Configure Hashed Password.

Authentication configuration of a password hashed text and an SSH public key is shown below:

{
  "ietf-restconf:data": {
    "rtbrick-config:system": {
      "user": [
        {
          "username": "admin",
          "shell": "/usr/local/bin/cli",
          "password-hashed-text": "$5$L2DaOYYuddhBV$9RA5MX9RQzLC9fIKJzbnoFBb88w9rkSXl7GVrVJ9PY7",
          "ssh-pub-key": [
            "ssh-rsa AAAAWsfg&jdkfs4D34H5@2evf....."
            ]
        }
      ]
    }
  }
}
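
The show output in 2.2.4.2 keeps the TACACS+ shared secret under secret-plain-text, and tac_plus.conf stores the password for bob with login = cleartext. The following added example (not RtBrick code and not part of the original guide) audits a saved configuration and a tac_plus.conf for both and reports only where a secret sits, never its value. The sample data, the users legacy and alice, and the allowed hash-scheme policy are assumptions.

```python
import json
import re

# Constructed sample modelled on the "show config" JSON in 2.2.4.2 and 2.2.4.3.
# All secret and hash values are placeholders; the user "legacy" is invented.
SAMPLE_RBFS_CONFIG = json.loads("""
{
  "rtbrick-config:system": {
    "authorization": {
      "tacacs": [
        {"ipv4-address": "192.168.45.45", "type": "inband",
         "secret-plain-text": "EXAMPLE_SHARED_SECRET"}
      ]
    },
    "user": [
      {"username": "admin", "shell": "/usr/local/bin/cli",
       "password-hashed-text": "$5$EXAMPLESALT$EXAMPLEDIGEST"},
      {"username": "legacy", "shell": "/bin/bash",
       "password-hashed-text": "$1$EXAMPLESALT$EXAMPLEDIGEST"}
    ]
  }
}
""")

# Constructed tac_plus.conf in the layout shown in 2.2.4.1; "alice" is invented.
SAMPLE_TAC_PLUS_CONF = """
accounting file = /var/log/tac_plus.acct
key = EXAMPLE_SHARED_SECRET

user = bob {
name = "remote"
login = cleartext "EXAMPLE_PASSWORD"
member = Network_Operator
}

user = alice {
login = des EXAMPLEDESHASH
member = Network_Operator
}
"""

# crypt(3) modular-format identifiers.
CRYPT_SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
# Assumption: local policy accepts only these schemes for local users.
ALLOWED_SCHEMES = {"sha256-crypt", "sha512-crypt"}


def crypt_scheme(hashed):
    """Name the crypt(3) scheme from the $id$ prefix of a hash string."""
    match = re.match(r"\$([0-9a-z]+)\$", hashed)
    if not match:
        return "unrecognised"
    return CRYPT_SCHEMES.get(match.group(1), "unrecognised")


def audit_rbfs_config(node, path=""):
    """Walk RBFS config JSON and return (path, issue) pairs, values omitted."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key.endswith("-plain-text"):
                findings.append((here, "secret stored in plain text"))
            elif key == "password-hashed-text":
                scheme = crypt_scheme(str(value))
                if scheme not in ALLOWED_SCHEMES:
                    findings.append((here, f"password hash scheme: {scheme}"))
            else:
                findings.extend(audit_rbfs_config(value, here))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(audit_rbfs_config(item, f"{path}[{index}]"))
    return findings


def cleartext_tacacs_users(conf_text):
    """Return tac_plus.conf users whose login password is kept as cleartext."""
    users, current = [], None
    for line in conf_text.splitlines():
        line = line.strip()
        start = re.match(r"user\s*=\s*(\S+)\s*\{", line)
        if start:
            current = start.group(1)
        elif line == "}":
            current = None
        elif current and re.match(r"login\s*=\s*cleartext\b", line):
            users.append(current)
    return users


if __name__ == "__main__":
    for path, issue in audit_rbfs_config(SAMPLE_RBFS_CONFIG):
        print(f"{path}: {issue}")
    print("cleartext TACACS+ logins:", cleartext_tacacs_users(SAMPLE_TAC_PLUS_CONF))
```
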

2.2.5. Configure Graylog

RBFS supports sending log messages to Graylog, a log management software. One needs to specify the Graylog endpoint in CtrlD and specify the alias name for that particular endpoint.

Configure BDS logging for bgp and specify Graylog as external log management platform.

set log module bgp plugin-alias alias-name graylog
set log module bgp plugin-alias level info

Configuration for Graylog as endpoint in CTRLD is as shown below:

{
  "graylog_enable": true,
  "graylog_url": "http://10.200.32.49:12201/gelf",
  "graylog_endpoints": [
    {
      "name": "graylog",
      "url": "http://192.168.202.46:12201/gelf"
    }
  ]
}

For information about enabling Graylog as the log management software, see the CTRLD User Guide.

2.2.6. Monitor Resources (Resmon)

Resource monitoring enables administrators to collect and analyze the health information and usage data of various hardware resources such as CPU, memory, processes, disks, sensors, optics, and so on.

The show cpu summary command displays system CPU details:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show cpu summary
CPU_0
  Vendor               : GenuineIntel
  Model                : Intel(R) Xeon(R) D-2145NT CPU @ 1.90GHz
  Architecture         : x86_64
  Serial No            : 54 06 05 00 FF FB EB BF
  Clock(MHz)           : 2499.999
  BogoMIPS             : 3800.00
  Physical cores       : 8
  Logical cores        : 16
  Endian               : True
  Cache alignment      : 64 Bytes
  L1 data cache        : 32768 Bytes
  L1 instruction cache : 32768 Bytes
  L2 unified cache     : 1048576 Bytes
  L3 unified cache     : 11534336 Bytes
  L4 unified cache     : 0 Bytes

The show command can also be used to view other resource details. For information about the resmon configuration and operational commands, see the RBFS Resource Monitoring Guide.

3. Protocol Configurations

This validated solution design topology uses IS-IS as the interior gateway protocol to distribute IP routing information among the routers in an Autonomous System (AS). The Label Distribution Protocol (LDP) is used to exchange label mapping information for MPLS traffic, and iBGP is used for exchanging routing and reachability information within the AS.

One thus needs to configure the following protocols:

  • IS-IS : To ensure IP connectivity on the core network.

  • LDP : To establish MPLS LSP tunnels for MPLS data transmission on the network.

  • iBGP: To exchange routing information within an AS.

3.1. Configure IS-IS

The following steps provide the commands to execute various IS-IS protocol functionalities. For more detailed information about IS-IS configuration, see IS-IS User Guide.

  1. IS-IS needs to be configured only on the core routing interfaces. Configure IP addresses on the ifp-0/1/30, ifp-0/1/70 and lo-0/0/0 interfaces.

set interface ifp-0/1/30
set interface ifp-0/1/30 unit 10
set interface ifp-0/1/30 unit 10 address ipv4 192.168.24.1/24
set interface ifp-0/1/30 unit 10 address ipv6 192:168:24::1/64

set interface ifp-0/1/70
set interface ifp-0/1/70 unit 10
set interface ifp-0/1/70 unit 10 address ipv4 192.168.12.2/24
set interface ifp-0/1/70 unit 10 address ipv6 192:168:12::2/64

set interface lo-0/0/0
set interface lo-0/0/0 unit 10
set interface lo-0/0/0 unit 10 address ipv4 192.168.0.2/32
set interface lo-0/0/0 unit 10 address ipv6 192:168::2/128

  2. Configure IS-IS system-id and area.

set instance default protocol isis system-id 1921.6800.1002
set instance default protocol isis area 49.0002/24

IS-IS instance configuration on interface is shown below:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config instance default protocol isis
{
    "rtbrick-config:isis": {
      "system-id": "1921.6800.1002",
      "area": [
        "49.0002/24"
        ]
       }
}

  3. Configure authentication method for IS-IS.

set instance default protocol isis authentication level-1 type md5
set instance default protocol isis authentication level-1 key1-plain-text Rtbrick_Little_Secret

IS-IS authentication configuration is shown below:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config instance default protocol isis authentication
{
    "rtbrick-config:authentication": {
      "level-1": {
        "type": "md5",
        "key1-encrypted-text": "$23a2acca12a3fa68780db026b64daf3bb"
      }
    }
  }

  4. To redistribute the routes (belonging to a specific source) into IS-IS, execute the following command. The following command redistributes direct routes into IS-IS.

set instance default protocol isis level-1 address-family ipv4 unicast redistribute direct

Configuration for redistribution from other sources into IS-IS.

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config instance default protocol isis level-1 address-family
{
    "rtbrick-config:address-family": [
      {
        "afi": "ipv4",
        "safi": "unicast",
        "redistribute": [
          {
            "source": "direct"
          }
        ]
      }
    ]
  }

  5. Configure the IS-IS interface for IS-IS L1 adjacency formation.

set instance default protocol isis interface ifl-0/1/30/10
set instance default protocol isis interface ifl-0/1/30/10 type point-to-point
set instance default protocol isis interface ifl-0/1/30/10 level-2 adjacency-disable true
set instance default protocol isis interface ifl-0/1/70/10
set instance default protocol isis interface ifl-0/1/70/10 type point-to-point
set instance default protocol isis interface ifl-0/1/70/10 level-2 adjacency-disable true
set instance default protocol isis interface lo-0/0/0/10
set instance default protocol isis interface lo-0/0/0/10 type point-to-point
set instance default protocol isis interface lo-0/0/0/10 passive true

IS-IS interface configuration for IS-IS adjacency formation is shown below:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config instance default protocol isis interface
{
    "rtbrick-config:interface": [
      {
        "name": "ifl-0/1/30/10",
        "type": "point-to-point",
        "level-2": {
          "adjacency-disable": "true"
        }
      },
      {
        "name": "ifl-0/1/70/10",
        "type": "point-to-point",
        "level-2": {
          "adjacency-disable": "true"
        }
      },
      {
        "name": "lo-0/0/0/10",
        "type": "point-to-point",
        "passive": "true"
      }
    ]
  }

3.2. Configure LDP on the Interfaces

The following steps provide the commands to execute various LDP functionalities. For more detailed information about LDP configuration, see LDP User Guide.

  1. Configure LDP on the router interface.

set instance default protocol ldp router-id 192.168.0.2
set instance default protocol ldp interface ifl-0/1/30/10
set instance default protocol ldp interface ifl-0/1/70/10
set instance default protocol ldp interface lo-0/0/0/10

Configuration for LDP on the interface is shown below:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config instance default protocol ldp
{
    "rtbrick-config:ldp": {
      "router-id": "192.168.0.2",
      "interface": [
        {
          "name": "ifl-0/1/30/10"
        },
        {
          "name": "ifl-0/1/70/10"
        },
        {
          "name": "lo-0/0/0/10"
        }
      ]
    }
  }

3.3. Configure BGP

The following steps provide the commands to execute the various BGP functionalities quickly. For more detailed information about BGP configuration, see BGP User Guide.

  1. Configure BGP local AS, domain name, and hostname

set instance default protocol bgp local-as 4200000001
set instance default protocol bgp router-id 192.168.0.2

  2. Enable the IPv4 and IPv6 address families which are to be supported on the specific BGP instance.

set instance default protocol bgp address-family ipv4 unicast
set instance default protocol bgp address-family ipv6 unicast
set instance default protocol bgp address-family ipv6 labeled-unicast

BGP local AS, domain name, hostname and address family configurations are shown below:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config instance default protocol bgp
{
    "rtbrick-config:bgp": {
      "domain-name": "CBNG2",
      "hostname": "CBNG2",
      "local-as": 4200000001,
      "router-id": "192.168.0.2",
      "address-family": [
        {
          "afi": "ipv4",
          "safi": "unicast",
          "resolve-nexthop": {
            "safi": "labeled-unicast"
          },
          "redistribute": [
            {
              "source": "static"
            }
          ]
        },
        {
          "afi": "ipv6",
          "safi": "labeled-unicast"
        },
        {
          "afi": "ipv6",
          "safi": "unicast",
          "resolve-nexthop": {
            "safi": "labeled-unicast"
          },
          "redistribute": [
            {
              "source": "static"
            }
          ]
        }
      ],
<...>

  3. Create the peer group (to be attached with the peer later) with the specific remote AS configurations and the address families to be negotiated with the peer. The following command redistributes static routes into BGP.

set instance default protocol bgp address-family ipv4 unicast redistribute static
set instance default protocol bgp address-family ipv6 unicast redistribute static

BGP redistribution configuration is shown below:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config instance default protocol bgp address-family ipv4 unicast redistribute
{
    "rtbrick-config:redistribute": [
      {
        "source": "static"
      }
    ]
  }

  4. Set resolve-nexthop if the BGP nexthop attribute of the BGP routes needs to be resolved under the ipv4/ipv6 labeled-unicast routing table. This configures only the resolve-nexthop safi. Based on the nexthop type (ipv4 or ipv6), the nexthop is looked up in either the IPv4 labeled-unicast or the IPv6 labeled-unicast table.

set instance default protocol bgp address-family ipv4 unicast resolve-nexthop safi labeled-unicast

Resolve nexthop configuration is shown below:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config instance default protocol bgp address-family ipv4 unicast resolve-nexthop
{
    "rtbrick-config:resolve-nexthop": {
      "safi": "labeled-unicast"
    }
  }

  5. Create the peer group with the specific remote AS configurations and the address family that is to be negotiated with the peer which will be attached to the peer group later.

set instance default protocol bgp peer-group reflector
set instance default protocol bgp peer-group reflector remote-as 4200000001
set instance default protocol bgp peer-group reflector address-family ipv4 unicast
set instance default protocol bgp peer-group reflector address-family ipv6 unicast

  6. Configure the IPv6 unicast address family with send-label set to true so that address-family IPv6 labeled-unicast gets negotiated with the peer.

set instance default protocol bgp peer-group reflector address-family ipv6 unicast send-label true
set instance default protocol bgp peer-group reflector address-family ipv6 labeled-unicast

Configuration for peer group, address family, and IPv6 unicast address family is shown below:

supervisor@rtbrick>cbng1.rtbrick.net: cfg>  show config instance default protocol bgp peer-group
{
    "rtbrick-config:peer-group": [
      {
        "pg-name": "reflector",
        "remote-as": 4200000001,
        "address-family": [
          {
            "afi": "ipv4",
            "safi": "unicast"
          },
          {
            "afi": "ipv6",
            "safi": "labeled-unicast"
          },
          {
            "afi": "ipv6",
            "safi": "unicast",
            "send-label": "true"
          }
        ]
      }
    ]
  }

  7. Add a BGP peer and associate it with the specific peer group.

set instance default protocol bgp peer ipv4 192.168.0.51 192.168.0.2
set instance default protocol bgp peer ipv4 192.168.0.51 192.168.0.2 peer-group reflector

Configuration for adding a BGP peer and associating it with a peer group is shown below:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config instance default protocol bgp peer ipv4
{
    "rtbrick-config:peer": {
      "ipv4": [
        {
          "peer-address": "192.168.0.51",
          "update-source": "192.168.0.2",
          "peer-group": "reflector"
        }
      ]
    }
  }

3.4. BNG Blaster Configuration for Protocols

BNG Blaster is an open-source network testing platform for access and routing protocols. It can emulate massive PPPoE and IPoE (DHCP) subscribers including IPTV, and L2TP (LNS). There are various routing protocols supported such as ISIS and BGP. So, one can use this platform for end-to-end BNG and non-BNG router testing. For more information about BNG Blaster, see https://github.com/rtbrick/bngblaster

With BNG blaster, one can test protocols such as IS-IS and BGP as well as set up PPPoE/L2TP/IPoE subscribers and validate traffic streams.

The following is a configuration file that is used in BNG Blaster for validating BGP, ISIS, and LDP.

{
  "interfaces": {
    "tx-interval": 1,
    "rx-interval": 1,
    "network": [
      {
        "interface": "SN-15-R1",
        "address": "192.168.36.2/24",
        "gateway": "192.168.36.1",
        "isis-instance-id": 1,
        "ldp-instance-id": 1,
        "isis-level": 1
      },
      {
        "interface": "SN-17-R2",
        "address": "192.168.46.2/24",
        "gateway": "192.168.46.1",
        "isis-instance-id": 2,
        "ldp-instance-id": 2,
        "isis-level": 1
      },
      {
        "interface": "SN-19-RR",
        "address": "192.168.131.2/24",
        "gateway": "192.168.131.1",
        "address-ipv6": "fc66:1337:7331::2",
        "gateway-ipv6": "fc66:1337:7331::1",
        "isis-instance-id": 3,
        "ldp-instance-id": 3,
        "isis-level": 1
      }
    ],
    "access": [
      {
        "interface": "SN-11-C2",
        "type": "ipoe",
        "outer-vlan-min": 1001,
        "outer-vlan-max": 1100,
        "inner-vlan-min": 1001,
        "inner-vlan-max": 1100
      }
    ]
  },
  "sessions": {
     "count": 10,
     "session-time": 0,
     "max-outstanding": 800,
     "start-rate": 400,
     "stop-rate": 100
  },
  "access-line": {
     "agent-remote-id": "DEU.RTBRICK.{session-global}",
     "agent-circuit-id": "0.0.0.0/0.0.0.0 eth 0:{session-global}",
     "rate-up": 2000,
     "rate-down": 16384,
     "dsl-type": 5
  },
  "dhcp": {
     "enable": true
  },
  "dhcpv6": {
     "enable": true
  },
  "session-traffic": {
      "ipv4-pps": 1,
      "autostart": true
  },
  "isis": [
    {
      "instance-id": 1,
      "area": [
        "49.0002/24"
      ],
      "system-id": "0204.0000.0001",
      "router-id": "192.168.0.36",
      "hostname": "BBL-LSR1",
      "hello-padding": true,
      "teardown-time": 30,
      "external": {
        "mrt-file": "/home/supervisor/isis.mrt",
        "connections": [
          {
            "system-id": "1921.6800.1003",
            "l1-metric": 10
          }
        ]
      }
    },
    {
      "instance-id": 2,
      "area": [
        "49.0002/24"
      ],
      "system-id": "0204.0000.0002",
      "router-id": "192.168.0.46",
      "hostname": "BBL-LSR2",
      "hello-padding": true,
      "teardown-time": 30,
      "external": {
        "mrt-file": "/home/supervisor/isis.mrt",
        "connections": [
          {
            "system-id": "1921.6800.1004",
            "l1-metric": 10
          }
        ]
      }
    },
    {
      "instance-id": 3,
      "area": [
        "49.0002/24"
      ],
      "system-id": "0204.0000.0003",
      "router-id": "192.168.0.56",
      "hostname": "BBL-RR",
      "hello-padding": true,
      "teardown-time": 30,
      "external": {
        "mrt-file": "/home/supervisor/isis.mrt",
        "connections": [
          {
            "system-id": "1921.6800.1005",
            "l1-metric": 10
          }
        ]
      }
    }
  ],
  "ldp": [
    {
      "instance-id": 1,
      "lsr-id": "192.168.0.36",
      "raw-update-file": "/home/supervisor/out.ldp"
    },
    {
      "instance-id": 2,
      "lsr-id": "192.168.0.46",
      "raw-update-file": "/home/supervisor/out.ldp"
    },
    {
      "instance-id": 3,
      "lsr-id": "192.168.0.56",
      "raw-update-file": "/home/supervisor/out.ldp"
    }
  ],
    "bgp": [
      {
        "__comment__": "RR-IPv4",
        "network-interface": "SN-19-RR",
        "local-ipv4-address": "192.168.0.56",
        "peer-ipv4-address": "192.168.0.51",
        "raw-update-file": "/home/supervisor/ipv4_nlri.bgp",
        "local-as": 4200000001,
        "peer-as": 4200000001
      },
      {
        "__comment__": "RR-IPv6",
        "network-interface": "SN-19-RR",
        "local-ipv4-address": "192.168.0.56",
        "peer-ipv4-address": "192.168.0.52",
        "raw-update-file": "/home/supervisor/ipv6_nlri.bgp",
        "local-as": 4200000001,
        "peer-as": 4200000001
      }
    ]
}
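
A BNG Blaster file of this size is easy to break with one wrong instance reference, area or AS number, which then shows up only as a missing adjacency or session. The following added example (not RtBrick or BNG Blaster code, and not part of the original guide) cross-checks a Blaster configuration against the values the DUT is configured with in 3.1 and 3.3. The abbreviated sample, the faulty variant, and the rule that each interface's LDP lsr-id equals its IS-IS router-id (as it does in the file above) are assumptions.

```python
import copy

# Values the DUT configuration on this page sets (sections 3.1 and 3.3).
DUT = {"isis-area": "49.0002/24", "isis-system-id": "1921.6800.1002",
       "bgp-local-as": 4200000001}

# Constructed, abbreviated BNG Blaster config; key names and values follow the page.
SAMPLE_BLASTER = {
    "interfaces": {"network": [
        {"interface": "SN-15-R1", "isis-instance-id": 1,
         "ldp-instance-id": 1, "isis-level": 1},
        {"interface": "SN-19-RR", "isis-instance-id": 3,
         "ldp-instance-id": 3, "isis-level": 1},
    ]},
    "isis": [
        {"instance-id": 1, "area": ["49.0002/24"],
         "system-id": "0204.0000.0001", "router-id": "192.168.0.36"},
        {"instance-id": 3, "area": ["49.0002/24"],
         "system-id": "0204.0000.0003", "router-id": "192.168.0.56"},
    ],
    "ldp": [
        {"instance-id": 1, "lsr-id": "192.168.0.36"},
        {"instance-id": 3, "lsr-id": "192.168.0.56"},
    ],
    "bgp": [
        {"__comment__": "RR-IPv4", "network-interface": "SN-19-RR",
         "local-as": 4200000001, "peer-as": 4200000001},
    ],
}


def check_blaster(cfg, dut):
    """Return a list of inconsistencies between a Blaster config and the DUT."""
    problems = []
    isis = {inst["instance-id"]: inst for inst in cfg.get("isis", [])}
    ldp = {inst["instance-id"]: inst for inst in cfg.get("ldp", [])}
    network = cfg.get("interfaces", {}).get("network", [])

    for port in network:
        name = port["interface"]
        isis_inst = isis.get(port.get("isis-instance-id"))
        ldp_inst = ldp.get(port.get("ldp-instance-id"))
        if "isis-instance-id" in port and isis_inst is None:
            problems.append(f"{name}: isis instance {port['isis-instance-id']} not defined")
        if "ldp-instance-id" in port and ldp_inst is None:
            problems.append(f"{name}: ldp instance {port['ldp-instance-id']} not defined")
        # The DUT disables level-2 adjacencies, so the topology is level-1 only.
        if isis_inst and port.get("isis-level") != 1:
            problems.append(f"{name}: isis-level {port.get('isis-level')} is not 1")
        # Assumption: the LDP LSR-ID is the address IS-IS announces as router-id.
        if isis_inst and ldp_inst and ldp_inst["lsr-id"] != isis_inst["router-id"]:
            problems.append(f"{name}: ldp lsr-id {ldp_inst['lsr-id']} differs from "
                            f"isis router-id {isis_inst['router-id']}")

    owners = {dut["isis-system-id"]: "the DUT"}
    for iid, inst in isis.items():
        # A level-1 adjacency needs a shared area address.
        if dut["isis-area"] not in inst.get("area", []):
            problems.append(f"isis {iid}: area {inst.get('area')} lacks {dut['isis-area']}")
        sid = inst["system-id"]
        if sid in owners:
            problems.append(f"isis {iid}: system-id {sid} already used by {owners[sid]}")
        owners.setdefault(sid, f"isis {iid}")

    names = {port["interface"] for port in network}
    for session in cfg.get("bgp", []):
        label = session.get("__comment__", "bgp")
        if session.get("network-interface") not in names:
            problems.append(f"bgp {label}: unknown network-interface")
        if session["local-as"] != session["peer-as"]:
            problems.append(f"bgp {label}: local-as {session['local-as']} != "
                            f"peer-as {session['peer-as']}, not an iBGP session")
        if session["peer-as"] != dut["bgp-local-as"]:
            problems.append(f"bgp {label}: peer-as {session['peer-as']} is not "
                            f"the DUT AS {dut['bgp-local-as']}")
    return problems


def faulty_copy(cfg):
    """Constructed faulty variant: wrong area on instance 3 and a foreign peer-as."""
    bad = copy.deepcopy(cfg)
    bad["isis"][1]["area"] = ["49.0001/24"]
    bad["bgp"][0]["peer-as"] = 65000
    return bad


if __name__ == "__main__":
    print("sample:", check_blaster(SAMPLE_BLASTER, DUT) or "consistent")
    for problem in check_blaster(faulty_copy(SAMPLE_BLASTER), DUT):
        print("faulty:", problem)
```
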

3.5. Validating Reachability

The following command line string shows how to start a BNG Blaster instance:

sudo bngblaster -C <filename> -I -c5000

3.5.1. Validating IS-IS Adjacency, Routes and Reachability

Run the following command to show IS-IS adjacency.

supervisor@rtbrick>cbng1.rtbrick.net: op> show isis neighbor
Instance: default
  Interface          System             Level   State   Type    Up since                Expires
  ifl-0/1/30/10           1921.6800.1004.00  L1      Up      P2P     Wed Jan 25 11:25:08     in 24s 188435us
  ifl-0/1/70/10           1921.6800.1003.00  L1      Up      P2P     Wed Jan 25 11:25:10     in 27s 167063us

After configuring IS-IS protocol, check the IPv4 unicast routes, populated by IS-IS using the following command:

supervisor@rtbrick>cbng1.rtbrick.net: op> show route ipv4 unicast source isis instance default
Instance: default, AFI: ipv4, SAFI: unicast
Prefix/Label                             Source            Pref    Next Hop                                 Interface
192.168.0.3/32                           isis              15      192.168.13.2                             ifl-0/1/30/10
192.168.0.4/32                           isis              15      192.168.13.2                             ifl-0/1/30/10
                                                                   192.168.12.2                             ifl-0/1/70/10
192.168.0.36/32                          isis              15      192.168.13.2                             ifl-0/1/30/10
192.168.0.46/32                          isis              15      192.168.13.2                             ifl-0/1/30/10
                                                                   192.168.12.2                             ifl-0/1/70/10
192.168.0.51/32                          isis              15      192.168.13.2                             ifl-0/1/30/10
192.168.0.56/32                          isis              15      192.168.13.2                             ifl-0/1/30/10
192.168.24.0/24                          isis              15      192.168.12.2                             ifl-0/1/70/10
192.168.34.0/24                          isis              15      192.168.13.2                             ifl-0/1/30/10
192.168.35.0/24                          isis              15      192.168.13.2                             ifl-0/1/30/10
192.168.36.0/24                          isis              15      192.168.13.2                             ifl-0/1/30/10
192.168.45.0/24                          isis              15      192.168.13.2                             ifl-0/1/30/10
                                                                   192.168.12.2                             ifl-0/1/70/10
192.168.46.0/24                          isis              15      192.168.13.2                             ifl-0/1/30/10
                                                                   192.168.12.2                             ifl-0/1/70/10
192.168.131.0/24                         isis              15      192.168.13.2                             ifl-0/1/30/10

Ping the address 192.168.0.3 as follows:

supervisor@rtbrick>cbng1.rtbrick.net: op> ping 192.168.0.3
68 bytes from 192.168.0.3: icmp_seq=1 ttl=64 time=.6654 ms
68 bytes from 192.168.0.3: icmp_seq=2 ttl=64 time=2.5200 ms
68 bytes from 192.168.0.3: icmp_seq=3 ttl=64 time=5.6248 ms
68 bytes from 192.168.0.3: icmp_seq=4 ttl=64 time=.5053 ms
68 bytes from 192.168.0.3: icmp_seq=5 ttl=64 time=3.9981 ms
Statistics: 5 sent, 5 received, 0% packet loss

3.5.2. Validating LDP Adjacency, Routes and Reachability

Run the following commands to show LDP neighbor and LDP session.

supervisor@rtbrick>cbng1.rtbrick.net: op> show ldp neighbor
Instance: default
  Interface           LDP ID              Transport IP  Up Since                  Expires
  ifl-0/1/30/10            192.168.0.4:0         192.168.0.4     Wed Jan 25 11:24:58       in 14s
  ifl-0/1/70/10            192.168.0.3:0         192.168.0.3     Wed Jan 25 11:25:00       in 11s
supervisor@rtbrick>cbng1.rtbrick.net: op> show ldp session
Instance: default
  LDP ID            Peer IP           State             Up/Down           FECRcvd   FECSent
  192.168.0.3:0       192.168.0.3         Operational       0d:00h:10m:17s       1006      1006
  192.168.0.3:0       192.168.0.4         Operational       0d:00h:10m:15s       1006      1006

After configuring the LDP protocol, check the IPv4 labeled unicast routes populated by LDP using the following command:

supervisor@rtbrick>cbng1.rtbrick.net: op> show route ipv4 labeled-unicast source ldp
Instance: default, AFI: ipv4, SAFI: labeled-unicast
Prefix/Label                             Source            Pref    Next Hop                                 Interface                      Label
192.168.0.3/32                           ldp               9       192.168.13.2                             ifl-0/1/30/10                  -
192.168.0.4/32                           ldp               9       192.168.13.2                             ifl-0/1/30/10                  20003
                                                                   192.168.12.2                             ifl-0/1/70/10                  20003
192.168.0.51/32                          ldp               9       192.168.13.2                             ifl-0/1/30/10                  20002

Ping the labeled unicast address 192.168.0.4 as follows:

supervisor@rtbrick>cbng1.rtbrick.net: op> ping 192.168.0.4 instance default afi ipv4 safi labeled-unicast
68 bytes from 192.168.0.4: icmp_seq=1 ttl=254 time=.8209 ms
68 bytes from 192.168.0.4: icmp_seq=2 ttl=254 time=3.8667 ms
68 bytes from 192.168.0.4: icmp_seq=3 ttl=254 time=5.5854 ms
68 bytes from 192.168.0.4: icmp_seq=4 ttl=254 time=.8076 ms
68 bytes from 192.168.0.4: icmp_seq=5 ttl=254 time=4.4001 ms
Statistics: 5 sent, 5 received, 0% packet loss

Note: The labeled-unicast argument sends the ICMP requests over a labeled path while validating IP connectivity, so an MPLS label is prepended to them.

3.5.3. Validating BGP Adjacency, Routes and Reachability

Run the following commands to show BGP session and state.

supervisor@rtbrick>cbng1.rtbrick.net: op> show bgp peer
Instance: default
  Peer                                     Remote AS    State         Up/Down Time               PfxRcvd              PfxSent
  192.168.0.51                             4200000001   Established   0d:00h:07m:10s             11500000              0

After configuring BGP, check the IPv4 unicast routes populated by BGP using the following command:

supervisor@rtbrick>cbng1.rtbrick.net: op> show route ipv4 unicast source bgp instance default
Instance: default, AFI: ipv4, SAFI: unicast
Prefix/Label                             Source            Pref    Next Hop                                 Interface
77.1.0.0/24                              bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.1.0/24                              bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.2.0/24                              bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.3.0/24                              bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.4.0/24                              bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.5.0/24                              bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.6.0/24                              bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.7.0/24                              bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.8.0/24                              bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.9.0/24                              bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.10.0/24                             bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.11.0/24                             bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.12.0/24                             bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.13.0/24                             bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.14.0/24                             bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.15.0/24                             bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.16.0/24                             bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.17.0/24                             bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.18.0/24                             bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.19.0/24                             bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.20.0/24                             bgp               200     192.168.0.51                             ifl-0/1/16/10
77.1.21.0/24                             bgp               200     192.168.0.51                             ifl-0/1/16/10

<...>

Ping an IPv4 route (source: bgp) from the C-BNG:

supervisor@rtbrick>cbng1.rtbrick.net: op> ping 77.1.9.1
68 bytes from 77.1.9.1: icmp_seq=1 ttl=62 time=10.3916 ms
68 bytes from 77.1.9.1: icmp_seq=2 ttl=62 time=4.2540 ms
68 bytes from 77.1.9.1: icmp_seq=3 ttl=62 time=8.1773 ms
68 bytes from 77.1.9.1: icmp_seq=4 ttl=62 time=3.8388 ms
68 bytes from 77.1.9.1: icmp_seq=5 ttl=62 time=5.1436 ms
Statistics: 5 sent, 5 received, 0% packet loss

Check the IPv6 unicast routes populated by BGP using the following command:

supervisor@rtbrick>cbng1.rtbrick.net: op> show route ipv6 unicast source bgp instance default
Instance: default, AFI: ipv6, SAFI: unicast
Prefix/Label                             Source            Pref    Next Hop                                 Interface
2004::/48                                bgp               200     192.168.0.51                             ifl-0/1/16/10
2004:0:1::/48                            bgp               200     192.168.0.51                             ifl-0/1/16/10
2004:0:2::/48                            bgp               200     192.168.0.51                             ifl-0/1/16/10
2004:0:3::/48                            bgp               200     192.168.0.51                             ifl-0/1/16/10
2004:0:4::/48                            bgp               200     192.168.0.51                             ifl-0/1/16/10
2004:0:5::/48                            bgp               200     192.168.0.51                             ifl-0/1/16/10
2004:0:6::/48                            bgp               200     192.168.0.51                             ifl-0/1/16/10
2004:0:7::/48                            bgp               200     192.168.0.51                             ifl-0/1/16/10
2004:0:8::/48                            bgp               200     192.168.0.51                             ifl-0/1/16/10
2004:0:9::/48                            bgp               200     192.168.0.51                             ifl-0/1/16/10
2004:0:a::/48                            bgp               200     192.168.0.51                             ifl-0/1/16/10
2004:0:b::/48                            bgp               200     192.168.0.51                             ifl-0/1/16/10
2004:0:c::/48                            bgp               200     192.168.0.51                             ifl-0/1/16/10
2004:0:d::/48                            bgp               200     192.168.0.51                             ifl-0/1/16/10

<...>

Ping an IPv6 route (source: bgp) from the C-BNG:

supervisor@rtbrick>cbng1.rtbrick.net: op> ping 2004:0:1::
68 bytes from 2004:0:1::: icmp_seq=1 ttl=253 time=10.0398 ms
68 bytes from 2004:0:1::: icmp_seq=2 ttl=253 time=2.9673 ms
68 bytes from 2004:0:1::: icmp_seq=3 ttl=253 time=6.2365 ms
68 bytes from 2004:0:1::: icmp_seq=4 ttl=253 time=7.9022 ms
68 bytes from 2004:0:1::: icmp_seq=5 ttl=253 time=1.5511 ms
Statistics: 5 sent, 5 received, 0% packet loss
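
The checks in sections 3.5.1 to 3.5.3 can be automated. The following Python sketch is an added example, not RtBrick tooling: it parses the tables shown above and reports any expected peer that is missing or in the wrong state, as well as any peer that was not expected. The function names and the expected-peer sets are assumptions taken from this page's sample output.

```python
import re

# Sample input: CLI output copied from sections 3.5.1-3.5.3 (ping abridged).
ISIS_NEIGHBOR = """\
Instance: default
  Interface          System             Level   State   Type    Up since                Expires
  ifl-0/1/30/10           1921.6800.1004.00  L1      Up      P2P     Wed Jan 25 11:25:08     in 24s 188435us
  ifl-0/1/70/10           1921.6800.1003.00  L1      Up      P2P     Wed Jan 25 11:25:10     in 27s 167063us
"""
LDP_SESSION = """\
Instance: default
  LDP ID            Peer IP           State             Up/Down           FECRcvd   FECSent
  192.168.0.3:0       192.168.0.3         Operational       0d:00h:10m:17s       1006      1006
  192.168.0.3:0       192.168.0.4         Operational       0d:00h:10m:15s       1006      1006
"""
BGP_PEER = """\
Instance: default
  Peer                                     Remote AS    State         Up/Down Time               PfxRcvd              PfxSent
  192.168.0.51                             4200000001   Established   0d:00h:07m:10s             11500000              0
"""
PING = """\
68 bytes from 192.168.0.3: icmp_seq=1 ttl=64 time=.6654 ms
Statistics: 5 sent, 5 received, 0% packet loss
"""


def parse_table(output):
    """Turn a 'show' table into a list of dicts keyed by column header.

    Columns are separated by two or more spaces; single spaces stay inside
    a cell (for example 'Up since' or 'Wed Jan 25 11:25:08').
    """
    rows = [ln.strip() for ln in output.splitlines() if ln.strip()]
    rows = [ln for ln in rows if not ln.startswith("Instance:")]
    if not rows:
        return []
    header = re.split(r"\s{2,}", rows[0])
    table = []
    for ln in rows[1:]:
        cells = re.split(r"\s{2,}", ln)
        if len(cells) != len(header):
            raise ValueError(f"unexpected row layout: {ln!r}")
        table.append(dict(zip(header, cells)))
    return table


def check_sessions(output, key_col, want_state, expected):
    """List expected peers that are absent or in another state, then unexpected peers."""
    seen = {row[key_col]: row["State"] for row in parse_table(output)}
    problems = []
    for peer in sorted(expected):
        if peer not in seen:
            problems.append(f"{peer}: missing")
        elif seen[peer] != want_state:
            problems.append(f"{peer}: state {seen[peer]}, want {want_state}")
    problems += [f"{peer}: unexpected" for peer in sorted(seen) if peer not in expected]
    return problems


def ping_ok(output):
    """True only if the statistics line shows every request answered."""
    m = re.search(r"Statistics: (\d+) sent, (\d+) received, (\d+)% packet loss", output)
    if not m:
        raise ValueError("no ping statistics line found")
    sent, received = int(m.group(1)), int(m.group(2))
    return sent > 0 and received == sent


def validate_page_outputs():
    """Run every check against the sample output; empty lists mean pass."""
    return {
        "isis": check_sessions(ISIS_NEIGHBOR, "System", "Up",
                               {"1921.6800.1004.00", "1921.6800.1003.00"}),
        "ldp": check_sessions(LDP_SESSION, "Peer IP", "Operational",
                              {"192.168.0.3", "192.168.0.4"}),
        "bgp": check_sessions(BGP_PEER, "Peer", "Established", {"192.168.0.51"}),
        "ping": [] if ping_ok(PING) else ["ping: packet loss"],
    }


if __name__ == "__main__":
    for name, problems in validate_page_outputs().items():
        print(name, "OK" if not problems else problems)
```

Reporting unexpected peers matters as much as reporting missing ones: an adjacency or session that is not in the planned topology should be investigated before the setup is treated as validated.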

4. IPoE Subscriber Management Configuration

IP-over-Ethernet (IPoE) is an access technology that uses DHCP for IPv4 and DHCPv6 for IPv6; both protocols are handled in the IPoE daemon (ipoed). IPoE subscribers are identified by IFP, VLANs and client MAC addresses.

The dynamic creation of IPoE subscribers is triggered by a DHCPv4 discover or DHCPv6 solicit request from the subscriber. The response is postponed until the subscriber is successfully authenticated using one of the known authentication methods, such as local or RADIUS; authentication is, however, not mandatory. After the authentication phase, an IPv4, IPv6 or IPv6-PD address is allocated to the subscriber either from the local pool or from RADIUS.

For IPoE Subscriber Management, the following configurations are mandatory:

  1. Access Interface Configuration

  2. Access Profile Configuration

  3. AAA (Authentication, Authorization and Accounting) Profile Configuration. Based on the authentication requirement, configure any one of the following:

    1. Local Authentication

      1. Pool Configuration

      2. User Profile Configuration

    2. RADIUS Authentication

      1. RADIUS Profile Configuration

      2. RADIUS Server Configuration

This section discusses RADIUS authentication.

NOTES:

  • Access interfaces can be configured without VLAN tags (untagged) and with one (single tagged) or two (double tagged) VLAN tags.

  • There can be more than one interface configured for subscriber management and each interface can reference the same profile.

4.1. Configuring IPoE Subscriber Management

For detailed information about the subscriber configuration options, see the Subscriber Management Configuration Guide.

  1. Configure the access interface. In this case, a double-tagged interface (ifp-0/1/29) is configured as the access interface. The interface configuration assigns the access type, access profile, AAA profile, and further optional attributes such as the service profile to the specified access interface.

set access interface double-tagged ifp-0/1/29 1001 1100 1001 1100
set access interface double-tagged ifp-0/1/29 1001 1100 1001 1100 access-type IPoE
set access interface double-tagged ifp-0/1/29 1001 1100 1001 1100 access-profile-name ipoe
set access interface double-tagged ifp-0/1/29 1001 1100 1001 1100 aaa-profile-name ipoe-aaa
set access interface double-tagged ifp-0/1/29 1001 1100 1001 1100 gateway-ifl lo-0/0/0/10

The double-tagged access interface configuration is shown below.

supervisor@rtbrick>cbng1.rtbrick.net: op> show config access interface
{
    "rtbrick-config:interface": {
      "double-tagged": [
        {
          "interface-name": "ifp-0/1/29",
          "outer-vlan-min": 1001,
          "outer-vlan-max": 1100,
          "inner-vlan-min": 1001,
          "inner-vlan-max": 1100,
          "access-type": "IPoE",
          "access-profile-name": "ipoe",
          "aaa-profile-name": "ipoe-aaa",
          "gateway-ifl": "lo-0/0/0/10"
        }
      ]
    }
  }

  2. Configure the access profile ipoe.

set access access-profile ipoe
set access access-profile ipoe protocol dhcp enable true
set access access-profile ipoe protocol dhcp lease-time 60
set access access-profile ipoe protocol dhcpv6 enable true
set access access-profile ipoe protocol dhcpv6 lifetime 60
set access access-profile ipoe address-family ipv4 enable true
set access access-profile ipoe address-family ipv4 pool-name pool1
set access access-profile ipoe address-family ipv4 instance default
set access access-profile ipoe address-family ipv6 enable true
set access access-profile ipoe address-family ipv6 pool-name pool1
set access access-profile ipoe address-family ipv6 prefix-delegation-pool-name pool2
set access access-profile ipoe address-family ipv6 instance default

The access profile configuration is shown below.

supervisor@rtbrick>cbng1.rtbrick.net: op> show config access access-profile
{
    "rtbrick-config:access-profile": [
      {
        "profile-name": "ipoe",
        "protocol": {
          "dhcp": {
            "enable": "true",
            "lease-time": 60
          },
          "dhcpv6": {
            "enable": "true",
            "lifetime": 60
          }
        },
        "address-family": {
          "ipv4": {
            "enable": "true",
            "pool-name": "pool1",
            "instance": "default"
          },
          "ipv6": {
            "enable": "true",
            "pool-name": "pool1",
            "prefix-delegation-pool-name": "pool2",
            "instance": "default"
          }
        }
      }
    ]
  }
supervisor@rtbrick>cbng1.rtbrick.net: op>

  3. Configure the Authentication and Accounting (AAA) profile ipoe-aaa.

set access aaa-profile ipoe-aaa
set access aaa-profile ipoe-aaa session-timeout 0
set access aaa-profile ipoe-aaa idle-timeout 0
set access aaa-profile ipoe-aaa aaa-radius-profile aaa-radius1
set access aaa-profile ipoe-aaa authentication order RADIUS
set access aaa-profile ipoe-aaa accounting order RADIUS
set access aaa-profile ipoe-aaa accounting interim-interval 30
set access aaa-profile ipoe-aaa accounting session-id-format DEFAULT

The access AAA configuration is shown below.

supervisor@rtbrick>cbng1.rtbrick.net: op> show config access aaa-profile
{
    "rtbrick-config:aaa-profile": [
      {
        "profile-name": "ipoe-aaa",
        "session-timeout": 0,
        "idle-timeout": 0,
        "aaa-radius-profile": "aaa-radius1",
        "authentication": {
          "order": "RADIUS"
        },
        "accounting": {
          "order": "RADIUS",
          "interim-interval": 30,
          "session-id-format": "DEFAULT"
        }
      }
    ]
  }
supervisor@rtbrick>cbng1.rtbrick.net: op>

  4. In this solution, AAA authentication and accounting are configured with RADIUS. To use RADIUS authentication and accounting, both the RADIUS profile and the RADIUS server (see below) must be configured.

  5. Configure RADIUS profile aaa-radius1.

set access radius-profile aaa-radius1
set access radius-profile aaa-radius1 nas-identifier 192.168.0.2
set access radius-profile aaa-radius1 nas-port-type Ethernet
set access radius-profile aaa-radius1 authentication radius-server-profile-name radius-srv1
set access radius-profile aaa-radius1 accounting radius-server-profile-name radius-srv1

The RADIUS profile configuration is shown below.

supervisor@rtbrick>cbng1.rtbrick.net: op> show config access radius-profile aaa-radius1
{
    "rtbrick-config:radius-profile": [
      {
        "profile-name": "aaa-radius1",
        "nas-identifier": "192.168.0.2",
        "nas-port-type": "Ethernet",
        "authentication": {
          "radius-server-profile-name": [
            "radius-srv1"
            ]
        },
        "accounting": {
          "radius-server-profile-name": [
            "radius-srv1"
            ]
        }
      }
    ]
  }
supervisor@rtbrick>cbng1.rtbrick.net: op>

  6. Configure the RADIUS server radius-srv1.

set access radius-server radius-srv1
set access radius-server radius-srv1 address 192.168.121.2
set access radius-server radius-srv1 source-address 192.168.0.2
set access radius-server radius-srv1 secret-encrypted-text $2b2feb12f730107454b1be6a0f8242b0f
set access radius-server radius-srv1 routing-instance default
set access radius-server radius-srv1 authentication enable true
set access radius-server radius-srv1 authentication timeout 10
set access radius-server radius-srv1 accounting enable true
set access radius-server radius-srv1 accounting timeout 10
set access radius-server radius-srv1 coa enable true

The RADIUS server configuration is shown below.

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config access radius-server radius-srv1
{
    "rtbrick-config:radius-server": [
      {
        "server-name": "radius-srv1",
        "address": "192.168.121.2",
        "source-address": "192.168.0.2",
        "secret-encrypted-text": "$2b2feb12f730107454b1be6a0f8242b0f",
        "routing-instance": "default",
        "authentication": {
          "enable": "true",
          "timeout": 10
        },
        "accounting": {
          "enable": "true",
          "timeout": 10
        },
        "coa": {
          "enable": "true"
        }
      }
    ]
  }
supervisor@rtbrick>cbng1.rtbrick.net: cfg>

  7. Configure the IPv4 and IPv6 access pools.

set access pool pool1
set access pool pool1 ipv4-address low 192.168.100.1
set access pool pool1 ipv4-address high 192.168.200.1
set access pool pool1 ipv6-prefix low 2001:DB8:1:1::1/128
set access pool pool1 ipv6-prefix high 2001:DB8:1:2::5555/128
set access pool pool2
set access pool pool2 ipv6-prefix low 2001:DB9:1::/56
set access pool pool2 ipv6-prefix high 2001:DB9:5000::/56

The access pool configuration is shown below.

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config access pool
{
    "rtbrick-config:pool": [
      {
        "pool-name": "pool1",
        "ipv4-address": {
          "low": "192.168.100.1",
          "high": "192.168.200.1"
        },
        "ipv6-prefix": {
          "low": "2001:DB8:1:1::1/128",
          "high": "2001:DB8:1:2::5555/128"
        }
      },
      {
        "pool-name": "pool2",
        "ipv6-prefix": {
          "low": "2001:DB9:1::/56",
          "high": "2001:DB9:5000::/56"
        }
      }
    ]
  }
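
Every object configured in section 4.1 refers to another one by name: access interface to access profile and AAA profile, AAA profile to RADIUS profile, RADIUS profile to RADIUS server, access profile to pools. The following Python check is an added example, not part of RBFS: it walks that chain over the configuration shown above and also verifies VLAN and pool range ordering. The function names, the merged dictionary layout and the faulty variant (with the hypothetical name radius-srv2) are assumptions made for illustration.

```python
import copy
import ipaddress

# Constructed input: the "show config access ..." fragments from section 4.1,
# merged into one dict and trimmed to the keys this check reads.
PAGE_CONFIG = {
    "double-tagged": [{
        "interface-name": "ifp-0/1/29",
        "outer-vlan-min": 1001, "outer-vlan-max": 1100,
        "inner-vlan-min": 1001, "inner-vlan-max": 1100,
        "access-profile-name": "ipoe", "aaa-profile-name": "ipoe-aaa"}],
    "access-profile": [{
        "profile-name": "ipoe",
        "address-family": {
            "ipv4": {"pool-name": "pool1"},
            "ipv6": {"pool-name": "pool1", "prefix-delegation-pool-name": "pool2"}}}],
    "aaa-profile": [{
        "profile-name": "ipoe-aaa", "aaa-radius-profile": "aaa-radius1",
        "authentication": {"order": "RADIUS"}}],
    "radius-profile": [{
        "profile-name": "aaa-radius1",
        "authentication": {"radius-server-profile-name": ["radius-srv1"]},
        "accounting": {"radius-server-profile-name": ["radius-srv1"]}}],
    "radius-server": [{
        "server-name": "radius-srv1",
        "authentication": {"enable": "true"}, "accounting": {"enable": "true"}}],
    "pool": [
        {"pool-name": "pool1",
         "ipv4-address": {"low": "192.168.100.1", "high": "192.168.200.1"},
         "ipv6-prefix": {"low": "2001:DB8:1:1::1/128", "high": "2001:DB8:1:2::5555/128"}},
        {"pool-name": "pool2",
         "ipv6-prefix": {"low": "2001:DB9:1::/56", "high": "2001:DB9:5000::/56"}}],
}


def by_name(cfg, section, key="profile-name"):
    """Index one config list by its name key."""
    return {item[key]: item for item in cfg.get(section, [])}


def audit(cfg):
    """Return findings for dangling references and malformed ranges; [] means clean."""
    out = []
    access, aaa, radius = (by_name(cfg, s) for s in ("access-profile", "aaa-profile", "radius-profile"))
    servers = by_name(cfg, "radius-server", "server-name")
    pools = by_name(cfg, "pool", "pool-name")

    for ifc in cfg.get("double-tagged", []):
        name = ifc["interface-name"]
        for tag in ("outer", "inner"):
            lo, hi = ifc[f"{tag}-vlan-min"], ifc[f"{tag}-vlan-max"]
            if not 1 <= lo <= hi <= 4094:
                out.append(f"{name}: invalid {tag} VLAN range {lo}-{hi}")
        for key, table in (("access-profile-name", access), ("aaa-profile-name", aaa)):
            if ifc.get(key) not in table:
                out.append(f"{name}: {key} {ifc.get(key)!r} is not defined")

    for pname, prof in access.items():
        for fam, body in prof.get("address-family", {}).items():
            need = "ipv4-address" if fam == "ipv4" else "ipv6-prefix"
            for key in ("pool-name", "prefix-delegation-pool-name"):
                ref = body.get(key)
                if ref is not None and ref not in pools:
                    out.append(f"access-profile {pname}: {fam} {key} {ref!r} is not defined")
                elif ref is not None and need not in pools[ref]:
                    out.append(f"access-profile {pname}: pool {ref!r} has no {need} range")

    for pname, prof in aaa.items():
        order = prof.get("authentication", {}).get("order", "")
        if "RADIUS" not in order:
            out.append(f"aaa-profile {pname}: authentication order {order!r} does not use RADIUS")
        if prof.get("aaa-radius-profile") not in radius:
            out.append(f"aaa-profile {pname}: radius profile {prof.get('aaa-radius-profile')!r} is not defined")

    for pname, prof in radius.items():
        for role in ("authentication", "accounting"):
            for srv in prof.get(role, {}).get("radius-server-profile-name", []):
                if srv not in servers:
                    out.append(f"radius-profile {pname}: {role} server {srv!r} is not defined")
                elif servers[srv].get(role, {}).get("enable") != "true":
                    out.append(f"radius-server {srv}: {role} is not enabled")

    for pname, pool in pools.items():
        for key in ("ipv4-address", "ipv6-prefix"):
            if key in pool:
                lo, hi = (ipaddress.ip_interface(pool[key][b]).ip for b in ("low", "high"))
                if lo > hi:
                    out.append(f"pool {pname}: {key} low {lo} is above high {hi}")
    return out


def broken_copy():
    """Constructed faulty variant: a misspelled server reference and a reversed pool."""
    cfg = copy.deepcopy(PAGE_CONFIG)
    cfg["radius-profile"][0]["authentication"]["radius-server-profile-name"] = ["radius-srv2"]
    prefix = cfg["pool"][1]["ipv6-prefix"]
    prefix["low"], prefix["high"] = prefix["high"], prefix["low"]
    return cfg
```

audit(PAGE_CONFIG) returns an empty list for the configuration on this page, while audit(broken_copy()) reports the undefined RADIUS server and the reversed pool2 range.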

4.2. IPoE Quality of Service (QoS) Configuration

Note: The QoS model explained in this document uses a complex HQoS model with the intent to showcase the complete range of QoS features available in RBFS. However, it may not be needed or desirable for all deployments. In such a case, a simpler QoS model can be derived by simplifying the provided QoS model as required.

Following are the steps involved in configuring and verifying IPoE QoS:

  1. Configuring service profile to enable QoS on IPoE subscriber

  2. Configuring downstream QoS

  3. Configuring upstream QoS

  4. Configuring QoS remarking

  5. Configuring IPoE subscriber accounting for upstream and downstream traffic

  6. Configuring IPoE subscribers QoS on BNG Blaster

  7. Validating IPoE QoS on BNG Blaster

The figure below shows how QoS is configured for ingress and egress traffic.

Fig. 2: Hierarchical Quality of Service primitives

For detailed information about the QoS configuration options, see the HQoS Configuration Guide.

4.2.1. Configure Service Profile

Service profile configuration in subscriber management allows you to assign QoS configurations to a subscriber.

  1. Configure the service profile to enable QoS. The service profile qos_service references the QoS profile named subs-triple-play.

set access service-profile qos_service qos profile subs-triple-play

The configuration of the service profile qos_service, which references the QoS profile subs-triple-play, is shown below.

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config access service-profile qos_service
{
    "rtbrick-config:service-profile": [
      {
        "profile-name": "qos_service",
        "qos": {
          "profile": "subs-triple-play"
        }
      }
    ]
  }

  2. Apply the service profile to the IPoE subscriber access interface (ifp-0/1/29) to enable QoS for IPoE subscribers.

set access interface double-tagged ifp-0/1/29 1001 1100 1001 1100 service-profile-name qos_service

Below is the double-tagged access interface on which the service profile qos_service is configured.

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config access interface double-tagged ifp-0/1/29 1001 1100 1001 1100
{
    "rtbrick-config:double-tagged": [
      {
        "interface-name": "ifp-0/1/29",
        "outer-vlan-min": 1001,
        "outer-vlan-max": 1100,
        "inner-vlan-min": 1001,
        "inner-vlan-max": 1100,
        "access-type": "IPoE",
        "access-profile-name": "ipoe",
        "service-profile-name": "qos_service",
        "aaa-profile-name": "ipoe-aaa",
        "gateway-ifl": "lo-0/0/0/10"
      }
    ]
  }

  3. Configure the QoS profile that is enabled on IPoE subscribers.

set forwarding-options class-of-service profile subs-triple-play
set forwarding-options class-of-service profile subs-triple-play classifier-name subs-pbit-class
set forwarding-options class-of-service profile subs-triple-play class-queue-map-name subs-4queues
set forwarding-options class-of-service profile subs-triple-play remark-map-name subs-remarking-triple-play
set forwarding-options class-of-service profile subs-triple-play class-policer-map-name policer-map-residential
set forwarding-options class-of-service profile subs-triple-play policer-name policer-residential
set forwarding-options class-of-service profile subs-triple-play scheduler-map-name subs-4queues-triple-play

The QoS Profile with all the primitives needed to enable traffic profiles on IPoE Subscribers is as follows:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service profile subs-triple-play
{
    "rtbrick-config:profile": [
      {
        "profile-name": "subs-triple-play",
        "classifier-name": "subs-pbit-class",
        "class-queue-map-name": "subs-4queues",
        "remark-map-name": "subs-remarking-triple-play",
        "class-policer-map-name": "policer-map-residential",
        "policer-name": "policer-residential",
        "scheduler-map-name": "subs-4queues-triple-play"
      }
    ]
  }

4.2.2. Configure Downstream QoS

Downstream Quality of Service (QoS) is used to prioritize network traffic from the Internet to subscribers.

  1. Enable global classification for downstream traffic.

set forwarding-options class-of-service global multifield-classifier-name global_mfc

Below is the multifield classifier (MFC) that is enabled globally to classify downstream traffic.

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service global multifield-classifier-name
{
    "rtbrick-config:multifield-classifier-name": "global_mfc"
  }

  2. Configure the MFC-based classifier with qualifiers and actions.

set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc
set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1001
set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1001 match ipv4-tos 128
set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1001 match source-ipv4-prefix 192.168.131.2/32
set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1001 action forward-class class-0
set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1002
set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1002 match ipv4-tos 160
set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1002 match source-ipv4-prefix 192.168.131.2/32
set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1002 action forward-class class-1
set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1003
set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1003 match ipv4-tos 192
set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1003 match source-ipv4-prefix 192.168.131.2/32
set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1003 action forward-class class-2
set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1004
set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1004 match ipv4-tos 224
set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1004 match source-ipv4-prefix 192.168.131.2/32
set forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc ordinal 1004 action forward-class class-3

The configuration of the QoS MFC-based Classifier for classification of downstream traffic from the core towards IPoE Subscriber is shown below.

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service multifield-classifier acl l3v4 rule global_mfc
{
    "rtbrick-config:rule": [
      {
        "rule-name": "global_mfc",
        "ordinal": [
          {
            "ordinal-value": 1001,
            "match": {
              "ipv4-tos": 128,
              "source-ipv4-prefix": "192.168.131.2/32"
            },
            "action": {
              "forward-class": "class-0"
            }
          },
          {
            "ordinal-value": 1002,
            "match": {
              "ipv4-tos": 160,
              "source-ipv4-prefix": "192.168.131.2/32"
            },
            "action": {
              "forward-class": "class-1"
            }
          },
          {
            "ordinal-value": 1003,
            "match": {
              "ipv4-tos": 192,
              "source-ipv4-prefix": "192.168.131.2/32"
            },
            "action": {
              "forward-class": "class-2"
            }
          },
          {
            "ordinal-value": 1004,
            "match": {
              "ipv4-tos": 224,
              "source-ipv4-prefix": "192.168.131.2/32"
            },
            "action": {
              "forward-class": "class-3"
            }
          }
        ]
      }
    ]
  }

  3. Enqueue classified traffic to different queues using class-to-queue mapping.

set forwarding-options class-of-service queue-group subs-4queues queue-numbers 4

Below is the QoS class-queue mapping configuration:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service class-queue-map subs-4queues class
{
    "rtbrick-config:class": [
      {
        "class-type": "class-0",
        "queue-name": "BE_SUBS"
      },
      {
        "class-type": "class-1",
        "queue-name": "LD_SUBS"
      },
      {
        "class-type": "class-2",
        "queue-name": "LL_SUBS"
      },
      {
        "class-type": "class-3",
        "queue-name": "VO_SUBS"
      }
    ]
  }

  4. Configure the queues needed for enqueuing and dequeuing traffic streams.

set forwarding-options class-of-service queue BE_SUBS
set forwarding-options class-of-service queue BE_SUBS queue-size 375000
set forwarding-options class-of-service queue BE_SUBS header-compensation bytes 22
set forwarding-options class-of-service queue BE_SUBS header-compensation decrement true
set forwarding-options class-of-service queue LD_SUBS
set forwarding-options class-of-service queue LD_SUBS queue-size 625000
set forwarding-options class-of-service queue LD_SUBS header-compensation bytes 22
set forwarding-options class-of-service queue LD_SUBS header-compensation decrement true
set forwarding-options class-of-service queue LL_SUBS
set forwarding-options class-of-service queue LL_SUBS queue-size 625000
set forwarding-options class-of-service queue LL_SUBS header-compensation bytes 22
set forwarding-options class-of-service queue LL_SUBS header-compensation decrement true
set forwarding-options class-of-service queue VO_SUBS
set forwarding-options class-of-service queue VO_SUBS queue-size 156250
set forwarding-options class-of-service queue VO_SUBS shaper-name shaper_VO
set forwarding-options class-of-service queue VO_SUBS header-compensation bytes 22
set forwarding-options class-of-service queue VO_SUBS header-compensation decrement true

The queue configuration is shown below.

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service queue
{
    "rtbrick-config:queue": [
      {
        "queue-name": "BE_SUBS",
        "queue-size": 375000,
        "header-compensation": {
          "bytes": 22,
          "decrement": "true"
        }
      },
      {
        "queue-name": "LD_SUBS",
        "queue-size": 625000,
        "header-compensation": {
          "bytes": 22,
          "decrement": "true"
        }
      },
      {
        "queue-name": "LL_SUBS",
        "queue-size": 625000,
        "header-compensation": {
          "bytes": 22,
          "decrement": "true"
        }
      },
      {
        "queue-name": "VO_SUBS",
        "queue-size": 156250,
        "shaper-name": "shaper_VO",
        "header-compensation": {
          "bytes": 22,
          "decrement": "true"
        }
      }
    ]
  }

  5. Configure the scheduler needed by Subscriber/Session scheduler-map and OLT scheduler-map.

set forwarding-options class-of-service scheduler pon0
set forwarding-options class-of-service scheduler pon0 type fair_queueing
set forwarding-options class-of-service scheduler subs-4queues
set forwarding-options class-of-service scheduler subs-4queues shaper-name shaper_session
set forwarding-options class-of-service scheduler subs-4queues type strict_priority
set forwarding-options class-of-service scheduler subs-4queues composite false

The configuration of the scheduler-map and OLT scheduler-map is shown below.

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config  forwarding-options class-of-service scheduler
{
    "rtbrick-config:scheduler": [
      {
        "scheduler-name": "pon0",
        "type": "fair_queueing"
      },
      {
        "scheduler-name": "subs-4queues",
        "shaper-name": "shaper_session",
        "type": "strict_priority",
        "composite": "false"
      }
    ]
  }
  1. Configure the session/subscriber scheduler mapping for dequeuing traffic based on scheduler type for each queue:

set forwarding-options class-of-service scheduler-map subs-4queues-triple-play
set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues
set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name BE_SUBS
set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name BE_SUBS parent-flow high-flow
set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name BE_SUBS parent-scheduler-name subs-4queues
set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name BE_SUBS connection-point strict_priority_3
set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name LD_SUBS
set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name LD_SUBS parent-flow high-flow
set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name LD_SUBS parent-scheduler-name subs-4queues
set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name LD_SUBS connection-point strict_priority_1
set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name LL_SUBS
set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name LL_SUBS parent-flow high-flow
set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name LL_SUBS parent-scheduler-name subs-4queues
set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name LL_SUBS connection-point strict_priority_2
set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name VO_SUBS
set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name VO_SUBS parent-flow high-flow
set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name VO_SUBS parent-scheduler-name subs-4queues
set forwarding-options class-of-service scheduler-map subs-4queues-triple-play queue-group-name subs-4queues queue-name VO_SUBS connection-point strict_priority_0
set forwarding-options class-of-service scheduler-map subs-4queues-triple-play scheduler-name subs-4queues
set forwarding-options class-of-service scheduler-map subs-4queues-triple-play scheduler-name subs-4queues port-connection scheduler_to_port

The QoS Subscriber/Session Scheduler-Map configuration is shown below:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service scheduler-map subs-4queues-triple-play
{
    "rtbrick-config:scheduler-map": [
      {
        "scheduler-map-name": "subs-4queues-triple-play",
        "queue-group-name": [
          {
            "group-name": "subs-4queues",
            "queue-name": [
              {
                "name": "BE_SUBS",
                "parent-flow": "high-flow",
                "parent-scheduler-name": "subs-4queues",
                "connection-point": "strict_priority_3"
              },
              {
                "name": "LD_SUBS",
                "parent-flow": "high-flow",
                "parent-scheduler-name": "subs-4queues",
                "connection-point": "strict_priority_1"
              },
              {
                "name": "LL_SUBS",
                "parent-flow": "high-flow",
                "parent-scheduler-name": "subs-4queues",
                "connection-point": "strict_priority_2"
              },
              {
                "name": "VO_SUBS",
                "parent-flow": "high-flow",
                "parent-scheduler-name": "subs-4queues",
                "connection-point": "strict_priority_0"
              }
            ]
          }
        ],
        "scheduler-name": [
          {
            "name": "subs-4queues",
            "port-connection": "scheduler_to_port"
          }
        ]
      }
    ]
  }
  1. Configure the OLT scheduler-mapping for each PON to be scheduled according to the scheduler type.

set forwarding-options class-of-service scheduler-map schedmap-olt
set forwarding-options class-of-service scheduler-map schedmap-olt scheduler-name pon0
set forwarding-options class-of-service scheduler-map schedmap-olt scheduler-name pon0 port-connection scheduler_to_port

The OLT Scheduler-Map configuration is shown below:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service scheduler-map schedmap-olt
{
    "rtbrick-config:scheduler-map": [
      {
        "scheduler-map-name": "schedmap-olt",
        "scheduler-name": [
          {
            "name": "pon0",
            "port-connection": "scheduler_to_port"
          }
        ]
      }
    ]
  }
  1. Configure downstream traffic shaping for both session schedulers and queues.

Note: Queue shaping is applied only to the VO_SUBS queue.

set forwarding-options class-of-service shaper shaper_VO
set forwarding-options class-of-service shaper shaper_VO shaping-rate-high 2000
set forwarding-options class-of-service shaper shaper_VO shaping-rate-low 0
set forwarding-options class-of-service shaper shaper_session
set forwarding-options class-of-service shaper shaper_session shaping-rate-high 10000
set forwarding-options class-of-service shaper shaper_session shaping-rate-low 100

The shaping configuration is shown below.

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service shaper
{
    "rtbrick-config:shaper": [
      {
        "shaper-name": "shaper_VO",
        "shaping-rate-high": 2000,
        "shaping-rate-low": 0
      },
      {
        "shaper-name": "shaper_session",
        "shaping-rate-high": 10000,
        "shaping-rate-low": 100
      }
    ]
  }

4.2.3. Configure Upstream QoS

  1. Configure the BA Classifier for the classification of multiple traffic streams targeted at IPoE subscribers:

set forwarding-options class-of-service classifier subs-pbit-class
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 1
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 1 class class-0
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 2
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 2 class class-1
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 3
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 3 class class-2
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 4
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 4 class class-3

The configuration of the QoS BA-based classifier for classification of upstream traffic towards IPoE subscribers is shown below.

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service classifier subs-pbit-class
{
    "rtbrick-config:classifier": [
      {
        "classifier-name": "subs-pbit-class",
        "match-type": [
          {
            "match-type": "ieee-802.1",
            "codepoint": [
              {
                "codepoint": 1,
                "class": "class-0"
              },
              {
                "codepoint": 2,
                "class": "class-1"
              },
              {
                "codepoint": 3,
                "class": "class-2"
              },
              {
                "codepoint": 4,
                "class": "class-3"
              }
            ]
          }
        ]
      }
    ]
  }
  1. Configure multi-level policer to police 4-Level traffic.

set forwarding-options class-of-service policer policer-residential
set forwarding-options class-of-service policer policer-residential level1-rates cir 2000
set forwarding-options class-of-service policer policer-residential level1-rates cbs 1000
set forwarding-options class-of-service policer policer-residential level1-rates pir 2500
set forwarding-options class-of-service policer policer-residential level1-rates pbs 1000
set forwarding-options class-of-service policer policer-residential level2-rates cir 3000
set forwarding-options class-of-service policer policer-residential level2-rates cbs 1000
set forwarding-options class-of-service policer policer-residential level2-rates pir 3500
set forwarding-options class-of-service policer policer-residential level2-rates pbs 1000
set forwarding-options class-of-service policer policer-residential level3-rates cir 4000
set forwarding-options class-of-service policer policer-residential level3-rates cbs 1000
set forwarding-options class-of-service policer policer-residential level3-rates pir 4500
set forwarding-options class-of-service policer policer-residential level3-rates pbs 1000
set forwarding-options class-of-service policer policer-residential level4-rates cir 1000
set forwarding-options class-of-service policer policer-residential level4-rates cbs 1000
set forwarding-options class-of-service policer policer-residential level4-rates pir 1500
set forwarding-options class-of-service policer policer-residential level4-rates pbs 1000
set forwarding-options class-of-service policer policer-residential levels 4
set forwarding-options class-of-service policer policer-residential type two-rate-three-color

The multi-level policer configuration is shown below:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service policer policer-residential
{
    "rtbrick-config:policer": [
      {
        "policer-name": "policer-residential",
        "level1-rates": {
          "cir": 2000,
          "cbs": 1000,
          "pir": 2500,
          "pbs": 1000
        },
        "level2-rates": {
          "cir": 3000,
          "cbs": 1000,
          "pir": 3500,
          "pbs": 1000
        },
        "level3-rates": {
          "cir": 4000,
          "cbs": 1000,
          "pir": 4500,
          "pbs": 1000
        },
        "level4-rates": {
          "cir": 1000,
          "cbs": 1000,
          "pir": 1500,
          "pbs": 1000
        },
        "levels": 4,
        "type": "two-rate-three-color"
      }
    ]
  }
  1. Map the classified traffic streams to different policer levels using class-to-policer mapping:

set forwarding-options class-of-service class-policer-map policer-map-residential class class-0
set forwarding-options class-of-service class-policer-map policer-map-residential class class-0 policer-level level-1
set forwarding-options class-of-service class-policer-map policer-map-residential class class-1
set forwarding-options class-of-service class-policer-map policer-map-residential class class-1 policer-level level-2
set forwarding-options class-of-service class-policer-map policer-map-residential class class-2
set forwarding-options class-of-service class-policer-map policer-map-residential class class-2 policer-level level-3
set forwarding-options class-of-service class-policer-map policer-map-residential class class-3
set forwarding-options class-of-service class-policer-map policer-map-residential class class-3 policer-level level-4

The class-policer-map configuration is shown below:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service class-policer-map policer-map-residential class
{
    "rtbrick-config:class": [
      {
        "class": "class-0",
        "policer-level": "level-1"
      },
      {
        "class": "class-1",
        "policer-level": "level-2"
      },
      {
        "class": "class-2",
        "policer-level": "level-3"
      },
      {
        "class": "class-3",
        "policer-level": "level-4"
      }
    ]
  }

4.2.4. Configure QoS Remarking

  1. Remark downstream traffic egressing from subscriber interface (egress remarking).

set forwarding-options class-of-service remark-map subs-remarking-triple-play
set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1
set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 128
set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 128 color all
set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 128 color all remark-codepoint 6
set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 160
set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 160 color all
set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 160 color all remark-codepoint 6
set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 192
set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 192 color all
set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 192 color all remark-codepoint 6
set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 224
set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 224 color all
set forwarding-options class-of-service remark-map subs-remarking-triple-play remark-type ieee-802.1 match-codepoint 224 color all remark-codepoint 6

The remarking configuration is shown below:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service remark-map subs-remarking-triple-play
{
    "rtbrick-config:remark-map": [
      {
        "remark-map-name": "subs-remarking-triple-play",
        "remark-type": [
          {
            "remark-type": "ieee-802.1",
            "match-codepoint": [
              {
                "match-codepoint": 128,
                "color": [
                  {
                    "color": "all",
                    "remark-codepoint": 6
                  }
                ]
              },
              {
                "match-codepoint": 160,
                "color": [
                  {
                    "color": "all",
                    "remark-codepoint": 6
                  }
                ]
              },
              {
                "match-codepoint": 192,
                "color": [
                  {
                    "color": "all",
                    "remark-codepoint": 6
                  }
                ]
              },
              {
                "match-codepoint": 224,
                "color": [
                  {
                    "color": "all",
                    "remark-codepoint": 6
                  }
                ]
              }
            ]
          }
        ]
      }
    ]
  }
  1. Validate the downstream traffic remarking.

Note: This validation requires mirroring the subscriber access interface on the C-BNG device.

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options mirror
{
    "rtbrick-config:mirror": [
      {
        "name": "m1",
        "destination": {
          "interface": "cpu-0/0/200"
        },
        "source": {
          "direction": "egress",
          "interface": "ifp-0/1/29"
        }
      }
    ]
  }

The capture mirroring can be performed as shown below.

supervisor@rtbrick>cbng1.rtbrick.net: cfg> capture mirror

2022-12-07T09:42:52.360141+0000 e8:c5:7a:8f:77:56 > 02:00:00:00:00:01, ethertype 802.1Q (0x8100), length 1022: vlan 1001, p 6, ethertype 802.1Q, vlan 1001, p 6, ethertype IPv4, (tos 0xa0, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
    192.168.131.2.65056 > 10.100.128.5.65056: UDP, length 972

2022-12-07T09:42:52.360194+0000 e8:c5:7a:8f:77:56 > 02:00:00:00:00:01, ethertype 802.1Q (0x8100), length 1022: vlan 1001, p 6, ethertype 802.1Q, vlan 1001, p 6, ethertype IPv4, (tos 0xa0, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
    192.168.131.2.65056 > 10.100.128.5.65056: UDP, length 972

2022-12-07T09:42:52.360260+0000 e8:c5:7a:8f:77:56 > 02:00:00:00:00:01, ethertype 802.1Q (0x8100), length 1022: vlan 1001, p 6, ethertype 802.1Q, vlan 1001, p 6, ethertype IPv4, (tos 0xa0, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
    192.168.131.2.65056 > 10.100.128.5.65056: UDP, length 972

2022-12-07T09:42:52.360317+0000 e8:c5:7a:8f:77:56 > 02:00:00:00:00:01, ethertype 802.1Q (0x8100), length 1022: vlan 1001, p 6, ethertype 802.1Q, vlan 1001, p 6, ethertype IPv4, (tos 0xa0, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
    192.168.131.2.65056 > 10.100.128.5.65056: UDP, length 972
  1. Remark upstream traffic ingressing to a subscriber's interface (ingress remarking).

Note: In the upstream traffic classifier configuration below, all traffic streams are remarked with codepoint '7'.

set forwarding-options class-of-service classifier subs-pbit-class
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 1
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 1 class class-0
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 1 remark-codepoint 7
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 2
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 2 class class-1
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 2 remark-codepoint 7
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 3
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 3 class class-2
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 3 remark-codepoint 7
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 4
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 4 class class-3
set forwarding-options class-of-service classifier subs-pbit-class match-type ieee-802.1 codepoint 4 remark-codepoint 7

Below is the remarking configuration:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options class-of-service classifier subs-pbit-class
{
    "rtbrick-config:classifier": [
      {
        "classifier-name": "subs-pbit-class",
        "match-type": [
          {
            "match-type": "ieee-802.1",
            "codepoint": [
              {
                "codepoint": 1,
                "class": "class-0",
                "remark-codepoint": 7
              },
              {
                "codepoint": 2,
                "class": "class-1",
                "remark-codepoint": 7
              },
              {
                "codepoint": 3,
                "class": "class-2",
                "remark-codepoint": 7
              },
              {
                "codepoint": 4,
                "class": "class-3",
                "remark-codepoint": 7
              }
            ]
          }
        ]
      }
    ]
  }
  1. Validate the upstream traffic remarking.

Note: Mirror the core-facing port on the C-BNG device as shown below.

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show config forwarding-options mirror m1
{
    "rtbrick-config:mirror": [
      {
        "name": "m1",
        "destination": {
          "interface": "cpu-0/0/200"
        },
        "source": {
          "direction": "egress",
          "interface": "ifp-0/1/23"
        }
      }
    ]
  }

The capture mirroring can be performed as shown below. It confirms that all four traffic streams are marked with codepoint=7.

supervisor@rtbrick>cbng1.rtbrick.net: cfg> capture mirror

2022-12-07T09:20:00.589238+0000 e8:c5:7a:8f:77:53 > 7a:07:dc:c0:00:00, ethertype IPv4 (0x0800), length 1014: (tos 0x7,CE, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
    10.100.128.5.65056 > 192.168.131.2.65056: UDP, length 972

2022-12-07T09:20:00.589292+0000 e8:c5:7a:8f:77:53 > 7a:07:dc:c0:00:00, ethertype IPv4 (0x0800), length 1014: (tos 0x7,CE, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
    10.100.128.5.65056 > 192.168.131.2.65056: UDP, length 972

2022-12-07T09:20:00.589434+0000 e8:c5:7a:8f:77:53 > 7a:07:dc:c0:00:00, ethertype IPv4 (0x0800), length 1014: (tos 0x7,CE, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
    10.100.128.5.65056 > 192.168.131.2.65056: UDP, length 972

2022-12-07T09:20:00.589492+0000 e8:c5:7a:8f:77:53 > 7a:07:dc:c0:00:00, ethertype IPv4 (0x0800), length 1014: (tos 0x7,CE, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
    10.100.128.5.65056 > 192.168.131.2.65056: UDP, length 972

2022-12-07T09:20:00.589545+0000 e8:c5:7a:8f:77:53 > 7a:07:dc:c0:00:00, ethertype IPv4 (0x0800), length 1014: (tos 0x7,CE, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
    10.100.128.5.65056 > 192.168.131.2.65056: UDP, length 972

2022-12-07T09:20:00.589602+0000 e8:c5:7a:8f:77:53 > 7a:07:dc:c0:00:00, ethertype IPv4 (0x0800), length 1014: (tos 0x7,CE, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
    10.100.128.5.65056 > 192.168.131.2.65056: UDP, length 972

2022-12-07T09:20:00.589656+0000 e8:c5:7a:8f:77:53 > 7a:07:dc:c0:00:00, ethertype IPv4 (0x0800), length 1014: (tos 0x7,CE, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
    10.100.128.5.65056 > 192.168.131.2.65056: UDP, length 9
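
The two remarking validations above can be checked mechanically instead of by eye. The following is an added example, not part of the RtBrick guide: it parses `capture mirror` header lines and compares them with the remark-map (downstream) and with the classifier's remark-codepoint (upstream). It assumes that `match-codepoint` is compared against the IPv4 ToS byte, which is how the values 128 to 224 line up with the captured `tos 0xa0`; the function names are hypothetical and the second packet in each sample is constructed to show a failed remark.

```python
import json
import re

# Remark-map as printed by "show config ... remark-map subs-remarking-triple-play",
# abridged to the fields used here.
REMARK_MAP_JSON = """
{"rtbrick-config:remark-map": [{
  "remark-map-name": "subs-remarking-triple-play",
  "remark-type": [{
    "remark-type": "ieee-802.1",
    "match-codepoint": [
      {"match-codepoint": 128, "color": [{"color": "all", "remark-codepoint": 6}]},
      {"match-codepoint": 160, "color": [{"color": "all", "remark-codepoint": 6}]},
      {"match-codepoint": 192, "color": [{"color": "all", "remark-codepoint": 6}]},
      {"match-codepoint": 224, "color": [{"color": "all", "remark-codepoint": 6}]}
    ]
  }]
}]}
"""

# First packet: header line from the downstream capture in this guide.
# Second packet: constructed sample with an unremarked p-bit (p 4).
EGRESS_CAPTURE = """\
2022-12-07T09:42:52.360141+0000 e8:c5:7a:8f:77:56 > 02:00:00:00:00:01, ethertype 802.1Q (0x8100), length 1022: vlan 1001, p 6, ethertype 802.1Q, vlan 1001, p 6, ethertype IPv4, (tos 0xa0, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
    192.168.131.2.65056 > 10.100.128.5.65056: UDP, length 972
2022-12-07T09:42:52.360194+0000 e8:c5:7a:8f:77:56 > 02:00:00:00:00:01, ethertype 802.1Q (0x8100), length 1022: vlan 1001, p 4, ethertype 802.1Q, vlan 1001, p 4, ethertype IPv4, (tos 0xe0, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
    192.168.131.2.65056 > 10.100.128.5.65056: UDP, length 972
"""

# First packet: header line from the upstream capture in this guide.
# Second packet: constructed sample whose ToS was not remarked.
INGRESS_CAPTURE = """\
2022-12-07T09:20:00.589238+0000 e8:c5:7a:8f:77:53 > 7a:07:dc:c0:00:00, ethertype IPv4 (0x0800), length 1014: (tos 0x7,CE, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
    10.100.128.5.65056 > 192.168.131.2.65056: UDP, length 972
2022-12-07T09:20:00.589292+0000 e8:c5:7a:8f:77:53 > 7a:07:dc:c0:00:00, ethertype IPv4 (0x0800), length 1014: (tos 0x20, ttl 254, id 0, offset 0, flags [DF], proto UDP (17), length 1000)
    10.100.128.5.65056 > 192.168.131.2.65056: UDP, length 972
"""

VLAN_RE = re.compile(r"vlan (\d+), p (\d)")
TOS_RE = re.compile(r"\(tos 0x([0-9a-fA-F]+)")


def parse_capture(text):
    """Return one dict per packet header line: ToS byte and (vlan, p-bit) per tag."""
    packets = []
    for line in text.splitlines():
        tos = TOS_RE.search(line)
        if not tos:  # address/port continuation lines carry no header fields
            continue
        tags = [(int(v), int(p)) for v, p in VLAN_RE.findall(line)]
        packets.append({"tos": int(tos.group(1), 16), "tags": tags})
    return packets


def load_remark_map(text, remark_type="ieee-802.1"):
    """Flatten the remark-map JSON into {match-codepoint: remark-codepoint}."""
    table = {}
    for rmap in json.loads(text)["rtbrick-config:remark-map"]:
        for rtype in rmap["remark-type"]:
            if rtype["remark-type"] != remark_type:
                continue
            for entry in rtype["match-codepoint"]:
                for color in entry["color"]:
                    if color["color"] == "all":
                        table[entry["match-codepoint"]] = color["remark-codepoint"]
    return table


def check_egress(packets, table):
    """Downstream: every VLAN tag must carry the p-bit the remark-map prescribes.

    The guide's capture shows the remarked value on both tags, so both are checked.
    Returns (packet index, tos, p-bits found, p-bit expected) for each failure.
    """
    failures = []
    for i, pkt in enumerate(packets):
        expected = table.get(pkt["tos"])
        pbits = [p for _, p in pkt["tags"]]
        if expected is None or not pbits or any(p != expected for p in pbits):
            failures.append((i, pkt["tos"], pbits, expected))
    return failures


def check_ingress(packets, expected_codepoint):
    """Upstream: the captured ToS must equal the classifier's remark-codepoint
    (7 in the subs-pbit-class classifier above)."""
    return [(i, p["tos"]) for i, p in enumerate(packets) if p["tos"] != expected_codepoint]


if __name__ == "__main__":
    table = load_remark_map(REMARK_MAP_JSON)
    print("egress failures :", check_egress(parse_capture(EGRESS_CAPTURE), table))
    print("ingress failures:", check_ingress(parse_capture(INGRESS_CAPTURE), 7))
```

An empty failure list for a capture means every mirrored packet carried the configured remark value.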

4.3. Configure FreeRADIUS Server

The FreeRADIUS server can be installed on any Linux OS distribution. Once FreeRADIUS is installed, perform the following steps to make the server operational.

Files Configuration

mods-config/files/authorize

Using the following command, one can view the authorize file in its default location.

~:/etc/freeradius/3.0 # cat mods-config/files/authorize

The following parameter shall be configured in the authorize file:

$INCLUDE /etc/freeradius/3.0/ipoe_qos_dhcpv4_dhcpv6_radius_users

The authorize file can be downloaded from the appendix section of this guide and used to replace the /etc/freeradius/3.0/mods-config/files/authorize file.

Users File

The users file includes subscriber profile parameters as shown below.

"02:00:00:00:00:01@ipoe" Cleartext-Password := "ipoe"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Class = "02:00:00:00:00:01@ipoe",
    Framed-IP-Address = 10.100.128.0,
    Framed-IP-Netmask = 255.255.255.255,
    RtBrick-DNS-Primary = 10.0.0.3,
    RtBrick-DNS-Secondary  = 10.0.0.4,
    Framed-IPv6-Prefix = fc67:1001:1::1/128,
    Delegated-IPv6-Prefix = fc67:1001::/56,
    RtBrick-DNS-Primary-IPv6  = fc66:0::3,
    RtBrick-DNS-Secondary-IPv6 = fc66:0::4,
    Session-Timeout = 0,
    Idle-Timeout = 0,
    Acct-Interim-Interval = 60,
    RtBrick-QoS-Profile = "subs-triple-play",
    RtBrick-QoS-Parent-Scheduler = "pon0",
    RtBrick-QoS-Shaper = "name=shaper_session,high=10m,low=100;name=shaper_VO,high=2m,low=100;",
    RtBrick-QoS-Policer = "1,2m,1000;2,1m,1000;3,1m,1000;4,1500,1000",
    RtBrick-QoS-MFC = "subs-triple-play",
    RtBrick-LI-Action = 1,
    RtBrick-LI-Direction = 1,
    RtBrick-LI-MED-Instance = "li_default",
    RtBrick-LI-MED-IP = 172.16.0.2,
    RtBrick-LI-MED-Port = 65001,
    RtBrick-IGMP-Status = ENABLED,
    RtBrick-IGMP-Profile = "iptv_default",
    RtBrick-IGMP-Max-Members = 10

In the appendix section of this guide, you can download the users_file file for creating the FreeRADIUS users_file (/etc/freeradius/3.0/users_file).

Clients.conf

The clients.conf file shall be configured with the expected RADIUS client IP address and secret.

~:/etc/freeradius/3.0 # cat clients.conf
client rtbrick {
        ipaddr          = 192.168.0.2
        secret          = testing123
        shortname       = rtbrick
        nas_type        = other
        require_message_authenticator = no
}

The clients.conf file (/etc/freeradius/3.0/clients.conf) used for this reference design can be downloaded from the appendix section of this guide.
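
The client block above uses `testing123`, the secret found in FreeRADIUS sample configurations, and sets `require_message_authenticator = no`; both are lab settings that should not reach a production AAA server. The following added check (not part of the RtBrick guide or of FreeRADIUS) parses clients.conf and reports such settings before deployment. The finding names, `MIN_SECRET_LEN` and the hardened sample with its placeholder secret are assumptions made for this example.

```python
import ipaddress
import re

# Client block as shown in this guide.
LAB_CLIENTS_CONF = """
client rtbrick {
        ipaddr          = 192.168.0.2
        secret          = testing123
        shortname       = rtbrick
        nas_type        = other
        require_message_authenticator = no
}
"""

# Constructed hardened variant; the secret is a placeholder, not a real credential.
HARDENED_CLIENTS_CONF = """
client rtbrick {
        ipaddr          = 192.168.0.2
        secret          = REPLACE-WITH-LONG-RANDOM-SECRET-0000
        shortname       = rtbrick
        nas_type        = other
        require_message_authenticator = yes
}
"""

KNOWN_DEFAULT_SECRETS = {"testing123"}  # secret used in FreeRADIUS sample configs
MIN_SECRET_LEN = 16                     # assumption: local policy threshold

KV_RE = re.compile(r"^([A-Za-z_][\w-]*)\s*=\s*(.*)$")


def parse_clients(text):
    """Return {client name: {option: value}} for every top-level client block."""
    clients, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # drop comments
        if not line:
            continue
        if depth == 0:
            m = re.match(r"client\s+(\S+)\s*\{$", line)
            if m:
                current = clients.setdefault(m.group(1), {})
                depth = 1
        elif line.endswith("{"):
            depth += 1          # nested subsection such as "limit { ... }"
        elif line == "}":
            depth -= 1
        elif depth == 1:        # only options that belong to the client itself
            kv = KV_RE.match(line)
            if kv:
                current[kv.group(1)] = kv.group(2).strip('"')
    return clients


def audit_client(opts):
    """Return a list of finding names for one client's options."""
    findings = []
    secret = opts.get("secret", "")
    if secret in KNOWN_DEFAULT_SECRETS:
        findings.append("default-secret")
    elif len(secret) < MIN_SECRET_LEN:
        findings.append("short-secret")
    if opts.get("require_message_authenticator", "").lower() == "no":
        findings.append("message-authenticator-not-required")
    try:
        net = ipaddress.ip_network(opts.get("ipaddr", ""), strict=False)
        if net.num_addresses > 1:   # any host in the range may use this secret
            findings.append("client-is-address-range")
    except ValueError:
        pass                        # hostname or missing ipaddr: not checked here
    return findings


def audit(text):
    """Audit every client block in a clients.conf text."""
    return {name: audit_client(opts) for name, opts in parse_clients(text).items()}


if __name__ == "__main__":
    for label, conf in (("lab", LAB_CLIENTS_CONF), ("hardened", HARDENED_CLIENTS_CONF)):
        print(label, audit(conf))
```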

RtBrick RADIUS Dictionary

Add the RtBrick RADIUS dictionary to /usr/share/freeradius/dictionary.rtbrick and include it in /usr/share/freeradius/dictionary.

Stopping and Starting the FreeRADIUS Server for any Changes

For any changes, stop and restart the FreeRADIUS server.

To stop the server, enter the following command:

sudo service freeradius stop

To start the server, enter the following command:

sudo service freeradius start

The FreeRADIUS server is now ready to provide AAA (Authentication, Accounting & Authorization) services to subscribers logging in.

4.4. Validating IPoE Subscriber Bring-Up

IPoE subscriber sessions can be brought to the "ESTABLISHED" state using traffic streams in both the upstream and downstream directions, with traffic packet and byte statistics.

The validation can be performed in two steps:

  1. Establishing the IPoE subscriber

  2. Pinging the subscriber IPv4/IPv6 address

4.4.1. BNG Blaster - IPoE Subscribers with Traffic Streams

Using BNG Blaster, which emulates IPoE clients and traffic streams with different code points, one can test the IPoE subscriber management feature.

supervisor@SN-STD-27-119820607:~ $ cat blaster_qos.json
{
  "interfaces": {
    "tx-interval": 1,
    "rx-interval": 1,
    "network": [
      {
        "interface": "SN-15-R1",
        "address": "36.1.1.2/24",
        "gateway": "36.1.1.1",
        "isis-instance-id": 1,
        "ldp-instance-id": 1,
        "isis-level": 1
      },
      {
        "interface": "SN-17-R2",
        "address": "46.1.1.2/24",
        "gateway": "46.1.1.1",
        "isis-instance-id": 2,
        "ldp-instance-id": 2,
        "isis-level": 1
      },
      {
        "interface": "SN-19-RR",
        "address": "192.168.131.2/24",
        "gateway": "192.168.131.1",
        "address-ipv6": "fc66:1337:7331::2",
        "gateway-ipv6": "fc66:1337:7331::1",
        "isis-instance-id": 3,
        "ldp-instance-id": 3,
        "isis-level": 1
      }
    ],
    "access": [
      {
        "interface": "SN-5-C1",
        "type": "ipoe",
        "stream-group-id": 1,
        "outer-vlan-min": 1001,
        "outer-vlan-max": 1100,
        "inner-vlan-min": 1001,
        "inner-vlan-max": 1100
      }
    ]
  },
  "sessions": {
    "count": 10,
    "session-time": 0,
    "max-outstanding": 800,
    "start-rate": 400,
    "stop-rate": 100
  },
  "access-line": {
    "agent-remote-id": "DEU.RTBRICK.{session-global}",
    "agent-circuit-id": "0.0.0.0/0.0.0.0 eth 0:{session-global}",
    "rate-up": 2000,
    "rate-down": 16384,
    "dsl-type": 5
  },
  "dhcp": {
    "enable": true
  },
  "dhcpv6": {
    "enable": true
  },
  "session-traffic": {
    "ipv4-pps": 10,
    "ipv6-pps": 10,
    "ipv6pd-pps": 10,
    "autostart": true
  },
    "streams": [
      {
        "name": "BE",
        "stream-group-id": 1,
        "type": "ipv4",
        "direction": "both",
        "network-ipv4-address": "192.168.131.2",
        "network-interface": "SN-19-RR",
        "vlan-priority": 1,
        "priority": 128,
        "length": 1000,
        "pps": 2000
      },
      {
        "name": "LowDelay",
        "stream-group-id": 1,
        "type": "ipv4",
        "direction": "both",
        "network-ipv4-address": "192.168.131.2",
        "network-interface": "SN-19-RR",
        "vlan-priority": 2,
        "priority": 160,
        "length": 1000,
        "pps": 2000
      },
      {
        "name": "LowLoss",
        "stream-group-id": 1,
        "type": "ipv4",
        "direction": "both",
        "network-ipv4-address": "192.168.131.2",
        "network-interface": "SN-19-RR",
        "vlan-priority": 3,
        "priority": 192,
        "length": 1000,
        "pps": 2000
      },
      {
        "name": "VoIP",
        "stream-group-id": 1,
        "type": "ipv4",
        "direction": "both",
        "network-ipv4-address": "192.168.131.2",
        "network-interface": "SN-19-RR",
        "vlan-priority": 4,
        "priority": 224,
        "length": 1000,
        "pps": 2000
      }
    ],
  "ldp": [
    {
      "instance-id": 1,
      "lsr-id": "192.1.0.36",
      "keepalive-time": 30,
      "raw-update-file": "ldp_1000.ldp"
    },
    {
      "instance-id": 2,
      "lsr-id": "192.1.0.46",
      "keepalive-time": 30,
      "raw-update-file": "ldp_1000.ldp"
    },
    {
      "instance-id": 3,
      "lsr-id": "192.1.0.56",
      "keepalive-time": 30,
      "raw-update-file": "ldp_1000.ldp"
    }
  ],
  "isis": [
    {
      "instance-id": 1,
      "area": [
        "49.0002/24"
      ],
      "system-id": "0204.0000.0001",
      "router-id": "192.1.0.36",
      "hostname": "BBL-LSR1",
      "hello-padding": true,
      "teardown-time": 30,
      "external": {
        "mrt-file": "/home/supervisor/isis.mrt",
        "connections": [
          {
            "system-id": "1921.6800.1003",
            "l1-metric": 10
          }
        ]
      }
    },
    {
      "instance-id": 2,
      "area": [
        "49.0002/24"
      ],
      "system-id": "0204.0000.0002",
      "router-id": "192.1.0.46",
      "hostname": "BBL-LSR2",
      "hello-padding": true,
      "teardown-time": 30,
      "external": {
        "mrt-file": "/home/supervisor/isis.mrt",
        "connections": [
          {
            "system-id": "1921.6800.1004",
            "l1-metric": 10
          }
        ]
      }
    },
    {
      "instance-id": 3,
      "area": [
        "49.0002/24"
      ],
      "system-id": "0204.0000.0003",
      "router-id": "192.1.0.56",
      "hostname": "BBL-RR",
      "hello-padding": true,
      "teardown-time": 30,
      "external": {
        "mrt-file": "/home/supervisor/isis.mrt",
        "connections": [
          {
            "system-id": "1921.6800.1005",
            "l1-metric": 10
          }
        ]
      }
    }
  ],
  "bgp": [
    {
      "__comment__": "RR-IPv4",
      "network-interface": "SN-19-RR",
      "local-ipv4-address": "192.1.0.56",
      "peer-ipv4-address": "192.1.0.51",
      "raw-update-file": "/home/supervisor/ipv4_nlri.bgp",
      "local-as": 3330,
      "peer-as": 3320
    },
    {
      "__comment__": "RR-IPv6",
      "network-interface": "SN-19-RR",
      "local-ipv4-address": "192.1.0.56",
      "peer-ipv4-address": "192.1.0.52",
      "raw-update-file": "/home/supervisor/ipv6_nlri.bgp",
      "local-as": 3330,
      "peer-as": 3320
    }
  ]
}
supervisor@SN-STD-27-119820607:~ $

Validating the IPoE Session on BNG Blaster

Using the following command, IPoE subscribers are brought up and traffic flows are validated in both upstream and downstream directions.

supervisor@rtbrick:~ $ sudo bngblaster -C ipoe.json -S run.sock -I -c 10

In the image below, one can see the details of the established session (i.e. the sessions of 10 subscribers).

Fig 3: BNG Blaster terminal view

Visit the following URL for more information on BNG Blaster:

Viewing the Subscribers and the Subscriber Details

Enter the following command to view the list of subscribers.

supervisor@rtbrick>cbng1.rtbrick.net: cfg>  show subscriber
Subscriber-Id          Interface        VLAN      Type   State
1369375761697341447    ifp-0/1/29       1009:1019 IPoE   ESTABLISHED
1369375761697341448    ifp-0/1/29       1009:1014 IPoE   ESTABLISHED
1369375761697341449    ifp-0/1/29       1009:1009 IPoE   ESTABLISHED
1369375761697341450    ifp-0/1/29       1009:1004 IPoE   ESTABLISHED
1369375761697341451    ifp-0/1/29       1009:1020 IPoE   ESTABLISHED
1369375761697341452    ifp-0/1/29       1009:1025 IPoE   ESTABLISHED
1369375761697341453    ifp-0/1/29       1009:1026 IPoE   ESTABLISHED
1369375761697341454    ifp-0/1/29       1009:1027 IPoE   ESTABLISHED
1369375761697341455    ifp-0/1/29       1009:1028 IPoE   ESTABLISHED
1369375761697341456    ifp-0/1/29       1009:1029 IPoE   ESTABLISHED
supervisor@rtbrick>cbng1.rtbrick.net: cfg>

Enter the following command to view the details of the subscriber with ID 1369375761697341454.

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show subscriber 1369375761697341454 detail
Subscriber-Id: 1369375761697341454
    Type: IPoE
    State: ESTABLISHED
    Created: Fri Dec 02 08:28:54 GMT +0000 2022
    Interface: ifp-0/1/29
    Outer VLAN: 1009
    Inner VLAN: 1027
    Client MAC: 02:00:00:00:03:3b
    Server MAC: a8:b5:7e:8f:66:43
    IFL: ipoe-0/1/29/1369375761697341454
    Username: 02:00:00:00:03:3b@ipoe
    Agent-Remote-Id: DEU.RTBRICK.827
    Agent-Circuit-Id: 0.0.0.0/0.0.0.0 eth 0:827
    Access-Profile: ipoe
    AAA-Profile: ipoe-aaa
    Reply-Message: FOOBAR Internet
    Session-Timeout: 0 (disabled)
    Idle-Timeout: 0 (disabled)
    MTU: 1500 Profile: N/A
    IPv4:
        Instance: default
        Address: 10.100.128.14/255.255.255.255
        Address Active: True
        Primary DNS: 10.0.0.3
        Secondary DNS: 10.0.0.4
    IPv6:
        Instance: default
        RA Prefix: fc55:100:1:1::e/128
        RA Prefix Active: True
        Delegated Prefix (DHCPv6): fc56:100:1:d00::/56
        Delegated Prefix Active: True
        Primary DNS: fc66::3
        Secondary DNS: fc66::4
    Accounting:
        Session-Id: 1369375761697341454:1669969734
        Start-Time: 2022-12-02T08:28:55.245914+0000
        Interims Interval: 900 seconds
supervisor@rtbrick>cbng1.rtbrick.net: cfg>

Pinging the Subscriber (source: IPOE) from C-BNG

Before pinging a subscriber, use the show route <…> command to display the subscriber IP addresses on the C-BNG.

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show route ipv4 unicast source ipoe
Instance: default, AFI: ipv4, SAFI: unicast
Prefix/Label                             Source            Pref    Next Hop                                 Interface
10.100.128.1/32                          ipoe              7       -                                        ipoe-0/1/29/1369375761697341471
10.100.128.2/32                          ipoe              7       -                                        ipoe-0/1/29/1369375761697341474
10.100.128.3/32                          ipoe              7       -                                        ipoe-0/1/29/1369375761697341473
10.100.128.4/32                          ipoe              7       -                                        ipoe-0/1/29/1369375761697341472
10.100.128.5/32                          ipoe              7       -                                        ipoe-0/1/29/1369375761697341475
10.100.128.6/32                          ipoe              7       -                                        ipoe-0/1/29/1369375761697341478
10.100.128.7/32                          ipoe              7       -                                        ipoe-0/1/29/1369375761697341476
10.100.128.8/32                          ipoe              7       -                                        ipoe-0/1/29/1369375761697341479
10.100.128.9/32                          ipoe              7       -                                        ipoe-0/1/29/1369375761697341477
10.100.128.10/32                         ipoe              7       -                                        ipoe-0/1/29/1369375761697341480
supervisor@rtbrick>cbng1.rtbrick.net: cfg>

From the above list, ping 10.100.128.9 as shown below.

supervisor@rtbrick>cbng1.rtbrick.net: cfg> ping 10.100.128.9
68 bytes from 10.100.128.9: icmp_seq=1 ttl=64 time=9.4346 ms
68 bytes from 10.100.128.9: icmp_seq=2 ttl=64 time=2.5892 ms
68 bytes from 10.100.128.9: icmp_seq=3 ttl=64 time=5.1383 ms
68 bytes from 10.100.128.9: icmp_seq=4 ttl=64 time=8.6419 ms
68 bytes from 10.100.128.9: icmp_seq=5 ttl=64 time=1.6199 ms
Statistics: 5 sent, 5 received, 0% packet loss
supervisor@rtbrick>cbng1.rtbrick.net: cfg>

Validating Traffic Streams

Traffic streams can be used to perform various forwarding verifications.

For upstream traffic capture, enter the following command:

capture interface ifp-0/1/29 direction in

For downstream traffic capture, enter the following command:

capture interface ifp-0/1/29 direction out

Here, ifp-0/1/29 refers to the access interface.

Validating Upstream Traffic for IPv4

2022-12-01T12:11:52.357415+0000 02:00:00:00:00:08 > a8:b5:7e:8f:66:43, ethertype 802.1Q (0x8100), length 98: vlan 1001, p 0, ethertype 802.1Q, vlan 1008, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 76)
    10.100.128.4.65056 > 192.168.131.2.65056: UDP, length 48

Validating Downstream Traffic for IPv4, IPv6, DHCPv6PD Streams

2022-12-01T12:11:53.351763+0000 a8:b5:7e:8f:66:43 > 02:00:00:00:00:08, ethertype 802.1Q (0x8100), length 98: vlan 1001, p 0, ethertype 802.1Q, vlan 1008, p 0, ethertype IPv4, (tos 0x0, ttl 254, id 0, offset 0, flags [none], proto UDP (17), length 76)
    192.168.131.2.65056 > 10.100.128.4.65056: UDP, length 48

4.4.2. Validating the IPoE QoS on BNG Blaster

Using the following command, IPoE subscribers are brought up and traffic flows are validated in both upstream and downstream directions.

supervisor@rtbrick:~ $ sudo bngblaster -C blaster_qos.json -S run.sock -I -c 1

Fig 4: Reading output from BNG Blaster

As shown in the above image, the VoIP downstream traffic has been shaped (session shaping) to 2 Mbps. Similarly, the total subscriber traffic has been shaped to approximately 10 Mbps.

Following are the upstream traffic rates of different policer levels:

  • Level-1 Rates ~=2.5Mbps

  • Level-2 Rates ~=3.5Mbps

  • Level-3 Rates ~=4.5Mbps

  • Level-4 Rates ~=1.5Mbps

4.5. IPoE Subscriber Accounting for Upstream and Downstream Traffic

Run the "show subscriber" command to view the list of subscribers.

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show subscriber
Subscriber-Id          Interface        VLAN      Type   State
1369375761697341447    ifp-0/1/29       1001:1001 IPoE   ESTABLISHED
supervisor@rtbrick>cbng1.rtbrick.net: cfg>

Specify the Subscriber-ID to find the specific subscriber’s accounting details:

supervisor@rtbrick>cbng1.rtbrick.net: cfg> show subscriber 1369375761697341447 accounting
Subscriber-Id: 1369375761697341447
    IFL: ipoe-0/1/29/1369375761697341447
    Start Timestamp: Wed Dec 07 08:04:56 GMT +0000 2022
    Idle Timestamp: Wed Dec 07 09:29:54 GMT +0000 2022
    Session-Timeout: 0 seconds
    Idle-Timeout: 0 seconds
    Session Statistics:
        Ingress: 0 packets 0 bytes
        Egress: 0 packets 0 bytes
    LIF Statistics:
        Ingress: 0 packets 0 bytes
        Egress: 0 packets 0 bytes
    Egress Class (Queue) Statistics:
        class-0: 3539909 packets 3603627362 bytes dropped: 6907398 packets 7031731164 bytes
        class-1: 4899881 packets 4988078858 bytes dropped: 5088649 packets 5180244682 bytes
        class-2: 5778003 packets 5882007054 bytes dropped: 4210527 packets 4286316486 bytes
        class-3: 1243731 packets 1266118158 bytes dropped: 8897726 packets 9057885068 bytes
        class-4: 0 packets 0 bytes dropped: 0 packets 0 bytes
        class-5: 0 packets 0 bytes dropped: 0 packets 0 bytes
        class-6: 0 packets 0 bytes dropped: 0 packets 0 bytes
        class-7: 0 packets 0 bytes dropped: 0 packets 0 bytes
    Ingress Policer Statistics:
        Level 1: 10182079 packets 10222571382 bytes dropped: 8614199 packets 8648511916 bytes
        Level 2: 10181612 packets 10222338448 bytes dropped: 8005859 packets 8037882436 bytes
        Level 3: 10181613 packets 10222339452 bytes dropped: 7359795 packets 7389234180 bytes
        Level 4: 10181769 packets 10222496076 bytes dropped: 9240981 packets 9277944924 bytes
supervisor@rtbrick>cbng1.rtbrick.net: cfg>

4.6. Configuring Lawful Intercept (LI)

Note: This section is still a work in progress.

Lawful Intercept (LI) is used to mirror datastreams of any specific end user in both upstream and downstream directions, and direct them towards a mediation device.

Whether a specific subscriber needs to be mirrored or not can be controlled by specifying the following LI attributes in the RADIUS file.

RtBrick-LI-Action = 1,
RtBrick-LI-Direction = 3,
RtBrick-LI-Identifier = 4191001,
RtBrick-LI-MED-Instance = "ipoe-li",
RtBrick-LI-MED-IP = 192.168.10.2,
RtBrick-LI-MED-Port = 65001

In the configuration below, the user with username "user1@rtbrick.com" is mirrored whenever the user logs in.

"user1@rtbrick.com" Cleartext-Password := "RtBrick_Little_Secret"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Class = "useri@rtbrick.com",
    RtBrick-LI-Identifier = 4191001,
    Framed-IP-Address = 10.100.128.11,
    Framed-IP-Netmask = 255.255.255.255,
    RtBrick-DNS-Primary = 10.0.0.3,
    RtBrick-DNS-Secondary = 10.0.0.4,
    Framed-IPv6-Prefix = fc68:100:1:1::/64,
    RtBrick-DNS-Primary-IPv6 = fc66:0::3,
    RtBrick-DNS-Secondary-IPv6 = fc66:0::4,
    Session-Timeout = 0,
    Idle-Timeout = 0,
    Acct-Interim-Interval = 900,
    RtBrick-QoS-Profile = "pta-triple-play-8queues",
    RtBrick-QoS-Shaper = "name=shaper_session,high=15m, low=1m;name=shaper_VO,high=2m;",
    RtBrick-QoS-Policer = "1,2m,200;2,1m,300;3,1m,400;4,0,400",
    RtBrick-QoS-Parent-Scheduler = "pon0",
    RtBrick-QoS-MFC = "pta-triple-play-8queues",
    RtBrick-IGMP-Status = ENABLED,
    RtBrick-IGMP-Profile = "iptv",
    RtBrick-IGMP-Max-Members = 10,
    RtBrick-IGMP-Version = V3,
    RtBrick-LI-Action = 1,
    RtBrick-LI-Direction = 3,
    RtBrick-LI-MED-Instance = "ipoe-li",
    RtBrick-LI-MED-IP = 192.168.10.2,
    RtBrick-LI-MED-Port = 65001
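
An audit that can be run over a users file like the entry above, added here as an example and not RtBrick's or the RADIUS server's own code: it lists every entry that carries RtBrick-LI-* attributes, reports which of the six attributes listed in this section are absent, flags LI lines that have no operator, and checks the mediation IP against an approved list. The function name audit_li, the approved_med_ips parameter and the embedded sample are assumptions made for the example.

```python
import re
import shlex

# The six LI reply attributes this section lists for the RADIUS users file.
LI_ATTRS = {"RtBrick-LI-Action", "RtBrick-LI-Direction", "RtBrick-LI-Identifier",
            "RtBrick-LI-MED-Instance", "RtBrick-LI-MED-IP", "RtBrick-LI-MED-Port"}
# A users-file item is "Attribute <op> value", optionally followed by a comma.
ITEM_RE = re.compile(r'^([A-Za-z][\w-]*)\s*(:=|\+=|==|=)\s*(.+?),?$')

# Constructed sample (not a real users file). The last LI line of the first
# entry has no operator, to exercise the malformed-line check.
SAMPLE = '''\
"user1@rtbrick.com" Cleartext-Password := "placeholder"
    Service-Type = Framed-User,
    RtBrick-LI-Identifier = 4191001,
    RtBrick-LI-Action = 1,
    RtBrick-LI-Direction = 3,
    RtBrick-LI-MED-Instance = "ipoe-li",
    RtBrick-LI-MED-IP = 192.168.10.2,
    RtBrick-LI-MED-Port 65001

"user2@rtbrick.com" Cleartext-Password := "placeholder"
    Service-Type = Framed-User
'''

def audit_li(text, approved_med_ips):
    """Report each entry that has LI items: values, gaps, bad lines, MED check."""
    entries, user = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():            # an unindented line opens an entry
            user = shlex.split(line)[0]
            entries[user] = {"li": {}, "malformed": []}
        elif user is not None:
            m = ITEM_RE.match(line)
            if m and m.group(1) in LI_ATTRS:
                entries[user]["li"][m.group(1)] = m.group(3).strip('"')
            elif m is None and line.startswith("RtBrick-LI-"):
                entries[user]["malformed"].append(line)
    report = {}
    for user, e in entries.items():
        if e["li"] or e["malformed"]:
            e["missing"] = sorted(LI_ATTRS - set(e["li"]))
            med_ip = e["li"].get("RtBrick-LI-MED-IP")
            e["unapproved_med"] = med_ip is not None and med_ip not in approved_med_ips
            report[user] = e
    return report
```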

5. Appendixes

5.1. Appendix A: RBFS Configuration

The RBFS configuration file (cbng-ipoe-config.json) can be downloaded from here.

Click the download icon to download the cbng1 configuration file.

5.2. Appendix B: TACACS+ Server Configuration

The TACACS+ server configuration file (tac_plus.conf) can be downloaded from here.

Click the download icon to download the TACACS+ server configuration file.

5.3. Appendix C: RADIUS Server Configuration

The RADIUS server configuration files (radius_config.zip) can be downloaded from here. The zip archive contains the set of configuration files needed to configure the RADIUS server.

Click the download icon to download the RADIUS server configuration files.

5.4. Appendix D: BNG Blaster Configuration

The BNG Blaster configuration files (bng_blaster_config.zip) can be downloaded from here. The zip archive contains the set of configuration files needed to configure BNG Blaster.

Click the download icon to download the BNG Blaster configuration files.


© Copyright 2023 RtBrick, Inc. All rights reserved. The information contained herein is subject to change without notice. The trademarks, logos and service marks ("Marks") displayed in this documentation are the property of RtBrick in the United States and other countries. Use of the Marks is subject to RtBrick’s Term of Use Policy, available at https://www.rtbrick.com/privacy. Use of marks belonging to other parties is for informational purposes only.