Sei sulla pagina 1di 358

< DISCLAIMER >

The targeted audience for this PPPoE slide pack are ALU-
engineers and distribution to customers is not allowed.

TiMOS 7.0 workshop

PPPoE

Bert.Todts@alcatel-lucent.be
PPPoE – workshop
Agenda

1. Local-Access-Model versus Tunneled-Access-Model. updated

2. General PPPoE Technology overview. updated

3. 7x50 Retail PPPoE implementation. updated

4. 7x50 Wholesale-Retail via Managed-SAP aka MSAP. updated

5. 7x50 Wholesale-Retail VRF selection. new

6. General L2TP Technology overview. new

7. 7x50 Wholesale-Retail L2TP implementation. new

8. Customer cases updated

9. Scalability updated

10.Evolution. new

2 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


1 Local-Access-Model versus Tunneled-Access-Model

updated

3 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


PPPoE – workshop
Local-Access-Model versus Tunneled-Access-Model

Local-Access-Model

 In the local access model, a single network device is responsible for both
virtual circuit termination and PPP session termination. Whoever owns the
Edge device is responsible for maintaining both the underlying network and the
database of end-user information.

Tunneled Access-Model
 In the tunneled access model there is a separation between who is responsible
for the virtual circuit termination and who is responsible for the PPP session
termination.

4 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


PPPoE – workshop
Local-Access-Model versus Tunneled-Access-Model

Local-Access-Model

 Local Retail PPPoE termination. R6


 Wholesale-Retail via MSAP. R6
 Wholesale-Retail VRF selection. R7

Tunneled Access-Model
 Wholesale-Retail via L2TP (Layer 2 Tunnel Protocol). R7

5 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Wholesale-Retail L2TP implementation.
General : Local Retail PPPoE termination

 RFC2516 PPP over Ethernet


 PADI/PAP/CHAP via LUDB/RADIUS
 IP via LUDB/RADIUS/DHCP

RADIUS
Server
P2P
ISP2

IBGP PE
user1@ISP1 PPPoE
IES/VRF ISP1

user2@ISP1
ISP3
user3@ISP1
LUDB DHCP

Access Node BNG


HOST BNG EBGP
PADI EBGP
PADO
PPPoE Discovery
PADR
PADS
LCP session stage LCP Config-req/Ack
INTERNET Web-Server
PAP/CHAP
Authentication Phase
IPCP Config-req/Ack
Network-Layer Phase

6 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Wholesale-Retail L2TP implementation.
General : Wholesale-Retail via MSAP

 VLAN/subscriber model.
 PADI/PAP/CHAP via LUDB/RADIUS
 IP via LUDB/RADIUS/DHCP
RADIUS
Server ISP2
P2P VRF

PPPoE IBGP PE
PADI Capture
user1@ISP2 ISP1
VPLS
PPPoE
user1@ISP3 VRF VRF
VRF
VRF ISP3
user2@ISP3
LUDB DHCP
Access Node
BNG
EBGP
EBGP
HOST BNG
PADI
PADO
PPPoE Discovery
PADR
PADS INTERNET Web-Server
LCP session stage LCP Config-req/Ack
PAP/CHAP
Authentication Phase
IPCP Config-req/Ack
Network-Layer Phase

7 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Wholesale-Retail L2TP implementation.
General : Wholesale-Retail via VRF selection

 Dynamic VRF selection over single VLAN / wholesale IP-VPN


 PADI/PAP/CHAP via LUDB/RADIUS
 IP via LUDB/RADIUS/DHCP
RADIUS
Server ISP2
P2P VRF
Alc-Retail-Serv-Id

IBGP PE
user1@ISP3 PPPoE
VRF ISP1

wholesale
VRF
user1@ISP1 VRF
VRF
VRF
user1@ISP2 ISP3

Access Node DHCP VRF


LUDB
BNG
EBGP
EBGP
HOST BNG
PADI
PADO
PPPoE Discovery
PADR
PADS INTERNET Web-Server
LCP session stage LCP Config-req/Ack
PAP/CHAP
Authentication Phase
IPCP Config-req/Ack
Network-Layer Phase

8 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Wholesale-Retail L2TP implementation.
General : Wholesale-Retail via L2TP (Layer 2 Tunnel Protocol).

 Radius returns L2TP info for user1@ISP3 and user2@ISP3

 PPPoE packets for user1@ISP3 are tunneled in GRE-like tunnel to LNS1-ISP3 ( UDP port 1701)
L2TP tunnel1 ISP2
 SRC-IP L2TP is (hardcoded) system interface. L2TP tunnel2 ISP2 L2TP Tunnel group
L2TP tunnel3 ISP2
 Multiple bidirectional sessions (calls) may use a
single L2TP tunnel.
RADIUS
Server
P2P
LNS1 ISP2
LNS2
IBGP PE @IP/32 LNS3
PPPoE
user1@ISP1 IES/VRF ISP1

user1@ISP3 PPPoE
IES/VRF L2TP tunnel ISP3
NW-port
user2@ISP3 LNS1-ISP3 ISP3
7750 SR
Access Node
LAC P2P
EBGP
 L2TP uplinks require network ports on IOM3/IMM EBGP

 PADI/PAP/CHAP via LUDB/RADIUS


LNS
 L2TP tunnel can be pre-signaled or not. LNS
INTERNET Web-Server

9 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Wholesale-Retail L2TP implementation.
General : Wholesale-Retail via L2TP (Layer 2 Tunnel Protocol).

 LAC functionality on 7750/7710, with forwarding in global routing table.


 A tunnel may be selected using the domain-name in Radius or in the LUDB.
 Both PADI and PAP/CHAP authentication is supported.
 Multiple tunnels may exist between a LAC/LNS pair. ( tunnel selection
mechanism required).
 A tunnel can be setup without a session-trigger by means of the parameter
tunnel Auto-establish. Every 1 minute we check if such tunnels need to be
established.
 IOM3 / IMM is required for L2TP support. (PPPoE session can still come in on IOM2)

 L2TP is HA.
 IPv6 for L2TP peer setup not supported.

 http://www.iana.org/assignments/radius-types

10 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Wholesale-Retail L2TP implementation.
General : Wholesale-Retail via L2TP (Layer 2 Tunnel Protocol).

 PADI may be used to select the PADO delay. This requires access to the local
user database. A second user lookup may be required for Radius.

 Support for draft Mammoliti AVP’s (except ANCP).***

 OAM requirements will include L2TP keep-alive reporting and commands to


verify connectivity to the LNS .

 Ethernet on the network side only.

 We support L2TPv2 which is used for the tunnelling of PPP packets across an
intervening network is based and on RFC 2661. (Aug 1999).
 L2TPv3 not supported ( RFC 3931: IP-Tunnels other L2 protocols. (PPP, Eth, FR..)

11 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Wholesale-Retail L2TP implementation.
General : Wholesale-Retail via L2TP (Layer 2 Tunnel Protocol).

Related supported RFC’s

 RFC 2661 : Layer Two Tunneling Protocol "L2TP“ ***


 L2TPv1 AKA 2LF RFC 2341
 L2TPv2 RFC 2661 ( tunneling of PPPoE packets)
 L2TPv3 RFC 3931 ( tunneling of any L2 protocol)
 RFC 2516 : A Method for Transmitting PPP Over Ethernet (PPPoE)

 RFC 1994 : PPP Challenge Handshake Authentication Protocol (CHAP)

 RFC 1661 : The Point-to-Point Protocol (PPP)

 RFC 2868 : RADIUS Attributes for Tunnel Protocol Support

12 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Wholesale-Retail L2TP implementation.
General : Wholesale-Retail via L2TP (Layer 2 Tunnel Protocol).

Related Non supported RFC’s

 RFC 4951 (Fail Over Extensions for Layer 2 Tunnelling Protocol (L2TP) "failover“ )
 Protects against control channel failures only.
 On LAC side we don’t require mechanism because we sync the sequence nbrs via HA.

Ip1
LAC LNS active

HA

LAC Ip1 LNS Standby


Recovery
control
channel

13 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Wholesale-Retail L2TP implementation.
General : Wholesale-Retail via L2TP (Layer 2 Tunnel Protocol).

Related Non supported RFC’s ERX example

 RFC 2867 (RADIUS Accounting Acct-Status-Type = Stop


User-Name = "Joe@oao1.be"
modifications for L2TP Support) Acct-Delay-Time = 0
NAS-Identifier = “ANT1.B-RAS.D2"
Acct-Session-Id = "0090180344"
 We don’t include any L2TP tunnel NAS-IP-Address = 172.19.110.128
information in the accounting User-Service = Framed-User
Framed-Protocol = PPP
records. Framed-Compression = None
Unisphere-Pppoe-Description ="pppoe 00:90:1a:41:1a:7f"
 Examples: Tunnel-Type (64) ,Tunnel- Calling-Station-Id = "ANT1.B-RAS.D2:12/1:1:50"
Tunnel-Type:0 = L2TP
Medium-Type (65) ,Tunnel-Client- Tunnel-Medium-Type:0 = IP
Endpoint (66), Tunnel-Server-Endpoint Acct-Tunnel-Client-Endpoint:0 = "10.99.99.17"
Tunnel-Client-Auth-Id:0 = “ANT1.B-RAS.D2"
(67) , Acct-Tunnel-Connection (68) Tunnel-Server-Endpoint:0 = "10.1.12.15"
Tunnel-Server-Auth-Id:0 = "HGW1.D1"
 Some other vendor do this like seen Tunnel-Assignment-Id:0 = "oao1.be"
here on the right example. Acct-Tunnel-Connection-Id:0 = "0000000241"
Connect-Info = "speed:UBR"
NAS-Port-Type = 16
NAS-Port = 3238068274
Attr-87 = "atm 12/1/1.1:1.50"
Acct-Authentic = RADIUS
Acct-Session-Time = 55
Acct-Terminate-Cause = NAS-Request

14 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


2 General PPPoE Technology overview

updated

15 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


General PPPoE Technology overview
Embedded presentation

 ~1 hour embedded TiMOS-General-PPPoE-Technology-Overview-v1.0.ppt

16 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


3 7x50 Retail PPPoE implementation

updated

17 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


PPPoE – workshop
Agenda
1. Local-Access-Model versus Tunneled-Access-Model.

2. General PPPoE Technology overview.


3. 7x50 Retail PPPoE implementation.
a) What does the 7710/7750 offers in 7.0 and LAB-setup e) Resilience / Redundancy

b) different PPPoE scenarios. f) Security

c) Accounting g) Change of Authority

d) QoS

4. 7x50 Wholesale-Retail via Managed-SAP aka MSAP


5. 7x50 Wholesale-Retail VRF selection.
6. General L2TP Technology overview.
7. 7x50 Wholesale-Retail L2TP implementation.
8. Customer cases
9. Scalability
10.Evolution.
18 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Agenda

a) What
a) Whatdoes
doesthe
the7710/7750
7710/7750offers
offers inin7.0
7.0and
andLAB-setup
LAB-setup e) Resilience / Redundancy

b) different PPPoE scenarios. f) Security

c) Accounting g) Change of Authority

d) QoS

19 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
What does the 7710/7750 offers in 7.0

 Platforms
 7710/7750 SR7/12 on IOM2/3
 Connectivity
 Supported only on Ethernet null, Dot1Q and QinQ SAPs.
– External loop or VSM required if L2 aggregation used.
 VLAN per customer
 VLAN per service
 MTU>1492 support.
 Session control capabilities
 PPPoE sessions may be limited per SAP (host limit) and per SLA-profile.
 Optional combined support of static DHCP host , DHCP and PPPoE hosts on a single SAP
 Managed SAPs (aka. Auto-VLAN):
– default SAP with auto-discovery of VLAN; valid for VLAN/sub configs

20 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
What does the 7710/7750 offers in 7.0

Authentication

 RADIUS based authentication of subscriber host interface in PADI phase.


 optional attributes include: circuit id, remote id, nas-identifier=system name, nas-
port-id = sap-id);
 MAC@ as mandatory attribute.

 Local PAP/CHAP authentication via LUDB


 Authentication on PPPoE username with or without domain, password
 Implies local configuration (no RADIUS interaction); local user database provides
configuration information.
 Radius PAP/CHAP authentication (since 6.1R1)

 Local DHCP server authentication who uses also LUDB

 Support for Framed-ip 255.255.255.254 from Radius *** (since 6.0R3)

 Support for Framed-route received via Radius (since 6.1.R1)


21 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
What does the 7710/7750 offers in 7.0

 Security
 Anti-spoofing during PPP phase: IP+MAC based
 Routing in IES or VPRN context aka Routed CO.
 PPPoE capable interface can be created within a subscriber interface in both IES and
VPRN services
 QoS
 Same as for DHCP subscriber hosts; I.e. as per ESM attributes
 High Availability
 HA for PPPoE subscriber host information is fully HA.
 Miscellaneous
 Support for Framed-IP 255.255.255.254 from Radius *** (since 6.0R3)
 Support for Framed-route received via Radius (since 6.1.R1)

22 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
Port-setup Antwerp-lab 138.203.18.x

/177

DHCP-ESM 3 3 1
DHCP/RADIUS
138.203.18.79
Linux/Client
3 7 1
138.203.18.73 PE1/26
5 C1/RR1/23 PE3/182
1 5
4 21 2 2 11 8 2 1 1 2 13 1

A1/24 4
DHCP 5
6 9 3 4 6 4 3

2 A3/22

23 1 .
4

PPPoE 4 6 9 3 4 5 2 3

1 4 22 3 12 2 1
2 8 2 1 14 4

A2/181 PE2/176 PE4/179


Linux/Client C2/RR2/183
138.203.18.73 3 7

PPPoE-ESM
23 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Addressing Antwerp -lab

P-cisco/177
10.2.79.2 DHCP/RADIUS
3 138.203.18.79
10.2.79.79
Link : 172.16.10. Z / 22
Linux/Client .78
138.203.18.73
PE1/26 .77 C1/RR1/23 PE3/182

21 .2 .1 11 .26 .25 1 .37 .38 13 .45

A1/24 .9
DHCP .14
.18 .33 .42
.121
.21 .129
.49
.46 A3/22

23
.
.126

.50

PPPoE A2/181 .10


.13
.22 .17 .34 .41 .130 .122

22 .6 .5 12 .30 .29 2 .117 .118 14 .125

PE2/176
C2/RR2/183
Linux/Client
138.203.18.73

24 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
Antwerp TPSDA : Simulation of PPP users
-79
 Radius server 138.203.18.79 RADIUS

1/1/3:0.* 1/1/7
 PPPoE client on LINUX 138.203.18.73 10.2.79.79
1/1/3:21 10.2.79.2

SAP A1
 mpcsim IES 103
IES 998
VLL 999
Gi A
SAP A2 IES/
VPRN
Gi B PE1-26 -177

SAP B1

-73
Eth2
SDP 11
1/1/2:0.*
Epipe
1/1/1:999.*
IES 998
138.203.18.176
VPLS 999 SDP 12 VLL 999
999 1/1/4:999.*
A2 PE2

1/1/3:0.* 1/1/7
CE-171 A2-181
PE2-176

25 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
Agenda

a) What does the 7710/7750 offers in 7.0 and LAB-setup e) Resilience / Redundancy

b) different
b) different PPPoE
PPPoE scenarios.
scenarios. f) Security

c) Accounting g) Change of Authority

d) QoS

26 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
High level Overview

 First we do Radius or LUDB authentication ( or via DHCPs and LUDB )


 We must get back a subscriber-id if we get back any other information.
 If we don't have an IP address after the first step, we go to DHCP.
 Any other information from DHCP (subscriber-ID, ESM strings) will be added to
the information from the first step, unless information from that group was
already available. ( so append iso replace )
 If we then still don't have information for the ESM strings or Subscriber-ID, we
look at the defaults configured on the SAP and add them if applicable.

 To setup the session, we need a Subscriber-ID, a Sub-Prof , a SLA-Prof and an


IP-address. If we don't have at least these four items, the session is not setup.

Remark: DNS-info is seen as IP-info and should be retrieved from the same place as the IP-address. If this
is not true than we will send an ipcp-reject for this option. DNS-info can come from LUDB , Radius or
Local-DHCP server.

27 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


DISCOVERY
DISCOVERY
7x50 Retail PPPoE implementation LCP
LCP
AUTHENTICATION
AUTHENTICATION
Authentication overview IPCP
IPCP

 Is the user known in the system ?

 Choose between 1 or 2 or 3 for AUTH.


PADI
Phase Radius
1

PAP/CHAP PAP/CHAP
Phase User-1 Phase
6.1
LUDB Radius
2 4

DHCP DHCPS
PPPoE client
IPCP
phase LUDB User-1
3

28 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
1 Radius Authentication: IP addressing overview

 Authentication via PADI


PADI
Phase Radius  Return also IP from Radius
IP
 Cache IP until IPCP phase

PAP/CHAP
Phase

 Authentication was via PADI


DHCP DHCPS
PPPoE client Gi IP  Return IP not from Radius
IPCP Radius
phase
 Return IP via local DHCPs

 Or external DHCPs
IP Static
IP Dynamic

29 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
2 PAP/CHAP LUDB Authentication: IP addressing overview

 Authentication via LUDB


PAP/CHAP
Phase User-1
 Return also IP from LUDB during
LUDB
IP auth-phase

 Cache IP until IPCP phase.


Continue : If we did not
return IP during PAP/CHAP
phase

DHCP DHCPS  Authentication was via LUDB


PPPoE client use Gi IP
IPCP
phase  Local DHCPs does not use LUDB anymore

LUDB User-1  Local DHCPs uses Gi to find IP


IP Static
IP Dynamic

30 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
3 DHCPs via LUDB Authentication: IP addressing overview
 Authentication via DHCPs (LUDB)
DHCP DHCPS
PPPoE client  LUDB has also IP address.
IPCP
phase
 IP is returned during first look in LUDB.
LUDB User-1
IP

IP  Authentication was DHCPs (LUDB)


DHCP DHCPS
PPPoE client use LUDB  LUDB has no IP but Gi-address
IPCP
phase
 DHCPs uses again LUDB to see method Gi
LUDB User-1  IP via local DHCPs via Gi
Gi

IP  Authentication was DHCPs (LUDB)


DHCP DHCPS
PPPoE use LUDB
IPCP
client  LUDB has no IP but pool-name
phase
 DHCPs uses again LUDB to see the pool-name**
IP Static LUDB User-1
 IP via local DHCPs via pool-name
IP Dynamic pool-name

31 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
ESM-strings overview

 ESM-strings In Radius

Radius  Subscriber-id in Radius


1 Sub-id ESM-strings

LUDB
 ESM-strings LUDB
User-1
Sub-id ESM-strings
2  Subscriber-id LUDB

 ESM-strings LUDB
DHCP DHCPS
PPPoE client  Subscriber-id LUDB
LUDB
User-1
3 Sub-id ESM-strings  DHCPs gives the ESM-string to the DHCP
client via a configured DHCP option.

Sub-id ESM-strings  Fall back to default strings

32 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
Different PPPoE scenarios based on Authentication, IP, ESM

IP AUTH SUB / SLA SUB-ID

Option 1 LUDB LUDB CHAP LUDB LUDB

Option 2 LUDB LUDB PAP LUDB LUDB

Option 3 RADIUS RADIUS PADI MAC RADIUS RADIUS

Option 4 RADIUS RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 5 DHCP DHCP MAC/CIRCUIT_ID DHCP DHCP

Option 6 DHCP LUDB CHAP LUDB LUDB

Option 7 DHCP RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 8 RADIUS RADIUS PAP/CHAP USERNAME RADIUS RADIUS

Option 9 RADIUS RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 10 DHCP RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 11 DHCP RADIUS PAP/CHAP USERNAME RADIUS RADIUS

33 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


cf1:\pe2.ppp1.cfg pe1 N/A
7x50 Retail PPPoE implementation
Different PPPoE scenarios based on Authentication, IP, ESM

IP AUTH SUB / SLA SUB-ID

Option 1 LUDB LUDB CHAP LUDB LUDB

Option 2 LUDB LUDB PAP LUDB LUDB

Option 3 RADIUS RADIUS PADI MAC RADIUS RADIUS

Option 4 RADIUS RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 5 DHCP DHCP MAC/CIRCUIT_ID DHCP DHCP

Option 6 DHCP LUDB CHAP LUDB LUDB

Option 7 DHCP RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 8 RADIUS RADIUS PAP/CHAP RADIUS RADIUS


USERNAME
Option 9 RADIUS RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 10 DHCP RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 11 DHCP RADIUS PAP/CHAP RADIUS RADIUS


USERNAME

34 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via LUDB CHAP cf1:\pe2.ppp1.cfg pe1 N/A
IP from LUDB / ESM from LUDB
RADIUS AAA DHCP
Server Server
BSAN BSR
Broadband Service Broadband Service
Access Node Router
Aggregation
network IP/MPLS
(optional)

PADI, Session ID: 0x0000 pppoe enabled under group-interface with


PPPoE tag: option: 0x101, 0x103 pap-chap-user-db . No auth-policy . No dhcp.
Discovery stage

PADO, Session ID: 0x0000


PPPoE tag: option: 0x101,0x102, 0x103, 0x104
PADR, Session ID: 0x0000
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
PADS, Session ID: 0x0001
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
LCP Config Request, Session ID: 0x0001, ID=191 Always first
Options: 0x1 MRU, 0x3: Auth-Protocol: CHAP, 0x5 Magic nbr
LCP session negotiation

suggest CHAP
LCP Config Request, Session ID: 0x0001,ID=64
Session stage :

Options: 0x1 MRU, 0x5 Magic number: Y


LCP Config Ack, Session ID: 0x0001.Id=64
Options: 0x1 MRU, 0x5 Magic number: Y
LCP Config Ack, Session ID: 0x0001,ID=191
Options: 0x1 MRU, 0x3: Auth-Protocol: CHAP ,0x5 Magic nbr

35 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via LUDB CHAP cf1:\pe2.ppp1.cfg pe1 N/A
IP from LUDB / ESM from LUDB
RADIUS AAA DHCP
Server Server
BSAN BSR
Broadband Service Broadband Service
Access Node Router
Aggregation
network IP/MPLS
(optional)

CHAP Challenge , Session ID: 0x0001


CHAP authentication

Value IP address 192.168.42.1


:

CHAP Response , Session ID: 0x0001 sla-profile-string


Session stage

sub-profile-string
value , Name : user1@domain1 Local subscriber-id
user
db
dns-server
CHAP Success , Session ID: 0x0001 net-bios-name-server
message : CHAP auth. success

IPCP Configure-request, Session ID: 0x0001,ID-53 [3] IP


address: 192.168.42.254

IPCP Configure-request, Session ID: 0x0001,ID-65 , [3] IP


address: 0.0.0.0
IPCP Configure-Nack, Session ID: 0x0001, ID-65 [3] IP
address: 192.168.42.1
Session stage :

IPCP Configure-Ack, Session ID: 0x0001,ID-53 [3] IP


address: 192.168.42.254
IPCP

IPCP Configure-request, Session ID: 0x0001,ID-66 , [3] IP


address: 192.168.42.1
Install anti-spoofing
IPCP Configure-ack, Session ID: 0x0001, ID-66 [3] IP
and ESM QoS queues
address: 192.168.42.1

36 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via LUDB CHAP *A:pe2.lab# configure subscriber-mgmt
cf1:\pe2.ppp1.cfg
sub-ident-policy "sub_ident_all" create
pe1 N/A
IP from LUDB / ESM from LUDB sub-profile-map
use-direct-map-as-default
entry key “sub1" sub-profile “sub1"
exit
*A:pe2.lab# sla-profile-map
configure service ies 998 use-direct-map-as-default
subscriber-interface "to_A2_via_hairpin" creat exit
address 192.168.42.254/24 exit
group-interface “isam-1" create
sap 1/1/7 create
*A:pe2.lab#configure subscriber-mgmt pppoe-policy default
sub-sla-mgmt
description "Default PPPoE policy"
sub-ident-policy "sub_ident_all"
no disable-cookies
no shutdown
keepalive 30 hold-up-multiplier 3 [10s..300s] [1..5]
exit
no pado-delay [1s..3s]
exit
no ppp-mtu Custom-option
[512..9212]
pppoe
max-sessions-per-mac 1 protocol> [1..63]
: lcp|ipcp
pppoe-policy "default"
no reply-on-padt option-number: [0..255]
pap-chap-user-db “ludb-1“
ppp-options ip-address> : a.b.c.d
no shutdown
exit ascii-string>: 127 chars max
exit
hex-string> : 0x0..0xFFFFFF
exit
exit *A:pe2.lab# configure subscriber-mgmt
no shutdown local-user-db “ludb-1" create
pppoe none
match-list username domain-only
host "user1" create no-domain
host-identification
 New 6.0 : use-direct-map-as-default username "user1@domain1“ none
exit
 If LUDB is used under pppoe than the match- address 192.168.42.1
list needs to be username ( pap-chap ). password chap user1
identification-strings create
 Host-identification can be username domain- subscriber-id "user1"
sla-profile-string "sla1"
only or no-domain or none( default). sub-profile-string "sub1"
exit
 PADO-delay : see Topic Resilience options
dns-server 138.203.144.51
netbios-name-server 138.203.144.51
exit
37 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
debug commands

debug
Type of debug ( packets / events ) service
id 998
pppoe
 debug service id 998 pppoe packet packet
mode dropped-only
 By default dropped-only detail-level medium
discovery
 By default detail-level medium ppp
dhcp-client
exit
 By default all ppp packets exit
– discovery [padi] [pado] [padr] [pads] [padt] exit
exit
– ppp [lcp] [pap] [chap] [ipcp] exit
 By default also dhcp-client

Extra debug filters ( on top of packet debugging ) debug


service
 debug service id 998 pppoe mac 00:00:00:00:00:01 id 998
pppoe
sap 1/1/7
 debug service id 998 pppoe sap 1/1/7 exit
exit
exit
exit

38 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via LUDB CHAP cf1:\pe2.ppp1.cfg pe1 N/A
IP from LUDB / ESM from LUDB
PPPoE sessions for svc-id 998

 Setup user1 and Use debug to see control plane ppp. ========================================================
Sap Id Mac Address Sid Up Time IP Address
--------------------------------------------------------
1/1/7 00:00:00:00:00:01 1 2d 01:41:52 192.168.42.1
 See wire shark : control plane + ping included
LCP State : Opened
IPCP State : Opened
PPP MTU : 1000
PPP Auth-Protocol : CHAP
PPP User-Name : user1@domain1

Subscriber-interface : to_A2_via_hairpin
Group-interface : isam-1
Subscriber Origin : Local-User-Db
Subscriber Origin : Local-User-Db
Strings Origin
Strings Origin : Local-User-Db
: Local-User-Db
 Keepalives in debug ? IPCP Info Origin
IPCP Info Origin : Local-User-Db
: Local-User-Db

Subscriber : "user1"
 show service id 998 pppoe session session-id 1 statistics Sub-Profile-String
SLA-Profile-String
:
:
"sub1"
"sla1"
ANCP-String : ""
Int-Dest-Id : ""
App-Profile-String : ""
1 2008/02/29 14:06:01.42 UTC WARNING: SVCMGR #2500 Base Subscriber created
Primary DNS : 138.203.144.51
Secondary DNS : N/A
"Subscriber user1 has been created in the system" Primary NBNS : 138.203.144.51
Secondary NBNS : N/A

Circuit-Id :
Remote-Id :

Session-Timeout : N/A

39 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
useful CLI commands : non PPPoE specific
 show service subscriber-using : Gives you a quick list of all subscribers .

 show service active-subscribers

 Gives you a list of all subscribers with also the profiles used plus IP,MAC and type.
 Show service active-subscribers hierarchy

 show service id 998 subscriber-hosts [detail ]

 show filter anti-spoof

 Returns the SAP–IP–MAC combination


 show service active-subscribers subscriber user1 hierarchy

 show service active-subscribers subscriber user1 detail

 Shows also the subscriber queues


 show qos scheduler-hierarchy subscriber user1

 clear service statistics subscriber user1

 monitor service subscriber user1 sap 1/1/7 sla-profile sla1 egress-queue-id 1


40 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
useful CLI commands : PPPoE specific

 show service id 998


 pppoe summary : Returns only the number of PPPoE sessions.
 pppoe session : Returns sap-id , Mac , SID , UP-time , ip@ per session
 pppoe statistics : overall statistics
 pppoe session session-id 1 mac 00:00:00:00:00:01 detail :
 pppoe session session-id 1 mac 00:00:00:00:00:01 statistics :

 tools
 dump pppoe sap 1/1/7 session-id 1 : shows the complete pppoe stack

 clear service id 998


 pppoe statistics
 pppoe session sap-id 1/1/7 session-id 1 ( ip or mac ) : Bounce a pppoe session.

41 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
useful CLI commands : PPPoE local-user-database specific

 show subscriber-mgmt
 local-user-db : returns name of ludb’s and number of configured hosts.
 local-user-db ludb-1 pppoe-all-hosts : return the name of the hosts.
 local-user-db ludb-1 pppoe-host host1
 show subscriber-mgmt local-user-db ludb-1 pppoe-unmatched-hosts : shows the hosts that
are configured in the ludb but but not installed because of not “conform”. Example :
match-list username but host uses mac as key. Also duplicates are reported.

 tools
 perform subscriber-mgmt local-user-db ludb-1 pppoe host-lookup user-name user1@domain1 :
Check if user exists in ludb.

 HW-setup with 7500 LUDB users

 CPM Switch-over

42 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
PPPoE session creation failures examples

*A:pe2.lab# show log event-control pppoe


====================================================
Application
ID# Event Name P g/s Logged
----------------------------------------------------
2001 tmnxPppoeSessionFailure WA gen 472

 User not found


1 2008/02/29 14:46:36.34 UTC WARNING: PPPOE #2001 Base PPPoE session failure
"PPPoE session failure on SAP 1/1/7 in service 998 –
[00:00:00:00:00:01,1] User-db lookup failed for "user1@domain1": user not found"

 User found , password wrong.


1 2008/02/29 14:37:46.43 UTC WARNING: PPPOE #2001 Base PPPoE session failure
"PPPoE session failure on SAP 1/1/7 in service 998 –
[00:00:00:00:00:01,1] PPP problem: peer has failed to authenticate himself"

 Not enough sessions on group-interface


configure service ies 998
. . .
10 2008/02/29 17:03:07.66 UTC WARNING: PPPOE #2001 Base PPPoE group-interface
session failure "isam-1"
"PPPoE session failure on SAP 1/1/7 in service 998 – pppoe
Reached the interface session limit (1)" session-limit [1..20000]
exit
exit
43 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
PPPoE session creation failures examples

 Not enough sessions on SAP from group-interface


1 2008/02/29 17:15:06.18 UTC WARNING: PPPOE #2001 Base PPPoE session failure

"PPPoE session failure on SAP 1/1/7 in service 998 - Reached the per-SAP session limit (1)"

configure service ies 998


. . .
group-interface "isam-1"
pppoe
sap-session-limit [1..20000]
exit
exit
 multi-sub-sap limit reached

1 2008/02/29 17:50:17.33 UTC WARNING: PPPOE #2001 Base PPPoE session failure

"PPPoE session failure on SAP 1/1/7 in service 998 - Number of subscribers exceeds the configured multi-sub-sap limit (1)"

configure service ies 998


. . .
group-interface "isam-1"
sap 1/1/7
sub-sla-mgmt
multi-sub-sap [2..20000]
exit
exit

44 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
PPPoE session creation failures

 Max sessions reached for same mac address

1 2008/02/29 18:02:44.53 UTC WARNING: PPPOE #2001 Base PPPoE session failure

"PPPoE session failure on SAP 1/1/7 in service 998 - Reached the maximum number (1) of PPPoE sessions for MAC 00:00:00:00:00:02"

configure service ies 998 configure subscriber-mgmt pppoe-policy group-1


. . . max-sessions-per-mac [1.63]
group-interface "isam-1" exit
pppoe
pppoe-policy "group-1"
exit
exit

 Setup 64 sessions from same MAC 00:00:c0:01:01:02


– Maximum is 63 and trap received.

1 2008/0x/x 21:34:14.64 CEST WARNING: PPPOE #2001 Base PPPoE session failure

"PPPoE sessio failure SAP 1/1/9:998 in service 998 - Reached the maximum number (63) of PPPoE sessions for MAC 00:00:c0:01:01:02"

45 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Different PPPoE scenarios based on :
Authentication, IP, ESM cf1:\pe2.ppp1.cfg pe1 N/A

IP AUTH SUB / SLA SUB-ID

Option 1 LUDB LUDB CHAP LUDB LUDB

Option 2 LUDB LUDB PAP LUDB LUDB

Option 3 RADIUS RADIUS PADI MAC RADIUS RADIUS

Option 4 RADIUS RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 5 DHCP DHCP MAC/CIRCUIT_ID DHCP DHCP

Option 6 DHCP LUDB CHAP LUDB LUDB

Option 7 DHCP RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 8 RADIUS RADIUS PAP/CHAP RADIUS RADIUS


USERNAME
Option 9 RADIUS RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 10 DHCP RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 11 DHCP RADIUS PAP/CHAP RADIUS RADIUS


USERNAME

46 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via LUDB PAP cf1:\pe2.ppp1.cfg pe1 N/A
IP from LUDB / ESM from LUDB
RADIUS AAA DHCP
Server Server
BSAN BSR
Broadband Service Broadband Service
Access Node Router
Aggregation
network IP/MPLS
(optional)

PADI, Session ID: 0x0000 pppoe enabled under group-interface with


PPPoE tag: option: 0x101, 0x103 pap-chap-user-db . No auth-policy . No dhcp.
Discovery stage

PADO, Session ID: 0x0000


PPPoE tag: option: 0x101,0x102, 0x103, 0x104
PADR, Session ID: 0x0000
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
PADS, Session ID: 0x0001
PPPoE tag: option: 0x101,0x102, 0x103, 0x104

LCP Config Request, Session ID: 0x0001, ID=188 Always first


Options: 0x1 MRU, 0x3: Auth-Protocol: CHAP, 0x5 Magic nbr
suggest CHAP
LCP Config Request, Session ID: 0x0001,ID=231
Options: 0x1 MRU, 0x5 Magic number: Y
LCP session negotiation

LCP Config Ack, Session ID: 0x0001.Id=231


Session stage :

Options: 0x1 MRU, 0x5 Magic number: Y


LCP Config NAck, Session ID: 0x0001,ID=188
Options: [3] Auth-Protocol: PAP
LCP Config Request, Session ID: 0x0001, ID=189 Fall back to
Options: 0x1 MRU, 0x3: Auth-Protocol: PAP, 0x5 Magic nbr PAP
LCP Config ACK, Session ID: 0x0001, ID=189
Options: 0x1 MRU, 0x3: Auth-Protocol: PAP, 0x5 Magic nbr
47 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Authentication via LUDB PAP cf1:\pe2.ppp1.cfg pe1 N/A
IP from LUDB / ESM from LUDB
RADIUS AAA DHCP
Server Server
BSAN BSR
Broadband Service Broadband Service
Access Node Router
Aggregation
network IP/MPLS
(optional)
PAP authentication

PAP auth-request , Session ID: 0x0001,id-232


:

Peer-id user14@domain1
Session stage

PAP in LUDB
PAP auth ack , Session ID: 0x0001,id 232 Local
Message : login ok user IP address 192.168.42.14
db sla-profile-string
sub-profile-string
subscriber-id
IPCP Configure-request, Session ID: 0x0001,ID-183 [3] IP dns-server
address: 192.168.42.254 net-bios-name-server

IPCP Configure-request, Session ID: 0x0001,ID-233 , [3] IP


address: 0.0.0.0
IPCP Configure-Nack, Session ID: 0x0001, ID-233 [3] IP
address: 192.168.42.14
Session stage :

IPCP Configure-Ack, Session ID: 0x0001,ID-183 [3] IP


address: 192.168.42.254
IPCP

IPCP Configure-request, Session ID: 0x0001,ID-234 , [3] IP


address: 192.168.42.14
Install anti-spoofing
IPCP Configure-ack, Session ID: 0x0001, ID-234 [3] IP
and ESM QoS queues
address: 192.168.42.14

48 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via LUDB PAP *A:pe2.lab# *A:pe2.lab# configure subscriber-mgmt
cf1:\pe2.ppp1.cfg pe1 N/A
sub-ident-policy "sub_ident_all" create

IP from LUDB / ESM from LUDB sub-profile-map


use-direct-map-as-default
entry key “sub1" sub-profile “sub1"
exit
*A:pe2.lab# *A:pe2.lab# sla-profile-map
configure service ies 998 use-direct-map-as-default
subscriber-interface "to_A2_via_hairpin" create exit
address 192.168.42.254/24 exit
group-interface “isam-1" create
sap 1/1/7 create
*A:pe2.lab#configure subscriber-mgmt pppoe-policy default
sub-sla-mgmt
description "Default PPPoE policy"
sub-ident-policy "sub_ident_all"
no disable-cookies
no shutdown
keepalive 30 hold-up-multiplier 3
exit
no pado-delay
exit
no ppp-mtu
pppoe
max-sessions-per-mac 1
pppoe-policy "default"
no reply-on-padt
pap-chap-user-db “ludb-1“
ppp-options [custom-options]
no shutdown
exit
exit
exit
exit *A:pe2.lab# configure subscriber-mgmt
no shutdown local-user-db “ludb-1" create
pppoe
match-list username
host "user14" create
 Client has only PAP host-identification
username "user14@domain1"
 We use pppoe-policy “default” with ppp- exit
address 192.168.42.14
authentication default pref-chap. (We password pap user14
identification-strings 2 create
suggest CHAP but fallback to PAP). *** subscriber-id "user14"
sla-profile-string "sla1"
 LUDB has PAP as well. sub-profile-string "sub1"
exit
 AUTH ok options
dns-server 138.203.144.51
netbios-name-server 138.203.144.51
exit
49 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Authentication via LUDB PAP cf1:\pe2.ppp1.cfg pe1 N/A
IP from LUDB / ESM from LUDB
PPPoE sessions for svc-id 998

 Use debug to see control plane ppp. ========================================================


Sap Id Mac Address Sid Up Time IP Address
--------------------------------------------------------
1/1/7 00:00:00:00:00:0e 1 0d 01:41:52 192.168.42.14

LCP State : Opened


IPCP State : Opened
PPP MTU : 1000
PPP Auth-Protocol : PAP
PPP User-Name : user14@domain1

Subscriber-interface : to_A2_via_hairpin
Group-interface : isam-1
Subscriber Origin : Local-User-Db
Subscriber Origin : Local-User-Db
Strings Origin
Strings Origin : Local-User-Db
: Local-User-Db
IPCP Info Origin
IPCP Info Origin : Local-User-Db
: Local-User-Db

Subscriber : "user14"
Sub-Profile-String : "sub1"
SLA-Profile-String : "sla1"
ANCP-String : ""
Int-Dest-Id : ""
App-Profile-String : ""

Primary DNS : 138.203.144.51

 You could change LUDB to CHAP for this Secondary DNS


Primary NBNS
:
:
N/A
138.203.144.51
Secondary NBNS : N/A
user so see the behaviour. See next Circuit-Id :
Remote-Id :

Session-Timeout : N/A

50 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
PPPoE session creation failures

 Client has PAP and LUDB requires CHAP


 During LCP we suggest CHAP but fall back to PAP
 Failure on moment of PAP auth-request from client.

11 2008/03/10 17:04:40.91 UTC WARNING: PPPOE #2001 Base PPPoE session failure

"PPPoE session failure on SAP 1/1/7 in service 998 - [00:00:00:00:00:0e,1] User "user14@domain1" requires CHAP password"
PAP authentication

PAP auth-request , Session ID: 0x0001,id-232


:

Peer-id user14@domain1
Session stage

CHAP in LUDB
PAP auth Nack , Session ID: 0x0001,id 232 Local
Message : login incorrect user IP address 192.168.42.14
db sla-profile-string
sub-profile-string
subscriber-id
PADT dns-server
net-bios-name-server

51 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Different PPPoE scenarios based on :
Authentication, IP, ESM cf1:\pe2.ppp2.cfg pe1 N/A

IP AUTH SUB / SLA SUB-ID

Option 1 LUDB LUDB CHAP LUDB LUDB

Option 2 LUDB LUDB PAP LUDB LUDB

Option 3 RADIUS RADIUS PADI MAC RADIUS RADIUS

Option 4 RADIUS RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 5 DHCP DHCP MAC/CIRCUIT_ID DHCP DHCP

Option 6 DHCP LUDB CHAP LUDB LUDB

Option 7 DHCP RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 8 RADIUS RADIUS PAP/CHAP RADIUS RADIUS


USERNAME
Option 9 RADIUS RADIUS PAP/CHAP CIRCUIT- RADIUS RADIUS
ID
Option 10 DHCP RADIUS PAP/CHAP CIRCUIT- RADIUS RADIUS
ID
Option 11 DHCP RADIUS PAP/CHAP RADIUS RADIUS
USERNAME

52 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via Radius PADI with user-name-format MAC cf1:\pe2.ppp2.cfg

IP from Radius with Framed-IP / ESM from Radius


RADIUS AAA DHCP
Server Server
BSAN BSR
Broadband Service Broadband Service
Access Node Router
Aggregation
network IP/MPLS
(optional)

PADI, S-MAC 00:00:00:00:00:04,Session ID: 0x0000


,PPPoE tag: option: 0x101, 0x103 Access Request
user-name [1] 00:00:00:00:00:04
Discovery stage

MAC
Access accept User4
PADO, Session ID: 0x0000
ESM , Framed-IP ,.. Sla1
PPPoE tag: option: 0x101,0x102, 0x103, 0x104 Sub1
PADR, Session ID: 0x0000 Framed IP
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
PADS, Session ID: 0x0001
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
Don’t suggest
LCP Config Request, Session ID: 0x0001, ID=105
Options: 0x1 MRU, 0x5 Magic nbr PAP/CHAP anymore
LCP session negotiation

LCP Config Request, Session ID: 0x0001,ID=194


Session stage :

Options: 0x1 MRU, 0x5 Magic number: Y


LCP Config Ack, Session ID: 0x0001.Id=194
Options: 0x1 MRU, 0x5 Magic number: Y
LCP Config ACK, Session ID: 0x0001, ID=189
Options: 0x1 MRU, 0x5 Magic nbr

53 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via Radius PADI with user-name-format MAC cf1:\pe2.ppp2.cfg

IP from Radius with Framed-IP / ESM from Radius


RADIUS AAA DHCP
Server Server
BSAN BSR
Broadband Service Broadband Service
Access Node Router
Aggregation
network IP/MPLS
(optional)

IPCP Configure-request, Session ID: 0x0001,ID-211 [3] IP


address: 192.168.42.254

IPCP Configure-request, Session ID: 0x0001,ID-195 , [3] IP


address: 0.0.0.0
IPCP Configure-Nack, Session ID: 0x0001, ID-195 [3] IP
address: 192.168.42.4
Session stage :

IPCP Configure-Ack, Session ID: 0x0001,ID-211 [3] IP


address: 192.168.42.254
IPCP

IPCP Configure-request, Session ID: 0x0001,ID-196 , [3] IP


address: 192.168.42.14
Install anti-spoofing
IPCP Configure-ack, Session ID: 0x0001, ID-196 [3] IP
and ESM QoS queues
address: 192.168.42.14

54 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
RADIUS Extensions for ESM - Authentication Extensions

.../raddb/clients.conf
How are the different ESM objects communicated by RADIUS server ?
client 172.16.0.21 {
secret = WhoIsThere
 Standard RADIUS attributes shortname = A1
nastype = other
}
 framed-ip-address [8], framed-ip-netmask [9], NAS-identifier [32], NAS-port [87] client 172.16.0.22 {
secret = WhoIsThere
shortname = A2
 Vendor specific attributes (VSAs) nastype = other
}
client 172.16.0.11 {
 Alcatel IPD – using Timetra vendor-id [6527] – see IPD RADIUS dictionary secret = WhoIsThere
shortname = PE1
 JUNIPER & REDBACK attributes – relevant VSAs to ease migration nastype = other
}
client 172.16.0.12 {
secret = WhoIsThere
/var/local/etc/raddb/dictionary shortname = PE2
nastype = other
$INCLUDE /usr/local/etc/raddb/Alcatel-Lucent_IPD_dictionary }
$INCLUDE /usr/local/etc/raddb/DSL-forum_dictionary

/var/local/etc/raddb/users

"ISAM1 eth 1/11" Auth-Type := Local, User-Password == "LetMeIn"


Alc-Subsc-ID-Str = "subscriber_1",
Alc-Subsc-Prof-Str = "Basic_3P_9M",
Alc-SLA-Prof-Str = "Basic_9M",
. . . . . . .

55 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
RADIUS Extensions for ESM - Authentication Extensions for PPPoE

 Mandatory in RADIUS ACCESS REQUEST


 User-Name, attribute 1 CLI-knob

– MAC
– Circuit-id
– Tuple ( concatenation of MAC & Circuit-id )
– Ascii-converted-circuit-id
– Ascii-converted-tuple
 User-Password, attribute 2
 NAS IP address , attribute 4
– Will be system-id of node.
 Service-Type, attribute 6
– Needs to be “Framed” if returned by Radius
 Framed-Protocol, attribute 7
– Needs to be “PPP” if returned by Radius

56 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
RADIUS Extensions for ESM - Authentication Extensions for PPPoE

 Optional in RADIUS ACCESS REQUEST CLI-knob

 Access-loop-options , DSL-forum VSA


– Actual data rate Upstream (129)
– Actual data rate Downstream (130)
– Minimum data rate Upstream (131)
– Minimum data rate Downstream (132)
– ....
– Access loop encapsulation (144)
30 PPPoA - PPP over ATM
 Circuit-id , DSL-forum VSA (2) 31 PPPoEoA - PPP over Ethernet over ATM
32 PPPoEoE - PPP over Ethernet over Ethernet
 Remote-id , DSL-forum VSA (1) 33 PPPoEoVLAN - PPP over Ethernet over VLAN
34 PPPoEoQinQ - PPP over Ethernet over 802.1QinQ
 MAC-address ,Alcatel-Lucent VSA (27)
 PPPoE-service-name , Alcatel-Lucent VSA (35)
 NAS-identifier , attribute 32
 NAS-port-id
– nas-port-id , attribute 87 (Extended nas-port-id format …next slide )
– nas-port-type , attribute 61

57 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
Extend nas-port-id format

 NAS-Port-Id (87) — this attribute can optionally be prefixed by a fixed string


and/or suffixed by the circuit-ID or remote-ID given in the PPPoE requests

 Many Legacy networks : RADIUS directories built using pre-defined nas-port-id.


 For easier migration, more flexibility in building nas-port-id is required andt
his need is addressed by extending command defining nas-port-id with
configurable string as a prefix and a suffix option to append circuit-id or
remote-id. ( example remote-id used here).

NAS IP ADDRESS [4] 4 172.30.1.33


USER NAME [1] 14 user222@idm.lb configure subscriber-mgmt authentication-policy knock-knock
SERVICE TYPE [6] 4 Framed(2) include-radius-attribute
FRAMED PROTOCOL [7] 4 PPP(1) nas-port-id prefix-string “My_String" suffix remote-id
FRAMED IP ADDRESS [8] 4 10.165.0.9
FRAMED IP NETMASK [9] 4 255.255.255.255
NAS IDENTIFIER [32] 4 PE33
SESSION ID [44] 40 000000020220800000DE00C80000000148C57258
SESSION TIMEOUT [46] 4 4686
TERMINATE CAUSE [49] 4 User Request(1)
EVENT TIMESTAMP [55] 4 1220904102
NAS PORT TYPE [61] 4 PPPoEoQinQ(34)
NAS PORT ID [87] 28 My_String 1/1/1:200.222 user222

58 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
Support of “Framed-pool” attribute from radius

 RADIUS RFC defines attribute [88] - framed-pool which is a string carrying the
ip-pool name. This provides extra flexibility in mapping different subscribers
into pools.

 Possibility to get the dhcp-pool name (pool-name) back from RADIUS in


addition to LUDB that is supported since 6.0.

 This pool is then used by the DHCP server to select the IP address pool

 Supported in 7.0 fro both PPPoE and IPoE clients.

59 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
Framed-Pool Attribute

 Radius users file Radius message to 77x0


user1@domain1" Cleartext-Password := MyPsw "RADIUS: Receive
Alc-Subsc-ID-Str == “subscriber_1” Access-Accept(2) id 163 VSA [26] 6
Alc-SLA-Prof-Str == “sub1", Alcatel(6527)
Alc-SLA-Prof-Str == “sla1", …
Framed-Pool == “MyPool-2" FRAMED POOL [88] 9 MyPool-2

configure service vprn 300


dhcp
local-dhcp-server “MyServer" create
use-gi-address
use-pool-from-client

pool “MyPool-2" create
subnet 10.164.0.0/16 create
address-range 10.164.0.2 10.164.63.254
exit
exit

 use-pool-from-client overrides use-gi-address


 Pool-name can be returned from LUDB as well

60 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
Framed-Pool Attribute

 Failure Case
 framed-pool name returned from Radius is not existing on 77x0.
 IPCP session will not be opened.

1931 2008/09/24 01:13:53.04 UTC WARNING: DHCPS #2003 vprn300 Unknown pool
"DHCP server DHCP-SERVER1 detects an unknown pool (ACH4-512).
Pool extracted from dhcp-message is unknown in the server."

61 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
RADIUS Extensions for ESM - Authentication Extensions for PPPoE
 Accepted attributes in RADIUS ACCESS ACCEPT
 Framed-IP-Address, attribute 8
 Session-Timeout, attribute 27
 PADO-delay, Alcatel-Lucent VSA 34
 Primary DNS, Alcatel-Lucent VSA 9
 Secondary DNS, Alcatel-Lucent VSA 10
 Primary NBNS, Alcatel-Lucent VSA 29
 Secondary NBNS, Alcatel-Lucent VSA 30
 Subscriber ID string, Alcatel-Lucent VSA 11
 Subscriber profile string, Alcatel-Lucent VSA 12
 SLA profile string, Alcatel-Lucent VSA 13
 ANCP string, Alcatel-Lucent VSA 16
 Intermediate Destination ID, Alcatel-Lucent VSA 28
 Application-profile string, Alcatel-Lucent VSA 45
 Service-Type, attribute 6 : ( Needs to be “Framed” if returned by Radius )
 Framed-Protocol, attribute 7 : ( Needs to be “PPP” if returned by Radius )
 PPPoE-Service-Name, Alcatel-Lucent VSA 35
 Framed-Pool, attribute 88
 Class, attribute 25

62 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via Radius PADI with user-name-format MAC cf1:\pe2.ppp2.cfg
IP from Radius with Framed-IP / ESM from Radius

*A:pe2.lab# *A:pe2.lab# authentication-policy "knock-knock" create


configure service ies 998 description "RADIUS policy"
subscriber-interface "to_A2_via_hairpin" create password "LetMeIn"
address 192.168.42.254/24 radius-authentication-server
group-interface “isam-1" create router "Base"
authentication-policy "knock-knock" server 1 address 10.2.79.79 secret WhoIsThere
sap 1/1/7 create exit
sub-sla-mgmt user-name-format mac
sub-ident-policy "sub_ident_all“ no re-authentication
multi-sub-sap 100 pppoe-access-method padi
no shutdown no accept-authorization-change
exit include-radius-attribute
exit no circuit-id
no remote-id Not applicable for PPPoE
pppoe
pppoe-policy “group-2” nas-port-id
session-limit 100 no nas-identifier
sap-session-limit 100 no pppoe-service-name
no shutdown no dhcp-vendor-class-id
exit no access-loop-options
exit no mac-address
exit exit
no shutdown exit

 PPPoE vendor-specific tags not required on *A:pe2.lab#configure subscriber-mgmt


pppoe-policy "group-2" create
DSLAM.( because MAC is used in auth ) ppp-mtu 1100
 Authentication policy overrules ludb for max-sessions-per-mac 10
exit
authentication
 If you write pppoe-access-method none ->
than back ludb ..
 Message -> configure only the needed …

63 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via Radius PADI with user-name-format MAC
IP from Radius with Framed-IP / ESM from Radius cf1:\pe2.ppp2.cfg

 Setup user4 with mac 00:00:00:00:00:04


*A:pe2.lab# show service id 998 pppoe session detail
====================================================
 Radius users file : 00:00:00:00:00:04 Auth-Type := local,
PPPoE
Alc-Subsc-ID-Str
User-Password
sessions for svc-id 998 == "LetMeIn"
= "user4",
====================================================
Alc-SLA-Prof-Str = "sla1",
Sap Id Mac Address Sid Up Time IP Address
----------------------------------------------------
Alc-Subsc-Prof-Str = "sub1",
1/1/7 00:00:00:00:00:04 1 0d 00:01:46 192.168.42.4
Alc-Primary-Dns = 138.203.68.208,
LCP State : Opened
Alc-Secondary-Dns
IPCP State= 138.203.68.209,
: Opened
Framed-IP-Adress
PPP MTU = 192.168.42.4,
: 1100
PPP Auth-Protocol
Framed-IP_Netmask : None
= 255.255.255.0,***
Session-Timeout = 200
Subscriber-interface : to_A2_via_hairpin
Group-interface : isam-1
Subscriber Origin : Radius
Subscriber
Strings Origin
Origin : Radius
:Radius
 Use debug to see control plane ppp. Strings Origin
IPCP
IPCPInfo
:
Origin :
Info Origin
Radius
:
RadiusRadius
Subscriber : "user4"
 See wireshark : control plane + ping included Sub-Profile-String : "sub1"
SLA-Profile-String : "sla1"
ANCP-String : ""
 Session-timeout in radius set to 200 seconds Int-Dest-Id
App-Profile-String
:
:
""
""

 Send PPP-PADT to client after timeout on which client starts again:: 138.203.68.208
Primary DNS
Secondary DNS
with PADI.
138.203.68.209
Primary NBNS : N/A

 Radius returns the DNS together with the IP-address. This DNS info will be Secondary NBNS : N/A

Circuit-Id :
returned to the PPPoE client if he asks this in hisRemote-Id
ipcp request: option 129
address 0.0.0.0. If the client did not ask this than we don’t send
Session-Timeout
it.(notes)
: 0d 00:05:00

64 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Different PPPoE scenarios based on :
Authentication, IP, ESM cf1:\pe2.ppp2.cfg pe1 N/A

IP AUTH SUB / SLA SUB-ID

Option 1 LUDB LUDB CHAP LUDB LUDB

Option 2 LUDB LUDB PAP LUDB LUDB

Option 3 RADIUS RADIUS PADI MAC RADIUS RADIUS

Option 4 RADIUS RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 5 DHCP DHCP MAC/CIRCUIT_ID DHCP DHCP

Option 6 DHCP LUDB CHAP LUDB LUDB

Option 7 DHCP RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 8 RADIUS RADIUS PAP/CHAP RADIUS RADIUS


USERNAME
Option 9 RADIUS RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 10 DHCP RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 11 DHCP RADIUS PAP/CHAP RADIUS RADIUS


USERNAME

65 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via Radius PADI with user-name-format circuit-id
IP from Radius with Framed-IP / ESM from Radius cf1:\pe2.ppp2.cfg

*A:pe2.lab# *A:pe2.lab# authentication-policy "knock-knock" create


configure service ies 998 description "RADIUS policy"
subscriber-interface "to_A2_via_hairpin" create password "LetMeIn"
address 192.168.42.254/24 radius-authentication-server
group-interface “isam-1" create router "Base"
authentication-policy "knock-knock" server 1 address 10.2.79.79 secret WhoIsThere
sap 1/1/7 create exit
sub-sla-mgmt user-name-format circuit-id
sub-ident-policy "sub_ident_all“ no re-authentication
multi-sub-sap 100 pppoe-access-method padi
no shutdown no accept-authorization-change
exit include-radius-attribute
exit no circuit-id
pppoe no remote-id
pppoe-policy “group-2” nas-port-id
session-limit 100 no nas-identifier
sap-session-limit 100 no pppoe-service-name
no shutdown no dhcp-vendor-class-id
exit no access-loop-options
exit no mac-address
exit exit
no shutdown exit

*A:pe2.lab#configure subscriber-mgmt
 Use same config as before but change mac pppoe-policy "group-2" create
ppp-mtu 1100
to circuit-id in auth policy. max-sessions-per-mac 10
exit
 PPPoE vendor-specific tags is required on
DSLAM / PPPoE intermediate Agent.

66 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via Radius PADI with user-name-format circuit-id
IP from Radius with Framed-IP / ESM from Radius cf1:\pe2.ppp2.cfg

 Setup user5 with mac 00:00:00:00:00:05


*A:pe2.lab# show service id 998 pppoe session detail

 Radius users file : “TRE26 atm 1/1/01/22:8.35” ====================================================


Auth-Type := local, User-Password == "LetMeIn"
PPPoE sessions for svc-id 998
Alc-Subsc-ID-Str = "user5",
====================================================
Sap Id Mac Address Sid Up Time IP Address
Alc-SLA-Prof-Str = "sla1",
----------------------------------------------------
1/1/7 00:00:00:00:00:05
Alc-Subsc-Prof-Str = "sub1", 1 0d 00:01:46 192.168.42.5

Framed-IP-Adress
LCP State= 192.168.42.5,
: Opened
IPCP State : Opened
Framed-IP_Netmask
PPP MTU = 255.255.255.0
: 1100
PPP Auth-Protocol : None

 Use debug to see control plane ppp. Subscriber-interface : to_A2_via_hairpin


Group-interface : isam-1
Subscriber Origin : Radius
 No session-timeout used Subscriber Origin
Strings Origin :
Strings Origin
: Radius
Radius: Radius
IPCP
IPCPInfo Origin :
Info Origin Radius: Radius
Subscriber : "user5"
Sub-Profile-String : "sub1"
SLA-Profile-String : "sla1"
ANCP-String : ""
Int-Dest-Id : ""
App-Profile-String : ""

Primary DNS : N/A


Secondary DNS : N/A
Primary NBNS : N/A
Secondary NBNS : N/A

Circuit-Id : TRE26 atm 1/1/01/22:8.35


circuit-id ( inserted by Intermediate Agent ) Remote-Id : "03-2404011"
Session-Timeout : N/A

67 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
useful CLI commands : Radius Specific

 show subscriber-mgmt authentication


 Returns all authentication policies
 show subscriber-mgmt authentication knock-knock
 Shows all details of this policy and state of server.
 show subscriber-mgmt authentication knock-knock statistics

 tools perform security authentication-server-check server-address 10.2.79.79


user-name "TRE26 atm 1/1/01/22:8.35" password "LetMeIn" secret
"WhoIsThere“
 Simulates the authentication of a user.
– Remark : Is not updating the operational state from unknown to up.

68 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Different PPPoE scenarios based on :
Authentication, IP, ESM cf1:\pe2.ppp3.cfg pe1 N/A

IP AUTH SUB / SLA SUB-ID

Option 1 LUDB LUDB CHAP LUDB LUDB

Option 2 LUDB LUDB PAP LUDB LUDB

Option 3 RADIUS RADIUS PADI MAC RADIUS RADIUS

Option 4 RADIUS RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 5 DHCP DHCP MAC/CIRCUIT_ID DHCP DHCP

Option 6 DHCP LUDB CHAP LUDB LUDB

Option 7 DHCP RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 8 RADIUS RADIUS PAP/CHAP USERNAME RADIUS RADIUS

Option 9 RADIUS RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 10 DHCP RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 11 DHCP RADIUS PAP/CHAP USERNAME RADIUS RADIUS

69 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via local DHCP-server based on mac & circuit-id
A:pe2.lab#configure router dhcp
local-dhcp-server "server-1" create
user-db "ludb-3"
IP from local DHCP-server / ESM via DHCP frompool LUDB
"pool-1" create cf1:\pe2.ppp3.cfg
subnet 192.168.42.0/24 create
address-range 192.168.42.20 192.168.42.30
*A:pe2.lab# *A:pe2.lab# exit
configure service ies 998 exit
subscriber-interface "to_A2_via_hairpin" create no shutdown
A:pe2.lab#configure router
address 192.168.42.254/24 exit interface "system"
dhcp address 172.16.0.12/32
gi-address 192.168.42.254 local-dhcp-server "server-1"
exit exit
group-interface “isam-1" create exit
dhcp
server 172.16.0.12 *A:pe2.lab#configure subscriber-mgmt local-user-db ludb-3
client-applications pppoe pppoe
no shutdown match-list mac circuit-id
exit host "user9" create
sap 1/1/7 create host-identification
sub-sla-mgmt circuit-id string "TRE26 atm 1/1/01/25:8.35"
sub-ident-policy "sub_ident_all“ mac 00:00:00:00:00:09
multi-sub-sap 100 exit Free Option 254 used
no shutdown address pool "pool-1" in DHCP OFFER to
exit identification-strings 254 return ESM info
exit subscriber-id "user9"
pppoe sla-profile-string "sla1"
pppoe-policy “group-2” sub-profile-string "sub1"
session-limit 100 exit
sap-session-limit 100 no shutdown
no shutdown exit
exit exit
exit *A:pe2.lab# *A:pe2.lab# configure subscriber-mgmt
exit sub-ident-policy "sub_ident_all" create
no shutdown sub-profile-map
use-direct-map-as-default
 No Authentication policy.No ludb under pppoe. exit
sla-profile-map
 Suggest to use free option 254 for identification- use-direct-map-as-default
exit
strings but any free option is ok. *** strings-from-option 254
exit
70 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Authentication via local DHCP-server based on mac & circuit-id
IP from local DHCP-server / ESM via DHCP from LUDB
RADIUS AAA DHCP
Server Server
BSAN BSR
Broadband Service Broadband Service
Access Node Router
Aggregation
network IP/MPLS
(optional)

PADI, Session ID: 0x0000 pppoe under gr-itf enabled without ludb
PPPoE tag: option: 0x101, 0x103, 0x105 circuit-id No auth-policy . Dhcp server enabled
Discovery stage

PADO, Session ID: 0x0000


PPPoE tag: option: 0x101,0x102, 0x103, 0x104
PADR, Session ID: 0x0000
PPPoE tag: option: 0x101,0x102, 0x103, 0x104,0x105
PADS, Session ID: 0x0001
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
LCP Config Request, Session ID: 0x0001, ID=191 Don’t suggest
Options: 0x1 MRU, 0x5 Magic nbr
LCP session negotiation

PAP/ CHAP
LCP Config Request, Session ID: 0x0001,ID=64
Session stage :

Options: 0x1 MRU, 0x5 Magic number: Y


LCP Config Ack, Session ID: 0x0001.Id=64
Options: 0x1 MRU, 0x5 Magic number: Y
LCP Config Ack, Session ID: 0x0001,ID=191
Options: 0x1 MRU, 0x3: Auth-Protocol: CHAP ,0x5 Magic nbr

71 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via local DHCP-server based on mac & circuit-id
IP from local DHCP-server / ESM via DHCP from LUDB
RADIUS AAA DHCP
Server Server
BSAN BSR
Broadband Service Broadband Service
Access Node Router
Aggregation
network IP/MPLS
(optional)

IPCP Configure-request, Session ID: 0x0001,ID-159 [3] IP DHCP discover : MAC option 82 circuit-id remote-id
address: 192.168.42.254
DHCP Offer : mac,option 82 circuit-id remote-id
Option 254 contains user9,sla1 sub1
DHCP
Local
DHCP Request : option 82 circuit-id remote-id DHCP
client
Server
DHCP ACK : option 82 circuit-id remote-id
IPCP Configure-request, Session ID: 0x0001,ID-77 , [3] IP
Option 254 contains user9,sla1 sub1
address: 0.0.0.0
IPCP Configure-Nack, Session ID: 0x0001, ID-77 [3] IP
address: 192.168.42.23
Session stage :

IPCP Configure-Ack, Session ID: 0x0001,ID-159 [3] IP


address: 192.168.42.254
IPCP

Mac 00:00:00:00:00:09
IPCP Configure-request, Session ID: 0x0001,ID-78 , [3] IP circuit-id : TRE26 atm 1/1/01/25:8.35
address: 192.168.42.23  User9 Local
user
IPCP Configure-ack, Session ID: 0x0001, ID-78 [3] IP  Sub1 db
address: 192.168.42.23  sla1
 Address pool-1

72 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
Extra debug commands from DHCP server
debug
service
Type of debug ( packets / events ) id 998
pppoe
 debug service id 998 pppoe packet packet
mode dropped-only
detail-level medium
... discovery
ppp
 By default also DHCP-client dhcp-client
exit
exit
exit
exit
exit

 But DHCP-server can also be traced


 debug router local-dhcp-server server-1 mode egr-ingr-and-dropped
– Extra trace filter on lease-address or mac possible.
debug
router "Base"
local-dhcp-server server-1
detail-level medium
mode egr-ingr-and-dropped
exit
exit
exit

73 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via local DHCP-server based on mac & circuit-id
IP from local DHCP-server / ESM via DHCP from LUDB cf1:\pe2.ppp3.cfg
=========================================================

 Setup user9 with mac 00:00:00:00:00:09


PPPoE sessions for svc-id 998
=========================================================
Sap Id Mac Address Sid Up Time IP Address
---------------------------------------------------------

 No Radius users file : 1/1/7 00:00:00:00:00:09 1 0d 00:02:06 192.168.42.24

LCP State : Opened


IPCP State : Opened
 Ludb-3 PPP MTU
PPP Auth-Protocol
:
:
1100
None

Subscriber-interface : to_A2_via_hairpin
 circuit-id & mac for auth Group-interface : isam-1
Subscriber Origin : DHCP
– Impossible to use pap/chap usernameStrings
for auth.
Subscriber Origin
Origin
Strings Origin
: DHCP
: DHCP
: DHCP
IPCP
IPCP Info Origin: DHCP
Info Origin : DHCP
Subscriber : "user9"
Sub-Profile-String : "sub1"
 Use debug to see control plane ppp. SLA-Profile-String
ANCP-String
:
:
"sla1"
""
Int-Dest-Id : ""
App-Profile-String : ""

Primary DNS : N/A


Secondary DNS : N/A
Primary NBNS : N/A
Secondary NBNS : N/A

Circuit-Id : TRE26 atm 1/1/01/25:8.35


Remote-Id : 03-2404015

Session-Timeout : N/A
-----------------------------------------------
Number of sessions : 1
circuit-id ( inserted by Intermediate Agent ) ==============================================
*A:pe2.lab#

74 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
PPPoE session creation failures
configure service ies 998
. . .
 PPPoE is not client from DHCP group-interface "isam-1"
dhcp
client-applications pppoe
1 2008/03/07 07:49:08.92 UTC WARNING: PPPOE #2001 Base PPPoE session failure no client-applications
exit
"PPPoE session failure on SAP 1/1/7 in service 998 – exit

[00:00:00:00:00:09,1] Cannot start DHCP client: PPPoE is not configured as DHCP relay client-application on group-interface"

– In the PPPoE -> client DHCP-discover we set always the client type
– clntType 1 = pppoE
DHCP client: Tx packet :
DHCP discover to server 172.16.0.12

 Local DHCP server uses the ciaddr: 0.0.0.0 yiaddr: 0.0.0.0


siaddr: 0.0.0.0 giaddr: 192.168.42.254
client type as selection into the LUDB. chaddr: 00:00:00:00:00:09 xid: 0x5fccdd60

DHCP options:
[82] Relay agent information: len = 48
configure subscriber-mgmt local-user-db ludb-3 [1] Circuit-id: TRE26 atm 1/1/01/25:8.35
dhcp [2] Remote-id: 03-2404015
no match-list [9] Vendor-Specific info: len = 8
no circuit-id-mask Enterprise [6527] : len = 3
exit [6] clntType: 1
pppoe [51] Lease time: 3600
no match-list [53] Message type: Discover
no circuit-id-mask [60] Class id: ALU7XXXSBM
exit [255] End

75 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
useful CLI commands : local DHCP server specific

 show router dhcp servers


 Returns all local DHCP server-names with state and also total Active Leases.
 show router dhcp local-dhcp-server server-1 summary

 show router dhcp local-dhcp-server server-1 leases

 show router dhcp local-dhcp-server server-1 leases 192.168.42.22 detail

 tools dump persistence summary :


 returns persistent entries in use.
 tools dump persistence dhcp-server record 0x00000002 :
 returns the complete persistent record.
 tools perform subscriber-mgmt local-user-db ludb-3 pppoe host-lookup mac
00:00:00:00:00:09 circuit-id "TRE26 atm 1/1/01/25:8.35"

76 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
PPPoE session creation failures

 DHCP server down during active pppoe session


– Local DHCP client will notice on next renewal that server is down.
– Send PPPoE PADT to user9

2 2008/03/07 10:31:36.11 UTC WARNING: PPPOE #2001 Base PPPoE session failure

"PPPoE session failure on SAP 1/1/7 in service 998 –

[00:00:00:00:00:09,1] Lost session with DHCP server"

3 2008/03/07 11:37:49.21 UTC WARNING: SVCMGR #2501 Base Subscriber deleted

"Subscriber user9 has been removed from the system"

77 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


7x50 Retail PPPoE implementation
DHCP-server : minimum number of leases reached
 Pool-1 has range 192.168.42.20 – 192.168.42.30 ( 11 possible leases )
 Trap generated when configured min-free leases reached.

*A:pe2.lab>

show router dhcp local-dhcp-server server-1 free-addresses pool pool-1


===============
local-dhcp-server "server-1" create
Free addresses
user-db "ludb-3"
===============
pool "pool-1" create
IP Address
min-lease-time hrs 3
--------------
options
192.168.42.20
lease-time min 10
192.168.42.21
lease-renew-time min 5
192.168.42.23
lease-rebind-time min 7
192.168.42.24
exit
192.168.42.26
subnet 192.168.42.0/24 create
192.168.42.27
minimum-free 10
192.168.42.28
address-range 192.168.42.20 192.168.42.30
192.168.42.29
exit
192.168.42.30
exit
----------------
no shutdown
No. of free addresses: 9
exit

2 2008/03/07 14:55:48.49 UTC WARNING: DHCPS #2001 Base subnet minimum reached

"The number of free addresses (9) has fallen below the desired minimum (10) in subnet 192.168.42.0/24"

78 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Different PPPoE scenarios based on :
Authentication, IP, ESM cf1:\pe2.ppp1.cfg pe1 N/A

IP AUTH SUB / SLA SUB-ID

Option 1 LUDB LUDB CHAP LUDB LUDB

Option 2 LUDB LUDB PAP LUDB LUDB

Option 3 RADIUS RADIUS PADI MAC RADIUS RADIUS

Option 4 RADIUS RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 5 DHCP DHCP MAC/CIRCUIT_ID DHCP DHCP

Option 6 DHCP LUDB CHAP LUDB LUDB

Option 7 DHCP RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 8 RADIUS RADIUS PAP/CHAP USERNAME RADIUS RADIUS

Option 9 RADIUS RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 10 DHCP RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 11 DHCP RADIUS PAP/CHAP USERNAME RADIUS RADIUS

79 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via LUDB CHAP cf1:\pe2.ppp1.cfg pe1 N/A
IP from Local-DHCP-server / ESM from LUDB
RADIUS AAA DHCP
Server Server
BSAN BSR
Broadband Service Broadband Service
Access Node Router
Aggregation
network IP/MPLS
(optional)

PADI, Session ID: 0x0000 pppoe enabled under group-interface with ludb-1
PPPoE tag: option: 0x101, 0x103 No auth-policy . dhcp server enabled
Discovery stage

PADO, Session ID: 0x0000


PPPoE tag: option: 0x101,0x102, 0x103, 0x104
PADR, Session ID: 0x0000
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
PADS, Session ID: 0x0001
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
LCP Config Request, Session ID: 0x0001, ID=42
Options: 0x1 MRU, 0x3 CHAP , 0x5 Magic nbr Suggest CHAP
LCP session negotiation

LCP Config Request, Session ID: 0x0001,ID=252


Session stage :

Options: 0x1 MRU, 0x5 Magic number: Y


LCP Config Ack, Session ID: 0x0001.Id=252
Options: 0x1 MRU, 0x5 Magic number: Y
LCP Config Ack, Session ID: 0x0001,ID=42
Options: 0x1 MRU, 0x3: Auth-Protocol: CHAP ,0x5 Magic nbr

80 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via LUDB CHAP cf1:\pe2.ppp1.cfg pe1 N/A
IP from Local-DHCP-server / ESM from LUDB
RADIUS AAA DHCP
Server Server
BSAN BSR
Broadband Service Broadband Service
Access Node Router
Aggregation
network IP/MPLS
(optional)

CHAP Challenge , Session ID: 0x0001


User-name : user16@domain1
CHAP authentication

Value
Psw : user16 CHAP
:

CHAP Response , Session ID: 0x0001


Session stage

Local User16
value , Name : user1@domain1 user Sub1
db sla1 Use gi-address
CHAP Success , Session ID: 0x0001
message : CHAP auth. success address pool-1

DHCP discover : option 82 subscriber-id : user16@domain1


IPCP Configure-request, Session ID: 0x0001,ID-246 [3] IP
address: 192.168.42.254 DHCP Offer : option 82 sucbscriber-id:user16@domain1

DHCP Request : option 82 subscriber-id… Local


IPCP Configure-request, Session ID: 0x0001,ID-253 , [3] IP DHCP DHCP
address: 0.0.0.0 client Server
DHCP ACK : option 82 subscriber-id
IPCP Configure-Nack, Session ID: 0x0001, ID253 [3] IP
address: 192.168.42.31
Session stage :

IPCP Configure-Ack, Session ID: 0x0001,ID-246 [3] IP


address: 192.168.42.254
IPCP

IPCP Configure-request, Session ID: 0x0001,ID-254 , [3] IP


address: 192.168.42.31

IPCP Configure-ack, Session ID: 0x0001, ID-254 [3] IP


address: 192.168.42.31

81 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via LUDB CHAP cf1:\pe2.ppp1.cfg pe1 N/A
IP from Local-DHCP-server / ESM from LUDB
A:pe2.lab#configure router dhcp
local-dhcp-server "server-1" create
use-gi-adress
*A:pe2.lab# *A:pe2.lab# pool "pool-1" create
configure service ies 998 subnet 192.168.42.0/24 create
subscriber-interface "to_A2_via_hairpin" exclude-addresses 192.168.42.1 192.168.42.30
address 192.168.42.254/24 exclude-addresses 192.168.42.40 192.168.42.255
dhcp address-range 192.168.42.31 192.168.42.35
gi-address 192.168.42.254 exit
exit exit
group-interface "isam-1" create no shutdown
dhcp exit
A:pe2.lab#configure router
server 172.16.0.12
interface "system"
client-applications pppoe
address 172.16.0.12/32
no shutdown
local-dhcp-server "server-1"
exit
exit
sap 1/1/7 create
exit
sub-sla-mgmt
sub-ident-policy "sub_ident_all"
multi-sub-sap 100
no shutdown
exit *A:pe2.lab# configure subscriber-mgmt
exit local-user-db “ludb-1" create
pppoe pppoe
pap-chap-user-db "ludb-1" match-list username
session-limit 100 host "user16" create
sap-session-limit 100 host-identification
no shutdown username "user16@domain1"
exit exit
exit address pool pool-1
exit password chap user16
no shutdown identification-strings 254 create
subscriber-id "user16"
sla-profile-string "sla1"
 No Radius authentication but Radius sub-profile-string "sub1"
Accounting is possible. ( not in trace ) exit
options
dns-server 138.203.144.51
netbios-name-server 138.203.144.51
82 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008 exit
Authentication via LUDB CHAP cf1:\pe2.ppp1.cfg pe1 N/A
IP from Local-DHCP-server / ESM from LUDB
PPPoE sessions for svc-id 998
===========================================================
 Setup user16 with mac 00:00:00:00:00:10 Sap Id Mac Address Sid Up Time IP Address
-----------------------------------------------------------
1/1/7 00:00:00:00:00:10 1 0d 00:00:14 192.168.42.33

 No Radius users file : LCP State


IPCP State
:
:
Opened
Opened
PPP MTU : 1000

 IP from local DHCP server based on GI PPP Auth-Protocol


PPP User-Name
:
:
CHAP
user16@domain1

Subscriber-interface : to_A2_via_hairpin
 Use debug to see client control plane ppp. Group-interface : isam-1

Subscriber Origin : Local-User-Db


Strings Origin : Local-User-Db
IPCP Info Origin : DHCP
Subscriber
Subscriber Origin
: "user16" : Local-User-DB
Strings Origin : "sub1" : Local-User-DB
Sub-Profile-String
SLA-Profile-String : "sla1"
IPCP Info Origin
ANCP-String : "" : DHCP
Int-Dest-Id : ""
App-Profile-String : ""

Primary DNS : 138.203.144.51


Secondary DNS : N/A
 Use debug to see the dhcp server control plane Primary NBNS
Secondary NBNS
:
:
138.203.144.51
N/A

Circuit-Id :
Remote-Id :

Session-Timeout : N/A
----------------------------------------------------------
Number of sessions : 1

83 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Different PPPoE scenarios based on :
Authentication, IP, ESM cf1:\pe2.ppp3.cfg pe1 N/A

IP AUTH SUB / SLA SUB-ID

Option 1 LUDB LUDB CHAP LUDB LUDB

Option 2 LUDB LUDB PAP LUDB LUDB

Option 3 RADIUS RADIUS PADI MAC RADIUS RADIUS

Option 4 RADIUS RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 5 DHCP DHCP MAC/CIRCUIT_ID DHCP DHCP

Option 6 DHCP LUDB CHAP LUDB LUDB

Option 7 DHCP RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 8 RADIUS RADIUS PAP/CHAP USERNAME RADIUS RADIUS

Option 9 RADIUS RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 10 DHCP RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 11 DHCP RADIUS PAP/CHAP USERNAME RADIUS RADIUS

84 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via Radius PADI with user-name-format circuit-id
IP from local DHCP-server / ESM from Radius cf1:\pe2.ppp3.cfg

RADIUS AAA DHCP


Server Server
BSAN BSR
Broadband Service Broadband Service
Access Node Router
Aggregation
network IP/MPLS
(optional)

PADI, ,tag0x0105 circuit-id,Session ID: 0x0000


PPPoE tag: option: 0x101, 0x103 Access Request
user-name CID. . .
Discovery stage

Circuit-id
Access accept User11
PADO, Session ID: 0x0000
ESM Sla1
PPPoE tag: option: 0x101,0x102, 0x103, 0x104 Sub1
PADR, Session ID: 0x0000 NO IP
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
PADS, Session ID: 0x0001
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
Don’t suggest
LCP Config Request, Session ID: 0x0001, ID=139
Options: 0x1 MRU, 0x5 Magic nbr PAP/CHAP anymore
LCP session negotiation

LCP Config Request, Session ID: 0x0001,ID=132


Session stage :

Options: 0x1 MRU, 0x5 Magic number: Y


LCP Config Ack, Session ID: 0x0001.Id=132
Options: 0x1 MRU, 0x5 Magic number: Y
LCP Config ACK, Session ID: 0x0001, ID=139
Options: 0x1 MRU, 0x5 Magic nbr

85 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via Radius PADI with user-name-format circuit-id
IP from local DHCP-server / ESM from Radius cf1:\pe2.ppp3.cfg

RADIUS AAA DHCP


Server Server
BSAN BSR
Broadband Service Broadband Service
Access Node Router
Aggregation
network IP/MPLS
(optional)
Use gi-address

IPCP Configure-request, Session ID: 0x0001,ID-132 [3] IP DHCP discover : option 82 circuit-id
address: 192.168.42.254
DHCP Offer : ,option 82 circuit-id
Yiaddr 192.168.42.29
DHCP Local
client DHCP Request : option 82 circuit-id DHCP
Server
DHCP ACK : option 82 circuit-id Option 254
IPCP Configure-request, Session ID: 0x0001,ID-133 , [3] IP requested ip : 192.168.42.29
address: 0.0.0.0
IPCP Configure-Nack, Session ID: 0x0001, ID-133 [3] IP
address: 192.168.42.29
Session stage :

IPCP Configure-Ack, Session ID: 0x0001,ID-132 [3] IP


address: 192.168.42.254
IPCP

IPCP Configure-request, Session ID: 0x0001,ID-134 , [3] IP


address: 192.168.42.29

IPCP Configure-ack, Session ID: 0x0001, ID-134 [3] IP


address: 192.168.42.29

86 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via Radius PADI with user-name-format circuit-id
IP from local DHCP-server / ESM from Radius cf1:\pe2.ppp3.cfg

*A:pe2.lab# A:pe2.lab#configure router dhcp


configure service ies 998 local-dhcp-server "server-1" create
subscriber-interface "to_A2_via_hairpin" use-gi-adress
address 192.168.42.254/24 pool "pool-1" create
dhcp subnet 192.168.42.0/24 create
gi-address 192.168.42.254 address-range 192.168.42.20 192.168.42.30
exit exit
group-interface "isam-1" create exit
dhcp no shutdown
A:pe2.lab#configure router
server 172.16.0.12 exit interface "system"
client-applications pppoe address 172.16.0.12/32
no shutdown local-dhcp-server "server-1"
exit exit
authentication-policy "knock-knock" exit
sap 1/1/7 create
sub-sla-mgmt
sub-ident-policy "sub_ident_all"
multi-sub-sap 100
no shutdown
exit authentication-policy "knock-knock" create
exit description "RADIUS policy"
pppoe password "LetMeIn"
session-limit 100 radius-authentication-server
sap-session-limit 100 router "Base"
no shutdown server 1 address 10.2.79.79 secret WhoIsThere
exit exit
exit user-name-format circuit-id
exit no re-authentication
no shutdown pppoe-access-method padi
no accept-authorization-change
include-radius-attribute
 Use config ppp3 but… exit
exit
 but add knock-knock !!
 Change server to use-gi-address
87 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Authentication via Radius PADI with user-name-format circuit-id
IP from local DHCP-server / ESM from Radius cf1:\pe2.ppp3.cfg
=======================================================
PPPoE sessions for svc-id 998
 Setup user11 with mac 00:00:00:00:00:0B =======================================================
Sap Id Mac Address Sid Up Time IP Address
-------------------------------------------------------
1/1/7 00:00:00:00:00:0b 1 0d 00:00:17 192.168.42.29
 Radius users file : “TRE26 atm 1/1/01/27:8.35” Auth-Type := local, User-Password == "LetMeIn"
LCP State : Opened
Alc-Subsc-ID-Str
IPCP State= "user11",
: Opened
PPP MTU : 1492
Alc-SLA-Prof-Str = "sla1",: None
PPP Auth-Protocol
Alc-Subsc-Prof-Str = "sub1",
Subscriber-interface : to_A2_via_hairpin
ALc-ANCP-Str = “ancp1”
Group-interface : isam-1
Subscriber
Subscriber Origin
Origin : Radius
: Radius
Strings Origin
Strings Origin : Radius
: Radius
 No Framed IP from Radius IPCP IPCP
InfoInfo Origin
Origin : DHCP
: DHCP
Subscriber : "user11"
Sub-Profile-String : "sub1"
 IP from local DHCP server based on gi SLA-Profile-String
ANCP-String
:
:
"sla1"
"ancp1"
Int-Dest-Id : ""

 Use debug to see control plane ppp. App-Profile-String : ""

Primary DNS : N/A


Secondary DNS : N/A
Primary NBNS : N/A
Secondary NBNS : N/A

Circuit-Id : TRE26 atm 1/1/01/27:8.35


Remote-Id :

Session-Timeout : N/A
-----------------------------------------------
Number of sessions : 1
==============================================
*A:pe2.lab#

88 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Different PPPoE scenarios based on :
Authentication, IP, ESM cf1:\pe2.ppp3.cfg pe1 N/A

IP AUTH SUB / SLA SUB-ID

Option 1 LUDB LUDB CHAP LUDB LUDB

Option 2 LUDB LUDB PAP LUDB LUDB

Option 3 RADIUS RADIUS PADI MAC RADIUS RADIUS

Option 4 RADIUS RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 5 DHCP DHCP MAC/CIRCUIT_ID DHCP DHCP

Option 6 DHCP LUDB CHAP LUDB LUDB

Option 7 DHCP RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 8 RADIUS RADIUS PAP/CHAP USERNAME RADIUS RADIUS

Option 9 RADIUS RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 10 DHCP RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 11 DHCP RADIUS PAP/CHAP USERNAME RADIUS RADIUS

89 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via Radius PAP/CHAP 6.1
IP from Radius / ESM from Radius
RADIUS AAA DHCP
Server Server
BSAN BSR
Broadband Service Broadband Service
Access Node Router
Aggregation
network IP/MPLS
(optional)

PADI, Session ID: 0x0000 pppoe enabled without ludb


PPPoE tag: option: 0x101, 0x103 auth-policy enabled with pap/chap
. dhcp server not enabled
Discovery stage

PADO, Session ID: 0x0000


PPPoE tag: option: 0x101,0x102, 0x103, 0x104
PADR, Session ID: 0x0000
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
PADS, Session ID: 0x0001
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
LCP Config Request, Session ID: 0x0001, ID=82
Options: 0x1 MRU, 0x3 CHAP , 0x5 Magic nbr Suggest CHAP
LCP session negotiation

LCP Config Request, Session ID: 0x0001,ID=125


Session stage :

Options: 0x1 MRU, 0x5 Magic number: Y


LCP Config Ack, Session ID: 0x0001.Id=125
Options: 0x1 MRU, 0x5 Magic number: Y
LCP Config Ack, Session ID: 0x0001,ID=82
Options: 0x1 MRU, 0x3: Auth-Protocol: CHAP ,0x5 Magic nbr

90 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via Radius PAP/CHAP 6.1
IP from Radius / ESM from Radius
RADIUS AAA DHCP
Server Server
BSAN BSR
Broadband Service Broadband Service
Access Node Router
Aggregation
network IP/MPLS
(optional)

CHAP Challenge , Session ID: 0x0001


CHAP authentication

Value
:

CHAP Response , Session ID: 0x0001


Session stage

Access-request : username user7@domain1


value , Name : user7@domain1 User-name : user7@domain1
Chap password,
Psw : user7
CHAP Success , Session ID: 0x0001 User7
Access-accept : user7, sla1,sub1,IP Sub1
message : CHAP auth. success
Sla1
IPCP Configure-request, Session ID: 0x0001,ID-126 [3] IP Framed-ip : 192.168.42.7
address: 192.168.42.254

IPCP Configure-request, Session ID: 0x0001,ID-126 , [3] IP


address: 0.0.0.0
IPCP Configure-Nack, Session ID: 0x0001, ID126 [3] IP
address: 192.168.42.7
Session stage :

IPCP Configure-Ack, Session ID: 0x0001,ID-126 [3] IP


address: 192.168.42.254
IPCP

IPCP Configure-request, Session ID: 0x0001,ID-127 , [3] IP


address: 192.168.42.7

IPCP Configure-ack, Session ID: 0x0001, ID-127 [3] IP


address: 192.168.42.7

91 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via Radius PAP/CHAP 6.1
IP from Radius / ESM from Radius

*A:pe2.lab# *A:pe2.lab# authentication-policy "knock-knock" create


configure service ies 998 description "RADIUS policy"
subscriber-interface "to_A2_via_hairpin" create password "LetMeIn"
address 192.168.42.254/24 radius-authentication-server
group-interface “isam-1" create router "Base"
authentication-policy "knock-knock" server 1 address 10.2.79.79 secret WhoIsThere
sap 1/1/7 create exit
sub-sla-mgmt user-name-format circuit-id
sub-ident-policy "sub_ident_all“ no re-authentication
multi-sub-sap 100 pppoe-access-method pap-chap
no shutdown no accept-authorization-change
exit include-radius-attribute
exit circuit-id
pppoe remote-id
pppoe-policy “group-2” nas-port-id
session-limit 100 no nas-identifier
sap-session-limit 100 no pppoe-service-name
no shutdown no dhcp-vendor-class-id
exit no access-loop-options
exit mac-address
exit exit
no shutdown exit

*A:pe2.lab#configure subscriber-mgmt
 User-name-format irrelevant when pppoe- pppoe-policy "group-2" create
ppp-mtu 1100
access-method pap-chap. max-sessions-per-mac 10
exit
 Username send to Radius is pap/chap user
 pppoE vendor-specific tags is optional on
DSLAM but can be send to radius as well.

92 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via Radius PAP/CHAP 6.1
IP from Radius / ESM from Radius

 Setup user7 with mac 00:00:00:00:00:07 *A:pe2.lab# show service id 998 pppoe session detail
====================================================
PPPoE sessions for svc-id 998

 Radius users file : “user7@domain1”


====================================================
Auth-Type := local,
Sap User-Password
Id Mac Address == “user7"
Sid Up Time IP Address
----------------------------------------------------
Alc-Subsc-ID-Str = "user7",
1/1/7 00:00:00:00:00:07 1 0d 00:06:46 192.168.42.7
Alc-SLA-Prof-Str = "sla1",
LCP State : Opened
Alc-Subsc-Prof-Str
IPCP State = "sub1",
: Opened
PPP MTU : 1100
Framed-IP-Adress = 192.168.42.7,
PPP Auth-Protocol : CHAP
Framed-IP_Netmask = 255.255.255.0
PPP user-name : user7@domain1

Subscriber-interface : to_A2_via_hairpin
 Users file uses Group-interface
Subscriber Origin
: isam-1
: Radius
Subscriber
Strings Origin
Origin : Radius: Radius
 pap/chap username/psw for auth Strings Origin
IPCP
IPCPInfo
:
Origin :
Info Origin
Radius
Radius: Radius

 Ignores Agent-circuit-id for auth Subscriber


Sub-Profile-String
:
:
"user7"
"sub1"
SLA-Profile-String : "sla1"

 Use debug to see control plane ppp. ANCP-String


Int-Dest-Id
:
:
""
""
App-Profile-String : ""

Primary DNS : N/A


Secondary DNS : N/A
Primary NBNS : N/A
Secondary NBNS : N/A

Circuit-Id : TRE26 atm 1/1/01/23:8.35


Remote-Id : "03-2404012"
Session-Timeout : N/A

93 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Different PPPoE scenarios based on :
Authentication, IP, ESM cf1:\pe2.ppp3.cfg pe1 N/A

IP AUTH SUB / SLA SUB-ID

Option 1 LUDB LUDB CHAP LUDB LUDB

Option 2 LUDB LUDB PAP LUDB LUDB

Option 3 RADIUS RADIUS PADI MAC RADIUS RADIUS

Option 4 RADIUS RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 5 DHCP DHCP MAC/CIRCUIT_ID DHCP DHCP

Option 6 DHCP LUDB CHAP LUDB LUDB

Option 7 DHCP RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 8 RADIUS RADIUS PAP/CHAP USERNAME RADIUS RADIUS

Option 9 RADIUS RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 10 DHCP RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 11 DHCP RADIUS PAP/CHAP USERNAME RADIUS RADIUS

94 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via Radius PAP/CHAP 6.1
IP from Radius / ESM from Radius

 Setup user8 with mac 00:00:00:00:00:08


======================================================
 Radius users file : PPPoE1/1/01/24:8.35",
DEFAULT Agent-Circuit-Id == "TRE26 atm sessions for svc-id Auth-Type
998 := Accept
======================================================
Alc-Subsc-ID-Str
Sap Id =Mac
"user8",
Address Sid Up Time IP Address
------------------------------------------------------
Alc-Subsc-Prof-Str
1/1/7 = "sub1",
00:00:00:00:00:08 1 0d 00:00:31
192.168.42.8
Alc-SLA-Prof-Str = "sla1",
Framed-IP-Address = 192.168.42.8,
LCP State : Opened
IPCP State : Opened
Framed-IP-Netmask
PPP MTU = 255.255.255.0
: 1100
PPP Auth-Protocol : CHAP

 Users file uses PPP User-Name : dummy@dummy

Subscriber-interface : to_A2_via_hairpin
Group-interface : isam-1
 Agent-circuit-id for auth Subscriber Origin
Subscriber Origin : Radius
: Radius
Strings Origin :
Strings Origin :
Radius Radius
 Ignores pap/chap username IPCP
IPCPInfo Origin :
Info Origin :
Radius Radius
Subscriber : "user8"
 More heavy for radius as DB can not be indexed anymore on username
Sub-Profile-String : "sub1"
SLA-Profile-String : "sla1"
ANCP-String : ""
 Use debug to see control plane ppp. Int-Dest-Id
App-Profile-String
:
:
""
""

Primary DNS : N/A


Secondary DNS : N/A
Primary NBNS : N/A
Secondary NBNS : N/A

Circuit-Id : TRE26 atm 1/1/01/24:8.35


Remote-Id : 03-2404013

Session-Timeout : N/A
------------------------------------------------------
Number of sessions : 1

95 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Different PPPoE scenarios based on :
Authentication, IP, ESM cf1:\pe2.ppp3.cfg pe1 N/A

IP AUTH SUB / SLA SUB-ID

Option 1 LUDB LUDB CHAP LUDB LUDB

Option 2 LUDB LUDB PAP LUDB LUDB

Option 3 RADIUS RADIUS PADI MAC RADIUS RADIUS

Option 4 RADIUS RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 5 DHCP DHCP MAC/CIRCUIT_ID DHCP DHCP

Option 6 DHCP LUDB CHAP LUDB LUDB

Option 7 DHCP RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 8 RADIUS RADIUS PAP/CHAP USERNAME RADIUS RADIUS

Option 9 RADIUS RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 10 DHCP RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 11 DHCP RADIUS PAP/CHAP USERNAME RADIUS RADIUS

96 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via Radius PAP/CHAP
IP from Local DHCP-server / ESM from Radius
RADIUS AAA DHCP
Server Server
BSAN BSR
Broadband Service Broadband Service
Access Node Router
Aggregation
network IP/MPLS
(optional)

PADI, Session ID: 0x0000 pppoe enabled without ludb


PPPoE tag: option: 0x101, 0x103.Agent-circuit-id auth-policy enabled with pap/chap
. dhcp server enabled
Discovery stage

PADO, Session ID: 0x0000


PPPoE tag: option: 0x101,0x102, 0x103, 0x104
PADR, Session ID: 0x0000
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
PADS, Session ID: 0x0001
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
LCP Config Request, Session ID: 0x0001, ID=247
Options: 0x1 MRU, 0x3 CHAP , 0x5 Magic nbr Suggest CHAP
LCP session negotiation

LCP Config Request, Session ID: 0x0001,ID=202


Session stage :

Options: 0x1 MRU, 0x5 Magic number: Y


LCP Config Ack, Session ID: 0x0001.Id=202
Options: 0x1 MRU, 0x5 Magic number: Y
LCP Config Ack, Session ID: 0x0001,ID=247
Options: 0x1 MRU, 0x3: Auth-Protocol: CHAP ,0x5 Magic nbr

97 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via Radius PAP/CHAP
IP from Local DHCP-server / ESM from Radius
RADIUS AAA DHCP
Server Server
BSAN BSR
Broadband Service Broadband Service
Access Node Router
Aggregation
network IP/MPLS
(optional)

CHAP Challenge , Session ID: 0x0001


CHAP authentication

Value
:

CHAP Response , Session ID: 0x0001


Session stage

Access-request : username dummy@dummy


value , Name : dummy@dummy Agent-circuit-id ,
Chap password, Agent-circuit-id
username=accept
CHAP Success , Session ID: 0x0001 User12
Access-accept : user12, sla1,sub1,IP Sub1
message : CHAP auth. success
Sla1
IPCP Configure-request, Session ID: 0x0001,ID-185 [3] IP NO Framed-ip
address: 192.168.42.254
Use gi-address
IPCP Configure-request, Session ID: 0x0001,ID-203 , [3] IP DHCP discover : option 82 subscriber-id=dummy
address: 0.0.0.0 Circuit-id,remote-id
IPCP Configure-Nack, Session ID: 0x0001, ID-203 [3] IP DHCP Offer : ,option 82 …..
address: 192.168.42.22 Yiaddr 192.168.42.22
Session stage :

IPCP Configure-Ack, Session ID: 0x0001,ID-185 [3] IP


CLIENT DHCP Request : option 82 …. Local
address: 192.168.42.254
IPCP

DHCP
IPCP Configure-request, Session ID: 0x0001,ID-204 , [3] IP Server
DHCP ACK : option 82 circuit-id Option 254
address: 192.168.42.22
yiaddr : 192.168.42.22
IPCP Configure-ack, Session ID: 0x0001, ID-204 [3] IP
address: 192.168.42.22

98 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via Radius PAP/CHAP
IP from Local DHCP-server / ESM from Radius

*A:pe2.lab# *A:pe2.lab# A:pe2.lab#configure router dhcp


configure service ies 998 local-dhcp-server "server-1" create
subscriber-interface "to_A2_via_hairpin" use-gi-adress
address 192.168.42.254/24 pool "pool-1" create
dhcp subnet 192.168.42.0/24 create
gi-address 192.168.42.254 address-range 192.168.42.20 192.168.42.30
exit exit
group-interface "isam-1" create exit
dhcp no shutdown
A:pe2.lab#configure router
server 172.16.0.12 exit interface "system"
client-applications pppoe address 172.16.0.12/32
no shutdown local-dhcp-server "server-1"
exit exit
authentication-policy "knock-knock" exit
sap 1/1/7 create
sub-sla-mgmt
sub-ident-policy "sub_ident_all"
multi-sub-sap 100
no shutdown
exit authentication-policy "knock-knock" create
exit description "RADIUS policy"
pppoe password "LetMeIn"
session-limit 100 radius-authentication-server
sap-session-limit 100 router "Base"
no shutdown server 1 address 10.2.79.79 secret WhoIsThere
exit exit
exit user-name-format circuit-id
exit no re-authentication
no shutdown pppoe-access-method pap-chap
no accept-authorization-change
include-radius-attribute
circuit-id
remote-id
 User-name-format N/A when pap/chap exit
exit

99 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008


Authentication via Radius PAP/CHAP
=======================================================
IP from Local DHCP-server / ESM from Radius
PPPoE sessions for svc-id 998
======================================================
Sap Id Mac Address Sid Up Time IP Address
 Setup user12 with mac 00:00:00:00:00:0C -------------------------------------------------------
1/1/7 00:00:00:00:00:0c 1 0d 00:00:35 192.168.42.22

 Radius users file : LCP State


DEFAULT Agent-Circuit-Id
IPCP== State
: Opened
"TRE26 atm 1/1/01/28:8.35",
: Opened Auth-Type := Accept
PPP MTU : 1492
Alc-Subsc-ID-Str = "user12",
PPP Auth-Protocol : CHAP
Alc-Subsc-Prof-Str = "sub1",
PPP User-Name : dummy@dummy
Alc-SLA-Prof-Str = "sla1",

 Users file uses Subscriber-interface : to_A2_via_hairpin


Group-interface : isam-1

 Agent-circuit-id for auth Subscriber


SubscriberOrigin
Origin ::Radius
Radius
Strings
StringsOrigin
Origin ::Radius
Radius
IPCP InfoOrigin
Origin ::DHCP
 No framed-ip from radius IPCP Info DHCP
Subscriber : "user12"
 Ignores pap/chap username Sub-Profile-String : "sub1"
SLA-Profile-String : "sla1"
 More heavy for radius as DB can not be indexed anymore on username
ANCP-String : ""
Int-Dest-Id : ""
App-Profile-String : ""
 Use debug to see control plane ppp.
Primary DNS : N/A
Secondary DNS : N/A
Primary NBNS : N/A
Secondary NBNS : N/A

Circuit-Id : TRE26 atm 1/1/01/28:8.35


Remote-Id : 03-2404017

Session-Timeout : N/A
-------------------------------------------------------
Number of sessions : 1

100 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Different PPPoE scenarios based on :
Authentication, IP, ESM cf1:\pe2.ppp3.cfg pe1 N/A

IP AUTH SUB / SLA SUB-ID

Option 1 LUDB LUDB CHAP LUDB LUDB

Option 2 LUDB LUDB PAP LUDB LUDB

Option 3 RADIUS RADIUS PADI MAC RADIUS RADIUS

Option 4 RADIUS RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 5 DHCP DHCP MAC/CIRCUIT_ID DHCP DHCP

Option 6 DHCP LUDB CHAP LUDB LUDB

Option 7 DHCP RADIUS PADI CIRCUIT-ID RADIUS RADIUS

Option 8 RADIUS RADIUS PAP/CHAP USERNAME RADIUS RADIUS

Option 9 RADIUS RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 10 DHCP RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS

Option 11 DHCP RADIUS PAP/CHAP USERNAME RADIUS RADIUS

101 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Authentication via Radius PAP/CHAP =======================================================
PPPoE sessions for svc-id 998
IP from Local DHCP-server / ESM from======================================================
Radius
Sap Id Mac Address Sid Up Time IP Address
-------------------------------------------------------
 Setup user13 with mac 00:00:00:00:00:0D 1/1/7 00:00:00:00:00:0d 1 0d 00:00:39 192.168.42.21

LCP State : Opened


 Radius users file : “user13@domain1” IPCP State : Opened
Auth-Type := local, User-Password == “user13"
PPP MTU : 1492
Alc-Subsc-ID-Str = "user13",
PPP Auth-Protocol : CHAP
Alc-SLA-Prof-Str: =user13@domain1
PPP User-Name "sla1",
Alc-Subsc-Prof-Str = "sub1",
Subscriber-interface : to_A2_via_hairpin
 Users file uses Group-interface : isam-1

Subscriber
Subscriber Origin: Radius
Origin : Radius
 No framed-ip from radius Strings Origin
Strings Origin : Radius
: Radius
IPCP Info Origin : DHCP
IPCP Info Origin : DHCP
 pap/chap username
Subscriber : "user13"
Sub-Profile-String : "sub1"
 Use debug to see control plane ppp. SLA-Profile-String : "sla1"
ANCP-String : ""
Int-Dest-Id : ""
App-Profile-String : ""

Primary DNS : N/A


Secondary DNS : N/A
Primary NBNS : N/A
Secondary NBNS : N/A

Circuit-Id : TRE26 atm 1/1/01/29:8.35


Remote-Id : 03-2404018

Session-Timeout : N/A
------------------------------------------------------
Number of sessions : 1

102 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Agenda

a) What does the 7710/7750 offers in 7.0 and LAB-setup e) Resilience / Redundancy

b) different PPPoE scenarios. f) Security

c) Accounting
c) Accounting g) Change of Authority

d) QoS

103 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Accounting methods

 Radius accounting

 Local file/XML accounting

104 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
The interval at which accounting data of tha
Radius accounting policy configuration subscriber host will be updated

 Interval 10-1800 minutes


to identify a subscriber-host in the accounting
#--------------------------------------------------
messages, different RADIUS attributes can be
echo "Subscriber-mgmt Configuration"
included in the accounting-start and
#--------------------------------------------------
accounting-stop messages.
subscriber-mgmt
radius-accounting-policy "GiveMeTheMoney"
description "Radius is counting . . ."
update-interval 10
include-radius-attribute Send accounting information in
framed-ip-addr Specifies the format for standard accounting attributes iso
framed-ip-netmask acct-session-id attribute in a VSA’s.
subscriber-id RADIUS accounting request:
circuit-id description (default) or
remote-id number
nas-port-id
nas-identifier
sub-profile
sla-profile Optional source address. The src-ip determines the RADIUS
exit client (NAS) ID:
no session-id-format •Used as src-ip
no use-std-acct-aatributes •Used in NAS-IP attribute
radius-accounting-server If not specified, the system-ip is used for inband and the
no access-algorithm BOF management ip is used for out-of-band connectivity
no retry
no timeout Radius server address, shared secret and udp
no source-address port number for this Radius client
router "Base" Up to 5 servers can be provisioned for each
server 1 address 10.2.79.79 secret WhoIsThere authentication policy. The access-algorithm
exit will determine how the list is handled (round-
exit robin or direct)
105 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Accounting messages

 Accounting-start
 Send at the creation of a subscriber-host
 Describes the subscriber-host
 Accounting-stop
Accounting-Request(4) 10.2.79.79:1813 id 167 len 173
 Interim-update STATUS TYPE [40] 4 Start(1)
NAS IP ADDRESS [4] 4 172.16.0.12
FRAMED IP ADDRESS [8] 4 192.168.42.28
 Accounting-on FRAMED IP NETMASK [9] 4 255.255.255.255
NAS IDENTIFIER [32] 7 pe2.lab
 Accounting-off SESSION ID [44] 36 user9@1/1/7@sla1_2008/03/22 07:14:30
NAS PORT TYPE [61] 4 PPPoEoE(32)
NAS PORT ID [87] 5 1/1/7
VSA [26] 38 DSL(3561)
AGENT CIRCUIT ID [1] 24 TRE26 atm 1/1/01/25:8.35
AGENT REMOTE ID [2] 10 03-2404015
VSA [26] 19 Alcatel(6527)
SUBSC ID STR [11] 5 user9
SUBSC PROF STR [12] 4 sub1
SLA PROF STR [13] 4 sla1

106 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Accounting messages

 Accounting-start

 Accounting-stop
 Send at the termination of the subscriber-host session
 Includes accounting statistics for the given subscriber-host
 Includes the termination cause. (RADIUS RFC 2865 defines a number of values for this
RADIUS attribute [49] *** See Notes
 Interim-update Accounting-Request(4) 172.30.1.43:1813 id 246 len 252
STATUS TYPE [40] 4 Stop(2)
 Accounting-on NAS IP ADDRESS [4] 4 172.30.1.33
USER NAME [1] 14 user9@idm.lb
SERVICE TYPE [6] 4 Framed(2)
 Accounting-off FRAMED PROTOCOL [7] 4 PPP(1)
FRAMED IP ADDRESS [8] 4 10.192.0.7
FRAMED IP NETMASK [9] 4 255.255.255.255
NAS IDENTIFIER [32] 4 pe2.lab
SESSION ID [44] 40 0000000602208000006F00C80000000348C55AE2
SESSION TIMEOUT [46] 4 458
TERMINATE CAUSE [49] 4 User Request(1)
EVENT TIMESTAMP [55] 4 1220893868

107 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Accounting messages

 Accounting-start
Accounting-Request(4) 172.30.1.43:1813 id 225
 Accounting-stop STATUS TYPE [40] 4 Interim-Update(3)
NAS IP ADDRESS [4] 4 172.30.1.33
USER NAME [1] 14 user111@idm.lb
 Interim-update SERVICE TYPE [6] 4 Framed(2)
FRAMED PROTOCOL [7] 4 PPP(1)
 Send interim-accounting messages to FRAMED IP ADDRESS [8] 4 10.192.0.9
NAS IDENTIFIER [32] 4 PE33
provide an update for every SESSION ID [44] 46user111@1/1/1...
subscriber-host. (configurable SESSION TIME [46] 4 77245
update-interval). EVENT TIMESTAMP [55] 4 1226945667
NAS PORT TYPE [61] 4 PPPoEoQinQ(34)
 Include acct-session-time [46] also in NAS PORT ID [87] 13 1/1/1:300.300
VSA [26] 15 Alcatel(6527)
interim-updates iso only in SUBSC ID STR [11] 7 user111
accounting stop messages. SLA PROF STR [13] 4 512K
INPUT PACKETS [47] 4 0
 Accounting-on INPUT OCTETS [42] 4 0
OUTPUT PACKETS [48] 4 1286
OUTPUT OCTETS [43] 4 82304
 Accounting-off

108 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Accounting messages

 Accounting-start

 Accounting-stop

 Interim-update

 Accounting-on
 When a given radius-accounting-policy is applied to a given interface/sap/subscriber-
profile, or the first server is defined in context of already applied policy.
 Sent also after a re-boot of the node.
 Accounting-off
Accounting-Request(4) 10.2.79.79:1813 id 160 len 59
STATUS TYPE [40] 4 Accounting-On(7)
NAS IP ADDRESS [4] 4 172.16.0.12
NAS IDENTIFIER [32] 7 pe2.lab
EVENT TIMESTAMP [55] 4 1206168839
VSA [26] 6 Alcatel(6527)
SUBSC PROF STR [12] 4 sub1

109 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Accounting messages

 Accounting-start Accounting-Request(4) 10.2.79.79:1813 id 163 len 65


STATUS TYPE [40] 4 Accounting-Off(8)
 Accounting-stop NAS IP ADDRESS [4] 4 172.16.0.12
NAS IDENTIFIER [32] 7 pe2.lab
TERMINATE CAUSE [49] 4 NAS Request(10)
 Interim-update EVENT TIMESTAMP [55] 4 1206169403
VSA [26] 6 Alcatel(6527)
 Accounting-on SUBSC PROF STR [12] 4 sub1

 Accounting-off
 When accounting policy has been removed from sap/interface/sub-profile
 Service which is transporting accounting information has been shutdown.
 The last RADIUS accounting server has been removed from already applied accounting
policy
 Termination cause included.

110 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Accounting messages : Some Acct-Terminate-Cause examples

 Admin Reset Accounting-Request(4) 172.30.1.43:1813 id 240


STATUS TYPE [40] 4 Stop(2)
NAS IP ADDRESS [4] 4 172.30.1.33
 Via “clear” command or RADIUS USER NAME [1] 14 user111@idm.lb
Disconnect Request. SERVICE TYPE [6] 4 Framed(2)
FRAMED PROTOCOL [7] 4 PPP(1)
FRAMED IP ADDRESS [8] 4 10.192.0.6
FRAMED IP NETMASK [9] 4 255.255.255.255
NAS IDENTIFIER [32] 4 PE33
SESSION ID [44] 40 0000000602208000006…
SESSION TIMEOUT [46] 4 81
TERMINATE CAUSE [49] 4 Admin Reset(6)
EVENT TIMESTAMP [55] 4 1220893404

 User Request Accounting-Request(4) 172.30.1.43:1813 id 246


STATUS TYPE [40] 4 Stop(2)
 User disconnects the session NAS IP ADDRESS [4] 4 172.30.1.33
USER NAME [1] 14 user111@idm.lb
SERVICE TYPE [6] 4 Framed(2)
FRAMED PROTOCOL [7] 4 PPP(1)
FRAMED IP ADDRESS [8] 4 10.192.0.7
FRAMED IP NETMASK [9] 4 255.255.255.255
NAS IDENTIFIER [32] 4 PE33
SESSION ID [44] 40 0000000602208000006F0…
SESSION TIMEOUT [46] 4 458
TERMINATE CAUSE [49] 4 User Request(1)
EVENT TIMESTAMP [55] 4 1220893868

111 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Accounting messages : Some Acct-Terminate-Cause examples

 PPPoE keepalive T.0 1 2001/01/1 16:10:52.36 UTC MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Transmit Accounting-Request(4) 10.2.79.79:1813 id 5
STATUS TYPE [40] 4 Stop(2)
NAS IP ADDRESS [4] 4 172.16.0.12
FRAMED IP ADDRESS [8] 4 192.168.42.5
FRAMED IP NETMASK [9] 4 255.255.255.255
NAS IDENTIFIER [32] 7 pe2.lab
SESSION ID [44] 40 000000010223800000000000000…
SESSION TIMEOUT [46] 4 135
TERMINATE CAUSE [49] 4 Lost Carrier(2)
NAS PORT TYPE [61] 4 PPPoEoE(32)
. . .

112 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Attributes : Accounting information

 Accounting information can be send via VSA or Standard Attributes.

 Selection between these two is done via the following parameter.


subscriber-mgmt
radius-accounting-policy "GiveMeTheMoney"
[no] use-std-acct-attributes
exit

 The main difference when using standard based accounting attributes is that
there is no separation between in-profile and out-profile counters. Therefore,
when standards based attributes are used, these counters will be accumulated.

113 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Attributes : Accounting information

 Accounting information in VSA accounting attributes

 No use-std-acct-attributes
1023 2008/09/08 18:29:36.38 UTC MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Accounting Request
policy GiveMeTheMoney"
radius-accounting-policy "GiveMeTheMoney" create 1024 2008/09/08 18:29:36.38 UTC MINOR: DEBUG #2001 Base RADIUS
description "Radius is counting . . . "RADIUS: Transmit
update-interval 10 Accounting-Request(4) 172.30.1.43:1813 id 76 len 312
STATUS TYPE [40] 4 Interim-Update(3)
include-radius-attribute NAS IP ADDRESS [4] 4 172.30.1.33
framed-ip-addr USER NAME [1] 14 user666@idm.lb
framed-ip-netmask SERVICE TYPE [6] 4 Framed(2)
subscriber-id FRAMED PROTOCOL [7] 4 PPP(1)
FRAMED IP ADDRESS [8] 4 10.165.0.66
circuit-id FRAMED IP NETMASK [9] 4 255.255.255.255
remote-id NAS IDENTIFIER [32] 4 PE33
nas-port-id SESSION ID [44] 40 0000000602208000029A00C80000000248C56C85
nas-identifier EVENT TIMESTAMP [55] 4 1220898576
NAS PORT TYPE [61] 4 PPPoEoQinQ(34)
sub-profil NAS PORT ID [87] 13 1/1/1:200.666
sla-profile VSA [26] 27 DSL(3561)
exit AGENT CIRCUIT ID [1] 16 ATM 1/1/4/6:8:35
session-id-format number AGENT REMOTE ID [2] 7 user666
VSA [26] 126 Alcatel(6527)
no use-std-acct-attributes SUBSC ID STR [11] 13 1/1/1:200.666
radius-accounting-server SUBSC PROF STR [12] 7 initial
source-address 172.30.1.33 SLA PROF STR [13] 4 128K
server 1 address 172.30.1.43 secret WhoIsThere INPUT_INPROF_OCTETS_64 [19] 10 0x00010000000000000000
INPUT_OUTPROF_OCTETS_64 [20] 10 0x000100000000000002ec
exit INPUT_INPROF_PACKETS_64 [23] 10 0x00010000000000000000
exit INPUT_OUTPROF_PACKETS_64 [24] 10 0x0001000000000000000b
OUTPUT_INPROF_OCTETS_64 [21] 10 0x000100000000000003de
OUTPUT_OUTPROF_OCTETS_64 [22] 10 0x00010000000000000000
OUTPUT_INPROF_PACKETS_64 [25] 10 0x0001000000000000000b
OUTPUT_OUTPROF_PACKETS_64 [26] 10 0x00010000000000000000
"

114 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Attributes : Accounting information

 Accounting information in VSA accounting attributes


 Standard defined RADIUS attributes do not have any provisions to indicate queue-id
 Repeating of such RADIUS attributed is not supported
VSA = [26-VendorID-AttributeNr] Description
[26-6527-19] alc-acct-input-inprof-octets-64 ingress-in-profile-forwarded-bytes
[26-6527-20] alc-acct-input-outprof-octets-64 ingress-out-of-profile-forwarded-bytes
[26-6527-23] alc-acct-input-inprof-packets-64 ingress-in-profile-forwarded-packets
[26-6527-24] alc-acct-input-outprof-packets-64 ingress-out-of-profile-forwarded-packets
[26-6527-21] alc-acct-output-inprof-octets-64 egress-in-profile-forwarded-bytes
[26-6527-22] alc-acct-output-outprof-octets-64 egress-out-of-profile-forwarded-bytes
[26-6527-25] alc-acct-output-inprof-packets-64 egress-in-profile-forwarded-packets
[26-6527-26] alc-acct-output-outprof-packets-64 egress-out-of-profile-forwarded-packets

0 0 0 0 0 0 0 0 0 1
1 2 3 4 5 6 7 8 9 0
Format: 10 byte word +---+---+---+---+---+---+---+---+---+---+
| queue | counter level |
| -id | |
+---+---+---+---+---+---+---+---+---+---+

115 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Attributes : Accounting information

 Accounting information in standard accounting attributes

 use-std-acct-attributes
radius-accounting-policy "GiveMeTheMoney" create
description "Radius is counting . . .
update-interval 10 1072 2008/09/08 18:39:44.38 UTC MINOR: DEBUG #2001 Base RADIUS
include-radius-attribute "RADIUS: Accounting Request
policy GiveMeTheMoney"
framed-ip-addr
1073 2008/09/08 18:39:44.38 UTC MINOR: DEBUG #2001 Base RADIUS
framed-ip-netmask "RADIUS: Transmit
subscriber-id Accounting-Request(4) 172.30.1.43:1813 id 84 len 240
circuit-id STATUS TYPE [40] 4 Interim-Update(3)
NAS IP ADDRESS [4] 4 172.30.1.33
remote-id
USER NAME [1] 14 user666@idm.lb
nas-port-id SERVICE TYPE [6] 4 Framed(2)
nas-identifier FRAMED PROTOCOL [7] 4 PPP(1)
sub-profil FRAMED IP ADDRESS [8] 4 10.165.0.66
FRAMED IP NETMASK [9] 4 255.255.255.255
sla-profile
NAS IDENTIFIER [32] 4 PE33
exit SESSION ID [44] 40 0000000602208000029A00C80000000248C56C85
session-id-format number EVENT TIMESTAMP [55] 4 1220899184
use-std-acct-attributes NAS PORT TYPE [61] 4 PPPoEoQinQ(34)
NAS PORT ID [87] 13 1/1/1:200.666
radius-accounting-server
VSA [26] 27 DSL(3561)
source-address 172.30.1.33 AGENT CIRCUIT ID [1] 16 ATM 1/1/4/6:8:35
server 1 address 172.30.1.43 secret WhoIsThere AGENT REMOTE ID [2] 7 user666
exit VSA [26] 30 Alcatel(6527)
SUBSC ID STR [11] 13 1/1/1:200.666
exit
SUBSC PROF STR [12] 7 initial
SLA PROF STR [13] 4 128K
INPUT PACKETS [47] 4 21
INPUT OCTETS [42] 4 1428
OUTPUT PACKETS [48] 4 21
OUTPUT OCTETS [43] 4 1890
"

116 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Attributes : CLASS attribute

 RADIUS CLASS Attrib [25]


 Can be used for user identification.
 Correlate RADIUS accounting messages with given user.
 Radius Authentication Access-Accept can contain the Class Attribute.
 NAS needs in this case to echo this attribute back in all Accounting Messages.

Accounting-Request(4) 172.30.1.43:1813 id 230


STATUS TYPE [40] 4 Start(1)
NAS IP ADDRESS [4] 4 172.30.1.33
USER NAME [1] 14 user666@idm.lb
UTC MINOR: DEBUG #2001 management RADIUS SERVICE TYPE [6] 4 Framed(2)
"RADIUS: Receive Access-Accept(2) FRAMED PROTOCOL [7] 4 PPP(1)
VSA [26] 6 Alcatel(6527) FRAMED IP ADDRESS [8] 4 10.165.0.4
MSAP SERVICE ID [31] 4 301 CLASS [25] 12 0x4573687461205961206d616e
VSA [26] 7 Alcatel(6527) NAS IDENTIFIER [32] 4 PE33
MSAP POLICY [32] 5 ISP-1 SESSION ID [44] 55 1/1/1:300.300@1/1/1:…
VSA [26] 5 Alcatel(6527) EVENT TIMESTAMP [55] 4 1226947466
MSAP INTERFACE [33] 3 NH2 NAS PORT TYPE [61] 4 PPPoEoQinQ(34)
CLASS [25] 12 0x4573687461205961206d616e NAS PORT ID [87] 13 1/1/1:300.300
FRAMED IP ADDRESS [8] 4 10.165.0.4 VSA [26] 24 Alcatel(6527)
SUBSC ID STR [11] 13 1/1/1:300.300
SLA PROF STR [13] 7 default

117 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
useful CLI commands : Radius Accounting specific

 show subscriber-mgmt radius-accounting-policy


 Returns all radius accounting polices by name.

 show subscriber-mgmt radius-accounting-policy GiveMeTheMoney statistics

 show subscriber-mgmt radius-accounting-policy GiveMeTheMoney


 Returns all details of this specific policy ( also the state ).

118 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Accounting methods

 Radius accounting

 Local file/XML accounting

119 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Local file/XML accounting

 Standard XML accounting


 Interval 5-1800 minutes
– Compared to min 10 min interval for Radius Accounting
 An accounting file is provided on the local disk which supplies the accounting
information for the Client’s session information

120 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Agenda

a) What does the 7710/7750 offers in 7.0 and LAB-setup e) Resilience / Redundancy

b) different PPPoE scenarios. f) Security

c) Accounting g) Change of Authority

d) QoS
d) QoS

121 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
QoS

 Generic
 Well known QoS sap-ingress / sap-egress policies used.

 PPP specific
 Downstream dot1p can be set for PPPoE control traffic
 Dynamic QoS adaptation
– Access-loop-options

122 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Dot1P settings for PPPoE generated traffic

 Downstream dot1p can be set for PPPoE control traffic [ default 7 ]


 configure router sgt-qos application pppoe dot1p 5 [0..7]
 configure service vprn <service-id> sgt-qos application pppoe dot1p5 [0..7]

*A:pe2.lab# show router sgt-qos application


=========================================================
Dot1p Application Values
==========================================================
Application Dot1p Value Default Dot1p Value
-----------------------------------------------------------
arp none none
isis none none
pppoe 5 none

*A:pe2.lab# show router 200 gt-qos application


==========================================================
Dot1p Application Values
==========================================================
Application Dot1p Value Default Dot1p Value
-----------------------------------------------------------
arp none none
isis none none
pppoe 5 none

123 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Agenda

a) What does the 7710/7750 offers in 7.0 and LAB-setup e)


e) Resilience
Resilience // Redundancy
Redundancy

b) different PPPoE scenarios. f) Security

c) Accounting g) Change of Authority

d) QoS

124 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
PE resiliency

 PPPoE subscriber state is not synched between PE’s


 Compared to DHCP subscriber state that is synced via SRRP.
 PPPoE Sunets on pe1 and pe2 can not be overlapping.
 Care should be taken if support for DHCP and PPPoE is required on same interface with
dual homed PE’s.
– SRRP requires same subnet ( DHCP ) pe1
– PPPoE requires different subnet subnet-1
PPPoE session

SRRP

subnet-2
pe2
 configure system persistence subscriber-mgmt
 Will create a file submgmt.004 on flash (67109888 bytes ) (used only for DHCP clients)
 Not persistant for PPPoE because
– the client will break down the session anyway due to the short keepalive.

125 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
PE resiliency CON’T

PADO delay timers create a ACT/STDBY situation. Sessions need to be setup


again after boot Active PE

 Configurable delay on PE routers before sending back PADO.


 Makes PE1 ACT and PE2 standby
pe1

session Pado-delay = 0

Pado-delay = 1
configure subscriber-mgmt
pe2 pppoe-policy group-1
pado-delay [1..30] deci-sec
 Configurable delay on Radius server
 Example : Based on NAS-IP address
pe1

session If NAS-IP PE1


=> Pado-delay = 0
Alc-PPPoE-PADO-Delay
Ifo-delay =1
NAS-IP PE2
RADIUS
=> Pado-delay=1s

pe2

126 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
PE resiliency : Conclusion

Single homed PE

 PPPoE and DHCP clients can share same IP subnet

 Same static IP mapping for clients supported.

Dual homed PE

 Interface supports only PPPoE users


 Different subnets on pe1 and pe2
 Same static IP mapping for PPPoE not users supported. ( pe1 & pe2 server diff subnet )
 Dual homing is supported for PPPoE clients in an act/standby model ( PADO-delay )
 Interface supports DHCP and PPPoE users
 DHCP clients use same subnet on pe1 and pe2 with SRRP.
 PPPoE clients can not share same subnet as the above.

Full dual homing for PPPoE clients ala DHCP-model would be nice for the future.

127 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Agenda

a) What does the 7710/7750 offers in 7.0 and LAB-setup e) Resilience / Redundancy

b) different PPPoE scenarios. f) Security


f) Security

c) Accounting g) Change of Authority

d) QoS

128 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Security

 Securing the Control Plane:


 configure system security cpu-protection

 See TiMOS-6.0_TPSDA_v1.1.ppt : CPU protection


 http://aww.quickplace.alcatel.be/QuickPlace/ipdrsces/PageLibraryC125716800326CF8
.nsf/h_Toc/7A689CC2E1B54877C125742F00426CAE/?OpenDocument

129 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
Agenda

a) What does the 7710/7750 offers in 7.0 and LAB-setup e) Resilience / Redundancy

b) different PPPoE scenarios. f) Security

c) Accounting g)Change
g) Changeof
ofAuthority
Authority

d) QoS

130 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
How to deal with Change of Authority ?

 PPP session is « wired » so no possibility to refresh/update session parameters


through protocol itself during the life of a session.
 PPPoE keep alive . (re-authentication N/A) can not be compared with a DHCP renew.
 7710/7750 can not reset ipcp without terminating the PPPoE session.

 Solutions with and without PPPoE session termination possible


 Radius can update the ESM strings.
 New sla-profile that include http-redirect policy for ingress.

131 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
How to deal with Change of Authority ? Continued

Solutions with PPP session termination


 1) Radius Session-timeout
 Session-timeout only associated with Radius SLA profile.( standard attribute 27 )
 PADT send by 7710/7750 after timeout .
 Possible application :
 Assign IP address via pool and use session-timeout value= 1 day to be sure that user
gets resetted and gets a new IP address .

132 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
How to deal with Change of Authority ? Continued

NAS-port-Id = "1/1/7"
Solutions with PPP session termination Framed-IP-Address = 192.168.42.5

 2) Radius Disconnect-request
/usr/local/etc/raddb #

 Framed-IP is mandatory. radclient -x -d /usr/local/etc/raddb –f disconnect_msg.txt


172.16.0.12:3799 disconnect WhoIsThere
 By default not accepted.
+----------+ Disconnect-Request +----------+
configure subscriber-mgmt | | <-------------------- | |
authentication-policy knock-knock | RADIUS | | RADIUS |
no accept-authorization-change | Client | Disconnect-Reject | Server |
| | ---------------------> | |
+----------+ +----------+

2 2008/03/11 09:47:47.12 UTC WARNING: SVCMGR #2509 Base Radius CoA Error "Problem encountered in Subscriber
Management, while processing a Disconnect request on SAP 1/1/7 in service 998 from a Radius server: authentication
policy "knock-knock" doesn't allow Disconnects"

 accept-authorization-change
+----------+ Disconnect-Request +----------+
configure subscriber-mgmt | | <------------------- | |
authentication-policy knock-knock | RADIUS | | RADIUS |
accept-authorization-change | Client | Disconnect-Ack | Server |
| | ---------------------> | |
+----------+ +----------+
 Disconnect Ack to server and PADT to client
 Statistics under show subscriber-mgmt authentication coa-statistics
– Display command updated in >6.0

133 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
How to deal with Change of Authority ? Continued

Solutions without PPP session termination


NAS-port-Id = "1/1/7"
Framed-IP-Address = 192.168.42.5
1. Change of Authorization (CoA) from Radius.
*A:pe2.lab# show service id 998 pppoe session detail
Alc-SLA-Prof-Str="http-redirect”
============================================================
PPPoE sessions for svc-id 998
 Session stays up ( see uptime ) ===========================================================
Sap Id Mac Address Sid Up Time IP Address
------------------------------------------------------------
 Accounting stop and start again 1/1/7 00:00:00:00:00:05 1 2d 00:25:36 192.168.42.5

LCP State : Opened


IPCP State : Opened
/usr/local/etc/raddb # PPP MTU : 1100
PPP Auth-Protocol : None
radclient -x -d /usr/local/etc/raddb –f coa_msg.txt
Subscriber-interface : to_A2_via_hairpin
172.16.0.12:3799 coa WhoIsThere Group-interface : isam-1

Subscriber Origin : Radius


+----------+ Coa-Request +----------+Strings Origin : Mid-Session-Change
| | <-------------------- | |IPCP Info Origin : Radius

| RADIUS | | RADIUS |Subscriber : "user5"


| Client | Coa-Ack | Server |Sub-Profile-String : "sub1"
| | ---------------------> | |SLA-Profile-String : "http-redirect"
+----------+ +----------+ANCP-String : ""
Int-Dest-Id : ""
RADIUS-CoA-REQUEST App-Profile-String : ""
ESM
update RADIUS-CoA-ACK Primary DNS : N/A
Secondary DNS : N/A
Primary NBNS : N/A
Secondary NBNS : N/A

Circuit-Id
RADIUS : TRE26 atm 1/1/01/22:8.35
Remote-Id : 03-2404011
BSAN BSA
BSR Session-Timeout : N/A
---------------------------------------------------
Number of sessions : 1
===================================================

134 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Retail PPPoE implementation
How to deal with Change of Authority ? Continued

Solutions without PPP session termination


 ANCP
 Issue 1: add another « control plane » to manage subscriber sessions
 Issue 2: dependency on DSLAM

135 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
4 7x50 Wholesale-Retail via MSAP

updated

136 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail via MSAP

 See TiMOS-6.0_TPSDA_v1.1.ppt : MSAP in general


 http://aww.quickplace.alcatel.be/QuickPlace/ipdrsces/PageLibraryC125716800326CF8
.nsf/h_Toc/7A689CC2E1B54877C125742F00426CAE/?OpenDocument

 See TiMOS-6.1-PPPoE_v2.0.ppt : MSAP PPPoE example


 http://aww.quickplace.alcatel.be/QuickPlace/ipdrsces/PageLibraryC125716800326CF8
.nsf/h_Toc/732CCEA3F49D60F7C1257505006D4A08/?OpenDocument

137 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
5 7x50 Wholesale-Retail VRF selection

new

138 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail VRF selection

 See TiMOS-7.0_PPPoE_VRF_selection_TPSDA_enh_<version>_<date>.ppt

139 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
6 General L2TP Technology overview

new

140 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
General L2TP Technology overview
Embedded presentation

 ~ 1 Hour embedded general LT2P Technology Overview.

141 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7 7x50 Wholesale-Retail L2TP implementation

new

142 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Agenda

7. 7x50 Wholesale-Retail L2TP implementation.


a) General
b) CLI changes on LUDB/PPPoE/PPPoE-Policy
c) Tunnel configuration possibilities + LAB
a) LUDB and configured L2TP group
a) Clear / Tools /Hello/idle-timeout drain commands

b) Tunnel selection / load balancing


c) Understanding tunnel-id/session-id
d) Security [tunnel-auth/AVP-hiding/anti-spoof/cpm-protection]
b) RADIUS
a) Radius returns tunnel-group that points to CLI configuration
b) Radius returns all parameters to setup tunnel
d) Miscellaneous (Wireshark , N2X , ….)

143 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation.
General : L2TP and related RFC’s

 L2TP used for the tunnelling of PPP packets across an intervening network is
based on RFC 2661. (Aug 1999)

 L2TP uses the destination UDP port 1701.The entire L2TP packet, including
payload and L2TP header, is sent within a UDP datagram. The source UDP port
may or may not be 1701.

 Related RFC’s and info.


 RFC 2516 : A Method for Transmitting PPP Over Ethernet (PPPoE)
 RFC 1994 : PPP Challenge Handshake Authentication Protocol (CHAP)
 RFC 1661 : The Point-to-Point Protocol (PPP)
 RFC 2868 : RADIUS Attributes for Tunnel Protocol Support
 RFC 4951 Fail Over Extensions for Layer 2 Tunnelling Protocol (L2TP) "failover“
– Not supported for 7.0R1
 L2TP-parameter types ( complete list of possible parameters…just for info )
 http://www.iana.org/assignments/radius-types

144 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation.
General : RFC 2661 supported message types.

 Control Connection Management


0 (reserved)
1 (SCCRQ) Start-Control-Connection-Request
2 (SCCRP) Start-Control-Connection-Reply
3 (SCCCN) Start-Control-Connection-Connected
4 (StopCCN) Stop-Control-Connection-Notification
5 (reserved)
6 (HELLO) Hello

 Call Management
7 (OCRQ) Outgoing-Call-Request***
8 (OCRP) Outgoing-Call-Reply
9 (OCCN) Outgoing-Call-Connected
10 (ICRQ) Incoming-Call-Request
11 (ICRP) Incoming-Call-Reply
12 (ICCN) Incoming-Call-Connected
13 (reserved)
14 (CDN) Call-Disconnect-Notify

 Error Reporting 15 (WEN) WAN-Error-Notify

 PPP Session Control 16 (SLI) Set-Link-info

145 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
General : 7x50 L2TP Simplified State-Diagram

 Tunnel setup can be triggered by :


 Tools command
Client-trigger
 Auto-establish Auto-establish
 PPPoE client trigger Tools cmd start
SCCRQ
 LNS initiated SCCRQ
wait-reply
 SESSION setup can be only via PPPoE client SCCRP

establishedIdle
ICRQ CLI Timer-ex Session-
Idle-timeout
ICRQ/ICRP/ICCN
established
wait-reply stopCC
ICRP/ICCN

closedByPeer
established stopCC
CDN

closed
closed

Figure : SESSION state-diagram Figure : TUNNEL state-diagram

146 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
R&D CONFIDENTIAL – internal use only
PADI LUDB + PRE-Authentication in 7.0

Auth-method
= none

PADI LUDB New 7.0

Pre-Auth
New 7.0 Retail
147 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Agenda

7. 7x50 Wholesale-Retail L2TP implementation.


a) General
b) CLI changes on LUDB/PPPoE/PPPoE-Policy
c) Tunnel configuration possibilities + LAB
a) LUDB and configured L2TP group
a) Tools / clear / drain commands /Hello/idle-timeout

b) Tunnel selection / load balancing


c) Understanding tunnel-id/session-id
d) Security [tunnel-auth/AVP-hiding/anti-spoof/cpm-protection]
b) RADIUS
a) Radius returns tunnel-group that points to CLI configuration
b) Radius returns all parameters to setup tunnel
d) Miscellaneous (Wireshark , N2X , Nice-to-Know)

148 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
CLI Changes : LUDB for PPPoE
service-name is 255 chars max
 Removed and added parameters in LUDB Optional Service-name in pppoE PADI
can be used for match condition.
local-user-db "my_ludb"
pppoe
no mask
mask type <type>
match-list pppoe-match-type Radius policy Knock-knock is added
circuit-id | remote-id in LUDB. Can be used after a pre-
no circuit-id-mask
service-name | username authentication is done on PADI .
host "host1" create
…followed by Example : pado-delay
host-identification
no circuit-id
<prefix-string>: ('*' is wildcard) no mac
<prefix-length>: [1..127] no remote-id PADO delay can now come
<suffix-string>: ('*' is wildcard) no service-name from Radius , pppoe-policy or
<suffix-length>: [1..127] LUDB.
no username
exit
no auth-policy
no address
Corresponds with the tunnel- no pado-delay
group-name ( max 63 chars ) no password
configured under “configure no identification-strings
router x l2tp group group- l2tp
name” no group
exit Service-id for wholesale/retail aka
options vrf-selection.
Fallback host “default” : exit
Strings taken from this host incase
no retail-service-id
host not found in Ludb.
exit
host “default" create

149 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
CLI Changes : pap-chap ludb

 Removed and added parameters in LUDB

 Pap-chap-user-db is now renamed to user-db

configure services ies/vprn


subscriber-interface my_subscriber_itf1
group-interface my_grp_itf1
pppoe
pap-chap-user-db local-user-db-name Configure the local user database to
user-db local-user-db-name use for authentication.
exit
exit User-database could be used for PPPoE
exit only for pap-chap before and can now
exit be used for PADI authentication.
Therefore the name is changed to
simple user-db iso pap-chap-user-db

150 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
CLI Changes : pppoe-policy

 Removed and added parameters in pppoe-policy

 pref-chap is default and has same behaviour as before ( Release < 7.0R1 )

configure subscriber-mgmt pppoe-policy


default description "Default PPPoE policy"
no disable-cookies pap : pap only , no alternative chap
keepalive 30 hold-up-multiplier 3 chap : chap only , no alternative
no pado-delay pref-chap : first chap with pap as alternative.
no ppp-mtu
max-sessions-per-mac 1
no reply-on-padt
ppp-authentication pref-chap

ppp-chap-challenge-length min 32 max 64


ppp-options Min [8..64] and max [8..64]
exit

 pppoe chap-challenge (client-LAC) is by default a value between 32-64 and was


never a problem for clients. ( different to challenge for tunnel authentication)

 The same challenge will be send to the LNS if we have proxy-authentication and
some LNS’s don’t support big challenges. Don’t CHANGE this values unless
required due to interoperable cases.
151 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Agenda

7. 7x50 Wholesale-Retail L2TP implementation.


a) General
b) CLI changes on LUDB/PPPoE/PPPoE-Policy
c) Tunnel configuration possibilities + LAB
a) LUDB and configured L2TP group
a) Clear / Tools /Hello/idle-timeout drain commands

b) Tunnel selection / load balancing


c) Understanding tunnel-id/session-id
d) Security [tunnel-auth/AVP-hiding/anti-spoof/cpm-protection]
b) RADIUS
a) Radius returns tunnel-group that points to CLI configuration
b) Radius returns all parameters to setup tunnel
d) Miscellaneous (Wireshark , N2X , ….)

153 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Tunnel Configuration : Several possibilities

1. LUDB points to a CLI created L2TP group.

2. RADIUS returns tunnel-group that points to a CLI created L2TP group.

3. RADIUS returns all required parameters without tunnel-group.


 Operational TG created with name equal to “default_radius_group”
4. RADIUS returns all required parameters without tunnel-group +
 Operational TG created with name equal to the Radius standard attribute Tunnel-
Assignment-Id:0 ( 7.0R2)

Remark :
• When Radius returns the tunnel-group it should always point to a CLI created group and
any other Radius returned L2TP parameters is ignored. All other required info to setup the
tunnel should come than from CLI.

154 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Tunnel Configuration : LUDB points to a CLI created L2TP group

1) LUDB points to a CLI created L2TP group.

 The LUDB could return on match a L2TP group-name


local-user-db "MyLudb1" create
pppoe
host "host1"
l2tp
group "MyProvider1"
exit
exit

 The minimum required configuration is an LNS end-point called peer ***


configure router l2tp Tunnels are configured
group "MyProvider1" create always under a tunnel group
tunnel "MyTunnel1" create
peer 192.168.4.2
no shutdown
exit MyTunnel1 has LNS end point 192.168.4.2.
tunnel "MyTunnel2" create The source of the tunnel is always are own system interface
peer 192.168.5.2
no shutdown
exit
no shutdown
exit
exit

155 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Tunnel Configuration : RADIUS points to a CLI created L2TP group

2) RADIUS points to a CLI created L2TP group.

 RADIUS returns on match a L2TP group-name

user10&skynet.be Auth-Type := Local, User-Password == “password10"


Alc-Tunnel-Group = "MyProvider1",

 The minimum required configuration is an LNS end-point called peer.


 Limitation : The peer address may never be an address of a direct connected interface

configure router l2tp Tunnels are configured


group "MyProvider1" create always under a tunnel group
tunnel "MyTunnel1" create
peer 192.168.4.2
no shutdown
exit MyTunnel1 has LNS end point 192.168.4.2.
tunnel "MyTunnel2" create The source of the tunnel is always are own system interface
peer 192.168.5.2
no shutdown
exit
no shutdown
exit
exit

156 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Tunnel Configuration : RADIUS returns all required parameters without TG

3) RADIUS returns all required parameters without tunnel-group

user10&skynet.be Auth-Type := Local, User-Password == “password10"

Tunnel-Assignment-Id:1 = MyTunnel1
Tunnel-Server-Endpoint:1 = 192.168.4.2
Tunnel-Assignment-Id:2 = MyTunnel2
Tunnel-Server-Endpoint:2 = 192.168.5.2

 Nothing in CLI required

 CLI assigns an operational Tunnel-group with the name “default_radius_group”


 Not intuitive when show commands are done… so there for next slide
show router l2tp group
=============================================================
L2TP Groups
=============================================================
Group Name State Tunnels Sessions
-------------------------------------------------------------
MyProvider1 active 2 0
default_radius_group active 2 0

157 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Tunnel Configuration : RADIUS returns all required parameters without TG

4) RADIUS returns all info without TG but + Tunnel-Assignment-Id:0 (7.0R2)

user10&skynet.be Auth-Type := Local, User-Password == “password10"


Tunnel-Assignment-Id:0 = MyProvider1_that_is_not_in_CLI
Tunnel-Assignment-Id:1 = MyTunnel1
Tunnel-Server-Endpoint:1 = 192.168.4.2
Tunnel-Assignment-Id:2 = MyTunnel2
Tunnel-Server-Endpoint:2 = 192.168.5.2

 Nothing in CLI required

 Tunnel-group name becomes the Tunnel-Assignment-Id:0 name

158 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
LAB

 Embedded L2TP lab-exercise executed on mobile lab.

 LAB1 : user1-5
 LAB2 : user 6-10

 LAB3 : user11-15

159 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Agenda

7. 7x50 Wholesale-Retail L2TP implementation.


a) General
b) CLI changes on LUDB/PPPoE/PPPoE-Policy
c) Tunnel configuration possibilities
a) LUDB and configured L2TP group
a) Clear / Tools / drain commands /Hello/idle-timeout

b) Tunnel selection / load balancing


c) Understanding tunnel-id/session-id
d) Security [tunnel-auth/AVP-hiding/anti-spoof/cpm-protection]
b) RADIUS
a) Radius returns tunnel-group that points to CLI configuration
b) Radius returns all parameters to setup tunnel
d) Miscellaneous (Wireshark , N2X , ….)

160 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Tunnel Configuration : LUDB points to a CLI created L2TP group

 configure router l2tp level


 Max box-wide number of L2TP sessions will be 128K

Total number of L2TP


sessions [1..131071]

Configure router ltp


no session-limit

No session-limit is the default


value and corresponds with
131071 or 128K-1

161 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Tunnel Configuration : LUDB points to a CLI created L2TP group
 configure router l2tp : group parameters Send AVP’s encrypted iso clear text.
No | sensitive | always
group "MyProvider1" create Default no : never
L2TP hello-keepalive
[ 60 – 3600s] | no no avp-hiding Enable MD5 tunnel authentication
Default no : infinite no challenge No | always
no description Default no : never
no destruct-timeout
Idle-timeout Keep tunnel/session information
[ 0 – 3600s] | no no hello-interval
during this configured timeout on
Default no : infinite no idle-timeout the moment of failure : debugging
no local-name purposes. [15s – 86400s] | no
Used in host-name AVP no max-retries-estab* Default no : 15s
in SCCRQ . Default is no max-retries-not-estab*
system name On session setup timeout retry by
no password
default 5 times [2..7] | no
no session-assign-method Default no: 5
no session-limit
MD5 password used for tunnel "MyTunnel1" create
tunnel authentication On tunnel setup timeout retry by
and AVP-hiding secret
exit default 5 times [2..7] | no
tunnel "MyTunnel2" create Default no : 5
exit
Maximum created tunnel "MyTunnel31" create Tunnel selection mechanism
tunnels/group is 31 incase we have more than one
exit
exit tunnel in this group
No | weighted
Maximum created group "MyProvider2" create
Default no = existing-first
groups is unlimited ? exit
group "MyProviderx" create Session-limit per group [1..131071] | no
Default no : 131071
162 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Tunnel Configuration : CLI

 configure router l2tp : group parameters


 Use the following command (7.0R2) to see these default values
 Group name is currently mandatory for detail info

show router l2tp group MyProvider1 detail


===============================================================================
Group Name : MyProvider1
Description : N/A
Local Name : N/A

Admin State : inService Operational State : active

Hello Interval (s): infinite Session Assignment: existing-first


Idle TO (s) : infinite Destruct TO (s) : 15
Max Retr Estab : 5 Max Retr Not Estab: 5
Session Limit : 131071 AVP Hiding : never
Time Last Mgmt Ch.: 03/15/2009 14:59:11 Challenge : never

163 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation Check every 1 minute if we have to
initiate tunnels ourselves and this
Tunnel Configuration : CLI without a trigger from the PPPoE
client side.
 configure router l2tp : tunnel parameters Tunnel state = EstablishedIdle when
tunnel is setup without sessions.
L2TP hello-keepalive
No | [ 60 – 3600s] | infinite
Default : no : take from Send AVP’s encrypted iso clear text.
group -> infinite No | never| sensitive | always
tunnel "MyTunnel1" create Default no : Take from group-> never
no auto-establish
A tunnel with sessions=0 no avp-hiding
Enable MD5 tunnel authentication
will be stopped when this no challenge No | never | always
configured timer expires : no description Default no : Take from group-> never
no | [0..3600s] | infinite no destruct-timeout
Default no : Take from
no hello-interval Keep tunnel/session information
group -> default infinite
no idle-timeout during this configured timeout on
no local-name the moment of failure : debugging
timeout retry : no | [2..7] no max-retries-estab purposes. [15s – 86400s] | no
Default no: taken from Default no : Take from group -> 15s
no max-retries-not-estab
group equal to 5
no peer
no preference Tunnel preference between no
| [0..16777215] where the lowest
Peer-address of LNS no remote-name number is more preferred.
Max number of CLI no password Default no preference = 50
checked is 16K today no session-limit
no shutdown If remote-name configured than it
Session-limit per tunnel exit needs to correspond with the
[1..65535] | no returned host-name AVP in the
Default no : 32767 SCCRP on tunnel setup.

164 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Tunnel Configuration : CLI

 configure router l2tp : tunnel parameters


 Use the following command to see these default values
show router l2tp tunnel detail
Number of session per tunnel was tested until 32K and
Connection ID : 944308224 is blocked in 7.0R1 to this value. CLI was not lined up
State : establishedIdle for this and values above 32K are accepted in CLI but
IP : 172.16.0.12 are topped at 32K in application.
Peer IP : 192.4.1.2 7.0R3 will be targeted at 64K/ tunnel and internal
Name : MyLac1 restriction will be removed.
Remote Name : MyRemoteLns1
Assignment ID : MyTunnel1
Group Name : MyProvider1
Error Message : N/A

Remote Conn ID : 4294180864


Tunnel ID : 14409 Remote Tunnel ID : 65524
UDP Port : 1701 Remote UDP Port : 1701
Preference : 50
Hello Interval (s): infinite
Idle TO (s) : infinite Destruct TO (s) : 15
Max Retr Estab : 5 Max Retr Not Estab: 5
Session Limit : 32767 AVP Hiding : never
Transport Type : udpIp Challenge : never
Time Started : 03/15/2009 15:00:15 Time Idle : N/A
Time Established : 03/15/2009 15:00:15 Time Closed : N/A
Stop CCN Result : noError General Error : noError

165 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Tunnel Configuration : debugging L2TP

Packets and Events can be debugged on different levels.


 L2TP level ( For all as seen on the here)
 Group level ( group name) debug
router "Base"
l2tp
 Peer level ( peer address) event
call-disconnect-notification
 assignment-id ( tunnel-name) finite-state-machine
stop-control-connection-notification
 Tunnel (connection-id) exit
packet direction both detail-level high
exit

exit

 Debug output example shows (0,7)


3 2009/03/12 10:23:19.58 GMT MINOR: DEBUG #2001 Base L2TP(v2, control)
"L2TP(v2, control): egress
UDP src 172.16.0.12:1701 dst 192.4.1.2:17*
tunnel 0 session 0, ns 0 nr 0, flags:, reserved=0 0: vendor-id and vendor-id
AVP MessageType(0,0), flags: mandatory, reserved=0 zero means that we have
StartControlConnectionRequest(1) standard AVP’s
AVP ProtocolVersion(0,2), flags: mandatory, reserved=0
version=1, revision=0
7: AVP nbr
AVP HostName(0,7), flags: mandatory, reserved=0
"MyLac1"

166 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Tunnel Configuration :

 LUDB

Description

Option 1A Service-name in LUDB : 1 Subscriber-id per LNS

Option 1B Full username in LUDB : LUDB requires all users !! (LNS does not used Proxy info)

Option 1C Domain-only in LUDB : 1 Subscriber-id per LNS

Option 1D Full username in LUDB : LUDB requires all users !! (LNS uses Proxy info)

Option 1E Full username in LUDB variant where LNS renegotiates CHAP iso received PAP

Next

167 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Tunnel Configuration
1) LUDB points to a CLI created L2TP group
Option 1A : Tunnel selection via LUDB : match service-name

pe2_l2tp_2.cfg
168 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Lab setup
MyProvider1

 General Lab setup with N2X as Client and LNS LNS 203/4 POOL
192.168.60.1
192.4.1.2
192.168.70.1
192.4.2.2
C2/RR2/ PE4
PE2 192.168.80.1
138.203.18.183 138.203.18.179
138.203.18.176 192.4.3.2
192.168.90.1
192.4.4.2
LAC
PPPoE client
IES
99999 1/1/2 1/1/1
1/1/1 1/1/8
203/1 MyProvider2
LUDB
LNS 203/4 POOL
192.168.160.1
OPTION-1A user2@skynet.be 192.5.1.2
192.168.170.1
192.5.2.2
192.168.180.1
192.5.3.2
192.168.190.1
192.5.4.2

169 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail OPION-1A *A:pe2.lab# configure subscriber-mgmt
local-user-db "MyLudb1" create
LUDB : match service-name description "Add text"
pppoe
match-list service-name
host "host1" create
 LUDB : 1 Entry per LNS host-identification
service-name "MyProvider1"
exit
 Service-name as match-condition identification-strings 254 create
subscriber-id "MySubMyProvider1"
*A:pe2.lab# sla-profile-string "DefSlaProfile"
configure service ies 99999 sub-profile-string "DefSubProfile"
subscriber-interface "MySubItf1" create exit
address 192.168.50.254/24 l2tp
group-interface "MyGrpItf1" create group "MyProvider1"
sap 1/1/1:1 create exit
sub-sla-mgmt options
def-sub-profile "DefSubProfile" dns-server 138.203.144.51
def-sla-profile "DefSlaProfile" exit
sub-ident-policy "sub_ident_all" no shutdown
multi-sub-sap 2000 exit
no shutdown host "host2" create
exit host-identification
exit service-name "MyProvider2"
pppoe exit
session-limit 10 identification-strings 254 create
sap-session-limit 10 subscriber-id "MySubMyProvider2"
user-db "MyLudb1" sla-profile-string "DefSlaProfile"
no shutdown sub-profile-string "DefSubProfile"
exit exit
exit l2tp
exit group "MyProvider2"
no shutdown Configure router l2tp exit
group "MyProvider1" create options
tunnel "MyTunnel1" create dns-server 138.203.144.51
auto-establish exit
peer 192.4.1.2 no shutdown
no shutdown exit
exit exit
exit no shutdown
exit exit
170 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-1A : Tunnel selection via LUDB : match service-name
 Setup N2X OPTION-1A user2@skynet.be

171 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-1A : Tunnel selection via LUDB : match service-name

PAP PAP
LAC RADIUS
Aggregation LNS
network IP/MPLS Internet
(optional)
BSAN

PADI, S-MAC 00:00:64:06:02:02,Session ID: 0x0000


,PPPoE tag: option: 0x101, 0x103
LUDB
PADO, Session ID: 0x0000
 L2TP Group
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
 MySubProvider1 Remark :
Discovery stage

PADR, Session ID: 0x0000 Session-Setup-Flow


PPPoE tag: option: 0x101,0x102, 0x103, 0x104
accounting Request : start
accounting Response
ICRQ
PADS, Session ID: 0x0001 ICRP
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
ZLB
ICCN
LCP session negotiation

ZLB
LCP Configuration Request
Session stage :

LCP Configuration Request : Auth protocol PAP


LCP Configuration Ack
PAP Authentication request
PAP Authentication Ack

172 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-1A : Tunnel selection via LUDB : match service-name
PAP
LAC RADIUS

PAP Aggregation LNS


network IP/MPLS Internet
(optional)
BSAN
IPCP Configure-request IP address: 192.168.60.1

IPCP Configure-request IP address: 0.0.0.0


IPCP Configure-Ack IP address: 192.168.60.1
Session stage :

IPCP Configure-Nack IP address: 192.168.60.2


IPCP

IPCP Configure-request IP address: 192.168.60.2


IPCP Configure-ack IP address: 192.168.60.2

LCP Echo Request


Keep-alive

LCP Echo Reply


Optional

LCP Echo Request

LCP Echo Reply

LCP Terminate Request


LCP Terminate Ack

CDN ( call Disconnect-Notification) + error code


PADT
Terminate
session

PADT
ZLB

accounting Request : stop


accounting Response

173 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-1A : Tunnel selection via LUDB : match service-name

show service id 99999 pppoe session detail  Setup N2X user2


=========================================================
PPPoE sessions for svc-id 99999
=========================================================  Radius users file : N/A
Sap Id Mac Address Sid Up Time IP/L2TP-Id Type
---------------------------------------------------------
1/1/1:1 00:00:64:06:02:02 1 0d 00:00:40 289112470 L2TP  30s E2E PPP keep alive used.
PPP User-Name : (Not Specified)
 Use debug ( user2 traced)
Subscriber-interface : MySubItf1
Group-interface : MyGrpItf1
 1 Subscriber with many hosts
Subscriber Origin : Local-User-Db
Strings Origin : Local-User-Db

Subscriber : "MySubMyProvider1"
Sub-Profile-String : "DefSubProfile"
SLA-Profile-String : "DefSlaProfile"
ANCP-String : "" show service active-subscribers
Int-Dest-Id : "" ======================================================
App-Profile-String : "" Active Subscribers
Category-Map-Name : "" ======================================================
Subscriber MySubMyProvider1 (DefSubProfile)
L2TP Group Name : MyProvider1 ------------------------------------------------------
L2TP Assignment ID : MyTunnel1 (1) SLA Profile Instance sap:1/1/1:1 - sla:DefSlaProfile
------------------------------------------------------
Circuit-Id : IP Address MAC Address PPPoE-SID Origin
Remote-Id : ------------------------------------------------------
Service-Name : MyProvider1 0.0.0.0 00:00:64:06:01:02 1 PPPoE
0.0.0.0 00:00:64:06:02:02 1 PPPoE
Session-Timeout : N/A
hosts ------------------------------------------------------
Radius Class : Number of active subscribers : 1
Radius User-Name :

174 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-1A : setup 1000 on sims

 Setup N2X user1-1000

 Radius users file : N/A

 30s E2E PPP keep alive used.

 Don’t judge the setup rate on SIM’s

*A:pe2.lab# show router l2tp peer *A:pe2.lab# show router l2tp statistics
==================================
=============================================
L2TP Peers L2TP Statistics
================================== ==============================================
Peer IP Role Tunnels Sessions Tunnels Sessions
----------------------------------- ---------------------------------------------
192.4.1.2 LAC 1 1000
192.5.1.2 LAC 1 0
Total : 290 Total : 16638
----------------------------------- Failed : 139 Failed : 4590
No. of peers: 2 Failed Aut : 0
Active : 2 Active : 1000
============================================

175 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Tunnel Configuration
1) LUDB points to a CLI created L2TP group
Option 1B : Tunnel selection via LUDB : match username

LNS does NOT uses LAC Proxy CONFREQ info

pe2_l2tp_2.cfg
176 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail: LNS does NOT uses LAC Proxy CONFREQ info
Option-1B : Tunnel selection via LUDB : match username

 LUDB : 1 Entry per User *A:pe2.lab# configure subscriber-mgmt


local-user-db "MyLudb2" create
description "Add text"
 User-name as match-condition pppoe
match-list username
host "host1" create
 pppoe-policy -> ppp-authentication pref-chap host-identification
username "user1@skynet.be"
exit
*A:pe2.lab#
password pap password1
configure service ies 99999
identification-strings 254 create
subscriber-interface "MySubItf1" create
subscriber-id "user1@skynet.be"
address 192.168.50.254/24
sla-profile-string "DefSlaProfile"
group-interface "MyGrpItf1" create
sub-profile-string "DefSubProfile"
sap 1/1/1:1 create
exit
sub-sla-mgmt
l2tp
def-sub-profile "DefSubProfile"
group "MyProvider1"
def-sla-profile "DefSlaProfile"
exit
sub-ident-policy "sub_ident_all"
no shutdown
multi-sub-sap 2000
exit
no shutdown
host "host2" create
exit
host-identification
exit
username "user2@skynet.be"
pppoe
exit
session-limit 10
password pap password1
sap-session-limit 10
identification-strings 254 create
user-db "MyLudb2"
subscriber-id "user2@skynet.be"
pppoe-policy default
sla-profile-string "DefSlaProfile"
no shutdown
sub-profile-string "DefSubProfile"
exit
exit
exit
l2tp
exit
group "MyProvider1"
no shutdown
exit
no shutdown
exit

177 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail: LNS does NOT uses LAC Proxy CONFREQ info
Option-1B : Tunnel selection via LUDB : match username
 Setup N2X OPTION-1A user2@skynet.be

178 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail: LNS does NOT uses LAC Proxy CONFREQ info
Option-1B : Tunnel selection via LUDB : match username

PAP PAP
LAC RADIUS
Aggregation LNS
network IP/MPLS Internet
(optional)
BSAN

PADI, S-MAC 00:00:64:06:02:02,Session ID: 0x0000


,PPPoE tag: option: 0x101, 0x103
LUDB
PADO, Session ID: 0x0000
 L2TP Group
Discovery stage

PPPoE tag: option: 0x101,0x102, 0x103, 0x104


 pap
PADR, Session ID: 0x0000 pppoe-policy default
PPPoE tag: option: 0x101,0x102, 0x103, 0x104 => ppp-authentication pref-chap
PADS, Session ID: 0x0001
PPPoE tag: option: 0x101,0x102, 0x103, 0x104

LCP Configuration Request : CHAP

LCP Configuration Request

LCP Configuration Nack : PAP


LCP session negotiation

LCP Configuration Ack


Session stage :

LCP Configuration Request : PAP

LCP Configuration Ack

179 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail: LNS does NOT uses LAC Proxy CONFREQ info
Option-1B : Tunnel selection via LUDB : match username

PAP
LAC RADIUS

PAP Aggregation LNS


network IP/MPLS Internet
(optional)
BSAN

PPP PAP authentication-Request


accounting Request : start
Discovery stage

accounting Response
Initial Received LCP Confreq
Last Received LCP Confreq ICRQ
Proxy Auth type ICRP
Proxy Auth name
ZLB
Proxy Auth ID
Proxy Auth Response ICCN
ZLB
LCP Configuration Request : Auth protocol PAP
START AGAIN LCP phase

LCP Configuration Ack


LCP Configuration Request
LCP Configuration Ack

PPP PAP authentication-Request


PPP PAP authentication-Ack

LNS-N2X does not support today PAP proxy-LCP-Confreq


and starts LCP config phase again.

180 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail: LNS does NOT uses LAC Proxy CONFREQ info
Option-1B : Tunnel selection via LUDB : match username
PAP
LAC RADIUS

PAP Aggregation LNS


network IP/MPLS Internet
(optional)
BSAN
IPCP Configure-request IP address: 192.168.60.1

IPCP Configure-request IP address: 0.0.0.0


IPCP Configure-Ack IP address: 192.168.60.1
Session stage :

IPCP Configure-Nack IP address: 192.168.60.7


IPCP

IPCP Configure-request IP address: 192.168.60.7


IPCP Configure-ack IP address: 192.168.60.7

LCP Echo Request


Keep-alive

LCP Echo Reply


Optional

LCP Echo Request

LCP Echo Reply

LCP Terminate Request


LCP Terminate Ack

CDN ( call Disconnect-Notification) + error code


PADT
Terminate
session

PADT
ZLB

accounting Request : stop


accounting Response

181 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail: LNS does NOT uses LAC Proxy CONFREQ info
Option-1B : Tunnel selection via LUDB : match username

show service id 99999 pppoe session detail  Setup N2X user2


=========================================================
PPPoE sessions for svc-id 99999
=========================================================  Radius users file : N/A
Sap Id Mac Address Sid Up Time IP/L2TP-Id Type
---------------------------------------------------------
1/1/1:1 00:00:64:06:02:02 1 0d 00:03:47 798065074 L2TP  30s E2E PPP keep alive used.
PPP User-Name : user2@skynet.be
 Use debug ( user2 traced)
Subscriber-interface : MySubItf1
Group-interface : MyGrpItf1 *A:pe2.lab# show service active-subscribers
==================================================
Subscriber Origin : Local-User-Db Active Subscribers
Strings Origin : Local-User-Db ==================================================
Subscriber user1@skynet.be (DefSubProfile)
Subscriber : "user2@skynet.be" --------------------------------------------------
Sub-Profile-String : "DefSubProfile" (1) SLA Profile Instance sap:1/1/1:1 -
SLA-Profile-String : "DefSlaProfile" sla:DefSlaProfile
ANCP-String : "" -------------------------------------------------
Int-Dest-Id : "" IP Address MAC Address PPPoE-SID Origin
App-Profile-String : "" --------------------------------------------------
Category-Map-Name : "" 0.0.0.0 00:00:64:06:01:02 1 PPPoE
--------------------------------------------------
L2TP Group Name : MyProvider1 Subscriber user2@skynet.be (DefSubProfile)
L2TP Assignment ID : MyTunnel1 -------------------------------------------------
(1) SLA Profile Instance sap:1/1/1:1 -
Circuit-Id : sla:DefSlaProfile
Remote-Id : --------------------------------------------------
Service-Name : MyProvider1 IP Address MAC Address PPPoE-SID Origin
--------------------------------------------------
Session-Timeout : N/A 0.0.0.0 00:00:64:06:02:02 1 PPPoE
Radius Class : --------------------------------------------------
Radius User-Name : Number of active subscribers : 2

182 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Tunnel Configuration
1) LUDB points to a CLI created L2TP group
Option 1C : Tunnel selection via LUDB : username domain only

LNS does NOT uses LAC Proxy CONFREQ info

pe2_l2tp_2.cfg
183 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail: LNS does NOT uses LAC Proxy CONFREQ info
Option-1C : Tunnel selection via LUDB : match username domain-only

 LUDB : 1 Entry per LNS *A:pe2.lab# configure subscriber-mgmt


local-user-db "MyLudb3" create
description "Add text"
 Domain as match-condition pppoe
match-list username
host "host1" create
 Ignore password host-identification
username skynet.be domain-only
exit
*A:pe2.lab#
password ignore
configure service ies 99999
identification-strings 254 create
subscriber-interface "MySubItf1" create
subscriber-id “MySubProvider1”
address 192.168.50.254/24
sla-profile-string "DefSlaProfile"
group-interface "MyGrpItf1" create
sub-profile-string "DefSubProfile"
sap 1/1/1:1 create
exit
sub-sla-mgmt
l2tp
def-sub-profile "DefSubProfile"
group "MyProvider1"
def-sla-profile "DefSlaProfile"
exit
sub-ident-policy "sub_ident_all"
no shutdown
multi-sub-sap 2000
exit
no shutdown
host "host2" create
exit
host-identification
exit
username “Belgacom.be” domain-only
pppoe
exit
session-limit 10
password ignore
sap-session-limit 10
identification-strings 254 create
user-db "MyLudb3"
subscriber-id “MySubProvider2”
pppoe-policy default
sla-profile-string "DefSlaProfile"
no shutdown
sub-profile-string "DefSubProfile"
exit
exit
exit
l2tp
exit
group "MyProvider2"
no shutdown
exit
no shutdown
exit

184 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Lab setup
MyProvider1

 General Lab setup with N2X as Client and LNS LNS 203/4 POOL
user1@skynet.be 192.168.60.1
 4 users , 2 domains user2@skynet.be 192.4.1.2
192.168.70.1
192.4.2.2
C2/RR2/ PE4
PE2 192.168.80.1
138.203.18.183 138.203.18.179
138.203.18.176 192.4.3.2
192.168.90.1
192.4.4.2
LAC
PPPoE client
IES
99999 1/1/2 1/1/1
1/1/1 1/1/8
203/1 MyProvider2
LUDB
user1@skynet.be LNS 203/4 POOL
192.168.160.1
user2@skynet.be 192.5.1.2
192.168.170.1
user100@Belgacom.be 192.5.2.2
192.168.180.1
user101@Belgacom.be user100@Belgacom.be
192.5.3.2
user101@Belgacom.be
192.168.190.1
192.5.4.2

185 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail: LNS does NOT uses LAC Proxy CONFREQ info
Option-1C : Tunnel selection via LUDB : match username domain-only

show service id 99999 pppoe session detail  Setup 2 users per domain
==========================================================
PPPoE sessions for svc-id 99999
==========================================================  Radius users file : N/A
Sap Id Mac Address Sid Up Time IP/L2TP-Id Type
----------------------------------------------------------
1/1/1:1 00:00:64:07:01:02 1 0d 00:20:26 1039365142 L2TP  30s E2E PPP keep alive used.

PPP User-Name : user100@Belgacom.be


 Use debug : same as option-1B
Subscriber-interface : MySubItf1
Group-interface : MyGrpItf1
show service active-subscribers
=========================================================
Subscriber Origin : Local-User-Db
Active Subscribers
Strings Origin : Local-User-Db
=========================================================
Subscriber MySubMyProvider1 (DefSubProfile)
Subscriber : "MySubMyProvider2"
----------------------------------------------------------
Sub-Profile-String : "DefSubProfile"
(1) SLA Profile Instance sap:1/1/1:1 - sla:DefSlaProfile
SLA-Profile-String : "DefSlaProfile"
----------------------------------------------------------
ANCP-String : ""
IP Address MAC Address PPPoE-SID Origin
Int-Dest-Id : ""
-------------------------------------------------------
App-Profile-String : ""
0.0.0.0 00:00:64:06:01:02 1 PPPoE
Category-Map-Name : ""
0.0.0.0 00:00:64:06:02:02 1 PPPoE
---------------------------------------------------------
L2TP Group Name : MyProvider2
Subscriber MySubMyProvider2 (DefSubProfile)
L2TP Assignment ID : MyTunnel1
--------------------------------------------------------
(1) SLA Profile Instance sap:1/1/1:1 - sla:DefSlaProfile
Circuit-Id :
---------------------------------------------------------
Remote-Id :
IP Address MAC Address PPPoE-SID Origin
Service-Name : MyProvider2
-------------------------------------------------------
0.0.0.0 00:00:64:07:01:02 1 PPPoE
Session-Timeout : N/A
0.0.0.0 00:00:64:07:02:02 1 PPPoE
Radius Class :
---------------------------------------------------------
Radius User-Name :
Number of active subscribers : 2

186 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail: LNS does NOT uses LAC Proxy CONFREQ info
Option-1C : Tunnel selection via LUDB : match username domain-only

 4 sessions where setup on previous slide.

show router l2tp session


===============================================================================
L2TP Session Summary
===============================================================================
ID Control Conn ID Tunnel-ID Session-ID State
-------------------------------------------------------------------------------
366026664 366018560 5585 8104 established
366068006 366018560 5585 49446 established
1039365142 1039335424 15859 29718 established
1039372620 1039335424 15859 37196 established
-------------------------------------------------------------------------------
No. of sessions: 4

187 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Tunnel Configuration
1) LUDB points to a CLI created L2TP group
Option 1D : Tunnel selection via LUDB : username

LNS uses LAC Proxy CONFREQ info

pe2_l2tp_2.cfg
188 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail: LNS uses LAC Proxy CONFREQ info
Option-1D : Tunnel selection via LUDB : match username

 LUDB : 1 Entry per User *A:pe2.lab# configure subscriber-mgmt


local-user-db "MyLudb2" create
description "Add text"
 User-name as match-condition pppoe
match-list username
host "host1" create
 pppoe-policy -> ppp-authentication pref-chap host-identification
username "user1@skynet.be"
exit
*A:pe2.lab#
password pap password1
configure service ies 99999
identification-strings 254 create
subscriber-interface "MySubItf1" create
subscriber-id "user1@skynet.be"
address 192.168.50.254/24
sla-profile-string "DefSlaProfile"
group-interface "MyGrpItf1" create
sub-profile-string "DefSubProfile"
sap 1/1/1:1 create
exit
sub-sla-mgmt
l2tp
def-sub-profile "DefSubProfile"
group "MyProvider1"
def-sla-profile "DefSlaProfile"
exit
sub-ident-policy "sub_ident_all"
no shutdown
multi-sub-sap 2000
exit
no shutdown
host "host2" create
exit
host-identification
exit
username "user2@skynet.be"
pppoe
exit
session-limit 10
password pap password1
sap-session-limit 10
identification-strings 254 create
user-db "MyLudb2"
subscriber-id "user2@skynet.be"
pppoe-policy default
sla-profile-string "DefSlaProfile"
no shutdown
sub-profile-string "DefSubProfile"
exit
exit
exit
l2tp
exit
group "MyProvider1"
no shutdown
exit
no shutdown
exit

189 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail: LNS uses LAC Proxy CONFREQ info
Option-1D : Tunnel selection via LUDB : match username

PAP
LAC RADIUS

PAP Aggregation LNS


network IP/MPLS Internet
(optional)
BSAN

PADI, S-MAC 00:00:64:06:02:02,Session ID: 0x0000


,PPPoE tag: option: 0x101, 0x103
LUDB
PADO, Session ID: 0x0000
 L2TP Group
Discovery stage

PPPoE tag: option: 0x101,0x102, 0x103, 0x104


 pap
PADR, Session ID: 0x0000 pppoe-policy default
PPPoE tag: option: 0x101,0x102, 0x103, 0x104 => ppp-authentication pref-chap
PADS, Session ID: 0x0001
PPPoE tag: option: 0x101,0x102, 0x103, 0x104

LCP Configuration Request : CHAP

LCP Configuration Request

LCP Configuration Nack : PAP


LCP session negotiation

LCP Configuration Ack


Session stage :

LCP Configuration Request : PAP

LCP Configuration Ack

190 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail: LNS uses LAC Proxy CONFREQ info
Option-1D : Tunnel selection via LUDB : match username

PAP
LAC RADIUS

PAP Aggregation LNS


network IP/MPLS Internet
(optional)
BSAN

PPP PAP authentication-Request


accounting Request : start
Discovery stage

accounting Response
Initial Received LCP Confreq
Last Received LCP Confreq ICRQ
Proxy Auth type ICRP
Proxy Auth name
ZLB
Proxy Auth ID
Proxy Auth Response ICCN
ZLB
LCP Configuration Request : Auth protocol PAP

That’s how it should work but N2X does not


N2X dos not support this support this
currently
PPP PAP authentication-Ack

191 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail: LNS uses LAC Proxy CONFREQ info
Option-1D : Tunnel selection via LUDB : match username
PAP
LAC RADIUS

PAP Aggregation LNS


network IP/MPLS Internet
(optional)
BSAN
IPCP Configure-request IP address: 192.168.60.1

IPCP Configure-request IP address: 0.0.0.0


IPCP Configure-Ack IP address: 192.168.60.1
Session stage :

IPCP Configure-Nack IP address: 192.168.60.7


IPCP

IPCP Configure-request IP address: 192.168.60.7


IPCP Configure-ack IP address: 192.168.60.7

LCP Echo Request


Keep-alive

LCP Echo Reply


Optional

LCP Echo Request

LCP Echo Reply

LCP Terminate Request


LCP Terminate Ack

CDN ( call Disconnect-Notification) + error code


PADT
Terminate
session

PADT
ZLB

accounting Request : stop


accounting Response

192 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Tunnel Configuration
1) LUDB points to a CLI created L2TP group
Option 1E : Tunnel selection via LUDB : username

LNS uses CHAP where LAC used PAP

pe2_l2tp_2.cfg
193 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail: LNS uses CHAP where LAC used PAP
Option-1E : Tunnel selection via LUDB : match username

 LUDB : 1 Entry per User *A:pe2.lab# configure subscriber-mgmt


local-user-db "MyLudb2" create
description "Add text"
 User-name as match-condition pppoe
match-list username
host "host1" create
 pppoe-policy -> ppp-authentication pap host-identification
username "user1@skynet.be"
exit
*A:pe2.lab#
password pap password1
configure service ies 99999
identification-strings 254 create
subscriber-interface "MySubItf1" create
subscriber-id "user1@skynet.be"
address 192.168.50.254/24
sla-profile-string "DefSlaProfile"
group-interface "MyGrpItf1" create
sub-profile-string "DefSubProfile"
sap 1/1/1:1 create
exit
sub-sla-mgmt
l2tp
def-sub-profile "DefSubProfile"
group "MyProvider1"
def-sla-profile "DefSlaProfile"
exit
sub-ident-policy "sub_ident_all"
no shutdown
multi-sub-sap 2000
exit
no shutdown
host "host2" create
exit
host-identification
exit
username "user2@skynet.be"
pppoe
exit
session-limit 10
password pap password1
sap-session-limit 10
identification-strings 254 create
user-db "MyLudb2"
subscriber-id "user2@skynet.be"
pppoe-policy MyPolicy1
sla-profile-string "DefSlaProfile"
no shutdown
sub-profile-string "DefSubProfile"
exit
exit
exit
l2tp
exit
group "MyProvider1"
no shutdown
exit
no shutdown
exit

194 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail: LNS uses CHAP where LAC used PAP
Option-1E : Tunnel selection via LUDB : match username
 Setup N2X user1@skynet.be

195 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail: LNS uses CHAP where LAC used PAP
Option-1E : Tunnel selection via LUDB : match username
PAP or CHAP PAP CHAP

LAC RADIUS
Aggregation LNS
network IP/MPLS Internet
(optional)
BSAN

PADI, S-MAC 00:00:64:06:02:02,Session ID: 0x0000


,PPPoE tag: option: 0x101, 0x103
LUDB
PADO, Session ID: 0x0000
 L2TP Group
Discovery stage

PPPoE tag: option: 0x101,0x102, 0x103, 0x104


 pap
PADR, Session ID: 0x0000 pppoe-policy default
PPPoE tag: option: 0x101,0x102, 0x103, 0x104 => ppp-authentication pref-chap
PADS, Session ID: 0x0001
PPPoE tag: option: 0x101,0x102, 0x103, 0x104

LCP Configuration Request : PAP

LCP Configuration Request


LCP Configuration Ack
LCP Configuration Ack
LCP session negotiation
Session stage :

196 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail: LNS uses CHAP where LAC used PAP
Option-1E : Tunnel selection via LUDB : match username

PAP
LAC RADIUS

PAP Aggregation LNS


network IP/MPLS Internet
(optional)
BSAN

PPP PAP authentication-Request


accounting Request : start
Discovery stage

accounting Response
Initial Received LCP Confreq
Last Sent LCP Confreq ICRQ
Last Received LCP Confreq ICRP
Proxy Auth type
ZLB
Proxy Auth name
Proxy Auth ID ICCN
Proxy Auth Response ZLB
LCP Configuration Request : Auth protocol CHAP
LCP Configuration Ack
LCP Configuration Request
LCP Configuration Ack

PPP CHAP Challence


PPP CHAP response

PPP CHAP success

197 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail: LNS uses CHAP where LAC used PAP
Option-1E : Tunnel selection via LUDB : match username
PAP
LAC RADIUS

PAP Aggregation LNS


network IP/MPLS Internet
(optional)
BSAN
IPCP Configure-request IP address: 192.168.60.1

IPCP Configure-request IP address: 0.0.0.0


IPCP Configure-Ack IP address: 192.168.60.1
Session stage :

IPCP Configure-Nack IP address: 192.168.60.7


IPCP

IPCP Configure-request IP address: 192.168.60.7


IPCP Configure-ack IP address: 192.168.60.7

LCP Echo Request


Keep-alive

LCP Echo Reply


Optional

LCP Echo Request

LCP Echo Reply

LCP Terminate Request


LCP Terminate Ack

CDN ( call Disconnect-Notification) + error code


PADT
Terminate
session

PADT
ZLB

accounting Request : stop


accounting Response

198 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail: LNS uses CHAP where LAC used PAP
Option-1E : Tunnel selection via LUDB : match username

show service id 99999 pppoe session detail  Setup N2X user1


=========================================================
PPPoE sessions for svc-id 99999
=========================================================  Radius users file : N/A
Sap Id Mac Address Sid Up Time IP/L2TP-Id Type
---------------------------------------------------------
1/1/1:1 00:00:64:06:01:02 1 0d 00:03:47 798065074 L2TP  30s E2E PPP keep alive used.
PPP User-Name : user1@skynet.be

Subscriber-interface : MySubItf1
Group-interface : MyGrpItf1

Subscriber Origin : Local-User-Db


Strings Origin : Local-User-Db

Subscriber : "user1@skynet.be"
Sub-Profile-String : "DefSubProfile"
SLA-Profile-String : "DefSlaProfile"
ANCP-String : ""
Int-Dest-Id : "" *A:pe2.lab# show service active-subscribers
App-Profile-String : "" ==================================================
Category-Map-Name : "" Active Subscribers
==================================================
L2TP Group Name : MyProvider1 Subscriber user1@skynet.be (DefSubProfile)
L2TP Assignment ID : MyTunnel1 --------------------------------------------------
(1) SLA Profile Instance sap:1/1/1:1 -
Circuit-Id : sla:DefSlaProfile
Remote-Id : -------------------------------------------------
Service-Name : MyProvider1 IP Address MAC Address PPPoE-SID Origin
--------------------------------------------------
Session-Timeout : N/A 0.0.0.0 00:00:64:06:01:02 1 PPPoE
Radius Class : --------------------------------------------------
Radius User-Name :

199 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Agenda

7. 7x50 Wholesale-Retail L2TP implementation.


a) General
b) CLI changes on LUDB/PPPoE/PPPoE-Policy
c) Tunnel configuration possibilities
a) LUDB and configured L2TP group
a) Clear / Tools /Hello/idle-timeout/drain commands

b) Tunnel selection / load balancing


c) Understanding tunnel-id/session-id
d) Security [tunnel-auth/AVP-hiding/anti-spoof/cpm-protection]
b) RADIUS
a) Radius returns tunnel-group that points to CLI configuration
b) Radius returns all parameters to setup tunnel
d) Miscellaneous (Wireshark , N2X , ….)

200 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
CLI : L2TP Clear commands are always related to statistics.

 Example : Clear counters and initiate 1 tunnel. show router l2tp tunnel statistics detail
L2TP Tunnel Statistics
===========================================
Connection ID: 712704000
 clear router l2tp tunnel 712704000 statistics -------------------------------------------
Attempts Failed Active Total
 show router l2tp tunnel statistics detail  -------------------------------------------
Sessions 0 0 0 0
SCCRQ -------------------------------------------
SCCRP Rx Tx
Does not show Tx-Rx ----------------------------
SCCCN Ctrl Packets 2 2
counters but number of
ZLB Ctrl Octets 76 125
tunnels / sessions Error Packets 0 0

 clear router l2tp statistics  clear router l2tp group MyProvider1 statistics
show router l2tp statistics show router l2tp group MyProvider1 statistics

L2TP Statistics Group Name: MyProvider1


==================================== --------------------------------------------------------
Tunnels Sessions Attempts Failed Failed-Aut Active Total
------------------------------------ --------------------------------------------------------
Total : 1 Total : 0 Tunnels 1 0 0 1 1
Failed : 0 Failed : 0 Sessions 0 0 N/A 0 0
Failed Auth : 0 --------------------------------------------------------
Active : 1 Active : 1 Pkt-Ctl Pkt-Err Octets
-------------------------------------------------
Rx 2 0 76
 Remark : No individual statistics Tx 2 0 125

per control message ***

201 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
CLI : Clear commands for sessions .

How can we clear a session?


*A:pe2.lab# show service id 99999 pppoe session type l2tp

===============================================================================
PPPoE sessions for svc-id 99999
===============================================================================
Sap Id Mac Address Sid Up Time IP/L2TP-Id Type
-------------------------------------------------------------------------------
1/1/1:1 00:00:64:06:02:02 1 0d 00:10:44 396919486 L2TP**
-------------------------------------------------------------------------------
Number of sessions : 1

 clear service id 99999 pppoe session mac 00:00:64:06:01:02 sap-id 1/1/1:1 session-id 1

 clear service id 99999 pppoe session all

 clear service id 99999 pppoe session sap-id 1/1/1:1 type l2tp

Remark : OR … stop a tunnel with the tools command … next slide

202 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Tool commands: start/stop/drain

 Trigger an attempt to start / stop the control connection for this L2TP tunnel.
 Start: Useful test command for L2TP tunnel which are not auto-established.
tools perform router l2tp group my_group1 tunnel my_tunnel1 start

 Stop : Tunnel and all related sessions will be removed ( send stopCCN + PADT/session)

tools perform router l2tp tunnel <connection-id> stop ***

 Trigger an attempt to drain this L2TP tunnel group or L2TP peer


 Don’t create new sessions for a destination but the leave the current ones intact.
 Elaborate later on this.
tools perform router l2tp group my_group1 drain

tools perform router l2tp peer a.b.c.d drain

203 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
PPPoE session creation failures example-1

Example of Unsuccessful tunnel setup because LNS does not reply.

 Use tools command to trigger setup ( send StartControlConnectionRequest )


tools perform router l2tp group my_group1 tunnel my_tunnel1 start

 Debug info** : Retry max-retries-not-estab ( default 5 ) if no reply from LNS.

7 2000/01/01 19:48:35.93 GMT MINOR: DEBUG #2001 Base L2TP(v2)


"L2TP(v2): UDP src 0.0.0.0:1701 dst 192.4.1.2:1701
connection 496697344 (tunnel-id 7579)
result-code=generalError error-code=vendorSpecificErrorInLac
error-msg=connection with peer lost"
Configure router l2tp
group "MyProvider1" create
tunnel "MyTunnel1" create
max-retries-not-estab[2..7]
peer 192.4.1.2
 Log-id 99 info : Trap shows the state-machine no shutdown
exit

2 2000/01/01 19:54:41.80 GMT WARNING: SYSTEM #2006 Base L2TP


"State of L2TP tunnel 1:249954304 changed to waitReply configuration modified"

3 2000/01/01 19:55:13.03 GMT WARNING: SYSTEM #2006 Base L2TP


"State of L2TP tunnel 1:249954304 changed to closed configuration modified"

204 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
PPPoE session creation failures example-2

 Tunnel group in shutdown.

086 2009/02/03 13:23:03.36 GMT WARNING: PPPOE #2001 Base PPPoE session failure

"PPPoE session failure on SAP 1/1/1:1 in service 99999 - Cannot connect L2TP: configuredTunnelGroupIsShutdown"

configure router l2tp group MyProvider2 no shutdown

Remark
 Tunnel in shutdown when new session is setup.
– Failure code returned is “L2TP invalid parameter”
– Will be changed in upcoming maintenance release to more intuitive error.
 Tools tunnel Stop <> tunnel shutdown . Shutdown on a configured tunnel indicates that
the configured tunnel should not be taken to create new instances. It doesn’t have
influence on existing tunnel instances ( sessions).

205 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
L2TP : Hello-timer
 RFC : A keep-alive mechanism is employed by L2TP in order to differentiate
tunnel outages from extended periods of no control or data activity on a
tunnel.

 RFC: Accomplished by injecting Hello control messages after a specified period


of time has elapsed since the last data or control message (ZLB not included)
was received on a tunnel. LNS
Hello
 Hello packets are used as L2TP tunnel keep-alive packets ZLB
Hello
 Default : No hello. ZLB Example

1s
Hello
Example ZLB
Overwrites group level
Configure router l2tp 60s
timer of 3333 and send Hello
group "MyProvider1" every 60 seconds a ZLB
hello-interval 3333 hello
tunnel "MyTunnel1"
Hello
hello-interval 60
ZLB

 7x50 will use optimisation as in the RFC and will not initiate hello’s if
session control traffic is handled over this tunnel.***
206 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
L2TP : idle-timeout

Question :

 Can we setup a tunnel prior without a trigger from a client?

 Yes , we can use a tools command or auto-establish command.

Question :
 What happens if the last session of a tunnel is removed?
Configure router l2tp
1. The tunnel stays up but goes to state established-idle group "MyProvider1"
=> Default configuration idle-timeout infinite

Configure router l2tp


2. The tunnel is brought down immediately group "MyProvider1"
idle-timeout 0

Configure router l2tp


3. The tunnel stays up for well defined time of max 1H group "MyProvider1"
idle-timeout 3600

207 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
L2TP : idle-timeout

 Example idle-time-out 10s Configure router l2tp


group "MyProvider1"
idle-timeout 10

show router l2tp tunnel detail


===============================================================================
L2TP Tunnel Status
===============================================================================
Connection ID : 512294912
State : closed
IP : 0.0.0.0
Peer IP : 192.4.1.2
Name : MyLac1
Remote Name : MyRemoteLns1
Assignment ID : MyTunnel1
Group Name : MyProvider1
Error Message : idle timeout (10 seconds) expired

Remote Conn ID : 4294836224


Tunnel ID : 7817 Remote Tunnel ID : 65534
UDP Port : 1701 Remote UDP Port : 1701
Preference : 50
Hello Interval (s): 3333
Idle TO (s) : 10 Destruct TO (s) : 15
Max Retr Estab : 7 Max Retr Not Estab: 5
Session Limit : 65535 AVP Hiding : never
Transport Type : udpIp Challenge : never
Time Started : 02/20/2009 15:11:30 Time Idle : N/A
Time Established : 02/20/2009 15:11:30 Time Closed : 02/20/2009 15:11:40
Stop CCN Result : generalReq General Error : noError

208 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
1) Drain peer

Purpose : Don’t create new sessions for a destination but the leave the current
sessions intact. 192.4.1.2
tunnel group MyProvider1
Example : Maintenance required on MyTunnel1 2 stable sessions
LAC
 Tunnel group MyProvider1 has 2 peers. Provider1

 2 sessions are setup over MyTunnel1 MyTunnel2


192.4.2.2

group "MyProvider1" create


tunnel "MyTunnel1"
show router l2tp tunnel auto-establish
========================================================= peer 192.4.1.2
Conn ID Loc-Tu-ID Rem-Tu-ID State Sessions
no shutdown
Group
Assignment exit
--------------------------------------------------------- tunnel "MyTunnel2"
700645376 10691 65534 established 2 auto-establish
MyProvider1 peer 192.4.2.2
MyTunnel1 no shutdown
81461248 1243 65533 establishedIdle 0
exit
MyProvider1
MyTunnel2

209 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
1) Drain peer CON’T

 Put Mytunnel1 in drain so NO new sessions will be selected over MyTunnel1

tools perform router l2tp peer 192.4.1.2 [no] drain


192.4.1.2
tunnel group MyProvider1
2 stable sessions
LAC
Provider1
MyTunnel2

 The extra session will select now MyTunnel2 new sessions


192.4.2.2
show router l2tp tunnel
=========================================================
Conn ID Loc-Tu-ID Rem-Tu-ID State Sessions
Group
Assignment
---------------------------------------------------------
700645376 10691 65534 draining 2
MyProvider1
MyTunnel1 State will change to drained
81461248 1243 65533 established 1 after all sessions are
MyProvider1 released over this peer
MyTunnel2 192.4.1.2

210 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
1) Drain peer CON’T

 Draining indication in command show router l2tp peer 192.4.1.2


show router l2tp peer 192.4.1.2
 New session over other =====================================================
Peer IP: 192.4.1.2
tunnel not shown here. =====================================================
Role : LAC Draining : true
Tunnels : 1 Tunnels Active : 1
Sessions : 2 Sessions Active : 2
Unreachable : false Time Unreachable : N/A
Remark =====================================================
Conn ID Loc-Tu-ID Rem-Tu-ID State Sessions
 Drained peer is not Group
Assignment
selected as last resort in -----------------------------------------------------
700645376 0691 65534 draining 2
case MyTunnel2 is not MyProvider1
available. MyTunnel1
-----------------------------------------------------
No. of tunnels: 1

2 2009/02/04 12:20:09.93 GMT WARNING: PPPOE #2001 Base PPPoE session failure

"PPPoE session failure on SAP 1/1/1:1 in service 99999 - [00:00:64:06:03:02,1,user3@skynet.be] L2TP session
closed: noTunnelAvailable"

211 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
2) Drain Tunnel group

Purpose : Don’t create new sessions for a complete tunnel group but the leave
the current sessions intact. 192.4.1.2
tunnel group MyProvider1
Example : 2 stable sessions
LAC
 Tunnel group MyProvider1 has 2 peers. Provider1

 2 sessions are setup over MyTunnel1 MyTunnel2


192.4.2.2

group "MyProvider1" create


tunnel "MyTunnel1"
show router l2tp tunnel auto-establish
========================================================= peer 192.4.1.2
Conn ID Loc-Tu-ID Rem-Tu-ID State Sessions
no shutdown
Group
Assignment exit
--------------------------------------------------------- tunnel "MyTunnel2"
700645376 10691 65534 established 2 auto-establish
MyProvider1 peer 192.4.2.2
MyTunnel1 no shutdown
81461248 1243 65533 establishedIdle 0
exit
MyProvider1
MyTunnel2

212 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
2) Drain Tunnel group CON’T

 Put group MyProvider1 in drain so no new sessions will be selected to this ISP.
tools perform router l2tp group MyProvider1 [no] drain
192.4.1.2
tunnel group MyProvider1
 Impossible to create NEW sessions anymore
2 stable sessions
towards Provider1. LAC
Provider1
 Question : When will this be used ? MyTunnel2

show router l2tp group 192.4.2.2


======================================== NO new sessions
L2TP Groups
========================================
Group Name State Tunnels Sessions
----------------------------------------
MyProvider1
drain 2 2
MyProvider2 State will change to drained
active 0 0 after all sessions are
--------------------------------------- released over this peer
No. of L2TP Groups: 2 192.4.1.2

213 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Agenda

7. 7x50 Wholesale-Retail L2TP implementation.


a) General
b) CLI changes on LUDB/PPPoE/PPPoE-Policy
c) Tunnel configuration possibilities + LAB
a) LUDB and configured L2TP group
a) Clear / Tools /Hello/idle-timeout drain commands

b) Tunnel selection / load balancing


c) Understanding tunnel-id/session-id
d) Security [tunnel-auth/AVP-hiding/anti-spoof/cpm-protection]
b) RADIUS
a) Radius returns tunnel-group that points to CLI configuration
b) Radius returns all parameters to setup tunnel
d) Miscellaneous (Wireshark , N2X , ….)

215 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation.
Tunnel selection aka tunnel loadbalancing

 Find a Tunnel-group.

 Connect to a tunnel in the tunnel-group with the numeric lowest preference.

 If more than one tunnel with same preference exists than 2 CLI options :

1) session-assign-method (Alc-Tunnel-Algorithm ) = existing-first ( DEFAULT )


Configure router l2tp
group "MyProvider1” RADIUS users
session-assign-method existing-first
tunnel "MyTunnel1" Tunnel-Server-Endpoint = 192.4.1.2,
peer 192.4.1.2 Alc-Tunnel-Algorithm = existing-first
exit
tunnel "MyTunnel2“

2) session-assign-method (Alc-Tunnel-Algorithm ) = weighted


Configure router l2tp
group "MyProvider1” RADIUS users
session-assign-method weighted
tunnel "MyTunnel1" Tunnel-Server-Endpoint = 192.4.1.2,
peer 192.4.1.2 Alc-Tunnel-Algorithm = weighed-access
exit
tunnel "MyTunnel2“

216 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation.
Tunnel selection aka tunnel loadbalancing

1. session-assign-method (Alc-Tunnel-Algorithm ) = existing-first (DEFAULT)


 If a tunnel already exists and is not full then this one is taken.
 else select next tunnel that already and is not full
 else select not pre-signaled that is not full yet.
 else move to next lower preference level and repeat steps ( higher preference value).
 Example next slide.
2. session-assign-method (Alc-Tunnel-Algorithm ) = weighted
 If for one of destinations no tunnel exists yet : this one is tried first.
 else select pre-signaled tunnel which has the lowest relative filling level.
 else move to next lower preference level and repeat steps ( higher preference value).
 Example next slide

!!! Tunnel 5min* removed from selection on unsuccessful setup. (Unreachable)

217 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Tunnel selection aka tunnel load balancing auto-establish

No auto-establish
1) session-assign-method existing-first

 Animation example Preference 10 Pools


MyTunnel1 session-limit=2 192.168.60.2
MyTunnel2 session-limit=1 192.168.70.2
MyTunnel3 session-limit=2 192.168.80.2
MyTunnel4 session-limit=2 192.168.90.2
Preference 20
L2TP group MyProvider1

3)Conn
1)Conn
0)Conn
2)Conn ID
4)Conn
5)Conn
6)Conn ID Loc-Tu-ID Rem-Tu-ID
Loc-Tu-ID Rem-Tu-ID State
State Sessions
Sessions
Group
Group
 Show router l2tp Assignment
Assignment
tunnel --------------------------------------------------------
--------------------------------------------------------
-------------------------------------------------------
402980864
402980864 6149
6149 65534
65534 established
established
establishedIdle 2
1
0
2
6149 65534 established
MyProvider1
MyProvider1
MyTunnel1
MyTunnel1
181796864
181796864 2774
2774 65534
65534 establishedIdle
established
established 0
1
MyProvider1
MyProvider1
MyTunnel2
MyTunnel2
350027776 5341
5341 65534
65534 established
established 1
2
MyProvider1
MyTunnel3
926744576 14141 65534 established 1
MyProvider1
MyTunnel4 Animated
slide

218 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Tunnel selection aka tunnel load balancing auto-establish

No auto-establish
2) session-assign-method weighted

 Animation example Preference 10 Pools


MyTunnel1 session-limit=2 192.168.60.2
MyTunnel2 session-limit=1 192.168.70.2
MyTunnel3 session-limit=2 192.168.80.2
MyTunnel4 session-limit=2 192.168.90.2
Preference 20
L2TP group MyProvider1

4)Conn
1)Conn
5)Conn
Conn
6)Conn
2)Conn
3)ConnIDID Loc-Tu-ID Rem-Tu-ID
Rem-Tu-ID
Loc-Tu-ID State
State Sessions
Sessions
Sessions
 Show router l2tp Group
Assignment
Assignment
tunnel -----------------------------------------------------
441712640 6740 65525 established
establishedIdle 12
0
MyProvider1
MyProvider1
MyTunnel1
542310400 8275 65525 establishedIdle 1
established 0
MyProvider1
MyProvider1
MyTunnel2
260636672 3977 65531 established 2
1
MyProvider1
MyProvider1
MyTunnel3
367198208 5603 65531 established 1
MyProvider1 Animated
MyTunnel4 slide

219 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Tunnel selection aka tunnel load balancing
Conclusion : existing-first versus weighted Animated slide

Preference 50
Preference 50
 4 tunnels with same pref. MyTunnel1 session-limit
session-limit=4000
MyTunnel1 1000

 1000 sessions MyTunnel2 session-limit


MyTunnel2 session-limit=3000
1000
x1000
x1000
MyTunnel3 session-limit
MyTunnel3 session-limit=2000
1000
 Compare
MyTunnel4 session-limit
MyTunnel4 session-limit=1000
1000
 Excisting-first <> weighted

Excisting-first : fill tunnel until the maximum. Weighted : loadbalance in a weighted fashion
1)Conn ID Loc-Tu-ID Rem-Tu-ID State Sessions 1)Conn ID Loc-Tu-ID Rem-Tu-ID State Sessions
Group Group
Assignment Assignment
--------------------------------------------------- -----------------------------------------------
441712640 6740 65525 established 1000 441712640 6740 65525 established 400
250
MyProvider1 MyProvider1
MyTunnel1 MyTunnel1
542310400 8275 65525 establishedIdle 0 542310400 8275 65525 established 300
250
MyProvider1 MyProvider1
MyTunnel2 MyTunnel2
260636672 3977 65531 establishedIdle 0 260636672 3977 65531 established 200
250
MyProvider1 MyProvider1
MyTunnel3 MyTunnel3
367198208 5603 65531 establishedIdle 0 367198208 5603 65531 established 100
250
MyProvider1 MyProvider1
MyTunnel4 MyTunnel4

220 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Agenda

7. 7x50 Wholesale-Retail L2TP implementation.


a) General
b) CLI changes on LUDB/PPPoE/PPPoE-Policy
c) Tunnel configuration possibilities
a) LUDB and configured L2TP group
a) Tools / clear / drain commands /Hello/idle-timeout

b) Tunnel selection / load balancing


c) Understanding tunnel-id/session-id
d) Security [tunnel-auth/AVP-hiding/anti-spoof/cpm-protection]
b) RADIUS
a) Radius returns tunnel-group that points to CLI configuration
b) Radius returns all parameters to setup tunnel
d) Miscellaneous (Wireshark , N2X , ….)

221 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation.
Understanding Tunnel-id / Session-id

 L2TPv2 Sending PPP frames over L2TP tunnels


0 8 16 31

T L x x S x O P x x x x Ver Lenght

16-bit Tunnel-ID 16-bit Session-ID

Ns Nr

Offset Size Offset Pad…

 L2TPv3
 Transition from a 16-bit Session ID and Tunnel ID to a 32-bit Session ID and
Control Connection ID, respectively. ( 32-bit session-id not shown here).
0 8 16 31

32-bit Control Connection ID

222 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation.
Understanding Tunnel-id / Session-id CON’T

 The L2TP header contains a 16bit tunnel-id and a 16bit session-id

 Random generated on setup and communicated via the tunnel/session AVP.


L2TP LAC LNS
Assigned tunnel-id AVP SessionId TunnelId SCCRQ L2TP
2086 0000 0000

TunnelId SessionId Assigned tunnel-id AVP


L2TP SCCRP
2086 0000 65532

AVP’s SessionId TunnelId SCCCN


0000 65532

L2TP

Assigned sessionl AVP SessionId TunnelId


47516 0000 65532
ICRQ L2TP

TunnelId SessionId Assigned session AVP


L2TP ICRP 2086 47516 65532

AVP’s SessionId TunnelId


ICCN
65532 65532

Assigned tunnel-id 2086 Assigned tunnel-id 65532


Assigned session-id 47516 Assigned session-id 65532

223 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
LAC
7x50 Wholesale-Retail L2TP implementation. Assigned tunnel-id 2086
Assigned session-id 47516
Understanding Tunnel-id / Session-id CON’T
LNS
Assigned tunnel-id 65532
 LAC tunnel display command Assigned session-id 65532

show router l2tp tunnel


===================================================
Conn ID Loc-Tu-ID Rem-Tu-ID State Sessions
Group
Assignment
---------------------------------------------------show router l2tp tunnel detail
136708096 2086 65532 established 1 ========================================================
MyProvider1 L2TP Tunnel Status
MyTunnel1 ========================================================
Connection ID : 136708096
State : established

Remote Conn ID : 4294705152
Tunnel ID : 2086 Remote Tunnel ID : 65532

 LAC session display command

show router l2tp session


================================================================
show router l2tp session detail
L2TP Session Summary
============================================================
================================================================
L2TP Session Status
ID Control Conn ID Tunnel-ID Session-ID State
============================================================
---------------------------------------------------------------
Connection ID : 136755612
136755612 136708096 2086 47516 established
State : established

Control Conn ID : 136708096 Remote Conn ID : 4294770684
Tunnel ID : 2086 Remote Tunnel ID : 65532
Session ID : 47516 Remote Session ID : 65532

224 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation.
Understanding Tunnel-id / Session-id CON’T

 Log 99 uses the 32 Bit Connection-ID’s

24 2000/12/17 08:19:05.46 GMT WARNING: SVCMGR #2500 Base Subscriber created


"Subscriber MySubMyProvider1 has been created in the system“

25 2000/12/17 08:19:05.46 GMT WARNING: SYSTEM #2006 Base L2TP


"State of L2TP session 1:136755612 changed to waitTunnel configuration modified“

26 2000/12/17 08:19:05.46 GMT WARNING: SYSTEM #2006 Base L2TP


"State of L2TP tunnel 1:136708096 changed to waitReply configuration modified“

27 2000/12/17 08:19:05.48 GMT WARNING: SYSTEM #2006 Base L2TP


"State of L2TP tunnel 1:136708096 changed to established configuration modified“

28 2000/12/17 08:19:05.48 GMT WARNING: SYSTEM #2006 Base L2TP


"State of L2TP session 1:136755612 changed to waitReply configuration modified“

29 2000/12/17 08:19:05.50 GMT WARNING: SYSTEM #2006 Base L2TP


"State of L2TP session 1:136755612 changed to established configuration modified"

225 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
LAC
7x50 Wholesale-Retail L2TP implementation. Assigned tunnel-id 2086
Assigned session-id 47516
Understanding Tunnel-id / Session-id CON’T
LNS
Assigned tunnel-id 65532
show router l2tp tunnel Assigned session-id 65532

 (Remote) Tunnel-ID --> (Remote) Tunnel Connection ID


 2086 * 65536 = 136708096 (Remote) : 65532 * 65536 = 4294705152
31 16 15 0 31 16 15 0

Tunnel-ID 2086 Conn ID 2086

show router l2tp session

 Tunnel-ID -> Control Connection ID


 2086*65536 = 136708096
 (Remote) Connection ID = (Remote) Control Connection ID + (Remote) Session-ID
 ( 2086 * 65536) + 47516 = 136755612 (Remote): The same…
31 16 15 0

Conn ID 2086 47516

226 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
LAC
7x50 Wholesale-Retail L2TP implementation. Assigned tunnel-id 2086
Assigned session-id 47516
Understanding Tunnel-id / Session-id CON’T
LNS
Assigned tunnel-id 65532
show router l2tp tunnel Assigned session-id 65532

 Conn ID = 16bit Tunnel-ID converted to 32bit. (x65536)

show router l2tp tunnel detail

 Remote Conn ID = 16bit remote Tunnel-ID converted to 32bit. (x65536)

show router l2tp session

 ID = Control Conn ID + Session-ID

 Control Conn ID = 16bit Tunnel-id converted to 32bit (x65536)

show router l2tp session detail

 Connection ID = Control Conn ID + Session-ID

 Control Conn ID = 16bit Tunnel-id converted to 32bit (x65536)


 Remote Conn ID = (16bit remote Tunnel-ID converted to
32bit(x65536)) + remote session ID

227 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Agenda

7. 7x50 Wholesale-Retail L2TP implementation.


a) General
b) CLI changes on LUDB/PPPoE/PPPoE-Policy
c) Tunnel configuration possibilities + LAB
a) LUDB and configured L2TP group
a) Tools / clear / drain commands /Hello/idle-timeout

b) Tunnel selection / load balancing


c) Understanding tunnel-id/session-id
d) Security [tunnel-auth/AVP-hiding/anti-spoof/cpm-protection]
b) RADIUS
a) Radius returns tunnel-group that points to CLI configuration
b) Radius returns all parameters to setup tunnel
d) Miscellaneous (Wireshark , N2X , ….)

228 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation.
Security : Tunnel Authentication : Shared Secret : Successful

 L2TP authentication is optional.

 There are 2 ways to be sure that we setup the tunnel to the desired LNS.
 Shared Secret ( based on CHAP RFC 1994)
 Hostname Check

1) Shared secret between LAC and LNS


Configure router l2tp
group MyProvider1
Group level challenge always [no] challenge always*
password MySecret
tunnel "MyTunnel1"
challenge always [no] challenge always | never
Tunnel level password MySecret

Radius Attributes

Tunnel-Password MySecret
Alc-Tunnel-Challenge always

229 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation.
Security : Tunnel Authentication : Shared Secret : Successful

 Trace example with uni-directional Challenge from LAC


 N2X currently does not support the sending of a Challenge.

LAC LNS

Challenge-1
SCCRQ
MySecret
Challenge AVP

MySecret MD5

MD5
Hash= Challenge response

SCCRP
Hash = ? Challenge response AVP Challenge-2
Challenge AVP
MySecret MySecret

MD5 SCCCN MD5

Challenge response AVP


Hash= Challenge response Hash = ?

230 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation.
Security : Tunnel Authentication : Host-name : Successful

2) Hostname Check
 If remote-name is configured and the hostname-AVP is received from the
LNS than it should be the same to authenticate tunnel.

MyLac1 SCCRQ AVP Hostname MyRemoteLns1


MyLac1

SCCRP
AVP Hostname
Configure router l2tp MyRemoteLns1
group MyProvider1
local-name "MyLac1"
tunnel "MyTunnel1"
local-name "MyLac1" Show router l2tp tunnel … detail
remote-name MyRemoteLns1
Connection ID : 555679744
State : establishedIdle
Radius Attributes IP : 0.0.0.0
Peer IP : 192.4.1.2
Tunnel-Client-Auth-Id MyLAC1 Name : MyLac1
Remote Name : MyRemoteLns1
Tunnel-Server-Auth-Id MyRemoteLns1 Assignment ID : MyTunnel1
Group Name : MyProvider1
Error Message : N/A

231 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation.
Security : Tunnel Authentication : Unsuccessful

 No difference in error-code if shared secret or remote-name is wrong.

 STOPCCN : requestorIsNotAuthorized
MyWrongSecret
MySecret
MyWrongRemoteLns2
MyLac1 SCCRQ
AVP Challenge
Configure router l2tp Value-a
group MyProvider1 AVP Hostname
tunnel "MyTunnel1" MyLac1
challenge always
secret password MySecret SCCRP
local-name "MyLac1" AVP ChallengeResponse
Value-b
remote-name MyRemoteLns2
AVP Hostname
MyWrongRemoteLns2

StopCCN
AVP ResultCode
requestorIsNotAuthorized

ZLB

 Can we debug only STOPCCN’s ? Next …

232 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation.
Security : Tunnel Authentication : Unsuccessful …End

Debugging

 debug router l2tp event stop-control-connection-notification


215 2000/12/16 09:20:08.45 GMT MINOR: DEBUG #2001 Base L2TP(v2)
"L2TP(v2): UDP src 172.16.0.12:1701 dst 192.4.2.2:1701
connection 872480768 (tunnel-id 13313)
result-code=requestorIsNotAuthorized"

 Log 99
Log 99
2 2000/12/16 09:17:05.95 GMT WARNING: SYSTEM #2006 Base L2TP
"State of L2TP tunnel 1:305987584 changed to waitReply configuration modified"

3 2000/12/16 09:17:05.96 GMT WARNING: SYSTEM #2006 Base L2TP


"State of L2TP tunnel 1:305987584 changed to closed configuration modified"

 Tunnel statistics
show router l2tp statistics


Failed Auth : 1

233 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation.
Security : AVP hiding

What are Attribute Value Pairs : AVP

 To maximize extensibility while still permitting interoperability, a uniform


method for encoding message types and bodies is used throughout L2TP.

 AVP header Format


Mandatory (M) bit : If the M bit is set on an unrecognized AVP within a message associated
with a particular session, the session associated with this message MUST be terminated.

Hidden (H) bit: Identifies the hiding of data in the Attribute Value field of an AVP. This capability
can be used to avoid the passing of sensitive data, such as user passwords, as cleartext in an AVP.
The H bit MUST only be set if a shared secret exists between the LAC and LNS. The shared secret is
the same secret that is used for tunnel authentication.
If the H bit is set in any AVP(s) in a given control message, a Random Vector AVP must also be
present in the message and MUST precede the first AVP having an H bit of 1.

Any vendor wishing to implement their own L2TPextensions can use their own Vendor ID
along with private Attribute values. Vendor-ID=0 means that the standard AVP’s are used.
0 6 16 31

M H rsvd Length Vendor ID


Attribute Type Attribute Value

http://www.iana.org/assignments/l2tp-parameters

234 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation.
Security : AVP hiding Con’t
• challenge response
 CLI related * • assigned session-id
• called number
• calling number
• None of the AVP’s gets hidden. • ALL LCP AVP’s
• All proxy authenticate related AVP’s

configure router l2tp


group MyProvider1
[no] avp-hiding sensitive | always • All AVP’s that ,
tunnel MyTunnel1 [no] avp-hiding never|sensitive|always according RFC 2661
can be hidden, are
hidden.

 Radius
Radius Attribute ( 7.0R2 naming)
Alc-Tunnel-AVP-Hiding-Level nothing(0) , sensitive(1) , always(2)

 Remark : Enabling of AVP-hding without password configured is rejected.


config router l2tp group MyProvider1 tunnel MyTunnel1 avp-hiding always
MINOR: L2TP #4003 password is required

235 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation.
Security : AVP hiding …End

M H RSVD Length Vendor-ID Type Value

M H RSVD Length Vendor-ID Type Length Value +padding

LAC LNS Encrypted


Random-vector
MySecret MySecret
Attribute-nbr

MD5
- Random-vector
- Hidden AVP
Hash

Unhidden-AVP
Length + value XOR Hash

236 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Security : IP-FILTERS …End

 All IP type filters are extended with protocol l2tp


 management-access-filter
 ip-filter
 cpm-filter

entry 1 create
action drop
match protocol udp
dst-port 1701 65535
src-port 1701 65535
exit
exit

entry 1 create
action drop
match protocol l2tp
exit
exit

237 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Security : Anti-spoof table …End

 “show filter anti-spoof” replaced by “show service id <svc-id> subscriber-hosts”

 Anti-spoof is based on MAC Address and PPPoE-SID ( iso IP) for L2TP

show service id 99999 subscriber-hosts


===============================================================================
Subscriber Host table
===============================================================================
Sap IP Address MAC Address PPPoE-SID Origin
Subscriber Fwding state
-------------------------------------------------------------------------------
1/1/1:1 0.0.0.0 00:00:64:06:01:02 1 PPPoE
user1@skynet.be Fwding
1/1/1:1 0.0.0.0 00:00:64:06:02:02 1 PPPoE
user2@skynet.be Fwding

show service id 99999 pppoe session


===============================================================================
PPPoE sessions for svc-id 99999
===============================================================================
Sap Id Mac Address Sid Up Time IP/L2TP-Id Type
-------------------------------------------------------------------------------
1/1/1:1 00:00:64:06:01:02 1 0d 00:09:12 78194530 L2TP
1/1/1:1 00:00:64:06:02:02 1 0d 00:09:12 78248330 L2TP
-------------------------------------------------------------------------------
Number of sessions : 2

238 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Security : HW Requirements

IOM3 required for L2TP support : Outgoing traffic

 If Next-Hop interface of L2TP peer is a port that is not part of an iom3-xp or


IMM.

1223 2000/01/01 15:40:04.75 GMT WARNING: PORT #2036 Base Port


"A functionality is required from port 1/1/9 that it cannot support - next-hop of
192.4.1.2 is not on an IOM that supports L2TP"

show log event-control port


=======================================================================
Log Events
=======================================================================
Application
ID# Event Name P g/s Logged Dropped
-----------------------------------------------------------------------

2036 tmnxPortUnsupportedFunction WA gen 1 0

239 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Security : HW Requirements

IOM3 required for L2TP support : Incoming traffic

 If there is a rerouting in the network which forces incoming traffic on an NON-


IOM3 card than all this traffic ( control and data ) is forwarded to the CPM.

 Configure router L2TP no shutdown will populate L2TP capable and non-capable
interfaces. This list will be consulted from the moment we enable protocol
protection.
configure system security cpu-protection protocol-protection

show system security cpu-protection protocol-protection

===========================================================
Interfaces where packets are dropped by protocol-protection
===========================================================
Interface-name Router-Name Drop-Count
-----------------------------------------------------------
Non-iom3-to-lns base 1001

 Not possible to check on non-distributed SIM setup.

240 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
QoS: Source-Generated-Traffic settings for PPPoE / L2TP … End

 Downstream dot1p can be set for PPPoE control traffic [ default 7 ]


 configure router sgt-qos application pppoe dot1p 5 [0..7]
 configure service vprn <service-id> sgt-qos application pppoe dot1p5 [0..7]

*A:pe2.lab# show router sgt-qos application


=================================================
Dot1p Application Values 6.0
=================================================
Application Dot1p Value Default Dot1p Value
-------------------------------------------------
arp none none
isis none none
pppoe 5 none

 L2TP control traffic.


 configure router sgt-qos application l2tp dscp x (default DSCP = 0x30 nc6)

 P-bit used in L2TP header is currently not used and always set to zero.

241 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Agenda

7. 7x50 Wholesale-Retail L2TP implementation.


a) General
b) CLI changes on LUDB/PPPoE/PPPoE-Policy
c) Tunnel configuration possibilities + LAB
a) LUDB and configured L2TP group
a) Tools / clear / drain commands /Hello/idle-timeout

b) Tunnel selection / load balancing


c) Understanding tunnel-id/session-id
d) Security [tunnel-auth/AVP-hiding/anti-spoof/cpm-protection]
b) RADIUS
a) Radius returns tunnel-group that points to CLI configuration
b) Radius returns all parameters to setup tunnel
d) Miscellaneous (Wireshark , N2X , ….) Miscellaneous (Wireshark , N2X , ….)

242 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
RADIUS Extensions for ESM - Authentication Extensions

.../raddb/clients.conf
How are the different ESM objects communicated by RADIUS client 172.16.0.21 {
server ? secret = WhoIsThere
shortname = A1
nastype = other
 Standard RADIUS attributes }
client 172.16.0.22 {
secret = WhoIsThere
 framed-ip-address [8], framed-ip-netmask [9], NAS-identifier shortname = A2
nastype = other
[32], NAS-port [87] }
client 172.16.0.11 {
 Vendor specific attributes (VSAs) secret = WhoIsThere
shortname = PE1
nastype = other
 Alcatel IPD – using Timetra vendor-id [6527] – see IPD RADIUS }
client 172.16.0.12 {
dictionary secret = WhoIsThere
shortname = PE2
 JUNIPER & REDBACK attributes – relevant VSAs to ease migration nastype = other
}

/var/local/etc/raddb/dictionary

$INCLUDE /usr/local/etc/raddb/dictionary
$INCLUDE /usr/local/etc/raddb/DSL-forum_dictionary

/var/local/etc/raddb/users

"ISAM1 eth 1/11" Auth-Type := Local, User-Password == "LetMeIn"


. . . . . . .

243 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
RADIUS Extensions for ESM - Authentication Extensions

 Mandatory in RADIUS ACCESS REQUEST (as in previous Releases)


 User-Name, attribute 1 CLI-knob

– MAC
– Circuit-id
– Tuple ( concatenation of MAC & Circuit-id )
– Ascii-converted-circuit-id
– Ascii-converted-tuple
 User-Password, attribute 2
 NAS IP address , attribute 4
– Will be system-id of node.
 Service-Type, attribute 6
– Needs to be “Framed” if returned by Radius
 Framed-Protocol, attribute 7
– Needs to be “PPP” if returned by Radius

244 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
RADIUS Extensions for ESM - Authentication Extensions

 Optional in RADIUS ACCESS REQUEST CLI-knob

 Access-loop-options , DSL-forum VSA


– Actual data rate Upstream (129)
– Actual data rate Downstream (130)
– Minimum data rate Upstream (131)
– Minimum data rate Downstream (132)
– ....
– Access loop encapsulation (144) 30 PPPoA - PPP over ATM
31 PPPoEoA - PPP over Ethernet over ATM
 Circuit-id , DSL-forum VSA (2) 32 PPPoEoE - PPP over Ethernet over Ethernet
33 PPPoEoVLAN - PPP over Ethernet over VLAN
 Remote-id , DSL-forum VSA (1) 34 PPPoEoQinQ - PPP over Ethernet over 802.1QinQ
 MAC-address ,Alcatel-Lucent VSA (27)
 PPPoE-service-name , Alcatel-Lucent VSA (35)
 NAS-identifier , attribute 32
 NAS-port-id
– nas-port-id , attribute 87 (with possible extended nas-port-id format)
– nas-port-type , attribute 61
 DHCP-vendor-class-id
 Calling-station-id ( Any 64 chars string configured under the SAP )

245 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
RADIUS Extensions for ESM - Authentication Extensions

Optional Radius returned attribute “user-name” now correct accepted.

 This user-name is optional forwarded to accounting.

 Users file : user1@skynet.be Auth-Type := Local, User-password == "password13"

user-name = "USER1@SKYNET",

Alc-Subsc-ID-Str = “My Subscriber1",


show service id 99999 pppoe session detail
=================================================
Sap Id Mac Address Sid
-------------------------------------------------
1/1/1:1 00:00:64:09:01:04 1

PPP User-Name : user1@skynet.be

Subscriber-interface : MySubItf1
Group-interface : MyGrpItf1

Subscriber Origin : Radius


Strings Origin : None 647 2009/03/20 12:59:32.21 Base RADIUS
"RADIUS: Transmit
Accounting-Request(4) 10.2.79.79:1813
Subscriber : “My Subscriber1" STATUS TYPE [40] 4 Interim-Update(3)
….. NAS IP ADDRESS [4] 4 172.16.0.12
Radius User-Name : USER1@SKYNET.BE USER NAME [1] 16 USER13@SKYNET.BE

246 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Radius Tunnel Configuration : Several possibilities

1. RADIUS returns tunnel-group that points to a CLI created L2TP group.

2. RADIUS returns all required parameters without tunnel-group.


 Operational TG created with name equal to “default_radius_group”
3. RADIUS returns all required parameters + Tunnel-Assignment-Id:0 (7.0R2)
 Operational TG created with name equal to the Radius standard attribute Tunnel-
Assignment-Id:0 ( 7.0R2)

Remark :
• When Radius returns the tunnel-group it should always point to a CLI created group and
any other Radius returned L2TP parameters is ignored. All other required info to setup the
tunnel should come than from CLI.

247 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Agenda

7. 7x50 Wholesale-Retail L2TP implementation.


a) General
b) CLI changes on LUDB/PPPoE/PPPoE-Policy
c) Tunnel configuration possibilities
a) LUDB and configured L2TP group
a) Tools / clear / drain commands /Hello/idle-timeout

b) Tunnel selection / load balancing


c) Understanding tunnel-id/session-id
d) Security [tunnel-auth/AVP-hiding/anti-spoof/cpm-protection]
b) RADIUS
a) Radius returns tunnel-group that points to CLI configuration
b) Radius returns all parameters to setup tunnel
d) Miscellaneous (Wireshark , N2X , ….) Miscellaneous (Wireshark , N2X , ….)

248 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Radius Tunnel Configuration : Several possibilities

1. RADIUS returns tunnel-group that points to a CLI created L2TP group.

Description

Option 2A RADIUS PADI CIRCUIT-ID

Option 2B RADIUS PADI MAC

Option 2C RADIUS PAP/CHAP

Option 2D RADIUS PAP/CHAP + LUDB PRE-AUTHENTICATION

Next

249 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Option 2A : RADIUS PADI
Radius returns to a CLI created LT2P group

250 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
option 2A PADI + circuit-id

 Auth policy added.

 Radius : circuit0 Auth-Type := Local, User-Password == "LetMeIn"


Alc-Tunnel-Group = "MyProvider1",
Alc-Subsc-ID-Str = "Radius-MySubMyProvider1"

*A:pe2.lab# authentication-policy "knock-knock" create


configure service ies 99999 description "RADIUS policy"
subscriber-interface "MySubItf1" create password "LetMeIn"
address 192.168.50.254/24 radius-authentication-server
group-interface "MyGrpItf1" create router "Base"
authentication-policy "knock-knock" server 1 address 10.2.79.79 secret WhoIsThere
sap 1/1/1:1 create exit
sub-sla-mgmt user-name-format circuit-id
def-sub-profile "DefSubProfile" pppoe-access-method padi
def-sla-profile "DefSlaProfile" include-radius-attribute
sub-ident-policy "sub_ident_all" circuit-id
multi-sub-sap 2000 remote-id
no shutdown nas-port-id
exit nas-identifier
calling-station-id "MyCallingStationId" pppoe-service-name
exit dhcp-vendor-class-id
pppoe access-loop-options
session-limit 10 mac-address
sap-session-limit 10 calling-station-id
user-db "MyLudb1" exit
no shutdown exit
exit
exit
exit
no shutdown
251 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
option 2A PADI + circuit-id

 N2X does not support the ADSL forum attributes !!


PAP
LAC RADIUS

PAP Aggregation LNS


network IP/MPLS Internet
(optional)
BSAN

PADI, S-MAC 00:00:64:06:03:02,Session ID: 0x0000


,PPPoE tag: option: 0x101, 0x103 ,0x108 cid=circuit0 Access Request
user-name [1] circuit0 cidentry
 Alc-Tunnel-Group
PADO, Session ID: 0x0000 Access accept  Alc-Subsc-ID-Str
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
Discovery stage

PADR, Session ID: 0x0000


PPPoE tag: option: 0x101,0x102, 0x103, 0x104,0x108
accounting Request : start
accounting Response
Assigned session ICRQ
Call Srial Number
Calling Number CDN
Vendor ADSL Forum : AgentcCircuitId ZLB
PADT

show router l2tp statistics result-code: "disconnectedSeeErrorCode“


======================================== error-code: "vendorSpecificErrorInLac error-msg: "Bad ICRQ Packet“
Tunnels Sessions
----------------------------------------
Total : 3 Total : 4
Failed : 0 Failed : 4
Failed Auth : 0
Active : 1 Active : 0

252 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
option 2A PADI + circuit-id
 Setup N2X user3 temporary with cid “circuit0” to show failure case.

 PPPoE client LNS

253 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Option 2B : RADIUS PADI
Radius returns to a CLI created LT2P group

254 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2B : Authentication via Radius PADI with user-name-format MAC

PAP
LAC RADIUS

PAP Aggregation LNS


network IP/MPLS Internet
(optional)
BSAN

PADI, S-MAC 00:00:64:06:01:02,Session ID: 0x0000


,PPPoE tag: option: 0x101, 0x103 Access Request
user-name [1] 00:00:64:06:01:02 MAC-entry
 Alc-Tunnel-Group
PADO, Session ID: 0x0000 Access accept  Alc-Subsc-ID-Str
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
Discovery stage

PADR, Session ID: 0x0000


PPPoE tag: option: 0x101,0x102, 0x103, 0x104
accounting Request : start
accounting Response
ICRQ
PADS, Session ID: 0x0001 ICRP
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
ZLB
ICCN
LCP session negotiation

ZLB
LCP Configuration Request
Session stage :

LCP Configuration Request : Auth protocol PAP


LCP Configuration Ack
PAP Authentication request
PAP Authentication Ack

255 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2B : Authentication via Radius PADI with user-name-format MAC
PAP
LAC RADIUS

PAP Aggregation LNS


network IP/MPLS Internet
(optional)
BSAN
IPCP Configure-request IP address: 192.168.60.1

IPCP Configure-request IP address: 0.0.0.0


IPCP Configure-Ack IP address: 192.168.60.1
Session stage :

IPCP Configure-Nack IP address: 192.168.60.2


IPCP

IPCP Configure-request IP address: 192.168.60.2


IPCP Configure-ack IP address: 192.168.60.2

LCP Echo Request


Keep-alive

LCP Echo Reply


Optional

LCP Echo Request

LCP Echo Reply

LCP Terminate Request


LCP Terminate Ack

CDN ( call Disconnect-Notification) + error code


PADT
Terminate
session

PADT
ZLB

accounting Request : stop


accounting Response

256 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2B : Authentication via Radius PADI with user-name-format MAC

 Authentication policy under the


group interface. *A:pe2.lab#
configure service ies 99999
subscriber-interface "MySubItf1" create

 No LUDB under PPPOE address 192.168.50.254/24


group-interface "MyGrpItf1" create
authentication-policy "knock-knock"
sap 1/1/1:1 create
sub-sla-mgmt
def-sub-profile "DefSubProfile"
def-sla-profile "DefSlaProfile"
sub-ident-policy "sub_ident_all"
multi-sub-sap 2000
no shutdown
exit
exit
pppoe
session-limit 10
sap-session-limit 10

no shutdown
exit
exit
exit
no shutdown

257 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2B : Authentication via Radius PADI with user-name-format MAC
authentication-policy "knock-knock" create
 LT2P group MyProvider1 description "RADIUS policy"
password "LetMeIn"
radius-authentication-server
 Authentication policy router "Base"
server 1 address 10.2.79.79 secret WhoIsThere
exit
 Accounting policy user-name-format mac
pppoe-access-method padi
include-radius-attribute
circuit-id
remote-id
nas-port-id
radius-accounting-policy "GiveMeTheMoney" create nas-identifier
update-interval 5 pppoe-service-name
include-radius-attribute dhcp-vendor-class-id
framed-ip-addr access-loop-options
framed-ip-netmask mac-address
subscriber-id exit
circuit-id exit
remote-id
nas-port-id
nas-identifier
sub-profile
Configure router l2tp
sla-profile
group "MyProvider1" create
calling-station-id
tunnel "MyTunnel1" create
user-name
auto-establish
exit
peer 192.4.1.2
session-id-format number
no shutdown
use-std-acct-attributes
exit
radius-accounting-server
exit
server 1 address 10.2.79.79 secret WhoIsThere
exit
exit
exit

258 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2B : Authentication via Radius PADI with user-name-format MAC

 Tools RADIUS USER CHECK user 00:00:64:06:01:02

 Radius user file 00:00:64:06:01:02 Auth-Type := Local, User-Password == "LetMeIn"


Alc-Tunnel-Group = "MyProvider1",
Alc-Subsc-ID-Str = "Radius-MySubMyProvider1"

 tools perform security authentication-server-check server-address


10.2.79.79 user-name “00:00:64:06:01:02”user10@skynet.be
secret "WhoIsThere" password “LetmeIn"
32 2009/03/20 09:37:43.38 GMT MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Transmit
Access-Request(1) 10.2.79.79:1812 id 1 len 63
USER NAME [1] 17 00:00:64:06:01:02
PASSWORD [2] 16 QwF2nHZUV5/AjzFDsVZWhE
NAS IP ADDRESS [4] 4 172.16.0.12
"

33 2009/03/20 09:37:43.43 GMT MINOR: DEBUG #2001 Base RADIUS


"RADIUS: Receive
Access-Accept(2) id 1 len 70 from 10.2.79.79:1812
VSA [26] 13 Alcatel(6527)
TUNNEL GROUP [46] 11 MyProvider1
VSA [26] 25 Alcatel(6527)
SUBSC ID STR [11] 23 Radius-MySubMyProvider1
"
SUCCESS: Request validated by radius.

259 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2B : Authentication via Radius PADI with user-name-format MAC

 Setup N2X user with mac 00:00:64:06:01:02


show service id 99999 pppoe session detail
==========================================================
PPPoE sessions for svc-id 99999
 All subscribers on first stage radius ==========================================================
Sap Id Mac Address Sid Up Time P/L2TP-Id Type
----------------------------------------------------------
 Radius users file : 1/1/1:1 00:00:64:06:01:02 1 0d 00:00:32 279467900 L2TP

00:00:64:06:01:02 PPP User-Name


Auth-Type := Local, User-Password == "LetMeIn" : (Not Specified)
Alc-Tunnel-Group = "MyProvider1",
Subscriber-interface : MySubItf1
Alc-Subsc-ID-Str = "Radius-MySubMyProvider1"
Group-interface : MyGrpItf1

Subscriber Origin : Radius


Strings Origin : None
 30s E2E PPP keep alive used.
Subscriber : "Radius-MySubMyProvider1"
Sub-Profile-String : ""
 Use debug SLA-Profile-String : ""
ANCP-String : ""
Int-Dest-Id : ""
App-Profile-String : ""
Category-Map-Name : ""

L2TP Group Name : MyProvider1


L2TP Assignment ID : MyTunnel1

Circuit-Id :
Remote-Id :
Service-Name : MyProvider1

Session-Timeout : N/A
Radius Class :
Radius User-Name : 00:00:64:06:01:02
------------------------------------------------------
Number of sessions : 1
260 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2B : Authentication via Radius PADI with user-name-format MAC
 Setup N2X user with mac 00:00:64:06:01:02

 PPPoE client LNS

261 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Option 2C : RADIUS PAP-CHAP
Radius returns to a CLI created LT2P group

262 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2C : Authentication via Radius PAP-CHAP

CHAP
LAC RADIUS

PAP/CHAP Aggregation LNS


network IP/MPLS Internet
(optional)
BSAN

PADI, S-MAC 00:00:64:06:08:02,Session ID: 0x0000


,PPPoE tag: option: 0x101, 0x103
PADO, Session ID: 0x0000
Discovery stage

PPPoE tag: option: 0x101,0x102, 0x103, 0x104


PADR, Session ID: 0x0000
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
PADS, Session ID: 0x0001
PPPoE tag: option: 0x101,0x102, 0x103, 0x104

LCP Configuration Request : CHAP


LCP session negotiation

LCP Configuration Request


Session stage :

LCP Configuration Ack

LCP Configuration Ack

PPP CHAP Challenge

PPP CHAP response


Access-Request entry
 Alc-Tunnel-Group
Access-accept
 Alc-Subsc-ID-Str
Lookup CLI for returned
Tunnel Group name

263 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2C : Authentication via Radius PAP-CHAP

CHAP

LAC RADIUS
PAP/CHAP
Aggregation LNS
network IP/MPLS Internet
(optional)
BSAN

accounting Request : start


accounting Response
Initial Received LCP Confreq
Last Sent LCP confreq ICRQ
Last Received LCP Confreq ICRP
Proxy Auth type
ZLB
Proxy Auth name
Proxy Auth Challenge ICCN
Proxy Auth ID ZLB
Proxy Auth Response

PPP CHAP Success

extra AVP because CHAP and


not PAP

264 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2C : Authentication via Radius PAP-CHAP
CHAP
LAC RADIUS
PAP/CHAP Aggregation LNS
network IP/MPLS Internet
(optional)
BSAN
IPCP Configure-request IP address: 192.168.60.1

IPCP Configure-request IP address: 0.0.0.0


IPCP Configure-Ack IP address: 192.168.60.1
Session stage :

IPCP Configure-Nack IP address: 192.168.60.3


IPCP

IPCP Configure-request IP address: 192.168.60.3


IPCP Configure-ack IP address: 192.168.60.3

LCP Echo Request


Keep-alive

LCP Echo Reply


Optional

LCP Echo Request

LCP Echo Reply

LCP Terminate Request


LCP Terminate Ack

CDN ( call Disconnect-Notification) + error code


PADT
Terminate
session

PADT
ZLB

accounting Request : stop


accounting Response

265 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2C : Authentication via Radius PAP-CHAP

 Authentication policy under the *A:pe2.lab#


group interface. configure service ies 99999
subscriber-interface "MySubItf1" create
address 192.168.50.254/24
 No LUDB under PPPOE group-interface "MyGrpItf1" create
authentication-policy "knock-knock"
sap 1/1/1:1 create
sub-sla-mgmt
def-sub-profile "DefSubProfile"
def-sla-profile "DefSlaProfile"
sub-ident-policy "sub_ident_all"
multi-sub-sap 2000
no shutdown
exit
exit
pppoe
session-limit 10
sap-session-limit 10

no shutdown
exit
exit
exit
no shutdown

266 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2C : Authentication via Radius PAP-CHAP
authentication-policy "knock-knock" create
 LT2P group MyProvider1 description "RADIUS policy"
no password
radius-authentication-server
 Authentication policy router "Base"
server 1 address 10.2.79.79 secret WhoIsThere
exit
 Accounting policy pppoe-access-method pap-chap
include-radius-attribute
circuit-id
 User name format N/A remote-id
nas-port-id
nas-identifier
radius-accounting-policy "GiveMeTheMoney" create pppoe-service-name
update-interval 5 dhcp-vendor-class-id
include-radius-attribute access-loop-options
framed-ip-addr mac-address
framed-ip-netmask exit
subscriber-id exit
circuit-id
remote-id
nas-port-id
nas-identifier
sub-profile
Configure router l2tp
sla-profile
group "MyProvider1" create
calling-station-id
tunnel "MyTunnel1" create
user-name
auto-establish
exit
peer 192.4.1.2
session-id-format number
no shutdown
use-std-acct-attributes
exit
radius-accounting-server
exit
server 1 address 10.2.79.79 secret WhoIsThere
exit
exit
exit

267 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2C : LUDB PRE-AUTH + Radius AUTH PAP-CHAP

 Tools RADIUS USER CHECK user10@skynet.be

 Radius user file user10&skynet.be Auth-Type := Local, User-Password == “password10"


Alc-Tunnel-Group = "MyProvider1",
 tools perform security authentication-server-check Alc-Subsc-ID-Str = "Radius-MySubMyProvider1"

server-address 10.2.79.79 user-name user10@skynet.be


secret "WhoIsThere" password "password10"

29 2009/03/20 09:33:20.40 GMT MINOR: DEBUG #2001 Base RADIUS


"RADIUS: Transmit
Access-Request(1) 10.2.79.79:1812 id 1 len 62
USER NAME [1] 16 user10@skynet.be
PASSWORD [2] 16 JoRD21.DSJ.46n/cvpMfZE
NAS IP ADDRESS [4] 4 172.16.0.12
"

30 2009/03/20 09:33:20.52 GMT MINOR: DEBUG #2001 Base RADIUS


"RADIUS: Receive
Access-Accept(2) id 1 len 70 from 10.2.79.79:1812
VSA [26] 25 Alcatel(6527)
SUBSC ID STR [11] 23 Radius-MySubMyProvider1
VSA [26] 13 Alcatel(6527)
TUNNEL GROUP [46] 11 MyProvider1
"
SUCCESS: Request validated by radius.

268 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2C : Authentication via Radius PAP-CHAP

 Setup N2X option2C user10@skynet.be


show service id 99999 pppoe session detail
==========================================================
PPPoE sessions for svc-id 99999
 Radius users file : ==========================================================
Sap Id Mac Address Sid Up Time P/L2TP-Id Type
----------------------------------------------------------
user10&skynet.be Auth-Type := Local, User-Password == “password10"
1/1/1:1 00:00:64:06:08:02 1 0d 00:00:32 911374952 L2TP
Alc-Tunnel-Group = "MyProvider1",
PPP User-Name : user10@skynet.be
Alc-Subsc-ID-Str = "Radius-MySubMyProvider1"
Subscriber-interface : MySubItf1
Group-interface : MyGrpItf1
 30s E2E PPP keep alive used.
Subscriber Origin : Radius
Strings Origin : None
 Use debug
Subscriber : "Radius-MySubMyProvider1"
Sub-Profile-String : ""
SLA-Profile-String : ""
ANCP-String : ""
Int-Dest-Id : ""
App-Profile-String : ""
Category-Map-Name : ""

L2TP Group Name : MyProvider1


L2TP Assignment ID : MyTunnel1

Circuit-Id :
Remote-Id :
Service-Name : MyProvider1

Session-Timeout : N/A
Radius Class :
Radius User-Name : user10&skynet.be
------------------------------------------------------
Number of sessions : 1
269 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2C : Authentication via Radius PAP-CHAP
 Setup N2X option2C user10@skynet.be

270 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Option 2D : LUDB PRE-AUTH +RADIUS PAP-CHAP
Radius returns to a CLI created LT2P group

271 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2D : LUDB PRE-AUTH + Radius AUTH PAP-CHAP

6.0

 The pado-delay timer part of the pppoe-policy.


 The pppoe-policy sits under the group-interface
 All PPPoE sessions under this group-interface get the same PADO-delay

pe1

Pado-delay = 0 configure subscriber-mgmt


session
pppoe-policy group-1
pado-delay [1..30] deci-sec

Pado-delay = 30

pe2

7.0

 Requirement of having a PADO-delay per user allowing another load sharing.

272 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2D : LUDB PRE-AUTH + Radius AUTH PAP-CHAP

7.0

 Requirement of having a PADO-delay per user allowing another load sharing.

 Add pado-delay in LUDB and use it in pre-authentication.

local-user-db "MyLudb4" create


pppoe
match-list circuit-id
host "host1" create
host-identification
Circuit-id-A pe1 circuit-id circuit-id-A
exit
session authentication-policy "knock-knock"
pado-delay 30

host "host1" create


Circuit-id-B host-identification
circuit-id circuit-id-A
pe2 exit
authentication-policy "knock-knock"
pado-delay 0
Opposite configuration
required on pe2

Extra mask type circuit-id can be used

273 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2D : LUDB PRE-AUTH + Radius AUTH PAP-CHAP
CHAP
LAC RADIUS

PAP/CHAP Aggregation LNS


network IP/MPLS Internet
(optional)
BSAN

PADI, S-MAC 00:00:64:06:08:02,Session ID: 0x0000


,PPPoE tag: option: 0x101, 0x103 LUDB
PADI, S-MAC 00:00:64:06:08:02,Session ID: 0x0000  match on
Discovery stage

,PPPoE tag: option: 0x101, 0x103  pado delay 3s


PADI, S-MAC 00:00:64:06:08:02,Session ID: 0x0000
X
,PPPoE tag: option: 0x101, 0x103
PADO, Session ID: 0x0000 X Silently drop
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
PADR, Session ID: 0x0000
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
PADS, Session ID: 0x0001
PPPoE tag: option: 0x101,0x102, 0x103, 0x104

LCP Configuration Request : CHAP


From here scenario
LCP session negotiation

LCP Configuration Request is as 0ption-2c


Session stage :

LCP Configuration Ack

LCP Configuration Ack

PPP CHAP Challenge

PPP CHAP response


Access-Request entry
 Alc-Tunnel-Group
Access-accept
 Alc-Subsc-ID-Str

274 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2D : LUDB PRE-AUTH + Radius AUTH PAP-CHAP

CHAP

LAC RADIUS
PAP/CHAP
Aggregation LNS
network IP/MPLS Internet
(optional)
BSAN

accounting Request : start


accounting Response
Initial Received LCP Confreq
Last Sent LCP confreq ICRQ
Last Received LCP Confreq ICRP
Proxy Auth type
ZLB
Proxy Auth name
Proxy Auth Challenge ICCN
Proxy Auth ID ZLB
Proxy Auth Response

PPP CHAP Success

275 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2D : LUDB PRE-AUTH + Radius AUTH PAP-CHAP
CHAP
LAC RADIUS
PAP/CHAP Aggregation LNS
network IP/MPLS Internet
(optional)
BSAN
IPCP Configure-request IP address: 192.168.60.1

IPCP Configure-request IP address: 0.0.0.0


IPCP Configure-Ack IP address: 192.168.60.1
Session stage :

IPCP Configure-Nack IP address: 192.168.60.3


IPCP

IPCP Configure-request IP address: 192.168.60.3


IPCP Configure-ack IP address: 192.168.60.3

LCP Echo Request


Keep-alive

LCP Echo Reply


Optional

LCP Echo Request

LCP Echo Reply

LCP Terminate Request


LCP Terminate Ack

CDN ( call Disconnect-Notification) + error code


PADT
Terminate
session

PADT
ZLB

accounting Request : stop


accounting Response

276 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2D : LUDB PRE-AUTH + Radius AUTH PAP-CHAP

 No Authentication policy under MyGrpItf1 *A:pe2.lab#


configure service ies 99999
 LUDB under PPPOE subscriber-interface "MySubItf1" create
address 192.168.50.254/24
group-interface "MyGrpItf1" create
1
 Authentication policy in LUDB no authentication-policy
sap 1/1/1:1 create
sub-sla-mgmt
 LUDB only used for pre-auth. def-sub-profile "DefSubProfile"
def-sla-profile "DefSlaProfile"
sub-ident-policy "sub_ident_all"
multi-sub-sap 2000
no shutdown
exit
exit
*A:pe2.lab# configure subscriber-mgmt pppoe
local-user-db "MyLudb4" create session-limit 10
description "Add text" sap-session-limit 10
pppoe user-db MyLudb4
match-list circuit-id 2 no shutdown
host "host1" create exit
host-identification exit
circuit-id circuit0 exit
exit no shutdown
3 auth-policy knock-knock
pado-delay 30 (ms)
no shutdown
exit Only if match-list is different to username
no shutdown because username will trigger auth-1 and we
exit
can not trigger a second auth via the auth-
policy

277 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2D : LUDB PRE-AUTH + Radius AUTH PAP-CHAP
authentication-policy "knock-knock" create
 LT2P group MyProvider1 description "RADIUS policy"
no password
radius-authentication-server
 Authentication policy router "Base"
server 1 address 10.2.79.79 secret WhoIsThere
exit
 Accounting policy pppoe-access-method pap-chap
include-radius-attribute
circuit-id
remote-id
nas-port-id
nas-identifier
radius-accounting-policy "GiveMeTheMoney" create pppoe-service-name
update-interval 5 dhcp-vendor-class-id
include-radius-attribute access-loop-options
framed-ip-addr mac-address
framed-ip-netmask exit
subscriber-id exit
circuit-id
remote-id
nas-port-id
nas-identifier
sub-profile
Configure router l2tp
sla-profile
group "MyProvider1" create
calling-station-id
tunnel "MyTunnel1" create
user-name
auto-establish
exit
peer 192.4.1.2
session-id-format number
no shutdown
use-std-acct-attributes
exit
radius-accounting-server
exit
server 1 address 10.2.79.79 secret WhoIsThere
exit
exit
exit

278 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2D : LUDB PRE-AUTH + Radius AUTH PAP-CHAP

 Tools RADIUS USER CHECK user10@skynet.be

 Radius user file user10&skynet.be Auth-Type := Local, User-Password == “password10"


Alc-Tunnel-Group = "MyProvider1",
 tools perform security authentication-server-check Alc-Subsc-ID-Str = "Radius-MySubMyProvider1"

server-address 10.2.79.79 user-name user10@skynet.be


secret "WhoIsThere" password "password10"

29 2009/03/20 09:33:20.40 GMT MINOR: DEBUG #2001 Base RADIUS


"RADIUS: Transmit
Access-Request(1) 10.2.79.79:1812 id 1 len 62
USER NAME [1] 16 user10@skynet.be
PASSWORD [2] 16 JoRD21.DSJ.46n/cvpMfZE
NAS IP ADDRESS [4] 4 172.16.0.12
"

30 2009/03/20 09:33:20.52 GMT MINOR: DEBUG #2001 Base RADIUS


"RADIUS: Receive
Access-Accept(2) id 1 len 70 from 10.2.79.79:1812
VSA [26] 25 Alcatel(6527)
SUBSC ID STR [11] 23 Radius-MySubMyProvider1
VSA [26] 13 Alcatel(6527)
TUNNEL GROUP [46] 11 MyProvider1
"
SUCCESS: Request validated by radius.

279 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2D : LUDB PRE-AUTH + Radius AUTH PAP-CHAP

 Setup N2X option2C user10@skynet.be


show service id 99999 pppoe session detail
==========================================================
PPPoE sessions for svc-id 99999
 Radius users file : ==========================================================
Sap Id Mac Address Sid Up Time P/L2TP-Id Type
----------------------------------------------------------
user10&skynet.be Auth-Type := Local, User-Password == “password10"
1/1/1:1 00:00:64:06:08:02 1 0d 00:00:32 911374952 L2TP
Alc-Tunnel-Group = "MyProvider1",
PPP User-Name : user10@skynet.be
Alc-Subsc-ID-Str = "Radius-MySubMyProvider1"
Subscriber-interface : MySubItf1
Group-interface : MyGrpItf1
 30s E2E PPP keep alive used.
Subscriber Origin : Radius
Strings Origin : None
 Use debug
Subscriber : "Radius-MySubMyProvider1"
Sub-Profile-String : ""
SLA-Profile-String : ""
ANCP-String : ""
Int-Dest-Id : ""
App-Profile-String : ""
Category-Map-Name : ""

L2TP Group Name : MyProvider1


L2TP Assignment ID : MyTunnel1

Circuit-Id :
Remote-Id :
Service-Name : MyProvider1

Session-Timeout : N/A
Radius Class :
Radius User-Name : user10&skynet.be
------------------------------------------------------
Number of sessions : 1
280 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-2D : LUDB PRE-AUTH + Radius AUTH PAP-CHAP
 Setup N2X user10

281 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Agenda

7. 7x50 Wholesale-Retail L2TP implementation.


a) General
b) CLI changes on LUDB/PPPoE/PPPoE-Policy
c) Tunnel configuration possibilities
a) LUDB and configured L2TP group
a) Tools / clear / drain commands /Hello/idle-timeout

b) Tunnel selection / load balancing


c) Understanding tunnel-id/session-id
d) Security [tunnel-auth/AVP-hiding/anti-spoof/cpm-protection]
b) RADIUS
a) Radius returns tunnel-group that points to CLI configuration
b) Radius returns all parameters to setup tunnel
d) Miscellaneous (Wireshark , N2X , ….) Miscellaneous (Wireshark , N2X , ….)

282 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Radius Tunnel Configuration : Several possibilities

2. RADIUS

Description

Option 4A RADIUS returns all required parameters without tunnel-group

3. RADIUS

Description

Option 5A RADIUS returns all required parameters + Tunnel-Assignment-Id:0

Next

283 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Option 4A : RADIUS PAP-CHAP
Radius returns all required parameters without tunnel-group
=> default_radius_group created

284 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-4A : Authentication via Radius PAP-CHAP : No CLI L2TP configuration

CHAP
LAC RADIUS

PAP/CHAP Aggregation LNS


network IP/MPLS Internet
(optional)
BSAN

PADI, S-MAC 00:00:64:08:01:02,Session ID: 0x0000


,PPPoE tag: option: 0x101, 0x103
PADO, Session ID: 0x0000
Discovery stage

PPPoE tag: option: 0x101,0x102, 0x103, 0x104


PADR, Session ID: 0x0000
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
PADS, Session ID: 0x0001
PPPoE tag: option: 0x101,0x102, 0x103, 0x104

LCP Configuration Request : CHAP


LCP session negotiation

LCP Configuration Request


Session stage :

LCP Configuration Ack

LCP Configuration Ack


entry
PPP CHAP Challenge  NO Alc-Tunnel-Group
 Alc-Subsc-ID-Str
PPP CHAP response
Access-Request  Tunnel-Type:1 : …
Access-accept Tunnel-Medium-Type:1
Node creates automaticly L2TP Group Tunnel-Server-Endpoint:1
name “default_radius_group” Tunnel-Assignment-Id:1

285 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-4A : Authentication via Radius PAP-CHAP : No CLI L2TP configuration

CHAP

LAC RADIUS
PAP/CHAP
Aggregation LNS
network IP/MPLS Internet
(optional)
BSAN

Select valid tunnel in


“default_radius_group” accounting Request : start
accounting Response
SCCRQ
SCCRP
SCCCN
Initial Received LCP Confreq
Last Sent LCP confreq
Last Received LCP Confreq ICRQ
Proxy Auth type
Proxy Auth name ZLB
Proxy Auth Challenge ICRP
Proxy Auth ID
Proxy Auth Response ZLB
ICCN
ZLB

PPP CHAP Success

286 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-4A : Authentication via Radius PAP-CHAP : No CLI L2TP configuration
CHAP
LAC RADIUS
PAP/CHAP Aggregation LNS
network IP/MPLS Internet
(optional)
BSAN
IPCP Configure-request IP address: 192.168.60.1

IPCP Configure-request IP address: 0.0.0.0


IPCP Configure-Ack IP address: 192.168.60.1
Session stage :

IPCP Configure-Nack IP address: 192.168.60.4


IPCP

IPCP Configure-request IP address: 192.168.60.4


IPCP Configure-ack IP address: 192.168.60.4

LCP Echo Request


Keep-alive

LCP Echo Reply


Optional

LCP Echo Request

LCP Echo Reply

LCP Terminate Request


LCP Terminate Ack

CDN ( call Disconnect-Notification) + error code


PADT
Terminate
session

PADT
ZLB

accounting Request : stop


accounting Response

287 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-4A : Authentication via Radius PAP-CHAP : No CLI L2TP configuration

 Authentication policy under the *A:pe2.lab#


group interface. configure service ies 99999
subscriber-interface "MySubItf1" create
address 192.168.50.254/24
 No LUDB under PPPOE group-interface "MyGrpItf1" create
authentication-policy "knock-knock"
sap 1/1/1:1 create
sub-sla-mgmt
def-sub-profile "DefSubProfile"
def-sla-profile "DefSlaProfile"
sub-ident-policy "sub_ident_all"
multi-sub-sap 2000
no shutdown
exit
exit
pppoe
session-limit 10
sap-session-limit 10

no shutdown
exit
exit
exit
no shutdown

288 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-4A : Authentication via Radius PAP-CHAP : No CLI L2TP configuration
authentication-policy "knock-knock" create
 Authentication policy description "RADIUS policy"
no password
radius-authentication-server
 Accounting policy router "Base"
server 1 address 10.2.79.79 secret WhoIsThere
exit
pppoe-access-method pap-chap
include-radius-attribute
circuit-id
remote-id
nas-port-id
nas-identifier
radius-accounting-policy "GiveMeTheMoney" create pppoe-service-name
update-interval 5 dhcp-vendor-class-id
include-radius-attribute access-loop-options
framed-ip-addr mac-address
framed-ip-netmask exit
subscriber-id exit
circuit-id
remote-id
nas-port-id
nas-identifier
sub-profile
Configure router l2tp
sla-profile
no shutdown
calling-station-id
exit
user-name
exit
session-id-format number
use-std-acct-attributes
radius-accounting-server
server 1 address 10.2.79.79 secret WhoIsThere
exit
exit

289 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-4A : Authentication via Radius PAP-CHAP : No CLI L2TP configuration

 Tools RADIUS USER CHECK user12@skynet.be

 Radius user file user12@skynet.be Auth-Type := Local, User-password == "password12"


Alc-Subsc-ID-Str = "Radius-user12",
 tools perform security authentication-server-check no Alc-Tunnel-Group
Tunnel-Type:1 = L2TP,
server-address 10.2.79.79 user-name user12@skynet.be Tunnel-Medium-Type:1 = IP,
secret "WhoIsThere" password "password12" Tunnel-Server-Endpoint:1 = 192.4.1.2,
Tunnel-Assignment-Id:1 = MyTunnel1,
Authentication-server-check
=============================================================
23 2009/03/20 09:22:52.77 GMT MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Transmit
Access-Request(1) 10.2.79.79:1812 id 1 len 62
USER NAME [1] 16 user12@skynet.be
PASSWORD [2] 16 mvXhBjjEpxshYzek1V7xzE
NAS IP ADDRESS [4] 4 172.16.0.12
"
24 2009/03/20 09:22:52.81 GMT MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Receive
Access-Accept(2) id 1 len 77 from 10.2.79.79:1812
VSA [26] 15 Alcatel(6527)
SUBSC ID STR [11] 13 Radius-user12
TUNNEL TYPE [64] 4 1 L2TP(3)
TUNNEL MEDIUM TYPE [65] 4 1 IPv4(1)
TUNNEL SERVER ENDPOINT [67] 10 1 192.4.1.2
TUNNEL ASSIGNMENT ID [82] 10 1 MyTunnel1
"
SUCCESS: Request validated by radius.

290 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-4A : Authentication via Radius PAP-CHAP : No CLI L2TP configuration

 Setup N2X option4A user12@skynet.be show service id 99999 pppoe session detail
===================================================
user12@skynet.be PPPoE sessions for svc-id 99999
Auth-Type := Local, User-password == "password12"
===================================================
Alc-Subsc-ID-Str = "Radius-user12", Sap Id Mac Address Sid Up Time IP/L2TP-Id
no Alc-Tunnel-Group ---------------------------------------------------
Tunnel-Type:1 = L2TP, 1/1/1:1 00:00:64:09:01:03 1 0d 00:00:34 188312955
Tunnel-Medium-Type:1 = IP, PPP User-Name : user12@skynet.be
Tunnel-Server-Endpoint:1 = 192.4.1.2,
Tunnel-Assignment-Id:1 = MyTunnel1, Subscriber-interface : MySubItf1
Group-interface : MyGrpItf1

Subscriber Origin : Radius


Strings Origin : None

Subscriber : "Radius-user12"
Sub-Profile-String : ""
SLA-Profile-String : ""
ANCP-String : ""
Int-Dest-Id : ""
App-Profile-String : ""

TG with name L2TP Group Name : default_radius_group


L2TP Assignment ID : MyTunnel1
“default_radius_group created”
Circuit-Id :
Remote-Id :
Service-Name : MyProvider1

 Use debug Session-Timeout : N/A


Radius Class :
Radius User-Name : user12@skynet.be

291 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-4A : Authentication via Radius PAP-CHAP : No CLI L2TP configuration

 Setup N2X option4A user12@skynet.be

 Group name default_radius_group was automatically created.


show router l2tp tunnel detail
===============================================================================
L2TP Tunnel Status
===============================================================================

Connection ID : 188284928
State : established
IP : 0.0.0.0
Peer IP : 192.4.1.2
Name : pe2.lab
Remote Name : MyRemoteLns1
Assignment ID : MyTunnel1
Group Name : default_radius_group
Error Message : N/A

Remote Conn ID : 4294574080


Tunnel ID : 2873 Remote Tunnel ID : 65530
UDP Port : 1701 Remote UDP Port : 1701
Preference : 50
Hello Interval (s): infinite
Idle TO (s) : infinite Destruct TO (s) : 15
Max Retr Estab : 5 Max Retr Not Estab: 5
Session Limit : 32767 AVP Hiding : never
Transport Type : udpIp Challenge : never
Time Started : 03/18/2009 20:21:44 Time Idle : N/A
Time Established : 03/18/2009 20:21:44 Time Closed : N/A
Stop CCN Result : noError General Error : noError

292 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-4A : Authentication via Radius PAP-CHAP : No CLI L2TP configuration
 Setup N2X option4A user12@skynet.be

LNS

Selected by LAC

293 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail
Option-4A : Authentication via Radius PAP-CHAP : No CLI L2TP configuration
 Problem
 What if tunnel names ( tunnel-Assignment-Id) for different users are not unique ?

user12@skynet.be Auth-Type := Local, User-password == "password12"


no Alc-Tunnel-Group
Tunnel-Type:1 = L2TP,
Tunnel-Medium-Type:1 = IP,
Tunnel-Server-Endpoint:1 = 192.4.1.2,
Tunnel-Assignment-Id:1 = MyTunnel1,

user13@skynet.be Auth-Type := Local, User-password == "password13"


no Alc-Tunnel-Group
Tunnel-Type:1 = L2TP,
Tunnel-Medium-Type:1 = IP,
Tunnel-Server-Endpoint:1 = 192.5.1.2,
Tunnel-Assignment-Id:1 = MyTunnel1,

 Under the group default_radius_group tunnel MyTunnel1 is added ( which one)


 Always use unique Tunnel-Assignments when Radius TG not used.
 Use Special tag 0 for Tunnel-Assignment-Id that becomes the TG. ( 7.0R2 )

294 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Radius Tunnel Configuration : Several possibilities

2. RADIUS

Description

Option 4A RADIUS returns all required parameters without tunnel-group

3. RADIUS

Description

Option 5A RADIUS returns all required parameters + Tunnel-Assignment-Id:0

Next

295 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7.0R2

Option 5A : RADIUS PAP-CHAP


Radius returns all required parameters without tunnel-group
=> Tunnel-Assignment-Id 0 used in Radius

296 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail 7.0R2

Option-5A : Authentication via Radius PAP-CHAP : Tunnel-Assignment-Id:0

CHAP
LAC RADIUS

PAP/CHAP Aggregation LNS


network IP/MPLS Internet
(optional)
BSAN

PADI, S-MAC 00:00:64:09:01:04,Session ID: 0x0000


,PPPoE tag: option: 0x101, 0x103
PADO, Session ID: 0x0000
Discovery stage

PPPoE tag: option: 0x101,0x102, 0x103, 0x104


PADR, Session ID: 0x0000
PPPoE tag: option: 0x101,0x102, 0x103, 0x104
PADS, Session ID: 0x0001
PPPoE tag: option: 0x101,0x102, 0x103, 0x104

LCP Configuration Request : CHAP


LCP session negotiation

LCP Configuration Request


Session stage :

LCP Configuration Ack

LCP Configuration Ack


entry
PPP CHAP Challenge  Tunnel-Assignment-Id:0 name
 Alc-Subsc-ID-Str
PPP CHAP response
Access-Request  Tunnel-Type:1 : …
Access-accept  Tunnel-Medium-Type:1
Node creates automaticly L2TP Group  Tunnel-Server-Endpoint:1
name equal to the name from Tunnel-  Tunnel-Assignment-Id:1
Assignment-Id:0

297 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail 7.0R2

Option-5A : Authentication via Radius PAP-CHAP : Tunnel-Assignment-Id:0

CHAP

LAC RADIUS
PAP/CHAP
Aggregation LNS
network IP/MPLS Internet
(optional)
BSAN

Select valid tunnel in


group name equal accounting Request : start
tunnel-assignment:0 accounting Response
SCCRQ
SCCRP
SCCCN
Initial Received LCP Confreq
Last Sent LCP confreq
Last Received LCP Confreq ICRQ
Proxy Auth type
Proxy Auth name ZLB
Proxy Auth Challenge ICRP
Proxy Auth ID
Proxy Auth Response ZLB
ICCN
ZLB

PPP CHAP Success

298 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail 7.0R2

Option-5A : Authentication via Radius PAP-CHAP : Tunnel-Assignment-Id:0


CHAP
LAC RADIUS
PAP/CHAP Aggregation LNS
network IP/MPLS Internet
(optional)
BSAN
IPCP Configure-request IP address: 192.168.90.1

IPCP Configure-request IP address: 0.0.0.0


IPCP Configure-Ack IP address: 192.168.90.1
Session stage :

IPCP Configure-Nack IP address: 192.16.90.4


IPCP

IPCP Configure-request IP address: 192.168.90.14


IPCP Configure-ack IP address: 192.168.90.4

LCP Echo Request


Keep-alive

LCP Echo Reply


Optional

LCP Echo Request

LCP Echo Reply

LCP Terminate Request


LCP Terminate Ack

CDN ( call Disconnect-Notification) + error code


PADT
Terminate
session

PADT
ZLB

accounting Request : stop


accounting Response

299 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail 7.0R2

Option-5A : Authentication via Radius PAP-CHAP : Tunnel-Assignment-Id:0

 Authentication policy under the *A:pe2.lab#


group interface. configure service ies 99999
subscriber-interface "MySubItf1" create
address 192.168.50.254/24
 No LUDB under PPPOE group-interface "MyGrpItf1" create
authentication-policy "knock-knock"
sap 1/1/1:1 create
sub-sla-mgmt
def-sub-profile "DefSubProfile"
def-sla-profile "DefSlaProfile"
sub-ident-policy "sub_ident_all"
multi-sub-sap 2000
no shutdown
exit
exit
pppoe
session-limit 10
sap-session-limit 10

no shutdown
exit
exit
exit
no shutdown

300 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail 7.0R2

Option-5A : Authentication via Radius PAP-CHAP : Tunnel-Assignment-Id:0


authentication-policy "knock-knock" create
 Authentication policy description "RADIUS policy"
no password
radius-authentication-server
 Accounting policy router "Base"
server 1 address 10.2.79.79 secret WhoIsThere
exit
pppoe-access-method pap-chap
include-radius-attribute
circuit-id
remote-id
nas-port-id
nas-identifier
radius-accounting-policy "GiveMeTheMoney" create pppoe-service-name
update-interval 5 dhcp-vendor-class-id
include-radius-attribute access-loop-options
framed-ip-addr mac-address
framed-ip-netmask exit
subscriber-id exit
circuit-id
remote-id
nas-port-id
nas-identifier
sub-profile
Configure router l2tp
sla-profile
no shutdown
calling-station-id
exit
user-name
exit
session-id-format number
use-std-acct-attributes
radius-accounting-server
server 1 address 10.2.79.79 secret WhoIsThere
exit
exit

301 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail 7.0R2

Option-5A : Authentication via Radius PAP-CHAP : Tunnel-Assignment-Id:0

 Tools RADIUS USER CHECK 499 2009/03/20 12:05:41.24 GMT MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Transmit….
user13@skynet.be
500 2009/03/20 12:05:41.32 GMT MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Receive
 Radius user file Access-Accept(2) id 1 len 310 from 10.2.79.79:1812
USER NAME [1] 16 USER13@SKYNET.BE
VSA [26] 24 Alcatel(6527)
 tools perform security authentication- SUBSC ID STR [11] 22 Radius-MySubMyProvider
TUNNEL ASSIGNMENT ID [82] 26 MyProvider1_based_on_tag_0
server-check server-address 10.2.79.79 VSA [26] 6 Alcatel(6527)
TUNNEL DESTRUCT TIMEOUT [51] 4 0 60
user-name user13@skynet.be secret TUNNEL CLIENT AUTH ID [90] 26 Radius-returned-local-name
VSA [26] 6 Alcatel(6527)
"WhoIsThere" password "password13“ TUNNEL HELLO INTERVAL [50] 4 0 60
VSA [26] 6 Alcatel(6527)
TUNNEL MAX RETRIES NOT ESTAB [53] 4 0 2
VSA [26] 6 Alcatel(6527)
TUNNEL MAX SESSIONS [48] 4 0 100
TUNNEL TYPE [64] 4 1 L2TP(3)
 Radius users file contained several TUNNEL MEDIUM TYPE [65] 4 1 IPv4(1)
TUNNEL SERVER ENDPOINT [67] 10 1 192.4.1.2
other attributes. TUNNEL TYPE [64] 4 2 L2TP(3)
TUNNEL MEDIUM TYPE [65] 4 2 IPv4(1)
TUNNEL SERVER ENDPOINT [67] 10 2 192.4.2.2
TUNNEL ASSIGNMENT ID [82] 10 2 MyTunnel2
TUNNEL TYPE [64] 4 3 L2TP(3)
TUNNEL MEDIUM TYPE [65] 4 3 IPv4(1)
TUNNEL SERVER ENDPOINT [67] 10 3 192.4.3.2
TUNNEL ASSIGNMENT ID [82] 10 3 MyTunnel3
TUNNEL TYPE [64] 4 4 L2TP(3)
TUNNEL MEDIUM TYPE [65] 4 4 IPv4(1)
TUNNEL SERVER ENDPOINT [67] 10 4 192.4.4.2
TUNNEL PREFERENCE [83] 4 4 10
TUNNEL ASSIGNMENT ID [82] 10 4 MyTunnel4

302 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail 7.0R2

Option-5A : Authentication via Radius PAP-CHAP : Tunnel-Assignment-Id:0

 Setup N2X option5A user13@skynet.be


user13@skynet.be Auth-Type := Local, User-password == "password13"
user-name = "USER13@SKYNET.BE",
show service id 99999 pppoe session detail
Alc-Subsc-ID-Str = "Radius-MySubMyProvider", =========================================
Tunnel-Assignment-Id:0 = "MyProvider1_based_on_tag_0", PPPoE sessions for svc-id 99999
Alc-Tunnel-Destruct-Timeout:0 = 60, =========================================
Sap Id Mac Address Sid IP/L2TP-Id
Tunnel-Client-Auth-Id:0 = Radius-returned-local-name, -----------------------------------------
Alc-Tunnel-Hello-Interval:0 = 60, 1/1/1:1 00:00:64:09:01:04 1 188312955
Alc-Tunnel-Max-Retries-Not-Estab = 2,
PPP User-Name : user13@skynet.be
Alc-Tunnel-Max-Sessions = 100,
Tunnel-Type:1 = L2TP, Subscriber-interface : MySubItf1
Tunnel-Medium-Type:1 = IP, Group-interface : MyGrpItf1
Tunnel-Server-Endpoint:1 = 192.4.1.2, Subscriber Origin : Radius
Tunnel-Assignment-Id:1 = MyTunnel1, Strings Origin : None
Tunnel-Type:2 += L2TP,
Subscriber : "Radius-MySubMyProvider"
Tunnel-Medium-Type:2 += IP, Sub-Profile-String : ""
Tunnel-Server-Endpoint:2 += 192.4.2.2, SLA-Profile-String : ""
Tunnel-Assignment-Id:2 += MyTunnel2, ANCP-String : ""
Int-Dest-Id : ""
Tunnel-Type:3 += L2TP, App-Profile-String : ""
Tunnel-Medium-Type:3 += IP, Category-Map-Name : ""
Tunnel-Server-Endpoint:3 += 192.4.3.2,
L2TP Group Name : MyProvider1_based_on_tag_0
Tunnel-Assignment-Id:3 += MyTunnel3, L2TP Assignment ID : MyTunnel4
Tunnel-Type:4 += L2TP,
Tunnel-Medium-Type:4 += IP, Session-Timeout : N/A
Radius Class :
Tunnel-Server-Endpoint:4 += 192.4.4.2, Radius User-Name : USER13@SKYNET.BE
Tunnel-Preference:4 += 10,
Tunnel-Assignment-Id:4 += MyTunnel4
303 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail 7.0R2

Option-5A : Authentication via Radius PAP-CHAP : Tunnel-Assignment-Id:0

 Setup N2X option5A user13@skynet.be

 Group name MyProvider1_based_on_tag_0 was automatically created.


show router l2tp tunnel detail
===============================================================================
L2TP Tunnel Status
===============================================================================

Connection ID : 555483136
State : established
IP : 172.16.0.12
Peer IP : 192.4.4.2
Name : Radius-returned-local-name
Remote Name : MyRemoteLns4
Assignment ID : MyTunnel4
Group Name : MyProvider1_based_on_tag_0
Error Message : N/A

Remote Conn ID : 4294049792


Tunnel ID : 8476 Remote Tunnel ID : 65522
UDP Port : 1701 Remote UDP Port : 1701
Preference : 10
Hello Interval (s): 60
Idle TO (s) : infinite Destruct TO (s) : 60
Max Retr Estab : 5 Max Retr Not Estab: 2
Session Limit : 32767 AVP Hiding : never
Transport Type : udpIp Challenge : never
Time Started : 03/20/2009 15:06:55 Time Idle : N/A
Time Established : 03/20/2009 15:06:55 Time Closed : N/A
Stop CCN Result : noError General Error : noError

304 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail 7.0R2

Option-5A : Authentication via Radius PAP-CHAP : Tunnel-Assignment-Id:0


 Setup N2X option4A user12@skynet.be

LNS

Selected by LAC

Because the lower preference

305 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
CLI –RADIUS Overview

CLI L2TP Group Tunnel 7.0R1 radius-name Beta 7.0R1 7.0R2


session-limit √ - - N/A N/A N/A N/A
group-name - √ - Alc-Tunnel-Group U U U
avp-hiding - √ √ Alc-Tunnel-AVP-Hidingsensitive-o T:n Blocked T:0 & T:n
challenge √ √ Alc-Tunnel-Challenge T:n Blocked T:0 & T:n
description - √ √ N/A N/A N/A N/A
destruct-timeout - √ √ Alc-Tunnel-Destruct-Timeout U Blocked T:0 & T:n
hello-interval - √ √ Alc-Tunnel-Hello-Interval U Blocked T:0 & T:n
idle-timeout - √ √ Alc-Tunnel-Idle-Timeout U Blocked T:0 & T:n
local-name - √ √ Tunnel-Client-Auth-Id T:n T:n T:0 & T:n
max-retries-estab - √ √ Alc-Tunnel-Max-Retries-Estab** U Blocked T:0 & T:n
max-retries-not-estab - √ √ Alc-Tunnel-Max-Retries-Not-Estab** U Blocked T:0 & T:n
password - √ √ Tunnel-Password T:n T:n T:0 & T:n
session-assign-method - √ Alc-Tunnel-Algorithm U U U
session-limit - √ √ Alc-Tunnel-Max-Sessions T:n Blocked T:0 & T:n
tunnel-name - - √ Tunnel-Assignment-Id T:n T:n T:n
auto-establish - - √ N/A N/A N/A N/A
peer - - √ Tunnel-Server-Endpoint T:n T:n T:n
preference - - √ Tunnel-Preference T:n T:n T:n
remote-name - - √ Tunnel-Server-Auth-Id T:n T:n T:n

306 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Redback-Juniper VSA’s End

 Supported Redback ( vendor-id 2352) and Juniper ( vendor-id 4874) VSA’s


Redback VSA's:

#define PW_REDBACK_PRIMARY_DNS 1 ipaddr

#define PW_REDBACK_SECONDARY_DNS 2 ipaddr

#define PW_REDBACK_TUNNEL_MAX_SESSIONS 21 integer

#define PW_REDBACK_ADDRESS_POOL 36 string

#define PW_REDBACK_PRIMARY_NBNS 99 ipaddr

#define PW_REDBACK_SECONDARY_NBNS 100 ipaddr

Juniper VSA's:

#define PW_JUNIPER_ADDRESS_POOL 2 string

#define PW_JUNIPER_PRIMARY_DNS 4 ipaddr

#define PW_JUNIPER_SECONDARY_DNS 5 ipaddr

#define PW_JUNIPER_PRIMARY_WINS 6 ipaddr

#define PW_JUNIPER_SECONDARY_WINS 7 ipaddr

#define PW_JUNIPER_TUNNEL_MAX_SESSIONS 33 integer

#define PW_JUNIPER_TUNNEL_GROUP 64 string

307 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Agenda

7. 7x50 Wholesale-Retail L2TP implementation.


a) General
b) CLI changes on LUDB/PPPoE/PPPoE-Policy
c) Tunnel configuration possibilities
a) LUDB and configured L2TP group
a) Tools / clear / drain commands /Hello/idle-timeout

b) Tunnel selection / load balancing


c) Understanding tunnel-id/session-id
d) Security [tunnel-auth/AVP-hiding/anti-spoof/cpm-protection]
b) RADIUS
a) Radius returns tunnel-group that points to CLI configuration
b) Radius returns all parameters to setup tunnel
d) Miscellaneous (Wireshark , N2X , ….)

308 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
Wire shark example

 Mirror all Client  LAC and LAC  LNS packets

 Install filter on Wireshark to see only packets related to the PPP protocol.

309 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
CONFIDENTIAL – internal use only
N2X : Nice to Know

6.11 N2X LNS does not support PPPoE circuit-id / remote-id in ICRQ

 Sends an CDN with error code: bad ICRQ packet

 The circuit-id & remote-id are NOT Vendor specific AVP’s but ADSL forum AVP’s.

 Wire shark trace from ICRQ and CDN

310 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
CONFIDENTIAL – internal use only
N2X : Nice to Know

6.11 N2X LNS sends a stop CCN when last PPPoE session is terminated on this tunnel.

 Reply from N2X


 The RFC states : Session teardown may be initiated by either the LAC or LNS and is
accomplished by sending a CDN control message. After the last session is cleared, the
control connection MAY be torn down as well (and typically is).
 Right now, N2X does not allow user-control for whether or not the control connection is
torn down after the last session close.

311 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
CONFIDENTIAL – internal use only
N2X : Nice to Know

6.11 N2X LNS can not authenticate the tunnel.

 N2X can configure secret but does not include challenge in SCCRQ or SCCRP.

6.11 N2X LNS does not support AVP-hiding


 No current plan to add this on N2X

312 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
CONFIDENTIAL – internal use only
N2X : Nice to Know

6.11 N2X LNS does not support PAP proxy authentication

 The problem is that when PAP authentication is used, we do not recognize the
proxy values in the ICCN message. Instead of replying with a PAP authentication
message we initiate the LCP negotiation again.

 For proxy authentication the only workaround at the moment is to use CHAP.

 Solved in N2X 6.12

313 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
CONFIDENTIAL – internal use only
L2TP and LDP-shortcuts : Nice to Know

PTS 554357 ( DTS-RFE 79751)


 L2TP over LDP is currently not supported.

 Routing table towards LNS


IES/VRF IBGP lo=172.16.0.4
FIB Display
=====================================
IES/VRF L2TP tunnel ISP3 ISP3
Prefix Protocol
NextHop LDP LNS3
------------------------------------- 7750 SR PE-edge
192.4.1.2/32 BGP LAC
172.16.0.14 (Transport:LDP) LNS=192.4.1.2
@IP-LNS3/32 ( IBGP) @IP-LNS3/32(BGP

1621 2009/03/10 05:19:33.16 GMT WARNING: PORT #2036 Base Port


"A functionality is required from port /0 that it cannot support -
next-hop of 192.4.1.2 is not on a network interface"

 Design workaround :
 Redistribute on PE-edge the /32 LNS in IGP (OSPF/ISIS).
 Disable LDP-shortcuts on LAC ( if possible).

314 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
CONFIDENTIAL – internal use only
Receive OCRQ : Nice to Know

DTS 78621
 On reception of an unsupported OCRQ we should send back a CDN

 Today we send back a STOPcc instead.

DTS 79617

 L2TP: downstream data path breaks after applying an egress ip-filter log in the
SLA profile.
 Workaround in 7.0R1 : don’t apply ip-filter in sla-profile for L2TP subscriber.
 Solution in 7.0 maintenance release.

315 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation
CONFIDENTIAL – internal use only
Nice to Know

 Does the NW-side for the Next-Hop towards the l2TP peer needs to be a
network port?
 Yes and the LNS may not be directly connected.

 Can the NW-side also be an IES service and incase yes do we support that this
IES uses spoke-SDP’s to connect the core?
 No
 Is it correct that we cannot setup a tunnel within a VPRN?
 Yes , we can not.
 If the above is correct why do we have in CLI “configure router 200 sgt-qos
application l2tp dscp”.
 CLI is currently not making a distinction between the base router and a VPRN router
instance

316 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
8 Customer cases

updated

317 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Customer cases
CONFIDENTIAL – internal use only
Overview

RADIUS LUDB Wholesale Testing Deployed


Customer Country PADI PAP/CHAP PADI PAP/CHAP Retail LAC LNS MSAP VRF-selection
Arcor Germany - √ - - - √ √ - √ - -
Brazil Telecom Brazil - √ - - - - - - - - -
Belgacom Belgium - - - - - √ - - √ - -
BT UK - - - - - - - - - - -
BTC Bulgaria. Bulgaria - √ - - - - - - √ √ -
CMCC (China Mobile) China - √ - - √ √ √ √ - √ -
CT (China Telecom) China - √ - - √ √ √ √ - √ -
CU (China Unicom) China - - - - √ √ √ √ - √ -
Etisalat UAE - - - - - - - - - - -
GDS-Libanon Libanon - √ - - - - - √ √ - √
eircom Ireland - √ - - √ √ √ - - - -
Iceland Telecom (Siminn) Iceland - √ - - √ √ - - - - -
Inexus UK - √ √ - √ - - - - - √
MTNL India - √ - - √ √ - - - - -
Oi Brazil - √ - - - - - - - - -
Orange UK - √ - - - - - - - - -
PT lux Luxemburg - √ - - - √ - - - - -
RomTelecom Servie - - - - - √ - - - - -
RpskeTelecom Servie - √ - - - - - - - - -
SrbijaTelecom Servie - √ - - - √ √ - - - -
Telefonica LATAM LATAM - √ - - - - - - - - -
TurkTelecom Turkey - √ - - - √ - - - - -
Unidate Italy - √ - - - √ √ - √ - -
VF-GR Greece - - - - - - √ - - - -

Please mail any updates/remarks on this page to bert.todts@alcatel-lucent.be

318 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
9 scalability

updated

319 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation.
Scalability : Number of tunnels per domain aka l2tp group

 L2TP group/domain can have maximum 31 tunnel destinations

group "MyProviderScale1”
tunnel group MyProviderScale1
tunnel "MyTunnel1"
local-address 172.16.0.12
local-name "MyLac1"
peer 192.6.1.2 Provider1
exit
....
tunnel "MyTunnel31"
local-address 172.16.0.12
LAC
local-name "MyLac1"
peer 192.6.31.2
exit
tunnel group MyProviderScale2
group "MyProviderScale2” Provider2
group "MyProviderScale3”
group "MyProviderScale4”

*A:pe2.lab>config>router>l2tp>group# tunnel MyTunnel32


MINOR: L2TP #1001 The maximum number of instances already exist - (max 31 tunnels in group)

320 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation.
CONFIDENTIAL – internal use only
Scalability :

 Internal info
Values are correct for local sessions in 7.0R1
Tunneled sessions in 7.0R1 is 32K
Tunneled sessions in 7.0R3 SR-7 is 64K target
Tunneled sessions in 7.0R3 SR-12 is 128K target

SR1 SR7/SR-12 c4/c12

7.0R1 : N/A
7.0R2 : 1K target
7.0R1 : 1K tunnels
7.0R2 : 4K tunnels 7.0R1 : 32K
7.0R3 : 16K tunnels target No current Plans to increase

321 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
10 Evolution

new

322 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
CONFIDENTIAL – internal use only
PPPoE evolution in future releases

 LNS

 LTS ( LNS Tunnel Switch )

 L2TP setup in VPRN context.

 Authentication Fallback scenario( s) when Radius server not available.

 Extendable Authentication Protocol ( EAP) in pass through mode to RADIUS.

 RFC 3579: RADIUS support for EAP

 It is not the idea to locally terminate EAP on the box.

323 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation.
Conclusion

 PADI/PAP/CHAP authentication via LUDB/RADIUS ( service-name/ domain-only …)

 PPPoE Retail
 PPPoE wholesale LAC functionality
 PPPoE wholesale LNS ( Future Release)
 L2TP uplinks require network ports on IOM3/IMM
 L2TP IP-routed ( GRE like) in Base instance.
 L2TP tunnel can be pre-signaled ( auto-establish / tools command)
 L2TP tunnel selection mechanism ( existing-first <> weighted)
 AVP-hiding level configurable.
 Tag:0 for tunnel-assignment supported from Radius (group-name) (7.0R2)
 Setup rates and scaling numbers can compete with the other BRAS vendors.

 Ready for customer deployments !!!!!

324 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Thank You
www.alcatel-lucent.com

325 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
PPPoE Related CLI commando’s

 show service id 998 pppoe summary


– Returns only the number of sessions

===============================================================================
PPPoE Summary info for IES svc-id 998
===============================================================================
Number of sessions : 1
===============================================================================

326 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
PPPoE Related CLI commando’s

 show service id 998 pppoe session


– Returns sap-id , Mac , SID , UP-time , ip@ per session

A:pe2.lab# show service id 998 pppoe session

===============================================================================
PPPoE sessions for svc-id 998
===============================================================================
Sap Id Mac Address Sid Up Time IP Address
-------------------------------------------------------------------------------
1/1/7 00:00:00:00:00:01 1 0d 00:02:21 192.168.42.1
-------------------------------------------------------------------------------
Number of sessions : 1
===============================================================================

327 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
PPPoE Related CLI commando’s

 show service id 998 pppoe statistics


A:pe2.lab# show service id 998 pppoe statistics

===============================================================================
PPPoE statistics for IES service 998
===============================================================================
Packet Type Received Transmitted
-------------------------------------------------------------------------------
PADI 1 -
PADO - 1
PADR 1 -
PADS - 1
PADT 0 0
session 9 10
-------------------------------------------------------------------------------
Drop Counters
-------------------------------------------------------------------------------
Rx Invalid Version : 0
Rx Invalid Type : 0
Rx Invalid Code : 0
Rx Invalid Session : 0
Rx Invalid Length : 0
Rx Invalid Tags : 0
Rx Invalid AC-Cookie : 0
Rx Dropped : 0
===============================================================================

328 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
PPPoE Related CLI commando’s

 show service id 998 pppoe session session-id 1 mac 00:00:00:00:00:01 detail


PPPoE sessions for svc-id 998
===============================================================================
Sap Id Mac Address Sid Up Time IP Address
-------------------------------------------------------------------------------
1/1/7 00:00:00:00:00:01 1 0d 00:05:32 192.168.42.1

LCP State : Opened


IPCP State : Opened
PPP MTU : 1000
PPP Auth-Protocol : CHAP
PPP User-Name : user1@domain1
Subscriber-interface : to_A2_via_hairpin
Group-interface : isam-1
Subscriber Origin : Local-User-Db
Strings Origin : Local-User-Db
IPCP Info Origin : Local-User-Db

Subscriber : "user1"
Sub-Profile-String : "sub1"
SLA-Profile-String : "sla1"
ANCP-String : ""
Int-Dest-Id : ""
App-Profile-String : ""
Primary DNS : 138.203.144.51
Secondary DNS : N/A
Primary NBNS : 138.203.144.51
Secondary NBNS : N/A
Circuit-Id :
Remote-Id :
Session-Timeout : N/A
-------------------------------------------------------------------------------
Number of sessions : 1
329 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
PPPoE Related CLI commando’s

 show service id 998 pppoe session session-id 1 mac 00:00:00:00:00:01 statistics


PPPoE sessions for svc-id 998
===============================================================================
Sap Id Mac Address Sid Up Time IP Address
-------------------------------------------------------------------------------
1/1/7 00:00:00:00:00:01 1 0d 00:09:32 192.168.42.1
Packet Type Received Transmitted
-------------------------------------------------------------------------------
LCP Configure-Request 1 1
LCP Configure-Ack 1 1
LCP Configure-Nak 0 0
Note :
LCP Configure-Reject 0 0
LCP Terminate-Request 0 0 Notice that the 7750 has a LCP echo-request = 0 .
LCP Terminate-Ack 0 0 This means that only the client sends keep alives.
LCP Code-Reject 0 0
LCP Echo-Request 57 0 7750/7710 will rely on the keeplalive from the client
LCP Echo-Reply 0 57
LCP Protocol-Reject 0 0
incase the LCP echo-request from the client comes
LCP Discard-Request 0 0 faster than the configured keepalive transmit (
keepalive/hold-up-multiplier). Optimisation.
-------------------------------------------------------------------------------
PAP Authenticate-Request 0 -
PAP Authenticate-Ack - 0
PAP Authenticate-Nak - 0
-------------------------------------------------------------------------------
CHAP Challenge - 1
CHAP Response 1 -
CHAP Success - 1
CHAP Failure - 0
-------------------------------------------------------------------------------
IPCP Configure-Request 2 1
IPCP Configure-Ack 1 1
IPCP Configure-Nak 0 1
IPCP Configure-Reject 0 0
IPCP Terminate-Request 0 0
IPCP Terminate-Ack 0 0
IPCP Code-Reject 0 0
-------------------------------------------------------------------------------
Unknown Protocol 0 -
-------------------------------------------------------------------------------
330 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
PPPoE Related CLI commando’s

 tools dump pppoe sap 1/1/7 session-id 1


==============================================================================
Id : 998,1/1/7,00:00:00:00:00:01,1 ppp unit : 5
==============================================================================
looped back : no dbgMask : 0x0
------------------------------------------------------------------------------
LCP
------------------------------------------------------------------------------
phase : NETWORK state : OPENED
passive : off silent : off
restart : off

mru : 1000 mtu : 1002


ack'd peer mru : 1492
local magic : 0x199cf0b7 peer magic : 0x0

options mru asyncMap upap chap magic pfc


we negotiate Yes No Yes Yes Yes No
peer ack'd Yes No Yes Yes Yes No
we allow Yes No No No Yes No
we ack'd Yes No No No No No

options acfc lqr mrru shortSeq endPoint mlhdrfmt


we negotiate No No No No No No
peer ack'd No No No No No No
we allow No No No No No No
we ack'd No No No No No No

… CONTNUE ON NEXT SLIDE

331 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
PPPoE Related CLI commando’s

 tools dump pppoe sap 1/1/7 session-id 1

------------------------------------------------------------------------------
IPCP
------------------------------------------------------------------------------
active : yes state : OPENED

local ip : 192.168.42.254 peer ip : 192.168.42.1


local pri DNS : 0.0.0.0 peer pri DNS : 0.0.0.0
local sec DNS : 0.0.0.0 peer sec DNS : 0.0.0.0
local pri NBNS : 0.0.0.0 peer pri NBNS : 0.0.0.0
local sec NBNS : 0.0.0.0 peer sec NBNS : 0.0.0.0

options addr oldAddr reqAddr vj oldVJ


we negotiate Yes No Yes No No
peer ack'd Yes No Yes No No
we allow Yes No No No No
we ack'd Yes No No No No

options priDns secDns priNbns secNbns


we negotiate No No No No
peer ack'd No No No No
we allow Yes No Yes No
we ack'd No No No No

332 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
PPPoE Related CLI commando’s
 tools perform subscriber-mgmt local-user-db ludb-1 pppoe host-lookup user-name user1@domain1
A:pe2.lab# tools perform subscriber-mgmt local-user-db ludb-1 pppoe host-lookup
user-name user1@domain1

===============================================================================
PPPoE host Lookup results
===============================================================================
Result : Success
Matched Host Name : host1

Admin State : enabled


User Name Format : full
PPPoE User Name : user1@domain1

Password Type : chap


Password hash2 : 3wKFRgNfgW.0oL11a5vZ8ZzQ4/uBFHPQ
Subscriber : user1
SLA-Profile-String: sla1
Sub-Profile-String: sub1
IP Address : 192.168.42.1
===============================================================================

A:pe2.lab# tools perform subscriber-mgmt local-user-db ludb-1 pppoe host-lookup


user-name user1@domain2

===============================================================================
PPPoE host Lookup results
===============================================================================
Result : host not found
===============================================================================
333 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
PPPoE Related CLI commando’s

 Ludb-1 uses match-list username but host200 has host-identification MAC


*A:pe2.lab# show subscriber-mgmt local-user-db ludb-1 pppoe-unmatched-hosts

==============================================================================
Local User Database "ludb-1" PPPoE unmatched hosts
==============================================================================
Name Reason Duplicate Host
------------------------------------------------------------------------------
host200 No match N/A
------------------------------------------------------------------------------
Number of PPPoE Unmatched Hosts : 1

 Ludb-1 uses match-list username and host200 uses username of host1

*A:pe2.lab# show subscriber-mgmt local-user-db ludb-1 pppoe-unmatched-hosts

==============================================================================
Local User Database "ludb-1" PPPoE unmatched hosts
==============================================================================
Name Reason Duplicate Host
------------------------------------------------------------------------------
host200 Duplicate host1
------------------------------------------------------------------------------
Number of PPPoE Unmatched Hosts : 1
==============================================================================

334 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
PPPoE Related CLI commando’s

 show subscriber-mgmt local-user-db

A:pe2.lab# show subscriber-mgmt local-user-db

===============================================================================
Local User Databases
===============================================================================
Name Admin Host Description
State Count
-------------------------------------------------------------------------------
ludb-1 Up 5
ludb-2 Up 1
-------------------------------------------------------------------------------
Number of Local User Databases : 2 Number of Hosts : 6
===============================================================================

335 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
PPPoE Related CLI commando’s
• show subscriber-mgmt local-user-db ludb-1 pppoe-all-hosts

A:pe2.lab# show subscriber-mgmt local-user-db ludb-1 pppoe-all-hosts

===============================================================================
Local User Database "ludb-1" PPPoE hosts
===============================================================================
Name Admin Matched objects
State
-------------------------------------------------------------------------------
host1 Up userName
host2 Up userName
host3 Up userName
host14 Up userName
host253 Up userName
-------------------------------------------------------------------------------
Number of PPPoE Hosts : 5
===============================================================================

336 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
PPPoE Related CLI commando’s

 show subscriber-mgmt local-user-db ludb-1 pppoe-host host1


A:pe2.lab# show subscriber-mgmt local-user-db ludb-1 pppoe-host host1

===============================================================================
PPPoE Host "host1"
===============================================================================
Admin State : Up
Last Mgmt Change : 03/16/2008 09:29:58

Host Indentification
Mac Address : N/A
Circuit Id : N/A
Remote Id : N/A
User Name : user1@domain1

Matched Objects : userName

Address : 192.168.42.1
Password Type : CHAP

Identification Strings (option 2)


Subscriber Id : user1
SLA Profile String : sla1
Sub Profile String : sub1
App Profile String : N/A
ANCP String : N/A
Inter Destination Id: N/A

337 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Radius Related CLI commando’s
• Returns all authentication policies.

*A:pe2.lab# show subscriber-mgmt authentication

===============================================================================
Authentication Policies
===============================================================================
Name Description
-------------------------------------------------------------------------------
knock-knock RADIUS policy
-------------------------------------------------------------------------------
Number of Authentication Policies : 1
===============================================================================

338 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Radius Related CLI commando’s
• Oper-state “unknown” until first access-request to server via this policy.

A:pe2.lab# show subscriber-mgmt authentication knock-knock

===============================================================================
Authentication Policy knock-knock
===============================================================================
Description : RADIUS policy
Re-authentication : No Username Format : Circuit-id
PPPoE Access Method : PADI
Last Mgmt Change : 03/18/2008 13:10:42
-------------------------------------------------------------------------------
Include Radius Attributes
-------------------------------------------------------------------------------
Remote Id : No Circuit Id : No
NAS Port Id : Yes NAS Identifier : No
PPPoE Service Name : Yes DHCP Vendor Class Id : No
Access Loop Options : No MAC Address : No
-------------------------------------------------------------------------------
Radius Servers
-------------------------------------------------------------------------------
Router : Base Source Address : N/A
Access Algorithm : Direct Retry : 3
Timeout : 5
-------------------------------------------------------------------------------
Index IP Address Port Oper State
Status is unknown until
-------------------------------------------------------------------------------
1 10.2.79.79 1812 Unknown first request is send for this policy
===============================================================================
339 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Radius Related CLI commando’s
• subscriber packets rejected increased after retries reached

*A:pe2.lab# show subscriber-mgmt authentication knock-knock statistics

===============================================================================
Authentication Policy Statistics
===============================================================================
-------------------------------------------------------------------------------
Policy name : knock-knock
subscriber packets authenticated : 1
subscriber packets rejected : 2
-------------------------------------------------------------------------------
radius server requests requests requests requests requests requests
idx IP-address accepted rejected no reply md5 failed pending send failed
-------------------------------------------------------------------------------
1 10.2.79.79 1 0 6 0 1 0
===============================================================================

340 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Radius Related CLI commando’s

• Does not influences the operational state of the server


A:pe2.lab# tools perform security authentication-server-check server-address 10.2.79.79
user-name "TRE26 atm 1/1/01/22:8.35" password "LetMeIn" secret "WhoIsThere"
===============================================================================
Authentication-server-check
===============================================================================
SUCCESS: Request validated by radius.
447 2008/03/18 13:07:05.19 UTC MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Access-Request
user TRE26 atm 1/1/01/22:8.35

448 2008/03/18 13:07:05.19 UTC MINOR: DEBUG #2001 Base RADIUS


"RADIUS: Transmit
Access-Request(1) 10.2.79.79:1812 id 1 len 70
USER NAME [1] 24 TRE26 atm 1/1/01/22:8.35
PASSWORD [2] 16 hTR6boA9DwzV3BzJwgRvh.
NAS IP ADDRESS [4] 4 172.16.0.12

449 2008/03/18 13:07:05.21 UTC MINOR: DEBUG #2001 Base RADIUS


"RADIUS: Receive
Access-Accept(2) id 1 len 81 from 10.2.79.79:1812
VSA [26] 7 Alcatel(6527)
SUBSC ID STR [11] 5 user5
VSA [26] 6 Alcatel(6527)
SUBSC PROF STR [12] 4 sub1
VSA [26] 6 Alcatel(6527)
SLA PROF STR [13] 4 sla1
FRAMED IP ADDRESS [8] 4 192.168.42.5
FRAMED IP NETMASK [9] 4 255.255.255.0
341 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Radius Accounting Related CLI commando’s

show subscriber-mgmt radius-accounting-policy

===============================================================================
Radius Accounting Policies
===============================================================================
Name Description
-------------------------------------------------------------------------------
GiveMeTheMoney
-------------------------------------------------------------------------------
Number of Radius Accounting Policies : 1
===============================================================================

342 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Radius Accounting Related CLI commando’s

*A:pe2.lab# show subscriber-mgmt radius-accounting-policy GiveMeTheMoney statistics

===============================================================================
Radius Accounting Policy GiveMeTheMoney Statistics
===============================================================================
Tx Requests : 3 Rx Responses : 2
Request Timeouts : 0 Send Retries : 0
Send Failed : 1
-------------------------------------------------------------------------------
Radius Servers
-------------------------------------------------------------------------------
Index IP Address Tx Reqs Rx Resps Req Timeouts Req Send Failed
-------------------------------------------------------------------------------
1 10.2.79.79 2 2 0 1
===============================================================================

343 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Radius Accounting Related CLI commando’s

show subscriber-mgmt radius-accounting-policy GiveMeTheMoney


===============================================================================
Radius Accounting Policy GiveMeTheMoney
===============================================================================
Update Interval : 10 Session-id Format : Description
Last Mgmt Change : 04/07/2008 14:32:10
-------------------------------------------------------------------------------
Include Radius Attributes
-------------------------------------------------------------------------------
Framed IP Address : Yes Framed Ip Netmask : Yes
Subscriber Id : Yes Circuit Id : Yes
Remote Id : Yes NAS Port Id : Yes
NAS Identifier : Yes Sub-Profile : Yes
SLA-Profile : Yes
-------------------------------------------------------------------------------
Radius Servers
-------------------------------------------------------------------------------
Router : Base Source Address : 172.16.0.12 State updated when first client
Access Algorithm : Direct Retry :3 uses this account server
Timeout :5
-------------------------------------------------------------------------------
Index IP Address Port Oper State
-------------------------------------------------------------------------------
1 10.2.79.79 1813 unknown ->Up
927 2008/0x/0x 15:12:13.51 UTC MINOR: SVCMGR #2506 Base
===============================================================================
"Subscriber Accounting RADIUS server 10.2.79.79 operational
status changed to inService."

344 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
DHCP and PPPoE clients on same interface

 Lets assume following Case :


authentication-policy "knock-knock" create
 DHCP and PPPoE on same interface description "RADIUS policy"
password "LetMeIn"
radius-authentication-server
 PPPoE wants PAP/CHAP LUDB AUTH router "Base"
server 1 address 10.2.79.79 secret . .
 DHCP wants AUTH via RADIUS exit
pppoe-access-method none
. . .
exit

 Configure both pap-chap-user-db and


*A:pe2.lab# *A:pe2.lab#
authentication-policy. configure service ies 998
subscriber-interface "to_A2_via_hairpin" create
address 192.168.42.254/24
 Configure pppoe-access-method none group-interface “isam-1" create
authentication-policy "knock-knock"
sap 1/1/7 create
 Result sub-sla-mgmt
sub-ident-policy "sub_ident_all“
 PPPoE looks first to auth-policy but falls no shutdown
exit
back to LUDB because of none : OK exit
pppoe
 DHCP looks first to auth-policy : OK pap-chap-user-db "ludb-1"
no shutdown
exit
exit
exit
no shutdown

345 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Customer cases : INEXUS

A:GLB1-01-01-7750-01# show service id 100 pppoe session

Sap Id Mac Address Sid Up Time IP Address


-------------------------------------------------------------------------------
2/1/1:12 00:1b:2f:48:55:29 1 2d 15:14:54 62.208.235.75
LCP State : Opened
IPCP State : Opened
PPP MTU : 1492
PPP Auth-Protocol : CHAP
PPP User-Name : test@seethelight.co.uk

Subscriber-interface : GPON-7342-1
Group-interface : interface_1
A:GLB1-01-01-7750-01#
==============================
Subscriber Origin : Local-User-Db
Leases for DHCP server
Strings Origin : Local-User-Db
===============================
IPCP Info Origin : DHCP
IP Address
PPPoE user name
Subscriber : "user1"
User-db-hostname State mac Type
Sub-Profile-String : "sub1"
------------------------------------------------
SLA-Profile-String : "sla1"
62.208.235.75 stable 00:1b:2f:48:55:29 pppoe
ANCP-String : ""
test@seethelight.co.uk
Int-Dest-Id : ""
business1
App-Profile-String : ""

Primary DNS : 141.1.1.1


Secondary DNS : 212.80.175.1

Circuit-Id : CRD1-01-7342-01 PON 1/1/01/01:1.1.1


346 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Max number of sessions per MAC
show service id 998 pppoe session Sap Id Mac Address Sid Up Time IP Address
----------------------------------------------------------------------------
Sap Id Mac Address Sid Up Time IP Address
1/1/9:998 00:00:c0:01:01:02 32 0d 00:35:01 192.168.42.32
-------------------------------------------------------------------------------
1/1/9:998 00:00:c0:01:01:02 1 0d 00:35:00 192.168.42.1 1/1/9:998 00:00:c0:01:01:02 33 0d 00:35:01 192.168.42.33
1/1/9:998 00:00:c0:01:01:02 2 0d 00:35:00 192.168.42.2 1/1/9:998 00:00:c0:01:01:02 34 0d 00:35:01 192.168.42.34
1/1/9:998 00:00:c0:01:01:02 3 0d 00:35:00 192.168.42.3 1/1/9:998 00:00:c0:01:01:02 35 0d 00:35:01 192.168.42.35
1/1/9:998 00:00:c0:01:01:02 4 0d 00:35:00 Session-id 1
192.168.42.4 1/1/9:998 00:00:c0:01:01:02 36 0d 00:35:01 192.168.42.36
1/1/9:998 00:00:c0:01:01:02 5 0d 00:35:00 192.168.42.5 1/1/9:998 00:00:c0:01:01:02 37 0d 00:35:01 192.168.42.37
1/1/9:998 00:00:c0:01:01:02 6 0d 00:35:00 192.168.42.6 1/1/9:998 00:00:c0:01:01:02 38 0d 00:35:01 192.168.42.38
1/1/9:998 00:00:c0:01:01:02 7 0d 00:35:00 192.168.42.7 1/1/9:998 00:00:c0:01:01:02 39 0d 00:35:01 192.168.42.39
1/1/9:998 00:00:c0:01:01:02 8 0d 00:35:00 192.168.42.8 1/1/9:998 00:00:c0:01:01:02 40 0d 00:35:01 192.168.42.40
1/1/9:998 00:00:c0:01:01:02 9 0d 00:35:00 192.168.42.9 1/1/9:998 00:00:c0:01:01:02 41 0d 00:35:01 192.168.42.41
1/1/9:998 00:00:c0:01:01:02 10 0d 00:35:00 192.168.42.10 1/1/9:998 00:00:c0:01:01:02 42 0d 00:35:01 192.168.42.42
1/1/9:998 00:00:c0:01:01:02 11 0d 00:35:00 192.168.42.11 1/1/9:998 00:00:c0:01:01:02 43 0d 00:35:01 192.168.42.43
1/1/9:998 00:00:c0:01:01:02 12 0d 00:35:00 192.168.42.12 1/1/9:998 00:00:c0:01:01:02 44 0d 00:35:01 192.168.42.44
1/1/9:998 00:00:c0:01:01:02 13 0d 00:35:00 192.168.42.13 1/1/9:998 00:00:c0:01:01:02 45 0d 00:35:01 192.168.42.45
1/1/9:998 00:00:c0:01:01:02 14 0d 00:35:00 192.168.42.14 1/1/9:998 00:00:c0:01:01:02 46 0d 00:35:01 192.168.42.46
1/1/9:998 00:00:c0:01:01:02 15 0d 00:35:00 192.168.42.15 1/1/9:998 00:00:c0:01:01:02 47 0d 00:35:01 192.168.42.47
1/1/9:998 00:00:c0:01:01:02 16 0d 00:35:00 192.168.42.16 1/1/9:998 00:00:c0:01:01:02 48 0d 00:35:01 192.168.42.48
1/1/9:998 00:00:c0:01:01:02 17 0d 00:35:01 192.168.42.17 1/1/9:998 00:00:c0:01:01:02 49 0d 00:35:01 192.168.42.49
1/1/9:998 00:00:c0:01:01:02 18 0d 00:35:01 192.168.42.18 1/1/9:998 00:00:c0:01:01:02 50 0d 00:35:01 192.168.42.50
1/1/9:998 00:00:c0:01:01:02 19 0d 00:35:01 192.168.42.19 1/1/9:998 00:00:c0:01:01:02 51 0d 00:35:00 192.168.42.51
1/1/9:998 00:00:c0:01:01:02 20 0d 00:35:01 192.168.42.20 1/1/9:998 00:00:c0:01:01:02 52 0d 00:35:00 192.168.42.52
1/1/9:998 00:00:c0:01:01:02 21 0d 00:35:01 192.168.42.21 1/1/9:998 00:00:c0:01:01:02 53 0d 00:35:00 192.168.42.53
1/1/9:998 00:00:c0:01:01:02 22 0d 00:35:01 192.168.42.22 1/1/9:998 00:00:c0:01:01:02 54 0d 00:35:00 192.168.42.54
1/1/9:998 00:00:c0:01:01:02 23 0d 00:35:01 192.168.42.23 1/1/9:998 00:00:c0:01:01:02 55 0d 00:35:00 192.168.42.55
1/1/9:998 00:00:c0:01:01:02 24 0d 00:35:01 192.168.42.24 1/1/9:998 00:00:c0:01:01:02 56 0d 00:35:00 192.168.42.56
1/1/9:998 00:00:c0:01:01:02 25 0d 00:35:01 192.168.42.25 1/1/9:998 00:00:c0:01:01:02 57 0d 00:35:00 192.168.42.57
1/1/9:998 00:00:c0:01:01:02 26 0d 00:35:01 192.168.42.26 1/1/9:998 00:00:c0:01:01:02 58 0d 00:35:00 192.168.42.58
1/1/9:998 00:00:c0:01:01:02 27 0d 00:35:01 192.168.42.27 1/1/9:998 00:00:c0:01:01:02 59 0d 00:35:00 192.168.42.59
Same MAC
1/1/9:998 00:00:c0:01:01:02 28 0d 00:35:01 192.168.42.28 1/1/9:998 00:00:c0:01:01:02
Session-id 63 60 0d 00:35:00 192.168.42.60
1/1/9:998 00:00:c0:01:01:02 29 0d 00:35:01 192.168.42.29 1/1/9:998 00:00:c0:01:01:02 61 0d 00:35:00 192.168.42.61
1/1/9:998 00:00:c0:01:01:02 30 0d 00:35:01 192.168.42.30 1/1/9:998 00:00:c0:01:01:02 62 0d 00:35:00 192.168.42.62
1/1/9:998 00:00:c0:01:01:02 31 0d 00:35:01 192.168.42.31 1/1/9:998 00:00:c0:01:01:02 63 0d 00:35:01 192.168.42.63

347 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
show service active-subscribers hierarchy

A:pe2.lab# show service active-subscribers hierarchy


 Links the following ==============================================
Active Subscriber hierarchy
==============================================
 Subscriber-id -- Ahola.Hannu (sub1)
|
 SUB-profile |-- sap:1/1/7 - sla:sla1
| |
 SLS-profile | |-- 192.168.42.106 - 00:00:00:00:01:07 (PPPoE)
| |
 SAP
-- Alarcon.Anabel (sub1)
 IP |
|-- sap:1/1/7 - sla:sla1
 MAC | |
| |-- 192.168.42.124 - 00:00:00:00:02:09 (PPPoE)
 Client type | |

-- Bagri.Erdinc (sub1)
|
|-- sap:1/1/7 - sla:sla1
| |
| |-- 192.168.42.100 - 00:00:00:00:01:01 (PPPoE)
| |
-- Barata.Helder (sub1)
|
|-- sap:1/1/7 - sla:sla1
| |
| |-- 192.168.42.122 - 00:00:00:00:02:07 (PPPoE)
| |

348 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
HW setup

 ~ 7500 PPPoE traffic


138.203.15.111
traffic traffic

 N2X Traffic
104/2
 CPM-swap 104/1

 admin redundancy force-switchover now

1/1/9:998 DHCP Server-1


250
gi 192.168.42.254 192.168.42.254/24 Use-gi-address
GR-ITF-1 192.168.43.254/24
192.168.44.254/24 subnet 192.168.42.0/24
1/1/9:999
192.168.45.254/24 subnet 192.168.43.0/24
250 gi 192.168.43.254
GR-ITF-2 SUB-ITF-1 subnet 192.168.44.0/24
subnet 192.168.45.0/24
1/1/9:1000 subnet 192.169.0.0/16
250 gi 192.168.44.254
GR-ITF-3 IES
1/1/9:1001 998
250
gi 192.168.45.254
GR-ITF-4
1/1/9:1002
6500 192.169.30.2/16
gi 192.169.30.2
GR-ITF-5 SUB-ITF-2

349 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
www.alcatel-lucent.com
www.alcatel-lucent.com

350 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Backup

351 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
PPP/DHCP solution comparison
PPP DHCP (MPSDA)
Authentication LCP extension provides user identification User authentication based on option82

Authorization Supplied to BBNG by RADIUS based on user identity Supplied by Alcatel 5750 Subscriber Services Controller

(SSC), RADIUS-based AAA

Accounting Supplied by BBNG, collected via RADIUS-based system Supplied by Alcatel 7x50, collected via the 5750 SSC

/RADIUS

State fullness State kept by PPP keep-alive State kept by ARP keep-alive (SHCV)

Multicast Inefficient multicast replication; PPP is point-to-point Efficient multicast replication

in nature

PC support Requires third-party SW, unless OS <4 years old Available on any device

Client support Not supported on VoIP/STB devices Supported on any device

Femto support Extra overhead, QoS differentiation difficult No additional overhead, QoS differentiation
Customer service
Provides feedback on connectivity; third-party SW Provides feedback on connectivity via ARP/ping
support
hard to troubleshoot mechanism
Redundancy No box redundancy, no full in-box redundancy Full box/in-box redundancy through High Availability
provided

Wholesale L2TP 802.1x w/ L3VPN/L2VPN


352 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
PPP/DHCP solution comparison

 When we compare DHCP versus PPP the following design guidelines can be
followed
 Video: requires DHCP for efficient multicast distribution
 Femto: requires DHCP/IPoE for optimal overhead and QoS differentiation
 Voice/HSI: introduce them on DHCP when possible, mainly depending on legacy
environment
 PPP required when:
 Wholesale support and authentication is superior due to L2TP and
username/password/domain name support in PPPoE/L2TP
 DHCP extensions with EAP are being worked on in DSL Forum/IETF

Video subscribers move typically to DHCP and legacy HSI is typically kept in legacy BRAS
platforms, although multiple providers are looking to migrate to full DHCP

353 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation.
Slow-start and congestion avoidance

 For your info


 Although each side has indicated the maximum size of its receive window, it is
recommended that a slow start and congestion avoidance method be used to transmit
control packets. The methods described here are based upon the TCP congestion
avoidance algorithm as described in section 21.6 of TCP/IP Illustrated, Volume I, by W.
Richard Stevens [STEVENS].

 Before the introduction of the L2TP Congestion Avoidance feature, the window size
used to send packets between the network access server (NAS) and the tunnel server
was set to the value advertised by the peer endpoint and was never changed.
Configuring the L2TP Congestion Avoidance feature allows the L2TP packet window to
be dynamically resized using a sliding window mechanism. The window size grows
larger when packets are delivered successfully, and is reduced when dropped packets
must be retransmitted

SCCRQ
SCCRP
SCCCN
Window size avp=4
ZLB

354 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
7x50 Wholesale-Retail L2TP implementation.
Session setup message flow

 Session setup documented mostly in following way : LAC LNS


ICRQ
ICRP
ICCN
ZLB

 7x50 Session setup flow slightly different LAC LNS


ICRQ
 Still correct according RFC ICRP
Data path ZLB
stitch ICCN
ZLB

 Ask PPPoE to stitch data path to PPPoE session.


 ICCN is only returned when data path stitch done.
 This prevents having the possibility that first LCP message from LNS downstream can
get lost because stitch not made yet.

355 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail OPTION-1A
LUDB : fallback “default” host
 Add host “default” without host-identification
14 2009/03/25 20:58:51.96 GMT MINOR: DEBUG #2001
 User has wrong service name Base LUDB
"LUDB: User lookup success - host found
pppoe-service-name:
 debug subscriber-mgmt local-user-db MyLudb1 original: MyProvider1-wrong
masked: MyProvider1-wrong
*A:pe2.lab# configure subscriber-mgmt
local-user-db "MyLudb1" create Host default found in user data base MyLudb1"
description "Add text"
pppoe
match-list service-name show service id 99999 pppoe session detail
host "host1" create ==========================================
host-identification PPPoE sessions for svc-id 99999
service-name "MyProvider1" ================================
exit
identification-strings 254 create PPP User-Name : (Not Specified)
--snip--
exit Subscriber-interface : MySubItf1
1 l2tp Group-interface : MyGrpItf1
group "MyProvider1"
exit Subscriber Origin : Local-User-Db
no shutdown Strings Origin : Local-User-Db
exit
host “default" create Subscriber : "default_from_ludb"
identification-strings 254 create Sub-Profile-String : "DefSubProfile"
subscriber-id “default_from-ludb" 2 SLA-Profile-String : "DefSlaProfile"
sla-profile-string "DefSlaProfile" --snip--
sub-profile-string "DefSubProfile"
exit Service-Name : MyProvider1-wrong
no shutdown Session-Timeout : N/A
exit Radius Class :
exit Radius User-Name :

356 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
LUDB default” host APPLICATION

Problem Description

 Assume that you have a local-DHCP server with a pool-1 with 3 subnets.
 gi-address is 10.2.0.254
local-dhcp-server "server-2" create
use-gi-address
pool "pool-1" create
subnet 10.2.0.0/24 create
address-range 10.2.0.1 10.2.0.253
exit
subnet 10.2.1.0/24 create
address-range 10.2.1.1 10.2.1.253
exit
subnet 10.2.2.0/24 create
address-range 10.2.2.1 10.2.2.253
exit
exit…

 If the assigned gi-address is 10.2.0.254 for a PPPoE session than this PPPoE
client can never search in the two other subnets from pool-1 (if pool-1 was
not returned from Radius for example.

357 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
LUDB default” host APPLICATION-I ( With Radius after pre-auth)

 An other solution (than use-gi-address ) for PPPoE dynamic address


assignment is use-pool-from-client in DHCP server
 Radius returns pool-name .. OK
 Or LUDB via default user returns pool-name
*A:pe2.lab# configure subscriber-mgmt local-dhcp-server "server-2" create
local-user-db "ludb-2" create no use-gi-address (Fallback if user not found
pppoe use-pool-from-client
match-list mac ## dummy match pool "pool-1" create
host "default" create subnet 10.2.0.0/24 create
auth-policy "authentication-2" address-range 10.2.0.1 10.2.0.253
address pool "pool-1" exit
no shutdown subnet 10.2.1.0/24 create
exit address-range 10.2.1.1 10.2.1.253
exit exit
no shutdown subnet 10.2.2.0/24 create
exit address-range 10.2.2.1 10.2.2.253
… exit
exit…

Match masks could be used also to Normal Radius authentication


assign different pool-names after ludb pre-authentication

 Current pre-authentication configurations via LUDB reject Radius COA’s


– High profile DTS 88621 / PTS 570601

358 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
LUDB default” host APPLICATION-II ( Without Radius )

 An other solution (than use-gi-address ) for PPPoE dynamic address


assignment is user-db in DHCP-server
local-dhcp-server "server-2" create
*A:pe2.lab# configure subscriber-mgmt no use-gi-address (Fallback if user not found
local-user-db "ludb-2" create no use-pool-from-client
pppoe user-db ludb-2
match-list mac ## dummy match pool "pool-1" create
host "default" create subnet 10.2.0.0/24 create
address pool "pool-1" address-range 10.2.0.1 10.2.0.253
no shutdown exit
exit subnet 10.2.1.0/24 create
exit address-range 10.2.1.1 10.2.1.253
no shutdown exit
exit subnet 10.2.2.0/24 create
… address-range 10.2.2.1 10.2.2.253
exit
exit…

 Current pre-authentication configurations via LUDB reject Radius COA’s


– High profile DTS 88621 / PTS 570601

359 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008
Wholesale-retail OPION-1A
LUDB : mask type examples

 Allowed mask types are : service-name / username/ circuit-id/remote-id


 Allowed masks are : prefix-length/suffix-length/prefix-string/suffix-string.
 For prefix-strings and suffix-strings we allow the wildcard *
Mask type prefix- suffix- prefix- suffix- Result

length length string string


Service-name username Circuit-id Remote-id
Host =
- - - 03-7123886-Node2 11 - - - Node2

- - 7450-ESS-1|100|1/2/1 - - 10 - - 7450-ESS-1

- all_users@skynet.be - - - - *@ .be skynet

all_users@belgacom.com - - - - - *@ .com belgacom

 Above some example illustrations (debug subscriber-mgmt local-user-db MyLudb5detail all )

7 2009/03/27 14:18:14.46 GMT MINOR: DEBUG #2001 Base LUDB


"LUDB: User lookup success - host found
pppoe-service-name:
original: all_users@belgacom.be
masked: belgacom

Host host1 found in user data base MyLudb5"

360 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008