PPPoE R7.0 v1.7

< DISCLAIMER >
The targeted audience for this PPPoE slide pack are ALU-
engineers and distribution to customers is not allowed.
TiMOS 7.0 workshop
PPPoE
Bert.Todts@alcatel-lucent.be
PPPoE – workshop
Agenda
1. Local-Access-Model versus Tunneled-Access-Model. updated
2. General PPPoE Technology overview. updated
3. 7x50 Retail PPPoE implementation. updated
4. 7x50 Wholesale-Retail via Managed-SAP aka MSAP. updated
5. 7x50 Wholesale-Retail VRF selection. new
6. General L2TP Technology overview. new
7. 7x50 Wholesale-Retail L2TP implementation. new
8. Customer cases updated
9. Scalability updated
10.Evolution. new
2 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008

1 Local-Access-Model versus Tunneled-Access-Model
updated

PPPoE – workshop
Local-Access-Model versus Tunneled-Access-Model
Local-Access-Model
 In the local access model, a single network device is responsible for both
virtual circuit termination and PPP session termination. Whoever owns the
Edge device is responsible for maintaining both the underlying network and the
database of end-user information.
Tunneled Access-Model
 In the tunneled access model there is a separation between who is responsible
for the virtual circuit termination and who is responsible for the PPP session
termination.

PPPoE – workshop
Local-Access-Model versus Tunneled-Access-Model
Local-Access-Model
 Local Retail PPPoE termination. R6

 Wholesale-Retail via MSAP. R6
 Wholesale-Retail VRF selection. R7
Tunneled Access-Model
 Wholesale-Retail via L2TP (Layer 2 Tunnel Protocol). R7

7x50 Wholesale-Retail L2TP implementation.
General : Local Retail PPPoE termination
 RFC2516 PPP over Ethernet

 PADI/PAP/CHAP via LUDB/RADIUS
 IP via LUDB/RADIUS/DHCP
RADIUS
Server
P2P
ISP2
IBGP PE
user1@ISP1 PPPoE
IES/VRF ISP1
user2@ISP1
ISP3
user3@ISP1
LUDB DHCP
Access Node BNG

HOST BNG EBGP
PADI EBGP
PADO
PPPoE Discovery
PADR
PADS
LCP session stage LCP Config-req/Ack
INTERNET Web-Server
PAP/CHAP
Authentication Phase
IPCP Config-req/Ack
Network-Layer Phase

General : Wholesale-Retail via MSAP
 VLAN/subscriber model.
RADIUS
Server ISP2
P2P VRF
PPPoE IBGP PE
PADI Capture
user1@ISP2 ISP1
VPLS
PPPoE
user1@ISP3 VRF VRF
VRF
VRF ISP3
user2@ISP3
LUDB DHCP
Access Node
BNG
EBGP
EBGP
HOST BNG
PADI
PADO
PPPoE Discovery
PADR
PADS INTERNET Web-Server
PAP/CHAP
IPCP Config-req/Ack
Network-Layer Phase

General : Wholesale-Retail via VRF selection
 Dynamic VRF selection over single VLAN / wholesale IP-VPN

RADIUS
Server ISP2
P2P VRF
Alc-Retail-Serv-Id
IBGP PE
user1@ISP3 PPPoE
VRF ISP1
wholesale
VRF
user1@ISP1 VRF
VRF
VRF
user1@ISP2 ISP3
Access Node DHCP VRF

LUDB
BNG
EBGP
EBGP
HOST BNG
PADI
PADO
PPPoE Discovery
PADR
PADS INTERNET Web-Server
PAP/CHAP
IPCP Config-req/Ack
Network-Layer Phase

General : Wholesale-Retail via L2TP (Layer 2 Tunnel Protocol).
 Radius returns L2TP info for user1@ISP3 and user2@ISP3
 PPPoE packets for user1@ISP3 are tunneled in GRE-like tunnel to LNS1-ISP3 ( UDP port 1701)
L2TP tunnel1 ISP2
 SRC-IP L2TP is (hardcoded) system interface. L2TP tunnel2 ISP2 L2TP Tunnel group
L2TP tunnel3 ISP2
 Multiple bidirectional sessions (calls) may use a
single L2TP tunnel.
RADIUS
Server
P2P
LNS1 ISP2
LNS2
IBGP PE @IP/32 LNS3
PPPoE
user1@ISP1 IES/VRF ISP1
user1@ISP3 PPPoE
IES/VRF L2TP tunnel ISP3
NW-port
user2@ISP3 LNS1-ISP3 ISP3
7750 SR
Access Node
LAC P2P
EBGP
 L2TP uplinks require network ports on IOM3/IMM EBGP

LNS
 L2TP tunnel can be pre-signaled or not. LNS
INTERNET Web-Server

 LAC functionality on 7750/7710, with forwarding in global routing table.

 A tunnel may be selected using the domain-name in Radius or in the LUDB.
 Both PADI and PAP/CHAP authentication is supported.
 Multiple tunnels may exist between a LAC/LNS pair. ( tunnel selection
mechanism required).
 A tunnel can be setup without a session-trigger by means of the parameter
tunnel Auto-establish. Every 1 minute we check if such tunnels need to be
established.
 IOM3 / IMM is required for L2TP support. (PPPoE session can still come in on IOM2)
 L2TP is HA.
 IPv6 for L2TP peer setup not supported.
 http://www.iana.org/assignments/radius-types

 PADI may be used to select the PADO delay. This requires access to the local
user database. A second user lookup may be required for Radius.
 Support for draft Mammoliti AVP’s (except ANCP).***
 OAM requirements will include L2TP keep-alive reporting and commands to

verify connectivity to the LNS .
 Ethernet on the network side only.
 We support L2TPv2 which is used for the tunnelling of PPP packets across an
intervening network is based and on RFC 2661. (Aug 1999).
 L2TPv3 not supported ( RFC 3931: IP-Tunnels other L2 protocols. (PPP, Eth, FR..)

Related supported RFC’s
 RFC 2661 : Layer Two Tunneling Protocol "L2TP“ ***

 L2TPv1 AKA 2LF RFC 2341
 L2TPv2 RFC 2661 ( tunneling of PPPoE packets)
 L2TPv3 RFC 3931 ( tunneling of any L2 protocol)
 RFC 2516 : A Method for Transmitting PPP Over Ethernet (PPPoE)
 RFC 1994 : PPP Challenge Handshake Authentication Protocol (CHAP)
 RFC 1661 : The Point-to-Point Protocol (PPP)
 RFC 2868 : RADIUS Attributes for Tunnel Protocol Support

Related Non supported RFC’s
 RFC 4951 (Fail Over Extensions for Layer 2 Tunnelling Protocol (L2TP) "failover“ )
 Protects against control channel failures only.
 On LAC side we don’t require mechanism because we sync the sequence nbrs via HA.
Ip1
LAC LNS active
HA
LAC Ip1 LNS Standby

Recovery
control
channel

Related Non supported RFC’s ERX example
 RFC 2867 (RADIUS Accounting Acct-Status-Type = Stop

User-Name = "Joe@oao1.be"
modifications for L2TP Support) Acct-Delay-Time = 0
NAS-Identifier = “ANT1.B-RAS.D2"
Acct-Session-Id = "0090180344"
 We don’t include any L2TP tunnel NAS-IP-Address = 172.19.110.128
information in the accounting User-Service = Framed-User
Framed-Protocol = PPP
records. Framed-Compression = None
Unisphere-Pppoe-Description ="pppoe 00:90:1a:41:1a:7f"
 Examples: Tunnel-Type (64) ,Tunnel- Calling-Station-Id = "ANT1.B-RAS.D2:12/1:1:50"
Tunnel-Type:0 = L2TP
Medium-Type (65) ,Tunnel-Client- Tunnel-Medium-Type:0 = IP
Endpoint (66), Tunnel-Server-Endpoint Acct-Tunnel-Client-Endpoint:0 = "10.99.99.17"
Tunnel-Client-Auth-Id:0 = “ANT1.B-RAS.D2"
(67) , Acct-Tunnel-Connection (68) Tunnel-Server-Endpoint:0 = "10.1.12.15"
Tunnel-Server-Auth-Id:0 = "HGW1.D1"
 Some other vendor do this like seen Tunnel-Assignment-Id:0 = "oao1.be"
here on the right example. Acct-Tunnel-Connection-Id:0 = "0000000241"
Connect-Info = "speed:UBR"
NAS-Port-Type = 16
NAS-Port = 3238068274
Attr-87 = "atm 12/1/1.1:1.50"
Acct-Authentic = RADIUS
Acct-Session-Time = 55
Acct-Terminate-Cause = NAS-Request

2 General PPPoE Technology overview
updated

General PPPoE Technology overview
Embedded presentation
 ~1 hour embedded TiMOS-General-PPPoE-Technology-Overview-v1.0.ppt

3 7x50 Retail PPPoE implementation
updated

PPPoE – workshop
Agenda
1. Local-Access-Model versus Tunneled-Access-Model.
2. General PPPoE Technology overview.

3. 7x50 Retail PPPoE implementation.
a) What does the 7710/7750 offers in 7.0 and LAB-setup e) Resilience / Redundancy
b) different PPPoE scenarios. f) Security
c) Accounting g) Change of Authority
d) QoS
4. 7x50 Wholesale-Retail via Managed-SAP aka MSAP

5. 7x50 Wholesale-Retail VRF selection.
6. General L2TP Technology overview.
7. 7x50 Wholesale-Retail L2TP implementation.
8. Customer cases
9. Scalability
10.Evolution.
7x50 Retail PPPoE implementation
Agenda
a) What
a) Whatdoes
doesthe
the7710/7750
7710/7750offers
offers inin7.0
7.0and
andLAB-setup
LAB-setup e) Resilience / Redundancy
d) QoS

What does the 7710/7750 offers in 7.0
 Platforms
 7710/7750 SR7/12 on IOM2/3
 Connectivity
 Supported only on Ethernet null, Dot1Q and QinQ SAPs.
– External loop or VSM required if L2 aggregation used.
 VLAN per customer
 VLAN per service
 MTU>1492 support.
 Session control capabilities
 PPPoE sessions may be limited per SAP (host limit) and per SLA-profile.
 Optional combined support of static DHCP host , DHCP and PPPoE hosts on a single SAP
 Managed SAPs (aka. Auto-VLAN):
– default SAP with auto-discovery of VLAN; valid for VLAN/sub configs

Authentication
 RADIUS based authentication of subscriber host interface in PADI phase.

 optional attributes include: circuit id, remote id, nas-identifier=system name, nas-
port-id = sap-id);
 MAC@ as mandatory attribute.
 Local PAP/CHAP authentication via LUDB

 Authentication on PPPoE username with or without domain, password
 Implies local configuration (no RADIUS interaction); local user database provides
configuration information.
 Radius PAP/CHAP authentication (since 6.1R1)
 Local DHCP server authentication who uses also LUDB
 Support for Framed-ip 255.255.255.254 from Radius *** (since 6.0R3)
 Support for Framed-route received via Radius (since 6.1.R1)

 Security
 Anti-spoofing during PPP phase: IP+MAC based
 Routing in IES or VPRN context aka Routed CO.
 PPPoE capable interface can be created within a subscriber interface in both IES and
VPRN services
 QoS
 Same as for DHCP subscriber hosts; I.e. as per ESM attributes
 High Availability
 HA for PPPoE subscriber host information is fully HA.
 Miscellaneous
 Support for Framed-IP 255.255.255.254 from Radius *** (since 6.0R3)
 Support for Framed-route received via Radius (since 6.1.R1)

Port-setup Antwerp-lab 138.203.18.x
/177
DHCP-ESM 3 3 1
DHCP/RADIUS
138.203.18.79
Linux/Client
3 7 1
138.203.18.73 PE1/26
5 C1/RR1/23 PE3/182
1 5
4 21 2 2 11 8 2 1 1 2 13 1
A1/24 4
DHCP 5
6 9 3 4 6 4 3
2 A3/22
23 1 .
4
PPPoE 4 6 9 3 4 5 2 3
1 4 22 3 12 2 1
2 8 2 1 14 4
A2/181 PE2/176 PE4/179

Linux/Client C2/RR2/183
138.203.18.73 3 7
PPPoE-ESM
Addressing Antwerp -lab
P-cisco/177
10.2.79.2 DHCP/RADIUS
3 138.203.18.79
10.2.79.79
Link : 172.16.10. Z / 22
Linux/Client .78
138.203.18.73
PE1/26 .77 C1/RR1/23 PE3/182
21 .2 .1 11 .26 .25 1 .37 .38 13 .45
A1/24 .9
DHCP .14
.18 .33 .42
.121
.21 .129
.49
.46 A3/22
23
.
.126
.50
PPPoE A2/181 .10

.13
.22 .17 .34 .41 .130 .122
22 .6 .5 12 .30 .29 2 .117 .118 14 .125
PE2/176
C2/RR2/183
Linux/Client
138.203.18.73

Antwerp TPSDA : Simulation of PPP users
-79
 Radius server 138.203.18.79 RADIUS
1/1/3:0.* 1/1/7
 PPPoE client on LINUX 138.203.18.73 10.2.79.79
1/1/3:21 10.2.79.2
SAP A1
 mpcsim IES 103
IES 998
VLL 999
Gi A
SAP A2 IES/
VPRN
Gi B PE1-26 -177
SAP B1
-73
Eth2
SDP 11
1/1/2:0.*
Epipe
1/1/1:999.*
IES 998
138.203.18.176
VPLS 999 SDP 12 VLL 999
999 1/1/4:999.*
A2 PE2
1/1/3:0.* 1/1/7
CE-171 A2-181
PE2-176

Agenda
b) different
b) different PPPoE
PPPoE scenarios.
scenarios. f) Security
d) QoS

High level Overview
 First we do Radius or LUDB authentication ( or via DHCPs and LUDB )

 We must get back a subscriber-id if we get back any other information.
 If we don't have an IP address after the first step, we go to DHCP.
 Any other information from DHCP (subscriber-ID, ESM strings) will be added to
the information from the first step, unless information from that group was
already available. ( so append iso replace )
 If we then still don't have information for the ESM strings or Subscriber-ID, we
look at the defaults configured on the SAP and add them if applicable.
 To setup the session, we need a Subscriber-ID, a Sub-Prof , a SLA-Prof and an

IP-address. If we don't have at least these four items, the session is not setup.
Remark: DNS-info is seen as IP-info and should be retrieved from the same place as the IP-address. If this
is not true than we will send an ipcp-reject for this option. DNS-info can come from LUDB , Radius or
Local-DHCP server.

DISCOVERY
DISCOVERY
7x50 Retail PPPoE implementation LCP
LCP
AUTHENTICATION
AUTHENTICATION
Authentication overview IPCP
IPCP
 Is the user known in the system ?
 Choose between 1 or 2 or 3 for AUTH.

PADI
Phase Radius
1
PAP/CHAP PAP/CHAP
Phase User-1 Phase
6.1
LUDB Radius
2 4
DHCP DHCPS
PPPoE client
IPCP
phase LUDB User-1
3

1 Radius Authentication: IP addressing overview
 Authentication via PADI

PADI
Phase Radius  Return also IP from Radius
IP
 Cache IP until IPCP phase
PAP/CHAP
Phase
 Authentication was via PADI

DHCP DHCPS
PPPoE client Gi IP  Return IP not from Radius
IPCP Radius
phase
 Return IP via local DHCPs
 Or external DHCPs
IP Static
IP Dynamic

2 PAP/CHAP LUDB Authentication: IP addressing overview
 Authentication via LUDB

PAP/CHAP
Phase User-1
 Return also IP from LUDB during
LUDB
IP auth-phase
 Cache IP until IPCP phase.

Continue : If we did not
return IP during PAP/CHAP
phase
DHCP DHCPS  Authentication was via LUDB

PPPoE client use Gi IP
IPCP
phase  Local DHCPs does not use LUDB anymore
LUDB User-1  Local DHCPs uses Gi to find IP

IP Static
IP Dynamic

3 DHCPs via LUDB Authentication: IP addressing overview
 Authentication via DHCPs (LUDB)
DHCP DHCPS
PPPoE client  LUDB has also IP address.
IPCP
phase
 IP is returned during first look in LUDB.
LUDB User-1
IP
IP  Authentication was DHCPs (LUDB)

DHCP DHCPS
PPPoE client use LUDB  LUDB has no IP but Gi-address
IPCP
phase
 DHCPs uses again LUDB to see method Gi
LUDB User-1  IP via local DHCPs via Gi
Gi
IP  Authentication was DHCPs (LUDB)

DHCP DHCPS
PPPoE use LUDB
IPCP
client  LUDB has no IP but pool-name
phase
 DHCPs uses again LUDB to see the pool-name**
IP Static LUDB User-1
 IP via local DHCPs via pool-name
IP Dynamic pool-name

ESM-strings overview
 ESM-strings In Radius
Radius  Subscriber-id in Radius

1 Sub-id ESM-strings
LUDB
 ESM-strings LUDB
User-1
Sub-id ESM-strings
2  Subscriber-id LUDB
 ESM-strings LUDB
DHCP DHCPS
PPPoE client  Subscriber-id LUDB
LUDB
User-1
3 Sub-id ESM-strings  DHCPs gives the ESM-string to the DHCP
client via a configured DHCP option.
Sub-id ESM-strings  Fall back to default strings

Different PPPoE scenarios based on Authentication, IP, ESM
IP AUTH SUB / SLA SUB-ID
Option 1 LUDB LUDB CHAP LUDB LUDB
Option 2 LUDB LUDB PAP LUDB LUDB
Option 3 RADIUS RADIUS PADI MAC RADIUS RADIUS
Option 4 RADIUS RADIUS PADI CIRCUIT-ID RADIUS RADIUS
Option 5 DHCP DHCP MAC/CIRCUIT_ID DHCP DHCP
Option 6 DHCP LUDB CHAP LUDB LUDB
Option 7 DHCP RADIUS PADI CIRCUIT-ID RADIUS RADIUS
Option 8 RADIUS RADIUS PAP/CHAP USERNAME RADIUS RADIUS
Option 9 RADIUS RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS
Option 10 DHCP RADIUS PAP/CHAP CIRCUIT-ID RADIUS RADIUS
Option 11 DHCP RADIUS PAP/CHAP USERNAME RADIUS RADIUS

cf1:\pe2.ppp1.cfg pe1 N/A
Different PPPoE scenarios based on Authentication, IP, ESM
Option 8 RADIUS RADIUS PAP/CHAP RADIUS RADIUS

USERNAME
Option 11 DHCP RADIUS PAP/CHAP RADIUS RADIUS

USERNAME

Authentication via LUDB CHAP cf1:\pe2.ppp1.cfg pe1 N/A
IP from LUDB / ESM from LUDB
RADIUS AAA DHCP
Server Server
BSAN BSR
Broadband Service Broadband Service
Access Node Router
Aggregation
network IP/MPLS
(optional)
PADI, Session ID: 0x0000 pppoe enabled under group-interface with

PPPoE tag: option: 0x101, 0x103 pap-chap-user-db . No auth-policy . No dhcp.
Discovery stage
PADO, Session ID: 0x0000

PPPoE tag: option: 0x101,0x102, 0x103, 0x104
PADR, Session ID: 0x0000
PADS, Session ID: 0x0001
LCP Config Request, Session ID: 0x0001, ID=191 Always first
Options: 0x1 MRU, 0x3: Auth-Protocol: CHAP, 0x5 Magic nbr
LCP session negotiation
suggest CHAP
LCP Config Request, Session ID: 0x0001,ID=64
Session stage :
Options: 0x1 MRU, 0x5 Magic number: Y

LCP Config Ack, Session ID: 0x0001.Id=64
LCP Config Ack, Session ID: 0x0001,ID=191
Options: 0x1 MRU, 0x3: Auth-Protocol: CHAP ,0x5 Magic nbr

RADIUS AAA DHCP
Server Server
BSAN BSR
Access Node Router
Aggregation
network IP/MPLS
(optional)
CHAP Challenge , Session ID: 0x0001

CHAP authentication
Value IP address 192.168.42.1

:
CHAP Response , Session ID: 0x0001 sla-profile-string

Session stage
sub-profile-string
value , Name : user1@domain1 Local subscriber-id
user
db
dns-server
CHAP Success , Session ID: 0x0001 net-bios-name-server
message : CHAP auth. success
IPCP Configure-request, Session ID: 0x0001,ID-53 [3] IP

address: 192.168.42.254
IPCP Configure-request, Session ID: 0x0001,ID-65 , [3] IP

address: 0.0.0.0
IPCP Configure-Nack, Session ID: 0x0001, ID-65 [3] IP
address: 192.168.42.1
Session stage :
IPCP Configure-Ack, Session ID: 0x0001,ID-53 [3] IP

address: 192.168.42.254
IPCP

address: 192.168.42.1
Install anti-spoofing
IPCP Configure-ack, Session ID: 0x0001, ID-66 [3] IP
and ESM QoS queues
address: 192.168.42.1

Authentication via LUDB CHAP *A:pe2.lab# configure subscriber-mgmt
cf1:\pe2.ppp1.cfg
sub-ident-policy "sub_ident_all" create
pe1 N/A
IP from LUDB / ESM from LUDB sub-profile-map
use-direct-map-as-default
entry key “sub1" sub-profile “sub1"
exit
*A:pe2.lab# sla-profile-map
configure service ies 998 use-direct-map-as-default
subscriber-interface "to_A2_via_hairpin" creat exit
address 192.168.42.254/24 exit
group-interface “isam-1" create
sap 1/1/7 create
*A:pe2.lab#configure subscriber-mgmt pppoe-policy default
sub-sla-mgmt
description "Default PPPoE policy"
sub-ident-policy "sub_ident_all"
no disable-cookies
no shutdown
keepalive 30 hold-up-multiplier 3 [10s..300s] [1..5]
exit
no pado-delay [1s..3s]
exit
no ppp-mtu Custom-option
[512..9212]
pppoe
max-sessions-per-mac 1 protocol> [1..63]
: lcp|ipcp
pppoe-policy "default"
no reply-on-padt option-number: [0..255]
pap-chap-user-db “ludb-1“
ppp-options ip-address> : a.b.c.d
no shutdown
exit ascii-string>: 127 chars max
exit
hex-string> : 0x0..0xFFFFFF
exit
exit *A:pe2.lab# configure subscriber-mgmt
no shutdown local-user-db “ludb-1" create
pppoe none
match-list username domain-only
host "user1" create no-domain
host-identification
 New 6.0 : use-direct-map-as-default username "user1@domain1“ none
exit
 If LUDB is used under pppoe than the match- address 192.168.42.1
list needs to be username ( pap-chap ). password chap user1
identification-strings create
 Host-identification can be username domain- subscriber-id "user1"
sla-profile-string "sla1"
only or no-domain or none( default). sub-profile-string "sub1"
exit
 PADO-delay : see Topic Resilience options
dns-server 138.203.144.51
netbios-name-server 138.203.144.51
exit
debug commands
debug
Type of debug ( packets / events ) service
id 998
pppoe
 debug service id 998 pppoe packet packet
mode dropped-only
 By default dropped-only detail-level medium
discovery
 By default detail-level medium ppp
dhcp-client
exit
 By default all ppp packets exit
– discovery [padi] [pado] [padr] [pads] [padt] exit
exit
– ppp [lcp] [pap] [chap] [ipcp] exit
 By default also dhcp-client
Extra debug filters ( on top of packet debugging ) debug

service
 debug service id 998 pppoe mac 00:00:00:00:00:01 id 998
pppoe
sap 1/1/7
 debug service id 998 pppoe sap 1/1/7 exit
exit
exit
exit

PPPoE sessions for svc-id 998
 Setup user1 and Use debug to see control plane ppp. ========================================================
Sap Id Mac Address Sid Up Time IP Address
--------------------------------------------------------
1/1/7 00:00:00:00:00:01 1 2d 01:41:52 192.168.42.1
 See wire shark : control plane + ping included
LCP State : Opened
IPCP State : Opened
PPP MTU : 1000
PPP Auth-Protocol : CHAP
PPP User-Name : user1@domain1
Subscriber-interface : to_A2_via_hairpin
Group-interface : isam-1
Subscriber Origin : Local-User-Db
Strings Origin
Strings Origin : Local-User-Db
: Local-User-Db
 Keepalives in debug ? IPCP Info Origin
IPCP Info Origin : Local-User-Db
: Local-User-Db
Subscriber : "user1"
 show service id 998 pppoe session session-id 1 statistics Sub-Profile-String
SLA-Profile-String
:
:
"sub1"
"sla1"
ANCP-String : ""
Int-Dest-Id : ""
App-Profile-String : ""
1 2008/02/29 14:06:01.42 UTC WARNING: SVCMGR #2500 Base Subscriber created
Primary DNS : 138.203.144.51
Secondary DNS : N/A
"Subscriber user1 has been created in the system" Primary NBNS : 138.203.144.51
Secondary NBNS : N/A
Circuit-Id :
Remote-Id :
Session-Timeout : N/A

useful CLI commands : non PPPoE specific
 show service subscriber-using : Gives you a quick list of all subscribers .
 show service active-subscribers
 Gives you a list of all subscribers with also the profiles used plus IP,MAC and type.
 Show service active-subscribers hierarchy
 show service id 998 subscriber-hosts [detail ]
 show filter anti-spoof
 Returns the SAP–IP–MAC combination

 show service active-subscribers subscriber user1 hierarchy
 show service active-subscribers subscriber user1 detail
 Shows also the subscriber queues

 show qos scheduler-hierarchy subscriber user1
 clear service statistics subscriber user1
 monitor service subscriber user1 sap 1/1/7 sla-profile sla1 egress-queue-id 1

useful CLI commands : PPPoE specific
 show service id 998

 pppoe summary : Returns only the number of PPPoE sessions.
 pppoe session : Returns sap-id , Mac , SID , UP-time , ip@ per session
 pppoe statistics : overall statistics
 pppoe session session-id 1 mac 00:00:00:00:00:01 detail :
 pppoe session session-id 1 mac 00:00:00:00:00:01 statistics :
 tools
 dump pppoe sap 1/1/7 session-id 1 : shows the complete pppoe stack
 clear service id 998

 pppoe statistics
 pppoe session sap-id 1/1/7 session-id 1 ( ip or mac ) : Bounce a pppoe session.

useful CLI commands : PPPoE local-user-database specific
 show subscriber-mgmt
 local-user-db : returns name of ludb’s and number of configured hosts.
 local-user-db ludb-1 pppoe-all-hosts : return the name of the hosts.
 local-user-db ludb-1 pppoe-host host1
 show subscriber-mgmt local-user-db ludb-1 pppoe-unmatched-hosts : shows the hosts that
are configured in the ludb but but not installed because of not “conform”. Example :
match-list username but host uses mac as key. Also duplicates are reported.
 tools
 perform subscriber-mgmt local-user-db ludb-1 pppoe host-lookup user-name user1@domain1 :
Check if user exists in ludb.
 HW-setup with 7500 LUDB users
 CPM Switch-over

PPPoE session creation failures examples
*A:pe2.lab# show log event-control pppoe

====================================================
Application
ID# Event Name P g/s Logged
----------------------------------------------------
2001 tmnxPppoeSessionFailure WA gen 472
 User not found

1 2008/02/29 14:46:36.34 UTC WARNING: PPPOE #2001 Base PPPoE session failure
"PPPoE session failure on SAP 1/1/7 in service 998 –
[00:00:00:00:00:01,1] User-db lookup failed for "user1@domain1": user not found"
 User found , password wrong.

[00:00:00:00:00:01,1] PPP problem: peer has failed to authenticate himself"
 Not enough sessions on group-interface

configure service ies 998
. . .
10 2008/02/29 17:03:07.66 UTC WARNING: PPPOE #2001 Base PPPoE group-interface
session failure "isam-1"
"PPPoE session failure on SAP 1/1/7 in service 998 – pppoe
Reached the interface session limit (1)" session-limit [1..20000]
exit
exit
PPPoE session creation failures examples
 Not enough sessions on SAP from group-interface

"PPPoE session failure on SAP 1/1/7 in service 998 - Reached the per-SAP session limit (1)"

. . .
group-interface "isam-1"
pppoe
sap-session-limit [1..20000]
exit
exit
 multi-sub-sap limit reached
"PPPoE session failure on SAP 1/1/7 in service 998 - Number of subscribers exceeds the configured multi-sub-sap limit (1)"

. . .
group-interface "isam-1"
sap 1/1/7
sub-sla-mgmt
multi-sub-sap [2..20000]
exit
exit

PPPoE session creation failures
 Max sessions reached for same mac address
"PPPoE session failure on SAP 1/1/7 in service 998 - Reached the maximum number (1) of PPPoE sessions for MAC 00:00:00:00:00:02"
configure service ies 998 configure subscriber-mgmt pppoe-policy group-1

. . . max-sessions-per-mac [1.63]
group-interface "isam-1" exit
pppoe
pppoe-policy "group-1"
exit
exit
 Setup 64 sessions from same MAC 00:00:c0:01:01:02

– Maximum is 63 and trap received.
1 2008/0x/x 21:34:14.64 CEST WARNING: PPPOE #2001 Base PPPoE session failure
"PPPoE sessio failure SAP 1/1/9:998 in service 998 - Reached the maximum number (63) of PPPoE sessions for MAC 00:00:c0:01:01:02"

Different PPPoE scenarios based on :
Authentication, IP, ESM cf1:\pe2.ppp1.cfg pe1 N/A

USERNAME

USERNAME

Authentication via LUDB PAP cf1:\pe2.ppp1.cfg pe1 N/A
RADIUS AAA DHCP
Server Server
BSAN BSR
Access Node Router
Aggregation
network IP/MPLS
(optional)
PADI, Session ID: 0x0000 pppoe enabled under group-interface with

PPPoE tag: option: 0x101, 0x103 pap-chap-user-db . No auth-policy . No dhcp.
Discovery stage

LCP Config Request, Session ID: 0x0001, ID=188 Always first

Options: 0x1 MRU, 0x3: Auth-Protocol: CHAP, 0x5 Magic nbr
suggest CHAP

Session stage :

LCP Config NAck, Session ID: 0x0001,ID=188
Options: [3] Auth-Protocol: PAP
LCP Config Request, Session ID: 0x0001, ID=189 Fall back to
Options: 0x1 MRU, 0x3: Auth-Protocol: PAP, 0x5 Magic nbr PAP
LCP Config ACK, Session ID: 0x0001, ID=189
Options: 0x1 MRU, 0x3: Auth-Protocol: PAP, 0x5 Magic nbr
RADIUS AAA DHCP
Server Server
BSAN BSR
Access Node Router
Aggregation
network IP/MPLS
(optional)
PAP authentication
PAP auth-request , Session ID: 0x0001,id-232

:
Peer-id user14@domain1
Session stage
PAP in LUDB
PAP auth ack , Session ID: 0x0001,id 232 Local
Message : login ok user IP address 192.168.42.14
db sla-profile-string
sub-profile-string
subscriber-id
IPCP Configure-request, Session ID: 0x0001,ID-183 [3] IP dns-server
address: 192.168.42.254 net-bios-name-server

address: 0.0.0.0
address: 192.168.42.14
Session stage :

address: 192.168.42.254
IPCP

address: 192.168.42.14
and ESM QoS queues
address: 192.168.42.14

Authentication via LUDB PAP *A:pe2.lab# *A:pe2.lab# configure subscriber-mgmt
cf1:\pe2.ppp1.cfg pe1 N/A
sub-ident-policy "sub_ident_all" create
IP from LUDB / ESM from LUDB sub-profile-map

entry key “sub1" sub-profile “sub1"
exit
*A:pe2.lab# *A:pe2.lab# sla-profile-map
configure service ies 998 use-direct-map-as-default
subscriber-interface "to_A2_via_hairpin" create exit
address 192.168.42.254/24 exit
group-interface “isam-1" create
sap 1/1/7 create
*A:pe2.lab#configure subscriber-mgmt pppoe-policy default
sub-sla-mgmt
description "Default PPPoE policy"
no disable-cookies
no shutdown
keepalive 30 hold-up-multiplier 3
exit
no pado-delay
exit
no ppp-mtu
pppoe
max-sessions-per-mac 1
pppoe-policy "default"
no reply-on-padt
pap-chap-user-db “ludb-1“
ppp-options [custom-options]
no shutdown
exit
exit
exit
no shutdown local-user-db “ludb-1" create
pppoe
match-list username
host "user14" create
 Client has only PAP host-identification
username "user14@domain1"
 We use pppoe-policy “default” with ppp- exit
address 192.168.42.14
authentication default pref-chap. (We password pap user14
identification-strings 2 create
suggest CHAP but fallback to PAP). *** subscriber-id "user14"
 LUDB has PAP as well. sub-profile-string "sub1"
exit
 AUTH ok options
dns-server 138.203.144.51
exit
 Use debug to see control plane ppp. ========================================================

--------------------------------------------------------
1/1/7 00:00:00:00:00:0e 1 0d 01:41:52 192.168.42.14
LCP State : Opened

IPCP State : Opened
PPP MTU : 1000
PPP Auth-Protocol : PAP
Strings Origin
: Local-User-Db
IPCP Info Origin
: Local-User-Db
Sub-Profile-String : "sub1"
SLA-Profile-String : "sla1"
ANCP-String : ""
Int-Dest-Id : ""
Primary DNS : 138.203.144.51
 You could change LUDB to CHAP for this Secondary DNS

Primary NBNS
:
:
N/A
138.203.144.51
user so see the behaviour. See next Circuit-Id :
Remote-Id :

 Client has PAP and LUDB requires CHAP

 During LCP we suggest CHAP but fall back to PAP
 Failure on moment of PAP auth-request from client.
"PPPoE session failure on SAP 1/1/7 in service 998 - [00:00:00:00:00:0e,1] User "user14@domain1" requires CHAP password"
PAP authentication
PAP auth-request , Session ID: 0x0001,id-232

:
Peer-id user14@domain1
Session stage
CHAP in LUDB
PAP auth Nack , Session ID: 0x0001,id 232 Local
Message : login incorrect user IP address 192.168.42.14
db sla-profile-string
sub-profile-string
subscriber-id
PADT dns-server
net-bios-name-server


USERNAME
Option 9 RADIUS RADIUS PAP/CHAP CIRCUIT- RADIUS RADIUS
ID
Option 10 DHCP RADIUS PAP/CHAP CIRCUIT- RADIUS RADIUS
ID
USERNAME

Authentication via Radius PADI with user-name-format MAC cf1:\pe2.ppp2.cfg
IP from Radius with Framed-IP / ESM from Radius

RADIUS AAA DHCP
Server Server
BSAN BSR
Access Node Router
Aggregation
network IP/MPLS
(optional)
PADI, S-MAC 00:00:00:00:00:04,Session ID: 0x0000

,PPPoE tag: option: 0x101, 0x103 Access Request
user-name [1] 00:00:00:00:00:04
Discovery stage
MAC
Access accept User4
ESM , Framed-IP ,.. Sla1
PPPoE tag: option: 0x101,0x102, 0x103, 0x104 Sub1
PADR, Session ID: 0x0000 Framed IP
Don’t suggest
LCP Config Request, Session ID: 0x0001, ID=105
Options: 0x1 MRU, 0x5 Magic nbr PAP/CHAP anymore

Session stage :

Options: 0x1 MRU, 0x5 Magic nbr


RADIUS AAA DHCP
Server Server
BSAN BSR
Access Node Router
Aggregation
network IP/MPLS
(optional)

address: 192.168.42.254

address: 0.0.0.0
address: 192.168.42.4
Session stage :

address: 192.168.42.254
IPCP

address: 192.168.42.14
and ESM QoS queues
address: 192.168.42.14

RADIUS Extensions for ESM - Authentication Extensions
.../raddb/clients.conf
How are the different ESM objects communicated by RADIUS server ?
client 172.16.0.21 {
secret = WhoIsThere
 Standard RADIUS attributes shortname = A1
nastype = other
}
 framed-ip-address [8], framed-ip-netmask [9], NAS-identifier [32], NAS-port [87] client 172.16.0.22 {
secret = WhoIsThere
shortname = A2
 Vendor specific attributes (VSAs) nastype = other
}
client 172.16.0.11 {
 Alcatel IPD – using Timetra vendor-id [6527] – see IPD RADIUS dictionary secret = WhoIsThere
shortname = PE1
 JUNIPER & REDBACK attributes – relevant VSAs to ease migration nastype = other
}
client 172.16.0.12 {
secret = WhoIsThere
/var/local/etc/raddb/dictionary shortname = PE2
nastype = other
$INCLUDE /usr/local/etc/raddb/Alcatel-Lucent_IPD_dictionary }
$INCLUDE /usr/local/etc/raddb/DSL-forum_dictionary
/var/local/etc/raddb/users
"ISAM1 eth 1/11" Auth-Type := Local, User-Password == "LetMeIn"

Alc-Subsc-ID-Str = "subscriber_1",
Alc-Subsc-Prof-Str = "Basic_3P_9M",
Alc-SLA-Prof-Str = "Basic_9M",
. . . . . . .

RADIUS Extensions for ESM - Authentication Extensions for PPPoE
 Mandatory in RADIUS ACCESS REQUEST

 User-Name, attribute 1 CLI-knob
– MAC
– Circuit-id
– Tuple ( concatenation of MAC & Circuit-id )
– Ascii-converted-circuit-id
– Ascii-converted-tuple
 User-Password, attribute 2
 NAS IP address , attribute 4
– Will be system-id of node.
 Service-Type, attribute 6
– Needs to be “Framed” if returned by Radius
 Framed-Protocol, attribute 7
– Needs to be “PPP” if returned by Radius

 Optional in RADIUS ACCESS REQUEST CLI-knob
 Access-loop-options , DSL-forum VSA

– Actual data rate Upstream (129)
– Actual data rate Downstream (130)
– Minimum data rate Upstream (131)
– Minimum data rate Downstream (132)
– ....
– Access loop encapsulation (144)
30 PPPoA - PPP over ATM
 Circuit-id , DSL-forum VSA (2) 31 PPPoEoA - PPP over Ethernet over ATM
32 PPPoEoE - PPP over Ethernet over Ethernet
 Remote-id , DSL-forum VSA (1) 33 PPPoEoVLAN - PPP over Ethernet over VLAN
34 PPPoEoQinQ - PPP over Ethernet over 802.1QinQ
 MAC-address ,Alcatel-Lucent VSA (27)
 PPPoE-service-name , Alcatel-Lucent VSA (35)
 NAS-identifier , attribute 32
 NAS-port-id
– nas-port-id , attribute 87 (Extended nas-port-id format …next slide )
– nas-port-type , attribute 61

Extend nas-port-id format
 NAS-Port-Id (87) — this attribute can optionally be prefixed by a fixed string

and/or suffixed by the circuit-ID or remote-ID given in the PPPoE requests
 Many Legacy networks : RADIUS directories built using pre-defined nas-port-id.

 For easier migration, more flexibility in building nas-port-id is required andt
his need is addressed by extending command defining nas-port-id with
configurable string as a prefix and a suffix option to append circuit-id or
remote-id. ( example remote-id used here).
NAS IP ADDRESS [4] 4 172.30.1.33

USER NAME [1] 14 user222@idm.lb configure subscriber-mgmt authentication-policy knock-knock
SERVICE TYPE [6] 4 Framed(2) include-radius-attribute
FRAMED PROTOCOL [7] 4 PPP(1) nas-port-id prefix-string “My_String" suffix remote-id
FRAMED IP ADDRESS [8] 4 10.165.0.9
FRAMED IP NETMASK [9] 4 255.255.255.255
NAS IDENTIFIER [32] 4 PE33
SESSION ID [44] 40 000000020220800000DE00C80000000148C57258
SESSION TIMEOUT [46] 4 4686
TERMINATE CAUSE [49] 4 User Request(1)
EVENT TIMESTAMP [55] 4 1220904102
NAS PORT TYPE [61] 4 PPPoEoQinQ(34)
NAS PORT ID [87] 28 My_String 1/1/1:200.222 user222

Support of “Framed-pool” attribute from radius
 RADIUS RFC defines attribute [88] - framed-pool which is a string carrying the
ip-pool name. This provides extra flexibility in mapping different subscribers
into pools.
 Possibility to get the dhcp-pool name (pool-name) back from RADIUS in

addition to LUDB that is supported since 6.0.
 This pool is then used by the DHCP server to select the IP address pool
 Supported in 7.0 fro both PPPoE and IPoE clients.

Framed-Pool Attribute
 Radius users file Radius message to 77x0

user1@domain1" Cleartext-Password := MyPsw "RADIUS: Receive
Alc-Subsc-ID-Str == “subscriber_1” Access-Accept(2) id 163 VSA [26] 6
Alc-SLA-Prof-Str == “sub1", Alcatel(6527)
Alc-SLA-Prof-Str == “sla1", …
Framed-Pool == “MyPool-2" FRAMED POOL [88] 9 MyPool-2
configure service vprn 300

dhcp
local-dhcp-server “MyServer" create
use-gi-address
use-pool-from-client
…
pool “MyPool-2" create
subnet 10.164.0.0/16 create
address-range 10.164.0.2 10.164.63.254
exit
exit
 use-pool-from-client overrides use-gi-address

 Pool-name can be returned from LUDB as well

Framed-Pool Attribute
 Failure Case
 framed-pool name returned from Radius is not existing on 77x0.
 IPCP session will not be opened.
1931 2008/09/24 01:13:53.04 UTC WARNING: DHCPS #2003 vprn300 Unknown pool
"DHCP server DHCP-SERVER1 detects an unknown pool (ACH4-512).
Pool extracted from dhcp-message is unknown in the server."

 Accepted attributes in RADIUS ACCESS ACCEPT
 Framed-IP-Address, attribute 8
 Session-Timeout, attribute 27
 PADO-delay, Alcatel-Lucent VSA 34
 Primary DNS, Alcatel-Lucent VSA 9
 Secondary DNS, Alcatel-Lucent VSA 10
 Primary NBNS, Alcatel-Lucent VSA 29
 Secondary NBNS, Alcatel-Lucent VSA 30
 Subscriber ID string, Alcatel-Lucent VSA 11
 Subscriber profile string, Alcatel-Lucent VSA 12
 SLA profile string, Alcatel-Lucent VSA 13
 ANCP string, Alcatel-Lucent VSA 16
 Intermediate Destination ID, Alcatel-Lucent VSA 28
 Application-profile string, Alcatel-Lucent VSA 45
 Service-Type, attribute 6 : ( Needs to be “Framed” if returned by Radius )
 Framed-Protocol, attribute 7 : ( Needs to be “PPP” if returned by Radius )
 PPPoE-Service-Name, Alcatel-Lucent VSA 35
 Framed-Pool, attribute 88
 Class, attribute 25

*A:pe2.lab# *A:pe2.lab# authentication-policy "knock-knock" create

configure service ies 998 description "RADIUS policy"
subscriber-interface "to_A2_via_hairpin" create password "LetMeIn"
address 192.168.42.254/24 radius-authentication-server
group-interface “isam-1" create router "Base"
authentication-policy "knock-knock" server 1 address 10.2.79.79 secret WhoIsThere
sap 1/1/7 create exit
sub-sla-mgmt user-name-format mac
sub-ident-policy "sub_ident_all“ no re-authentication
multi-sub-sap 100 pppoe-access-method padi
no shutdown no accept-authorization-change
exit include-radius-attribute
exit no circuit-id
no remote-id Not applicable for PPPoE
pppoe
pppoe-policy “group-2” nas-port-id
session-limit 100 no nas-identifier
sap-session-limit 100 no pppoe-service-name
no shutdown no dhcp-vendor-class-id
exit no access-loop-options
exit no mac-address
exit exit
no shutdown exit
 PPPoE vendor-specific tags not required on *A:pe2.lab#configure subscriber-mgmt

pppoe-policy "group-2" create
DSLAM.( because MAC is used in auth ) ppp-mtu 1100
 Authentication policy overrules ludb for max-sessions-per-mac 10
exit
authentication
 If you write pppoe-access-method none ->
than back ludb ..
 Message -> configure only the needed …

Authentication via Radius PADI with user-name-format MAC
IP from Radius with Framed-IP / ESM from Radius cf1:\pe2.ppp2.cfg
 Setup user4 with mac 00:00:00:00:00:04

*A:pe2.lab# show service id 998 pppoe session detail
====================================================
 Radius users file : 00:00:00:00:00:04 Auth-Type := local,
PPPoE
Alc-Subsc-ID-Str
User-Password
sessions for svc-id 998 == "LetMeIn"
= "user4",
====================================================
Alc-SLA-Prof-Str = "sla1",
----------------------------------------------------
Alc-Subsc-Prof-Str = "sub1",
1/1/7 00:00:00:00:00:04 1 0d 00:01:46 192.168.42.4
Alc-Primary-Dns = 138.203.68.208,
LCP State : Opened
Alc-Secondary-Dns
IPCP State= 138.203.68.209,
: Opened
Framed-IP-Adress
PPP MTU = 192.168.42.4,
: 1100
PPP Auth-Protocol
Framed-IP_Netmask : None
= 255.255.255.0,***
Session-Timeout = 200
Subscriber Origin : Radius
Subscriber
Strings Origin
Origin : Radius
:Radius
 Use debug to see control plane ppp. Strings Origin
IPCP
IPCPInfo
:
Origin :
Info Origin
Radius
:
RadiusRadius
 See wireshark : control plane + ping included Sub-Profile-String : "sub1"
ANCP-String : ""
 Session-timeout in radius set to 200 seconds Int-Dest-Id
App-Profile-String
:
:
""
""
 Send PPP-PADT to client after timeout on which client starts again:: 138.203.68.208
Primary DNS
Secondary DNS
with PADI.
138.203.68.209
Primary NBNS : N/A
 Radius returns the DNS together with the IP-address. This DNS info will be Secondary NBNS : N/A
Circuit-Id :
returned to the PPPoE client if he asks this in hisRemote-Id
ipcp request: option 129
address 0.0.0.0. If the client did not ask this than we don’t send
Session-Timeout
it.(notes)
: 0d 00:05:00


USERNAME

USERNAME

Authentication via Radius PADI with user-name-format circuit-id

sub-sla-mgmt user-name-format circuit-id
multi-sub-sap 100 pppoe-access-method padi
exit no circuit-id
pppoe no remote-id
exit no mac-address
exit exit
no shutdown exit
*A:pe2.lab#configure subscriber-mgmt
 Use same config as before but change mac pppoe-policy "group-2" create
ppp-mtu 1100
to circuit-id in auth policy. max-sessions-per-mac 10
exit
 PPPoE vendor-specific tags is required on
DSLAM / PPPoE intermediate Agent.


 Radius users file : “TRE26 atm 1/1/01/22:8.35” ====================================================

Auth-Type := local, User-Password == "LetMeIn"
Alc-Subsc-ID-Str = "user5",
====================================================
----------------------------------------------------
1/1/7 00:00:00:00:00:05
Alc-Subsc-Prof-Str = "sub1", 1 0d 00:01:46 192.168.42.5
Framed-IP-Adress
LCP State= 192.168.42.5,
: Opened
IPCP State : Opened
Framed-IP_Netmask
PPP MTU = 255.255.255.0
: 1100
PPP Auth-Protocol : None
 Use debug to see control plane ppp. Subscriber-interface : to_A2_via_hairpin

 No session-timeout used Subscriber Origin
Strings Origin :
Strings Origin
: Radius
Radius: Radius
IPCP
IPCPInfo Origin :
Info Origin Radius: Radius
ANCP-String : ""
Int-Dest-Id : ""
Primary DNS : N/A

Secondary DNS : N/A
Primary NBNS : N/A
Circuit-Id : TRE26 atm 1/1/01/22:8.35

circuit-id ( inserted by Intermediate Agent ) Remote-Id : "03-2404011"

useful CLI commands : Radius Specific
 show subscriber-mgmt authentication

 Returns all authentication policies
 show subscriber-mgmt authentication knock-knock
 Shows all details of this policy and state of server.
 show subscriber-mgmt authentication knock-knock statistics
 tools perform security authentication-server-check server-address 10.2.79.79

user-name "TRE26 atm 1/1/01/22:8.35" password "LetMeIn" secret
"WhoIsThere“
 Simulates the authentication of a user.
– Remark : Is not updating the operational state from unknown to up.


Authentication via local DHCP-server based on mac & circuit-id
A:pe2.lab#configure router dhcp
local-dhcp-server "server-1" create
user-db "ludb-3"
IP from local DHCP-server / ESM via DHCP frompool LUDB
"pool-1" create cf1:\pe2.ppp3.cfg
address-range 192.168.42.20 192.168.42.30
*A:pe2.lab# *A:pe2.lab# exit
configure service ies 998 exit
subscriber-interface "to_A2_via_hairpin" create no shutdown
A:pe2.lab#configure router
address 192.168.42.254/24 exit interface "system"
dhcp address 172.16.0.12/32
gi-address 192.168.42.254 local-dhcp-server "server-1"
exit exit
group-interface “isam-1" create exit
dhcp
server 172.16.0.12 *A:pe2.lab#configure subscriber-mgmt local-user-db ludb-3
client-applications pppoe pppoe
no shutdown match-list mac circuit-id
exit host "user9" create
sap 1/1/7 create host-identification
sub-sla-mgmt circuit-id string "TRE26 atm 1/1/01/25:8.35"
sub-ident-policy "sub_ident_all“ mac 00:00:00:00:00:09
multi-sub-sap 100 exit Free Option 254 used
no shutdown address pool "pool-1" in DHCP OFFER to
exit identification-strings 254 return ESM info
exit subscriber-id "user9"
pppoe sla-profile-string "sla1"
pppoe-policy “group-2” sub-profile-string "sub1"
session-limit 100 exit
sap-session-limit 100 no shutdown
no shutdown exit
exit exit
exit *A:pe2.lab# *A:pe2.lab# configure subscriber-mgmt
exit sub-ident-policy "sub_ident_all" create
no shutdown sub-profile-map
 No Authentication policy.No ludb under pppoe. exit
sla-profile-map
 Suggest to use free option 254 for identification- use-direct-map-as-default
exit
strings but any free option is ok. *** strings-from-option 254
exit
IP from local DHCP-server / ESM via DHCP from LUDB
RADIUS AAA DHCP
Server Server
BSAN BSR
Access Node Router
Aggregation
network IP/MPLS
(optional)
PADI, Session ID: 0x0000 pppoe under gr-itf enabled without ludb
PPPoE tag: option: 0x101, 0x103, 0x105 circuit-id No auth-policy . Dhcp server enabled
Discovery stage

PPPoE tag: option: 0x101,0x102, 0x103, 0x104,0x105
LCP Config Request, Session ID: 0x0001, ID=191 Don’t suggest
PAP/ CHAP
Session stage :


IP from local DHCP-server / ESM via DHCP from LUDB
RADIUS AAA DHCP
Server Server
BSAN BSR
Access Node Router
Aggregation
network IP/MPLS
(optional)
IPCP Configure-request, Session ID: 0x0001,ID-159 [3] IP DHCP discover : MAC option 82 circuit-id remote-id
address: 192.168.42.254
DHCP Offer : mac,option 82 circuit-id remote-id
Option 254 contains user9,sla1 sub1
DHCP
Local
DHCP Request : option 82 circuit-id remote-id DHCP
client
Server
DHCP ACK : option 82 circuit-id remote-id
Option 254 contains user9,sla1 sub1
address: 0.0.0.0
address: 192.168.42.23
Session stage :

address: 192.168.42.254
IPCP
Mac 00:00:00:00:00:09
IPCP Configure-request, Session ID: 0x0001,ID-78 , [3] IP circuit-id : TRE26 atm 1/1/01/25:8.35
address: 192.168.42.23  User9 Local
user
IPCP Configure-ack, Session ID: 0x0001, ID-78 [3] IP  Sub1 db
address: 192.168.42.23  sla1
 Address pool-1

Extra debug commands from DHCP server
debug
service
Type of debug ( packets / events ) id 998
pppoe
 debug service id 998 pppoe packet packet
mode dropped-only
detail-level medium
... discovery
ppp
 By default also DHCP-client dhcp-client
exit
exit
exit
exit
exit
 But DHCP-server can also be traced

 debug router local-dhcp-server server-1 mode egr-ingr-and-dropped
– Extra trace filter on lease-address or mac possible.
debug
router "Base"
local-dhcp-server server-1
detail-level medium
mode egr-ingr-and-dropped
exit
exit
exit

IP from local DHCP-server / ESM via DHCP from LUDB cf1:\pe2.ppp3.cfg
=========================================================

=========================================================
---------------------------------------------------------
 No Radius users file : 1/1/7 00:00:00:00:00:09 1 0d 00:02:06 192.168.42.24
LCP State : Opened

IPCP State : Opened
 Ludb-3 PPP MTU
PPP Auth-Protocol
:
:
1100
None
 circuit-id & mac for auth Group-interface : isam-1
Subscriber Origin : DHCP
– Impossible to use pap/chap usernameStrings
for auth.
Subscriber Origin
Origin
Strings Origin
: DHCP
: DHCP
: DHCP
IPCP
IPCP Info Origin: DHCP
Info Origin : DHCP
 Use debug to see control plane ppp. SLA-Profile-String
ANCP-String
:
:
"sla1"
""
Int-Dest-Id : ""
Primary DNS : N/A

Secondary DNS : N/A
Primary NBNS : N/A

Remote-Id : 03-2404015
-----------------------------------------------
Number of sessions : 1
circuit-id ( inserted by Intermediate Agent ) ==============================================
*A:pe2.lab#

. . .
 PPPoE is not client from DHCP group-interface "isam-1"
dhcp
client-applications pppoe
1 2008/03/07 07:49:08.92 UTC WARNING: PPPOE #2001 Base PPPoE session failure no client-applications
exit
"PPPoE session failure on SAP 1/1/7 in service 998 – exit
[00:00:00:00:00:09,1] Cannot start DHCP client: PPPoE is not configured as DHCP relay client-application on group-interface"
– In the PPPoE -> client DHCP-discover we set always the client type
– clntType 1 = pppoE
DHCP client: Tx packet :
DHCP discover to server 172.16.0.12
 Local DHCP server uses the ciaddr: 0.0.0.0 yiaddr: 0.0.0.0

siaddr: 0.0.0.0 giaddr: 192.168.42.254
client type as selection into the LUDB. chaddr: 00:00:00:00:00:09 xid: 0x5fccdd60
DHCP options:
[82] Relay agent information: len = 48
configure subscriber-mgmt local-user-db ludb-3 [1] Circuit-id: TRE26 atm 1/1/01/25:8.35
dhcp [2] Remote-id: 03-2404015
no match-list [9] Vendor-Specific info: len = 8
no circuit-id-mask Enterprise [6527] : len = 3
exit [6] clntType: 1
pppoe [51] Lease time: 3600
no match-list [53] Message type: Discover
no circuit-id-mask [60] Class id: ALU7XXXSBM
exit [255] End

useful CLI commands : local DHCP server specific
 show router dhcp servers

 Returns all local DHCP server-names with state and also total Active Leases.
 show router dhcp local-dhcp-server server-1 summary
 show router dhcp local-dhcp-server server-1 leases
 show router dhcp local-dhcp-server server-1 leases 192.168.42.22 detail
 tools dump persistence summary :

 returns persistent entries in use.
 tools dump persistence dhcp-server record 0x00000002 :
 returns the complete persistent record.
 tools perform subscriber-mgmt local-user-db ludb-3 pppoe host-lookup mac
00:00:00:00:00:09 circuit-id "TRE26 atm 1/1/01/25:8.35"

 DHCP server down during active pppoe session

– Local DHCP client will notice on next renewal that server is down.
– Send PPPoE PADT to user9
[00:00:00:00:00:09,1] Lost session with DHCP server"
3 2008/03/07 11:37:49.21 UTC WARNING: SVCMGR #2501 Base Subscriber deleted
"Subscriber user9 has been removed from the system"

DHCP-server : minimum number of leases reached
 Pool-1 has range 192.168.42.20 – 192.168.42.30 ( 11 possible leases )
 Trap generated when configured min-free leases reached.
*A:pe2.lab>
show router dhcp local-dhcp-server server-1 free-addresses pool pool-1

===============
Free addresses
user-db "ludb-3"
===============
pool "pool-1" create
IP Address
min-lease-time hrs 3
--------------
options
192.168.42.20
lease-time min 10
192.168.42.21
lease-renew-time min 5
192.168.42.23
lease-rebind-time min 7
192.168.42.24
exit
192.168.42.26
192.168.42.27
minimum-free 10
192.168.42.28
address-range 192.168.42.20 192.168.42.30
192.168.42.29
exit
192.168.42.30
exit
----------------
no shutdown
No. of free addresses: 9
exit
2 2008/03/07 14:55:48.49 UTC WARNING: DHCPS #2001 Base subnet minimum reached
"The number of free addresses (9) has fallen below the desired minimum (10) in subnet 192.168.42.0/24"


IP from Local-DHCP-server / ESM from LUDB
RADIUS AAA DHCP
Server Server
BSAN BSR
Access Node Router
Aggregation
network IP/MPLS
(optional)
PADI, Session ID: 0x0000 pppoe enabled under group-interface with ludb-1
PPPoE tag: option: 0x101, 0x103 No auth-policy . dhcp server enabled
Discovery stage

Options: 0x1 MRU, 0x3 CHAP , 0x5 Magic nbr Suggest CHAP

Session stage :


RADIUS AAA DHCP
Server Server
BSAN BSR
Access Node Router
Aggregation
network IP/MPLS
(optional)

User-name : user16@domain1
CHAP authentication
Value
Psw : user16 CHAP
:
CHAP Response , Session ID: 0x0001

Session stage
Local User16
value , Name : user1@domain1 user Sub1
db sla1 Use gi-address
CHAP Success , Session ID: 0x0001
message : CHAP auth. success address pool-1
DHCP discover : option 82 subscriber-id : user16@domain1

address: 192.168.42.254 DHCP Offer : option 82 sucbscriber-id:user16@domain1
DHCP Request : option 82 subscriber-id… Local

IPCP Configure-request, Session ID: 0x0001,ID-253 , [3] IP DHCP DHCP
address: 0.0.0.0 client Server
DHCP ACK : option 82 subscriber-id
IPCP Configure-Nack, Session ID: 0x0001, ID253 [3] IP
address: 192.168.42.31
Session stage :

address: 192.168.42.254
IPCP

address: 192.168.42.31

address: 192.168.42.31

A:pe2.lab#configure router dhcp
use-gi-adress
*A:pe2.lab# *A:pe2.lab# pool "pool-1" create
configure service ies 998 subnet 192.168.42.0/24 create
subscriber-interface "to_A2_via_hairpin" exclude-addresses 192.168.42.1 192.168.42.30
address 192.168.42.254/24 exclude-addresses 192.168.42.40 192.168.42.255
dhcp address-range 192.168.42.31 192.168.42.35
gi-address 192.168.42.254 exit
exit exit
group-interface "isam-1" create no shutdown
dhcp exit
server 172.16.0.12
interface "system"
client-applications pppoe
address 172.16.0.12/32
no shutdown
local-dhcp-server "server-1"
exit
exit
sap 1/1/7 create
exit
sub-sla-mgmt
multi-sub-sap 100
no shutdown
exit local-user-db “ludb-1" create
pppoe pppoe
pap-chap-user-db "ludb-1" match-list username
session-limit 100 host "user16" create
sap-session-limit 100 host-identification
no shutdown username "user16@domain1"
exit exit
exit address pool pool-1
exit password chap user16
no shutdown identification-strings 254 create
subscriber-id "user16"
 No Radius authentication but Radius sub-profile-string "sub1"
Accounting is possible. ( not in trace ) exit
options
dns-server 138.203.144.51
82 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008 exit
===========================================================
 Setup user16 with mac 00:00:00:00:00:10 Sap Id Mac Address Sid Up Time IP Address
-----------------------------------------------------------
1/1/7 00:00:00:00:00:10 1 0d 00:00:14 192.168.42.33
 No Radius users file : LCP State

IPCP State
:
:
Opened
Opened
PPP MTU : 1000
 IP from local DHCP server based on GI PPP Auth-Protocol

PPP User-Name
:
:
CHAP
user16@domain1
 Use debug to see client control plane ppp. Group-interface : isam-1

IPCP Info Origin : DHCP
Subscriber
Subscriber Origin
: "user16" : Local-User-DB
Strings Origin : "sub1" : Local-User-DB
Sub-Profile-String
IPCP Info Origin
ANCP-String : "" : DHCP
Int-Dest-Id : ""
Primary DNS : 138.203.144.51

Secondary DNS : N/A
 Use debug to see the dhcp server control plane Primary NBNS
Secondary NBNS
:
:
138.203.144.51
N/A
Circuit-Id :
Remote-Id :
----------------------------------------------------------


IP from local DHCP-server / ESM from Radius cf1:\pe2.ppp3.cfg
RADIUS AAA DHCP

Server Server
BSAN BSR
Access Node Router
Aggregation
network IP/MPLS
(optional)
PADI, ,tag0x0105 circuit-id,Session ID: 0x0000

PPPoE tag: option: 0x101, 0x103 Access Request
user-name CID. . .
Discovery stage
Circuit-id
Access accept User11
ESM Sla1
PPPoE tag: option: 0x101,0x102, 0x103, 0x104 Sub1
PADR, Session ID: 0x0000 NO IP
Don’t suggest
Options: 0x1 MRU, 0x5 Magic nbr PAP/CHAP anymore

Session stage :


RADIUS AAA DHCP

Server Server
BSAN BSR
Access Node Router
Aggregation
network IP/MPLS
(optional)
Use gi-address
IPCP Configure-request, Session ID: 0x0001,ID-132 [3] IP DHCP discover : option 82 circuit-id
address: 192.168.42.254
DHCP Offer : ,option 82 circuit-id
Yiaddr 192.168.42.29
DHCP Local
client DHCP Request : option 82 circuit-id DHCP
Server
DHCP ACK : option 82 circuit-id Option 254
IPCP Configure-request, Session ID: 0x0001,ID-133 , [3] IP requested ip : 192.168.42.29
address: 0.0.0.0
address: 192.168.42.29
Session stage :

address: 192.168.42.254
IPCP

address: 192.168.42.29

address: 192.168.42.29

*A:pe2.lab# A:pe2.lab#configure router dhcp

configure service ies 998 local-dhcp-server "server-1" create
subscriber-interface "to_A2_via_hairpin" use-gi-adress
address 192.168.42.254/24 pool "pool-1" create
dhcp subnet 192.168.42.0/24 create
gi-address 192.168.42.254 address-range 192.168.42.20 192.168.42.30
exit exit
group-interface "isam-1" create exit
dhcp no shutdown
server 172.16.0.12 exit interface "system"
client-applications pppoe address 172.16.0.12/32
no shutdown local-dhcp-server "server-1"
exit exit
authentication-policy "knock-knock" exit
sap 1/1/7 create
sub-sla-mgmt
multi-sub-sap 100
no shutdown
exit authentication-policy "knock-knock" create
exit description "RADIUS policy"
pppoe password "LetMeIn"
session-limit 100 radius-authentication-server
sap-session-limit 100 router "Base"
no shutdown server 1 address 10.2.79.79 secret WhoIsThere
exit exit
exit user-name-format circuit-id
exit no re-authentication
no shutdown pppoe-access-method padi
no accept-authorization-change
include-radius-attribute
 Use config ppp3 but… exit
exit
 but add knock-knock !!
 Change server to use-gi-address
=======================================================
 Setup user11 with mac 00:00:00:00:00:0B =======================================================
-------------------------------------------------------
1/1/7 00:00:00:00:00:0b 1 0d 00:00:17 192.168.42.29
 Radius users file : “TRE26 atm 1/1/01/27:8.35” Auth-Type := local, User-Password == "LetMeIn"
LCP State : Opened
Alc-Subsc-ID-Str
IPCP State= "user11",
: Opened
PPP MTU : 1492
Alc-SLA-Prof-Str = "sla1",: None
PPP Auth-Protocol
ALc-ANCP-Str = “ancp1”
Subscriber
Subscriber Origin
Origin : Radius
: Radius
Strings Origin
Strings Origin : Radius
: Radius
 No Framed IP from Radius IPCP IPCP
InfoInfo Origin
Origin : DHCP
: DHCP
 IP from local DHCP server based on gi SLA-Profile-String
ANCP-String
:
:
"sla1"
"ancp1"
Int-Dest-Id : ""
 Use debug to see control plane ppp. App-Profile-String : ""
Primary DNS : N/A

Secondary DNS : N/A
Primary NBNS : N/A

Remote-Id :
-----------------------------------------------
==============================================
*A:pe2.lab#


Authentication via Radius PAP/CHAP 6.1
IP from Radius / ESM from Radius
RADIUS AAA DHCP
Server Server
BSAN BSR
Access Node Router
Aggregation
network IP/MPLS
(optional)
PADI, Session ID: 0x0000 pppoe enabled without ludb

PPPoE tag: option: 0x101, 0x103 auth-policy enabled with pap/chap
. dhcp server not enabled
Discovery stage


Session stage :


RADIUS AAA DHCP
Server Server
BSAN BSR
Access Node Router
Aggregation
network IP/MPLS
(optional)

CHAP authentication
Value
:

Session stage
Access-request : username user7@domain1

value , Name : user7@domain1 User-name : user7@domain1
Chap password,
Psw : user7
CHAP Success , Session ID: 0x0001 User7
Access-accept : user7, sla1,sub1,IP Sub1
Sla1
IPCP Configure-request, Session ID: 0x0001,ID-126 [3] IP Framed-ip : 192.168.42.7
address: 192.168.42.254

address: 0.0.0.0
IPCP Configure-Nack, Session ID: 0x0001, ID126 [3] IP
address: 192.168.42.7
Session stage :

address: 192.168.42.254
IPCP

address: 192.168.42.7

address: 192.168.42.7


multi-sub-sap 100 pppoe-access-method pap-chap
exit circuit-id
pppoe remote-id
exit mac-address
exit exit
no shutdown exit
*A:pe2.lab#configure subscriber-mgmt
 User-name-format irrelevant when pppoe- pppoe-policy "group-2" create
ppp-mtu 1100
access-method pap-chap. max-sessions-per-mac 10
exit
 Username send to Radius is pap/chap user
 pppoE vendor-specific tags is optional on
DSLAM but can be send to radius as well.

 Setup user7 with mac 00:00:00:00:00:07 *A:pe2.lab# show service id 998 pppoe session detail
====================================================
 Radius users file : “user7@domain1”

====================================================
Auth-Type := local,
Sap User-Password
Id Mac Address == “user7"
Sid Up Time IP Address
----------------------------------------------------
1/1/7 00:00:00:00:00:07 1 0d 00:06:46 192.168.42.7
LCP State : Opened
Alc-Subsc-Prof-Str
IPCP State = "sub1",
: Opened
PPP MTU : 1100
Framed-IP-Adress = 192.168.42.7,
Framed-IP_Netmask = 255.255.255.0
PPP user-name : user7@domain1
 Users file uses Group-interface
Subscriber Origin
: isam-1
: Radius
Subscriber
Strings Origin
Origin : Radius: Radius
 pap/chap username/psw for auth Strings Origin
IPCP
IPCPInfo
:
Origin :
Info Origin
Radius
Radius: Radius
 Ignores Agent-circuit-id for auth Subscriber

Sub-Profile-String
:
:
"user7"
"sub1"
 Use debug to see control plane ppp. ANCP-String

Int-Dest-Id
:
:
""
""
Primary DNS : N/A

Secondary DNS : N/A
Primary NBNS : N/A

Remote-Id : "03-2404012"



======================================================
 Radius users file : PPPoE1/1/01/24:8.35",
DEFAULT Agent-Circuit-Id == "TRE26 atm sessions for svc-id Auth-Type
998 := Accept
======================================================
Alc-Subsc-ID-Str
Sap Id =Mac
"user8",
Address Sid Up Time IP Address
------------------------------------------------------
Alc-Subsc-Prof-Str
1/1/7 = "sub1",
00:00:00:00:00:08 1 0d 00:00:31
192.168.42.8
Framed-IP-Address = 192.168.42.8,
LCP State : Opened
IPCP State : Opened
Framed-IP-Netmask
PPP MTU = 255.255.255.0
: 1100
 Users file uses PPP User-Name : dummy@dummy
 Agent-circuit-id for auth Subscriber Origin
: Radius
Strings Origin :
Strings Origin :
Radius Radius
 Ignores pap/chap username IPCP
IPCPInfo Origin :
Info Origin :
Radius Radius
 More heavy for radius as DB can not be indexed anymore on username
ANCP-String : ""
 Use debug to see control plane ppp. Int-Dest-Id
App-Profile-String
:
:
""
""
Primary DNS : N/A

Secondary DNS : N/A
Primary NBNS : N/A

Remote-Id : 03-2404013
------------------------------------------------------


Authentication via Radius PAP/CHAP
IP from Local DHCP-server / ESM from Radius
RADIUS AAA DHCP
Server Server
BSAN BSR
Access Node Router
Aggregation
network IP/MPLS
(optional)
PADI, Session ID: 0x0000 pppoe enabled without ludb

PPPoE tag: option: 0x101, 0x103.Agent-circuit-id auth-policy enabled with pap/chap
. dhcp server enabled
Discovery stage


Session stage :


RADIUS AAA DHCP
Server Server
BSAN BSR
Access Node Router
Aggregation
network IP/MPLS
(optional)

CHAP authentication
Value
:

Session stage
Access-request : username dummy@dummy

value , Name : dummy@dummy Agent-circuit-id ,
Chap password, Agent-circuit-id
username=accept
CHAP Success , Session ID: 0x0001 User12
Access-accept : user12, sla1,sub1,IP Sub1
Sla1
IPCP Configure-request, Session ID: 0x0001,ID-185 [3] IP NO Framed-ip
address: 192.168.42.254
Use gi-address
IPCP Configure-request, Session ID: 0x0001,ID-203 , [3] IP DHCP discover : option 82 subscriber-id=dummy
address: 0.0.0.0 Circuit-id,remote-id
IPCP Configure-Nack, Session ID: 0x0001, ID-203 [3] IP DHCP Offer : ,option 82 …..
address: 192.168.42.22 Yiaddr 192.168.42.22
Session stage :

CLIENT DHCP Request : option 82 …. Local
address: 192.168.42.254
IPCP
DHCP
IPCP Configure-request, Session ID: 0x0001,ID-204 , [3] IP Server
DHCP ACK : option 82 circuit-id Option 254
address: 192.168.42.22
yiaddr : 192.168.42.22
address: 192.168.42.22

*A:pe2.lab# *A:pe2.lab# A:pe2.lab#configure router dhcp

configure service ies 998 local-dhcp-server "server-1" create
subscriber-interface "to_A2_via_hairpin" use-gi-adress
address 192.168.42.254/24 pool "pool-1" create
dhcp subnet 192.168.42.0/24 create
gi-address 192.168.42.254 address-range 192.168.42.20 192.168.42.30
exit exit
group-interface "isam-1" create exit
dhcp no shutdown
server 172.16.0.12 exit interface "system"
client-applications pppoe address 172.16.0.12/32
no shutdown local-dhcp-server "server-1"
exit exit
authentication-policy "knock-knock" exit
sap 1/1/7 create
sub-sla-mgmt
multi-sub-sap 100
no shutdown
exit authentication-policy "knock-knock" create
exit description "RADIUS policy"
pppoe password "LetMeIn"
session-limit 100 radius-authentication-server
sap-session-limit 100 router "Base"
no shutdown server 1 address 10.2.79.79 secret WhoIsThere
exit exit
exit user-name-format circuit-id
exit no re-authentication
no shutdown pppoe-access-method pap-chap
no accept-authorization-change
circuit-id
remote-id
 User-name-format N/A when pap/chap exit
exit

=======================================================
======================================================
 Setup user12 with mac 00:00:00:00:00:0C -------------------------------------------------------
1/1/7 00:00:00:00:00:0c 1 0d 00:00:35 192.168.42.22
 Radius users file : LCP State

DEFAULT Agent-Circuit-Id
IPCP== State
: Opened
"TRE26 atm 1/1/01/28:8.35",
: Opened Auth-Type := Accept
PPP MTU : 1492
PPP User-Name : dummy@dummy
 Users file uses Subscriber-interface : to_A2_via_hairpin

 Agent-circuit-id for auth Subscriber

SubscriberOrigin
Origin ::Radius
Radius
Strings
StringsOrigin
Origin ::Radius
Radius
IPCP InfoOrigin
Origin ::DHCP
 No framed-ip from radius IPCP Info DHCP
 Ignores pap/chap username Sub-Profile-String : "sub1"
 More heavy for radius as DB can not be indexed anymore on username
ANCP-String : ""
Int-Dest-Id : ""
 Use debug to see control plane ppp.
Primary DNS : N/A
Secondary DNS : N/A
Primary NBNS : N/A

Remote-Id : 03-2404017
-------------------------------------------------------
Authentication via Radius PAP/CHAP =======================================================
IP from Local DHCP-server / ESM from======================================================
Radius
-------------------------------------------------------
 Setup user13 with mac 00:00:00:00:00:0D 1/1/7 00:00:00:00:00:0d 1 0d 00:00:39 192.168.42.21
LCP State : Opened

 Radius users file : “user13@domain1” IPCP State : Opened
Auth-Type := local, User-Password == “user13"
PPP MTU : 1492
Alc-SLA-Prof-Str: =user13@domain1
PPP User-Name "sla1",
 Users file uses Group-interface : isam-1
Subscriber
Subscriber Origin: Radius
Origin : Radius
 No framed-ip from radius Strings Origin
Strings Origin : Radius
: Radius
 pap/chap username
 Use debug to see control plane ppp. SLA-Profile-String : "sla1"
ANCP-String : ""
Int-Dest-Id : ""
Primary DNS : N/A

Secondary DNS : N/A
Primary NBNS : N/A

Remote-Id : 03-2404018
------------------------------------------------------
Agenda
c) Accounting
d) QoS
Accounting methods
 Radius accounting
 Local file/XML accounting
The interval at which accounting data of tha
Radius accounting policy configuration subscriber host will be updated
 Interval 10-1800 minutes

to identify a subscriber-host in the accounting
#--------------------------------------------------
messages, different RADIUS attributes can be
echo "Subscriber-mgmt Configuration"
included in the accounting-start and
#--------------------------------------------------
accounting-stop messages.
subscriber-mgmt
radius-accounting-policy "GiveMeTheMoney"
description "Radius is counting . . ."
update-interval 10
include-radius-attribute Send accounting information in
framed-ip-addr Specifies the format for standard accounting attributes iso
framed-ip-netmask acct-session-id attribute in a VSA’s.
subscriber-id RADIUS accounting request:
circuit-id description (default) or
remote-id number
nas-port-id
nas-identifier
sub-profile
sla-profile Optional source address. The src-ip determines the RADIUS
exit client (NAS) ID:
no session-id-format •Used as src-ip
no use-std-acct-aatributes •Used in NAS-IP attribute
radius-accounting-server If not specified, the system-ip is used for inband and the
no access-algorithm BOF management ip is used for out-of-band connectivity
no retry
no timeout Radius server address, shared secret and udp
no source-address port number for this Radius client
router "Base" Up to 5 servers can be provisioned for each
server 1 address 10.2.79.79 secret WhoIsThere authentication policy. The access-algorithm
exit will determine how the list is handled (round-
exit robin or direct)
Accounting messages
 Accounting-start
 Send at the creation of a subscriber-host
 Describes the subscriber-host
 Accounting-stop
Accounting-Request(4) 10.2.79.79:1813 id 167 len 173
 Interim-update STATUS TYPE [40] 4 Start(1)
NAS IP ADDRESS [4] 4 172.16.0.12
 Accounting-on FRAMED IP NETMASK [9] 4 255.255.255.255
NAS IDENTIFIER [32] 7 pe2.lab
 Accounting-off SESSION ID [44] 36 user9@1/1/7@sla1_2008/03/22 07:14:30
NAS PORT TYPE [61] 4 PPPoEoE(32)
NAS PORT ID [87] 5 1/1/7
VSA [26] 38 DSL(3561)
AGENT CIRCUIT ID [1] 24 TRE26 atm 1/1/01/25:8.35
AGENT REMOTE ID [2] 10 03-2404015
VSA [26] 19 Alcatel(6527)
SUBSC ID STR [11] 5 user9
SUBSC PROF STR [12] 4 sub1
SLA PROF STR [13] 4 sla1
Accounting messages
 Accounting-stop
 Send at the termination of the subscriber-host session
 Includes accounting statistics for the given subscriber-host
 Includes the termination cause. (RADIUS RFC 2865 defines a number of values for this
RADIUS attribute [49] *** See Notes
 Interim-update Accounting-Request(4) 172.30.1.43:1813 id 246 len 252
STATUS TYPE [40] 4 Stop(2)
 Accounting-on NAS IP ADDRESS [4] 4 172.30.1.33
USER NAME [1] 14 user9@idm.lb
SERVICE TYPE [6] 4 Framed(2)
 Accounting-off FRAMED PROTOCOL [7] 4 PPP(1)
SESSION ID [44] 40 0000000602208000006F00C80000000348C55AE2
Accounting messages
Accounting-Request(4) 172.30.1.43:1813 id 225
 Accounting-stop STATUS TYPE [40] 4 Interim-Update(3)
NAS IP ADDRESS [4] 4 172.30.1.33
 Interim-update SERVICE TYPE [6] 4 Framed(2)
FRAMED PROTOCOL [7] 4 PPP(1)
 Send interim-accounting messages to FRAMED IP ADDRESS [8] 4 10.192.0.9
provide an update for every SESSION ID [44] 46user111@1/1/1...
subscriber-host. (configurable SESSION TIME [46] 4 77245
update-interval). EVENT TIMESTAMP [55] 4 1226945667
 Include acct-session-time [46] also in NAS PORT ID [87] 13 1/1/1:300.300
interim-updates iso only in SUBSC ID STR [11] 7 user111
accounting stop messages. SLA PROF STR [13] 4 512K
INPUT PACKETS [47] 4 0
 Accounting-on INPUT OCTETS [42] 4 0
OUTPUT PACKETS [48] 4 1286
OUTPUT OCTETS [43] 4 82304
 Accounting-off
Accounting messages
 Accounting-stop
 Interim-update
 Accounting-on
 When a given radius-accounting-policy is applied to a given interface/sap/subscriber-
profile, or the first server is defined in context of already applied policy.
 Sent also after a re-boot of the node.
 Accounting-off
Accounting-Request(4) 10.2.79.79:1813 id 160 len 59
STATUS TYPE [40] 4 Accounting-On(7)
NAS IP ADDRESS [4] 4 172.16.0.12
Accounting messages
 Accounting-start Accounting-Request(4) 10.2.79.79:1813 id 163 len 65

STATUS TYPE [40] 4 Accounting-Off(8)
 Accounting-stop NAS IP ADDRESS [4] 4 172.16.0.12
TERMINATE CAUSE [49] 4 NAS Request(10)
 Interim-update EVENT TIMESTAMP [55] 4 1206169403
 Accounting-on SUBSC PROF STR [12] 4 sub1
 Accounting-off
 When accounting policy has been removed from sap/interface/sub-profile
 Service which is transporting accounting information has been shutdown.
 The last RADIUS accounting server has been removed from already applied accounting
policy
 Termination cause included.
Accounting messages : Some Acct-Terminate-Cause examples
 Admin Reset Accounting-Request(4) 172.30.1.43:1813 id 240

NAS IP ADDRESS [4] 4 172.30.1.33
 Via “clear” command or RADIUS USER NAME [1] 14 user111@idm.lb
Disconnect Request. SERVICE TYPE [6] 4 Framed(2)
SESSION ID [44] 40 0000000602208000006…
TERMINATE CAUSE [49] 4 Admin Reset(6)
 User Request Accounting-Request(4) 172.30.1.43:1813 id 246

 User disconnects the session NAS IP ADDRESS [4] 4 172.30.1.33
SERVICE TYPE [6] 4 Framed(2)
SESSION ID [44] 40 0000000602208000006F0…
Accounting messages : Some Acct-Terminate-Cause examples
 PPPoE keepalive T.0 1 2001/01/1 16:10:52.36 UTC MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Transmit Accounting-Request(4) 10.2.79.79:1813 id 5
NAS IP ADDRESS [4] 4 172.16.0.12
SESSION ID [44] 40 000000010223800000000000000…
TERMINATE CAUSE [49] 4 Lost Carrier(2)
NAS PORT TYPE [61] 4 PPPoEoE(32)
. . .
Attributes : Accounting information
 Accounting information can be send via VSA or Standard Attributes.
 Selection between these two is done via the following parameter.

subscriber-mgmt
radius-accounting-policy "GiveMeTheMoney"
[no] use-std-acct-attributes
exit
 The main difference when using standard based accounting attributes is that
there is no separation between in-profile and out-profile counters. Therefore,
when standards based attributes are used, these counters will be accumulated.
 Accounting information in VSA accounting attributes
 No use-std-acct-attributes
1023 2008/09/08 18:29:36.38 UTC MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Accounting Request
policy GiveMeTheMoney"
radius-accounting-policy "GiveMeTheMoney" create 1024 2008/09/08 18:29:36.38 UTC MINOR: DEBUG #2001 Base RADIUS
description "Radius is counting . . . "RADIUS: Transmit
update-interval 10 Accounting-Request(4) 172.30.1.43:1813 id 76 len 312
STATUS TYPE [40] 4 Interim-Update(3)
include-radius-attribute NAS IP ADDRESS [4] 4 172.30.1.33
framed-ip-addr USER NAME [1] 14 user666@idm.lb
framed-ip-netmask SERVICE TYPE [6] 4 Framed(2)
subscriber-id FRAMED PROTOCOL [7] 4 PPP(1)
circuit-id FRAMED IP NETMASK [9] 4 255.255.255.255
remote-id NAS IDENTIFIER [32] 4 PE33
nas-port-id SESSION ID [44] 40 0000000602208000029A00C80000000248C56C85
nas-identifier EVENT TIMESTAMP [55] 4 1220898576
sub-profil NAS PORT ID [87] 13 1/1/1:200.666
sla-profile VSA [26] 27 DSL(3561)
exit AGENT CIRCUIT ID [1] 16 ATM 1/1/4/6:8:35
session-id-format number AGENT REMOTE ID [2] 7 user666
VSA [26] 126 Alcatel(6527)
no use-std-acct-attributes SUBSC ID STR [11] 13 1/1/1:200.666
radius-accounting-server SUBSC PROF STR [12] 7 initial
source-address 172.30.1.33 SLA PROF STR [13] 4 128K
server 1 address 172.30.1.43 secret WhoIsThere INPUT_INPROF_OCTETS_64 [19] 10 0x00010000000000000000
INPUT_OUTPROF_OCTETS_64 [20] 10 0x000100000000000002ec
exit INPUT_INPROF_PACKETS_64 [23] 10 0x00010000000000000000
exit INPUT_OUTPROF_PACKETS_64 [24] 10 0x0001000000000000000b
OUTPUT_INPROF_OCTETS_64 [21] 10 0x000100000000000003de
OUTPUT_OUTPROF_OCTETS_64 [22] 10 0x00010000000000000000
OUTPUT_INPROF_PACKETS_64 [25] 10 0x0001000000000000000b
OUTPUT_OUTPROF_PACKETS_64 [26] 10 0x00010000000000000000
"
 Accounting information in VSA accounting attributes

 Standard defined RADIUS attributes do not have any provisions to indicate queue-id
 Repeating of such RADIUS attributed is not supported
VSA = [26-VendorID-AttributeNr] Description
[26-6527-19] alc-acct-input-inprof-octets-64 ingress-in-profile-forwarded-bytes
[26-6527-20] alc-acct-input-outprof-octets-64 ingress-out-of-profile-forwarded-bytes
[26-6527-23] alc-acct-input-inprof-packets-64 ingress-in-profile-forwarded-packets
[26-6527-24] alc-acct-input-outprof-packets-64 ingress-out-of-profile-forwarded-packets
[26-6527-21] alc-acct-output-inprof-octets-64 egress-in-profile-forwarded-bytes
[26-6527-22] alc-acct-output-outprof-octets-64 egress-out-of-profile-forwarded-bytes
[26-6527-25] alc-acct-output-inprof-packets-64 egress-in-profile-forwarded-packets
[26-6527-26] alc-acct-output-outprof-packets-64 egress-out-of-profile-forwarded-packets
0 0 0 0 0 0 0 0 0 1
1 2 3 4 5 6 7 8 9 0
Format: 10 byte word +---+---+---+---+---+---+---+---+---+---+
| queue | counter level |
| -id | |
+---+---+---+---+---+---+---+---+---+---+
 Accounting information in standard accounting attributes
 use-std-acct-attributes
radius-accounting-policy "GiveMeTheMoney" create
description "Radius is counting . . .
update-interval 10 1072 2008/09/08 18:39:44.38 UTC MINOR: DEBUG #2001 Base RADIUS
include-radius-attribute "RADIUS: Accounting Request
policy GiveMeTheMoney"
framed-ip-addr
framed-ip-netmask "RADIUS: Transmit
subscriber-id Accounting-Request(4) 172.30.1.43:1813 id 84 len 240
circuit-id STATUS TYPE [40] 4 Interim-Update(3)
NAS IP ADDRESS [4] 4 172.30.1.33
remote-id
nas-port-id SERVICE TYPE [6] 4 Framed(2)
nas-identifier FRAMED PROTOCOL [7] 4 PPP(1)
sub-profil FRAMED IP ADDRESS [8] 4 10.165.0.66
sla-profile
exit SESSION ID [44] 40 0000000602208000029A00C80000000248C56C85
session-id-format number EVENT TIMESTAMP [55] 4 1220899184
use-std-acct-attributes NAS PORT TYPE [61] 4 PPPoEoQinQ(34)
NAS PORT ID [87] 13 1/1/1:200.666
radius-accounting-server
VSA [26] 27 DSL(3561)
source-address 172.30.1.33 AGENT CIRCUIT ID [1] 16 ATM 1/1/4/6:8:35
server 1 address 172.30.1.43 secret WhoIsThere AGENT REMOTE ID [2] 7 user666
exit VSA [26] 30 Alcatel(6527)
SUBSC ID STR [11] 13 1/1/1:200.666
exit
SUBSC PROF STR [12] 7 initial
SLA PROF STR [13] 4 128K
INPUT PACKETS [47] 4 21
INPUT OCTETS [42] 4 1428
OUTPUT PACKETS [48] 4 21
OUTPUT OCTETS [43] 4 1890
"
Attributes : CLASS attribute
 RADIUS CLASS Attrib [25]

 Can be used for user identification.
 Correlate RADIUS accounting messages with given user.
 Radius Authentication Access-Accept can contain the Class Attribute.
 NAS needs in this case to echo this attribute back in all Accounting Messages.
Accounting-Request(4) 172.30.1.43:1813 id 230

STATUS TYPE [40] 4 Start(1)
NAS IP ADDRESS [4] 4 172.30.1.33
UTC MINOR: DEBUG #2001 management RADIUS SERVICE TYPE [6] 4 Framed(2)
"RADIUS: Receive Access-Accept(2) FRAMED PROTOCOL [7] 4 PPP(1)
VSA [26] 6 Alcatel(6527) FRAMED IP ADDRESS [8] 4 10.165.0.4
MSAP SERVICE ID [31] 4 301 CLASS [25] 12 0x4573687461205961206d616e
VSA [26] 7 Alcatel(6527) NAS IDENTIFIER [32] 4 PE33
MSAP POLICY [32] 5 ISP-1 SESSION ID [44] 55 1/1/1:300.300@1/1/1:…
VSA [26] 5 Alcatel(6527) EVENT TIMESTAMP [55] 4 1226947466
MSAP INTERFACE [33] 3 NH2 NAS PORT TYPE [61] 4 PPPoEoQinQ(34)
CLASS [25] 12 0x4573687461205961206d616e NAS PORT ID [87] 13 1/1/1:300.300
FRAMED IP ADDRESS [8] 4 10.165.0.4 VSA [26] 24 Alcatel(6527)
SUBSC ID STR [11] 13 1/1/1:300.300
SLA PROF STR [13] 7 default
useful CLI commands : Radius Accounting specific
 show subscriber-mgmt radius-accounting-policy

 Returns all radius accounting polices by name.
 show subscriber-mgmt radius-accounting-policy GiveMeTheMoney statistics
 show subscriber-mgmt radius-accounting-policy GiveMeTheMoney

 Returns all details of this specific policy ( also the state ).
Accounting methods
 Radius accounting
 Local file/XML accounting
Local file/XML accounting
 Standard XML accounting

 Interval 5-1800 minutes
– Compared to min 10 min interval for Radius Accounting
 An accounting file is provided on the local disk which supplies the accounting
information for the Client’s session information
Agenda
d) QoS
d) QoS
QoS
 Generic
 Well known QoS sap-ingress / sap-egress policies used.
 PPP specific
 Downstream dot1p can be set for PPPoE control traffic
 Dynamic QoS adaptation
– Access-loop-options
Dot1P settings for PPPoE generated traffic
 Downstream dot1p can be set for PPPoE control traffic [ default 7 ]

 configure router sgt-qos application pppoe dot1p 5 [0..7]
 configure service vprn <service-id> sgt-qos application pppoe dot1p5 [0..7]
*A:pe2.lab# show router sgt-qos application

=========================================================
Dot1p Application Values
==========================================================
Application Dot1p Value Default Dot1p Value
-----------------------------------------------------------
arp none none
isis none none
pppoe 5 none
*A:pe2.lab# show router 200 gt-qos application

==========================================================
Dot1p Application Values
==========================================================
-----------------------------------------------------------
arp none none
isis none none
pppoe 5 none
Agenda
a) What does the 7710/7750 offers in 7.0 and LAB-setup e)

e) Resilience
Resilience // Redundancy
Redundancy
d) QoS
PE resiliency
 PPPoE subscriber state is not synched between PE’s

 Compared to DHCP subscriber state that is synced via SRRP.
 PPPoE Sunets on pe1 and pe2 can not be overlapping.
 Care should be taken if support for DHCP and PPPoE is required on same interface with
dual homed PE’s.
– SRRP requires same subnet ( DHCP ) pe1
– PPPoE requires different subnet subnet-1
PPPoE session
SRRP
subnet-2
pe2
 configure system persistence subscriber-mgmt
 Will create a file submgmt.004 on flash (67109888 bytes ) (used only for DHCP clients)
 Not persistant for PPPoE because
– the client will break down the session anyway due to the short keepalive.
PE resiliency CON’T
PADO delay timers create a ACT/STDBY situation. Sessions need to be setup

again after boot Active PE
 Configurable delay on PE routers before sending back PADO.

 Makes PE1 ACT and PE2 standby
pe1
session Pado-delay = 0
Pado-delay = 1
configure subscriber-mgmt
pe2 pppoe-policy group-1
pado-delay [1..30] deci-sec
 Configurable delay on Radius server
 Example : Based on NAS-IP address
pe1
session If NAS-IP PE1

=> Pado-delay = 0
Alc-PPPoE-PADO-Delay
Ifo-delay =1
NAS-IP PE2
RADIUS
=> Pado-delay=1s
pe2
PE resiliency : Conclusion
Single homed PE
 PPPoE and DHCP clients can share same IP subnet
 Same static IP mapping for clients supported.
Dual homed PE
 Interface supports only PPPoE users

 Different subnets on pe1 and pe2
 Same static IP mapping for PPPoE not users supported. ( pe1 & pe2 server diff subnet )
 Dual homing is supported for PPPoE clients in an act/standby model ( PADO-delay )
 Interface supports DHCP and PPPoE users
 DHCP clients use same subnet on pe1 and pe2 with SRRP.
 PPPoE clients can not share same subnet as the above.
Full dual homing for PPPoE clients ala DHCP-model would be nice for the future.
Agenda

f) Security
d) QoS
Security
 Securing the Control Plane:

 configure system security cpu-protection
 See TiMOS-6.0_TPSDA_v1.1.ppt : CPU protection

 http://aww.quickplace.alcatel.be/QuickPlace/ipdrsces/PageLibraryC125716800326CF8
.nsf/h_Toc/7A689CC2E1B54877C125742F00426CAE/?OpenDocument
Agenda
c) Accounting g)Change
g) Changeof
ofAuthority
Authority
d) QoS
How to deal with Change of Authority ?
 PPP session is « wired » so no possibility to refresh/update session parameters

through protocol itself during the life of a session.
 PPPoE keep alive . (re-authentication N/A) can not be compared with a DHCP renew.
 7710/7750 can not reset ipcp without terminating the PPPoE session.
 Solutions with and without PPPoE session termination possible

 Radius can update the ESM strings.
 New sla-profile that include http-redirect policy for ingress.
How to deal with Change of Authority ? Continued
Solutions with PPP session termination

 1) Radius Session-timeout
 Session-timeout only associated with Radius SLA profile.( standard attribute 27 )
 PADT send by 7710/7750 after timeout .
 Possible application :
 Assign IP address via pool and use session-timeout value= 1 day to be sure that user
gets resetted and gets a new IP address .
NAS-port-Id = "1/1/7"
Solutions with PPP session termination Framed-IP-Address = 192.168.42.5
 2) Radius Disconnect-request
/usr/local/etc/raddb #
 Framed-IP is mandatory. radclient -x -d /usr/local/etc/raddb –f disconnect_msg.txt

172.16.0.12:3799 disconnect WhoIsThere
 By default not accepted.
+----------+ Disconnect-Request +----------+
configure subscriber-mgmt | | <-------------------- | |
authentication-policy knock-knock | RADIUS | | RADIUS |
no accept-authorization-change | Client | Disconnect-Reject | Server |
| | ---------------------> | |
+----------+ +----------+
2 2008/03/11 09:47:47.12 UTC WARNING: SVCMGR #2509 Base Radius CoA Error "Problem encountered in Subscriber
Management, while processing a Disconnect request on SAP 1/1/7 in service 998 from a Radius server: authentication
policy "knock-knock" doesn't allow Disconnects"
 accept-authorization-change
+----------+ Disconnect-Request +----------+
configure subscriber-mgmt | | <------------------- | |
authentication-policy knock-knock | RADIUS | | RADIUS |
accept-authorization-change | Client | Disconnect-Ack | Server |
| | ---------------------> | |
+----------+ +----------+
 Disconnect Ack to server and PADT to client
 Statistics under show subscriber-mgmt authentication coa-statistics
– Display command updated in >6.0
Solutions without PPP session termination

NAS-port-Id = "1/1/7"
Framed-IP-Address = 192.168.42.5
1. Change of Authorization (CoA) from Radius.
Alc-SLA-Prof-Str="http-redirect”
============================================================
 Session stays up ( see uptime ) ===========================================================
------------------------------------------------------------
 Accounting stop and start again 1/1/7 00:00:00:00:00:05 1 2d 00:25:36 192.168.42.5
LCP State : Opened

IPCP State : Opened
/usr/local/etc/raddb # PPP MTU : 1100
PPP Auth-Protocol : None
radclient -x -d /usr/local/etc/raddb –f coa_msg.txt
172.16.0.12:3799 coa WhoIsThere Group-interface : isam-1

+----------+ Coa-Request +----------+Strings Origin : Mid-Session-Change
| | <-------------------- | |IPCP Info Origin : Radius
| RADIUS | | RADIUS |Subscriber : "user5"

| Client | Coa-Ack | Server |Sub-Profile-String : "sub1"
| | ---------------------> | |SLA-Profile-String : "http-redirect"
+----------+ +----------+ANCP-String : ""
Int-Dest-Id : ""
RADIUS-CoA-REQUEST App-Profile-String : ""
ESM
update RADIUS-CoA-ACK Primary DNS : N/A
Secondary DNS : N/A
Primary NBNS : N/A
Circuit-Id
RADIUS : TRE26 atm 1/1/01/22:8.35
Remote-Id : 03-2404011
BSAN BSA
BSR Session-Timeout : N/A
---------------------------------------------------
===================================================
Solutions without PPP session termination

 ANCP
 Issue 1: add another « control plane » to manage subscriber sessions
 Issue 2: dependency on DSLAM
4 7x50 Wholesale-Retail via MSAP
updated
7x50 Wholesale-Retail via MSAP
 See TiMOS-6.0_TPSDA_v1.1.ppt : MSAP in general

.nsf/h_Toc/7A689CC2E1B54877C125742F00426CAE/?OpenDocument
 See TiMOS-6.1-PPPoE_v2.0.ppt : MSAP PPPoE example

.nsf/h_Toc/732CCEA3F49D60F7C1257505006D4A08/?OpenDocument
5 7x50 Wholesale-Retail VRF selection
new
7x50 Wholesale-Retail VRF selection
 See TiMOS-7.0_PPPoE_VRF_selection_TPSDA_enh_<version>_<date>.ppt
6 General L2TP Technology overview
new
General L2TP Technology overview
Embedded presentation
 ~ 1 Hour embedded general LT2P Technology Overview.
7 7x50 Wholesale-Retail L2TP implementation
new
7x50 Wholesale-Retail L2TP implementation
Agenda

a) General
b) CLI changes on LUDB/PPPoE/PPPoE-Policy
c) Tunnel configuration possibilities + LAB
a) LUDB and configured L2TP group
a) Clear / Tools /Hello/idle-timeout drain commands
b) Tunnel selection / load balancing

c) Understanding tunnel-id/session-id
d) Security [tunnel-auth/AVP-hiding/anti-spoof/cpm-protection]
b) RADIUS
a) Radius returns tunnel-group that points to CLI configuration
b) Radius returns all parameters to setup tunnel
d) Miscellaneous (Wireshark , N2X , ….)
General : L2TP and related RFC’s
 L2TP used for the tunnelling of PPP packets across an intervening network is
based on RFC 2661. (Aug 1999)
 L2TP uses the destination UDP port 1701.The entire L2TP packet, including
payload and L2TP header, is sent within a UDP datagram. The source UDP port
may or may not be 1701.
 Related RFC’s and info.

 RFC 2516 : A Method for Transmitting PPP Over Ethernet (PPPoE)
 RFC 1994 : PPP Challenge Handshake Authentication Protocol (CHAP)
 RFC 1661 : The Point-to-Point Protocol (PPP)
 RFC 2868 : RADIUS Attributes for Tunnel Protocol Support
 RFC 4951 Fail Over Extensions for Layer 2 Tunnelling Protocol (L2TP) "failover“
– Not supported for 7.0R1
 L2TP-parameter types ( complete list of possible parameters…just for info )
 http://www.iana.org/assignments/radius-types
General : RFC 2661 supported message types.
 Control Connection Management

0 (reserved)
1 (SCCRQ) Start-Control-Connection-Request
2 (SCCRP) Start-Control-Connection-Reply
3 (SCCCN) Start-Control-Connection-Connected
4 (StopCCN) Stop-Control-Connection-Notification
5 (reserved)
6 (HELLO) Hello
 Call Management
7 (OCRQ) Outgoing-Call-Request***
8 (OCRP) Outgoing-Call-Reply
9 (OCCN) Outgoing-Call-Connected
10 (ICRQ) Incoming-Call-Request
11 (ICRP) Incoming-Call-Reply
12 (ICCN) Incoming-Call-Connected
13 (reserved)
14 (CDN) Call-Disconnect-Notify
 Error Reporting 15 (WEN) WAN-Error-Notify
 PPP Session Control 16 (SLI) Set-Link-info
General : 7x50 L2TP Simplified State-Diagram
 Tunnel setup can be triggered by :

 Tools command
Client-trigger
 Auto-establish Auto-establish
 PPPoE client trigger Tools cmd start
SCCRQ
 LNS initiated SCCRQ
wait-reply
 SESSION setup can be only via PPPoE client SCCRP
establishedIdle
ICRQ CLI Timer-ex Session-
Idle-timeout
ICRQ/ICRP/ICCN
established
wait-reply stopCC
ICRP/ICCN
closedByPeer
established stopCC
CDN
closed
closed
Figure : SESSION state-diagram Figure : TUNNEL state-diagram
R&D CONFIDENTIAL – internal use only
PADI LUDB + PRE-Authentication in 7.0
Auth-method
= none
PADI LUDB New 7.0
Pre-Auth
New 7.0 Retail
Agenda

a) General
a) Tools / clear / drain commands /Hello/idle-timeout

b) RADIUS
d) Miscellaneous (Wireshark , N2X , Nice-to-Know)
CLI Changes : LUDB for PPPoE
service-name is 255 chars max
 Removed and added parameters in LUDB Optional Service-name in pppoE PADI
can be used for match condition.
local-user-db "my_ludb"
pppoe
no mask
mask type <type>
match-list pppoe-match-type Radius policy Knock-knock is added
circuit-id | remote-id in LUDB. Can be used after a pre-
no circuit-id-mask
service-name | username authentication is done on PADI .
host "host1" create
…followed by Example : pado-delay
host-identification
no circuit-id
<prefix-string>: ('*' is wildcard) no mac
<prefix-length>: [1..127] no remote-id PADO delay can now come
<suffix-string>: ('*' is wildcard) no service-name from Radius , pppoe-policy or
<suffix-length>: [1..127] LUDB.
no username
exit
no auth-policy
no address
Corresponds with the tunnel- no pado-delay
group-name ( max 63 chars ) no password
configured under “configure no identification-strings
router x l2tp group group- l2tp
name” no group
exit Service-id for wholesale/retail aka
options vrf-selection.
Fallback host “default” : exit
Strings taken from this host incase
no retail-service-id
host not found in Ludb.
exit
host “default" create
CLI Changes : pap-chap ludb
 Removed and added parameters in LUDB
 Pap-chap-user-db is now renamed to user-db
configure services ies/vprn

subscriber-interface my_subscriber_itf1
group-interface my_grp_itf1
pppoe
pap-chap-user-db local-user-db-name Configure the local user database to
user-db local-user-db-name use for authentication.
exit
exit User-database could be used for PPPoE
exit only for pap-chap before and can now
exit be used for PADI authentication.
Therefore the name is changed to
simple user-db iso pap-chap-user-db
CLI Changes : pppoe-policy
 Removed and added parameters in pppoe-policy
 pref-chap is default and has same behaviour as before ( Release < 7.0R1 )
configure subscriber-mgmt pppoe-policy

default description "Default PPPoE policy"
no disable-cookies pap : pap only , no alternative chap
keepalive 30 hold-up-multiplier 3 chap : chap only , no alternative
no pado-delay pref-chap : first chap with pap as alternative.
no ppp-mtu
max-sessions-per-mac 1
no reply-on-padt
ppp-authentication pref-chap
ppp-chap-challenge-length min 32 max 64

ppp-options Min [8..64] and max [8..64]
exit
 pppoe chap-challenge (client-LAC) is by default a value between 32-64 and was

never a problem for clients. ( different to challenge for tunnel authentication)
 The same challenge will be send to the LNS if we have proxy-authentication and
some LNS’s don’t support big challenges. Don’t CHANGE this values unless
required due to interoperable cases.
Agenda

a) General

b) RADIUS
Tunnel Configuration : Several possibilities
1. LUDB points to a CLI created L2TP group.
2. RADIUS returns tunnel-group that points to a CLI created L2TP group.
3. RADIUS returns all required parameters without tunnel-group.

 Operational TG created with name equal to “default_radius_group”
4. RADIUS returns all required parameters without tunnel-group +
 Operational TG created with name equal to the Radius standard attribute Tunnel-
Assignment-Id:0 ( 7.0R2)
Remark :
• When Radius returns the tunnel-group it should always point to a CLI created group and
any other Radius returned L2TP parameters is ignored. All other required info to setup the
tunnel should come than from CLI.
Tunnel Configuration : LUDB points to a CLI created L2TP group
1) LUDB points to a CLI created L2TP group.
 The LUDB could return on match a L2TP group-name

local-user-db "MyLudb1" create
pppoe
host "host1"
l2tp
group "MyProvider1"
exit
exit
 The minimum required configuration is an LNS end-point called peer ***

configure router l2tp Tunnels are configured
group "MyProvider1" create always under a tunnel group
tunnel "MyTunnel1" create
peer 192.168.4.2
no shutdown
exit MyTunnel1 has LNS end point 192.168.4.2.
tunnel "MyTunnel2" create The source of the tunnel is always are own system interface
peer 192.168.5.2
no shutdown
exit
no shutdown
exit
exit
Tunnel Configuration : RADIUS points to a CLI created L2TP group
2) RADIUS points to a CLI created L2TP group.
 RADIUS returns on match a L2TP group-name
user10&skynet.be Auth-Type := Local, User-Password == “password10"

Alc-Tunnel-Group = "MyProvider1",
 The minimum required configuration is an LNS end-point called peer.

 Limitation : The peer address may never be an address of a direct connected interface
configure router l2tp Tunnels are configured

group "MyProvider1" create always under a tunnel group
peer 192.168.4.2
no shutdown
exit MyTunnel1 has LNS end point 192.168.4.2.
tunnel "MyTunnel2" create The source of the tunnel is always are own system interface
peer 192.168.5.2
no shutdown
exit
no shutdown
exit
exit
Tunnel Configuration : RADIUS returns all required parameters without TG
3) RADIUS returns all required parameters without tunnel-group
Tunnel-Assignment-Id:1 = MyTunnel1
Tunnel-Server-Endpoint:1 = 192.168.4.2
 Nothing in CLI required
 CLI assigns an operational Tunnel-group with the name “default_radius_group”

 Not intuitive when show commands are done… so there for next slide
show router l2tp group
=============================================================
L2TP Groups
=============================================================
Group Name State Tunnels Sessions
-------------------------------------------------------------
MyProvider1 active 2 0
default_radius_group active 2 0
Tunnel Configuration : RADIUS returns all required parameters without TG
4) RADIUS returns all info without TG but + Tunnel-Assignment-Id:0 (7.0R2)

Tunnel-Assignment-Id:0 = MyProvider1_that_is_not_in_CLI
 Nothing in CLI required
 Tunnel-group name becomes the Tunnel-Assignment-Id:0 name
LAB
 Embedded L2TP lab-exercise executed on mobile lab.
 LAB1 : user1-5
 LAB2 : user 6-10
 LAB3 : user11-15
Agenda

a) General
c) Tunnel configuration possibilities
a) Clear / Tools / drain commands /Hello/idle-timeout

b) RADIUS
 configure router l2tp level

 Max box-wide number of L2TP sessions will be 128K
Total number of L2TP

sessions [1..131071]
Configure router ltp

no session-limit
No session-limit is the default

value and corresponds with
131071 or 128K-1
 configure router l2tp : group parameters Send AVP’s encrypted iso clear text.
No | sensitive | always
group "MyProvider1" create Default no : never
L2TP hello-keepalive
[ 60 – 3600s] | no no avp-hiding Enable MD5 tunnel authentication
Default no : infinite no challenge No | always
no description Default no : never
no destruct-timeout
Idle-timeout Keep tunnel/session information
[ 0 – 3600s] | no no hello-interval
during this configured timeout on
Default no : infinite no idle-timeout the moment of failure : debugging
no local-name purposes. [15s – 86400s] | no
Used in host-name AVP no max-retries-estab* Default no : 15s
in SCCRQ . Default is no max-retries-not-estab*
system name On session setup timeout retry by
no password
default 5 times [2..7] | no
no session-assign-method Default no: 5
no session-limit
MD5 password used for tunnel "MyTunnel1" create
tunnel authentication On tunnel setup timeout retry by
and AVP-hiding secret
exit default 5 times [2..7] | no
tunnel "MyTunnel2" create Default no : 5
exit
Maximum created tunnel "MyTunnel31" create Tunnel selection mechanism
tunnels/group is 31 incase we have more than one
exit
exit tunnel in this group
No | weighted
Maximum created group "MyProvider2" create
Default no = existing-first
groups is unlimited ? exit
group "MyProviderx" create Session-limit per group [1..131071] | no
Default no : 131071
Tunnel Configuration : CLI
 configure router l2tp : group parameters

 Use the following command (7.0R2) to see these default values
 Group name is currently mandatory for detail info
show router l2tp group MyProvider1 detail

===============================================================================
Group Name : MyProvider1
Description : N/A
Local Name : N/A
Admin State : inService Operational State : active
Hello Interval (s): infinite Session Assignment: existing-first

Idle TO (s) : infinite Destruct TO (s) : 15
Max Retr Estab : 5 Max Retr Not Estab: 5
Session Limit : 131071 AVP Hiding : never
Time Last Mgmt Ch.: 03/15/2009 14:59:11 Challenge : never
7x50 Wholesale-Retail L2TP implementation Check every 1 minute if we have to
initiate tunnels ourselves and this
Tunnel Configuration : CLI without a trigger from the PPPoE
client side.
 configure router l2tp : tunnel parameters Tunnel state = EstablishedIdle when
tunnel is setup without sessions.
L2TP hello-keepalive
No | [ 60 – 3600s] | infinite
Default : no : take from Send AVP’s encrypted iso clear text.
group -> infinite No | never| sensitive | always
tunnel "MyTunnel1" create Default no : Take from group-> never
no auto-establish
A tunnel with sessions=0 no avp-hiding
Enable MD5 tunnel authentication
will be stopped when this no challenge No | never | always
configured timer expires : no description Default no : Take from group-> never
no | [0..3600s] | infinite no destruct-timeout
Default no : Take from
no hello-interval Keep tunnel/session information
group -> default infinite
no idle-timeout during this configured timeout on
no local-name the moment of failure : debugging
timeout retry : no | [2..7] no max-retries-estab purposes. [15s – 86400s] | no
Default no: taken from Default no : Take from group -> 15s
no max-retries-not-estab
group equal to 5
no peer
no preference Tunnel preference between no
| [0..16777215] where the lowest
Peer-address of LNS no remote-name number is more preferred.
Max number of CLI no password Default no preference = 50
checked is 16K today no session-limit
no shutdown If remote-name configured than it
Session-limit per tunnel exit needs to correspond with the
[1..65535] | no returned host-name AVP in the
Default no : 32767 SCCRP on tunnel setup.
Tunnel Configuration : CLI
 configure router l2tp : tunnel parameters

 Use the following command to see these default values
show router l2tp tunnel detail
Number of session per tunnel was tested until 32K and
Connection ID : 944308224 is blocked in 7.0R1 to this value. CLI was not lined up
State : establishedIdle for this and values above 32K are accepted in CLI but
IP : 172.16.0.12 are topped at 32K in application.
Peer IP : 192.4.1.2 7.0R3 will be targeted at 64K/ tunnel and internal
Name : MyLac1 restriction will be removed.
Remote Name : MyRemoteLns1
Assignment ID : MyTunnel1
Error Message : N/A
Remote Conn ID : 4294180864

Tunnel ID : 14409 Remote Tunnel ID : 65524
UDP Port : 1701 Remote UDP Port : 1701
Preference : 50
Hello Interval (s): infinite
Transport Type : udpIp Challenge : never
Time Started : 03/15/2009 15:00:15 Time Idle : N/A
Time Established : 03/15/2009 15:00:15 Time Closed : N/A
Stop CCN Result : noError General Error : noError
Tunnel Configuration : debugging L2TP
Packets and Events can be debugged on different levels.

 L2TP level ( For all as seen on the here)
 Group level ( group name) debug
router "Base"
l2tp
 Peer level ( peer address) event
call-disconnect-notification
 assignment-id ( tunnel-name) finite-state-machine
stop-control-connection-notification
 Tunnel (connection-id) exit
packet direction both detail-level high
exit
exit
 Debug output example shows (0,7)

3 2009/03/12 10:23:19.58 GMT MINOR: DEBUG #2001 Base L2TP(v2, control)
"L2TP(v2, control): egress
UDP src 172.16.0.12:1701 dst 192.4.1.2:17*
tunnel 0 session 0, ns 0 nr 0, flags:, reserved=0 0: vendor-id and vendor-id
AVP MessageType(0,0), flags: mandatory, reserved=0 zero means that we have
StartControlConnectionRequest(1) standard AVP’s
AVP ProtocolVersion(0,2), flags: mandatory, reserved=0
version=1, revision=0
7: AVP nbr
AVP HostName(0,7), flags: mandatory, reserved=0
"MyLac1"
…
Tunnel Configuration :
 LUDB
Description
Option 1A Service-name in LUDB : 1 Subscriber-id per LNS
Option 1B Full username in LUDB : LUDB requires all users !! (LNS does not used Proxy info)
Option 1C Domain-only in LUDB : 1 Subscriber-id per LNS
Option 1D Full username in LUDB : LUDB requires all users !! (LNS uses Proxy info)
Option 1E Full username in LUDB variant where LNS renegotiates CHAP iso received PAP
Next
Tunnel Configuration
1) LUDB points to a CLI created L2TP group
Option 1A : Tunnel selection via LUDB : match service-name
pe2_l2tp_2.cfg
Wholesale-retail
Lab setup
MyProvider1
 General Lab setup with N2X as Client and LNS LNS 203/4 POOL
192.168.60.1
192.4.1.2
192.168.70.1
192.4.2.2
C2/RR2/ PE4
PE2 192.168.80.1
138.203.18.183 138.203.18.179
138.203.18.176 192.4.3.2
192.168.90.1
192.4.4.2
LAC
PPPoE client
IES
99999 1/1/2 1/1/1
1/1/1 1/1/8
203/1 MyProvider2
LUDB
LNS 203/4 POOL
192.168.160.1
OPTION-1A user2@skynet.be 192.5.1.2
192.168.170.1
192.5.2.2
192.168.180.1
192.5.3.2
192.168.190.1
192.5.4.2
Wholesale-retail OPION-1A *A:pe2.lab# configure subscriber-mgmt
LUDB : match service-name description "Add text"
pppoe
match-list service-name
host "host1" create
 LUDB : 1 Entry per LNS host-identification
service-name "MyProvider1"
exit
 Service-name as match-condition identification-strings 254 create
subscriber-id "MySubMyProvider1"
*A:pe2.lab# sla-profile-string "DefSlaProfile"
configure service ies 99999 sub-profile-string "DefSubProfile"
subscriber-interface "MySubItf1" create exit
address 192.168.50.254/24 l2tp
group-interface "MyGrpItf1" create group "MyProvider1"
sap 1/1/1:1 create exit
sub-sla-mgmt options
def-sub-profile "DefSubProfile" dns-server 138.203.144.51
def-sla-profile "DefSlaProfile" exit
sub-ident-policy "sub_ident_all" no shutdown
multi-sub-sap 2000 exit
no shutdown host "host2" create
exit host-identification
exit service-name "MyProvider2"
pppoe exit
session-limit 10 identification-strings 254 create
sap-session-limit 10 subscriber-id "MySubMyProvider2"
user-db "MyLudb1" sla-profile-string "DefSlaProfile"
no shutdown sub-profile-string "DefSubProfile"
exit exit
exit l2tp
exit group "MyProvider2"
no shutdown Configure router l2tp exit
group "MyProvider1" create options
tunnel "MyTunnel1" create dns-server 138.203.144.51
auto-establish exit
peer 192.4.1.2 no shutdown
no shutdown exit
exit exit
exit no shutdown
exit exit
Wholesale-retail
Option-1A : Tunnel selection via LUDB : match service-name
 Setup N2X OPTION-1A user2@skynet.be
Wholesale-retail
PAP PAP
LAC RADIUS
Aggregation LNS
network IP/MPLS Internet
(optional)
BSAN

,PPPoE tag: option: 0x101, 0x103
LUDB
 L2TP Group
 MySubProvider1 Remark :
Discovery stage
PADR, Session ID: 0x0000 Session-Setup-Flow

accounting Request : start
accounting Response
ICRQ
PADS, Session ID: 0x0001 ICRP
ZLB
ICCN
ZLB
LCP Configuration Request
Session stage :
LCP Configuration Request : Auth protocol PAP

LCP Configuration Ack
PAP Authentication request
PAP Authentication Ack
Wholesale-retail
PAP
LAC RADIUS
PAP Aggregation LNS

(optional)
BSAN
IPCP Configure-request IP address: 192.168.60.1

IPCP Configure-Ack IP address: 192.168.60.1
Session stage :
IPCP Configure-Nack IP address: 192.168.60.2

IPCP

IPCP Configure-ack IP address: 192.168.60.2
LCP Echo Request

Keep-alive
LCP Echo Reply

Optional
LCP Echo Request
LCP Echo Reply
LCP Terminate Request

LCP Terminate Ack
CDN ( call Disconnect-Notification) + error code

PADT
Terminate
session
PADT
ZLB
accounting Request : stop

accounting Response
Wholesale-retail
show service id 99999 pppoe session detail  Setup N2X user2

=========================================================
=========================================================  Radius users file : N/A
Sap Id Mac Address Sid Up Time IP/L2TP-Id Type
---------------------------------------------------------
1/1/1:1 00:00:64:06:02:02 1 0d 00:00:40 289112470 L2TP  30s E2E PPP keep alive used.
PPP User-Name : (Not Specified)
 Use debug ( user2 traced)
Subscriber-interface : MySubItf1
Group-interface : MyGrpItf1
 1 Subscriber with many hosts
Subscriber : "MySubMyProvider1"
Sub-Profile-String : "DefSubProfile"
SLA-Profile-String : "DefSlaProfile"
ANCP-String : "" show service active-subscribers
Int-Dest-Id : "" ======================================================
App-Profile-String : "" Active Subscribers
Category-Map-Name : "" ======================================================
Subscriber MySubMyProvider1 (DefSubProfile)
L2TP Group Name : MyProvider1 ------------------------------------------------------
L2TP Assignment ID : MyTunnel1 (1) SLA Profile Instance sap:1/1/1:1 - sla:DefSlaProfile
------------------------------------------------------
Circuit-Id : IP Address MAC Address PPPoE-SID Origin
Remote-Id : ------------------------------------------------------
Service-Name : MyProvider1 0.0.0.0 00:00:64:06:01:02 1 PPPoE
0.0.0.0 00:00:64:06:02:02 1 PPPoE
hosts ------------------------------------------------------
Radius Class : Number of active subscribers : 1
Radius User-Name :
Wholesale-retail
Option-1A : setup 1000 on sims
 Setup N2X user1-1000
 Radius users file : N/A
 30s E2E PPP keep alive used.
 Don’t judge the setup rate on SIM’s
*A:pe2.lab# show router l2tp peer *A:pe2.lab# show router l2tp statistics
==================================
=============================================
L2TP Peers L2TP Statistics
================================== ==============================================
Peer IP Role Tunnels Sessions Tunnels Sessions
----------------------------------- ---------------------------------------------
192.4.1.2 LAC 1 1000
192.5.1.2 LAC 1 0
Total : 290 Total : 16638
----------------------------------- Failed : 139 Failed : 4590
No. of peers: 2 Failed Aut : 0
Active : 2 Active : 1000
============================================
Option 1B : Tunnel selection via LUDB : match username
LNS does NOT uses LAC Proxy CONFREQ info
pe2_l2tp_2.cfg
Wholesale-retail: LNS does NOT uses LAC Proxy CONFREQ info
Option-1B : Tunnel selection via LUDB : match username
 LUDB : 1 Entry per User *A:pe2.lab# configure subscriber-mgmt

description "Add text"
 User-name as match-condition pppoe
match-list username
host "host1" create
 pppoe-policy -> ppp-authentication pref-chap host-identification
username "user1@skynet.be"
exit
*A:pe2.lab#
password pap password1
subscriber-interface "MySubItf1" create
subscriber-id "user1@skynet.be"
address 192.168.50.254/24
sla-profile-string "DefSlaProfile"
group-interface "MyGrpItf1" create
sub-profile-string "DefSubProfile"
sap 1/1/1:1 create
exit
sub-sla-mgmt
l2tp
def-sub-profile "DefSubProfile"
group "MyProvider1"
def-sla-profile "DefSlaProfile"
exit
no shutdown
multi-sub-sap 2000
exit
no shutdown
host "host2" create
exit
host-identification
exit
pppoe
exit
session-limit 10
sap-session-limit 10
user-db "MyLudb2"
pppoe-policy default
no shutdown
exit
exit
exit
l2tp
exit
group "MyProvider1"
no shutdown
exit
no shutdown
exit
 Setup N2X OPTION-1A user2@skynet.be
PAP PAP
LAC RADIUS
Aggregation LNS
(optional)
BSAN

LUDB
 L2TP Group
Discovery stage

 pap
PADR, Session ID: 0x0000 pppoe-policy default
PPPoE tag: option: 0x101,0x102, 0x103, 0x104 => ppp-authentication pref-chap
LCP Configuration Request : CHAP
LCP Configuration Nack : PAP


Session stage :
LCP Configuration Request : PAP
PAP
LAC RADIUS
PAP Aggregation LNS

(optional)
BSAN
PPP PAP authentication-Request

Discovery stage
accounting Response
Initial Received LCP Confreq
Last Received LCP Confreq ICRQ
Proxy Auth type ICRP
Proxy Auth name
ZLB
Proxy Auth ID
Proxy Auth Response ICCN
ZLB
START AGAIN LCP phase


PPP PAP authentication-Ack
LNS-N2X does not support today PAP proxy-LCP-Confreq

and starts LCP config phase again.
PAP
LAC RADIUS
PAP Aggregation LNS

(optional)
BSAN

Session stage :

IPCP

LCP Echo Request

Keep-alive
LCP Echo Reply

Optional
LCP Echo Request
LCP Echo Reply

LCP Terminate Ack

PADT
Terminate
session
PADT
ZLB

accounting Response

=========================================================
---------------------------------------------------------
PPP User-Name : user2@skynet.be
 Use debug ( user2 traced)
Group-interface : MyGrpItf1 *A:pe2.lab# show service active-subscribers
==================================================
Subscriber Origin : Local-User-Db Active Subscribers
Strings Origin : Local-User-Db ==================================================
Subscriber user1@skynet.be (DefSubProfile)
Subscriber : "user2@skynet.be" --------------------------------------------------
Sub-Profile-String : "DefSubProfile" (1) SLA Profile Instance sap:1/1/1:1 -
SLA-Profile-String : "DefSlaProfile" sla:DefSlaProfile
ANCP-String : "" -------------------------------------------------
Int-Dest-Id : "" IP Address MAC Address PPPoE-SID Origin
App-Profile-String : "" --------------------------------------------------
Category-Map-Name : "" 0.0.0.0 00:00:64:06:01:02 1 PPPoE
--------------------------------------------------
L2TP Group Name : MyProvider1 Subscriber user2@skynet.be (DefSubProfile)
L2TP Assignment ID : MyTunnel1 -------------------------------------------------
(1) SLA Profile Instance sap:1/1/1:1 -
Circuit-Id : sla:DefSlaProfile
Remote-Id : --------------------------------------------------
Service-Name : MyProvider1 IP Address MAC Address PPPoE-SID Origin
--------------------------------------------------
Session-Timeout : N/A 0.0.0.0 00:00:64:06:02:02 1 PPPoE
Radius Class : --------------------------------------------------
Radius User-Name : Number of active subscribers : 2
Option 1C : Tunnel selection via LUDB : username domain only
LNS does NOT uses LAC Proxy CONFREQ info
pe2_l2tp_2.cfg
Option-1C : Tunnel selection via LUDB : match username domain-only
 LUDB : 1 Entry per LNS *A:pe2.lab# configure subscriber-mgmt

 Domain as match-condition pppoe
match-list username
host "host1" create
 Ignore password host-identification
username skynet.be domain-only
exit
*A:pe2.lab#
password ignore
subscriber-id “MySubProvider1”
address 192.168.50.254/24
sap 1/1/1:1 create
exit
sub-sla-mgmt
l2tp
group "MyProvider1"
exit
no shutdown
multi-sub-sap 2000
exit
no shutdown
host "host2" create
exit
host-identification
exit
username “Belgacom.be” domain-only
pppoe
exit
session-limit 10
password ignore
user-db "MyLudb3"
subscriber-id “MySubProvider2”
no shutdown
exit
exit
exit
l2tp
exit
group "MyProvider2"
no shutdown
exit
no shutdown
exit
Wholesale-retail
Lab setup
MyProvider1
 General Lab setup with N2X as Client and LNS LNS 203/4 POOL
user1@skynet.be 192.168.60.1
 4 users , 2 domains user2@skynet.be 192.4.1.2
192.168.70.1
192.4.2.2
C2/RR2/ PE4
PE2 192.168.80.1
138.203.18.183 138.203.18.179
138.203.18.176 192.4.3.2
192.168.90.1
192.4.4.2
LAC
PPPoE client
IES
99999 1/1/2 1/1/1
1/1/1 1/1/8
203/1 MyProvider2
LUDB
user1@skynet.be LNS 203/4 POOL
192.168.160.1
user2@skynet.be 192.5.1.2
192.168.170.1
user100@Belgacom.be 192.5.2.2
192.168.180.1
user101@Belgacom.be user100@Belgacom.be
192.5.3.2
user101@Belgacom.be
192.168.190.1
192.5.4.2
show service id 99999 pppoe session detail  Setup 2 users per domain
==========================================================
==========================================================  Radius users file : N/A
----------------------------------------------------------
PPP User-Name : user100@Belgacom.be

 Use debug : same as option-1B
show service active-subscribers
=========================================================
Active Subscribers
=========================================================
Subscriber : "MySubMyProvider2"
----------------------------------------------------------
(1) SLA Profile Instance sap:1/1/1:1 - sla:DefSlaProfile
----------------------------------------------------------
ANCP-String : ""
IP Address MAC Address PPPoE-SID Origin
Int-Dest-Id : ""
-------------------------------------------------------
0.0.0.0 00:00:64:06:01:02 1 PPPoE
Category-Map-Name : ""
0.0.0.0 00:00:64:06:02:02 1 PPPoE
---------------------------------------------------------
L2TP Group Name : MyProvider2
L2TP Assignment ID : MyTunnel1
--------------------------------------------------------
(1) SLA Profile Instance sap:1/1/1:1 - sla:DefSlaProfile
Circuit-Id :
---------------------------------------------------------
Remote-Id :
IP Address MAC Address PPPoE-SID Origin
Service-Name : MyProvider2
-------------------------------------------------------
0.0.0.0 00:00:64:07:01:02 1 PPPoE
0.0.0.0 00:00:64:07:02:02 1 PPPoE
Radius Class :
---------------------------------------------------------
Radius User-Name :
Number of active subscribers : 2
 4 sessions where setup on previous slide.
show router l2tp session

===============================================================================
L2TP Session Summary
===============================================================================
ID Control Conn ID Tunnel-ID Session-ID State
-------------------------------------------------------------------------------
366026664 366018560 5585 8104 established
366068006 366018560 5585 49446 established
1039365142 1039335424 15859 29718 established
1039372620 1039335424 15859 37196 established
-------------------------------------------------------------------------------
No. of sessions: 4
Option 1D : Tunnel selection via LUDB : username
LNS uses LAC Proxy CONFREQ info
pe2_l2tp_2.cfg
Wholesale-retail: LNS uses LAC Proxy CONFREQ info
Option-1D : Tunnel selection via LUDB : match username

match-list username
host "host1" create
 pppoe-policy -> ppp-authentication pref-chap host-identification
exit
*A:pe2.lab#
address 192.168.50.254/24
sap 1/1/1:1 create
exit
sub-sla-mgmt
l2tp
group "MyProvider1"
exit
no shutdown
multi-sub-sap 2000
exit
no shutdown
host "host2" create
exit
host-identification
exit
pppoe
exit
session-limit 10
user-db "MyLudb2"
no shutdown
exit
exit
exit
l2tp
exit
group "MyProvider1"
no shutdown
exit
no shutdown
exit
PAP
LAC RADIUS
PAP Aggregation LNS

(optional)
BSAN

LUDB
 L2TP Group
Discovery stage

 pap
LCP Configuration Nack : PAP


Session stage :
PAP
LAC RADIUS
PAP Aggregation LNS

(optional)
BSAN

Discovery stage
accounting Response
Proxy Auth type ICRP
Proxy Auth name
ZLB
Proxy Auth ID
Proxy Auth Response ICCN
ZLB
That’s how it should work but N2X does not

N2X dos not support this support this
currently
PPP PAP authentication-Ack
PAP
LAC RADIUS
PAP Aggregation LNS

(optional)
BSAN

Session stage :

IPCP

LCP Echo Request

Keep-alive
LCP Echo Reply

Optional
LCP Echo Request
LCP Echo Reply

LCP Terminate Ack

PADT
Terminate
session
PADT
ZLB

accounting Response
Option 1E : Tunnel selection via LUDB : username
LNS uses CHAP where LAC used PAP
pe2_l2tp_2.cfg
Wholesale-retail: LNS uses CHAP where LAC used PAP
Option-1E : Tunnel selection via LUDB : match username

match-list username
host "host1" create
 pppoe-policy -> ppp-authentication pap host-identification
exit
*A:pe2.lab#
address 192.168.50.254/24
sap 1/1/1:1 create
exit
sub-sla-mgmt
l2tp
group "MyProvider1"
exit
no shutdown
multi-sub-sap 2000
exit
no shutdown
host "host2" create
exit
host-identification
exit
pppoe
exit
session-limit 10
user-db "MyLudb2"
pppoe-policy MyPolicy1
no shutdown
exit
exit
exit
l2tp
exit
group "MyProvider1"
no shutdown
exit
no shutdown
exit
 Setup N2X user1@skynet.be
PAP or CHAP PAP CHAP
LAC RADIUS
Aggregation LNS
(optional)
BSAN

LUDB
 L2TP Group
Discovery stage

 pap

Session stage :
PAP
LAC RADIUS
PAP Aggregation LNS

(optional)
BSAN

Discovery stage
accounting Response
Last Sent LCP Confreq ICRQ
Last Received LCP Confreq ICRP
Proxy Auth type
ZLB
Proxy Auth name
Proxy Auth ID ICCN
Proxy Auth Response ZLB
LCP Configuration Request : Auth protocol CHAP
PPP CHAP Challence

PPP CHAP response
PPP CHAP success
PAP
LAC RADIUS
PAP Aggregation LNS

(optional)
BSAN

Session stage :

IPCP

LCP Echo Request

Keep-alive
LCP Echo Reply

Optional
LCP Echo Request
LCP Echo Reply

LCP Terminate Ack

PADT
Terminate
session
PADT
ZLB

accounting Response

=========================================================
---------------------------------------------------------

Subscriber : "user1@skynet.be"
ANCP-String : ""
Int-Dest-Id : "" *A:pe2.lab# show service active-subscribers
App-Profile-String : "" ==================================================
Category-Map-Name : "" Active Subscribers
==================================================
L2TP Group Name : MyProvider1 Subscriber user1@skynet.be (DefSubProfile)
L2TP Assignment ID : MyTunnel1 --------------------------------------------------
(1) SLA Profile Instance sap:1/1/1:1 -
Circuit-Id : sla:DefSlaProfile
Remote-Id : -------------------------------------------------
Service-Name : MyProvider1 IP Address MAC Address PPPoE-SID Origin
--------------------------------------------------
Session-Timeout : N/A 0.0.0.0 00:00:64:06:01:02 1 PPPoE
Radius Class : --------------------------------------------------
Radius User-Name :
Agenda

a) General
a) Clear / Tools /Hello/idle-timeout/drain commands

b) RADIUS
CLI : L2TP Clear commands are always related to statistics.
 Example : Clear counters and initiate 1 tunnel. show router l2tp tunnel statistics detail
L2TP Tunnel Statistics
===========================================
Connection ID: 712704000
 clear router l2tp tunnel 712704000 statistics -------------------------------------------
Attempts Failed Active Total
 show router l2tp tunnel statistics detail  -------------------------------------------
Sessions 0 0 0 0
SCCRQ -------------------------------------------
SCCRP Rx Tx
Does not show Tx-Rx ----------------------------
SCCCN Ctrl Packets 2 2
counters but number of
ZLB Ctrl Octets 76 125
tunnels / sessions Error Packets 0 0
 clear router l2tp statistics  clear router l2tp group MyProvider1 statistics
show router l2tp statistics show router l2tp group MyProvider1 statistics
L2TP Statistics Group Name: MyProvider1

==================================== --------------------------------------------------------
Tunnels Sessions Attempts Failed Failed-Aut Active Total
------------------------------------ --------------------------------------------------------
Total : 1 Total : 0 Tunnels 1 0 0 1 1
Failed : 0 Failed : 0 Sessions 0 0 N/A 0 0
Failed Auth : 0 --------------------------------------------------------
Active : 1 Active : 1 Pkt-Ctl Pkt-Err Octets
-------------------------------------------------
Rx 2 0 76
 Remark : No individual statistics Tx 2 0 125
per control message ***
CLI : Clear commands for sessions .
How can we clear a session?

*A:pe2.lab# show service id 99999 pppoe session type l2tp
===============================================================================
===============================================================================
-------------------------------------------------------------------------------
1/1/1:1 00:00:64:06:02:02 1 0d 00:10:44 396919486 L2TP**
-------------------------------------------------------------------------------
 clear service id 99999 pppoe session mac 00:00:64:06:01:02 sap-id 1/1/1:1 session-id 1
 clear service id 99999 pppoe session all
 clear service id 99999 pppoe session sap-id 1/1/1:1 type l2tp
Remark : OR … stop a tunnel with the tools command … next slide
Tool commands: start/stop/drain
 Trigger an attempt to start / stop the control connection for this L2TP tunnel.
 Start: Useful test command for L2TP tunnel which are not auto-established.
tools perform router l2tp group my_group1 tunnel my_tunnel1 start
 Stop : Tunnel and all related sessions will be removed ( send stopCCN + PADT/session)
tools perform router l2tp tunnel <connection-id> stop ***
 Trigger an attempt to drain this L2TP tunnel group or L2TP peer

 Don’t create new sessions for a destination but the leave the current ones intact.
 Elaborate later on this.
tools perform router l2tp group my_group1 drain
tools perform router l2tp peer a.b.c.d drain
PPPoE session creation failures example-1
Example of Unsuccessful tunnel setup because LNS does not reply.
 Use tools command to trigger setup ( send StartControlConnectionRequest )

tools perform router l2tp group my_group1 tunnel my_tunnel1 start
 Debug info** : Retry max-retries-not-estab ( default 5 ) if no reply from LNS.
7 2000/01/01 19:48:35.93 GMT MINOR: DEBUG #2001 Base L2TP(v2)

"L2TP(v2): UDP src 0.0.0.0:1701 dst 192.4.1.2:1701
connection 496697344 (tunnel-id 7579)
result-code=generalError error-code=vendorSpecificErrorInLac
error-msg=connection with peer lost"
Configure router l2tp
group "MyProvider1" create
max-retries-not-estab[2..7]
peer 192.4.1.2
 Log-id 99 info : Trap shows the state-machine no shutdown
exit
2 2000/01/01 19:54:41.80 GMT WARNING: SYSTEM #2006 Base L2TP

"State of L2TP tunnel 1:249954304 changed to waitReply configuration modified"

"State of L2TP tunnel 1:249954304 changed to closed configuration modified"
PPPoE session creation failures example-2
 Tunnel group in shutdown.
086 2009/02/03 13:23:03.36 GMT WARNING: PPPOE #2001 Base PPPoE session failure
"PPPoE session failure on SAP 1/1/1:1 in service 99999 - Cannot connect L2TP: configuredTunnelGroupIsShutdown"
configure router l2tp group MyProvider2 no shutdown
Remark
 Tunnel in shutdown when new session is setup.
– Failure code returned is “L2TP invalid parameter”
– Will be changed in upcoming maintenance release to more intuitive error.
 Tools tunnel Stop <> tunnel shutdown . Shutdown on a configured tunnel indicates that
the configured tunnel should not be taken to create new instances. It doesn’t have
influence on existing tunnel instances ( sessions).
Wholesale-retail
L2TP : Hello-timer
 RFC : A keep-alive mechanism is employed by L2TP in order to differentiate
tunnel outages from extended periods of no control or data activity on a
tunnel.
 RFC: Accomplished by injecting Hello control messages after a specified period

of time has elapsed since the last data or control message (ZLB not included)
was received on a tunnel. LNS
Hello
 Hello packets are used as L2TP tunnel keep-alive packets ZLB
Hello
 Default : No hello. ZLB Example
1s
Hello
Example ZLB
Overwrites group level
Configure router l2tp 60s
timer of 3333 and send Hello
group "MyProvider1" every 60 seconds a ZLB
hello-interval 3333 hello
tunnel "MyTunnel1"
Hello
hello-interval 60
ZLB
 7x50 will use optimisation as in the RFC and will not initiate hello’s if
session control traffic is handled over this tunnel.***
Wholesale-retail
L2TP : idle-timeout
Question :
 Can we setup a tunnel prior without a trigger from a client?
 Yes , we can use a tools command or auto-establish command.
Question :
 What happens if the last session of a tunnel is removed?
1. The tunnel stays up but goes to state established-idle group "MyProvider1"
=> Default configuration idle-timeout infinite

2. The tunnel is brought down immediately group "MyProvider1"
idle-timeout 0

3. The tunnel stays up for well defined time of max 1H group "MyProvider1"
idle-timeout 3600
Wholesale-retail
L2TP : idle-timeout
 Example idle-time-out 10s Configure router l2tp

group "MyProvider1"
idle-timeout 10

===============================================================================
L2TP Tunnel Status
===============================================================================
Connection ID : 512294912
State : closed
IP : 0.0.0.0
Peer IP : 192.4.1.2
Name : MyLac1
Error Message : idle timeout (10 seconds) expired

Preference : 50
Hello Interval (s): 3333
Idle TO (s) : 10 Destruct TO (s) : 15
Time Established : 02/20/2009 15:11:30 Time Closed : 02/20/2009 15:11:40
Stop CCN Result : generalReq General Error : noError
1) Drain peer
Purpose : Don’t create new sessions for a destination but the leave the current
sessions intact. 192.4.1.2
tunnel group MyProvider1
Example : Maintenance required on MyTunnel1 2 stable sessions
LAC
 Tunnel group MyProvider1 has 2 peers. Provider1
 2 sessions are setup over MyTunnel1 MyTunnel2

192.4.2.2

tunnel "MyTunnel1"
show router l2tp tunnel auto-establish
========================================================= peer 192.4.1.2
Conn ID Loc-Tu-ID Rem-Tu-ID State Sessions
no shutdown
Group
Assignment exit
--------------------------------------------------------- tunnel "MyTunnel2"
700645376 10691 65534 established 2 auto-establish
MyProvider1 peer 192.4.2.2
MyTunnel1 no shutdown
81461248 1243 65533 establishedIdle 0
exit
MyProvider1
MyTunnel2
1) Drain peer CON’T
 Put Mytunnel1 in drain so NO new sessions will be selected over MyTunnel1
tools perform router l2tp peer 192.4.1.2 [no] drain

192.4.1.2
2 stable sessions
LAC
Provider1
MyTunnel2
 The extra session will select now MyTunnel2 new sessions

192.4.2.2
show router l2tp tunnel
=========================================================
Group
Assignment
---------------------------------------------------------
700645376 10691 65534 draining 2
MyProvider1
MyTunnel1 State will change to drained
81461248 1243 65533 established 1 after all sessions are
MyProvider1 released over this peer
MyTunnel2 192.4.1.2
1) Drain peer CON’T
 Draining indication in command show router l2tp peer 192.4.1.2

show router l2tp peer 192.4.1.2
 New session over other =====================================================
Peer IP: 192.4.1.2
tunnel not shown here. =====================================================
Role : LAC Draining : true
Tunnels : 1 Tunnels Active : 1
Sessions : 2 Sessions Active : 2
Unreachable : false Time Unreachable : N/A
Remark =====================================================
 Drained peer is not Group
Assignment
selected as last resort in -----------------------------------------------------
700645376 0691 65534 draining 2
case MyTunnel2 is not MyProvider1
available. MyTunnel1
-----------------------------------------------------
No. of tunnels: 1
2 2009/02/04 12:20:09.93 GMT WARNING: PPPOE #2001 Base PPPoE session failure
"PPPoE session failure on SAP 1/1/1:1 in service 99999 - [00:00:64:06:03:02,1,user3@skynet.be] L2TP session
closed: noTunnelAvailable"
2) Drain Tunnel group
Purpose : Don’t create new sessions for a complete tunnel group but the leave
the current sessions intact. 192.4.1.2
Example : 2 stable sessions
LAC
 Tunnel group MyProvider1 has 2 peers. Provider1
 2 sessions are setup over MyTunnel1 MyTunnel2

192.4.2.2

tunnel "MyTunnel1"
show router l2tp tunnel auto-establish
========================================================= peer 192.4.1.2
no shutdown
Group
Assignment exit
--------------------------------------------------------- tunnel "MyTunnel2"
700645376 10691 65534 established 2 auto-establish
MyProvider1 peer 192.4.2.2
MyTunnel1 no shutdown
exit
MyProvider1
MyTunnel2
2) Drain Tunnel group CON’T
 Put group MyProvider1 in drain so no new sessions will be selected to this ISP.
tools perform router l2tp group MyProvider1 [no] drain
192.4.1.2
 Impossible to create NEW sessions anymore
2 stable sessions
towards Provider1. LAC
Provider1
 Question : When will this be used ? MyTunnel2
show router l2tp group 192.4.2.2

======================================== NO new sessions
L2TP Groups
========================================
Group Name State Tunnels Sessions
----------------------------------------
MyProvider1
drain 2 2
MyProvider2 State will change to drained
active 0 0 after all sessions are
--------------------------------------- released over this peer
No. of L2TP Groups: 2 192.4.1.2
Agenda

a) General

b) RADIUS
Tunnel selection aka tunnel loadbalancing
 Find a Tunnel-group.
 Connect to a tunnel in the tunnel-group with the numeric lowest preference.
 If more than one tunnel with same preference exists than 2 CLI options :
1) session-assign-method (Alc-Tunnel-Algorithm ) = existing-first ( DEFAULT )

group "MyProvider1” RADIUS users
session-assign-method existing-first
tunnel "MyTunnel1" Tunnel-Server-Endpoint = 192.4.1.2,
peer 192.4.1.2 Alc-Tunnel-Algorithm = existing-first
exit
tunnel "MyTunnel2“
2) session-assign-method (Alc-Tunnel-Algorithm ) = weighted

group "MyProvider1” RADIUS users
session-assign-method weighted
tunnel "MyTunnel1" Tunnel-Server-Endpoint = 192.4.1.2,
peer 192.4.1.2 Alc-Tunnel-Algorithm = weighed-access
exit
tunnel "MyTunnel2“
…
Tunnel selection aka tunnel loadbalancing
1. session-assign-method (Alc-Tunnel-Algorithm ) = existing-first (DEFAULT)

 If a tunnel already exists and is not full then this one is taken.
 else select next tunnel that already and is not full
 else select not pre-signaled that is not full yet.
 else move to next lower preference level and repeat steps ( higher preference value).
 Example next slide.
2. session-assign-method (Alc-Tunnel-Algorithm ) = weighted
 If for one of destinations no tunnel exists yet : this one is tried first.
 else select pre-signaled tunnel which has the lowest relative filling level.
 else move to next lower preference level and repeat steps ( higher preference value).
 Example next slide
!!! Tunnel 5min* removed from selection on unsuccessful setup. (Unreachable)
Tunnel selection aka tunnel load balancing auto-establish
No auto-establish
1) session-assign-method existing-first
 Animation example Preference 10 Pools

MyTunnel1 session-limit=2 192.168.60.2
Preference 20
L2TP group MyProvider1
3)Conn
1)Conn
0)Conn
2)Conn ID
4)Conn
5)Conn
6)Conn ID Loc-Tu-ID Rem-Tu-ID
Loc-Tu-ID Rem-Tu-ID State
State Sessions
Sessions
Group
Group
 Show router l2tp Assignment
Assignment
tunnel --------------------------------------------------------
--------------------------------------------------------
-------------------------------------------------------
402980864
402980864 6149
6149 65534
65534 established
established
establishedIdle 2
1
0
2
6149 65534 established
MyProvider1
MyProvider1
MyTunnel1
MyTunnel1
181796864
181796864 2774
2774 65534
65534 establishedIdle
established
established 0
1
MyProvider1
MyProvider1
MyTunnel2
MyTunnel2
350027776 5341
5341 65534
65534 established
established 1
2
MyProvider1
MyTunnel3
926744576 14141 65534 established 1
MyProvider1
MyTunnel4 Animated
slide
Tunnel selection aka tunnel load balancing auto-establish
No auto-establish
2) session-assign-method weighted
 Animation example Preference 10 Pools

Preference 20
L2TP group MyProvider1
4)Conn
1)Conn
5)Conn
Conn
6)Conn
2)Conn
3)ConnIDID Loc-Tu-ID Rem-Tu-ID
Rem-Tu-ID
Loc-Tu-ID State
State Sessions
Sessions
Sessions
 Show router l2tp Group
Assignment
Assignment
tunnel -----------------------------------------------------
441712640 6740 65525 established
establishedIdle 12
0
MyProvider1
MyProvider1
MyTunnel1
established 0
MyProvider1
MyProvider1
MyTunnel2
260636672 3977 65531 established 2
1
MyProvider1
MyProvider1
MyTunnel3
367198208 5603 65531 established 1
MyProvider1 Animated
MyTunnel4 slide
Tunnel selection aka tunnel load balancing
Conclusion : existing-first versus weighted Animated slide
Preference 50
Preference 50
 4 tunnels with same pref. MyTunnel1 session-limit
session-limit=4000
MyTunnel1 1000
 1000 sessions MyTunnel2 session-limit

MyTunnel2 session-limit=3000
1000
x1000
x1000
MyTunnel3 session-limit
1000
 Compare
MyTunnel4 session-limit
1000
 Excisting-first <> weighted
Excisting-first : fill tunnel until the maximum. Weighted : loadbalance in a weighted fashion
1)Conn ID Loc-Tu-ID Rem-Tu-ID State Sessions 1)Conn ID Loc-Tu-ID Rem-Tu-ID State Sessions
Group Group
Assignment Assignment
--------------------------------------------------- -----------------------------------------------
441712640 6740 65525 established 1000 441712640 6740 65525 established 400
250
MyProvider1 MyProvider1
MyTunnel1 MyTunnel1
542310400 8275 65525 establishedIdle 0 542310400 8275 65525 established 300
250
MyTunnel2 MyTunnel2
250
MyTunnel3 MyTunnel3
250
MyTunnel4 MyTunnel4
Agenda

a) General

b) RADIUS
Understanding Tunnel-id / Session-id
 L2TPv2 Sending PPP frames over L2TP tunnels

0 8 16 31
T L x x S x O P x x x x Ver Lenght
16-bit Tunnel-ID 16-bit Session-ID
Ns Nr
Offset Size Offset Pad…
 L2TPv3
 Transition from a 16-bit Session ID and Tunnel ID to a 32-bit Session ID and
Control Connection ID, respectively. ( 32-bit session-id not shown here).
0 8 16 31
32-bit Control Connection ID
Understanding Tunnel-id / Session-id CON’T
 The L2TP header contains a 16bit tunnel-id and a 16bit session-id
 Random generated on setup and communicated via the tunnel/session AVP.

L2TP LAC LNS
Assigned tunnel-id AVP SessionId TunnelId SCCRQ L2TP
2086 0000 0000
TunnelId SessionId Assigned tunnel-id AVP

L2TP SCCRP
2086 0000 65532
AVP’s SessionId TunnelId SCCCN

0000 65532
L2TP
Assigned sessionl AVP SessionId TunnelId

47516 0000 65532
ICRQ L2TP
TunnelId SessionId Assigned session AVP

L2TP ICRP 2086 47516 65532
AVP’s SessionId TunnelId

ICCN
65532 65532
Assigned tunnel-id 2086 Assigned tunnel-id 65532

Assigned session-id 47516 Assigned session-id 65532
LAC
7x50 Wholesale-Retail L2TP implementation. Assigned tunnel-id 2086
Assigned session-id 47516
LNS
Assigned tunnel-id 65532
 LAC tunnel display command Assigned session-id 65532
show router l2tp tunnel

===================================================
Group
Assignment
---------------------------------------------------show router l2tp tunnel detail
136708096 2086 65532 established 1 ========================================================
MyProvider1 L2TP Tunnel Status
MyTunnel1 ========================================================
State : established
…
…
 LAC session display command

================================================================
show router l2tp session detail
L2TP Session Summary
============================================================
================================================================
L2TP Session Status
ID Control Conn ID Tunnel-ID Session-ID State
============================================================
---------------------------------------------------------------
136755612 136708096 2086 47516 established
State : established
…
Control Conn ID : 136708096 Remote Conn ID : 4294770684
Session ID : 47516 Remote Session ID : 65532
…
 Log 99 uses the 32 Bit Connection-ID’s
24 2000/12/17 08:19:05.46 GMT WARNING: SVCMGR #2500 Base Subscriber created

"Subscriber MySubMyProvider1 has been created in the system“

"State of L2TP session 1:136755612 changed to waitTunnel configuration modified“

"State of L2TP tunnel 1:136708096 changed to waitReply configuration modified“

"State of L2TP tunnel 1:136708096 changed to established configuration modified“

"State of L2TP session 1:136755612 changed to waitReply configuration modified“

"State of L2TP session 1:136755612 changed to established configuration modified"
LAC
LNS
show router l2tp tunnel Assigned session-id 65532
 (Remote) Tunnel-ID --> (Remote) Tunnel Connection ID

 2086 * 65536 = 136708096 (Remote) : 65532 * 65536 = 4294705152
31 16 15 0 31 16 15 0
Tunnel-ID 2086 Conn ID 2086
 Tunnel-ID -> Control Connection ID

 2086*65536 = 136708096
 (Remote) Connection ID = (Remote) Control Connection ID + (Remote) Session-ID
 ( 2086 * 65536) + 47516 = 136755612 (Remote): The same…
31 16 15 0
Conn ID 2086 47516
LAC
LNS
show router l2tp tunnel Assigned session-id 65532
 Conn ID = 16bit Tunnel-ID converted to 32bit. (x65536)
 Remote Conn ID = 16bit remote Tunnel-ID converted to 32bit. (x65536)
 ID = Control Conn ID + Session-ID
 Control Conn ID = 16bit Tunnel-id converted to 32bit (x65536)
show router l2tp session detail
 Connection ID = Control Conn ID + Session-ID
 Control Conn ID = 16bit Tunnel-id converted to 32bit (x65536)

 Remote Conn ID = (16bit remote Tunnel-ID converted to
32bit(x65536)) + remote session ID
Agenda

a) General

b) RADIUS
Security : Tunnel Authentication : Shared Secret : Successful
 L2TP authentication is optional.
 There are 2 ways to be sure that we setup the tunnel to the desired LNS.
 Shared Secret ( based on CHAP RFC 1994)
 Hostname Check
1) Shared secret between LAC and LNS

group MyProvider1
Group level challenge always [no] challenge always*
password MySecret
tunnel "MyTunnel1"
challenge always [no] challenge always | never
Tunnel level password MySecret
Radius Attributes
Tunnel-Password MySecret
Alc-Tunnel-Challenge always
Security : Tunnel Authentication : Shared Secret : Successful
 Trace example with uni-directional Challenge from LAC

 N2X currently does not support the sending of a Challenge.
LAC LNS
Challenge-1
SCCRQ
MySecret
Challenge AVP
MySecret MD5
MD5
Hash= Challenge response
SCCRP
Hash = ? Challenge response AVP Challenge-2
Challenge AVP
MySecret MySecret
MD5 SCCCN MD5
Challenge response AVP

Hash= Challenge response Hash = ?
Security : Tunnel Authentication : Host-name : Successful
2) Hostname Check
 If remote-name is configured and the hostname-AVP is received from the
LNS than it should be the same to authenticate tunnel.
MyLac1 SCCRQ AVP Hostname MyRemoteLns1

MyLac1
SCCRP
AVP Hostname
Configure router l2tp MyRemoteLns1
group MyProvider1
local-name "MyLac1"
tunnel "MyTunnel1"
local-name "MyLac1" Show router l2tp tunnel … detail
remote-name MyRemoteLns1
State : establishedIdle
Radius Attributes IP : 0.0.0.0
Peer IP : 192.4.1.2
Tunnel-Client-Auth-Id MyLAC1 Name : MyLac1
Tunnel-Server-Auth-Id MyRemoteLns1 Assignment ID : MyTunnel1
Error Message : N/A
Security : Tunnel Authentication : Unsuccessful
 No difference in error-code if shared secret or remote-name is wrong.
 STOPCCN : requestorIsNotAuthorized
MyWrongSecret
MySecret
MyWrongRemoteLns2
MyLac1 SCCRQ
AVP Challenge
Configure router l2tp Value-a
group MyProvider1 AVP Hostname
tunnel "MyTunnel1" MyLac1
challenge always
secret password MySecret SCCRP
local-name "MyLac1" AVP ChallengeResponse
Value-b
remote-name MyRemoteLns2
AVP Hostname
MyWrongRemoteLns2
StopCCN
AVP ResultCode
requestorIsNotAuthorized
ZLB
 Can we debug only STOPCCN’s ? Next …
Security : Tunnel Authentication : Unsuccessful …End
Debugging
 debug router l2tp event stop-control-connection-notification

215 2000/12/16 09:20:08.45 GMT MINOR: DEBUG #2001 Base L2TP(v2)
"L2TP(v2): UDP src 172.16.0.12:1701 dst 192.4.2.2:1701
connection 872480768 (tunnel-id 13313)
result-code=requestorIsNotAuthorized"
 Log 99
Log 99
"State of L2TP tunnel 1:305987584 changed to waitReply configuration modified"

"State of L2TP tunnel 1:305987584 changed to closed configuration modified"
 Tunnel statistics
show router l2tp statistics
…
Failed Auth : 1
…
Security : AVP hiding
What are Attribute Value Pairs : AVP
 To maximize extensibility while still permitting interoperability, a uniform

method for encoding message types and bodies is used throughout L2TP.
 AVP header Format

Mandatory (M) bit : If the M bit is set on an unrecognized AVP within a message associated
with a particular session, the session associated with this message MUST be terminated.
Hidden (H) bit: Identifies the hiding of data in the Attribute Value field of an AVP. This capability
can be used to avoid the passing of sensitive data, such as user passwords, as cleartext in an AVP.
The H bit MUST only be set if a shared secret exists between the LAC and LNS. The shared secret is
the same secret that is used for tunnel authentication.
If the H bit is set in any AVP(s) in a given control message, a Random Vector AVP must also be
present in the message and MUST precede the first AVP having an H bit of 1.
Any vendor wishing to implement their own L2TPextensions can use their own Vendor ID
along with private Attribute values. Vendor-ID=0 means that the standard AVP’s are used.
0 6 16 31
M H rsvd Length Vendor ID

Attribute Type Attribute Value
http://www.iana.org/assignments/l2tp-parameters
Security : AVP hiding Con’t
• challenge response
 CLI related * • assigned session-id
• called number
• calling number
• None of the AVP’s gets hidden. • ALL LCP AVP’s
• All proxy authenticate related AVP’s
configure router l2tp

group MyProvider1
[no] avp-hiding sensitive | always • All AVP’s that ,
tunnel MyTunnel1 [no] avp-hiding never|sensitive|always according RFC 2661
can be hidden, are
hidden.
 Radius
Radius Attribute ( 7.0R2 naming)
Alc-Tunnel-AVP-Hiding-Level nothing(0) , sensitive(1) , always(2)
 Remark : Enabling of AVP-hding without password configured is rejected.

config router l2tp group MyProvider1 tunnel MyTunnel1 avp-hiding always
MINOR: L2TP #4003 password is required
Security : AVP hiding …End
M H RSVD Length Vendor-ID Type Value
M H RSVD Length Vendor-ID Type Length Value +padding
LAC LNS Encrypted

Random-vector
MySecret MySecret
Attribute-nbr
MD5
- Random-vector
- Hidden AVP
Hash
Unhidden-AVP
Length + value XOR Hash
Wholesale-retail
Security : IP-FILTERS …End
 All IP type filters are extended with protocol l2tp

 management-access-filter
 ip-filter
 cpm-filter
entry 1 create
action drop
match protocol udp
dst-port 1701 65535
src-port 1701 65535
exit
exit
entry 1 create
action drop
match protocol l2tp
exit
exit
Wholesale-retail
Security : Anti-spoof table …End
 “show filter anti-spoof” replaced by “show service id <svc-id> subscriber-hosts”
 Anti-spoof is based on MAC Address and PPPoE-SID ( iso IP) for L2TP
show service id 99999 subscriber-hosts

===============================================================================
Subscriber Host table
===============================================================================
Sap IP Address MAC Address PPPoE-SID Origin
Subscriber Fwding state
-------------------------------------------------------------------------------
1/1/1:1 0.0.0.0 00:00:64:06:01:02 1 PPPoE
user1@skynet.be Fwding
1/1/1:1 0.0.0.0 00:00:64:06:02:02 1 PPPoE
user2@skynet.be Fwding
show service id 99999 pppoe session

===============================================================================
===============================================================================
-------------------------------------------------------------------------------
1/1/1:1 00:00:64:06:01:02 1 0d 00:09:12 78194530 L2TP
1/1/1:1 00:00:64:06:02:02 1 0d 00:09:12 78248330 L2TP
-------------------------------------------------------------------------------
Security : HW Requirements
IOM3 required for L2TP support : Outgoing traffic
 If Next-Hop interface of L2TP peer is a port that is not part of an iom3-xp or

IMM.
1223 2000/01/01 15:40:04.75 GMT WARNING: PORT #2036 Base Port

"A functionality is required from port 1/1/9 that it cannot support - next-hop of
192.4.1.2 is not on an IOM that supports L2TP"
show log event-control port

=======================================================================
Log Events
=======================================================================
Application
ID# Event Name P g/s Logged Dropped
-----------------------------------------------------------------------
…
2036 tmnxPortUnsupportedFunction WA gen 1 0
…
Security : HW Requirements
IOM3 required for L2TP support : Incoming traffic
 If there is a rerouting in the network which forces incoming traffic on an NON-

IOM3 card than all this traffic ( control and data ) is forwarded to the CPM.
 Configure router L2TP no shutdown will populate L2TP capable and non-capable
interfaces. This list will be consulted from the moment we enable protocol
protection.
configure system security cpu-protection protocol-protection
show system security cpu-protection protocol-protection
===========================================================
Interfaces where packets are dropped by protocol-protection
===========================================================
Interface-name Router-Name Drop-Count
-----------------------------------------------------------
Non-iom3-to-lns base 1001
 Not possible to check on non-distributed SIM setup.
QoS: Source-Generated-Traffic settings for PPPoE / L2TP … End
 Downstream dot1p can be set for PPPoE control traffic [ default 7 ]

 configure router sgt-qos application pppoe dot1p 5 [0..7]
 configure service vprn <service-id> sgt-qos application pppoe dot1p5 [0..7]
*A:pe2.lab# show router sgt-qos application

=================================================
Dot1p Application Values 6.0
=================================================
-------------------------------------------------
arp none none
isis none none
pppoe 5 none
 L2TP control traffic.

 configure router sgt-qos application l2tp dscp x (default DSCP = 0x30 nc6)
 P-bit used in L2TP header is currently not used and always set to zero.
Agenda

a) General

b) RADIUS
d) Miscellaneous (Wireshark , N2X , ….) Miscellaneous (Wireshark , N2X , ….)
.../raddb/clients.conf
How are the different ESM objects communicated by RADIUS client 172.16.0.21 {
server ? secret = WhoIsThere
shortname = A1
nastype = other
 Standard RADIUS attributes }
client 172.16.0.22 {
secret = WhoIsThere
 framed-ip-address [8], framed-ip-netmask [9], NAS-identifier shortname = A2
nastype = other
[32], NAS-port [87] }
client 172.16.0.11 {
 Vendor specific attributes (VSAs) secret = WhoIsThere
shortname = PE1
nastype = other
 Alcatel IPD – using Timetra vendor-id [6527] – see IPD RADIUS }
client 172.16.0.12 {
dictionary secret = WhoIsThere
shortname = PE2
 JUNIPER & REDBACK attributes – relevant VSAs to ease migration nastype = other
}
/var/local/etc/raddb/dictionary
$INCLUDE /usr/local/etc/raddb/dictionary
$INCLUDE /usr/local/etc/raddb/DSL-forum_dictionary
/var/local/etc/raddb/users
"ISAM1 eth 1/11" Auth-Type := Local, User-Password == "LetMeIn"

. . . . . . .
 Mandatory in RADIUS ACCESS REQUEST (as in previous Releases)

 User-Name, attribute 1 CLI-knob
– MAC
– Circuit-id
– Tuple ( concatenation of MAC & Circuit-id )
– Ascii-converted-circuit-id
– Ascii-converted-tuple
 User-Password, attribute 2
 NAS IP address , attribute 4
– Will be system-id of node.
 Service-Type, attribute 6
– Needs to be “Framed” if returned by Radius
 Framed-Protocol, attribute 7
– Needs to be “PPP” if returned by Radius
 Optional in RADIUS ACCESS REQUEST CLI-knob
 Access-loop-options , DSL-forum VSA

– Actual data rate Upstream (129)
– Actual data rate Downstream (130)
– Minimum data rate Upstream (131)
– Minimum data rate Downstream (132)
– ....
– Access loop encapsulation (144) 30 PPPoA - PPP over ATM
31 PPPoEoA - PPP over Ethernet over ATM
 Circuit-id , DSL-forum VSA (2) 32 PPPoEoE - PPP over Ethernet over Ethernet
33 PPPoEoVLAN - PPP over Ethernet over VLAN
 Remote-id , DSL-forum VSA (1) 34 PPPoEoQinQ - PPP over Ethernet over 802.1QinQ
 MAC-address ,Alcatel-Lucent VSA (27)
 PPPoE-service-name , Alcatel-Lucent VSA (35)
 NAS-identifier , attribute 32
 NAS-port-id
– nas-port-id , attribute 87 (with possible extended nas-port-id format)
– nas-port-type , attribute 61
 DHCP-vendor-class-id
 Calling-station-id ( Any 64 chars string configured under the SAP )
Optional Radius returned attribute “user-name” now correct accepted.
 This user-name is optional forwarded to accounting.
 Users file : user1@skynet.be Auth-Type := Local, User-password == "password13"
user-name = "USER1@SKYNET",
Alc-Subsc-ID-Str = “My Subscriber1",

show service id 99999 pppoe session detail
=================================================
Sap Id Mac Address Sid
-------------------------------------------------
1/1/1:1 00:00:64:09:01:04 1

Strings Origin : None 647 2009/03/20 12:59:32.21 Base RADIUS
"RADIUS: Transmit
Accounting-Request(4) 10.2.79.79:1813
Subscriber : “My Subscriber1" STATUS TYPE [40] 4 Interim-Update(3)
….. NAS IP ADDRESS [4] 4 172.16.0.12
Radius User-Name : USER1@SKYNET.BE USER NAME [1] 16 USER13@SKYNET.BE
Radius Tunnel Configuration : Several possibilities
2. RADIUS returns all required parameters without tunnel-group.

 Operational TG created with name equal to “default_radius_group”
3. RADIUS returns all required parameters + Tunnel-Assignment-Id:0 (7.0R2)
 Operational TG created with name equal to the Radius standard attribute Tunnel-
Assignment-Id:0 ( 7.0R2)
Remark :
• When Radius returns the tunnel-group it should always point to a CLI created group and
any other Radius returned L2TP parameters is ignored. All other required info to setup the
tunnel should come than from CLI.
Agenda

a) General

b) RADIUS
Description
Option 2A RADIUS PADI CIRCUIT-ID
Option 2B RADIUS PADI MAC
Option 2C RADIUS PAP/CHAP
Option 2D RADIUS PAP/CHAP + LUDB PRE-AUTHENTICATION
Next
Option 2A : RADIUS PADI
Radius returns to a CLI created LT2P group
Wholesale-retail
option 2A PADI + circuit-id
 Auth policy added.
 Radius : circuit0 Auth-Type := Local, User-Password == "LetMeIn"

Alc-Subsc-ID-Str = "Radius-MySubMyProvider1"
*A:pe2.lab# authentication-policy "knock-knock" create

subscriber-interface "MySubItf1" create password "LetMeIn"
group-interface "MyGrpItf1" create router "Base"
sap 1/1/1:1 create exit
def-sub-profile "DefSubProfile" pppoe-access-method padi
def-sla-profile "DefSlaProfile" include-radius-attribute
sub-ident-policy "sub_ident_all" circuit-id
multi-sub-sap 2000 remote-id
no shutdown nas-port-id
exit nas-identifier
calling-station-id "MyCallingStationId" pppoe-service-name
exit dhcp-vendor-class-id
pppoe access-loop-options
session-limit 10 mac-address
sap-session-limit 10 calling-station-id
user-db "MyLudb1" exit
no shutdown exit
exit
exit
exit
no shutdown
Wholesale-retail
 N2X does not support the ADSL forum attributes !!

PAP
LAC RADIUS
PAP Aggregation LNS

(optional)
BSAN

,PPPoE tag: option: 0x101, 0x103 ,0x108 cid=circuit0 Access Request
user-name [1] circuit0 cidentry
 Alc-Tunnel-Group
PADO, Session ID: 0x0000 Access accept  Alc-Subsc-ID-Str
Discovery stage

PPPoE tag: option: 0x101,0x102, 0x103, 0x104,0x108
accounting Response
Assigned session ICRQ
Call Srial Number
Calling Number CDN
Vendor ADSL Forum : AgentcCircuitId ZLB
PADT
show router l2tp statistics result-code: "disconnectedSeeErrorCode“

======================================== error-code: "vendorSpecificErrorInLac error-msg: "Bad ICRQ Packet“
Tunnels Sessions
----------------------------------------
Total : 3 Total : 4
Failed : 0 Failed : 4
Failed Auth : 0
Active : 1 Active : 0
Wholesale-retail
 Setup N2X user3 temporary with cid “circuit0” to show failure case.
 PPPoE client LNS
Option 2B : RADIUS PADI
Wholesale-retail
Option-2B : Authentication via Radius PADI with user-name-format MAC
PAP
LAC RADIUS
PAP Aggregation LNS

(optional)
BSAN

,PPPoE tag: option: 0x101, 0x103 Access Request
user-name [1] 00:00:64:06:01:02 MAC-entry
PADO, Session ID: 0x0000 Access accept  Alc-Subsc-ID-Str
Discovery stage

accounting Response
ICRQ
PADS, Session ID: 0x0001 ICRP
ZLB
ICCN
ZLB
Session stage :

PAP Authentication request
PAP Authentication Ack
Wholesale-retail
PAP
LAC RADIUS
PAP Aggregation LNS

(optional)
BSAN

Session stage :

IPCP

LCP Echo Request

Keep-alive
LCP Echo Reply

Optional
LCP Echo Request
LCP Echo Reply

LCP Terminate Ack

PADT
Terminate
session
PADT
ZLB

accounting Response
Wholesale-retail
 Authentication policy under the

group interface. *A:pe2.lab#
 No LUDB under PPPOE address 192.168.50.254/24

authentication-policy "knock-knock"
sap 1/1/1:1 create
sub-sla-mgmt
multi-sub-sap 2000
no shutdown
exit
exit
pppoe
session-limit 10
no shutdown
exit
exit
exit
no shutdown
Wholesale-retail
authentication-policy "knock-knock" create
 LT2P group MyProvider1 description "RADIUS policy"
password "LetMeIn"
radius-authentication-server
 Authentication policy router "Base"
server 1 address 10.2.79.79 secret WhoIsThere
exit
 Accounting policy user-name-format mac
pppoe-access-method padi
circuit-id
remote-id
nas-port-id
radius-accounting-policy "GiveMeTheMoney" create nas-identifier
update-interval 5 pppoe-service-name
include-radius-attribute dhcp-vendor-class-id
framed-ip-addr access-loop-options
framed-ip-netmask mac-address
subscriber-id exit
circuit-id exit
remote-id
nas-port-id
nas-identifier
sub-profile
sla-profile
calling-station-id
user-name
auto-establish
exit
peer 192.4.1.2
session-id-format number
no shutdown
use-std-acct-attributes
exit
exit
exit
exit
exit
Wholesale-retail
 Tools RADIUS USER CHECK user 00:00:64:06:01:02
 Radius user file 00:00:64:06:01:02 Auth-Type := Local, User-Password == "LetMeIn"

 tools perform security authentication-server-check server-address

10.2.79.79 user-name “00:00:64:06:01:02”user10@skynet.be
secret "WhoIsThere" password “LetmeIn"
32 2009/03/20 09:37:43.38 GMT MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Transmit
Access-Request(1) 10.2.79.79:1812 id 1 len 63
USER NAME [1] 17 00:00:64:06:01:02
PASSWORD [2] 16 QwF2nHZUV5/AjzFDsVZWhE
NAS IP ADDRESS [4] 4 172.16.0.12
"

"RADIUS: Receive
Access-Accept(2) id 1 len 70 from 10.2.79.79:1812
TUNNEL GROUP [46] 11 MyProvider1
SUBSC ID STR [11] 23 Radius-MySubMyProvider1
"
SUCCESS: Request validated by radius.
Wholesale-retail
 Setup N2X user with mac 00:00:64:06:01:02

==========================================================
 All subscribers on first stage radius ==========================================================
Sap Id Mac Address Sid Up Time P/L2TP-Id Type
----------------------------------------------------------
 Radius users file : 1/1/1:1 00:00:64:06:01:02 1 0d 00:00:32 279467900 L2TP
00:00:64:06:01:02 PPP User-Name

Auth-Type := Local, User-Password == "LetMeIn" : (Not Specified)

Strings Origin : None
Subscriber : "Radius-MySubMyProvider1"
Sub-Profile-String : ""
 Use debug SLA-Profile-String : ""
ANCP-String : ""
Int-Dest-Id : ""

Circuit-Id :
Remote-Id :
Radius Class :
Radius User-Name : 00:00:64:06:01:02
------------------------------------------------------
Wholesale-retail
 Setup N2X user with mac 00:00:64:06:01:02
 PPPoE client LNS
Option 2C : RADIUS PAP-CHAP
Wholesale-retail
Option-2C : Authentication via Radius PAP-CHAP
CHAP
LAC RADIUS
PAP/CHAP Aggregation LNS

(optional)
BSAN

Discovery stage



Session stage :
PPP CHAP Challenge
PPP CHAP response

Access-Request entry
Access-accept
 Alc-Subsc-ID-Str
Lookup CLI for returned
Tunnel Group name
Wholesale-retail
CHAP
LAC RADIUS
PAP/CHAP
Aggregation LNS
(optional)
BSAN

accounting Response
Last Sent LCP confreq ICRQ
Proxy Auth type
ZLB
Proxy Auth name
Proxy Auth Challenge ICCN
Proxy Auth ID ZLB
Proxy Auth Response
PPP CHAP Success
extra AVP because CHAP and

not PAP
Wholesale-retail
CHAP
LAC RADIUS
(optional)
BSAN

Session stage :

IPCP

LCP Echo Request

Keep-alive
LCP Echo Reply

Optional
LCP Echo Request
LCP Echo Reply

LCP Terminate Ack

PADT
Terminate
session
PADT
ZLB

accounting Response
Wholesale-retail
 Authentication policy under the *A:pe2.lab#

group interface. configure service ies 99999
address 192.168.50.254/24
 No LUDB under PPPOE group-interface "MyGrpItf1" create
sap 1/1/1:1 create
sub-sla-mgmt
multi-sub-sap 2000
no shutdown
exit
exit
pppoe
session-limit 10
no shutdown
exit
exit
exit
no shutdown
Wholesale-retail
no password
exit
 Accounting policy pppoe-access-method pap-chap
circuit-id
 User name format N/A remote-id
nas-port-id
nas-identifier
radius-accounting-policy "GiveMeTheMoney" create pppoe-service-name
update-interval 5 dhcp-vendor-class-id
include-radius-attribute access-loop-options
framed-ip-addr mac-address
framed-ip-netmask exit
subscriber-id exit
circuit-id
remote-id
nas-port-id
nas-identifier
sub-profile
sla-profile
calling-station-id
user-name
auto-establish
exit
peer 192.4.1.2
no shutdown
exit
exit
exit
exit
exit
Wholesale-retail
Option-2C : LUDB PRE-AUTH + Radius AUTH PAP-CHAP
 Tools RADIUS USER CHECK user10@skynet.be
 Radius user file user10&skynet.be Auth-Type := Local, User-Password == “password10"

 tools perform security authentication-server-check Alc-Subsc-ID-Str = "Radius-MySubMyProvider1"
server-address 10.2.79.79 user-name user10@skynet.be

secret "WhoIsThere" password "password10"

"RADIUS: Transmit
USER NAME [1] 16 user10@skynet.be
PASSWORD [2] 16 JoRD21.DSJ.46n/cvpMfZE
NAS IP ADDRESS [4] 4 172.16.0.12
"

"RADIUS: Receive
"
Wholesale-retail
 Setup N2X option2C user10@skynet.be

==========================================================
 Radius users file : ==========================================================
----------------------------------------------------------
1/1/1:1 00:00:64:06:08:02 1 0d 00:00:32 911374952 L2TP
 Use debug
SLA-Profile-String : ""
ANCP-String : ""
Int-Dest-Id : ""

Circuit-Id :
Remote-Id :
Radius Class :
Radius User-Name : user10&skynet.be
------------------------------------------------------
Wholesale-retail
Option 2D : LUDB PRE-AUTH +RADIUS PAP-CHAP
Wholesale-retail
Option-2D : LUDB PRE-AUTH + Radius AUTH PAP-CHAP
6.0
 The pado-delay timer part of the pppoe-policy.

 The pppoe-policy sits under the group-interface
 All PPPoE sessions under this group-interface get the same PADO-delay
pe1
Pado-delay = 0 configure subscriber-mgmt

session
pppoe-policy group-1
pado-delay [1..30] deci-sec
Pado-delay = 30
pe2
7.0
 Requirement of having a PADO-delay per user allowing another load sharing.
Wholesale-retail
7.0
 Requirement of having a PADO-delay per user allowing another load sharing.
 Add pado-delay in LUDB and use it in pre-authentication.

pppoe
match-list circuit-id
host "host1" create
host-identification
Circuit-id-A pe1 circuit-id circuit-id-A
exit
session authentication-policy "knock-knock"
pado-delay 30
host "host1" create

Circuit-id-B host-identification
circuit-id circuit-id-A
pe2 exit
pado-delay 0
Opposite configuration
required on pe2
Extra mask type circuit-id can be used
Wholesale-retail
CHAP
LAC RADIUS

(optional)
BSAN

,PPPoE tag: option: 0x101, 0x103 LUDB
PADI, S-MAC 00:00:64:06:08:02,Session ID: 0x0000  match on
Discovery stage
,PPPoE tag: option: 0x101, 0x103  pado delay 3s

X
PADO, Session ID: 0x0000 X Silently drop

From here scenario
LCP Configuration Request is as 0ption-2c

Session stage :
PPP CHAP Challenge
PPP CHAP response

Access-Request entry
Access-accept
Wholesale-retail
CHAP
LAC RADIUS
PAP/CHAP
Aggregation LNS
(optional)
BSAN

accounting Response
Last Sent LCP confreq ICRQ
Proxy Auth type
ZLB
Proxy Auth name
Proxy Auth Challenge ICCN
Proxy Auth ID ZLB
Proxy Auth Response
PPP CHAP Success
Wholesale-retail
CHAP
LAC RADIUS
(optional)
BSAN

Session stage :

IPCP

LCP Echo Request

Keep-alive
LCP Echo Reply

Optional
LCP Echo Request
LCP Echo Reply

LCP Terminate Ack

PADT
Terminate
session
PADT
ZLB

accounting Response
Wholesale-retail
 No Authentication policy under MyGrpItf1 *A:pe2.lab#

 LUDB under PPPOE subscriber-interface "MySubItf1" create
address 192.168.50.254/24
1
 Authentication policy in LUDB no authentication-policy
sap 1/1/1:1 create
sub-sla-mgmt
 LUDB only used for pre-auth. def-sub-profile "DefSubProfile"
multi-sub-sap 2000
no shutdown
exit
exit
*A:pe2.lab# configure subscriber-mgmt pppoe
local-user-db "MyLudb4" create session-limit 10
description "Add text" sap-session-limit 10
pppoe user-db MyLudb4
match-list circuit-id 2 no shutdown
host "host1" create exit
host-identification exit
circuit-id circuit0 exit
exit no shutdown
3 auth-policy knock-knock
pado-delay 30 (ms)
no shutdown
exit Only if match-list is different to username
no shutdown because username will trigger auth-1 and we
exit
can not trigger a second auth via the auth-
policy
Wholesale-retail
no password
exit
 Accounting policy pppoe-access-method pap-chap
circuit-id
remote-id
nas-port-id
nas-identifier
subscriber-id exit
circuit-id
remote-id
nas-port-id
nas-identifier
sub-profile
sla-profile
calling-station-id
user-name
auto-establish
exit
peer 192.4.1.2
no shutdown
exit
exit
exit
exit
exit
Wholesale-retail
 Radius user file user10&skynet.be Auth-Type := Local, User-Password == “password10"

 tools perform security authentication-server-check Alc-Subsc-ID-Str = "Radius-MySubMyProvider1"
server-address 10.2.79.79 user-name user10@skynet.be

secret "WhoIsThere" password "password10"

"RADIUS: Transmit
PASSWORD [2] 16 JoRD21.DSJ.46n/cvpMfZE
NAS IP ADDRESS [4] 4 172.16.0.12
"

"RADIUS: Receive
"
Wholesale-retail

==========================================================
 Radius users file : ==========================================================
----------------------------------------------------------
1/1/1:1 00:00:64:06:08:02 1 0d 00:00:32 911374952 L2TP
 Use debug
ANCP-String : ""
Int-Dest-Id : ""

Circuit-Id :
Remote-Id :
Radius Class :
Radius User-Name : user10&skynet.be
------------------------------------------------------
Wholesale-retail
 Setup N2X user10
Agenda

a) General

b) RADIUS
2. RADIUS
Description
Option 4A RADIUS returns all required parameters without tunnel-group
3. RADIUS
Description
Option 5A RADIUS returns all required parameters + Tunnel-Assignment-Id:0
Next
Option 4A : RADIUS PAP-CHAP
Radius returns all required parameters without tunnel-group
=> default_radius_group created
Wholesale-retail
Option-4A : Authentication via Radius PAP-CHAP : No CLI L2TP configuration
CHAP
LAC RADIUS

(optional)
BSAN

Discovery stage



Session stage :

entry
PPP CHAP Challenge  NO Alc-Tunnel-Group
PPP CHAP response
Access-Request  Tunnel-Type:1 : …
Access-accept Tunnel-Medium-Type:1
Node creates automaticly L2TP Group Tunnel-Server-Endpoint:1
name “default_radius_group” Tunnel-Assignment-Id:1
Wholesale-retail
CHAP
LAC RADIUS
PAP/CHAP
Aggregation LNS
(optional)
BSAN
Select valid tunnel in

“default_radius_group” accounting Request : start
accounting Response
SCCRQ
SCCRP
SCCCN
Last Sent LCP confreq
Proxy Auth type
Proxy Auth name ZLB
Proxy Auth Challenge ICRP
Proxy Auth ID
ICCN
ZLB
PPP CHAP Success
Wholesale-retail
CHAP
LAC RADIUS
(optional)
BSAN

Session stage :

IPCP

LCP Echo Request

Keep-alive
LCP Echo Reply

Optional
LCP Echo Request
LCP Echo Reply

LCP Terminate Ack

PADT
Terminate
session
PADT
ZLB

accounting Response
Wholesale-retail

address 192.168.50.254/24
sap 1/1/1:1 create
sub-sla-mgmt
multi-sub-sap 2000
no shutdown
exit
exit
pppoe
session-limit 10
no shutdown
exit
exit
exit
no shutdown
Wholesale-retail
 Authentication policy description "RADIUS policy"
no password
 Accounting policy router "Base"
exit
pppoe-access-method pap-chap
circuit-id
remote-id
nas-port-id
nas-identifier
subscriber-id exit
circuit-id
remote-id
nas-port-id
nas-identifier
sub-profile
sla-profile
no shutdown
calling-station-id
exit
user-name
exit
exit
exit
Wholesale-retail
 Radius user file user12@skynet.be Auth-Type := Local, User-password == "password12"

Alc-Subsc-ID-Str = "Radius-user12",
 tools perform security authentication-server-check no Alc-Tunnel-Group
Tunnel-Type:1 = L2TP,
server-address 10.2.79.79 user-name user12@skynet.be Tunnel-Medium-Type:1 = IP,
secret "WhoIsThere" password "password12" Tunnel-Server-Endpoint:1 = 192.4.1.2,
Tunnel-Assignment-Id:1 = MyTunnel1,
Authentication-server-check
=============================================================
"RADIUS: Transmit
PASSWORD [2] 16 mvXhBjjEpxshYzek1V7xzE
NAS IP ADDRESS [4] 4 172.16.0.12
"
"RADIUS: Receive
SUBSC ID STR [11] 13 Radius-user12
TUNNEL TYPE [64] 4 1 L2TP(3)
TUNNEL MEDIUM TYPE [65] 4 1 IPv4(1)
TUNNEL SERVER ENDPOINT [67] 10 1 192.4.1.2
TUNNEL ASSIGNMENT ID [82] 10 1 MyTunnel1
"
Wholesale-retail
 Setup N2X option4A user12@skynet.be show service id 99999 pppoe session detail
===================================================
user12@skynet.be PPPoE sessions for svc-id 99999
Auth-Type := Local, User-password == "password12"
===================================================
Alc-Subsc-ID-Str = "Radius-user12", Sap Id Mac Address Sid Up Time IP/L2TP-Id
no Alc-Tunnel-Group ---------------------------------------------------
Tunnel-Type:1 = L2TP, 1/1/1:1 00:00:64:09:01:03 1 0d 00:00:34 188312955
Tunnel-Medium-Type:1 = IP, PPP User-Name : user12@skynet.be
Tunnel-Server-Endpoint:1 = 192.4.1.2,
Tunnel-Assignment-Id:1 = MyTunnel1, Subscriber-interface : MySubItf1

Subscriber : "Radius-user12"
ANCP-String : ""
Int-Dest-Id : ""
TG with name L2TP Group Name : default_radius_group

“default_radius_group created”
Circuit-Id :
Remote-Id :
 Use debug Session-Timeout : N/A

Radius Class :
Radius User-Name : user12@skynet.be
Wholesale-retail
 Setup N2X option4A user12@skynet.be
 Group name default_radius_group was automatically created.

===============================================================================
L2TP Tunnel Status
===============================================================================
State : established
IP : 0.0.0.0
Peer IP : 192.4.1.2
Name : pe2.lab
Group Name : default_radius_group
Error Message : N/A

Preference : 50
Hello Interval (s): infinite
Wholesale-retail
LNS
Selected by LAC
Wholesale-retail
 Problem
 What if tunnel names ( tunnel-Assignment-Id) for different users are not unique ?
user12@skynet.be Auth-Type := Local, User-password == "password12"

no Alc-Tunnel-Group
Tunnel-Medium-Type:1 = IP,

no Alc-Tunnel-Group
Tunnel-Medium-Type:1 = IP,
 Under the group default_radius_group tunnel MyTunnel1 is added ( which one)

 Always use unique Tunnel-Assignments when Radius TG not used.
 Use Special tag 0 for Tunnel-Assignment-Id that becomes the TG. ( 7.0R2 )
2. RADIUS
Description
Option 4A RADIUS returns all required parameters without tunnel-group
3. RADIUS
Description
Option 5A RADIUS returns all required parameters + Tunnel-Assignment-Id:0
Next
7.0R2
Option 5A : RADIUS PAP-CHAP

Radius returns all required parameters without tunnel-group
=> Tunnel-Assignment-Id 0 used in Radius
Wholesale-retail 7.0R2
Option-5A : Authentication via Radius PAP-CHAP : Tunnel-Assignment-Id:0
CHAP
LAC RADIUS

(optional)
BSAN

Discovery stage



Session stage :

entry
PPP CHAP Challenge  Tunnel-Assignment-Id:0 name
PPP CHAP response
Access-Request  Tunnel-Type:1 : …
Access-accept  Tunnel-Medium-Type:1
Node creates automaticly L2TP Group  Tunnel-Server-Endpoint:1
name equal to the name from Tunnel-  Tunnel-Assignment-Id:1
Assignment-Id:0
CHAP
LAC RADIUS
PAP/CHAP
Aggregation LNS
(optional)
BSAN
Select valid tunnel in

group name equal accounting Request : start
tunnel-assignment:0 accounting Response
SCCRQ
SCCRP
SCCCN
Last Sent LCP confreq
Proxy Auth type
Proxy Auth name ZLB
Proxy Auth Challenge ICRP
Proxy Auth ID
ICCN
ZLB
PPP CHAP Success

CHAP
LAC RADIUS
(optional)
BSAN

Session stage :

IPCP

LCP Echo Request

Keep-alive
LCP Echo Reply

Optional
LCP Echo Request
LCP Echo Reply

LCP Terminate Ack

PADT
Terminate
session
PADT
ZLB

accounting Response

address 192.168.50.254/24
sap 1/1/1:1 create
sub-sla-mgmt
multi-sub-sap 2000
no shutdown
exit
exit
pppoe
session-limit 10
no shutdown
exit
exit
exit
no shutdown

 Authentication policy description "RADIUS policy"
no password
 Accounting policy router "Base"
exit
pppoe-access-method pap-chap
circuit-id
remote-id
nas-port-id
nas-identifier
subscriber-id exit
circuit-id
remote-id
nas-port-id
nas-identifier
sub-profile
sla-profile
no shutdown
calling-station-id
exit
user-name
exit
exit
exit
 Tools RADIUS USER CHECK 499 2009/03/20 12:05:41.24 GMT MINOR: DEBUG #2001 Base RADIUS
"RADIUS: Transmit….
user13@skynet.be
"RADIUS: Receive
 Radius user file Access-Accept(2) id 1 len 310 from 10.2.79.79:1812
USER NAME [1] 16 USER13@SKYNET.BE
 tools perform security authentication- SUBSC ID STR [11] 22 Radius-MySubMyProvider
TUNNEL ASSIGNMENT ID [82] 26 MyProvider1_based_on_tag_0
server-check server-address 10.2.79.79 VSA [26] 6 Alcatel(6527)
TUNNEL DESTRUCT TIMEOUT [51] 4 0 60
user-name user13@skynet.be secret TUNNEL CLIENT AUTH ID [90] 26 Radius-returned-local-name
"WhoIsThere" password "password13“ TUNNEL HELLO INTERVAL [50] 4 0 60
TUNNEL MAX RETRIES NOT ESTAB [53] 4 0 2
TUNNEL MAX SESSIONS [48] 4 0 100
 Radius users file contained several TUNNEL MEDIUM TYPE [65] 4 1 IPv4(1)
other attributes. TUNNEL TYPE [64] 4 2 L2TP(3)
TUNNEL PREFERENCE [83] 4 4 10

user-name = "USER13@SKYNET.BE",
Alc-Subsc-ID-Str = "Radius-MySubMyProvider", =========================================
Tunnel-Assignment-Id:0 = "MyProvider1_based_on_tag_0", PPPoE sessions for svc-id 99999
Alc-Tunnel-Destruct-Timeout:0 = 60, =========================================
Sap Id Mac Address Sid IP/L2TP-Id
Tunnel-Client-Auth-Id:0 = Radius-returned-local-name, -----------------------------------------
Alc-Tunnel-Hello-Interval:0 = 60, 1/1/1:1 00:00:64:09:01:04 1 188312955
Alc-Tunnel-Max-Retries-Not-Estab = 2,
Alc-Tunnel-Max-Sessions = 100,
Tunnel-Type:1 = L2TP, Subscriber-interface : MySubItf1
Tunnel-Medium-Type:1 = IP, Group-interface : MyGrpItf1
Tunnel-Server-Endpoint:1 = 192.4.1.2, Subscriber Origin : Radius
Tunnel-Assignment-Id:1 = MyTunnel1, Strings Origin : None
Tunnel-Type:2 += L2TP,
Subscriber : "Radius-MySubMyProvider"
Tunnel-Medium-Type:2 += IP, Sub-Profile-String : ""
Tunnel-Server-Endpoint:2 += 192.4.2.2, SLA-Profile-String : ""
Tunnel-Assignment-Id:2 += MyTunnel2, ANCP-String : ""
Int-Dest-Id : ""
Tunnel-Type:3 += L2TP, App-Profile-String : ""
Tunnel-Medium-Type:3 += IP, Category-Map-Name : ""
Tunnel-Server-Endpoint:3 += 192.4.3.2,
L2TP Group Name : MyProvider1_based_on_tag_0
Tunnel-Assignment-Id:3 += MyTunnel3, L2TP Assignment ID : MyTunnel4
Tunnel-Type:4 += L2TP,
Tunnel-Medium-Type:4 += IP, Session-Timeout : N/A
Radius Class :
Tunnel-Server-Endpoint:4 += 192.4.4.2, Radius User-Name : USER13@SKYNET.BE
Tunnel-Preference:4 += 10,
Tunnel-Assignment-Id:4 += MyTunnel4
 Group name MyProvider1_based_on_tag_0 was automatically created.

===============================================================================
L2TP Tunnel Status
===============================================================================
State : established
IP : 172.16.0.12
Peer IP : 192.4.4.2
Name : Radius-returned-local-name
Group Name : MyProvider1_based_on_tag_0
Error Message : N/A

Preference : 10
Hello Interval (s): 60

LNS
Selected by LAC
Because the lower preference
CLI –RADIUS Overview
CLI L2TP Group Tunnel 7.0R1 radius-name Beta 7.0R1 7.0R2

session-limit √ - - N/A N/A N/A N/A
group-name - √ - Alc-Tunnel-Group U U U
avp-hiding - √ √ Alc-Tunnel-AVP-Hidingsensitive-o T:n Blocked T:0 & T:n
challenge √ √ Alc-Tunnel-Challenge T:n Blocked T:0 & T:n
description - √ √ N/A N/A N/A N/A
destruct-timeout - √ √ Alc-Tunnel-Destruct-Timeout U Blocked T:0 & T:n
hello-interval - √ √ Alc-Tunnel-Hello-Interval U Blocked T:0 & T:n
idle-timeout - √ √ Alc-Tunnel-Idle-Timeout U Blocked T:0 & T:n
local-name - √ √ Tunnel-Client-Auth-Id T:n T:n T:0 & T:n
max-retries-estab - √ √ Alc-Tunnel-Max-Retries-Estab** U Blocked T:0 & T:n
max-retries-not-estab - √ √ Alc-Tunnel-Max-Retries-Not-Estab** U Blocked T:0 & T:n
password - √ √ Tunnel-Password T:n T:n T:0 & T:n
session-assign-method - √ Alc-Tunnel-Algorithm U U U
session-limit - √ √ Alc-Tunnel-Max-Sessions T:n Blocked T:0 & T:n
tunnel-name - - √ Tunnel-Assignment-Id T:n T:n T:n
auto-establish - - √ N/A N/A N/A N/A
peer - - √ Tunnel-Server-Endpoint T:n T:n T:n
preference - - √ Tunnel-Preference T:n T:n T:n
remote-name - - √ Tunnel-Server-Auth-Id T:n T:n T:n
Redback-Juniper VSA’s End
 Supported Redback ( vendor-id 2352) and Juniper ( vendor-id 4874) VSA’s

Redback VSA's:
#define PW_REDBACK_PRIMARY_DNS 1 ipaddr
#define PW_REDBACK_SECONDARY_DNS 2 ipaddr
#define PW_REDBACK_TUNNEL_MAX_SESSIONS 21 integer
#define PW_REDBACK_ADDRESS_POOL 36 string
#define PW_REDBACK_PRIMARY_NBNS 99 ipaddr
#define PW_REDBACK_SECONDARY_NBNS 100 ipaddr
Juniper VSA's:
#define PW_JUNIPER_ADDRESS_POOL 2 string
#define PW_JUNIPER_PRIMARY_DNS 4 ipaddr
#define PW_JUNIPER_SECONDARY_DNS 5 ipaddr
#define PW_JUNIPER_PRIMARY_WINS 6 ipaddr
#define PW_JUNIPER_SECONDARY_WINS 7 ipaddr
#define PW_JUNIPER_TUNNEL_MAX_SESSIONS 33 integer
#define PW_JUNIPER_TUNNEL_GROUP 64 string
Agenda

a) General

b) RADIUS
Wire shark example
 Mirror all Client  LAC and LAC  LNS packets
 Install filter on Wireshark to see only packets related to the PPP protocol.
CONFIDENTIAL – internal use only
N2X : Nice to Know
6.11 N2X LNS does not support PPPoE circuit-id / remote-id in ICRQ
 Sends an CDN with error code: bad ICRQ packet
 The circuit-id & remote-id are NOT Vendor specific AVP’s but ADSL forum AVP’s.
 Wire shark trace from ICRQ and CDN
N2X : Nice to Know
6.11 N2X LNS sends a stop CCN when last PPPoE session is terminated on this tunnel.
 Reply from N2X

 The RFC states : Session teardown may be initiated by either the LAC or LNS and is
accomplished by sending a CDN control message. After the last session is cleared, the
control connection MAY be torn down as well (and typically is).
 Right now, N2X does not allow user-control for whether or not the control connection is
torn down after the last session close.
N2X : Nice to Know
6.11 N2X LNS can not authenticate the tunnel.
 N2X can configure secret but does not include challenge in SCCRQ or SCCRP.
6.11 N2X LNS does not support AVP-hiding

 No current plan to add this on N2X
N2X : Nice to Know
6.11 N2X LNS does not support PAP proxy authentication
 The problem is that when PAP authentication is used, we do not recognize the
proxy values in the ICCN message. Instead of replying with a PAP authentication
message we initiate the LCP negotiation again.
 For proxy authentication the only workaround at the moment is to use CHAP.
 Solved in N2X 6.12
L2TP and LDP-shortcuts : Nice to Know
PTS 554357 ( DTS-RFE 79751)

 L2TP over LDP is currently not supported.
 Routing table towards LNS

IES/VRF IBGP lo=172.16.0.4
FIB Display
=====================================
IES/VRF L2TP tunnel ISP3 ISP3
Prefix Protocol
NextHop LDP LNS3
------------------------------------- 7750 SR PE-edge
192.4.1.2/32 BGP LAC
172.16.0.14 (Transport:LDP) LNS=192.4.1.2
@IP-LNS3/32 ( IBGP) @IP-LNS3/32(BGP
1621 2009/03/10 05:19:33.16 GMT WARNING: PORT #2036 Base Port

"A functionality is required from port /0 that it cannot support -
next-hop of 192.4.1.2 is not on a network interface"
 Design workaround :
 Redistribute on PE-edge the /32 LNS in IGP (OSPF/ISIS).
 Disable LDP-shortcuts on LAC ( if possible).
Receive OCRQ : Nice to Know
DTS 78621
 On reception of an unsupported OCRQ we should send back a CDN
 Today we send back a STOPcc instead.
DTS 79617
 L2TP: downstream data path breaks after applying an egress ip-filter log in the
SLA profile.
 Workaround in 7.0R1 : don’t apply ip-filter in sla-profile for L2TP subscriber.
 Solution in 7.0 maintenance release.
Nice to Know
 Does the NW-side for the Next-Hop towards the l2TP peer needs to be a
network port?
 Yes and the LNS may not be directly connected.
 Can the NW-side also be an IES service and incase yes do we support that this
IES uses spoke-SDP’s to connect the core?
 No
 Is it correct that we cannot setup a tunnel within a VPRN?
 Yes , we can not.
 If the above is correct why do we have in CLI “configure router 200 sgt-qos
application l2tp dscp”.
 CLI is currently not making a distinction between the base router and a VPRN router
instance
8 Customer cases
updated
Customer cases
Overview
RADIUS LUDB Wholesale Testing Deployed

Customer Country PADI PAP/CHAP PADI PAP/CHAP Retail LAC LNS MSAP VRF-selection
Arcor Germany - √ - - - √ √ - √ - -
Brazil Telecom Brazil - √ - - - - - - - - -
Belgacom Belgium - - - - - √ - - √ - -
BT UK - - - - - - - - - - -
BTC Bulgaria. Bulgaria - √ - - - - - - √ √ -
CMCC (China Mobile) China - √ - - √ √ √ √ - √ -
CT (China Telecom) China - √ - - √ √ √ √ - √ -
CU (China Unicom) China - - - - √ √ √ √ - √ -
Etisalat UAE - - - - - - - - - - -
GDS-Libanon Libanon - √ - - - - - √ √ - √
eircom Ireland - √ - - √ √ √ - - - -
Iceland Telecom (Siminn) Iceland - √ - - √ √ - - - - -
Inexus UK - √ √ - √ - - - - - √
MTNL India - √ - - √ √ - - - - -
Oi Brazil - √ - - - - - - - - -
Orange UK - √ - - - - - - - - -
PT lux Luxemburg - √ - - - √ - - - - -
RomTelecom Servie - - - - - √ - - - - -
RpskeTelecom Servie - √ - - - - - - - - -
SrbijaTelecom Servie - √ - - - √ √ - - - -
Telefonica LATAM LATAM - √ - - - - - - - - -
TurkTelecom Turkey - √ - - - √ - - - - -
Unidate Italy - √ - - - √ √ - √ - -
VF-GR Greece - - - - - - √ - - - -
Please mail any updates/remarks on this page to bert.todts@alcatel-lucent.be
9 scalability
updated
Scalability : Number of tunnels per domain aka l2tp group
 L2TP group/domain can have maximum 31 tunnel destinations
group "MyProviderScale1”
tunnel group MyProviderScale1
tunnel "MyTunnel1"
local-address 172.16.0.12
local-name "MyLac1"
peer 192.6.1.2 Provider1
exit
....
tunnel "MyTunnel31"
local-address 172.16.0.12
LAC
local-name "MyLac1"
peer 192.6.31.2
exit
tunnel group MyProviderScale2
group "MyProviderScale2” Provider2
*A:pe2.lab>config>router>l2tp>group# tunnel MyTunnel32

MINOR: L2TP #1001 The maximum number of instances already exist - (max 31 tunnels in group)
Scalability :
 Internal info
Values are correct for local sessions in 7.0R1
Tunneled sessions in 7.0R1 is 32K
Tunneled sessions in 7.0R3 SR-7 is 64K target
Tunneled sessions in 7.0R3 SR-12 is 128K target
SR1 SR7/SR-12 c4/c12
7.0R1 : N/A
7.0R2 : 1K target
7.0R1 : 1K tunnels
7.0R2 : 4K tunnels 7.0R1 : 32K
7.0R3 : 16K tunnels target No current Plans to increase
10 Evolution
new
PPPoE evolution in future releases
 LNS
 LTS ( LNS Tunnel Switch )
 L2TP setup in VPRN context.
 Authentication Fallback scenario( s) when Radius server not available.
 Extendable Authentication Protocol ( EAP) in pass through mode to RADIUS.
 RFC 3579: RADIUS support for EAP
 It is not the idea to locally terminate EAP on the box.
Conclusion
 PADI/PAP/CHAP authentication via LUDB/RADIUS ( service-name/ domain-only …)
 PPPoE Retail
 PPPoE wholesale LAC functionality
 PPPoE wholesale LNS ( Future Release)
 L2TP uplinks require network ports on IOM3/IMM
 L2TP IP-routed ( GRE like) in Base instance.
 L2TP tunnel can be pre-signaled ( auto-establish / tools command)
 L2TP tunnel selection mechanism ( existing-first <> weighted)
 AVP-hiding level configurable.
 Tag:0 for tunnel-assignment supported from Radius (group-name) (7.0R2)
 Setup rates and scaling numbers can compete with the other BRAS vendors.
 Ready for customer deployments !!!!!
Thank You
www.alcatel-lucent.com
PPPoE Related CLI commando’s
 show service id 998 pppoe summary

– Returns only the number of sessions
===============================================================================
PPPoE Summary info for IES svc-id 998
===============================================================================
===============================================================================
 show service id 998 pppoe session

– Returns sap-id , Mac , SID , UP-time , ip@ per session
A:pe2.lab# show service id 998 pppoe session
===============================================================================
===============================================================================
-------------------------------------------------------------------------------
1/1/7 00:00:00:00:00:01 1 0d 00:02:21 192.168.42.1
-------------------------------------------------------------------------------
===============================================================================
 show service id 998 pppoe statistics

A:pe2.lab# show service id 998 pppoe statistics
===============================================================================
PPPoE statistics for IES service 998
===============================================================================
Packet Type Received Transmitted
-------------------------------------------------------------------------------
PADI 1 -
PADO - 1
PADR 1 -
PADS - 1
PADT 0 0
session 9 10
-------------------------------------------------------------------------------
Drop Counters
-------------------------------------------------------------------------------
Rx Invalid Version : 0
Rx Invalid Type : 0
Rx Invalid Code : 0
Rx Invalid Session : 0
Rx Invalid Length : 0
Rx Invalid Tags : 0
Rx Invalid AC-Cookie : 0
Rx Dropped : 0
===============================================================================
 show service id 998 pppoe session session-id 1 mac 00:00:00:00:00:01 detail

===============================================================================
-------------------------------------------------------------------------------
1/1/7 00:00:00:00:00:01 1 0d 00:05:32 192.168.42.1
LCP State : Opened

IPCP State : Opened
PPP MTU : 1000
ANCP-String : ""
Int-Dest-Id : ""
Primary DNS : 138.203.144.51
Secondary DNS : N/A
Primary NBNS : 138.203.144.51
Circuit-Id :
Remote-Id :
-------------------------------------------------------------------------------
 show service id 998 pppoe session session-id 1 mac 00:00:00:00:00:01 statistics

===============================================================================
-------------------------------------------------------------------------------
1/1/7 00:00:00:00:00:01 1 0d 00:09:32 192.168.42.1
Packet Type Received Transmitted
-------------------------------------------------------------------------------
LCP Configure-Request 1 1
LCP Configure-Ack 1 1
LCP Configure-Nak 0 0
Note :
LCP Configure-Reject 0 0
LCP Terminate-Request 0 0 Notice that the 7750 has a LCP echo-request = 0 .
LCP Terminate-Ack 0 0 This means that only the client sends keep alives.
LCP Code-Reject 0 0
LCP Echo-Request 57 0 7750/7710 will rely on the keeplalive from the client
LCP Echo-Reply 0 57
LCP Protocol-Reject 0 0
incase the LCP echo-request from the client comes
LCP Discard-Request 0 0 faster than the configured keepalive transmit (
keepalive/hold-up-multiplier). Optimisation.
-------------------------------------------------------------------------------
PAP Authenticate-Request 0 -
PAP Authenticate-Ack - 0
PAP Authenticate-Nak - 0
-------------------------------------------------------------------------------
CHAP Challenge - 1
CHAP Response 1 -
CHAP Success - 1
CHAP Failure - 0
-------------------------------------------------------------------------------
IPCP Configure-Request 2 1
IPCP Configure-Ack 1 1
IPCP Configure-Nak 0 1
IPCP Configure-Reject 0 0
IPCP Terminate-Request 0 0
IPCP Terminate-Ack 0 0
IPCP Code-Reject 0 0
-------------------------------------------------------------------------------
Unknown Protocol 0 -
-------------------------------------------------------------------------------
 tools dump pppoe sap 1/1/7 session-id 1

==============================================================================
Id : 998,1/1/7,00:00:00:00:00:01,1 ppp unit : 5
==============================================================================
looped back : no dbgMask : 0x0
------------------------------------------------------------------------------
LCP
------------------------------------------------------------------------------
phase : NETWORK state : OPENED
passive : off silent : off
restart : off
mru : 1000 mtu : 1002

ack'd peer mru : 1492
local magic : 0x199cf0b7 peer magic : 0x0
options mru asyncMap upap chap magic pfc

we negotiate Yes No Yes Yes Yes No
peer ack'd Yes No Yes Yes Yes No
we allow Yes No No No Yes No
we ack'd Yes No No No No No
options acfc lqr mrru shortSeq endPoint mlhdrfmt

we negotiate No No No No No No
peer ack'd No No No No No No
we allow No No No No No No
we ack'd No No No No No No
… CONTNUE ON NEXT SLIDE
 tools dump pppoe sap 1/1/7 session-id 1
------------------------------------------------------------------------------
IPCP
------------------------------------------------------------------------------
active : yes state : OPENED
local ip : 192.168.42.254 peer ip : 192.168.42.1

local pri DNS : 0.0.0.0 peer pri DNS : 0.0.0.0
local sec DNS : 0.0.0.0 peer sec DNS : 0.0.0.0
local pri NBNS : 0.0.0.0 peer pri NBNS : 0.0.0.0
local sec NBNS : 0.0.0.0 peer sec NBNS : 0.0.0.0
options addr oldAddr reqAddr vj oldVJ

we negotiate Yes No Yes No No
peer ack'd Yes No Yes No No
we allow Yes No No No No
we ack'd Yes No No No No
options priDns secDns priNbns secNbns

we negotiate No No No No
peer ack'd No No No No
we allow Yes No Yes No
we ack'd No No No No
 tools perform subscriber-mgmt local-user-db ludb-1 pppoe host-lookup user-name user1@domain1
A:pe2.lab# tools perform subscriber-mgmt local-user-db ludb-1 pppoe host-lookup
user-name user1@domain1
===============================================================================
PPPoE host Lookup results
===============================================================================
Result : Success
Matched Host Name : host1
Admin State : enabled

User Name Format : full
PPPoE User Name : user1@domain1
Password Type : chap

Password hash2 : 3wKFRgNfgW.0oL11a5vZ8ZzQ4/uBFHPQ
Subscriber : user1
SLA-Profile-String: sla1
Sub-Profile-String: sub1
IP Address : 192.168.42.1
===============================================================================
A:pe2.lab# tools perform subscriber-mgmt local-user-db ludb-1 pppoe host-lookup

user-name user1@domain2
===============================================================================
PPPoE host Lookup results
===============================================================================
Result : host not found
===============================================================================
 Ludb-1 uses match-list username but host200 has host-identification MAC

*A:pe2.lab# show subscriber-mgmt local-user-db ludb-1 pppoe-unmatched-hosts
==============================================================================
Local User Database "ludb-1" PPPoE unmatched hosts
==============================================================================
Name Reason Duplicate Host
------------------------------------------------------------------------------
host200 No match N/A
------------------------------------------------------------------------------
Number of PPPoE Unmatched Hosts : 1
 Ludb-1 uses match-list username and host200 uses username of host1
*A:pe2.lab# show subscriber-mgmt local-user-db ludb-1 pppoe-unmatched-hosts
==============================================================================
Local User Database "ludb-1" PPPoE unmatched hosts
==============================================================================
Name Reason Duplicate Host
------------------------------------------------------------------------------
host200 Duplicate host1
------------------------------------------------------------------------------
Number of PPPoE Unmatched Hosts : 1
==============================================================================
 show subscriber-mgmt local-user-db
A:pe2.lab# show subscriber-mgmt local-user-db
===============================================================================
Local User Databases
===============================================================================
Name Admin Host Description
State Count
-------------------------------------------------------------------------------
ludb-1 Up 5
ludb-2 Up 1
-------------------------------------------------------------------------------
Number of Local User Databases : 2 Number of Hosts : 6
===============================================================================
• show subscriber-mgmt local-user-db ludb-1 pppoe-all-hosts
A:pe2.lab# show subscriber-mgmt local-user-db ludb-1 pppoe-all-hosts
===============================================================================
Local User Database "ludb-1" PPPoE hosts
===============================================================================
Name Admin Matched objects
State
-------------------------------------------------------------------------------
host1 Up userName
host2 Up userName
host3 Up userName
host14 Up userName
host253 Up userName
-------------------------------------------------------------------------------
Number of PPPoE Hosts : 5
===============================================================================
 show subscriber-mgmt local-user-db ludb-1 pppoe-host host1

A:pe2.lab# show subscriber-mgmt local-user-db ludb-1 pppoe-host host1
===============================================================================
PPPoE Host "host1"
===============================================================================
Admin State : Up
Last Mgmt Change : 03/16/2008 09:29:58
Host Indentification
Mac Address : N/A
Circuit Id : N/A
Remote Id : N/A
User Name : user1@domain1
Matched Objects : userName
Address : 192.168.42.1
Password Type : CHAP
Identification Strings (option 2)

Subscriber Id : user1
SLA Profile String : sla1
Sub Profile String : sub1
App Profile String : N/A
ANCP String : N/A
Inter Destination Id: N/A
Radius Related CLI commando’s
• Returns all authentication policies.
*A:pe2.lab# show subscriber-mgmt authentication
===============================================================================
Authentication Policies
===============================================================================
Name Description
-------------------------------------------------------------------------------
knock-knock RADIUS policy
-------------------------------------------------------------------------------
Number of Authentication Policies : 1
===============================================================================
• Oper-state “unknown” until first access-request to server via this policy.
A:pe2.lab# show subscriber-mgmt authentication knock-knock
===============================================================================
Authentication Policy knock-knock
===============================================================================
Description : RADIUS policy
Re-authentication : No Username Format : Circuit-id
PPPoE Access Method : PADI
Last Mgmt Change : 03/18/2008 13:10:42
-------------------------------------------------------------------------------
Include Radius Attributes
-------------------------------------------------------------------------------
Remote Id : No Circuit Id : No
NAS Port Id : Yes NAS Identifier : No
PPPoE Service Name : Yes DHCP Vendor Class Id : No
Access Loop Options : No MAC Address : No
-------------------------------------------------------------------------------
Radius Servers
-------------------------------------------------------------------------------
Router : Base Source Address : N/A
Access Algorithm : Direct Retry : 3
Timeout : 5
-------------------------------------------------------------------------------
Index IP Address Port Oper State
Status is unknown until
-------------------------------------------------------------------------------
1 10.2.79.79 1812 Unknown first request is send for this policy
===============================================================================
• subscriber packets rejected increased after retries reached
*A:pe2.lab# show subscriber-mgmt authentication knock-knock statistics
===============================================================================
Authentication Policy Statistics
===============================================================================
-------------------------------------------------------------------------------
Policy name : knock-knock
subscriber packets authenticated : 1
subscriber packets rejected : 2
-------------------------------------------------------------------------------
radius server requests requests requests requests requests requests
idx IP-address accepted rejected no reply md5 failed pending send failed
-------------------------------------------------------------------------------
1 10.2.79.79 1 0 6 0 1 0
===============================================================================
• Does not influences the operational state of the server

A:pe2.lab# tools perform security authentication-server-check server-address 10.2.79.79
user-name "TRE26 atm 1/1/01/22:8.35" password "LetMeIn" secret "WhoIsThere"
===============================================================================
Authentication-server-check
===============================================================================
"RADIUS: Access-Request
user TRE26 atm 1/1/01/22:8.35

"RADIUS: Transmit
USER NAME [1] 24 TRE26 atm 1/1/01/22:8.35
PASSWORD [2] 16 hTR6boA9DwzV3BzJwgRvh.
NAS IP ADDRESS [4] 4 172.16.0.12

"RADIUS: Receive
SUBSC ID STR [11] 5 user5
SLA PROF STR [13] 4 sla1
Radius Accounting Related CLI commando’s
show subscriber-mgmt radius-accounting-policy
===============================================================================
Radius Accounting Policies
===============================================================================
Name Description
-------------------------------------------------------------------------------
GiveMeTheMoney
-------------------------------------------------------------------------------
Number of Radius Accounting Policies : 1
===============================================================================
*A:pe2.lab# show subscriber-mgmt radius-accounting-policy GiveMeTheMoney statistics
===============================================================================
Radius Accounting Policy GiveMeTheMoney Statistics
===============================================================================
Tx Requests : 3 Rx Responses : 2
Request Timeouts : 0 Send Retries : 0
Send Failed : 1
-------------------------------------------------------------------------------
Radius Servers
-------------------------------------------------------------------------------
Index IP Address Tx Reqs Rx Resps Req Timeouts Req Send Failed
-------------------------------------------------------------------------------
1 10.2.79.79 2 2 0 1
===============================================================================
show subscriber-mgmt radius-accounting-policy GiveMeTheMoney

===============================================================================
Radius Accounting Policy GiveMeTheMoney
===============================================================================
Update Interval : 10 Session-id Format : Description
Last Mgmt Change : 04/07/2008 14:32:10
-------------------------------------------------------------------------------
Include Radius Attributes
-------------------------------------------------------------------------------
Framed IP Address : Yes Framed Ip Netmask : Yes
Subscriber Id : Yes Circuit Id : Yes
Remote Id : Yes NAS Port Id : Yes
NAS Identifier : Yes Sub-Profile : Yes
SLA-Profile : Yes
-------------------------------------------------------------------------------
Radius Servers
-------------------------------------------------------------------------------
Router : Base Source Address : 172.16.0.12 State updated when first client
Access Algorithm : Direct Retry :3 uses this account server
Timeout :5
-------------------------------------------------------------------------------
Index IP Address Port Oper State
-------------------------------------------------------------------------------
1 10.2.79.79 1813 unknown ->Up
927 2008/0x/0x 15:12:13.51 UTC MINOR: SVCMGR #2506 Base
===============================================================================
"Subscriber Accounting RADIUS server 10.2.79.79 operational
status changed to inService."
DHCP and PPPoE clients on same interface
 Lets assume following Case :

 DHCP and PPPoE on same interface description "RADIUS policy"
password "LetMeIn"
 PPPoE wants PAP/CHAP LUDB AUTH router "Base"
server 1 address 10.2.79.79 secret . .
 DHCP wants AUTH via RADIUS exit
pppoe-access-method none
. . .
exit
 Configure both pap-chap-user-db and

*A:pe2.lab# *A:pe2.lab#
authentication-policy. configure service ies 998
subscriber-interface "to_A2_via_hairpin" create
address 192.168.42.254/24
 Configure pppoe-access-method none group-interface “isam-1" create
sap 1/1/7 create
 Result sub-sla-mgmt
sub-ident-policy "sub_ident_all“
 PPPoE looks first to auth-policy but falls no shutdown
exit
back to LUDB because of none : OK exit
pppoe
 DHCP looks first to auth-policy : OK pap-chap-user-db "ludb-1"
no shutdown
exit
exit
exit
no shutdown
Customer cases : INEXUS
A:GLB1-01-01-7750-01# show service id 100 pppoe session

-------------------------------------------------------------------------------
2/1/1:12 00:1b:2f:48:55:29 1 2d 15:14:54 62.208.235.75
LCP State : Opened
IPCP State : Opened
PPP MTU : 1492
PPP User-Name : test@seethelight.co.uk
Subscriber-interface : GPON-7342-1
Group-interface : interface_1
A:GLB1-01-01-7750-01#
==============================
Leases for DHCP server
===============================
IP Address
PPPoE user name
User-db-hostname State mac Type
------------------------------------------------
62.208.235.75 stable 00:1b:2f:48:55:29 pppoe
ANCP-String : ""
test@seethelight.co.uk
Int-Dest-Id : ""
business1
Primary DNS : 141.1.1.1

Secondary DNS : 212.80.175.1
Circuit-Id : CRD1-01-7342-01 PON 1/1/01/01:1.1.1

Max number of sessions per MAC
show service id 998 pppoe session Sap Id Mac Address Sid Up Time IP Address
----------------------------------------------------------------------------
1/1/9:998 00:00:c0:01:01:02 32 0d 00:35:01 192.168.42.32
-------------------------------------------------------------------------------
1/1/9:998 00:00:c0:01:01:02 1 0d 00:35:00 192.168.42.1 1/1/9:998 00:00:c0:01:01:02 33 0d 00:35:01 192.168.42.33
1/1/9:998 00:00:c0:01:01:02 2 0d 00:35:00 192.168.42.2 1/1/9:998 00:00:c0:01:01:02 34 0d 00:35:01 192.168.42.34
1/1/9:998 00:00:c0:01:01:02 3 0d 00:35:00 192.168.42.3 1/1/9:998 00:00:c0:01:01:02 35 0d 00:35:01 192.168.42.35
1/1/9:998 00:00:c0:01:01:02 4 0d 00:35:00 Session-id 1
192.168.42.4 1/1/9:998 00:00:c0:01:01:02 36 0d 00:35:01 192.168.42.36
1/1/9:998 00:00:c0:01:01:02 5 0d 00:35:00 192.168.42.5 1/1/9:998 00:00:c0:01:01:02 37 0d 00:35:01 192.168.42.37
1/1/9:998 00:00:c0:01:01:02 6 0d 00:35:00 192.168.42.6 1/1/9:998 00:00:c0:01:01:02 38 0d 00:35:01 192.168.42.38
1/1/9:998 00:00:c0:01:01:02 7 0d 00:35:00 192.168.42.7 1/1/9:998 00:00:c0:01:01:02 39 0d 00:35:01 192.168.42.39
1/1/9:998 00:00:c0:01:01:02 8 0d 00:35:00 192.168.42.8 1/1/9:998 00:00:c0:01:01:02 40 0d 00:35:01 192.168.42.40
1/1/9:998 00:00:c0:01:01:02 9 0d 00:35:00 192.168.42.9 1/1/9:998 00:00:c0:01:01:02 41 0d 00:35:01 192.168.42.41
1/1/9:998 00:00:c0:01:01:02 10 0d 00:35:00 192.168.42.10 1/1/9:998 00:00:c0:01:01:02 42 0d 00:35:01 192.168.42.42
1/1/9:998 00:00:c0:01:01:02 11 0d 00:35:00 192.168.42.11 1/1/9:998 00:00:c0:01:01:02 43 0d 00:35:01 192.168.42.43
1/1/9:998 00:00:c0:01:01:02 12 0d 00:35:00 192.168.42.12 1/1/9:998 00:00:c0:01:01:02 44 0d 00:35:01 192.168.42.44
1/1/9:998 00:00:c0:01:01:02 13 0d 00:35:00 192.168.42.13 1/1/9:998 00:00:c0:01:01:02 45 0d 00:35:01 192.168.42.45
1/1/9:998 00:00:c0:01:01:02 14 0d 00:35:00 192.168.42.14 1/1/9:998 00:00:c0:01:01:02 46 0d 00:35:01 192.168.42.46
1/1/9:998 00:00:c0:01:01:02 15 0d 00:35:00 192.168.42.15 1/1/9:998 00:00:c0:01:01:02 47 0d 00:35:01 192.168.42.47
1/1/9:998 00:00:c0:01:01:02 16 0d 00:35:00 192.168.42.16 1/1/9:998 00:00:c0:01:01:02 48 0d 00:35:01 192.168.42.48
1/1/9:998 00:00:c0:01:01:02 17 0d 00:35:01 192.168.42.17 1/1/9:998 00:00:c0:01:01:02 49 0d 00:35:01 192.168.42.49
1/1/9:998 00:00:c0:01:01:02 18 0d 00:35:01 192.168.42.18 1/1/9:998 00:00:c0:01:01:02 50 0d 00:35:01 192.168.42.50
1/1/9:998 00:00:c0:01:01:02 19 0d 00:35:01 192.168.42.19 1/1/9:998 00:00:c0:01:01:02 51 0d 00:35:00 192.168.42.51
1/1/9:998 00:00:c0:01:01:02 20 0d 00:35:01 192.168.42.20 1/1/9:998 00:00:c0:01:01:02 52 0d 00:35:00 192.168.42.52
1/1/9:998 00:00:c0:01:01:02 21 0d 00:35:01 192.168.42.21 1/1/9:998 00:00:c0:01:01:02 53 0d 00:35:00 192.168.42.53
1/1/9:998 00:00:c0:01:01:02 22 0d 00:35:01 192.168.42.22 1/1/9:998 00:00:c0:01:01:02 54 0d 00:35:00 192.168.42.54
1/1/9:998 00:00:c0:01:01:02 23 0d 00:35:01 192.168.42.23 1/1/9:998 00:00:c0:01:01:02 55 0d 00:35:00 192.168.42.55
1/1/9:998 00:00:c0:01:01:02 24 0d 00:35:01 192.168.42.24 1/1/9:998 00:00:c0:01:01:02 56 0d 00:35:00 192.168.42.56
1/1/9:998 00:00:c0:01:01:02 25 0d 00:35:01 192.168.42.25 1/1/9:998 00:00:c0:01:01:02 57 0d 00:35:00 192.168.42.57
1/1/9:998 00:00:c0:01:01:02 26 0d 00:35:01 192.168.42.26 1/1/9:998 00:00:c0:01:01:02 58 0d 00:35:00 192.168.42.58
1/1/9:998 00:00:c0:01:01:02 27 0d 00:35:01 192.168.42.27 1/1/9:998 00:00:c0:01:01:02 59 0d 00:35:00 192.168.42.59
Same MAC
1/1/9:998 00:00:c0:01:01:02 28 0d 00:35:01 192.168.42.28 1/1/9:998 00:00:c0:01:01:02
Session-id 63 60 0d 00:35:00 192.168.42.60
1/1/9:998 00:00:c0:01:01:02 29 0d 00:35:01 192.168.42.29 1/1/9:998 00:00:c0:01:01:02 61 0d 00:35:00 192.168.42.61
1/1/9:998 00:00:c0:01:01:02 30 0d 00:35:01 192.168.42.30 1/1/9:998 00:00:c0:01:01:02 62 0d 00:35:00 192.168.42.62
1/1/9:998 00:00:c0:01:01:02 31 0d 00:35:01 192.168.42.31 1/1/9:998 00:00:c0:01:01:02 63 0d 00:35:01 192.168.42.63
show service active-subscribers hierarchy
A:pe2.lab# show service active-subscribers hierarchy

 Links the following ==============================================
Active Subscriber hierarchy
==============================================
 Subscriber-id -- Ahola.Hannu (sub1)
|
 SUB-profile |-- sap:1/1/7 - sla:sla1
| |
 SLS-profile | |-- 192.168.42.106 - 00:00:00:00:01:07 (PPPoE)
| |
 SAP
-- Alarcon.Anabel (sub1)
 IP |
|-- sap:1/1/7 - sla:sla1
 MAC | |
| |-- 192.168.42.124 - 00:00:00:00:02:09 (PPPoE)
 Client type | |
-- Bagri.Erdinc (sub1)
|
|-- sap:1/1/7 - sla:sla1
| |
| |-- 192.168.42.100 - 00:00:00:00:01:01 (PPPoE)
| |
-- Barata.Helder (sub1)
|
|-- sap:1/1/7 - sla:sla1
| |
| |-- 192.168.42.122 - 00:00:00:00:02:07 (PPPoE)
| |
HW setup
 ~ 7500 PPPoE traffic

138.203.15.111
traffic traffic
 N2X Traffic
104/2
 CPM-swap 104/1
 admin redundancy force-switchover now
1/1/9:998 DHCP Server-1

250
gi 192.168.42.254 192.168.42.254/24 Use-gi-address
GR-ITF-1 192.168.43.254/24
192.168.44.254/24 subnet 192.168.42.0/24
1/1/9:999
192.168.45.254/24 subnet 192.168.43.0/24
250 gi 192.168.43.254
GR-ITF-2 SUB-ITF-1 subnet 192.168.44.0/24
subnet 192.168.45.0/24
1/1/9:1000 subnet 192.169.0.0/16
250 gi 192.168.44.254
GR-ITF-3 IES
1/1/9:1001 998
250
gi 192.168.45.254
GR-ITF-4
1/1/9:1002
6500 192.169.30.2/16
gi 192.169.30.2
GR-ITF-5 SUB-ITF-2
Backup
PPP/DHCP solution comparison
PPP DHCP (MPSDA)
Authentication LCP extension provides user identification User authentication based on option82
Authorization Supplied to BBNG by RADIUS based on user identity Supplied by Alcatel 5750 Subscriber Services Controller
(SSC), RADIUS-based AAA
Accounting Supplied by BBNG, collected via RADIUS-based system Supplied by Alcatel 7x50, collected via the 5750 SSC
/RADIUS
State fullness State kept by PPP keep-alive State kept by ARP keep-alive (SHCV)
Multicast Inefficient multicast replication; PPP is point-to-point Efficient multicast replication
in nature
PC support Requires third-party SW, unless OS <4 years old Available on any device
Client support Not supported on VoIP/STB devices Supported on any device
Femto support Extra overhead, QoS differentiation difficult No additional overhead, QoS differentiation
Customer service
Provides feedback on connectivity; third-party SW Provides feedback on connectivity via ARP/ping
support
hard to troubleshoot mechanism
Redundancy No box redundancy, no full in-box redundancy Full box/in-box redundancy through High Availability
provided
Wholesale L2TP 802.1x w/ L3VPN/L2VPN

PPP/DHCP solution comparison
 When we compare DHCP versus PPP the following design guidelines can be
followed
 Video: requires DHCP for efficient multicast distribution
 Femto: requires DHCP/IPoE for optimal overhead and QoS differentiation
 Voice/HSI: introduce them on DHCP when possible, mainly depending on legacy
environment
 PPP required when:
 Wholesale support and authentication is superior due to L2TP and
username/password/domain name support in PPPoE/L2TP
 DHCP extensions with EAP are being worked on in DSL Forum/IETF
Video subscribers move typically to DHCP and legacy HSI is typically kept in legacy BRAS
platforms, although multiple providers are looking to migrate to full DHCP
Slow-start and congestion avoidance
 For your info

 Although each side has indicated the maximum size of its receive window, it is
recommended that a slow start and congestion avoidance method be used to transmit
control packets. The methods described here are based upon the TCP congestion
avoidance algorithm as described in section 21.6 of TCP/IP Illustrated, Volume I, by W.
Richard Stevens [STEVENS].
 Before the introduction of the L2TP Congestion Avoidance feature, the window size
used to send packets between the network access server (NAS) and the tunnel server
was set to the value advertised by the peer endpoint and was never changed.
Configuring the L2TP Congestion Avoidance feature allows the L2TP packet window to
be dynamically resized using a sliding window mechanism. The window size grows
larger when packets are delivered successfully, and is reduced when dropped packets
must be retransmitted
SCCRQ
SCCRP
SCCCN
Window size avp=4
ZLB
Session setup message flow
 Session setup documented mostly in following way : LAC LNS

ICRQ
ICRP
ICCN
ZLB
 7x50 Session setup flow slightly different LAC LNS

ICRQ
 Still correct according RFC ICRP
Data path ZLB
stitch ICCN
ZLB
 Ask PPPoE to stitch data path to PPPoE session.

 ICCN is only returned when data path stitch done.
 This prevents having the possibility that first LCP message from LNS downstream can
get lost because stitch not made yet.
Wholesale-retail OPTION-1A
LUDB : fallback “default” host
 Add host “default” without host-identification
14 2009/03/25 20:58:51.96 GMT MINOR: DEBUG #2001
 User has wrong service name Base LUDB
"LUDB: User lookup success - host found
pppoe-service-name:
 debug subscriber-mgmt local-user-db MyLudb1 original: MyProvider1-wrong
masked: MyProvider1-wrong
*A:pe2.lab# configure subscriber-mgmt
local-user-db "MyLudb1" create Host default found in user data base MyLudb1"
pppoe
match-list service-name show service id 99999 pppoe session detail
host "host1" create ==========================================
host-identification PPPoE sessions for svc-id 99999
service-name "MyProvider1" ================================
exit
identification-strings 254 create PPP User-Name : (Not Specified)
--snip--
exit Subscriber-interface : MySubItf1
1 l2tp Group-interface : MyGrpItf1
group "MyProvider1"
exit Subscriber Origin : Local-User-Db
no shutdown Strings Origin : Local-User-Db
exit
host “default" create Subscriber : "default_from_ludb"
identification-strings 254 create Sub-Profile-String : "DefSubProfile"
subscriber-id “default_from-ludb" 2 SLA-Profile-String : "DefSlaProfile"
sla-profile-string "DefSlaProfile" --snip--
exit Service-Name : MyProvider1-wrong
no shutdown Session-Timeout : N/A
exit Radius Class :
exit Radius User-Name :
…
LUDB default” host APPLICATION
Problem Description
 Assume that you have a local-DHCP server with a pool-1 with 3 subnets.
 gi-address is 10.2.0.254
use-gi-address
pool "pool-1" create
address-range 10.2.0.1 10.2.0.253
exit
address-range 10.2.1.1 10.2.1.253
exit
address-range 10.2.2.1 10.2.2.253
exit
exit…
 If the assigned gi-address is 10.2.0.254 for a PPPoE session than this PPPoE
client can never search in the two other subnets from pool-1 (if pool-1 was
not returned from Radius for example.
LUDB default” host APPLICATION-I ( With Radius after pre-auth)
 An other solution (than use-gi-address ) for PPPoE dynamic address

assignment is use-pool-from-client in DHCP server
 Radius returns pool-name .. OK
 Or LUDB via default user returns pool-name
*A:pe2.lab# configure subscriber-mgmt local-dhcp-server "server-2" create
local-user-db "ludb-2" create no use-gi-address (Fallback if user not found
pppoe use-pool-from-client
match-list mac ## dummy match pool "pool-1" create
host "default" create subnet 10.2.0.0/24 create
auth-policy "authentication-2" address-range 10.2.0.1 10.2.0.253
address pool "pool-1" exit
no shutdown subnet 10.2.1.0/24 create
exit address-range 10.2.1.1 10.2.1.253
exit exit
no shutdown subnet 10.2.2.0/24 create
… exit
exit…
Match masks could be used also to Normal Radius authentication

assign different pool-names after ludb pre-authentication
 Current pre-authentication configurations via LUDB reject Radius COA’s

– High profile DTS 88621 / PTS 570601
LUDB default” host APPLICATION-II ( Without Radius )
 An other solution (than use-gi-address ) for PPPoE dynamic address

assignment is user-db in DHCP-server
*A:pe2.lab# configure subscriber-mgmt no use-gi-address (Fallback if user not found
local-user-db "ludb-2" create no use-pool-from-client
pppoe user-db ludb-2
match-list mac ## dummy match pool "pool-1" create
host "default" create subnet 10.2.0.0/24 create
address pool "pool-1" address-range 10.2.0.1 10.2.0.253
no shutdown exit
exit subnet 10.2.1.0/24 create
no shutdown exit
exit subnet 10.2.2.0/24 create
… address-range 10.2.2.1 10.2.2.253
exit
exit…
 Current pre-authentication configurations via LUDB reject Radius COA’s

– High profile DTS 88621 / PTS 570601
Wholesale-retail OPION-1A
LUDB : mask type examples
 Allowed mask types are : service-name / username/ circuit-id/remote-id

 Allowed masks are : prefix-length/suffix-length/prefix-string/suffix-string.
 For prefix-strings and suffix-strings we allow the wildcard *
Mask type prefix- suffix- prefix- suffix- Result
length length string string

Service-name username Circuit-id Remote-id
Host =
- - - 03-7123886-Node2 11 - - - Node2
- - 7450-ESS-1|100|1/2/1 - - 10 - - 7450-ESS-1
- all_users@skynet.be - - - - *@ .be skynet
all_users@belgacom.com - - - - - *@ .com belgacom
 Above some example illustrations (debug subscriber-mgmt local-user-db MyLudb5detail all )
7 2009/03/27 14:18:14.46 GMT MINOR: DEBUG #2001 Base LUDB

"LUDB: User lookup success - host found
pppoe-service-name:
original: all_users@belgacom.be
masked: belgacom
Host host1 found in user data base MyLudb5"

PPPoE R7.0 v1.7

Caricato da

Informazioni sul documento

Descrizione:

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Descrizione:

Copyright:

Formati disponibili

PPPoE R7.0 v1.7

Caricato da

Descrizione:

Copyright:

Formati disponibili

< DISCLAIMER >

TiMOS 7.0 workshop

1. Local-Access-Model versus Tunneled-Access-Model. updated

2. General PPPoE Technology overview. updated

3. 7x50 Retail PPPoE implementation. updated

4. 7x50 Wholesale-Retail via Managed-SAP aka MSAP. updated

5. 7x50 Wholesale-Retail VRF selection. new

6. General L2TP Technology overview. new

7. 7x50 Wholesale-Retail L2TP implementation. new

8. Customer cases updated

2 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008

3 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008

4 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008

 Local Retail PPPoE termination. R6

5 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008

 RFC2516 PPP over Ethernet

Access Node BNG

6 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008

7 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008

 Dynamic VRF selection over single VLAN / wholesale IP-VPN

Access Node DHCP VRF

8 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008

 Radius returns L2TP info for user1@ISP3 and user2@ISP3

 PADI/PAP/CHAP via LUDB/RADIUS

9 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008

 LAC functionality on 7750/7710, with forwarding in global routing table.

10 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008

 Support for draft Mammoliti AVP’s (except ANCP).***

 OAM requirements will include L2TP keep-alive reporting and commands to

 Ethernet on the network side only.

11 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008

Related supported RFC’s

 RFC 2661 : Layer Two Tunneling Protocol "L2TP“ ***

 RFC 1994 : PPP Challenge Handshake Authentication Protocol (CHAP)

 RFC 1661 : The Point-to-Point Protocol (PPP)

 RFC 2868 : RADIUS Attributes for Tunnel Protocol Support

12 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008

Related Non supported RFC’s

LAC Ip1 LNS Standby

13 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008

Related Non supported RFC’s ERX example

 RFC 2867 (RADIUS Accounting Acct-Status-Type = Stop

14 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008

15 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008

 ~1 hour embedded TiMOS-General-PPPoE-Technology-Overview-v1.0.ppt

16 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008

17 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008

2. General PPPoE Technology overview.

b) different PPPoE scenarios. f) Security

c) Accounting g) Change of Authority

4. 7x50 Wholesale-Retail via Managed-SAP aka MSAP

b) different PPPoE scenarios. f) Security

c) Accounting g) Change of Authority

19 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008

20 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008

 RADIUS based authentication of subscriber host interface in PADI phase.

 Local PAP/CHAP authentication via LUDB

 Local DHCP server authentication who uses also LUDB

 Support for Framed-ip 255.255.255.254 from Radius *** (since 6.0R3)

 Support for Framed-route received via Radius (since 6.1.R1)

22 | TiMOS-7.0 workshop | April 2009 All Rights Reserved © Alcatel-Lucent 2008