Home Agent Accounting
This chapter discusses concepts related to Accounting on the Cisco Mobile Wireless Home Agent, and provides details about how to configure this feature.
This chapter includes the following sections:
•Overview of HA Accounting
•Single IP Home Agent Accounting Support
•Per Domain Accounting
•Accounting Interim Sync
•Basic Accounting Messages
•System Accounting in HA
•Messages Not Sent By Mobile IP Home Agent
•Configuring HA Accounting
•HA Accounting Configuration Examples
Overview of HA Accounting
This feature is primarily developed to allow the HA to interoperate with the Service Selection Gateway (SSG) in the CMX solution. However, this feature can also be used without SSG interaction.
This release supports the following Accounting features:
• Home Agent Accounting in a Redundant Setup
• Packet count and Byte count in Accounting Records
•Additional Attributes in the Accounting Records
•Additional Accounting Methods—Interim Accounting is Supported.
As byte count and packet count is performed on the HA, this accounting feature does not need the SSG in the network to generate full accounting information.
The HA Accounting feature includes the following activities:
• HA will send Accounting Start record when the first binding for a mobile is created
•HA will send Accounting Stop record when the last binding for a mobile is deleted
•HA will send Accounting Update when Handoff occurs
•Start-stop, and Interim accounting methods will be supported
•When a mobileip registration reply with an error code is sent for an authenticated NAI (due and if a binding does not exit for the NAI), an accounting stop record will be sent.
•A Watchdog message will be sent with an appropriate reject code for an authenticated NAI if Re-registration fails for an existing binding.
The following attributes are sent in Accounting Records:
•NAI in Username attribute (1)
•MN IP Address in Framed IP Address attribute (8)
•Home Agent IP Address (26/7, 3gpp2 attribute)
•Care-of-address in Tunnel End Point (66)
•Network Access Server (NAS) IP Address attribute (4)
•Accounting Status Type attribute (40)
•Accounting Session ID (44)
•Accounting Terminate Cause (49) - only in accounting stop
•Accounting Delay Time (41)
•Acct-Input-Octets (42)
•Acct-Output-Octets (43)
•Acct-Input-Packets (47)
•Acct-Output-Packets (48)
•Acct-Input-Gigawords (52)
•Acct-Output-Gigawords (53)
•Registration flags in "mobileip-mn-flags" cisco-avpair attribute
•Vrf name in "mobileip:ip-vrf" cisco-avpair attribute
Single IP Home Agent Accounting Support
The Single IP Home Agent design supports the underlying ability to run AAA services on the Traffic Processor of the Single IP model. For accounting services, the Radius Accounting executes on the traffic processors. Each traffic processor uses a unique UDP source port when originating Radius traffic. The Radius response has this port as the UDP destination port which is used to identify the Traffic Processor that originated the Radius message.
These messages include Start, Update and Stop.
This feature is only supported on the Cisco 7600 Switch with SAMI blade.
To configure the Single IP HA Accounting support, perform the following tasks:
|
|
|
Step 1 |
Router(config)# sami balance ports start-port end-port |
This configuration is effective after reload only. It configures the port for a particular processor and sets a port to send accounting messages to AAA. If this command is not configured, then the default ports from 45000 to 46535 get set for the card. The range mentioned in this command should be a multiple of six. Note We recommend that you use the default configuration. |
Step 2 |
router#show sami port-range |
This show command displays the port range that is currently configured. It also shows the port range that will be effective after reload. |
Step 3 |
router#debug radius |
This debug enables the radius debugs to check whether the accounting packets are being sent to AAA on the desired port. |
Step 4 |
router#debug aaa accounting |
Enables accounting debug messages. |
Here are some configuration examples:
Slot4#show sami port-range
Current Start Port range 30000 End port range 35999 Range Per PPC 1000
Processor 3: 30000 to 30999
Processor 4: 31000 to 31999
Processor 5: 32000 to 32999
Processor 6: 33000 to 33999
Processor 7: 34000 to 34999
Processor 8: 35000 to 35999
After Reload Start Port range 30000 End port range 35999 Range Per PPC 1000
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization ipmobile default group radius
aaa authorization network default group radius
aaa accounting update periodic 1
aaa accounting network default start-stop group radius
ip local pool fasim-pool-82 16.82.0.1 16.82.100.254
ip mobile home-agent revocation
ip mobile home-agent dynamic-address 48.48.48.48
ip mobile home-agent accounting default
ip mobile host nai @fasim48.com address pool local fasim-pool-82 virtual-network
16.82.0.0 255.255.0.0 aaa load-sa lifetime 7400
radius-server host 12.1.3.2 auth-port 1645 acct-port 1646 key lab
radius-server vsa send accounting
Per Domain Accounting
The Home Agent VRF feature allows you to configure accounting groups, authentication groups and whether accounting is enabled or not as part of the VRF definition. In Cisco Mobile Wireless Home Agent Release 5.0 it is now possible to define the accounting interim update interval timer as part of the per-realm configuration within a VRF.
To enable this feature, perform the following tasks:
|
|
|
Step 1 |
Router(config)#ip mobile realm @xyz.com ha-addr ip-address [aaa-group [accounting aaa-acct-group | authentication aaa-auth-group]] periodic minutes |
Enables a per-realm configuration independent of VRF. |
Step 2 |
Router(config)#ip mobile realm @xyz.com vrf vrf-name ha-addr ip-address [aaa-group [accounting aaa-acct-group | authentication aaa-auth-group]] periodic minutes |
The VRF configuration command is enhanced to include accounting support. The periodic keyword defines how interim accounting records are sent at an interval corresponding to the minutes value. |
Note The per-VRF configuration takes precedence over per-realm configuration, which takes precedence over aaa accounting update periodic configuration
The show command now includes the periodic minutes parameters in addition to those previously displayed.
Here is an example router configuration for per Domain Accounting:
ip mobile host nai @yahoo.com address pool local mypool virtual-network 60.0.0.0
255.255.0.0 aaa load-sa
ip mobile host nai @cisco.com address pool local hapool virtual-network 65.0.0.0
255.255.0.0 aaa load-sa
ip mobile host nai @xyz.com address pool local nextpool virtual-network 61.0.0.0
255.255.0.0 aaa load-sa
ip mobile host nai @abc.com address pool local vrf-pool1 virtual-network 55.1.1.0
255.255.255.0 aaa load-sa
ip mobile realm @yahoo.com aaa-group accounting mylist authentication mylist periodic 2 accounting
Accounting Interim Sync
In Home Agent Release 5.0, the following per-session fields are periodically synchronized to the standby Home Agent.
•Input octets
•Output octets
•Input bytes
•Output bytes
•Input octets gigawords
•Output octets gigawords
•Input packet gigawords
•Output packet gigawords
•Data Path Idle Timer
The update interval is configurable in minutes, and is independent of the configuration to send interim accounting update Radius messages.
The information is only sent to the standby if there is a change in value for any of the Input/Output counts.
To enable this feature, perform the following tasks:
|
|
|
Step 1 |
Router(config)# redundancy periodic-sync interval minutes limit cpu Percentage cpu Threshold rate rate# |
Enables periodic updates between the active and standby for accounting counters, and is used to spread the sync messages and uniformly distribute the load over a configured period of time. The default value is 5 minutes. Entering 0 minutes causes redundancy sync to be disabled. When the CPU threshold exceeds the CPU limit, HA will start throttling by sending 500 bindings every 5 seconds. The default threshold is 70 %. It is possible that the rate specified cannot be met due to CPU load or memory thresholds being exceeded. We recommend that you choose an interval that matches well with the max bindings in order to be able to achieve the default sync rate. So choosing 1 minute interval for 500K bindings will not be honored in the calculated rate (the required rate is 8500/s, but max is 5000/s) unless a rate is also specified in the CLI. |
Step 2 |
Router# show redundancy inter-device |
Displays redundancy statisitics, including •Input octets •Output octets •Input bytes •Output bytes •Input octets gigawords •Output octets gigawords •Input packet gigawords •Output packet gigawords •Data Path Idle Timer |
Step 3 |
Router#debug redundancy periodic-sync |
Displays Mobile IP stateful session redundancy related periodic-sync debugging information. |
Basic Accounting Messages
Home Agent Release 2.1 and above supports the Cisco Service Selection Gateway (SSG). In this release, the HA sends only three accounting messages without statistics information. The SSG is designed and deployed in such a way that all the network traffic passes through it.
Since all the traffic passes through the SSG, it has all of the statistical information; however, it does not have Mobile IP session information. The Home Agent has the Mobile IP session information, and sends that information to the SSG.
The HA sends the following messages to the SSG/AAA server:
•Accounting Start: The HA sends this message to the SSG/AAA server when:
–A MN successfully registers for the first time. This indicates the start of new Mobile IP session for a MN.
–In case of redundant HA configuration, a stand-by HA will send Accounting Start message only when it becomes active and it does not have any prior bindings. This allows the SSG to maintain host objects for MNs on failed HA. However, redundancy is not supported in Phase-1.
•Accounting Update: The HA generates an Accounting Update message, if periodic accounting update message is configured, and when the mobile node changes its point of attachment (POA). For a Mobile IP session, this corresponds to a successful re-registration from a mobile node when it changes its care-of address (CoA). The CoA is the current location of the mobile node on the foreign network. Additionally, the HA sends an accounting update message with correct reject code when re-registration fails for an existing binding.
•Accounting Stop: The HA sends an Accounting Stop message when RRP with error code is sent for an authenticated NAI (except for MobileIP error code 136), due and if binding does not exist for the NAI.
All the messages contain the following information:
•Network Access Identifier (NAI): This is the MN's name. It looks something like abc@service_provider1.com
•Network Access Server (NAS) IP: This is the accounting node's IP address. Since HA is the accounting node, this field carries the HA address.
•Framed IP Address: This is the IP address of the MN. Typically the HA will allot an IP address to a MN after successful registration.
•Point Of Attachment (POA): This field indicates the Point of attachment for the MN on the network. For Mobile IP session, this is MN's Care-Of-Address (COA).
System Accounting in HA
An accounting-on is sent while a home agent is brought into the service (in other words, at the time of initialization after reloading a box), and if there is no active home agent at that time.
An accounting-off could be sent when the active home agent is taken out of service (graceful or otherwise), and if there is no standby home agent to provide the home agent service. Note that, accounting-off is not guaranteed.
An accounting-off is not sent when the standby home agent is taken out of service (graceful or otherwise).
Messages Not Sent By Mobile IP Home Agent
The following messages are not sent by Mobile IP Home Agent:
•Accounting On Message (Acct-Status-Type=Accounting-On) when the HA box comes online or boots up: This message is a global entity for the platform, irrespective of Mobile IP configuration. This message is typically implemented by the platform code during initialization, and not by a service such as Mobile IP.
•Accounting Off Message (Acct-Status-Type=Accounting-Off) when the HA box is shutdown: This message is also a global entity for the platform, irrespective of Mobile IP configuration. This message is typically implemented by the platform code during reboot, and not by a service such as Mobile IP.
Configuring HA Accounting
Mobile IP currently uses AAA commands to configure authorization parameters. All of the following commands are required. By default, the HA Accounting feature will be disabled; the HA will not send accounting messages to the AAA server unless configured. To enable the HA Accounting feature, perform the following tasks:
|
|
|
Step 1 |
Router(config)# ip mobile home-agent accounting list |
Enables HA accounting, and applies the previously defined accounting method list for Home Agent. list is the AAA Accounting method used to generate HA accounting records. |
Step 2 |
Router(config)# redundancy periodic-sync interval |
Controls the periodic sync of binding statistics and remaining idle time for the bindings in a redundancy setup (between the active and standby). |
Step 3 |
Router(config)# aaa accounting network method list name start-stop group group name |
Sends a "start" accounting notice at the beginning of a process, and a "stop" accounting notice at the end of a process. The "start" accounting record is sent in the background. The requested user process begins regardless of whether the "start" accounting notice was received by the accounting server. |
Step 4 |
Router(config)# aaa accounting update newinfo |
Enables an interim accounting record to be sent to the accounting server whenever there is new accounting information to report relating to the user in question. |
Step 5 |
Router(config)# aaa accounting system default start-stop group radius |
Enables the HA to send system messages. |
Step 6 |
Router(config)# ip mobile homeagent switchover aaa swact-notification |
Sends Switchover-Action (swact) Notification after a switchover in Accounting watchdog/stop messages for each MIP session |
Step 7 |
Router# debug aaa accounting |
Enables debugging of HA Accounting messages. |
Step 8 |
Router# debug radius Router# debug tacacs |
Enables debugging of security protocol specific messages. |
Step 9 |
Router# debug ip mobile |
Enable Mobile IP related debug messages. Accounting will print debug messages only in case of errors. |
HA Accounting Configuration Examples
The first block of commands are AAA configurations. An accounting method list (mylist) is created for network accounting. Start-Stop keywords imply that HA will send Start and Stop records. For detailed information, see the IOS Security Configuration Guide.
The Second line instructs the HA to send accounting Update records, whenever there is a change in Care-Of-Address (COA).
ip mobile home-agent accounting mylist address 10.3.3.1
ip mobile host 10.3.3.2 3.3.3.5 interface Ethernet2/2
ip mobile secure host 10.3.3.2 spi 1000 key ascii test algorithm md5 mode prefix-suffix
These are Mobile IP commands. On the first line, accounting method list mylist is applied on the Home Agent, thus enabling HA Accounting.
radius-server host 172.16.162.173 auth-port 1645 acct-port 1646
radius-server retransmit 3
!
These are RADIUS commands. The first line specifies the RADIUS server address. Make sure the HA can reach AAA server and has proper access privileges.
Here is a sample HA Accounting configuration:
ACTIVE HA:
Building configuration...
Current configuration : 4927 bytes
! Last configuration change at 05:12:03 UTC Thu Oct 13 2005
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
aaa authentication ppp default local group radius
aaa authorization config-commands
aaa authorization ipmobile default group radius
aaa authorization network default local group radius
aaa authorization configuration default group radius
aaa accounting update newinfo periodic 2
aaa accounting network mylist start-stop group radius
aaa accounting system default start-stop group radius
no ip dhcp use vrf connected
ip dhcp-server 99.107.0.13
! Default L2TP VPDN group
! Default PPTP VPDN group
username cisco7600 password 0 cisco
ip address 11.0.0.1 255.0.0.0
interface FastEthernet0/0
description "LINK TO HAAA................!"
ip address 150.2.13.40 255.255.0.0
standby 4 preempt delay reload 300
interface FastEthernet1/0
interface FastEthernet2/0
description "LINK TO PDSN................!"
ip address 7.0.0.10 255.0.0.0
standby 2 preempt delay reload 300
interface FastEthernet3/0
bridge-group 4 spanning-disabled
description ""LINK TO REFLECTOR...."
ip address 99.107.0.19 255.255.0.0
standby 3 ip 99.107.89.67
standby 3 preempt delay reload 300
description "LINK TO TFTP....."
ip address 1.7.130.10 255.255.0.0
interface Virtual-Template1
ip local pool LNS-Pool 8.3.0.1 8.3.0.100
ip local pool ispabc-pool 40.0.0.101 40.0.0.255
ip default-gateway 10.1.2.13
ip route 8.0.0.1 255.255.255.255 7.0.0.1
ip route 9.0.0.1 255.255.255.255 7.0.0.1
ip mobile home-agent accounting mylist broadcast
ip mobile home-agent ip mobile home-agent redundancy
ip mobile virtual-network 40.0.0.0 255.0.0.0
ip mobile host nai @ispxyz.com address pool local ispabc-pool virtual-network 40.0.0.0
255.0.0.0 aaa lifetime 250
ip mobile secure home-agent 7.0.0.2 spi 1001 key ascii cisco algorithm md5 mode
prefix-suffix
ip mobile secure home-agent 7.0.0.67 spi 1001 key ascii cisco algorithm md5 mode
prefix-suffix
ip radius source-interface Loopback1
access-list 120 deny ip 40.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
access-list 120 permit ip any any
dialer-list 1 protocol ip permit
radius-server host 150.2.0.2 auth-port 1645 acct-port 1646
radius-server vsa send accounting
radius-server vsa send accounting 3gpp2
radius-server vsa send authentication 3gpp2
alias exec shb sh ip mob bin
alias exec shr sh ip route
alias exec sht sh ip mob tun
alias exec shh sh ip mob host
alias exec clr clear ip mob bin all
no scheduler max-task-time
STANDBY HA:
Building configuration...
Current configuration : 3995 bytes
! No configuration change since last restart
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
boot system tftp /auto/tftpboot-users/tennis/c7600-h1is-mz.123-3.8.PI2 171.69.1.129
enable password 7 00445566
aaa authentication ppp default local group radius
aaa authorization config-commands
aaa authorization ipmobile default group radius
aaa authorization network default local group radius
aaa authorization configuration default group radius
aaa accounting update newinfo periodic 2
aaa accounting network mylist start-stop group radius
aaa accounting system default start-stop group radius
ip ftp username pdsn-team
ip ftp password 7 pdsneng
ip host PAGENT-SECURITY-V3 32.68.10.4 38.90.0.0
ip name-server 11.69.2.133
no ip dhcp use vrf connected
vpdn ip udp ignore checksum
! Default L2TP VPDN group
! Default PPTP VPDN group
username mwt13-7600b password 0 cisco
ip address 11.0.0.1 255.0.0.0
interface FastEthernet0/0
ip address 4.0.10.2 255.0.0.0
interface FastEthernet1/0
interface FastEthernet2/0
description "LINK TO HAAA................!"
ip address 15.2.13.20 255.255.0.0
interface FastEthernet5/0
description "LINK TO PDSN................!"
ip address 7.0.0.67 255.0.0.0
description "LINK TO REFLECTOR....!"
ip address 22.107.0.12 255.255.0.0
standby 3 ip 22.107.89.67
description "LINK TO TFTP....."
ip address 1.7.130.2 255.255.0.0
ip local pool LNS-Pool 8.3.0.1 8.3.0.100
ip local pool ispabc-pool 40.0.0.101 40.0.0.255
ip default-gateway 10.1.2.13
ip route 8.0.0.1 255.255.255.255 7.0.0.1
ip route 9.0.0.1 255.255.255.255 7.0.0.1
ip mobile home-agent accounting mylist broadcast
ip mobile home-agent ip mobile home-agent redundancy
ip mobile virtual-network 40.0.0.0 255.0.0.0
ip mobile host nai @ispxyz.com address pool local ispabc-pool virtual-network 40.0.0.0
255.0.0.0 aaa lifetime 250
ip mobile secure home-agent 7.0.0.2 spi 1001 key ascii cisco algorithm md5 mode
prefix-suffix
ip mobile secure home-agent 7.0.0.10 spi 1001 key ascii cisco algorithm md5 mode
prefix-suffix
ip radius source-interface Loopback1
dialer-list 1 protocol ip permit
radius-server host 150.2.0.2 auth-port 1645 acct-port 1646
radius-server vsa send accounting
radius-server vsa send accounting 3gpp2
radius-server vsa send authentication 3gpp2
alias exec shb sh ip mob bin
alias exec shr sh ip route
alias exec sht sh ip mob tun
alias exec shh sh ip mob host
alias exec clr clear ip mob bin all
no scheduler max-task-time
Verifying HA Accounting Setup
The HA Accounting status can be verified by issuing the show ip mobile global command. The current accounting status is displayed as shown below:
router# sh ip mobile global
IP Mobility global information:
Registration lifetime: 10:00:00 (36000 secs)
Replay protection time: 7 secs
HA Accounting enabled using method list: mylist
NAT UDP Tunneling support enabled
Forced UDP Tunneling disabled
cisco (virtual network - address 7.0.0.2)
Foreign Agent is not enabled, no care-of address
0 interfaces providing service
Encapsulations supported: IPIP and GRE
Tunnel fast switching enabled, cef switching enabled
Tunnel path MTU discovery aged out after 10 min
Radius Disconnect Capability disabled
router#