Subscriber Session Overview
A session represents the logical connection between the customer premise equipment (CPE) and the network resource. To enable a subscriber to access the network resources, the network has to establish a session with the subscriber. Each session establishment comprises these phases:
- Establishing a connection: in this phase, the CPE finds the BNG with which to communicate.
- Authenticating and authorizing the subscriber: in this phase, BNG authenticates the subscribers and authorizes them to use the network. This phase is performed with the help of the RADIUS server.
- Giving the subscriber an identity: in this phase, the subscriber is assigned an identity, the IP address.
- Monitoring the session: in this phase, BNG ascertains that the session is up and running.
Note: When packets arrive on an access interface, an attempt is made to link each packet to a subscriber context. If there is no match, the packet is mapped against the access (sub-)interface. Because the access interface in IPoE designs is IP enabled (for example, through an IP-unnumbered configuration), those packets are processed like regular IP traffic. To secure your BNG access interface, apply either uRPF or an access list that blocks everything but DHCP incoming on the access interface, so that remote subscribers for which no subscriber interface has been created cannot access network resources.
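The following check is an added example, not Cisco's code or part of the original page: it audits an IOS XR-style configuration for IPoE access interfaces that lack the protection recommended in the note above (uRPF, or an ingress access list that permits only DHCP). The configuration text, ACL names and interface names are constructed, and the stanzas and audit_access_interfaces helpers are hypothetical.

```python
import re

# Constructed, abbreviated IOS XR-style configuration (sample data, not from the page).
SAMPLE_CONFIG = """\
ipv4 access-list ACCESS-DHCP-ONLY
 10 permit udp any eq bootpc any eq bootps
 20 deny ipv4 any any
!
ipv4 access-list ACCESS-LOOSE
 10 permit udp any eq bootpc any eq bootps
 20 permit ipv4 any any
!
interface Bundle-Ether2.100
 ipv4 access-group ACCESS-DHCP-ONLY ingress
 ipsubscriber ipv4 l2-connected
!
interface Bundle-Ether2.200
 ipv4 verify unicast source reachable-via rx
 ipsubscriber ipv4 l2-connected
!
interface Bundle-Ether2.300
 ipv4 access-group ACCESS-LOOSE ingress
 ipsubscriber ipv4 l2-connected
!
interface Bundle-Ether2.400
 ipsubscriber ipv4 l2-connected
"""

def stanzas(config, keyword):
    """Return {name: [stripped body lines]} for top-level stanzas that start with keyword."""
    pattern = rf"^{re.escape(keyword)} (\S+)\n((?: .*\n)*)"
    return {m[1]: [l.strip() for l in m[2].splitlines()] for m in re.finditer(pattern, config, re.M)}

def audit_access_interfaces(config):
    """Classify IPoE access interfaces: dhcp-only-acl, urpf, acl-too-broad or unprotected."""
    acls, report = stanzas(config, "ipv4 access-list"), {}
    for name, body in stanzas(config, "interface").items():
        text = "\n".join(body)
        if "ipsubscriber ipv4" not in text:
            continue  # not an IPoE subscriber access interface
        acl = re.search(r"^ipv4 access-group (\S+) ingress$", text, re.M)
        permits = [l for l in acls.get(acl[1], []) if "permit" in l.split()[:2]] if acl else []
        if acl and acl[1] in acls and all("bootp" in l for l in permits):
            report[name] = "dhcp-only-acl"  # every permit entry is DHCP (bootpc/bootps)
        elif "ipv4 verify unicast source reachable-via" in text:
            report[name] = "urpf"
        else:
            report[name] = "acl-too-broad" if acl else "unprotected"
    return report
```

Interfaces reported as unprotected or acl-too-broad are the ones where unmatched packets would be routed like regular IP traffic.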
The subscribers are not configured directly on BNG. Instead, a framework is created on which subscriber features and subscriber sessions are started and stopped dynamically. The framework consists of control policies and dynamic templates, which perform these functions:
- Control policy determines the action BNG takes when specific events, such as receipt of a session start request or failure of authentication, occur. The action is determined by the class-map defined in the control policy. The action involves activating dynamic templates.
- Dynamic template contains a set of CLI commands that are applied to a subscriber session. Multiple dynamic templates can be activated, one at a time, on the same subscriber interface. Also, the same dynamic template can be activated on multiple subscriber interfaces through different control policies.
Service providers can deploy subscribers over VLAN in these ways:
- 1:1 VLAN model: This model depicts a scenario where one dedicated VLAN is available for each customer. Each VLAN is a q-in-q VLAN where the inner VLAN tag represents the subscriber and the outer VLAN tag represents the DSLAM.
- N:1 VLAN model: This model depicts a scenario where multiple subscribers are available on a shared VLAN. The VLAN tags represent the DSLAM or the aggregation device.
- Ambiguous VLANs: This model allows the operator to specify a large number of VLANs in a single CLI line. Using ambiguous VLAN, a range of inner or outer tags (or both) can be configured on a VLAN sub-interface. This is particularly useful for the 1:1 model, where every subscriber has a unique value for the set of VLAN tags. For more information about ambiguous VLANs, see Subscriber Session on Ambiguous VLANs.
The subscriber sessions are established over the subscriber interfaces, which are virtual interfaces. It is possible to create only one interface for each subscriber session. A port can contain multiple VLANs, each of which can support multiple subscribers. BNG creates subscriber interfaces for each kind of session. These interfaces are named based on the parent interface, such as bundle-ether 2.100.pppoe312. Subscribers on bundle (or bundle-VLAN) interfaces allow redundancy and are managed on the BNG route processor (RP).
For details on subscriber session limit, see Subscriber Session Limit.
To provide network redundancy and load balancing, the service provider can deploy multiple links between the DSLAM and the BNG. The individual links can be grouped into ether-bundles, including VLANs over ether-bundles, or link aggregation groups (LAGs). The subscriber sessions can be active on any link within the bundle or group. If a BNG is deployed in a LAG configuration, all traffic for one subscriber should be configured to traverse one link of the ether-bundle. Load-balancing is achieved by putting different subscribers on different links.
There are two mechanisms to establish a subscriber session, namely, IPoE and PPPoE. These are discussed in the next topics.
Line card (LC) subscribers are supported in BNG. For details, see Line Card Subscribers.
BNG supports interface based static sessions, where all traffic belonging to a particular VLAN sub-interface is treated as a single session. For details, see Static Sessions.
Restrictions
- If the subscriber's VRF is taken from the access interface's VRF value, then the VRF configured in the dynamic template used by the subscriber must match. If the two VRFs do not match, the session does not work properly.
- ACL logging on BNG dynamic template is not supported.
- The BNG supports various features that are associated with BNG subscriber sessions and are linked to a BNG subscriber session during the initiation of the session or through a Change of Authorization (CoA). These features include:
  - Dynamic templates for IP subscribers and PPP services.
  - Policies and access list bindings related to subscriber access interfaces.
  - Quality of Service and Policy-Based Routing configurations, such as class maps and policy maps.
  - Access Control Lists (ACLs) and Access Control Entries (ACEs).
  - DHCP profiles and their bindings to interfaces.
  The BNG does not support modifications to these features during active BNG sessions. Any changes made during active BNG sessions may negatively impact the functionality and result in unpredictable behavior.
  We recommend that you avoid any actions such as enabling, disabling, or modifying these features while they are active in a subscriber session.