In certain deployment scenarios, the subscriber access or subscriber interfaces are unnumbered and the associated loopback interface may have multiple secondary IP addresses. These unnumbered interfaces inherit all attributes, including the secondary IP addresses, from the loopback interface. This creates multiple local ARP entries per subscriber interface and the ARP table may extend beyond the supported scale in such scenarios. You can now prevent such default ARP entry creations by using the subscriber arp scale-mode-enable command. This functionality does not impact the existing ARP behavior for the subscribers.

Subscriber Redundancy Group (SRG) requires ARP table to be populated and is therefore incompatible with the scale-mode-enable configuration. ARP entries maintained for each subscriber interface is required to send GARP during SRG role change from standby to active.

Router(config)# subscriber arp scale-mode-enable

Unconditional proxy ARP response in BNG is an enhancement where the BNG router responds to all ARP requests coming over the subscriber interface. This feature is beneficial for scenarios like static IP subscribers, where the network operator does not intend to configure any subnet on the loopback.

Prior to this, the BNG router responded only to such ARP requests where the requested IP address was in the configured subnet of the attached loopback. This caused a lot of challenge in static IP address subscriber management and in dynamic pool migration scenarios (referDHCP Soft Pool Migration), where it was required to update the loopback for each pool migration.

Router(config)#subscriber arp uncond-proxy-arp-enable

Router# show arp traffic location 0/0/CPU0
ARP statistics:
Recv: 0 requests, 0 replies
  Sent: 0 requests, 0 replies (0 proxy, 0 local proxy, 0 gratuitous)
Subscriber Interface:
         10 requests recv, 10 replies sent, 0 gratuitous replies sent

Resolve requests rcvd: 0
  Resolve requests dropped: 0
  Errors: 0 out of memory, 0 no buffers, 0 out of sunbet
ARP cache:
  Total ARP entries in cache: 0
  Dynamic: 0, Interface: 0, Standby: 0
  Alias: 0,   Static: 0,    DHCP: 0
  IP Packet drop count for node 0/0/CPU0: 0
  Total ARP-IDB:0

In a PPP Termination and Aggregation (PTA) session, the PPP encapsulation is terminated on BNG. After it is terminated, BNG routes the traffic to the service provider using IP routing. A typical PTA session is depicted in this figure.

PPPoE session configuration information is contained in PPPoE profiles. After a profile has been defined, it can be assigned to an access interface. Multiple PPPoE profiles can be created and assigned to multiple interfaces. A global PPPoE profile can also be created; the global profile serves as the default profile for any interface that has not been assigned a specific PPPoE profile.

The PPP PTA session is typically used in the Network Service Provider (retail) model where the same service operator provides the broadband connection to the subscriber and also manages the network services.

The process of provisioning a PPP PTA session involves:

• Creating a PPPoE profile for PPPoE session. See, Creating PPPoE Profiles.

• Creating dynamic template that contains the various settings for the PPPoE sessions. See, Creating a PPP Dynamic-Template.

• Creating policy-map to activate the dynamic template. See, Creating a Policy-Map to Run During PPPoE Session.

• Enabling subscriber creation, and apply the PPPoE profile and service-policy on the access interface. See, Applying the PPPoE Configurations to an Access Interface.

  The subscriber creation function must be explicitly enabled on BNG. Unless this function is enabled, the system will not attempt subscriber classification. As a result, the packets get forwarded based on the incoming interface mode.

Note

Up to 8k PTA sessions should be configured with a 60 seconds keepalive timeout value. For every additional 8K sessions, you should increase the keepalive timeout by 60 seconds. Keepalive timeout is the multiple of keepalive interval and retry count. For example: Router(config-dynamic-template-type)# keepalive 20 3

In a PPP LAC session, the PPP session is tunneled to a remote network server by BNG, using Layer 2 Tunneling Protocol (L2TP). BNG performs the role of L2TP Access Concentrator (LAC), as it puts the subscriber session in the L2TP tunnel. The device on which the tunnel terminates is called L2TP Network Server (LNS). During a PPP LAC session, the PPPoE encapsulation terminates on BNG; however, the PPP packets travel beyond BNG to LNS through the L2TP tunnel. A typical LAC session is depicted in Figure 1.

The PPP LAC session is used in the Access Network Provider (wholesale) model, where the network service provider (NSP) is a separate entity from the local access network provider (ANP). NSPs perform access authentication, manage and provide IP addresses to subscribers, and are responsible for overall service. The ANP is responsible for providing the last-mile digital connectivity to the customer, and for passing on the subscriber traffic to the NSP. In this kind of setup, the ANP owns the LAC and the NSP owns the LNS.

A PPP LAC session establishes a virtual point-to-point connection between subscriber device and a node in the service provider network. The subscriber dials into a nearby L2TP access connector (LAC). Traffic is then securely forwarded through the tunnel to the LNS, which is present in service provider network. This overall deployment architecture is also known as Virtual Private Dial up Network (VPDN).

The process of provisioning a PPP LAC session involves:

• Defining a template with specific settings for the VPDN. See, Configuring the VPDN Template.

• Defining the maximum number of VPDN sessions that can be established simultaneously. See, Configuring Maximum Simultaneous VPDN Sessions.

• Activating the logging of VPDN event messages. See, Activating VPDN Logging.

• Specifying the method to apply calling station-ID. See, Configuring Options to Apply on Calling Station ID.

• Specifying the session-ID. See, Configuring L2TP Session-ID Commands.

• Defining specific settings for the L2TP class. See, Configuring L2TP Class Options.

• Preventing creation of additional VPDN sessions. See, Configuring Softshut for VPDN.

This is a sample user-profile for L2TP LAC:

abc_xyz@domain.com Password="abc"
    Service-Type = Outbound-User,
    Tunnel-Type = L2TP,
    Tunnel-Medium-Type = IP,
    Cisco-avpair = "vpdn:ip-addresses=3.3.3.3",
    Cisco-avpair = "vpdn:source-ip=1.1.1.1”

Note	For L2TP LAC session to be up, the user-profile coming from the RADIUS server to the BNG must have Service-Type = Outbound-User configured for the user.

A PPP LAC session supports stateful switchover (SSO) along with non-stop routing (NSR) to reduce traffic loss during RP failover. For more information, see L2TP Access Concentrator Stateful Switchover

Note	PPPoE LAC sessions are supported on LC based VLAN interfaces from Cisco IOS XR Software Release 6.4.2 onwards.

The PPPoE Smart Server Selection (PADO delay) feature in BNG allows the PPPoE client to control the selection of BNG for session establishment, in a multi-BNG setup. The feature provides the option for configuring a delay in sending PADO messages from BNG, in response to the PADI messages received from the PPPoE clients. This, in turn, helps in establishing a priority order and load balancing across all BNGs.

When establishing a PPPoE session in a multi-BNG setup, the clients broadcast their PADI messages to all BNGs. When the BNGs reply with a PADO message, the subscriber selects a BNG, and sends a PADR message to the BNG with which a session needs to be established. Most PPPoE clients send a PADR message to the BNG from which it received the first PADO message. By configuring the Smart Server Selection feature on BNG, a delay is added to the PADO messages sent from the BNG, based on the properties of the PADI messages received from the PPPoE clients. This delay in receiving the PADO packets, in turn, gives the PPPoE client the flexibility of effectively selecting the appropriate BNG to which the PADR message is to be sent.

The PPPoE Session Limit support limits the number of PPPoE sessions that can be created on a BNG router. As a result, it reduces excessive memory usage by the BNG router for virtual access.

This offers additional configuration flexibility on the BNG router by limiting the number of PPPoE sessions for each:

• Line card

• Parent interface

• Peer MAC address

• Peer MAC address under individual access interface

• Circuit-ID

• Remote-ID

• Combination of Circuit-ID and Remote ID

• Access interface using the same Inner VLAN tag

• Access interface using the same Outer VLAN tag.

• Access interface using the same Inner and Outer VLAN tags

The PPPoE Session Limit support also limits the number of Inter Working Function (IWF) sessions for each peer MAC address and for each peer MAC address under individual access interface.

From Cisco IOS XR Software Release 6.2.1 and later, you can set a global PPPoE sessions limit in a BNG router. This limit is configured under the global BBA-Group (using pppoe bba-group global command) and sets the maximum session limit on the node

Note

For RP subscribers, the node is the complete chassis. For LC subscribers, the node is the LC. For LC subscribers, each LC considers the maximum limit set by the global limit. But with multiple LC in the chassis, the session count in the chassis can be multiplied by the number of active LC. To use a BNG-wide limit for LC based subscribers, you can use either bundles or pre authentication. For a single member, when you are using bundles, the sessions are maintained on the RP and the control is moved to the RP for all sessions. The bba group limit applies to all sessions regardless to the number of line cards carrying subscribers: interface GigabitEthernet0/0/0/0 bundle id 100 mode on In a pre authentication method, when PADI is received, an authorization request is sent to AAA . An authorisation request determines the session count on radius for it to accept or reject the request. When the request is accepted, a PADO is sent. When the request is rejected the PADI is discarded and ignored.

See, Configuring PPPoE Session Limit.

The PPPoE Session Throttle support on BNG limits the number of PPPoE session requests coming to BNG within a specified period of time. This, in turn, ensures that the session establishment of other client requests coming to the BNG server is not impacted.

This offers configuration flexibility in the BNG router by throttling the number of session requests based on one of these:

• Peer MAC address

• Peer MAC address under individual access interface

• Circuit-ID

• Remote-ID

• A combination of Circuit-ID and Remote ID

• Inner VLAN tag under individual access interface

• Outer VLAN tag under individual access interface

• Inner and Outer VLAN tag under individual access interface

The PPPoE session throttle support also throttles the number of Inter Working Function (IWF) session requests for each peer MAC address under an individual access interface.

See, Configuring PPPoE Session Throttle.

PPPoE in-flight-window is an enhancement to limit the number of PPPoE sessions in BNG that are in progression towards established state. The in-flight-window option sets the PPPoE process queue to a particular limit per LC and per RP, thereby providing a better control of incoming PPPoE sessions to BNG.

To enable this feature, use pppoe in-flight-window command in the global configuration mode.

Note	The recommended in-flight-window size for RP-based subscribers is 200, and that for LC-based subscribers is 50. Values higher than these are not recommended for production deployment, as it can lead to system instability.

Router# configure
Router(config)# pppoe in-flight-window 200
Router(config)#commit

As the DHCP proxy, BNG performs all the functions of a relay and also provides some additional functions. In the proxy mode, BNG conceals DHCP server details from DHCP clients. BNG modifies the DHCP replies such that the client considers the proxy to be the server. In this state the client interacts with BNG as if it is the DHCP server.

BNG procures IP leases from the DHCP server and keeps it in its pool. When the client needs to renew its lease, it unicasts the lease renewal request directly to the BNG, assuming it to be the server. BNG renews the lease by allocating the lease from its lease pool.

The two phase lease management has these features:

• Shorter client lease times and longer proxy lease times.

• High frequency lease management (renews) at network edge.

• Low frequency lease management (renews) at centralized server.

The benefits of DHCP proxy are:

• Reduced traffic between BNG and DHCP server.

• Quicker client response to network outages.

Configuring DHCP proxy on BNG involves these phases:

• Creating a proxy profile. The profile contains various proxy settings. These settings are applied when the profile is attached to an interface. To create a proxy profile, see Configuring DHCP IPv4 Profile Proxy Class

  • Specifying client lease period. The client should renew the lease before the completion of this time period, otherwise the lease expires. To specify the client lease period within a proxy profile, see Configuring the Client Lease Time.

  • Specifying remote-ID. The remote-ID is used by the proxy to identify the host that had sent the DHCP request. To define a remote-id within a proxy profile, see Configuring a Remote-ID.

• Specifying circuit-ID for an interface. The circuit-ID is used by the proxy to identify the circuit in which the DHCP request was received. Later, DHCP proxy uses it for relaying DHCP responses back to the proper circuit. The circuit-ID is defined for an interface. To define it, see Configuring a Circuit-ID for an Interface.

• Attaching proxy profile to an interface. See, Attaching a Proxy Profile to an Interface

The DHCP lease limit feature allows you to limit the number of DHCP bindings on an interface. A binding represents the mapping between the MAC address of the client and the IP address allocated to it. The lease limit can be specified for each Circuit-ID, or Remote-ID, or interface.

The lease limit can be configured through a DHCP proxy profile. When this profile is attached to an interface, bindings up to the configured limit on that interface are allowed. For example, if a profile with a per-circuit lease limit of 10 bindings is assigned to four interfaces, then for each unique Circuit-ID, there would be 10 bindings allowed for each interface.

If the lease limit is lowered below the current number of existing bindings, then the existing bindings are allowed to persist, but no new bindings are allowed to be created until the number of bindings drops below the new lease limit.

If the lease limit is specified from the AAA server, as part of Change of Authorization (CoA) or Access-Accept message, then the DHCP lease limit configured through the proxy profile is overridden. In this case, the most recent session limit, received from the AAA server, is taken as the current lease limit for the particular Circuit-ID. The lease limit set from the AAA server is cleared when there are no more client bindings associated with the Circuit-ID for which the lease limit is applied.

To specify the lease limit, see these procedures:

• Specifying the Lease Limit for a Circuit-ID

• Specifying the Lease Limit for a Remote-ID

• Specifying the Lease Limit for an Interface

DHCP Option 82 allows the DHCP server to generate IP addresses based on the location of the client device. This option defines these sub-options:

• Agent Circuit ID Sub-option—This sub-option is inserted by DSLAM and identifies the subscriber line in the DSLAM.

• Agent Remote ID Sub-option—This sub-option is inserted by DSLAM or BNG in an l2-connected topology. It is the client MAC address, but can be overridden. With the DHCP proxy or relay, the client MAC address is lost by the time the packet gets to the DHCP server. This is a mechanism that preserves the client MAC when the packet gets to the server.

• VPN identifier sub-option—This sub-option is used by the relay agent to communicate the VPN for every DHCP request that is sent to the DHCP server, and it is also used to forward any DHCP reply that the DHCP server sends back to the relay agent.

• Subnet Selection Sub-option—This sub-option allows the separation of the subnet from the IP address and is used to communicate with the relay agent. In a DHCP processing, the gateway address specifies both the subnet on which a DHCP client resides, and the IP address that the server uses to communicate with the relay agent.

• Server Identifier Override Sub-option—This sub-option value is copied in the reply packet from the DHCP server, instead of the normal server ID address. This sub-option contains the incoming interface IP address, which is the IP address on the relay agent that is accessible from the client. Using this information, the DHCP client sends all renew and release packets to the relay agent, which in turn adds all of the VPN sub-options and forwards the renew and release packets to the original DHCP server.

Note	The VPN Identifier, Subnet Selection, and Server Identifier Override sub-options are used by DHCP relay/proxy for supporting MPLS VPNs.

BNG supports manual reset of Class of Service (CoS) value of DHCPv4 control packets sent on subscriber interfaces. By default, the outer and inner CoS values are set to 6. This feature allows to set or modify these CoS values sent by BNG.

The inner and outer Class of Service (CoS) values can be configured for DHCPv4 control packets. For broadcast packets, both the inner-cos and outer-cos commands can be used to configure CoS values. For unicast packets, the inner-cos command cannot be directly used. The outer CoS value configured using the outer-cos command is also set as the inner CoS value. Hence to avoid seeing different inner-cos and outer-cos, same values must be configured as inner-cos and outer-cos.

To reset the CoS values, use the dhcp ipv4 [inner-cos | outer-cos] value command.

For more information about configuring the CoS values, see the BNG DHCP Commands chapter in the Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Command Reference.

Rich DHCP options are options derived from the RADIUS and some of these options enable customisation of benefits or services available to subscribers on a per-subscriber basis.

Rich DHCP option enhances the DHCPv4 server profile whereby BNG provides subscriber-based DHCP options to the client through DHCP messages. These options are retrieved by BNG as Cisco attribute-value pairs (AVPs) from the AAA server. Cisco AVP, dhcpv4-option , is used to send various DHCPv4 option types from the AAA server to the DHCP server.

Note	Rich DHCP options are supported only on DHCP server profile and DHCP proxy profile .

Each AVP carries a generic DHCPv4 option. If DHCP server profile is configured on BNG, the per-subscriber-based DHCP options get preference over the generic DHCP options.

Apart from sending Rich DHCPv4 options, from Release 6.4.1, BNG routers acting as DHCP servers are enabled to send Rich DHCPv6 options as well through RADIUS VSA. Cisco AVP, dhcpv6-option , is used to send various DHCPv6 option types from the AAA server to the DHCP server.

The following figure illustrates that when multiple clients send DHCP requests to the DHCP server, unique and subscriber-based Rich DHCP Options are sent from the AAA server to the DHCP server.

Apart from the DHCP server profile, from Release 6.6.2, Rich DHCP options enhances the DHCPv4 and DHCPv6 proxy profiles as well whereby the BNG router acts as the DHCP proxy. DHCP proxy downloads RADIUS configured Rich options from the AAA server and appends them in the packets while forwarding them to the DHCP server.

The following figure illustrates that when multiple clients send DHCP requests to the DHCP proxy, unique and subscriber-based Rich DHCP Options are sent from the AAA server to the DHCP proxy. DHCP proxy sends the options to the DHCP server.

RADIUS sends the following DHCPv4 and DHCPv6 options to the DHCP Server and these options can influence DHCP server while allocating IP addresses to clients:

Note	The numbers mentioned in parenthesis represent Option IDs.

• DHCPv4 options

• • Relay Agent Information (82)

  • Client Id (61)

  • Address Request (50)

• DHCPv6 options

  • Subscriber-ID (38)

  • Interface-ID (18)