Subscriber Manager

Feature Summary and Revision History

Summary Data

Table 1. Summary Data

Applicable Product(s) or Functional Area: cnBNG

Applicable Platform(s): SMI

Feature Default Setting: Disabled - Configuration Required

Related Changes in this Release: Not Applicable

Related Documentation: Cloud Native BNG Control Plane Command Reference Guide

Revision History

Table 2. Revision History

Revision Details: First introduced.

Release: 2021.01.0

Feature Description

In the Subscriber Manager (SM) context, a subscriber is a binding between the cnBNG Control Plane (CP) and a single subscriber end device. The SM is designed to provide a generic mechanism to connect edge subscribers to services enabling features. Subscribers are identified, authenticated, authorized, and accounted for in the SM.


Note

The Subscriber Manager is also referred to as the Session Manager.

The following is a high-level list of the SM functionalities:

  • Provides a generic mechanism for different Broadband Access Protocols such as DHCP and PPPoE.

  • Provides an interface with off-box Radius servers using policy-plane to meet protocol and network provisioning requirements.

  • Supports different subscriber lifecycle events such as CoA, idle timeout processing, and periodic reauthorization.

  • Supports configuring subscriber lifecycle events so that customers can define the subscriber behavior for each lifecycle event.

  • Derives per subscriber configuration from multiple sources.

  • Maintains the subscriber state and subscriber configuration in a centralized session database.

  • Interacts with the User Plane (UP) for subscriber session creation and subscriber feature configurations.

Subscriber features that are configured on cnBNG enable service providers to deploy certain specific functionalities like restricting the use of certain network resources, allowing Law Enforcement Agencies (LEAs) to conduct electronic surveillance, and so on.

Subscriber Features

The cnBNG supports the following subscriber features on the UP. For details, see the latest version of the Broadband Network Gateway Configuration Guide for Cisco ASR 9000 Series Routers listed here: https://www.cisco.com/c/en/us/support/routers/asr-9000-series-aggregation-services-routers/products-installation-and-configuration-guides-list.html.

  • IPv4 or IPv6

    • Maximum Transmission Unit (MTU)

    • Unicast Reverse Path Forwarding (URPF)

    • Internet Control Message Protocol (ICMP)

  • Access Control List (ACL)

    • Input ACL (IPv4 or IPv6)

    • Output ACL (IPv4 or IPv6)

  • QoS (Quality of Service)

    • Input (policing)

    • Output (policing, shaping)

    • Policy merging (up to 6 policy maps and 10 class maps, including the default)

  • Policy-based Routing (PBR)

    • Input policy (HTTP redirect)

  • Accounting

    • Session Accounting

      • Periodic accounting

    • Service Accounting

      • Periodic accounting

To configure subscriber features, see Configuring Subscriber Manager Features.

How it Works

This section briefly describes how the Subscriber Manager works.

The SM functionality is hosted in an SM pod that contains one container. The SM pod communicates with the BNG Ops Center, policy-plane, and PFCP-EP pods using the APP infrastructure inter-pod communication (IPC).

The Subscriber Microservices Infrastructure (SMI) instantiates the SM pod. There can be more than one SM pod in the cluster. Each SM pod instance is independent. Per-subscriber data is stored in a centralized database so that any SM pod can access it.

Configuring Subscriber Manager Features

This section describes how to configure Subscriber Manager features on the CP.

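The configuration of the Subscriber Manager features involves the following procedures:

  • Configuring the HTTPR Policy Name

  • Configuring IPv4 Options

  • Configuring IPv6 Options

  • Configuring QoS Parameters

  • Configuring the VRF Name

  • Configuring a Subscriber Profile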

Configuring the HTTPR Policy Name

Use the following commands to configure the Policy Based Routing (PBR) HTTP Redirect (HTTPR) policy name.

config 
   profile feature-template feature_template_name 
   httpr-policy httpr_policy_name 
   exit 

NOTES:

  • profile feature-template feature_template_name : Specifies the profile feature template name.

  • httpr-policy httpr_policy_name : Specifies the PBR HTTPR policy name. The httpr_policy_name value can range from 1 to 128 characters.

Configuring IPv4 Options

Use the following commands to configure IPv4 options.

config 
   profile feature-template feature_template_name 
   ipv4 
      disable-unreachables 
      egress-acl string 
      ingress-acl string 
      mtu mtu_bytes 
      verify-unicast-source reachable-via-rx 
      exit 

NOTES:

  • profile feature-template feature_template_name : Specifies the profile feature template name.

  • ipv4 : Enters the IPv4 Configuration mode to configure the IPv4 features.

  • disable-unreachables : Disables sending the Internet Control Message Protocol (ICMP) Unreachable messages.

  • egress-acl string : Specifies the IPv4-based egress Access Control List (ACL). The supported length of the string ranges from 1 to 128 characters.

  • ingress-acl string : Specifies the IPv4-based ingress ACL. The supported length of the string ranges from 1 to 128 characters.

  • mtu mtu_bytes : Specifies the maximum transmission unit (MTU). The supported mtu_bytes value can range from 68 to 65535 bytes.

  • verify-unicast-source reachable-via-rx : Enables per-packet Unicast Reverse Path Forwarding (URPF) validation. The source address must be reachable via the interface on which the packet is received.

Configuring IPv6 Options

Use the following commands to configure IPv6 options.

config 
   profile feature-template feature_template_name 
   ipv6 
      disable-unreachables 
      egress-acl string 
      ingress-acl string 
      mtu mtu_bytes 
      verify-unicast-source reachable-via-rx 
      exit 

NOTES:

  • profile feature-template feature_template_name : Specifies the profile feature template name.

  • ipv6 : Enters the IPv6 Configuration mode to configure the IPv6 features.

  • disable-unreachables : Disables sending the Internet Control Message Protocol (ICMP) Unreachable messages.

  • egress-acl string : Specifies the IPv6-based egress Access Control List (ACL). The supported length of the string ranges from 1 to 128 characters.

  • ingress-acl string : Specifies the IPv6-based ingress ACL. The supported length of the string ranges from 1 to 128 characters.

  • mtu mtu_bytes : Specifies the maximum transmission unit (MTU). The supported mtu_bytes value can range from 68 to 65535 bytes.

  • verify-unicast-source reachable-via-rx : Enables per-packet Unicast Reverse Path Forwarding (URPF) validation. The source address must be reachable via the interface on which the packet is received.

Configuring QoS Parameters

Use the following commands to configure the Quality of Service (QoS) parameters.

config 
   profile feature-template feature_template_name 
   qos 
      in-policy qos_input_policy_name 
      merge-level integer 
      out-policy qos_output_policy_name 
      exit 

NOTES:

  • profile feature-template feature_template_name : Specifies the profile feature template name.

  • qos : Enters the QoS Configuration mode to configure the parameters.

  • in-policy qos_input_policy_name : Specifies the QoS input policy name. The supported length of the qos_input_policy_name ranges from 1 to 128 characters.

  • merge-level integer : Enables or disables the merge level. A value of 0 disables the merge level. Any value greater than 0 enables the merge level.

  • out-policy qos_output_policy_name : Specifies the QoS output policy name. The supported length of the qos_output_policy_name ranges from 1 to 128 characters.

Configuring the VRF Name

Use the following commands to configure the virtual routing and forwarding (VRF) name.

config 
   profile feature-template feature_template_name 
   vrf-name vrf_name 
   exit 

NOTES:

  • profile feature-template feature_template_name : Specifies the profile feature template name.

  • vrf-name vrf_name : Specifies the VRF name. The supported length of the vrf_name ranges from 1 to 128 characters.

Configuring a Subscriber Profile

Use the following commands to create a subscriber profile.

config
   profile subscriber subscriber_profile
      aaa { authenticate aaa_profile_for_authentication | authorize aaa_profile_for_authorization }
      activate-feature-template feature_template_name
      apply-all-class
      class class_name
         aaa aaa_profile_for_authentication | authorize aaa_profile_for_authorization
         activate-feature-template feature_template_name
         matches
            match { protocol { dhcp | ppp }
                  | username { ascii ascii_string | regex reg-exp string }
                  | source-mac { ascii ascii_string | regex reg-exp string }
                  | circuit-id { ascii ascii_string | regex reg-exp string }
                  | remote-id { ascii ascii_string | regex reg-exp string } }
            match-type { all match { protocol | username | source-mac | circuit-id | remote-id }
                       | any match { protocol | username | source-mac | circuit-id | remote-id } }
            exit
         dhcp-profile dhcp_profile_name
         event session-activate { aaa { authenticate | authorize }
                                | activate-feature-templates feature_templates_list
                                | apply-all-class
                                | class class_name
                                | deactivate-feature-templates feature_templates_list }
         pppoe-profile pppoe_profile_name
         session-type { ipv4 | ipv4v6 | ipv6 }
         exit

NOTES:

  • profile subscriber subscriber_profile_name : Specifies the profile subscriber name and enters the Profile Subscriber Configuration mode.

  • aaa { authenticate aaa_profile_for_authentication | authorize aaa_profile_for_authorization } : Specifies the AAA profile to associate for authentication and authorization.

  • activate-feature-templates feature_template_name : Specifies the list of feature-templates in sequence for activation.

  • apply-all-class : Applies all classes that are enabled.

  • class class_name : Specifies the subscriber class name.

  • matches : Enters the matches Configuration sub-mode to specify the match values.

    • match { protocol { dhcp | ppp } | username { ascii ascii_string | regex reg-exp string } | source-mac { ascii ascii_string | regex reg-exp string } | circuit-id { ascii ascii_string | regex reg-exp string } | remote-id { ascii ascii_string | regex reg-exp string } } : Specifies the list of match values.

      • protocol { dhcp | ppp } : Specifies the match protocol as DHCP or PPP.

      • username { ascii ascii_string | regex reg-exp string } : Specifies the username in ASCII format or as a regular expression (reg-exp) string.

      • source-mac { ascii ascii_string | regex reg-exp string } : Specifies the source MAC address in ASCII format or as a regular expression (reg-exp) string.

      • remote-id { ascii ascii_string | regex reg-exp string } : Specifies the remote identifier in ASCII format or as a regular expression (reg-exp) string.

      • circuit-id { ascii ascii_string | regex reg-exp string } : Specifies the circuit identifier in ASCII format or as a regular expression (reg-exp) string.

      • match-type { all match { protocol | username | source-mac | circuit-id | remote-id } | any match { protocol | username | source-mac | circuit-id | remote-id } } : Specifies the match key and value for matching any or all of the options: protocol, username, source-mac, circuit-id, and remote-id.

  • dhcp-profile dhcp_profile_name : Associates the DHCP first sign of life (FSOL) profile.

  • event event_list_name : Specifies the event name.

  • pppoe-profile pppoe_profile_name : Associates the PPPoE FSOL profile.

  • session-type { ipv4 | ipv4v6 | ipv6 } : Specifies the allowed session-types as IPv4, IPv4v6, and IPv6.

Subscriber Accounting Functions

Feature Description

The Accounting Manager handles the Subscriber Accounting functions in the cnBNG CP. The Accounting function includes features that track traffic either in volume or duration. It provides accounting information for subscribers on a session or per service. The Accounting function determines the length and duration of a given service that a subscriber has used. Certain regulations require service providers to account for services they provide to the subscriber.

The following figure illustrates the Accounting Manager external interfaces.



The Accounting Manager in cnBNG supports the following forms of accounting:

Service Accounting

ISPs can offer different tiered services to their subscribers with the ability to move between different tiers. Different tiers could correspond to different bandwidths offered to the subscriber. A subscriber can enable a new service that corresponds to temporarily moving from one tier of service to another. ISPs need to keep track of when a new service is enabled and how long it is active for each subscriber. Often there might be a need to count the number of packets and bytes associated with a service. Both of these forms of accounting are referred to as service accounting. When service accounting is enabled, BNG sends a Service-Start request when the service is activated and a Service-Stop request when the service is deactivated. A timestamp is sent with both actions. Service-Stop can also contain statistics associated with the service.

To configure Service Accounting, see Configuring Service Accounting.

Session Accounting

When Session Accounting is activated, an Accounting-Start request is sent to AAA when the session is started. When the session is terminated, an Accounting-Stop request is sent. The Accounting-Stop request contains the final session accounting statistics (packets, bytes in, bytes out). Interim session accounting can optionally be activated; it sends Interim-Updates periodically while the session is active. These updates provide the current session statistics accumulated since the start of the session.

Session Accounting is configured directly on the template.

To configure Session Accounting, see Configuring Session Accounting.

Limitations and Restrictions

The Subscriber Accounting Function has the following limitations in this release:

  • An interim interval of zero is not supported.

  • AAA profile change at service level is not supported.

  • Service-level attributes changes are not supported after service bring-up.

  • Session accounting is mandatory to enable Service accounting due to a User Plane (UP) (asr9k) limitation.

  • Enabling or disabling Session or Service Accounting is not supported after the session or service is up, because of UP limitations. Session Accounting must be enabled only during session bring-up.

Configuring Subscriber Accounting Functions

This section describes how to configure the Subscriber Accounting Functions.

The configuration of the Subscriber Accounting Functions involves the following procedures:

  • Configuring Service Accounting

  • Configuring Session Accounting

Configuring Service Accounting

Use the following commands to configure service accounting.

config 
   profile feature-template feature-template 
   service accounting 
      aaa-profile aaa_profile_name 
      enable 
      periodic-interval interval_in_seconds 
      exit 

NOTES:

  • profile feature-template feature-template : Specifies the profile feature template name and enters Feature-Template Configuration mode.

  • service accounting : Enters the Service Configuration mode to configure service accounting for an AAA profile.

  • aaa-profile aaa_profile_name : Specifies the AAA profile to use for service accounting.

  • enable : Enables service accounting for the specified AAA profile.

  • periodic-interval interval_in_seconds : Specifies the interim interval in seconds. The valid values range from 60 to 4320000 seconds.

Configuring Session Accounting

Use the following commands to configure session accounting.


config 
   profile feature-template feature-template 
   session accounting 
      aaa-profile aaa_profile_name 
      dual-stack-delay delay_in_seconds 
      enable  
      periodic-interval interval_in_seconds 
      exit 

NOTES:

  • profile feature-template feature-template : Specifies the profile feature template name and enters Feature-Template Configuration mode.

  • session accounting : Enters the Session Configuration mode to configure session accounting for an AAA profile.

  • aaa-profile aaa_profile_name : Specifies the AAA profile to use for session accounting.

  • dual-stack-delay delay_in_seconds : Specifies the dual stack set delay time in seconds. The valid values range from 1 to 30 seconds.

  • enable : Enables session accounting for the specified AAA profile.

  • periodic-interval interval_in_seconds : Specifies the interim interval in seconds. The valid values range from 60 to 4320000 seconds.
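
A pre-commit check for the feature-template settings documented above, as an added example that is not Cisco code: it parses a template written in this page's command layout and reports values outside the documented ranges, plus service accounting enabled without session accounting. Treating a missing verify-unicast-source or ingress-acl as a finding is this example's own hardening policy, and the template, ACL and function names are constructed.

```python
# Constructed sample in the page's command layout; all names are made up.
SAMPLE = """\
profile feature-template FT_RESIDENTIAL
   ipv4
      ingress-acl ACL_IN_V4
      exit
   ipv6
      mtu 40
      verify-unicast-source reachable-via-rx
      exit
   service accounting
      enable
      periodic-interval 30
      exit
"""
# Ranges exactly as documented on this page: keyword -> (min, max).
INT_RANGES = {"mtu": (68, 65535), "periodic-interval": (60, 4320000),
              "dual-stack-delay": (1, 30)}
NAME_KEYS = {"egress-acl", "ingress-acl", "httpr-policy", "vrf-name",
             "in-policy", "out-policy"}
MODES = {"ipv4", "ipv6", "qos", "service accounting", "session accounting"}

def parse(text):
    """Return {mode: {keyword: value}}; template-level commands go under ''."""
    modes, cur = {"": {}}, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "config" or line.startswith("profile "):
            continue
        if line == "exit" or line in MODES:
            cur = "" if line == "exit" else line  # leave or enter a sub-mode
            modes.setdefault(cur, {})
        else:
            key, _, val = line.partition(" ")
            modes[cur][key] = val
    return modes

def lint(text):
    """Return sorted findings for one feature template."""
    modes, out = parse(text), []
    for mode, cmds in modes.items():
        for key, val in cmds.items():
            if key in INT_RANGES:
                lo, hi = INT_RANGES[key]
                if not (val.isdigit() and lo <= int(val) <= hi):
                    out.append(f"{mode or 'template'}: {key} {val} outside {lo}-{hi}")
            elif key in NAME_KEYS and not 1 <= len(val) <= 128:
                out.append(f"{mode or 'template'}: {key} length outside 1-128")
        if mode in ("ipv4", "ipv6"):  # hardening policy assumed by this example
            out += [f"{mode}: {k} not configured"
                    for k in ("verify-unicast-source", "ingress-acl") if k not in cmds]
    enabled = {m for m, c in modes.items() if "enable" in c}
    if "service accounting" in enabled and "session accounting" not in enabled:
        out.append("service accounting enabled without session accounting")
    return sorted(out)
```

Running lint(SAMPLE) reports five findings; an interim interval of zero is caught by the same range check because it falls below the documented minimum of 60 seconds.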