Subscriber Manager

Feature Summary and Revision History

Summary Data

Table 1. Summary Data

Applicable Product(s) or Functional Area: cnBNG

Applicable Platform(s): SMI

Feature Default Setting: Disabled - Configuration Required

Related Changes in this Release: Not Applicable

Related Documentation: Cloud Native BNG Control Plane Command Reference Guide

Revision History

Table 2. Revision History

Release 2021.04.0

Enhancement Introduced: The Subscriber Manager feature is NSO-integrated.

Release 2021.03.0

The following features are supported:

  • Automatic Session Reconciliation

  • Framed Route Support

  • Subscriber QoS Policy

Release 2021.01.0

First introduced.

Feature Description


Note

This feature is Network Services Orchestrator (NSO) integrated.

In the Subscriber Manager (SM) context, a subscriber is a binding between the cnBNG Control Plane (CP) and a single subscriber end device. The SM is designed to provide a generic mechanism to connect edge subscribers to services enabling features. Subscribers are identified, authenticated, authorized, and accounted for in the SM.


Note

The Subscriber Manager is also referred to as the Session Manager.

The following is a high-level list of the SM functionalities:

  • Provides a generic mechanism for different Broadband Access Protocols such as DHCP and PPPoE.

  • Provides an interface with off-box RADIUS servers using the policy-plane to meet protocol and network provisioning requirements.

  • Supports different subscriber lifecycle events such as CoA, idle timeout processing, and periodic reauthorization.

  • Supports configuration of subscriber lifecycle events, which helps customers define the subscriber behavior for each of those events.

  • Derives per subscriber configuration from multiple sources.

  • Maintains the subscriber state and subscriber configuration in a centralized session database.

  • Interacts with the User Plane (UP) for subscriber session creation and subscriber feature configurations.

Subscriber features that are configured on cnBNG enable service providers to deploy certain specific functionalities like restricting the use of certain network resources, allowing Law Enforcement Agencies (LEAs) to conduct electronic surveillance, and so on.

Subscriber Features

The cnBNG supports the following subscriber features on the UP. For details, see the latest version of the Broadband Network Gateway Configuration Guide for Cisco ASR 9000 Series Routers listed here: https://www.cisco.com/c/en/us/support/routers/asr-9000-series-aggregation-services-routers/products-installation-and-configuration-guides-list.html.

  • IPv4 or IPv6

    • Maximum Transmission Unit (MTU)

    • Unicast Reverse Path Forwarding (URPF)

    • Internet Control Message Protocol (ICMP)

  • Access Control List (ACL)

    • Input ACL (IPv4 or IPv6)

    • Output ACL (IPv4 or IPv6)

  • QoS (Quality of Service)

    • Input (policing)

    • Output (policing, shaping)

    • Policy merging (up to 6 policy maps and 10 class maps, including the default)

  • Policy-based Routing (PBR)

    • Input policy (HTTP redirect)

  • Accounting

    • Session Accounting

      • Periodic accounting

    • Service Accounting

      • Periodic accounting

To configure subscriber features, see Configuring Subscriber Manager Features.

How it Works

This section briefly describes how the Subscriber Manager works.

The SM functionality is hosted in an SM pod that has one container. The SM pod communicates with the BNG Ops Center, policy-plane, and PFCP-EP pods using the APP infrastructure inter-pod communication (IPC).

The Subscriber Microservices Infrastructure (SMI) instantiates the SM pod. There can be more than one SM pod in the cluster. Each SM pod instance is independent. The per subscriber data is stored in a centralized database such that any SM pod can access this data.

Configuring Subscriber Manager Features

This section describes how to configure Subscriber Manager features on the CP.

The configuration of the Subscriber Manager features involves the following procedures:



Configuring the HTTPR Policy Name

Use the following commands to configure the Policy Based Routing (PBR) HTTP Redirect (HTTPR) policy name.

config 
   profile feature-template feature_template_name 
   httpr-policy httpr_policy_name 
   exit 

NOTES:

  • profile feature-template feature_template_name : Specifies the profile feature template name.

  • httpr-policy httpr_policy_name : Specifies the PBR HTTPR policy name. The httpr_policy_name value can range from 1 to 128 characters.

Configuring IPv4 Options

Use the following commands to configure IPv4 options.

config 
   profile feature-template feature_template_name 
   ipv4 
      disable-unreachables 
      egress-acl string 
      ingress-acl string 
      mtu mtu_bytes 
      verify-unicast-source reachable-via-rx 
      exit 

NOTES:

  • profile feature-template feature_template_name : Specifies the profile feature template name.

  • ipv4 : Enters the IPv4 Configuration mode to configure the IPv4 features.

  • disable-unreachables : Disables sending the Internet Control Message Protocol (ICMP) Unreachable messages.

  • egress-acl string : Specifies the IPv4-based egress Access Control List (ACL). The supported length of the string ranges from 1 to 128 characters.

  • ingress-acl string : Specifies the IPv4-based ingress ACL. The supported length of the string ranges from 1 to 128 characters.

  • mtu mtu_bytes : Specifies the maximum transmission unit (MTU). The supported mtu_bytes value can range from 68 to 65535 bytes.

  • verify-unicast-source reachable-via-rx : Enables per-packet source validation for unicast traffic (URPF). The source must be reachable via the interface on which the packet is received.

Configuring IPv6 Options

Use the following commands to configure IPv6 options.

config 
   profile feature-template feature_template_name 
   ipv6 
      disable-unreachables 
      egress-acl string 
      ingress-acl string 
      mtu mtu_bytes 
      verify-unicast-source reachable-via-rx 
      exit 

NOTES:

  • profile feature-template feature_template_name : Specifies the profile feature template name.

  • ipv6 : Enters the IPv6 Configuration mode to configure the IPv6 features.

  • disable-unreachables : Disables sending the Internet Control Message Protocol (ICMP) Unreachable messages.

  • egress-acl string : Specifies the IPv6-based egress Access Control List (ACL). The supported length of the string ranges from 1 to 128 characters.

  • ingress-acl string : Specifies the IPv6-based ingress ACL. The supported length of the string ranges from 1 to 128 characters.

  • mtu mtu_bytes : Specifies the maximum transmission unit (MTU). The supported mtu_bytes value can range from 68 to 65535 bytes.

  • verify-unicast-source reachable-via-rx : Enables per-packet source validation for unicast traffic (URPF). The source must be reachable via the interface on which the packet is received.

Configuring QoS Parameters

Use the following commands to configure the Quality of Service (QoS) parameters.

config 
   profile feature-template feature_template_name 
   qos 
      in-policy qos_input_policy_name 
      merge-level integer 
      out-policy qos_output_policy_name 
      exit 

NOTES:

  • profile feature-template feature_template_name : Specifies the profile feature template name.

  • qos : Enters the QoS Configuration mode to configure the parameters.

  • in-policy qos_input_policy_name : Specifies the QoS input policy name. The supported length of the qos_input_policy_name ranges from 1 to 128 characters.

  • merge-level integer : Enables or disables the merge level. A value of 0 disables the merge level. Any value greater than 0 enables the merge level.

  • out-policy qos_output_policy_name : Specifies the QoS output policy name. The supported length of the qos_output_policy_name ranges from 1 to 128 characters.

Configuring the VRF Name

Use the following commands to configure the virtual routing and forwarding (VRF) name.

config 
   profile feature-template feature_template_name 
   vrf-name vrf_name 
   exit 

NOTES:

  • profile feature-template feature_template_name : Specifies the profile feature template name.

  • vrf-name vrf_name : Specifies the VRF name. The supported length of the vrf_name ranges from 1 to 128 characters.

Configuring a Subscriber Profile

Use the following commands to create a subscriber profile.

config 
   profile subscriber subscriber_profile 
      aaa { authenticate aaa_profile_for_authentication 
          | authorize aaa_profile_for_authorization } 
      activate-feature-template feature_template_name 
      apply-all-class 
      class class_name  
         aaa { authenticate aaa_profile_for_authentication | authorize aaa_profile_for_authorization }
         activate-feature-template feature_template_name  
         matches  
            match { protocol { dhcp | ppp } } | username  
            { ascii ascii_string | 
            regex reg-exp string } |  
            source-mac { ascii ascii_string | 
            regex reg-exp string } |  
            circuit-id { ascii  ascii_string | 
            regex reg-exp string } |  
            remote-id { ascii ascii_string |  
            regex reg-exp string } 
            match-type { all match { protocol | username | source-mac |  
            circuit-id | remote-id } | any match { protocol | username |  
            source-mac | circuit-id | remote-id } } 
            exit 
         dhcp-profile dhcp_profile_name 
         event event_name 
         pppoe-profile pppoe_profile_name 
         session-type { ipv4 | ipv4v6 | ipv6 } 
         exit 
configure 
   profile subscriber subscriber_profile  
      aaa { authenticate aaa_profile_for_authentication | 
          authorize aaa_profile_for_authorization } 
      activate-feature-template feature_template_name 
      apply-all-class 
      class class_name  
         aaa { authenticate aaa_profile_for_authentication | authorize aaa_profile_for_authorization }
         activate-feature-template  feature_template_name  
         matches  
            match { protocol { dhcp | ppp } } | username { ascii 
                   ascii_string  | regex reg-exp string} 
                  | source-mac { ascii ascii_string  
                  | regex reg-exp string } | 
                  circuit-id { ascii  ascii_string  
                  | regex reg-exp string } | 
                  remote-id { ascii ascii_string 
                  | regex reg-exp string } 
                  match-type { all match { protocol | username | 
                  source-mac | circuit-id | remote-id } | any match { 
                  protocol | username | source-mac | circuit-id 
                  | remote-id } } 
            exit 
         dhcp-profile  dhcp_profile_name 
         event session-activate { aaa { authenticate | authorize } |  
                                activate-feature-templates 
                                      feature_templates_list 
                                | apply-all-class | class class_name  
                                | deactivate-feature-templates 
                                      feature_templates_list }
         pppoe-profile pppoe_profile_name  
         session-type { ipv4 | ipv4v6 | ipv6 } 
         exit 

NOTES:

  • profile subscriber subscriber_profile_name : Specifies the profile subscriber name and enters the Profile Subscriber Configuration mode.

  • aaa { authenticate aaa_profile_for_authentication | authorize aaa_profile_for_authorization } : Specifies the AAA profile to associate for authentication and authorization.

  • activate-feature-templates feature_template_name : Specifies the list of feature-templates in sequence for activation.

  • apply-all-class : Applies all classes that are enabled.

  • class class_name : Specifies the subscriber class name.

  • matches : Enters the matches Configuration sub-mode to specify the match values.

    • match { protocol { dhcp | ppp } | username { ascii ascii_string | regex reg-exp string } | source-mac { ascii ascii_string | regex reg-exp string } | circuit-id { ascii ascii_string | regex reg-exp string } | remote-id { ascii ascii_string | regex reg-exp string } } : Specifies the list of match values.

      • match { protocol { dhcp | ppp } } : Specifies the match protocol as DHCP or PPP.

      • username { ascii ascii_string | regex reg-exp string } : Specifies the username in ASCII format or as a regular expression (reg-exp) string.

      • source-mac { ascii ascii_string | regex reg-exp string } : Specifies the source MAC address in ASCII format or as a regular expression (reg-exp) string.

      • remote-id { ascii ascii_string | regex reg-exp string } : Specifies the remote identifier in ASCII format or as a regular expression (reg-exp) string.

      • circuit-id { ascii ascii_string | regex reg-exp string } : Specifies the circuit identifier in ASCII format or as a regular expression (reg-exp) string.

      • match-type { all match { protocol | username | source-mac | circuit-id | remote-id } | any match { protocol | username | source-mac | circuit-id | remote-id } } : Specifies the match key and value for matching any or all of the options: protocol, username, source-mac, circuit-id, and remote-id.


    Note

    By default, aaa, activate-feature-templates, apply-all-class, and class are executed as part of the session bring-up. The PPPoE and DHCP access protocols use these events to create a subscriber in the SM. The operator may configure the AAA actions and activate-feature-templates as suitable for a subscriber.

  • dhcp-profile dhcp_profile_name : Associates the DHCP first sign of life (FSOL) profile.

  • event event_list_name : Specifies the event name.

  • event session-activate : Specifies the subscriber event to activate.

    Some access protocols require a two-stage session bring-up. For example, with PPPoE subscribers, the PPPoE access protocol calls the Session-Start event for FSOL, followed by Session-Activate during PPP negotiation and authentication. The IPoE subscribers created by DHCP do not use this event. The operator may configure authenticate and authorize AAA actions and feature templates as suitable for a subscriber.

  • pppoe-profile pppoe_profile_name : Associates the PPPoE FSOL profile.

  • session-type { ipv4 | ipv4v6 | ipv6 } : Specifies the allowed session-types as IPv4, IPv4v6, and IPv6.

Automatic Session Reconciliation

Feature Description

The Automatic Session Reconciliation feature enables reconciliation of sessions that are out of synchronization between the Control Plane (CP) and User Plane (UP).

Desynchronization of a session occurs when a transaction is successful in the UP but the CP times out before receiving the response from the UP.

The existing transaction-id increments by 1 in every request initiated from the CP to the UP. The CDL record stores the transaction-id per session when the UP conveys a successful response to the CP. The UP also stores this transaction-id when the transaction is successful in the UP.

How it Works

This section briefly describes how the Automatic Session Reconciliation feature works.

The UP validates the transaction-id received in every request from the CP. When a received transaction-id does not follow incrementally from the transaction-id stored in the UP, the UP discards the transaction and responds to the CP with a transaction-id mismatch error.

On receiving the transaction-id mismatch error, the CP discards the current transaction and initiates a new transaction to replay the complete session data to the UP. After this session replay, the session reconciles and synchronizes automatically in the CP and UP.
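The sequence described above, as an added Python model that is not Cisco code: a lost response leaves the UP one transaction ahead of the CDL record, the next CP request is rejected with a mismatch, and the CP replays its complete view of the session. The class and method names are hypothetical, and the handling of the replay's transaction-id (next id, adopted by the UP as-is) is an assumption the page does not specify.

```python
from dataclasses import dataclass, field


class TxnMismatch(Exception):
    """UP-side rejection: request transaction-id is not last-applied + 1."""


@dataclass
class UserPlane:
    sessions: dict = field(default_factory=dict)  # sid -> (txn_id, session data)

    def apply(self, sid, txn_id, change):
        last, data = self.sessions.get(sid, (0, {}))
        if txn_id != last + 1:
            raise TxnMismatch(f"{sid}: received {txn_id}, UP holds {last}")
        self.sessions[sid] = (txn_id, {**data, **change})

    def replay(self, sid, txn_id, full_session):
        # Assumption: a replay overwrites the UP copy and adopts the CP's id.
        self.sessions[sid] = (txn_id, dict(full_session))


@dataclass
class ControlPlane:
    up: UserPlane
    cdl: dict = field(default_factory=dict)  # sid -> (txn_id, session data)

    def update(self, sid, change, lose_response=False):
        last, data = self.cdl.get(sid, (0, {}))
        txn_id = last + 1                 # next id is derived from the CDL record
        try:
            self.up.apply(sid, txn_id, change)
        except TxnMismatch:
            # Discard this transaction, then replay the complete CDL view
            # of the session in a new transaction (assumed id: txn_id + 1).
            new_id = txn_id + 1
            self.up.replay(sid, new_id, data)
            self.cdl[sid] = (new_id, data)
            return "reconciled"
        if lose_response:
            return "timeout"              # UP applied it, CDL was never updated
        self.cdl[sid] = (txn_id, {**data, **change})
        return "ok"

    def in_sync(self, sid):
        return self.cdl.get(sid) == self.up.sessions.get(sid)


def demo():
    """Constructed scenario: one lost response, then automatic reconciliation."""
    up = UserPlane()
    cp = ControlPlane(up)
    results = [cp.update("sess-1", {"qos-in": "qos_in_100mbps"})]
    results.append(cp.update("sess-1", {"ingress-acl": "acl-v4"}, lose_response=True))
    drifted = not cp.in_sync("sess-1")
    results.append(cp.update("sess-1", {"mtu": 1492}))   # rejected, then replayed
    results.append(cp.update("sess-1", {"mtu": 1492}))   # retried after replay
    return results, drifted, cp.in_sync("sess-1"), up.sessions["sess-1"]


if __name__ == "__main__":
    print(demo())
```

In this model the replay restores the CP's recorded state, so the change whose response was lost (the ingress ACL here) is no longer present on the UP until it is sent again.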

Framed Route Support

Feature Description

The Framed Route Support on subscriber sessions enables framed (dynamic) routes to be added for individual subscribers. Framed route per subscriber support is provided through RADIUS or Change of Authorization (CoA).

A framed route is pushed from the Control Plane (CP) to the User Plane (UP) only when the IP address is allocated for the respective address family indicator (AFI). The UP withdraws the framed route when the respective AFI goes down (for example, when an IP address is deallocated).

The configuration format of the framed route is as follows:

  • IPv4

    Framed-Route = "[vrf <prefix VRF>] {<prefix>/<prefix_length>} [vrf <next hop vrf>]
                    [<next hop prefix>] [<metric>] [tag <tag-value>]"
    Framed-Route = "[vrf <vrf-name>] {<prefix> <netmask>} [vrf <next hop vrf>]
                    [<next hop prefix>] [<metric>] [tag <tag-value>]"

    cisco-avpair = "[vrf <prefix VRF>] {<prefix>/<prefix_length>} [vrf <next hop vrf>]
                    [<next hop prefix>] [<metric>] [tag <tag-value>]"
    cisco-avpair = "[vrf <vrf-name>] {<prefix> <netmask>} [vrf <next hop vrf>]
                    [<next hop prefix>] [<metric>] [tag <tag-value>]"

  • IPv6

    Framed-IPv6-Route = "[vrf <prefix VRF>] {<prefix>/<prefix_length>} [vrf <next hop vrf>]
                         [<next-hop prefix>] [<metric>] [tag <tag-value>]"
    cisco-avpair = "[vrf <prefix VRF>] {<prefix>/<prefix_length>} [vrf <next hop vrf>]
                    [<next hop prefix>] [<metric>] [tag <tag-value>]"

The description of the format of the framed route is as follows:

  • [vrf <prefix VRF>]: This is an optional parameter. Specifies the virtual routing and forwarding (VRF) prefix.

  • {<prefix>/<prefix_length>} or {<prefix> <netmask>}: This is a mandatory parameter. Specifies the prefix and prefix mask or prefix length for the destination.

  • [vrf <next hop vrf>]: This is an optional parameter. Specifies the next hop VRF name.

  • [<next hop prefix>]: This is an optional parameter. Specifies that when the next hop is specified as "0.0.0.0" for IPv4 or “::” for IPv6, the IP address of the session must be used as the next hop prefix.

  • [<metric>]: This is an optional parameter. Specifies the route metric.

  • [tag <tag-value>]: This is an optional parameter. Specifies a tag value that can be used as a match for controlling redistribution using route policies.
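A parser for the framed-route value format described above, written as an added example (not Cisco code) of how a RADIUS-side check could validate route strings before they are returned for a subscriber. The names parse_framed_route, FramedRoute and session_ip are hypothetical; the numeric tag and the masking of host bits are assumptions, and the input is the text between the quotes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class FramedRoute:
    prefix: Net
    prefix_vrf: Optional[str] = None
    next_hop_vrf: Optional[str] = None
    next_hop: Optional[Addr] = None
    metric: Optional[int] = None
    tag: Optional[int] = None


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_framed_route(value: str, session_ip: str) -> FramedRoute:
    """Parse the text between the quotes of a framed-route attribute."""
    toks, i = value.split(), 0

    def take_keyword(keyword: str) -> Optional[str]:
        # Consume "<keyword> <value>" if it is next, and return the value.
        nonlocal i
        if i + 1 < len(toks) and toks[i] == keyword:
            i += 2
            return toks[i - 1]
        return None

    prefix_vrf = take_keyword("vrf")
    if i >= len(toks):
        raise ValueError("mandatory prefix is missing")
    if "/" in toks[i]:                       # <prefix>/<prefix_length>
        spec, i = toks[i], i + 1
    elif i + 1 < len(toks):                  # <prefix> <netmask> (IPv4 form)
        spec, i = f"{toks[i]}/{toks[i + 1]}", i + 2
    else:
        raise ValueError("prefix has neither a length nor a netmask")
    # Assumption: host bits are masked off rather than rejected.
    prefix = ipaddress.ip_network(spec, strict=False)

    next_hop_vrf = take_keyword("vrf")
    next_hop = None
    if i < len(toks) and _is_ip(toks[i]):
        next_hop, i = ipaddress.ip_address(toks[i]), i + 1
        # 0.0.0.0 (IPv4) or :: (IPv6) means "use the session's own address".
        if next_hop.is_unspecified and next_hop.version == prefix.version:
            next_hop = ipaddress.ip_address(session_ip)
        if next_hop.version != prefix.version:
            raise ValueError("next hop and prefix are different address families")
    metric = None
    if i < len(toks) and toks[i].isdigit():
        metric, i = int(toks[i]), i + 1
    tag_text = take_keyword("tag")           # assumption: tag values are numeric
    if tag_text is not None and not tag_text.isdigit():
        raise ValueError(f"tag value {tag_text!r} is not numeric")
    if i != len(toks):
        raise ValueError(f"unexpected token {toks[i]!r}")
    return FramedRoute(prefix, prefix_vrf, next_hop_vrf, next_hop, metric,
                       int(tag_text) if tag_text is not None else None)


if __name__ == "__main__":
    # Constructed sample value using documentation address ranges.
    print(parse_framed_route("vrf CUST-A 192.0.2.0/24 vrf CORE 0.0.0.0 10 tag 100",
                             "198.51.100.7"))
```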

For information about the framed-route attributes, see Table 1 and Table 2 in the RADIUS Attributes chapter.

Implementing the framed (dynamic) route support depends on the UP. Therefore, check the UP documentation, Cloud Native BNG User Plane Configuration Guide for Cisco ASR 9000 Series Router, for the following before enabling the framed route.

  • IPv4 and IPv6 framed route support for PPP Termination and Aggregation (PTA) and IPoE

  • VRF and next hop VRF support for PTA and IPoE

  • CoA support for framed route for PTA and IPoE

  • Maximum routes supported per subscriber per AFI for PTA and IPoE

Subscriber Accounting Functions

Feature Description

The Accounting Manager handles the Subscriber Accounting functions in the cnBNG CP. The Accounting function includes features that track traffic either in volume or duration. It provides accounting information for subscribers on a session or per service. The Accounting function determines the length and duration of a given service that a subscriber has used. Certain regulations require service providers to account for services they provide to the subscriber.

The following figure illustrates the Accounting Manager external interfaces.



The Accounting Manager in cnBNG supports the following forms of accounting:

Service Accounting

ISPs can offer different tiered services to their subscribers with the ability to move between different tiers. Different tiers could correspond to different bandwidths offered to the subscriber. A subscriber can enable a new service that corresponds to temporarily moving from one tier of service to another. ISPs need to keep track of when a new service is enabled and how long it is active for each subscriber. Often there might be a need to count the number of packets and bytes associated with a service. Both of these forms of accounting are referred to as service accounting. When service accounting is enabled, BNG sends a Service-Start request when the service is activated and a Service-Stop request when the service is deactivated. A timestamp is sent with both actions. Service-Stop can also contain statistics associated with the service.

To configure Service Accounting, see Configuring Service Accounting.

Session Accounting

When Session Accounting is activated, an Accounting-Start request is sent to AAA when the session is started. When the session is terminated, an Accounting-Stop request is sent. The Accounting-Stop request contains the final session accounting statistics (packets, bytes in, bytes out). An “interim” session accounting can be optionally activated that sends Interim-Updates periodically while the session is active. These updates provide the current session statistics accumulated since the start of the session.

Session Accounting is configured directly on the template.

To configure Session Accounting, see Configuring Session Accounting.

Limitations and Restrictions

The Subscriber Accounting Function has the following limitations in this release:

  • An interim interval of zero is not supported.

  • AAA profile change at service level is not supported.

  • Service-level attributes changes are not supported after service bring-up.

  • Session accounting is mandatory to enable Service accounting due to User Plane (UP) (asr9k) limitation.

  • Enabling or disabling Session and Service Accounting is not supported after the session or service is up because of UP limitations. Session Accounting must be enabled only during session bring-up.

Configuring Subscriber Accounting Functions

This section describes how to configure the Subscriber Accounting Functions.

The configuration of the Subscriber Accounting Functions involves the following procedures:

  • Configuring Service Accounting

  • Configuring Session Accounting

Configuring Service Accounting

Use the following commands to configure service accounting.

config 
   profile feature-template feature-template 
   service accounting 
      aaa-profile aaa_profile_name 
      enable 
      periodic-interval interval_in_seconds 
      exit 

NOTES:

  • profile feature-template feature-template : Specifies the profile feature template name and enters Feature-Template Configuration mode.

  • service accounting : Enters the Service Configuration mode to configure service accounting for a AAA profile.

  • aaa-profile aaa_profile_name : Specifies the AAA profile to use for service accounting.

  • enable : Enables service accounting for the specified AAA profile.

  • periodic-interval interval_in_seconds : Specifies the interim interval in seconds. The valid values range from 60 to 4320000 seconds.

Configuring Session Accounting

Use the following commands to configure session accounting.


config 
   profile feature-template feature-template 
   session accounting 
      aaa-profile aaa_profile_name 
      dual-stack-delay delay_in_seconds 
      enable  
      periodic-interval interval_in_seconds 
      exit 

NOTES:

  • profile feature-template feature-template : Specifies the profile feature template name and enters Feature-Template Configuration mode.

  • session accounting : Enters the Session Configuration mode to configure session accounting for a AAA profile.

  • aaa-profile aaa_profile_name : Specifies the AAA profile to use for session accounting.

  • dual-stack-delay delay_in_seconds : Specifies the dual stack set delay time in seconds. The valid values range from 1 to 30 seconds.

  • enable : Enables session accounting for the specified AAA profile.

  • periodic-interval interval_in_seconds : Specifies the interim interval in seconds. The valid values range from 60 to 4320000 seconds.

Subscriber QoS Policy

Feature Description

The Subscriber Quality of Service (QoS) Policy feature uses the following Cisco AVPs to apply the subscriber QoS policy through RADIUS.

cisco-avpair = "subscriber:sub-qos-policy-in=<ingress qos policy name>" 
cisco-avpair = "subscriber:sub-qos-policy-out=<egress qos policy name>", 

Example:

radius profile 
cisco-avpair = "subscriber:sub-qos-policy-in=qos_in_100mbps", 
cisco-avpair = "subscriber:sub-qos-policy-out=qos_out_100mbps", 

"qos_in_100mbps" and "qos_out_100mbps" are the QoS policy maps that are configured in the User Plane (UP). The merge-level and accounting features are not supported through RADIUS. If unsupported features are passed from RADIUS, behaviour is undefined.

Applying QoS from the profile feature-template and through RADIUS using sub-qos-policy-in or sub-qos-policy-out is not supported for the same subscriber. When applied, behaviour is undefined.

For information about the sub-qos-policy-in or sub-qos-policy-out attributes, see Table 2 in the RADIUS Attributes chapter.