Cisco ASR 9000 Series Configuration Manual page 92

Subscriber Session Overview
When packets arrive on an access interface, an attempt is made to link that packet to a subscriber context.
Note
• For PPPoE sessions the Source MAC of the CPE, Access interface and PPPoE Session ID are used
to match the remote peer to a subscriber interface.
• For IPoE sessions the Source MAC, Access interface and IP address are verified against the DHCP
binding to find a matching subscriber interface.
If there is no match, the packet is mapped against the access (sub-)interface. Considering that the access
interface in IPoE designs is IP enabled (eg via an IP-Unnumbered configuration) that packets are processed
like regular IP. In order to secure your BNG access interface, you will want to apply either uRPF or an
Access-List blocking everything but DHCP incoming on the access interface to limit remote subscribers
for which we don't have an interface created from accessing network resources.
• Establishing a connection—in this phase CPE finds the BNG with which to communicate.
• Authenticating and authorizing the subscriber—in this phase, BNG authenticates the subscribers and
authorizes them to use the network. This phase is performed with the help of the RADIUS server.
• Giving subscriber an identity—in this phase, the subscriber is assigned an identity, the IP address.
• Monitoring the session—in this phase, BNG ascertains that the session is up and running.
The subscribers are not configured directly on BNG. Instead, a framework is created on which subscriber
features and subscriber sessions are started and stopped dynamically. The framework consists of control
policies and dynamic templates, which perform these functions:
• Control policy determines the action BNG takes when specific events, such as receipt of a session start
request, or failure of authentication, occurs. The action is determined by the class-map defined in the
control policy. The action involves activating dynamic templates.
• Dynamic template contains a set of CLI commands that are applied to a subscriber session. Multiple
dynamic templates can be activated, one at a time, on the same subscriber interface. Also, the same
dynamic template can be activated on multiple subscriber interfaces through different control policies.
Service providers can deploy subscribers over VLAN in these ways:
• 1:1 VLAN model—This model depicts a scenario where one dedicated VLAN is available for each
customer. Each VLAN is an q-in-q VLAN where the inner VLAN tag represents the subscriber and the
outer VLAN tag represents the DSLAM.
• N:1 VLAN model—This model depicts a scenario where multiple subscribers are available on a shared
VLAN. The VLAN tags represent the DSLAM or the aggregation device.
• Ambiguous VLANs —This model allows the operator to specify a large number of VLANs in a single
CLI line. Using ambiguous VLAN, a range of inner or outer tags (or both) can be configured on a VLAN
sub-interface. This is particularly useful for the 1:1 model, where every subscriber has a unique value
for the set of VLAN tags. For more information about ambiguous VLANs, see
Ambiguous VLANs , on page
The subscriber sessions are established over the subscriber interfaces, which are virtual interfaces. It is possible
to create only one interface for each subscriber session. A port can contain multiple VLANs, each of which
can support multiple subscribers. BNG creates subscriber interfaces for each kind of session. These interfaces
Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Configuration Guide,
Release 4.3.x
80
232.
Establishing Subscriber Sessions
Subscriber Session on
OL-28375-03