6. IPoE v4 Configuration
6.1. License
For each VSR node of this setup, you must follow the Getting Started guide to provide a minimal Day-1 configuration and install a valid and relevant license.
A valid Virtual Service Router Network License is also required. Using show license, make sure it is properly activated; otherwise features like the fast path, PPP Server and IPoE Server won’t function.
vsr> show license
Active perpetual license for Virtual Service Router
License tokens 10
Current activations 1/10
Connected to license server (last contact 2024-06-04 16:49:23)
Lease is valid until 2024-06-25 12:49:23
Serial number is XXXXXXXXXX
Computer ID is nFtc6ebng2xuRTg6Sa/M
License was activated online
Support is valid until 2026-06-03 05:00:00 (standard mode)
Max throughput 100.0G (moving average 0.0G)
BNG IPoE activated for 100000 sessions (currently used 0)
BNG PPPoE activated for 100000 sessions (currently used 0)
CG-NAT activated for 30000000 conntracks (currently used 0)
DDoS protection activated
FP firewall activated for 30000000 conntracks (currently used 0)
GTP activated for 1000000 tunnels (currently used 0)
IPsec activated for 100000 tunnels (currently used 0)
vsr>
Repeat this step for all your routers in this setup.
For the IPoE BNG use case, you must make sure that your license shows “BNG IPoE Activated”.
6.2. Hostname
Using the VSR CLI, let us start with setting the hostname and then getting the interfaces configured.
To set the VSR hostname, proceed as follows:
vsr> edit running
vsr running config# system hostname bng-ipoe
vsr running config# commit
bng-ipoe running config#
Repeat this step for all your routers in this setup.
The following configurations are more specific to the BNG-IPoE router or IPoE functionality.
6.3. Interfaces
Allocate the ports that will be involved in data plane processing into the fast path:
bng-ipoe running config# / system fast-path
bng-ipoe running fast-path#! port pci-b0s4
bng-ipoe running fast-path# port pci-b0s5
bng-ipoe running fast-path# port pci-b0s6
bng-ipoe running fast-path# port pci-b0s7
All physical and logical interfaces are configured under the ‘main’ VRF in this example.
bng-ipoe running fast-path# / vrf main
Create Ethernet interfaces and attach them to a port of a NIC:
bng-ipoe running vrf main# interface physical dhcp
bng-ipoe running physical dhcp#! port pci-b0s6
bng-ipoe running physical dhcp# description "bng-ipoe_to-DHCP"
bng-ipoe running physical dhcp# ipv4 address 172.20.1.254/24
bng-ipoe running physical dhcp# ..
bng-ipoe running interface# physical access
bng-ipoe running physical access#! port pci-b0s4
bng-ipoe running physical access# description "bng-ipoe_to-CPEs"
bng-ipoe running physical access# ..
bng-ipoe running interface# physical internet
bng-ipoe running physical internet#! port pci-b0s5
bng-ipoe running physical internet# description "bng-ipoe_to-Internet"
bng-ipoe running physical internet# ipv4 address 109.254.1.1/24
bng-ipoe running physical internet# ipv6 address 2001:db8::1/64
bng-ipoe running physical internet# ..
Add VLANs towards the CPE networks:
bng-ipoe running interface# vlan vlan10
bng-ipoe running vlan vlan10# description "To-CPE"
bng-ipoe running vlan vlan10# vlan-id 10
bng-ipoe running vlan vlan10# link-interface access
bng-ipoe running vlan vlan10# ..
Add a loopback interface to be used for the local DNS definition:
bng-ipoe running interface# loopback dns
bng-ipoe running loopback dns# ipv4 address 1.1.1.1/32
bng-ipoe running loopback dns# ipv6 address 1::1/128
bng-ipoe running loopback dns# ..
Add the DNS configuration and enable the DNS records for both IPv4 and IPv6:
bng-ipoe running vrf main# dns-server use-system-servers false
bng-ipoe running dns-server# record bng.com 8.8.8.8
bng-ipoe running dns-server# record bngv6.com 8888::8888
bng-ipoe running dns-server# ..
Repeat this step for all your routers in this setup, using only the relevant interfaces.
Specifically, on the CPEs we configure an IPoE interface that connects to the BNG-IPoE router through a DHCP request; the main wan interface only binds the physical port:
CPE3 running interface# physical wan
CPE3 running physical wan#! port pci-b0s4
CPE3 running physical wan# ..
[....]
CPE3 running interface# vlan wan.100
CPE3 running vlan wan.100#! link-interface wan
CPE3 running vlan wan.100# vlan-id 100
CPE3 running vlan wan.100# ipv4 dhcp
CPE3 running vlan wan.100# ..
Review the respective configuration on each router and commit it:
bng-ipoe running config# show config nodefault
interface
physical access
port pci-b0s4
[...]
bng-ipoe running config# commit
Configuration committed.
See also
See the VSR User’s Guide for more information regarding:
At this point of the implementation, connectivity is still not established. The next steps are to configure the BNG-IPoE router with the IPoE Server functionality and the required DHCP relay parameters that were described in the IPoE use case description section.
The configuration for the IPoE Server used in this setup is listed hereafter.
First, we need to configure the physical or virtual interface connected to the CPEs, which request a DHCP offer for their IPoE addresses. The BNG-IPoE acts as a DHCP relay, and the DHCP server can be co-located in the network or reside in a different domain.
For simplicity, we have directly attached the DHCP server, which is a 6WIND VSR, to the BNG-IPoE router. If the DHCP server is configured in a different subnet or network domain, make sure that it is reachable and that routing is configured properly.
Within the interface configuration, we need to provide the related agent information, router and server settings, as described in the IPoE use case description section.
bng-ipoe running config# vrf main ipoe-server
bng-ipoe running ipoe-server# enabled true
bng-ipoe running ipoe-server# log-level error
bng-ipoe running ipoe-server# dhcp-relay
bng-ipoe running dhcp-relay# interface ipoe.100
bng-ipoe running interface ipoe.100# agent-information
bng-ipoe running agent-information# relay-address 109.254.1.1
bng-ipoe running agent-information# trusted-circuit false
bng-ipoe running agent-information# remote-id global test123
bng-ipoe running agent-information# link-selection 100.100.0.1
bng-ipoe running agent-information# ..
bng-ipoe running interface ipoe.100# router 100.100.0.1
bng-ipoe running interface ipoe.100# ..
bng-ipoe running dhcp-relay# offer-timeout 10
bng-ipoe running dhcp-relay# server-timeout 3
bng-ipoe running dhcp-relay# server-retransmit 3
bng-ipoe running dhcp-relay# server 109.254.1.2
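As an added example (not 6WIND code and not part of the original page), the Python below encodes the agent-information values configured above as DHCP option 82 and applies the RFC 3046 rule for requests arriving on an untrusted circuit. Treating trusted-circuit false as that rule is an assumption, since the page does not describe how VSR implements it; the function names and the sample option fields are constructed for the example.

```python
import ipaddress

# DHCP option and sub-option codes from RFC 2132, RFC 3046 and RFC 3527.
OPT_PAD, OPT_RELAY_AGENT_INFO, OPT_END = 0, 82, 255
SUB_REMOTE_ID, SUB_LINK_SELECTION = 2, 5


def build_option82(remote_id: bytes, link_selection: str) -> bytes:
    """Encode option 82 with the two sub-options set in the relay config."""
    link = ipaddress.IPv4Address(link_selection).packed
    subs = bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    subs += bytes([SUB_LINK_SELECTION, len(link)]) + link
    return bytes([OPT_RELAY_AGENT_INFO, len(subs)]) + subs


def parse_tlvs(data: bytes, top_level: bool = True) -> dict:
    """Split code/length/value triples; raise on truncated input."""
    found, i = {}, 0
    while i < len(data):
        code = data[i]
        if top_level and code == OPT_PAD:   # pad has no length byte
            i += 1
            continue
        if top_level and code == OPT_END:
            break
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"truncated option at offset {i}")
        found[code] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return found


def access_side_verdict(options: bytes, giaddr: str, trusted_circuit: bool) -> str:
    """RFC 3046 section 2.1: discard option 82 seen with giaddr 0 on an untrusted circuit."""
    has_opt82 = OPT_RELAY_AGENT_INFO in parse_tlvs(options)
    if has_opt82 and giaddr == "0.0.0.0" and not trusted_circuit:
        return "drop"
    return "relay"


# Constructed sample option fields (option 53 = DHCPDISCOVER), not captured traffic.
CLEAN_DISCOVER = bytes([53, 1, 1, OPT_END])
SPOOFED_DISCOVER = bytes([53, 1, 1]) + build_option82(b"forged", "100.100.0.1") + bytes([OPT_END])

if __name__ == "__main__":
    relayed = parse_tlvs(build_option82(b"test123", "100.100.0.1"))
    subs = parse_tlvs(relayed[OPT_RELAY_AGENT_INFO], top_level=False)
    print(subs[SUB_REMOTE_ID], ipaddress.IPv4Address(subs[SUB_LINK_SELECTION]))
    print(access_side_verdict(CLEAN_DISCOVER, "0.0.0.0", trusted_circuit=False))
    print(access_side_verdict(SPOOFED_DISCOVER, "0.0.0.0", trusted_circuit=False))
```

A DHCP server that selects pools or subscribers from remote-id or link-selection should only rely on those values when the relay enforces a check of this kind on the access side.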
Following this configuration, configure your DHCP server to allocate the IPv4 addresses of the IPoE sessions. In our setup, the DHCP server is directly connected to the BNG-IPoE router, as previously mentioned; the configuration required for the IP address allocation process is listed hereafter.
Note
For information, we have used a 6WIND VSR as the DHCP server, but you can use any product you are most familiar with. The same VSR also contains the internet configuration parameters, as seen later.
See also
More details about the 6WIND IPoE server functionality can be found here: IPoE Server
The following classical DHCP server configuration is used in our setup:
dhcp running config# vrf main dhcp server
dhcp running server# dhcp-options domain-name-server 109.254.1.1
dhcp running server# subnet 100.100.0.0/24
dhcp running subnet 100.100.0.0/24# interface bng-ipoe
dhcp running subnet 100.100.0.0/24# default-gateway 100.100.0.1
dhcp running subnet 100.100.0.0/24# range 100.100.0.100 100.100.0.200
After this step, you will be able to verify that the IPoE sessions are established and active. See the Troubleshoot IPoE Sessions section below.
6.4. DHCP Services for end hosts
For simplicity, we have opted to configure a DHCP server on the CPEs in order to allocate private host addresses.
The following configuration can be used, given we want to allocate the 192.168.1.0/24 subnet to our end users.
CPE1 running config# vrf main dhcp server
CPE1 running server# subnet 192.168.1.0/24
CPE1 running subnet 192.168.1.0/24# interface lan
CPE1 running subnet 192.168.1.0/24# default-gateway 192.168.1.1
CPE1 running subnet 192.168.1.0/24# range 192.168.1.10 192.168.1.100
CPE1 running subnet 192.168.1.0/24# dhcp-options domain-name-server 192.168.1.1
Remember that the DNS has already been included in the PPPoE request using the request domain-name-servers command option under the PPPoE interface configuration.
6.5. NAT Services for end hosts
Further, source NAT will be used in order to simplify the routing on the CPEs and the BNG-IPoE router.
On the CPE device the configuration would look like this:
CPE1 running config# vrf main nat
CPE1 running nat# source-rule 1 outbound-interface pppoe-wan translate-to output-address
Similarly, on the BNG IPoE side we would configure the following:
bng-ipoe running config# vrf main nat
bng-ipoe running nat# source-rule 1 outbound-interface internet translate-to output-address
Note
For large scale deployments, we would recommend using the 6WIND CG-NAT capabilities (requires an additional license), hence leveraging the high performance and scalability that we could offer.
See also
More details about 6WIND’s CG-NAT capabilities can be found here: CG-NAT basics
6.6. eBGP
Finally, we configure eBGP as our exterior routing protocol. It is used to peer with the internet router that acts as the gateway for our DNS services. The configuration is straightforward: both IPv4 and IPv6 address families are enabled, allowing the end hosts to reach those simulated internet addresses.
bng-ipoe running vrf main# routing bgp
bng-ipoe running bgp# as 65222
bng-ipoe running bgp# ebgp-requires-policy false
bng-ipoe running bgp# address-family ipv4-unicast redistribute static
bng-ipoe running bgp# address-family ipv6-unicast redistribute connected
bng-ipoe running bgp# neighbor 109.254.1.2
bng-ipoe running neighbor 109.254.1.2# remote-as 65123
bng-ipoe running neighbor 109.254.1.2# address-family ipv4-unicast enabled true
bng-ipoe running neighbor 109.254.1.2# address-family ipv6-unicast enabled false
bng-ipoe running neighbor 109.254.1.2# ..
bng-ipoe running bgp# neighbor 2001:db8::2
bng-ipoe running neighbor 2001:db8::2# remote-as 65123
bng-ipoe running neighbor 2001:db8::2# address-family ipv4-unicast enabled false
bng-ipoe running neighbor 2001:db8::2# address-family ipv6-unicast enabled true
bng-ipoe running neighbor 2001:db8::2# ..
bng-ipoe running bgp#
At this time, it would be a good idea to check that the eBGP adjacencies are up and that routes are advertised, then ping the defined internet addresses from the host routers to validate end-to-end connectivity.
See the Troubleshoot IPoE Sessions section below.
6.7. HTB IPoE QoS Configuration
The following configuration has been used to define the 6WIND-qos-template used in our setup.
6.7.1. Configure a base static scheduler
bng-ipoe running config# qos
bng-ipoe running qos# scheduler scheduler-1
bng-ipoe running scheduler scheduler-1# htb
bng-ipoe running htb# queue 1
bng-ipoe running queue1#! bandwidth 40G
bng-ipoe running queue1# ceiling 40G
bng-ipoe running queue1#! child-queue 2
bng-ipoe running queue1#! child-queue 3
bng-ipoe running queue1#! child-queue 4
bng-ipoe running queue1#! ..
bng-ipoe running htb# queue 2
bng-ipoe running queue2#! description "This is the static parent queue for premium subscribers queues"
bng-ipoe running queue2#! bandwidth 30G
bng-ipoe running queue2#! ceiling 40G
bng-ipoe running queue2#! ..
bng-ipoe running htb#! queue 3
bng-ipoe running queue3#! description "This is the static parent queue for non-premium subscribers queues"
bng-ipoe running queue3#! bandwidth 10G
bng-ipoe running queue3#! ceiling 40G
bng-ipoe running queue3#! ..
bng-ipoe running htb#! queue 4
bng-ipoe running queue4#! description "This is the default queue"
bng-ipoe running queue4#! bandwidth 10K
bng-ipoe running queue4# ceiling 40G
bng-ipoe running queue4# ceiling-priority 9
bng-ipoe running queue4# ..
bng-ipoe running htb# default-queue 4
6.7.2. Add the base-scheduler to the IPoE server interface
bng-ipoe running config# vrf main interface vlan vlan10 qos egress scheduler scheduler-1
6.7.3. Configure the Templates locally
Note
By default, queues have the highest priority value, that is 0. Explicitly configure the ceiling-priority for queues with a lower priority.
Note
The ceiling-priority attribute should be set on qos template queues to be applied.
bng-ipoe running config# / vrf main ipoe-server qos
bng-ipoe running qos# template premium-subscribers scheduler-interface vlan10
bng-ipoe running qos# template premium-subscribers queue prem static-parent 2
bng-ipoe running qos# template premium-subscribers queue prem bandwidth 7M
bng-ipoe running qos# template premium-subscribers queue prem ceiling 2G
bng-ipoe running qos# template premium-subscribers queue prem-voip dynamic-parent prem
bng-ipoe running qos# template premium-subscribers queue prem-voip bandwidth 5M
bng-ipoe running qos# template premium-subscribers queue prem-voip ceiling 2G
bng-ipoe running qos# template premium-subscribers queue prem-voip mark 0x1
bng-ipoe running qos# template premium-subscribers queue prem-data dynamic-parent prem
bng-ipoe running qos# template premium-subscribers queue prem-data bandwidth 2M
bng-ipoe running qos# template premium-subscribers queue prem-data ceiling 2G
bng-ipoe running qos# template premium-subscribers queue prem-data mark 0x0
bng-ipoe running qos# template non-premium-subscribers scheduler-interface vlan10
bng-ipoe running qos# template non-premium-subscribers queue non-prem static-parent 3
bng-ipoe running qos# template non-premium-subscribers queue non-prem bandwidth 4M
bng-ipoe running qos# template non-premium-subscribers queue non-prem ceiling 1G
bng-ipoe running qos# template non-premium-subscribers queue non-prem-voip dynamic-parent non-prem
bng-ipoe running qos# template non-premium-subscribers queue non-prem-voip bandwidth 3M
bng-ipoe running qos# template non-premium-subscribers queue non-prem-voip ceiling 1G
bng-ipoe running qos# template non-premium-subscribers queue non-prem-voip ceiling-priority 1
bng-ipoe running qos# template non-premium-subscribers queue non-prem-voip mark 0x1
bng-ipoe running qos# template non-premium-subscribers queue non-prem-data dynamic-parent non-prem
bng-ipoe running qos# template non-premium-subscribers queue non-prem-data bandwidth 1M
bng-ipoe running qos# template non-premium-subscribers queue non-prem-data ceiling 1G
bng-ipoe running qos# template non-premium-subscribers queue non-prem-data ceiling-priority 1
bng-ipoe running qos# template non-premium-subscribers queue non-prem-data mark 0x0
bng-ipoe running qos# default-template non-premium-subscribers
Once the configuration is in place, the RADIUS setup of a user should include the name of its QoS template. For instance, for a premium user the attribute (in /etc/freeradius/3.0/users) is:
6WIND-qos-template-name = premium-subscribers
If no attribute can be retrieved from the RADIUS server, the default template is used (non-premium-subscribers).
6.7.4. Configure QoS marking
In this implementation, the VoIP traffic is marked with 0x1. The other traffic has the mark 0x0 (equivalent to no mark). The marking can be done using the IP Packet Filtering context.
Below is an example of traffic marking using the standard Virtual Service Router firewall. Keep in mind that this mark is purely local to the Virtual Service Router, as metadata attached to the packets, and won’t be replicated once the packet has left the system.
First, let’s assume you have standard SIP VoIP traffic on TCP ports 5060/5061, coming from your customers without any DSCP marking.
We need to mark packets as soon as they arrive on the interface so that they are handled correctly. Consequently, we use the PREROUTING chain in the mangle table, which is the table dedicated to altering packets with such marking.
bng-ipoe running qos# / vrf main firewall ipv4 mangle prerouting
bng-ipoe running qos# rule 1 protocol tcp destination port-range 5060-5061 action mark 0x1
bng-ipoe running qos#
The mark 0x1 will be caught by the QoS mechanism and packets will be sent to the right queue according to your template.
6.7.5. Protecting control plane packets
By default, control plane traffic is not processed differently from data plane traffic in the QoS. Nothing protects control packets from being dropped at QoS enqueue. To protect them, you can configure a queue dedicated to control plane packets with a guaranteed bandwidth.
vsr running config# / qos class cp-traffic cp true
vsr running config# / qos scheduler scheduler-1 htb queue 5 bandwidth 1M
vsr running config# / qos scheduler scheduler-1 htb queue 5 class cp-traffic
Now you are sure that a bandwidth of 1 Mbps is reserved for control plane packets only.