PPP server

Overview

The Point-to-Point Protocol (PPP) is a data link protocol commonly used to establish a direct connection between two networking nodes. It provides a standard method for transporting multi-protocol datagrams over point-to-point links. Virtual Service Router supports the PPPoE protocol.

Multiple PPP server instances can be hosted in Virtual Service Router. Using different VRs allows complete separation of those instances.

Supported services & features

  • Multi-VRF support

  • Radius AAA support

  • User authentication

  • Multi-session support

  • IPv6 Autoconfiguration

  • IPv4 and IPv6 routing context

  • Hierarchical QoS

Radius support

PPP server supports the following Radius features:

Authentication:

Using a Radius server to authenticate a user.

Accounting:

Sending user accounting information showing how much time, packets, bytes, and other resources were consumed during the session to a Radius accounting server.

Change of authorization:

Support for change of authorization is restricted to some attributes, such as Traffic Limiting IPv4 and Reverse Path Filtering. Other attributes may be added in future versions. Refer to the 6WIND attributes section for more details.

IPv4 network information:

PPP server accepts Radius IPv4 Framed-IP-Address and Framed-Route (RFC 2138).

Framed-Route

A static IPv4 route provided by Radius server to install in the Virtual Service Router routing table.

Framed-IP-Address

An IPv4 address provided by the Radius server to assign to the user’s PPP interface.

IPv6 network information:

PPP server accepts Radius IPv6 Framed-IPv6-Prefix, Framed-Interface-Id and Framed-IPv6-Route (RFC 3162).

Framed-Interface-Id

An IPv6 interface identifier to be configured on the user’s PPP interface.

Framed-IPv6-Prefix

An IPv6 prefix (and corresponding route) to be configured for the user. The prefix should have a 64-bit mask, for example 2001:db8:0:100::/64.

Framed-IPv6-Route

IPv6 routing information provided by Radius to be configured for the user in the Virtual Service Router routing table. It should be formatted as “PREFIX/MASK USER-IPv6-ADDRESS METRICS”, for example “2000:0:0:106::/64 2000::106:a00:20ff:fe99:a998 1”.

  • PREFIX/MASK is the destination prefix optionally followed by a mask.

  • USER-IPv6-ADDRESS is the gateway address. It should be the user’s IPv6 address, but it can also be unspecified, for example “2000:0:0:106::/64 :: 1”.
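
A check for the two IPv6 attribute formats described above, written as an added example (it is not 6WIND code). The function names and the sample reply are constructed for illustration, and reading a prefix without a mask as a /128 is the behaviour of Python's ipaddress module, assumed here rather than documented for the router.

```python
import ipaddress

def check_prefix(value):
    """Framed-IPv6-Prefix: the page asks for a 64-bit mask."""
    net = ipaddress.IPv6Network(value, strict=True)  # strict: no host bits set
    if net.prefixlen != 64:
        raise ValueError(f"prefix length is /{net.prefixlen}, expected /64")
    return net

def check_route(value, user_address=None):
    """Framed-IPv6-Route: 'PREFIX/MASK USER-IPv6-ADDRESS METRICS'."""
    fields = value.split()
    if len(fields) != 3:
        raise ValueError("expected 3 fields: PREFIX/MASK GATEWAY METRICS")
    prefix, gateway, metric = fields
    # Assumption: a prefix without a mask is read as a /128 host route.
    net = ipaddress.IPv6Network(prefix, strict=True)
    gw = ipaddress.IPv6Address(gateway)
    if not (metric.isascii() and metric.isdigit()):
        raise ValueError(f"metric is not a non-negative integer: {metric!r}")
    # The gateway is either unspecified (::) or the user's own IPv6 address.
    if user_address and not gw.is_unspecified:
        if gw != ipaddress.IPv6Address(user_address):
            raise ValueError(f"gateway {gw} is not the user's address")
    return net, gw, int(metric)

CHECKS = {"Framed-IPv6-Prefix": check_prefix, "Framed-IPv6-Route": check_route}

def lint_reply(attributes):
    """Return 'name: problem' strings for a list of (name, value) reply items."""
    problems = []
    for name, value in attributes:
        check = CHECKS.get(name)
        if check is None:
            continue  # attribute not covered by this example
        try:
            check(value)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    return problems

# Constructed sample reply; the first two values are the page's own examples.
SAMPLE = [
    ("Framed-IPv6-Prefix", "2001:db8:0:100::/64"),
    ("Framed-IPv6-Route", "2000:0:0:106::/64 :: 1"),
    ("Framed-IPv6-Prefix", "2001:db8::/48"),               # wrong length
    ("Framed-IPv6-Route", "2001:db8:1::/64 not-an-ip 1"),  # bad gateway
]
```

Calling lint_reply(SAMPLE) reports the last two entries and accepts the first two.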

IPv6 Autoconfiguration Support

Currently, PPP server supports IPv6 stateless autoconfiguration. Stateless means that no database is used to keep track of which addresses have been assigned and which are still available for assignment. PPP server sends a router advertisement message (as described in RFC 4861) with an IPv6 prefix and a non-zero router lifetime to the user, so that the user can create a global unicast IPv6 address through stateless autoconfiguration. DNS information such as RDNS and DNS search list can also be included in the message.

Note

An IPv6 prefix configured locally in the PPPoE configuration section of a PPP server takes priority over an IPv6 prefix specified by the Framed-IPv6-Prefix attribute of a Radius Access-Accept message.

Configuration examples

By default, the PPP server is disabled. Through the CLI you can enable a PPP server over an Ethernet connection.

First, configure the Ethernet interface:

dut-vm running config# vrf main interface
dut-vm running interface# physical ntfp1
dut-vm running physical ntfp1#! port pci-b0s5
dut-vm running physical ntfp1# enabled true
dut-vm running physical ntfp1# commit
Configuration committed.

Then, enable a PPP server over an Ethernet connection using the interface ntfp1:

dut-vm running config# vrf main ppp-server instance ppp-server-1
dut-vm running instance ppp-server-1# pppoe interface ntfp1
dut-vm running interface ntfp1# commit
Configuration committed.

Example 1: Without a Radius server

Here are some feature configuration examples that do not use Radius.

Choosing an authentication method & adding a user’s authentication information:

dut-vm running instance ppp-server-1#  auth peer-auth-mode chap
dut-vm running instance ppp-server-1#  auth peer-secrets secrets john.doe password test123*

Enabling IPCP and configuring peer IPv4 address pools:

dut-vm running instance ppp-server-1# ppp ipcp allow
dut-vm running instance ppp-server-1# ip-pool default-local-ip 192.164.0.2
dut-vm running instance ppp-server-1#! ip-pool pool pool1 peer-pool 192.164.0.2/32
dut-vm running instance ppp-server-1# pppoe ip-pool pool1

Enabling IP6CP and IPv6 autoconfiguration:

dut-vm running instance ppp-server-1# ppp ipv6cp allow
dut-vm running instance ppp-server-1# ipv6-neighbor-discovery enabled true
dut-vm running instance ppp-server-1# ipv6-pool pool pool2 prefix 2001:db8:22:33::/48 prefix-len 64
dut-vm running instance ppp-server-1# pppoe ipv6-pool pool2

Adding DNS information:

dut-vm running instance ppp-server-1# dns server 8.8.8.8
dut-vm running instance ppp-server-1# dns server 2001:4860:4860::8888
dut-vm running instance ppp-server-1# dns dns-search-list google.com dns-search-list 6wind.com

Example 2: With a Radius server

Here is another configuration example where a Radius server will be used for authentication, accounting and change of authorization.

First, configure the interface to use for Radius communication:

dut-vm running config# vrf main
dut-vm running vrf main# interface
dut-vm running interface# physical ntfp2
dut-vm running physical ntfp2#! port pci-b0s4
dut-vm running physical ntfp2# enabled true
dut-vm running physical ntfp2# ipv4
dut-vm running ipv4# address 10.100.0.2/24

Then, add the Radius information:

dut-vm running config# vrf main ppp-server instance ppp-server-1
dut-vm running instance ppp-server-1# auth radius enabled true
dut-vm running instance ppp-server-1#! auth radius nas ip-address 10.100.0.2 identifier vsr
dut-vm running instance ppp-server-1#! auth radius server address 10.100.0.1 auth-port 1812 acct-port 1813 secret 'test#%&123*123*'
dut-vm running instance ppp-server-1# auth radius backup-server address 10.100.1.1 auth-port 1814 acct-port 1815 secret 'test#456*123*'
dut-vm running instance ppp-server-1# auth radius default-local-ip 19.168.100.1
dut-vm running instance ppp-server-1# auth radius change-of-authorization-server secret testing123
dut-vm running instance ppp-server-1# auth radius accounting session-id-in-authentication true interim-interval 5

Quality of Service Support

The Virtual Service Router provides support for multi-level hierarchical quality of service for PPPoE sessions. This feature allows latency and throughput optimization and ensures that each subscriber gets the appropriate network resources. This is achieved through classifying, policing and scheduling the traffic.

The QoS is configured in the CLI, triggered by RADIUS and dynamically applied by the PPP server for each subscriber session.

The deployment of QoS involves two main components, an HTB based scheduler and a PPP server QoS template:

  • The HTB scheduler:

    All subscriber queues will be organized in a tree structure scheduler that determines how available bandwidth is distributed among them.

    The user should first create the root queue as well as the default queue of this HTB scheduler in the global QoS context and associate it to the PPP server interface, as described in the chapter scheduling.

    The user can also add inner static queues to suit their bandwidth redistribution and their different subscriber plans. This part of the scheduler is static and is called the base-scheduler.

    When a PPPoE session is established, all its queues will be appended dynamically as child queues to the base-scheduler according to the PPP server QoS template.

  • PPP server QoS template:

    The PPP server QoS template is a profile that provides queue models for BNG subscribers. A queue model allows the user to configure minimum guaranteed bandwidth, maximum authorized bandwidth, priority, traffic mark and other related QoS parameters.

    Once the subscriber authenticates to the network and its session is established, QoS queues will be dynamically created according to the queue models configured in its template. The template name must be received in the Radius Access-Accept packet via the 6WIND attribute 6WIND-qos-template-name. Please refer to the 6WIND attributes section for more details.

Traffic classification:

Each queue can be associated with a different form of traffic like video, data, VOIP and so on. This traffic classification into the queues is achieved through the mark of the queue template. When a packet mark matches a queue mark, the packet is classified into the matching queue.

Restrictions:

  • Users can configure up to 255 queue marks.

  • Only egress is supported.

  • Unlike the queue configuration in the global QoS context, it’s not possible to add a policer for a queue in the PPP server QoS template.

  • Static inner queues can’t be assigned QoS classes.

Let’s consider the following example, where the service provider offers two subscriber plans, premium and non-premium. Each plan provides its users with a specific guaranteed bandwidth for voip and data traffic.

Step 1: Configure the static base-scheduler:

vsr running config# / qos
vsr running qos# scheduler scheduler-1
vsr running scheduler scheduler-1#! htb
vsr running htb# queue 1
vsr running queue 1#! bandwidth 40G
vsr running queue 1# ceiling 40G
vsr running queue 1# priority 1
vsr running queue 1# child-queue 2
vsr running queue 1# child-queue 3
vsr running queue 1# ..
vsr running htb# queue 2
vsr running queue 2#! bandwidth 30G
vsr running htb# queue 2 description "This is the static parent queue for premium subscriber voip and data queues"
vsr running queue 2# priority 1
vsr running queue 2# ..
vsr running htb# queue 3
vsr running queue 3#! bandwidth 10G
vsr running htb# queue 3 description "This is the static parent queue for non-premium subscriber voip and data queues"
vsr running queue 3# priority 2

Step 2: Add the base-scheduler to the PPP server interface:

vsr running config# vrf main interface physical ntfp1 qos egress scheduler scheduler-1

Step 3: Configure the templates:

vsr running config# / vrf main ppp-server instance ppp-server-1 qos
vsr running qos# template premium-subscribers base-scheduler scheduler-1
vsr running qos#! template premium-subscribers queue prem-voip static-parent 2
vsr running qos#! template premium-subscribers queue prem-voip bandwidth 5M
vsr running qos# template premium-subscribers queue prem-data static-parent 2
vsr running qos#! template premium-subscribers queue prem-data bandwidth 2M

vsr running qos# template non-premium-subscribers base-scheduler scheduler-1
vsr running qos#! template non-premium-subscribers queue non-prem-voip static-parent 3
vsr running qos#! template non-premium-subscribers queue non-prem-voip bandwidth 3M
vsr running qos# template non-premium-subscribers queue non-prem-data  static-parent 3
vsr running qos#! template non-premium-subscribers queue non-prem-data bandwidth 1M

Once the configuration is in place, the Radius setup of a user should include its QoS template name. For instance, for a premium user, the attribute is 6WIND-qos-template-name = premium-subscribers.

PPP server state and KPIs

To display the state of a PPP server, use the following command:

dut-vm running vrf main# show state vrf main ppp-server instance ppp-server-1
    instance ppp-server-1
        enabled true
        single-session disable
        max-sessions 0
        max-starting 0
        log-level debug
        ppp
            verbose false
            min-mtu 100
            ipcp allow
            ipv6cp deny
            lcp
                echo-interval 0
                echo-failure 0
                ..
            ..
        pppoe
            enabled true
            verbose true
            padi-limit 0
            interface ntfp2
                padi-limit 5
                ..
            ip-pool pool1
            ip-pool pool2

The CLI also provides KPIs via the ppp-server-stats command:

dut-vm> show ppp-server-stats vrf main name ppp-server-1
    Sessions counters
    active    : 2
    starting  : 0
    finishing : 0

    PPPoE counters
    active        : 2
    starting      : 0
    PADI received : 2
    PADI dropped  : 0
    PADO sent     : 2
    PADR received : 2
    PADS sent     : 2

    Radius counters
    Radius server 1
    IP address               : 10.100.0.1
    state                    : active
    auth sent                : 88
    acct-start-stop sent     : 2
    acct-interim-update sent : 344
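
The counters above are cumulative, so they are most useful when two samples are compared. The following added example (not part of the 6WIND documentation) parses the output shown above and reports PADI drops, discovery requests that do not end in a session, and a Radius server whose state is not active. The function names, the second snapshot and the ratio threshold are assumptions made for the example.

```python
# Trimmed copy of this page's "show ppp-server-stats" output.
BASELINE = """\
Sessions counters
active    : 2
starting  : 0
finishing : 0
PPPoE counters
active        : 2
starting      : 0
PADI received : 2
PADI dropped  : 0
PADO sent     : 2
PADR received : 2
PADS sent     : 2
Radius counters
Radius server 1
IP address               : 10.100.0.1
state                    : active
auth sent                : 88
"""
# Constructed later snapshot: only the discovery counters have moved.
LATER = (BASELINE.replace("PADI received : 2", "PADI received : 5002")
         .replace("PADI dropped  : 0", "PADI dropped  : 4100")
         .replace("PADO sent     : 2", "PADO sent     : 902"))

def parse_stats(text):
    """Return {section: {counter: value}}; a line without ':' opens a section."""
    stats, section = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if ":" not in line:
            section = line
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        stats.setdefault(section, {})[key] = int(value) if value.isdigit() else value
    return stats

def discovery_findings(prev, cur, ratio=10):
    """Compare two snapshots; ratio is an assumed alerting threshold."""
    before, now = prev["PPPoE counters"], cur["PPPoE counters"]
    grew = {name: now[name] - before[name] for name in now}
    found = []
    if grew["PADI dropped"] > 0:
        found.append(f"PADI dropped +{grew['PADI dropped']}")
    if grew["PADI received"] > ratio * max(grew["PADS sent"], 1):
        found.append(f"PADI received +{grew['PADI received']} vs PADS sent +{grew['PADS sent']}")
    for name, counters in cur.items():
        if name.startswith("Radius server") and counters.get("state") != "active":
            found.append(f"{name} state is {counters.get('state')}")
    return found
```

Sections are tracked because "active" and "starting" appear under both the session and the PPPoE counters.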

6WIND attributes

Radius 6WIND vendor specific attributes list:

6WIND-limit
Description

This is the Traffic Limiting IPv4 attribute. PPP server supports the basic rate-limiting QoS policy, which means that if the rate-limit parameters are exceeded, the traffic is dropped. The attribute is a string with the following format: “type=cir cbs eir ebs unit”.

  • type: can take either “in” for ingress or “out” for egress.

  • cir: Committed Information Rate.

  • cbs: Committed Burst Size.

  • eir: Excess Information Rate.

  • ebs: Excess Burst Size.

  • unit: in pps or bps. The unit could also be set in kilo (kbps/kpps), in mega (mpps/mbps) or in giga (gpps/gbps).

6WIND-iface-rpf
Description

This is the Reverse Path Filtering attribute. This attribute is an integer, where “0” disables Reverse Path Filtering.

6WIND-qos-template-name
Description

This attribute is a string that contains the name of a hierarchical QoS template to be applied to the user.
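
An audit of one user's 6WIND attributes before they are loaded into the Radius server, as an added example that is not 6WIND code: it parses 6WIND-limit, reports a profile that disables reverse path filtering, and checks the QoS template name against the templates configured on the PPP server. The function names, the sample profile and the exact lexical form of the values (non-negative integers, lower-case unit) are assumptions.

```python
import re

# Assumptions: the four values are non-negative integers separated by spaces,
# and the unit is written in lower case as in the list above.
LIMIT_RE = re.compile(
    r"^(in|out)=(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([kmg]?(?:bps|pps))$")

def parse_limit(value):
    """Split a 6WIND-limit string 'type=cir cbs eir ebs unit' into a dict."""
    match = LIMIT_RE.match(value.strip())
    if match is None:
        raise ValueError(f"not in 'type=cir cbs eir ebs unit' form: {value!r}")
    direction, *numbers, unit = match.groups()
    cir, cbs, eir, ebs = map(int, numbers)
    return {"type": direction, "cir": cir, "cbs": cbs,
            "eir": eir, "ebs": ebs, "unit": unit}

def audit_profile(attributes, templates):
    """Return findings for (name, value) pairs, given the configured templates."""
    findings = []
    for name, value in attributes:
        if name == "6WIND-limit":
            try:
                parse_limit(value)
            except ValueError as exc:
                findings.append(f"{name}: {exc}")
        elif name == "6WIND-iface-rpf":
            try:
                if int(value) == 0:
                    findings.append(f"{name}: reverse path filtering is disabled")
            except ValueError:
                findings.append(f"{name}: not an integer: {value!r}")
        elif name == "6WIND-qos-template-name" and value not in templates:
            findings.append(f"{name}: no template named {value!r}")
    return findings

# Constructed profile; the template names are the ones configured on this page.
TEMPLATES = {"premium-subscribers", "non-premium-subscribers"}
PROFILE = [
    ("6WIND-limit", "in=1000 200 2000 400 kbps"),
    ("6WIND-limit", "out=10 mbps"),                      # too few values
    ("6WIND-iface-rpf", "0"),
    ("6WIND-qos-template-name", "premium-subscriber"),   # typo: missing "s"
]
```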

See also

Please refer to PPP server command reference for the complete list of supported options.