Intelligent Services Gateway Configuration Guide, Cisco IOS XE Release 3S
Dual-Stack Support for Simple IP Subscriber Sessions

The Dual-Stack Support for Simple IP Subscriber Sessions feature enables L2-connected, dual-stack IP over Ethernet (IPoE) sessions to be provisioned on the Cisco Intelligent Services Gateway (ISG). This module describes how to configure ISG to support IPv6 L2-connected sessions and dual-stack IP sessions.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Dual-Stack Support for Simple IP Subscriber Sessions

  • The subscriber must be Layer 2-connected.
  • The web or portal server should be a dual-stack host.
  • The ipv6 unicast-routing command needs to be enabled on the ISG to enable dual-stack sessions.
  • Either the IPv6 pool has to be configured in the ISG or the framed IPv6 prefix needs to be downloaded from RADIUS.
  • The ISG has to be configured with the respective TCs or services to ensure proper web or portal access.
  • You should be familiar with the concepts and tasks described in the “Configuring ISG Control Policies” module.

Restrictions for Dual Stack Support for Simple IP Subscriber Sessions

  • EoGRE or walkby is not supported for dual stack.
  • WebAuth is supported only on IPv4.
  • The IPv6 local pool cannot be associated with a VRF, so the address space is defined globally. This requires that the IPv6 address is not defined under the multi-service interface associated with a VRF. Also, non-VRF subscribers get the IPv6 prefix from the IPv6 pool defined for VRF subscribers. An IPv6 pool name therefore has to be specified as a mandatory parameter in the auth profile, as well as for unauth clients and RADIUS-timeout scenarios.
  • An IPv6 prefix assigned via an auth profile should not overlap with that of a locally defined IPv6 pool. If an IPv6 prefix from the local pool is assigned via an auth profile, ISG does not consider it as assigned. This may lead to the same prefix being allocated to another subscriber.
  • The VRF service has to be defined in AAA or RADIUS only as it cannot be defined locally in ISG and assigned via a service-policy map.
  • PBHK is not supported for IPv6 traffic. So, the IPv6 VRF client cannot access the portal in the global domain.
  • DNS info cannot be sent to a VRF client using the DHCPv6 server in ISG.
  • Dual stack session information cannot be queried through SNMP.
  • Overlapping address spaces are supported only for DHCP-initiated-VRF sessions and not for unclassified-MAC-VRF sessions.
  • The DHCP session restart does not work for VRF sessions with DHCP RENEW.
  • Data traffic is dropped when the access and service VRFs are different.
  • Each dual stack session supports up to a maximum of 3 traffic classes.
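
The overlap restriction above (auth-profile prefixes versus local pools) can be checked before prefixes are handed out. The following Python sketch is an added example, not part of the Cisco guide: it parses "ipv6 local pool" lines and flags RADIUS Framed-IPv6-Prefix values that overlap a local pool. The subscriber-to-prefix mapping and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the two local pools used in this guide's configuration examples.
ISG_CONFIG = """\
ipv6 local pool FIRST 9999::/48 64
ipv6 local pool RED 6868::/48 64
"""

# Constructed sample: Framed-IPv6-Prefix values per subscriber identity (hypothetical mapping).
AUTH_PROFILE_PREFIXES = {
    "aaaa.bbbb.cccc": "9999:0:0:12::/64",   # falls inside pool FIRST
    "aabb.cc01.9000": "2001:db8:0:1::/64",  # outside every local pool
    "0019.aa9f.6619": "6868::/40",          # covers all of pool RED
}

# Matches 'ipv6 local pool <name> <prefix> <assigned-length>', ignoring trailing annotations.
POOL_RE = re.compile(r"^\s*ipv6 local pool (\S+) (\S+) (\d+)\b", re.MULTILINE)


def parse_local_pools(config_text):
    """Return {pool_name: (IPv6Network, assigned_prefix_len)} from the config text."""
    pools = {}
    for name, prefix, assigned_len in POOL_RE.findall(config_text):
        pools[name] = (ipaddress.IPv6Network(prefix, strict=False), int(assigned_len))
    return pools


def find_overlaps(pools, profile_prefixes):
    """List (identity, prefix, pool_name) for each auth-profile prefix overlapping a pool."""
    hits = []
    for identity, text in sorted(profile_prefixes.items()):
        net = ipaddress.IPv6Network(text, strict=False)
        for pool_name, (pool_net, _) in sorted(pools.items()):
            # overlaps() is true when either network contains the other
            if net.overlaps(pool_net):
                hits.append((identity, str(net), pool_name))
    return hits


if __name__ == "__main__":
    for identity, prefix, pool in find_overlaps(parse_local_pools(ISG_CONFIG),
                                                AUTH_PROFILE_PREFIXES):
        print(f"{identity}: {prefix} overlaps local pool {pool}")
```

Any hit means the local pool can still allocate the same /64 to another subscriber, so either move the auth-profile prefix out of the pool range or shrink the pool.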

Information About Dual Stack Support for Simple IP Subscriber Sessions

Features supporting Dual Stack simple IP sessions

The following ISG features support dual stack implementation:

  • Per-user and Per-Flow Postpaid Accounting
  • Per-user and Per-Flow Idle Timeout
  • Dynamic Rate Limiting (DRL)
  • Traffic Class and layer 4 redirect (L4R)

How to Configure Dual Stack Support for Simple IP Subscriber Sessions

Configuring Dual Stack Support on ISG

Dual stack can be configured in ISG for both MAC TAL and WebAuth subscribers.

To configure dual stack for MAC TAL users, perform the following actions:

  • Configure the class map
  • Define the services
  • Associate the service to the control policy

To configure dual stack for WebAuth users, perform the following actions:

  • Configure the ACL
  • Configure the class map
  • Define the services
  • Associate the service to the control policy

Verifying Dual Stack Support on ISG

To verify the dual stack configuration on an ISG device, use any of the following show commands, in any order, in privileged EXEC mode.

SUMMARY STEPS

    1.    show subscriber session detail

    2.    show ip subscriber detail


DETAILED STEPS
    Step 1   show subscriber session detail


    Example:
    #---------------------------
    #  IPV4/IPv6 Session
    #---------------------------
     
    ISG#show subscriber session detail
    Current Subscriber Information: Total sessions 1
    --------------------------------------------------
    Type: IPv4/IPv6, UID: 256, State: authen, Identity: aaaa.bbbb.cccc
    IPv4 Address: 11.11.11.2 
    IPv6 Address: 5001::
    Session Up-time: 00:00:26, Last Changed: 00:00:09
    Switch-ID: 5015
     
    Policy information:
      Context 7F0D2045B278: Handle 4A0001BB
      AAA_id 0000010C: Flow_handle 0
      Authentication status: authen
      Downloaded User profile, excluding services:
        service-type         0   2 [Framed]
      Downloaded User profile, including services:
        service-type         0   2 [Framed]
      Config history for session (recent to oldest):
        Access-type: IP Client: SM
         Policy event: Service Selection Request
          Profile name: aaaa.bbbb.cccc, 2 references 
            service-type         0   2 [Framed]
      Rules, actions and conditions executed:
        subscriber rule-map TAL
          condition always event session-start
            10 authorize identifier mac-address
     
    Classifiers:
    Class-id    Dir   Packets    Bytes                  Pri.  Definition
    0           In    10         1112                   0    Match Any
    1           Out   9          1026                   0    Match Any
     
    Configuration Sources:
    Type  Active Time  AAA Service ID  Name
    USR   00:00:26     -               Peruser
    INT   00:00:26     -               FastEthernet0/0/2
     
    #--------------------------- 
    #  DHCPV4/IPv6 Session
    #---------------------------
    
    ISG#show subscriber session detail
    Current Subscriber Information: Total sessions 1
    --------------------------------------------------
    Type: DHCPv4/IPv6, UID: 256, State: authen, Identity: aaaa.bbbb.cccc
    IPv4 Address: 11.11.11.2 
    IPv6 Address: 5001::
    Session Up-time: 00:00:26, Last Changed: 00:00:09
    Switch-ID: 5015
     
    Policy information:
      Context 7F0D2045B278: Handle 4A0001BB
      AAA_id 0000010C: Flow_handle 0
      Authentication status: authen
      Downloaded User profile, excluding services:
        service-type         0   2 [Framed]
      Downloaded User profile, including services:
        service-type         0   2 [Framed]
      Config history for session (recent to oldest):
        Access-type: IP Client: SM
         Policy event: Service Selection Request
          Profile name: aaaa.bbbb.cccc, 2 references 
            service-type         0   2 [Framed]
      Rules, actions and conditions executed:
        subscriber rule-map TAL
          condition always event session-start
            10 authorize identifier mac-address
     
    Classifiers:
    Class-id    Dir   Packets    Bytes                  Pri.  Definition
    0           In    10         1112                   0    Match Any
    1           Out   9          1026                   0    Match Any
     
    Configuration Sources:
    Type  Active Time  AAA Service ID  Name
    USR   00:00:26     -               Peruser
    INT   00:00:26     -               FastEthernet0/0/2
    

    Step 2   show ip subscriber detail


    Example:
    ISG#show ip subscriber detail
    IP subscriber: 0019.aa9f.6619, type connected, status up
      display uid: 196, aaa uid: 1229
      segment id: 38589, session hdl: 0x71000296, shdb: 0x8000162
      session initiator: unclassified traffic dhcp discovery
      access interface: GigabitEthernet0/2/0
      access address: 2001::
      service address: 2001::
      access address: 12.1.1.27
      service address: 12.1.1.27
      status: IPv4 - Up  IPv6 - Up
      conditional debug flag: 0x0
      control plane state: connected, start time: 00:03:01
      data plane state: connected, start time: 00:03:01
      arp entry: 12.1.1.27, GigabitEthernet0/2/0
      route: 2001::/64 -> GigabitEthernet0/2/0
      forwarding statistics:
        packets total: received 0, sent 0
        bytes total: received 0, sent 0
        packets dropped: 0, bytes dropped: 0
      hardware forwarding statistics:
        packets total: received 2, sent 0
        bytes total: received 164, sent 0
    


    Verifying L2 Roaming on ISG

    Use the show ip subscriber detail command to verify that the ISG subscriber has successfully roamed to a new interface. On comparing the outputs of this command before and after roaming, you will notice that UID and AAA UID remain the same even after the access interface is changed.

    SUMMARY STEPS

      1.    show ip subscriber detail (Before roaming)

      2.    show ip subscriber detail (After roaming)


    DETAILED STEPS
      Step 1   show ip subscriber detail (Before roaming)

      Example:
      #------------------------------
      # Command output before roaming
      #------------------------------
      IP subscriber: aabb.cc01.9000, type connected, status up
        display uid: 1, aaa uid: 12                  # Note UID and AAA UID
        segment id: 4098, session hdl: 0xF4000001, shdb: 0x3E000001
        session initiator: unclassified traffic
        access interface: Ethernet0/0.10             # Note access interface
        access address: 1.1.1.2
        service address: 1.1.1.2
        status: IPv4 - Up  IPv6 - Down
        conditional debug flag: 0x0
        control plane state: connected, start time: 00:00:04
        data plane state: connected, start time: 00:00:04
        arp entry: 1.1.1.2, Ethernet0/0.10
        forwarding statistics:
          packets total: received 8, sent 7
          bytes total: received 944, sent 798
          packets dropped: 0, bytes dropped: 0
        hardware forwarding statistics:
          packets total: received 0, sent 0
          bytes total: received 0, sent 0
      
       

       

      Step 2   show ip subscriber detail (After roaming)

      Example:
      #-----------------------------
      # Command output after roaming
      #-----------------------------
      IP subscriber: aabb.cc01.9000, type connected, status up
        display uid: 1, aaa uid: 12                  # No change in UID and AAA UID
        segment id: 4098, session hdl: 0xF4000001, shdb: 0x3E000001
        session initiator: unclassified traffic
        access interface: Ethernet0/0.20             # Change in access interface
        access address: ::
        service address: ::
        access address: 1.1.1.2
        service address: 1.1.1.2
        status: IPv4 - Up  IPv6 - Down
        conditional debug flag: 0x0
        control plane state: connected, start time: 00:00:52
        data plane state: connected, start time: 00:00:52
        arp entry: 1.1.1.2, Ethernet0/0.20
        route: 1.1.1.2 -> Ethernet0/0.20
        forwarding statistics:
          packets total: received 18, sent 17
          bytes total: received 2124, sent 1938
          packets dropped: 0, bytes dropped: 0
        hardware forwarding statistics:
          packets total: received 0, sent 0
          bytes total: received 0, sent 0
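
The before/after comparison described above can be automated. The following Python sketch is an added example, not part of the Cisco guide: it parses "show ip subscriber detail" output and confirms that UID and AAA UID are unchanged while the access interface differs. The sample text is a trimmed, constructed copy of the outputs above, and the function names are hypothetical.

```python
import re

# Constructed samples: trimmed copies of the before/after outputs shown in this section.
BEFORE = """\
IP subscriber: aabb.cc01.9000, type connected, status up
  display uid: 1, aaa uid: 12      # Note UID and AAA UID
  access interface: Ethernet0/0.10
  access address: 1.1.1.2
  status: IPv4 - Up  IPv6 - Down
"""
AFTER = """\
IP subscriber: aabb.cc01.9000, type connected, status up
  display uid: 1, aaa uid: 12
  access interface: Ethernet0/0.20
  access address: ::
  access address: 1.1.1.2
  status: IPv4 - Up  IPv6 - Down
"""

def parse_subscribers(output):
    """Parse 'show ip subscriber detail' text into {mac: fields}, one entry per subscriber."""
    subs, cur = {}, None
    for line in output.splitlines():
        line = line.split("#", 1)[0].strip()   # drop the guide's '# Note ...' annotations
        if m := re.match(r"IP subscriber: (\S+), type (\S+), status (\S+)", line):
            cur = subs.setdefault(m.group(1), {"status": m.group(3), "access_addresses": []})
        elif cur is None:
            continue                           # banner or prompt lines before the first block
        elif m := re.match(r"display uid: (\d+), aaa uid: (\d+)", line):
            cur["uid"], cur["aaa_uid"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"access interface: (\S+)", line):
            cur["access_interface"] = m.group(1)
        elif m := re.match(r"access address: (\S+)", line):
            cur["access_addresses"].append(m.group(1))
        elif m := re.match(r"status: IPv4 - (\S+)\s+IPv6 - (\S+)", line):
            cur["ipv4"], cur["ipv6"] = m.group(1), m.group(2)
    return subs

def check_roam(before, after, mac):
    """Return (ok, reasons): session identity kept, interface changed, session still up."""
    b, a = parse_subscribers(before)[mac], parse_subscribers(after)[mac]
    reasons = []
    if (b["uid"], b["aaa_uid"]) != (a["uid"], a["aaa_uid"]):
        reasons.append("UID/AAA UID changed: a new session was created instead of a roam")
    if b["access_interface"] == a["access_interface"]:
        reasons.append("access interface unchanged")
    if a["status"] != "up":
        reasons.append("subscriber not up after roaming")
    return (not reasons, reasons)
```

A changed UID or AAA UID for the same MAC address means the subscriber was re-created rather than roamed, which is worth correlating with authentication and accounting records.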
      
       

       

      Configuration Examples for Dual Stack Support for Simple IP Subscriber Sessions

      Example: Configuring Simple IP Dual Stack with MAC TAL

      !-----------------------------
      ! Configure the IPv6 pool
      !-----------------------------
      !
      access-list 101 permit ip host 22.22.22.1 any
      access-list 101 permit icmp host 22.22.22.1 any
      ipv6 route 2001:420:54FF:4::400:0/119 2001:420:54FF:4::400:1
      ! To support IPv6 on the existing v4 box
      ipv6 local pool FIRST 9999::/48 64
      ipv6 local pool RED 6868::/48 64
      !
      !-----------------------------
      ! Enable IPv6 on the interface
      !-----------------------------
      !
      ! Configuring the core interface
      interface GigabitEthernet0/0/0
       ip address 9.27.52.4 255.255.0.0
       ip portbundle outside
       negotiation auto
       ipv6 enable
      !
      ! Configuring the access interface
      interface GigabitEthernet0/0/1
       ip unnumbered Loopback68
       negotiation auto
       ipv6 enable
       service-policy type control START_WEB
       ip subscriber l2-connected
        initiator unclassified mac-address
        initiator dhcp
      !
      

      Example: Configuring Simple IP Dual Stack with Web Auth

      !-----------------------------
      ! Configure the IPv6 pool
      !-----------------------------
      !
      access-list 101 permit ip host 22.22.22.1 any
      access-list 101 permit icmp host 22.22.22.1 any
      ipv6 route 2001:420:54FF:4::400:0/119 2001:420:54FF:4::400:1
      ! To support IPv6 on the existing v4 box
      ipv6 local pool FIRST 9999::/48 64
      ipv6 local pool RED 6868::/48 64
      !
      !-----------------------------
      ! Enable IPv6 on the interface
      !-----------------------------
      !
      ! Configuring the core interface
      interface GigabitEthernet0/0/0
       ip address 9.27.52.4 255.255.0.0
       ip portbundle outside
       negotiation auto
       ipv6 enable
      !
      ! Configuring the access interface
      interface GigabitEthernet0/0/1
       ip unnumbered Loopback68
       negotiation auto
       ipv6 enable
       service-policy type control START_WEB
       ip subscriber l2-connected
        initiator unclassified mac-address
        initiator dhcp
      !
      !-----------------------------
      ! Configure policy
      !-----------------------------
      !
      ! Configuring IPv6 ACL
      ipv6 access-list TCPv6
       permit tcp any any
      !
      ipv6 access-list TCPv6_ALL
       permit tcp any any
      !
      ! Configuring the class map for IPv6 traffic
      class-map type traffic match-any TCPv6
       match access-group input name TCPv6
       match access-group output name TCPv6
      !
      ! The IPv4 ACL named TCPv4 matched here is not shown in this example
      class-map type traffic match-any TCPv4
       match access-group input name TCPv4
       match access-group output name TCPv4
      !
      policy-map type service L4Rv4
       class type traffic TCPv4
        redirect to ip 18.18.18.18 port 8080
       !
      !
      ! Service definition for IPv6
      policy-map type service L4Rv6
       class type traffic TCPv6
        redirect to ip 1818::1818 port 80
       !
      !
      ! UNAUTH_COND, PBHK and List1 are referenced below but not defined in this example
      policy-map type control START_WEB
       class type control UNAUTH_COND event timed-policy-expiry
        10 service disconnect
       !
       class type control always event session-start
        8 service-policy type service name PBHK
        9 authorize identifier mac-address
        ! Associating the service to the control policy
        11 service-policy type service name L4Rv6
        12 service-policy type service name L4Rv4
        15 set-timer UNAUTH_TIMER 10
       !
       class type control always event session-restart
        8 service-policy type service name PBHK
        9 authorize identifier mac-address
        11 service-policy type service name L4Rv6
        12 service-policy type service name L4Rv4
        15 set-timer UNAUTH_TIMER 10
       !
       class type control always event account-logon
        2 authenticate aaa list List1
        14 service-policy type service unapply name L4Rv6
        15 service-policy type service unapply name L4Rv4
       !
      !
      

      Additional References

      Related Documents

      Related Topic                                            Document Title
      Cisco IOS commands                                       Master Command List, All Releases
      ISG commands                                             ISG Command Reference
      Dual stack for mobile IP subscriber sessions             Dual Stack Support for PMIPv6 and GTP
      Call flows for dual stack mobile IP subscriber sessions  Call Flows for Dual-Stack PMIPv6 and GTP
      ISG Access for IP Subscriber Sessions                    "Configuring ISG Access for IP Subscriber Sessions" module in the Intelligent Services Gateway Configuration Guide

      Standards and RFCs

      Standard/RFC  Title
      RFC 4241      A Model of IPv6/IPv4 Dual Stack

      Feature Information for Dual Stack Support for Simple IP Subscriber Sessions

      The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

      Table 1 Feature Information for Dual Stack Support for Simple IP Subscriber Sessions

      Feature Name: Dual Stack Support for Simple IP Subscriber Sessions
      Releases: Cisco IOS XE Release 3.11S
      Feature Information: The Dual Stack Support for Simple IP Subscriber Sessions enables L2-connected, dual-stack IP over Ethernet (IPoE) sessions to be provisioned on the Cisco Intelligent Services Gateway (ISG). The following command was modified: initiator unclassified mac-address.