Cisco IOS Intelligent Service Gateway Configuration Guide, Release 12.2 SB
Configuring ISG VRF Transfer (Cisco IOS Release 12.2(28)SB)


First Published: March 20, 2006
Last Updated: March 20, 2006

Intelligent Service Gateway (ISG) is a Cisco IOS software feature set that provides a structured framework in which edge devices can deliver flexible and scalable services to subscribers. ISG VRF transfer enables an ISG subscriber session to move from one virtual routing or forwarding instance (VRF) to another following selection of a new primary service. Once a session has transferred into the target VRF, all upstream and downstream packets are routed using the new routing table, and all subscriber features operate in the context of the new VRF.


Note: This document applies to Cisco IOS Release 12.2(28)SB only. For information about configuring VRF transfer in Cisco IOS Release 12.2(31)SB2 or later releases, see the chapter "Configuring ISG Access for IP Subscriber Sessions."


Finding Feature Information in This Module

Your Cisco IOS software release may not support all features. To find information about feature support and configuration and platform requirements, use the "Feature Information for ISG VRF Transfer" section.

Contents

Prerequisites for ISG VRF Transfer

Restrictions for ISG VRF Transfer

Information About Configuring ISG VRF Transfer

How to Configure ISG VRF Transfers

Configuration Examples for ISG VRF Transfers

Additional References

Feature Information for ISG VRF Transfer

Prerequisites for ISG VRF Transfer

For information about release and platform support, see the "Feature Information for ISG VRF Transfer" section.

Restrictions for ISG VRF Transfer

ISG VRF transfer is not supported on the Cisco 10000-PRE2.

ISG VRF transfer is supported only for PPP sessions and for IP sessions that use DHCP as the method of IP address assignment.

Without PPP renegotiation, a VRF switch is not supported for PPP sessions.

ISG does not support VRF transfers for IP interface sessions and IP subnet sessions.

The Microsoft Windows XP PPPoE client does not support ISG VRF transfer.

ISG VRF transfer for PPP sessions works only with PPP clients that can restart IPCP without disconnecting the PPP/LCP session.

Information About Configuring ISG VRF Transfer

Before you configure ISG VRF transfer, you should understand the following concepts:

ISG VRF Transfer Overview

Benefits of ISG VRF Transfer

VRF Transfer for PPP Sessions

VRF Transfer for IP Sessions

Service Model for VRF Transfers

ISG VRF Transfer Overview

The ISG model stipulates that there must be a single routing or forwarding domain per subscriber. If the network service is routing, the subscriber must be assigned an address that is routable in the specified VRF.

When a subscriber session is transferred from one VRF to another, it is effectively entering a new addressing domain that may or may not overlap the subscriber's previous domain. Consequently, the subscriber's network-facing address must be altered accordingly so that packets can be correctly routed back from within the service domain.

ISG VRF transfer is necessary when a subscriber's identity and subscribed services cannot be determined without interaction with a web portal. A local routing context is required, at least initially, so that IP packets may be routed to and from the portal server. Following portal-based service selection, the subscriber would typically need to be transferred into the VRF associated with the selected service domain. Following a VRF transfer, the subscriber must also receive an address that is routable in this new domain.

Benefits of ISG VRF Transfer

The need for switching of a subscriber session between routing and forwarding domains (also called network services) occurs frequently in markets where so-called equal access networking must be supported. Equal access networking is often mandated by regulatory rules stating that an access provider should allow service providers equal access to a retail subscriber network. The ISG VRF Transfer feature facilitates equal access networking by allowing subscribers to transfer between network services.

VRF Transfer for PPP Sessions

Once a PPP session comes up with the IP address from the network access point (NAP), the subscriber can access a web portal and choose a service provider. On VRF transfers in PPP sessions, ISG must reassign the IP address from the new domain to the PPP session. In PPP sessions, the IP address is reassigned by IPCP renegotiation.

Without PPP renegotiation, VRF transfer is not supported for PPP sessions.

VRF Transfer for IP Sessions


Note: VRF transfer is supported only for IP sessions that use DHCP as the method of IP address assignment.


If ISG is adjacent to the subscriber device and serves as a DHCP relay or server, DHCP can be used to assign subscribers domain-specific addresses.

In order for VRF transfers to be supported, it is strongly recommended that DHCP be configured with short initial leases. Because there is currently no provision for a forced DHCP renew function, existing subscriber addresses can only be altered once the current lease has expired. Subscribers will not have access to the selected domain before the next DHCP renew request is received. Using short initial lease times minimizes the interval between a VRF change and a DHCP renew. If long lease times are used, an out-of-band method of initiating IP address change should be implemented.

When DHCP can be used to assign a new address at the subscriber device, subnet-based VRF selection can be used to bring about the transfer. Subnet-based VRF selection (also known as VRF autoclassify) is a feature that selects the VRF at the ingress port on the basis of the source IP subnet address.

Service Model for VRF Transfers

A primary service is a service that contains a network-forwarding policy (such as a VRF) in its service definition. Only one primary service at a time can be activated for a session. A secondary service is any service that does not contain a network-forwarding policy.

When a subscriber for whom a primary service has already been activated tries to select another primary service, ISG will deactivate all current services (including the current primary service) and activate the new primary service, and hence switch the VRF.

When a subscriber for whom a primary service has already been activated tries to select a secondary service, the action taken by ISG depends on whether the secondary service is part of a service group. A service group is a grouping of services that may be simultaneously active for a given session. Typically, a service group includes one primary service and one or more secondary services. Table 26 describes the action that ISG will take when a subscriber selects a secondary service.

Table 26 ISG Activation Policy for Secondary Services

Primary Service Characteristics                  Secondary Service Characteristics               Resulting Behavior at ISG
-----------------------------------------------  ----------------------------------------------  --------------------------------------
Primary service with no service group attribute  Secondary service with service group            Do not bring up the secondary service.
Primary service with no service group attribute  Secondary service with no service group         Bring up the secondary service.
Primary service with service group attribute     Secondary service with different service group  Do not bring up the secondary service.
Primary service with service group attribute     Secondary service with same service group       Bring up the secondary service.
Primary service with service group attribute     Secondary service with no service group         Bring up the secondary service.
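
The activation rules above, including Table 26, expressed as a small model. This is an added example, not Cisco code; every service name other than ISP-RED and RED-GROUP is hypothetical, and the handling of a secondary service selected before any primary service is active is an assumption, because the page does not cover that case.

```python
"""Added example: model of the ISG service activation rules and Table 26."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Service:
    name: str
    vrf: Optional[str] = None    # network-forwarding policy; set => primary service
    group: Optional[str] = None  # sg-service-group, if any

    @property
    def is_primary(self) -> bool:
        return self.vrf is not None


@dataclass
class Session:
    primary: Optional[Service] = None
    secondaries: list = field(default_factory=list)

    @property
    def vrf(self) -> Optional[str]:
        """VRF the session currently routes in (None = no primary service yet)."""
        return self.primary.vrf if self.primary else None

    def select(self, svc: Service) -> bool:
        """Apply the activation policy; return True if the service is brought up."""
        if svc.is_primary:
            # A new primary deactivates all current services (including the old
            # primary) and the session switches to the new service's VRF.
            self.secondaries.clear()
            self.primary = svc
            return True
        if self.primary is None:
            # Assumption: not covered on the page; treated here as allowed.
            self.secondaries.append(svc)
            return True
        # Table 26: an ungrouped secondary always comes up; a grouped secondary
        # comes up only if the active primary carries the same service group.
        allowed = svc.group is None or svc.group == self.primary.group
        if allowed:
            self.secondaries.append(svc)
        return allowed


if __name__ == "__main__":
    red = Service("ISP-RED", vrf="RED", group="RED-GROUP")
    blue = Service("ISP-BLUE", vrf="BLUE")  # hypothetical primary, no group
    s = Session()
    s.select(red)
    for sec in (Service("filter-a", group="RED-GROUP"),
                Service("filter-b", group="OTHER-GROUP"),
                Service("filter-c")):
        print(sec.name, "->", "up" if s.select(sec) else "rejected")
    s.select(blue)  # VRF transfer: secondaries from the RED session are gone
    print("vrf:", s.vrf, "active secondaries:", [x.name for x in s.secondaries])
```
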


How to Configure ISG VRF Transfers

This section contains the following tasks:

Specifying a VRF in a Service Policy Map

Enabling ISG VRF Transfer for PPP Sessions

Enabling ISG VRF Transfer for IP Sessions Using DHCP for IP Address Assignment

Specifying a VRF in a Service Policy Map

VRF transfer occurs when a new primary service is activated for a session, causing the session to transfer from one VRF to another. Services can be configured in service profiles on an external AAA server or they can be configured on the ISG device in service policy maps. Perform this task to configure a VRF in a service policy map on the ISG device.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map type service policy-map-name

4. ip vrf forwarding name-of-vrf

5. sg-service-type primary

6. sg-service-group service-group-name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

policy-map type service policy-map-name

Example:

Router(config)# policy-map type service service1

Creates or modifies a service policy map, which is used to define an ISG service.

Step 4 

ip vrf forwarding name-of-vrf

Example:

Router(config-service-policymap)# ip vrf forwarding blue

Associates the service with a VRF.

Step 5 

sg-service-type primary

Example:

Router(config-service-policymap)# sg-service-type primary

Defines the service as a primary service.

A primary service is a service that contains a network-forwarding policy. A primary service must be defined as a primary service by using the sg-service-type primary command. Any service that is not a primary service is defined as a secondary service by default.

Step 6 

sg-service-group service-group-name

Example:

Router(config-service-policymap)# sg-service-group group1

(Optional) Associates an ISG service with a service group.

A service group is a grouping of services that may be active simultaneously for a given session. Typically, a service group includes one primary service and one or more secondary services.

What to Do Next

If you are using DHCP to assign IP addresses to subscribers after switching VRFs, perform the task in the "Configuring VRF Autoclassify" section.

Enabling ISG VRF Transfer for PPP Sessions

To enable VRF transfer for PPP sessions, perform the following procedures:

1. Specify a VRF in a service policy map or service profile. See the "Specifying a VRF in a Service Policy Map" section.

2. Configure support for PPP sessions by configuring a virtual template and method of IP address allocation. Note that the original VRF, loopback interface, and IP address pool must be specified in a virtual template rather than in a user profile in order for VRF transfer to work. For information about how to configure virtual templates and support for PPP sessions, see the Cisco IOS Dial Technologies Configuration Guide.

3. Optionally, verify the configuration.

4. Troubleshoot the configuration as needed.

This section contains the following tasks:

Verifying VRF Transfer for PPP Sessions

Troubleshooting VRF Transfer for PPP Sessions

Verifying VRF Transfer for PPP Sessions

Perform this task to verify VRF transfer for PPP sessions. All of the show steps are optional and may be performed in any order.

SUMMARY STEPS

1. enable

2. show subscriber session all

3. show idmgr {service key session-handle session-handle service-key service | session key {domainip-vrf ip-address ip-address vrf-id vrf-id | ip-address ip-address | mac-address mac-address | nativeip-vrf ip-address ip-address vrf-id vrf-id | portbundle ip ip-address bundle bundle-number | session-handle session-handle}}

4. show ip route [vrf vrf-name]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

show subscriber session all

Example:

Router# show subscriber session all

Displays information pertaining to the service chosen by the subscriber.

Step 3 

show idmgr {service key session-handle session-handle service-key service | session key {domainip-vrf ip-address ip-address vrf-id vrf-id | ip-address ip-address | mac-address mac-address | nativeip-vrf ip-address ip-address vrf-id vrf-id | portbundle ip ip-address bundle bundle-number | session-handle session-handle}}

Example:

Router# show idmgr session key ip-address 10.0.0.1

Displays information related to ISG session and service identity.

Step 4 

show ip route [vrf vrf-name]

Example:

Router# show ip route

Displays the current state of the routing table.

Troubleshooting VRF Transfer for PPP Sessions

Use the commands in this procedure when you troubleshoot VRF transfer for PPP sessions. All of the debug commands are optional and may be entered in any order.

SUMMARY STEPS

1. enable

2. debug subscriber feature name ip_config {event | error}

3. debug ppp negotiation

4. debug ip routing

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

debug subscriber feature name ip_config {event | error}

Example:

Router# debug subscriber feature name ip_config event

Displays diagnostic information about the installation and removal of the IP configuration feature on ISG subscriber sessions.

Step 3 

debug ppp negotiation

Example:

Router# debug ppp negotiation

Displays PPP packets sent during PPP startup, where PPP options are negotiated.

Step 4 

debug ip routing

Example:

Router# debug ip routing

Displays information on Routing Information Protocol (RIP) routing table updates and route cache updates.

Enabling ISG VRF Transfer for IP Sessions Using DHCP for IP Address Assignment

To enable VRF transfers for IP sessions in which ISG is adjacent to the subscriber device and DHCP can be used to influence the IP address assignment, perform the following procedures:

1. Specify a VRF in a service policy map or service profile.

2. Configure VRF autoclassify, which associates incoming packets from a subscriber with the appropriate VRF at the ingress interface so that addresses in the service domain are reachable.

3. Configure DHCP to assign subscribers IP addresses when they switch VRFs. For more information about how to configure DHCP to support ISG, see the section Assigning IP Addresses Using DHCP, in the "Managing ISG Subscriber IP Addresses (Cisco IOS Release 12.2(28)SB)" module.

4. Verify the configuration.

This section contains the following tasks:

Configuring VRF Autoclassify

Verifying VRF Transfer for IP Sessions

Configuring VRF Autoclassify

Perform this task to enable VRF autoclassify, which associates incoming packets from the subscriber with the appropriate VRF at the ingress interface so that addresses in the service domain are reachable. For more information about VRF autoclassify, see the VRF-Autoclassify release 12.2(27)SB new-feature document.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. ip vrf forwarding vrf-name

5. ip address ip-address mask [secondary [vrf vrf-name]]

6. ip vrf autoclassify source

7. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

interface type number

Example:

Router(config)# interface ethernet 0

Selects an interface for configuration and begins interface configuration mode.

Step 4 

ip vrf forwarding vrf-name

Example:

Router(config-if)# ip vrf forwarding blue

Associates an interface with a VRF.

The specified VRF determines the address associated with a primary and secondary IP address. However, it may be overridden per subnet for secondary addresses.

Step 5 

ip address ip-address mask [secondary [vrf vrf-name]]

Example:

Router(config-if)# ip address 10.0.0.1 255.255.255.0

Router(config-if)# ip address 10.1.1.1 255.255.255.0 secondary vrf red

Sets a primary and secondary IP address for an interface.

secondary—Specifies that the configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address.

vrf—Adds a connected route for the subnet corresponding to the secondary IP address into a service provider's VRF.

Note: In this configuration, you must set up a primary interface and one or more secondary VRF interfaces for VRF transfer.

Step 6 

ip vrf autoclassify source

Example:

Router(config-if)# ip vrf autoclassify source

Causes incoming packets on the interface to be marked with the VRF associated with the subnet specified by the ip address command.

Step 7 

end

Example:

Router(config-if)# end

(Optional) Returns to privileged EXEC mode.

What to Do Next

Configure DHCP to assign IP addresses to subscribers when they switch VRFs. For information about how to configure DHCP to support ISG, see the "Managing ISG Subscriber IP Addresses (Cisco IOS Release 12.2(28)SB)" module.

Verifying VRF Transfer for IP Sessions

Perform the steps in the following task as needed to verify VRF transfer for IP sessions.

SUMMARY STEPS

1. enable

2. show subscriber session uid session-identifier detail

3. show ip subscriber [vrf vrf-name]

4. show idmgr {service key session-handle session-handle service-key service | session key {domainip-vrf ip-address ip-address vrf-id vrf-id | ip-address ip-address | mac-address mac-address | nativeip-vrf ip-address ip-address vrf-id vrf-id | portbundle ip ip-address bundle bundle-number | session-handle session-handle}}

5. show ip route [vrf vrf-name]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

show subscriber session uid session-identifier detail

Example:

Router# show subscriber session uid 4 detail

Displays information about ISG subscriber sessions with a specific session identifier.

Step 3 

show ip subscriber [vrf vrf-name]

Example:

Router# show ip subscriber vrf red

Displays information pertaining to the subscriber's VRF.

Step 4 

show idmgr {service key session-handle session-handle service-key service | session key {domainip-vrf ip-address ip-address vrf-id vrf-id | ip-address ip-address | mac-address mac-address | nativeip-vrf ip-address ip-address vrf-id vrf-id | portbundle ip ip-address bundle bundle-number | session-handle session-handle}}

Example:

Router# show idmgr session key ip-address 10.0.0.1

Displays information related to ISG session and service identity.

Step 5 

show ip route [vrf vrf-name]

Example:

Router# show ip route

Displays the current state of the routing table.

Troubleshooting VRF Transfer for IP Sessions

The commands in this procedure can be used to troubleshoot VRF transfer for IP sessions. The debug commands are not required and can be entered in any order.

SUMMARY STEPS

1. enable

2. debug subscriber {event | error | packet | policy | service}

3. debug ip subscriber {event | error | packet | fsm | all}

4. debug subscriber policy detail dpm event

5. debug dhcp [detail]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

debug subscriber {event | error | packet | policy | service}

Example:

Router# debug subscriber service

Displays debugging messages pertaining to subscriber policies, policy server events, and changes to service.

Step 3 

debug ip subscriber {event | error | packet | fsm | all}

Example:

Router# debug ip subscriber error

Displays debugging messages pertaining to an IP session created on the service gateway.

Step 4 

debug subscriber policy detail dpm event

Example:

Router# debug subscriber policy detail dpm event

Displays detailed diagnostic information about policy execution that is related to DHCP events.

Step 5 

debug dhcp [detail]

Example:

Router# debug dhcp

Displays debugging information about the DHCP client activities and monitors the status of DHCP packets.

Configuration Examples for ISG VRF Transfers

This section contains the following examples:

VRF Transfer for IP Sessions Using DHCP for IP Addressing: Example

VRF Transfer for PPP Sessions Using IPCP Renegotiation: Example

VRF Transfer for IP Sessions Using DHCP for IP Addressing: Example

The following example shows how to enable VRF autoclassify:

interface ethernet0/0
  ip vrf forwarding red
  ip address 10.0.0.1 255.255.255.0
  ip address 20.0.0.1 255.255.255.0 secondary vrf blue
  ip address 30.0.0.1 255.255.255.0 secondary vrf green
  ip vrf autoclassify source
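
Because autoclassify picks the VRF from the source subnet, a missing command or overlapping subnets on the ingress interface decide which routing domain a subscriber's packets enter. The following added example (not Cisco tooling) parses an interface stanza modelled on the one above, maps a source address to its VRF, and flags those two conditions; longest-prefix matching for overlapping subnets and the `None` result for unmatched sources are assumptions, since the page does not describe either case.

```python
"""Added example: audit an interface stanza for subnet-based VRF selection."""
import ipaddress

# Constructed sample, modelled on the example configuration above.
SAMPLE = """\
interface ethernet0/0
 ip vrf forwarding red
 ip address 10.0.0.1 255.255.255.0
 ip address 20.0.0.1 255.255.255.0 secondary vrf blue
 ip address 30.0.0.1 255.255.255.0 secondary vrf green
 ip vrf autoclassify source
"""


def parse_interface(text):
    """Return ([(subnet, vrf), ...], autoclassify_enabled) for one stanza."""
    iface_vrf, raw, autoclassify = None, [], False
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "vrf", "forwarding"] and len(tok) == 4:
            iface_vrf = tok[3]
        elif tok[:4] == ["ip", "vrf", "autoclassify", "source"]:
            autoclassify = True
        elif tok[:2] == ["ip", "address"] and len(tok) >= 4:
            net = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
            vrf = None
            if "vrf" in tok[4:-1]:
                # "secondary vrf <name>" overrides the interface VRF per subnet.
                vrf = tok[tok.index("vrf", 4) + 1]
            raw.append((net, vrf))
    # Subnets without their own VRF use the interface VRF (None = global table).
    return [(n, v or iface_vrf) for n, v in raw], autoclassify


def classify(src, subnets):
    """VRF selected for a source address, or None when no subnet matches."""
    addr = ipaddress.ip_address(src)
    hits = [(n.prefixlen, v) for n, v in subnets if addr in n]
    # Assumption: the most specific subnet wins if several match.
    return max(hits, key=lambda h: h[0])[1] if hits else None


def audit(text):
    """Return findings that make source-based VRF selection absent or ambiguous."""
    subnets, autoclassify = parse_interface(text)
    findings = []
    if len({v for _, v in subnets}) > 1 and not autoclassify:
        findings.append("per-subnet VRFs configured but "
                        "'ip vrf autoclassify source' is missing")
    for i, (a, va) in enumerate(subnets):
        for b, vb in subnets[i + 1:]:
            if va != vb and a.overlaps(b):
                findings.append(f"{a} (vrf {va}) overlaps {b} (vrf {vb})")
    return findings


if __name__ == "__main__":
    nets, _ = parse_interface(SAMPLE)
    for src in ("10.0.0.9", "20.0.0.57", "30.0.0.200", "192.0.2.1"):
        print(src, "->", classify(src, nets))
    print("findings:", audit(SAMPLE) or "none")
```
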

VRF Transfer for PPP Sessions Using IPCP Renegotiation: Example

The following example shows a configuration that uses PPPoE to establish a session, and the RADIUS service profile that is created to associate the VRF. In this example, when a PPP session initially comes up, it belongs to the default routing table, and the IP address is assigned from the default IP address pool "DEF-POOL". When the subscriber selects the "ISP-RED" service, ISG downloads the "ISP-RED" service profile and applies it to the session. The PPP session is then transferred to VRF "RED". IPCP renegotiation occurs between the client device and the ISG device, and the subscriber is assigned a new IP address from the pool "POOL-RED".

ip vrf RED
 rd 1:1

interface Loopback0
 ip address 10.0.0.1 255.255.255.0

interface Loopback1
 ! ip vrf forwarding is entered first: applying it removes any IP address already on the interface
 ip vrf forwarding RED
 ip address 20.0.0.1 255.255.255.0
!
interface Ethernet0/0
  pppoe enable

interface Virtual-Template1
 ip unnumbered Loopback0
 service-policy control RULE2
 peer default ip address pool DEF-POOL
 ppp authentication chap 

ip local pool DEF-POOL 172.16.5.1 172.16.5.250
ip local pool POOL-RED 172.20.5.1 172.20.5.250

Service profile for ISP RED:

Cisco-AVpair = ip:vrf-id=RED
Cisco-AVpair = "ip:ip-unnumbered=loopback 1"
Cisco-AVpair = ip:addr-pool=POOL-RED
Cisco-AVpair = subscriber:sg-service-type=primary
Cisco-AVpair = subscriber:sg-service-group=RED-GROUP
Cisco-SSG-Service-Info = IPPPOE-RED
Cisco-SSG-Service-Info = R10.1.1.0;255.255.255.0
Framed-Protocol = PPP
Service-Type = Framed

Additional References

The following sections provide references related to ISG VRF transfer.

Related Documents

Related Topic                                                                    Document Title
-------------------------------------------------------------------------------  -------------------------------------------------------
ISG commands                                                                     Cisco IOS Intelligent Service Gateway Command Reference
How to configure support for PPP sessions                                        Cisco IOS Dial Technologies Configuration Guide
How to map packets to VRFs other than the VRF assigned to the ingress interface  VRF-Autoclassify, 12.2(28)SB new-feature document


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Feature Information for ISG VRF Transfer

Table 27 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(28)SB or later releases appear in the table. If you are looking for information on a feature in this technology that is not documented here, see the "Intelligent Service Gateway Features Roadmap."

Not all commands may be available in your Cisco IOS software release. For details on when support for specific commands was introduced, see the command reference documents.

Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.


Note: Table 27 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.


Table 27 Feature Information for ISG VRF Transfer

Feature Name
Releases
Feature Configuration Information

ISG: Session: VRF Transfer

12.2(28)SB

The ISG session is the primary component used for associating services and policies with specific data flows. ISG sessions are associated with virtual routing and forwarding instances when routing is required for the network service. ISG VRF transfer provides a means to dynamically switch an active session between virtual routing domains.

The following sections provide information about this feature:

Information About Configuring ISG VRF Transfer

How to Configure ISG VRF Transfers