Enhanced IP Allocation in Cisco Prime Access Registrar
This chapter describes the enhanced IP allocation feature in Cisco Prime Access Registrar (Prime Access Registrar).
In previous versions of Prime Access Registrar, IP allocation happens internally, based on a specific range of IPs configured on each server. If there are multiple Prime Access Registrars in a deployment, each Prime Access Registrar server has a different range of IPs configured and can allocate/de-allocate IPs only within that specific range; Prime Access Registrar cannot allocate IPs from a common pool. This is addressed by the enhanced IP allocation feature.
With this feature, IP ranges will be read from the configuration and the common IP pools will be maintained in a centralized Mongo Database (MongoDB). Any Prime Access Registrar server which is connected to the DB can allocate an available IP for a user from the common IP pools. When the user disconnects, the IP is released back to the pool again. Along with the IP pools, the user sessions will also be maintained in centralized MongoDB.
The MongoDB version used for this feature is 3.6.2.
With the enhanced IP allocation feature, IPv6 address allocation is also supported.
Note This feature is supported only in CLI.
This chapter contains the following sections:
- MongoDB Support
- IP Allocation Methodology
- Configuration Details
- Configuration Steps
- Server Monitoring for IP Allocation
- Common Configuration Setup
- Sample IP Allocation Traces
MongoDB Support
This section describes the MongoDB server features:
- The centralized DB can be a single MongoDB server, a MongoDB replica set, or a MongoDB shard.
- A replica set has one primary server and two or more secondary servers. The secondary servers act as backup servers. Prime Access Registrar supports a MongoDB cluster setup that contains multiple shards (multiple replica sets).
- MongoDB has an automatic failover mechanism. If the primary goes down, an election is triggered among the available secondary servers; the new primary is elected and starts processing the traffic.
- The secondary DB servers can be placed in the primary DB site as well as in the geographically distant failover sites for local DB failover and site failover.
IP Allocation Methodology
With the enhanced IP allocation feature, Prime Access Registrar provides the following support:
- Dynamic allocation of IPv4 and IPv6 addresses from the common IP pool information kept in Mongo DB.
- Multiple IP pools, each with a maximum size of 16 million IPs, can be configured in Mongo DB.
- Prime Access Registrar allocates IPs from the IP pool in a fail-over manner for the incoming RADIUS and Diameter requests.
- It is possible to select and allocate IPs from one particular IP pool using the scripting point.
- Multiple Prime Access Registrar servers can be connected to the Mongo DB for the IP allocation based on the requirement.
- IP allocation/de-allocation requests can be load-balanced to any Prime Access Registrar.
- Prime Access Registrar uses compressed format to store and retrieve the IPs from DB for effective use of DB resources.
- Prime Access Registrar supports MongoDB cluster deployments to meet higher scalability needs.
- MongoDB replica set provides fail-over capabilities with the primary and secondary nodes.
- Framed-IP-Address attribute holds the allocated IP address in the Access-Accept message.
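The "compressed format" used for the common pools and the Bitmap/Index values that appear in the sample traces later in this chapter can be made concrete with a small model. The following Python is an added example and not Prime Access Registrar code: the 64-address bitmap chunk, the per-pool limit of 16 × 1024 × 1024 addresses (the page says "16 million"; its sample /8 pools have exactly that many), and the return shape of allocate() are assumptions. The pool range in the usage block is the page's sample IPv6 pool P1. The class handles both address families, refuses a pool larger than the limit, reports exhaustion, and treats a double release as a no-op rather than corrupting the allocated count.

```python
import ipaddress

# Constructed model (not Prime Access Registrar code). The product's in-DB
# encoding is not documented on this page; the chunk size below is an
# assumption chosen only to make the "Bitmap:N Index:M" idea concrete.
BITMAP_BITS = 64
MAX_POOL_SIZE = 16 * 1024 * 1024  # assumed reading of "maximum size of 16 million IPs"
FULL = (1 << BITMAP_BITS) - 1


class BitmapPool:
    """A common IP pool held as a list of bitmaps, one bit per address.

    A set bit means the address is allocated. allocate() returns the
    (bitmap, index) pair locating that bit, mirroring the trace line
    'Allocating IP from Bitmap:0 Index:0'.
    """

    def __init__(self, name, start, end):
        self.name = name
        self.start = ipaddress.ip_address(start)
        self.end = ipaddress.ip_address(end)
        if self.start.version != self.end.version:
            raise ValueError("start and end must be the same address family")
        if self.end < self.start:
            raise ValueError("end must not precede start")
        self.size = int(self.end) - int(self.start) + 1
        if self.size > MAX_POOL_SIZE:
            raise ValueError(f"pool {name}: {self.size} addresses exceeds {MAX_POOL_SIZE}")
        self.bitmaps = [0] * ((self.size + BITMAP_BITS - 1) // BITMAP_BITS)
        self.allocated = 0

    def allocate(self):
        """Return (bitmap, index, address) for the lowest free address, or None if exhausted."""
        for b, bits in enumerate(self.bitmaps):
            if bits == FULL:
                continue  # every address covered by this bitmap is in use
            for i in range(BITMAP_BITS):
                offset = b * BITMAP_BITS + i
                if offset >= self.size:
                    return None  # partial last bitmap: ran past the pool's end
                if not bits & (1 << i):
                    self.bitmaps[b] = bits | (1 << i)
                    self.allocated += 1
                    return b, i, self.start + offset
        return None

    def release(self, address):
        """Clear the bit for address. Returns False on a double release."""
        offset = int(ipaddress.ip_address(str(address))) - int(self.start)
        if offset < 0 or offset >= self.size:
            raise ValueError(f"{address} is not in pool {self.name}")
        b, i = divmod(offset, BITMAP_BITS)
        if not self.bitmaps[b] & (1 << i):
            return False
        self.bitmaps[b] &= ~(1 << i)
        self.allocated -= 1
        return True


if __name__ == "__main__":
    # Constructed pool using the page's sample IPv6 range (pool P1).
    pool = BitmapPool("P1", "2025::20c:29ff:fe65:9802", "2025::20c:29ff:feff:ffff")
    bitmap, index, addr = pool.allocate()
    print(f"allocated {addr} from Bitmap:{bitmap} Index:{index}; in use: {pool.allocated}")
    pool.release(addr)
```

A real deployment keeps the bitmaps in MongoDB and has every Prime Access Registrar server update them, which is why the traces show the allocator fetching a bitmap from the remote Mongo server before it picks an index locally.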
Configuration Details
In Prime Access Registrar, a new type of session manager is introduced to support this feature. This session manager handles both RADIUS and Diameter requests, coming from RADIUS and Diameter clients respectively. All the Prime Access Registrar servers connected to the same MongoDB server, MongoDB replica set, or MongoDB cluster must have the same session manager configuration.
Sample IPv6 Configuration:
DefaultAuthenticationService~ = null
DefaultAuthorizationService~ = null
DefaultAccountingService~ = local-file
DefaultSessionManager~ = MongoSessionManager
--> cd IPAddressAllocators/
[ //localhost/Radius/IPAddressAllocators ]
Entries 1 to 1 from 1 total entries
[ //localhost/Radius/IPAddressAllocators/allocator1 ]
[ //localhost/Radius/IPAddressAllocators/allocator1/IPAddressPools ]
Entries 1 to 1 from 1 total entries
[ //localhost/Radius/IPAddressAllocators/allocator1/IPAddressPools/P1 ]
StartIPv6 = 2025::20c:29ff:fe65:9802
EndIPv6 = 2025::20c:29ff:feff:ffff
--> cd /r/SessionManagers/MongoSessionManager/
[ //localhost/Radius/SessionManagers/MongoSessionManager ]
Name = MongoSessionManager
AllowAccountingStartToCreateSession = FALSE
[ //localhost/Radius/SessionManagers/MongoSessionManager/ResourceManagers ]
--> cd /r/ResourceManagers/
[ //localhost/Radius/ResourceManagers ]
Entries 1 to 6 from 6 total entries
[ //localhost/Radius/ResourceManagers/ipv6 ]
ReuseIPForSameSessionKeyAndUser = TRUE
Sample IPv4 Configuration:
[ //localhost/Radius/IPAddressAllocators/allocator1 ]
[ //localhost/Radius/IPAddressAllocators/allocator1/IPAddressPools ]
Entries 1 to 4 from 4 total entries
[ //localhost/Radius/IPAddressAllocators/allocator1/IPAddressPools ]
Entries 1 to 4 from 4 total entries
[ //localhost/Radius/ResourceManagers ]
Entries 1 to 8 from 8 total entries
[ //localhost/Radius/ResourceManagers/ipv4 ]
ReuseIPForSameSessionKeyAndUser = FALSE
[ //localhost/Radius/SessionManagers/MongoSessionManager ]
Name = MongoSessionManager
AllowAccountingStartToCreateSession = FALSE
SessionCreationCmdList = 265
SessionDeletionCmdList = 275
SessionRestorationTimeOut =
[ //localhost/Radius/SessionManagers/MongoSessionManager/ResourceManagers ]
--> cd /r/advanced/remotemongosessionServer/
[ //localhost/Radius/Advanced/RemoteMongoSessionServer ]
ReactivateTimerInterval = 300000
MongoActiveConnetionThresholdCount = 4
MongoConnectionReactivationInterval = 3000
DataSourceConnections = 4
KeepAliveTimerInterval = 0
[ //localhost/Radius/Advanced/ODBCDataSources/mongo ]
Server = 10.126.246.113:27017
DBReadPreference = Nearest
Table 11-1 lists the attributes added under /RADIUS/Advanced for the IP Allocation feature.
Table 11-1 /RADIUS/Advanced Attributes added for IP Allocation Feature
Attribute | Description
IPDataBackingStoreSyncInterval | Interval at which the IP data is written to the backing store.
IPDataBackingStorePruneInterval | The sleep interval of the IP data backing store pruning thread. The recommended and default value is six hours, but you can modify this based on the traffic patterns you experience. With IPDataBackingStorePruneInterval set to six hours, pruning occurs six hours after you restart or reload the Prime Access Registrar server and recurs every six hours. You can set a very low value for this property to make pruning continuous, but there might not be enough data accumulated for the pruning to occur, and pruning might be less effective compared to the default setting.
IPDataBackingStoreDiscThreshold | Maximum size limit of any IP data log files generated; the default is 10 gigabytes. The value of IPDataBackingStoreDiscThreshold is made up of a number and a unit, which can be K, kilobyte, or kilobytes; M, megabyte, or megabytes; or G, gigabyte, or gigabytes.
IPDataPurgeInterval | The interval at which Prime Access Registrar checks for timed-out IP records.
IPDocumentTimeOut | Any document that has been in the locked state for this timeout period is released (unlocked) during the purge operation.
Configuration Steps
Setting Up Remote Mongo Session Server
To set up a new remote Mongo session server:
Step 1 Log into aregcmd.
cd /r/Advanced/RemoteMongoSessionServer
Step 2 Specify the relevant details. Table 11-2 lists the remote Mongo session server properties.
Table 11-2 Remote Mongo Session Server Properties
Property | Description
ReactivateTimerInterval | Required; time interval (in milliseconds) to activate an inactive server; default value is 300,000 ms.
Timeout | Required; time interval (in seconds) to wait for a Mongo operation to complete; default value is 15 seconds.
DataSourceConnections | Required; number of connections to be established; default value is 8.
DataSource | Required; name of the mongoc DataSource to use from the list of mongoc data sources configured under /Radius/Advanced/ODBCDataSources.
KeepAliveTimerInterval | Required; time interval (in milliseconds) at which a keepalive is sent to keep an idle connection active; default value is zero (0), meaning the option is disabled.
SNMPTrapPort | The SNMP trap port for the remote Mongo session server; default value is 1521.
SNMPTrapIP | The SNMP trap IP for the remote Mongo session server. Prime Access Registrar supports IPv4 and IPv6 addresses for the SNMP trap IP.
MongoTimeOutCount | Required; number of consecutive timeouts after which the selected connection is disconnected. Default value is 10.
MongoConnectionReactivationInterval | Required; time interval for attempting to reconnect the disconnected Mongo remote server session. Default value is 3000 ms.
MongoActiveConnectionThresholdCount | Required; threshold count of disconnections after which Prime Access Registrar marks the remote server as down and tries to reactivate it. Default value is 4.
Step 3 Save and reload.
Upon successful creation of the remote Mongo session server, a success message is displayed in the logs.
Adding ODBC Data Source
To add an ODBC data source:
Step 1 Log into aregcmd.
cd /r/Advanced/odbcdatasources
Step 2 Enter the relevant details. Table 11-3 lists the ODBC data source properties.
Table 11-3 ODBC Data Source Properties
Property | Description
Name | Name of the ODBC data source.
Description | Optional; description of the ODBC data source.
Type | Required; type of the ODBC data source, which must be "mongoc".
IsReplicaSet | Optional; set to TRUE if a MongoDB replica set is used. The replica set name must be given in the ReplicaSetName attribute.
UserID | Required; database user name.
Password | Required; database user password; shown encrypted.
DataBase | Required; name of the Mongo database in which sessions are stored.
Server | IP and port of the MongoDB server in IP:Port format. For a single DB, for example 10.126.246.112:27017, where 27017 is the port on which MongoDB runs. For a replica set, IP1:Port1,IP2:Port2,IP3:Port3, and so on. For a shard, the IP must be the mongos (query router) IP.
DBReadPreference | Indicates how to route read operations to the appropriate member of a replica set when the DBs are geographically distributed. One of Primary, PrimaryPreferred, Secondary, SecondaryPreferred, or Nearest. Default value is Nearest.
Step 3 Save and reload.
Adding Mongo Session Manager
To add a Mongo session manager:
Step 1 Log into aregcmd.
cd /r/SessionManagers/MongoSessionManager/
Step 2 Enter the relevant details. Table 11-4 lists the Mongo session manager properties.
Table 11-4 Mongo Session Manager Properties
Property | Description
Name | Required; must be unique in the session managers list.
Description | Optional; description of the session manager.
Type | Required; the Mongo session manager works with the Mongo database and maintains the sessions in the Mongo DB.
EnableDiameter | Optional; set to TRUE if you want to use the session manager for Diameter services.
SessionKey | Sets the session key value for the Session Manager. The Session Manager checks whether the environment variable Session-Key is set. If it is set, the server uses it as the session key; otherwise, the value set in this field is used. SessionKey can be a combination of attributes separated by a colon. The values for those attributes are obtained from the RequestDictionary. If any one of the attributes configured for the session key is not present in the RequestDictionary, Prime Access Registrar drops the request. If Session-Key is not set at all, the Session Manager uses NAS-Identifier and NAS-Port to create the session key. An example configuration:
--> set SessionKey "User-Name:NAS-Port"
The following shows a sample session key configuration for a Session Manager:
[ //localhost/Radius/SessionManagers/session-mgr-1 ]
Name = session-mgr-1
Description =
Type = local
AllowAccountingStartToCreateSession = TRUE
AllowAccountingStartToCreateSession | Set to TRUE (the default) to start the session when the Prime Access Registrar server receives either an Access-Accept or an Accounting-Start. Set to FALSE to start the session only when the Prime Access Registrar server receives an Access-Accept.
IncomingScript | Optional; name of the script to run when the service starts. This script is run as soon as the session is acquired in Prime Access Registrar.
OutgoingScript | Optional; name of the script to run just before the session is written to the backing store.
SessionTimeOut | Optional; no value for this property indicates that the session timeout feature is disabled for the Session Manager. Used in conjunction with /Radius/Advanced/SessionPurgeInterval for the session timeout feature. If the parameter is set to a value, all sessions that belong to that session manager are checked for timeouts at each SessionPurgeInterval. If any of the sessions have timed out, they are released, and all resources associated with those sessions are also released. If the time difference between the current time and the last update time is greater than this value, the session is considered stale. The last update time of the session is the time at which the session was created or updated. The SessionTimeOut value comprises a number and a units indicator, where the unit can be minutes, hours, days, or weeks. The default unit is days.
PhantomSessionTimeOut | Optional; no value for this property indicates that the phantom session timeout feature is disabled. Used in conjunction with /Radius/Advanced/SessionPurgeInterval. If the parameter is set to a value, all sessions that belong to that session manager are checked for receipt of an Accounting-Start packet. Sessions that do not receive an Accounting-Start packet between creation and their timeout are released. The PhantomSessionTimeOut value comprises a number and a units indicator, where the unit can be minutes, hours, days, or weeks. The default unit is days.
SessionCreationCmdList | Available only if EnableDiameter is set to TRUE; a session is created for the configured application, command code, and AVP.
SessionDeletionCmdList | Available only if EnableDiameter is set to TRUE; the session is deleted for the configured application, command code, and AVP.
Resource Managers List | Ordered list of Resource Managers. The resource managers supported with the geo session manager are geo-ipv4-dynamic, geo-ipv6-dynamic, geo-user-session-limit, and geo-session-cache.
Step 3 Save and reload.
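The SessionKey rule in Table 11-4 has three branches (environment variable wins, then the configured attribute list, then the NAS-Identifier:NAS-Port fallback) and one hard failure (a configured attribute absent from the request drops the request). The following Python is an added example that models that rule; it is not Prime Access Registrar code. The request is a plain dict standing in for the RequestDictionary, the environment is a dict standing in for the server's environment variables, and treating an empty SessionKey property as "not set" (so the fallback applies) is an assumption about the wording on the page.

```python
# Constructed model of the SessionKey evaluation described in Table 11-4.
# Not Prime Access Registrar code; dicts stand in for the RequestDictionary
# and the environment variables.

FALLBACK_ATTRIBUTES = ["NAS-Identifier", "NAS-Port"]


class DropRequest(Exception):
    """Raised when a configured SessionKey attribute is missing from the request."""


def build_session_key(request, environment, configured_key=""):
    """Return the session key for one request.

    request        : dict of RADIUS attribute name -> value (the RequestDictionary)
    environment    : dict of environment variables; a 'Session-Key' entry wins outright
    configured_key : the session manager's SessionKey property, e.g. "User-Name:NAS-Port"
    """
    # 1. An explicit Session-Key environment variable is used verbatim.
    env_key = environment.get("Session-Key")
    if env_key:
        return env_key

    # 2. Otherwise split the configured property on ':'; an empty property
    #    falls back to NAS-Identifier:NAS-Port (assumed reading of the page).
    attributes = configured_key.split(":") if configured_key else FALLBACK_ATTRIBUTES

    # 3. Every named attribute must be present, or the request is dropped.
    parts = []
    for name in attributes:
        if name not in request:
            raise DropRequest(f"SessionKey attribute {name} not in request")
        parts.append(str(request[name]))
    return ":".join(parts)


if __name__ == "__main__":
    # Constructed request matching the sample trace (User-Name bob, NAS-Port 1).
    sample = {"User-Name": "bob", "NAS-Port": 1, "NAS-Identifier": "localhost"}
    print(build_session_key(sample, {}, "User-Name:NAS-Port"))  # bob:1
```

The drop branch is the one worth testing in a lab before rollout: a SessionKey that names an attribute some NAS does not send silently discards every request from that NAS.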
Server Monitoring for IP Allocation
Prime Access Registrar supports server monitoring for the IP allocation feature, which lets you monitor high and low IP thresholds. The following attributes are added to support this functionality:
- IPHighThreshold—Absolute integer value that indicates the maximum number of IPs that can be allocated by the server. Default is 0. When the number of IPs exceeds the given high threshold value, Prime Access Registrar generates a carIPCapacityFull trap.
- IPLowThreshold—Absolute integer value that indicates the minimum number of IPs that can be allocated by the server. Default is 0. After reaching the high threshold, if the number of IPs drops below a low threshold value, Prime Access Registrar generates a carIPCapacityNotFull trap.
For details about the carIPCapacityFull and carIPCapacityNotFull traps, refer to the “Using SNMP” chapter of the Cisco Prime Access Registrar 9.1 User Guide.
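The two thresholds form a hysteresis pair: carIPCapacityFull fires once when the allocated count exceeds IPHighThreshold, and carIPCapacityNotFull fires only after that, when the count drops below IPLowThreshold. The following Python is an added example modelling that behaviour; it is not Prime Access Registrar code, and treating the default value 0 as "monitoring disabled" is an assumption (the page only says the default is 0).

```python
# Constructed model of IPHighThreshold / IPLowThreshold trap generation.
# Not Prime Access Registrar code; the trap names are the page's.

TRAP_FULL = "carIPCapacityFull"
TRAP_NOT_FULL = "carIPCapacityNotFull"


class IPCapacityMonitor:
    """Tracks whether the 'full' trap is outstanding so it is not re-sent on every allocation."""

    def __init__(self, high_threshold, low_threshold):
        if high_threshold < 0 or low_threshold < 0:
            raise ValueError("thresholds are absolute, non-negative integers")
        if high_threshold and low_threshold > high_threshold:
            raise ValueError("IPLowThreshold must not exceed IPHighThreshold")
        self.high = high_threshold
        self.low = low_threshold
        self.full = False  # True while carIPCapacityFull has been raised and not cleared

    def update(self, allocated):
        """Feed the current allocated-IP count; return the trap to emit, or None."""
        if self.high == 0:
            return None  # assumption: the default of 0 means monitoring is off
        if not self.full and allocated > self.high:
            self.full = True
            return TRAP_FULL
        if self.full and allocated < self.low:
            self.full = False
            return TRAP_NOT_FULL
        return None


def trap_sequence(high_threshold, low_threshold, counts):
    """Run a series of allocated-IP counts through one monitor; None marks 'no trap'."""
    monitor = IPCapacityMonitor(high_threshold, low_threshold)
    return [monitor.update(count) for count in counts]


if __name__ == "__main__":
    # Constructed count series: climb past 100, sag to 90 (no trap), fall under 80, climb again.
    print(trap_sequence(100, 80, [50, 101, 120, 90, 79, 101]))
```

Keeping a gap between the two thresholds is what prevents trap flapping when the allocated count oscillates around a single value; setting IPLowThreshold equal to IPHighThreshold removes that protection.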
Common Configuration Setup
If there are multiple Prime Access Registrar servers in a deployment, a common configuration must be maintained across all the servers. To keep the configuration of all the Prime Access Registrar servers consistent, a Python tool is shipped with the Prime Access Registrar installation package. After installation, this Python tool (for example, main.py) is present in the /cisco-ar/bin/ directory.
Note The Python tool does not work properly if the CLI is accessed from multiple terminals.
Note Also, ensure that the correct system time is maintained across all the Prime Access Registrar servers in a deployment.
After installing Prime Access Registrar in all the identified servers, follow the below steps to maintain common configuration across all Prime Access Registrar servers:
Step 1 Set the attribute IsMaster under /r/advanced in aregcmd to TRUE.
Step 2 Perform the IP allocation configuration through aregcmd CLI interface in any one of the Prime Access Registrar servers.
Step 3 Execute SAVE from aregcmd. This creates an XML file.
Following is a sample XML file.
<?xml version="1.0" encoding="UTF-8"?>
<sessionmanager ismodified = "-1" name = "geoSes" type = "geo" enablediameter = "FALSE" incomingscript = "" outgoingscript = "" allowaccountingstarttocreatesession = "FALSE" sessiontimeout = "" phantomsessiontimeout = "" sessionkey = "" sessioncreationcommandlist = "" sessiondeletioncommandlist = ""/>
<rm name = "geo-per-user" index = "1"/>
<resourcemanager ismodified = "-1" name = "geo-ipv4" type = "geo-ipv4-dynamic" netmask = "255.0.0.0" ipv6prefix = "" reuseipforsamesessionkeyanduser = "FALSE" ipallocator = "A1"/>
<resourcemanager ismodified = "-1" name = "geo-per-user" type = "geo-user-session-limit" usersessionlimit = "1"/>
<allocator ismodified = "-1" name = "A1" type = "mongo" ipallocationtype = "IPv4"/>
<ipallocationpool allocator = "A1" name = "P1" identifier = "10" type = "ipv4" netmask = "255.0.0.0" start = "10.0.0.0" end = "10.255.255.255"/>
<ipallocationpool allocator = "A1" name = "P2" identifier = "20" type = "ipv4" netmask = "255.0.0.0" start = "11.0.0.0" end = "11.255.255.255"/>
<ipallocationpool allocator = "A1" name = "P3" identifier = "30" type = "ipv4" netmask = "255.0.0.0" start = "12.0.0.0" end = "12.255.255.255"/>
<ipallocationpool allocator = "A1" name = "P4" identifier = "40" type = "ipv4" netmask = "255.0.0.0" start = "13.0.0.0" end = "13.255.255.255"/>
Step 4 Run the Python tool:
- python /cisco-ar/bin/main.py
The tool will do the following:
– Prompt for the total number of Prime Access Registrar servers connected to the DB. Enter the number.
– Convert the generated XML into a .rc file.
Following is a sample .rc file.
delete /Radius/SessionManagers/MongoSession
add /Radius/SessionManagers/MongoSession
set /Radius/SessionManagers/MongoSession/type geo
set /Radius/SessionManagers/MongoSession/enablediameter FALSE
set /Radius/SessionManagers/MongoSession/incomingscript skip
set /Radius/SessionManagers/MongoSession/allowaccountingstarttocreatesession FALSE
set /Radius/SessionManagers/MongoSession/sessionkey User-Name:Nas-Port
add /Radius/SessionManagers/geoSes
set /Radius/SessionManagers/geoSes/type geo
set /Radius/SessionManagers/geoSes/enablediameter FALSE
set /Radius/SessionManagers/geoSes/allowaccountingstarttocreatesession FALSE
set /Radius/SessionManagers/MongoSession/ResourceManagers/1 geo-ipv4
set /Radius/SessionManagers/geoSes/ResourceManagers/1 geo-per-user
add /Radius/ResourceManagers/geo-ipv4 "" geo-ipv4-dynamic
set /Radius/ResourceManagers/geo-ipv4/netmask 255.0.0.0
set /Radius/ResourceManagers/geo-ipv4/reuseipforsamesessionkeyanduser FALSE
set /Radius/ResourceManagers/geo-ipv4/ipallocator A1
add /Radius/ResourceManagers/geo-per-user "" geo-user-session-limit 1
Step 5 Restart Prime Access Registrar. This will initialize and create the following:
– Collections in MongoDB, named after the configured session managers. These collections are created inside the DB configured in the mongoc data source configuration in aregcmd.
Note Make sure you do not delete the database name and collections to avoid possible data inconsistency issue.
– Required indexes in all the collections for faster access
– The DB named IPProvisioning.
Note Both the IPProvisioning database and the database configured under mongoc data source in aregcmd must have the same credentials.
– Pools in the IPProvisioning DB based on the IPAddressAllocators configuration
Step 6 Once initialization is done, the Python tool resets the IsMaster attribute to FALSE in aregcmd and prompts for the IP, credentials, etc., of the next Prime Access Registrar server. Provide the required details in the tool.
Step 7 After getting the credentials, the Python tool logs in to the new Prime Access Registrar server and dumps the generated .rc file. It also prompts you to restart the Prime Access Registrar server.
Step 8 Enter Yes and restart the Prime Access Registrar server.
Step 9 Repeat the above three steps for all the Prime Access Registrar servers. This way, configuration is maintained consistently across all individual Prime Access Registrar servers.
Sample IP Allocation Traces
Following are the sample IPv4 allocation and de-allocation traces:
Enhanced IP Allocation – Sample IPv4 Allocation Traces
01/15/2019 18:47:10.572: P78: SessionManager MongoSessionManager created Session S2
01/15/2019 18:47:10.572: P78: Session S2, Session-Start-Time: 01/15/2019 18:47:10, NAS: localhost, NAS-Port: 1, User-Name: bob, Session-Key: bob
01/15/2019 18:47:10.572: P78: ResourceManager ipv4: Requesting allocator allocator2 to allocate an ipv4 address
01/15/2019 18:47:10.572: P78: MongoIPAllocator allocator2: address not available in local store P2
01/15/2019 18:47:10.572: P78: MongoIPAllocator allocator2: sending request to the RemoteMongoServer Internal-Mongo-Server
01/15/2019 18:47:10.573: P78: MonogIPAllocator allocator2: Database returned Bitmap:0 Index:0
01/15/2019 18:47:10.573: P78: MonogIPAllocator allocator2: Successfully stored the bitmap in the localstore P2
01/15/2019 18:47:10.573: P78: MonogIPAllocator allocator2: Allocating IP from Bitmap:0 Index:0
01/15/2019 18:47:10.593: P78: MongoIPAllocator allocator2: Successfully allocated an ip address from pool P2
01/15/2019 18:47:10.593: P78: MongoIPAllocator allocator2:Allocation completed and Need to update to database
01/15/2019 18:47:10.594: P78: MongoIPAllocator allocator2: Successfully allocated IPAddress
01/15/2019 18:47:10.594: P78: IPResourcManager ipv4:Allocator returned success for ipv4 address allocation request
01/15/2019 18:47:10.594: P78: ResourceManager ipv4 allocated a resource to Session S2: Allocated IP Address 10.0.0.0
01/15/2019 18:47:10.594: P78: Writing Session S2(bob) to the mongo database.
01/15/2019 18:47:10.594: P78: Session Count Update 0
01/15/2019 18:47:10.594: P78: The collection name is MongoSessionManager
01/15/2019 18:47:10.594: Log: Collection handle created : MongoSessionManager
01/15/2019 18:47:10.594: Remote Mongo Session Server (Connection 10): MongoActiveConnectionCount = 32 and ConnectionTimedOutCount = 0
01/15/2019 18:47:10.595: Running AddSession Script:
01/15/2019 18:47:10.595: P78: Releasing acquired Session S2(bob)
01/15/2019 18:47:10.595: P78: SessionManager MongoSessionManager done with packet
01/15/2019 18:47:10.595: P78: Trace of Access-Accept packet
01/15/2019 18:47:10.595: P78: identifier = 1
01/15/2019 18:47:10.595: P78: length = 32
01/15/2019 18:47:10.595: P78: respauth = d3:5c:cc:73:7d:6b:17:fd:f1:0e:21:9d:90:bc:83:1f
01/15/2019 18:47:10.595: P78: Framed-IP-Address = 10.0.0.0
01/15/2019 18:47:10.595: P78: Framed-IP-Netmask = 255.0.0.0
01/15/2019 18:47:10.595: P78: Sending response to 127.0.0.1
01/15/2019 18:47:10.595: P78: Packet successfully removed
01/15/2019 18:47:10.595: P78: Packet Deleted
Enhanced IP Allocation – Sample IPv4 De-Allocation Traces
01/15/2019 18:49:09.741: R2: ResourceManager ipv4 allocated a resource to Session S2: Resurrected session with IP Address 10.0.0.0
01/15/2019 18:49:09.741: P80: Acquiring session for bob..., the request is from localhost:1
01/15/2019 18:49:09.741: P80: Session S2(bob) acquired...
01/15/2019 18:49:09.741: P80: SessionManager MongoSessionManager decremented the Accounting Counter for Session S2(bob), now -1
01/15/2019 18:49:09.741: P80: SessionManager MongoSessionManager is deleting Session S2(bob)
01/15/2019 18:49:09.741: P80: Releasing Geo Resources
01/15/2019 18:49:09.741: P80: Entered releaseGeoResource
01/15/2019 18:49:09.741: P80: MongoAllocator allocator2: Releasing ip address 10.0.0.0 in the mongodb
01/15/2019 18:49:09.741: P80: MongoIPAllocator allocator2: sending request to the RemoteMongoServer Internal-Mongo-Server
01/15/2019 18:49:09.741: Log: Collection handle created : P2
01/15/2019 18:49:09.742: Remote Mongo Session Server (Connection 28): MongoActiveConnectionCount = 32 and ConnectionTimedOutCount = 0
01/15/2019 18:49:09.742: P80: ResourceManager ipv4 released a resource from Session S2: Released IP address 10.0.0.0
01/15/2019 18:49:09.742: P80: The collection name is MongoSessionManager
01/15/2019 18:49:09.742: Log: Collection handle created : MongoSessionManager
01/15/2019 18:49:09.742: Remote Mongo Session Server (Connection 25): MongoActiveConnectionCount = 32 and ConnectionTimedOutCount = 0
01/15/2019 18:49:09.742: P80: Trace of Accounting-Response packet
01/15/2019 18:49:09.742: P80: identifier = 2
01/15/2019 18:49:09.742: P80: length = 20
01/15/2019 18:49:09.742: P80: respauth = 37:07:c1:12:8f:28:ec:3e:9f:a1:df:cd:f1:99:92:65
01/15/2019 18:49:09.742: P80: Sending response to 127.0.0.1
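The allocation and de-allocation traces above are regular enough to audit mechanically: every "allocated a resource ... Allocated IP Address" line should eventually be matched by a "released a resource ... Released IP address" line for the same IP, and a "Resurrected session" line re-binds an IP to a session restored from the DB. The following Python is an added example, not a Prime Access Registrar tool; the sample lines are copied from the traces on this page, the regular expressions are written against those exact message formats, and an IP that is handed out while still held by another session or released without having been allocated is reported as an anomaly.

```python
import re

# Constructed input: the relevant lines copied from the sample traces above.
SAMPLE_TRACE = [
    "01/15/2019 18:47:10.594: P78: ResourceManager ipv4 allocated a resource to Session S2: Allocated IP Address 10.0.0.0",
    "01/15/2019 18:47:10.594: P78: Writing Session S2(bob) to the mongo database.",
    "01/15/2019 18:49:09.741: R2: ResourceManager ipv4 allocated a resource to Session S2: Resurrected session with IP Address 10.0.0.0",
    "01/15/2019 18:49:09.741: P80: SessionManager MongoSessionManager is deleting Session S2(bob)",
    "01/15/2019 18:49:09.742: P80: ResourceManager ipv4 released a resource from Session S2: Released IP address 10.0.0.0",
]

# Patterns written against the message formats visible in the page's traces.
ALLOC_RE = re.compile(
    r"allocated a resource to Session (S\d+): "
    r"(?:Allocated IP Address|Resurrected session with IP Address) (\S+)"
)
RELEASE_RE = re.compile(r"released a resource from Session (S\d+): Released IP address (\S+)")


def audit_ip_traces(lines):
    """Replay allocation/release events; return (outstanding ip->session, anomalies)."""
    outstanding = {}
    anomalies = []
    for line in lines:
        match = ALLOC_RE.search(line)
        if match:
            session, ip = match.groups()
            # A resurrection of the same session is normal; a different session
            # holding an IP that is still outstanding is a double allocation.
            if ip in outstanding and outstanding[ip] != session:
                anomalies.append(f"{ip} handed to {session} while held by {outstanding[ip]}")
            outstanding[ip] = session
            continue
        match = RELEASE_RE.search(line)
        if match:
            session, ip = match.groups()
            if outstanding.pop(ip, None) is None:
                anomalies.append(f"{ip} released by {session} but was not allocated")
    return outstanding, anomalies


if __name__ == "__main__":
    leaked, problems = audit_ip_traces(SAMPLE_TRACE)
    print("still allocated:", leaked)
    print("anomalies:", problems)
```

Run over a full day of traces, a non-empty outstanding map is the quickest way to spot sessions whose Accounting-Stop never arrived and whose IPs will sit in the pool until SessionTimeOut or the IP purge reclaims them.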