Per Session Queueing and Shaping for PPPoEoVLAN Using RADIUS

The Per Session Queueing and Shaping for PPPoEoVLAN Using RADIUS feature enables you to shape PPP over Ethernet over VLAN sessions to a user-specified rate. The router shapes the sum of all of the traffic to the PPPoE session so that the subscriber’s connection to the digital subscriber line access multiplexer (DSLAM) does not become congested. Queueing-related functionality provides different levels of service to the various applications that execute over the PPPoE session.

A nested, two-level hierarchical service policy is used to configure session shaping directly on the router using the modular quality of service command-line interface (MQC). The RADIUS server applies the service policy to a particular PPPoE session by downloading a RADIUS attribute to the router. This attribute specifies the policy map name to apply to the session. RADIUS notifies the router to apply the specified policy to the session. Because the service policy contains queueing-related actions, the router sets up the appropriate class queues and creates a separate versatile traffic management and shaping (VTMS) system link dedicated to the PPPoE session.

Restrictions for Per Session Queueing and Shaping for PPPoEoVLAN Using RADIUS

  • Each PPPoE over VLAN session for which per session queueing and shaping is configured has its own set of queues and its own VTMS link. Therefore, these PPPoE sessions do not inherit policies unless you remove the service policy applied to the session or you do not configure a policy for the session.

  • The router supports per session queueing and shaping on PPPoE terminated sessions and on an IEEE 802.1Q VLAN tagged subinterfaces for outbound traffic only.

  • The router does not support per session queueing and shaping for PPPoE over VLAN sessions using RADIUS on inbound interfaces.

  • The router does not support per session queueing and shaping for layer 2 access concentrator (LAC) sessions.

  • The statistics related to quality of service (QoS) that are available using the show policy-map interface command are not available using RADIUS.

  • The router does not support using a virtual template interface to apply a service policy to a session.

  • You can apply per session queueing and shaping policies only as output service policies. The router supports input service policies on sessions for other existing features, but not for per session queueing and shaping for PPPoE over VLAN using RADIUS.

  • During periods of congestion, the router does not provide specific scheduling between the various PPPoE sessions. If the entire port becomes congested, the scheduling that results has the following effects:
    • The amount of bandwidth that each session receives of the entire port’s capacity is not typically proportionally fair share.
    • The contribution of each class queue to the session’s total bandwidth might not degrade proportionally.
  • The PRE2 does not support ATM overhead accounting for egress packets with Ethernet encapsulations. Therefore, the router does not consider ATM overhead calculations when determining that the shaping rate conforms to contracted subscriber rates.

  • The router does not support the configuration of the policy map using RADIUS. You must use the MQC to configure the policy map on the router.

Information About Per Session Queueing and Shaping for PPPoEoVLAN Using RADIUS

The router allows you to apply QoS policy maps using RADIUS. The actual configuration of the policy map occurs on the router using the MQC.

How Routers Apply QoS Policy to Sessions

The router can apply the QoS policy to sessions using attributes defined in one of the following RADIUS profiles:

  • User Profile--The user profile on the RADIUS server contains an entry that identifies the policy map name applicable to the user. The policy map name is the service that RADIUS downloads to the router after a session is authorized.

  • Service Profile--The service profile on the RADIUS server specifies a session identifier and an attribute-value (AV) pair. The session identifier might be, for example, the IP address of the session. The AV-pair defines the service (policy map name) to which the user belongs.

The following AV-pairs define the QoS policy to be applied dynamically to the session:

"ip:sub-qos-policy-in=<name of the QoS policy in ingress direction>"

"ip:sub-qos-policy-out=<name of egress policy>"

When RADIUS gets a service-logon request from the policy server, it sends a change of authorization (CoA) request to the router to activate the service for the subscriber, who is already logged in.

If the authorization succeeds, the router downloads the name of the policy map from RADIUS using the above attribute and applies the QoS policy to the session.


Note


Although the router also supports the RADIUS VSA 38, Cisco-Policy-Down and Cisco-Policy-Up, we recommend that you use the above attributes for QoS policy definitions.


How RADIUS Uses VSA 38 in User Profiles

The RADIUS VSA 38 is used for downstream traffic going toward a subscriber. The service (policy map name) to which the user session belongs resides on the RADIUS server. The router downloads the name of the policy map from RADIUS using VSA 38 in the user profile and then applies the policy to the session.

To set up RADIUS for per session queueing and shaping for PPPoE over VLAN support, enter the following VSA in the user profile on the RADIUS server:


Cisco:Cisco-Policy-Down = <service policy name>

The actual configuration of the policy map occurs on the router. The user profile on the RADIUS service contains an entry that identifies the policy map name applicable to the user. This policy map name is the service RADIUS downloads to the router using VSA 38.


Note


Although the router also supports RADIUS VSA 38, Cisco-Policy-Down and Cisco-Policy-Up, we recommend that you use the attributes described in the How Routers Apply QoS Policy to Sessions for QoS policy definitions.


Commands Used to Define QoS Actions

When you configure queueing and shaping for PPPoE over VLAN sessions, the child policy of a nested hierarchical service policy defines QoS actions using any of the following QoS commands:

  • priority command--Assigns priority to a traffic class and gives preferential treatment to the class.

  • bandwidth command--Enables class-based fair queueing and creates multiple class queues based on bandwidth.

  • queue-limit command--Specifies the maximum number of packets that a particular class queue can hold.

  • police command--Regulates traffic based on bits per second (bps), using the committed information rate (CIR) and the peak information rate, or on the basis of a percentage of bandwidth available on an interface.

  • random-detect command--Drops packets based on a specified value to control congestion before a queue reaches its queue limit. The drop policy is based on IP precedence, differentiated services code point (DSCP), or the discard-class.

  • set ip precedence command--Marks a packet with the IP precedence level you specify.

  • set dscp command--Marks a packet with the DSCP you specify.

  • set cos command--Sets the IEEE 802.1Q class of service bits in the user priority field.

The parent policy contains only the class-default class with the shape command configured. This command shapes traffic to the specified bit rate, according to a specific algorithm.

The router allows you to apply QoS policy maps using RADIUS. The actual configuration of the policy map occurs on the router using the MQC. The router can apply the QoS policy to sessions using attributes defined in one of the following RADIUS profiles:

  • User Profile--The user profile on the RADIUS server contains an entry that identifies the policy map name applicable to the user. The policy map name is the service that RADIUS downloads to the router after a session is authorized.

  • Service Profile--The service profile on the RADIUS server specifies a session identifier and an attribute-value (AV) pair. The session identifier might be, for example, the IP address of the session. The AV-pair defines the service (policy map name) to which the user belongs.

The following AV-pairs define the QoS policy to be applied dynamically to the session:

"ip:sub-qos-policy-in=<name of the QoS policy in ingress direction>"

"ip:sub-qos-policy-out=<name of egress policy>"

When RADIUS gets a service-logon request from the policy server, it sends a change of authorization (CoA) request to the router to activate the service for the subscriber, who is already logged in.

If the authorization succeeds, the router downloads the name of the policy map from RADIUS using the above attribute and applies the QoS policy to the session.


Note


Although the router also supports the RADIUS vendor specific attribute (VSA) 38, Cisco-Policy-Down and Cisco-Policy-Up, we recommend that you use the above attributes for QoS policy definitions.


How to Use the Per Session Queueing and Shaping for PPPoEoVLAN Using RADIUS Feature

Configuring a Per Session Queueing and Shaping Policy on the Router

To configure a per session queueing and shaping policy on the router for PPPoE over VLAN sessions using RADIUS, you must complete the following steps.

SUMMARY STEPS

  1. policy-map policy-map-name
  2. class
  3. bandwidth {bandwidth-kbps | percent percentage | remaining percent percentage } account {{qinq | dot1q } {aal5 | aal3 } {subscriber-encapsulation }} | {user-defined offset [atm ]}}
  4. exit
  5. policy-map policy-map-name
  6. class class-default
  7. shape rate account {{{qinq | dot1q } {aal5 | aal3 } {subscriber-encapsulation }} | {user-defined offset [atm ]}}
  8. service-policy policy-map-name

DETAILED STEPS

  Command or Action Purpose

Step 1

policy-map policy-map-name

Example:


Router(config)# policy-map policy-map-name

Creates or modifies the bottom-level child policy.

  • policy-map-name is the name of the child policy map. The name can be a maximum of 40 alphanumeric characters.

Step 2

class

Example:


Router(config-pmap)# class class-map-name 

Assigns the traffic class you specify to the policy map. Enters policy-map class configuration mode.

  • class-map-name is the name of a previously configured class map and is the traffic class for which you want to define QoS actions.

  • Repeat Steps 2 and 3 for each traffic class you want to include in the policy map.

Step 3

bandwidth {bandwidth-kbps | percent percentage | remaining percent percentage } account {{qinq | dot1q } {aal5 | aal3 } {subscriber-encapsulation }} | {user-defined offset [atm ]}}

Example:


Router(config-pmap-c)# bandwidth {bandwidth-kbps | percent percentage | remaining percent percentage} account {{qinq | dot1q} {aal5 | aal3} subscriber-encapsulation | user-defined offset [atm]} 

Enables class-based fair queueing.

  • bandwidth-kbps specifies or modifies the minimum bandwidth allocated for a class belonging to a policy map. Valid values are from 8 to 2488320, which represents from 1 to 99 percent of the link bandwidth.

  • percent percentage specifies or modifies the minimum percentage of the link bandwidth allocated for a class belonging to a policy map. Valid values are from 1 to 99.

  • remaining percent percentage specifies or modifies the minimum percentage of unused link bandwidth allocated for a class belonging to a policy map. Valid values are from 1 to 99.

  • account enables ATM overhead accounting. For more information, see the " ATM Overhead Accounting " section of the "Configuring Dynamic Subscriber Services" chapter of the Cisco 10000 Series Router Quality of Service Configuration Guide.

  • qinq specifies queue-in-queue encapsulation as the broadband aggregation system-DSLAM encapsulation type.

  • dot1q specifies IEEE 802.1Q VLAN encapsulation as the broadband aggregation system-DSLAM encapsulation type.

  • aal5 specifies the ATM Adaptation Layer 5 that supports connection-oriented variable bit rate (VBR) services. You must specify either aal5 or aal3.

  • aal3 specifies the ATM Adaptation Layer 5 that supports both connectionless and connection-oriented links. You must specify either aal3 or aal5 .

  • subscriber-encapsulation specifies the encapsulation type at the subscriber line.

  • user-defined indicates that the router is to use the offset you specify when calculating ATM overhead.

  • offset specifies the offset size the router is to use when calculating ATM overhead. Valid values are from -63 to 63 bytes.

Note

 

The router configures the offset size if you do not specify the offset option.

  • atm applies ATM cell tax in the ATM overhead calculation.

Step 4

exit

Example:


Router(config-pmap-c)# exit

Exits policy-map class configuration mode.

Step 5

policy-map policy-map-name

Example:


Router(config-pmap)# policy-map policy-map-name

Creates or modifies the parent policy.

  • policy-map-name is the name of the parent policy map. The name can be a maximum of 40 alphanumeric characters.

Step 6

class class-default

Example:


Router(config-pmap)# class class-default 

Configures or modifies the parent class-default class.

Note

 

You can configure only the class-default class in a parent policy. Do not configure any other traffic class.

Step 7

shape rate account {{{qinq | dot1q } {aal5 | aal3 } {subscriber-encapsulation }} | {user-defined offset [atm ]}}

Example:


Router(config-pmap-c)# shape rate account {qinq | dot1q} {aal5 | aal3} subscriber-encapsulation | {user-defined offset [atm]} 

Shapes traffic to the indicated bit rate and enables ATM overhead accounting.

  • rate is the bit-rate used to shape the traffic, expressed in kilobits per second.

  • account enables ATM overhead accounting.

  • qinq specifies queue-in-queue encapsulation as the broadband aggregation system-DSLAM encapsulation type.

  • dot1q specifies IEEE 802.1Q VLAN encapsulation as the broadband aggregation system-DSLAM encapsulation type.

  • aal5 specifies the ATM Adaptation Layer 5 that supports connection-oriented VBR services. You must specify either aal5 or aal3 .

  • aal3 specifies the ATM Adaptation Layer 5 that supports both connectionless and connection-oriented links. You must specify either aal3 or aal5 .

  • subscriber-encapsulation specifies the encapsulation type at the subscriber line.

  • user-defined indicates that the router is to use the offset you specify when calculating ATM overhead.

  • offset specifies the offset size the router is to use when calculating ATM overhead. Valid values are from -63 to 63 bytes.

Note

 

The router configures the offset size if you do not specify the user-defined offset option.

  • atm applies ATM cell tax in the ATM overhead calculation.

Step 8

service-policy policy-map-name

Example:


Router(config-pmap-c)# service-policy  policy-map-name 

Applies a bottom-level child policy to the top-level parent class-default class.

  • policy-map-name is the name of the previously configured child policy map.

Verifying Per Session Queueing

To display the configuration of per session queueing and shaping policies for PPPoE over VLAN, enter any of the following commands in privileged EXEC mode:

Command

Purpose


Router# show policy-map interface interface 

Displays information about the policy map attached to the interface you specify. If you do not specify an interface, it displays information about all of the policy maps configured on the router.

  • interface specifies the virtual-access interface and number the router created for the session (for example, virtual-access 1).


Router# show policy-map session uid  uid-number

Displays the session QoS counters for the subscriber session you specify.

  • uid uid-number defines a unique session ID. Valid values for uid-number are from 1 to 65535.


Router# show running-config 

Displays the running configuration on the router. The output shows the AAA setup and the configuration of the policy map, ATM VC, PPPoA, dynamic bandwidth selection, virtual template, and RADIUS server.

Configuration Examples for Per Session Queueing and Shaping Policies

Configuring a Per Session Queueing and Shaping Policy on the Router Example

The following example shows

The example creates two traffic classes: Voice and Video. The router classifies traffic that matches IP precedence 5 as Voice traffic and traffic that matches IP precedence 3 as Video traffic. The Child policy map gives priority to Voice traffic and polices traffic at 2400 kbps. The Video class is allocated 80 percent of the remaining bandwidth and has ATM overhead accounting enabled. The Child policy is applied to the class-default class of the Parent policy map, which receives 20 percent of the remaining bandwidth and shapes traffic to 10,000 bps, and has ATM overhead accounting enabled.


Router(config)# class-map Voice
Router(config-cmap)# match ip precedence 5
Router(config-cmap)# class-map Video
Router(config-cmap)# match ip precedence 3
!
Router(config)# policy-map Child
Router(config-pmap)# class Voice
Router(config-pmap-c)# priority
Router(config-pmap-c)# police 2400 9216 0 conform-action transmit exceed-action drop violate-action drop
Router(config-pmap-c)# class video
Router(config-pmap-c)# bandwidth remaining percent 80 account aal5 snap-dot1q-rbe
Router(config-pmap-c)# exit
Router(config-pmap)# exit
Router(config)# policy-map Parent
Router(config-pmap)# class class-default
Router(config-pmap-c)# shape 10000 account dot1q snap-dot1q-rbe
Router(config-pmap-c)# service-policy Child

Setting Up RADIUS for Per Session Queueing and Shaping Example

The following are example configurations for the Merit RADIUS server and the associated Layer 2 network server (LNS). In the example, the Cisco-Policy-Down attribute indicates the name of the policy map to be downloaded, which in this example is rad-output-policy. The RADIUS dictionary file includes an entry for Cisco VSA 38.


example.com Password = "cisco123"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Cisco:Cisco-Policy-Down = rad-output-policy

Cisco.attr Cisco-Policy-Up 37 string (*, *)

Cisco.attr Cisco-Policy-Down 38 string (*, *)

Verifying Per Session Queueing and Shaping Policies Examples

This example shows sample output for the show policy-map interface command


Router# show policy-map interface virtual-access 1
!
!
Service-policy output: TEST
Class-map: class-default (match-any)
100 packets, 1000 bytes
30 second offered rate 800 bps, drop rate 0 bps
Match: any
shape (average) cir 154400, bc 7720, be 7720
target shape rate 154400
overhead accounting: enabled
bandwidth 30% (463 kbps)
overhead accounting: disabled
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 100/1000

This example shows sample output from the show policy-map session command and show policy-map session uid command, based on a nested hierarchical policy.


Router# show subscriber session
Current Subscriber Information: Total sessions 1
Uniq ID Interface  State         Service      Identifier           Up-time
36      Vi2.1      authen        Local Term   peapen@cisco.com     00:01:36
Router# show policy-map parent
  Policy Map parent
    Class class-default
      Average Rate Traffic Shaping
      cir 10000000 (bps)
      service-policy child
Router# show policy-map child
 
  Policy Map child
    Class voice
      priority
      police 8000 9216 0 
       conform-action transmit
       exceed-action drop
       violate-action drop
    Class video
      bandwidth remaining 80 (%)
Router# show policy-map session uid 36
 SSS session identifier 36 -
 SSS session identifier 36 -
  Service-policy output: parent
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any 
        0 packets, 0 bytes
        30 second rate 0 bps
      Queueing
      queue limit 250 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
      shape (average) cir 10000000, bc 40000, be 40000
      target shape rate 10000000
      Service-policy : child
        queue stats for all priority classes:
          Queueing
          queue limit 16 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
        Class-map: voice (match-all)
          0 packets, 0 bytes
          30 second offered rate 0 bps, drop rate 0 bps
          Match: ip precedence 5 
          Priority: Strict, burst bytes 1500, b/w exceed drops: 0
          
          Police:
            8000 bps, 9216 limit, 0 extended limit
            conformed 0 packets, 0 bytes; action: 
            transmit
            exceeded 0 packets, 0 bytes; action: 
            drop
            violated 0 packets, 0 bytes; action: 
            drop
        Class-map: video (match-all)
          0 packets, 0 bytes
          30 second offered rate 0 bps, drop rate 0 bps
          Match: ip precedence 3 
          Queueing
          queue limit 250 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
          bandwidth remaining 80% (7993 kbps)
        Class-map: class-default (match-any)
          0 packets, 0 bytes
          30 second offered rate 0 bps, drop rate 0 bps
          Match: any 
            0 packets, 0 bytes
            30 second rate 0 bps
          queue limit 250 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 2/136

Additional References

The following sections provide references related to the Per Session Queueing and Shaping for PPPoEoVLAN Using RADIUS feature.

Standards

Standard

Title

No new or modified standards are supported, and support for existing standards has not been modified.

--

MIBs

MIB

MIBs Link

No new or modified MIBs are supported, and support for existing MIBs has not been modified.

To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

RFC

Title

No new or modified RFCs are supported, and support for existing RFCs has not been modified.

--

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport

Feature Information for Per Session Queueing and Shaping for PPPoEoVLAN Using RADIUS

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for Per Session Queueing and Shaping for PPPoE over VLAN Using RADIUS

Feature Name

Releases

Feature Information

Per Session Queueing and Shaping for PPPoE over VLAN Using RADIUS

Cisco IOS XE Release 2.1

This feature enables you to shape PPPoE over VLAN sessions to a user-specified rate. The Per Session Queueing and Shaping for PPPoE over VLAN Support Using RADIUS feature was introduced on the PRE2 to enable dynamic queueing and shaping policies on PPPoEoVLAN session.

This feature was integrated into Cisco IOS XE Release 2.1.