Service control refers to the control of information about access users. The NetEngine 8000 F performs service control by backing up information about access users on the active BRAS to the standby BRAS in real time. To ensure the reliability of information backup, the NetEngine 8000 F backs up information through TCP. Table 1 lists the user attributes that can be backed up. Not all of the user attributes listed in Table 1 have to be backed up. You can determine which user attributes to back up according to the actual services of users.
| Attribute | Description |
|---|---|
| MAC | MAC address of a user, which identifies a user in collaboration with a Session-ID. |
| IP-address | IP address of a user. |
| Vlan-ID | VLAN IDs in the inner and outer VLAN tags. |
| Option60 | Option 60 carried in a user packet. |
| Option82 | Option 82 carried in a user packet. |
| Lease-time | Address lease delivered by a RADIUS server. |
| SessionId | Session ID of a user. The session ID of a DHCP user is always 0. |
| MTU | Maximum transmission unit (MTU) of a user packet. |
| Magic number | Magic number of a user. It is used for loop detection. |
| Username | User name. |
| QosProfile | Name of a QoS profile delivered by the RADIUS server. It is used to meet users' requirements for QoS. |
| Up-Priority | Priority of a user's upstream traffic delivered by the RADIUS server. |
| PrimaryDNS | Primary DNS delivered by the RADIUS server. |
| SecondaryDNS | Secondary DNS delivered by the RADIUS server. |
| UCL-Group | UCL for user group policy control delivered by the RADIUS server. |
| Up-Pack | Real-time number of upstream packets. It is used for traffic-based accounting. |
| Down-Pack | Real-time number of downstream packets. It is used for traffic-based accounting. |
| Up-Byte | Real-time number of upstream bytes. It is used for traffic-based accounting. |
| Down-Byte | Real-time number of downstream bytes. It is used for traffic-based accounting. |
| Remanent-Volume | Volume of the remaining traffic delivered by the RADIUS server. It is used to control the online traffic of users. |
| Session-Timeout | Remaining time delivered by the RADIUS server. It is used to control the online duration of users. |
| Ip-Pool | IP address pool name delivered by the RADIUS server. |
| AcctSession-ID | ID for real-time accounting. |
| FramedRoute | User route delivered by the RADIUS server. |
| FramedNetMask | Gateway address delivered by the RADIUS server. |
| Up-CIR | Upstream traffic committed information rate (CIR) delivered by the RADIUS server. |
| Down-CIR | Downstream traffic CIR delivered by the RADIUS server. |
| Up-PIR | Upstream traffic peak information rate (PIR) delivered by the RADIUS server. |
| Down-PIR | Downstream traffic PIR delivered by the RADIUS server. |
| Down-Priority | Priority of a user's downstream traffic delivered by the RADIUS server. |
| Lease-time52 | Lease agent delivered by the RADIUS server. |
| Renewal-Time | Renewed address lease delivered by the RADIUS server. |
| Rebinding-Time | Rebound address lease delivered by the RADIUS server. |
| Renewal-Time52 | Renewed lease agent delivered by the RADIUS server. |
| Rebinding-Time52 | Rebound lease agent delivered by the RADIUS server. |
| Web-IpAddress | IP address of the Web authentication server. It is used to back up information about Web authentication users. |
| Web-VRF | VPN instance of the Web authentication server. It is used to back up information about Web authentication users. |
| L2TP assigned local tunnel id | Local tunnel index assigned by L2TP. |
| L2TP assigned local session id | Local session index assigned by L2TP. |
| Radius proxy IP address | Destination IP address carried in a received RADIUS packet sent by a client when the BAS device functions as a RADIUS proxy. |
| Radius client IP address | Source IP address carried in a received RADIUS packet sent by a client when the BAS device functions as a RADIUS proxy. |
| Radius client VRF | VPN instance to which a RADIUS client belongs. |
| AcctSession-ID on Radius client | Accounting session ID of a client. |
| Radius client NAS ID | Name of the NAS of a RADIUS client. |
| Called ID of Radius proxy user | Called-Station-Id attribute of a RADIUS proxy user. |
| Calling ID of Radius proxy user | Calling-Station-Id attribute of a RADIUS proxy user. |

When backing up information about access users, you need to ensure that the configurations of the active and standby BRASs are consistent, including the IP address, VLAN, and QoS parameters. You need to ensure the consistency of common attributes. The special attributes of a user are backed up through TCP. Figure 1 shows the process of backing up the special attributes of a user. A TCP connection can be set up based on the uplinks connecting to the MAN.
The user information backup function supports backup of information about authentication, accounting, and authorization of users. The NetEngine 8000 F controls user access according to the master/backup status negotiated through VRRP. Only the active device can handle users' access requests and perform authentication, real-time accounting, and authorization for users. The standby device discards users' access requests.
After a user logs on through the active device, the active device backs up information about the user to the standby device through TCP. The standby device generates a corresponding service based on user information. This ensures that the standby device can smoothly take over services from the active device when the active device fails.
When the active device fails (for example, the system restarts), services are switched to the standby device. When the active device recovers, services need to be switched back. The recovered active device, however, lacks information about users. Therefore, information about users on the standby device must be backed up to the active device in batches. At present, the maximum rate of information backup is 1000 pieces of information per second.
As shown in Figure 2, the entire service control process can be divided into the following phases:

- Backup phase
  1. The two NetEngine 8000 Fs negotiate the active device (Device1) and standby device (Device2) using VRRP.
  2. A user logs on through Device1, and information about this user is backed up to Device2 in real time.
  3. The two NetEngine 8000 Fs detect the link between them through BFD or Ethernet OAM.
- Switchover phase
- Switchback phase
  1. After the link on Device1 recovers, VRRP renegotiates the active/standby status. Device1 then acts as the active device again. In this case, if the links of the backup channels on Device1 and Device2 were also faulty and have recovered, Device2 needs to back up all user information to Device1 in batches and Device1 needs to back up all user information to Device2. User entry synchronization between the two devices is bidirectional.
  2. Before the batch backup is completed, the VRRP switchover is not performed. At this time, Device1 is still the standby device and Device2 is still the active device. When the batch backup is completed, the VRRP switchover is performed. Device1 becomes the active device and sends a gratuitous ARP packet; Device2 becomes the standby device and completes switchback of user services.
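
The backup and switchback phases above can be modeled in a few lines. This is an added example, not NetEngine code: the `Bras` class, the function names, and the rule that each side sends only the entries its peer lacks are assumptions, and the MAC and IP values are constructed. It shows the standby device discarding access requests, and the role change waiting for a batch backup whose minimum duration follows from the 1000-entries-per-second limit.

```python
import math

MAX_BACKUP_RATE = 1000  # entries per second, the maximum rate stated above

class Bras:
    """Simplified model of one BRAS; users are keyed by (MAC, SessionId)."""
    def __init__(self, name):
        self.name = name
        self.role = "standby"
        self.users = {}

    def login(self, peer, mac, session_id, attrs):
        # Only the active device handles access requests; the standby discards them.
        if self.role != "active":
            return False
        self.users[(mac, session_id)] = attrs
        if peer is not None:  # real-time backup over the TCP channel
            peer.users[(mac, session_id)] = dict(attrs)
        return True

def batch_sync(a, b):
    """Bidirectional batch backup (assumed rule: send what the peer lacks).
    Returns (entries sent, minimum seconds at the maximum backup rate)."""
    to_b = {k: v for k, v in a.users.items() if k not in b.users}
    to_a = {k: v for k, v in b.users.items() if k not in a.users}
    b.users.update(to_b)
    a.users.update(to_a)
    sent = len(to_a) + len(to_b)
    return sent, math.ceil(sent / MAX_BACKUP_RATE)

def switchback(recovered, current_active):
    """The roles change only after the batch backup has completed."""
    sent, seconds = batch_sync(recovered, current_active)
    recovered.role, current_active.role = "active", "standby"
    return sent, seconds

def demo():
    d1, d2 = Bras("Device1"), Bras("Device2")
    d1.role = "active"
    d1.login(d2, "00:00:5e:00:53:01", 0, {"IP-address": "192.0.2.10"})
    # Device1 restarts: it loses its user table and Device2 takes over.
    d1.users, d1.role, d2.role = {}, "standby", "active"
    accepted = d1.login(d2, "00:00:5e:00:53:99", 0, {})  # discarded by the standby
    for i in range(2500):  # constructed users logging on while Device1 is down
        mac = f"00:00:5e:00:{i >> 8:02x}:{i & 0xff:02x}"
        d2.login(None, mac, 0, {"IP-address": f"198.51.100.{i % 250}"})
    sent, seconds = switchback(d1, d2)
    return accepted, sent, seconds, d1.role, len(d1.users)
```

With 2501 entries to restore, the batch backup needs at least 3 seconds, and until it finishes Device2 remains the only device that accepts logins.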
The NetEngine 8000 F provides high reliability protection for Web authentication users. The principle of high reliability protection for Web authentication users is similar to that for ordinary access users. No special configuration is needed on the Web server.