[cisco-bba] PPPoE Mid-session Shaping/Policing

Tom Storey tom at snnap.net
Fri Jan 9 09:01:59 EST 2009


Does the 7206VXR terminate the sessions or forward them on?

A possible solution that springs to mind is, if the router terminates the
session (or at least for the sessions that it does terminate), create a
script that uses the "show users wide" command to build a list of
usernames and corresponding Vi interfaces. You could then configure those
Vi interfaces as per normal and apply rate-limits.

I believe this is doable, I seem to recall playing with it a while back,
but maybe I'm wrong and thinking of something else - it was a couple of
years ago.

Tom

> Thanks Jeff.
>
> However, the IOS that the 7206VXR currently uses does not have the ISG
> feature set, are there any other possible ways to achieve the same result?
>
> If not, I guess I will have to look for a new IOS that supports ISG...
>
> Patrick
>
> On Wed, Jan 7, 2009 at 5:36 PM, Jeff Hinds <gripen49 at gmail.com> wrote:
>
>> Hi Patrick
>>
>>
>> There is one possible solution that will definitely work. If you use Cisco
>> ISG features on the 7206VXR you can do per-service shaping on-the-fly
>> without disconnecting the parent session. This is accomplished using RADIUS
>> CoA commands. I have found that you need to unapply the original service and
>> then apply a new service with the shaping attributes. Some basic starter
>> examples below:
>>
>>
>> (Normal service profile)
>>
>> PPP_SERVICE Password == "servicecisco"
>>  Auth-Type = PAP,
>>  Cisco-Service-Info = "QU;1024000;D;1024000",
>>  Cisco-AVPair += "ip:traffic-class=in access-group name ACL_UPSTREAM_PPP priority 30",
>>  Cisco-AVPair += "ip:traffic-class=out access-group name ACL_DOWNSTREAM_PPP priority 30",
>>  Cisco-AVPair += "ip:traffic-class=in default drop",
>>  Cisco-AVpair += "ip:traffic-class=out default drop",
>>  Acct-Interim-Interval=900,
>>  Cisco-AVPair += "subscriber:accounting-list=PPP_ACCOUNTING_LIST"
>>
>>
>> (shaped service profile)
>>
>> PPP_SERVICE_SHAPED Password == "servicecisco"
>>  Auth-Type = PAP,
>>  Cisco-Service-Info = "QU;64000;D;64000",
>>  Cisco-AVPair = "ip:traffic-class=in access-group name ACL_UPSTREAM_PPP priority 20",
>>  Cisco-AVPair += "ip:traffic-class=out access-group name ACL_DOWNSTREAM_PPP priority 20",
>>  Cisco-AVPair += "ip:traffic-class=in default drop",
>>  Cisco-AVpair += "ip:traffic-class=out default drop",
>>  Cisco-AVPair += "subscriber:accounting-list=PPP_ACCOUNTING_LIST"
>>
>>
>> Note that you can specify the accounting update interval on a per-service
>> basis.
>>
>>
>> I have tested the above and it works as expected on both the 7206 and 10008
>> platforms. This will do what you need.
>>
>>
>> I use freeradius so my CoA command is structured as follows:
>>
>>
>> (unapply PPP_SERVICE)
>>
>> echo "Cisco-Account-Info=S172.20.1.13,Cisco-Command-Code==0x0C5050505F53455256494345" | /usr/bin/radclient 192.168.1.1:1812 coa isgradiussecret -x
>>
>>
>> (apply PPP_SERVICE_SHAPED)
>>
>> echo "Cisco-Account-Info=S172.20.1.13,Cisco-Command-Code==0x0B5050505F534552564943455F534841504544" | /usr/bin/radclient 192.168.1.1:1812 coa isgradiussecret -x
>>
>>
>> Where (for illustration only), 172.20.1.13 is the subscriber session
>> identifier (Acct-Session-Id can also be used) and 192.168.1.1 is the IP of
>> the BBA router (provided it is configured to accept RADIUS CoA using "aaa
>> server radius dynamic-author"). I have used this site in the past for
>> converting service names in string format to Hex (for the CoA command):
>> http://www.easycalculation.com/ascii-hex.php
>>
>>
>> Hope this helps..
>>
>>
>> Regards,
>>
>> Jeff Hinds
>>
>>
>>
>>
>> *From:* cisco-bba-bounces at puck.nether.net [mailto:
>> cisco-bba-bounces at puck.nether.net] *On Behalf Of *Patrick Wu
>> *Sent:* Wednesday, January 07, 2009 6:37 AM
>> *To:* cisco-bba at puck.nether.net
>> *Subject:* [cisco-bba] PPPoE Mid-session Shaping/Policing
>>
>>
>>
>> Hi Everyone,
>>
>> I have a L2TP/PPPoE setup in a 7206VXR and it is working fine. What I now
>> want to do is to implement dynamic shaping/policing on the PPPoE services,
>> i.e., I would like to shape/police a PPPoE service without disconnecting the
>> session.
>>
>> I believe this can be implemented using RADIUS attributes? But I'm not sure
>> how it is done exactly, if it is possible at all. I'm already using RADIUS
>> attributes to shape/police PPPoE sessions when they log in initially; I now
>> need to change the shaper/policer rate mid-session without disconnecting.
>>
>> Anyone with any info, or who can point me in the right direction, would be
>> appreciated.
>>
>> Thanks!
>>
>> Patrick
>>
> _______________________________________________
> cisco-bba mailing list
> cisco-bba at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-bba
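
Added example, not part of the original thread: a shell helper that builds the two CoA attribute lines quoted above (code 0x0C followed by the hex of the service to unapply, then 0x0B followed by the hex of the service to apply) without a web converter. The function names are hypothetical. Inputs are restricted to a safe character set so a caller-supplied service name or session id cannot smuggle extra attributes into the line piped to radclient.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Attribute syntax and the
# command codes 0C (unapply) / 0B (apply) are copied from the quoted post.

# hex_encode STRING -> uppercase hex of the ASCII bytes, no separators
hex_encode() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# command_code OPCODE SERVICE -> value for Cisco-Command-Code
command_code() {
    case "$1" in
        0B|0C) ;;
        *) echo "unsupported opcode: $1" >&2; return 1 ;;
    esac
    case "$2" in
        ''|*[!A-Za-z0-9_-]*) echo "bad service name: $2" >&2; return 1 ;;
    esac
    printf '0x%s%s' "$1" "$(hex_encode "$2")"
}

# coa_request SESSION OPCODE SERVICE -> one radclient attribute line
coa_request() {
    case "$1" in
        ''|*[!A-Za-z0-9.:-]*) echo "bad session id: $1" >&2; return 1 ;;
    esac
    code=$(command_code "$2" "$3") || return 1
    printf 'Cisco-Account-Info=S%s,Cisco-Command-Code==%s' "$1" "$code"
}

# swap_service SESSION OLD NEW -> both requests, unapply first, then apply
swap_service() {
    coa_request "$1" 0C "$2" || return 1
    printf '\n'
    coa_request "$1" 0B "$3" || return 1
    printf '\n'
}

# Values from the post; each printed line is what gets piped to radclient.
swap_service 172.20.1.13 PPP_SERVICE PPP_SERVICE_SHAPED
```

Each output line is sent as its own request, in the order printed, using the radclient invocation shown in the quoted message.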



