[c-nsp] cisco BRAS operational questions

Patrick Cole z at amused.net
Thu Jan 19 17:54:48 EST 2012


Thu, Jan 19, 2012 at 12:23:53PM -0800, Mike wrote:

> Hello,
> 
> 	I am considering going to a cisco 7201 for PPPoE subscriber 
> termination, and I am trying to figure out how I would duplicate some 
> features of my current (linux based) pppoe solution. I use radius and am 
> certain 85% of what I do is stock-and-trade for the cisco solution, the 
> devil is in some custom things we've come to depend on.
> 
> 	* per-customer ip filtering

Cisco AVpair attributes ip:inacl or ip:outacl or lcp:interface-config with
"ip access-group ...."
 
> 	Most customers have a default ip filter which drops all rfc1918 
> addresses, invalid source addresses, and prevents direct-to-smtp 
> connections other than to our mail hosts. A very small subset of 
> subscribers have a slightly modified filter which permits 
> smtp-to-anywhere. I want to be able to set this via radius attributes 
> but have no clue how I'd give any given subscriber one filter list vs 
> another. The filter rules themselves could certainly be pretty static 
> and not changing often, I just need to be able to tell the box which set 
> of rules should apply per customer.
> 
> 	* captive portal / source routing

Radius attribute 104 allows you to specify private routes for a subscriber.
Effectively like they're in their own private routing table.  Use GRE tunnels 
and policy route maps to send traffic to your captive portal server and redirect 
traffic to a web page as required.
 
> 	Certain customers may need to have different routing than the 
> default 'to internet' gateway. For example, I have a captive portal system 
> that works by returning custom web pages for any request that gets routed to 
> it, such as if you make this box's ip the 'default gateway' used by a 
> customer. I would need to be able to tell the cisco to route all packets 
> from some given customer - either by source ip address or, preferably, 
> by interface - down to this alternate gateway.
> 
> 	* diagnostic intercept
>
> 	For troubleshooting purposes, we find it helpful to be able to use 
> tcpdump to capture packets. We do it by mac address and sometimes by 
> customer PPP interface. Aside from having a span port on the switch, is 
> there any way we could get a feed from the 7201 for this purpose?
 
You should be able to do this with the IOS images that have lawful intercept.
I am not sure if there is another way I don't know about.
 
Patrick
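
The per-subscriber filtering described above (RADIUS returning ip:inacl#N= Cisco AV pairs to the BRAS), as an added example that is not part of this thread: it builds the AV-pair list for the two subscriber classes Mike describes and evaluates a packet against them first-match, so a profile can be checked before it is loaded into RADIUS. The mail-host addresses and subscriber addresses are assumed sample values; the ip:inacl#N= string form is the IOS per-user ACL syntax.

```python
import ipaddress

# Constructed sample values: replace with the real mail hosts.
MAIL_HOSTS = ["192.0.2.25", "192.0.2.26"]
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def wildcard(net):
    """Cisco ACL notation: network followed by its inverse (wildcard) mask."""
    n = ipaddress.ip_network(net)
    return f"{n.network_address} {n.hostmask}"


def build_inacl(profile):
    """Return the ip:inacl#N= AV-pair values for one subscriber profile.
    'default' blocks SMTP except to our mail hosts; 'smtp-anywhere' lifts
    only that rule, the RFC1918 source drop stays in both profiles."""
    aces = [f"deny ip {wildcard(n)} any" for n in RFC1918]
    aces += [f"permit tcp any host {h} eq 25" for h in MAIL_HOSTS]
    if profile == "default":
        aces.append("deny tcp any any eq 25")
    elif profile != "smtp-anywhere":
        raise ValueError(f"unknown profile {profile!r}")
    aces.append("permit ip any any")
    # Each string is sent as one Cisco-AVPair; the #N keeps the order.
    return [f"ip:inacl#{i}={ace}" for i, ace in enumerate(aces, 1)]


def _addr(tok):
    """Consume one address spec (any | host X | net wildcard); return matcher."""
    if tok[0] == "any":
        return (lambda ip: True), tok[1:]
    if tok[0] == "host":
        host = ipaddress.ip_address(tok[1])
        return (lambda ip: ip == host), tok[2:]
    net = ipaddress.ip_network(f"{tok[0]}/{tok[1]}")  # accepts hostmask form
    return (lambda ip: ip in net), tok[2:]


def permits(avpairs, src, dst, proto, dport=None):
    """First-match evaluation of the generated ACEs for one packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for av in avpairs:
        tok = av.split("=", 1)[1].split()
        action, aproto = tok[0], tok[1]
        smatch, tok = _addr(tok[2:])
        dmatch, tok = _addr(tok)
        port_ok = not tok or (tok[0] == "eq" and dport == int(tok[1]))
        if aproto in (proto, "ip") and smatch(src) and dmatch(dst) and port_ok:
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL
```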

