[c-nsp] DHCP per user features

Nathan Ward cisco-nsp at daork.net
Wed Mar 6 18:54:10 EST 2019


Hi,

This is a very common deployment.

You have some questions you need to understand about your product/solution - some examples:
 - are you using IP pools on the BNG, or in the RADIUS server?
 - how will you identify users? Option 82 - if so Remote ID or Circuit ID? MAC?
 - what parameters do you want to push to your users?
 - do your users come in on a VLAN per subscriber, or are your users all on one VLAN?
(I don’t need answers to these, you’ll need these when reading the following links)

Typically, the RADIUS auth for DHCP uses whatever you set for the “username” - i.e. the Option 82 info, or whatever, and the password is static for all users. You trust that the username is correct - the customer can’t set it if it’s option 82 set by your access network, for example.

ISG is what you generally use to push policy etc. to subscribers as they arrive, with PPPoE as well. There’s a section on Option 82 and Option 60, start there:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-16/isg-xe-16-book.html

Here’s some high level slides to help:
https://www.cisco.com/c/dam/global/en_ca/assets/plus/assets/pdf/CiscoPlus-BKRISHNAN-TLE.pdf

You can do lots with DHCP and RADIUS too:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/xe-16/dhcp-xe-16-book.html

> On 7/03/2019, at 11:19 AM, Maile Halatuituia <maile.halatuituia at tcc.to> wrote:
> 
> Hi Mike
> I hope someone would be able to provide the clue as I am looking for the same thing as well.
> At least my issue is how I can authenticate a DHCP client before an IP address is assigned, as in PPPoE ... I understand DHCP lacks that but I hope someone would have some working clue.
> 
> -----Original Message-----
> From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> On Behalf Of Mike
> Sent: Thursday, 7 March 2019 10:08 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] DHCP per user features
> 
> Hello,
> 
> 
>    I have ASR1000 and am terminating subscriber access PPPoE sessions on it. I am making a move towards supporting DHCP for subscriber access and I am trying to envision how to support the same subscriber features I am using under PPPoE.
> 
> 
>    For PPPoE, the magic happens in radius. The three primary features I support are:
> 
>    Per-user firewall - a configurable packet filter choice (in practice, three choices - no, medium, or high filtering)
> 
>    Per-user rate limits - Policing to enforce upload/download speed limits
> 
>    Per-user ip assignment - assigning fixed ip address / subnets
> 
> 
>    For a DHCP access model, I know I can do magic-foo with my dhcp server using option 82 or circuit-id arguments to select the right values. But these other two features (firewall and ratelimiting) I have no clue how to get this programmed in for the subscriber session. I have tried reading up on 'isg subscriber sessions' which seems to indicate it can do something with dhcp subscribers, but the documentation is really difficult and I find no real examples for same. It also states per-user firewall is not supported nor is policing.
> 
> 
>    Any clues would be most appreciated....
> 
> Mike-
> 
> 
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.
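The reply above notes that the BNG takes the Option 82 information as the RADIUS username (with a static password) and simply trusts it, so the identifier must be parsed strictly and authentication refused when it is missing or malformed. The following is an added example, not code from the thread or from Cisco: it parses an RFC 3046 option 82 TLV into its Agent Circuit ID / Agent Remote ID sub-options and derives the User-Name the BNG would send; the sample bytes and the interface / node names in them are constructed.

```python
from typing import Dict, Optional

CIRCUIT_ID = 1  # RFC 3046 sub-option 1: Agent Circuit ID
REMOTE_ID = 2   # RFC 3046 sub-option 2: Agent Remote ID

# Constructed sample: option 82 as an access node might insert it
# (code 82, length 23, then two TLV sub-options). Values are made up.
SAMPLE_OPTION82 = bytes([
    0x52, 0x17,
    0x01, 0x0b, *b"eth 1/1/5:0",   # Circuit ID, 11 bytes
    0x02, 0x08, *b"acc-nod1",      # Remote ID, 8 bytes
])


def parse_option82(buf: bytes) -> Dict[int, bytes]:
    """Parse one DHCPv4 option 82 TLV into {sub-option code: value};
    raise ValueError on anything malformed rather than guessing."""
    if len(buf) < 2 or buf[0] != 82 or len(buf) != 2 + buf[1]:
        raise ValueError("not a well-formed option 82 TLV")
    subs: Dict[int, bytes] = {}
    pos, end = 2, 2 + buf[1]
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated sub-option header")
        code, slen = buf[pos], buf[pos + 1]
        pos += 2
        if pos + slen > end:
            raise ValueError("sub-option runs past option length")
        if code in subs:
            raise ValueError("duplicate sub-option %d" % code)
        subs[code] = buf[pos:pos + slen]
        pos += slen
    return subs


def radius_username(buf: bytes, key: int = CIRCUIT_ID) -> Optional[str]:
    """RADIUS User-Name taken from sub-option `key`, or None for "do not
    authenticate": option 82 missing/malformed, identifier absent, or not
    printable ASCII. The static shared password is not derived here."""
    try:
        value = parse_option82(buf).get(key)
    except ValueError:
        return None
    if not value or not value.isascii():
        return None
    text = value.decode("ascii")
    return text if text.isprintable() else None
```

A DHCP DISCOVER that arrives with no option 82 at all (i.e. one that did not pass through the access node that inserts it) yields None and should not be authenticated.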
