[c-nsp] DHCP per user features

Maile Halatuituia maile.halatuituia at tcc.to
Wed Mar 6 20:19:19 EST 2019


Hi Nathan
Really appreciate the documentation.
Many Thanks

From: Nathan Ward <cisco-nsp at daork.net>
Sent: Thursday, 7 March 2019 12:54 PM
To: Maile Halatuituia <maile.halatuituia at tcc.to>
Cc: Mike <mike-cisconsplist at tiedyenetworks.com>; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] DHCP per user features

Hi,

This is a very common deployment.

You have some questions you need to understand about your product/solution - some examples:
 - are you using IP pools on the BNG, or in the RADIUS server?
 - how will you identify users? Option 82 - if so Remote ID or Circuit ID? MAC?
 - what parameters do you want to push to your users?
 - do your users come in on a VLAN per subscriber, or are your users all on one VLAN?
(I don’t need answers to these, you’ll need these when reading the following links)

Typically, the RADIUS auth for DHCP uses whatever you set for the “username” - i.e. the Option 82 info, or whatever, and the password is static for all users. You trust that the username is correct - the customer can’t set it if it’s option 82 set by your access network, for example.

ISG is what you generally use to push policy etc. to subscribers as they arrive, with PPPoE as well. There’s a section on Option 82 and Option 60, start there:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-16/isg-xe-16-book.html

Here’s some high level slides to help:
https://www.cisco.com/c/dam/global/en_ca/assets/plus/assets/pdf/CiscoPlus-BKRISHNAN-TLE.pdf

You can do lots with DHCP and RADIUS too:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dhcp/configuration/xe-16/dhcp-xe-16-book.html


On 7/03/2019, at 11:19 AM, Maile Halatuituia <maile.halatuituia at tcc.to> wrote:

Hi Mike
I hope someone would be able to provide a clue, as I am looking for the same thing as well.
At least my issue is how I can authenticate a DHCP client before an IP address is assigned, as in PPPoE ... I understand DHCP lacks that but I hope someone would have some working clue.

-----Original Message-----
From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> On Behalf Of Mike
Sent: Thursday, 7 March 2019 10:08 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] DHCP per user features

Hello,


   I have ASR1000 and am terminating subscriber access PPPoE sessions on it. I am making a move towards supporting DHCP for subscriber access and I am trying to envision how to support the same subscriber features I am using under PPPoE.


   For PPPoE, the magic happens in radius. The three primary features I support are:

   Per-user firewall - a configurable packet filter choice (in practice, three choices - no, medium, or high filtering)

   Per-user rate limits - Policing to enforce upload/download speed limits

   Per-user ip assignment - assigning fixed ip address / subnets


   For a DHCP access model, I know I can do magic-foo with my dhcp server using option 82 or circuit-id arguments to select the right values. But these other two features (firewall and ratelimiting) I have no clue how to get this programmed in for the subscriber session. I have tried reading up on 'isg subscriber sessions' which seems to indicate it can do something with dhcp subscribers, but the documentation is really difficult and I find no real examples for same. It also states per-user firewall is not supported nor is policing.


   Any clues would be most appreciated....

Mike-





_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.
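
The username derivation described in Nathan's reply (Option 82 Remote ID or Circuit ID as the RADIUS username, trusted only because the access network sets it), as an added example that is not part of the original thread or any Cisco code. The hex encoding of the username, the `from_trusted_relay` flag and the sample bytes are assumptions made for illustration.

```python
# Added example: derive a RADIUS User-Name from DHCP option 82 (RFC 3046).
OPT_RELAY_AGENT_INFO = 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2   # RFC 3046 sub-option codes

def walk_tlvs(buf, dhcp_level):
    """Yield (code, value) pairs; reject anything truncated instead of guessing."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if dhcp_level and code == 0:      # pad option has no length byte
            i += 1
            continue
        if dhcp_level and code == 255:    # end option
            return
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated TLV at offset %d" % i)
        yield code, buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]

def parse_option82(options):
    """Return {sub-option code: bytes} from the options field, or {} if absent."""
    for code, value in walk_tlvs(options, dhcp_level=True):
        if code == OPT_RELAY_AGENT_INFO:
            return dict(walk_tlvs(value, dhcp_level=False))
    return {}

def radius_username(options, from_trusted_relay, key=SUB_REMOTE_ID):
    """Hex-encode the chosen sub-option as the username (encoding is an assumption).

    from_trusted_relay is a hypothetical flag meaning "option 82 was inserted by
    our own access network"; anything else is refused, since the identifier is
    the only credential when the password is static for all users.
    """
    if not from_trusted_relay:
        return None
    ident = parse_option82(options).get(key)
    return ident.hex() if ident else None

# Constructed sample: DHCPDISCOVER options as seen after the relay added option 82.
_circuit, _remote = b"port-7/vlan-100", bytes.fromhex("001122334455")
_opt82 = (bytes([SUB_CIRCUIT_ID, len(_circuit)]) + _circuit
          + bytes([SUB_REMOTE_ID, len(_remote)]) + _remote)
SAMPLE_OPTIONS = bytes([53, 1, 1, OPT_RELAY_AGENT_INFO, len(_opt82)]) + _opt82 + b"\xff"

if __name__ == "__main__":
    print(radius_username(SAMPLE_OPTIONS, True))                  # Remote ID
    print(radius_username(SAMPLE_OPTIONS, True, SUB_CIRCUIT_ID))  # Circuit ID
    print(radius_username(SAMPLE_OPTIONS, False))                 # untrusted source
```
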

