[c-nsp] DHCP per user features

Radu-Adrian FEURDEAN cisco-nsp at radu-adrian.feurdean.net
Thu Mar 7 08:36:28 EST 2019


On Wed, Mar 6, 2019, at 22:08, Mike wrote:
>     I have ASR1000 and am terminating subscriber access PPPoE sessions
> on it. I am making a move towards supporting DHCP for subscriber access
> and I am trying to envision how to support the same subscriber features
> I am using under PPPoE.
> 
> 
>     For PPPoE, the magic happens in RADIUS. The three primary features I
> support are:
> 
>     Per-user firewall - a configurable packet filter choice (in
> practice, three choices - no, medium, or high filtering)
> 
>     Per-user rate limits - Policing to enforce upload/download speed limits
> 
>     Per-user IP assignment - assigning fixed IP address / subnets

You can do more or less the same thing with DHCP *and* RADIUS. On Cisco A1K this is awkward (if possible at all - it definitely is on A9K), but the possibility does generally exist. You just need a device that integrates "IPoE subscriber management" (A9K does, A1K should, everything else doesn't).

>     For a DHCP access model, I know I can do magic-foo with my DHCP
> server using option 82 or circuit-id arguments to select the right

That usually supposes the use of internal DHCP, which in turn gets some of the information from the RADIUS AAA reply.

> values. But these other two features (firewall and ratelimiting) I have
> no clue how to get this programmed in for the subscriber session. I have

This should be applied directly to the subscriber independently of the DHCP part, but related to the AAA part.

> difficult and I find no real examples for same. It also states per-user
> firewall is not supported nor is policing.

If these are not supported, that must be on the A1K family. There still is A9K, as well as other vendors that should be able to do this.

For complex stuff, PPPoE still looks like the way to go for me.

-- 
R.-A. Feurdean
