[rbak-nsp] Static CLIPS with MAC authentication.
Илья Савин
savin at orn.ru
Fri Apr 16 08:28:31 EDT 2010
Sorry Denis, there really is some difference in the configs.
Now I think the only way to make an IP-MAC binding is a static ARP
entry. Ex: "ip arp 80.76.187.2 00:0c:29:84:db:13".
Thanks.
WBR,
Ilya Savin.
16 Apr 2010, 16:17 Denis Mikhaylovskiy
<denis.mikhaylovskiy at ericsson.com> wrote:
> Hi,
> Yes, it is static clips in the provided example
>
> service clips
> clips pvc 1
> bind subscriber s1 at c1
>
> But your config is not the same :)
>
> dot1q pvc 8
> bind subscriber 00:0c:29:84:db:13 at static
> service clips
> !
> end
>
> As per the question below, IP-MAC demultiplexing of incoming packets is possible only with DHCP.
>
>
> Regards,
> /denis
>
> -----Original Message-----
> From: redback-nsp-bounces at puck.nether.net [mailto:redback-nsp-bounces at puck.nether.net] On Behalf Of Илья Савин
> Sent: Friday, April 16, 2010 3:42 PM
> To: redback-nsp at puck.nether.net
> Subject: Re: [rbak-nsp] Static CLIPS with MAC authentication.
>
> Hi, Denis!
>
> Thanks for the answer.
>
>> Actually there is no static clips in your config :).
>>
>> It is just binding of pvc using subscriber record....
>
> It's like the configuration example from the User Manual:
>
> Static CLIPS Circuit for a Single PVC
> The following example shows how to configure a CLIPS static circuit on
> a single PVC:
> [local]Redback(config)#service multiple-contexts
> [local]Redback(config)#context c1
> [local]Redback(config-ctx)#interface i1 multibind
> [local]Redback(config-if)#ip address 10.1.1.254/24
> [local]Redback(config-if)#exit
> [local]Redback(config-ctx)#subscriber name s1
> [local]Redback(config-sub)#ip address 10.1.1.1
> [local]Redback(config-ctx)#exit
> [local]Redback(config)#card ether-12-port 9
> [local]Redback(config-card)#exit
> [local]Redback(config)#port ethernet 9/1
> [local]Redback(config-port)#no shutdown
> [local]Redback(config-port)#service clips
> [local]Redback(config-port)#clips pvc 1
> [local]Redback(config-clips-pvc)#bind subscriber s1 at c1
>
>> If you'd like to demultiplex incoming traffic based on MACs, you then have only one option: dynamic clips (meaning DHCP).
>
> I already have dynamic clips (dhcp) on other context. But I don't want
> to use DHCP for some clients.
>
> Is there any other way to make an IP-MAC binding?
>
> WBR,
> Ilya Savin.
>
>
> 16 Apr 2010, 15:24 Denis Mikhaylovskiy
> <denis.mikhaylovskiy at ericsson.com> wrote:
>>
>> Hey Ilya,
>>
>>
>>
>> Actually there is no static clips in your config :).
>>
>> It is just binding of pvc using subscriber record. But anyway, static clips as well as pvc binding doesn't demultiplex incoming traffic per MAC; it does so only per source IP.
>>
>> If you'd like to demultiplex incoming traffic based on MACs, you then have only one option: dynamic clips (meaning DHCP).
>>
>>
>>
>> P.S. You can run DHCP server on SmartEdge for instance.
>>
>>
>>
>>
>>
>> Hope it helps.
>>
>> /denis
>>
>> ________________________________
>>
>> From: redback-nsp-bounces at puck.nether.net [mailto:redback-nsp-bounces at puck.nether.net] On Behalf Of Илья Савин
>> Sent: Friday, April 16, 2010 2:54 PM
>> To: redback-nsp at puck.nether.net
>> Subject: [rbak-nsp] Static CLIPS with MAC authentication.
>>
>>
>>
>> Hi.
>>
>> I am using static clips. Here is config:
>>
>> [static]Redback#sh conf
>> Building configuration...
>>
>> Current configuration:
>> !
>> context static
>> !
>> no ip domain-lookup
>> !
>> interface lena multibind
>> ip address 80.76.187.1/24
>> !
>> subscriber name 00:0c:29:84:db:13
>> ip address 80.76.187.2
>> qos policy policing 1m_p
>> qos policy metering 1m_m
>> !
>> ip route 0.0.0.0/0 context bgp
>> !
>> ...........
>> port ethernet 2/3
>> no shutdown
>> encapsulation dot1q
>> dot1q pvc 8
>> bind subscriber 00:0c:29:84:db:13 at static
>> service clips
>> !
>> end
>>
>> So, host 80.76.187.2 gets access to the Internet with the specified qos parameters. But the MAC address, specified as the subscriber's username, does not affect anything. The host is authenticated by IP address, not by MAC address.
>>
>> Can I authenticate subscribers by MAC address? Or at least bind a MAC address to a subscriber (for example, by MAC-ACL)?
>>
>> WBR,
>> Ilya Savin
>
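Added example, not part of the original thread or of any Redback/SmartEdge tooling: a Python script that reads subscriber records named by MAC address, as in the config quoted above, and emits the "ip arp <ip> <mac>" lines mentioned at the top of this message, reporting records that cannot give an unambiguous binding. The function name, the extra sample subscribers and the conflict rule are assumptions; per Denis's replies, incoming traffic on the static circuit is still demultiplexed per source IP.

```python
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

# Constructed sample: the subscriber part of the config quoted in this thread,
# plus two hypothetical records (a non-MAC name and a conflicting IP).
SAMPLE_CONFIG = """\
context static
 interface lena multibind
  ip address 80.76.187.1/24
 !
 subscriber name 00:0c:29:84:db:13
  ip address 80.76.187.2
  qos policy policing 1m_p
 !
 subscriber name s1
  ip address 80.76.187.3
 !
 subscriber name 00:0C:29:AA:BB:CC
  ip address 80.76.187.2
 !
"""

def static_arp_lines(config_text):
    """Return (arp_lines, problems) for subscribers whose name is a MAC."""
    arp_lines, problems, seen_ips = [], [], {}
    current = None  # subscriber name of the block being read, if any
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("subscriber name "):
            current = line.split(None, 2)[2]
        elif line == "!" or not line:
            current = None  # end of block; interface addresses are never read
        elif current and line.startswith("ip address "):
            ip = line.split()[2]
            if not MAC_RE.match(current):
                problems.append(f"{current}: name is not a MAC, no binding emitted")
            elif ip in seen_ips:
                problems.append(f"{ip}: already bound to {seen_ips[ip]}, skipping {current.lower()}")
            else:
                seen_ips[ip] = current.lower()
                arp_lines.append(f"ip arp {ip} {current.lower()}")
    return arp_lines, problems

if __name__ == "__main__":
    lines, problems = static_arp_lines(SAMPLE_CONFIG)
    print("\n".join(lines))
    print("\n".join("# " + p for p in problems))
```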