Thu, Jan 19, 2012 at 12:23:53PM -0800, Mike wrote:
> Hello,
>
> I am considering going to a cisco 7201 for PPPoE subscriber
> termination, and I am trying to figure out how I would duplicate some
> features of my current (linux based) pppoe solution. I use radius and am
> certain 85% of what I do is stock-and-trade for the cisco solution, the
> devil is in some custom things we've come to depend on.
>
> * per-customer ip filtering

Cisco AVpair attributes ip:inacl or ip:outacl or lcp:interface-config with
"ip access-group ...."

> Most customers have a default ip filter which drops all rfc1918
> addresses, invalid source addresses, and prevents direct-to-smtp
> connections other than to our mail hosts. A very small subset of
> subscribers have a slightly modified filter which permits
> smtp-to-anywhere. I want to be able to set this via radius attributes
> but have no clue how I'd give any given subscriber one filter list vs
> another. The filter rules themselves could certainly be pretty static
> and not changing often, I just need to be able to tell the box which set
> of rules should apply per customer.
>
> * captive portal / source routing

Radius attribute 104 allows you to specify private routes for a subscriber.
Effectively like they're in their own private routing table. Use GRE tunnels
and policy route maps to send traffic to your captive portal server and
redirect traffic to a web page as required.

> Certain customers may need to have different routing than the
> default 'to internet' gateway. For example, I have a captive portal
> system that works by returning custom web pages for any request that
> gets routed to it, such as if you make this box's ip the 'default
> gateway' used by a customer. I would need to be able to tell the cisco
> to route all packets from some given customer - either by source ip
> address or, preferably, by interface - down to this alternate gateway.
>
> * diagnostic intercept
>
> For troubleshooting purposes, we find it helpful to be able to use
> tcpdump to capture packets. We do it by mac address and sometimes by
> customer PPP interface. Aside from having a span port on the switch, is
> there any way we could get a feed from the 7201 for this purpose?

You should be able to do this with the IOS images that have lawful intercept.
I am not sure if there is another way I don't know about.

Patrick
_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
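The per-customer filtering Patrick points at (ip:inacl pushed as Cisco-AVPair values) looks like this in a FreeRADIUS "users" file. This is a constructed example added here, not a config from either poster: the usernames, passwords, the 198.51.100.0/24 pool and the 192.0.2.25/.26 mail hosts are all documentation-range placeholders, and "alice" gets the default filter while "bob" gets the "smtp anywhere" variant. IOS merges the numbered "ip:inacl#N=" entries into a per-user inbound ACL on the subscriber's Virtual-Access interface, where "in" means packets arriving from the customer.

```text
# Constructed FreeRADIUS users-file entries (added example, not from the thread).
# Cisco-AVPair is the VSA from dictionary.cisco; "+=" appends each ACE as a
# separate reply attribute. Entry numbers only fix the ordering; gaps are fine.
#
# Default profile: drop RFC 1918 and other bogon sources, allow SMTP only to
# our own MX hosts, permit everything else.
alice@isp.example   Cleartext-Password := "s3cret"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 198.51.100.10,
        Cisco-AVPair += "ip:inacl#10=deny ip 10.0.0.0 0.255.255.255 any",
        Cisco-AVPair += "ip:inacl#20=deny ip 172.16.0.0 0.15.255.255 any",
        Cisco-AVPair += "ip:inacl#30=deny ip 192.168.0.0 0.0.255.255 any",
        Cisco-AVPair += "ip:inacl#40=deny ip 127.0.0.0 0.255.255.255 any",
        Cisco-AVPair += "ip:inacl#50=deny ip 0.0.0.0 0.255.255.255 any",
        Cisco-AVPair += "ip:inacl#60=permit tcp any host 192.0.2.25 eq smtp",
        Cisco-AVPair += "ip:inacl#61=permit tcp any host 192.0.2.26 eq smtp",
        Cisco-AVPair += "ip:inacl#70=deny tcp any any eq smtp",
        Cisco-AVPair += "ip:inacl#100=permit ip any any"

# "SMTP anywhere" profile: identical bogon filter, no SMTP restriction.
# Selecting it is just a matter of which entry the user matches in this file
# (or which group/profile your SQL backend returns for them).
bob@isp.example     Cleartext-Password := "hunter2"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 198.51.100.11,
        Cisco-AVPair += "ip:inacl#10=deny ip 10.0.0.0 0.255.255.255 any",
        Cisco-AVPair += "ip:inacl#20=deny ip 172.16.0.0 0.15.255.255 any",
        Cisco-AVPair += "ip:inacl#30=deny ip 192.168.0.0 0.0.255.255 any",
        Cisco-AVPair += "ip:inacl#40=deny ip 127.0.0.0 0.255.255.255 any",
        Cisco-AVPair += "ip:inacl#50=deny ip 0.0.0.0 0.255.255.255 any",
        Cisco-AVPair += "ip:inacl#100=permit ip any any"
```

Two things to check once this is in place: the per-user ACL has the usual implicit deny at the end, so the explicit "permit ip any any" is what keeps the customer on line, and forgetting it is the classic way to lock a whole PPPoE pool out; and an ACL like this only drops the RFC 1918 and bogon sources it names, so if "invalid source addresses" is meant to include a customer spoofing any address other than their assigned one, that is a uRPF question on the Virtual-Access interface rather than something the ACE list above covers. "ip:outacl#N=" works the same way for the direction towards the customer.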
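For the captive-portal case, the GRE-tunnel-plus-policy-route-map approach Patrick describes, applied per subscriber interface as Mike prefers, comes out roughly as the IOS fragment below. This is an added, constructed example and not configuration from either poster; the tunnel numbering, the 10.255.0.0/30 tunnel addressing, the 203.0.113.10 portal address and the route-map name are assumptions, and it assumes your IOS image accepts "ip policy route-map" through lcp:interface-config on the cloned Virtual-Access interface, which you should verify on the 7201 before relying on it.

```text
! Constructed IOS fragment (added example, not from the thread).
!
! GRE tunnel to the captive-portal box, which terminates the far end
! (10.255.0.2) and answers every HTTP request that arrives with its own page.
interface Tunnel10
 description to captive portal
 ip address 10.255.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 203.0.113.10
!
! Policy route-map with no "match" clause: because it is attached to the
! subscriber's own interface, it already applies only to that customer's
! packets, so everything they send is handed to the portal.
route-map CAPTIVE permit 10
 set ip next-hop 10.255.0.2
!
! Nothing is applied to Virtual-Template1 itself; RADIUS attaches the policy
! only to the customers that should land in the walled garden, e.g.
!   Cisco-AVPair = "lcp:interface-config=ip policy route-map CAPTIVE"
! in that subscriber's reply. All other subscribers keep the normal routing
! table, and Patrick's attribute 104 private routes can be added the same way
! for subscribers who need their own routes rather than a full redirect.
```

One operational caveat worth knowing before this goes live: if the next hop set by the route-map is unreachable (tunnel down, portal host gone), IOS does not drop the packet but routes it normally, so a captive customer silently ends up with unfiltered internet access. Monitor Tunnel10 or keep a second, reachable "set ip next-hop" in the route-map if that matters to you.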