Mailing List Archive

PPPoE Mid-session Shaping/Policing
Hi Everyone,

I have an L2TP/PPPoE setup in a 7206VXR and it is working fine. What I now want
to do is to implement dynamic shaping/policing on the PPPoE services, i.e., I
would like to shape/police a PPPoE service without disconnecting the
session.

I believe this can be implemented using RADIUS attributes? But not sure how
it is done exactly if it is possible at all. I'm already using RADIUS
attributes to shape/police PPPoE sessions when they login initially, I now
need to change the shaper/policer rate mid-session without disconnecting.

Anyone with any info, or who can point me in the right direction, would be
appreciated.

Thanks!

Patrick
Re: PPPoE Mid-session Shaping/Policing
Hi Patrick


There is one possible solution that will definitely work. If you use Cisco
ISG features on the 7206VXR you can do per-service shaping on-the-fly
without disconnecting the parent session. This is accomplished using RADIUS
CoA commands. I have found that you need to unapply the original service and
then apply a new service with the shaping attributes. Some basic starter
examples below:


(Normal service profile)

PPP_SERVICE Password == "servicecisco"
    Auth-Type = PAP,
    Cisco-Service-Info = "QU;1024000;D;1024000",
    Cisco-AVPair += "ip:traffic-class=in access-group name ACL_UPSTREAM_PPP priority 30",
    Cisco-AVPair += "ip:traffic-class=out access-group name ACL_DOWNSTREAM_PPP priority 30",
    Cisco-AVPair += "ip:traffic-class=in default drop",
    Cisco-AVPair += "ip:traffic-class=out default drop",
    Acct-Interim-Interval=900,
    Cisco-AVPair += "subscriber:accounting-list=PPP_ACCOUNTING_LIST"


(shaped service profile)

PPP_SERVICE_SHAPED Password == "servicecisco"
    Auth-Type = PAP,
    Cisco-Service-Info = "QU;64000;D;64000",
    Cisco-AVPair = "ip:traffic-class=in access-group name ACL_UPSTREAM_PPP priority 20",
    Cisco-AVPair += "ip:traffic-class=out access-group name ACL_DOWNSTREAM_PPP priority 20",
    Cisco-AVPair += "ip:traffic-class=in default drop",
    Cisco-AVPair += "ip:traffic-class=out default drop",
    Cisco-AVPair += "subscriber:accounting-list=PPP_ACCOUNTING_LIST"


Note that you can specify the accounting update interval on a per-service
basis.


I have tested the above and it works as expected on both the 7206 and 10008
platforms. This will do what you need.


I use freeradius so my CoA command is structured as follows:


(unapply PPP_SERVICE)

echo "Cisco-Account-Info=S172.20.1.13,Cisco-Command-Code==0x0C5050505F53455256494345" | /usr/bin/radclient 192.168.1.1:1812 coa isgradiussecret -x


(apply PPP_SERVICE_SHAPED)

echo "Cisco-Account-Info=S172.20.1.13,Cisco-Command-Code==0x0B5050505F534552564943455F534841504544" | /usr/bin/radclient 192.168.1.1:1812 coa isgradiussecret -x


Where (for illustration only), 172.20.1.13 is the subscriber session
identifier (Acct-Session-Id can also be used) and 192.168.1.1 is the IP of
the BBA router (provided it is configured to accept RADIUS CoA using "aaa
server radius dynamic-author"). I have used this site in the past for
converting service names in string format to Hex (for the CoA command):
http://www.easycalculation.com/ascii-hex.php


Hope this helps..


Regards,

Jeff Hinds




*From:* cisco-bba-bounces@puck.nether.net [mailto:
cisco-bba-bounces@puck.nether.net] *On Behalf Of *Patrick Wu
*Sent:* Wednesday, January 07, 2009 6:37 AM
*To:* cisco-bba@puck.nether.net
*Subject:* [cisco-bba] PPPoE Mid-session Shaping/Policing



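The CoA attribute strings from the message above, built and decoded locally instead of through an online ASCII-to-hex converter. This is an added example, not part of the original post or of Cisco or FreeRADIUS tooling; the function names are hypothetical, and the meaning of the 0x0B/0x0C prefix byte is taken from the post's own (apply)/(unapply) labels.

```sh
# Added example: helper names are hypothetical, not from the post or FreeRADIUS.

# Command-code byte as labelled in the post: 0x0B applies a service, 0x0C unapplies it.
isg_code() {
    case "$1" in apply) echo 0B ;; unapply) echo 0C ;; *) return 1 ;; esac
}

# Uppercase hex of a string, no separators (stands in for the ASCII-to-hex website).
hex_encode() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Print the attribute line for radclient's stdin: coa_attrs <apply|unapply> <ip> <service>
coa_attrs() {
    code=$(isg_code "$1") || { echo "unknown action: $1" >&2; return 1; }
    # Allow-list both fields so a stray comma or quote cannot add extra attributes.
    case "$2" in ''|*[!0-9.]*) echo "bad session IP" >&2; return 1 ;; esac
    case "$3" in ''|*[!A-Za-z0-9_-]*) echo "bad service name" >&2; return 1 ;; esac
    printf 'Cisco-Account-Info=S%s,Cisco-Command-Code==0x%s%s\n' \
        "$2" "$code" "$(hex_encode "$3")"
}

# Decode a Cisco-Command-Code value (whitespace tolerated) to "<action> <service>".
coa_decode() {
    hex=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F')
    hex=${hex#0[xX]}
    case "$hex" in ''|*[!0-9A-F]*) echo "not hex" >&2; return 1 ;; esac
    [ $(( ${#hex} % 2 )) -eq 0 ] || { echo "odd-length hex" >&2; return 1; }
    case "$hex" in
        0B*) action=apply ;;
        0C*) action=unapply ;;
        *)   echo "unexpected command code" >&2; return 1 ;;
    esac
    hex=${hex#??}
    name=
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}          # first two hex digits
        hex=${hex#??}                    # remainder
        name=$name$(printf "\\$(printf '%03o' "0x$pair")")
    done
    printf '%s %s\n' "$action" "$name"
}

# Values from the post: build the apply line, then decode a line-wrapped value.
coa_attrs apply 172.20.1.13 PPP_SERVICE_SHAPED
coa_decode '0x0B5050505F534552564943455F 53 48 41 50 45 44'
```

The output of coa_attrs can be piped into radclient exactly as in the post. radclient's -S option reads the shared secret from a file, which keeps it out of the process list and shell history.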
Re: PPPoE Mid-session Shaping/Policing
Thanks Jeff.

However, the IOS that the 7206VXR currently uses does not have the ISG feature
set; are there any other possible ways to achieve the same result?

If not, I guess I will have to look for a new IOS that supports ISG...

Patrick

On Wed, Jan 7, 2009 at 5:36 PM, Jeff Hinds <gripen49@gmail.com> wrote:

Re: PPPoE Mid-session Shaping/Policing
Does the 7206VXR terminate the sessions or forward them on?

A possible solution that springs to mind is, if the router terminates the
session (or at least for the sessions that it does terminate), create a
script that uses the "show users wide" command to build a list of
usernames and corresponding Vi interfaces. You could then configure those
Vi interfaces as per normal and apply rate-limits.

I believe this is doable, I seem to recall playing with it a while back,
but maybe I'm wrong and thinking of something else - it was a couple of
years ago.

Tom



_______________________________________________
cisco-bba mailing list
cisco-bba@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-bba