Walled Garden for service providers using Cisco ASR9006

dakotacole

Service Provider Walled Garden

Without RADIUS or PPPoE for account authentication, I've found it difficult to find a walled-garden solution. Since that is the case in my situation, I came up with a rather unique way to capture payment by walling in the customer's service rather than simply turning it off. This improved after-hours reconnect service orders and reduced phone calls to reconnect service.

If you are unsure what a walled garden is in the SP industry, use this link to Wikipedia.

Protocols used:
DNS (Efficient IP)
DHCP
TLD
Apache
HTTP
ACL
BVI
VLAN
SIS
CMS

 

Deployment

First, I created a separate IP network that would become my walled network, in this case 192.168.255.0/24. This network is set up as a BVI (Bridged Virtual Interface) so that I can span it across multiple broadcast domains and routers without building separate ACLs and DHCP pools. I then attached the BVI to a VLAN (999) on the OLT. I then created a DHCP pool (250 IPs) with a 5 minute lease time that hands out our DNS servers as the DNS option in the lease (Cache1 – 172.20.206.83, Cache2 – 172.20.10.91).

 

Second, I built a view in the Efficient IP DNS caching server (smart). Views can be configured to look at the source host IP and treat those clients differently than the rest of the DNS traffic, by giving them different results to queries. If you don't use Efficient IP for DNS, you can use BIND on Linux and deploy a dedicated DNS server to perform this function. Then, in that new view (Elevate_Walled), I was able to hijack the TLDs (top level domains) and set up a wildcard A record in each TLD that points to my Apache server, which then immediately performs a meta redirect to smart hub (our pay portal). Then I created an ACL that walls the user in so they can only talk to the DNS server, DHCP server, Apache server and smart hub, and nowhere else.

 

Third, I set up the Apache web server (172.20.206.15) serving a plain HTTP page that performs a meta redirect to payyourbill.com. You will also need to set up a redirect match rule in Apache that can grab any domain and redirect it. For example, for a request to google.com/search/images/dogs, Apache takes that HTTP GET request, strips off the trailing directories and forces it to the TLD, in this case google.com, and the redirects take over from there to always deliver the user to payyourbill.com.

 

Fourth, in SIS (billing/provisioning system), when a DNP (did not pay) is performed, SIS re-provisions the RG (router gateway) service to the @Walled tag action in CMS (Calix Management System), which puts the RG service on VLAN 999 until the user logs in and pays their bill; at that time SIS re-provisions the RG service back to the previous service tag action.

 

Testing: I set myself up as a client in the @Walled tag action and did some testing. I got a DHCP address from the DHCP server that delivered the unique IPs of the modified DNS servers, and I was able to get a query hit on any TLD that resolved to the Apache web server. Of course browser caching will be a nuisance, but I've got 100% positive results from my testing.

 

Here are my example configs.

interface BVI999
description DNP:WALLED-GARDEN vrf wld
bandwidth 4294967295
vrf wld
ipv4 address 192.168.255.1 255.255.255.0

!

Build the DHCP relay profile

profile WALLED-GARDEN-DHCP relay
helper-address vrf mgmt 172.20.206.46 giaddr 192.168.255.1
helper-address vrf mgmt 172.20.10.12 giaddr 192.168.255.1
relay information option
relay information option allow-untrusted

!

interface BVI999 relay profile WALLED-GARDEN-DHCP

!

Build the ACL (you may have to do a PCAP to get the IPs of the legitimate destinations)

ipv4 access-list walled-garden
10 permit tcp any host 172.20.206.15 <Apache server running meta redirect as index.html>
20 permit udp any host 172.20.206.83 <DNS Cache 1 with modified zone file>
30 permit udp any host 172.20.10.91 <DNS Cache 2 with modified zone file>
40 permit tcp any host 66.97.237.35 <payyourbill.com>
41 permit tcp any host 66.97.237.194 <payyourbill.com payment processing>
42 permit tcp any host 192.124.249.2 <payyourbill.com payment processing 2>
50 permit ipv4 host 172.20.206.46 any <DHCP Server 1>
60 permit ipv4 host 172.20.10.12 any <DHCP Server 2>
100 deny ipv4 any any

!

Apply the ACL to the client interfaces

interface Bundle-Ether8.999 l2transport
description DNP:WALLED-GARDEN
encapsulation dot1q 999
rewrite ingress tag pop 1 symmetric
l2protocol cpsv reverse-tunnel
ipv4 access-group walled-garden ingress

!

L2vpn

bridge group WALLED
bridge-domain WALLED
!
interface Bundle-Ether8.999
!
!
routed interface BVI999

 

Apache config

Contents of /var/www/html/index.html:

<!DOCTYPE html>
<html>
<head>
   <!-- HTML meta refresh URL redirection -->
   <meta http-equiv="refresh"
   content="0;url=https://payyourbill.com/non-pay-notice-reconnect-service">
</head>
<body>
   <!-- Fallback link for browsers that do not follow the meta refresh -->
   <p><a href="https://payyourbill.com/non-pay-notice-reconnect-service">Continue to payyourbill.com</a></p>
</body>
</html>

 

Efficient IP DNS Walled Garden View (zone file)

If you're not sure how to create a view and match on host IP, click on the attached SOLIDserver administration guide at the bottom of this post.

[Screenshot: SOLIDserver view configuration]

Repeat creation of the resource records for .com, .net, .org, .ca, .edu, .gov, .help, .us, .uk, and so on.

 

Don't forget to put in your legitimate destinations, e.g. payyourbill.com - 66.97.237.35

[Screenshot: legitimate destination record for payyourbill.com]

 

When querying the DNS cache you should see a response such as the ones below.

dig @172.20.206.83 cnn.com

; <<>> DiG 9.10.3-P4-Debian <<>> @172.20.206.83 cnn.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21900
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cnn.com.                       IN      A

;; ANSWER SECTION:
cnn.com.                3600    IN      A       172.20.206.15

;; Query time: 0 msec
;; SERVER: 172.20.206.83#53(172.20.206.83)
;; WHEN: Mon May 11 17:43:36 MDT 2020
;; MSG SIZE  rcvd: 52

dig @172.20.206.83 google.com

; <<>> DiG 9.10.3-P4-Debian <<>> @172.20.206.83 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21900
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                       IN      A

;; ANSWER SECTION:
google.com.                3600    IN      A       172.20.206.15

;; Query time: 0 msec
;; SERVER: 172.20.206.83#53(172.20.206.83)
;; WHEN: Mon May 11 17:43:36 MDT 2020
;; MSG SIZE  rcvd: 52
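The resolver behaviour the dig output above shows, written as a small stand-alone Python module; this is an added example, not code from the original post or from Efficient IP or BIND. Every A query, whatever the TLD, is answered with the Apache address 172.20.206.15 and a 3600 second TTL, while the legitimate destination payyourbill.com (66.97.237.35, from the ACL above) keeps resolving to its real address; the allowlist and the query builder are constructed for the example.

```python
import struct
import ipaddress

# Values from the post: the Apache meta-redirect host and the one legitimate destination
# (allowlist constructed for this example; in production it lists every ACL-permitted host).
APACHE_IP = "172.20.206.15"
LEGIT = {"payyourbill.com": "66.97.237.35"}
TTL = 3600  # matches the TTL seen in the dig output above

def parse_qname(msg, off):
    """Decode an uncompressed DNS name at msg[off]; return (name, offset after it)."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n
    return ".".join(labels), off + 1

def build_query(name, qtype=1, qid=0x5588):
    """Construct a minimal IN query packet (no EDNS) for exercising the resolver."""
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def walled_answer(query):
    """Answer any A/IN query with the Apache IP unless the name is a legit destination."""
    qid = struct.unpack("!H", query[:2])[0]
    name, off = parse_qname(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    flags = 0x8580  # QR, AA, RD, RA: the "qr aa rd ra" shown by dig
    if qtype != 1 or qclass != 1:
        # Only A/IN is wildcarded; anything else gets NOERROR with no answer.
        return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + question
    # Legit names (and their subdomains) resolve normally; every other name in
    # every TLD hits the wildcard and lands on the Apache redirect server.
    target = next((ip for host, ip in LEGIT.items()
                   if name == host or name.endswith("." + host)), APACHE_IP)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, TTL, 4)  # 0xC00C: pointer to the question name
    return (struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0) + question
            + rr + ipaddress.IPv4Address(target).packed)

def answer_ip(response):
    """Return the A record address from a walled_answer() response, or None if empty."""
    if struct.unpack("!H", response[6:8])[0] == 0:  # ANCOUNT
        return None
    _, off = parse_qname(response, 12)
    rdlen = struct.unpack("!H", response[off + 14:off + 16])[0]  # past qtype/qclass and RR fixed fields
    return str(ipaddress.IPv4Address(response[off + 16:off + 16 + rdlen]))
```

Since the Apache host only serves the HTTP meta refresh, a browser that opens an HTTPS site from inside the garden will get a certificate error rather than the redirect; plain HTTP requests land on the pay portal as intended.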

 

Conclusion

It works!

[Screenshot: the "Non-Pay Notice to Reconnect Service" page on Elevate]

I hope this helps inspire creative thinking in your networks to achieve a goal.