03-29-2017 11:46 PM
Dear All,
I am trying to implement a PBR policy map on an ASR 9010 BNG to block all traffic/services to invalid subscribers. The reason I am applying QoS via CoA instead of sending a PoD is to avoid a situation where invalid users keep on sending PADI and keep the BNG resources occupied. Currently, I have configured a QoS policy map to block all the traffic via the config below, which is successfully implemented and working; however, we want to add an HTTP redirect feature so that the user is aware of the blocked services, which I believe is only possible via a PBR policy map instead of a (default) QoS policy map.
CONFIG
#sh running-config policy-map NB-Block
Thu Mar 30 11:28:50.083 PKT
policy-map Block-User
 class deny-any
  police rate 64 kbps
   conform-action drop
  !
 !
 class class-default
 !
 end-policy-map
!
#sh running-config class-map deny-any
Thu Mar 30 11:28:58.816 PKT
class-map match-any deny-any
 match access-group ipv4 deny-all
 end-class-map
!
#sh access-lists deny-all
Thu Mar 30 11:29:03.029 PKT
ipv4 access-list deny-all
 10 permit ipv4 any any
Please suggest a way out or any other way we can achieve this objective.
Thanks & Regards.
03-30-2017 02:30 AM
Hi Erik,
Using redirect is a good idea. You could redirect the invalid subscribers to a portal with an informational message for them.
Check out this link. I did write a possible solution, but read the comment from Xander about the OpenGarden_ACL:
https://supportforums.cisco.com/document/9875666/asr9000xr-bng-vsas-vendor-specific-attributes-and-services#comment-11706186
04-01-2017 02:05 PM
Yeah, you can either accept the session and apply an HTTP redirect on it instructing the user to pay their bill or whatever is required :) The other option, if you don't want to commit to the session but you want to "penalize" constant connection attempts, is to use either MAC or RID+CID throttling. This is done at the control plane (PPPoE process), but it will allow you to rate limit the session from becoming embryonic (e.g. entering/completing the discovery phase for PPPoE and calling the control policy and its associated actions).
Another option is to use the elephant flow trap; this will rate limit in hardware obscure MACs from those subscribers that you don't want to see punted traffic for, for a period of time.
From a user's perspective, I think the "nicest" is to accept the session but with limited service, such as a restrictive ACL, and using the redirect as you propose, as that allows you to give the user some instructions as to why they have the reduced connectivity and likely reduces the calls to your helpdesk.
The "drawback" here is that the redirect only works for non-HTTPS. For an HTTPS-redirect alike, you'd need to redirect the user off-box to, say, a Raspberry Pi running an Apache SSL server for the page to be displayed. This will still generate a "security" violation when they want to go to https://whateveritis.com and get redirected to your portal, but it allows for the instruction we are discussing here.
The config you have is effectively the same as an ACL that does a deny any, it wouldn't redirect the user.
If you'd like to set up a "true" HTTP redirect by intercepting the user and moving him over to another page, check out this reference that may help.
cheers!
xander
10-15-2017 08:20 AM
Hi Xander,
Thanks for the response. I've successfully implemented the HTTP redirect feature for inactive users, but, as you stated, the only and major constraint I am facing is redirecting non-HTTP traffic, and more specifically HTTPS traffic, as most of the famous websites have moved to HTTPS, like Google, Facebook and many others, so it's of merely no use if it doesn't work for HTTPS.
From your previous response I have a few queries to get this implemented for HTTPS:
"The "drawback" here is that the redirect only works for non-HTTPS. For an HTTPS-redirect alike, you'd need to redirect the user off-box to, say, a Raspberry Pi running an Apache SSL server for the page to be displayed. This will still generate a "security" violation when they want to go to https://whateveritis.com and get redirected to your portal, but it allows for the instruction we are discussing here."
1. Is there a config change required on the BNG for HTTPS to work?
2. Can you explain the above highlighted part in more detail? As I understand it, an HTTPS server running Apache SSL is required in order to redirect the HTTPS traffic towards that server. Please comment.
3. How will the BNG intercept the HTTPS traffic? So far, in what I've tested, only port 80 is being matched and the rest of the traffic was not matched, though I have mentioned port 443 in the same ACL used to redirect HTTP traffic. I can share the config if required.
Once again, thanks a lot for your assistance.
Regards,
Erik
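An added illustration (not code from the thread, from Cisco, or from the BNG itself) of the contrast Xander describes and of Erik's third question: with plaintext HTTP the BNG can read the request and inject a 302 to the portal, but with HTTPS only the TLS ClientHello's SNI is visible, so matching port 443 cannot produce a redirect without a certificate valid for the original site. The portal URL and the constructed ClientHello are assumptions made for the example.

```python
import struct

# Assumed portal address for the constructed example; not from the thread.
PORTAL_URL = b"http://portal.example.net/blocked"


def http_redirect_response(payload: bytes):
    """Plaintext HTTP: the request line and Host header are readable, so a
    302 to the portal can be injected in-band. Returns None otherwise."""
    request_line = payload.split(b"\r\n", 1)[0]
    if not request_line.startswith((b"GET ", b"POST ", b"HEAD ")):
        return None
    return (b"HTTP/1.1 302 Found\r\nLocation: " + PORTAL_URL
            + b"\r\nConnection: close\r\nContent-Length: 0\r\n\r\n")


def tls_client_hello_sni(payload: bytes):
    """TLS: only the SNI host name is visible in the ClientHello. The URL is
    encrypted, and answering needs a certificate valid for that name, which
    an off-box portal does not have; hence the browser warning."""
    if len(payload) < 45 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    pos = 43                                  # record hdr + hs hdr + version + random
    pos += 1 + payload[pos]                   # session id
    pos += 2 + struct.unpack_from("!H", payload, pos)[0]   # cipher suites
    pos += 1 + payload[pos]                   # compression methods
    if pos + 2 > len(payload):
        return None
    ext_end = pos + 2 + struct.unpack_from("!H", payload, pos)[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack_from("!HH", payload, pos)
        pos += 4
        if etype == 0:                        # server_name extension
            name_len = struct.unpack_from("!H", payload, pos + 3)[0]
            return payload[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return None


def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying an SNI (test input)."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f"
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```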