SYSTEM ADMINISTRATOR GUIDE     63/1543-CRA 119 1170/1 Uen A    

Configuring CLIPS

© Copyright Ericsson AB 2009. All rights reserved.

Disclaimer

No part of this document may be reproduced in any form without the written permission of the copyright owner. The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.

Trademark List

SmartEdge is a registered trademark of Telefonaktiebolaget L M Ericsson.
NetOp is a trademark of Telefonaktiebolaget L M Ericsson.

Contents

1   Overview

2   Configuration Tasks
2.1   Configuring CLIPS Static Circuits
2.2   Configuring Dynamic CLIPS Circuits
2.3   Configuring a CLIPS Group
2.4   Configuring CLIPS Exclusion

3   Configuration Examples
3.1   Static CLIPS Circuit for a Single PVC
3.2   Static CLIPS for a Range of PVCs
3.3   Static CLIPS Circuits Using an IP Address Pool
3.4   Dynamic CLIPS Circuits Using Local Authentication
3.5   Dynamic CLIPS Using Global RADIUS Authentication
3.6   CLIPS Group
3.7   CLIPS Exclusion


1   Overview

This document describes how to configure, monitor, and administer clientless IP service selection (CLIPS). With CLIPS, multiple sessions are possible from a single customer site. When the subscriber is authenticated, a virtual circuit is created for each medium access control (MAC) address based on the subscriber profile stored in a Remote Authentication Dial-In User Service (RADIUS) server database.

The SmartEdge OS supports two types of CLIPS circuits: static and dynamic. Both types allow incoming packets on a clear-channel source, such as an Ethernet port, an 802.1Q permanent virtual circuit (PVC), or an Asynchronous Transfer Mode (ATM) PVC, to be treated as if they came from a channelized source.

By channelizing the port or PVC, packets from an individual subscriber are treated as if they are on a virtual subscriber circuit, which can be bound to an interface in a specific context. The system treats this virtual subscriber circuit as it would any other circuit; for example, you can attach a quality of service (QoS) policy, an access control list (ACL), or an HTTP redirect policy to it.

Another advantage of using CLIPS is that no client software is needed on the subscriber’s PC, other than the Dynamic Host Configuration Protocol (DHCP) client software that supports dynamic CLIPS sessions. CLIPS is extensible and can be used as more complex configurations are required for new services. A sample of current applications includes aggregated cable modem, digital subscriber line (DSL), wireless, and Ethernet-to-the-home environments.

CLIPS features:

Note:  
Unless otherwise noted, the SmartEdge 100 router supports all commands described in this document.

2   Configuration Tasks

To configure CLIPS circuits, perform the tasks described in the following sections:

Note:  
To configure any CLIPS circuit, you must have enabled the software license for active subscribers; CLIPS dynamic circuits also require a license for dynamic services.

2.1   Configuring CLIPS Static Circuits

To configure one or more CLIPS static circuits on an Ethernet port, 802.1Q PVC, or ATM PVC, perform the tasks described in Table 1. Enter all commands in CLIPS PVC configuration mode, unless otherwise noted.

Table 1    Configure CLIPS Static Circuits

| Step | Task | Root Command | Notes |
|------|------|--------------|-------|
| 1. | Enable the CLIPS feature for static CLIPS PVCs. | service clips dhcp | Enter this command in ATM PVC, dot1q PVC, link group, link PVC, or port configuration mode. |
| 2. | Create one or more CLIPS static circuits on an Ethernet port, 802.1Q PVC, or ATM PVC, and access CLIPS PVC configuration mode. | clips pvc | Enter this command in ATM PVC, dot1q PVC, link group, link PVC, or port configuration mode. CLIPS PVCs are not supported by on-demand ATM or 802.1Q PVCs. |
| 3. | Create a static binding, using one of the following commands: | | |
| | A single CLIPS PVC. | bind subscriber | Enter this command in CLIPS PVC configuration mode. |
| | A range of CLIPS PVCs. | bind auto-subscriber | Enter this command in CLIPS PVC configuration mode. |
| 4. | Disable a CLIPS PVC (stop operations on it) until you are ready to begin operations on it. | shutdown (PVC) | By default, all circuits are enabled (operational). |

2.2   Configuring Dynamic CLIPS Circuits

To configure dynamic CLIPS circuits, perform the tasks described in Table 2. For information about the DHCP commands, and the vendor-specific attributes (VSAs) provided by Ericsson AB, see the Configuring DHCP and RADIUS Attributes documents.

Table 2    Configure Dynamic CLIPS Circuits

| Step | Task | Root Command | Notes |
|------|------|--------------|-------|
| 1. | Configure the IP address of a reachable DHCP server. | dhcp relay server | Enter this command in context configuration mode. |
| 2. | Configure one or more DHCP proxy interfaces in the context in which the subscriber circuit is to be bound. | dhcp proxy | Enter this command in interface configuration mode. |
| 3. | Configure hosts to use DHCP to dynamically acquire address information for a subscriber’s circuit and to set the maximum number of IP addresses that can be assigned to hosts associated with the circuit. | dhcp max-addrs | Enter this command in subscriber configuration mode. The subscriber record or profile must have no IP address configured; enter 1 as the value for the max-num argument. You can configure this information in the subscriber record with the RADIUS database instead of with this command. Use vendor-specific attribute (VSA) 3 provided by Ericsson AB, the DHCP-Max-Leases attribute. |
| 4. | Configure the subscriber password. | password | Enter this command in subscriber configuration mode. Enter Redback as the value for the passwd argument. You can configure this information in the subscriber record with the RADIUS database instead of with this command. By default, the SmartEdge OS authenticates subscribers through the local configuration. |
| 5. | Enable CLIPS service. | service clips dhcp | Enter this command in ATM PVC, dot1q PVC, link group, link PVC, or port configuration mode. Enter the dhcp keyword. |
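
The following check is an added example, not Ericsson code: it reads a CLI transcript in the prompt format printed in this guide and reports, for every context named by a `service clips dhcp context` or `clips-group ... dhcp context` command, which of steps 1 to 3 in Table 2 are missing from that context. The function name, the step labels and the sample transcript are constructed for illustration; step 3 is waived when the context uses RADIUS subscriber authentication, because the value may then be held in the RADIUS record.

```python
import re

# Prompt layout as printed in this guide: [context]Hostname(mode)#command
PROMPT = re.compile(r"^\[[^\]]+\]\S+?\(([^)]+)\)#\s*(.*)$")
# Commands that point dynamic CLIPS at a context (sections 3.4 to 3.7).
CLIPS_REF = re.compile(r"^(?:service clips|clips-group \S+) dhcp context (\S+)")
# Table 2 steps 1-3, keyed by the command prefix that satisfies each step.
STEPS = {
    "dhcp relay server": "step 1: dhcp relay server",
    "dhcp proxy": "step 2: dhcp proxy",
    "dhcp max-addrs": "step 3: dhcp max-addrs",
}
RADIUS_AUTH = "aaa authentication subscriber radius"


def audit_dynamic_clips(transcript):
    """Map each context named by a dynamic CLIPS command to its missing steps."""
    seen, referenced, current = {}, [], None
    for raw in transcript.splitlines():
        match = PROMPT.match(raw.strip())
        if not match:  # blank lines and '!' comment lines
            continue
        mode, cmd = match.group(1), match.group(2).strip()
        if mode == "config":  # global level: any open context block has ended
            words = cmd.split()
            current = words[1] if words[:1] == ["context"] and len(words) > 1 else None
        ref = CLIPS_REF.match(cmd)
        if ref and ref.group(1) not in referenced:
            referenced.append(ref.group(1))
        if current and mode != "config":
            for prefix in (*STEPS, RADIUS_AUTH):
                if cmd.startswith(prefix):
                    seen.setdefault(current, set()).add(prefix)
    report = {}
    for ctx in referenced:
        found = seen.get(ctx, set())
        # The guide lets max-addrs live in the RADIUS subscriber record instead.
        waived = {"dhcp max-addrs"} if RADIUS_AUTH in found else set()
        report[ctx] = [label for prefix, label in STEPS.items()
                       if prefix not in found and prefix not in waived]
    return report


# Constructed transcript: context c1 is complete, context c9 is not.
SAMPLE = """\
[local]Redback(config)#context c1
[local]Redback(config-ctx)#dhcp relay server 10.2.1.1
[local]Redback(config-dhcp-relay)#exit
[local]Redback(config-ctx)#interface i1 multibind
[local]Redback(config-if)#dhcp proxy 65535
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
!Constructed gap: context c9 has a relay server but no proxy or max-addrs
[local]Redback(config)#context c9
[local]Redback(config-ctx)#dhcp relay server 10.9.1.1
[local]Redback(config-dhcp-relay)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#port ethernet 9/1
[local]Redback(config-port)#service clips dhcp context c1
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 9/2
[local]Redback(config-port)#service clips dhcp context c9
"""

if __name__ == "__main__":
    print(audit_dynamic_clips(SAMPLE))
```

An empty list means that every checked step was found in that context; a context that is referenced but never configured is reported with all three steps missing.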

2.3   Configuring a CLIPS Group

To configure a CLIPS group and assign a port or 802.1Q PVC to it, perform the tasks described in Table 3.

Note:  
CLIPS groups are available only for Ethernet and Gigabit Ethernet ports and 802.1Q PVCs that are configured on them.

Table 3    Configure a CLIPS Group

| Step | Task | Root Command | Notes |
|------|------|--------------|-------|
| 1. | Configure the IP address of a reachable DHCP server. | dhcp relay server | Enter this command in context configuration mode. |
| 2. | Configure one or more DHCP proxy interfaces in the context in which the subscriber circuit is to be bound. | dhcp proxy | Enter this command in interface configuration mode. |
| 3. | Configure hosts to use DHCP to dynamically acquire address information for a subscriber’s circuit and to set the maximum number of IP addresses that can be assigned to hosts associated with the circuit. | dhcp max-addrs | Enter this command in subscriber configuration mode. The subscriber record or profile must have no IP address configured; enter 1 as the value for the max-num argument. You can configure this information in the subscriber record with the RADIUS database instead of with this command. Use vendor VSA 3 provided by Ericsson AB, DHCP-Max-Leases attribute. |
| 4. | Configure the subscriber password. | password | Enter this command in subscriber configuration mode. Enter Redback as the value for the passwd argument. You can configure this information in the subscriber record with the RADIUS database instead of with this command. By default, the SmartEdge OS authenticates subscribers through the local configuration. |
| 5. | Create the CLIPS group. | clips-group | Enter this command in global configuration mode. |
| 6. | Assign a port or 802.1Q PVC to the CLIPS group. | service clips-group | Enter this command in port or dot1q PVC configuration mode for each port and PVC to be assigned to the group. |

2.4   Configuring CLIPS Exclusion

To configure CLIPS exclusion for a port or PVC, perform the tasks described in Table 4.

Note:  
CLIPS exclusion is available only for ports and PVCs that are configured for dynamic CLIPS service; you must configure the external DHCP relay or internal DHCP server and subscribers in the same context for which you configure the subscribers, as described in Table 4.

Table 4    Configure CLIPS Exclusion

| Step | Task | Root Command | Notes |
|------|------|--------------|-------|
| 1. | Configure the IP address of a reachable DHCP server. | dhcp relay server | Enter this command in context configuration mode. |
| 2. | Configure one or more DHCP proxy interfaces in the context in which the subscriber circuit is to be bound. | dhcp proxy | Enter this command in interface configuration mode. |
| 3. | Configure hosts to use DHCP to dynamically acquire address information for a subscriber’s circuit and to set the maximum number of IP addresses that can be assigned to hosts associated with the circuit. | dhcp max-addrs | Enter this command in subscriber configuration mode. The subscriber record or profile must have no IP address configured; enter 1 as the value for the max-num argument. You can configure this information in the subscriber record with the RADIUS database instead of with this command. Use vendor VSA 3 provided by Ericsson AB, DHCP-Max-Leases attribute. |
| 4. | Configure the subscriber password. | password | Enter this command in subscriber configuration mode. Enter Redback as the value for the passwd argument. You can configure this information in the subscriber record with the RADIUS database instead of with this command. By default, the SmartEdge OS authenticates subscribers through the local configuration. |
| 5. | Enable CLIPS service. | service clips dhcp | Enter this command in ATM PVC, dot1q PVC, or port configuration mode. Enter the dhcp keyword. |
| 6. | Specify an exclusion condition for DHCP hosts on an ATM PVC, dot1q PVC, or Ethernet port. | service clips-exclude | Enter this command in ATM PVC, dot1q PVC, or port configuration mode. |

3   Configuration Examples

This section provides examples of configuring a static CLIPS circuit for a single PVC, static CLIPS for a range of PVCs, static CLIPS circuits using an IP address pool, dynamic CLIPS circuits using local authentication, dynamic CLIPS using RADIUS authentication, a CLIPS group and CLIPS exclusion.

3.1   Static CLIPS Circuit for a Single PVC

The following example shows how to configure a CLIPS static circuit on a single PVC:

[local]Redback(config)#service multiple-contexts
[local]Redback(config)#context c1
[local]Redback(config-ctx)#interface i1 multibind
[local]Redback(config-if)#ip address 10.1.1.254/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#subscriber name s1
[local]Redback(config-sub)#ip address 10.1.1.1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#card ether-12-port 9
[local]Redback(config-card)#exit
[local]Redback(config)#port ethernet 9/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#service clips
[local]Redback(config-port)#clips pvc 1
[local]Redback(config-clips-pvc)#bind subscriber s1@c1

3.2   Static CLIPS for a Range of PVCs

The following example shows how to configure 10 static CLIPS circuits on an Ethernet port:

[local]Redback(config)#service multiple-contexts
[local]Redback(config)#context c1
[local]Redback(config-ctx)#interface i1 multibind
[local]Redback(config-if)#ip address 10.1.1.254/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#subscriber name s1
[local]Redback(config-sub)#ip address 10.1.1.1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name s2
[local]Redback(config-sub)#ip address 10.1.1.2
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name s3
[local]Redback(config-sub)#ip address 10.1.1.3
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name s4
[local]Redback(config-sub)#ip address 10.1.1.4
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name s5
[local]Redback(config-sub)#ip address 10.1.1.5
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name s6
[local]Redback(config-sub)#ip address 10.1.1.6
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name s7
[local]Redback(config-sub)#ip address 10.1.1.7
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name s8
[local]Redback(config-sub)#ip address 10.1.1.8
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name s9
[local]Redback(config-sub)#ip address 10.1.1.9
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name s10
[local]Redback(config-sub)#ip address 10.1.1.10
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#card ether-12-port 9
[local]Redback(config-card)#exit
[local]Redback(config)#port ethernet 9/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#service clips
[local]Redback(config-port)#clips pvc 1 through 10
[local]Redback(config-pvc-clips)#bind auto-subscriber s c1

3.3   Static CLIPS Circuits Using an IP Address Pool

The following example automatically configures static CLIPS circuits for subscribers 1 through 253 on an Ethernet port, and assigns each subscriber an IP address from the IP pool, pool1:

[local]Redback(config)#context BASIC
[local]Redback(config-ctx)#interface ingress
[local]Redback(config-if)#ip address 200.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface pool1 multibind
[local]Redback(config-if)#ip address 20.1.1.253/24
[local]Redback(config-if)#ip pool 20.1.1.0/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#ip address pool name pool1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#port ethernet 9/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface ingress BASIC
[local]Redback(config-port)#service clips
[local]Redback(config-port)#clips pvc 1 through 253
[local]Redback(config-pvc-clips)#bind auto-subscriber subscriber BASIC

3.4   Dynamic CLIPS Circuits Using Local Authentication

The following example shows how to configure dynamic CLIPS circuits on an ATM PVC and an Ethernet port using local authentication and an external DHCP proxy server:

!Configure the system for an external DHCP server
!
[local]Redback(config)#service multiple-contexts
[local]Redback(config)#context c1
[local]Redback(config-ctx)#dhcp relay server 10.2.1.1
[local]Redback(config-dhcp-relay)#exit
!Configure an interface for a DHCP proxy server
!
[local]Redback(config-ctx)#interface i1 multibind
[local]Redback(config-if)#ip address 10.1.255.254/16
[local]Redback(config-if)#dhcp proxy 65535
[local]Redback(config-if)#exit
!Configure an interface for ports and PVCs with dynamic CLIPS circuits using the DHCP proxy server
!
[local]Redback(config-ctx)#interface dhcp-server
[local]Redback(config-if)#ip address 10.2.1.2/24
[local]Redback(config-if)#exit
!Configure the subscriber default profile for the DHCP proxy server
!
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name 02:dd:00:00:00:01
[local]Redback(config-sub)#password Redback
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
!Configure an ATM profile for an ATM PVC for dynamic CLIPS circuits in context c1
!
[local]Redback(config)#atm profile a1
[local]Redback(config-atm-profile)#shaping ubr
[local]Redback(config-atm-profile)#exit
[local]Redback(config)#card atm-oc3-4-port 1
[local]Redback(config-card)#exit
[local]Redback(config)#port atm 1/1
[local]Redback(config-atm-oc)#no shutdown
[local]Redback(config-atm-oc)#atm pvc 0 32 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind interface dhcp-server c1
[local]Redback(config-atm-pvc)#service clips dhcp context c1
[local]Redback(config-atm-pvc)#exit
[local]Redback(config-atm-oc)#exit
!Configure an Ethernet port for dynamic CLIPS circuits in context c1
!
[local]Redback(config)#card ether-12-port 9
[local]Redback(config-card)#exit
[local]Redback(config)#port ethernet 9/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#service clips dhcp context c1
[local]Redback(config-port)#bind interface dhcp-server c1

3.5   Dynamic CLIPS Using Global RADIUS Authentication

The following example shows how to configure dynamic CLIPS circuits on an Ethernet port, using global RADIUS authentication and an external DHCP proxy server:

!Configure global RADIUS authentication
!
[local]Redback(config)#aaa global authentication subscriber radius context local
[local]Redback(config)#service multiple-contexts
[local]Redback(config)#context local
!Configure the RADIUS server
[local]Redback(config-ctx)#radius server 10.0.154.2 key Redback
!Configure an interface for circuits without dynamic CLIPS
[local]Redback(config-ctx)#interface i2
[local]Redback(config-if)#ip address 10.0.154.7/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
!Configure RADIUS authentication for a context and an external DHCP server
!
[local]Redback(config)#context c1
[local]Redback(config-ctx)#aaa authentication subscriber radius global
[local]Redback(config-ctx)#dhcp relay server 10.2.1.1
[local]Redback(config-dhcp-relay)#exit
!Configure an interface for the DHCP proxy server
!
[local]Redback(config-ctx)#interface i1 multibind
[local]Redback(config-if)#ip address 10.1.255.254/16
[local]Redback(config-if)#dhcp proxy 65535
[local]Redback(config-if)#exit
!Configure an interface for the ports and PVCs with dynamic CLIPS circuits
!
[local]Redback(config-ctx)#interface dhcp-server
[local]Redback(config-if)#ip address 10.2.1.2/24
[local]Redback(config-if)#exit
!Configure the subscriber default profile for the DHCP proxy server
!
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
!Configure two Ethernet ports for dynamic CLIPS service, using the DHCP proxy server
!
[local]Redback(config)#card ether-12-port 9
[local]Redback(config-card)#exit
[local]Redback(config)#port ethernet 9/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#service clips dhcp context c1
[local]Redback(config-port)#bind interface dhcp-server c1
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 9/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#service clips dhcp context c1
[local]Redback(config-port)#bind interface dhcp-server c1
[local]Redback(config-port)#exit
!Configure an Ethernet port that does not enable dynamic CLIPS service
!
[local]Redback(config)#port ethernet 9/12
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface i2 local

3.6   CLIPS Group

The following example shows how to configure a CLIPS group and assign three Ethernet ports:

[local]Redback(config)#service multiple-contexts
!Configure an empty CLIPS group for the c2 context
!
[local]Redback(config)#clips-group dclips dhcp context c2
!Configure an external DHCP server
!
[local]Redback(config)#context c2
[local]Redback(config-ctx)#dhcp relay server 10.2.1.3
[local]Redback(config-dhcp-relay)#exit
!Configure an interface for the DHCP proxy server
!
[local]Redback(config-ctx)#interface i2 multibind
[local]Redback(config-if)#ip address 10.1.255.254/16
[local]Redback(config-if)#dhcp proxy 65535
[local]Redback(config-if)#exit
!Configure an interface for the ports with dynamic CLIPS circuits
!
[local]Redback(config-ctx)#interface dhcp-server
[local]Redback(config-if)#ip address 10.2.1.3/24
[local]Redback(config-if)#exit
!Configure the subscriber default profile for the DHCP proxy server
!
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
!Configure three Ethernet ports for dynamic CLIPS service, using the DHCP proxy server
!Assign each port to the CLIPS group
!
[local]Redback(config)#card ether-12-port 9
[local]Redback(config-card)#exit
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#service clips-group dclips
[local]Redback(config-port)#bind interface dhcp-server c2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 4/2
[local]Redback(config-port)#service clips-group dclips
[local]Redback(config-port)#bind interface dhcp-server c2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 4/3
[local]Redback(config-port)#service clips-group dclips
[local]Redback(config-port)#bind interface dhcp-server c2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#exit

3.7   CLIPS Exclusion

The following example shows how to specify exclusion conditions for a CLIPS group of Ethernet ports:

[local]Redback(config)#service multiple-contexts
!Configure an empty CLIPS group for the c2 context
!
[local]Redback(config)#clips-group dclips dhcp context c2
!Configure an external DHCP server
!
[local]Redback(config)#context c2
[local]Redback(config-ctx)#dhcp relay server 10.2.1.3
[local]Redback(config-dhcp-relay)#exit
!Configure an interface for the DHCP proxy server
!
[local]Redback(config-ctx)#interface i2 multibind
[local]Redback(config-if)#ip address 10.1.255.254/16
[local]Redback(config-if)#dhcp proxy 65535
[local]Redback(config-if)#exit
!Configure an interface for the ports with dynamic CLIPS circuits
!
[local]Redback(config-ctx)#interface dhcp-server
[local]Redback(config-if)#ip address 10.2.1.3/24
[local]Redback(config-if)#exit
!Configure the subscriber default profile for the DHCP proxy server
!
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
!Configure three Ethernet ports, assign to the CLIPS group, and exclude the DHCP host
!
[local]Redback(config)#card ether-12-port 9
[local]Redback(config-card)#exit
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#service clips dhcp context c2
[local]Redback(config-port)#clips exclude vendor-class-id 0xAABP2798
[local]Redback(config-port)#bind interface dhcp-server c2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 4/2
[local]Redback(config-port)#service clips-group dclips
[local]Redback(config-port)#clips exclude vendor-class-id 0xAABP2798
[local]Redback(config-port)#bind interface dhcp-server c2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 4/3
[local]Redback(config-port)#service clips-group dclips
[local]Redback(config-port)#clips exclude vendor-class-id 0xAABP2798
[local]Redback(config-port)#bind interface dhcp-server c2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#exit