Copyright
© Ericsson AB 2009–2011. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.
Disclaimer
The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.

1 Overview
This document describes how to configure, monitor, and administer clientless IP service selection (CLIPS). With CLIPS, multiple sessions are possible from a single customer site. When the subscriber is authenticated, a virtual circuit is created for each medium access control (MAC) address based on the subscriber profile stored in a Remote Authentication Dial-In User Service (RADIUS) server database.
The SmartEdge® OS supports two types of CLIPS circuits: static and dynamic. Both types of circuits allow incoming packets on a clear-channel source, such as an Ethernet port, an 802.1Q permanent virtual circuit (PVC), or an Asynchronous Transfer Mode (ATM) PVC, to be treated as if they came from a channelized source.
By channelizing the port or PVC, packets from an individual subscriber are treated as if they are on a virtual subscriber circuit, which can be bound to an interface in a specific context. The system treats this virtual subscriber circuit as it would any other circuit; for example, you can attach a quality of service (QoS) policy, an access control list (ACL), or an HTTP redirect policy to it.
Another advantage to using CLIPS is that there is no need for client software, other than Dynamic Host Configuration Protocol (DHCP) client software to support dynamic CLIPS sessions on the subscriber’s PC. CLIPS is extensible and can be used as more complex configurations are required for new services. A sample of current applications includes aggregated cable modem, digital subscriber line (DSL), wireless, and Ethernet-to-the-home environments.
For information about how to troubleshoot CLIPS, see the BRAS Troubleshooting Guide.
1.1 Requirements and Restrictions
- Static CLIPS
You configure a static CLIPS circuit on a physical circuit and bind it to a specific interface. The static CLIPS circuit uses the IP address that you specify in the subscriber record.
- Dynamic CLIPS
The SmartEdge OS creates a dynamic CLIPS circuit on a port or PVC that you have configured for dynamic CLIPS service when a subscriber initiates a session. At that time, the Dynamic Host Configuration Protocol (DHCP) assigns the IP address for the session. (You must configure a DHCP server in the same context for which the subscriber is authenticated.)
The SmartEdge router supports residential gateways (RGs) with DHCP relay capability to be used as dynamic CLIPS clients that can then function as DHCP relay agents for the home network devices connected to them. (An RG connects network-enabled devices on a home network to the Internet.) Without this function, you would be required to configure each RG by manually assigning it an IP address to enable it to be used as a DHCP relay agent. For the SmartEdge router to support this function, you must configure the RG as a DHCP client before using this function. After the RG is assigned an IP address from a DHCP server, the RG must then operate as a DHCP relay agent for this function to work. After the CLIPS session for an RG is established, the home network devices can then establish their own CLIPS sessions using the DHCP relay agent. The CLIPS sessions for the home network devices are independent of the CLIPS session for the RG.
- Note:
- In this configuration, the DHCP server assigns the IP addresses to the RG and the home network devices on the same subnet.
- Dynamic CLIPS on dot1q On-Demand PVCs
You can configure a QoS policy on the parent CCOD circuit, from which the subscriber inherits it, or apply the QoS policy directly under the subscriber record by using the CLI or RADIUS.
The following guidelines apply to QoS support for dot1q on-demand circuits:
- You can configure QoS policing and metering policies at the parent CCOD circuit by using the inherit or hierarchical keyword, which results in the subscriber getting a QoS policy.
- The inherit keyword results in the subscriber circuit being provisioned with the parent QoS policy if the subscriber circuit does not have a policy of its own.
- The hierarchical keyword results in the CLIPS subscriber circuit being provisioned with the parent QoS policing and metering policy in addition to its own policy, if it has any.
- A QoS queuing policy configured on the parent CCOD circuit is inherited by the CLIPS subscriber circuit if it does not have its own queuing policy.
- A QoS queuing policy configured under the subscriber record results in all the subscriber traffic using the queues configured in the direct queuing policy.
- Features such as propagate qos to and from, and overhead profile, have the same syntax as for the applicable PPPoE subscriber circuits.
- The qos priority and rate-circuit commands, which are supported on static PVCs, are not supported on CCOD circuits.
- Note:
- When a new QoS policy binding configuration under the on-demand dot1q pvc or range is applied, the configuration is applied only to new CCOD circuits and subscribers coming up. There is no impact to existing CCOD circuits and subscribers.
When you remove the QoS configuration from the dot1q pvc on-demand configuration, there is no impact to existing CCOD circuits and CLIPS subscriber circuits. New CCOD circuits or CLIPS subscriber circuits coming up use the existing QoS bindings on the parent CCOD circuit.
The following access control list (ACL) features are supported:
- IPv4 ACL IP Filtering - applied to subscriber
- IPv4 ACL Policy Filtering - Used by QoS
- IPv4 ACL Policy Filtering - Used by Forwarding policy on subscriber
- IPv4 ACL Policy Filtering - Used by NAT policy on subscriber
Regular and on-demand PVCs with the same dot1q PVC id are supported. However, regular dot1q PVC configuration takes precedence over on-demand PVC configuration.
The following are not supported:
- CLIPS over ATM on-demand PVCs
- CCOD for both CLIPS SVLAN and CVLAN at the same time.
- Static CLIPS subscribers over dot1q on-demand PVCs
- Netop for configuring CLIPS over on-demand dot1q PVCs.
- Bind interface configuration for dot1q on-demand PVCs
- The range over on-demand dot1q PVCs is not displayed in the show configuration port command.
- CLIPS support on CCOD is not provided when the aaa context ctx-name and its attributes are enabled on the dot1q on-demand PVC. The aaa context ctx-name is used as an alternative mechanism of retrieving the encapsulation type, username, context and other binding attributes from RADIUS, instead of using the configuration.
The following CLI commands, which are supported on static PVCs, are not supported on CCOD circuits:
- qos priority
- rate-circuit
- circuit-group-member
- forward policy
- forward output
- service clips exclude
- service clips group
- CLIPS PVCs are not supported by on-demand ATM or 802.1Q PVCs.
- CLIPS groups:
You can create groups of ports and PVCs on which dynamic CLIPS circuits are created. These CLIPS groups provide port and PVC redundancy for the subscriber sessions initiated on those ports and PVCs. If a port or PVC that is a member of a CLIPS group becomes inoperable, traffic on its dynamic CLIPS circuits is not disrupted, but is moved to another port or PVC that is a member of the group.
CLIPS groups support intra-card, inter-port redundancy, but not inter-card redundancy.
Members of CLIPS groups can include Ethernet or Gigabit Ethernet ports, or 802.1Q PVCs configured on those ports.
Members of CLIPS groups can also include Ethernet or Gigabit Ethernet ports and 802.1Q PVCs configured as members of access link groups. See the Configuring Link Aggregation document for further information.
- CLIPS exclusion
CLIPS exclusion allows you to configure a port or PVC to support both dynamic CLIPS sessions and DHCP sessions. With CLIPS exclusion, you can specify which sessions are DHCP hosts; all other sessions are dynamic CLIPS sessions. You must configure a DHCP internal or relay server in each context in which a CLIPS subscriber is bound.
- Unless otherwise noted, the SmartEdge 100 router supports all commands and features described in this document.
2 Configuration Tasks
To configure CLIPS circuits, perform the tasks described in the following sections:
- Note:
- To configure any CLIPS circuit, you must have enabled the software license for active subscribers; CLIPS dynamic circuits also require a license for dynamic services.
For information about how to troubleshoot CLIPS, see the BRAS Troubleshooting Guide.
2.1 Configuring CLIPS Static Circuits
To configure one or more CLIPS static circuits on an Ethernet port, 802.1Q PVC, or ATM PVC, perform the tasks described in Table 1. Enter all commands in CLIPS PVC configuration mode, unless otherwise noted.
| Step | Task | Root | Notes |
|---|---|---|---|
| 1. | Enable the CLIPS feature for static CLIPS PVCs. | | Enter this command in ATM PVC, dot1q PVC, link group, link PVC, or port configuration mode. |
| 2. | Create one or more CLIPS static circuits on an Ethernet port, 802.1Q PVC, or ATM PVC, and access CLIPS PVC configuration mode. | | Enter this command in ATM PVC, dot1q PVC, link group, link PVC, or port configuration mode. CLIPS PVCs are not supported by on-demand ATM or 802.1Q PVCs. |
| 3. | Create a static binding, using one of the following commands: | | |
| | A single CLIPS PVC. | | Enter this command in CLIPS PVC configuration mode. |
| | A range of CLIPS PVCs. | | Enter this command in CLIPS PVC configuration mode. |
| 4. | Disable a CLIPS PVC (stop operations on it) until you are ready to begin operations on it. | | By default, all circuits are enabled (operational). |
2.2 Configuring Dynamic CLIPS Circuits
To configure dynamic CLIPS circuits, perform the tasks described in Table 2.
For information about the DHCP commands, and the vendor-specific attributes (VSAs) provided by Ericsson AB, see Configuring DHCP and RADIUS Attributes documents.
| Step | Task | Root | Notes |
|---|---|---|---|
| 1. | Configure the IP address of a reachable DHCP server. | | Enter this command in context configuration mode. |
| 2. | Configure one or more DHCP proxy interfaces in the context in which the subscriber circuit is to be bound. | | Enter this command in interface configuration mode. |
| 3. | Configure hosts to use DHCP to dynamically acquire address information for a subscriber’s circuit and to set the maximum number of IP addresses that can be assigned to hosts associated with the circuit. | | Enter this command in subscriber configuration mode. The subscriber record or profile must have no IP address configured; enter 1 as the value for the max-num argument. You can configure this information in the subscriber record with the RADIUS database instead of with this command. Use vendor-specific attribute (VSA) 3 provided by Ericsson AB, the DHCP-Max-Leases attribute. |
| 4. | Configure the subscriber password. | | Enter this command in subscriber configuration mode. Enter Redback as the value for the passwd argument. You can configure this information in the subscriber record with the RADIUS database instead of with this command. By default, the SmartEdge OS authenticates subscribers through the local configuration. |
| 5. | Enable dynamic CLIPS service. | | Enter this command in ATM PVC, dot1q PVC, link group, link group PVC, or port configuration mode. |
2.3 Configure Dynamic CLIPS on dot1q On-Demand PVCs
To configure dynamic CLIPS on dot1q on-demand PVCs, perform the tasks described in Table 3.
To view a configuration example, see Section 3.4.
| Step | Task | Root | Notes |
|---|---|---|---|
| 1. | Configure the IP address of a reachable DHCP server. | | Enter this command in context configuration mode. |
| 2. | Configure one or more DHCP proxy interfaces in the context in which the subscriber circuit is to be bound. | | Enter this command in interface configuration mode. |
| 3. | Configure hosts to use DHCP to dynamically acquire address information for a subscriber’s circuit and to set the maximum number of IP addresses that can be assigned to hosts associated with the circuit. | | Enter this command in subscriber configuration mode. The subscriber record or profile must have no IP address configured; enter 1 as the value for the max-num argument. You can configure this information in the subscriber record with the RADIUS database instead of with this command. Use vendor-specific attribute (VSA) 3 provided by Ericsson AB, the DHCP-Max-Leases attribute. |
| 4. | Configure the subscriber password. | | Enter this command in subscriber configuration mode. Enter Redback as the value for the passwd argument. You can configure this information in the subscriber record with the RADIUS database instead of with this command. By default, the SmartEdge OS authenticates subscribers through the local configuration. |
| 5. | Enable dynamic CLIPS service for on-demand circuits. | | Enter this command in dot1q PVC or link group PVC configuration mode. |
2.4 Configuring a CLIPS Group
To configure a CLIPS group and assign a port or 802.1Q PVC to it, perform the tasks described in Table 4.
- Note:
- CLIPS groups are available only for Ethernet and Gigabit Ethernet ports and 802.1Q PVCs that are configured on them.
| Step | Task | Root | Notes |
|---|---|---|---|
| 1. | Configure the IP address of a reachable DHCP server. | | Enter this command in context configuration mode. |
| 2. | Configure one or more DHCP proxy interfaces in the context in which the subscriber circuit is to be bound. | | Enter this command in interface configuration mode. |
| 3. | Configure hosts to use DHCP to dynamically acquire address information for a subscriber’s circuit and to set the maximum number of IP addresses that can be assigned to hosts associated with the circuit. | | Enter this command in subscriber configuration mode. The subscriber record or profile must have no IP address configured; enter 1 as the value for the max-num argument. You can configure this information in the subscriber record with the RADIUS database instead of with this command. Use vendor VSA 3 provided by Ericsson AB, DHCP-Max-Leases attribute. |
| 4. | Configure the subscriber password. | | Enter this command in subscriber configuration mode. Enter Redback as the value for the passwd argument. You can configure this information in the subscriber record with the RADIUS database instead of with this command. By default, the SmartEdge OS authenticates subscribers through the local configuration. |
| 5. | Create the CLIPS group. | | Enter this command in global configuration mode. |
| 6. | Assign a port or 802.1Q PVC to the CLIPS group. | | Enter this command in port or dot1q PVC configuration mode for each port and PVC to be assigned to the group. |
2.5 Configuring CLIPS Exclusion
To configure CLIPS exclusion for a port or PVC, perform the tasks described in Table 5.
- Note:
- CLIPS exclusion is available only for ports and PVCs that are configured for dynamic CLIPS service; you must configure the external DHCP relay or internal DHCP server and subscribers in the same context for which you configure the subscribers, as described in Table 5.
| Step | Task | Root | Notes |
|---|---|---|---|
| 1. | Configure the IP address of a reachable DHCP server. | | Enter this command in context configuration mode. |
| 2. | Configure one or more DHCP proxy interfaces in the context in which the subscriber circuit is to be bound. | | Enter this command in interface configuration mode. |
| 3. | Configure hosts to use DHCP to dynamically acquire address information for a subscriber’s circuit and to set the maximum number of IP addresses that can be assigned to hosts associated with the circuit. | | Enter this command in subscriber configuration mode. The subscriber record or profile must have no IP address configured; enter 1 as the value for the max-num argument. You can configure this information in the subscriber record with the RADIUS database instead of with this command. Use vendor VSA 3 provided by Ericsson AB, DHCP-Max-Leases attribute. |
| 4. | Configure the subscriber password. | | Enter this command in subscriber configuration mode. Enter Redback as the value for the passwd argument. You can configure this information in the subscriber record with the RADIUS database instead of with this command. By default, the SmartEdge OS authenticates subscribers through the local configuration. |
| 5. | Enable CLIPS service. | | Enter this command in ATM PVC, dot1q PVC, or port configuration mode. |
| 6. | Specify an exclusion condition for DHCP hosts on an ATM PVC, dot1q PVC, or Ethernet port. Base the exclusion on the host's vendor class or user class. | service clips-exclude vendor-class-id | Enter this command in ATM PVC, dot1q PVC, or port configuration mode. |
2.6 Configuring CLIPS to Use the Vendor-Class-Identifier
This procedure, in which CLIPS service is configured to use the vendor-class-identifier, assumes that a RADIUS server has been configured. Only the configuration steps specifically used in setting and verifying the use of the vendor-class-identifier are described.
When CLIPS service is configured to use the vendor-class-identifier, the username format of CLIPS subscribers sent in RADIUS access requests and accounting packets is changed to MAC-address@vendor-class-identifier.
To configure CLIPS to use the vendor-class-identifier:
- Enter the service clips dhcp command with the vendor-class-id keyword. Optionally specify the argument [default default-id].
  - The vendor-class-id keyword configures the system to use the vendor-class-identifier from the DHCP packet for context selection.
  - The argument [default default-id] specifies the default vendor-class-identifier if one is not received in the DHCP packet.
- Enter the show subscribers active command to display the vendor-class-identifiers received in DHCP packets from the CPEs and verify that they are as you expected. See the dhcp vendor class id field.
- Enter the show clips counters detail command and check CLIPS operation. Examine the number of sessions that have failed to come up because of problems associated with use of the vendor-class-identifier. Examine the following fields:
  - The No Vendor-class field counts the number of sessions that have not come up because there is no vendor-class-identifier to use, either from the DHCP packet or from the configuration determined by the service clips dhcp command.
  - The Vendor-class len field counts the number of sessions that have not come up because the length of the vendor-class-identifier is greater than 48 characters.
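The username derivation and the two counters described above, modelled in Python as an added example (not Ericsson code and not part of the original document). Assumptions: the MAC address is rendered colon-delimited in lowercase, as in the subscriber name used in this document's examples; the default identifier is used only when DHCP option 60 is absent or empty; the 48-character limit applies to whichever identifier is used. The function names and the sample identifiers are hypothetical.

```python
"""Model of the section 2.6 behaviour: derive the RADIUS username
MAC-address@vendor-class-identifier from a DHCP request and tally the
two failure counters the section names. Added illustration only."""
import re
from collections import Counter

OPT_PAD, OPT_VENDOR_CLASS, OPT_END = 0, 60, 255  # RFC 2132 option codes
MAX_VENDOR_CLASS_LEN = 48                         # limit stated in section 2.6
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")  # assumed MAC rendering


def parse_dhcp_options(options: bytes) -> dict:
    """Walk the code/length/value options that follow the DHCP magic cookie."""
    found, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:              # pad is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option %d has no length byte" % code)
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past the end of the packet" % code)
        found.setdefault(code, value)    # keep the first instance of an option
        i += 2 + length
    return found


def format_mac(chaddr: bytes) -> str:
    """Render a 6-byte client hardware address as aa:bb:cc:dd:ee:ff."""
    if len(chaddr) != 6:
        raise ValueError("expected a 6-byte Ethernet address")
    return ":".join("%02x" % b for b in chaddr)


def clips_username(chaddr, options, default_id=None, counters=None):
    """Return 'MAC@vendor-class-id', or None when the session would not come up."""
    counters = counters if counters is not None else Counter()
    raw = parse_dhcp_options(options).get(OPT_VENDOR_CLASS)
    vci = raw.decode("ascii", errors="replace") if raw else default_id
    if not vci:
        counters["No Vendor-class"] += 1   # nothing in the packet, no default
        return None
    if len(vci) > MAX_VENDOR_CLASS_LEN:
        counters["Vendor-class len"] += 1  # longer than 48 characters
        return None
    return "%s@%s" % (format_mac(chaddr), vci)


def split_username(username: str):
    """RADIUS-side inverse. Split on the first '@' only: the identifier is
    client-supplied and may itself contain '@'; the MAC part never does."""
    mac, sep, vci = username.partition("@")
    if not sep or not MAC_RE.fullmatch(mac):
        raise ValueError("not a MAC@vendor-class-id username: %r" % username)
    if not vci or len(vci) > MAX_VENDOR_CLASS_LEN:
        raise ValueError("vendor-class-identifier missing or too long")
    return mac, vci


def opt(code: int, value: bytes) -> bytes:
    """Encode one DHCP option (helper for the constructed samples below)."""
    return bytes([code, len(value)]) + value


# Constructed sample input, not captured traffic.
SAMPLE_CHADDR = bytes.fromhex("02dd00000001")
WITH_VCI = opt(53, b"\x01") + opt(60, b"example-cpe") + bytes([OPT_END])
WITHOUT_VCI = opt(53, b"\x01") + bytes([OPT_END])
TOO_LONG_VCI = opt(60, b"x" * 49) + bytes([OPT_END])


def demo():
    """Run the four cases section 2.6 distinguishes; return names and counters."""
    counters = Counter()
    names = [
        clips_username(SAMPLE_CHADDR, WITH_VCI, counters=counters),
        clips_username(SAMPLE_CHADDR, WITHOUT_VCI, "fallback", counters),
        clips_username(SAMPLE_CHADDR, WITHOUT_VCI, counters=counters),
        clips_username(SAMPLE_CHADDR, TOO_LONG_VCI, counters=counters),
    ]
    return names, dict(counters)


if __name__ == "__main__":
    print(demo())
```
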
2.7 Controlling Username Formatting
This configuration controls the format of the username sent to RADIUS in Access-Request and accounting messages.
Only the configuration steps specifically used in managing user name formatting are described. All commands are optional:
- Enter the radius attribute username encaps clips command. Use the following options to control username formatting:
  - The strip-mac-delimiter keyword strips the delimiter characters from the username sent to RADIUS in Access-Request and accounting messages.
  - The prefix and suffix arguments append prefixes and suffixes to the username.
- Enter the radius strip-domain command to strip the domain from the username sent to RADIUS.
3 Configuration Examples
This section provides examples of configuring a static CLIPS circuit for a single PVC, static CLIPS for a range of PVCs, static CLIPS circuits using an IP address pool, dynamic CLIPS circuits using local authentication, dynamic CLIPS using RADIUS authentication, a CLIPS group and CLIPS exclusion. For information about how to troubleshoot CLIPS, see the BRAS Troubleshooting Guide.
3.1 Static CLIPS Circuit for a Single PVC
The following example shows how to configure a CLIPS static circuit on a single PVC:
```
[local]Redback(config)#service multiple-contexts
[local]Redback(config)#context c1
[local]Redback(config-ctx)#interface i1 multibind
[local]Redback(config-if)#ip address 10.1.1.254/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#subscriber name s1
[local]Redback(config-sub)#ip address 10.1.1.1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#card ge-5-port 9
[local]Redback(config-card)#exit
[local]Redback(config)#port ethernet 9/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#service clips
[local]Redback(config-port)#clips pvc 1
[local]Redback(config-clips-pvc)#bind subscriber s1@c1
```
3.2 Static CLIPS for a Range of PVCs
The following example shows how to configure 10 static CLIPS circuits on an Ethernet port:
```
[local]Redback(config)#service multiple-contexts
[local]Redback(config)#context c1
[local]Redback(config-ctx)#interface i1 multibind
[local]Redback(config-if)#ip address 10.1.1.254/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#subscriber name s1
[local]Redback(config-sub)#ip address 10.1.1.1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name s2
[local]Redback(config-sub)#ip address 10.1.1.2
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name s3
[local]Redback(config-sub)#ip address 10.1.1.3
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name s4
[local]Redback(config-sub)#ip address 10.1.1.4
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name s5
[local]Redback(config-sub)#ip address 10.1.1.5
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name s6
[local]Redback(config-sub)#ip address 10.1.1.6
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name s7
[local]Redback(config-sub)#ip address 10.1.1.7
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name s8
[local]Redback(config-sub)#ip address 10.1.1.8
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name s9
[local]Redback(config-sub)#ip address 10.1.1.9
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name s10
[local]Redback(config-sub)#ip address 10.1.1.10
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#card ge-5-port 9
[local]Redback(config-card)#exit
[local]Redback(config)#port ethernet 9/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#service clips
[local]Redback(config-port)#clips pvc 1 through 10
[local]Redback(config-pvc-clips)#bind auto-subscriber s c1
```
3.3 Static CLIPS Circuits Using an IP Address Pool
The following example automatically configures static CLIPS circuits for subscribers 1 through 253 on an Ethernet port, and assigns each subscriber an IP address from the IP pool, pool1:
```
[local]Redback(config)#context BASIC
[local]Redback(config-ctx)#interface ingress
[local]Redback(config-if)#ip address 200.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface pool1 multibind
[local]Redback(config-if)#ip address 20.1.1.253/24
[local]Redback(config-if)#ip pool 20.1.1.0/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#ip address pool name pool1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#port ethernet 9/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface ingress BASIC
[local]Redback(config-port)#service clips
[local]Redback(config-port)#clips pvc 1 through 253
[local]Redback(config-pvc-clips)#bind auto-subscriber subscriber BASIC
```
3.4 Configure Dynamic CLIPS on dot1q On-Demand PVCs
The following example shows how to configure dynamic CLIPS on dot1q On-Demand PVCs.
To view the configuration tasks, see Section 2.3.
```
!Configure the system for an external DHCP server
[local]Redback(config)#service multiple-contexts
[local]Redback(config)#context c1
!
[local]Redback(config-ctx)#dhcp relay server 10.2.1.1
[local]Redback(config-dhcp-relay)#exit
!Configure an interface for ports and PVCs with dynamic CLIPS circuits using the DHCP proxy server
[local]Redback(config-ctx)#interface i1 multibind
[local]Redback(config-if)#ip address 10.1.255.254/16
[local]Redback(config-if)#dhcp proxy 65535
[local]Redback(config-if)#exit
!Configure an interface to communicate with the external DHCP server
[local]Redback(config-ctx)#interface dhcp-server
[local]Redback(config-if)#ip address 10.2.1.2/24
[local]Redback(config-if)#exit
!Configure the subscriber default profile for the DHCP proxy server
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name 02:dd:00:00:00:01
[local]Redback(config-sub)#password Redback
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
!Configure Ethernet port 9/1 for dynamic CLIPS on dot1q on-demand PVCs
[local]Redback(config)#card ge-5-port 9
[local]Redback(config-card)#exit
[local]Redback(config)#port ethernet 9/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc on-demand 101
[local]Redback(config-dot1q-pvc)#service clips dhcp context c1
!
!Configure Ethernet port 9/2 for dynamic CLIPS on dot1q on-demand PVC range
[local]Redback(config)#card ge-5-port 9
[local]Redback(config-card)#exit
[local]Redback(config)#port ethernet 9/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc on-demand 201 through 210
[local]Redback(config-dot1q-pvc)#service clips dhcp context c1
!Configure Ethernet port 9/3 for dynamic CLIPS on dot1q on-demand QinQ PVC
[local]Redback(config)#card ge-5-port 9
[local]Redback(config-card)#exit
[local]Redback(config)#port ethernet 9/3
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc 301 encapsulation 1qtunnel
[local]Redback(config-port)#dot1q pvc on-demand 301:1
[local]Redback(config-dot1q-pvc)#service clips dhcp context c1
!Configure Ethernet port 9/4 for dynamic CLIPS on dot1q on-demand multi-encaps PVCs
[local]Redback(config)#card ge-5-port 9
[local]Redback(config-card)#exit
[local]Redback(config)#port ethernet 9/4
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#encapsulation dot1q
[local]Redback(config-port)#dot1q pvc on-demand 401 encapsulation multi
[local]Redback(config-dot1q-pvc)#service clips dhcp context c1
[local]Redback(config-port)#circuit protocol pppoe
[local]Redback(config-port)#bind authentication chap pap context a maximum 10
!Configure non-economical access link group for dynamic CLIPS on dot1q on-demand PVC range
[local]Redback(config)#link-group lg1 access
[local]Redback(config-link-group)#encap dot1q
[local]Redback(config-link-group)#dot1q pvc on-demand 501
[local]Redback(config-dot1q-pvc)#service clips dhcp context c1
[local]Redback(config-dot1q-pvc)#exit
[local]Redback(config-link-group)#exit
[local]Redback(config)#card ge-5-port 9
[local]Redback(config-card)#exit
[local]Redback(config)#port ethernet 9/5
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#link-group lg1
```
3.5 Dynamic CLIPS Circuits Using Local Authentication
The following example shows how to configure dynamic CLIPS circuits on an ATM PVC and an Ethernet port using local authentication and an external DHCP proxy server:
```
!Configure the system for an external DHCP server
!
[local]Redback(config)#service multiple-contexts
[local]Redback(config)#context c1
[local]Redback(config-ctx)#dhcp relay server 10.2.1.1
[local]Redback(config-dhcp-relay)#exit
!Configure a DHCP proxy server interface for the ports and PVCs with dynamic CLIPS circuits
!
[local]Redback(config-ctx)#interface i1 multibind
[local]Redback(config-if)#ip address 10.1.255.254/16
[local]Redback(config-if)#dhcp proxy 65535
[local]Redback(config-if)#exit
!Configure an interface for communicating with the external DHCP server
!
[local]Redback(config-ctx)#interface dhcp-server
[local]Redback(config-if)#ip address 10.2.1.2/24
[local]Redback(config-if)#exit
!Configure the subscriber default profile for the DHCP proxy server
!
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#subscriber name 02:dd:00:00:00:01
[local]Redback(config-sub)#password Redback
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
!Configure an ATM profile for an ATM PVC for dynamic CLIPS circuits in context c1
!
[local]Redback(config)#atm profile a1
[local]Redback(config-atm-profile)#shaping ubr
[local]Redback(config-atm-profile)#exit
[local]Redback(config)#card atm-oc3e-8-port 1
[local]Redback(config-card)#exit
[local]Redback(config)#port atm 1/1
[local]Redback(config-atm-oc)#no shutdown
[local]Redback(config-atm-oc)#atm pvc 0 32 profile a1 encapsulation bridge1483
[local]Redback(config-atm-pvc)#service clips dhcp context c1
[local]Redback(config-atm-pvc)#exit
[local]Redback(config-atm-oc)#exit
!Configure an Ethernet port for dynamic CLIPS circuits in context c1
!
[local]Redback(config)#card ge-5-port 9
[local]Redback(config-card)#exit
[local]Redback(config)#port ethernet 9/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#service clips dhcp context c1
[local]Redback(config-port)#exit
!Bind the external DHCP server interface to a port
!
[local]Redback(config)#port ethernet 9/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface dhcp-server c1
[local]Redback(config-port)#exit
[local]Redback(config)#exit
```
3.6 Dynamic CLIPS Using Global RADIUS Authentication
The following example shows how to configure dynamic CLIPS circuits on an Ethernet port, using global RADIUS authentication and an external DHCP proxy server:
```
!Configure global RADIUS authentication
!
[local]Redback(config)#aaa global authentication subscriber radius context local
[local]Redback(config)#service multiple-contexts
[local]Redback(config)#context local
!Configure the RADIUS server
[local]Redback(config-ctx)#radius server 10.0.154.2 key Redback
!Configure an interface for circuits without dynamic CLIPS
[local]Redback(config-ctx)#interface i2
[local]Redback(config-if)#ip address 10.0.154.7/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
!Configure RADIUS authentication for a context and an external DHCP server
!
[local]Redback(config)#context c1
[local]Redback(config-ctx)#aaa authentication subscriber radius global
[local]Redback(config-ctx)#dhcp relay server 10.2.1.1
!Configure a DHCP proxy server interface for the ports and PVCs with dynamic CLIPS circuits
!
[local]Redback(config-ctx)#interface i1 multibind
[local]Redback(config-if)#ip address 10.1.255.254/16
[local]Redback(config-if)#dhcp proxy 65535
[local]Redback(config-if)#exit
!Configure an interface for communicating with the external DHCP server
!
[local]Redback(config-ctx)#interface dhcp-server
[local]Redback(config-if)#ip address 10.2.1.2/24
[local]Redback(config-if)#exit
!Configure the subscriber default profile for the DHCP proxy server
!
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
!Configure two Ethernet ports for dynamic CLIPS service, using the DHCP proxy server
!
[local]Redback(config)#card ge-5-port 9
[local]Redback(config-card)#exit
[local]Redback(config)#port ethernet 9/1
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#service clips dhcp context c1
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 9/2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#service clips dhcp context c1
[local]Redback(config-port)#exit
!Configure an Ethernet port that does not enable dynamic CLIPS service
!
[local]Redback(config)#port ethernet 9/3
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface i2 local
[local]Redback(config-port)#exit
!Bind the external DHCP server interface to a port
!
[local]Redback(config)#port ethernet 9/4
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#bind interface dhcp-server c1
[local]Redback(config-port)#exit
[local]Redback(config)#exit
```
3.7 CLIPS Group
The following example shows how to configure a CLIPS group and assign three Ethernet ports.
[local]Redback(config)#service multiple-contexts
!Configure an empty CLIPS group for the c2 context
!
[local]Redback(config)#clips-group dclips dhcp context c2
!Configure an external DHCP server
!
[local]Redback(config)#context c2
[local]Redback(config-ctx)#dhcp relay server 10.2.1.3
!Configure an interface for the DHCP proxy server
!
[local]Redback(config-ctx)#interface i2 multibind
[local]Redback(config-if)#ip address 10.1.255.254/16
[local]Redback(config-if)#dhcp proxy 65535
[local]Redback(config-if)#exit
!Configure an interface for the ports with dynamic CLIPS circuits
!
[local]Redback(config-ctx)#interface dhcp-server
[local]Redback(config-if)#ip address 10.2.1.3/24
[local]Redback(config-if)#exit
!Configure the subscriber default profile for the DHCP proxy server
!
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
!Configure three Ethernet ports for dynamic CLIPS service, using the DHCP proxy server
!Assign each port to the CLIPS group
!
[local]Redback(config)#card ge-5-port 9
[local]Redback(config-card)#exit
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#service clips-group dclips
[local]Redback(config-port)#bind interface dhcp-server c2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 4/2
[local]Redback(config-port)#service clips-group dclips
[local]Redback(config-port)#bind interface dhcp-server c2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#exit
[local]Redback(config)#port ethernet 4/3
[local]Redback(config-port)#service clips-group dclips
[local]Redback(config-port)#bind interface dhcp-server c2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#exit
3.8 Vendor Class ID Based CLIPS Exclusion
The following example shows how to specify exclusion conditions using the vendor class ID for a CLIPS group of Ethernet ports.
The example assumes that DHCP clients are connected to the SmartEdge router through a third-party relay.
[local]Redback(config)#service multiple-contexts
!Configure an external DHCP server
!
[local]Redback(config)#context c2
[local]Redback(config-ctx)#dhcp relay server 10.2.1.4
!Configure an interface for the DHCP proxy server
!
[local]Redback(config-ctx)#interface dhcp-server
[local]Redback(config-if)#ip address 10.2.1.3/24
[local]Redback(config-if)#exit
!Configure an interface for the ports with dynamic CLIPS circuits
!
[local]Redback(config-ctx)#interface i2 multibind
[local]Redback(config-if)#ip address 10.1.255.254/16
[local]Redback(config-if)#dhcp proxy 65535
[local]Redback(config-if)#exit
!Configure an interface for the DHCP relay sitting between the SE and the DHCP clients
!
[local]Redback(config-ctx)#interface dhcp-relay
[local]Redback(config-if)#ip address 100.1.1.1/24
[local]Redback(config-if)#exit
!Configure a route to DHCP clients through DHCP relay
! Note: DHCP relay address is 100.1.1.2/24
[local]Redback(config-ctx)#ip route 10.1.0.0/16 100.1.1.2
!Configure the subscriber default profile for the DHCP proxy server
!
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
!Configure Ethernet port for CLIPS and exclude the DHCP host
!
[local]Redback(config)#card ge-10-port 4
[local]Redback(config-card)#exit
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#service clips dhcp context c2
[local]Redback(config-port)#service clips-exclude vendor-class-id vcid-123
[local]Redback(config-port)#bind interface dhcp-relay c2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#exit
! Configure port for external DHCP server connection
!
[local]Redback(config)#port ethernet 4/2
[local]Redback(config-port)#bind interface dhcp-server c2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#exit
3.9 User Class ID Based CLIPS Exclusion
The following example shows how to specify exclusion conditions using the user class ID for CLIPS.
The example assumes that DHCP clients are connected to the SmartEdge router through a third-party relay.
[local]Redback(config)#service multiple-contexts
!Configure an external DHCP server
!
[local]Redback(config)#context c2
[local]Redback(config-ctx)#dhcp relay server 10.2.1.4
!Configure an interface for the DHCP proxy server
!
[local]Redback(config-ctx)#interface dhcp-server
[local]Redback(config-if)#ip address 10.2.1.3/24
[local]Redback(config-if)#exit
!Configure an interface for the ports with dynamic CLIPS circuits
!
[local]Redback(config-ctx)#interface i2 multibind
[local]Redback(config-if)#ip address 10.1.255.254/16
[local]Redback(config-if)#dhcp proxy 65535
[local]Redback(config-if)#exit
!Configure an interface for the DHCP relay sitting between the SE and the DHCP clients
!
[local]Redback(config-ctx)#interface dhcp-relay
[local]Redback(config-if)#ip address 100.1.1.1/24
[local]Redback(config-if)#exit
!Configure a route to DHCP clients through DHCP relay
! Note: DHCP relay address is 100.1.1.2/24
[local]Redback(config-ctx)#ip route 10.1.0.0/16 100.1.1.2
!Configure the subscriber default profile for the DHCP proxy server
!
[local]Redback(config-ctx)#subscriber default
[local]Redback(config-sub)#dhcp max-addrs 1
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
!Configure Ethernet port for CLIPS and exclude the DHCP host
!
[local]Redback(config)#card ge-10-port 4
[local]Redback(config-card)#exit
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#service clips dhcp context c2
[local]Redback(config-port)#service clips-exclude user-class-id ucid-123
[local]Redback(config-port)#bind interface dhcp-relay c2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#exit
! Configure port for external DHCP server connection
!
[local]Redback(config)#port ethernet 4/2
[local]Redback(config-port)#bind interface dhcp-server c2
[local]Redback(config-port)#no shutdown
[local]Redback(config-port)#exit
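The following Python check is an added example, not part of the Ericsson documentation. It reads a configuration transcript in the format used above, one command per line, and cross-checks the DHCP settings behind each dynamic CLIPS port. The names parse and check, the sample transcript, and the two rules are assumptions; the rules follow the layout of the examples above, where an external DHCP server is reached through a dhcp proxy interface.

```python
import re

PROMPT = re.compile(r"^\[\w+\]\S+?\(config[^)]*\)#")  # e.g. "[local]Redback(config-ctx)#"

def parse(session):
    """Return (contexts, ports) from a CLI transcript, one command per line."""
    ctxs, ports, ctx, ifc, port = {}, {}, None, None, None
    for raw in session.splitlines():
        # "!" comment lines and blank lines match none of the branches below
        w = PROMPT.sub("", raw.strip()).split() or [""]
        if w[0] == "context":
            ctx, ifc, port = w[1], None, None
            ctxs.setdefault(ctx, {"relay": set(), "ifs": {}})
        elif w[0] == "port":
            port, ctx, ifc = w[2], None, None
            ports[port] = None  # filled in if the port enables dynamic CLIPS
        elif w[0] == "interface" and ctx:
            ifc = ctxs[ctx]["ifs"].setdefault(w[1], {"ip": None, "proxy": False})
        elif w[:2] == ["ip", "address"] and ifc is not None:
            ifc["ip"] = w[2].split("/")[0]
        elif w[:2] == ["dhcp", "proxy"] and ifc is not None:
            ifc["proxy"] = True
        elif w[:3] == ["dhcp", "relay", "server"] and ctx:
            ctxs[ctx]["relay"].add(w[3])
        elif w[:3] == ["service", "clips", "dhcp"] and port:
            ports[port] = w[4]  # context named after "context"
    return ctxs, ports

def check(ctxs, ports):
    """Return findings; rules assume the proxy + external DHCP server layout."""
    out = []
    for name, c in ctxs.items():
        for srv in sorted(c["relay"] & {i["ip"] for i in c["ifs"].values()}):
            out.append(f"context {name}: relay server {srv} is a local interface address")
    for p, cname in ports.items():
        ifs = ctxs.get(cname, {"ifs": {}})["ifs"]
        if cname and not any(i["proxy"] for i in ifs.values()):
            out.append(f"port {p}: CLIPS context {cname} has no dhcp proxy interface")
    return out

# Constructed transcript (not from the page) with two deliberate mistakes.
SAMPLE = """[local]Redback(config)#context c2
[local]Redback(config-ctx)#dhcp relay server 10.2.1.3
[local]Redback(config-ctx)#interface dhcp-server
[local]Redback(config-if)#ip address 10.2.1.3/24
[local]Redback(config)#port ethernet 4/1
[local]Redback(config-port)#service clips dhcp context c2"""
```

Calling check(*parse(SAMPLE)) returns one finding per mistake; a transcript that defines a dhcp proxy interface and a distinct relay server address returns an empty list.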