
Restricting CPE routing by cable modem policy?

Tim Bowser
Level 1

Moved from wrong forum:

Summary first: we are trying to limit a customer's CPE routing to a single IP, a "walled garden" or "penalty box" if you may, based on the cable modem's assigned policy.

We are using Cisco CNR 6.2 to assign and control the cable modems and attached CPE devices on our network. What we are trying to do is control the CPE policy assigned to a cable modem, based on the cable modem's class of service. If an unknown cable modem attempts to come online, we would like to allow it a baseline class of service to stop it from endlessly ranging, then assign it a specific CPE policy that directs to an information server with no other internet access allowed.

Unless I've missed something, there seems to be no way to directly specify a CPE policy to be used, based on the cable modem policy.

3 Replies

mchin345
Level 6

For the CPE policy, remove all options from the Active list except the dhcp-lease-time and the routers options.

To do so, select the property to delete in the Active list and click the Remove button.

For further information click this link.

http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/products_configuration_example09186a00800943e1.shtml

Tried that, didn't work.

Our standard CNR service flows seem to be two-tracked, and neither one knows what the other does.

Cable modems range in on the CMTS, DHCP is transferred to the CNR via the CMTS' giaddr policy statement and shows up on the 10.x.x.x net. CNR knows this is a cable modem, sorts policy based on cable modem client-class and away they go. Cable modem is now effectively a bridge device for the CPE devices.

CPE devices now attempt to get their public IP addresses (we do not use proxy). This is where the disconnect occurs in our current setup. Aside from the specific IP pools and their router/gateway statements, there is effectively one policy. CPE asks, CNR looks at the available address pool and hands back an assignment. It doesn't know that the modem is a business class, gamer class, websurfing mom, it just throws an address, and that's my problem.

How do you influence the CPE policy assignment based on the CM? We created a specific CPE policy, call it "lockdown", but we haven't found how to bond it to a specific cable modem via client-class or policy.

OK, here is what I've found so far, and where I am really getting stuck.

Looking in the expanded logs at the CPE DHCP request packet, I see the CPE device MAC as 'chaddr', and further on in the packet comes Option 82 "relay-agent-info" suboption 2 "remote-id", the cable modem MAC.

BINGO, the clue I need to select a DHCP pool for this CPE device.

TAC keeps throwing manual pages at me, without any pertinent examples of what I'm trying to do. I need to build an expression script / scripts to process the following, and the manual is not forthcoming on how to get some of these results. The flow is this:

CPE DHCPREQUEST packet comes in.

Sanity check: compare 'chaddr' to 'Option 82 2'; if equal, then exit script, else continue.

Get the client-class result of (concat "1,6," (to-string (request option "relay-agent-info" "remote-id"))) <- this gives a string value of the modem's DHCP client database entry (1,6,00:01:02:03:04:05)

If the modem's client-class = "Cutoff", then set the policy selection-criteria / client-class for the CPE request as "Lockdown", otherwise pass a response to allow normal 'round-robin' assignment processing.

Any ideas?

Thanks again for looking.
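
The flow described in the last post, modelled in Python as an added example; it is not CNR expression-language code and does not come from the poster or from Cisco. The function names, the sample option bytes, and the dictionary standing in for the CNR client database are constructed for illustration.

```python
# Added illustration in plain Python; this is not CNR expression-language syntax.

def parse_tlvs(data, dhcp_options):
    """Parse code/length/value triples; honour pad(0)/end(255) only at option level."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if dhcp_options and code == 0:      # pad byte has no length field
            i += 1
            continue
        if dhcp_options and code == 255:    # end of options
            break
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        out[code] = value
        i += 2 + length
    return out

def client_key(mac):
    """Build the client database key in the form the post shows: 1,6,00:01:02:03:04:05."""
    return "1,6," + ":".join(f"{b:02x}" for b in mac)

def select_cpe_class(chaddr, options, client_db):
    """Return the client-class to force on this request, or None for normal assignment."""
    relay_info = parse_tlvs(options, dhcp_options=True).get(82)
    if relay_info is None:
        return None                         # no relay-agent-info to key on
    remote_id = parse_tlvs(relay_info, dhcp_options=False).get(2)
    if remote_id is None or len(remote_id) != 6:
        return None                         # remote-id missing or not a MAC
    if remote_id == chaddr:
        return None                         # sanity check: the modem's own request
    if client_db.get(client_key(remote_id)) == "Cutoff":
        return "Lockdown"
    return None

# Constructed sample data (hypothetical values, not taken from a real capture).
CM_MAC = bytes.fromhex("000102030405")      # modem MAC from the post's example key
CPE_MAC = bytes.fromhex("0a0b0c0d0e0f")
RELAY = bytes([1, 4, 0x80, 0x01, 0x00, 0x03]) + bytes([2, 6]) + CM_MAC
OPTIONS = bytes([53, 1, 3, 82, len(RELAY)]) + RELAY + bytes([255])
CLIENT_DB = {client_key(CM_MAC): "Cutoff"}  # stands in for the CNR client database

if __name__ == "__main__":
    print(select_cpe_class(CPE_MAC, OPTIONS, CLIENT_DB))
```

The result is only as trustworthy as the remote-id, so this assumes the request reached the server through the CMTS relay that inserted Option 82.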
