
Table Of Contents

Configuring the CNR LEG and the SM

Information About Configuring the CNR LEG

Information About Setting the SM IP Address and Port

Information About Setting the Subscriber Mode

Information About Setting the Attack Filter Parameters

Information About Setting the Lease Time Option

Information About Configuring the SM

Information About Configuring SM-LEG Failure Handling

Information About Setting Domain Aliases

Information About Configuring Auto-logout

Configuring the PRPC Server


Configuring the CNR LEG and the SM


This module explains how to configure the CNR LEG and to configure the Subscriber Manager to use the CNR LEG module.

Information About Configuring the CNR LEG 

Information About Configuring the SM 

Information About Configuring the CNR LEG

The CNR configuration file offers the following configuration options to the user:

SM IP address—The IP address of the SM

SM port—The TCP port on which the SM PRPC server listens

Subscriber mode—The subscriber entity to be used by the LEG: CM as subscriber (default) or CPE as subscriber

Lease time option—The DHCP option number from which to extract the lease expiration time that is to be sent to the SM

Attack filter parameters—Defines whether the DHCP DoS attack protection is on and defines how to perform the filtering

Information About Setting the SM IP Address and Port

Setting the SM IP Address and Port 

SM IP Address and Port Example 

Setting the SM IP Address and Port

You must set the SM IP address correctly in order for the LEG to operate.

The default PRPC TCP port number generally does not need to be changed. The SM port default is TCP 14374.

The SM PRPC port can be retrieved from the SM configuration file. For additional information, see the "Configuration File Options" module of the Cisco SCMS Subscriber Manager User Guide.

SM IP Address and Port Example

The following example is a portion of a sample CNR configuration file showing how to configure the SM IP address and port:

[sm]
# SM IP address
ip_address= 216.239.37.99
# SM PRPC Server port. default 14374
#port=14374

Information About Setting the Subscriber Mode

Setting the Subscriber Mode 

Subscriber Mode Example 

Setting the Subscriber Mode

The LEG can operate in one of two modes:

CM as Subscriber—Each CPE login/logout/lease extension triggers a logon operation to the SM using the corresponding CM MAC as the subscriber ID.

CPE as Subscriber—Each CPE is a separate subscriber entity. Each CPE login/logout/lease extension triggers a logon operation to the SM using both the CPE MAC and the CM MAC as the subscriber ID.

Subscriber Mode Example

The following example is a portion of a sample CNR configuration file showing how to configure the Subscriber Mode:

CM as Subscriber:

[general]
# defines who is the subscriber to refer to the CM or the CPE.
# default: cm_as_subscriber optional values: cm_as_subscriber \
# cpe_as_subscriber
subscriber_mode=cm_as_subscriber

CPE as Subscriber:

[general]
# defines who is the subscriber to refer to the CM or the CPE.
# default: cm_as_subscriber optional values: cm_as_subscriber \
# cpe_as_subscriber
subscriber_mode=cpe_as_subscriber

Information About Setting the Attack Filter Parameters

Setting the Attack Filter Parameters 

Attack Filter Example 

Setting the Attack Filter Parameters

To enable the DHCP Denial of Service (DoS) attack protection, the enabled option must be set. The attack filter has two parameters that define its operation:

The timeout parameter defines the minimal interval in seconds between identical DHCP requests (login/renew transactions). If two identical requests reach the CNR within the time interval specified in this parameter, the LEG ignores the second request. The CNR does not trigger the second login to the SM.

The num_of_entries parameter defines the number of DHCP transaction information entries that the attack filter can hold at any given time. This parameter affects the amount of memory allocated by the LEG for the DoS attack protection filter. Change this parameter only if the LEG supports a high transaction rate.

Attack Filter Example

The following example is a portion of a sample CNR configuration file showing how to configure the attack filter parameters:

[attack filter]
# enable or disable the attack filtering mechanism in the LEG
# can be set to true or false. default true.
enabled=true
# minimum time in seconds between DHCP login/renew transactions of
# the same subscriber with the same IP. default = 10 seconds
timeout=10
# the number of attack transactions detected on this user that
# should generate a log message. setting 0 disables this logging.
# note: the first attack detection is always logged (unless
# logging is disabled)
# default: log every 100 attack transactions.
log_interval=100
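The filter behaviour described above, modelled as an added Python example; it is not code from the CNR LEG or from Cisco. Assumptions: the timeout window is measured from the last accepted request, the oldest entry is evicted when the table is full, log_interval=0 is read as disabling all attack logging, and the default table size and the sample traffic are constructed.

```python
from collections import OrderedDict

class AttackFilter:
    """Illustrative model of the LEG's duplicate-DHCP-request filter."""

    def __init__(self, timeout=10, num_of_entries=4, log_interval=100):
        self.timeout = timeout                # seconds between identical requests
        self.num_of_entries = num_of_entries  # table capacity (constructed value)
        self.log_interval = log_interval      # 0 disables attack logging (assumed reading)
        self.table = OrderedDict()            # (subscriber, ip) -> [accepted_at, dropped]
        self.log = []

    def allow(self, subscriber, ip, now):
        """Return True if this login/renew should trigger a login to the SM."""
        key = (subscriber, ip)
        entry = self.table.get(key)
        if entry is not None and now - entry[0] < self.timeout:
            entry[1] += 1
            # First detection is logged, then every log_interval-th repeat.
            if self.log_interval and (entry[1] == 1 or entry[1] % self.log_interval == 0):
                self.log.append((now, subscriber, ip, entry[1]))
            return False
        self.table[key] = [now, 0]            # new or expired: accept, restart window
        self.table.move_to_end(key)
        while len(self.table) > self.num_of_entries:
            self.table.popitem(last=False)    # assumption: oldest entry is evicted
        return True

def replay(events, **settings):
    """Run constructed (time, subscriber, ip) events through a fresh filter."""
    f = AttackFilter(**settings)
    return [f.allow(sub, ip, t) for t, sub, ip in events], f.log

# Constructed sample traffic: one CM repeating the same request.
FLOOD = [(0, "cm-a", "10.0.0.5"), (3, "cm-a", "10.0.0.5"),
         (9, "cm-a", "10.0.0.5"), (10, "cm-a", "10.0.0.5")]
# Constructed sample: three subscribers interleaved, then cm-a repeats at t=3.
BUSY = [(0, "cm-a", "10.0.0.5"), (1, "cm-b", "10.0.0.6"),
        (2, "cm-c", "10.0.0.7"), (3, "cm-a", "10.0.0.5")]

if __name__ == "__main__":
    print(replay(FLOOD, timeout=10))        # repeats inside 10 s are dropped
    print(replay(BUSY, num_of_entries=2))   # table too small: the repeat gets through
    print(replay(BUSY, num_of_entries=3))   # table large enough: the repeat is dropped
```

The BUSY runs show why num_of_entries has to track the transaction rate: when the table is smaller than the number of subscribers active within one timeout window, earlier entries are lost and repeated requests reach the SM again.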

Information About Setting the Lease Time Option

Setting the Lease Time Option 

Lease Time Option Example 

Setting the Lease Time Option

To enable subscriber auto-logout at lease time expiration on the SM, the lease_time option must be set. The CNR LEG can extract the IP address lease expiration from one of the following DHCP option numbers:

51 (default)

58

59

For additional information about the auto-logout mechanism, see Information About Configuring Auto-logout.

Lease Time Option Example

The following example is a portion of a sample CNR configuration file showing how to configure the lease time option:

lease_time_option=51

Information About Configuring the SM

Use the SM configuration file to configure the Subscriber Manager. For additional information, see the "Configuration File Options" module of the Cisco SCMS Subscriber Manager User Guide.

Information About Configuring SM-LEG Failure Handling 

Information About Setting Domain Aliases 

Information About Configuring Auto-logout 

Configuring the PRPC Server 

Information About Configuring SM-LEG Failure Handling


Note: It is important to properly configure SM-LEG failure handling on the SM before continuing with the CNR LEG configuration. For information about configuring the SM, see the "Configuration File Options" module of the Cisco SCMS Subscriber Manager User Guide.


In order to configure the failure handling, you must do the following in the configuration file:

Activate SM-LEG Failure Handling

Set LEG-Domains associations

Information About Activating SM-LEG Failure Handling

Activating SM-LEG Failure Handling

By default, SM-LEG failure handling is not activated. To activate it, you must set the clear_all_mappings parameter to true. If required, you can also change the timeout value.

SM-LEG Failure Handling Example

The following example is a portion of a sample p3sm.cfg configuration file showing how to configure SM-LEG failure handling:

[SM-LEG Failure Handling]
# The following parameter defines the behavior of the SM in case of
# LEG-SM connection failure.
# This parameter is relevant only for cases SM and LEG are running
# on different machines.
# Note that this parameter defines a behavior that is similar for
# ALL connected LEGs. If the parameter is set to true then in case
# of LEG-SM connection failure that is not recovered within the
# defined timeout, the mappings of all subscribers in the domains
# defined in the 'LEG-Domains Association' section for the LEG
# that was disconnected, will be removed.
#
# IMPORTANT: LEG Domains must be defined in the following section
# in case this parameter is set to 'true'.
#
# Optional values: [true/false]. Default: false.
clear_all_mappings=true
# The following parameter defines the time in seconds from a LEG-SM
# connection failure until clearing the mappings in the SM database.
# Default value: 60.
timeout=60

Information About Setting LEG-Domains Associations

Setting LEG-Domains Associations 

LEG-Domains Association Example 

Setting LEG-Domains Associations

You must set LEG-Domains associations in order for the SM-LEG failure handling to work. The CNR-LEG name to be used in this section is a concatenation of the hostname of the machine on which the LEG is installed and the suffix ".CNR.LEG".

An alternate way to retrieve the CNR-LEG name is by using the p3rpc utility. This utility displays all clients currently connected to the PRPC server, including the CNR.

Use the p3rpc CLU to retrieve the CNR LEG name:

>p3rpc --show-client-names

LEG-Domains Association Example

If the hostname of the machine on which the LEG is installed is netserv5, use netserv5.CNR.LEG for the LEG name in the configuration file. The following example assumes that the name of the subscriber domain associated with the CNR LEG is subscribers.

The following example is a portion of a sample p3sm.cfg configuration file showing how to set LEG-Domains associations.

[LEG-Domains Association]
# The following parameter defines domains that the mapping of all
# subscribers that belong to them will be cleared on LEG-SM
# connection failure. The key is the LEG NAME and the value is a
# comma separated list of domain names.
# A value of * in domain names stands for all the subscriber domains
# in the system.
# A value of * in LEG name means all the LEGs that are connected to
# the SM.
# LEG NAME1 = domain_name1,domain_name2
# LEG NAME2 = domain_name2,domain_name3
netserv5.CNR.LEG=subscribers

Information About Setting Domain Aliases

Setting Domain Aliases 

Domain Aliases Example 

Setting Domain Aliases

You must set domain aliases in order for the CNR LEG to operate correctly.

The CNR LEG uses the CMTS IP address for the subscriber domain name. You should make sure that all the CMTS IP addresses appear as an alias to exactly one subscriber domain. Use the SM configuration file to configure domain aliases.


Note: You do not have to configure domain aliases in those cases where each CMTS updates a single subscriber domain and you have configured the subscriber domain names in the SM to be the IP address of the matching CMTS.


Domain Aliases Example

In this example, the SM is configured with the following:

A single subscriber domain named subscribers

Four CMTS devices with the following IP addresses:

209.247.228.201

209.247.228.202

69.42.72.147

69.42.72.148

The following example is a portion of a sample p3sm.cfg configuration file showing how to configure the domain aliases.

[Domain.subscribers]
# The following parameter defines domain aliases. When subscriber
# information is received from the LEG with certain alias the
# information will be distributed to the domain that matches this
# alias - domain that contains this alias in its aliases list.
#
# A typical alias could be a network device IP address. For example,
# each string in the values can be the IP address of a NAS or a
# CMTS.
#
# In order to distribute all subscriber operations on all unmapped
# domains to a certain domain use aliases=*. Note that only one
# domain section may include this alias.
aliases=209.247.228.201,209.247.228.202,69.42.72.147,69.42.72.148
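A pre-deployment check for the two SM requirements above (LEG-Domains associations must exist when clear_all_mappings is true, and every CMTS IP must be an alias of exactly one subscriber domain), as an added Python example that is not part of the Cisco tooling. The lint function, the sample file contents and the second domain "lab" are hypothetical; section and key names are taken from the p3sm.cfg examples on this page.

```python
import configparser

# Constructed p3sm.cfg fragment based on this page's examples, with three
# deliberate mistakes: no [LEG-Domains Association] section although
# clear_all_mappings=true, CMTS 69.42.72.148 missing from every alias list,
# and 209.247.228.202 also claimed by a hypothetical second domain "lab".
SAMPLE = """
[SM-LEG Failure Handling]
clear_all_mappings=true
timeout=60
[Domain.subscribers]
aliases=209.247.228.201,209.247.228.202,69.42.72.147
[Domain.lab]
aliases=209.247.228.202
"""
CMTS_IPS = ["209.247.228.201", "209.247.228.202", "69.42.72.147", "69.42.72.148"]

def lint(cfg_text, cmts_ips):
    """Return a list of findings for the SM settings the CNR LEG depends on."""
    cfg = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#",))
    cfg.optionxform = str              # keep LEG names such as netserv5.CNR.LEG as written
    cfg.read_string(cfg_text)
    findings = []
    # Failure handling only works when LEG-Domains associations are set.
    if cfg.getboolean("SM-LEG Failure Handling", "clear_all_mappings", fallback=False):
        assoc = "LEG-Domains Association"
        if not cfg.has_section(assoc) or not cfg.options(assoc):
            findings.append("clear_all_mappings=true but no LEG-Domains associations")
    # Map each alias to the set of domains that claim it.
    owners = {}
    for section in cfg.sections():
        if not section.startswith("Domain."):
            continue
        name = section[len("Domain."):]
        owners.setdefault(name, set()).add(name)   # domain named after its CMTS IP
        for alias in cfg.get(section, "aliases", fallback="").split(","):
            if alias.strip():
                owners.setdefault(alias.strip(), set()).add(name)
    if len(owners.get("*", ())) > 1:
        findings.append("aliases=* appears in more than one domain section")
    for ip in cmts_ips:
        claimed_by = owners.get(ip, set())
        if not claimed_by and "*" not in owners:
            findings.append(f"CMTS {ip} is not an alias of any domain")
        elif len(claimed_by) > 1:
            findings.append(f"CMTS {ip} is an alias of {len(claimed_by)} domains")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE, CMTS_IPS):
        print(finding)
```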

Information About Configuring Auto-logout

Configuring Auto-logout 

Auto-logout Example 

Configuring Auto-logout

To automatically log out subscribers when their lease time expires, you must configure the SM auto-logout interval. After every auto-logout interval time, the SM checks which subscriber IP addresses have a lease time that has expired and begins to automatically remove these IP addresses from the system.

Lease time is the timeout defined by the LEG during the login operation of each IP address, based on the lease-time option. All subscriber login events will start a timer of lease_time seconds. When the timer expires and the grace_period, which is another configuration parameter, has also passed, the subscriber's IP addresses are removed, causing the subscriber to be removed from the SCE platform database. If the subscriber logs on with an existing IP address during the countdown period, the timer is reset and the countdown period restarts.

If the auto-logout value is set to zero (0), the SM's auto-logout mechanism is disabled.

If the auto-logout interval is set to a value greater than zero, the SM's auto-logout mechanism is enabled.


Note: The subscriber record (with no mappings) remains in the SM database, preserving the subscriber state.


Auto-logout Example

The following example is a portion of a sample p3sm.cfg configuration file showing how to configure the auto-logout interval to 6 minutes:

[Auto Logout]
# The following parameter configures the time between each run of
# the auto-logout mechanism. After every "auto-logout" time
# interval, the SM checks which subscriber IP addresses have a lease
# time that has expired, and begins to automatically remove these IP
# addresses from the system (causing it to be removed from the SCE
# platform's database).
# Auto-logout should be activated when the LEG/API cannot provide
# logout indications.
auto_logout_interval=360
# The following parameter defines the grace period in seconds for
# subscriber auto logout. A subscriber will be logged out only after
# timeout period + grace period seconds.
grace_period=10
# The following parameter defines the maximum rate (logouts per
# second) that the auto-logout task will perform logouts from the
# system. This enables to spread the load of the logout operations
# over time, and reduce the performance impact on other operations.
# the value should be calculated so it spreads the logouts over at
# least half of 'auto_logout_interval' time. (default 50)
max_rate=50

Configuring the PRPC Server

To enable the CNR LEG to communicate with the SM, the PRPC server must be up and running. The RPC server is started by default, therefore it does not require special configuration.

The following example is a portion of a sample p3sm.cfg configuration file showing the PRPC server configuration:

[RPC.Server]
# RPC server port (default 14374)
port=14374

To view the status of the PRPC server in the SM, use the p3rpc CLU.

>p3rpc --show


Posted: Thu Jan 31 21:30:23 PST 2008
All contents are Copyright © 1992--2008 Cisco Systems, Inc. All rights reserved.