I've been working on setting up a redirect for our HFC plant; here are a few options that I've tried with varying levels of success.
Created an interface sub-bundle: bundle1 and bundle1.1.
bundle1 is the normal bundle we use; all DOCSIS IPs and host IPs are delivered from it. All DOCSIS IPs are fixed-address (no dynamic DHCP), and all publics are dynamically assigned via DHCP. Works fine in daily operation.
For example.
Cable modem ip - 10.10.1.1
Public IP - 8.8.8.9
Added bundle1.1, a new private network for DOCSIS, 10.20.1.1, and a new public network. I tried dynamic DHCP on bundle1.1 for 10.20.1.1, then assigned 192.168.10.xx for the CPEs. Works great: I can put an ACL on the CMTS to handle 192.168.10.x and redirect to my poisoned DNS, and it gets to my management page. But it fails, because if I kick off a customer on bundle1, it will come up on 1.1; it seems like bundle1.1 is preferred, even though there is a fixed address set up for this MAC address on bundle1. The CMTS doesn't seem to care about that, so this isn't going to work. I can turn off dynamic on the second bundle and define them in a fixed manner on the private; I believe that will work (didn't test). Is there any way to prefer a certain bundle somehow? Not sure how a cable modem chooses the bundle interface. Any ideas would be appreciated.
The second method I tried was to create a set of filters in the DOCSIS config file. This all works OK, except that I can't find a way to do a redirect on the DNS traffic. I just replaced the config on a standard customer on bundle1; they get a normal public and the firewalling works, the CPE can only talk to my allowed IPs, but I have no way to redirect/identify this modem on the CMTS in order to redirect it. Is there anything I can do here, some way to send that traffic to a machine I can mangle it with? Can I do a service class on it and do something with the service flow on the CMTS?
Please let me know if someone does this. I do this on my other technologies and am trying to get it going on HFC. Fiber and PPPoE based devices work very well.
What are you trying to achieve?
Send all unprovisioned modems to a captive portal?
Yes, essentially: all CMs without a defined management IP in DHCP, i.e. not provisioned, I want to put into a captive portal.
I was also thinking that I could maybe use L2VPN: build a default boot file to assign to these unprovisioned users via dynamic DHCP on the main bundle. Except I don't exactly understand L2VPN. I presume it just sends VLAN tags out a defined NSI port on the uBR 10012 when it detects a corresponding CM with L2VPN configured, and I can pick these tags up on an external device as normal dot1q tags. Or another thought is if I could somehow mark the CPE traffic in the DOCSIS config file and catch that with an ACL on the Cisco (and redirect DNS there).
I did get this to work. I was able to make a DOCSIS config file that allowed me to mark the CPEs behind it so they get their DHCP lease via an option-82 widget.
Key bits for anybody else who might want to try this. I did this on a Cisco CMTS 10012; not sure if this will work for all CMTSs.
- DOCSIS config, which I call redirect.bin: in UsServiceFlow add a ServiceClassName.
ServiceClassName "captive-portal";
- Create a matching service class on the CMTS:
cable service class 100 name captive-portal
On our system all management IPs are fixed-address DHCP leases. CM IPs are 10.10.0.0/20, all fixed, and all working modems have a fixed lease assigned.
So I created another pool, 10.40.0.0/20, that will pass out IPs dynamically, so unprovisioned or deprovisioned modems will get an IP out of this pool (since no fixed-address is defined) and get my redirect.bin config file.
So then I can mark CPEs behind cable modems with that redirect.bin file.
On our system public IPs are passed out dynamically for CPE devices behind the cable modems, but I disallow all CPEs on these public networks with the option-82 info; using captive-portal always falls in the same part of the string.
(relay-agent-information,35,14!="captive-portal")
So then I create another block of dynamics in my shared CMTS network, 10.50.0.0/20, that only accepts DHCP clients with a match, and I assign them my captive portal IP (and I have them limited to my captive portal redirect page/payment site).
(relay-agent-information,35,14="captive-portal")
So they get a 10.50 on their CPEs that is assigned my DNS, which resolves all requests to my captive portal page, which allows them to make payment and reactivate the account. Seems to work fine so far.
The marking of the CPEs by the ServiceClassName is really the key here; once you can mark these CPEs behind cable modems you can do anything you want as far as redirecting the CPEs where you want them.
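As an added example (not the poster's configuration or code), here is the decision the DHCP side of this setup is making, written out in Python: decode the option-82 relay agent information into its RFC 3046 sub-options, find the service-class name the CMTS inserted, and pick the pool. Which sub-option a given CMTS uses to carry the class name, and every sample byte, are assumptions constructed for the demo; the poster's offsets 35 and 14 belong to their own CMTS's layout, so the constructed sample here lands the tag at a different offset.

```python
"""Decode a DHCP Relay Agent Information option (option 82, RFC 3046) and make
the pool decision described in the thread: CPEs whose relay info carries the
"captive-portal" service-class name go to the captive pool, everything else
stays on the public pool.

Added example, not the poster's DHCP-server or CMTS configuration.
Sub-option codes 1 (Circuit ID) and 2 (Remote ID) are defined in RFC 3046;
which sub-option a given CMTS uses to carry the service-class name, and the
bytes it puts there, are assumptions.  All sample payloads are constructed."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

CAPTIVE_TAG = b"captive-portal"   # the ServiceClassName set in redirect.bin
CAPTIVE_POOL = "10.50.0.0/20"     # pool that hands out the captive-portal DNS
PUBLIC_POOL = "public"            # the normal dynamic public pool


@dataclass(frozen=True)
class SubOption:
    code: int
    offset: int      # byte position of the value within the option-82 payload
    value: bytes


def parse_option82(payload: bytes) -> List[SubOption]:
    """Split an option-82 payload into its TLV sub-options.

    Each sub-option is code (1 byte), length (1 byte), value (length bytes).
    A truncated header or a length that overruns the payload is rejected:
    a relay that emits garbage must never accidentally match a pool rule."""
    subs: List[SubOption] = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError(f"truncated sub-option header at byte {i}")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(
                f"sub-option {code} declares {length} bytes but only {len(value)} remain")
        subs.append(SubOption(code, i + 2, value))
        i += 2 + length
    return subs


def locate_tag(payload: bytes, tag: bytes = CAPTIVE_TAG) -> Optional[Tuple[int, int]]:
    """Return (offset, length) of `tag` inside any sub-option value, or None.

    The offset is counted from the start of the option-82 payload, i.e. the
    kind of number a rule such as (relay-agent-information,35,14=...) uses;
    it depends on the sizes of the sub-options the CMTS inserts before it."""
    for sub in parse_option82(payload):
        pos = sub.value.find(tag)
        if pos != -1:
            return sub.offset + pos, len(tag)
    return None


def offset_rule(payload: bytes, offset: int, length: int, tag: bytes = CAPTIVE_TAG) -> bool:
    """Fixed-position comparison, the shape of the poster's
    (relay-agent-information,35,14="captive-portal") rule."""
    return payload[offset : offset + length] == tag


def choose_pool(payload: bytes) -> str:
    """Pool decision for one relayed DISCOVER/REQUEST."""
    return CAPTIVE_POOL if locate_tag(payload) is not None else PUBLIC_POOL


def build_sample(service_class: Optional[bytes]) -> bytes:
    """Constructed option-82 payload: Circuit ID (1) and Remote ID (2, the CM
    MAC) as a CMTS relay would insert, plus an assumed sub-option 9 carrying
    the service-class name when one is given."""
    subs = [(1, bytes.fromhex("0000002a")),        # constructed 4-byte circuit id
            (2, bytes.fromhex("001122334455"))]    # constructed CM MAC
    if service_class is not None:
        subs.append((9, service_class))            # sub-option code is an assumption
    return b"".join(bytes([code, len(value)]) + value for code, value in subs)


if __name__ == "__main__":
    for name in (b"captive-portal", b"gold", None):
        payload = build_sample(name)
        print(name, payload.hex(), locate_tag(payload), choose_pool(payload))
```

For the constructed layout the tag sits at byte 16, so `offset_rule(payload, 16, 14)` agrees with `locate_tag`; on a real CMTS you would read the offset out of a captured relayed DISCOVER, which is presumably how the poster arrived at 35 and 14. A fixed-offset rule only stays correct while every sub-option the CMTS inserts ahead of the class name keeps the same length, which is why the TLV walk is kept alongside it here. As with the poster's rule, a value that merely contains the tag also matches; tighten `locate_tag` to `sub.value == tag` if the class name must match exactly.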