7 Replies
Create a firewall filter that will DENY all Ethernet traffic to the CPE...
I have not played around with the Firewall on the CPE enough to see how this would work. Without me having a CPE in my hands right now, are there specific settings I can tell the WISP to set on the CPE Firewall?
Craig, one creative way might be to add a classification rule based on a destination address. When it's time to disconnect the user, update his service flows to include the classification rule. The destination rule should be the outside address of the NOC's firewall. This will allow management of the SM, but the customer can't send traffic anywhere but the firewall. Changing the password in the AAA is the easy way, but it won't allow SM management. As for truck roll, when it's time to reconnect the user just correct the password. No truck roll needed. Walled garden is the ultimate. You'll be able to do that once the PMP320 supports layer 2. Vern
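The destination-based rule suggested above, modelled as an added example that is not part of the original post and is not PMP320 configuration syntax. The addresses are constructed, and the model assumes upstream traffic that matches no classification rule is dropped.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (documentation/private ranges), not values from the thread.
NOC_FIREWALL_OUTSIDE = ipaddress.ip_address("203.0.113.10")
SM_MGMT_IP = "10.20.0.5"  # hypothetical management address of the SM

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    note: str

def suspended_classifier(pkt: Packet) -> bool:
    """Classification rule for a suspended subscriber:
    match only traffic destined to the NOC firewall's outside address."""
    return ipaddress.ip_address(pkt.dst) == NOC_FIREWALL_OUTSIDE

def evaluate(packets, suspended: bool):
    """Return {note: 'forward' | 'drop'} for each upstream packet."""
    verdicts = {}
    for pkt in packets:
        if not suspended or suspended_classifier(pkt):
            verdicts[pkt.note] = "forward"
        else:
            verdicts[pkt.note] = "drop"  # assumption: unmatched traffic has no flow
    return verdicts

def audit(packets):
    """Flows that still pass while suspended but do not originate from the SM,
    i.e. what the NOC firewall itself must be prepared to filter."""
    verdicts = evaluate(packets, suspended=True)
    return [p.note for p in packets
            if verdicts[p.note] == "forward" and p.src != SM_MGMT_IP]

# Constructed sample of upstream packets crossing the SM.
SAMPLE = [
    Packet(SM_MGMT_IP, "203.0.113.10", 162, "SM SNMP trap to NOC"),
    Packet("192.168.1.50", "198.51.100.7", 443, "customer HTTPS"),
    Packet("192.168.1.50", "198.51.100.53", 53, "customer DNS"),
    Packet("192.168.1.50", "203.0.113.10", 22, "customer host to NOC firewall"),
]

if __name__ == "__main__":
    for note, verdict in evaluate(SAMPLE, suspended=True).items():
        print(f"{verdict:8} {note}")
    print("still reachable from customer side:", audit(SAMPLE))
```

The last sample packet shows that hosts behind the suspended SM can still reach the NOC firewall's outside address, so that firewall should accept only the expected management traffic from the SM's own address.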
Thanks Drew, this is for the 320 platform so the BAM would not apply. The WISP wants to cut off the customer from being able to communicate at all and once the bill is paid, the WISP turns them back on. I think they are looking for a button on the Administrator log-in on the CPE that would cut the wireline side off completely. I don't have my 320 CPE in my hands right now so I can't really play around with it to see what I can come up with.
You could remove the CPE from the AAA and then force a de-registration.
"remove the CPE from the AAA". Meaning change the Authentication User Name/Password on the CPE? Then how would you log back into the CPE without a truck roll? And if you set up a profile in AAA for non-payers with limited bandwidth that still gives the customer bandwidth to the internet. It would be really nice if the wireline could be cut off so the user couldn't get past the user side of the CPE and the WISP could still see the Administrator side of the CPE without changing the network/RF/IR settings...
Craig - the graceful solution is a traffic stream redirect to a walled garden with links to an online billpay system, or at least a splash page giving them a friendly reminder to pay their bill... there are lots of COTS solutions out there that offer this sort of backoffice functionality - there may still be a list of partners that provide such billing mediation solutions in the Canopy space at Motorola.com.
A less graceful solution would be to just block all internet bound traffic sourced from that subscriber's CPE at the router closest to his node just to keep his TCP traffic from busying up core resources. This would require a fairly robust network configuration change management scheme, and someone to staff that role unless you're talking about a modestly sized network...
There are also fairly inexpensive flow management appliances that replicate the old BAM functionality to provide different grades of service to tiered service customers. One of these could be tweaked to provide very low throughput to non-payers, so they can at least receive and reply to the nastigram emails.
Drew M. Mooney
Western Region Pre-Sales T.A.
Motorola ACES
940-595-4761 [m]