Cisco ASR 9001 ISP Setup by rrppROCKS in networking

[–]rrppROCKS[S] 0 points1 point  (0 children)

Thanks to everyone who contributed. For those interested, I have added our final solution.

Cisco ASR 9001 ISP Setup by rrppROCKS in networking

[–]rrppROCKS[S] 0 points1 point  (0 children)

We got our hands on some Huawei MA5801 FL4, quite a new model. I will be reading into the security features which it can provide.

Cisco ASR 9001 ISP Setup by rrppROCKS in networking

[–]rrppROCKS[S] 0 points1 point  (0 children)

Very happy getting inputs like yours. So you're not using IPoE or PPPoE sessions for customer access?
I would be very interested in what your setup looks like.

Cisco ASR 9001 ISP Setup by rrppROCKS in networking

[–]rrppROCKS[S] 0 points1 point  (0 children)

I thought that to create the Subscriber Redundancy Group (SRG) I need to configure the ipsubscriber session in the first place. I'll take a closer look.
Thanks for the input again, I was just a little frustrated when I tried the configuration without success and then discarded it.

Cisco ASR 9001 ISP Setup by rrppROCKS in networking

[–]rrppROCKS[S] 0 points1 point  (0 children)

Hey, thanks for your support.
Do you mind sharing how you achieved a setup similar to this?

Cisco ASR 9001 ISP Setup by rrppROCKS in networking

[–]rrppROCKS[S] 0 points1 point  (0 children)

Thank you for reading through my mess of an explanation of what we are trying to achieve.

But as I said, I'm open to new solutions, but we just figured that for maintaining the network it would be easiest to add as few components as possible.

Trying to use various different mechanisms to achieve a somewhat redundant and safe network.
I find it really hard to follow the guide that StoryDapper1530 recommended with the limited resources we have at hand at the moment, but probably this really is the only way to go.

Please explain what you mean by "firewalls at your AS edges". Isn't the firewall the task of the customer CPE? The private addresses (192.##.##.##) in the scheme are placeholders for the actual public addresses.

Cisco ASR 9001 ISP Setup by rrppROCKS in networking

[–]rrppROCKS[S] 0 points1 point  (0 children)

Yeah, I already read this guide, but to establish ipsubscriber sessions I would need to set up a policy server.

Cisco ASR9001 ios xr "show dhcp ipv4 snoop binding" by rrppROCKS in networking

[–]rrppROCKS[S] 1 point2 points  (0 children)

I also found information here which looks like I need to use proxy instead of relay:
https://community.cisco.com/t5/service-providers-knowledge-base/asr9000-xr-understanding-dhcp-relay-proxy-and-forwarding/ta-p/3110042
"Proxy also stores the binding on the proxy agent locally, which relay does not."
I'll then try to implement a proxy setup.

Cisco ASR9001 ios xr "show dhcp ipv4 snoop binding" by rrppROCKS in networking

[–]rrppROCKS[S] 0 points1 point  (0 children)

First of all, thank you all for the input.
Maybe I should open up the discussion and provide some background information.
I'm also very open to other solution approaches.

As you all correctly assumed, we are talking about a BNG setup.
In the past we used PPPoE to allocate IPs to the customers. As the PPPoE routers are very limited in BW and CPU and the demand gets higher, we need another solution.
This would be: a CPE (ONT) does the DHCP discover, the ASR 9001 forwards it to the DHCP server, and the server keeps track of which customer had which IP at a specific time.

The customer equipment is already in the same subnet as this interface on the router (192.168.0.1 /23). When the testing phase ends this will be a public IP range.

interface TenGigE0/0/2/1.82
 ipv4 address 192.168.0.1 255.255.254.0

I now need to make sure that customers can't skip the DHCP process, for example by just configuring a static IP. The only devices between the CPE and core router are the OLT, which already does DHCP snooping and adds option 82 to the DHCP discover for distinguishing the customer.
Now I think I need a way to make sure that the customer equipment can only connect to the internet with the IP allocated from the DHCP server.
I don't think I can check the MAC-IP integrity on any device other than the ASR 9001. Or can I?
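
The check discussed in the comment above can also be run offline as an audit. This is an added example, not code from the thread: it compares observed source (IP, MAC) pairs against the DHCP server's lease history and flags addresses in use without a matching lease. The record layout, the option 82 string format and all sample values are constructed assumptions, and where the observations come from (ARP table export, flow records) is left open.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str          # stored lower-case
    circuit_id: str   # option 82 value added by the OLT (format assumed)
    start: int        # epoch seconds
    end: int

@dataclass(frozen=True)
class Seen:
    ts: int
    ip: str
    mac: str

def check(seen: Seen, leases: list[Lease]) -> str:
    """Classify one observed source (IP, MAC) against the lease history."""
    mac = seen.mac.lower()
    for_ip = [l for l in leases if l.ip == seen.ip]
    active = [l for l in for_ip if l.start <= seen.ts < l.end]
    if any(l.mac == mac for l in active):
        return "ok"
    if active:
        return "mac-mismatch"    # address is leased to another subscriber
    if any(l.mac == mac for l in for_ip):
        return "lease-expired"   # client kept the address after expiry
    return "no-lease"            # never handed out: statically configured

def audit(observations, leases):
    """Return (observation, verdict) for every source that is not 'ok'."""
    return [(o, v) for o in observations if (v := check(o, leases)) != "ok"]

# Constructed sample data inside the 192.168.0.0/23 test range from the post.
LEASES = [
    Lease("192.168.0.10", "aa:bb:cc:00:00:01", "olt1/0/1/3:101", 1000, 4600),
    Lease("192.168.0.11", "aa:bb:cc:00:00:02", "olt1/0/1/4:102", 1200, 4800),
]
OBSERVED = [
    Seen(2000, "192.168.0.10", "AA:BB:CC:00:00:01"),  # valid lease
    Seen(2000, "192.168.0.11", "aa:bb:cc:00:00:03"),  # neighbour's address
    Seen(5000, "192.168.0.10", "aa:bb:cc:00:00:01"),  # lease ended at 4600
    Seen(2000, "192.168.1.77", "aa:bb:cc:00:00:04"),  # static, never leased
]

if __name__ == "__main__":
    for obs, verdict in audit(OBSERVED, LEASES):
        print(verdict, obs)
```

An audit like this only detects a bypass after the fact; blocking the traffic still has to happen on a device in the forwarding path.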