Ryan,

The instructions from 3Com are shown below, but seem to be very unspecific in a few places. The vague part is the VPN side...here's a situation.

Remote-POP-TC-Box    Remote-POP-Cisco    Local-Router    Local-Content-Filter-R2000
Normal User gets IP    Routes to Local    To the world
Filter User Gets IP and needs to be pushed to the tunnel
IP/IP Tunnel From ------------------------------->Tunnel Terminated
10.10.10.1/255.255.255.252    10.10.10.2/255.255.255.252

So what would I need to do to get this user to be pushed thru the tunnel? The tunnel is uni-directional. Right now, we have a special pool of IPs for filtered customers and on the Cisco we policy route those IPs thru the tunnel. I would love to be able to avoid setting up a pool of IPs just for filtered users. This sounds like a possible solution but I need some more info.

Thanks,
Brian

3Com Info......................

Configuring Host-based IEA Routing

Follow these steps:

1. Add an IP network on an Ethernet interface through which the VPN gateway can be reached:

     add ip network <name> address <ip_address> interface <interface_name>

   For example, to add an IP network called Lancer with an IP address of 200.0.0.2 to the eth:1 LAN interface:

     add ip network lancer address 200.0.0.2 interface eth:1

2. Set the routing protocol for this network:

     set ip network <name> routing_protocol [none | ripv1 | ripv2 | ospf]

   For example, to set the routing protocol to RIPv2:

     set ip network lancer routing_protocol ripv2

3. Configure RIP to send routing information, but to not listen for updates. Since RIPv1 and RIPv2 are configured to send routing information by default, you only need to configure the listening action:

     set ip network lancer rip_policies_update no_ripv1_receive
     set ip network lancer rip_policies_update no_ripv2_receive

4. Configure a user either locally or in the RADIUS server that specifies the next hop gateway.

   Local configuration - Create a network user. Also, use the following command to specify a next hop gateway:

     set network user <username> ip next_hop_gateway <ip address>

   RADIUS configuration - Configure a framed PPP user, also defining the VPN-Neighbor (or IEA-Next-Hop-Router) attribute to specify the next hop gateway. (This is a USR Vendor Specific attribute which has an ID of 0x9008. The value of this attribute is an IP Address.)

5. Enable IEA next hop routing using this command:

     enable ip iea_next_hop_routing

6. Optional. If you want to force the router card to use only the configured next hop routing interface (causing the user connection to be dropped if the gateway is unreachable), use this command:

     enable ip iea_force_nexthop_routing

Brian Becker
President, Poplar Bluff Internet, Inc.
P.O. Box 190 | Poplar Bluff, MO 63902 | 573.686.9114
Home of http://semo.net - Southeast Missouri's Online Community
http://TotallyFabricated.com
Total Scrutinizer - Tech Support Just Got Easier
WebGabber - All-html Web Chat Software

-----Original Message-----
From: owner-usr-tc@lists.xmission.com [mailto:owner-usr-tc@lists.xmission.com] On Behalf Of Ryan Tucker
Sent: Monday, July 23, 2001 7:42 PM
To: usr-tc@lists.xmission.com
Subject: Re: (usr-tc) Ascend-IP-Direct / Policy Routing

Well, it turns out to be Ascend-Client-Gateway over here on our Max's... Ascend-IP-Direct didn't do it :-)

But that's not your question... take a look at IEA-Next-Hop-Router. I think this will do what you need.

-rt (standards -- so many to choose from)

On Monday, July 23, 2001, at 01:47 , Carl Litt wrote:

Does anyone know if the RADIUS attribute "Ascend-IP-Direct" is supported by the HiPerARC? If so, what versions? Both Cisco and Nortel CVX claim to support this VSA.
From the definitions I've seen, Ascend-IP-Direct is used in an Access-Accept and tells the RAS to direct this user's packets to the provided gateway IP. We would be using this to provide transparent content filtering to select customers based on their RADIUS/LDAP entry.
Otherwise, is there a way to do policy routing on the ARC via RADIUS? I've looked at filters, but they don't seem to give the ability to redirect, only accept or reject. (I am running ARC V4.2.32).
Thanks,
Carl Litt
Network Administrator
Execulink Internet
- To unsubscribe to usr-tc, send an email to "majordomo@xmission.com" with "unsubscribe usr-tc" in the body of the message. For information
on digests or retrieving files and old messages send "help" to the same address. Do not use quotes in your message.
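
Added example, not part of any message in this thread or of the 3Com text: a Python sketch that builds the RADIUS Vendor-Specific attribute for the 0x9008 next hop described in step 4 and reads it back out of an attribute list, so the gateway a user will be steered to can be checked before it reaches the RAS. The USR vendor ID (429), the USR VSA layout (4-byte attribute ID with no inner length octet), the function names and the choice of 10.10.10.2 as the gateway are assumptions.

```python
import ipaddress
import struct

USR_VENDOR_ID = 429      # assumption: enterprise number used for USR/3Com VSAs
IEA_NEXT_HOP = 0x9008    # attribute ID quoted in the 3Com text above
VENDOR_SPECIFIC = 26     # RADIUS Vendor-Specific attribute type (RFC 2865)


def encode_next_hop(gateway: str) -> bytes:
    """Build the Vendor-Specific attribute carrying the next hop gateway.

    Assumed USR layout: 4-byte vendor ID, 4-byte attribute ID, then the value
    (no per-attribute type/length octets inside the VSA).
    """
    value = ipaddress.IPv4Address(gateway).packed
    body = struct.pack("!II", USR_VENDOR_ID, IEA_NEXT_HOP) + value
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def find_next_hop(attributes: bytes):
    """Walk a RADIUS attribute list; return the next hop gateway or None."""
    pos = 0
    while pos < len(attributes):
        attr_len = attributes[pos + 1] if pos + 1 < len(attributes) else 0
        if attr_len < 2 or pos + attr_len > len(attributes):
            raise ValueError("malformed attribute at offset %d" % pos)
        attr_type = attributes[pos]
        body = attributes[pos + 2:pos + attr_len]
        pos += attr_len
        # Only a 12-byte VSA body can hold vendor ID + attribute ID + IPv4.
        if attr_type != VENDOR_SPECIFIC or len(body) != 12:
            continue
        vendor, attr_id = struct.unpack("!II", body[:8])
        if vendor == USR_VENDOR_ID and attr_id == IEA_NEXT_HOP:
            return str(ipaddress.IPv4Address(body[8:]))
    return None


# Constructed sample attribute list: Framed-Protocol = PPP (type 7, value 1)
# followed by the next hop VSA. Using 10.10.10.2 as the gateway is an
# assumption made for illustration.
SAMPLE = struct.pack("!BBI", 7, 6, 1) + encode_next_hop("10.10.10.2")

if __name__ == "__main__":
    print(SAMPLE.hex(), "->", find_next_hop(SAMPLE))
```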