RE: Customer-facing ACLs

That's the problem, isn't it? Who decides what can and can't go through. I think the tier approach is better: a basic user account where everything is blocked and a sysadmin-type account where everything is open. If the price is different enough, then only people who are going to use those extra ports will actually pay for it.

Scott Weeks wrote:

> We need to take this off-line. All long-timers are groaning, rolling their eyes and putting this in their kill file.

Are the long-timers groaning and ignoring this thread? I certainly hope not. It's threads like these that need the benefit of their experience the most. Perhaps the long-timers could recommend a better destination for queries like these, because I have more questions I want to ask (my next being about walled gardens). If they're tired of answering the same threads over and over again, then the query must be common enough to warrant a BCP or at the very least a couple of documents in a knowledgebase somewhere. Perhaps my Google-fu isn't what it used to be, but I couldn't manage to find any relevant docs online; not even a NANOG presentation.

> Try convincing your product managers to create a new product just to appease 'sysadmin types'.

We're not in the business of alienating any customers. If we can create a bundle that meets a group of potential customers' needs we will. It's just another paragraph on the sales literature that we give our CSRs and a little more work that I'll have to do in configuration. I'm planning on rolling out SOHO and Gamer packages this year. Adding a SysAdmin package wouldn't be much additional work. I predict the adoption rate to be the highest with the Gamer package, followed by the SOHO package and finally the SysAdmin package.

I hope this thread isn't destined for an untimely death. I've received a number of off-list queries for summary information because those individuals are also interested in customer-facing ACLs. The information I have to summarize at this point is brief and incomplete.

Justin

> Scott Weeks wrote:
>> We need to take this off-line. All long-timers are groaning, rolling
>> their eyes and putting this in their kill file.
>
> Are the long-timers groaning and ignoring this thread? I certainly hope
> not. It's threads like these that need the benefit of their experience
> the most. Perhaps the long-timers could recommend a better destination
> for queries like these, because I have more questions I want to ask (my
> next being about walled gardens). If they're tired of answering the
> same threads over and over again, then the query must be common enough
> to warrant a BCP or at the very least a couple of documents in a
> knowledgebase somewhere. Perhaps my Google-fu isn't what it used to be,
> but I couldn't manage to find any relevant docs online; not even a NANOG
> presentation.

*waves* hai, I'm not an old-timer, but I'm still peripherally involved in this.

As another poster pointed out, the access-list (and shaping! heh) rules
available via RADIUS Vendor AV extensions are very, very useful.
The little ISP I poke from time to time makes extensive use of them.

The accounting software has some rudimentary profile support, so there's
various "types" of customers which get certain RADIUS attributes. This allows
for "smart", "home", "business", and "adrian" users. Each gets different
ACLs and shaping rules. There's a "walled garden" subnet for clients who
haven't paid their bills.

I haven't yet sat down and figured out how to drop users into a VRF based
on something in the RADIUS reply, as this'd make for some very useful
VPN and walled garden implementations, but it's certainly on my todo list.
Right after "figure out IPv6", which is next on my list.

Those running larger Cisco bbagg setups aren't rolling the old-school
RADIUS authentication; Cisco apparently have some "better" stuff available now.
I can't comment on its effectiveness for accounting/authorisation/filtering.

>> Try convincing your product managers to create a new product just to
>> appease 'sysadmin types'.
>
> We're not in the business of alienating any customers. If we can create
> a bundle that meets a group of potential customers' needs we will. It's
> just another paragraph on the sales literature that we give our CSRs and
> a little more work that I'll have to do in configuration. I'm planning
> on rolling out SOHO and Gamer packages this year. Adding a SysAdmin
> package wouldn't be much additional work. I predict the adoption rate
> to be the highest with the Gamer package, followed by the SOHO package
> and finally the SysAdmin package.
>
> I hope this thread isn't destined for an untimely death. I've received
> a number of off-list queries for summary information because those
> individuals are also interested in customer-facing ACLs. The
> information I have to summarize at this point is brief and incomplete.

I'll update the NANOG Wiki with whatever information pops up.

Amusingly, a newish WISP out here in Western Australia seems to have
not implemented this sort of stuff, and wireless clients on the same
node can see other local customers. I think their CPE device is a "bridge",
and this is about as dangerous as it sounds. It would be nice to have
a BCP or presentation covering the hows and whys for the newer entrants
into this market.

(Although that said, why would you help them? In business, you may just
want (some of) your competitors to fail. :) )

Adrian
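As an added illustration of the tiered approach discussed above (the "basic versus sysadmin" idea earlier in the thread and Adrian's per-profile ACLs via RADIUS vendor attributes), here is a small Python model that is not code from any of the posters or from a vendor. It assumes the Cisco-AVPair per-user ACL form that IOS accepts in a RADIUS Access-Accept (`ip:inacl#<n>=<ace>` for packets arriving from the customer, `ip:outacl#<n>=<ace>` for packets sent to the customer); the tier names, the filtered port list, and the 192.0.2.0/24 portal subnet and 192.0.2.53 resolver are constructed values. It renders the reply attributes each tier would receive and evaluates a flow against a tier's list with first-match semantics and the implicit deny at the end, so the difference between the tiers (and the walled garden for unpaid accounts) can be checked rather than just described.

```python
"""Tiered customer ACLs delivered as RADIUS reply attributes.

Added illustration for this thread; not code from any poster or vendor.
Attribute syntax follows the Cisco-AVPair per-user ACL form that IOS
accepts from RADIUS ("ip:inacl#<n>=<ace>" for traffic arriving from the
customer, "ip:outacl#<n>=<ace>" for traffic sent to the customer).
Tier names, port lists and addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ace:
    """One access-control entry; the source is always 'any' in this model."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    dst: str = "any"             # "any" or a prefix such as "192.0.2.0/24"
    dport: Optional[int] = None  # destination port; None matches any port

    def matches(self, proto: str, dst_ip: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dst != "any" and ip_address(dst_ip) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True

    def cisco(self) -> str:
        """Render as an IOS extended-ACL entry (wildcard mask for a prefix)."""
        if self.dst == "any":
            dst = "any"
        else:
            net = ip_network(self.dst)
            dst = (f"host {net.network_address}" if net.prefixlen == 32
                   else f"{net.network_address} {net.hostmask}")
        port = f" eq {self.dport}" if self.dport is not None else ""
        return f"{self.action} {self.proto} any {dst}{port}"


PORTAL_NET = "192.0.2.0/24"   # constructed walled-garden (captive portal) subnet
RESOLVER = "192.0.2.53/32"    # constructed resolver reachable from the garden
PERMIT_ALL = [Ace("permit", "ip")]

# Inbound server ports a residential tier commonly filters; constructed policy.
BASIC_TO_CUSTOMER = (
    [Ace("deny", "tcp", dport=p) for p in (25, 135, 139, 445)]
    + [Ace("deny", "udp", dport=p) for p in (137, 138)]
    + PERMIT_ALL
)

TIERS: Dict[str, Dict[str, List[Ace]]] = {
    "basic": {"inacl": [Ace("deny", "tcp", dport=25)] + PERMIT_ALL,  # no direct-to-MX mail
              "outacl": BASIC_TO_CUSTOMER},
    "gamer": {"inacl": PERMIT_ALL,
              "outacl": [Ace("deny", "tcp", dport=25)] + PERMIT_ALL},
    "sysadmin": {"inacl": PERMIT_ALL, "outacl": PERMIT_ALL},
    # Unpaid account: the customer can reach only the resolver and the portal;
    # the implicit deny at the end of the list drops everything else.
    "walled": {"inacl": [Ace("permit", "udp", RESOLVER, 53),
                         Ace("permit", "ip", PORTAL_NET)],
               "outacl": PERMIT_ALL},
}


def reply_attributes(tier: str) -> List[str]:
    """Cisco-AVPair values to place in the Access-Accept for this tier."""
    attrs = []
    for direction in ("inacl", "outacl"):
        for n, ace in enumerate(TIERS[tier][direction], start=1):
            attrs.append(f"ip:{direction}#{n}={ace.cisco()}")
    return attrs


def allowed(tier: str, direction: str, proto: str, dst_ip: str,
            dport: Optional[int] = None) -> bool:
    """First-match evaluation with the implicit deny, as IOS applies an ACL."""
    for ace in TIERS[tier][direction]:
        if ace.matches(proto, dst_ip, dport):
            return ace.action == "permit"
    return False


if __name__ == "__main__":
    for tier in TIERS:
        print(f"--- {tier} ---")
        for attr in reply_attributes(tier):
            print(f'    Cisco-AVPair += "{attr}"')
```

Two practical notes on the design: the ACLs are stateless, so the walled-garden tier only restricts what the customer can originate (the `outacl` stays open so the portal's replies get back), and if the per-user lists grow long it is usually cleaner to keep the ACL text on the NAS and return only its name in the standard Filter-Id attribute rather than shipping every entry in each Access-Accept. Mapping a RADIUS reply to a VRF, which Adrian mentions as still on his list, is deliberately not modelled here.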