Thanks,
Ghassan
_______________________________________________
cisco-nsp mailing list cisc...@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
On Fri, 11 Nov 2011, Ghassan.khalil wrote:
> Dears,
> I have an ASR functioning as a LNS, the LNS is configured as a PE router as well.
> I need to assign certain users to their proper VRF through the AAA server as it should be applied on the virtual-access interface.
> So what is the av-pair syntax required to accomplish this and the configuration required from the ASR also.
I believe you would need something like:
cisco-avpair="lcp:interface-config=ip vrf forwarding VRFNAME"
google turns up this:
http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/scaling.html
Greetings
Christian
>
> Thanks,
> Ghassan
>
> _______________________________________________
> cisco-nsp mailing list cisc...@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
--
Christian Kratzer CK Software GmbH
Email: c...@cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer
the VRF itself as well as an "interface Loopback <n>" belonging to this
VRF need to be defined on the ASR, and you need to nable Radius
authorization (i.e. "aaa authorization network default group radius" or
something like this). You need to define a virtual-template (I guess you
already have one for your other users).
Then you can include the below attributes to assign the user(s) to the
VRF:
Cisco-Avpair = "ip:vrf-id=<vrf-name>",
Cisco-Avpair = "ip:ip-unnumbered=Loopback<n>",
There is also the Cisco-Avpair="lcp:interface-config=ip vrf forwarding
...\nip unnumbered ..." way of assigning vrf membership, but the former
is more effecient...
oli
You need to pass back some cisco-avpair attributes as part of RADIUS
authorisation:
cisco-avpair = "lcp:interface-config=ip vrf forwarding CUST1"
cisco-avpair = "lcp:interface-config=ip unnumbered loopback101"
The loopback101 interface (in this instance) also needs to be placed
in the CUST1 VRF. A different loopback would be required on the LNS
for each Customer VRF.
Cheers,
Matt
--
Matthew Melbourne
Ghassan
1 loopback per VRF.
-Dan
yes, as Daniel already mentioned. However you can assign the same IP
address to all 100+ loopbacks and don't need to burn addresses..
> It will not be a big problem as I also need to add an av-pair to those
100
> users from the AAA server as well.
not sure what you mean?
oli
Really thanks
Well, neither is the creation of the actual VRFs, so you will always
have to touch the LNS if you provision a new VRF.
Is there a preference these days to run with the virtual-access
sub-interface capable av-pairs:
Cisco-Avpair = "ip:vrf-id=<vrf-name>",
Cisco-Avpair = "ip:ip-unnumbered=Loopback<n>",
over the classical ones using "lcp:interface-config"?
What additional attributes are required for forward the session from
one non-PE LNS to another PE-capable LNS for certain customers?
Presumably it's a matter of sending back more av-pairs with additional
tunnel forwarding information?
Cheers,
Matt
--
Matthew Melbourne
_______________________________________________
Well, with the knob "aaa policy interface-config allow-subinterface", most "lcp:interface-config" commands will no longer force a full VAI, so you can still benefit from the higher sub-VAI scalability.
But even if you use this knob, "lcp:interface-config" can be a bit slower when it comes to bringing up the session, which can be a concern when you need to bring up lots of session within a short while.
So as long as you use the knob (or lcp:interface-config allow-subinterface=yes" in the profile), scalability is quite ok..
BTW: I also recall that new releases actually have this knob on per default.. It's been a while since I did radius/lns stuff :-}
> What additional attributes are required for forward the session from
> one non-PE LNS to another PE-capable LNS for certain customers?
> Presumably it's a matter of sending back more av-pairs with additional
> tunnel forwarding information?
indeed. For that to work, I would enable
vpdn multihop
vpdn authen-before-forward
! see [1] for the 2nd cmd
and then you can include
! if you use "," instead of "/", you can load-share across addresses instead of failing over.
Cisco-AVPair = "vpdn:ip-addresses=x.x.x.x/y.y.y.y ",
Cisco-AVPair = "vpdn:l2tp-tunnel-password=cisco",
Cisco-AVPair = "vpdn:tunnel-type=l2tp"
to forward the session to another LNS. You can also use IETF attributes (check http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/rad_attr.html).
oli
[1] http://www.cisco.com/en/US/tech/tk801/tk703/technologies_configuration_example09186a0080094860.shtml