[c-nsp] LNS av-pair vrf

[Ghassan.khalil]

Dears,
I have an ASR functioning as a LNS, the LNS is configured as a PE router as well.
I need to assign certain users to their proper VRF through the AAA server as it should be applied on the virtual-access interface.
So what is the av-pair syntax required to accomplish this and the configuration required from the ASR also.

Thanks,
Ghassan

_______________________________________________
cisco-nsp mailing list cisc...@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

[Christian Kratzer]

Hi,

On Fri, 11 Nov 2011, Ghassan.khalil wrote:

> Dears,
> I have an ASR functioning as a LNS, the LNS is configured as a PE router as well.
> I need to assign certain users to their proper VRF through the AAA server as it should be applied on the virtual-access interface.
> So what is the av-pair syntax required to accomplish this and the configuration required from the ASR also.

I believe you would need something like:

cisco-avpair="lcp:interface-config=ip vrf forwarding VRFNAME"

google turns up this:

http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/scaling.html

Greetings
Christian

>
> Thanks,
> Ghassan
>
> _______________________________________________
> cisco-nsp mailing list cisc...@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

--
Christian Kratzer CK Software GmbH
Email: c...@cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer

[Oliver Boehmer (oboehmer)]

> I have an ASR functioning as a LNS, the LNS is configured as a PE
router as
> well.
> I need to assign certain users to their proper VRF through the AAA
server as
> it should be applied on the virtual-access interface.
> So what is the av-pair syntax required to accomplish this and the
> configuration required from the ASR also.

the VRF itself as well as an "interface Loopback <n>" belonging to this
VRF need to be defined on the ASR, and you need to nable Radius
authorization (i.e. "aaa authorization network default group radius" or
something like this). You need to define a virtual-template (I guess you
already have one for your other users).
Then you can include the below attributes to assign the user(s) to the
VRF:

Cisco-Avpair = "ip:vrf-id=<vrf-name>",
Cisco-Avpair = "ip:ip-unnumbered=Loopback<n>",

There is also the Cisco-Avpair="lcp:interface-config=ip vrf forwarding
...\nip unnumbered ..." way of assigning vrf membership, but the former
is more effecient...

oli

[Matthew Melbourne]

On 11 November 2011 08:48, <cisco-ns...@puck.nether.net> wrote:
>
> Message: 4
> Date: Fri, 11 Nov 2011 10:04:51 +0200
> From: "Ghassan.khalil" <ghassan...@gmail.com>
> To: "cisc...@puck.nether.net" <cisc...@puck.nether.net>
> Subject: [c-nsp] LNS av-pair vrf
> Message-ID: <87362FEF-35E8-4030...@gmail.com>
> Content-Type: text/plain;       charset=us-ascii
>
> Dears,

> I have an ASR functioning as a LNS, the LNS is configured as a PE router as well.
> I need to assign certain users to their proper VRF through the AAA server as it should be applied on the virtual-access interface.
> So what is the av-pair syntax required to accomplish this and the configuration required from the ASR also.

You need to pass back some cisco-avpair attributes as part of RADIUS
authorisation:

cisco-avpair = "lcp:interface-config=ip vrf forwarding CUST1"
cisco-avpair = "lcp:interface-config=ip unnumbered loopback101"

The loopback101 interface (in this instance) also needs to be placed
in the CUST1 VRF. A different loopback would be required on the LNS
for each Customer VRF.

Cheers,

Matt

--
Matthew Melbourne

[Ghassan.khalil]

Thanks,
As it seems from all the feedbacks that we need to have a dedicated loopback for each customer as this loopback is configured with the certain VRF.
By this I will need to configure more than 100 loopbacks :) is this the only way ?
It will not be a big problem as I also need to add an av-pair to those 100 users from the AAA server as well.

Ghassan

[Daniel Hooper]

Ghassan,

1 loopback per VRF.

-Dan

[Oliver Boehmer (oboehmer)]

> Thanks,
> As it seems from all the feedbacks that we need to have a dedicated
loopback
> for each customer as this loopback is configured with the certain VRF.
> By this I will need to configure more than 100 loopbacks :) is this
the only
> way ?

yes, as Daniel already mentioned. However you can assign the same IP
address to all 100+ loopbacks and don't need to burn addresses..

> It will not be a big problem as I also need to add an av-pair to those
100
> users from the AAA server as well.

not sure what you mean?

oli

[Ghassan.khalil]

Thanks Oli Matthew and Daniel,
Oli what I meant with my last paragraph was that I though that all the configuration will be on the AAA side, and the creation of the new loopback interfaces was not in my calculations :).
Anyway I will give it a try within a couple of days and give you a feedback guys.

Really thanks

[Oliver Boehmer (oboehmer)]

> Oli what I meant with my last paragraph was that I though that all the
> configuration will be on the AAA side, and the creation of the new
loopback
> interfaces was not in my calculations :).

Well, neither is the creation of the actual VRFs, so you will always
have to touch the LNS if you provision a new VRF.

[Matthew Melbourne]

On 11 November 2011 14:41, <cisco-ns...@puck.nether.net> wrote:
>
> Message: 2
> Date: Fri, 11 Nov 2011 09:58:33 +0100
> From: "Oliver Boehmer (oboehmer)" <oboe...@cisco.com>
> To: "Ghassan.khalil" <ghassan...@gmail.com>,
>        <cisc...@puck.nether.net>
> Subject: Re: [c-nsp] LNS av-pair vrf
> Message-ID:
>        <6E4D2678AC543844917C...@XMB-AMS-103.cisco.com>
> Content-Type: text/plain;       charset="us-ascii"

>
>>
> the VRF itself as well as an "interface Loopback <n>" belonging to this
> VRF need to be defined on the ASR, and you need to nable Radius
> authorization (i.e. "aaa authorization network default group radius" or
> something like this). You need to define a virtual-template (I guess you
> already have one for your other users).
> Then you can include the below attributes to assign the user(s) to the
> VRF:
>
>       Cisco-Avpair = "ip:vrf-id=<vrf-name>",
>       Cisco-Avpair = "ip:ip-unnumbered=Loopback<n>",
>
> There is also the Cisco-Avpair="lcp:interface-config=ip vrf forwarding
> ...\nip unnumbered ..." way of assigning vrf membership, but the former
> is more effecient...

Is there a preference these days to run with the virtual-access
sub-interface capable av-pairs:

Cisco-Avpair = "ip:vrf-id=<vrf-name>",
Cisco-Avpair = "ip:ip-unnumbered=Loopback<n>",

over the classical ones using "lcp:interface-config"?

What additional attributes are required for forward the session from
one non-PE LNS to another PE-capable LNS for certain customers?
Presumably it's a matter of sending back more av-pairs with additional
tunnel forwarding information?

Cheers,

Matt

--
Matthew Melbourne

_______________________________________________

[Oliver Boehmer (oboehmer)]

> > Then you can include the below attributes to assign the user(s) to the
> > VRF:
> >
> >       Cisco-Avpair = "ip:vrf-id=<vrf-name>",
> >       Cisco-Avpair = "ip:ip-unnumbered=Loopback<n>",
> >
> > There is also the Cisco-Avpair="lcp:interface-config=ip vrf forwarding
> > ...\nip unnumbered ..." way of assigning vrf membership, but the former
> > is more effecient...
>
> Is there a preference these days to run with the virtual-access
> sub-interface capable av-pairs:
>
> Cisco-Avpair = "ip:vrf-id=<vrf-name>",
> Cisco-Avpair = "ip:ip-unnumbered=Loopback<n>",
>
> over the classical ones using "lcp:interface-config"?

Well, with the knob "aaa policy interface-config allow-subinterface", most "lcp:interface-config" commands will no longer force a full VAI, so you can still benefit from the higher sub-VAI scalability.
But even if you use this knob, "lcp:interface-config" can be a bit slower when it comes to bringing up the session, which can be a concern when you need to bring up lots of session within a short while.

So as long as you use the knob (or lcp:interface-config allow-subinterface=yes" in the profile), scalability is quite ok..
BTW: I also recall that new releases actually have this knob on per default.. It's been a while since I did radius/lns stuff :-}

> What additional attributes are required for forward the session from
> one non-PE LNS to another PE-capable LNS for certain customers?
> Presumably it's a matter of sending back more av-pairs with additional
> tunnel forwarding information?

indeed. For that to work, I would enable

vpdn multihop
vpdn authen-before-forward
! see [1] for the 2nd cmd

and then you can include

! if you use "," instead of "/", you can load-share across addresses instead of failing over.
Cisco-AVPair = "vpdn:ip-addresses=x.x.x.x/y.y.y.y ",
Cisco-AVPair = "vpdn:l2tp-tunnel-password=cisco",
Cisco-AVPair = "vpdn:tunnel-type=l2tp"

to forward the session to another LNS. You can also use IETF attributes (check http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/rad_attr.html).

oli

[1] http://www.cisco.com/en/US/tech/tk801/tk703/technologies_configuration_example09186a0080094860.shtml