09-19-2011 08:08 PM
Dear All,
I have some problems implementing per-session VRF for MPLS on ADSL/ADSL2 services.
We are an ISP; our LNS routers (Cisco ESR 10000) receive PPP sessions via L2TP tunnels from our infrastructure providers. Each ADSL/ADSL2 session is terminated on our LNS as a Virtual-access interface, which is copied from a virtual-template. This is a typical ISP setup.
I am trying to use Radius Attribute to assign different VRFs to different ADSL/ADSL2 virtual-access interfaces, so that they can be added to MPLS VPN.
I have tried a few different Radius Attributes after reading some documents online. But none of them worked. Here is what I have tried:
cisco-avpair = "lcp:interface-config#1=ip vrf forwarding TST\nip unnumbered loopback999"
Cisco-avpair = "ip:ip-vrf-id=TST",
Cisco-avpair = "ip:ip unnumbered=Loopback999"
cisco-avpair += "ip:vrf-id=TST"
cisco-avpair += "ip:ip-unnumbered=loopback999"
I am not sure if I need to do some config on the LNS routers or if there is something that needs to be done on the LACs.
Could anyone please help me with this problem?
It would be great if anyone can post a working radius config.
Thanks a lot in advance.
Jing
09-20-2011 02:57 AM
Dear Jing,
We use this config:
cpe-xxxxxx User-Password := "xxxx"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 172.y.y.y,
    Framed-IP-Netmask = 255.255.255.252,
    Cisco-AVPair = "lcp:interface-config#1=ip vrf forwarding CustA",
    Cisco-AVPair += "lcp:interface-config#2=ip address 172.x.x.x 255.255.255.252",
    Cisco-AVPair += "lcp:interface-config#3=rate-limit input 2048000 384000 512000 conform-action transmit exceed-action drop",
    Cisco-AVPair += "lcp:interface-config#4=rate-limit output 2048000 384000 512000 conform-action transmit exceed-action drop",
    Cisco-AVPair += "ip:route=1.0.0.0 255.255.255.0 172.y.y.y"
09-20-2011 06:20 AM
Dear Anazarenko
Thank you very much for your reply. It is really helpful.
I actually tried the following before I saw your reply today.
Cisco-AVPair = "lcp:interface-config#1=ip vrf forwarding CustA"
The virtual-access was successfully put into the specified VRF. But there was no IP address on the virtual-interface nor a /32 host route in the VRF routing table. I realised that it requires one more command to configure the IP address after I read your reply. However, I still have some questions.
Based on your config, I can see you use a /30 between the LNS router and the customer's CPE. But what we normally do is assign a /32 to the customer's CPE, and a /32 host route is injected into the routing table of the LNS router. Is that still possible? Would the following RADIUS config work?
Framed-IP-Address = 172.y.y.y,
Framed-IP-Netmask = 255.255.255.255,
Cisco-AVPair = "lcp:interface-config#1=ip vrf forwarding CustA",
Cisco-AVPair += "lcp:interface-config#2=ip address 172.y.y.y 255.255.255.255",
I will try this tomorrow anyway, and I will post what I find.
I read that using "lcp" is not the most efficient way, as it creates a separate virtual interface for every single session. The best way of doing this is using something like the following:
cisco-avpair += "ip:vrf-id=TST"
cisco-avpair += "ip:ip-unnumbered=loopback999"
Instead of creating a new interface, it creates a sub-interface, which saves router resources. Have you ever tried this way?
I actually did my testing on a 7204, not an ESR 10000. I assume it will work on the 10000 as well?
Thanks again for your reply.
Cheers
Jing
09-25-2011 09:58 PM
Dear All,
The following works on the 7204 and 7301, but not on the Cisco ESR 10000. It assigns a /32 to the CPE router, and it also injects a host route in the VRF routing table on the PE router.
Cisco-AVPair = "lcp:interface-config#1=ip vrf forwarding TST\nip unnumbered Loopback999"
Framed-IP-Address = "172.16.172.2"
I couldn't make it work on the ESR 10000. I am not sure if it is an IOS issue. We are running 12.2(31)SB11.
Does anyone know what needs to be done for the ESR 10000 to work?
Thanks a lot in advance.
Cheers
Jing
09-26-2011 06:13 AM
Dear Jing,
Have you tried the options described at http://www.cisco.com/en/US/docs/routers/10000/10008/configuration/guides/broadband/scaling.html#wp1082084 ?
The recommended cisco-avpairs are ip:vrf-id and ip:ip-unnumbered, as described at http://www.cisco.com/en/US/docs/routers/10000/10008/configuration/guides/broadband/scaling.html#wp1048836
Cheers, Gustavo
10-23-2011 03:30 PM
Dear All,
After opening a TAC case, we found the problem on the Cisco 10K with TAC's assistance.
The problem was that we had a route-map applied on the Virtual-template. The TAC support engineer found that "route-maps (PBR) and VRF can have issues interoperating and are not supported in some situations", and suggested removing it from the virtual-template.
We removed it and the problem was fixed.
PS: we don't really need that route-map.
Here is the radius config:
Cisco-AVPair += "lcp:interface-config#1=ip vrf forwarding TST"
Cisco-AVPair += "lcp:interface-config#2=ip unnumbered Loopback999"
Loopback999 is assigned to VRF TST.
Apply "aaa policy interface-config allow-subinterface" on the router to get the router to create a subinterface, which saves router memory.
Thanks a lot again for everyone's help.
Regards,
Jing
05-17-2017 01:25 AM
I use
cisco-avpair += "ip:vrf-id=TST"
cisco-avpair += "ip:ip-unnumbered=loopback999"
Works fine,
thanks
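A pre-deployment check for the per-session VRF entries discussed in this thread, as an added example that is not code from any poster or from Cisco. It flags a RADIUS entry that would leave a session in the VRF with no address (the symptom reported above), that configures the address before the VRF, or that assigns no VRF at all, so the subscriber would stay in the global routing table. The function names and finding labels are hypothetical. It assumes commands are applied in the order listed and that every entry checked is meant for a VPN customer.

```python
import re

# One Cisco-AVPair reply item as written in a RADIUS users-file entry.
AVPAIR = re.compile(r'cisco-avpair\s*(?:\+=|:=|=)\s*"([^"]*)"', re.I)
LCP = re.compile(r'lcp:interface-config(?:#\d+)?=(.*)', re.I)

def session_commands(entry):
    """Return (interface commands in listed order, dict of ip:* attributes)."""
    cmds, ip_attrs = [], {}
    for value in AVPAIR.findall(entry):
        m = LCP.match(value)
        if m:
            # One AV pair may carry several commands joined by a literal "\n".
            cmds += [c.strip().lower() for c in m.group(1).split('\\n')]
        elif value.lower().startswith('ip:') and '=' in value:
            key, val = value[3:].split('=', 1)
            ip_attrs[key.lower()] = val
    return cmds, ip_attrs

def lint_entry(entry):
    """Return a list of finding labels; an empty list means no finding."""
    cmds, ip_attrs = session_commands(entry)
    vrf = [i for i, c in enumerate(cmds) if c.startswith('ip vrf forwarding ')]
    addr = [i for i, c in enumerate(cmds)
            if c.startswith(('ip address ', 'ip unnumbered '))]
    findings = []
    if vrf and not addr:
        # Session lands in the VRF but gets no address and no host route.
        findings.append('vrf-without-address')
    elif vrf and min(addr) < vrf[0]:
        # IOS removes an interface's IP configuration when a VRF is applied.
        findings.append('address-before-vrf')
    if 'vrf-id' in ip_attrs and 'ip-unnumbered' not in ip_attrs:
        # The thread uses ip:vrf-id together with ip:ip-unnumbered.
        findings.append('vrf-id-without-ip-unnumbered')
    if not vrf and 'vrf-id' not in ip_attrs:
        findings.append('no-vrf')  # session stays in the global table
    return findings

# Entries taken from the thread, plus two constructed ones (marked).
SAMPLES = {
    'vrf_only': r'Cisco-AVPair = "lcp:interface-config#1=ip vrf forwarding CustA"',
    'lcp_pair': r'Cisco-AVPair += "lcp:interface-config#1=ip vrf forwarding TST",'
                r' Cisco-AVPair += "lcp:interface-config#2=ip unnumbered Loopback999"',
    'one_pair': r'Cisco-AVPair = "lcp:interface-config#1=ip vrf forwarding TST\nip unnumbered Loopback999"',
    'ip_form': r'cisco-avpair += "ip:vrf-id=TST", cisco-avpair += "ip:ip-unnumbered=loopback999"',
    'reversed': r'Cisco-AVPair = "lcp:interface-config#1=ip unnumbered Loopback999\nip vrf forwarding TST"',  # constructed
    'no_vrf': r'Framed-IP-Address = 172.16.172.2',  # constructed
}

if __name__ == '__main__':
    for name, entry in SAMPLES.items():
        print(name, lint_entry(entry) or 'ok')
```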