cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13123
Views
0
Helpful
6
Replies
jingt0829
Beginner

Per-session VRF for MPLS VPN using Radius Attribute

Dear All,

I have some problems on implementing per-session VRF for MPLS on ADSL/ADSL2 services.

We are ISP, our LNS routers (Cisco ESR 10000) receive PPP  sessions via L2TP tunnels from our infrastructure providers. Each  ADSL/ADSL2 session is terminated on our LNS as Virtual-access interface  which is copied from a virtual-template. This is typical ISP setup.

I am trying to use Radius Attribute to assign  different VRFs to different ADSL/ADSL2 virtual-access interfaces, so that  they can be added to MPLS VPN.

I have tried a few different  Radius Attributes after reading some documents online. But none of them  worked. Here is what I have tried:

cisco-avpair = "lcp:interface-config#1=ip vrf forwarding TST\nip unnumbered loopback999"

Cisco-avpair = "ip:ip-vrf-id=TST",

Cisco-avpair = "ip:ip unnumbered=Loopback999"

cisco-avpair += "ip:vrf-id=TST"

cisco-avpair += "ip:ip-unnumbered=loopback999"

I am not sure if I need to do some config on the LNS routers or if there is something needs to be done on LACs.

Could anyone please help me with this problem?

It would be great if anyone can post a working radius config.

Thanks a lot in advance.

Jing

1 ACCEPTED SOLUTION

Accepted Solutions

6 REPLIES 6
anazarenko
Beginner

Dear Jing,

We use this config:

cpe-xxxxxx User-Password :=  "xxxx"                                                                                                                

        Service-Type = Framed-User,                                                                                                                      

        Framed-Protocol = PPP,                                                                                                                           

        Framed-IP-Address = 172.y.y.y,                                                                                                                

        Framed-IP-Netmask = 255.255.255.252,                                                                                                             

        Cisco-AVPair = "lcp:interface-config#1=ip vrf forwarding CustA",                                                                                   

        Cisco-AVPair += "lcp:interface-config#2=ip address 172.x.x.x 255.255.255.252",                                                                

        Cisco-AVPair += "lcp:interface-config#3=rate-limit input 2048000 384000 512000 conform-action transmit exceed-action drop",                      

        Cisco-AVPair += "lcp:interface-config#4=rate-limit output 2048000 384000 512000 conform-action transmit exceed-action drop",

        Cisco-AVPair += "ip:route=1.0.0.0 255.255.255.0 172.y.y.y"

Dear Anazarenko

Thank you very much for your reply. It is really helpful.

I actually tried the following before I see your reply today.

Cisco-AVPair = "lcp:interface-config#1=ip vrf forwarding CustA"

The virtual-access was successfully put into the specified VRF. But  there was no IP address on the virtual-interface nor a /32 host route in  the VRF routing table. I realised that it requires one more command to  configure the IP address after I read your reply. However, I still have  some questions.

Base on your config, I can see you use a /30 between the LNS router and  customer's CPE. But, what we normally do is assign a /32 to the  customer's CPE, and a /32 host route is injected into the routing table  of LNS router. Is that still possible, would the following  radius config work?

Framed-IP-Address = 172.y.y.y,

Framed-IP-Netmask = 255.255.255.255,

Cisco-AVPair = "lcp:interface-config#1=ip vrf forwarding CustA",

Cisco-AVPair += "lcp:interface-config#2=ip address 172.y.y.y 255.255.255.255",

I will try this tomorrow anyway, and I will post what I find.

I read something about using "lcp" is not the most efficient way, as it  creates a separate virtual interface for every single session. The best  way of doing this is using something like the following

cisco-avpair += "ip:vrf-id=TST"

cisco-avpair += "ip:ip-unnumbered=loopback999"

In stead of creating new interface, it creates a sub-interface, which saves router resource. Have you ever tried this way?

I actually did my testing on a 7204, not ESR 10000, I assume it will work on 10000 as well?

Thanks again for your reply.

Cheers

Jing

Dear All,

The following works on 7204 and 7301, but not on Cisco ESR 10000. It assigns /32 to CPE router, it also injects host route in the VRF routing table on PE router.

Cisco-AVPair = "lcp:interface-config#1=ip vrf forwarding TST\nip unnumbered Loopback999"

Framed-IP-Address = "172.16.172.2"

I couldn't make it working on ESR 10000, I am not sure if it is an IOS issue. We are running 12.2(31)SB11.

Does anyone know what need to do for ESR 10000 to be working?

Thanks a lot in advance.

Cheers

Jing

Dear Jing,

Have you tried the options described at http://www.cisco.com/en/US/docs/routers/10000/10008/configuration/guides/broadband/scaling.html#wp1082084 ?

The recommended cisco-avpairs are ip:vrf-id and ip:ip-unnumbered, as described at http://www.cisco.com/en/US/docs/routers/10000/10008/configuration/guides/broadband/scaling.html#wp1048836

Cheers, Gustavo

Dear All,

After opening a TAC case, we found the problem on Cisco 10K by having TAC assistant.

The problem was that we had route-map applied on the Virtual-template. TAC support engineer found that "route-maps (PBR)         and VRF can have issues interoperating and are not supported in         some situations", and suggested removing it from the virtual-template.

We removed it and problem fixed.

PS: we don't really need that route-map.

Here is the radius config:

Cisco-AVPair += "lcp:interface-config#1=ip vrf forwarding TST"

Cisco-AVPair += "lcp:interface-config#2=ip unnumbered Loopback999"

Loopback999 is assigned to VRF TST.

Apply "aaa policy interface-config allow-subinterface" on the router to  get the router to create subinterface, which saves router memory.

Thanks a lot again for everyone's help.

Regards,

Jing

i use 

cisco-avpair += "ip:vrf-id=TST"

cisco-avpair += "ip:ip-unnumbered=loopback999"

work find, 

thanks