How to control bandwidth profiles with PPPoE+radius and Cisco 7604 SIP-400/2xGE SPA

LinuxHandyman
Level 1

Hi,

We have created a test environment with a Cisco 7604 with SIP-400 and 2xGE SPA authenticating against freeradius with radius. Customer routers are authenticating with PAP over PPPoE.

So far everything is working perfectly, the only thing I can't figure out is how to control bandwidth based on customer subscription with radius attributes.

I have searched the internet for hours but I can't find a clue to start with.

Probably we have to create policy maps for each bandwidth we want to subscribe, and give a user or group in radius some attributes.

Some additional info which might be useful to point us the right way.

We are a small ISP serving 400 SMB customers public IPv4 addresses over VLANs with a /30 subnet, so 4 IP addresses from our RIPE space for each customer. Now you might know why we want to switch to PPPoE. xDSL is currently out of scope but might also be right around the corner (we control our network, not our management team :)

Please feel free to ask for some more details or to point us in a completely different direction; it's just a PoC we are creating.

Accepted Solutions

Francesco Molino
VIP Alumni

Hi

I guess your PoC is based on PPPoE with virtual templates and not PPPoEoA or PPPoEoVLAN, right?

I'm asking because you can do the same on all of them, but the radius attribute and/or syntax changes.

For PPPoE, you need to:

- create your policy-map locally on the router

- add the following Cisco av-pair attribute (26) on your user profile:

cisco-avpair = "sub-qos-policy-in/out=policy-name"

Hope that helps, otherwise let me know.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question.


Hi Francesco,

Yes, Virtual-Template. I started googling last Monday and piece by piece built up a PPPoE environment. Currently ATM is out of scope, but what would be the advantage or disadvantage of using PPPoEoVLAN? I've been reading about it but didn't find any pointers on how to configure it.

This attribute did the trick, though I had already tried it but maybe had a typo in the operator column in mysql.

cisco-avpair = "sub-qos-policy-in/out=policy-name"

Current config of the 7604 so far:

|-SNIP
aaa group server radius RADIUS_SERVER
 server 10.10.10.10 auth-port 1645 acct-port 1646
!
aaa authentication ppp CPE_USER group RADIUS_SERVER
aaa authorization network default group RADIUS_SERVER
!

|-SNIP

policy-map 50Mb
  class class-default
    shape average 50000000
policy-map 10Mb
  class class-default
    shape average 10000000
policy-map 50Mb-upload
  class class-default
    police cir 50000000
     exceed-action drop
policy-map 20Mb
  class class-default
    shape average 20000000
policy-map 20Mb-upload
  class class-default
    police cir 20000000
     exceed-action drop
policy-map 10Mb-upload
  class class-default
    police cir 10000000
     exceed-action drop
!
bba-group pppoe Anyinternet
 virtual-template 1
 sessions per-mac limit 2
!
interface Loopback0
 ip address 200.200.200.200 255.255.255.255
!
interface GigabitEthernet1/1
 no ip address
 shutdown
!
interface GigabitEthernet1/2
 ip address 192.168.253.10 255.255.255.0
 media-type rj45
!
interface GigabitEthernet3/0/0
 description SIP-400-Port0
 no ip address
 negotiation auto
 pppoe enable group Anyinternet
!
interface GigabitEthernet3/0/1
 no ip address
 shutdown
 speed 1000
 negotiation auto
!
interface Virtual-Template1
 ip unnumbered Loopback0
 no peer default ip address
 ppp authentication pap CPE_USER
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 200
 log-adjacency-changes
 redistribute connected subnets
 network 192.168.0.0 0.0.0.255 area 200
 network 192.168.253.0 0.0.0.255 area 0
 network 200.200.200.200 0.0.0.0 area 200
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.253.254
!
ip radius source-interface GigabitEthernet1/2
!
snmp-server community public RO
!
radius-server host 10.10.10.10 auth-port 1645 acct-port 1646 key testrouter
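
The setup discussed above depends on every `sub-qos-policy-in/out` value in RADIUS naming a policy-map that exists on the router, and on the operator column letting both AV pairs through. The following audit script is an added example, not code from any poster or from Cisco or FreeRADIUS. It assumes reply rows laid out as in the FreeRADIUS SQL `radreply` table (username, attribute, op, value), and its inbound-shaping check assumes that `-in` is traffic arriving from the subscriber and that shaping applies only outbound; the function names and sample data are constructed.

```python
import re
# Constructed samples: policy-maps as in the thread's config, radreply-style rows.
IOS_CONFIG = """\
policy-map 50Mb
  class class-default
    shape average 50000000
policy-map 50Mb-upload
  class class-default
    police cir 50000000
     exceed-action drop
"""
RADREPLY = [
    ("cust-a", "Cisco-AVPair", "=",  "sub-qos-policy-out=50Mb"),
    ("cust-a", "Cisco-AVPair", "+=", "sub-qos-policy-in=50Mb-upload"),
    ("cust-b", "Cisco-AVPair", "=",  "sub-qos-policy-out=50Mb"),
    ("cust-b", "Cisco-AVPair", "=",  "sub-qos-policy-in=50Mb-uplaod"),
    ("cust-c", "Cisco-AVPair", "+=", "sub-qos-policy-in=50Mb"),
]

def parse_policy_maps(config):
    """Return {policy-map name: set of actions (shape/police) it contains}."""
    maps, current = {}, None
    for line in config.splitlines():
        m = re.match(r"policy-map\s+(\S+)", line)
        if m:
            current = maps.setdefault(m.group(1), set())
        elif current is not None and (a := re.match(r"\s+(shape|police)\b", line)):
            current.add(a.group(1))
    return maps

def audit(rows, maps):
    """Return sorted (username, finding) pairs for replies that will not apply as intended."""
    findings, seen = set(), set()
    for user, attr, op, value in rows:
        if attr.lower() != "cisco-avpair":
            continue
        # A later Cisco-AVPair with '=' is skipped and ':=' replaces the first one.
        if user in seen and op != "+=":
            findings.add((user, "second Cisco-AVPair not added with +="))
        seen.add(user)
        m = re.fullmatch(r"sub-qos-policy-(in|out)=(\S+)", value)
        if m is None:
            continue
        direction, name = m.groups()
        if name not in maps:
            findings.add((user, f"unknown policy-map {name}"))
        # Assumption: '-in' is traffic from the subscriber; shaping is outbound-only.
        elif direction == "in" and "shape" in maps[name]:
            findings.add((user, f"shaping policy {name} attached inbound"))
    return sorted(findings)
```

Run it with the router's running config and an export of the reply table before changing subscriber profiles; an empty result means every referenced policy exists and is attached in a usable direction under the stated assumptions.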

Hi

Happy that worked!

You can find some links on Cisco.

Here's one for PPPoEoVLAN:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/12-4/bba-12-4-book/bba-ppoe-vlan-enh.pdf

There are some restrictions compared to PPPoE, but some of the restrictions have been enhanced.

One of the biggest advantages was to connect multiple clients to the same interface and make policies based on the dot1q tag. This means you were able to shape the bandwidth of your physical interface and give the right bandwidth to different clients instead of sharing this global bandwidth.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


Hello Forum,

I'm currently setting up a PPPOE server (ASR1001-X) with Freeradius.
On the ASR 1001-X, the clients already connect successfully, but I have the problem that the bandwidth limitation does not work properly.

Currently I have made the following entry on the ASR 1001-X:

policy-map 50Mb-download
  class class-default
    shape average 50000000

policy-map 10Mb-upload
  class class-default
    police cir 10000000
     exceed-action drop

In radius I have created the following entries:

cisco-avpair += sub-qos-policy-in=50Mb-download

cisco-avpair += sub-qos-policy-out=10Mb-upload

What works is the download with about 50 Mb but the upload is always 0 Mb if I do a speed test.

Do you have an idea what I'm doing wrong?
Please Help.