12-11-2014 12:22 AM - edited 03-01-2019 02:50 PM
Hi,
I'm setting up an ASR1002 router as an LNS and investigating how I can configure Zero Rate (ZR) and Rate Throttling including Zero-Throttling (ZT) for RADIUS/CoA support.
On the larger ASR9K platform, the "dynamic-template" can be used to achieve this:
For Example:
dynamic-template
type service s1
service-policy input i1 merge 2
service-policy output o1 merge 2
The above "dynamic-template" parameter doesn't appear to be available on the ASR1002 as opposed to the ASR9K:
ASR9K:
RP/0/RSP0/CPU0:test(config)#?
aaa Authentication, Authorization and Accounting
abort Abort this configuration session
address-family AFI/SAFI configuration
address-pool IP Local address pool lists
alias Create an alias for entity
ancp Access Node Control Protocol
apply-group Apply configuration from a group
apply-template Apply configuration from a template
aps Configure SONET Automatic Protection Switching (APS)
arp Global ARP configuration
as-format Autonomous system number format
as-path-set Define an AS-path set
banner Define a login banner
bfd Global BFD configuration commands
call-home Enter call-home configuration mode
cdp Enable CDP, or configure global CDP subcommands
cef CEF related commands
cem Configure CEM parameters
cinetd Global Cisco inetd configuration commands
class-map Configure a class-map
clear Clear the uncommitted configuration
clock Configure time-of-day clock
clock-interface Clock interface configuration commands
commit Commit the configuration changes via pseudo-atomic operation
community-set Define a community set
configuration Configuration related settings
control-plane Configure Control Plane
controller Controller configuration subcommands
crypto Global Crypto configuration command
dbgtrace Global Ucode Debug Trace(cisco-support)
describe Describe a command without taking real actions
dhcp Dynamic Host Configuration Protocol
display Configure QoS display options
do Run an exec command
domain Domain service related commands
dynamic-template Dynamically Applied Configuration Template Definition
end Exit from configure mode
error-disable Configure error-disable
ethernet Ethernet configuration commands
ethernet-services Ethernet related services
event Event related commands
--More--
RP/0/RSP0/CPU0:test(config)#
=====
ASR1002: (LNS)
LNS(config)#?
Configure commands:
aaa Authentication, Authorization and Accounting.
access-list Add an access list entry
accounting Policy accounting feature
alias Create command alias
alps Configure Airline Protocol Support
ancp Configure ANCP
appfw Configure the Application Firewall policy
application Define application
archive Archive the configuration
arp Set a static ARP entry
async-bootp Modify system bootp parameters
auto Configure Automation
banner Define a login banner
bba-group Configure BBA Group
beep Configure BEEP (Blocks Extensible Exchange Protocol)
bfd BFD configuration commands
bfd-template BFD template configuration
boot Modify system boot parameters
bridge Bridge Group.
bridge-domain Bridge-domain global configuration commands
bstun BSTUN global configuration commands
buffers Adjust system buffer pool parameters
busy-message Display message when connection to host fails
call Configure Call parameters
call-home Enter call-home configuration mode
cdp Global CDP configuration subcommands
cef Cisco Express Forwarding
chat-script Define a modem chat script
class Configure cem class parameters
class-map Configure CPL Class Map
clns Global CLNS configuration subcommands
clock Configure time-of-day clock
cns CNS agents
config-register Define the configuration register
configuration Configuration access
connect cross-connect two interfaces
control-plane Configure control plane services
cops Common Open Policy Service (COPS)
crypto Encryption module
cts Cisco Trusted Security commands
default Set a command to its defaults
default-value Default character-bits values
define interface range macro definition
device-sensor IOS Sensor Commands
diagnostic Configure diagnostic information
dial-control-mib Define Dial Control Mib parameters
dial-peer Dial Map (Peer) configuration commands
dialer Dialer commands
dialer-list Create a dialer list entry
dnsix-dmdp Provide DMDP service for DNSIX
dnsix-nat Provide DNSIX service for audit trails
do-exec To run exec commands in config mode
downward-compatible-config Generate a configuration compatible with older software
dspfarm Enable the dspfarm service
dspu DownStream Physical Unit Command
eap EAP Global Configuration Commands
enable Modify enable password parameters
end Exit from configure mode
esmc Ethernet Synchronization Messaging Channel
ethernet Ethernet configuration
event Event related configuration commands
exception Exception handling
exit Exit from configure mode
facility-alarm Configure facility alarms
file Adjust file system parameters
flow Global Flow configuration subcommands
flow-sampler-map Flow sampler configuration
format Format the output
frame-relay global frame relay configuration commands
gateway Gateway
glbp Global GLBP configuration commands
global-address-family Enter address-family base routing topology mode
gw-accounting Enable voip gateway accounting.
help Description of the interactive help system
hostname Set system's network name
http HTTP Config
hw-module Control of individual components in the system
ingress-class-map Ingress Classification Class-map
interface Select an interface to configure
ip Global IP configuration subcommands
ipc Configure IPC system
ipv6 Global IPv6 configuration commands
isis Global ISIS configuration subcommands
issu ISSU config commands
ivr ivr utility command
kerberos Configure Kerberos
key Key management
kron Kron interval Facility
l2 Layer 2 configuration
l2tp Layer 2 Tunneling Protocol (L2TP) parameters
l2tp-class l2tp-class configuration
l2vpn Layer2 VPN commands
l3vpn l3vpn encapsulation ip commands
lacp LACP configuration
li-view LI View
license Configure license features
line Configure a terminal line
lnm IBM Lan Manager
load Load Protocol
locaddr-priority-list Establish queueing priorities based on LU address
location Global location configuration commands
logging Modify message logging facilities
login Enable secure login checking
login-string Define a host-specific login string
mac Global MAC configuration subcommands
map-class Configure static map class
map-list Configure static map list
media Global media configuration
memory Configure memory management
menu Define a user-interface menu
modemcap Modem Capabilities database
monitor Monitoring different system events
mpls Configure MPLS parameters
mrcp MRCP(Real Time Streaming Protocol) configuration
multilink PPP multilink global configuration
mvr Enable/Disable MVR on the switch
nat64 NAT64 configuration commands
ncia Native Client Interface Architecture
netbios NETBIOS access control filtering
netconf Configure NETCONF
network-clock Network clock config commands
nmsp NMSP configuration commands
no Negate a command or set its defaults
ntp Configure NTP
num-exp Dial Map Number Expansion configuration commands
object-group Configure ACL Object Group
otv Configure OTV information
parameter-map parameter map
parser Configure parser
password Configure encryption password (key)
per-call Per call debug
pfr Performance Routing configuration submodes
pfr-map Create pfr-map and enter pfr-map command mode
platform platform specific configuration
policy-map Configure Policy Map
policy-peer External Policy Delegation(EPD) peer parameters
port-channel EtherChannel configuration
ppp PPP global configuration
privilege Command privilege parameters
process Configure process
process-max-time Maximum time for process to run before voluntarily relinquishing processor
prompt Set system's prompt
pseudowire-class Pseudowire-class configuration
pseudowire-static-oam Static PW OAM configuration
qos Global QoS configuration subcommands
radius RADIUS server configuration command
radius-server Modify RADIUS query parameters
rbe Commands for Routing RFC 1483 Ethernet encapsulated packets
recovered-clock Clock recovery configuration commands
redirect Configure L4 redirect parameters
redundancy Enter redundancy mode
regexp regexp commands
resource Configure Embedded Resource Manager (ERM)
resource-group Configure Resource Group settings
resume-string Define a host-specific resume string
rif Source-route RIF cache
rlogin Rlogin configuration commands
rmon Remote Monitoring
route-map Create route-map or enter route-map command mode
route-tag Route Tag
router Enable a routing process
rsrb RSRB LSAP/DSAP filtering
rtsp RTSP(Real Time Streaming Protocol) configuration
sampler Define a Sampler
sap-priority-list Establish queueing priorities based on SAP and/or MAC address(es)
sasl Configure SASL
sbc Session Border Controller
sccp Enable Skinny Client Control Protocol
scheduler Scheduler parameters
scripting Configure options for scripting languages
security Infra Security CLIs
service Modify use of network based services
service-policy Configure service-policy
service-routing Configure service-routing
shell Configure shell command
sip-ua SIP User Agent (UA)
sna Network Management Physical Unit Command
snmp Modify non engine SNMP parameters
snmp-server Modify SNMP engine parameters
source-bridge Source-route bridging ring groups
spanning-tree Spanning Tree Subsystem
stacks Configure stacks
standby Global HSRP configuration commands
state-machine Define a TCP dispatch state machine
static-ipfrr Config static ip fast rerouting rules
stun STUN global configuration commands
subscriber Subscriber configuration
subscriber-policy Subscriber policy
subscription ASNL based Subscriptions configuration
tacacs TACACS server configuration command
tacacs-server Modify TACACS query parameters
template Select a template to configure
terminal-queue Terminal queue commands
tftp-server Provide TFTP service for netload requests
time-range Define time range entries
track Object tracking configuration commands
translate Translate global configuration commands
translation-rule Global digit manipulation and translation
transport Configure transport
transport-map Configure transport map
upgrade Global upgrade configuration subcommands
username Establish User Name Authentication
virtual-profile Virtual Profile configuration
virtual-template Virtual Template configuration
vlan VLAN configuration commands
voice Global voice configuration
voice-card Configure a specific voice-card
voicecap Add a voicecap entry
voip-incoming Global incoming VoIP configuration
vpdn Virtual Private Dialup Network
vpdn-group VPDN group configuration
vpdn-template vpdn-template configuration
vrf VRF commands
vrrp Global VRRP configuration commands
vrrs vrrs global command
vty-async Enable virtual async line configuration
wsma Configure Web Services Management Agents
x25 X.25 Level 3
x29 X29 commands
xconnect Xconnect config commands
xdr Configure XDR parameters
zone FW with zoning
zone-pair Zone pair command
LNS(config)#
Am I using the correct s/ware release on the LNS?
If the "dynamic-template" is not supported on the ASR1002, is there another configuration method to provide the same RADIUS support for ZR/ZT etc?
The LNS is currently running the following s/w release:
==========================================================================================
LNS#sh ver (snippets)
Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1)
IOS XE Version: 03.07.05.S
ROM: IOS-XE ROMMON
System image file is "bootflash:asr1002x-universalk9.03.07.05.S.152-4.S5.SPA.bin"
License Level: advipservices
License Type: Permanent
Next reload license Level: advipservices
============================================================================================
Any thoughts or pointers would be greatly appreciated.
Thanking you in advance.
Regards,
Dronic
12-11-2014 04:09 AM
Hi Dronic,
Dynamic-template is a concept particular to IOS-XR BNG. There is no such thing on IOS/IOS-XE.
From a PPPoE perspective, the equivalent for that is the virtual-template interface. Under that interface you configure IP/PPP related commands and some other things similar to what you do with a dynamic-template type ppp in IOS-XR.
In IOS/IOS-XE, you need to use policy-map type service in order to define a service.
You can check ISG documentation for more details on that: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-3s/isg-xe-3s-book/isg-subscr-svcs.html
Regards
12-12-2014 04:06 PM
Hi Manuel,
Firstly, thank you for your reply and the clarification re the "dynamic templates" being only XR BNG related.
Yes I already had a "virtual-template" interface configured in association with a "vpdn-group" definition for terminating the L2TP tunnel from the LAC (which in my test scenario is a BNG!).
Both share the same basic modular QoS structure as in:
Policy Map
> Class Map
> ACL
and the policy maps can then be applied to the "dynamic-template" on the BNG and "virtual-template" (interface) for the ASR1K LNS.
However, I cannot find any compatible "merge" cmd in association with the ASR1K IOS-XE (perhaps there is and it is not intuitive?)
dynamic-template
type service s1
service-policy input i1 merge 2
service-policy output o1 merge 2
Any further thoughts on the "merge" functionality or potential work around for IOS-XE?
Thanking you in advance.
Regards,
Dronic
12-12-2014 10:50 PM
Hi Dronic,
Merge functionality is available on IOS-XR only as well.
Regards.
12-15-2014 10:02 PM
Hi Manuel,
How does one "link" the received RADIUS attribute
ie “subscriber:sa=SERVICE-POLICY-NAME”
to the LNS configuration?
Let me explain further..................
The ASR1002 is the LNS and the LAC is a BNG. An L2TP tunnel is established upon a User session request (local RADIUS server provides the L2TP tunnel end points), and the final PPP authentication is performed by the remote RADIUS server via the L2TP tunnel.
This is shown by the following config snippets:
=======================================
## VPDN GROUP (L2TP Tunnel) ##
!
vpdn-group 1
description for L2TP Testing with BNG (LAC)
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname BNGLAC
source-ip 10.x.x.x
local name l2tp-lns
l2tp tunnel password 7 0209144F1E15
l2tp tunnel timeout no-session never
!
!
## Virtual-template (applied to all PPPoE User Sessions) ##
!
!
interface Virtual-Template1
description Authenication using Radius Testing
mtu 1492
ip unnumbered Loopback2
peer default ip address pool LNS-TEST-INTERNET
no keepalive
ppp authentication pap chap AUTH-SVR
ppp authorization AUTH-SVR
ppp accounting ACCT-SVR
!
Once authentication is successful, the RADIUS server will push out service policies which match defined "policy-map type service xxxx" definitions on the LNS.
What I do not understand is how the LNS will match the RADIUS received request:
subscriber:sa=DSL-64K-ZERO-RATED
to the configured "policy-map type service..."
!
policy-map type service DSL-64K-ZERO-RATED
sg-service-type primary
service-policy input DSL-64K-ZERO-RATED-UP-P
service-policy output DSL-64K-ZERO-RATED-DN-P
!
policy-map type service DSL-64K-RATED
sg-service-type secondary
service-policy input DSL-64K-RATED-UP-P
service-policy output DSL-64K-RATED-DN-P
!
Is there something required to be configured (ie service policy type control?) under the interface virtual-template 1 to "link" the received RADIUS request to the matching defined service policies?
Any hints would be appreciated.
Thanking you in advance.
Kind Regards
Dronic
12-15-2014 11:39 PM
Hi Dronic,
The LNS will match the services based on the "aaa authorization subscriber-service".
If you configure 'local' as the method on that AAA list, the LNS will authorize (learn the service profile) from the local definition (CLI). You can also use radius and download the service definition from a radius server.
Check the command reference for more details: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/command/isg-cr-book/isg_a1.html#wp2043320864
Regards
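A consistency check for the lookup described in the answer above, added here as an example (it is not from the thread or from Cisco): it reads an LNS config, finds the "aaa authorization subscriber-service" method list and the "policy-map type service" names, and reports where each service name pushed by RADIUS would have to be defined. The function names, the "default local group radius" method list, the DSL-2M-RATED service name and the sample AVPairs are assumptions constructed for illustration; the "subscriber:sa=" form is taken as quoted in the question.

```python
import re

# Constructed sample: config assembled from this thread's snippets, plus an
# assumed method list for the AAA command named in the answer.
SAMPLE_CONFIG = """\
aaa authorization subscriber-service default local group radius
!
policy-map type service DSL-64K-ZERO-RATED
 sg-service-type primary
 service-policy input DSL-64K-ZERO-RATED-UP-P
 service-policy output DSL-64K-ZERO-RATED-DN-P
!
policy-map type service DSL-64K-RATED
 sg-service-type secondary
"""

# Constructed sample: AVPairs as they might arrive from the RADIUS server.
SAMPLE_AVPAIRS = [
    "subscriber:sa=DSL-64K-ZERO-RATED",
    "subscriber:sa=DSL-2M-RATED",       # constructed name, no local definition
    "ip:addr-pool=LNS-TEST-INTERNET",   # not a service activation, ignored
]

def parse_lns_config(text):
    """Return (subscriber-service method list, locally defined service names)."""
    methods, services = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"aaa authorization subscriber-service \S+ (.+)", line)
        if m:
            methods = m.group(1).split()
        m = re.match(r"policy-map type service (\S+)", line)
        if m:
            services.add(m.group(1))
    return methods, services

def check_services(config_text, avpairs, prefix="subscriber:sa="):
    """Map each pushed service name to where its definition would come from."""
    methods, services = parse_lns_config(config_text)
    report = {}
    for av in avpairs:
        if not av.startswith(prefix):
            continue
        name = av[len(prefix):]
        if "local" in methods and name in services:
            report[name] = "local"            # CLI definition, local method enabled
        elif "group" in methods:
            report[name] = "radius-download"  # must exist on the server
        else:
            report[name] = "unresolved"       # nothing can supply the definition
    return report
```

A "radius-download" result only says the name has no usable local definition; whether the server actually holds that service profile cannot be checked from the config alone.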