[cisco-bba] feature or bug?
Félix Izquierdo
fizquierdo at l3consulting.com
Wed Feb 11 06:18:30 EST 2004
It's the traditional behaviour with vaccess cloned from vtemplates. If
you change the vtemplate configuration, the change is applied to all the
vaccess cloned from this vtemplate, also overriding any per-user AAA
configuration. The vaccess mechanism has some side effects like this. The
best approach is to keep the vtemplate configuration minimal and
non-conflicting with the RADIUS profiles.
I've experienced a similar (and terrible) side effect with vaccess using the
virtual-profiles pre-cloning feature: with pre-cloning the vaccess is
not destroyed after the user disconnects, and the problem was that the
special configuration of VPN users (ip vrf forwarding and interface ip
address) remained applied, so the vaccess wasn't usable if the next
user was an Internet (non-VPN) user.
Cheers.
Félix
Tassos Chatzithomaoglou wrote:
> 7200 (12.3.5)
> -------------
>
> Router is used as LNS.
>
> VT acls
> -------
> Virtual-Template1 is down, line protocol is down
> Outgoing access list is 160
> Inbound access list is 120
>
> User (31) with no acl through radius
> -------------------------------
> Virtual-Access31 is up, line protocol is up
> Outgoing access list is 160
> Inbound access list is 120
>
> User (61) with IN/OUT acl through radius
> ---------------------------------------
> Virtual-Access61 is up, line protocol is up
> Outgoing access list is Virtual-Access61#19637982, default is 160
> Inbound access list is Virtual-Access30#19644751, default is 120
>
>
> If I remove acl 120/160 from VT1 and then put it back I have:
>
> User (61) with IN/OUT acl through radius
> ---------------------------------------
> Virtual-Access61 is up, line protocol is up
> Outgoing access list is 160
> Inbound access list is 120
>
> which means that the VA acl is erased from the user's VA interface and the
> default is applied again.
>
> Is this how it's supposed to happen? If yes, I believe it shouldn't,
> since that way all our per-user acls get "erased" after we change the
> default acl, so we have to disconnect them in order to connect again
> (and get their own acls).
>
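As an added illustration, not part of the original thread, the two shapes of Virtual-Template configuration Félix's advice contrasts, followed by the RADIUS user entries that push the per-user ACLs. Interface names, pool name, ACL numbers 120/160, usernames, passwords and the contents of the AV-pairs are assumptions chosen to match the numbers in Tassos's output; the RADIUS entries use FreeRADIUS users-file syntax, which is also an assumption about the RADIUS server in use.

```cisco
! --- Conflicting template (what Tassos has): the default ACLs are on
! --- the template, so any change to the template (e.g. removing and
! --- re-adding the access-groups) is re-applied to every cloned
! --- Virtual-Access and overwrites the per-user ACLs pushed by RADIUS.
interface Virtual-Template1
 ip unnumbered Loopback0
 ip access-group 120 in
 ip access-group 160 out
 peer default ip address pool LNS-POOL
 ppp authentication chap

! --- Minimal template (Félix's recommendation): only what every PPP
! --- session needs. Nothing here can collide with a RADIUS profile,
! --- and editing it no longer wipes per-user state on the clones.
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool LNS-POOL
 ppp authentication chap

! --- RADIUS side (FreeRADIUS "users" file, assumed). With the minimal
! --- template, filtering for every user must come from here.

! User 61: a per-user ACL, pushed as Cisco AV-pairs. IOS builds it as a
! dynamic ACL named after the interface (the "Virtual-Access61#nnn"
! form seen in the show output). Addresses are illustrative.
user61  Cleartext-Password := "secret61"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair += "ip:inacl#1=permit ip any host 192.0.2.10",
        Cisco-AVPair += "ip:inacl#2=deny ip any any",
        Cisco-AVPair += "ip:outacl#1=permit ip any any"

! User 31: no ACL of its own. Since the template no longer carries the
! defaults, the default filter is referenced from the profile instead
! (Filter-Id "<acl>.in"/"<acl>.out" names an ACL already configured
! on the router, here 120 and 160).
user31  Cleartext-Password := "secret31"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Filter-Id = "120.in",
        Filter-Id = "160.out"
```

The trade-off is visible in the two templates: with the conflicting one, the only way to get user 61 its own ACLs back after touching 120/160 on the template is the disconnect/reconnect Tassos describes; with the minimal one, changing the default means editing the RADIUS profiles (or the contents of ACL 120/160 on the router, which Filter-Id references by number, so existing sessions pick the change up without the template being reapplied). The same principle covers Félix's VRF case: anything session-specific such as `ip vrf forwarding` belongs in the user's profile, not on a template whose clones may be reused.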