[cisco-bba] feature or bug?

Félix Izquierdo fizquierdo at l3consulting.com
Wed Feb 11 06:18:30 EST 2004


It's the traditional behaviour with vaccess cloned from vtemplates. If 
you change the vtemplate configuration, the change is applied to all the 
vaccess cloned from this vtemplate, overriding also any per-user aaa 
configuration. The vaccess mechanism has some side effects like this. The 
best is to maintain the vtemplate with the minimal configuration, 
non-conflicting with the radius profiles.

I've lived a similar (and terrible) side effect with vaccess using the 
virtual-profiles pre-cloning feature: using pre-cloning the vaccess is 
not destroyed after the user disconnects, and the problem was that the 
special configuration of vpn users (ip vrf forwarding and interface ip 
address) remained applied, so the vaccess wasn't usable if the next 
user was an Internet (non-vpn) user.

Cheers.

Félix
Tassos Chatzithomaoglou wrote:

> 7200 (12.3.5)
> -------------
> 
> Router is used as LNS.
> 
> VT acls
> -------
> Virtual-Template1 is down, line protocol is down
>   Outgoing access list is 160
>   Inbound  access list is 120
> 
> User (31) with no acl through radius
> -------------------------------
> Virtual-Access31 is up, line protocol is up
>   Outgoing access list is 160
>   Inbound  access list is 120
> 
> User (61) with IN/OUT acl through radius
> ---------------------------------------
> Virtual-Access61 is up, line protocol is up
>   Outgoing access list is Virtual-Access61#19637982, default is 160
>   Inbound  access list is Virtual-Access30#19644751, default is 120
> 
> 
> If I remove acl 120/160 from VT1 and then put it back I have:
> 
> User (61) with IN/OUT acl through radius
> ---------------------------------------
> Virtual-Access61 is up, line protocol is up
>   Outgoing access list is 160
>   Inbound  access list is 120
> 
> which means that the va acl is erased from user's va interface and the 
> default is applied again.
> 
> Is this how it's supposed to happen? If yes, I believe it shouldn't, 
> since that way all our per-user acls get "erased" after we change the 
> default acl, so we have to disconnect them in order to connect again 
> (and get their own acls).
> 

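Added example (not from the thread, not Cisco code): a small Python check that parses `show interfaces Virtual-Access` output in the format quoted above and lists sessions whose RADIUS per-user ACLs have reverted to the template defaults, which is what you would run after touching the virtual-template to find who must reconnect. The set of sessions expected to carry per-user ACLs is an assumption (in practice it would come from RADIUS accounting), and Virtual-Access62 is a constructed session.

```python
import re

# Constructed sample output, modelled on the excerpts quoted in the thread.
# Virtual-Access62 is added as a session that has lost its per-user ACLs.
SHOW_INTERFACES = """\
Virtual-Access31 is up, line protocol is up
  Outgoing access list is 160
  Inbound  access list is 120
Virtual-Access61 is up, line protocol is up
  Outgoing access list is Virtual-Access61#19637982, default is 160
  Inbound  access list is Virtual-Access30#19644751, default is 120
Virtual-Access62 is up, line protocol is up
  Outgoing access list is 160
  Inbound  access list is 120
"""

# Assumption: which sessions RADIUS pushed per-user ACLs to, and in which
# directions (this would normally be derived from RADIUS accounting).
EXPECTED_PER_USER = {
    "Virtual-Access61": {"Outgoing", "Inbound"},
    "Virtual-Access62": {"Outgoing", "Inbound"},
}

IFACE_RE = re.compile(r"^(Virtual-Access\d+) is (\S+), line protocol is (\S+)")
# A per-user ACL appears as "<name>#<id>, default is <template acl>";
# a plain template ACL has no ", default is" clause.
ACL_RE = re.compile(r"^\s+(Outgoing|Inbound)\s+access list is (\S+?)(?:, default is (\S+))?$")

def parse_show_interfaces(text):
    """Return {iface: {direction: (acl, default_or_None)}}."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {}
            continue
        m = ACL_RE.match(line)
        if m and current:
            direction, acl, default = m.groups()
            result[current][direction] = (acl, default)
    return result

def find_reverted_sessions(text, expected):
    """List (iface, direction) pairs that should carry a per-user ACL
    but now show only the template ACL (no ', default is' clause)."""
    parsed = parse_show_interfaces(text)
    reverted = []
    for iface, directions in expected.items():
        for direction in directions:
            acl, default = parsed.get(iface, {}).get(direction, (None, None))
            if acl is not None and default is None:
                reverted.append((iface, direction))
    return sorted(reverted)
```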