[cisco-bba] VRFs, VPDN and Virtual Access Interfaces
Dermot Williams
dermot.williams at irishbroadband.ie
Fri Aug 10 07:48:22 EDT 2007
Hi,
I'm new to the list so I apologise in advance if any of the questions
that I am asking have been asked and answered ad nauseam. In my defence,
I did search the archives first and have already found answers to other
questions that I had.
I'm doing some testing with L2TP-based VPDNs and VRFs for a future L3VPN
product. My goal is to switch certain users into a VRF configured on the
LNS and to continue to allow other users access to the internet. I have
this working but I do have some questions about my implementation.
My main issue is that all of the VRF users are given a Virtual Access
interface and not a Virtual Access sub-interface. I know why this is
happening - I am using RADIUS to send "lcp:interface-config= ... "
attributes back for the VRF users. However, I also know that Virtual
Access interfaces have a larger memory/CPU overhead than VA
sub-interfaces.
To mitigate against this I can pre-clone the VAIs but my understanding
is that if there are pre-cloned VAIs, none of my users will be allocated
VA sub-interfaces and I would like to avoid this if possible. I don't
want to use VAIs unless absolutely necessary and my assumption is that
if I were to pre-clone 50 VAIs, only 50 users would be allowed online at
a given time. Obviously the answer is to pre-clone as many VAIs as
possible but again, I'm concerned about the overhead of doing this.
Instead of using RADIUS attributes to create a user-specific VAI, is
there any way that I could use them to force the VPDN session to use a
Virtual-Template interface that already has the correct config on it?
The router is a 7301 with 1GB memory. My RADIUS attributes for the VRF
users are:
Cisco-AVPair := lcp:interface-config=ip vrf forwarding customer_alpha
Cisco-AVPair += lcp:interface-config=peer default ip address pool ALPHA_POOL
Cisco-AVPair += lcp:interface-config=ip unnumbered Loopback 100
My VPDN config looks like this:
vpdn-group TEST
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 source-ip a.b.c.d
 lcp renegotiation always
 no l2tp tunnel authentication
!
interface Loopback10
 description "The Internet"
 ip address 192.168.100.1 255.255.255.0
!
interface Loopback100
 description "Customer Alpha"
 ip vrf forwarding customer_alpha
 ip address 192.168.110.1 255.255.255.0 secondary
 ip address 4.0.4.1 255.255.255.0
!
interface Virtual-Template1
 ip unnumbered Loopback10
 ip mtu 1492
 peer default ip address pool ADDR
 ppp authentication chap
I would appreciate any pointers or information that the list can give
me.
Regards,
Dermot Williams
Senior Network Engineer
Irish Broadband Internet Services
Mobile: +353 86 3887961
DDI: +353 1 4818481