[cisco-bba] VRFs, VPDN and Virtual Access Interfaces

Dermot Williams dermot.williams at irishbroadband.ie
Fri Aug 10 07:48:22 EDT 2007


I'm new to the list so I apologise in advance if any of the questions
that I am asking have been asked and answered ad nauseam. In my defence,
I did search the archives first and have already found answers to other
questions that I had.

I'm doing some testing with L2TP-based VPDNs and VRFs for a future L3VPN
product. My goal is to switch certain users into a VRF configured on the
LNS and to continue to allow other users access to the internet. I have
this working but I do have some questions about my implementation.

My main issue is that all of the VRF users are given a Virtual Access
interface and not a Virtual Access sub-interface. I know why this is
happening - I am using RADIUS to send "lcp:interface-config= ... "
attributes back for the VRF users. However, I also know that Virtual
Access interfaces have a larger memory/CPU overhead than VA

To mitigate against this I can pre-clone the VAIs but my understanding
is that if there are pre-cloned VAIs, none of my users will be allocated
VA sub-interfaces and I would like to avoid this if possible. I don't
want to use VAIs unless absolutely necessary and my assumption is that
if I were to pre-clone 50 VAIs, only 50 users would be allowed online at
a given time. Obviously the answer is to pre-clone as many VAIs as
possible but again, I'm concerned about the overhead of doing this.

Instead of using RADIUS attributes to create a user-specific VAI, is
there any way that I could use them to force the VPDN session to use a
Virtual-Template interface that already has the correct config on it?

The router is a 7301 with 1GB memory. My RADIUS attributes for the VRF
users are:

Cisco-AVPair := lcp:interface-config=ip vrf forwarding customer_alpha
Cisco-AVPair += lcp:interface-config=peer default ip address pool ALPHA_POOL
Cisco-AVPair += lcp:interface-config=ip unnumbered Loopback

My VPDN config looks like this:

vpdn-group TEST
! Default L2TP VPDN group
  protocol l2tp
  virtual-template 1
 source-ip a.b.c.d
 lcp renegotiation always
 no l2tp tunnel authentication
interface Loopback10
 description "The Internet"
 ip address
interface Loopback100
 description "Customer Alpha"
 ip vrf forwarding customer_alpha
 ip address secondary
 ip address
!
interface Virtual-Template1
 ip unnumbered Loopback10
 ip mtu 1492
 peer default ip address pool ADDR
 ppp authentication chap

I would appreciate any pointers or information that the list can give


Dermot Williams

Senior Network Engineer
Irish Broadband Internet Services

Mobile: 	+353 86 3887961
DDI: 	+353 1 4818481
