[c-nsp] Radius & vrf attributes

Chris Roberts croberts at bongle.co.uk
Mon Dec 6 14:44:37 EST 2004


Following on to this, can anyone find the page on www.cisco.com about the
specific RADIUS attributes to replace 'ip vrf forwarding', which is supposed
to greatly improve the memory utilisation on LNS'? It used to be there, but
a Google and Cisco search didn't bring up much that was useful, just some 12.2
release notes with no implementation notes on Cisco-AVPair="ip:vrf-id ...".
It was there before with the values you need to add to your dictionary file.

Am I going mad?

Cheers,
Chris.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Lewis
> Sent: 06 December 2004 17:19
> To: M.Palis
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Radius & vrf attributes
> 
> We do plenty of this.  Here's an actual working entry from 
> our radius config with just a bit of obfuscation to anonymize 
> the entry (username, framed-IP, and vrfname replaced).
> 
> someusername Auth-Type = System
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-Address= a.b.c.d,
>         Framed-IP-Netmask= 255.255.255.255,
>         Framed-MTU = 1500,
>         Idle-Timeout = 0,
>         Session-Timeout = 0,
>         Port-Limit = 1,
>         cisco-avpair = "lcp:interface-config#1=ip vrf forwarding somevrf\nip unnumbered lo1023",
>         cisco-avpair = "ip:route=vrf somevrf 10.100.10.0 255.255.255.0 a.b.c.d 1"
> 
> lo1023 is the loopback interface in vrf somevrf.  We 
> typically put a loopback interface on each PE router in each 
> vrf for which that router is a PE.
> 
> On Mon, 6 Dec 2004, M.Palis wrote:
> 
> > It is not working.. It is very strange actually. Radius accepts the
> > command and it starts normally but IP route is not shown in the vrf
> > routing table of the router.
> >
> > Are you using the command?
> > ----- Original Message -----
> > From: "Dennis Peng" <dpeng at cisco.com>
> > To: "M.Palis" <security at cytanet.com.cy>
> > Cc: <cisco-nsp at puck.nether.net>
> > Sent: Friday, December 03, 2004 6:39 PM
> > Subject: Re: [c-nsp] Radius & vrf attributes
> >
> >
> > > M.Palis [security at cytanet.com.cy] wrote:
> > > > Hello all..
> > > >
> > > > > I am trying to configure Radius to send ip route /vrf to the user
> > > > > as below.
> > > >
> > > > Cisco-AVpair = "ip:route = vrf test 0.0.0.0 0.0.0.0 10.10.1.254"
> > >                           ^ ^
> > >                           | |
> > >                           +-+--- remove these spaces.
> > >
> > > And try again please.
> > >
> > > Dennis
> > >
> > > > > Radius accepts the above but when I do show ip route on the router,
> > > > > it seems that the route is not inserted in the routing table. Any help
> > > > > will be appreciated. Below is the radius config for the users
> > > >
> > > >
> > > >
> > > > test Auth-Type := MS-CHAP, Password == "!test"
> > > >         Service-Type = Framed-User,
> > > >         Framed-Protocol = PPP,
> > > > >         Cisco-AVPair = "lcp:interface-config=ip vrf forwarding test \n peer default ip address pool test \n ip unnumbered loopback3",
> > > > >
> > > > >     Cisco-AVpair = "ip:route = vrf test 0.0.0.0 0.0.0.0 10.10.1.254"
> > > >
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> 
> ----------------------------------------------------------------------
>  Jon Lewis                   |  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> 
> 
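
An added example, not part of the original thread: a small Python lint for a RADIUS users file that flags Cisco-AVPair values with whitespace around the `=` separating `protocol:attribute` from its value, the problem Dennis points out above. The users-file excerpt is constructed from the two entries quoted in the thread; the function name `lint_avpairs`, the regex, and the restriction to the `=`-separated form are this example's own assumptions.

```python
import re

# Matches  Cisco-AVPair = "..."  in a users-file item (any letter case, any of
# the =, :=, ==, += operators) and captures the quoted value.
AVPAIR_RE = re.compile(r'cisco-avpair\s*[:+=]?=\s*"((?:[^"\\]|\\.)*)"', re.I)


def lint_avpairs(users_text):
    """Return (line_no, value, suggestion) for each AV pair whose
    'protocol:attribute=value' separator looks malformed."""
    findings = []
    for line_no, line in enumerate(users_text.splitlines(), start=1):
        for m in AVPAIR_RE.finditer(line):
            value = m.group(1)
            name, sep, rest = value.partition("=")
            if not sep or ":" not in name:
                # Not in protocol:attribute=value form; no fix is suggested.
                findings.append((line_no, value, None))
            elif name != name.rstrip() or rest != rest.lstrip():
                # Whitespace around '=': the case corrected in the thread.
                fixed = name.rstrip() + "=" + rest.lstrip()
                findings.append((line_no, value, fixed))
    return findings


# Constructed sample built from the two entries quoted in the thread.
SAMPLE = r'''test Auth-Type := MS-CHAP
        Service-Type = Framed-User,
        Cisco-AVPair = "lcp:interface-config=ip vrf forwarding test \n ip unnumbered loopback3",
        Cisco-AVpair = "ip:route = vrf test 0.0.0.0 0.0.0.0 10.10.1.254"

someusername Auth-Type = System
        cisco-avpair = "lcp:interface-config#1=ip vrf forwarding somevrf\nip unnumbered lo1023",
        cisco-avpair = "ip:route=vrf somevrf 10.100.10.0 255.255.255.0 a.b.c.d 1"
'''

if __name__ == "__main__":
    for line_no, value, fixed in lint_avpairs(SAMPLE):
        print(f"line {line_no}: {value!r}")
        print(f"  suggested: {fixed!r}" if fixed else "  not in protocol:attribute=value form")
```

Only the `ip:route = vrf ...` entry is reported; the two `lcp:interface-config` values and the working `ip:route=vrf ...` entry pass.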
