[c-nsp] Radius & vrf attributes
Dennis Peng
dpeng at cisco.com
Mon Dec 6 15:18:14 EST 2004
In 12.3(7)XI, you can use "ip:vrf-id=<vrf>" and
"ip:ip-unnumbered=<interface>" which allow you to use vaccess
sub-interfaces instead of full vaccess interfaces (full vaccess
interfaces are required whenever you use the lcp:interface-config
attribute).
There is also a somewhat related feature that can be used in 12.3:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftvrfaaa.htm#1056126
Dennis
Chris Roberts [croberts at bongle.co.uk] wrote:
> Following on to this, can anyone find the page on www.cisco.com about the
> specific RADIUS attributes to replace 'ip vrf forwarding', which is supposed
> to greatly improve the memory utilisation on LNS'? It used to be there, but
> a Google and Cisco search didn't bring me up much useful, just some 12.2
> release notes with no implementation notes on Cisco-AVPair="ip:vrf-id ...".
> It was there before with the values you need to add to your dictionary file.
>
> Am I going mad?
>
> Cheers,
> Chris.
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Lewis
> > Sent: 06 December 2004 17:19
> > To: M.Palis
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Radius & vrf attributes
> >
> > We do plenty of this. Here's an actual working entry from
> > our radius config with just a bit of obfuscation to anonymize
> > the entry (username, framed-IP, and vrfname replaced).
> >
> > someusername Auth-Type = System
> >     Service-Type = Framed-User,
> >     Framed-Protocol = PPP,
> >     Framed-IP-Address= a.b.c.d,
> >     Framed-IP-Netmask= 255.255.255.255,
> >     Framed-MTU = 1500,
> >     Idle-Timeout = 0,
> >     Session-Timeout = 0,
> >     Port-Limit = 1,
> >     cisco-avpair = "lcp:interface-config#1=ip vrf forwarding somevrf\nip unnumbered lo1023",
> >     cisco-avpair = "ip:route=vrf somevrf 10.100.10.0 255.255.255.0 a.b.c.d 1"
> >
> > lo1023 is the loopback interface in vrf somevrf. We
> > typically put a loopback interface on each PE router in each
> > vrf for which that router is a PE.
> >
> > On Mon, 6 Dec 2004, M.Palis wrote:
> >
> > > It is not working. It is very strange actually. Radius accepts the
> > > command and it starts normally but the IP route is not shown in the vrf
> > > routing table of the router.
> > >
> > > Are you using the command?
> > > ----- Original Message -----
> > > From: "Dennis Peng" <dpeng at cisco.com>
> > > To: "M.Palis" <security at cytanet.com.cy>
> > > Cc: <cisco-nsp at puck.nether.net>
> > > Sent: Friday, December 03, 2004 6:39 PM
> > > Subject: Re: [c-nsp] Radius & vrf attributes
> > >
> > >
> > > > M.Palis [security at cytanet.com.cy] wrote:
> > > > > Hello all..
> > > > >
> > > > > I am trying to configure Radius to send ip route /vrf to the user
> > > > > as below.
> > > > >
> > > > > Cisco-AVpair = "ip:route = vrf test 0.0.0.0 0.0.0.0 10.10.1.254"
> > > >                           ^ ^
> > > >                           | |
> > > >                           +-+--- remove these spaces.
> > > >
> > > > And try again please.
> > > >
> > > > Dennis
> > > >
> > > > > Radius accepts the above but when I do show ip route on the router,
> > > > > it seems that the route is not inserted in the routing table.
> > > > > Any help will be appreciated. Below is the radius config for the users
> > > > >
> > > > >
> > > > >
> > > > > test Auth-Type := MS-CHAP, Password == "!test"
> > > > >     Service-Type = Framed-User,
> > > > >     Framed-Protocol = PPP,
> > > > >     Cisco-AVPair = "lcp:interface-config=ip vrf forwarding test \n peer default ip address pool test \n ip unnumbered loopback3",
> > > > >
> > > > >     Cisco-AVpair = "ip:route = vrf test 0.0.0.0 0.0.0.0 10.10.1.254"
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
> >
> > ----------------------------------------------------------------------
> > Jon Lewis | I route
> > Senior Network Engineer | therefore you are
> > Atlantic Net |
> > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> >
>
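A lint pass for the two points raised in this thread, as an added example that is not part of the original messages: it flags whitespace around the `=` inside a Cisco-AVPair value (the correction Dennis asks for on `ip:route`) and `lcp:interface-config` pairs carrying `ip vrf forwarding` (which, per Dennis, require full vaccess interfaces). The function names, finding codes, the `test2` user and the sample text are constructed for illustration.

```python
import re

# users-file line:  Cisco-AVPair = "proto:attribute=argument"  (operators =, :=, +=, ==)
AVPAIR_LINE = re.compile(r'cisco-avpair\s*[:+=]?=\s*"([^"]*)"', re.IGNORECASE)
# inside the quotes: proto:attribute, then "=", then the argument
AVPAIR_VALUE = re.compile(r'^(\s*)([\w-]+:[\w#-]+)(\s*)=(\s*)(.*)$', re.DOTALL)

MESSAGES = {
    "malformed": "value is not of the form proto:attribute=argument",
    "whitespace-around-equals": "remove the spaces around '=' inside the quotes",
    "needs-full-vaccess": "lcp:interface-config requires a full vaccess interface; "
                          "the thread suggests ip:vrf-id / ip:ip-unnumbered instead",
}

def lint_avpair(value):
    """Return (finding codes, normalized value) for one quoted AVPair value."""
    m = AVPAIR_VALUE.match(value)
    if not m:
        return ["malformed"], value
    lead, name, pre, post, arg = m.groups()
    findings = []
    if lead or pre or post:
        findings.append("whitespace-around-equals")
    if name.lower().startswith("lcp:interface-config") and "ip vrf forwarding" in arg.lower():
        findings.append("needs-full-vaccess")
    return findings, f"{name}={arg}"

def lint_users(text):
    """Scan users-file text; return (line number, findings, normalized) per flagged pair."""
    report = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AVPAIR_LINE.finditer(line):
            findings, normalized = lint_avpair(m.group(1))
            if findings:
                report.append((lineno, findings, normalized))
    return report

# Constructed sample, modelled on the entries quoted in this thread.
SAMPLE = r'''test Auth-Type := MS-CHAP
    Cisco-AVPair = "lcp:interface-config=ip vrf forwarding test \n ip unnumbered loopback3",
    Cisco-AVpair = "ip:route = vrf test 0.0.0.0 0.0.0.0 10.10.1.254"
test2 Auth-Type := MS-CHAP
    Cisco-AVPair = "ip:vrf-id=test",
    Cisco-AVPair = "ip:ip-unnumbered=loopback3"
'''

if __name__ == "__main__":
    for lineno, findings, normalized in lint_users(SAMPLE):
        for code in findings:
            print(f"line {lineno}: {code}: {MESSAGES[code]}")
        print(f"    normalized: {normalized}")
```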