[c-nsp] Radius & vrf attributes

Dennis Peng dpeng at cisco.com
Mon Dec 6 15:18:14 EST 2004


In 12.3(7)XI, you can use "ip:vrf-id=<vrf>" and
"ip:ip-unnumbered=<interface>" which allow you to use vaccess
sub-interfaces instead of full vaccess interfaces (full vaccess
interfaces are required whenever you use the lcp:interface-config
attribute).

There is also a somewhat related feature that can be used in 12.3:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftvrfaaa.htm#1056126

Dennis

Chris Roberts [croberts at bongle.co.uk] wrote:
> Following on to this, can anyone find the page on www.cisco.com about the
> specific RADIUS attributes to replace 'ip vrf forwarding', which is supposed
> to greatly improve the memory utilisation on LNS'? It used to be there, but
> a Google and Cisco search didn't bring me up much useful, just some 12.2
> release notes with no implementation notes on Cisco-AVPair="ip:vrf-id ...".
> It was there before with the values you need to add to your dictionary file.
> 
> Am I going mad?
> 
> Cheers,
> Chris.
> 
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net 
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Lewis
> > Sent: 06 December 2004 17:19
> > To: M.Palis
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Radius & vrf attributes
> > 
> > We do plenty of this.  Here's an actual working entry from 
> > our radius config with just a bit of obfuscation to anonymize 
> > the entry (username, framed-IP, and vrfname replaced).
> > 
> > someusername Auth-Type = System
> >         Service-Type = Framed-User,
> >         Framed-Protocol = PPP,
> >         Framed-IP-Address= a.b.c.d,
> >         Framed-IP-Netmask= 255.255.255.255,
> >         Framed-MTU = 1500,
> >         Idle-Timeout = 0,
> >         Session-Timeout = 0,
> >         Port-Limit = 1,
> >         cisco-avpair = "lcp:interface-config#1=ip vrf forwarding somevrf\nip unnumbered lo1023",
> >         cisco-avpair = "ip:route=vrf somevrf 10.100.10.0 255.255.255.0 a.b.c.d 1"
> > 
> > lo1023 is the loopback interface in vrf somevrf.  We 
> > typically put a loopback interface on each PE router in each 
> > vrf for which that router is a PE.
> > 
> > On Mon, 6 Dec 2004, M.Palis wrote:
> > 
> > > It is not working.. It is very strange actually. Radius accepts the
> > > command and it starts normally but IP route does not show in the vrf
> > > routing table of the router.
> > >
> > > Are you using the command?
> > > ----- Original Message -----
> > > From: "Dennis Peng" <dpeng at cisco.com>
> > > To: "M.Palis" <security at cytanet.com.cy>
> > > Cc: <cisco-nsp at puck.nether.net>
> > > Sent: Friday, December 03, 2004 6:39 PM
> > > Subject: Re: [c-nsp] Radius & vrf attributes
> > >
> > >
> > > > M.Palis [security at cytanet.com.cy] wrote:
> > > > > Hello all..
> > > > >
> > > > > >  I am trying to configure Radius to send ip route /vrf to the user
> > > > > > as below.
> > > > >
> > > > > Cisco-AVpair = "ip:route = vrf test 0.0.0.0 0.0.0.0 10.10.1.254"
> > > >                           ^ ^
> > > >                           | |
> > > >                           +-+--- remove these spaces.
> > > >
> > > > And try again please.
> > > >
> > > > Dennis
> > > >
> > > > > > Radius accepts the above but when I do show ip route on the router,
> > > > > > it seems that the route is not inserted in the routing table. Any
> > > > > > help will be appreciated. Below is the radius config for the users
> > > > >
> > > > >
> > > > >
> > > > > test Auth-Type := MS-CHAP, Password == "!test"
> > > > >         Service-Type = Framed-User,
> > > > >         Framed-Protocol = PPP,
> > > > > >         Cisco-AVPair = "lcp:interface-config=ip vrf forwarding test \n peer default ip address pool test \n ip unnumbered loopback3",
> > > > > >
> > > > > >     Cisco-AVpair = "ip:route = vrf test 0.0.0.0 0.0.0.0 10.10.1.254"
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> > > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
> > >
> > 
> > ----------------------------------------------------------------------
> >  Jon Lewis                   |  I route
> >  Senior Network Engineer     |  therefore you are
> >  Atlantic Net                |
> > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> > 
> 
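
A check for the two problems raised in this thread, as an added example that is not part of any poster's message: it scans a users-file entry for Cisco-AVPair values with whitespace around the separator (the cause of the route not being installed) and for `lcp:interface-config` values, which require full vaccess interfaces, suggesting the `ip:vrf-id` / `ip:ip-unnumbered` form when the value holds only `ip vrf forwarding` and `ip unnumbered`. The function name, finding labels and regexes are hypothetical; the sample entries are constructed from the two quoted above, and the suggested attributes assume 12.3(7)XI or later as stated in the reply.

```python
import re

# Cisco-AVPair value is "protocol:attribute<sep>value"; sep is "=" or "*" (optional).
AVPAIR = re.compile(r'cisco-avpair\s*[:+]?=\s*"([^"]*)"', re.I)
PARTS = re.compile(r'([\w-]+):([^\s=*]+)(\s*)([=*])(\s*)(.*)', re.S)
VRF = re.compile(r'ip vrf forwarding (\S+)$')
UNNUM = re.compile(r'ip unnumbered (\S+)$')

def lint_entry(entry):
    """Return (finding, original_value, suggested_values) for one users-file entry."""
    findings = []
    for value in AVPAIR.findall(entry):
        m = PARTS.match(value)
        if not m:
            findings.append(("malformed", value, []))
            continue
        proto, attr, pre, sep, post, arg = m.groups()
        if pre or post:  # the spaces the reply asks to remove
            findings.append(("space-around-separator", value, [f"{proto}:{attr}{sep}{arg}"]))
        if proto == "lcp" and attr.startswith("interface-config"):
            # The users file carries a literal backslash-n between IOS commands.
            cmds = [c.strip() for c in arg.split(r"\n") if c.strip()]
            repl = []
            for c in cmds:
                v, u = VRF.match(c), UNNUM.match(c)
                if v:
                    repl.append(f"ip:vrf-id={v.group(1)}")
                elif u:
                    repl.append(f"ip:ip-unnumbered={u.group(1)}")
            if len(repl) == len(cmds):
                findings.append(("full-vaccess-replaceable", value, repl))
            else:
                findings.append(("full-vaccess", value, []))
    return findings

# Constructed samples, built from the two entries quoted in the thread.
PALIS = r'''test Auth-Type := MS-CHAP, Password == "!test"
        Cisco-AVPair = "lcp:interface-config=ip vrf forwarding test \n peer default ip address pool test \n ip unnumbered loopback3",
        Cisco-AVpair = "ip:route = vrf test 0.0.0.0 0.0.0.0 10.10.1.254"'''
LEWIS = r'''someusername Auth-Type = System
        cisco-avpair = "lcp:interface-config#1=ip vrf forwarding somevrf\nip unnumbered lo1023",
        cisco-avpair = "ip:route=vrf somevrf 10.100.10.0 255.255.255.0 a.b.c.d 1"'''

if __name__ == "__main__":
    for name, entry in (("PALIS", PALIS), ("LEWIS", LEWIS)):
        for finding, value, fix in lint_entry(entry):
            print(name, finding, fix or value)
```

Running the same check over every entry before a RADIUS reload catches attributes the server accepts but the router does not act on.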

