[c-nsp] Radius & vrf attributes

Dennis Peng dpeng at cisco.com
Mon Dec 6 15:35:38 EST 2004


BTW, I should mention there are currently no plans to port the
"ip:vrf-id" and "ip:ip-unnumbered" attribute support in 12.3(7)XI to
12.3T/12.4T. This means you'll have to use a full virtual-access
interface instead of a sub-interface. If you are interested in having
support for this feature and are willing to open up a TAC case to
document this request, let me know privately. Thanks.

Dennis

Dennis Peng [dpeng at cisco.com] wrote:
> In 12.3(7)XI, you can use "ip:vrf-id=<vrf>" and
> "ip:ip-unnumbered=<interface>" which allow you to use vaccess
> sub-interfaces instead of full vaccess interfaces (full vaccess
> interfaces are required whenever you use the lcp:interface-config
> attribute).
> 
> There is also a somewhat related feature that can be used in 12.3:
> 
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftvrfaaa.htm#1056126
> 
> Dennis
> 
> Chris Roberts [croberts at bongle.co.uk] wrote:
> > Following on to this, can anyone find the page on www.cisco.com about the
> > specific RADIUS attributes to replace 'ip vrf forwarding', which is supposed
> > to greatly improve the memory utilisation on LNS'? It used to be there, but
> > a Google and Cisco search didn't bring me up much useful, just some 12.2
> > release notes with no implementation notes on Cisco-AVPair="ip:vrf-id ...".
> > It was there before with the values you need to add to your dictionary file.
> > 
> > Am I going mad?
> > 
> > Cheers,
> > Chris.
> > 
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net 
> > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Lewis
> > > Sent: 06 December 2004 17:19
> > > To: M.Palis
> > > Cc: cisco-nsp at puck.nether.net
> > > Subject: Re: [c-nsp] Radius & vrf attributes
> > > 
> > > We do plenty of this.  Here's an actual working entry from 
> > > our radius config with just a bit of obfuscation to anonymize 
> > > the entry (username, framed-IP, and vrfname replaced).
> > > 
> > > someusername Auth-Type = System
> > >         Service-Type = Framed-User,
> > >         Framed-Protocol = PPP,
> > >         Framed-IP-Address= a.b.c.d,
> > >         Framed-IP-Netmask= 255.255.255.255,
> > >         Framed-MTU = 1500,
> > >         Idle-Timeout = 0,
> > >         Session-Timeout = 0,
> > >         Port-Limit = 1,
> > >         cisco-avpair = "lcp:interface-config#1=ip vrf forwarding somevrf\nip unnumbered lo1023",
> > >         cisco-avpair = "ip:route=vrf somevrf 10.100.10.0 255.255.255.0 a.b.c.d 1"
> > > 
> > > lo1023 is the loopback interface in vrf somevrf.  We 
> > > typically put a loopback interface on each PE router in each 
> > > vrf for which that router is a PE.
> > > 
> > > On Mon, 6 Dec 2004, M.Palis wrote:
> > > 
> > > > It is not working.. It is very strange actually. Radius accepts the 
> > > > command and it starts normally but IP route is not shown in the vrf 
> > > > routing table of the router.
> > > >
> > > > Are you using the command?
> > > > ----- Original Message -----
> > > > From: "Dennis Peng" <dpeng at cisco.com>
> > > > To: "M.Palis" <security at cytanet.com.cy>
> > > > Cc: <cisco-nsp at puck.nether.net>
> > > > Sent: Friday, December 03, 2004 6:39 PM
> > > > Subject: Re: [c-nsp] Radius & vrf attributes
> > > >
> > > >
> > > > > M.Palis [security at cytanet.com.cy] wrote:
> > > > > > Hello all..
> > > > > >
> > > > > >  I am trying to configure Radius to send ip route /vrf to the user
> > > > > > as below.
> > > > > >
> > > > > > Cisco-AVpair = "ip:route = vrf test 0.0.0.0 0.0.0.0 10.10.1.254"
> > > > >                           ^ ^
> > > > >                           | |
> > > > >                           +-+--- remove these spaces.
> > > > >
> > > > > And try again please.
> > > > >
> > > > > Dennis
> > > > >
> > > > > > Radius accepts the above but when I do show ip route on the router,
> > > > > > it seems that the route is not inserted in the routing table.
> > > > > > Any help will be appreciated. Below is the radius config for the users
> > > > > >
> > > > > >
> > > > > >
> > > > > > test Auth-Type := MS-CHAP, Password == "!test"
> > > > > >         Service-Type = Framed-User,
> > > > > >         Framed-Protocol = PPP,
> > > > > >         Cisco-AVPair = "lcp:interface-config=ip vrf forwarding test \n peer default ip address pool test \n ip unnumbered loopback3",
> > > > > >
> > > > > >     Cisco-AVpair = "ip:route = vrf test 0.0.0.0 0.0.0.0 10.10.1.254"
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > _______________________________________________
> > > > > > cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> > > > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > > >
> > > >
> > > 
> > > ----------------------------------------------------------------------
> > >  Jon Lewis                   |  I route
> > >  Senior Network Engineer     |  therefore you are
> > >  Atlantic Net                |
> > > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________


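An added example, not part of any post in this thread: a small lint pass over a RADIUS users file that catches the two points raised above, whitespace around the "=" inside a Cisco-AVPair string (the cause of the missing ip:route) and use of lcp:interface-config (which requires a full virtual-access interface). The sample entries, the function name lint_users and the address 192.0.2.1 are constructed for illustration.

```python
import re

# Constructed sample in the style of the entries quoted in this thread
# (user names, VRF names and addresses are placeholders).
SAMPLE_USERS = r'''
test Auth-Type := MS-CHAP
        Service-Type = Framed-User,
        Cisco-AVPair = "lcp:interface-config=ip vrf forwarding test \n ip unnumbered loopback3",
        Cisco-AVpair = "ip:route = vrf test 0.0.0.0 0.0.0.0 10.10.1.254"

someusername Auth-Type = System
        Framed-Protocol = PPP,
        cisco-avpair = "ip:route=vrf somevrf 10.100.10.0 255.255.255.0 192.0.2.1 1"
'''

# A reply item of the form: cisco-avpair = "..." (also accepts := and +=)
AVPAIR_RE = re.compile(r'^\s*cisco-avpair\s*[:+]?=\s*"([^"]*)"', re.I)
# Inside the string: protocol:attribute, then '=' (mandatory) or '*' (optional), then value
BODY_RE = re.compile(r'^([a-z0-9-]+):([a-z0-9#-]+)(\s*)([=*])(\s*)(.*)$', re.I | re.S)

def lint_users(text):
    """Return (user, avpair, problem) tuples for each suspicious AV pair."""
    findings, user = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            user = line.split()[0]      # entry header: first token is the user name
            continue
        m = AVPAIR_RE.match(line)
        if not m:
            continue
        value = m.group(1)
        body = BODY_RE.match(value)
        if not body:
            findings.append((user, value, "not in protocol:attribute=value form"))
            continue
        proto, attr, pre, _sep, post, _rest = body.groups()
        if pre or post:
            findings.append((user, value, "whitespace around '=' inside the AV pair"))
        if proto.lower() == "lcp" and attr.lower().startswith("interface-config"):
            findings.append((user, value,
                             "lcp:interface-config needs a full virtual-access interface"))
    return findings

if __name__ == "__main__":
    for user, value, problem in lint_users(SAMPLE_USERS):
        print(f"{user}: {problem}: {value!r}")
```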