[c-nsp] PPPoE -> VRF Virtual Templates
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Fri Mar 3 01:51:57 EST 2006
Matthew Crocker <> wrote on Friday, March 03, 2006 12:04 AM:
Hi,
> I have a 7206VXR/NPE-G1/512MB RAM running with a PA-A3-T3 that has
> 40ish PVCs. Each PVC is carrying RFC1483 traffic with PPPoE sessions
> from subscribers. I need to be able to terminate PPPoE sessions into
> different VRFs based on login info (@domain.com) or with RADIUS
> attributes. Can anyone verify that this can be accomplished? Does
> anyone have any spare configs?
yes, this can be done, see below:
> user at crocker.com goes to VRF crocker.com and is assigned a dynamic IP
> address from the crocker.com IP pool
> user at acme.com goes to VRF acme.com and is assigned a static IP
> address from the acme.com VRF, via RADIUS
>
> VRF will have basic configs with some static routes and an OSPF
> session.
ip vrf crocker.com
 ...
ip vrf acme.com
 ..
int lo100
 ip vrf forwarding crocker.com
 ip address .....
int lo101
 ip vrf forwarding acme.com
 ip address .....
!
int virtual-template1
 no ip address
 no peer default ip address
 ppp authentication chap pap ..
!
! you need the "group .." only when you have overlapping pool addresses
ip local pool crocker-pool <start> <end> group crocker.com
ip local pool acme-pool <start> <end> group acme.com
a Radius profile for a user would then include
Cisco-avpair = "lcp:interface-config#1=ip vrf forwarding crocker.com"
Cisco-avpair = "lcp:interface-config#2=ip unnumbered lo100"
Cisco-avpair = "ip:addr-pool=crocker-pool"
and similar for acme.
> I'm hoping that the router can preselect the VRF via the @domain.com
> part and select a radius server to authenticate off of based on the
> VRF.
This is also possible using per-vrf AAA feature, but it is more
complicated and has some restrictions as to which attributes can be
assigned from the customers' Radius server. Check out
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftvrfaaa.htm
for samples.
> If not, I'm hoping that the router can assign the customer to
> the VRF based on a RADIUS attribute from our proxy radius server.
If you can use a proxy, this is certainly the most flexible approach as
you can filter/add/remove attributes received from your customers'
server (obviously depends on your AAA server).
> Would I need a Virtual-Template for each VRF and then assign that
> template the user? Some PVCs are dedicated to a specific VRF, some
> of them will have customers mixed across multiple VRFs
No, as shown above. You do all of the above on a per-user level (from
the LNS' perspective, the Radius server might use the realm/domain).
oli
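
The proxy approach from the reply above, as an added example that is not part of the original message or any Cisco or RADIUS product code: a reply policy in which the operator's proxy keeps only allow-listed attributes from the customer's server and sets the VRF, loopback and pool itself from the login realm. The realm table reuses the sample names from the config above; the allow-list, the function name build_reply and the choice to give acme.com a pass-through Framed-IP-Address instead of a pool are assumptions.

```python
# Added example: proxy-side reply policy. The realm table mirrors the page's
# sample names; the allow-list and pass-through choices are assumptions.
REALMS = {
    "crocker.com": {"vrf": "crocker.com", "loopback": "lo100",
                    "pool": "crocker-pool"},
    # Assumption: acme users get a static Framed-IP-Address from their server.
    "acme.com": {"vrf": "acme.com", "loopback": "lo101", "pool": None},
}
# Attributes a customer server is allowed to set (assumed allow-list).
PASS_THROUGH = {"Framed-IP-Address", "Session-Timeout", "Idle-Timeout"}


def build_reply(username, customer_attrs):
    """Return the Access-Accept attribute list the proxy sends to the router.

    customer_attrs is a list of (name, value) pairs from the customer's
    server. Raises ValueError when the login has no known realm.
    """
    _, sep, realm = username.rpartition("@")
    policy = REALMS.get(realm.lower()) if sep else None
    if policy is None:
        raise ValueError(f"no VRF policy for user {username!r}")

    # Keep allow-listed attributes only. Every Cisco-avpair is dropped, so a
    # customer server cannot choose the VRF, the loopback or the pool.
    reply = [(n, v) for n, v in customer_attrs if n in PASS_THROUGH]
    if policy["pool"] is not None:
        # Pool-addressed realm: ignore any customer-supplied static address.
        reply = [(n, v) for n, v in reply if n != "Framed-IP-Address"]

    # Numbered as in the profile above, so the VRF is applied to the
    # virtual-access interface before "ip unnumbered".
    reply.append(("Cisco-avpair",
                  f"lcp:interface-config#1=ip vrf forwarding {policy['vrf']}"))
    reply.append(("Cisco-avpair",
                  f"lcp:interface-config#2=ip unnumbered {policy['loopback']}"))
    if policy["pool"] is not None:
        reply.append(("Cisco-avpair", f"ip:addr-pool={policy['pool']}"))
    return reply
```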