[c-nsp] MPLS VPN with lot of PPP interfaces and central firewall

Gerald Krause gk at ax.tc
Thu Feb 18 23:09:23 EST 2010

Am 21.01.2010 10:41, Gerald Krause schrieb:
> Am 21.01.2010 08:10, Oliver Boehmer (oboehmer) schrieb:
>> you might want to look at the "Half-Duplex VRF" feature, which allows to
>> build a hub & spoke VPN setup without having to put each "branch" on the
>> same PE into a different VRF. HD VRF will assign a different VRF for
>> upstream and downstream traffic, so packets entering the LNS from the
>> branch will only see the Hub routes, and not the other branches' routes.
>> check out
>> http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html
> Ok, that sounds interesting. I'll check the docs.

I have tried it now but I'm not able to get a user authenticated when
using the "downstream ..." configuration command to enable HDVRF.

My config on the LNS (7200/NPE-G2 with 12.2(33)SRD3) looks like this:

 ip vrf VRFTEST
  rd 100:0
  route-target export 100:0
  route-target import 100:0
 ! the following "ip vrf VRFTEST-DOWN" header is assumed: the excerpt as
 ! posted shows a second rd directly under VRFTEST, which IOS does not accept,
 ! and the RADIUS profile below references a downstream VRF of that name
 ip vrf VRFTEST-DOWN
  rd 102:0
  route-target export 102:0
 interface Loopback102
  description VRFTEST
  ip vrf forwarding VRFTEST
  ip address

This is an excerpt from the RADIUS user profile for "cpe2-vrftest":

 Cisco-AVPair += lcp:interface-config#1=ip verify unicast
 Cisco-AVPair += lcp:interface-config#2=ip vrf forwarding VRFTEST downstream VRFTEST-DOWN
 Cisco-AVPair += lcp:interface-config#3=ip unnumbered Loopback102
 Framed-IP-Address =
 Framed-Protocol = PPP
 Framed-Route =
 Service-Type = Framed

I get this error message when the authentication takes place:

 %VPDN-3-NORESOURCE: L2TP LNS no resources for user cpe2-vrftest; Result 2, Error 4, SSS Manager disconnected session

When I remove the "downstream VRFTEST-DOWN" part from the Cisco-AVPair
the user authenticates fine and the session will be established. Can
someone point me in the right direction to solve this problem?
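As an added illustration of the Half-Duplex VRF behaviour Oliver describes above (this is example code written for this page, not from the thread or from Cisco): a small Python model of the two VRF tables, named VRFTEST (upstream) and VRFTEST-DOWN (downstream) as in the RADIUS profile, with a constructed hub and two branch prefixes. It shows why branch-to-branch traffic can no longer be switched locally on the LNS and must pass the hub firewall.

```python
import ipaddress

# Constructed topology (not from the original post): one hub site behind a
# central firewall, two PPP branches terminated on the same LNS.
HUB = ipaddress.ip_network("10.0.0.0/24")
BRANCHES = {  # virtual-access interface -> branch prefix
    "Virtual-Access1": ipaddress.ip_network("10.1.0.0/24"),
    "Virtual-Access2": ipaddress.ip_network("10.2.0.0/24"),
}
HUB_HOP = "hub-firewall"
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def shared_vrf():
    """One VRF for every branch: the LNS switches branch-to-branch locally."""
    table = {prefix: intf for intf, prefix in BRANCHES.items()}
    table[HUB] = HUB_HOP
    return table


def hdvrf_tables():
    """Half-duplex VRF pair.

    VRFTEST (upstream) is consulted for packets *entering* from a branch and
    only knows the hub; VRFTEST-DOWN (downstream) is consulted for packets
    *leaving* towards a branch and holds the branch routes.
    """
    vrftest = {DEFAULT: HUB_HOP, HUB: HUB_HOP}
    vrftest_down = {prefix: intf for intf, prefix in BRANCHES.items()}
    return vrftest, vrftest_down


def lookup(table, dst):
    """Longest-prefix match; None when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    matches = [p for p in table if addr in p]
    return table[max(matches, key=lambda p: p.prefixlen)] if matches else None


def forward_shared(ingress, dst):
    return lookup(shared_vrf(), dst)


def forward_hdvrf(ingress, dst):
    """Choose the VRF from the ingress direction, as HD VRF does."""
    vrftest, vrftest_down = hdvrf_tables()
    return lookup(vrftest if ingress in BRANCHES else vrftest_down, dst)


if __name__ == "__main__":
    print(forward_shared("Virtual-Access1", "10.2.0.5"))  # Virtual-Access2
    print(forward_hdvrf("Virtual-Access1", "10.2.0.5"))   # hub-firewall
    print(forward_hdvrf(HUB_HOP, "10.2.0.5"))             # Virtual-Access2
```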
