[c-nsp] MPLS VPN with lot of PPP interfaces and central firewall
Gerald Krause
gk at ax.tc
Thu Feb 18 23:09:23 EST 2010
On 21.01.2010 10:41, Gerald Krause wrote:
> On 21.01.2010 08:10, Oliver Boehmer (oboehmer) wrote:
...
>> you might want to look at the "Half-Duplex VRF" feature, which allows to
>> build a hub & spoke VPN setup without having to put each "branch" on the
>> same PE into a different VRF. HD VRF will assign a different VRF for
>> upstream and downstream traffic, so packets entering the LNS from the
>> branch will only see the Hub routes, and not the other branches' routes.
>>
>> check out
>> http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ghdpvrf.html
>
> Ok, that sounds interesting. I'll check the docs.
I have tried it now but I am not able to get a user authenticated when
using the "downstream ..." configuration command to enable HDVRF.
My config on the LNS (7200/NPE-G2 with 12.2(33)SRD3) looks like this:
!
ip vrf VRFTEST
rd 100:0
route-target export 100:0
route-target import 100:0
!
ip vrf VRFTEST-DOWN
rd 102:0
route-target export 102:0
!
interface Loopback102
description VRFTEST
ip vrf forwarding VRFTEST
ip address 10.99.17.254 255.255.255.255
!
This is an excerpt from the RADIUS user profile for "cpe2-vrftest":
Cisco-AVPair += lcp:interface-config#1=ip verify unicast reverse-path
Cisco-AVPair += lcp:interface-config#2=ip vrf forwarding VRFTEST downstream VRFTEST-DOWN
Cisco-AVPair += lcp:interface-config#3=ip unnumbered Loopback102
Framed-IP-Address = 10.99.17.2
Framed-Protocol = PPP
Framed-Route = 10.98.2.0/24
Service-Type = Framed
I get this error message when the authentication takes place:
%VPDN-3-NORESOURCE: L2TP LNS no resources for user cpe2-vrftest; Result 2, Error 4, SSS Manager disconnected session
When I remove the "downstream VRFTEST-DOWN" part from the Cisco-AVPair
the user authenticates fine and the session is established. Can
someone point me in the right direction to solve this problem?
Gerald
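For readers following the hub-and-spoke layout described in the quoted reply, the following is an added illustration of the two-VRF Half-Duplex VRF design on a spoke-side LNS together with the matching hub VRF. It is not the poster's configuration and not a diagnosis of the error above; the VRF names, RD and route-target values, addresses, the hub's firewall next hop and the placement of the unnumbered loopback in the downstream VRF are assumptions of this example.

```ios
! Added example, not the poster's configuration. All names, RDs, RTs and
! addresses below are assumptions chosen for illustration.
!
! --- Spoke-side LNS ---
!
! Downstream VRF: receives the per-session spoke routes (Framed-IP-Address,
! Framed-Route) and exports them so the hub learns how to reach each spoke.
ip vrf SPOKES-DOWN
 rd 100:2
 route-target export 100:2
!
! Upstream VRF: used for packets arriving from the spokes. It imports only
! what the hub exports, so a spoke can reach the hub (and the central
! firewall behind it) but never sees another spoke's prefix directly.
ip vrf SPOKES-UP
 rd 100:1
 route-target import 100:100
!
! Unnumbered loopback placed in the downstream VRF (assumption taken from
! the feature's documented layout).
interface Loopback1
 ip vrf forwarding SPOKES-DOWN
 ip address 10.99.17.254 255.255.255.255
!
! Upstream VRF first, downstream VRF after the "downstream" keyword; the
! same command can also be pushed per user via lcp:interface-config.
interface Virtual-Template1
 ip vrf forwarding SPOKES-UP downstream SPOKES-DOWN
 ip unnumbered Loopback1
!
! --- Hub PE (where the central firewall sits) ---
!
! The hub VRF imports the spoke routes and exports a default route tagged
! 100:100, which is the only thing the spokes' upstream VRF imports.
ip vrf HUB
 rd 100:100
 route-target export 100:100
 route-target import 100:2
!
! Assumed firewall next hop; the default route is redistributed into
! MP-BGP under "address-family ipv4 vrf HUB" on the hub PE.
ip route vrf HUB 0.0.0.0 0.0.0.0 192.0.2.1
```

The security-relevant property of this layout is the asymmetry of the route-target imports: the upstream VRF carries only the hub's default route, so traffic from one spoke to another spoke's prefix is forwarded to the hub and through the central firewall instead of being switched locally on the LNS between two sessions that happen to share a VRF.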