[c-nsp] LNS av-pair vrf

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Fri Nov 11 11:25:01 EST 2011 

  
> > Then you can include the below attributes to assign the user(s) to the
> > VRF:
> >
> >       Cisco-Avpair = "ip:vrf-id=<vrf-name>",
> >       Cisco-Avpair = "ip:ip-unnumbered=Loopback<n>",
> >
> > There is also the Cisco-Avpair="lcp:interface-config=ip vrf forwarding
> > ...\nip unnumbered ..." way of assigning vrf membership, but the former
> > is more effecient...
> 
> Is there a preference these days to run with the virtual-access
> sub-interface capable av-pairs:
> 
>  Cisco-Avpair = "ip:vrf-id=<vrf-name>",
>  Cisco-Avpair = "ip:ip-unnumbered=Loopback<n>",
> 
> over the classical ones using "lcp:interface-config"?

Well, with the knob "aaa policy interface-config allow-subinterface", most "lcp:interface-config" commands will no longer force a full VAI, so you can still benefit from the higher sub-VAI scalability.
But even if you use this knob, "lcp:interface-config" can be a bit slower when it comes to bringing up the session, which can be a concern when you need to bring up lots of session within a short while.

So as long as you use the knob (or lcp:interface-config allow-subinterface=yes" in the profile), scalability is quite ok.. 
BTW: I also recall that new releases actually have this knob on per default.. It's been a while since I did radius/lns stuff :-}
 
> What additional attributes are required for forward the session from
> one non-PE LNS to another PE-capable LNS for certain customers?
> Presumably it's a matter of sending back more av-pairs with additional
> tunnel forwarding information?

indeed. For that to work, I would enable

vpdn multihop
vpdn authen-before-forward
! see [1] for the 2nd cmd

and then you can include

! if you use "," instead of "/", you can load-share across addresses instead of failing over.
Cisco-AVPair = "vpdn:ip-addresses=x.x.x.x/y.y.y.y ",  
Cisco-AVPair = "vpdn:l2tp-tunnel-password=cisco",
Cisco-AVPair = "vpdn:tunnel-type=l2tp"

to forward the session to another LNS. You can also use IETF attributes (check http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/rad_attr.html). 

	oli


[1]  http://www.cisco.com/en/US/tech/tk801/tk703/technologies_configuration_example09186a0080094860.shtml

More information about the cisco-nsp mailing list