PPPoE multiple profiles for VPDN

Answered Question
Jun 29th, 2008
User Badges:

I'm trying to set up a single router to terminate PPPoE connections and offer different rates using virtual templates. All the documentation seems to be focused on LAC/LNS installs. In this case we effectively just have a single router performing both functions.

RADIUS will be used for AAA.

Correct Answer by mohammedmahmoud about 8 years 11 months ago

Hi David,


Nice document, enjoy :) And please keep us updated.


By the way, since IOS 12.4(2)T:


cisco-avpair = "ip:sub-policy-In=in-policy-name"

cisco-avpair = "ip:sub-policy-Out=out-policy-name"


Are replaced with the following new attributes:


cisco-avpair = "ip:sub-qos-policy-in=in-policy-name"

cisco-avpair = "ip:sub-qos-policy-out=out-policy-name"


But anyway as per Cisco, the replaced attributes will be supported for several more software releases, but profiles should be updated with the new attributes as soon as it is feasible to do so.


http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/htipmaaa.html


BR,

Mohammed Mahmoud.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
mohammedmahmoud Sun, 06/29/2008 - 23:42
User Badges:
  • Green, 3000 points or more

Hi,


It should look something like this:



aaa authentication ppp vpdn group radius

aaa authorization network vpdn group radius

aaa accounting network vpdn start-stop group radius


!

bba-group pppoe VPDN1

virtual-template 10

sessions auto cleanup

!

bba-group pppoe VPDN2

virtual-template 20

sessions auto cleanup

!


!

interface GigabitEthernet0/1.10

encapsulation dot1Q 10

ip unnumbered Loopback0

pppoe enable group VPDN1

!

interface GigabitEthernet0/1.20

encapsulation dot1Q 20

ip unnumbered Loopback0

pppoe enable group VPDN2


!

interface Virtual-Template10

description VPDN1

ip unnumbered Loopback0

ppp authentication pap vpdn

ppp authorization vpdn

ppp accounting vpdn


!

interface Virtual-Template10

description VPDN2

ip unnumbered Loopback0

ppp authentication pap vpdn

ppp authorization vpdn

ppp accounting vpdn


radius-server host




And you can do whatever you want under each virtual-template.


BR,

Mohammed Mahmoud.

dataylor Sun, 06/29/2008 - 23:48
User Badges:

This is similar to the sample configs I've been looking at however I can't see how service is differentiated based on login details. I would appear to differentiate based on the incoming VLAN.


What I'm trying to do is have a user login using PPPoE and be given a virtual template based on their RADIUS profile. The idea being that I can a embed QoS policing policy in the virtual template to provide different service levels to customers.

mohammedmahmoud Sun, 06/29/2008 - 23:54
User Badges:
  • Green, 3000 points or more

Hi,


AFAIK, to apply a different virtual-template you need to apply a different bba-group, and to apply a different bba-group you need to use VLANs and subinterfaces - i think that you can work around and use this model.


Another prospective to think with, is that you can search if what you require to do can be sent by the RADIUS as a Cisco RADIUS AV Pair according to the customer profile.



BR,

Mohammed Mahmoud.

dataylor Sun, 06/29/2008 - 23:56
User Badges:

I understand that it is a RADIUS AVP, the question being how to apply it.


D

mohammedmahmoud Mon, 06/30/2008 - 00:04
User Badges:
  • Green, 3000 points or more

Hi,


Fine, this doesn't mean that you'll apply a different virtual-template per each class, what you are going to do is to apply a Cisco AVP per customer profile to be used to clone the virtual-access.


cisco-avpair = "ip:sub-qos-policy-in=in-policy-name"


cisco-avpair = "ip:sub-qos-policy-out=out-policy-name"



BR,

Mohammed Mahmoud.

Correct Answer
mohammedmahmoud Mon, 06/30/2008 - 00:22
User Badges:
  • Green, 3000 points or more

Hi David,


Nice document, enjoy :) And please keep us updated.


By the way, since IOS 12.4(2)T:


cisco-avpair = "ip:sub-policy-In=in-policy-name"

cisco-avpair = "ip:sub-policy-Out=out-policy-name"


Are replaced with the following new attributes:


cisco-avpair = "ip:sub-qos-policy-in=in-policy-name"

cisco-avpair = "ip:sub-qos-policy-out=out-policy-name"


But anyway as per Cisco, the replaced attributes will be supported for several more software releases, but profiles should be updated with the new attributes as soon as it is feasible to do so.


http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/htipmaaa.html


BR,

Mohammed Mahmoud.

Actions

This Discussion