Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1114
Views
0
Helpful
7
Replies

PPPoE multiple profiles for VPDN

Go to solution
dataylor
Level 1
Level 1

‎06-29-2008 10:55 PM

I'm trying to set up a single router to terminate PPPoE connections and offer different rates using virtual templates. All the documentation seems to be focused on LAC/LNS installs. In this case we effectively just have a single router performing both functions.

RADIUS will be used for AAA.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mohammedmahmoud
Level 11
Level 11
In response to dataylor

‎06-30-2008 12:22 AM

Hi David,

Nice document, enjoy :) And please keep us updated.

By the way, since IOS 12.4(2)T:

cisco-avpair = "ip:sub-policy-In=in-policy-name"

cisco-avpair = "ip:sub-policy-Out=out-policy-name"

Are replaced with the following new attributes:

cisco-avpair = "ip:sub-qos-policy-in=in-policy-name"

cisco-avpair = "ip:sub-qos-policy-out=out-policy-name"

But anyway as per Cisco, the replaced attributes will be supported for several more software releases, but profiles should be updated with the new attributes as soon as it is feasible to do so.

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/htipmaaa.html

BR,

Mohammed Mahmoud.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
mohammedmahmoud
Level 11
Level 11

‎06-29-2008 11:42 PM

Hi,

It should look something like this:

aaa authentication ppp vpdn group radius

aaa authorization network vpdn group radius

aaa accounting network vpdn start-stop group radius

!

bba-group pppoe VPDN1

virtual-template 10

sessions auto cleanup

!

bba-group pppoe VPDN2

virtual-template 20

sessions auto cleanup

!

!

interface GigabitEthernet0/1.10

encapsulation dot1Q 10

ip unnumbered Loopback0

pppoe enable group VPDN1

!

interface GigabitEthernet0/1.20

encapsulation dot1Q 20

ip unnumbered Loopback0

pppoe enable group VPDN2

!

interface Virtual-Template10

description VPDN1

ip unnumbered Loopback0

ppp authentication pap vpdn

ppp authorization vpdn

ppp accounting vpdn

!

interface Virtual-Template10

description VPDN2

ip unnumbered Loopback0

ppp authentication pap vpdn

ppp authorization vpdn

ppp accounting vpdn

radius-server host

And you can do whatever you want under each virtual-template.

BR,

Mohammed Mahmoud.

0 Helpful

Go to solution
dataylor
Level 1
Level 1
In response to mohammedmahmoud

‎06-29-2008 11:48 PM

This is similar to the sample configs I've been looking at however I can't see how service is differentiated based on login details. I would appear to differentiate based on the incoming VLAN.

What I'm trying to do is have a user login using PPPoE and be given a virtual template based on their RADIUS profile. The idea being that I can a embed QoS policing policy in the virtual template to provide different service levels to customers.

0 Helpful

Go to solution
mohammedmahmoud
Level 11
Level 11
In response to dataylor

‎06-29-2008 11:54 PM

Hi,

AFAIK, to apply a different virtual-template you need to apply a different bba-group, and to apply a different bba-group you need to use VLANs and subinterfaces - i think that you can work around and use this model.

Another prospective to think with, is that you can search if what you require to do can be sent by the RADIUS as a Cisco RADIUS AV Pair according to the customer profile.

BR,

Mohammed Mahmoud.

0 Helpful

Go to solution
dataylor
Level 1
Level 1
In response to mohammedmahmoud

‎06-29-2008 11:56 PM

I understand that it is a RADIUS AVP, the question being how to apply it.

D

0 Helpful

Go to solution
mohammedmahmoud
Level 11
Level 11
In response to dataylor

‎06-30-2008 12:04 AM

Hi,

Fine, this doesn't mean that you'll apply a different virtual-template per each class, what you are going to do is to apply a Cisco AVP per customer profile to be used to clone the virtual-access.

cisco-avpair = "ip:sub-qos-policy-in=in-policy-name"

cisco-avpair = "ip:sub-qos-policy-out=out-policy-name"

BR,

Mohammed Mahmoud.

0 Helpful

Go to solution
dataylor
Level 1
Level 1
In response to mohammedmahmoud

‎06-30-2008 12:12 AM

Ok, so single bba group with a single virtual template on a single interface.

Then a policy map for each user grouping.

I found this document which looks like it has most of the info I need.

http://www-europe.cisco.com/univercd/cc/td/doc/product/aggr/10000/swconfig/cfggdes/qoscf/10qrad.htm

Once I have it sussed I'll post the final config snippet

0 Helpful

Go to solution
mohammedmahmoud
Level 11
Level 11
In response to dataylor

‎06-30-2008 12:22 AM

Hi David,

Nice document, enjoy :) And please keep us updated.

By the way, since IOS 12.4(2)T:

cisco-avpair = "ip:sub-policy-In=in-policy-name"

cisco-avpair = "ip:sub-policy-Out=out-policy-name"

Are replaced with the following new attributes:

cisco-avpair = "ip:sub-qos-policy-in=in-policy-name"

cisco-avpair = "ip:sub-qos-policy-out=out-policy-name"

But anyway as per Cisco, the replaced attributes will be supported for several more software releases, but profiles should be updated with the new attributes as soon as it is feasible to do so.

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/htipmaaa.html

BR,

Mohammed Mahmoud.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents