Hi guys, I got this simple topology on IOS 15.2 for 7200 routers:
And I have configured PPPoE on these devices. Here are my configs:
aaa new-model
aaa authentication ppp PPPoE_AUTHE local
!
username 2221111 password 0 123
username 2221122 password 0 123
!
ip local pool PPPoE_POOL 18.104.22.168 22.214.171.124
!
interface Virtual-Template1
 ip address 126.96.36.199 255.255.255.0
 peer default ip address pool PPPoE_POOL
 ppp authentication chap PPPoE_AUTHE
!
bba-group pppoe PPPoE_GROUP
 virtual-template 1
!
interface FastEthernet0/0
 no ip address
 pppoe enable group PPPoE_GROUP
!
R1 & R2:
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp chap hostname 2221111
 ppp chap password 0 123
!
interface FastEthernet0/0
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 1
!
Everything works perfectly and I got this output on ISG:
ISG#show pppoe session
     2 sessions in LOCALLY_TERMINATED (PTA) State
     2 sessions total

Uniq ID  PPPoE  RemMAC          Port    VT  VA      State
           SID  LocMAC                      VA-st   Type
    369    369  ca00.2754.0008  Fa0/0    1  Vi1.1   PTA
                ca03.1014.0008              UP
    370    370  ca01.2754.0008  Fa0/0    1  Vi1.2   PTA
                ca03.1014.0008              UP
Now, I wanna run ISG on the ISG router. I looked for a lot of documentation and couldn't find anything except Cisco documents! They seemed pretty vague to me! I mean, I just saw some short examples about policy-map control/class-map control/service ... When I tried to implement them on my network I just got stuck in the first phase (authentication via local AAA). I know that real ISG implementations definitely require separate AAA servers (like RADIUS), but for the sake of learning, I want some simple documents and examples for ISG (especially implementations on PPPoE).

Also, would someone please implement an ISG on my simple topology which does the following stuff:
1- Authenticate customers via local database (local AAA)
2- if customers got authenticated, I want R1 & R2 to be authorized (via local AAA) to access R4 with speed of 128Kbps and 256 Kbps respectively (QoS rate-limiting)
3- And for accounting (using local AAA), I want the credit for R1 & R2 get finished when their only sent traffic reached 10MB.
I just wanna see the steps, I don't know where to begin. Many thanks in advance.
1- Authenticate customers via local database (local AAA)
For PPPoE sessions, this is done at the PPP level on the VTemplate interface. You are already doing this using list PPPoE_AUTHE.

2- if customers got authenticated, I want R1 & R2 to be authorized (via local AAA) to access R4 with speed of 128Kbps and 256 Kbps respectively (QoS rate-limiting)
You can use a service with MQC on it. Check: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-3s/isg-xe-3s-book/isg-mqc-ip-sess.html
You can also apply the QoS policy using per-user QoS. Check: http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/sbsbpssq.html#wp1050969
3- And for accounting (using local AAA), I want the credit for R1 & R2 get finished when their only sent traffic reached 10MB.
I'm afraid this is not possible. The only way to track quota consumption in ISG is using the pre-paid feature. This feature takes care of reporting the quota to an external server, and that server is responsible for providing further quota and maintaining the total quota information for the subscriber. ISG only reports the consumption (based on accounting packets) and takes actions based on the quota information provided by the server. It is not possible to use this feature without an external server. Check http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-3s/isg-xe-3s-book/isg-prepaid-bill.html
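The split of responsibilities described in the answer above (the access device reports consumption, an external server keeps the running total and decides when the credit is gone) is sketched below as an added example; it is not part of the thread and not Cisco code. It models only the server-side bookkeeping using the standard RADIUS accounting attributes, not the ISG prepaid exchange itself; the session ids and byte counts are constructed, and 10 MB is assumed to mean 10 * 1024 * 1024 bytes.

```python
from dataclasses import dataclass, field

QUOTA_BYTES = 10 * 1024 * 1024  # 10 MB limit from the question (binary MB assumed)

def upstream_octets(attrs):
    """Bytes the subscriber has sent in this session so far.
    Acct-Input-Octets is a 32-bit counter; Acct-Input-Gigawords (RFC 2869)
    counts how many times it has wrapped."""
    giga = int(attrs.get("Acct-Input-Gigawords", 0))
    return (giga << 32) + int(attrs.get("Acct-Input-Octets", 0))

@dataclass
class Subscriber:
    closed: int = 0                           # bytes from sessions that have stopped
    live: dict = field(default_factory=dict)  # Acct-Session-Id -> latest cumulative bytes
    done: set = field(default_factory=set)    # session ids already closed by a Stop

class QuotaTracker:
    def __init__(self, quota=QUOTA_BYTES):
        self.quota, self.subs = quota, {}

    def handle(self, attrs):
        """Process one Accounting-Request; return (bytes_remaining, exhausted)."""
        sub = self.subs.setdefault(attrs["User-Name"], Subscriber())
        sid, status = attrs["Acct-Session-Id"], attrs["Acct-Status-Type"]
        if sid not in sub.done and status in ("Start", "Interim-Update", "Stop"):
            # Counters are cumulative per session: keep the maximum instead of
            # adding, so retransmitted or reordered requests never double-count.
            sub.live[sid] = max(sub.live.get(sid, 0), upstream_octets(attrs))
            if status == "Stop":
                sub.closed += sub.live.pop(sid)
                sub.done.add(sid)  # a repeated Stop for this id is ignored
        remaining = max(self.quota - sub.closed - sum(sub.live.values()), 0)
        return remaining, remaining == 0

def rec(sid, status, octets=0):
    """Build one constructed accounting record for user 2221111."""
    return {"User-Name": "2221111", "Acct-Session-Id": sid,
            "Acct-Status-Type": status, "Acct-Input-Octets": octets}

# Constructed sample (not captured traffic), including duplicate requests.
SAMPLE = [rec("s1", "Start"), rec("s1", "Interim-Update", 4000000),
          rec("s1", "Interim-Update", 4000000), rec("s1", "Stop", 6000000),
          rec("s1", "Stop", 6000000), rec("s2", "Start"),
          rec("s2", "Interim-Update", 4485760)]

def replay(records):
    tracker = QuotaTracker()
    return [tracker.handle(r) for r in records]

if __name__ == "__main__":
    for r, result in zip(SAMPLE, replay(SAMPLE)):
        print(r["Acct-Session-Id"], r["Acct-Status-Type"], result)
```
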
Based on your answer and also some other research, for the last 3 months, I have been working (programming) on that accounting system you said and finally it turned out to be a full AAA server. Now I feel very comfortable with all its concepts and depending attributes and other stuff.
Today, after 3 months, I just came back to the same point :D
I built the AAA server, but I can't match it with ISG. I wrote the details in this link:
Sorry for the delay. I read your thread and it seems the issue is with the service authorization. You are expecting to see an authorization request sent from ISG to RADIUS to download the service profile but you don't see it. Correct?
If so, I would suggest adding a subscriber-service authorization statement to your AAA config. Something like:
aaa authorization subscriber-service default group radius
aaa authorization subscriber-service PPPoE_AUTHO group radius
This way, ISG should send authorization requests to RADIUS to download the service profile.