Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss configuration and troubleshooting issues on Access Dial with Tejal Patel. Tejal is a customer support engineer at the Technical Assistance Center (TAC) at Cisco Systems, Inc. He joined Cisco in July 1999. His current responsibilities include troubleshooting complex issues, training, and authoring documentation. His areas of expertise are Telco Signaling, Configuration and Troubleshooting of Access Servers, AAA, etc. Tejal is CCIE # 6619 for ISP Dial. He continually shares his expertise by speaking at the Access Design Clinic at Networkers to discuss and resolve design-related technical issues. Tejal holds a Bachelor's degree in Electronics and Telecommunication Engineering from Poona University, India. Prior to joining Cisco, Tejal was a Test Engineer at Leemah Datacom Inc., where he was responsible for functional testing of Network Access Server and RADIUS server.
Remember to use the rating system to let Tejal know if you have received an adequate response.
Tejal might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through October 22, 2010. Visit this forum often to view responses to your questions and the questions of other community members.
Actually, they both serve different purposes. Per-user ACL via RADIUS/AAA is per user, as it says, and it gives the network admin more control over the user's ability. An ACL under the virtual-template will be applied to all the virtual-access interfaces for all the users and is static. It's like "one for all".
If the network design requires the use of per-user attributes like ACLs, then it's the best option to download them via AAA. There will not be any performance issue for 500 users if you go for per-user ACLs from AAA. Per-user ACLs take a little more CPU power and memory than ones configured under the interface, but for 500 users it should be just fine.
If you find any document with measurements, it would be nice to show it to my manager.
Otherwise, I would like to apply both, RADIUS and virtual-template ACL, at the same time for some users... and both working. I've been running some tests and what I've seen is that the RADIUS ACL switches off the Virtual-Template ACL for that user...
Any specific configuration to combine usage of both at same time?
We do not have any specific performance docs that report the numbers in that area because it is more or less generic testing for the same feature.
Now, to answer your 2nd question, if the authorization is configured via RADIUS, then the router will honor what is coming in from RADIUS as the ACL definition. So for that user, if the ACL is coming in from AAA, it will be used rather than the one configured on the router, as an interface, virtual-access or any, can only work with "one" ACL. That goes on to prove that network admins have more control over user management when it's managed via AAA.
Hope that answers your question. Fire up more questions if you have any.
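
The two ACL placements compared in this thread, side by side, as an added configuration sketch that is not taken from any poster's router. ACL number 110, the interface numbers, the filter entries and the RADIUS reply attributes (shown as comments in Cisco AV-pair form) are constructed for illustration.

```ios
! --- Static "one for all" ACL: inherited by every Virtual-Access
! --- interface cloned from this template.
access-list 110 remark constructed example: baseline for all dial-in users
access-list 110 permit tcp any any eq www
access-list 110 permit udp any any eq domain
access-list 110 deny   ip any any log
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip access-group 110 in
 ppp authentication chap
!
! --- Per-user ACL: the router must ask RADIUS for network authorization,
! --- otherwise the per-user attributes in the reply are never applied.
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius
!
! --- Constructed RADIUS reply for one user (server side, not IOS syntax):
! ---   Service-Type    = Framed-User
! ---   Framed-Protocol = PPP
! ---   cisco-avpair    = "ip:inacl#1=permit tcp any any eq www"
! ---   cisco-avpair    = "ip:inacl#2=permit tcp any any eq 443"
! ---   cisco-avpair    = "ip:inacl#3=deny ip any any"
!
! --- As described in the answer above, a user who receives an ACL from
! --- AAA gets that ACL rather than access-list 110, because the interface
! --- works with only one ACL. A user whose reply carries no inacl entries
! --- keeps the template ACL.
!
! --- Check what is actually in force for a connected user:
! ---   show ip access-lists
```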