Table Of Contents
Cisco ISG Design and Deployment Guide: ATM to ISG Aggregation
Designing ATM to ISG Aggregation
Deployment Model 1: Basic Internet Access Service Bundle over L2TP
Deployment Model 2: Multiservice Service Bundle over PPPoE
Deployment Model 3: Triple Play Plus Service Bundle over IP and PPPoE
Deployment Model 4: Triple Play Plus Service Bundle over IP and L2TP
Basic Internet Access Service Bundle
Triple Play Plus Service Bundle
Deploying the Cisco ISG with ATM Aggregation
Deployment Model 1: Basic Internet Access Service Bundle over L2TP
Deployment Model 2: Multiservice Service Bundle over PPPoE
Deployment Model 3: Triple Play Plus Service Bundle over IP and PPPoE
Deployment Model 4: Triple Play Plus Service Bundle over IP and L2TP
Deployment Model 1: Basic Internet Access Service Bundle over L2TP Configuration
Deployment Model 2: Multiservice Service Bundle over PPPoE
Deployment Model 3: Triple Play Plus Service Bundle over IP and PPPoE
Deployment Model 4: Triple Play Plus Service Bundle over IP and L2TP
Verifying the Cisco 7206 ISG with ATM Aggregation
ISG Configuration Information Verification
Basic ISG Operation Verification
Subscriber Service Verification
Complete Running Configurations
Deployment Model 1: Basic Internet Access Service Bundle over L2TP
Deployment Model 1: AAA Server for ISP-1
Deployment Model 1: AAA Server for ISP-2
Deployment Model 2: Multiservice Service Bundle over PPPoE
Deployment Model 2: AAA Server
Deployment Model 3: Triple Play Plus Service Bundle over IP and PPPoE
Deployment Model 3: AAA Server
Deployment Model 4: Triple Play Plus Service Bundle over IP and L2TP
Deployment Model 4: AAA Server for ISP-1
Deployment Model 4: AAA Server for ISP-2
Cisco ISG Design and Deployment Guide: ATM to ISG Aggregation
Version History
The Intelligent Service Architecture (ISA) is a Cisco IOS feature set that enables the provisioning and maintaining of broadband networks that have multiple types of edge devices, many subscribers, and many services. ISA combines real-time session and flow control with programmable, dynamic policy control to deliver flexible and highly scalable subscriber session management capabilities.
A Cisco device that is running a Cisco IOS image with ISA is called an Intelligent Service Gateway (ISG). An ISG is used to control subscriber access at the edge of an IP network. An ISG is deployed at network access control points, and subscribers access services through ISG. The role of ISA is to execute policies that identify and authenticate subscribers and provide access to the services that the subscriber is entitled to access.
This document describes how to design and deploy an ISA network using the Cisco 7200 series or 7301 as an ISG and ATM as the aggregation technology. The following four deployment models are described:
•Deployment Model 1: Basic Internet Access Service Bundle over L2TP
•Deployment Model 2: Multiservice Service Bundle over PPPoE
•Deployment Model 3: Triple Play Plus Service Bundle over IP and PPPoE
•Deployment Model 4: Triple Play Plus Service Bundle over IP and L2TP
These deployment models are designed to simulate the most common ISP deployments. They combine a specific service bundle, which is a logical combination of features, with specific network topologies. ISPs can configure a single deployment model, or any combination of the four deployment models simultaneously, depending on their needs.
This document contains the following sections:
•Designing ATM to ISG Aggregation
•Deploying the Cisco ISG with ATM Aggregation
•Verifying the Cisco 7206 ISG with ATM Aggregation
•Complete Running Configurations
Designing ATM to ISG Aggregation
The ISA network described in this document uses the Cisco 7200 series and 7301 as an ISG in a network that uses ATM aggregation. This document covers the following access technologies:
•IP sessions
•PPP over Ethernet (PPPoE) sessions
•PPPoE over L2TP sessions
The IP and PPPoE deployments simulate the network of a single ISP. The PPPoE over L2TP deployments simulate two ISPs working together:
•ISP-1 offers wholesale service to other ISPs.
•ISP-2 contracts with ISP-1 to receive wholesale service, which it then offers to retail customers.
The following sections describe the design of the ISA network:
Network Topology
Figure 1 shows a high-level network topology.
Figure 1 High-Level Topology
Network Elements
The following elements play key roles in the network:
•CPE
•PE
•SESM
CPE
The customer premises equipment (CPE) router is a small router (such as the Cisco 800 series) that is used either as a bridge or to initiate PPPoE connections from the customer PC to the L2TP Access Concentrator (LAC).
DSLAM
The Digital Subscriber Line Access Multiplexer (DSLAM) aggregates multiple incoming DSL connections into a single ATM line. It is maintained at a point of presence (POP) separate from the ISP's central network.
Note The configuration of the DSLAM will not be discussed in this document.
ISG
An Intelligent Service Gateway (ISG) is used to control subscriber access at the edge of an IP/Multiprotocol Label Switching (MPLS) network. An ISG is deployed at network access control points, and subscribers access services through ISG. The role of ISA is to execute policies that identify and authenticate subscribers and provide access to the services that the subscriber is entitled to access. In the L2TP deployments in this document, the ISG also serves as a LAC.
ISG LAC
In the L2TP deployments in this document, the ISG also serves as a LAC. It is maintained by the ISP as part of its central network. It receives incoming sessions from the DSLAM and forwards them to the appropriate retail ISP by establishing an L2TP tunnel with the LNS. The LAC contacts the ISP's Authentication, Authorization, and Accounting (AAA) server to determine the forwarding information based on the subscriber's domain name.
ISG LNS
The ISG L2TP Network Server (LNS) is used only in the L2TP deployments. The ISG LNS terminates the L2TP tunnel from the LAC and the PPPoE session from the subscriber. It is maintained by the ISP on its central network. The ISG LNS authenticates the user by contacting the ISP's AAA server, and assigns the user a VPN routing/forwarding instance (VRF). The ISG LNS also communicates with the AAA server when the user requests additional services.
PE
The provider edge (PE) router is responsible for maintaining VRF information. It is the final endpoint on the ISP's network that terminates the user session. The ISP uses VRF to segment customers easily without having to specify different subnets for different classes of customers.
AAA Servers
In the IP and PPPoE deployments, the network uses a single AAA server. The AAA server maintains user authentication information as well as information on the services available to users. When the ISG receives a user's username and password, it forwards them to the AAA server for authentication. When a user activates a service, the ISG contacts the AAA server, which replies to the ISG with information on the service.
In the L2TP deployments, each ISP maintains its own AAA server:
•The AAA server for ISP-1 (known as AAA-1) maintains forwarding information for the retail ISPs. When queried by the ISG LAC, it sends forwarding information based on the user's domain name.
•The AAA server for ISP-2 (known as AAA-2) maintains user authentication information as well as information on the services available to users. When the LNS receives a user's username and password, it forwards it to AAA-2 for authentication. When a user activates a service, the LNS contacts AAA-2. AAA-2 then replies with information on the service to the LNS.
Instead of using single AAA servers, SPs can maintain multiple AAA servers to be used for separate domains, or for round robin load balancing.
SESM
The Cisco Subscriber Edge Services Manager (SESM) provides service selection and connection management in broadband and mobile wireless networks. The Cisco SESM provides a web portal for users to access services. ISPs can customize the web portal to their needs.
Note Configuring the Cisco SESM is beyond the scope of this document. A detailed Installation and Configuration Guide for the Cisco SESM is at the following URL: http://www.cisco.com/univercd/solution/sesm/sesm_320/index.htm
Billing Server
The billing server maintains user account information, including the amount of credit remaining for prepaid services. When users initiate services, the ISG contacts the billing server to determine if the user has credit available.
DHCP Server
A Dynamic Host Configuration Protocol (DHCP) server can be used to dynamically assign reusable IP addresses to devices in the network. Using a DHCP server can simplify device configuration and network management by centralizing network addressing. In the deployments described in this document, a Cisco CNS Network Registrar (CNR) server is used as the DHCP server.
Note Configuring the Cisco CNR is beyond the scope of this document. For information on configuring the Cisco CNR, see the Cisco CNS Network Registrar, 6.1.1 documentation at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/ciscoasu/nr/nr611/index.htm
Deployment Models
The following sections provide an overview of the four deployment models:
•Deployment Model 1: Basic Internet Access Service Bundle over L2TP
•Deployment Model 2: Multiservice Service Bundle over PPPoE
•Deployment Model 3: Triple Play Plus Service Bundle over IP and PPPoE
•Deployment Model 4: Triple Play Plus Service Bundle over IP and L2TP
Deployment Model 1: Basic Internet Access Service Bundle over L2TP
The Basic Internet Access Service Bundle over L2TP deployment is a traditional L2TP network offering basic DSL service, with no advanced ISA services. It is used as a baseline to establish basic connectivity before deploying the ISA services. In this network ISP-2 contracts with ISP-1 to receive wholesale DSL service, which it then offers to its retail customers.
PPP is tunneled from the ISG LAC to the LNS. At the LNS, the PPP session is terminated, and the encapsulated IP traffic is routed on through the ISP's network. The identity of the customer is uniquely maintained only by the PPP session. Figure 2 shows how the PPP session is routed across the network.
In this deployment, subscribers are automatically connected to the appropriate L2TP tunnel on the basis of their domain names. The retail ISP (ISP-2) performs authentication on the far end of the L2TP tunnel.
Figure 2 Deployment Model 1 Protocol Flow
Figure 3 shows all the protocols that are active at each device in the network.
Figure 3 Deployment Model 1 Protocol Stacks
Figure 4 shows all the interfaces in the network where Quality of Service (QoS) could potentially be configured. Here, "Up" refers to the upstream interface between the two devices, and "Dw" refers to the downstream interface. The interfaces in bold are where QoS is configured for this deployment.
Figure 4 QoS Interfaces
Table 1 describes the QoS strategy that is deployed on each of the interfaces shown in Figure 4.
Deployment Model 2: Multiservice Service Bundle over PPPoE
In the Multiservice Service Bundle over PPPoE deployment, an ISP expands its traditional, static DSL service by deploying the multiservice service bundle, which consists of the Bandwidth on Demand and Prepaid Services features. When customers activate these services, the network allocates additional bandwidth to them, billed either by time or by volume of traffic. The available minutes are managed by a billing server external to the ISG.
This network involves a single ISP. The DSLAM delivers traffic to the ISG using PPPoE. The ISG terminates PPPoE and routes the IP traffic through the ISP network. Subscriber identities are maintained through PPPoE authentication, and the uniqueness of the DSL line is maintained by a dedicated Layer 2 path to the ISG over an ATM PVC that is cross-connected to the subscriber at the DSLAM.
It is best if services are applied at the ISG. It is possible, but more difficult, to apply services at the DSLAM; services applied there, however, are not part of the PPP link.
This deployment offers two methods for subscriber authentication. Subscribers can be authenticated based on their username on the local AAA server. Alternatively, subscribers can be automatically connected to a service domain based on the domain returned by an initial local AAA lookup; subscriber authentication then takes place within the domain of the ISP by a remote AAA server lookup. Figure 5 shows how traffic is routed across the network.
Figure 5 Deployment Model 2 Protocol Flow
Figure 6 shows all of the protocols that are active at each device in the network.
Figure 6 Deployment Model 2 Traffic Flow
Figure 7 shows all the interfaces in the network where QoS could potentially be configured. Here "Up" refers to the upstream interface between the two devices, and "Dw" refers to the downstream interface. The interfaces in bold are where QoS is configured for this deployment.
Figure 7 QoS Interfaces
Table 2 describes the QoS strategy that is deployed on each of the interfaces shown in Figure 7.
Deployment Model 3: Triple Play Plus Service Bundle over IP and PPPoE
In the Triple Play Plus Service Bundle over IP and PPPoE deployment, an ISP offers the Triple Play Plus Service Bundle, which consists of advanced services designed for gaming subscribers. The services include voice over IP (VoIP), Broadcast Video, as well as prioritized traffic to the ISP's own gaming servers. This deployment involves a single ISP.
In this deployment, two peering IP interfaces are configured between the CPE and the ISG: one for IP connections and one for PPPoE connections. This configuration allows all subscribers to use PPPoE for data traffic, regardless of whether they are subscribing to the basic service or to the triple-play package. This dual-purpose approach eases support and conversion issues and allows the ISP to gradually convert to a fully IP-routed scheme.
This deployment supports transparent auto-login (TAL) based on the subscriber's MAC address, which requires that subscriber MAC addresses be configured manually. If MAC address-based authentication fails, subscribers are redirected to the web portal maintained by the Cisco SESM, where they can log in manually. Figure 8 shows how traffic is routed across the network.
Figure 8 Deployment Model 3 Protocol Flow
Figure 9 Deployment Model 3 Protocol Stack
Figure 10 shows all of the interfaces in the network where QoS could potentially be configured. Here, "Up" refers to the upstream interface between the two devices, and "Dw" refers to the downstream interface. The interfaces in bold are where QoS is configured for this deployment.
Figure 10 QoS Interfaces
Table 3 describes the QoS strategy that is deployed on each of the interfaces shown in Figure 10.
Deployment Model 4: Triple Play Plus Service Bundle over IP and L2TP
This deployment is very similar to Deployment Model 3: Triple Play Plus Service Bundle over IP and PPPoE. The IP segments of the two deployments are identical. The difference in this deployment is that PPPoE sessions are delivered to ISP-2's network over L2TP tunnels. Figure 11 shows how traffic is routed across the network.
Figure 11 Deployment Model 4 Protocol Flow
Deployment Model 4 QoS Strategy
The QoS strategy for the IP segment is the same as that for the IP segment of Deployment Model 3: Triple Play Plus Service Bundle over IP and PPPoE deployment model.
The QoS strategy for the PPPoE over L2TP segment of the network is the same as that for the Deployment Model 1: Basic Internet Access Service Bundle over L2TP deployment model.
Network Design Options
The following sections describe the various options the ISP must consider in deploying the network:
Aggregation Technology
ISA supports ATM for use as the aggregation technology.
Routing Technology
In all cases the DSLAM delivers traffic to the first ISG using an ATM PVC. When designing the network, you have three basic choices for how to deliver traffic from the ISG at the wholesale ISP to the retail ISP:
•IP sessions—Traffic is IP routed from the ISG to the retail ISP.
•PPP terminated—The DSLAM delivers traffic to the ISG using PPPoE. The ISG terminates the PPPoE and then IP routes traffic to the retail ISP.
•L2TP tunneled—The DSLAM delivers traffic to the ISG LAC using PPPoE. The ISG LAC then establishes an L2TP tunnel with an LNS on ISP-2's network. The LNS terminates the PPPoE, and IP is used to route the traffic in the retail ISP's network.
Service Bundles
Because of the large number of features available for ISA services, in the design and deployment guides we have grouped the features into service bundles. The following service bundles are deployed in the network:
•Basic Internet Access Service Bundle
•Triple Play Plus Service Bundle
Basic Internet Access Service Bundle
The Basic Internet Access service bundle consists of traditional Layer 3 virtual private network (VPN) access. Subscribers establish Layer 2 access connections over a Layer 3 VPN technology—in this case, an MPLS VPN. The bandwidth for all users is capped at a static 128 kbps upstream and 256 kbps downstream.
Note The specific bandwidths described in this document are only used as examples. SPs are free to configure any bandwidth levels that their service requires.
Multiservice Service Bundle
The Multiservice service bundle consists of the following features:
Layer 3 VPN Access
The default service for subscribers in the Multiservice service bundle is Layer 3 VPN access. This is the same basic DSL connectivity described above, where the bandwidth for all users is capped at a static 128 kbps upstream and 256 kbps downstream.
Bandwidth on Demand
The Bandwidth on Demand feature enables subscribers to temporarily increase their upstream and downstream bandwidths for either a set duration of time or a set volume of bandwidth. Subscribers first establish basic connectivity with a default cap on bandwidth, and then access a website (maintained by the Cisco SESM) where they trigger a request for the Bandwidth on Demand. The ISP authorizes the subscriber for the service and bills the subscriber's account. Bandwidth on Demand can be either prepaid or post-paid. The service remains active until either the subscriber deactivates the service or the subscriber terminates the session.
Prepaid Services
The Prepaid Services feature allows subscribers to debit their service against a previously credited account. The Prepaid Services payment method can be applied to Bandwidth on Demand, or any of the other ISG services. When subscribers activate a service, the billing server charges the subscriber's account based on either the time the service is active, or the bandwidth the subscriber uses. The service remains active until either the subscriber's account is depleted or the subscriber deactivates the service or terminates the session.
Triple Play Plus Service Bundle
The Triple Play Plus service bundle provides advanced QoS services. It consists of the following services:
•Basic Broadband Connectivity
•VoIP
•Video on Demand (VoD)
•Gaming
When subscribers initiate a session, they are granted basic broadband connectivity. If subscribers wish to activate one of the advanced services (VoIP, VoD, or gaming), they go to the web portal maintained by the Cisco SESM and select the service. The advanced services are granted a higher level of QoS to ensure that subscribers can maintain the necessary level of bandwidth for the activity they select.
Note In the deployments described in this document, the advanced services are deployed only for IP sessions; however, ISA supports these services on both IP and PPPoE.
Deploying the Cisco ISG with ATM Aggregation
The following sections describe the process of deploying the Cisco ISG with ATM aggregation:
•Verifying the Cisco 7206 ISG with ATM Aggregation
Deployment Models
The following deployment models are deployed in the network. ISPs can choose to deploy an individual deployment model or any combination of models that meet their requirements.
•Deployment Model 1: Basic Internet Access Service Bundle over L2TP
•Deployment Model 2: Multiservice Service Bundle over PPPoE
•Deployment Model 3: Triple Play Plus Service Bundle over IP and PPPoE
•Deployment Model 4: Triple Play Plus Service Bundle over IP and L2TP
Deployment Model 1: Basic Internet Access Service Bundle over L2TP
The following sections describe the deployment model:
•Basic Layer 3 VPN Access Call Flow for L2TP Sessions
•Device Characteristics Table for Deployment Model 1
Network Topology
Figure 12 shows the network topology of this deployment.
Figure 12 Deployment Model 1 Network Topology
Basic Layer 3 VPN Access Call Flow for L2TP Sessions
Figure 13 shows the call flow process that occurs when a subscriber establishes basic Layer 3 VPN access to the network.
Figure 13 Layer 3 VPN Access Call Flow
The following describes the sequence of events in Figure 13:
1. The subscriber initiates a PPPoE connection from the PC to the ISG LAC by way of the CPE.
2. The PC and the ISG LAC establish a PPP connection.
3. The ISG LAC contacts the AAA-1 server to retrieve domain authentication information for L2TP.
4. The ISG LAC establishes an L2TP tunnel with the LNS. This step is necessary only if an L2TP tunnel does not already exist.
5. The ISG LAC forwards the subscriber PPP session and associated information to the LNS.
6. The LNS contacts the AAA-2 server to authenticate the subscriber. Once the subscriber is authenticated, the LNS clones a virtual-access interface from the virtual template.
7. The LNS sends a CHAP response to the subscriber. The IP Control Protocol (IPCP) phase is performed, and the route to the LNS is installed. The PPP session now runs between the subscriber and the LNS, while the ISG forwards the PPP traffic over the L2TP tunnel.
8. The LNS sends an accounting start message to the AAA-2 server.
9. The subscriber and the LNS use IPCP to negotiate the link details, including the IP address. IPCP is responsible for configuring, enabling, and disabling the IP protocol modules on both ends of the PPP link. IPCP uses the same packet exchange mechanism as the Link Control Protocol (LCP). IPCP packets may not be exchanged until PPP has reached the Network-Layer Protocol phase.
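The LAC side of steps 3 through 5, as an added simulation (not code from the Cisco guide): the domain part of the username selects the forwarding entry in AAA-1, a tunnel to that LNS is set up only if none exists, and sessions for an unknown domain are refused. The AAA-1 table, domain names, LNS address and the reject-on-unknown-domain rule are constructed assumptions.

```python
"""Simulation of the ISG LAC decision in Deployment Model 1 (added example,
not from the Cisco guide).  The AAA-1 contents, domain names, LNS addresses
and the reject-on-unknown-domain rule are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed AAA-1 contents: domain name -> LNS endpoint and tunnel secret.
# In the guide, AAA-1 holds forwarding information keyed by the subscriber's
# domain name; the values here are placeholders.
AAA1_DOMAIN_TABLE = {
    "isp2.example": {"lns": "192.0.2.10", "tunnel_password": "placeholder-secret"},
}


@dataclass
class L2tpTunnel:
    lns: str
    sessions: int = 0


class IsgLac:
    def __init__(self, aaa1: Dict[str, Dict[str, str]]):
        self.aaa1 = aaa1
        self.tunnels: Dict[str, L2tpTunnel] = {}   # keyed by LNS address
        self.tunnel_setups = 0

    @staticmethod
    def domain_of(username: str) -> Optional[str]:
        # Step 3: the LAC looks only at the domain part.  The user part is
        # authenticated later by the LNS against AAA-2, never by the LAC.
        if "@" not in username:
            return None
        domain = username.rsplit("@", 1)[1].lower()
        return domain or None

    def handle_ppp_session(self, username: str) -> dict:
        domain = self.domain_of(username)
        if domain is None or domain not in self.aaa1:
            # No forwarding information: refuse the session rather than
            # tunnelling it somewhere arbitrary (assumed policy).
            return {"action": "reject", "reason": "unknown-domain", "domain": domain}
        fwd = self.aaa1[domain]
        tunnel = self.tunnels.get(fwd["lns"])
        if tunnel is None:
            # Step 4: bring up the tunnel only if none exists to this LNS.
            tunnel = L2tpTunnel(lns=fwd["lns"])
            self.tunnels[fwd["lns"]] = tunnel
            self.tunnel_setups += 1
        # Step 5: forward the PPP session inside the existing tunnel.
        tunnel.sessions += 1
        return {"action": "forward", "lns": tunnel.lns, "domain": domain,
                "sessions_in_tunnel": tunnel.sessions}


def run_demo():
    """Four constructed logins: two for ISP-2, one unknown domain, one bare."""
    lac = IsgLac(AAA1_DOMAIN_TABLE)
    users = ("alice@isp2.example", "bob@ISP2.example",
             "carol@unknown.example", "dave")
    return lac, [lac.handle_ppp_session(u) for u in users]


if __name__ == "__main__":
    lac, results = run_demo()
    for r in results:
        print(r)
    print("tunnels set up:", lac.tunnel_setups)
```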
Device Characteristics Table for Deployment Model 1
Table 4 describes details of the devices in the network.
Deployment Model 2: Multiservice Service Bundle over PPPoE
The following sections describe the deployment model:
In this deployment, the user's PC connects to a CPE, which initiates a PPPoE session to the ISG across the ATM network. The ISG then forwards the subscriber session to the PE over an MPLS VPN. The PE assigns the user a VRF and assigns the user the default service, which is a capped bandwidth of 256 kbps. The following advanced ISA services are then available to the user:
•BOD1MVOLUME: 1 Mbps downstream, 256 kbps upstream
•BOD1MTIME: 1 Mbps downstream, 256 kbps upstream
•BOD2MVOLUME: 2 Mbps downstream, 512 kbps upstream
•BOD2MTIME: 2 Mbps downstream, 512 kbps upstream
For volume-based service, subscribers are billed according to the amount of bandwidth they use. For time-based service, subscribers are billed according to the length of time the service is active.
Note The specific bandwidths described in this document are only used as examples. SPs are free to configure any bandwidth levels that their service requires.
Note In this deployment, subscribers cannot switch from a time-based prepaid service to a volume-based prepaid service or vice versa. SPs can offer both time-based and volume-based services, but an individual subscriber can access one type or the other, not both. Both types are included here to show the full range of ISA services; typically, an ISP deploys either time-based or volume-based services for its subscribers, not both simultaneously.
Network Topology
Figure 14 shows the network topology of this deployment.
Figure 14 Deployment Model 2 Network Topology
Call Flows
The following call flows describe the operation of the network:
•Basic Layer 3 VPN Access Call Flow for PPPoE Sessions
Basic Layer 3 VPN Access Call Flow for PPPoE Sessions
Figure 15 shows the call flow process of establishing basic Layer 3 VPN access. Every user session begins with this process before initiating advanced ISA services.
Figure 15 Layer 3 VPN Access Call Flow
The following describes the sequence of events in Figure 15:
1. The subscriber initiates a PPPoE connection from the PC to the ISG by way of the CPE.
2. The client initiates the session by sending an Access-Request message to the ISG. In this deployment, the ISG is configured for auto-domain operation, and the Access-Request is not transparently forwarded to the AAA server.
3. The ISG sends the subscriber information to the AAA server. The AAA server authenticates the user and sends the appropriate service profile to the ISG.
4. After the user has been successfully authenticated, the ISG sends an Access-Accept message to the client.
5. The ISG sends an Accounting_Start message to the AAA server.
6. When the subscriber ends the session, the client sends a PPPoE Terminate message to the ISG, and the ISG terminates the session and sends an Accounting_Stop message to the AAA server.
Prepaid Services Call Flow
Figure 16 shows the call flow process of establishing prepaid services. In this example, a subscriber initiates the BOD1MTIME service.
Figure 16 Prepaid Services Call Flow
The following describes the sequence of events in Figure 16:
1. The subscriber selects the BOD1MTIME service on the Cisco SESM web interface.
2. The Cisco SESM sends an Access-Request message to the ISG for the subscriber's information.
3. The ISG replies to the Cisco SESM with an Access-Accept message containing the subscriber's information.
4. The Cisco SESM sends an Access-Request message to the ISG requesting information about the BOD1MTIME service.
5. The ISG sends an Access-Request message to the AAA server requesting information about the BOD1MTIME service.
6. The AAA server replies to the ISG with an Access-Accept message containing the traffic class, BOD1MTIME profile, and the prepaid configuration.
7. The ISG sends an Access-Accept message to the AAA server containing the details of the BOD1MTIME service.
8. The ISG sends an Access-Request message to the billing server, notifying it that the subscriber has initiated the BOD1MTIME service.
9. The billing server replies with an Access-Accept message that authorizes the subscriber for a set quota of time.
10. The ISG sends an accounting request to the billing server with the subscriber's username and an event timestamp.
11. After the subscriber quota is depleted, the ISG sends a reauthorization request to renew the quota.
12. The billing server re-authorizes the subscriber and sends a renewed quota to the ISG.
Steps 8 through 12 are repeated until either the subscriber terminates the BOD1MTIME service or the subscriber runs out of quota on the billing server.
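The quota loop of steps 8 through 12, as an added simulation (not code from the Cisco guide): the ISG requests a time quota for BOD1MTIME, counts it down, reauthorizes when it is depleted, and deactivates the service when the billing server has no credit left. The quota slice size, account balance and the message strings are constructed assumptions; the point a practitioner should check is that exhaustion deactivates the service rather than leaving it running.

```python
"""Simulation of the prepaid time-based quota loop (steps 8 through 12 of
the BOD1MTIME call flow).  Added example, not from the Cisco guide; quota
sizes, balances and log strings are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BillingServer:
    """Holds the subscriber's prepaid balance in seconds (constructed)."""
    balance_seconds: int
    quota_seconds: int = 60   # size of each authorized quota slice (assumed)

    def authorize(self, username: str, service: str) -> Optional[int]:
        # Access-Request from the ISG (step 8, and again at step 11): grant
        # the smaller of one slice and what is left; None means Access-Reject.
        if self.balance_seconds <= 0:
            return None
        grant = min(self.quota_seconds, self.balance_seconds)
        self.balance_seconds -= grant
        return grant


class IsgPrepaidSession:
    def __init__(self, username: str, service: str, billing: BillingServer):
        self.username = username
        self.service = service
        self.billing = billing
        self.remaining = 0
        self.active = False
        self.log: List[str] = []

    def activate(self) -> bool:
        grant = self.billing.authorize(self.username, self.service)   # step 8
        if grant is None:
            self.log.append("Access-Reject: no credit")
            return False
        self.remaining = grant                                          # step 9
        self.active = True
        self.log.append(f"Accounting-Request start quota={grant}s")    # step 10
        return True

    def tick(self, seconds: int) -> None:
        """Consume service time; reauthorize whenever the quota runs out."""
        if not self.active:
            return
        self.remaining -= seconds
        # A loop, not a single check: one long interval may span several
        # quota slices, and the ISG must account for all of them.
        while self.active and self.remaining <= 0:
            grant = self.billing.authorize(self.username, self.service)  # step 11
            if grant is None:
                # Out of credit: the service is torn down, not left running.
                self.active = False
                self.remaining = 0
                self.log.append("quota exhausted: service deactivated")
            else:
                self.remaining += grant                                   # step 12
                self.log.append(f"reauthorized quota={grant}s")

    def deactivate(self) -> None:
        """Subscriber-initiated end of the service (the other exit path)."""
        self.active = False
        self.log.append("subscriber deactivated service")


def run_demo(balance: int = 150, usage: int = 170) -> IsgPrepaidSession:
    """Activate BOD1MTIME for a constructed subscriber and burn `usage` seconds."""
    session = IsgPrepaidSession("alice", "BOD1MTIME", BillingServer(balance))
    session.activate()
    for _ in range(usage // 10):
        session.tick(10)
    return session


if __name__ == "__main__":
    for line in run_demo().log:
        print(line)
```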
Device Characteristics Table
Table 5 describes details of the devices in the network.
Table 5 Device Characteristics for Deployment Model 2
Device       Platform                    Software
CPE          Cisco 837                   12.3(2)XC2
ISG          Cisco 7206 or Cisco 7301    12.2(27)SBA
PE           Cisco 6509                  12.2(18)SXD1
AAA Server   UNIX server                 CAR
Deployment Model 3: Triple Play Plus Service Bundle over IP and PPPoE
The following sections describe the deployment model:
Network Topology
Figure 17 shows the network topology of this deployment.
Figure 17 Deployment Model 3 Network Topology
Call Flows
The following call flows describe the operation of the network:
•Basic Layer 3 VPN Access Call Flow for PPPoE Sessions
•Basic Layer 3 VPN Access Call Flow for IP Sessions
Basic Layer 3 VPN Access Call Flow for PPPoE Sessions
For PPPoE sessions, the process of establishing basic Layer 3 VPN access is the same as the process in Deployment Model 2: Multiservice Service Bundle over PPPoE. For details of that process, see the "Basic Layer 3 VPN Access Call Flow for PPPoE Sessions" section.
Basic Layer 3 VPN Access Call Flow for IP Sessions
For IP sessions, the ISA architecture supports multiple methods of authenticating the user, which lead to multiple call flows. The authentication method used depends on whether or not the ISP configures the Transparent Autologon (TAL) feature. TAL enables the ISG to authenticate subscribers on the basis of either the source IP address or the MAC address.
Note If DHCP is used (instead of static IP addresses), TAL can only authenticate subscribers on the basis of the MAC address.
When TAL is not enabled, subscribers are authenticated manually. When subscribers initiate a session, the ISG sends them to the Cisco SESM (using the Layer 4 Redirect feature). Subscribers then enter their usernames and passwords.
Figure 18 shows the call flow process of establishing basic Layer 3 VPN access for IP sessions with non-TAL authentication.
Figure 18 Non-TAL Layer 3 VPN Access Call Flow for IP Sessions
The following describes the sequence of events in Figure 18:
1. The client sends a DHCP Discover message to the ISG, and the ISG sends a DHCP Discover notify message to the DHCP server. The DHCP server then creates a session and identifies the class name from a default service assigned to the session, which is used to allocate the IP address to the client. The DHCP server then sends a start session message to the ISG.
2. The DHCP server sends a DHCP offer message to the client.
3. The client sends a DHCP request message to the DHCP server.
4. The DHCP server assigns the client an IP address and sends it in a DHCP ACK message to the client. The DHCP server sends an Ipaddress Update message to the ISG to notify it of the IP address allocation.
5. The subscriber's port is now allowed to connect only over HTTP to an IP address for the Cisco SESM. Other HTTP requests are sent to the Cisco SESM by the Layer 4 Redirect feature. The subscriber then enters username and password information.
6. The Cisco SESM sends the username and password to the ISG in an Access-Request message.
7. The ISG sends an Access-Request message to the AAA server.
8. The AAA server authenticates the subscriber and sends an Access-Accept message to the ISG.
9. The ISG sends an Access-Accept message to the Cisco SESM, authorizing it to begin service for the subscriber.
10. When the subscriber terminates the session, the client sends a DHCP Release message to the DHCP server.
11. The DHCP server responds with a DHCP ACK message.
12. The ISG sends a terminate session message to the DHCP server, and the DHCP server confirms that the session is ended by sending a session stop message to the ISG.
Figure 19 shows the call flow process of establishing basic Layer 3 VPN access for IP sessions with TAL authentication.
Figure 19 TAL-Based Layer 3 VPN Access Call Flow for IP Sessions
The following describes the sequence of events in Figure 19:
1. The client sends a DHCP Discover message to the ISG.
2. The ISG sends an Authorization Request to the AAA server.
3. The AAA server performs TAL authentication based on either the client's IP address or MAC address and sends an Authorization Reply message to the ISG.
4. If the client is successfully authenticated, the ISG sends an Access Accept message to the Cisco SESM. If the client fails TAL authentication, the subscriber is sent to the Cisco SESM by Layer 4 redirect to log in manually.
5. The ISG sends a DHCP Discover notify message to the DHCP server. The DHCP server then creates a session and identifies the class name from a default service assigned to the session, which is used to allocate the IP address to the client. The DHCP server then sends a Start Session message to the ISG.
6. The DHCP server sends a DHCP offer message to the client.
7. The client sends a DHCP request message to the DHCP server.
8. The DHCP server assigns the client an IP address and sends it in a DHCP ACK message to the client. The DHCP server sends an Ipaddress Update message to the ISG to notify it of the IP address allocation.
9. When the subscriber terminates the session, the client sends a DHCP Release message to the DHCP server.
10. The DHCP server responds with a DHCP ACK message.
11. The ISG sends a terminate session message to the DHCP server, and the DHCP server confirms that the session is ended by sending a session stop message to the ISG.
Device Characteristics Table
Table 6 describes details of the devices in the network.
Table 6 Device Characteristics for Deployment Model 3
Device        Platform                    Software
CPE           Cisco 837                   12.3(2)XC2
ISG           Cisco 7206 or Cisco 7301    12.2(27)SBA
PE            Cisco 6509                  12.2(18)SXD1
AAA Server    UNIX server                 CAR
Deployment Model 4: Triple Play Plus Service Bundle over IP and L2TP
The following sections describe the deployment model:
Network Topology
Figure 20 shows the network topology of this deployment.
Figure 20 Deployment Model 4 Network Topology
Call Flows
The following call flows describe the operation of the network.
Basic Layer 3 VPN Access Call Flow for IP Sessions
For IP sessions, the process of establishing basic Layer 3 VPN access is the same as the process in Deployment Model 2: Multiservice Service Bundle over PPPoE. For details of that process, see the "Basic Layer 3 VPN Access Call Flow for IP Sessions" section.
Basic Layer 3 VPN Access Call Flow for L2TP Sessions
For L2TP sessions, the process of establishing basic Layer 3 VPN access is the same as the process in Deployment Model 1: Basic Internet Access Service Bundle over L2TP. For details of that process, see the "Basic Layer 3 VPN Access Call Flow for L2TP Sessions" section.
Device Characteristics Table
Table 7 describes details of the devices in the network.
Configuring the Network
The configuration of this deployment is divided into the following sections:
•Deployment Model 1: Basic Internet Access Service Bundle over L2TP Configuration
•Deployment Model 2: Multiservice Service Bundle over PPPoE
•Deployment Model 3: Triple Play Plus Service Bundle over IP and PPPoE
•Deployment Model 4: Triple Play Plus Service Bundle over IP and L2TP
Prerequisites
Before the ISA configuration begins, the following baseline network operations must be configured:
•Basic IP connectivity must be established across the entire network
•L2TP must be configured between the ISG LAC and LNS
•Subscribers must be able to establish a PPPoE connection over the L2TP tunnel to the LNS.
Network administrators should be familiar with the following topics:
•CAR configuration procedure: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/3_5/install/config.htm
•CNR configuration procedure: http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/products_user_guide_book09186a008022745c.html
•Basic broadband (PPP and L2TP) configuration:
–http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca72a.html
–http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca724.html
–http://www.cisco.com/en/US/partner/tech/tk801/tk703/technologies_configuration_example09186a0080093c2a.shtml
Baseline Configuration
The following devices are configured to enable baseline network operation. The baseline configuration establishes basic connectivity across the network and enables the user to establish basic Layer 3 VPN access.
•CPE Configuration for PPPoE Deployments
•CPE Configuration for IP Deployments
•PE
CPE Configuration for PPPoE Deployments
This configuration is for the CPE when used in the PPPoE deployments (Deployment Models 1 and 2). The following baseline configuration tasks are performed on the CPE:
•Configuring the Ethernet Interface and DHCP
•Configuring the Outbound Interface
•Configuring the Dialer Interface and NAT
Configuring the Ethernet Interface and DHCP
Interface Ethernet 0 is configured to connect to the user PC, and DHCP is enabled for incoming sessions.
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 load-interval 30
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
ip dhcp excluded-address 10.10.10.1
!
! DHCP configuration for interface Ethernet 0 users
ip dhcp pool CLIENT
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 lease 0 2
Configuring the Outbound Interface
ATM interface 0.5 is configured as a PVC. This is the outbound interface from the CPE to the DSLAM.
interface ATM0.5 point-to-point
! This is the PVC which is going to the ATM DSLAM
 pvc 5/45
  pppoe max-sessions 100
! This associates the PVC with dialer 1
  pppoe-client dial-pool-number 1
Configuring the Dialer Interface and NAT
Dialer interface 1 is configured to receive incoming connections from the user. CHAP is used for the CPE's username and password, and NAT is enabled for outbound traffic.
interface Dialer1
 ip address negotiated
 ip nat outside
! using PPP
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
! The username and password are set for CHAP
 ppp chap hostname C73_DM1_01@L2TP_DM1_101.com
 ppp chap password 0 lab
!
! Enables users on the inside of E0 to access outside using NAT
ip nat inside source list 23 interface Dialer1 overload
!
ip classless
! set the default gateway out the dialer 1 interface
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! allow E0 users to be NAT translated
access-list 23 permit 10.10.10.0 0.0.0.255
CPE Configuration for IP Deployments
The following configuration is for the CPE when used in the IP deployments (Deployment Models 3 and 4). This configures the CPE to bridge subscriber sessions from the user PC on to the DSLAM. IP routing is disabled, and a bridge group is configured on the outbound interface (interface ATM 0.3).
! Disabling IP routing instructs the CPE to bridge IP traffic.
no ip routing
interface Ethernet0
 no ip address
 no ip route-cache
 load-interval 30
 bridge-group 1
 hold-queue 100 out
interface ATM0
 no ip address
 no ip route-cache
 load-interval 30
 no atm ilmi-keepalive
 dsl operating-mode auto
!
! This is the outbound interface to the DSLAM.
interface ATM0.3 point-to-point
 no ip route-cache
 pvc 3/43
  encapsulation aal5snap
!
! Bridge group 1 is configured on the interface.
 bridge-group 1
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname C73_DM4_01@L2TP_DM4_101.com
 ppp chap password 0 lab
PE
The following basic configuration is required for all four of the deployment models. First, the PE is configured to assign subscribers to a VRF and to allow users to access the Cisco SESM.
! Configures the VRF to which subscribers are assigned.
ip vrf VPN10003
 rd 100:3
 route-target export 100:3
 route-target import 100:3
!
!
router bgp 100
 no synchronization
 bgp router-id 10.200.1.45
 bgp log-neighbor-changes
 redistribute connected
 redistribute static
 neighbor 10.200.1.41 remote-as 100
 neighbor 10.200.1.41 update-source Loopback0
 no auto-summary
 !
 !
 ! Allows VRF routes into the BGP routing table.
 address-family ipv4 vrf VPN10003
  redistribute connected
  redistribute static
  no auto-summary
  no synchronization
  network 42.2.103.0 mask 255.255.255.0
  aggregate-address 42.2.103.0 255.255.255.0 summary-only
 exit-address-family
!
!
! Redistributes a route for subscribers in VRF VPN10003 from the global routing table into
! the VRF routing domain. This route is used for subscribers to access the Cisco SESM.
! This command is only necessary when the PBHK feature is enabled.
ip route vrf VPN10003 10.100.3.34 255.255.255.255 GigabitEthernet3/14 10.100.3.34
Deployment Model 1: Basic Internet Access Service Bundle over L2TP Configuration
The following devices are configured to enable the Basic Internet Access Service Bundle over L2TP deployment model:
•Deployment Model 1: AAA Server for ISP-1
•Deployment Model 1: AAA Server for ISP-2
Deployment Model 1: ISG LAC
The following baseline configuration tasks are performed on the ISG LAC:
•Configuring AAA and the Connection to the RADIUS Server
•Configuring the Connection to the LNS and PPPoE
Configuring AAA and the Connection to the RADIUS Server
A basic AAA configuration is entered, and the connection to the RADIUS server is configured, including vendor-specific attribute (VSA) accounting and authentication.
aaa new-model
!
! Configures the connection to the AAA server and identifies it as CAR_SERVER
aaa group server radius CAR_SERVER
 server 10.100.1.35 auth-port 1812 acct-port 1813
!
aaa authentication login default none
! Configures the AAA server for authentication, authorization, and accounting.
aaa authentication login IP_AUTHEN_LIST group CAR_SERVER
aaa authentication ppp default group CAR_SERVER
aaa authorization network default group CAR_SERVER
aaa authorization subscriber-service default local group radius
aaa accounting network default start-stop group CAR_SERVER
!
aaa session-id common
!
!
interface Loopback0
 ip address 10.200.1.53 255.255.255.255
!
! Use Loopback 0 to communicate with radius server
ip radius source-interface Loopback0
!
!
radius-server host 10.100.1.35 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 5
radius-server timeout 15
radius-server vsa send accounting
radius-server vsa send authentication
Configuring the Connection to the LNS and PPPoE
The connection to the LNS is configured. The ISG LAC uses VPDN to initiate L2TP tunnels to the LNS, which carry the subscriber PPPoE sessions. An ISA control policy map instructs L2TP to authenticate on the basis of the domain name, and a BBA group is used to configure PPPoE.
no ip dhcp use vrf connected
!
! This command is enabled by default. It sets the number of ISA rules that are displayed
! in the show subscriber session detail command.
subscriber policy recording rules limit 64
subscriber authorization enable
! Enables VPDN globally, which is used for PPPoE.
vpdn enable
vpdn ip udp ignore checksum
vpdn search-order domain
!
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
!
! This control policy map instructs L2TP to authenticate based on domain name.
policy-map type control RULE_L2TP_LM_ATM3
 class type control always event session-start
  1 collect identifier unauthenticated-domain
  2 authorize identifier unauthenticated-domain
!
!
! The BBA group method is used to configure PPPoE (alternatively, the vpdn-group
! method could be used).
bba-group pppoe BBA_LM_ATM3
 virtual-template 3
!
! This virtual circuit (VC) class is applied to the ATM PVC.
vc-class atm VC_LM_ATM3
! Associates the VC class with the above bba-group.
 protocol pppoe group BBA_LM_ATM3
! Enables dynamic bandwidth selection.
 dbs enable maximum
 encapsulation aal5snap
! Applies the L2TP rule above to the VC class.
 service-policy type control RULE_L2TP_LM_ATM3
!
! Interface Gigabit Ethernet 0/3 points to the LNS.
interface GigabitEthernet0/3
 ip address 40.40.1.53 255.255.255.0
 load-interval 30
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
 mpls mtu 1522
 mpls ip
 ip rsvp bandwidth 100000
!
!
interface ATM1/0.101 multipoint
 description ATM Deployment Model 1
 no atm enable-ilmi-trap
 pvc 101/41
! The VC class is associated with the PVC.
  class-vc VC_LM_ATM3
!
!
! The PPP CHAP configuration is entered on the virtual template.
interface Virtual-Template3
 description VT for LM_ATM3
 no ip address
 no peer default ip address
 no keepalive
 ppp authentication chap
 ppp timeout aaa
Deployment Model 1: AAA Server for ISP-1
The following profile configures L2TP forwarding from the ISG LAC to the LNS. The IP address 10.200.1.56 is the address of the loopback interface on the LNS.
[ //localhost/Radius/UserLists/L2TPDOMAIN/L2TP_DM1_101.com/Attributes ]
    Cisco-AVpair = vpdn:tunnel-id=L2TP_DM1_101
    Cisco-AVpair = vpdn:l2tp-tunnel-password=cisco
    Cisco-AVpair = vpdn:tunnel-type=l2tp
    Cisco-AVpair = vpdn:ip-addresses=10.200.1.56
    Cisco-AVpair = atm:peak-cell-rate=1024
    Cisco-AVpair = atm:sustainable-cell-rate=512
Deployment Model 1: LNS
The following baseline configuration tasks are performed on the LNS:
•Configuring AAA and the Connection to the RADIUS Server
•Configuring PPPoE and the Connection to the ISG LAC
•Configuring Baseline ISA Subscriber Services
•Configuring Inbound and Outbound Access Lists
Configuring AAA and the Connection to the RADIUS Server
In this AAA configuration, connections to the CAR AAA server, the Cisco SESM, and two billing servers are configured. VSA accounting and authentication are enabled, and the loopback interface 0 is used for AAA communications.
aaa new-model
!
! Configures the AAA server group for the CAR AAA server.
aaa group server radius CAR_SERVER
 server 10.100.2.36 auth-port 1812 acct-port 1813
!
! Configures AAA for the CAR AAA server.
aaa authentication login default none
aaa authentication login IP_AUTHEN_LIST group CAR_SERVER
aaa authentication ppp default group CAR_SERVER
aaa authorization network default group CAR_SERVER
aaa authorization subscriber-service default local group radius
aaa accounting network default start-stop group CAR_SERVER
! Configures the connection to the Cisco SESM
aaa server radius sesm
 client 10.100.4.38
 key cisco
 port 1812
 message-authenticator ignore
!
! Loopback 0 is used for communicating with AAA, the billing servers, and SESM.
interface Loopback0
 ip address 10.200.1.56 255.255.255.255
 ip router isis Remote_ISP_7301
! Instructs the router to use loopback 0 to communicate with the AAA RADIUS servers.
ip radius source-interface Loopback0
!
! The CAR AAA server.
radius-server host 10.100.2.36 auth-port 1812 acct-port 1813 key Cisco
radius-server retransmit 5
radius-server key cisco
radius-server vsa send accounting
radius-server vsa send authentication
Configuring PPPoE and the Connection to the ISG LAC
VPDN is configured to receive L2TP tunnels from the ISG LAC over which the PPPoE sessions are sent. A PPP local address pool and MPLS virtual routing and forwarding (VRF) tables are created for incoming subscribers.
no ip dhcp use vrf connected
!
! Globally enables MPLS VRFs for incoming subscribers.
ip vrf VPN_C72_DM1_1001
 rd 200:1001
 route-target export 200:1001
 route-target import 200:1001
!
!
ip cef
!
vpdn enable
vpdn ip udp ignore checksum
!
! VPDN group L2TP_DM1_101 terminates PPPoE clients that come in from the ISG LAC over L2TP
! tunnels.
vpdn-group L2TP_DM1_101
 accept-dialin
  protocol l2tp
  virtual-template 5
 terminate-from hostname L2TP_DM1_101
 local name L2TP_DM1_101
 l2tp tunnel password 0 cisco
!
!
! Gigabit Ethernet interface 0/1 points to the PE.
interface GigabitEthernet0/1
 ip address 27.27.1.56 255.255.255.0
! The PBHK feature is enabled on this interface.
 ip portbundle outside
 ip router isis Remote_ISP_7301
 load-interval 30
 duplex auto
 speed auto
 media-type gbic
 negotiation auto
 mpls label protocol ldp
 mpls ip
!
! Gigabit Ethernet interface 0/2 points to the ISG LAC.
interface GigabitEthernet0/2
 ip address 26.26.1.56 255.255.255.0
 ip router isis Remote_ISP_7301
 load-interval 30
 duplex auto
 speed auto
 media-type gbic
 negotiation auto
!
! PPPoE subscribers terminated from L2TP tunnels use this virtual template.
interface Virtual-Template5
 no ip address
 load-interval 30
 no peer default ip address
 no keepalive
 ppp mtu adaptive
 ppp authentication chap
!
! The local address pool that is assigned to subscribers.
ip local pool C73_DM1_3001 1.3.1.2 1.3.255.254
!
Configuring Baseline ISA Subscriber Services
Basic ISA subscriber services are configured, including Layer 4 redirect to the Cisco SESM and the PBHK feature. When the PBHK feature is enabled, TCP packets from subscribers are mapped to a local IP address for the ISA gateway and a range of ports. This mapping allows the portal to identify the ISA gateway from which the session originated. The PBHK mapping only occurs when the Layer 4 traffic matches the access list configured under the ip portbundle command.
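The PBHK mapping described above can be made concrete with a small model. The following Python is an added example, not ISG code and not part of this guide: it models the ISG's port-bundle table for one source (loopback) address, the translation of a subscriber's TCP connections to the portal, and the portal-side reverse lookup that identifies the gateway and session from the packet source. The 4-bit bundle length (16 ports per bundle), port 1024 as the first bundled port, and the session identifiers are assumptions of the example; only traffic to the SESM address matched by access-list 135 is bundled, as in the configuration that follows.

```python
from dataclasses import dataclass, field

# Assumed for this model only: a 4-bit bundle length (16 ports per bundle) and port 1024 as
# the first port used for bundles. These are example parameters, not values from the guide.
BUNDLE_BITS = 4
BUNDLE_SIZE = 1 << BUNDLE_BITS
FIRST_BUNDLE_PORT = 1024
PORTAL_IP = "10.100.4.38"   # the Cisco SESM address permitted by access-list 135 in the guide


@dataclass
class PortBundleTable:
    """ISG-side PBHK state for one source (loopback) address.

    Each subscriber session gets one bundle of BUNDLE_SIZE consecutive source ports. TCP
    connections to the portal are translated to (source_ip, port-in-bundle), so the portal
    identifies the ISG by source IP and the session by bundle from the packet source alone.
    """
    source_ip: str
    bundles: dict = field(default_factory=dict)     # bundle index -> session id
    by_session: dict = field(default_factory=dict)  # session id -> bundle index

    def allocate(self, session_id):
        """Return the session's bundle index, allocating the lowest free bundle if needed."""
        if session_id in self.by_session:
            return self.by_session[session_id]
        idx = FIRST_BUNDLE_PORT >> BUNDLE_BITS
        while idx in self.bundles:
            idx += 1
        if (idx << BUNDLE_BITS) + BUNDLE_SIZE - 1 > 0xFFFF:
            # Capacity per source address is finite; the guide's remedy is another loopback.
            raise RuntimeError("no free port bundles on %s" % self.source_ip)
        self.bundles[idx] = session_id
        self.by_session[session_id] = idx
        return idx

    def translate(self, session_id, dst_ip, conn_seq):
        """Source (ip, port) the portal sees for the session's conn_seq-th connection to dst_ip.

        Only traffic to the portal is bundled (the 'match access-list 135' condition);
        anything else is left untranslated and None is returned.
        """
        if dst_ip != PORTAL_IP:
            return None
        idx = self.allocate(session_id)
        return self.source_ip, (idx << BUNDLE_BITS) | (conn_seq % BUNDLE_SIZE)

    def lookup(self, src_ip, src_port):
        """Portal-side reverse mapping: which session does this packet source belong to?"""
        if src_ip != self.source_ip:
            return None
        return self.bundles.get(src_port >> BUNDLE_BITS)


def demo():
    """Two sessions on one loopback; returns what the portal resolves for each connection."""
    table = PortBundleTable("10.200.1.56")
    a = table.translate("session-A", PORTAL_IP, 0)
    b = table.translate("session-B", PORTAL_IP, 0)
    return table.lookup(*a), table.lookup(*b), table.translate("session-A", "198.51.100.9", 0)
```

The reverse lookup is the whole point of the feature: because the subscriber's real address is hidden behind the ISG's loopback, the portal needs the bundle to tell sessions apart, and the ISG needs a distinct source address per 4031 bundles, which is why the configuration comments recommend additional loopbacks for more capacity.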
! This command is enabled by default. It sets the number of ISA rules that are displayed
! in the show subscriber session detail command.
subscriber policy recording rules limit 64
! Configures the connection to the Cisco SESM for Layer 4 Redirect functionality.
redirect server-group SESM-Server
 server ip 10.100.4.38 port 8080
!
!
! Enables port bundle host key (PBHK) access to the Cisco SESM. Each loopback interface
! can support up to 4031 bundles. If additional capacity is required, configure additional
! loopback interfaces.
ip portbundle
 match access-list 135
! The Loopback 0 interface is used to communicate with the Cisco SESM.
 source Loopback0
Configuring Inbound and Outbound Access Lists
Basic access lists are configured to govern subscribers' Internet access, and an access list is created for the PBHK feature.
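The following Python is an added example, not code from the guide, that parses the two IOS access-list forms used in this section (named extended ACLs and the numbered access-list 135) and evaluates flows against them with IOS semantics: the first matching entry decides, and a packet that matches nothing hits the implicit deny at the end of every list. The embedded ACL text is a copy of Internet-in-acl and access-list 135 from this section (the Deployment Model 2 lists differ only by the added 84.0.0.0/8 entries); the sample source and destination addresses are constructed. Port qualifiers such as eq and range are not handled, since the lists here do not use them.

```python
import ipaddress
from dataclasses import dataclass

# Copied from the LNS configuration in this section.
INTERNET_IN_ACL = """
ip access-list extended Internet-in-acl
 deny ip any 223.0.0.0 0.255.255.255
 deny ip any 20.0.0.0 0.255.255.255
 deny ip any 40.0.0.0 0.255.255.255
 deny ip any 21.0.0.0 0.255.255.255
 deny ip any 22.0.0.0 0.255.255.255
 deny ip any 41.0.0.0 0.255.255.255
 deny ip any 80.0.0.0 0.255.255.255
 deny ip any 81.0.0.0 0.255.255.255
 deny ip any 82.0.0.0 0.255.255.255
 deny ip any 10.200.0.0 0.0.255.255
 permit ip any any
"""

# The numbered list that selects traffic for PBHK (only traffic to the Cisco SESM).
PBHK_ACL = """
access-list 135 permit ip any host 10.100.4.38
access-list 135 deny ip any any
"""


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    proto: str       # "ip", "tcp", "udp", ...
    src: tuple       # (network, wildcard) as integers; 'any' is (0, 0xFFFFFFFF)
    dst: tuple


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_acl(text):
    """Return (name, [Ace, ...]) for one named extended ACL or one numbered ACL."""
    name, aces = None, []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            name = t[3]
            continue
        if t[0] == "access-list":          # numbered form: access-list N action proto src dst
            name, t = t[1], t[2:]
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        aces.append(Ace(action, proto, src, dst))
    return name, aces


def _matches(spec, addr):
    """IOS wildcard match: bits set in the wildcard are don't-care bits."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(aces, src, dst, proto="ip"):
    """First matching entry decides; no match means the implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.action
    return "deny"


def audit(aces, src, destinations):
    """Map each destination to the action the ACL takes for traffic from src."""
    return {d: evaluate(aces, src, d) for d in destinations}
```

Run audit() with the addresses of your own management devices as the destination list before the ACL is referenced from a subscriber profile; an entry that comes back "permit" is one the list's stated purpose, keeping subscribers off the SESM and management devices, does not cover.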
! This access list is referenced in the AAA subscriber profile. It governs incoming
! Internet traffic. The Internet access lists should prevent subscribers from accessing
! the Cisco SESM and other management devices to help prevent Denial of Service attacks.
!
ip access-list extended Internet-in-acl
 deny ip any 223.0.0.0 0.255.255.255
 deny ip any 20.0.0.0 0.255.255.255
 deny ip any 40.0.0.0 0.255.255.255
 deny ip any 21.0.0.0 0.255.255.255
 deny ip any 22.0.0.0 0.255.255.255
 deny ip any 41.0.0.0 0.255.255.255
 deny ip any 80.0.0.0 0.255.255.255
 deny ip any 81.0.0.0 0.255.255.255
 deny ip any 82.0.0.0 0.255.255.255
 deny ip any 10.200.0.0 0.0.255.255
 permit ip any any
!
! This access list is called out in the AAA subscriber profile. It governs outgoing
! Internet traffic. The Internet access lists should prevent subscribers from accessing
! the Cisco SESM and other management devices to help prevent Denial of Service attacks.
!
ip access-list extended Internet-out-acl
 deny ip 223.0.0.0 0.255.255.255 any
 deny ip 10.200.0.0 0.0.255.255 any
 deny ip 20.0.0.0 0.255.255.255 any
 deny ip 40.0.0.0 0.255.255.255 any
 deny ip 21.0.0.0 0.255.255.255 any
 deny ip 22.0.0.0 0.255.255.255 any
 deny ip 41.0.0.0 0.255.255.255 any
 deny ip 80.0.0.0 0.255.255.255 any
 deny ip 81.0.0.0 0.255.255.255 any
 deny ip 82.0.0.0 0.255.255.255 any
 permit ip any any
!
! This access list is used in the ip portbundle configuration above.
access-list 135 permit ip any host 10.100.4.38
access-list 135 deny ip any any
Deployment Model 1: AAA Server for ISP-2
The following baseline configuration tasks are performed on the AAA server for ISP-2:
•Configuring the Basic Internet Access ISA Subscriber Service
•Configuring the Subscriber's Profile
Configuring Layer 4 Redirect
The following attribute enables the Layer 4 Redirect feature.
[ Attributes ]
    ! Redirects traffic that matches ACL 111 on the LNS to the SESM-Server redirect group.
    Cisco-AVPair = "ip:l4redirect=redirect list 111 to group SESM-Server duration 30 frequency 180"
Configuring PBHK
The following attribute enables the PBHK feature on the AAA server, which enables access to the SESM by way of the PBHK feature.
[ Attributes ]
    Cisco-AVPair = ip:portbundle=enable
Configuring the Basic Internet Access ISA Subscriber Service
The following profile configures the basic Internet access service.
[ //localhost/Radius/UserLists/SERVICES/INTERNET_SERVICE/Attributes ]
    ! Specifies the ACLs that govern this service.
    Cisco-AVPair = ip:inacl=Internet-in-acl
    Cisco-AVPair = ip:outacl=Internet-out-acl
    ! The "I" before "INTERNET_SERVICE" tells the Cisco SESM what the name of the service is.
    ! The Cisco SESM will display this service by the name "INTERNET_SERVICE".
    Cisco-SSG-Service-Info = IINTERNET_SERVICE
    ! The "R" prefix specifies the service route (destination network and mask) for this
    ! service.
    Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
Configuring the Subscriber's Profile
This profile configures the PPP profile that is used in the subscriber's base profile.
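The attribute syntax in these profiles is easy to get subtly wrong: an ACL name that no router defines, a Service-Info "I" name that does not match the profile, a malformed service route, or an L2TP domain entry missing one of its vpdn attributes. The following Python is an added example, not code from the guide or from CAR, that parses CAR-style profile entries and lints them against the names the router actually configures. The embedded entries are copies of the Deployment Model 1 entries shown in this section; placing the ip:l4redirect attribute inside the INTERNET_SERVICE profile is an assumption of the example (the guide shows it in an unnamed attribute block), and the sets of known ACL names and redirect groups are passed in by hand from the LNS configuration.

```python
import ipaddress
import re

# Constructed copy of the Deployment Model 1 profile entries shown in this section. The
# ip:l4redirect line is placed inside INTERNET_SERVICE for the example only.
PROFILES = """
[ //localhost/Radius/UserLists/L2TPDOMAIN/L2TP_DM1_101.com/Attributes ]
Cisco-AVpair = vpdn:tunnel-id=L2TP_DM1_101
Cisco-AVpair = vpdn:l2tp-tunnel-password=cisco
Cisco-AVpair = vpdn:tunnel-type=l2tp
Cisco-AVpair = vpdn:ip-addresses=10.200.1.56
[ //localhost/Radius/UserLists/SERVICES/INTERNET_SERVICE/Attributes ]
Cisco-AVPair = ip:inacl=Internet-in-acl
Cisco-AVPair = ip:outacl=Internet-out-acl
Cisco-AVPair = "ip:l4redirect=redirect list 111 to group SESM-Server duration 30 frequency 180"
Cisco-SSG-Service-Info = IINTERNET_SERVICE
Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
[ //localhost/Radius/UserLists/ie2-C7301-LNS/C73_DM1_01@L2TP_DM1_101.com/Attributes ]
Cisco-AVpair = "ip:ip-unnumbered=loopback 3001"
Cisco-AVpair = ip:addr-pool=C73_DM1_3001
Cisco-SSG-Account-Info = AINTERNET_SERVICE
"""

L4REDIRECT_RE = re.compile(
    r"^redirect list (\d+) to group (\S+)(?: duration (\d+))?(?: frequency (\d+))?$")
L2TP_REQUIRED = ("vpdn:tunnel-id", "vpdn:tunnel-type", "vpdn:ip-addresses",
                 "vpdn:l2tp-tunnel-password")


def parse_profiles(text):
    """Group 'Name = value' lines under the preceding '[ path ]' header; strips quotes."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            current = header.group(1)
            profiles[current] = []
            continue
        name, _, value = line.partition("=")
        profiles[current].append((name.strip(), value.strip().strip('"')))
    return profiles


def avpairs(attrs):
    """Cisco-AVpair values as {'namespace:key': value}; the attribute name is case-insensitive."""
    out = {}
    for name, value in attrs:
        if name.lower() == "cisco-avpair":
            key, _, val = value.partition("=")
            out[key] = val
    return out


def parse_l4redirect(value):
    """Split 'redirect list N to group G [duration D] [frequency F]' into its fields."""
    m = L4REDIRECT_RE.match(value)
    if not m:
        raise ValueError("unrecognised l4redirect syntax: %r" % value)
    lst, group, duration, frequency = m.groups()
    return {"list": int(lst), "group": group,
            "duration": int(duration) if duration else None,
            "frequency": int(frequency) if frequency else None}


def lint_l2tp_domain(attrs):
    """Return the vpdn keys an L2TP forwarding profile still lacks."""
    av = avpairs(attrs)
    return [k for k in L2TP_REQUIRED if k not in av]


def lint_service(name, attrs, known_acls, known_groups):
    """Cross-check a service profile against the ACLs and redirect groups the router defines."""
    findings, av = [], avpairs(attrs)
    for key in ("ip:inacl", "ip:outacl"):
        acl = av.get(key)
        if acl is None:
            findings.append("%s: missing %s" % (name, key))
        elif acl not in known_acls:
            findings.append("%s: %s references undefined ACL %s" % (name, key, acl))
    if "ip:l4redirect" in av:
        group = parse_l4redirect(av["ip:l4redirect"])["group"]
        if group not in known_groups:
            findings.append("%s: redirect group %s is not configured" % (name, group))
    infos = [v for n, v in attrs if n == "Cisco-SSG-Service-Info"]
    if [v[1:] for v in infos if v.startswith("I")] != [name]:
        findings.append("%s: Service-Info 'I' name does not match the profile name" % name)
    for v in infos:
        if v.startswith("R"):
            net, _, mask = v[1:].partition(";")
            try:
                ipaddress.IPv4Network("%s/%s" % (net, mask))
            except ValueError:
                findings.append("%s: malformed service route %s" % (name, v))
    return findings
```

A service whose ip:inacl names an ACL that does not exist on the LNS is applied without the filtering the profile intends, so this cross-check belongs in whatever process pushes profiles to the AAA server.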
[ //localhost/Radius/UserLists/ie2-C7301-LNS/C73_DM1_01@L2TP_DM1_101.com/Attributes ]
    Cisco-AVpair = "ip:ip-unnumbered=loopback 3001"
    Cisco-AVpair = ip:addr-pool=C73_DM1_3001
    Cisco-SSG-Account-Info = AINTERNET_SERVICE
Deployment Model 2: Multiservice Service Bundle over PPPoE
The following devices are configured to enable the Deployment Model 2: Multiservice Service Bundle over PPPoE deployment model:
•Deployment Model 2: ISG Baseline Configuration
•Deployment Model 2: ISG Configuration for ISA Services
•Deployment Model 2: AAA Server
Deployment Model 2: ISG Baseline Configuration
The following baseline configuration tasks are performed on the LNS:
•Configuring AAA and the Connection to the RADIUS Server
•Configuring PPPoE and the Connections to the CPE and PE
•Configuring Baseline ISA Subscriber Services
•Configuring Inbound and Outbound Access Lists
Configuring AAA and the Connection to the RADIUS Server
In this AAA configuration, connections to the CAR AAA server, the Cisco SESM, and two billing servers are configured. VSA accounting and authentication are enabled, and the loopback interface 0 is used for AAA communications.
aaa new-model
!
! Configures the AAA server group for the CAR AAA server.
aaa group server radius CAR_SERVER
 server 10.100.2.36 auth-port 1812 acct-port 1813
!
! Configures the AAA server group for the RSIM_SERVER billing server.
aaa group server radius RSIM_SERVER
 server 10.100.12.89 auth-port 1645 acct-port 1646
! Configures AAA for the CAR AAA server.
aaa authentication login default none
aaa authentication ppp default group CAR_SERVER
! Configures authentication for prepaid customers on the RSIM_SERVER billing server.
aaa authentication ppp PREPAID_AUTHEN_LIST group RSIM_SERVER
aaa authorization network default group CAR_SERVER
! Configures authorization for prepaid customers on the RSIM_SERVER billing server.
aaa authorization network PREPAID_AUTHOR_LIST group RSIM_SERVER
aaa authorization subscriber-service default local group radius
aaa accounting network default start-stop group CAR_SERVER
! Configures accounting for prepaid customers on the RSIM_SERVER billing server.
aaa accounting network PREPAID_ACCNT_LIST start-stop group RSIM_SERVER
! Configures the connection to the Cisco SESM
aaa server radius sesm
 client 10.100.4.38
 key cisco
 port 1812
 message-authenticator ignore
!
! Loopback 0 is used for communicating with AAA, the billing servers, and SESM.
interface Loopback0
 ip address 10.200.1.53 255.255.255.255
! Instructs the router to use loopback 0 to communicate with the AAA RADIUS servers.
ip radius source-interface Loopback0
!
! These RADIUS attributes are required for prepaid services.
radius-server attribute 44 include-in-access-req
radius-server attribute 8 include-in-access-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
! The CAR AAA server.
radius-server host 10.100.1.35 auth-port 1812 acct-port 1813 key cisco
! The RSIM_SERVER billing server.
radius-server host 10.100.12.89 auth-port 1645 acct-port 1646 key cisco
radius-server retransmit 5
radius-server timeout 15
radius-server vsa send accounting
radius-server vsa send authentication
Configuring PPPoE and the Connections to the CPE and PE
The LNS is configured to receive PPPoE sessions from the CPE by way of the DSLAM. A PPP local pool and MPLS VRF tables are created for incoming subscribers.
no ip dhcp use vrf connected
!
! Globally enables MPLS VRFs for incoming subscribers.
ip vrf VPN10005
 rd 100:5
 route-target export 100:5
 route-target import 100:5
!
!
ip cef
!
!
! The BBA group method is used to configure PPPoE.
bba-group pppoe BBA_LM_ATM5
 virtual-template 8
 sessions per-vc limit 1
!
! This virtual circuit (VC) class is applied to the ATM PVC.
vc-class atm VC_LM_ATM8
! Associates the VC class with the above bba-group.
 protocol pppoe group BBA_LM_ATM8
! Enables dynamic bandwidth selection.
 dbs enable maximum
 encapsulation aal5snap
!
! Gigabit Ethernet interface 0/3 points to the PE.
interface GigabitEthernet0/3
 ip address 40.40.1.53 255.255.255.0
! The PBHK feature is enabled on this interface.
 ip portbundle outside
 load-interval 30
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
 mpls mtu 1522
 mpls ip
 service-policy output QOS_OUT_MPLS_UPLINK
 ip rsvp bandwidth 100000
!
! ATM interface 1/0.105 points to the CPE.
interface ATM1/0.105 point-to-point
 description Deployment Model 2
 atm pppatm passive
 no atm enable-ilmi-trap
 pvc 105/45
! The VC class is associated with the PVC.
  class-vc VC_LM_ATM8
! This can be changed to restrict PPPoE sessions on the PVC.
  pppoe max-sessions 1
!
! PPPoE subscribers use this virtual template.
interface Virtual-Template8
 description LM ATM8 PTA Subscriber
 no ip address
 no peer default ip address
 no keepalive
 ppp timeout authentication 100
 ppp timeout aaa
 load-interval 30
 ppp mtu adaptive
 ppp authentication chap
 service-policy control RULE_PTA_LM_ATM8
!
! The local address pool that is assigned to subscribers.
ip local pool cpe3_pool-53-VPN10005 200.53.3.210 200.53.3.250
Configuring Baseline ISA Subscriber Services
Basic ISA subscriber services are configured, including Layer 4 redirect to the Cisco SESM and the PBHK feature. When the PBHK feature is enabled, TCP packets from subscribers are mapped to a local IP address for the ISA gateway and a range of ports. This mapping allows the portal to identify the ISA gateway from which the session originated.
! Configures the connection to the Cisco SESM for Layer 4 Redirect functionality.
redirect server-group SESM-Server
 server ip 10.100.4.38 port 8080
!
!
! Enables port bundle host key (PBHK) access to the Cisco SESM. Each loopback interface
! can support up to 4031 bundles. If additional capacity is required, configure additional
! loopback interfaces.
ip portbundle
 match access-list 135
! The Loopback 0 interface is used to communicate with the Cisco SESM.
 source Loopback0
!
!
! This command is enabled by default. It sets the number of ISA rules that are displayed
! in the show subscriber session detail command.
subscriber policy recording rules limit 64
Configuring Inbound and Outbound Access Lists
Basic access lists are configured to govern subscribers' Internet access, and an access list is created for the PBHK feature.
! This access list is referenced in the AAA subscriber profile. It governs incoming
! Internet traffic. The Internet access lists should prevent subscribers from accessing
! the Cisco SESM and other management devices to help prevent Denial of Service attacks.
!
ip access-list extended Internet-in-acl
 deny ip any 223.0.0.0 0.255.255.255
 deny ip any 20.0.0.0 0.255.255.255
 deny ip any 40.0.0.0 0.255.255.255
 deny ip any 21.0.0.0 0.255.255.255
 deny ip any 22.0.0.0 0.255.255.255
 deny ip any 41.0.0.0 0.255.255.255
 deny ip any 80.0.0.0 0.255.255.255
 deny ip any 81.0.0.0 0.255.255.255
 deny ip any 82.0.0.0 0.255.255.255
 deny ip any 84.0.0.0 0.255.255.255
 deny ip any 10.200.0.0 0.0.255.255
 permit ip any any
!
! This access list is called out in the AAA subscriber profile. It governs outgoing
! Internet traffic. The Internet access lists should prevent subscribers from accessing
! the Cisco SESM and other management devices to help prevent Denial of Service attacks.
!
ip access-list extended Internet-out-acl
 deny ip 223.0.0.0 0.255.255.255 any
 deny ip 10.200.0.0 0.0.255.255 any
 deny ip 20.0.0.0 0.255.255.255 any
 deny ip 40.0.0.0 0.255.255.255 any
 deny ip 21.0.0.0 0.255.255.255 any
 deny ip 22.0.0.0 0.255.255.255 any
 deny ip 41.0.0.0 0.255.255.255 any
 deny ip 80.0.0.0 0.255.255.255 any
 deny ip 81.0.0.0 0.255.255.255 any
 deny ip 82.0.0.0 0.255.255.255 any
 deny ip 84.0.0.0 0.255.255.255 any
 permit ip any any
!
! This access list is used in the ip portbundle configuration above. It only permits
! traffic to the Cisco SESM.
access-list 135 permit ip any host 10.100.4.38
access-list 135 deny ip any any
Deployment Model 2: ISG Configuration for ISA Services
The following configuration tasks are performed on the LNS to enable the advanced ISA subscriber services:
•Configuring the Global Prepaid Services Configuration
•Configuring the BOD1MTIME Service
•Configuring the BOD2MTIME Service
•Configuring the BOD1MVOLUME Service
•Configuring the BOD2MVOLUME Service
Configuring the Global Prepaid Services Configuration
The global attributes of the prepaid services are configured for each of the two billing servers.
! This is the global configuration for the PREPAID_RSIM prepaid billing server.
subscriber feature prepaid PREPAID_RSIM
 threshold time 20 seconds
! Specifies the size of the threshold the ISG requests from the billing server. The
! threshold is an increment of the user's quota. When the threshold (in this case 1000
! bytes) is exhausted, the ISG requests another 1000 bytes from the subscriber's account.
! This continues until the subscriber terminates the session, or the subscriber's account
! is depleted.
 threshold volume 1000 bytes
 interim-interval 3 minutes
! References the authorization list in the above AAA configuration.
 method-list author PREPAID_AUTHOR_LIST
! References the accounting list in the above AAA configuration.
 method-list accounting PREPAID_ACCNT_LIST
! This is the prepaid password that is configured on the billing servers.
 password cisco
Note If you configure only default values for a prepaid service, the configuration will not appear in show running-config command output, but the configuration will be active.
! This is the global configuration for the default prepaid service.
subscriber feature prepaid default
 threshold time 20 seconds
! The quota size for this service is set at 200 bytes.
 threshold volume 200 bytes
 interim-interval 3 minutes
 method-list author default
 method-list accounting default
 password cisco
!
! This command is enabled by default. It sets the number of rules that are displayed in
! the show subscriber session detail command.
subscriber policy recording rules limit 64
subscriber authorization enable
! Creates the policy map that is used for time based service.
policy-map type control RULE_PTA_TIME_LM_ATM8
! When a session is initiated, PBHK is applied and the subscriber is redirected to the
! Cisco SESM to select a service.
 class type control always event session-start
  1 service-policy type service name PBHK_SERVICE
  2 service-policy type service name L4REDIRECT_SERVICE
 !
! The quota-depleted event is triggered when either a prepaid threshold is not configured,
! or if the quota is depleted before the billing server replenishes the quota.
 class type control always event quota-depleted
! Specifies that traffic won't be dropped when the quota is depleted.
  1 set-param drop-traffic FALSE
 !
! The credit-exhausted event is triggered when the subscriber's account is empty.
 class type control always event credit-exhausted
! Redirects subscribers whose accounts are depleted to the Cisco SESM.
  1 service-policy type service name L4REDIRECT_SERVICE
!
! Creates the policy map for volume-based service. The same global configuration is
! applied as that for the time-based policy map.
policy-map type control RULE_PTA_VOLUME_LM_ATM8
 class type control always event session-start
  1 service-policy type service name PBHK_SERVICE
  2 service-policy type service name L4REDIRECT_SERVICE
 !
 class type control always event quota-depleted
  1 set-param drop-traffic FALSE
 !
 class type control always event credit-exhausted
  1 service-policy type service name L4REDIRECT_SERVICE
Note The specific bandwidths described in this document are only used as examples. SPs are free to configure any bandwidth levels that their service requires.
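The three events the prepaid policy maps above react to (session-start, quota-depleted, credit-exhausted) and the effect of drop-traffic FALSE are easiest to see in a small state machine. The following Python is an added example, not ISG code and not from this guide: it models one volume-based prepaid session against a constructed billing account, using the guide's threshold semantics (the ISG requests the account balance in threshold-sized increments until the account is depleted). It simplifies in two ways that should be stated: it requests the next increment only when the current one is used up, so every renewal passes through the quota-depleted event, and it does not model the time threshold or interim accounting. The service name BOD1MVOLUME and the byte counts are example values.

```python
from dataclasses import dataclass, field


@dataclass
class BillingAccount:
    """Constructed stand-in for the prepaid billing server: one subscriber's credit in bytes."""
    balance: int

    def authorize(self, requested):
        """Grant up to `requested` bytes; a grant of 0 means the credit is exhausted."""
        grant = min(requested, self.balance)
        self.balance -= grant
        return grant


@dataclass
class PrepaidSession:
    """ISG-side view of one volume-based prepaid session under the policy map above."""
    account: BillingAccount
    threshold_volume: int            # 'threshold volume N bytes'
    drop_traffic: bool = False       # 'set-param drop-traffic FALSE' on quota-depleted
    quota: int = 0                   # bytes granted but not yet consumed
    services: set = field(default_factory=set)
    events: list = field(default_factory=list)

    def start(self):
        """session-start: PBHK and Layer 4 redirect are applied, then the first quota is requested."""
        self.services |= {"PBHK_SERVICE", "L4REDIRECT_SERVICE"}
        self.events.append("session-start")
        self._replenish()

    def _replenish(self):
        """Ask the billing server for one more threshold-sized increment."""
        grant = self.account.authorize(self.threshold_volume)
        if grant == 0:
            # credit-exhausted: the policy map re-applies L4REDIRECT_SERVICE so the
            # subscriber lands on the Cisco SESM.
            self.events.append("credit-exhausted")
            self.services.add("L4REDIRECT_SERVICE")
            return False
        self.quota += grant
        return True

    def select_service(self, name):
        """service-start for a BOD service: the redirect is unapplied and the service applied."""
        self.services.discard("L4REDIRECT_SERVICE")
        self.services.add(name)

    def forward(self, nbytes):
        """Account for `nbytes` of subscriber traffic; return how many bytes were forwarded."""
        forwarded = 0
        while nbytes > 0:
            if self.quota == 0:
                # The granted quota ran out before a new grant arrived: quota-depleted event.
                self.events.append("quota-depleted")
                if not self._replenish():
                    # Credit is gone. With drop-traffic FALSE the remaining bytes still flow
                    # (the subscriber is now redirected); with TRUE they are dropped.
                    return forwarded if self.drop_traffic else forwarded + nbytes
            take = min(nbytes, self.quota)
            self.quota -= take
            nbytes -= take
            forwarded += take
        return forwarded


def simulate(balance, threshold, usage, drop_traffic=False, service="BOD1MVOLUME"):
    """Run one session end to end; return (events, bytes forwarded, services applied at the end)."""
    s = PrepaidSession(BillingAccount(balance), threshold, drop_traffic)
    s.start()
    s.select_service(service)
    forwarded = s.forward(usage)
    return s.events, forwarded, sorted(s.services)
```

With a 2500-byte account, a 1000-byte threshold and 2600 bytes of usage, the session passes through three quota-depleted events, then credit-exhausted, and ends with L4REDIRECT_SERVICE applied next to the BOD service; because drop-traffic is FALSE, all 2600 bytes are forwarded, while the same run with drop-traffic TRUE forwards only the 2500 the account covered.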
Configuring the BOD1MTIME Service
For each of the additional services to be configured, a control class map is configured to define the matching conditions that the policy map uses to trigger the events that start and stop the service.
! This control class map defines the BOD1MTIME_CLASS service.
class-map type control match-all BOD1MTIME_CLASS
 match service-name BOD1MTIME
!
! When subscribers start the service, the other services are unapplied.
policy-map type control RULE_PTA_TIME_LM_ATM8
 class type control BOD1MTIME_CLASS_DM2 event service-start
  1 service-policy type service unapply name L4REDIRECT_SERVICE
  2 service-policy type service unapply name BOD2MTIME_DM2
  3 service-policy type service identifier service-name
! When subscribers stop the service, it is unapplied, and Layer 4 redirect is applied to
! redirect the subscriber to the Cisco SESM.
 class type control BOD1MTIME_CLASS_DM2 event service-stop
  1 service-policy type service unapply identifier service-name
  2 service-policy type service name L4REDIRECT_SERVICE
Configuring the BOD2MTIME Service
The same method as for BOD1MTIME is used to configure the BOD2MTIME service.
class-map type control match-all BOD2MTIME_CLASS
 match service-name BOD2MTIME
!
policy-map type control RULE_PTA_TIME_LM_ATM8
 class type control BOD2MTIME_CLASS_DM2 event service-start
  1 service-policy type service unapply name L4REDIRECT_SERVICE
  2 service-policy type service unapply name BOD1MTIME_DM2
  3 service-policy type service identifier service-name
 !
 class type control BOD2MTIME_CLASS_DM2 event service-stop
  1 service-policy type service unapply identifier service-name
  2 service-policy type service name L4REDIRECT_SERVICE
Configuring the BOD1MVOLUME Service
The same method used for BOD1MTIME is used to configure the BOD1MVOLUME service.
class-map type control match-all BOD1MVOLUME_CLASS
 match service-name BOD1MVOLUME
policy-map type control RULE_PTA_VOLUME_LM_ATM8
 class type control BOD1MVOLUME_CLASS_DM2 event service-start
  1 service-policy type service unapply name L4REDIRECT_SERVICE
  2 service-policy type service unapply name BOD2MVOLUME_DM2
  3 service-policy type service identifier service-name
 !
 class type control BOD1MVOLUME_CLASS_DM2 event service-stop
  1 service-policy type service unapply identifier service-name
  2 service-policy type service name L4REDIRECT_SERVICE
Configuring the BOD2MVOLUME Service
The same method used for BOD1MTIME is used to configure the BOD2MVOLUME service.
class-map type control match-all BOD2MVOLUME_CLASS
 match service-name BOD2MVOLUME
!
policy-map type control RULE_PTA_VOLUME_LM_ATM8
 class type control BOD2MVOLUME_CLASS_DM2 event service-start
  1 service-policy type service unapply name L4REDIRECT_SERVICE
  2 service-policy type service unapply name BOD1MVOLUME_DM2
  3 service-policy type service identifier service-name
 !
 class type control BOD2MVOLUME_CLASS_DM2 event service-stop
  1 service-policy type service unapply identifier service-name
  2 service-policy type service name L4REDIRECT_SERVICE
Deployment Model 2: AAA Server
The following baseline configuration tasks are performed on the AAA server for ISP-2:
•Configuring the Time-Based ISA Subscriber Services
•Configuring the Volume-Based ISA Services
•Configuring User profiles for Time-Based and Volume-Based Customers
Configuring the Time-Based ISA Subscriber Services
This profile specifies the details of the BOD1MTIME service. For all of the ISA services, a priority level must be configured in order for the Layer 4 Redirect feature to work properly. If priority levels are not configured, then when the subscriber's credit is exhausted the Layer 4 Redirect feature is added to the subscriber's existing service (such as BOD1MTIME), but it is not applied.
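The priority rule stated in this paragraph can be checked mechanically before profiles are loaded on the AAA server. The following Python script is an added example, not part of the Cisco guide: it parses service profiles written in the bracketed `[ NAME/Attributes ]` layout used in this section, records each traffic class with its priority, and reports user-selectable services whose traffic classes either lack a priority or would not be pre-empted by the L4REDIRECT_SERVICE priority. The BOD1MTIME_DM2 and L4REDIRECT_SERVICE profiles in the sample input carry this section's attribute values; the BROKEN_SERVICE profile, the function names and the `ServiceProfile` data model are constructed for the example.

```python
"""Lint RADIUS service profiles for the Layer 4 Redirect priority rule (added
example, not Cisco code).  The redirect only takes effect if its traffic class has
a numerically lower, i.e. higher-precedence, priority than every selectable service."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HEADER_RE = re.compile(r"^\[\s*(?P<path>\S+)/Attributes\s*\]$")
ATTR_RE = re.compile(r"^(?P<key>[\w-]+)\s*=\s*(?P<val>.+?)\s*$")
TRAFFIC_CLASS_RE = re.compile(
    r"^ip:traffic-class=(?P<dir>in|out)\s+access-group\s+name\s+(?P<acl>\S+)"
    r"(?:\s+priority\s+(?P<prio>\d+))?$")

# Constructed sample input: BOD1MTIME_DM2 and L4REDIRECT_SERVICE carry this
# section's values; BROKEN_SERVICE is made up to show a profile lacking priorities.
SAMPLE_PROFILES = """\
[ BOD1MTIME_DM2/Attributes ]
Cisco-AVPair = "ip:traffic-class=in access-group name INTERNET_IN_ACL priority 10"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name INTERNET_OUT_ACL priority 10"
Cisco-SSG-Service-Info = IBOD1MTIME_DM2
Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
[ BROKEN_SERVICE/Attributes ]
Cisco-AVPair = "ip:traffic-class=in access-group name INTERNET_IN_ACL"
Cisco-AVPair = "ip:traffic-class=out access-group name INTERNET_OUT_ACL"
Cisco-SSG-Service-Info = IBROKEN_SERVICE
Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
[ //localhost/Radius/UserLists/SERVICES/L4REDIRECT_SERVICE/Attributes ]
Cisco-AVPair = "ip:traffic-class=in access-group name IP_REDIRECT_ACL priority 5"
Cisco-AVPair = "ip:traffic-class=out access-group name IP_REDIRECT_ACL priority 5"
Cisco-AVPair = "ip:l4redirect=redirect to group SESM_SERVER_GROUP"
Cisco-SSG-Service-Info = IL4REDIRECT_SERVICE
"""

@dataclass
class TrafficClass:
    direction: str
    acl: str
    priority: Optional[int]        # None when the AV pair carries no "priority N"

@dataclass
class ServiceProfile:
    name: str
    selectable: bool = False       # an "R..." Service-Info marks a user-selectable service
    redirect: bool = False         # profile carries an ip:l4redirect AV pair
    traffic_classes: List[TrafficClass] = field(default_factory=list)

def parse_profiles(text: str) -> Dict[str, ServiceProfile]:
    """Parse the bracketed profile layout into ServiceProfile objects keyed by name."""
    profiles: Dict[str, ServiceProfile] = {}
    current: Optional[ServiceProfile] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):       # blank or comment line
            continue
        header = HEADER_RE.match(line)
        if header:                                  # last path element is the service name
            name = header.group("path").rsplit("/", 1)[-1]
            current = profiles.setdefault(name, ServiceProfile(name))
            continue
        attr = ATTR_RE.match(line)
        if attr is None or current is None:
            continue
        key, value = attr.group("key").lower(), attr.group("val").strip('"')
        if key == "cisco-ssg-service-info":
            current.selectable |= value.startswith("R")
        elif key == "cisco-avpair":                 # the page spells it AVPair and AVpair
            tc = TRAFFIC_CLASS_RE.match(value)
            if tc:
                prio = tc.group("prio")
                current.traffic_classes.append(TrafficClass(
                    tc.group("dir"), tc.group("acl"), int(prio) if prio else None))
            elif value.startswith("ip:l4redirect="):
                current.redirect = True
    return profiles

def find_priority_violations(profiles: Dict[str, ServiceProfile],
                             redirect_name: str = "L4REDIRECT_SERVICE") -> List[Tuple[str, str]]:
    """Return (service, problem) pairs for selectable services whose traffic classes
    would not be pre-empted by the redirect service's traffic classes."""
    redirect = profiles.get(redirect_name)
    if redirect is None or not redirect.redirect:
        return [(redirect_name, "redirect profile missing or has no ip:l4redirect AV pair")]
    redirect_prios = [tc.priority for tc in redirect.traffic_classes]
    if not redirect_prios or None in redirect_prios:
        return [(redirect_name, "redirect traffic classes need an explicit priority")]
    threshold = max(redirect_prios)   # even the redirect's weakest class must still win
    problems: List[Tuple[str, str]] = []
    for svc in profiles.values():
        if not svc.selectable:
            continue
        for tc in svc.traffic_classes:
            if tc.priority is None:
                problems.append((svc.name, f"{tc.direction} class {tc.acl} has no priority"))
            elif tc.priority <= threshold:
                problems.append((svc.name, f"{tc.direction} class {tc.acl} priority "
                                 f"{tc.priority} does not yield to redirect priority {threshold}"))
    return problems
```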
[ BOD1MTIME_DM2/Attributes ]
! All of the user-selectable services are given the priority level 10.
Cisco-AVPair = "ip:traffic-class=in access-group name INTERNET_IN_ACL priority 10"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name INTERNET_OUT_ACL priority 10"
Cisco-AVPair = "ip:traffic-class=out default drop"
Cisco-AVPair = subscriber:accounting-list=PREPAID_ACCNT_LIST
Cisco-AVPair = prepaid-config=PREPAID_RSIM
Cisco-AVPair = atm:peak-cell-rate=1024
Cisco-AVPair = atm:sustainable-cell-rate=1024
! The "I" in the attribute tells the Cisco SESM that the name of this service is
! "BOD1MTIME_DM2".
Cisco-SSG-Service-Info = IBOD1MTIME_DM2
! The "R" in the attribute tells the Cisco SESM that this is a user-selectable service.
Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
This profile specifies the details of the BOD2MTIME service.
[ BOD2MTIME_DM2/Attributes ]
Cisco-AVPair = "ip:traffic-class=in access-group name INTERNET_IN_ACL priority 10"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name INTERNET_OUT_ACL priority 10"
Cisco-AVPair = "ip:traffic-class=out default drop"
Cisco-AVPair = subscriber:accounting-list=PREPAID_ACCNT_LIST
Cisco-AVPair = prepaid-config=PREPAID_RSIM
Cisco-AVPair = atm:peak-cell-rate=2048
Cisco-AVPair = atm:sustainable-cell-rate=2048
Cisco-SSG-Service-Info = IBOD2MTIME_DM2
Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
Configuring the Volume-Based ISA Services
This profile specifies the details of the BOD1MVOLUME service.
[ BOD1MVOLUME_DM2/Attributes ]
Cisco-AVPair = "ip:traffic-class=in access-group name INTERNET_IN_ACL priority 10"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name INTERNET_OUT_ACL priority 10"
Cisco-AVPair = "ip:traffic-class=out default drop"
Cisco-AVPair = subscriber:accounting-list=PREPAID_ACCNT_LIST
Cisco-AVPair = prepaid-config=PREPAID_RSIM
Cisco-AVPair = atm:peak-cell-rate=1024
Cisco-AVPair = atm:sustainable-cell-rate=1024
Cisco-SSG-Service-Info = IBOD1MVOLUME_DM2
Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
This profile specifies the details of the BOD2MVOLUME service.
[ BOD2MVOLUME_DM2/Attributes ]
Cisco-AVPair = "ip:traffic-class=in access-group name INTERNET_IN_ACL priority 10"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name INTERNET_OUT_ACL priority 10"
Cisco-AVPair = "ip:traffic-class=out default drop"
Cisco-AVPair = subscriber:accounting-list=PREPAID_ACCNT_LIST
Cisco-AVPair = prepaid-config=PREPAID_RSIM
Cisco-AVPair = atm:peak-cell-rate=2048
Cisco-AVPair = atm:sustainable-cell-rate=2048
Cisco-SSG-Service-Info = IBOD2MVOLUME_DM2
Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
Configuring Layer 4 Redirect
This attribute enables the Layer 4 Redirect feature.
[ //localhost/Radius/UserLists/SERVICES/L4REDIRECT_SERVICE/Attributes ]
! The Layer 4 Redirect feature is given the priority level 5, which is a higher priority
! than the user-selectable features. This ensures that subscribers are redirected when
! their accounts are exhausted.
Cisco-AVPair = "ip:traffic-class=in access-group name IP_REDIRECT_ACL priority 5"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name IP_REDIRECT_ACL priority 5"
Cisco-AVPair = "ip:traffic-class=out default drop"
Cisco-AVPair = "ip:l4redirect=redirect to group SESM_SERVER_GROUP"
Cisco-SSG-Service-Info = IL4REDIRECT_SERVICE
Configuring PBHK
This profile enables the PBHK feature on the AAA server; subscribers reach the SESM by way of PBHK.
[ //localhost/Radius/UserLists/SERVICES/PBHK_SERVICE/Attributes ]
Cisco-AVPair = ip:portbundle=enable
! The "I" in the attribute tells the Cisco SESM that the name of this service is
! "PBHK_SERVICE". Because no attribute beginning with "R" is included, customers
! cannot select this service.
Cisco-SSG-Service-Info = IPBHK_SERVICE
Configuring User profiles for Time-Based and Volume-Based Customers
This profile configures a user profile for time-based customers.
[ //localhost/Radius/UserLists/ie2-C7206-ATM/C72_DM2_3640/Attributes ]
Cisco-AVpair = ip:vrf-id=VPN_C72_DM2_1001
Cisco-AVpair = "ip:ip-unnumbered=loopback 8001"
Cisco-AVpair = ip:addr-pool=C72_DM2_8001
! The "N" at the beginning of these two attributes specifies that these are services
! that customers can activate. Time-based subscribers are authorized to access the
! BOD1MTIME and BOD2MTIME services.
Cisco-SSG-Account-Info = NBOD1MTIME_DM2
Cisco-SSG-Account-Info = NBOD2MTIME_DM2
idle-timeout = 1800
session-timeout = 18000
This profile configures a user profile for a time-based customer with the static IP address 1.108.1.201.
[ //localhost/Radius/UserLists/ie2-C7206-ATM/C72_DM2_5640/Attributes ]
Cisco-AVpair = ip:vrf-id=VPN_C72_DM2_1098
Cisco-AVpair = "ip:ip-unnumbered=loopback 8002"
Cisco-SSG-Account-Info = NBOD1MTIME_DM2
Cisco-SSG-Account-Info = NBOD2MTIME_DM2
Framed-IP-Address = 1.108.1.201
idle-timeout = 1800
session-timeout = 18000
This profile configures a user profile for volume-based customers.
[ //localhost/Radius/UserLists/ie2-C7206-ATM/C72_DM2_4640/Attributes ]
Cisco-AVpair = ip:vrf-id=VPN_C72_DM2_1001
Cisco-AVpair = "ip:ip-unnumbered=loopback 8001"
Cisco-AVpair = ip:addr-pool=C72_DM2_8001
! The "N" at the beginning of these two attributes specifies that these are services that
! these customers are authorized for. Volume-based subscribers are authorized to access the
! BOD1MVOLUME and BOD2MVOLUME services.
Cisco-SSG-Account-Info = NBOD1MVOLUME_DM2
Cisco-SSG-Account-Info = NBOD2MVOLUME_DM2
idle-timeout = 1800
session-timeout = 18000
Deployment Model 3: Triple Play Plus Service Bundle over IP and PPPoE
The following devices are configured to enable Deployment Model 3, the Triple Play Plus Service Bundle over IP and PPPoE:
•Deployment Model 3: AAA Server
Deployment Model 3: ISG
The following baseline configuration tasks are performed on the LNS:
•Configuring AAA and the Connection to the RADIUS Server
•Configuring PPPoE and the Connections to the CPE and PE
•Configuring Baseline ISA Subscriber Services
•Configuring Inbound and Outbound Access Lists
•Configuring QoS for Triple Play Plus
Configuring AAA and the Connection to the RADIUS Server
In this AAA configuration, connections to the CAR AAA server, the Cisco SESM, and two billing servers are configured. VSA accounting and authentication are enabled, and the loopback interface 0 is used for AAA communications.
aaa new-model
!
! Configures the AAA server group for the CAR AAA server.
aaa group server radius CAR_SERVER
 server 10.100.2.36 auth-port 1812 acct-port 1813
!
! Configures the AAA server group for the RSIM_SERVER billing server.
aaa group server radius RSIM_SERVER
 server 10.100.12.89 auth-port 1645 acct-port 1646
! Configures AAA for the CAR AAA server.
aaa authentication login default none
aaa authentication login IP_AUTHEN_LIST group CAR_SERVER
aaa authentication ppp default group CAR_SERVER
! Configures the connection to the Cisco SESM.
aaa server radius sesm
 client 10.100.4.38
 key cisco
 port 1812
 message-authenticator ignore
!
! Loopback 0 is used for communicating with AAA, the billing servers, and SESM.
interface Loopback0
 ip address 10.200.1.53 255.255.255.255
! Instructs the router to use loopback 0 to communicate with the AAA RADIUS servers.
ip radius source-interface Loopback0
!
! These RADIUS attributes are required for prepaid services.
radius-server attribute 44 include-in-access-req
radius-server attribute 8 include-in-access-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
! The CAR AAA server.
radius-server host 10.100.1.35 auth-port 1812 acct-port 1813 key cisco
! The RSIM_SERVER billing server.
radius-server host 10.100.12.89 auth-port 1645 acct-port 1646 key cisco
radius-server retransmit 5
radius-server timeout 15
radius-server vsa send accounting
radius-server vsa send authentication
Configuring PPPoE and the Connections to the CPE and PE
The ISG is configured to receive PPPoE sessions from the CPE by way of the DSLAM, and MPLS VRF tables are created for incoming subscribers.
no ip dhcp use vrf connected
!
! Globally enables MPLS VRFs for incoming subscribers.
ip vrf VPN10003
 rd 100:3
 route-target export 100:3
 route-target import 100:3
!
ip cef
!
!
! The BBA group method is used to configure PPPoE.
bba-group pppoe BBA_LM_ATM2
 virtual-template 2
!
! This virtual circuit (VC) class is applied to the ATM PVC.
vc-class atm VC_LM_ATM2
 ! Associates the VC class with the above bba-group.
 protocol pppoe group BBA_LM_ATM2
 ! Enables dynamic bandwidth selection.
 dbs enable maximum
 encapsulation aal5snap
 service-policy control RULE_PTA_LM_ATM2
!
! Gigabit Ethernet interface 0/3 points to the PE.
interface GigabitEthernet0/3
 ip address 40.40.1.53 255.255.255.0
 ! The PBHK feature is enabled on this interface.
 ip portbundle outside
 load-interval 30
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
 mpls mtu 1522
 mpls ip
 service-policy output QOS_OUT_MPLS_UPLINK
 ip rsvp bandwidth 100000
!
! ATM interface 1/0.103 points to the CPE.
interface ATM1/0.103 point-to-point
 ip unnumbered Loopback3
 ip verify unicast reverse-path
 ip helper-address 10.100.1.37
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip subscriber
  initiator dhcp
 atm route-bridged ip
 no atm enable-ilmi-trap
 ntp disable
 pvc 103/43
  ! The VC class is associated with the PVC.
  class-vc VC_LM_ATM2
  service-policy input QOS_IN_LM_ATM2
  service-policy output QOS_OUT_LM_ATM2
  service-policy control RULE_IP_LM_ATM2
! PPPoE subscribers use this virtual template.
interface Virtual-Template2
 description LM ATM2 PTA Subscriber
 no ip address
 no peer default ip address
 no keepalive
 ppp authentication chap
 ppp timeout authentication 100
 ppp timeout aaa
!
! The PPPoE pool that is assigned to subscribers.
ip local pool cpe3_pool-53 200.53.3.2 200.53.3.100
Configuring Baseline ISA Subscriber Services
The baseline ISA services, Layer 4 redirect, ISA authentication methods, and PBHK are configured. When the PBHK feature is enabled, TCP packets from subscribers are mapped to a local IP address for the ISA gateway and a range of ports. This mapping allows the portal to identify the ISA gateway from which the session originated.
! Configures the connection to the Cisco SESM for Layer 4 Redirect functionality.
redirect server-group SESM_SERVER_GROUP
 server ip 10.100.3.34 port 8080
!
! This policy map governs authentication.
policy-map control RULE_IP_LM_ATM2
 ! Unauthenticated traffic is dropped after the timer expires.
 class control IP_UNAUTH_COND event timed-policy-expiry
  1 service disconnect
 !
 class control always event session-start
  ! PBHK must be applied before authorization, because if subscribers are authorized first,
  ! ISA will skip the remaining steps and PBHK won't be applied.
  1 service-policy service name PBHK_SERVICE
  ! Authorizes subscribers based on their MAC address. If authorization is successful, the
  ! remaining steps are skipped.
  2 authorize aaa password lab identifier mac-address
  ! If authorization fails, subscribers are redirected to the Cisco SESM.
  3 service-policy service name L4REDIRECT_SERVICE
  ! When users are redirected, the IP_UNAUTH_TIMER gives them 5 minutes to manually
  ! authenticate at the Cisco SESM before the session is dropped.
  4 set-timer IP_UNAUTH_TIMER 5
 !
 class control always event account-logon
  ! Authenticates the subscriber's portal login using the IP_AUTHEN_LIST method list.
  1 authenticate aaa list IP_AUTHEN_LIST
  ! Once the subscriber is authenticated, the Layer 4 redirect is removed.
  2 service-policy service unapply name L4REDIRECT_SERVICE
!
!
policy-map control RULE_PTA_LM_ATM2
 class control always event session-start
  1 service-policy service name PBHK_SERVICE
!
!
! Enables port bundle host key (PBHK) access to the Cisco SESM. Each loopback interface
! can support up to 4031 bundles. If additional capacity is required, configure additional
! loopback interfaces.
ip portbundle
 match access-list 135
 ! The Loopback 0 interface is used to communicate with the Cisco SESM.
 source Loopback0
!
! This class map specifies that a timer is initiated for unauthenticated sessions. If the
! subscriber does not authenticate before the timer expires, the session is dropped.
class-map control match-all IP_UNAUTH_COND
 match timer IP_UNAUTH_TIMER
 match authen-status unauthenticated
Configuring Inbound and Outbound Access Lists
Basic access lists are configured to govern subscribers' Internet access, and an access list is created for the PBHK feature.
! This access list is referenced in the AAA subscriber profile. It governs incoming
! Internet traffic. The Internet access lists should prevent subscribers from accessing
! the Cisco SESM and other management devices to help prevent Denial of Service attacks.
!
ip access-list extended Internet-in-acl
 deny ip any 223.0.0.0 0.255.255.255
 deny ip any 20.0.0.0 0.255.255.255
 deny ip any 40.0.0.0 0.255.255.255
 deny ip any 21.0.0.0 0.255.255.255
 deny ip any 22.0.0.0 0.255.255.255
 deny ip any 41.0.0.0 0.255.255.255
 deny ip any 80.0.0.0 0.255.255.255
 deny ip any 81.0.0.0 0.255.255.255
 deny ip any 82.0.0.0 0.255.255.255
 deny ip any 84.0.0.0 0.255.255.255
 deny ip any 10.200.0.0 0.0.255.255
 permit ip any any
!
! This access list is called out in the AAA subscriber profile. It governs outgoing
! Internet traffic. The Internet access lists should prevent subscribers from accessing
! the Cisco SESM and other management devices to help prevent Denial of Service attacks.
!
ip access-list extended Internet-out-acl
 deny ip 223.0.0.0 0.255.255.255 any
 deny ip 10.200.0.0 0.0.255.255 any
 deny ip 20.0.0.0 0.255.255.255 any
 deny ip 40.0.0.0 0.255.255.255 any
 deny ip 21.0.0.0 0.255.255.255 any
 deny ip 22.0.0.0 0.255.255.255 any
 deny ip 41.0.0.0 0.255.255.255 any
 deny ip 80.0.0.0 0.255.255.255 any
 deny ip 81.0.0.0 0.255.255.255 any
 deny ip 82.0.0.0 0.255.255.255 any
 deny ip 84.0.0.0 0.255.255.255 any
 permit ip any any
!
! This access list is used in the ip portbundle configuration above.
access-list 135 permit ip any host 10.100.4.38
access-list 135 deny ip any any
Configuring QoS for Triple Play Plus
The Triple Play Plus service bundle is configured by specifying different levels of QoS for each of the user-selectable services. Three DSCP levels are configured: gaming, call control, and voice. The VoD service uses the same DSCP as the voice service. Policy maps are then used to apply this QoS configuration to the inbound and outbound interfaces.
! These class maps specify the various DSCP levels.
class-map match-any QOS_GROUP_CALL_CONTROL
 match qos-group 2
class-map match-any GAMING
 match ip dscp af21
class-map match-any QOS_GROUP_GAMING
 match qos-group 3
class-map match-any CALL_CONTROL
 match ip dscp cs3
class-map match-any QOS_GROUP_VOICE
 match qos-group 1
class-map match-any VOICE
 match ip dscp ef
!
!
! This policy map governs QoS for the outbound interface to the CPE.
policy-map QOS_OUT_LM_ATM2
 class VOICE
  priority 128
 class CALL_CONTROL
  bandwidth percent 5
 class GAMING
  bandwidth percent 20
! This policy map governs QoS for the outbound interface to the PE.
policy-map QOS_OUT_MPLS_UPLINK
 class QOS_GROUP_VOICE
  set mpls experimental topmost 5
 class QOS_GROUP_CALL_CONTROL
  set mpls experimental topmost 3
 class QOS_GROUP_GAMING
  set mpls experimental topmost 2
 class class-default
  set mpls experimental topmost 0
! This policy map governs QoS for the inbound interface from the CPE.
policy-map QOS_IN_LM_ATM2
 class VOICE
  ! Caps bandwidth for VoIP and VoD traffic at 128 kbps.
  police cir 128000
   exceed-action drop
  set qos-group 1
 class CALL_CONTROL
  ! Caps bandwidth for call control traffic at 12.5 kbps.
  police cir 12500
   exceed-action drop
  set qos-group 2
 class GAMING
  ! Caps bandwidth for gaming traffic at 75 kbps.
  police cir 75000
   exceed-action drop
  set qos-group 3
! This policy map governs QoS for the default service.
policy-map QOS_IN_LM_ATM2_256K
 class class-default
  ! Caps bandwidth for basic connectivity traffic at 256 kbps.
  police cir 256000
   exceed-action drop
  set qos-group 1
  service-policy QOS_IN_LM_ATM2
Configuring Triple Play Plus Access Lists
The following access lists govern the access of subscribers who have activated the various services.
! The gaming access lists allow gaming subscribers to access only the gaming server.
ip access-list extended GAMING_IN_ACL
 permit ip any 42.5.0.0 0.0.255.255
 deny ip any any
ip access-list extended GAMING_OUT_ACL
 permit ip 42.5.0.0 0.0.255.255 any
 deny ip any any
! The opengarden access lists govern the access of users who have not activated an
! advanced service.
ip access-list extended OPENGARDEN_IN_ACL
 permit ip any 10.100.0.0 0.0.255.255
 permit ip any 42.8.0.0 0.0.255.255
 permit ip any 200.53.3.0 0.0.0.255
ip access-list extended OPENGARDEN_OUT_ACL
 permit ip 10.100.0.0 0.0.255.255 any
 permit ip 42.8.0.0 0.0.255.255 any
 permit ip 200.53.3.0 0.0.0.255 any
ip access-list extended SESM-in-acl
 permit ip any host 10.100.3.34
 deny ip any any
ip access-list extended SESM-out-acl
 permit ip host 10.100.3.34 any
 deny ip any any
! The VoD access lists allow VoD subscribers to access only the VoD server.
ip access-list extended VOD_IN_ACL
 permit ip any 42.4.0.0 0.0.255.255
 deny ip any any
ip access-list extended VOD_OUT_ACL
 permit ip 42.4.0.0 0.0.255.255 any
 deny ip any any
! The VoIP access lists allow VoIP subscribers to access only the VoIP server.
ip access-list extended VOIP_IN_ACL
 permit ip any 42.3.0.0 0.0.255.255
 deny ip any any
ip access-list extended VOIP_OUT_ACL
 permit ip 42.3.0.0 0.0.255.255 any
 deny ip any any
Deployment Model 3: AAA Server
The following configuration tasks are performed on the AAA server.
Configuring Layer 4 Redirect
This attribute enables the Layer 4 Redirect feature.
[ //localhost/Radius/UserLists/SERVICES/L4REDIRECT_SERVICE/Attributes ]
! The Layer 4 Redirect feature is given the priority level 5, which is a higher priority
! than the user-selectable features. This ensures that subscribers are redirected when
! their accounts are exhausted.
Cisco-AVPair = "ip:traffic-class=in access-group name IP_REDIRECT_ACL priority 5"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name IP_REDIRECT_ACL priority 5"
Cisco-AVPair = "ip:traffic-class=out default drop"
Cisco-AVPair = "ip:l4redirect=redirect to group SESM_SERVER_GROUP"
Cisco-SSG-Service-Info = IL4REDIRECT_SERVICE
Configuring PBHK
This profile enables the PBHK feature on the AAA server; subscribers reach the SESM by way of PBHK.
[ //localhost/Radius/UserLists/SERVICES/PBHK_SERVICE/Attributes ]
Cisco-AVPair = ip:portbundle=enable
! The "I" in the attribute tells the Cisco SESM that the name of this service is
! "PBHK_SERVICE". Because no attribute beginning with "R" is included, customers
! cannot select this service.
Cisco-SSG-Service-Info = IPBHK_SERVICE
Service Profiles
The following service profile enables the GAMING_SERVICE service.
[ //localhost/Radius/UserLists/SERVICES/GAMING_SERVICE/Attributes ]
Cisco-AVPair = "ip:traffic-class=in access-group name GAMING_IN_ACL"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name GAMING_OUT_ACL"
Cisco-AVPair = "ip:traffic-class=out default drop"
! The "I" in the attribute tells the Cisco SESM that the name of this service is
! "GAMING_SERVICE".
Cisco-SSG-Service-Info = IGAMING_SERVICE
! The "R" in the attribute tells the Cisco SESM that this is a user-selectable service.
Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
The following service profile enables the OPENGARDEN_SERVICE service. "Opengarden" is the SSG term for the default service, basic Internet access.
[ //localhost/Radius/UserLists/SERVICES/OPENGARDEN_SERVICE/Attributes ]
Cisco-AVPair = "ip:traffic-class=in access-group name OPENGARDEN_IN_ACL"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name OPENGARDEN_OUT_ACL"
Cisco-AVPair = "ip:traffic-class=out default drop"
Cisco-SSG-Service-Info = IOPENGARDEN_SERVICE
The following service profile enables the VOIP_SERVICE service.
[ //localhost/Radius/UserLists/SERVICES/VOIP_SERVICE/Attributes ]
Cisco-AVPair = "ip:traffic-class=in access-group name VOIP_IN_ACL"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name VOIP_OUT_ACL"
Cisco-AVPair = "ip:traffic-class=out default drop"
Cisco-SSG-Service-Info = IVOIP_SERVICE
Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
The following service profile enables the VOD_SERVICE service.
[ //localhost/Radius/UserLists/SERVICES/VOD_SERVICE/Attributes ]
Cisco-AVPair = "ip:traffic-class=in access-group name VOD_IN_ACL"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name VOD_OUT_ACL"
Cisco-AVPair = "ip:traffic-class=out default drop"
Cisco-SSG-Service-Info = IVOD_SERVICE
Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
The following service profile enables the INTERNET_SERVICE service. Subscribers select this service to return to the default service, basic Internet access.
[ //localhost/Radius/UserLists/SERVICES/INTERNET_SERVICE/Attributes ]
Cisco-AVPair = ip:inacl=Internet-in-acl
Cisco-AVPair = ip:outacl=Internet-out-acl
Cisco-SSG-Service-Info = IINTERNET_SERVICE
Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
User Profiles
The following user profile is for IP sessions that use MAC address-based TAL:
[ //localhost/Radius/UserLists/ie2-C7206-ATM/0000.1001.1014/Attributes ]
Cisco-SSG-Account-Info = AOPENGARDEN_SERVICE
Cisco-SSG-Account-Info = AVOIP_SERVICE
Cisco-SSG-Account-Info = AVOD_SERVICE
Cisco-SSG-Account-Info = AGAMING_SERVICE
The following user profile is for PPPoE users:
[ //localhost/Radius/UserLists/ie2-C7206-ATM/C72_DM3_1188/Attributes ]
Cisco-AVpair = ip:vrf-id=VPN_C72_DM3_2038
Cisco-AVpair = "ip:ip-unnumbered=loopback 2001"
Cisco-AVpair = ip:addr-pool=C72_DM3_2001
Cisco-SSG-Account-Info = AINTERNET_SERVICE
Deployment Model 4: Triple Play Plus Service Bundle over IP and L2TP
The following devices are configured to enable Deployment Model 4, the Triple Play Plus Service Bundle over IP and L2TP:
•Deployment Model 4: AAA Server for ISP-1
•Deployment Model 4: AAA Server for ISP-2
Deployment Model 4: ISG LAC
The following baseline configuration tasks are performed on the ISG LAC:
•Configuring AAA and the Connection to the RADIUS Server
•Configuring the Connection to the LNS and PPPoE
•Configuring Baseline ISA Services
•Configuring QoS for Triple Play Plus
•Configuring Triple Play Plus Access Lists
Configuring AAA and the Connection to the RADIUS Server
A basic AAA configuration is entered, and the connection to the RADIUS server is configured, including VSA accounting and authentication.
aaa new-model
!
! Configures the connection to the AAA server and identifies it as CAR_SERVER.
aaa group server radius CAR_SERVER
 server 10.100.1.35 auth-port 1812 acct-port 1813
!
aaa authentication login default none
! Configures the AAA server for authentication, authorization, and accounting.
aaa authentication login IP_AUTHEN_LIST group CAR_SERVER
aaa authentication ppp default group CAR_SERVER
aaa authorization network default group CAR_SERVER
aaa authorization subscriber-service default local group radius
aaa accounting network default start-stop group CAR_SERVER
! Configures the connection to the Cisco SESM.
aaa server radius sesm
 client 10.100.3.34
 key cisco
 port 1812
 message-authenticator ignore
!
aaa session-id common
!
!
interface Loopback0
 ip address 10.200.1.53 255.255.255.255
!
! Use Loopback 0 to communicate with the RADIUS server.
ip radius source-interface Loopback0
!
!
radius-server attribute 44 include-in-access-req
radius-server attribute 8 include-in-access-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
radius-server host 10.100.1.35 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 5
radius-server timeout 15
radius-server vsa send accounting
radius-server vsa send authentication
Configuring the Connection to the LNS and PPPoE
The connection to the LNS is configured. The ISG LAC uses VPDN to initiate L2TP tunnels to the LNS, which are used to carry the subscriber PPPoE sessions. An ISA control policy map is used to instruct L2TP to authenticate on the basis of domain name, and a BBA group is used to configure PPPoE.
no ip dhcp use vrf connected
!
! This command is enabled by default. It sets the number of rules that are displayed in
! the show subscriber session detail command.
subscriber policy recording rules limit 64
subscriber authorization enable
! Enables VPDN globally, which is used for PPPoE.
vpdn enable
vpdn ip udp ignore checksum
vpdn search-order domain
!
! This control policy map instructs L2TP to authenticate based on domain name.
policy-map type control RULE_L2TP_LM_ATM7
 class type control always event session-start
  1 collect identifier unauthenticated-domain
  2 authorize identifier unauthenticated-domain
!
!
! The BBA group method is used to configure PPPoE (alternatively, the vpdn-group
! method could be used).
bba-group pppoe BBA_LM_ATM7
 virtual-template 7
!
! This virtual circuit (VC) class is applied to the ATM PVC.
vc-class atm VC_LM_ATM7
 ! Associates the VC class with the above bba-group.
 protocol pppoe group BBA_LM_ATM7
 vbr-nrt 2000 2000 94
 encapsulation aal5snap
 ! Applies the L2TP rule above to the VC class.
 service-policy type control RULE_L2TP_LM_ATM7
!
! Interface Gigabit Ethernet 0/3 points to the LNS.
interface GigabitEthernet0/3
 ip address 40.40.1.53 255.255.255.0
 load-interval 30
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
 mpls mtu 1522
 mpls ip
 service-policy output QOS_OUT_MPLS_UPLINK
 ip rsvp bandwidth 100000
!
!
interface ATM1/0.107 point-to-point
 description ATM Deployment Model 4
 ip unnumbered Loopback7
 ip verify unicast reverse-path
 ip helper-address 10.100.1.37
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip subscriber
  identifier ip src-addr match 107
  initiator dhcp
 atm route-bridged ip
 no atm enable-ilmi-trap
 ntp disable
 pvc 107/47
  ! The VC class is associated with the PVC.
  class-vc VC_LM_ATM7
  service-policy input QOS_IN_LM_ATM7
  service-policy output QOS_OUT_LM_ATM7
  service-policy control RULE_IP_LM_ATM7
!
!
! The PPP CHAP configuration is entered on the virtual template.
interface Virtual-Template7
 description LM ATM7 L2TP Subscriber
 no ip address
 no peer default ip address
 no keepalive
 ppp authentication chap
 ppp timeout authentication 100
 ppp timeout aaa
Configuring Baseline ISA Services
The baseline ISA services, Layer 4 redirect, ISA authentication methods, and PBHK are configured. When the PBHK feature is enabled, TCP packets from subscribers are mapped to a local IP address for the ISA gateway and a range of ports. This mapping allows the portal to identify the ISA gateway from which the session originated.
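The session-start, account-logon and timed-policy-expiry handling implemented by the RULE_IP_LM_ATM2 policy of Deployment Model 3 and by the RULE_IP_LM_ATM7 policy shown next is modelled in this added Python example, which is not Cisco code: it runs the numbered actions in order, stops a class after a successful `authorize` as the configuration comments describe, lets the IP_UNAUTH_COND class-map fire only for a still-unauthenticated session, and shows what happens to PBHK when the authorize step is placed first. The `FakeAAA` class is a stand-in for the CAR RADIUS server; every MAC address other than 0000.1001.1014 and the portal credentials are constructed for the example.

```python
"""Model of the ISG control policy used in this guide (added example, not Cisco
code).  Actions run in numbered order within a class; a successful 'authorize'
ends the class, which is why PBHK_SERVICE must be action 1.  FakeAAA is a
constructed stand-in for the CAR RADIUS server."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

PBHK = "PBHK_SERVICE"
L4REDIRECT = "L4REDIRECT_SERVICE"
UNAUTH_TIMER_MINUTES = 5        # "4 set-timer IP_UNAUTH_TIMER 5"

@dataclass
class Session:
    mac: str                                            # identifier for "authorize ... identifier mac-address"
    authenticated: bool = False
    disconnected: bool = False
    services: List[str] = field(default_factory=list)   # applied services, in application order
    timer_minutes: Optional[int] = None                 # IP_UNAUTH_TIMER, if it has been set
    log: List[str] = field(default_factory=list)

@dataclass
class FakeAAA:
    """Stand-in for the CAR server: TAL (MAC) authorization and the IP_AUTHEN_LIST."""
    authorized_macs: Set[str]
    credentials: Dict[str, str]

    def authorize_mac(self, mac: str) -> bool:
        return mac in self.authorized_macs

    def authenticate(self, user: str, password: str) -> bool:
        return self.credentials.get(user) == password

def _apply(s: Session, name: str) -> None:
    if name not in s.services:
        s.services.append(name)
        s.log.append(f"apply {name}")

def _unapply(s: Session, name: str) -> None:
    if name in s.services:
        s.services.remove(name)
        s.log.append(f"unapply {name}")

def _step_pbhk(s: Session, aaa: FakeAAA) -> bool:
    # 1 service-policy service name PBHK_SERVICE
    _apply(s, PBHK)
    return False

def _step_authorize(s: Session, aaa: FakeAAA) -> bool:
    # 2 authorize aaa password lab identifier mac-address
    # Returns True on success: the remaining actions of the class are skipped.
    if aaa.authorize_mac(s.mac):
        s.authenticated = True
        s.log.append("authorize ok; remaining actions skipped")
        return True
    s.log.append("authorize failed")
    return False

def on_session_start(s: Session, aaa: FakeAAA, pbhk_first: bool = True) -> Session:
    """class control always event session-start.  pbhk_first=False swaps actions 1
    and 2 to reproduce the misordering the configuration comments warn about."""
    actions = [_step_pbhk, _step_authorize] if pbhk_first else [_step_authorize, _step_pbhk]
    for action in actions:
        if action(s, aaa):
            return s
    _apply(s, L4REDIRECT)                   # 3 service-policy service name L4REDIRECT_SERVICE
    s.timer_minutes = UNAUTH_TIMER_MINUTES  # 4 set-timer IP_UNAUTH_TIMER 5
    return s

def on_account_logon(s: Session, aaa: FakeAAA, user: str, password: str) -> Session:
    """class control always event account-logon (portal login through the SESM)."""
    # 1 authenticate aaa list IP_AUTHEN_LIST
    if not aaa.authenticate(user, password):
        s.log.append("authenticate failed; redirect stays in place")
        return s   # assumption: the unapply action is not reached after a failure
    s.authenticated = True
    # 2 service-policy service unapply name L4REDIRECT_SERVICE
    _unapply(s, L4REDIRECT)
    return s

def on_timer_expiry(s: Session) -> Session:
    """timed-policy-expiry: class-map IP_UNAUTH_COND (match-all) needs both the
    IP_UNAUTH_TIMER and authen-status unauthenticated; then '1 service disconnect'."""
    if s.timer_minutes is not None and not s.authenticated:
        s.disconnected = True
        s.services.clear()
        s.log.append("timer expired while unauthenticated: service disconnect")
    s.timer_minutes = None
    return s
```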
redirect server-group SESM_SERVER_GROUP
 server ip 10.100.3.34 port 8080
!
! TAL is configured to authenticate the subscriber static IP address 200.53.7.128.
class-map control match-any TAL_STATIC_DM4
 match source-ip-address 200.53.7.128 255.255.255.128
!
! This policy map governs subscriber authentication.
policy-map control RULE_IP_LM_ATM7
 class control TAL_STATIC_DM4 event session-start
  ! PBHK must be applied before authorization, because if subscribers are authorized first,
  ! ISA will skip the remaining steps and PBHK won't be applied.
  1 service-policy service name PBHK_SERVICE
  ! Authorizes subscribers based on their IP address. If authorization is successful,
  ! the remaining steps are skipped.
  2 authorize aaa password lab identifier source-ip-address
  ! If authorization fails, subscribers are redirected to the Cisco SESM.
  3 service-policy service name L4REDIRECT_SERVICE
  ! When users are redirected, the IP_UNAUTH_TIMER gives them 5 minutes to manually
  ! authenticate at the Cisco SESM before the session is dropped.
  4 set-timer IP_UNAUTH_TIMER 5
 !
 class control IP_UNAUTH_COND event timed-policy-expiry
  ! Unauthenticated traffic is dropped after the timer expires.
  1 service disconnect
 !
 class control always event session-start
  1 service-policy service name PBHK_SERVICE
  ! Authorizes subscribers based on their MAC address. If authorization is successful, the
  ! remaining steps are skipped.
  2 authorize aaa password lab identifier mac-address
  3 service-policy service name L4REDIRECT_SERVICE
  4 set-timer IP_UNAUTH_TIMER 5
 !
 class control always event account-logon
  1 authenticate aaa list IP_AUTHEN_LIST
  2 service-policy service unapply name L4REDIRECT_SERVICE
!
!
! Enables port bundle host key (PBHK) access to the Cisco SESM. Each loopback interface
! can support up to 4031 bundles. If additional capacity is required, configure additional
! loopback interfaces.
ip portbundle
 match access-list 135
 source Loopback0
!
! This class map specifies that a timer is initiated for unauthenticated sessions. If the
! subscriber does not authenticate before the timer expires, the session is dropped.
class-map control match-all IP_UNAUTH_COND
 match timer IP_UNAUTH_TIMER
 match authen-status unauthenticated
Configuring QoS for Triple Play Plus
The Triple Play Plus service bundle is configured by specifying different levels of QoS for each of the user-selectable services. Three DSCP levels are configured: gaming, call control, and voice. The VoD service uses the same DSCP as the voice service. Policy maps are then used to apply this QoS configuration to the inbound and outbound interfaces.
! These class maps specify the various DSCP levels.
class-map match-any QOS_GROUP_CALL_CONTROL
 match qos-group 2
class-map match-any GAMING
 match ip dscp af21
class-map match-any QOS_GROUP_GAMING
 match qos-group 3
class-map match-any CALL_CONTROL
 match ip dscp cs3
class-map match-any QOS_GROUP_VOICE
 match qos-group 1
class-map match-any VOICE
 match ip dscp ef
!
!
!
! This policy map governs QoS for the outbound interface to the CPE.
policy-map QOS_OUT_LM_ATM7
 class VOICE
  priority 128
 class CALL_CONTROL
  bandwidth percent 5
 class GAMING
  bandwidth percent 20
! This policy map governs QoS for the outbound interface to the LNS.
policy-map QOS_OUT_MPLS_UPLINK
 class QOS_GROUP_VOICE
  set mpls experimental topmost 5
 class QOS_GROUP_CALL_CONTROL
  set mpls experimental topmost 3
 class QOS_GROUP_GAMING
  set mpls experimental topmost 2
 class class-default
  set mpls experimental topmost 0
! This policy map governs QoS for the inbound interface from the CPE.
policy-map QOS_IN_LM_ATM7
 class VOICE
  ! Caps bandwidth for VoIP and VoD traffic at 128 kbps.
  police cir 128000
   exceed-action drop
  set qos-group 1
 class CALL_CONTROL
  ! Caps bandwidth for call control traffic at 12.5 kbps.
  police cir 12500
   exceed-action drop
  set qos-group 2
 class GAMING
  ! Caps bandwidth for gaming traffic at 75 kbps.
  police cir 75000
   exceed-action drop
  set qos-group 3
! This policy map governs QoS for the default service.
policy-map QOS_IN_LM_ATM7_256K
 class class-default
  ! Caps bandwidth for basic connectivity traffic at 256 kbps.
  police cir 256000
   exceed-action drop
  service-policy QOS_IN_LM_ATM7
Configuring Triple Play Plus Access Lists
The following access lists govern the access of subscribers who have activated the various services.
! The gaming access lists allow gaming subscribers to access only the gaming server.
ip access-list extended GAMING_IN_ACL
 permit ip any 42.5.0.0 0.0.255.255
 deny ip any any
ip access-list extended GAMING_OUT_ACL
 permit ip 42.5.0.0 0.0.255.255 any
 deny ip any any
! The opengarden access lists govern the access of users who have not activated an
! advanced service.
ip access-list extended OPENGARDEN_IN_ACL
 permit ip any 10.100.0.0 0.0.255.255
 permit ip any 42.8.0.0 0.0.255.255
 permit ip any 200.53.3.0 0.0.0.255
ip access-list extended OPENGARDEN_OUT_ACL
 permit ip 10.100.0.0 0.0.255.255 any
 permit ip 42.8.0.0 0.0.255.255 any
 permit ip 200.53.3.0 0.0.0.255 any
ip access-list extended SESM-in-acl
 permit ip any host 10.100.3.34
 deny ip any any
ip access-list extended SESM-out-acl
 permit ip host 10.100.3.34 any
 deny ip any any
! The VoD access lists allow VoD subscribers to access only the VoD server.
ip access-list extended VOD_IN_ACL
 permit ip any 42.4.0.0 0.0.255.255
 deny ip any any
ip access-list extended VOD_OUT_ACL
 permit ip 42.4.0.0 0.0.255.255 any
 deny ip any any
! The VoIP access lists allow VoIP subscribers to access only the VoIP server.
ip access-list extended VOIP_IN_ACL
 permit ip any 42.3.0.0 0.0.255.255
 deny ip any any
ip access-list extended VOIP_OUT_ACL
 permit ip 42.3.0.0 0.0.255.255 any
 deny ip any any
! This access list is used in the ip portbundle configuration above.
access-list 135 permit ip any host 10.100.4.38
access-list 135 deny ip any any
Deployment Model 4: AAA Server for ISP-1
The following profile configures L2TP forwarding from the ISG LAC to the LNS. The IP address 10.200.1.56 is the address of the loopback interface on the LNS.
[ //localhost/Radius/UserLists/L2TPDOMAIN/L2TP_DM4_101.com/Attributes ]
Cisco-AVpair = vpdn:tunnel-id=L2TP_DM4_101
Cisco-AVpair = vpdn:l2tp-tunnel-password=cisco
Cisco-AVpair = vpdn:tunnel-type=l2tp
Cisco-AVpair = vpdn:ip-addresses=10.200.1.56
Cisco-AVpair = atm:peak-cell-rate=1024
Cisco-AVpair = atm:sustainable-cell-rate=512
Deployment Model 4: LNS
The following baseline configuration tasks are performed on the LNS:
•Configuring AAA and the Connection to the RADIUS Server
•Configuring PPPoE and the Connection to the ISG LAC
•Configuring Baseline ISA Subscriber Services
•Configuring Inbound and Outbound Access Lists
Configuring AAA and the Connection to the RADIUS Server
In this AAA configuration, connections to the CAR AAA server, the Cisco SESM, and two billing servers are configured. VSA accounting and authentication are enabled, and the loopback interface 0 is used for AAA communications.
aaa new-model
!
! Configures the AAA server group for the CAR AAA server.
aaa group server radius CAR_SERVER
 server 10.100.2.36 auth-port 1812 acct-port 1813
!
! Configures AAA for the CAR AAA server.
aaa authentication login default none
aaa authentication login IP_AUTHEN_LIST group CAR_SERVER
aaa authentication ppp default group CAR_SERVER
aaa authorization network default group CAR_SERVER
aaa authorization subscriber-service default local group radius
aaa accounting network default start-stop group CAR_SERVER
! Configures the connection to the Cisco SESM.
aaa server radius sesm
 client 10.100.4.38
 key cisco
 port 1812
 message-authenticator ignore
!
! Loopback 0 is used for communicating with AAA, the billing servers, and SESM.
interface Loopback0
 ip address 10.200.1.56 255.255.255.255
 ip router isis Remote_ISP_7301
! Instructs the router to use loopback 0 to communicate with the AAA RADIUS servers.
ip radius source-interface Loopback0
!
! These RADIUS attributes are required for prepaid services.
radius-server attribute 44 include-in-access-req
radius-server attribute 8 include-in-access-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
! The CAR AAA server.
radius-server host 10.100.2.36 auth-port 1812 acct-port 1813 key Cisco
radius-server retransmit 5
radius-server key cisco
radius-server vsa send accounting
radius-server vsa send authentication
Configuring PPPoE and the Connection to the ISG LAC
VPDN is configured to receive L2TP tunnels from the ISG LAC over which the PPPoE sessions are sent. A PPP local pool and MPLS VRF tables are created for incoming subscribers.
no ip dhcp use vrf connected
!
! Globally enables MPLS VRFs for incoming subscribers.
ip vrf VPN_C72_DM4_1001
 rd 200:71001
 route-target export 200:71001
 route-target import 200:71001
!
!
ip cef
!
! This command is enabled by default. It sets the number of ISA rules that are displayed
! in the show subscriber session detail command.
subscriber policy recording rules limit 64
vpdn enable
vpdn ip udp ignore checksum
!
! VPDN group L2TP_DM1_101 terminates PPPoE clients that come in from the ISG LAC over L2TP
! tunnels.
vpdn-group L2TP_DM1_101
 accept-dialin
  protocol l2tp
  virtual-template 5
 terminate-from hostname L2TP_DM1_101
 local name L2TP_DM1_101
 l2tp tunnel password 0 cisco
!
!
! Gigabit Ethernet interface 0/1 points to the PE.
interface GigabitEthernet0/1
 ip address 27.27.1.56 255.255.255.0
 ! The PBHK feature is enabled on this interface.
 ip portbundle outside
 ip router isis Remote_ISP_7301
 load-interval 30
 duplex auto
 speed auto
 media-type gbic
 negotiation auto
 mpls label protocol ldp
 mpls ip
!
! Gigabit Ethernet interface 0/2 points to the ISG LAC.
interface GigabitEthernet0/2
 ip address 26.26.1.56 255.255.255.0
 ip router isis Remote_ISP_7301
 load-interval 30
 duplex auto
 speed auto
 media-type gbic
 negotiation auto
!
! PPPoE subscribers terminated from L2TP tunnels use this virtual template.
interface Virtual-Template5
 no ip address
 load-interval 30
 no peer default ip address
 no keepalive
 ppp mtu adaptive
 ppp authentication chap
!
! Enables IS-IS routing in the network.
router isis Remote_ISP_7301
 net 01.0011.5dd1.f01b.00
 redistribute connected
!
! The local address pool from which subscribers are assigned IP addresses.
ip local pool C73_DM4_7001 1.7.1.2 1.7.255.254
!
Configuring Baseline ISA Subscriber Services
Basic ISA subscriber services are configured, including Layer 4 redirect to the Cisco SESM and the PBHK feature. When the PBHK feature is enabled, TCP packets from subscribers are mapped to a local IP address for the ISA gateway and a range of ports. This mapping allows the portal to identify the ISA gateway from which the session originated.
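The PBHK mapping just described, as an added example rather than the guide's or Cisco's code: a small Python model of bundle allocation and port translation on the ISG, and of the reverse lookup the portal performs to identify the gateway and session behind a source ip:port. It assumes 16 TCP ports per bundle starting at port 1024 (the default bundle length is an assumption) and the 4031-bundle limit per loopback that the guide states; the ISG name, session ids and subscriber addresses are constructed, and the loopback address is the portbundle address shown in the guide's verification output.

```python
"""Added example, not from the Cisco guide: a model of Port-Bundle Host Key
(PBHK) translation on the ISG and the portal-side lookup that relies on it.
Assumptions, labelled here: 16 TCP ports per bundle (a 4-bit bundle length),
bundles begin at port 1024, at most 4031 bundles per loopback (the guide's
figure). Session ids and subscriber addresses below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

BUNDLE_BITS = 4                       # assumption: default bundle length
PORTS_PER_BUNDLE = 1 << BUNDLE_BITS   # 16 ports per bundle
FIRST_PORT = 1024                     # assumption: bundles sit above well-known ports
MAX_BUNDLES = 4031                    # per loopback, as stated in the guide


@dataclass
class PortBundleSource:
    """One ISG loopback used as the 'ip portbundle ... source' and its bundles."""
    isg_name: str
    source_ip: str
    bundle_of_session: Dict[str, int] = field(default_factory=dict)
    session_of_bundle: Dict[int, str] = field(default_factory=dict)
    # per bundle: (subscriber ip, subscriber port) -> slot 0..15 inside the bundle
    slots: Dict[int, Dict[Tuple[str, int], int]] = field(default_factory=dict)

    def allocate(self, session_id: str) -> int:
        """Give a session its bundle: a fixed block of 16 ports on this loopback."""
        if session_id in self.bundle_of_session:
            return self.bundle_of_session[session_id]
        bundle = len(self.session_of_bundle)
        if bundle >= MAX_BUNDLES:
            # the guide's remedy for this is to configure an additional loopback
            raise RuntimeError(f"{self.source_ip}: all {MAX_BUNDLES} bundles in use")
        self.bundle_of_session[session_id] = bundle
        self.session_of_bundle[bundle] = session_id
        self.slots[bundle] = {}
        return bundle

    def base_port(self, bundle: int) -> int:
        return FIRST_PORT + bundle * PORTS_PER_BUNDLE

    def translate(self, session_id: str, sub_ip: str, sub_port: int) -> Tuple[str, int]:
        """ISG side: rewrite a subscriber TCP flow to (loopback ip, bundle port),
        so the portal sees a source the ISG can later map back to the session."""
        bundle = self.allocate(session_id)
        table = self.slots[bundle]
        key = (sub_ip, sub_port)
        if key not in table:
            if len(table) >= PORTS_PER_BUNDLE:
                raise RuntimeError("bundle exhausted: 16 concurrent flows per session")
            table[key] = len(table)
        return self.source_ip, self.base_port(bundle) + table[key]

    def session_for_port(self, port: int) -> Optional[str]:
        """Reverse lookup: which session owns a translated source port?"""
        if port < FIRST_PORT:
            return None
        return self.session_of_bundle.get((port - FIRST_PORT) // PORTS_PER_BUNDLE)


def portal_identify(sources: Dict[str, PortBundleSource],
                    src_ip: str, src_port: int) -> Optional[Tuple[str, str]]:
    """Portal side: the source address names the ISG loopback and the port's
    bundle names the session, which is how the SESM ties a login to one ISG."""
    source = sources.get(src_ip)
    if source is None:
        return None
    session = source.session_for_port(src_port)
    return None if session is None else (source.isg_name, session)


if __name__ == "__main__":
    # constructed sample: one loopback (address from the guide), two sessions
    isg = PortBundleSource("ie2-C7206-ATM", "10.200.1.53")
    registry = {isg.source_ip: isg}
    print(isg.translate("sess-4910", "1.7.1.2", 40000))    # ('10.200.1.53', 1024)
    print(isg.translate("sess-6514", "1.7.1.3", 40000))    # ('10.200.1.53', 1040)
    print(portal_identify(registry, "10.200.1.53", 1041))  # ('ie2-C7206-ATM', 'sess-6514')
```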
! Configures the connection to the Cisco SESM for Layer 4 Redirect functionality.
redirect server-group SESM-Server
 server ip 10.100.4.38 port 8080
!
!
! Enables port bundle host key (PBHK) access to the Cisco SESM. Each loopback interface
! can support up to 4031 bundles. If additional capacity is required, configure additional
! loopback interfaces.
ip portbundle
 match access-list 135
 ! The Loopback 0 interface is used to communicate with the Cisco SESM.
 source Loopback0
Configuring Inbound and Outbound Access Lists
Basic access lists are configured to govern subscribers' Internet access, and an access list is created for the PBHK feature.
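To check offline that an Internet access list such as the Internet-in-acl below really blocks subscriber traffic to the management addresses it is meant to protect, here is an added example (not the guide's or Cisco's code): a first-match evaluator for the permit/deny ip entries the guide uses. The embedded ACL is the guide's own Internet-in-acl; the subscriber address, the Internet host and the list of management destinations are constructed inputs that an operator would replace with their own.

```python
"""Added example, not from the Cisco guide: a first-match evaluator for the
'permit/deny ip SRC DST' entries used by Internet-in-acl and Internet-out-acl.
The embedded ACL text is the guide's Internet-in-acl; subscriber, Internet and
management addresses used in the demo are constructed sample values."""
import ipaddress
from typing import List, Tuple

IPv4Network = ipaddress.IPv4Network
Entry = Tuple[str, IPv4Network, IPv4Network]   # (action, source, destination)


def _parse_target(tokens: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i];
    return the network and the index of the next unread token."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks: 0.255.255.255 means /8.
    # Only contiguous masks are handled here, the only kind the guide uses.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network((tokens[i], str(netmask)), strict=False), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse the body of one 'ip access-list extended' block in config order."""
    entries: List[Entry] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!") or tokens[0] == "ip":
            continue                    # blank lines, comments and the ACL header
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line.strip()}")
        src, i = _parse_target(tokens, 2)
        dst, _ = _parse_target(tokens, i)
        entries.append((action, src, dst))
    return entries


def evaluate(entries: List[Entry], src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"


def reachable_management(entries: List[Entry], subscriber_ip: str,
                         management: List[str]) -> List[str]:
    """Return the management addresses the ACL still lets this subscriber reach;
    an empty list means the ACL protects everything on the operator's list."""
    return [m for m in management if evaluate(entries, subscriber_ip, m) == "permit"]


# The guide's Internet-in-acl, applied to subscriber-originated traffic.
INTERNET_IN_ACL = """\
ip access-list extended Internet-in-acl
 deny ip any 223.0.0.0 0.255.255.255
 deny ip any 20.0.0.0 0.255.255.255
 deny ip any 40.0.0.0 0.255.255.255
 deny ip any 21.0.0.0 0.255.255.255
 deny ip any 22.0.0.0 0.255.255.255
 deny ip any 41.0.0.0 0.255.255.255
 deny ip any 80.0.0.0 0.255.255.255
 deny ip any 81.0.0.0 0.255.255.255
 deny ip any 82.0.0.0 0.255.255.255
 deny ip any 10.200.0.0 0.0.255.255
 permit ip any any
"""

if __name__ == "__main__":
    acl = parse_acl(INTERNET_IN_ACL)
    # 1.7.1.2 is a subscriber from the guide's pool; 10.200.1.56 is the LNS
    # loopback; 42.1.1.5 is a constructed ordinary Internet host.
    print(evaluate(acl, "1.7.1.2", "10.200.1.56"))   # deny
    print(evaluate(acl, "1.7.1.2", "42.1.1.5"))      # permit
    print(reachable_management(acl, "1.7.1.2", ["10.200.1.56", "42.1.1.5"]))
```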
! This access list is referenced in the AAA subscriber profile. It governs incoming
! Internet traffic. The Internet access lists should prevent subscribers from accessing
! the Cisco SESM and other management devices to help prevent Denial of Service attacks.
!
ip access-list extended Internet-in-acl
 deny ip any 223.0.0.0 0.255.255.255
 deny ip any 20.0.0.0 0.255.255.255
 deny ip any 40.0.0.0 0.255.255.255
 deny ip any 21.0.0.0 0.255.255.255
 deny ip any 22.0.0.0 0.255.255.255
 deny ip any 41.0.0.0 0.255.255.255
 deny ip any 80.0.0.0 0.255.255.255
 deny ip any 81.0.0.0 0.255.255.255
 deny ip any 82.0.0.0 0.255.255.255
 deny ip any 10.200.0.0 0.0.255.255
 permit ip any any
!
! This access list is called out in the AAA subscriber profile. It governs outgoing
! Internet traffic. The Internet access lists should prevent subscribers from accessing
! the Cisco SESM and other management devices to help prevent Denial of Service attacks.
!
ip access-list extended Internet-out-acl
 deny ip 223.0.0.0 0.255.255.255 any
 deny ip 10.200.0.0 0.0.255.255 any
 deny ip 20.0.0.0 0.255.255.255 any
 deny ip 40.0.0.0 0.255.255.255 any
 deny ip 21.0.0.0 0.255.255.255 any
 deny ip 22.0.0.0 0.255.255.255 any
 deny ip 41.0.0.0 0.255.255.255 any
 deny ip 80.0.0.0 0.255.255.255 any
 deny ip 81.0.0.0 0.255.255.255 any
 deny ip 82.0.0.0 0.255.255.255 any
 permit ip any any
!
! This access list is used in the ip portbundle configuration above.
access-list 135 permit ip any host 10.100.4.38
access-list 135 deny ip any any
Deployment Model 4: AAA Server for ISP-2
The following configuration tasks are performed on the AAA server for ISP-2:
•Configuring the Basic Internet Access ISA Subscriber Service
•Configuring the Subscriber's Profile
Configuring Layer 4 Redirect
This attribute enables the Layer 4 Redirect feature.
[ Attributes ]
! Instructs Layer 4 redirect to send traffic that matches ACL 111 on the LNS to the SESM-Server group.
Cisco-AVPair = "ip:l4redirect=redirect list 111 to group SESM-Server duration 30 frequency 180"
Configuring PBHK
This attribute enables the PBHK feature on the AAA server, which enables access to the SESM by way of the PBHK feature.
[ Attributes ]
Cisco-AVPair = ip:portbundle=enable
Configuring the Basic Internet Access ISA Subscriber Service
This profile configures the basic Internet access service.
[ //localhost/Radius/UserLists/SERVICES/INTERNET_SERVICE/Attributes ]
! Specifies the ACLs that govern this service.
Cisco-AVPair = ip:inacl=Internet-in-acl
Cisco-AVPair = ip:outacl=Internet-out-acl
! The "I" before "INTERNET_SERVICE" tells the Cisco SESM what the name of the service is.
! The Cisco SESM will display this service by the name "INTERNET_SERVICE".
Cisco-SSG-Service-Info = IINTERNET_SERVICE
! The "R" in this attribute specifies that this is a subscriber-selectable service.
Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
Configuring the Subscriber's Profile
This profile configures the PPP profile that is used in the subscriber's base profile.
[ //localhost/Radius/UserLists/ie2-C7301-LNS/C73_DM1_01@L2TP_DM1_101.com/Attributes ]
Cisco-AVpair = "ip:ip-unnumbered=loopback 3001"
Cisco-AVpair = ip:addr-pool=C73_DM1_3001
Cisco-SSG-Account-Info = AINTERNET_SERVICE
Verifying the Cisco 7206 ISG with ATM Aggregation
The following sections provide sample show command output:
•ISG Configuration Information Verification
•Basic ISG Operation Verification
•Subscriber Service Verification
ISG Configuration Information Verification
The show subscriber policy condition command shows how many times each condition line of each control class map has been evaluated, and with what result.
ie2-C7206-ATM# show subscriber policy condition
Class-map                        Action                              Exec    Hit   Miss   Comp
---------                        ------                              ----    ---   ----   ----
match-any TAL_STATIC_DM3         match identifier source-ip-addr    36131      0  36131      0
match-any TAL_STATIC_DM3         match identifier source-ip-addr    36131  28932   7199  28932
match-all IP_UNAUTH_COND         match identifier timer IP_UNAUT    16624  16624      0      0
match-all IP_UNAUTH_COND         match identifier authen-status     16624   5426  11198  11198
match-any TAL_STATIC_DM4         match identifier source-ip-addr    23502      0  23502      0
match-any TAL_STATIC_DM4         match identifier source-ip-addr    23502  22902    600  22902
match-all BOD2MVOLUME_CLASS_L    match identifier service-name B        0      0      0      0
match-all BOD1MVOLUME_CLASS_L    match identifier service-name B        0      0      0      0
match-all BOD2MTIME_CLASS_DM2    match identifier service-name B        1      0      1      1
match-all BOD1MTIME_CLASS_DM2    match identifier service-name B    46325  46325      0      0
Key:
"Exec" - The number of times this line was executed
"Hit" - The number of times this line evaluated to TRUE
"Miss" - The number of times this line evaluated to FALSE
"Comp" - The number of times this line completed the execution of its
condition without a need to continue on to the end
The clear subscriber policy conditions command can be used to reset these condition statistics.
ie2-C7206-ATM# clear subscriber policy conditions
ie2-C7206-ATM#
ie2-C7206-ATM# show subscriber policy conditions
Class-map                        Action                              Exec    Hit   Miss   Comp
---------                        ------                              ----    ---   ----   ----
match-any TAL_STATIC_DM3         match identifier source-ip-addr        0      0      0      0
match-any TAL_STATIC_DM3         match identifier source-ip-addr        0      0      0      0
match-all IP_UNAUTH_COND         match identifier timer IP_UNAUT        0      0      0      0
match-all IP_UNAUTH_COND         match identifier authen-status         0      0      0      0
match-any TAL_STATIC_DM4         match identifier source-ip-addr        0      0      0      0
match-any TAL_STATIC_DM4         match identifier source-ip-addr        0      0      0      0
match-all BOD2MVOLUME_CLASS_L    match identifier service-name B        0      0      0      0
match-all BOD1MVOLUME_CLASS_L    match identifier service-name B        0      0      0      0
match-all BOD2MTIME_CLASS_DM2    match identifier service-name B        1      0      1      1
match-all BOD1MTIME_CLASS_DM2    match identifier service-name B        0      0      0      0
Key:
"Exec" - The number of times this line was executed
"Hit" - The number of times this line evaluated to TRUE
"Miss" - The number of times this line evaluated to FALSE
"Comp" - The number of times this line completed the execution of its
condition without a need to continue on to the end
The show subscriber service command shows details of all of the services configured on the ISG.
ie2-C7206-ATM# show subscriber service
Service "PBHK_SERVICE":
  Version 1:
    SVM ID : 47000002
    Locked by : SVM-Feature-Info [196]
    Locked by : SVM-Printer [1]
    Locked by : PM-Service [3626]
    Locked by : PM-Info [3626]
    Locked by : FM-Bind [3430]
    Profile : 21E3C738
    Profile name: PBHK_SERVICE, 3628 references
      portbundle "enable"
      ssg-service-info "IPBHK_SERVICE"
    Feature : Portbundle Hostkey
    Feature IDB type : Sub-if or not required
Service "GAMING_SERVICE":
  Version 1:
    SVM ID : 5E000003
    Child ID : FB000007
    Locked by : SVM-Feature-Info [4]
    Locked by : SVM-Printer [1]
    Locked by : PM-Service [722]
    Locked by : PM-Info [722]
    Locked by : FM-Bind [718]
    Locked by : TC-Child [1]
    Locked by : Accounting-Feature [718]
    Profile : 21E3AE18
    Profile name: GAMING_SERVICE, 1440 references
      idletime 1800 (0x708)
      traffic-class "in access-group name GAMING_IN_ACL priority 10"
      traffic-class "in default drop"
      traffic-class "out access-group name GAMING_OUT_ACL priority 10"
      traffic-class "out default drop"
      accounting-list "CAR_ACCNT_LIST"
      ssg-service-info "IGAMING_SERVICE"
      ssg-service-info "R42.1.1.0;255.255.255.0"
    Feature : TC
    Feature IDB type : Sub-if or not required
    Feature Data : 28 bytes:
      : 000000 00 00 FB 00 00 07 00 00 ........
      : 000008 00 0A 01 00 00 00 21 D2 ......!.
      : 000010 F4 F8 00 00 00 0A 01 00 ........
      : 000018 00 00 64 BD ..d.
  Version 1:
    SVM ID : FB000007
    Parent ID : 5E000003
    Locked by : SVM-Printer [1]
    Locked by : FM-Bind [719]
    Locked by : TC-Parent [1]
    Feature : Idle Timeout
    Feature IDB type : Sub-if or not required
    Feature Data : 8 bytes:
      : 000000 00 00 00 1B 77 40 01 01 ....w@..
    Feature : Accounting
    Feature IDB type : Sub-if or not required
    Feature Data : 24 bytes:
      : 000000 00 00 5E 00 00 03 64 BE ..^...d.
      : 000008 03 B0 00 00 00 0F 00 00 ........
      : 000010 00 01 00 00 00 00 00 00 ........
Service "VOD_SERVICE":
  Version 1:
    SVM ID : AB000004
    Child ID : 41000008
    Locked by : SVM-Feature-Info [4]
    Locked by : SVM-Printer [1]
    Locked by : PM-Service [720]
    Locked by : PM-Info [720]
    Locked by : FM-Bind [716]
    Locked by : TC-Child [1]
    Locked by : Accounting-Feature [716]
    Profile : 21E3AD58
    Profile name: VOD_SERVICE, 1442 references
      idletime 1800 (0x708)
      traffic-class "in access-group name VOD_IN_ACL priority 10"
      traffic-class "in default drop"
      traffic-class "out access-group name VOD_OUT_ACL priority 10"
      traffic-class "out default drop"
      accounting-list "CAR_ACCNT_LIST"
      ssg-service-info "IVOD_SERVICE"
      ssg-service-info "R42.1.1.0;255.255.255.0"
    Feature : TC
    Feature IDB type : Sub-if or not required
    Feature Data : 28 bytes:
      : 000000 00 00 41 00 00 08 00 00 ..a.....
      : 000008 00 0A 01 00 00 00 53 18 ......s.
      : 000010 C0 28 00 00 00 0A 01 00 .(......
      : 000018 00 00 53 19 ..s.
  Version 1:
    SVM ID : 41000008
    Parent ID : AB000004
    Locked by : SVM-Printer [1]
    Locked by : FM-Bind [716]
    Locked by : TC-Parent [1]
    Feature : Idle Timeout
    Feature IDB type : Sub-if or not required
    Feature Data : 8 bytes:
      : 000000 00 00 00 1B 77 40 01 01 ....w@..
    Feature : Accounting
    Feature IDB type : Sub-if or not required
    Feature Data : 24 bytes:
      : 000000 00 00 AB 00 00 04 52 30 ......r0
      : 000008 4C B8 00 00 00 0F 00 00 l.......
      : 000010 00 01 00 00 00 00 00 00 ........
Service "VOIP_SERVICE":
  Version 1:
    SVM ID : 39000005
    Child ID : E2000009
    Locked by : SVM-Feature-Info [4]
    Locked by : SVM-Printer [1]
    Locked by : PM-Service [719]
    Locked by : PM-Info [719]
    Locked by : FM-Bind [715]
    Locked by : TC-Child [1]
    Locked by : Accounting-Feature [716]
    Profile : 21E3AD38
    Profile name: VOIP_SERVICE, 1440 references
      idletime 1800 (0x708)
      traffic-class "in access-group name VOIP_IN_ACL priority 10"
      traffic-class "in default drop"
      traffic-class "out access-group name VOIP_OUT_ACL priority 10"
      traffic-class "out default drop"
      accounting-list "CAR_ACCNT_LIST"
      ssg-service-info "IVOIP_SERVICE"
      ssg-service-info "R42.1.1.0;255.255.255.0"
    Feature : TC
    Feature IDB type : Sub-if or not required
    Feature Data : 28 bytes:
      : 000000 00 00 E2 00 00 09 00 00 ........
      : 000008 00 0A 01 00 00 00 23 2C ......#,
      : 000010 33 B0 00 00 00 0A 01 00 3.......
      : 000018 00 00 52 0C ..r.
  Version 1:
    SVM ID : E2000009
    Parent ID : 39000005
    Locked by : SVM-Feature-Info [3]
    Locked by : SVM-Printer [1]
    Locked by : FM-Bind [716]
    Locked by : SM-SIP-Apply [3]
    Locked by : TC-Parent [1]
    Feature : Idle Timeout
    Feature IDB type : Sub-if or not required
    Feature Data : 8 bytes:
      : 000000 00 00 00 1B 77 40 01 01 ....w@..
    Feature : Accounting
    Feature IDB type : Sub-if or not required
    Feature Data : 24 bytes:
      : 000000 00 00 39 00 00 05 51 12 ..9...q.
      : 000008 60 F0 00 00 00 0F 00 00 `.......
      : 000010 00 01 00 00 00 00 00 00 ........
Service "OPENGARDEN_SERVICE":
  Version 1:
    SVM ID : 77000006
    Child ID : E300000A
    Locked by : SVM-Feature-Info [5]
    Locked by : SVM-Printer [1]
    Locked by : PM-Service [722]
    Locked by : PM-Info [722]
    Locked by : FM-Bind [717]
    Locked by : TC-Child [1]
    Profile : 21E3AD18
    Profile name: OPENGARDEN_SERVICE, 1446 references
      traffic-class "in access-group name OPENGARDEN_IN_ACL"
      traffic-class "in default drop"
      traffic-class "out access-group name OPENGARDEN_OUT_ACL"
      traffic-class "out default drop"
      ssg-service-info "IOPENGARDEN_SERVICE"
    Feature : TC
    Feature IDB type : Sub-if or not required
    Feature Data : 28 bytes:
      : 000000 00 00 E3 00 00 0A 00 00 ........
      : 000008 00 00 01 00 00 00 51 0F ......q.
      : 000010 28 C0 00 00 00 00 01 00 (.......
      : 000018 00 00 51 12 ..q.
  Version 1:
    SVM ID : E300000A
    Parent ID : 77000006
    Locked by : SVM-Feature-Info [3]
    Locked by : SVM-Printer [1]
    Locked by : FM-Bind [717]
    Locked by : SM-SIP-Apply [3]
    Locked by : TC-Parent [1]
Service "L4REDIRECT_SERVICE":
  Version 1:
    SVM ID : AC000030
    Child ID : 6D000031
    Locked by : SVM-Printer [1]
    Locked by : PM-Service [267]
    Locked by : PM-Info [2707]
    Locked by : FM-Bind [268]
    Locked by : TC-Child [1]
    Profile : 242C1A08
    Profile name: L4REDIRECT_SERVICE, 5149 references
      traffic-class "in access-group name IP_REDIRECT_ACL priority 5"
      traffic-class "in default drop"
      traffic-class "out access-group name IP_REDIRECT_ACL priority 5"
      traffic-class "out default drop"
      l4redirect "redirect to group SESM_SERVER_GROUP"
      ssg-service-info "IL4REDIRECT_SERVICE"
    Feature : TC
    Feature IDB type : Sub-if or not required
    Feature Data : 28 bytes:
      : 000000 00 00 6D 00 00 31 00 00 ..m..1..
      : 000008 00 05 01 00 00 00 53 B8 ......s.
      : 000010 CF C0 00 00 00 05 01 00 ........
      : 000018 00 00 24 19 ..$.
  Version 1:
    SVM ID : 6D000031
    Parent ID : AC000030
    Locked by : SVM-Printer [1]
    Locked by : FM-Bind [267]
    Locked by : TC-Parent [1]
    Feature : L4 Redirect
    Feature IDB type : Sub-if or not required
    Feature Data : 20 bytes:
      : 000000 00 00 64 72 B7 F8 64 72 ..dr..dr
      : 000008 B7 F8 00 00 00 01 00 00 ........
      : 000010 00 00 00 00 ....
Service "BOD1MTIME_DM2":
  Version 1:
    SVM ID : 19000053
    Child ID : 13000054
    Locked by : SVM-Printer [1]
    Locked by : PM-Service [2440]
    Locked by : PM-Info [2440]
    Locked by : FM-Bind [2440]
    Locked by : TC-Child [1]
    Locked by : Accounting-Feature [2440]
    Profile : 242C1A48
    Profile name: BOD1MTIME_DM2, 4882 references
      traffic-class "in access-group name INTERNET_IN_ACL priority 10"
      traffic-class "in default drop"
      traffic-class "out access-group name INTERNET_OUT_ACL priority 10"
      traffic-class "out default drop"
      accounting-list "PREPAID_ACCNT_LIST"
      peak-cell-rate 1024 (0x400)
      sustainable-cell-rat 1024 (0x400)
      ssg-service-info "IBOD1MTIME_DM2"
      ssg-service-info "R42.1.1.0;255.255.255.0"
    Feature : TC
    Feature IDB type : Sub-if or not required
    Feature Data : 28 bytes:
      : 000000 00 00 13 00 00 54 00 00 .....t..
      : 000008 00 0A 01 00 00 00 56 B7 ......v.
      : 000010 49 80 00 00 00 0A 01 00 i.......
      : 000018 00 00 24 62 ..$b
    SIP : Info 23E85AB8 access: PPPoE info: PPPoE
  Version 1:
    SVM ID : 13000054
    Parent ID : 19000053
    Locked by : SVM-Printer [1]
    Locked by : FM-Bind [2440]
    Locked by : TC-Parent [1]
    Feature : Accounting
    Feature IDB type : Sub-if or not required
    Feature Data : 24 bytes:
      : 000000 00 00 19 00 00 53 24 70 .....s$p
      : 000008 61 68 00 00 00 0F 00 00 ah......
      : 000010 00 01 00 00 00 00 00 00 ........
Service "INTERNET_SERVICE":
  Version 1:
    SVM ID : EE000055
    Locked by : SVM-Printer [1]
    Locked by : PM-Service [200]
    Locked by : PM-Info [200]
    Locked by : FM-Bind [200]
    Profile : 21E3AC78
    Profile name: INTERNET_SERVICE, 402 references
      inacl "INTERNET_IN_ACL"
      outacl "INTERNET_OUT_ACL"
      ssg-service-info "IINTERNET_SERVICE"
      ssg-service-info "R42.1.1.0;255.255.255.0"
    Feature : Per-User ACL
    Feature IDB type : Sub-if or not required
    Feature Data : 52 bytes:
      : 000000 00 00 26 0C 07 A6 00 00 ..&.....
      : 000008 00 00 00 00 00 00 F6 01 ........
      : 000010 07 B3 00 00 00 00 00 00 ........
      : 000018 00 00 00 00 00 01 00 00 ........
      : 000020 00 00 00 00 00 00 00 00 ........
      : 000028 00 01 00 00 00 00 00 00 ........
      : 000030 00 00 00 00 ....
The show subscriber policy rule command shows all of the rules that are configured on the ISG and the number of times each action has been executed.
ie2-C7206-ATM# show subscriber policy rule
Rule: internal-rule-acct-logon
  Class-map: always event account-logon
    Action: 1 authenticate aaa list default    Executed 0
Rule: RULE_L2TP_LM_ATM7
  Class-map: always event session-start
    Action: 1 collect identifier unauthenticated-domain    Executed 0
    Action: 2 authorize identifier unauthenticated-domain    Executed 0
Rule: RULE_L2TP_LM_ATM3
  Class-map: always event session-start
    Action: 1 collect identifier unauthenticated-domain    Executed 0
    Action: 2 authorize identifier unauthenticated-domain    Executed 0
Rule: RULE_IP_LM_ATM2
  Class-map: IP_UNAUTH_COND event timed-policy-expiry
    Action: 1 service disconnect    Executed 5388
  Class-map: TAL_STATIC_DM3 event session-start
    Action: 1 service-policy type service name PBHK_SERVICE    Executed 29007
    Action: 2 authorize identifier source-ip-address    Executed 28662
    Action: 3 service-policy type service name L4REDIRECT_SERVICE    Executed 5588
    Action: 4 set-timer IP_UNAUTH_TIMER 5    Executed 5588
  Class-map: always event session-start
    Action: 1 service-policy type service name PBHK_SERVICE    Executed 7199
    Action: 2 authorize identifier mac-address    Executed 6004
    Action: 3 service-policy type service name L4REDIRECT_SERVICE    Executed 5999
    Action: 4 set-timer IP_UNAUTH_TIMER 5    Executed 5999
  Class-map: always event account-logon
    Action: 1 authenticate aaa list IP_AUTHEN_LIST    Executed 0
    Action: 2 service-policy type service unapply name L4REDIRECT_SERVICE    Executed 0
Rule: RULE_PTA_LM_ATM2
  Class-map: always event session-start
    Action: 1 service-policy type service name PBHK_SERVICE    Executed 0
Rule: RULE_IP_LM_ATM7
  Class-map: TAL_STATIC_DM4 event session-start
    Action: 1 service-policy type service name PBHK_SERVICE    Executed 22957
    Action: 2 authorize identifier source-ip-address    Executed 22902
    Action: 3 service-policy type service name L4REDIRECT_SERVICE    Executed 37
    Action: 4 set-timer IP_UNAUTH_TIMER 5    Executed 37
  Class-map: IP_UNAUTH_COND event timed-policy-expiry
    Action: 1 service disconnect    Executed 38
  Class-map: always event session-start
    Action: 1 service-policy type service name PBHK_SERVICE    Executed 600
    Action: 2 authorize identifier mac-address    Executed 200
    Action: 3 service-policy type service name L4REDIRECT_SERVICE    Executed 1
    Action: 4 set-timer IP_UNAUTH_TIMER 5    Executed 1
  Class-map: always event account-logon
    Action: 1 authenticate aaa list IP_AUTHEN_LIST    Executed 0
    Action: 2 service-policy type service unapply name L4REDIRECT_SERVICE    Executed 0
Rule: RULE_PTA_TIME_LM_ATM8
  Class-map: BOD1MTIME_CLASS_DM2 event service-start
    Action: 1 service-policy type service unapply name L4REDIRECT_SERVICE    Executed 47256
    Action: 2 service-policy type service unapply name BOD2MTIME_DM2    Executed 47256
    Action: 3 service-policy type service identifier service-name    Executed 47256
  Class-map: BOD2MTIME_CLASS_DM2 event service-start
    Action: 1 service-policy type service unapply name L4REDIRECT_SERVICE    Executed 0
    Action: 2 service-policy type service unapply name BOD1MTIME_DM2    Executed 0
    Action: 3 service-policy type service identifier service-name    Executed 0
  Class-map: BOD2MTIME_CLASS_DM2 event service-stop
    Action: 1 service-policy type service unapply identifier service-name    Executed 0
    Action: 2 service-policy type service name L4REDIRECT_SERVICE    Executed 0
  Class-map: BOD1MTIME_CLASS_DM2 event service-stop
    Action: 1 service-policy type service unapply identifier service-name    Executed 1
    Action: 2 service-policy type service name L4REDIRECT_SERVICE    Executed 1
  Class-map: always event session-start
    Action: 1 service-policy type service name PBHK_SERVICE    Executed 49636
    Action: 2 service-policy type service name L4REDIRECT_SERVICE    Executed 48636
  Class-map: always event quota-depleted
    Action: 1 set-param drop-traffic FALSE    Executed 0
  Class-map: always event credit-exhausted
    Action: 1 service-policy type service name L4REDIRECT_SERVICE    Executed 0
  Class-map: always event internal-event-cre-t-exp
    Action: 1 service-policy type service unapply name L4REDIRECT_SERVICE    Executed 0
Rule: RULE_PTA_VOLUME_LM_ATM8
  Class-map: BOD1MVOLUME_CLASS_DM2 event service-start
    Action: 1 service-policy type service unapply name L4REDIRECT_SERVICE    Executed 0
    Action: 2 service-policy type service unapply name BOD2MVOLUME_DM2    Executed 0
    Action: 3 service-policy type service identifier service-name    Executed 0
  Class-map: BOD2MVOLUME_CLASS_DM2 event service-start
    Action: 1 service-policy type service unapply name L4REDIRECT_SERVICE    Executed 0
    Action: 2 service-policy type service unapply name BOD1MVOLUME_DM2    Executed 0
    Action: 3 service-policy type service identifier service-name    Executed 0
  Class-map: BOD2MVOLUME_CLASS_DM2 event service-stop
    Action: 1 service-policy type service unapply identifier service-name    Executed 0
    Action: 2 service-policy type service name L4REDIRECT_SERVICE    Executed 0
  Class-map: BOD1MVOLUME_CLASS_DM2 event service-stop
    Action: 1 service-policy type service unapply identifier service-name    Executed 0
    Action: 2 service-policy type service name L4REDIRECT_SERVICE    Executed 0
  Class-map: always event session-start
    Action: 1 service-policy type service name PBHK_SERVICE    Executed 0
    Action: 2 service-policy type service name L4REDIRECT_SERVICE    Executed 0
  Class-map: always event quota-depleted
    Action: 1 set-param drop-traffic FALSE    Executed 0
  Class-map: always event credit-exhausted
    Action: 1 service-policy type service name L4REDIRECT_SERVICE    Executed 0
  Class-map: always event internal-event-cre-t-exp
    Action: 1 service-policy type service unapply name L4REDIRECT_SERVICE    Executed 0
Key:
"Exec" - The number of times this rule action line was executed
ie2-C7206-ATM#
Basic ISG Operation Verification
The show subscriber statistics command shows a summary of the number of active sessions and a brief history of session activity.
ie2-C7206-ATM# show subscriber statistics
Current Subscriber Statistics:
Number of sessions currently up: 3227
Number of sessions currently pending: 193
Number of sessions currently authenticated: 3101
Number of sessions currently unauthenticated: 0
Highest number of sessions ever up at one time: 3760
Mean up-time duration of sessions: 00:05:12
Total number of sessions up so far: 105408
Mean call rate per minute: 484, per hour: 35200
Number of sessions failed to come up: 3401
Access type based session count:
PPPoE sessions = 2640
Traffic-Class sessions = 4594
IP sessions = 780
The show subscriber session command shows basic information for all active subscribers.
ie2-C7206-LNS# show subscriber session
Current Subscriber Information: Total sessions 3370
Uniq ID  Interface   State     Service       Identifier      Up-time
! This is the VID for the subscriber
4910     Vi2.2122    authen    Local Term    C72_DM2_3021    00:03:41
! This is the VID for the subscriber's traffic classes
1748     Traffic-Cl  unauthen  Ltm Internal                  00:04:27
10709    Traffic-Cl  unauthen  Ltm Internal                  00:04:23
6514     Vi2.78      authen    Local Term    C72_DM2_1078    00:04:55
5650     Traffic-Cl  unauthen  Ltm Internal  C72_DM2_1446    00:04:46
3771     Traffic-Cl  unauthen  Ltm Internal                  00:01:01
2601     Vi2.1558    authen    Local Term    C72_DM2_2097    00:04:12
3508     Traffic-Cl  unauthen  Ltm Internal                  00:01:16
9767     Traffic-Cl  unauthen  Ltm Internal  C72_DM2_1390    00:04:48
The show ip route vrf VPN11006 command shows routing table information for the VRF. In the following output, there is one active subscriber session.
ie2-C7206-LNS# show ip route vrf VPN11006
Routing Table: VPN11006
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     84.0.0.0/24 is subnetted, 1 subnets
B       84.1.206.0 [200/0] via 10.200.1.43, 4d19h
     100.0.0.0/32 is subnetted, 1 subnets
C       100.6.6.6 is directly connected, Loopback1
     200.53.6.0/32 is subnetted, 1 subnets
! This shows that the subscriber is connected and part of vrf VPN11006
C       200.53.6.2 is directly connected, Virtual-Access3
     200.6.6.0/32 is subnetted, 1 subnets
B       200.6.6.6 [200/0] via 10.200.1.56, 4d19h
     10.0.0.0/32 is subnetted, 1 subnets
B       10.100.4.38 [200/0] via 10.200.1.43, 4d19h
ie2-C7206-LNS#
Subscriber Service Verification
The show subscriber session username C72_DM2_1078 command shows detailed information for the subscriber with the username C72_DM2_1078. The following output is for a subscriber with the BOD1MTIME_DM2 service.
ie2-C7206-ATM# show subscriber session username C72_DM2_1078
Unique Session ID: 6514
Identifier: C72_DM2_1078
SIP subscriber access type(s): PPPoE/PPP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 00:06:17, Last Changed: 00:06:17
AAA unique ID: 102346
Interface: Virtual-Access2.78
Policy information:
  Context 25559F94: Handle 310104C8
  Authentication status: authen
  Active services associated with session:
    ! Indicates the services that the subscriber is using.
    name "BOD1MTIME_DM2"
    name "PBHK_SERVICE", applied outwith active session
  Rules, actions and conditions executed:
    subscriber rule-map RULE_PTA_TIME_LM_ATM8
      condition always event session-start
        1 service-policy type service name PBHK_SERVICE
        2 service-policy type service name L4REDIRECT_SERVICE
    subscriber rule-map RULE_PTA_TIME_LM_ATM8
      condition BOD1MTIME_CLASS_DM2 event service-start
        subscriber condition-map match-all BOD1MTIME_CLASS_DM2
          match identifier service-name BOD1MTIME_DM2 [TRUE]
    subscriber rule-map RULE_PTA_TIME_LM_ATM8
      condition BOD1MTIME_CLASS_DM2 event service-start
        1 service-policy type service unapply name L4REDIRECT_SERVICE
        2 service-policy type service unapply name BOD2MTIME_DM2
        3 service-policy type service identifier service-name
Session inbound features:
  Feature: PPP Idle Timeout
    Timeout value is 1800
    Idle time is 00:06:25
  Feature: Layer 4 Redirect
    Rule table is empty
  Traffic classes:
    Traffic class session ID: 3947
      ACL Name: INTERNET_IN_ACL, Packets = 0, Bytes = 0
    Default traffic is dropped
    Unmatched Packets (dropped) = 0, Re-classified packets (redirected) = 0
  ! Portbundle Hostkey information for the subscriber.
  Feature: Portbundle Hostkey
    Portbundle IP = 10.200.1.53 Bundle Number = 1229
Session outbound features:
  Feature: PPP Idle Timeout
    Timeout value is 1800
    Idle time is 00:06:25
  Traffic classes:
    Traffic class session ID: 3947
      ! Identifies the ACL that restricts outbound traffic. The ACL is configured on the ISG,
      ! and it is applied to the subscriber based on the subscriber profile on the AAA server.
      ACL Name: INTERNET_OUT_ACL, Packets = 0, Bytes = 0
    Default traffic is dropped
    Unmatched Packets (dropped) = 0, Re-classified packets (redirected) = 0
Non-datapath features:
  Feature: Session Timeout
    Timeout value is 18000 seconds
    ! Indicates the amount of time remaining before the session times out.
    Time remaining is 04:53:33
  Feature: IP Config
    Peer IP Address: 0.0.0.0 (F/F)
    Address Pool: C72_DM2_8003 (F)
    Unnumbered Intf: Lo8001
Configuration sources associated with this session:
  ! Indicates how long the BOD1MTIME_DM2 service has been active.
  Service: BOD1MTIME_DM2, Active Time = 00:06:26
    AAA Service ID = 1441613880
  Service: PBHK_SERVICE, Active Time = 00:06:27
  Interface: Virtual-Template8, Active Time = 00:06:27
The show subscriber session username C72_DM2_1078 detail command shows further details about the subscriber's session.
ie2-C7206-ATM# show subscriber session username C72_DM2_1078 detailUnique Session ID: 6514Identifier: C72_DM2_1078SIP subscriber access type(s): PPPoE/PPPCurrent SIP options: Req Fwding/Req FwdedSession Up-time: 00:06:32, Last Changed: 00:06:32AAA unique ID: 102346Interface: Virtual-Access2.78Policy information:Context 25559F94: Handle 310104C8Authentication status: authenDownloaded User profile, excluding services:service-type 2 [Framed]Framed-Protocol 1 [PPP]routing FalseFramed-MTU 1500 (0x5DC)timeout 18000 (0x4650)idletime 1800 (0x708)! The "A" stands for auto-login, which indicates that BOD1MTIME_DM2 is the default! service.ssg-account-info "ABOD1MTIME_DM2"! The "N" indicates that the subscriber is allowed access the BOD2MTIME_DM2 service based! on the subscriber's AAA profile.ssg-account-info "NBOD2MTIME_DM2"idletime 1800 (0x708)vrf-id "VPN_C72_DM2_1003"ip-unnumbered "loopback 8001"addr-pool "C72_DM2_8003"Downloaded User profile, including services:portbundle "enable"service-type 2 [Framed]Framed-Protocol 1 [PPP]routing FalseFramed-MTU 1500 (0x5DC)timeout 18000 (0x4650)idletime 1800 (0x708)ssg-account-info "ABOD1MTIME_DM2"ssg-account-info "NBOD2MTIME_DM2"idletime 1800 (0x708)vrf-id "VPN_C72_DM2_1003"ip-unnumbered "loopback 8001"addr-pool "C72_DM2_8003"traffic-class "in access-group name INTERNET_IN_ACL priority 10"traffic-class "in default drop"traffic-class "out access-group name INTERNET_OUT_ACL priority 10"traffic-class "out default drop"accounting-list "PREPAID_ACCNT_LIST"peak-cell-rate 1024 (0x400)sustainable-cell-rat 1024 (0x400)ssg-service-info "IBOD1MTIME_DM2"ssg-service-info "R42.1.1.0;255.255.255.0"Config history for session (recent to oldest):Access-type: Web-service-logon Client: SMPolicy event: Process Config (Service)Profile name: BOD1MTIME_DM2, 4882 referencestraffic-class "in access-group name INTERNET_IN_ACL priority 10"traffic-class "in default drop"traffic-class "out access-group name INTERNET_OUT_ACL priority 10"traffic-class "out default 
drop"accounting-list "PREPAID_ACCNT_LIST"peak-cell-rate 1024 (0x400)sustainable-cell-rat 1024 (0x400)ssg-service-info "IBOD1MTIME_DM2"ssg-service-info "R42.1.1.0;255.255.255.0"Access-type: Max Client: SM! Describers the Layer 4 Reidrect service, which is not currently applied.Policy event: Process Config (Unapplied) (Service)Profile name: L4REDIRECT_SERVICE, 5082 referencestraffic-class "in access-group name IP_REDIRECT_ACL priority 5"traffic-class "in default drop"traffic-class "out access-group name IP_REDIRECT_ACL priority 5"traffic-class "out default drop"l4redirect "redirect to group SESM_SERVER_GROUP"ssg-service-info "IL4REDIRECT_SERVICE"Access-type: PPP Client: SMPolicy event: Process ConfigProfile name: apply-config-only, 28 referencesservice-type 2 [Framed]Framed-Protocol 1 [PPP]routing FalseFramed-MTU 1500 (0x5DC)timeout 18000 (0x4650)idletime 1800 (0x708)ssg-account-info "ABOD1MTIME_DM2"ssg-account-info "NBOD2MTIME_DM2"idletime 1800 (0x708)vrf-id "VPN_C72_DM2_1003"ip-unnumbered "loopback 8001"addr-pool "C72_DM2_8003"Access-type: PPPoE Client: SMPolicy event: Service Selection Request (Service)Profile name: L4REDIRECT_SERVICE, 5082 referencestraffic-class "in access-group name IP_REDIRECT_ACL priority 5"traffic-class "in default drop"traffic-class "out access-group name IP_REDIRECT_ACL priority 5"traffic-class "out default drop"l4redirect "redirect to group SESM_SERVER_GROUP"ssg-service-info "IL4REDIRECT_SERVICE"Access-type: PPPoE Client: SMPolicy event: Service Selection Request (Service)Profile name: PBHK_SERVICE, 3379 referencesportbundle "enable"ssg-service-info "IPBHK_SERVICE"Active services associated with session:name "BOD1MTIME_DM2"name "PBHK_SERVICE", applied outwith active sessionRules, actions and conditions executed:subscriber rule-map RULE_PTA_TIME_LM_ATM8condition always event session-start1 service-policy type service name PBHK_SERVICE2 service-policy type service name L4REDIRECT_SERVICEsubscriber rule-map RULE_PTA_TIME_LM_ATM8condition 
BOD1MTIME_CLASS_DM2 event service-startsubscriber condition-map match-all BOD1MTIME_CLASS_DM2! Services that are active are identified as "TRUE."match identifier service-name BOD1MTIME_DM2 [TRUE]subscriber rule-map RULE_PTA_TIME_LM_ATM8condition BOD1MTIME_CLASS_DM2 event service-start1 service-policy type service unapply name L4REDIRECT_SERVICE2 service-policy type service unapply name BOD2MTIME_DM23 service-policy type service identifier service-nameSession inbound features:Feature: PPP Idle TimeoutTimeout value is 1800Idle time is 00:06:35Feature: Layer 4 RedirectRule table is emptyTraffic classes:Traffic class session ID: 3947! Identifies the ACL that restricts inbound traffic. The ACL is configured on the ISG LNS,! and it is applied to the subscriber based on the subscriber profile on the AAA server.ACL Name: INTERNET-IN-ACL, Packets = 0, Bytes = 0Default traffic is droppedUnmatched Packets (dropped) = 0, Re-classified packets (redirected) = 0Feature: Portbundle Hostkey! Identifies the PBHK IP address and the bundle number. This information can be used to! troubleshoot PBHK with the show ip portbundle command.Portbundle IP = 10.200.1.53 Bundle Number = 1229Session outbound features:Feature: PPP Idle TimeoutTimeout value is 1800Idle time is 00:06:35Traffic classes:Traffic class session ID: 3947ACL Name: INTERNET_OUT_ACL, Packets = 0, Bytes = 0Default traffic is droppedUnmatched Packets (dropped) = 0, Re-classified packets (redirected) = 0Non-datapath features:Feature: Session TimeoutTimeout value is 18000 secondsTime remaining is 04:53:23Feature: IP ConfigPeer IP Address: 0.0.0.0 (F/F)Address Pool: C72_DM2_8003 (F)Unnumbered Intf: Lo8001Configuration sources associated with this session:Service: BOD1MTIME_DM2, Active Time = 00:06:35AAA Service ID = 1441613880Service: PBHK_SERVICE, Active Time = 00:06:36Interface: Virtual-Template8, Active Time = 00:06:36Complete Running Configurations
The following sections contain the complete running configurations for the devices in the four deployment models. They are lab configurations: they carry plaintext, well-known secrets (enable password lab, RADIUS and L2TP tunnel key cisco), no service password-encryption, and aaa authentication login default none, so adapt them rather than copying them into a production network.
•Deployment Model 1: Basic Internet Access Service Bundle over L2TP
•Deployment Model 2: Multiservice Service Bundle over PPPoE
•Deployment Model 3: Triple Play Plus Service Bundle over IP and PPPoE
•Deployment Model 4: Triple Play Plus Service Bundle over IP and L2TP
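The weak settings just mentioned are easy to miss in listings of this length, so the following script is added here as a worked example; it is not part of this guide and not a Cisco tool. It scans an IOS running-config excerpt for the settings a reviewer would flag, and additionally cross-checks that the ACL named under ip portbundle permits the portal address used by redirect server-group. The check names, the well-known-secret list, and that PBHK/redirect cross-check are this example's own assumptions; the sample input is constructed from lines that appear in the Deployment Model 2 ISG listing.

```python
"""Audit an IOS / ISG running-config excerpt for weak settings.

Added example for this guide; it is not Cisco tooling and not part of the
original document.  The check names and the PBHK/redirect cross-check are
this example's own assumptions.  Standard library only.
"""
import re
from typing import Dict, Iterator, List, Set, Tuple

Finding = Tuple[str, str]  # (check name, evidence)

# Constructed excerpt: lines taken from the Deployment Model 2 ISG listing.
SAMPLE_CONFIG = """\
no service password-encryption
enable password lab
aaa new-model
aaa authentication login default none
aaa server radius sesm
 client 10.100.3.34
 key cisco
 port 1812
 message-authenticator ignore
ip ftp password lab
redirect server-group SESM_SERVER_GROUP
 server ip 10.100.3.34 port 8080
ip portbundle
 match access-list 135
 source Loopback0
access-list 135 permit ip any host 10.100.4.38
access-list 135 deny   ip any any
radius-server host 10.100.1.35 auth-port 1812 acct-port 1813 key cisco
line vty 0 4
 exec-timeout 0 0
"""

# Lab defaults and guessable values; extend for your own environment.
WELL_KNOWN_SECRETS = {"cisco", "lab", "password", "admin"}
# Trailing "key <x>", "password <x>" or "password 0 <x>" (type 0 = plaintext).
SECRET_RE = re.compile(r"(?:^| )(?:key|password(?: 0)?) (\S+)$")


def iter_sections(config: str) -> Iterator[Tuple[str, str]]:
    """Yield (current top-level section, stripped line) for each line.
    IOS indents sub-commands with a leading space; an unindented line
    starts a new section."""
    section = ""
    for raw in config.splitlines():
        if not raw.startswith(" "):
            section = raw.strip()
        yield section, raw.strip()


def check_pbhk_covers_redirect_servers(config: str) -> List[Finding]:
    """Assumption of this example: the ACL referenced by 'ip portbundle' must
    permit every 'server ip' in a redirect server-group, otherwise subscribers
    redirected to the portal arrive there without a port-bundle mapping."""
    redirect_servers: Set[str] = set()
    pbhk_acl = None
    acl_hosts: Dict[str, Set[str]] = {}
    for section, line in iter_sections(config):
        if section.startswith("redirect server-group"):
            m = re.match(r"server ip (\S+) port \d+", line)
            if m:
                redirect_servers.add(m.group(1))
        elif section == "ip portbundle":
            m = re.match(r"match access-list (\S+)", line)
            if m:
                pbhk_acl = m.group(1)
        m = re.match(r"access-list (\S+) permit ip any host (\S+)", line)
        if m:
            acl_hosts.setdefault(m.group(1), set()).add(m.group(2))
    if pbhk_acl is None:
        return []
    missing = redirect_servers - acl_hosts.get(pbhk_acl, set())
    return [("pbhk-acl-misses-redirect-server",
             f"access-list {pbhk_acl} does not permit host {ip}") for ip in sorted(missing)]


def audit(config: str) -> List[Finding]:
    findings: List[Finding] = []
    vty_bodies: Dict[str, List[str]] = {}
    for section, line in iter_sections(config):
        if section.startswith("line vty"):
            vty_bodies.setdefault(section, [])
            if line != section:
                vty_bodies[section].append(line)
        if line == "no service password-encryption":
            findings.append(("plaintext-passwords-in-config", line))
        if line.startswith("enable password"):
            findings.append(("enable-password-not-secret", line))
        if line == "aaa authentication login default none":
            findings.append(("login-without-authentication", line))
        if line == "message-authenticator ignore":
            # CoA/PoD requests from this client are accepted without the
            # Message-Authenticator attribute, i.e. without an integrity check.
            findings.append(("radius-message-authenticator-ignored", f"{section}: {line}"))
        m = SECRET_RE.search(line)
        if m and m.group(1).lower() in WELL_KNOWN_SECRETS:
            findings.append(("well-known-secret", line))
    for name, body in vty_bodies.items():
        if not any(b.startswith("access-class") for b in body):
            findings.append(("vty-without-access-class", name))
    findings.extend(check_pbhk_covers_redirect_servers(config))
    return findings


if __name__ == "__main__":
    for check, evidence in audit(SAMPLE_CONFIG):
        print(f"{check:40s} {evidence}")
```

Run over the Deployment Model 2 ISG listing it reports, besides the plaintext secrets and the unauthenticated login method, that access-list 135 permits only host 10.100.4.38 while the redirect server-group points at 10.100.3.34; the guide does not say whether that is intended, so it is worth confirming before that configuration is reused.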
Deployment Model 1: Basic Internet Access Service Bundle over L2TP
The following sections contain the complete running configurations for the devices in Deployment Model 1:
•Deployment Model 1: CPE
•Deployment Model 1: ISG LAC
•Deployment Model 1: LNS
•Deployment Model 1: PE
•Deployment Model 1: AAA Server for ISP-1
•Deployment Model 1: AAA Server for ISP-2
Deployment Model 1: CPE
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname ie2-C837-CPE5
!
no aaa new-model
ip subnet-zero
no ip domain lookup
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   lease 0 2
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group ppoe
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 load-interval 30
 hold-queue 100 out
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.5 point-to-point
 pvc 5/45
  pppoe max-sessions 100
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname C73_DM1_01@L2TP_DM1_101.com
 ppp chap password 0 lab
!
ip nat inside source list 23 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 23 permit 10.10.10.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
Deployment Model 1: ISG LAC
version 12.2
no service pad
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname ie2-C7206-ATM
!
boot-start-marker
boot host tftp ie2/configs/tc5xx/isg_add_tc5xx_pta.dat 223.255.12.34
boot system disk2:c7200-js-mz.122-27.1.11.SIE7
boot-end-marker
!
logging buffered 1000000 debugging
no logging console
enable password lab
!
aaa new-model
!
aaa group server radius CAR_SERVER
 server 10.100.1.35 auth-port 1812 acct-port 1813
!
aaa authentication login default none
aaa authentication login IP_AUTHEN_LIST group CAR_SERVER
aaa authentication ppp default group CAR_SERVER
aaa authorization network default group CAR_SERVER
aaa authorization subscriber-service default local group radius
aaa accounting network default start-stop group CAR_SERVER
!
aaa session-id common
clock timezone Pacific -8
ip subnet-zero
!
ip ftp username root
ip ftp password lab
ip dhcp smart-relay
ip dhcp relay information option vpn
ip dhcp relay information option
ip dhcp relay information trust-all
no ip dhcp use vrf connected
!
ip cef
!
subscriber policy recording rules limit 64
subscriber authorization enable
vpdn enable
vpdn ip udp ignore checksum
vpdn search-order domain
!
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
policy-map control RULE_L2TP_LM_ATM3
 class control always event session-start
  1 collect identifier unauthenticated-domain
  2 authorize identifier unauthenticated-domain
!
bba-group pppoe BBA_LM_ATM3
 virtual-template 3
!
vc-class atm VC_LM_ATM3
 protocol pppoe group BBA_LM_ATM3
 dbs enable maximum
 encapsulation aal5snap
 service-policy control RULE_L2TP_LM_ATM3
!
interface Loopback0
 ip address 10.200.1.53 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 223.255.12.53 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/3
 ip address 40.40.1.53 255.255.255.0
 load-interval 30
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
 mpls mtu 1522
 mpls ip
 ip rsvp bandwidth 100000
!
interface ATM1/0
 no ip address
 load-interval 30
 no atm auto-configuration
 no atm ilmi-keepalive
 no atm address-registration
 no atm ilmi-enable
 no atm enable-ilmi-trap
 bundle-enable
!
interface ATM1/0.101 multipoint
 description ATM Deployment Model 1
 no atm enable-ilmi-trap
 pvc 101/41
  class-vc VC_LM_ATM3
 !
!
interface Virtual-Template3
 description VT for LM_ATM3
 no ip address
 no peer default ip address
 no keepalive
 ppp authentication chap
 ppp timeout aaa
!
router ospf 100
 router-id 10.200.1.53
 log-adjacency-changes
 area 100 range 200.53.0.0 255.255.0.0
 redistribute connected
 redistribute static subnets
 network 10.200.1.53 0.0.0.0 area 100
 network 20.20.1.0 0.0.0.255 area 100
 network 40.40.1.0 0.0.0.255 area 100
 network 200.53.0.0 0.0.255.255 area 100
!
router bgp 100
 no synchronization
 bgp router-id 10.200.1.53
 bgp log-neighbor-changes
 network 200.53.0.0 mask 255.255.0.0
 aggregate-address 200.53.3.0 255.255.255.0 summary-only
 redistribute connected
 redistribute static
 neighbor 10.200.1.41 remote-as 100
 neighbor 10.200.1.41 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 10.200.1.41 activate
  neighbor 10.200.1.41 send-community both
 exit-address-family
!
ip classless
!
no ip http server
!
ip radius source-interface Loopback0
!
radius-server host 10.100.1.35 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 5
radius-server timeout 15
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
dial-peer cor custom
!
gatekeeper
 shutdown
!
alias exec showdb show database data IDMGR-Session-DB 2
alias exec sss show subscriber session
alias exec css clear subscriber session
alias exec ss show subscriber statistics
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
!
ntp clock-period 17179872
ntp server 10.200.1.41 source GigabitEthernet0/3 prefer
!
end
Deployment Model 1: LNS
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname ie2-C7301-LNS
!
boot-start-marker
boot host ftp://223.255.12.34/tftpboot/ie2/configs/tc5xx/isg_add_tc5xx_lns.dat
boot system disk0:c7301-js-mz.122-27.1.11.SIE7
boot-end-marker
!
logging buffered 2000000 debugging
no logging console
enable password lab
!
aaa new-model
!
aaa group server radius CAR_SERVER
 server 10.100.2.36 auth-port 1812 acct-port 1813
!
aaa authentication login default none
aaa authentication login IP_AUTHEN_LIST group CAR_SERVER
aaa authentication ppp default group CAR_SERVER
aaa authorization network default group CAR_SERVER
aaa authorization subscriber-service default local group radius
aaa accounting network default start-stop group CAR_SERVER
aaa server radius sesm
 client 10.100.4.38
 key cisco
 port 1812
 message-authenticator ignore
!
aaa session-id common
clock timezone Pacific -8
ip subnet-zero
!
ip ftp username root
ip ftp password lab
no ip dhcp use vrf connected
!
ip cef
!
subscriber policy recording rules limit 64
vpdn enable
vpdn ip udp ignore checksum
!
redirect server-group SESM-Server
 server ip 10.100.4.38 port 8080
!
clns routing
no mpls traffic-eng auto-bw timers frequency 0
mpls label protocol ldp
call rsvp-sync
!
ip vrf VPN_C72_DM1_1001
 rd 200:1001
 route-target export 200:1001
 route-target import 200:1001
!
vpdn-group L2TP_DM1_101
 accept-dialin
  protocol l2tp
  virtual-template 5
 terminate-from hostname L2TP_DM1_101
 local name L2TP_DM1_101
 l2tp tunnel password 0 cisco
!
interface Loopback0
 ip address 10.200.1.56 255.255.255.255
 ip router isis Remote_ISP_7301
!
interface Loopback5001
 ip address 5.55.1.1 255.255.0.0
!
interface GigabitEthernet0/0
 ip address 223.255.12.56 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/1
 description connection to ISP2 CORE router
 ip address 27.27.1.56 255.255.255.0
 ip portbundle outside
 ip router isis Remote_ISP_7301
 load-interval 30
 duplex auto
 speed auto
 media-type gbic
 negotiation auto
 mpls label protocol ldp
 mpls ip
!
interface GigabitEthernet0/2
 description connection to ISP1 CORE router
 ip address 26.26.1.56 255.255.255.0
 ip router isis Remote_ISP_7301
 load-interval 30
 duplex auto
 speed auto
 media-type gbic
 negotiation auto
!
interface Virtual-Template5
 no ip address
 load-interval 30
 no peer default ip address
 no keepalive
 ppp mtu adaptive
 ppp authentication chap
!
router isis Remote_ISP_7301
 net 01.0011.5dd1.f01b.00
 redistribute connected
!
router bgp 200
 no synchronization
 bgp router-id 10.200.1.56
 bgp log-neighbor-changes
 network 10.100.4.0 mask 255.255.255.0
 network 10.200.1.47 mask 255.255.255.255
 network 10.200.1.55 mask 255.255.255.255
 network 10.200.1.62 mask 255.255.255.255
 network 21.21.1.55 mask 255.255.255.0
 network 22.22.1.55 mask 255.255.255.0
 network 23.0.0.0
 network 24.0.0.0 mask 255.255.0.0
 network 24.5.0.0 mask 255.255.0.0
 redistribute connected
 neighbor 10.200.1.41 remote-as 100
 neighbor 10.200.1.41 ebgp-multihop 2
 neighbor 10.200.1.41 update-source Loopback0
 neighbor 10.200.1.47 remote-as 200
 neighbor 10.200.1.47 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 10.200.1.47 activate
  neighbor 10.200.1.47 send-community both
 exit-address-family
 !
 address-family ipv4 vrf VPN_C72_DM1_1001
  redistribute connected
  redistribute static
  no auto-summary
  no synchronization
 exit-address-family
!
ip local pool C73_DM1_3001 1.3.1.2 1.3.255.254
!
ip portbundle
 match access-list 135
 source Loopback0
!
ip classless
ip route 10.200.1.41 255.255.255.255 26.26.1.41
!
no ip http server
!
ip access-list extended Internet-in-acl
 deny   ip any 223.0.0.0 0.255.255.255
 deny   ip any 20.0.0.0 0.255.255.255
 deny   ip any 40.0.0.0 0.255.255.255
 deny   ip any 21.0.0.0 0.255.255.255
 deny   ip any 22.0.0.0 0.255.255.255
 deny   ip any 41.0.0.0 0.255.255.255
 deny   ip any 80.0.0.0 0.255.255.255
 deny   ip any 81.0.0.0 0.255.255.255
 deny   ip any 82.0.0.0 0.255.255.255
 deny   ip any 10.200.0.0 0.0.255.255
 permit ip any any
ip access-list extended Internet-out-acl
 deny   ip 223.0.0.0 0.255.255.255 any
 deny   ip 10.200.0.0 0.0.255.255 any
 deny   ip 20.0.0.0 0.255.255.255 any
 deny   ip 40.0.0.0 0.255.255.255 any
 deny   ip 21.0.0.0 0.255.255.255 any
 deny   ip 22.0.0.0 0.255.255.255 any
 deny   ip 41.0.0.0 0.255.255.255 any
 deny   ip 80.0.0.0 0.255.255.255 any
 deny   ip 81.0.0.0 0.255.255.255 any
 deny   ip 82.0.0.0 0.255.255.255 any
 permit ip any any
ip radius source-interface Loopback0
access-list 135 permit ip any host 10.100.4.38
access-list 135 deny   ip any any
!
radius-server host 10.100.2.36 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 5
radius-server key cisco
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
dial-peer cor custom
!
gatekeeper
 shutdown
!
alias exec sss show subscriber session
alias exec css clear subscriber session
alias exec ss show subscriber statistics
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
!
ntp clock-period 17180035
ntp server 10.200.1.41 prefer
Deployment Model 1: PE
ip vrf VPN10003
 rd 100:3
 route-target export 100:3
 route-target import 100:3
!
router bgp 100
 no synchronization
 bgp router-id 10.200.1.45
 bgp log-neighbor-changes
 redistribute connected
 redistribute static
 neighbor 10.200.1.41 remote-as 100
 neighbor 10.200.1.41 update-source Loopback0
 no auto-summary
 !
 address-family ipv4 vrf VPN10003
  redistribute connected
  redistribute static
  no auto-summary
  no synchronization
  network 42.2.103.0 mask 255.255.255.0
  aggregate-address 42.2.103.0 255.255.255.0 summary-only
 exit-address-family
!
ip route vrf VPN10003 10.100.3.34 255.255.255.255 GigabitEthernet3/14 10.100.3.34
Deployment Model 1: AAA Server for ISP-1
The following profile configures L2TP forwarding from the ISG LAC to the LNS.
[ //localhost/Radius/UserLists/L2TPDOMAIN/L2TP_DM1_101.com/Attributes ]
    Cisco-AVpair = vpdn:tunnel-id=L2TP_DM1_101
    Cisco-AVpair = vpdn:l2tp-tunnel-password=cisco
    Cisco-AVpair = vpdn:tunnel-type=l2tp
    Cisco-AVpair = vpdn:ip-addresses=10.200.1.56
    Cisco-AVpair = atm:peak-cell-rate=1024
    Cisco-AVpair = atm:sustainable-cell-rate=512
Deployment Model 1: AAA Server for ISP-2
This profile configures the basic Internet access service.
[ //localhost/Radius/UserLists/SERVICES/INTERNET_SERVICE/Attributes ]
    Cisco-AVPair = ip:inacl=Internet-in-acl
    Cisco-AVPair = ip:outacl=Internet-out-acl
    Cisco-SSG-Service-Info = IINTERNET_SERVICE
    Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
This attribute enables the Layer 4 Redirect feature.
[ Attributes ]
    Cisco-AVPair = "ip:l4redirect=redirect list 111 to group SESM-Server duration 30 frequency 180"
This attribute enables the PBHK feature from the AAA profile, which gives the subscriber access to the SESM by way of PBHK.
[ Attributes ]
    Cisco-AVPair = ip:portbundle=enable
This profile configures the PPP attributes that are used in the subscriber's base profile.
[ //localhost/Radius/UserLists/ie2-C7301-LNS/C73_DM1_01@L2TP_DM1_101.com/Attributes ]
    Cisco-AVpair = "ip:ip-unnumbered=loopback 3001"
    Cisco-AVpair = ip:addr-pool=C73_DM1_3001
    Cisco-SSG-Account-Info = AINTERNET_SERVICE
Deployment Model 2: Multiservice Service Bundle over PPPoE
The following sections contain the complete running configurations for the devices in Deployment Model 2:
•Deployment Model 2: CPE
•Deployment Model 2: ISG
•Deployment Model 2: PE
•Deployment Model 2: AAA Server
Deployment Model 2: CPE
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname ie2-C837-CPE5
!
no aaa new-model
ip subnet-zero
no ip domain lookup
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   lease 0 2
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group ppoe
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 load-interval 30
 hold-queue 100 out
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.5 point-to-point
 pvc 5/45
  pppoe max-sessions 100
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname C72_DM2_11111
 ppp chap password 0 lab
!
ip nat inside source list 23 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 23 permit 10.10.10.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
Deployment Model 2: ISG
version 12.2
no service pad
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname ie2-C7206-ATM
!
boot-start-marker
boot host tftp ie2/configs/tc5xx/isg_add_tc5xx_pta.dat 223.255.12.34
boot system disk2:c7200-js-mz.122-27.1.11.SIE7
boot-end-marker
!
logging buffered 1000000 debugging
no logging console
enable password lab
!
aaa new-model
!
aaa group server radius CAR_SERVER
 server 10.100.1.35 auth-port 1812 acct-port 1813
!
aaa group server radius RSIM_SERVER
 server 10.100.12.89 auth-port 1645 acct-port 1646
!
aaa authentication login default none
aaa authentication ppp default group CAR_SERVER
aaa authentication ppp PREPAID_AUTHEN_LIST group RSIM_SERVER
aaa authorization network default group CAR_SERVER
aaa authorization network PREPAID_AUTHOR_LIST group RSIM_SERVER
aaa authorization subscriber-service default local group radius
aaa accounting network default start-stop group CAR_SERVER
aaa accounting network PREPAID_ACCNT_LIST start-stop group RSIM_SERVER
aaa server radius sesm
 client 10.100.3.34
 key cisco
 port 1812
 message-authenticator ignore
!
aaa session-id common
clock timezone Pacific -8
ip subnet-zero
!
ip ftp username root
ip ftp password lab
ip dhcp smart-relay
ip dhcp relay information option vpn
ip dhcp relay information option
ip dhcp relay information trust-all
no ip dhcp use vrf connected
!
ip vrf VPN10005
 rd 100:5
 route-target export 100:5
 route-target import 100:5
!
ip cef
!
subscriber feature prepaid PREPAID_RSIM
 threshold time 20 seconds
 threshold volume 5000 bytes
 interim-interval 3 minutes
 method-list author PREPAID_AUTHOR_LIST
 method-list accounting PREPAID_ACCNT_LIST
 password cisco
subscriber feature prepaid default
 threshold time 20 seconds
 threshold volume 200 bytes
 interim-interval 3 minutes
 method-list author default
 method-list accounting default
 password cisco
!
subscriber policy recording rules limit 64
subscriber authorization enable
vpdn enable
vpdn ip udp ignore checksum
vpdn search-order domain
!
redirect server-group SESM_SERVER_GROUP
 server ip 10.100.3.34 port 8080
!
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
class-map control match-all BOD256K_CLASS
 match service-name BOD256K
!
class-map control match-all BOD2MVOLUME_CLASS
 match service-name BOD2MVOLUME
!
class-map control match-all BOD1MVOLUME_CLASS
 match service-name BOD1MVOLUME
!
class-map control match-all BOD2MTIME_CLASS
 match service-name BOD2MTIME
!
class-map control match-all BOD1MTIME_CLASS
 match service-name BOD1MTIME
!
policy-map control RULE_PTA_LM_ATM8
 class control BOD1MVOLUME_CLASS event service-start
  1 service-policy service unapply name BOD256K
  2 service-policy service unapply name BOD2MVOLUME
  3 service-policy service identifier service-name
 !
 class control BOD2MVOLUME_CLASS event service-start
  1 service-policy service unapply name BOD256K
  2 service-policy service unapply name BOD1MVOLUME
  3 service-policy service identifier service-name
 !
 class control BOD1MTIME_CLASS event service-start
  1 service-policy service unapply name BOD256K
  2 service-policy service unapply name BOD2MTIME
  3 service-policy service identifier service-name
 !
 class control BOD2MTIME_CLASS event service-start
  1 service-policy service unapply name BOD256K
  2 service-policy service unapply name BOD1MTIME
  3 service-policy service identifier service-name
 !
 class control BOD256K_CLASS event service-start
  1 service-policy service unapply name BOD1MVOLUME
  2 service-policy service unapply name BOD2MVOLUME
  3 service-policy service unapply name BOD1MTIME
  4 service-policy service unapply name BOD2MTIME
  5 service-policy service identifier service-name
 !
 class control BOD2MTIME_CLASS event service-stop
  1 service-policy service unapply identifier service-name
  2 service-policy service name BOD256K
 !
 class control BOD1MTIME_CLASS event service-stop
  1 service-policy service unapply identifier service-name
  2 service-policy service name BOD256K
 !
 class control BOD2MVOLUME_CLASS event service-stop
  1 service-policy service unapply identifier service-name
  2 service-policy service name BOD256K
 !
 class control BOD1MVOLUME_CLASS event service-stop
  1 service-policy service unapply identifier service-name
  2 service-policy service name BOD256K
 !
 class control always event session-start
  1 service local
  2 service-policy service name PBHK_SERVICE
 !
 class control always event quota-depleted
  1 set-param drop-traffic FALSE
 !
 class control always event credit-exhausted
  1 service-policy service name L4REDIRECT_SERVICE
!
policy-map QOS_OUT_MPLS_UPLINK
 class QOS_GROUP_VOICE
  set mpls experimental topmost 5
 class QOS_GROUP_CALL_CONTROL
  set mpls experimental topmost 3
 class QOS_GROUP_GAMING
  set mpls experimental topmost 2
 class class-default
  set mpls experimental topmost 0
!
bba-group pppoe BBA_LM_ATM8
 virtual-template 8
 sessions per-vc limit 1
!
vc-class atm VC_LM_ATM8
 protocol pppoe group BBA_LM_ATM8
 dbs enable maximum
 encapsulation aal5snap
!
interface Loopback0
 ip address 10.200.1.53 255.255.255.255
!
interface Loopback5
 ip address 200.53.5.1 255.255.255.255
!
interface GigabitEthernet0/3
 ip address 40.40.1.53 255.255.255.0
 ip portbundle outside
 load-interval 30
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
 mpls mtu 1522
 mpls ip
 service-policy output QOS_OUT_MPLS_UPLINK
 ip rsvp bandwidth 100000
!
interface ATM1/0
 no ip address
 load-interval 30
 no atm auto-configuration
 no atm ilmi-keepalive
 no atm address-registration
 no atm ilmi-enable
 no atm enable-ilmi-trap
 bundle-enable
!
interface ATM1/0.105 multipoint
 description Deployment Model 2
 atm pppatm passive
 no atm enable-ilmi-trap
 pvc 105/45
  class-vc VC_LM_ATM8
 !
!
interface Virtual-Template8
 description LM ATM8 PTA Subscriber
 no ip address
 no peer default ip address
 no keepalive
 ppp timeout authentication 100
 ppp timeout aaa
 load-interval 30
 ppp mtu adaptive
 ppp authentication chap
 service-policy control RULE_PTA_LM_ATM8
!
router ospf 100
 router-id 10.200.1.53
 log-adjacency-changes
 area 100 range 200.53.0.0 255.255.0.0
 redistribute connected
 redistribute static subnets
 network 10.200.1.53 0.0.0.0 area 100
 network 20.20.1.0 0.0.0.255 area 100
 network 40.40.1.0 0.0.0.255 area 100
 network 200.53.0.0 0.0.255.255 area 100
!
router bgp 100
 no synchronization
 bgp router-id 10.200.1.53
 bgp log-neighbor-changes
 network 200.53.0.0 mask 255.255.0.0
 aggregate-address 200.53.3.0 255.255.255.0 summary-only
 redistribute connected
 redistribute static
 neighbor 10.200.1.41 remote-as 100
 neighbor 10.200.1.41 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 10.200.1.41 activate
  neighbor 10.200.1.41 send-community both
 exit-address-family
 !
 address-family ipv4 vrf VPN10005
  redistribute connected
  redistribute static
  no auto-summary
  no synchronization
  network 200.53.0.0 mask 255.255.0.0
 exit-address-family
!
ip local pool cpe3_pool-53-VPN10005 200.53.3.210 200.53.3.250
!
ip portbundle
 match access-list 135
 source Loopback0
!
ip classless
!
no ip http server
!
ip access-list extended Internet-in-acl
 deny   ip any 223.0.0.0 0.255.255.255
 deny   ip any 20.0.0.0 0.255.255.255
 deny   ip any 40.0.0.0 0.255.255.255
 deny   ip any 21.0.0.0 0.255.255.255
 deny   ip any 22.0.0.0 0.255.255.255
 deny   ip any 41.0.0.0 0.255.255.255
 deny   ip any 80.0.0.0 0.255.255.255
 deny   ip any 81.0.0.0 0.255.255.255
 deny   ip any 82.0.0.0 0.255.255.255
 deny   ip any 84.0.0.0 0.255.255.255
 deny   ip any 10.200.0.0 0.0.255.255
 permit ip any any
ip access-list extended Internet-out-acl
 deny   ip 223.0.0.0 0.255.255.255 any
 deny   ip 10.200.0.0 0.0.255.255 any
 deny   ip 20.0.0.0 0.255.255.255 any
 deny   ip 40.0.0.0 0.255.255.255 any
 deny   ip 21.0.0.0 0.255.255.255 any
 deny   ip 22.0.0.0 0.255.255.255 any
 deny   ip 41.0.0.0 0.255.255.255 any
 deny   ip 80.0.0.0 0.255.255.255 any
 deny   ip 81.0.0.0 0.255.255.255 any
 deny   ip 82.0.0.0 0.255.255.255 any
 deny   ip 84.0.0.0 0.255.255.255 any
 permit ip any any
ip radius source-interface Loopback0
access-list 135 permit ip any host 10.100.4.38
access-list 135 deny   ip any any
!
radius-server attribute 44 include-in-access-req
radius-server attribute 8 include-in-access-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
radius-server host 10.100.1.35 auth-port 1812 acct-port 1813 key cisco
radius-server host 10.100.12.89 auth-port 1645 acct-port 1646 key cisco
radius-server retransmit 5
radius-server timeout 15
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
dial-peer cor custom
!
alias exec showdb show database data IDMGR-Session-DB 2
alias exec sss show subscriber session
alias exec css clear subscriber session
alias exec showpb show ip portbundle status inuse
alias exec ss show subscriber statistics
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
!
ntp clock-period 17179872
ntp server 10.200.1.41 source GigabitEthernet0/3 prefer
!
end
Deployment Model 2: PE
ip vrf VPN10005
 rd 100:3
 route-target export 100:3
 route-target import 100:3
!
router bgp 100
 no synchronization
 bgp router-id 10.200.1.45
 bgp log-neighbor-changes
 redistribute connected
 redistribute static
 neighbor 10.200.1.41 remote-as 100
 neighbor 10.200.1.41 update-source Loopback0
 no auto-summary
 !
 address-family ipv4 vrf VPN10005
  redistribute connected
  redistribute static
  no auto-summary
  no synchronization
  network 42.2.103.0 mask 255.255.255.0
  aggregate-address 42.2.103.0 255.255.255.0 summary-only
 exit-address-family
!
ip route vrf VPN10005 10.100.3.34 255.255.255.255 GigabitEthernet3/14 10.100.3.34
Deployment Model 2: AAA Server
This profile configures the BOD1MTIME service.
[ BOD1MTIME_DM2/Attributes ]
    Cisco-AVPair = "ip:traffic-class=in access-group name INTERNET_IN_ACL priority 10"
    Cisco-AVPair = "ip:traffic-class=in default drop"
    Cisco-AVPair = "ip:traffic-class=out access-group name INTERNET_OUT_ACL priority 10"
    Cisco-AVPair = "ip:traffic-class=out default drop"
    Cisco-AVPair = subscriber:accounting-list=PREPAID_ACCNT_LIST
    Cisco-AVPair = prepaid-config=PREPAID_RSIM
    Cisco-AVPair = atm:peak-cell-rate=1024
    Cisco-AVPair = atm:sustainable-cell-rate=1024
    Cisco-SSG-Service-Info = IBOD1MTIME_DM2
    Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
This profile configures the BOD2MTIME service.
[ BOD2MTIME_DM2/Attributes ]
    Cisco-AVPair = "ip:traffic-class=in access-group name INTERNET_IN_ACL priority 10"
    Cisco-AVPair = "ip:traffic-class=in default drop"
    Cisco-AVPair = "ip:traffic-class=out access-group name INTERNET_OUT_ACL priority 10"
    Cisco-AVPair = "ip:traffic-class=out default drop"
    Cisco-AVPair = subscriber:accounting-list=PREPAID_ACCNT_LIST
    Cisco-AVPair = prepaid-config=PREPAID_RSIM
    Cisco-AVPair = atm:peak-cell-rate=2048
    Cisco-AVPair = atm:sustainable-cell-rate=2048
    Cisco-SSG-Service-Info = IBOD2MTIME_DM2
    Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
This profile configures the BOD1MVOLUME service.
[ BOD1MVOLUME_DM2/Attributes ]
    Cisco-AVPair = "ip:traffic-class=in access-group name INTERNET_IN_ACL priority 10"
    Cisco-AVPair = "ip:traffic-class=in default drop"
    Cisco-AVPair = "ip:traffic-class=out access-group name INTERNET_OUT_ACL priority 10"
    Cisco-AVPair = "ip:traffic-class=out default drop"
    Cisco-AVPair = subscriber:accounting-list=PREPAID_ACCNT_LIST
    Cisco-AVPair = prepaid-config=PREPAID_RSIM
    Cisco-AVPair = atm:peak-cell-rate=1024
    Cisco-AVPair = atm:sustainable-cell-rate=1024
    Cisco-SSG-Service-Info = IBOD1MVOLUME_DM2
    Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
This profile configures the BOD2MVOLUME service.
[ BOD2MVOLUME_DM2/Attributes ]
    Cisco-AVPair = "ip:traffic-class=in access-group name INTERNET_IN_ACL priority 10"
    Cisco-AVPair = "ip:traffic-class=in default drop"
    Cisco-AVPair = "ip:traffic-class=out access-group name INTERNET_OUT_ACL priority 10"
    Cisco-AVPair = "ip:traffic-class=out default drop"
    Cisco-AVPair = subscriber:accounting-list=PREPAID_ACCNT_LIST
    Cisco-AVPair = prepaid-config=PREPAID_RSIM
    Cisco-AVPair = atm:peak-cell-rate=2048
    Cisco-AVPair = atm:sustainable-cell-rate=2048
    Cisco-SSG-Service-Info = IBOD2MVOLUME_DM2
    Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
This profile defines the Layer 4 Redirect service.
[ //localhost/Radius/UserLists/SERVICES/L4REDIRECT_SERVICE/Attributes ]
    Cisco-AVPair = "ip:traffic-class=in access-group name IP_REDIRECT_ACL priority 5"
    Cisco-AVPair = "ip:traffic-class=in default drop"
    Cisco-AVPair = "ip:traffic-class=out access-group name IP_REDIRECT_ACL priority 5"
    Cisco-AVPair = "ip:traffic-class=out default drop"
    Cisco-AVPair = "ip:l4redirect=redirect to group SESM_SERVER_GROUP"
    Cisco-SSG-Service-Info = IL4REDIRECT_SERVICE
This profile enables the PBHK feature, which gives the subscriber access to the SESM by way of PBHK.
[ //localhost/Radius/UserLists/SERVICES/PBHK_SERVICE/Attributes ]Cisco-AVPair = ip:portbundle=enableCisco-SSG-Service-Info = IPBHK_SERVICEThis profile configures a user profile for time-based customers.
[ //localhost/Radius/UserLists/ie2-C7206-ATM/C72_DM2_3640/Attributes ]Cisco-AVpair = ip:vrf-id=VPN_C72_DM2_1001Cisco-AVpair = "ip:ip-unnumbered=loopback 8001"Cisco-AVpair = ip:addr-pool=C72_DM2_8001Cisco-SSG-Account-Info = NBOD1MTIME_DM2Cisco-SSG-Account-Info = NBOD2MTIME_DM2idle-timeout = 1800session-timeout = 18000This profile configures a user profile for a time-based customer with the static IP address 1.108.1.201.
[ //localhost/Radius/UserLists/ie2-C7206-ATM/C72_DM2_5640/Attributes ]Cisco-AVpair = ip:vrf-id=VPN_C72_DM2_1098Cisco-AVpair = "ip:ip-unnumbered=loopback 8002"Cisco-SSG-Account-Info = NBOD1MTIME_DM2Cisco-SSG-Account-Info = NBOD2MTIME_DM2Framed-IP-Address = 1.108.1.201idle-timeout = 1800session-timeout = 18000This profile configures a user profile for volume-based customers.
[ //localhost/Radius/UserLists/ie2-C7206-ATM/C72_DM2_4640/Attributes ]Cisco-AVpair = ip:vrf-id=VPN_C72_DM2_1001Cisco-AVpair = "ip:ip-unnumbered=loopback 8001"Cisco-AVpair = ip:addr-pool=C72_DM2_8001Cisco-SSG-Account-Info = NBOD1MVOLUME_DM2Cisco-SSG-Account-Info = NBOD2MVOLUME_DM2idle-timeout = 1800session-timeout = 18000Deployment Model 3: Triple Play Plus Service Bundle over IP and PPPoE
The following sections contain the complete running configurations for the devices in Deployment Model 3:
•Deployment Model 3: AAA Server
Deployment Model 3: CPE
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ie2-C837-CPE3
!
enable password 7 12150415
!
no aaa new-model
ip subnet-zero
no ip routing
no ip domain lookup
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
interface Ethernet0
 no ip address
 no ip route-cache
 load-interval 30
 bridge-group 1
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip route-cache
 load-interval 30
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.3 point-to-point
 no ip route-cache
 pvc 3/43
  encapsulation aal5snap
 !
 bridge-group 1
!
!
ip classless
ip http server
no ip http secure-server
!
bridge 1 protocol ieee
!
line con 0
 exec-timeout 0 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 0 0
 login local
!
scheduler max-task-time 5000
Deployment Model 3: ISG
version 12.2
no service pad
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ie2-C7206-ATM
!
boot-start-marker
boot host tftp ie2/configs/tc5xx/isg_add_tc5xx_pta.dat 223.255.12.34
boot system disk2:c7200-js-mz.122-27.1.11.SIE7
boot-end-marker
!
logging buffered 1000000 debugging
no logging console
enable password lab
!
aaa new-model
!
!
aaa group server radius CAR_SERVER
 server 10.100.1.35 auth-port 1812 acct-port 1813
!
aaa group server radius RSIM_SERVER
 server 10.100.12.89 auth-port 1645 acct-port 1646
!
aaa authentication login default none
aaa authentication login IP_AUTHEN_LIST group CAR_SERVER
aaa authentication ppp default group CAR_SERVER
aaa authentication ppp PREPAID_AUTHEN_LIST group RSIM_SERVER
aaa authorization network default group CAR_SERVER
aaa authorization network PREPAID_AUTHOR_LIST group RSIM_SERVER
aaa authorization subscriber-service default local group radius
aaa accounting network default start-stop group CAR_SERVER
aaa accounting network PREPAID_ACCNT_LIST start-stop group RSIM_SERVER
aaa server radius sesm
 client 10.100.3.34
 key cisco
 port 1812
 message-authenticator ignore
!
!
aaa session-id common
clock timezone Pacific -8
ip subnet-zero
!
!
ip ftp username root
ip ftp password lab
ip dhcp smart-relay
ip dhcp relay information option vpn
ip dhcp relay information option
ip dhcp relay information trust-all
no ip dhcp use vrf connected
!
!
ip vrf VPN10003
 rd 100:3
 route-target export 100:3
 route-target import 100:3
!
ip cef
!
subscriber policy recording rules limit 64
subscriber authorization enable
vpdn enable
vpdn ip udp ignore checksum
vpdn search-order domain
!
redirect server-group SESM_SERVER_GROUP
 server ip 10.100.3.34 port 8080
!
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
!
!
!
!
!
class-map control match-all IP_UNAUTH_COND
 match timer IP_UNAUTH_TIMER
 match authen-status unauthenticated
!
class-map match-any QOS_GROUP_CALL_CONTROL
 match qos-group 2
class-map match-any GAMING
 match ip dscp af21
class-map match-any QOS_GROUP_GAMING
 match qos-group 3
class-map match-any CALL_CONTROL
 match ip dscp cs3
class-map match-any QOS_GROUP_VOICE
 match qos-group 1
class-map match-any VOICE
 match ip dscp ef
!
policy-map control RULE_IP_LM_ATM2
 class control IP_UNAUTH_COND event timed-policy-expiry
  1 service disconnect
 !
 class control always event session-start
  1 authorize aaa password lab identifier mac-address
  2 service-policy service name PBHK_SERVICE
  3 service-policy service name L4REDIRECT_SERVICE
  4 set-timer IP_UNAUTH_TIMER 5
 !
 class control always event account-logon
  1 authenticate aaa list IP_AUTHEN_LIST
  2 service-policy service unapply name L4REDIRECT_SERVICE
!
!
policy-map control RULE_PTA_LM_ATM2
 class control always event session-start
  1 service-policy service name PBHK_SERVICE
!
!
policy-map QOS_OUT_LM_ATM2
 class VOICE
  priority 128
 class CALL_CONTROL
  bandwidth percent 5
 class GAMING
  bandwidth percent 20
policy-map QOS_OUT_MPLS_UPLINK
 class QOS_GROUP_VOICE
  set mpls experimental topmost 5
 class QOS_GROUP_CALL_CONTROL
  set mpls experimental topmost 3
 class QOS_GROUP_GAMING
  set mpls experimental topmost 2
 class class-default
  set mpls experimental topmost 0
policy-map QOS_IN_LM_ATM2
 class VOICE
  police cir 128000
   exceed-action drop
  set qos-group 1
 class CALL_CONTROL
  police cir 12500
   exceed-action drop
  set qos-group 2
 class GAMING
  police cir 75000
   exceed-action drop
  set qos-group 3
policy-map QOS_IN_LM_ATM2_256K
 class class-default
  police cir 256000
   exceed-action drop
  set qos-group 1
  service-policy QOS_IN_LM_ATM2
!
bba-group pppoe BBA_LM_ATM2
 virtual-template 2
!
vc-class atm VC_LM_ATM2
 protocol pppoe group BBA_LM_ATM2
 dbs enable maximum
 encapsulation aal5snap
 service-policy control RULE_PTA_LM_ATM2
!
interface Loopback0
 ip address 10.200.1.53 255.255.255.255
!
interface Loopback3
 ip address 200.53.3.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 223.255.12.53 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/3
 ip address 40.40.1.53 255.255.255.0
 ip portbundle outside
 load-interval 30
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
 mpls mtu 1522
 mpls ip
 service-policy output QOS_OUT_MPLS_UPLINK
 ip rsvp bandwidth 100000
!
interface ATM1/0
 no ip address
 load-interval 30
 no atm auto-configuration
 no atm ilmi-keepalive
 no atm address-registration
 no atm ilmi-enable
 no atm enable-ilmi-trap
 bundle-enable
!
interface ATM1/0.103 point-to-point
 ip unnumbered Loopback3
 ip verify unicast reverse-path
 ip helper-address 10.100.1.37
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip subscriber
  initiator dhcp
 atm route-bridged ip
 no atm enable-ilmi-trap
 ntp disable
 pvc 103/43
  class-vc VC_LM_ATM2
  service-policy input QOS_IN_LM_ATM2
  service-policy output QOS_OUT_LM_ATM2
  service-policy control RULE_IP_LM_ATM2
!
!
interface Virtual-Template2
 description LM ATM2 PTA Subscriber
 no ip address
 no peer default ip address
 no keepalive
 ppp authentication chap
 ppp timeout authentication 100
 ppp timeout aaa
!
router ospf 100
 router-id 10.200.1.53
 log-adjacency-changes
 area 100 range 200.53.0.0 255.255.0.0
 redistribute connected
 redistribute static subnets
 network 10.200.1.53 0.0.0.0 area 100
 network 20.20.1.0 0.0.0.255 area 100
 network 40.40.1.0 0.0.0.255 area 100
 network 200.53.0.0 0.0.255.255 area 100
!
router bgp 100
 no synchronization
 bgp router-id 10.200.1.53
 bgp log-neighbor-changes
 network 200.53.0.0 mask 255.255.0.0
 aggregate-address 200.53.3.0 255.255.255.0 summary-only
 redistribute connected
 redistribute static
 neighbor 10.200.1.41 remote-as 100
 neighbor 10.200.1.41 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 10.200.1.41 activate
 neighbor 10.200.1.41 send-community both
 exit-address-family
 !
 address-family ipv4 vrf VPN10003
 redistribute connected
 redistribute static
 no auto-summary
 no synchronization
 aggregate-address 200.53.3.0 255.255.255.0 summary-only
 exit-address-family
!
ip local pool cpe3_pool-53 200.53.3.2 200.53.3.100
!
ip portbundle
 match access-list 135
 source Loopback0
!
ip classless
!
no ip http server
!
!
!
ip access-list extended GAMING_IN_ACL
 permit ip any 42.5.0.0 0.0.255.255
 deny ip any any
ip access-list extended GAMING_OUT_ACL
 permit ip 42.5.0.0 0.0.255.255 any
 deny ip any any
ip access-list extended Internet-in-acl
 deny ip any 223.0.0.0 0.255.255.255
 deny ip any 20.0.0.0 0.255.255.255
 deny ip any 40.0.0.0 0.255.255.255
 deny ip any 21.0.0.0 0.255.255.255
 deny ip any 22.0.0.0 0.255.255.255
 deny ip any 41.0.0.0 0.255.255.255
 deny ip any 80.0.0.0 0.255.255.255
 deny ip any 81.0.0.0 0.255.255.255
 deny ip any 82.0.0.0 0.255.255.255
 deny ip any 84.0.0.0 0.255.255.255
 deny ip any 10.200.0.0 0.0.255.255
 permit ip any any
ip access-list extended Internet-out-acl
 deny ip 223.0.0.0 0.255.255.255 any
 deny ip 10.200.0.0 0.0.255.255 any
 deny ip 20.0.0.0 0.255.255.255 any
 deny ip 40.0.0.0 0.255.255.255 any
 deny ip 21.0.0.0 0.255.255.255 any
 deny ip 22.0.0.0 0.255.255.255 any
 deny ip 41.0.0.0 0.255.255.255 any
 deny ip 80.0.0.0 0.255.255.255 any
 deny ip 81.0.0.0 0.255.255.255 any
 deny ip 82.0.0.0 0.255.255.255 any
 deny ip 84.0.0.0 0.255.255.255 any
 permit ip any any
ip access-list extended OPENGARDEN_IN_ACL
 permit ip any 10.100.0.0 0.0.255.255
 permit ip any 42.8.0.0 0.0.255.255
 permit ip any 200.53.3.0 0.0.0.255
ip access-list extended OPENGARDEN_OUT_ACL
 permit ip 10.100.0.0 0.0.255.255 any
 permit ip 42.8.0.0 0.0.255.255 any
 permit ip 200.53.3.0 0.0.0.255 any
ip access-list extended SESM-in-acl
 permit ip any host 10.100.3.34
 deny ip any any
ip access-list extended SESM-out-acl
 permit ip host 10.100.3.34 any
 deny ip any any
ip access-list extended VOD_IN_ACL
 permit ip any 42.4.0.0 0.0.255.255
 deny ip any any
ip access-list extended VOD_OUT_ACL
 permit ip 42.4.0.0 0.0.255.255 any
 deny ip any any
ip access-list extended VOIP_IN_ACL
 permit ip any 42.3.0.0 0.0.255.255
 deny ip any any
ip access-list extended VOIP_OUT_ACL
 permit ip 42.3.0.0 0.0.255.255 any
 deny ip any any
ip radius source-interface Loopback0
access-list 135 permit ip any host 10.100.4.38
access-list 135 deny ip any any
!
!
radius-server attribute 44 include-in-access-req
radius-server attribute 8 include-in-access-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
radius-server host 10.100.1.35 auth-port 1812 acct-port 1813 key cisco
radius-server host 10.100.12.89 auth-port 1645 acct-port 1646 key cisco
radius-server retransmit 5
radius-server timeout 15
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
!
dial-peer cor custom
!
!
!
!
!
alias exec showdb show database data IDMGR-Session-DB 2
alias exec sss show subscriber session
alias exec css clear subscriber session
alias exec showpb show ip portbundle status inuse
alias exec ss show subscriber statistics
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
!
ntp clock-period 17179872
ntp server 10.200.1.41 source GigabitEthernet0/3 prefer
!
end
Deployment Model 3: PE
ip vrf VPN10003
 rd 100:3
 route-target export 100:3
 route-target import 100:3
!
router bgp 100
 no synchronization
 bgp router-id 10.200.1.45
 bgp log-neighbor-changes
 redistribute connected
 redistribute static
 neighbor 10.200.1.41 remote-as 100
 neighbor 10.200.1.41 update-source Loopback0
 no auto-summary
 !
 address-family ipv4 vrf VPN10003
 redistribute connected
 redistribute static
 no auto-summary
 no synchronization
 network 42.2.103.0 mask 255.255.255.0
 aggregate-address 42.2.103.0 255.255.255.0 summary-only
 exit-address-family
!
ip route vrf VPN10003 10.100.3.34 255.255.255.255 GigabitEthernet3/14 10.100.3.34
Deployment Model 3: AAA Server
This attribute enables the Layer 4 Redirect feature.
[ //localhost/Radius/UserLists/SERVICES/L4REDIRECT_SERVICE/Attributes ]
Cisco-AVPair = "ip:traffic-class=in access-group name IP_REDIRECT_ACL priority 5"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name IP_REDIRECT_ACL priority 5"
Cisco-AVPair = "ip:traffic-class=out default drop"
Cisco-AVPair = "ip:l4redirect=redirect to group SESM_SERVER_GROUP"
Cisco-SSG-Service-Info = IL4REDIRECT_SERVICE
This profile enables the Port-Bundle Host Key (PBHK) feature on the AAA server; the subscriber reaches the SESM by way of PBHK.
[ //localhost/Radius/UserLists/SERVICES/PBHK_SERVICE/Attributes ]
Cisco-AVPair = ip:portbundle=enable
Cisco-SSG-Service-Info = IPBHK_SERVICE
The following service profile enables the GAMING_SERVICE service.
[ //localhost/Radius/UserLists/SERVICES/GAMING_SERVICE/Attributes ]
Cisco-AVPair = "ip:traffic-class=in access-group name GAMING_IN_ACL"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name GAMING_OUT_ACL"
Cisco-AVPair = "ip:traffic-class=out default drop"
Cisco-SSG-Service-Info = IGAMING_SERVICE
Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
The following service profile enables the OPENGARDEN_SERVICE service. "Opengarden" is the SSG term for the default service, basic Internet access.
[ //localhost/Radius/UserLists/SERVICES/OPENGARDEN_SERVICE/Attributes ]
Cisco-AVPair = "ip:traffic-class=in access-group name OPENGARDEN_IN_ACL"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name OPENGARDEN_OUT_ACL"
Cisco-AVPair = "ip:traffic-class=out default drop"
Cisco-SSG-Service-Info = IOPENGARDEN_SERVICE
The following service profile enables the VOIP_SERVICE service.
[ //localhost/Radius/UserLists/SERVICES/VOIP_SERVICE/Attributes ]
Cisco-AVPair = "ip:traffic-class=in access-group name VOIP_IN_ACL"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name VOIP_OUT_ACL"
Cisco-AVPair = "ip:traffic-class=out default drop"
Cisco-SSG-Service-Info = IVOIP_SERVICE
Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
The following service profile enables the VOD_SERVICE service.
[ //localhost/Radius/UserLists/SERVICES/VOD_SERVICE/Attributes ]
Cisco-AVPair = "ip:traffic-class=in access-group name VOD_IN_ACL"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name VOD_OUT_ACL"
Cisco-AVPair = "ip:traffic-class=out default drop"
Cisco-SSG-Service-Info = IVOD_SERVICE
Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
The following service profile enables the INTERNET_SERVICE service.
[ //localhost/Radius/UserLists/SERVICES/INTERNET_SERVICE/Attributes ]
Cisco-AVPair = ip:inacl=Internet-in-acl
Cisco-AVPair = ip:outacl=Internet-out-acl
Cisco-SSG-Service-Info = IINTERNET_SERVICE
Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
The following user profile is for IP sessions that use MAC address-based TAL:
[ //localhost/Radius/UserLists/ie2-C7206-ATM/0000.1001.1014/Attributes ]
Cisco-SSG-Account-Info = AOPENGARDEN_SERVICE
Cisco-SSG-Account-Info = AVOIP_SERVICE
Cisco-SSG-Account-Info = AVOD_SERVICE
Cisco-SSG-Account-Info = AGAMING_SERVICE
The following user profile is for PPPoE users:
[ //localhost/Radius/UserLists/ie2-C7206-ATM/C72_DM3_1188/Attributes ]
Cisco-AVpair = ip:vrf-id=VPN_C72_DM3_2038
Cisco-AVpair = "ip:ip-unnumbered=loopback 2001"
Cisco-AVpair = ip:addr-pool=C72_DM3_2001
Cisco-SSG-Account-Info = AINTERNET_SERVICE
Deployment Model 4: Triple Play Plus Service Bundle over IP and L2TP
The following sections contain the complete running configurations for the devices in Deployment Model 4:
•Deployment Model 4: AAA Server for ISP-1
•Deployment Model 4: AAA Server for ISP-2
Deployment Model 4: CPE
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname ie2-C837-CPE5
!
!
no aaa new-model
ip subnet-zero
no ip domain lookup
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 lease 0 2
!
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group ppoe
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 load-interval 30
 hold-queue 100 out
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.5 point-to-point
 pvc 5/45
  pppoe max-sessions 100
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname C73_DM4_01@L2TP_DM4_101.com
 ppp chap password 0 lab
!
!
ip nat inside source list 23 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 23 permit 10.10.10.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
Deployment Model 4: ISG LAC
version 12.2
no service pad
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname ie2-C7206-ATM
!
boot-start-marker
boot host tftp ie2/configs/tc5xx/isg_add_tc5xx_pta.dat 223.255.12.34
boot system disk2:c7200-js-mz.122-27.1.11.SIE7
boot-end-marker
!
logging buffered 1000000 debugging
no logging console
enable password lab
!
aaa new-model
!
!
aaa group server radius CAR_SERVER
 server 10.100.1.35 auth-port 1812 acct-port 1813
!
aaa authentication login default none
aaa authentication login IP_AUTHEN_LIST group CAR_SERVER
aaa authentication ppp default group CAR_SERVER
aaa authorization network default group CAR_SERVER
aaa authorization subscriber-service default local group radius
aaa accounting network default start-stop group CAR_SERVER
aaa server radius sesm
 client 10.100.3.34
 key cisco
 port 1812
 message-authenticator ignore
!
!
aaa session-id common
clock timezone Pacific -8
ip subnet-zero
!
!
ip ftp username root
ip ftp password lab
ip dhcp smart-relay
ip dhcp relay information option vpn
ip dhcp relay information option
ip dhcp relay information trust-all
no ip dhcp use vrf connected
!
!
ip cef
!
!
subscriber policy recording rules limit 64
subscriber authorization enable
vpdn enable
vpdn ip udp ignore checksum
vpdn search-order domain
!
redirect server-group SESM_SERVER_GROUP
 server ip 10.100.3.34 port 8080
!
no mpls traffic-eng auto-bw timers frequency 0
call rsvp-sync
!
!
!
!
!
!
class-map control match-all IP_UNAUTH_COND
 match timer IP_UNAUTH_TIMER
 match authen-status unauthenticated
!
class-map control match-any TAL_STATIC_DM4
 match source-ip-address 200.53.7.128 255.255.255.128
!
!
class-map match-any QOS_GROUP_CALL_CONTROL
 match qos-group 2
class-map match-any GAMING
 match ip dscp af21
class-map match-any QOS_GROUP_GAMING
 match qos-group 3
class-map match-any CALL_CONTROL
 match ip dscp cs3
class-map match-any QOS_GROUP_VOICE
 match qos-group 1
class-map match-any VOICE
 match ip dscp ef
!
!
policy-map control RULE_L2TP_LM_ATM7
 class control always event session-start
  1 collect identifier unauthenticated-domain
  2 authorize identifier unauthenticated-domain
!
!
policy-map control RULE_IP_LM_ATM7
 class control TAL_STATIC_DM4 event session-start
  1 authorize aaa password lab identifier source-ip-address
  2 service-policy service name PBHK_SERVICE
  3 service-policy service name L4REDIRECT_SERVICE
  4 set-timer IP_UNAUTH_TIMER 5
 !
 class control IP_UNAUTH_COND event timed-policy-expiry
  1 service disconnect
 !
 class control always event session-start
  1 authorize aaa password lab identifier mac-address
  2 service-policy service name PBHK_SERVICE
  3 service-policy service name L4REDIRECT_SERVICE
  4 set-timer IP_UNAUTH_TIMER 5
 !
 class control always event account-logon
  1 authenticate aaa list IP_AUTHEN_LIST
  2 service-policy service unapply name L4REDIRECT_SERVICE
!
!
!
policy-map QOS_OUT_LM_ATM7
 class VOICE
  priority 128
 class CALL_CONTROL
  bandwidth percent 5
 class GAMING
  bandwidth percent 20
policy-map QOS_OUT_MPLS_UPLINK
 class QOS_GROUP_VOICE
  set mpls experimental topmost 5
 class QOS_GROUP_CALL_CONTROL
  set mpls experimental topmost 3
 class QOS_GROUP_GAMING
  set mpls experimental topmost 2
 class class-default
  set mpls experimental topmost 0
policy-map QOS_IN_LM_ATM7
 class VOICE
  police cir 128000
   exceed-action drop
  set qos-group 1
 class CALL_CONTROL
  police cir 12500
   exceed-action drop
  set qos-group 2
 class GAMING
  police cir 75000
   exceed-action drop
  set qos-group 3
policy-map QOS_IN_LM_ATM7_256K
 class class-default
  police cir 256000
   exceed-action drop
  service-policy QOS_IN_LM_ATM7
!
bba-group pppoe BBA_LM_ATM7
 virtual-template 7
!
vc-class atm VC_LM_ATM7
 protocol pppoe group BBA_LM_ATM7
 vbr-nrt 2000 2000 94
 encapsulation aal5snap
 service-policy control RULE_L2TP_LM_ATM7
!
interface Loopback0
 ip address 10.200.1.53 255.255.255.255
!
interface Loopback7
 ip address 200.53.7.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 223.255.12.53 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/3
 ip address 40.40.1.53 255.255.255.0
 ip portbundle outside
 load-interval 30
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
 mpls mtu 1522
 mpls ip
 service-policy output QOS_OUT_MPLS_UPLINK
 ip rsvp bandwidth 100000
!
interface ATM1/0
 no ip address
 load-interval 30
 no atm auto-configuration
 no atm ilmi-keepalive
 no atm address-registration
 no atm ilmi-enable
 no atm enable-ilmi-trap
 bundle-enable
!
!
interface ATM1/0.107 point-to-point
 description ATM DM4
 ip unnumbered Loopback7
 ip verify unicast reverse-path
 ip helper-address 10.100.1.37
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip subscriber
  identifier ip src-addr match 107
  initiator dhcp
 atm route-bridged ip
 no atm enable-ilmi-trap
 ntp disable
 pvc 107/47
  class-vc VC_LM_ATM8
  service-policy input QOS_IN_LM_ATM7
  service-policy output QOS_OUT_LM_ATM7
  service-policy control RULE_IP_LM_ATM7
!
!
interface Virtual-Template7
 description LM ATM7 L2TP Subscriber
 no ip address
 no peer default ip address
 no keepalive
 ppp authentication chap
 ppp timeout authentication 100
 ppp timeout aaa
!
router ospf 100
 router-id 10.200.1.53
 log-adjacency-changes
 area 100 range 200.53.0.0 255.255.0.0
 redistribute connected
 redistribute static subnets
 network 10.200.1.53 0.0.0.0 area 100
 network 20.20.1.0 0.0.0.255 area 100
 network 40.40.1.0 0.0.0.255 area 100
 network 200.53.0.0 0.0.255.255 area 100
!
router bgp 100
 no synchronization
 bgp router-id 10.200.1.53
 bgp log-neighbor-changes
 network 200.53.0.0 mask 255.255.0.0
 aggregate-address 200.53.3.0 255.255.255.0 summary-only
 redistribute connected
 redistribute static
 neighbor 10.200.1.41 remote-as 100
 neighbor 10.200.1.41 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 10.200.1.41 activate
 neighbor 10.200.1.41 send-community both
 exit-address-family
!
!
ip portbundle
 match access-list 135
 source Loopback0
!
ip classless
!
no ip http server
!
!
!
ip access-list extended GAMING_IN_ACL
 permit ip any 42.5.0.0 0.0.255.255
 deny ip any any
ip access-list extended GAMING_OUT_ACL
 permit ip 42.5.0.0 0.0.255.255 any
 deny ip any any
ip access-list extended OPENGARDEN_IN_ACL
 permit ip any 10.100.0.0 0.0.255.255
 permit ip any 42.8.0.0 0.0.255.255
 permit ip any 200.53.3.0 0.0.0.255
ip access-list extended OPENGARDEN_OUT_ACL
 permit ip 10.100.0.0 0.0.255.255 any
 permit ip 42.8.0.0 0.0.255.255 any
 permit ip 200.53.3.0 0.0.0.255 any
ip access-list extended SESM-in-acl
 permit ip any host 10.100.3.34
 deny ip any any
ip access-list extended SESM-out-acl
 permit ip host 10.100.3.34 any
 deny ip any any
ip access-list extended VOD_IN_ACL
 permit ip any 42.4.0.0 0.0.255.255
 deny ip any any
ip access-list extended VOD_OUT_ACL
 permit ip 42.4.0.0 0.0.255.255 any
 deny ip any any
ip access-list extended VOIP_IN_ACL
 permit ip any 42.3.0.0 0.0.255.255
 deny ip any any
ip access-list extended VOIP_OUT_ACL
 permit ip 42.3.0.0 0.0.255.255 any
 deny ip any any
ip radius source-interface Loopback0
access-list 135 permit ip any host 10.100.4.38
access-list 135 deny ip any any
!
radius-server attribute 44 include-in-access-req
radius-server attribute 8 include-in-access-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
radius-server host 10.100.1.35 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 5
radius-server timeout 15
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
!
dial-peer cor custom
!
!
!
!
gatekeeper
 shutdown
!
alias exec showdb show database data IDMGR-Session-DB 2
alias exec sss show subscriber session
alias exec css clear subscriber session
alias exec showpb show ip portbundle status inuse
alias exec ss show subscriber statistics
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
!
ntp clock-period 17179872
ntp server 10.200.1.41 source GigabitEthernet0/3 prefer
!
end
Deployment Model 4: LNS
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname ie2-C7301-LNS
!
boot-start-marker
boot host ftp://223.255.12.34/tftpboot/ie2/configs/tc5xx/isg_add_tc5xx_lns.dat
boot system disk0:c7301-js-mz.122-27.1.11.SIE7
boot-end-marker
!
logging buffered 2000000 debugging
no logging console
enable password lab
!
aaa new-model
!
!
aaa group server radius CAR_SERVER
 server 10.100.2.36 auth-port 1812 acct-port 1813
!
aaa authentication login default none
aaa authentication login IP_AUTHEN_LIST group CAR_SERVER
aaa authentication ppp default group CAR_SERVER
aaa authorization network default group CAR_SERVER
aaa authorization subscriber-service default local group radius
aaa accounting network default start-stop group CAR_SERVER
aaa server radius sesm
 client 10.100.4.38
 key cisco
 port 1812
 message-authenticator ignore
!
!
aaa session-id common
clock timezone Pacific -8
ip subnet-zero
!
!
ip ftp username root
ip ftp password lab
no ip dhcp use vrf connected
!
ip vrf VPN_C73_DM4_1001
 rd 200:71001
 route-target export 200:71001
 route-target import 200:71001
!
ip cef
!
subscriber policy recording rules limit 64
vpdn enable
vpdn ip udp ignore checksum
!
!
redirect server-group SESM-Server
 server ip 10.100.4.38 port 8080
!
clns routing
no mpls traffic-eng auto-bw timers frequency 0
mpls label protocol ldp
call rsvp-sync
!
vpdn-group L2TP_DM1_101
 accept-dialin
  protocol l2tp
  virtual-template 5
 terminate-from hostname L2TP_DM1_101
 local name L2TP_DM1_101
 l2tp tunnel password 0 cisco
!
!
!
interface Loopback0
 ip address 10.200.1.56 255.255.255.255
 ip router isis Remote_ISP_7301
!
!
interface Loopback5001
 ip address 5.55.1.1 255.255.0.0
!
!
interface GigabitEthernet0/0
 ip address 223.255.12.56 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/1
 description connection to ISP2 CORE router
 ip address 27.27.1.56 255.255.255.0
 ip portbundle outside
 ip router isis Remote_ISP_7301
 load-interval 30
 duplex auto
 speed auto
 media-type gbic
 negotiation auto
 mpls label protocol ldp
 mpls ip
!
interface GigabitEthernet0/2
 description connection to ISP1 CORE router
 ip address 26.26.1.56 255.255.255.0
 ip router isis Remote_ISP_7301
 load-interval 30
 duplex auto
 speed auto
 media-type gbic
 negotiation auto
!
interface Virtual-Template5
 no ip address
 load-interval 30
 no peer default ip address
 no keepalive
 ppp mtu adaptive
 ppp authentication chap
!
router isis Remote_ISP_7301
 net 01.0011.5dd1.f01b.00
 redistribute connected
!
router bgp 200
 no synchronization
 bgp router-id 10.200.1.56
 bgp log-neighbor-changes
 network 10.100.4.0 mask 255.255.255.0
 network 10.200.1.47 mask 255.255.255.255
 network 10.200.1.55 mask 255.255.255.255
 network 10.200.1.62 mask 255.255.255.255
 network 21.21.1.55 mask 255.255.255.0
 network 22.22.1.55 mask 255.255.255.0
 network 23.0.0.0
 network 24.0.0.0 mask 255.255.0.0
 network 24.5.0.0 mask 255.255.0.0
 redistribute connected
 neighbor 10.200.1.41 remote-as 100
 neighbor 10.200.1.41 ebgp-multihop 2
 neighbor 10.200.1.41 update-source Loopback0
 neighbor 10.200.1.47 remote-as 200
 neighbor 10.200.1.47 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
 neighbor 10.200.1.47 activate
 neighbor 10.200.1.47 send-community both
 exit-address-family
 !
 address-family ipv4 vrf VPN_C73_DM4_1001
 redistribute connected
 redistribute static
 no auto-summary
 no synchronization
 exit-address-family
!
!
ip local pool C73_DM4_7001 1.7.1.2 1.7.255.254
!
ip portbundle
 match access-list 135
 source Loopback0
!
ip classless
ip route 10.200.1.41 255.255.255.255 26.26.1.41
!
no ip http server
!
!
!
ip access-list extended Internet-in-acl
 deny ip any 223.0.0.0 0.255.255.255
 deny ip any 20.0.0.0 0.255.255.255
 deny ip any 40.0.0.0 0.255.255.255
 deny ip any 21.0.0.0 0.255.255.255
 deny ip any 22.0.0.0 0.255.255.255
 deny ip any 41.0.0.0 0.255.255.255
 deny ip any 80.0.0.0 0.255.255.255
 deny ip any 81.0.0.0 0.255.255.255
 deny ip any 82.0.0.0 0.255.255.255
 deny ip any 10.200.0.0 0.0.255.255
 permit ip any any
ip access-list extended Internet-out-acl
 deny ip 223.0.0.0 0.255.255.255 any
 deny ip 10.200.0.0 0.0.255.255 any
 deny ip 20.0.0.0 0.255.255.255 any
 deny ip 40.0.0.0 0.255.255.255 any
 deny ip 21.0.0.0 0.255.255.255 any
 deny ip 22.0.0.0 0.255.255.255 any
 deny ip 41.0.0.0 0.255.255.255 any
 deny ip 80.0.0.0 0.255.255.255 any
 deny ip 81.0.0.0 0.255.255.255 any
 deny ip 82.0.0.0 0.255.255.255 any
 permit ip any any
ip radius source-interface Loopback0
access-list 135 permit ip any host 10.100.4.38
access-list 135 deny ip any any
!
radius-server attribute 44 include-in-access-req
radius-server attribute 8 include-in-access-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
radius-server host 10.100.2.36 auth-port 1812 acct-port 1813 key cisco
radius-server retransmit 5
radius-server key cisco
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
!
dial-peer cor custom
!
!
!
!
gatekeeper
 shutdown
!
alias exec sss show subscriber session
alias exec css clear subscriber session
alias exec ss show subscriber statistics
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
!
ntp clock-period 17180035
ntp server 10.200.1.41 prefer
Deployment Model 4: PE
ip vrf VPN_C73_DM4_1001
 rd 200:71001
 route-target export 200:71001
 route-target import 200:71001
!
router bgp 100
 no synchronization
 bgp router-id 10.200.1.45
 bgp log-neighbor-changes
 redistribute connected
 redistribute static
 neighbor 10.200.1.41 remote-as 100
 neighbor 10.200.1.41 update-source Loopback0
 no auto-summary
 !
 address-family ipv4 vrf VPN_C73_DM4_1001
 redistribute connected
 redistribute static
 no auto-summary
 no synchronization
 network 42.2.107.0 mask 255.255.255.0
 aggregate-address 42.2.107.0 255.255.255.0 summary-only
 exit-address-family
!
ip route vrf VPN_C73_DM4_1001 10.100.3.34 255.255.255.255 GigabitEthernet3/14 10.100.3.34
Deployment Model 4: AAA Server for ISP-1
The following profile configures L2TP forwarding from the ISG LAC to the LNS.
[ //localhost/Radius/UserLists/L2TPDOMAIN/L2TP_DM4_101.com/Attributes ]
Cisco-AVpair = vpdn:tunnel-id=L2TP_DM4_101
Cisco-AVpair = vpdn:l2tp-tunnel-password=cisco
Cisco-AVpair = vpdn:tunnel-type=l2tp
Cisco-AVpair = vpdn:ip-addresses=10.200.1.56
Cisco-AVpair = atm:peak-cell-rate=1024
Cisco-AVpair = atm:sustainable-cell-rate=512
Deployment Model 4: AAA Server for ISP-2
This attribute enables the Layer 4 Redirect feature.
[ Attributes ]
Cisco-AVPair = "ip:l4redirect=redirect list 111 to group SESM-Server duration 30 frequency 180"
This attribute enables the Port-Bundle Host Key (PBHK) feature on the AAA server; the subscriber reaches the SESM by way of PBHK.
[ Attributes ]
Cisco-AVPair = ip:portbundle=enable
This profile configures the basic Internet access service.
[ //localhost/Radius/UserLists/SERVICES/INTERNET_SERVICE/Attributes ]
Cisco-AVPair = ip:inacl=Internet-in-acl
Cisco-AVPair = ip:outacl=Internet-out-acl
Cisco-SSG-Service-Info = IINTERNET_SERVICE
Cisco-SSG-Service-Info = R42.1.1.0;255.255.255.0
This profile configures the PPP profile that is used in the subscriber's base profile.
[ //localhost/Radius/UserLists/ie2-C7301-LNS/C73_DM1_01@L2TP_DM1_101.com/Attributes ]
Cisco-AVpair = "ip:ip-unnumbered=loopback 3001"
Cisco-AVpair = ip:addr-pool=C73_DM1_3001
Cisco-SSG-Account-Info = AINTERNET_SERVICE
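The service profiles in the Deployment Model 3 and Deployment Model 4 AAA server sections name ACLs (GAMING_IN_ACL, Internet-in-acl and so on) that have to exist in the ISG running configuration, and every traffic-class access-group in them is paired with a "default drop" entry for the same direction. A profile that names an ACL the ISG does not define, or that omits the "default drop", is easy to miss by eye across several devices. The following Python script is an added example, not part of the Cisco guide or of any Cisco product: it parses profile dumps in the same "[ path/Attributes ]" layout the guide uses, extracts ACL names from an IOS running-config fragment, and reports the mismatches. All of its input is constructed sample data modelled on the guide's profiles; the VOD_SERVICE profile in it is deliberately broken (a misspelled ACL name and a missing "default drop") so the checker has something to report.

```python
# Added example (not from the Cisco guide): cross-check ISG AAA service
# profiles against the ACLs the ISG running configuration actually defines.
import re

# Constructed sample profiles in the guide's "[ path/Attributes ]" layout.
# VOD_SERVICE is deliberately broken: its "out" ACL name is misspelled and
# the "out" direction has no "default drop" entry.
SAMPLE_PROFILES = """\
[ //localhost/Radius/UserLists/SERVICES/GAMING_SERVICE/Attributes ]
Cisco-AVPair = "ip:traffic-class=in access-group name GAMING_IN_ACL"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name GAMING_OUT_ACL"
Cisco-AVPair = "ip:traffic-class=out default drop"
Cisco-SSG-Service-Info = IGAMING_SERVICE
[ //localhost/Radius/UserLists/SERVICES/VOD_SERVICE/Attributes ]
Cisco-AVPair = "ip:traffic-class=in access-group name VOD_IN_ACL"
Cisco-AVPair = "ip:traffic-class=in default drop"
Cisco-AVPair = "ip:traffic-class=out access-group name VOD_OUT_ACL_TYPO"
Cisco-SSG-Service-Info = IVOD_SERVICE
[ //localhost/Radius/UserLists/SERVICES/INTERNET_SERVICE/Attributes ]
Cisco-AVPair = ip:inacl=Internet-in-acl
Cisco-AVPair = ip:outacl=Internet-out-acl
Cisco-SSG-Service-Info = IINTERNET_SERVICE
"""

# Constructed IOS fragment: only the ACL definitions matter to the checker.
SAMPLE_IOS = """\
ip access-list extended GAMING_IN_ACL
 permit ip any 42.5.0.0 0.0.255.255
ip access-list extended GAMING_OUT_ACL
 permit ip 42.5.0.0 0.0.255.255 any
ip access-list extended VOD_IN_ACL
 permit ip any 42.4.0.0 0.0.255.255
ip access-list extended VOD_OUT_ACL
 permit ip 42.4.0.0 0.0.255.255 any
ip access-list extended Internet-in-acl
 deny ip any 10.200.0.0 0.0.255.255
 permit ip any any
ip access-list extended Internet-out-acl
 deny ip 10.200.0.0 0.0.255.255 any
 permit ip any any
access-list 135 permit ip any host 10.100.4.38
"""

PROFILE_HDR = re.compile(r"^\[\s*(?P<path>.+?)/Attributes\s*\]$")
ATTR_LINE = re.compile(r'^(?P<name>[\w-]+)\s*=\s*"?(?P<value>[^"]*)"?$')
TC_ACL = re.compile(r"^ip:traffic-class=(?P<dir>in|out)\s+access-group\s+name\s+(?P<acl>\S+)")
TC_DROP = re.compile(r"^ip:traffic-class=(?P<dir>in|out)\s+default\s+drop$")
PLAIN_ACL = re.compile(r"^ip:(?P<dir>in|out)acl=(?P<acl>\S+)$")
NAMED_ACL = re.compile(r"^ip access-list (?:extended|standard) (?P<name>\S+)\s*$", re.M)
NUMBERED_ACL = re.compile(r"^access-list (\d+) ", re.M)


def parse_profiles(text):
    """Return {profile_name: [(attribute, value), ...]} from an AR style dump."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        hdr = PROFILE_HDR.match(line)
        if hdr:  # last path component is the profile (service or user) name
            current = hdr.group("path").rsplit("/", 1)[-1]
            profiles[current] = []
            continue
        attr = ATTR_LINE.match(line)
        if attr and current is not None:
            profiles[current].append((attr.group("name"), attr.group("value").strip()))
    return profiles


def defined_acls(ios_text):
    """Names (and numbers) of the ACLs an IOS configuration defines."""
    return set(NAMED_ACL.findall(ios_text)) | set(NUMBERED_ACL.findall(ios_text))


def check_service_profiles(profile_text, ios_text):
    """Report profile/ISG mismatches as a list of strings (empty = consistent).

    Checks: every ACL a profile names exists on the ISG; every traffic-class
    direction that has an access-group also has a "default drop" (the guide
    pairs the two in every service profile); and the profile carries the
    Cisco-SSG-Service-Info "I<name>" tag that identifies the service.
    """
    acls = defined_acls(ios_text)
    findings = []
    for name, attrs in parse_profiles(profile_text).items():
        tc_dirs, drop_dirs, tags = set(), set(), []
        for attr, value in attrs:
            if attr.lower() == "cisco-avpair":
                for rx in (TC_ACL, PLAIN_ACL):
                    m = rx.match(value)
                    if m and m.group("acl") not in acls:
                        findings.append(f"{name}: ACL {m.group('acl')} is not defined on the ISG")
                if TC_ACL.match(value):
                    tc_dirs.add(TC_ACL.match(value).group("dir"))
                elif TC_DROP.match(value):
                    drop_dirs.add(TC_DROP.match(value).group("dir"))
            elif attr.lower() == "cisco-ssg-service-info" and value.startswith("I"):
                tags.append(value[1:])
        for d in sorted(tc_dirs - drop_dirs):
            findings.append(f"{name}: traffic-class {d} has no 'default drop'")
        if name not in tags:
            findings.append(f"{name}: missing Cisco-SSG-Service-Info I{name}")
    return findings


if __name__ == "__main__":
    print("\n".join(check_service_profiles(SAMPLE_PROFILES, SAMPLE_IOS)) or "consistent")
```

Run against real data by replacing SAMPLE_PROFILES with the AAA server's profile dump and SAMPLE_IOS with the ISG's running configuration; on the constructed input above the checker reports only the two VOD_SERVICE defects and is silent for GAMING_SERVICE and INTERNET_SERVICE. The checker deliberately accepts both forms the guide uses, the traffic-class "access-group name" form and the plain "ip:inacl"/"ip:outacl" form, so a service bundle that mixes them (as Deployment Model 3 does) is covered by one pass.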
Copyright © 2005 Cisco Systems, Inc. All rights reserved.