Professional Documents
Culture Documents
Modem
RADIUS
tyler@isp1.com
Routers ISP1
RAS
PPP Session
Modem
RADIUS ISP2
paul@isp2.com
In the remote access world of yesterday, relatively slow speed connections were made
using a dedicated POTS line. These connections, with speeds from 28.8 kbps to 56 kbps,
were one to one in nature. One PC, one phone line. This scenario worked relatively well
for the home environment when most families were lucky to have one PC. In this
scenario, the phone lines were terminated in a Remote Access Server (RAS), which also
terminated the PPP session and handled, in conjunction with RADIUS, all the
authentication work. From the RAS, the packets were sent on to the appropriate routers.
However, times have changed and needs have changed. More and more often, families
have more than one PC, yet only have one additional phone line to use for connectivity. In
addition, more and more users are demanding higher access rates. There must be a
better solution.
Routed 1483
DSLAM xDSL
DSLAM Concentrator
Customer U
ATM
DSL Switch
Customer Router RADIUS
Network
DHCP
We just covered the first two B-RAS connection types, Bridged 1483 and Routed 1483.
These connection types are always on and do not provide any centralized user
authentication an authorization.
The second category of B-RAS connections attempts to maintain the current dial-up
model, complete with centralized user authentication and authorization. The DSL users
are still always on, but initially the users must authenticate through a RADIUS server.
They will also obtain their IP address from RADIUS or DHCP. This approach is often
referred to as PPP over ATM for a single user environment or PPP over Ethernet for a
multi-user environment.
With this approach, the customer can be billed based on usage if RADIUS accounting is
implemented.
DSL
Modem
PPP Session
tyler@isp1.com
ISP1
U
DSL
Modem
tyler@isp1.com
192.168.1.2
Internet
DSL
Modem
gary@isp1.com U
192.168.1.6
DSL
Modem
IP Addresses on the ERX
PVC to tyler = 192.168.1.1/30
rich@isp1.com ERX PVC to gary = 192.168.1.5/30
192.168.1.10
PVC to rich = 192.168.1.9/30
The ERX views all ATM PVCs as simple point-to-point IP interfaces. Each PVC is an
interface, and each interface is assigned an IP address.
In a PPP over ATM environment, IP addressing can be approached two ways. The first
way is to view each ATM PVC as a unique, point-to-point network. With this approach,
each PVC would be assigned a unique subnet. This approach is very straight-forward,
easy to manage, but it burns or uses up IP addresses quickly.
192.168.1.3
DSL
Modem
rich@isp1.com ERX
192.168.1.4
With the second approach to IP address assignment in a PPP over ATM environment, the
ATM cloud is viewed as a large LAN. From the ERX’s perspective, a single subnet is
assigned to the group of xDSL users. Each DSL user is assigned a numbered IP address
from the subnet. On the ERX, a loopback interface is created and assigned an IP address
from the same subnet. The ATM PVCs on the ERX are not assigned numbered IP
addresses. Instead, the PVCs are configured as unnumbered IP interfaces, and reference
the loopback interface created with the IP address from the same subnet. This approach
conserves valuable IP address space.
In a PPP over ATM environment, the DSL users will typically obtain their IP addresses
dynamically. They may or may not obtain the same IP address every time they connect to
the network. In addition, this IP address must be inserted into the ERX’s routing table, tied
to the appropriate ATM PVC. To have the ERX automatically insert the DSL users host
route into the routing table, use the configuration command ip access-routes for each IP
interface.
IP Datagram
PPP
DSL
Modem
RFC 2364 PPP
tyler@isp1.com
PPP Client ATM
ATM NIC
ISP1
U
ATM RADIUS
DSL
Customer Router PPP
Network over
ATM
DSLAM Switch ATM ERX
DSL
Modem
ISP2
paul@isp2.com RADIUS
PPP Client
DSL
Modem 2 -PPP LCP default
Tyler@isp1.com Request - Chap
ISP1
AAA
PPP Process
over RADIUS
ATM
VR2
PVC
per
DSLAM Modem
DSL
Modem
ISP2
Paul@isp2.com
ERX RADIUS
Let’s take a look at the details of the configuration as well as how a user’s session will be
established using this configuration.
The ERX has been configured for 2 Virtual routers. ISP1 is using the default virtual router
and ISP2 is using the Virtual router VR2.
Tyler@isp1.com (the PPP client) initiates a network connection via PPP LCP to the ERX.
LCP Negotiation occurs. The ERX can negotiate the following LCP options: MRU, Magic
Number (for loopback detection), and authentication protocol (PAP or CHAP).
VR2 RADIUS
DSLAM
DSL
Modem
ISP2
Paul@isp2.com
ERX
RADIUS
During authentication, the user will send his login, Tyler@isp1.com. On the ERX, the AAA server or
process handles all of the Authentication, Authorization, Accounting and Address Assignment.
The AAA process on the ERX will parse this login for the user’s realm or domain name. The ERX will
use the string after the @ sign as the domain name. This process receives the request, searches the
Domain Map, determines which virtual router the user will authenticate through, and forwards the
request to the appropriate virtual router
The Domain Map is manually configured on the ERX. This global or box-wide table simply lists the
valid domains and which virtual router they are associated with. This table is used initially to
determine which Authentication server to use.
Based on a match, the ERX will use the RADIUS Authentication server configured in this virtual router.
In this example, the ERX searches the Domain Map for isp1.com. The ERX determines that isp1.com
uses the RADIUS server configured in the default virtual router.
If no entries were in the Domain Map, all requests would be sent to the RADIUS Authentication server
configured in the default virtual router.
If there is no match in the Domain Map, the request is sent to the RADIUS Authentication server listed
in the default virtual router. For example, Diane@isp3.com tries to login using this configuration.
What would happen? Since there is no match in the Domain Map , the request is sent to the RADIUS
server listed in the default virtual router. One can override this behavior using a domain name of
“default” in the Domain Map .
If there is no domain in the login, Tyler, without a domain name, the ERX will also use the RADIUS
server listed in the default virtual router. One can override this behavior using a domain name of
“NONE” in the Domain Map .
Tyler@isp1.com
VR2
IP=192.168.1.10
RADIUS=2.2.2.1
UDP=1645
DSLAM key=training
DSL RADIUS
Modem
ISP2 2.2.2.1
Paul@isp2.com
ERX
The ERX looks at the default router configuration and determines the IP address of the RADIUS
server used for authentication and authorization. Note that the RADIUS server configuration is
per virtual router, whereas the domain map information is global or “box-wide” and not tied to a
virtual router.
By default, the ERX uses UDP port 1812 for the RADIUS authentication server per the RFC. If
your RADIUS server is using a different UDP port, explicitly configure the ERX to use that port,
i.e. UDP port 1645.
It will be necessary to configure the radius key to match the RADIUS server configuration. This
is used to encrypt the password sent from the ERX to the RADIUS server.
The ERX is a RADIUS client and forwards the authentication request or Access-Request to the
RADIUS server, 1.1.1.1. This access-request may include checklist attributes: user name, PAP
user password or CHAP Password / Challenge, framed protocol, and the ERX IP Address.
The RADIUS server will issue a deny or Access-Reject if Tyler@isp1.com is not found on the
server or the passwords are incorrect, respectively.
The RADIUS server will issue a grant or Access-Accept if Tyler@isp1.com is found on the server
and the password or challenge response is correct, respectively.
In addition, the grant may include return list attributes which the ERX will apply to the user’s
session. These attributes may include the IP address, subnet mask, IP routes for security
purposes, session timeout, and idle timeout. In the above diagram, the RADIUS server has
returned an IP address from a pool configured on the server.
The RADIUS server can also be configured with Unisphere Networks Vendor Specific Attributes.
We will expand on these attributes and how they are used later in the unit.
DSL RADIUS
Modem default 1.1.1.1
Tyler@isp1.com
Tyler@isp1.com
RADIUS=1.1.1.1 ISP1
UDP=1645
key=training
Tyler@isp1.com
VR2 IP=192.168.1.10
RADIUS=2.2.2.1
UDP=1645
DSLAM key=training
DSL RADIUS
Modem
ISP2 2.2.2.1
Paul@isp2.com
ERX
• Retransmit Value
• Timeout Value
• Deadtime
• Max-sessions
1.1.1.1
DSL Access Request
Modem default DA = 1.1.1.1 RADIUS
Tyler@isp1.com Router ID= SA = 192.168.1.1
172.10.1.1
Loopback1=
192.168.1.1
RADIUS=1.1.1.1 ISP1 Access Accept
DA = 192.168.1.1
SA = 1.1.1.1
VR2
Router ID=
10.1.1.1
DSLAM Loopback 1=
DSL
172.16.1.1 2.2.2.1
Modem RADIUS=2.2.2.1
ISP2 RADIUS
Paul@isp2.com
ERX
By default, the ERX will use the ERX’s Router ID (ip router-id) as the source IP address
for all packets sent to the RADIUS server. Unfortunately, the RADIUS server may not
have a route to this IP address.
It is possible to control which IP address the ERX will use as the source IP address for all
packets sent to the RADIUS server. To force the ERX to use a specific IP address for all
RADIUS packets, use the radius update-source-addr a.b.c.d command, where a.b.c.d is
the source IP address the ERX should use when communicating with a specific RADIUS
server. Note that this command is per virtual router.
The RADIUS server must have a route to this IP address on the ERX in order to reply to
the requests.
Note that it is also possible to configure the ERX’s router ID using the ip router-id a.b.c.d
command, which may accomplish the same goal.
DSL RADIUS
Modem default 1.1.1.1
Tyler@isp1.com
RADIUS=1.1.1.1 ISP1 RADIUS
RADIUS=1.1.1.2 1.1.1.2
RADIUS=1.1.1.3
VR2
RADIUS
1.1.1.3
RADIUS=2.2.2.1
DSLAM RADIUS=2.2.2.2
DSL RADIUS
Modem
ISP2 2.2.2.1
Paul@isp2.com
ERX
RADIUS
2.2.2.2
• Direct Mode
• Round Robin
Multiple RADIUS servers can be configured on the ERX. The RADIUS servers will be
used in the order in which they are configured.
Use the show radius authentication server command to view the order being used by
the ERX at any point in time.
The RADIUS servers can be configured to use one of two server selection algorithms:
Direct (default) - This algorithm essentially implements a primary/backup scenario for
multiple RADIUS servers. Using this algorithm, requests are only sent to the first RADIUS
server listed in the configuration. If this RADIUS server does not respond to requests
(based on the timeout value and the retransmit interval), start sending requests to the
second RADIUS server listed in the configuration file. The first server will not be used for
the configured deadtime.
After the deadtime timer expires, the RADIUS server is reinstated on the active server list.
Round Robin - This algorithm will send out RADIUS requests to all active RADIUS
servers, in the order listed in the configuration file. In the above diagram, the first request
is sent to the first server, the second request to the second server, the third request is sent
to the first server, and so on. In this case, the primary server changes with each request.
This mode will effectively use all configured RADIUS servers equally, in a round robin
fashion.
The RADIUS algorithm is configured using the following configuration command:
erx2(config)#radius algorithm ?
direct Configure RADIUS client to use the list of servers in configured order
round-robin Configure RADIUS client to use the list of servers in round-robin order
RADIUS=2.2.2.1
UDP=1645
DSLAM key=training
DSL RADIUS
Modem
ISP2 2.2.2.1
Paul@isp2.com
ERX
• RADIUS Server
• Local IP Address Pool on the ERX
• DHCP Proxy Client
The user can obtain an IP address in three different ways. In the previous example, the
RADIUS server can returned Tyler’s IP address.
If the RADIUS server returns a value or 255.255.255.254, 0.0.0.0 or no address, the ERX
will obtain an IP address for the remote user using the local address pools defined on the
ERX.
As of release 1.3, the ERX can also provide DHCP proxy services for the workstation and
obtain the workstation’s IP address from a DHCP server.
In this example, the RADIUS server returned an IP address from a pool configured on the
RADIUS server. This IP address will be assigned to Tyler’s PC during the IP NCP
negotiation process.
RADIUS=2.2.2.1
UDP=1645
DSLAM key=training
DSL RADIUS
Modem
ISP2 2.2.2.1
Paul@isp2.com
ERX
Local Address Pools can also be configured on the ERX. Local address pools are
configured on the ERX by issuing the ip address-pool local command. Next, an IP
address range would be configured by issuing the command
ip local pool <poolname> <ip address start range> <ip address end range>.
Local Address Pools are configured per virtual router.
If the RADIUS server returns an IP address of 255.255.255.254, 0.0.0.0 or no address, as
is the case here, the ERX determines if any IP address pool information has been
configured. In this case, a local IP address pool has been configured and the ERX will
obtain an IP address for the user from the available addresses in that virtual router’s
address pool.
The ERX will associate this user with this IP address until the session is disconnected and
the address is released.
If there are no addresses available, the ERX will fail the request.
There is no concept of ‘leasing’ an address as with DHCP. The address is allocated to
that user until the user’s session disconnects.
DSL DHCP
Modem default 1.1.2.1
Tyler@isp1.com ip address-pool
dhcp ISP1
ip dhcp-server
Tyler@isp1.com
1.1.2.1
255.255.255.254
VR2
RADIUS=2.2.2.1
UDP=1645
DSLAM key=training
DSL RADIUS
Modem
ISP2 2.2.2.1
Paul@isp2.com
ERX
DHCP Proxy provides the ability to dynamically assign IP addresses to clients even
though the clients are PPP clients, not DHCP clients. The ERX acts as a DHCP client on
behalf of the PPP client and negotiates the allocation of an IP address with one or more
DHCP servers on the network. The ERX maintains the address for the client by renewing
the lease on the address until the client terminates the connection and releases the
address back to the server that provided it.
The DHCP proxy client is configured on the ERX by issuing the ip address-pool dhcp
command. Next, the IP addresses of the DHCP servers would be configured using the
command ip dhcp-server <ip address of dhcp server>.
The ERX DHCP Proxy client is configured and operates per virtual router.
If the RADIUS server returns an IP address of 0.0.0.0, no address or 255.255.255.254, as
is the case here, the ERX determines if any IP address pool information has been
configured. In this case, DHCP has been configured for the local address pool. The ERX
will obtain an IP address for the user from one of the DHCP servers configured.
In a DHCP Proxy environment, the ERX maintains the DHCP leases. For each client, the
ERX records the lease time provided by the DHCP server. When 50% of the lease time
has passed, the DHCP Proxy will attempt to renew the lease. If the server renews the
lease, the new lease time is recorded and the procedure repeats. If the server denies the
renewal, the DHCP Proxy alerts the AAA server that the address renewal failed. The AAA
server would then terminate the PPP session and issue a release of the IP address.
Up to 5 DHCP servers can be configured. The DHCP servers can be the same ones used
with Bridged 1483 or they can be completely different DHCP server. Therefore, Bridged
1483 can support 5 DHCP servers and DHCP proxy can support an additional 5 DHCP
servers. If multiple DHCP servers are configured, the address request will be sent to all
configured servers.
VR2
Loopback 1
DSLAM 172.16.1.1/16
RADIUS
2.2.2.1
DSL
Modem
ISP2
Paul@isp2.com
ERX
• Unnumbered interfaces associated with a loopback interface
• Loopbacks are IP Interfaces configured per virtual router
• Which Virtual Router should be used?
- Domain Map
- RADIUS Vendor Specific Attribute
- Profile
Once the ERX has obtained an IP address for the remote user, the next step is to perform
PPP IP NCP negotiations. Typically, the ERX will use an unnumbered interface for this
PPP session. Each unnumbered interface has an associated loopback interface. If the
ERX is using an unnumbered interface, the IP address supplied to the user during IP NCP
negotiation will be the IP address of the associated loopback interface configured on the
ERX.
This presents a challenge: Which loopback address should be used? Remember that all
layer 1 and layer 2 information is global or “box-wide” in nature and is not tied to a specific
virtual router. Layer 3 information, specifically IP interfaces, is directly tied to a specific
virtual router. Therefore, at this point in time, the ERX must determine to which virtual
router this IP interface will belong. The ERX will then use the IP address of the loopback
interface in that particular virtual router for IP NCP negotiation.
Which virtual router is this IP interface going to use? The virtual router can be determined
by three methods
•The Domain Map can specify which virtual router and which Loopback interface
to use.
•Using the Unisphere Networks RADIUS Vendor Specific Attributes (VSA), the
RADIUS server can return the user’s virtual router in the Access-accept message
and the loopback interface.
•A Profile can also specify which Virtual Router this interface is going to use.
More on Profiles later in this unit.
VR2
Loopback 1
172.16.1.1/16
IPConf Ack 192.168.1.10
RADIUS
2.2.2.1
IPConf Req 192.168.1.1
ISP2
IPConf Ack 192.168.1.1 ERX
Now the ERX knows the IP address of the user (either from RADIUS, a local address pool
or DHCP), the virtual router this IP interface is going to use, and the appropriate IP
address to use during IPCP negotiation. The ERX and the user will now perform standard
IP NCP negotiations.
In the above diagram, isp1.com is listed in the Domain Map. Therefore, all IP interfaces
for isp1.com will be created in the router specified in the domain map. In this example,
tyler’s IP interface will be created in the default virtual router. In addition, the ERX will use
192.168.1.1, the loopback interface specified in the domain map, during IP NCP
negotiations.
If there were no entry in the domain map for isp1.com, the ERX would determine if
RADIUS returned the VSA virtual router and loopback interface information needed for IP
interface creation and negotiation. If RADIUS did not return this information, the ERX
would determine if this information was listed in the profile specified for this interface. If
the virtual router and/or loopback interface information is not specified in one of these
three places, the IP interface will not be created.
If the ip access-routes configuration command was included with the IP Interface
definition, the ERX will install the user’s IP host route into the appropriate virtual router’s
routing table. In this case, Tyler’s IP Address, 192.168.1.10, will be installed in the default
router’s IP routing table as a 32-bit host route.
VR2
DNS/WINS
1.1.1.11
RADIUS=2.2.2.1
DSLAM
DSL RADIUS
Modem
ISP2 2.2.2.1
Paul@isp2.com
ERX
• DNS/WINS
• Obtained two different ways:
- RADIUS
- Configured on ERX per virtual router
The name server configuration operates similar to the IP address configuration. The user
can obtain the IP addresses of the name servers (DNS and WINS) two different ways.
1) RADIUS can return the IP addresses of the name servers using a Vendor Specific
Attribute or VSA.
2) The name servers can be configured on the ERX.
Name servers are configured on the ERX per virtual router.
In this example, RADIUS did not return the IP address of the name servers. The ERX will
supply the addresses of the name server based on the configuration in the default virtual
router.
Per the RFC, the ERX supports a primary and secondary name server.
DSL RADIUS
Modem default 1.1.1.1
Tyler@isp1.com
RADIUS=1.1.1.1 ISP1
UDP=1646
key=training
VR2
RADIUS=2.2.2.1
UDP=1646
DSLAM key=training
DSL RADIUS
Modem
ISP2 2.2.2.1
Paul@isp2.com
ERX
As with RADIUS authentication servers, RADIUS accounting servers are also configured
per virtual router. At this point in time, the ERX will determine the IP address of the
RADIUS Accounting server for the default virtual router and send a RADIUS accounting
start record for Tyler@isp1.com. Accounting is maintained per user.
Recall that there are two basic RADIUS accounting records: RADIUS accounting start and
RADIUS accounting stop records.
Remember that ISP1 is wholesaling services to ISP2 using this ERX. If Paul@isp2.com
logged on, a RADIUS accounting start record would normally be sent to the RADIUS
accounting server in VR2. The RADIUS accounting server for ISP2 might be located in
ISP2’s domain. However, ISP1 may want to know some of the details of ISP2’s traffic. To
accomplish this task, it is possible to configure the ERX to send duplicate accounting start
and stop messages. Messages would be sent to the RADIUS accounting server at ISP2
as well as the RADIUS accounting server at ISP1. This option is configured using the aaa
accounting duplication configuration command.
At this point, Tyler has successfully established a PPP over ATM session with the RX and
is ready to ‘surf the web!’
Slot/Port
Framing ATM Interface
# VC per VP (UT3 or UE3)
The UT3/UE3 controller, ATM Interface, ATM Subinterface, and PPP interface are
statically defined on the ERX. Recall that in a PPP over ATM environment, each modem
supports just one user. Therefore, on the ERX, an ATM subinterface or PVC and PPP
interface will be statically created for each user.
In a B-RAS environment, IP Interfaces can be dynamically created and assigned to the
appropriate virtual router when the user logs on. The user could obtain a different IP
address each time he logs on to the ERX. After successful completion of IPCP
negotiation, the users IP address must be installed as a 32-bit host route in the routing
table of the appropriate virtual router. When the user logs off, the route must be deleted
and the IP Interface dynamically removed from the configuration.
To facilitate this dynamic creation and deletion of IP interfaces, the ERX uses a
mechanism called Profiles.
Recall that the IP interface configuration command ip access-routes automatically inserts
and deletes the host route in the ERX’s routing table.
If the users IP interface is NOT ALWAY going to be in the same virtual router, it is not
possible to statically configure the IP interface, assign it an address (numbered or
unnumbered) and specify the ip access-route command. Entering these commands
would lock the interface column into the virtual router the CLI was associated with when
the commands are entered. In order to dynamically create IP interfaces and bind them to
virtual routers when the customer logs in, it is necessary to use IP Profiles.
If the user’s IP Interface is always going to be assigned to the same virtual router, it is
possible to statically define the IP interface (numbered or unnumbered) in the appropriate
virtual router and specify the ip access-routes command for each interface. The ip
access-routes command instructs the ERX to automatically cache the user’s assigned
host route in the routing table and therefore bind it with the appropriate ATM subinterface.
It is also possible to use Profiles to dynamically create these IP interfaces, but not
necessary.
Static
Configuration ATM Interface
UT3 / UE3
OC3c
Remember that all layer 1 and layer 2 information (UT3/UE3/OC3c, ATM Interfaces and Subinterfaces,
PPP Interfaces) are global in nature or independent of the VR configuration. The only part of the
protocol stack or interface column that is specific to a virtual router is the IP Interface.
A Profile defines properties or behaviors of an IP interface, such as the MTU size, the option to cache
the host route in the routing table, or assigning the IP interface to specific virtual router. A Profile is
created or defined once globally on the ERX, and then applied to as many interfaces as desired.
For example, assume ISP2 wants to support 2,000 users or 2,000 IP Interfaces. The ISP wants all of
these IP interfaces to have the same behavior and characteristics, specifically that each host route will
be cached in the VR2 routing table and that each interface will have an MTU of 1500 bytes. A Profile
will be created globally in the ERX. For example:
host8(config)#profile isp2
erx5:vr2(config-profile)#ip ?
access-routes Enable the creation of host access routes on this interface.
address Configure an IP address on an interface
directed-broadcast Enable directed broadcast forwarding
ignore-df-bit Ignore DF bit
mtu Configure the maximum transmission unit for this network
policy Attach/Remove a policy to/from an interface
redirects Enable transmission of ICMP redirect messages
sa-validate Enable source address validation
unnumbered Configure IP on this interface without a specific address
virtual-router Specify a virtual router for the profile
This profile will then be assigned to all PPP interfaces configured for this ISP. The profile is also the
mechanism or trigger to dynamically create the IP interface in the appropriate virtual router.
The configuration steps for Tyler@isp1.com: The configuration steps for Paul@isp2.com:
RX-0-9-D0(config)#controller t3 5/1 RX-0-9-D0:vr2(config)#interface atm 5/1.2
RX-0-9-D0(config-controll)#no shutdown RX-0-9-D0:vr2(config-if)#atm pvc 2 0 102 aal5snap
RX-0-9-D0(config)#interface atm 5/1 RX-0-9-D0:vr2(config-if)#encapsulation ppp
RX-0-9-D0:vr2(config-if)#ppp authentication chap
RX-0-9-D0(config-if)#interface atm 5/1.1
RX-0-9-D0:vr2(config-if)#profile generic
RX-0-9-D0(config-if)#atm pvc 1 0 101 aal5snap
RX-0-9-D0:vr2(config-if)#interface atm 5/1.3
RX-0-9-D0(config-if)#encapsulation ppp
RX-0-9-D0:vr2(config-if)#atm pvc 3 0 103 aal5snap
RX-0-9-D0(config-if)#ppp authentication chap RX-0-9-D0:vr2(config-if)#encapsulation ppp
RX-0-9-D0(config-if)#profile generic RX-0-9-D0:vr2(config-if)#ppp authentication chap
NOTE: Profiles are required when the IP Interface RX-0-9-D0:vr2(config-if)#profile generic
will be created dynamically. If the user may log into RX-0-9-D0:vr2(config-if)#exit
different domains and therefor may be connected to NOTE: Since Paul’s service allows him flexibility in service
virtual routers for different logins, use a Profile. provider selection, his IP interface must be dynamic. His
Profiles are NOT required when the IP interface will interface will be located in virtual router VR2 when he is using
always be created in the same virtual router. If the IP isp2 and the default virtual router when he is using isp1. Profiles
interface will always reside in the same virtual router, are required to provide this flexibility.
use the following commands INSTEAD of the Profile NOTE: The same profile can be used for both isp1.com and
command: isp2.com since it is only specifying the ip access routes
command and NOT specifying virtual router assignment.
RX-0-9-D0(config)#interface atm 5/1
RX-0-9-D0(config-if)#interface atm 5/1.1
RX-0-9-D0(config-if)#atm pvc 1 0 101 aal5snap
RX-0-9-D0(config-if)#encapsulation ppp
RX-0-9-D0(config-if)#ppp authentication chap
RX-0-9-D0(config-if)#ip unnumbered loopback 1
RX-0-9-D0(config-if)#ip access-routes
Use the show log configuration CLI command to view the current ERX logging
configuration. This example is the default log configuration and only shows a subset of
the categories.
Notice the three log destinations:
•console - Currently, only log messages that have severity levels 0-4 will be sent to the
console.
•nv-file - This destination refers to the the file system.log found on the flash card. Only
severity levels 0-2 or EMERGENCY, ALERT and CRITICAL log messages will be stored
in system.log. It is not possible to store ERROR, WARNING, NOTICE, INFO or DEBUG
messages in the file system.log.
•syslog - The IP address of the syslog host is configured as well as a severity level of
DEBUG.
By default, all log categories are assigned a severity of ERROR or 3 and a verbosity level
of low. An exception to this rule is the category os which has a severity of NOTICE. In
addition, no interfaces or connections have logging associated with them. One must
explicitly configure ERX logging on specific interfaces or connections.
Note: The documentation includes a complete list of categories and the messages
available at each severity level.
In this example, we are going to configure the ERX to log PPP packets on a specific PPP interface,
5/1.1. We are going to configure the pppPacket category, specify a severity of DEBUG and
specify the PPP interface, 5/1.1. All logging configuration is done in global configuration mode.
When a specific interface or connection is specified for logging, the ERX considers it a log filter.
Specific log filters are always listed at the bottom of the log configuration display. As of release 3.2
the Notes column has been added. This column will indicate a note number next to the categories
where the severity has been modified from its default value. The associated note and number will
be displayed at the end (or bottom of the screen) of the command just as the filter is.
ERX1(config)#log ?
destination Configure logging destinations
engineering Enable engineering logs
fields Select optional log fields to display
here Enable this terminal as a log console
severity Configure log severities and/or filters
verbosity Configure the verbosity level
ERX1(config)#log severity debug ?
aaaServerGeneral AAA Server General logs
addressServerGeneral Address Server General logs
atm ATM
…….
ppp Point-to-Point Protocol Layer
pppPacket PPP packet capture
pppStateMachine PPP state machine trace
pppoe Point-to-Point Over Ethernet Layer
ERX1(config)#log severity debug pppPacket ?
atm Specify an ATM PPP interface
pos Specify a POS PPP interface
serial Specify a serial PPP interface
<cr>
ERX1(config)#log severity debug pppPacket atm
INTERFACE The atm interface identifier
ERX1(config)#log severity debug pppPacket atm 5/1.1
DEBUG 11/28/2001 12:46:35 pppPacket (interface atm 5/1.1): time: 0.00, tx lcp confReq, id = 40, length = 19, mru = 9178, authentication =
chap MD5, magicNumber = 0x070c43db
DEBUG 11/28/2001 12:46:35 pppPacket (interface atm 5/1.1): time: 0.00, rx lcp confReq, id = 60, length = 14, mru = 9178, magicNumber =
0x7553a501
DEBUG 11/28/2001 12:46:35 pppPacket (interface atm 5/1.1): time: 0.00, tx lcp confAck, id = 60, length = 14, mru = 9178, magicNumber =
0x7553a501
DEBUG 11/28/2001 12:46:35 pppPacket (interface atm 5/1.1): time: 0.00, rx lcp confAck, id = 40, length = 19, mru = 9178, authentication =
chap MD5, magicNumber = 0x070c43db
DEBUG 11/28/2001 12:46:35 pppPacket (interface atm 5/1.1): time: 0.00, tx chap challenge, id = 172, length = 39, challenge length = 30,
challenge = 6e c0 41 2a 50 7a 23 60 8f 43 b5 0b 8f 9e 90 29 72 ae c0 6c cb f6 ef 2e 01 ab 99 3b c8 6d, name = 'ERX6' 45 52 58 36
DEBUG 11/28/2001 12:46:35 pppPacket (interface atm 5/1.1): time: 0.01, rx chap response, id = 172, length = 35, response length = 16,
response = 5d ed 51 8c 0b aa 4c 03 d2 69 b4 d2 4a b9 49 1e, name = 'tyler@isp1.com' 74 79 6c 65 72 40 69 73 70 31 2e 63 6f 6d
DEBUG 11/28/2001 12:46:35 pppPacket (interface atm 5/1.1): time: 0.86, tx chap
success, id = 172, length = 4
In this example, the PPP interface is ‘bounced’. By default, these pppPacket log messages will
go to volatile memory as well as syslog. They will not be directed to the console since the
console’s severity level is still set to WARNING and these messages are DEBUG.
To view the log messages stored in volatile memory, use the show log data command. There are
several options that can be used to view the log data stored in volatile memory, including severity
levels and categories.
erx1#show log data
erx1#show log data ?
category Limit the display to a specific log category
nv-file Display the nv-file log
severity Specify the minimum severity to display
| Filter output using the CLI Filtering feature
<cr>
erx1#show log data category pppPacket ?
severity Specify the minimum severity to display
| Filter output using the CLI Filtering feature
<cr>
erx1#show log data category pppPacket severity ?
<0 - 7> The minimum severity to display
alert immediate action needed (1)
critical critical conditions exist (2)
debug debug messages (7)
emergency system unusable (0)
error error conditions (3)
info informational messages (6)
notice normal but significant conditions (5)
warning warning conditions (4)
erx1#show log data category pppPacket severity debug ?
| Filter output using the CLI Filtering feature
<cr>
DEBUG 11/28/2001 12:46:35 pppPacket (interface atm 5/1.1): time: 0.86, tx ipNcp
confReq, id = 244, length = 10, ipAddress = 192.168.1.1
DEBUG 11/28/2001 12:46:35 pppPacket (interface atm 5/1.1): time: 0.87, rx ipNcp
confReq, id = 96, length = 10, ipAddress = 0.0.0.0
DEBUG 11/28/2001 12:46:35 pppPacket (interface atm 5/1.1): time: 0.87, tx ipNcp
confNak, id = 96, length = 10, ipAddress = 192.168.1.2
DEBUG 11/28/2001 12:46:35 pppPacket (interface atm 5/1.1): time: 0.87, rx ipNcp
confAck, id = 244, length = 10, ipAddress = 192.168.1.1
DEBUG 11/28/2001 12:46:35 pppPacket (interface atm 5/1.1): time: 0.87, rx ipNcp
confReq, id = 97, length = 10, ipAddress = 192.168.1.2
DEBUG 11/28/2001 12:46:35 pppPacket (interface atm 5/1.1): time: 0.87, tx ipNcp
confAck, id = 97, length = 10, ipAddress = 192.168.1.2
A sample configuration file is located in the back of the PPP over ATM lab.
To view the pppPacket DEBUG log messages in real-time on the console, use the
configuration command log destination console severity debug. DEBUG messages
will only be sent to the console session directly attached to the ERX.
By default, log messages are not directed to Telnet/SSH sessions. Once the console is
configured to support debug messages, use the log here configuration command from the
Telnet/SSH session to direct log messages to the Telnet/SSH session. At this point,
pppPacket trace log messages will be directed to both the Telnet/SSH session as well as
the directly connected console session.
To stop directing log messages to a specific console or Telnet/SSH session, use the no
log here configuration command. In a troubleshooting situation, log messages could be
directed to a Telnet/SSH session using the log here option and the directly attached
console session could be used for other troubleshooting commands using the no log here
option.
To turn off logging to all console sessions, use the log destination console off
configuration command. This command disables logging to both Telnet/SSH and directly
attached console sessions.
To scale down the amount of log messages being sent to the console or Telnet/SSH
session, use the log destination console severity warning configuration command.
As of release 3.2 you can baseline log data using the baseline log command. Use the
optional delta keyword with the show log data command to specify that baselined
messages are not to be shown.
• pppPacket
• aaaUserAccess
• radiusAttributes
• radiusClient