This document includes the following sections:
The Selective Virtual-Access Interface Creation feature enables a router to automatically determine whether or not to create a virtual-access interface for each inbound connection. In particular, a call that is received on a physical asynchronous interface that uses an Authentication, Authorization, and Accounting (AAA) per-user configuration can now be processed without creating a virtual-access interface by a router that is also configured for virtual profiles.
The following three criteria determine whether or not a virtual-access interface is created:
This feature enables you to enjoy the simpler configurations of virtual profiles and virtual-access interfaces without wasting resources by creating virtual-access interfaces for connections that do not require them.
For more information about virtual-access interfaces, see the following:
For more information about AAA per-user configurations, see the following:
None
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
None
None
See the following sections for configuration tasks for the Selective Virtual-Access Interface Creation feature. Each task in the list indicates if the task is optional or required.
| Command | Purpose |
|---|---|
| Router(config)# virtual-profile if-needed | Creates virtual-access interfaces only if the inbound connection requires one. |
Step 1 Enable the debug vtemplate command.
Step 2 Establish a PPP link between the router and a client.
Step 3 View the debug output to see whether or not a virtual-access interface is created.
This section contains the following configuration examples:
When a router is configured as follows, it will only create a virtual-access interface for incoming calls that require a virtual-access interface:
aaa new-model
aaa authentication ppp default local radius tacacs
aaa authorization network default local radius tacacs
virtual-profile if-needed
virtual-profile virtual-template 1
virtual-profile aaa
!
interface Virtual-Template1
 ip unnumbered Ethernet 0
 no ip directed-broadcast
 no keepalive
 ppp authentication chap
 ppp multilink
The following is a sample AAA per-user configuration for a RADIUS user profile:
RADIUS user profile:
foo Password = "test"
User-Service-Type = Framed-User,
Framed-Protocol = PPP,
cisco-avpair = "ip:inacl#1=deny 10.10.10.10 0.0.0.0",
cisco-avpair = "ip:inacl#1=permit any"
The following is a sample Virtual Profile AAA configuration for a RADIUS user profile:
RADIUS user profile:
foo Password = "test"
User-Service-Type = Framed-User,
Framed-Protocol = PPP,
cisco-avpair = "lcp:interface-config=keepalive 30\nppp max-bad-auth 4"
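The following Python example is added here and is not part of the Cisco documentation. It parses the cisco-avpair lines of a RADIUS user profile and groups the commands the AAA server would push under the two labels this page uses (AAA per-user and Virtual Profile AAA), so a reviewer can see what a profile applies before it reaches a router. The names `SAMPLE_PROFILE`, `parse_avpairs` and `summarize` are hypothetical, and treating the literal `\n` in an interface-config value as a command separator is an assumption based on the sample above.

```python
import re

# Constructed sample: both RADIUS profiles shown on this page, merged for one user.
SAMPLE_PROFILE = r'''
foo Password = "test"
    User-Service-Type = Framed-User,
    Framed-Protocol = PPP,
    cisco-avpair = "ip:inacl#1=deny 10.10.10.10 0.0.0.0",
    cisco-avpair = "ip:inacl#1=permit any",
    cisco-avpair = "lcp:interface-config=keepalive 30\nppp max-bad-auth 4"
'''

AVPAIR_RE = re.compile(r'cisco-avpair\s*=\s*"([^"]*)"', re.IGNORECASE)
# Shape seen on this page: protocol:attribute[#sequence]=value
VALUE_RE = re.compile(r'^([\w-]+):([\w-]+)(?:#(\d+))?=(.*)$', re.DOTALL)


def parse_avpairs(profile_text):
    """Return one dict per cisco-avpair, with the value split into IOS commands."""
    pairs = []
    for raw in AVPAIR_RE.findall(profile_text):
        m = VALUE_RE.match(raw)
        if m is None:  # keep unparseable values visible instead of dropping them
            pairs.append({"proto": None, "attr": None, "seq": None,
                          "commands": [raw], "malformed": True})
            continue
        proto, attr, seq, value = m.groups()
        # Assumption: a literal backslash-n in the value separates commands.
        commands = [c.strip() for c in value.split("\\n") if c.strip()]
        pairs.append({"proto": proto, "attr": attr,
                      "seq": int(seq) if seq else None,
                      "commands": commands, "malformed": False})
    return pairs


def summarize(profile_text):
    """Group pushed commands using the labels this page gives its samples."""
    out = {"per_user": [], "virtual_profile": [], "other": []}
    for p in parse_avpairs(profile_text):
        if p["proto"] == "ip" and p["attr"] == "inacl":
            out["per_user"].extend(p["commands"])          # AAA per-user ACL lines
        elif p["proto"] == "lcp" and p["attr"] == "interface-config":
            out["virtual_profile"].extend(p["commands"])   # Virtual Profile AAA
        else:
            out["other"].extend(p["commands"])              # review by hand
    return out


if __name__ == "__main__":
    for group, commands in summarize(SAMPLE_PROFILE).items():
        print(f"{group}: {commands}")
```

Anything that lands in the `other` group is an attribute the page does not show and should be reviewed by hand.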
The following is a sample AAA per-user configuration for a TACACS+ user profile:
user = foo {
name = "foo"
global = cleartext test
service = PPP protocol= ip {
inacl#1="deny 10.10.10.10 0.0.0.0"
inacl#1="permit any"
}
}
The following is a sample Virtual Profile AAA configuration for a TACACS+ user profile:
TACACS+ user profile:
user = foo {
name = "foo"
global = cleartext test
service = PPP protocol= lcp {
interface-config="keepalive 30\nppp max-bad-auth 4"
}
service = ppp protocol = ip {
}
}
This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publication.
To specify that a virtual profile be used to create a virtual-access interface only if the inbound connection requires a virtual-access interface, use the virtual-profile if-needed global configuration command. Use the no form of this command to create virtual-access interfaces for every inbound connection.
virtual-profile if-needed
This command has no keywords or arguments.
Disabled
Global configuration
| Release | Modification |
|---|---|
| 12.0(5)T | This command was introduced. |
This command is intended to prevent the creation of virtual-access interfaces for inbound calls on physical interfaces that do not require virtual-access interfaces.
This command is compatible with local, RADIUS, and TACACS+ AAA.
The following example enables selective virtual-access interface creation:
virtual-profile if-needed
| Command | Description |
|---|---|
| interface virtual-template | Creates a virtual template that virtual profiles use to create virtual-access interfaces. |
| virtual-profile virtual-template | Specifies a virtual template as the source of information for virtual profiles. |
| virtual-profile aaa | Specifies AAA as the source of information for virtual profiles. |
Posted: Thu Aug 5 09:26:32 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.