Configuring Virtual Template Interfaces

Virtual Template Interface Service Overview

Features that Apply Virtual Template Interfaces

Selective Virtual Access Interface Creation

Configuring a Virtual Template Interface

Monitoring and Maintaining a Virtual Access Interface

Virtual Template Interface Configuration Examples

Basic PPP Virtual Template Interface

Virtual Template Interface

Selective Virtual Access Interface

RADIUS per-User and Virtual Profiles

TACACS+ per-User and Virtual Profiles

Configuring Virtual Template Interfaces

This chapter describes how to configure virtual template interfaces. It includes the following main sections:

The following template and virtual interface limitations apply:

Although a system can have as many as 25 virtual template interfaces, one template for each virtual access application is a more realistic limit.
When in use, each virtual access interface cloned from a template requires the same amount of memory as a serial interface. Cisco routers support a maximum of 300 virtual interfaces.
Virtual access interfaces are not directly configurable by users, except by configuring a virtual template interface or including the configuration information of the user (through virtual profiles or per-user configuration) on an authentication, authorization, and accounting (AAA) server. However, information about an in-use virtual access interface can be displayed and the virtual access interface can be cleared.
Virtual interface templates provide no direct value to users; they must be applied to or associated with a virtual access feature by use of a command with the virtual-template keyword.

: For example, the interface virtual-template command creates the virtual template interface and the multilink virtual-template command applies the virtual template to a multilink stack group. The virtual-profile virtual-template command specifies that a virtual template interface will be used as a source of configuration information for virtual profiles.

For a complete description of the virtual template interface commands mentioned in this chapter, see the Cisco IOS Dial Services Command Reference publication. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.

Virtual Template Interface Service Overview

The Virtual Template Interface Service feature provides a generic service that can be used to apply predefined interface configurations (virtual template interfaces) in creating and freeing virtual access interfaces dynamically, as needed.

Virtual template interfaces can be configured independently of any physical interface and applied dynamically, as needed, to create virtual access interfaces. When a user dials in, a predefined configuration template is used to configure a virtual access interface; when the user is done, the virtual access interface goes down and the resources are freed for other dial-in uses.

A virtual template interface is a logical entity---a configuration for a serial-interface but not tied to a physical interface---that can be applied dynamically as needed. Virtual access interfaces are virtual interfaces that are created, configured dynamically (for example, by cloning a virtual template interface), used, and then freed when no longer needed.

Virtual template interfaces are one possible source of configuration information for a virtual access interface.

Each virtual access interface can clone from only one template. But some applications can take configuration information from multiple sources; for example, virtual profiles can take configuration information from a virtual template interface, or from interface-specific configuration information stored from a user on a AAA server, or from network protocol configuration from a user stored on a AAA server, or all three. The result of using template and AAA configuration sources is a virtual access interface uniquely configured for a specific dial-in user.

Figure 3 illustrates that a router can create a virtual access interface by first using the information from a virtual template interface (if any is defined for the application) and then using the information in a per-user configuration (if AAA is configured on the router and virtual profiles or per-user configuration or both are defined for the specific user).

Figure 3: Possible Configuration Sources for Virtual Access Interfaces

The virtual template interface service is intended primarily for customers with large numbers of dial-in users and provides the following benefits:

For easier maintenance, allows customized configurations to be predefined and then applied dynamically when the specific need arises.
For scalability, allows interface configuration to be separated from physical interfaces. Virtual interfaces can share characteristics, no matter what specific type of interface the user called on.
For consistency and configuration ease, allows the same predefined template to be used for all users dialing in for a specific application.
For efficient router operation, frees the virtual access interface memory for another dial-in use when the call from the user ends.

Features that Apply Virtual Template Interfaces

The following features apply virtual template interfaces to create virtual access interfaces dynamically:

Virtual profiles
Virtual Private Dialup Networks (VPDN)
Multilink PPP (MLP)
Multichassis Multilink PPP (MMP)
Virtual templates for protocol translation
PPP over ATM

Virtual templates are supported on all platforms that support these features.

To create and configure a virtual template interface, compete the tasks in this chapter. To apply a virtual template interface, refer to the specific feature that applies the virtual template interface.

All prerequisites depend on the feature that is applying a virtual template interface to create a virtual access interface. Virtual template interfaces themselves have no other prerequisites.

The order in which you create virtual template interfaces and virtual profiles, and configure the features that use the templates and profiles, is not important. They must exist, however, before someone calling in can use them.

Selective Virtual Access Interface Creation

Optionally, you can configure a router to automatically determine whether to create a virtual access interface for each inbound connection. In particular, a call that is received on a physical asynchronous interface that uses a AAA per-user configuration can now be processed without a virtual access interface being created by a router that is also configured for virtual profiles.

The following three criteria determine whether a virtual access interface is created:

Is there a virtual profile AAA configuration?
Is there a AAA per-user configuration?
Does the link interface support direct per-user AAA?

A virtual access interface will be created in the following scenarios:

If there is a virtual profile AAA configuration.
If there is not a virtual profile AAA configuration, but there is a AAA per-user configuration and the link interface does not support direct per-user AAA (such as ISDN).

A virtual access interface will not be created in the following scenarios:

If there is neither a virtual profile AAA configuration nor a AAA per-user configuration.
If there is not a virtual profile AAA configuration, but there is a AAA per-user configuration and the link interface does support direct per-user AAA (such as asynchronous).

Configuring a Virtual Template Interface

To create and configure a virtual template interface, use the following commands beginning in global configuration mode:

Command Purpose

Step 1

interface virtual-template number
Creates a virtual template Interface, and enter interface configuration mode.

Step2

ip unnumbered ethernet 0
Enables IP without assigning a specific IP address on the LAN.

Step3

encapsulation ppp
Enables PPP encapsulation on the virtual template Interface.

Step4

virtual-profile if-needed
(Optional) Creates virtual-access interfaces only if the inbound connection requires one.

	Command	Purpose
Step 1	interface virtual-template number	Creates a virtual template Interface, and enter interface configuration mode.
Step2	ip unnumbered ethernet 0	Enables IP without assigning a specific IP address on the LAN.
Step3	encapsulation ppp	Enables PPP encapsulation on the virtual template Interface.
Step4	virtual-profile if-needed	(Optional) Creates virtual-access interfaces only if the inbound connection requires one.

Optionally, other PPP configuration commands can be added to the virtual template configuration. For example, you can add the ppp authentication chap command.

All configuration commands that apply to serial interfaces can also be applied to virtual template interfaces, except shutdown and dialer commands.

For virtual template interface examples, see the "Virtual Template Interface Configuration Examples" section later in this chapter.

Monitoring and Maintaining a Virtual Access Interface

When a virtual template interface or a configuration from a user on a AAA server or both are applied dynamically, a virtual access interface is created. Although a virtual access interface cannot be created and configured directly, it can be displayed and cleared.

To display or clear a specific virtual access interface, use the following commands in EXEC mode:

Command Purpose

show interfaces virtual-access number
Displays the configuration of the virtual access interface.

clear interface virtual-access number
Tears down the virtual access interface and frees the memory for other dial-in uses.

Command	Purpose
show interfaces virtual-access number	Displays the configuration of the virtual access interface.
clear interface virtual-access number	Tears down the virtual access interface and frees the memory for other dial-in uses.

Virtual Template Interface Configuration Examples

This section contains the following configuration examples:

Basic PPP Virtual Template Interface

The following example enables virtual profiles (configured only by virtual template) on straightforward PPP (no MLP), and configures a virtual template interface that can be cloned on a virtual access interface for dial-in users:

virtual-profile virtual-template 1
 
interface virtual-template 1
 ip unnumbered ethernet 0
 encapsulation ppp
 ppp authentication chap

Virtual Template Interface

The following two examples configure a virtual template interface and then display the configuration of a virtual access interface when the template interface has been applied.

This example uses a named Internet Protocol Exchange (IPX) access list:

interface virtual-template 1
 ip unnumbered Ethernet0
 ipx ppp-client Loopback2
 no cdp enable
 ppp authentication chap

This example displays the configuration of the active virtual access interface that was configured by virtual-template 1, defined in the preceding example:

Router# show interfaces virtual-access 1 configuration 
 
Virtual-Access1 is a L2F link interface
interface Virtual-Access1 configuration...
ip unnumbered Ethernet0
ipx ppp-client Loopback2
no cdp enable
ppp authentication chap

Selective Virtual Access Interface

The following example shows how to create a virtual access interface for incoming calls that require a virtual access interface:

aaa new-model
aaa authentication ppp default local radius tacacs
aaa authorization network default local radius tacacs
 
virtual-profile if-needed
virtual-profile virtual-template 1
virtual-profile aaa
!
interface Virtual-Template1
 ip unnumbered Ethernet 0
 no ip directed-broadcast
 no keepalive
 ppp authentication chap
 ppp multilink

RADIUS per-User and Virtual Profiles

The following examples show RADIUS user profiles that could be used for selective virtual access interface creation.

This example shows AAA per-user configuration for a RADIUS user profile:

RADIUS user profile:
        foo     Password = "test"
                 User-Service-Type = Framed-User,
                 Framed-Protocol = PPP,
                cisco-avpair = "ip:inacl#1=deny 10.10.10.10 0.0.0.0",
                cisco-avpair = "ip:inacl#1=permit any"

This example shows a virtual profile AAA configuration for a RADIUS user profile:

RADIUS user profile:
       foo  Password = "test"
            User-Service-Type = Framed-User,
            Framed-Protocol = PPP,
          cisco-avpair = "lcp:interface-config=keepalive 30\nppp max-bad-auth 4"

TACACS+ per-User and Virtual Profiles

The following examples show TACACS+ user profiles that could be used for selective virtual access interface creation.

This example shows AAA per-user configuration for a TACACS+ user profile:

user = foo {
                name = "foo"
                global = cleartext test
                service = PPP protocol= ip {
                        inacl#1="deny 10.10.10.10 0.0.0.0"
                        inacl#1="permit any"
                }
        }

This example shows a virtual profile AAA configuration for a TACACS+ user profile:

TACACS+ user profile:
        user = foo {
                name = "foo"
                global = cleartext test
                service = PPP protocol= lcp {
                        interface-config="keepalive 30\nppp max-bad-auth 4"
                }
                service = ppp protocol = ip {
                }
        }

Table of Contents

Configuring Virtual Template Interfaces