Multiple Virtual Profiles with local AAA

Discussion in 'Cisco' started by Andy Gray, Oct 17, 2003.

  1. Andy Gray

    Andy Gray Guest

    Hello all

    We have some 7200 routers running SGBP and hundreds of branch routers
    that can dial in to any of the 7200s and get a multilink connection.
    Up until now they've shared the same core configuration, with just
    different numbers of max-links in the multilink bundle depending on
    the branch type.

    The branches can broadly be categorised into two types and I've now
    been asked to find out whether it's possible to apply a queueing
    strategy over ISDN for one of the branch types but not the other.

    This would I presume require two different virtual-templates and some
    means of categorising the incoming calls. But, there is no AAA server
    I can use to do per-connection virtual profiles with.

    Can this be done solely on the 7200 routers? However it's done I don't
    really want a profile for each of the several hundred branches, just
    two different profiles and some means of grouping the branches.

    Grateful for any advice.....

    Cheers

    Andy
     
    Andy Gray, Oct 17, 2003
    #1

  2. Two questions:

    a) what do you mean by a "queueing strategy"? Why do you want
    these to be different for the different router groups? What
    are you trying to accomplish?

    b) how do you propose to distinguish between the two sets of
    branch routers? Authenticated username? DNIS? ANI?

    And a comment:

    With HUNDREDS of branch routers to manage, I personally would
    vote for using an AAA server - which should give you all
    the flexibility you require.

    Aaron

    ---

    ~ Hello all
    ~
    ~ We have some 7200 routers running SGBP and hundreds of branch routers
    ~ that can dial in to any of the 7200s and get a multilink connection.
    ~ Up until now they've shared the same core configuration, with just
    ~ different numbers of max-links in the multilink bundle depending on
    ~ the branch type.
    ~
    ~ The branches can broadly be categorised into two types and I've now
    ~ been asked to find out whether it's possible to apply a queueing
    ~ strategy over ISDN for one of the branch types but not the other.
    ~
    ~ This would I presume require two different virtual-templates and some
    ~ means of categorising the incoming calls. But, there is no AAA server
    ~ I can use to do per-connection virtual profiles with.
    ~
    ~ Can this be done solely on the 7200 routers? However it's done I don't
    ~ really want a profile for each of the several hundred branches, just
    ~ two different profiles and some means of grouping the branches.
    ~
    ~ Grateful for any advice.....
    ~
    ~ Cheers
    ~
    ~ Andy
     
    Aaron Leonard, Oct 17, 2003
    #2

  3. Andy Gray

    Scott Guest

    It is very doable using an AAA server for authentication with Cisco-AV-Pairs
    defined


    "Andy Gray" <> wrote in message
    news:...
    > Hello all
    >
    > We have some 7200 routers running SGBP and hundreds of branch routers
    > that can dial in to any of the 7200s and get a multilink connection.
    > Up until now they've shared the same core configuration, with just
    > different numbers of max-links in the multilink bundle depending on
    > the branch type.
    >
    > The branches can broadly be categorised into two types and I've now
    > been asked to find out whether it's possible to apply a queueing
    > strategy over ISDN for one of the branch types but not the other.
    >
    > This would I presume require two different virtual-templates and some
    > means of categorising the incoming calls. But, there is no AAA server
    > I can use to do per-connection virtual profiles with.
    >
    > Can this be done solely on the 7200 routers? However it's done I don't
    > really want a profile for each of the several hundred branches, just
    > two different profiles and some means of grouping the branches.
    >
    > Grateful for any advice.....
    >
    > Cheers
    >
    > Andy
     
    Scott, Oct 18, 2003
    #3
  4. Andy Gray

    Andy Gray Guest

    Aaron

    Queueing strategy was probably the wrong choice of words. What I mean
    is, on one group of branches we'd like to use Class Based Weighted
    Fair Queuing and on the other an existing Custom Queuing policy
    already in use on the fixed WAN links. The ISDN is just used for
    dial-backup, but at present we just have plain FIFO for all branches
    when up in ISDN, which is not ideal.

    I suppose I had imagined using Authenticated Username to identify the
    calling branches, but DNIS would also be fine (we already use 'ISDN
    caller' lists)

    I know this can be done with an (or ideally more than one) AAA server
    but if it can be done well without that would suit us better right
    now.

    Thanks & regards

    Andy

    Aaron Leonard <> wrote in message news:<>...
    > Two questions:
    >
    > a) what do you mean by a "queueing strategy"? Why do you want
    > these to be different for the different router groups? What
    > are you trying to accomplish?
    >
    > b) how do you propose to distinguish between the two sets of
    > branch routers? Authenticated username? DNIS? ANI?
    >
    > And a comment:
    >
    > With HUNDREDS of branch routers to manage, I personally would
    > vote for using an AAA server - which should give you all
    > the flexibility you require.
    >
    > Aaron
     
    Andy Gray, Oct 24, 2003
    #4
  5. On 24 Oct 2003 03:37:07 -0700, (Andy Gray) wrote:

    ~ Aaron
    ~
    ~ Queueing strategy was probably the wrong choice of words. What I mean
    ~ is, on one group of branches we'd like to use Class Based Weighted
    ~ Fair Queuing and on the other an existing Custom Queuing policy
    ~ already in use on the fixed WAN links. The ISDN is just used for
    ~ dial-backup, but at present we just have plain FIFO for all branches
    ~ when up in ISDN, which is not ideal.
    ~
    ~ I suppose I had imagined using Authenticated Username to identify the
    ~ calling branches, but DNIS would also be fine (we already use 'ISDN
    ~ caller' lists)

    OK. If you can use DNIS (which is CALLED, not CALLING number), then
    you could use RPM templates so that the different sets of routers
    would hit different templates which could be configured with different
    queueing configurations. Here's an example of the sort of configuration
    you might use here:
    http://www.cisco.com/univercd/cc/td...122/122newft/122t/122t11/ftprfidl.htm#1044748
    .... note that RPM is supported only on AS5000s.

    In any case, you could use dialer profiles (would need a separate
    DP for each remote router) with the queueing method configured
    as desired on each. Of course with 100's of DPs your config
    would be very bulky.

    ~ I know this can be done with an (or ideally more than one) AAA server
    ~ but if it can be done well without that would suit us better right
    ~ now.

    Yeah, with vprofiles and AAA, you can do per-user fancy queueing/qos
    configs via the interface-config cisco-avpair. However it seems
    that this only works if using MLPPP (CSCdy41179). In your case, this
    constraint should be OK if you can configure the remotes to negotiate
    MLPPP.

    Aaron

    ---


    ~ Thanks & regards
    ~
    ~ Andy
    ~
    ~ Aaron Leonard <> wrote in message news:<>...
    ~ > Two questions:
    ~ >
    ~ > a) what do you mean by a "queueing strategy"? Why do you want
    ~ > these to be different for the different router groups? What
    ~ > are you trying to accomplish?
    ~ >
    ~ > b) how do you propose to distinguish between the two sets of
    ~ > branch routers? Authenticated username? DNIS? ANI?
    ~ >
    ~ > And a comment:
    ~ >
    ~ > With HUNDREDS of branch routers to manage, I personally would
    ~ > vote for using an AAA server - which should give you all
    ~ > the flexibility you require.
    ~ >
    ~ > Aaron
     
    Aaron Leonard, Oct 27, 2003
    #5
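Added example, not part of any post in this thread: one way to keep "two profiles, hundreds of branches" manageable on the AAA side is to generate the per-user entries from an inventory, with each branch type mapped to one `lcp:interface-config` cisco-avpair as described in post #5. It assumes a FreeRADIUS-style `users` file; the policy name `BRANCH-CBWFQ`, the queue list number, the branch usernames and the secrets are constructed placeholders.

```python
import re

# Assumed per-group IOS interface commands (hypothetical policy name and list number).
PROFILES = {
    "cbwfq": ["service-policy output BRANCH-CBWFQ"],
    "custom": ["custom-queue-list 1"],
}
# Restrict names so a mistyped or hostile inventory row cannot inject attributes.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,63}")


def render_user(name, secret, group):
    """Return one FreeRADIUS users-file entry for a branch router."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"unsafe username: {name!r}")
    if group not in PROFILES:
        raise ValueError(f"unknown group {group!r} for {name}")
    if '"' in secret or "\\" in secret or "\n" in secret:
        raise ValueError(f"secret for {name} needs escaping; refusing")
    lines = [f'{name} Cleartext-Password := "{secret}"',
             "    Service-Type = Framed-User,",
             "    Framed-Protocol = PPP,"]
    cmds = PROFILES[group]
    for i, cmd in enumerate(cmds):
        op = "=" if i == 0 else "+="          # first value sets, later ones append
        end = "," if i < len(cmds) - 1 else ""  # last reply item has no comma
        lines.append(f'    Cisco-AVPair {op} "lcp:interface-config={cmd}"{end}')
    return "\n".join(lines)


def render_users(inventory):
    """Render all branches, rejecting duplicate usernames."""
    seen = set()
    out = []
    for name, secret, group in inventory:
        if name in seen:
            raise ValueError(f"duplicate username: {name}")
        seen.add(name)
        out.append(render_user(name, secret, group))
    return "\n\n".join(out) + "\n"


# Constructed sample inventory: (CHAP username, CHAP secret, branch type).
SAMPLE = [
    ("branch-a-001", "EXAMPLE-SECRET-1", "cbwfq"),
    ("branch-b-001", "EXAMPLE-SECRET-2", "custom"),
]

if __name__ == "__main__":
    print(render_users(SAMPLE), end="")
```
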
  6. Andy Gray

    Andy Gray Guest

    Aaron Leonard <> wrote in message news:<>...
    > OK. If you can use DNIS (which is CALLED, not CALLING number), then
    > you could use RPM templates so that the different sets of routers
    > would hit different templates which could be configured with different
    > queueing configurations. Here's an example of the sort of configuration
    > you might use here:


    Sorry, being a bit dim there, we do use CLID, but not DNIS, though I
    guess DNIS could be an option if BT are able to give us multiple
    dialer numbers for the same ISDN groups
    http://www.cisco.com/univercd/cc/td...122/122newft/122t/122t11/ftprfidl.htm#1044748
    > ... note that RPM is supported only on AS5000s.

    Ah well, that kills it, we're not likely to change from 7206s.

    > In any case, you could use dialer profiles (would need a separate
    > DP for each remote router) with the queueing method configured
    > as desired on each. Of course with 100's of DPs your config
    > would be very bulky.

    No kidding, the configs are unwieldy enough with long CLID and
    username lists.

    So, AAA server it is. I believe we have one, though there's an
    understandable reluctance here to making branch dial-backup dependent
    on some external server(s).

    Thanks very much for your advice, Aaron, I appreciate it.

    Regards

    Andy
     
    Andy Gray, Oct 28, 2003
    #6
  7. In article <>,
    Andy Gray <> wrote:
    >Aaron Leonard <> wrote in message news:<>...
    >> OK. If you can use DNIS (which is CALLED, not CALLING number), then
    >> you could use RPM templates so that the different sets of routers
    >> would hit different templates which could be configured with different
    >> queueing configurations. Here's an example of the sort of configuration
    >> you might use here:

    >
    >Sorry, being a bit dim there, we do use CLID, but not DNIS, though I
    >guess DNIS could be an option if BT are able to give us multiple
    >dialer numbers for the same ISDN groups
    > http://www.cisco.com/univercd/cc/td...122/122newft/122t/122t11/ftprfidl.htm#1044748
    >> ... note that RPM is supported only on AS5000s.

    >Ah well, that kills it, we're not likely to change from 7206s.
    >
    >> In any case, you could use dialer profiles (would need a separate
    >> DP for each remote router) with the queueing method configured
    >> as desired on each. Of course with 100's of DPs your config
    >> would be very bulky.

    >No kidding, the configs are unwieldy enough with long CLID and
    >username lists.
    >
    >So, AAA server it is. I believe we have one, though there's an
    >understandable reluctance here to making branch dial-backup dependent
    >on some external server(s).
    >
    >Thanks very much for your advice, Aaron, I appreciate it.
    >
    >Regards
    >
    >Andy


    PMFJI, but if most of your branches share a common configuration with
    a manageable number of exceptions, you don't have to use RADIUS or
    TACACS. You could use a virtual profile for the common configuration
    with local AAA definitions and only have to define explicit dialer
    profiles for the exceptions. Using CHAP or PAP for authentication,
    the dialer profile selection can be done by user name (and with proper
    tricks, the same branch configuration can call multiple receiving
    routers with the same dialer, just multiple phone numbers).

    Good luck and have fun!
    --
    Vincent C Jones, Consultant
    Networking Unlimited, Inc.
    Tenafly, NJ Phone: 201 568-7810
    Expert advice and a helping hand for those who want to manage and
    control their networking destiny
    http://www.networkingunlimited.com
     
    Vincent C Jones, Oct 29, 2003
    #7
  8. Andy Gray

    Andy Gray Guest

    (Vincent C Jones) wrote in message news:<bnn3rc$1ga$>...
    >
    > PMFJI, but if most of your branches share a common configuration with
    > a manageable number of exceptions, you don't have to use RADIUS or
    > TACACS. You could use a virtual profile for the common configuration
    > with local AAA definitions and only have to define explicit dialer
    > profiles for the exceptions. Using CHAP or PAP for authentication,
    > the dialer profile selection can be done by user name (and with proper
    > tricks, the same branch configuration can call multiple receiving
    > routers with the same dialer, just multiple phone numbers).
    >
    > Good luck and have fun!


    Vincent, jump in, by all means.

    We do have the branch routers calling multiple receiving routers
    (using MMP/SGBP) thanks in no small part to your book and assistance
    on the newsgroups a year or so ago.

    Unfortunately we don't have a high enough standard/exception ratio,
    something like 150/60. If it were more like 200/10 I think we'd go for
    it.

    Thanks again for the advice.

    Andy
     
    Andy Gray, Oct 29, 2003
    #8
