Cisco IOS Dial Technologies Configuration Guide, Release 12.4T - Configuring Virtual Template Interfaces [Cisco IOS Software Releases 12.4 T]

Table Of Contents

Configuring Virtual Template Interfaces

Virtual Template Interface Service Overview

Features that Apply Virtual Template Interfaces

Selective Virtual Access Interface Creation

How to Configure a Virtual Template Interface

Monitoring and Maintaining a Virtual Access Interface

Configuration Examples for Virtual Template Interface

Basic PPP Virtual Template Interface

Virtual Template Interface

Selective Virtual Access Interface

RADIUS Per-User and Virtual Profiles

TACACS+ Per-User and Virtual Profiles

Configuring Virtual Template Interfaces

Feature History

Release

Modification

Cisco IOS

For information about feature support in Cisco IOS software, use Cisco Feature Navigator.

Cisco IOS XE Release 2.1

This feature was introduced on Cisco ASR 1000 Series Routers.

This chapter describes how to configure virtual template interfaces. It includes the following main sections:

•Virtual Template Interface Service Overview

•How to Configure a Virtual Template Interface

•Monitoring and Maintaining a Virtual Access Interface

•Configuration Examples for Virtual Template Interface

The following template and virtual interface limitations apply:

•Although a system can generally support many virtual template interfaces, one template for each virtual access application is a more realistic limit.

•When in use, each virtual access interface cloned from a template requires the same amount of memory as a serial interface. Limits to the number of virtual access interfaces that can be configured are determined by the platform.

•When you want to re-use a virtual template, its type cannot be used. It is recommended to create a template with the required type.

•Virtual access interfaces are not directly configurable by users, except by configuring a virtual template interface or including the configuration information of the user (through virtual profiles or per-user configuration) on an authentication, authorization, and accounting (AAA) server. However, information about an in-use virtual access interface can be displayed, and the virtual access interface can be cleared.

•Virtual interface templates provide no direct value to users; they must be applied to or associated with a virtual access feature using a command with the virtual-template keyword.

For example, the interface virtual-template command creates the virtual template interface and the multilink virtual-template command applies the virtual template to a multilink stack group. The virtual-profile virtual-template command specifies that a virtual template interface will be used as a source of configuration information for virtual profiles.

To identify the hardware platform or software image information associated with a feature, use the Feature Navigator on Cisco.com to search for information about the feature or refer to the software release notes for a specific release. For more information, see the "Identifying Supported Platforms" section in the "Using Cisco IOS Software" chapter.

For a complete description of the virtual template interface commands mentioned in this chapter, refer to the Cisco IOS Dial Technologies Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.

Virtual Template Interface Service Overview

The Virtual Template Interface Service feature provides a generic service that can be used to apply predefined interface configurations (virtual template interfaces) in creating and freeing virtual access interfaces dynamically, as needed.

Virtual template interfaces can be configured independently of any physical interface and applied dynamically, as needed, to create virtual access interfaces. When a user dials in, a predefined configuration template is used to configure a virtual access interface; when the user is done, the virtual access interface goes down and the resources are freed for other dial-in uses.

A virtual template interface is a logical entity—a configuration for a serial interface but not tied to a physical interface—that can be applied dynamically as needed. Virtual access interfaces are virtual interfaces that are created, configured dynamically (for example, by cloning a virtual template interface), used, and then freed when no longer needed.

Virtual template interfaces are one possible source of configuration information for a virtual access interface.

Each virtual access interface can clone from only one template. But some applications can take configuration information from multiple sources; for example, virtual profiles can take configuration information from a virtual template interface, or from interface-specific configuration information stored from a user on a AAA server, or from network protocol configuration from a user stored on a AAA server, or all three. The result of using template and AAA configuration sources is a virtual access interface uniquely configured for a specific dial-in user.

Figure 1 illustrates that a router can create a virtual access interface by first using the information from a virtual template interface (if any is defined for the application) and then using the information in a per-user configuration (if AAA is configured on the router and virtual profiles or per-user configuration or both are defined for the specific user).

Figure 1 Possible Configuration Sources for Virtual Access Interfaces

The virtual template interface service is intended primarily for customers with large numbers of dial-in users and provides the following benefits:

•For easier maintenance, allows customized configurations to be predefined and then applied dynamically when the specific need arises.

•For scalability, allows interface configuration to be separated from physical interfaces. Virtual interfaces can share characteristics, no matter what specific type of interface the user called on.

•For consistency and configuration ease, allows the same predefined template to be used for all users dialing in for a specific application.

•For efficient router operation, frees the virtual access interface memory for another dial-in use when the call from the user ends.

Features that Apply Virtual Template Interfaces

The following features apply virtual template interfaces to create virtual access interfaces dynamically:

•Virtual profiles

•Virtual Private Dialup Networks (VPDN)

•Multilink PPP (MLP)

•Multichassis Multilink PPP (MMP)

•Virtual templates for protocol translation

•PPP over ATM

Virtual templates are supported on all platforms that support these features.

To create and configure a virtual template interface, compete the tasks in this chapter. To apply a virtual template interface, refer to the specific feature that applies the virtual template interface.

All prerequisites depend on the feature that is applying a virtual template interface to create a virtual access interface. Virtual template interfaces themselves have no other prerequisites.

The order in which you create virtual template interfaces and virtual profiles and configure the features that use the templates and profiles is not important. They must exist, however, before someone calling in can use them.

Selective Virtual Access Interface Creation

Optionally, you can configure a router to automatically determine whether to create a virtual access interface for each inbound connection. In particular, a call that is received on a physical asynchronous interface that uses a AAA per-user configuration can now be processed without a virtual access interface being created by a router that is also configured for virtual profiles.

The following three criteria determine whether a virtual access interface is created:

•Is there a virtual profile AAA configuration?

•Is there a AAA per-user configuration?

•Does the link interface support direct per-user AAA?

A virtual access interface will be created in the following scenarios:

•If there is a virtual profile AAA configuration.

•If there is not a virtual profile AAA configuration, but there is a AAA per-user configuration and the link interface does not support direct per-user AAA (such as ISDN).

A virtual access interface will not be created in the following scenarios:

•If there is neither a virtual profile AAA configuration nor a AAA per-user configuration.

•If there is not a virtual profile AAA configuration, but there is a AAA per-user configuration and the link interface does support direct per-user AAA (such as asynchronous).

How to Configure a Virtual Template Interface

To create and configure a virtual template interface, use the following commands beginning in global configuration mode:

Command

Purpose

Step 1

Router(config)# interface virtual-template number

Creates a virtual template interface and enters interface configuration mode.

Step 2

Router(config-if)# ip unnumbered ethernet 0

Enables IP without assigning a specific IP address on the LAN.

Step 3

Router(config-if)# encapsulation ppp

Enables PPP encapsulation on the virtual template Interface.

Step 4

Router(config-if)# virtual-profile if-needed

(Optional) Creates virtual-access interfaces only if the inbound connection requires one.

Note Configuring the ip address command within a virtual template is not recommended. Configuring a specific IP address in a virtual template can result in the establishment of erroneous routes and the loss of IP packets.

Optionally, other PPP configuration commands can be added to the virtual template configuration. For example, you can add the ppp authentication chap command.

All configuration commands that apply to serial interfaces can also be applied to virtual template interfaces, except shutdown and dialer commands.

For virtual template interface examples, see the "Configuration Examples for Virtual Template Interface" section later in this chapter.

Monitoring and Maintaining a Virtual Access Interface

When a virtual template interface or a configuration from a user on a AAA server or both are applied dynamically, a virtual access interface is created. Although a virtual access interface cannot be created and configured directly, it can be displayed and cleared.

To display or clear a specific virtual access interface, use the following commands in EXEC mode:

Command

Purpose

Router> show interfaces virtual-access number

Displays the configuration of the virtual access interface.

Router> clear interface virtual-access number

Tears down the virtual access interface and frees the memory for other dial-in uses.

Configuration Examples for Virtual Template Interface

The following sections provide virtual template interface configuration examples:

•Basic PPP Virtual Template Interface

•Virtual Template Interface

•Selective Virtual Access Interface

•RADIUS Per-User and Virtual Profiles

•TACACS+ Per-User and Virtual Profiles

Basic PPP Virtual Template Interface

The following example enables virtual profiles (configured only by virtual template) on straightforward PPP (no MLP), and configures a virtual template interface that can be cloned on a virtual access interface for dial-in users:
virtual-profile virtual-template 1
interface virtual-template 1
 ip unnumbered ethernet 0
 encapsulation ppp
 ppp authentication chap
Virtual Template Interface

The following two examples configure a virtual template interface and then display the configuration of a virtual access interface when the template interface has been applied.

This example uses a named Internet Protocol Exchange (IPX) access list:
Router(config)# interface virtual-template 1
 ip unnumbered Ethernet0
 ipx ppp-client Loopback2
 no cdp enable
 ppp authentication chap
This example displays the configuration of the active virtual access interface that was configured by virtual-template 1, defined in the preceding example:

Note Effective with Cisco Release 12.4(11)T, the L2F protocol was removed in Cisco IOS software.
Router# show interfaces virtual-access 1 configuration 
Virtual-Access1 is a L2F link interface
interface Virtual-Access1 configuration...
ip unnumbered Ethernet0
ipx ppp-client Loopback2
no cdp enable
ppp authentication chap
Selective Virtual Access Interface

The following example shows how to create a virtual access interface for incoming calls that require a virtual access interface:
aaa new-model
aaa authentication ppp default local radius tacacs
aaa authorization network default local radius tacacs
virtual-profile if-needed
virtual-profile virtual-template 1
virtual-profile aaa
!
interface Virtual-Template1
 ip unnumbered Ethernet 0
 no ip directed-broadcast
 no keepalive
 ppp authentication chap
 ppp multilink
RADIUS Per-User and Virtual Profiles

The following examples show RADIUS user profiles that could be used for selective virtual access interface creation.

This example shows AAA per-user configuration for a RADIUS user profile:
RADIUS user profile:
        foo     Password = "test"
                 User-Service-Type = Framed-User,
                 Framed-Protocol = PPP,
                cisco-avpair = "ip:inacl#1=deny 10.10.10.10 0.0.0.0",
                cisco-avpair = "ip:inacl#1=permit any"
This example shows a virtual profile AAA configuration for a RADIUS user profile:
RADIUS user profile:
       foo  Password = "test"
            User-Service-Type = Framed-User,
            Framed-Protocol = PPP,
          cisco-avpair = "lcp:interface-config=keepalive 30\nppp max-bad-auth 4"
TACACS+ Per-User and Virtual Profiles

The following examples show TACACS+ user profiles that could be used for selective virtual access interface creation.

This example shows AAA per-user configuration for a TACACS+ user profile:
user = foo {
                name = "foo"
                global = cleartext test
                service = PPP protocol= ip {
                        inacl#1="deny 10.10.10.10 0.0.0.0"
                        inacl#1="permit any"
                }
        }
This example shows a virtual profile AAA configuration for a TACACS+ user profile:
TACACS+ user profile:
        user = foo {
                name = "foo"
                global = cleartext test
                service = PPP protocol= lcp {
                        interface-config="keepalive 30\nppp max-bad-auth 4"
                }
                service = ppp protocol = ip {
                }
        }
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)

.Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2007-2009 Cisco Systems, Inc. All rights reserved.