CPE, LAC, LNS and BRAS with Cisco ISE
Let's install a small ISP :) For this I will use the Eve-ng emulator and Cisco 7206VXR images. ISPs use a BRAS to authenticate CPE devices. BRAS stands for Broadband Remote Access Server; it is an essential part of the broadband topology and controls subscriber access. A BRAS is also called a BNG (Broadband Network Gateway).
Some of the BNG's functions:
•Authentication, Authorization and Accounting (AAA) of subscriber sessions
•Quality of Service (QoS)
In this topology I will only authenticate the CPE and assign it an address over MPLS. I create a VRF to place CPEs in different domains. We need a Layer 2 tunnel to transport the PPPoE session to the BNG over MPLS.
What type of tunnel do we need? L2TP. L2TP provides no encryption or confidentiality by itself: it carries Layer 2 (PPP) frames over IP, and the tunnel password only authenticates the two endpoints at tunnel setup. If the content must be protected, the tunnel can be run over a Layer 3 encryption protocol such as IPsec (L2TP/IPsec).
The LAC and LNS are components of the broadband topology; the L2TP tunnel is created between them.
The LAC receives PPP frames from the remote client and forwards them to the L2TP Network Server (LNS) on a remote network.
The LNS is the termination point of the PPP session from the remote client. For more detailed information you can look at this link.
My goal is to use Cisco ISE as the BRAS RADIUS server with a basic configuration. This post gives you a perspective on the service provider CPE structure.
P : 7206VXR
PE : 7206VXR
LAC : 7206VXR
LNS : 7206VXR
ISE : 10.10.10.100 (the RADIUS server address used in the BRAS-LNS configuration)
CPE : I86BI_LINUX-ADVENTERPRISEK9-M
Also, you can find the full configs and the Eve-ng topology file at the bottom of the post.
hostname LAC-A
!
ip cef
!
vpdn enable
!
vpdn-group LAC
 request-dialin
  protocol l2tp
  domain networktcpip.com
 initiate-to ip 10.10.10.10
 source-ip 10.20.20.253
 local name LAC
 l2tp tunnel password 0 networktcpip
!
bba-group pppoe networktcpip
 virtual-template 1
!
interface Loopback0
 ip address 184.108.40.206 255.255.255.255
!
interface Ethernet1/0
 ip address 10.20.20.253 255.255.255.0
 ip ospf 2 area 0
 duplex full
!
interface Ethernet1/1
 no ip address
 duplex full
 pppoe enable group networktcpip
!
interface Virtual-Template1
 description pppoe networktcpip
 no ip address
 ip mtu 1400
 ip tcp adjust-mss 1320
 no peer default ip address
 ppp mtu adaptive
 ppp authentication chap
!
router ospf 2
!
end
hostname BRAS-LNS
!
aaa new-model
!
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa authorization subscriber-service default local group radius
aaa accounting delay-start
aaa accounting update periodic 10
aaa accounting network default
 action-type start-stop
 group radius
!
aaa nas port extended
!
aaa server radius dynamic-author
 client 10.10.10.100 server-key cisco123
 auth-type any
!
aaa session-id unique
!
ip domain name elma.com
ip name-server 10.10.10.200
ip cef
no ipv6 cef
!
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname LAC
 local name LNS
 l2tp tunnel password 0 networktcpip
!
policy-map Unlimited
policy-map 1024
 class class-default
  police 1024000
policy-map 128
 class class-default
  police 128000
policy-map 64
 class class-default
  police 64000
policy-map 2048
 class class-default
  police 2048000
policy-map 8192
 class class-default
  police 8192000
!
interface Loopback0
 ip address 220.127.116.11 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.10.10.10 255.255.255.0
 ip ospf 2 area 0
 duplex full
!
interface FastEthernet1/0
 ip address 192.168.28.141 255.255.255.0
 duplex full
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1320
 peer default ip address pool default
 ppp mtu adaptive
 ppp authentication chap
!
router ospf 2
!
ip local pool default 192.168.28.240 192.168.28.245
ip local pool default2 192.168.28.230 192.168.28.235
ip nat inside source list 1 interface FastEthernet1/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.28.2
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
radius server default
 address ipv4 10.10.10.100 auth-port 1812 acct-port 1813
 key cisco123
!
end
hostname CPE-A
!
ip dhcp pool CLIENT
 network 10.200.56.0 255.255.255.0
 default-router 10.200.56.254
 dns-server 18.104.22.168
!
ip cef
!
interface Ethernet0/0
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Ethernet0/1
 ip address 10.200.56.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 ip address negotiated
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1320
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname user1@networktcpip.com
 ppp chap password 0 *********
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 10.200.56.0 0.0.0.255
!
end
Let's come to the most important part of this post :) First we create a username and password for the CPE in the ISE internal user database.
Work Centers > Device Administration > Identities > Add
The CPE uses PPP CHAP authentication. You can change the authentication type to PAP if you wish, but note the difference: PAP sends the password in cleartext inside the PPP frame, which then crosses the core unencrypted inside L2TP, while CHAP sends only an MD5 hash of a challenge and the password. CHAP in turn requires the server (here ISE) to hold the user's cleartext password so that it can recompute the hash.
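The following is an added example, not code from the original post, showing in Python what the two CHAP-style secrets in the configs above actually protect: the PPP CHAP exchange (RFC 1994) that the CPE answers and that BRAS-LNS relays to ISE in a RADIUS Access-Request (RFC 2865), and the L2TP tunnel authentication (RFC 2661, section 5.1.1) that "l2tp tunnel password" drives between LAC and LNS, with a PAP Authenticate-Request (RFC 1334) for contrast. The subscriber name user1@networktcpip.com, the password, the challenge bytes and the user database are constructed for the example; the tunnel password "networktcpip" is the lab's own. Nothing here talks to a real router or to ISE.

```python
"""Added example (not from the original post): what the two CHAP-style secrets in
the lab configs protect.
 - PPP CHAP (RFC 1994): the CPE sends MD5(Identifier || secret || Challenge), never
   "ppp chap password" itself; the verifier (ISE) needs the cleartext password.
 - L2TP tunnel auth (RFC 2661 s5.1.1): "l2tp tunnel password" is hashed the same way
   with the control-message type as identifier; it authenticates LAC/LNS, encrypts nothing.
 - PAP (RFC 1334) sends the password in clear, shown for contrast.
The user domain is the lab's (networktcpip.com); password, challenges and user DB are constructed."""
import hashlib
import hmac
import os

# ---- PPP CHAP (RFC 1994, section 4.1) ----
def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_verify(ident: int, challenge: bytes, response: bytes, secret: bytes) -> bool:
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)

# ---- PAP (RFC 1334, section 2.2.1), for contrast ----
def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """Authenticate-Request: Code 1, Identifier, Length, then Peer-ID and Password in clear."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return bytes([1, ident]) + (4 + len(body)).to_bytes(2, "big") + body

# ---- How BRAS-LNS relays CHAP to RADIUS and how ISE checks it (RFC 2865) ----
ACCESS_REQUEST = 1
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60   # RADIUS attribute types

def encode_attrs(attrs) -> bytes:
    """Attribute TLVs: Type (1 byte), Length (1 byte, includes header), Value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return out

def decode_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_chap_access_request(pkt_id, req_auth, username, ident, challenge, response) -> bytes:
    """Access-Request as the LNS sends it to 10.10.10.100: CHAP-Password = CHAP Ident || Response."""
    attrs = encode_attrs([(USER_NAME, username.encode()),
                          (CHAP_PASSWORD, bytes([ident]) + response),
                          (CHAP_CHALLENGE, challenge)])
    return bytes([ACCESS_REQUEST, pkt_id]) + (20 + len(attrs)).to_bytes(2, "big") + req_auth + attrs

def radius_verify_chap(packet: bytes, user_db: dict) -> bool:
    """Server side: recompute the response from the stored cleartext password."""
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    attrs = dict(decode_attrs(packet[20:]))
    chap_pw = attrs.get(CHAP_PASSWORD)
    if chap_pw is None or len(chap_pw) != 17:
        return False
    # RFC 2865 s5.3: without a CHAP-Challenge attribute, the Request Authenticator is the challenge.
    challenge = attrs.get(CHAP_CHALLENGE, packet[4:20])
    secret = user_db.get(attrs.get(USER_NAME, b"").decode("utf-8", "replace"))
    return secret is not None and chap_verify(chap_pw[0], challenge, chap_pw[1:], secret.encode())

# ---- L2TP tunnel authentication (RFC 2661, section 5.1.1) ----
SCCRP, SCCCN = 2, 3   # control message types that carry a Challenge Response AVP

def l2tp_challenge_response(msg_type: int, tunnel_password: bytes, challenge: bytes) -> bytes:
    """Challenge Response = MD5(Message Type || shared secret || Challenge)."""
    return hashlib.md5(bytes([msg_type]) + tunnel_password + challenge).digest()

def l2tp_tunnel_auth(lac_password: bytes, lns_password: bytes) -> tuple:
    """SCCRQ/SCCRP/SCCCN exchange; returns (LAC accepts LNS, LNS accepts LAC)."""
    lac_challenge, lns_challenge = os.urandom(16), os.urandom(16)   # carried in SCCRQ and SCCRP
    lns_resp = l2tp_challenge_response(SCCRP, lns_password, lac_challenge)
    lac_accepts = hmac.compare_digest(lns_resp, l2tp_challenge_response(SCCRP, lac_password, lac_challenge))
    lac_resp = l2tp_challenge_response(SCCCN, lac_password, lns_challenge)   # only sent if the LAC accepted
    lns_accepts = lac_accepts and hmac.compare_digest(lac_resp, l2tp_challenge_response(SCCCN, lns_password, lns_challenge))
    return lac_accepts, lns_accepts

# Constructed subscriber: the domain the LAC tunnels (networktcpip.com), made-up password.
USER_DB = {"user1@networktcpip.com": "Constructed-Passw0rd"}

def demo(password: str = "Constructed-Passw0rd") -> tuple:
    """CPE answers the CHAP challenge, LNS relays it, ISE verifies. Returns (packet, accepted)."""
    username, ident = "user1@networktcpip.com", 0x2A
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
    response = chap_response(ident, password.encode(), challenge)
    pkt = build_chap_access_request(7, os.urandom(16), username, ident, challenge, response)
    return pkt, radius_verify_chap(pkt, USER_DB)

if __name__ == "__main__":
    pkt, ok = demo()
    print("CHAP accepted:", ok, "| cleartext password in RADIUS packet:", b"Constructed-Passw0rd" in pkt)
    print("L2TP tunnel, matching / mismatched secrets:", l2tp_tunnel_auth(b"networktcpip", b"networktcpip"),
          l2tp_tunnel_auth(b"networktcpip", b"wrong"))
```

Running the script shows the point of the two settings: with CHAP the RADIUS packet never contains the password, only a 16-byte response, whereas the PAP request carries it verbatim; and an L2TP tunnel whose two ends have different "l2tp tunnel password" values never reaches SCCCN, which is the symptom to look for when the tunnel does not come up between LAC and LNS.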
Now we have to write a policy set for authentication and authorization.
The default ISE allowed-protocols list does not include CHAP, so we create another allowed-protocols list (I named it PPPOE) that enables it.
Policy > Policy Sets > click +
1. I created a policy set called Bras.
2. Then click the condition. I added some conditions to the Bras policy set.
You can make it more specific if you want; that is enough for my sample.
3. Select PPPOE, the allowed-protocols list created before.
4. Click > Add authorization rule.
Authorization condition rule:
I want to assign a bandwidth-limitation policy to user1 (user1@networktcpip.com); for this I have to create an authorization profile. The profile returns the name of one of the policy-maps defined on BRAS-LNS (64, 128, 1024, 2048, 8192 or Unlimited), which the LNS applies to the subscriber's session.
After creating the authorization profile, the Bras policy set is complete.
We see the tunnel on the LAC and LNS:
The IP address is assigned to Dialer0 from the pool:
Check the debug log on BRAS-LNS to see the assigned IP address and policy-map.
The assigned IP address:
The assigned policy-map:
The ISE log:
SpeedTest result on the Linux client:
As you can see, the CPE is working properly.
Thanks for Reading.