CPE, LAC, LNS and BRAS with Cisco ISE
Let's install a small ISP :) For this, I will use the EVE-NG emulator and Cisco 7206VXR routers. ISPs use a BRAS to authenticate CPE devices. BRAS means Broadband Remote Access Server; it is an essential part of the broadband topology because it controls subscriber access. BRAS is also called BNG (Broadband Network Gateway).
Some of the BNG's functions are:
• Authentication, Authorization, and Accounting of subscriber sessions
• Address assignment
• Security
• Policy management
• Quality of Service (QoS)
In this topology I will only authenticate the CPE and assign it an address over MPLS. I create a VRF to place CPEs in different domains. We need an L2 tunnel to transport the PPPoE packets to the BNG over MPLS.
What type of tunnel do we need? We need L2TP. L2TP does not by itself provide any encryption or confidentiality of content: it provides a Layer 2 tunnel, and that tunnel may be encrypted by carrying it over a Layer 3 encryption protocol such as IPsec.
LAC and LNS are components of the broadband topology; the L2TP tunnel is created between the LAC and the LNS.
The LAC receives packets from a remote client and forwards them to an L2TP Network Server (LNS) on a remote network.
The LNS is the termination point for the PPP sessions coming from the remote client. For more detailed information you can look at this link.
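To make the tunnel mechanics concrete, here is an added Python example (not from the post, and not Cisco code) that encodes and decodes L2TP control and data messages as laid out in RFC 2661: an SCCRQ from the LAC carrying a tunnel-authentication challenge, the SCCRP from the LNS answering it with the CHAP-style MD5 response derived from the shared `l2tp tunnel password` (`networktcpip` in the configs below), and a data message showing that the PPP payload, including the CHAP peer name, rides in the clear. The challenge bytes, tunnel IDs and the PPP frame are constructed for the example.

```python
import hashlib
import hmac
import struct

# L2TP control message types (RFC 2661, section 3.2)
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "Hello",
                 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}
# AVP attribute types used below (RFC 2661, section 4.4)
ATTR_MESSAGE_TYPE, ATTR_PROTOCOL_VERSION, ATTR_HOST_NAME = 0, 2, 7
ATTR_ASSIGNED_TUNNEL_ID, ATTR_CHALLENGE, ATTR_CHALLENGE_RESPONSE = 9, 11, 13

TUNNEL_SECRET = b"networktcpip"   # the "l2tp tunnel password" shared by the LAC and LNS configs


def build_avp(attr_type, value, mandatory=True):
    """One AVP: M/H bits + 10-bit overall length, vendor ID 0 (IETF), attribute type, value."""
    length = 6 + len(value)
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, 0, attr_type) + value


def build_control_message(tunnel_id, session_id, ns, nr, avps):
    """Control header: T=1, L=1, S=1, Ver=2, then Length, Tunnel ID, Session ID, Ns, Nr."""
    body = b"".join(avps)
    flags = 0x8000 | 0x4000 | 0x0800 | 2
    return struct.pack("!HHHHHH", flags, 12 + len(body), tunnel_id, session_id, ns, nr) + body


def build_data_message(tunnel_id, session_id, ppp_frame):
    """Data message: T=0, no Length/Ns/Nr, Ver=2; the PPP frame follows unencrypted."""
    return struct.pack("!HHH", 2, tunnel_id, session_id) + ppp_frame


def parse_l2tp(packet):
    """Decode the L2TP header; for control messages also decode the AVP list."""
    flags = struct.unpack("!H", packet[:2])[0]
    info = {"control": bool(flags & 0x8000), "version": flags & 0x000F}
    off = 2
    if flags & 0x4000:                      # L bit: Length field present
        info["length"] = struct.unpack("!H", packet[off:off + 2])[0]
        off += 2
    info["tunnel_id"], info["session_id"] = struct.unpack("!HH", packet[off:off + 4])
    off += 4
    if flags & 0x0800:                      # S bit: Ns/Nr present
        info["ns"], info["nr"] = struct.unpack("!HH", packet[off:off + 4])
        off += 4
    if flags & 0x0200:                      # O bit: Offset Size and padding present
        off += 2 + struct.unpack("!H", packet[off:off + 2])[0]
    if not info["control"]:
        info["payload"] = packet[off:]      # data message: the PPP frame, readable as-is
        return info
    avps = {}
    while off < len(packet):
        flags_len, _vendor, attr_type = struct.unpack("!HHH", packet[off:off + 6])
        length = flags_len & 0x03FF
        avps[attr_type] = packet[off + 6:off + length]
        off += length
    info["avps"] = avps
    info["message_type"] = MESSAGE_TYPES.get(struct.unpack("!H", avps[ATTR_MESSAGE_TYPE])[0])
    return info


def tunnel_auth_response(message_type, secret, challenge):
    """CHAP-style tunnel authentication (RFC 2661 5.1.1): MD5(message-type byte || secret || challenge)."""
    return hashlib.md5(bytes([message_type]) + secret + challenge).digest()


def verify_tunnel_response(message_type, secret, challenge, response):
    return hmac.compare_digest(tunnel_auth_response(message_type, secret, challenge), response)


def example_exchange(lns_secret=TUNNEL_SECRET):
    """SCCRQ from the LAC with a challenge, SCCRP from the LNS answering it, then a data message."""
    challenge = bytes(range(16))            # constructed; a real LAC uses random bytes
    sccrq = build_control_message(0, 0, 0, 0, [
        build_avp(ATTR_MESSAGE_TYPE, struct.pack("!H", 1)),
        build_avp(ATTR_PROTOCOL_VERSION, b"\x01\x00"),
        build_avp(ATTR_HOST_NAME, b"LAC"),  # what "terminate-from hostname LAC" on the LNS checks
        build_avp(ATTR_ASSIGNED_TUNNEL_ID, struct.pack("!H", 7)),
        build_avp(ATTR_CHALLENGE, challenge),
    ])
    req = parse_l2tp(sccrq)
    peer_tunnel = struct.unpack("!H", req["avps"][ATTR_ASSIGNED_TUNNEL_ID])[0]
    # The LNS answers in its SCCRP; the ID byte in the hash is the SCCRP message type (2)
    sccrp = build_control_message(peer_tunnel, 0, 0, 1, [
        build_avp(ATTR_MESSAGE_TYPE, struct.pack("!H", 2)),
        build_avp(ATTR_HOST_NAME, b"LNS"),
        build_avp(ATTR_ASSIGNED_TUNNEL_ID, struct.pack("!H", 3)),
        build_avp(ATTR_CHALLENGE_RESPONSE,
                  tunnel_auth_response(2, lns_secret, req["avps"][ATTR_CHALLENGE])),
    ])
    rep = parse_l2tp(sccrp)
    tunnel_ok = verify_tunnel_response(2, TUNNEL_SECRET, challenge, rep["avps"][ATTR_CHALLENGE_RESPONSE])
    # Once a session is up, PPP frames ride in data messages with no encryption at all:
    # constructed PPP CHAP Response (protocol 0xc223) naming the CPE user
    ppp_chap = b"\xff\x03\xc2\x23" + b"\x02\x01\x00\x2b\x10" + bytes(16) + b"cpe-a@networktcpip.com"
    data = parse_l2tp(build_data_message(7, 1, ppp_chap))
    return req, rep, tunnel_ok, data
```

Two things worth noticing when running it: a wrong tunnel password on either side makes `tunnel_ok` false, which is what `show vpdn` failures after a mistyped `l2tp tunnel password` look like, and the data message's `payload` contains the subscriber name verbatim, which is why L2TP between a LAC and an LNS that are not on a trusted core is normally wrapped in IPsec.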
My goal is to use Cisco ISE as the BRAS RADIUS server with a basic configuration. This post gives you a perspective on the service provider CPE structure.
Lab equipment;
EVE-ng emulator
P : 7206VXR
PE : 7206VXR
LAC : 7206VXR
LNS : 7206VXR
ISE : 2.6.0.156
CPE : I86BI_LINUX-ADVENTERPRISEK9-M
Also, you can find the full config and EVE-NG topology file at the bottom of the post.
LAC-A configuration:
hostname LAC-A
ip cef
!
vpdn enable
!
! L2TP access concentrator: PPPoE sessions whose username ends in
! networktcpip.com are tunnelled to the LNS at 10.10.10.10
vpdn-group LAC
 request-dialin
  protocol l2tp
  domain networktcpip.com
 initiate-to ip 10.10.10.10
 source-ip 10.20.20.253
 local name LAC
 l2tp tunnel password 0 networktcpip
!
! PPPoE server group bound to the virtual template
bba-group pppoe networktcpip
 virtual-template 1
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface Ethernet1/0
 ip address 10.20.20.253 255.255.255.0
 ip ospf 2 area 0
 duplex full
!
! Subscriber-facing port: PPPoE discovery is answered here
interface Ethernet1/1
 no ip address
 duplex full
 pppoe enable group networktcpip
!
interface Virtual-Template1
 description pppoe networktcpip
 no ip address
 ip mtu 1400
 ip tcp adjust-mss 1320
 no peer default ip address
 ppp mtu adaptive
 ppp authentication chap
!
router ospf 2
!
end
LNS configuration:
hostname BRAS-LNS
!
aaa new-model
! PPP authentication and network authorization are sent to ISE over RADIUS
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa authorization subscriber-service default local group radius
aaa accounting delay-start
aaa accounting update periodic 10
aaa accounting network default
 action-type start-stop
 group radius
aaa nas port extended
! Accept CoA / disconnect requests from ISE
aaa server radius dynamic-author
 client 10.10.10.100 server-key cisco123
 auth-type any
aaa session-id unique
!
ip domain name elma.com
ip name-server 10.10.10.200
ip cef
no ipv6 cef
!
vpdn enable
!
! L2TP network server: accept tunnels from the LAC and terminate PPP on Virtual-Template1
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname LAC
 local name LNS
 l2tp tunnel password 0 networktcpip
!
! Bandwidth policy-maps; the ISE authorization profile selects one per subscriber
policy-map Unlimited
policy-map 1024
 class class-default
  police 1024000
policy-map 128
 class class-default
  police 128000
policy-map 64
 class class-default
  police 64000
policy-map 2048
 class class-default
  police 2048000
policy-map 8192
 class class-default
  police 8192000
!
interface Loopback0
 ip address 5.5.5.5 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.10.10.10 255.255.255.0
 ip ospf 2 area 0
 duplex full
!
interface FastEthernet1/0
 ip address 192.168.28.141 255.255.255.0
 duplex full
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1320
 peer default ip address pool default
 ppp mtu adaptive
 ppp authentication chap
!
router ospf 2
!
! Address pools handed out to CPE sessions
ip local pool default 192.168.28.240 192.168.28.245
ip local pool default2 192.168.28.230 192.168.28.235
ip nat inside source list 1 interface FastEthernet1/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.28.2
access-list 1 permit 10.1.1.0 0.0.0.255
!
! ISE as the RADIUS server
radius server default
 address ipv4 10.10.10.100 auth-port 1812 acct-port 1813
 key cisco123
!
end
CPE-A configuration:
hostname CPE-A
!
! DHCP for the LAN behind the CPE
ip dhcp pool CLIENT
 network 10.200.56.0 255.255.255.0
 default-router 10.200.56.254
 dns-server 8.8.8.8
!
ip cef
!
! WAN side: PPPoE client bound to dialer pool 1
interface Ethernet0/0
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Ethernet0/1
 ip address 10.200.56.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
! PPP session; the CHAP username carries the domain the LAC keys its tunnel on
interface Dialer0
 ip address negotiated
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1320
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname cpe-a@networktcpip.com
 ppp chap password 0 *********
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 permit 10.200.56.0 0.0.0.255
!
end
ISE configuration:
Let's come to the most important part of this post :) First, we will create a username and password for the CPE in the ISE internal database.
Work Center > Device Administration > Identities > Add
The CPE uses the PPP CHAP authentication type. If you wish, you can change the authentication type to PAP.
Now we have to write a policy for authentication and authorization.
The ISE default Allowed Protocols entry does not include CHAP, so we have to create another Allowed Protocols entry.
Policy rule:
Policy > Policy Sets > click +
1. I created a rule called Bras.
2. Then click the condition. I added some conditions to the Bras policy:
Framed-Protocol: PPP
NAS-Port-Type: Virtual
You can make it more specific if you want; that's enough for my sample.
3. Select PPPOE, the Allowed Protocols entry created before, as the Allowed Protocol.
4. Click > to add the authorization rule.
Authorization rules:
Authorization condition rule:
I want to assign a bandwidth-limitation policy to user1, "cpe-a@networktcpip.com"; for this I have to create an authorization profile.
After creating the authorization profile, the Bras policy is complete.
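Added Python example, not part of the post and not ISE or IOS code: a toy RADIUS exchange modelling what the steps above configure. The LNS sends an Access-Request carrying the CHAP-Password/CHAP-Challenge pair, Framed-Protocol=PPP and NAS-Port-Type=Virtual; the server applies the Bras policy-set conditions, verifies the CHAP response against a constructed internal user store, and returns an Access-Accept whose Response Authenticator the NAS checks with the shared key `cisco123` from the LNS config. The user's password, and the use of a Cisco-AVPair `lcp:interface-config=service-policy output 1024` to carry the policy-map name, are assumptions; the post does not show what its authorization profile returns.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute numbers (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, FRAMED_PROTOCOL = 1, 3, 4, 7
VENDOR_SPECIFIC, CHAP_CHALLENGE, NAS_PORT_TYPE = 26, 60, 61
FRAMED_PROTOCOL_PPP, NAS_PORT_TYPE_VIRTUAL = 1, 5
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

SHARED_SECRET = b"cisco123"   # "key cisco123" from the LNS radius server block

# Constructed stand-in for the ISE internal identity store; the password is made up
USERS = {b"cpe-a@networktcpip.com": {"password": b"ExamplePass1", "policy": b"1024"}}


def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific attribute carrying a Cisco-AVPair (vendor 9, sub-attribute 1)."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, off = [], 20
    while off < length:
        atype, alen = pkt[off], pkt[off + 1]
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": attrs}


def get(attrs, atype):
    return next((v for t, v in attrs if t == atype), None)


def chap_response(ident, password, challenge):
    """CHAP (RFC 1994): MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def nas_access_request(username, password, chap_id, challenge, port_type=NAS_PORT_TYPE_VIRTUAL):
    """What the LNS sends to ISE after the CPE answered the PPP CHAP challenge."""
    return build_packet(ACCESS_REQUEST, 42, os.urandom(16), [
        attr(USER_NAME, username),
        attr(CHAP_PASSWORD, bytes([chap_id]) + chap_response(chap_id, password, challenge)),
        attr(CHAP_CHALLENGE, challenge),
        attr(NAS_IP_ADDRESS, bytes([10, 10, 10, 10])),
        attr(FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP)),
        attr(NAS_PORT_TYPE, struct.pack("!I", port_type)),
    ])


def policy_set_matches(attrs):
    """The Bras policy-set conditions from the post: Framed-Protocol=PPP and NAS-Port-Type=Virtual."""
    return (get(attrs, FRAMED_PROTOCOL) == struct.pack("!I", FRAMED_PROTOCOL_PPP)
            and get(attrs, NAS_PORT_TYPE) == struct.pack("!I", NAS_PORT_TYPE_VIRTUAL))


def signed_response(code, ident, request_auth, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + SHARED_SECRET).digest() + body


def server_handle(pkt):
    """Toy ISE: policy-set match, CHAP check against the internal store, authorization profile."""
    req = parse_packet(pkt)
    attrs = req["attrs"]

    def reject():
        return signed_response(ACCESS_REJECT, req["id"], req["authenticator"], [])

    if req["code"] != ACCESS_REQUEST or not policy_set_matches(attrs):
        return reject()
    user, chap = USERS.get(get(attrs, USER_NAME)), get(attrs, CHAP_PASSWORD)
    # If CHAP-Challenge is absent, the Request Authenticator is the challenge (RFC 2865 5.3)
    challenge = get(attrs, CHAP_CHALLENGE) or req["authenticator"]
    if user is None or chap is None or not hmac.compare_digest(
            chap[1:], chap_response(chap[0], user["password"], challenge)):
        return reject()
    # Assumed authorization profile: push the policy-map name via a Cisco-AVPair
    return signed_response(ACCESS_ACCEPT, req["id"], req["authenticator"],
                           [cisco_avpair(b"lcp:interface-config=service-policy output " + user["policy"])])


def nas_verify_response(request_pkt, response_pkt):
    """The NAS recomputes the Response Authenticator before trusting an Accept or Reject."""
    expected = hashlib.md5(response_pkt[:4] + request_pkt[4:20] + response_pkt[20:] + SHARED_SECRET).digest()
    return hmac.compare_digest(expected, response_pkt[4:20])


def run(password=b"ExamplePass1", port_type=NAS_PORT_TYPE_VIRTUAL):
    """Returns (response code, authenticator valid, list of Cisco-AVPair strings)."""
    request = nas_access_request(b"cpe-a@networktcpip.com", password, 1, os.urandom(16), port_type)
    response = server_handle(request)
    parsed = parse_packet(response)
    avpairs = [v[6:].decode() for t, v in parsed["attrs"] if t == VENDOR_SPECIFIC]
    return parsed["code"], nas_verify_response(request, response), avpairs
```

Two practical points the model makes visible: CHAP verification recomputes MD5 over the stored password, so the server must hold the subscriber password in recoverable form (which is why the CPE account lives in the ISE internal store here, and why switching the CPE to PAP is a choice about where the password travels in clear rather than about server-side storage), and the policy-set match on NAS-Port-Type=Virtual is what keeps a request that arrives with, say, an Ethernet port type from ever reaching the CHAP step.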
Troubleshooting:
We see the tunnel on the LAC and LNS.
LNS:
LAC:
CPE:
The IP address is assigned to Dialer0 from the pool.
Check the debug log on BRAS-LNS to see the assigned IP and policy map.
The assigned IP:
The assigned policy map:
Check the ISE log:
SpeedTest result on the Linux client:
As you can see, the CPE is working properly.
Thanks for Reading.
Hi, do you have the switch and DNS configs please?
This is a very great lab and thank you very much for sharing!
Great lab Celal, thanks for detailed explanations.
great lab and explanations
Very sexy lab mate, Uldis from EVE-NG