VPN access to PE routers

From: Marcin Zgola <MZgola_at_netrixllc.com>
Date: Fri, 29 Oct 2010 15:18:24 +0000

I have set up VPN access to PE routers to manage different VRFs, and it works
great. Here is my question.

I have to have one isakmp profile per VRF, and with 3 VRFs it is pretty
straightforward, but what if the number of VRFs increases? Can I have VRF
assignment controlled by the ACS server?

Part of my config which works:

I need "vrf N-IPT" to be sent from ACS as a RADIUS attribute. Let's say I would
have different usernames that will have access to different VRFs. When the Cisco
VPN client connects, based on the username entered, different VRF access will
be granted.

Any ideas???

crypto isakmp profile N-IPT-VPN
   vrf N-IPT
   self-identity address
   match identity group N-IPT-VPN
   match identity group N-IPT-MGMT
   client authentication list VPN-N-IPT
   isakmp authorization list VPN-N-IPT
   client configuration address initiate
   client configuration address respond
   keepalive 10 retry 3
   local-address Loopback0

Marcin Zgola
Internetwork Lead
CCIE #18676
Netrix, LLC
http://www.netrixllc.com
Ph. 847-964-5300
Fax.: 847-964-5350

Received on Fri Oct 29 2010 - 15:18:24 ART