Configuring Virtual Profiles

First Published: December 15, 1997

Last Updated: November 20, 2014

A virtual profile is a unique application that can create and configure a virtual access interface dynamically when a dial-in call is received and that can tear down the interface dynamically when the call ends.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the “Feature Information for Configuring Virtual Profiles” section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for Configuring Virtual Profiles

Cisco recommends that unnumbered addresses be used in virtual template interfaces to ensure that duplicate network addresses are not created on virtual access interfaces (VAIs).

Restrictions for Configuring Virtual Profiles

The virtual-profile command was removed from Cisco IOS Release 12.2(34)SB and 12.2(33)XNE, because Cisco 10000 series routers do not support the full VAIs these releases create and configuration errors could occur.

Information About Configuring Virtual Profiles

This section provides information about virtual profiles for use with virtual access interfaces and how virtual profiles work. Virtual profiles run on all Cisco IOS platforms that support Multilink PPP (MLP). Virtual profiles interoperate with Cisco dial-on-demand routing (DDR), MLP, and dialers such as ISDN. To configure virtual profiles, you should understand the following concepts:

Virtual Profiles Overview

Virtual profiles support these encapsulation methods:

  • PPP
  • MLP
  • High-Level Data Link Control (HDLC)
  • Link Access Procedure, Balanced (LAPB)
  • X.25
  • Frame Relay

Any commands for these encapsulations that can be configured under a serial interface can be configured under a virtual profile stored in a user file on an authentication, authorization, and accounting (AAA) server and a virtual profile virtual template configured locally. The AAA server daemon downloads them as text to the network access server and is able to handle multiple download attempts.

The configuration information for a virtual profiles virtual access interface can come from a virtual template interface or from user-specific configuration stored on a AAA server, or both.

If a B interface is bound by the calling line identification (CLID) to a created virtual access interface cloned from a virtual profile or a virtual template interface, only the configuration from the virtual profile or the virtual template takes effect. The configuration on the D interface is ignored unless successful binding occurs by PPP name. Both the link and network protocols run on the virtual access interface instead of the B channel, unless the encapsulation is PPP.

Moreover, in previous releases of Cisco IOS software, downloading a profile from an AAA server and creating and cloning a virtual access interface was always done after the PPP call answer and link control protocol (LCP) up processes. The AAA download is part of authorization. But in the current release, these operations must be performed before the call is answered and the link protocol goes up. This restriction is a new AAA nonauthenticated authorization step. The virtual profile code handles multiple download attempts and identifies whether a virtual access interface was cloned from a downloaded virtual profile.

When a successful download is done through nonauthenticated authorization and the configuration on the virtual profile has encapsulation PPP and PPP authentication, authentication is negotiated as a separate step after LCP comes up.

The per-user configuration feature also uses configuration information gained from a AAA server. However, per-user configuration uses network configurations (such as access lists and route filters) downloaded during Network Control Protocol (NCP) negotiations.

Two rules govern virtual access interface configuration by virtual profiles, virtual template interfaces, and AAA configurations:

  • Each virtual access application can have at most one template to clone from but can have multiple AAA configurations to clone from (virtual profiles AAA information and AAA per-user configuration, which in turn might include configuration for multiple protocols).
  • When virtual profiles are configured by virtual template, its template has higher priority than any other virtual template.

DDR Configuration of Physical Interfaces

Virtual profiles fully interoperate with physical interfaces in the following DDR configuration states when no other virtual access interface application is configured:

  • Dialer profiles are configured for the interface—The dialer profile is used instead of the virtual profiles configuration.
  • DDR is not configured on the interface—Virtual profiles overrides the current configuration.
  • Legacy DDR is configured on the interface—Virtual profiles overrides the current configuration.

Note If a dialer interface is used (including any ISDN dialer), its configuration is used on the physical interface instead of the virtual profiles configuration.

Multilink PPP Effect on Virtual Access Interface Configuration

As shown in Table 1 , exactly how a virtual access interface will be configured depends on the following three factors:

  • Whether virtual profiles are configured by a virtual template, by AAA, by both, or by neither. In the table, these states are shown as “VP VT only,” “VP AAA only,” “VP VT and VP AAA,” and “No VP at all,” respectively.
  • The presence or absence of a dialer interface.
  • The presence or absence of MLP. The column label “MLP” is a stand-in for any virtual access feature that supports MLP and clones from a virtual template interface.

In Table 1 , “(Multilink VT)” means that a virtual template interface is cloned if one is defined for MLP or a virtual access feature that uses MLP.

 

Table 1 Virtual Profiles Configuration Cloning Sequence
Virtual Profiles Configuration
MLP
No Dialer
MLP
Dialer
No MLP
No Dialer
No MLP
Dialer

VP VT only

VP VT

VP VT

VP VT

VP VT

VP AAA only

(Multilink VT)
VP AAA

(Multilink VT)
VP AAA

VP AAA

VP AAA

VP VT and VP AAA

VP VT
VP AAA

VP VT
VP AAA

VP VT
VP AAA

VP VT
VP AAA

No VP at all

(Multilink VT)1

Dialer2

No virtual access interface is created.

No virtual access interface is created.

1.The multilink bundle virtual access interface is created and uses the default settings for MLP or the relevant virtual access feature that uses MLP.

2.The multilink bundle virtual access interface is created and cloned from the dialer interface configuration.

The order of items in any cell of the table is important. Where VP VT is shown above VP AAA, it means that first the virtual profile virtual template is cloned on the interface, and then the AAA interface configuration for the user is applied to it. The user-specific AAA interface configuration adds to the configuration and overrides any conflicting physical interface or virtual template configuration commands.

Interoperability with Other Features That Use Virtual Templates

Virtual profiles also interoperate with virtual access applications that clone a virtual template interface. Each virtual access application can have at most one template to clone from but can clone from multiple AAA configurations.

The interaction between virtual profiles and other virtual template applications is as follows:

  • If virtual profiles are enabled and a virtual template is defined for it, the virtual profile virtual template is used.
  • If virtual profiles are configured by AAA alone (no virtual template is defined for virtual profiles), the virtual template for another virtual access application (virtual private dialup networks or VPDNs, for example) can be cloned onto the virtual access interface.
  • A virtual template, if any, is cloned to a virtual access interface before the virtual profiles AAA configuration or AAA per-user configuration. AAA per-user configuration, if used, is applied last.

How Virtual Profiles Work—Four Configuration Cases

This section describes virtual profiles and the various ways that they can work with virtual template interfaces, user-specific AAA interface configuration, and MLP or another feature that requires MLP.

Virtual profiles separate configuration information into two logical parts:

  • Generic—Common configuration for dial-in users plus other router-dependent configuration. This common and router-dependent information can define a virtual template interface stored locally on the router. The generic virtual template interface is independent of and can override the configuration of the physical interface on which a user dialed in.
  • User-specific interface information—Interface configuration stored in a user file on an AAA server; for example, the authentication requirements and specific interface settings for a specific user. The settings are sent to the router in the response to the request from the router to authenticate the user, and the settings can override the generic configuration. This process is explained more in the section “Virtual Profiles Configured by AAA” later in this chapter.

These logical parts can be used separately or together. Four separate cases are possible:

Note All cases assume that AAA is configured globally on the router, that the user has configuration information in the user file on the AAA server, that PPP authentication and authorization proceed as usual, and that the AAA server sends user-specific configuration information in the authorization approval response packet to the router.

The cases also assume that AAA works as designed and that the AAA server sends configuration information for the dial-in user to the router, even when virtual profiles by virtual template are configured.

Case 1: Virtual Profiles Configured by Virtual Template

In the case of virtual profiles configured by virtual template, the software functions as follows:

  • If the physical interface is configured for dialer profiles (a DDR feature), the router looks for a dialer profile for the specific user.
  • If a dialer profile is found, it is used instead of virtual profiles.
  • If a dialer profile is not found for the user, or legacy DDR is configured, or DDR is not configured at all, virtual profiles create a virtual access interface for the user.

The router applies the configuration commands that are in the virtual template interface to create and configure the virtual profile. The template includes generic interface information and router-specific information, but no user-specific information. No matter whether a user dialed in on a synchronous serial, an asynchronous serial, or an ISDN interface, the dynamically created virtual profile for the user is configured as specified in the virtual template.

Then the router interprets the lines in the AAA authorization approval response from the server as Cisco IOS commands to apply to the virtual profile for the user.

Data flows through the virtual profile, and the higher layers treat it as the interface for the user.

For example, if a virtual template included only the three commands ip unnumbered ethernet 0, encapsulation ppp, and ppp authentication chap, the virtual profile for any dial-in user would include those three commands.

In Figure 1, the dotted box represents the virtual profile configured with the commands that are in the virtual template, no matter which interface the call arrives on.

Figure 1 Virtual Profiles by Virtual Template

 

See the “Configuring Virtual Profiles by Virtual Template” section for configuration tasks for this case.

Case 2: Virtual Profiles Configured by AAA

In this case, no dialer profile (a DDR feature) is defined for the specific user and no virtual template for virtual profiles is defined, but virtual profiles by AAA are enabled on the router.

During the PPP authorization phase for the user, the AAA server responds as usual to the router. The authorization approval contains configuration information for the user. The router interprets each of the lines in the AAA response from the server as Cisco IOS commands to apply to the virtual profile for the user.

Note If MLP is negotiated, the MLP virtual template is cloned first (this is the second row), and then interface-specific commands included in the AAA response from the server for the user are applied. The MLP virtual template overrides any conflicting interface configuration, and the AAA interface configuration overrides any conflicting configuration from both the physical interface and the MLP virtual template.

The router applies all the user-specific interface commands received from the AAA server.

Suppose, for example, that the router interpreted the response by the AAA server as including only the following two commands for this user:

ip address 10.10.10.10 255.255.255.255
keepalive 30
 

In Figure 2, the dotted box represents the virtual profile configured only with the commands received from the AAA server, no matter which interface the incoming call arrived on. On the AAA RADIUS server, the attribute-value (AV) pair might have read as follows, where “\n” means to start a new command line:

cisco-avpair = “lcp:interface-config=ip address 10.10.10.10 255.255.255.0\nkeepalive 30”,

Figure 2 Virtual Profiles by AAA Configuration

 

See the “Configuring Virtual Profiles by AAA Configuration” section for configuration tasks for this case.

Case 3: Virtual Profiles Configured by Virtual Template and AAA Configuration

In this case, no DDR dialer profile is defined for the specific user, a virtual template for virtual profiles is defined, virtual profiles by AAA is enabled on the router, the router is configured for AAA, and a user-specific interface configuration for the user is stored on the AAA server.

The router performs the following tasks in order:

1. Dynamically creates a virtual access interface cloned from the virtual template defined for virtual profiles.

2. Applies the user-specific interface configuration received from the AAA server.

If any command in the user’s configuration conflicts with a command on the original interface or a command applied by cloning the virtual template, the user-specific command overrides the other command.

Suppose that the router had the virtual template as defined in Case 1 and the AAA user configuration as defined in Case 2. In Figure 3 the dotted box represents the virtual profile configured with configuration information from both sources, no matter which interface the incoming call arrived on. The ip address command has overridden the ip unnumbered command.

Figure 3 Virtual Profiles by Both Virtual Template and AAA Configuration

 

See the “Configuring Virtual Profiles by Both Virtual Template and AAA Configuration” section for configuration tasks for this case.

Case 4: Virtual Profiles Configured by AAA, and a Virtual Template Defined by Another Application

In this case, no DDR dialer profile is defined for the specific user, virtual profiles by AAA are configured on the router but no virtual template is defined for virtual profiles, and a user-specific interface configuration is stored on the AAA server. In addition, a virtual template is configured for some other virtual access application (a VPDN, for example).

The router performs the following tasks in order:

1. Dynamically creates a virtual access interface and clones the virtual template from the other virtual access application onto it.

2. Applies the user-specific interface configuration received from the AAA server.

If any command in the virtual template conflicts with a command on the original interface, the template overrides it.

If any command in the AAA interface configuration for the user conflicts with a command in the virtual template, the user AAA interface configuration conflicts will override the virtual template.

If per-user configuration is also configured on the AAA server, that network protocol configuration is applied to the virtual access interface last.

The result is a virtual interface unique to that user.

How to Configure Virtual Profiles

To configure virtual profiles for dial-in users, perform the tasks in one of the first three sections and then troubleshoot the configuration by performing the tasks in the last section:

Note Do not define a DDR dialer profile for a user if you intend to define virtual profiles for the user.

Configuring Virtual Profiles by Virtual Template

To configure virtual profiles by virtual template, complete these two tasks:

Note The order in which these tasks is performed is not crucial. However, both tasks must be completed before virtual profiles are used.

Creating and Configuring a Virtual Template Interface

Because a virtual template interface is a serial interface, all the configuration commands that apply to serial interfaces can also be applied to virtual template interfaces, except shutdown and dialer commands.

To create and configure a virtual template interface, use the following commands:

 

Command
Purpose

Step 1

Router(config)# interface virtual-template number

Creates a virtual template interface and enters interface configuration mode.

Step 2

Router(config-if)# ip unnumbered ethernet 0

Enables IP without assigning a specific IP address on the LAN.

Step 3

Router(config-if)# encapsulation ppp

Enables PPP encapsulation on the virtual template interface.

Other optional PPP configuration commands can be added to the virtual template configuration. For example, you can add the ppp authentication chap command.

Specifying a Virtual Template Interface for Virtual Profiles

To specify a virtual template interface as the source of information for virtual profiles, use the following command:

 

Command
Purpose

Router(config)# virtual-profile virtual-template number

Specifies the virtual template interface as the source of information for virtual profiles.

Virtual template numbers range from 1 to 25.

Configuring Virtual Profiles by AAA Configuration

To configure virtual profiles by AAA only, complete these three tasks in any order. All tasks must be completed before virtual profiles are used.

  • On the AAA server, create user-specific interface configurations for each of the specific users to use this method. See your AAA server documentation for more detailed configuration information about your AAA server.
  • Configure AAA on the router, as described in the Cisco IOS Security Configuration Guide.
  • Specify AAA as the source of information for virtual profiles.

To specify AAA as the source of information for virtual profiles, use the following command:

 

Command
Purpose

Router(config)# virtual-profile aaa

 

Note Effective with Cisco IOS Release 12.2(34)SB and 12.2(33)XNE, the virtual-profile aaa command is not available in Cisco IOS software. In releases later than Cisco IOS Release 12.2, the router automatically creates virtual profiles when AAA attributes require a profile.

Specifies AAA as the source of user-specific interface configuration.

If you also want to use per-user configuration for network protocol access lists or route filters for individual users, see the chapter “Configuring Per-User Configuration” in this publication. In this case, no virtual template interface is defined for virtual profiles.

Configuring Virtual Profiles by Both Virtual Template and AAA Configuration

Use of user-specific AAA interface configuration information with virtual profiles requires the router to be configured for AAA and requires the AAA server to have user-specific interface configuration AV pairs. The relevant AV pairs (on a RADIUS server) begin as follows:

cisco-avpair = “lcp:interface-config=...”,
 

The information that follows the equal sign (=) could be any Cisco IOS interface configuration command. For example, the line might be the following:

cisco-avpair = “lcp:interface-config=ip address 192.168.200.200 255.255.255.0”,
 

Use of a virtual template interface with virtual profiles requires a virtual template to be defined specifically for virtual profiles.

To configure virtual profiles by both virtual template interface and AAA configuration, complete the following tasks in any order. All tasks must be completed before virtual profiles are used.

  • On the AAA server, create user-specific interface configurations for each of the specific users to use this method. See your AAA server documentation for more detailed configuration information about your AAA server.
  • Configure AAA on the router, as described in the Cisco IOS Security Configuration Guide publication.
  • Creating and configuring a virtual template interface, described later in this chapter.
  • Specifying virtual profiles by both virtual templates and AAA, described later in this chapter.

Creating and Configuring a Virtual Template Interface

To create and configure a virtual template interface, use the following commands:

 

Command
Purpose

Step 1

Router(config)# interface virtual-template number

Creates a virtual template interface and enters interface configuration mode.

Step 2

Router(config-if)# ip unnumbered ethernet 0

Enables IP without assigning a specific IP address on the LAN.

Step 3

Router(config-if)# encapsulation ppp

Enables PPP encapsulation on the virtual template interface.

Because the software treats a virtual template interface as a serial interface, all the configuration commands that apply to serial interfaces can also be applied to virtual template interfaces, except shutdown and dialer commands. Other optional PPP configuration commands can also be added to the virtual template configuration. For example, you can add the ppp authentication chap command.

Specifying Virtual Profiles by Both Virtual Templates and AAA

To specify both the virtual template interface and the AAA per-user configuration as sources of information for virtual profiles, use the following commands:

 

Command
Purpose

Step 1

Router(config)# virtual-profile virtual-template number

Defines the virtual template interface as the source of information for virtual profiles.

Step 2

Router(config)# virtual-profile aaa

Specifies AAA as the source of user-specific configuration for virtual profiles.

If you also want to use per-user configuration for network protocol access lists or route filters for individual users, see the Configuring per-User Configuration feature.

Troubleshooting Virtual Profile Configurations

To troubleshoot the virtual profiles configurations, use any of the following debug commands:

 

Command
Purpose

Router# debug dialer

Displays information about dial calls and negotiations and virtual profile events.

Router# debug aaa per-user

Displays information about the per-user configuration downloaded from the AAA server.

Router# debug vtemplate cloning

Displays cloning information for a virtual access interface from the time it is cloned from a virtual template to the time it comes down.

Configuration Examples for Virtual Profiles

The following sections provide examples for the four cases described in this chapter:

In these examples, BRI 0 is configured for legacy DDR, and interface BRI 1 is configured for dialer profiles. Note that interface dialer 0 is configured for legacy DDR. Interface dialer 1 is a dialer profile.

The intention of the examples is to show how to configure virtual profiles. In addition, the examples show the interoperability of DDR and dialer profiles in the respective cases with various forms of virtual profiles.

The same user names (User1 and User2) occur in all these examples. Note the different configuration allowed to them in each of the four examples.

User1 is a normal user and can dial in to BRI 0 only. User2 is a privileged user who can dial in to BRI 0 and BRI 1. If User2 dials into BRI 1, the dialer profile will be used. If User2 dials into BRI 0, virtual profiles will be used. Because User1 does not have a dialer profile, only virtual profiles can be applied to User1.

To see an example of a configuration using virtual profiles and the Dynamic Multiple Encapsulations feature, see the “Multiple Encapsulations over ISDN” example in the chapter “Configuring Peer-to-Peer DDR with Dialer Profiles.”

Virtual Profiles Configured by Virtual Templates: Example

The following example shows a router configured for virtual profiles by virtual template. (Virtual profiles do not have any interface-specific AAA configuration.) Comments in the example draw attention to specific features or ignored lines.

In this example, the same virtual template interface applies to both users; they have the same interface configurations.

Router Configuration

! Enable AAA on the router.
aaa new-model
aaa authentication ppp default radius
! The following command is required.
aaa authorization network radius
enable secret 5 $1$koOn$/1QAylov6JFAElxRCrL.o/
enable password lab
!
! Specify configuration of virtual profiles by virtual template.
! This is the key command for this example.
virtual-profile virtual-template 1
!
! Define the virtual template.
interface Virtual-Template 1
ip unnumbered ethernet 0
encapsulation ppp
ppp authentication chap
!
switch-type basic-dms100
interface BRI 0
description Connected to 103
encapsulation ppp
no ip route-cache
dialer rotary-group 0
ppp authentication chap
!
interface BRI 1
description Connected to 104
encapsulation ppp
! Disable fast switching.
no ip route-cache
dialer pool-member 1
ppp authentication chap
!
! Configure dialer interface 0 for DDR for User1 and User2.
interface dialer 0
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
! Enable legacy DDR.
dialer in-band
! Disable fast switching.
no ip route-cache
dialer map ip 10.1.1.2 name User1 1111
dialer map ip 10.1.1.3 name User2 2222
dialer-group 1
ppp authentication chap
!
! Configure dialer interface 1 for DDR to dial out to User2.
interface dialer 1
ip address 10.2.2.2 255.255.255.0
encapsulation ppp
dialer remote-name User2
dialer string 3333
dialer pool 1
dialer-group 1
! Disable fast switching.
no ip route-cache
ppp authentication chap
dialer-list 1 protocol ip permit

Virtual Profiles Configured by AAA Configuration: Example

The following example shows the router configuration for virtual profiles by AAA and the AAA server configuration for user-specific interface configurations. User1 and User2 have different IP addresses.

In the AAA configuration cisco-avpair lines, “\n” is used to indicate the start of a new Cisco IOS command line.

AAA Configuration for User1 and User2

User1 Password = "welcome"
User-Service-Type = Framed-User,
Framed-Protocol = PPP,
cisco-avpair = "lcp:interface-config=keepalive 75\nip address 192.16.100.100 255.255.255.0",
User2 Password = "emoclew"
User-Service-Type = Framed-User,
Framed-Protocol = PPP,
cisco-avpair = "lcp:interface-config=keepalive 100\nip address 192.168.200.200 255.255.255.0"

Router Configuration

! Enable AAA on the router.
aaa new-model
aaa authentication ppp default radius
! This is a key command for this example.
aaa authorization network radius
enable secret 5 $1$koOn$/1QAylov6JFAElxRCrL.o/
enable password lab
!
! Specify configuration of virtual profiles by aaa.
! This is a key command for this example.
virtual-profiles aaa
!
! Interface BRI 0 is configured for legacy DDR.
interface BRI 0
description Connected to 103
encapsulation ppp
no ip route-cache
dialer rotary-group 0
ppp authentication chap
!
! Interface BRI 1 is configured for dialer profiles.
interface BRI 1
description Connected to 104
encapsulation ppp
! Disable fast switching.
no ip route-cache
dialer pool-member 1
ppp authentication chap
!
! Configure dialer interface 0 for DDR for User1 and User2.
interface dialer 0
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
! Enable legacy DDR.
dialer in-band
! Disable fast switching.
no ip route-cache
dialer map ip 10.1.1.2 name User1 1111
dialer map ip 10.1.1.3 name User2 2222
dialer-group 1
ppp authentication chap
!
! Configure dialer interface 1 for DDR to dial out to User2.
interface dialer 1
ip address 10.2.2.2 255.255.255.0
encapsulation ppp
dialer remote-name User2
dialer string 3333
dialer pool 1
dialer-group 1
! Disable fast switching.
no ip route-cache
ppp authentication chap
dialer-list 1 protocol ip permit

Virtual Profiles Configured by Virtual Templates and AAA Configuration: Example

The following example shows how virtual profiles can be configured by both virtual templates and AAA configuration. User1 and User2 can dial in from anywhere and have their same keepalive settings and their own IP addresses.

The remaining AV pair settings are not used by virtual profiles. They are the network protocol access lists and route filters used by AAA-based per-user configuration.

In the AAA configuration cisco-avpair lines, “\n” is used to indicate the start of a new Cisco IOS command line.

AAA Configuration for User1 and User2

User1 Password = “welcome”
User-Service-Type = Framed-User,
Framed-Protocol = PPP,
cisco-avpair = “lcp:interface-config=keepalive 75\nip address 10.16.100.100 255.255.255.0”,
cisco-avpair = “ip:rte-fltr-out#0=router igrp 60”,
cisco-avpair = “ip:rte-fltr-out#3=deny 172.16.0.0 0.255.255.255”,
cisco-avpair = “ip:rte-fltr-out#4=deny 172.17.0.0 0.255.255.255”,
cisco-avpair = “ip:rte-fltr-out#5=permit any”
User2 Password = “emoclew”
User-Service-Type = Framed-User,
Framed-Protocol = PPP,
cisco-avpair = “lcp:interface-config=keepalive 100\nip address 192.168.200.200 255.255.255.0”,
cisco-avpair = “ip:inacl#3=permit ip any any precedence immediate”,
cisco-avpair = “ip:inacl#4=deny igrp 10.0.1.2 255.255.0.0 any”,
cisco-avpair = “ip:outacl#2=permit ip any any precedence immediate”,
cisco-avpair = “ip:outacl#3=deny igrp 10.0.9.10 255.255.0.0 any”

Router Configuration

! Enable AAA on the router.
aaa new-model
aaa authentication ppp default radius
! This is a key command for this example.
aaa authorization network radius
enable secret 5 $1$koOn$/1QAylov6JFAElxRCrL.o/
enable password lab
!
! Specify use of virtual profiles and a virtual template.
! The following two commands are key for this example.
virtual-profile virtual-template 1
virtual-profile aaa
!
! Define the virtual template.
interface Virtual-Template 1
ip unnumbered ethernet 0
encapsulation ppp
ppp authentication chap
!
! Interface BRI 0 is configured for legacy DDR.
interface BRI 0
description Connected to 103
encapsulation ppp
no ip route-cache
dialer rotary-group 0
ppp authentication chap
!
! Interface BRI 1 is configured for dialer profiles.
interface BRI 1
description Connected to 104
encapsulation ppp
! Disable fast switching.
no ip route-cache
dialer pool-member 1
ppp authentication chap
!
! Configure dialer interface 0 for DDR to dial out to User1 and User2.
interface dialer 0
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
dialer in-band
! Disable fast switching.
no ip route-cache
dialer map ip 10.1.1.2 name User1 1111
dialer map ip 10.1.1.3 name User2 2222
dialer-group 1
ppp authentication chap
!
! Configure dialer interface 0 for DDR to dial out to User2.
interface dialer 1
ip address 10.2.2.2 255.255.255.0
encapsulation ppp
dialer remote-name User2
dialer string 3333
dialer pool 1
dialer-group 1
! Disable fast switching.
no ip route-cache
ppp authentication chap
!
dialer-list 1 protocol ip permit

Virtual Profiles Configured by AAA Plus a VPDN Virtual Template on a VPDN Home Gateway: Example

Like the virtual profiles configured by AAA example earlier in this section, the following example shows the router configuration for virtual profiles by AAA. The user file on the AAA server also includes interface configuration for User1 and User2, the two users. Specifically, User1 and User2 each have their own IP addresses when they are in privileged mode.

In this case, however, the router is also configured as the VPDN home gateway. It clones the VPDN virtual template interface first and then clones the virtual profiles AAA interface configuration. If per-user configuration were configured on this router and the user file on the AAA server had network protocol information for the two users, that information would be applied to the virtual access interface last.

In the AAA configuration cisco-avpair lines, “\n” is used to indicate the start of a new Cisco IOS command line.

AAA Configuration for User1 and User2

User1 Password = "welcome"
User-Service-Type = Framed-User,
Framed-Protocol = PPP,
cisco-avpair = "lcp:interface-config=keepalive 75\nip address 10.100.100.100 255.255.255.0",
User2 Password = "emoclew"
User-Service-Type = Framed-User,
Framed-Protocol = PPP,
cisco-avpair = "lcp:interface-config=keepalive 100\nip address 192.168.200.200 255.255.255.0"

Router Configuration

!Configure the router as the VPDN home gateway.
!
!Enable VPDN and specify the VPDN virtual template to use on incoming calls from the
!network access server.
vpdn enable
vpdn incoming dallas_wan go_blue virtual-template 6
!
!Configure the virtual template interface for VPDN.
interface virtual template 6
ip unnumbered ethernet 0
encapsulation ppp
ppp authentication chap
!
!Enable AAA on the router.
aaa new-model
aaa authentication ppp default radius
aaa authorization network radius
enable secret 5 $1$koOn$/1QAylov6JFAElxRCrL.o/
enable password lab
!
!Specify configuration of virtual profiles by aaa.
virtual-profiles aaa
!
!Configure the physical synchronous serial 0 interface.
interface Serial 0
description Connected to 101
encapsulation ppp
!Disable fast switching.
no ip route-cache
ppp authentication chap
!
!Configure serial interface 1 for DDR. S1 uses dialer rotary group 0, which is
!defined on BRI interface 0.
interface serial 1
description Connected to 102
encapsulation ppp
dialer in-band
! Disable fast switching.
no ip route-cache
dialer rotary-group 0
ppp authentication chap
!
interface BRI 0
description Connected to 103
encapsulation ppp
no ip route-cache
dialer rotary-group 0
ppp authentication chap
!
interface BRI 1
description Connected to 104
encapsulation ppp
!Disable fast switching.
no ip route-cache
dialer pool-member 1
ppp authentication chap
!
!Configure dialer interface 0 for DDR to call and receive calls from User1 and User2.
interface dialer 0
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
!Enable legacy DDR.
dialer in-band
!Disable fast switching.
no ip route-cache
dialer map ip 10.1.1.2 name User1 1111
dialer map ip 10.1.1.3 name User2 2222
dialer-group 1
ppp authentication chap
!
!Configure dialer interface 1 for DDR to dial out to User2.
interface dialer 1
ip address 10.2.2.2 255.255.255.0
encapsulation ppp
dialer remote-name User2
dialer string 3333
dialer pool 1
dialer-group 1
!Disable fast switching.
no ip route-cache
ppp authentication chap
dialer-list 1 protocol ip permit
 

Additional References

The following sections provide references related to configuring virtual profiles.

Related Documents

Related Topic
Document Title

Cisco IOS commands

Cisco IOS Master Commands List, All Releases

Dial commands

Cisco IOS Dial Command Reference

Standards

Standard
Title

None

MIBs

MIB
MIBs Link

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

RFC
Title

None

Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for Configuring Virtual Profiles

Table 2 lists the features in this module and provides links to specific configuration information.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Note Table 2 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.

 

Table 2 Feature Information for Configuring Virtual Profiles

Feature Name
Releases
Feature Information

Configuring Virtual Profiles

11.3

A virtual profile is a unique application that can create and configure a virtual access interface dynamically when a dial-in call is received and that can tear down the interface dynamically when the call ends.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 1997–2010 Cisco Systems, Inc. All rights reserved.