The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The ISG Dynamic VLAN Interface Provisioning feature enables the automatic creation of VLAN interfaces based on the VLAN packet trigger. The VLAN interface configuration is downloaded from the RADIUS server. This module describes how to enable ISG to dynamically configure VLAN interfaces for simple IP sessions.
 Note |
Although disabling this command avoids dropping of unknown VLAN tags, it affects other features that use VLAN filtering. For example, some QoS features like dot1p do not work when this command is disabled. |
After provisioning a DVLAN interface, it is not advised to write memory as this will disable removal of the DVLAN interface.
Note |
You can delete up to a maximum of 200 interfaces using the clear vlan-autoconfig interface command. |
Semantic errors encountered during shell-map execution are not handled.
|
Platform Scalability |
ASR 1000 RP2+ESP40 8GB RP2 |
|---|---|
|
Number of VLANs per port |
4000 |
|
Number of VLANs per SPA |
8000 32000 with VLAN unlimited |
|
Number of VLANs per system |
64000 |
|
Number of QinQ VLANs per port |
4000 |
|
Number of QinQ VLANs per SPA |
8000 32000 with VLAN unlimited |
|
Number of QinQ VLANs per system |
64000 |
Information About ISG Dynamic VLAN Interface Provisioning
This feature simplifies the VLAN sub-interface configuration by downloading the configuration details from a RADIUS-based server. These details are based on the VLAN tag of the first packet coming on the access interface. Any FSOL with a VLAN tag can bring up the dynamic VLAN interface. The configuration that is downloaded is defined in the shell map and the shell map parameters are passed through RADIUS during Access Accept. To de-provision the interface, you need to do it manually through CoA only.
Some benefits of automatically dynamic VLAN provisioning on the Cisco ISG interface are listed below:
You need not manually configure the VLAN sub-Interfaces on the device.
Dynamic VLAN provisioning reduces maintenance time due to simplified operations.
Performance is improved as the VLAN interface configurations are not included in the startup configuration.
The VLAN interface configuration for different VLANs is similar except that for the set of interface-specific parameters that need to be configured. These interface-specific parameters are downloaded from the RADIUS server.
The interface configuration commands are merged together in the IOS shell map to serve as a template. This template contains IOS CLI commands where the interface-specific parameters are replaced by shell variables. To configure a specific VLAN interface, the shell map is invoked with the appropriate parameters that replace these shell map variables.
The following steps describe how to use shell maps:
Define the IOS shell map on the router through CLI.
Configure this shell map name along with the VLAN interface configuration parameters on the RADIUS server for a specific VLAN ID.
The VLAN interface configuration module downloads the specified IOS shell map along with the appropriate VLAN interface configuration parameters from the RADIUS server.
The VLAN interface configuration module triggers the corresponding shell map with the appropriate number of parameters.
Ensure that the number of configuration parameters for a specific VLAN matches the number of variables expected by the corresponding shell map.
If the number of parameters are more, the extra parameters shall be ignored.
If the RADIUS server does not provide all the required parameters, a configuration error occurs.
If the RADIUS message carries a shell function name that does not exist on the device, a configuration error occurs.
Configure separate IOS shell maps for each VLAN.
Use the RADIUS CoA to change the VLAN interface configuration. Here, the CoA contains the IOS shell map name to be used along with the desired parameters.
The IOS shell infrastructure synchronizes the active and standby IOS shell maps.
Configuration Examples for ISG Dynamic VLAN Interface Provisioning
sh running-config
Building configuration...
Current configuration : 5262 bytes
!
! Last configuration change at 19:15:51 IST Mon Jun 30 2014
!
version 15.5
service timestamps debug uptime
service timestamps log datetime msec localtime show-timezone
no platform punt-keepalive disable-kernel-core
!
hostname UUT
!
boot-start-marker
boot system harddisk:asr1000rp2-adventerprisek9.BLD_MCP_DEV_LATEST_20140618_050043_2.bin
boot-end-marker
!
shell map PROFILE20 {
conf t
interface GigabitEthernet0/0/4.$sub_if
encapsulation dot1q $outer_vlan second-dot1q $in_vlan
ip address $ip 255.255.255.0
pppoe enable group global
end
}
shell map PROFILE33 {
conf t
interface Port-channel30.$sub_if
encap dot1q $outer_vlan second-dot1q $cvlan
ip address $ip 255.255.255.0
pppoe enable group global
end
}
shell trigger PROFILE20 PROFILE20
shell trigger PROFILE33 PROFILE33
shell trigger rate rate
aqm-register-fnf
!
aaa new-model
!
!
aaa authentication enable default none
aaa authentication ppp default group radius
aaa authorization exec default group radius
aaa authorization network default group radius
!
!
!
!
aaa server radius dynamic-author
client 9.0.0.134 server-key coa
!
aaa session-id common
clock timezone IST 5 30
!
!
!
!
!
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
vlan-autoconfig authorize list default password cisco
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
hw-module subslot 0/0 ethernet vlan unlimited
spanning-tree extend system-id
!
username lab password 0 lab
username CPE password 0 lab
!
redundancy
mode sso
!
!
!
!
!
!
ip tftp source-interface GigabitEthernet0/0/0
ip tftp blocksize 8192
!
!
!
!
!
bba-group pppoe global
virtual-template 1
!
!
interface Loopback1
ip address 2.2.2.1 255.255.255.0
!
interface Port-channel30
no ip address
no negotiation auto
!
interface GigabitEthernet0/0/4
ip address 5.5.5.1 255.255.0.0
negotiation auto
vlan-autoconfig
!
interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address pool pool1
ppp authentication chap
!
ip local pool pool1 2.2.2.2 2.2.2.100
ip default-gateway 9.27.0.1
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 9.0.0.134 255.255.255.255 9.27.0.1
ip route 10.64.67.0 255.255.255.0 9.27.0.1
ip route 10.105.37.142 255.255.255.255 10.64.67.1
ip route 202.153.144.25 255.255.255.255 9.27.0.1
!
ip access-list extended A
permit ip any any
!
access-list 10 permit any
!
!
!
radius-server host 9.0.0.134 key cisco
no radius-server vsa send accounting
no radius-server vsa send authentication
!
!
control-plane
!
!
!
!
!
!
!
!
!
alias exec svs show vlan-autoconfig summary
alias exec svv show vlan-autoconfig vlan
alias exec sva show vlan-autoconfig access
alias exec stat show vlan-autoconfig statistics
alias exec punt_pol show platform software punt-policer | i Auto
alias exec punt_infra show platform software infrastructure punt | i Auto
alias exec punt_qfp show platform hardware qfp a infrastructure punt policer
alias exec cvs clear vlan-autoconfig stat
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport input all
!
!
!
end
simulator radius server 10.0.1.2
Subscriber profiles for creating sub interfaces
user-name prefix Ethernet0/0:12 subscriber 26
user-name prefix Ethernet0/0:11 subscriber 25
user-name prefix Ethernet0/0:10 subscriber 24
Subscriber profile 24 25 26 are defined for creating virtual interface
simulator radius subscriber 24
vsa cisco generic 1 string "vlan-auto-config=1"
vsa cisco generic 1 string "vac-service-info=PROFILE1(vlan=10; ip=1.1.1.1)"
!
simulator radius subscriber 25
vsa cisco generic 1 string "vlan-auto-config=1"
vsa cisco generic 1 string "vac-service-info=PROFILE1(vlan=11;ip=2.2.2.2)"
!
simulator radius subscriber 26
vsa cisco generic 1 string "vlan-auto-config=1"
vsa cisco generic 1 string "vac-service-info=PROFILE1(vlan=12;ip=3.3.3.3)"
!Simulator radius subscriber 101
vsa cisco generic 1 string "vlan-auto-config=1"
vsa cisco generic 1 string "vac-subinterface-id=10"
vsa cisco generic 1 string "subscriber:command=vlan-autoconfig-delete"
attribute 87 string "Ethernet0/0"
!
simulator radius subscriber 102
vsa cisco generic 1 string "vlan-auto-config=1"
vsa cisco generic 1 string "vac-subinterface-id=11"
vsa cisco generic 1 string "subscriber:command=vlan-autoconfig-delete"
attribute 87 string "Ethernet0/0"
!
simulator radius subscriber 103
vsa cisco generic 1 string "vlan-auto-config=1"
vsa cisco generic 1 string "vac-subinterface-id=12"
vsa cisco generic 1 string "subscriber:command=vlan-autoconfig-delete"
attribute 87 string "Ethernet0/0“
Push the following subscriber profile from rsim as given below to delete a Sub interface
simulator radius request 1 coa 101
simulator radius request 1 coa 102
simulator radius request 1 coa 103|
Related Topic |
Document Title |
|---|---|
|
Cisco IOS commands |
|
|
ISG commands |
| Description | Link |
|---|---|
|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
ISG Dynamic VLAN Provisioning |
The ISG Dynamic VLAN Interface Provisioning feature enables the automatic creation of VLAN interfaces based on the VLAN packet trigger. The VLAN interface configuration is downloaded from the RADIUS server. The following command was introduced: vlan-autoconfig . |
Feedback