Cisco ASR-1002-x BRAS (pppoe server) – Mehdi Sadighian (مهدی صدیقیان)

Cisco ASR-1002-X bras (pppoe server) configuration
Building configuration...

Current configuration : 6995 bytes
!
! Last configuration change at 04:13:34 IRI Sun Oct 22 2017
!
version 16.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core

! increase router throuphut
platform hardware throughput level 36000000
!
hostname Cisco-ASR-1002-X-BRAS
!
boot-start-marker
boot system flash
boot system flash asr1002x-universalk9.16.03.02.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 *************
!
aaa new-model
!
! define radius server aaa
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa authorization subscriber-service default local group radius
aaa accounting delay-start
aaa accounting update periodic 10
aaa accounting network default
action-type start-stop
group radius
!
!
aaa nas port extended
!
!
! define radius server for COA requests
aaa server radius dynamic-author
client x.x.x.x server-key 7 *************
auth-type any
!
aaa session-id unique
clock timezone IRI 3 30
clock summer-time IRI recurring
!
!
ip name-server 8.8.8.8

no ip domain lookup
ip domain name test.com
ip multicast-routing distributed
ip accounting-threshold 200000
!
!
!
!
no subscriber templating
!
!
!
multilink bundle-name authenticated
vpdn enable
!

!
license udi pid ASR1002-X sn *************

! accept and activate license, if you don't activate this license 
!pppoe users will connect but no internet or route 
!is available (no ping) -- do not forgo to to write 
!and reload for activating the Eval license
license accept end user agreement
license boot level adventerprise
!
spanning-tree extend system-id
diagnostic bootup level minimal
!
!
username admin password 7 ************
!
redundancy
mode none
!
!
!
!some policies in case radius server sends policy name instead of rate-limit

policy-map Unlimited
policy-map 1024
class class-default
police 1024000
policy-map 128
class class-default
police 128000
policy-map 64
class class-default
police 64000
policy-map 2560
class class-default
police 2560000
policy-map 8192
class class-default
police 8192000
!
!
!
! configure pppoe server and set max numbers to 64000 
!because their default on Cisco ASR is 100 and without 
!increasing the max, you can only accept 100 pppoe sessions per vlan
bba-group pppoe global
virtual-template 1
sessions max limit 64000
sessions per-vc limit 64000
sessions per-mac limit 64000
sessions per-vlan limit 64000 inner 64000
sessions auto cleanup
!
!
!
interface Loopback0
no ip address
!


!
interface GigabitEthernet0/0/0
ip address 192.168.200.2 255.255.255.252
negotiation auto

pppoe enable group global
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
no negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
negotiation auto
!
interface GigabitEthernet0/0/4
no ip address
negotiation auto
!
interface GigabitEthernet0/0/5
no ip address
negotiation auto
!
interface TenGigabitEthernet0/1/0
description internet
bandwidth 10000000
ip address x.x.x.x 255.255.255.252
!
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Virtual-Template1
mtu 1460
ip unnumbered GigabitEthernet0/0/0
ip access-group adsl-src in
ip access-group adsl-dst out
ip tcp adjust-mss 1320
ip policy route-map failed-users
no logging event link-status
peer default ip address pool DefaultPool
keepalive 60
ppp authentication chap pap default
ppp authorization default
ppp accounting default
ppp ipcp dns 8.8.8.8
!
ip local pool DefaultPool x.x.x.1 x.x.x.254
ip local pool Failed 172.16.0.1 172.16.0.254
ip default-gateway x.x.x.x
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip tftp blocksize 8192
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip ssh version 2
!

! protect user's ADSL modem from tr069 attacks
ip access-list extended adsl-dst
deny   tcp any any eq telnet
deny   tcp any any eq 7547
deny   udp any any eq 7547
deny   tcp any any eq 5555
deny   udp any any eq 5555
permit ip any any
ip access-list extended adsl-src
deny   tcp any eq 7547 any 
deny   tcp any eq 5555 any 
deny   udp any eq 7547 any 
deny   udp any eq 5555 any 
permit ip any any
ip access-list extended failed-users
permit ip 172.16.0.0 0.0.0.255 any
deny   ip any any
!

! access list for SNMP
access-list 99 permit x.x.x.x
access-list 99 permit x.x.x.x
access-list 99 deny   any
!
!failed users is sort of users that expired or credit finished,
!so i will assign them an invalid ip address to redirect them 
!to billing web page
route-map failed-users permit 10
match ip address failed-users
set ip next-hop 192.168.200.1
!
snmp-server community ************ RO
snmp-server location HERE
snmp-server contact mehdi.sadighian@hotmail.com
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server source-ports extended
radius-server retransmit 2
radius-server timeout 3
radius-server unique-ident 27
radius-server key 7 **************
!
radius server default
address ipv4 x.x.x.x auth-port 1812 acct-port 1813
key 7 ***********
!
!
control-plane
!
!
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport input all
line vty 5 15
transport input all
!
!
!
!
end
By: Mehdi Sadighian
Contact: mehdi.sadighian@hotmail.com telegram:http://t.me/mehdi_sadighian
TAG: cisco,asr,asr1k,asr 1000,asr1002,asr1002-x,bba-group,vpdn,pppoe server,bras