Showing posts with the label Cisco. Show all posts

Thursday, 28 April 2016

Cisco ASA traffic rate limiting (policing on interfaces)

Source

This configuration will not work as written: rate limiting is not bidirectional, and it should be configured on your inside interface, whereas in your case you have configured it on your outside interface. If you want to enable it on all interfaces, apply the service policy globally, so that the policy map is applied to every interface.
To activate the policy map on one or more interfaces, enter the following command:
hostname(config)# service-policy policymap_name {global | interface interface_name}

Where global applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. Interface service policies take precedence over the global service policy for a given feature.
For example, if you have a global policy with inspections, and an interface policy with TCP normalization, then both inspections and TCP normalization are applied to the interface. However, if you have a global policy with inspections, and an interface policy with inspections, then only the interface policy inspections are applied to that interface.
With the modular policy framework (MPF) introduced in ASA versions 7.x and 8.x, the firewall administrator is able to apply policing and rate limiting to traffic passing through the ASA appliance. I got a few questions from people about how this functionality works and decided to throw in a quick example below, which you can easily modify to match your needs.
Scenario:
We want to rate limit a local internal host when accessing a specific external public server. The local host is 192.168.1.10 and the external public server is 100.100.100.1. We need to limit the traffic to 100kbps and burst size 8000.
Configuration Snippet:
ASA(config)#access-list rate-limit-acl extended permit ip host 192.168.1.10 host 100.100.100.1
ASA(config)#class-map rate-limit
ASA(config-cmap)#match access-list rate-limit-acl


ASA(config)#policy-map limit-policy
ASA(config-pmap)#class rate-limit
ASA(config-pmap-c)#police output 100000 8000

ASA(config)#service-policy limit-policy interface outside
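As an added example (mine, not code from the post or from Cisco), here is a token-bucket model of the `police output 100000 8000` action above, run on a constructed packet trace. The two ASA arguments are the conform rate in bits per second and the burst size in bytes, and the exceed action is drop. Note that `police output` on the outside interface only touches traffic leaving through outside, i.e. the host-to-server direction, which is the point the answer quoted at the top makes about rate limiting not being bidirectional. The model is a plain single-rate token bucket; the appliance's internal scheduling details may differ.

```python
"""Token-bucket model of the ASA action `police output 100000 8000`.

Added example, not code from the original post: it simulates the single-rate
policer the snippet configures (conform rate 100000 bit/s, burst 8000 bytes)
on a constructed packet trace, so you can see which packets of a burst are
transmitted and which are dropped (the exceed action on the ASA is drop).
"""
from dataclasses import dataclass, field


@dataclass
class Policer:
    rate_bps: int       # conform-rate, bits per second (first police argument)
    burst_bytes: int    # burst-size, bytes (second police argument)
    tokens: float = field(init=False)
    last_ts: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # the bucket starts full

    def offer(self, ts: float, size_bytes: int) -> str:
        """Decide 'transmit' or 'drop' for one packet arriving at time ts (seconds)."""
        elapsed = max(0.0, ts - self.last_ts)
        # Tokens are bytes; the rate is in bits, hence the division by 8.
        self.tokens = min(float(self.burst_bytes), self.tokens + elapsed * self.rate_bps / 8)
        self.last_ts = ts
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "transmit"
        return "drop"


def run_trace(rate_bps, burst_bytes, packets):
    """Apply the policer to [(timestamp, size_bytes), ...]; return [(ts, size, verdict), ...]."""
    policer = Policer(rate_bps, burst_bytes)
    return [(ts, size, policer.offer(ts, size)) for ts, size in packets]


def summarize(results):
    """Return (transmitted, dropped) packet counts for a run_trace() result."""
    transmitted = sum(1 for _, _, verdict in results if verdict == "transmit")
    return transmitted, len(results) - transmitted


# Constructed trace: two 9000-byte bursts of 1500-byte packets one second apart,
# then a steady stream of 1500 bytes every 200 ms (7500 B/s, under the 12500 B/s rate).
TRACE = ([(0.0, 1500)] * 6) + ([(1.0, 1500)] * 6) + [(2.0 + 0.2 * i, 1500) for i in range(5)]

if __name__ == "__main__":
    results = run_trace(100000, 8000, TRACE)
    for ts, size, verdict in results:
        print(f"t={ts:4.1f}s {size:5d} B -> {verdict}")
    print("transmitted/dropped:", summarize(results))
```

Each 9000-byte burst exceeds the 8000-byte bucket by one 1500-byte packet, so the sixth packet of each burst is dropped, while the steady stream stays under the rate and passes untouched.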
For details, see the following reference page, which covers the configuration of bandwidth management (rate limiting) using QoS policies:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml#rate
To configure rate limits through ASDM, see the following link:
http://flylib.com/books.php?ln=en&n=2&p=464&c=186&p1=1&c1=1&c2=231&view=1
For Cisco ASA 8.x, see the following:
http://www1.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_qos.html
http://www1.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_qos.html#wp1075478

Saturday, 2 April 2016

Cisco ASA Site-to-Site VPN Configs

Source

Configurations

ASA01

object network net-local
subnet 192.168.101.0 255.255.255.0
object network net-remote
subnet 192.168.102.0 255.255.255.0
access-list outside_1_cryptomap permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
tunnel-group 192.168.0.12 type ipsec-l2l
tunnel-group 192.168.0.12 ipsec-attributes
pre-shared-key pass1234
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.0.12
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
route outside 0 0 192.168.0.1

ASA02

object network net-local
subnet 192.168.102.0 255.255.255.0
object network net-remote
subnet 192.168.101.0 255.255.255.0
access-list outside_1_cryptomap permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
tunnel-group 192.168.0.11 type ipsec-l2l
tunnel-group 192.168.0.11 ipsec-attributes
pre-shared-key pass1234
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.0.11
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
route outside 0 0 192.168.0.1
Cisco ASA training:  site-to-site VPN diagram
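Before bringing up a tunnel like the one above it pays to check the two sides against each other. As an added example (not the post's or Cisco's code), the script below parses the crypto-relevant lines of the ASA01 and ASA02 configurations, checks that the crypto ACLs mirror each other, that each box's tunnel-group matches its crypto map peer, and that the PSK, IKE policy, transform set and PFS group agree, then warns about the legacy choices the sample makes (3DES, SHA-1 as the IKE hash, DH group 2, PFS group1, an 8-character PSK). The WARN thresholds and wording are this script's own.

```python
"""Consistency and legacy-crypto lint for a pair of ASA site-to-site configs.

Added example, not from the original post: ASA01/ASA02 below are the
crypto-relevant lines of the two configurations above, copied verbatim.
The checks and the legacy lists are this script's own choices.
"""
import re

ASA01 = """
access-list outside_1_cryptomap permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
tunnel-group 192.168.0.12 type ipsec-l2l
pre-shared-key pass1234
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.0.12
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""

ASA02 = """
access-list outside_1_cryptomap permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
tunnel-group 192.168.0.11 type ipsec-l2l
pre-shared-key pass1234
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.0.11
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""

LEGACY_IKE = {"encrypt": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}
LEGACY_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
LEGACY_PFS = {"group1", "group2", "group5"}
MIN_PSK_LEN = 16   # this script's threshold, not an ASA requirement


def parse_asa(text):
    """Pick out the crypto ACL, peer, PSK, IKE policy, transform set and crypto map."""
    cfg = {"acl": {}, "isakmp": {}, "transform": {}, "cmap": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["acl"].setdefault(m[1], set()).add((m[2], m[3], m[4], m[5]))
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            cfg["peer"] = m[1]
        elif m := re.match(r"pre-shared-key (\S+)", line):
            cfg["psk"] = m[1]
        elif m := re.match(r"crypto isakmp policy \d+ (\w+) (\S+)", line):
            cfg["isakmp"][m[1]] = m[2]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["transform"][m[1]] = set(m[2].split())
        elif m := re.match(r"crypto map \S+ \d+ (match address|set peer|set pfs|set transform-set) (\S+)", line):
            cfg["cmap"][m[1]] = m[2]
    return cfg


def lint_pair(a, b):
    findings = []
    acl_a = a["acl"][a["cmap"]["match address"]]
    acl_b = b["acl"][b["cmap"]["match address"]]
    # The remote side's crypto ACL must be ours with source and destination swapped.
    mirrored = {(d, dm, s, sm) for s, sm, d, dm in acl_a} == acl_b
    findings.append(("OK" if mirrored else "FAIL") + ": crypto ACLs are mirror images")
    ts_a = a["transform"][a["cmap"]["set transform-set"]]
    ts_b = b["transform"][b["cmap"]["set transform-set"]]
    same = (a["psk"] == b["psk"] and a["isakmp"] == b["isakmp"] and ts_a == ts_b
            and a["cmap"].get("set pfs") == b["cmap"].get("set pfs"))
    findings.append(("OK" if same else "FAIL") + ": PSK, IKE policy, transform set and PFS match")
    for name, cfg, ts in (("ASA01", a, ts_a), ("ASA02", b, ts_b)):
        if cfg["peer"] != cfg["cmap"]["set peer"]:
            findings.append(f"FAIL {name}: tunnel-group {cfg['peer']} != crypto map peer {cfg['cmap']['set peer']}")
        for param, weak in LEGACY_IKE.items():
            if cfg["isakmp"].get(param) in weak:
                findings.append(f"WARN {name}: isakmp {param} {cfg['isakmp'][param]} is a legacy algorithm")
        for t in sorted(ts & LEGACY_ESP):
            findings.append(f"WARN {name}: transform {t} is a legacy algorithm")
        if cfg["cmap"].get("set pfs") in LEGACY_PFS:
            findings.append(f"WARN {name}: pfs {cfg['cmap']['set pfs']} is a weak DH group")
        if len(cfg["psk"]) < MIN_PSK_LEN:
            findings.append(f"WARN {name}: pre-shared key shorter than {MIN_PSK_LEN} characters")
    return findings


def lint_page_configs():
    return lint_pair(parse_asa(ASA01), parse_asa(ASA02))


if __name__ == "__main__":
    print("\n".join(lint_page_configs()))
```

On the sample pair both consistency checks pass and every warning fires on both boxes, which is the expected picture for a lab config from 2016: it comes up, but the algorithm choices are ones you would not deploy today.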


Friday, 3 April 2015

Output drops due to QoS on 2960/3560/3750 switches

Source, big thanks to author

Do you see incrementing output drops on some interfaces after configuring QoS on your 2960/3560/3750 switch?
Common Scenarios
• Some of the interfaces start experiencing output drops once QoS is configured on the switch.
• Specific applications may experience degraded performance after configuring QoS on the switch. Say IP phones start experiencing choppy calls.
Possible Reason
Once you enable QoS on the switch, some traffic may start getting fewer resources than before (bandwidth or buffer) and hence may get dropped on the switch.


Troubleshooting steps

Step1> Identify the interfaces which carry outgoing data for the affected application or are seeing incrementing output drops. Compare the interface output rate and the interface speed and ensure that the drops are not due to overutilization of the link.

Switch#sh int gi1/0/1
<some output omitted>
GigabitEthernet0/1 is up, line protocol is up (connected)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX

!interface speed is 1000 Mbps

  input flow-control is off, output flow-control is unsupported
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1089  <<---

!ensure these drops are incrementing

  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 4000 bits/sec, 6 packets/sec
  5 minute output rate 3009880 bits/sec, 963 packets/sec

!output rate is about 3 Mbps while the interface speed is 1000 Mbps.
Step2> Ensure that QoS is enabled on the switch. If it is not enabled, output drops are not related to QoS and hence further steps mentioned here are irrelevant.

Switch#sh mls qos
QoS is enabled  <<----
QoS ip packet dscp rewrite is enabled

Step3> Identify the marking of the outgoing traffic that is getting dropped on the interface.

Switch#sh mls qos int gi1/0/1 statistics

GigabitEthernet1/0/1 (All statistics are in packets)

  dscp: incoming
-------------------------------

0 -  4 :           0            0            0            0            0
5 -  9 :           0            0            0            0            0
10 - 14 :           0            0            0            0            0
15 - 19 :           0            0            0            0            0
20 - 24 :           0            0            0            0            0
25 - 29 :           0            0            0            0            0
30 - 34 :           0            0            0            0            0
35 - 39 :           0            0            0            0            0
40 - 44 :           0            0            0            0            0
45 - 49 :           0       198910            0            0            0
50 - 54 :           0            0            0            0            0
55 - 59 :           0            0            0            0            0
60 - 64 :           0            0            0            0
  dscp: outgoing
-------------------------------

0 -  4 :           0            0            0            0            0
5 -  9 :           0            0            0            0            0
10 - 14 :           0            0            0            0            0
15 - 19 :           0            0            0            0            0
20 - 24 :           0            0            0            0            0
25 - 29 :           0            0            0            0            0
30 - 34 :           0            0            0            0            0
35 - 39 :           0            0            0            0            0
40 - 44 :           0            0            0            0            0
45 - 49 :           0      248484            0            0            0
50 - 54 :           0            0            0            0            0
55 - 59 :           0            0            0            0            0
60 - 64 :           0            0            0            0
  cos: incoming
-------------------------------

  0 -  4 :           2            0            0            0            0
  5 -  7 :           0            0            0
  cos: outgoing
-------------------------------

  0 -  4 :           0            0            0            0            0
  5 -  7 :           0            0            0
  output queues enqueued:
queue:    threshold1   threshold2   threshold3
-----------------------------------------------
queue 0:           248484      0           0
queue 1:           0           0           0
queue 2:           0           0           0
queue 3:           0           0           0

  output queues dropped:
queue:    threshold1   threshold2   threshold3
-----------------------------------------------
queue 0:       1089           0           0
queue 1:           0           0           0
queue 2:           0           0           0
queue 3:           0           0           0

Policer: Inprofile:            0 OutofProfile:            0

Note: Though you see queue 0-threshold 1 dropping packets, this actually will be queue 1 in further troubleshooting as queue numbering is 1 to 4 in further outputs.


Step4> Check the marking to output-q map on the switch to determine which queue-threshold pair maps to the marking getting dropped.

In this scenario, queue1-threshold1 is mapped to dscp 46, which is getting dropped on the interface. This means that dscp 46 traffic is being sent to queue1 and is getting dropped because that queue has insufficient buffer or fewer CPU cycles.

Switch#sh mls qos maps dscp-output-q

   Dscp-outputq-threshold map:
     d1 :d2    0     1     2     3     4     5     6     7     8     9
     ------------------------------------------------------------
      0 :    02-01 02-01 02-01 02-01 02-01 02-01 02-01 02-01 02-01 02-01
      1 :    02-01 02-01 02-01 02-01 02-01 02-01 03-01 03-01 03-01 03-01
      2 :    03-01 03-01 03-01 03-01 03-01 03-01 03-01 03-01 03-01 03-01
      3 :    03-01 03-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01
      4 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 04-01 04-01
      5 :    04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01
      6 :    04-01 04-01 04-01 04-01


Step5> There are two ways to tackle these drops. The first method is to change the buffer and threshold values for the queue dropping packets. The second method is to configure the scheduler so that the queue dropping packets is serviced more often than the rest of the queues.
First let us see how we can change the buffer and threshold for the affected queues. Let us check the buffer and threshold values associated with the queue identified in step 4.
Note: Each queue set has the option to configure the buffer size and threshold value for the four egress queues. Then, you can apply any one of the queue sets to any of the ports. By default, all interfaces use queue-set 1 for output queues unless explicitly configured to use queue-set 2.

In this scenario queue 1 in queue-set 1 has 25% of the total buffer space and threshold 1 is set to 100%.

Switch#sh mls qos queue-set
Queueset: 1
Queue     :       1       2       3       4
----------------------------------------------
buffers   :      25      25      25      25
threshold1:     100     200     100     100
threshold2:     100     200     100     100
reserved  :      50      50      50      50
maximum   :     400     400     400     400
Queueset: 2
Queue     :       1       2       3       4
----------------------------------------------
buffers   :      25      25      25      25
threshold1:     100     200     100     100
threshold2:     100     200     100     100
reserved  :      50      50      50      50
maximum   :     400     400     400     400


Step6> If you wish to change the buffer and threshold values just for the affected interface, please change queue-set 2 and configure the affected interface to use queue-set 2.

Note: You can change queue-set 1 also but as all the interfaces by default use queue-set 1, the change will be reflected to all the interfaces.

In the next step I am changing queue-set 2 so that queue 1 gets 70% of total buffer.
Switch(config)#mls qos queue-set output 2 buffers 70 10 10 10

In the next step I am changing the queue 1 thresholds in queue-set 2. Both threshold 1 and threshold 2 are set to 3100 so that the queue can pull buffers from the reserved pool if required.
Switch(config)#mls qos queue-set output 2 threshold 1 3100 3100 100 3200
Step7> Check if the changes reflect under correct queue and queue-set.

Switch#sh mls qos queue-set
Queueset: 1
Queue     :       1       2       3       4
----------------------------------------------
buffers   :      25      25      25      25
threshold1:     100     200     100     100
threshold2:     100     200     100     100
reserved  :      50      50      50      50
maximum   :     400     400     400     400
Queueset: 2
Queue     :       1       2       3       4
----------------------------------------------
buffers   :      70      10      10      10
threshold1:    3100     100     100     100
threshold2:    3100     100     100     100
reserved  :     100      50      50      50
maximum   :    3200     400     400     400


Step8> Make the affected interface use queue-set 2 so that the changes take effect on this interface.

Switch(config)#int gi1/0/1
Switch(config-if)#queue-set 2
Switch(config-if)#end

Confirm if the interface is mapped to queue-set 2
Switch#sh run int gi1/0/1
interface GigabitEthernet1/0/1
switchport mode access
mls qos trust dscp
queue-set 2
end
Check if the interface is still dropping packets.
Step9> We can also configure the scheduler to increase the rate at which queue 1 is serviced, using the share and shape options. In this example queue 1 alone will get 50% of the total CPU cycles and the remaining three queues will collectively get the other 50%.
Switch(config-if)#srr-queue bandwidth share 1 75 25 5

Switch(config-if)#srr-queue bandwidth shape  2  0  0  0
Check if the interface is still dropping packets.
Step10> If the packets are still getting dropped, as a last resort we can enable the priority queue on this interface. This ensures that all the traffic in the priority queue gets processed before any other queue.
Note: The priority queue is serviced until empty before the other queues are serviced. By default on 2960/3560/3750 switches, queue 1 is the priority queue.

Switch(config)#int gi1/0/1
Switch(config-if)#priority-queue out
Switch(config-if)#end
The marking getting dropped on the interface can be mapped so that it goes to queue 1, which is now the priority queue. In this way we ensure that traffic with this marking always gets processed before anything else.
Switch(config)#mls qos srr-queue output dscp-map queue 1 threshold 1 ?
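Steps 3 and 4 are a manual join between two show outputs, and the note under step 3 (statistics print queues 0-3, maps and queue-sets number them 1-4) is where people go wrong. As an added example (not from the post), the script below parses abridged copies of the `show mls qos interface statistics` and `show mls qos maps dscp-output-q` outputs above, converts the dropped-queue numbers to the 1-based numbering, and reports which DSCP values are mapped to the dropping queue/threshold and which of them were actually seen egressing the port.

```python
"""Locate the marking behind output drops from `show mls qos` outputs.

Added example, not code from the original post: STATS and DSCP_MAP are
abridged copies of the outputs shown in steps 3 and 4 of the post.
"""
import re

STATS = """\
GigabitEthernet1/0/1 (All statistics are in packets)

  dscp: outgoing
-------------------------------

0 -  4 :           0            0            0            0            0
40 - 44 :           0            0            0            0            0
45 - 49 :           0      248484            0            0            0
60 - 64 :           0            0            0            0
  cos: outgoing
-------------------------------

  0 -  4 :           0            0            0            0            0
  5 -  7 :           0            0            0

  output queues dropped:
queue:    threshold1   threshold2   threshold3
-----------------------------------------------
queue 0:       1089           0           0
queue 1:           0           0           0
queue 2:           0           0           0
queue 3:           0           0           0

Policer: Inprofile:            0 OutofProfile:            0
"""

DSCP_MAP = """\
   Dscp-outputq-threshold map:
     d1 :d2    0     1     2     3     4     5     6     7     8     9
     ------------------------------------------------------------
      0 :    02-01 02-01 02-01 02-01 02-01 02-01 02-01 02-01 02-01 02-01
      1 :    02-01 02-01 02-01 02-01 02-01 02-01 03-01 03-01 03-01 03-01
      2 :    03-01 03-01 03-01 03-01 03-01 03-01 03-01 03-01 03-01 03-01
      3 :    03-01 03-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01
      4 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 04-01 04-01
      5 :    04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01 04-01
      6 :    04-01 04-01 04-01 04-01
"""


def parse_dscp_counts(stats, section="dscp: outgoing"):
    """Return {dscp: packets} for one 'dscp: incoming' or 'dscp: outgoing' section."""
    counts, inside = {}, False
    for raw in stats.splitlines():
        s = raw.strip()
        if s.startswith(section):
            inside = True
        elif inside:
            if m := re.match(r"(\d+)\s*-\s*\d+\s*:\s*(.*)", s):
                for offset, value in enumerate(m[2].split()):   # row 'a - b :' lists a..b
                    counts[int(m[1]) + offset] = int(value)
            elif s.startswith(("dscp:", "cos:", "output queues")):
                break
    return counts


def parse_queue_drops(stats):
    """Return {(queue, threshold): dropped} with queues renumbered 1-4."""
    drops, inside = {}, False
    for raw in stats.splitlines():
        s = raw.strip()
        if s.startswith("output queues dropped"):
            inside = True
        elif inside:
            if m := re.match(r"queue (\d+):\s+(\d+)\s+(\d+)\s+(\d+)", s):
                queue = int(m[1]) + 1   # statistics show 0-3; maps and queue-sets use 1-4
                for threshold, value in enumerate(m.groups()[1:], start=1):
                    if int(value):
                        drops[(queue, threshold)] = int(value)
            elif s.startswith("Policer"):
                break
    return drops


def parse_dscp_outputq_map(text):
    """Return {dscp: (queue, threshold)}; row d1, column d2 is DSCP d1*10+d2."""
    mapping = {}
    for raw in text.splitlines():
        if m := re.match(r"\s*(\d)\s*:\s+((?:\d\d-\d\d\s*)+)$", raw):
            for d2, cell in enumerate(m[2].split()):
                queue, threshold = cell.split("-")
                mapping[int(m[1]) * 10 + d2] = (int(queue), int(threshold))
    return mapping


def dropped_markings(stats, map_text):
    """For each dropping queue/threshold: drop count, DSCPs mapped there, DSCPs actually seen."""
    mapping = parse_dscp_outputq_map(map_text)
    outgoing = parse_dscp_counts(stats, "dscp: outgoing")
    report = {}
    for (queue, threshold), dropped in parse_queue_drops(stats).items():
        mapped = sorted(d for d, qt in mapping.items() if qt == (queue, threshold))
        report[(queue, threshold)] = {"dropped": dropped, "dscp_mapped": mapped,
                                      "dscp_seen": [d for d in mapped if outgoing.get(d, 0) > 0]}
    return report


if __name__ == "__main__":
    print(dropped_markings(STATS, DSCP_MAP))
```

On the post's data this yields queue 1 / threshold 1 with 1089 drops, DSCP 40-47 mapped to it and only DSCP 46 seen on the wire, which is exactly the conclusion of step 4.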

Update 1 (From official documentation).

Queue map configuration:
Rack1SW1(config)#mls qos srr-queue output cos-map queue 1 threshold 3 5
Rack1SW1(config)#mls qos srr-queue output cos-map queue 1 threshold 1 2 4
Rack1SW1(config)#mls qos srr-queue output cos-map queue 2 threshold 2 3
Rack1SW1(config)#mls qos srr-queue output cos-map queue 2 threshold 3 6 7
Rack1SW1(config)#mls qos srr-queue output cos-map queue 3 threshold 3 0
Rack1SW1(config)#mls qos srr-queue output cos-map queue 4 threshold 3 1

Rack1SW1(config)#mls qos srr-queue output dscp-map queue 1 threshold 3 46
Rack1SW1(config)#mls qos srr-queue output dscp-map queue 2 threshold 1 16
Rack1SW1(config)#mls qos srr-queue output dscp-map queue 2 threshold 1 18 20 22
Rack1SW1(config)#mls qos srr-queue output dscp-map queue 2 threshold 1 25
Rack1SW1(config)#mls qos srr-queue output dscp-map queue 2 threshold 1 32
Rack1SW1(config)#mls qos srr-queue output dscp-map queue 2 threshold 1 34 36 38
Rack1SW1(config)#mls qos srr-queue output dscp-map queue 2 threshold 2 24 26
Rack1SW1(config)#mls qos srr-queue output dscp-map queue 2 threshold 3 48 56
Rack1SW1(config)#mls qos srr-queue output dscp-map queue 3 threshold 3 0
Rack1SW1(config)#mls qos srr-queue output dscp-map queue 4 threshold 1 8
Rack1SW1(config)#mls qos srr-queue output dscp-map queue 4 threshold 3 10 12 14

Thursday, 13 February 2014

VPLS and AToM between a Cisco ASR9001 and an ASR1002

So, the task: set up an L2 tunnel between subinterfaces of these two devices. (Starting with IOS XE 3.10 on the ASR 1000, service-instance is finally allowed on Port-Channel interfaces, in which case I would recommend doing a proper VPLS instead; 3.13.2 even fixed the strange behaviour of service instances under certain conditions.)

Obviously, L3 connectivity between the devices (and their loopback interfaces) must be in place.

1. AToM.

ASR9001 configuration

interface Bundle-Ether1
 description *** Uplink ***
 mtu 9000
interface Bundle-Ether1.2903
 description *** to ASR1002 ***
 ipv4 address 192.168.1.1 255.255.255.254
 encapsulation dot1q 2903
!
interface Bundle-Ether1.396 l2transport
 description *** test subinterface for AToM ***
 encapsulation dot1q 396
 rewrite ingress tag pop 1 symmetric <------ note this!
 mtu 1564
!
mpls ldp
 router-id 192.168.10.1
 discovery targeted-hello accept
 log
  neighbor
 !
 interface Bundle-Ether1.2903
!
l2vpn
 logging
  pseudowire
 !
 pw-class test-atom
  encapsulation mpls
   protocol ldp
   control-word
 !
 xconnect group Test-Atom_group
  p2p asr1002
   interface Bundle-Ether1.396
   neighbor ipv4 192.168.10.2 pw-id 396
    pw-class test-atom
   !
  !
 !
ASR1002 configuration

mpls label protocol ldp
mpls ldp discovery targeted-hello accept
mpls ldp router-id Loopback0 force
!
pseudowire-class test-atom
 encapsulation mpls
 control-word
!
interface Port-channel1
 description *** Uplink ***
 mtu 1546
 no ip address
 no negotiation auto
!
interface Port-channel1.2903
 description *** to ASR9001 ***
 encapsulation dot1Q 2903
 ip address 192.168.1.2 255.255.255.254
 no ip unreachables
 ip flow ingress
 ip ospf network point-to-point
 ip ospf mtu-ignore
 ip ospf cost 2
 mpls ip
 mpls label protocol ldp
 mpls mtu 1536
!
interface Port-channel1.396
 description *** test subinterface for AToM ***
 encapsulation dot1Q 396
 xconnect 192.168.10.1 396 encapsulation mpls pw-class test-atom
!

Verification:
ASR1000: show mpls l2transport vc detail
ASR9001: show l2vpn xconnect detail

2. VPLS.

The interconnect interface settings and the basic MPLS settings are the same as above.
In general, VPLS in this combination "takes off" as described in the official manuals, with one nuance: after configuring the first VPLS on an ASR1000 running software version 3.10.2, the device must be reloaded. Otherwise you get phantom glitches of the "traffic was passing a moment ago and suddenly stopped for a while" kind, with no VPLS signalling errors visible anywhere.


ASR9001 configuration
interface Bundle-Ether1.51 l2transport
 encapsulation dot1q 325

!
l2vpn
 logging
  pseudowire
 !
 pw-class core-vpls
  encapsulation mpls
   protocol ldp
  !
 bridge group test-group
  bridge-domain 51
   interface Bundle-Ether1.51
   !
   vfi Inet_corp1
    neighbor 192.168.10.2 pw-id 51
     pw-class core-vpls
ASR1002 configuration
l2vpn vfi context Inet_corp1
 vpn id 51
 member 192.168.10.1 encapsulation mpls
!
bridge-domain 51
 member Port-channel1 service-instance 51
 member vfi Inet_corp1
!
interface Port-channel2
 description *** test ***
 mtu 1546
 no ip address
 no negotiation auto
 service instance 51 ethernet
  encapsulation dot1q 325
 !

Verification:
ASR1000: show mpls l2transport vc detail
ASR9001: show l2vpn bridge-domain bd-name 51 detail

Saturday, 23 November 2013

Cisco Catalyst 4900M: IOS upgrade

Unlike most devices running Cisco IOS, this switch has a rare quirk. When you upload a new software image to flash and put into the config, for example:
boot system flash bootflash:cat4500e-entservices-mz.122-54.SG1.bin
and then reload the switch, you will be surprised to see the device come up with the same old software version. The reason is that on this switch the config register must be rewritten on every software upgrade. That is, in addition to the boot system... command you must tell the switch:
config-register 0x2102
After that, save the configuration and verify the boot variable with:
show bootvar
After the reload, don't forget to confirm the software version with:
sh version

Thursday, 3 October 2013

Subscriber authorization by IP address: ISG on a Cisco BRAS

So, the task: make subscriber authorization by IP address possible on a Cisco device.
The test bed: a Cisco 7301, a billing system with a server that speaks RADIUS to the BRASes, and a laptop playing the part of an ordinary subscriber.

Implementation.
1) The RADIUS server settings on the BRAS are skipped here (they are described in the previous post).
2) ISG policy settings:

class-map type control match-all ISG-IP-UNAUTH
 match timer UNAUTH-TIMER
 match authen-status unauthenticated
!
!
policy-map type service OPENGV
 ip access-group OPENGV-IN in
 ip access-group OPENGV-OUT out
!
policy-map type control IP_SUBS
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event session-start
  19 authorize identifier source-ip-address
  20 set-timer UNAUTH-TIMER 1
  99 service-policy type service name OPENGV
 !
 class type control always event service-start
  35 service-policy type service identifier service-name
 !
 class type control always event service-stop
  1 service-policy type service unapply identifier service-name
 !
 class type control always event session-restart
  19 authorize identifier source-ip-address
  20 set-timer UNAUTH-TIMER 1
  99 service-policy type service name OPENGV
 !
!
ip access-list extended OPENGV-IN
 permit ip any host <self-service portal>
 permit udp any host <DNS Server 1> eq domain
 permit udp any host <DNS Server 2> eq domain
ip access-list extended OPENGV-OUT
 permit ip host <self-service portal> any
 permit udp host <DNS Server 1> eq domain any
 permit udp host <DNS Server 2> eq domain any
3) An example of the interface configuration for connecting a subscriber:
interface GigabitEthernet0/1
 ip address <subscriber gateway address> ! plain ip unnumbered is also an option
 ip verify unicast source reachable-via rx allow-default allow-self-ping
 ip helper-address <DHCP server address>
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 media-type rj45
 speed auto
 duplex auto
 no negotiation auto
 service-policy type control IP_SUBS
 ip subscriber routed
  initiator unclassified ip-address
4) And a bit of cosmetics for the IPoE subscriber functionality:
 ip dhcp relay information trust-all
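The OPENGV-IN/OPENGV-OUT lists are the walled garden an unauthenticated session lives in for the one minute of UNAUTH-TIMER: only the self-service portal and the two DNS servers are reachable, everything else hits the implicit deny at the end of the ACL, and after the timer expires the session is disconnected. As an added example (not code from the post), the following parses the subset of IOS extended-ACL syntax used here (permit/deny, ip/udp/tcp, any, host, network plus wildcard, optional `eq port`) and evaluates sample packets against both directions. The portal, DNS and subscriber addresses are constructed stand-ins for the <...> placeholders.

```python
"""Evaluator for the OPENGV walled-garden ACLs applied to unauthenticated ISG sessions.

Added example, not code from the original post. PORTAL, DNS1, DNS2, SUBSCRIBER
and INTERNET_HOST are constructed values standing in for the <...> placeholders.
"""
import ipaddress

PORTAL, DNS1, DNS2 = "10.0.0.10", "10.0.0.53", "10.0.0.54"       # constructed
SUBSCRIBER, INTERNET_HOST = "100.64.1.20", "203.0.113.5"           # constructed

OPENGV_ACL = f"""
ip access-list extended OPENGV-IN
 permit ip any host {PORTAL}
 permit udp any host {DNS1} eq domain
 permit udp any host {DNS2} eq domain
ip access-list extended OPENGV-OUT
 permit ip host {PORTAL} any
 permit udp host {DNS1} eq domain any
 permit udp host {DNS2} eq domain any
"""

PORT_NAMES = {"domain": 53, "www": 80, "bootps": 67, "bootpc": 68}


def _ip_matcher(tokens):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D WILDCARD); return (predicate, rest)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        host = ipaddress.ip_address(tokens[1])
        return (lambda ip: ipaddress.ip_address(ip) == host), tokens[2:]
    net = int(ipaddress.ip_address(tokens[0]))
    keep = ~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF   # wildcard 0 bits must match
    return (lambda ip: int(ipaddress.ip_address(ip)) & keep == net & keep), tokens[2:]


def _port_matcher(tokens):
    """Consume an optional `eq <port>`; return (predicate, rest)."""
    if tokens and tokens[0] == "eq":
        port = int(PORT_NAMES.get(tokens[1], tokens[1]))
        return (lambda p: p == port), tokens[2:]
    return (lambda p: True), tokens


def parse_acls(text):
    """Parse `ip access-list extended` blocks into {name: [ace, ...]} in order."""
    acls, current = {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[:3] == ["ip", "access-list", "extended"]:
            current = tok[3]
            acls[current] = []
        elif current and tok[0] in ("permit", "deny"):
            action, proto, rest = tok[0], tok[1], tok[2:]
            src, rest = _ip_matcher(rest)
            sport, rest = _port_matcher(rest)
            dst, rest = _ip_matcher(rest)
            dport, rest = _port_matcher(rest)
            acls[current].append((action, proto, src, sport, dst, dport))
    return acls


def evaluate(aces, proto, src, sport, dst, dport):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for action, aproto, sm, spm, dm, dpm in aces:
        if aproto in ("ip", proto) and sm(src) and spm(sport) and dm(dst) and dpm(dport):
            return action
    return "deny"


ACLS = parse_acls(OPENGV_ACL)

if __name__ == "__main__":
    print("portal  :", evaluate(ACLS["OPENGV-IN"], "tcp", SUBSCRIBER, 51000, PORTAL, 443))
    print("dns     :", evaluate(ACLS["OPENGV-IN"], "udp", SUBSCRIBER, 51000, DNS1, 53))
    print("internet:", evaluate(ACLS["OPENGV-IN"], "tcp", SUBSCRIBER, 51000, INTERNET_HOST, 443))
```

The inbound list is what the subscriber can send; the outbound list is the mirror for replies, so a DNS server answering from a port other than 53, or anything but the portal initiating towards the subscriber, is dropped as well.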

Wednesday, 25 September 2013

L2TP authorization on a Cisco BRAS

The test bed is a Cisco 7301; the task is to configure subscriber authorization over L2TP for one of the network segments.

Since the infrastructure is used with full Cisco ISG support, we need a suitable IOS for the 7301.
Out on the boundless Internet, 122-31.SB18 was found in the enterprise edition (sic! the service provider edition does not have the functionality we need: surprisingly, it has no vpdn at all). In principle all the newfangled SRC, SRD, SRE etc. releases should also do for this task; it is just that historically, in our shop, the SB-train IOS images have taken root particularly well for subscriber authorization and accounting.

So, the actual config fragments:

aaa group server radius CAR
 server 192.168.1.1 auth-port 1812 acct-port 1813
 load-balance method least-outstanding ignore-preferred-server
!
aaa authentication login default local group CAR
aaa authentication ppp default group CAR
aaa authorization exec default local group CAR
aaa authorization network default group CAR
aaa authorization auth-proxy default group CAR
aaa authorization subscriber-service default local group CAR
aaa accounting delay-start all
aaa accounting suppress null-username
aaa accounting update periodic 10
aaa accounting network default start-stop group CAR
aaa accounting network ACCNT_LIST1 start-stop group CAR
That covers the authorization and accounting order settings.
Let's continue:
aaa server radius dynamic-author
 client 192.168.1.1 server-key <password>
 server-key <password>
 port 1912
This is what lets us receive CoA from the server, for example to kill a subscriber's session or change its parameters on the fly.

subscriber authorization enable
vpdn enable
!
vpdn-group VPDN-L2TP
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 2
 no l2tp tunnel authentication
!
interface Loopback0
 ip address 192.168.1.2 255.255.255.255
 no ip unreachables
!
interface Virtual-Template2
 description *** L2TP subscribers ***
 mtu 1492
 ip unnumbered Loopback0
 ip verify unicast source reachable-via rx allow-default allow-self-ping
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip tcp adjust-mss 1452
 no logging event link-status
 ppp authentication chap
 ppp ipcp dns 192.168.1.3 192.168.1.4
 service-policy type control L2TP
The service-policy type control has to be configured beforehand; that is a topic for a separate post, since it is full of the finer points of working with ISG.
!
radius-server attribute 44 include-in-access-req vrf default
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
radius-server attribute nas-port format d
radius-server host 192.168.1.1 auth-port 1812 acct-port 1813 test username cisco key <password>
radius-server timeout 10
radius-server unique-ident 20
radius-server key <password>
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
radius-server load-balance method least-outstanding ignore-preferred-server
Cosmetics for correct operation with the RADIUS servers.
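The `aaa server radius dynamic-author` block above is what lets the billing server push a CoA or Disconnect to the BRAS, and the `client ... server-key` line is the whole of its authentication: the BRAS accepts such packets only from the listed address and only if the RFC 5176 Request Authenticator verifies under the shared key. As an added example (not code from the post or from Cisco), the code below builds a Disconnect-Request the way the server side would and models the BRAS side: an unknown client or a bad authenticator is silently discarded, a known Acct-Session-Id gets a Disconnect-ACK, an unknown one a Disconnect-NAK with Error-Cause 503 (Session Context Not Found). The client address, key and session ids are constructed; the sample key stands in for the <password> placeholder.

```python
"""RFC 5176 Disconnect-Request handling as enabled by `aaa server radius dynamic-author`.

Added example, not code from the original post. COA_CLIENTS mirrors the
`client <ip> server-key <key>` line with a constructed key; session ids are constructed.
"""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, FRAMED_IP_ADDRESS, ACCT_SESSION_ID, ERROR_CAUSE = 1, 8, 44, 101
SESSION_CONTEXT_NOT_FOUND = 503   # Error-Cause value from RFC 5176

COA_CLIENTS = {"192.168.1.1": b"example-server-key"}   # constructed stand-in for <password>


def encode_attrs(attrs):
    """Serialize [(type, value), ...] as RADIUS type/length/value triples."""
    out = b""
    for attr_type, value in attrs:
        value = value.encode() if isinstance(value, str) else value
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def decode_attrs(body):
    attrs, i = {}, 0
    while i + 2 <= len(body):
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs[attr_type] = body[i + 2:i + length]
        i += length
    return attrs


def build_request(code, identifier, attrs, secret):
    """Server side: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request(packet, secret):
    """NAS side: recompute the Request Authenticator and compare in constant time."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def bras_handle(src_ip, packet, sessions):
    """Model of the BRAS: returns the response bytes, or None when the request is discarded."""
    secret = COA_CLIENTS.get(src_ip)
    if secret is None or not verify_request(packet, secret) or packet[0] != DISCONNECT_REQUEST:
        return None   # unknown client or bad authenticator: discard silently (RFC 5176)
    session_id = decode_attrs(packet[20:]).get(ACCT_SESSION_ID, b"").decode()
    if session_id in sessions:
        sessions.discard(session_id)   # tear the subscriber session down
        return build_response(DISCONNECT_ACK, packet, [], secret)
    return build_response(DISCONNECT_NAK, packet,
                          [(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))], secret)


if __name__ == "__main__":
    active = {"0000001A", "0000001B"}   # constructed Acct-Session-Ids
    req = build_request(DISCONNECT_REQUEST, 7,
                        [(USER_NAME, "subscriber01"), (ACCT_SESSION_ID, "0000001A")],
                        COA_CLIENTS["192.168.1.1"])
    print("from known client :", bras_handle("192.168.1.1", req, active)[0], "sessions left", active)
    print("from unknown host :", bras_handle("198.51.100.9", req, active))
```

The `client` list and the key are the only things standing between the billing server and anyone else on that network being able to drop subscriber sessions, which is why the BRAS discards rather than NAKs when either check fails: a NAK would confirm the port is live.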