Archive

Articles tagged 'ASR9k'

ASR9k + Freeradius

Articles on IOX with FreeRADIUS are very scarce on the Internet, while there are lots on IOS with FreeRADIUS. After studying them, I summarize the setup as follows:

1: Install FreeRADIUS
You need to install FreeRADIUS first. I skip that part here; you can look it up yourself or check my last article <RHEL7 install freeradius>.

2: Configure FreeRADIUS
clients.conf

[root@frank radius]# more /etc/raddb/clients.conf
client 10.x.x.x {
        secret = cisco123
        shortname = iox-5.2.2
        nas_type = cisco
}

users

Notes: as shown below, we can assign a group to user "frank". Here priv5 is a custom group; you can also assign the default groups, e.g.:
Cisco-avpair = "shell:task=#netadmin,#sysadmin,#cisco-support"

By the way, you can define priv15 directly as follows:
Cisco-AVPair = "shell:priv-lvl=15"

Or define the allowed command directly as follows:
Cisco-AVpair = "shell:cmd=show"

If you assign the cisco-support group first and then try to limit commands with "cmd=show", cmd will be unavailable; and vice versa.

[root@frank radius]# more /etc/raddb/users
frank   Cleartext-Password := "frank"
                Service-Type = NAS-Prompt-User,
                Reply-Message = "Hello!",
                Login-Service = Telnet,
                Cisco-AVPair = "shell:tasks*=#priv5,"
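
An added example (not from the original article): a small review script that reads entries in the users-file layout shown above and reports accounts whose password equals the username, that receive "shell:priv-lvl=15", or that are placed in a task group listed in SENSITIVE_GROUPS. The function name, the SENSITIVE_GROUPS choice and the "ops" and "noc" entries are assumptions constructed for the example.

```python
import re

# Constructed sample in the layout of the /etc/raddb/users excerpt (not a real file).
SAMPLE_USERS = '''\
frank   Cleartext-Password := "frank"
                Service-Type = NAS-Prompt-User,
                Cisco-AVPair = "shell:tasks*=#priv5,"

ops     Cleartext-Password := "S0me-long-passphrase"
                Cisco-AVPair = "shell:priv-lvl=15"

noc     Cleartext-Password := "noc-Passphrase-2"
                Cisco-AVPair = "shell:task=#netadmin,#sysadmin,#cisco-support"
'''

# Assumption for this example: task groups a reviewer wants called out.
SENSITIVE_GROUPS = {"cisco-support"}

ENTRY = re.compile(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"')
AVPAIR = re.compile(r'Cisco-AVPair\s*[:+]?=\s*"shell:([\w-]+)\*?=([^"]*)"', re.I)

def audit_users(text, sensitive=SENSITIVE_GROUPS):
    """Return a sorted list of (user, finding) pairs."""
    findings, user = set(), None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # column 0 starts a new entry
            m = ENTRY.match(line)
            user = m.group(1) if m else None   # e.g. DEFAULT entries are skipped
            if m and m.group(2).lower() == user.lower():
                findings.add((user, "password equals username"))
            continue
        m = AVPAIR.search(line)            # indented lines are reply items
        if user is None or not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "priv-lvl" and value.strip() == "15":
            findings.add((user, "priv-lvl=15"))
        elif key in ("task", "tasks"):
            groups = {g.strip().lstrip("#") for g in value.split(",") if g.strip()}
            for g in sorted(groups & sensitive):
                findings.add((user, "task group " + g))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit_users(SAMPLE_USERS):
        print(f"{user}: {finding}")
```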

Read more

ASR9k, GSR VPLS *PVID_Inc issue

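I discussed the *PVID_Inc issue with a colleague and learned a lot! I suspect few people have grasped the real meaning of PVID_inc in VPLS.
To verify what we discussed, I ran the following experiment:

Topology

[Figure: vpls-pvid-01]
The sky-blue part belongs to one bridge-domain, vplstest1000; the red part belongs to bridge-domain vplstest6002.
This article discusses only the sky-blue bridge-domain!

Test objective

Verify why the PVID_inc problem occurs, with packet-capture analysis as solid evidence.
Read more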

ASR9k Mapping Behavior for “translate 1-to-1 dot1q”

Topology

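[Figure: vpls-pvid-01]
The sky-blue part belongs to one bridge-domain, vplstest1000; the red part belongs to bridge-domain vplstest6002.
This article discusses only the red bridge-domain!

Test objective

Verify the mapping behavior of "translate 1-to-1 dot1q" on the ASR9k.
Read more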

ASR9k Split-horizon Summary

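A brief summary of split-horizon on the ASR9k:

Note: unlike the 76, split-horizon on the ASR9k cannot be disabled. There are 3 groups in total, group 0, 1 and 2, and each is defined differently.

  • By default all ACs belong to group 0. Group 0 is special: the ACs in it can all reach each other.
  • All PWs belong to group 1. Members of group 1 cannot reach each other, but they can reach group 0 or group 2.
  • Once split-horizon is configured on either an AC or a PW, that port belongs to group 2. Members of group 2 cannot reach each other, but they can reach group 0 or group 1.

Below is Xander's summary (https://supportforums.cisco.com/thread/2213114 ):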

Three SHG groups are defined for VPLS(SHG0,SHG1 and SHG2). By default, all the 
bridge-ports( AC or PW ) come in SHG0. When a Split horizon-group is configured 
under the Bridge-port( either under AC or PW) they come in SHG2. 
PWs defined under VFI come in SHG1. 
By definition, Bridge-ports in same SHG(SHG1 and SHG2) won't talk to each 
other ( this is not applicable for SHG0 though ).

SHG0 --- > SHG0,SHG1 and SHG2
SHG1 --- > SHG0 and SHG2
SHG2 ----> SHG0 and SHG1

PW load share issue on ASR9k

There are 2 paths between the PEs. The customer found that the 1st path carries 5G of traffic while the 2nd path carries only 300M. After checking, the customer has EoMPLS business,

and an amount of the traffic belongs to L2VPN. In general, load balancing in an MPLS network on Cisco routers is typically based upon the data that follows the bottom MPLS label. All traffic from one PW follows the same path, hence this issue.

Workaround:
We can use the Flow Aware Transport (FAT) PW feature (from 4.2.1).
http://www.cisco.com/en/US/partner/docs/routers/asr9000/software/asr9k_r5.1/lxvpn/command/reference/b_vpn_cr51xasr9k_chapter_011.html#wp3812296210
Read more
