четверг, 9 июня 2011 г.

Cisco Catalyst ME3400 ограничение скорости

Задача - ограничение скорости конкретного вилана на транковых портах.


Ограничение скорости на каталистах привести к общему знаменателю можно только на транковых портах.
Напрямую резать скорость для вилана невозможно. Необходимо классифицировать трафик внутри вилана и
применять ограничения к нему.

Для того чтоб ограничить общую полосу классифицируем весь IP трафик

class-map match-any IP
match access-group name IP

Затем делаем классификаторы на требуемые виланы

class-map match-any VLAN96
match vlan 96


Определаем ограничения трафика для IP класса


policy-map 82M
class IP
police cir 82000000
conform-action transmit
exceed-action drop


Создаем полиси мап для установки на интерфейс
policy-map MAIN
class VLAN96
service-policy 82M



Вешаем его на транковый интерфейс. Не забываем, что полисить можно только на input ! Так что, для того
чтобы резать скорость в двух направления, вешаем полисер на интерфейс в сторону клиента и на аплинк.

interface GigabitEthernet0/14
description CLIENT
switchport mode trunk
service-policy input MAIN

interface GigabitEthernet0/16
description UPLINK
switchport mode trunk
service-policy input MAIN

среда, 9 марта 2011 г.

Ещё одно дополнение для Cisco ISG

Список используемых radius атрибутов.


radius-server attribute 44 include-in-access-req
radius-server attribute 44 extend-with-addr
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute nas-port format e UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
radius-server attribute 31 mac format unformatted
radius-server attribute 31 send nas-port-detail mac-only

вторник, 24 августа 2010 г.

дополнения к Cisco ISG

При старте сессии по
initiator dhcp ( получении DHCP Discover пакета )
и авторизации абонента по source-ip-address ( то бишь по IP адресу абонента ), необходимо добавление в session-start
collect identifier source-ip-address
до
authorize aaa list ISG-AUTH-1 password cisco identifier source-ip-address.
В противном случае первоначальный старт сессии будет неудачным, так как на момент старта ISG не располагает IP адресом клиента.
Примерно так должна выглядеть контрольная политика

policy-map type control ISG-IP-POLICY
class type control ISG-IP-UNAUTH event timed-policy-expiry
1 service disconnect
!
class type control always event session-start
5 collect identifier source-ip-address
10 authorize aaa list ISG-AUTH-1 password cisco identifier source-ip-address
20 set-timer UNAUTH-TIMER 1
30 service disconnect
!
class type control always event session-restart
10 authorize aaa list ISG-AUTH-1 password cisco identifier source-ip-address
20 set-timer UNAUTH-TIMER 1
!
!

Такого абонента

interface GigabitEthernet0/3.1498
encapsulation dot1Q 1498
ip unnumbered Loopback1
ip helper-address vrf v0:MANAG 10.255.15.5
service-policy type control ISG-IP-POLICY
ip subscriber routed
initiator dhcp
!

Как я писал ранее, у меня ISG является DHCP релеем и IP адрес клиенту выдается на основании DHCP Option 82.

пятница, 6 августа 2010 г.

Организация snmp управления на Edge-Core

все тестировалось на ES3528M и ES3510

тип коммутатора
на ES3528M/ES3552M
snmpget -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.1.5.1.0
на ES3510/ES3526XA
snmpget -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.1.5.1.0

работа с файлами ES3528M
указывает источник копирования 1 file, 2 runningCfg, 3 StartUpCfg, 4 tftp, 5 unit, 6 http, 7 ftp,
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.24.1.1.0 i [?]
имя копируемого файла
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.24.1.2.0 s [filename]
тип копируемого файла 1 opcode, 2 config, 3 bootrom, 5 loader
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.24.1.5.0 i [1-6]
указываем куда копировать ( все тоже самое как и в источнике ) -
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.24.1.3.0 i [1-6]
указываем с каким именем будет скопирован файл
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.24.1.4.0 s [filename]
указываем tftp сервер
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.24.1.6.0 a [ip]
говорим 1 некопировать, 2 копировать
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.24.1.8.0 i [12]

работа с файлами ES3510

указывает источник копирования 1 file, 2 runningCfg, 3 startUpCfg, 4 tftp, 5 unit
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.24.1.1.0 i [1-5]
имя копируемого файла
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.24.1.2.0 s [filename]
указываем куда копируем 1 file, 2 runningCfg, 3 startUpCfg, 4 tftp, 5 unit
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.24.1.3.0 i [1-5]
указываем с каким именем будет скопирован файл
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.24.1.4.0 s [filename]
тип копируемого файла 1 opcode, 2 config, 3 bootrom
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.24.1.5.0 i [1-3]
указываем tftp сервер
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.24.1.6.0 a [ip]
говорим 1 некопировать, 2 копировать
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.24.1.8.0 i [12]



Что мы должны указать для копирования running-config на tftp сервер ES3528M
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.24.1.1.0 i 2
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.24.1.3.0 i 4
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.24.1.4.0 s dev-[ip].cfp
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.24.1.6.0 a [tftp server ip]
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.24.1.8.0 i 2

Что мы должны указать для копирования running-config на tftp сервер ES3510
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.24.1.1.0 i 2
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.24.1.3.0 i 4
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.24.1.4.0 s dev-[ip].cfp
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.24.1.6.0 a [tftp server ip]
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.24.1.8.0 i 2


Что мы должны указать при обновлении софта ES3528M
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.24.1.1.0 i 4
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.24.1.2.0 s [firmware file name]
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.24.1.3.0 i 1
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.24.1.4.0 s [firmware file name]
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.24.1.5.0 i 1
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.24.1.6.0 a [tftp server ip]
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.24.1.8.0 i 2
далее делаем скопированный файл стартовым
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.7.1.0 s [firmware file name]
перегружаем коммутатор, опции 1 работаем, 2 горячий ребут, 3 холодный ребут
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.7.3.0 i 3

Что мы должны указать при обновлении софта ES3510
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.24.1.1.0 i 4
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.24.1.2.0 s [firmware file name]
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.24.1.3.0 i 1
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.24.1.4.0 s [firmware file name]
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.24.1.5.0 i 1
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.24.1.6.0 a [tftp server ip]
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.24.1.8.0 i 2
далее делаем скопированный файл стартовым
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.7.1.0 s [firmware file name]
перегружаем коммутатор, опции 1 работаем, 2 горячий ребут, 3 холодный ребут
snmpset -v 2c -c [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.7.3.0 i 3

Просмотр текущей версии софта на ES3528M
snmpget -v 2c -с [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.1.5.4.0
на ES3510
snmpget -v 2c -с [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.1.5.4.0

Включение выключение порта
выключение
snmpset -v 2c -c [community] [ip] .1.3.6.1.2.1.2.2.1.7.[port] i 2
включение
snmpset -v 2c -c [community] [ip] .1.3.6.1.2.1.2.2.1.7.[port] i 1

Включение выключение ip source guard на порту ES3528M
snmpset -v 2c -с [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.48.1.1.2.[port] i [012]
где 0 выключено, 1 IP-SIP, 2 IP-MAC-SIP

Включение выключение ip source guard на порту ES3510
snmpset -v 2c -с [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.48.1.1.2.[port] i [012]
где 0 выключено, 1 IP-SIP, 2 IP-MAC-SIP

включение выключение ip dhcp snooping ES3528M
глобальное включение ( ip dhcp snooping )
snmpset -v 2c -с [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.46.1.1.0 i [12]
1 включено, 2 выключено
включение 1, выключение 2 проверки мак адреса ( no ip dhcp snooping verify mac-address ) -
snmpset -v 2c -с [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.46.1.2.0 i [12]
включение 1, выключени 2 добавления option 82 -
snmpset -v 2c -с [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.46.1.3.0 i [12]
отбрасывать 1, сохранять 2, заменять 3 option 82
snmpset -v 2c -с [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.46.1.4.0 i [123]
установка идентификатора устройства Agent ID, mac-hex 1, mac-ascii 2, ip-hex 3, ip ascii 4, string 5
snmpset -v 2c -с [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.46.1.6.0 i [12345]
включение dhcp snooping на вилане, 1 включено, 2 выключено
snmpset -v 2c -с [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.46.2.1.1.2.[vlan] i [12]
делаем указанный порт доверенным 1, не доверенным 2
snmpset -v 2c -с [community] [ip] .1.3.6.1.4.1.259.6.10.94.1.46.3.1.1.2.[port] i [12]

включение выключение ip dhcp snooping ES3510
глобальное включение ( ip dhcp snooping )
snmpset -v 2c -с [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.46.1.1.0 i [12]
1 включено, 2 выключено
включение 1, выключение 2 проверки мак адреса ( no ip dhcp snooping verify mac-address ) -
snmpset -v 2c -с [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.46.1.2.0 i [12]
включение 1, выключени 2 добавления option 82 -
snmpset -v 2c -с [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.46.1.3.0 i [12]
отбрасывать 1, сохранять 2, заменять 3 option 82
snmpset -v 2c -с [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.46.1.4.0 i [123]
включение dhcp snooping на вилане, 1 включено, 2 выключено
snmpset -v 2c -с [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.46.2.1.1.2.[vlan] i [12]
делаем указанный порт доверенным 1, не доверенным 2
snmpset -v 2c -с [community] [ip] .1.3.6.1.4.1.259.8.1.5.1.46.3.1.1.2.[port] i [12]

Создание вилана на коммутаторе ES3528M и ES3510M

snmpset -v 2c -c [community] [ip] 1.3.6.1.2.1.17.7.1.4.3.1.5.[vlan] i [?]
где вместо ?, 6 удалить указанный вилан, 5 создать указанный вилан
далее неоходима активация вилана
snmpset -v 2c -c [community] [ip] 1.3.6.1.2.1.17.7.1.4.3.1.5.[vlan] i [12]
где 1 активировать, 2 деактивировать
укажем имя вилана
snmpset -v 2c -c [community] [ip] 1.3.6.1.2.1.17.7.1.4.3.1.1.[vlan] s [name]
добавление тегированных портов
snmpset -v 2c -c [community] [ip] 1.3.6.1.2.1.17.7.1.4.3.1.2.[vlan] x "f0 00 00 00"
добавление нетегированных портов
snmpset -v 2c -c [community] [ip] 1.3.6.1.2.1.17.7.1.4.3.1.4.[vlan] x "f0 00 00 00"
определение нейтив вилана на порту
snmpset -v 2c -c [community] [ip] 1.3.6.1.2.1.17.7.1.4.5.1.1.[port] u [vlan]
удаление вилана с портов
snmpset -v 2c -c [community] [ip] 1.3.6.1.2.1.17.7.1.4.3.1.2.[vlan] x "00 00 00 00"

Процесс понимания, чтоб не распонять :)
Похоже Hex-STRING отдаваемая с коммутатора содержит дополнительные байты данных, в целом нас интересует только
первые 7 байт для коммутаторов с 26 и 28 портами и первый три байта для 10 портовых коммутаторов.
порты определяются блоками по 4 бита в двоичном счислении с последующим преобразованием в шестнадцатеричный формат
для коммутатора с 28 портами все порты будут выглядеть как
1111 1111 1111 1111 1111 1111 1111 = FF FF FF F0
для коммутатора с 26 портами все порты будут выглядеть как
1111 1111 1111 1111 1111 1111 1100 - FF FF FF C0
для коммутатора с 10 портами все порты будут выглядеть как
1111 1111 1100 = FF C0
в каждом блоке из 4 бит последовательно указываются порты от первого в блоке до последнего
прим. портов в блоках порт 1 dec = 1000 bin, порт 2 dec = 0100 bin, 3 dec = 0010 bin, 4 dec = 0001 bin
в одном блоке указываются от 0 до 4 портов одновременно, допустимо любое значение в диапазоне от 0000 bin
до 1111 bin.
В дальшейшем двоичное значение блока преобразуется в шестнадцатеричное для передачи на устройство.

пример создание вилана на es3528m ( добавим вилан 2 на порты 11 и 18, порт 28 аплинк, назовем Test )

snmpset -v 2c -c Qorwnm12gT 10.100.10.19 1.3.6.1.2.1.17.7.1.4.3.1.5.2 i 5
snmpset -v 2c -c Qorwnm12gT 10.100.10.19 1.3.6.1.2.1.17.7.1.4.3.1.5.2 i 1
snmpset -v 2c -c Qorwnm12gT 10.100.10.19 1.3.6.1.2.1.17.7.1.4.3.1.1.2 s Test
добавим указанный вилан на порт 28 тегированный
snmpset -v 2c -c Qorwnm12gT 10.100.10.19 1.3.6.1.2.1.17.7.1.4.3.1.2.2 x "00 00 00 10"
добавляем порты 11 18 нетегированные
snmpset -v 2c -c Qorwnm12gT 10.100.10.19 1.3.6.1.2.1.17.7.1.4.3.1.4.2 x "00 20 40 00"
определение нейтив вилана на порту
snmpset -v 2c -c Qorwnm12gT 10.100.10.19 1.3.6.1.2.1.17.7.1.4.5.1.1.11 u 2
snmpset -v 2c -c Qorwnm12gT 10.100.10.19 1.3.6.1.2.1.17.7.1.4.5.1.1.18 u 2

Cisco ISG с комментариями

Все действия выполняются на

gw-regit#sh ver
Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 12.2(33)SRE1, RELEASE SOFTWARE (fc2)

Настройка L4 редиректа.

Разрешаем только 80 порт, правило необходимо для работы L4
редиректа на биллинг

Extended IP access list 197 (Compiled)
10 permit tcp any any eq www
20 permit tcp any eq www any
30 deny ip any any

Создаем классификатор определяющий какой трафик следует редиректить

class-map type traffic match-any CLASS-TO-REDIRECT
match access-group output 197
match access-group input 197

Создаем группу серверов для редиректа

redirect server-group REDIRECT_NOPAY
server ip [ip] port 80

Настройка Радиуса

Определяем Радиус сервер с которым мы будем работать

aaa group server radius ISG-RADIUS
server-private 10.255.15.6 auth-port 1812 acct-port 1813 key 7 бла-бла-бла
ip vrf forwarding v0:MANAG
ip radius source-interface Loopback0

В нашем случае сервер находится в vrf v0:MANAG. И для того чтоб не было разночтений при указании
NAS в настройках Радиус сервера явно указываем с какого интерфейса слать пакеты. В нашем случае это

interface Loopback0
description description ---GRT:MAIN:MGMT---
ip vrf forwarding v0:MANAG
ip address 10.255.0.1 255.255.255.255

Настройки Радиус сервера мы не рассматриваем, но в нашем случае это Lanbilling агент lbarcd.

Далее прописываем AAA

aaa authorization subscriber-service default local group ISG-RADIUS
aaa authentication login ISG-AUTH-1 group ISG-RADIUS
aaa authorization network ISG-AUTH-1 group ISG-RADIUS
aaa accounting network ISG-AUTH-1 start-stop group ISG-RADIUS

Для сервиса ISG-AUTH1 используем группу радиус серверов ISG-RADIUS
Не забываем добавить

aaa accounting update periodic 1 jitter maximum 0
aaa accounting delay-start

для посылки interim update пакетов

Интервал посылки определается на Радиус сервере в настройках сервиса, но не может быть менее 60 секунд
Для 60 секундного интервала добавляем

Acct-Interim-Interval = 60

Строка

aaa authorization subscriber-service default local group ISG-RADIUS

Определяет место расположение сервисов. В нашем случае сервисы можно определять как локально,
так и задавать на Радиус сервере.

Создание сервисов и политик

Создаем определение сервисов LOCAL и INET500
В LOCAL скорость на acl 196 ограничивается до 10000000 байт/сек
В INET500 acl 195 ограничивается скорость до 500000 байт/сек

Создаем access-list 196 и 195

Extended IP access list 196 (Compiled)
50 permit ip any any

Extended IP access list 195 (Compiled)
5 permit ip [ip] 0.0.3.255 [ip] 0.0.3.255
10 permit ip [ip] 0.0.3.255 [ip] 0.0.3.255
15 permit ip [ip] 0.0.3.255 [ip] 0.0.3.255
20 permit ip [ip] 0.0.3.255 [ip] 0.0.3.255
50 deny ip any any

В них определяем какие сети попадают под сервис.

Далее начинаем создавать упрявляющие политики

Данная политика редиректа будет применяться при проблемах у абонента :)
Хранится локально.

policy-map type service LOCAL_L4R
ip access-group 197 in
ip access-group 197 out
1 class type traffic CLASS-TO-REDIRECT
redirect to group REDIRECT_NOPAY
!
class type traffic default in-out
drop


Для последующей политики создаем требуемые класс мапы

В этот будет попадать неаудентифицированные клиенты

class-map type control match-all ISG-IP-UNAUTH
match timer UNAUTH-TIMER
match authen-status unauthenticated

Создаем две управляющии политики
первая для авторизации клиентов по IP адресам

policy-map type control ISG-IP-POLICY
class type control ISG-IP-UNAUTH event timed-policy-expiry
1 service disconnect
!
class type control always event quota-depleted
1 set-param drop-traffic FALSE
!
class type control always event credit-exhausted
1 service-policy type service name LOCAL_L4R
!
class type control always event session-start
10 authorize aaa list ISG-AUTH-1 password cisco identifier source-ip-address
20 set-timer UNAUTH-TIMER 1
30 service-policy type service name LOCAL_L4R

Вторая для авторизации на основе интерфейса

policy-map type control ISG-INTERFACE-POLICY
class type control ISG-IP-UNAUTH event timed-policy-expiry
1 service disconnect
!
class type control always event session-start
10 authorize aaa list ISG-AUTH-1 password cisco identifier nas-port
20 set-timer UNAUTH-TIMER 1
30 service-policy type service name LOCAL_L4R
!
class type control always event session-restart
10 authorize aaa list ISG-AUTH-1 password cisco identifier nas-port
20 set-timer UNAUTH-TIMER 1
30 service-policy type service name LOCAL_L4R


Разберем более подробно
1. class type control ISG-IP-UNAUTH event timed-policy-expiry
1 service disconnect
Все IP сессии ( flow ) попадающие в класс ISG-IP-UNAUTH ( то есть, неавторизованные ) рвем
2. class type control always event quota-depleted
1 set-param drop-traffic FALSE
Правило опеределяем политику поведения после наступления события quota-depleted ( исчерпания лимита трафика ),
трафик не отбрасывается, а продолжает маршрутизироваться, а вот после наступления credit-exhausted
3. class type control always event credit-exhausted
1 service-policy type service name LOCAL_L4R
выполняется редирект на quota-depleted
4. class type control always event session-start
10 authorize aaa list ISG-AUTH-1 password cisco identifier source-ip-address
20 set-timer UNAUTH-TIMER 1
30 service-policy type service name LOCAL_L4R
Тут определяем параметры инициализации сессии:
1. Производится авторизация с использованием aaa list ISG-AUTH-1 по source-ip-address
2. на случай неудачи устанавливается таймер UNAUTH-TIMER на одну минуту
3. выполняется сервис SERVICE_L4R

Пример создания сервисов в Радиусе

Создаем сервис для интернет трафика. Учитываем трафик по acl.
Передаем accounting update через 180 сек, разрываем соединение через 600 секунд
простоя. Для аккаунтинга используем группу ISG-AUTH-1.

PREPAID_INTERNET Cleartext-Password := "cisco"
Cisco-AVPair += "ip:traffic-class=in access-group 196 priority 200",
Cisco-AVPair += "ip:traffic-class=out access-group 196 priority 200",
Cisco-AVPair += "ip:traffic-class=out default drop",
Cisco-AVPair += "ip:traffic-class=in default drop",
Acct-Interim-Interval = 180,
Idle-Timeout = "600",
Cisco-AVPair += "subscriber:accounting-list=ISG-AUTH-1"

Пример сервиса для локального трафика, трафик мы не учитываем, только ограничиваем скорость по acl

LOCAL Password == "cisco"
Cisco-AVPair += "ip:traffic-class=in access-group 195",
Cisco-AVPair += "ip:traffic-class=in default drop",
Cisco-AVPair += "ip:traffic-class=out access-group 195",
Cisco-AVPair += "ip:traffic-class=out default drop",
Cisco-Service-Info += "QU;50000000;75000000;D;50000000;75000000"

Пример безлимитного интернет тарифа, полисер на 500000 бит/сек. Трафик по acl. Трафик считаем раз в 30 минут.

INET500 Password == "cisco"
Cisco-AVPair += "ip:traffic-class=in access-group 196",
Cisco-AVPair += "ip:traffic-class=in default drop",
Cisco-AVPair += "ip:traffic-class=out access-group 196",
Cisco-AVPair += "ip:traffic-class=out default drop",
Cisco-AVpair += "subscriber:accounting-list=ISG-AUTH-1",
Acct-Interim-Interval = 1800,
Cisco-Service-Info += "QU;500000;750000;D;500000;750000"


В настройках ip:traffic-class приоритет идет от большего к меньшему. В случае перекрывающихся acl назначать разные приоритеты.


Настройка сервисов локально на ISG

Опредаляем классы трафика

class-map type traffic match-any LOCAL
match access-group output 196
match access-group input 196

class-map type traffic match-any LOCAL
match access-group output 195
match access-group input 195

Создаем сами сервисы

policy-map type service LOCAL
5 class type traffic LOCAL
!
class type traffic default in-out
drop
!
!
policy-map type service INET500
200 class type traffic INET500
accounting aaa list ISG-AUTH-1
!
class type traffic default in-out
drop


Настройка freeradius для работы с ISG ( только и исключительно для тестирования )

В /etc/raddb/radiusd.conf указываем acc port, auth port
В /etc/raddb/clients.conf прописывает адрес NAS и пароль
В /etc/raddb/users создаем тестового пользователя и сервисы


[ip] Cleartext-Password := "cisco"
Framed-IP-Address = [ip],
Framed-IP-Netmask = 255.255.255.255,
Cisco-Account-Info += ALOCAL,
Cisco-Account-Info += NLOCAL,
Cisco-Account-Info += APREPAID_INTERNET



INET500 Cleartext-Password := "cisco"
Cisco-AVPair += "ip:traffic-class=in access-group 196 priority 200",
Cisco-AVPair += "ip:traffic-class=in default drop",
Cisco-AVPair += "ip:traffic-class=out access-group 196 priority 200",
Cisco-AVPair += "ip:traffic-class=out default drop",
Cisco-AVpair += "subscriber:accounting-list=ISG-AUTH-1",
Acct-Interim-Interval = 1800,
Idle-Timeout = "600" ,
Cisco-Service-Info += "QU;500000;750000;D;500000;750000"

LOCAL Cleartext-Password := "cisco"
Cisco-AVPair += "ip:traffic-class=in access-group 195 priority 5",
Cisco-AVPair += "ip:traffic-class=in default drop",
Cisco-AVPair += "ip:traffic-class=out access-group 195 priority 5",
Cisco-AVPair += "ip:traffic-class=out default drop",
Cisco-Service-Info += "QU;50000000;75000000;D;50000000;75000000"

PREPAID_INTERNET Cleartext-Password := "cisco"
Cisco-AVPair += "ip:traffic-class=in access-group 196 priority 200",
Cisco-AVPair += "ip:traffic-class=out access-group 196 priority 200",
Cisco-AVPair += "ip:traffic-class=out default drop",
Cisco-AVPair += "ip:traffic-class=in default drop",
Acct-Interim-Interval = 180,
Idle-Timeout = "600",
Cisco-AVPair += "subscriber:accounting-list=ISG-AUTH-1"


Пример создания сервиса редиректа на Радиус сервере.

SERVICE_L4R Cleartext-Password := "cisco"
Cisco-AVPair += "ip:l4redirect=redirect list 197 to group REDIRECT_NOPAY",
Cisco-AVpair += "traffic-class=input access-group 197",
Cisco-AVpair += "traffic-class=output access-group 197",
Cisco-AVPair += "ip:traffic-class=out default drop",
Cisco-AVPair += "ip:traffic-class=in default drop",
Idle-Timeout = "600"

Запускаем sudo /usr/sbin/radiusd -X

Смотрим в логи

Ready to process requests.
rad_recv: Access-Request packet from host 10.255.0.1 port 1645, id=14, length=155
User-Name = "[ip]"
User-Password = "cisco"
Framed-IP-Address = [ip]
Cisco-Account-Info = "S[ip]"
NAS-Port-Type = Virtual
Cisco-NAS-Port = "0/0/3/1499"
NAS-Port = 0
NAS-Port-Id = "0/0/3/1499"
Service-Type = Dialout-Framed-User
NAS-IP-Address = 10.255.0.1
Acct-Session-Id = "0000000000002015"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "[ip]", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry [ip] at line 87
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "cisco"
[pap] Using clear text password "cisco"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 14 to 10.255.0.1 port 1645
Framed-IP-Address = [ip]
Framed-IP-Netmask = 255.255.255.255
Cisco-Account-Info += "ALOCAL"
Cisco-Account-Info += "NLOCAL"
Cisco-Account-Info += "APREPAID_INTERNET"
Finished request 9.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.255.0.1 port 1645, id=15, length=128
User-Password = "cisco"
User-Name = "PREPAID_INTERNET"
NAS-Port-Type = Virtual
Cisco-NAS-Port = "0/0/3/1499"
NAS-Port = 0
NAS-Port-Id = "0/0/3/1499"
Service-Type = Dialout-Framed-User
NAS-IP-Address = 10.255.0.1
Acct-Session-Id = "0000000000002015"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "PREPAID_INTERNET", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry PREPAID_INTERNET at line 217
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "cisco"
[pap] Using clear text password "cisco"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 15 to 10.255.0.1 port 1645
Cisco-AVPair += "ip:traffic-class=in access-group 196 priority 200"
Cisco-AVPair += "ip:traffic-class=out access-group 196 priority 200"
Cisco-AVPair += "ip:traffic-class=out default drop"
Cisco-AVPair += "ip:traffic-class=in default drop"
Acct-Interim-Interval = 180
Idle-Timeout = 600
Cisco-AVPair += "subscriber:accounting-list=ISG-AUTH-1"
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.255.0.1 port 1645, id=16, length=117
User-Password = "cisco"
User-Name = "LOCAL"
NAS-Port-Type = Virtual
Cisco-NAS-Port = "0/0/3/1499"
NAS-Port = 0
NAS-Port-Id = "0/0/3/1499"
Service-Type = Dialout-Framed-User
NAS-IP-Address = 10.255.0.1
Acct-Session-Id = "0000000000002015"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "LOCAL", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry LOCAL at line 237
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "cisco"
[pap] Using clear text password "cisco"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 16 to 10.255.0.1 port 1645
Cisco-AVPair += "ip:traffic-class=in access-group 195 priority 5"
Cisco-AVPair += "ip:traffic-class=in default drop"
Cisco-AVPair += "ip:traffic-class=out access-group 195 priority 5"
Cisco-AVPair += "ip:traffic-class=out default drop"
Cisco-Service-Info += "QU;50000000;75000000;D;50000000;75000000"
Finished request 11.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.255.0.1 port 1646, id=46, length=224
Acct-Session-Id = "0000000000002016"
Framed-Protocol = PPP
Cisco-Service-Info = "NPREPAID_INTERNET"
Cisco-AVPair = "parent-session-id=0000000000002015"
User-Name = "[ip]"
Acct-Status-Type = Start
Framed-IP-Address = [ip]
NAS-Port-Type = Virtual
Cisco-NAS-Port = "0/0/3/1499"
NAS-Port = 0
NAS-Port-Id = "0/0/3/1499"
Service-Type = Framed-User
NAS-IP-Address = 10.255.0.1
Event-Timestamp = "Jul 22 2010 15:07:10 NOVST"
NAS-Identifier = "bla-bla"
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.255.0.1,NAS-IP-Address = 10.255.0.1,Acct-Session-Id = "0000000000002016",User-Name = "[ip]"'
[acct_unique] Acct-Unique-Session-ID = "e14be63c61da7b4a".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "[ip]", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/10.255.0.1/detail-20100722
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/10.255.0.1/detail-20100722
[detail] expand: %t -> Thu Jul 22 15:07:10 2010
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> [ip]
++[radutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> [ip]
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 46 to 10.255.0.1 port 1646
Finished request 12.
Cleaning up request 12 ID 46 with timestamp +908
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 9 ID 14 with timestamp +908
Cleaning up request 10 ID 15 with timestamp +908
Cleaning up request 11 ID 16 with timestamp +908
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.255.0.1 port 1646, id=47, length=289
Acct-Session-Id = "0000000000002016"
Framed-Protocol = PPP
Cisco-Service-Info = "NPREPAID_INTERNET"
Cisco-AVPair = "parent-session-id=0000000000002015"
User-Name = "[ip]"
Cisco-Control-Info = "I0;361188"
Cisco-Control-Info = "O0;5173501"
Acct-Input-Packets = 9015
Acct-Output-Packets = 9037
Acct-Input-Octets = 361188
Acct-Output-Octets = 5173501
Acct-Session-Time = 197
Acct-Status-Type = Interim-Update
Framed-IP-Address = [ip]
NAS-Port-Type = Virtual
Cisco-NAS-Port = "0/0/3/1499"
NAS-Port = 0
NAS-Port-Id = "0/0/3/1499"
Service-Type = Framed-User
NAS-IP-Address = 10.255.0.1
Event-Timestamp = "Jul 22 2010 15:10:27 NOVST"
NAS-Identifier = "bla-bla"
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 10.255.0.1,NAS-IP-Address = 10.255.0.1,Acct-Session-Id = "0000000000002016",User-Name = "[ip]"'
[acct_unique] Acct-Unique-Session-ID = "e14be63c61da7b4a".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "[ip]", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/10.255.0.1/detail-20100722
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/10.255.0.1/detail-20100722
[detail] expand: %t -> Thu Jul 22 15:10:27 2010
++[detail] returns ok
++[unix] returns noop
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> [ip]
++[radutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> [ip]
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 47 to 10.255.0.1 port 1646
Finished request 13.
Cleaning up request 13 ID 47 with timestamp +1105
Going to the next request
Ready to process requests.


Смотрим на ISG

gw-regit#sh subscriber session detailed
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Unique Session ID: 19
Identifier:
SIP subscriber access type(s): Traffic-Class
Current SIP options: None
Session Up-time: 00:06:11, Last Changed: 00:06:11

Policy information:
Context 0E3F2C34: Handle 7B0009E1
AAA_id 000008FB: Flow_handle 1
Authentication status: unauthen
Downloaded User profile, including services:
traffic-class "in access-group 196 priority 200"
traffic-class "out access-group 196 priority 200"
traffic-class "out default drop"
traffic-class "in default drop"
idletime 600 (0x258)
accounting-list "ISG-AUTH-1"
Config history for session (recent to oldest):
Access-type: Web-service-logon Client: Service Command-Handler
Policy event: Service-Start (Service)
Profile name: PREPAID_INTERNET, 4 references
traffic-class "in access-group 196 priority 200"
traffic-class "out access-group 196 priority 200"
traffic-class "out default drop"
traffic-class "in default drop"
idletime 600 (0x258)
accounting-list "ISG-AUTH-1"

Session inbound features:
Feature: Service accounting
Service: PREPAID_INTERNET
Method List: ISG-AUTH-1
Packets = 9015, Bytes = 361188

Session outbound features:
Feature: IP Idle Timeout
Timeout value is 600
Idle time is 00:03:26
Feature: Service accounting
Service: PREPAID_INTERNET
Method List: ISG-AUTH-1
Packets = 9037, Bytes = 5173501

Configuration sources associated with this session:
Service: PREPAID_INTERNET, Active Time = 00:06:11

--------------------------------------------------
Unique Session ID: 21
Identifier:
SIP subscriber access type(s): Traffic-Class
Current SIP options: None
Session Up-time: 00:06:11, Last Changed: 00:06:11

Policy information:
Context 0E3F209C: Handle 990009E2
AAA_id 000008FB: Flow_handle 0
Authentication status: unauthen
Downloaded User profile, including services:
traffic-class "in access-group 195 priority 5"
traffic-class "in default drop"
traffic-class "out access-group 195 priority 5"
traffic-class "out default drop"
ssg-service-info "QU;50000000;75000000;D;50000000;75000000"
Config history for session (recent to oldest):
Access-type: Web-service-logon Client: Service Command-Handler
Policy event: Service-Start (Service)
Profile name: LOCAL, 4 references
traffic-class "in access-group 195 priority 5"
traffic-class "in default drop"
traffic-class "out access-group 195 priority 5"
traffic-class "out default drop"
ssg-service-info "QU;50000000;75000000;D;50000000;75000000"

Session inbound features:
Feature: Policing
Upstream Params:
Average rate = 50000000, Normal burst = 75000000, Excess burst = 0
Config level = Service Profile

Session outbound features:
Feature: Policing
Dnstream Params:
Average rate = 50000000, Normal burst = 75000000, Excess burst = 0
Config level = Service Profile

Configuration sources associated with this session:
Service: LOCAL, Active Time = 00:06:11

--------------------------------------------------
Unique Session ID: 18
Identifier: [ip]
SIP subscriber access type(s): IP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 00:06:11, Last Changed: 00:06:11

Policy information:
Context 0E3F32D4: Handle FF0009E0
AAA_id 000008FB: Flow_handle 0
Authentication status: authen
Downloaded User profile, excluding services:
addr [ip]
route "[ip] 255.255.255.255"
netmask 255.255.255.255
ssg-account-info "ALOCAL"
ssg-account-info "NLOCAL"
ssg-account-info "APREPAID_INTERNET"
Downloaded User profile, including services:
addr [ip]
route "[ip] 255.255.255.255"
netmask 255.255.255.255
ssg-account-info "ALOCAL"
ssg-account-info "NLOCAL"
ssg-account-info "APREPAID_INTERNET"
idletime 600 (0x258)
accounting-list "ISG-AUTH-1"
traffic-class "in access-group 195 priority 5"
traffic-class "in default drop"
traffic-class "out access-group 195 priority 5"
traffic-class "out default drop"
ssg-service-info "QU;50000000;75000000;D;50000000;75000000"
Config history for session (recent to oldest):
Access-type: Web-service-logon Client: SM
Policy event: Apply Config Success (Service)
Profile name: LOCAL, 4 references
traffic-class "in access-group 195 priority 5"
traffic-class "in default drop"
traffic-class "out access-group 195 priority 5"
traffic-class "out default drop"
ssg-service-info "QU;50000000;75000000;D;50000000;75000000"
Access-type: Web-service-logon Client: SM
Policy event: Apply Config Success (Service)
Profile name: PREPAID_INTERNET, 4 references
traffic-class "in access-group 196 priority 200"
traffic-class "out access-group 196 priority 200"
traffic-class "out default drop"
traffic-class "in default drop"
idletime 600 (0x258)
accounting-list "ISG-AUTH-1"
Access-type: IP Client: SM
Policy event: Service Selection Request
Profile name: [ip], 2 references
addr [ip]
route "[ip] 255.255.255.255"
netmask 255.255.255.255
ssg-account-info "ALOCAL"
ssg-account-info "NLOCAL"
ssg-account-info "APREPAID_INTERNET"
Active services associated with session:
name "LOCAL"
name "PREPAID_INTERNET"
Rules, actions and conditions executed:
subscriber rule-map ISG-CUSTOMERS-POLICY
condition always event session-start
10 authorize aaa list ISG-AUTH-1 identifier source-ip-address

Session inbound features:
Traffic classes:
Traffic class session ID: 19
ACL Name: 196, Packets = 9015, Bytes = 361188
Traffic class session ID: 21
ACL Name: 195, Packets = 0, Bytes = 0
Default traffic is dropped
Unmatched Packets = 0, Re-classified packets (redirected) = 0

Session outbound features:
Traffic classes:
Traffic class session ID: 19
ACL Name: 196, Packets = 9037, Bytes = 5173501
Traffic class session ID: 21
ACL Name: 195, Packets = 0, Bytes = 0
Default traffic is dropped
Unmatched Packets = 0, Re-classified packets (redirected) = 0

Configuration sources associated with this session:
Service: LOCAL, Active Time = 00:06:11
Service: PREPAID_INTERNET, Active Time = 00:06:11
AAA Service ID = 2701131798
Interface: GigabitEthernet0/3.1499, Active Time = 00:06:11


К сожалению по истечению таймера сессия не поднимается

Active services associated with session:
name "LOCAL"
Rules, actions and conditions executed:
subscriber rule-map ISG-IP-POLICY
condition always event session-start
10 authorize aaa list ISG-AUTH-1 identifier source-ip-address
subscriber rule-map default-internal-rule
condition always event idle-timeout
1 disconnect

Возможно косяк иоса, возможно не все настроено.

Пример настройки авторизации сессии по интерфейсу

policy-map type control ISG-INTERFACE-POLICY
class type control always event session-start
10 authorize aaa list ISG-AUTH-1 password cisco identifier nas-port
20 set-timer UNAUTH-TIMER 1
30 service-policy type service name LOCAL_L4R

interface GigabitEthernet0/3.1499
description --- ISG_TEST_Subscriber ---
encapsulation dot1Q 1499
ip address [ip] 255.255.255.248
service-policy type control ISG-INTERFACE-POLICY
ip subscriber interface

в Радиусе

rad_recv: Accounting-Request packet from host 10.255.0.1 port 1646, id=79, length=333
Acct-Session-Id = "0000000000002842"
Framed-Protocol = PPP
Cisco-Service-Info = "NPREPAID_INTERNET"
Cisco-AVPair = "parent-session-id=0000000000002841"
User-Name = "nas-port:10.255.0.1:0/0/3/1499"
Cisco-Control-Info = "I0;0"
Cisco-Control-Info = "O0;0"
Acct-Input-Packets = 0
Acct-Output-Packets = 0
Acct-Input-Octets = 0
Acct-Output-Octets = 0
Acct-Session-Time = 247
Acct-Terminate-Cause = Admin-Reset
Cisco-AVPair = "disc-cause-ext=Local Admin Disc"
Acct-Status-Type = Stop
NAS-Port-Type = Ethernet
Cisco-NAS-Port = "0/0/3/1499"
NAS-Port = 10305
NAS-Port-Id = "0/0/3/1499"
Service-Type = Framed-User
NAS-IP-Address = 10.255.0.1
Event-Timestamp = "Jul 29 2010 11:34:05 NOVST"
NAS-Identifier = "bla-bla"
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 10305,Client-IP-Address = 10.255.0.1,NAS-IP-Address = 10.255.0.1,Acct-Session-Id = "0000000000002842",User-Name = "nas-port:10.255.0.1:0/0/3/1499"'
[acct_unique] Acct-Unique-Session-ID = "b7405bd7c4f5ffca".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "nas-port:10.255.0.1:0/0/3/1499", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/10.255.0.1/detail-20100729
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/10.255.0.1/detail-20100729
[detail] expand: %t -> Thu Jul 29 11:34:05 2010
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> nas-port:10.255.0.1:0/0/3/1499
++[radutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> nas-port:10.255.0.1:0/0/3/1499
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 79 to 10.255.0.1 port 1646
Finished request 0.
Cleaning up request 0 ID 79 with timestamp +3
Going to the next request
Ready to process requests.
rad_recv: Access-Request packet from host 10.255.0.1 port 1645, id=177, length=148
User-Name = "nas-port:10.255.0.1:0/0/3/1499"
User-Password = "cisco"
NAS-Port-Type = Ethernet
Cisco-NAS-Port = "0/0/3/1499"
NAS-Port = 10310
NAS-Port-Id = "0/0/3/1499"
Service-Type = Dialout-Framed-User
NAS-IP-Address = 10.255.0.1
Acct-Session-Id = "0000000000002846"
Event-Timestamp = "Jul 29 2010 11:34:05 NOVST"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "nas-port:10.255.0.1:0/0/3/1499", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry nas-port:10.255.0.1:0/0/3/1499 at line 95
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "cisco"
[pap] Using clear text password "cisco"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 177 to 10.255.0.1 port 1645
Framed-IP-Address = [ip]
Framed-IP-Netmask = 255.255.255.255
Cisco-Account-Info += "ALOCAL"
Cisco-Account-Info += "APREPAID_INTERNET"
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.255.0.1 port 1645, id=178, length=134
User-Password = "cisco"
User-Name = "PREPAID_INTERNET"
NAS-Port-Type = Ethernet
Cisco-NAS-Port = "0/0/3/1499"
NAS-Port = 10310
NAS-Port-Id = "0/0/3/1499"
Service-Type = Dialout-Framed-User
NAS-IP-Address = 10.255.0.1
Acct-Session-Id = "0000000000002846"
Event-Timestamp = "Jul 29 2010 11:34:05 NOVST"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "PREPAID_INTERNET", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry PREPAID_INTERNET at line 222
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "cisco"
[pap] Using clear text password "cisco"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 178 to 10.255.0.1 port 1645
Cisco-AVPair += "ip:traffic-class=in access-group 196 priority 200"
Cisco-AVPair += "ip:traffic-class=out access-group 196 priority 200"
Cisco-AVPair += "ip:traffic-class=out default drop"
Cisco-AVPair += "ip:traffic-class=in default drop"
Acct-Interim-Interval = 180
Idle-Timeout = 600
Cisco-AVPair += "subscriber:accounting-list=ISG-AUTH-1"
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.255.0.1 port 1645, id=179, length=123
User-Password = "cisco"
User-Name = "LOCAL"
NAS-Port-Type = Ethernet
Cisco-NAS-Port = "0/0/3/1499"
NAS-Port = 10310
NAS-Port-Id = "0/0/3/1499"
Service-Type = Dialout-Framed-User
NAS-IP-Address = 10.255.0.1
Acct-Session-Id = "0000000000002846"
Event-Timestamp = "Jul 29 2010 11:34:05 NOVST"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "LOCAL", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry LOCAL at line 242
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "cisco"
[pap] Using clear text password "cisco"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 179 to 10.255.0.1 port 1645
Cisco-AVPair += "ip:traffic-class=in access-group 195 priority 5"
Cisco-AVPair += "ip:traffic-class=in default drop"
Cisco-AVPair += "ip:traffic-class=out access-group 195 priority 5"
Cisco-AVPair += "ip:traffic-class=out default drop"
Cisco-Service-Info += "QU;50000000;75000000;D;50000000;75000000"
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.255.0.1 port 1646, id=80, length=234
Acct-Session-Id = "0000000000002847"
Framed-Protocol = PPP
Cisco-Service-Info = "NPREPAID_INTERNET"
Cisco-AVPair = "parent-session-id=0000000000002846"
User-Name = "nas-port:10.255.0.1:0/0/3/1499"
Acct-Status-Type = Start
NAS-Port-Type = Ethernet
Cisco-NAS-Port = "0/0/3/1499"
NAS-Port = 10310
NAS-Port-Id = "0/0/3/1499"
Service-Type = Framed-User
NAS-IP-Address = 10.255.0.1
Event-Timestamp = "Jul 29 2010 11:34:05 NOVST"
NAS-Identifier = "bla-bla"
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 10310,Client-IP-Address = 10.255.0.1,NAS-IP-Address = 10.255.0.1,Acct-Session-Id = "0000000000002847",User-Name = "nas-port:10.255.0.1:0/0/3/1499"'
[acct_unique] Acct-Unique-Session-ID = "6b97f5bd043f032f".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "nas-port:10.255.0.1:0/0/3/1499", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting {...}
[detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/10.255.0.1/detail-20100729
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/10.255.0.1/detail-20100729
[detail] expand: %t -> Thu Jul 29 11:34:05 2010
++[detail] returns ok
++[unix] returns ok
[radutmp] expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp] expand: %{User-Name} -> nas-port:10.255.0.1:0/0/3/1499
++[radutmp] returns ok
[attr_filter.accounting_response] expand: %{User-Name} -> nas-port:10.255.0.1:0/0/3/1499
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 80 to 10.255.0.1 port 1646
Finished request 4.
Cleaning up request 4 ID 80 with timestamp +3
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 177 with timestamp +3
Cleaning up request 2 ID 178 with timestamp +3
Cleaning up request 3 ID 179 with timestamp +3
Ready to process requests.


Профиль абонента

nas-port:10.255.0.1:0/0/3/1499 Cleartext-Password := "cisco"
Cisco-Account-Info += ALOCAL,
Cisco-Account-Info += APREPAID_INTERNET

На ISG

gw-regit#sh subscriber session detailed
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Unique Session ID: 509
Identifier:
SIP subscriber access type(s): Traffic-Class
Current SIP options: None
Session Up-time: 00:01:09, Last Changed: 00:01:10

Policy information:
Context 0E3F2C34: Handle CA000F5A
AAA_id 00000C01: Flow_handle 1
Authentication status: unauthen
Downloaded User profile, including services:
traffic-class "in access-group 196 priority 200"
traffic-class "out access-group 196 priority 200"
traffic-class "out default drop"
traffic-class "in default drop"
idletime 600 (0x258)
accounting-list "ISG-AUTH-1"
Config history for session (recent to oldest):
Access-type: Web-service-logon Client: Service Command-Handler
Policy event: Service-Start (Service)
Profile name: PREPAID_INTERNET, 4 references
traffic-class "in access-group 196 priority 200"
traffic-class "out access-group 196 priority 200"
traffic-class "out default drop"
traffic-class "in default drop"
idletime 600 (0x258)
accounting-list "ISG-AUTH-1"

Session inbound features:
Feature: Service accounting
Service: PREPAID_INTERNET
Method List: ISG-AUTH-1
Packets = 0, Bytes = 0

Session outbound features:
Feature: IP Idle Timeout
Timeout value is 600
Idle time is 00:01:09
Feature: Service accounting
Service: PREPAID_INTERNET
Method List: ISG-AUTH-1
Packets = 0, Bytes = 0

Configuration sources associated with this session:
Service: PREPAID_INTERNET, Active Time = 00:01:09

--------------------------------------------------
Unique Session ID: 511
Identifier:
SIP subscriber access type(s): Traffic-Class
Current SIP options: None
Session Up-time: 00:01:09, Last Changed: 00:01:09

Policy information:
Context 0E3F209C: Handle 7F000F5B
AAA_id 00000C01: Flow_handle 0
Authentication status: unauthen
Downloaded User profile, including services:
traffic-class "in access-group 195 priority 5"
traffic-class "in default drop"
traffic-class "out access-group 195 priority 5"
traffic-class "out default drop"
ssg-service-info "QU;50000000;75000000;D;50000000;75000000"
Config history for session (recent to oldest):
Access-type: Web-service-logon Client: Service Command-Handler
Policy event: Service-Start (Service)
Profile name: LOCAL, 4 references
traffic-class "in access-group 195 priority 5"
traffic-class "in default drop"
traffic-class "out access-group 195 priority 5"
traffic-class "out default drop"
ssg-service-info "QU;50000000;75000000;D;50000000;75000000"

Session inbound features:
Feature: Policing
Upstream Params:
Average rate = 50000000, Normal burst = 75000000, Excess burst = 0
Config level = Service Profile

Session outbound features:
Feature: Policing
Dnstream Params:
Average rate = 50000000, Normal burst = 75000000, Excess burst = 0
Config level = Service Profile

Configuration sources associated with this session:
Service: LOCAL, Active Time = 00:01:09

--------------------------------------------------
Unique Session ID: 510
Identifier: nas-port:10.255.0.1:0/0/3/1499
SIP subscriber access type(s): IP-Interface
Current SIP options: None
Session Up-time: 00:01:10, Last Changed: 00:01:09
Interface: GigabitEthernet0/3.1499

Policy information:
Context 0E3F32D4: Handle E3000F59
AAA_id 00000C01: Flow_handle 0
Authentication status: authen
Downloaded User profile, excluding services:
addr [ip]
route "[ip] 255.255.255.255"
netmask 255.255.255.255
ssg-account-info "ALOCAL"
ssg-account-info "APREPAID_INTERNET"
Downloaded User profile, including services:
addr [ip]
route "[ip] 255.255.255.255"
netmask 255.255.255.255
ssg-account-info "ALOCAL"
ssg-account-info "APREPAID_INTERNET"
idletime 600 (0x258)
accounting-list "ISG-AUTH-1"
traffic-class "in access-group 195 priority 5"
traffic-class "in default drop"
traffic-class "out access-group 195 priority 5"
traffic-class "out default drop"
ssg-service-info "QU;50000000;75000000;D;50000000;75000000"
Config history for session (recent to oldest):
Access-type: Web-service-logon Client: SM
Policy event: Apply Config Success (Service)
Profile name: LOCAL, 4 references
traffic-class "in access-group 195 priority 5"
traffic-class "in default drop"
traffic-class "out access-group 195 priority 5"
traffic-class "out default drop"
ssg-service-info "QU;50000000;75000000;D;50000000;75000000"
Access-type: Web-service-logon Client: SM
Policy event: Apply Config Success (Service)
Profile name: PREPAID_INTERNET, 4 references
traffic-class "in access-group 196 priority 200"
traffic-class "out access-group 196 priority 200"
traffic-class "out default drop"
traffic-class "in default drop"
idletime 600 (0x258)
accounting-list "ISG-AUTH-1"
Access-type: IP-Interface Client: SM
Policy event: Service Selection Request
Profile name: nas-port:10.255.0.1:0/0/3/1499, 2 references
addr [ip]
route "[ip] 255.255.255.255"
netmask 255.255.255.255
ssg-account-info "ALOCAL"
ssg-account-info "APREPAID_INTERNET"
Active services associated with session:
name "LOCAL"
name "PREPAID_INTERNET"
Rules, actions and conditions executed:
subscriber rule-map ISG-INTERFACE-POLICY
condition always event session-start
10 authorize aaa list ISG-AUTH-1 identifier nas-port

Session inbound features:
Traffic classes:
Traffic class session ID: 509
ACL Name: 196, Packets = 0, Bytes = 0
Traffic class session ID: 511
ACL Name: 195, Packets = 0, Bytes = 0
Default traffic is dropped
Unmatched Packets = 0, Re-classified packets (redirected) = 0

Session outbound features:
Traffic classes:
Traffic class session ID: 509
ACL Name: 196, Packets = 0, Bytes = 0
Traffic class session ID: 511
ACL Name: 195, Packets = 0, Bytes = 0
Default traffic is dropped
Unmatched Packets = 0, Re-classified packets (redirected) = 0

Non-datapath features:
Feature: IP Config
Peer IP Address: [ip] (F/F)
Address Pool: [None] (F)
Unnumbered Intf: [None]
Feature: Static Routes

Configuration sources associated with this session:
Service: LOCAL, Active Time = 00:01:10
Service: PREPAID_INTERNET, Active Time = 00:01:10
AAA Service ID = 2919235614
Interface: GigabitEthernet0/3.1499, Active Time = 00:01:10


Организация приема CoA пакетов от Радиус сервера

aaa server radius dynamic-author
client 10.255.15.6 vrf v0:MANAG server-key 7 01100F1758040F1C26

Первая строка указывает что использовать надо RFC 3576
Вторая данные клиента определяет.

Совместная настройка IP Unnumbered + dhcp + ISG


Необходимые параметры на ISG на релэя DHCP+opt82 на DHCP сервер.
включаем dhcp
service dhcp
включаем поддержку option82
ip dhcp relay information option
сохраняем пришедшую информацию
ip dhcp relay information policy keep
отключаем проверку пересылаемой информации, не царское это дело
no ip dhcp relay information check
не дропаем пакеты уже содержащии option82
ip dhcp relay information trust-all
Ну и на интерфейсе включаем пересылку dhcp пакетов на указанный dhcp сервер
ip helper-address vrf v0:MANAG 10.255.15.5
Необязательные параметры
не используем vrf информацию для выдачи адресов
no ip dhcp use vrf connected
через сколько секунд убивать привязку
ip dhcp binding cleanup interval 600

Естественно на ISG должны приходить DHCP запросы с option82. На коммутаторе Edge-Core ES3526 ( на ES3528M так же ) это будет выглядеть так
включаем снупинг
ip dhcp snooping
указываем с какими виланами работать
ip dhcp snooping vlan 1498
добавляем option82
ip dhcp snooping information option
сказываем что использовать в agent id
ip dhcp snooping information option remote-id ip-address
не проверять маки
no ip dhcp snooping verify mac-address
сохранять информацию option 82 если она есть
ip dhcp snooping information policy keep

Ну и разрешаем прием dhcp пакетов на интерфейсе
ip dhcp snooping trust
на аплинк порту.

После этого мы увидим
на Cisco 7201
gw-regit#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
[ip] 000e.08dd.b2bf Aug 03 2010 02:09 PM Relay
на es3526
Lenina-3-0#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
----------------- --------------- ---------- -------------------- ---- ---------
00-0e-08-dd-b2-bf [ip] 282 dhcp-snooping 1498 Eth 1/16

Если абонент подключенный по ip unnumbered жаждет статики без dhcp то придется прописать маршрут

gw-regit(config)#ip route [ip] 255.255.255.255 gigabitEthernet 0/3.1499

вторник, 30 июня 2009 г.

NOC for ISP

Остаются же еще великие люди в нашем государстве...
Открыл для себя проект http://www.nocproject.org/. Для ISP вещь которую очень сложно переоценить, незначительные проблемы списываются на версию 0.2.5.
На ubuntu 9.04 стала в пол пинка, вникаю...

воскресенье, 28 июня 2009 г.

Коротко

Как посмотреть количество МАК в arp таблице коммутатора Cisco -

snmpwalk -v 2c -c [community] [ip] ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress | wc -l

Как снять показания с карты сетевого мониторинга ИБП N-Power -

snmpwalk [ip] -c [community] -v 1 iso.3.6.1.2.1.33.1.3.3.1.3.1 текущее входное напряжение
snmpwalk [ip] -c [community] -v 1 iso.3.6.1.2.1.33.1.2.4.0 процент заряда акб
snmpwalk [ip] -c [community] -v 1 iso.3.6.1.2.1.33.1.2.5.0 нагрузка в %