! Global platform settings for ISG-1 (IOS 12.2-era syntax).
version 12.2
! Millisecond timestamps on debug and log output — keep these; they are
! what lets syslog be correlated with the RADIUS/CoA side.
service timestamps debug datetime msec
service timestamps log datetime msec
! Type 7 "encryption" is reversible obfuscation, not protection: anyone
! who can read this file can recover every `key 7` value below. Treat the
! config itself as a secret; prefer `secret` forms where the release
! supports them.
service password-encryption
!
hostname ISG-1
!
boot-start-marker
boot-end-marker
!
! Out-of-band management VRF. The only interface placed in it in this
! config is GigabitEthernet0, which is shut down.
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
! Type 5 (MD5) enable secret — acceptable for this release; newer IOS
! offers type 8/9 (PBKDF2/scrypt), which should be preferred when available.
enable secret 5 XXXXXX
!
! Turns on the AAA method lists defined below; with new-model, every line
! (con/aux/vty) uses the `default` login list unless explicitly overridden.
aaa new-model
!
! RADIUS server groups. Every group is reached through the `radius` VRF
! (`ip vrf forwarding radius` below, plus the Te0/2/0.13 sub-interface), so
! RADIUS traffic never shares a routing table with subscriber traffic.
! All shared secrets are type 7 (reversible) — see the note at the top.
!
! Subscriber (client) authentication / authorization servers.
aaa group server radius RG-ISG-AUTH
server-private 172.22.2.24 auth-port 1812 acct-port 1813 key 7 XXXXXX
server-private 172.22.2.25 auth-port 1812 acct-port 1813 key 7 XXXXXX
ip vrf forwarding radius
!
! Subscriber accounting server (single host, no backup in the group).
aaa group server radius RG-ISG-ACC
server-private 172.22.2.26 auth-port 1812 acct-port 1813 key 7 XXXXXX
ip vrf forwarding radius
!
! Service-profile authorization: same hosts as RG-ISG-AUTH but on
! 1814/1815 — presumably a second listener per host.
aaa group server radius RG-ISG-SRV
server-private 172.22.2.24 auth-port 1814 acct-port 1815 key 7 XXXXXX
server-private 172.22.2.25 auth-port 1814 acct-port 1815 key 7 XXXXXX
ip vrf forwarding radius
!
! Administrator (device login) authentication. One server only; the
! `default` login list supplies the local fallback. Like the other groups,
! this exchange happens inside the separate `radius` VRF.
aaa group server radius ADMIN-AUTH
server-private 172.22.2.4 auth-port 1812 acct-port 1813 key 7 XXXXXX
ip vrf forwarding radius
!
! AAA method lists.
! Device login: `local` is tried FIRST, then the ADMIN-AUTH RADIUS group.
! Local-first means a local account can log in without RADIUS ever seeing
! it (no central audit trail for that login). If the intent is "RADIUS,
! with local only when RADIUS is down", the order should be
! `group ADMIN-AUTH local`. No `username` lines are visible in this copy
! (possibly redacted); on most releases an unknown local user simply falls
! through to the next method.
aaa authentication login default local group ADMIN-AUTH
! A `none` list named `console` exists but is NOT bound to `line con 0`
! below, so the console still uses the default list. If anyone later adds
! `login authentication console` to the console line, it becomes
! unauthenticated — consider removing this list if it is not intended.
aaa authentication login console none
! Subscriber session authentication/authorization against RG-ISG-AUTH.
aaa authentication login ISG-AUTH group RG-ISG-AUTH
aaa authorization network ISG-AUTH group RG-ISG-AUTH
! Service names attached to a session are resolved from the local
! `policy-map type service` definitions first, then from RG-ISG-SRV.
aaa authorization subscriber-service default local group RG-ISG-SRV
! Start/stop accounting for subscriber sessions. No `aaa accounting exec`
! or `commands` list is present here, so administrator activity is not
! accounted centrally (unless that was redacted).
aaa accounting network Account start-stop group RG-ISG-ACC
!
!
!
!
! RADIUS Change-of-Authorization (CoA) / Disconnect listener.
! The single permitted CoA client is a PUBLIC address (195.1.226.59)
! reached through the global table — unlike the RADIUS servers, which live
! in the `radius` VRF. The `control-plane` section below is empty (no
! CoPP), so protection of this listener rests on the client match and the
! shared key alone.
! NOTE(review): `ignore session-key` / `ignore server-key` relax the
! checks applied to incoming CoA/Disconnect requests, and `auth-type any`
! accepts either identification mode — confirm on this release exactly
! what is bypassed. If shared-secret validation is among it, anything that
! can spoof 195.1.226.59 can tear down or re-authorize subscriber sessions.
aaa server radius dynamic-author
client 195.1.226.59 server-key 7 XXXXXX
auth-type any
ignore session-key
ignore server-key
!
! One accounting session-id shared by all records of a session.
aaa session-id common
! Local time settings. Log timestamps (and the NIGHT time-range below) are
! derived from this clock — verify the summer-time rule still matches
! current local practice so timestamps line up with the billing side.
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00
! Discard packets carrying IP source-route options (good practice on any
! subscriber-facing device).
no ip source-route
! VRFs used by the ISG VRF-transfer services and for RADIUS isolation.
! DNAT: subscribers with private (10/8) addresses steered to NAT boxes
! via route-map toNAT.
ip vrf DNAT
rd 8580:30
!
! SNAT: the second NAT path (multiservice1 -> Te0/2/0.502).
ip vrf SNAT
rd 1111:40
!
! mgmt: declared, but no interface in this config is placed in it.
ip vrf mgmt
rd 1111:10
!
! radius: holds only the RADIUS server sub-interface. No RD, so it cannot
! be exported anywhere — purely local isolation.
ip vrf radius
!
!
! DNS for the router itself (global table). `ip domain name` is also the
! prerequisite for generating an RSA keypair for SSH; no `ip ssh` or
! `crypto key` lines are visible here (keys never appear in show run).
ip domain name sci-nnov.ru
ip name-server 195.1.226.2
ip name-server 195.1.226.1
!
!
!
!
! Presumably lets one session carry several services at once — the control
! policies below stack OPENGARDEN + L4REDIRECTOR + NAT on a single session.
subscriber service multiple-accept
!
! Captive-portal target for Layer-4 redirect (service L4REDIRECTOR). Only
! plain HTTP (ACL 100) is redirected; everything else an unauthenticated
! user sends is dropped by OPENGARDEN's default class.
redirect server-group PORTAL
server ip 195.1.226.13
!
! Default multilink setting; not relevant to the IP (IPoE) sessions here.
multilink bundle-name authenticated
!
!
!
!
!
!
! No route-processor redundancy on this chassis.
redundancy
mode none
!
!
! Traffic class for portal-bound traffic. Both ACLs (PORTAL-TO /
! PORTAL-FROM) are `deny ip any any` in this copy — the portal prefixes
! were presumably stripped before publication (the author says parts were
! removed) — so as published this class matches nothing.
class-map type traffic match-any PORTAL
match access-group input name PORTAL-TO
match access-group output name PORTAL-FROM
!
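! Night-time "whole world" traffic class, used by service WORD-NIGHT.
! Fix: the output direction referenced ACL `WORD-NIGH`, which is not
! defined anywhere in this config (the defined ACL is `WORD-NIGHT`, below).
! A class bound to a non-existent ACL does not do what the author intended
! in either direction — depending on release it matches nothing or
! everything — so the output policer of service WORD-NIGHT was most likely
! never applied as designed. Confirm with `show class-map type traffic`.
class-map type traffic match-any WORD-NIGHT
match access-group input name WORD-NIGHT
match access-group output name WORD-NIGHT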
!
! HTTP in either direction (ACL 100). This is the only traffic the
! L4REDIRECTOR service sends to the portal; HTTPS is not covered.
class-map type traffic match-any REDIRECT
match access-group input 100
match access-group output 100
!
! Same ACL pair as class PORTAL (walled-garden destinations). As published
! both ACLs deny everything, so only the `default ... drop` of service
! OPENGARDEN has any effect.
class-map type traffic match-any OPENGARDEN
match access-group output name PORTAL-FROM
match access-group input name PORTAL-TO
!
! Match-all class (ACL 101 is `permit ip any any`). Not referenced by any
! service defined locally — presumably used by services pushed from RADIUS.
class-map type traffic match-any WORD
match access-group output 101
match access-group input 101
!
! Peering / exchange-point prefixes (IX-FROM / IX-TO lists). Not referenced
! by any locally defined service — presumably used by RADIUS-defined ones.
class-map type traffic match-any IX
match access-group input name IX-FROM
match access-group output name IX-TO
!
! Control condition: IP-UNAUTH-TIMER expired while still unauthenticated.
! Not used by HN-SERVICE or B2B-service below (they use `class type control
! always`), so it has no effect in this copy.
class-map type control match-all IP-UNAUTH-COND
match timer IP-UNAUTH-TIMER
match authen-status unauthenticated
!
! Control condition: IP-SESSION-TIMEOUT expired on an authenticated
! session. Likewise unreferenced by the control policies below.
class-map type control match-all IP-AUTH-COND
match timer IP-SESSION-TIMEOUT
match authen-status authenticated
!
! Empty service. Only referenced from UNAUTHEN_REDIRECT, which is itself
! not applied to any interface — dead configuration.
policy-map type service UNAUTHORIZED_REDIRECT_SVC
!
! Polices portal traffic to 128 kbit/s each way. The default class carries
! no `drop`, so other traffic appears to pass — on its own this service is
! NOT a walled garden (contrast OPENGARDEN). Only used by the unbound
! UNAUTHEN_REDIRECT control policy.
policy-map type service PORTAL
400 class type traffic PORTAL
police input 128000 256000 256000
police output 128000 256000 256000
!
class type traffic default in-out
!
!
! Layer-4 redirect: HTTP (class REDIRECT) is sent to the PORTAL server
! group; all other INPUT traffic is dropped. Secondary service, so it
! stacks on top of the session's primary (NAT / SNAT) service.
policy-map type service L4REDIRECTOR
30 class type traffic REDIRECT
redirect to group PORTAL
!
class type traffic default input
drop
!
sg-service-type secondary
!
! Night tariff: 256 kbit/s each way on class WORD-NIGHT, which is only
! active during time-range NIGHT (01:00-09:00). Note the class-map above
! references an undefined ACL for the output direction as published.
policy-map type service WORD-NIGHT
105 class type traffic WORD-NIGHT
police input 256000 256000 256000
police output 256000 256000 256000
!
!
! Walled garden for unauthenticated sessions: garden destinations are
! rate-limited to 128 kbit/s, everything else is dropped in both
! directions. Applied together with L4REDIRECTOR so that HTTP still
! reaches the portal.
policy-map type service OPENGARDEN
20 class type traffic OPENGARDEN
police input 128000 256000 256000
police output 128000 256000 256000
!
class type traffic default in-out
drop
!
!
! VRF-transfer service: moves the session into VRF SNAT (exits via
! multiservice1 / Te0/2/0.502). Primary — a session holds one primary
! service at a time.
policy-map type service SNAT
ip vrf forwarding SNAT
sg-service-type primary
!
! VRF-transfer service: moves the session into VRF DNAT (exits via
! multiservice2 / Te0/2/0.39, next hop chosen by route-map toNAT).
policy-map type service NAT
ip vrf forwarding DNAT
sg-service-type primary
!
! Test service with no actions; not referenced anywhere in this copy.
policy-map type service log-off-tst
class type traffic OPENGARDEN
!
class type traffic default in-out
!
!
! Control policy that applies PORTAL and the empty
! UNAUTHORIZED_REDIRECT_SVC at session start. Not bound to any interface
! here (Te0/2/0.197 uses B2B-service, Te0/2/0.281 uses HN-SERVICE), so it
! is inactive; left over or kept for testing.
policy-map type control UNAUTHEN_REDIRECT
class type control always event session-start
10 service-policy type service name PORTAL
20 service-policy type service name UNAUTHORIZED_REDIRECT_SVC
!
!
! Control policy for the BRAS-facing sub-interface (Te0/2/0.281):
! private-address subscribers, hence the NAT service on the unauthorised
! branches.
policy-map type control HN-SERVICE
! session-start: 24 h (1440 min) session timer, then authorize the session
! by its SOURCE IP via list ISG-AUTH. `password cisco` is the well-known
! default used as a fixed User-Password in these IP-identified
! Access-Requests — it is not a secret, so the RADIUS side must decide on
! the IP/NAS, and the shared secret plus the `radius` VRF are what stop
! third parties from submitting such requests themselves.
class type control always event session-start
1 set-timer IP-SESSION-TIMEOUT 1440
10 authorize aaa list ISG-AUTH password cisco identifier source-ip-address
!
! access-reject (unknown or blocked subscriber): walled garden + HTTP
! redirect to the portal + NAT for 10 minutes, then disconnect (see
! timed-policy-expiry below).
class type control always event access-reject
1 service-policy type service name OPENGARDEN
2 service-policy type service name L4REDIRECTOR
3 set-timer IP-UNAUTH-TIMER 10
30 service-policy type service name NAT
!
! radius-timeout (no RADIUS server answered): this branch appears to FAIL
! OPEN — it applies EXTERNAL-2048-2048 (not defined in this copy;
! presumably an internet-access service) next to OPENGARDEN and NAT for
! 3 minutes, then disconnects, after which the session is re-created and
! the cycle repeats. That is an availability trade-off; make sure it is
! intended, since a RADIUS outage — or a flood that induces timeouts —
! then yields unauthenticated access. Which class wins between the merged
! services is decided by their priorities; verify with `show subscriber
! session` rather than assuming OPENGARDEN's default drop prevails.
class type control always event radius-timeout
1 service-policy type service name OPENGARDEN
10 service-policy type service name EXTERNAL-2048-2048
20 set-timer IP-UNAUTH-TIMER 3
30 service-policy type service name NAT
!
! Any timer expiry — including IP-SESSION-TIMEOUT on an authenticated
! session — disconnects. The IP-UNAUTH-COND / IP-AUTH-COND control classes
! defined above are not used, so there is no per-state distinction.
class type control always event timed-policy-expiry
1 service disconnect
!
!
! Control policy for the public-address subscriber sub-interface
! (Te0/2/0.197). Same flow as HN-SERVICE minus the NAT service, and with
! a shorter (3 min) unauthenticated window on access-reject.
policy-map type control B2B-service
! session-start: 24 h session timer; authorize by source IP with the fixed,
! well-known password `cisco` (see the note on HN-SERVICE).
class type control always event session-start
1 set-timer IP-SESSION-TIMEOUT 1440
10 authorize aaa list ISG-AUTH password cisco identifier source-ip-address
!
! access-reject: walled garden + portal redirect for 3 minutes, then
! disconnect.
class type control always event access-reject
1 service-policy type service name OPENGARDEN
2 service-policy type service name L4REDIRECTOR
3 set-timer IP-UNAUTH-TIMER 3
!
! radius-timeout: same fail-open pattern as HN-SERVICE —
! EXTERNAL-2048-2048 (not defined in this copy) is granted for 3 minutes
! when RADIUS is unreachable. Confirm this is the intended behaviour.
class type control always event radius-timeout
1 service-policy type service name OPENGARDEN
10 service-policy type service name EXTERNAL-2048-2048
20 set-timer IP-UNAUTH-TIMER 3
!
! Any timer expiry disconnects the session.
class type control always event timed-policy-expiry
1 service disconnect
!
!
!
!
!
!
! Router loopback, advertised into OSPF area 0 via the 172.22.1.0/24
! network statement.
interface Loopback1
ip address 172.22.1.5 255.255.255.255
!
! Unused 1G ports, administratively down. Keep them shut; an unused port
! that is up is an unmonitored way onto the box.
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
! Physical trunk carrying every VLAN sub-interface below (RADIUS, NAT,
! OSPF p2p, and both subscriber-facing VLANs). No address of its own.
! CDP is explicitly enabled; CDP frames leave untagged on this link, so
! this is acceptable only if the device at the other end is trusted
! (Te0/2/0.196's description names it as oka-1).
interface TenGigabitEthernet0/2/0
no ip address
cdp enable
!
! RADIUS server VLAN, isolated in VRF `radius`. `ip radius
! source-interface` below points here, so 172.22.2.253 is the NAS-IP the
! servers see.
interface TenGigabitEthernet0/2/0.13
description radius-servers
encapsulation dot1Q 13
ip vrf forwarding radius
ip address 172.22.2.253 255.255.255.0
!
! VRF DNAT towards the dynamic-NAT boxes; the toNAT next hops
! (10.0.2.8/.10/.11/.12/.17) all sit on this /27.
interface TenGigabitEthernet0/2/0.39
description ISG to dynNAT
encapsulation dot1Q 39
ip vrf forwarding DNAT
ip address 10.0.2.19 255.255.255.224
!
! Point-to-point link to oka-1 in the global table; the only non-passive
! OSPF interface. No OSPF authentication is configured on it (see the
! `router ospf` note).
interface TenGigabitEthernet0/2/0.196
description p2p-oka-1-isg-1
encapsulation dot1Q 196
ip address 2.2.2.2 255.255.255.252
ip ospf network point-to-point
!
! Subscriber-facing sub-interface in the global routing table (public
! addressing). ISG creates an IP session for every previously unseen
! source address (`initiator unclassified ip-address`) and B2B-service
! then authorizes it by that source IP. Two points to keep in mind:
!  - the session identity IS the source IP; nothing here (no uRPF, no
!    subscriber address list) prevents a host on this VLAN from spoofing
!    another subscriber's address, so anti-spoofing must be enforced by
!    the access layer — confirm that it is;
!  - every new source address costs a session and a RADIUS round trip, so
!    a source-address sweep can exhaust the session table or load the
!    RADIUS servers unless rate-limited upstream.
interface TenGigabitEthernet0/2/0.197
description GRT ISG
encapsulation dot1Q 197
ip address 195.1.225.57 255.255.255.252
service-policy type control B2B-service
ip subscriber routed
initiator unclassified ip-address
!
! Subscriber-facing sub-interface behind the BRAS (private 10/8
! addressing; the global static 10/8 route points at 10.0.0.1 on this
! subnet). Sessions are created per unseen source IP and handled by
! HN-SERVICE. Same caveats as Te0/2/0.197: the source IP is the identity,
! and no uRPF or subscriber list is applied here, so spoof-resistance
! depends on the BRAS/access layer.
interface TenGigabitEthernet0/2/0.281
description BRAS
encapsulation dot1Q 281
ip address 10.0.0.21 255.255.255.224
service-policy type control HN-SERVICE
ip subscriber routed
initiator unclassified ip-address
!
! VRF SNAT towards the NAT box used by route-map toNATS (next hop
! 10.0.2.98 on this /27).
interface TenGigabitEthernet0/2/0.502
description ISG-NATS
encapsulation dot1Q 502
ip vrf forwarding SNAT
ip address 10.0.2.99 255.255.255.224
!
! Dedicated management port in VRF Mgmt-intf — shut down, so all
! management in this config happens in-band.
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
! ISG multiservice interface for sessions transferred into VRF SNAT;
! PBR (route-map toNATS) forces their traffic to the SNAT box. The same
! 10.0.2.69/30 is reused on multiservice2 — fine, since the two are in
! different VRFs.
interface multiservice1
ip vrf forwarding SNAT
ip address 10.0.2.69 255.255.255.252
ip policy route-map toNATS
no keepalive
!
! ISG multiservice interface for sessions transferred into VRF DNAT;
! route-map toNAT picks the NAT box per source range.
interface multiservice2
ip vrf forwarding DNAT
ip address 10.0.2.69 255.255.255.252
ip policy route-map toNAT
no keepalive
!
! OSPF over the single p2p link (Te0/2/0.196); the loopback is advertised.
! Connected and static routes are redistributed through route-map `ospf`,
! which references ACLs 1 and 2 that are absent from this copy (see the
! route-map note). No OSPF authentication is configured on the adjacency:
! add MD5 (`ip ospf authentication message-digest` + `ip ospf
! message-digest-key` on Te0/2/0.196, or `area 0 authentication
! message-digest` here) so a rogue neighbour on VLAN 196 cannot inject
! routes — including a default — into this box.
router ospf 1
log-adjacency-changes
redistribute connected subnets route-map ospf
redistribute static subnets route-map ospf
passive-interface default
no passive-interface TenGigabitEthernet0/2/0.196
network 2.2.2.0 0.0.0.255 area 0
network 172.22.1.0 0.0.0.255 area 0
!
!
! HTTP management server off (no `ip http secure-server` either) — good.
no ip http server
! Global 10/8 towards the BRAS side (10.0.0.1 on Te0/2/0.281's subnet).
ip route 10.0.0.0 255.0.0.0 10.0.0.1
! VRF DNAT: default to NAT box .11 (the PBR in toNAT overrides per source
! range), and the return path for 10/8 leaks back to the global table so
! NATed replies reach subscribers. The same pattern would be needed for
! any other VRF a session is transferred into.
ip route vrf DNAT 0.0.0.0 0.0.0.0 10.0.2.11
ip route vrf DNAT 10.0.0.0 255.0.0.0 10.0.0.1 global
!
! Standard ACL bound to one of the SNMP RO communities — EMPTY in this
! copy. NOTE(review): on many IOS releases an empty or missing ACL in that
! position is treated as permit-all, which would leave that community
! unrestricted; either the poller address was redacted or it needs adding.
ip access-list standard EMC-SMARTS
!
! Match-all during time-range NIGHT (01:00-09:00), deny otherwise.
! Not referenced by any class-map in this copy.
ip access-list extended ACRT-NIGHT
permit ip any any time-range NIGHT
deny ip any any
! Traffic FROM peering/exchange prefixes (input side of class IX). The
! explicit trailing deny is redundant with the implicit one but gives hit
! counters. One entry is redundant: 78.40.188.0/24 lies inside
! 78.40.184.0/21. This list is duplicated three more times below
! (IX-FROM-NIGHT, IX-TO, IX-TO-NIGHT); keeping four hand-maintained copies
! in sync is error-prone — generate them from one source.
ip access-list extended IX-FROM
permit ip 195.98.32.0 0.0.31.255 any
permit ip 212.92.128.0 0.0.63.255 any
permit ip 217.118.93.0 0.0.0.255 any
permit ip 92.242.64.0 0.0.31.255 any
permit ip 88.81.32.0 0.0.31.255 any
permit ip 89.189.0.0 0.0.31.255 any
permit ip 46.251.64.0 0.0.31.255 any
permit ip 92.246.128.0 0.0.31.255 any
permit ip 212.67.0.0 0.0.31.255 any
permit ip 81.19.128.0 0.0.1.255 any
permit ip 81.19.130.0 0.0.0.255 any
permit ip 82.208.64.0 0.0.63.255 any
permit ip 213.177.96.0 0.0.31.255 any
permit ip 89.109.0.0 0.0.63.255 any
permit ip 79.126.0.0 0.0.63.255 any
permit ip 79.126.64.0 0.0.63.255 any
permit ip 95.37.0.0 0.0.127.255 any
permit ip 195.82.136.0 0.0.0.255 any
permit ip 195.82.137.0 0.0.0.255 any
permit ip 95.37.128.0 0.0.127.255 any
permit ip 93.120.128.0 0.0.127.255 any
permit ip 109.184.0.0 0.0.255.255 any
permit ip 217.23.16.0 0.0.15.255 any
permit ip 78.40.184.0 0.0.7.255 any
permit ip 78.40.188.0 0.0.0.255 any
permit ip 94.25.78.0 0.0.0.255 any
permit ip 85.143.0.0 0.0.15.255 any
permit ip 89.28.199.0 0.0.0.255 any
permit ip 213.190.224.0 0.0.31.255 any
permit ip 217.25.80.0 0.0.3.255 any
permit ip 85.91.192.0 0.0.15.255 any
permit ip 91.223.224.0 0.0.0.255 any
deny ip any any
! IX-FROM restricted to time-range NIGHT (01:00-09:00). Not referenced by
! any class-map in this copy (class IX uses the untimed lists).
ip access-list extended IX-FROM-NIGHT
permit ip 195.98.32.0 0.0.31.255 any time-range NIGHT
permit ip 212.92.128.0 0.0.63.255 any time-range NIGHT
permit ip 217.118.93.0 0.0.0.255 any time-range NIGHT
permit ip 92.242.64.0 0.0.31.255 any time-range NIGHT
permit ip 88.81.32.0 0.0.31.255 any time-range NIGHT
permit ip 89.189.0.0 0.0.31.255 any time-range NIGHT
permit ip 46.251.64.0 0.0.31.255 any time-range NIGHT
permit ip 92.246.128.0 0.0.31.255 any time-range NIGHT
permit ip 212.67.0.0 0.0.31.255 any time-range NIGHT
permit ip 81.19.128.0 0.0.1.255 any time-range NIGHT
permit ip 81.19.130.0 0.0.0.255 any time-range NIGHT
permit ip 82.208.64.0 0.0.63.255 any time-range NIGHT
permit ip 213.177.96.0 0.0.31.255 any time-range NIGHT
permit ip 89.109.0.0 0.0.63.255 any time-range NIGHT
permit ip 79.126.0.0 0.0.63.255 any time-range NIGHT
permit ip 79.126.64.0 0.0.63.255 any time-range NIGHT
permit ip 95.37.0.0 0.0.127.255 any time-range NIGHT
permit ip 195.82.136.0 0.0.0.255 any time-range NIGHT
permit ip 195.82.137.0 0.0.0.255 any time-range NIGHT
permit ip 95.37.128.0 0.0.127.255 any time-range NIGHT
permit ip 93.120.128.0 0.0.127.255 any time-range NIGHT
permit ip 109.184.0.0 0.0.255.255 any time-range NIGHT
permit ip 217.23.16.0 0.0.15.255 any time-range NIGHT
permit ip 78.40.184.0 0.0.7.255 any time-range NIGHT
permit ip 78.40.188.0 0.0.0.255 any time-range NIGHT
permit ip 94.25.78.0 0.0.0.255 any time-range NIGHT
permit ip 85.143.0.0 0.0.15.255 any time-range NIGHT
permit ip 89.28.199.0 0.0.0.255 any time-range NIGHT
permit ip 213.190.224.0 0.0.31.255 any time-range NIGHT
permit ip 217.25.80.0 0.0.3.255 any time-range NIGHT
permit ip 85.91.192.0 0.0.15.255 any time-range NIGHT
permit ip 91.223.224.0 0.0.0.255 any time-range NIGHT
deny ip any any
! Traffic TO peering/exchange prefixes (output side of class IX); the
! mirror image of IX-FROM, same prefix set.
ip access-list extended IX-TO
permit ip any 195.98.32.0 0.0.31.255
permit ip any 212.92.128.0 0.0.63.255
permit ip any 217.118.93.0 0.0.0.255
permit ip any 92.242.64.0 0.0.31.255
permit ip any 88.81.32.0 0.0.31.255
permit ip any 89.189.0.0 0.0.31.255
permit ip any 46.251.64.0 0.0.31.255
permit ip any 92.246.128.0 0.0.31.255
permit ip any 212.67.0.0 0.0.31.255
permit ip any 81.19.128.0 0.0.1.255
permit ip any 81.19.130.0 0.0.0.255
permit ip any 82.208.64.0 0.0.63.255
permit ip any 213.177.96.0 0.0.31.255
permit ip any 89.109.0.0 0.0.63.255
permit ip any 79.126.0.0 0.0.63.255
permit ip any 79.126.64.0 0.0.63.255
permit ip any 95.37.0.0 0.0.127.255
permit ip any 195.82.136.0 0.0.0.255
permit ip any 195.82.137.0 0.0.0.255
permit ip any 95.37.128.0 0.0.127.255
permit ip any 93.120.128.0 0.0.127.255
permit ip any 109.184.0.0 0.0.255.255
permit ip any 217.23.16.0 0.0.15.255
permit ip any 78.40.184.0 0.0.7.255
permit ip any 78.40.188.0 0.0.0.255
permit ip any 94.25.78.0 0.0.0.255
permit ip any 85.143.0.0 0.0.15.255
permit ip any 89.28.199.0 0.0.0.255
permit ip any 213.190.224.0 0.0.31.255
permit ip any 217.25.80.0 0.0.3.255
permit ip any 85.91.192.0 0.0.15.255
permit ip any 91.223.224.0 0.0.0.255
deny ip any any
! IX-TO restricted to time-range NIGHT. Unreferenced in this copy.
ip access-list extended IX-TO-NIGHT
permit ip any 195.98.32.0 0.0.31.255 time-range NIGHT
permit ip any 212.92.128.0 0.0.63.255 time-range NIGHT
permit ip any 217.118.93.0 0.0.0.255 time-range NIGHT
permit ip any 92.242.64.0 0.0.31.255 time-range NIGHT
permit ip any 88.81.32.0 0.0.31.255 time-range NIGHT
permit ip any 89.189.0.0 0.0.31.255 time-range NIGHT
permit ip any 46.251.64.0 0.0.31.255 time-range NIGHT
permit ip any 92.246.128.0 0.0.31.255 time-range NIGHT
permit ip any 212.67.0.0 0.0.31.255 time-range NIGHT
permit ip any 81.19.128.0 0.0.1.255 time-range NIGHT
permit ip any 81.19.130.0 0.0.0.255 time-range NIGHT
permit ip any 82.208.64.0 0.0.63.255 time-range NIGHT
permit ip any 213.177.96.0 0.0.31.255 time-range NIGHT
permit ip any 89.109.0.0 0.0.63.255 time-range NIGHT
permit ip any 79.126.0.0 0.0.63.255 time-range NIGHT
permit ip any 79.126.64.0 0.0.63.255 time-range NIGHT
permit ip any 95.37.0.0 0.0.127.255 time-range NIGHT
permit ip any 195.82.136.0 0.0.0.255 time-range NIGHT
permit ip any 195.82.137.0 0.0.0.255 time-range NIGHT
permit ip any 95.37.128.0 0.0.127.255 time-range NIGHT
permit ip any 93.120.128.0 0.0.127.255 time-range NIGHT
permit ip any 109.184.0.0 0.0.255.255 time-range NIGHT
permit ip any 217.23.16.0 0.0.15.255 time-range NIGHT
permit ip any 78.40.184.0 0.0.7.255 time-range NIGHT
permit ip any 78.40.188.0 0.0.0.255 time-range NIGHT
permit ip any 94.25.78.0 0.0.0.255 time-range NIGHT
permit ip any 85.143.0.0 0.0.15.255 time-range NIGHT
permit ip any 89.28.199.0 0.0.0.255 time-range NIGHT
permit ip any 213.190.224.0 0.0.31.255 time-range NIGHT
permit ip any 217.25.80.0 0.0.3.255 time-range NIGHT
permit ip any 85.91.192.0 0.0.15.255 time-range NIGHT
permit ip any 91.223.224.0 0.0.0.255 time-range NIGHT
deny ip any any
! Placeholder lists: all four are deny-everything in this copy. LOCAL-* are
! unreferenced; PORTAL-* drive classes PORTAL and OPENGARDEN, so as
! published the walled garden admits nothing (portal prefixes presumably
! removed before publication).
ip access-list extended LOCAL-FROM
deny ip any any
ip access-list extended LOCAL-TO
deny ip any any
ip access-list extended PORTAL-FROM
deny ip any any
ip access-list extended PORTAL-TO
deny ip any any
! Match-all during time-range NIGHT; used by class WORD-NIGHT (note the
! class-map references `WORD-NIGH` for the output direction as published).
ip access-list extended WORD-NIGHT
permit ip any any time-range NIGHT
deny ip any any
! PBR selectors for VRF DNAT (route-map toNAT): each list decides which
! NAT box a private source range is steered to. Evaluation follows the
! route-map sequence, so overlaps resolve to the earlier list:
!  - 10.17.0.0/23 (toNAT-2, seq 20) wins over 10.17.0.0/17 (toNAT-3, seq 30);
!  - 10.128.64.0/22 (toNAT-2) wins over 10.128.0.0/16 (toNAT-5, seq 50).
! These lists only pick a next hop; they are not a security boundary.
ip access-list extended toNAT-1
permit ip 10.83.0.0 0.0.127.255 any
permit ip 10.137.0.0 0.0.255.255 any
permit ip 10.84.0.0 0.0.255.255 any
permit ip 10.90.0.0 0.0.255.255 any
ip access-list extended toNAT-2
permit ip 10.128.64.0 0.0.3.255 any
permit ip 10.17.0.0 0.0.1.255 any
permit ip 10.82.0.0 0.0.127.255 any
ip access-list extended toNAT-3
permit ip 10.17.0.0 0.0.127.255 any
permit ip 10.100.0.0 0.0.255.255 any
permit ip 10.87.0.0 0.0.255.255 any
ip access-list extended toNAT-4
permit ip 10.136.0.0 0.0.255.255 any
permit ip 10.8.0.0 0.0.255.255 any
permit ip 10.88.0.0 0.0.255.255 any
permit ip 10.16.0.0 0.0.255.255 any
permit ip 10.4.0.0 0.0.255.255 any
ip access-list extended toNAT-5
permit ip 10.200.0.0 0.0.255.255 any
permit ip 10.128.0.0 0.0.255.255 any
!
! RADIUS packets are sourced from the radius-VRF sub-interface
! (172.22.2.253), which is the NAS-IP the servers must be configured with.
ip radius source-interface TenGigabitEthernet0/2/0.13
! Syslog at warnings and above. No `logging host` appears in this copy
! (possibly redacted); without one, nothing leaves the local buffer.
logging trap warnings
! ACL 3 (internal 172.22.0.0/16) is defined but applied nowhere in this
! config — the obvious candidate for `access-class 3 in` on the vty lines,
! which currently carry no access-class at all.
access-list 3 permit 172.22.0.0 0.0.255.255
! ACL 99 is permit-all: unused, and it would restrict nothing if used.
access-list 99 permit any
! ACL 100: HTTP in either direction — drives the REDIRECT traffic class.
! Only port-80 traffic is redirected to the portal; HTTPS is dropped by
! OPENGARDEN's default class instead.
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any eq www any
! ACL 101: match-all, used by class WORD. ACL 102: unused.
access-list 101 permit ip any any
access-list 102 permit ip any any
! CDP globally on (explicitly enabled on Te0/2/0). Check `show cdp
! interface` that it is not running on anything subscriber-reachable.
cdp run
!
! Redistribution filter for OSPF. Seq 5 drops routes that point at Null0;
! seq 10 permits whatever ACLs 1 and 2 match. Neither ACL is present in
! this copy. NOTE(review): IOS is widely documented to treat a route-map
! `match ip address` against a non-existent ACL as matching everything —
! if that holds on this release, the published config redistributes ALL
! connected and static routes (including the global 10/8 static). Most
! likely the ACLs were redacted; confirm they exist on the live box.
route-map ospf deny 5
match interface Null0
!
route-map ospf permit 10
match ip address 1 2
!
! PBR on multiservice1 (VRF SNAT): all subscriber traffic goes to the
! SNAT box at 10.0.2.98 (reached via Te0/2/0.502) when no more specific
! route exists.
route-map toNATS permit 10
set ip default vrf SNAT next-hop 10.0.2.98
!
! PBR on multiservice2 (VRF DNAT): steer each private source range (the
! toNAT-* lists) to its NAT box; seq 999 is the catch-all to .11, matching
! the VRF's static default. Overlapping lists resolve to the lowest
! sequence (see the note on the toNAT-* ACLs).
route-map toNAT permit 10
match ip address toNAT-1
set ip default vrf DNAT next-hop 10.0.2.11
!
route-map toNAT permit 20
match ip address toNAT-2
set ip default vrf DNAT next-hop 10.0.2.10
!
route-map toNAT permit 30
match ip address toNAT-3
set ip default vrf DNAT next-hop 10.0.2.12
!
route-map toNAT permit 40
match ip address toNAT-4
set ip default vrf DNAT next-hop 10.0.2.17
!
route-map toNAT permit 50
match ip address toNAT-5
set ip default vrf DNAT next-hop 10.0.2.8
!
route-map toNAT permit 999
set ip default vrf DNAT next-hop 10.0.2.11
!
! SNMP v1/v2c communities. Issues a reviewer would want fixed:
!  - the RW community has no ACL at all: anyone who can reach the box and
!    obtain the string (it is type 7 in the file — see top) can rewrite
!    the configuration. At minimum bind it to an ACL listing the
!    managers; better, move to SNMPv3 authPriv or drop RW entirely;
!  - the first two RO communities are likewise unrestricted;
!  - the last RO community is bound to EMC-SMARTS, a standard ACL that is
!    EMPTY in this copy — on many releases that behaves as permit-all;
!    populate it with the SMARTS poller address (or confirm redaction);
!  - ACL 99 (`permit any`) would give no protection if anyone reached for it.
! Trap destination is a public address reached through the global table.
snmp-server community XXXXXX RO
snmp-server community XXXXXX RW
snmp-server community XXXXXX RO
snmp-server community XXXXXX RO EMC-SMARTS
snmp-server enable traps config
snmp-server host 195.1.226.27 XXXXXX
snmp ifmib ifindex persist
!
! Global RADIUS settings. Attribute 44 (Acct-Session-Id) and 8
! (Framed-IP-Address) are added to Access-Requests; 32 (NAS-Identifier)
! and 55 (Event-Timestamp) to accounting. The global `radius-server host`
! entries duplicate the `server-private` definitions in the groups above
! (same hosts/ports/keys) — legacy style; keep the two in sync or drop the
! globals. 3 s timeout x 2 retransmits per host bounds how long a session
! start waits before the `radius-timeout` branch (fail-open) fires.
radius-server attribute 44 include-in-access-req
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server host 172.22.2.24 auth-port 1812 acct-port 1813 key 7 XXXXXX
radius-server host 172.22.2.24 auth-port 1814 acct-port 1815 key 7 XXXXXX
radius-server host 172.22.2.25 auth-port 1812 acct-port 1813 key 7 XXXXXX
radius-server host 172.22.2.25 auth-port 1814 acct-port 1815 key 7 XXXXXX
radius-server host 172.22.2.4 auth-port 1812 acct-port 1813 key 7 XXXXXX
radius-server retransmit 2
radius-server timeout 3
radius-server vsa send accounting
radius-server vsa send authentication
!
! No control-plane policing is configured. On a box that accepts CoA from
! the global table and creates a session per unseen source IP, a CoPP
! policy (rate-limit RADIUS/CoA, SNMP, SSH, OSPF from expected sources;
! police the rest) is the cheapest protection against control-plane
! exhaustion.
control-plane
!
!
!
! Operator shortcut: list sessions by authenticated username.
alias exec ssss sh sss session identifier authenticated-username
!
! Console and AUX both use the `default` login list (local, then
! ADMIN-AUTH). The AUX port is left enabled; if nothing is attached,
! `no exec` (and `transport input none`) on it is cheap hardening — a
! modem on AUX is the classic forgotten back door.
line con 0
stopbits 1
line aux 0
stopbits 1
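! Remote-access lines. Fix: restrict management to the internal
! 172.22.0.0/16 range (ACL 3 was already defined but never applied, which
! strongly suggests this was the intent) and accept SSH only — on most IOS
! releases the default vty transport also admits cleartext Telnet, through
! which the ADMIN-AUTH credentials would travel in the clear. Before
! applying `transport input ssh`, confirm an RSA keypair exists
! (`show crypto key mypubkey rsa`); keys are not part of show run and none
! is visible here.
line vty 0 4
access-class 3 in
transport input ssh
!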
! Single, unauthenticated NTP source (no `ntp authenticate`, no
! `ntp access-group`). Time matters here beyond logs: the NIGHT time-range
! switches the *-NIGHT tariff ACLs, so a skewed clock shifts billing
! windows. Consider NTP authentication and a second source.
ntp server 172.22.1.1
! 01:00-09:00 local time every day.
time-range NIGHT
periodic daily 1:00 to 9:00
!
end
Некоторые вещи в конфиге сознательно удалены, либо изменены для того, чтобы не палить ISP.
Могу я задать вопрос?
Я настроил это так:
interface GigabitEthernet1/0.501
! Subscriber-facing sub-interface in the global table; IPoE sessions are
! created per unseen source IP and handled by control policy
! IPOE_COSTUMERS (not shown in the comment).
description TO_SUBSCRIBERS
encapsulation dot1Q 501
ip address 10.200.100.1 255.255.255.252
service-policy type control IPOE_COSTUMERS
ip subscriber routed
initiator unclassified ip-address
! Upstream sub-interface in VRF beeline.
interface GigabitEthernet2/0.401
description Beeline
encapsulation dot1Q 401
ip vrf forwarding beeline
ip address 213.33.186.134 255.255.255.252
! ISG multiservice interface for sessions transferred into VRF beeline.
interface multiservice1
ip vrf forwarding beeline
ip address 10.10.100.1 255.255.255.252
no keepalive
! Only route in VRF beeline: a default towards the upstream.
! NOTE(review): nothing here gives VRF beeline a route BACK to the
! subscriber address on Gi1/0.501, which lives in the global table — that
! is the most likely reason return traffic never reaches the subscriber.
! The main config above solves the same problem for its DNAT VRF with
! `ip route vrf DNAT 10.0.0.0 255.0.0.0 10.0.0.1 global`; an equivalent
! `... global` leak for the subscriber prefix is probably what is missing.
! Confirm with `show ip route vrf beeline <subscriber-ip>`.
ip route vrf beeline 0.0.0.0 0.0.0.0 213.33.186.133
Radius :
Cisco-AVPair += 'ip:vrf-id=beeline'
все работает но трафик из интернета не возвращается через интерфейс multiservice1 к абоненту...
эта команда работает:
ping vrf beeline "ip абонента"...(трафик уходит с IP-адреса интерфейса multiservice1 )
что я сделал не так?
Nice Article! Thanks for sharing with us.
Basic IP Traffic Management with Access lists
You're welcome!
Конфиг до сих пор актуальный, боевой? :)
Не работаю уже более 2-х лет там, где оно стоит, но думаю, что конфиг до сих пор примерно такой же.
Ух ты! Долго искал что-то подобное.
А оно раздает IPoE?
Да
Приветствую!
Непонятно про политики: что отправляется на RADIUS-сервер? Соответственно, какой биллинг и что он шлет на ASR?
Лучше поздно, чем никогда :)
Про тарифы: http://tsolodov.blogspot.ru/2011/02/isg.html
Подскажите - IPoE сессия при "входящем" к пользователю траффике стартовала успешно?
В качестве User-Name выступал ip-dst = IP пользователя?
class-map type control match-all ISG-IP-UNAUTH
match timer UNAUTH-TIMER
match authen-status unauthenticated
! Commenter's control policy. Unlike HN-SERVICE in the main config, the
! disconnect on timer expiry is gated on the ISG-IP-UNAUTH condition
! (still unauthenticated), so authenticated sessions are not torn down by
! the timer; the open garden + redirect are applied unconditionally at
! session start/restart and the RADIUS reply is expected to replace them.
policy-map type control ISG-RADIUS-PROFILES
class type control ISG-IP-UNAUTH event timed-policy-expiry
1 service disconnect
!
! session-start: authorize by source IP (list IPoE), then open garden,
! L4 redirect, and a 1-minute unauthenticated timer.
class type control always event session-start
10 authorize aaa list IPoE identifier source-ip-address
20 service-policy type service name OG_SRV
30 service-policy type service name L4R_SRV
40 set-timer UNAUTH-TIMER 1
!
! session-restart: same sequence as session-start.
class type control always event session-restart
10 authorize aaa list IPoE identifier source-ip-address
20 service-policy type service name OG_SRV
30 service-policy type service name L4R_SRV
40 set-timer UNAUTH-TIMER 1
В правилах биллинга стоит логин: IP
Тимур, как можно с Вами связаться? Пожалуйста, если вы еще тут, добавьте меня в Skype: Abbosovich, есть пара вопросов и нюансов. Буду благодарен. Спасибо.
Отправил запрос
Nice post, thank you Derek