{ Useful stuff for System and Network Admins }: Конфиг боевого BRAS CISCO ASR 1002 ISG


version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ISG-1
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 XXXXXX
!
aaa new-model
!
!

#С этих радиусов авторизовываются клиенты
aaa group server radius RG-ISG-AUTH
 server-private 172.22.2.24 auth-port 1812 acct-port 1813 key 7 XXXXXX
 server-private 172.22.2.25 auth-port 1812 acct-port 1813 key 7 XXXXXX
 ip vrf forwarding radius
!

#Для аккаунтинга клиентовaaa group server radius RG-ISG-ACC
 server-private 172.22.2.26 auth-port 1812 acct-port 1813 key 7 XXXXXX
 ip vrf forwarding radius
!

#С этих радиусов авторизовываются сервисыaaa group server radius RG-ISG-SRV
 server-private 172.22.2.24 auth-port 1814 acct-port 1815 key 7 XXXXXX
 server-private 172.22.2.25 auth-port 1814 acct-port 1815 key 7 XXXXXX
 ip vrf forwarding radius
!

#С этих радиусов авторизовываются администраторыaaa group server radius ADMIN-AUTH
 server-private 172.22.2.4 auth-port 1812 acct-port 1813 key 7 XXXXXX#Взаимодействие с радиус серверами идет в отдельном vrf
 ip vrf forwarding radius
!
aaa authentication login default local group ADMIN-AUTH
aaa authentication login console none
aaa authentication login ISG-AUTH group RG-ISG-AUTH
aaa authorization network ISG-AUTH group RG-ISG-AUTH 
aaa authorization subscriber-service default local group RG-ISG-SRV 
aaa accounting network Account start-stop group RG-ISG-ACC
!
!
!
!
aaa server radius dynamic-author
 client 195.1.226.59 server-key 7 XXXXXX
 auth-type any
 ignore session-key
 ignore server-key
!
aaa session-id common
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00
no ip source-route
ip vrf DNAT
 rd 8580:30
!
ip vrf SNAT
 rd 1111:40
!
ip vrf mgmt
 rd 1111:10
!
ip vrf radius
!
!
!
ip domain name sci-nnov.ru
ip name-server 195.1.226.2
ip name-server 195.1.226.1
!
!
!
!
subscriber service multiple-accept
!
redirect server-group PORTAL
 server ip 195.1.226.13
!
multilink bundle-name authenticated
!
!
!
!
!
!
redundancy
 mode none
!
!
class-map type traffic match-any PORTAL
 match access-group input name PORTAL-TO
 match access-group output name PORTAL-FROM
!
class-map type traffic match-any WORD-NIGHT
 match access-group input name WORD-NIGHT
 match access-group output name WORD-NIGH
!
class-map type traffic match-any REDIRECT
 match access-group input 100
 match access-group output 100
!
class-map type traffic match-any OPENGARDEN
 match access-group output name PORTAL-FROM
 match access-group input name PORTAL-TO
!
class-map type traffic match-any WORD
 match access-group output 101
 match access-group input 101
!
class-map type traffic match-any IX
 match access-group input name IX-FROM
 match access-group output name IX-TO
!
class-map type control match-all IP-UNAUTH-COND
 match timer IP-UNAUTH-TIMER 
 match authen-status unauthenticated 
!
class-map type control match-all IP-AUTH-COND
 match timer IP-SESSION-TIMEOUT 
 match authen-status authenticated 
!
policy-map type service UNAUTHORIZED_REDIRECT_SVC
!
policy-map type service PORTAL
 400 class type traffic PORTAL
  police input 128000 256000 256000
  police output 128000 256000 256000
 !
 class type traffic default in-out
 !
!
policy-map type service L4REDIRECTOR
 30 class type traffic REDIRECT
  redirect to group PORTAL
 !
 class type traffic default input
  drop
 !
 sg-service-type secondary
!
policy-map type service WORD-NIGHT
 105 class type traffic WORD-NIGHT
  police input 256000 256000 256000
  police output 256000 256000 256000
 !
!
policy-map type service OPENGARDEN
 20 class type traffic OPENGARDEN
  police input 128000 256000 256000
  police output 128000 256000 256000
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service SNAT
 ip vrf forwarding SNAT
 sg-service-type primary
!
policy-map type service NAT
 ip vrf forwarding DNAT
 sg-service-type primary
!
policy-map type service log-off-tst
 class type traffic OPENGARDEN
 !
 class type traffic default in-out
 !
!
policy-map type control UNAUTHEN_REDIRECT
 class type control always event session-start
  10 service-policy type service name PORTAL
  20 service-policy type service name UNAUTHORIZED_REDIRECT_SVC
 !
!
policy-map type control HN-SERVICE
 class type control always event session-start
  1 set-timer IP-SESSION-TIMEOUT 1440
  10 authorize aaa list ISG-AUTH password cisco identifier source-ip-address
 !
 class type control always event access-reject
  1 service-policy type service name OPENGARDEN
  2 service-policy type service name L4REDIRECTOR
  3 set-timer IP-UNAUTH-TIMER 10
  30 service-policy type service name NAT
 !
 class type control always event radius-timeout
  1 service-policy type service name OPENGARDEN
  10 service-policy type service name EXTERNAL-2048-2048
  20 set-timer IP-UNAUTH-TIMER 3
  30 service-policy type service name NAT
 !
 class type control always event timed-policy-expiry
  1 service disconnect
 !
!
policy-map type control B2B-service
 class type control always event session-start
  1 set-timer IP-SESSION-TIMEOUT 1440
  10 authorize aaa list ISG-AUTH password cisco identifier source-ip-address
 !
 class type control always event access-reject
  1 service-policy type service name OPENGARDEN
  2 service-policy type service name L4REDIRECTOR
  3 set-timer IP-UNAUTH-TIMER 3
 !
 class type control always event radius-timeout
  1 service-policy type service name OPENGARDEN
  10 service-policy type service name EXTERNAL-2048-2048
  20 set-timer IP-UNAUTH-TIMER 3
 !
 class type control always event timed-policy-expiry
  1 service disconnect
 !
!
!
!
!
!
interface Loopback1
 ip address 172.22.1.5 255.255.255.255
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/1
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface TenGigabitEthernet0/2/0
 no ip address
 cdp enable
!
interface TenGigabitEthernet0/2/0.13
 description radius-servers
 encapsulation dot1Q 13
 ip vrf forwarding radius
 ip address 172.22.2.253 255.255.255.0
!
interface TenGigabitEthernet0/2/0.39
 description ISG to dynNAT
 encapsulation dot1Q 39
 ip vrf forwarding DNAT
 ip address 10.0.2.19 255.255.255.224
!
interface TenGigabitEthernet0/2/0.196
 description p2p-oka-1-isg-1
 encapsulation dot1Q 196
 ip address 2.2.2.2 255.255.255.252
 ip ospf network point-to-point
!
interface TenGigabitEthernet0/2/0.197
 description GRT ISG
 encapsulation dot1Q 197
 ip address 195.1.225.57 255.255.255.252
 service-policy type control B2B-service
 ip subscriber routed
  initiator unclassified ip-address
!
interface TenGigabitEthernet0/2/0.281
 description BRAS
 encapsulation dot1Q 281
 ip address 10.0.0.21 255.255.255.224
 service-policy type control HN-SERVICE
 ip subscriber routed
  initiator unclassified ip-address
!
interface TenGigabitEthernet0/2/0.502
 description ISG-NATS
 encapsulation dot1Q 502
 ip vrf forwarding SNAT
 ip address 10.0.2.99 255.255.255.224
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface multiservice1
 ip vrf forwarding SNAT
 ip address 10.0.2.69 255.255.255.252
 ip policy route-map toNATS
 no keepalive
!
interface multiservice2
 ip vrf forwarding DNAT
 ip address 10.0.2.69 255.255.255.252
 ip policy route-map toNAT
 no keepalive
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets route-map ospf
 redistribute static subnets route-map ospf
 passive-interface default
 no passive-interface TenGigabitEthernet0/2/0.196
 network 2.2.2.0 0.0.0.255 area 0
 network 172.22.1.0 0.0.0.255 area 0
!
!
no ip http server
ip route 10.0.0.0 255.0.0.0 10.0.0.1
ip route vrf DNAT 0.0.0.0 0.0.0.0 10.0.2.11
ip route vrf DNAT 10.0.0.0 255.0.0.0 10.0.0.1 global
!
ip access-list standard EMC-SMARTS
!
ip access-list extended ACRT-NIGHT
 permit ip any any time-range NIGHT
 deny   ip any any
ip access-list extended IX-FROM
 permit ip 195.98.32.0 0.0.31.255 any
 permit ip 212.92.128.0 0.0.63.255 any
 permit ip 217.118.93.0 0.0.0.255 any
 permit ip 92.242.64.0 0.0.31.255 any
 permit ip 88.81.32.0 0.0.31.255 any
 permit ip 89.189.0.0 0.0.31.255 any
 permit ip 46.251.64.0 0.0.31.255 any
 permit ip 92.246.128.0 0.0.31.255 any
 permit ip 212.67.0.0 0.0.31.255 any
 permit ip 81.19.128.0 0.0.1.255 any
 permit ip 81.19.130.0 0.0.0.255 any
 permit ip 82.208.64.0 0.0.63.255 any
 permit ip 213.177.96.0 0.0.31.255 any
 permit ip 89.109.0.0 0.0.63.255 any
 permit ip 79.126.0.0 0.0.63.255 any
 permit ip 79.126.64.0 0.0.63.255 any
 permit ip 95.37.0.0 0.0.127.255 any
 permit ip 195.82.136.0 0.0.0.255 any
 permit ip 195.82.137.0 0.0.0.255 any
 permit ip 95.37.128.0 0.0.127.255 any
 permit ip 93.120.128.0 0.0.127.255 any
 permit ip 109.184.0.0 0.0.255.255 any
 permit ip 217.23.16.0 0.0.15.255 any
 permit ip 78.40.184.0 0.0.7.255 any
 permit ip 78.40.188.0 0.0.0.255 any
 permit ip 94.25.78.0 0.0.0.255 any
 permit ip 85.143.0.0 0.0.15.255 any
 permit ip 89.28.199.0 0.0.0.255 any
 permit ip 213.190.224.0 0.0.31.255 any
 permit ip 217.25.80.0 0.0.3.255 any
 permit ip 85.91.192.0 0.0.15.255 any
 permit ip 91.223.224.0 0.0.0.255 any
 deny   ip any any
ip access-list extended IX-FROM-NIGHT
 permit ip 195.98.32.0 0.0.31.255 any time-range NIGHT
 permit ip 212.92.128.0 0.0.63.255 any time-range NIGHT
 permit ip 217.118.93.0 0.0.0.255 any time-range NIGHT
 permit ip 92.242.64.0 0.0.31.255 any time-range NIGHT
 permit ip 88.81.32.0 0.0.31.255 any time-range NIGHT
 permit ip 89.189.0.0 0.0.31.255 any time-range NIGHT
 permit ip 46.251.64.0 0.0.31.255 any time-range NIGHT
 permit ip 92.246.128.0 0.0.31.255 any time-range NIGHT
 permit ip 212.67.0.0 0.0.31.255 any time-range NIGHT
 permit ip 81.19.128.0 0.0.1.255 any time-range NIGHT
 permit ip 81.19.130.0 0.0.0.255 any time-range NIGHT
 permit ip 82.208.64.0 0.0.63.255 any time-range NIGHT
 permit ip 213.177.96.0 0.0.31.255 any time-range NIGHT
 permit ip 89.109.0.0 0.0.63.255 any time-range NIGHT
 permit ip 79.126.0.0 0.0.63.255 any time-range NIGHT
 permit ip 79.126.64.0 0.0.63.255 any time-range NIGHT
 permit ip 95.37.0.0 0.0.127.255 any time-range NIGHT
 permit ip 195.82.136.0 0.0.0.255 any time-range NIGHT
 permit ip 195.82.137.0 0.0.0.255 any time-range NIGHT
 permit ip 95.37.128.0 0.0.127.255 any time-range NIGHT
 permit ip 93.120.128.0 0.0.127.255 any time-range NIGHT
 permit ip 109.184.0.0 0.0.255.255 any time-range NIGHT
 permit ip 217.23.16.0 0.0.15.255 any time-range NIGHT
 permit ip 78.40.184.0 0.0.7.255 any time-range NIGHT
 permit ip 78.40.188.0 0.0.0.255 any time-range NIGHT
 permit ip 94.25.78.0 0.0.0.255 any time-range NIGHT
 permit ip 85.143.0.0 0.0.15.255 any time-range NIGHT
 permit ip 89.28.199.0 0.0.0.255 any time-range NIGHT
 permit ip 213.190.224.0 0.0.31.255 any time-range NIGHT
 permit ip 217.25.80.0 0.0.3.255 any time-range NIGHT
 permit ip 85.91.192.0 0.0.15.255 any time-range NIGHT
 permit ip 91.223.224.0 0.0.0.255 any time-range NIGHT
 deny   ip any any
ip access-list extended IX-TO
 permit ip any 195.98.32.0 0.0.31.255
 permit ip any 212.92.128.0 0.0.63.255
 permit ip any 217.118.93.0 0.0.0.255
 permit ip any 92.242.64.0 0.0.31.255
 permit ip any 88.81.32.0 0.0.31.255
 permit ip any 89.189.0.0 0.0.31.255
 permit ip any 46.251.64.0 0.0.31.255
 permit ip any 92.246.128.0 0.0.31.255
 permit ip any 212.67.0.0 0.0.31.255
 permit ip any 81.19.128.0 0.0.1.255
 permit ip any 81.19.130.0 0.0.0.255
 permit ip any 82.208.64.0 0.0.63.255
 permit ip any 213.177.96.0 0.0.31.255
 permit ip any 89.109.0.0 0.0.63.255
 permit ip any 79.126.0.0 0.0.63.255
 permit ip any 79.126.64.0 0.0.63.255
 permit ip any 95.37.0.0 0.0.127.255
 permit ip any 195.82.136.0 0.0.0.255
 permit ip any 195.82.137.0 0.0.0.255
 permit ip any 95.37.128.0 0.0.127.255
 permit ip any 93.120.128.0 0.0.127.255
 permit ip any 109.184.0.0 0.0.255.255
 permit ip any 217.23.16.0 0.0.15.255
 permit ip any 78.40.184.0 0.0.7.255
 permit ip any 78.40.188.0 0.0.0.255
 permit ip any 94.25.78.0 0.0.0.255
 permit ip any 85.143.0.0 0.0.15.255
 permit ip any 89.28.199.0 0.0.0.255
 permit ip any 213.190.224.0 0.0.31.255
 permit ip any 217.25.80.0 0.0.3.255
 permit ip any 85.91.192.0 0.0.15.255
 permit ip any 91.223.224.0 0.0.0.255
 deny   ip any any
ip access-list extended IX-TO-NIGHT
 permit ip any 195.98.32.0 0.0.31.255 time-range NIGHT
 permit ip any 212.92.128.0 0.0.63.255 time-range NIGHT
 permit ip any 217.118.93.0 0.0.0.255 time-range NIGHT
 permit ip any 92.242.64.0 0.0.31.255 time-range NIGHT
 permit ip any 88.81.32.0 0.0.31.255 time-range NIGHT
 permit ip any 89.189.0.0 0.0.31.255 time-range NIGHT
 permit ip any 46.251.64.0 0.0.31.255 time-range NIGHT
 permit ip any 92.246.128.0 0.0.31.255 time-range NIGHT
 permit ip any 212.67.0.0 0.0.31.255 time-range NIGHT
 permit ip any 81.19.128.0 0.0.1.255 time-range NIGHT
 permit ip any 81.19.130.0 0.0.0.255 time-range NIGHT
 permit ip any 82.208.64.0 0.0.63.255 time-range NIGHT
 permit ip any 213.177.96.0 0.0.31.255 time-range NIGHT
 permit ip any 89.109.0.0 0.0.63.255 time-range NIGHT
 permit ip any 79.126.0.0 0.0.63.255 time-range NIGHT
 permit ip any 79.126.64.0 0.0.63.255 time-range NIGHT
 permit ip any 95.37.0.0 0.0.127.255 time-range NIGHT
 permit ip any 195.82.136.0 0.0.0.255 time-range NIGHT
 permit ip any 195.82.137.0 0.0.0.255 time-range NIGHT
 permit ip any 95.37.128.0 0.0.127.255 time-range NIGHT
 permit ip any 93.120.128.0 0.0.127.255 time-range NIGHT
 permit ip any 109.184.0.0 0.0.255.255 time-range NIGHT
 permit ip any 217.23.16.0 0.0.15.255 time-range NIGHT
 permit ip any 78.40.184.0 0.0.7.255 time-range NIGHT
 permit ip any 78.40.188.0 0.0.0.255 time-range NIGHT
 permit ip any 94.25.78.0 0.0.0.255 time-range NIGHT
 permit ip any 85.143.0.0 0.0.15.255 time-range NIGHT
 permit ip any 89.28.199.0 0.0.0.255 time-range NIGHT
 permit ip any 213.190.224.0 0.0.31.255 time-range NIGHT
 permit ip any 217.25.80.0 0.0.3.255 time-range NIGHT
 permit ip any 85.91.192.0 0.0.15.255 time-range NIGHT
 permit ip any 91.223.224.0 0.0.0.255 time-range NIGHT
 deny   ip any any
ip access-list extended LOCAL-FROM
  deny   ip any any
ip access-list extended LOCAL-TO
 deny   ip any any
ip access-list extended PORTAL-FROM
 deny   ip any any
ip access-list extended PORTAL-TO
 deny   ip any any
ip access-list extended WORD-NIGHT
 permit ip any any time-range NIGHT
 deny   ip any any
ip access-list extended toNAT-1
 permit ip 10.83.0.0 0.0.127.255 any
 permit ip 10.137.0.0 0.0.255.255 any
 permit ip 10.84.0.0 0.0.255.255 any
 permit ip 10.90.0.0 0.0.255.255 any
ip access-list extended toNAT-2
 permit ip 10.128.64.0 0.0.3.255 any
 permit ip 10.17.0.0 0.0.1.255 any
 permit ip 10.82.0.0 0.0.127.255 any
ip access-list extended toNAT-3
 permit ip 10.17.0.0 0.0.127.255 any
 permit ip 10.100.0.0 0.0.255.255 any
 permit ip 10.87.0.0 0.0.255.255 any
ip access-list extended toNAT-4
 permit ip 10.136.0.0 0.0.255.255 any
 permit ip 10.8.0.0 0.0.255.255 any
 permit ip 10.88.0.0 0.0.255.255 any
 permit ip 10.16.0.0 0.0.255.255 any
 permit ip 10.4.0.0 0.0.255.255 any
ip access-list extended toNAT-5
 permit ip 10.200.0.0 0.0.255.255 any
 permit ip 10.128.0.0 0.0.255.255 any
!
ip radius source-interface TenGigabitEthernet0/2/0.13 
logging trap warnings
access-list 3 permit 172.22.0.0 0.0.255.255
access-list 99 permit any
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any eq www any
access-list 101 permit ip any any
access-list 102 permit ip any any
cdp run
!
route-map ospf deny 5
 match interface Null0
!
route-map ospf permit 10
 match ip address 1 2
!
route-map toNATS permit 10
 set ip default vrf SNAT next-hop 10.0.2.98
!
route-map toNAT permit 10
 match ip address toNAT-1
 set ip default vrf DNAT next-hop 10.0.2.11
!
route-map toNAT permit 20
 match ip address toNAT-2
 set ip default vrf DNAT next-hop 10.0.2.10
!
route-map toNAT permit 30
 match ip address toNAT-3
 set ip default vrf DNAT next-hop 10.0.2.12
!
route-map toNAT permit 40
 match ip address toNAT-4
 set ip default vrf DNAT next-hop 10.0.2.17
!
route-map toNAT permit 50
 match ip address toNAT-5
 set ip default vrf DNAT next-hop 10.0.2.8
!
route-map toNAT permit 999
 set ip default vrf DNAT next-hop 10.0.2.11
!
snmp-server community XXXXXX RO
snmp-server community XXXXXX RW
snmp-server community XXXXXX RO
snmp-server community XXXXXX RO EMC-SMARTS
snmp-server enable traps config
snmp-server host 195.1.226.27 XXXXXX 
snmp ifmib ifindex persist
!
radius-server attribute 44 include-in-access-req
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req 
radius-server attribute 55 include-in-acct-req
radius-server host 172.22.2.24 auth-port 1812 acct-port 1813 key 7 XXXXXX
radius-server host 172.22.2.24 auth-port 1814 acct-port 1815 key 7 XXXXXX
radius-server host 172.22.2.25 auth-port 1812 acct-port 1813 key 7 XXXXXX
radius-server host 172.22.2.25 auth-port 1814 acct-port 1815 key 7 XXXXXX
radius-server host 172.22.2.4 auth-port 1812 acct-port 1813 key 7 XXXXXX
radius-server retransmit 2
radius-server timeout 3
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
!
!
alias exec ssss sh sss session identifier authenticated-username
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
ntp server 172.22.1.1
time-range NIGHT
 periodic daily 1:00 to 9:00
!
end

16 комментариев:

Timur29 сентября 2011 г. в 10:13
Некоторые вещи в конфиге сознательно удалены, либо изменены для того, чтобы не палить ISP.
ОтветитьУдалить
Ответы
Unknown6 октября 2012 г. в 10:19
Nice Article! Thanks for sharing with us.
Basic IP Traffic Management with Access lists
ОтветитьУдалить
Ответы
Timur8 октября 2012 г. в 16:33
You're welcome!
ОтветитьУдалить
Ответы
Dushes12 февраля 2014 г. в 13:53
конфиг до сих пор актуально боевой ? :)
ОтветитьУдалить
Ответы
Unknown22 марта 2014 г. в 21:58
ух-ты! Долго искал что-то подобное.

А оно раздает IPoE?
ОтветитьУдалить
Ответы
Trider27 октября 2014 г. в 09:36
Приветствую!

Не понятно про политики. Что на радиус сервер отправляется? Соответственно какой биллинг и что он шлет на ASR?
ОтветитьУдалить
Ответы
Unknown10 февраля 2017 г. в 15:24
Тимур, как можно с Вами связаться? пожалуйста если вы еще тут, добавьте меня в skype: Abbosovich, есть пару вопросов и нюансов. буду блогодарен. спасибо.
ОтветитьУдалить
Ответы
Timur11 февраля 2017 г. в 00:03
Отправил запрос
ОтветитьУдалить
Ответы
Анонимный28 мая 2023 г. в 10:52
Nice post thank you Derek
ОтветитьУдалить
Ответы

Добавить комментарий

{ Useful stuff for System and Network Admins }

Поиск по этому блогу

четверг, 29 сентября 2011 г.

Конфиг боевого BRAS CISCO ASR 1002 ISG

16 комментариев:

Ярлыки

Обо мне

Поиск по этому блогу

четверг, 29 сентября 2011 г.

Конфиг боевого BRAS CISCO ASR 1002 ISG

16 комментариев:

четверг, 29 сентября 2011 г.