
Thursday, 29 September 2011

Config of a production BRAS: Cisco ASR 1002 ISG


version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ISG-1
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 XXXXXX
!
aaa new-model
!
!
# Subscribers are authorized against these RADIUS servers
aaa group server radius RG-ISG-AUTH
 server-private 172.22.2.24 auth-port 1812 acct-port 1813 key 7 XXXXXX
 server-private 172.22.2.25 auth-port 1812 acct-port 1813 key 7 XXXXXX
 ip vrf forwarding radius
!
# For subscriber accounting
aaa group server radius RG-ISG-ACC
 server-private 172.22.2.26 auth-port 1812 acct-port 1813 key 7 XXXXXX
 ip vrf forwarding radius
!
# Services are authorized against these RADIUS servers
aaa group server radius RG-ISG-SRV
 server-private 172.22.2.24 auth-port 1814 acct-port 1815 key 7 XXXXXX
 server-private 172.22.2.25 auth-port 1814 acct-port 1815 key 7 XXXXXX
 ip vrf forwarding radius
!
# Administrators are authenticated against this RADIUS server
aaa group server radius ADMIN-AUTH
 server-private 172.22.2.4 auth-port 1812 acct-port 1813 key 7 XXXXXX
 # All RADIUS traffic goes in a separate VRF
 ip vrf forwarding radius
!
aaa authentication login default local group ADMIN-AUTH
aaa authentication login console none
aaa authentication login ISG-AUTH group RG-ISG-AUTH
aaa authorization network ISG-AUTH group RG-ISG-AUTH
aaa authorization subscriber-service default local group RG-ISG-SRV
aaa accounting network Account start-stop group RG-ISG-ACC
!
aaa server radius dynamic-author
 client 195.1.226.59 server-key 7 XXXXXX
 auth-type any
 ignore session-key
 ignore server-key
!
aaa session-id common
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00
no ip source-route
ip vrf DNAT
 rd 8580:30
!
ip vrf SNAT
 rd 1111:40
!
ip vrf mgmt
 rd 1111:10
!
ip vrf radius
!
ip domain name sci-nnov.ru
ip name-server 195.1.226.2
ip name-server 195.1.226.1
!
subscriber service multiple-accept
!
redirect server-group PORTAL
 server ip 195.1.226.13
!
multilink bundle-name authenticated
!
redundancy
 mode none
!
class-map type traffic match-any PORTAL
 match access-group input name PORTAL-TO
 match access-group output name PORTAL-FROM
!
class-map type traffic match-any WORD-NIGHT
 match access-group input name WORD-NIGHT
 match access-group output name WORD-NIGHT
!
class-map type traffic match-any REDIRECT
 match access-group input 100
 match access-group output 100
!
class-map type traffic match-any OPENGARDEN
 match access-group output name PORTAL-FROM
 match access-group input name PORTAL-TO
!
class-map type traffic match-any WORD
 match access-group output 101
 match access-group input 101
!
class-map type traffic match-any IX
 match access-group input name IX-FROM
 match access-group output name IX-TO
!
class-map type control match-all IP-UNAUTH-COND
 match timer IP-UNAUTH-TIMER
 match authen-status unauthenticated
!
class-map type control match-all IP-AUTH-COND
 match timer IP-SESSION-TIMEOUT
 match authen-status authenticated
!
policy-map type service UNAUTHORIZED_REDIRECT_SVC
!
policy-map type service PORTAL
 400 class type traffic PORTAL
  police input 128000 256000 256000
  police output 128000 256000 256000
 !
 class type traffic default in-out
 !
!
policy-map type service L4REDIRECTOR
 30 class type traffic REDIRECT
  redirect to group PORTAL
 !
 class type traffic default input
  drop
 !
 sg-service-type secondary
!
policy-map type service WORD-NIGHT
 105 class type traffic WORD-NIGHT
  police input 256000 256000 256000
  police output 256000 256000 256000
 !
!
policy-map type service OPENGARDEN
 20 class type traffic OPENGARDEN
  police input 128000 256000 256000
  police output 128000 256000 256000
 !
 class type traffic default in-out
  drop
 !
!
policy-map type service SNAT
 ip vrf forwarding SNAT
 sg-service-type primary
!
policy-map type service NAT
 ip vrf forwarding DNAT
 sg-service-type primary
!
policy-map type service log-off-tst
 class type traffic OPENGARDEN
 !
 class type traffic default in-out
 !
!
policy-map type control UNAUTHEN_REDIRECT
 class type control always event session-start
  10 service-policy type service name PORTAL
  20 service-policy type service name UNAUTHORIZED_REDIRECT_SVC
 !
!
policy-map type control HN-SERVICE
 class type control always event session-start
  1 set-timer IP-SESSION-TIMEOUT 1440
  10 authorize aaa list ISG-AUTH password cisco identifier source-ip-address
 !
 class type control always event access-reject
  1 service-policy type service name OPENGARDEN
  2 service-policy type service name L4REDIRECTOR
  3 set-timer IP-UNAUTH-TIMER 10
  30 service-policy type service name NAT
 !
 class type control always event radius-timeout
  1 service-policy type service name OPENGARDEN
  10 service-policy type service name EXTERNAL-2048-2048
  20 set-timer IP-UNAUTH-TIMER 3
  30 service-policy type service name NAT
 !
 class type control always event timed-policy-expiry
  1 service disconnect
 !
!
policy-map type control B2B-service
 class type control always event session-start
  1 set-timer IP-SESSION-TIMEOUT 1440
  10 authorize aaa list ISG-AUTH password cisco identifier source-ip-address
 !
 class type control always event access-reject
  1 service-policy type service name OPENGARDEN
  2 service-policy type service name L4REDIRECTOR
  3 set-timer IP-UNAUTH-TIMER 3
 !
 class type control always event radius-timeout
  1 service-policy type service name OPENGARDEN
  10 service-policy type service name EXTERNAL-2048-2048
  20 set-timer IP-UNAUTH-TIMER 3
 !
 class type control always event timed-policy-expiry
  1 service disconnect
 !
!
interface Loopback1
 ip address 172.22.1.5 255.255.255.255
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/1
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface TenGigabitEthernet0/2/0
 no ip address
 cdp enable
!
interface TenGigabitEthernet0/2/0.13
 description radius-servers
 encapsulation dot1Q 13
 ip vrf forwarding radius
 ip address 172.22.2.253 255.255.255.0
!
interface TenGigabitEthernet0/2/0.39
 description ISG to dynNAT
 encapsulation dot1Q 39
 ip vrf forwarding DNAT
 ip address 10.0.2.19 255.255.255.224
!
interface TenGigabitEthernet0/2/0.196
 description p2p-oka-1-isg-1
 encapsulation dot1Q 196
 ip address 2.2.2.2 255.255.255.252
 ip ospf network point-to-point
!
interface TenGigabitEthernet0/2/0.197
 description GRT ISG
 encapsulation dot1Q 197
 ip address 195.1.225.57 255.255.255.252
 service-policy type control B2B-service
 ip subscriber routed
  initiator unclassified ip-address
!
interface TenGigabitEthernet0/2/0.281
 description BRAS
 encapsulation dot1Q 281
 ip address 10.0.0.21 255.255.255.224
 service-policy type control HN-SERVICE
 ip subscriber routed
  initiator unclassified ip-address
!
interface TenGigabitEthernet0/2/0.502
 description ISG-NATS
 encapsulation dot1Q 502
 ip vrf forwarding SNAT
 ip address 10.0.2.99 255.255.255.224
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface multiservice1
 ip vrf forwarding SNAT
 ip address 10.0.2.69 255.255.255.252
 ip policy route-map toNATS
 no keepalive
!
interface multiservice2
 ip vrf forwarding DNAT
 ip address 10.0.2.69 255.255.255.252
 ip policy route-map toNAT
 no keepalive
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets route-map ospf
 redistribute static subnets route-map ospf
 passive-interface default
 no passive-interface TenGigabitEthernet0/2/0.196
 network 2.2.2.0 0.0.0.255 area 0
 network 172.22.1.0 0.0.0.255 area 0
!
no ip http server
ip route 10.0.0.0 255.0.0.0 10.0.0.1
ip route vrf DNAT 0.0.0.0 0.0.0.0 10.0.2.11
ip route vrf DNAT 10.0.0.0 255.0.0.0 10.0.0.1 global
!
ip access-list standard EMC-SMARTS
!
ip access-list extended ACRT-NIGHT
 permit ip any any time-range NIGHT
 deny ip any any
ip access-list extended IX-FROM
 permit ip 195.98.32.0 0.0.31.255 any
 permit ip 212.92.128.0 0.0.63.255 any
 permit ip 217.118.93.0 0.0.0.255 any
 permit ip 92.242.64.0 0.0.31.255 any
 permit ip 88.81.32.0 0.0.31.255 any
 permit ip 89.189.0.0 0.0.31.255 any
 permit ip 46.251.64.0 0.0.31.255 any
 permit ip 92.246.128.0 0.0.31.255 any
 permit ip 212.67.0.0 0.0.31.255 any
 permit ip 81.19.128.0 0.0.1.255 any
 permit ip 81.19.130.0 0.0.0.255 any
 permit ip 82.208.64.0 0.0.63.255 any
 permit ip 213.177.96.0 0.0.31.255 any
 permit ip 89.109.0.0 0.0.63.255 any
 permit ip 79.126.0.0 0.0.63.255 any
 permit ip 79.126.64.0 0.0.63.255 any
 permit ip 95.37.0.0 0.0.127.255 any
 permit ip 195.82.136.0 0.0.0.255 any
 permit ip 195.82.137.0 0.0.0.255 any
 permit ip 95.37.128.0 0.0.127.255 any
 permit ip 93.120.128.0 0.0.127.255 any
 permit ip 109.184.0.0 0.0.255.255 any
 permit ip 217.23.16.0 0.0.15.255 any
 permit ip 78.40.184.0 0.0.7.255 any
 permit ip 78.40.188.0 0.0.0.255 any
 permit ip 94.25.78.0 0.0.0.255 any
 permit ip 85.143.0.0 0.0.15.255 any
 permit ip 89.28.199.0 0.0.0.255 any
 permit ip 213.190.224.0 0.0.31.255 any
 permit ip 217.25.80.0 0.0.3.255 any
 permit ip 85.91.192.0 0.0.15.255 any
 permit ip 91.223.224.0 0.0.0.255 any
 deny ip any any
ip access-list extended IX-FROM-NIGHT
 permit ip 195.98.32.0 0.0.31.255 any time-range NIGHT
 permit ip 212.92.128.0 0.0.63.255 any time-range NIGHT
 permit ip 217.118.93.0 0.0.0.255 any time-range NIGHT
 permit ip 92.242.64.0 0.0.31.255 any time-range NIGHT
 permit ip 88.81.32.0 0.0.31.255 any time-range NIGHT
 permit ip 89.189.0.0 0.0.31.255 any time-range NIGHT
 permit ip 46.251.64.0 0.0.31.255 any time-range NIGHT
 permit ip 92.246.128.0 0.0.31.255 any time-range NIGHT
 permit ip 212.67.0.0 0.0.31.255 any time-range NIGHT
 permit ip 81.19.128.0 0.0.1.255 any time-range NIGHT
 permit ip 81.19.130.0 0.0.0.255 any time-range NIGHT
 permit ip 82.208.64.0 0.0.63.255 any time-range NIGHT
 permit ip 213.177.96.0 0.0.31.255 any time-range NIGHT
 permit ip 89.109.0.0 0.0.63.255 any time-range NIGHT
 permit ip 79.126.0.0 0.0.63.255 any time-range NIGHT
 permit ip 79.126.64.0 0.0.63.255 any time-range NIGHT
 permit ip 95.37.0.0 0.0.127.255 any time-range NIGHT
 permit ip 195.82.136.0 0.0.0.255 any time-range NIGHT
 permit ip 195.82.137.0 0.0.0.255 any time-range NIGHT
 permit ip 95.37.128.0 0.0.127.255 any time-range NIGHT
 permit ip 93.120.128.0 0.0.127.255 any time-range NIGHT
 permit ip 109.184.0.0 0.0.255.255 any time-range NIGHT
 permit ip 217.23.16.0 0.0.15.255 any time-range NIGHT
 permit ip 78.40.184.0 0.0.7.255 any time-range NIGHT
 permit ip 78.40.188.0 0.0.0.255 any time-range NIGHT
 permit ip 94.25.78.0 0.0.0.255 any time-range NIGHT
 permit ip 85.143.0.0 0.0.15.255 any time-range NIGHT
 permit ip 89.28.199.0 0.0.0.255 any time-range NIGHT
 permit ip 213.190.224.0 0.0.31.255 any time-range NIGHT
 permit ip 217.25.80.0 0.0.3.255 any time-range NIGHT
 permit ip 85.91.192.0 0.0.15.255 any time-range NIGHT
 permit ip 91.223.224.0 0.0.0.255 any time-range NIGHT
 deny ip any any
ip access-list extended IX-TO
 permit ip any 195.98.32.0 0.0.31.255
 permit ip any 212.92.128.0 0.0.63.255
 permit ip any 217.118.93.0 0.0.0.255
 permit ip any 92.242.64.0 0.0.31.255
 permit ip any 88.81.32.0 0.0.31.255
 permit ip any 89.189.0.0 0.0.31.255
 permit ip any 46.251.64.0 0.0.31.255
 permit ip any 92.246.128.0 0.0.31.255
 permit ip any 212.67.0.0 0.0.31.255
 permit ip any 81.19.128.0 0.0.1.255
 permit ip any 81.19.130.0 0.0.0.255
 permit ip any 82.208.64.0 0.0.63.255
 permit ip any 213.177.96.0 0.0.31.255
 permit ip any 89.109.0.0 0.0.63.255
 permit ip any 79.126.0.0 0.0.63.255
 permit ip any 79.126.64.0 0.0.63.255
 permit ip any 95.37.0.0 0.0.127.255
 permit ip any 195.82.136.0 0.0.0.255
 permit ip any 195.82.137.0 0.0.0.255
 permit ip any 95.37.128.0 0.0.127.255
 permit ip any 93.120.128.0 0.0.127.255
 permit ip any 109.184.0.0 0.0.255.255
 permit ip any 217.23.16.0 0.0.15.255
 permit ip any 78.40.184.0 0.0.7.255
 permit ip any 78.40.188.0 0.0.0.255
 permit ip any 94.25.78.0 0.0.0.255
 permit ip any 85.143.0.0 0.0.15.255
 permit ip any 89.28.199.0 0.0.0.255
 permit ip any 213.190.224.0 0.0.31.255
 permit ip any 217.25.80.0 0.0.3.255
 permit ip any 85.91.192.0 0.0.15.255
 permit ip any 91.223.224.0 0.0.0.255
 deny ip any any
ip access-list extended IX-TO-NIGHT
 permit ip any 195.98.32.0 0.0.31.255 time-range NIGHT
 permit ip any 212.92.128.0 0.0.63.255 time-range NIGHT
 permit ip any 217.118.93.0 0.0.0.255 time-range NIGHT
 permit ip any 92.242.64.0 0.0.31.255 time-range NIGHT
 permit ip any 88.81.32.0 0.0.31.255 time-range NIGHT
 permit ip any 89.189.0.0 0.0.31.255 time-range NIGHT
 permit ip any 46.251.64.0 0.0.31.255 time-range NIGHT
 permit ip any 92.246.128.0 0.0.31.255 time-range NIGHT
 permit ip any 212.67.0.0 0.0.31.255 time-range NIGHT
 permit ip any 81.19.128.0 0.0.1.255 time-range NIGHT
 permit ip any 81.19.130.0 0.0.0.255 time-range NIGHT
 permit ip any 82.208.64.0 0.0.63.255 time-range NIGHT
 permit ip any 213.177.96.0 0.0.31.255 time-range NIGHT
 permit ip any 89.109.0.0 0.0.63.255 time-range NIGHT
 permit ip any 79.126.0.0 0.0.63.255 time-range NIGHT
 permit ip any 79.126.64.0 0.0.63.255 time-range NIGHT
 permit ip any 95.37.0.0 0.0.127.255 time-range NIGHT
 permit ip any 195.82.136.0 0.0.0.255 time-range NIGHT
 permit ip any 195.82.137.0 0.0.0.255 time-range NIGHT
 permit ip any 95.37.128.0 0.0.127.255 time-range NIGHT
 permit ip any 93.120.128.0 0.0.127.255 time-range NIGHT
 permit ip any 109.184.0.0 0.0.255.255 time-range NIGHT
 permit ip any 217.23.16.0 0.0.15.255 time-range NIGHT
 permit ip any 78.40.184.0 0.0.7.255 time-range NIGHT
 permit ip any 78.40.188.0 0.0.0.255 time-range NIGHT
 permit ip any 94.25.78.0 0.0.0.255 time-range NIGHT
 permit ip any 85.143.0.0 0.0.15.255 time-range NIGHT
 permit ip any 89.28.199.0 0.0.0.255 time-range NIGHT
 permit ip any 213.190.224.0 0.0.31.255 time-range NIGHT
 permit ip any 217.25.80.0 0.0.3.255 time-range NIGHT
 permit ip any 85.91.192.0 0.0.15.255 time-range NIGHT
 permit ip any 91.223.224.0 0.0.0.255 time-range NIGHT
 deny ip any any
ip access-list extended LOCAL-FROM
 deny ip any any
ip access-list extended LOCAL-TO
 deny ip any any
ip access-list extended PORTAL-FROM
 deny ip any any
ip access-list extended PORTAL-TO
 deny ip any any
ip access-list extended WORD-NIGHT
 permit ip any any time-range NIGHT
 deny ip any any
ip access-list extended toNAT-1
 permit ip 10.83.0.0 0.0.127.255 any
 permit ip 10.137.0.0 0.0.255.255 any
 permit ip 10.84.0.0 0.0.255.255 any
 permit ip 10.90.0.0 0.0.255.255 any
ip access-list extended toNAT-2
 permit ip 10.128.64.0 0.0.3.255 any
 permit ip 10.17.0.0 0.0.1.255 any
 permit ip 10.82.0.0 0.0.127.255 any
ip access-list extended toNAT-3
 permit ip 10.17.0.0 0.0.127.255 any
 permit ip 10.100.0.0 0.0.255.255 any
 permit ip 10.87.0.0 0.0.255.255 any
ip access-list extended toNAT-4
 permit ip 10.136.0.0 0.0.255.255 any
 permit ip 10.8.0.0 0.0.255.255 any
 permit ip 10.88.0.0 0.0.255.255 any
 permit ip 10.16.0.0 0.0.255.255 any
 permit ip 10.4.0.0 0.0.255.255 any
ip access-list extended toNAT-5
 permit ip 10.200.0.0 0.0.255.255 any
 permit ip 10.128.0.0 0.0.255.255 any
!
ip radius source-interface TenGigabitEthernet0/2/0.13
logging trap warnings
access-list 3 permit 172.22.0.0 0.0.255.255
access-list 99 permit any
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any eq www any
access-list 101 permit ip any any
access-list 102 permit ip any any
cdp run
!
route-map ospf deny 5
 match interface Null0
!
route-map ospf permit 10
 match ip address 1 2
!
route-map toNATS permit 10
 set ip default vrf SNAT next-hop 10.0.2.98
!
route-map toNAT permit 10
 match ip address toNAT-1
 set ip default vrf DNAT next-hop 10.0.2.11
!
route-map toNAT permit 20
 match ip address toNAT-2
 set ip default vrf DNAT next-hop 10.0.2.10
!
route-map toNAT permit 30
 match ip address toNAT-3
 set ip default vrf DNAT next-hop 10.0.2.12
!
route-map toNAT permit 40
 match ip address toNAT-4
 set ip default vrf DNAT next-hop 10.0.2.17
!
route-map toNAT permit 50
 match ip address toNAT-5
 set ip default vrf DNAT next-hop 10.0.2.8
!
route-map toNAT permit 999
 set ip default vrf DNAT next-hop 10.0.2.11
!
snmp-server community XXXXXX RO
snmp-server community XXXXXX RW
snmp-server community XXXXXX RO
snmp-server community XXXXXX RO EMC-SMARTS
snmp-server enable traps config
snmp-server host 195.1.226.27 XXXXXX
snmp ifmib ifindex persist
!
radius-server attribute 44 include-in-access-req
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server host 172.22.2.24 auth-port 1812 acct-port 1813 key 7 XXXXXX
radius-server host 172.22.2.24 auth-port 1814 acct-port 1815 key 7 XXXXXX
radius-server host 172.22.2.25 auth-port 1812 acct-port 1813 key 7 XXXXXX
radius-server host 172.22.2.25 auth-port 1814 acct-port 1815 key 7 XXXXXX
radius-server host 172.22.2.4 auth-port 1812 acct-port 1813 key 7 XXXXXX
radius-server retransmit 2
radius-server timeout 3
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
alias exec ssss sh sss session identifier authenticated-username
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
ntp server 172.22.1.1
time-range NIGHT
 periodic daily 1:00 to 9:00
!
end
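What the session-start rule `authorize aaa list ISG-AUTH password cisco identifier source-ip-address` actually puts on the wire, as an added example that is not part of the original post: the Python below builds the Access-Request the ISG sends to RG-ISG-AUTH (User-Name and Framed-IP-Address are the subscriber's source IP, per `radius-server attribute 8 include-in-access-req`; User-Password is the fixed string `cisco`), answers it from a constructed subscriber table, and verifies the Response Authenticator the way the NAS must before acting on an Access-Accept (RFC 2865). The shared secret (`key 7 XXXXXX` in the config), the NAS identifier, the subscriber table and the reply attribute (Cisco-Account-Info, vendor type 250, `A` + service name, which is the ISG service-activation attribute) are assumptions made for the example. Because the password is a constant known to every host on the subscriber VLAN, the server can only check the source IP; the RADIUS shared secret and the dedicated `radius` VRF are what keep a subscriber-side host from forging an Accept.

```python
"""RADIUS exchange behind ISG `authorize ... password cisco identifier source-ip-address`.
Added example, not from the original post. Secret, NAS IP, subscriber table and the
reply attribute are constructed values; the packet formats follow RFC 2865."""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 8, 26
CISCO_VENDOR_ID, CISCO_ACCOUNT_INFO = 9, 250

POLICY_PASSWORD = b"cisco"              # fixed by the control policy, same for every subscriber
SHARED_SECRET = b"constructed-secret"   # stands in for `key 7 XXXXXX` (assumption)
NAS_IP = "10.0.0.21"                    # Te0/2/0.281 address from the config
# Constructed billing table (assumption): subscriber source IP -> ISG service to activate
SUBSCRIBERS = {"10.83.0.10": "NAT", "10.200.0.5": "SNAT"}


def attr(atype, value):
    """One RFC 2865 TLV: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def ip_attr(atype, dotted):
    return attr(atype, bytes(int(o) for o in dotted.split(".")))

def cisco_vsa(vtype, text):
    """Vendor-Specific (26): Vendor-Id 9, then Vendor-Type / Vendor-Length / string."""
    inner = struct.pack("!BB", vtype, 2 + len(text)) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16, XOR each block with MD5(secret + previous block).
    This is obfuscation keyed only by the shared secret, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(data):
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + request_auth + attrs + secret).digest()

def build_access_request(subscriber_ip, ident=0x2A, request_auth=None):
    """What the ISG emits at session-start for an unclassified source IP."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = attr(USER_NAME, subscriber_ip.encode())
    attrs += attr(USER_PASSWORD, hide_password(POLICY_PASSWORD, SHARED_SECRET, request_auth))
    attrs += ip_attr(NAS_IP_ADDRESS, NAS_IP) + ip_attr(FRAMED_IP_ADDRESS, subscriber_ip)
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)

def server_answer(request, secret=SHARED_SECRET):
    """Mock RG-ISG-AUTH server: the only per-subscriber fact it can check is the IP."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    got = dict(parse_attrs(request[20:length]))
    user = got[USER_NAME].decode()
    expected_pw = hide_password(POLICY_PASSWORD, secret, request_auth)
    if hmac.compare_digest(got[USER_PASSWORD], expected_pw) and user in SUBSCRIBERS:
        code, reply = ACCESS_ACCEPT, cisco_vsa(CISCO_ACCOUNT_INFO, "A" + SUBSCRIBERS[user])
    else:
        code, reply = ACCESS_REJECT, b""
    return packet(code, ident, response_authenticator(code, ident, reply, request_auth, secret), reply)

def verify_response(request, response, secret=SHARED_SECRET):
    """NAS side: check Identifier and Response Authenticator before trusting the reply.
    Returns (code, [Cisco vendor strings])."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        raise ValueError("Identifier mismatch")
    expected = response_authenticator(code, ident, response[20:length], request[4:20], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or tampered reply")
    vsas = [v[6:4 + v[5]].decode() for t, v in parse_attrs(response[20:length])
            if t == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID]
    return code, vsas

if __name__ == "__main__":
    req = build_access_request("10.83.0.10")
    print(verify_response(req, server_answer(req)))   # (2, ['ANAT'])
    req = build_access_request("192.0.2.77")          # not in the billing table
    print(verify_response(req, server_answer(req)))   # (3, [])
```

On the real box, an Access-Accept carrying the activation attribute is what moves the session from the `access-reject` branch (OPENGARDEN + L4REDIRECTOR + IP-UNAUTH-TIMER) to the NAT or SNAT service; an Accept whose authenticator does not verify against the configured key is dropped by IOS exactly as `verify_response` drops it here.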

16 comments:

  1. Some things in the config have been deliberately removed or changed so as not to expose the ISP.

    Replies
    1. I set it up like this:

      interface GigabitEthernet1/0.501
       description TO_SUBSCRIBERS
       encapsulation dot1Q 501
       ip address 10.200.100.1 255.255.255.252
       service-policy type control IPOE_COSTUMERS
       ip subscriber routed
        initiator unclassified ip-address

      interface GigabitEthernet2/0.401
       description Beeline
       encapsulation dot1Q 401
       ip vrf forwarding beeline
       ip address 213.33.186.134 255.255.255.252

      interface multiservice1
       ip vrf forwarding beeline
       ip address 10.10.100.1 255.255.255.252
       no keepalive

      ip route vrf beeline 0.0.0.0 0.0.0.0 213.33.186.133

      RADIUS:

      Cisco-AVPair += 'ip:vrf-id=beeline'

      Everything works, but traffic from the Internet does not come back through interface multiservice1 to the subscriber...

      This command works:

      ping vrf beeline "subscriber IP"... (the traffic leaves from the IP address of interface multiservice1)

      What did I do wrong?

  2. Is the config still a live production one? :)

    Replies
    1. I haven't worked at the place where it is deployed for more than 2 years, but I think the config is still roughly the same.

  3. Wow! I've been looking for something like this for a long time.

    Does it serve IPoE?

  4. Greetings!

    The policies are unclear to me. What gets sent to the RADIUS server? And accordingly, which billing system is used, and what does it send to the ASR?

    Replies
    1. Better late than never :)

      About the tariff plans: http://tsolodov.blogspot.ru/2011/02/isg.html

    2. Tell me, did the IPoE session start successfully on "inbound" traffic toward the user?
      Was the User-Name the ip-dst = the user's IP?

    3. class-map type control match-all ISG-IP-UNAUTH
        match timer UNAUTH-TIMER
        match authen-status unauthenticated

      policy-map type control ISG-RADIUS-PROFILES
       class type control ISG-IP-UNAUTH event timed-policy-expiry
        1 service disconnect
       !
       class type control always event session-start
        10 authorize aaa list IPoE identifier source-ip-address
        20 service-policy type service name OG_SRV
        30 service-policy type service name L4R_SRV
        40 set-timer UNAUTH-TIMER 1
       !
       class type control always event session-restart
        10 authorize aaa list IPoE identifier source-ip-address
        20 service-policy type service name OG_SRV
        30 service-policy type service name L4R_SRV
        40 set-timer UNAUTH-TIMER 1

      In the billing rules the login is: IP

  5. Timur, how can I get in touch with you? If you are still here, please add me on Skype: Abbosovich, I have a couple of questions and details to ask about. I'd be grateful. Thanks.

  6. Nice post thank you Derek
