forum.opennet.ru

Составление сообщения

Исходное сообщение

"ISG, policy-map  и глюк ACL !!! help"
Отправлено ATeam, 29-Ноя-07 13:56

Всем доброго времени суток.
Есть стенд с ISG.
есть правило -
policy-map type control RULE-401a-1
class type control IP_UNAUTH_COND event timed-policy-expiry
  1 service disconnect
  !
class type control always event session-start
  1 service-policy type service name PBHK_SERVICE
  2 authorize aaa password lab123 identifier nas-port
  3 service-policy type service name L4_REDIRECT_SERVICE
  4 set-timer IP_UNAUTH_TIMER 5
!
class type control always event account-logon
  1 authenticate aaa list BH_WEB_LOGON
  2 service-policy type service unapply name L4_REDIRECT_SERVICE
!
class type control always event account-logoff
  1 service disconnect delay 5
!
class type control always event session-restart
  1 service-policy type service name PBHK_SERVICE
  3 service-policy type service name L4_REDIRECT_SERVICE
  4 set-timer IP_UNAUTH_TIMER 5
!
class type control always event credit-exhausted
  1 service-policy type service name SERVICE_403_L4R_TC

Пользователю разрешаются сервисы  -
nas-port:172.16.4.4:0/0/1/100.4000 Password = "lab123",
    User-Service-Type = Login-User,
    NAS-Port-Type = PPPoEoQinQ,
    cisco-avpair = "subscriber:accounting-list=BH_ACCNT_LIST",
    cisco-avpair = "ssg-account-info=ASERVICE_401_INTERNET",
Разрешается сервис - SERVICE_401_INTERNET  ---
SERVICE_401_INTERNET Password = "cisco",
    User-Name = "0/0/1/100.4000",
    cisco-avpair = "subscriber:accounting-list=BH_ACCNT_LIST",
    cisco-avpair = "ip:traffic-class=in access-group name  ACL_IN_INT priority 6",
    cisco-avpair = "ip:traffic-class=in default drop",
    cisco-avpair = "ip:traffic-class=out access-group name  ACL_OUT_INT priority 6",
    cisco-avpair = "ip:traffic-class=out default drop",
    Service-Info = "QD;1024000;1024000",
    Service-Info = "QU:512000;512000",
    Service-Info = "ISERVICE_401_INTERNET",
    cisco-avpair = "prepaid-config=default",
Вот его ACL -
Extended IP access list ACL_IN_INT
    10 deny ip 10.0.0.0 0.255.255.255 any
    20 deny ip 192.168.0.0 0.0.255.255 any
    30 permit ip any any (577 matches)
Extended IP access list ACL_OUT_INT
    10 deny ip 10.0.0.0 0.255.255.255 any
    20 deny ip 192.168.0.0 0.0.255.255 any
    30 permit ip any any (126 matches)
, при работающем сервисе трафик бегает в Инет , всё нормально ...
Однако так как включена функция - PREPAID - , то по истечению квоты -
Control-Info = "QT0",
Idle-Timeout = "1000",
весь трафик дропается на этом сервисе пока идёт время Idle-Timeout
и загружается сервис - SERVICE_403_L4R_TC

SERVICE_403_L4R_TC Password = "cisco",
    cisco-avpair = "ip:traffic-class=out access-group name ACL_OUT_L4R priority 1",
    cisco-avpair = "ip:traffic-class=in access-group name ACL_IN_L4R priority 1",
        cisco-avpair = "ip:l4redirect=redirect to group PERIODIC_L4R",

Вот его ACL -
Extended IP access list ACL_IN_L4R
    10 deny ip any host 172.16.5.57 (55 matches)
    20 permit tcp any any eq www (137 matches)
    30 permit tcp any any eq 8001
    40 deny udp any any eq domain (37 matches)
Extended IP access list ACL_OUT_L4R
    10 permit ip any any (2 matches)

Вот данные по сессии -
outer#sh sss session  detailed | i ACL
    traffic-class        "out access-group name ACL_OUT_L4R priority 1"
    traffic-class        "in access-group name ACL_IN_L4R priority 1"
        traffic-class        "out access-group name ACL_OUT_L4R priority 1"
        traffic-class        "in access-group name ACL_IN_L4R priority 1"
        traffic-class        "out access-group name ACL_OUT_L4R priority 1"
        traffic-class        "in access-group name ACL_IN_L4R priority 1"
        traffic-class        "out access-group name ACL_OUT_L4R priority 1"
        traffic-class        "in access-group name ACL_IN_L4R priority 1"
        traffic-class        "out access-group name ACL_OUT_L4R priority 1"
        traffic-class        "in access-group name ACL_IN_L4R priority 1"
        traffic-class        "out access-group name ACL_OUT_L4R priority 1"
        traffic-class        "in access-group name ACL_IN_L4R priority 1"
        traffic-class        "in access-group name  ACL_IN_INT priority 6"
        traffic-class        "out access-group name  ACL_OUT_INT priority 6"
   ACL Name: ACL_IN_INT, Packets = 215, Bytes = 22837
   ACL Name: ACL_IN_L4R, Packets = 0, Bytes = 0
   ACL Name: ACL_OUT_INT, Packets = 17, Bytes = 1925
   ACL Name: ACL_OUT_L4R, Packets = 0, Bytes = 0
    traffic-class        "in access-group name  ACL_IN_INT priority 6"
    traffic-class        "out access-group name  ACL_OUT_INT priority 6"
        traffic-class        "in access-group name  ACL_IN_INT priority 6"
        traffic-class        "out access-group name  ACL_OUT_INT priority 6"
Router#

Traffic classes:
  Traffic class session ID: 37
   ACL Name: ACL_IN_INT, Packets = 215, Bytes = 22837
  Traffic class session ID: 40
   ACL Name: ACL_IN_L4R, Packets = 0, Bytes = 0
Default traffic is dropped
Unmatched Packets (dropped) = 0, Re-classified packets (redirected) = 0
Feature: Portbundle Hostkey
Portbundle IP = 172.16.4.4     Bundle Number = 74
Session outbound features:
Feature: Session accounting
  Method List: BH_ACCNT_LIST
  Packets = 19, Bytes = 2125
Traffic classes:
  Traffic class session ID: 37
   ACL Name: ACL_OUT_INT, Packets = 17, Bytes = 1925
  Traffic class session ID: 40
   ACL Name: ACL_OUT_L4R, Packets = 0, Bytes = 0
Default traffic is dropped
Unmatched Packets (dropped) = 0, Re-classified packets (redirected) = 0
Configuration sources associated with this session:
Service: SERVICE_403_L4R_TC, Active Time = 00:05:15
Service: SERVICE_401_INTERNET, Active Time = 00:39:28
  AAA Service ID = 66876644
Service: PBHK_SERVICE, Active Time = 00:39:28
Interface: GigabitEthernet0/1.4000100, Active Time = 00:39:28

Весть трафик должен редиректиться на портал -
redirect server-group PERIODIC_L4R
server ip 172.16.5.57 port 8001

И циска отображает , что трафик редиректиться ...
но реально не кидает на портал ...
хотя в остальных обычных случаях (например не авторизирован пользователь) все редиректы работают ...
Кто сталкивался с такой фигнёй ?(
Может есть где то примеры ?
Все доки по этому поводу уже перерыл в доль и поперёк (( все по примерам делаю ... но не бегает ((
хотя по приоритетам всё правильно для ACL поставлено ((

Исходное сообщение
"ISG, policy-map и глюк ACL !!! help" Отправлено ATeam, 29-Ноя-07 13:56
Всем доброго времени суток. Есть стенд с ISG. есть правило - policy-map type control RULE-401a-1 class type control IP_UNAUTH_COND event timed-policy-expiry 1 service disconnect ! class type control always event session-start 1 service-policy type service name PBHK_SERVICE 2 authorize aaa password lab123 identifier nas-port 3 service-policy type service name L4_REDIRECT_SERVICE 4 set-timer IP_UNAUTH_TIMER 5 ! class type control always event account-logon 1 authenticate aaa list BH_WEB_LOGON 2 service-policy type service unapply name L4_REDIRECT_SERVICE ! class type control always event account-logoff 1 service disconnect delay 5 ! class type control always event session-restart 1 service-policy type service name PBHK_SERVICE 3 service-policy type service name L4_REDIRECT_SERVICE 4 set-timer IP_UNAUTH_TIMER 5 ! class type control always event credit-exhausted 1 service-policy type service name SERVICE_403_L4R_TC Пользователю разрешаются сервисы - nas-port:172.16.4.4:0/0/1/100.4000 Password = "lab123", User-Service-Type = Login-User, NAS-Port-Type = PPPoEoQinQ, cisco-avpair = "subscriber:accounting-list=BH_ACCNT_LIST", cisco-avpair = "ssg-account-info=ASERVICE_401_INTERNET", Разрешается сервис - SERVICE_401_INTERNET --- SERVICE_401_INTERNET Password = "cisco", User-Name = "0/0/1/100.4000", cisco-avpair = "subscriber:accounting-list=BH_ACCNT_LIST", cisco-avpair = "ip:traffic-class=in access-group name ACL_IN_INT priority 6", cisco-avpair = "ip:traffic-class=in default drop", cisco-avpair = "ip:traffic-class=out access-group name ACL_OUT_INT priority 6", cisco-avpair = "ip:traffic-class=out default drop", Service-Info = "QD;1024000;1024000", Service-Info = "QU:512000;512000", Service-Info = "ISERVICE_401_INTERNET", cisco-avpair = "prepaid-config=default", Вот его ACL - Extended IP access list ACL_IN_INT 10 deny ip 10.0.0.0 0.255.255.255 any 20 deny ip 192.168.0.0 0.0.255.255 any 30 permit ip any any (577 matches) Extended IP access list ACL_OUT_INT 10 deny ip 10.0.0.0 0.255.255.255 any 20 deny ip 192.168.0.0 0.0.255.255 any 30 permit ip any any (126 matches) , при работающем сервисе трафик бегает в Инет , всё нормально ... Однако так как включена функция - PREPAID - , то по истечению квоты - Control-Info = "QT0", Idle-Timeout = "1000", весь трафик дропается на этом сервисе пока идёт время Idle-Timeout и загружается сервис - SERVICE_403_L4R_TC SERVICE_403_L4R_TC Password = "cisco", cisco-avpair = "ip:traffic-class=out access-group name ACL_OUT_L4R priority 1", cisco-avpair = "ip:traffic-class=in access-group name ACL_IN_L4R priority 1", cisco-avpair = "ip:l4redirect=redirect to group PERIODIC_L4R", Вот его ACL - Extended IP access list ACL_IN_L4R 10 deny ip any host 172.16.5.57 (55 matches) 20 permit tcp any any eq www (137 matches) 30 permit tcp any any eq 8001 40 deny udp any any eq domain (37 matches) Extended IP access list ACL_OUT_L4R 10 permit ip any any (2 matches) Вот данные по сессии - outer#sh sss session detailed \| i ACL traffic-class "out access-group name ACL_OUT_L4R priority 1" traffic-class "in access-group name ACL_IN_L4R priority 1" traffic-class "out access-group name ACL_OUT_L4R priority 1" traffic-class "in access-group name ACL_IN_L4R priority 1" traffic-class "out access-group name ACL_OUT_L4R priority 1" traffic-class "in access-group name ACL_IN_L4R priority 1" traffic-class "out access-group name ACL_OUT_L4R priority 1" traffic-class "in access-group name ACL_IN_L4R priority 1" traffic-class "out access-group name ACL_OUT_L4R priority 1" traffic-class "in access-group name ACL_IN_L4R priority 1" traffic-class "out access-group name ACL_OUT_L4R priority 1" traffic-class "in access-group name ACL_IN_L4R priority 1" traffic-class "in access-group name ACL_IN_INT priority 6" traffic-class "out access-group name ACL_OUT_INT priority 6" ACL Name: ACL_IN_INT, Packets = 215, Bytes = 22837 ACL Name: ACL_IN_L4R, Packets = 0, Bytes = 0 ACL Name: ACL_OUT_INT, Packets = 17, Bytes = 1925 ACL Name: ACL_OUT_L4R, Packets = 0, Bytes = 0 traffic-class "in access-group name ACL_IN_INT priority 6" traffic-class "out access-group name ACL_OUT_INT priority 6" traffic-class "in access-group name ACL_IN_INT priority 6" traffic-class "out access-group name ACL_OUT_INT priority 6" Router# Traffic classes: Traffic class session ID: 37 ACL Name: ACL_IN_INT, Packets = 215, Bytes = 22837 Traffic class session ID: 40 ACL Name: ACL_IN_L4R, Packets = 0, Bytes = 0 Default traffic is dropped Unmatched Packets (dropped) = 0, Re-classified packets (redirected) = 0 Feature: Portbundle Hostkey Portbundle IP = 172.16.4.4 Bundle Number = 74 Session outbound features: Feature: Session accounting Method List: BH_ACCNT_LIST Packets = 19, Bytes = 2125 Traffic classes: Traffic class session ID: 37 ACL Name: ACL_OUT_INT, Packets = 17, Bytes = 1925 Traffic class session ID: 40 ACL Name: ACL_OUT_L4R, Packets = 0, Bytes = 0 Default traffic is dropped Unmatched Packets (dropped) = 0, Re-classified packets (redirected) = 0 Configuration sources associated with this session: Service: SERVICE_403_L4R_TC, Active Time = 00:05:15 Service: SERVICE_401_INTERNET, Active Time = 00:39:28 AAA Service ID = 66876644 Service: PBHK_SERVICE, Active Time = 00:39:28 Interface: GigabitEthernet0/1.4000100, Active Time = 00:39:28 Весть трафик должен редиректиться на портал - redirect server-group PERIODIC_L4R server ip 172.16.5.57 port 8001 И циска отображает , что трафик редиректиться ... но реально не кидает на портал ... хотя в остальных обычных случаях (например не авторизирован пользователь) все редиректы работают ... Кто сталкивался с такой фигнёй ?( Может есть где то примеры ? Все доки по этому поводу уже перерыл в доль и поперёк (( все по примерам делаю ... но не бегает (( хотя по приоритетам всё правильно для ACL поставлено ((

Ваше сообщение
Имя*:
EMail:	Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email). Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.
Заголовок*:
Сообщение*:	> Всем доброго времени суток. > Есть стенд с ISG. > есть правило - > policy-map type control RULE-401a-1 > class type control IP_UNAUTH_COND event timed-policy-expiry > 1 service disconnect > ! > class type control always event session-start > 1 service-policy type service name PBHK_SERVICE > 2 authorize aaa password lab123 identifier nas-port > 3 service-policy type service name L4_REDIRECT_SERVICE > 4 set-timer IP_UNAUTH_TIMER 5 > ! > class type control always event account-logon > 1 authenticate aaa list BH_WEB_LOGON > 2 service-policy type service unapply name L4_REDIRECT_SERVICE > ! > class type control always event account-logoff > 1 service disconnect delay 5 > ! > class type control always event session-restart > 1 service-policy type service name PBHK_SERVICE > 3 service-policy type service name L4_REDIRECT_SERVICE > 4 set-timer IP_UNAUTH_TIMER 5 > ! > class type control always event credit-exhausted > 1 service-policy type service name SERVICE_403_L4R_TC > Пользователю разрешаются сервисы - > nas-port:172.16.4.4:0/0/1/100.4000 Password = "lab123", > User-Service-Type = Login-User, > NAS-Port-Type = PPPoEoQinQ, > cisco-avpair = "subscriber:accounting-list=BH_ACCNT_LIST", > cisco-avpair = "ssg-account-info=ASERVICE_401_INTERNET", > Разрешается сервис - SERVICE_401_INTERNET --- > SERVICE_401_INTERNET Password = "cisco", > User-Name = "0/0/1/100.4000", > cisco-avpair = "subscriber:accounting-list=BH_ACCNT_LIST", > cisco-avpair = "ip:traffic-class=in access-group name ACL_IN_INT priority 6", > cisco-avpair = "ip:traffic-class=in default drop", > cisco-avpair = "ip:traffic-class=out access-group name ACL_OUT_INT priority 6", > cisco-avpair = "ip:traffic-class=out default drop", > Service-Info = "QD;1024000;1024000", > Service-Info = "QU:512000;512000", > Service-Info = "ISERVICE_401_INTERNET", > cisco-avpair = "prepaid-config=default", > Вот его ACL - > Extended IP access list ACL_IN_INT > 10 deny ip 10.0.0.0 0.255.255.255 any > 20 deny ip 192.168.0.0 0.0.255.255 any > 30 permit ip any any (577 matches) > Extended IP access list ACL_OUT_INT > 10 deny ip 10.0.0.0 0.255.255.255 any > 20 deny ip 192.168.0.0 0.0.255.255 any > 30 permit ip any any (126 matches) > , при работающем сервисе трафик бегает в Инет , всё нормально ... > Однако так как включена функция - PREPAID - , то по истечению > квоты - > Control-Info = "QT0", > Idle-Timeout = "1000", > весь трафик дропается на этом сервисе пока идёт время Idle-Timeout > и загружается сервис - SERVICE_403_L4R_TC > SERVICE_403_L4R_TC Password = "cisco", > cisco-avpair = "ip:traffic-class=out access-group name ACL_OUT_L4R priority 1", > cisco-avpair = "ip:traffic-class=in access-group name ACL_IN_L4R priority 1", > cisco-avpair = "ip:l4redirect=redirect to > group PERIODIC_L4R", > Вот его ACL - > Extended IP access list ACL_IN_L4R > 10 deny ip any host 172.16.5.57 (55 matches) > 20 permit tcp any any eq www (137 > matches) > 30 permit tcp any any eq 8001 > 40 deny udp any any eq domain (37 > matches) > Extended IP access list ACL_OUT_L4R > 10 permit ip any any (2 matches) > Вот данные по сессии - > outer#sh sss session detailed \| i ACL > traffic-class > "out access-group name ACL_OUT_L4R priority 1" > traffic-class > "in access-group name ACL_IN_L4R priority 1" > traffic-class > "out access-group name ACL_OUT_L4R priority 1" > traffic-class > "in access-group name ACL_IN_L4R priority 1" > traffic-class > "out access-group name ACL_OUT_L4R priority 1" > traffic-class > "in access-group name ACL_IN_L4R priority 1" > traffic-class > "out access-group name ACL_OUT_L4R priority 1" > traffic-class > "in access-group name ACL_IN_L4R priority 1" > traffic-class > "out access-group name ACL_OUT_L4R priority 1" > traffic-class > "in access-group name ACL_IN_L4R priority 1" > traffic-class > "out access-group name ACL_OUT_L4R priority 1" > traffic-class > "in access-group name ACL_IN_L4R priority 1" > traffic-class > "in access-group name ACL_IN_INT priority 6" > traffic-class > "out access-group name ACL_OUT_INT priority 6" > ACL Name: ACL_IN_INT, Packets = 215, Bytes = 22837 > ACL Name: ACL_IN_L4R, Packets = 0, Bytes = 0 > ACL Name: ACL_OUT_INT, Packets = 17, Bytes = 1925 > ACL Name: ACL_OUT_L4R, Packets = 0, Bytes = 0 > traffic-class > "in access-group name ACL_IN_INT priority 6" > traffic-class > "out access-group name ACL_OUT_INT priority 6" > traffic-class > "in access-group name ACL_IN_INT priority 6" > traffic-class > "out access-group name ACL_OUT_INT priority 6" > Router# > Traffic classes: > Traffic class session ID: 37 > ACL Name: ACL_IN_INT, Packets = 215, Bytes = 22837 > Traffic class session ID: 40 > ACL Name: ACL_IN_L4R, Packets = 0, Bytes = 0 > Default traffic is dropped > Unmatched Packets (dropped) = 0, Re-classified packets (redirected) = 0 > Feature: Portbundle Hostkey > Portbundle IP = 172.16.4.4 Bundle Number = > 74 > Session outbound features: > Feature: Session accounting > Method List: BH_ACCNT_LIST > Packets = 19, Bytes = 2125 > Traffic classes: > Traffic class session ID: 37 > ACL Name: ACL_OUT_INT, Packets = 17, Bytes = 1925 > Traffic class session ID: 40 > ACL Name: ACL_OUT_L4R, Packets = 0, Bytes = 0 > Default traffic is dropped > Unmatched Packets (dropped) = 0, Re-classified packets (redirected) = 0 > Configuration sources associated with this session: > Service: SERVICE_403_L4R_TC, Active Time = 00:05:15 > Service: SERVICE_401_INTERNET, Active Time = 00:39:28 > AAA Service ID = 66876644 > Service: PBHK_SERVICE, Active Time = 00:39:28 > Interface: GigabitEthernet0/1.4000100, Active Time = 00:39:28 > Весть трафик должен редиректиться на портал - > redirect server-group PERIODIC_L4R > server ip 172.16.5.57 port 8001 > И циска отображает , что трафик редиректиться ... > но реально не кидает на портал ... > хотя в остальных обычных случаях (например не авторизирован пользователь) все редиректы > работают ... > Кто сталкивался с такой фигнёй ?( > Может есть где то примеры ? > Все доки по этому поводу уже перерыл в доль и поперёк (( > все по примерам делаю ... но не бегает (( > хотя по приоритетам всё правильно для ACL поставлено ((
	Введите код, изображенный на картинке:

При общении не допускается: неуважительное отношение к собеседнику, хамство, унизительное обращение, ненормативная лексика, переход на личности, агрессивное поведение, обесценивание собеседника, провоцирование флейма голословными и заведомо ложными заявлениями. Не отвечайте на сообщения, явно нарушающие правила - удаляются не только сами нарушения, но и все ответы на них. Лог модерирования.

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру