Here is an interesting idea I had not come across before: use the very same VLAN-per-port config on every access switch. This cuts down the number of SVIs needed on the aggregation switch.
Subscribers are authorized by DHCP option 82 (remote-id=string; circuit-id=vlan-mod-port) through ISG.
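To make visible what ISG actually authorizes with `identifier circuit-id`, here is an added Python decoder (my code, not part of this post) for the option 82 payload the switches insert; the Cisco sub-option framing and the sample bytes are assumptions, chosen so the circuit-id equals the `0004000a0102` username used in the RADIUS profiles.

```python
# Decoder for the DHCP option 82 (relay agent information) payload in the
# Cisco framing assumed here:
#   circuit-id : 01 06 00 04 <vlan:2 bytes> <module:1 byte> <port:1 byte>
#   remote-id  : 02 <len> 01 <len> <hostname ascii>  ("format remote-id hostname")
# Added example, not from the post; framing and sample bytes are assumptions.

def parse_option82(payload: bytes) -> dict:
    """Split the option 82 payload into {sub-option type: raw value}."""
    subs, i = {}, 0
    while i + 2 <= len(payload):
        stype, slen = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + slen]
        if len(value) != slen:
            raise ValueError("truncated sub-option %d" % stype)
        subs[stype] = value
        i += 2 + slen
    return subs

def decode_circuit_id(cid: bytes) -> dict:
    """Decode a Cisco 'vlan-mod-port' circuit-id (inner type 0, length 4)."""
    if len(cid) != 6 or cid[0] != 0 or cid[1] != 4:
        raise ValueError("not a vlan-mod-port circuit-id: %s" % cid.hex())
    return {"vlan": int.from_bytes(cid[2:4], "big"),
            "module": cid[4], "port": cid[5]}

def decode_remote_id(rid: bytes) -> str:
    """Decode a Cisco remote-id in string/hostname format (inner type 1)."""
    if len(rid) < 2 or rid[0] != 1 or rid[1] != len(rid) - 2:
        raise ValueError("not a string remote-id: %s" % rid.hex())
    return rid[2:].decode("ascii")

def isg_identity(payload: bytes) -> dict:
    """What ISG sees: the circuit-id hex it sends as the RADIUS username,
    the decoded vlan/module/port, and the hostname carried in the remote-id."""
    subs = parse_option82(payload)
    cid = subs[1]
    return {"username": cid.hex(), **decode_circuit_id(cid),
            "switch": decode_remote_id(subs[2])}

# Constructed samples: the same port position (VLAN 10, module 1, port 2)
# behind two access switches that run the identical VLAN-per-port config.
SAMPLE_SW1 = bytes.fromhex("0106" "0004000a0102" "0209" "0107") + b"ACC-SW1"
SAMPLE_SW2 = bytes.fromhex("0106" "0004000a0102" "0209" "0107") + b"ACC-SW2"

if __name__ == "__main__":
    for sample in (SAMPLE_SW1, SAMPLE_SW2):
        print(isg_identity(sample))
```

Because every access switch carries the same config, the same port position on ACC-SW1 and ACC-SW2 produces the same circuit-id username; only the remote-id hostname tells the two subscribers apart, so a RADIUS profile keyed on circuit-id alone serves both.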
Configurations:
#########################################################################
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Test-ISG
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa group server radius AAA-RADIUS-SERVERS
server 192.168.100.242 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authorization exec default local none
aaa authorization network SUBS-AUTHORIZE-LIST group AAA-RADIUS-SERVERS
aaa authorization subscriber-service default local group AAA-RADIUS-SERVERS
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network AAA-MLIST start-stop group AAA-RADIUS-SERVERS
!
!
!
aaa server radius dynamic-author
client 192.168.100.242
server-key TESTKEY
auth-type any
ignore session-key
!
aaa session-id unique
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00
ip subnet-zero
ip cef
!
!
no ip domain lookup
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.10.1
!
ip dhcp pool Pool-For-Clients-on-AGG-SW1
network 172.16.10.0 255.255.255.0
default-router 172.16.10.1
domain-name test.local
dns-server 192.168.100.254
lease 0 0 2
!
!
!
!
subscriber service password servpasswd
redirect server-group PORTAL
server ip 192.168.100.242
!
call rsvp-sync
!
!
!
!
!
!
!
no file verify auto
username mavrichev privilege 15 secret 5 *************
!
class-map type traffic match-any PORTAL
match access-group input name To-PORTAL
match access-group output name From-PORTAL
!
class-map type traffic match-any For-Open-Garden
match access-group input name IN-OG
match access-group output name OUT-OG
!
class-map type control match-all IP-UNAUTH-COND
match timer IP-UNAUTH-TIMER
match authen-status unauthenticated
!
policy-map type service unauth-subscr-redir
service local
class type traffic PORTAL
redirect to group PORTAL
!
class type traffic default in-out
drop
!
!
policy-map type service unauth-subscr-open-garden
service local
class type traffic For-Open-Garden
police input 8000 1000 1000
police output 8000 1000 1000
!
!
policy-map type control SUBSCRIBER_RULE
class type control IP-UNAUTH-COND event timed-policy-expiry
10 service disconnect
!
class type control always event session-start
20 authorize aaa list SUBS-AUTHORIZE-LIST password TESTPASSWD identifier circuit-id
25 service-policy type service name unauth-subscr-open-garden
30 service-policy type service name unauth-subscr-redir
40 set-timer IP-UNAUTH-TIMER 5
!
class type control always event session-restart
20 authorize aaa list SUBS-AUTHORIZE-LIST password TESTPASSWD identifier circuit-id
25 service-policy type service name unauth-subscr-open-garden
30 service-policy type service name unauth-subscr-redir
40 set-timer IP-UNAUTH-TIMER 5
!
!
!
!
interface Loopback10
ip address 192.168.111.1 255.255.255.255
!
interface FastEthernet0/0
description to AGREG-SW-Link-Fa0/7
ip address 192.168.101.5 255.255.255.252
speed 10
duplex half
service-policy type control SUBSCRIBER_RULE
ip subscriber routed
initiator dhcp
!
interface FastEthernet0/1
description to-SRV-Network
ip address 192.168.100.111 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet1/0
description to AGREG-SW-Link-Fa0/8
ip address 192.168.101.1 255.255.255.252
speed 10
duplex half
service-policy type control SUBSCRIBER_RULE
ip subscriber routed
initiator dhcp
!
interface FastEthernet1/1
description NOT-Connected
no ip address
shutdown
speed auto
duplex auto
!
router ospf 1
router-id 192.168.111.1
log-adjacency-changes
redistribute connected subnets
passive-interface default
no passive-interface FastEthernet0/0
no passive-interface FastEthernet1/0
network 192.168.101.1 0.0.0.0 area 0
network 192.168.101.5 0.0.0.0 area 0
default-information originate always
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
no ip http server
!
!
!
ip access-list extended From-PORTAL
permit tcp any any
ip access-list extended IN-OG
permit udp any host 192.168.100.254 eq domain
permit icmp any 192.168.100.0 0.0.0.255
ip access-list extended OUT-OG
permit udp host 192.168.100.254 eq domain any
permit icmp 192.168.100.0 0.0.0.255 any
ip access-list extended To-PORTAL
permit tcp any any
ip radius source-interface FastEthernet0/1
access-list 199 permit ip any any
!
!
radius-server attribute 44 include-in-access-req
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 4 192.168.100.111
radius-server host 192.168.100.242 auth-port 1812 acct-port 1813 key radsecret
radius-server retransmit 10
radius-server vsa send accounting
!
control-plane
!
!
!
dial-peer cor custom
!
!
!
banner login C
-----------------------------------------------------------------------
TEST-ISG System. No unautorized access allowed.
-----------------------------------------------------------------------
!
line con 0
exec-timeout 0 0
absolute-timeout 1440
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
absolute-timeout 1440
transport input ssh
!
ntp clock-period 17179814
ntp master
ntp server 213.41.245.21
ntp server 216.58.31.84
ntp server 216.52.237.153
end
############################################################################################
RADIUS:
Work#2 -------- With L4Redirect
###Service-Profile###
Tariff l4r-Attr
username l4r passwd servpasswd
Session-Timeout=600, Cisco-AVPair +="ip:l4redirect=redirect list 199 to group PORTAL",
###User-Profile###
Tariff ISG-REDIR
username 0004000a0102 passwd TESTPASSWD
Cisco-Account-Info="Al4r", Session-Timeout=6000,
Work#2-end
Work#3 -------- With Policing
###Service-Profile###
Tariff isg-128K-Attr
username isg-128k passwd servpasswd
Cisco-Service-Info ="isg-128k", Cisco-Service-Info ="QU;128000;16000;32000;D;128000;16000;32000",
###User-Profile###
Tariff ISG-128K
username 0004000a0102 passwd TESTPASSWD
Cisco-Account-Info="Aisg-128k",
Work#3-end
Work#4 -------- With Accounting
###Service-Profile###
Tariff isg-256k-Attr
username isg-256k passwd servpasswd
Cisco-Service-Info ="isg-256k", Cisco-Service-Info ="QU;256000;32000;64000;D;256000;32000;64000",
###User-Profile###
Tariff isg-256k
username 0004000a0102 passwd TESTPASSWD
Cisco-Account-Info="Aisg-256k", Cisco-AVPair +="accounting-list=AAA-MLIST",
Work#4-end
#################################################################################################
AGREG-SW#sh run
Building configuration...
Current configuration : 3383 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname AGREG-SW
!
boot-start-marker
boot-end-marker
!
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
!
no aaa new-model
system mtu routing 1500
vtp mode transparent
ip subnet-zero
ip routing
no ip domain-lookup
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.200.1
!
ip dhcp pool for-management-for-acc-sw-pool
network 192.168.200.0 255.255.255.0
default-router 192.168.200.1
domain-name manage.local
!
!
ip dhcp snooping vlan 10-20
ip dhcp snooping information option format remote-id hostname
ip dhcp snooping
ip vrf Clients
rd 192.168.111.2:10
route-target export 192.168.111.2:10
route-target import 192.168.111.2:10
!
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
no spanning-tree vlan 21-4094
!
!
vlan access-map FILTER-Unwanted 20
action forward
match ip address VLAN-MAP-ACL-1
!
vlan filter FILTER-Unwanted vlan-list 10-20
vlan internal allocation policy ascending
!
vlan 10-20
!
!
!
!
interface Loopback10
description For-OSPF-Router-id
ip vrf forwarding Clients
ip address 192.168.111.2 255.255.255.255
!
interface Loopback20
description DefGW-for-Clients-VRF
ip vrf forwarding Clients
ip address 172.16.10.1 255.255.255.0
!
interface FastEthernet0/1
description To-Access-switches
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-20
switchport mode trunk
ip dhcp snooping limit rate 100
!
interface FastEthernet0/2
description To-Access-switches
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-20
switchport mode trunk
ip dhcp snooping limit rate 100
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
description Test-ISG-Link-Fa0/0
no switchport
ip vrf forwarding Clients
ip address 192.168.101.6 255.255.255.252
!
interface FastEthernet0/8
description Test-ISG-Link-Fa1/0
no switchport
ip vrf forwarding Clients
ip address 192.168.101.2 255.255.255.252
!
interface GigabitEthernet0/1
!
interface Vlan1
description for-management-for-acc-sw
ip address 192.168.200.1 255.255.255.0
!
interface Vlan10
ip vrf forwarding Clients
ip unnumbered Loopback20
ip helper-address global 192.168.111.1
ip helper-address 192.168.111.1
!
interface Vlan20
ip vrf forwarding Clients
ip unnumbered Loopback20
ip helper-address global 192.168.111.1
ip helper-address 192.168.111.1
!
router ospf 10 vrf Clients
router-id 192.168.111.2
log-adjacency-changes
summary-address 172.16.10.0 255.255.255.0
redistribute connected
redistribute static subnets
passive-interface default
no passive-interface FastEthernet0/7
no passive-interface FastEthernet0/8
network 172.16.10.1 0.0.0.0 area 0
network 192.168.101.2 0.0.0.0 area 0
network 192.168.101.6 0.0.0.0 area 0
!
ip classless
no ip http server
no ip http secure-server
!
!
ip access-list extended VLAN-MAP-ACL-1
permit udp any eq bootpc any eq bootps
permit udp host 172.16.10.1 eq bootps any eq bootpc
deny udp any eq bootps any eq bootpc
permit ip any any
!
ip access-list logging interval 10
!
control-plane
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
end
AGREGSW##################################################################################
ACC-SW1##################################################################################
Building configuration...
Current configuration : 1392 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ACC-SW1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
switchport mode trunk
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address dhcp
no ip route-cache
!
ip http server
ip http secure-server
!
control-plane
!
!
line con 0
line vty 5 15
!
end
ACC-SW1################################################################################
ACC-SW2################################################################################
Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ACC-SW2
!
!
!
!
!
!
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 20
spanning-tree portfast
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface VLAN1
no ip directed-broadcast
no ip route-cache
!
!
line con 0
transport input none
stopbits 1
line vty 5 15
!
end
ACC-SW2##############################################################