Использование Cisco ISG в резервированной конфигурации с авторизацией абонентов по DHCP opt.82

Тестовая топология (логическая схема):


Тестовая топология в GNS3:


Конфигурации:

# Dynamips #
# Lab topology for Dynamips/GNS3: two hypervisors (localhost:7201 runs isg1,
# localhost:7202 runs isg2), one Ethernet switch (SW1) and two host-interface
# clouds (acc-net, out-net). The routers boot from isg1.cfg / isg2.cfg, which
# are listed further down this page.
# Do not start the routers automatically when the topology is opened.
autostart = False
# ---- hypervisor 2: hosts isg2 ----
[localhost:7202]
workingdir = /home/mavrichev/Desktop/homenet/Tech-tests/2xISG1xBR
# presumably the base UDP port for this hypervisor's NIO links; each
# hypervisor uses its own range (10100 / 10200) -- verify
udp = 10200
# defaults for every c7200 instance on this hypervisor
[[7200]]
image = /home/mavrichev/Desktop/homenet/Tech-tests/2xISG1xBR/c7200-k91p-mz.122-31.SB14.bin.unpacked
# idle-PC value; valid only for this exact image build
idlepc = 0x60a24168
[[ROUTER isg2]]
# TCP port of the router console on the lab host. NOTE(review): a Dynamips
# console port carries no authentication of its own -- keep it reachable only
# from the lab host if the machine is shared.
console = 2012
# startup configuration loaded into the router
cnfg = /home/mavrichev/Desktop/homenet/Tech-tests/2xISG1xBR/isg2.cfg
# f0/0 bridged to host NIC eth4 (the acc-net cloud; per the IOS config this is
# the dot1Q trunk to AGREG-SW Fa0/8)
f0/0 = nio_linux_eth:eth4
# f0/1 -> SW1 port 2 (access VLAN 102 = AGREG-SW Vlan102 "To-ISG2")
f0/1 = SW1 2
# PA-2FE-TX in slot 1 supplies f1/0 and f1/1, both cabled back-to-back to
# isg1 (Port-channel1 in the IOS configs)
slot1 = PA-2FE-TX
f1/0 = isg1 f1/0
f1/1 = isg1 f1/1
# GNS3 canvas position
x = 108.0
y = 16.0
# ---- hypervisor 1: hosts isg1 ----
[localhost:7201]
workingdir = /home/mavrichev/Desktop/homenet/Tech-tests/2xISG1xBR
udp = 10100
[[7200]]
image = /home/mavrichev/Desktop/homenet/Tech-tests/2xISG1xBR/c7200-k91p-mz.122-31.SB14.bin.unpacked
idlepc = 0x61141480
[[ROUTER isg1]]
console = 2011
cnfg = /home/mavrichev/Desktop/homenet/Tech-tests/2xISG1xBR/isg1.cfg
# f0/0 bridged to host NIC eth1 (the acc-net cloud; trunk to AGREG-SW Fa0/7)
f0/0 = nio_linux_eth:eth1
# f0/1 -> SW1 port 1 (access VLAN 101 = AGREG-SW Vlan101 "To-ISG1").
# NOTE(review): isg1's IOS config describes this link as "to-SW1-Port2";
# the wiring here says port 1 -- the description looks stale.
f0/1 = SW1 1
slot1 = PA-2FE-TX
f1/0 = isg2 f1/0
f1/1 = isg2 f1/1
x = -134.0
y = 20.0
# Ethernet switch joining the ISGs' f0/1 ports to host NIC eth5 (out-net
# cloud -> AGREG-SW Fa0/5 "To-SW1" trunk): ports 1 and 2 are access ports in
# VLAN 101 / 102, port 3 is an 802.1Q trunk with native VLAN 1.
[[ETHSW SW1]]
1 = access 101
2 = access 102
3 = dot1q 1 nio_linux_eth:eth5
x = -11.5
y = -97.0
# GNS3-only objects: cloud placement and link bookkeeping
[GNS3-DATA]
[[Cloud acc-net]]
x = -61.5
y = 184.0
connections = isg2:f0/0:nio_linux_eth:eth4 isg1:f0/0:nio_linux_eth:eth1
[[Cloud out-net]]
x = 38.5
y = -224.0
connections = SW1:3:nio_linux_eth:eth5
################################################################################################

!
! ACC-SW1 -- access switch. Subscriber ports Fa0/1 (VLAN 10) and Fa0/2
! (VLAN 20) face the test hosts; Gi0/1 is the trunk toward AGREG-SW.
! Management is on Vlan1 with a DHCP-assigned address (the pool lives on
! AGREG-SW, 192.168.200.0/24).
! No DHCP snooping runs here: option 82 is inserted upstream by AGREG-SW, so
! the circuit-id the ISGs authorise on names an AGREG-SW port, not one of
! these access ports -- presumably acceptable for the test; verify.
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): with password encryption off, any type-7 secret added later
! is shown in clear text; none is present in this listing.
no service password-encryption
!
hostname ACC-SW1
!
boot-start-marker
boot-end-marker
!
!
! No AAA; access control is whatever the line configuration at the bottom says.
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
! Subscriber port, VLAN 10 (VRF Clients on AGREG-SW)
interface FastEthernet0/1
switchport access vlan 10
spanning-tree portfast
!
! Subscriber port, VLAN 20 (VRF Clients-2 on AGREG-SW)
interface FastEthernet0/2
switchport access vlan 20
spanning-tree portfast
!
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
! Uplink trunk to AGREG-SW (VLAN 1 management + VLANs 10/20)
interface GigabitEthernet0/1
switchport mode trunk
!
interface GigabitEthernet0/2
!
! Management SVI; address comes from AGREG-SW's
! for-management-for-acc-sw-pool
interface Vlan1
ip address dhcp
no ip route-cache
!
no ip http server
no ip http secure-server
!
control-plane
!
!
! NOTE(review): no password or login method is configured on the lines
! shown, and vty 0-4 do not appear in this listing -- confirm the intended
! remote-access policy (or that it was trimmed for publication).
line con 0
line vty 5 15
!
end

################################################################################################

AGREG-SW#sh start
Using 5748 out of 524288 bytes
!
! AGREG-SW -- aggregation switch between the access switches and the two
! ISGs. Three VRFs keep the paths apart: Clients (subscriber VLAN 10),
! Clients-2 (subscriber VLAN 20) and Outside (transit to the outside network
! and to the ISGs' Fa0/1 uplinks). DHCP from the subscriber VLANs is snooped
! (option 82 inserted here) and relayed to 192.168.101.23, an address both
! ISGs own (their Loopback100), so OSPF cost decides which ISG is active for
! each VRF: isg1 for Clients, isg2 for Clients-2.
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
! NOTE(review): with password encryption off, any type-7 secret added later
! is shown in clear text; none is present in this listing.
no service password-encryption
!
hostname AGREG-SW
!
boot-start-marker
boot-end-marker
!
logging buffered 16386
logging rate-limit 100 except warnings
no logging monitor
!
! No AAA; remote access relies on the line configuration at the bottom.
no aaa new-model
system mtu routing 1500
vtp mode transparent
ip subnet-zero
ip routing
ip cef load-sharing algorithm original
no ip domain-lookup
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.200.1
!
! Pool for the access-switch management addresses on Vlan1 (ACC-SW1 takes
! its Vlan1 address from here); this is the only DHCP served by this switch,
! subscriber DHCP is relayed to the ISGs.
ip dhcp pool for-management-for-acc-sw-pool
network 192.168.200.0 255.255.255.0
default-router 192.168.200.1
domain-name manage.local
!
!
! DHCP snooping on the subscriber VLANs. Option 82 is inserted by this switch
! with remote-id "ag-sw001"; the resulting circuit-id is what the ISGs send
! to RADIUS as the user name, so a subscriber identity is an ingress port of
! this switch (presumably VLAN/module/port, e.g. 0004000a0102 in the RADIUS
! profiles further down = VLAN 10, module 1, port 2 -- verify). Only the
! ISG-facing trunks Fa0/7-8 are trusted; the access-facing trunks Fa0/1-2
! are untrusted and rate-limited.
ip dhcp snooping vlan 10-20
ip dhcp snooping information option format remote-id string ag-sw001
ip dhcp snooping
! One VRF per subscriber VLAN plus a transit VRF; the rd/route-target values
! are only used locally on this box as far as this listing shows.
ip vrf Clients
rd 192.168.111.2:10
route-target export 192.168.111.2:10
route-target import 192.168.111.2:10
!
ip vrf Clients-2
rd 192.168.111.2:30
route-target export 192.168.111.2:30
route-target import 192.168.111.2:30
!
ip vrf Outside
rd 192.168.111.2:20
route-target export 192.168.111.2:20
route-target import 192.168.111.2:20
!
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
! STP off on the point-to-point VLANs (101-102, 201-204)
no spanning-tree vlan 21-4094
!
!
! Rogue-DHCP-server filter on VLANs 10-20 (VLAN-MAP-ACL-1 at the bottom):
! client->server DHCP is allowed, server->client DHCP only from the two relay
! gateways 172.16.10.1 / 172.16.20.1, any other DHCP-server traffic is
! dropped, everything else is forwarded.
vlan access-map FILTER-Unwanted 20
action forward
match ip address VLAN-MAP-ACL-1
!
vlan filter FILTER-Unwanted vlan-list 10-20
vlan internal allocation policy ascending
!
vlan 10-20,101-102,201-204
!
!
!
!
! OSPF router-id for VRF Outside (process 20)
interface Loopback10
description For-OSPF-Router-id
ip vrf forwarding Outside
ip address 192.168.101.20 255.255.255.255
!
! Subscriber default gateway for VRF Clients, lent to Vlan10 via ip unnumbered;
! it is also the giaddr of relayed DHCP and the only permitted DHCP-server
! source in VLAN-MAP-ACL-1.
interface Loopback20
description DefGW-for-Clients-VRF
ip vrf forwarding Clients
ip address 172.16.10.1 255.255.255.255
!
! Same role for VRF Clients-2 / Vlan20
interface Loopback30
description DefGW-for-Clients-2-VRF
ip vrf forwarding Clients-2
ip address 172.16.20.1 255.255.255.255
!
! Untrusted, rate-limited trunks toward the access switches
! (VLAN 1 = access-switch management, 10-20 = subscribers)
interface FastEthernet0/1
description To-Access-switches
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-20
switchport mode trunk
ip dhcp snooping limit rate 100
!
interface FastEthernet0/2
description To-Access-switches
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-20
switchport mode trunk
ip dhcp snooping limit rate 100
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
! Trunk to SW1 (GNS3 switch): carries VLANs 101/102, the VRF Outside links
! to the ISGs' Fa0/1 ports
interface FastEthernet0/5
description To-SW1
switchport trunk encapsulation dot1q
switchport mode trunk
speed 10
duplex half
!
! Routed port to the outside network in VRF Outside; the static default
! below points out of it
interface FastEthernet0/6
description To-Outside-Net
no switchport
ip vrf forwarding Outside
ip address 192.168.100.111 255.255.255.0
!
! dot1Q trunk to isg1 Fa0/0: VLAN 201 = VRF Clients, 203 = VRF Clients-2.
! Trusted for DHCP snooping (the ISG is the DHCP server).
interface FastEthernet0/7
description To-ISG1-fa0/0
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,201,203
switchport mode trunk
speed 10
duplex half
ip dhcp snooping trust
!
! dot1Q trunk to isg2 Fa0/0: VLAN 202 = VRF Clients, 204 = VRF Clients-2
interface FastEthernet0/8
description To-ISG2-fa0/0
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,202,204
switchport mode trunk
speed 10
duplex half
ip dhcp snooping trust
!
interface GigabitEthernet0/1
!
! Management SVI (global table), default gateway of the access switches
interface Vlan1
description for-management-for-acc-sw
ip address 192.168.200.1 255.255.255.0
!
! Subscriber SVI for VRF Clients; DHCP is relayed to 192.168.101.23, the
! Loopback100 address both ISGs advertise
interface Vlan10
ip vrf forwarding Clients
ip unnumbered Loopback20
ip helper-address 192.168.101.23
!
interface Vlan20
ip vrf forwarding Clients-2
ip unnumbered Loopback30
ip helper-address 192.168.101.23
!
! VRF Outside point-to-point links to the ISGs' Fa0/1 (via SW1)
interface Vlan101
description To-ISG1
ip vrf forwarding Outside
ip address 192.168.101.14 255.255.255.252
ip ospf network point-to-point
!
interface Vlan102
description To-ISG2
ip vrf forwarding Outside
ip address 192.168.101.18 255.255.255.252
ip ospf network point-to-point
!
! VRF Clients links to the ISGs; cost 1000 toward isg2 makes isg1 the
! primary ISG for Clients
interface Vlan201
description To-ISG1
ip vrf forwarding Clients
ip address 192.168.101.6 255.255.255.252
ip ospf network point-to-point
!
interface Vlan202
description To-ISG2
ip vrf forwarding Clients
ip address 192.168.101.2 255.255.255.252
ip ospf network point-to-point
ip ospf cost 1000
!
! VRF Clients-2 links to the ISGs; cost 1000 toward isg1 makes isg2 the
! primary ISG for Clients-2
interface Vlan203
description To-ISG1
ip vrf forwarding Clients-2
ip address 192.168.101.30 255.255.255.252
ip ospf network point-to-point
ip ospf cost 1000
!
interface Vlan204
description To-ISG2
ip vrf forwarding Clients-2
ip address 192.168.101.34 255.255.255.252
ip ospf network point-to-point
!
! VRF Clients: peers with both ISGs, advertises the subscriber subnet as a
! /24 summary. "redistribute static" has nothing to pick up in this listing
! (the only static route is in VRF Outside).
router ospf 10 vrf Clients
router-id 172.16.10.1
log-adjacency-changes
summary-address 172.16.10.0 255.255.255.0
redistribute static metric-type 1 subnets
passive-interface default
no passive-interface Vlan201
no passive-interface Vlan202
network 172.16.10.1 0.0.0.0 area 0
network 192.168.101.2 0.0.0.0 area 0
network 192.168.101.6 0.0.0.0 area 0
!
! VRF Outside: peers with the ISGs' Fa0/1 and originates the default route
! (from the static below) toward them
router ospf 20 vrf Outside
router-id 192.168.101.20
log-adjacency-changes
passive-interface default
no passive-interface Vlan101
no passive-interface Vlan102
network 192.168.101.14 0.0.0.0 area 0
network 192.168.101.18 0.0.0.0 area 0
network 192.168.101.20 0.0.0.0 area 0
default-information originate always metric 1000 metric-type 1
!
! VRF Clients-2: same shape as process 10
router ospf 30 vrf Clients-2
router-id 172.16.20.1
log-adjacency-changes
summary-address 172.16.20.0 255.255.255.0
redistribute static metric-type 1 subnets
passive-interface default
no passive-interface Vlan203
no passive-interface Vlan204
network 172.16.20.1 0.0.0.0 area 0
network 192.168.101.30 0.0.0.0 area 0
network 192.168.101.34 0.0.0.0 area 0
!
ip classless
! Default route of VRF Outside toward the upstream router
ip route vrf Outside 0.0.0.0 0.0.0.0 192.168.100.1
no ip http server
no ip http secure-server
!
!
! Referenced by vlan access-map FILTER-Unwanted (VLANs 10-20); see the
! comment there
ip access-list extended VLAN-MAP-ACL-1
permit udp any eq bootpc any eq bootps
permit udp host 172.16.10.1 eq bootps any eq bootpc
permit udp host 172.16.20.1 eq bootps any eq bootpc
deny udp any eq bootps any eq bootpc
permit ip any any
!
ip access-list logging interval 10
!
control-plane
!
!
! NOTE(review): "login" is set on the vty lines but no password is configured
! in this listing, so remote access is either intentionally blocked or the
! password was removed for publication -- confirm. The console never times
! out (exec-timeout 0 0).
line con 0
exec-timeout 0 0
line vty 0 4
login
line vty 5 15
login
!
end

AGREG-SW#

################################################################################################

!
! No configuration change since last restart
! NVRAM config last updated at 18:16:35 MSK Mon Mar 16 2009 by mavrichev
!
! isg1 -- first of the two ISG routers (isg2 is configured identically apart
! from addresses and OSPF costs). Subscriber sessions are created from DHCP
! (ip subscriber routed / initiator dhcp), the ISG itself is the DHCP server
! for both client subnets, and each session is authorised against RADIUS
! using the DHCP option-82 circuit-id as the user name. Redundancy is plain
! OSPF: both ISGs advertise the same DHCP relay target 192.168.101.23
! (Loopback100); AGREG-SW prefers isg1 for VRF Clients and isg2 for VRF
! Clients-2 through the cost-1000 links (.203 here, .202 on isg2).
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
! NOTE(review): with encryption off the RADIUS key (radsecret) and the CoA
! server-key (TESTKEY) below appear in clear text in any "show run" output.
no service password-encryption
!
hostname isg1
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
! RADIUS server used for subscriber authorisation (SUBS-AUTHORIZE-LIST),
! service-profile download and accounting (AAA-MLIST)
aaa group server radius AAA-RADIUS-SERVERS
server 192.168.100.242 auth-port 1812 acct-port 1813
!
! Exec access to the router itself stays local (username below).
! NOTE(review): "local none" skips exec authorisation when the local method
! errors -- confirm that fallback is intended.
aaa authentication login default local
aaa authorization exec default local none
aaa authorization network SUBS-AUTHORIZE-LIST group AAA-RADIUS-SERVERS
aaa authorization subscriber-service default local group AAA-RADIUS-SERVERS
aaa accounting delay-start
! interim accounting records every 1 minute (short, for the test)
aaa accounting update periodic 1
aaa accounting network AAA-MLIST start-stop group AAA-RADIUS-SERVERS
!
!
!
! Change-of-Authorization / disconnect requests accepted from the RADIUS
! server. NOTE(review): auth-type any and ignore session-key presumably
! relax how an incoming CoA request is matched to a session, and TESTKEY is
! a lab secret -- verify both before reuse outside the lab.
aaa server radius dynamic-author
client 192.168.100.242
server-key TESTKEY
auth-type any
ignore session-key
!
aaa session-id unique
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00
ip subnet-zero
ip cef
!
!
no ip domain lookup
no ip dhcp use vrf connected
! the AGREG-SW gateway loopbacks must never be handed out
ip dhcp excluded-address 172.16.10.1
ip dhcp excluded-address 172.16.20.1
!
! The ISG is the DHCP server: requests arrive relayed from AGREG-SW
! (helper-address 192.168.101.23 = Loopback100); the giaddr 172.16.10.1 /
! 172.16.20.1 (AGREG-SW loopbacks) selects the pool. 2-minute leases keep
! the test cycle short. NOTE(review): isg2 runs the same pools for the same
! subnets and no lease synchronisation is visible in either listing, so after
! a failover the two servers may hand out overlapping addresses -- confirm.
ip dhcp pool Pool-For-Clients-on-AGG-SW1
network 172.16.10.0 255.255.255.0
default-router 172.16.10.1
domain-name test.local
dns-server 192.168.100.254
lease 0 0 2
!
ip dhcp pool Pool-For-Clients-2-on-AGG-SW1
network 172.16.20.0 255.255.255.0
default-router 172.16.20.1
domain-name test.local
dns-server 192.168.100.254
lease 0 0 2
!
!
!
!
! Password sent with a service name when a service profile is pulled from
! RADIUS (matches "passwd servpasswd" in the RADIUS profiles further down)
subscriber service password servpasswd
! Captive portal that unauthenticated TCP traffic is redirected to
redirect server-group PORTAL
server ip 192.168.100.242
!
call rsvp-sync
!
!
!
!
!
!
!
no file verify auto
! Local admin account; the type-5 hash is redacted for publication
username mavrichev privilege 15 secret 5 xxxxxxxxxxxxxxxxxx
!
! Open garden: DNS to 192.168.100.254 and ICMP to 192.168.100.0/24
! (IN-OG / OUT-OG below), reachable before authorisation
class-map type traffic match-any For-Open-Garden
match access-group output name OUT-OG
match access-group input name IN-OG
!
! All TCP in both directions (To-PORTAL / From-PORTAL are permit tcp any any)
class-map type traffic match-any PORTAL
match access-group output name From-PORTAL
match access-group input name To-PORTAL
!
! True once IP-UNAUTH-TIMER has fired and the session is still unauthenticated
class-map type control match-all IP-UNAUTH-COND
match timer IP-UNAUTH-TIMER
match authen-status unauthenticated
!
! Unauthenticated-subscriber service: all TCP is redirected to the portal,
! everything else in either direction is dropped (the open-garden service
! below is what keeps DNS/ICMP alive)
policy-map type service unauth-subscr-redir
service local
class type traffic PORTAL
redirect to group PORTAL
!
class type traffic default in-out
drop
!
!
! Open-garden service, policed to 8 kbit/s each way
policy-map type service unauth-subscr-open-garden
service local
class type traffic For-Open-Garden
police input 8000 1000 1000
police output 8000 1000 1000
!
!
! Control policy applied on the subscriber-facing subinterfaces. On session
! start and restart: RADIUS-authorise with the option-82 circuit-id as user
! name and the fixed password TESTPASSWD, apply the open garden and the
! portal redirect, and arm a 5-minute timer; a session still unauthenticated
! when the timer fires is disconnected.
! NOTE(review): TESTPASSWD is one shared value for every circuit-id (see the
! RADIUS user profiles further down), so it does not authenticate the
! subscriber -- the identity rests entirely on option 82 being inserted only
! by AGREG-SW, whose DHCP snooping trusts just the ISG-facing ports.
policy-map type control SUBSCRIBER_RULE
class type control IP-UNAUTH-COND event timed-policy-expiry
10 service disconnect
!
class type control always event session-start
20 authorize aaa list SUBS-AUTHORIZE-LIST password TESTPASSWD identifier circuit-id
25 service-policy type service name unauth-subscr-open-garden
30 service-policy type service name unauth-subscr-redir
40 set-timer IP-UNAUTH-TIMER 5
!
class type control always event session-restart
20 authorize aaa list SUBS-AUTHORIZE-LIST password TESTPASSWD identifier circuit-id
25 service-policy type service name unauth-subscr-open-garden
30 service-policy type service name unauth-subscr-redir
40 set-timer IP-UNAUTH-TIMER 5
!
!
!
!
! OSPF router-id and RADIUS source address (ip radius source-interface and
! attribute 4 below)
interface Loopback10
description For-OSPF-Router-id
ip address 192.168.101.21 255.255.255.255
!
! DHCP relay target. isg2 carries the same address, so OSPF delivers relayed
! DHCP to whichever ISG is cheaper for that VRF.
interface Loopback100
description For-IP-Helper-Address
ip address 192.168.101.23 255.255.255.255
!
! Two-member bundle (Fa1/0 + Fa1/1) to isg2; transit path between the ISGs
interface Port-channel1
description to-ISG-2
ip address 192.168.101.9 255.255.255.252
ip ospf network point-to-point
snmp trap link-status
hold-queue 150 in
!
! dot1Q trunk to AGREG-SW Fa0/7: .201 = VRF Clients, .203 = VRF Clients-2
interface FastEthernet0/0
description to AGREG-SW-Link-Fa0/7
no ip address
speed 10
duplex half
!
! Subscriber-facing: ISG control policy, sessions initiated by DHCP.
! Default cost, so isg1 is the primary ISG for VRF Clients.
interface FastEthernet0/0.201
description to AGREG-SW-Link-Fa0/7-vl-201
encapsulation dot1Q 201
ip address 192.168.101.5 255.255.255.252
ip ospf network point-to-point
service-policy type control SUBSCRIBER_RULE
ip subscriber routed
initiator dhcp
!
! Cost 1000 makes isg1 the backup for VRF Clients-2 (isg2 is primary there)
interface FastEthernet0/0.203
description to AGREG-SW-Link-Fa0/7-vl-203
encapsulation dot1Q 203
ip address 192.168.101.29 255.255.255.252
ip ospf network point-to-point
ip ospf cost 1000
service-policy type control SUBSCRIBER_RULE
ip subscriber routed
initiator dhcp
!
! Uplink to AGREG-SW VRF Outside (Vlan101 via SW1); the default route is
! learned here from AGREG-SW's OSPF 20. NOTE(review): the Dynamips topology
! wires isg1 f0/1 to SW1 port 1, not port 2 -- description looks stale.
interface FastEthernet0/1
description to-SW1-Port2
ip address 192.168.101.13 255.255.255.252
ip ospf network point-to-point
speed 10
duplex half
!
! Port-channel1 members
interface FastEthernet1/0
description to-ISG-2
no ip address
speed 10
duplex half
channel-group 1
!
interface FastEthernet1/1
description to-ISG-2
no ip address
speed 10
duplex half
channel-group 1
!
! Single OSPF process peering with all three AGREG-SW VRF processes (10, 20,
! 30) and with isg2: the VRF separation of AGREG-SW ends here, in the ISG's
! global table. NOTE(review): nothing in this listing restricts traffic
! between the Clients and Clients-2 subnets once a session is authorised --
! verify that is acceptable.
router ospf 1
router-id 192.168.101.21
log-adjacency-changes
passive-interface default
no passive-interface FastEthernet0/0.201
no passive-interface FastEthernet0/0.203
no passive-interface FastEthernet0/1
no passive-interface Port-channel1
network 192.168.101.5 0.0.0.0 area 0
network 192.168.101.9 0.0.0.0 area 0
network 192.168.101.13 0.0.0.0 area 0
network 192.168.101.21 0.0.0.0 area 0
network 192.168.101.23 0.0.0.0 area 0
network 192.168.101.29 0.0.0.0 area 0
!
ip classless
!
no ip http server
!
!
!
! ACLs behind the traffic class-maps above (PORTAL / For-Open-Garden)
ip access-list extended From-PORTAL
permit tcp any any
ip access-list extended IN-OG
permit udp any host 192.168.100.254 eq domain
permit icmp any 192.168.100.0 0.0.0.255
ip access-list extended OUT-OG
permit udp host 192.168.100.254 eq domain any
permit icmp 192.168.100.0 0.0.0.255 any
ip access-list extended To-PORTAL
permit tcp any any
ip radius source-interface Loopback10
! Scope of the RADIUS-pushed L4 redirect ("ip:l4redirect=redirect list 199
! to group PORTAL" in Work#2 further down): matches everything
access-list 199 permit ip any any
!
!
! RADIUS attributes added to requests: 44 Acct-Session-Id, 6 Service-Type,
! 8 Framed-IP-Address, 32 NAS-Identifier, 55 Event-Timestamp;
! NAS-IP-Address (4) is pinned to Loopback10
radius-server attribute 44 include-in-access-req
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 4 192.168.101.21
radius-server host 192.168.100.242 auth-port 1812 acct-port 1813 key radsecret
radius-server retransmit 10
radius-server vsa send accounting
!
control-plane
!
!
!
dial-peer cor custom
!
!
!
!
! NOTE(review): exec-timeout 0 0 disables the idle timeout on console and
! vty, and every vty session lands at privilege 15; SSH is the only vty
! transport. Lab settings -- confirm before reuse.
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
transport input ssh
!
ntp clock-period 17179814
! The router serves time itself when the upstream servers are unreachable;
! no NTP authentication appears in this listing.
ntp master
ntp server 213.41.245.21
ntp server 216.58.31.84
ntp server 216.52.237.153
end

################################################################################################

!
! No configuration change since last restart
! NVRAM config last updated at 18:16:33 MSK Mon Mar 16 2009 by mavrichev
!
! isg2 -- second ISG router, a mirror of isg1: same AAA, DHCP pools, ISG
! services and control policy; only the addresses, the subinterface VLANs
! (.202 / .204) and the OSPF costs differ. With cost 1000 on .202 this box
! is the backup ISG for VRF Clients and the primary for VRF Clients-2.
! Subscriber sessions are created from DHCP and authorised against RADIUS
! with the option-82 circuit-id as the user name.
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
! NOTE(review): with encryption off the RADIUS key (radsecret) and the CoA
! server-key (TESTKEY) below appear in clear text in any "show run" output.
no service password-encryption
!
hostname isg2
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
! RADIUS server used for subscriber authorisation (SUBS-AUTHORIZE-LIST),
! service-profile download and accounting (AAA-MLIST)
aaa group server radius AAA-RADIUS-SERVERS
server 192.168.100.242 auth-port 1812 acct-port 1813
!
! Exec access to the router itself stays local (username below).
! NOTE(review): "local none" skips exec authorisation when the local method
! errors -- confirm that fallback is intended.
aaa authentication login default local
aaa authorization exec default local none
aaa authorization network SUBS-AUTHORIZE-LIST group AAA-RADIUS-SERVERS
aaa authorization subscriber-service default local group AAA-RADIUS-SERVERS
aaa accounting delay-start
! interim accounting records every 1 minute (short, for the test)
aaa accounting update periodic 1
aaa accounting network AAA-MLIST start-stop group AAA-RADIUS-SERVERS
!
!
!
! Change-of-Authorization / disconnect requests accepted from the RADIUS
! server. NOTE(review): auth-type any and ignore session-key presumably
! relax how an incoming CoA request is matched to a session, and TESTKEY is
! a lab secret -- verify both before reuse outside the lab.
aaa server radius dynamic-author
client 192.168.100.242
server-key TESTKEY
auth-type any
ignore session-key
!
aaa session-id unique
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00
ip subnet-zero
ip cef
!
!
no ip domain lookup
no ip dhcp use vrf connected
! the AGREG-SW gateway loopbacks must never be handed out
ip dhcp excluded-address 172.16.10.1
ip dhcp excluded-address 172.16.20.1
!
! Same pools as on isg1, selected by the giaddr of the relayed request.
! NOTE(review): no lease synchronisation between the two ISGs is visible in
! either listing, so after a failover the two servers may hand out
! overlapping addresses -- confirm.
ip dhcp pool Pool-For-Clients-on-AGG-SW1
network 172.16.10.0 255.255.255.0
default-router 172.16.10.1
domain-name test.local
dns-server 192.168.100.254
lease 0 0 2
!
ip dhcp pool Pool-For-Clients-2-on-AGG-SW1
network 172.16.20.0 255.255.255.0
default-router 172.16.20.1
domain-name test.local
dns-server 192.168.100.254
lease 0 0 2
!
!
!
!
! Password sent with a service name when a service profile is pulled from
! RADIUS (matches "passwd servpasswd" in the RADIUS profiles further down)
subscriber service password servpasswd
! Captive portal that unauthenticated TCP traffic is redirected to
redirect server-group PORTAL
server ip 192.168.100.242
!
call rsvp-sync
!
!
!
!
!
!
!
no file verify auto
! Local admin account; the type-5 hash is redacted for publication
username mavrichev privilege 15 secret 5 xxxxxxxxxxxxxxxxxx
!
! All TCP in both directions (To-PORTAL / From-PORTAL are permit tcp any any)
class-map type traffic match-any PORTAL
match access-group input name To-PORTAL
match access-group output name From-PORTAL
!
! Open garden: DNS to 192.168.100.254 and ICMP to 192.168.100.0/24
! (IN-OG / OUT-OG below), reachable before authorisation
class-map type traffic match-any For-Open-Garden
match access-group input name IN-OG
match access-group output name OUT-OG
!
! True once IP-UNAUTH-TIMER has fired and the session is still unauthenticated
class-map type control match-all IP-UNAUTH-COND
match timer IP-UNAUTH-TIMER
match authen-status unauthenticated
!
! Unauthenticated-subscriber service: all TCP is redirected to the portal,
! everything else in either direction is dropped (the open-garden service
! below is what keeps DNS/ICMP alive)
policy-map type service unauth-subscr-redir
service local
class type traffic PORTAL
redirect to group PORTAL
!
class type traffic default in-out
drop
!
!
! Open-garden service, policed to 8 kbit/s each way
policy-map type service unauth-subscr-open-garden
service local
class type traffic For-Open-Garden
police input 8000 1000 1000
police output 8000 1000 1000
!
!
! Control policy applied on the subscriber-facing subinterfaces. On session
! start and restart: RADIUS-authorise with the option-82 circuit-id as user
! name and the fixed password TESTPASSWD, apply the open garden and the
! portal redirect, and arm a 5-minute timer; a session still unauthenticated
! when the timer fires is disconnected.
! NOTE(review): TESTPASSWD is one shared value for every circuit-id (see the
! RADIUS user profiles further down), so it does not authenticate the
! subscriber -- the identity rests entirely on option 82 being inserted only
! by AGREG-SW, whose DHCP snooping trusts just the ISG-facing ports.
policy-map type control SUBSCRIBER_RULE
class type control IP-UNAUTH-COND event timed-policy-expiry
10 service disconnect
!
class type control always event session-start
20 authorize aaa list SUBS-AUTHORIZE-LIST password TESTPASSWD identifier circuit-id
25 service-policy type service name unauth-subscr-open-garden
30 service-policy type service name unauth-subscr-redir
40 set-timer IP-UNAUTH-TIMER 5
!
class type control always event session-restart
20 authorize aaa list SUBS-AUTHORIZE-LIST password TESTPASSWD identifier circuit-id
25 service-policy type service name unauth-subscr-open-garden
30 service-policy type service name unauth-subscr-redir
40 set-timer IP-UNAUTH-TIMER 5
!
!
!
!
! OSPF router-id and RADIUS source address (ip radius source-interface and
! attribute 4 below)
interface Loopback10
description For-OSPF-Router-id
ip address 192.168.101.22 255.255.255.255
!
! DHCP relay target, same address as on isg1: OSPF delivers relayed DHCP to
! whichever ISG is cheaper for that VRF
interface Loopback100
description For-IP-Helper-Address
ip address 192.168.101.23 255.255.255.255
!
! Two-member bundle (Fa1/0 + Fa1/1) to isg1; transit path between the ISGs
interface Port-channel1
description to-ISG-1
ip address 192.168.101.10 255.255.255.252
ip ospf network point-to-point
snmp trap link-status
hold-queue 150 in
!
! dot1Q trunk to AGREG-SW Fa0/8: .202 = VRF Clients, .204 = VRF Clients-2
interface FastEthernet0/0
description to AGREG-SW-Link-Fa0/8
no ip address
speed 10
duplex half
!
! Subscriber-facing: ISG control policy, sessions initiated by DHCP.
! Cost 1000 makes isg2 the backup for VRF Clients (isg1 is primary there).
interface FastEthernet0/0.202
description to AGREG-SW-Link-Fa0/8-vl-202
encapsulation dot1Q 202
ip address 192.168.101.1 255.255.255.252
ip ospf network point-to-point
ip ospf cost 1000
service-policy type control SUBSCRIBER_RULE
ip subscriber routed
initiator dhcp
!
! Default cost, so isg2 is the primary ISG for VRF Clients-2
interface FastEthernet0/0.204
description to AGREG-SW-Link-Fa0/8-vl-204
encapsulation dot1Q 204
ip address 192.168.101.33 255.255.255.252
ip ospf network point-to-point
service-policy type control SUBSCRIBER_RULE
ip subscriber routed
initiator dhcp
!
! Uplink to AGREG-SW VRF Outside (Vlan102 via SW1 port 2); the default route
! is learned here from AGREG-SW's OSPF 20
interface FastEthernet0/1
description to-SW1-Port2
ip address 192.168.101.17 255.255.255.252
ip ospf network point-to-point
speed 10
duplex half
!
! Port-channel1 members
interface FastEthernet1/0
description to-ISG-1
no ip address
speed 10
duplex half
channel-group 1
!
interface FastEthernet1/1
description to-ISG-1
no ip address
speed 10
duplex half
channel-group 1
!
! Single OSPF process peering with all three AGREG-SW VRF processes (10, 20,
! 30) and with isg1: the VRF separation of AGREG-SW ends here, in the ISG's
! global table. NOTE(review): nothing in this listing restricts traffic
! between the Clients and Clients-2 subnets once a session is authorised --
! verify that is acceptable.
router ospf 1
router-id 192.168.101.22
log-adjacency-changes
passive-interface default
no passive-interface FastEthernet0/0.202
no passive-interface FastEthernet0/0.204
no passive-interface FastEthernet0/1
no passive-interface Port-channel1
network 192.168.101.1 0.0.0.0 area 0
network 192.168.101.10 0.0.0.0 area 0
network 192.168.101.17 0.0.0.0 area 0
network 192.168.101.22 0.0.0.0 area 0
network 192.168.101.23 0.0.0.0 area 0
network 192.168.101.33 0.0.0.0 area 0
!
ip classless
!
no ip http server
!
!
!
! ACLs behind the traffic class-maps above (PORTAL / For-Open-Garden)
ip access-list extended From-PORTAL
permit tcp any any
ip access-list extended IN-OG
permit udp any host 192.168.100.254 eq domain
permit icmp any 192.168.100.0 0.0.0.255
ip access-list extended OUT-OG
permit udp host 192.168.100.254 eq domain any
permit icmp 192.168.100.0 0.0.0.255 any
ip access-list extended To-PORTAL
permit tcp any any
ip radius source-interface Loopback10
! Scope of the RADIUS-pushed L4 redirect ("ip:l4redirect=redirect list 199
! to group PORTAL" in Work#2 further down): matches everything
access-list 199 permit ip any any
!
!
! RADIUS attributes added to requests: 44 Acct-Session-Id, 6 Service-Type,
! 8 Framed-IP-Address, 32 NAS-Identifier, 55 Event-Timestamp;
! NAS-IP-Address (4) is pinned to Loopback10
radius-server attribute 44 include-in-access-req
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 4 192.168.101.22
radius-server host 192.168.100.242 auth-port 1812 acct-port 1813 key radsecret
radius-server retransmit 10
radius-server vsa send accounting
!
control-plane
!
!
!
dial-peer cor custom
!
!
!
!
! NOTE(review): exec-timeout 0 0 disables the idle timeout on console and
! vty, and every vty session lands at privilege 15; SSH is the only vty
! transport. Lab settings -- confirm before reuse.
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
transport input ssh
!
ntp clock-period 17179814
! The router serves time itself when the upstream servers are unreachable;
! no NTP authentication appears in this listing.
ntp master
ntp server 213.41.245.21
ntp server 216.58.31.84
ntp server 216.52.237.153
end

################################################################################################

RADIUS:
Work#2 -------- With L4Redirect
###Service-Profile###
Tariff l4r-Attr
username l4r passwd servpasswd
Session-Timeout=600, Cisco-AVPair +="ip:l4redirect=redirect list 199 to group PORTAL",

###User-Profile###
Tariff ISG-REDIR
username 0004000a0102 passwd TESTPASSWD
Cisco-Account-Info="Al4r", Session-Timeout=6000,
Work#2-end




Work#3 -------- With Policing
###Service-Profile###
Tariff isg-128K-Attr
username isg-128k passwd servpasswd
Cisco-Service-Info ="isg-128k", Cisco-Service-Info ="QU;128000;16000;32000;D;128000;16000;32000",

###User-Profile###
Tariff ISG-128K
username 0004000a0102 passwd TESTPASSWD
Cisco-Account-Info="Aisg-128k",
Work#3-end




Work#4 -------- With Accounting
###Service-Profile###
Tariff isg-256k-Attr
username isg-256k passwd servpasswd
Cisco-Service-Info ="isg-256k", Cisco-Service-Info ="QU;256000;32000;64000;D;256000;32000;64000",

###User-Profile###
Tariff isg-256k
username 0004000a0102 passwd TESTPASSWD
Cisco-Account-Info="Aisg-256k", Cisco-AVPair +="accounting-list=AAA-MLIST",
Work#4-end

################################################################################################
