static route-leaking между VRF

Надо было организовать обмен трафиком между двумя хостами в разных VRF...
!
! Static route-leaking between two VRFs on the same box (no MP-BGP involved).
! The route-target import/export lines describe the VRFs for MPLS/VPNv4; the
! actual leak is done by the two host routes below, each pointing at an
! interface that belongs to the *other* VRF. Note that neither VRF shown here
! exports RT 200:255 or 200:300 - presumably those come from other PEs; verify.
ip vrf VPN1
rd 200:202
route-target export 200:202
route-target import 200:255
route-target import 200:300
!
ip vrf VPN2
rd 200:251
route-target export 200:251
route-target import 200:300
!
! VPN1 -> host 192.168.50.12, which sits on Vlan902 (a VPN2 interface).
! Only this single /32 is leaked; a wider mask would expose more of VPN2 to VPN1.
ip route vrf VPN1 192.168.50.12 255.255.255.255 Vlan902 192.168.50.12
!
! Reverse direction: VPN2 -> host 192.168.150.132 on Vlan697 (a VPN1 interface).
! No access-group is applied on either SVI in this snippet, so the two leaked
! hosts can reach each other on any port.
ip route vrf VPN2 192.168.150.132 255.255.255.255 Vlan697 192.168.150.132
!
!
interface Vlan902
description VPN2_Servers
ip vrf forwarding VPN2
ip address 192.168.50.1 255.255.255.128
!
interface Vlan697
description VPN1_Servers
ip vrf forwarding VPN1
ip address 192.168.150.129 255.255.255.224
!

ipsec VPN между cisco и linux через crypto profile (без crypto-map)

Стянуто отсюда:
http://community.livejournal.com/cisco_ru/239812.html

На кошке

! Pre-shared key for the Linux peer. It is reproduced here in cleartext (type 0,
! no "6" encryption) together with the peer's public address - a key that has
! been published should be considered compromised and rotated on both ends.
! The matching "crypto isakmp policy" (3DES/MD5/PSK/group 2, see racoon.conf
! below) is not part of this snippet.
crypto isakmp key 185d088b5c71daaab829c012f1ee1076 address 80.249.178.146

! Phase 2: 3DES + HMAC-MD5 in transport mode. Transport mode is what lets the
! GRE packet itself be protected (same as the setkey "esp/transport" policy on
! the Linux side). Both algorithms are legacy; AES and SHA-2 are preferred
! where both ends support them.
crypto ipsec transform-set 3DES.MD5.HMAC esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile VPN
set transform-set 3DES.MD5.HMAC
!
! Plain GRE tunnel (no "tunnel mode" line, so the default gre ip) protected by
! the profile above instead of a crypto map. It is saved in "shutdown" state.
! ip mtu 1400 leaves room for the GRE + ESP overhead.
interface Tunnel3
description Tunnel to ep-gw
ip address 192.168.100.13 255.255.255.252
ip mtu 1400
shutdown
tunnel source FastEthernet0/0
tunnel destination 80.249.178.146
tunnel protection ipsec profile VPN
!
! Remote LAN behind the Linux box, reached via its tunnel address.
ip route 192.168.11.0 255.255.255.0 192.168.100.14


На линухе (debian)

/etc/network/interfaces

# GRE tunnel towards the Cisco (80.249.xxx.194 - address anonymised in the
# original). The GRE traffic itself is protected by the setkey/racoon
# configuration below; this file only builds the tunnel.
auto tun0
iface tun0 inet static
address 192.168.100.14
netmask 255.255.255.252
broadcast 192.168.100.15
# sets the multicast flag on the tunnel - presumably for a routing protocol; verify
up ifconfig tun0 multicast
# the tunnel device must exist before ifup assigns the address, hence pre-up
pre-up ip tunnel add tun0 mode gre local 80.249.178.146 remote 80.249.xxx.194 ttl 255
# NOTE(review): the Cisco Tunnel3 above is 192.168.100.13/30, but the peer
# address used here and in the routes below is 192.168.100.1 - confirm which
# one is current.
pointopoint 192.168.100.1
post-up ip r a 192.168.1.0/24 via 192.168.100.1
pre-down ip r d 192.168.1.0/24 via 192.168.100.1
post-down ip link set tun0 down
post-down ip tunnel del tun0

/etc/ipsec-tools.conf

#!/usr/sbin/setkey -f
# Clear the SAD and SPD so the file is idempotent when re-applied.
flush;
spdflush;

# Require ESP in transport mode for GRE (protocol 47) in both directions.
# The selector is GRE only: any other traffic between the two public
# addresses is not covered by these policies and travels in the clear.
spdadd 80.249.178.146 80.249.xxx.194 gre -P out ipsec
esp/transport/80.249.178.146-80.249.xxx.194/require;

spdadd 80.249.xxx.194 80.249.178.146 gre -P in ipsec
esp/transport/80.249.xxx.194-80.249.178.146/require;

/etc/racoon/racoon.conf

# IKE (phase 1) settings for the Cisco peer. The PSK itself is read from
# racoon's psk file, which is not shown on this page.
remote 80.249.xxx.194 {
my_identifier address 80.249.178.146;
# Aggressive mode with a pre-shared key sends the identity and PSK hash
# before the channel is encrypted; restrict to "main" if the Cisco side
# accepts it.
exchange_mode main,aggressive;
doi ipsec_doi;
# obey = accept the responder's proposal (lifetime etc.) even if it differs
proposal_check obey;

# Must match the Cisco isakmp policy: 3DES / MD5 / PSK / DH group 2 (modp1024).
# All three are legacy choices; prefer AES, SHA-2 and a larger DH group when
# the peer supports them.
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
lifetime time 3600 sec;
}
}
# Phase 2 parameters applied to every peer ("anonymous"); must match the
# Cisco transform-set 3DES.MD5.HMAC. Deflate (IPComp) is offered here but
# the Cisco side shown above does not configure compression - presumably it
# is simply not negotiated; verify.
sainfo anonymous {
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
lifetime time 3600 sec;

}

Карта покрытия Йоты



ПыСы: Если подвигать туда-сюда, есть также С-Пб и Уфа.

PPPoE и WiFi на cisco 871w

Такой вот конфиг на память...

!
! c871w: PPPoE uplink (FastEthernet4 -> Dialer0), WPA-PSK Wi-Fi on Dot11Radio0
! (VLAN 10), wired LAN on Vlan1 and one GRE-over-IPsec tunnel (Tunnel0) to the
! peer 2.2.2.2. The 1.1.1.1/2.2.2.2/3.3.3.3 addresses and the ***** fields are
! anonymised in the listing.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Password encryption is off: every "password 0 ..." line below (the PPPoE
! CHAP credentials on Dialer0) is stored and displayed in cleartext.
no service password-encryption
!
hostname c871w
!
boot-start-marker
boot-end-marker
!
enable secret 5 ***********
!
aaa new-model
!
!
! Local user database only; no RADIUS/TACACS+ on this box.
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
!
! SSID "wifi" on VLAN 10: open association + WPA key management with a
! pre-shared key; guest-mode broadcasts the SSID. The cipher is TKIP (see
! Dot11Radio0 below), which is deprecated - AES-CCMP is preferred where the
! clients support it.
dot11 ssid wifi
vlan 10
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 ***********
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.220.1 192.168.220.100
ip dhcp excluded-address 10.10.10.1
!
! Wired LAN pool (Vlan1); "import all" copies options learned on the WAN.
ip dhcp pool DCHP-POOL-1
import all
network 192.168.220.0 255.255.255.0
default-router 192.168.220.1
netbios-name-server 192.168.100.254
dns-server 192.168.220.1
lease 0 1
!
! Wi-Fi pool (Dot11Radio0.10); the router is the DNS forwarder ("ip dns server").
ip dhcp pool DCHP-POOL-WiFi
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
lease 0 1
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name test.ru
!
!
!
username admin privilege 15 secret 5 ***********
!
!
! IKE phase 1: 3DES / pre-shared key / DH group 2 - legacy parameters. Peers
! are keyed by address; no-xauth disables extended authentication for them.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key *********** address 1.1.1.1 no-xauth
crypto isakmp key *********** address 2.2.2.2 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp xauth timeout 90

!
!
! Phase 2 in transport mode (GRE is the payload); profile P2 protects Tunnel0.
crypto ipsec transform-set T2 esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile P2
set transform-set T2
!
!
! Config-change archive; hidekeys keeps passwords out of the change log.
archive
log config
hidekeys
!
!
ip ssh maxstartups 5
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
! GRE over IPsec to 2.2.2.2 (key defined above); RIP runs only over this tunnel.
! Reduced MTU/MSS avoid fragmentation after GRE+ESP encapsulation on PPPoE.
interface Tunnel0
ip address 192.168.10.22 255.255.255.252
ip mtu 1250
ip tcp adjust-mss 1100
tunnel source 3.3.3.3
tunnel destination 2.2.2.2
tunnel protection ipsec profile P2
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! WAN port carrying the PPPoE session (dial pool 1 -> Dialer0). The DHCP
! address on the physical port next to PPPoE is unusual - presumably the
! ISP's management network; verify.
interface FastEthernet4
ip address dhcp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
! Radio: TKIP for both the native and VLAN 10 ciphers; broadcast key rotated every 60 s.
interface Dot11Radio0
no ip address
!
encryption mode ciphers tkip
!
encryption vlan 10 mode ciphers tkip
!
broadcast-key change 60
!
!
ssid wifi
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
! Wi-Fi L3 subinterface (10.10.10.0/24). The inbound ACL keeps wireless clients
! away from 192.168.0.0/16 (wired LAN and remote sites) while still allowing
! Internet via NAT; rate-limit caps each direction at 512 kbit/s.
interface Dot11Radio0.10
encapsulation dot1Q 10 native
ip address 10.10.10.1 255.255.255.0
ip access-group Deny-Our-Net-From-Wi-Fi in
ip nat inside
ip virtual-reassembly
rate-limit input 512000 8000 8000 conform-action transmit exceed-action drop
rate-limit output 512000 8000 8000 conform-action transmit exceed-action drop
ip tcp adjust-mss 1400
no cdp enable
!
interface Vlan1
description LAN
ip address 192.168.220.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1400
!
! PPPoE dialer = public side of NAT. From-INTERNET only drops bogon sources
! and a few VoIP signalling ports and then permits everything else; there is
! no stateful inspection in this config, so services listening on the router
! itself are reachable from the Internet. The CHAP password is type 0 (see
! "no service password-encryption" above) - treat these ISP credentials as
! exposed by this listing.
interface Dialer0
ip address negotiated
ip access-group From-INTERNET in
ip mtu 1450
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname pukulya
ppp chap password 0 toshibaa
ppp ipcp dns accept
!
! RIPv2 only over Tunnel0; every other interface is passive.
router rip
version 2
passive-interface default
no passive-interface Tunnel0
network 192.168.10.0
network 192.168.220.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip flow-cache timeout active 5
ip flow-export source Tunnel0
ip flow-export version 5
! NetFlow v5 to a collector reached through the tunnel.
ip flow-export destination 192.168.100.242 9999
!
no ip http server
no ip http secure-server
ip dns server
! PAT of both LAN and Wi-Fi (FOR-NAT-ACL via route-map nonat) onto the dialer address.
ip nat inside source route-map nonat interface Dialer0 overload
!
ip access-list standard SNMP_ACCESS
permit 192.168.100.241
!
ip access-list extended Deny-Our-Net-From-Wi-Fi
deny ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended FOR-NAT-ACL
permit ip 192.168.220.0 0.0.0.255 any
permit ip 10.10.10.0 0.0.0.255 any
! Inbound filter on Dialer0: anti-spoofing for private/loopback/broadcast
! sources (10.0.0.0/8 is missing from the list), SIP/SCCP/H.323 signalling
! blocked, then permit any - see the Dialer0 note.
ip access-list extended From-INTERNET
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny udp any any eq 5060
deny tcp any any eq 5060
deny tcp any any eq 2000
deny udp any any eq 1720
deny tcp any any eq 1720
permit ip any any
!
logging origin-id hostname
logging server-arp
logging 192.168.100.241
! SNMPv2c read-only with the well-known default community "public"; only the
! one-host ACL SNMP_ACCESS protects it. A non-default community string (or
! SNMPv3) would be the better control.
snmp-server community public RO SNMP_ACCESS
snmp-server ifindex persist
snmp-server location ARCH-1
snmp-server contact admin@test.ru
snmp-server chassis-id c871w
snmp-server host 192.168.100.241 public
no cdp run
!
!
route-map nonat permit 10
match ip address FOR-NAT-ACL
!
!
control-plane
!
!
! Management: SSH only on the VTYs; every authenticated login lands at privilege 15.
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17175124
ntp master
ntp server 213.41.245.21
ntp server 216.58.31.84
ntp server 216.52.237.153
end

PPtP Client на Cisco 87x

Суть истории: наш склад переехал на новую точку, где нельзя получить нормальный канал с публичным адресом. Однако интернет имеется у соседей, и складские компы включили в их сетку. Но их мегароутер "Planet" не позволяет более одной PPtP сессии, и Cisco VPN Client через него тоже не работает. Поставили туда 87x кошку, которая получает по DHCP приватный адрес от планета и строит PPtP туннель к нам в головной офис, с нормальным роутингом через него.

П.С. Не верьте сказкам, что PPtP-клиента на циске нет! Есть волшебная команда service internal, которая позволяет его использовать. Использовалась версия ИОСа c870-advsecurityk9-mz.124-15.T5.

Конфиг 871-ой кошки:

!
! c871spb-rzevka: branch router behind a neighbour's NAT. It takes a private
! address by DHCP on FastEthernet4 and dials a PPTP tunnel (Dialer0 /
! vpdn-group 1) to the head-office router at aaa.aaa.aaa.226; 192.168.0.0/16
! is routed through that tunnel. Public addresses and secrets are anonymised.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Password encryption is off, so the PPTP CHAP password on Dialer0
! ("password 0 ...") is stored and shown in cleartext.
no service password-encryption
! Unlocks internal/unsupported commands - used here to enable the PPTP client
! on Dialer0. It also exposes many other undocumented commands; keep it only
! on boxes that actually need the PPTP client.
service internal
!
hostname c871spb-rzevka
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
! Local user database only.
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.214.1 192.168.214.10
!
! LAN pool: clients get the router and the head-office DNS (192.168.100.254,
! reachable only through the tunnel).
ip dhcp pool DCHP-POOL-1
import all
network 192.168.214.0 255.255.255.0
default-router 192.168.214.1
netbios-name-server 192.168.0.171
dns-server 192.168.214.1 192.168.100.254
lease 0 1
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
! Static host entries so the router's DNS forwarder ("ip dns server") can
! answer the domain controller's A and _ldap SRV lookups for LAN clients.
ip domain list bla-bla.local
ip domain name bla-bla.ru
ip host server2.bla-bla.local 192.168.0.171
ip host _ldap._tcp.dc._msdcs.bla-bla.local srv 1 1 389 server2.bla-bla.local
ip host vm-termserver.bla-bla.local 192.168.0.160
!
! PPTP client side: request-dialin from dialer pool 1 to the head-office PPTP server.
vpdn enable
!
vpdn-group 1
request-dialin
protocol pptp
pool-member 1
initiate-to ip aaa.aaa.aaa.226
!
!
!
username admin privilege 15 secret ********************
!
!
archive
log config
hidekeys
!
!
ip ssh maxstartups 5
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! Uplink into the neighbour's LAN; NAT outside. The From-INTERNET ACL defined
! below is NOT applied here (nor on any other interface in this config).
interface FastEthernet4
description TO_ISP
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
description Internal_LAN
ip address 192.168.214.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
! PPTP tunnel interface. "dialer idle-timeout 0" keeps it permanently up;
! MPPE is negotiated ("auto") with CHAP credentials stored as type 0. PPTP with
! MS-CHAP is a weak VPN by current standards. The fixed 192.168.111.222 falls
! inside the server's PPTP_VPN pool range (192.168.111.100-254 in the
! head-office config further down) - verify it is excluded there.
interface Dialer0
mtu 1450
ip address 192.168.111.222 255.255.255.0
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer string 123
dialer vpdn
dialer-group 1
no cdp enable
ppp pfc local request
ppp pfc remote apply
ppp encrypt mppe auto
ppp chap hostname username1
ppp chap password 0 userpass1
!
ip forward-protocol nd
! Head-office networks via the PPTP server's Loopback10. There is no static
! default route; presumably the default is learned from DHCP on FastEthernet4.
ip route 192.168.0.0 255.255.0.0 192.168.111.1
ip flow-cache timeout active 5
ip flow-export version 5
ip flow-export destination 192.168.100.242 9910
!
no ip http server
no ip http secure-server
ip dns server
! LAN is PATed onto the DHCP address of FastEthernet4 for direct Internet access.
ip nat inside source route-map nonat interface FastEthernet4 overload
!
ip access-list standard SNMP_ACCESS
permit 192.168.100.241
!
ip access-list extended FOR-NAT-ACL
permit ip 192.168.214.0 0.0.0.255 any
! Defined but unused: no "ip access-group From-INTERNET" appears on any interface above.
ip access-list extended From-INTERNET
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny udp any any eq 5060
deny tcp any any eq 5060
deny tcp any any eq 2000
deny udp any any eq 1720
deny tcp any any eq 1720
permit ip any any
!
! Tunnel reachability probe: ICMP to the PPTP server every 5 s. Nothing in
! this config consumes it (no "track ... rtr 10"), so it is monitoring only.
ip sla 10
icmp-echo 192.168.111.1 source-interface Dialer0
timeout 3000
threshold 500
frequency 5
ip sla schedule 10 life forever start-time now
logging origin-id hostname
logging server-arp
logging 192.168.100.241
dialer-list 1 protocol ip permit
! Default community "public", read-only, restricted to one host by SNMP_ACCESS;
! a non-default community or SNMPv3 would be preferable.
snmp-server community public RO SNMP_ACCESS
snmp-server ifindex persist
snmp-server location SPB-Rjevka
snmp-server contact admin@bla-bla.ru
snmp-server chassis-id c871
snmp-server host 192.168.100.241 public
no cdp run
!
!
route-map nonat permit 10
match ip address FOR-NAT-ACL
!
!
control-plane
!
!
! Management: SSH only on the VTYs; every authenticated login lands at privilege 15.
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17174962
ntp master
ntp server 213.41.245.21
ntp server 216.58.31.84
ntp server 216.52.237.153
end

Аццкий конфиг с кошки, много всякого...


!
! c2821: head-office hub - dual ISP (Vlan50/Vlan60), six GRE-over-IPsec tunnels
! to branches, PPTP and IPsec remote access, voice gateway. Listing is cut off
! before "end"; secrets and public addresses are anonymised.
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
! Type 7 obfuscation for "password" lines (reversible); "secret" lines below
! use MD5 (type 5) and are the stronger form.
service password-encryption
service sequence-numbers
!
hostname c2821
!
boot-start-marker
boot-end-marker
!
card type e1 0 0
logging buffered 4096
!
aaa new-model
!
!
! Console/VTY login: local database. user_auth (IPsec remote-access group) and
! PPP (PPTP users) go to RADIUS first with local fallback. Exec authorization
! ends in "none": when the local method cannot decide, authorization succeeds -
! verify that is intended.
aaa authentication login default local
aaa authentication login user_auth group radius local
aaa authentication ppp default group radius local
aaa authorization exec default local none
aaa authorization network default group radius local
aaa authorization network group_author local
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network default start-stop group radius
!
! RADIUS Change-of-Authorization client: 192.168.100.242 may disconnect or
! re-authorize live sessions. The server key is anonymised in the listing.
aaa server radius dynamic-author
client 192.168.100.242 server-key XXXXXXXXXXXXXX
auth-type any
ignore session-key
!
aaa session-id unique
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00
network-clock-participate wic 0
dot11 syslog
! WCCP redirection of HTTP to a web cache, authenticated with a password
! (anonymised). The redirect-list REDIRECT_HTTP is not in the visible part of
! the listing; it is applied on Gi0/0.30 and Gi0/0.40 below.
ip wccp web-cache redirect-list REDIRECT_HTTP password XXXXXXXXXXXXXX
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.30.1 192.168.30.10
ip dhcp excluded-address 192.168.110.1
!
! Voice VLAN pool: options 150/66 point IP phones at the call manager 192.168.30.2.
ip dhcp pool SRST-Pool
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
option 150 ip 192.168.30.2
dns-server 192.168.100.254 80.250.191.18
option 66 ip 192.168.30.2
!
! Pool for the unencrypted Wi-Fi segment (Vlan70 / Loopback20).
ip dhcp pool WiFi-Pool
network 192.168.110.0 255.255.255.0
default-router 192.168.110.1
dns-server 192.168.100.254
!
! Fixed lease for the access point itself, bound to its client identifier.
ip dhcp pool WiFi-AP-Pool
host 192.168.110.2 255.255.255.0
client-identifier 0100.1bd5.bdf2.b4
default-router 192.168.110.1
!
!
ip domain name bla-bla.ru
ip name-server xxx.xxx.65.9
ip name-server xxx.xxx.66.253
ip name-server xxx.xxx.192.2
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
! Login brute-force throttle: 3 failures within 60 s triggers a 300 s quiet
! period, plus a 3 s delay between attempts. The 87x configs on this page lack
! this and rely on "ip ssh authentication-retries" only.
login block-for 300 attempts 3 within 60
login delay 3
!
multilink bundle-name authenticated
!
! PPTP server side: incoming PPTP sessions are cloned from Virtual-Template1
! (MS-CHAPv2 + MPPE 128 enforced there). PPTP/MS-CHAPv2 is considered weak
! today; the IPsec remote-access path (Virtual-Template2) is the stronger option.
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
local name Cisco_VPN_PPTP_server
ip mtu adjust
!
isdn switch-type primary-net5
!
!
trunk group CO
carrier-id YYYYYYY
!
voice-card 0
dspfarm
dsp services dspfarm
!
!
!
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711alaw
sip
registrar server expires max 600 min 60
no update-callerid
!
!
voice class codec 15
codec preference 1 g711ulaw
codec preference 2 g711alaw
codec preference 3 g729r8
codec preference 4 ilbc
!
!
!
!
!
!
!
!
!
!
!
voice register pool 10
id network 192.168.30.0 mask 255.255.255.0
application sip.app
preference 2
proxy 192.168.30.2 preference 1 monitor probe icmp-ping
dtmf-relay rtp-nte
voice-class codec 15
!
!
voice translation-rule 10
rule 1 /\(^.+\)/ /9\1/
!
!
voice translation-profile world-to-me
translate calling 10
!
!
!
application
service ivrtest flash://its-CISCO.2.0.2.0.tcl
paramspace english index 0
paramspace english language en
paramspace english location flash:
param aa-pilot YYYYYYY
paramspace english prefix en
param operator 2001
!
global
service alternate DEFAULT
!
!
!
!
!
!
username admin privilege 15 secret XXXXXXXXXXXXXX
! "password" (not "secret"): with service password-encryption this is stored
! as reversible type 7. Prefer "secret" unless a protocol needs the plaintext
! (e.g. CHAP for the PPTP users - presumably why it is a password here; verify).
username admin-vpn password XXXXXXXXXXXXXX
! Config-change archive; hidekeys keeps passwords out of the change log.
archive
log config
hidekeys
!
!
! IKE phase 1 for the site-to-site peers: 3DES / PSK / DH group 2 (legacy
! parameters). One key per branch peer; no-xauth keeps these peers out of
! extended authentication. Keys are anonymised.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXXXXXXXX address 1.1.1.1 no-xauth
crypto isakmp key XXXXXXXXXXXXXX address 2.2.2.2 no-xauth
crypto isakmp key XXXXXXXXXXXXXX address 3.3.3.3 no-xauth
crypto isakmp key XXXXXXXXXXXXXX address 4.4.4.4 no-xauth
crypto isakmp key XXXXXXXXXXXXXX address 5.5.5.5 no-xauth
crypto isakmp key XXXXXXXXXXXXXX address 6.6.6.6 no-xauth
crypto isakmp key XXXXXXXXXXXXXX address 7.7.7.7 no-xauth
crypto isakmp key XXXXXXXXXXXXXX address 8.8.8.8 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp xauth timeout 90

!
! Remote-access (EzVPN-style) group "mobile": a single group pre-shared key
! shared by all mobile users - rotating it means touching every client. Address
! pool PPTP_VPN is the same pool the PPTP users draw from (see Virtual-Template1).
crypto isakmp client configuration group mobile
key XXXXXXXXXXXXXX
dns 192.168.100.254 80.250.191.18
pool PPTP_VPN
max-users 250
netmask 255.255.255.0
! Users of group "mobile" authenticate via list user_auth (RADIUS, local
! fallback), are authorized via group_author (local) and land on a DVTI cloned
! from Virtual-Template2; accounting goes to the default RADIUS list.
crypto isakmp profile mobile_users
match identity group mobile
client authentication list user_auth
isakmp authorization list group_author
client configuration address respond
client configuration group mobile
accounting default
virtual-template 2
!
!
! ESP-3DES-SHA0 (tunnel mode) serves the crypto map and remote-access users;
! T2 (transport mode) protects the GRE tunnels via profile P2. 3DES is legacy;
! AES would be preferred where all peers support it.
crypto ipsec transform-set ESP-3DES-SHA0 esp-3des esp-sha-hmac
crypto ipsec transform-set T2 esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile P2
set transform-set T2
!
! Profile for the remote-access DVTI (Virtual-Template2), bound to the isakmp
! profile so only group "mobile" identities can bring it up.
crypto ipsec profile mobile_users_ipsec
set transform-set ESP-3DES-SHA0
set isakmp-profile mobile_users
!
!
! Legacy crypto-map (policy-based) tunnels, applied on Vlan50 (ISP2). The two
! match ACLs are not in the visible part of the listing. Since the map is bound
! to Vlan50 only, these two tunnels do not survive a failover to Vlan60.
crypto map temp local-address Vlan50
crypto map temp client configuration address respond
crypto map temp 1 ipsec-isakmp
description to_Archangelsk
set peer 1.1.1.1
set transform-set ESP-3DES-SHA0
match address VPN-Archangelsk
crypto map temp 2 ipsec-isakmp
description to_Intersol
set peer 5.5.5.5
set transform-set ESP-3DES-SHA0
match address VPN-Intersol
!
!
!
controller E1 0/0/0
pri-group timeslots 1-31
description PSTN-Voice-Trunk-E1
!
ip tcp path-mtu-discovery
! SSHv2 only. Unlike the 87x configs there is no "ip ssh authentication-retries";
! brute-force protection here comes from "login block-for" above.
ip ssh maxstartups 5
ip ssh time-out 60
ip ssh version 2
no ip rcmd domain-lookup
!
! Reachability tracks driving the two default routes (IP SLA 10/20 definitions
! are outside the visible listing). Dampening: 15 s before declaring down, 10 s
! before declaring up.
track 10 rtr 10 reachability
delay down 15 up 10
!
track 20 rtr 20 reachability
delay down 15 up 10
!
! 128 kbit/s policers (both directions). Nothing in the visible listing applies
! them with "service-policy" - presumably for the WiFi or PPTP virtual
! interfaces; verify whether they are still in use.
policy-map out-policy-128k
class class-default
police cir 128000 bc 8000 be 8000
exceed-action drop
policy-map in-policy-128k
class class-default
police cir 128000 bc 8000 be 8000
exceed-action drop
!
!
!
!
! PPPoE server group reusing Virtual-Template1 (the PPTP template). It is not
! attached to any interface in the visible listing ("TEST").
bba-group pppoe TEST
virtual-template 1
!
!
! Loopback10 is the unnumbered source for both PPTP and IPsec remote-access
! virtual-access interfaces and the default gateway (192.168.111.1) that the
! branch router c871spb-rzevka routes 192.168.0.0/16 to.
interface Loopback10
description Loopback-For-VPN-Users
ip address 192.168.111.1 255.255.255.255
!
! Loopback20 is the unnumbered address of the open Wi-Fi segment (Vlan70).
interface Loopback20
description Loopback-For-WiFi-Net
ip address 192.168.110.1 255.255.255.255
!
! Hub side of the branch GRE-over-IPsec tunnels (profile P2, 3DES/SHA transport
! mode). All six share the ISP2 address as source and therefore all drop when
! Vlan50 fails. Tunnel6 is described as the c871-spb-rzevka peer, yet the
! rzevka config earlier on this page has no tunnel/crypto at all (PPTP client
! only) - presumably a different point in time; verify which is current.
interface Tunnel1
description tun-to-c871spb-novg12
bandwidth 256
ip address 192.168.10.1 255.255.255.252
ip mtu 1250
ip tcp adjust-mss 1100
tunnel source aaa.aaa.aaa.226
tunnel destination 2.2.2.2
tunnel protection ipsec profile P2
!
interface Tunnel2
description tun-to-c877-msk-1
bandwidth 256
ip address 192.168.10.5 255.255.255.252
ip mtu 1250
ip tcp adjust-mss 1100
tunnel source aaa.aaa.aaa.226
tunnel destination 4.4.4.4
tunnel protection ipsec profile P2
!
interface Tunnel3
description tun-to-c851-novosib-1
bandwidth 256
ip address 192.168.10.9 255.255.255.252
ip mtu 1250
ip tcp adjust-mss 1100
tunnel source aaa.aaa.aaa.226
tunnel destination 3.3.3.3
tunnel protection ipsec profile P2
!
! Slightly lower MTU than the others (1226) - presumably a smaller path MTU on
! that branch's uplink; the other end is not shown.
interface Tunnel4
description tun-to-c857-murmansk
bandwidth 256
ip address 192.168.10.13 255.255.255.252
ip mtu 1226
ip tcp adjust-mss 1100
tunnel source aaa.aaa.aaa.226
tunnel destination 8.8.8.8
tunnel protection ipsec profile P2
!
interface Tunnel5
description tun-to-c2811-msk-2
bandwidth 256
ip address 192.168.10.17 255.255.255.252
ip mtu 1250
ip tcp adjust-mss 1100
tunnel source aaa.aaa.aaa.226
tunnel destination 7.7.7.7
tunnel protection ipsec profile P2
!
interface Tunnel6
description tun-to-c871-spb-rzevka
bandwidth 256
ip address 192.168.10.21 255.255.255.252
ip mtu 1250
ip tcp adjust-mss 1100
tunnel source aaa.aaa.aaa.226
tunnel destination 6.6.6.6
tunnel protection ipsec profile P2
!
! Trunk towards the LAN switch; the VLANs live on the subinterfaces below.
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.20
description TESTLAB
encapsulation dot1Q 20
ip address 192.168.4.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
no cdp enable
!
! Voice VLAN: HTTP is redirected to the web cache (WCCP); NTP broadcast for the phones.
interface GigabitEthernet0/0.30
description Voice_LAN
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip wccp web-cache redirect in
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ntp broadcast
!
! Data VLAN with a secondary address in 192.168.0.0/24 (the domain controller's
! subnet). DHCP for this VLAN is relayed to 192.168.100.254 rather than served locally.
interface GigabitEthernet0/0.40
description Data_LAN
encapsulation dot1Q 40
ip address 192.168.0.90 255.255.255.0 secondary
ip address 192.168.40.1 255.255.255.0
ip helper-address 192.168.100.254
ip wccp web-cache redirect in
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0.100
description Servers
encapsulation dot1Q 100
ip address 192.168.100.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
! Onboard switch ports: the open (unencrypted) access point is isolated in its
! own VLAN 70; the two ISP handoffs are VLAN 50 and 60.
interface FastEthernet0/1/0
description To-WiFi-AP-WithoutEncryption
switchport access vlan 70
!
interface FastEthernet0/1/1
description ISP-1
switchport access vlan 50
no cdp enable
!
interface FastEthernet0/1/2
description ISP-2
switchport access vlan 60
no cdp enable
!
interface FastEthernet0/1/3
switchport access vlan 60
no cdp enable
!
interface Serial0/0/0:15
description PSTN-Voice-Trunk-E1
no ip address
encapsulation hdlc
no logging event link-status
isdn switch-type primary-net5
isdn timer T310 60000
isdn incoming-voice voice
no cdp enable
!
! Template for PPTP users (vpdn-group 1). Good hygiene on the user side: strict
! uRPF, no unreachables, no proxy-ARP. Authentication is MS-CHAPv2 with 128-bit
! MPPE - the strongest PPTP offers, but the protocol itself is considered weak
! today. Addresses come from PPTP_VPN, the pool shared with the IPsec group.
interface Virtual-Template1
description Tunnel-Template-For-PPTP-Users
ip unnumbered Loopback10
ip verify unicast reverse-path
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1460
autodetect encapsulation ppp
no snmp trap link-status
peer default ip address pool PPTP_VPN
no keepalive
ppp mtu adaptive
ppp encrypt mppe 128 passive
ppp authentication ms-chap-v2
ppp ipcp dns 192.168.100.254 217.195.65.9
ppp ipcp wins 192.168.100.254
!
! Dynamic VTI for the IPsec remote-access group (isakmp profile mobile_users).
! Unlike Virtual-Template1 it has no uRPF / no-unreachables / no-proxy-arp -
! consider aligning the two templates. Per-user bandwidth capped at 1 Mbit/s.
interface Virtual-Template2 type tunnel
description Tunnel-Template-For-VPNC-Users
bandwidth 1024
ip unnumbered Loopback10
ip nat inside
ip virtual-reassembly
load-interval 30
no snmp trap link-status
tunnel mode ipsec ipv4
tunnel protection ipsec profile mobile_users_ipsec
tunnel bandwidth transmit 1024
tunnel bandwidth receive 1024
!
interface Vlan1
no ip address
shutdown
!
! ISP2 (primary): public /27, NAT outside, inbound From-INTERNET filter (the
! ACL body is outside the visible listing) and the policy-based crypto map.
! All GRE tunnels also source from this address.
interface Vlan50
description ISP2
bandwidth 10000
ip address aaa.aaa.aaa.226 255.255.255.224
ip access-group From-INTERNET in
ip nat outside
ip virtual-reassembly
crypto map temp
!
! ISP1 (backup): same inbound filter, no crypto map.
interface Vlan60
description to ISP1
bandwidth 10000
ip address bbb.bbb.bbb.18 255.255.255.248
ip access-group From-INTERNET in
ip nat outside
ip virtual-reassembly
!
! Open Wi-Fi segment (AP on Fa0/1/0), unnumbered to Loopback20. Isolation of
! these unauthenticated clients rests entirely on the WiFi-Net-Inp/Out ACLs,
! which are not in the visible listing.
interface Vlan70
description to WiFi-AP
ip unnumbered Loopback20
ip access-group WiFi-Net-Inp in
ip access-group WiFi-Net-Out out
ip virtual-reassembly
!
router rip
version 2
passive-interface default
no passive-interface Tunnel1
no passive-interface Tunnel2
no passive-interface Tunnel3
no passive-interface Tunnel4
no passive-interface Tunnel5
no passive-interface Tunnel6
network 192.168.0.0
network 192.168.10.0
network 192.168.40.0
network 192.168.100.0
network 192.168.111.0
!
ip local pool PPTP_VPN 192.168.111.100 192.168.111.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 aaa.aaa.aaa.225 track 10
ip route 0.0.0.0 0.0.0.0 bbb.bbb.bbb.17 5 track 20
ip route 172.16.10.0 255.255.255.0 192.168.100.111 name TEST-route-forISG
ip route 172.16.20.0 255.255.255.0 192.168.100.111 name TEST-route-forISG
ip route 192.168.101.0 255.255.255.0 192.168.100.111 name TEST-route-forISG
!
ip flow-cache timeout active 5
ip flow-export source Loopback10
ip flow-export version 5
ip flow-export interface-names
ip flow-export destination 192.168.100.242 9996
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! NAT translation ageing, seconds.
ip nat translation timeout 20
ip nat translation tcp-timeout 120
ip nat translation udp-timeout 60
ip nat translation dns-timeout 80
ip nat translation icmp-timeout 10
! One single-address pool per public IP. The For-NAT-* route-maps pick
! the ISP2 (Prometey) pools via "match interface Vlan50", the
! For-Reserve-NAT-* route-maps pick the ISP1 (Petrstar) pools via Vlan60.
ip nat pool POOL-Prometey-1 aaa.aaa.aaa.226 aaa.aaa.aaa.226 netmask 255.255.255.224
ip nat pool POOL-Prometey-2 aaa.aaa.aaa.227 aaa.aaa.aaa.227 netmask 255.255.255.224
ip nat pool POOL-Petrstar-1 bbb.bbb.bbb.18 bbb.bbb.bbb.18 netmask 255.255.255.248
ip nat pool POOL-Petrstar-2 bbb.bbb.bbb.19 bbb.bbb.bbb.19 netmask 255.255.255.248
ip nat inside source route-map For-NAT-1 pool POOL-Prometey-1 overload
ip nat inside source route-map For-NAT-2 pool POOL-Prometey-2 overload
ip nat inside source route-map For-Reserve-NAT-1 pool POOL-Petrstar-1 overload
ip nat inside source route-map For-Reserve-NAT-2 pool POOL-Petrstar-2 overload
! Inbound exposure. Because From-INTERNET ends in "permit ip any any",
! these static port maps are what decides which inside services are
! reachable from the internet: .253 = SMTP/HTTP/POP3, .248 = FTP
! data/control and SSH. POP3 and FTP carry credentials in cleartext -
! confirm they still need to be published on the public side.
ip nat inside source static tcp 192.168.100.253 25 aaa.aaa.aaa.227 25 extendable
ip nat inside source static tcp 192.168.100.253 80 aaa.aaa.aaa.227 80 extendable
ip nat inside source static tcp 192.168.100.253 110 aaa.aaa.aaa.227 110 extendable
ip nat inside source static tcp 192.168.100.248 20 aaa.aaa.aaa.228 20 extendable
ip nat inside source static tcp 192.168.100.248 21 aaa.aaa.aaa.228 21 extendable
ip nat inside source static tcp 192.168.100.248 22 aaa.aaa.aaa.228 22 extendable
!
ip access-list standard SNMP_ACCESS
permit 192.168.100.241
ip access-list standard VTY_ACCESS
permit 192.168.40.0 0.0.0.255
!
ip access-list extended For-NAT-1
deny ip 192.168.0.0 0.0.255.255 192.168.200.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 192.168.220.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 192.168.221.0 0.0.0.255
permit udp host 192.168.100.254 any eq domain
permit tcp host 192.168.100.254 any eq domain
permit ip host 192.168.100.100 any
permit ip host 192.168.100.111 any
permit ip host 192.168.100.247 any
permit ip host 192.168.100.248 any
permit ip host 192.168.100.249 any
permit ip host 192.168.100.251 any
permit ip host 192.168.100.244 any
permit ip host 192.168.30.100 any
permit ip host 192.168.50.100 any
permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.40.0 0.0.0.255 any
permit ip 192.168.111.0 0.0.0.255 any
permit ip 172.16.10.0 0.0.0.255 any
permit ip 172.16.20.0 0.0.0.255 any
ip access-list extended For-NAT-2
deny ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.30.0 0.0.0.255 any
permit ip host 192.168.100.210 any
permit ip host 192.168.100.220 any
permit ip host 192.168.100.225 any
permit ip host 192.168.100.235 any
permit ip host 192.168.100.239 any
permit ip host 192.168.100.240 any
permit ip host 192.168.100.241 any
permit ip host 192.168.100.242 any
permit ip host 192.168.100.243 any
permit ip host 192.168.100.245 any
permit ip host 192.168.100.246 any
permit ip host 192.168.100.250 any
permit ip host 192.168.100.253 any
permit ip host 192.168.99.242 any
permit ip host 192.168.4.32 any
permit ip host 192.168.0.251 any
permit ip host 192.168.100.165 any
ip access-list extended From-INTERNET
! Applied inbound on both ISP uplinks (Vlan50, Vlan60).
! Anti-spoofing: drop packets with RFC1918, loopback, broadcast or
! unspecified source addresses. Note that 10.0.0.0/8 is not listed,
! so spoofed 10.x sources pass this filter.
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
! Keep internet hosts away from the voice signalling ports:
! SIP (5060), SCCP (2000) and H.323 (1720).
deny udp any any eq 5060
deny tcp any any eq 5060
deny tcp any any eq 2000
deny udp any any eq 1720
deny tcp any any eq 1720
! Everything else is admitted; inbound reachability of inside hosts is
! governed by the static NAT entries, not by this list.
permit ip any any
ip access-list extended Kill-SMB-in
deny tcp any any eq 139
permit ip any any
ip access-list extended Kill-SMB-out
deny tcp any eq 139 any
permit ip any any
ip access-list extended REDIRECT_HTTP
deny tcp 192.168.40.0 0.0.0.255 192.168.100.0 0.0.0.255 eq www
deny tcp 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255 eq www
deny tcp host 192.168.40.37 any eq www
permit tcp 192.168.0.0 0.0.0.255 any eq www
permit tcp 192.168.40.0 0.0.0.255 any eq www
permit tcp 192.168.30.0 0.0.0.255 any eq www
ip access-list extended VPN-Archangelsk
permit ip 192.168.0.0 0.0.255.255 192.168.220.0 0.0.0.255
ip access-list extended VPN-Intersol
permit ip 192.168.0.0 0.0.255.255 192.168.200.0 0.0.0.255
ip access-list extended WiFi-Net-Inp
permit esp 192.168.110.0 0.0.0.255 any
permit udp any eq bootpc any eq bootps
permit udp 192.168.110.0 0.0.0.255 any eq domain
permit udp 192.168.110.0 0.0.0.255 any eq isakmp
permit tcp host 192.168.110.2 any established
permit icmp 192.168.110.0 0.0.0.255 host 192.168.110.1
ip access-list extended WiFi-Net-Out
permit esp any 192.168.110.0 0.0.0.255
permit udp any eq domain 192.168.110.0 0.0.0.255
permit tcp any host 192.168.110.2 eq 22 telnet
permit icmp host 192.168.110.1 192.168.110.0 0.0.0.255
ip access-list extended remote_access
permit ip 192.168.40.0 0.0.0.255 any
permit ip 192.168.100.0 0.0.0.255 any
!
ip radius source-interface GigabitEthernet0/0.100
ip sla 10
icmp-echo aaa.aaa.aaa.225 source-ip aaa.aaa.aaa.226
timeout 2000
threshold 400
frequency 5
ip sla schedule 10 life forever start-time now
ip sla 11
icmp-echo 198.41.0.4 source-ip aaa.aaa.aaa.226
timeout 2000
threshold 400
frequency 5
ip sla schedule 11 life forever start-time now
ip sla 20
icmp-echo bbb.bbb.bbb.17 source-ip bbb.bbb.bbb.18
timeout 2000
threshold 400
frequency 5
ip sla schedule 20 life forever start-time now
ip sla 21
icmp-echo 198.41.0.4 source-ip bbb.bbb.bbb.18
timeout 2000
threshold 400
frequency 5
ip sla schedule 21 life forever start-time now
logging origin-id hostname
logging server-arp
! Syslog collector; the same host receives SNMP traps (snmp-server host).
logging 192.168.100.241
! Read-only SNMP, restricted by SNMP_ACCESS to host 192.168.100.241.
! The community string is the well-known default "public"; the ACL is
! then the only control on read access - replace it with a non-default
! string (or SNMPv3) even though the ACL is in place.
snmp-server community public RO SNMP_ACCESS
snmp-server ifindex persist
snmp-server location bla-bla_main
snmp-server contact admin@bla-bla.ru
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps xgcp
snmp-server enable traps flash insertion removal
snmp-server enable traps ds3
snmp-server enable traps envmon
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps bgp
snmp-server enable traps bstun
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps dial
snmp-server enable traps dlsw
snmp-server enable traps dsp card-status
snmp-server enable traps dsp oper-state
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmobile
snmp-server enable traps ipmulticast
snmp-server enable traps mpls ldp
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls vpn
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps stun
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vsimaster
snmp-server enable traps vtp
snmp-server enable traps pw vc
snmp-server enable traps director server-up server-down
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps rf
snmp-server enable traps ccme
snmp-server enable traps srst
snmp-server enable traps voice
snmp-server enable traps dnis
snmp-server host 192.168.100.241 public
!
!
!
route-map For-NAT-1 permit 1
match ip address For-NAT-1
match interface Vlan50
!
route-map For-NAT-2 permit 1
match ip address For-NAT-2
match interface Vlan50
!
route-map For-Reserve-NAT-1 permit 1
match ip address For-NAT-1
match interface Vlan60
!
route-map For-Reserve-NAT-2 permit 1
match ip address For-NAT-2
match interface Vlan60
!
!
!
radius-server attribute 44 include-in-access-req
radius-server attribute 44 extend-with-addr
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute nas-port format d
radius-server dead-criteria time 5 tries 3
radius-server configure-nas
radius-server host 192.168.100.242 auth-port 1812 acct-port 1813 key XXXXXXXXXXXXXX
radius-server deadtime 5
!
control-plane
!
call fallback active
!
!
voice-port 0/0/0:15
translation-profile incoming world-to-me
input gain 4
local-alerting
cptone RU
timeouts interdigit 20
timeouts call-disconnect 3
timeouts wait-release 10
!
voice-port 0/2/0
trunk-group CO
translation-profile incoming world-to-me
supervisory disconnect dualtone mid-call
output attenuation 0
cptone RU
timeouts call-disconnect 1
timeouts ringing 20
timeouts wait-release 1
timing hookflash-out 300
connection plar opx YYYYYYY
station-id name CO-0
caller-id enable
!
voice-port 0/2/1
trunk-group CO
translation-profile incoming world-to-me
supervisory disconnect dualtone mid-call
output attenuation 0
cptone RU
timeouts call-disconnect 1
timeouts ringing 20
timeouts wait-release 1
timing hookflash-out 300
connection plar opx YYYYYYY
station-id name CO-1
caller-id enable
!
!
!
sccp local GigabitEthernet0/0.30
sccp ccm 192.168.30.2 identifier 1 priority 1
sccp
!
sccp ccm group 1
bind interface GigabitEthernet0/0.30
associate ccm 1 priority 1
associate profile 1 register IOSconfBR
associate profile 2 register IOStranscoder
!
dspfarm profile 2 transcode
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
codec g729br8
codec g729r8
associate application SCCP
shutdown
!
dspfarm profile 1 conference
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
codec g729r8
codec g729br8
associate application SCCP
shutdown
!
dial-peer cor custom
name IVR
name LOCAL
!
!
dial-peer cor list IVRCalls
member IVR
!
dial-peer cor list LOCALCalls
member LOCAL
!
!
dial-peer voice 2000 voip
description CCM1
destination-pattern 2...
voice-class codec 15
session protocol sipv2
session target ipv4:192.168.30.2:5060
dtmf-relay rtp-nte
no vad
!
dial-peer voice 9020 pots
trunkgroup CO
corlist outgoing LOCALCalls
preference 2
destination-pattern 9T
!
dial-peer voice 9000 pots
corlist outgoing LOCALCalls
preference 1
destination-pattern 9T
port 0/0/0:15
!
dial-peer voice 4020 pots
corlist incoming IVRCalls
service ivrtest
incoming called-number YYYYYYY
port 0/2/0
!
dial-peer voice 4021 pots
corlist incoming IVRCalls
service ivrtest
incoming called-number YYYYYYY
port 0/2/1
!
dial-peer voice 4000 pots
corlist incoming IVRCalls
service ivrtest
incoming called-number YYYYYYY
port 0/0/0:15
!
!
!
!
call-manager-fallback
max-conferences 8 gain -6
transfer-system full-consult
user-locale RU
limit-dn 7910 2
limit-dn 7935 2
limit-dn 7940 2
limit-dn 7960 2
limit-dn 7970 2
ip source-address 192.168.30.1 port 2000
max-ephones 50
max-dn 100 dual-line preference 1
transfer-pattern 2...
!
banner login 
-----------------------------------------------------------------------
bla-bla-bla Corporate router. No unautorized access allowed.
-----------------------------------------------------------------------

!
line con 0
line aux 0
! SSH vtys. No access-class here (VTY_ACCESS is applied only to
! vty 5 15) and "exec-timeout 0 0" disables the idle timer, so only
! absolute-timeout (1440 min) bounds a session. Consider applying
! "access-class VTY_ACCESS in" and a non-zero exec-timeout, as on
! vty 5 15, so both ranges enforce the same source restriction.
line vty 0 4
exec-timeout 0 0
privilege level 15
absolute-timeout 1440
transport input ssh
! Telnet vtys: cleartext management, source-restricted to
! 192.168.40.0/24 by VTY_ACCESS. "transport input ssh" would remove
! the cleartext path while keeping the same restriction.
line vty 5 15
access-class VTY_ACCESS in
exec-timeout 120 0
privilege level 15
absolute-timeout 1440
transport input telnet
!
scheduler allocate 20000 1000
ntp clock-period 17180159
ntp master
ntp server 213.41.245.21
ntp server 216.58.31.84
ntp server 216.52.237.153
!
end

Использование Cisco ISG в резервированной конфигурации с авторизацией абонентов по dhcp opt.82

Тестовая топология (логическая схема):


Тестовая топология в GNS3:


Конфигурации:

# Dynamips #
# GNS3/Dynamips topology for the 2xISG1xBR lab: two 7200 routers
# (isg1, isg2), one emulated switch (SW1) and two clouds bridged to
# host NICs via nio_linux_eth. Two hypervisors on localhost, one per router.
autostart = False
# Hypervisor hosting isg2.
[localhost:7202]
workingdir = /home/mavrichev/Desktop/homenet/Tech-tests/2xISG1xBR
# Base UDP port for this hypervisor's NIO links (must differ per hypervisor).
udp = 10200
[[7200]]
image = /home/mavrichev/Desktop/homenet/Tech-tests/2xISG1xBR/c7200-k91p-mz.122-31.SB14.bin.unpacked
# Idle-PC value is specific to this image; recompute if the emulator pins the CPU.
idlepc = 0x60a24168
[[ROUTER isg2]]
# Telnet console port on the host.
console = 2012
cnfg = /home/mavrichev/Desktop/homenet/Tech-tests/2xISG1xBR/isg2.cfg
# f0/0 is bridged straight to host eth4 (acc-net side), f0/1 goes to SW1 port 2;
# slot 1 holds the two links that form the inter-ISG port-channel.
f0/0 = nio_linux_eth:eth4
f0/1 = SW1 2
slot1 = PA-2FE-TX
f1/0 = isg1 f1/0
f1/1 = isg1 f1/1
x = 108.0
y = 16.0
# Hypervisor hosting isg1.
[localhost:7201]
workingdir = /home/mavrichev/Desktop/homenet/Tech-tests/2xISG1xBR
udp = 10100
[[7200]]
image = /home/mavrichev/Desktop/homenet/Tech-tests/2xISG1xBR/c7200-k91p-mz.122-31.SB14.bin.unpacked
idlepc = 0x61141480
[[ROUTER isg1]]
console = 2011
cnfg = /home/mavrichev/Desktop/homenet/Tech-tests/2xISG1xBR/isg1.cfg
# f0/0 is bridged to host eth1 (acc-net side), f0/1 goes to SW1 port 1.
f0/0 = nio_linux_eth:eth1
f0/1 = SW1 1
slot1 = PA-2FE-TX
f1/0 = isg2 f1/0
f1/1 = isg2 f1/1
x = -134.0
y = 20.0
# Emulated switch: ports 1/2 are access ports in VLANs 101/102 (one per
# ISG), port 3 is a dot1q trunk to host eth5 (out-net side).
[[ETHSW SW1]]
1 = access 101
2 = access 102
3 = dot1q 1 nio_linux_eth:eth5
x = -11.5
y = -97.0
# GNS3 drawing data only; "connections" restates the nio mappings above.
[GNS3-DATA]
[[Cloud acc-net]]
x = -61.5
y = 184.0
connections = isg2:f0/0:nio_linux_eth:eth4 isg1:f0/0:nio_linux_eth:eth1
[[Cloud out-net]]
x = 38.5
y = -224.0
connections = SW1:3:nio_linux_eth:eth5
################################################################################################

!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ACC-SW1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 20
spanning-tree portfast
!
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
switchport mode trunk
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address dhcp
no ip route-cache
!
no ip http server
no ip http secure-server
!
control-plane
!
!
line con 0
line vty 5 15
!
end

################################################################################################

AGREG-SW#sh start
Using 5748 out of 524288 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname AGREG-SW
!
boot-start-marker
boot-end-marker
!
logging buffered 16386
logging rate-limit 100 except warnings
no logging monitor
!
no aaa new-model
system mtu routing 1500
vtp mode transparent
ip subnet-zero
ip routing
ip cef load-sharing algorithm original
no ip domain-lookup
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.200.1
!
ip dhcp pool for-management-for-acc-sw-pool
network 192.168.200.0 255.255.255.0
default-router 192.168.200.1
domain-name manage.local
!
!
ip dhcp snooping vlan 10-20
ip dhcp snooping information option format remote-id string ag-sw001
ip dhcp snooping
ip vrf Clients
rd 192.168.111.2:10
route-target export 192.168.111.2:10
route-target import 192.168.111.2:10
!
ip vrf Clients-2
rd 192.168.111.2:30
route-target export 192.168.111.2:30
route-target import 192.168.111.2:30
!
ip vrf Outside
rd 192.168.111.2:20
route-target export 192.168.111.2:20
route-target import 192.168.111.2:20
!
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
no spanning-tree vlan 21-4094
!
!
! Rogue-DHCP-server filter for the client VLANs, complementing
! "ip dhcp snooping vlan 10-20" above. Packets permitted by
! VLAN-MAP-ACL-1 are forwarded; packets that match none of the
! access-map sequences are dropped by the VACL's implicit deny.
vlan access-map FILTER-Unwanted 20
action forward
match ip address VLAN-MAP-ACL-1
!
vlan filter FILTER-Unwanted vlan-list 10-20
vlan internal allocation policy ascending
!
vlan 10-20,101-102,201-204
!
!
!
!
interface Loopback10
description For-OSPF-Router-id
ip vrf forwarding Outside
ip address 192.168.101.20 255.255.255.255
!
interface Loopback20
description DefGW-for-Clients-VRF
ip vrf forwarding Clients
ip address 172.16.10.1 255.255.255.255
!
interface Loopback30
description DefGW-for-Clients-2-VRF
ip vrf forwarding Clients-2
ip address 172.16.20.1 255.255.255.255
!
interface FastEthernet0/1
description To-Access-switches
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-20
switchport mode trunk
ip dhcp snooping limit rate 100
!
interface FastEthernet0/2
description To-Access-switches
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-20
switchport mode trunk
ip dhcp snooping limit rate 100
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
description To-SW1
switchport trunk encapsulation dot1q
switchport mode trunk
speed 10
duplex half
!
interface FastEthernet0/6
description To-Outside-Net
no switchport
ip vrf forwarding Outside
ip address 192.168.100.111 255.255.255.0
!
interface FastEthernet0/7
description To-ISG1-fa0/0
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,201,203
switchport mode trunk
speed 10
duplex half
ip dhcp snooping trust
!
interface FastEthernet0/8
description To-ISG2-fa0/0
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,202,204
switchport mode trunk
speed 10
duplex half
ip dhcp snooping trust
!
interface GigabitEthernet0/1
!
interface Vlan1
description for-management-for-acc-sw
ip address 192.168.200.1 255.255.255.0
!
interface Vlan10
ip vrf forwarding Clients
ip unnumbered Loopback20
ip helper-address 192.168.101.23
!
interface Vlan20
ip vrf forwarding Clients-2
ip unnumbered Loopback30
ip helper-address 192.168.101.23
!
interface Vlan101
description To-ISG1
ip vrf forwarding Outside
ip address 192.168.101.14 255.255.255.252
ip ospf network point-to-point
!
interface Vlan102
description To-ISG2
ip vrf forwarding Outside
ip address 192.168.101.18 255.255.255.252
ip ospf network point-to-point
!
interface Vlan201
description To-ISG1
ip vrf forwarding Clients
ip address 192.168.101.6 255.255.255.252
ip ospf network point-to-point
!
interface Vlan202
description To-ISG2
ip vrf forwarding Clients
ip address 192.168.101.2 255.255.255.252
ip ospf network point-to-point
ip ospf cost 1000
!
interface Vlan203
description To-ISG1
ip vrf forwarding Clients-2
ip address 192.168.101.30 255.255.255.252
ip ospf network point-to-point
ip ospf cost 1000
!
interface Vlan204
description To-ISG2
ip vrf forwarding Clients-2
ip address 192.168.101.34 255.255.255.252
ip ospf network point-to-point
!
router ospf 10 vrf Clients
router-id 172.16.10.1
log-adjacency-changes
summary-address 172.16.10.0 255.255.255.0
redistribute static metric-type 1 subnets
passive-interface default
no passive-interface Vlan201
no passive-interface Vlan202
network 172.16.10.1 0.0.0.0 area 0
network 192.168.101.2 0.0.0.0 area 0
network 192.168.101.6 0.0.0.0 area 0
!
router ospf 20 vrf Outside
router-id 192.168.101.20
log-adjacency-changes
passive-interface default
no passive-interface Vlan101
no passive-interface Vlan102
network 192.168.101.14 0.0.0.0 area 0
network 192.168.101.18 0.0.0.0 area 0
network 192.168.101.20 0.0.0.0 area 0
default-information originate always metric 1000 metric-type 1
!
router ospf 30 vrf Clients-2
router-id 172.16.20.1
log-adjacency-changes
summary-address 172.16.20.0 255.255.255.0
redistribute static metric-type 1 subnets
passive-interface default
no passive-interface Vlan203
no passive-interface Vlan204
network 172.16.20.1 0.0.0.0 area 0
network 192.168.101.30 0.0.0.0 area 0
network 192.168.101.34 0.0.0.0 area 0
!
ip classless
ip route vrf Outside 0.0.0.0 0.0.0.0 192.168.100.1
no ip http server
no ip http secure-server
!
!
ip access-list extended VLAN-MAP-ACL-1
! Used by vlan access-map FILTER-Unwanted (VLANs 10-20).
! DHCP client -> server traffic is always forwarded.
permit udp any eq bootpc any eq bootps
! DHCP server -> client traffic only from the two client gateways
! (Loopback20 / Loopback30, the relay addresses for VLAN 10 / VLAN 20).
permit udp host 172.16.10.1 eq bootps any eq bootpc
permit udp host 172.16.20.1 eq bootps any eq bootpc
! Any other DHCP-server reply falls through and is dropped by the VACL.
deny udp any eq bootps any eq bootpc
permit ip any any
!
ip access-list logging interval 10
!
control-plane
!
!
line con 0
exec-timeout 0 0
line vty 0 4
login
line vty 5 15
login
!
end

AGREG-SW#

################################################################################################

!
! No configuration change since last restart
! NVRAM config last updated at 18:16:35 MSK Mon Mar 16 2009 by mavrichev
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname isg1
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa group server radius AAA-RADIUS-SERVERS
server 192.168.100.242 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authorization exec default local none
aaa authorization network SUBS-AUTHORIZE-LIST group AAA-RADIUS-SERVERS
aaa authorization subscriber-service default local group AAA-RADIUS-SERVERS
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network AAA-MLIST start-stop group AAA-RADIUS-SERVERS
!
!
!
! RADIUS CoA / Disconnect listener: only 192.168.100.242 may push
! dynamic authorization. "auth-type any" and "ignore session-key" relax
! how an incoming request is matched to a session (any attribute is
! enough, no session key required), so the shared key is the only
! authentication of CoA requests. TESTKEY is a lab value and, with
! "no service password-encryption", is stored in cleartext.
! isg2 carries the identical block.
aaa server radius dynamic-author
client 192.168.100.242
server-key TESTKEY
auth-type any
ignore session-key
aaa session-id unique
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00
ip subnet-zero
ip cef
!
!
no ip domain lookup
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.10.1
ip dhcp excluded-address 172.16.20.1
!
ip dhcp pool Pool-For-Clients-on-AGG-SW1
network 172.16.10.0 255.255.255.0
default-router 172.16.10.1
domain-name test.local
dns-server 192.168.100.254
lease 0 0 2
!
ip dhcp pool Pool-For-Clients-2-on-AGG-SW1
network 172.16.20.0 255.255.255.0
default-router 172.16.20.1
domain-name test.local
dns-server 192.168.100.254
lease 0 0 2
!
!
!
!
subscriber service password servpasswd
redirect server-group PORTAL
server ip 192.168.100.242
!
call rsvp-sync
!
!
!
!
!
!
!
no file verify auto
username mavrichev privilege 15 secret 5 xxxxxxxxxxxxxxxxxx
!
class-map type traffic match-any For-Open-Garden
match access-group output name OUT-OG
match access-group input name IN-OG
!
class-map type traffic match-any PORTAL
match access-group output name From-PORTAL
match access-group input name To-PORTAL
!
class-map type control match-all IP-UNAUTH-COND
match timer IP-UNAUTH-TIMER
match authen-status unauthenticated
!
policy-map type service unauth-subscr-redir
service local
class type traffic PORTAL
redirect to group PORTAL
!
class type traffic default in-out
drop
!
!
policy-map type service unauth-subscr-open-garden
service local
class type traffic For-Open-Garden
police input 8000 1000 1000
police output 8000 1000 1000
!
!
! ISG control policy for the subscriber sub-interfaces (Fa0/0.201 and
! Fa0/0.203, "ip subscriber routed / initiator dhcp"). isg2 has the same
! policy. On session start / restart:
!  20 - authorize via RADIUS (SUBS-AUTHORIZE-LIST) with the DHCP
!       option-82 circuit-id as the identifier and a fixed password;
!       the circuit-id is only as trustworthy as the switch that inserts
!       it - here the aggregation switch runs ip dhcp snooping and
!       trusts only its ISG-facing ports (Fa0/7, Fa0/8).
!  25 - open-garden service: DNS/ICMP to 192.168.100.0/24, policed to 8 kbps.
!  30 - redirect the remaining TCP to the PORTAL group, drop everything else.
!  40 - start IP-UNAUTH-TIMER (5); when it expires while the session is
!       still unauthenticated, sequence 10 disconnects it.
policy-map type control SUBSCRIBER_RULE
class type control IP-UNAUTH-COND event timed-policy-expiry
10 service disconnect
!
class type control always event session-start
20 authorize aaa list SUBS-AUTHORIZE-LIST password TESTPASSWD identifier circuit-id
25 service-policy type service name unauth-subscr-open-garden
30 service-policy type service name unauth-subscr-redir
40 set-timer IP-UNAUTH-TIMER 5
!
class type control always event session-restart
20 authorize aaa list SUBS-AUTHORIZE-LIST password TESTPASSWD identifier circuit-id
25 service-policy type service name unauth-subscr-open-garden
30 service-policy type service name unauth-subscr-redir
40 set-timer IP-UNAUTH-TIMER 5
!
!
!
!
interface Loopback10
description For-OSPF-Router-id
ip address 192.168.101.21 255.255.255.255
!
interface Loopback100
description For-IP-Helper-Address
ip address 192.168.101.23 255.255.255.255
!
interface Port-channel1
description to-ISG-2
ip address 192.168.101.9 255.255.255.252
ip ospf network point-to-point
snmp trap link-status
hold-queue 150 in
!
interface FastEthernet0/0
description to AGREG-SW-Link-Fa0/7
no ip address
speed 10
duplex half
!
interface FastEthernet0/0.201
description to AGREG-SW-Link-Fa0/7-vl-201
encapsulation dot1Q 201
ip address 192.168.101.5 255.255.255.252
ip ospf network point-to-point
service-policy type control SUBSCRIBER_RULE
ip subscriber routed
initiator dhcp
!
interface FastEthernet0/0.203
description to AGREG-SW-Link-Fa0/7-vl-203
encapsulation dot1Q 203
ip address 192.168.101.29 255.255.255.252
ip ospf network point-to-point
ip ospf cost 1000
service-policy type control SUBSCRIBER_RULE
ip subscriber routed
initiator dhcp
!
interface FastEthernet0/1
description to-SW1-Port2
ip address 192.168.101.13 255.255.255.252
ip ospf network point-to-point
speed 10
duplex half
!
interface FastEthernet1/0
description to-ISG-2
no ip address
speed 10
duplex half
channel-group 1
!
interface FastEthernet1/1
description to-ISG-2
no ip address
speed 10
duplex half
channel-group 1
!
router ospf 1
router-id 192.168.101.21
log-adjacency-changes
passive-interface default
no passive-interface FastEthernet0/0.201
no passive-interface FastEthernet0/0.203
no passive-interface FastEthernet0/1
no passive-interface Port-channel1
network 192.168.101.5 0.0.0.0 area 0
network 192.168.101.9 0.0.0.0 area 0
network 192.168.101.13 0.0.0.0 area 0
network 192.168.101.21 0.0.0.0 area 0
network 192.168.101.23 0.0.0.0 area 0
network 192.168.101.29 0.0.0.0 area 0
!
ip classless
!
no ip http server
!
!
!
ip access-list extended From-PORTAL
permit tcp any any
ip access-list extended IN-OG
permit udp any host 192.168.100.254 eq domain
permit icmp any 192.168.100.0 0.0.0.255
ip access-list extended OUT-OG
permit udp host 192.168.100.254 eq domain any
permit icmp 192.168.100.0 0.0.0.255 any
ip access-list extended To-PORTAL
permit tcp any any
ip radius source-interface Loopback10
access-list 199 permit ip any any
!
!
! RADIUS client settings for the subscriber authorization / accounting
! flows (AAA-RADIUS-SERVERS). attribute 4 pins NAS-IP-Address to
! Loopback10, matching "ip radius source-interface Loopback10" above.
radius-server attribute 44 include-in-access-req
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 4 192.168.101.21
! Shared secret is stored in cleartext because of
! "no service password-encryption"; lab value - rotate before reuse.
radius-server host 192.168.100.242 auth-port 1812 acct-port 1813 key radsecret
radius-server retransmit 10
radius-server vsa send accounting
!
control-plane
!
!
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
transport input ssh
!
ntp clock-period 17179814
ntp master
ntp server 213.41.245.21
ntp server 216.58.31.84
ntp server 216.52.237.153
end

################################################################################################

!
! No configuration change since last restart
! NVRAM config last updated at 18:16:33 MSK Mon Mar 16 2009 by mavrichev
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname isg2
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa group server radius AAA-RADIUS-SERVERS
server 192.168.100.242 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authorization exec default local none
aaa authorization network SUBS-AUTHORIZE-LIST group AAA-RADIUS-SERVERS
aaa authorization subscriber-service default local group AAA-RADIUS-SERVERS
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network AAA-MLIST start-stop group AAA-RADIUS-SERVERS
!
!
!
aaa server radius dynamic-author
client 192.168.100.242
server-key TESTKEY
auth-type any
ignore session-key
!
aaa session-id unique
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00
ip subnet-zero
ip cef
!
!
no ip domain lookup
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.10.1
ip dhcp excluded-address 172.16.20.1
!
ip dhcp pool Pool-For-Clients-on-AGG-SW1
network 172.16.10.0 255.255.255.0
default-router 172.16.10.1
domain-name test.local
dns-server 192.168.100.254
lease 0 0 2
!
ip dhcp pool Pool-For-Clients-2-on-AGG-SW1
network 172.16.20.0 255.255.255.0
default-router 172.16.20.1
domain-name test.local
dns-server 192.168.100.254
lease 0 0 2
!
!
!
!
subscriber service password servpasswd
redirect server-group PORTAL
server ip 192.168.100.242
!
call rsvp-sync
!
!
!
!
!
!
!
no file verify auto
username mavrichev privilege 15 secret 5 xxxxxxxxxxxxxxxxxx
!
class-map type traffic match-any PORTAL
match access-group input name To-PORTAL
match access-group output name From-PORTAL
!
class-map type traffic match-any For-Open-Garden
match access-group input name IN-OG
match access-group output name OUT-OG
!
class-map type control match-all IP-UNAUTH-COND
match timer IP-UNAUTH-TIMER
match authen-status unauthenticated
!
policy-map type service unauth-subscr-redir
service local
class type traffic PORTAL
redirect to group PORTAL
!
class type traffic default in-out
drop
!
!
policy-map type service unauth-subscr-open-garden
service local
class type traffic For-Open-Garden
police input 8000 1000 1000
police output 8000 1000 1000
!
!
policy-map type control SUBSCRIBER_RULE
class type control IP-UNAUTH-COND event timed-policy-expiry
10 service disconnect
!
class type control always event session-start
20 authorize aaa list SUBS-AUTHORIZE-LIST password TESTPASSWD identifier circuit-id
25 service-policy type service name unauth-subscr-open-garden
30 service-policy type service name unauth-subscr-redir
40 set-timer IP-UNAUTH-TIMER 5
!
class type control always event session-restart
20 authorize aaa list SUBS-AUTHORIZE-LIST password TESTPASSWD identifier circuit-id
25 service-policy type service name unauth-subscr-open-garden
30 service-policy type service name unauth-subscr-redir
40 set-timer IP-UNAUTH-TIMER 5
!
!
!
!
! Loopback10: OSPF router-id (192.168.101.22) and RADIUS source address ("ip radius source-interface Loopback10" below).
interface Loopback10
description For-OSPF-Router-id
ip address 192.168.101.22 255.255.255.255
!
! Loopback100: DHCP relay target handed to the aggregation layer; advertised as a /32 in OSPF below.
interface Loopback100
description For-IP-Helper-Address
ip address 192.168.101.23 255.255.255.255
!
! Routed EtherChannel to ISG-1 (members FastEthernet1/0 and 1/1 below); OSPF point-to-point, enlarged input queue.
interface Port-channel1
description to-ISG-1
ip address 192.168.101.10 255.255.255.252
ip ospf network point-to-point
snmp trap link-status
hold-queue 150 in
!
! Physical uplink to the aggregation switch; carries the dot1q subinterfaces .202 and .204. 10/half is a lab setting.
interface FastEthernet0/0
description to AGREG-SW-Link-Fa0/8
no ip address
speed 10
duplex half
!
! Subscriber-facing subinterface (VLAN 202): ISG control policy attached; IP sessions are created from
! DHCP ("ip subscriber routed" + "initiator dhcp"). OSPF cost 1000 makes this link less preferred than
! the .204 subinterface, which keeps the default cost -- verify that is intended.
interface FastEthernet0/0.202
description to AGREG-SW-Link-Fa0/8-vl-202
encapsulation dot1Q 202
ip address 192.168.101.1 255.255.255.252
ip ospf network point-to-point
ip ospf cost 1000
service-policy type control SUBSCRIBER_RULE
ip subscriber routed
initiator dhcp
!
! Second subscriber-facing subinterface (VLAN 204), same ISG session setup as .202 but default OSPF cost.
interface FastEthernet0/0.204
description to AGREG-SW-Link-Fa0/8-vl-204
encapsulation dot1Q 204
ip address 192.168.101.33 255.255.255.252
ip ospf network point-to-point
service-policy type control SUBSCRIBER_RULE
ip subscriber routed
initiator dhcp
!
! Routed link to SW1 port 2; OSPF point-to-point, no ISG policy (not a subscriber interface).
interface FastEthernet0/1
description to-SW1-Port2
ip address 192.168.101.17 255.255.255.252
ip ospf network point-to-point
speed 10
duplex half
!
! Member ports of Port-channel1 (to ISG-1); no IP of their own, 10/half lab speed.
interface FastEthernet1/0
description to-ISG-1
no ip address
speed 10
duplex half
channel-group 1
!
interface FastEthernet1/1
description to-ISG-1
no ip address
speed 10
duplex half
channel-group 1
!
! OSPF area 0. "passive-interface default" plus the explicit no-passive list limits adjacencies to the four
! routed links; each "network x.x.x.x 0.0.0.0" line enables exactly one interface address, and both loopbacks
! are advertised as /32s.
! NOTE(review): no OSPF authentication is configured on these links; outside the lab consider
! "ip ospf message-digest-key" on the point-to-point interfaces so a rogue neighbour cannot inject routes.
router ospf 1
router-id 192.168.101.22
log-adjacency-changes
passive-interface default
no passive-interface FastEthernet0/0.202
no passive-interface FastEthernet0/0.204
no passive-interface FastEthernet0/1
no passive-interface Port-channel1
network 192.168.101.1 0.0.0.0 area 0
network 192.168.101.10 0.0.0.0 area 0
network 192.168.101.17 0.0.0.0 area 0
network 192.168.101.22 0.0.0.0 area 0
network 192.168.101.23 0.0.0.0 area 0
network 192.168.101.33 0.0.0.0 area 0
!
ip classless
!
! Embedded HTTP management server disabled; management is SSH-only on the vty lines below.
no ip http server
!
!
!
! Redirect match ACLs: all TCP in both directions, so every TCP flow of an unauthenticated session hits the portal.
ip access-list extended From-PORTAL
permit tcp any any
! Open-garden ACLs: DNS to/from 192.168.100.254 and ICMP to/from the server subnet only.
ip access-list extended IN-OG
permit udp any host 192.168.100.254 eq domain
permit icmp any 192.168.100.0 0.0.0.255
ip access-list extended OUT-OG
permit udp host 192.168.100.254 eq domain any
permit icmp 192.168.100.0 0.0.0.255 any
ip access-list extended To-PORTAL
permit tcp any any
! RADIUS packets are sourced from Loopback10; this must agree with "radius-server attribute 4" below and with the
! NAS entry on the RADIUS server.
ip radius source-interface Loopback10
! ACL 199 is referenced by the RADIUS-pushed service "ip:l4redirect=redirect list 199 to group PORTAL" (see RADIUS notes).
access-list 199 permit ip any any
!
!
! RADIUS client settings. Attribute numbers: 44 Acct-Session-Id, 6 Service-Type, 8 Framed-IP-Address,
! 32 NAS-Identifier, 55 Event-Timestamp, 4 NAS-IP-Address (pinned to the Loopback10 address).
radius-server attribute 44 include-in-access-req
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 4 192.168.101.22
! Shared secret "radsecret" is stored in cleartext; the same server also acts as portal and CoA peer.
radius-server host 192.168.100.242 auth-port 1812 acct-port 1813 key radsecret
radius-server retransmit 10
radius-server vsa send accounting
!
! Empty control-plane stanza: no CoPP policy is attached (management/routing protocol traffic is not rate-limited).
control-plane
!
!
!
dial-peer cor custom
!
!
!
!
! Console and vty lines. "exec-timeout 0 0" disables the idle timeout, so abandoned sessions never expire on
! their own (lab setting; use a finite value outside the lab). vty access is SSH-only and lands directly at
! privilege 15; the login method comes from the AAA configuration, which is not in this excerpt -- verify.
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
transport input ssh
!
! "ntp clock-period" is written by IOS itself; do not hand-edit. "ntp master" keeps this router serving time even
! when all three upstream servers are unreachable. No NTP authentication is configured ("ntp authenticate" absent),
! so time -- and therefore log timestamps -- can be influenced by anyone who can spoof these servers.
ntp clock-period 17179814
ntp master
ntp server 213.41.245.21
ntp server 216.58.31.84
ntp server 216.52.237.153
end

################################################################################################

RADIUS:
Work#2 -------- With L4Redirect
###Service-Profile###
Tariff l4r-Attr
username l4r passwd servpasswd
Session-Timeout=600, Cisco-AVPair +="ip:l4redirect=redirect list 199 to group PORTAL",

###User-Profile###
Tariff ISG-REDIR
username 0004000a0102 passwd TESTPASSWD
Cisco-Account-Info="Al4r", Session-Timeout=6000,
Work#2-end




Work#3 -------- With Policing
###Service-Profile###
Tariff isg-128K-Attr
username isg-128k passwd servpasswd
Cisco-Service-Info ="isg-128k", Cisco-Service-Info ="QU;128000;16000;32000;D;128000;16000;32000",

###User-Profile###
Tariff ISG-128K
username 0004000a0102 passwd TESTPASSWD
Cisco-Account-Info="Aisg-128k",
Work#3-end




Work#4 -------- With Accounting
###Service-Profile###
Tariff isg-256k-Attr
username isg-256k passwd servpasswd
Cisco-Service-Info ="isg-256k", Cisco-Service-Info ="QU;256000;32000;64000;D;256000;32000;64000",

###User-Profile###
Tariff isg-256k
username 0004000a0102 passwd TESTPASSWD
Cisco-Account-Info="Aisg-256k", Cisco-AVPair +="accounting-list=AAA-MLIST",
Work#4-end

################################################################################################

Использование Cisco ISG в провайдерских сетях

Наконец-то нашёл время повозиться с ISG. Собрал стенд, см. картинку:


Есть интересная, ранее не встречавшаяся придумка — использовать на всех коммутаторах доступа один и тот же конфиг по VLAN-per-port. Это позволит сократить число используемых SVI на свиче агрегации.
Авторизация пользователей - по DHCP opt.82 (remote-id=string;circuit-id=vlan-mod-port) через ISG.

Конфигурации:



#########################################################################
!
! Test-ISG running config (IOS 12.2). Log/debug timestamps use uptime rather than wall-clock time; for incident
! reconstruction prefer "service timestamps log datetime msec localtime show-timezone" as AGREG-SW does below.
! "no service password-encryption" leaves type-7-eligible passwords in cleartext (the RADIUS/CoA keys further down
! are cleartext regardless; type-7 is only obfuscation).
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Test-ISG
!
boot-start-marker
boot-end-marker
!
!
! AAA. Device logins use the local user database. Exec authorization is local with "none" as fallback
! (if the local method returns an error the exec shell is still granted -- verify this is intended).
! Subscriber network authorization (SUBS-AUTHORIZE-LIST) goes to the RADIUS group; service profiles are looked up
! locally first, then on RADIUS ("default local group ...").
! Accounting: the start record is delayed until the session has an IP ("delay-start"), interim updates every 1
! (minutes -- verify), and start-stop records for method list AAA-MLIST, which a session selects through
! Cisco-AVPair "accounting-list=AAA-MLIST" (see RADIUS notes, Work#4).
aaa new-model
!
!
aaa group server radius AAA-RADIUS-SERVERS
server 192.168.100.242 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authorization exec default local none
aaa authorization network SUBS-AUTHORIZE-LIST group AAA-RADIUS-SERVERS
aaa authorization subscriber-service default local group AAA-RADIUS-SERVERS
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network AAA-MLIST start-stop group AAA-RADIUS-SERVERS
!
!
!
! RADIUS Change-of-Authorization listener: only 192.168.100.242 may send CoA / Disconnect requests, authenticated
! with the cleartext key TESTKEY. "auth-type any" and "ignore session-key" relax how the target session must be
! identified (verify exact semantics for this release). Keep the client list this tight: a CoA sender can
! disconnect or re-authorize any subscriber session.
aaa server radius dynamic-author
client 192.168.100.242
server-key TESTKEY
auth-type any
ignore session-key
!
! Each accounting session gets its own session id (as opposed to "common").
aaa session-id unique
! Time zone MSK (UTC+3) with a recurring DST rule; accurate local time matters for correlating logs with the
! RADIUS server. "no ip domain lookup" stops mistyped CLI words from becoming DNS queries.
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00
ip subnet-zero
ip cef
!
!
no ip domain lookup
! Presumably: do not use the receiving interface's VRF to select a DHCP pool (default shown explicitly) -- verify.
no ip dhcp use vrf connected
! 172.16.10.1 is excluded because it is the subscribers' default gateway (Loopback20 in VRF Clients on AGREG-SW).
ip dhcp excluded-address 172.16.10.1
!
! Subscriber pool served to AGREG-SW's relay (its SVIs point "ip helper-address" at this router's Loopback10).
ip dhcp pool Pool-For-Clients-on-AGG-SW1
network 172.16.10.0 255.255.255.0
default-router 172.16.10.1
domain-name test.local
dns-server 192.168.100.254
! lease <days> <hours> <minutes>: 2 minutes -- a test-bench value that makes ISG session-restart events frequent.
lease 0 0 2
!
!
!
!
! ISG service password used when downloading service profiles from RADIUS (matches "passwd servpasswd" in the
! RADIUS notes). Stored in cleartext in the running config.
subscriber service password servpasswd
! Layer-4 redirect target for unauthenticated TCP (policy-map unauth-subscr-redir).
! NOTE(review): no port is configured for the portal server -- confirm the default matches the portal.
redirect server-group PORTAL
server ip 192.168.100.242
!
call rsvp-sync
!
!
!
!
!
!
!
! Disables automatic integrity verification of copied image files (presumably the MD5/signature check);
! a tamper-detection step worth re-enabling outside the lab.
no file verify auto
! Local privileged admin; type-5 (salted MD5) secret, redacted in this listing.
username mavrichev privilege 15 secret 5 *************
!
! Traffic class for the L4 redirect: all TCP in both directions (To-PORTAL / From-PORTAL are "permit tcp any any").
class-map type traffic match-any PORTAL
match access-group input name To-PORTAL
match access-group output name From-PORTAL
!
! Open-garden class: DNS to/from 192.168.100.254 and ICMP to/from 192.168.100.0/24 (IN-OG / OUT-OG).
class-map type traffic match-any For-Open-Garden
match access-group input name IN-OG
match access-group output name OUT-OG
!
! Control condition: IP-UNAUTH-TIMER expired AND session still unauthenticated.
class-map type control match-all IP-UNAUTH-COND
match timer IP-UNAUTH-TIMER
match authen-status unauthenticated
!
! Unauthenticated-session service: redirect all TCP to group PORTAL; the default class drops everything else,
! so unauthenticated users see only the portal and the open-garden service.
policy-map type service unauth-subscr-redir
service local
class type traffic PORTAL
redirect to group PORTAL
!
class type traffic default in-out
drop
!
!
! Open-garden service: DNS/ICMP for unauthenticated sessions, policed to 8000 bps each way
! (police <rate-bps> <normal-burst> <excess-burst>).
policy-map type service unauth-subscr-open-garden
service local
class type traffic For-Open-Garden
police input 8000 1000 1000
police output 8000 1000 1000
!
!
! ISG control policy attached to FastEthernet0/0 and FastEthernet1/0 below.
policy-map type control SUBSCRIBER_RULE
! Timer expired while still unauthenticated -> disconnect the session.
class type control IP-UNAUTH-COND event timed-policy-expiry
10 service disconnect
!
! Session start: RADIUS authorization keyed on the DHCP option-82 circuit-id with a fixed cleartext password.
! The circuit-id is inserted by AGREG-SW's DHCP snooping, so that switch's snooping boundary is the trust anchor
! for the subscriber identity. Open-garden is applied before the redirect service (verify evaluation order);
! the timer is armed with 5 (minutes per set-timer syntax -- verify).
class type control always event session-start
20 authorize aaa list SUBS-AUTHORIZE-LIST password TESTPASSWD identifier circuit-id
25 service-policy type service name unauth-subscr-open-garden
30 service-policy type service name unauth-subscr-redir
40 set-timer IP-UNAUTH-TIMER 5
!
! Same actions on session restart (presumably DHCP renew/rebind; the pool lease above is 2 minutes).
class type control always event session-restart
20 authorize aaa list SUBS-AUTHORIZE-LIST password TESTPASSWD identifier circuit-id
25 service-policy type service name unauth-subscr-open-garden
30 service-policy type service name unauth-subscr-redir
40 set-timer IP-UNAUTH-TIMER 5
!
!
!
!
! Loopback10 (192.168.111.1): OSPF router-id and the DHCP relay target used by AGREG-SW's "ip helper-address";
! it becomes reachable from VRF Clients because OSPF below redistributes connected subnets.
interface Loopback10
ip address 192.168.111.1 255.255.255.255
!
! Subscriber-facing routed link to AGREG-SW Fa0/7 (192.168.101.6 on the switch side). ISG control policy attached;
! IP sessions are created from DHCP transactions ("ip subscriber routed" + "initiator dhcp"). 10/half is a lab setting.
interface FastEthernet0/0
description to AGREG-SW-Link-Fa0/7
ip address 192.168.101.5 255.255.255.252
speed 10
duplex half
service-policy type control SUBSCRIBER_RULE
ip subscriber routed
initiator dhcp
!
! Server network 192.168.100.0/24: hosts the RADIUS/portal/CoA peer (.242), the DNS server (.254) and the
! default gateway (.1). Also the RADIUS source interface ("ip radius source-interface FastEthernet0/1").
interface FastEthernet0/1
description to-SRV-Network
ip address 192.168.100.111 255.255.255.0
speed auto
duplex auto
!
! Second subscriber-facing link, to AGREG-SW Fa0/8 (192.168.101.2 on the switch side); same ISG setup as Fa0/0.
interface FastEthernet1/0
description to AGREG-SW-Link-Fa0/8
ip address 192.168.101.1 255.255.255.252
speed 10
duplex half
service-policy type control SUBSCRIBER_RULE
ip subscriber routed
initiator dhcp
!
! Unused port kept administratively down -- good hygiene; an unshut unused port is an unmonitored entry point.
interface FastEthernet1/1
description NOT-Connected
no ip address
shutdown
speed auto
duplex auto
!
! OSPF area 0 towards AGREG-SW (VRF Clients side). Adjacencies only on the two subscriber-facing links.
! NOTE(review): "redistribute connected subnets" has no route-map, so every connected prefix -- including the
! server LAN 192.168.100.0/24 on Fa0/1 -- is advertised into the subscriber VRF; authenticated subscribers can
! then reach the server LAN unless filtered elsewhere. Consider a route-map or an ACL if that is not intended.
! "default-information originate always" advertises a default even if the static default below disappears.
! No OSPF authentication is configured ("ip ospf message-digest-key" would add it).
router ospf 1
router-id 192.168.111.1
log-adjacency-changes
redistribute connected subnets
passive-interface default
no passive-interface FastEthernet0/0
no passive-interface FastEthernet1/0
network 192.168.101.1 0.0.0.0 area 0
network 192.168.101.5 0.0.0.0 area 0
default-information originate always
!
ip classless
! Static default via the server-LAN gateway; this is what OSPF "default-information originate always" re-advertises.
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
! HTTP management server off (compare ACC-SW1, which leaves it on).
no ip http server
!
!
!
! Redirect ACLs: all TCP both ways -> every TCP flow of an unauthenticated session is sent to the portal.
ip access-list extended From-PORTAL
permit tcp any any
! Open-garden ACLs: DNS to/from 192.168.100.254 and ICMP to/from the server subnet only.
ip access-list extended IN-OG
permit udp any host 192.168.100.254 eq domain
permit icmp any 192.168.100.0 0.0.0.255
ip access-list extended OUT-OG
permit udp host 192.168.100.254 eq domain any
permit icmp 192.168.100.0 0.0.0.255 any
ip access-list extended To-PORTAL
permit tcp any any
! RADIUS is sourced from the server-LAN interface (192.168.100.111), matching "radius-server attribute 4" below.
ip radius source-interface FastEthernet0/1
! ACL 199 is referenced by the RADIUS-pushed "ip:l4redirect=redirect list 199 to group PORTAL" service.
access-list 199 permit ip any any
!
!
! RADIUS client settings. Attributes: 44 Acct-Session-Id, 6 Service-Type, 8 Framed-IP-Address, 32 NAS-Identifier,
! 55 Event-Timestamp, 4 NAS-IP-Address (pinned to the Fa0/1 address, consistent with the source interface above).
radius-server attribute 44 include-in-access-req
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 4 192.168.100.111
! Shared secret "radsecret" in cleartext; the same host is also the CoA client (server-key TESTKEY above).
radius-server host 192.168.100.242 auth-port 1812 acct-port 1813 key radsecret
radius-server retransmit 10
radius-server vsa send accounting
!
! Empty control-plane stanza: no CoPP policy attached.
control-plane
!
!
!
dial-peer cor custom
!
!
!
! Pre-authentication login banner. NOTE(review): the closing delimiter ("C", probably ^C in the original) is not
! present in this listing -- likely lost in the paste. The banner text also misspells "unauthorized"; banner
! text is configuration data, so it is left as-is here.
banner login C
-----------------------------------------------------------------------
TEST-ISG System. No unautorized access allowed.
-----------------------------------------------------------------------

!
! Console/vty. Idle timeout is disabled ("exec-timeout 0 0") but "absolute-timeout 1440" caps any session at
! 1440 minutes (24 h), which bounds how long an abandoned session can live. vty is SSH-only, privilege 15 on
! login; authentication is the local database via "aaa authentication login default local" above.
line con 0
exec-timeout 0 0
absolute-timeout 1440
stopbits 1
line aux 0
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
absolute-timeout 1440
transport input ssh
!
! "ntp clock-period" is maintained by IOS; do not hand-edit. "ntp master" keeps serving time when the upstream
! servers are unreachable. No NTP authentication ("ntp authenticate" absent), so the time source is unverified.
ntp clock-period 17179814
ntp master
ntp server 213.41.245.21
ntp server 216.58.31.84
ntp server 216.52.237.153
end

############################################################################################

RADIUS:
Work#2 -------- With L4Redirect
###Service-Profile###
Tariff l4r-Attr
username l4r passwd servpasswd
Session-Timeout=600, Cisco-AVPair +="ip:l4redirect=redirect list 199 to group PORTAL",

###User-Profile###
Tariff ISG-REDIR
username 0004000a0102 passwd TESTPASSWD
Cisco-Account-Info="Al4r", Session-Timeout=6000,
Work#2-end




Work#3 -------- With Policing
###Service-Profile###
Tariff isg-128K-Attr
username isg-128k passwd servpasswd
Cisco-Service-Info ="isg-128k", Cisco-Service-Info ="QU;128000;16000;32000;D;128000;16000;32000",

###User-Profile###
Tariff ISG-128K
username 0004000a0102 passwd TESTPASSWD
Cisco-Account-Info="Aisg-128k",
Work#3-end




Work#4 -------- With Accounting
###Service-Profile###
Tariff isg-256k-Attr
username isg-256k passwd servpasswd
Cisco-Service-Info ="isg-256k", Cisco-Service-Info ="QU;256000;32000;64000;D;256000;32000;64000",

###User-Profile###
Tariff isg-256k
username 0004000a0102 passwd TESTPASSWD
Cisco-Account-Info="Aisg-256k", Cisco-AVPair +="accounting-list=AAA-MLIST",
Work#4-end
#################################################################################################

AGREG-SW#sh run
Building configuration...

Current configuration : 3383 bytes
!
! AGREG-SW running config (IOS 12.2, L3 switch). Log timestamps carry wall-clock time with msec and timezone --
! the right choice for correlating events with the ISG and RADIUS server.
! "no service password-encryption": no type-7-eligible passwords appear in this config anyway.
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname AGREG-SW
!
boot-start-marker
boot-end-marker
!
! Logging: 16386-byte local buffer only, rate-limited to 100 msg/s except warnings; console and monitor output off.
! NOTE(review): no "logging host" is configured, so everything is lost on reload -- add a syslog destination if
! these events (DHCP snooping, VACL logging below) need to be retained.
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
!
! Legacy (non-AAA) login model: line passwords / local users only. No "enable secret" or "username" appears in
! this dump, which affects the vty lines at the end (see note there).
no aaa new-model
system mtu routing 1500
! VTP transparent: VLAN definitions are local and never learned from a VTP advertisement.
vtp mode transparent
ip subnet-zero
ip routing
no ip domain-lookup
! Presumably: do not use the receiving interface's VRF to select a DHCP pool -- verify.
no ip dhcp use vrf connected
! 192.168.200.1 is this switch's own Vlan1 address.
ip dhcp excluded-address 192.168.200.1
!
! Management pool for the access switches (ACC-SW1 takes its Vlan1 address with "ip address dhcp").
! Management VLAN 1 is in the global table, separate from VRF Clients.
ip dhcp pool for-management-for-acc-sw-pool
network 192.168.200.0 255.255.255.0
default-router 192.168.200.1
domain-name manage.local
!
!
! DHCP snooping on the subscriber VLANs: DHCP server messages arriving on untrusted (all switched) ports are
! dropped, and option 82 is inserted with remote-id = this hostname and the default circuit-id (vlan-mod-port).
! That circuit-id is what the ISG authorizes on, so this switch is the trust anchor for subscriber identity.
! NOTE(review): no "ip dhcp snooping trust" is set anywhere; the ISG-facing links Fa0/7-8 are routed ports, so
! server replies presumably do not cross a snooped port -- verify.
ip dhcp snooping vlan 10-20
ip dhcp snooping information option format remote-id hostname
ip dhcp snooping
! VRF Clients keeps subscriber routing apart from the global table that carries management (Vlan1).
ip vrf Clients
rd 192.168.111.2:10
route-target export 192.168.111.2:10
route-target import 192.168.111.2:10
!
!
!
!
!
!
!
!
!
!
! Rapid-PVST; STP is switched off for VLANs 21-4094 (only VLANs 1 and 10-20 exist here). Any VLAN created
! later in that range would run without loop protection -- remember this if the VLAN set grows.
spanning-tree mode rapid-pvst
spanning-tree extend system-id
no spanning-tree vlan 21-4094
!
!
! VACL on VLANs 10-20: frames matching a permit ACE of VLAN-MAP-ACL-1 are forwarded; frames matching its deny ACE
! (DHCP server->client traffic from anything other than 172.16.10.1) match no map entry and fall to the implicit
! drop. This is a second layer against rogue DHCP servers on top of DHCP snooping.
vlan access-map FILTER-Unwanted 20
action forward
match ip address VLAN-MAP-ACL-1
!
vlan filter FILTER-Unwanted vlan-list 10-20
vlan internal allocation policy ascending
!
vlan 10-20
!
!
!
!
! Loopback10: OSPF router-id inside VRF Clients.
interface Loopback10
description For-OSPF-Router-id
ip vrf forwarding Clients
ip address 192.168.111.2 255.255.255.255
!
! Loopback20 (172.16.10.1/24): the subscribers' default gateway. The subscriber SVIs are "ip unnumbered" to it, so
! all subscriber VLANs share this one /24 -- the "fewer SVIs" idea described in the text above.
interface Loopback20
description DefGW-for-Clients-VRF
ip vrf forwarding Clients
ip address 172.16.10.1 255.255.255.0
!
! Trunks to the access switches carrying management VLAN 1 plus subscriber VLANs 10-20.
! NOTE(review): VLAN 1 is also the default native VLAN, so untagged frames from the access side land in the
! management VLAN; a dedicated native VLAN would separate the two. "ip dhcp snooping limit rate 100" caps DHCP
! at 100 pps per trunk; exceeding it err-disables the port by default.
interface FastEthernet0/1
description To-Access-switches
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-20
switchport mode trunk
ip dhcp snooping limit rate 100
!
interface FastEthernet0/2
description To-Access-switches
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-20
switchport mode trunk
ip dhcp snooping limit rate 100
!
! Unused ports at factory defaults (VLAN 1, dynamic trunking). For hygiene consider "shutdown" and
! "switchport mode access" on them so a stray cable cannot join the management VLAN or negotiate a trunk.
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
! Routed uplinks in VRF Clients to Test-ISG Fa0/0 (192.168.101.5) and Fa1/0 (192.168.101.1).
interface FastEthernet0/7
description Test-ISG-Link-Fa0/0
no switchport
ip vrf forwarding Clients
ip address 192.168.101.6 255.255.255.252
!
interface FastEthernet0/8
description Test-ISG-Link-Fa1/0
no switchport
ip vrf forwarding Clients
ip address 192.168.101.2 255.255.255.252
!
interface GigabitEthernet0/1
!
! Management SVI in the global routing table (no VRF): the management plane is separated from the subscriber VRF.
interface Vlan1
description for-management-for-acc-sw
ip address 192.168.200.1 255.255.255.0
!
! Subscriber SVIs, unnumbered to Loopback20 (gateway 172.16.10.1). DHCP is relayed to the ISG's Loopback10
! (192.168.111.1). Two helper entries exist: "global" relays through the global table, the other through
! VRF Clients. Since the ISG loopback is learned in VRF Clients via OSPF, one of them looks redundant -- verify
! which path is actually used before removing either.
interface Vlan10
ip vrf forwarding Clients
ip unnumbered Loopback20
ip helper-address global 192.168.111.1
ip helper-address 192.168.111.1
!
interface Vlan20
ip vrf forwarding Clients
ip unnumbered Loopback20
ip helper-address global 192.168.111.1
ip helper-address 192.168.111.1
!
! OSPF process 10 inside VRF Clients, peering with Test-ISG over Fa0/7 and Fa0/8 only.
! "summary-address" applies to redistributed routes; "redistribute connected" without "subnets" injects only
! classful networks, while Loopback20 is already covered by the network statement (172.16.10.1).
! "redistribute static subnets": no static routes appear in this VRF. No OSPF authentication is configured.
router ospf 10 vrf Clients
router-id 192.168.111.2
log-adjacency-changes
summary-address 172.16.10.0 255.255.255.0
redistribute connected
redistribute static subnets
passive-interface default
no passive-interface FastEthernet0/7
no passive-interface FastEthernet0/8
network 172.16.10.1 0.0.0.0 area 0
network 192.168.101.2 0.0.0.0 area 0
network 192.168.101.6 0.0.0.0 area 0
!
ip classless
! Both HTTP and HTTPS management servers disabled (ACC-SW1 below leaves them on -- align it with this).
no ip http server
no ip http secure-server
!
!
! Match ACL for VACL FILTER-Unwanted (remember: deny here means "not matched" -> implicit VACL drop).
ip access-list extended VLAN-MAP-ACL-1
! client -> server DHCP (DISCOVER/REQUEST) is forwarded
permit udp any eq bootpc any eq bootps
! server -> client DHCP is forwarded only from the relay/gateway address 172.16.10.1
permit udp host 172.16.10.1 eq bootps any eq bootpc
! any other DHCP server reply (rogue server on a subscriber VLAN) falls through and is dropped
deny udp any eq bootps any eq bootpc
permit ip any any
!
! Rate-limits ACL log-message generation (interval value 10; unit per this release -- verify).
ip access-list logging interval 10
!
! No CoPP policy attached.
control-plane
!
!
! Console and vty lines. NOTE(review): "login" is set but no line password, local user or AAA exists in this dump;
! on IOS that makes remote logins fail ("Password required, but none set"), so in-band management of this switch
! is effectively closed -- fine as a default-deny, but it also means no SSH restriction or exec-timeout has
! been considered yet. Add credentials, "transport input ssh" and a finite "exec-timeout" before opening it.
line con 0
line vty 0 4
login
line vty 5 15
login
!
end

AGREGSW##################################################################################

ACC-SW1##################################################################################
Building configuration...

Current configuration : 1392 bytes
!
! ACC-SW1 running config (IOS 12.2, L2 access switch). Timestamps carry datetime/msec but no timezone marker.
! Legacy login model ("no aaa new-model"); no enable secret or local user appears in this dump.
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ACC-SW1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
!
!
!
!
!
! Classic PVST here while AGREG-SW runs Rapid-PVST; interoperable, but convergence on this switch is the slow kind.
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
! Subscriber access ports: one VLAN per port (10 and 20), PortFast enabled.
! NOTE(review): "switchport mode access" is not shown, so the port's administrative mode is presumably the
! platform default (dynamic trunk negotiation); pinning it to access removes that negotiation path. PortFast
! without BPDU guard ("spanning-tree portfast bpduguard default") leaves a subscriber-attached switch able to
! take part in STP.
interface FastEthernet0/1
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 20
spanning-tree portfast
!
! Unused ports at factory defaults (VLAN 1 = management VLAN on this trunk). Consider "shutdown" on them so an
! unexpected cable cannot land in the management VLAN.
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
! Uplink trunk to AGREG-SW. No allowed-VLAN list is pruned here (AGREG-SW restricts its side to 1,10-20) and the
! native VLAN is the default (1), i.e. the management VLAN.
interface GigabitEthernet0/1
switchport mode trunk
!
interface GigabitEthernet0/2
!
! Management SVI takes its address from AGREG-SW's for-management pool (192.168.200.0/24).
interface Vlan1
ip address dhcp
no ip route-cache
!
! NOTE(review): HTTP and HTTPS management are enabled, yet this dump shows no username, enable secret or AAA.
! The web UI is reachable from the management VLAN without a deliberate credential set. AGREG-SW disables both
! servers; align this switch with it ("no ip http server" / "no ip http secure-server") unless the UI is needed.
ip http server
ip http secure-server
!
control-plane
!
!
! Only "line vty 5 15" is listed; no password or login method appears for any line, so remote CLI access
! presumably fails closed ("Password required, but none set") -- verify, and set credentials before relying on it.
line con 0
line vty 5 15
!
end

ACC-SW1################################################################################
ACC-SW2################################################################################

Current configuration:
!
! ACC-SW2 running config (IOS 12.0 -- a much older release than the other devices; timestamps use uptime only).
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ACC-SW2
!
!
!
!
!
!
!
ip subnet-zero
!
!
!
! Subscriber access ports, identical layout to ACC-SW1 (VLAN-per-port, PortFast). Same caveats apply:
! no explicit "switchport mode access" and no BPDU guard shown.
interface FastEthernet0/1
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 20
spanning-tree portfast
!
! Unused ports at factory defaults; consider "shutdown".
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
! Uplink trunk to AGREG-SW (dot1q); no allowed-VLAN list, default native VLAN 1.
interface FastEthernet0/12
switchport trunk encapsulation dot1q
switchport mode trunk
!
! VLAN1 has no IP address, so this switch has no in-band management at all (unlike ACC-SW1, which uses DHCP).
interface VLAN1
no ip directed-broadcast
no ip route-cache
!
!
! Console only; "transport input none" on the console is harmless (console is not a network transport).
! No password on the vty lines listed.
line con 0
transport input none
stopbits 1
line vty 5 15
!
end

ACC-SW2##############################################################