LinuxLoader

Members
  • Posts: 8

About LinuxLoader

  • Rank: Applicant
  1. The strange thing is that

        clips lg id 31 vlan-id 2319 clip 00:0c:42:a8:71:df xxxxxx(AUTHENTICATING)
        sh sub act 00:0c:42:a8:71:df
        Session state Authenticated
        Circuit lg id 31 vlan-id 2319 clips 412304
  2. The problem is that a client session, when it is on CLIPS over LACP (link-group access economical), has no start time (it has all the necessary rules, QoS/IP and http-redirect if needed, but no start time); the same thing on a plain dot1q pvc works without problems.
  3. The test configuration, CLIPS + RADIUS auth, works correctly on a normal port; with LACP not everything works correctly. The session is up, there is an IP and QoS, but when I run the show subscriber command there is no start time. Here is the aaa + lacp config:

        aaa authentication administrator local
        aaa authentication subscriber radius
        aaa accounting subscriber radius attribute-guided
        aaa accounting reauthorization subscriber radius
        aaa update subscriber 11
        aaa accounting event dhcp
        aaa accounting event reauthorization
        aaa accounting event ancp
        aaa reauthorization bulk radius
        aaa hint ip-address

        link-group CLIPS access
         encapsulation dot1q
         dot1q pvc 870 encapsulation 1qtunnel
         dot1q pvc 870:555
          service clips dhcp context xxxxxx
         dot1q pvc 2319
          service clips dhcp context xxxxxx
         maximum-links 2
         lacp active

        sh sub
        clips lg id 30 vlan-id 870:555 c 70:54:f5:7d:e9:be xxxxx (AUTHENTICATING
        clips lg id 30 vlan-id 2319 clip 00:0c:42:a8:71:df xxxxx (AUTHENTICATING

        00:0c:42:a8:71:df
        Session state Authenticated
        Circuit lg id 30 vlan-id 2319 clips 521800
        Internal Circuit 255/22:1:31/7/2/60167
        Interface bound vlan-multibind
        Current port-limit unlimited
        Protocol Stack not set
        dhcp max-addrs 1 (applied)
        dhcp option client id 0x3d0701000c42a871df (applied)
        dhcp option hostname 0x0c114d696b726f74696b426c61636b54657374 (applied)
        qos-metering-policy outbound-radius (applied)
        qos-policing-policy inbound-radius (applied)
        qos rate inbound rate 5120 burst 1000000 (applied)
        qos rate outbound rate 5120 burst 1000000 (applied)
        forward policy in captive-portal-redirect-inetgrp [svc mask: 0x0001] (applied)
        http-redirect-url http://xxxxx:4040/ [svc mask: 0x0001] (applied)
        ip access-group in captive-redirect-inetgrp [svc mask: 0x0001] (applied)
        service (applied)
          [svc id: 0] inetgrp-redirect (acct enabled)
        service-parameter (applied)
          [svc id: 0] redirect-url=http://xxxxx:4040/
          [svc id: 0] portal-ip=xxxxxx
          [svc id: 0] portal-port=4040
          [svc id: 0] tcp-port=www,443,4040,8080
        dynamic policy acl [svc mask: 0x0001] (applied in: fwd)
          [svc id: 0] ip in forward dstip 178.169.169.218/16 tcp dstport = 4040 class portal fwd
          [svc id: 0] ip in forward tcp dstport = www class redirect-inetgrp fwd
          [svc id: 0] ip in forward tcp dstport = 443 class redirect-inetgrp fwd
          [svc id: 0] ip in forward tcp dstport = 4040 class redirect-inetgrp fwd
          [svc id: 0] ip in forward tcp dstport = 8080 class redirect-inetgrp fwd
        service-acct (in) [svc mask: 0x0001] (applied)
          [svc id: 0] fwd class-mask 0x01
        service-abs-timeout [svc mask: 0x0001] (applied)
          [svc id: 0] 2147483647
        service-interim-acct-interval [svc mask: 0x0001] (applied)
          [svc id: 0] 900
        IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
          178.169.174.29 00:0c:42:a8:71:df

     ICMP is permitted and ping is going perfectly. Any ideas?
  4. Here is the config for the SE600:

        radius service profile redirect
         parameter value redirect-url
         parameter value portal-ip
         parameter value portal-port 80
         parameter list tcp-port
         accounting in fwd captive-portal-redirect
         seq 10 attribute Forward-Policy in captive-portal-redirect
         seq 20 attribute HTTP-Redirect-url $redirect-url
         seq 30 attribute Service-Timeout 2147483647
         seq 50 attribute Dynamic-Policy-Filter "ip in forward dstip $portal-ip tcp dstport = $portal-port class portal fwd"
         seq 60 foreach tcp-port
          seq 70 attribute Dynamic-Policy-Filter "ip in forward tcp dstport = $tcp-port class redirect fwd"
         exit
         seq 80 attribute Filter-Id in captive-redirect
         seq 90 attribute Service-Interim-Accounting 900

        forward policy captive-portal-redirect radius-guided
         access-group captive-policy copper
          class captive-portal-redirect
           redirect destination local
          class captive-portal

     From the RADIUS server we also send the redirect-url address. Here is what the subscriber looks like:

        0:21:27:f5:5d:ad
        Session state Up
        Circuit 2/2 vlan-id 1275 clips 405893
        Internal Circuit 2/2:1023:63/7/2/300770
        Interface bound vlan-multibind
        Current port-limit unlimited
        Protocol Stack IPV4
        dns primary x (applied from sub_default)
        dns secondary x (applied from sub_default)
        dhcp max-addrs 1 (applied)
        dhcp vendor class id MSFT 98 (applied)
        dhcp option client id 0x3d0701002127f55dad (applied)
        dhcp option hostname 0x0c094e6174526f75746572 (applied)
        qos-metering-policy outbound-radius (applied)
        qos-policing-policy inbound-radius (applied)
        qos rate inbound rate 5120 burst 1000000 (applied)
        qos rate outbound rate 5120 burst 1000000 (applied)
        forward policy in captive-portal-redirect [svc mask: 0x0001] (applied)
        http-redirect-url http://x:4040 [svc mask: 0x0001] (applied)
        ip access-group in captive-redirect [svc mask: 0x0001] (applied)
        service (applied)
          [svc id: 0] copper-redirect (acct enabled)
        service-parameter (applied)
          [svc id: 0] redirect-url=http://xxxx114:4040
          [svc id: 0] portal-ip=xxxx.114/32
          [svc id: 0] portal-port=4040
          [svc id: 0] tcp-port=www,443,4040,8080
        dynamic policy acl [svc mask: 0x0001] (applied in: fwd)
          [svc id: 0] ip in forward dstip x/32 tcp dstport = 4040 class portal fwd
          [svc id: 0] ip in forward tcp dstport = www class redirect fwd
          [svc id: 0] ip in forward tcp dstport = 443 class redirect fwd
          [svc id: 0] ip in forward tcp dstport = 4040 class redirect fwd
          [svc id: 0] ip in forward tcp dstport = 8080 class redirect fwd
        service-acct (in) [svc mask: 0x0001] (applied)
          [svc id: 0] fwd class-mask 0x01
        service-abs-timeout [svc mask: 0x0001] (applied)
          [svc id: 0] 2147483647
        service-interim-acct-interval [svc mask: 0x0001] (applied)
          [svc id: 0] 900
        IP host entries installed by DHCP: (max_addr 1 cur_entries 1)
          xxxx.82 00:21:27:f5:5d:ad
  5. For the information of those who will be playing with this in the future: placing the account can be done only in a CoA, not in the access-request. If you put the rules in the original authorization, they are not applied correctly (the necessary classification class-id is not made), and so the portal redirect does not work.
  6. The basic idea is auth depending on the circuit-id, and a service-profile from the RADIUS based on the subscriber circuit-id (with one circuit there can be multiple subscribers with different MAC addresses). All of that I was doing with a Redback SE600, with a different context depending on the type of the circuit-id (Huawei, NSN, ZyXEL PON have a different circuit-id format). Now I must implement it on ASR1K. With this config, when the service is applied from the RADIUS there is no classification in the Classifiers: Class-id. The ACLs are applied and the policy-map is applied, but in the subscriber session there is no classification ... but if I apply both policy maps without auth, all is fine! ... The ACLs are the same, the policy-maps are the same, and there is classification. Just look at the difference in the sessions and you will see the difference.
  7. I would also like to pass all the services only through RADIUS, but when they are passed that way, the Classifiers: Class-id are not applied. Note the difference between the two sessions for the configuration; that is exactly my problem.
  8. First of all, I want to apologize for my bad Russian. The hardware is an ASR1006:

        Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.2(2)S, RELEASE SOFTWARE (fc1)
        IOS XE Version: 03.06.00.S
        NAME: "module 0", DESCR: "Cisco ASR1000 SPA Interface Processor 40"

     The idea is to determine, depending on the client (based on circuit-id), whether it works on the Internet with certain parameters or is sent to the portal. The problem is that when I manually place policy-map type service L4REDIRECT_SERVICE+OPENGARDEN, all the classes are there and the traffic and the redirect work. But when I authorize through the RADIUS host, it does not work. Here is the router configuration:

        version 15.2
        service timestamps debug datetime localtime
        service timestamps log datetime localtime
        service password-encryption
        service unsupported-transceiver
        no platform punt-keepalive disable-kernel-core
        !
        hostname ASR1006-VT1
        !
        boot-start-marker
        boot system flash bootflash:/asr1000rp2-advipservicesk9.03.06.00.S.152-2.S.bin
        boot-end-marker
        !
        !
        vrf definition Mgmt-intf
         !
         address-family ipv4
         exit-address-family
         !
         address-family ipv6
         exit-address-family
        !
        logging userinfo
        logging buffered 400000
        enable secret 4 MwiIOyhbTdyB8ClOX4xeYduphxrQGmVjVXFM2w9JXZc
        enable password 7 070C285F4D065700011D450E03
        !
        aaa new-model
        !
        !
        aaa group server radius RADIUS_GR
         server 85.*.*.135 auth-port 1812 acct-port 1813
         ip radius source-interface Loopback0
        !
        aaa authentication login TAL_AUTHEN_LIST group RADIUS_GR
        aaa authorization network TAL_AUTHEN_LIST group RADIUS_GR
        aaa authorization network SERVICE group RADIUS_GR
        aaa authorization subscriber-service default local group RADIUS_GR
        aaa authorization subscriber-service RADIUS_GR group RADIUS_GR
        aaa accounting delay-start all
        aaa accounting update periodic 3
        aaa accounting include auth-profile framed-ip-address
        aaa accounting network default start-stop group RADIUS_GR
        aaa accounting network CISCO_ISG_SESSION_ACCNT_LIST start-stop group RADIUS_GR
        aaa accounting network TAL_AUTHEN_LIST start-stop group RADIUS_GR
        !
        !
        !
        !
        aaa server radius dynamic-author
         client 85.*.*.135 server-key 7 130E120B4509122565262F
         client 85.*.*.114 server-key 7 050003166F495806570710
         port 8899
         auth-type any
         ignore session-key
         ignore server-key
        !
        aaa session-id unique
        !
        transport-map type persistent ssh sshhandler
         authentication-retries 5
         rsa keypair-name evo.bg
         connection wait allow interruptible
        !
        clock timezone EET 2 0
        clock summer-time EET recurring last Sun Mar 2:00 last Sun Oct 4:00
        clock save interval 16
        !
        !
        !
        no ip domain lookup
        ip name-server 87.*.*9
        ip name-server 85.*.*.241
        ip dhcp relay information option
        ip dhcp relay information policy keep
        no ip dhcp relay information check
        ip dhcp relay information trust-all
        !
        ip dhcp pool DHCP_POOL_DEFAULT
         relay source 87.*.*.0 255.255.255.0
         relay destination 85.*.*.102
        !
        !
        !
        !
        !
        subscriber service password 7 141C171242013C246A2A34
        subscriber service multiple-accept
        subscriber service session-accounting
        subscriber service accounting interim-interval 15
        subscriber redundancy dynamic periodic-update interval 10
        subscriber authorization enable
        !
        redirect server-group ISG_GROUP
         server ip 87.*.*.114 port 4040
        !
        redirect session-limit 128
        mpls label protocol ldp
        multilink bundle-name authenticated
        !
        !
        class-map type traffic match-any CLASS-10_20
         match access-group input 10
         match access-group output 20
        !
        class-map type traffic match-any ISG_OPENGARDEN
         match access-group output name ACL_OUT_OPENGARDEN
         match access-group input name ACL_IN_OPENGARDEN
        !
        class-map type traffic match-any L4REDIRECT
         match access-group input name ACL_IN_L4REDIRECT
        !
        !
        class-map match-any CLASS_TRAFFIC_BG
         match qos-group 11
         match access-group name LOCAL_PREFIXES
        class-map match-all CLASS_TRAFFIC_INTERNATIONAL
         match qos-group 10
        policy-map type service OPENGARDEN_SERVICE
         20 class type traffic ISG_OPENGARDEN
         !
        !
        policy-map type service L4REDIRECT_SERVICE
         10 class type traffic L4REDIRECT
          accounting aaa list CISCO_ISG_SESSION_ACCNT_LIST
          redirect to group ISG_GROUP
         !
         class type traffic default input
          drop
         !
        !
        policy-map type control ISG_IPOE_SESSION_RULE1
         class type control always event session-start
          10 authorize aaa list TAL_AUTHEN_LIST password AAACISCO identifier circuit-id plus mac-address separator #
         !
         class type control always event account-logon
          10 authenticate aaa list TAL_AUTHEN_LIST
         !
        !
        interface Loopback0
         ip address 87.*.*.80 255.255.255.255
        !
        interface Loopback6
         no ip address
        !
        interface Loopback555
         ip address 87.*.*.1 255.255.255.0
        !
        interface TenGigabitEthernet0/0/0
         no ip address
         logging event link-status
         logging event subif-link-status
        !
        interface TenGigabitEthernet0/0/0.31
        !
        interface TenGigabitEthernet0/0/0.359
         encapsulation dot1Q 359
         ip address 85.*.*.66 255.255.255.252
        !
        interface TenGigabitEthernet0/0/0.360
         description up2se600-int
         encapsulation dot1Q 360
         ip address 85.*.*.70 255.255.255.252
         bgp-policy destination ip-qos-map
        !
        interface TenGigabitEthernet0/0/0.361
         description up2huawei-ont
         encapsulation dot1Q 361
         ip unnumbered Loopback555
         service-policy type control ISG_IPOE_SESSION_RULE1
         ip subscriber l2-connected
          initiator dhcp class-aware
        !
        interface GigabitEthernet0
         vrf forwarding Mgmt-intf
         no ip address
         negotiation auto
        !
        router ospf 200
         router-id 87.*.*.80
         redistribute connected subnets
         network 85.*.*.64 0.0.0.3 area 359
        !
        router bgp 24964
         table-map SET_TRAFFIC_GROUP
         bgp router-id 87.*.*80
         bgp log-neighbor-changes
         redistribute connected
         neighbor 8.8.8.65 remote-as 24964
         neighbor 8.8.8.65 soft-reconfiguration inbound
         neighbor 8.8.8.65 route-map BGP_BG_IN in
         neighbor 8.8.8.69 remote-as 24964
         neighbor 8.8.8.69 soft-reconfiguration inbound
         neighbor 8.8.8.69 prefix-list EVO-OUT-BG out
         neighbor 8.8.8.69 route-map BGP_INT_IN in
        !
        ip forward-protocol nd
        !
        ip bgp-community new-format
        no ip http server
        no ip http secure-server
        ip route 0.0.0.0 0.0.0.0 8.8.8.69
        !
        ip access-list extended ACL_IN_L4REDIRECT
         deny tcp any host 87.*.*114 eq 4040
         deny tcp any host 87.*.*114
         deny udp any any eq domain
         permit icmp any any
         permit tcp any any eq www
         permit tcp any any eq 443
        ip access-list extended ACL_IN_OPENGARDEN
         permit ip any host 87.*.*114
         permit udp any any eq domain
         permit udp any eq domain any
         permit icmp any any
        ip access-list extended ACL_OUT_OPENGARDEN
         permit ip host 87.*.*114 any
         permit udp any any eq domain
         permit udp any eq domain any
         permit icmp any any
        ip access-list extended LOCAL_PREFIXES
         permit ip any 8.8.8.0 0.0.63.255
         deny ip any any
        !
        ip radius source-interface Loopback0
        logging 8.8.8.102
        access-list 10 permit any
        access-list 20 permit any
        !
        !
        radius-server attribute 44 include-in-access-req default-vrf
        radius-server attribute 218 mandatory
        radius-server attribute 6 on-for-login-auth
        radius-server attribute 6 support-multiple
        radius-server attribute 8 include-in-access-req
        radius-server attribute 32 include-in-access-req
        radius-server attribute 32 include-in-accounting-req
        radius-server attribute 55 include-in-acct-req
        radius-server attribute 55 access-request include
        radius-server attribute 25 access-request include
        radius-server attribute 4 87.*.*80
        radius-server host 85.*.*.135 auth-port 1812 acct-port 1813 key 7 1436332A2F2D19080B
        radius-server key 7 132436332825370904
        radius-server vsa send accounting
        radius-server vsa send authentication
        !
        !
        control-plane
        !
        !
        !
        !
        alias exec sbsa show subscriber session all
        !
        line con 0
         stopbits 1
        line vty 0 4
         transport input telnet ssh
        line vty 5 15
         transport input telnet ssh
        !
        ntp server 8.8.8.102
        !
        end

     Here is what is on the RADIUS server back end:

        "Cisco-AVPair", "subscriber:service-name=L4REDIRECT_SERVICE"
        "Cisco-AVPair", "subscriber:command=activate-service"
        "Cisco-AVPair", "subscriber:service-name=OPENGARDEN_SERVICE"
        "Cisco-AVPair", "subscriber:command=activate-service"
        "Cisco-AVPair", "ip:traffic-class=in default drop"
        "Cisco-AVPair", "ip:traffic-class=in access-group name ACL_IN_L4REDIRECT priority 30"
        "Cisco-AVPair", "ip:traffic-class=out default drop"
        "Cisco-Account-Info","QU;512000;256000;D;512000;256000"
        "Cisco-AVPair","subscriber:accounting-list=CISCO_ISG_SESSION_ACCNT_LIST"

     Here is the most interesting part. Here everything works, both L4REDIRECT and OPENGARDEN_SERVICE, but if rules 2 and 3 become 20 and 30 it does not work. Here is the session when it does not work:

        Type: IP, UID: 975, State: authen, Identity: 10.*.*.2 xpon 0/5/5:8.361.1#d4ca.6d45.4ed2
        IPv4 Address: 87.*.*.10
        Session Up-time: 00:00:07, Last Changed: 00:00:06
        Switch-ID: 6137

        Policy information:
          Context 7F0F3D0BA270: Handle 3400052C
          AAA_id 0000042E: Flow_handle 0
          Authentication status: authen
          Downloaded User profile, excluding services:
            service-type 0 2 [Framed]
            accounting-list 0 "CISCO_ISG_SESSION_ACCNT_LIST"
            service-name 0 "OPENGARDEN_SERVICE"
            command 0 "activate-service"
            traffic-class 0 "in access-group name ACL_IN_OPENGARDEN priority 30"
            traffic-class 0 "in default drop"
            traffic-class 0 "out access-group name ACL_OUT_OPENGARDEN priority 30"
            traffic-class 0 "out default drop"
            clid-mac-addr 0 D4 CA 6D 45 4E D2
            addr 0 87.*.*.10
            netmask 0 255.255.255.255
            config-source-dpm 0 True
            circuit-id-tag 0 "10.250.83.2 xpon 0/5/5:8.361.1"
          Downloaded User profile, including services:
            service-type 0 2 [Framed]
            accounting-list 0 "CISCO_ISG_SESSION_ACCNT_LIST"
            service-name 0 "OPENGARDEN_SERVICE"
            command 0 "activate-service"
            traffic-class 0 "in access-group name ACL_IN_OPENGARDEN priority 30"
            traffic-class 0 "in default drop"
            traffic-class 0 "out access-group name ACL_OUT_OPENGARDEN priority 30"
            traffic-class 0 "out default drop"
            clid-mac-addr 0 D4 CA 6D 45 4E D2
            addr 0 87.*.*.10
            netmask 0 255.255.255.255
            config-source-dpm 0 True
            circuit-id-tag 0 "10.*.*.2 xpon 0/5/5:8.361.1"
          Config history for session (recent to oldest):
            Access-type: IP Client: DHCP
             Policy event: Session-Update
              Profile name: apply-config-only, 2 references
                clid-mac-addr 0 D4 CA 6D 45 4E D2
                addr 0 87.*.*.10
                netmask 0 255.255.255.255
                config-source-dpm 0 True
                circuit-id-tag 0 "10.*.*.2 xpon 0/5/5:8.361.1"
            Access-type: IP Client: SM
             Policy event: Service Selection Request
              Profile name: 10.*.*.2 xpon 0/5/5:8.361.1#d4ca.6d45.4ed2, 2 references
                service-type 0 2 [Framed]
                accounting-list 0 "CISCO_ISG_SESSION_ACCNT_LIST"
                service-name 0 "OPENGARDEN_SERVICE"
                command 0 "activate-service"
                traffic-class 0 "in access-group name ACL_IN_OPENGARDEN priority 30"
                traffic-class 0 "in default drop"
                traffic-class 0 "out access-group name ACL_OUT_OPENGARDEN priority 30"
                traffic-class 0 "out default drop"
          Rules, actions and conditions executed:
            subscriber rule-map ISG_IPOE_SESSION_RULE1
              condition always event session-start
                10 authorize aaa list TAL_AUTHEN_LIST identifier circuit-id#mac-address

        Classifiers:
        Class-id    Dir  Packets  Bytes  Pri.  Definition
        0           In   2        252    0     Match Any
        1           Out  0        0      0     Match Any

        Features:

        Accounting:
        Class-id    Dir  Packets  Bytes  Source
        0           In   2        234    Peruser
        1           Out  0        0      Peruser

        Configuration Sources:
        Type  Active Time  AAA Service ID  Name
        USR   00:00:07     -               Peruser
        INT   00:00:07     -               TenGigabitEthernet0/0/0.361

     And here is the session when the redirect works:

        Type: IP, UID: 977, State: authen, Identity: 10.*.*.2 xpon 0/5/5:8.361.1#d4ca.6d45.4ed2
        IPv4 Address: 87.*.*10
        Session Up-time: 00:00:23, Last Changed: 00:00:23
        Switch-ID: 6148

        Policy information:
          Context 7F0F3D0BA270: Handle AA00052E
          AAA_id 00000430: Flow_handle 0
          Authentication status: authen
          Downloaded User profile, excluding services:
            service-type 0 2 [Framed]
            accounting-list 0 "CISCO_ISG_SESSION_ACCNT_LIST"
            service-name 0 "L4REDIRECT_SERVICE"
            command 0 "activate-service"
            traffic-class 0 "in default drop"
            traffic-class 0 "in access-group name ACL_IN_L4REDIRECT priority 30"
            traffic-class 0 "out access-group name ACL_OUT_L4REDIRECT priority 30"
            traffic-class 0 "out default drop"
            ssg-account-info 0 "QU;512000;256000;D;512000;256000"
            clid-mac-addr 0 D4 CA 6D 45 4E D2
            addr 0 87.*.*10
            netmask 0 255.255.255.255
            config-source-dpm 0 True
            circuit-id-tag 0 "10.*.*.2 xpon 0/5/5:8.361.1"
          Downloaded User profile, including services:
            l4redirect 0 "redirect to group ISG_GROUP"
            username 0 "OPENGARDEN_SERVICE"
            service-type 0 2 [Framed]
            accounting-list 0 "CISCO_ISG_SESSION_ACCNT_LIST"
            service-name 0 "L4REDIRECT_SERVICE"
            command 0 "activate-service"
            traffic-class 0 "in default drop"
            traffic-class 0 "in access-group name ACL_IN_L4REDIRECT priority 30"
            traffic-class 0 "out access-group name ACL_OUT_L4REDIRECT priority 30"
            traffic-class 0 "out default drop"
            ssg-account-info 0 "QU;512000;256000;D;512000;256000"
            clid-mac-addr 0 D4 CA 6D 45 4E D2
            addr 0 87.*.*10
            netmask 0 255.255.255.255
            config-source-dpm 0 True
            circuit-id-tag 0 "10.*.*.2 xpon 0/5/5:8.361.1"
          Config history for session (recent to oldest):
            Access-type: IP Client: DHCP
             Policy event: Session-Update
              Profile name: apply-config-only, 2 references
                clid-mac-addr 0 D4 CA 6D 45 4E D2
                addr 0 87.*.*10
                netmask 0 255.255.255.255
                config-source-dpm 0 True
                circuit-id-tag 0 "10.*.*.2 xpon 0/5/5:8.361.1"
            Access-type: IP Client: SM
             Policy event: Service Selection Request
              Profile name: 10.*.*.2 xpon 0/5/5:8.361.1#d4ca.6d45.4ed2, 2 references
                service-type 0 2 [Framed]
                accounting-list 0 "CISCO_ISG_SESSION_ACCNT_LIST"
                service-name 0 "L4REDIRECT_SERVICE"
                command 0 "activate-service"
                traffic-class 0 "in default drop"
                traffic-class 0 "in access-group name ACL_IN_L4REDIRECT priority 30"
                traffic-class 0 "out access-group name ACL_OUT_L4REDIRECT priority 30"
                traffic-class 0 "out default drop"
                ssg-account-info 0 "QU;512000;256000;D;512000;256000"
            Access-type: IP Client: SM
             Policy event: Service Selection Request (Service)
              Profile name: OPENGARDEN_SERVICE, 3 references
                password 0 <hidden>
                username 0 "OPENGARDEN_SERVICE"
                traffic-class 0 "output access-group name ACL_OUT_OPENGARDEN priority 20"
                traffic-class 0 "input access-group name ACL_IN_OPENGARDEN priority 20"
            Access-type: IP Client: SM
             Policy event: Service Selection Request (Service)
              Profile name: L4REDIRECT_SERVICE, 3 references
                password 0 <hidden>
                username 0 "L4REDIRECT_SERVICE"
                traffic-class 0 "input access-group name ACL_IN_L4REDIRECT priority 10"
                l4redirect 0 "redirect to group ISG_GROUP"
                accounting-list 0 "CISCO_ISG_SESSION_ACCNT_LIST"
                traffic-class 0 "input default drop"
                traffic-class 0 "output default drop"
          Active services associated with session:
            name "OPENGARDEN_SERVICE", applied before account logon
            name "L4REDIRECT_SERVICE", applied before account logon
          Rules, actions and conditions executed:
            subscriber rule-map ISG_IPOE_SESSION_RULE1
              condition always event session-start
                2 service-policy type service name L4REDIRECT_SERVICE
                3 service-policy type service name OPENGARDEN_SERVICE
                10 authorize aaa list TAL_AUTHEN_LIST identifier circuit-id#mac-address

        Classifiers:
        Class-id    Dir  Packets  Bytes  Pri.  Definition
        0           In   1        117    0     Match Any
        1           Out  0        0      0     Match Any
        334         In   0        0      10    Match ACL ACL_IN_L4REDIRECT
        336         In   0        0      20    Match ACL ACL_IN_OPENGARDEN
        337         Out  0        0      20    Match ACL ACL_OUT_OPENGARDEN
        4294967294  In   1        117    -     Drop

        Features:

        Accounting:
        Class-id    Dir  Packets  Bytes  Source
        0           In   0        0      Peruser
        1           Out  0        0      Peruser
        334         In   0        0      L4REDIRECT_SERVICE

        L4 Redirect:
        Class-id    Rule cfg  Definition          Source
        334         #1 SVC    to group ISG_GROUP  L4REDIRECT_SERVICE

        Policing:
        Class-id    Dir  Avg. Rate  Normal Burst  Excess Burst  Source
        0           In   512000     256000        0             Peruser
        1           Out  512000     256000        0             Peruser

        Configuration Sources:
        Type  Active Time  AAA Service ID  Name
        SVC   00:00:23     3372220429      L4REDIRECT_SERVICE
        SVC   00:00:23     -               OPENGARDEN_SERVICE
        USR   00:00:23     -               Peruser
        INT   00:00:23     -               TenGigabitEthernet0/0/0.361

     That is, this is exactly where I see the difference:

        Classifiers:
        Class-id    Dir  Packets  Bytes  Pri.  Definition
        0           In   1        117    0     Match Any
        1           Out  0        0      0     Match Any
        334         In   0        0      10    Match ACL ACL_IN_L4REDIRECT
        336         In   0        0      20    Match ACL ACL_IN_OPENGARDEN
        337         Out  0        0      20    Match ACL ACL_OUT_OPENGARDEN
        4294967294  In   1        117    -     Drop

        Features:

        Accounting:
        Class-id    Dir  Packets  Bytes  Source
        0           In   0        0      Peruser
        1           Out  0        0      Peruser
        334         In   0        0      L4REDIRECT_SERVICE

        L4 Redirect:
        Class-id    Rule cfg  Definition          Source
        334         #1 SVC    to group ISG_GROUP  L4REDIRECT_SERVICE

        Policing:
        Class-id    Dir  Avg. Rate  Normal Burst  Excess Burst  Source
        0           In   512000     256000        0             Peruser
        1           Out  512000     256000        0             Peruser

        Configuration Sources:
        Type  Active Time  AAA Service ID  Name
        SVC   00:00:23     3372220429      L4REDIRECT_SERVICE
        SVC   00:00:23     -               OPENGARDEN_SERVICE
        USR   00:00:23     -               Peruser
        INT   00:00:23     -               TenGigabitEthernet0/0/0.361