Minotaur

Ну если в даташите написано, что умеет BGP, значит будет. Единственное, что не сможет сделать, как правильно заметил коллега в предыдущем посте, - так это держать full-view. В таком случае принимайте от обоих аплинков только дефолт. Правда, в таком случае столкнетесь с задачей распределения исходящего трафика, которую можно попытаться решить с помощью специального Extended community bandwidth:*

ISG умеет инициализировать сессии не только по PPPoE. В Вашем случае можно использовать initiator unclassified ip-address

С этой проблемой разобрался. Очень похоже на баг. Описанная ситуация возникает в том случае, если на ISG уже есть описанный DHCP pool, даже если он не принимает никакого участия в раздаче адресов для подписчиков. Есть Workaround, посоветованный коллегой: сделать DHCP relay не через ip helper-address, а через relay pool, например так: ip dhcp pool pool-Test update arp relay source 178.214.200.0 255.255.255.0 relay destination 178.214.192.2 ! interface GigabitEthernet0/2.33 encapsulation dot1Q 33 ip dhcp relay information trusted ip dhcp relay information policy-action keep ip address 178.214.200.1 255.255.255.0 arp timeout 60 service-policy type control DHCP-Subscriber ip subscriber l2-connected initiator dhcp class-aware Так работает, но при такой конфигурации есть сложности с unnumbered на Gi0/2.33. Эта проблема описана в отдельной теме тут.

Приветствую! Дано: Cisco 7206VXR, IOS 12.2(33)SRD3. Определен пул для relay: ip dhcp pool pool-Test update arp relay source 178.214.200.0 255.255.255.0 relay destination 178.214.192.2 И сконфигурирован саб-интефейс: interface GigabitEthernet0/2.33 encapsulation dot1Q 33 ip dhcp relay information trusted ip dhcp relay information policy-action keep ip address 178.214.200.1 255.255.255.0 arp timeout 60 service-policy type control DHCP-Subscriber ip subscriber l2-connected initiator dhcp class-aware Все отлично работает, пул привязывается к интерфейсу по сети, определенной в relay source. А как привязать пул к интерфейсу, если он - ip unnumbered loopback0, а на lo0 висит адрес с маской /32 ? Спасибо.

Не будет. То, что пишут в даташитах - маркетинговое фуфло. Максимальный стек, поддерживаемый нп. 650: SummitStack512, - поддерживает 128G на одном стековом порту, но при этом нельзя объединить в стек больше двух свитчей. SummitStack128 обеспечивает 64G на порт при стеке до восьми коммутаторов. Кроме этого, у Extreme Summit имеется идиотский недостаток (один из многих, впрочем) - он не умеет отдавать по SNMP загрузку со стековых портов. По крайней мере в XOS 12.4. Лихо Вы поделили пропускную способность стека:) Посмотрите на картинке, как модуль выглядит. Маркетинговое число 512 можно поделить на 2(так как считается Rx + Tx), а не на 8. Ткните меня носом, где я разделил маркетинговое число на 8? На 4 - да, потому что оно так и есть в действительности. И да - опечатался выше, извиняюсь, вместо SummitStack128 хотел написать SummitStack256. У меня стоит два 650х, соединенных через SummitStack256: # show stacking stack-ports Stack Topology is a Ring Slot Port Node MAC Address Port State Flags Speed ---- ---- ----------------- ----------- ----- ----- *1 1 00:04:96:51:f1:b5 Operational C- 64G *1 2 00:04:96:51:f1:b5 Operational CB 64G 2 1 00:04:96:51:79:7a Operational CB 64G 2 2 00:04:96:51:79:7a Operational C- 64G * - Indicates this node Flags: (C) Control path is active, (B) Port is Blocked Да, есть два стековых порта, но они не обеспечивают того, что при стеке из > 2 свитчей у вас трафик между первым и последним будет ездить по обеим портам. Ага: # snmpwalk -v2c -c public sw2-gdr .1.3.6.1.4.1.1916.1.4.5.1.2 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1000 = INTEGER: 0 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1001 = INTEGER: 56 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1002 = INTEGER: 26 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1003 = INTEGER: 16 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1004 = INTEGER: 42 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1005 = INTEGER: 5 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1006 = INTEGER: 7 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1007 = INTEGER: 14 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1008 = INTEGER: 49 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1009 = INTEGER: 74 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1010 = INTEGER: 70 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1011 = INTEGER: 23 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1012 = INTEGER: 35 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1013 = INTEGER: 12 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1014 = INTEGER: 16 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1015 = INTEGER: 29 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1016 = INTEGER: 82 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1017 = INTEGER: 0 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1018 = INTEGER: 0 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1019 = INTEGER: 0 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1020 = INTEGER: 0 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1021 = INTEGER: 30 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1022 = INTEGER: 0 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1023 = INTEGER: 0 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.1024 = INTEGER: 0 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2001 = INTEGER: 37 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2002 = INTEGER: 3 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2003 = INTEGER: 9 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2004 = INTEGER: 77 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2005 = INTEGER: 4 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2006 = INTEGER: 6 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2007 = INTEGER: 20 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2008 = INTEGER: 9 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2009 = INTEGER: 5 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2010 = INTEGER: 12 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2011 = INTEGER: 7 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2012 = INTEGER: 6 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2013 = INTEGER: 8 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2014 = INTEGER: 0 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2015 = INTEGER: 15 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2016 = INTEGER: 25 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2017 = INTEGER: 0 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2018 = INTEGER: 0 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2019 = INTEGER: 0 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2020 = INTEGER: 0 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2021 = INTEGER: 0 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2022 = INTEGER: 0 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2023 = INTEGER: 0 EXTREME-PORT-MIB::extremePortUtilizationAvgRxBw.2024 = INTEGER: 0 Стек из двух свитчей, по 24 порта в каждом. Покажите мне пожалуйста, какая из этих строчек показывает загрузку стековых портов?

Не будет. То, что пишут в даташитах - маркетинговое фуфло. Максимальный стек, поддерживаемый нп. 650: SummitStack512, - поддерживает 128G на одном стековом порту, но при этом нельзя объединить в стек больше двух свитчей. SummitStack128 обеспечивает 64G на порт при стеке до восьми коммутаторов. Кроме этого, у Extreme Summit имеется идиотский недостаток (один из многих, впрочем) - он не умеет отдавать по SNMP загрузку со стековых портов. По крайней мере в XOS 12.4.

ip dhcp relay information trust-all Написанная Вами команда есть у меня в глобальном конфиге, она выполняет то же самое, что ip dhcp relay information trusted в конфигурации интерфейса, и она никак не влияет на сессии.

Не вижу в первом дебаге даже попыток релея, а во втором - всё на месте. Можно попробовать поставить: 10 authorize aaa list DHCP-BRAS identifier mac-address В session-start и постепенно добавлять опции, до начала проблем. Я упорно не понимаю, причем тут DHCP релей и идентификатор? Клиент нормально получает IP-адрес. А IP-адрес он может получить только в случае успешной авторизации на этапе session-start. Аутентицикация была успешной, Radius отдал настройки сессии на ISG, клиент в свою очередь получил адрес. Дальше - просто не поднимается сессия. Но если Вас мучают смутные сомнения, Вот кусок из радиуса, подтверждающий нормальную авторизацию: rad_recv: Access-Request packet from host 178.214.192.68 port 1645, id=202, length=128 User-Name = "000600226b2a8d52#000400210117#0007.e90a.75b2" User-Password = "cisco" NAS-Port-Type = Virtual NAS-Port = 0 NAS-Port-Id = "0/0/2/33" Service-Type = Outbound-User NAS-IP-Address = 178.214.192.68 Acct-Session-Id = "00001283" server ISG_Authorization { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/ISG.conf +- entering group authorize {...} ++[preprocess] returns ok ++[control] returns ok rlm_perl: Added pair NAS-Port-Type = Virtual rlm_perl: Added pair Acct-Session-Id = 00001283 rlm_perl: Added pair Service-Type = Outbound-User rlm_perl: Added pair User-Name = 000600226b2a8d52#000400210117#0007.e90a.75b2 rlm_perl: Added pair User-Password = cisco rlm_perl: Added pair NAS-Port = 0 rlm_perl: Added pair NAS-IP-Address = 178.214.192.68 rlm_perl: Added pair NAS-Port-Id = 0/0/2/33 rlm_perl: Added pair Cisco-AVPair = subscriber:keepalive=protocol ARP rlm_perl: Added pair Service-Type = Outbound-User rlm_perl: Added pair Cisco-Account-Info = Apms-1M rlm_perl: Added pair Auth-Type = Accept ++[iSG_Auth] returns ok Found Auth-Type = Accept Auth-Type = Accept, accepting the user Login OK: [000600226b2a8d52#000400210117#0007.e90a.75b2] (from client bras1-gdr port 0) WARNING: Empty post-auth section. Using default return values. } # server ISG_Authorization Sending Access-Accept of id 202 to 178.214.192.68 port 1645 Cisco-AVPair = "subscriber:keepalive=protocol ARP" Service-Type = Outbound-User Cisco-Account-Info = "Apms-1M" Finished request 44. Going to the next request Waking up in 4.9 seconds. Received DHCP-Discover of id 220c03fd from 178.214.200.1:67 to 178.214.192.2:67 DHCP-Opcode = Client-Message ... ну и дальше пошел DHCP. При session-restart происходит то же самое: rad_recv: Access-Request packet from host 178.214.192.68 port 1645, id=203, length=98 User-Name = "0007.e90a.75b2" User-Password = "cisco" NAS-Port-Type = Virtual NAS-Port = 0 NAS-Port-Id = "0/0/2/33" Service-Type = Outbound-User NAS-IP-Address = 178.214.192.68 Acct-Session-Id = "00001286" server ISG_Authorization { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/ISG.conf +- entering group authorize {...} ++[preprocess] returns ok ++[control] returns ok rlm_perl: Added pair NAS-Port-Type = Virtual rlm_perl: Added pair Acct-Session-Id = 00001286 rlm_perl: Added pair Service-Type = Outbound-User rlm_perl: Added pair User-Name = 0007.e90a.75b2 rlm_perl: Added pair User-Password = cisco rlm_perl: Added pair NAS-Port = 0 rlm_perl: Added pair NAS-IP-Address = 178.214.192.68 rlm_perl: Added pair NAS-Port-Id = 0/0/2/33 rlm_perl: Added pair Cisco-AVPair = subscriber:keepalive=protocol ARP rlm_perl: Added pair Service-Type = Outbound-User rlm_perl: Added pair Cisco-Account-Info = Apms-1M rlm_perl: Added pair Auth-Type = Accept ++[iSG_Auth] returns ok Found Auth-Type = Accept Auth-Type = Accept, accepting the user Login OK: [0007.e90a.75b2] (from client bras1-gdr port 0) WARNING: Empty post-auth section. Using default return values. } # server ISG_Authorization Sending Access-Accept of id 203 to 178.214.192.68 port 1645 Cisco-AVPair = "subscriber:keepalive=protocol ARP" Service-Type = Outbound-User Cisco-Account-Info = "Apms-1M" Finished request 47. Going to the next request Waking up in 4.9 seconds.

Т.е. DHCP не на этой железке? Cisco ISG работает как DHCP relay. Клиенты все видны на Layer2, подключены к свитчам, которые добавляют Option 82. DHCP и авторизация отрабатывает нормально. Просто не поднимается сессия. А поток мыслей предыдущего оратора не осилил.

RADIUS не выдаёт связку IP/MASK, а вот по этому: - выдаёт. Надо смотреть/проверять запросы к RADIUS-у. Стоп. IP/MASK вообще выдается по DHCP. Данный запрос нужен только для того, чтобы сказать ISG, разрешать ли DHCP DISCOVER от этого клиента, или нет.

Вот еще один дебаг того, что происходит при попытке поднять сессию. Но он тоже пока что не особо проясняет ситуацию: bras1-gdr.ki#show debugging IP Subscriber: IP subscriber events debugging is on IP subscriber errors debugging is on IP subscriber fsm debugging is on *Feb 6 18:42:17.038: IPSUB: Create session keys from SSS key list *Feb 6 18:42:17.038: IPSUB: Mac_addr = 0007.e90a.75b2, Recvd Macaddr = 0007.e90a.75b2 *Feb 6 18:42:17.038: IPSUB: Session input interface(0x6BD31BC) = GigabitEthernet0/2.33 *Feb 6 18:42:17.038: IPSUB: Circuit_id = 000400210117 *Feb 6 18:42:17.038: IPSUB: Remote_id = 000600226b2a8d52 *Feb 6 18:42:17.038: IPSUB: Vendor_Class_id = MSFT 5.0 *Feb 6 18:42:17.042: IPSUB: Try to create a new session *Feb 6 18:42:17.042: IPSUB: [uid:0] Request to create a new session *Feb 6 18:42:17.042: IPSUB: [uid:0] Session start event for session *Feb 6 18:42:17.042: IPSUB: [uid:0] Event session start, state changed from idle to requesting *Feb 6 18:42:17.042: IPSUB: [uid:5] AAA unique ID allocated *Feb 6 18:42:17.042: IPSUB: [uid:5] Added session 0007.e90a.75b2 to L2 session table *Feb 6 18:42:17.042: IPSUB: [uid:5] Added session to session table with access session keys *Feb 6 18:42:17.042: IPSUB: [uid:5] IP session(0x130005DF) on L2 interface to be associated to Gi0/2.33, mac 0007.e90a.75b2 *Feb 6 18:42:17.042: IPSUB: [uid:5] Inserted IP session(0x130005DF) to sessions-per-interface db with interface Gi0/2.33 *Feb 6 18:42:17.058: IPSUB: [uid:5] IP session context 0x12C0BB98 available to authorize *Feb 6 18:42:17.058: IPSUB-VRFSET: [uid:5] Entered allocate feature info *Feb 6 18:42:17.058: IPSUB-VRFSET: [uid:5] Allocated sg vrfset info 0x1EA52E48 *Feb 6 18:42:17.058: IPSUB-VRFSET: [uid:5] Freeing the sg vrfset info 0x1EA52E48 *Feb 6 18:42:17.058: IPSUB: [uid:5] IP session context 0x12C0BB98 available to authorize *Feb 6 18:42:17.058: IPSUB-VRFSET: [uid:5] Entered allocate feature info *Feb 6 18:42:17.058: IPSUB-VRFSET: [uid:5] Allocated sg vrfset info 0x1EA52E48 *Feb 6 18:42:17.058: IPSUB-VRFSET: [uid:5] Freeing the sg vrfset info 0x1EA52E48 *Feb 6 18:42:17.058: IPSUB: [uid:5] Recieved Message = connect local *Feb 6 18:42:17.058: IPSUB: [uid:5] Connect Local event for session *Feb 6 18:42:17.058: IPSUB: [uid:5] Event connect local, state changed from requesting to waiting *Feb 6 18:42:17.058: IPSUB: [uid:5] Inside processing IPSIP info *Feb 6 18:42:17.058: IPSUB-ROUTE: [uid:5] Checking whether routes to be inserted/removed *Feb 6 18:42:17.058: IPSUB-ROUTE: [uid:5] Context not present, creating context *Feb 6 18:42:17.058: IPSUB-ROUTE: [uid:5] Entered the sg subrte context alloc *Feb 6 18:42:17.058: IPSUB-ROUTE: [uid:5] Returning the sg subrte context 0x198428F0 *Feb 6 18:42:17.058: IPSUB-ROUTE: [uid:5] Trying to remove Subscriber routes *Feb 6 18:42:17.058: IPSUB-ROUTE: [uid:5] Entered the plane feature context free *Feb 6 18:42:17.058: IPSUB-ROUTE: [uid:5] Freeing the sg subrte context 0x198428F0 *Feb 6 18:42:17.058: IPSUB-ROUTE: [uid:5] Removed SG SUBRTE feature *Feb 6 18:42:17.058: IPSUB-ROUTE: [uid:5] Reqd keys are not available, postponing route insert *Feb 6 18:42:17.058: IPSUB: [uid:5] Keys not changed, seg needn't be updated *Feb 6 18:42:17.058: IPSUB: [uid:5] Key list to be created to update SM *Feb 6 18:42:17.058: IPSUB: [uid:5] Created key list to update SM *Feb 6 18:42:17.074: Invalid interface number *Feb 6 18:42:17.074: Invalid interface number *Feb 6 18:42:17.074: IPSUB: [uid:5] Recieved Message = disconnect *Feb 6 18:42:17.074: IPSUB: [uid:5] SSS Manager disconnect event for session *Feb 6 18:42:17.074: IPSUB: [uid:5] Event sss mgr disc, state changed from waiting to disconnecting *Feb 6 18:42:17.074: IPSUB-VRFSET: [uid:5] Removing SG VRFSET feature *Feb 6 18:42:17.074: IPSUB-VRFSET: [uid:5] SG VRFSET context is not present *Feb 6 18:42:17.074: IPSUB-ROUTE: [uid:5] Trying to remove Subscriber routes *Feb 6 18:42:17.078: IPSUB-ROUTE: [uid:5] SG SUBRTE context is not present *Feb 6 18:42:17.078: IPSUB: [uid:5] Removed session from session table with access session keys *Feb 6 18:42:17.078: IPSUB: [uid:5] Removed session from session table with service session keys *Feb 6 18:42:17.078: IPSUB: [uid:5] Deleted session(0x130005DF) from sessions per interface db with intf: Gi0/2.33 *Feb 6 18:42:17.078: IPSUB: No IP session with handle 0x130005DF, ignore client disconnect message И все. *Feb 6 18:42:17.074: Invalid interface number *Feb 6 18:42:17.074: Invalid interface number в дебаге - смущает. Далее, при приходе первого пакета от клиента по session-restart все нормально поднимается: *Feb 6 18:44:53.642: IPSUB_DP: [uid:0] Insert new entry for mac 0007.e90a.75b2 *Feb 6 18:44:53.646: IPSUB_DP: [uid:0] Processing new in-band session request *Feb 6 18:44:53.646: IPSUB_DP: [uid:0] Delete mac entry 0007.e90a.75b2 *Feb 6 18:44:53.646: IPSUB_DP: [uid:0] In-band session request event for session *Feb 6 18:44:53.646: IPSUB_DP: [uid:0] Insert new entry for mac 0007.e90a.75b2 *Feb 6 18:44:53.646: IPSUB_DP: [uid:0] Added upstream entry into the classifier *Feb 6 18:44:53.646: IPSUB_DP: [uid:0] MAC = 0007.e90a.75b2 *Feb 6 18:44:53.646: IPSUB: Try to create a new session *Feb 6 18:44:53.646: IPSUB: IPSUB: Check IP DHCP session recovery: 178.214.200.2 Gi0/2.33 mac 0007.e90a.75b2 *Feb 6 18:44:53.646: IPSUB: Create session keys from SSS key list *Feb 6 18:44:53.646: IPSUB: Mac_addr = 0007.e90a.75b2, Recvd Macaddr = 0007.e90a.75b2 *Feb 6 18:44:53.646: IPSUB: Session input interface(0x6BD31BC) = GigabitEthernet0/2.33 *Feb 6 18:44:53.646: IPSUB: Recovery DHCP session hdl = 452986336 *Feb 6 18:44:53.646: IPSUB: IPSUB: IP DHCP session recovery started *Feb 6 18:44:53.646: IPSUB: [uid:0] Request to create a new session placeholder for session recovery *Feb 6 18:44:53.646: IPSUB: [uid:0] Session restart event for session *Feb 6 18:44:53.646: IPSUB: [uid:0] Event session restart, state changed from idle to recovery-req *Feb 6 18:44:53.646: IPSUB_DP: [uid:0] Sent message to control plane for in-band session creation *Feb 6 18:44:53.646: IPSUB_DP: [uid:0] Event inband-session, state changed from idle to intiated *Feb 6 18:44:53.646: IPSUB: Try to create a new session *Feb 6 18:44:53.646: IPSUB: Try to complete a DHCP initiated session recovery *Feb 6 18:44:53.646: IPSUB: [uid:0] Request to convert a new session placeholder and start it *Feb 6 18:44:53.646: IPSUB: [uid:0] Session start event for session *Feb 6 18:44:53.646: IPSUB: [uid:0] Event session start, state changed from recovery-req to requesting *Feb 6 18:44:53.646: IPSUB: [uid:7] AAA unique ID allocated *Feb 6 18:44:53.646: IPSUB: [uid:7] Added session 0007.e90a.75b2 to L2 session table *Feb 6 18:44:53.646: IPSUB: [uid:7] Added session to session table with access session keys *Feb 6 18:44:53.646: IPSUB: [uid:7] IP session(0x1B0005E0) on L2 interface to be associated to Gi0/2.33, mac 0007.e90a.75b2 *Feb 6 18:44:53.646: IPSUB: [uid:7] Inserted IP session(0x1B0005E0) to sessions-per-interface db with interface Gi0/2.33 *Feb 6 18:44:53.666: IPSUB: [uid:7] IP session context 0x12C0BB98 available to authorize *Feb 6 18:44:53.666: IPSUB-VRFSET: [uid:7] Entered allocate feature info *Feb 6 18:44:53.666: IPSUB-VRFSET: [uid:7] Allocated sg vrfset info 0x1EA52E48 *Feb 6 18:44:53.666: IPSUB-VRFSET: [uid:7] Freeing the sg vrfset info 0x1EA52E48 *Feb 6 18:44:53.670: IPSUB: [uid:7] IP session context 0x12C0BB98 available to authorize *Feb 6 18:44:53.670: IPSUB-VRFSET: [uid:7] Entered allocate feature info *Feb 6 18:44:53.670: IPSUB-VRFSET: [uid:7] Allocated sg vrfset info 0x1EA52E48 *Feb 6 18:44:53.670: IPSUB-VRFSET: [uid:7] Freeing the sg vrfset info 0x1EA52E48 *Feb 6 18:44:53.670: IPSUB: [uid:7] Recieved Message = connect local *Feb 6 18:44:53.670: IPSUB: [uid:7] Connect Local event for session *Feb 6 18:44:53.670: IPSUB: [uid:7] Event connect local, state changed from requesting to waiting *Feb 6 18:44:53.670: IPSUB: [uid:7] Inside processing IPSIP info *Feb 6 18:44:53.670: IPSUB-ROUTE: [uid:7] Checking whether routes to be inserted/removed *Feb 6 18:44:53.670: IPSUB-ROUTE: [uid:7] Context not present, creating context *Feb 6 18:44:53.670: IPSUB-ROUTE: [uid:7] Entered the sg subrte context alloc *Feb 6 18:44:53.670: IPSUB-ROUTE: [uid:7] Returning the sg subrte context 0x198428F0 *Feb 6 18:44:53.670: IPSUB-ROUTE: [uid:7] Trying to remove Subscriber routes *Feb 6 18:44:53.670: IPSUB-ROUTE: [uid:7] Entered the plane feature context free *Feb 6 18:44:53.670: IPSUB-ROUTE: [uid:7] Freeing the sg subrte context 0x198428F0 *Feb 6 18:44:53.670: IPSUB-ROUTE: [uid:7] Removed SG SUBRTE feature *Feb 6 18:44:53.670: IPSUB-ROUTE: [uid:7] Reqd keys are not available, postponing route insert *Feb 6 18:44:53.670: IPSUB: [uid:7] Keys not changed, seg needn't be updated *Feb 6 18:44:53.670: IPSUB: [uid:7] Key list to be created to update SM *Feb 6 18:44:53.670: IPSUB: [uid:7] Created key list to update SM *Feb 6 18:44:53.678: IPSUB: [uid:7] IP session context 0x12C0BB98 available to authorize *Feb 6 18:44:53.678: IPSUB-VRFSET: [uid:7] Entered allocate feature info *Feb 6 18:44:53.678: IPSUB-VRFSET: [uid:7] Allocated sg vrfset info 0x1EA52E48 *Feb 6 18:44:53.678: IPSUB-VRFSET: [uid:7] Freeing the sg vrfset info 0x1EA52E48 *Feb 6 18:44:53.678: IPSUB: [uid:7] IPSIP Parsing HostIP: 178.214.200.2 SubnetMask= 255.255.255.0 *Feb 6 18:44:53.678: IPSUB: [uid:7] Recieved Message = update SIP config *Feb 6 18:44:53.678: IPSUB: [uid:7] Config Update event for session *Feb 6 18:44:53.678: IPSUB: [uid:7] Event config update, state changed from waiting to waiting *Feb 6 18:44:53.678: IPSUB: [uid:7] Inside processing IPSIP info *Feb 6 18:44:53.678: IPSUB: [uid:7] Processing IPSIP info: 0x1832E3CC (APPLY) *Feb 6 18:44:53.678: IPSUB: [uid:7] Got IP address- IP:-178.214.200.2 *Feb 6 18:44:53.678: IPSUB: [uid:7] Set IP address- IP:-178.214.200.2 *Feb 6 18:44:53.678: IPSUB-VRFSET: [uid:7] Applying SG VRFSET info *Feb 6 18:44:53.678: IPSUB-VRFSET: [uid:7] DHCP Initiated session, no config, ignore *Feb 6 18:44:53.678: IPSUB-ROUTE: [uid:7] Checking whether routes to be inserted/removed *Feb 6 18:44:53.678: IPSUB-ROUTE: [uid:7] Context not present, creating context *Feb 6 18:44:53.678: IPSUB-ROUTE: [uid:7] Entered the sg subrte context alloc *Feb 6 18:44:53.678: IPSUB-ROUTE: [uid:7] Returning the sg subrte context 0x198428F0 *Feb 6 18:44:53.678: IPSUB-ROUTE: [uid:7] Installed ARP entry [DFL]: 178.214.200.2 *Feb 6 18:44:53.678: IPSUB-ROUTE: [uid:7] Both IP addresses and VRF are same, no need to add route *Feb 6 18:44:53.678: IPSUB: [uid:7] Found that seg to be updated with new session keys *Feb 6 18:44:53.678: IPSUB: [uid:7] Key list to be created to update SM *Feb 6 18:44:53.678: IPSUB: [uid:7] Update IP-Address-VRF key: 178.214.200.2:0 *Feb 6 18:44:53.678: IPSUB: [uid:7] Created key list to update SM *Feb 6 18:44:53.678: IPSUB: [uid:7] Found address change to be notified *Feb 6 18:44:53.678: IPSUB: [uid:7] Session Keys Available event for session *Feb 6 18:44:53.678: IPSUB: [uid:7] Event session keys available, state changed from waiting to provisioning *Feb 6 18:44:53.678: IPSUB: [uid:7] Added session 178.214.200.2 to L3 session table *Feb 6 18:44:53.678: IPSUB: [uid:7] Added session to session table with service session keys *Feb 6 18:44:53.686: IPSUB_DP: [uid:0] Setup event for session (session hdl 3170894932) *Feb 6 18:44:53.686: IPSUB_DP: [uid:7] Added downstream entry into the classifier *Feb 6 18:44:53.686: IPSUB_DP: [uid:7] VRF = DFL, IP = 178.214.200.2, MASK = 255.255.255.0 *Feb 6 18:44:53.686: IPSUB_DP: [uid:7] Session setup successful *Feb 6 18:44:53.686: IPSUB_DP: [uid:7] Event setup-session, state changed from intiated to established *Feb 6 18:44:53.686: IPSUB_DP: [uid:7] Sent update msg to the control plane *Feb 6 18:44:53.686: IPSUB_DP: [uid:7] Activate event for session *Feb 6 18:44:53.686: IPSUB_DP: [uid:7] Event activate-session, state changed from established to connected *Feb 6 18:44:53.686: IPSUB: [uid:7] Data plane prov successful event for session *Feb 6 18:44:53.686: IPSUB: [uid:7] Event dataplane prov successful, state changed from provisioning to connected *Feb 6 18:44:53.686: IPSUB: [uid:7] Notifying about address change: 178.214.200.2 *Feb 6 18:45:00.514: IPSUB_DP: [uid:0] Found mac entry 0007.e90a.75b2

Даю: aaa new-model ! ! aaa group server radius ISG-RADIUS server-private 178.214.192.2 auth-port 1812 acct-port 1813 key 7 08344E580F120315 ip radius source-interface Loopback0 ! subscriber authorization enable ! aaa authentication login DHCP-BRAS group ISG-RADIUS aaa authorization network DHCP-BRAS group ISG-RADIUS aaa authorization subscriber-service default local ! ! class-map type traffic match-any cmt-Any-Traffic match access-group input name acl-Any match access-group output name acl-Any ! policy-map type service pms-1M class type traffic cmt-Any-Traffic police input 1000000 187500 375000 police output 1000000 187500 375000 ! policy-map type control DHCP-Subscriber class type control always event session-start 10 authorize aaa list DHCP-BRAS identifier remote-id plus circuit-id plus mac-address separator # ! class type control always event session-restart 10 authorize aaa list DHCP-BRAS identifier mac-address ! ! interface GigabitEthernet0/2.33 encapsulation dot1Q 33 ip dhcp relay information trusted ip address 178.214.200.1 255.255.255.0 ip helper-address 178.214.192.2 ip directed-broadcast arp timeout 60 service-policy type control DHCP-Subscriber ip subscriber l2-connected initiator dhcp class-aware Смотрим следующий дебаг: bras1-gdr.ki#show debugging Subscriber Service Switch/Policy rules: Subscriber Service Switch policy rules errors debugging is on Subscriber Service Switch policy rules events debugging is on Клиент отсылает DHCP DISCOVER и на ISG возникает ивент session-start: *Feb 6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE: Looking for a rule for event session-start *Feb 6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE: Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber *Feb 6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE: Evaluate "DHCP-Subscriber" for session-start *Feb 6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE: Matched "DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#cir" *Feb 6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[0]: Start *Feb 6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[0]: DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#circuit-id#ms *Feb 6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[0]: Using author method AAA service *Feb 6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[0]: Have key combo_keys *Feb 6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[0]: Using key combo_keys *Feb 6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[1]: Start *Feb 6 18:11:31.888: SSS PM [uid:983][12BB3658]: RULE[1]: DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#circuit-id#ms *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: VRF Parsing routine: keepalive "protocol ARP" service-type 5 [Outbound] ssg-account-info "Apms-1M" Т.е. радиус ответил Access-Accept'ом с тремя параметрами, включая имя сервиса. Дебаг продолжается: *Feb 6 18:11:31.900: SSS PM [12BB34B8]: RULE: Looking for a rule for event service-start *Feb 6 18:11:31.900: SSS PM [12BB34B8]: RULE: Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber *Feb 6 18:11:31.900: SSS PM [12BB34B8]: RULE: Evaluate "DHCP-Subscriber" for service-start *Feb 6 18:11:31.900: SSS PM [12BB34B8]: RULE: Intf AccessIE Gi0/2.33: service-rule any: DHCP-Subscriber *Feb 6 18:11:31.900: SSS PM [12BB34B8]: RULE: Evaluate "DHCP-Subscriber" for service-start *Feb 6 18:11:31.900: SSS PM [12BB34B8]: RULE: Intf InputI/f Gi0/2.33: service-rule any: DHCP-Subscriber *Feb 6 18:11:31.900: SSS PM [12BB34B8]: RULE: Evaluate "DHCP-Subscriber" for service-start *Feb 6 18:11:31.900: SSS PM [12BB34B8]: RULE: Glob: service-rule any: None *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[0]: Continue *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[0]: DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#circuit-id#ms *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[0]: Author finished *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[1]: Continue *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[1]: DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#circuit-id#ms *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[1]: TAL authorization succesful, stop *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[2]: Continue *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[2]: DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#circuit-id#ms *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[2]: Give default directive *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[3]: Continue *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE[3]: DHCP-Subscriber/always event session-start/10 authorize aaa list DHCP-BRAS identifier remote-id#circuit-id#ms *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Looking for a rule for event session-default-service *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Evaluate "DHCP-Subscriber" for session-default-service *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Intf AccessIE Gi0/2.33: service-rule any: DHCP-Subscriber *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Evaluate "DHCP-Subscriber" for session-default-service *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Intf InputI/f Gi0/2.33: service-rule any: DHCP-Subscriber *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Evaluate "DHCP-Subscriber" for session-default-service *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Glob: service-rule any: None *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Looking for a rule for event session-service-found *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Evaluate "DHCP-Subscriber" for session-service-found *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Intf AccessIE Gi0/2.33: service-rule any: DHCP-Subscriber *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Evaluate "DHCP-Subscriber" for session-service-found *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Intf InputI/f Gi0/2.33: service-rule any: DHCP-Subscriber *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Evaluate "DHCP-Subscriber" for session-service-found *Feb 6 18:11:31.900: SSS PM [uid:983][12BB3658]: RULE: Glob: service-rule any: None *Feb 6 18:11:31.904: SSS PM [uid:983][12BB34B8]: RULE: VRF Parsing routine: username "pms-1M" clid-mac-addr 00 07 E9 0A 75 B2 password <hidden> traffic-class "output access-group name acl-Any" traffic-class "input access-group name acl-Any" ssg-service-info "QU;1000000;187500;375000;D;1000000;187500;375000" *Feb 6 18:11:31.904: SSS PM [uid:983][12BB34B8]: RULE: VRF Check: session logging off or not VRF dependent Все. Сессии нет. Когда клиент пускает например один исходящий ICMP-пакет, дебаг едет дальше, стартуя с ивента session-restart: *Feb 6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE: Looking for a rule for event session-restart *Feb 6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE: Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber *Feb 6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE: Evaluate "DHCP-Subscriber" for session-restart *Feb 6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE: Matched "DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address" *Feb 6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[0]: Start *Feb 6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[0]: DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address *Feb 6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[0]: Using author method AAA service *Feb 6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[0]: Have key combo_keys *Feb 6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[0]: Using key combo_keys *Feb 6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[1]: Start *Feb 6 18:18:18.678: SSS PM [uid:989][12BB3658]: RULE[1]: DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address *Feb 6 18:18:18.682: SSS PM [uid:989][12BB3658]: RULE: VRF Parsing routine: keepalive "protocol ARP" service-type 5 [Outbound] ssg-account-info "Apms-1M" *Feb 6 18:18:18.682: SSS PM [12BB34B8]: RULE: Looking for a rule for event service-start *Feb 6 18:18:18.682: SSS PM [12BB34B8]: RULE: Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber *Feb 6 18:18:18.682: SSS PM [12BB34B8]: RULE: Evaluate "DHCP-Subscriber" for service-start *Feb 6 18:18:18.682: SSS PM [12BB34B8]: RULE: Intf AccessIE Gi0/2.33: service-rule any: DHCP-Subscriber *Feb 6 18:18:18.682: SSS PM [12BB34B8]: RULE: Evaluate "DHCP-Subscriber" for service-start *Feb 6 18:18:18.682: SSS PM [12BB34B8]: RULE: Intf InputI/f Gi0/2.33: service-rule any: DHCP-Subscriber *Feb 6 18:18:18.682: SSS PM [12BB34B8]: RULE: Evaluate "DHCP-Subscriber" for service-start *Feb 6 18:18:18.682: SSS PM [12BB34B8]: RULE: Glob: service-rule any: None *Feb 6 18:18:18.682: SSS PM [uid:989][12BB3658]: RULE[0]: Continue *Feb 6 18:18:18.682: SSS PM [uid:989][12BB3658]: RULE[0]: DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address *Feb 6 18:18:18.682: SSS PM [uid:989][12BB3658]: RULE[0]: Author finished *Feb 6 18:18:18.682: SSS PM [uid:989][12BB3658]: RULE[1]: Continue *Feb 6 18:18:18.682: SSS PM [uid:989][12BB3658]: RULE[1]: DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE[1]: TAL authorization succesful, stop *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE[2]: Continue *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE[2]: DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE[2]: Give default directive *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE[3]: Continue *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE[3]: DHCP-Subscriber/always event session-restart/10 authorize aaa list DHCP-BRAS identifier mac-address *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE: Looking for a rule for event session-default-service *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE: Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE: Evaluate "DHCP-Subscriber" for session-default-service *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE: Intf AccessIE Gi0/2.33: service-rule any: DHCP-Subscriber *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE: Evaluate "DHCP-Subscriber" for session-default-service *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE: Intf InputI/f Gi0/2.33: service-rule any: DHCP-Subscriber *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE: Evaluate "DHCP-Subscriber" for session-default-service *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE: Glob: service-rule any: None *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE: Looking for a rule for event session-service-found *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE: Intf CloneSrc Gi0/2.33: service-rule any: DHCP-Subscriber *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE: Evaluate "DHCP-Subscriber" for session-service-found *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE: Intf AccessIE Gi0/2.33: service-rule any: DHCP-Subscriber *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE: Evaluate "DHCP-Subscriber" for session-service-found *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE: Intf InputI/f Gi0/2.33: service-rule any: DHCP-Subscriber *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE: Evaluate "DHCP-Subscriber" for session-service-found *Feb 6 18:18:18.686: SSS PM [uid:989][12BB3658]: RULE: Glob: service-rule any: None *Feb 6 18:18:18.686: SSS PM [uid:989][12BB34B8]: RULE: VRF Parsing routine: username "pms-1M" clid-mac-addr 00 07 E9 0A 75 B2 password <hidden> traffic-class "output access-group name acl-Any" traffic-class "input access-group name acl-Any" ssg-service-info "QU;1000000;187500;375000;D;1000000;187500;375000" *Feb 6 18:18:18.690: SSS PM [uid:989][12BB34B8]: RULE: VRF Check: session logging off or not VRF dependent *Feb 6 18:18:18.698: SSS PM [uid:989][12BB3658]: RULE: VRF Parsing routine: clid-mac-addr 00 07 E9 0A 75 B2 addr 178.214.200.2 netmask 255.255.255.255 config-source-dpm True После этого сессия отлично поднимается. Я уже сломал мозг, но не могу понять чем отличается происходящее в session-start от происходящего в session-restart, и почему первый не поднимает сессию...

Приветствую! Коллеги, кто-то сталкивался с таким поведением ISG? Сессия инициируется по DHCP Discover, срабатывает событие session-start, пользователь успешно авторизируется через Radius, Radius отдает имя сервиса...и сессия не поднимается. Поднимается она позже только после того, как от пользователя приедет первый пакет и вызовет ивент session-restart. Это поведение можно изменить? Спасибо.

А как выставляются приоритеты сервисов?

Для каждого направления лучше делать отдельный dial peer, нп. для направления "входящие звонки через E1": dial-peer voice 11 pots permission orig description Incoming from PSTN huntstop incoming called-number <тут pattern для допустимых входящих номеров> direct-inward-dial port 0:D Далее - term dial peer для отправления звонков в сторону VoIP-коробки: dial-peer voice 28106 voip description to Asterisk huntstop destination-pattern <тут pattern, аналогичный тому, что выше> voice-class codec 711 session protocol sipv2 session target sip-server dtmf-relay rtp-nte SIPv2 в примере меняете на тот протокол, который вам нужен.