
ASR1001X. Whitelists do not work.

Good afternoon!

Please help me find the cause of the problem.

We are using an ASR1001X as a BRAS / IPoE gateway.

 

Software: asr1001x-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin

License Level: adventerprise

To redirect subscribers to the blocking page while keeping access to the "Personal account" page open, we use the following construction:

 

!
redirect server-group RSG_BLOCKED_REDIRECT
server ip 10.10.10.10 port 444
!
class-map type traffic match-any CLS_BLOCKED_REDIRECT
match access-group input name ACL_BLOCKED_REDIRECT
!
class-map type traffic match-any CLS_BLOCKED_TRUSTED
match access-group input name ACL_BLOCKED_TRUSTED
match access-group output name ACL_BLOCKED_TRUSTED
!
policy-map type service FWPOL_BLOCKED_TRUSTED
service local
class type traffic CLS_BLOCKED_TRUSTED
!
!
policy-map type service FWPOL_BLOCKED_REDIRECT
service local
class type traffic CLS_BLOCKED_REDIRECT
 redirect to group RSG_BLOCKED_REDIRECT
!
class type traffic default in-out
 drop
!
!
policy-map type control CTRL_IPOE
class type control always event timed-policy-expiry
 1 service disconnect
!
class type control always event account-logoff
 1 service disconnect
!
class type control always event radius-timeout
 10 set-timer TIMER_UNAUTH 10
 20 service-policy type service name FWPOL_DEFAULT
!
class type control always event session-start
 10 set-timer TIMER_AUTH 10080
 20 authorize aaa list AAA_LIST_IPOE password servicemode identifier source-ip-address
 30 set-timer TIMER_UNAUTH 5
 40 service-policy type service name FWPOL_BLOCKED_TRUSTED
 50 service-policy type service name FWPOL_BLOCKED_REDIRECT
!
ip access-list extended ACL_BLOCKED_REDIRECT
permit tcp any any eq www
deny   ip any any
!
ip access-list extended ACL_BLOCKED_TRUSTED
permit udp any any eq domain
permit ip any host 10.10.10.10
permit ip host 10.10.10.10 any
!

 

10.10.10.10:80 - personal account page

10.10.10.10:444 - blocking page

The redirect does happen, but it also happens when going to the personal-account address, even though DNS access is open via the whitelist and works.

That is, the whitelists are not working.

Has anyone run into a similar problem and can share a solution?


To begin with, I would rewrite the policy maps with an explicit priority; I don't remember how they work by default..

 

policy-map type service FWPOL_BLOCKED_TRUSTED
service local
<PRIORITY> class type traffic CLS_BLOCKED_TRUSTED
!
!
policy-map type service FWPOL_BLOCKED_REDIRECT
service local
<PRIORITY> class type traffic CLS_BLOCKED_REDIRECT
 redirect to group RSG_BLOCKED_REDIRECT
!
class type traffic default in-out
 drop
!
!

the lower the priority number, the higher the priority ))


No change. And it seems to me that those are the priorities of the classes inside the service policy map. The priority of the service policy maps themselves is set in the control policy map, and there the whitelist is clearly before the redirect.

policy-map type control CTRL_IPOE
class type control always event timed-policy-expiry
 1 service disconnect
!
class type control always event account-logoff
 1 service disconnect
!
class type control always event radius-timeout
 10 set-timer TIMER_UNAUTH 10
 20 service-policy type service name FWPOL_DEFAULT
!
class type control always event session-start
 10 set-timer TIMER_AUTH 10080
 20 authorize aaa list AAA_LIST_IPOE password servicemode identifier source-ip-address 
 30 set-timer TIMER_UNAUTH 5
 40 service-policy type service name FWPOL_BLOCKED_TRUSTED
 50 service-policy type service name FWPOL_BLOCKED_REDIRECT
!


a service policy map cannot have several classes (class-default doesn't count)

in the control policy map that is just an action, like an ACE number in an ACL.

what does show subscriber session uid xxx say?

it would be good to see the output of what gets attached there


Working config

class-map type traffic match-any CM_T_NoMoney_PASS
match access-group input name CM_T_NoMoney_PASS
match access-group output name CM_T_NoMoney_PASS
!
class-map type traffic match-any CM_T_NoMoney_REDIRECT_WWW
match access-group input name CM_T_NoMoney_REDIRECT_WWW
!
class-map type traffic match-any CM_T_NoMoney_REDIRECT_DNS
match access-group input name CM_T_NoMoney_REDIRECT_DNS
!
class-map type traffic match-any CM_ANY
match access-group input name CM_T_ANY
match access-group output name CM_T_ANY
!
class-map type traffic match-any CM_ANY6
match access-group input name CM_T_ANY6
match access-group output name CM_T_ANY6
!
class-map type traffic match-any CM_T_NoMoney_PASS_HTTPS
match access-group input name CM_T_NoMoney_PASS_HTTPS
match access-group output name CM_T_NoMoney_PASS_HTTPS
!
class-map type control match-all CM_C_IPoE_RTIMEOUT_REAUTH
match timer IPoE_RTIMEOUT_REAUTH
match authen-status unauthenticated
!
class-map type control match-all CM_C_IPoE_REJECT_REAUTH
match timer IPoE_REJECT_REAUTH
match authen-status unauthenticated
!
policy-map type service NoMoney10
10 class type traffic CM_T_NoMoney_PASS
!
class type traffic default in-out
 drop
!
!
policy-map type service NoMoney500
500 class type traffic CM_T_NoMoney_REDIRECT_WWW
 redirect to group NoMoney
!
class type traffic default in-out
 drop
!
!
policy-map type service NoMoney510
510 class type traffic CM_T_NoMoney_REDIRECT_DNS
 redirect to group NoMoneyDNS
!
class type traffic default in-out
 drop
!
!
policy-map type service Internet
100 class type traffic CM_ANY
!
class type traffic default in-out
 drop
!
!
!
policy-map type service NoMoney400
400 class type traffic CM_T_NoMoney_PASS_HTTPS
 police input 128000
 police output 128000
!
class type traffic default in-out
 drop
!
policy-map type control IPoE
class type control CM_C_IPoE_RTIMEOUT_REAUTH event timed-policy-expiry
 1 service disconnect
!
class type control CM_C_IPoE_REJECT_REAUTH event timed-policy-expiry
 1 service disconnect
!
class type control always event session-start
 10 authorize aaa list IPOE password ciscoo identifier source-ip-address
 20 set-timer IPoE_REJECT_REAUTH 1
 30 service-policy type service aaa list IPOE name NoMoney10
 34 service-policy type service aaa list IPOE name NoMoney400
 40 service-policy type service aaa list IPOE name NoMoney500
 50 service-policy type service aaa list IPOE name NoMoney510
!
class type control always event service-stop
 1 service-policy type service unapply identifier service-name
!
class type control always event session-restart
 10 authorize aaa list IPOE password ciscoo identifier source-ip-address
 20 set-timer IPoE_REJECT_REAUTH 1
 30 service-policy type service aaa list IPOE name NoMoney10
 34 service-policy type service aaa list IPOE name NoMoney400
 40 service-policy type service aaa list IPOE name NoMoney500
 50 service-policy type service aaa list IPOE name NoMoney510
!
class type control always event radius-timeout
 1 set-timer IPoE_RTIMEOUT_REAUTH 1
 10 service-policy type service aaa list IPOE name NoMoney10
 14 service-policy type service aaa list IPOE name NoMoney400
 20 service-policy type service aaa list IPOE name NoMoney500
 30 service-policy type service aaa list IPOE name NoMoney510
!
!

Edited by ShyLion


In the service policy map, the number next to the class is the priority. Show the session.


> In the service policy map, the number next to the class is the priority. Show the session.

Here:

l3.asr1001-x.1#show subscriber session uid 582
Type: IPv4, UID: 582, State: authen, Identity: 10.27.1.27
IPv4 Address: 10.27.1.27
Session Up-time: 06:23:26, Last Changed: 06:23:25
Switch-ID: 6422 

Policy information:
 Authentication status: authen
 Active services associated with session:
   name "FWPOL_BLOCKED_TRUSTED", applied before account logon
   name "FWPOL_BLOCKED_REDIRECT", applied before account logon
 Rules, actions and conditions executed:
   subscriber rule-map CTRL_IPOE
     condition always event session-start
       10 set-timer TIMER_AUTH 10080
       20 authorize aaa list AAA_LIST_IPOE identifier source-ip-address
   subscriber rule-map default-internal-rule
     condition always event service-start
       1 service-policy type service identifier service-name
   subscriber rule-map default-internal-rule
     condition always event service-start
       1 service-policy type service identifier service-name
   subscriber rule-map default-internal-rule
     condition always event service-start
       1 service-policy type service identifier service-name
   subscriber rule-map default-internal-rule
     condition always event service-start
       1 service-policy type service identifier service-name
   subscriber rule-map default-internal-rule
     condition always event service-stop
       1 service-policy type service unapply identifier service-name
   subscriber rule-map default-internal-rule
     condition always event service-stop
       1 service-policy type service unapply identifier service-name
Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    1437       365508                 0    Match Any
1           Out   691        591049                 0    Match Any
402         In    64         8052                   0    Match ACL ACL_BLOCKED_REDIRECT
404         In    274        23400                  0    Match ACL ACL_BLOCKED_TRUSTED
405         Out   595        579029                 0    Match ACL ACL_BLOCKED_TRUSTED
4294967294  In    1099       334056                 -    Drop

Template Id : 210

Features:

Accounting:
Class-id   Dir  Packets    Bytes                 Source
0          In   338        31452                 Peruser
1          Out  691        591049                Peruser

L4 Redirect:
Class-id   Rule cfg  Definition                               Source
402        #1   SVC  to group RSG_BLOCKED_REDIRECT            FWPOL_BLOCKED_REDIRECT

Policing:
Class-id   Dir  Avg. Rate   Normal Burst  Excess Burst Source
0          In   5120000     960000        1920000      Peruser
1          Out  5120000     960000        1920000      Peruser

Configuration Sources:
Type  Active Time  AAA Service ID  Name
SVC   06:23:26     -               FWPOL_BLOCKED_REDIRECT
SVC   06:23:26     -               FWPOL_BLOCKED_TRUSTED
USR   06:23:26     -               Peruser
INT   06:23:26     -               TenGigabitEthernet0/0/0.6






class type traffic CLS_BLOCKED_REDIRECT

change to

100 class type traffic CLS_BLOCKED_REDIRECT

and class type traffic CLS_BLOCKED_TRUSTED

to

90 class type traffic CLS_BLOCKED_TRUSTED

When you make services for Internet access, use something below 90.. (if there is a peering zone, give it, say, 10, and the Internet 20).


pay attention to the section

Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    1437       365508                 0    Match Any
1           Out   691        591049                 0    Match Any
402         In    64         8052                   0    Match ACL ACL_BLOCKED_REDIRECT
404         In    274        23400                  0    Match ACL ACL_BLOCKED_TRUSTED
405         Out   595        579029                 0    Match ACL ACL_BLOCKED_TRUSTED
4294967294  In    1099       334056                 -    Drop

 

the Pri. column shows the priorities of the services used when looking for traffic matches; as you can see, they are all equal, and who knows how it picks which service to Match.


For show subscriber session detail there is a section Config history for session (recent to oldest).

It goes from the most recently applied service back to the first.


> pay attention to the section
>
> Classifiers:
> Class-id    Dir   Packets    Bytes                  Pri.  Definition
> 0           In    1437       365508                 0    Match Any
> 1           Out   691        591049                 0    Match Any
> 402         In    64         8052                   0    Match ACL ACL_BLOCKED_REDIRECT
> 404         In    274        23400                  0    Match ACL ACL_BLOCKED_TRUSTED
> 405         Out   595        579029                 0    Match ACL ACL_BLOCKED_TRUSTED
> 4294967294  In    1099       334056                 -    Drop
>
> the Pri. column shows the priorities of the services used when looking for traffic matches; as you can see, they are all equal, and who knows how it picks which service to Match.

Thanks!

I set priorities on the classes and everything started working; the classifiers now look like this:

 

Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    20843      1955239                0    Match Any
1           Out   54020      71227045               0    Match Any
22          In    8          440                    100  Match ACL ACL_BLOCKED_TRUSTED
23          Out   13         3797                   100  Match ACL ACL_BLOCKED_TRUSTED
24          In    13         4143                   500  Match ACL ACL_BLOCKED_REDIRECT
4294967294  In    59         3326                   -    Drop

 

Many thanks to everyone!!!
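As an added example (not part of the thread), here is a Python check that parses the Classifiers section of `show subscriber session` output and reports ACL classes that share a priority in the same direction, which is the condition the replies above trace the broken whitelist to; it also lists the ACL classes in evaluation order (lower Pri. first, as stated in the thread). The two tables posted above, before and after the fix, are embedded as sample input.

```python
import re
from collections import defaultdict
# One row of the Classifiers table, e.g. "402  In  64  8052  0  Match ACL ACL_BLOCKED_REDIRECT"
ROW_RE = re.compile(r"^(?P<cid>\d+)\s+(?P<dir>In|Out)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
                    r"(?P<pri>\d+|-)\s+(?P<defn>.+?)\s*$")

# Sample input: the two Classifiers tables posted in this thread, before and after priorities were set.
BEFORE = """\
Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    1437       365508                 0    Match Any
1           Out   691        591049                 0    Match Any
402         In    64         8052                   0    Match ACL ACL_BLOCKED_REDIRECT
404         In    274        23400                  0    Match ACL ACL_BLOCKED_TRUSTED
405         Out   595        579029                 0    Match ACL ACL_BLOCKED_TRUSTED
4294967294  In    1099       334056                 -    Drop
"""
AFTER = """\
Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    20843      1955239                0    Match Any
1           Out   54020      71227045               0    Match Any
22          In    8          440                    100  Match ACL ACL_BLOCKED_TRUSTED
23          Out   13         3797                   100  Match ACL ACL_BLOCKED_TRUSTED
24          In    13         4143                   500  Match ACL ACL_BLOCKED_REDIRECT
4294967294  In    59         3326                   -    Drop
"""
def parse_classifiers(text):
    """Parse the rows that follow 'Classifiers:' up to the next blank line; [] if absent."""
    section = text.partition("Classifiers:")[2].split("\n\n", 1)[0]
    rows = []
    for m in filter(None, map(ROW_RE.match, section.splitlines())):  # header line does not match
        row = m.groupdict()
        row["pri"] = None if row["pri"] == "-" else int(row["pri"])  # '-' = no priority (Drop)
        rows.append(row)
    return rows

def priority_conflicts(rows):
    """ACL classifiers that share a priority in the same direction: {(dir, pri): [acl, ...]}."""
    groups = defaultdict(set)
    for r in rows:
        if r["defn"].startswith("Match ACL "):
            groups[(r["dir"], r["pri"])].add(r["defn"].split()[-1])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def match_order(rows, direction):
    """ACL classifiers for one direction in evaluation order (lower Pri. number first)."""
    acl_rows = [r for r in rows if r["dir"] == direction and r["defn"].startswith("Match ACL ")]
    return [r["defn"].split()[-1] for r in sorted(acl_rows, key=lambda r: r["pri"])]
```

On the BEFORE table the check reports the inbound REDIRECT and TRUSTED ACLs both at priority 0 (ambiguous order); on the AFTER table there is no conflict and TRUSTED (100) is evaluated before REDIRECT (500).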
