NPE-G1, ISG, l2 connected subscriber и per-user static route

[Bushi]

Понадобилась абонентам выдавать подсети. Для этого при авторизации сессии передаю по протоколу radius циске атрибут Framed-Route="192.168.101.0/24 192.168.193.226", где 192.168.193.226 - адрес абонента, 192.168.101.0/24 - адрес сети абонента. После установки сессии имеем:

 

sh ip route static 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2
      i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS leve18l-2
      ia - IS-IS inter area, * - candidate default, U - per-user static route
      o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
      + - replicated route, % - next hop override

Gateway of last resort is 10.242.27.254 to network 0.0.0.0
...
S        192.168.193.226 is directly connected, GigabitEthernet0/0.100
U     192.168.101.0/24 [1/0] via 192.168.193.226

 

Адрес 192.168.193.226 пингуется, но с циски сеть 192.168.101.0/24 недоступна. При попытке пропинговать с циски хосты сети 192.168.101.0/24 пакеты уходят на абонентский роутер, хосты отвечают, icmp reply уходят на циску, но та их обрасывает. Блокируется весь входящий трафик на циску из сети 192.168.101.0/24.

 

Конфигурация абонентского интерфейса:

interface GigabitEthernet0/0.100
encapsulation dot1Q 100
ip dhcp relay information option-insert 
ip dhcp relay information policy-action replace
ip unnumbered Loopback0
ip helper-address 192.168.195.254
arp authorized
service-policy type control ISGsubscribers
ip subscriber l2-connected
 initiator dhcp class-aware
end

 

Сессия:

#sh subscriber session detailed 
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: DHCP/IP, UID: 1, State: authen, Identity: 0000.abfa.1a00
IPv4 Address: 192.168.193.226 
Session Up-time: 01:33:07, Last Changed: 01:33:07
Switch-ID: 4097

Policy information:
 Context 6823B1EC: Handle 66000001
 AAA_id 0000000C: Flow_handle 0
 Authentication status: authen
 Downloaded User profile, excluding services:
   service-type         0   5 [Outbound]
   accounting-list      0   "BILLACC"
   addr                 0   192.168.193.226
   route                0   "192.168.101.0 255.255.255.0  192.168.193.226"
 Downloaded User profile, including services:
   service-type         0   5 [Outbound]
   accounting-list      0   "BILLACC"
   addr                 0   192.168.193.226
   route                0   "192.168.101.0 255.255.255.0  192.168.193.226"
 Config history for session (recent to oldest):
   Access-type: DHCP Client: SM
    Policy event: Service Selection Request
     Profile name: 0000.abfa.1a00, 2 references 
       service-type         0   5 [Outbound]
       accounting-list      0   "BILLACC"
       addr                 0   192.168.193.226
       route                0   "192.168.101.0 255.255.255.0  192.168.193.226"
 Rules, actions and conditions executed:
   subscriber rule-map ISGsubscribers
     condition always event session-start
       30 authorize aaa list BILLAUTH identifier mac-address

Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    857        68331                  0    Match Any
1           Out   820        57406                  0    Match Any

Features:

Static Routes:
Class-id  Configuration Status           Source
0          This feature is enabled       Peruser

Accounting:
Class-id   Dir  Packets    Bytes                 Source
0          In   857        68331                 Peruser
1          Out  820        57406                 Peruser

Configuration Sources:
Type  Active Time  AAA Service ID  Name
USR   01:33:07     -               Peruser

 

Как можно решить проблему?