NPE-G1, ISG, l2 connected subscriber и per-user static route

Bushi

Posted May 27, 2016

Понадобилась абонентам выдавать подсети. Для этого при авторизации сессии передаю по протоколу radius циске атрибут Framed-Route="192.168.101.0/24 192.168.193.226", где 192.168.193.226 - адрес абонента, 192.168.101.0/24 - адрес сети абонента. После установки сессии имеем:

sh ip route static 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2
      i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS leve18l-2
      ia - IS-IS inter area, * - candidate default, U - per-user static route
      o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
      + - replicated route, % - next hop override

Gateway of last resort is 10.242.27.254 to network 0.0.0.0
...
S        192.168.193.226 is directly connected, GigabitEthernet0/0.100
U     192.168.101.0/24 [1/0] via 192.168.193.226

Адрес 192.168.193.226 пингуется, но с циски сеть 192.168.101.0/24 недоступна. При попытке пропинговать с циски хосты сети 192.168.101.0/24 пакеты уходят на абонентский роутер, хосты отвечают, icmp reply уходят на циску, но та их обрасывает. Блокируется весь входящий трафик на циску из сети 192.168.101.0/24.

Конфигурация абонентского интерфейса:

interface GigabitEthernet0/0.100
encapsulation dot1Q 100
ip dhcp relay information option-insert 
ip dhcp relay information policy-action replace
ip unnumbered Loopback0
ip helper-address 192.168.195.254
arp authorized
service-policy type control ISGsubscribers
ip subscriber l2-connected
 initiator dhcp class-aware
end

Сессия:

#sh subscriber session detailed 
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: DHCP/IP, UID: 1, State: authen, Identity: 0000.abfa.1a00
IPv4 Address: 192.168.193.226 
Session Up-time: 01:33:07, Last Changed: 01:33:07
Switch-ID: 4097

Policy information:
 Context 6823B1EC: Handle 66000001
 AAA_id 0000000C: Flow_handle 0
 Authentication status: authen
 Downloaded User profile, excluding services:
   service-type         0   5 [Outbound]
   accounting-list      0   "BILLACC"
   addr                 0   192.168.193.226
   route                0   "192.168.101.0 255.255.255.0  192.168.193.226"
 Downloaded User profile, including services:
   service-type         0   5 [Outbound]
   accounting-list      0   "BILLACC"
   addr                 0   192.168.193.226
   route                0   "192.168.101.0 255.255.255.0  192.168.193.226"
 Config history for session (recent to oldest):
   Access-type: DHCP Client: SM
    Policy event: Service Selection Request
     Profile name: 0000.abfa.1a00, 2 references 
       service-type         0   5 [Outbound]
       accounting-list      0   "BILLACC"
       addr                 0   192.168.193.226
       route                0   "192.168.101.0 255.255.255.0  192.168.193.226"
 Rules, actions and conditions executed:
   subscriber rule-map ISGsubscribers
     condition always event session-start
       30 authorize aaa list BILLAUTH identifier mac-address

Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    857        68331                  0    Match Any
1           Out   820        57406                  0    Match Any

Features:

Static Routes:
Class-id  Configuration Status           Source
0          This feature is enabled       Peruser

Accounting:
Class-id   Dir  Packets    Bytes                 Source
0          In   857        68331                 Peruser
1          Out  820        57406                 Peruser

Configuration Sources:
Type  Active Time  AAA Service ID  Name
USR   01:33:07     -               Peruser

Как можно решить проблему?

Sign In

Bushi

Share this post

Link to post

Share on other sites

Create an account or sign in to comment

Create an account

Sign in