Cisco ISG on a 7206VXR. How do I bypass NAT before the redirect to the authorization portal?

Hi all.

I have a Cisco box with ISG functionality that redirects clients to an authorization portal when they try to go out to the internet. The clients get private (grey) addresses via DHCP, which are NATed when they go out to the internet, so after the redirect to the authorization portal all clients show up under one and the same IP.

How can I make the portal see the clients under their grey addresses? I want to split the clients into five groups by IP address.

 

The BVI interfaces are used for link redundancy, don't let that confuse you.

 

sh run
Building configuration...

Current configuration : 23393 bytes
!
! Last configuration change at 01:00:51 MSK Tue Jul 5 2016 by stark
! NVRAM config last updated at 11:37:06 MSK Fri Jul 1 2016 by stark
!
version 12.2
no service pad
no service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
!
hostname R7206-itc-hp3
!
boot-start-marker
boot system disk2:c7200p-advipservicesk9-mz.122-33.SRD8.bin
boot-end-marker
!
logging buffered 2048000
enable secret 5 $1$fndN$KaUpu3to8WHFgJgeGj90q/
!
aaa new-model
!
!
aaa group server radius SME_AAA
server 61.159.0.119 auth-port 1645 acct-port 1646
!
aaa authentication login VTY local
aaa authentication login IP_AUTHEN_LIST group SME_AAA
aaa authentication ppp VPDN_AUTH local
aaa authorization console
aaa authorization exec VTY local 
aaa authorization network default group SME_AAA 
aaa authorization network AUTHOR_LIST1 group SME_AAA 
aaa authorization network VPDN_AUTH local 
aaa authorization network VPDN_AUTHOR none 
aaa authorization subscriber-service default local group SME_AAA 
aaa accounting delay-start vrf default
aaa accounting delay-start all
aaa accounting update periodic 1
aaa accounting network default none
aaa accounting network SME_ACCT_LIST start-stop group SME_AAA
aaa accounting network NO_ACC none
!
!
!
!
aaa server radius dynamic-author
client 61.159.0.119
client 61.159.0.120
client 61.159.0.116
client 61.159.0.122
server-key 7 0231307834250000674B10
port 1712
auth-type any
!
aaa session-id common
clock timezone MSK 3
ip subnet-zero
ip source-route
ip vrf MGT
rd 40:0
!
!
!
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 172.19.0.1 172.19.0.20
ip dhcp excluded-address 10.40.2.251 10.40.2.255
ip dhcp excluded-address 10.45.3.250 10.45.3.254
ip dhcp excluded-address 10.40.3.250 10.40.3.254
ip dhcp excluded-address 10.45.3.1
ip dhcp excluded-address 10.40.2.1
ip dhcp excluded-address 172.16.130.1
ip dhcp excluded-address 10.45.3.251
ip dhcp excluded-address 172.16.0.1 172.16.0.10
ip dhcp excluded-address 172.16.1.1 172.16.1.10
ip dhcp excluded-address 172.16.2.1 172.16.2.10
ip dhcp excluded-address 172.16.3.1 172.16.3.10
ip dhcp excluded-address 172.16.4.1 172.16.4.10
ip dhcp excluded-address 172.16.5.1 172.16.5.10
ip dhcp excluded-address 172.16.6.1 172.16.6.10
ip dhcp excluded-address 172.19.128.1 172.19.128.10
ip dhcp excluded-address 172.19.144.1 172.19.144.10
ip dhcp excluded-address 172.19.160.1 172.19.160.10
ip dhcp excluded-address 172.19.176.1 172.19.176.10
ip dhcp excluded-address 172.19.192.1 172.19.192.10
!
ip dhcp pool VL730
  network 172.16.130.0 255.255.255.0
  default-router 172.16.130.1 
  dns-server 61.159.14.10 8.8.8.8 
  lease 0 12
!
ip dhcp pool VL710
  network 172.16.0.0 255.255.255.0
  default-router 172.16.0.1 
  dns-server 61.159.14.10 8.8.8.8 
  lease 0 12
!
ip dhcp pool VL711
  network 172.16.1.0 255.255.255.0
  default-router 172.16.1.1 
  dns-server 61.159.14.10 8.8.8.8 
  lease 0 12
!
ip dhcp pool VL712
  network 172.16.2.0 255.255.255.0
  default-router 172.16.2.1 
  dns-server 61.159.14.10 8.8.8.8 
  lease 0 12
!
ip dhcp pool VL714
  network 172.16.4.0 255.255.255.0
  default-router 172.16.4.1 
  dns-server 61.159.14.10 8.8.8.8 
  lease 0 12
!
ip dhcp pool VL715
  network 172.16.5.0 255.255.255.0
  default-router 172.16.5.1 
  dns-server 61.159.14.10 8.8.8.8 
  lease 0 12
!
ip dhcp pool VL716
  network 172.16.6.0 255.255.255.0
  default-router 172.16.6.1 
  dns-server 61.159.14.10 8.8.8.8 
  lease 0 12
!
ip dhcp pool VL713
  network 172.16.3.0 255.255.255.0
  default-router 172.16.3.1 
  dns-server 61.159.14.10 8.8.8.8 
  lease 0 12
!
ip dhcp pool VL703
  network 10.40.2.0 255.255.254.0
  default-router 10.40.2.1 
  option 43 hex f104.0a01.013d
  dns-server 61.159.14.10 
  lease 2
!
ip dhcp pool VL717
  network 172.19.0.0 255.255.128.0
  default-router 172.19.0.1 
  dns-server 61.159.14.10 8.8.8.8 
  lease 0 12
!
ip dhcp pool VL705
  network 10.45.2.0 255.255.254.0
  default-router 10.45.3.1 
  dns-server 61.159.14.10 
  option 43 hex f104.0a01.01fb
  lease 2
!
ip dhcp pool VL723
  network 172.19.128.0 255.255.240.0
  default-router 172.19.128.1 
  dns-server 61.159.14.10 8.8.8.8 
  lease 0 12
!
ip dhcp pool VL724
  network 172.19.144.0 255.255.240.0
  default-router 172.19.144.1 
  dns-server 61.159.14.10 8.8.8.8 
  lease 0 12
!
ip dhcp pool VL725
  network 172.19.160.0 255.255.240.0
  default-router 172.19.160.1 
  dns-server 61.159.14.10 8.8.8.8 
  lease 0 12
!
ip dhcp pool VL726
  network 172.19.176.0 255.255.240.0
  default-router 172.19.176.1 
  dns-server 61.159.14.10 8.8.8.8 
  lease 0 12
!
ip dhcp pool VL727
  network 172.19.192.0 255.255.240.0
  default-router 172.19.192.1 
  dns-server 61.159.14.10 8.8.8.8 
  lease 0 12
!
!
ip cef
ip flow-cache entries 8192
no ip domain lookup
ip domain name wtc.msk.ru
ip name-server 61.159.14.10
ip name-server 61.159.14.20
login delay 1
login on-failure log
!
subscriber feature prepaid default
threshold time 120 seconds
threshold volume 0 bytes
interim-interval 1 minutes
method-list author AUTHOR_LIST1
method-list accounting SME_ACCT_LIST
password WTC_PolicyKey
!
subscriber service password 7 13322331343C0B2622273118303B
redirect server-group SME_PORTAL
server ip 61.159.0.116 port 3200
!
redirect server-group TEST_PORTAL
server ip 61.159.0.120 port 3400
!
multilink bundle-name authenticated
vpdn enable
vpdn source-ip 61.159.0.114
vpdn session accounting network NO_ACC
vpdn session-limit 2
!
vpdn-group VPDN
! Default PPTP VPDN group
accept-dialin
 protocol pptp
 virtual-template 1
source-ip 61.159.0.114
!
!
crypto pki trustpoint TP-self-signed-36323601
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-36323601
revocation-check none
rsakeypair TP-self-signed-36323601
!
!
crypto pki certificate chain TP-self-signed-36323601
certificate self-signed 01
 3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
 2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274 
 69666963 6174652D 33363332 33363031 301E170D 31333038 31333039 32363330 
 5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53 
 2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D333633 32333630 
 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100A81A 
 C1AA88F7 E8D6EADB 30189824 87D389A6 040C428B 5D07120B CFFA8D2F BEC182CB 
 8414507E 9901AF65 1AD07C92 5C0A8C0A 350BB291 2F1A9F35 BAC9EEB8 298757C1 
 2957CC7A FC129DB5 96C19182 24AD5C68 E9C52BAD 178F0F09 979ECEFC 51029BE0 
 03F4813F 990822E2 116907AE BB8802AB 09CCF3D9 0E2189B5 6A437A7A 00EF0203 
 010001A3 78307630 0F060355 1D130101 FF040530 030101FF 30230603 551D1104 
 1C301A82 18523732 30362D69 74632D68 70332E77 74632E6D 736B2E72 75301F06 
 03551D23 04183016 8014FBB9 715B701D 1E467224 8DFF696D E55408D4 501A301D 
 0603551D 0E041604 14FBB971 5B701D1E 4672248D FF696DE5 5408D450 1A300D06 
 092A8648 86F70D01 01040500 03818100 097FCA7F E9E85FF0 489CC9B9 5A5D6AD6 
 B57356EA 4BC02FC5 CA261B05 3620E6BB B0D6FFBF 4135ED53 A73D23E0 63E58E81 
 A213A7E0 60F0C20F C0CEDEE6 DA8462BD B2E6740A BF167626 35F14695 0D0705A8 
 C0A6E705 ADA32721 4780EC0A B2B7AAAE 59DD3820 AEDD758B 2A575A27 30DBD59E 
 7CB07D78 970393C9 C1FDB8BA 64825B7E
 quit
archive
log config
 hidekeys
username crocdtk password 7 1414005B0F201E00
username vpdn1 privilege 0 password 7 02050D4808095E
!
!
ip ssh version 2
class-map type traffic match-any TC_OPENGARDEN
match access-group input name OPENGARDEN_ACL_IN
match access-group output name OPENGARDEN_ACL_OUT
!
class-map type traffic match-any TC_L4REDIRECT
match access-group input name ACL_L4REDIRECT
!
class-map type control match-all TAL_IP_BASED
match source-ip-address 0.0.0.0 0.0.0.0 
!
class-map type control match-all IP_UNAUTH_COND
match timer IP_UNAUTH_TIMER 
match authen-status unauthenticated 
!
policy-map type service OPENGARDEN_SERVICE
20 class type traffic TC_OPENGARDEN
!
!
policy-map type service SRV_L4REDIRECT
5 class type traffic TC_L4REDIRECT
 redirect to group SME_PORTAL
!
!
policy-map type service TEST_L4REDIRECT
5 class type traffic TC_L4REDIRECT
 redirect to group TEST_PORTAL
!
!
policy-map type control SME_POLICY_RULE
class type control IP_UNAUTH_COND event timed-policy-expiry
 10 service disconnect
!
class type control always event session-start
 10 service-policy type service name PBHK_SERVICE
 20 service-policy type service name SRV_L4REDIRECT
 30 service-policy type service name OPENGARDEN_SERVICE
 40 set-timer IP_UNAUTH_TIMER 600
!
class type control always event session-restart
 10 service-policy type service name PBHK_SERVICE
 20 service-policy type service name SRV_L4REDIRECT
 30 service-policy type service name OPENGARDEN_SERVICE
 40 set-timer IP_UNAUTH_TIMER 600
!
class type control always event account-logon
 10 authenticate aaa list IP_AUTHEN_LIST 
 20 service-policy type service unapply name SRV_L4REDIRECT
!
class type control always event service-start
 10 service-policy type service identifier service-name
!
class type control always event service-stop
 1 service-policy type service unapply identifier service-name
 10 service-policy type service unapply identifier service-name
!
!
policy-map type control TAL_IP_BASED
class type control TAL_IP_BASED event session-start
 5 service-policy type service name OPENGARDEN_SERVICE
 7 set-timer IP_UNAUTH_TIMER 1
 10 authorize aaa list AUTHOR_LIST1 password cisco identifier source-ip-address
!
class type control IP_UNAUTH_COND event timed-policy-expiry
 10 service disconnect
!
!
policy-map type control SME_POLICY_RULE_VPDN
class type control IP_UNAUTH_COND event timed-policy-expiry
 10 service disconnect
!
class type control always event session-start
 10 service-policy type service name PBHK_SERVICE
 20 service-policy type service name SRV_L4REDIRECT
 30 service-policy type service name OPENGARDEN_SERVICE
 40 set-timer IP_UNAUTH_TIMER 600
!
class type control always event session-restart
 10 service-policy type service name PBHK_SERVICE
 20 service-policy type service name SRV_L4REDIRECT
 30 service-policy type service name OPENGARDEN_SERVICE
 40 set-timer IP_UNAUTH_TIMER 600
!
class type control always event account-logon
 10 authenticate aaa list IP_AUTHEN_LIST 
 20 service-policy type service unapply name SRV_L4REDIRECT
!
class type control always event service-start
 10 service-policy type service name PBHK_SERVICE
 20 service-policy type service name L4REDIRECT_SERVICE
 30 service-policy type service name OPENGARDEN_SERVICE
!
class type control always event service-stop
 1 service-policy type service unapply identifier service-name
 10 service-policy type service unapply identifier service-name
!
!
policy-map type control TEST_POLICY_RULE
class type control IP_UNAUTH_COND event timed-policy-expiry
 10 service disconnect
!
class type control always event session-start
 10 service-policy type service name PBHK_SERVICE
 20 service-policy type service name TEST_L4REDIRECT
 30 service-policy type service name OPENGARDEN_SERVICE
 40 set-timer IP_UNAUTH_TIMER 600
!
class type control always event session-restart
 10 service-policy type service name PBHK_SERVICE
 20 service-policy type service name TEST_L4REDIRECT
 30 service-policy type service name OPENGARDEN_SERVICE
 40 set-timer IP_UNAUTH_TIMER 600
!
class type control always event account-logon
 10 authenticate aaa list IP_AUTHEN_LIST 
 20 service-policy type service unapply name TEST_L4REDIRECT
!
class type control always event service-start
 10 service-policy type service identifier service-name
!
class type control always event service-stop
 1 service-policy type service unapply identifier service-name
 10 service-policy type service unapply identifier service-name
!
class type control always event account-logoff
 1 service disconnect delay 3
!
!
! 
!
bridge irb
!
!
!
!
interface Loopback0
ip address 10.10.1.1 255.255.255.255
!
interface GigabitEthernet0/1
no ip address
media-type rj45
speed auto
duplex auto
negotiation auto
!
interface GigabitEthernet0/1.40
encapsulation dot1Q 40
bridge-group 40
!
interface GigabitEthernet0/1.93
encapsulation dot1Q 93
bridge-group 93
!
interface GigabitEthernet0/1.703
encapsulation dot1Q 703
bridge-group 203
!
interface GigabitEthernet0/1.705
encapsulation dot1Q 705
bridge-group 205
!
interface GigabitEthernet0/1.710
encapsulation dot1Q 710
bridge-group 210
!
interface GigabitEthernet0/1.711
encapsulation dot1Q 711
bridge-group 211
!
interface GigabitEthernet0/1.712
encapsulation dot1Q 712
bridge-group 212
!
interface GigabitEthernet0/1.713
encapsulation dot1Q 713
bridge-group 213
!
interface GigabitEthernet0/1.714
encapsulation dot1Q 714
bridge-group 214
!
interface GigabitEthernet0/1.715
encapsulation dot1Q 715
bridge-group 215
!
interface GigabitEthernet0/1.716
encapsulation dot1Q 716
bridge-group 216
!
interface GigabitEthernet0/1.717
encapsulation dot1Q 717
bridge-group 217
!
interface GigabitEthernet0/1.730
encapsulation dot1Q 730
bridge-group 130
!
interface GigabitEthernet0/1.740
encapsulation dot1Q 740
bridge-group 140
!
interface FastEthernet0/2
no ip address
shutdown
speed auto
duplex auto
!
interface GigabitEthernet0/2
no ip address
media-type rj45
speed auto
duplex auto
negotiation auto
!
interface GigabitEthernet0/2.40
encapsulation dot1Q 40
bridge-group 40
!
interface GigabitEthernet0/2.93
encapsulation dot1Q 93
bridge-group 93
!
interface GigabitEthernet0/2.703
encapsulation dot1Q 703
bridge-group 203
!
interface GigabitEthernet0/2.705
encapsulation dot1Q 705
bridge-group 205
!
interface GigabitEthernet0/2.710
encapsulation dot1Q 710
bridge-group 210
!
interface GigabitEthernet0/2.711
encapsulation dot1Q 711
bridge-group 211
!
interface GigabitEthernet0/2.712
encapsulation dot1Q 712
bridge-group 212
!
interface GigabitEthernet0/2.713
encapsulation dot1Q 713
bridge-group 213
!
interface GigabitEthernet0/2.714
encapsulation dot1Q 714
bridge-group 214
!
interface GigabitEthernet0/2.715
encapsulation dot1Q 715
bridge-group 215
!
interface GigabitEthernet0/2.716
encapsulation dot1Q 716
bridge-group 216
!
interface GigabitEthernet0/2.717
encapsulation dot1Q 717
bridge-group 217
!
interface GigabitEthernet0/2.730
encapsulation dot1Q 730
bridge-group 130
!
interface GigabitEthernet0/2.740
encapsulation dot1Q 740
bridge-group 140
!
interface GigabitEthernet0/3
no ip address
shutdown
media-type rj45
speed auto
duplex auto
negotiation auto
!
interface Virtual-Template1 
description #VPN_for_Inline-Croc
ip address 4.4.4.1 255.255.255.0
ip nat inside
peer ip address forced
peer default ip address pool VPDN_POOL
ppp authentication ms-chap-v2 chap
ppp authorization VPDN_AUTHOR
service-policy type control SME_POLICY_RULE
!
interface BVI40
description #MGT vrf for management only
ip address 10.1.1.40 255.255.255.0
ip nat outside
!
interface BVI93
description #ASR_Servers
ip address 61.159.0.114 255.255.255.240
ip access-group BVI93_IN in
ip nat outside
ip portbundle outside
!
interface BVI130
description -=LAN Users Group 730=-
ip address 172.16.130.1 255.255.255.0
ip nat inside
service-policy type control TEST_POLICY_RULE
ip subscriber routed
 initiator dhcp
!
interface BVI140
description -=Real IP LAN Users Group 740=-
ip address 61.159.0.65 255.255.255.248
service-policy type control TAL_IP_BASED
ip subscriber routed
 initiator unclassified ip-address
!
interface BVI203
description VLAN703 AP management
ip address 10.40.2.1 255.255.254.0
!
interface BVI205
description VLAN705 temporary AP managment
ip address 10.45.3.1 255.255.254.0
!
interface BVI210
description VLAN710 Users WiFi
ip address 172.16.0.1 255.255.255.0
ip nat inside
service-policy type control SME_POLICY_RULE
ip subscriber routed
 initiator dhcp
!
interface BVI211
description VLAN711 Users WiFi
ip address 172.16.1.1 255.255.255.0
ip nat inside
service-policy type control SME_POLICY_RULE
ip subscriber routed
 initiator dhcp
!
interface BVI212
description VLAN712 Users WiFi
ip address 172.16.2.1 255.255.255.0
ip nat inside
service-policy type control SME_POLICY_RULE
ip subscriber routed
 initiator dhcp
!
interface BVI213
description VLAN713 Users WiFi
ip address 172.16.3.1 255.255.255.0
ip nat inside
service-policy type control SME_POLICY_RULE
ip subscriber routed
 initiator dhcp
!
interface BVI214
description VLAN714 Users WiFi
ip address 172.16.4.1 255.255.255.0
ip nat inside
service-policy type control SME_POLICY_RULE
ip subscriber routed
 initiator dhcp
!
interface BVI215
description VLAN715 Users WiFi
ip address 172.16.5.1 255.255.255.0
ip nat inside
service-policy type control SME_POLICY_RULE
ip subscriber routed
 initiator dhcp
!
interface BVI216
description VLAN716 Users WiFi
ip address 172.16.6.1 255.255.255.0
ip nat inside
service-policy type control SME_POLICY_RULE
ip subscriber routed
 initiator dhcp
!
interface BVI217
description VLAN717 Users WiFi
ip address 172.19.0.1 255.255.128.0
ip nat inside
service-policy type control SME_POLICY_RULE
ip subscriber routed
 initiator dhcp
!
ip local pool VPDN_POOL 4.4.4.2 4.4.4.20
ip nat translation timeout 900
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 60
ip nat inside source list NATBVI40 interface BVI40 overload
ip nat inside source list NATBVI93 interface BVI93 overload
!
ip portbundle
match access-list 198
source BVI93
!
ip classless
ip route 0.0.0.0 0.0.0.0 61.159.0.113
ip route vrf MGT 0.0.0.0 0.0.0.0 10.1.1.1
!
ip flow-export source BVI93
ip flow-export version 5
ip flow-export destination 61.159.0.121 9800
!
no ip http server
no ip http secure-server
!
ip access-list standard SNMP
permit 61.159.0.56
permit 61.159.0.62
permit 61.159.14.48
permit 61.159.14.19
permit 61.159.14.25
permit 61.159.14.26
permit 10.1.1.254
ip access-list standard VTY
permit 10.1.1.0 0.0.0.255
permit 61.159.14.0 0.0.0.255
permit 61.159.0.0 0.0.0.63
!
ip access-list extended ACL_L4REDIRECT
deny   ip any 61.159.0.112 0.0.0.15
deny   ip any 10.1.1.0 0.0.0.255
permit tcp any any eq www
ip access-list extended BVI93_IN
permit ip any any
ip access-list extended INTERNET_ACL_IN
permit ip any any
ip access-list extended INTERNET_ACL_OUT
permit ip any any
ip access-list extended NATBVI40
permit ip 4.4.4.0 0.0.0.255 10.1.1.0 0.0.0.255
ip access-list extended NATBVI93
deny   ip 4.4.4.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 172.16.0.0 0.0.255.255 any
permit ip 4.4.4.0 0.0.0.255 any
permit ip 172.19.0.0 0.0.255.255 any
ip access-list extended OPENGARDEN_ACL_IN
permit ip any host 61.159.0.2
permit ip any host 61.159.1.2
permit ip any host 90.156.153.98
permit ip any 61.159.0.112 0.0.0.15
permit ip any host 61.159.14.7
permit ip any host 10.1.1.60
permit ip any host 10.1.1.61
permit ip any host 10.1.1.62
permit ip any host 93.158.134.3
permit ip any host 61.159.14.10
permit ip any host 61.159.14.20
permit ip any host 10.1.1.251
ip access-list extended OPENGARDEN_ACL_OUT
permit ip host 61.159.0.2 any
permit ip host 61.159.1.2 any
permit ip 61.159.0.112 0.0.0.15 any
permit ip host 61.159.14.7 any
permit ip host 10.1.1.60 any
permit ip host 10.1.1.61 any
permit ip host 10.1.1.62 any
permit ip host 93.158.134.3 any
permit ip host 61.159.14.10 any
permit ip host 61.159.14.20 any
permit ip host 10.1.1.251 any
ip access-list extended TAL_IPBASED
permit ip any any
!
ip radius source-interface BVI93 vrf default
ip sla 1
icmp-echo 61.159.0.113 source-ip 61.159.0.114
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now
logging trap debugging
logging facility local6
logging 61.159.0.119
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 198 permit ip any host 61.159.0.119
access-list 198 permit ip any host 61.159.0.120
access-list 198 permit ip any host 61.159.0.116
access-list 199 permit tcp any any eq www
access-list 199 permit tcp any eq www any
!
snmp-server community public RO
snmp-server location Of1 307
snmp-server contact Dmitry S. Surov
snmp-server chassis-id CISCO 7206 VXR Router
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server host 61.159.14.101 public 
!
radius-server attribute 44 include-in-access-req
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req 
radius-server attribute 32 include-in-accounting-req 
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 61 extended
radius-server attribute 31 remote-id
radius-server host 61.159.0.119 auth-port 1645 acct-port 1646 key 7 14202628330A2F3C1629373C37002C131A
radius-server retransmit 1
radius-server timeout 3
radius-server deadtime 1
radius-server key 7 046C3F25302F49593B18011E0718270133
radius-server vsa send accounting
radius-server vsa send authentication
bridge 40 protocol ieee
bridge 40 route ip
bridge 40 priority 40000
bridge 93 protocol ieee
bridge 93 route ip
bridge 93 priority 40000
bridge 130 protocol ieee
bridge 130 route ip
bridge 130 priority 40000
bridge 140 protocol ieee
bridge 140 route ip
bridge 140 priority 40000
bridge 203 protocol ieee
bridge 203 route ip
bridge 203 priority 40000
bridge 205 protocol ieee
bridge 205 route ip
bridge 205 priority 40000
bridge 210 protocol ieee
bridge 210 route ip
bridge 210 priority 40000
bridge 211 protocol ieee
bridge 211 route ip
bridge 211 priority 40000
bridge 212 protocol ieee
bridge 212 route ip
bridge 212 priority 40000
bridge 213 protocol ieee
bridge 213 route ip
bridge 213 priority 40000
bridge 214 protocol ieee
bridge 214 route ip
bridge 214 priority 40000
bridge 215 protocol ieee
bridge 215 route ip
bridge 215 priority 40000
bridge 216 protocol ieee
bridge 216 route ip
bridge 216 priority 40000
bridge 217 protocol ieee
bridge 217 route ip
bridge 217 priority 40000
!
control-plane
!
alias exec cssa cle subsc sess all
alias exec ssa show subsc sess all
alias exec ss show subsc sess
alias exec ssb show subsc sess brief
alias exec sis show interfaces status
alias exec sins show ip nat statistics
alias exec sidb sh ip dhcp binding
alias exec sidp sh ip dhcp pool
!
line con 0
exec-timeout 0 0
authorization exec VTY
login authentication VTY
length 0
stopbits 1
line aux 0
no exec
stopbits 1
line vty 0 4
access-class VTY in
exec-timeout 0 0
authorization exec VTY
login authentication VTY
transport input ssh
!
ntp clock-period 17181006
ntp master
ntp update-calendar
ntp server 61.159.14.10 source BVI40
end

R7206-itc-hp3#

Edited by Korvet_068


I actually moved NAT off to another box entirely, but for some reason, on redirect, the grey 172.19.128.... networks are still seen on the portal server 61.159.0.120 under the NATed address 61.159.0.114.

I can't figure out who is doing the NAT.

172.19.128. is not in the address translation tables!


My clients' internet egress goes through interface BVI 93.

It is marked as ip nat outside and ip portbundle outside.

NAT is already disabled and moved to another box; can the port bundle be translating the address?


Apparently it is exactly your subscriber identification feature, port bundle host key, that is doing the NAT :)

It translates the addresses of subscribers that have the PBHK_SERVICE service into the source(s) specified in

ip portbundle

source BVI93

if the traffic leaves the router through an interface with portbundle outside and is headed for a host from access-list 198.

Each session gets a block of L4 ports (a port bundle) assigned to it; the block identifier is sent to RADIUS, and the portal identifies the subscriber by it, IIRC.

UPD. Oh, you've already almost figured it out yourself :)

Here is a good doc http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-3s/isg-xe-3s-book/isg-port-bundle-key.html#GUID-C2B31F61-03AB-44D2-B41C-11EABB4CA92E

Edited by furai


What do you think, is it somehow possible to make subscribers show up on the portal under their own grey addresses?

The port bundle needs to be adjusted somehow.

 

Can several sources be specified for the port bundle?

Edited by Korvet_068


I have never seen anything in the PBHK docs about choosing a specific source for a group of subscribers. And the need for it is not very clear either, since a group's source does not give as much data about the subscriber as the AV pair from RADIUS does. Even if several sources can be specified, tomorrow you may want to identify the subscriber on the portal precisely, for example to show their balance without entering a login/password, personal offers, promotions.

 

As you probably realise yourself, for subscribers to be seen on the portal under their grey addresses you only need to disable portbundle and decide where to do NAT.

 

The other issue is that you already have a BRAS (BRASes?) configured for PBHK, and the billing/portal may be configured for it as well.

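To make the PBHK behaviour described in furai's replies concrete (the translation to the portbundle source, the per-session port block, and why the portal can still recover the grey address through the bundle rather than from the source IP), here is an added toy model in Python. It is not code from the thread, from Cisco, or from the ISG itself. The bundle length of 4 bits, the first bundle port of 64, the deterministic port offset, the local lookup table, and the five groups built from the /20 DHCP pools in the posted config (VL723 to VL727) are all assumptions made for illustration; a real ISG allocates ports inside the bundle dynamically, and a real portal obtains the subscriber behind a host key from RADIUS or the ISG, not from a table it holds itself.

```python
import ipaddress

# Assumptions for illustration (not taken from the thread or from Cisco docs):
BUNDLE_LENGTH_BITS = 4                 # 16 L4 ports per bundle
PORTS_PER_BUNDLE = 1 << BUNDLE_LENGTH_BITS
FIRST_BUNDLE_PORT = 64                 # port where bundle 0 starts

# Constructed grouping by grey address, using the /20 DHCP pools from the
# posted config (VL723..VL727) as the five groups the original poster wants.
GROUPS = {
    "VL723": ipaddress.ip_network("172.19.128.0/20"),
    "VL724": ipaddress.ip_network("172.19.144.0/20"),
    "VL725": ipaddress.ip_network("172.19.160.0/20"),
    "VL726": ipaddress.ip_network("172.19.176.0/20"),
    "VL727": ipaddress.ip_network("172.19.192.0/20"),
}


class PortBundleTable:
    """ISG-side PBHK state: one port bundle per subscriber session."""

    def __init__(self, source_ip):
        self.source_ip = source_ip      # the 'ip portbundle source' address
        self._bundle_of = {}            # grey IP -> bundle number
        self._subscriber_of = {}        # bundle number -> grey IP

    def assign(self, subscriber_ip):
        """Allocate (or return) the bundle for a subscriber session."""
        if subscriber_ip not in self._bundle_of:
            bundle = len(self._bundle_of)
            self._bundle_of[subscriber_ip] = bundle
            self._subscriber_of[bundle] = subscriber_ip
        return self._bundle_of[subscriber_ip]

    def translate(self, subscriber_ip, src_port):
        """Translate a packet leaving towards a portal host (access-list 198):
        the source IP becomes the ISG source and the source port lands inside
        the subscriber's bundle. The offset is deterministic here; a real ISG
        picks any free port within the bundle."""
        bundle = self.assign(subscriber_ip)
        offset = src_port % PORTS_PER_BUNDLE
        return self.source_ip, FIRST_BUNDLE_PORT + bundle * PORTS_PER_BUNDLE + offset

    @staticmethod
    def host_key(src_ip, src_port):
        """Portal side: derive the host key (ISG IP + first port of the bundle)
        from the translated source of the incoming HTTP connection."""
        bundle = (src_port - FIRST_BUNDLE_PORT) // PORTS_PER_BUNDLE
        return "%s:%d" % (src_ip, FIRST_BUNDLE_PORT + bundle * PORTS_PER_BUNDLE)

    def resolve(self, host_key):
        """ISG side: answer the portal's query for the subscriber behind a key."""
        ip, port = host_key.rsplit(":", 1)
        if ip != self.source_ip:
            raise KeyError("unknown port-bundle source %s" % ip)
        bundle = (int(port) - FIRST_BUNDLE_PORT) // PORTS_PER_BUNDLE
        return self._subscriber_of[bundle]


def group_of(subscriber_ip):
    """Classify a grey address into one of the five constructed groups."""
    addr = ipaddress.ip_address(subscriber_ip)
    for name, net in GROUPS.items():
        if addr in net:
            return name
    return "ungrouped"


def portal_view(table, packets):
    """For each (grey_ip, src_port) packet: what the portal sees on the wire,
    the host key it derives, the grey address recovered via the ISG, and the
    group that address falls into."""
    rows = []
    for grey_ip, port in packets:
        seen_ip, seen_port = table.translate(grey_ip, port)
        key = table.host_key(seen_ip, seen_port)
        recovered = table.resolve(key)
        rows.append((seen_ip, seen_port, key, recovered, group_of(recovered)))
    return rows


if __name__ == "__main__":
    # Constructed sample traffic: two subscribers from two of the /20 pools.
    isg = PortBundleTable("61.159.0.114")
    sample = [("172.19.130.5", 50000), ("172.19.150.7", 50001), ("172.19.130.5", 50017)]
    for row in portal_view(isg, sample):
        print(row)
```

Every row carries the same source IP, 61.159.0.114, which is exactly what the original poster observed on the portal; only the source port differs, and it is the port bundle, not the IP, that identifies the session. Once the portal resolves the host key back to the grey address it can do the five-way split by IP, so the grouping does not require several portbundle sources.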