sirmax Posted December 25, 2008

I'm trying to get to grips with ISG. Before this I had hardly dealt with Cisco routers at all, mostly with switches, so my questions may be dumb. Step one (a test): create a basic configuration with 2 user groups: 1 - with Internet, at a given speed, or more precisely with a given service; 2 - without Internet. That part actually went without any real problems. The question is about passing user parameters from RADIUS. Here is an example from cisco.com:

[code]
SERVICE_403_INTERNET
CiscoAVPair: ip:traffic-class=in access-group name ACL_IN_INTERNET_403 priority 10
CiscoAVPair: ip:traffic-class=in default drop
SERVICE INFO: QD;1024000;1024000
SERVICE INFO: QU;512000;512000
CiscoAVPair: ip:traffic-class=out access-group name ACL_OUT_INTERNET_403 priority 10
CiscoAVPair: prepaid-config=PREPAID_RSIM
CiscoAVPair: subscriber:accounting-list=BH_ACCNT_LIST
CiscoAVPair: ip:traffic-class=out default drop
[/code]

Question: where can I read about the CiscoAVPair values, and what is SERVICE INFO? The RADIUS is FreeRadius; another open question is which operator should be used: "=", "+=" or something else? Links to documentation are welcome, especially ones with live examples.
sirmax (Author) Posted December 25, 2008

OK, 50% of the questions have gone away; read carefully here: http://www.cisco.com/en/US/docs/ios/12_2sb...e/isgcaapa.html
sirmax (Author) Posted December 26, 2008

Hmm, I've run into a problem with volume-based tariffs... would anyone share an example?
sirmax (Author) Posted December 29, 2008

Hmm, almost everything works the way I wanted, but some questions remain.
1. What is Port Bundle, and what is it for?
2. With prepaid packages, 2 sessions appear: one with a speed limit, the other with a traffic limit, but when the traffic is used up the second session is not torn down... i.e. the logic is not entirely clear when one subscriber has several services. Maybe I haven't read the docs enough, but I've already read them about 10 times and it doesn't sink in...
ugenk Posted January 4, 2009

[quote]Hmm, almost everything works the way I wanted, but some questions remain.
1. What is Port Bundle, and what is it for?[/quote]
PBHK is needed when you use authorization through a web portal.
On the second question: you should probably show the config and the service definitions.
By the way, it's probably not correct to say "two sessions". There is one session, with two services active on it.
sirmax (Author) Posted January 5, 2009

ugenk, I've redone a lot and sorted out most of the questions myself. Right now I've hit the problem described here: http://www.opennet.ru/openforum/vsluhforumID6/14964.html. The symptoms look very similar: after the limit is exhausted (QV=0), judging by the debug the translation starts working, but packets don't reach the portal (not visible in tcpdump). Here are parts of the config:

[code]
policy-map type control ISG-CUSTOMERS-POLICY
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 # do not drop traffic between the moment the quota is exhausted and the RADIUS reply saying the quota really is zero (QV=0)
 class type control CLASS_PREPAID_INTERNET event quota-depleted
  1 set-param drop-traffic FALSE
 !
 # at QV=0, request service SERVICE_L4R from RADIUS and apply it (in addition to what is already there (?))
 class type control CLASS_PREPAID_INTERNET event credit-exhausted
  1 service-policy type service name SERVICE_L4R
 !
 class type control CLASS_PREPAID_INTERNET event account-logoff
  1 service disconnect
 # done following an example, no 100% understanding )
 class type control CLASS_PREPAID_INTERNET event service-stop
  1 service-policy type service unapply identifier service-name
  10 service-policy type service unapply name PREPAID_INTERNET
  20 service-policy type service name SERVICE_L4R
 !
 !
 !
 class type control always event session-start
  10 authorize aaa list ISG-AUTH-1 password ISG identifier source-ip-address
  20 set-timer UNAUTH-TIMER 1
  30 service-policy type service name SERVICE_L4R
 !
 class type control always event credit-exhausted
  1 service-policy type service name SERVICE_L4R
 !
 class type control always event quota-depleted
  1 set-param drop-traffic TRUE
 !
[/code]

And the corresponding profiles in RADIUS.

Prepaid:
[code]
PREPAID_INTERNET Password == "cisco"
        Cisco-AVPair += "ip:traffic-class=in access-group name ACL_IN_INT priority 6",
        Cisco-AVPair += "ip:traffic-class=out access-group name ACL_OUT_INT priority 6",
        Cisco-AVPair += "ip:traffic-class=out default drop",
        Cisco-AVPair += "ip:traffic-class=in default drop",
        Cisco-AVPair += "prepaid-config=TRAFFIC_PREPAID"
[/code]

Redirect:
[code]
SERVICE_L4R Password == "cisco"
        Cisco-AVPair += "ip:l4redirect=redirect list 197 to group REDIRECT_NOPAY",
        Cisco-AVpair += "traffic-class=input access-group 197",
        Cisco-AVpair += "traffic-class=output access-group 197",
        Cisco-AVPair += "ip:traffic-class=out default drop",
        Cisco-AVPair += "ip:traffic-class=in default drop"
[/code]

The user itself in MySQL:
[code]
Cisco-Service-Info = NPREPAID_INTERNET
Cisco-Control-Info += QV(computed value)
Service-Type = Outbound-User
Cisco-Account-Info | += APREPAID_INTERNET
Cisco-Account-Info | += NPREPAID_INTERNET
[/code]
ugenk Posted January 5, 2009

So show what sh sss sess det looks like before the quota runs out and after. And by the way, maybe it makes sense in class type control CLASS_PREPAID_INTERNET event credit-exhausted to first unapply PREPAID_INTERNET? In general, I have the feeling that you're confusing what service-stop and credit-exhausted are for.
sirmax (Author) Posted January 5, 2009

ugenk, maybe I am confusing them; I haven't found a description of the events: in which case each one occurs and what it is for. As far as I can tell, event credit-exhausted occurs only when AAA HAS ALREADY REPLIED that quota=0 (in my case QV=0). And service-stop, as I understand it, occurs on "logging off" at the portal; if there is no such thing, it never occurs.

Here are the sessions while there is still traffic:

[code]
mongol#sh sss session detailed
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Unique Session ID: 378
Identifier: 195.69.хх.хх
SIP subscriber access type(s): IP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 00:00:10, Last Changed: 00:00:10
Policy information:
  Context 15034AF0: Handle 960002BE
  AAA_id 00000AAE: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    ssg-service-info     "NPREPAID_INTERNET"
    ssg-control-info     "QV1000000"
    service-type         5 [Outbound]
    ssg-account-info     "APREPAID_INTERNET"
    ssg-account-info     "NPREPAID_INTERNET"
    idletime             120 (0x78)
  Downloaded User profile, including services:
    ssg-service-info     "NPREPAID_INTERNET"
    ssg-control-info     "QV1000000"
    service-type         5 [Outbound]
    ssg-account-info     "APREPAID_INTERNET"
    ssg-account-info     "NPREPAID_INTERNET"
    idletime             120 (0x78)
    traffic-class        "in access-group name ACL_IN_INT priority 6"
    traffic-class        "out access-group name ACL_OUT_INT priority 6"
    traffic-class        "out default drop"
    traffic-class        "in default drop"
  Config history for session (recent to oldest):
    Access-type: Web-service-logon Client: SM
      Policy event: Apply Config Success (Service)
      Profile name: PREPAID_INTERNET, 4 references
        traffic-class        "in access-group name ACL_IN_INT priority 6"
        traffic-class        "out access-group name ACL_OUT_INT priority 6"
        traffic-class        "out default drop"
        traffic-class        "in default drop"
    Access-type: IP Client: SM
      Policy event: Service Selection Request
      Profile name: 195.69.хх.хх, 2 references
        ssg-service-info     "NPREPAID_INTERNET"
        ssg-control-info     "QV1000000"
        service-type         5 [Outbound]
        ssg-account-info     "APREPAID_INTERNET"
        ssg-account-info     "NPREPAID_INTERNET"
        idletime             120 (0x78)
  Active services associated with session:
    name "PREPAID_INTERNET"
  Rules, actions and conditions executed:
    subscriber condition-map match-all CLASS_SERVICE_L4R
      match identifier service-name SERVICE_L4R [FALSE]
    subscriber rule-map ISG-CUSTOMERS-POLICY
      condition CLASS_SERVICE_L4R event session-start
    subscriber rule-map ISG-CUSTOMERS-POLICY
      condition always event session-start
        10 authorize aaa list ISG-AUTH-1 identifier source-ip-address
    subscriber condition-map match-all CLASS_SERVICE_L4R
      match identifier service-name SERVICE_L4R [FALSE]
    subscriber rule-map ISG-CUSTOMERS-POLICY
      condition CLASS_SERVICE_L4R event service-start
Session inbound features:
 Traffic classes:
  Traffic class session ID: 379
   ACL Name: ACL_IN_INT, Packets = 1098, Bytes = 1567944
  Default traffic is dropped
  Unmatched Packets = 0, Re-classified packets (redirected) = 0
 Feature: IP Idle Timeout
   Timeout value is 120
   Idle time is 00:00:00
Session outbound features:
 Traffic classes:
  Traffic class session ID: 379
   ACL Name: ACL_OUT_INT, Packets = 1083, Bytes = 1546524
  Default traffic is dropped
  Unmatched Packets = 0, Re-classified packets (redirected) = 0
Configuration sources associated with this session:
Service: PREPAID_INTERNET, Active Time = 00:00:11
  AAA Service ID = 654311493
Interface: GigabitEthernet0/1.613, Active Time = 00:00:11
--------------------------------------------------
Unique Session ID: 379
Identifier: 195.69.хх.хх
SIP subscriber access type(s): Traffic-Class
Current SIP options: None
Session Up-time: 00:00:10, Last Changed: 00:00:10
Policy information:
  Context 15034950: Handle CD0002BF
  AAA_id 00000AAE: Flow_handle 1
  Authentication status: unauthen
  Downloaded User profile, including services:
    traffic-class        "in access-group name ACL_IN_INT priority 6"
    traffic-class        "out access-group name ACL_OUT_INT priority 6"
    traffic-class        "out default drop"
    traffic-class        "in default drop"
  Config history for session (recent to oldest):
    Access-type: Web-service-logon Client: Service Command-Handler
      Policy event: Service-Start (Service)
      Profile name: PREPAID_INTERNET, 4 references
        traffic-class        "in access-group name ACL_IN_INT priority 6"
        traffic-class        "out access-group name ACL_OUT_INT priority 6"
        traffic-class        "out default drop"
        traffic-class        "in default drop"
  Prepaid context: TRAFFIC_PREPAID
    threshold time 1 seconds
    threshold volume 1 bytes
    method-list author ISG-AUTH-1
    method-list accounting ISG-AUTH-1
    password ISG
    Interim 1 minutes
    State PREPAID_FEATURE_RUNNING
    Flow idle at last re-author ? NO
    Total idle time 0 seconds
    Are we accounting for time consumed ? YES
    Acct start sent ? YES
Session inbound features:
 Feature: Prepaid Idle Timeout
   Timeout configuration: 120 (seconds)
 Feature: Prepaid Volume Monitor
   Threshold:999999 - Quota:1000000
   Usage(since last update):0 - Total:0
   Current states: Start
Session outbound features:
 Feature: Prepaid Idle Timeout
   Timeout configuration: 120 (seconds)
 Feature: Prepaid Volume Monitor
   Threshold:999999 - Quota:1000000
   Usage(since last update):0 - Total:0
   Current states: Start
Configuration sources associated with this session:
Service: PREPAID_INTERNET, Active Time = 00:00:11
[/code]

When it ran out:

[code]
mongol#sh sss session detailed
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Unique Session ID: 378
Identifier: 195.69.хх.хх
SIP subscriber access type(s): IP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 00:01:27, Last Changed: 00:00:27
Policy information:
  Context 15034AF0: Handle 960002BE
  AAA_id 00000AAE: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    ssg-service-info     "NPREPAID_INTERNET"
    ssg-control-info     "QV1000000"
    service-type         5 [Outbound]
    ssg-account-info     "APREPAID_INTERNET"
    ssg-account-info     "NPREPAID_INTERNET"
    idletime             120 (0x78)
  Downloaded User profile, including services:
    ssg-service-info     "NPREPAID_INTERNET"
    ssg-control-info     "QV1000000"
    service-type         5 [Outbound]
    ssg-account-info     "APREPAID_INTERNET"
    ssg-account-info     "NPREPAID_INTERNET"
    idletime             120 (0x78)
    l4redirect           "redirect list 197 to group REDIRECT_NOPAY"
    traffic-class        "input access-group 197"
    traffic-class        "output access-group 197"
    traffic-class        "out default drop"
    traffic-class        "in default drop"
  Config history for session (recent to oldest):
    Access-type: Max Client: SM
      Policy event: Apply Config Success (Service)
      Profile name: SERVICE_L4R, 4 references
        l4redirect           "redirect list 197 to group REDIRECT_NOPAY"
        traffic-class        "input access-group 197"
        traffic-class        "output access-group 197"
        traffic-class        "out default drop"
        traffic-class        "in default drop"
    Access-type: Web-service-logon Client: SM
      Policy event: Apply Config Success (Service)
      Profile name: PREPAID_INTERNET, 4 references
        traffic-class        "in access-group name ACL_IN_INT priority 6"
        traffic-class        "out access-group name ACL_OUT_INT priority 6"
        traffic-class        "out default drop"
        traffic-class        "in default drop"
    Access-type: IP Client: SM
      Policy event: Service Selection Request
      Profile name: 195.69.хх.хх, 2 references
        ssg-service-info     "NPREPAID_INTERNET"
        ssg-control-info     "QV1000000"
        service-type         5 [Outbound]
        ssg-account-info     "APREPAID_INTERNET"
        ssg-account-info     "NPREPAID_INTERNET"
        idletime             120 (0x78)
  Active services associated with session:
    name "SERVICE_L4R"
    name "PREPAID_INTERNET"
  Rules, actions and conditions executed:
    subscriber condition-map match-all CLASS_SERVICE_L4R
      match identifier service-name SERVICE_L4R [FALSE]
    subscriber rule-map ISG-CUSTOMERS-POLICY
      condition CLASS_SERVICE_L4R event session-start
    subscriber rule-map ISG-CUSTOMERS-POLICY
      condition always event session-start
        10 authorize aaa list ISG-AUTH-1 identifier source-ip-address
    subscriber condition-map match-all CLASS_SERVICE_L4R
      match identifier service-name SERVICE_L4R [FALSE]
    subscriber rule-map ISG-CUSTOMERS-POLICY
      condition CLASS_SERVICE_L4R event service-start
    subscriber rule-map ISG-CUSTOMERS-POLICY
      condition always event credit-exhausted
        1 service-policy type service name SERVICE_L4R
Session inbound features:
 Traffic classes:
  Traffic class session ID: 379
   ACL Name: ACL_IN_INT, Packets = 9031, Bytes = 12896268
  Traffic class session ID: 380
   ACL Name: 197, Packets = 0, Bytes = 0
  Default traffic is dropped
  Unmatched Packets = 0, Re-classified packets (redirected) = 0
 Feature: IP Idle Timeout
   Timeout value is 120
   Idle time is 00:00:00
 Feature: Layer 4 Redirect
   Rule table is empty
Session outbound features:
 Traffic classes:
  Traffic class session ID: 379
   ACL Name: ACL_OUT_INT, Packets = 6386, Bytes = 9119208
  Traffic class session ID: 380
   ACL Name: 197, Packets = 0, Bytes = 0
  Default traffic is dropped
  Unmatched Packets = 0, Re-classified packets (redirected) = 0
Configuration sources associated with this session:
Service: SERVICE_L4R, Active Time = 00:00:28
Service: PREPAID_INTERNET, Active Time = 00:01:28
  AAA Service ID = 654311493
Interface: GigabitEthernet0/1.613, Active Time = 00:01:28
--------------------------------------------------
Unique Session ID: 380
Identifier:
SIP subscriber access type(s): Traffic-Class
Current SIP options: None
Session Up-time: 00:00:28, Last Changed: 00:00:28
Policy information:
  Context 150347B0: Handle CA0002C1
  AAA_id 00000AAE: Flow_handle 0
  Authentication status: unauthen
  Downloaded User profile, including services:
    l4redirect           "redirect list 197 to group REDIRECT_NOPAY"
    traffic-class        "input access-group 197"
    traffic-class        "output access-group 197"
    traffic-class        "out default drop"
    traffic-class        "in default drop"
  Config history for session (recent to oldest):
    Access-type: Max Client: Service Command-Handler
      Policy event: None (Service)
      Profile name: SERVICE_L4R, 4 references
        l4redirect           "redirect list 197 to group REDIRECT_NOPAY"
        traffic-class        "input access-group 197"
        traffic-class        "output access-group 197"
        traffic-class        "out default drop"
        traffic-class        "in default drop"
Session inbound features:
 Feature: Layer 4 Redirect
   Rule Cfg Definition #1 SVC Redirect list 197 to group REDIRECT_NOPAY
Configuration sources associated with this session:
Service: SERVICE_L4R, Active Time = 00:00:28
--------------------------------------------------
Unique Session ID: 379
Identifier: 195.69.хх.хх
SIP subscriber access type(s): Traffic-Class
Current SIP options: None
Session Up-time: 00:01:28, Last Changed: 00:00:28
Policy information:
  Context 15034950: Handle CD0002BF
  AAA_id 00000AAE: Flow_handle 1
  Authentication status: unauthen
  Downloaded User profile, including services:
    traffic-class        "in access-group name ACL_IN_INT priority 6"
    traffic-class        "out access-group name ACL_OUT_INT priority 6"
    traffic-class        "out default drop"
    traffic-class        "in default drop"
  Config history for session (recent to oldest):
    Access-type: Web-service-logon Client: Service Command-Handler
      Policy event: Service-Start (Service)
      Profile name: PREPAID_INTERNET, 4 references
        traffic-class        "in access-group name ACL_IN_INT priority 6"
        traffic-class        "out access-group name ACL_OUT_INT priority 6"
        traffic-class        "out default drop"
        traffic-class        "in default drop"
  Prepaid context: TRAFFIC_PREPAID
    threshold time 1 seconds
    threshold volume 1 bytes
    method-list author ISG-AUTH-1
    method-list accounting ISG-AUTH-1
    password ISG
    Interim 1 minutes
    State CREDIT_EXHAUST_TIMER_RUNNING
    Flow idle at last re-author ? NO
    Total idle time 0 seconds
    Are we accounting for time consumed ? NO
    Acct start sent ? YES
Session inbound features:
 Feature: Prepaid Idle Timeout
   Timeout configuration: 0 (seconds)
   Idle Timer is not running
 Feature: Prepaid Absolute Time
   Timeout configuration: 120 (seconds)
 Feature: Prepaid Volume Monitor
   Threshold:N/A - Quota:Unlimited
   Usage(since last update):0 - Total:18368364
   Current states: Start
Session outbound features:
 Feature: Prepaid Idle Timeout
   Timeout configuration: 0 (seconds)
   Idle Timer is not running
 Feature: Prepaid Absolute Time
   Timeout configuration: 120 (seconds)
 Feature: Prepaid Volume Monitor
   Threshold:N/A - Quota:Unlimited
   Usage(since last update):0 - Total:18368364
   Current states: Start
Configuration sources associated with this session:
Service: PREPAID_INTERNET, Active Time = 00:01:28
[/code]

At this point almost everything is right: the 2 services are there; if a top-up is made (QV>0), the new quota is applied after the timeout (without CoA!) and the Internet works, but the redirect does not work. Although if you do sh redirect translations you can see that it is trying.
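Output like the above is hard to compare by eye once three sessions are listed. As an added example (not the poster's tooling and not a Cisco tool), here is a small Python parser for show subscriber session detailed output that splits the sessions, pulls out the active services, the prepaid state and the Layer 4 Redirect rule status, and flags the combination visible in the post-exhaustion output: the IP session 378 reports "Rule table is empty" for Layer 4 Redirect while the rule is present only on traffic-class session 380, and session 379 sits in CREDIT_EXHAUST_TIMER_RUNNING with its volume monitor now showing Quota:Unlimited. SAMPLE_OUTPUT is constructed from that output, trimmed to the fields the parser reads, with the masked address written as 195.69.xx.xx; the field names are the ones visible in the post, the indentation is approximate.

```python
"""Parse Cisco ISG "show subscriber session detailed" output and audit the
prepaid / Layer 4 Redirect state of each session.
Added example for this thread (not the poster's tooling, not Cisco's).
SAMPLE_OUTPUT is constructed from the post-exhaustion output, trimmed to
the fields read here; masked address written as 195.69.xx.xx."""
import re

SEPARATOR = "-" * 50  # dashed line ISG prints between sessions

SAMPLE_OUTPUT = """\
--------------------------------------------------
Unique Session ID: 378
Identifier: 195.69.xx.xx
SIP subscriber access type(s): IP
  Active services associated with session:
    name "SERVICE_L4R"
    name "PREPAID_INTERNET"
Session inbound features:
 Traffic classes:
  Traffic class session ID: 379
   ACL Name: ACL_IN_INT, Packets = 9031, Bytes = 12896268
  Traffic class session ID: 380
   ACL Name: 197, Packets = 0, Bytes = 0
 Feature: Layer 4 Redirect
   Rule table is empty
--------------------------------------------------
Unique Session ID: 380
Identifier:
SIP subscriber access type(s): Traffic-Class
Session inbound features:
 Feature: Layer 4 Redirect
   Rule Cfg Definition #1 SVC Redirect list 197 to group REDIRECT_NOPAY
--------------------------------------------------
Unique Session ID: 379
Identifier: 195.69.xx.xx
SIP subscriber access type(s): Traffic-Class
  Prepaid context: TRAFFIC_PREPAID
    State CREDIT_EXHAUST_TIMER_RUNNING
Session inbound features:
 Feature: Prepaid Volume Monitor
   Threshold:N/A - Quota:Unlimited
   Usage(since last update):0 - Total:18368364
"""


def _field(block, pattern, default=None):
    """Group 1 of the first multi-line match of pattern in block, else default."""
    m = re.search(pattern, block, re.M)
    return m.group(1).strip() if m else default


def parse_sessions(text):
    """Split on the session separator and return one dict per session."""
    sessions = []
    for block in text.split(SEPARATOR)[1:]:  # [0] is the header before session 1
        sid = _field(block, r"Unique Session ID:\s*(\d+)")
        if sid is None:
            continue
        total = _field(block, r"Total:(\d+)")  # volume monitor running total
        sessions.append({
            "id": int(sid),
            "identifier": _field(block, r"^Identifier:(.*)$", ""),
            "access_type": _field(block, r"SIP subscriber access type\(s\):\s*(\S+)"),
            "active_services": re.findall(r'^\s*name "([^"]+)"', block, re.M),
            "prepaid_state": _field(block, r"^\s*State (\S+)"),
            "quota": _field(block, r"Quota:(\S+)"),
            "volume_total": int(total) if total is not None else None,
            "l4r_rule_count": len(re.findall(r"Rule Cfg Definition #\d+", block)),
            "l4r_table_empty": "Rule table is empty" in block,
            # traffic-class (child) sessions referenced from this session's features
            "traffic_class_children": sorted(
                {int(x) for x in re.findall(r"Traffic class session ID:\s*(\d+)", block)}),
        })
    return sessions


def audit(sessions):
    """Flag the states a prepaid/redirect operator wants to look at first."""
    findings = []
    by_id = {s["id"]: s for s in sessions}
    for s in sessions:
        if s["prepaid_state"] == "CREDIT_EXHAUST_TIMER_RUNNING":
            findings.append(
                f"session {s['id']}: credit exhausted, volume monitor now Quota:{s['quota']} "
                f"after {s['volume_total']} bytes, so usage is no longer counted against a quota")
        if s["access_type"] == "IP" and s["l4r_table_empty"]:
            with_rules = [c for c in s["traffic_class_children"]
                          if by_id.get(c, {}).get("l4r_rule_count", 0)]
            if with_rules:
                findings.append(
                    f"session {s['id']}: Layer 4 Redirect rule table is empty on the IP session; "
                    f"the redirect rule exists only on traffic-class session(s) {with_rules}")
        if len(s["active_services"]) > 1:
            findings.append(
                f"session {s['id']}: {len(s['active_services'])} services active at once: "
                + ", ".join(s["active_services"]))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sessions(SAMPLE_OUTPUT)):
        print(finding)
```

Feed it the raw text of the command (for instance saved from the terminal) and compare the findings before and after the quota runs out; on the sample it reports the three conditions named in the lead-in, and on the pre-exhaustion output it reports nothing.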
sirmax (Author) Posted January 5, 2009

You can't attach anything to event credit-exhausted other than another service:

[code]
Router(config-control-policymap-class-control)# 2 ?
  service-policy  service-policy apply and unapply
  set             Set a variable
  substitute      Substitute a matching pattern in variable content by a rewrite pattern
[/code]
sirmax (Author) Posted January 5, 2009

And one more question right away: how do I make a condition "on start of service XXXX"? I'm trying this:

[code]
!
class-map type control match-all CLASS_SERVICE_L4R
 match service-name SERVICE_L4R
!
...
 class type control CLASS_SERVICE_L4R event session-default-service
...
[/code]

But in the debug I can see that when SERVICE_L4R starts, the condition is evaluated but does not fire; here is part of the debug:

[code]
1120075: Jan 5 23:14:18.170 EET: SSS PM [uid:403][15034950]: RULE: Evaluate "ISG-CUSTOMERS-POLICY" for session-default-service
1120076: Jan 5 23:14:18.170 EET: SSS PM [uid:403][15034950]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/ISG-IP-UNAUTH event timed-policy-expiry"
1120077: Jan 5 23:14:18.170 EET: SSS PM [uid:403][15034950]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/CLASS_PREPAID_INTERNET event quota-depleted"
1120078: Jan 5 23:14:18.170 EET: SSS PM [uid:403][15034950]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/CLASS_SERVICE_L4R event service-start"
1120079: Jan 5 23:14:18.170 EET: SSS PM [uid:403][15034950]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/CLASS_SERVICE_L4R event session-start"
1120080: Jan 5 23:14:18.170 EET: SSS PM [uid:403][15034950]: RULE: Match keys against "ISG-CUSTOMERS-POLICY":
1120081: Jan 5 23:14:18.174 EET: SSS PM [uid:403][15034950]: RULE: Nasport = PPPoEoVLAN: slot 0 adapter 0 port 1 sub-interface 613 IP 0.0.0.0 VLAN 613
1120082: Jan 5 23:14:18.174 EET: SSS PM [uid:403][15034950]: RULE: Authen-Status = 1 (Unauthenticated)
1120083: Jan 5 23:14:18.174 EET: SSS PM [uid:403][15034950]: RULE: Session-Handle = 3674210708 (DB000194)
1120084: Jan 5 23:14:18.174 EET: SSS PM [uid:403][15034950]: RULE: SVM-Handle = 4143973018 (F700029A)
1120085: Jan 5 23:14:18.174 EET: SSS PM [uid:403][15034950]: RULE: PM-Context-Handle = 1593836271 (5F0002EF)
1120086: Jan 5 23:14:18.174 EET: SSS PM [uid:403][15034950]: RULE: Protocol-Type = 4 (IP)
1120087: Jan 5 23:14:18.174 EET: SSS PM [uid:403][15034950]: RULE: AAA-Flow-Id = 620757063 (25000047)
1120088: Jan 5 23:14:18.174 EET: SSS PM [uid:403][15034950]: RULE: AAA-Attr-List = 480000B3
1120089: Jan 5 23:14:18.174 EET: SSS PM [uid:403][15034950]: RULE: bytes_in 4235332 (0x40A044)
1120090: Jan 5 23:14:18.174 EET: SSS PM [uid:403][15034950]: RULE: bytes_out 4167456 (0x3F9720)
1120091: Jan 5 23:14:18.174 EET: SSS PM [uid:403][15034950]: RULE: paks_in 5051 (0x13BB)
1120092: Jan 5 23:14:18.174 EET: SSS PM [uid:403][15034950]: RULE: paks_out 4978 (0x1372)
1120093: Jan 5 23:14:18.174 EET: SSS PM [uid:403][15034950]: RULE: volume-quota 8402788 (0x803764)
1120094: Jan 5 23:14:18.174 EET: SSS PM [uid:403][15034950]: RULE: Feature-PM-Notification = 26 (0000001A)
1120095: Jan 5 23:14:18.174 EET: SSS PM [uid:403][15034950]: RULE: Logon-Service = "PREPAID_INTERNET"
1120096: Jan 5 23:14:18.174 EET: SSS PM [uid:403][15034950]: CONTROL-CLASS-MAP: : [0] match-all CLASS_SERVICE_L4R
1120097: Jan 5 23:14:18.174 EET: SSS PM [uid:403][15034950]: CONTROL-CLASS-MAP: : [0] match identifier service-name SERVICE_L4R [FALSE] [DONE]
1120098: Jan 5 23:14:18.174 EET: SSS PM [uid:403][15034950]: CONTROL-CLASS-MAP: : [0] match-all CLASS_SERVICE_L4R
1120099: Jan 5 23:14:18.174 EET: SSS PM [uid:403][15034950]: CONTROL-CLASS-MAP: : CLASS_SERVICE_L4R [FALSE]
[/code]

I've probably missed something important ( But what (
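To make debug excerpts like the one above quicker to read, here is an added Python example (not the poster's and not a Cisco tool) that groups SSS PM lines by uid and context, records which event the policy map was evaluated for, which rules were skipped as "Wrong type" for that event, the key/value list the rules were matched against, and the per-condition result of each control class-map. On the posted lines it surfaces that the evaluation ran for session-default-service in context 15034950 with Logon-Service = "PREPAID_INTERNET" among the keys, while the class-map condition tests service-name SERVICE_L4R and comes back FALSE. SAMPLE_DEBUG is a constructed subset of the posted lines; the regexes assume exactly that line layout.

```python
"""Summarise Cisco ISG policy-manager (SSS PM) debug lines per session context.
Added example for this thread (not the poster's tooling, not a Cisco tool).
SAMPLE_DEBUG is a constructed subset of the posted debug lines."""
import re
from collections import defaultdict

SAMPLE_DEBUG = """\
1120075: Jan  5 23:14:18.170 EET: SSS PM [uid:403][15034950]: RULE: Evaluate "ISG-CUSTOMERS-POLICY" for session-default-service
1120076: Jan  5 23:14:18.170 EET: SSS PM [uid:403][15034950]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/ISG-IP-UNAUTH event timed-policy-expiry"
1120078: Jan  5 23:14:18.170 EET: SSS PM [uid:403][15034950]: RULE: Wrong type "ISG-CUSTOMERS-POLICY/CLASS_SERVICE_L4R event service-start"
1120080: Jan  5 23:14:18.170 EET: SSS PM [uid:403][15034950]: RULE: Match keys against "ISG-CUSTOMERS-POLICY":
1120082: Jan  5 23:14:18.174 EET: SSS PM [uid:403][15034950]: RULE: Authen-Status = 1 (Unauthenticated)
1120093: Jan  5 23:14:18.174 EET: SSS PM [uid:403][15034950]: RULE: volume-quota 8402788 (0x803764)
1120095: Jan  5 23:14:18.174 EET: SSS PM [uid:403][15034950]: RULE: Logon-Service = "PREPAID_INTERNET"
1120096: Jan  5 23:14:18.174 EET: SSS PM [uid:403][15034950]: CONTROL-CLASS-MAP: : [0] match-all CLASS_SERVICE_L4R
1120097: Jan  5 23:14:18.174 EET: SSS PM [uid:403][15034950]: CONTROL-CLASS-MAP: : [0] match identifier service-name SERVICE_L4R [FALSE] [DONE]
1120099: Jan  5 23:14:18.174 EET: SSS PM [uid:403][15034950]: CONTROL-CLASS-MAP: : CLASS_SERVICE_L4R [FALSE]
"""

# <seq>: <timestamp>: SSS PM [uid:<uid>][<ctx>]: <component>: <message>
LINE_RE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>.+?): SSS PM \[uid:(?P<uid>\d+)\]\[(?P<ctx>[0-9A-Fa-f]+)\]: "
    r"(?P<comp>[A-Z-]+): (?P<msg>.*)$")


def _new_record():
    return {"policy": None, "event": None, "skipped": [], "keys": {}, "classmaps": {}}


def parse_debug(text):
    """Group lines by (uid, context) and extract the rule-evaluation details."""
    records = defaultdict(_new_record)
    current_class = None  # class-map whose conditions are currently being printed
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = records[(int(m["uid"]), m["ctx"])]
        msg = m["msg"].lstrip(": ").strip()
        if m["comp"] == "RULE":
            if (e := re.match(r'Evaluate "([^"]+)" for (\S+)', msg)):
                rec["policy"], rec["event"] = e.group(1), e.group(2)
            elif (w := re.match(r'Wrong type "([^"]+)"', msg)):
                rec["skipped"].append(w.group(1))  # rule bound to a different event
            elif not msg.startswith("Match keys against"):
                km = re.match(r"([\w-]+)\s*=?\s*(.*)$", msg)
                if km:
                    # drop the trailing "(decoded)" annotation and surrounding quotes
                    value = re.sub(r"\s*\([^)]*\)$", "", km.group(2)).strip().strip('"')
                    rec["keys"][km.group(1)] = value
        elif m["comp"] == "CONTROL-CLASS-MAP":
            if (r := re.match(r"([\w-]+) \[(TRUE|FALSE)\]$", msg)):
                cm = rec["classmaps"].setdefault(r.group(1), {"conditions": [], "result": None})
                cm["result"] = r.group(2)
            elif (h := re.match(r"\[\d+\] match-(?:all|any) ([\w-]+)$", msg)):
                current_class = h.group(1)
                rec["classmaps"].setdefault(current_class, {"conditions": [], "result": None})
            elif current_class and (c := re.match(r"\[\d+\] match (.+?) \[(TRUE|FALSE)\]", msg)):
                rec["classmaps"][current_class]["conditions"].append((c.group(1), c.group(2)))
    return dict(records)


def summarize(rec):
    """Readable lines for one (uid, context) record."""
    out = [f'{rec["policy"]} evaluated for event {rec["event"]}: '
           f'{len(rec["skipped"])} rule(s) skipped as "Wrong type" for this event']
    for name, cm in rec["classmaps"].items():
        out.append(f"class-map {name} -> {cm['result']}")
        for cond, res in cm["conditions"]:
            out.append(f"  {cond} -> {res}")
            wanted = re.search(r"service-name (\S+)", cond)
            if wanted and "Logon-Service" in rec["keys"]:
                out.append(f"  (key Logon-Service = {rec['keys']['Logon-Service']}, "
                           f"condition tests {wanted.group(1)})")
    return out


if __name__ == "__main__":
    for key, rec in parse_debug(SAMPLE_DEBUG).items():
        print("uid/context", key)
        print("\n".join(summarize(rec)))
```

Pipe a captured debug into parse_debug and print summarize() per context; with several subscribers in the capture the (uid, context) grouping keeps one session's evaluation from being mixed with another's.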