megahertz0 Posted June 6, 2012

I have a 7206VXR NPE-G1. I'm trying to test ISG on it.
IOS: c7200-spservicesk9-mz.122-33.SRE1.bin

On interface GigabitEthernet0/2.713 I'm trying to apply

ip subscriber routed
 initiator unclassified ip-address

As a result, the Cisco says it doesn't know such a command, although Feature Navigator says that ISG is supported in this IOS, in particular the feature ISG:Session: Creation: IP Session. On an NPE-G2 with c7200p-adventerprisek9_sna-mz.122-33.SRC.bin the command is accepted.

How do I initiate a session based on traffic from the client? What am I doing wrong specifically on the NPE-G1?

Config:

version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname bras1
!
boot-start-marker
boot system flash disk2:c7200-spservicesk9-mz.122-33.SRE1.bin
boot-end-marker
!
!
aaa new-model
!
!
aaa group server tacacs+ tac-int
 server 10.201.0.4
!
aaa group server radius ISG-RADIUS
 server 10.254.241.1 auth-port 1812 acct-port 1813
!
aaa authentication login admin group tac-int local
aaa authentication login ISG-AUTH-1 group ISG-RADIUS
aaa authorization console
aaa authorization exec admin group tac-int local
aaa authorization commands 15 admin group tac-int local
aaa authorization network ISG-AUTH-1 group ISG-RADIUS
aaa authorization subscriber-service default local group ISG-RADIUS
aaa accounting delay-start
aaa accounting update newinfo periodic 1
aaa accounting network ISG-AUTH-1
 action-type start-stop
 group ISG-RADIUS
!
!
!
!
!
!
aaa session-id common
clock timezone MSK 4
no ip subnet-zero
no ip source-route
ip icmp rate-limit unreachable 1000
ip icmp rate-limit unreachable DF 1000
ip cef
!
!
!
!
ip domain name tvintel.local
ip name-server 10.200.0.1
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
 path ftp://cisco:xxx@10.201.0.3/config-backups/msk20-bras1
 write-memory
username varg privilege 15 secret 5 xxx
!
!
ip tcp selective-ack
ip tcp timestamp
ip tcp path-mtu-discovery
ip ssh version 2
class-map type traffic match-any CLASS-TO-REDIRECT
 match access-group output 197
 match access-group input 197
!
class-map type control match-all ISG-IP-UNAUTH
 match timer UNAUTH-TIMER
 match authen-status unauthenticated
!
policy-map type control ISG-CUSTOMERS-POLICY
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event quota-depleted
  1 set-param drop-traffic FALSE
 !
 class type control always event credit-exhausted
  1 service-policy type service name LOCAL_L4R
 !
 class type control always event session-start
  10 authorize aaa list ISG-AUTH-1 password ISG identifier source-ip-address
  20 set-timer UNAUTH-TIMER 1
  30 service-policy type service name SERVICE_L4R
 !
!
!
!
!
!
!
!
interface GigabitEthernet0/1
 no ip address
 media-type rj45
 speed auto
 duplex auto
 negotiation auto
!
interface GigabitEthernet0/2
 no ip address
 media-type rj45
 speed auto
 duplex auto
 no negotiation auto
!
interface GigabitEthernet0/2.10
 encapsulation dot1Q 10
 ip address 10.254.241.12 255.255.248.0
!
interface GigabitEthernet0/2.200
 encapsulation dot1Q 200
 ip address 10.200.0.6 255.255.0.0
!
interface GigabitEthernet0/2.713
 description ISG_test
 encapsulation dot1Q 713
 ip address xx.xx.xx.xx 255.255.255.252
!
interface GigabitEthernet0/3
 no ip address
 media-type rj45
 speed auto
 duplex auto
 no negotiation auto
!
interface GigabitEthernet0/3.9
 encapsulation dot1Q 9
 ip address yy.yy.yy.yy 255.255.255.128
!
!
router eigrp xyz
 default-metric 1000 100 250 100 200
 network yy.yy.yy.yy 0.0.0.127
 redistribute connected
 redistribute static
 auto-summary
 neighbor yy.yy.yy.yy GigabitEthernet0/3.9
 passive-interface default
 no passive-interface GigabitEthernet0/3.9
 eigrp router-id yy.yy.yy.yy
!
no ip http server
no ip http secure-server
!
!
ip route 10.0.100.0 255.255.255.0 10.200.0.1
ip route 10.201.0.0 255.255.255.0 10.200.0.1
!
ip access-list extended nb-drop
 deny udp any any eq netbios-ns
 deny udp any any eq netbios-dgm
 deny udp any any eq netbios-ss
 permit tcp any any
 permit udp any any
 permit ip any any
!
logging 10.201.0.5
!
access-list 11 permit 10.200.0.0 0.0.255.255
access-list 11 permit 10.0.100.0 0.0.0.255
access-list 11 deny any log
access-list 100 permit tcp any eq www any
access-list 100 permit tcp any eq domain any
access-list 100 permit icmp any any
access-list 101 permit udp any any
access-list 102 permit tcp any any
access-list 196 deny ip host zz.zz.zz.zz any
access-list 196 deny ip any host zz.zz.zz.zz
access-list 196 permit ip any any
access-list 197 permit tcp any any eq www
access-list 197 permit tcp any eq www any
!
snmp-server community xx RO 11
snmp-server community yy RW 11
snmp-server system-shutdown
snmp-server enable traps snmp coldstart warmstart
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server host 10.201.0.2 xx
!
tacacs-server host 10.201.0.4 key 7 xxx
tacacs-server directed-request
radius-server attribute 44 include-in-access-req
radius-server attribute 44 extend-with-addr
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 31 mac format unformatted
radius-server host 10.254.241.1 auth-port 1812 acct-port 1813 key 7 xxx
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
!
line con 0
 session-timeout 15
 exec-timeout 0 0
 authorization commands 15 admin
 authorization exec admin
 accounting commands 15 admin
 login authentication admin
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 session-timeout 15
 access-class 11 in
 exec-timeout 0 0
 authorization commands 15 admin
 authorization exec admin
 accounting commands 15 admin
 login authentication admin
 transport input telnet ssh
line vty 5 15
 session-timeout 15
 access-class 11 in
 exec-timeout 5 0
 authorization commands 15 admin
 authorization exec admin
 accounting commands 15 admin
 login authentication admin
 transport input telnet ssh
!
ntp clock-period 17179762
ntp server 10.200.0.1
end

megahertz0 (Author) Posted June 6, 2012

Question withdrawn, the problem was the IOS. SPSERVICES has no ISG support. I upgraded to c7200-adventerprisek9-mz.122-33.SRE5.bin, and everything showed up.