megahertz0 Posted August 23, 2012

I have a BRAS on a Cisco 7206. It is hooked up to the billing system to implement the ISG features. Config:

Building configuration...

Current configuration : 7883 bytes
!
! Last configuration change at 12:30:56 MSK Tue Aug 21 2012 by megahertz
! NVRAM config last updated at 11:15:13 MSK Mon Aug 20 2012 by megahertz
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname bras1
!
boot-start-marker
boot system flash disk2:c7200-adventerprisek9-mz.122-33.SRE5.bin
boot-end-marker
!
!
aaa new-model
!
!
aaa group server tacacs+ tac-int
 server 10.201.0.4
!
aaa group server radius ISG-RADIUS
 server 10.254.241.1 auth-port 1812 acct-port 1813
!
aaa authentication login admin group tac-int local
aaa authentication login ISG-AUTH-1 group ISG-RADIUS
aaa authorization console
aaa authorization exec admin group tac-int local
aaa authorization commands 15 admin group tac-int local
aaa authorization network ISG-AUTH-1 group ISG-RADIUS
aaa authorization subscriber-service default local group ISG-RADIUS
aaa accounting delay-start
aaa accounting update newinfo periodic 1
aaa accounting network ISG-AUTH-1
 action-type start-stop
 group ISG-RADIUS
!
aaa accounting network ISG-RADIUS
 action-type start-stop
 group ISG-RADIUS
!
!
!
!
!
aaa server radius dynamic-author
 client 10.254.241.1 server-key 7 08701E1D
 auth-type any
!
aaa session-id common
clock timezone MSK 4
no ip subnet-zero
no ip source-route
ip icmp rate-limit unreachable 1000
ip icmp rate-limit unreachable DF 1000
ip cef
!
!
!
!
ip domain name tvintel.local
ip name-server xx.xx.xx.xx
no ipv6 cef
!
!
service-policy type control ISG-CUSTOMERS-POLICY
redirect server-group REDIRECT_NOPAY
 server ip 10.20.1.1 port 80
!
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
 path ftp://cisco:xxxxxx@10.201.0.3/config-backups/msk20-bras1
 write-memory
username varg privilege 15 secret 5 xxxxxxxx
!
!
ip tcp selective-ack
ip tcp timestamp
ip tcp path-mtu-discovery
ip ssh version 2
class-map type traffic match-any CLASS-TO-REDIRECT
 match access-group output 197
 match access-group input 197
!
class-map type traffic match-any CLASS-TRUSTED
 match access-group output 198
 match access-group input 198
!
class-map type control match-all ISG-IP-UNAUTH
 match timer UNAUTH-TIMER
 match authen-status unauthenticated
!
policy-map type service LOCAL_L4R
 1 class type traffic CLASS-TO-REDIRECT
  redirect to group REDIRECT_NOPAY
 !
 class type traffic default input
  drop
 !
!
policy-map type service SERVICE-TRUSTED
 1 class type traffic CLASS-TRUSTED
  police input 64000 8000 16000
  police output 64000 8000 16000
 !
!
policy-map type control ISG-CUSTOMERS-POLICY
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event session-start
  10 authorize aaa list ISG-AUTH-1 password ISG identifier source-ip-address
  20 set-timer UNAUTH-TIMER 1
  30 service-policy type service name SERVICE-TRUSTED
  40 service-policy type service name LOCAL_L4R
 !
 class type control always event access-reject
  1 service-policy type service name SERVICE-TRUSTED
  2 service-policy type service name LOCAL_L4R
 !
 class type control always event radius-timeout
  1 service-policy type service name SERVICE-TRUSTED
  2 service-policy type service name LOCAL_L4R
 !
!
!
!
!
!
!
!
!
interface GigabitEthernet0/1
 no ip address
 media-type rj45
 speed auto
 duplex auto
 negotiation auto
!
interface GigabitEthernet0/2
 no ip address
 media-type rj45
 speed auto
 duplex auto
 no negotiation auto
!
interface GigabitEthernet0/2.10
 encapsulation dot1Q 10
 ip address 10.254.241.12 255.255.248.0
!
interface GigabitEthernet0/2.11
 encapsulation dot1Q 11
 ip address 10.252.0.2 255.255.240.0
!
interface GigabitEthernet0/2.17
 description Redirect_iface
 encapsulation dot1Q 17
 ip address 10.20.1.62 255.255.255.192
!
interface GigabitEthernet0/2.200
 encapsulation dot1Q 200
 ip address 10.200.0.6 255.255.0.0
!
interface GigabitEthernet0/3
 no ip address
 media-type rj45
 speed auto
 duplex auto
 no negotiation auto
!
interface GigabitEthernet0/3.8
 encapsulation dot1Q 8
 ip address 10.20.0.2 255.255.255.0
 ip access-group Ipoe-Subnets in
 service-policy type control ISG-CUSTOMERS-POLICY
 ip subscriber routed
  initiator unclassified ip-address
!
!
router eigrp 43544
 default-metric 1000 100 250 100 200
 network 10.20.0.0 0.0.0.255
 redistribute connected
 neighbor 10.20.0.1 GigabitEthernet0/3.8
 passive-interface default
 no passive-interface GigabitEthernet0/3.8
 eigrp router-id 10.20.0.2
!
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.252.0.1
ip route 10.0.100.0 255.255.255.0 10.200.0.1
ip route 10.21.0.0 255.255.0.0 10.20.0.1
ip route 10.201.0.0 255.255.255.0 10.200.0.1
!
ip access-list extended Subnets-isg
 permit ip 10.21.0.0 0.0.255.255 any
 deny ip any any
ip access-list extended Tvintel-Subnets
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip xx.xx.xx.0 0.0.3.255 any
 deny ip any any
ip access-list extended nb-drop
 deny udp any any eq netbios-ns
 deny udp any any eq netbios-dgm
 deny udp any any eq netbios-ss
 permit tcp any any
 permit udp any any
 permit ip any any
!
logging 10.201.0.5
access-list 11 permit 10.201.0.2
access-list 11 permit 10.200.0.0 0.0.255.255
access-list 11 permit 10.0.100.0 0.0.0.255
access-list 11 deny any log
access-list 102 permit tcp any any
access-list 195 permit ip host 10.21.0.33 host 10.20.1.9
access-list 195 permit ip host 10.20.1.9 host 10.21.0.33
access-list 196 deny ip host xx.xx.xx.200 any
access-list 196 deny ip any host xx.xx.xx.200
access-list 196 permit ip any any
access-list 197 permit tcp any any eq www
access-list 197 permit tcp any eq www any
access-list 197 deny ip any any
access-list 198 permit udp any any eq domain
access-list 198 permit udp any eq domain any
access-list 198 permit tcp any host xx.xx.xx.200 eq www
access-list 198 permit tcp any host xx.xx.xx.200 eq 443
access-list 198 permit icmp any any
access-list 198 deny ip any any
!
snmp-server community nexus RO 11
snmp-server community puGAMtZCiw RW 11
snmp-server system-shutdown
snmp-server enable traps snmp coldstart warmstart
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server host 10.201.0.2 nexus
!
tacacs-server host 10.201.0.4 key 7 xxxxxxxxxx
tacacs-server directed-request
radius-server attribute 44 include-in-access-req
radius-server attribute 44 extend-with-addr
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 31 mac format unformatted
radius-server host 10.254.241.1 auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxx
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
!
line con 0
 session-timeout 15
 exec-timeout 0 0
 authorization commands 15 admin
 authorization exec admin
 accounting commands 15 admin
 login authentication admin
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 session-timeout 15
 access-class 11 in
 exec-timeout 0 0
 authorization commands 15 admin
 authorization exec admin
 accounting commands 15 admin
 login authentication admin
 transport input telnet ssh
line vty 5 15
 session-timeout 15
 access-class 11 in
 exec-timeout 5 0
 authorization commands 15 admin
 authorization exec admin
 accounting commands 15 admin
 login authentication admin
 transport input telnet ssh
!
ntp clock-period 17179779
ntp server 10.200.0.1
end

Subscribers are terminated on L3 switches; from there the traffic is sent into the core and from the core to the BRAS. From the BRAS the policed traffic goes to a Linux box doing NAT. GigabitEthernet0/3.8 faces the core, GigabitEthernet0/2.11 faces the NAT. Everything works fine: traffic flows normally and gets policed. But there is one unpleasant thing: there is no accounting of the inbound (from the subscriber's point of view) traffic, even though the subscriber does receive that traffic. Outbound traffic is accounted correctly. The subscriber's service looks like this:

002047: Aug 23 22:33:55.179: RADIUS: Received from id 1646/235 10.254.241.1:1813, Accounting-response, len 20
002048: Aug 23 22:33:55.179: RADIUS:  authenticator FF EF 35 67 E2 08 56 FE - D4 D2 00 CE DE 67 81 D9
002049: Aug 23 22:33:56.235: RADIUS/ENCODE(0000038B):Orig. component type = Iedge IP SIP
002050: Aug 23 22:33:56.235: RADIUS(0000038B): Config NAS IP: 0.0.0.0
002051: Aug 23 22:33:56.235: RADIUS(0000038B): Config NAS IP: 0.0.0.0
002052: Aug 23 22:33:56.235: RADIUS(0000038B): sending
002053: Aug 23 22:33:56.235: RADIUS/ENCODE: Best Local IP-Address 10.254.241.12 for Radius-Server 10.254.241.1
002054: Aug 23 22:33:56.235: RADIUS(0000038B): Send Accounting-Request to 10.254.241.1:1813 id 1646/236, len 270
002055: Aug 23 22:33:56.235: RADIUS:  authenticator 4B CC 8D 1E 96 D7 7E B9 - 4C 99 D6 07 23 7D 71 3D
002056: Aug 23 22:33:56.235: RADIUS:  Acct-Session-Id     [44]  18  "0AFEF10C00000673"
002057: Aug 23 22:33:56.235: RADIUS:  Framed-IP-Address   [8]   6   10.21.0.195
002058: Aug 23 22:33:56.235: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
002059: Aug 23 22:33:56.235: RADIUS:  User-Name           [1]   13  "10.21.0.195"
002060: Aug 23 22:33:56.235: RADIUS:  Vendor, Cisco       [26]  32
002061: Aug 23 22:33:56.235: RADIUS:   Cisco AVpair       [1]   26  "connect-progress=Call Up"
002062: Aug 23 22:33:56.235: RADIUS:  Vendor, Cisco       [26]  20
002063: Aug 23 22:33:56.235: RADIUS:   ssg-control-info   [253] 14  "I0;347130822"
002064: Aug 23 22:33:56.235: RADIUS:  Vendor, Cisco       [26]  12
002065: Aug 23 22:33:56.235: RADIUS:   ssg-control-info   [253] 6   "O0;0"
002066: Aug 23 22:33:56.235: RADIUS:  Acct-Session-Time   [46]  6   1263
002067: Aug 23 22:33:56.235: RADIUS:  Acct-Input-Octets   [42]  6   347129356
002068: Aug 23 22:33:56.235: RADIUS:  Acct-Output-Octets  [43]  6   0
002069: Aug 23 22:33:56.235: RADIUS:  Acct-Input-Packets  [47]  6   239747
002070: Aug 23 22:33:56.235: RADIUS:  Acct-Output-Packets [48]  6   0
002071: Aug 23 22:33:56.235: RADIUS:  Acct-Authentic      [45]  6   Local                     [2]
002072: Aug 23 22:33:56.235: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]
002073: Aug 23 22:33:56.235: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
002074: Aug 23 22:33:56.235: RADIUS:  Vendor, Cisco       [26]  15
002075: Aug 23 22:33:56.235: RADIUS:   cisco-nas-port     [2]   9   "0/0/3/8"
002076: Aug 23 22:33:56.235: RADIUS:  NAS-Port            [5]   6   0
002077: Aug 23 22:33:56.235: RADIUS:  NAS-Port-Id         [87]  9   "0/0/3/8"
002078: Aug 23 22:33:56.235: RADIUS:  Class               [25]  10
002079: Aug 23 22:33:56.235: RADIUS:   30 30 30 31 31 37 32 33              [ 00011723]
002080: Aug 23 22:33:56.235: RADIUS:  Service-Type        [6]   6   Framed                    [2]
002081: Aug 23 22:33:56.235: RADIUS:  NAS-IP-Address      [4]   6   10.254.241.12
002082: Aug 23 22:33:56.235: RADIUS:  Ascend-Session-Svr-K[151] 10
002083: Aug 23 22:33:56.235: RADIUS:   41 43 41 33 37 37 46 33              [ ACA377F3]
002084: Aug 23 22:33:56.235: RADIUS:  Event-Timestamp     [55]  6   1345746836
002085: Aug 23 22:33:56.235: RADIUS:  Nas-Identifier      [32]  21  "bras1.tvintel.local"
002086: Aug 23 22:33:56.235: RADIUS:  Acct-Delay-Time     [41]  6   0

Correspondingly, the session looks like this:

bras1#sh sss session uid 1053 det
Unique Session ID: 1053
Identifier: 10.21.1.211
SIP subscriber access type(s): IP
Current SIP options: Req Fwding/Req Fwded
Session Up-time: 00:50:26, Last Changed: 00:50:26
Policy information:
  Context 2083A230: Handle 2600043C
  AAA_id 0000037F: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    timeout               3600 (0xE10)
    service-type          5 [Outbound]
    ssg-account-info      "QU;2048000;256000;768000;D;2048000;256000;768000"
    accounting-list       "ISG-RADIUS"
  Downloaded User profile, including services:
    timeout               3600 (0xE10)
    service-type          5 [Outbound]
    ssg-account-info      "QU;2048000;256000;768000;D;2048000;256000;768000"
    accounting-list       "ISG-RADIUS"
  Config history for session (recent to oldest):
    Access-type: IP Client: SM
    Policy event: Service Selection Request
      Profile name: 10.21.1.211, 2 references
        timeout               3600 (0xE10)
        service-type          5 [Outbound]
        ssg-account-info      "QU;2048000;256000;768000;D;2048000;256000;768000"
        accounting-list       "ISG-RADIUS"
  Rules, actions and conditions executed:
    subscriber rule-map ISG-CUSTOMERS-POLICY
      condition always event session-start
        10 authorize aaa list ISG-AUTH-1 identifier source-ip-address
Session inbound features:
 Feature: Session accounting
   Method List: ISG-RADIUS
   Packets = 39619, Bytes = 4100486
 Feature: Policing
   Upstream Params:
   Average rate = 2048000, Normal burst = 256000, Excess burst = 768000
   Config level = Per-user
Session outbound features:
 Feature: Session accounting
   Method List: ISG-RADIUS
   Packets = 0, Bytes = 0
 Feature: Policing
   Dnstream Params:
   Average rate = 2048000, Normal burst = 256000, Excess burst = 768000
   Config level = Per-user
Non-datapath features:
 Feature: Session Timeout
   Timeout value is 3600 seconds
   Time remaining is 00:09:33
Configuration sources associated with this session:
Interface: GigabitEthernet0/3.8, Active Time = 00:50:26

As you can see, accounting is attached to the session, but the outbound counters are all zeros. Any hints on where to dig?
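The symptom above (upstream counters growing while downstream sits at zero) is easy to miss on a box with hundreds of sessions, and every byte it hides is unbilled traffic. The script below is an added example, not code from the original post or from Cisco: it parses the text of `show sss session ... detail` blocks and of the `debug radius` accounting lines shown above, and flags every session whose "Session outbound" accounting feature reports zero packets while "Session inbound" does not, plus any Acct-Output-Octets=0 record. The sample inputs are constructed from the output quoted in the post; session uid 1054 is an invented healthy session so the check has something to pass.

```python
"""Audit Cisco ISG sessions for one-directional accounting (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample: uid 1053 is the session quoted in the post, uid 1054 is invented.
SAMPLE_SESSIONS = """\
bras1#sh sss session det
Unique Session ID: 1053
Identifier: 10.21.1.211
SIP subscriber access type(s): IP
Session inbound features:
 Feature: Session accounting
   Method List: ISG-RADIUS
   Packets = 39619, Bytes = 4100486
 Feature: Policing
   Upstream Params:
   Average rate = 2048000, Normal burst = 256000, Excess burst = 768000
Session outbound features:
 Feature: Session accounting
   Method List: ISG-RADIUS
   Packets = 0, Bytes = 0
 Feature: Policing
   Dnstream Params:
   Average rate = 2048000, Normal burst = 256000, Excess burst = 768000
Non-datapath features:
 Feature: Session Timeout
   Timeout value is 3600 seconds
Unique Session ID: 1054
Identifier: 10.21.0.77
SIP subscriber access type(s): IP
Session inbound features:
 Feature: Session accounting
   Method List: ISG-RADIUS
   Packets = 1200, Bytes = 96000
Session outbound features:
 Feature: Session accounting
   Method List: ISG-RADIUS
   Packets = 3400, Bytes = 4500000
Non-datapath features:
"""

# Constructed sample: the interim (Watchdog) accounting record quoted in the post.
SAMPLE_RADIUS = """\
002057: Aug 23 22:33:56.235: RADIUS:  Framed-IP-Address   [8]   6   10.21.0.195
002067: Aug 23 22:33:56.235: RADIUS:  Acct-Input-Octets   [42]  6   347129356
002068: Aug 23 22:33:56.235: RADIUS:  Acct-Output-Octets  [43]  6   0
002069: Aug 23 22:33:56.235: RADIUS:  Acct-Input-Packets  [47]  6   239747
002070: Aug 23 22:33:56.235: RADIUS:  Acct-Output-Packets [48]  6   0
002072: Aug 23 22:33:56.235: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]
"""

SESSION_HDR = re.compile(r"^Unique Session ID: (\d+)", re.M)
ACCT_FEATURE = re.compile(r"Feature: Session accounting\s+Method List: \S+\s+Packets = (\d+), Bytes = (\d+)")
RADIUS_ATTR = re.compile(
    r"RADIUS:\s+(Framed-IP-Address|Acct-Status-Type|Acct-(?:Input|Output)-(?:Octets|Packets))"
    r"\s+\[\d+\]\s+\d+\s+(\S+)")

Counters = Tuple[int, int]  # (packets, bytes)


@dataclass
class IsgSession:
    uid: str
    identifier: str
    inbound: Optional[Counters]   # upstream: subscriber -> network
    outbound: Optional[Counters]  # downstream: network -> subscriber

    def downstream_unaccounted(self) -> bool:
        """True when upstream is being counted but downstream accounting is stuck at zero."""
        return (self.inbound is not None and self.outbound is not None
                and self.inbound[0] > 0 and self.outbound[0] == 0)


def _section(body: str, start: str, end: str) -> str:
    """Slice the text between two feature headings (empty if the start heading is absent)."""
    i = body.find(start)
    if i < 0:
        return ""
    j = body.find(end, i)
    return body[i:] if j < 0 else body[i:j]


def _acct_counters(section: str) -> Optional[Counters]:
    m = ACCT_FEATURE.search(section)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_sessions(text: str) -> List[IsgSession]:
    """Split `show sss session detail` output into per-session accounting counters."""
    parts = SESSION_HDR.split(text)  # [preamble, uid, body, uid, body, ...]
    sessions = []
    for uid, body in zip(parts[1::2], parts[2::2]):
        ident = re.search(r"Identifier: (\S+)", body)
        sessions.append(IsgSession(
            uid=uid,
            identifier=ident.group(1) if ident else "?",
            inbound=_acct_counters(_section(body, "Session inbound features:", "Session outbound features:")),
            outbound=_acct_counters(_section(body, "Session outbound features:", "Non-datapath features:")),
        ))
    return sessions


def parse_radius_acct(text: str) -> Dict[str, Union[int, str]]:
    """Pull the traffic counters and status out of one `debug radius` accounting request."""
    attrs: Dict[str, Union[int, str]] = {}
    for name, value in RADIUS_ATTR.findall(text):
        attrs[name] = int(value) if value.isdigit() else value
    return attrs


def radius_record_asymmetric(attrs: Dict[str, Union[int, str]]) -> bool:
    return attrs.get("Acct-Input-Octets", 0) > 0 and attrs.get("Acct-Output-Octets", 0) == 0


def report(sessions: List[IsgSession], radius: Dict[str, Union[int, str]]) -> List[str]:
    lines = [f"uid {s.uid} ({s.identifier}): in={s.inbound} out={s.outbound}"
             + ("  <-- downstream not accounted" if s.downstream_unaccounted() else "")
             for s in sessions]
    if radius_record_asymmetric(radius):
        lines.append(f"RADIUS {radius.get('Acct-Status-Type')} for {radius.get('Framed-IP-Address')}: "
                     f"Acct-Output-Octets is 0 while Acct-Input-Octets={radius.get('Acct-Input-Octets')}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_sessions(SAMPLE_SESSIONS), parse_radius_acct(SAMPLE_RADIUS))))
```

Feed it the saved output of `show sss session detail` for all sessions (and the RADIUS debug for one) and compare against the billing side: a session the router counts only upstream will show the same asymmetry in every interim record the billing system receives, so the check catches the gap before an invoice does.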
megahertz0 Posted August 24, 2012

And the most interesting part is that the inbound traffic isn't policed either....