
Prepaid tariffs on Cisco ISG

I've run into difficulties with ISG on Cisco.

The problem is this: on prepaid tariffs there is a constant traffic overrun.

Has anyone worked closely with this topic?

The ISG config is, generally speaking, standard.

Platform:

System image file is "disk0:/c7200p-advipservicesk9-mz.122-33.SRE9.bin"

Cisco 7201 (c7201) processor (revision B) with 917504K/65536K bytes of memory.

 

It doesn't look like the documented bug CSCei41904.

First, the software is not one of the versions in which that bug was found; second, I removed policing, with no result.

That said, I don't rule out a software problem, so if anyone has brought up ISG on a 7201 with a positive result, please share the IOS version.

Thanks.

I'll add the part of the config that concerns ISG.

Nothing fancy here; the services come down from the RADIUS server.

 

aaa group server radius ISG-RADIUS

server "RADIUS server IP" auth-port 1645 acct-port 1646

ip radius source-interface "GigabitEthernetX.X"

 

aaa authentication login ISG-AUTH-1 group ISG-RADIUS

aaa authorization network ISG-AUTH-1 group ISG-RADIUS

aaa authorization subscriber-service default local group ISG-RADIUS

aaa accounting delay-start all

aaa accounting jitter maximum 0

aaa accounting update periodic 15

 

aaa accounting network ISG-AUTH-1

action-type start-stop

group ISG-RADIUS

 

aaa server radius dynamic-author

client "RADIUS server IP" server-key cisco

 

subscriber feature prepaid default

threshold time 60 seconds

threshold volume 1 Mbytes

interim-interval 1 minutes

method-list author ISG-AUTH-1

method-list accounting ISG-AUTH-1

password cisco

 

subscriber service password cisco

subscriber authorization enable

service-policy type control ISG-CUSTOMERS-POLICY

 

redirect server-group REDIRECT-CAB

server ip "customer portal IP" port 80

 

class-map type traffic match-any CLASS-PASSTHROUGH

match access-group input name ACL-PASSTHROUGH

match access-group output name ACL-PASSTHROUGH

 

class-map type traffic match-any CLASS-REDIRECT

match access-group output name ACL-REDIRECT

match access-group input name ACL-REDIRECT

 

class-map type traffic match-any CLASS-TRUSTED

match access-group output name ACL-TRUSTED

match access-group input name ACL-TRUSTED

 

class-map type control match-all ISG-IP-UNAUTH

match authen-status unauthenticated

match timer UNAUTH-TIMER

 

policy-map type service LOCAL_L4R

10 class type traffic CLASS-REDIRECT

redirect to group REDIRECT-CAB

 

class type traffic default input

drop

 

policy-map type service SERVICE-TRUSTED

10 class type traffic CLASS-TRUSTED

 

class type traffic default input

drop

 

policy-map type service SERVICE-PASSTHROUGH

10 class type traffic CLASS-PASSTHROUGH

 

class type traffic default input

drop

 

policy-map type control ISG-CUSTOMERS-POLICY

class type control ISG-IP-UNAUTH event timed-policy-expiry

1 service disconnect

 

class type control always event session-start

10 authorize aaa list ISG-AUTH-1 identifier source-ip-address

20 set-timer UNAUTH-TIMER 5

25 service-policy type service name SERVICE-PASSTHROUGH

30 service-policy type service name SERVICE-TRUSTED

40 service-policy type service name LOCAL_L4R

 

class type control always event service-start

1 service-policy type service unapply name LOCAL_L4R

20 service-policy type service identifier service-name

 

class type control always event service-stop

1 service-policy type service unapply identifier service-name

20 service-policy type service name LOCAL_L4R

 

class type control always event quota-depleted

1 set-param drop-traffic FALSE

 

class type control always event credit-exhausted

1 service-policy type service name LOCAL_L4R

 

class type control always event account-logon

10 authenticate aaa list ISG-AUTH-1

20 service-policy type service unapply name LOCAL_L4R

 

interface GigabitEthernetY/Y

service-policy type control ISG-CUSTOMERS-POLICY

ip subscriber routed

initiator unclassified ip-address

 

ip access-list extended ACL-Internet

remark --- Internet ACL for ISG ---

permit ip any any

 

ip access-list extended ACL-PASSTHROUGH

remark --- Passthrough ACL for ISG ---

permit ip any 10.0.0.0 0.255.255.255

permit ip 10.0.0.0 0.255.255.255 any

deny ip any any log

 

ip access-list extended ACL-REDIRECT

remark --- Redirect to LC ACL for ISG ---

permit tcp any any eq www

deny ip any any

 

ip access-list extended ACL-TRUSTED

remark --- Trusted ACL for ISG ---

permit ip any host "DNS1"

permit ip any host "DNS2"

permit ip any host "BILLING"

permit ip host "DNS1" any

permit ip host "DNS2" any

permit ip host "BILLING" any

deny ip any any

 

radius-server attribute 44 include-in-access-req

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 55 include-in-acct-req

radius-server attribute 55 access-request include

radius-server attribute 25 access-request include

radius-server attribute nas-port format c

radius-server host "RADIUS server IP" auth-port 1645 acct-port 1646 key cisco

radius-server unique-ident 10

radius-server vsa send cisco-nas-port

radius-server vsa send accounting

radius-server vsa send authentication


And which services do you send to the client at authentication?

Is a Prepaid profile specified for the service there?

http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_suprt_ppaid_blng.html#wp1078903

Yes, absolutely.

The attributes sent by RADIUS for one of the working services:

 

Cisco-AVPair prepaid-config=default

Cisco-AVPair ip:traffic-class=in default drop

Cisco-AVPair ip:traffic-class=out default drop

Cisco-AVPair ip:traffic-class=in access-group name ACL-Internet priority 100

Cisco-AVPair ip:traffic-class=out access-group name ACL-Internet priority 100

Cisco-Service-Info Iinternet1024/16384

Cisco-Service-Info R0.0.0.0;0.0.0.0

Cisco-Service-Info QU;1024000;D;16384000

Service-Type Outbound-User

 

By default, all users registered in billing are assigned a local service that limits the speed and gives access only to local resources.

 

SIP subscriber access type(s): IP

Current SIP options: Req Fwding/Req Fwded

Session Up-time: 16:22:55, Last Changed: 16:22:55

 

Policy information:

Context 06DD132C: Handle C5000085

AAA_id 00000030: Flow_handle 0

Authentication status: authen

Downloaded User profile, excluding services:

timeout 604800 (0x93A80)

accounting-list "ISG-AUTH-1"

ssg-account-info "Aisg_local"

netmask 255.255.255.255

service-type 2 [Framed]

Downloaded User profile, including services:

timeout 604800 (0x93A80)

accounting-list "ISG-AUTH-1"

ssg-account-info "Aisg_local"

netmask 255.255.255.255

service-type 2 [Framed]

traffic-class "out access-group name ACL-TRUSTED priority 100"

traffic-class "in access-group name ACL-TRUSTED priority 100"

ssg-service-info "R0.0.0.0;0.0.0.0"

ssg-service-info "QU;128000;D;128000"

traffic-class "out default drop"

ssg-service-info "Ilocal"

traffic-class "in default drop"

Config history for session (recent to oldest):

Access-type: Web-service-logon Client: SM

Policy event: Apply Config Success (Service)

Profile name: isg_local, 4 references

timeout 604800 (0x93A80)

traffic-class "out access-group name ACL-TRUSTED priority 100"

traffic-class "in access-group name ACL-TRUSTED priority 100"

ssg-service-info "R0.0.0.0;0.0.0.0"

ssg-service-info "QU;128000;D;128000"

traffic-class "out default drop"

service-type 5 [Outbound]

ssg-service-info "Ilocal"

traffic-class "in default drop"

Access-type: IP Client: SM

Policy event: Service Selection Request

Profile name: x.x.x.x, 2 references

timeout 604800 (0x93A80)

accounting-list "ISG-AUTH-1"

ssg-account-info "Aisg_local"

netmask 255.255.255.255

service-type 2 [Framed]

Active services associated with session:

name "isg_local"

Rules, actions and conditions executed:

subscriber rule-map ISG-CUSTOMERS-POLICY

condition always event session-start

10 authorize aaa list ISG-AUTH-1 identifier source-ip-address

subscriber rule-map ISG-CUSTOMERS-POLICY

condition always event service-start

1 service-policy type service unapply name LOCAL_L4R

20 service-policy type service identifier service-name

 

Session inbound features:

Traffic classes:

Traffic class session ID: 209

ACL Name: ACL-TRUSTED, Packets = 413, Bytes = 25598

Default traffic is dropped

Unmatched Packets = 683, Re-classified packets (redirected) = 0

 

Feature: Session accounting

Method List: ISG-AUTH-1

Packets = 413, Bytes = 25598

 

Session outbound features:

Traffic classes:

Traffic class session ID: 209

ACL Name: ACL-TRUSTED, Packets = 408, Bytes = 32412

Default traffic is dropped

Unmatched Packets = 349, Re-classified packets (redirected) = 0

 

Feature: Session accounting

Method List: ISG-AUTH-1

Packets = 408, Bytes = 32412

 

Non-datapath features:

Feature: Session Timeout

Timeout value is 604800 seconds

Time remaining is 6d07h

Configuration sources associated with this session:

Service: isg_local, Active Time = 16:22:55

AAA Service ID = 754974721

Interface: GigabitEthernet0/2, Active Time = 16:22:55

 

When a service is activated, the working services are attached.

Depending on the services, the speed, VRF and so on vary.

 

SIP subscriber access type(s): IP

Current SIP options: Req Fwding/Req Fwded

Session Up-time: 00:01:09, Last Changed: 00:01:09

 

Policy information:

Context 07577EC4: Handle 25000853

AAA_id 00055D73: Flow_handle 0

Authentication status: authen

Downloaded User profile, excluding services:

timeout 390297 (0x5F499)

accounting-list "ISG-AUTH-1"

ssg-account-info "Ainet_1024_16384"

netmask 255.255.255.255

service-type 2 [Framed]

Downloaded User profile, including services:

timeout 390297 (0x5F499)

accounting-list "ISG-AUTH-1"

ssg-account-info "Ainet_1024_16384"

netmask 255.255.255.255

service-type 2 [Framed]

ssg-service-info "QU;1024000;D;16384000"

ssg-service-info "R0.0.0.0;0.0.0.0"

ssg-service-info "Iinternet1024/16384"

traffic-class "out access-group name ACL-Internet priority 100"

traffic-class "in access-group name ACL-Internet priority 100"

traffic-class "out default drop"

traffic-class "in default drop"

Config history for session (recent to oldest):

Access-type: Web-service-logon Client: SM

Policy event: Apply Config Success (Service)

Profile name: inet_1024_16384, 4 references

timeout 604800 (0x93A80)

ssg-service-info "QU;1024000;D;16384000"

service-type 5 [Outbound]

ssg-service-info "R0.0.0.0;0.0.0.0"

ssg-service-info "Iinternet1024/16384"

traffic-class "out access-group name ACL-Internet priority 100"

traffic-class "in access-group name ACL-Internet priority 100"

traffic-class "out default drop"

traffic-class "in default drop"

Access-type: IP Client: SM

Policy event: Service Selection Request

Profile name: x.x.x.x, 2 references

timeout 390297 (0x5F499)

accounting-list "ISG-AUTH-1"

ssg-account-info "Ainet_1024_16384"

netmask 255.255.255.255

service-type 2 [Framed]

Active services associated with session:

name "inet_1024_16384"

Rules, actions and conditions executed:

subscriber rule-map ISG-CUSTOMERS-POLICY

condition always event session-start

10 authorize aaa list ISG-AUTH-1 identifier source-ip-address

subscriber rule-map ISG-CUSTOMERS-POLICY

condition always event service-start

1 service-policy type service unapply name LOCAL_L4R

20 service-policy type service identifier service-name

 

Session inbound features:

Traffic classes:

Traffic class session ID: 500

ACL Name: ACL-Internet, Packets = 167, Bytes = 11091

Default traffic is dropped

Unmatched Packets = 0, Re-classified packets (redirected) = 0

 

Feature: Session accounting

Method List: ISG-AUTH-1

Packets = 167, Bytes = 11091

 

Session outbound features:

Traffic classes:

Traffic class session ID: 500

ACL Name: ACL-Internet, Packets = 158, Bytes = 14256

Default traffic is dropped

Unmatched Packets = 0, Re-classified packets (redirected) = 0

 

Feature: Session accounting

Method List: ISG-AUTH-1

Packets = 158, Bytes = 14256

 

Non-datapath features:

Feature: Session Timeout

Timeout value is 390297 seconds

Time remaining is 4d12h

Configuration sources associated with this session:

Service: inet_1024_16384, Active Time = 00:01:09

AAA Service ID = 2

Interface: GigabitEthernet0/2, Active Time = 00:01:09

Edited by master_kka


Although I should say that the output is missing

Prepaid context: default

and that is strange.

If anyone has the opportunity, please show the output of a live prepaid session from the command:

sh sss session detailed | begin ID: "session number"

or

sh subscriber session uid "session number" detailed

Edited by master_kka
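
Added example, not part of the original posts: a Python check that normalises the RADIUS reply attributes quoted in the thread and diffs them against the "Downloaded User profile, including services" block of the session dump, showing which service attributes never reached the session. The function names are hypothetical, and it is an assumption that an applied prepaid profile would be listed as `prepaid-config "default"`, in the same style as the other attributes in the dump.

```python
import re

# RADIUS reply for the service, copied from the thread.
RADIUS_REPLY = """\
Cisco-AVPair prepaid-config=default
Cisco-AVPair ip:traffic-class=in default drop
Cisco-AVPair ip:traffic-class=out default drop
Cisco-AVPair ip:traffic-class=in access-group name ACL-Internet priority 100
Cisco-AVPair ip:traffic-class=out access-group name ACL-Internet priority 100
Cisco-Service-Info Iinternet1024/16384
Cisco-Service-Info R0.0.0.0;0.0.0.0
Cisco-Service-Info QU;1024000;D;16384000
Service-Type Outbound-User
"""
# Session dump abridged from the thread (second session).
SESSION_DUMP = """\
Downloaded User profile, including services:
timeout 390297 (0x5F499)
ssg-service-info "QU;1024000;D;16384000"
ssg-service-info "R0.0.0.0;0.0.0.0"
ssg-service-info "Iinternet1024/16384"
traffic-class "out access-group name ACL-Internet priority 100"
traffic-class "in access-group name ACL-Internet priority 100"
traffic-class "out default drop"
traffic-class "in default drop"
Config history for session (recent to oldest):
"""

def radius_attrs(reply):
    """Normalise reply lines to the (name, value) form used in the dump."""
    attrs = set()
    for line in reply.splitlines():
        kind, _, rest = line.strip().partition(" ")
        if kind == "Cisco-AVPair":
            name, _, value = rest.partition("=")
            attrs.add((name.split(":")[-1], value))  # "ip:traffic-class" -> "traffic-class"
        elif kind == "Cisco-Service-Info":
            attrs.add(("ssg-service-info", rest))    # shown as ssg-service-info in the dump
    return attrs                                      # Service-Type is not compared

def applied_attrs(dump):
    """Collect name "value" lines from the 'including services' block."""
    m = re.search(r"including services:\n(.*?)\nConfig history", dump, re.S)
    return set(re.findall(r'^\s*([\w-]+) "([^"]*)"\s*$', m.group(1), re.M)) if m else set()

def audit(reply, dump):
    """Report reply attributes absent from the session and the prepaid marker."""
    missing = sorted(radius_attrs(reply) - applied_attrs(dump))
    return {"missing": missing, "prepaid_context": "Prepaid context:" in dump}

print(audit(RADIUS_REPLY, SESSION_DUMP))
```

On the data from the thread, the only reply attribute with no counterpart in the session profile is `prepaid-config`, which matches the missing `Prepaid context: default` line noted in the last post.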
