[ArhAngel_John]

Здравствуйте!

 

Доделываю схему доступа DLIPS+Opt82+RADIUS (LanBilling) на основе Redback SE100.

 

Схема практически полностью идентична примеру с использованием L3-Relays http://shop.nag.ru/article/clips Сценарий работы Dynamic CLIPS через L3 сеть доступа. )

Конфигурация практически абсолютно идентична примеру.

 

 

[local]Redback#show conf cont ipoe
Building configuration...

Current configuration:
!
context ipoe
! 
no ip domain-lookup
!
ip nat pool nat-pool-1 napt multibind
 address 178.212.183.250/32 port-block 1 to 15
 address 178.212.183.251/32 port-block 1 to 15
 address 178.212.183.252/32 port-block 1 to 15
!
nat policy nat-policy-1
 connections tcp maximum 2000
 connections udp maximum 2000
 connections icmp maximum 20
! Default class
 pool nat-pool-1 ipoe
 admission-control tcp
 admission-control udp
 admission-control icmp
 endpoint-independent filtering udp
 icmp-notification
!
interface MGMT
 ip address 192.168.111.5/23
  ip source-address radius 
!
interface net-10.1 multibind
 ip address 10.1.255.254/16
 dhcp proxy 65535
!
interface net-10.2 multibind
 ip address 10.2.255.254/16
 dhcp proxy 65535
!
interface net-10.3 multibind
 ip address 10.3.255.254/16
 dhcp proxy 65535
!
interface to-sw103 p2p
 ip address 31.134.47.234/30
 ip access-group acl-for-l3-relays-only in
!
interface to-sw210 p2p
 ip address 31.134.47.230/30
 ip access-group acl-for-l3-relays-only in
!
interface to-sw9 p2p
 ip address 31.134.47.238/30
 ip access-group acl-for-l3-relays-only in
no logging console
!
ip access-list acl-for-l3-relays-only
 seq 10 permit ip 10.0.0.1 0.255.255.0
 seq 20 permit ip 31.134.47.224 0.0.0.31
!
policy access-list acl-for-http-redirect
 seq 10 permit udp any host 178.212.183.244 eq domain class cls-NORMAL
 seq 20 permit udp any host 178.212.183.254 eq domain class cls-NORMAL
 seq 30 permit tcp any host 178.212.183.225 eq www class cls-NORMAL
 seq 40 permit tcp any host 178.212.183.225 eq 443 class cls-NORMAL
 seq 50 permit tcp any any eq www class cls-REDIRECT
 seq 60 permit ip any any class cls-DROP
!
ip arp 178.212.183.250 00:30:88:1c:5e:fd alias
ip arp 178.212.183.251 00:30:88:1c:5e:fe alias
ip arp 178.212.183.252 00:30:88:1c:5e:ff alias
!
http-redirect profile CABINET
 url "https://ррр.info/client2/"
!
aaa authentication administrator local  
aaa authentication administrator maximum sessions 1
aaa authentication subscriber radius  
aaa accounting subscriber radius
aaa accounting event dhcp
radius accounting server 192.168.111.3 encrypted-key ххх
radius coa server 192.168.111.3 encrypted-key ххх port 3799
!
radius server 192.168.111.3 encrypted-key ххх
radius max-retries 5
radius timeout 30
radius attribute username encaps clips strip-mac-delimiter 
!
subscriber default
  qos policy policing DEFAULT-64K-IN
  qos policy metering DEFAULT-64K-OUT
  dhcp max-addrs 1
!
ip route 0.0.0.0/0 context ironnet
ip route 10.1.0.0/16 31.134.47.237
ip route 10.2.0.0/16 31.134.47.229
ip route 10.3.0.0/16 31.134.47.233
!
dhcp relay option
dhcp relay server 192.168.111.3
!
!
!
!
end

 

 

 

Не пойму как побороть следующую ситуацию:

 

Когда клиенту прилетаю настройки, в них DHCP сервер указан 192.168.111.5, т.е. IP-адрес интерфейса, через который SE100 общается с LanBilling

Это приватные IP-адреса для сетки системных устройств и не должны быть доступны клиентам.

 

Соответственно, клиент для продолжения лизы шлёт запросы на 192.168.111.5

 

Соответственно SE100 это не нравится:

 

 

[local]Redback#Feb 20 14:52:00: [0388]: [2/2:511:63:31/1/2/12293]: %DHCP-7-PKT: Received pkt from 10.1.255.252 (dest addr 192.168.111.5).
Feb 20 14:52:00: %DHCP-7-PKT: Packet Process handler thread: Process packet
Feb 20 14:52:00: %DHCP-7-OPT: [dhcp_util_parse_options] Found client id option with len 7 type 1
Feb 20 14:52:00: %DHCP-7-OPT: [dhcp_util_parse_options] Found hostname option with len 6 hostname Office
Feb 20 14:52:00: %DHCP-7-OPT: [dhcp_util_parse_options] is_dhcp_pkt: Yes, msg_type: 3
Feb 20 14:52:00: [0388]: [2/2:511:63:31/1/2/12293]: %DHCP-7-PKT: >> Received DHCP REQUEST (len 300) from src 10.1.255.252, mac 00:9c:02:1c:cc:7b

  0    01 01 06 00 a4 61 42 3c 00 00 00 00 0a 01 ff fc
 16    00 00 00 00 00 00 00 00 00 00 00 00 00 9c 02 1c
 32    cc 7b 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 48    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

 64    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 80    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 96    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
112    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

128    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
144    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
160    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
176    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

192    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
208    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
224    00 00 00 00 00 00 00 00 00 00 00 00 63 82 53 63
240    35 01 03 3d 07 01 00 9c 02 1c cc 7b 0c 06 4f 66

256    66 69 63 65 51 09 00 00 00 4f 66 66 69 63 65 3c
272    08 4d 53 46 54 20 35 2e 30 37 0c 01 0f 03 06 2c
288    2e 2f 1f 21 79 f9 2b ff 00 00 00 00

Feb 20 14:52:00: [0388]: [2/2:511:63:31/1/2/12293]: %DHCP-7-PKT: Received DHCP REQUEST on non-multibind circuit from 00:9c:02:1c:cc:7b, xid: -1537129924
Feb 20 14:52:00: [0388]: [2/2:511:63:31/1/2/12293]: %DHCP-7-PKT_E: Packet [DHCP REQUEST] is dropped: interface 0x1005ffff is not dhcp enabled
Feb 20 14:52:00: %DHCP-7-GEN: [dhcp_pkt_packet_process_handler] Freeing DHCP pkt
Feb 20 14:52:04: [0388]: [2/2:511:63:31/1/2/12293]: %DHCP-7-PKT: Received pkt from 10.1.255.252 (dest addr 192.168.111.5).
Feb 20 14:52:04: %DHCP-7-PKT: Packet Process handler thread: Process packet
Feb 20 14:52:04: %DHCP-7-OPT: [dhcp_util_parse_options] Found client id option with len 7 type 1
Feb 20 14:52:04: %DHCP-7-OPT: [dhcp_util_parse_options] Found hostname option with len 6 hostname Office
Feb 20 14:52:04: %DHCP-7-OPT: [dhcp_util_parse_options] is_dhcp_pkt: Yes, msg_type: 3
Feb 20 14:52:04: [0388]: [2/2:511:63:31/1/2/12293]: %DHCP-7-PKT: >> Received DHCP REQUEST (len 300) from src 10.1.255.252, mac 00:9c:02:1c:cc:7b

  0    01 01 06 00 a4 61 42 3c 04 00 00 00 0a 01 ff fc
 16    00 00 00 00 00 00 00 00 00 00 00 00 00 9c 02 1c
 32    cc 7b 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 48    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

 64    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 80    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 96    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
112    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

128    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
144    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
160    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
176    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

192    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
208    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
224    00 00 00 00 00 00 00 00 00 00 00 00 63 82 53 63
240    35 01 03 3d 07 01 00 9c 02 1c cc 7b 0c 06 4f 66

256    66 69 63 65 51 09 00 00 00 4f 66 66 69 63 65 3c
272    08 4d 53 46 54 20 35 2e 30 37 0c 01 0f 03 06 2c
288    2e 2f 1f 21 79 f9 2b ff 00 00 00 00

Feb 20 14:52:04: [0388]: [2/2:511:63:31/1/2/12293]: %DHCP-7-PKT: Received DHCP REQUEST on non-multibind circuit from 00:9c:02:1c:cc:7b, xid: -1537129924
Feb 20 14:52:04: [0388]: [2/2:511:63:31/1/2/12293]: %DHCP-7-PKT_E: Packet [DHCP REQUEST] is dropped: interface 0x1005ffff is not dhcp enabled
Feb 20 14:52:04: %DHCP-7-GEN: [dhcp_pkt_packet_process_handler] Freeing DHCP pkt

 

 

 

ip source-address dhcp-server доступен только на каком-то одном интерфейсе.

 

Как правильно поступить в такой ситуации?

Изменено 20 февраля, 2014 пользователем ArhAngel_John

[irihorn95]

У нас на интерфейсе, смотрящем в сторону клиентов указан еще и ip helper address(Адрес dhcp сервера). Но у нас циско. Надеюсь Вам пригодится)

[ArhAngel_John]

У нас на интерфейсе, смотрящем в сторону клиентов указан еще и ip helper address(Адрес dhcp сервера). Но у нас циско. Надеюсь Вам пригодится)

Я так понял, что это аналог ip source-address у SE. Этот адрес в одном контексте можно повесить только на один интерфейс.

[irihorn95]

ArhAngel_John, Возможно. В Редбаках не шарю. Могу скинуть конфиг циски.

[ArhAngel_John]

А могу ли вообще на одном порту принимать VLAN с линками до L3-Relays

!
port ethernet 2/3 
auto-negotiate force enable
no shutdown
encapsulation dot1q
dot1q pvc 504 
 bind interface to-sw9 ipoe
 service clips dhcp context ipoe
dot1q pvc 505 
 bind interface to-sw103 ipoe
 service clips dhcp context ipoe
dot1q pvc 506
 bind interface to-sw210 ipoe
 service clips dhcp context ipoe 
!

И на каждый VLAN вешать service clips dhcp ?

Или мне service clips dhcp нужно вешать полностью на порт. Например вот так:

!
port ethernet 2/3 
auto-negotiate force enable
no shutdown
service clips dhcp context ipoe
encapsulation dot1q
dot1q pvc 504 
 bind interface to-sw9 ipoe
dot1q pvc 505 
 bind interface to-sw103 ipoe
dot1q pvc 506
 bind interface to-sw210 ipoe
!

Или мне нужно все 3 линка разделить по разным портам?

Как правильней?

Изменено 21 февраля, 2014 пользователем ArhAngel_John

[ArhAngel_John]

В общем сделал следующим образом:

соединил DHCP сервер и SE100 отдельным L3 линком (сеть /30)

На L3-релеях прописал маршруты до IP на SE100 (потому что именно этот IP приходит клиенту с настройками)

На DHCP сервере поправил маршруты до клиентских сетей и IP-адресов, которые висят на multibind интерфейсах через этот L3 линк.

Изменено 23 февраля, 2014 пользователем ArhAngel_John