Cisco ISG ASR-1001: problems with policing, speed is not being limited
Good day! I ran into a problem while configuring ISG on an ASR 1001-X. After the session comes up and authorization succeeds, the subscriber's speed is not limited.

Meanwhile, the RADIUS server does return the rates:

rad_recv: Access-Request packet from host 10.88.88.2 port 1645, id=2, length=58
User-Password = "cisco"
User-Name = "TP_138"
Service-Type = Outbound-User
NAS-IP-Address = 10.88.88.2

Sending Access-Accept of id 2 to 10.88.88.2 port 1645
Acct-Interim-Interval = 600
Cisco-Service-Info = "QU;20480000;2560000;5120000;D;20480000;2560000;5120000"
Cisco-AVPair += "ip:traffic-class=in access-group 196 priority 6"
Cisco-AVPair += "ip:traffic-class=out access-group 196 priority 6"
Cisco-AVPair += "ip:traffic-class=out default drop"
Cisco-AVPair += "ip:traffic-class=in default drop"
Cisco-AVPair += "subscriber:accounting-list=ISG-AUTH-1"

On the Cisco at that moment I see the following:

*Dec 21 12:32:25: RADIUS(00000000): Send Access-Request to 10.88.88.1:1912 id 1645/2, len 58
*Dec 21 12:32:25: RADIUS: authenticator 78 C2 05 75 47 88 CC 31 - A6 35 D0 DA A9 05 6C 6C
*Dec 21 12:32:25: RADIUS: User-Password [2] 18 *
*Dec 21 12:32:25: RADIUS: User-Name [1] 8 "TP_138"
*Dec 21 12:32:25: RADIUS: Service-Type [6] 6 Outbound [5]
*Dec 21 12:32:25: RADIUS: NAS-IP-Address [4] 6 10.88.88.2
*Dec 21 12:32:25: RADIUS(00000000): Sending a IPv4 Radius Packet
*Dec 21 12:32:25: RADIUS(00000000): Started 5 sec timeout
*Dec 21 12:32:25: RADIUS: Received from id 1645/2 10.88.88.1:1912, Access-Accept, len 325
*Dec 21 12:32:25: RADIUS: authenticator AF 91 D1 17 AF 3D 31 87 - A8 4A 86 0A 48 01 1E C3
*Dec 21 12:32:25: RADIUS: Acct-Interim-Interva[85] 6 600
*Dec 21 12:32:25: RADIUS: Vendor, Cisco [26] 62
*Dec 21 12:32:25: RADIUS: ssg-service-info [251] 56 "QU;20480000;2560000;5120000;D;20480000;2560000;5120000"
*Dec 21 12:32:25: RADIUS: Vendor, Cisco [26] 55
*Dec 21 12:32:25: RADIUS: Cisco AVpair [1] 49 "ip:traffic-class=in access-group 196 priority 6"
*Dec 21 12:32:25: RADIUS: Vendor, Cisco [26] 56
*Dec 21 12:32:25: RADIUS: Cisco AVpair [1] 50 "ip:traffic-class=out access-group 196 priority 6"
*Dec 21 12:32:25: RADIUS: Vendor, Cisco [26] 41
*Dec 21 12:32:25: RADIUS: Cisco AVpair [1] 35 "ip:traffic-class=out default drop"
*Dec 21 12:32:25: RADIUS: Vendor, Cisco [26] 40
*Dec 21 12:32:25: RADIUS: Cisco AVpair [1] 34 "ip:traffic-class=in default drop"
*Dec 21 12:32:25: RADIUS: Vendor, Cisco [26] 45
*Dec 21 12:32:25: RADIUS: Cisco AVpair [1] 39 "subscriber:accounting-list=ISG-AUTH-1"
*Dec 21 12:32:25: RADIUS/DECODE(00000000): There is no General DB. Reply server details may not be recorded
*Dec 21 12:32:25: RADIUS(00000000): Received from id 1645/2
*Dec 21 12:32:25: SSS AAA AUTHOR [uid:1][AAA ID:0]: Received an AAA pass
Initial attr acct-interval 0 600 (0x258)
Initial attr ssg-service-info 0 "QU;20480000;2560000;5120000;D;20480000;2560000;5120000"
Initial attr traffic-class 0 "in access-group 196 priority 6"
Initial attr traffic-class 0 "out access-group 196 priority 6"
Initial attr traffic-class 0 "out default drop"
Initial attr traffic-class 0 "in default drop"
Initial attr accounting-list 0 "ISG-AUTH-1"
*Dec 21 12:32:25: SSS PM [uid:1][7F37831288A8][AAA ID:83]:
policy key list doesn't have IPv4 address
*Dec 21 12:32:25: SSS AAA AUTHOR [uid:1][AAA ID:0]: Parsed AAA interim interval = 600
*Dec 21 12:32:25: SSS PM: PARAMETERIZED-QoS: QOS parameters
*Dec 21 12:32:25: SSS PM [uid:1][7F37831288A8][AAA ID:83]: RULE: VRF Parsing routine:
ssg-service-info 0 "QU;20480000;2560000;5120000;D;20480000;2560000;5120000"
traffic-class 0 "in access-group 196 priority 6"
traffic-class 0 "out access-group 196 priority 6"
traffic-class 0 "out default drop"
traffic-class 0 "in default drop"
accounting-list 0 "ISG-AUTH-1"



In the session details I see that policing has been applied:

show sss sess uid 2 detail
Type: IPv4, UID: 2, State: authen, Identity: bro
IPv4 Address: 75.47.55.3
Session Up-time: 00:04:33, Last Changed: 00:04:33
Switch-ID: 4101

Policy information:
Context 7FFD9D0A1BD0: Handle 8C000004
AAA_id 0000001D: Flow_handle 0
Authentication status: authen
Downloaded User profile, excluding services:
ssg-account-info 0 "ATP_138"
accounting-list 0 "ISG-AUTH-1"
service-type 0 5 [Outbound]
addr 0 75.47.55.3
idletime 0 120 (0x78)
username 0 "bro"
Downloaded User profile, including services:
ssg-account-info 0 "ATP_138"
accounting-list 0 "ISG-AUTH-1"
service-type 0 5 [Outbound]
addr 0 75.47.55.3
idletime 0 120 (0x78)
username 0 "bro"
ssg-service-info 0 "QU;20480000;2560000;5120000;D;20480000;2560000;5120000"
traffic-class 0 "in access-group 196 priority 6"
traffic-class 0 "out access-group 196 priority 6"
traffic-class 0 "out default drop"
traffic-class 0 "in default drop"
Config history for session (recent to oldest):
Access-type: Web-service-logon Client: SM
Policy event: Service Selection Request (Service)
Profile name: TP_138, 3 references
ssg-service-info 0 "QU;20480000;2560000;5120000;D;20480000;2560000;5120000"
traffic-class 0 "in access-group 196 priority 6"
traffic-class 0 "out access-group 196 priority 6"
traffic-class 0 "out default drop"
traffic-class 0 "in default drop"
accounting-list 0 "ISG-AUTH-1"
Access-type: IP Client: SM
Policy event: Service Selection Request
Profile name: 75.47.55.3, 2 references
ssg-account-info 0 "ATP_138"
accounting-list 0 "ISG-AUTH-1"
service-type 0 5 [Outbound]
addr 0 75.47.55.3
idletime 0 120 (0x78)
username 0 "bro"
Active services associated with session:
name "TP_138", applied before account logon
Rules, actions and conditions executed:
subscriber rule-map ISG-CUSTOMERS-POLICY
condition always event session-start
10 authorize aaa list ISG-AUTH-1 identifier source-ip-address
subscriber rule-map default-internal-rule
condition always event service-start
1 service-policy type service identifier service-name

Classifiers:
Class-id Dir Packets Bytes Pri. Definition
0 In 2149 345224 0 Match Any
1 Out 541 245300 0 Match Any
2 In 2149 345224 6 Match ACL 196
3 Out 541 245300 6 Match ACL 196
4294967294 In 0 0 - Drop
4294967275 Out 0 0 - Drop

Template Id : 1

Features:

Idle Timeout:
Class-id Dir Timeout value Idle-Time Source
1 Out 120 00:00:19 Peruser

Accounting:
Class-id Dir Packets Bytes Source
0 In 2149 345224 Peruser
1 Out 541 245300 Peruser
2 In 2149 345224 TP_138
3 Out 541 245300 TP_138

Policing:
Class-id Dir Avg. Rate Normal Burst Excess Burst Source
2 In 20480000 2560000 5120000 TP_138
3 Out 20480000 2560000 5120000 TP_138

Configuration Sources:
Type Active Time AAA Service ID Name
SVC 00:04:33 2399141890 TP_138
USR 00:04:33 - Peruser
INT 00:04:33 - GigabitEthernet0/0/1.700


Cisco config (firmware universalk9.03.13.02.S.154-3.S2-ext.SPA.bin):

aaa group server radius ISG-RADIUS
server name TEST_RAD
ip radius source-interface GigabitEthernet0/0/1.888
!
aaa authentication login ISG-AUTH-1 group ISG-RADIUS
aaa authorization network ISG-AUTH-1 group ISG-RADIUS
aaa authorization subscriber-service default local group ISG-RADIUS
aaa accounting delay-start
aaa accounting jitter maximum 0
aaa accounting update periodic 1
aaa accounting network ISG-AUTH-1 start-stop group ISG-RADIUS
!
!
aaa server radius dynamic-author
client 10.88.88.1
server-key secretkey
auth-type any
!
aaa session-id common
!
ip dhcp relay information policy keep
ip dhcp relay information trust-all
!
!
subscriber templating
subscriber authorization enable
service-policy type control ISG-CUSTOMERS-POLICY
!
multilink bundle-name authenticated
!
redirect server-group REDIRECT_NOPAY
server ip 71.223.48.27 port 80
!
!
class-map type traffic match-any CLASS-TO-REDIRECT
match access-group input 197
match access-group output 197
!
class-map type traffic match-any CLASS-TRUSTED
match access-group input 198
match access-group output 198
!
class-map type control match-all ISG-IP-UNAUTH
match timer UNAUTH-TIMER
match authen-status unauthenticated
!
policy-map type service LOCAL_L4R
ip access-group 197 in
ip access-group 197 out
1 class type traffic CLASS-TO-REDIRECT
redirect to group REDIRECT_NOPAY
!
!
policy-map type service SERVICE_L4R
1 class type traffic CLASS-TRUSTED
police input 64000 8000 16000
police output 64000 8000 16000
!
class type traffic default in-out
drop
!
!
policy-map type control ISG-CUSTOMERS-POLICY
class type control ISG-IP-UNAUTH event timed-policy-expiry
1 service disconnect
!
class type control always event quota-depleted
1 set-param drop-traffic FALSE
!
class type control always event credit-exhausted
1 service-policy type service name LOCAL_L4R
!
class type control always event session-start
10 authorize aaa list ISG-AUTH-1 password ISG identifier source-ip-address
20 set-timer UNAUTH-TIMER 1
30 service-policy type service name SERVICE_L4R
!
class type control always event session-restart
10 authorize aaa list ISG-AUTH-1 password ISG identifier source-ip-address
20 set-timer UNAUTH-TIMER 1
30 service-policy type service name SERVICE_L4R
!
class type control always event account-logon
10 authenticate aaa list ISG-AUTH-1
20 service-policy type service unapply name SERVICE_L4R
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.2
description inet
encapsulation dot1Q 2
ip address 71.223.48.2 255.255.255.224
!
interface GigabitEthernet0/0/1.700
description customer
encapsulation dot1Q 700
ip dhcp relay information trusted
ip address 75.47.55.1 255.255.255.248
ip helper-address 71.223.48.27
service-policy type control ISG-CUSTOMERS-POLICY
ip subscriber routed
initiator unclassified ip-address
!
interface GigabitEthernet0/0/1.888
description radius
encapsulation dot1Q 888
ip address 10.88.88.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 71.223.48.29
!
access-list 195 permit ip host 71.223.48.27 any
access-list 195 permit ip any host 71.223.48.27
access-list 195 deny ip any any
access-list 196 deny ip host 71.223.48.27 any
access-list 196 deny ip any host 71.223.48.27
access-list 196 permit ip any any
access-list 197 permit tcp any any eq www
access-list 197 permit tcp any eq www any
access-list 197 permit udp any any eq domain
access-list 197 permit udp any eq domain any
access-list 197 deny ip any any
access-list 198 permit tcp any any eq www
access-list 198 permit tcp any eq www any
access-list 198 permit udp any any eq domain
access-list 198 permit udp any eq domain any
access-list 198 permit tcp any any eq 9447
access-list 198 permit tcp any eq 9447 any
access-list 198 permit icmp any any
access-list 198 deny ip any any
!
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 44 extend-with-addr
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 31 mac format unformatted
radius-server vsa send cisco-nas-port
!
radius server TEST_RAD
address ipv4 10.88.88.1 auth-port 1912 acct-port 1913
key AhjkyuisadWPALi02nwxG2
!

Please advise why the speed might not be limited if policing has been applied to the session.


22 Dec 2017, 16:38
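
A way to automate the comparison made by hand in the post above, as an added example that is not part of the original post: it parses the Cisco-Service-Info value from the Access-Accept and the "Policing:" table from "show sss sess uid 2 detail", then reports any direction where the installed policer differs from what RADIUS sent. The sample input is constructed from values in the post; mapping U to In and D to Out is an assumption, and the function names are hypothetical.

```python
import re

# Constructed sample: values copied from the post's Access-Accept and
# session detail output, trimmed to the relevant lines.
SERVICE_INFO = "QU;20480000;2560000;5120000;D;20480000;2560000;5120000"
SESSION_DETAIL = """\
Policing:
Class-id Dir Avg. Rate Normal Burst Excess Burst Source
2 In 20480000 2560000 5120000 TP_138
3 Out 20480000 2560000 5120000 TP_138

Configuration Sources:
"""

def parse_service_info(value):
    """Split 'QU;rate;normal;excess;D;rate;normal;excess' by direction.
    Assumption: U (upstream) corresponds to Dir 'In', D to Dir 'Out'."""
    m = re.fullmatch(r"QU;(\d+);(\d+);(\d+);D;(\d+);(\d+);(\d+)", value.strip())
    if not m:
        raise ValueError(f"unrecognised service-info: {value!r}")
    n = [int(x) for x in m.groups()]
    return {"In": tuple(n[:3]), "Out": tuple(n[3:])}

def parse_policing(text):
    """Read the rows under 'Policing:' until the first blank line."""
    rows, in_section = {}, False
    for line in text.splitlines():
        if line.strip() == "Policing:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break
            f = line.split()
            # Skip the column header; keep rows like '2 In <rate> <nb> <eb> <src>'.
            if len(f) >= 5 and f[0].isdigit() and f[1] in ("In", "Out"):
                rows[f[1]] = tuple(int(x) for x in f[2:5])
    return rows

def policing_mismatches(service_info, session_text):
    """Return directions whose installed policer differs from what RADIUS sent."""
    want, have = parse_service_info(service_info), parse_policing(session_text)
    return {d: (want[d], have.get(d)) for d in want if have.get(d) != want[d]}

if __name__ == "__main__":
    print(policing_mismatches(SERVICE_INFO, SESSION_DETAIL) or "policers match RADIUS")
```

A match only confirms that the values RADIUS sent were installed on the session; it does not show that traffic is actually being policed, which is the open question in the post.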