wannabecool
Registered: 30 Oct 2017, 09:10   Posts: 10
Hello! I have run into a problem while setting up ISG on an ASR 1001-X: after the session comes up and authorization succeeds, the subscriber's speed is not being throttled.
At the same time the RADIUS server does hand out the rates:
rad_recv: Access-Request packet from host 10.88.88.2 port 1645, id=2, length=58
        User-Password = "cisco"
        User-Name = "TP_138"
        Service-Type = Outbound-User
        NAS-IP-Address = 10.88.88.2
Sending Access-Accept of id 2 to 10.88.88.2 port 1645
        Acct-Interim-Interval = 600
        Cisco-Service-Info = "QU;20480000;2560000;5120000;D;20480000;2560000;5120000"
        Cisco-AVPair += "ip:traffic-class=in access-group 196 priority 6"
        Cisco-AVPair += "ip:traffic-class=out access-group 196 priority 6"
        Cisco-AVPair += "ip:traffic-class=out default drop"
        Cisco-AVPair += "ip:traffic-class=in default drop"
        Cisco-AVPair += "subscriber:accounting-list=ISG-AUTH-1"

On the Cisco at that moment I see the following:

*Dec 21 12:32:25: RADIUS(00000000): Send Access-Request to 10.88.88.1:1912 id 1645/2, len 58
*Dec 21 12:32:25: RADIUS:  authenticator 78 C2 05 75 47 88 CC 31 - A6 35 D0 DA A9 05 6C 6C
*Dec 21 12:32:25: RADIUS:  User-Password       [2]   18  *
*Dec 21 12:32:25: RADIUS:  User-Name           [1]   8   "TP_138"
*Dec 21 12:32:25: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*Dec 21 12:32:25: RADIUS:  NAS-IP-Address      [4]   6   10.88.88.2
*Dec 21 12:32:25: RADIUS(00000000): Sending a IPv4 Radius Packet
*Dec 21 12:32:25: RADIUS(00000000): Started 5 sec timeout
*Dec 21 12:32:25: RADIUS: Received from id 1645/2 10.88.88.1:1912, Access-Accept, len 325
*Dec 21 12:32:25: RADIUS:  authenticator AF 91 D1 17 AF 3D 31 87 - A8 4A 86 0A 48 01 1E C3
*Dec 21 12:32:25: RADIUS:  Acct-Interim-Interva[85]  6   600
*Dec 21 12:32:25: RADIUS:  Vendor, Cisco       [26]  62
*Dec 21 12:32:25: RADIUS:   ssg-service-info   [251] 56  "QU;20480000;2560000;5120000;D;20480000;2560000;5120000"
*Dec 21 12:32:25: RADIUS:  Vendor, Cisco       [26]  55
*Dec 21 12:32:25: RADIUS:   Cisco AVpair       [1]   49  "ip:traffic-class=in access-group 196 priority 6"
*Dec 21 12:32:25: RADIUS:  Vendor, Cisco       [26]  56
*Dec 21 12:32:25: RADIUS:   Cisco AVpair       [1]   50  "ip:traffic-class=out access-group 196 priority 6"
*Dec 21 12:32:25: RADIUS:  Vendor, Cisco       [26]  41
*Dec 21 12:32:25: RADIUS:   Cisco AVpair       [1]   35  "ip:traffic-class=out default drop"
*Dec 21 12:32:25: RADIUS:  Vendor, Cisco       [26]  40
*Dec 21 12:32:25: RADIUS:   Cisco AVpair       [1]   34  "ip:traffic-class=in default drop"
*Dec 21 12:32:25: RADIUS:  Vendor, Cisco       [26]  45
*Dec 21 12:32:25: RADIUS:   Cisco AVpair       [1]   39  "subscriber:accounting-list=ISG-AUTH-1"
*Dec 21 12:32:25: RADIUS/DECODE(00000000): There is no General DB. Reply server details may not be recorded
*Dec 21 12:32:25: RADIUS(00000000): Received from id 1645/2
*Dec 21 12:32:25: SSS AAA AUTHOR [uid:1][AAA ID:0]: Received an AAA pass
  Initial attr acct-interval 0 600 (0x258)
  Initial attr ssg-service-info 0 "QU;20480000;2560000;5120000;D;20480000;2560000;5120000"
  Initial attr traffic-class 0 "in access-group 196 priority 6"
  Initial attr traffic-class 0 "out access-group 196 priority 6"
  Initial attr traffic-class 0 "out default drop"
  Initial attr traffic-class 0 "in default drop"
  Initial attr accounting-list 0 "ISG-AUTH-1"
*Dec 21 12:32:25: SSS PM [uid:1][7F37831288A8][AAA ID:83]: policy key list doesn't have IPv4 address
*Dec 21 12:32:25: SSS AAA AUTHOR [uid:1][AAA ID:0]: Parsed AAA interim interval = 600
*Dec 21 12:32:25: SSS PM: PARAMETERIZED-QoS: QOS parameters
*Dec 21 12:32:25: SSS PM [uid:1][7F37831288A8][AAA ID:83]: RULE: VRF Parsing routine:
  ssg-service-info 0 "QU;20480000;2560000;5120000;D;20480000;2560000;5120000"
  traffic-class 0 "in access-group 196 priority 6"
  traffic-class 0 "out access-group 196 priority 6"
  traffic-class 0 "out default drop"
  traffic-class 0 "in default drop"
  accounting-list 0 "ISG-AUTH-1"
In the session details I can see that policing has been applied:
show sss sess uid 2 detail
Type: IPv4, UID: 2, State: authen, Identity: bro
IPv4 Address: 75.47.55.3
Session Up-time: 00:04:33, Last Changed: 00:04:33
Switch-ID: 4101

Policy information:
  Context 7FFD9D0A1BD0: Handle 8C000004
  AAA_id 0000001D: Flow_handle 0
  Authentication status: authen
  Downloaded User profile, excluding services:
    ssg-account-info 0 "ATP_138"
    accounting-list 0 "ISG-AUTH-1"
    service-type 0 5 [Outbound]
    addr 0 75.47.55.3
    idletime 0 120 (0x78)
    username 0 "bro"
  Downloaded User profile, including services:
    ssg-account-info 0 "ATP_138"
    accounting-list 0 "ISG-AUTH-1"
    service-type 0 5 [Outbound]
    addr 0 75.47.55.3
    idletime 0 120 (0x78)
    username 0 "bro"
    ssg-service-info 0 "QU;20480000;2560000;5120000;D;20480000;2560000;5120000"
    traffic-class 0 "in access-group 196 priority 6"
    traffic-class 0 "out access-group 196 priority 6"
    traffic-class 0 "out default drop"
    traffic-class 0 "in default drop"
  Config history for session (recent to oldest):
    Access-type: Web-service-logon
    Client: SM
    Policy event: Service Selection Request (Service)
      Profile name: TP_138, 3 references
        ssg-service-info 0 "QU;20480000;2560000;5120000;D;20480000;2560000;5120000"
        traffic-class 0 "in access-group 196 priority 6"
        traffic-class 0 "out access-group 196 priority 6"
        traffic-class 0 "out default drop"
        traffic-class 0 "in default drop"
        accounting-list 0 "ISG-AUTH-1"
    Access-type: IP
    Client: SM
    Policy event: Service Selection Request
      Profile name: 75.47.55.3, 2 references
        ssg-account-info 0 "ATP_138"
        accounting-list 0 "ISG-AUTH-1"
        service-type 0 5 [Outbound]
        addr 0 75.47.55.3
        idletime 0 120 (0x78)
        username 0 "bro"
  Active services associated with session:
    name "TP_138", applied before account logon
  Rules, actions and conditions executed:
    subscriber rule-map ISG-CUSTOMERS-POLICY
      condition always event session-start
        10 authorize aaa list ISG-AUTH-1 identifier source-ip-address
    subscriber rule-map default-internal-rule
      condition always event service-start
        1 service-policy type service identifier service-name

Classifiers:
  Class-id    Dir  Packets  Bytes    Pri.  Definition
  0           In   2149     345224   0     Match Any
  1           Out  541      245300   0     Match Any
  2           In   2149     345224   6     Match ACL 196
  3           Out  541      245300   6     Match ACL 196
  4294967294  In   0        0        -     Drop
  4294967275  Out  0        0        -     Drop

Template Id : 1

Features:
  Idle Timeout:
    Class-id  Dir  Timeout value  Idle-Time  Source
    1         Out  120            00:00:19   Peruser
  Accounting:
    Class-id  Dir  Packets  Bytes   Source
    0         In   2149     345224  Peruser
    1         Out  541      245300  Peruser
    2         In   2149     345224  TP_138
    3         Out  541      245300  TP_138
  Policing:
    Class-id  Dir  Avg. Rate  Normal Burst  Excess Burst  Source
    2         In   20480000   2560000       5120000       TP_138
    3         Out  20480000   2560000       5120000       TP_138

Configuration Sources:
  Type  Active Time  AAA Service ID  Name
  SVC   00:04:33     2399141890      TP_138
  USR   00:04:33     -               Peruser
  INT   00:04:33     -               GigabitEthernet0/0/1.700
Cisco config (firmware universalk9.03.13.02.S.154-3.S2-ext.SPA.bin):
aaa group server radius ISG-RADIUS
 server name TEST_RAD
 ip radius source-interface GigabitEthernet0/0/1.888
!
aaa authentication login ISG-AUTH-1 group ISG-RADIUS
aaa authorization network ISG-AUTH-1 group ISG-RADIUS
aaa authorization subscriber-service default local group ISG-RADIUS
aaa accounting delay-start
aaa accounting jitter maximum 0
aaa accounting update periodic 1
aaa accounting network ISG-AUTH-1 start-stop group ISG-RADIUS
!
!
aaa server radius dynamic-author
 client 10.88.88.1 server-key secretkey
 auth-type any
!
aaa session-id common
!
ip dhcp relay information policy keep
ip dhcp relay information trust-all
!
!
subscriber templating
subscriber authorization enable
service-policy type control ISG-CUSTOMERS-POLICY
!
multilink bundle-name authenticated
!
redirect server-group REDIRECT_NOPAY
 server ip 71.223.48.27 port 80
!
!
class-map type traffic match-any CLASS-TO-REDIRECT
 match access-group input 197
 match access-group output 197
!
class-map type traffic match-any CLASS-TRUSTED
 match access-group input 198
 match access-group output 198
!
class-map type control match-all ISG-IP-UNAUTH
 match timer UNAUTH-TIMER
 match authen-status unauthenticated
!
policy-map type service LOCAL_L4R
 ip access-group 197 in
 ip access-group 197 out
 1 class type traffic CLASS-TO-REDIRECT
  redirect to group REDIRECT_NOPAY
!
!
policy-map type service SERVICE_L4R
 1 class type traffic CLASS-TRUSTED
  police input 64000 8000 16000
  police output 64000 8000 16000
 !
 class type traffic default in-out
  drop
!
!
policy-map type control ISG-CUSTOMERS-POLICY
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event quota-depleted
  1 set-param drop-traffic FALSE
 !
 class type control always event credit-exhausted
  1 service-policy type service name LOCAL_L4R
 !
 class type control always event session-start
  10 authorize aaa list ISG-AUTH-1 password ISG identifier source-ip-address
  20 set-timer UNAUTH-TIMER 1
  30 service-policy type service name SERVICE_L4R
 !
 class type control always event session-restart
  10 authorize aaa list ISG-AUTH-1 password ISG identifier source-ip-address
  20 set-timer UNAUTH-TIMER 1
  30 service-policy type service name SERVICE_L4R
 !
 class type control always event account-logon
  10 authenticate aaa list ISG-AUTH-1
  20 service-policy type service unapply name SERVICE_L4R
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/1.2
 description inet
 encapsulation dot1Q 2
 ip address 71.223.48.2 255.255.255.224
!
interface GigabitEthernet0/0/1.700
 description customer
 encapsulation dot1Q 700
 ip dhcp relay information trusted
 ip address 75.47.55.1 255.255.255.248
 ip helper-address 71.223.48.27
 service-policy type control ISG-CUSTOMERS-POLICY
 ip subscriber routed
  initiator unclassified ip-address
!
interface GigabitEthernet0/0/1.888
 description radius
 encapsulation dot1Q 888
 ip address 10.88.88.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 71.223.48.29
!
access-list 195 permit ip host 71.223.48.27 any
access-list 195 permit ip any host 71.223.48.27
access-list 195 deny ip any any
access-list 196 deny ip host 71.223.48.27 any
access-list 196 deny ip any host 71.223.48.27
access-list 196 permit ip any any
access-list 197 permit tcp any any eq www
access-list 197 permit tcp any eq www any
access-list 197 permit udp any any eq domain
access-list 197 permit udp any eq domain any
access-list 197 deny ip any any
access-list 198 permit tcp any any eq www
access-list 198 permit tcp any eq www any
access-list 198 permit udp any any eq domain
access-list 198 permit udp any eq domain any
access-list 198 permit tcp any any eq 9447
access-list 198 permit tcp any eq 9447 any
access-list 198 permit icmp any any
access-list 198 deny ip any any
!
!
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 44 extend-with-addr
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 31 mac format unformatted
radius-server vsa send cisco-nas-port
!
radius server TEST_RAD
 address ipv4 10.88.88.1 auth-port 1912 acct-port 1913
 key AhjkyuisadWPALi02nwxG2
!
Can anyone tell me why the speed might not be getting throttled when policing has been applied to the session?
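The Cisco-Service-Info value in the Access-Accept above ("QU;20480000;2560000;5120000;D;20480000;2560000;5120000") is the string ISG turns into the per-direction policer shown under "Policing:" in the session detail. The script below is an added example, not code from the post or from Cisco: it decodes that value (Q = QoS, U = upstream/"In", D = downstream/"Out"; rates in bit/s, bursts in bytes, the same units as the ISG police command), prints the policer in readable units, and checks it against the Policing rows of show sss session output. The sample inputs are the values quoted in the post; the function names and the table regex are this example's own. It only confirms that what RADIUS delivered and what got installed agree (which they do here); it cannot say why throughput is not being limited.

```python
"""Decode the ISG QoS service attribute and check it against the installed policer.

Added example, not code from the forum post.  The Cisco-Service-Info
(ssg-service-info) QoS value from the post's Access-Accept has the form

    QU;<up-rate>;<up-normal-burst>;<up-excess-burst>;D;<down-rate>;<down-normal-burst>;<down-excess-burst>

Rates are bits per second, bursts are bytes (same units as the ISG
`police input <bps> <normal-burst> <excess-burst>` command).  Either half
may be omitted.  Function names and the table regex are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policer:
    rate_bps: int
    normal_burst_bytes: int
    excess_burst_bytes: int

    def normal_burst_seconds(self) -> float:
        """Seconds of traffic at the committed rate that fit in the normal burst (Bc*8/CIR)."""
        return self.normal_burst_bytes * 8 / self.rate_bps

    def describe(self) -> str:
        return (f"{self.rate_bps / 1e6:.2f} Mbit/s, Bc {self.normal_burst_bytes} B "
                f"({self.normal_burst_seconds():.2f} s at CIR), Be {self.excess_burst_bytes} B")


# Direction letter in the VSA -> Dir column of `show sss session ... detail`.
# U = upstream (from the subscriber) = "In"; D = downstream (to the subscriber) = "Out".
_DIRECTION = {"U": "In", "D": "Out"}

# One data row of the Policing table: Class-id Dir Avg.Rate NormalBurst ExcessBurst Source
_POLICE_ROW = re.compile(r"^\s*\d+\s+(In|Out)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_service_info(value: str) -> dict[str, Policer]:
    """Return {"In": Policer, "Out": Policer}; either key may be absent."""
    if len(value) < 2 or value[0] != "Q":
        raise ValueError(f"not a QoS service-info value: {value!r}")
    tokens = value[1:].split(";")          # "U;rate;bc;be;D;rate;bc;be"
    if len(tokens) % 4:
        raise ValueError(f"expected groups of <dir>;<rate>;<bc>;<be>: {value!r}")
    policers: dict[str, Policer] = {}
    for i in range(0, len(tokens), 4):
        letter, *numbers = tokens[i:i + 4]
        if letter not in _DIRECTION or _DIRECTION[letter] in policers:
            raise ValueError(f"bad or repeated direction {letter!r} in {value!r}")
        rate, bc, be = (int(n) for n in numbers)
        if rate <= 0 or bc <= 0 or be <= 0:
            raise ValueError(f"rate and bursts must be positive: {value!r}")
        policers[_DIRECTION[letter]] = Policer(rate, bc, be)
    return policers


def parse_policing_table(show_output: str) -> dict[str, tuple[str, Policer]]:
    """Pull the Policing rows out of `show sss session uid N detail` output.

    Returns {"In": (source, Policer), "Out": (source, Policer)}.
    """
    installed: dict[str, tuple[str, Policer]] = {}
    in_section = False
    for line in show_output.splitlines():
        stripped = line.strip()
        if stripped == "Policing:":
            in_section = True
            continue
        if in_section:
            if stripped.endswith(":"):     # next feature or section heading ends the table
                break
            m = _POLICE_ROW.match(line)
            if m:
                direction, rate, bc, be, source = m.groups()
                installed[direction] = (source, Policer(int(rate), int(bc), int(be)))
    return installed


def compare_with_installed(service_info: str, show_output: str) -> list[str]:
    """List every way the installed policer differs from what RADIUS delivered."""
    wanted = parse_service_info(service_info)
    installed = parse_policing_table(show_output)
    problems: list[str] = []
    for direction in ("In", "Out"):
        want, have = wanted.get(direction), installed.get(direction)
        if want and not have:
            problems.append(f"{direction}: RADIUS asked for {want.describe()} but no policer is installed")
        elif have and not want:
            problems.append(f"{direction}: policer from {have[0]} installed without a RADIUS QoS value")
        elif want and have and want != have[1]:
            problems.append(f"{direction}: RADIUS {want.describe()} != installed {have[1].describe()} "
                            f"(source {have[0]})")
    return problems


# Sample input, taken from the values quoted in the post (Access-Accept attribute and Policing table).
POST_SERVICE_INFO = "QU;20480000;2560000;5120000;D;20480000;2560000;5120000"
POST_SHOW_POLICING = """\
Features:
  Policing:
    Class-id  Dir  Avg. Rate  Normal Burst  Excess Burst  Source
    2         In   20480000   2560000       5120000       TP_138
    3         Out  20480000   2560000       5120000       TP_138
Configuration Sources:
  Type  Active Time  AAA Service ID  Name
  SVC   00:04:33     2399141890      TP_138
"""

if __name__ == "__main__":
    for direction, policer in parse_service_info(POST_SERVICE_INFO).items():
        print(f"{direction}: {policer.describe()}")
    print(compare_with_installed(POST_SERVICE_INFO, POST_SHOW_POLICING) or "installed policer matches RADIUS")
```

Run it as-is and it reports 20.48 Mbit/s in each direction with a 1.00 s normal burst and no discrepancy; point compare_with_installed at the output of a live session and any direction where the installed Avg. Rate or bursts differ from the RADIUS value, or where a direction is missing altogether, is listed.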