ISGv2 Control policies: различия между версиями

 
(не показано 14 промежуточных версий этого же участника)
Строка 21: Строка 21:
 
* Новый пул адресов, на который только планируется миграция <code>100.64.128.0/20</code>
 
* Новый пул адресов, на который только планируется миграция <code>100.64.128.0/20</code>
 
* Реальные адреса заменены на сеть 100.127.252.0/22
 
* Реальные адреса заменены на сеть 100.127.252.0/22
 
 
<PRE>
 
no ip access-list extended FROM_PAID_CUSTOMERS
 
ip access-list extended FROM_PAID_CUSTOMERS
 
remark From Paid customers, old and new IP ranges
 
100 permit ip 192.168.128.0 0.0.15.255 any
 
200 permit ip 100.64.128.0 0.0.15.255 any
 
10000 deny ip any any
 
exit
 
</PRE>
 
 
<PRE>
 
no ip access-list extended TO_PAID_CUSTOMERS
 
ip access-list extended TO_PAID_CUSTOMERS
 
100 permit ip any 192.168.128.0 0.0.15.255
 
200 permit ip any 100.64.128.0 0.0.15.255
 
10000 deny ip any any
 
deny ip any any
 
exit
 
</PRE>
 
   
 
==Диапазон "неплатильщиков"==
 
==Диапазон "неплатильщиков"==
Строка 73: Строка 52:
 
no ip access-list extended FROM_NOT_PAID_CUSTOMERS_TO_INET
 
no ip access-list extended FROM_NOT_PAID_CUSTOMERS_TO_INET
 
ip access-list extended FROM_NOT_PAID_CUSTOMERS_TO_INET
 
ip access-list extended FROM_NOT_PAID_CUSTOMERS_TO_INET
remark From Not-Paid Customers to inet except our network
+
remark From Not-Paid Customers to internet except our network
100 deny ip 10.3.0.0 0.0.255.255 10.2.0.0 0.0.255.255
+
100 deny ip 10.3.0.0 0.0.255.255 10.0.0.0 0.255.255.255
100 deny ip 10.3.0.0 0.0.255.255 10.3.0.0 0.0.255.255
+
200 deny ip 10.3.0.0 0.0.255.255 192.168.0.0 0.0.255.255
100 deny ip 10.3.0.0 0.0.255.255 192.168.128.0 0.0.15.255
+
300 deny ip 10.3.0.0 0.0.255.255 172.16.0.0 0.15.255.255
100 deny ip 10.3.0.0 0.0.255.255 100.64.128.0 0.0.15.255
+
400 deny ip 10.3.0.0 0.0.255.255 100.64.128.0 0.0.15.255
100 deny ip 10.3.0.0 0.0.255.255 100.127.255.0 0.0.0.255
+
500 deny ip 10.3.0.0 0.0.255.255 100.127.252.0 0.0.3.255
100 deny ip 10.3.0.0 0.0.255.255 10.3.0.0 0.0.255.255
+
600 permit ip 10.3.0.0 0.0.255.255 any
  +
10000 deny ip any any
  +
exit
  +
</PRE>
   
  +
<PRE>
100 permit ip 10.3.0.0 0.0.255.255 any
 
  +
no ip access-list extended FROM_NOT_PAID_CUSTOMERS_TO_LOCAL
  +
ip access-list extended FROM_NOT_PAID_CUSTOMERS_TO_LOCAL
  +
remark From Not-Paid Customers to internet except our network
  +
100 permit ip 10.3.0.0 0.0.255.255 10.0.0.0 0.255.255.255
  +
200 permit ip 10.3.0.0 0.0.255.255 192.168.0.0 0.0.255.255
  +
300 permit ip 10.3.0.0 0.0.255.255 172.16.0.0 0.15.255.255
  +
400 permit ip 10.3.0.0 0.0.255.255 100.64.128.0 0.0.15.255
  +
500 permit ip 10.3.0.0 0.0.255.255 100.127.252.0 0.0.3.255
  +
10000 deny ip any any
  +
exit
  +
</PRE>
  +
  +
<PRE>
  +
no ip access-list extended FROM_LOCAL_TO_NOT_PAID_CUSTOMERS
  +
ip access-list extended FROM_NOT_PAID_CUSTOMERS_TO_LOCAL
  +
remark From Not-Paid Customers to internet except our network
  +
100 permit ip 10.0.0.0 0.255.255.255 10.3.0.0 0.0.255.255
  +
200 permit ip 192.168.0.0 0.0.255.255 10.3.0.0 0.0.255.255
  +
300 permit ip 172.16.0.0 0.15.255.255 10.3.0.0 0.0.255.255
  +
400 permit ip 100.64.128.0 0.0.15.255 10.3.0.0 0.0.255.255
  +
500 permit ip 100.127.252.0 0.0.3.255 10.3.0.0 0.0.255.255
 
10000 deny ip any any
 
10000 deny ip any any
 
exit
 
exit
Строка 98: Строка 101:
   
 
<PRE>
 
<PRE>
no class-map type traffic match-any CLASS_MAP_NOT_PAID_CUSTOMERS_TO_
+
no class-map type traffic match-any CLASS_MAP_NOT_PAID_CUSTOMERS_TO_LOCAL
class-map type traffic match-any CLASS_MAP_NOT_PAID_CUSTOMERS
+
class-map type traffic match-any CLASS_MAP_NOT_PAID_CUSTOMERS_TO_LOCAL
match access-group input name FROM_NOT_PAID_CUSTOMERS
+
match access-group input name FROM_NOT_PAID_CUSTOMERS_TO_LOCAL
match access-group output name TO_NOT_PAID_CUSTOMERS
+
match access-group output name FROM_LOCAL_TO_NOT_PAID_CUSTOMERS
 
exit
 
exit
 
</PRE>
 
</PRE>
Строка 107: Строка 110:
 
==Диапазон "неавторизованных"==
 
==Диапазон "неавторизованных"==
 
Те абоненты что только что включились, но еще не ввели свой логин и пароль получают адреса из диапазона <code>10.2.0.0/16</code>
 
Те абоненты что только что включились, но еще не ввели свой логин и пароль получают адреса из диапазона <code>10.2.0.0/16</code>
  +
  +
=Тестовый сервис=
   
 
<PRE>
 
<PRE>
  +
no policy-map type service POLICY_MAP_SERVICE_NOT_PAID_CUSTOMERS_TO_LOCAL
no ip access-list extended FROM_NOT_AUTH_CUSTOMERS
 
  +
policy-map type service POLICY_MAP_SERVICE_NOT_PAID_CUSTOMERS_TO_LOCAL
ip access-list extended FROM_NOT_AUTH_CUSTOMERS
 
  +
100 class type traffic CLASS_MAP_NOT_PAID_CUSTOMERS_TO_LOCAL
remark From Not-Auth Customers
 
  +
police input 8000
100 permit ip 10.2.0.0 0.0.255.255 any
 
  +
police output 8000
10000 deny ip any any
 
 
exit
 
exit
 
</PRE>
 
</PRE>
   
  +
<PRE>
 
  +
no policy-map type service POLICY_MAP_SERVICE_NOT_PAID_CUSTOMERS_TO_LOCAL1
no ip access-list extended TO_NOT_AUTH_CUSTOMERS
 
  +
policy-map type service POLICY_MAP_SERVICE_NOT_PAID_CUSTOMERS_TO_LOCAL1
ip access-list extended TO_NOT_AUTH_CUSTOMERS
 
  +
class type traffic CLASS_MAP_NOT_PAID_CUSTOMERS_TO_LOCAL
remark TO Not-Auth Customers
 
  +
police input 8000
100 permit ip any 10.2.0.0 0.0.255.255
 
  +
police output 8000
10000 deny ip any any
 
  +
exit
deny ip any any
 
 
exit
 
exit
  +
</PRE>
 
  +
=999=
   
 
<PRE>
 
<PRE>
no class-map type control match-all CLASS_MAP_NOT_AUTH_CUSTOMERS
+
no class-map type control match-all CLASS_MAP_CONTROL_TIMER_FOR_NOT_PAID
class-map type control match-all CLASS_MAP_NOT_AUTH_CUSTOMERS
+
class-map type control match-all CLASS_MAP_CONTROL_TIMER_FOR_NOT_PAID
  +
match authen-status unauthenticated
match source-ip-address 10.2.0.0 255.255.0.0
 
  +
match timer TIMER_NOT_PAID
  +
match source-ip-address 10.3.0.0 255.255.0.0
 
exit
 
exit
  +
!
 
</PRE>
 
</PRE>
 
 
<PRE>
 
<PRE>
no class-map type traffic match-any CLASS_MAP_NOT_AUTH_CUSTOMERS
 
class-map type traffic match-any CLASS_MAP_NOT_AUTH_CUSTOMERS
 
match access-group input name FROM_NOT_AUTH_CUSTOMERS
 
match access-group output name TO_NOT_AUTH_CUSTOMERS
 
exit
 
</PRE>
 
   
  +
policy-map type control ISG-CUSTOMERS-POLICY
=Тестовый сервис=
 
  +
class type control CLASS_MAP_CONTROL_TIMER_FOR_NOT_PAID event timed-policy-expiry
 
  +
10 service disconnect
<PRE>
 
  +
!
no policy-map type service POLICY_MAP_SERVICE_NOT_PAID_CUSTOMERS
 
  +
class type control CLASS_MAP_NOT_PAID_CUSTOMERS event session-start
policy-map type service POLICY_MAP_SERVICE_NOT_PAID_CUSTOMERS
 
  +
20 set-timer TIMER_NOT_PAID 5
100 class type traffic CLASS_MAP_NOT_PAID_CUSTOMERS
 
  +
30 service-policy type service name POLICY_MAP_SERVICE_NOT_PAID_CUSTOMERS_TO_LOCAL
police input 8000
 
  +
exit
police output 8000
 
 
exit
 
exit
  +
!
 
</PRE>
 
</PRE>
   
=999=
+
=999999=
 
<PRE>
 
<PRE>
 
policy-map type control ISG-CUSTOMERS-POLICY
 
policy-map type control ISG-CUSTOMERS-POLICY
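Review bot: The reverse-direction ACL in the "Строка 73" hunk is created under the wrong name: `no ip access-list extended FROM_LOCAL_TO_NOT_PAID_CUSTOMERS` is immediately followed by `ip access-list extended FROM_NOT_PAID_CUSTOMERS_TO_LOCAL`, so its entries 100–500 (non-paying pool as destination) are fed into the TO_LOCAL list that was just defined with the same sequence numbers, and FROM_LOCAL_TO_NOT_PAID_CUSTOMERS itself is never defined. The new class-map in the "Строка 98" hunk binds exactly that missing name with `match access-group output name FROM_LOCAL_TO_NOT_PAID_CUSTOMERS`, so whether IOS rejects the duplicate sequence numbers or replaces the entries, the output direction of CLASS_MAP_NOT_PAID_CUSTOMERS_TO_LOCAL ends up tied to a nonexistent ACL — not a safe fallback for a class meant to restrict non-paying subscribers. The header line should read `ip access-list extended FROM_LOCAL_TO_NOT_PAID_CUSTOMERS`, and its remark, copied from the other list, should name the direction it covers, e.g. `remark From our local networks to Not-Paid Customers`. The remark of the TO_LOCAL list in the same hunk likewise still says "to internet".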

Текущая версия на 09:59, 10 мая 2023


Control policies

Политики управляют всей логикой

1

Что хочется получить

  • Для всех пользователей проверять скорость из радиуса и выставлять соответствующую скорость
    • Скорость пользователя в биллинге произвольна и нет заранее предопределенных тарифов
  • Если радиус не ответил (тайм-аут), то для пользователей из разрешенного диапазона адресов разрешать доступ в интернет (без ограничения скорости)
  • Если радиус ответил Reject, то для разрешенного диапазона разрешать работу, а для запрещенного диапазона — делать редирект

Определить диапазоны адресов

"Нормальные" платящие абоненты

Три диапазона (в примере только два)

  • "Старый" пул адресов 192.168.128.0/20
  • Новый пул адресов, на который только планируется миграция 100.64.128.0/20
  • Реальные адреса заменены на сеть 100.127.252.0/22

Диапазон "неплательщиков"

Абонентам, у которых образовалась задолженность, выдаются адреса из диапазона 10.3.0.0/16


! FROM_NOT_PAID_CUSTOMERS: traffic whose SOURCE is the non-paying pool
! 10.3.0.0/16 (wildcard 0.0.255.255). The "no" line first removes any
! previous copy so the snippet can be pasted repeatedly without leftovers.
no ip access-list extended FROM_NOT_PAID_CUSTOMERS
ip access-list extended FROM_NOT_PAID_CUSTOMERS
 remark From Not-Paid Customers
 100   permit ip 10.3.0.0  0.0.255.255 any
! 10000 spells out the catch-all deny instead of relying on the implicit one.
 10000 deny   ip any any
exit
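! TO_NOT_PAID_CUSTOMERS: mirror image of FROM_NOT_PAID_CUSTOMERS, with the
! non-paying pool 10.3.0.0/16 as DESTINATION (traffic towards the subscriber).
no ip access-list extended TO_NOT_PAID_CUSTOMERS
ip access-list extended TO_NOT_PAID_CUSTOMERS
 remark TO Not-Paid Customers
 100   permit ip any 10.3.0.0  0.0.255.255
! Exactly one explicit catch-all deny; a second, unsequenced "deny ip any any"
! after it would be unreachable and only confuse "show access-lists" output.
 10000 deny   ip any any
exit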



! FROM_NOT_PAID_CUSTOMERS_TO_INET: what a non-paying subscriber may still
! reach on the Internet. Every internal/customer range is denied first
! (ACLs are evaluated first-match, so the order matters), then 600 permits
! everything else.
no ip access-list extended FROM_NOT_PAID_CUSTOMERS_TO_INET
ip access-list extended FROM_NOT_PAID_CUSTOMERS_TO_INET
 remark From Not-Paid Customers to internet except our network
! 10.0.0.0/8 also contains the non-paying (10.3/16) and unauthenticated
! (10.2/16) pools, and 192.168/16 contains the old paid pool 192.168.128/20,
! so subscriber-to-subscriber traffic is denied here as well.
 100   deny   ip 10.3.0.0  0.0.255.255 10.0.0.0       0.255.255.255
 200   deny   ip 10.3.0.0  0.0.255.255 192.168.0.0    0.0.255.255
 300   deny   ip 10.3.0.0  0.0.255.255 172.16.0.0     0.15.255.255
! 400/500: the new paid pool and the /22 that stands in for the public
! addresses in this write-up.
 400   deny   ip 10.3.0.0  0.0.255.255 100.64.128.0   0.0.15.255
 500   deny   ip 10.3.0.0  0.0.255.255 100.127.252.0  0.0.3.255
 600   permit ip 10.3.0.0  0.0.255.255 any
 10000 deny   ip any any
exit
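! FROM_NOT_PAID_CUSTOMERS_TO_LOCAL: the complement of ..._TO_INET — the same
! internal ranges, but permitted. This is the INPUT side (packets from the
! subscriber) of CLASS_MAP_NOT_PAID_CUSTOMERS_TO_LOCAL.
no ip access-list extended FROM_NOT_PAID_CUSTOMERS_TO_LOCAL
ip access-list extended FROM_NOT_PAID_CUSTOMERS_TO_LOCAL
! Remark states the actual direction (local networks), not "internet".
 remark From Not-Paid Customers to our local networks
 100   permit ip 10.3.0.0  0.0.255.255 10.0.0.0       0.255.255.255
 200   permit ip 10.3.0.0  0.0.255.255 192.168.0.0    0.0.255.255
 300   permit ip 10.3.0.0  0.0.255.255 172.16.0.0     0.15.255.255
 400   permit ip 10.3.0.0  0.0.255.255 100.64.128.0   0.0.15.255
 500   permit ip 10.3.0.0  0.0.255.255 100.127.252.0  0.0.3.255
 10000 deny   ip any any
exit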
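! FROM_LOCAL_TO_NOT_PAID_CUSTOMERS: reverse direction of ..._TO_LOCAL
! (local ranges as source, non-paying pool 10.3.0.0/16 as destination).
! This is the OUTPUT side of CLASS_MAP_NOT_PAID_CUSTOMERS_TO_LOCAL, which
! references exactly this name, so the list must be created under it and
! not under the ..._TO_LOCAL name that is already taken by the other list
! (same sequence numbers 100-500 would collide there).
no ip access-list extended FROM_LOCAL_TO_NOT_PAID_CUSTOMERS
ip access-list extended FROM_LOCAL_TO_NOT_PAID_CUSTOMERS
 remark From our local networks to Not-Paid Customers
 100   permit ip 10.0.0.0       0.255.255.255 10.3.0.0  0.0.255.255
 200   permit ip 192.168.0.0    0.0.255.255   10.3.0.0  0.0.255.255
 300   permit ip 172.16.0.0     0.15.255.255  10.3.0.0  0.0.255.255
 400   permit ip 100.64.128.0   0.0.15.255    10.3.0.0  0.0.255.255
 500   permit ip 100.127.252.0  0.0.3.255     10.3.0.0  0.0.255.255
 10000 deny   ip any any
exit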



! Control class: a session is treated as "non-paying" purely on the basis of
! its source address. Note the argument is a normal subnet mask
! (255.255.0.0), not the wildcard form (0.0.255.255) used by the ACLs above.
no class-map type control match-all CLASS_MAP_NOT_PAID_CUSTOMERS
class-map type control match-all CLASS_MAP_NOT_PAID_CUSTOMERS
 match source-ip-address 10.3.0.0 255.255.0.0
exit


! Traffic class that ties the two directional ACLs together:
!   input  = packets from the subscriber  (FROM_NOT_PAID_CUSTOMERS_TO_LOCAL)
!   output = packets towards the subscriber (FROM_LOCAL_TO_NOT_PAID_CUSTOMERS)
! Both lists must exist under exactly these names before the class is applied
! by a service; verify with "show ip access-lists" after pasting the ACLs.
no class-map type traffic match-any CLASS_MAP_NOT_PAID_CUSTOMERS_TO_LOCAL
class-map type traffic match-any CLASS_MAP_NOT_PAID_CUSTOMERS_TO_LOCAL
 match access-group input  name FROM_NOT_PAID_CUSTOMERS_TO_LOCAL
 match access-group output name FROM_LOCAL_TO_NOT_PAID_CUSTOMERS
exit

Диапазон "неавторизованных"

Те абоненты, что только что включились, но еще не ввели свой логин и пароль, получают адреса из диапазона 10.2.0.0/16

Тестовый сервис

! Test service: polices the "non-paying -> local" traffic class in both
! directions. 8000 is the rate argument of the ISG "police" action (bits per
! second in Cisco's syntax — confirm on the target IOS release), i.e. a
! deliberately tiny bandwidth for testing.
no policy-map type service POLICY_MAP_SERVICE_NOT_PAID_CUSTOMERS_TO_LOCAL
policy-map type service POLICY_MAP_SERVICE_NOT_PAID_CUSTOMERS_TO_LOCAL
 100 class type traffic CLASS_MAP_NOT_PAID_CUSTOMERS_TO_LOCAL
  police input 8000
  police output 8000
exit


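! Second copy of the test service (suffix "1"); identical to the one above
! except for the name and the class entry carrying no explicit sequence
! number. "no policy-map ..." and "policy-map ..." are two separate commands
! and have to be entered on separate lines — pasted as one line the parser
! rejects the whole thing and the service is never (re)created.
no policy-map type service POLICY_MAP_SERVICE_NOT_PAID_CUSTOMERS_TO_LOCAL1
policy-map type service POLICY_MAP_SERVICE_NOT_PAID_CUSTOMERS_TO_LOCAL1
 class type traffic CLASS_MAP_NOT_PAID_CUSTOMERS_TO_LOCAL
  police input 8000
  police output 8000
 exit
exit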

999

! Control class used for the timer-expiry event. match-all: the session must
! still be unauthenticated, TIMER_NOT_PAID must have fired, and the session
! must come from the non-paying pool (subnet mask form, as in the other
! control class-map).
no class-map type control match-all CLASS_MAP_CONTROL_TIMER_FOR_NOT_PAID
class-map type control match-all CLASS_MAP_CONTROL_TIMER_FOR_NOT_PAID
 match authen-status unauthenticated
 match timer TIMER_NOT_PAID
 match source-ip-address 10.3.0.0 255.255.0.0
exit
!

! Control policy for the non-paying pool:
!  - on session-start, a session from 10.3.0.0/16 gets TIMER_NOT_PAID set to
!    5 (ISG set-timer counts minutes — confirm on the target release) and the
!    test service POLICY_MAP_SERVICE_NOT_PAID_CUSTOMERS_TO_LOCAL;
!  - when that timer expires (timed-policy-expiry) and the session is still
!    unauthenticated, "service disconnect" tears it down.
! No "authorize" action appears in this snippet for this class, so in the
! test the session stays unauthenticated until the timer disconnects it.
policy-map type control ISG-CUSTOMERS-POLICY
 class type control CLASS_MAP_CONTROL_TIMER_FOR_NOT_PAID event timed-policy-expiry
  10 service disconnect
 !
 class type control CLASS_MAP_NOT_PAID_CUSTOMERS event session-start
  20 set-timer TIMER_NOT_PAID 5
  30 service-policy type service name POLICY_MAP_SERVICE_NOT_PAID_CUSTOMERS_TO_LOCAL
  exit
exit
 !

999999

policy-map type control ISG-CUSTOMERS-POLICY
 class type control ISG-IP-UNAUTH event timed-policy-expiry
  1 service disconnect
 !
 class type control always event session-start
  10 authorize aaa list AAA-LIST-ISG-AUTH password secret identifier source-ip-address
  20 set-timer UNAUTH-TIMER 5
  30 service-policy type service name POLICY_MAP_SERVICE_ON_SESSION_START_
 !
 class type control always event session-restart
  10 authorize aaa list AAA-LIST-ISG-AUTH password secret identifier source-ip-address
  20 set-timer UNAUTH-TIMER 5
  30 service-policy type service name POLICY_MAP_SERVICE_ON_SESSION_RESTART_
 !
 class type control always event service-stop
  1 service-policy type service unapply identifier service-name
  10 service-policy type service unapply identifier service-name
  20 log-session-state
 !
 class type control always event radius-timeout
  20 set-timer UNAUTH-TIMER 60
  30 service-policy type service name POLICY_MAP_SERVICE_ON_SESSION_RADIUS_TIMEOUT_
 !
 class type control always event access-reject
  20 set-timer UNAUTH-TIMER 60
  30 service-policy type service name ALLOW_172_31_100_2
  40 service-policy type service name ALLOW_172_31_100_3_SPEED_8k
  50 service-policy type service name NO_SERVICE
 !