Статья приведена в качестве примера. Копирование точь-в-точь не гарантирует работу.
Настройка EVENT_INC.SH
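# EVENT_INC.SH - event handler include: maps a billing / RADIUS event to a
# CoA or Disconnect request that is sent to the NAS with radclient.
#
# Called as: <sender> <event> [name=value ...]
# Requires:  LOG (provided by the including script) and radclient in PATH.
# Reads:     acct_session_id, nas_ip, coa_psw, enabled, over_limit,
#            own_disabled_end - all arrive as name=value event arguments.
LOG_LEVEL=ALL
SENDER=$1; shift
EVENT=$1; shift
# Space-joined copy of the remaining arguments; used only in log lines.
DATA="$*"

#######################################
# Assign one "name=value" event argument to a shell variable of that name.
# The name must be a plain identifier and the value is stored literally, so
# event data is never interpreted as shell code (the previous eval-based
# assignment let a quote inside the value break out into a command).
# Arguments: $1 - "name=value" token
# Returns:   0 on assignment, 1 if the token is not a valid assignment
#######################################
set_event_var() {
  local token=$1
  local name value
  [[ "$token" == *"="* ]] || return 1
  name=${token%%=*}
  value=${token#*=}
  [[ "$name" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || return 1
  printf -v "$name" '%s' "$value"
}

# Iterate the original arguments instead of re-splitting "$DATA", so a value
# containing spaces or glob characters is not split or expanded.
for VAR in "$@"; do
  set_event_var "$VAR" || LOG INFO "ignoring malformed event argument: $VAR"
done

#######################################
# Send one request for the current session to the NAS CoA port (1700).
# Arguments: $1 - radclient request type: "coa" or "disconnect"
#            $2 - attribute list sent as the request body
# Outputs:   radclient -x debug output (stdout and stderr) to stdout
# NOTE(review): the CoA secret is passed on radclient's command line and is
# visible to other local users via ps; radclient -S <secret_file> reads it
# from a file instead - confirm the installed radclient supports it before
# switching.
#######################################
send_coa() {
  local request=$1 attrs=$2
  printf '%s\n' "$attrs" | radclient -x "${nas_ip}:1700" "$request" "$coa_psw" 2>&1
}

# Redirect the session to the "negative balance" captive page.
do_policy_neg(){
  LOG INFO "do do_policy_neg: $EVENT $DATA"
  send_coa coa "Acct-Session-Id=\"$acct_session_id\",HTTP-Redirect-Profile-Name=\"NOAUTH\",Forward-Policy=\"in:redirect\""
}

# Clear the redirect: plain forwarding for the session.
do_policy_pos(){
  LOG INFO "do do_policy_pos: $EVENT $DATA"
  send_coa coa "Acct-Session-Id=\"$acct_session_id\",Forward-Policy = \"in:\""
}

# Terminate the session with a Disconnect-Request.
do_disconnect(){
  LOG INFO "do_disconnect: $EVENT $DATA"
  send_coa disconnect "Acct-Session-Id=\"$acct_session_id\""
  # Earlier variant, kept for reference: redirect to DOREBOOT instead of disconnecting.
  # LOG INFO "do do_disconnect: $EVENT $DATA"
  # send_coa coa "Acct-Session-Id=\"$acct_session_id\",HTTP-Redirect-Profile-Name=\"DOREBOOT\",Forward-Policy=\"in:redirect\""
}

# Redirect the session to the DOREBOOT page (used for session-state changes).
do_policy_reboot(){
  LOG INFO "do_policy_reboot: $EVENT $DATA"
  send_coa coa "Acct-Session-Id=\"$acct_session_id\",HTTP-Redirect-Profile-Name=\"DOREBOOT\",Forward-Policy=\"in:redirect\""
}

# Choose positive or negative policy from over_limit; not referenced by the
# dispatcher below, kept for callers in the including script.
do_policy_accept(){
  if [ "$over_limit" = "0" ]; then
    do_policy_pos
  else
    do_policy_neg
  fi
}

# Redirect a disabled account to the DISABED page (profile name as configured on the NAS).
do_policy_drop(){
  LOG INFO "do do_policy_drop: $EVENT $DATA"
  send_coa coa "Acct-Session-Id=\"$acct_session_id\",HTTP-Redirect-Profile-Name=\"DISABED\",Forward-Policy=\"in:redirect\""
}

# Redirect a self-disabled account to the BLOCK page.
do_policy_own_disabled(){
  # Log line previously said do_policy_drop (copy-paste); name the real handler.
  LOG INFO "do do_policy_own_disabled: $EVENT $DATA"
  send_coa coa "Acct-Session-Id=\"$acct_session_id\",HTTP-Redirect-Profile-Name=\"BLOCK\",Forward-Policy=\"in:redirect\""
}

# Debug gate: uncomment to handle a single subscriber id only.
#[ "$id" != 714 ] && exit 0
# Accounting updates are too frequent to log; everything else is logged once.
[ "$EVENT" != 'rad_acc_update' ] && LOG INFO "$SENDER $EVENT $DATA"

#######################################
# Pick the policy for the session from the account flags.
# Reads: enabled, over_limit, own_disabled_end
# When enabled=1 and over_limit is neither 0 nor 1 nothing is sent.
#######################################
do_check(){
  if [ "$enabled" = "1" ]; then
    [ "$over_limit" = 1 ] && do_policy_neg
    [ "$over_limit" = 0 ] && do_policy_pos
  else
    if [ "$own_disabled_end" = "-1" ]; then
      do_policy_drop
    else
      do_policy_own_disabled
    fi
  fi
}

# Event dispatcher: unknown events are ignored on purpose.
case "$EVENT" in
  web_do_disconnect) do_disconnect ;;
  rad_acc_start|balance_negative|balance_positive|own_disabled) do_check ;;
  # TODO: move to rad6 and drop logout
  # Remove in 20 minutes
  kolya_rad_acc_update) do_check ;;
  # radius_update_err
  # logout
  # rad_acc_timeout
  radius_update_err\
  |logout|rad_acc_timeout) LOG INFO "LOG_DO_REBOOT: $EVENT $DATA" ;;
  user_data_changed\
  |user_disconnect|get_info_fail\
  |try_double_login|try_double_acc|rad_acc_stop) do_policy_reboot ;;
  "rate_set") LOG INFO "event type: $EVENT $DATA" ;;
  "period_closed") LOG INFO "event type: $EVENT $DATA" ;;
  *) : ;;
esac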
Конфигурация оборудования Redback
! aaa global authentication subscriber radius context local aaa last-resort context local ! service multiple-contexts ! service inter-context routing ! ! flow ip profile p1 active-timeout 1000 inactive-timeout 10 aggregation-cache-size 8192 ! flow ip profile p2 active-timeout 1000 inactive-timeout 10 aggregation-cache-size 8192 ! dpi traffic-management protocol http escape-conversion ! context local domain domain.ru ! no ip domain-lookup ! ip nat pool NAT napt multibind address 169.1.1.1 to 169.1.1.1 ! nat policy NAT connections tcp maximum 2000 connections udp maximum 2000 connections icmp maximum 20 ! Default class ignore timeout tcp 14400 timeout udp 90 timeout fin-reset 60 timeout icmp 30 timeout syn 60 admission-control tcp admission-control udp admission-control icmp endpoint-independent filtering udp icmp-notification ! Named classes access-group nat class NAT pool NAT local timeout tcp 18000 timeout udp 60 timeout fin-reset 60 timeout icmp 30 timeout syn 60 admission-control tcp admission-control udp admission-control icmp endpoint-independent filtering udp icmp-notification class NATLESS ignore icmp-notification ! nat policy USER_TEST connections tcp maximum 2000 connections udp maximum 2000 connections icmp maximum 20 ! Default class ignore icmp-notification ! Named classes access-group nat_2 class NAT pool TEST local icmp-notification class NATLESS ignore icmp-notification ! interface Carbon ip address 169.1.1.1/30 ! interface Inet ip address 169.1.1.1/30 ip mtu 1500 ip icmp suppress packet-too-big ip arp proxy-arp ! interface L3_net ip address 10.0.3.5/30 ! interface mgt ip address 172.16.1.1/24 ! interface server ip address 172.17.1.1/24 ip source-address radius dhcp-server ! interface subnet-10.2.1.1/16 multibind ip address 10.2.255.254/16 dhcp proxy 65535 ! interface subnet-office multibind ip address 10.1.255.254/16 dhcp proxy 65535 ! interface subnet-static multibind ip address 169.1.1.1/28 dhcp proxy 14 ! interface subnet-test multibind ! 
interface to_l3 ip address 10.0.3.1/30 logging console ! policy access-list Crash-Redirect seq 10 permit tcp any any eq www class DROP ! policy access-list acl-classess-in seq 10 permit ip 10.0.0.0 0.255.255.255 any class cls-Local seq 20 permit ip 172.17.0.0 0.0.255.255 class cls-Local seq 30 permit ip any any class cls-Inet ! policy access-list acl-classess-out condition 1 time-range periodic weekend weekdays 00:00 to 08:00 class Night seq 10 permit ip 10.0.0.0 0.255.255.255 any class cls-Local seq 20 permit ip 172.17.0.0 0.0.255.255 class cls-Local seq 30 permit ip any any class cls-Inet condition 1 ! policy access-list nat_2 seq 10 permit ip 10.0.0.0 0.255.255.255 host 10.128.0.0 class NATLESS seq 20 permit ip 10.0.0.0 0.255.255.255 any class NAT ! policy access-list redirect seq 10 permit ip any host 8.8.8.8 class CLS-NORMAL seq 20 permit tcp any host 10.128.0.0 eq www class CLS-NORMAL seq 30 permit tcp any any eq www class CLS-REDIRECT seq 40 permit ip any any class CLS-DROP ! ip arp 169.1.1.1 FF:36:18:1c:fe:e5 alias ip arp 169.1.1.1 FF:36:18:1c:fe:e5 alias ip arp 169.1.1.1 FF:36:18:1c:fe:e5 alias ! http-redirect profile CRASH url "http://10.128.0.0/cabinet" ! http-redirect profile NOAUTH url "http://10.128.0.0/negbal" ! enable encrypted 1 $1$........$S1sTRC1cXsuQoD82Ux6lC/ enable authentication local ! aaa authentication administrator local aaa authentication administrator maximum sessions 5 aaa authentication subscriber global aaa accounting subscriber radius aaa update subscriber 10 aaa accounting event dhcp aaa accounting suppress-acct-on-fail radius accounting server 172.17.1.254 encrypted-key 42B45TRTGD11B03D4 radius coa server 172.17.1.254 encrypted-key 42B45TRTGD11B03D4 port 1700! administrator liarcat encrypted 1 $1$........$Ru/wd0TX4HJy38tgRvOz5xlj1 privilege start 15 privilege max 15 no timeout session idle administrator trn encrypted 1 $1$........$XBRGCCjO4cIl.0sdf72fFGU0 privilege start 15 privilege max 15 no timeout session idle ! 
radius server 172.17.1.254 encrypted-key 42B6BB07D11B03D4 radius timeout 30 radius attribute nas-ip-address interface server radius attribute calling-station-id separator # radius attribute nas-port format session-info radius attribute nas-port-id format all radius attribute acct-status-type RFC radius attribute nas-identifier SmartEdge ! subscriber profile base-profile-1M qos policy policing 1M-in qos policy metering 1M-out subscriber profile 4M qos policy policing 4M-in qos policy metering 4M-out dhcp max-addrs 1 flow apply ip profile p1 both subscriber profile 256kb qos policy policing 256kb-in qos policy metering 256kb-out dhcp max-addrs 1 flow apply ip profile p1 both subscriber profile 3M qos policy policing 3M-in qos policy metering 3M-out dhcp max-addrs 1 flow apply ip profile p1 both subscriber profile 1M qos policy policing 1M-in qos policy metering 1M-out dhcp max-addrs 1 flow apply ip profile p1 both subscriber profile 5M qos policy policing 5M-in qos policy metering 5M-out dhcp max-addrs 1 flow apply ip profile p1 both ! 
radius service profile service4096 accounting in qos "cls-Local cls-Inet" accounting out qos "cls-Local cls-Inet" seq 10 attribute Dynamic-Policy-Filter "ip in forward class cls-Inet qos" seq 20 attribute Dynamic-Policy-Filter "ip out forward class cls-Inet qos" seq 30 attribute Dynamic-Policy-Filter "ip in forward class cls-Local qos" seq 40 attribute Dynamic-Policy-Filter "ip out forward class cls-Local qos" seq 50 attribute Dynamic-Qos-Parameter "meter-class-rate cls-Inet rate-absolute 4000" seq 60 attribute Dynamic-Qos-Parameter "meter-class-burst cls-Inet 500000" seq 70 attribute Dynamic-Qos-Parameter "meter-class-excess-burst cls-Inet 1000000" seq 80 attribute Dynamic-Qos-Parameter "police-class-rate cls-Inet rate-absolute 4000" seq 90 attribute Dynamic-Qos-Parameter "police-class-burst cls-Inet 500000" seq 100 attribute Dynamic-Qos-Parameter "police-class-excess-burst cls-Inet 1000000" seq 110 attribute Dynamic-Qos-Parameter "meter-class-rate cls-Local rate-absolute 50000" seq 120 attribute Dynamic-Qos-Parameter "meter-class-burst cls-Local 6250000" seq 130 attribute Dynamic-Qos-Parameter "meter-class-excess-burst cls-Local 125000000" seq 140 attribute Dynamic-Qos-Parameter "police-class-rate cls-Local rate-absolute 50000" seq 150 attribute Dynamic-Qos-Parameter "police-class-burst cls-Local 6250000" seq 160 attribute Dynamic-Qos-Parameter "police-class-excess-burst cls-Local 125000000" seq 170 attribute Service-Interim-Accounting 1200 ! ip route 0.0.0.0/0 169.1.1.1 ip route 10.0.1.0/24 10.0.3.2 ip route 10.9.0.0/16 10.0.3.2 ip route 10.128.0.0/32 172.17.1.254 ip route 169.1.1.1/32 context Andrew ip route 172.20.255.0/24 context Andrew ! dhcp relay option hostname format lg-name dhcp relay server 172.17.1.254 ! ! flow collector Statistic ip-address 10.1.254.252 port 9996 export-version v5 transport-protocol udp ip profile p2 ! flow collector Carbon ip-address 172.17.1.254 context local port 9996 export-version v5 ip profile p1 ! ! ! context Andrew ! 
no ip domain-lookup ! interface trn ip address 169.1.1.1/30 ! ip route 0.0.0.0/0 context local ! logging tdm console logging active logging standby short ! qos policy 10M-in policing ip access-group acl-classess-in local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 10240 burst 1280000 excess-burst 2000000 ! qos policy 10M-out metering ip access-group acl-classess-out local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 10240 burst 1280000 excess-burst 2000000 ! qos policy 12M-in policing ip access-group acl-classess-in local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 12000 burst 1500000 excess-burst 2250000 class Night rate 15360 burst 1920000 ! qos policy 12M-out metering ip access-group acl-classess-out local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 12000 burst 1500000 excess-burst 2250000 class Night rate 15360 burst 1920000 ! qos policy 15M-in policing ip access-group acl-classess-in local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 15360 burst 1920000 excess-burst 2500000 ! qos policy 15M-out metering ip access-group acl-classess-out local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 15360 burst 1920000 excess-burst 2500000 ! qos policy 1M-in policing rate 1000 burst 125000 ip access-group acl-classess-in local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 1024 burst 12800 excess-burst 24000 ! qos policy 1M-out metering rate 1000 burst 125000 ip access-group acl-classess-out local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 1024 burst 12800 excess-burst 24000 ! qos policy 20M-in policing ip access-group acl-classess-in local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 20480 burst 2560000 excess-burst 3000000 ! qos policy 20M-out metering ip access-group acl-classess-out local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 20480 burst 2560000 excess-burst 3000000 ! 
qos policy 256kb-in policing ip access-group acl-classess-in local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 240 burst 24000 excess-burst 45000 ! qos policy 256kb-out metering ip access-group acl-classess-out local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 240 burst 24000 excess-burst 45000 ! qos policy 25M-in policing ip access-group acl-classess-in local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 25600 burst 3200000 excess-burst 4000000 ! qos policy 25M-out metering ip access-group acl-classess-out local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 25600 burst 3200000 excess-burst 4000000 ! qos policy 2M-in policing ip access-group acl-classess-in local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 2000 burst 250000 excess-burst 375000 ! qos policy 2M-out metering ip access-group acl-classess-out local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 2000 burst 250000 excess-burst 375000 class Night rate 4096 burst 512000 ! qos policy 3M-in policing ip access-group acl-classess-in local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 3072 burst 384000 excess-burst 500000 ! qos policy 3M-out metering ip access-group acl-classess-out local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 3072 burst 384000 excess-burst 500000 ! qos policy 4M-in policing ip access-group acl-classess-in local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 4000 burst 500000 excess-burst 750000 class Night rate 8192 burst 1024000 ! qos policy 4M-out metering ip access-group acl-classess-out local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 4000 burst 500000 excess-burst 750000 class Night rate 8192 burst 1024000 ! qos policy 50M-in policing ip access-group acl-classess-in local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 51200 burst 6400000 excess-burst 80000000 ! 
qos policy 50M-out metering ip access-group acl-classess-out local class cls-Local rate 1000000 burst 12500000 class cls-Inet rate 51200 burst 64000000 excess-burst 80000000 ! qos policy 5M-in policing ip access-group acl-classess-in local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 5120 burst 640000 excess-burst 1000000 ! qos policy 5M-out metering ip access-group acl-classess-out local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 5120 burst 640000 excess-burst 1000000 ! qos policy 8M-in policing ip access-group acl-classess-in local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 8000 burst 1000000 excess-burst 1500000 class Night rate 10240 burst 1280000 ! qos policy 8M-out metering ip access-group acl-classess-out local class cls-Local rate 100000 burst 12500000 class cls-Inet rate 8000 burst 1000000 excess-burst 1500000 class Night rate 10240 burst 1280000 ! forward policy redirect ip access-group redirect local class CLS-NORMAL class CLS-REDIRECT redirect destination local class CLS-DROP drop ! system clock timezone MSK 4 0 local ! http-redirect server port 80 ! port ethernet 1/1 ! XCRP management port on slot 1 no shutdown bind interface mgt local ! card carrier 2 mic 1 ge-2-port mic 2 ge-2-port ! port ethernet 2/1 no auto-negotiate no shutdown medium-type copper bind interface server local ! port ethernet 2/2 no auto-negotiate no shutdown medium-type copper bind interface Carbon local ! port ethernet 2/3 no shutdown encapsulation dot1q dot1q pvc 3 bind interface to_l3 local dot1q pvc 101 service clips dhcp context local dot1q pvc 102 service clips dhcp context local ! port ethernet 2/4 shutdown ! port ethernet 2/16 no auto-negotiate no shutdown bind interface Inet local flow apply ip profile p2 both ! system hostname domain ! no service console-break ! service crash-dump-dram ! no service auto-system-recovery ! netop ! end
Конфигурация коммутатора SNR2950
no service password-encryption ! hostname SNR_ROUTER ! authorization line console exec local ! clock timezone Msk add 4 0 ! logging 192.4.254.252 level debugging ! ssh-server enable ! ip http secure-server ! web language english ! snmp-server enable snmp-server securityip 192.4.254.252 snmp-server securityip 192.1.1.250 snmp-server host 192.4.254.252 v1 test snmp-server host 192.1.1.250 v1 test snmp-server community ro 0 test snmp-server enable traps ! service dhcp ! ip forward-protocol udp bootps ip dhcp server relay information enable ip dhcp relay information option ip dhcp relay information option self-defined subscriber-id vlan port ip dhcp relay information option self-defined remote-id string 192.1.1.182 ip dhcp relay share-vlan 2 sub-vlan 100-110;200 ! ip dhcp snooping enable ip dhcp snooping vlan 101-110;200 ip dhcp snooping binding enable ! ip dhcp snooping information enable ip dhcp snooping information option allow-untrusted ip dhcp snooping information option remote-id 192.1.1.182 ip dhcp snooping information option self-defined subscriber-id vlan port ! sflow version 0 ! vlan 1-2;101-110;200 ! webportal enable ! gvrp ! Interface Ethernet1/1 switchport mode trunk switchport trunk native vlan 2 gvrp ip dhcp snooping trust ! Interface Ethernet1/2 switchport access vlan 200 ! Interface Ethernet1/3 switchport access vlan 109 ! Interface Ethernet1/4 description Intro switchport access vlan 109 ! Interface Ethernet1/5 switchport access vlan 109 ! Interface Ethernet1/6 ! Interface Ethernet1/25 negotiation off speed-duplex force1g-full switchport mode trunk gvrp ip dhcp snooping trust ! Interface Ethernet1/26 negotiation off speed-duplex force1g-full switchport mode trunk gvrp ip dhcp snooping trust ! interface Vlan2 ip address 192.1.1.182 255.255.255.0 ! ip default-gateway 192.1.1.4 ! ! no login ! ! end