Интеграция с оборудованием. Пример 1. Redback+Switch.SNR2950+Billing


Статья приведена в качестве примера. Копирование точь-в-точь не гарантирует работу. Хеши паролей, ключи RADIUS и SNMP-community из листингов нужно заменить собственными значениями.

Настройка EVENT_INC.SH

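LOG_LEVEL=ALL

# Positional contract: $1 = sender, $2 = event name, the remaining words are
# key=value pairs describing the event.
SENDER=$1; shift
EVENT=$1; shift
# Flattened copy of the pairs, used in log messages by the handlers below.
# NOTE(review): if coa_psw arrives as one of these pairs, every
# `LOG ... $DATA` line writes the CoA shared secret to the log.
DATA="$*"

#######################################
# Import key=value words as shell variables without eval.
# The original `eval key='value'` executed any value containing a single
# quote as shell code and accepted arbitrary text as the variable name.
# Arguments: the event words; they are re-split on whitespace exactly as the
#            original unquoted `for VAR in $DATA` did, but never glob-expanded.
# Globals:   one variable per accepted key (written)
# NOTE(review): a key can still overwrite any shell variable (PATH, IFS, ...);
# an allow-list of the names this script reads would be tighter.
#######################################
_import_event_vars() {
  local __ev_pair __ev_key
  local __ev_name_re='^[A-Za-z_][A-Za-z0-9_]*$'
  local -a __ev_words=()

  # read splits on IFS but never globs; it returns non-zero at end of input,
  # which is expected here.
  read -r -d '' -a __ev_words <<< "$*" || true

  for __ev_pair in "${__ev_words[@]}"; do
    [[ "$__ev_pair" == *"="* ]] || continue
    __ev_key=${__ev_pair%%=*}
    # Only plain identifiers: blocks command substitution and array
    # subscripts smuggled in through the key.
    [[ "$__ev_key" =~ $__ev_name_re ]] || continue
    # Do not let input shadow this function's own locals.
    [[ "$__ev_key" == __ev_* ]] && continue
    # printf -v stores the value literally; nothing in it is evaluated.
    printf -v "$__ev_key" '%s' "${__ev_pair#*=}"
  done
}
_import_event_vars "$@"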

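#######################################
# Send a CoA for the session that applies HTTP redirect profile NOAUTH and
# forward policy "in:redirect".
# Globals:  acct_session_id, nas_ip, coa_psw, EVENT, DATA (read)
# Outputs:  radclient output, stderr merged into stdout
# Returns:  exit status of radclient
#######################################
do_policy_neg() {
  LOG INFO "do do_policy_neg: $EVENT $DATA"
  # Expansions are quoted so an empty or space-containing value cannot turn
  # into extra radclient arguments.
  # NOTE(review): the shared secret travels on argv and is visible in the
  # process list; radclient's -S <file> option reads it from a file instead.
  # NOTE(review): acct_session_id is embedded unescaped inside a quoted
  # attribute; a value containing '"' would change the attribute list, so
  # validate it before it reaches this function.
  printf '%s\n' "Acct-Session-Id=\"$acct_session_id\",HTTP-Redirect-Profile-Name=\"NOAUTH\",Forward-Policy=\"in:redirect\"" \
    | radclient -x "$nas_ip:1700" coa "$coa_psw" 2>&1
}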

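#######################################
# Send a CoA for the session with Forward-Policy set to "in:" (no policy
# name), presumably clearing the redirect; confirm against the NAS.
# Globals:  acct_session_id, nas_ip, coa_psw, EVENT, DATA (read)
# Outputs:  radclient output, stderr merged into stdout
# Returns:  exit status of radclient
#######################################
do_policy_pos() {
  LOG INFO "do do_policy_pos: $EVENT $DATA"
  # Expansions are quoted so an empty or space-containing value cannot turn
  # into extra radclient arguments.
  # NOTE(review): the shared secret travels on argv and is visible in the
  # process list; radclient's -S <file> option reads it from a file instead.
  # NOTE(review): acct_session_id is embedded unescaped inside a quoted
  # attribute; validate it before it reaches this function.
  printf '%s\n' "Acct-Session-Id=\"$acct_session_id\",Forward-Policy = \"in:\"" \
    | radclient -x "$nas_ip:1700" coa "$coa_psw" 2>&1
}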

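#######################################
# Send a RADIUS Disconnect request for the session.
# Globals:  acct_session_id, nas_ip, coa_psw, EVENT, DATA (read)
# Outputs:  radclient output, stderr merged into stdout
# Returns:  exit status of radclient
#######################################
do_disconnect() {
  LOG INFO "do_disconnect: $EVENT $DATA"
  # Expansions are quoted so an empty or space-containing value cannot turn
  # into extra radclient arguments.
  # NOTE(review): the shared secret travels on argv and is visible in the
  # process list; radclient's -S <file> option reads it from a file instead.
  # NOTE(review): acct_session_id is embedded unescaped inside a quoted
  # attribute; validate it before it reaches this function.
  printf '%s\n' "Acct-Session-Id=\"$acct_session_id\"" \
    | radclient -x "$nas_ip:1700" disconnect "$coa_psw" 2>&1
  # Disabled alternative left by the author: a CoA applying redirect profile
  # DOREBOOT with forward policy "in:redirect" instead of a disconnect.
}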
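#######################################
# Send a CoA for the session that applies HTTP redirect profile DOREBOOT and
# forward policy "in:redirect".
# NOTE(review): the Redback listing on this page defines only the profiles
# CRASH and NOAUTH; DOREBOOT has to exist on the NAS for this to take effect.
# Globals:  acct_session_id, nas_ip, coa_psw, EVENT, DATA (read)
# Outputs:  radclient output, stderr merged into stdout
# Returns:  exit status of radclient
#######################################
do_policy_reboot() {
  LOG INFO "do_policy_reboot: $EVENT $DATA"
  # Expansions are quoted so an empty or space-containing value cannot turn
  # into extra radclient arguments.
  # NOTE(review): the shared secret travels on argv and is visible in the
  # process list; radclient's -S <file> option reads it from a file instead.
  # NOTE(review): acct_session_id is embedded unescaped inside a quoted
  # attribute; validate it before it reaches this function.
  printf '%s\n' "Acct-Session-Id=\"$acct_session_id\",HTTP-Redirect-Profile-Name=\"DOREBOOT\",Forward-Policy=\"in:redirect\"" \
    | radclient -x "$nas_ip:1700" coa "$coa_psw" 2>&1
}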
#######################################
# Pick the policy from over_limit: exactly "0" lifts the redirect, any other
# value (including unset) applies the over-limit redirect.
# Not referenced by the event dispatch shown on this page.
# Globals:  over_limit (read)
# Returns:  status of the handler that ran
#######################################
do_policy_accept() {
  case "$over_limit" in
    0) do_policy_pos ;;
    *) do_policy_neg ;;
  esac
}
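#######################################
# Send a CoA for the session that applies HTTP redirect profile DISABED and
# forward policy "in:redirect".
# NOTE(review): the profile name is spelled DISABED here and must match the
# profile configured on the NAS; the Redback listing on this page defines
# only CRASH and NOAUTH, so confirm the spelling there.
# Globals:  acct_session_id, nas_ip, coa_psw, EVENT, DATA (read)
# Outputs:  radclient output, stderr merged into stdout
# Returns:  exit status of radclient
#######################################
do_policy_drop() {
  LOG INFO "do do_policy_drop: $EVENT $DATA"
  # Expansions are quoted so an empty or space-containing value cannot turn
  # into extra radclient arguments.
  # NOTE(review): the shared secret travels on argv and is visible in the
  # process list; radclient's -S <file> option reads it from a file instead.
  # NOTE(review): acct_session_id is embedded unescaped inside a quoted
  # attribute; validate it before it reaches this function.
  printf '%s\n' "Acct-Session-Id=\"$acct_session_id\",HTTP-Redirect-Profile-Name=\"DISABED\",Forward-Policy=\"in:redirect\"" \
    | radclient -x "$nas_ip:1700" coa "$coa_psw" 2>&1
}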
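#######################################
# Send a CoA for the session that applies HTTP redirect profile BLOCK and
# forward policy "in:redirect".
# NOTE(review): the Redback listing on this page defines only the profiles
# CRASH and NOAUTH; BLOCK has to exist on the NAS for this to take effect.
# Globals:  acct_session_id, nas_ip, coa_psw, EVENT, DATA (read)
# Outputs:  radclient output, stderr merged into stdout
# Returns:  exit status of radclient
#######################################
do_policy_own_disabled() {
  # The log line used to say do_policy_drop (copy-paste), which made the two
  # handlers indistinguishable in the log.
  LOG INFO "do do_policy_own_disabled: $EVENT $DATA"
  # Expansions are quoted so an empty or space-containing value cannot turn
  # into extra radclient arguments.
  # NOTE(review): the shared secret travels on argv and is visible in the
  # process list; radclient's -S <file> option reads it from a file instead.
  # NOTE(review): acct_session_id is embedded unescaped inside a quoted
  # attribute; validate it before it reaches this function.
  printf '%s\n' "Acct-Session-Id=\"$acct_session_id\",HTTP-Redirect-Profile-Name=\"BLOCK\",Forward-Policy=\"in:redirect\"" \
    | radclient -x "$nas_ip:1700" coa "$coa_psw" 2>&1
}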

#[ "$id" != 714 ] && exit 0
# Log every incoming event except rad_acc_update.
# NOTE(review): DATA carries every key=value pair of the event; if coa_psw is
# one of them, this line writes the CoA shared secret to the log.
if [ "$EVENT" != 'rad_acc_update' ]; then
  LOG INFO "$SENDER $EVENT $DATA"
fi

#######################################
# Choose the subscriber policy from the account state.
#   enabled != 1: own_disabled_end == -1 -> do_policy_drop,
#                 anything else          -> do_policy_own_disabled
#   enabled == 1: over_limit == 1 -> do_policy_neg,
#                 over_limit == 0 -> do_policy_pos,
#                 any other value -> nothing is sent
# Globals:  enabled, over_limit, own_disabled_end (read)
# Returns:  status of the last test or handler that ran (non-zero when
#           enabled is 1 and over_limit is not 0)
#######################################
do_check() {
  if [ "$enabled" != "1" ]; then
    case "$own_disabled_end" in
      -1) do_policy_drop ;;
      *) do_policy_own_disabled ;;
    esac
    return
  fi

  if [ "$over_limit" = 1 ]; then
    do_policy_neg
  fi
  # Kept as the final command so the function's exit status is unchanged.
  [ "$over_limit" = 0 ] && do_policy_pos
}

# Dispatch on the event name; unknown events are ignored.
case "$EVENT" in
  web_do_disconnect)
    do_disconnect
    ;;

  # TODO: move to rad6 and drop logout.
  # kolya_rad_acc_update is temporary (author's note: remove in 20 minutes).
  rad_acc_start | balance_negative | balance_positive | own_disabled | kolya_rad_acc_update)
    do_check
    ;;

  # These events are only logged; no request is sent to the NAS.
  radius_update_err | logout | rad_acc_timeout)
    LOG INFO "LOG_DO_REBOOT: $EVENT $DATA"
    ;;

  user_data_changed | user_disconnect | get_info_fail | try_double_login | try_double_acc | rad_acc_stop)
    do_policy_reboot
    ;;

  rate_set | period_closed)
    LOG INFO "event type: $EVENT $DATA"
    ;;

  *)
    :
    ;;
esac

Конфигурация оборудования Redback

!
aaa global authentication subscriber radius context local
aaa last-resort context local
!

service multiple-contexts
!
service inter-context routing
!
!
flow ip profile p1
 active-timeout 1000
 inactive-timeout 10
 aggregation-cache-size 8192
!
flow ip profile p2
 active-timeout 1000
 inactive-timeout 10
 aggregation-cache-size 8192
!
dpi traffic-management protocol http escape-conversion
!
context local
 domain domain.ru
!
 no ip domain-lookup
!
 ip nat pool NAT napt multibind
  address 169.1.1.1 to 169.1.1.1
!
 nat policy NAT
  connections tcp maximum 2000
  connections udp maximum 2000
  connections icmp maximum 20
! Default class
  ignore
  timeout tcp 14400
  timeout udp 90
  timeout fin-reset 60
  timeout icmp 30
  timeout syn 60
  admission-control tcp
  admission-control udp
  admission-control icmp
  endpoint-independent filtering udp
  icmp-notification
! Named classes
  access-group nat
   class NAT
    pool NAT local
    timeout tcp 18000
    timeout udp 60
    timeout fin-reset 60
    timeout icmp 30
    timeout syn 60
    admission-control tcp
    admission-control udp
    admission-control icmp
    endpoint-independent filtering udp
    icmp-notification
   class NATLESS
    ignore
    icmp-notification
!
 nat policy USER_TEST
  connections tcp maximum 2000
  connections udp maximum 2000
  connections icmp maximum 20
! Default class
  ignore
  icmp-notification
! Named classes
  access-group nat_2
   class NAT
    pool TEST local
    icmp-notification
   class NATLESS
    ignore
    icmp-notification
!
 interface Carbon
  ip address 169.1.1.1/30
!
 interface Inet 
  ip address 169.1.1.1/30
  ip mtu 1500
  ip icmp suppress packet-too-big
  ip arp proxy-arp
!
 interface L3_net
  ip address 10.0.3.5/30
!
 interface mgt
  ip address 172.16.1.1/24
!
 interface server
  ip address 172.17.1.1/24
   ip source-address radius dhcp-server
!
 interface subnet-10.2.1.1/16 multibind
  ip address 10.2.255.254/16
  dhcp proxy 65535
!
 interface subnet-office multibind
  ip address 10.1.255.254/16
  dhcp proxy 65535
!
 interface subnet-static multibind
  ip address 169.1.1.1/28
  dhcp proxy 14
!
 interface subnet-test multibind
!
 interface to_l3
  ip address 10.0.3.1/30
 logging console
!
 policy access-list Crash-Redirect
  seq 10 permit tcp any any eq www class DROP
!
 policy access-list acl-classess-in
  seq 10 permit ip 10.0.0.0 0.255.255.255 any class cls-Local
  seq 20 permit ip 172.17.0.0 0.0.255.255 class cls-Local
  seq 30 permit ip any any class cls-Inet
!
 policy access-list acl-classess-out
  condition 1 time-range
   periodic weekend weekdays 00:00 to 08:00 class Night
  seq 10 permit ip 10.0.0.0 0.255.255.255 any class cls-Local
  seq 20 permit ip 172.17.0.0 0.0.255.255 class cls-Local
  seq 30 permit ip any any class cls-Inet condition 1
!
 policy access-list nat_2
  seq 10 permit ip 10.0.0.0 0.255.255.255 host 10.128.0.0 class NATLESS
  seq 20 permit ip 10.0.0.0 0.255.255.255 any class NAT
!
 policy access-list redirect
  seq 10 permit ip any host 8.8.8.8 class CLS-NORMAL
  seq 20 permit tcp any host 10.128.0.0 eq www class CLS-NORMAL
  seq 30 permit tcp any any eq www class CLS-REDIRECT
  seq 40 permit ip any any class CLS-DROP
!
 ip arp 169.1.1.1 FF:36:18:1c:fe:e5 alias
 ip arp 169.1.1.1 FF:36:18:1c:fe:e5 alias
 ip arp 169.1.1.1 FF:36:18:1c:fe:e5 alias
!
 http-redirect profile CRASH
  url "http://10.128.0.0/cabinet"
!
 http-redirect profile NOAUTH
  url "http://10.128.0.0/negbal"
!
 enable encrypted 1 $1$........$S1sTRC1cXsuQoD82Ux6lC/
 enable authentication local
!
 aaa authentication administrator local
 aaa authentication administrator maximum sessions 5
 aaa authentication subscriber global
 aaa accounting subscriber radius
 aaa update subscriber 10
 aaa accounting event dhcp
 aaa accounting suppress-acct-on-fail
 ! RADIUS accounting and CoA both name 172.17.1.254. Port 1700 on the coa line
 ! matches the :1700 that the radclient calls in EVENT_INC.SH target, so the
 ! key configured here is presumably the secret the script passes as coa_psw.
 ! The encrypted keys and password hashes in this listing were published with
 ! the page: treat them as sample values and set your own.
 radius accounting server 172.17.1.254 encrypted-key 42B45TRTGD11B03D4
 radius coa server 172.17.1.254 encrypted-key 42B45TRTGD11B03D4 port 1700!
 ! Both administrators start at privilege 15 (also their maximum) and have the
 ! idle-session timeout switched off.
 ! NOTE(review): consider a finite idle timeout for privileged sessions.
 administrator liarcat encrypted 1 $1$........$Ru/wd0TX4HJy38tgRvOz5xlj1
   privilege start 15
   privilege max 15
   no timeout session idle
 administrator trn encrypted 1 $1$........$XBRGCCjO4cIl.0sdf72fFGU0
   privilege start 15
   privilege max 15
   no timeout session idle
!
 radius server 172.17.1.254 encrypted-key 42B6BB07D11B03D4
 radius timeout 30
 radius attribute nas-ip-address interface server
 radius attribute calling-station-id separator #
 radius attribute nas-port format session-info
 radius attribute nas-port-id format all
 radius attribute acct-status-type RFC
 radius attribute nas-identifier SmartEdge
!
 subscriber profile base-profile-1M
   qos policy policing 1M-in
   qos policy metering 1M-out
 subscriber profile 4M
   qos policy policing 4M-in
   qos policy metering 4M-out
   dhcp max-addrs 1
   flow apply ip profile p1 both
 subscriber profile 256kb
   qos policy policing 256kb-in
   qos policy metering 256kb-out
   dhcp max-addrs 1
   flow apply ip profile p1 both
 subscriber profile 3M
   qos policy policing 3M-in
   qos policy metering 3M-out
   dhcp max-addrs 1
   flow apply ip profile p1 both
 subscriber profile 1M
   qos policy policing 1M-in
   qos policy metering 1M-out
   dhcp max-addrs 1
   flow apply ip profile p1 both
 subscriber profile 5M
   qos policy policing 5M-in
   qos policy metering 5M-out
   dhcp max-addrs 1
   flow apply ip profile p1 both
!
 radius service profile service4096
  accounting in qos "cls-Local cls-Inet"
  accounting out qos "cls-Local cls-Inet"
  seq 10 attribute Dynamic-Policy-Filter "ip in forward class cls-Inet qos"
  seq 20 attribute Dynamic-Policy-Filter "ip out forward class cls-Inet qos"
  seq 30 attribute Dynamic-Policy-Filter "ip in forward class cls-Local qos"
  seq 40 attribute Dynamic-Policy-Filter "ip out forward class cls-Local qos"
  seq 50 attribute Dynamic-Qos-Parameter "meter-class-rate cls-Inet rate-absolute 4000"
  seq 60 attribute Dynamic-Qos-Parameter "meter-class-burst cls-Inet 500000"
  seq 70 attribute Dynamic-Qos-Parameter "meter-class-excess-burst cls-Inet 1000000"
  seq 80 attribute Dynamic-Qos-Parameter "police-class-rate cls-Inet rate-absolute 4000"
  seq 90 attribute Dynamic-Qos-Parameter "police-class-burst cls-Inet 500000"
  seq 100 attribute Dynamic-Qos-Parameter "police-class-excess-burst cls-Inet 1000000"
  seq 110 attribute Dynamic-Qos-Parameter "meter-class-rate cls-Local rate-absolute 50000"
  seq 120 attribute Dynamic-Qos-Parameter "meter-class-burst cls-Local 6250000"
  seq 130 attribute Dynamic-Qos-Parameter "meter-class-excess-burst cls-Local 125000000"
  seq 140 attribute Dynamic-Qos-Parameter "police-class-rate cls-Local rate-absolute 50000"
  seq 150 attribute Dynamic-Qos-Parameter "police-class-burst cls-Local 6250000"
  seq 160 attribute Dynamic-Qos-Parameter "police-class-excess-burst cls-Local 125000000"
  seq 170 attribute Service-Interim-Accounting 1200
!
 ip route 0.0.0.0/0 169.1.1.1
 ip route 10.0.1.0/24 10.0.3.2
 ip route 10.9.0.0/16 10.0.3.2
 ip route 10.128.0.0/32 172.17.1.254
 ip route 169.1.1.1/32 context Andrew
 ip route 172.20.255.0/24 context Andrew
!
 dhcp relay option hostname format lg-name
 dhcp relay server 172.17.1.254
!
!
 flow collector Statistic
  ip-address 10.1.254.252
  port 9996
  export-version v5
  transport-protocol udp
  ip profile p2
!
 flow collector Carbon
  ip-address 172.17.1.254 context local
  port 9996
  export-version v5
  ip profile p1
!
!
!
context Andrew
!
 no ip domain-lookup
!
 interface trn
  ip address 169.1.1.1/30
!
 ip route 0.0.0.0/0 context local
!
 logging tdm console
 logging active
 logging standby short
!
qos policy 10M-in policing
 ip access-group acl-classess-in local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 10240 burst 1280000 excess-burst 2000000
!
qos policy 10M-out metering
 ip access-group acl-classess-out local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 10240 burst 1280000 excess-burst 2000000
!
qos policy 12M-in policing
 ip access-group acl-classess-in local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 12000 burst 1500000 excess-burst 2250000
  class Night
   rate 15360 burst 1920000
!
qos policy 12M-out metering
 ip access-group acl-classess-out local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 12000 burst 1500000 excess-burst 2250000
  class Night
   rate 15360 burst 1920000
!
qos policy 15M-in policing
 ip access-group acl-classess-in local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 15360 burst 1920000 excess-burst 2500000
!
qos policy 15M-out metering
 ip access-group acl-classess-out local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 15360 burst 1920000 excess-burst 2500000
!
qos policy 1M-in policing
 rate 1000 burst 125000
 ip access-group acl-classess-in local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 1024 burst 12800 excess-burst 24000
!
qos policy 1M-out metering
 rate 1000 burst 125000
 ip access-group acl-classess-out local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 1024 burst 12800 excess-burst 24000
!
qos policy 20M-in policing
 ip access-group acl-classess-in local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 20480 burst 2560000 excess-burst 3000000
!
qos policy 20M-out metering
 ip access-group acl-classess-out local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 20480 burst 2560000 excess-burst 3000000
!
qos policy 256kb-in policing
 ip access-group acl-classess-in local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 240 burst 24000 excess-burst 45000
!
qos policy 256kb-out metering
 ip access-group acl-classess-out local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 240 burst 24000 excess-burst 45000
!
qos policy 25M-in policing
 ip access-group acl-classess-in local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 25600 burst 3200000 excess-burst 4000000
!
qos policy 25M-out metering
 ip access-group acl-classess-out local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 25600 burst 3200000 excess-burst 4000000
!
qos policy 2M-in policing
 ip access-group acl-classess-in local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 2000 burst 250000 excess-burst 375000
!
qos policy 2M-out metering
 ip access-group acl-classess-out local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 2000 burst 250000 excess-burst 375000
  class Night
   rate 4096 burst 512000
!
qos policy 3M-in policing
 ip access-group acl-classess-in local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 3072 burst 384000 excess-burst 500000
!
qos policy 3M-out metering
 ip access-group acl-classess-out local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 3072 burst 384000 excess-burst 500000
!
qos policy 4M-in policing
 ip access-group acl-classess-in local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 4000 burst 500000 excess-burst 750000
  class Night
   rate 8192 burst 1024000
!
qos policy 4M-out metering
 ip access-group acl-classess-out local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 4000 burst 500000 excess-burst 750000
  class Night
   rate 8192 burst 1024000
!
qos policy 50M-in policing
 ip access-group acl-classess-in local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 51200 burst 6400000 excess-burst 80000000
!
qos policy 50M-out metering
 ip access-group acl-classess-out local
  class cls-Local
   rate 1000000 burst 12500000
  class cls-Inet
   rate 51200 burst 64000000 excess-burst 80000000
!
qos policy 5M-in policing
 ip access-group acl-classess-in local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 5120 burst 640000 excess-burst 1000000
!
qos policy 5M-out metering
 ip access-group acl-classess-out local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 5120 burst 640000 excess-burst 1000000
!
qos policy 8M-in policing
 ip access-group acl-classess-in local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 8000 burst 1000000 excess-burst 1500000
  class Night
   rate 10240 burst 1280000
!
qos policy 8M-out metering
 ip access-group acl-classess-out local
  class cls-Local
   rate 100000 burst 12500000
  class cls-Inet
   rate 8000 burst 1000000 excess-burst 1500000
  class Night
   rate 10240 burst 1280000
!
forward policy redirect
 ip access-group redirect local
  class CLS-NORMAL
  class CLS-REDIRECT
   redirect destination local
  class CLS-DROP
   drop
!
 system clock timezone MSK 4 0 local
!
http-redirect server
 port 80
!
port ethernet 1/1
! XCRP management port on slot 1
 no shutdown
 bind interface mgt local
!
card carrier 2
 mic 1 ge-2-port
 mic 2 ge-2-port
!
port ethernet 2/1
 no auto-negotiate
 no shutdown
 medium-type copper
 bind interface server local
!
port ethernet 2/2
 no auto-negotiate
 no shutdown
 medium-type copper
 bind interface Carbon local
!
port ethernet 2/3
 no shutdown
 encapsulation dot1q
 dot1q pvc 3
  bind interface to_l3 local
 dot1q pvc 101
  service clips dhcp context local
 dot1q pvc 102
  service clips dhcp context local
!
port ethernet 2/4
 shutdown
!
port ethernet 2/16
 no auto-negotiate
 no shutdown
 bind interface Inet local
 flow apply ip profile p2 both
!
 system hostname domain
!
no service console-break
!
service crash-dump-dram
!
no service auto-system-recovery
!
netop
!
end

Конфигурация коммутатора SNR2950

! NOTE(review): with password encryption switched off, passwords are presumably
! kept in clear text in the saved configuration; confirm on the device and
! enable it before reusing this example.
no service password-encryption
!
hostname SNR_ROUTER
!
authorization line console exec local
!
clock timezone Msk add 4 0
!
! Syslog is sent to 192.4.254.252 at debugging level.
logging 192.4.254.252 level debugging
!
! Management access: SSH and the HTTPS web server are enabled.
ssh-server enable
!
ip http secure-server
!
web language english
!
! SNMP: read-only community "test" and SNMPv1 trap hosts. SNMPv1 carries the
! community string in clear text, so replace the sample community before reuse.
! The securityip lines name the two management stations (presumably the only
! addresses allowed to query the switch; confirm on the device).
snmp-server enable
snmp-server securityip 192.4.254.252
snmp-server securityip 192.1.1.250
snmp-server host 192.4.254.252 v1 test
snmp-server host 192.1.1.250 v1 test
snmp-server community ro 0 test
snmp-server enable traps
!
service dhcp
!
ip forward-protocol udp bootps
ip dhcp server relay information enable
ip dhcp relay information option
ip dhcp relay information option self-defined subscriber-id vlan port
ip dhcp relay information option self-defined remote-id string 192.1.1.182
ip dhcp relay share-vlan 2 sub-vlan 100-110;200
!
ip dhcp snooping enable
ip dhcp snooping vlan 101-110;200
 ip dhcp snooping binding enable
!
 ip dhcp snooping information enable
 ip dhcp snooping information option allow-untrusted
 ip dhcp snooping information option remote-id 192.1.1.182
 ip dhcp snooping information option self-defined subscriber-id vlan port
!
sflow version 0
!
vlan 1-2;101-110;200
!
webportal enable
!
gvrp
!
Interface Ethernet1/1
 switchport mode trunk
 switchport trunk native vlan 2
 gvrp
 ip dhcp snooping trust
!
Interface Ethernet1/2
 switchport access vlan 200
!
Interface Ethernet1/3
 switchport access vlan 109
!
Interface Ethernet1/4
 description Intro
 switchport access vlan 109
!
Interface Ethernet1/5
 switchport access vlan 109
!
Interface Ethernet1/6
!
Interface Ethernet1/25
 negotiation off
 speed-duplex force1g-full
 switchport mode trunk
 gvrp
 ip dhcp snooping trust
!
Interface Ethernet1/26
 negotiation off
 speed-duplex force1g-full
 switchport mode trunk
 gvrp
 ip dhcp snooping trust
!
interface Vlan2
 ip address 192.1.1.182 255.255.255.0
!
ip default-gateway 192.1.1.4
!
!
no login
!
!
end