Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
705
Views
0
Helpful
0
Replies

Bypass Traffic to or From a Local Server from Accounting - CISCO ASR

pavithran
Level 1
Level 1

‎09-10-2022 03:02 AM

Hi,

I'm using PPPoE server on CISCO ASR 1002, I've configured an IP address on Second lan Interface, which communicates to a Internal Streaming Server. The users are connected through PPPoE Sessions. The PPPoE is having one Private IP pool and source Natted with Public IP pool and one Public IP pool. We are using RADIUS for authentication, authorization and accounting. Here I'm facing the following issues. 

  1. Users connected through PPPoE sessions are with Private IP are unable to connect to the Server connected on second interface. 
  2. I don't want to calculate the traffic coming or going to Internal Streaming Server
  3. Sometimes the PPPoE users are going offline with no reason. I don't see any log.

Here is my Configuration.

Building configuration...

Current configuration : 15427 bytes
!
! Last configuration change at 20:34:08 IST Wed Aug 17 2022 by cisco
! NVRAM config last updated at 08:36:40 IST Thu Aug 18 2022 by cisco
!
version 15.4
service timestamps debug datetime msec
service timestamps log uptime
service sequence-numbers
service unsupported-transceiver
no platform punt-keepalive disable-kernel-core
platform subscriber cac mem qfp 95
!
hostname ROUTER
!
boot-start-marker
boot system bootflash:/asr1000rp1-adventerprisek9.03.12.00.S.154-2.S-std.bin
boot-end-marker
!
aqm-register-fnf
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
no logging buffered
no logging console
no logging monitor
!
aaa new-model
!
!
aaa group server radius RAD-RADIUS
server name RAD
!
aaa authentication login default local
aaa authentication login PPPoE_LIST group RAD-RADIUS
aaa authentication login AUTHEN_LIST group RAD-RADIUS
aaa authentication ppp default group radius
aaa authentication ppp PPPoE_LIST group RAD-RADIUS
aaa authorization network default group RAD-RADIUS
aaa authorization network PPPoE_LIST group RAD-RADIUS
aaa authorization network AUTHOR_LIST group RAD-RADIUS
aaa authorization subscriber-service default local group RAD-RADIUS
aaa accounting delay-start all
aaa accounting update periodic 5
aaa accounting exec default
action-type start-stop
group radius
!
aaa accounting network default start-stop group RAD-RADIUS
aaa accounting network PPPoE_LIST start-stop group RAD-RADIUS
aaa accounting network ACCNT_LIST start-stop group RAD-RADIUS
aaa accounting network AUTHOR_LIST start-stop group RAD-RADIUS
!
!
!
!
aaa server radius dynamic-author
client xxx.xxx.xxx.xxx server-key 7 135445415F59527D737D
server-key xxxxxxxx
auth-type any
ignore session-key
ignore server-key
!
aaa session-id common
aaa policy interface-config allow-subinterface
ppp packet throttle 100 10 300
no process cpu extended history
no process cpu autoprofile hog
clock timezone IST 5 30
no ip source-route
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
!
!


no ip bootp server
no ip domain lookup
ip name-server 8.8.8.8
ip name-server 1.1.1.1

!
!
!
ipv6 unicast-routing
!
!
!
!
!
!
!
subscriber service password xxxxxxx
subscriber service coa-rfc-compliant
subscriber service multiple-accept
subscriber service session-accounting
subscriber service accounting interim-interval 5
subscriber templating
subscriber authorization enable
subscriber accounting ssg
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
request-dialin
protocol l2tp
!
vpdn-group MGMNT-VPN
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
virtual-template 1
!
!
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
!
!
!
!
ip ssh version 2
!
class-map match-all 1:1
description LeasedLine
match any
!
policy-map 200M
class class-default
police rate 214952000
conform-action transmit
exceed-action drop
policy-map 5M
class class-default
police rate 5242500
conform-action transmit
exceed-action drop
policy-map 40M
class class-default
police rate 44040000
conform-action transmit
exceed-action drop
policy-map 45M
class class-default
police rate 47182500
conform-action transmit
exceed-action drop
policy-map 80M
class class-default
police rate 85983000
conform-action transmit
exceed-action drop
policy-map 90M
class class-default
police rate 96468500
conform-action transmit
exceed-action drop
policy-map 70M
class class-default
police rate 75497000
conform-action transmit
exceed-action drop
policy-map 2M
class class-default
police rate 2097000
conform-action transmit
exceed-action drop
policy-map 75M
class class-default
police rate 78637500
conform-action transmit
exceed-action drop
policy-map 175M
class class-default
police rate 183487500
conform-action transmit
exceed-action drop
policy-map 25M
class class-default
police rate 26214000
conform-action transmit
exceed-action drop
policy-map 15M
class class-default
police rate 15728500
conform-action transmit
exceed-action drop
policy-map 125M
class class-default
police rate 131062500
conform-action transmit
exceed-action drop
policy-map 30M
class class-default
police rate 36700000
conform-action transmit
exceed-action drop
policy-map 10M
class class-default
police rate 10485500
conform-action transmit
exceed-action drop
policy-map 500M
class class-default
police rate 524248000
conform-action transmit
exceed-action drop
policy-map 20M
class class-default
police rate 26214000
conform-action transmit
exceed-action drop
policy-map 100M
class class-default
police rate 110100000
conform-action transmit
exceed-action drop
policy-map 4M
class class-default
police rate 4194000
conform-action transmit
exceed-action drop
policy-map 1M
class class-default
police rate 1048500
conform-action transmit
exceed-action drop
policy-map 50M
class class-default
police rate 54525500
conform-action transmit
exceed-action drop
policy-map 60M
class class-default
police rate 65011500
conform-action transmit
exceed-action drop
policy-map 1000M
class class-default
police rate 1048576000
conform-action transmit
exceed-action drop
policy-map 6M
class class-default
police rate 6291000
conform-action transmit
exceed-action drop
policy-map 150M
class class-default
police rate 162529000
conform-action transmit
exceed-action drop
!
!
!
!
bba-group pppoe global
virtual-template 1
sessions per-mac limit 1
sessions per-vlan limit 1024
sessions per-mac throttle 30 1 30
sessions auto cleanup
!
!
interface Loopback1
ip address 20.20.0.1 255.255.240.0
!
interface Port-channel9
no ip address
no negotiation auto
arp timeout 300
no mop enabled
lacp fast-switchover
!
interface GigabitEthernet0/0/0
ip address 123.217.236.127 255.255.255.248
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
channel-group 9 mode active
!
interface GigabitEthernet0/0/2
descreption STREAMING_SERVER
ip address 100.20.20.7 255.255.255.240
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
negotiation auto
pppoe enable group global
arp timeout 300
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
interface Virtual-Template1
mtu 1492
ip unnumbered Loopback1
no ip redirects
no ip unreachables
ip nat inside
ip access-group 101 in
peer default ip address pool PPPoE-Private-IPs
ppp mtu adaptive
ppp authentication pap PPPoE_LIST
ppp authorization PPPoE_LIST
ppp accounting PPPoE_LIST
ppp ipcp dns 8.8.8.8 8.8.4.4
!
ip local pool PPPoE-Private-IPs 20.20.0.2 20.20.15.254
ip local pool PPPoE-Public-IP-Pool1 123.65.203.2 123.65.203.254
ip nat settings mode cgn
no ip nat settings support mapping outside
ip nat settings pap limit 30 bpa
ip nat log translations syslog
ip nat translation timeout 120
ip nat translation tcp-timeout 120
ip nat translation udp-timeout 60
ip nat translation finrst-timeout 30
ip nat translation syn-timeout 30
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 2
ip nat translation max-entries 2147483647
ip nat translation max-entries all-host 60
no ip nat service all-algs
ip nat pool NAS1 123.65.23.1 123.65.23.254 netmask 255.255.255.0
ip nat inside source route-map NAT-LOCAL-LIST pool NAS1 overload
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 123.217.236.125
!
logging trap debugging
logging facility syslog
logging host 70.36.102.5 transport udp port 4830
access-list 1 permit 20.20.0.0 0.0.15.255
access-list 101 deny tcp any eq 445 any
access-list 101 deny udp any host 255.255.255.255
access-list 101 deny udp any any range netbios-ns netbios-ss
access-list 101 deny tcp any any range 137 139
access-list 101 permit ip any any
!
route-map NAT-LOCAL-LIST permit 10
match ip address 1
!
radius-server attribute 44 include-in-access-req default-vrf
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 32 include-in-accounting-req
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server attribute 25 access-request include
radius-server attribute nas-port format d
radius-server attribute 61 extended
radius-server attribute 4 123.217.236.127
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria tries 3
radius-server retransmit 5
radius-server timeout 10
radius-server deadtime 15
radius-server directed-request
radius-server key xxxxxxxxx
!
radius server RAD
address ipv4 xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813
key xxxxxxxxx
!

 

 

Thanks in advance.

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents