
ISG, prepaid, L4 redirect & ACL trouble !!!

Hi, all.

I'm sorry for my bad English.

I have: 7206VXR, NPE-G2, c7200p-a3jk91s-mz.122-31.SB9.bin

Config:

SERVICE_403_L4R_TC Password = "cisco",
    cisco-avpair = "ip:traffic-class=in access-group name ACL_IN_L4R",
    cisco-avpair = "ip:l4redirect=redirect list 197 to group PORTAL",
    cisco-avpair = "ip:traffic-class=out access-group name ACL_OUT_L4R",
    cisco-avpair = "ip:traffic-class=out default drop",
    cisco-avpair = "ip:traffic-class=in default drop",

SERVICE_401_INTERNET Password = "cisco",
    User-Name = "0/0/1/100.4000",
    cisco-avpair = "subscriber:accounting-list=BH_ACCNT_LIST",
    cisco-avpair = "ip:traffic-class=in access-group name ACL_IN_INT priority 30",
    cisco-avpair = "ip:traffic-class=out access-group name ACL_OUT_INT priority 30",
    cisco-avpair = "ip:traffic-class=out default drop",
    Service-Info = "QD;1024000;1024000",
    Service-Info = "QU:512000;512000",
    Service-Info = "ISERVICE_401_INTERNET",
    cisco-avpair = "prepaid-config=default",

Extended IP access list 197
    10 deny tcp any host 172.16.5.57 eq www
    20 permit tcp any any eq www (6 matches)
    30 permit tcp any any eq 8080
    40 permit tcp any any eq 8002
    50 deny udp any any eq domain (127 matches)
    70 permit ip any any

Extended IP access list ACL_IN_INT
    10 deny ip 10.0.0.0 0.255.255.255 any
    20 deny ip 192.168.0.0 0.0.255.255 any
    30 permit ip any any (1676 matches)

Extended IP access list ACL_IN_L4R
    10 deny ip any host 172.16.5.57 (1 match)
    20 permit tcp any any eq www (25 matches)
    30 permit udp any any eq domain (116 matches)
    40 permit tcp any host 81.222.82.102
    50 deny ip any any (108 matches)

Extended IP access list ACL_OUT_INT
    10 deny ip 10.0.0.0 0.255.255.255 any
    20 deny ip 192.168.0.0 0.0.255.255 any (27 matches)
    30 permit tcp any 172.16.0.0 0.0.255.255 (4252 matches)
    40 permit udp any 172.16.0.0 0.0.255.255 (557 matches)
    50 permit ip any any (26 matches)

Extended IP access list ACL_OUT_L4R
    10 permit tcp any any eq www
    20 deny ip 182.168.0.0 0.0.255.255 any
    30 deny ip any 192.168.0.0 0.0.255.255
    40 permit ip host 172.16.5.57 any (18 matches)
    50 permit udp host 81.222.xx.2 eq domain 172.16.1.0 0.0.0.255 (57 matches)
    60 permit tcp host 81.222.xx.102 172.16.1.0 0.0.0.255
    70 deny ip any any (64 matches)

sh sss session detailed | i ACL
    ACL Name: ACL_IN_INT, Packets = 100, Bytes = 11633
    ACL Name: GAM_ACL_IN, Packets = 0, Bytes = 0
    ACL Name: ACL_IN_L4R, Packets = 11, Bytes = 870
    ACL Name: ACL_OUT_INT, Packets = 64, Bytes = 8160
    ACL Name: GAM_ACL_OUT, Packets = 0, Bytes = 0
    ACL Name: ACL_OUT_L4R, Packets = 3, Bytes = 399

    Uniq ID  Interface   State     Service       Identifier      Up-time
    48       Traffic-Cl  unauthen  Ltm Internal                  00:01:01
    34       IP          authen    Local Term    0/0/1/100.4000  00:37:45
    36       Traffic-Cl  unauthen  Ltm Internal                  00:37:45
    35       Traffic-Cl  unauthen  Ltm Internal  0/0/1/100.4000  00:37:45

Trouble:

When the quota is depleted, the service SERVICE_403_L4R_TC becomes active and all traffic in the service SERVICE_401_INTERNET is dropped, but the Layer 4 redirect doesn't work, although:

Router#sh redirect translations
    Destination IP/port  Server IP/port    Prot  In Flags  Out Flags  Timestamp
    81.2xx.xx.4 80       172.16.5.57 8001  TCP                        Nov 30 2007 11:00:13

If I do "no 30 permit ip any any" in the ACL ACL_IN_INT, everything works, but there is no accounting information for the inbound direction in the Acc-Request.

1 REPLY

Re: ISG, prepaid, L4 redirect & ACL trouble !!!

Hi,

In order to redirect when the quota gets depleted, you must apply the redirect on the quota-depleted event.

Ex: policy service on event quota depleted/exhaust,

apply service name (L4_Redirect to recharge page).
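
One way to write the event-driven policy the reply describes, as an added example that is not from either poster: an ISG control policy that applies the thread's SERVICE_403_L4R_TC service on the prepaid events. The policy-map name PREPAID_RULE is hypothetical, the choice of events is an assumption about how the prepaid server answers, and the interface it attaches to is left as a placeholder.

```ios
! Added example; PREPAID_RULE is a hypothetical name, not from the thread.
policy-map type control PREPAID_RULE
 !
 ! Assumption: the prepaid server answers the reauthorization with zero
 ! quota, which raises credit-exhausted. Apply the L4 redirect service
 ! here so the subscriber is steered to the recharge portal.
 class type control always event credit-exhausted
  1 service-policy type service name SERVICE_403_L4R_TC
 !
 ! Assumption: quota-depleted fires when the granted quota runs out and
 ! the reauthorization is still pending. Keep forwarding until the
 ! server answers, rather than dropping traffic in the meantime.
 class type control always event quota-depleted
  1 set-param drop-traffic FALSE
!
! Attach the control policy to the subscriber-facing interface.
! <subscriber-interface> is a placeholder; the thread does not show it.
interface <subscriber-interface>
 service-policy type control PREPAID_RULE
```

After the quota runs out, `show subscriber session detailed` (the newer form of the `sh sss session detailed` command used in the question) should list SERVICE_403_L4R_TC among the session's active services if the event fired and the service was applied.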
