theAlexis, posted January 9, 2007

Gentlemen, has anyone managed to get NAT and NetFlow to coexist on the same Cisco? I've reread everything I could find on the subject on cisco.com and opennet, but still can't beat it....

We have a router, IOS 12.4(10a) (ip flow ingress/egress is supported), ip cef, a flow export destination configured, and two interfaces:

fa0/0 - internal network (10.0.0.0/8) - nat inside
se0/0 - to the provider (80.ЧЧ.ЧЧЧ.ЧЧЧ) - nat outside

On the internal interface:

ip flow ingress
ip flow egress

The statistics NetFlow produces are garbage, namely: the total traffic volume is correct, but there is no breakdown by client IP, i.e. instead of my 10.0.0.77 I see the IP used in the NAT config (80.ЧЧ.ЧЧЧ.126)...

show ip cache flow (abridged):

SrcIf  SrcIPaddress    DstIf  DstIPaddress     Pr SrcP DstP Pkts
Fa0/0  80.ЧЧ.ЧЧЧ.126   Se0/0  164.8.222.132    06 8149 1236 324
Fa0/0  80.ЧЧ.ЧЧЧ.126   Se0/0  83.26.232.144    06 CCB3 1236 301
Fa0/0  80.ЧЧ.ЧЧЧ.126   Null   88.153.201.145   06 A757 1236 1
Fa0/0  80.ЧЧ.ЧЧЧ.126   Se0/0  88.153.201.145   06 A757 1236 3
Fa0/0  80.ЧЧ.ЧЧЧ.126   Se0/0  62.43.64.198     06 D2CC 09F0 11
Fa0/0  80.ЧЧ.ЧЧЧ.126   Null   83.22.214.158    06 8976 656A 1
Fa0/0  80.ЧЧ.ЧЧЧ.126   Se0/0  83.22.214.158    06 8976 656A 14

Does anyone know how to fix this? I'd be very grateful for any advice.....
Nailer, posted January 9, 2007

1. Which Cisco?
2. Show us the config.
theAlexis (author), posted January 10, 2007

> 1. Which Cisco?

Cisco IOS Software, C1700 Software (C1700-IPBASEK9-M), Version 12.4(10a), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 11-Oct-06 16:26 by prod_rel_team

ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)

cisco1760 uptime is 4 days, 20 hours, 11 minutes
System returned to ROM by reload
System restarted at 13:53:11 EET Fri Jan 5 2007
System image file is "flash:c1700-ipbasek9-mz.124-10a.bin"
.............
Cisco 1760 (MPC860P) processor (revision 0x300) with 58109K/7427K bytes of memory.
Processor board ID FOC07210YVG (180360467), with hardware revision 0000
MPC860P processor: part number 5, mask 2
1 FastEthernet interface
2 Serial(sync/async) interfaces
32K bytes of NVRAM.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

> 2. Show us the config.

cisco1760#show running-config
Building configuration...

Current configuration : 6085 bytes
!
! Last configuration change at 10:02:03 EET Wed Jan 10 2007 by adms
! NVRAM config last updated at 12:16:06 EET Tue Jan 9 2007 by alexis
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname cisco1760
!
boot-start-marker
boot system flash flash:c1700-ipbasek9-mz.124-10a.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 8000 debugging
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
aaa session-id common
clock timezone EET 2
no ip source-route
ip cef
ip cef accounting per-prefix
!
ip tcp synwait-time 10
!
ip flow-egress input-interface
no ip bootp server
ip domain name XXXXXXXXXXXX.kiev.ua
ip ssh time-out 60
ip ssh authentication-retries 2
!
crypto pki trustpoint TP-self-signed-180360467
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-180360467
 revocation-check none
 rsakeypair TP-self-signed-180360467
!
crypto pki certificate chain TP-self-signed-180360467
 certificate self-signed 01
  XXXXXXXXXXXXXXXXXXXXXX
  XXXXXXXXXXXXXXXXXXXXXX
  quit
username adms password 7 XXXXXXXXXXXXXXXXXXXXXXX
username alexis privilege 15 view root secret 5 XXXXXXXXXXXXXXXXXXX
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description $ETH-LAN$$FW_INSIDE$
 ip address 10.1.0.2 255.0.0.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip route-cache flow
 speed auto
 no cdp enable
!
interface Serial0/0
 description $FW_OUTSIDE$
 ip address 80.XX.XXX.126 255.255.255.252
 ip access-group InternetIn in
 ip access-group InternetOut out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation frame-relay IETF
 ip route-cache flow
 load-interval 30
 frame-relay interface-dlci 440
!
interface Serial0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 no cdp enable
!
ip route 0.0.0.0 0.0.0.0 80.XX.XXX.125
ip flow-export version 5
ip flow-export destination 10.0.0.3 9996
ip flow-top-talkers
 top 15
 sort-by bytes
!
ip http server
ip http access-class 1
no ip http secure-server
ip nat inside source list NAT interface Serial0/0 overload
ip nat inside source static 10.0.0.5 80.XX.XXX.178
ip nat inside source static 10.0.0.6 80.XX.XXX.179
ip nat inside source static 10.0.0.3 80.XX.XXX.180
ip nat inside source static 10.0.0.77 80.XX.XXX.181
ip nat inside source static 10.0.0.50 80.XX.XXX.182
!
ip access-list extended InternetIn
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit icmp any any echo-reply
 permit icmp any any echo
 permit tcp any host 80.XX.XXX.178 eq smtp
 permit tcp host 212.XX.XXX.147 host 80.XX.XXX.179 eq 1352
 permit tcp host 193.XX.XXX.194 host 80.XX.XXX.179 eq 1352
 permit tcp host 212.XX.XXX.134 host 80.XX.XXX.179 eq 1352
 evaluate InternetTraffic
 deny ip any any log
ip access-list extended InternetOut
 permit tcp any any reflect InternetTraffic
 permit udp any any reflect InternetTraffic
 permit icmp any any reflect InternetTraffic
ip access-list extended NAT
 permit ip host 10.0.0.50 any
 permit ip host 10.0.0.77 any
 permit ip host 10.0.0.222 any
 permit ip host 10.0.0.5 any
 permit ip host 10.0.0.3 any
 permit ip host 10.0.0.55 any
 permit ip host 10.0.0.4 any
 permit ip host 10.0.0.107 any
 permit ip host 10.0.0.100 any
 permit ip host 10.0.30.7 any
 permit ip host 10.0.4.81 any
 permit ip host 10.0.3.12 any
!
access-list 1 permit 10.0.0.50
access-list 1 permit 10.0.0.77
access-list 1 permit 10.0.0.222
access-list 100 deny tcp any any eq 881 log
access-list 100 deny tcp any eq 881 any log
access-list 100 deny udp any any eq 881 log
access-list 100 deny udp any eq 881 any log
access-list 100 permit ip any any
snmp-server community public RO
snmp-server host 10.1.0.222 public
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 1 in
 transport input ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17208089
ntp server 10.0.0.2 source FastEthernet0/0 prefer
ntp server 10.0.0.4 source FastEthernet0/0
ntp server 10.0.0.5 source FastEthernet0/0
end
vtomachinsky, posted January 10, 2007 (edited)

To get the traffic accounted correctly you just need to pass it through loopback0, which avoids the problem of traffic being counted against the NAT IP instead of the client's.

http://www.opennet.ru/base/cisco/netflow_nat.txt.html

Or option 2: a separate NAT per client, but that is only feasible with a small number of them.

Edited January 10, 2007 by vtomachinsky
SergeiK, posted January 10, 2007

No, you could try putting this on the internal interface:

ip flow ingress
ip flow egress

12.4 should support it. By default only what enters an interface ends up in NetFlow.
theAlexis (author), posted January 10, 2007

> No, you could try putting this on the internal interface:
>
> ip flow ingress
> ip flow egress
>
> 12.4 should support it. By default only what enters an interface ends up in NetFlow.

No, that's the whole point: with that setup the user IPs aren't in the statistics. I tried it like this (only the parts of the config relevant to the topic):

Variant 1, plain:

ip cef
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 10.0.0.3 9996

interface FastEthernet0/0
 description $FW_INSIDE$
 ip address 10.1.0.2 255.0.0.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 speed auto
 no cdp enable
!
interface Serial0/0
 description $FW_OUTSIDE$
 ip address 80.XX.XXX.126 255.255.255.252
 ip access-group InternetIn in
 ip access-group InternetOut out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation frame-relay IETF
 load-interval 30
 fair-queue
 frame-relay interface-dlci 440
!

Variant 2 - Loopback + route-map:

ip cef
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 10.0.0.3 9996

interface Loopback0
 ip address 192.168.1.1 255.255.255.0
 ip route-cache policy

interface FastEthernet0/0
 description NNG$ETH-LAN$$FW_INSIDE$
 ip address 10.1.0.2 255.0.0.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip route-cache policy
 speed auto
 no cdp enable
!
interface Serial0/0
 description $FW_OUTSIDE$
 ip address 80.XX.XXX.126 255.255.255.252
 ip access-group InternetIn in
 ip access-group InternetOut out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation frame-relay IETF
 ip route-cache policy
 ip policy route-map MAP
 load-interval 30
 fair-queue
 frame-relay interface-dlci 440
!
access-list 108 permit ip any 10.0.0.0 0.0.0.255

route-map MAP permit 10
 match ip address 108
 set interface Loopback0

With both variants, show ip cache flow shows 80.XX.XXX.126 instead of 10.0.*.***, i.e. lines like:

Fa0/0  80.XX.XXX.126  Se0/0  62.43.64.198    06 E384 09F0 7
Fa0/0  80.XX.XXX.126  Se0/0  87.110.36.175   06 A443 F2A2 1577
Andrei, posted September 14, 2015

I've run into an even more interesting situation. Everything is configured according to the manuals on the internet. In sh ip cache flow I can see the private IPs:

Fa1/1.502  178.248.237.93  Vi13*     172.21.40.236   06 01BB F79B 278
Fa1/1.502  178.248.237.93  Vi13*     172.21.40.236   06 01BB F79A 27
Vi149      212.57.158.10   Fa0/0     113.251.7.242   11 C6B4 0FC9 1
Vi146      172.21.40.115   Fa1/1.502 178.91.26.227   06 C35A B28B 3
Vi161      172.21.40.229   Fa1/1.502 87.250.251.179  06 0930 01BB 1
Vi149      212.57.158.10   Fa0/0     61.162.180.214  11 C6B4 E566 1
Vi51       172.21.40.49    Fa1/1.502 195.64.208.144  06 F837 7648 3
Vi161      172.21.40.229   Fa1/1.502 176.34.123.210  06 D0B8 0050 10
Vi2.4      172.21.40.188   Fa1/1.502 212.22.76.12    11 80E8 6B50 1
Fa1/1.502  178.248.237.16  Vi13*     172.21.40.236   06 01BB F7A5 30
Fa1/1.502  50.138.132.250  Vi150     62.141.99.90    11 B395 E258 444
Vi46       172.21.40.71    Null      8.8.8.8         11 9A8F 0035 1

I export all of this to netams, and there, for some reason, there are no statistics for the private IPs at all :( i.e. the 172.21.40 network is not visible in the netams database :(

The setup is this: users authenticate via PPTP/PPPoE on a Cisco 7204 (c7200-ik9o3s-mz.124-25d.bin), get private IPs, and are then steered by route-maps to different upstreams:

interface Loopback0
 ip address 10.1.1.1 255.255.255.0
 ip flow ingress
 ip flow egress

interface FastEthernet1/0.5
 encapsulation dot1Q 5
 ip address 212.57.ххх.230 255.255.255.248
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 no cdp enable

interface FastEthernet1/1.502
 encapsulation dot1Q 502
 ip address 62.141.ххх.90 255.255.255.252
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly max-reassemblies 100
 no cdp enable

interface Virtual-Template1
 description PPTP VPN template interface
 ip unnumbered Loopback0
 no ip redirects
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip policy route-map nat_to_sovintel
 no logging event link-status
 no peer default ip address
 keepalive 30 7
 ppp authentication pap chap callin via_lb
 ppp authorization via_lb
 ppp accounting via_lb
 ppp ipcp dns 8.8.8.8 212.57.ххх.61

ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 212.57.ххх.61 9996

access-list 100 permit ip 172.21.40.0 0.0.0.255 any
access-list 101 deny ip any host 212.57.158.61
access-list 103 permit ip 172.21.42.0 0.0.0.255 any
access-list 103 deny ip any any

route-map nat_to_sovintel permit 10
 match ip address 100
 set ip next-hop 62.141.ххх.89
!
route-map nat_to_sovintel permit 30
 match ip address 103
 set ip next-hop 212.57.ххх.225
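Both problems in this thread are easiest to see from the collector's side rather than from show ip cache flow: theAlexis's exporter sends v5 records whose source address is already the NAT outside address, while Andrei's records do carry the 172.21.40.x addresses yet netams shows nothing for them. The following is an added example, not code from the thread, netams, or Cisco: a minimal NetFlow v5 decoder for the UDP payload an IOS router sends to a collector (the 10.0.0.3:9996 / 212.57.ххх.61:9996 destinations above), plus a check that sorts outbound flows into "still attributed to an inside host" and "already rewritten to the NAT address". The sample datagram is constructed inline; RFC 5737 test ranges (203.0.113.126, 198.51.100.x) stand in for the masked public addresses in the posts, and the interface ifIndex values are invented.

```python
"""NetFlow v5 decoder with a NAT-attribution check (added example, not from the thread).

Parses the datagram a Cisco exporter sends to a collector and reports whether the
exported flows still carry inside (RFC 1918) source addresses or only the NAT
outside address. All sample data below is constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")             # 24-byte header
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48-byte flow record

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class FlowRecord:
    src: str
    dst: str
    input_if: int    # SNMP ifIndex of the input interface
    output_if: int
    packets: int
    octets: int
    src_port: int
    dst_port: int
    proto: int


def parse_v5(payload: bytes) -> List[FlowRecord]:
    """Decode one NetFlow v5 export datagram; reject anything that is not well-formed v5."""
    if len(payload) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = V5_HEADER.unpack_from(payload, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(payload) != expected:
        raise ValueError(f"count={count} implies {expected} bytes, got {len(payload)}")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(payload, V5_HEADER.size + i * V5_RECORD.size)
        # Field order: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
        # First, Last, srcport, dstport, pad1, tcp_flags, prot, tos, ...
        records.append(FlowRecord(
            src=str(ipaddress.IPv4Address(f[0])), dst=str(ipaddress.IPv4Address(f[1])),
            input_if=f[3], output_if=f[4], packets=f[5], octets=f[6],
            src_port=f[9], dst_port=f[10], proto=f[13]))
    return records


def nat_attribution_report(records: Sequence[FlowRecord],
                           nat_outside_addrs: Sequence[str]) -> Dict[str, List[FlowRecord]]:
    """Sort flows: 'attributed' = private inside source (what per-client accounting needs),
    'lost' = source already rewritten to a NAT outside address (the symptom in the thread),
    'other' = everything else (inbound/return traffic, transit)."""
    nat = {ipaddress.ip_address(a) for a in nat_outside_addrs}
    out: Dict[str, List[FlowRecord]] = {"attributed": [], "lost": [], "other": []}
    for r in records:
        src = ipaddress.ip_address(r.src)
        if src in nat:
            out["lost"].append(r)
        elif any(src in n for n in PRIVATE_NETS):
            out["attributed"].append(r)
        else:
            out["other"].append(r)
    return out


def build_v5(flows: Sequence[Tuple]) -> bytes:
    """Constructed exporter output: pack a v5 header plus records from
    (src, dst, input_if, output_if, packets, octets, src_port, dst_port, proto) tuples."""
    body = b"".join(
        V5_RECORD.pack(int(ipaddress.IPv4Address(s)), int(ipaddress.IPv4Address(d)), 0,
                       inp, out, pk, oc, 1000, 2000, sp, dp, 0, 0x18, pr, 0, 0, 0, 0, 0, 0)
        for (s, d, inp, out, pk, oc, sp, dp, pr) in flows)
    header = V5_HEADER.pack(5, len(flows), 0x12345678, 1168300800, 0, 1, 0, 0, 0)
    return header + body


# Constructed sample: 203.0.113.126 stands in for the masked NAT outside address.
NAT_OUTSIDE = ("203.0.113.126",)
SAMPLE_FLOWS = [
    ("203.0.113.126", "198.51.100.132", 1, 2, 324, 150000, 0x8149, 0x1236, 6),  # NAT'd, client lost
    ("203.0.113.126", "198.51.100.144", 1, 2, 301, 140000, 0xCCB3, 0x1236, 6),  # NAT'd, client lost
    ("10.0.0.77",     "198.51.100.10",  1, 2, 10,  5000,   0xD0B8, 80,     6),  # inside host visible
    ("172.21.40.229", "198.51.100.179", 161, 5, 1, 60,     0x0930, 443,    6),  # PPTP client visible
    ("198.51.100.20", "203.0.113.126",  2, 1, 5,   500,    443,    0xF79B, 6),  # return traffic
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_FLOWS)


def summarize(payload: bytes = SAMPLE_DATAGRAM,
              nat_outside: Sequence[str] = NAT_OUTSIDE) -> Tuple[Dict[str, int], int]:
    """Return (count per category, octets whose inside-host attribution was lost)."""
    report = nat_attribution_report(parse_v5(payload), nat_outside)
    return {k: len(v) for k, v in report.items()}, sum(r.octets for r in report["lost"])


if __name__ == "__main__":
    counts, lost_octets = summarize()
    print(counts, f"{lost_octets} octets cannot be charged to a client")
```

Run against the constructed datagram it reports two flows still attributed to inside hosts, two already rewritten to the NAT address (290000 octets that cannot be charged to any client), and one return flow. Pointed at a real collector's socket, a non-zero "lost" count for flows entering on the inside interface is exactly the condition the thread is chasing; a zero "attributed" count with RFC 1918 addresses visible in show ip cache flow would instead point at the collector's side, as in the 2015 post.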