Twice as many packets arriving as we consume, Cisco 7204

Guys, check this out:

There's a router with two holes: Internet -->in--> NAT -->out--> local network

 

and here's this crap:

c7204#sh int gi0/1

GigabitEthernet0/1 is up, line protocol is up

Hardware is BCM1250 Internal MAC, address is 001c.b13c.7c1b (bia 001c.b13c.7c1b)

Description: INET

 

30 second input rate 55756000 bits/sec, 22230 packets/sec

30 second output rate 22952000 bits/sec, 20316 packets/sec

 

 

c7204#sh int gi0/2

GigabitEthernet0/2 is up, line protocol is up

Hardware is BCM1250 Internal MAC, address is 001c.b13c.7c1a (bia 001c.b13c.7c1a)

Description: LAN

30 second input rate 15592000 bits/sec, 8455 packets/sec

30 second output rate 48432000 bits/sec, 10432 packets/sec

 

 

Why could this be? Why do I have twice as many packets on the external interface? Hm?

 

 

c7204#sh run int gi0/1

Building configuration...

 

Current configuration : 336 bytes

!

interface GigabitEthernet0/1

description --

bandwidth 56000

ip address 92.92.92.92 255.255.255.252

ip access-group NO_PRIV out

ip flow ingress

ip nat outside

ip virtual-reassembly

ip route-cache policy

ip tcp adjust-mss 1436

load-interval 30

duplex auto

speed auto

media-type rj45

no negotiation auto

fair-queue

end

 

sh run int gi0/2

Building configuration...

 

Current configuration : 304 bytes

!

interface GigabitEthernet0/2

description LAN

bandwidth 60000

ip address 192.168.99.199 255.255.255.0

ip access-group TRAP in

ip nat inside

ip virtual-reassembly

ip route-cache policy

load-interval 30

duplex auto

speed 100

media-type rj45

no negotiation auto

fair-queue

no cdp enable

end

 

 

#sh access-lists NO_PRIV

Extended IP access list NO_PRIV

10 deny ip 10.0.0.0 0.255.255.255 any (2 matches)

20 deny ip 192.168.0.0 0.0.255.255 any (9 matches)

70 permit ip any any (12579912 matches)

 

 

c7204#sh access-lists TRAP

Extended IP access list TRAP

100 deny tcp any any eq 445

110 deny tcp any any eq 135

120 permit ip 10.1.0.0 0.0.255.255 any (822302 matches)

130 permit ip 10.2.0.0 0.0.255.255 any (943491 matches)

140 permit ip 10.3.0.0 0.0.255.255 any (811462 matches)

150 permit ip 10.4.0.0 0.0.255.255 any (536763 matches)

160 permit ip 10.5.0.0 0.0.255.255 any (551573 matches)

170 permit ip 10.6.0.0 0.0.255.255 any (479398 matches)

180 permit ip 192.168.0.0 0.0.255.255 any (115565 matches)

190 permit ip 10.0.0.0 0.255.255.255 any (24349 matches)

200 permit ip any any (76278 matches)

 

 

Hypotheses I came up with and worked through:

1. Flood and junk traffic.

2. Packet reassembly because of different window-size values on the interfaces.

 

1. Put ip access-group SEPUKA in on the external interface

with:

a permit for our traffic.

a permit for any traffic

 

The counter for "any traffic" isn't incrementing.

 

So I conclude that all this traffic made it into NAT, and then for some reason half of it got thrown away

 

2. c7204#ping PROVIDER size 1500

 

Type escape sequence to abort.

Sending 5, 1500-byte ICMP Echos to PROVIDER, timeout is 2 seconds:

!!!!!

 

MTU is 1500 on both ends

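The question in the post is a ratio between two counters, and the raw `sh int` rates hide a second number that is easy to derive from them: the average packet size in each direction. The script below is an added example, not code from the thread. It parses IOS `show interfaces` output, computes per-direction average packet size and the outside/inside packet and byte ratios across the NAT, and pulls the input-queue drops/flushes where the output includes them. The sample text is constructed from the output in this thread: the rate lines are the ones quoted above (Gi0/1 = ip nat outside, Gi0/2 = ip nat inside), and the Input queue lines are taken from the fuller `sh int` posted further down.

```python
import re
from dataclasses import dataclass

# Constructed sample: rate lines as posted for gi0/1 and gi0/2; the Input queue
# lines are from the fuller "sh int" output later in the thread.
SHOW_INT = """\
GigabitEthernet0/1 is up, line protocol is up
  Hardware is BCM1250 Internal MAC, address is 001c.b13c.7c1b (bia 001c.b13c.7c1b)
  Description: INET
  Input queue: 3/75/0/373534 (size/max/drops/flushes); Total output drops: 8836
  30 second input rate 55756000 bits/sec, 22230 packets/sec
  30 second output rate 22952000 bits/sec, 20316 packets/sec
GigabitEthernet0/2 is up, line protocol is up
  Hardware is BCM1250 Internal MAC, address is 001c.b13c.7c1a (bia 001c.b13c.7c1a)
  Description: LAN
  Input queue: 0/75/29394/4807825 (size/max/drops/flushes); Total output drops: 8567
  30 second input rate 15592000 bits/sec, 8455 packets/sec
  30 second output rate 48432000 bits/sec, 10432 packets/sec
GigabitEthernet0/3 is administratively down, line protocol is down
  Description: INTERNET-LAND
"""


@dataclass
class IfStats:
    name: str
    in_bps: int = 0
    in_pps: int = 0
    out_bps: int = 0
    out_pps: int = 0
    in_drops: int = 0      # input queue drops
    in_flushes: int = 0    # input queue flushes (selective packet discard)
    out_drops: int = 0     # total output drops

    def avg_bytes(self, direction):
        """Average packet size in bytes, derived from the bit and packet rates."""
        bps, pps = (self.in_bps, self.in_pps) if direction == "in" else (self.out_bps, self.out_pps)
        return bps / 8 / pps if pps else 0.0


HEADER = re.compile(r"^(\S+) is (.+), line protocol is (\S+)")
RATE = re.compile(r"(input|output) rate (\d+) bits/sec, (\d+) packets/sec")
QUEUE = re.compile(r"Input queue: \d+/\d+/(\d+)/(\d+) .*Total output drops: (\d+)")


def parse_show_interfaces(text):
    """Return {interface name: IfStats} from 'show interfaces' text."""
    stats, cur = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)           # interface lines start at column 0
        if m:
            cur = stats[m.group(1)] = IfStats(m.group(1))
            continue
        if cur is None:
            continue
        m = RATE.search(line)
        if m:
            bps, pps = int(m.group(2)), int(m.group(3))
            if m.group(1) == "input":
                cur.in_bps, cur.in_pps = bps, pps
            else:
                cur.out_bps, cur.out_pps = bps, pps
            continue
        m = QUEUE.search(line)
        if m:
            cur.in_drops, cur.in_flushes, cur.out_drops = map(int, m.groups())
    return stats


def nat_balance(stats, outside, inside):
    """Compare the two sides of the NAT. Ratios are outside/inside, so 1.0 means
    every packet (or bit) seen on one side is also seen on the other."""
    o, i = stats[outside], stats[inside]
    return {
        "in_pkt_ratio": o.in_pps / i.out_pps,      # Internet -> LAN direction
        "in_byte_ratio": o.in_bps / i.out_bps,
        "out_pkt_ratio": o.out_pps / i.in_pps,     # LAN -> Internet direction
        "out_byte_ratio": o.out_bps / i.in_bps,
        "avg_bytes": {
            "outside_in": o.avg_bytes("in"),
            "inside_out": i.avg_bytes("out"),
            "inside_in": i.avg_bytes("in"),
            "outside_out": o.avg_bytes("out"),
        },
        "inside_input_queue": (i.in_drops, i.in_flushes),
        "outside_input_queue": (o.in_drops, o.in_flushes),
    }


if __name__ == "__main__":
    st = parse_show_interfaces(SHOW_INT)
    for key, value in nat_balance(st, "GigabitEthernet0/1", "GigabitEthernet0/2").items():
        print(key, value)
```

Run as a script it prints the comparison of Gi0/1 against Gi0/2. For the rates as posted, the Internet-to-LAN byte ratio is about 1.15 while the packet ratio is about 2.1, so the packets that do not show up on the LAN side are on average much smaller than the ones that do (about 314 bytes average arriving on Gi0/1 versus about 580 bytes leaving Gi0/2). That is a property of the posted counters, not a diagnosis, but it is the number worth having in hand before blaming NAT.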
[quoting the first post]

You're pinging wrong: without the DF bit the packets will get fragmented and you won't see anything.

 

Also, post the whole config. And the sh int output too.

[quoting the reply above]

 

I just copy-pasted the wrong thing

c7204#ping 82.112.0.1 size 1500 df-bit

 

Type escape sequence to abort.

Sending 5, 1500-byte ICMP Echos to 82.112.0.1, timeout is 2 seconds:

Packet sent with the DF bit set

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 212/216/224 ms

 

 

 

 

The whole config:

c7204#sh run

Building configuration...

 

Current configuration : 23751 bytes

!

upgrade fpd auto

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname c7204

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

 

!

no aaa new-model

clock timezone HNM 5

clock summer-time HNM recurring

no ip source-route

no ip icmp rate-limit unreachable DF

ip cef

!

!

!

!

no ip bootp server

no ip domain lookup

 

ip name-server 192.168.99.200

ip name-server 192.168.99.180

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

memory-size iomem 0

 

archive

log config

logging enable

notify syslog contenttype plaintext

hidekeys

path disk2:$h

write-memory

time-period 1440

!

!

!

!

!

ip rcmd rsh-enable

ip rcmd remote-host seven 192.168.99.186 root enable

ip rcmd remote-host seven 192.168.99.179 root enable

ip rcmd remote-host admin 192.168.99.179 root enable

!

!

!

!

interface GigabitEthernet0/1

description --

bandwidth 56000

ip address 82.62.176.118 255.255.255.252

ip access-group SEPUKA in

ip access-group NO_PRIV out

ip flow ingress

ip nat outside

ip virtual-reassembly

ip route-cache policy

load-interval 30

duplex auto

speed auto

media-type rj45

no negotiation auto

fair-queue

!

interface GigabitEthernet0/2

description LAN

bandwidth 60000

ip address 192.168.99.199 255.255.255.0

ip access-group TRAP in

ip nat inside

ip virtual-reassembly

ip route-cache policy

load-interval 30

duplex auto

speed 100

media-type rj45

no negotiation auto

fair-queue

no cdp enable

!

interface GigabitEthernet0/3

description INTERNET-LAND

bandwidth 2000

no ip address

ip virtual-reassembly

ip route-cache policy

shutdown

duplex auto

speed auto

media-type rj45

no negotiation auto

fair-queue

no cdp enable

!

router rip

network 192.168.99.0

no auto-summary

!

ip local pool setup_pool 192.168.99.201 192.168.99.231

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 82.62.176.117

ip route 10.0.0.0 255.0.0.0 192.168.99.159

ip route 192.168.0.0 255.255.0.0 192.168.99.159

ip route 212.220.123.12 255.255.255.255 82.62.176.117

no ip http server

no ip http secure-server

!

ip flow-export version 5

ip flow-export destination 192.168.99.179 9996

ip flow-top-talkers

top 10

sort-by bytes

!

ip nat translation tcp-timeout 3600

ip nat translation max-entries all-host 4000

no ip nat service skinny tcp port 2000

no ip nat service H225

ip nat pool LINKZ1 82.62.179.65 82.62.179.65 prefix-length 24

ip nat pool LINKZ2 82.62.179.66 82.62.179.66 prefix-length 24

ip nat pool LINKZ3 82.62.179.67 82.62.179.67 prefix-length 24

ip nat pool LINKZ4 82.62.179.68 82.62.179.68 prefix-length 24

ip nat pool LINKZ5 82.62.179.69 82.62.179.69 prefix-length 24

ip nat pool LINKZ6 82.62.179.70 82.62.179.70 prefix-length 24

ip nat pool LINK_LOW 82.62.179.72 82.62.179.72 prefix-length 27

ip nat pool LINK_IP 82.62.182.10 82.62.182.252 prefix-length 24

ip nat pool LINKZ 82.62.179.71 82.62.179.71 prefix-length 24

ip nat inside source list 101 pool LINKZ1 overload

ip nat inside source list 102 pool LINKZ2 overload

ip nat inside source list 103 pool LINKZ3 overload

ip nat inside source list 104 pool LINKZ4 overload

ip nat inside source list 105 pool LINKZ5 overload

ip nat inside source list 106 pool LINKZ6 overload

ip nat inside source list LINK pool LINK_LOW overload

ip nat inside source static 10.3.9.200 82.62.179.73

ip nat inside source static 192.168.99.185 82.62.179.74

ip nat inside source static 192.168.156.3 82.62.179.75

ip nat inside source static 192.168.156.2 82.62.179.76

ip nat inside source static 10.1.100.182 82.62.179.77

ip nat inside source static 192.168.114.3 82.62.179.79

ip nat inside source static 10.1.19.252 82.62.179.80

ip nat inside source static 10.1.19.249 82.62.179.81

ip nat inside source static 10.1.11.22 82.62.179.82

ip nat inside source static 192.168.153.2 82.62.179.83

ip nat inside source static 10.1.15.32 82.62.179.84

ip nat inside source static 10.2.21.29 82.62.179.85

ip nat inside source static 10.1.19.53 82.62.179.86

ip nat inside source static 192.168.105.2 82.62.179.87

ip nat inside source static 10.3.1.22 82.62.179.88

ip nat inside source static 192.168.128.2 82.62.179.89

ip nat inside source static 192.168.99.203 82.62.179.90

ip nat inside source static 10.1.19.251 82.62.182.6

ip nat inside source static 10.5.16.14 82.62.182.7

ip nat inside source static 192.168.99.244 82.62.182.8

ip nat inside source static 192.168.152.2 82.62.182.235

ip nat inside source static 10.2.21.34 82.62.182.236

ip nat inside source static 10.5.2.58 82.62.182.237

ip nat inside source static 10.4.23.34 82.62.182.238

ip nat inside source static 10.1.17.50 82.62.182.239

ip nat inside source static 10.2.1.225 82.62.182.240

ip nat inside source static 10.3.9.37 82.62.182.241

ip nat inside source static 192.168.160.242 82.62.182.242

ip nat inside source static 192.168.160.243 82.62.182.243

ip nat inside source static 192.168.160.244 82.62.182.244

ip nat inside source static 192.168.160.245 82.62.182.245

ip nat inside source static 192.168.160.246 82.62.182.246

ip nat inside source static 192.168.160.247 82.62.182.247

ip nat inside source static 192.168.160.248 82.62.182.248

ip nat inside source static 192.168.160.249 82.62.182.249

ip nat inside source static 192.168.160.250 82.62.182.250

ip nat inside source static 10.5.2.31 82.62.182.251

ip nat inside source static 10.5.9.32 82.62.182.252

ip nat inside source static 10.3.9.210 82.62.182.253

ip nat inside source static 10.1.100.100 82.62.182.254

!

ip access-list extended LINK

permit ip 192.168.0.0 0.0.255.255 any

permit ip 10.0.0.0 0.255.255.255 any

ip access-list extended LINK_IP

permit ip host 10.1.3.19 any

permit ip host 10.5.14.12 any

permit ip host 10.1.14.42 any

permit ip host 10.1.1.22 any

permit ip host 10.2.1.123 any

permit ip host 10.2.25.109 any

permit ip host 10.5.4.37 any

permit ip host 10.5.11.24 any

permit ip host 10.3.4.32 any

permit ip host 10.4.18.20 any

permit ip host 10.1.3.25 any

permit ip host 10.2.3.16 any

permit ip host 10.4.18.17 any

permit ip host 10.4.18.18 any

permit ip host 10.2.9.28 any

permit ip host 10.6.10.12 any

permit ip host 10.6.9.12 any

permit ip host 10.2.23.29 any

permit ip host 10.1.7.49 any

permit ip host 10.4.7.18 any

permit ip host 10.5.22.49 any

permit ip host 10.2.30.17 any

permit ip host 10.2.12.13 any

permit ip host 10.6.2.12 any

permit ip host 10.2.1.109 any

permit ip host 10.2.14.18 any

permit ip host 10.2.23.25 any

permit ip host 10.2.3.119 any

permit ip host 10.1.0.19 any

permit ip host 10.2.23.13 any

permit ip host 10.6.13.30 any

permit ip host 10.4.3.43 any

permit ip host 10.2.3.15 any

permit ip host 10.2.3.204 any

permit ip host 10.1.19.55 any

permit ip host 10.6.4.18 any

permit ip host 10.6.1.19 any

permit ip host 10.1.7.13 any

permit ip host 10.4.7.14 any

permit ip host 10.2.31.13 any

permit ip host 10.2.12.30 any

permit ip host 10.1.17.15 any

permit ip host 10.6.16.13 any

permit ip host 10.1.15.39 any

permit ip host 10.5.15.12 any

permit ip host 10.3.5.31 any

permit ip host 10.2.20.32 any

permit ip host 10.6.5.22 any

permit ip host 10.2.25.27 any

permit ip host 10.5.11.25 any

permit ip host 10.1.100.10 any

permit ip host 10.1.19.239 any

permit ip host 10.1.18.2 any

permit ip host 10.1.15.28 any

permit ip host 10.2.7.114 any

ip access-list extended LOCAL-NET

permit ip any 192.168.0.0 0.0.255.255

permit ip any 10.0.0.0 0.255.255.255

permit ip host 192.168.99.35 any

ip access-list extended NAT

permit gre 192.168.0.0 0.0.255.255 any

permit ipinip 192.168.0.0 0.0.255.255 any

permit ip 192.168.0.0 0.0.255.255 any

permit ip 10.1.0.0 0.0.255.255 any

permit ip 10.2.0.0 0.0.255.255 any

permit ip 10.3.0.0 0.0.255.255 any

permit ip 10.4.0.0 0.0.255.255 any

permit ip 10.5.0.0 0.0.255.255 any

permit ip 10.6.0.0 0.0.255.255 any

permit ip host 10.0.15.250 any

ip access-list extended NO_PRIV

remark deny private subnets

deny ip 10.0.0.0 0.255.255.255 any

deny ip 192.168.0.0 0.0.255.255 any

permit ip any any

ip access-list extended PRIORITY

permit ip any host 192.168.99.160

ip access-list extended SEPUKA

permit tcp any any established

permit udp any any

permit tcp any 82.62.182.0 0.0.0.255

permit tcp any 82.62.179.64 0.0.0.31

permit ip any 82.62.182.0 0.0.0.255

permit ip any 82.62.179.64 0.0.0.31

permit ip any any

 

 

 

ip access-list extended TRAP

permit ip host 82.62.182.128 any

permit ip host 82.62.179.66 any

permit ip host 10.1.14.13 any

permit ip host 10.6.11.30 any

permit ip any host 10.6.11.30

deny udp host 10.6.1.34 any log

deny ip host 192.168.46.38 any

permit icmp any host 192.168.99.186 log

deny icmp host 10.2.10.54 any

deny tcp any any eq 445

deny tcp any any eq 135

permit ip 10.1.0.0 0.0.255.255 any

permit ip 10.2.0.0 0.0.255.255 any

permit ip 10.3.0.0 0.0.255.255 any

permit ip 10.4.0.0 0.0.255.255 any

permit ip 10.5.0.0 0.0.255.255 any

permit ip 10.6.0.0 0.0.255.255 any

permit ip 192.168.0.0 0.0.255.255 any

permit ip 10.0.0.0 0.255.255.255 any

permit ip any any

ip access-list extended inb

deny tcp any any eq 135

deny tcp any any eq 17300

deny tcp any any eq 1025

deny tcp any any eq 6588

deny tcp any any eq 4899

deny tcp any any eq 11758

deny tcp any any eq ident

deny tcp any any eq 5000

deny tcp any any eq 1433

deny tcp any any eq 1434

deny tcp any any eq 139

deny tcp any any eq 137

deny tcp any any eq 445

deny tcp any any eq 65005

deny tcp any any eq 12345

deny tcp any any eq 49624

deny tcp any any eq 61523

deny tcp any any eq 20168

deny tcp any any eq 58506

deny tcp any any eq 9898

deny tcp any any eq 2745

deny tcp any any eq 6129

deny tcp any any eq 5554

deny tcp any any eq 55551

deny tcp any any eq 58120

deny tcp any any eq 60689

deny tcp any any eq 59654

deny tcp any any eq 51765

deny tcp any any eq 56631

deny tcp any any eq 54099

deny tcp any any eq 57505

deny tcp any any eq 52659

deny tcp any any eq 65388

permit ip any any

ip access-list extended spam_out

deny ip host 10.1.19.198 any

permit tcp host 82.112.7.200 any

permit tcp any host 193.138.89.2 eq smtp

permit tcp any host 212.96.192.5 eq smtp

permit ip host 10.5.16.14 any

permit tcp any host 195.128.78.3 eq smtp

permit tcp host 192.168.99.186 any

permit tcp any host 82.116.3.42 eq smtp

permit tcp host 192.168.99.180 any eq smtp

permit tcp host 192.168.99.181 any eq smtp

permit tcp host 192.168.99.191 any eq smtp

permit tcp host 192.168.99.200 any eq smtp

permit tcp any host 89.111.176.249 eq smtp

permit tcp any host 89.111.179.17 eq smtp

permit tcp any host 82.204.219.251 eq smtp

permit tcp any host 87.226.173.3 eq smtp

permit tcp any host 81.200.29.222 eq smtp

permit tcp any host 87.251.138.2 eq smtp

permit tcp any host 213.85.107.237 eq smtp

permit tcp any host 84.204.97.106 eq smtp

permit tcp any host 85.21.97.66 eq smtp

permit tcp any host 212.76.171.18 eq smtp

permit tcp any host 194.67.23.114 eq smtp

permit tcp any host 213.180.204.38 eq smtp

permit tcp any host 194.67.23.111 eq smtp

permit tcp any host 81.19.66.20 eq smtp

permit tcp any host 217.16.16.82 eq smtp

permit tcp any host 217.197.114.135 eq smtp

permit tcp any host 195.128.76.166 eq smtp

permit tcp any host 212.38.99.196 eq smtp

permit tcp any host 195.239.148.164 eq smtp

permit tcp any host 209.85.135.27 eq smtp

permit tcp host 10.2.16.126 any eq smtp

permit tcp any 62.105.8.0 0.0.0.255 eq smtp

permit tcp host 10.2.16.125 any eq smtp

deny tcp any any eq smtp

permit ip host 10.1.11.200 any time-range OVO

permit ip any host 10.1.11.200 time-range OVO

permit ip host 10.6.0.12 any

permit ip any host 212.220.123.11

permit ip host 192.168.139.2 any

permit ip host 192.168.99.203 any

permit ip host 10.6.17.59 any

permit ip host 10.2.16.118 any

permit ip host 10.2.16.119 any

permit ip host 10.2.16.120 any

permit ip host 10.2.16.121 any

permit ip host 10.2.16.122 any

permit ip host 10.2.16.123 any

permit ip host 10.2.16.124 any

permit ip host 10.2.16.125 any

permit ip host 10.2.16.126 any

permit ip host 10.2.16.127 any

permit ip host 10.2.16.128 any

permit ip host 10.2.16.116 any

permit ip host 10.2.16.130 any

permit ip host 192.168.99.243 any

permit ip host 10.2.16.129 any

permit ip host 192.168.99.202 any

permit ip host 192.168.99.249 any

permit ip host 192.168.99.180 any

permit ip host 192.168.99.200 any

permit ip host 10.1.4.32 any

permit tcp any any eq 7777

permit tcp any any eq 2106

permit tcp any any eq 29000

permit ip any host 87.242.73.152

permit ip any host 87.242.73.93

permit ip host 10.1.19.252 any

permit ip host 192.168.130.4 any

permit ip 192.168.136.0 0.0.0.255 any

permit ip 10.1.18.0 0.0.0.255 any

permit ip host 10.1.19.33 any

permit ip 10.1.19.0 0.0.0.255 any

permit ip any any

!

logging alarm informational

logging trap debugging

logging source-interface GigabitEthernet0/2

logging 192.168.99.179

access-list 62 deny 0.0.0.0 log

access-list 62 deny 172.16.82.0 log

access-list 62 permit any

access-list 82 deny 0.0.0.0 log

access-list 82 deny 172.16.62.0 log

access-list 82 permit any

access-list 90 permit any

access-list 99 permit 212.248.28.200

access-list 99 permit 192.168.99.0 0.0.0.255

access-list 1301 permit 10.1.0.0 0.0.0.255

access-list 1302 permit 10.1.1.0 0.0.0.255

access-list 1303 permit 10.1.2.0 0.0.0.255

access-list 1304 permit 10.1.3.0 0.0.0.255

access-list 1305 permit 10.1.4.0 0.0.0.255

access-list 1306 permit 10.1.5.0 0.0.0.255

access-list 1307 permit 10.1.6.0 0.0.0.255

access-list 1308 permit 10.1.7.0 0.0.0.255

access-list 1309 permit 10.1.8.0 0.0.0.255

access-list 1310 permit 10.1.9.0 0.0.0.255

access-list 1311 permit 10.1.10.0 0.0.0.255

access-list 1312 permit 10.1.11.0 0.0.0.255

access-list 1313 permit 10.1.12.0 0.0.0.255

access-list 1314 permit 10.1.13.0 0.0.0.255

access-list 1315 permit 10.1.14.0 0.0.0.255

access-list 1316 permit 10.1.15.0 0.0.0.255

access-list 1317 permit 10.1.16.0 0.0.0.255

access-list 1318 permit 10.1.17.0 0.0.0.255

access-list 1319 permit 10.1.18.0 0.0.0.255

access-list 1320 permit 10.1.19.0 0.0.0.255

access-list 1321 permit 10.1.20.0 0.0.0.255

access-list 1322 permit 10.2.0.0 0.0.0.255

access-list 1323 permit 10.2.1.0 0.0.0.255

access-list 1324 permit 10.2.2.0 0.0.0.255

access-list 1325 permit 10.2.3.0 0.0.0.255

access-list 1326 permit 10.2.4.0 0.0.0.255

access-list 1327 permit 10.2.5.0 0.0.0.255

access-list 1328 permit 10.2.6.0 0.0.0.255

access-list 1329 permit 10.2.7.0 0.0.0.255

access-list 1330 permit 10.2.8.0 0.0.0.255

access-list 1331 permit 10.2.9.0 0.0.0.255

access-list 1332 permit 10.2.10.0 0.0.0.255

access-list 1333 permit 10.2.11.0 0.0.0.255

access-list 1334 permit 10.2.12.0 0.0.0.255

access-list 1335 permit 10.2.13.0 0.0.0.255

access-list 1336 permit 10.2.14.0 0.0.0.255

access-list 1337 permit 10.2.15.0 0.0.0.255

access-list 1338 permit 10.2.16.0 0.0.0.255

access-list 1339 permit 10.2.17.0 0.0.0.255

access-list 1340 permit 10.2.18.0 0.0.0.255

access-list 1341 permit 10.2.19.0 0.0.0.255

access-list 1342 permit 10.2.20.0 0.0.0.255

access-list 1343 permit 10.2.21.0 0.0.0.255

access-list 1344 permit 10.2.22.0 0.0.0.255

access-list 1345 permit 10.2.23.0 0.0.0.255

access-list 1346 permit 10.2.24.0 0.0.0.255

access-list 1347 permit 10.2.25.0 0.0.0.255

access-list 1348 permit 10.2.26.0 0.0.0.255

access-list 1349 permit 10.2.27.0 0.0.0.255

access-list 1350 permit 10.2.28.0 0.0.0.255

access-list 1351 permit 10.2.29.0 0.0.0.255

access-list 1352 permit 10.2.30.0 0.0.0.255

access-list 1353 permit 10.2.31.0 0.0.0.255

access-list 1354 permit 10.3.0.0 0.0.0.255

access-list 1355 permit 10.3.1.0 0.0.0.255

access-list 1356 permit 10.3.2.0 0.0.0.255

access-list 1357 permit 10.3.3.0 0.0.0.255

access-list 1358 permit 10.3.4.0 0.0.0.255

access-list 1359 permit 10.3.5.0 0.0.0.255

access-list 1360 permit 10.3.6.0 0.0.0.255

access-list 1361 permit 10.3.7.0 0.0.0.255

access-list 1362 permit 10.3.8.0 0.0.0.255

access-list 1363 permit 10.3.9.0 0.0.0.255

access-list 1364 permit 10.3.10.0 0.0.0.255

access-list 1365 permit 10.3.11.0 0.0.0.255

access-list 1366 permit 10.3.12.0 0.0.0.255

access-list 1367 permit 10.3.13.0 0.0.0.255

access-list 1368 permit 10.3.14.0 0.0.0.255

access-list 1369 permit 10.3.15.0 0.0.0.255

access-list 1370 permit 10.3.16.0 0.0.0.255

access-list 1371 permit 10.3.17.0 0.0.0.255

access-list 1372 permit 10.3.18.0 0.0.0.255

access-list 1373 permit 10.4.0.0 0.0.0.255

access-list 1374 permit 10.4.1.0 0.0.0.255

access-list 1375 permit 10.4.2.0 0.0.0.255

access-list 1376 permit 10.4.3.0 0.0.0.255

access-list 1377 permit 10.4.4.0 0.0.0.255

access-list 1378 permit 10.4.5.0 0.0.0.255

access-list 1379 permit 10.4.6.0 0.0.0.255

access-list 1380 permit 10.4.7.0 0.0.0.255

access-list 1381 permit 10.4.8.0 0.0.0.255

access-list 1382 permit 10.4.9.0 0.0.0.255

access-list 1383 permit 10.4.10.0 0.0.0.255

access-list 1384 permit 10.4.11.0 0.0.0.255

access-list 1385 permit 10.4.12.0 0.0.0.255

access-list 1386 permit 10.4.13.0 0.0.0.255

access-list 1387 permit 10.4.14.0 0.0.0.255

access-list 1388 permit 10.4.15.0 0.0.0.255

access-list 1389 permit 10.4.16.0 0.0.0.255

access-list 1390 permit 10.4.17.0 0.0.0.255

access-list 1391 permit 10.4.18.0 0.0.0.255

access-list 1392 permit 10.4.19.0 0.0.0.255

access-list 1393 permit 10.4.20.0 0.0.0.255

access-list 1394 permit 10.4.21.0 0.0.0.255

access-list 1395 permit 10.4.22.0 0.0.0.255

access-list 1396 permit 10.4.23.0 0.0.0.255

access-list 1397 permit 10.5.0.0 0.0.0.255

access-list 1398 permit 10.5.1.0 0.0.0.255

access-list 1399 permit 10.5.2.0 0.0.0.255

access-list 1400 permit 10.5.3.0 0.0.0.255

access-list 1401 permit 10.5.4.0 0.0.0.255

access-list 1402 permit 10.5.5.0 0.0.0.255

access-list 1403 permit 10.5.6.0 0.0.0.255

access-list 1404 permit 10.5.7.0 0.0.0.255

access-list 1405 permit 10.5.8.0 0.0.0.255

access-list 1406 permit 10.5.9.0 0.0.0.255

access-list 1407 permit 10.5.10.0 0.0.0.255

access-list 1408 permit 10.5.11.0 0.0.0.255

access-list 1409 permit 10.5.12.0 0.0.0.255

access-list 1410 permit 10.5.13.0 0.0.0.255

access-list 1411 permit 10.5.14.0 0.0.0.255

access-list 1412 permit 10.5.15.0 0.0.0.255

access-list 1413 permit 10.5.16.0 0.0.0.255

access-list 1414 permit 10.5.17.0 0.0.0.255

access-list 1415 permit 10.5.18.0 0.0.0.255

access-list 1416 permit 10.5.19.0 0.0.0.255

access-list 1417 permit 10.5.20.0 0.0.0.255

access-list 1418 permit 10.5.21.0 0.0.0.255

access-list 1419 permit 10.5.22.0 0.0.0.255

access-list 1420 permit 10.6.0.0 0.0.0.255

access-list 1421 permit 10.6.1.0 0.0.0.255

access-list 1422 permit 10.6.10.0 0.0.0.255

access-list 1423 permit 10.6.11.0 0.0.0.255

access-list 1424 permit 10.6.12.0 0.0.0.255

access-list 1425 permit 10.6.13.0 0.0.0.255

access-list 1426 permit 10.6.14.0 0.0.0.255

access-list 1427 permit 10.6.15.0 0.0.0.255

access-list 1428 permit 10.6.16.0 0.0.0.255

access-list 1429 permit 10.6.17.0 0.0.0.255

access-list 1430 permit 10.6.2.0 0.0.0.255

access-list 1431 permit 10.6.3.0 0.0.0.255

access-list 1432 permit 10.6.4.0 0.0.0.255

access-list 1433 permit 10.6.5.0 0.0.0.255

access-list 1434 permit 10.6.6.0 0.0.0.255

access-list 1435 permit 10.6.7.0 0.0.0.255

access-list 1436 permit 10.6.8.0 0.0.0.255

access-list 1437 permit 10.6.9.0 0.0.0.255

access-list 102 permit ip 10.2.0.0 0.0.255.255 any

access-list 103 permit ip 10.3.0.0 0.0.255.255 any

access-list 104 permit ip 10.4.0.0 0.0.255.255 any

access-list 105 permit ip 10.5.0.0 0.0.255.255 any

access-list 106 permit ip 10.6.0.0 0.0.255.255 any

access-list 111 permit ip host 192.168.99.160 any

access-list 160 permit ip any 192.168.0.0 0.0.255.255

access-list 161 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

access-list 161 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.255.255

access-list 161 permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.0.255

access-list 161 permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255

access-list 161 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255

access-list 171 permit ip host 192.168.99.146 any

access-list 172 permit ip any host 192.168.99.146

access-list 173 permit ip any host 212.42.38.82

access-list 173 permit ip host 212.42.38.82 any

access-list 2248 permit ip any host 10.2.14.27

no cdp run

 

!

!

!

!

!

route-map link-map permit 10

description LINK personal IP map

match ip address LINK_IP

set ip next-hop 82.62.176.117

!

!

snmp-server community dliamrtg view v1default RO

snmp-server enable traps tty

!

control-plane

!

!

!

mgcp fax t38 ecm

!

!

!

!

gatekeeper

shutdown

!

alias exec whatsnew show archive config differences nvram:startup-config system:running-config

alias exec topsat sh ip flow top 10 aggregate destination-address sorted-by bytes descending match source-interface tun 82

alias exec polic sh policy-map interface gi0/2

alias exec topiland sh ip flow top 10 aggregate source-address sorted-by bytes descending match destination-interface tun 62

alias exec topisat sh ip flow top 10 aggregate source-address sorted-by bytes descending match destination-interface tun 82

alias exec topsat100 sh ip flow top 100 aggregate destination-address sorted-by bytes descending match source-interface tun 82

alias exec topland100 sh ip flow top 100 aggregate destination-address sorted-by bytes descending match source-interface tun 62

alias exec topisat100 sh ip flow top 100 aggregate source-address sorted-by bytes descending match destination-interface tun82

alias exec topland sh ip flow top 10 aggregate destination-address sorted-by bytes descending match source-interface tun 62

alias exec topilink sh ip flow top 10 aggregate source-address sorted-by bytes descending match destination-interface gi0/2.1

alias exec topilink100 sh ip flow top 100 aggregate source-address sorted-by bytes descending match destination-interface gi0/2.1

alias exec toplink100 sh ip flow top 100 aggregate destination-address sorted-by bytes descending match source-interface gi0/2.1

alias exec topilink25 sh ip flow top 25 aggregate source-address sorted-by bytes ^ descending match destination-interface gi0/2.1

alias exec toplink25 sh ip flow top 25 aggregate destination-address sorted-by bytes descending match source-interface gi0/2.1

alias exec toplink sh ip flow top 10 aggregate destination-address sorted-by bytes descending match source-interface gi0/1

!

line con 0

stopbits 1

line aux 0

stopbits 1

line vty 0 4

access-class 99 in

login local

transport input telnet

line vty 5 15

session-timeout 600

access-class 99 in

exec-timeout 600 0

login local

transport input ssh

!

time-range OVO

periodic daily 8:00 to 20:00

!

end

 

 

c7204# sh int

GigabitEthernet0/1 is up, line protocol is up

Hardware is BCM1250 Internal MAC, address is 001c.b13c.7c1b (bia 001c.b13c.7c1b)

Description: --

Internet address is 82.62.176.118/30

MTU 1500 bytes, BW 56000 Kbit/sec, DLY 100 usec,

reliability 255/255, txload 116/255, rxload 247/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full-duplex, 100Mb/s, media type is RJ45

output flow-control is XON, input flow-control is XON

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:00, output 00:00:00, output hang never

Last clearing of "show interface" counters never

Input queue: 3/75/0/373534 (size/max/drops/flushes); Total output drops: 8836

Queueing strategy: weighted fair

Output queue: 0/1000/64/2451 (size/max total/threshold/drops)

Conversations 0/251/256 (active/max active/max total)

Reserved Conversations 0/0 (allocated/max allocated)

Available Bandwidth 42000 kilobits/sec

30 second input rate 54348000 bits/sec, 27725 packets/sec

30 second output rate 25613000 bits/sec, 26329 packets/sec

110977788 packets input, 2269470781 bytes, 0 no buffer

Received 6271 broadcasts, 0 runts, 0 giants, 0 throttles

289 input errors, 0 CRC, 0 frame, 289 overrun, 0 ignored

0 watchdog, 2106 multicast, 0 pause input

0 input packets with dribble condition detected

4157706692 packets output, 3528575350 bytes, 0 underruns

9 output errors, 0 collisions, 5 interface resets

0 unknown protocol drops

0 unknown protocol drops

0 babbles, 0 late collision, 0 deferred

9 lost carrier, 0 no carrier, 0 pause output

0 output buffer failures, 0 output buffers swapped out

 

GigabitEthernet0/1.1 is deleted, line protocol is down

Hardware is BCM1250 Internal MAC, address is 001c.b13c.7c1b (bia 001c.b13c.7c1b)

MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

reliability 255/255, txload 116/255, rxload 247/255

Encapsulation ARPA

ARP type: ARPA, ARP Timeout 04:00:00

Last clearing of "show interface" counters never

 

 

GigabitEthernet0/2 is up, line protocol is up

Hardware is BCM1250 Internal MAC, address is 001c.b13c.7c1a (bia 001c.b13c.7c1a)

Description: LAN

Internet address is 192.168.99.199/24

MTU 1500 bytes, BW 60000 Kbit/sec, DLY 100 usec,

reliability 255/255, txload 179/255, rxload 57/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full-duplex, 100Mb/s, media type is RJ45

output flow-control is XON, input flow-control is XON

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:00, output 00:00:00, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/29394/4807825 (size/max/drops/flushes); Total output drops: 8567

Queueing strategy: weighted fair

Output queue: 0/1000/64/3929 (size/max total/threshold/drops)

Conversations 0/104/256 (active/max active/max total)

Reserved Conversations 0/0 (allocated/max allocated)

Available Bandwidth 45000 kilobits/sec

30 second input rate 13417000 bits/sec, 7075 packets/sec

30 second output rate 42180000 bits/sec, 8467 packets/sec

2268335917 packets input, 2966837109 bytes, 0 no buffer

Received 2588 broadcasts, 0 runts, 0 giants, 0 throttles

1 input errors, 0 CRC, 0 frame, 1 overrun, 0 ignored

0 watchdog, 0 multicast, 0 pause input

0 input packets with dribble condition detected

2514329602 packets output, 3265283656 bytes, 0 underruns

7 output errors, 0 collisions, 5 interface resets

0 unknown protocol drops

0 unknown protocol drops

0 babbles, 0 late collision, 0 deferred

7 lost carrier, 0 no carrier, 0 pause output

0 output buffer failures, 0 output buffers swapped out

 

GigabitEthernet0/2.1 is deleted, line protocol is down

Hardware is BCM1250 Internal MAC, address is 001c.b13c.7c1a (bia 001c.b13c.7c1a)

MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,

reliability 255/255, txload 179/255, rxload 57/255

Encapsulation ARPA

ARP type: ARPA, ARP Timeout 04:00:00

Last clearing of "show interface" counters never

 

GigabitEthernet0/3 is administratively down, line protocol is down

Hardware is BCM1250 Internal MAC, address is 001c.b13c.7c19 (bia 001c.b13c.7c19)

Description: INTERNET-LAND

MTU 1500 bytes, BW 2000 Kbit/sec, DLY 10 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Auto-duplex, Auto Speed, media type is RJ45

output flow-control is unsupported, input flow-control is unsupported

ARP type: ARPA, ARP Timeout 04:00:00

Last input never, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: weighted fair

Output queue: 0/1000/64/0 (size/max total/threshold/drops)

Conversations 0/0/256 (active/max active/max total)

Reserved Conversations 0/0 (allocated/max allocated)

Available Bandwidth 1500 kilobits/sec

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 watchdog, 0 multicast, 0 pause input

0 input packets with dribble condition detected

0 packets output, 0 bytes, 0 underruns

1 output errors, 0 collisions, 0 interface resets

0 unknown protocol drops

0 unknown protocol drops

0 babbles, 0 late collision, 0 deferred

1 lost carrier, 0 no carrier, 0 pause output

0 output buffer failures, 0 output buffers swapped out

 

NVI0 is administratively down, line protocol is down

Hardware is NVI

MTU 1514 bytes, BW 56 Kbit/sec, DLY 5000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation UNKNOWN, loopback not set

Last input never, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 unknown protocol drops

0 unknown protocol drops

0 output buffer failures, 0 output buffers swapped out

 

SSLVPN-VIF0 is up, line protocol is up

Hardware is SSLVPN_VIF

Interface is unnumbered. Using address of SSLVPN-VIF0 (0.0.0.0)

MTU 1406 bytes, BW 56 Kbit/sec, DLY 5000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation UNKNOWN, loopback not set

Last input never, output never, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 unknown protocol drops

0 unknown protocol drops

0 output buffer failures, 0 output buffers swapped out


So the networks 82.62.179.x/y and 82.62.182.0/24 exist on your side only in the NAT pools, while the upstream provider routes them to you with a static route?

If so, you need to add a route for these networks to Null0. Otherwise, when no matching session (translation) is found for a packet, it will bounce between your router and the uplink until its TTL runs out.

You can match such traffic with an access list that matches, on the outbound side, the packets that are supposed to be delivered to you.

Something like:

ip access-list extended TRAP2
permit ip any 82.62.182.0 0.0.0.255
permit ip any any
int Gi0/2
ip access-group TRAP2 out
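A constructed Python model of the bounce described above and of the Null0 fix, added here as an example (it is not from the thread and is not Cisco IOS code): the upstream holds a static route for the NAT pool pointing at the router, the router has only a default route back, and a packet to a pool address with no active translation is counted on the WAN input once per round trip until its TTL expires; with the pool routed to Null0 it is dropped on the first arrival. The pool prefix, the TTL of 64 and the sample addresses are assumed values.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed scenario: the upstream routes the NAT pool 82.62.182.0/24 to this
# router statically; the router itself only knows a default route back to it.
NAT_POOL = ipaddress.ip_network("82.62.182.0/24")


@dataclass
class Router:
    routes: dict                                      # prefix -> "UPSTREAM" | "LAN" | "Null0"
    translations: dict = field(default_factory=dict)  # pool address -> inside host
    wan_in: int = 0                                   # packets seen on the WAN input (Gi0/1)
    dropped: int = 0

    def lookup(self, dst):
        # longest-prefix match, as the IOS routing table does
        best = max((p for p in self.routes if dst in p),
                   key=lambda p: p.prefixlen, default=None)
        return self.routes[best] if best else None

    def receive_from_wan(self, dst):
        self.wan_in += 1
        if dst in self.translations:    # active NAT session: forwarded to the LAN host
            return "LAN"
        nh = self.lookup(dst)
        if nh in (None, "Null0"):       # Null0 route (or no route): discarded here
            self.dropped += 1
            return None
        return nh


def send_from_internet(router, dst, ttl=64):
    """Upstream delivers one packet; bounce it until TTL expires or it stops."""
    dst = ipaddress.ip_address(dst)
    while ttl > 0:
        nh = router.receive_from_wan(dst)
        ttl -= 1                        # router decrements TTL
        if nh != "UPSTREAM":
            break                       # delivered to the LAN or dropped
        ttl -= 1                        # upstream decrements it and sends it back
    return router.wan_in


def loop_demo():
    default = {ipaddress.ip_network("0.0.0.0/0"): "UPSTREAM"}
    leaky = Router(dict(default))                       # no route for the pool
    fixed = Router({**default, NAT_POOL: "Null0"})      # ip route 82.62.182.0 255.255.255.0 Null0
    nat = Router(dict(default), translations={ipaddress.ip_address("82.62.182.5"): "192.168.99.10"})
    return {"leaky_wan_in": send_from_internet(leaky, "82.62.182.5"),
            "null0_wan_in": send_from_internet(fixed, "82.62.182.5"),
            "null0_dropped": fixed.dropped,
            "translated_wan_in": send_from_internet(nat, "82.62.182.5")}
```

With a TTL of 64 the untranslated packet is counted 32 times on the WAN input of the router without the Null0 route, once with it, and once when a translation exists.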

 

So the networks 82.62.179.x/y and 82.62.182.0/24 exist on your side only in the NAT pools, while the upstream provider routes them to you with a static route?

If so, you need to add a route for these networks to Null0. Otherwise, when no matching session (translation) is found for a packet, it will bounce between your router and the uplink until its TTL runs out.

You can match such traffic with an access list that matches, on the outbound side, the packets that are supposed to be delivered to you.

Something like:

ip access-list extended TRAP2
permit ip any 82.62.182.0 0.0.0.255
permit ip any any
int Gi0/2
ip access-group TRAP2 out

and we have a dragon slayer!

 

 


It was already written above:

So the networks 82.62.179.x/y and 82.62.182.0/24 exist on your side only in the NAT pools, while the upstream provider routes them to you with a static route?

If so, you need to add a route for these networks to Null0. Otherwise, when no matching session (translation) is found for a packet, it will bounce between your router and the uplink until its TTL runs out.


Yes, a classic problem.

The best thing to do, first of all, whenever you receive a network of any size, is to route the whole of it to null with a large metric.

Then you never have to worry about it afterwards.
