newbiegb Posted December 9, 2010 (edited)

We put a Cisco 7301 in as a PPPoE terminator and were a little disappointed by its less than stellar performance. Specifically: with 30 in / 25 out of traffic on one interface and the reverse on the other, 7 kpps on one and 7 on the other, we see 95-99% CPU load. There are about 100 sessions at that point. Packet loss then starts on the interfaces, and accordingly the users whine. It runs the whole access-server set: pppoe, netflow, dynamic acl, nat, ripv2. As I understand it, NAT needs to be moved to a separate PC? Will that help the overall picture? The Cisco config:

```
version 12.4
service timestamps debug datetime msec
service timestamps log datetime localtime
no service password-encryption
!
hostname vpn-15
!
boot-start-marker
boot-end-marker
!
logging console emergencies
enable password pass
!
aaa new-model
!
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting network default start-stop group radius
!
aaa session-id common
clock timezone MSK 3
no ip rcmd domain-lookup
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-host netup 10.0.7.100 root enable
ip rcmd remote-host netup 10.0.7.100 netup enable
ip rcmd remote-host backup 10.0.7.7 root enable
ip flow-cache timeout inactive 10
ip flow-cache timeout active 1
!
ip cef
ip ftp username backup
ip ftp password pass
ip domain name blablabla
ip name-server 10.0.7.1
!
key chain ripkey
 key 1
  key-string ripkey
!
username root privilege 15 password 0 pass
username netup privilege 8 password 0 pass
!
bba-group pppoe PPPoE
 virtual-template 1
 sessions per-mac limit 1
 sessions per-vlan limit 1000
 sessions auto cleanup
!
interface Loopback0
 description PPPoE users
 ip address 192.168.101.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0
 ip address 10.0.7.15 255.255.255.0
 ip rip send version 2
 ip rip receive version 2
 ip rip authentication mode md5
 ip rip authentication key-chain ripkey
 duplex auto
 speed 1000
 media-type rj45
 no negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 no ip redirects
 no ip proxy-arp
 ip virtual-reassembly
 pppoe enable group PPPoE
 no cdp enable
!
interface GigabitEthernet0/1
 ip address *.*.*.* 255.255.255.192
 ip rip send version 2
 ip rip receive version 2
 ip rip authentication mode md5
 ip rip authentication key-chain ripkey
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed 1000
 media-type rj45
 no negotiation auto
 no cdp enable
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback0
 ip access-group 105 in
 ip access-group 106 out
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 no peer default ip address
 ppp authentication ms-chap-v2 chap
!
router rip
 version 2
 redistribute connected
 network 10.0.0.0
 network *.*.0.0
 neighbor *.*.*.*
 distribute-list 10 out GigabitEthernet0/1
 distribute-list 1301 in
 no auto-summary
!
ip default-gateway *.*.*.*
ip route 0.0.0.0 0.0.0.0 *.*.*.*
ip route *.*.*.0 255.255.255.0 Null0 254
ip route *.*.*.0 255.255.255.0 Null0 254
ip route *.*.*.0 255.255.255.0 Null0 254
ip route *.*.*.0 255.255.255.0 Null0 254
ip flow-export version 5
ip flow-export destination 10.0.7.100 9996
!
no ip http server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
ip access-list standard TELNET
 permit 10.0.7.7
 permit 10.0.7.1
 permit 10.11.1.83
 permit 10.22.6.66
 permit 10.0.7.100
ip radius source-interface GigabitEthernet0/0
access-list 1 permit 192.168.96.0 0.0.31.255
access-list 10 permit any
access-list 1301 permit 10.0.0.0 0.255.255.255
access-list 1301 permit *.*.*.* 0.0.3.255
access-list 1301 deny any
access-list 105 dynamic test1 permit ip any any
access-list 106 dynamic test2 permit ip any any
access-list 135 deny ip 10.0.0.0 0.255.255.255 any
access-list 135 deny ip any 10.0.0.0 0.255.255.255
access-list 135 deny ip 172.16.0.0 0.15.255.255 any
access-list 135 deny ip any 172.16.0.0 0.15.255.255
access-list 135 permit ip any any
snmp-server community community RO
snmp-server location ciscovpn
snmp-server contact admin@blablabla.ru
snmp-server host 10.0.7.7 community
!
radius-server attribute 44 include-in-access-req
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute nas-port format e UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
radius-server attribute 31 mac format ietf
radius-server configure-nas
radius-server host 10.0.7.100 auth-port 1812 acct-port 1813 key rfwpassword
radius-server retransmit 0
radius-server timeout 15
radius-server key rfwpassword
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
gatekeeper
 shutdown
!
privilege exec level 8 access-template
privilege exec level 8 clear access-template
privilege exec level 8 clear
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class TELNET in
 exec-timeout 5 0
 password blablabla
line vty 5 15
 access-class TELNET in
 exec-timeout 5 0
 password blablabla
!
ntp clock-period 17179745
ntp server 10.0.7.1
!
end
```

Edited December 9, 2010 by newbiegb
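Whichever box ends up doing NAT will inherit the management exposure already visible in the config above, so it is worth auditing that config before deciding where the load goes. The following is an added example (editor's code, not from the thread or the poster's device): a small Python checker that splits an IOS running-config into stanzas and flags the points that stand out in the posted config, namely `no service password-encryption` leaving line and user passwords in clear text, `enable password` used without `enable secret`, rsh/rcp enabled with `ip rcmd remote-host` trust that grants enable-level access, an SNMP community with no access list, and vty lines not restricted to SSH. `SAMPLE_CONFIG` is a constructed, trimmed copy of the posted config; `HARDENED_CONFIG` is a constructed counterpart whose secret hashes are placeholders, not real values.

```python
"""Hygiene checks over a Cisco IOS running-config (added example, not the poster's code)."""
import re

# Constructed sample: a trimmed copy of the config posted above (same secrets as on the page).
SAMPLE_CONFIG = """\
version 12.4
no service password-encryption
!
hostname vpn-15
!
enable password pass
!
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-host netup 10.0.7.100 root enable
ip ftp username backup
ip ftp password pass
!
username root privilege 15 password 0 pass
username netup privilege 8 password 0 pass
!
interface GigabitEthernet0/1
 ip nat outside
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
snmp-server community community RO
radius-server host 10.0.7.100 auth-port 1812 acct-port 1813 key rfwpassword
!
line vty 0 4
 access-class TELNET in
 exec-timeout 5 0
 password blablabla
line vty 5 15
 access-class TELNET in
 exec-timeout 5 0
 password blablabla
!
end
"""

# Constructed hardened counterpart; the "$1$PLACEHOLDER..." hashes are placeholders, not real secrets.
HARDENED_CONFIG = """\
version 12.4
service password-encryption
!
hostname vpn-15
!
enable secret 5 $1$PLACEHOLDER$notarealhash
!
no ip rcmd rsh-enable
username root privilege 15 secret 5 $1$PLACEHOLDER$notarealhash
!
snmp-server community community RO 20
!
line vty 0 4
 access-class TELNET in
 exec-timeout 5 0
 transport input ssh
 login local
!
end
"""

USERNAME_CLEARTEXT = re.compile(r"username \S+ .*password 0 ")
SNMP_NO_ACL = re.compile(r"snmp-server community \S+ (RO|RW)$")


def parse_stanzas(text):
    """Split an IOS config into (header, [indented body lines]) stanzas.
    A line with no leading space starts a new stanza; '!' separators and blanks are dropped."""
    stanzas = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            stanzas.append((raw.strip(), []))
        elif stanzas:
            stanzas[-1][1].append(raw.strip())
    return stanzas


def check_config(text):
    """Return a list of (severity, finding) tuples in config order."""
    findings = []
    stanzas = parse_stanzas(text)
    headers = [h for h, _ in stanzas]

    if "no service password-encryption" in headers:
        findings.append(("high", "service password-encryption is off: line and user passwords are stored in clear text"))
    if any(h.startswith("enable password ") for h in headers) and not any(h.startswith("enable secret ") for h in headers):
        findings.append(("high", "enable password used without enable secret"))

    for h in headers:
        if USERNAME_CLEARTEXT.match(h):
            findings.append(("high", "clear-text local password: " + h.split(" password ")[0]))
        elif h.startswith("ip rcmd rsh-enable") or h.startswith("ip rcmd rcp-enable"):
            findings.append(("high", "legacy unauthenticated remote exec/copy enabled: " + h))
        elif h.startswith("ip rcmd remote-host") and h.endswith(" enable"):
            findings.append(("high", "rcmd trust grants enable-level access: " + h))
        elif h.startswith("ip ftp password "):
            findings.append(("medium", "FTP password stored in running-config"))
        elif SNMP_NO_ACL.match(h):
            findings.append(("medium", "SNMP community without an access-list: " + h))
        elif h.startswith("radius-server host") and " key " in h:
            findings.append(("medium", "RADIUS shared secret inline in running-config"))

    # vty stanzas: require an access-class and an SSH-only transport.
    for h, body in stanzas:
        if h.startswith("line vty"):
            if not any(b.startswith("transport input ssh") for b in body):
                findings.append(("medium", h + ": transport not restricted to ssh"))
            if not any(b.startswith("access-class ") for b in body):
                findings.append(("medium", h + ": no access-class"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 7, 'medium': 5}."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, msg in check_config(SAMPLE_CONFIG):
        print(f"[{severity}] {msg}")
    print(summarize(check_config(SAMPLE_CONFIG)))
    print("hardened:", check_config(HARDENED_CONFIG))
```

Run against the posted config the checker reports seven high and five medium findings; against the hardened counterpart it reports none. The checks are deliberately string-level and conservative (a vty stanza is only considered SSH-restricted when `transport input ssh` is present), so a quiet run is a starting point for a review, not a clean bill of health.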
pliskinsad Posted December 9, 2010

ip nat inside source list 1 interface GigabitEthernet0/1 overload

It NATs like shit... Move it out.