URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 17305

Original message
"Cisco + Nat + Netflow"

Posted by CarTer, 04-Oct-08 18:46
Good day.
Please help me collect netflow from the interface on which pptp is terminated.
On the Virtual-Template I configured the following:
ip flow ingress
ip flow egress
ip route-cache flow
and on the interface facing the outside world:
ip route-cache flow

With this, information arrives only about incoming packets; there is nothing about outgoing packets.

Here is part of the Cisco (7200) config:
boot system flash bootflash:c7200p-advipservicesk9-mz.124-4.XD10.bin

vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1

interface GigabitEthernet0/1
ip address 84.53.173.90 255.255.255.248
ip access-group anti-spoofing in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
duplex auto
speed auto
media-type rj45
negotiation auto
no cdp enable
no mop enabled

interface GigabitEthernet0/2
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
duplex auto
speed auto
media-type rj45
negotiation auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/2.1
description Radius
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip access-group base-firewall in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
no snmp trap link-status
no cdp enable
!
interface GigabitEthernet0/2.2
description pptp server
encapsulation dot1Q 3
ip address 192.168.1.1 255.255.255.0
ip access-group base-firewall in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
no snmp trap link-status
pppoe enable group global
no cdp enable

interface Virtual-Template1
ip unnumbered GigabitEthernet0/2.2
ip access-group base-firewall in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
ip route-cache policy
ip route-cache flow
autodetect encapsulation ppp
ppp encrypt mppe auto
ppp authentication ms-chap-v2
!
ip classless
ip route 0.0.0.0 0.0.0.0 84.53.203.217
no ip http server
no ip http secure-server
!
ip flow-export source GigabitEthernet0/2.1
ip flow-export version 5
ip flow-export destination 192.168.2.2 9996
!
ip nat inside source list NAT_LAN_Staff interface GigabitEthernet0/1 overload
!
ip access-list extended NAT_LAN_Staff
permit ip 10.115.200.0 0.0.0.255 any
permit ip 10.200.0.0 0.0.255.255 any
deny ip any any
ip access-list extended anti-spoofing
deny ip 192.168.0.0 0.0.255.255 any
deny ip 0.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 240.0.0.0 7.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
permit ip host 172.18.20.39 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny udp any any eq 445
deny udp any any eq 4444
deny tcp any any eq 135
deny tcp any any eq 445
deny tcp any any eq 4444
deny tcp any any eq 139
deny udp any any eq 135
deny udp any any eq netbios-ss
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
permit ip any any
ip access-list extended base-firewall
deny udp any any eq 445
deny udp any any eq 4444
deny tcp any any eq 135
deny tcp any any eq 445
deny tcp any any eq 4444
deny tcp any any eq 139
deny udp any any eq 135
deny udp any any eq netbios-ss
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
permit ip any any
!
ip radius source-interface GigabitEthernet0/2.1
logging alarm informational
access-list 99 permit 10.115.200.0 0.0.0.255
access-list 99 deny any
access-list 2020 permit icmp any any echo-reply
no cdp run
!
radius-server configure-nas
radius-server host 192.168.2.2 auth-port 1812 acct-port 1813
radius-server timeout 30
radius-server key 7 15000A080D3F38


#show ip cache flow
Gi0/1         212.34.121.157  Local         84.53.203.218   06 0697 6A8B     3
Gi0/1         212.34.99.41    Local         84.53.203.218   06 0E2A 6A8B     3
Gi0/1         66.102.9.147    Null          10.200.0.1      06 0050 0697     9
Gi0/1         212.34.116.179  Local         84.53.203.218   06 0EBD 6A8B     3
Gi0/1         212.34.119.165  Local         84.53.203.218   06 0AA7 6A8B     3


Messages in this discussion
"Cisco + Nat + Netflow"
Posted by green79, 05-Oct-08 15:19
>Good day.
>Please help me collect netflow from the interface on which pptp is terminated.
>On the Virtual-Template I configured the following:
> ip flow ingress
> ip flow egress
> ip route-cache flow
>and on the interface facing the outside world:
> ip route-cache flow

^^^^^^^^^^^^^^^^^^^^^^ And that one is unnecessary... When ip flow ingress/egress is used, ip route-cache flow should not be there at all...

Usage Guidelines

If you configure the ip flow ingress command on a few selected subinterfaces and then configure the ip route-cache flow command on the main interface, enabling the main interface will overwrite the ip flow ingress command and data collection will start from the main interface as well as all the subinterfaces. In a scenario where you configure the ip flow ingress command and then configure the ip route-cache flow command on the main interface, you can restore subinterface data collection by using the no ip route-cache flow command. This configuration will disable data collection from the main interface and restore data collection to the subinterfaces you originally configured with the ip flow ingress command.

That is what cisco.com actually says.
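A corrected version of the two interfaces discussed above, as an added example and not something posted in this thread. It keeps the poster's interface names and export settings and assumes the rest of the config stays unchanged; the `ip route-cache flow` lines are removed in favour of `ip flow ingress`/`ip flow egress`, and the verification commands at the end show which interfaces actually have NetFlow enabled and in which direction.

```cisco
! Added example (not from the thread): NetFlow on the PPTP termination
! interface only, with ip route-cache flow removed everywhere.
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/2.2
 ip nat inside
 no ip route-cache flow
 ip flow ingress
 ip flow egress
!
! Assumption: each flow should be accounted once, so the outside interface
! gets no ip flow statement. Enabling ingress collection on Gi0/1 as well
! would record the same packets a second time (once on Gi0/1 ingress, once
! on the Virtual-Access egress), with pre-NAT and post-NAT addresses.
interface GigabitEthernet0/1
 ip nat outside
 no ip route-cache flow
!
! Export settings unchanged from the original post.
ip flow-export source GigabitEthernet0/2.1
ip flow-export version 5
ip flow-export destination 192.168.2.2 9996
!
! Verification (exec mode):
!   show ip flow interface   - lists interfaces with NetFlow and the direction
!   show ip cache flow       - sessions cloned from Virtual-Template1 appear
!                              as Virtual-Access (Vi) interfaces; with egress
!                              enabled they show up in DstIf, not only SrcIf
```

Virtual-Access interfaces inherit the template at session setup, so existing PPTP sessions need to be re-established before the change takes effect on them.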