"2801 and two PPPoE"
Posted by Astore (ok) on 29-Sep-09, 17:14
Hi,
as the saying goes: Danila, need help.
The second PPPoE connection does not route on a Cisco 2801.
The Cisco is the gateway for the network; a PPPoE session to the provider is up on it, and the default route goes through it.
When I bring up a second PPPoE session to the guest resources of the same provider and add the routes, here is what happens:
the second PPPoE session comes up and the internal resources can be pinged from the Cisco, but traceroute does not complete the full trace of the route (and this is the case both with dialer2 up and dialer1 shut down, and with both connections up). From the local network, from a machine that has the Cisco's IP set as its gateway, the provider's internal resources (i.e. everything that goes through dialer 2) do not respond to ping, and the trace only gets as far as the Cisco.

Here is the config


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec

!

!
boot-start-marker
boot-end-marker
!

!
no aaa new-model
ip cef
!
!
!
vpdn enable
!
!
!
voice-card 0
!
!
!
class-map match-any http
match protocol http
class-map match-any ftp
match protocol ftp
class-map match-any ssh
match protocol ssh
class-map match-any gre
match protocol gre
class-map match-any voice
match protocol rtp
match protocol skinny
match protocol h323
match protocol sip
!
!
policy-map qos-mapFa01
class ssh
  priority 164
class class-default
  shape average 1000000
policy-map qos-mapFa00
class ssh
  priority 624
class class-default
  shape average 1000000
!
!
!


!
!
interface Tunnel1

...................
!
interface Tunnel2

................
!
interface Tunnel3
...................
!
interface FastEthernet0/0
ip address 192.168.1.250 255.255.255.0
ip broadcast-address 192.168.1.255
ip access-group 103 in
ip access-group 103 out
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
duplex auto
speed auto
no snmp ifindex persist
service-policy output qos-mapFa00
!
interface FastEthernet0/1
ip address 192.168.250.250 255.255.255.0
ip broadcast-address 192.168.250.255
ip access-group 103 in
ip access-group 103 out
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 3
pppoe-client dial-pool-number 1
no cdp enable
service-policy output qos-mapFa01
!
interface Dialer1
ip address negotiated
ip broadcast-address 1111.1111.1111.1111
ip mtu 1492
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly max-reassemblies 32
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname login
ppp chap password 0 pass
!

!
interface Dialer3
description internal PPPOE TO PROV
ip address 222.333.222.222 255.128.0.0
ip broadcast-address 222.333.255.255
ip nbar protocol-discovery
ip virtual-reassembly
encapsulation ppp
dialer pool 3
dialer-group 3
no cdp enable
ppp authentication chap callin
ppp chap hostname login_guest
ppp chap password 0 pass_guest
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 444.444.444.32 255.255.255.224 Dialer3

!
ip flow-export version 9
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip nat inside source list NetNat interface Dialer1 overload
ip nat inside source list NetNatINT interface Dialer3 overload

!
ip access-list extended NetNat
deny   ip host 111.111.111.111 192.168.1.0 0.0.0.255
deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.250.0 0.0.0.255 any
deny   ip any any
ip access-list extended NetNatINT
deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.250.0 0.0.0.255 any
deny   ip any any

!
...............
access-list 103 permit ip 444.444.444.32 0.0.0.31 any
access-list 103 permit ip any 444.444.444.32 0.0.0.31
access-list 103 permit ip 10.0.0.0 0.127.255.255 any
access-list 103 permit ip any 10.0.0.0 0.127.255.255
................
!

dialer-list 1 protocol ip permit
dialer-list 3 protocol ip permit
priority-list 1 protocol ip high tcp 22
priority-list 1 default low
priority-list 3 protocol ip high tcp 22
priority-list 3 default low
snmp-server community stat RW
snmp-server ifindex persist
no cdp run
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
.................
!
scheduler allocate 20000 1000
end

Here are the ping and trace when both dialers are up


o#ping 444.444.444.61

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 444.444.444.61, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/28 ms
belarus-cisco#trceroute 444.444.444.61

belarus-cisco#traceroute 444.444.444.61

Type escape sequence to abort.
Tracing the route to issa.telecom.by (444.444.444.61)

  1 host1.com (444.444.444.18) 20 msec 16 msec 20 msec
  2 host2.com (444.444.444.13) 20 msec 20 msec 20 msec
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7  *  *  *
  8  *  *  *
  9  *  *  *
10  *  *  *

show ip route


Gateway of last resort is 0.0.0.0 to network 0.0.0.0

    444.444.444.0/24 is variably subnetted, 2 subnets, 2 masks
C       444.444.444.18/32 is directly connected, Dialer1
                          is directly connected, Dialer3
S       444.444.444.32/27 is directly connected, Dialer3
C    192.168.250.0/24 is directly connected, FastEthernet0/1
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       222.333.222.222/32 is directly connected, Dialer3
     111.1111.111.0/32 is subnetted, 1 subnets
C       111.111.111.111 is directly connected, Dialer1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, Dialer1


When dialer1 is down everything is the same, with this difference:
C       444.444.444.18/32 is directly connected, Dialer3
                                      is directly connected, Dialer3 (???? appears when di1 and di3 are enabled together)
S       444.444.444.32/27 is directly connected, Dialer3
The pings and traces are the same; I can't show them because I can't take dialer1 down right now, but I did check.

Any pointers on where to dig?
Towards the firewall? But with dialer2 shut down it lets traffic through to the internal resources,
and with dialer2 up the rule counters show that the packet went out to the provider but nothing came back.

Or towards NAT?
Or is something on the provider's side not getting along with Ciscos, judging by the traces?


#sh ver
Cisco IOS Software, 2801 Software (C2801-ADVIPSERVICESK9-M), Version 12.4(16), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 20-Jun-07 09:14 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

belarus-cisco uptime is 5 days, 23 minutes
System returned to ROM by power-on
System image file is "flash:c2801.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2801 (revision 7.0) with 116736K/14336K bytes of memory.
Processor board ID FCZ114511D2
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x7922



sh log
Syslog logging: enabled (11 messages dropped, 1 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 243 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level warnings, 61 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled

No active filter modules.

    Trap logging: level informational, 223 message lines logged

Log Buffer (51200 bytes):

*Sep 24 12:12:36.103: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
*Sep 24 12:12:42.043: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 24 12:12:42.043: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Sep 24 13:15:34.871: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 24 13:16:31.771: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 24 13:16:37.543: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 24 13:20:50.055: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 24 13:20:59.103: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 24 13:21:12.303: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 24 13:33:37.031: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 24 13:35:17.747: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 24 13:35:20.195: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 24 13:37:42.587: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 24 13:47:28.975: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 24 13:47:31.143: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 24 14:29:08.307: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 24 14:29:19.711: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 24 14:29:30.431: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 24 15:08:59.379: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 25 07:23:30.127: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 25 07:23:33.755: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 25 09:22:14.522: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 25 09:32:21.142: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 25 09:32:23.246: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 25 09:33:18.058: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 25 09:36:21.730: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 25 09:36:22.134: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 25 10:03:09.634: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 25 10:44:10.050: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 25 10:44:11.818: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 25 11:04:06.362: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 25 11:38:22.138: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 25 11:38:32.302: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 25 12:03:49.858: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 25 14:32:56.553: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 25 14:33:11.901: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 25 14:44:31.021: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 25 14:44:41.561: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 25 14:44:53.521: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 25 14:48:17.205: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 25 14:48:24.053: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 25 14:48:39.313: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 28 15:19:49.759: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Sep 28 15:20:13.167: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 28 15:20:19.839: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 28 15:20:35.263: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Sep 28 15:22:04.727: %LINK-3-UPDOWN: Interface Dialer1, changed state to up
*Sep 28 15:22:13.355: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 28 15:27:00.191: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Sep 28 15:27:08.391: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 28 15:27:22.371: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Sep 28 15:27:29.287: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 28 15:30:22.503: %LINK-3-UPDOWN: Interface Dialer1, changed state to up
*Sep 28 15:30:33.211: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 28 15:37:14.567: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Sep 28 15:37:23.643: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 28 15:37:36.659: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Sep 28 15:48:01.019: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up




1. "2801 and two PPPoE"
Posted by blank (ok) on 30-Sep-09, 12:57
>[overquoting removed]
> ip broadcast-address 222.333.255.255
> ip nbar protocol-discovery
> ip virtual-reassembly
> encapsulation ppp
> dialer pool 3
> dialer-group 3
> no cdp enable
> ppp authentication chap callin
> ppp chap hostname login_guest
> ppp chap password 0 pass_guest

interface Dialer3
ip nat outside
?


2. "2801 and two PPPoE"
Posted by Astore (ok) on 30-Sep-09, 13:34
>[overquoting removed]
>> dialer pool 3
>> dialer-group 3
>> no cdp enable
>> ppp authentication chap callin
>> ppp chap hostname login_guest
>> ppp chap password 0 pass_guest
>
>interface Dialer3
> ip nat outside
>?

Yes, I added it, and also
no ip mroute-cache
ip mtu 1492

Same effect.

di3 looks like this now
interface Dialer3
ip address negotiated
ip broadcast-address 222.333.255.255
ip mtu 1492
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 3
dialer-group 3
no cdp enable
ppp authentication chap callin
ppp chap hostname guest
ppp chap password 0 pass


3. "2801 and two PPPoE"
Posted by blank (ok) on 30-Sep-09, 14:39
This is what bothers me:
ip access-list extended NetNat
deny   ip host 111.111.111.111 192.168.1.0 0.0.0.255
deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.250.0 0.0.0.255 any
deny   ip any any
ip access-list extended NetNatINT
deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.250.0 0.0.0.255 any
deny   ip any any
How is the Cisco supposed to know where to NAT if your ACLs are identical?
In the access list for the Internet you deny the addresses going to the local resources; in the access list for the local resources, correspondingly, the other way round.


4. "2801 and two PPPoE"
Posted by Astore (ok) on 30-Sep-09, 15:03
>[overquoting removed]
> permit ip 192.168.250.0 0.0.0.255 any
> deny   ip any any
>ip access-list extended NetNatINT
> deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
> permit ip 192.168.1.0 0.0.0.255 any
> permit ip 192.168.250.0 0.0.0.255 any
> deny   ip any any
>How is the Cisco supposed to know where to NAT if your ACLs are identical?
>In the access list for the Internet you deny the addresses going to the local resources; in the access list for the local
>resources, correspondingly, the other way round.

Yes, you were right, everything works now!
Here are the access lists for future generations!

belarus-cisco#show ip access-lists NetNatINT

Extended IP access list NetNatINT
    6 permit ip any 444.444.444.32 0.0.0.31
    8 permit ip any 222.333.222.222 0.127.255.255
    10 deny ip host 111.111.111.111 192.168.1.0 0.0.0.255
    20 deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
    30 permit ip 192.168.1.0 0.0.0.255 any
    40 permit ip 192.168.250.0 0.0.0.255 any
    50 deny ip any any (44522 matches)

belarus-cisco#show ip access-lists NetNat
Extended IP access list NetNat
    6 deny ip any 444.444.444.32 0.0.0.31
    8 deny ip any 222.333.222.222 0.127.255.255
    10 deny ip host 111.111.111.111 192.168.1.0 0.0.0.255
    20 deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
    30 permit ip 192.168.1.0 0.0.0.255 any (104226 matches)
    40 permit ip 192.168.250.0 0.0.0.255 any (331570 matches)
    50 deny ip any any (57704 matches)

A huge, heartfelt THANK YOU!!!!

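The point raised in reply 3 and confirmed in reply 4, as an added example that is not part of the original thread: a small model that evaluates the two NAT access lists against sample flows and reports flows that would be translated to the address of an interface they do not leave through. Assumptions: 198.51.100.32/27 is a constructed stand-in for the masked guest block, the flows are constructed, entry 10 (a masked host address) is left out, and the rule that the first NAT statement whose ACL permits the flow is used is a simplification of the router's behaviour; all function names are hypothetical.

```python
import ipaddress

def ip(a):
    return int(ipaddress.IPv4Address(a))

def ace(action, src, src_wc, dst, dst_wc):
    """One extended-ACL entry: action plus address/wildcard pairs as integers."""
    return (action, ip(src), ip(src_wc), ip(dst), ip(dst_wc))

ANY = ("0.0.0.0", "255.255.255.255")
LAN1 = ("192.168.1.0", "0.0.0.255")
LAN2 = ("192.168.250.0", "0.0.0.255")
GUEST = ("198.51.100.32", "0.0.0.31")  # constructed stand-in for the masked guest block

def wc_match(addr, base, wildcard):
    # Wildcard bits set to 1 are ignored; every other bit must be equal.
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def acl_permits(acl, src, dst):
    """First-match evaluation; falling off the end is the implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wc_match(ip(src), sb, sw) and wc_match(ip(dst), db, dw):
            return action == "permit"
    return False

def egress(dst):
    """Routing as in the post: guest block via Dialer3, default via Dialer1."""
    return "Dialer3" if wc_match(ip(dst), ip(GUEST[0]), ip(GUEST[1])) else "Dialer1"

def nat_interface(rules, src, dst):
    """Assumed model: the first NAT rule whose ACL permits the flow is used."""
    for acl, iface in rules:
        if acl_permits(acl, src, dst):
            return iface
    return None

def mismatches(rules, flows):
    """Flows translated to the address of an interface they do not leave through."""
    return [f for f in flows if nat_interface(rules, *f) != egress(f[1])]

# Entries 20-40 of the lists shown in the thread, shared by both ACLs.
common = [ace("deny", *LAN1, *LAN1), ace("permit", *LAN1, *ANY),
          ace("permit", *LAN2, *ANY)]
original = [(common, "Dialer1"), (common, "Dialer3")]          # identical ACLs
fixed = [([ace("deny", *ANY, *GUEST)] + common, "Dialer1"),    # NetNat
         ([ace("permit", *ANY, *GUEST)] + common, "Dialer3")]  # NetNatINT

FLOWS = [("192.168.1.10", "198.51.100.61"),   # constructed: LAN host -> guest block
         ("192.168.1.10", "203.0.113.80"),    # constructed: LAN host -> Internet
         ("192.168.250.7", "198.51.100.40")]  # constructed: second LAN -> guest block

if __name__ == "__main__":
    for name, rules in (("original", original), ("fixed", fixed)):
        print(name, "mismatched flows:", mismatches(rules, FLOWS))
```

In this model the identical lists send both guest-bound flows out of Dialer3 carrying Dialer1's translated address, which is consistent with the rule counters in the first post showing packets leaving and nothing coming back.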
