System Administrators' Forum
IT => Networks => Topic started by: Cool_andy on 10 January 2020, 12:58:46
-
Good day! Apologies if this topic already exists.
The problem is this:
The Internet connection drops. A shutdown / no shutdown restores it. Meanwhile the local network keeps working fine. The port state at the moment it "drops off" is up/up.
Right now I've switched over to the backup Cisco, exactly the same model with the same config, BUT with updated firmware. Testing.
Here is the config. I'll say up front that the equipment was inherited, so don't be too harsh :D I've redone the addressing, so there may be inconsistencies.
!
interface Tunnel0
ip address X.X.X.X 255.255.255.252
tunnel source GigabitEthernet0/2
tunnel destination X.X.X.X
!
interface Tunnel4
description tunnel to office
ip address X.X.X.X 255.255.255.252
tunnel source GigabitEthernet0/2
tunnel protection ipsec profile DC-P3
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.X.X 255.255.254.0
ip access-group gi0/0_in in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
description vlan2 10g
encapsulation dot1Q 2
ip address 172.16.X.X 255.255.255.0
ip access-group vlan in
ip helper-address 192.168.X.X
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.2
description vlan3 blockhosts
encapsulation dot1Q 3
ip address 192.168.X.X 255.255.255.0
ip access-group blockhost192 in
ip helper-address 192.168.X.X
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
description DMZ
ip address 192.168.X.X 255.255.255.0
ip access-group DMZ in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 91.188.X.X 255.255.255.240 secondary
ip address 91.188.X.X 255.255.255.240
ip nat outside
ip inspect INSPECT in
ip virtual-reassembly in
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/2
tunnel mode ipsec ipv4
tunnel protection ipsec profile AES256
!
interface Virtual-Template10
ip unnumbered GigabitEthernet0/2
!
!
router eigrp 1
network X.X.X.X 0.0.0.3
network 192.168.X.X 0.0.1.255
!
ip local pool VP X.X.X.X 10.20.10.254
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
Also, I don't quite understand why static NAT was configured when there is already PAT
ip nat inside source list LAN interface GigabitEthernet0/2 overload
ip nat inside source static 192.168.X.X 91.188.X.X extendable
ip nat inside source static tcp 192.168.X.X 15555 91.188.X.X 15555 extendable
ip nat inside source static tcp 192.168.X.X 15556 91.188.X.X 15556 extendable
ip nat inside source static udp 192.168.X.X 18479 91.188.X.X 18479 extendable
ip nat inside source static tcp 192.168.X.X 30000 91.188.X.X 30000 extendable
ip nat inside source static tcp 192.168.X.X 30001 91.188.X.X 30001 extendable
ip nat inside source static tcp 192.168.X.X 30002 91.188.X.X 30002 extendable
ip nat inside source static tcp 192.168.X.X 30003 91.188.X.X 30003 extendable
ip nat inside source static tcp 192.168.X.X 30004 91.188.X.X 30004 extendable
ip nat inside source static tcp 192.168.X.X 30005 91.188.X.X 30005 extendable
ip nat inside source static tcp 192.168.X.X 30006 91.188.X.X 30006 extendable
************ and so on
ip route 0.0.0.0 0.0.0.0 91.188.X.X
ip route 172.25.X.X 255.255.255.0 Tunnel4
ip route 192.168.X.X 255.255.255.0 Tunnel4
There are moments when the CPU gets loaded, sometimes in spikes, sometimes for some extended period. But, I repeat, inside the network everything is fine, no slowdowns.
I'd be grateful for any help.
-
I made a mistake in the post. The Cisco's CPU is heavily loaded. Over the course of the day I haven't seen it below 50%, and it also hammers away at close to 100%. What the cause is, no idea....
-
show processes cpu
-
cod-gw#sh proc cpu
CPU utilization for five seconds: 99%/22%; one minute: 98%; five minutes: 97%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1        1132        1707        663  0.00%  0.00%  0.00%   0 Chunk Manager
   2      143892      362432        397  0.00%  0.00%  0.00%   0 Load Meter
   3        2284         151      15125  6.65%  0.53%  0.11% 388 SSH Process
   4           0           1          0  0.00%  0.00%  0.00%   0 EDDRI_MAIN
   5           0           1          0  0.00%  0.00%  0.00%   0 RO Notify Timers
   6     3490616      324784      10747  0.00%  0.12%  0.11%   0 Check heaps
   7        5148       31835        161  0.00%  0.00%  0.00%   0 Pool Manager
   8           0           1          0  0.00%  0.00%  0.00%   0 DiscardQ Backgro
   9           0           2          0  0.00%  0.00%  0.00%   0 Timers
  10          76        1862         40  0.00%  0.00%  0.00%   0 WATCH_AFS
  11           0           1          0  0.00%  0.00%  0.00%   0 License Client N
  12           0           1          0  0.00%  0.00%  0.00%   0 Image License br
  13     2977956       30149      98774  0.00%  0.07%  0.09%   0 Licensing Auto U
  14           4          12        333  0.00%  0.00%  0.00%   0 RF Slave Main Th
  15           0           1          0  0.00%  0.00%  0.00%   0 RMI RM Notify Wa
  16     1856052     1788967       1037  0.64%  0.11%  0.06%   0 Environmental mo
  17        1604      361133          4  0.00%  0.00%  0.00%   0 IPC Event Notifi
  18         408       30149         13  0.00%  0.00%  0.00%   0 IPC Dynamic Cach
  19           0           1          0  0.00%  0.00%  0.00%   0 IPC Session Serv
  20           0           1          0  0.00%  0.00%  0.00%   0 IPC Zone Manager
  21        9152     1750396          5  0.00%  0.00%  0.00%   0 IPC Periodic Tim
  22        8640     1750398          4  0.00%  0.00%  0.00%   0 IPC Deferred Por
  23           0           1          0  0.00%  0.00%  0.00%   0 IPC Process leve
  24           0           1          0  0.00%  0.00%  0.00%   0 IPC Seat Manager
  25         404      103484          3  0.00%  0.00%  0.00%   0 IPC Check Queue
  26           0           1          0  0.00%  0.00%  0.00%   0 IPC Seat RX Cont
  27           0           1          0  0.00%  0.00%  0.00%   0 IPC Seat TX Cont
  28        1628      181220          8  0.00%  0.00%  0.00%   0 IPC Keep Alive M
 --More--
-
Reply from 8.8.8.8: bytes=32 time=41ms TTL=45
Reply from 8.8.8.8: bytes=32 time=22ms TTL=45
Reply from 8.8.8.8: bytes=32 time=27ms TTL=45
Reply from 8.8.8.8: bytes=32 time=24ms TTL=45
Reply from 8.8.8.8: bytes=32 time=29ms TTL=45
Reply from 8.8.8.8: bytes=32 time=151ms TTL=45
Reply from 8.8.8.8: bytes=32 time=47ms TTL=45
The pings are just brutal, both to the outside and inside the network. There is NAT on the box.
-
sh proc cpu sorted 5min
-
> sh proc cpu sorted 5min

cod-gw#sh proc cpu sorted 5min
CPU utilization for five seconds: 99%/22%; one minute: 93%; five minutes: 95%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
 174     8965952    15024774        596 75.29% 69.11% 68.51%   0 IP Input
 281     6325856     3502039       1806  0.00%  5.39%  5.40%   0 Inspect process
 429     3610960     3718452        971  0.00%  0.82%  1.18%   0 SSLVPN_PROCESS
  60       26120      187793        139  0.00%  0.47%  0.25%   0 Net Background
 418      495120   211798780          2  0.31%  0.20%  0.20%   0 NBAR timer tick
   6     3493576      325093      10746  0.00%  0.19%  0.12%   0 Check heaps
  13     2980280       30179      98753  0.00%  0.15%  0.11%   0 Licensing Auto U
 428     2595840      963894       2693  0.00%  0.06%  0.10%   0 DNS Server Input
 427     2374492     2905981        817  0.00%  0.06%  0.08%   0 DNS Server
 422      254496    54564447          4  0.15%  0.07%  0.07%   0 PPP manager
 170      151916    53862895          2  0.07%  0.06%  0.07%   0 IPAM Manager
 130      194972    27310536          7  0.07%  0.05%  0.07%   0 VRRS Main thread
  35     1029908     6114410        168  0.00%  0.05%  0.06%   0 ARP Input
  16     1857724     1790677       1037  0.55%  0.10%  0.06%   0 Environmental mo
 423      158788    54564446          2  0.07%  0.03%  0.05%   0 PPP Events
 436       93520      651300        143  0.00%  0.06%  0.03%   0 EIGRP-IPv4
  93      257064     1819619        141  0.07%  0.04%  0.02%   0 Per-Second Jobs
 125      265108     3587408         73  0.07%  0.02%  0.01%   0 BPSM stat Proces
  33        6668        2633       2532  0.07%  0.05%  0.01% 389 SSH Process
 396      189396     3496493         54  0.00%  0.02%  0.01%   0 IP NAT Ager
  21        9172     1752090          5  0.07%  0.00%  0.00%   0 IPC Periodic Tim
 244       49964      336584        148  0.07%  0.01%  0.00%   0 TCP Protocols
 398      639564     1114134        574  0.07%  0.01%  0.00%   0 Syslog
  90      157352     7070698         22  0.07%  0.00%  0.00%   0 Net Input
  63      141440     1790675         78  0.07%  0.02%  0.00%   0 TTY Background
 217      201740     1780488        113  0.07%  0.01%  0.00%   0 ADJ background
 437      129696     1814901         71  0.00%  0.01%  0.00%   0 EIGRP-IPv4 Hello
  28        1628      181401          8  0.00%  0.00%  0.00%   0 IPC Keep Alive M
 --More--
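Added example (editor's code, not from any poster in the thread): a small Python parser for the `show processes cpu sorted` output above. The IOS header reads total%/interrupt-level%; the remainder is process-level CPU, which is where IP Input (packets punted out of the fast path) shows up, so 99%/22% with IP Input near 69% over five minutes points at process switching rather than sheer traffic volume. The sample rows are copied from the post; the thresholds in `diagnose()` are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: header and a handful of rows copied from the
# `show processes cpu sorted 5min` paste quoted in the thread.
SAMPLE = """\
cod-gw#sh proc cpu sorted 5min
CPU utilization for five seconds: 99%/22%; one minute: 93%; five minutes: 95%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
 174     8965952    15024774        596 75.29% 69.11% 68.51%   0 IP Input
 281     6325856     3502039       1806  0.00%  5.39%  5.40%   0 Inspect process
 429     3610960     3718452        971  0.00%  0.82%  1.18%   0 SSLVPN_PROCESS
  60       26120      187793        139  0.00%  0.47%  0.25%   0 Net Background
 418      495120   211798780          2  0.31%  0.20%  0.20%   0 NBAR timer tick
  33        6668        2633       2532  0.07%  0.05%  0.01% 389 SSH Process
"""

# "five seconds: 99%/22%" is total%/interrupt%; total minus interrupt is the
# process-level share, i.e. what scheduled processes such as IP Input burned.
HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)
# PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\S+)\s+(.+?)\s*$"
)


@dataclass
class CpuSummary:
    total_5s: int
    interrupt_5s: int
    one_min: int
    five_min: int
    top: list = field(default_factory=list)  # [(process, 5min %)], descending

    @property
    def process_5s(self) -> int:
        """Process-level share of the last five seconds (total minus interrupt)."""
        return self.total_5s - self.interrupt_5s


def parse_show_proc_cpu(text: str) -> CpuSummary:
    header = None
    rows = []
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:
            header = h
            continue
        r = ROW_RE.match(line)
        if r:
            rows.append((r.group(9), float(r.group(7))))
    if header is None:
        raise ValueError("no 'CPU utilization' header in input")
    total, intr, one_min, five_min = (int(g) for g in header.groups())
    rows.sort(key=lambda row: row[1], reverse=True)
    return CpuSummary(total, intr, one_min, five_min, rows)


def diagnose(s: CpuSummary, busy: int = 80, dominant: int = 50) -> str:
    """One-line verdict: where the CPU time goes and what to check next.
    The 80% / 50% thresholds are assumptions, not IOS defaults."""
    if s.total_5s < busy:
        return "cpu ok"
    leader = s.top[0][0] if s.top else "unknown"
    if s.process_5s >= dominant and leader == "IP Input":
        return ("process switching: IP Input dominates; "
                "check 'IP CEF switching' in show ip interface")
    if s.interrupt_5s >= dominant:
        return "interrupt level: fast-path volume or feature cost, not a punt problem"
    return f"process level: {leader}"


if __name__ == "__main__":
    summary = parse_show_proc_cpu(SAMPLE)
    print(f"total {summary.total_5s}% interrupt {summary.interrupt_5s}% "
          f"process {summary.process_5s}%")
    for name, pct in summary.top[:3]:
        print(f"  {pct:6.2f}%  {name}")
    print(diagnose(summary))
```

On the sample the split comes out as total 99%, interrupt 22%, process 77%, which lines up with IP Input's own 75.29% five-second figure: almost all of the load is packets being handled in a process rather than in the fast path, which is what the next reply in the thread points at.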
-
IP Input, switching has eaten it all.
show interfaces switching
show ip interface
-
> IP Input, switching has eaten it all.
> show interfaces switching
> show ip interface

cod-gw#sh interfaces switchi
cod-gw#sh interfaces switching
Interface Embedded-Service-Engine0/0 is disabled
GigabitEthernet0/0
Throttle count 9
Drops RP 17 SP 0
SPD Flushes Fast 285829 SSE 0
SPD Aggress Fast 0
SPD Priority Inputs 2262385 Drops 0
Protocol IP
Switching path Pkts In Chars In Pkts Out Chars Out
Process 31270879 2516039837 13428767 228793894
Cache misses 0 - - -
Fast 1920594036 1051086982 1654466725 1513244178
Auton/SSE 0 0 0 0
Protocol DEC MOP
Switching path Pkts In Chars In Pkts Out Chars Out
Process 0 0 3010 231770
Cache misses 0 - - -
Fast 0 0 0 0
Auton/SSE 0 0 0 0
Protocol ARP
Switching path Pkts In Chars In Pkts Out Chars Out
Process 1795825 107749500 1066445 64610128
Cache misses 0 - - -
Fast 0 0 0 0
Auton/SSE 0 0 0 0
Protocol CDP
Switching path Pkts In Chars In Pkts Out Chars Out
Process 30175 6185955 33659 13229428
Cache misses 0 - - -
Fast 0 0 0 0
Auton/SSE 0 0 0 0
Protocol Other
Switching path Pkts In Chars In Pkts Out Chars Out
Process 7222809 433368540 181002 10860120
Cache misses 0 - - -
Fast 0 0 0 0
Auton/SSE 0 0 0 0
NOTE: all counts are cumulative and reset only after a reload.
GigabitEthernet0/1 DMZ
Throttle count 0
Drops RP 0 SP 0
SPD Flushes Fast 3965 SSE 0
SPD Aggress Fast 0
SPD Priority Inputs 23219 Drops 0
Protocol IP
Switching path Pkts In Chars In Pkts Out Chars Out
Process 2440269 208715042 1592149 135877631
Cache misses 0 - - -
Fast 17727446 4204310422 17570284 1113499249
Auton/SSE 0 0 0 0
Protocol DEC MOP
Switching path Pkts In Chars In Pkts Out Chars Out
Process 0 0 2953 227381
Cache misses 0 - - -
Fast 0 0 0 0
Auton/SSE 0 0 0 0
Protocol ARP
Switching path Pkts In Chars In Pkts Out Chars Out
Process 23219 1393140 23255 1395300
Cache misses 0 - - -
Fast 0 0 0 0
Auton/SSE 0 0 0 0
Protocol CDP
Switching path Pkts In Chars In Pkts Out Chars Out
Process 0 0 33041 13090552
Cache misses 0 - - -
Fast 0 0 0 0
Auton/SSE 0 0 0 0
Protocol Other
Switching path Pkts In Chars In Pkts Out Chars Out
Process 0 0 177586 10655160
Cache misses 0 - - -
Fast 0 0 0 0
Auton/SSE 0 0 0 0
NOTE: all counts are cumulative and reset only after a reload.
GigabitEthernet0/2
Throttle count 1
Drops RP 1 SP 0
SPD Flushes Fast 236080 SSE 0
SPD Aggress Fast 0
SPD Priority Inputs 4805434 Drops 0
Protocol IP
Switching path Pkts In Chars In Pkts Out Chars Out
Process 10710292 1037343019 34877060 3886289838
Cache misses 0 - - -
Fast 921315055 2051050400 1184356313 2178569559
Auton/SSE 0 0 0 0
Protocol DEC MOP
Switching path Pkts In Chars In Pkts Out Chars Out
Process 0 0 2953 227381
Cache misses 0 - - -
Fast 0 0 0 0
Auton/SSE 0 0 0 0
Protocol ARP
Switching path Pkts In Chars In Pkts Out Chars Out
Process 4795985 287759100 273801 16428060
Cache misses 0 - - -
Fast 0 0 0 0
Auton/SSE 0 0 0 0
Protocol CDP
Switching path Pkts In Chars In Pkts Out Chars Out
Process 55659 6233808 59089 23183614
Cache misses 0 - - -
Fast 0 0 0 0
Auton/SSE 0 0 0 0
Protocol Other
Switching path Pkts In Chars In Pkts Out Chars Out
Process 0 0 177575 10654500
Cache misses 0 - - -
Fast 0 0 0 0
Auton/SSE 0 0 0 0
NOTE: all counts are cumulative and reset only after a reload.
NVI0
All statistics for this interface are zero.
Tunnel0
Protocol IP
Switching path Pkts In Chars In Pkts Out Chars Out
Process 324172 19487203 386275 32551492
Cache misses 0 - - -
Fast 26157047 2979877754 43972043 1635166935
Auton/SSE 0 0 0 0
NOTE: all counts are cumulative and reset only after a reload.
Tunnel4 tunnel to office
All statistics for this interface are zero.
Virtual-Access1
All statistics for this interface are zero.
Virtual-Access2 ***Internally created by SSLVPN context CON1***
Protocol IP
Switching path Pkts In Chars In Pkts Out Chars Out
Process 14 1036 0 0
Cache misses 0 - - -
Fast 700553 39215875 0 0
Auton/SSE 0 0 0 0
NOTE: all counts are cumulative and reset only after a reload.
Virtual-Template1
All statistics for this interface are zero.
Virtual-Template10
All statistics for this interface are zero.
cod-gw#
_____________________________________________________________________
cod-gw#sh ip int
Embedded-Service-Engine0/0 is administratively down, line protocol is down
Internet protocol processing disabled
GigabitEthernet0/0 is up, line protocol is up
Internet address is 192.168.X.X/23
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10
Outgoing access list is not set
Inbound access list is gi0/0_in
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Null turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
IP route-cache flags are None
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain inside
BGP Policy Mapping is disabled
Input features: Common Flow Table, Stateful Inspection, Virtual Fragment Reassembly, Access List, Virtual Fragment Reassembly After IPSec Decryption, MCI Check
Output features: NAT Inside, Common Flow Table, Stateful Inspection, Firewall (NAT), Firewall (inspect), NAT ALG proxy
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
GigabitEthernet0/0.1 is up, line protocol is up
Internet address is 172.16.X.X/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is 192.168.X.X
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is vlan
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Null turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
IP route-cache flags are None
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain inside
BGP Policy Mapping is disabled
Input features: Common Flow Table, Stateful Inspection, Virtual Fragment Reassembly, Access List, Virtual Fragment Reassembly After IPSec Decryption, MCI Check
Output features: NAT Inside, Common Flow Table, Stateful Inspection, Firewall (NAT), Firewall (inspect), NAT ALG proxy
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
GigabitEthernet0/0.2 is up, line protocol is up
Internet address is 192.168.102.1/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is 192.168.X.X
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is blockhost192
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Null turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
IP route-cache flags are None
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain inside
BGP Policy Mapping is disabled
Input features: Common Flow Table, Stateful Inspection, Virtual Fragment Reassembly, Access List, Virtual Fragment Reassembly After IPSec Decryption, MCI Check
Output features: NAT Inside, Common Flow Table, Stateful Inspection, Firewall (NAT), Firewall (inspect), NAT ALG proxy
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
GigabitEthernet0/1 is up, line protocol is up
Internet address is 192.168.X.X/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is DMZ
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain inside
BGP Policy Mapping is disabled
Input features: Common Flow Table, Stateful Inspection, Virtual Fragment Reassembly, Access List, Virtual Fragment Reassembly After IPSec Decryption, MCI Check
Output features: NAT Inside, Common Flow Table, Stateful Inspection, Firewall (NAT), Firewall (inspect), NAT ALG proxy
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
GigabitEthernet0/2 is up, line protocol is up
Internet address is 91.188.X.X/28
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Secondary address 91.188.X.X/28
Outgoing access list is not set
Inbound access list is WAN_access_in
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is disabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Null turbo vector
IP multicast fast switching is disabled
IP multicast distributed fast switching is disabled
IP route-cache flags are None
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain outside
BGP Policy Mapping is disabled
Input features: Common Flow Table, Stateful Inspection, Virtual Fragment Reassembly, Access List, Virtual Fragment Reassembly After IPSec Decryption, NAT Outside, MCI Check
Output features: Post-routing NAT Outside, Common Flow Table, Stateful Inspection, Firewall (NAT), Firewall (inspect), NAT ALG proxy
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
Inbound inspection rule is INSPECT
NVI0 is up, line protocol is up
Interface is unnumbered. Using address of GigabitEthernet0/0 (192.X.X.X)
Broadcast address is 255.255.255.255
MTU is 1514 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Null turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
Output features: Post-routing NAT NVI Output, Firewall (NAT), Firewall (inspect)
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
Tunnel0 is up, line protocol is up
Internet address is 10.X.X.X/30
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1476 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Null turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
Output features: Firewall (NAT), Firewall (inspect)
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
Tunnel4 is up, line protocol is down
Internet address is 10.X.X.X/30
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1476 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Null turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
Output features: Firewall (NAT), Firewall (inspect)
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
Virtual-Access1 is down, line protocol is down
Internet protocol processing disabled
Virtual-Access2 is up, line protocol is up
Interface is unnumbered. Using address of GigabitEthernet0/2 (91.188.X.X)
Broadcast address is 255.255.255.255
MTU is 1406 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is enabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Null turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
Output features: Firewall (NAT), Firewall (inspect)
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
Virtual-Template1 is up, line protocol is down
Interface is unnumbered. Using address of GigabitEthernet0/2 (91.188.X.X)
Broadcast address is 255.255.255.255
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Null turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
Output features: Firewall (NAT), Firewall (inspect)
Post encapsulation features: IPSEC Post-encap output classification
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
Virtual-Template10 is down, line protocol is down
Interface is unnumbered. Using address of GigabitEthernet0/2 (91.188.X.X)
Broadcast address is 255.255.255.255
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is disabled
IP fast switching on the same interface is enabled
IP Flow switching is disabled
IP CEF switching is disabled
IP Null turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
Output features: Firewall (NAT), Firewall (inspect)
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
cod-gw#
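Added example (editor's code, not the poster's): a parser for the two outputs the reply asked for. `cef_disabled_interfaces()` lists up/up interfaces where `show ip interface` reports `IP CEF switching is disabled`, and `ip_switching_counters()` turns the IP rows of `show interfaces switching` into process/fast packet counts so the process-switched share can be computed per interface. The samples are constructed: the IP counters are the GigabitEthernet0/0 and 0/1 values quoted above, the addresses are documentation ranges. Because the counters are cumulative since reload (as the output itself says), the number that matters is the share over a delta between two snapshots, which `delta()` provides.

```python
import re
from typing import Dict, List

# Constructed `show ip interface` sample, cut to the lines the parser needs;
# addresses are RFC 5737 documentation ranges, not the thread's.
SHOW_IP_INT = """\
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 192.0.2.1/24
  IP fast switching is disabled
  IP CEF switching is disabled
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 198.51.100.1/24
  IP CEF switching is enabled
Embedded-Service-Engine0/0 is administratively down, line protocol is down
  Internet protocol processing disabled
"""

# Constructed `show interfaces switching` sample: the IP counters are the
# GigabitEthernet0/0 and 0/1 values quoted in the thread, the rest is cut.
SHOW_INT_SWITCHING = """\
GigabitEthernet0/0
          Throttle count          9
  SPD Flushes       Fast     285829        SSE          0
     Protocol  IP
   Switching path    Pkts In   Chars In   Pkts Out  Chars Out
          Process   31270879 2516039837   13428767  228793894
             Fast 1920594036 1051086982 1654466725 1513244178
     Protocol  ARP
          Process    1795825  107749500    1066445   64610128
NOTE: all counts are cumulative and reset only after a reload.
GigabitEthernet0/1 DMZ
     Protocol  IP
          Process    2440269  208715042    1592149  135877631
             Fast   17727446 4204310422   17570284 1113499249
NOTE: all counts are cumulative and reset only after a reload.
"""

STATE_RE = re.compile(r"^(\S+) is (up|down|administratively down), line protocol is (up|down)")
CEF_RE = re.compile(r"IP CEF switching is (enabled|disabled)")
IF_LINE_RE = re.compile(r"^([A-Za-z][A-Za-z-]*\d[\d/.]*)\b")  # interface name at column 0
PROTO_RE = re.compile(r"^\s*Protocol\s+(\S+)")
PATH_RE = re.compile(r"^\s*(Process|Fast)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")


def cef_disabled_interfaces(show_ip_interface: str) -> List[str]:
    """Up/up interfaces whose packets bypass CEF and land in the IP Input process."""
    bad, current, is_up = [], None, False
    for line in show_ip_interface.splitlines():
        st = STATE_RE.match(line.strip())
        if st:
            current = st.group(1)
            is_up = st.group(2) == "up" and st.group(3) == "up"
            continue
        cef = CEF_RE.search(line)
        if cef and is_up and cef.group(1) == "disabled":
            bad.append(current)
    return bad


def ip_switching_counters(show_int_switching: str) -> Dict[str, Dict[str, int]]:
    """Per-interface inbound/outbound IP packets by switching path (process vs fast)."""
    result: Dict[str, Dict[str, int]] = {}
    current, proto = None, None
    for line in show_int_switching.splitlines():
        ifm = IF_LINE_RE.match(line)
        if ifm:
            current, proto = ifm.group(1), None
            result[current] = {}
            continue
        pm = PROTO_RE.match(line)
        if pm:
            proto = pm.group(1)
            continue
        row = PATH_RE.match(line)
        if row and current and proto == "IP":  # skip the ARP/CDP/MOP blocks
            path = row.group(1).lower()
            result[current][path + "_in"] = int(row.group(2))
            result[current][path + "_out"] = int(row.group(4))
    return {name: c for name, c in result.items() if c}


def process_share_in(counters: Dict[str, int]) -> float:
    """Fraction of inbound IP packets that were process-switched."""
    proc, fast = counters.get("process_in", 0), counters.get("fast_in", 0)
    return proc / (proc + fast) if proc + fast else 0.0


def delta(before, after):
    """Counter growth between two snapshots; the raw counters are cumulative
    since reload, so only a delta over a window shows current behaviour."""
    return {n: {k: after[n][k] - before[n].get(k, 0) for k in after[n]}
            for n in after if n in before}


if __name__ == "__main__":
    print("CEF disabled on:", cef_disabled_interfaces(SHOW_IP_INT))
    for name, c in ip_switching_counters(SHOW_INT_SWITCHING).items():
        print(f"{name:20s} process-switched in: {process_share_in(c):.2%}")
```

On the thread's own numbers the cumulative process-switched share on Gi0/0 is only about 1.6% (12% on the DMZ port), which is why a single snapshot taken weeks after the reload says little; take two a minute apart while the CPU sits at 99% and feed them to `delta()`. The later `sh ip int gi0/0` paste in the thread shows `IP CEF switching is enabled` after the interface is bounced; the configuration-level form of the same thing is `ip cef` globally plus `ip route-cache cef` under the interface, so the state does not depend on a bounce surviving the next reload.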
-
And I'm looking at this, is this the whole config, is there no ACL at all? I'm already guessing that it's all clogged up with spoofing or broadcast traffic.
Updated: 14 January 2020, 17:51:17
Well, what I see: fast switching off, no ACL, no CEF,
the only option here is to sit down, take the manuals and write the config from scratch, or, in my exceptionally humble opinion... bury this anachronism and ask for money for a MikroTik, if the tunnels there aren't something really tricky. And again, you can move the services over to the MikroTik one by one.
-
> And I'm looking at this, is this the whole config, is there no ACL at all? I'm already guessing that it's all clogged up with spoofing or broadcast traffic.

Actually, there are.
This one is on the external port Gi0/2
Extended IP access list WAN_access_in
10 deny tcp any any eq 445 (5446 matches)
20 deny udp any any eq 445 (26 matches)
30 permit ip any any (871460123 matches)
This one on the internal LAN port Gi0/0
Extended IP access list gi0/0_in
10 deny ip host 192.168.x.x any (967040 matches)
20 permit ip host 192.168.x.x any log (162153 matches)
30 permit ip any any (630766345 matches)
And the third port Gi0/1, to a separate DMZ box
Extended IP access list DMZ
10 permit tcp host 192.168.x.x eq 587 any
20 permit tcp host 192.168.x.x eq 50389 any
30 permit tcp host 192.168.x.x eq 50636 any (430076 matches)
40 permit tcp host 192.168.x.x eq 465 any
50 permit tcp host 192.168.x.x eq 995 any
60 permit tcp host 192.168.x.x eq 443 any (605059 matches)
70 permit tcp host 192.168.x.x eq pop3 any
80 permit tcp host 192.168.x.x eq 993 any
90 permit ip host 192.168.x.x 10.0.0.0 0.255.255.255 (23500 matches)
100 permit tcp host 192.168.x.x any eq smtp (1913304 matches)
110 permit tcp host 192.168.x.x any eq domain (1005 matches)
120 permit udp host 192.168.x.x any eq domain (941705 matches)
130 permit tcp host 192.168.x.x eq smtp any (87653 matches)
140 permit ip host 192.168.x.x 192.168.0.0 0.0.255.255 (2299793 matches)
150 deny ip any any (2792511 matches)
I don't know how much of this makes sense. The "gift" was inherited :(
-
The sh ip cef command shows:
Prefix               Next Hop             Interface
0.0.0.0/0            91.x.x.x             GigabitEthernet0/2
0.0.0.0/8            drop
0.0.0.0/32           receive
10.0.x.x/30          attached             Tunnel0
10.0.x.x/32          receive              Tunnel0
10.0.x.x/32          receive              Tunnel0
10.0.x.x/32          receive              Tunnel0
46.21.252.41/32      91.x.x.x             GigabitEthernet0/2
91.188.x.x/28        attached             GigabitEthernet0/2
91.188.x.x/32        receive              GigabitEthernet0/2
91.188.x.x/32        attached             GigabitEthernet0/2
91.188.x.x/32        receive              GigabitEthernet0/2
91.188.x.x/32        receive              GigabitEthernet0/2
91.188.x.x/28        attached             GigabitEthernet0/2
91.188.x.x/32        receive              GigabitEthernet0/2
91.188.x.x/32        attached             GigabitEthernet0/2
and so on. As I understand it, CEF is enabled.
I also read about caching and even tried to enable it, but the command's output is empty:
sh ip cache
IP routing cache 0 entries, 0 bytes
0 adds, 0 invalidates, 0 refcounts
Minimum invalidation interval 2 seconds, maximum interval 5 seconds,
quiet interval 3 seconds, threshold 0 requests
Invalidation rate 0 in last second, 0 in last 3 seconds
Prefix/Length Age Interface Next Hop
-
Check show cef interface for each active interface.
Updated: 14 January 2020, 18:56:50
sh ip int
And look at the state of IP CEF switching
Updated: 14 January 2020, 18:58:52
And yes, the interface needs to be bounced.
-
> Check show cef interface for each active interface.
> Updated: 14 January 2020, 18:56:50
> sh ip int
> And look at the state of IP CEF switching
> Updated: 14 January 2020, 18:58:52
> And yes, the interface needs to be bounced.

cod-gw#sh cef interface gi0/0
GigabitEthernet0/0 is up (if_number 3)
Corresponding hwidb fast_if_number 3
Corresponding hwidb firstsw->if_number 3
Internet address is 192.168.100.1/23
ICMP redirects are always sent
Per packet load-sharing is disabled
IP unicast RPF check is disabled
Input features: Common Flow Table, Stateful Inspection, Ingress-NetFlow, Virtual Fragment Reassembly, Access List, Virtual Fragment Reassembly After IPSec Decryption
Output features: Common Flow Table, Stateful Inspection, Firewall (NAT), Firewall (inspect), Post-Ingress-NetFlow, Egress-Netflow
IP policy routing is disabled
BGP based policy accounting on input is disabled
BGP based policy accounting on output is disabled
Hardware idb is GigabitEthernet0/0
Fast switching type 1, interface type 27
IP CEF switching enabled
IP CEF switching turbo vector
IP prefix lookup IPv4 mtrie 8-8-8-8 optimized
Input fast flags 0x400060, Output fast flags 0x10100
ifindex 3(3)
Slot Slot unit 0 VC -1
IP MTU 1500
_________________________________________
cod-gw#sh ip int gi0/0
GigabitEthernet0/0 is up, line protocol is up
Internet address is 192.168.100.1/23
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10
Outgoing access list is not set
Inbound access list is gi0/0_in
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain inside
BGP Policy Mapping is disabled
Input features: Common Flow Table, Stateful Inspection, Ingress-NetFlow, Virtual Fragment Reassembly, Access List, Virtual Fragment Reassembly After IPSec Decryption, MCI Check
Output features: NAT Inside, Common Flow Table, Stateful Inspection, Firewall (NAT), Firewall (inspect), NAT ALG proxy, Post-Ingress-NetFlow, Egress-Netflow
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
_____________________________________________
IP CEF switching seems to be enabled everywhere
-
I used sh top talkers. At peak load one of the hosts is pulling almost 4 gigs through the network. That's my installer downloading video footage from the storage array. So it turns out the Cisco can't cope?
As for the Internet, I'm still sorting it out with the providers. I noticed that the Internet drops at almost the same time each day.
-
IIRC it does 35 Mbps when routing, past that it gets sad. Where is he pulling it from, and to where? Behind NAT?