2801 and two PPPOE

Post by Astore » 2009-09-29 16:10:28

Hi,
as the saying goes, Danila, need help.
The second PPPOE connection on a cisco 2801 won't route.
The Cisco is the gateway for the network; it has a pppoe session up to the provider, and the default route goes over it.
When I bring up a second pppoe session to the guest resources of the same provider and add the routes, this is what happens:
the second pppoe comes up and the internal resources can be pinged from the Cisco, but traceroute does not trace the full path (and this is the case both with dialer2 up and dialer1 shut down, and when both connections are up). From the local network, from a machine that has the Cisco's IP set as its gateway, the provider's internal resources (i.e. everything that goes through dialer 2) do not ping, and the trace only gets as far as the Cisco.

Here is the config

Code:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec

!

!
boot-start-marker
boot-end-marker
!

!
no aaa new-model
ip cef
!
!
!
vpdn enable
!
!
!
voice-card 0
!
!
!
class-map match-any http
 match protocol http
class-map match-any ftp
 match protocol ftp
class-map match-any ssh
 match protocol ssh
class-map match-any gre
 match protocol gre
class-map match-any voice
 match protocol rtp
 match protocol skinny
 match protocol h323
 match protocol sip
!
!
policy-map qos-mapFa01
 class ssh
  priority 164
 class class-default
  shape average 1000000
policy-map qos-mapFa00
 class ssh
  priority 624
 class class-default
  shape average 1000000
!
! 
!


!
!
interface Tunnel1
 
 ...................
!
interface Tunnel2
 
 ................
!
interface Tunnel3
 ...................
!
interface FastEthernet0/0
 ip address 192.168.1.250 255.255.255.0
 ip broadcast-address 192.168.1.255
 ip access-group 103 in
 ip access-group 103 out
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no snmp ifindex persist
 service-policy output qos-mapFa00
!
interface FastEthernet0/1
 ip address 192.168.250.250 255.255.255.0
 ip broadcast-address 192.168.250.255
 ip access-group 103 in
 ip access-group 103 out
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 3
 pppoe-client dial-pool-number 1
 no cdp enable
 service-policy output qos-mapFa01
!
interface Dialer1
 ip address negotiated
 ip broadcast-address 1111.1111.1111.1111
 ip mtu 1492
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly max-reassemblies 32
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname login
 ppp chap password 0 pass
!

!
interface Dialer3
 description internal PPPOE TO PROV
 ip address 222.333.222.222 255.128.0.0
 ip broadcast-address 222.333.255.255
 ip nbar protocol-discovery
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 3
 dialer-group 3
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname login_guest
 ppp chap password 0 pass_guest
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 444.444.444.32 255.255.255.224 Dialer3

!
ip flow-export version 9
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip nat inside source list NetNat interface Dialer1 overload
ip nat inside source list NetNatINT interface Dialer3 overload

!
ip access-list extended NetNat
 deny   ip host 111.111.111.111 192.168.1.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.250.0 0.0.0.255 any
 deny   ip any any
ip access-list extended NetNatINT
 deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.250.0 0.0.0.255 any
 deny   ip any any

!
...............
access-list 103 permit ip 444.444.444.32 0.0.0.31 any
access-list 103 permit ip any 444.444.444.32 0.0.0.31
access-list 103 permit ip 10.0.0.0 0.127.255.255 any
access-list 103 permit ip any 10.0.0.0 0.127.255.255
................
!

dialer-list 1 protocol ip permit
dialer-list 3 protocol ip permit
priority-list 1 protocol ip high tcp 22
priority-list 1 default low
priority-list 3 protocol ip high tcp 22
priority-list 3 default low
snmp-server community stat RW
snmp-server ifindex persist
no cdp run
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
.................
!
scheduler allocate 20000 1000
end

Here are the ping and the trace when both dialers are up

Code:

o#ping 444.444.444.61

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 444.444.444.61, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/28 ms
belarus-cisco#trceroute 444.444.444.61

belarus-cisco#traceroute 444.444.444.61

Type escape sequence to abort.
Tracing the route to issa.telecom.by (444.444.444.61)

  1 host1.com (444.444.444.18) 20 msec 16 msec 20 msec
  2 host2.com (444.444.444.13) 20 msec 20 msec 20 msec
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7  *  *  *
  8  *  *  *
  9  *  *  *
 10  *  *  *

show ip route

Code:

 Gateway of last resort is 0.0.0.0 to network 0.0.0.0

    444.444.444.0/24 is variably subnetted, 2 subnets, 2 masks
C       444.444.444.18/32 is directly connected, Dialer1
                          is directly connected, Dialer3
S       444.444.444.32/27 is directly connected, Dialer3
C    192.168.250.0/24 is directly connected, FastEthernet0/1
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       222.333.222.222/32 is directly connected, Dialer3
     111.1111.111.0/32 is subnetted, 1 subnets
C       111.111.111.111 is directly connected, Dialer1
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, Dialer1

When dialer1 is down everything is the same, with this difference:
C 444.444.444.18/32 is directly connected, Dialer3
is directly connected, Dialer3 (???? appears when di1 and di3 are enabled together)
S 444.444.444.32/27 is directly connected, Dialer3
The pings and traces are the same; I can't show them because I can't take dialer1 down right now, but I have checked.

Any hints on where to dig?
Towards the firewall? But with dialer2 shut down it lets traffic through to the internal resources,
and with dialer2 up the rule counters show that the packet went out to the provider but nothing came back.

Or towards NAT?
Or is something at the provider not getting along with Ciscos, judging by the traces?

Code:

#sh ver
Cisco IOS Software, 2801 Software (C2801-ADVIPSERVICESK9-M), Version 12.4(16), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 20-Jun-07 09:14 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

belarus-cisco uptime is 5 days, 23 minutes
System returned to ROM by power-on
System image file is "flash:c2801.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2801 (revision 7.0) with 116736K/14336K bytes of memory.
Processor board ID FCZ114511D2
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x7922

Code:

sh log
Syslog logging: enabled (11 messages dropped, 1 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 243 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level warnings, 61 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled

No active filter modules.

    Trap logging: level informational, 223 message lines logged

Log Buffer (51200 bytes):

*Sep 24 12:12:36.103: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
*Sep 24 12:12:42.043: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 24 12:12:42.043: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Sep 24 13:15:34.871: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 24 13:16:31.771: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 24 13:16:37.543: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 24 13:20:50.055: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 24 13:20:59.103: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 24 13:21:12.303: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 24 13:33:37.031: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 24 13:35:17.747: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 24 13:35:20.195: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 24 13:37:42.587: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 24 13:47:28.975: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 24 13:47:31.143: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 24 14:29:08.307: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 24 14:29:19.711: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 24 14:29:30.431: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 24 15:08:59.379: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 25 07:23:30.127: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 25 07:23:33.755: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 25 09:22:14.522: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 25 09:32:21.142: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 25 09:32:23.246: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 25 09:33:18.058: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 25 09:36:21.730: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 25 09:36:22.134: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 25 10:03:09.634: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 25 10:44:10.050: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 25 10:44:11.818: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 25 11:04:06.362: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 25 11:38:22.138: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 25 11:38:32.302: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 25 12:03:49.858: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 25 14:32:56.553: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 25 14:33:11.901: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 25 14:44:31.021: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 25 14:44:41.561: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 25 14:44:53.521: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 25 14:48:17.205: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 25 14:48:24.053: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 25 14:48:39.313: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 28 15:19:49.759: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Sep 28 15:20:13.167: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 28 15:20:19.839: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 28 15:20:35.263: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Sep 28 15:22:04.727: %LINK-3-UPDOWN: Interface Dialer1, changed state to up
*Sep 28 15:22:13.355: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 28 15:27:00.191: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Sep 28 15:27:08.391: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 28 15:27:22.371: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Sep 28 15:27:29.287: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Sep 28 15:30:22.503: %LINK-3-UPDOWN: Interface Dialer1, changed state to up
*Sep 28 15:30:33.211: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Sep 28 15:37:14.567: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Sep 28 15:37:23.643: %LINK-3-UPDOWN: Interface Dialer3, changed state to up
*Sep 28 15:37:36.659: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Sep 28 15:48:01.019: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
"No sky is wide enough for my wings to spread" - Cielo


Post by zingel » 2009-09-30 5:12:50

Towards NAT, and give us a diagram and

Post by Guest » 2009-09-30 11:38:14

Thanks for responding...
sh log and sh ver are at the end of my first post
The diagram is in the attachment
Attachment: 1.jpg


Post by Guest » 2009-09-30 12:46:51

di 3 now looks like this:

interface Dialer3
 ip address negotiated
 ip broadcast-address 222.333.255.255
 ip mtu 1492
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 3
 dialer-group 3
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname guest
 ppp chap password 0 pass


Post by Astore » 2009-09-30 14:07:40

It's all solved; the problem really was in NAT.
The Cisco simply did not know which connection to send the packets through.
In short, the provider's internal networks need to be denied in the access-list for dialer1 and, correspondingly, permitted for dialer3.

Code:


belarus-cisco#show ip access-lists NetNatINT

Extended IP access list NetNatINT
    6 permit ip any 444.444.444.32 0.0.0.31
    8 permit ip any 222.333.222.222 0.127.255.255
    10 deny ip host 111.111.111.111 192.168.1.0 0.0.0.255
    20 deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
    30 permit ip 192.168.1.0 0.0.0.255 any
    40 permit ip 192.168.250.0 0.0.0.255 any
    50 deny ip any any (44522 matches)

belarus-cisco#show ip access-lists NetNat
Extended IP access list NetNat
    6 deny ip any 444.444.444.32 0.0.0.31
    8 deny ip any 222.333.222.222 0.127.255.255
    10 deny ip host 111.111.111.111 192.168.1.0 0.0.0.255
    20 deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
    30 permit ip 192.168.1.0 0.0.0.255 any (104226 matches)
    40 permit ip 192.168.250.0 0.0.0.255 any (331570 matches)
    50 deny ip any any (57704 matches)
"No sky is wide enough for my wings to spread" - Cielo
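
The fix described in the last post, modelled as an added example (not part of the original thread or of any poster's configuration): a first-match evaluator for IOS extended ACLs with wildcard masks that lists which `ip nat inside source list` rules permit a given flow before and after the change. The LAN prefixes come from the posted config; 198.51.100.32/27 and the host addresses are constructed stand-ins for the masked provider subnet, and only `ip` entries are handled.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def spec(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (ip(tok[1]), 0), tok[2:]
    return (ip(tok[0]), ip(tok[1])), tok[2:]

def parse_acl(text):
    """Parse '[seq] permit|deny ip SRC DST' entries of an extended ACL."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        tok = tok[1:] if tok[0].isdigit() else tok   # drop sequence number
        src, rest = spec(tok[2:])                     # tok[0]=action, tok[1]="ip"
        dst, _ = spec(rest)
        rules.append((tok[0], src, dst))
    return rules

def hit(addr, s):
    # A wildcard bit of 1 means "don't care"; compare only the remaining bits.
    return ((addr ^ s[0]) & ~s[1] & 0xFFFFFFFF) == 0

def permits(rules, src, dst):
    """First matching entry wins; no match is the implicit deny."""
    for action, rs, rd in rules:
        if hit(ip(src), rs) and hit(ip(dst), rd):
            return action == "permit"
    return False

def nat_candidates(nat, src, dst):
    """Outside interfaces whose NAT ACL permits the flow, in listed order."""
    return [iface for iface, acl in nat if permits(acl, src, dst)]

# Constructed data: LAN prefixes from the post; 198.51.100.32/27 stands in for the masked guest subnet.
LAN = """deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.250.0 0.0.0.255 any
deny ip any any"""
GUEST = "ip any 198.51.100.32 0.0.0.31\n"
BEFORE = [("Dialer1", parse_acl(LAN)), ("Dialer3", parse_acl(LAN))]
AFTER = [("Dialer1", parse_acl("deny " + GUEST + LAN)),
         ("Dialer3", parse_acl("permit " + GUEST + LAN))]
print([nat_candidates(n, "192.168.1.10", "198.51.100.61") for n in (BEFORE, AFTER)])
```

In this model a flow to the guest subnet matches both NAT lists before the change and only the Dialer3 list after it, while Internet-bound flows from the LAN still match both lists because NetNatINT keeps its `permit ip 192.168.1.0 0.0.0.255 any` entry.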