Почему Cisco NAT иногда теряет 50% пакетов?

Есть Cisco 1841, который делает NAT для выхода нескольких VLAN в Интернет. Иногда популярные сайты начинают плохо работать: некоторые фотографии показываются только частично, страницы не догружаются до конца, обрывается загрузка онлайн-видео.
Начал разбираться, вот что увидел:
Пингуем сервер популярной соцсети с ПК во внутренней сети: потери пакетов 50% — теряется каждый второй; продолжаем пинговать. Заходим на роутер и пингуем тот же сервер с самого роутера — потерь нет! В этот же момент пинг с компьютера тоже нормализуется. Снова начать сбоить может через день или два.
Сеть используется для доступа в интернет по Wi-Fi на территории санатория; к маршрутизатору подключен DSLAM, модемы находятся в разных VLAN с разными пулами IP-адресов.
В какую сторону копать? ARP?
Вот важные части конфига:
! Global platform settings. The 12.4(1b) ipbase image named under "boot system"
! is a very old release; confirm its support status against Cisco's EoL notices
! before keeping it as an Internet edge device.
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
! NOTE(review): type-7 "encryption" is reversible obfuscation, not a hash;
! the running-config must still be treated as sensitive.
service password-encryption
service sequence-numbers
!
hostname sanatory-IP
!
boot-start-marker
boot system flash c1841-ipbase-mz.124-1b.bin
boot-end-marker
!
logging buffered 12000 informational
!
! No AAA: the console/vty lines at the end of the config rely on "login local".
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
! Discard packets carrying IP source-route options (standard edge hygiene).
no ip source-route
ip icmp rate-limit unreachable 1
! CEF is enabled globally; Tunnel0 below disables it per-interface.
ip cef
!
!
! DHCP server: lease database persisted to flash; the top ten addresses
! (.245-.254) of each guest /24 are kept out of the dynamic range.
ip dhcp database flash:dhcp-database
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.245 192.168.2.254
ip dhcp excluded-address 192.168.10.245 192.168.10.254
ip dhcp excluded-address 192.168.11.245 192.168.11.254
ip dhcp excluded-address 192.168.12.245 192.168.12.254
ip dhcp excluded-address 192.168.13.245 192.168.13.254
ip dhcp excluded-address 192.168.14.245 192.168.14.254
ip dhcp excluded-address 192.168.15.245 192.168.15.254
ip dhcp excluded-address 192.168.16.245 192.168.16.254
!
! One pool per guest VLAN. Default gateway and DNS server both point at the
! router's own subinterface address: the router forwards DNS itself
! ("ip dns server" further down), so its resolver must stay reachable from
! these VLANs.
! VLAN 10 guests.
ip dhcp pool Guests_with_Inet
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.10.1
!
! VLAN 2 ("VIP" guests) — same GUESTS-in policy as the other guest VLANs.
ip dhcp pool Special_VIP_GUESTs_Inet
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 192.168.2.1
!
! VLANs 11-16, one /24 each.
ip dhcp pool GUESTs_zone_11
network 192.168.11.0 255.255.255.0
default-router 192.168.11.1
dns-server 192.168.11.1
!
ip dhcp pool GUESTs_zone_12
network 192.168.12.0 255.255.255.0
default-router 192.168.12.1
dns-server 192.168.12.1
!
ip dhcp pool GUESTs_zone_13
network 192.168.13.0 255.255.255.0
default-router 192.168.13.1
dns-server 192.168.13.1
!
ip dhcp pool GUESTs_zone_14
network 192.168.14.0 255.255.255.0
default-router 192.168.14.1
dns-server 192.168.14.1
!
ip dhcp pool GUESTs_zone_15
network 192.168.15.0 255.255.255.0
default-router 192.168.15.1
dns-server 192.168.15.1
!
ip dhcp pool GUESTs_zone_16
network 192.168.16.0 255.255.255.0
default-router 192.168.16.1
dns-server 192.168.16.1
!
!
! NetFlow cache sizing: 65k entries, 120 s inactive / 10 min active timeouts.
ip flow-cache entries 65000
ip flow-cache timeout inactive 120
ip flow-cache timeout active 10
no ip bootp server
! Upstream resolvers the router's own DNS server forwards to.
ip name-server 217.8.235.81
ip name-server 217.8.235.82
!
!
!
! E1 0/0/0: timeslots 1-12 (12 x 64 kbit/s) bundled into channel-group 0,
! which appears as Serial0/0/0:0 in the interface section.
controller E1 0/0/0
channel-group 0 timeslots 1-12
description ### to MMX-4, port 3.3
!
!
! Plain IP-in-IP tunnel ("tunnel mode ipip"): no encryption or authentication,
! so whatever crosses it is visible to the transit network. Endpoint addresses
! are masked in the post. CEF and fast switching are disabled on this
! interface, so tunnel traffic is process-switched; "ip mtu 1400" leaves room
! for the outer IP header.
interface Tunnel0
ip address 192.168.255.1 255.255.255.252
no ip proxy-arp
ip mtu 1400
no ip route-cache cef
no ip route-cache
no snmp trap link-status
tunnel source 10.x.x.x
tunnel destination 10.x.x.x
tunnel mode ipip
!
! Physical trunk toward the DSLAM (IES-1000). Carries the dot1Q subinterfaces
! below and has no address of its own.
interface FastEthernet0/0
description ### to IES-1000, AAM1212-1, port 1 ###
no ip address
ip route-cache flow
duplex auto
speed auto
!
! Guest VLANs 2 and 10-16: identical policy on every subinterface —
!  - GUESTS-in applied inbound (egress allow-list, see the ACL section);
!  - proxy-ARP off; NetFlow in both directions; "ip nat inside" (PAT via Fa0/1);
!  - "ip pim sparse-dense-mode" on guest segments: no "ip multicast-routing"
!    appears in the posted excerpt, so PIM here may be inert — confirm, and
!    remove it if multicast is not actually used.
! VLAN 2 — "VIP" guests (192.168.2.0/24).
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip access-group GUESTS-in in
no ip proxy-arp
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip nat inside
no snmp trap link-status
!
! VLAN 10 — guests (192.168.10.0/24).
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip access-group GUESTS-in in
no ip proxy-arp
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip nat inside
no snmp trap link-status
!
! VLAN 11 — guests (192.168.11.0/24).
interface FastEthernet0/0.11
encapsulation dot1Q 11
ip address 192.168.11.1 255.255.255.0
ip access-group GUESTS-in in
no ip proxy-arp
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip nat inside
no snmp trap link-status
!
! VLAN 12 — guests (192.168.12.0/24).
interface FastEthernet0/0.12
encapsulation dot1Q 12
ip address 192.168.12.1 255.255.255.0
ip access-group GUESTS-in in
no ip proxy-arp
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip nat inside
no snmp trap link-status
!
! VLAN 13 — guests (192.168.13.0/24).
interface FastEthernet0/0.13
encapsulation dot1Q 13
ip address 192.168.13.1 255.255.255.0
ip access-group GUESTS-in in
no ip proxy-arp
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip nat inside
no snmp trap link-status
!
! VLAN 14 — guests (192.168.14.0/24).
interface FastEthernet0/0.14
encapsulation dot1Q 14
ip address 192.168.14.1 255.255.255.0
ip access-group GUESTS-in in
no ip proxy-arp
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip nat inside
no snmp trap link-status
!
! VLAN 15 — guests (192.168.15.0/24).
interface FastEthernet0/0.15
encapsulation dot1Q 15
ip address 192.168.15.1 255.255.255.0
ip access-group GUESTS-in in
no ip proxy-arp
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip nat inside
no snmp trap link-status
!
! VLAN 16 — guests (192.168.16.0/24).
interface FastEthernet0/0.16
encapsulation dot1Q 16
ip address 192.168.16.1 255.255.255.0
ip access-group GUESTS-in in
no ip proxy-arp
ip flow ingress
ip flow egress
ip pim sparse-dense-mode
ip nat inside
no snmp trap link-status
!
! DMZ VLAN 50 (192.168.50.0/24, secondary 192.168.60.0/24). Hosts here are the
! targets of the static TCP port-forwards in the NAT section; DMZ_in/DMZ_out
! restrict what they may reach and what may reach them. No PIM on this segment.
interface FastEthernet0/0.50
encapsulation dot1Q 50
ip address 192.168.60.1 255.255.255.0 secondary
ip address 192.168.50.1 255.255.255.0
ip access-group DMZ_in in
ip access-group DMZ_out out
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
no snmp trap link-status
!
! VLAN 100 (192.168.100.254/24): no ACL and no "ip nat inside", so this segment
! is not translated toward the Internet. GUESTS-in denies the guest VLANs
! access to 192.168.100.0/24, but Inside_F0/0.111_in does not, so VLAN 111 can
! reach it freely. ARP timeout shortened to 100 s (IOS default is 4 h).
interface FastEthernet0/0.100
encapsulation dot1Q 100
ip address 192.168.100.254 255.255.255.0
no ip proxy-arp
ip flow ingress
ip flow egress
no snmp trap link-status
arp timeout 100
!
! VLAN 111 (192.168.111.0/24). Inside_F0/0.111_in only blocks 10/8, 172.16/12
! and 127/8 as destinations — this VLAN therefore has unrestricted access to
! every other 192.168.x segment (guest VLANs, DMZ, VLAN 100) and to all of the
! router's own addresses. NAT inside toward the Internet.
interface FastEthernet0/0.111
encapsulation dot1Q 111
ip address 192.168.111.1 255.255.255.0
ip access-group Inside_F0/0.111_in in
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
no snmp trap link-status
!
! VLAN 244 (10.132.255.11/27): provider-side management segment and the
! NetFlow export source. spd-in admits a handful of named hosts only; spd-out
! denies all transit traffic leaving here — this does not affect packets the
! router itself originates (outbound ACLs are not applied to locally generated
! traffic), so routing/export toward 10.0.0.0/8 still works.
interface FastEthernet0/0.244
encapsulation dot1Q 244
ip address 10.132.255.11 255.255.255.224
ip access-group spd-in in
ip access-group spd-out out
no snmp trap link-status
!
! Internet uplink 1 (213.87.x.x/30), NAT outside. ICMP redirects/unreachables
! and CDP disabled; Ints_InterNet_in applied inbound.
! NOTE(review): the default route in the routing section points at this
! interface rather than at a next-hop address, so the router must ARP for
! every Internet destination and depends on the upstream answering via proxy
! ARP; with "arp timeout 100" those entries expire every 100 s, so the cache
! churns constantly. That plausibly explains the alternating 50% loss in the
! question — check "show ip arp" on this interface while it is happening, and
! prefer "ip route 0.0.0.0 0.0.0.0 <upstream-next-hop-ip>".
interface FastEthernet0/1
ip address 213.87.x.x 255.255.255.252
ip access-group Ints_InterNet_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
duplex auto
speed auto
no cdp enable
arp timeout 100
!
! Internet uplink 2 over the E1 (80.89.x.x/30). Same inbound ACL as Fa0/1 but
! no "ip nat outside"; only the single host route to 83.246.135.100 uses it.
interface Serial0/0/0:0
ip address 80.89.x.x 255.255.255.252
ip access-group Ints_InterNet_in in
no ip redirects
no ip unreachables
no ip proxy-arp
!
! Routing. The default route is bound to an interface, not a next-hop address
! (see the note on FastEthernet0/1). 10.0.0.0/8 goes via the provider's
! 10.132.255.1; one host route uses the E1.
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 10.0.0.0 255.0.0.0 10.132.255.1
ip route 83.246.135.100 255.255.255.255 Serial0/0/0:0
! NOTE(review): "ip dns server" makes the router answer DNS queries on its
! addresses, Internet-facing ones included (no interface binding is configured
! here). Because Ints_InterNet_in permits "udp/tcp any any eq domain", the
! router appears to be usable as an open resolver from the outside. Either drop
! "ip dns server" and hand clients the provider resolvers directly, or tighten
! those ACL lines to reply traffic from 217.8.235.81/82 (source port domain).
ip dns server
! NetFlow v5 export, sourced from the management subinterface.
ip flow-export source FastEthernet0/0.244
ip flow-export version 5
!
! HTTP server disabled (the local-auth line is inert while it stays off).
no ip http server
ip http authentication local
! NAT: PAT of 192.168.0.0/16 (access-list 10) behind Fa0/1; TCP/UDP translation
! timeouts 300 s / 45 s; at most 2000 translations per inside host
! ("all-host"). The static TCP forwards expose three DMZ hosts (values masked
! in the post). The bare "9" after them looks like a paste artifact rather
! than a command — confirm against the running-config.
ip nat translation tcp-timeout 300
ip nat translation udp-timeout 45
ip nat translation max-entries all-host 2000
ip nat inside source list 10 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.50.x yyy interface FastEthernet0/1 xxx
ip nat inside source static tcp 192.168.50.y yyy interface FastEthernet0/1 xxx
ip nat inside source static tcp 192.168.50.z yyy interface FastEthernet0/1 xxx
9
!
! Empty standard ACL; nothing in the posted config references it.
ip access-list standard R0
!
! Inbound from the DMZ segment (DMZ hosts as source). Order matters: the
! specific permits to 8.8.8.8/8.8.4.4, to the router itself (ICMP, NTP) and to
! two inside hosts come before the blanket deny of 192.168.0.0/16; everything
! after that deny is Internet-bound only. "log" on the www permit sends every
! matching packet through the logging path, which can be CPU-heavy on a 1841.
ip access-list extended DMZ_in
permit ip any host 8.8.8.8
permit ip any host 8.8.4.4
permit icmp any host 192.168.50.1
permit udp any host 192.168.50.1 eq ntp
permit ip any host 192.168.111.xx
permit ip any host 192.168.10.xxx
deny ip any 192.168.0.0 0.0.255.255
permit icmp any any echo
permit tcp host 192.168.50.xxx eq www host 80.89.xxx.xxx log
permit tcp host 192.168.50.xxx eq 554 host 80.89.xxx.xxx
permit udp host 192.168.50.xx any eq xxx
permit tcp host 192.168.50.xxx eq xxx any
deny ip any any
! Outbound toward the DMZ segment (mirror of DMZ_in, DMZ hosts as destination).
! NOTE(review): the final "permit ip any host 192.168.111.xxx" sits after
! "deny ip any any log" and is never matched (first-match order). It also names
! a VLAN-111 destination on an ACL that only sees traffic leaving toward the
! DMZ, so it looks like a stray copy from DMZ_in; remove it, or move it above
! the deny if it was meant to be effective.
ip access-list extended DMZ_out
permit ip host 8.8.8.8 any
permit ip host 8.8.4.4 any
permit icmp host 192.168.50.xxx any
permit udp host 192.168.50.xxx eq ntp any
permit ip host 192.168.111.xxx any
permit ip host 192.168.10.xxx any
deny ip 192.168.0.0 0.0.255.255 any
permit icmp any any echo-reply
permit tcp host 80.89.xxx.xxx host 192.168.50.xxx eq xxx
permit tcp host 80.89.xxx.xxx host 192.168.50.xxx eq xxx
permit udp any eq xxx host 192.168.50.xxx
permit tcp any host 192.168.50.xxx eq xxx
deny ip any any log
permit ip any host 192.168.111.xxx
! Inbound from the guest VLANs (2, 10-16). Structure: DHCP discover, a few
! per-host unrestricted permits, blocked protocols, then an egress allow-list.
ip access-list extended GUESTS-in
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
! Hosts exempt from every restriction below (addresses masked in the post).
permit ip host 192.168.10.xxx any
permit ip host 192.168.12.xxx any
permit ip host 192.168.13.xxx any
permit ip host 192.168.14.xxx any
permit ip host 192.168.15.xxx any
permit ip host 192.168.16.xxx any
permit ip host 192.168.2.xxx any
! Empty remark — its text was lost or never written.
remark
! Telnet, 4899 (Radmin default), 310 and the NetBIOS/SMB range blocked for
! guests, in both directions for the UDP NetBIOS ports.
deny tcp any any eq telnet
deny tcp any any eq 4899
deny tcp any any eq 310
deny tcp any any range 135 139
deny udp any any range 135 netbios-ss
deny udp any range 135 netbios-ss any
! Guests may not reach VLAN 111 or VLAN 100.
deny ip any 192.168.111.0 0.0.0.255
deny ip any 192.168.100.0 0.0.0.255
! NOTE(review): this permits guests to reach every other 192.168.x network —
! the other guest VLANs, the DMZ (50/60) and every 192.168.x address of the
! router itself (SNMP with the "public" community, DNS, any other listener),
! with only telnet denied above. A guest-isolation design would deny
! 192.168.0.0/16 here and permit only the router's own DNS/DHCP.
permit ip any 192.168.0.0 0.0.255.255
! Remaining private/loopback destinations blocked (192.168/16 was deliberately
! allowed above).
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 127.0.0.0 0.255.255.255
! Egress allow-list toward the Internet.
permit icmp any any
! UDP echo (port 7) is a legacy service and is rarely needed today.
permit udp any any eq echo
permit tcp any any eq domain
permit udp any any eq domain
permit tcp any any eq www
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq nntp
permit tcp any any eq 443
permit tcp any any eq 5222
permit tcp any any eq daytime
permit tcp any any eq 465
permit tcp any any eq 995
permit tcp any any eq 9000
! RTMP to one specific streaming host.
permit tcp any host 80.89.131.170 eq 1935
permit ip host 192.168.11.xxx any
permit ip host 192.168.111.xxx any
deny ip any any
! Inbound from VLAN 111: only 10/8, 172.16/12 and 127/8 destinations are
! blocked; everything else — including the guest VLANs, the DMZ, VLAN 100 and
! the router itself — is permitted.
ip access-list extended Inside_F0/0.111_in
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 127.0.0.0 0.255.255.255
permit ip any any
! Inbound from both Internet uplinks. Evaluated before NAT, so it sees the
! public destination addresses. Anti-spoofing first: private, loopback,
! broadcast and 0.0.0.0 sources are dropped.
ip access-list extended Ints_InterNet_in
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
! NOTE(review): these three lines let any Internet host reach the router's
! own NTP and DNS services ("ntp server" and "ip dns server" are configured,
! and no "ntp access-group" is present). For a client-only router, responses
! arrive from source port ntp/domain, so "permit udp any eq ntp any" and
! "permit udp any eq domain any" would admit replies without exposing the
! services; NAT state already covers replies to inside hosts.
permit udp any any eq ntp
permit tcp any any eq domain
permit udp any any eq domain
! ICMP: echo between the two uplinks' peers, replies and error types only;
! all other ICMP denied.
permit icmp host 213.87.xxx.xxx host 213.87.xx.xxx
permit icmp host 80.89.xxx.xxx host 80.89.xxx.xxx
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
permit icmp any any traceroute
permit icmp any any reassembly-timeout
deny icmp any any
! NOTE(review): cleartext telnet to the router from two Internet hosts. The
! ipbase image named under "boot system" may not offer SSH; if remote
! management over the Internet is really required, a crypto-capable (k9)
! image with SSH is the proper fix rather than telnet.
permit tcp host 80.89.140.xxx host 213.87.116.xxx eq telnet
permit tcp host 80.89.140.xxx host 80.89.140.xxx eq telnet
! Everything else below 1024 is blocked; all higher ports are permitted, which
! also exposes any router service listening above 1023 — NAT translation state
! is what actually protects the inside hosts here.
deny tcp any any lt 1024
deny udp any any lt 1024
permit ip any any
! Inbound from the provider management segment: named hosts may reach the
! router's 10.132.255.11 (two of them by telnet only); 10.132.227.251 may reach
! anything.
! NOTE(review): the first entry's wildcard 255.255.255.128 on 0.0.0.0 does not
! describe a network — it matches any source whose last octet is 0 or 128,
! from anywhere. Almost certainly a mistyped network/mask pair; confirm the
! intended range and rewrite it with a proper wildcard.
ip access-list extended spd-in
permit ip 0.0.0.0 255.255.255.128 host 10.132.255.11
permit ip host 10.132.232.50 host 10.132.255.11
permit ip host 10.132.79.205 host 10.132.255.11
permit tcp host 10.132.207.7 host 10.132.255.11 eq telnet
permit ip host 10.132.227.251 any
permit tcp host 10.132.227.7 host 10.132.255.11 eq telnet
deny ip any any
! No transit traffic may leave toward the management segment. Outbound ACLs do
! not apply to packets the router originates, so its own NetFlow export and
! routing to 10.0.0.0/8 are unaffected.
ip access-list extended spd-out
deny ip any any
!
! NAT inside source list: all of 192.168.0.0/16.
access-list 10 permit 192.168.0.0 0.0.255.255
! NOTE(review): default community "public", read-only, with no source ACL.
! Blocked from the Internet by "deny udp any any lt 1024" in Ints_InterNet_in,
! but reachable from every guest VLAN through GUESTS-in's
! "permit ip any 192.168.0.0 0.0.255.255", and from VLAN 111. Use a
! non-default community and restrict its sources
! ("snmp-server community <community> RO <acl>"), or remove it if nothing
! polls the router.
snmp-server community public RO
disable-eadi
!
! No service-policy attached (no CoPP): the router's own services (DNS, NTP,
! SNMP, DHCP, NAT) are protected only by the interface ACLs above.
control-plane
!
!
! Terminal lines. "exec-timeout 0 0" disables the idle logout on the console
! and on all vty lines; vty login uses the local user database (no AAA;
! usernames are not part of the posted excerpt). No "access-class" limits
! where vty sessions may originate and no "transport input" is set, so the
! image default applies: telnet is reachable from the two Internet hosts
! permitted in Ints_InterNet_in and from VLANs 100/111 (GUESTS-in blocks it
! from the guest VLANs). Consider a non-zero exec-timeout and an access-class
! on the vty lines.
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
exec-timeout 0 0
login local
line vty 5 10
exec-timeout 0 0
login local
!
! Scheduler tuning and NTP clients (89.108.81.77 preferred). "ntp clock-period"
! is written by IOS itself and should not be hand-edited. No "ntp access-group"
! restricts who may query the router's NTP service.
scheduler allocate 20000 1000
ntp clock-period 17178295
ntp server 194.25.115.122
ntp server 89.108.81.77 prefer
end
Ответы на вопрос 1
Dormidont
@Dormidont
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1

Я не спец по цискам, но искал я именно эту строку.
Использование интерфейса (а не IP-адреса следующего узла) в качестве шлюза по умолчанию — плохо: маршрутизатор вынужден делать ARP-запрос на каждый внешний адрес назначения, и ARP-кэш начинает переполняться.
Пропишите в маршруте по умолчанию вместо имени интерфейса IP-адрес следующего узла (шлюза провайдера).