подсчет трафика и cisco

ppe
Сообщения: 50
Зарегистрирован: Чт авг 09, 2007 11:35 am

подсчет трафика и cisco

Сообщение ppe »

Столкнулся с проблемой. После отключения пользователя счетчики сохраняются (virtual-access переходит в состояние down, но не уничтожается). И при подключении нового пользователя на этот же интерфейс он получает "наследство" от своего предшественника. Может, это даже больше вопрос по конфигурированию cisco. Перерыл конфиг, перечитал кучу всего (может, что-то и пропустил), пробовал прикрутить clear counters. Все равно периодически выскакивает "левый" трафик. Даже не знаю, в какую сторону смотреть уже...


! Global section: log timestamps, AAA against RADIUS, local credentials,
! rsh/rcp (rcmd) trust entries, CEF, FTP client credentials, DNS.
! Last configuration change at 19:51:15 UA Sat May 3 2008 by root
! NVRAM config last updated at 21:07:45 UA Sat May 3 2008
!
version 12.2
! "uptime" stamps are relative to the last reload.
! NOTE(review): "datetime" stamps would be easier to line up with RADIUS
! accounting records -- confirm what the log consumers expect.
service timestamps debug uptime
service timestamps log uptime
! Stores passwords as type 7, which is reversible obfuscation rather than a hash.
! Every type 7 value in this listing has been masked by the poster.
service password-encryption
!
hostname firewall
!
! PPP authentication and network authorization use RADIUS only; no second
! (fallback) method is listed. No "aaa authentication login" list appears.
! NOTE(review): presumably exec logins then fall back to the IOS defaults
! (local user database on vty) -- confirm on the device.
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius 
! Accounting: the start record is delayed until the peer address is known,
! interim updates are sent every 1 minute, and start/stop records for
! network sessions go to RADIUS.
! NOTE(review): these records carry per-session counters; presumably the
! "inherited" traffic described in the post comes from reading interface
! counters of a reused Virtual-Access instead -- confirm how traffic is collected.
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network default start-stop group radius
! Type 5 = salted MD5-based one-way hash (masked here).
enable secret 5 **************
!
! Local users stored as type 7 (reversible). The second one has privilege 15.
! NOTE(review): "username ... secret" stores a hash instead, if this image supports it.
username ******* password 7 *************
username ******  privilege 15 password 7 ***********
clock timezone UA 2
ip subnet-zero
! At most one ICMP unreachable per 1000 ms.
ip icmp rate-limit unreachable 1000
! rsh/rcp service on the router. These protocols use no password and no
! encryption: a request is accepted when its source address and user names
! match a remote-host entry. The trailing "enable" allows the remote user to
! run privileged commands. "no ip rcmd domain-lookup" switches off the DNS
! check of the remote host.
! The trusted hosts 192.168.20.4 and 192.168.20.1 are also published to the
! outside by the static NAT entries further down (tcp/80, tcp/25, tcp+udp/53),
! so a compromise of either service host extends to privileged router access.
! NOTE(review): if nothing depends on rsh/rcp, removing it in favour of SSH
! with per-user credentials closes that path.
! NOTE(review): the last two remote-host lines name the same address; with
! the user names masked it cannot be told whether one is a duplicate.
no ip rcmd domain-lookup
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-host ********* 192.168.20.4 ******** enable
ip rcmd remote-host ********* 192.168.20.1 ******** enable
ip rcmd remote-host ********* 192.168.20.1 ******** enable
ip cef
! Credentials the router presents as an FTP client; password is type 7 (reversible).
ip ftp username ***************
ip ftp password 7 **************
ip domain-name lutacom.net
ip name-server 192.168.20.1
!
! PPTP dial-in. Virtual profiles take interface settings from
! Virtual-Template2 and per-user settings from AAA; the vpdn-group accepts
! PPTP tunnels and binds them to the same template.
! NOTE(review): the two "vpdn aaa attribute" lines presumably fill the RADIUS
! NAS-IP-Address and NAS-Port attributes from the VPDN NAS -- confirm against
! what the RADIUS server records.
virtual-profile virtual-template 2
virtual-profile aaa
vpdn enable
vpdn aaa attribute nas-ip-address vpdn-nas
vpdn aaa attribute nas-port vpdn-nas
!
vpdn-group pptp
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 2
 ip mtu adjust
!
!
! Loopback0 supplies the address that Virtual-Template2 borrows through
! "ip unnumbered"; it is marked as a NAT inside interface.
interface Loopback0
 ip address 192.168.4.1 255.255.255.255
 ip nat inside
!
! Outside (Internet-facing) interface. Inbound traffic is filtered by the
! named ACL inet_in; strict unicast RPF drops packets whose source is not
! reachable through this interface; ICMP unreachables and proxy ARP are off.
! The rate-limit line polices outbound packets matching ACL 2020 (ICMP) to
! 8000 bit/s with 1500/2000-byte bursts and drops the excess. All output is
! shaped to 10 Mbit/s. "snmp ifindex persist" keeps the ifIndex stable across reloads.
interface Ethernet0
 ip address 195.64.142.30 255.255.255.252
 ip access-group inet_in in
 ip verify unicast reverse-path
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 rate-limit output access-group 2020 8000 1500 2000 conform-action transmit exceed-action drop
 ip route-cache same-interface
 media-type 10BaseT
 snmp ifindex persist
 traffic-shape rate 10000000 250000 250000 1000
!
! Template cloned for every PPTP session. Client traffic is filtered by
! ACL 2000 (from the client) and ACL 2001 (to the client), checked with
! strict unicast RPF, NATed as "inside", and its ICMP output is policed
! through ACL 2020. Addresses come from the pool pptp_client.
! "ip route-cache flow" enables NetFlow switching; no "ip flow-export"
! destination appears in this listing.
! Authentication offers MS-CHAP, then CHAP. Both are legacy challenge-response
! methods, and no "ppp encrypt mppe" line is present, so as shown the PPTP
! payload is not encrypted.
! NOTE(review): confirm this is intended (access concentrator used for
! accounting only) before anything sensitive is carried over these sessions.
interface Virtual-Template2
 ip unnumbered Loopback0
 ip access-group 2000 in
 ip access-group 2001 out
 ip verify unicast reverse-path
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 rate-limit output access-group 2020 8000 1500 2000 conform-action transmit exceed-action drop
 ip route-cache flow
 peer default ip address pool pptp_client
 ppp authentication ms-chap chap
!
! Segment 192.168.20.0/24. It holds the RADIUS server, the name server and
! the rcmd/SNMP-RW trusted hosts, and it is the RADIUS source interface.
! No "ip access-group" is applied here: the ACLs from_20 and to_20 exist in
! the listing but are not referenced by any interface.
! NOTE(review): router management reachable from this segment is therefore
! limited only by line and service settings -- confirm that is intended.
interface FastEthernet0
 ip address 192.168.20.2 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip route-cache same-interface
 half-duplex
 snmp ifindex persist
!
! Client-facing segment 192.168.30.0/23. Inbound traffic is filtered by the
! named ACL access_30, strict unicast RPF is on, ICMP unreachables and proxy
! ARP are off. Outbound ICMP matching ACL 2020 is policed to 128000 bit/s;
! all output is shaped to 10 Mbit/s.
interface FastEthernet1
 ip address 192.168.30.8 255.255.254.0
 ip access-group access_30 in
 ip verify unicast reverse-path
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 rate-limit output access-group 2020 128000 1500 2000 conform-action transmit exceed-action drop
 full-duplex
 snmp ifindex persist
 traffic-shape rate 10000000 250000 250000 1000
!
! Address pool for PPTP clients: 192.168.4.2 through 192.168.5.254.
ip local pool pptp_client 192.168.4.2 192.168.5.254
! NAT: translations time out after 180 seconds; traffic selected by
! route-map to_inet is overloaded (PAT) onto the Ethernet0 address.
ip nat translation timeout 180
ip nat inside source route-map to_inet interface Ethernet0 overload
! Port forwards from the outside address: tcp/80 to 192.168.20.4, tcp/25 and
! tcp+udp/53 to 192.168.20.1. The same two hosts are trusted by the rcmd
! entries and by ACL 2 (SNMP RW); 192.168.20.4 is also the RADIUS server.
! NOTE(review): Internet-facing services and router-administration trust sit
! on the same hosts; separating them limits what a service compromise reaches.
ip nat inside source static tcp 192.168.20.4 80 interface Ethernet0 80
ip nat inside source static tcp 192.168.20.1 25 interface Ethernet0 25
ip nat inside source static udp 192.168.20.1 53 interface Ethernet0 53
ip nat inside source static tcp 192.168.20.1 53 interface Ethernet0 53
ip classless
ip route 0.0.0.0 0.0.0.0 195.64.142.29
! The HTTP management server is disabled.
no ip http server
!
!
! access_30: inbound filter on FastEthernet1. Toward the router address it
! permits PPTP control (tcp/1723), GRE, tcp/22 and four ICMP types (three of
! them logged). Host 192.168.30.2 is permitted to any destination. Everything
! else from the segment falls to the implicit deny.
! NOTE(review): tcp/22 is opened, but whether SSH is enabled cannot be told
! from this listing (the vty lines show no "transport input").
! NOTE(review): the 192.168.30.2 entry trusts a source address alone -- confirm
! the host is still in use.
ip access-list extended access_30
 permit tcp any host 192.168.30.8 eq 1723
 permit gre any host 192.168.30.8
 permit tcp any host 192.168.30.8 eq 22
 permit ip host 192.168.30.2 any
 permit icmp 192.168.30.0 0.0.1.255 host 192.168.30.8 echo log
 permit icmp 192.168.30.0 0.0.1.255 host 192.168.30.8 unreachable log
 permit icmp 192.168.30.0 0.0.1.255 host 192.168.30.8 source-quench log
 permit icmp 192.168.30.0 0.0.1.255 host 192.168.30.8 echo-reply
! from_20: permits everything; the first entry only adds logging for host
! 192.168.20.248. Not referenced by any interface in this listing.
ip access-list extended from_20
 permit ip host 192.168.20.248 any log
 permit ip any any
! inet_in: inbound filter on Ethernet0 (outside). It admits TCP replies
! ("established") to ports above 1023, the published services (www, smtp,
! domain over tcp and udp), NTP with port 123 on both ends, four ICMP types,
! and anything addressed to 194.116.195.208/28. All else hits the implicit deny.
! The entries "permit udp any eq 28960 ..." and "permit udp any eq domain ..."
! match on the SOURCE port only, so they accept UDP to every destination port
! on the router's outside address, not just replies.
! NOTE(review): if these are meant as reply rules, narrowing the destination
! (for example "gt 1023") keeps router-local UDP services out of reach.
! NOTE(review): 194.116.195.208/28 is not configured on any interface in this
! listing -- confirm the "permit ip any" entry for it is still needed.
ip access-list extended inet_in
 permit tcp any host 195.64.142.30 gt 1023 established
 permit tcp any host 195.64.142.30 eq www
 permit tcp any host 195.64.142.30 eq smtp
 permit tcp any host 195.64.142.30 eq domain
 permit udp any host 195.64.142.30 eq domain
 permit udp any eq ntp host 195.64.142.30 eq ntp
 permit ip any 194.116.195.208 0.0.0.15
 permit icmp any host 195.64.142.30 echo
 permit icmp any host 195.64.142.30 unreachable
 permit icmp any host 195.64.142.30 source-quench
 permit icmp any host 195.64.142.30 echo-reply
 permit udp any eq 28960 host 195.64.142.30
 permit tcp any eq 28960 host 195.64.142.30 established
 permit udp any eq domain host 195.64.142.30
! to_20: would keep the PPTP pool (192.168.4.0/23) and the 192.168.30.0/23
! segment, except host 192.168.30.2, away from 192.168.20.0/24.
! Not referenced by any interface in this listing, so it filters nothing as shown.
ip access-list extended to_20
 deny   ip 192.168.4.0 0.0.1.255 192.168.20.0 0.0.0.255
 permit ip host 192.168.30.2 192.168.20.0 0.0.0.255
 deny   ip 192.168.30.0 0.0.1.255 192.168.20.0 0.0.0.255
 permit ip any any
! to__inet: matched by route-map to_inet, which selects traffic for PAT on
! Ethernet0. It is a NAT selector, not a packet filter: a "deny" here means
! "do not translate", not "drop". It excludes SMTP from the PPTP pool,
! broadcasts, and traffic to 192.168.0.0/16 or 194.116.195.208/28, and
! selects TCP, UDP and ICMP from 192.168.4.0/23 and 192.168.20.0/24.
ip access-list extended to__inet
 deny   tcp 192.168.4.0 0.0.1.255 any eq smtp
 deny   ip any host 255.255.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 194.116.195.208 0.0.0.15
 permit tcp 192.168.4.0 0.0.1.255 any
 permit udp 192.168.4.0 0.0.1.255 any
 permit tcp 192.168.20.0 0.0.0.255 any
 permit udp 192.168.20.0 0.0.0.255 any
 permit icmp 192.168.4.0 0.0.1.255 any
 permit icmp 192.168.20.0 0.0.0.255 any
! RADIUS packets are sourced from the FastEthernet0 address.
ip radius source-interface FastEthernet0
! ACL 2: the two hosts allowed to use the SNMP read-write community.
access-list 2 permit 192.168.20.4
access-list 2 permit 192.168.20.1
! ACL 2000: inbound on Virtual-Template2 (traffic coming from PPTP clients).
! Clients may not reach 192.168.0.0/16, 194.116.195.208/28 or any SMTP port;
! sources in 194.116.195.208/28 and the pool 192.168.4.0/23 are then permitted.
! The entries denying 192.168.4.0/23 and host 192.168.5.255 fall inside the
! 192.168.0.0/16 deny on the first line, so they can never match.
access-list 2000 deny   ip any 192.168.0.0 0.0.255.255
access-list 2000 deny   ip any 194.116.195.208 0.0.0.15
access-list 2000 deny   tcp any any eq smtp
access-list 2000 deny   ip any 192.168.4.0 0.0.1.255
access-list 2000 deny   ip any host 192.168.5.255
access-list 2000 deny   ip any host 255.255.255.255
access-list 2000 permit ip 194.116.195.208 0.0.0.15 any
access-list 2000 permit ip 192.168.4.0 0.0.1.255 any
! ACL 2001: outbound on Virtual-Template2 (traffic going to PPTP clients).
! Sources in 192.168.0.0/16 and 194.116.195.208/28 and SMTP replies are
! dropped; the rest is allowed only toward the pool or 194.116.195.208/28.
! The last line spells out the implicit deny.
access-list 2001 deny   ip 192.168.0.0 0.0.255.255 any
access-list 2001 deny   ip 194.116.195.208 0.0.0.15 any
access-list 2001 deny   tcp any eq smtp any
access-list 2001 permit ip any 192.168.4.0 0.0.1.255
access-list 2001 permit ip any 194.116.195.208 0.0.0.15
access-list 2001 deny   ip any any
! ACL 2020: selects ICMP for the "rate-limit output" lines on the interfaces.
! Echo replies match the first entry without logging; all other ICMP
! matches the second entry and is logged.
access-list 2020 permit icmp any any echo-reply
access-list 2020 permit icmp any any log
! ACL 2100 is not referenced anywhere in this listing.
access-list 2100 permit tcp host 195.64.142.30 eq www any
! Route-map used by the PAT rule: translate what the ACL to__inet permits.
route-map to_inet permit 10
 match ip address to__inet
!
! SNMP. "public" (read-only) has no access-list attached; "private"
! (read-write) is limited to the hosts in ACL 2. Both are the widely known
! default community names, and community strings travel in clear text.
! A read-write community can change the device configuration.
! NOTE(review): use unique strings and bind the RO community to an ACL as
! well; SNMPv3 is preferable if this image supports it.
! Traps for tty events are enabled, but no "snmp-server host" destination
! appears in this listing.
snmp-server community public RO
snmp-server community private RW 2
snmp-server ifindex persist
snmp-server location Firewall 
snmp-server enable traps tty
snmp-server manager
! RADIUS server 192.168.20.4, authentication on 1812 and accounting on 1813.
! The shared key is type 7 (reversible) and masked here. Attributes 32
! (NAS-Identifier) and 44 (Acct-Session-Id) are added to access requests.
! NOTE(review): "configure-nas" presumably has the router ask RADIUS for
! static routes and pool definitions at startup -- confirm it is still needed.
radius-server configure-nas
radius-server host 192.168.20.4 auth-port 1812 acct-port 1813 key 7 ***********************
radius-server attribute 32 include-in-access-req 
radius-server attribute 44 include-in-access-req
!
! Terminal lines. No settings are shown: no "access-class", no
! "transport input" restriction, no changed "exec-timeout".
! NOTE(review): an "access-class" on the vty lines and "transport input ssh"
! would restrict management to known hosts and an encrypted protocol; as
! shown, only the interface ACLs limit who can reach the lines.
line con 0
line aux 0
line vty 0 4
!
! NTP. "ntp clock-period" is written by IOS itself and should not be copied
! to another device. Twelve public servers are listed; no NTP authentication
! and no "ntp access-group" appear in this listing.
ntp clock-period 17179976
ntp server 213.41.245.21
ntp server 62.66.254.154
ntp server 210.64.9.140
ntp server 85.25.252.58
ntp server 195.234.188.26
ntp server 76.169.239.34
ntp server 80.96.148.132
ntp server 88.191.21.6
ntp server 134.99.176.3
ntp server 138.236.128.117
ntp server 128.10.252.10
ntp server 69.182.190.97
end


