Topic: Any Cisco people here?


Any Cisco people here?
Posted by: iczfirz
Posted on: 2003-09-29 01:34

Can anyone take a look at this? Is there anything that needs changing, and are there any holes in it?

[code] ip nat pool net-pub 202.123.165.25 202.123.165.25 netmask 255.255.255.252
ip nat pool real-hosts 10.0.1.130 10.0.1.138 prefix-length 28 type rotary
ip nat inside source list 1 pool net-pub overload
ip nat inside destination list 2 pool real-hosts
!
!
interface Ethernet0
ip address 10.0.1.254 255.255.255.0
no ip redirects
ip nat inside
no ip route-cache
no ip mroute-cache
standby 1 timers 5 15
standby 1 priority 110
standby 1 preempt
standby 1 authentication denmark
standby 1 ip 10.0.1.1
!
interface Serial0
ip address 202.123.165.31 255.255.255.128
ip nat outside
no ip route-cache
no ip mroute-cache
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 202.123.165.24 255.255.255.248 Serial0
!
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 2 permit 202.123.165.26
[/code]

Re: Any Cisco people here?
Posted by: LP
Posted on: 2003-09-29 16:30

standby 1 timers 5 15
standby 1 priority 110
standby 1 preempt
standby 1 authentication denmark
standby 1 ip 10.0.1.1

What are the purposes for doing these commands?

Re: Any Cisco people here?
Posted by: ellis
Posted on: 2003-09-29 17:50

Hi KK,

I think you want to do something about TCP traffic load distribution from an outside source to your local destination hosts, right?

Could you please summarize your problem? I heard you say something
cannot ping...
Thanks

wai.

Re: Any Cisco people here?
Posted by: iczfirz
Posted on: 2003-09-29 22:36

Thanks to you both first :P

LP.. those lines are HSRP... all the machines on Ethernet 0 default to 10.0.1.1

ellis... spot on... actually whether it pings or not is a minor thing... the problem is I don't yet know how to let the machines inside 10.0.1.0 also use the real-hosts IP for load dist.

Re: Any Cisco people here?
Posted by: LP
Posted on: 2003-09-30 00:42

sounds quite hard to do that bor... |)
never seen this case before, i just know two leased lines to do load balancing only~~ good assignment... let me try to do some research first~~:D any findings on the cisco homepage?

Re: Re: Any Cisco people here?
Posted by: franng
Posted on: 2003-09-30 00:56

ellis wrote:
Hi KK,

I think you want to do something about TCP traffic load distribution from an outside source to your local destination hosts, right?

Could you please summarize your problem? I heard you say something
cannot ping...
Thanks

wai.


You rascal cow cow. You came up here and didn't even tell me.

Re: Re: Any Cisco people here?
Posted by: iczfirz
Posted on: 2003-09-30 01:22

LP wrote:
sounds quite hard to do that bor... |)
never seen this case before, i just know two leased lines to do load balancing only~~ good assignment... let me try to do some research first~~:D any findings on the cisco homepage?


no la... couldn't find anything on NAT overload + load dist. Right now I only have five usable IPs.. so the only way is to do NAT overload myself and then load dist. Bought two 2514s today.. the new config is like this... HSRP not added yet. Outside is 202.123.165.24/248, inside is private IP 1.0.0.x.. what do you guys think.. how can I also get the internal 1.0.0.x to have its own load dist?

[code]
interface Ethernet0
ip address 202.123.165.26 255.255.255.128
ip nat outside
!
interface Ethernet1
ip address 1.0.0.1 255.255.255.0
ip nat inside
!
ip nat pool net-27 202.123.165.27 202.123.165.27 netmask 255.255.255.128
ip nat pool www1 1.0.0.130 1.0.0.131 prefix-length 28 type rotary
ip nat inside source list 1 pool net-27 overload
ip nat inside destination list 2 pool www1
no ip classless
ip route 0.0.0.0 0.0.0.0 202.123.165.25
ip route 202.123.165.27 255.255.255.255 Ethernet1
no ip http server
ip pim bidir-enable
!
access-list 1 permit 1.0.0.0 0.0.0.255
access-list 2 permit 202.123.165.27

[/code]

Re: Re: Re: Any Cisco people here?
Posted by: ellis
Posted on: 2003-09-30 12:47

franng wrote:
ellis wrote:
Hi KK,

I think you want to do something about TCP traffic load distribution from an outside source to your local destination hosts, right?

Could you please summarize your problem? I heard you say something
cannot ping...
Thanks

wai.


You rascal cow cow. You came up here and didn't even tell me.


I didn't know you had registered here ma...

Re: Any Cisco people here?
Posted by: franng
Posted on: 2003-09-30 13:01

o i c.. welcome u.. kee kee

Re: Re: Re: Any Cisco people here?
Posted by: ellis
Posted on: 2003-09-30 15:30

iczfirz wrote:
LP wrote:
sounds quite hard to do that bor... |)
never seen this case before, i just know two leased lines to do load balancing only~~ good assignment... let me try to do some research first~~:D any findings on the cisco homepage?


no la... couldn't find anything on NAT overload + load dist. Right now I only have five usable IPs.. so the only way is to do NAT overload myself and then load dist. Bought two 2514s today.. the new config is like this... HSRP not added yet. Outside is 202.123.165.24/248, inside is private IP 1.0.0.x.. what do you guys think.. how can I also get the internal 1.0.0.x to have its own load dist?

[code]
interface Ethernet0
ip address 202.123.165.26 255.255.255.128
ip nat outside
!
interface Ethernet1
ip address 1.0.0.1 255.255.255.0
ip nat inside
!
ip nat pool net-27 202.123.165.27 202.123.165.27 netmask 255.255.255.128
ip nat pool www1 1.0.0.130 1.0.0.131 prefix-length 28 type rotary
ip nat inside source list 1 pool net-27 overload
ip nat inside destination list 2 pool www1
no ip classless
ip route 0.0.0.0 0.0.0.0 202.123.165.25
ip route 202.123.165.27 255.255.255.255 Ethernet1
no ip http server
ip pim bidir-enable
!
access-list 1 permit 1.0.0.0 0.0.0.255
access-list 2 permit 202.123.165.27

[/code]




seems impossible:
1. When internal hosts communicate with your real host, it will not pass via
the router or default gateway. It will contact the real host directly.
2. According to Cisco docs, TCP load dist is one-way communication. 'nat inside' will respond to 'nat outside'; your internal host cannot perform any more NAT to your real hosts.

Two possible ways:
1. Assign a public IP for your real host, assign one virtual public IP for public load sharing to your real host.
Assign a private IP for your real host for internal load sharing. Map the private IP to the real host (public IP). Some modification in the router is needed to do load sharing.
2. If you have two 2514s, let's say R1 and R2, make your real hosts a separate
segment between R1 and R2, say 20.20.20.x.
Public load sharing will do the same as you configured; also configure an internal load sharing in R1. Then it will look like the following:
R1 -- Real Host segment -- R2
R1 for the internal segment, R2 for the public segment.
But you will lose HSRP with this option, or you need to get one more 2514 or others.

The two options above need testing, but conceptually, option 2 will work.
But there is a much easier way to do internal load distribution. If you have an
internal DNS, why not just enable the load balancing function for your
internal real hosts; then DNS will serve on a round-robin basis for real hosts to internal hosts.
This is the fastest way to configure and for sure should work.

Re: Any Cisco people here?
Posted by: iczfirz
Posted on: 2003-10-01 01:46

Brother Wai..
I don't understand the first method :P
For the second, you already said there's no HSRP, or one more unit has to be added...

DNS round robin isn't actually bad.. but it just doesn't feel right to me... and it also costs network traffic.. ;)

Re: Re: Any Cisco people here?
Posted by: ellis
Posted on: 2003-10-02 22:45

iczfirz wrote:
Brother Wai..
I don't understand the first method :P
For the second, you already said there's no HSRP, or one more unit has to be added...

DNS round robin isn't actually bad.. but it just doesn't feel right to me... and it also costs network traffic.. ;)


Sorry for my late reply as I was busy with my work.
There is a method below; it is used for NAT on a single interface.
Just like you want NAT for your internal host (NAT inside) and the same interface for outgoing (NAT outside).

========================
interface Ethernet0
   ip address 202.123.165.26 255.255.255.128
   ip nat outside
!
interface Ethernet1
   ip address 1.0.0.1 255.255.255.0
   ip nat inside
   ip policy route-map INTERNAL
!
interface loopback0
   ip address 5.5.5.1 255.255.255.0
   ip nat outside
!
  ip nat pool net-27 202.123.165.27 202.123.165.27 netmask 255.255.255.128
  ip nat pool www1 1.0.0.130 1.0.0.131 prefix-length 28 type rotary
  ip nat inside source list 1 pool net-27 overload
  ip nat inside destination list 2 pool www1
  ip nat inside destination list 3 pool www1
!
ip classless
  ip route 0.0.0.0 0.0.0.0 202.123.165.25
  ip route 202.123.165.27 255.255.255.255 Ethernet1
  no ip http server ip pim bidir-enable
!
router eigrp 1
  network 5.5.5.0 0.0.0.255
  network 1.0.0.0 0.0.0.255
!
access-list 1 permit 1.0.0.0 0.0.0.255
access-list 2 permit 202.123.165.27
access-list 3 permit 1.1.1.254 <virtual ip of internal real host>
access-list 101 permit ip 1.0.0.0 0.0.0.255 host 1.1.1.254
!
route-map INTERNAL permit 10
  match ip address 101
  set ip next-hop 5.5.5.2

=======================
set ip next-hop 5.5.5.2 is used for the packet to be routed out from the loopback interface.
You may need to make some modifications to the above to suit your needs.

Re: Any Cisco people here?
Posted by: iczfirz
Posted on: 2003-10-02 23:44

Brother Wai... here's another hard one for you :P

[code]
ip host host-29 202.123.165.29
!
!
!
!
interface Ethernet0
  ip address 202.123.165.30 255.255.255.248
  ip nat outside
  no mop enabled
!
interface Ethernet1
  ip address 1.0.0.1 255.255.255.0
  ip nat inside
  no mop enabled
!
ip nat pool host-29 202.123.165.29 202.123.165.29 netmask 255.255.255.248
ip nat pool service-11 1.0.0.11 1.0.0.11 prefix-length 28 type rotary
ip nat inside source list 1 pool host-29 overload
ip nat inside destination list 10 pool service-11
ip classless
ip route 0.0.0.0 0.0.0.0 202.123.165.25
no ip http server
ip pim bidir-enable
!
access-list 1 permit 1.0.0.0 0.0.0.255
access-list 10 permit 202.123.165.29
!
[/code]

The above works... load distribution is done..

But I also need it to pick the server pool according to which port it sees.. so I changed those two lines above to the following... hoping that when it sees telnet it goes into pool service-11... other ports go to service-12 13 14... but....
[code]
ip nat inside destination list 10 pool service-11
>>>>
ip nat inside destination list 199 pool service-11

access-list 10 permit 202.123.165.29
>>>>
access-list 199 permit 23 host 202.123.165.29 any
[/code]
But it just doesn't work.. debug nat doesn't show any reaction at all... meaning ACL 199 doesn't work.. any ideas?

Re: Any Cisco people here?
Posted by: iczfirz
Posted on: 2003-10-03 00:04

Actually my biggest problem is...

I have..
1* IP
1* 2514 dual Ethernet
4* servers (4* web, 1* ftp, 1* sendmail, 4* imap)

With NAT load distribution... round-robining these 4 servers on my 1 IP is a real headache... because the router will RR all 4 servers every time.. but not every server runs sendmail and ftp..

So I thought of opening 4 RR pools.. and using whichever pool depending on which port the traffic comes in on... but in the end I only got as far as the config above, and it doesn't work...

Actually I have 2 2514s on hand... crossing the two Serial 0s and adding the stuff below does what I need... but using two is really clumsy... but the bit in the post above doesn't work.. and my skills aren't up to it yet... so I'll just make do with this for now.. :(

The one on the public side... (first NAT to another set of IPs... which will be 1.0."public last octet"."port")
[code]
interface Ethernet0
ip address 202.123.165.30 255.255.255.248
ip nat outside
!
interface Serial0
ip address 1.0.1.1 255.255.255.0
ip nat inside
no ip mroute-cache
clockrate 4000000
dce-terminal-timing-enable
!
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 1.0.29.21 21 202.123.165.29 21 extendable
ip nat inside source static tcp 1.0.29.23 23 202.123.165.29 23 extendable
ip nat inside source static tcp 1.0.29.25 25 202.123.165.29 25 extendable
ip nat inside source static tcp 1.0.29.21 20 202.123.165.29 20 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 202.123.165.25
ip route 1.0.0.0 255.255.0.0 Serial0
ip http server
ip pim bidir-enable
!
access-list 1 permit 1.0.0.0 0.0.255.255
[/code]

The one on the private side.. (based on the NAT above, going into its own RR pool)
[code]
!
interface Ethernet1
ip address 1.0.0.1 255.255.255.0
ip nat inside
!
interface Serial0
ip address 1.0.1.2 255.255.255.0
ip nat outside
no ip mroute-cache
no fair-queue
compress stac
!
interface Serial1
no ip address
shutdown
!
ip nat pool service-29-23 1.0.0.11 1.0.0.11 prefix-length 28 type rotary
ip nat pool service-29-25 1.0.0.11 1.0.0.12 prefix-length 28 type rotary
ip nat pool service-29-21 1.0.0.11 1.0.0.12 prefix-length 28 type rotary
ip nat inside source list 1 interface Serial0 overload
ip nat inside destination list 2 pool service-29-23
ip nat inside destination list 3 pool service-29-25
ip nat inside destination list 4 pool service-29-21
ip classless
ip route 0.0.0.0 0.0.0.0 1.0.1.1
ip http server
ip pim bidir-enable
!
access-list 1 permit 1.0.0.0 0.0.0.255
access-list 2 permit 1.0.29.23
access-list 3 permit 1.0.29.25
access-list 4 permit 1.0.29.21
[/code]

Actually... is there any trick for a single 2514 to loop its own serial back to itself and do NAT twice?

Waiting for you to save me... remember to make franng treat you to dinner :P

Re: Re: Any Cisco people here?
Posted by: ellis
Posted on: 2003-10-03 00:12

iczfirz wrote:
Brother Wai... here's another hard one for you :P

[code]
ip host host-29 202.123.165.29
!
!
!
!
interface Ethernet0
  ip address 202.123.165.30 255.255.255.248
  ip nat outside
  no mop enabled
!
interface Ethernet1
  ip address 1.0.0.1 255.255.255.0
  ip nat inside
  no mop enabled
!
ip nat pool host-29 202.123.165.29 202.123.165.29 netmask 255.255.255.248
ip nat pool service-11 1.0.0.11 1.0.0.11 prefix-length 28 type rotary
ip nat inside source list 1 pool host-29 overload
ip nat inside destination list 10 pool service-11
ip classless
ip route 0.0.0.0 0.0.0.0 202.123.165.25
no ip http server
ip pim bidir-enable
!
access-list 1 permit 1.0.0.0 0.0.0.255
access-list 10 permit 202.123.165.29
!
[/code]

The above works... load distribution is done..

But I also need it to pick the server pool according to which port it sees.. so I changed those two lines above to the following... hoping that when it sees telnet it goes into pool service-11... other ports go to service-12 13 14... but....
[code]
ip nat inside destination list 10 pool service-11
>>>>
ip nat inside destination list 199 pool service-11

access-list 10 permit 202.123.165.29
>>>>
access-list 199 permit 23 host 202.123.165.29 any
[/code]
But it just doesn't work.. debug nat doesn't show any reaction at all... meaning ACL 199 doesn't work.. any ideas?


Try sh access-list or show ip access-list to check whether there are any match
entries for access list 199.
Anyway, there is some error in access-list 199; should it look like this:

access-list 199 permit tcp host 202.123.165.29 eq telnet any eq telnet
or
access-list 199 permit tcp host 202.123.165.29 eq telnet host 1.0.0.11 eq telnet

Re: Any Cisco people here?
Posted by: iczfirz
Posted on: 2003-10-03 00:23

I already tried both lines you gave me before... still doesn't work... actually, how do you think I should build this thing? :(

Re: Any Cisco people here?
Posted by: iczfirz
Posted on: 2003-10-03 00:27

It's like buying a Mark Six ticket... hard to hit even when you want to ...
[code]
BACK#show ip access-lists
Standard IP access list 1
    permit 1.0.0.0, wildcard bits 0.0.0.255 check=13
Extended IP access list 199
    permit tcp host 202.123.165.29 eq telnet any eq telnet
[/code]

Re: Re: Any Cisco people here?
Posted by: franng
Posted on: 2003-10-03 00:39

iczfirz wrote:
Actually my biggest problem is...

I have..
1* IP
1* 2514 dual Ethernet
4* servers (4* web, 1* ftp, 1* sendmail, 4* imap)

With NAT load distribution... round-robining these 4 servers on my 1 IP is a real headache... because the router will RR all 4 servers every time.. but not every server runs sendmail and ftp..

So I thought of opening 4 RR pools.. and using whichever pool depending on which port the traffic comes in on... but in the end I only got as far as the config above, and it doesn't work...

Actually I have 2 2514s on hand... crossing the two Serial 0s and adding the stuff below does what I need... but using two is really clumsy... but the bit in the post above doesn't work.. and my skills aren't up to it yet... so I'll just make do with this for now.. :(

The one on the public side... (first NAT to another set of IPs... which will be 1.0."public last octet"."port")
[code]
interface Ethernet0
ip address 202.123.165.30 255.255.255.248
ip nat outside
!
interface Serial0
ip address 1.0.1.1 255.255.255.0
ip nat inside
no ip mroute-cache
clockrate 4000000
dce-terminal-timing-enable
!
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 1.0.29.21 21 202.123.165.29 21 extendable
ip nat inside source static tcp 1.0.29.23 23 202.123.165.29 23 extendable
ip nat inside source static tcp 1.0.29.25 25 202.123.165.29 25 extendable
ip nat inside source static tcp 1.0.29.21 20 202.123.165.29 20 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 202.123.165.25
ip route 1.0.0.0 255.255.0.0 Serial0
ip http server
ip pim bidir-enable
!
access-list 1 permit 1.0.0.0 0.0.255.255
[/code]

The one on the private side.. (based on the NAT above, going into its own RR pool)
[code]
!
interface Ethernet1
ip address 1.0.0.1 255.255.255.0
ip nat inside
!
interface Serial0
ip address 1.0.1.2 255.255.255.0
ip nat outside
no ip mroute-cache
no fair-queue
compress stac
!
interface Serial1
no ip address
shutdown
!
ip nat pool service-29-23 1.0.0.11 1.0.0.11 prefix-length 28 type rotary
ip nat pool service-29-25 1.0.0.11 1.0.0.12 prefix-length 28 type rotary
ip nat pool service-29-21 1.0.0.11 1.0.0.12 prefix-length 28 type rotary
ip nat inside source list 1 interface Serial0 overload
ip nat inside destination list 2 pool service-29-23
ip nat inside destination list 3 pool service-29-25
ip nat inside destination list 4 pool service-29-21
ip classless
ip route 0.0.0.0 0.0.0.0 1.0.1.1
ip http server
ip pim bidir-enable
!
access-list 1 permit 1.0.0.0 0.0.0.255
access-list 2 permit 1.0.29.23
access-list 3 permit 1.0.29.25
access-list 4 permit 1.0.29.21
[/code]

Actually... is there any trick for a single 2514 to loop its own serial back to itself and do NAT twice?

Waiting for you to save me... remember to make franng treat you to dinner :P


Whoa........... so I have to treat KK and ELLIS to dinner????
Damn.................

Re: Re: Re: Any Cisco people here?
Posted by: iczfirz
Posted on: 2003-10-03 02:27

ellis wrote:
Try sh access-list or show ip access-list to check whether there are any match
entries for access list 199.
Anyway, there is some error in access-list 199; should it look like this:

access-list 199 permit tcp host 202.123.165.29 eq telnet any eq telnet
or
access-list 199 permit tcp host 202.123.165.29 eq telnet host 1.0.0.11 eq telnet


All bugs caught... these past few days I've stared at the router more than at my fish... in the end it turned out to be...
access-list 199 permit tcp any host 202.123.165.29 eq telnet
that's the right one... finally I can call it a day :})

Re: Re: Re: Re: Any Cisco people here?
Posted by: ellis
Posted on: 2003-10-03 10:50

iczfirz wrote:
ellis wrote:
Try sh access-list or show ip access-list to check whether there are any match
entries for access list 199.
Anyway, there is some error in access-list 199; should it look like this:

access-list 199 permit tcp host 202.123.165.29 eq telnet any eq telnet
or
access-list 199 permit tcp host 202.123.165.29 eq telnet host 1.0.0.11 eq telnet


All bugs caught... these past few days I've stared at the router more than at my fish... in the end it turned out to be...
access-list 199 permit tcp any host 202.123.165.29 eq telnet
that's the right one... finally I can call it a day :})


oh..yes. 202.123.165.29 is on the inside of your NAT router.
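A small model of the two NAT pieces this thread has been fighting with: the direction a destination-list ACL has to be written in (the ACL 199 fix just above), and per-port rotary pools like the service-29-23/25/21 ones from the two-2514 post. This is an added example, not code from the thread or from Cisco; it is a simplified Python model of IOS behaviour that parses only the extended-ACL forms the posts use (`any`, `host`, wildcard, `eq PORT`), lets the first matching destination list pick the pool, and uses 203.0.113.7 as a constructed outside client address.

```python
"""Simplified model of Cisco IOS 'ip nat inside destination list <acl> pool <rotary>'.
Added example for this thread, not code from the thread or from Cisco: it parses only
the extended-ACL forms the posts use ('any', 'host A', 'A WILDCARD', 'eq PORT') and
hands rotary-pool hosts out round robin to each new inbound connection."""
import ipaddress
from dataclasses import dataclass
from itertools import cycle

PORT_NAMES = {"telnet": 23, "www": 80, "ftp": 21, "ftp-data": 20, "smtp": 25}
VIP = "202.123.165.29"  # the thread's virtual (public) address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (matcher, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        want = ipaddress.ip_address(tokens[1])
        return (lambda ip, w=want: ipaddress.ip_address(ip) == w), tokens[2:]
    base = int(ipaddress.ip_address(tokens[0]))
    mask = ~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF  # wildcard bit 0 = must match
    return (lambda ip, b=base, m=mask: int(ipaddress.ip_address(ip)) & m == b & m), tokens[2:]


def _port(tokens):
    """Consume an optional 'eq PORT' (gt/lt/range are not modelled); return (matcher, rest)."""
    if tokens and tokens[0] == "eq":
        want = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        return (lambda p, w=want: p == w), tokens[2:]
    return (lambda p: True), tokens


def parse_acl(lines):
    """'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines -> list of (permit, predicate)."""
    entries = []
    for line in lines:
        tok = line.split()
        permit, proto, rest = tok[2] == "permit", tok[3], tok[4:]
        sm, rest = _addr(rest)
        sp, rest = _port(rest)
        dm, rest = _addr(rest)
        dp, rest = _port(rest)
        entries.append((permit, lambda pkt, pr=proto, sm=sm, sp=sp, dm=dm, dp=dp: (
            pr in ("ip", pkt.proto) and sm(pkt.src) and sp(pkt.sport)
            and dm(pkt.dst) and dp(pkt.dport))))
    return entries


def acl_permits(entries, pkt):
    """First matching entry decides; implicit deny at the end, as in IOS."""
    for permit, pred in entries:
        if pred(pkt):
            return permit
    return False


def rotary_pool(start, end):
    """'ip nat pool NAME START END ... type rotary': an endless round robin over the real hosts."""
    lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    return cycle(str(ipaddress.ip_address(i)) for i in range(lo, hi + 1))


class NatRouter:
    """Destination lists in configuration order; the first list that permits the packet picks the pool."""

    def __init__(self):
        self.destination_lists = []  # [(acl entries, rotary pool)]
        self.translations = {}  # connection key -> real host, like 'show ip nat translations'

    def add_destination_list(self, acl_lines, pool):
        self.destination_lists.append((parse_acl(acl_lines), pool))

    def translate_inbound(self, pkt):
        """Packet arriving on the 'ip nat outside' interface; returns the real host, or None if untouched."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.translations:
            for entries, pool in self.destination_lists:
                if acl_permits(entries, pkt):
                    self.translations[key] = next(pool)
                    break
        return self.translations.get(key)


def acl_direction_check():
    """The two ACL 199 shapes from the thread against one inbound telnet SYN (client address constructed)."""
    syn = Packet(src="203.0.113.7", sport=40001, dst=VIP, dport=23)
    wrong = parse_acl([f"access-list 199 permit tcp host {VIP} eq telnet any eq telnet"])
    right = parse_acl([f"access-list 199 permit tcp any host {VIP} eq telnet"])
    return acl_permits(wrong, syn), acl_permits(right, syn)


def per_port_pools():
    """Per-service rotary pools on one router; three telnet, three smtp and one www client are constructed."""
    r = NatRouter()
    r.add_destination_list([f"access-list 102 permit tcp any host {VIP} eq telnet"],
                           rotary_pool("1.0.0.11", "1.0.0.11"))
    r.add_destination_list([f"access-list 103 permit tcp any host {VIP} eq smtp"],
                           rotary_pool("1.0.0.11", "1.0.0.12"))
    telnet = [r.translate_inbound(Packet("203.0.113.7", 50000 + i, VIP, 23)) for i in range(3)]
    smtp = [r.translate_inbound(Packet("203.0.113.7", 51000 + i, VIP, 25)) for i in range(3)]
    www = r.translate_inbound(Packet("203.0.113.7", 52000, VIP, 80))  # no list permits it: left alone
    return telnet, smtp, www
```

Running `acl_direction_check()` gives `(False, True)`: the `host 202.123.165.29 eq telnet any eq telnet` form never matches an inbound packet because its source half describes the virtual address, which is the destination of every packet arriving from outside, while `any host 202.123.165.29 eq telnet` does. `per_port_pools()` shows the same shape with `eq smtp` steering a second service to its own two-host pool (11, 12, 11) while telnet stays on the single-host pool and port 80, matched by no list, gets no rotary translation at all. In the field, the `show ip access-lists` hit counters ellis suggested are the quick check that an entry is matching anything before reaching for `debug ip nat`.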

Re: Re: Any Cisco people here?
Posted by: ellis
Posted on: 2003-10-03 17:25

iczfirz wrote:
Actually my biggest problem is...

I have..
1* IP
1* 2514 dual Ethernet
4* servers (4* web, 1* ftp, 1* sendmail, 4* imap)

With NAT load distribution... round-robining these 4 servers on my 1 IP is a real headache... because the router will RR all 4 servers every time.. but not every server runs sendmail and ftp..

So I thought of opening 4 RR pools.. and using whichever pool depending on which port the traffic comes in on... but in the end I only got as far as the config above, and it doesn't work...

Actually I have 2 2514s on hand... crossing the two Serial 0s and adding the stuff below does what I need... but using two is really clumsy... but the bit in the post above doesn't work.. and my skills aren't up to it yet... so I'll just make do with this for now.. :(

The one on the public side... (first NAT to another set of IPs... which will be 1.0."public last octet"."port")
[code]
interface Ethernet0
ip address 202.123.165.30 255.255.255.248
ip nat outside
!
interface Serial0
ip address 1.0.1.1 255.255.255.0
ip nat inside
no ip mroute-cache
clockrate 4000000
dce-terminal-timing-enable
!
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 1.0.29.21 21 202.123.165.29 21 extendable
ip nat inside source static tcp 1.0.29.23 23 202.123.165.29 23 extendable
ip nat inside source static tcp 1.0.29.25 25 202.123.165.29 25 extendable
ip nat inside source static tcp 1.0.29.21 20 202.123.165.29 20 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 202.123.165.25
ip route 1.0.0.0 255.255.0.0 Serial0
ip http server
ip pim bidir-enable
!
access-list 1 permit 1.0.0.0 0.0.255.255
[/code]

The one on the private side.. (based on the NAT above, going into its own RR pool)
[code]
!
interface Ethernet1
ip address 1.0.0.1 255.255.255.0
ip nat inside
!
interface Serial0
ip address 1.0.1.2 255.255.255.0
ip nat outside
no ip mroute-cache
no fair-queue
compress stac
!
interface Serial1
no ip address
shutdown
!
ip nat pool service-29-23 1.0.0.11 1.0.0.11 prefix-length 28 type rotary
ip nat pool service-29-25 1.0.0.11 1.0.0.12 prefix-length 28 type rotary
ip nat pool service-29-21 1.0.0.11 1.0.0.12 prefix-length 28 type rotary
ip nat inside source list 1 interface Serial0 overload
ip nat inside destination list 2 pool service-29-23
ip nat inside destination list 3 pool service-29-25
ip nat inside destination list 4 pool service-29-21
ip classless
ip route 0.0.0.0 0.0.0.0 1.0.1.1
ip http server
ip pim bidir-enable
!
access-list 1 permit 1.0.0.0 0.0.0.255
access-list 2 permit 1.0.29.23
access-list 3 permit 1.0.29.25
access-list 4 permit 1.0.29.21
[/code]

Actually... is there any trick for a single 2514 to loop its own serial back to itself and do NAT twice?

Waiting for you to save me... remember to make franng treat you to dinner :P


Did you try to create a virtual interface? It is used for single-interface NAT.

Re: Any Cisco people here?
Posted by: iczfirz
Posted on: 2003-10-03 17:47

Brother Wai ... I come from a Unix background... I know very, very, very little about Cisco stuff... so ... just getting the thing running already counts as good enough for me... I think I'll only start learning it properly after I finish this whole thing...

virtual interface.. and loopback.. I don't even know what they're for yet ... :I

Re: Re: Any Cisco people here?
Posted by: ellis
Posted on: 2003-10-04 00:38

iczfirz wrote:
Brother Wai ... I come from a Unix background... I know very, very, very little about Cisco stuff... so ... just getting the thing running already counts as good enough for me... I think I'll only start learning it properly after I finish this whole thing...

virtual interface.. and loopback.. I don't even know what they're for yet ... :I


This is a good practice la..
The generic name is virtual interface; the more specific name is loopback interface. It is a non-existent interface and is always up.
Its function may vary, depending on how you use it. In a switch, it can be used as a
VLAN interface to route traffic. In a router it can provide load balancing/resilient links by specifying the loopback as the next-hop address instead of a serial/ethernet interface. In protocols, it is used as the router ID..etc.

In your previous example, you also lose HSRP. Why not get a load balancer such as a Foundry ServerIron? It just costs around 6k for 8 ports on eBay.

Re: Any Cisco people here?
Posted by: iczfirz
Posted on: 2003-10-04 01:16

Haven't looked at other load balancers.. because... one is six thousand, you say... right now two of these come to under four thousand... HSRP isn't done yet... getting the config sorted first... otherwise it's a waste of effort with it switching back and forth like this..

Re: Any Cisco people here?
Posted by: LP
Posted on: 2003-10-05 16:43

u guys are so good at cisco, better teach me more!!!!
I want to get CCIP; do u guys have past exam papers and notes?

KK did u find a job yet? i think u can apply for the position of network engineer~~ u can replace me~~~

Re: Any Cisco people here?
Posted by: iczfirz
Posted on: 2003-10-05 17:27

Six years ago I touched the company's 2511 a bit to dial up to the internet for myself... haven't touched one in the five years since... I'd also like to find some papers to read...

Re: Re: Any Cisco people here?
Posted by: ellis
Posted on: 2003-10-06 16:45

LP wrote:
u guys are so good at cisco, better teach me more!!!!
I want to get CCIP; do u guys have past exam papers and notes?

KK did u find a job yet? i think u can apply for the position of network engineer~~ u can replace me~~~


I would suggest you get some books for CCIP; there are some
Chinese copies of CCIP books in SSP.

Re: Any Cisco people here?
Posted by: iczfirz
Posted on: 2003-10-13 11:04

[code]
ip nat translation timeout 600
ip nat translation tcp-timeout 600
ip nat translation udp-timeout 15
ip nat translation dns-timeout 600
ip nat translation port-timeout tcp 22 86400
ip nat translation port-timeout tcp 23 3600
ip nat translation port-timeout tcp 3223 3600
ip nat translation max-entries 1000
ip nat pool RR-1 1.0.0.31 1.0.0.31 netmask 255.255.255.0 type rotary
ip nat pool IP-30 202.123.165.30 202.123.165.30 netmask 255.255.255.248
ip nat inside source list 5 pool IP-30 overload
ip nat inside destination list 111 pool RR-1
!
ip classless
ip route 0.0.0.0 0.0.0.0 202.123.165.25
!
access-list 5 permit 1.0.0.0 0.0.0.255
access-list 111 permit tcp any host 202.123.165.28 eq www
access-list 111 permit tcp any host 202.123.165.28 eq
[/code]

RR-1 only has one server for now.
server bootup IP: 1.0.0.10
service (alias) IP: 1.0.0.31
Strangely, after running for not quite a day the router suddenly stops being able to do NAT load balancing on its own. But NAT overload still works.. why? When load balancing stops working, I give it an ip nat inside source static 1.0.0.31 202.123.165.28 extendable and then immediately no it again, and it runs again.. but it still doesn't last a day...

Re: Any Cisco people here?
Posted by: iczfirz
Posted on: 2003-10-13 12:04

Also...
CPU utilization for five seconds: 25%/4%; one minute: 33%; five minutes: 16%
Total active translations: 139 (0 static, 139 dynamic; 139 extended)
The router is running perfectly fine otherwise... why would it suddenly go wonky?

Re: Re: Any Cisco people here?
Posted by: ellis
Posted on: 2003-10-13 22:12

iczfirz wrote:
[code]
ip nat translation timeout 600
ip nat translation tcp-timeout 600
ip nat translation udp-timeout 15
ip nat translation dns-timeout 600
ip nat translation port-timeout tcp 22 86400
ip nat translation port-timeout tcp 23 3600
ip nat translation port-timeout tcp 3223 3600
ip nat translation max-entries 1000
ip nat pool RR-1 1.0.0.31 1.0.0.31 netmask 255.255.255.0 type rotary
ip nat pool IP-30 202.123.165.30 202.123.165.30 netmask 255.255.255.248
ip nat inside source list 5 pool IP-30 overload
ip nat inside destination list 111 pool RR-1
!
ip classless
ip route 0.0.0.0 0.0.0.0 202.123.165.25
!
access-list 5 permit 1.0.0.0 0.0.0.255
access-list 111 permit tcp any host 202.123.165.28 eq www
access-list 111 permit tcp any host 202.123.165.28 eq
[/code]

RR-1 only has one server for now.
server bootup IP: 1.0.0.10
service (alias) IP: 1.0.0.31
Strangely, after running for not quite a day the router suddenly stops being able to do NAT load balancing on its own. But NAT overload still works.. why? When load balancing stops working, I give it an ip nat inside source static 1.0.0.31 202.123.165.28 extendable and then immediately no it again, and it runs again.. but it still doesn't last a day...


I think it's better not to use those ip nat translation timeout options for now, because they will affect
dynamic translation.

Re: Re: Re: Any Cisco people here?
Posted by: ellis
Posted on: 2003-10-13 22:19

ellis wrote:
iczfirz wrote:
[code]
ip nat translation timeout 600
ip nat translation tcp-timeout 600
ip nat translation udp-timeout 15
ip nat translation dns-timeout 600
ip nat translation port-timeout tcp 22 86400
ip nat translation port-timeout tcp 23 3600
ip nat translation port-timeout tcp 3223 3600
ip nat translation max-entries 1000
ip nat pool RR-1 1.0.0.31 1.0.0.31 netmask 255.255.255.0 type rotary
ip nat pool IP-30 202.123.165.30 202.123.165.30 netmask 255.255.255.248
ip nat inside source list 5 pool IP-30 overload
ip nat inside destination list 111 pool RR-1
!
ip classless
ip route 0.0.0.0 0.0.0.0 202.123.165.25
!
access-list 5 permit 1.0.0.0 0.0.0.255
access-list 111 permit tcp any host 202.123.165.28 eq www
access-list 111 permit tcp any host 202.123.165.28 eq
[/code]

RR-1 only has one server for now.
server bootup IP: 1.0.0.10
service (alias) IP: 1.0.0.31
Strangely, after running for not quite a day the router suddenly stops being able to do NAT load balancing on its own. But NAT overload still works.. why? When load balancing stops working, I give it an ip nat inside source static 1.0.0.31 202.123.165.28 extendable and then immediately no it again, and it runs again.. but it still doesn't last a day...


I think it's better not to use those ip nat translation timeout options for now, because they will affect
dynamic translation.


One more point: ip nat translation timeout affects dynamic translation (rotary translation);
the others affect overload translation.

Re: Any Cisco people here?
Posted by: iczfirz
Posted on: 2003-10-13 22:26

But Brother Wai, have you ever seen anyone run overload+rotary? I searched the internet for a long time and nobody talks about it...

Also... it seems the problem only shows up because I used an IP alias on the server.. if I don't use the alias IP, nothing goes wrong

At first I tried not using ip nat tran.. but because there are a lot of http and mysql connections here.. the router gets so many NAT translations that it dies.. sigh... don't know what to do..

Re: Re: Any Cisco people here?
Posted by: ellis
Posted on: 2003-10-14 00:17

iczfirz wrote:
But Brother Wai, have you ever seen anyone run overload+rotary? I searched the internet for a long time and nobody talks about it...

Also... it seems the problem only shows up because I used an IP alias on the server.. if I don't use the alias IP, nothing goes wrong

At first I tried not using ip nat tran.. but because there are a lot of http and mysql connections here.. the router gets so many NAT translations that it dies.. sigh... don't know what to do..


Not that many people use rotary, honestly... because very few people use a router to load balance traffic; DNS
round robin is far more common, hotmail's mail servers are a good example.
IP alias? Why do you still need an alias?
.....If possible, write a script that logs in to the router on a schedule and runs "clear ip nat translation *",
otherwise.... can't think of any other way...( why not buy a load balancer...)

Re: Any Cisco people here?
Posted by: iczfirz
Posted on: 2003-10-14 00:33

Brother Wai... I used it because it was there... didn't expect such a headache... if there's still no solution after a while.. I'll most likely go back to DNS load balancing..

The IP alias is so the cluster services can move around conveniently... :I
