Topic: Any Cisco people here?
iczfirz
Post 1, 2003-09-29 01:34
Can anyone take a look at this for me? Is there anything that should be changed, and are there any holes in it?

 ip nat pool net-pub 202.123.165.25 202.123.165.25 netmask 255.255.255.252 
ip nat pool real-hosts 10.0.1.130 10.0.1.138 prefix-length 28 type rotary
ip nat inside source list 1 pool net-pub overload
ip nat inside destination list 2 pool real-hosts
!
!
interface Ethernet0
ip address 10.0.1.254 255.255.255.0
no ip redirects
ip nat inside
no ip route-cache
no ip mroute-cache
standby 1 timers 5 15
standby 1 priority 110
standby 1 preempt
standby 1 authentication denmark
standby 1 ip 10.0.1.1
!
interface Serial0
ip address 202.123.165.31 255.255.255.128
ip nat outside
no ip route-cache
no ip mroute-cache
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 202.123.165.24 255.255.255.248 Serial0
!
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 2 permit 202.123.165.26



LP
Post 2, 2003-09-29 16:30
standby 1 timers 5 15
standby 1 priority 110
standby 1 preempt
standby 1 authentication denmark
standby 1 ip 10.0.1.1

What are the purposes for doing these commands?


ellis
Post 3, 2003-09-29 17:50
Hi KK,

I think you want to do something about TCP traffic load distribution from outside source to your local destination host. right?

Could you please summarize your problem, I heard you said something
cannot ping...
Thanks

wai.


iczfirz
Post 4, 2003-09-29 22:36
Thanks to you both first (tongue)

LP.. those few lines are HSRP... every machine on Ethernet 0 will default to 10.0.1.1

ellis... spot on... actually, whether ping works or not is a minor matter... the problem is I don't yet know how to let the machines inside 10.0.1.0 also use the real-hosts IP for load dist.



LP
Post 5, 2003-09-30 00:42
sounds quite hard to do that bor... (sleepy)
never see this case before, i just know two leased line to do load balancing only~~ good assignment...let me try to do some research sin~~ (big smile) any findings in cisco homepage?


franng
Post 6, 2003-09-30 00:56
ellis wrote:
Hi KK,

I think you want to do something about TCP traffic load distribution from outside source to your local destination host. right?

Could you please summarize your problem, I heard you said something
cannot ping...
Thanks

wai.


You rascal, cow cow. You came on here and didn't even tell me.

Edited by franng on 2003-09-30 00:58

iczfirz
Post 7, 2003-09-30 01:22
LP wrote:
sounds quite hard to do that bor... (sleepy)
never see this case before, i just know two leased line to do load balancing only~~ good assignment...let me try to do some research sin~~ (big smile) any findings in cisco homepage?


no la... I couldn't find anything on NAT overload + load dist. Right now I only have five usable IPs.. so I have no choice but to do NAT overload myself and then load dist. I bought two 2514s today.. the new config is as follows... HSRP not added yet. Outside is 202.123.165.24/248, inside is private IP 1.0.0.x.. what do you guys think.. how can I also get the internal 1.0.0.x to have its own load dist?

 
interface Ethernet0
ip address 202.123.165.26 255.255.255.128
ip nat outside
!
interface Ethernet1
ip address 1.0.0.1 255.255.255.0
ip nat inside
!
ip nat pool net-27 202.123.165.27 202.123.165.27 netmask 255.255.255.128
ip nat pool www1 1.0.0.130 1.0.0.131 prefix-length 28 type rotary
ip nat inside source list 1 pool net-27 overload
ip nat inside destination list 2 pool www1
no ip classless
ip route 0.0.0.0 0.0.0.0 202.123.165.25
ip route 202.123.165.27 255.255.255.255 Ethernet1
no ip http server
ip pim bidir-enable
!
access-list 1 permit 1.0.0.0 0.0.0.255
access-list 2 permit 202.123.165.27




ellis
Post 8, 2003-09-30 12:47
franng wrote:
ellis wrote:
Hi KK,

I think you want to do something about TCP traffic load distribution from outside source to your local destination host. right?

Could you please summarize your problem, I heard you said something
cannot ping...
Thanks

wai.


You rascal, cow cow. You came on here and didn't even tell me.


I didn't know you had registered here ma...


franng
Post 9, 2003-09-30 13:01
o i c.. welcome u.. kee kee


ellis
Post 10, 2003-09-30 15:30
iczfirz wrote:
LP wrote:
sounds quite hard to do that bor... (sleepy)
never see this case before, i just know two leased line to do load balancing only~~ good assignment...let me try to do some research sin~~ (big smile) any findings in cisco homepage?


no la... I couldn't find anything on NAT overload + load dist. Right now I only have five usable IPs.. so I have no choice but to do NAT overload myself and then load dist. I bought two 2514s today.. the new config is as follows... HSRP not added yet. Outside is 202.123.165.24/248, inside is private IP 1.0.0.x.. what do you guys think.. how can I also get the internal 1.0.0.x to have its own load dist?

 
interface Ethernet0
ip address 202.123.165.26 255.255.255.128
ip nat outside
!
interface Ethernet1
ip address 1.0.0.1 255.255.255.0
ip nat inside
!
ip nat pool net-27 202.123.165.27 202.123.165.27 netmask 255.255.255.128
ip nat pool www1 1.0.0.130 1.0.0.131 prefix-length 28 type rotary
ip nat inside source list 1 pool net-27 overload
ip nat inside destination list 2 pool www1
no ip classless
ip route 0.0.0.0 0.0.0.0 202.123.165.25
ip route 202.123.165.27 255.255.255.255 Ethernet1
no ip http server
ip pim bidir-enable
!
access-list 1 permit 1.0.0.0 0.0.0.255
access-list 2 permit 202.123.165.27



seems impossible:
1. When internal hosts communicate with your real host, the traffic will not pass via the router or default gateway. It will contact the real host directly.
2. According to Cisco docs, TCP load dist is one-way communication. 'nat inside' will respond to 'nat outside'; your internal host cannot perform any more NAT to your real hosts.

Two possible ways:
1. Assign a public IP for your real host, and assign one virtual public IP for public load sharing to your real host.
Assign a private IP for your real host for internal load sharing. Map the private IP to the real host (public IP). Some modification in the router is needed to do load sharing.
2. If you have two 2514s, let's say R1 and R2, make your real hosts a separate segment between R1 and R2, say 20.20.20.x.
Public load sharing will do the same as you configured; also configure an internal load sharing in R1. Then it will look as follows:
R1--Real Host segment -- R2
R1 for internal segment, R2 for public segment.
But you will lose HSRP with this option, or you need to get one more 2514 or others.

The two options above need to be tested, but conceptually, option 2 will work.
But there is a much easier way to do internal load distribution. If you have internal DNS, why not just enable the load balancing function for your internal real hosts; then DNS will serve the real hosts to internal hosts on a round-robin basis.
This is the fastest way to configure and for sure should work.

wai.


iczfirz
Post 11, 2003-10-01 01:46
Brother Wai..
I don't understand the first method (tongue)
For the second one, as you said, there's no HSRP or I'd need to add one more router...

DNS round robin actually isn't bad.. but it just feels like I couldn't live with it myself... and it would also cost network traffic.. (wink)



ellis
Post 12, 2003-10-02 22:45
iczfirz wrote:
Brother Wai..
I don't understand the first method (tongue)
For the second one, as you said, there's no HSRP or I'd need to add one more router...

DNS round robin actually isn't bad.. but it just feels like I couldn't live with it myself... and it would also cost network traffic.. (wink)


Sorry for my late reply, as I was busy with my work.
There is a method below; it is used for NAT on a single interface.
Just like you want NAT for your internal host (NAT inside) and the same interface for outgoing (NAT outside).

========================
interface Ethernet0
   ip address 202.123.165.26 255.255.255.128
   ip nat outside
!
interface Ethernet1
   ip address 1.0.0.1 255.255.255.0
   ip nat inside
   ip policy route-map INTERNAL
!
interface loopback0
   ip address 5.5.5.1 255.255.255.0
   ip nat outside
!
ip nat pool net-27 202.123.165.27 202.123.165.27 netmask 255.255.255.128
ip nat pool www1 1.0.0.130 1.0.0.131 prefix-length 28 type rotary
ip nat inside source list 1 pool net-27 overload
ip nat inside destination list 2 pool www1
ip nat inside destination list 3 pool www1
!
ip classless
ip route 0.0.0.0 0.0.0.0 202.123.165.25
ip route 202.123.165.27 255.255.255.255 Ethernet1
no ip http server
ip pim bidir-enable
!
router eigrp 1
   network 5.5.5.0 0.0.0.255
   network 1.0.0.0 0.0.0.255
!
access-list 1 permit 1.0.0.0 0.0.0.255
access-list 2 permit 202.123.165.27
! 1.1.1.254 is the virtual IP of the internal real host
access-list 3 permit 1.1.1.254
access-list 101 permit ip 1.0.0.0 0.0.0.255 host 1.1.1.254
!
route-map INTERNAL permit 10
   match ip address 101
   set ip next-hop 5.5.5.2

=======================
"set ip next-hop 5.5.5.2" is used so that the packet is routed out via the loopback interface.
You may need to make some modifications to the above to suit your needs.


iczfirz
Post 13, 2003-10-02 23:44
Brother Wai... here's one more tough problem for you (tongue)

 
ip host host-29 202.123.165.29
!
!
!
!
interface Ethernet0
  ip address 202.123.165.30 255.255.255.248
  ip nat outside
  no mop enabled
!
interface Ethernet1
  ip address 1.0.0.1 255.255.255.0
  ip nat inside
  no mop enabled
!
ip nat pool host-29 202.123.165.29 202.123.165.29 netmask 255.255.255.248
ip nat pool service-11 1.0.0.11 1.0.0.11 prefix-length 28 type rotary
ip nat inside source list 1 pool host-29 overload
ip nat inside destination list 10 pool service-11
ip classless
ip route 0.0.0.0 0.0.0.0 202.123.165.25
no ip http server
ip pim bidir-enable
!
access-list 1 permit 1.0.0.0 0.0.0.255
access-list 10 permit 202.123.165.29
!


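The above works... load distribution is achieved..

But I also want it to pick the server pool according to the port it sees.. so I changed those two lines above into the ones below... hoping that when it sees telnet it sends it into pool service-11... and other ports go to service-12 13 14... but....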
 
ip nat inside destination list 10 pool service-11
>>>>
ip nat inside destination list 199 pool service-11

access-list 10 permit 202.123.165.29
>>>>
access-list 199 permit 23 host 202.123.165.29 any

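But it doesn't work.. debug nat shows no reaction at all... meaning ACL 199 isn't working.. do you have any idea?


iczfirz
Post 14, 2003-10-03 00:04
Actually my biggest problem is...

I have..
1* ip
1* 2514 dual ethernet
4* server (4* web, 1* ftp, 1* sendmail, 4* imap)

With NAT load distribution... having my 1* IP round-robin across these 4* servers is a real headache... because the router will RR across these 4* servers every time.. but not every one of my servers runs sendmail and ftp..

So I was thinking of setting up 4* RR pools.. and choosing which pool to use according to the incoming port... but in the end I got as far as the config above and it doesn't work...

But actually I have 2* 2514 on hand... with the two Serial 0 ports crossed together plus the config below, I can do what I want... but using two routers is really too clumsy... yet the config in the post above doesn't work.. and my skills aren't up to it yet... so I'll have to make do like this for now.. (sad)

The one near the public side... (first NAT to another set of IPs... which will be 1.0."public last octet"."port")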
 
interface Ethernet0
ip address 202.123.165.30 255.255.255.248
ip nat outside
!
interface Serial0
ip address 1.0.1.1 255.255.255.0
ip nat inside
no ip mroute-cache
clockrate 4000000
dce-terminal-timing-enable
!
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 1.0.29.21 21 202.123.165.29 21 extendable
ip nat inside source static tcp 1.0.29.23 23 202.123.165.29 23 extendable
ip nat inside source static tcp 1.0.29.25 25 202.123.165.29 25 extendable
ip nat inside source static tcp 1.0.29.21 20 202.123.165.29 20 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 202.123.165.25
ip route 1.0.0.0 255.255.0.0 Serial0
ip http server
ip pim bidir-enable
!
access-list 1 permit 1.0.0.0 0.0.255.255


The one near the private side.. (based on the NAT above, sends traffic into its own RR pool)
 
!
interface Ethernet1
ip address 1.0.0.1 255.255.255.0
ip nat inside
!
interface Serial0
ip address 1.0.1.2 255.255.255.0
ip nat outside
no ip mroute-cache
no fair-queue
compress stac
!
interface Serial1
no ip address
shutdown
!
ip nat pool service-29-23 1.0.0.11 1.0.0.11 prefix-length 28 type rotary
ip nat pool service-29-25 1.0.0.11 1.0.0.12 prefix-length 28 type rotary
ip nat pool service-29-21 1.0.0.11 1.0.0.12 prefix-length 28 type rotary
ip nat inside source list 1 interface Serial0 overload
ip nat inside destination list 2 pool service-29-23
ip nat inside destination list 3 pool service-29-25
ip nat inside destination list 4 pool service-29-21
ip classless
ip route 0.0.0.0 0.0.0.0 1.0.1.1
ip http server
ip pim bidir-enable
!
access-list 1 permit 1.0.0.0 0.0.0.255
access-list 2 permit 1.0.29.23
access-list 3 permit 1.0.29.25
access-list 4 permit 1.0.29.21


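Actually... is there any trick to have a single 2514 loop its own serial port back to itself and run NAT twice?

Waiting for you to save me... remember to make franng treat you to a meal (tongue)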



ellis
Post 15, 2003-10-03 00:12
iczfirz wrote:
Brother Wai... here's one more tough problem for you (tongue)

 
ip host host-29 202.123.165.29
!
!
!
!
interface Ethernet0
  ip address 202.123.165.30 255.255.255.248
  ip nat outside
  no mop enabled
!
interface Ethernet1
  ip address 1.0.0.1 255.255.255.0
  ip nat inside
  no mop enabled
!
ip nat pool host-29 202.123.165.29 202.123.165.29 netmask 255.255.255.248
ip nat pool service-11 1.0.0.11 1.0.0.11 prefix-length 28 type rotary
ip nat inside source list 1 pool host-29 overload
ip nat inside destination list 10 pool service-11
ip classless
ip route 0.0.0.0 0.0.0.0 202.123.165.25
no ip http server
ip pim bidir-enable
!
access-list 1 permit 1.0.0.0 0.0.0.255
access-list 10 permit 202.123.165.29
!


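The above works... load distribution is achieved..

But I also want it to pick the server pool according to the port it sees.. so I changed those two lines above into the ones below... hoping that when it sees telnet it sends it into pool service-11... and other ports go to service-12 13 14... but....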
 
ip nat inside destination list 10 pool service-11
>>>>
ip nat inside destination list 199 pool service-11

access-list 10 permit 202.123.165.29
>>>>
access-list 199 permit 23 host 202.123.165.29 any

But it doesn't work.. debug nat shows no reaction at all... meaning ACL 199 isn't working.. do you have any idea?


Try sh access-list or show ip access-list to check whether there are any matching entries for access list 199.
anyway, there is some error of the access-list 199, is it should be look like this:

access-list 199 permit tcp host 202.123.165.29 eq telnet any eq telnet
or
access-list 199 permit tcp host 202.123.165.29 eq telnet host 1.0.0.11 eq telnet
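
Added example (not part of the thread and not any poster's code): a small Python reader for numbered extended access-list entries, showing which field each token of the two access-list 199 lines above lands in. IOS reads the token after permit as the protocol and accepts an IP protocol number (0-255) there, so 23 in that slot means IP protocol 23, not TCP port 23. The sample packet, the port-name subset and the function names are constructed for the illustration; the match is a plain packet-filter match and does not model how NAT consults the list.

```python
import ipaddress

PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}      # None = any protocol
PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80}  # subset of IOS port names

def _addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # A wildcard mask is the bitwise inverse of a netmask (contiguous masks only here).
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tok[1])))
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def _port(tok):
    """Consume an optional 'eq PORT'; return (port or None, remaining tokens)."""
    if tok[:1] == ["eq"]:
        return PORTS.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok

def parse_ace(line):
    """Read 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' positionally."""
    tok = line.split()
    if tok[0] != "access-list" or not 100 <= int(tok[1]) <= 199:
        raise ValueError("not a numbered extended access-list entry")
    proto = PROTO[tok[3]] if tok[3] in PROTO else int(tok[3])  # bare number = IP protocol
    src, rest = _addr(tok[4:])
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    return dict(action=tok[2], proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def matches(ace, proto, src, sport, dst, dport):
    """Plain packet-filter match; how NAT consults the list is not modelled."""
    if ace["proto"] is not None and ace["proto"] != proto:
        return False
    if ipaddress.ip_address(src) not in ace["src"] or ipaddress.ip_address(dst) not in ace["dst"]:
        return False
    return ace["sport"] in (None, sport) and ace["dport"] in (None, dport)

# The two access-list 199 lines from the thread, read field by field.
POSTED = parse_ace("access-list 199 permit 23 host 202.123.165.29 any")
SUGGESTED = parse_ace("access-list 199 permit tcp host 202.123.165.29 eq telnet any eq telnet")
# Constructed packet: an outside client (198.51.100.7) opening Telnet to the global address.
TELNET_SYN = dict(proto=6, src="198.51.100.7", sport=40000, dst="202.123.165.29", dport=23)
print(POSTED["proto"], matches(POSTED, **TELNET_SYN))  # 23 False
```

A TCP packet can never match an entry whose protocol field is 23, which fits the absence of any debug nat output reported in post 13.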


