Monitoring traffic drops on a Cisco ACE when the pps limit is exceeded

If the second number on the Packet drops line is not 0, the subscribers are having a bad time...
To work out how bad, add up the values for np 1 and np 2. That is the pps that never reached the users.


ACE-2/Admin# sh np 1 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 2138198165 83976
Frames Received: 99991846 369645
Control Frames Received: 3290216984 18043
Forward Buffered: 99991845 369644
Post stalls: 3506589 0
Packet drops: 3506589 0

ACE-2/Admin# sh np 2 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 2465320651 83579
Frames Received: 1332254728 365847
Control Frames Received: 1023946169 9221
Forward Buffered: 1332254728 365848
Post stalls: 5158547 0
Packet drops: 5158547 0

ACE-2/Admin#

ACE-1/Admin# sh np 1 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 3584761190 73432
Frames Received: 2293087969 581640
Control Frames Received: 3839212508 26861
Forward Buffered: 2293087968 581639
Post stalls: 112917235 0
Packet drops: 112917235 0

ACE-1/Admin# sh np 2 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 4231896532 73768
Frames Received: 1131339942 568290
Control Frames Received: 759502510 13373
Forward Buffered: 1131339942 568290
Post stalls: 101927534 0
Packet drops: 101927534 0

ACE-1/Admin#

ACE-3/Admin# sh np 1 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 3406596389 100325
Frames Received: 314104969 49276
Control Frames Received: 3905008643 18725
Forward Buffered: 314104969 49276
Post stalls: 1051729 0
Packet drops: 339718 0

ACE-3/Admin# sh np 2 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 3985229044 100414
Frames Received: 4034515952 40901
Control Frames Received: 30840757 11218
Forward Buffered: 4034515952 40901
Post stalls: 922235 0
Packet drops: 922235 0

ACE-3/Admin#

ACE-4/Admin# sh np 1 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 3795226185 100421
Frames Received: 3577208145 44379
Control Frames Received: 176413510 12523
Forward Buffered: 3577208145 44379
Post stalls: 768404 0
Packet drops: 199498 0

ACE-4/Admin# sh np 2 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 4170201652 100511
Frames Received: 4163859453 39179
Control Frames Received: 159185538 7237
Forward Buffered: 4163859453 39179
Post stalls: 601197 0
Packet drops: 601197 0

ACE-4/Admin#
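The rule above (second column of "Packet drops", summed over both NPs) is easy to automate. The following is an added example, not code from the original post: it parses the `sh np <n> me-stats -sreceive` output format shown above and turns it into a lost-pps figure and a verdict. The sample outputs embedded in it are constructed (the counter values are invented so that the drop column is non-zero), and the reading of the two columns as cumulative total and current per-second value follows the post rather than any documentation.

```python
import re
from typing import Dict, Tuple

# Constructed sample outputs in the format of `sh np <n> me-stats -sreceive`
# shown on this page. The counter values are invented (not from a real box)
# so that the second column of "Packet drops" is non-zero on both NPs.
SAMPLE_NP1 = """\
ACE-2/Admin# sh np 1 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 2138198165 83976
Frames Received: 99991846 369645
Control Frames Received: 3290216984 18043
Forward Buffered: 99991845 369644
Post stalls: 3506589 1250
Packet drops: 3506589 1250
"""

SAMPLE_NP2 = """\
ACE-2/Admin# sh np 2 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 2465320651 83579
Frames Received: 1332254728 365847
Control Frames Received: 1023946169 9221
Forward Buffered: 1332254728 365848
Post stalls: 5158547 800
Packet drops: 5158547 800
"""

# "<Counter name>: <total> <current>" lines; the prompt, the header and the
# dashed separator do not match and are skipped.
COUNTER_RE = re.compile(r"^\s*(?P<name>[A-Za-z ]+?):\s+(?P<total>\d+)\s+(?P<rate>\d+)\s*$")


def parse_me_stats(text: str) -> Dict[str, Tuple[int, int]]:
    """Parse one `me-stats -sreceive` output into {counter: (total, current)}.

    Assumption, following how the post reads the output: the first column is
    the cumulative counter and the second is the current per-second value.
    """
    stats: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            stats[m.group("name")] = (int(m.group("total")), int(m.group("rate")))
    return stats


def lost_pps(*np_outputs: str) -> int:
    """Sum the current 'Packet drops' rate over all NPs of one ACE: per the
    post's rule, the pps that never reached the users."""
    return sum(parse_me_stats(o).get("Packet drops", (0, 0))[1] for o in np_outputs)


def received_pps(*np_outputs: str) -> int:
    """Sum the current 'Frames Received' rate over all NPs."""
    return sum(parse_me_stats(o).get("Frames Received", (0, 0))[1] for o in np_outputs)


def drop_ratio(*np_outputs: str) -> float:
    """Dropped pps as a fraction of received pps (0.0 when nothing was received)."""
    rx = received_pps(*np_outputs)
    return lost_pps(*np_outputs) / rx if rx else 0.0


def verdict(*np_outputs: str, warn_ratio: float = 0.001) -> str:
    """'OK' when no NP is currently dropping, 'WARN' for drops below warn_ratio,
    'CRITICAL' at or above it. warn_ratio is an arbitrary threshold for this
    example, not a vendor figure."""
    if lost_pps(*np_outputs) == 0:
        return "OK"
    return "CRITICAL" if drop_ratio(*np_outputs) >= warn_ratio else "WARN"


if __name__ == "__main__":
    print("lost pps:", lost_pps(SAMPLE_NP1, SAMPLE_NP2))
    print("drop ratio: %.4f%%" % (100 * drop_ratio(SAMPLE_NP1, SAMPLE_NP2)))
    print("verdict:", verdict(SAMPLE_NP1, SAMPLE_NP2))
```

Feed it the two `sh np` outputs collected from the same box in the same poll; summing drops from different polling intervals would mix rates that do not belong together.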

"sometimes you gotta take stuff down to let people know who's boss :)"

The folks at RIPE decided to run an experiment:

----------------------------------------------------------------------
Dear Colleagues,

On Friday 27 August, from 08:41 to 09:08 UTC, the RIPE NCC Routing
Information Service (RIS) announced a route with an experimental BGP
attribute. During this announcement, some Internet Service Providers
reported problems with their networking infrastructure.

Investigation
--------------

Immediately after discovering this, we stopped the announcement and
started investigating the problem. Our investigation has shown that the
problem was likely to have been caused by certain router types
incorrectly modifying the experimental attribute and then further
announcing the malformed route to their peers. The announcements sent
out by the RIS were correct and complied with all standards.

The experimental attribute was part of an experiment conducted in
collaboration with a group from Duke University. This involved
announcing a large (3000 bytes) optional transitive attribute, using a
modified version of Quagga. The attribute used type code 99. The data
consisted of zeros. We used the prefix 93.175.144.0/24 for this and
announced from AS 12654 on AMS-IX, NL-IX and GN-IX to all our peers.

Reports from affected ISPs showed that the length of the attribute in
the attribute header, as seen by their routers, was not correct. The
header stated 233 bytes and the actual data in their samples was 237
bytes. This caused some routers to drop the session with the peer that
announced the route.

We have built a test set-up which is running identical software and
configurations to the live set-up. From this set-up, and the BGP packet
dumps as made by the RIS, we have determined that the length of the data
in the attribute as sent out by the RIS was indeed 3000 bytes and that
all lengths recorded in the headers of the BGP updates were correct.

Beyond the RIS systems, we can only do limited diagnosis. One possible
explanation is that the affected routers did not correctly use the
extended length flag on the attribute. This flag is set when the length
of the attribute exceeds 255 bytes i.e. when two octets are needed to
store the length.

It may be that the routers do not add the higher octet of the length to
the total length, which would lead, in our test set-up, to a total
packet length of 236 bytes. If, in addition, the routers also
incorrectly trim the attribute length, the problem could occur as
observed. It is worth noting that the difference between the reported
233 and 237 bytes is the size of the flags, type code and length in the
attribute.

We will be further investigating this problem and will report any
findings. We regret any inconvenience caused.

Kind regards,

Erik Romijn

Information Services
RIPE NCC
_______________________________________________
tech-l mailing list
tech-l@ams-ix.net
http://melix.ams-ix.net/mailman/listinfo/tech-l


As a result, a few things fell over for quite a few people...
http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4411f.shtml

CRSs in particular were tearing down iBGP sessions with peers a bit :) All in all, it was fun...
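The RIPE message above comes down to one header detail: when an attribute value is longer than 255 bytes the Extended Length flag is set and the length field grows to two octets, and a receiver that mishandles that flag mis-sizes the attribute. The following is an added example, not code from RIPE, Duke or any vendor: it encodes a path attribute per RFC 4271 section 4.3, decodes a run of attributes strictly (every claimed length is checked against the bytes actually present, so a bad header is rejected rather than trimmed or read past), and shows what a parser that only reads the low length octet would believe. The type-99 / 3000-zero-byte attribute is constructed here to match the shape described in the message; the 233/237-byte figures from the affected routers are not reproduced.

```python
from dataclasses import dataclass
from typing import List

# Path-attribute flag bits from RFC 4271, section 4.3.
FLAG_OPTIONAL = 0x80
FLAG_TRANSITIVE = 0x40
FLAG_PARTIAL = 0x20
FLAG_EXTENDED_LENGTH = 0x10


@dataclass
class PathAttribute:
    flags: int
    type_code: int
    value: bytes


def encode_attribute(type_code: int, value: bytes, optional: bool = True,
                     transitive: bool = True) -> bytes:
    """Serialise one path attribute. The Extended Length bit is set, and the
    length field widened to two octets, exactly when the value exceeds 255 bytes."""
    flags = (FLAG_OPTIONAL if optional else 0) | (FLAG_TRANSITIVE if transitive else 0)
    if len(value) > 255:
        flags |= FLAG_EXTENDED_LENGTH
        header = bytes([flags, type_code]) + len(value).to_bytes(2, "big")
    else:
        header = bytes([flags, type_code, len(value)])
    return header + value


def decode_attributes(buf: bytes) -> List[PathAttribute]:
    """Strict decoder for a run of path attributes.

    Every header length is checked against the bytes actually present, so a
    header that claims more than remains raises ValueError instead of being
    silently trimmed or read past the buffer. Only the Extended Length flag
    decides whether the length field is one or two octets.
    """
    attrs: List[PathAttribute] = []
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 3:
            raise ValueError("truncated attribute header at offset %d" % pos)
        flags, type_code = buf[pos], buf[pos + 1]
        if flags & FLAG_EXTENDED_LENGTH:
            if len(buf) - pos < 4:
                raise ValueError("truncated extended-length header at offset %d" % pos)
            length = int.from_bytes(buf[pos + 2:pos + 4], "big")
            header_len = 4
        else:
            length = buf[pos + 2]
            header_len = 3
        if pos + header_len + length > len(buf):
            raise ValueError("attribute type %d claims %d bytes but only %d remain"
                             % (type_code, length, len(buf) - pos - header_len))
        start = pos + header_len
        attrs.append(PathAttribute(flags, type_code, buf[start:start + length]))
        pos = start + length
    return attrs


def is_well_formed(buf: bytes) -> bool:
    """True when the buffer decodes cleanly; a receiver should drop or reject
    (not guess at) an update for which this is False."""
    try:
        decode_attributes(buf)
        return True
    except ValueError:
        return False


def low_octet_only_length(attr: bytes) -> int:
    """What a parser that ignores the high octet of an extended length would
    believe the value length to be. For 3000 bytes (0x0BB8) that is 0xB8 = 184,
    the kind of mis-sizing the RIPE message hypothesises."""
    if attr[0] & FLAG_EXTENDED_LENGTH:
        return attr[3]
    return attr[2]


# Constructed reproduction of the experiment's shape: type code 99, 3000 zero bytes.
EXPERIMENTAL_ATTR = encode_attribute(99, bytes(3000))
```

The header of `EXPERIMENTAL_ATTR` is `D0 63 0B B8`: optional, transitive, extended length, type 99, length 3000. A decoder that keys the field width off that flag round-trips it; one that does not ends up with a length that no longer lines up with the update, which is exactly where a session reset is the safer outcome.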

Cisco EzVPN client on a router

The Cisco EzVPN client on a router turned out to be a very useful thing. For example, it lets you connect an office that has "suddenly" moved to the corporate network over a temporary link with dynamic addresses.

On the VPN server you need to configure something like this (the same as for an ordinary VPN client):

crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group VPN2Off
key ******
dns *.*.*.43
domain *.ru
pool pool_VPN_Office
acl acl_VPN_Office
save-password
!
crypto isakmp profile VPN_Office
match identity group VPN2Off
client authentication list userauthen_Off
isakmp authorization list groupauthor_Off
client configuration address respond
virtual-template 2
!
crypto ipsec transform-set ESP-3DES-MD5-HMAC esp-3des esp-md5-hmac
!
crypto ipsec profile VPNUser
set transform-set ESP-3DES-MD5-HMAC
!
interface Virtual-Template2 type tunnel
ip vrf forwarding Office
ip unnumbered GigabitEthernet0/1.155
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPNUser

On the client:

!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp xauth timeout 90
!
crypto ipsec transform-set ESP-3DES-MD5-HMAC esp-3des esp-md5-hmac
!
crypto ipsec profile VPNUser
set transform-set ESP-3DES-MD5-HMAC
!
crypto ipsec client ezvpn ToCenter
connect auto
group VPN2Off key ******
mode network-extension
peer х.х.х.10
virtual-interface 1
username off password ******
xauth userid mode local
!
!
interface GigabitEthernet0/0
description =To WiMax bridge=
ip address dhcp
duplex auto
speed auto
crypto ipsec client ezvpn ToCenter
!
!
interface GigabitEthernet0/1.40
description === Off-Users ===
encapsulation dot1Q 40
ip address 10.x.x.1 255.255.255.192
crypto ipsec client ezvpn ToCenter inside
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
ip mtu 1300
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPNUser
!
ip route 0.0.0.0 0.0.0.0 dhcp
!

Networks on which "ezvpn inside" is configured on the client side show up on the VPN server as static routes via the Virtual-Access interface and are accordingly redistributed into the required routing protocol.

A bit about NAT on the Cisco ACE...

After much trial and error, we arrived at roughly this configuration:

! logging of various things:
logging enable
logging standby
logging timestamp
logging trap 6
logging buffered 6
logging facility 19
logging device-id context-name
logging host 192.168.150.220 udp/514
! cut off the messages we do not need:
no logging message 302022
no logging message 302023
no logging message 302024
no logging message 302025
no logging message 302026
no logging message 302027
no logging message 106023
no logging message 305011
no logging message 305012
no logging message 313004

object-group network Network-Monitor
host 192.168.150.198
host 192.168.150.199

! various ACLs here:
access-list ANY line 10 extended permit ip any any

access-list FINBLOCK_ACCESS line 100 extended permit ip y.y.0.0 255.254.0.0 any

access-list FULL_ACCESS line 110 extended permit ip y.x.0.0 255.254.0.0 any
access-list FULL_ACCESS line 112 extended permit ip x.x.0.0 255.255.0.0 any
access-list FULL_ACCESS line 114 extended permit ip z.x.0.0 255.255.0.0 any

access-list GUEST_ACCESS line 100 extended permit ip z.z.0.0 255.240.0.0 any
access-list GUEST_ACCESS line 110 extended permit ip y.z.2.0 255.255.255.240 any

access-list ICMP line 10 extended permit icmp any any
access-list INSIDE line 100 extended permit ip any any
access-list IP_Time line 7 extended deny tcp any any
access-list IP_Time line 8 extended deny udp any any
access-list IP_Time line 9 extended deny icmp any any
access-list IP_Time line 16 extended permit ip any any

access-list OUTSIDE line 10 extended permit icmp any any unreachable
access-list OUTSIDE line 20 extended permit icmp any any time-exceeded
access-list OUTSIDE line 30 extended permit ip any xx.xx.xx.16 255.255.255.240
access-list OUTSIDE line 40 extended deny ip any any

access-list StaticNAT-10 line 8 extended permit ip host 192.168.153.48 any
access-list StaticNAT-20 line 8 extended permit ip host 192.168.150.220 any
access-list StaticNAT-30 line 8 extended permit ip host 192.168.153.34 any

access-list TCP line 5 extended deny tcp any any range 21 23
access-list TCP line 6 extended deny tcp any any eq 3389
access-list TCP line 7 extended deny tcp any any eq pptp
access-list TCP line 10 extended permit tcp any any

access-list UDP line 10 extended permit udp any any

access-list server_NAT line 10 extended permit ip host 192.168.131.138 any
access-list server_NAT line 11 extended permit ip host 192.168.131.152 any
access-list server_NAT line 20 extended permit ip host 192.168.131.202 any

! define the parameters that are applied to sessions:
parameter-map type connection ICMP-timeout
set timeout inactivity 4
parameter-map type connection TCP-timeout
set timeout inactivity 120
set tcp timeout half-closed 60
set tcp window-scale 4
tcp-options selective-ack allow
tcp-options timestamp allow
tcp-options window-scale allow
exceed-mss allow
parameter-map type connection Timeouts
set timeout inactivity 120
parameter-map type connection UDP-timeout
set timeout inactivity 30

class-map match-all ANY
2 match any

! classes for static NAT and other things:
class-map match-any Class-StaticNAT-10
2 match access-list StaticNAT-10
class-map match-any Class-StaticNAT-20
2 match access-list StaticNAT-20
class-map match-any Class-StaticNAT-30
2 match access-list StaticNAT-30
class-map match-any FULL_NAT
2 match access-list FULL_ACCESS
class-map match-all ICMP
2 match access-list ICMP
class-map match-any IP_Time
2 match access-list IP_Time
class-map type management match-any REMOTE_ACCESS
4 match protocol icmp any
6 match protocol snmp source-address 192.168.150.203 255.255.255.255
class-map match-any SERVER_NAT
2 match access-list server_NAT
class-map match-all TCP
2 match access-list TCP
class-map match-all UDP
2 match access-list UDP

policy-map type management first-match REMOTE_ACCESS_POLICY
class REMOTE_ACCESS
permit

! policy so that pings work and traceroutes come out right:
policy-map multi-match ICMP
class ICMP
inspect icmp error

! policy for static NAT
policy-map multi-match StaticNAT
class Class-StaticNAT-10
nat static xx.xx.xx.27 netmask 255.255.255.255 vlan 14
class Class-StaticNAT-20
nat static xx.xx.xx.20 netmask 255.255.255.255 vlan 14
class Class-StaticNAT-30
nat static xx.xx.xx.22 netmask 255.255.255.255 vlan 14

! policy for applying the parameters to traffic:
policy-map multi-match TIMERS
class UDP
connection advanced-options UDP-timeout
class ICMP
connection advanced-options ICMP-timeout
class IP_Time
connection advanced-options Timeouts
class TCP
connection advanced-options TCP-timeout

! policy for NAT
policy-map multi-match ABON_NAT
class FULL_NAT
nat dynamic 1 vlan 14
class SERVER_NAT
nat dynamic 3 vlan 14
timeout xlate 60

! this is the inside interface
interface vlan 13
description NAT_in
ip address 192.168.255.51 255.255.255.248
alias 192.168.255.49 255.255.255.248
peer ip address 192.168.255.50 255.255.255.248
mtu 1500
! disables reassembly of fragmented packets:
fragment chain 1
access-group input ANY
service-policy input ICMP
service-policy input REMOTE_ACCESS_POLICY
service-policy input StaticNAT
service-policy input ABON_NAT
service-policy input TIMERS
no shutdown

! this is the outside interface
interface vlan 14
description NAT_out
ip address 192.168.255.59 255.255.255.248
alias 192.168.255.57 255.255.255.248
peer ip address 192.168.255.58 255.255.255.248
mtu 1500
fragment chain 1
access-group input OUTSIDE
nat-pool 1 xx.xx.yy.1 xx.xx.yy.30 netmask 255.255.255.224 pat
nat-pool 1 zz.zz.224.1 zz.zz.255.254 netmask 255.255.224.0
nat-pool 4 xx.xx.xy.2 xx.xx.xy.2 netmask 255.255.255.255 pat
service-policy input ICMP
service-policy input TIMERS
no shutdown

! routes inward and outward:
ip route 0.0.0.0 0.0.0.0 192.168.255.60
ip route 192.168.0.0 255.255.0.0 192.168.255.52

! SNMP stuff:
snmp-server community kldjsifu84rjr894 group Network-Monitor

snmp-server host 192.168.150.203 traps version 2c kldjsifu84rjr894
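One thing worth checking in a configuration like the one above is which flows each class of the TIMERS policy actually claims. The ACLs named TCP and IP_Time contain deny entries, and when an ACL is referenced by a class-map a deny does not block anything, it only keeps the flow out of that class. The following is an added example, not part of the original post or of any Cisco tooling: it models first-match evaluation of the four ACLs the TIMERS policy classifies on and reports which connection parameter-map a flow would get. Two assumptions about ACE semantics are made (a class-map's `match access-list` matches only on a permit entry, and the first matching class in policy order wins); the sample flows are constructed, and pptp is taken as TCP/1723.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str                   # "tcp", "udp", "icmp", "gre", "esp", ...
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass(frozen=True)
class Entry:
    action: str                                # "permit" or "deny"
    proto: str                                 # "ip" matches every protocol
    dports: Optional[Tuple[int, int]] = None   # inclusive destination-port range

    def matches(self, flow: Flow) -> bool:
        if self.proto != "ip" and self.proto != flow.proto:
            return False
        if self.dports is None:
            return True
        return flow.dport is not None and self.dports[0] <= flow.dport <= self.dports[1]


def acl_first_match(acl: List[Entry], flow: Flow) -> Optional[str]:
    """Action of the first entry that matches the flow, or None for the implicit deny."""
    for entry in acl:
        if entry.matches(flow):
            return entry.action
    return None


# The four ACLs that policy-map TIMERS classifies on, transcribed from the
# configuration above (pptp is TCP/1723). Source/destination addresses are
# all "any" in these ACLs, so only protocol and port are modelled.
ACLS: Dict[str, List[Entry]] = {
    "TCP": [Entry("deny", "tcp", (21, 23)), Entry("deny", "tcp", (3389, 3389)),
            Entry("deny", "tcp", (1723, 1723)), Entry("permit", "tcp")],
    "UDP": [Entry("permit", "udp")],
    "ICMP": [Entry("permit", "icmp")],
    "IP_Time": [Entry("deny", "tcp"), Entry("deny", "udp"), Entry("deny", "icmp"),
                Entry("permit", "ip")],
}

# Classes in the order they appear under policy-map TIMERS, with the
# connection parameter-map each one applies.
TIMER_CLASSES = [("UDP", "UDP-timeout"), ("ICMP", "ICMP-timeout"),
                 ("IP_Time", "Timeouts"), ("TCP", "TCP-timeout")]


def timeout_map_for(flow: Flow) -> Optional[str]:
    """Which connection parameter-map the TIMERS policy would apply to a flow.

    Assumptions (ACE/ASA convention, not stated on the page): a class-map's
    'match access-list' matches a flow only when the ACL's first matching
    entry is a permit, so deny entries carve exclusions; and the first
    matching class in policy order wins. None means no class claimed the
    flow, so it silently gets the default connection timeouts.
    """
    for class_name, param_map in TIMER_CLASSES:
        if acl_first_match(ACLS[class_name], flow) == "permit":
            return param_map
    return None


def unclassified(flows: List[Flow]) -> List[Flow]:
    """Flows that no TIMERS class covers; these are the ones to review, since
    the intended timers are never applied to them."""
    return [f for f in flows if timeout_map_for(f) is None]


# Constructed sample flows.
SAMPLE_FLOWS = [Flow("tcp", 80), Flow("tcp", 22), Flow("tcp", 3389),
                Flow("udp", 53), Flow("icmp"), Flow("gre"), Flow("esp")]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "->", timeout_map_for(f))
```

Run against the sample flows, the model shows that the IP_Time class ends up meaning "any IP protocol other than TCP, UDP and ICMP" (GRE and ESP land in the Timeouts map), while TCP to ports 21-23, 3389 and 1723 matches no class at all and therefore gets neither the TCP-timeout map nor the Timeouts map. Whether that is intended is a question for whoever wrote the TCP ACL; the model just makes the gap visible before it has to be found on a live box.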


P.S.: the ACE is a fine thing, of course, but it has two "small problems": doing NAT it handles no more than 1.1 Mpps, after which it starts dropping traffic, and sometimes, under circumstances not yet determined, it drops traffic for certain addresses citing a supposedly bad checksum. Let's hope they fix it.... Some day... The software was A2(3.0).

A cost-cutting version of the "proper" access network for a home ISP

The previous version (http://ciscovod.blogspot.com/2009/03/cisco-isg-dhcp-opt82.html) was criticised by colleagues as too expensive :)
So the thinking continued:

A 6509 chassis fitted with a Sup2 and fabric, two 2500 W power supplies, and 6x16 GBIC + 16GE(TX) comes to $7680 on shop.nag.ru (without GBIC modules). One such node is enough for roughly 1800 subscribers at a 0.8 fill ratio.

The SCE1010 costs $30K at GPL.