Good morning,
I have a Cisco router configured for a 7 Mb NGI F5 line; right after the router is powered on, and for a few hours, it runs at about 3 Mbit, then it collapses to the point where any work becomes impossible.
I would like to understand whether I have made a lot of blunders, and whether you could help me get out of this...
Thanks
Using 2959 out of 131072 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname cisco857
!
boot-start-marker
boot-end-marker
!
logging userinfo
logging buffered 32000 informational
logging console informational
logging monitor informational
enable secret 5 $1$.xyxyxyxyxyxyxyxyxyx.
enable password 7 xyxyxyxyxyxyxyxyxyxy
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
!
!
no ip cef
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
no ip bootp server
no ip domain lookup
ip domain name lanlocale.local
ip ssh time-out 60
ip ssh version 2
!
!
crypto pki trustpoint TP-self-signed-37373737337
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4646464646
revocation-check none
rsakeypair TP-self-signed-4646464646
!
!
crypto pki certificate chain TP-self-signed-3173212138
certificate self-signed 01 nvram:IOS-Self-Sig#3803.cer
username xyxyxyxyxxyxyx privilege 15 password 7 xuxuxuxuxuxuxuxxuxu
!
!
no crypto isakmp enable
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description WAN
no snmp trap link-status
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description LAN
ip address 192.168.2.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no ip mroute-cache
ntp broadcast
hold-queue 100 out
!
interface Dialer0
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username 1234567890 password 7 09876543210987654321
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat source static tcp 192.168.2.10 80 interface Dialer0 80
ip nat inside source list 101 interface Dialer0 overload
!
access-list 101 permit ip any any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit ip any host 192.168.2.10
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 1 in
privilege level 15
password 7 888f8f8f8dfff8
transport input telnet ssh
!
scheduler max-task-time 5000
end
cisco857#
Cisco 857 router, NGI F5 7 Mb in slow motion.
Moderator: Federico.Lagni
-
- Messianic Network master
- Posts: 1159
- Joined: Sun 11 Mar 2007, 2:23 pm
- Location: Termoli
Remove the permit any any from ACL 101: it is too open and ends up saturating the RAM when allocating the NAT table.
Also post a sh dsl int atm0
Bye
-
- Cisco fan
- Posts: 28
- Joined: Mon 24 Jul 2006, 3:35 pm
Thanks, in the meantime here is what was requested:
sh dsl int atm0
ATM0
Alcatel 20190 chipset information
ATU-R (DS) ATU-C (US)
Modem Status: Showtime (DMTDSL_SHOWTIME)
DSL Mode: ITU G.992.1 (G.DMT) Annex A
ITU STD NUM: 0x03 0x2
Vendor ID: 'STMI' 'P '
Vendor Specific: 0x0000 0x0000
Vendor Country: 0x0F 0xB5
Capacity Used: 99% 83%
Noise Margin: 1.0 dB 16.0 dB
Output Power: 19.0 dBm 12.5 dBm
Attenuation: 25.0 dB 13.5 dB
Defect Status: None LCDf
Last Fail Code: None
Watchdog Counter: 0x6D
Watchdog Resets: 1
Selftest Result: 0x00
Subfunction: 0x00
Interrupts: 11489 (0 spurious)
PHY Access Err: 0
Activations: 2
LED Status: ON
LED On Time: 100
LED Off Time: 100
Init FW: embedded
Operation FW: embedded
FW Version: 2.5.42
Interleave Fast Interleave Fast
Speed (kbps): 0 6976 0 640
Cells: 0 30569917 0 2692713141
Reed-Solomon EC: 0 0 39658 22008
CRC Errors: 0 31760 31288 19142
Header Errors: 0 41407 32476 39179
Total BER: 0E-0 65535E-255
Leakage Avarage BER: 0E-0 65535E-255
LOM Monitoring : Disabled
DMT Bits Per Bin
000: 0 0 0 0 0 0 3 4 6 7 8 9 9 9 9 9
010: 9 9 9 9 9 9 9 9 8 8 7 6 5 4 2 0
020: 0 0 0 0 0 E B C B B B B B B B B
030: B B B B A A B A A A A A A A A B
040: 0 B A A A A A A B A A A A A B A
050: A A B A 2 A A A A A A A A A A A
060: A 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9
070: 9 8 9 8 8 9 9 8 8 8 8 8 8 8 8 8
080: 8 8 8 8 8 8 8 9 8 8 8 8 8 8 8 8
090: 9 9 9 9 9 9 8 9 8 9 8 8 9 8 8 8
0A0: 8 8 8 9 8 8 8 8 8 8 8 8 8 8 8 8
0B0: 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8
0C0: 8 8 8 7 8 8 7 7 8 7 8 8 8 8 8 8
0D0: 8 8 7 7 7 8 7 8 8 8 8 8 8 7 7 7
0E0: 8 7 7 8 7 7 8 7 7 7 7 7 7 7 7 7
0F0: 7 7 7 7 7 7 7 6 6 7 6 6 6 7 7 8
DSL: Training log buffer capability is not enabled
-
- Cisco fan
- Posts: 28
- Joined: Mon 24 Jul 2006, 3:35 pm
As for access-list 101, since I need to reach the web server at IP 192.168.2.10 from two IP addresses (e.g. aaa.bbb.ccc.ddd and qqq.www.eee.rrr), instead of putting this:
access-list 101 permit ip any any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
should I put
access-list 101 permit ip aaa.bbb.ccc.ddd any
access-list 101 permit ip qqq.www.eee.rrr any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
or would this be better:
access-list 101 permit tcp host aaa.bbb.ccc.ddd host 192.168.2.10 eq 80
access-list 101 permit tcp host qqq.www.eee.rrr host 192.168.2.10 eq 80
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
Thanks
-
- Messianic Network master
- Posts: 1159
- Joined: Sun 11 Mar 2007, 2:23 pm
- Location: Termoli
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
only this one
-
- Cisco fan
- Posts: 28
- Joined: Mon 24 Jul 2006, 3:35 pm
No, with that one alone it doesn't work.
I can't understand...
EDIT:
To avoid writing a flood of posts I'll ask directly in this one:
How can I configure access to the router from outside for a single source IP?
Let me explain: I would like to be able to configure the router via telnet from outside as well, not only from the local network, so I would like that, from IP aaa.bbb.ccc.ddd, if I ran "telnet router_external_ip" I would get the login prompt.
Compared to the other problem this one is marginal.
Thanks!
-
- Messianic Network master
- Posts: 1159
- Joined: Sun 11 Mar 2007, 2:23 pm
- Location: Termoli
access-list 1 permit <ip>
line vty X Y
access-class 1 in
P.S. The NAT must work. You are surely getting something wrong. Repost the cfg.
-
- Cisco fan
- Posts: 28
- Joined: Mon 24 Jul 2006, 3:35 pm
Currently I can browse (although the upload speed is lower than I would have expected; in download I'm at around 61xx kbs) and I can connect to the router via telnet remotely. At the moment I can't test publishing the website because I connected the LAN to the old Telecom line so as not to leave everyone stranded, and they are currently holding a videoconference.
As I wrote in the previous post, I made a change to the configuration:
I removed this line from interface Dialer0:
ip access-group 101 in
and now I browse with this line only:
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
I think the line ip access-group 101 in was there for the publishing, but given my ignorance I'm not very sure...
this is the sh run as requested:
!
version 12.4
no service pad
service tcp-keepalives-in
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname cisco857
!
boot-start-marker
boot-end-marker
!
logging userinfo
logging buffered 32000 informational
logging console informational
logging monitor informational
enable secret 5 $1$.xyxyxyxyxyxyxyxyxyx.
enable password 7 xyxyxyxyxyxyxyxyxyxy
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
!
!
no ip cef
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
no ip bootp server
no ip domain lookup
ip domain name lanlocale.local
ip ssh time-out 60
ip ssh version 2
!
!
crypto pki trustpoint TP-self-signed-37373737337
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4646464646
revocation-check none
rsakeypair TP-self-signed-4646464646
!
!
crypto pki certificate chain TP-self-signed-3173212138
certificate self-signed 01
quit
username xyxyxyxyxxyxyx privilege 15 password 7 xuxuxuxuxuxuxuxxuxu
!
!
no crypto isakmp enable
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description WAN
no snmp trap link-status
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description LAN
ip address 192.168.2.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no ip mroute-cache
ntp broadcast
hold-queue 100 out
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username 1234567890 password 7 09876543210987654321
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat source static tcp 192.168.2.10 80 interface Dialer0 80
ip nat inside source list 101 interface Dialer0 overload
!
access-list 1 permit "IP from which I connect to the router via telnet"
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit ip any host 192.168.2.10
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 1 in
privilege level 15
password 7 888f8f8f8dfff8
transport input telnet ssh
!
scheduler max-task-time 5000
end
-
- Messianic Network master
- Posts: 1159
- Joined: Sun 11 Mar 2007, 2:23 pm
- Location: Termoli
DavideD wrote:...
I removed this line from interface Dialer0:
ip access-group 101 in
and now I browse with this line only:
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
...
Well, yes... you had applied the NAT rules as a filter on the interface as well. A mess!
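
The two mistakes named in the replies above (a NAT overload ACL containing permit ip any any, and the same ACL also applied as an interface filter) can be checked mechanically. This is an added example, not code from the thread: the function names and finding codes are hypothetical, the two inputs are constructed excerpts of the first and last configurations posted, and it goes one step further by also listing ACLs that are referenced but never defined, or defined but never applied.

```python
import re
from collections import defaultdict

# Constructed excerpts: only the ACL-related lines of the first and of the last
# configuration posted in the thread (aaa.bbb.ccc.ddd is the thread's placeholder).
BEFORE = """\
interface Dialer0
 ip access-group 101 in
 ip nat outside
!
ip http access-class 23
ip nat inside source list 101 interface Dialer0 overload
!
access-list 101 permit ip any any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit ip any host 192.168.2.10
!
line vty 0 4
 access-class 1 in
"""

AFTER = """\
interface Dialer0
 ip nat outside
!
ip http access-class 23
ip nat inside source list 101 interface Dialer0 overload
!
access-list 1 permit aaa.bbb.ccc.ddd
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit tcp any host 192.168.2.10 eq 80
access-list 103 deny ip any any
!
line vty 0 4
 access-class 1 in
"""

# Statements that reference a numbered ACL, and the role the ACL plays there.
REF_PATTERNS = [
    ("filter", re.compile(r"ip access-group (\d+) (?:in|out)$")),
    ("nat", re.compile(r"ip nat inside source list (\d+) ")),
    ("vty", re.compile(r"access-class (\d+) (?:in|out)$")),
    ("http", re.compile(r"ip http access-class (\d+)$")),
]


def parse(config):
    """Return (acls, refs): ACL id -> entries, ACL id -> [(role, context)]."""
    acls, refs, context = defaultdict(list), defaultdict(list), "global"
    for raw in config.splitlines():
        line = raw.strip()  # indentation is not relied on; forum pastes lose it
        if line in ("", "!"):
            context = "global"
        elif line.startswith(("interface ", "line ")):
            context = line
        elif (m := re.match(r"access-list (\d+) (.+)$", line)):
            acls[m.group(1)].append(m.group(2))
        else:
            for role, pattern in REF_PATTERNS:
                if (m := pattern.match(line)):
                    refs[m.group(1)].append((role, context))
    return dict(acls), dict(refs)


def permits_any_source(acl_id, entry):
    """True if a permit entry matches every source address."""
    tokens = entry.split()
    n = int(acl_id)
    standard = 1 <= n <= 99 or 1300 <= n <= 1999
    src = 1 if standard else 2  # standard: permit SRC; extended: permit PROTO SRC
    return tokens[0] == "permit" and len(tokens) > src and tokens[src] == "any"


def audit(config):
    """Return a sorted list of (code, acl_id, detail) findings."""
    acls, refs = parse(config)
    findings = []
    for acl_id, uses in refs.items():
        roles = {role for role, _ in uses}
        if acl_id not in acls:
            detail = "referenced by " + ", ".join(sorted(roles)) + ", no entries defined"
            findings.append(("UNDEFINED_ACL", acl_id, detail))
            continue
        if "nat" in roles:
            for entry in acls[acl_id]:
                if permits_any_source(acl_id, entry):
                    findings.append(("NAT_ANY_SOURCE", acl_id, entry))
            if "filter" in roles:
                where = ", ".join(ctx for role, ctx in uses if role == "filter")
                findings.append(("NAT_ACL_AS_FILTER", acl_id, where))
    for acl_id in acls:
        if acl_id not in refs:
            findings.append(("UNUSED_ACL", acl_id, "defined but applied nowhere"))
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("first config", BEFORE), ("last config", AFTER)):
        print(name)
        for code, acl_id, detail in audit(cfg):
            print(f"  {code:18} ACL {acl_id:>3}  {detail}")
```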

-
- Cisco fan
- Posts: 28
- Joined: Mon 24 Jul 2006, 3:35 pm
Mysteriously, browsing keeps stalling after less than a day... I had the old line reconnected and did not have the Cisco restarted; from outside I was able to connect via Telnet, so it shouldn't be a line problem, otherwise I wouldn't have been able to get in... I don't understand...
I'm attaching the modified sh run
version 12.4
no service pad
service tcp-keepalives-in
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname cisco857
!
boot-start-marker
boot-end-marker
!
logging userinfo
logging buffered 32000 informational
logging console informational
logging monitor informational
enable secret 5 tkfkfjifikfjifkjnfjk
enable password 7 43434534535345345345
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
!
!
no ip cef
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
no ip bootp server
no ip domain lookup
ip domain name lanlocale.local
ip ssh time-out 60
ip ssh version 2
!
!
crypto pki trustpoint TP-self-signed-3173212138
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3173212138
revocation-check none
rsakeypair TP-self-signed-3173212138
!
!
crypto pki certificate chain TP-self-signed-3173212138
certificate self-signed 01
quit
username cisco857FS privilege 15 password 7 434534534534345
!
!
no crypto isakmp enable
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description WAN
no snmp trap link-status
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description LAN
ip address 192.168.2.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no ip mroute-cache
ntp broadcast
hold-queue 100 out
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username 56546456456 password 7 4534435353435
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat source static tcp 192.168.2.10 80 interface Dialer0 80
ip nat inside source list 101 interface Dialer0 overload
!
access-list 1 permit aaa.bbb.ccc.ddd
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit tcp any host 192.168.2.10 eq 80
access-list 103 permit icmp any any administratively-prohibited
access-list 103 permit icmp any any echo
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any packet-too-big
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any traceroute
access-list 103 permit icmp any any unreachable
access-list 103 deny ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 1 in
privilege level 15
password 7 11080A161E4A5E5B2219
transport input telnet ssh
!
scheduler max-task-time 5000
end
-
- Cisco fan
- Posts: 28
- Joined: Mon 24 Jul 2006, 3:35 pm
I'm also posting the output of sh dsl int atm0
ATM0
Alcatel 20190 chipset information
ATU-R (DS) ATU-C (US)
Modem Status: Showtime (DMTDSL_SHOWTIME)
DSL Mode: ITU G.992.1 (G.DMT) Annex A
ITU STD NUM: 0x03 0x2
Vendor ID: 'STMI' 'P '
Vendor Specific: 0x0000 0x0000
Vendor Country: 0x0F 0xB5
Capacity Used: 99% 84%
Noise Margin: 11.0 dB 16.0 dB
Output Power: 20.0 dBm 12.5 dBm
Attenuation: 25.0 dB 13.5 dB
Defect Status: None None
Last Fail Code: None
Watchdog Counter: 0x6F
Watchdog Resets: 0
Selftest Result: 0x00
Subfunction: 0x00
Interrupts: 88067 (0 spurious)
PHY Access Err: 0
Activations: 7
LED Status: ON
LED On Time: 100
LED Off Time: 100
Init FW: embedded
Operation FW: embedded
FW Version: 2.5.42
Interleave Fast Interleave Fast
Speed (kbps): 0 7712 0 640
Cells: 0 4790 0 34130188
Reed-Solomon EC: 0 0 0 0
CRC Errors: 0 1 0 1
Header Errors: 0 0 0 0
Total BER: 0E-0 3165E-13
Leakage Avarage BER: 0E-0 1193E-14
LOM Monitoring : Disabled
DMT Bits Per Bin
000: 0 0 0 0 0 0 2 4 6 7 8 8 9 A A A
010: A 9 9 9 9 9 9 8 8 7 7 6 5 4 2 0
020: 0 0 0 0 0 9 A B A B B B C B C C
030: C C C C C C C C C C B B B C B B
040: 0 B B B C C C C C C B B B B B B
050: B 2 B B B B B B B B B B B B B B
060: B B B A A A B A A A A A A A A A
070: 9 A 9 9 9 9 9 9 9 9 9 9 9 9 9 9
080: 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9
090: 9 9 9 9 9 9 A 9 9 9 9 9 9 9 9 9
0A0: 9 9 9 9 9 9 9 9 9 9 9 A 9 9 9 9
0B0: 9 9 9 9 9 9 9 9 9 9 9 9 9 8 8 8
0C0: 8 8 8 8 9 8 9 9 9 9 8 9 9 9 9 9
0D0: 9 8 9 9 8 9 9 8 8 8 8 8 8 9 8 8
0E0: 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8
0F0: 8 8 8 8 8 7 8 7 7 7 7 7 7 7 7 9
DSL: Training log buffer capability is not enabled
-
- Messianic Network master
- Posts: 1159
- Joined: Sun 11 Mar 2007, 2:23 pm
- Location: Termoli
You are at the limit as far as the twisted pair is concerned. When you get these stalls, can you see whether the carrier renegotiates the sync? Try to pay attention to it....
-
- Cisco fan
- Posts: 28
- Joined: Mon 24 Jul 2006, 3:35 pm
Thanks for the advice! Should I call NGI to ask them to check the cable?
As for the renegotiation, how can I see it? I'm not constantly in the office, quite the opposite...
When I spoke with the NGI technician he told me to try updating the IOS or replacing the router, but if it's neither a silly mistake I made in the configuration nor a hardware problem, that wouldn't solve the problem...