Problem with Reliable Static Routing Backup Using Object Tra
Posted: Mon 29 Oct, 2007 6:36 pm
Hi everyone,
I'm trying to configure Reliable Static Routing Backup Using Object Tracking so that, in case of a failure, I can use a second ADSL line.
What happens is that if I enable the last command that turns on Object Tracking, ip sla monitor schedule 1 life forever start-time now, and run a show ip route, I see that my default gateway switches from the primary default to the secondary one (the one being tracked) for 1,2 seconds and back again...
In practice the two default routes keep going up and down.
Could anyone tell me what I'm doing wrong?
Thanks a lot.
CONFIGURATION ATTACHED...
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname TEST-GW
!
boot-start-marker
boot-end-marker
!
logging buffered 16000 informational
enable password 7xxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
clock save interval 8
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
!
no ip bootp server
ip name-server 192.168.20.4
ip sla monitor 1
type echo protocol ipIcmpEcho 151.1.1.1
timeout 1000
threshold 2
frequency 3
!
!
ip sla monitor schedule 1 life forever start-time now
track 123 rtr 1 reachability
!
!
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key test address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp nat keepalive 20
!
crypto ipsec transform-set cii esp-des
!
crypto ipsec profile VPN
set transform-set test
interface Tunnel0
bandwidth 1000
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1416
ip nhrp authentication xxxxxx
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 300
no ip route-cache cef
no ip route-cache
no ip split-horizon eigrp 100
no ip mroute-cache
delay 1000
tunnel source FastEthernet0/0.2
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile VPN
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
bandwidth 1600000
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
load-interval 30
speed auto
full-duplex
no cdp enable
!
interface FastEthernet0/0.1
bandwidth 1600000
encapsulation dot1Q 30 native
no ip route-cache
no ip mroute-cache
no snmp trap link-status
no cdp enable
!
interface FastEthernet0/0.2
bandwidth 1600000
encapsulation dot1Q 2
ip address 151.99.125.1 255.255.255.252
ip access-group 190 in
ip nat outside
ip virtual-reassembly
no ip route-cache
no ip mroute-cache
no snmp trap link-status
no cdp enable
!
interface FastEthernet0/0.3
bandwidth 1600000
encapsulation dot1Q 3
ip address 151.1.1.1 255.255.255.252
ip access-group 190 in
ip nat outside
ip virtual-reassembly
no ip route-cache
no ip mroute-cache
no snmp trap link-status
no cdp enable
!
interface FastEthernet0/1
bandwidth 1600000
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
load-interval 30
speed auto
full-duplex
no cdp enable
!
interface FastEthernet0/1.1
bandwidth 1600000
encapsulation dot1Q 30 native
no ip route-cache
no ip mroute-cache
no snmp trap link-status
no cdp enable
!
interface FastEthernet0/1.2
bandwidth 1600000
encapsulation dot1Q 10
ip address 172.30.0.1 255.255.0.0
ip inspect FW in
ip nat inside
ip virtual-reassembly
no ip route-cache
no ip mroute-cache
no snmp trap link-status
no cdp enable
!
interface FastEthernet0/1.3
bandwidth 1600000
encapsulation dot1Q 1
ip address 192.168.20.254 255.255.255.0
ip inspect FW in
no ip route-cache
no ip mroute-cache
no snmp trap link-status
no cdp enable
router eigrp 100
passive-interface FastEthernet0/0
passive-interface FastEthernet0/0.1
passive-interface FastEthernet0/0.2
passive-interface FastEthernet0/0.3
passive-interface FastEthernet0/1
network 10.0.0.0
network 192.168.20.0
no auto-summary
!
ip local policy route-map TEST
ip classless
ip route 0.0.0.0 0.0.0.0 151.1.1.2 track 123
ip route 0.0.0.0 0.0.0.0 151.99.125.2
!
no ip http server
no ip http secure-server
ip nat pool FASTWEB 151.99.125.1 151.99.125.1 netmask 255.255.255.252
ip nat pool TELECOM 151.1.1.1 151.1.1.1 netmask 255.255.255.252
ip nat inside source list 140 pool FASTWEB overload
ip nat inside source list 141 pool TELECOM overload
ip nat inside source static tcp 172.30.0.2 20 151.99.125.1 20 extendable
ip nat inside source static tcp 172.30.0.2 21 151.99.125.1 21 extendable
ip nat inside source static tcp 172.30.0.2 22 151.99.125.1 22 extendable
ip nat inside source static tcp 172.30.0.2 25 151.99.125.1 25 extendable
ip nat inside source static tcp 172.30.0.2 80 151.99.125.1 80 extendable
ip nat inside source static tcp 172.30.0.2 110 151.99.125.1 110 extendable
ip nat inside source static tcp 172.30.0.2 443 151.99.125.1 443 extendable
ip nat inside source static tcp 172.30.0.2 1723 151.99.125.1 1723 extendable
!
logging facility local0
logging 192.168.20.18
access-list 30 remark###################################################
access-list 30 remark #ACCESS-LIST PER ACCESSO AL CISCO VIATELNET #
access-list 30 remark---------------------------------------------------
access-list 30 remark Access list per Telnet in sul router
access-list 30 permit 192.168.20.0 0.0.0.255
access-list 30 deny any log
access-list 30 remark===================================================
access-list 100 remark###################################################
access-list 100 remark #ACCESS-LIST FORZARE IP-ICMP SU LINEAFASTWEB #
access-list 100 remark---------------------------------------------------
access-list 100 permit icmp any host 151.1.1.1 echo log
access-list 100 remark ===================================================
access-list 140 remar ###################################################
access-list 140 remark #ACCESS-LIST PER NAT OVERLOAD CON ESCLUSIONE IPSEC#
access-list 140 remark---------------------------------------------------
access-list 140 deny esp any any
access-list 140 deny gre any any
access-list 140 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 log
access-list 140 deny ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255 log
access-list 140 deny ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255 log
access-list 140 deny ip 192.168.20.0 0.0.0.255 192.168.23.0 0.0.0.255 log
access-list 140 permit icmp any any
access-list 140 permit ip any any
access-list 140 remark===================================================
access-list 141 remark###################################################
access-list 141 remark #ACCESS-LIST PER NAT OVERLOAD CON ESCLUSIONE IPSEC#
access-list 141 remark---------------------------------------------------
access-list 141 deny esp any any
access-list 141 deny gre any any
access-list 141 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 log
access-list 141 deny ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255 log
access-list 141 deny ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255 log
access-list 141 deny ip 192.168.20.0 0.0.0.255 192.168.23.0 0.0.0.255 log
access-list 141 deny icmp any host 151.1.1.1 echo
access-list 141 permit icmp any any
access-list 141 permit ip any any
access-list 141 remark ===================================================
access-list 190 remark ###################################################
access-list 190 remark # ACCESS-LIST FIREWALLCBAC #
access-list 190 remark #IN ENTRATA DA INTERNET PER SERVIZIPUBBLICATI #
access-list 190 remark---------------------------------------------------
access-list 190 permit icmp any any
access-list 190 permit udp any any eq isakmp
access-list 190 permit esp any any
access-list 190 permit gre any any
access-list 190 permit tcp any any eq ftp-data
access-list 190 permit tcp any any eq ftp
access-list 190 permit tcp any any eq 22
access-list 190 permit tcp any any eq smtp
access-list 190 permit tcp any any eq www
access-list 190 permit tcp any any eq pop3
access-list 190 permit tcp any any eq 443
access-list 190 permit tcp any any eq 1723
access-list 190 remark ===================================================
dialer-list 2 protocol ip list 101
no cdp run
route-map TEST permit 10
match ip address 100
set ip next-hop 151.99.125.2
set interface null 0
!
!
control-plane
line con 0
line aux 0
line vty 0 4
session-timeout 28800
password xxxxxxxxxxxxxx
absolute-timeout 480
logging synchronous level all
login
!
ntp master
ntp server 193.204.114.232 source FastEthernet0/0
time-range workingdays
periodic weekdays 5:00 to 16:00
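
Added example, not part of the original post: a Python check that follows the chain this configuration builds (tracked default route, `track 123`, `ip sla monitor 1`, `ip local policy route-map TEST`) and reports which address the probe targets, which interface owns that address, and which next hop the local policy imposes on the probe. The function names are hypothetical and the embedded lines are copied from the configuration above; the output lists facts to check while troubleshooting and is not a diagnosis of the flapping.

```python
import ipaddress
import re

# Lines copied from the configuration in the post (tracking chain only).
CONFIG = """\
ip sla monitor 1
type echo protocol ipIcmpEcho 151.1.1.1
track 123 rtr 1 reachability
interface FastEthernet0/0.2
ip address 151.99.125.1 255.255.255.252
interface FastEthernet0/0.3
ip address 151.1.1.1 255.255.255.252
ip local policy route-map TEST
ip route 0.0.0.0 0.0.0.0 151.1.1.2 track 123
access-list 100 permit icmp any host 151.1.1.1 echo log
route-map TEST permit 10
match ip address 100
set ip next-hop 151.99.125.2
"""

def find(pattern, text):
    """First capture group of pattern in text (multiline), or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def audit_tracking(config):
    """Resolve every tracked static route to its probe and describe the probe's path."""
    local, ifname = {}, None            # interface name -> configured address
    for words in map(str.split, config.splitlines()):
        if words[:1] == ["interface"]:
            ifname = words[1]
        elif words[:2] == ["ip", "address"] and ifname:
            local[ifname] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
    # Local policy routing applies to packets the router originates, probes included.
    rmap = find(r"^ip local policy route-map (\S+)", config)
    block = config.split(f"route-map {rmap} permit", 1)[-1] if rmap else ""
    acl = find(r"^\s*match ip address (\d+)", block)
    hop = find(r"^\s*set ip next-hop (\S+)", block)
    report = []
    for nh, tid in re.findall(r"^ip route \S+ \S+ (\S+) track (\d+)", config, re.M):
        sla = find(rf"^track {tid} rtr (\d+) reachability", config)
        target = find(rf"^ip sla monitor {sla}\n\s*type echo protocol ipIcmpEcho (\S+)", config)
        if target is None:
            continue                    # track object without an echo probe
        policed = acl and re.search(
            rf"^access-list {acl} permit icmp any host {re.escape(target)}\b", config, re.M)
        on_net = [n for n, i in local.items() if ipaddress.ip_address(nh) in i.network]
        owner = [n for n, i in local.items() if str(i.ip) == target]
        report.append({"track": tid, "next_hop": nh, "probe_target": target,
                       "tracked_link": on_net[0] if on_net else None,
                       "target_owned_by": owner[0] if owner else None,
                       "probe_policy_next_hop": hop if policed else None})
    return report
```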