Cisco

[Cisco] NAT: switching to ip flow ingress/egress

Ran into a problem on a Cisco router: with the usual trick of bouncing traffic through a Loopback so that it gets counted in the NetFlow statistics, the CPU load on the router itself jumps to 100%.

A quick bit of googling turned up another way, and it is far less of a hassle.

Here is what needs to be done:

conf t
! inside interface; its address becomes the source of the exported NetFlow datagrams
ip flow-export source FastEthernet0/0
! inside interface: account both directions here instead of redirecting via a Loopback
interface FastEthernet0/0
 ip flow ingress
 ip flow egress
exit
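The collector side of this setup, as an added example that is not part of the original post: the router exports NetFlow version 5 datagrams, and each v5 record carries the SNMP ifIndex of the input and output interface, so flows accounted by ip flow ingress on the inside interface arrive with that interface as input and flows accounted by ip flow egress show it as output. The decoder below validates the datagram length against the record count before trusting any field, then sums octets per input interface. The ifIndex-to-name mapping (1 = FastEthernet0/0, 2 = FastEthernet0/1), the sample addresses and the counters are assumed values constructed for the example.

```python
"""Added example (not from the post): decode a NetFlow v5 export datagram,
the format the config on this page sends to its collector.
Each v5 record carries the SNMP ifIndex of the input and output interface,
so flows seen by 'ip flow ingress' on the inside interface show up with that
interface as input, and 'ip flow egress' flows show it as output."""
import socket
import struct
from dataclasses import dataclass

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record
MAX_RECORDS = 30                                     # v5 caps records per datagram

# Assumed ifIndex -> name mapping; 'snmp-server ifindex persist' keeps these stable.
IF_NAMES = {1: "FastEthernet0/0", 2: "FastEthernet0/1"}


@dataclass
class Flow:
    src: str
    dst: str
    input_if: int
    output_if: int
    packets: int
    octets: int
    sport: int
    dport: int
    proto: int


def is_well_formed(datagram):
    """Sanity-check length and version before trusting any field."""
    if len(datagram) < HEADER.size:
        return False
    version, count = struct.unpack_from("!HH", datagram)
    return (version == 5 and count <= MAX_RECORDS
            and len(datagram) == HEADER.size + count * RECORD.size)


def parse_v5(datagram):
    """Return (header dict, list of Flow); raise ValueError on a bad datagram."""
    if not is_well_formed(datagram):
        raise ValueError("malformed NetFlow v5 datagram")
    _, count, uptime, secs, _, seq, etype, eid, sampling = HEADER.unpack_from(datagram)
    header = {"uptime_ms": uptime, "unix_secs": secs, "sequence": seq,
              "engine": (etype, eid), "sampling_interval": sampling & 0x3FFF}
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append(Flow(socket.inet_ntoa(r[0]), socket.inet_ntoa(r[1]),
                          r[3], r[4], r[5], r[6], r[9], r[10], r[13]))
    return header, flows


def bytes_by_input_interface(flows, names=IF_NAMES):
    """Octets per input interface: ingress on the inside interface is outbound traffic."""
    totals = {}
    for f in flows:
        key = names.get(f.input_if, f"ifIndex {f.input_if}")
        totals[key] = totals.get(key, 0) + f.octets
    return totals


def build_v5(records, sequence=0):
    """Serialise raw record tuples into a datagram (only used for the constructed sample)."""
    hdr = HEADER.pack(5, len(records), 0, 0, 0, sequence, 0, 0, 0)
    return hdr + b"".join(RECORD.pack(*r) for r in records)


def _rec(src, dst, nh, inp, out, pkts, octets, sport, dport, proto):
    """Raw 20-field v5 record; first/last, AS numbers, tos and pads are zero."""
    a = socket.inet_aton
    return (a(src), a(dst), a(nh), inp, out, pkts, octets, 0, 0,
            sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 0, 0)


# Constructed sample: one outbound HTTP flow entering Fa0/0 and its reply leaving it.
SAMPLE_DATAGRAM = build_v5([
    _rec("192.168.0.10", "198.51.100.7", "10.10.10.9", 1, 2, 10, 1500, 51234, 80, 6),
    _rec("198.51.100.7", "192.168.0.10", "0.0.0.0", 2, 1, 12, 9000, 80, 51234, 6),
])

if __name__ == "__main__":
    header, flows = parse_v5(SAMPLE_DATAGRAM)
    print(header)
    for f in flows:
        print(f)
    print(bytes_by_input_interface(flows))
```

On a real collector the datagram comes from a UDP socket bound to the port given in ip flow-export destination; the length check matters there because a truncated or spoofed datagram would otherwise be decoded into garbage counters.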

[Cisco] A clean Cisco config for use with NAT

Saving it here just in case; it might come in handy some day.

Everything in this config is ready to go.

!
! Last configuration change at 06:53:43 UTC Fri Apr 10 2009 by mrwho
! NVRAM config last updated at 06:53:44 UTC Fri Apr 10 2009 by mrwho
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco-Test
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone MSK 3
ip cef
!
!
!
!
no ip domain lookup
ip domain name yourdomain.com
!
!
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-host mngr 10.20.20.20 root enable
!
!
interface FastEthernet0/0
 description INSIDE
 ip address 192.168.0.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip route-cache policy
 no ip route-cache cef
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description OUTSIDE
 ip address 10.10.10.10 255.255.255.252
 ip nat outside
 ip route-cache policy
 ip route-cache flow
 no ip mroute-cache
 speed auto
 duplex auto
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.10.9
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.0.2 7223
!
no ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool NatPool 10.10.10.10 10.10.10.10 netmask 255.255.255.252
ip nat inside source list 1 pool NatPool overload
ip nat inside source static tcp 192.168.0.2 22 213.243.91.70 22 extendable
ip nat inside source static tcp 192.168.0.2 80 213.243.91.70 80 extendable
ip nat inside source static tcp 192.168.0.2 3306 213.243.91.70 3306 extendable
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq ftp-data
access-list 110 deny   tcp any any eq 135
access-list 110 deny   tcp any any eq 137
access-list 110 deny   tcp any any eq 138
access-list 110 deny   tcp any any eq 445
access-list 110 deny   tcp any any eq 1433
access-list 110 deny   tcp any any eq 1434
access-list 110 deny   udp any any eq 135
access-list 110 deny   udp any any eq netbios-ns
access-list 110 deny   udp any any eq netbios-dgm
access-list 110 deny   udp any any eq 445 log-input
access-list 110 deny   udp any any eq 1433 log-input
access-list 110 deny   udp any any eq 1434 log-input
access-list 110 permit ip any any
access-list 123 permit tcp any any eq www
access-list 123 permit tcp any any eq ftp
access-list 123 permit tcp any any eq ftp-data
access-list 123 deny   tcp any any eq smtp
access-list 123 deny   tcp any any eq 135
access-list 123 deny   tcp any any eq 137
access-list 123 deny   tcp any any eq 138
access-list 123 deny   tcp any any eq 445
access-list 123 deny   udp any any eq 135
access-list 123 deny   udp any any eq netbios-ns
access-list 123 deny   udp any any eq netbios-dgm
access-list 123 deny   udp any any eq 445 log-input
access-list 123 permit ip any any
snmp-server community xamlo RO 11
snmp-server ifindex persist
snmp-server enable traps tty
!
!
control-plane
!
banner login ^C
                             _                         _
                            |_|                       |_|
                            | |         /^^^\         | |
                           _| |_      (| "o" |)      _| |_
                          | | | | _    (_---_)    _ | | | |_
                        | | | | |' |    _| |_    | `| | | | |
                        |          |   /     \   |          |
                         \        /  / /(. .)\ \  \        /
                           \    /  / /  | . |  \ \  \    /
                             \  \/ /    ||Y||    \ \/  /
                              \__/      || ||      \__/
                                        () ()
                                        || ||
                                       ooO Ooo
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
ntp clock-period 17178321
ntp server 195.2.64.5 version 2
ntp server 194.186.254.22 version 2
end
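Before reusing a saved config like this one it pays to lint it. Reading the config above shows a few points a reviewer would raise: access-lists 11 and 23 are referenced (by the snmp-server community, ip http access-class and line vty 5 15) but never defined; access-lists 110 and 123 are defined but no ip access-group applies them to an interface; line vty 0 4 accepts telnet and has no access-class at all; and rsh/rcp are enabled. The script below, an added example and not the post's own tooling, parses the running-config text into global commands and indented interface/line sections and reports exactly those classes of finding. It runs over a trimmed excerpt of the page's config embedded as a constructed sample; the finding wording is the example's own.

```python
"""Added example (not the post's code): a static audit of an IOS running-config.
It parses the text into global commands plus indented 'interface'/'line'
sections and reports the points a reviewer would raise about the config above:
ACLs referenced but never defined, ACLs defined but never applied, vty lines
accepting telnet or lacking an access-class, and rsh/rcp being enabled."""
import re

# Trimmed excerpt of the config on this page (same structure, fewer lines).
SAMPLE_CONFIG = """\
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-host mngr 10.20.20.20 root enable
!
interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1
 ip nat outside
!
no ip http server
ip http access-class 23
ip nat inside source list 1 pool NatPool overload
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 110 permit tcp any any eq www
access-list 110 permit ip any any
access-list 123 deny   tcp any any eq smtp
access-list 123 permit ip any any
snmp-server community xamlo RO 11
!
line con 0
 login local
line vty 0 4
 transport input telnet
line vty 5 15
 access-class 23 in
 transport input telnet
"""


def parse_config(text):
    """Return (global_lines, sections): indented lines belong to the preceding
    unindented 'interface ...' or 'line ...' header; '!' lines are comments."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and current is not None:
            sections[current].append(raw.strip())
            continue
        line = raw.strip()
        global_lines.append(line)
        current = line if line.startswith(("interface ", "line ")) else None
        if current:
            sections[current] = []
    return global_lines, sections


ACL_REFERENCES = [  # global commands that point at a numbered ACL
    (r"ip http access-class (\d+)", "ip http"),
    (r"snmp-server community \S+ R[OW] (\d+)", "snmp-server community"),
    (r"ip nat inside source list (\d+)", "ip nat inside source"),
]


def acl_usage(global_lines, sections):
    """Return (defined ACL numbers, {acl: set of places that reference it})."""
    defined = {m.group(1) for l in global_lines
               if (m := re.match(r"access-list (\d+)\s", l))}
    refs = {}
    for l in global_lines:
        for pattern, where in ACL_REFERENCES:
            if m := re.match(pattern, l):
                refs.setdefault(m.group(1), set()).add(where)
    for header, body in sections.items():
        for l in body:  # access-class on vty lines, ip access-group on interfaces
            if m := re.match(r"(?:ip )?access-(?:class|group) (\d+)", l):
                refs.setdefault(m.group(1), set()).add(header)
    return defined, refs


def audit(text):
    """Return the list of findings for the config text."""
    global_lines, sections = parse_config(text)
    defined, refs = acl_usage(global_lines, sections)
    findings = []
    for acl in sorted(refs, key=int):
        if acl not in defined:
            findings.append(f"ACL {acl} referenced by {', '.join(sorted(refs[acl]))} "
                            "but not defined")
    for acl in sorted(defined - set(refs), key=int):
        findings.append(f"ACL {acl} defined but never applied")
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        if any(l.startswith("transport input") and ("telnet" in l or " all" in l)
               for l in body):
            findings.append(f"{header}: telnet accepted (cleartext credentials)")
        if not any(l.startswith("access-class") for l in body):
            findings.append(f"{header}: no access-class restricting management sources")
    if any(l.startswith("ip rcmd") and l.endswith("-enable") for l in global_lines):
        findings.append("ip rcmd rsh/rcp enabled: cleartext, host-trust based remote exec")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Feed it the output of show running-config (or the full config above) instead of SAMPLE_CONFIG to get the same eight classes of finding on the real device; the fixes are the usual ones: define the missing access-lists, apply or drop the unused ones, put an access-class on every vty line and move transport input to ssh.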