Доброе время суток
Помогите снять NetFlow с интерфейса, на котором терминируется PPTP.
На Virtual-Template прописал следующее:
ip flow ingress
ip flow egress
ip route-cache flow
и на интерфейсе который смотрит во внешний мир:
ip route-cache flow
При этом поступает информация только о входящих пакетах, а об исходящих пакетах — нет.
вот часть конфига Циски (7200):
! Boot image as pasted: IOS 12.4(4)XD10. The X in the train marks a special/short-lived
! release, so check it is still a supported image before building on it.
boot system flash bootflash:c7200p-advipservicesk9-mz.124-4.XD10.bin
! PPTP server: inbound PPTP calls are accepted and each session is cloned from
! Virtual-Template1 (defined further down in this config).
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
! Outside (internet-facing) interface: NAT outside side, anti-spoofing ACL and uRPF inbound.
! NOTE(review): the post says `ip route-cache flow` was added to the outside interface, but
! it is not among the pasted lines for Gi0/1; the flow-cache output at the end does list
! Gi0/1 as SrcIf, so verify the actual state with `show ip flow interface`.
interface GigabitEthernet0/1
! The address here is in 84.53.173.88/29, while the default route's next hop (84.53.203.217)
! and the "Local" address in the flow-cache output (84.53.203.218) are not in that subnet.
! Either the paste was edited or another interface is omitted - do not copy addresses as-is.
ip address 84.53.173.90 255.255.255.248
ip access-group anti-spoofing in
! Legacy uRPF syntax (strict mode): packets whose source is not reachable back through this
! interface are dropped. Fine for a single default-route uplink; breaks on asymmetric paths.
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
! ACL 2020 matches only ICMP echo-reply, so this caps outgoing ping replies at 3 Mbps
! (3000000 bps, 512000-byte normal burst, 786000-byte extended burst).
rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
duplex auto
speed auto
media-type rj45
negotiation auto
no cdp enable
no mop enabled
! Physical parent of the dot1Q subinterfaces below; carries no IP address itself.
! uRPF and the echo-reply rate-limit are also set here, presumably to cover anything that
! does not land on a tagged subinterface - confirm this is intentional.
interface GigabitEthernet0/2
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
! Same ICMP echo-reply rate-limit as on the outside interface (ACL 2020).
rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
duplex auto
speed auto
media-type rj45
negotiation auto
no cdp enable
no mop enabled
!
! VLAN 2, "Radius": 192.168.2.0/24. The RADIUS server and the NetFlow collector are both
! 192.168.2.2 on this VLAN, and RADIUS / flow-export traffic is sourced from this
! subinterface (see the `ip radius source-interface` and `ip flow-export source` lines).
interface GigabitEthernet0/2.1
description Radius
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
! base-firewall only blocks the SMB/NetBIOS ports and then permits everything else.
ip access-group base-firewall in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
no snmp trap link-status
no cdp enable
!
! VLAN 3, "pptp server": 192.168.1.0/24. Virtual-Template1 is `ip unnumbered` to this
! subinterface, so PPTP sessions borrow 192.168.1.1 as their router-side address.
interface GigabitEthernet0/2.2
description pptp server
encapsulation dot1Q 3
ip address 192.168.1.1 255.255.255.0
ip access-group base-firewall in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
no snmp trap link-status
! NOTE(review): this enables a PPPoE server on the VLAN as well, while the post is only
! about PPTP. If PPPoE access is not needed here it widens the attack surface - confirm.
pppoe enable group global
no cdp enable
! Template for the Virtual-Access interfaces cloned per PPTP session (vpdn-group 1).
! Everything below is copied into each Virtual-Access interface at session setup.
interface Virtual-Template1
! Borrows the address of the "pptp server" VLAN subinterface (192.168.1.1).
ip unnumbered GigabitEthernet0/2.2
ip access-group base-firewall in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
! NetFlow accounting in both directions on each cloned session interface. `ip flow ingress`
! and the older `ip route-cache flow` below both enable inbound accounting; `ip flow egress`
! is the one that should produce the outbound records the post reports as missing.
! NOTE(review): inspect a live cloned interface with `show ip flow interface` to confirm the
! egress setting was actually inherited; the flow-cache output at the end shows only Gi0/1
! as SrcIf, so the template-side accounting is worth verifying before blaming the exporter.
ip flow ingress
ip flow egress
! Inside side of the NAT overload via GigabitEthernet0/1 (NAT_LAN_Staff source list).
ip nat inside
ip virtual-reassembly
rate-limit output access-group 2020 3000000 512000 786000 conform-action transmit exceed-action drop
! `ip route-cache policy` is set, but no `ip policy route-map` is applied in the pasted
! lines - possibly a leftover; confirm.
ip route-cache policy
ip route-cache flow
autodetect encapsulation ppp
! `mppe auto` negotiates either 40- or 128-bit MPPE and, without the `required` keyword,
! does not insist on encryption at all; `ppp encrypt mppe 128 required` would enforce the
! stronger setting. MS-CHAPv2 is a weak authentication method, so treat this PPTP service
! as low-assurance transport and keep the inbound ACL/uRPF controls in place.
ppp encrypt mppe auto
ppp authentication ms-chap-v2
!
ip classless
! Default route. The next hop 84.53.203.217 is not on the 84.53.173.88/29 subnet configured
! on Gi0/1, so the pasted addressing is inconsistent (edited or incomplete paste).
ip route 0.0.0.0 0.0.0.0 84.53.203.217
! HTTP/HTTPS management disabled - good.
no ip http server
no ip http secure-server
!
! NetFlow v5 export, sourced from the Radius VLAN address, to the collector 192.168.2.2:9996.
! v5 is plain UDP with no authentication or encryption, so it must stay on this internal
! VLAN and never be routed across untrusted links; v5 also cannot carry IPv6 or
! flow-direction fields, which matters when checking for the "missing egress" records.
ip flow-export source GigabitEthernet0/2.1
ip flow-export version 5
ip flow-export destination 192.168.2.2 9996
!
! PAT of the NAT_LAN_Staff networks (10.115.200.0/24 and 10.200.0.0/16) behind Gi0/1's address.
ip nat inside source list NAT_LAN_Staff interface GigabitEthernet0/1 overload
!
! Source networks eligible for NAT overload; the trailing deny is redundant with the
! implicit deny but makes the intent explicit.
ip access-list extended NAT_LAN_Staff
permit ip 10.115.200.0 0.0.0.255 any
permit ip 10.200.0.0 0.0.255.255 any
deny ip any any
! Inbound filter on the outside interface: drops packets with private/bogon sources, then
! the classic SMB/NetBIOS worm ports, then permits everything else. First match wins, so
! the `permit ip host 172.18.20.39 any` line deliberately whitelists that one host ahead of
! the 172.16.0.0/12 deny - make sure that exception is still wanted.
ip access-list extended anti-spoofing
deny ip 192.168.0.0 0.0.255.255 any
deny ip 0.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 240.0.0.0 7.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
permit ip host 172.18.20.39 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny udp any any eq 445
deny udp any any eq 4444
deny tcp any any eq 135
deny tcp any any eq 445
deny tcp any any eq 4444
deny tcp any any eq 139
deny udp any any eq 135
deny udp any any eq netbios-ss
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
permit ip any any
! Inbound filter for the internal VLANs and the PPTP Virtual-Template: same SMB/NetBIOS
! port blocks as anti-spoofing, without the private-source lines, then permit all.
ip access-list extended base-firewall
deny udp any any eq 445
deny udp any any eq 4444
deny tcp any any eq 135
deny tcp any any eq 445
deny tcp any any eq 4444
deny tcp any any eq 139
deny udp any any eq 135
deny udp any any eq netbios-ss
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
permit ip any any
!
! RADIUS requests are sourced from the Radius VLAN address (192.168.2.1 on Gi0/2.2's sibling).
ip radius source-interface GigabitEthernet0/2.1
logging alarm informational
! ACL 99 permits only 10.115.200.0/24; where it is applied is not in the pasted lines
! (typically a vty or SNMP access-class) - confirm it is actually in use.
access-list 99 permit 10.115.200.0 0.0.0.255
access-list 99 deny any
! ACL 2020 matches only ICMP echo-reply; referenced by the rate-limit statements on the interfaces.
access-list 2020 permit icmp any any echo-reply
no cdp run
!
radius-server configure-nas
! Same host as the NetFlow collector; ports 1812/1813 are the standard RADIUS auth/acct ports.
radius-server host 192.168.2.2 auth-port 1812 acct-port 1813
radius-server timeout 30
! Type 7 is reversible obfuscation, not encryption. A type-7 string in a public post is
! effectively a disclosed RADIUS shared secret: rotate it on both the router and the
! server, and redact keys and public addresses before posting configs.
radius-server key 7 15000A080D3F38
#show ip cache flow
Gi0/1 212.34.121.157 Local 84.53.203.218 06 0697 6A8B 3
Gi0/1 212.34.99.41 Local 84.53.203.218 06 0E2A 6A8B 3
Gi0/1 66.102.9.147 Null 10.200.0.1 06 0050 0697 9
Gi0/1 212.34.116.179 Local 84.53.203.218 06 0EBD 6A8B 3
Gi0/1 212.34.119.165 Local 84.53.203.218 06 0AA7 6A8B 3