Всем привет, имеем на одном конце VTI тунеля 2811 с aim vpn EPII plus, на другом 1841.Конфиг с 1841
Building configuration...
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname vrh.c1841
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 warnings
no logging console
no logging monitor
enable secret 5 $1$ecOd$.noqOSFisnTJ01D93Vauq.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login console local
aaa accounting send stop-record authentication failure
!
aaa session-id common
clock timezone MSK 3
clock summer-time MSK_Summer recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
no ip gratuitous-arps
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.25.3
!
ip dhcp pool dhcppoolSTAFF
import all
network 172.23.0.0 255.255.255.0
default-router 172.23.0.1
dns-server 172.16.0.11
option 176 ascii L2QVLAN=30,HTTPSRVR=172.16.0.23,HTTPDIR=/46xx/,MCIPADD=172.16.0.90
option 242 ascii L2QVLAN=30,HTTPSRVR=172.16.0.23,HTTPDIR=/46xx/,MCIPADD=172.16.0.90
!
ip dhcp pool dhcppoolVOIP
import all
network 172.23.1.0 255.255.255.0
default-router 172.23.1.1
dns-server 172.16.0.11
option 242 ascii L2QVLAN=30,HTTPSRVR=172.16.0.23,HTTPDIR=/46xx/,MCIPADD=172.16.0.90
option 176 ascii L2QVLAN=30,HTTPSRVR=172.16.0.23,HTTPDIR=/46xx/,MCIPADD=172.16.0.90
!
!
no ip bootp server
ip inspect name firewall cuseeme
ip inspect name firewall dns
ip inspect name firewall ftp
ip inspect name firewall h323
ip inspect name firewall https
ip inspect name firewall icmp
ip inspect name firewall imap
ip inspect name firewall pop3
ip inspect name firewall netshow
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall rtsp
ip inspect name firewall esmtp
ip inspect name firewall sqlnet
ip inspect name firewall streamworks
ip inspect name firewall tftp
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://128MB.sdf
ip ips signature 4620 0 disable
ip ips signature 2156 0 disable
ip ips name ips_rule
!
!
archive
path tftp://172.16.0.23/vrh.c1841/
write-memory
!
!
ip ssh version 2
!
class-map match-all voip
match access-group 150
!
!
policy-map voip_prio
class voip
priority 9000
class class-default
fair-queue
random-detect
policy-map total
class class-default
shape average 10000000
service-policy voip_prio
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key nhytne address
crypto isakmp key neytkne address
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 20 periodic
!
!
crypto ipsec transform-set fox esp-3des esp-sha-hmac
!
crypto ipsec profile foxprof
set transform-set fox
!
!
!
!
interface Tunnel2
ip address 10.1.2.126 255.255.255.252
load-interval 30
keepalive 10 3
tunnel source FastEthernet0/0
tunnel destination 8
tunnel mode ipsec ipv4
tunnel protection ipsec profile foxprof
service-policy output total
!
interface Tunnel3
ip address 10.1.1.126 255.255.255.252
ip ospf cost 20100
keepalive 10 3
tunnel source FastEthernet0/0
tunnel destination 8
tunnel mode ipsec ipv4
tunnel protection ipsec profile foxprof
service-policy output total
!
interface FastEthernet0/0
ip address 8
ip access-group 103 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
no ip address
no ip proxy-arp
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1.1
description #voip#
encapsulation dot1Q 30
ip address 172.23.1.1 255.255.255.0
no cdp enable
!
interface FastEthernet0/1.2
description #management#
encapsulation dot1Q 20
ip address 172.23.2.1 255.255.255.240
no cdp enable
!
interface FastEthernet0/1.3
description #Staff#
encapsulation dot1Q 10
ip address 172.23.0.1 255.255.255.0
ip access-group 100 in
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no cdp enable
!
router ospf 1
log-adjacency-changes
passive-interface FastEthernet0/1
passive-interface FastEthernet0/1.1
passive-interface FastEthernet0/1.2
passive-interface FastEthernet0/1.3
network 10.1.1.124 0.0.0.3 area 0
network 10.1.2.124 0.0.0.3 area 0
network 172.23.0.0 0.0.0.255 area 40
network 172.23.1.0 0.0.0.255 area 40
network 172.23.2.0 0.0.0.15 area 40
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 8
!
!
no ip http server
ip http authentication local
no ip http secure-server
!
ip access-list standard vty_in
permit 172.16.0.29
permit 172.22.1.0 0.0.0.255
permit 83.242.184.144 0.0.0.7
deny any
!
logging 172.16.0.29
snmp-server community bublik RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps envmon
snmp-server enable traps flash insertion removal
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps bgp
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps dsp card-status
snmp-server enable traps entity
snmp-server enable traps event-manager
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmobile
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps vtp
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
!
end
вот ненмого подрезал )не обращайте внимание на инспекты, и наты, они отключены.
Так вот 12 человек сосут по тунелю траф
Service-policy output: total
Class-map: class-default (match-any)
82236817 packets, 48323505192 bytes
30 second offered rate 7491000 bps, drop rate 0 bps
Match: any
Traffic Shaping
Target/Average Byte Sustain Excess Interval Increment
Rate Limit bits/int bits/int (ms) (bytes)
10000000/10000000 62500 250000 250000 25 31250
Adapt Queue Packets Bytes Packets Bytes Shaping
Active Depth Delayed Delayed Active
- 0 82193704 889838205 34673 36096166 no
Service-policy : voip_prio
Class-map: voip (match-all)
3702213 packets, 235637454 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: access-group 150
Queueing
Strict Priority
Output Queue: Conversation 264
Bandwidth 9000 (kbps) Burst 225000 (Bytes)
(pkts matched/bytes matched) 863/51534
(total drops/bytes drops) 0/0
а вот и проблема:
787655565599999999999999999999999999999999986666666655669985
828394385536597755678577946665666977997856482057514489893443
100 **##********** ***********#****
90 *##############*##*###########*#** **
80 *** *##############*#################* *#*
70 #*# * #################################* *** **##*
60 ####* ***##########################################**####*
50 ##########################################################**
40 ###########################################################*
30 ###########################################################*
20 ############################################################
10 ############################################################
0....5....1....1....2....2....3....3....4....4....5....5....6
0 5 0 5 0 5 0 5 0 5 0
CPU% per minute (last 60 minutes)
* = maximum CPU% # = average CPU%
Это нормально? При 7491000 бит/с , это я еще на 50 не разогнал )
По поводу Qos ... можно и GRE шейпить, но мне удобнее мой вариант.
2811 грузится до 60% при наличии только ЭТОГО трафа.
добавлю что sh proc cpu sorted | exc 0.0 не дает результатов