Blog statistics

51CTO expert blog
Username: 卓维乾
Articles: 5
Comments: 31
Visits: 21019
无忧币 (site coins): 32
Blog points: 571
Blog level: 2
Registered: 2007-08-14

Question
How many CPUs do Cisco switches and routers actually have, and on which modules are they located? Can this be found out with commands, and are the results trustworthy? This article takes a closer look. (Written with reference to Cisco documentation and field examples.)
Basis of the analysis
To find the multiple CPUs on a Cisco switch or router you need the CISCO-PROCESS-MIB: in its table cpmCPUTotalTable locate the object cpmCPUTotal5minRev (the CPU utilization over the last 5 minutes), use the table's CPU index cpmCPUTotalPhysicalIndex to find where that CPU sits, and finally, via that index, look up the entPhysicalName object to see which modules the CPUs are on.
The value of cpmCPUTotal5minRev depends on the IOS version, which must be confirmed first; then confirm..
Preface:
Transparent proxy: the client needs no manual proxy settings; the network automatically redirects traffic to the proxy service.
WCCP: a Cisco proprietary protocol, supported on Cisco routers, mid-to-high-end switches and some caches; other vendors support it too, and the Squid software configured in this article supports it as well. A layer-4 switch or an ordinary proxy server can also implement a transparent proxy.
The user had this requirement; at the same time, once the ASA firewall does NAT it uses a lot of memory and the performance demands are high, so a transparent proxy is recommended to increase effective bandwidth and, by being transparent, to reduce client-side configuration work.
My knowledge of Linux iptables is limited, and detailed working examples on the web are pitifully few, so the detailed configuration below was not easy to arrive at….
 
1. Network topology

 
 

2. Environment
 
2.1 Firewall version
InternetFireWall# sh ver
 
Cisco Adaptive Security Appliance Software Version 8.0(3)
Device Manager Version 6.0(3)
 
Compiled on Tue 06-Nov-07 22:59 by builders
System image file is "disk0:/asa803-k8.bin"
Config file at boot was "startup-config"
 
 
Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
2.2 Linux version
[admin@netproxy ~]$ uname -a
Linux netproxy 2.6.18-53.el5xen #1 SMP Wed Oct 10 17:06:12 EDT 2007 i686 i686 i386 GNU/Linux
[admin@netproxy ~]$
 
2.3 Squid version and build options (the system did not ship with squid; it was installed from source)
[admin@netproxy sbin]$ ./squid -v
Squid Cache: Version 2.6.STABLE19
configure options:  '--prefix=/usr/local/squid' '--enable-dlmalloc' '--with-pthreads' '--enable-poll' '--disable-internal-dns' '--enable-stacktrace' '--enable-removal-policies=heap,lru' '--enable-delay-pools' '--enable-storeio=aufs,coss,diskd,ufs'
[admin@netproxy sbin]$
3. Edits on AS5 (Linux)
 
3.1 Edit the /etc/sysctl.conf file
 
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1
 
3.2 Edit the squid.conf file
 
/usr/local/squid/etc/squid.conf
 
http_port 3128 transparent
wccp2_router 192.168.205.1
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1

# find the acl section and make sure the subnets that need Internet access are allowed
acl all src 0.0.0.0/0.0.0.0
http_access allow all
 
 
Set up the GRE interface (the references say ip_wccp can be used instead, but only one of the two may be used; AS5 ships with the GRE module, whereas ip_wccp has to be downloaded from the squid site and installed)
 
modprobe ip_gre
ifconfig gre0 127.0.0.3 up
 
iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.0.0 -d ! 192.168.0.0/255.255.0.0 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to 192.168.205.4:3128
iptables -t nat -A PREROUTING -s 172.16.0.0/255.255.0.0 -d ! 172.16.0.0/255.255.0.0 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to 192.168.205.4:3128
 
[root@netproxy usr]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1A:64:0A:B3:98 
          inet addr:192.168.205.4  Bcast:192.168.205.7  Mask:255.255.255.248
          inet6 addr: fe80::21a:64ff:fe0a:b398/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:59335758 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60489065 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1517502610 (1.4 GiB)  TX bytes:1056225077 (1007.2 MiB)

gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-DA-BF-A8-35-00-00-00-00-00-00-00-00 
          inet addr:127.0.0.3  Mask:255.0.0.0
          UP RUNNING NOARP  MTU:1476  Metric:1
          RX packets:22683975 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1214455678 (1.1 GiB)  TX bytes:0 (0.0 b)
 
3.3 Verification
[root@netproxy etc]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
DNAT       tcp  --  192.168.0.0/16        !192.168.0.0/16        tcp dpt:http to:192.168.205.4:3128
DNAT       tcp  --  172.16.0.0/16         !172.16.0.0/16         tcp dpt:http to:192.168.205.4:3128

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        
MASQUERADE  all  --  192.168.122.0/24     anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
[root@netproxy etc]#
 
4. Configuration on the ASA
4.1 Interfaces
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 61.x.x.x   255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.205.1 255.255.255.248
 
4.2 NAT
global (outside) 1 1x.x.x.66-70
nat (inside) 1 0.0.0.0 0.0.0.0
 
4.3 WCCP ACL
(Note: use an extended list that matches www only and nothing else, otherwise problems occur; UDP 8000 can also be redirected, otherwise QQ may be affected)
access-list wccpacl extended permit tcp 192.168.0.0 255.255.0.0 any eq www
access-list wccpacl extended permit tcp 172.16.0.0 255.255.0.0 any eq www
 
4.4 WCCP
wccp web-cache redirect-list wccpacl
wccp interface inside web-cache redirect in
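As an added illustration (not code from the original post), the following Python script models the two redirect stages described in sections 3.2 and 4.3-4.4: the ASA's wccpacl decides which flows entering the inside interface go down the GRE tunnel, and the proxy host's gre0 PREROUTING rules decide which of those are DNATed to squid. The flows it traces are constructed samples; the only values taken from the article are the two source ranges, port 80 and the squid address 192.168.205.4:3128. The consistency check at the end is my addition: it flags ACL entries that have no DNAT rule for the same range and port, which is the case where packets are tunnelled to the proxy host but never reach squid.

```python
"""Trace a flow through the two redirect stages: ASA WCCP redirect-list, then
the proxy host's gre0 PREROUTING DNAT rules (modelled after the article's config)."""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional, Tuple

# squid listens here (the DNAT target of the iptables rules in section 3.2)
PROXY: Tuple[str, int] = ("192.168.205.4", 3128)


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


# Stage 1: ASA access-list wccpacl (section 4.3): permit tcp <range> any eq www
WCCP_ACL = [
    ("tcp", "192.168.0.0/16", 80),
    ("tcp", "172.16.0.0/16", 80),
]

# Stage 2: iptables PREROUTING rules on gre0 (section 3.2):
# -s <range> -d ! <range> -p tcp --dport 80 -j DNAT --to 192.168.205.4:3128
DNAT_RULES = [
    ("192.168.0.0/16", 80),
    ("172.16.0.0/16", 80),
]


def asa_redirects(flow: Flow, acl=WCCP_ACL) -> bool:
    """Does 'wccp interface inside web-cache redirect in' send this flow into the GRE tunnel?
    The ACL entries use destination 'any', so only protocol, source and port are tested."""
    src = ip_address(flow.src)
    return any(flow.proto == proto and src in ip_network(net) and flow.dport == port
               for proto, net, port in acl)


def proxy_dnat(flow: Flow, rules=DNAT_RULES) -> Optional[Tuple[str, int]]:
    """Apply the gre0 PREROUTING rules; return the DNAT target, or None if no rule matches."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for net, port in rules:
        block = ip_network(net)
        # '-d ! <range>' keeps internal-to-internal HTTP away from squid
        if flow.proto == "tcp" and flow.dport == port and src in block and dst not in block:
            return PROXY
    return None


def trace(flow: Flow) -> str:
    """Name the path a flow takes through both stages."""
    if not asa_redirects(flow):
        return "asa-forwards-directly"  # ordinary NAT path on the ASA; squid never sees it
    if proxy_dnat(flow) is None:
        return "gre-but-not-dnat"       # tunnelled to the proxy host, then plain-forwarded (ip_forward = 1)
    return "dnat-to-squid"


def unmatched_acl_entries(acl=WCCP_ACL, rules=DNAT_RULES) -> List[Tuple[str, str, int]]:
    """Consistency check (added here): every ACL entry that redirects traffic needs a DNAT
    rule for the same source range and port, otherwise those packets are tunnelled but never proxied."""
    return [(proto, net, port) for proto, net, port in acl
            if not any(ip_network(net) == ip_network(rnet) and port == rport for rnet, rport in rules)]


if __name__ == "__main__":
    # constructed sample flows, not traffic captured from the original setup
    samples = [
        Flow("192.168.10.5", "8.8.8.8", "tcp", 80),      # internal -> Internet HTTP: proxied
        Flow("192.168.10.5", "8.8.8.8", "tcp", 443),     # HTTPS: ACL matches www only, untouched
        Flow("192.168.1.5", "192.168.50.7", "tcp", 80),  # internal -> internal HTTP: tunnelled, not DNATed
        Flow("10.0.0.5", "8.8.8.8", "tcp", 80),          # 10/8 is not in wccpacl, untouched
        Flow("192.168.10.5", "8.8.8.8", "udp", 8000),    # UDP 8000 (from the note): not in the list
    ]
    for f in samples:
        print(f"{f.src:>14} -> {f.dst:<14} {f.proto}/{f.dport:<5} {trace(f)}")
    print("ACL entries without a DNAT counterpart:", unmatched_acl_entries())
```

The third sample is the one worth remembering: the ASA list has destination "any", so internal-to-internal HTTP that passes the inside interface is still redirected into the tunnel, and only the `-d !` test on the proxy host keeps it out of squid. If the two stages drift apart (for example a new range added to wccpacl but not to iptables), `unmatched_acl_entries` reports the entry.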
 
5. Verification
 
InternetFireWall#   sh wccp web-cache view
 
    WCCP Routers Informed of:
        61.x.x.x
 
    WCCP Cache Engines Visible:
        192.168.205.4
 
    WCCP Cache Engines NOT Visible:
        -none-
InternetFireWall#   sh wccp web-cache service
 
WCCP service information definition:
        Type:          Standard
        Id:            0
        Priority:      240
        Protocol:      6
        Options:       0x00000512
        --------
            Hash:      DstIP
            Alt Hash:  SrcIP SrcPort
            Ports:     Destination:: 80 0 0 0 0 0 0 0
InternetFireWall#   sh wccp web-cache detail
 
WCCP Cache-Engine information:
        Web Cache ID:          192.168.205.4
        Protocol Version:      2.0
        State:                 Usable
        Initial Hash Info:     00000000000000000000000000000000
                               00000000000000000000000000000000
        Assigned Hash Info:    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                               FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment:        256 (100.00%)
        Packets Redirected:    363329
        Connect Time:          00:20:30
InternetFireWall# sh mem
Free memory:       207303064 bytes (39%)
Used memory:       329567848 bytes (61%)
-------------     ----------------
Total memory:      536870912 bytes (100%)
InternetFireWall# sh wccp
 
Global WCCP information:
    Router information:
        Router Identifier:                   61.x.x.x  (the firewall's outside interface address serves as the router identifier)
        Protocol Version:                    2.0
 
    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            679038
        Redirect access-list:                wccpacl
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            58
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
InternetFireWall# sh wccp interfaces detail
 
WCCP interface configuration details:
    GigabitEthernet0/1
        Output services: 0
        Input services:  1
        Static:          Web-cache
        Dynamic:         None
        Mcast services:  0
        Exclude In:      FALSE
InternetFireWall# sh wccp web-cache view
 
    WCCP Routers Informed of:
        61.x.x.x
 
    WCCP Cache Engines Visible:
        192.168.205.4
 
    WCCP Cache Engines NOT Visible:
        -none-
InternetFireWall# sh wccp web-cache detail
 
WCCP Cache-Engine information:
        Web Cache ID:          192.168.205.4
        Protocol Version:      2.0
        State:                 Usable
        Initial Hash Info:     00000000000000000000000000000000
                               00000000000000000000000000000000
        Assigned Hash Info:    FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                               FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment:        256 (100.00%)
        Packets Redirected:    701985
        Connect Time:          00:26:41
InternetFireWall# sh wccp web-cache b
 
WCCP hash bucket assignments:
 
        Index  Cache Engine:
          00   192.168.205.4
          FF   NOT ASSIGNED
 
        XX|  0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
        --|-------------------------------------------------
        00| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        10| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        20| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        30| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        40| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        50| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        60| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        70| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        80| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        90| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        A0| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        B0| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        C0| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        D0| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        E0| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
        F0| 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

 
Afterword:
 
I originally wanted to do this on a Cisco 4500 series switch with a Supervisor IV engine, but that switch only supports L2 redirect, not GRE; after many attempts it never worked.
 
Testing on the switch continues; hopefully I will get it working some day….
 
NetFlow configuration on the 6500 and 7209 differs between switches and routers. While developing our company's NetFlow application we found that field engineers had basically never configured it correctly, so no flow data came out. The configuration is listed below; CatOS configuration can also use it as a reference.
 
 
1. First check whether NetFlow has actually been enabled:
 
Switch# show mls nde
 
Usually what you see is "Netflow Data Export disabled", which means NetFlow has not been started at all.
See Cisco's "Configuring NetFlow Data Export" PDF document: the default is Disabled.
 

2. Enable NetFlow
 
Switch..



SQL Server replication test
1.     Test environment:
Operating system: Windows Server 2003 SP1, two machines, standalone systems, not in the same trust domain (if they were in the same trust domain, permission handling would be simpler).
Database: SQL Server 2000 SP4 Enterprise Edition
2.     Preparation:
1. Install two servers with Windows 2003 Server and SQL Server 2000 Enterprise Edition.
2. On both Windows 2003 servers add a Windows user SqlCopy with the same password, a member of the administrators group.
3. In the hosts file of each server add the two records for each other (see "possible causes of failure"..

[Quidway]disp cur
#
 sysname Quidway
#
 local-user test password simple test
#
 ip pool 1 10.127.254.2 10.127.254.5
#
 aaa enable
 aaa accounting-scheme optional
 aaa authentication-scheme local-first
#
 dialer-rule 1 ip permit
#
interface Aux0
 baudrate 19200
 async mode protocol
 link-protocol ppp
 dialer enable-circular
 dialer circular-group 0
#
interface Dialer0
 link-protocol ppp
 ppp authentication-mode pap
 i..