
Archived articles in the ‘Cisco Systems’ category


Link to the news item: http://uinc.ru/news/sn22174.html

Attempts to solve the shortage of IPv4 addresses have confronted the global Internet with a new significant problem: overflow of the global BGP routing table. At present the global BGP routing table on some systems has passed the 512 thousand entry mark, which has begun to cause various local connectivity problems. The problem is expected to peak next week, when most providers will run into the overflow. The essence of the problem is that, in the course of optimizing the IPv4 address space, providers have been allocated small subnets, which has increased the size of the global BGP routing table. At the same time, in many outdated but still in-service routers from Cisco and some other vendors, the global IPv4 BGP routing table is limited by default to 512K entries, a limit dictated by the size of the TCAM memory in which the routing table is stored. For example, the Cisco 7600 series, Cisco ASR 9000 with Trident cards, Cisco ASR 1000 with 4GB RAM and Cisco Catalyst 6500 are affected. Depending on the router in use, table overflow can have different effects, from a router crash to routes dropping out and other connectivity problems. Those mainly affected are carriers forced to run outdated equipment. Large providers have already moved to modern router models that are free of the limitations mentioned. The problem will not affect the stability of the global routing system either; it will be limited to local connectivity problems at operators using outdated routers. The problem has already caused downtime at companies such as eBay, Comcast, Time-Warner, LastPass and Liquid Web.
Because the TCAM memory is split between the IPv4 and IPv6 tables, one solution is to allocate additional memory to the IPv4 table at the expense of the IPv6 table, but this manipulation («mls cef maximum-routes ip 1000») requires a router reload. At present the IPv6 table holds fewer than 20 thousand entries.


Continuing the articles on configuring the Cisco AS5350 (AS5350 as a VoIP gateway, and Cisco AS5350 and RADIUS), we describe a solution for limiting the duration of calls passing through the Cisco AS5350.

After finding yet another hung call (this no longer happens often, but it still does), it was decided to try introducing a limit on maximum call duration. This functionality is available starting from Cisco IOS Release 12.4(4)T.

Enable the feature by entering the following commands in global configuration mode:

application
package callfeature

Limit the maximum call duration to 60 minutes:
param long-dur-duration 60

When the maximum call duration is reached, disconnect the call:

param long-dur-action disconnect

Besides disconnecting, two other actions are available: ignore and syslog.

Enable call duration monitoring:
param long-dur-call-mon enable

The disconnect cause code is «preemption» (it is passed to RADIUS, which may be useful for later selecting the terminated calls):
param long-dur-disc-cause 8

The terminated call is recorded in the logs:

show logging
Mar 23 2011 17:49:43.372 MSK: %SIP-6-LONG_DUR_CALL_DETECTED: Long Duration Call is detected on call with CallId 1011872, GUID 76CC44C1-549311E03/23/2011 17:49:43, Calling number 8499678xxxx, Called Number 89104xxxxxx, at 03/23/2011 17:49:43.372, Duration: 60 min, RTP Media:Active; Control:Inactive.

Mar 23 2011 17:49:43.372 MSK: %VTSP-6-LONG_DUR_CALL_DETECTED: Long Duration Call is detected for call with CallId 1011873, GUID 76CC44C1-549311E0-9E4EECE1-281A6C12, CIC 3/1.31, Calling number 8499678xxxx, CalledNumber 89104xxxxxx, at 03/23/2011 17:49:43.372, Duration: 60 min, RTP media status = N/A

Thanks to Sergey Babichev (aka zaikini) for pointing me to the equipment vendor's documentation on this topic.

P.S. On IOS 12.4(15)T11 (other versions were not checked, as they were not available) the following was discovered:

with the global call-duration limits configured and custom settings given in a dial-peer, for example:

dial-peer voice 46 voip
paramspace callfeature long-dur-duration 1
paramspace callfeature long-dur-action disconnect
paramspace callfeature long-dur-call-mon enable

we get the following:

  1. the duration set in the dial-peer limits calls that do not match this dial-peer (but not all of them; I could not find a pattern).
  2. for a call that matches this dial-peer, the duration is limited only if it is a call to the PSTN originating FROM SIP; if the call goes from the PSTN INTO SIP, the limit does not apply.
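As an added illustration (not part of the original article), here is a small Python parser for the %SIP-6-/%VTSP-6-LONG_DUR_CALL_DETECTED syslog lines shown above; it is the kind of check a NOC would run when long-dur-action is set to syslog rather than disconnect. The sample log lines are constructed after the article's format (the GUID of the SIP line is made up), and the Q.850 table is limited to a few codes from this post.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample syslog output modelled on the article's show logging excerpt;
# call ids, GUIDs and numbers are placeholders, and the third line is unrelated noise.
SAMPLE_LOG = """\
Mar 23 2011 17:49:43.372 MSK: %SIP-6-LONG_DUR_CALL_DETECTED: Long Duration Call is detected on call with CallId 1011872, GUID 76CC44C1-549311E0-9E4EECE1-281A6C12, Calling number 8499678xxxx, Called Number 89104xxxxxx, at 03/23/2011 17:49:43.372, Duration: 60 min, RTP Media:Active; Control:Inactive.
Mar 23 2011 17:49:43.372 MSK: %VTSP-6-LONG_DUR_CALL_DETECTED: Long Duration Call is detected for call with CallId 1011873, GUID 76CC44C1-549311E0-9E4EECE1-281A6C12, CIC 3/1.31, Calling number 8499678xxxx, CalledNumber 89104xxxxxx, at 03/23/2011 17:49:43.372, Duration: 60 min, RTP media status = N/A
Mar 23 2011 17:50:01.100 MSK: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# One regex covers both the SIP and the VTSP variant of the message: they differ in
# "Called Number" vs "CalledNumber" and in how the RTP media state is written.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>\w+): "
    r"%(?P<subsys>SIP|VTSP)-6-LONG_DUR_CALL_DETECTED: .*?"
    r"CallId (?P<call_id>\d+), .*?"
    r"Calling number (?P<calling>[^,]+), Called ?Number (?P<called>[^,]+), .*?"
    r"Duration: (?P<duration>\d+) min, RTP [Mm]edia(?::|\s+status =)\s*(?P<rtp>[\w/]+)"
)


@dataclass
class LongCallEvent:
    timestamp: str
    subsystem: str      # "SIP" (IP leg) or "VTSP" (TDM/PSTN leg)
    call_id: str
    calling: str
    called: str
    duration_min: int
    rtp_media: str      # "Active", "Inactive" or "N/A"


def parse_long_duration_events(log_text: str) -> list[LongCallEvent]:
    """Extract every LONG_DUR_CALL_DETECTED message; other syslog lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(LongCallEvent(m["ts"], m["subsys"], m["call_id"],
                                        m["calling"].strip(), m["called"].strip(),
                                        int(m["duration"]), m["rtp"]))
    return events


def calls_over_limit(events: list[LongCallEvent], limit_min: int) -> list[LongCallEvent]:
    """Events at or past the configured long-dur-duration; with long-dur-action syslog
    these are the calls an operator would review (or clear by hand)."""
    return [e for e in events if e.duration_min >= limit_min]


def legs_by_caller(events: list[LongCallEvent]) -> dict[str, int]:
    """Count detections per calling number: a repeat offender points at a broken endpoint."""
    counts: dict[str, int] = {}
    for e in events:
        counts[e.calling] = counts.get(e.calling, 0) + 1
    return counts


# A few ITU-T Q.850 causes from the list in this post (decimal, as the list gives them).
Q850_CAUSES = {8: "preemption", 16: "normal call clearing", 17: "user busy",
               18: "no user responding", 34: "no circuit/channel available"}


def decode_radius_cause(hex_value: str) -> tuple[int, str]:
    """RADIUS and Cisco debug output carry the cause in hex: "10" is cause 16, not 10."""
    code = int(hex_value, 16)
    return code, Q850_CAUSES.get(code, "unknown")
```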

P.P.S. Since the bookmarked links to the call termination codes per ITU-T Recommendation Q.850 periodically go stale, I decided to «immortalize» them in our blog (be careful: the codes are given in decimal, while in RADIUS and Cisco debug output they appear in hexadecimal):

ISDN Cause Codes (Source)

Cause No. 0
This is usually given by the router when none of the other codes apply. This cause usually occurs in the same type of situations as cause 1, cause 88, and cause 100.

Cause No. 1 — Unallocated (unassigned) number.
This cause indicates that the destination requested by the calling user cannot be reached because, although the number is in a valid format, it is not currently assigned (allocated).
What it usually means:
The SPIDS may be incorrectly entered in the router or the Telco switch, giving a SPID failure in the router logs.
The ISDN phone number being dialed by the router is invalid and the telco switch cannot locate the number to complete the call, as it is invalid.
On long distance calls, the call cannot be properly routed to its destination.

Cause No. 2 — No route to specified transit network (national use).
This cause indicates that the equipment sending this cause has received a request to route the call through a particular transit network which it does not recognize. The equipment sending this cause does not recognize the transit network either because the transit network does not exist or because that particular transit network does not serve the equipment which is sending this cause.

Cause No. 3 — No route to destination.
This cause indicates that the called party cannot be reached because the network through which the call has been routed does not serve the destination desired. This cause is supported on a network dependent basis.

Cause No. 4 — send special information tone.
This cause indicates that the called party cannot be reached for reasons that are of a long term nature and that the special information tone should be returned to the calling party.

Cause No. 5 — misdialed trunk prefix (national use).
This cause indicates the erroneous inclusion of a trunk prefix in the called party number. This number is to be stripped from the dialed number being sent to the network by the customer premises equipment.

Cause No. 6 — channel unacceptable.
This cause indicates that the channel most recently identified is not acceptable to the sending entity for use in this call.

Cause No. 7 — call awarded, being delivered in an established channel.
This cause indicates that the user has been awarded the incoming call and that the incoming call is being connected to a channel already established to that user for similar calls (e.g. packet-mode x.25 virtual calls).

Cause No. 8 — preemption.
This cause indicates the call is being preempted.

Cause No. 9 — preemption — circuit reserved for reuse.
This cause indicates that the call is being preempted and the circuit is reserved for reuse by the preempting exchange.

Cause No. 16 — normal call clearing.
This cause indicates that the call is being cleared because one of the users involved in the call has requested that the call be cleared.
What it means:
This could be almost anything; it is the vaguest of the cause codes. The call comes down normally, but the reasons for it could be:
— Bad username or password
— Router’s settings do not match what is expected by the remote end.
— Telephone line problems.
— Hung session on remote end.

Cause No. 17 — user busy.
This cause is used to indicate that the called party is unable to accept another call because the user busy condition has been encountered. This cause value may be generated by the called user or by the network. In the case of user determined user busy it is noted that the user equipment is compatible with the call.
What it means:
Calling end is busy.

Cause No. 18 — no user responding.
This cause is used when a called party does not respond to a call establishment message with either an alerting or connect indication within the prescribed period of time allocated.
What it means:
The equipment on the other end does not answer the call. Usually this is a misconfiguration on the equipment being called.

Cause No. 19 — no answer from user (user alerted).
This cause is used when the called party has been alerted but does not respond with a connect indication within a prescribed period of time. Note — This cause is not necessarily generated by Q.931 procedures but may be generated by internal network timers.

Cause No. 20 — subscriber absent.
This cause value is used when a mobile station has logged off. Radio contact is not obtained with a mobile station or if a personal telecommunication user is temporarily not addressable at any user-network interface.

Cause No. 21 — call rejected.
This cause indicates that the equipment sending this cause does not wish to accept this call, although it could have accepted the call because the equipment sending this cause is neither busy nor incompatible. This cause may also be generated by the network, indicating that the call was cleared due to a supplementary service constraint. The diagnostic field may contain additional information about the supplementary service and reason for rejection.
What it means:
This is usually a telco issue. The call never reaches the final destination, which can be caused by a bad switch translation, or a misconfiguration on the equipment being called.

Cause No. 22 — number changed.
This cause is returned to a calling party when the called party number indicated by the calling party is no longer assigned. The new called party number may optionally be included in the diagnostic field. If a network does not support this cause, cause no. 1, unallocated (unassigned) number shall be used.

Cause No. 26 — non-selected user clearing.
This cause indicates that the user has not been awarded the incoming call.

Cause No. 27 — destination out of order.
This cause indicates that the destination indicated by the user cannot be reached because the interface to the destination is not functioning correctly. The term «not functioning correctly» indicates that a signal message was unable to be delivered to the remote party; e.g., a physical layer or data link layer failure at the remote party or user equipment off-line.

Cause No. 28 — invalid number format (address incomplete).
This cause indicates that the called party cannot be reached because the called party number is not in a valid format or is not complete.

Cause No. 29 — facilities rejected.
This cause is returned when a supplementary service requested by the user cannot be provided by the network.

Cause No. 30 — response to STATUS INQUIRY.
This cause is included in the STATUS message when the reason for generating the STATUS message was the prior receipt of a STATUS INQUIRY.

Cause No. 31 — normal, unspecified.
This cause is used to report a normal event only when no other cause in the normal class applies.

Cause No. 34 — no circuit/channel available.
This cause indicates that there is no appropriate circuit/channel presently available to handle the call.
What it means:
There is no place on the Public Telephone network to place the call; the call never gets to its destination. This is usually a temporary problem.

Cause No. 35 — Call Queued.

Cause No. 38 — network out of order.
This cause indicates that the network is not functioning correctly and that the condition is likely to last a relatively long period of time e.g., immediately re-attempting the call is not likely to be successful.

Cause No. 39 — permanent frame mode connection out-of-service.
This cause is included in a STATUS message to indicate that a permanently established frame mode connection is out-of-service (e.g. due to equipment or section failure)

Cause No. 40 — permanent frame mode connection operational.
This cause is included in a STATUS message to indicate that a permanently established frame mode connection is operational and capable of carrying user information.

Cause No. 41 — temporary failure.
This cause indicates that the network is not functioning correctly and that the condition is not likely to last a long period of time; e.g., the user may wish to try another call attempt almost immediately.
What it means:
This means that there is a temporary failure at the physical layer on the ISDN network. If you remove the ISDN cable from the Netopia, you would see this. It’s usually temporary.

Cause No. 42 — switching equipment congestion.
This cause indicates that the switching equipment generating this cause is experiencing a period of high traffic.
What it means:
Just too much going on at this point on the ISDN network to get the call through to its destination.

Cause No. 43 — access information discarded.
This cause indicates that the network could not deliver access information to the remote user as requested, i.e., user-to-user information, low layer compatibility, high layer compatibility or sub-address as indicated in the diagnostic. It is noted that the particular type of access information discarded is optionally included in the diagnostic.

Cause No. 44 — requested circuit/channel not available.
This cause is returned when the circuit or channel indicated by the requesting entity cannot be provided by the other side of the interface.

Cause No. 46 — precedence call blocked.
This cause indicates that there are no preemptable circuits or that the called user is busy with a call of equal or higher preemptable level.

Cause No. 47 — resource unavailable, unspecified.
This cause is used to report a resource unavailable event only when no other cause in the resource unavailable class applies.

Cause No. 49 — Quality of Service not available.
This cause is used to report that the requested Quality of Service, as defined in Recommendation X.213, cannot be provided (e.g., throughput or transit delay cannot be supported).

Cause No. 50 — requested facility not subscribed.
This cause indicates that the user has requested a supplementary service which is implemented by the equipment which generated this cause but the user is not authorized to use.
What it means:
The switch looks at the number being dialed and thinks it is for another service rather than ISDN. If the phone number is put in the correct format, the call should be placed properly. There are no standards for this, all Telcos have their own system for programming the number formats that the switches will recognize. Some systems want to see 7 digits, some 10, and others 11.

Cause No. 52 — outgoing calls barred.

Cause No. 53 — outgoing calls barred within CUG.
This cause indicates that although the calling party is a member of the CUG for the outgoing CUG call, outgoing calls are not allowed for this member of the CUG.

Cause No. 54 — incoming calls barred

Cause No. 55 — incoming calls barred within CUG.
This cause indicates that although the calling party is a member of the CUG for the incoming CUG call, incoming calls are not allowed for this member of the CUG.

Cause No. 57 — bearer capability not authorized.
This cause indicates that the user has requested a bearer capability which is implemented by the equipment which generated this cause but the user is not authorized to use.

Cause No. 58 — bearer capability not presently available.
This cause indicates that the user has requested a bearer capability which is implemented by the equipment which generated this cause but which is not available at this time.

Cause No. 62 — inconsistency in outgoing information element.
This cause indicates an inconsistency in the designated outgoing access information and subscriber class.

Cause No. 63 — service or option not available, unspecified.
This cause is used to report a service or option not available event only when no other cause in the service or option not available class applies.

Cause No. 65 — bearer capability not implemented.
This cause indicates that the equipment sending this cause does not support the bearer capability requested.
What it means:
In most cases, the number being called is not an ISDN number but an analog destination.
The equipment is dialing at a faster rate than the circuitry allows, for example, dialing at 64K when only 56K is supported.

Cause No. 66 — channel type not implemented.
This cause indicates that the equipment sending this cause does not support the channel type requested.

Cause No. 69 — requested facility not implemented.
This cause indicates that the equipment sending this cause does not support the requested supplementary services.

Cause No. 70 — only restricted digital information bearer capability is available.
This cause indicates that the calling party has requested an unrestricted bearer service but the equipment sending this cause only supports the restricted version of the requested bearer capability.

Cause No. 79 — service or option not implemented unspecified.
This cause is used to report a service or option not implemented event only when no other cause in the service or option not implemented class applies.

Cause No. 81 — invalid call reference value.
This cause indicates that the equipment sending this cause has received a message with a call reference which is not currently in use on the user-network interface.

Cause No. 82 — identified channel does not exist.
This cause indicates that the equipment sending this cause has received a request to use a channel not activated on the interface for a call. For example, if a user has subscribed to those channels on a primary rate interface numbered from 1 to 12 and the user equipment or the network attempts to use channels 13 through 23, this cause is generated.

Cause No. 83 — a suspended call exists, but this call identity does not.
This cause indicates that a call resume has been attempted with a call identity which differs from that in use for any presently suspended call(s).

Cause No. 84 — call identity in use.
This cause indicates that the network has received a call suspended request containing a call identity (including the null call identity) which is already in use for a suspended call within the domain of interfaces over which the call might be resumed.

Cause No. 85 — no call suspended.
This cause indicates that the network has received a call resume request containing a call identity information element which presently does not indicate any suspended call within the domain of interfaces over which calls may be resumed.

Cause No. 86 — call having the requested call identity has been cleared.
This cause indicates that the network has received a call resume request containing a call identity information element indicating a suspended call that has in the meantime been cleared while suspended (either by network time-out or by the remote user).

Cause No. 87 — user not a member of CUG.
This cause indicates that the called user for the incoming CUG call is not a member of the specified CUG or that the calling user is an ordinary subscriber calling a CUG subscriber.

Cause No. 88 — incompatible destination.
This cause indicates that the equipment sending this cause has received a request to establish a call which has low layer compatibility, high layer compatibility or other compatibility attributes (e.g., data rate) which cannot be accommodated.
What it means:
This usually means that the Number To Dial in the Connection Profile is in the wrong format. You may need to dial a 10 or 11 digit number, or dial a 9 in front of the number if it is a Centrex line.
This problem may also give a Cause 111.
Dialing at the wrong line speed can also give this Cause.

Cause No. 90 — non-existent CUG.
This cause indicates that the specified CUG does not exist.

Cause No. 91 — invalid transit network selection (national use).
This cause indicates that a transit network identification was received which is of an incorrect format as defined in Annex C/Q.931

Cause No. 95 — invalid message, unspecified.
This cause is used to report an invalid message event only when no other cause in the invalid message class applies.

Cause No. 96 — mandatory information element is missing.
This cause indicates that the equipment sending this cause has received a message which is missing an information element which must be present in the message before that message can be processed.
What it means:
This is rarely seen in North America but usually means that the number that is being dialed is in the wrong format, (similar to cause 88). Some part of the format being used is not understood by either the remote side equipment or the switching equipment between the source and destination of the call.

Cause No. 97 — message type non-existent or not implemented.
This cause indicates that the equipment sending this cause has received a message with a message type it does not recognize either because this is a message not defined or defined but not implemented by the equipment sending this cause.

Cause No. 98 — message not compatible with call state or message type non-existent.
This cause indicates that the equipment sending this cause has received a message such that the procedures do not indicate that this is a permissible message to receive while in the call state, or a STATUS message was received indicating an incompatible call state.

Cause No. 99 — Information element / parameter non-existent or not implemented.
This cause indicates that the equipment sending this cause has received a message which includes information element(s)/parameter(s) not recognized because the information element(s)/parameter name(s) are not defined or are defined but not implemented by the equipment sending the cause. This cause indicates that the information element(s)/parameter(s) were discarded. However, the information element is not required to be present in the message in order for the equipment sending the cause to process the message.

Cause No. 100 — Invalid information element contents.
This cause indicates that the equipment sending this cause has received an information element which it has implemented; however, one or more of the fields in the information element are coded in such a way which has not been implemented by the equipment sending this cause.
What it means:
Like cause 1 and cause 88, this usually indicates that the ISDN number being dialed is in a format that is not understood by the equipment processing the call. SPIDs will sometimes fail to initialize with a Cause 100, or a call will fail with this cause.

Cause No. 101 — message not compatible with call state.
This cause indicates that a message has been received which is incompatible with the call state.

Cause No. 102 — recovery on timer expiry.
This cause indicates that a procedure has been initiated by the expiration of a timer in association with error handling procedures.
What it means:
This is seen in situations where ACO (Alternate Call Offering) is being used. With this type of call pre-emption, the Telco switch operates a timer. For example, when an analog call is placed to a Netopia router that has two B Data Channels in place, the router relinquishes the second channel, but if it doesn’t happen in the time allotted by the switch programming, the call will not ring through and will be discarded by the switch.

Cause No. 103 — parameter non-existent or not implemented — passed on (national use).
This cause indicates that the equipment sending this cause has received a message which includes parameters not recognized because the parameters are not defined or are defined but not implemented by the equipment sending this cause. The cause indicates that the parameter(s) were ignored. In addition, if the equipment sending this cause is an intermediate point, then this cause indicates that the parameter(s) were passed unchanged.

Cause No. 110 — message with unrecognized parameter discarded.
This cause indicates that the equipment sending this cause has discarded a received message which includes a parameter that is not recognized.

Cause No. 111 — protocol error, unspecified.
This cause is used to report a protocol error event only when no other cause in the protocol error class applies.

Cause No. 127 — Interworking, unspecified.
This cause indicates that an interworking call (usually a call to SW56 service) has ended.

Notes about Cause Codes over 128
Cause code values of 128 and higher aren’t sent over the network. A terminal displaying a value 128 or higher and claiming it is a cause code arguably has a bug or is implementing some proprietary diagnostic code (not necessarily bad). Some documentation has cause codes listed with numbers higher than 128, but at this time they are proprietary in nature.
The PRI equipment vendors are the most likely to use these codes as they have been using proprietary messages in the facilities data link for some time now (there is an as yet undefined area in the FDL which is big enough to carry small datagrams or messages). It is typically used to pass proprietary control or maintenance messages between multiplexers.

When copying this article, a link to the source is MANDATORY! Please respect other people's work.

Author: Alexey Panfilov (lehis (at) subnets.ru)


Topology

The border router is a c7206-npe-g1; on it I take two full views (full BGP tables), from ISP1 and ISP2.
One of the customers, with its own AS, sends its announcements through me to both uplinks…
The uplink channels have different bandwidths:

  • ISP1: 200 Mbit/s
  • ISP2: 155 Mbit/s

Task description

The customer signed a contract with the following terms:

  • when both uplinks are operating normally, the customer works only through ISP1
  • when ISP1 goes down, the customer works through ISP2

And so that the customer does not eat bandwidth on ISP2, I decided not to announce it there until ISP1 goes down…

Solution

router bgp OurAS
~skip~
neighbor Peering_IP_Customer remote-as CustomerAS
neighbor Peering_IP_Customer update-source GigabitEthernet0/3
neighbor Peering_IP_Customer fall-over
neighbor Peering_IP_ISP2 remote-as ISP2AS
neighbor Peering_IP_ISP2 update-source POS1/0
neighbor Peering_IP_ISP1 remote-as ISP1AS
neighbor Peering_IP_ISP1 update-source GigabitEthernet0/2
neighbor Peering_IP_ISP1 fall-over
!
address-family ipv4
~skip~

describe the peering with the customer

neighbor Peering_IP_Customer activate
neighbor Peering_IP_Customer default-originate
neighbor Peering_IP_Customer prefix-list Customer_in in
neighbor Peering_IP_Customer prefix-list Customer_out out

describe the peering with ISP2, using Advertise Condition, i.e. as long as there is a route to the network 217.150.32.0/19 received via ISP1, the customer's network is not announced

neighbor Peering_IP_ISP2 activate
neighbor Peering_IP_ISP2 advertise-map Cus2ISP2 non-exist-map NON-EXIST

while in any case announcing our own networks

neighbor Peering_IP_ISP2 route-map ISP2-in in
neighbor Peering_IP_ISP2 route-map ISP2-out out

describe the peering with ISP1

neighbor Peering_IP_ISP1 activate
neighbor Peering_IP_ISP1 route-map ISP1-in in
neighbor Peering_IP_ISP1 route-map ISP1-out out
~skip~
exit-address-family
!

now the route-maps themselves
we let out only our networks + the customer, and cut anything unwanted that, God forbid, might slip out

!
route-map ISP1-out deny 5
match ip address prefix-list lan
!
route-map ISP1-out permit 10
match ip address prefix-list ourAS.all
!
route-map ISP1-out permit 20
match ip address prefix-list CustomerAS
!

the same for the second upstream

route-map ISP2-out deny 5
match ip address prefix-list lan
!
route-map ISP2-out permit 10
match ip address prefix-list ourAS.all CustomerAS
!

route-map for determining whether the network we are interested in is announced via the first upstream

route-map NON-EXIST permit 10
match ip address prefix-list ISP1-in-net
match as-path 1
!

the route-map for the customer announcement itself

route-map Cus2ISP2 deny 5
match ip address prefix-list lan
!
route-map Cus2ISP2 permit 10
match ip address prefix-list CustomerAS
!

prefix lists

ip prefix-list ourAS.all seq 5 permit our_net1/21 le 24
ip prefix-list ourAS.all seq 10 permit our_net2/21 le 24
!
ip prefix-list CustomerAS seq 5 permit customer_net/22
!

the network we monitor

ip prefix-list ISP1-in-net seq 5 permit 217.150.32.0/19
!

since this router also runs additional dynamic routing daemons (EIGRP + OSPF), in case of a mistake these networks will NOT be announced to our upstreams or to the customer

ip prefix-list lan seq 5 permit 0.0.0.0/0
ip prefix-list lan seq 10 permit 10.0.0.0/8 le 32
ip prefix-list lan seq 15 permit 172.16.0.0/12 le 32
ip prefix-list lan seq 20 permit 192.168.0.0/16 le 32
!

as-path list to filter on the ISP1 autonomous system number

ip as-path access-list 1 permit ^AS_ISP1_NUM$
!

Result

With this configuration we get:

  1. our networks are announced through both upstreams
  2. the customer is announced
    • while ISP1 is operating normally, only through it
    • when ISP1 goes down, the announcement goes through ISP2

You may have noticed that on ISP2 the route-map ISP2-out is configured for the outbound announcements, and this route-map also includes the customer's subnet.
But it will not be announced until the condition advertise-map Cus2ISP2 non-exist-map NON-EXIST is met, which is exactly what we needed.
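An added Python model (not the article's configuration or Cisco's code) of the conditional advertisement above: it evaluates the prefix-lists and route-maps exactly as written and applies the advertise-map/non-exist-map rule, with constructed placeholder ASNs and prefixes (65001 for ISP1, 65002 for ISP2, 65010 for the customer, 100.100.0.0/21 and 100.100.8.0/21 for our networks, 100.100.16.0/22 for the customer's); the tracked prefix 217.150.32.0/19 is the one from the article. It also shows why the as-path match in NON-EXIST matters: ISP2 normally carries the same prefix with a longer AS path, and that copy must not count as "ISP1 is up".

```python
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: str        # e.g. "217.150.32.0/19"
    as_path: str       # ASNs as printed by "show ip bgp"; "" for our own originated networks
    learned_from: str  # neighbour name, or "local"


@dataclass
class PrefixEntry:
    action: str             # "permit" or "deny"
    prefix: str
    le: int | None = None   # "le N" also matches more-specific routes up to /N


@dataclass
class Clause:               # one "route-map X permit/deny SEQ" block
    action: str
    prefix_lists: list[str] = field(default_factory=list)  # match ip address prefix-list A B ...
    as_path_regex: str | None = None                       # match as-path N (the list's regex)


def prefix_list_permits(entries: list[PrefixEntry], route: Route) -> bool:
    net = ipaddress.ip_network(route.prefix)
    for e in entries:
        listed = ipaddress.ip_network(e.prefix)
        longest = e.le if e.le is not None else listed.prefixlen  # no le/ge: exact length only
        if net.subnet_of(listed) and listed.prefixlen <= net.prefixlen <= longest:
            return e.action == "permit"
    return False  # implicit deny at the end of every prefix-list


def route_map_permits(clauses: list[Clause], prefix_lists: dict, route: Route) -> bool:
    for c in clauses:
        if c.prefix_lists and not any(prefix_list_permits(prefix_lists[n], route) for n in c.prefix_lists):
            continue
        if c.as_path_regex and not re.search(c.as_path_regex, route.as_path):
            continue
        return c.action == "permit"  # the first matching clause decides
    return False  # implicit deny


# Constructed stand-ins for the placeholders in the article (our_net1, customer_net, AS_ISP1_NUM ...).
ISP1_AS, ISP2_AS, CUSTOMER_AS = "65001", "65002", "65010"
PREFIX_LISTS = {
    "ourAS.all":   [PrefixEntry("permit", "100.100.0.0/21", le=24), PrefixEntry("permit", "100.100.8.0/21", le=24)],
    "CustomerAS":  [PrefixEntry("permit", "100.100.16.0/22")],
    "ISP1-in-net": [PrefixEntry("permit", "217.150.32.0/19")],
    "lan": [PrefixEntry("permit", "0.0.0.0/0"), PrefixEntry("permit", "10.0.0.0/8", le=32),
            PrefixEntry("permit", "172.16.0.0/12", le=32), PrefixEntry("permit", "192.168.0.0/16", le=32)],
}
ROUTE_MAPS = {
    "ISP1-out":  [Clause("deny", ["lan"]), Clause("permit", ["ourAS.all"]), Clause("permit", ["CustomerAS"])],
    "ISP2-out":  [Clause("deny", ["lan"]), Clause("permit", ["ourAS.all", "CustomerAS"])],
    "NON-EXIST": [Clause("permit", ["ISP1-in-net"], as_path_regex=f"^{ISP1_AS}$")],
    "Cus2ISP2":  [Clause("deny", ["lan"]), Clause("permit", ["CustomerAS"])],
}
OUT_MAP = {"ISP1": "ISP1-out", "ISP2": "ISP2-out"}
CONDITIONAL = {"ISP2": ("Cus2ISP2", "NON-EXIST")}   # neighbor ... advertise-map X non-exist-map Y


def advertised_to(neighbor: str, bgp_table: list[Route]) -> list[str]:
    """Prefixes sent to a neighbour: whatever the outbound route-map permits, minus what the
    advertise-map selects while the non-exist-map still matches a route in the BGP table
    (this model checks every path in the table, not only the best one)."""
    out = [r for r in bgp_table if route_map_permits(ROUTE_MAPS[OUT_MAP[neighbor]], PREFIX_LISTS, r)]
    if neighbor in CONDITIONAL:
        adv_map, non_exist_map = CONDITIONAL[neighbor]
        tracked_present = any(route_map_permits(ROUTE_MAPS[non_exist_map], PREFIX_LISTS, r) for r in bgp_table)
        if tracked_present:
            out = [r for r in out if not route_map_permits(ROUTE_MAPS[adv_map], PREFIX_LISTS, r)]
    return sorted(r.prefix for r in out)


# Constructed BGP table while ISP1 is up. The second copy of the tracked prefix arrives via ISP2
# with a longer AS path; the ^ISP1$ as-path match keeps it from satisfying NON-EXIST.
TABLE_ISP1_UP = [
    Route("217.150.32.0/19", ISP1_AS, "ISP1"),
    Route("217.150.32.0/19", f"{ISP2_AS} {ISP1_AS}", "ISP2"),
    Route("100.100.0.0/21", "", "local"),
    Route("100.100.8.0/21", "", "local"),
    Route("100.100.16.0/22", CUSTOMER_AS, "Customer"),
    Route("10.1.0.0/16", "", "local"),   # leaked from EIGRP/OSPF: must never reach an upstream
    Route("0.0.0.0/0", "", "local"),     # likewise the default route
]
# ISP1 session down: its paths are gone, ISP2's copy of the tracked prefix remains.
TABLE_ISP1_DOWN = [r for r in TABLE_ISP1_UP if r.learned_from != "ISP1"]
```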
P.S. When copying this article, a link to the source is MANDATORY!

Author: Green


Given:

  • a Cisco 2801 router, IOS 12.4(13)
  • two Internet links coming in from two different ISPs

We need to set up Internet link redundancy. If both providers are up, we go out via ISP#1; accordingly, if ISP#1 goes down, we go out via ISP#2.

Diagram:

diagram #1

Then another task came up:

  • Provide Internet access for office #2, taking the redundancy into account

New diagram:

diagram #2

Cisco 1841 configuration:

!
! Track object 123 follows the reachability state of IP SLA probe 1 (the ISP#1 gateway)
track 123 ip sla 1 reachability
!
interface FastEthernet0/0
 description ISP#1
 ip address 85.0.0.242 255.255.255.248
 ip nat outside
!
interface FastEthernet0/1
 description ISP#2
 ip address 84.0.0.242 255.255.255.248
 ip nat outside
!
interface FastEthernet0/3/0
 description OFFICE#1
 switchport access vlan 10
!
interface FastEthernet0/3/1
 switchport access vlan 20
!
interface FastEthernet0/3/2
 switchport access vlan 30
!
interface Vlan10
 description OFFICE#1
 ip address 192.168.168.29 255.255.255.0
 ip nat inside
!
interface Vlan20
 description Link-to-Office#2-primary
 ip address 192.168.0.2 255.255.255.248
 ip nat inside
!
interface Vlan30
 description Link-to-Office#2-backup
 ip address 10.10.10.2 255.255.255.248
 ip nat inside
!
! Router-originated traffic matching LocalPolicy (the SLA probe) is pinned to ISP#1
ip local policy route-map LocalPolicy
! Primary default route is withdrawn when track 123 goes down; the floating static (AD 254) then takes over
ip route 0.0.0.0 0.0.0.0 85.0.0.241 track 123
ip route 0.0.0.0 0.0.0.0 84.0.0.241 254
!
! One PAT rule per uplink; each route-map only matches when the packet actually leaves via that ISP
ip nat inside source route-map ISP#1 interface FastEthernet0/0 overload
ip nat inside source route-map ISP#2 interface FastEthernet0/1 overload
!
! ICMP echo to the ISP#1 gateway every 3 s from Fa0/0; 1 s timeout, 40 ms threshold
ip sla 1
 icmp-echo 85.0.0.241 source-interface FastEthernet0/0
 timeout 1000
 threshold 40
 frequency 3
ip sla schedule 1 life forever start-time now
!
! Matches only the probe packets themselves
ip access-list extended PingISP#1
 permit icmp host 85.0.0.242 host 85.0.0.241
!
! Sources eligible for translation
access-list 104 remark OFFICE#1
access-list 104 permit ip 192.168.168.0 0.0.0.255 any
access-list 104 permit ip host 192.168.0.2 any
access-list 104 permit ip host 10.10.10.2 any
access-list 104 deny ip any any
!
route-map ISP#1 permit 10
 match ip address 104
 match interface FastEthernet0/0
!
route-map ISP#2 permit 10
 match ip address 104
 match interface FastEthernet0/1
!
route-map LocalPolicy permit 10
 match ip address PingISP#1
 set ip next-hop 85.0.0.241
 set interface FastEthernet0/0
!

Cisco 870 configuration:

!
! Probe the 1841's address on the primary inter-office link, sourced from our own address on that link
ip sla 1
 icmp-echo 192.168.0.2 source-ip 192.168.0.4
 timeout 1000
 threshold 40
 frequency 3
ip sla schedule 1 life forever start-time now
!
! Older IOS keyword; same meaning as "track 123 ip sla 1 reachability" on the 1841
track 123 rtr 1 reachability
!
interface FastEthernet0
 description Link-to-Office#1-primary
 switchport access vlan 20
!
interface FastEthernet1
 description Link-to-Office#1-backup
 switchport access vlan 30
!
interface FastEthernet3
 switchport access vlan 10
!
interface Vlan10
 description OFFICE#2
 ip address 192.168.123.29 255.255.255.0
!
interface Vlan20
 ip address 192.168.0.4 255.255.255.248
!
interface Vlan30
 ip address 10.10.10.4 255.255.255.248
!
! Default via the primary link while the probe succeeds; floating static (AD 254) via the backup link otherwise
ip route 0.0.0.0 0.0.0.0 192.168.0.2 track 123
ip route 0.0.0.0 0.0.0.0 10.10.10.2 254
!

Two things to check before copying this. First, the 1841 only probes its directly connected ISP#1 gateway (85.0.0.241), so track 123 goes down only when that link or gateway dies; if ISP#1's upstream breaks while the gateway still answers, the primary default route stays in place. The LocalPolicy route-map pins the probe to FastEthernet0/0; with a directly connected target the connected route already guarantees that, but it becomes essential the moment you point the probe at an address beyond the gateway to catch upstream failures, because otherwise, after failover, the probe would follow the default route out through ISP#2 and report the dead path as alive. Second, in the configuration as printed ACL 104, on which both NAT route-maps depend, permits only Office #1 (192.168.168.0/24) and the 1841's own link addresses: Office #2's LAN 192.168.123.0/24 is neither in that ACL nor reachable by any route on the 1841 (nothing points 192.168.123.0/24 at 192.168.0.4 or 10.10.10.4), so the second task still needs a route to 192.168.123.0/24 and a matching permit entry in ACL 104 on the 1841 before Office #2's traffic gets translated.

Discussed here: subnets.ru/forum
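As an added example (not from the article or its author), here is a Python script that audits the NAT part of a configuration like the one above: it parses the interfaces marked "ip nat inside" and the numbered ACL driving the NAT route-maps, then reports which LANs that are supposed to be translated are not permitted in full by that ACL (first-match semantics, implicit deny at the end). The configuration excerpt is copied from the 1841 configuration in this article; the list of LANs expected to be translated (Office #1 and Office #2's 192.168.123.0/24 behind the 870) is an assumption, as is the function naming.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the Cisco 1841 configuration in this article.
CONFIG_1841 = """\
interface Vlan10
 description OFFICE#1
 ip address 192.168.168.29 255.255.255.0
 ip nat inside
!
interface Vlan20
 description Link-to-Office#2-primary
 ip address 192.168.0.2 255.255.255.248
 ip nat inside
!
interface Vlan30
 description Link-to-Office#2-backup
 ip address 10.10.10.2 255.255.255.248
 ip nat inside
!
access-list 104 remark OFFICE#1
access-list 104 permit ip 192.168.168.0 0.0.0.255 any
access-list 104 permit ip host 192.168.0.2 any
access-list 104 permit ip host 10.10.10.2 any
access-list 104 deny ip any any
"""

# Assumption: Office #2's LAN (192.168.123.0/24 on the 870) is routed through the 1841
# and therefore has to be translated by the same NAT rules as Office #1.
EXPECTED_LANS = ["192.168.168.0/24", "192.168.123.0/24"]

# Only the "ip <source> any" ACE shape used by ACL 104 is parsed.
ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+?)\s+any$")


def _source(tokens):
    """Turn the source part of an ACE ('any', 'host A' or 'A wildcard') into a network."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    addr, wildcard = tokens
    if wildcard == "0.0.0.0":                      # "A 0.0.0.0" is another way to say host A
        return ipaddress.ip_network(addr + "/32")
    # An IOS wildcard is the inverted subnet mask, i.e. a hostmask, which ipaddress accepts.
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)


def parse_acl(config, number):
    """Ordered (action, source_network) entries of numbered ACL `number`."""
    entries = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and int(m.group(1)) == number:
            entries.append((m.group(2), _source(m.group(3).split())))
    return entries


def nat_inside_subnets(config):
    """Subnets of every interface that carries 'ip nat inside'."""
    subnets, current = [], None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = None
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()
            current = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line == "ip nat inside" and current is not None:
            subnets.append(current)
    return subnets


def acl_permits_whole(entries, lan):
    """First-match check: does the ACL permit every source address in `lan`?

    A permit ACE containing the whole LAN permits it. Any earlier ACE that merely
    overlaps it (a deny, or a permit for only part of it) means the LAN is not
    uniformly translated. Falling off the end is the implicit deny.
    """
    for action, net in entries:
        if lan.subnet_of(net):
            return action == "permit"
        if lan.overlaps(net):
            return False
    return False


def untranslated_lans(config, lans, acl_number=104):
    """The LANs (as given) that the NAT ACL fails to permit in full."""
    entries = parse_acl(config, acl_number)
    return [lan for lan in lans
            if not acl_permits_whole(entries, ipaddress.ip_network(lan))]


if __name__ == "__main__":
    print("ip nat inside subnets:", [str(n) for n in nat_inside_subnets(CONFIG_1841)])
    print("LANs not translated by ACL 104:", untranslated_lans(CONFIG_1841, EXPECTED_LANS))
```

Run against the excerpt it lists 192.168.123.0/24 as untranslated, which is the gap a practitioner has to close before Office #2 is expected to reach the Internet; feeding the same check a link subnet such as 192.168.0.0/29 also flags it, since only the single host 192.168.0.2 is permitted.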

Автор:  msergey


Switches and Access Lists

A switch can use the following ACL types to filter traffic:

  • Router ACL
  • Port ACL
  • VLAN ACL
  • MAC ACL

Router ACL

As the name implies, Router ACLs are the familiar IOS ACLs, used to filter traffic on Layer 3 interfaces: SVIs (the Layer 3 interfaces of a VLAN), physical Layer 3 interfaces and Layer 3 EtherChannel interfaces. Both standard and extended ACLs are supported. For details on Router ACLs see the corresponding documentation.

Port ACL

Port ACLs are like Router ACLs but are applied to the physical Layer 2 interfaces of the switch. Port ACLs filter inbound traffic only. A Port ACL can be a standard, an extended or a MAC-extended access list.

A Port ACL is processed like a Router ACL: the switch checks the ACL assigned to the interface and permits or drops the packet.

When an ACL is applied to a trunk port, the traffic of all VLANs crossing the trunk is checked, both data and voice.

The main attraction of Port ACLs is that they can filter both IP traffic (with IP access lists) and non-IP traffic (with MAC access lists).

Note: Port ACLs are not supported on EtherChannel interfaces.

VLAN ACL (VACL)

VLAN ACLs (also known as VLAN maps) filter all types of traffic inside a VLAN as well as traffic entering or leaving it. Unlike a Router ACL, a VACL has no direction (input or output): every packet in the VLAN, whether bridged or routed, is checked against it. If you need direction-dependent filtering, VACLs can be combined with Private VLANs.

VACLs are processed in hardware and do not affect switch performance; nor does performance depend on the size of the VACL. For this reason they are also referred to as wire-speed ACLs.

VACL on a Layer 2 port

The figure below shows a VACL on a bridged interface for Host A in VLAN 5 sending to Host B in VLAN 10.

[figure ns080402]

VACL on a routed port

The figure below shows IOS ACLs and a VACL working together on a routed interface. The order of evaluation is:

1. VACL of the input VLAN
2. Input IOS ACL
3. Output IOS ACL
4. VACL of the output VLAN

[figure ns080403]

Configuring a VACL

To configure a VACL (VLAN access map):

1. Define the standard or extended ACL that the VACL will use.
2. Define the VLAN access map.
3. Describe the match criterion.
4. Describe the action taken on a match.
5. Apply the VLAN access map to the relevant VLAN(s).
6. Check what came out of it.

In this example we define and apply a VACL that drops packets matching access list 1, i.e. those from 192.168.1.0/24, while all other packets, which match access list 2, are forwarded. The VACL is applied to VLANs 5 through 10. The second entry is not optional: a map entry matches only packets that its ACL permits (a deny in the ACL means "no match", and evaluation moves on to the next entry), and when the map has at least one match clause for a packet's type (IP or MAC) but the packet matches none of them, the packet is dropped. Without entry 20, every IP packet not sourced from 192.168.1.0/24 would be dropped as well. Conversely, packets of a type the map has no clause for at all (here, non-IP frames) are forwarded untouched, so a VACL built only from IP access lists does nothing to ARP or other non-IP traffic.

Switch(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Switch(config)#access-list 2 permit any
Switch(config)#vlan access-map mymap 10
Switch(config-access-map)#match ip address 1
Switch(config-access-map)#action drop
Switch(config-access-map)#exit
Switch(config)#vlan access-map mymap 20
Switch(config-access-map)#match ip address 2
Switch(config-access-map)#action forward
Switch(config-access-map)#exit
Switch(config)#vlan filter mymap vlan-list 5-10
Switch(config)#end

Switch# show vlan access-map
Vlan access-map "mymap" 10
Match clauses:
ip address: 1
Action:
drop
Vlan access-map "mymap" 20
Match clauses:
ip address: 2
Action:
forward

Switch# show vlan filter
VLAN Map mymap is filtering VLANs:
5-10
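To make the evaluation rules concrete, here is an added Python model (not from the original page, nor Cisco code) of how a switch works through a VLAN access map, fed with this article's mymap and its "vlan filter ... vlan-list 5-10". The semantics it encodes are those documented for Catalyst 3560/3750-class switches and are stated here as an assumption: entries are tried in sequence order, an entry matches only packets its ACL permits, a packet whose type has match clauses but matches none is dropped, and a packet whose type has no clause at all is forwarded. Only "match ip address" clauses are modelled; the packet dictionaries and the function names are constructed for the example.

```python
import ipaddress

# Constructed model of the VLAN access map configured in this article:
#   access-list 1 permit 192.168.1.0 0.0.0.255
#   access-list 2 permit any
#   vlan access-map mymap 10: match ip address 1, action drop
#   vlan access-map mymap 20: match ip address 2, action forward
#   vlan filter mymap vlan-list 5-10
ACLS = {
    1: [("permit", ipaddress.ip_network("192.168.1.0/24"))],
    2: [("permit", ipaddress.ip_network("0.0.0.0/0"))],
}
MYMAP = [
    {"seq": 10, "match": ("ip", 1), "action": "drop"},
    {"seq": 20, "match": ("ip", 2), "action": "forward"},
]
MYMAP_WITHOUT_FORWARD = MYMAP[:1]        # the same map with entry 20 forgotten
FILTERED_VLANS = set(range(5, 11))       # vlan filter mymap vlan-list 5-10


def acl_permits(acl, src):
    """Standard ACL semantics: the first ACE whose network contains src decides;
    no ACE matching is the implicit deny."""
    for action, net in acl:
        if src in net:
            return action == "permit"
    return False


def vacl_action(vlan_map, acls, packet):
    """Evaluate one packet against a VLAN access map.

    Assumed semantics (as documented for Catalyst 3560/3750-class switches):
      * entries are tried in sequence order; the first entry whose match-clause
        ACL permits the packet supplies the action (an ACL deny is "no match"
        and evaluation continues with the next entry);
      * if the map has at least one match clause for this packet's type but
        none matched, the packet is dropped;
      * if the map has no clause for this packet's type at all, it is forwarded.
    Only "match ip address" clauses are modelled. packet["type"] is "ip" for IP
    packets (packet["src"] is then the source address) and anything else for
    non-IP frames. Returns (action, sequence number that decided, or None when
    the default applied).
    """
    saw_type = False
    for entry in sorted(vlan_map, key=lambda e: e["seq"]):
        kind, acl_id = entry["match"]
        if kind != packet["type"]:
            continue
        saw_type = True
        if acl_permits(acls[acl_id], ipaddress.ip_address(packet["src"])):
            return entry["action"], entry["seq"]
    return ("drop", None) if saw_type else ("forward", None)


def vlan_decision(vlan, packet, vlan_map=MYMAP, acls=ACLS, filtered=FILTERED_VLANS):
    """What the switch does with `packet` seen in `vlan`; VLANs the map is not
    applied to pass everything."""
    if vlan not in filtered:
        return "forward", None
    return vacl_action(vlan_map, acls, packet)


if __name__ == "__main__":
    samples = (
        ("IP from 192.168.1.7", {"type": "ip", "src": "192.168.1.7"}),
        ("IP from 10.0.0.5", {"type": "ip", "src": "10.0.0.5"}),
        ("ARP frame", {"type": "arp", "src": "00:11:22:33:44:55"}),
    )
    for name, pkt in samples:
        print(f"VLAN 7, {name}: mymap -> {vacl_action(MYMAP, ACLS, pkt)}, "
              f"without entry 20 -> {vacl_action(MYMAP_WITHOUT_FORWARD, ACLS, pkt)}, "
              f"VLAN 20 -> {vlan_decision(20, pkt)}")
```

The run shows the two things the CLI transcript cannot: with entry 20 missing, a packet from 10.0.0.5 in VLAN 7 is dropped by the default rather than forwarded, while an ARP frame passes through both versions of the map because neither has a MAC match clause.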

MAC ACL

A MAC ACL, also known as an Ethernet ACL, filters non-IP traffic on a VLAN or on physical Layer 2 interfaces by MAC address, using a named MAC extended ACL.

The configuration steps are the same as for an ordinary named extended ACL. MAC ACLs can only filter inbound traffic.

A MAC extended ACL is defined with the mac access-list extended command.

Once the MAC ACL has been created, it must be applied to a Layer 2 interface with mac access-group [acl-name] in.

The example below shows how to create and apply a MAC ACL that blocks all AppleTalk Address Resolution Protocol (AARP) packets and permits the remaining traffic.

Switch(config)# mac access-list extended my-mac-acl
Switch(config-ext-macl)# deny any any aarp
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# exit
Switch(config)# interface Fastethernet0/10
Switch(config-if)# mac access-group my-mac-acl in
Switch(config-if)# end
Switch#

Original: http://dreamcatcher.ru/cisco/003_switches.html
