北京某大型網(wǎng)吧Cisco 3700系列路由器優(yōu)化方案
北京某朋友說網(wǎng)吧有點(diǎn)問題,具體情況如下:
帶寬10M獨(dú)享北京電信通接入 機(jī)器數(shù)量450臺
路由器是 Cisco 3700系列 應(yīng)用程序路由器
分配的IP地址:(為了安全起見,下面的IP地址為偽造,但是性質(zhì)相同)
60.195.11.1~ 60.195.11.254 netmask 255.255.255.0
60.195.12.1~60.195.12.63 netmask 255.255.255.0
218.247.242.93---218.247.242.99 netmask 255.255.255.224
192.168.0.1~ 192.168.0.254 netmask 255.255.255.0
其中192.168.0.1~ 192.168.0.254通過NAT出外網(wǎng),NAT地址池采用218.247.242.94---218.247.242.99 這5個地址。
這些地址都通過DHCP給客戶機(jī)分配。
故障問題1:CS無法跨網(wǎng)段互連
故障問題2:IP混亂 大量數(shù)據(jù)報文經(jīng)過路由器 路由負(fù)載很大
為了解決這個問題,我要來了他們路由器的配置表:
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 (密碼部分隱蔽)!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
no ip domain lookup
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
ip address 172.30.99.222 255.255.255.252
ip access-group li in
ip access-group li out
ip accounting output-packets
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 60.195.12.1 255.255.255.0 secondary
ip address 218.247.242.93 255.255.255.224 secondary
ip address 192.168.0.1 255.255.255.0 secondary
ip address 60.195.11.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip nat pool wang 218.247.242.94 218.247.242.99 netmask 255.255.255.224
ip nat inside source list 120 pool wang overload
ip classless
ip route 0.0.0.0 0.0.0.0 172.30.99.221
ip http server
!
ip access-list extended li
permit icmp 60.195.11.0 0.0.0.255 host 60.194.0.1
permit icmp 60.195.12.0 0.0.0.255 host 60.194.1.1
permit icmp 172.30.99.220 0.0.0.3 172.30.99.220 0.0.0.3
deny tcp any eq 135 any
deny tcp any any eq 135
deny udp any any eq 135
deny tcp any any eq 139
deny tcp any eq 139 any
deny udp any any eq netbios-ss
deny udp any eq netbios-ns any
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
deny udp any eq netbios-dgm any
deny tcp any eq 445 any
deny tcp any any eq 445
deny tcp any eq 4444 any
deny udp any eq 445 any
deny udp any any eq 445
deny tcp any any eq exec
deny udp any any eq 29851
permit ip any any
!
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
access-list 188 permit tcp any any eq 16881
access-list 188 permit tcp any any range 6881 6890
access-list 188 permit tcp any any range 1880 1890
access-list 188 permit tcp any any range 6000 6009
access-list 188 permit tcp any any range 8000 8009
access-list 188 permit tcp any any range 8881 8890
!
從上面配置看:存在一下一些問題:
1、 地址段很混亂,網(wǎng)吧內(nèi)既有 60.195.11段,又有 60.195.12段,60.195.12段只有64個IP地址,但是配置的掩碼卻是 255.255.255.0。和另外一個網(wǎng)吧的IP地址段廣播重復(fù)。
2、 ACL表設(shè)置有不合理的地方,對標(biāo)準(zhǔn)ACL和擴(kuò)展ACL沒有正確運(yùn)用。
3、 內(nèi)部地址通過NAT可以訪問 60.195段的公網(wǎng)IP主機(jī),但是反過來,因?yàn)槠鋸?fù)用動態(tài)NAT的原因,60段IP無法回訪192段IP。
4、 Int fas 0/1 上沒有開啟route cache ,在一個接口上有多個IP段的情況下,不開啟cache的話,網(wǎng)段間互相通信會嚴(yán)重影響路由器性能。加重負(fù)載。網(wǎng)吧不同IP段內(nèi)互連CS之類游戲的話會嚴(yán)重丟包。
5、 其他一些設(shè)置:比如沒有禁止ip proxy-arp,容易被ARP欺詐攻擊。沒有禁止 http server,容易被惡意獲取最高權(quán)限。
#P#
于是,做出一個整改辦法:
我重新寫了下路由器配置:
!
version 12.3
no service timestamps debug datetime msec (沒有用,NO掉)
no service timestamps log datetime msec (沒有用,NO掉)
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 (密碼部分隱蔽)!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
no ip domain lookup
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
ip address 172.30.99.222 255.255.255.252
ip route-cache flow (根據(jù)網(wǎng)盟 yewei1012 朋友的建議增加)
no ip proxy-arp (預(yù)防ARP欺詐性攻擊)
ip access-group li in
ip access-group li out
ip accounting output-packets
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 60.195.12.1 255.255.255.0 secondary
ip address 218.247.242.93 255.255.255.224 secondary
ip address 192.168.1.1 255.255.255.0 secondary
ip address 192.168.0.1 255.255.255.0 secondary
ip address 60.195.11.1 255.255.255.0
no ip proxy-arp (預(yù)防ARP欺詐性攻擊)
ip nat inside
ip route-cache same-interface (提高跨網(wǎng)段通信速度,減輕路由負(fù)載)
duplex auto
speed auto
!
ip nat translation timeout 70
ip nat translation tcp-timeout 60
ip nat translation udp-timeout 60
ip nat translation syn-timeout 10
ip nat translation dns-timeout 5
ip nat translation icmp-timeout 5
(上面是NAT保留時間,必須加這個,這樣你可以N個月不重啟路由,路由器不會變慢,使用CISCO NAT的絕招,我的記錄是 連續(xù)運(yùn)行10個月沒有重啟)
ip nat pool wang 61.195.11.10 60.195.11.20 netmask 255.255.255.0 (重新用其他IP做NAT地址池。)
ip nat inside source list 1 pool wang overload (這里變了)
ip classless
ip route 0.0.0.0 0.0.0.0 172.30.99.221
no ip http server(no 掉!容易挨炸)
!
ip access-list extended li
permit icmp 60.195.11.0 0.0.0.255 host 60.194.0.1
permit icmp 60.195.12.0 0.0.0.255 host 60.194.1.1
permit icmp 172.30.99.220 0.0.0.3 172.30.99.220 0.0.0.3
deny tcp any eq 135 any
deny tcp any any eq 135
deny udp any any eq 135
deny tcp any any eq 139
deny tcp any eq 139 any
deny udp any any eq netbios-ss
deny udp any eq netbios-ns any
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
deny udp any eq netbios-dgm any
deny tcp any eq 445 any
deny tcp any any eq 445
deny tcp any eq 4444 any
deny udp any eq 445 any
deny udp any any eq 445
deny tcp any any eq exec
deny udp any any eq 29851
permit ip any any
!
access-list 1 permit ip 192.168.0.0 0.0.255.255 (這是指定那些IP可以通過NAT,用標(biāo)準(zhǔn)acl省資源)
access-list 188 permit tcp any any eq 16881
access-list 188 permit tcp any any range 6881 6890
access-list 188 permit tcp any any range 1880 1890
access-list 188 permit tcp any any range 6000 6009
access-list 188 permit tcp any any range 8000 8009
access-list 188 permit tcp any any range 8881 8890
!
==========
內(nèi)部網(wǎng)絡(luò)整改方案:
1、 網(wǎng)吧內(nèi)部全部采用內(nèi)部IP,把公網(wǎng)IP給視頻區(qū)固定分配(不能打局域網(wǎng)游戲的區(qū)域),這樣可以解決使用內(nèi)部IP時,非會員QQ無法穿越防火墻 以及打聯(lián)眾無法坐到一起的問題。
2、 DHCP分配的IP地址為:192.168.0.2~ 192.168.1.254 子網(wǎng)掩碼 255.255.254.0 網(wǎng)關(guān)設(shè)置為 192.168.0.1 避免內(nèi)部通信數(shù)據(jù)走路由器接口,減少路由負(fù)載提高路由器性能
3、 給路由器NAT做優(yōu)化,提高性能。估計(jì)路由器在滿載(450臺電腦都用內(nèi)部IP)的情況下可以達(dá)到CPU負(fù)載不超過25%。
4。60.195.12.1----60.195.12.63段IP 可以暫時不用,避免與其他網(wǎng)吧沖突。
【編輯推薦】
