Hi!
Situation:
Employees have started complaining that they cannot download large files (>1 GB) from the site b2b-center.ru. They start the download, the file seems to begin downloading at maximum speed, but after a few seconds the speed drops to 20-50 KBytes, and then the download may fail altogether with an error. Downloads from file-sharing services (Yandex, Mail, etc.) work normally, and the speed does not drop.
Network topology:
Firepower<--->
Cisco 2921<--->
Cisco 2960 switch stack<--->Hosts.
The Cisco 2921 is used as a CUBE for CUCM and as a router for several subnets.
Testing:
How I determined that the problem is in the router.
Besides the local network segment, the organization has a DMZ network, which is set up as follows.
Firepower<--->
Cisco 2960 switch stack<--->
Hosts.
A VLAN has been created on one of the free Firepower interfaces; this port is patched into the switch stack.
As a result, testing showed that downloads from the DMZ network run at the normal maximum speed.
Router config:
Code:
Current configuration : 17571 bytes
!
! Last configuration change at 14:45:05 EKT Fri May 28 2021 by root14
! NVRAM config last updated at 17:54:55 EKT Fri May 28 2021 by root14
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname RTR01
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.157-3.M3.bin
boot-end-marker
!
!
enable secret 5 $$$$$$$$$$$$$$$$$$
!
aaa new-model
!
!
!
!
!
!
!
!
aaa session-id common
clock timezone EKT 5 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.6.248.100 10.6.248.250
ip dhcp excluded-address 10.6.248.1
!
ip dhcp pool PHONE
network 10.6.248.0 255.255.252.0
option 150 ip 10.6.248.100
dns-server 10.6.248.1
default-router 10.6.248.1
!
!
!
ip domain name group.loc
ip name-server 10.6.0.3
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
template 10
!
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-732317511
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-732317511
revocation-check none
rsakeypair TP-self-signed-732317511
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-732317511
certificate self-signed 01
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
voice-card 0
dspfarm
dsp services dspfarm
!
!
no voice hunt unassigned-number
!
voice service pots
!
voice service voip
ip address trusted list
ipv4 10.66.228.43
ipv4 10.66.228.250
ipv4 10.66.251.97
ipv4 172.30.255.174
ipv4 10.66.251.194
ipv4 10.66.251.195
ipv4 10.66.161.162
ipv4 10.66.251.37
ipv4 10.66.251.38
ipv4 10.66.228.131
ipv4 10.223.41.40
ipv4 10.56.82.34
ipv4 10.16.32.201
ipv4 10.16.32.202
ipv4 10.6.248.100
ipv4 10.8.250.0 255.255.255.0
ipv4 10.8.250.1
ipv4 192.168.56.1
allow-connections sip to sip
no supplementary-service sip moved-temporarily
no supplementary-service sip refer
no supplementary-service sip handle-replaces
redirect ip2ip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
no fax-relay sg3-to-g3
sip
bind media source-interface GigabitEthernet0/0.250
min-se 300
registrar server expires max 600 min 60
no update-callerid
no silent-discard untrusted
sip-profiles 100
no call service stop
!
!
voice class uri 2 sip
host ipv4:10.6.248.100
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g711alaw
codec preference 3 g729br8
video codec h264
!
!
voice class sip-profiles 10
request INVITE sip-header From modify "From: (.*<)" "From: \"39391\""
!
voice class sip-profiles 100
request ANY sip-header From modify "<sip:XXXXX76226@(.*)>" "<sip:XXXXX76226@10.56.82.34>"
request REGISTER sip-header From modify "<sip:XXXXX76226@(.*)>" "<sip:XXXXX76226@10.56.82.34>"
request ANY sip-header To modify "<sip:XXXXX76226@(.*)>" "<sip:XXXXX76226@10.56.82.34>"
request ANY sip-header From modify "<sip:XXXXX76387@(.*)>" "<sip:XXXXX76387@10.56.82.34>"
request REGISTER sip-header From modify "<sip:XXXXX76387@(.*)>" "<sip:XXXXX76387@10.56.82.34>"
request ANY sip-header To modify "<sip:XXXXX76387@(.*)>" "<sip:XXXXX76387@10.56.82.34>"
!
!
voice class sip-options-keepalive 1
!
!
voice iec syslog
!
!
voice translation-rule 1
rule 1 /.*/ /39391/
rule 2 /6001/ /39392/
!
voice translation-rule 2
rule 1 /39391/ /6111/
rule 2 /39392/ /6001/
!
voice translation-rule 3
rule 1 /XXXXX76387/ /6001/
rule 2 /XXXXX76226/ /6111/
!
voice translation-rule 4
rule 1 /.*/ /XXXXX76226/
!
voice translation-rule 5
rule 1 /^98/ //
!
voice translation-rule 6
rule 1 /^9/ //
!
!
voice translation-profile 39391
translate called 2
!
voice translation-profile 76226
translate called 3
!
voice translation-profile BeelineSIP
translate calling 1
!
voice translation-profile ReservTSP
translate calling 4
translate called 5
!
voice translation-profile ReservTSP_Mobile
translate called 6
!
!
!
!
application
service its flash0:/its.tcl
param aa-pilot 6111
param queue-manager-debugs 1
param operator 6000
!
!
no vxml logging-tag
license udi pid CISCO2921/K9 sn FCZ1850706F
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
hw-module pvdm 0/0
!
!
!
file privilege 0
username root14 privilege 15 secret 5 $1$efgQ$zhm8O6dHV73Mqprj.7XeQ1
username socar privilege 15 secret 5 $1$fwnn$U62ql7ViWPuOm2GJREO1u0
!
redundancy
!
!
!
!
!
!
class-map match-any voice-control
match protocol sip
class-map match-any ssh
match protocol ssh
class-map match-any video
match protocol rtp video
class-map match-any audio
match protocol rtp audio
!
policy-map voip
class audio
priority percent 25
class video
bandwidth remaining percent 10
class ssh
bandwidth remaining percent 4
class voice-control
priority percent 4
class class-default
fair-queue
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
description MGMT
encapsulation dot1Q 10
ip address 10.6.10.254 255.255.255.0
ip nbar protocol-discovery ipv4
!
interface GigabitEthernet0/0.20
description USR
encapsulation dot1Q 20
ip address 10.6.20.1 255.255.255.0
!
interface GigabitEthernet0/0.150
description SKUD
encapsulation dot1Q 150
ip address 10.6.150.1 255.255.255.0
!
interface GigabitEthernet0/0.250
description VOICE
encapsulation dot1Q 250
ip address 10.6.248.1 255.255.252.0
ip nbar protocol-discovery ipv4
!
interface GigabitEthernet0/0.260
description SIP Vimpelkom
encapsulation dot1Q 260
ip address 192.168.56.166 255.255.255.252
ip nbar protocol-discovery ipv4
!
interface GigabitEthernet0/0.270
description SIP MTS
encapsulation dot1Q 270
ip address 10.223.44.142 255.255.255.252
ip nbar protocol-discovery ipv4
!
interface GigabitEthernet0/0.1000
description SRV
encapsulation dot1Q 1000
ip address 10.6.0.1 255.255.255.0
!
interface GigabitEthernet0/1
description SIP-OUTSIDE
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 172.31.6.2 255.255.255.252
ip nbar protocol-discovery ipv4
duplex auto
speed auto
!
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http path flash:/CME/GUI
!
ip route 0.0.0.0 0.0.0.0 172.31.6.1
ip route 10.6.99.0 255.255.255.0 172.31.6.1
ip route 10.56.82.0 255.255.255.0 10.223.44.141
ip route 10.66.161.162 255.255.255.255 10.66.228.97
ip route 10.66.228.43 255.255.255.255 10.66.228.97
ip route 10.66.228.79 255.255.255.255 10.66.228.97
ip route 10.66.228.250 255.255.255.255 10.66.228.97
ip route 10.66.248.131 255.255.255.255 10.66.228.97
ip route 10.66.251.37 255.255.255.255 10.66.228.97
ip route 10.66.251.38 255.255.255.255 10.66.228.97
ip route 10.66.251.97 255.255.255.255 10.66.228.97
ip route 10.66.251.194 255.255.255.255 10.66.228.97
ip route 10.66.251.195 255.255.255.255 10.66.228.97
ip route 10.223.41.0 255.255.255.0 10.223.44.141
ip route 192.168.56.1 255.255.255.255 192.168.56.165
ip route 192.168.56.2 255.255.255.255 192.168.56.165
!
ip access-list standard SSH
permit 10.6.20.90
permit 10.6.99.11
permit 10.6.20.149
deny any log
ip access-list standard TFTP
permit 0.0.0.0 255.255.252.0
deny any log
!
ip access-list extended voice_traffic
permit ip host 10.6.248.1 host 10.66.228.107
permit ip host 10.66.228.107 host 10.6.248.1
!
ip sla responder
ipv6 ioam timestamp
!
!
!
!
!
control-plane
!
!
voice-port 0/0/0
compand-type a-law
cptone RU
!
voice-port 0/0/1
compand-type a-law
cptone RU
!
voice-port 0/0/2
!
voice-port 0/0/3
!
!
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
dspfarm profile 1 transcode universal
codec g729abr8
codec g729ar8
codec g711alaw
codec g711ulaw
codec g729r8
maximum sessions 12
associate application CUBE
!
dial-peer voice 8 voip
description To_Beeline
translation-profile outgoing BeelineSIP
destination-pattern 8..........
session protocol sipv2
session target ipv4:192.168.56.1
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
no voice-class sip outbound-proxy
voice-class sip early-offer forced
voice-class sip bind control source-interface GigabitEthernet0/0.260
voice-class sip bind media source-interface GigabitEthernet0/0.260
dtmf-relay rtp-nte
clid strip name
!
dial-peer voice 1 voip
description *Incoming Call from BeeLine*
translation-profile incoming 39391
session protocol sipv2
session target ipv4:192.168.56.1
incoming called-number 39391
voice-class codec 1
voice-class sip dtmf-relay force rtp-nte
no voice-class sip outbound-proxy
no voice-class sip early-offer forced
voice-class sip bind control source-interface GigabitEthernet0/0.260
voice-class sip bind media source-interface GigabitEthernet0/0.260
dtmf-relay rtp-nte
!
dial-peer voice 6111 voip
service its
destination-pattern 6111
redirect ip2ip
session protocol sipv2
session target ipv4:10.6.248.1
incoming called-number 6111
voice-class sip bind control source-interface GigabitEthernet0/0.250
voice-class sip bind media source-interface GigabitEthernet0/0.250
dtmf-relay sip-notify
codec g711ulaw
no vad
!
dial-peer voice 6001 pots
destination-pattern 6001
fax rate voice
port 0/0/0
no sip-register
!
dial-peer voice 22 voip
preference 1
destination-pattern 6[45]..
redirect ip2ip
session protocol sipv2
session target ipv4:10.8.250.1
voice-class codec 1
voice-class sip bind control source-interface GigabitEthernet0/0.250
voice-class sip bind media source-interface GigabitEthernet0/0.250
dtmf-relay sip-notify
no vad
!
dial-peer voice 70 voip
description *Incoming Call from BeeLine*
translation-profile incoming 39391
session protocol sipv2
session target sip-server
incoming called-number 39392
voice-class sip dtmf-relay force rtp-nte
voice-class sip bind control source-interface GigabitEthernet0/0.260
voice-class sip bind media source-interface GigabitEthernet0/0.260
dtmf-relay rtp-nte
!
dial-peer voice 76226 voip
description *Incoming Call from Reserv TSP*
translation-profile incoming 76226
session protocol sipv2
session target sip-server
incoming called-number XXXXX76226
voice-class sip dtmf-relay force rtp-nte
dtmf-relay rtp-nte
!
dial-peer voice 76387 voip
description *Incoming Call from Reserv TSP*
translation-profile incoming 76226
session protocol sipv2
session target sip-server
incoming called-number XXXXX76387
voice-class sip dtmf-relay force rtp-nte
!
dial-peer voice 9 voip
description To_Reserv TSP
translation-profile outgoing ReservTSP_Mobile
destination-pattern 98[9].........
session protocol sipv2
session target ipv4:10.223.41.40
voice-class sip dtmf-relay force rtp-nte
no voice-class sip outbound-proxy
voice-class sip early-offer forced
voice-class sip bind control source-interface GigabitEthernet0/0.270
voice-class sip bind media source-interface GigabitEthernet0/0.270
dtmf-relay rtp-nte
codec g711alaw
clid strip name
!
dial-peer voice 21 voip
preference 1
shutdown
destination-pattern 1...
redirect ip2ip
session protocol sipv2
session target ipv4:10.16.32.201
voice-class codec 1
voice-class sip bind control source-interface GigabitEthernet0/0.250
voice-class sip bind media source-interface GigabitEthernet0/0.250
dtmf-relay sip-notify
no vad
!
dial-peer voice 23 voip
preference 1
shutdown
destination-pattern 4...
redirect ip2ip
session protocol sipv2
session target ipv4:10.16.32.201
voice-class codec 1
voice-class sip bind control source-interface GigabitEthernet0/0.250
voice-class sip bind media source-interface GigabitEthernet0/0.250
dtmf-relay sip-notify
no vad
!
dial-peer voice 15 voip
description Incoming calls from CUCM
session protocol sipv2
session target sip-server
incoming uri via 2
voice-class codec 1
dtmf-relay sip-kpml
no vad
!
dial-peer voice 2001 voip
description Outgoing calls to CUCM
destination-pattern 2001
redirect ip2ip
session protocol sipv2
session target ipv4:10.6.248.100
incoming called-number 2001
voice-class sip bind control source-interface GigabitEthernet0/0.250
voice-class sip bind media source-interface GigabitEthernet0/0.250
dtmf-relay sip-notify
codec g711ulaw
no vad
!
dial-peer voice 24 voip
preference 2
shutdown
destination-pattern 1...
redirect ip2ip
session protocol sipv2
session target ipv4:10.16.32.202
voice-class codec 1
voice-class sip bind control source-interface GigabitEthernet0/0.250
voice-class sip bind media source-interface GigabitEthernet0/0.250
dtmf-relay sip-notify
no vad
!
dial-peer voice 25 voip
preference 2
shutdown
destination-pattern 4...
redirect ip2ip
session protocol sipv2
session target ipv4:10.16.32.202
voice-class codec 1
voice-class sip bind control source-interface GigabitEthernet0/0.250
voice-class sip bind media source-interface GigabitEthernet0/0.250
dtmf-relay sip-notify
no vad
!
dial-peer voice 26 voip
preference 1
shutdown
destination-pattern 5...
redirect ip2ip
session protocol sipv2
session target ipv4:10.16.32.201
voice-class codec 1
voice-class sip bind control source-interface GigabitEthernet0/0.250
voice-class sip bind media source-interface GigabitEthernet0/0.250
dtmf-relay sip-notify
no vad
!
dial-peer voice 27 voip
preference 2
shutdown
destination-pattern 5...
redirect ip2ip
session protocol sipv2
session target ipv4:10.16.32.202
voice-class codec 1
voice-class sip bind control source-interface GigabitEthernet0/0.250
voice-class sip bind media source-interface GigabitEthernet0/0.250
dtmf-relay sip-notify
no vad
!
dial-peer voice 2000 voip
description Outgoing calls to CUCM
destination-pattern 6[013]..
redirect ip2ip
session protocol sipv2
session target ipv4:10.6.248.100
voice-class codec 1
voice-class sip bind control source-interface GigabitEthernet0/0.250
voice-class sip bind media source-interface GigabitEthernet0/0.250
dtmf-relay rtp-nte sip-notify
no vad
!
dial-peer voice 99 voip
description To_Reserv TSP
translation-profile outgoing ReservTSP
destination-pattern 98[0-8].........
session protocol sipv2
session target ipv4:10.223.41.40
voice-class sip dtmf-relay force rtp-nte
no voice-class sip outbound-proxy
voice-class sip early-offer forced
voice-class sip bind control source-interface GigabitEthernet0/0.270
voice-class sip bind media source-interface GigabitEthernet0/0.270
dtmf-relay rtp-nte
codec g711alaw
clid strip name
!
!
presence
presence call-list
max-subscription 400
watcher all
allow subscribe
!
sip-ua
credentials number XXXXX76226 username XXXXX76226 password 7 $$$$$$$$$$$$$$$$$$$$$$ realm 10.56.82.34
credentials number XXXXX76387 username XXXXX76387 password 7 $$$$$$$$$$$$$$$$$$$$$$ realm 10.56.82.34
authentication username XXXXX76226 password 7 150B0E2E017B332B393707 realm 10.56.82.34
registrar ipv4:10.223.41.40:5060 expires 180
sip-server ipv4:192.168.56.1
connection-reuse
host-registrar
presence enable
!
!
!
gatekeeper
shutdown
!
!
vstack
alias exec ac sh call active voice brief
alias exec hi sh call hi voice brief
alias exec ca sh call active voice com
alias exec un undeb all
alias exec hid sh call hi voice id
privilege exec level 3 show startup-config
privilege exec level 3 show running-config view full
privilege exec level 3 show running-config view
privilege exec level 3 show running-config
privilege exec level 3 show
!
line con 0
exec-timeout 0 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
transport output ssh
line vty 5 15
exec-timeout 0 0
privilege level 15
transport input ssh
transport output ssh
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0.1000
ntp master 5
ntp update-calendar
ntp server 0.pool.ntp.org minpoll 10
!
end