Configurando a redundância de IPSec sobre o ISDN usando o Dialer Watch
Índice
Introdução
Este documento fornece uma configuração de exemplo como cifrar o tráfego da rede atrás do roteador1 à rede atrás do roteador2 (o laço de retorno 0s é usado como redes neste exemplo). Se o link principal (Ethernet) entre o roteador1 e o roteador2 vai para baixo, o tráfego da Segurança IP (IPsec) continua a correr através do enlace secundário (ISDN). Há diversas maneiras de conseguir este objetivo; você pode usar o Dialer Watch, a Interface de backup, o circuito da procura, e a estática flutuante. Esse exemplo de configuração demonstra o mecanismo do relógio do discador. Para obter informações sobre outros recursos, consulte Avaliando interfaces de backup, rotas estáticas flutuantes e relógio de discador para backup de DDR.
Pré-requisitos
Requisitos
Não existem requisitos específicos para este documento.
Componentes Utilizados
As informações neste documento são baseadas nestas versões de software e hardware:
-
Cisco 2621 e 3640 Routers
-
Software Release 12.3(3) de Cisco IOS®
As informações neste documento foram criadas a partir de dispositivos em um ambiente de laboratório específico. Todos os dispositivos utilizados neste documento foram iniciados com uma configuração (padrão) inicial. Se sua rede está viva, certifique-se de que você compreende o impacto potencial do comando any antes que você o use.
Convenções
Para obter mais informações sobre convenções de documento, consulte as Convenções de dicas técnicas Cisco.
Configurar
Nesta seção, você encontrará informações para configurar os recursos descritos neste documento.
Note: Para localizar informações adicionais sobre os comandos usados neste documento, utilize a Ferramenta Command Lookup (somente clientes registrados).
Diagrama de Rede
Este documento usa a instalação de rede mostrada no diagrama aqui:
Configurações
Este documento usa as configurações mostradas aqui:
| Roteador 1 (2621) |
|---|
r1#show running-config Building configuration... Current configuration : 2244 bytes ! version 12.3 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname r1 ! boot-start-marker boot-end-marker ! ! username r2 password 0 cisco !--- This is the username for remote router (Router 2) !--- and shared secret. Shared secret (used for Challenge Handshake !--- Authentication Protocol [CHAP]) must be the same on both sides. no aaa new-model ip subnet-zero ip tcp synwait-time 5 ! ! no ip domain lookup ! ip audit notify log ip audit po max-events 100 ip ssh break-string no ftp-server write-enable ! ! ! crypto isakmp policy 10 hash md5 authentication pre-share crypto isakmp key cisco address 222.222.222.222 ! ! crypto ipsec transform-set abc esp-des esp-md5-hmac ! crypto map cisco local-address Loopback1 crypto map cisco 10 ipsec-isakmp set peer 222.222.222.222 !--- Peer address, Loopback 1 of Router 2 set transform-set abc match address 101 !--- Networks to encrypt (Loopback 0 on both ends) ! isdn switch-type basic-ts013 ! ! ! ! ! ! ! ! ! no voice hpi capture buffer no voice hpi capture destination ! ! ! ! ! ! interface Loopback0 !--- Network to encrypt ip address 11.11.11.11 255.255.255.0 ! interface Loopback1 !--- Used for peer address for IPSec ip address 111.111.111.111 255.255.255.0 ! interface FastEthernet0/0 !--- Primary link ip address 10.1.1.1 255.255.255.0 no ip route-cache !--- Enable process switching no ip mroute-cache duplex auto speed auto crypto map cisco !--- Apply crypto map on primary interface ! interface BRI0/0 no ip address encapsulation ppp no ip route-cache no ip mroute-cache dialer pool-member 1 isdn switch-type basic-ts013 no cdp enable ! interface Dialer1 !--- Backup link ip address 20.1.1.1 255.255.255.0 encapsulation ppp no ip route-cache !--- Enable process switching ip ospf cost 9999 !--- Increase the cost so that when primary comes up again, !--- Open Shortest Path First (OSPF) routes are !--- preferred using the primary link (due to better cost). no ip mroute-cache dialer idle-timeout 180 dialer pool 1 dialer string 94134028 dialer watch-group 1 !--- Enable dialer watch on this backup interface. !--- Watch the route specified with the dialer watch-list 1 command. dialer-group 1 !--- Apply interesting traffic defined in dialer list 1. no peer neighbor-route ppp authentication chap crypto map cisco !--- Apply crypto map on backup interface. ! router ospf 1 !--- OSPF advertising Loopback 0, Loopback 1, !--- primary, and secondary links. log-adjacency-changes network 10.1.1.0 0.0.0.255 area 0 network 11.11.11.0 0.0.0.255 area 0 network 20.1.1.0 0.0.0.255 area 0 network 111.111.111.0 0.0.0.255 area 0 ! ip http server no ip http secure-server ip classless ! ! access-list 101 permit ip host 11.11.11.11 host 22.22.22.22 !--- Access control list (ACL) 101 is the !--- IPSec traffic used in match address. access-list 110 deny ip any any !--- ACL 110 is for the dialer list to mark !--- all IP traffic uninteresting. The dialer watch will !--- trigger the ISDN backup when the route is lost. dialer watch-list 1 ip 222.222.222.222 255.255.255.255 !--- This defines the route(s) to be watched. !--- This exact route (including subnet mask) !--- must exist in the routing table. !--- Use the dialer watch-group 1 command to apply this !--- list to the backup interface. dialer watch-list 1 delay route-check initial 10 dialer-list 1 protocol ip list 110 !--- Interesting traffic is defined by ACL 110. !--- This is applied to Dialer1 using dialer group 1. ! ! ! dial-peer cor custom ! ! ! ! ! line con 0 exec-timeout 0 0 logging synchronous escape-character 27 line aux 0 line vty 0 4 login ! end |
| Roteador 2 (3640) |
|---|
r2#show running-config Building configuration... Current configuration : 2311 bytes ! version 12.3 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname r2 ! boot-start-marker boot-end-marker ! username r1 password 0 cisco !--- This is the username for remote router (Router 1) !--- and shared secret. Shared secret (used for CHAP) !--- must be the same on both sides. no aaa new-model ip subnet-zero ip tcp synwait-time 5 ! ! no ip domain lookup ! ip audit notify log ip audit po max-events 100 ip ssh break-string no ftp-server write-enable ! ! ! crypto isakmp policy 10 hash md5 authentication pre-share crypto isakmp key cisco address 111.111.111.111 ! ! crypto ipsec transform-set abc esp-des esp-md5-hmac ! ! crypto map cisco local-address Loopback1 crypto map cisco 10 ipsec-isakmp set peer 111.111.111.111 !--- Peer address, Loopback 1 of Router 1 set transform-set abc match address 101 !--- Networks to encrypt (Loopback 0 on both ends) ! isdn switch-type basic-ts013 ! ! ! ! ! ! ! ! ! no voice hpi capture buffer no voice hpi capture destination ! ! ! ! ! ! interface Loopback0 ip address 22.22.22.22 255.255.255.0 !--- Network to encrypt ! interface Loopback1 ip address 222.222.222.222 255.255.255.0 !--- Used for peer address for IPSec. ! interface BRI0/0 no ip address encapsulation ppp no ip route-cache no ip mroute-cache dialer pool-member 1 isdn switch-type basic-ts013 ! interface Ethernet0/0 !--- Primary link ip address 10.1.1.2 255.255.255.0 no ip route-cache !--- Enable process switching. no ip mroute-cache half-duplex crypto map cisco !--- Apply crypto map on primary interface. ! interface Dialer1 ip address 20.1.1.2 255.255.255.0 encapsulation ppp no ip route-cache ip ospf cost 9999 no ip mroute-cache dialer pool 1 dialer idle-timeout 600 dialer remote-name r1 !--- Dialer for the BRI interface of the remote router !--- without a dial string. dialer-group 1 !--- Apply interesting traffic defined in dialer list 1. ppp authentication chap crypto map cisco !--- Apply crypto map on backup interface. ! router ospf 1 log-adjacency-changes network 10.1.1.0 0.0.0.255 area 0 network 20.1.1.0 0.0.0.255 area 0 network 22.22.22.0 0.0.0.255 area 0 network 222.222.222.0 0.0.0.255 area 0 ! no ip http server no ip http secure-server ip classless ! ! access-list 101 permit ip host 22.22.22.22 host 11.11.11.11 access-list 110 deny ospf any any !--- Mark OSPF as uninteresting. !--- This will not allow OSPF hellos !--- to try to bring the link up. access-list 110 permit ip any any dialer-list 1 protocol ip list 110 !--- Interesting traffic is defined by ACL 110. !--- This is applied to Dialer1 using dialer group 1. ! line con 0 exec-timeout 0 0 logging synchronous escape-character 27 line aux 0 line vty 0 4 login ! end |
Verificar
Esta seção fornece a informação que você pode se usar para confirmar se sua configuração funciona corretamente.
Exemplo de saída do comando
A Output Interpreter Tool (somente clientes registrados) oferece suporte a determinados comandos show, o que permite exibir uma análise da saída do comando show.
-
Tabela de roteamento do link principal do roteador1 (2621) — acima
r1#show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 I - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area, * - candidate default, U - per-user static route, o - ODR, P - periodic downloaded static route Gateway of last resort is not set 222.222.222.0/32 is subnetted, 1 subnets O 222.222.222.222 [110/2] via 10.1.1.2, 00:00:25, FastEthernet0/0 20.0.0.0/24 is subnetted, 1 subnets C 20.1.1.0 is directly connected, Dialer1 22.0.0.0/32 is subnetted, 1 subnets O 22.22.22.22 [110/2] via 10.1.1.2, 00:00:25, FastEthernet0/0 111.0.0.0/24 is subnetted, 1 subnets C 111.111.111.0 is directly connected, Loopback1 10.0.0.0/24 is subnetted, 1 subnets C 10.1.1.0 is directly connected, FastEthernet0/0 11.0.0.0/24 is subnetted, 1 subnets C 11.11.11.0 is directly connected, Loopback0 -
Tabela de roteamento do link principal do roteador2 (3640) — acima
r2#show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 I - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area, * - candidate default, U - per-user static route, o - ODR, P - periodic downloaded static route Gateway of last resort is not set. C 222.222.222.0/24 is directly connected, Loopback1 20.0.0.0/24 is subnetted, 1 subnets C 20.1.1.0 is directly connected, Dialer1 22.0.0.0/24 is subnetted, 1 subnets C 22.22.22.0 is directly connected, Loopback0 111.0.0.0/32 is subnetted, 1 subnets O 111.111.111.111 [110/11] via 10.1.1.1, 00:06:22, Ethernet0/0 10.0.0.0/24 is subnetted, 1 subnets C 10.1.1.0 is directly connected, Ethernet0/0 11.0.0.0/32 is subnetted, 1 subnets O 11.11.11.11 [110/11] via 10.1.1.1, 00:06:23, Ethernet0/0 -
Vizinho de OSPF do link principal do roteador1 (2621) — acima
r1#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 222.222.222.222 1 FULL/DR 00:00:33 10.1.1.2 FastEthernet0/0
-
Vizinho OSPF do Roteador 2 (3640)—link primário ativo
r2#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 111.111.111.111 1 FULL/BDR 00:00:31 10.1.1.1 Ethernet0/0
-
Tabela de roteamento do link principal do roteador1 (2621) — para baixo
r1#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP I - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area, * - candidate default, U - per-user static route, o - ODR, P - periodic downloaded static route Gateway of last resort is not set. 222.222.222.0/32 is subnetted, 1 subnets O 222.222.222.222 [110/10000] via 20.1.1.2, 00:00:09, Dialer1 20.0.0.0/24 is subnetted, 1 subnets C 20.1.1.0 is directly connected, BRI0/0 20.0.0.0/24 is subnetted, 1 subnets C 20.1.1.0 is directly connected, Dialer1 22.0.0.0/32 is subnetted, 1 subnets O 22.22.22.22 [110/10000] via 20.1.1.2, 00:00:09, Dialer1 111.0.0.0/24 is subnetted, 1 subnets C 111.111.111.0 is directly connected, Loopback1 10.0.0.0/24 is subnetted, 1 subnets O 10.1.1.0 [110/10009] via 20.1.1.2, 00:00:09, Dialer1 11.0.0.0/24 is subnetted, 1 subnets C 11.11.11.0 is directly connected, Loopback0 -
Tabela de roteamento do link principal do roteador2 (3640) — para baixo
r2#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP I - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area, * - candidate default, U - per-user static route, o - ODR, P - periodic downloaded static route Gateway of last resort is not set. C 222.222.222.0/24 is directly connected, Loopback1 20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 20.1.1.0/24 is directly connected, Dialer1 C 20.1.1.1/32 is directly connected, Dialer1 22.0.0.0/24 is subnetted, 1 subnets C 22.22.22.0 is directly connected, Loopback0 111.0.0.0/32 is subnetted, 1 subnets O 111.111.111.111 [110/10000] via 20.1.1.1, 00:00:07, Dialer1 10.0.0.0/24 is subnetted, 1 subnets C 10.1.1.0 is directly connected, Ethernet0/0 11.0.0.0/32 is subnetted, 1 subnets O 11.11.11.11 [110/10000] via 20.1.1.1, 00:00:08, Dialer1 -
Vizinho de OSPF do link principal do roteador1 (2621) — para baixo
r1#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 222.222.222.222 0 FULL/ - 00:00:32 20.1.1.2 Dialer1
-
Vizinho de OSPF do link principal do roteador2 (3640) — para baixo
r2#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 111.111.111.111 0 FULL/ - 00:00:31 20.1.1.1 Dialer1
O debug dialer e diversos show command outputs (resultado do comando show) indicados aqui mostram o link principal como a rota perdida recognizesthe falhada, e do Dialer Watch. O roteador inicia então o link de backup e o OSPF convirge através do enlace secundário. Sempre que o timeout de ociosidade expira, o roteador verifica se o enlace principal está inativo. Se o link principal é encontrado para estar acima, o Dialer Watch desliga o link de backup depois que o temporizador do desabilitação expira e rasga para baixo o atendimento, e o OSPF convirge pelo link principal como de costume.
Estas são as saídas do comando debug and show do roteador um (2621), quando o link principal vai para baixo e é trazido acima outra vez.
r1#show debug
Dial on demand:
Dial on demand events debugging is on
r1#
03:00:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
changed state to down
!--- Primary link was brought down manually when you disable the switch ports.
03:00:21: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on FastEthernet0/0
from FULL to DOWN, Neighbor Down: Interface down or detached
!--- Primary link goes down. !--- OSPF loses neighbor adjacency.
r1#
!--- Dialer watch kicks in.
03:00:21: DDR: Dialer Watch: watch-group = 1
03:00:21: DDR: network 222.222.222.222/255.255.255.255 DOWN,
03:00:21: DDR: primary DOWN
03:00:21: DDR: Dialer Watch: Dial Reason: Primary of group 1 DOWN
03:00:21: DDR: Dialer Watch: watch-group = 1,
03:00:21: BR0/0 DDR: rotor dialout [best]
least recent failure is also most recent failure
03:00:21: BR0/0 DDR: rotor dialout [best] also has most recent failure
03:00:21: BR0/0 DDR: rotor dialout [best]
03:00:21: DDR: dialing secondary by dialer string 94134028 on Di1
03:00:21: BR0/0 DDR: Attempting to dial 94134028
03:00:21: DDR: Dialer Watch: watch-group = 1
r1#
03:00:21: DDR: network 222.222.222.222/255.255.255.255 DOWN,
03:00:21: DDR: primary DOWN
03:00:21: DDR: Dialer Watch: Dial Reason: Secondary of group 1 AVAILABLE
03:00:21: DDR: Dialer Watch: watch-group = 1,
03:00:21: DDR: Dialer Watch: watch-group = 1
03:00:21: DDR: network 222.222.222.222/255.255.255.255 DOWN,
03:00:21: DDR: primary DOWN
03:00:21: DDR: Dialer Watch: Dial Reason: Secondary of group 1 AVAILABLE
03:00:21: DDR: Dialer Watch: watch-group = 1,
03:00:21: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0/0, TEI 82 changed to up
03:00:94489280514: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
03:00:94489280516: BR0/0:1 DDR: Dialer Watch: resetting call in progress
03:00:94489280512: BR0/0:1: interface must be fifo queue, force fifo
03:00:94489280512: %DIALER-6-BIND: Interface BR0/0:1 bound to profile Di1
r1#
03:00:22: BR0/0:1 DDR: Remote name for r2
03:00:22: BR0/0:1 DDR: dialer protocol up
03:00:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1,
changed state to up
r1#
03:00:28: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 94134028 r2
!--- Backup link is now connected to Router 2.
r1#
03:00:31: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on Dialer1
from LOADING to FULL, Loading Done
!--- OSPF converges over the backup link.
r1#
r1#show dialer
BRI0/0 - dialer type = ISDN
Dial String Successes Failures Last DNIS Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
BRI0/0:1 - dialer type = ISDN
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: Dialing on watched route loss
!--- Dial reason is the lost route.
Interface bound to profile Di1
Time until disconnect 154 secs
!--- Idle timeout is ticking.
Current call connected 00:00:25
Connected to 94134028 (r2)
BRI0/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
Di1 - dialer type = DIALER PROFILE
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Number of active calls = 1
Dial String Successes Failures Last DNIS Last status
94134028 45 24 00:00:27 successful Default
r1#show isdn active
-----------------------------------------------------------------------------
ISDN ACTIVE CALLS
-----------------------------------------------------------------------------
Call Calling Called Remote Seconds Seconds Seconds Charges
Type Number Number Name Used Left Idle Units/Currency
-----------------------------------------------------------------------------
Out ---N/A--- 94134028 r2 37 142 37 0
-----------------------------------------------------------------------------
r1#show dialer
BRI0/0 - dialer type = ISDN
Dial String Successes Failures Last DNIS Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
BRI0/0:1 - dialer type = ISDN
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: Dialing on watched route loss
Interface bound to profile Di1
Time until disconnect 47 secs
!--- Idle timeout is ticking.
Current call connected 00:02:12
Connected to 94134028 (r2)
BRI0/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
Di1 - dialer type = DIALER PROFILE
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Number of active calls = 1
Dial String Successes Failures Last DNIS Last status
94134028 45 24 00:02:14 successful Default
r1#show dialer
BRI0/0 - dialer type = ISDN
Dial String Successes Failures Last DNIS Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
BRI0/0:1 - dialer type = ISDN
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: Dialing on watched route loss
Interface bound to profile Di1
Time until disconnect 0 secs
!--- Idle timeout is ticking.
Current call connected 00:02:59
Connected to 94134028 (r2)
BRI0/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
Di1 - dialer type = DIALER PROFILE
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Number of active calls = 1
Dial String Successes Failures Last DNIS Last status
94134028 45 24 00:03:05 successful Default
r1#
03:03:22: BR0/0:1 DDR: idle timeout
!--- Idle timed out. !--- Dialer watch checks lost routes !--- again and reset the idle time since primary is not up yet.
03:03:22: DDR: Dialer Watch: watch-group = 1
03:03:22: DDR: network 222.222.222.222/255.255.255.255 UP,
03:03:22: DDR: primary DOWN
!--- Primary link is still down.
r1#
r1#show dialer
BRI0/0 - dialer type = ISDN
Dial String Successes Failures Last DNIS Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
BRI0/0:1 - dialer type = ISDN
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: Dialing on watched route loss
Interface bound to profile Di1
Time until disconnect 154 secs
!--- Idle timeout was reset by dialer watch.
Current call connected 00:03:25
Connected to 94134028 (r2)
BRI0/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
Di1 - dialer type = DIALER PROFILE
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Number of active calls = 1
Dial String Successes Failures Last DNIS Last status
94134028 45 24 00:03:28 successful Default
r1#
03:04:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
changed state to up
!--- Primary link was brought up manually when the switch ports are enabled.
r1#
r1#
03:05:50: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on FastEthernet0/0
from LOADING to FULL, Loading Done
r1#
r1#show ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface
222.222.222.222 0 FULL/ - 00:00:02 20.1.1.2 Dialer1
!--- OSPF over secondary link is still up because !--- the call is not terminated yet, waiting for idle timeout.
222.222.222.222 1 FULL/DR 00:00:38 10.1.1.2 FastEthernet0/0
!--- OSPF is now starts to converge over primary link.
r1#
r1#show ip route 222.222.222.222
!--- The watched route is now learned through the primary link. !--- Check the cost.
Routing entry for 222.222.222.222/32
Known via "ospf 1", distance 110, metric 2, type intra area
Last update from 10.1.1.2 on FastEthernet0/0, 00:00:16 ago
Routing Descriptor Blocks:
* 10.1.1.2, from 222.222.222.222, 00:00:16 ago, via FastEthernet0/0
Route metric is 2, traffic share count is
r1#
03:06:22: BR0/0:1 DDR: idle timeout
!--- Idle timed out. !--- Dialer watch checks lost routes. Since primary is up, !--- it tears down the call.
03:06:22: DDR: Dialer Watch: watch-group = 1
03:06:22: DDR: network 222.222.222.222/255.255.255.255 UP,
03:06:22: DDR: primary UP
03:06:22: BR0/0:1 DDR: disconnecting call
03:06:22: BR0/0:1 DDR: Dialer Watch: resetting call in progress
03:06:22: DDR: Dialer Watch: watch-group = 1
03:06:22: DDR: network 222.222.222.222/255.255.255.255 UP,
03:06:22: DDR: primary UP
03:06:22: %ISDN-6-DISCONNECT: Interface BRI0/0:1
disconnected from 94134028 r2,
call lasted 360 seconds
03:06:96677768412: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
03:06:94489281195: BR0/0 DDR: has total 0 call(s), dial_out 0, dial_in 0
r1#
03:06:94489280544: %DIALER-6-UNBIND: Interface BR0/0:1
unbound from profile Di1
03:06:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1,
changed state to down
r1#
03:06:37: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0/0,
TEI 82 changed to down
r1#
03:07:01: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on Dialer1
from FULL to DOWN, Neighbor Down: Dead timer expired
!--- OSPF neighbor is down because the secondary link is down. !--- Dead timer has expired.
r1#
r1#show ip ospf neigh
Neighbor ID Pri State Dead Time Address Interface
222.222.222.222 1 FULL/DR 00:00:38 10.1.1.2 FastEthernet0/0
!--- OSPF neighbor is through the primary link only.
r1#u all
All possible debugging has been turned off
r1#
Troubleshooting
Esta seção fornece informações que podem ser usadas para o troubleshooting da sua configuração. Para obter informações sobre como solucionar problemas gerais com as Camadas 1, 2 e 3 do ISDN, consulte Using the show isdn status Command for BRI Troubleshooting.
Comandos para Troubleshooting
A Output Interpreter Tool (somente clientes registrados) oferece suporte a determinados comandos show, o que permite exibir uma análise da saída do comando show.
Note: Antes de emitir comandos de depuração, consulte Informações Importantes sobre Comandos de Depuração.
Estes comandos debug podem ser executados em ambos os ipsec peer.
-
debug crypto isakmp — Exibe erros durante a Fase 1.
-
debug crypto ipsec — Exibe erros durante a Fase 2.
-
debug crypto engine — Exibe informações a partir do cripto mecanismo.
Estes comandos show podem ser executados em ambos os ipsec peer.
-
mostre isakmp cripto sa — Indica todas as associações de segurança atuais do Internet Key Exchange (IKE) (SA) em um par.
-
mostre IPsec cripto sa — Indica os ajustes usados pelo [IPSec] atual SA.
-
active do show crypto engine connections — Conexões atual e informação dos indicadores em relação aos pacotes criptografado e decriptografado.
Estes comandos clear podem ser usados para cancelar SA.
-
cancele o isakmp cripto — Cancela as associações de segurança fase um.
-
cancele o sa cripto — Cancela as associações de segurança da fase dois.
Informações Relacionadas
- Página de suporte do IPSec
- Configurando e Troubleshooting de Backup DDR
- Avaliando a interface da cópia de segurança, rotas estáticas flutuantes e relógio de discador para backup DDR
- Configurando o backup de discagem com o relógio de discador
- Usando o Comando show isdn status para Troubleshooting de BRI
- Suporte Técnico - Cisco Systems
FeedbackDeixe-nos ajudar
- Abrir um caso de suporte
- (É necessário um Contrato de Serviço da Cisco)