使用Easy IP和DHCP伺服器的按需撥號路由(DDR)

簡介

本檔案將說明Cisco IOS^® Software Easy IP功能的用法，此功能在整個站點通過網際網路服務提供商(ISP)（該提供商為整個遠端站點僅分配一個IP地址）連線到網際網路的情況下非常有用。Easy IP路由器撥打服務提供商的網路接入伺服器(NAS)並協商自己的WAN IP地址。然後，路由器會透過此交涉位址使用網路位址轉譯(NAT)和連線埠位址轉譯(PAT)，為內部使用者端提供外部存取。Easy IP路由器的另一個可選功能是充當客戶端內部LAN的動態主機配置協定(DHCP)伺服器。此配置型別中通常使用Cisco small office， home office(SOHO)路由器。

必要條件

需求

本文件沒有特定先決條件。

採用元件

本文中的資訊係根據以下軟體和硬體版本：

• Easy IP路由器 — Cisco 3620具有四個乙太網和八個BRI介面，運行Cisco IOS軟體版本12.0(7)XK2。

• 存取伺服器 — 執行Cisco IOS軟體版本12.1(7)的Cisco AS5300，帶有一個乙太網路、一個快速乙太網路和四個通道化T1/PRI連線埠。

本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除（預設）的組態來啟動。如果您在即時網路中工作，請確保在使用任何命令之前瞭解其潛在影響。

慣例

如需文件慣例的詳細資訊，請參閱思科技術提示慣例。

背景資訊

Easy IP的元件

• 點對點通訊協定(PPP)/IP控制通訊協定(IPCP):RFC 1332 中對此進行了定義。IPCP提供了通過PPP動態配置IP地址的功能。Cisco IOS Easy IP路由器使用PPP/IPCP從中央接入伺服器或DHCP伺服器動態協商其自己的註冊WAN介面IP地址。

• NAT:在連線兩個或多個網路的路由器上運行。在Easy IP中，這些網路至少有一個網路（指定為「內部」或「LAN」）使用私有地址定址，私有地址必須轉換為註冊地址，然後資料包才能轉發到另一個註冊網路（指定為「外部」或「WAN」）。 在Easy IP的上下文中，埠地址轉換(PAT)用於將所有內部私有地址轉換為單個外部註冊IP地址。

• DHCP到LAN客戶端：這是Cisco Easy IP路由器的一項可選功能，可用於為內部LAN客戶端分配IP地址。也可以使用其他將IP地址分配給客戶端的方法，例如靜態分配或使用DHCP PC伺服器。

Easy IP如何一步一步地工作

1. 如果Easy IP路由器配置為DHCP伺服器，則內部客戶端的LAN會在通電時從它接收私有IP地址。如果沒有進行此類配置，則客戶端必須以某種其他方式為其分配IP地址。

2. 當內部的LAN客戶端生成「感興趣」流量（由訪問控制清單定義）進行撥號時，Easy IP路由器會通過PPP/IPCP撥打中心站點的接入伺服器並請求一個註冊的IP地址。建立此連線後，其他LAN內部客戶端可以使用此電路，如步驟4所述。

3. 中央站點訪問伺服器使用本地IP地址池中的動態全域性地址進行應答，該地址池被分配到Easy IP路由器的WAN介面。

4. Easy IP路由器使用PAT自動建立轉換，該轉換將WAN介面的註冊IP地址與LAN內部客戶端的私有IP地址相關聯，並連線到中央站點訪問伺服器。

有關Easy IP的詳細說明，請參閱白皮書 — Cisco IOS Easy IP。

設定

本節提供用於設定本文件中所述功能的資訊。

網路圖表

本文檔使用下圖所示的網路設定。

組態

本檔案會使用以下設定：

EasyIP#show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname EasyIP
!
username ISP-AS password 0 ipnegotiate

! --- Username for remote router (ISP-AS) and shared secret. ! --- Shared secret(used for CHAP) must be the same on both sides.

ip subnet-zero
no ip domain-lookup
no ip dhcp conflict logging

! --- Disable the recording of DHCP address conflicts on the DHCP server.

ip dhcp excluded-address 10.0.0.1

! --- Specifies a IP address that the DHCP server should not assign to clients.

ip dhcp pool soho

! --- Configure the DHCP address pool name and enter DHCP pool configuration mode.

 network 10.0.0.0 255.0.0.0

 ! --- Specifies the subnet network number and mask of the DHCP address pool.

 default-router 10.0.0.1

 ! --- Specifies the IP address of the default router for a DHCP clients.
 
 lease infinite

 ! --- Specifies the duration of the lease.

!
isdn switch-type basic-5ess
isdn voice-call-failure 0
!
interface Ethernet0/0
 ip address 10.0.0.1 255.0.0.0

 ! --- IP address for the Ethernet interface. 

 no ip directed-broadcast
 ip nat inside

! --- Defines the interface as internal for network address translation.

!

! Unused ethernet interfaces omitted for brevity

!
interface BRI1/0
 ip address negotiated

! --- Enables PPP/IPCP negotiation for this interface.

 no ip directed-broadcast
 ip nat outside

! --- Defines the interface as external for network address translation.

 encapsulation ppp
 dialer idle-timeout 60

! --- Idle timeout(in seconds)for this BRI interface.

 dialer string 97771200

! --- Specifies the telephone number required to reach the central access server.

 dialer-group 1

! --- Apply interesting traffic defined in dialer-list 1.

 isdn switch-type basic-5ess
 ppp authentication chap
!

!-- Unused BRI interfaces omitted for brevity.

!
ip nat inside source list 100 interface BRI1/0 overload 

! --- Establishes dynamic source translation (with PAT) for addresses which are ! --- identified by the access list 100.

ip classless
ip route 0.0.0.0 0.0.0.0 BRI1/0 permanent

! --- Default route is via BRI1/0.

no ip http server
!
access-list 100 permit ip 10.0.0.0 0.255.255.255 any

! --- Defines an access list permitting those addresses that are to be translated.

dialer-list 1 protocol ip permit

! --- Interesting traffic is defined by dialer-list1. ! --- This is applied to BRI1/0 using dialer-group 1.

line con 0
 transport input none
line aux 0
line vty 0 4
 login
!         
end

驗證

本節提供的資訊可用於確認您的組態是否正常運作。

show命令

輸出直譯器工具支援某些show命令，該工具允許您檢視show命令輸出的分析。

• show ip interface brief — 顯示介面狀態和介面上設定的IP位址。

• show interfaces — 提供有關特定介面的介面狀態的高級資訊。

• show ip nat statistics — 顯示網路地址轉換(NAT)統計資訊。

• show ip nat translations — 顯示活動NAT轉換。

• show isdn status — 顯示每個ISDN層的狀態。檢驗ISDN第1層和第2層是否正常工作。如需進一步的疑難排解資訊，請參閱使用show isdn status命令進行BRI疑難排解的檔案。

• show dialer — 顯示撥號器資訊。

show輸出示例

下面的show命令輸出是在Easy IP路由器啟動與中央站點訪問伺服器的撥號連線之前完成的，它顯示BRI1/0介面已啟動，沒有IP地址，但將使用IPCP協商IP地址。

EasyIP#show ip interface brief
Interface                  IP-Address      OK? Method Status                Prol
Ethernet0/0                10.0.0.1        YES manual up                    up  
Ethernet0/1                unassigned      YES manual administratively down dow 
Ethernet0/2                unassigned      YES manual administratively down dow 
Ethernet0/3                unassigned      YES manual administratively down dow 
BRI1/0                     unassigned      YES IPCP   up                    up

! -- Interface is Up, but no IP Address is assigned since it is not connected

BRI1/0:1                   unassigned      YES unset  down                  dow 
BRI1/0:2                   unassigned      YES unset  down                  dow 

! -- Both B-channels are down

BRI1/1                     unassigned      YES manual administratively down dow 
BRI1/1:1                   unassigned      YES unset  administratively down dow 
BRI1/1:2                   unassigned      YES unset  administratively down dow

EasyIP#show interfaces bri1/0
BRI1/0 is up, line protocol is up (spoofing)
  Hardware is BRI with integrated NT1
Internet address will be negotiated using IPCP
  MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
   .
   .
EasyIP#

下面的show命令輸出是在Easy IP路由器啟動與中央站點訪問伺服器的撥號連線後執行的，它顯示BRI1/0介面已通過PPP/IPCP從中央站點訪問伺服器收到其IP地址200.1.0.3。

EasyIP#show ip interface brief 
Interface                  IP-Address      OK? Method Status                Prorocol
Ethernet0/0                10.0.0.1        YES manual up                    up  
Ethernet0/1                unassigned      YES manual administratively down dow 
Ethernet0/2                unassigned      YES manual administratively down dow 
Ethernet0/3                unassigned      YES manual administratively down dow 
BRI1/0                     200.1.0.3       YES IPCP   up                    up  

! -- Int BRI1/0 has a registers IP address assigned after connection is up

BRI1/0:1                   unassigned      YES unset  up                    up  
BRI1/0:2                   unassigned      YES unset  down                  dow 

! -- 1st B-channel (BRI1/0:1) is UP

BRI1/1                     unassigned      YES manual administratively down dow 
BRI1/1:1                   unassigned      YES unset  administratively down dow 
BRI1/1:2                   unassigned      YES unset  administratively down dow
EasyIP#show interfaces bri1/0
BRI1/0 is up, line protocol is up (spoofing)
  Hardware is BRI with integrated NT1
Internet address is 200.1.0.3/32
  MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
  .
  . 
  EasyIP#

我們需要檢查內部私有網路主機是否能夠連線到中心站點訪問伺服器，以及NAT功能是否正常工作。這可以通過使用擴展ping實用程式來實現。在EasyIP路由器上，對中央站點訪問伺服器的乙太網介面執行ping操作，並將ping的源指定為EasyIP路由器的LAN（專用）地址。這可確保PAT處理資料包，並且LAN上的客戶端可以與中心站點網路通訊。

EasyIP#ping
Protocol [ip]: 
Target IP address: 192.168.16.1

! -- Ethernet interface IP address of the Central Site Access Server.

Repeat count [5]: 10
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface: 10.0.0.1

! --Ethernet interface IP address (private) of the Easy IP router.

Type of service [0]: 
Set DF bit in IP header? [no]: 
Validate reply data? [no]: 
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]: 
Sweep range of sizes [n]: 
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.16.1, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 32/34/36 ms

上面的輸出顯示成功率為100%，這表示NAT功能運行正常，並且SOHO主機能夠與中央站點訪問伺服器通訊。可以從以下show命令輸出中獲得有關NAT轉換的更多詳細資訊。

EasyIP#show ip nat statistics 
Total active translations: 10 (0 static, 10 dynamic; 10 extended)
Outside interfaces:
  BRI1/0, BRI1/0:1, BRI1/0:2
Inside interfaces: 
  Ethernet0/0
Hits: 169  Misses: 185
Expired translations: 175
Dynamic mappings:
-- Inside Source
access-list 100 interface BRI1/0 refcount 10

EasyIP#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
icmp 200.1.0.3:32      10.0.0.1:32        192.168.16.1:32    192.168.16.1:32
icmp 200.1.0.3:33      10.0.0.1:33        192.168.16.1:33    192.168.16.1:33
icmp 200.1.0.3:34      10.0.0.1:34        192.168.16.1:34    192.168.16.1:34
icmp 200.1.0.3:35      10.0.0.1:35        192.168.16.1:35    192.168.16.1:35
icmp 200.1.0.3:36      10.0.0.1:36        192.168.16.1:36    192.168.16.1:36
icmp 200.1.0.3:37      10.0.0.1:37        192.168.16.1:37    192.168.16.1:37
icmp 200.1.0.3:38      10.0.0.1:38        192.168.16.1:38    192.168.16.1:38
icmp 200.1.0.3:39      10.0.0.1:39        192.168.16.1:39    192.168.16.1:39
icmp 200.1.0.3:40      10.0.0.1:40        192.168.16.1:40    192.168.16.1:40
icmp 200.1.0.3:41      10.0.0.1:41        192.168.16.1:41    192.168.16.1:41
EasyIP#

以下show isdn status命令輸出會顯示每個ISDN層的狀態。驗證第1層和第2層是否如示例所示

EasyIP#show isdn status 
Global ISDN Switchtype = basic-5ess
ISDN BRI1/0 interface
        dsl 8, interface ISDN Switchtype = basic-5ess
    Layer 1 Status:
        ACTIVE
    Layer 2 Status:
        TEI = 64, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
    Layer 3 Status:
        1 Active Layer 3 Call(s)
    Activated dsl 8 CCBs = 1
        CCB:callid=8098, sapi=0, ces=1, B-chan=1, calltype=DATA
    The Free Channel Mask:  0x80000002

如需進一步的疑難排解資訊，請參閱使用show isdn status命令進行BRI疑難排解的檔案。

以下show dialer輸出顯示撥號是由內部專用網路IP地址（例如10.0.0.1）發起的。

EasyIP#show dialer 

BRI1/0 - dialer type = ISDN

Dial String      Successes   Failures    Last DNIS   Last status
97771200                23          0    00:02:02       successful   Default
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.

BRI1/0:1 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: ip (s=10.0.0.1, d=192.168.16.1)
Time until disconnect 36 secs
Current call connected 00:02:03
Connected to 97771200 (ISP-AS)

BRI1/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle

疑難排解

debug指令

注意：發出debug指令之前，請先參閱有關Debug指令的重要資訊。

• debug ppp negotiation — 提供有關PPP協定協商過程的資訊。debug ip nat — 提供資訊

• debug ip nat — 提供透過IP網路位址轉譯(NAT)功能轉譯的IP封包的相關資訊。

• debug isdn q921 — 提供q.921消息的資料鏈路層調試。

• debug isdn q931 — 提供q.931消息的網路層調試。

• debug dialer — 為出站呼叫提供DDR資訊。

調試輸出示例

以下debug ppp negotiation輸出顯示PPP/IPCP協定協商過程。

EasyIP#debug ppp negotiation 
PPP protocol negotiation debugging is on
.
.

2d07h: BR1/0:1 IPCP: O CONFREQ [Closed] id 223 len 10
2d07h: BR1/0:1 IPCP:    Address 0.0.0.0 (0x030600000000)
2d07h: BR1/0:1 CDPCP: O CONFREQ [Closed] id 63 len 4
2d07h: BR1/0:1 IPCP: I CONFREQ [REQsent] id 47 len 10
2d07h: BR1/0:1 IPCP:    Address 200.1.0.1 (0x0306C8010001)
2d07h: BR1/0:1 IPCP: O CONFACK [REQsent] id 47 len 10
2d07h: BR1/0:1 IPCP:    Address 200.1.0.1 (0x0306C8010001)
2d07h: BR1/0:1 CDPCP: I CONFREQ [REQsent] id 41 Len 4
2d07h: BR1/0:1 CDPCP: O CONFACK [REQsent] id 41 Len 4
2d07h: BR1/0:1 IPCP: I CONFNAK [ACKsent] id 223 Len 10
2d07h: BR1/0:1 IPCP:    Address 200.1.0.3 (0x0306C8010003)
2d07h: BR1/0:1 IPCP: O CONFREQ [ACKsent] id 224 Len 10
2d07h: BR1/0:1 IPCP:    Address 200.1.0.3 (0x0306C8010003)
2d07h: BR1/0:1 CDPCP: I CONFACK [ACKsent] id 63 Len 4
2d07h: BR1/0:1 CDPCP: State is Open
2d07h: BR1/0:1 IPCP: I CONFACK [ACKsent] id 224 Len 10
2d07h: BR1/0:1 IPCP:    Address 200.1.0.3 (0x0306C8010003)
2d07h: BR1/0:1 IPCP: State is Open
2d07h: BR1/0 IPCP: Install negotiated IP interface address 200.1.0.3

! -- The EasyIP router will install the negotiated WAN IP address.

2d07h: BR1/0 IPCP: Install route to 200.1.0.1

! -- A route to the Central Site Access Server is installed.

2d07h: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI1/0:1, changed state Up
2d07h: %ISDN-6-CONNECT: Interface BRI1/0:1 is now connected to 97771200 ISP-AS
EasyIP#

debug ip nat輸出會顯示有關IP網路位址轉譯(NAT)功能所轉換的IP封包的資訊。

EasyIP#debug ip nat detailed 
IP NAT detailed debugging is on
.
.
2d00h: NAT: o: icmp (10.0.0.1, 2015) -> (192.168.16.1, 2015) [909]
2d00h: NAT: i: icmp (10.0.0.1, 2015) -> (192.168.16.1, 2015) [909]
2d00h: NAT: ipnat_allocate_port: wanted 2015 got 2015
2d00h: NAT*: o: icmp (192.168.16.1, 2015) -> (200.1.0.3, 2015) [909]
2d00h: NAT: o: icmp (10.0.0.1, 2016) -> (192.168.16.1, 2016) [910]
2d00h: NAT: i: icmp (10.0.0.1, 2016) -> (192.168.16.1, 2016) [910]
2d00h: NAT: ipnat_allocate_port: wanted 2016 got 2016
2d00h: NAT*: o: icmp (192.168.16.1, 2016) -> (200.1.0.3, 2016) [910]
2d00h: NAT: o: icmp (10.0.0.1, 2017) -> (192.168.16.1, 2017) [911]
2d00h: NAT: i: icmp (10.0.0.1, 2017) -> (192.168.16.1, 2017) [911]
2d00h: NAT: ipnat_allocate_port: wanted 2017 got 2017
2d00h: NAT*: o: icmp (192.168.16.1, 2017) -> (200.1.0.3, 2017) [911]
2d00h: NAT: o: icmp (10.0.0.1, 2018) -> (192.168.16.1, 2018) [912]
2d00h: NAT: i: icmp (10.0.0.1, 2018) -> (192.168.16.1, 2018) [912]
.
.

EasyIP#undebug all 
All possible debugging has been turned off

相關資訊

• 使用show isdn status命令進行BRI故障排除
• 驗證 NAT 運作情形和基本 NAT 疑難排解
• NAT支援頁面
• 撥號和存取技術支援
• 技術支援與文件 - Cisco Systems