|
|
请高手分析要不要换个路由器,需要换个什么样的路由器比较好。
我现在的网络环境是这样的。
一。小区现在网络结构
1.小区总出口接入为电信50M城域网
2.出口网关设备为cisco 2811的路由器,在e0口做了NAT转换,下面电脑均通过该设备的e1口为网关接入internet,仅做了几条ACL控制一些端口。大部分服务端口的数据都是
允许进出的,未做过度限制。
3.cisco 2811 的e1口(LAN口)接入到一华为的s3952p-ei 48口主交换机,该交换机的四个光纤口分别用过光纤连接到各楼的主交换机(型号为s3928p-ei),各楼层交换机(型号:华为
S2403H-EI)和该搂主交换相联.
4.逻辑网络划分方面,在中心机房的s3952p-ei 48口主交换机上划分了4个Vlan.
5.终端电脑大概接入了有三四百台电脑,同时在线上网的大概一百多台吧。考虑到随后用户的增加应该也不会太多。
二。现出现的网络问题
1.某些终端电脑会出现无法上网的情况,在清空cisco 2811的NAT表项和重启与该电脑相连的交换机端口后,该终端电脑才会恢复网络。
2.有时会出现我们在公司无法远程telnet到该小区的cisco 2811上,但大部分小区的终端用户是可以上网,那些不能上网的电脑必须去机房重新启动路由器后才可以恢复网络,在无法
telnet到e0口时,我们可以在该小区内部网络telnet到该路由器的e1口上去。
3.在我们无法telnet到cisco 2811上的时候,我们做的一个基于snmp协议做的网络监控软件系统也无法探测到该线路的流量情况。
4.出现我方telnet的时候,我们观察了他之前的流量,总带宽也没有占满50M,大概18M左右,有时候在10M左右的流量的时候也会出现无法telnet,看来也并不是因为流量满而出现问
题的。
鉴于以上情况,我感觉到该设备用来做NAT转换较吃力,NAT表项过大,需要定时的手工清空NAT表项,并且会出现在外部无法telnet到路由器的e0(WAN口)口,看样子象是处理不过来死机而了一样,就上述情况,请高手分析要不要换个路由器,需要换个什么样的路由器比较好。
附路由器的配置表(由于是真实IP,所以我在IP上面加了*)
Current configuration : 2930 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DiWang
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$k8rW$P9hHpre9jH.Of0/CK/Bhs.
enable password 7 01100E05550C070122455D0A165540435A5D
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
no ip domain lookup
ip name-server *.*.*.*
!
!
!
class-map match-all bt
!
!
!
interface FastEthernet0/0
ip address *.*.*.* 255.255.255.240
ip nat outside
load-interval 30
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description TO LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
load-interval 30
duplex auto
speed auto
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 *.*.*.*
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.255.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 192.168.50.0 255.255.255.0 192.168.1.2
ip route 192.168.85.0 255.255.255.0 192.168.1.2
ip route 192.168.100.0 255.255.255.0 192.168.1.2
ip route 192.168.150.0 255.255.255.0 192.168.1.2
ip route 192.168.160.0 255.255.255.0 192.168.1.2
ip route 192.168.170.0 255.255.255.0 192.168.1.2
ip route 192.168.180.0 255.255.255.0 192.168.1.2
ip route 192.168.185.0 255.255.255.0 192.168.1.2
ip route 192.168.200.0 255.255.255.0 192.168.1.2
!
no ip http server
ip nat translation timeout 2400
ip nat translation tcp-timeout 1800
ip nat translation udp-timeout 50
ip nat translation finrst-timeout 30
ip nat translation syn-timeout 10
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 5
ip nat translation port-timeout tcp 80 180
ip nat translation port-timeout tcp 443 100
ip nat pool out *.*.*.* *.*.*.* netmask 255.255.255.240
ip nat inside source list 99 pool out overload
!
access-list 1 permit *.*.*.*
access-list 1 permit 192.168.1.2
access-list 1 permit *.*.*.*
access-list 1 permit *.*.*.*
access-list 99 permit 192.168.0.0 0.0.255.255
access-list 151 deny icmp any any
access-list 151 deny tcp any any eq 135
access-list 151 deny tcp any any eq 137
access-list 151 deny tcp any any eq 138
access-list 151 deny tcp any any eq 139
access-list 151 deny tcp any any eq 445
access-list 151 deny tcp any any eq 593
access-list 151 deny tcp any any eq 1433
access-list 151 deny tcp any any eq 1434
access-list 151 deny tcp any any eq 3127
access-list 151 deny tcp any any eq 4004
access-list 151 deny tcp any any eq 4444
access-list 151 deny tcp any any eq 5554
access-list 151 deny tcp any any eq 9995
access-list 151 deny tcp any any eq 9996
access-list 151 deny udp any any eq netbios-ns
access-list 151 permit ip any any
snmp-server community qinling RO
no cdp run
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 0 0
password 7 05080E0E2F4B4F071A0C0411045C537B7A75
login
!
scheduler allocate 20000 1000
!
end |
|
发表于 2010-10-15 12:53:14