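Recently I ran into a problem while using NVI NAT, possibly a bug: the NVI NAT mappings only take effect once the interface configured with ip nat enable is up. Conversely, when the device reboots and Dialer1 is initially down, or when Dialer1 releases its address and redials, NVI NAT stops working.
The fix at that point is to re-enter the NVI NAT configuration, after which it works again. But that is no real solution.
One idea is to use EEM: when Dialer1 comes up, have the device configure NVI NAT again.
The commands are as follows: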
event manager applet nvi-fix
event syslog pattern "Interface Virtual-Access3, changed state to up"
action 1 cli command "enable"
action 2 cli command "configure terminal"
action 3 cli command "ip nat source static tcp 192.168.50.6 80 interface Dialer1 8000"
action 4 cli command "ip nat source static tcp 192.168.50.6 9527 interface Dialer1 9527"
action 5 cli command "ip nat source static udp 192.168.50.6 9527 interface Dialer1 9527"
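This approach works, but it is not perfect: whenever a mapping has to be added or changed, the change must be made both in the global configuration and in the EEM applet.
The TCL script below solves this cleanly.
Upload the TCL script to the flash:/tcl/ directory: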
#dir flash:tcl
Directory of flash:/tcl/
2 -rw- 2438 Jul 19 2017 21:50:36 +08:00 fix_nvi.tcl
256610304 bytes total (148533248 bytes free)
Then configure the following commands:
event manager environment _internet_route_established_phrase Line protocol on Interface Virtual-Access3, changed state to up
event manager directory user policy "flash:/tcl/"
event manager policy fix_nvi.tcl
Once this is done, the setup is complete.
In testing it worked perfectly.
Attachment: fix_nvi.tcl
::cisco::eem::event_register_syslog pattern "$_internet_route_established_phrase"
::cisco::eem::description "This policy re-enters NVI PAT statements on command-line after address change on Internet facing interface in order to fix a Cisco bug affecting NVI and the global VRF"
namespace import ::cisco::lib::*
namespace import ::cisco::eem::*
## Please enter similar commands in global configuration mode to enable the script
# event manager environment _internet_route_established_phrase Dialer1 assigned DHCP address
# event manager directory user policy flash:/
# event manager policy fix_nvi.tcl
# https://github.com/vittorio88/cisco-scripts/blob/master/fix_nvi.tcl
##################
# Check for global definition of environment variables
##################
# Note: _internet_route_established_phrase should be something like:
# "Dialer1 assigned DHCP address"
# or
# "Line protocol on Interface Virtual-Access1, changed state to up"
if {![info exists _internet_route_established_phrase]} {
set result \
"Policy cannot be run: variable _internet_route_established_phrase is not defined"
error $result $errorInfo
}
##################
# Open CLI
##################
# open cli
if [catch {cli_open} result] {error $result $errorInfo} else {array set cli $result}
# Enable
if [catch {cli_exec $cli(fd) "enable"} result] {error $result $errorInfo}
##################
# Retrieve NVI PAT statements
##################
# Note: "show run | include ip nat source static" should look like: ip nat source static tcp 192.168.33.41 22 interface Dialer1 22
# Execute CLI command and store in variable
if [catch {cli_exec $cli(fd) "show run | include ip nat source static"} result] {error $result $errorInfo} else {set nvi_pat_statements $result}
##################
# Re-enter NVI PAT statements
##################
action_syslog msg "Re-entering following NVI PAT statements:\n$nvi_pat_statements"
if [catch {cli_exec $cli(fd) "configure terminal"} result] {error $result $errorInfo}
if [catch {cli_exec $cli(fd) "$nvi_pat_statements"} result] {error $result $errorInfo}
if [catch {cli_exec $cli(fd) "end"} result] {error $result $errorInfo}
##################
# Close and clean-up
##################
action_syslog msg "Finished updating NVI statements!\n (Cisco should fix this bug, so this workaround can be removed)"
cli_close $cli(fd) $cli(tty_id)
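
The script above replays everything that `show run | include ip nat source static` returns into configuration mode. As an added example (not part of the original fix_nvi.tcl or the linked repository), the two procs below validate each captured line against an anchored pattern and re-enter only complete statements, one command at a time. The proc names `filter_nvi_statements` and `reenter_nvi_statements` are hypothetical, the sample output is constructed, and it is an assumption that the captured output can contain other lines, such as a trailing prompt or an applet action line that quotes the same command.

```tcl
# Added example, not part of the original fix_nvi.tcl.
# Accept only complete port-forward statements of the form used on this page:
#   ip nat source static <tcp|udp> <inside-ip> <port> interface <name> <port>
# Other statement forms (extra keywords) would need the pattern extended.
proc filter_nvi_statements {raw} {
    set pattern {^ip nat source static (tcp|udp) [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ [0-9]+ interface [A-Za-z][A-Za-z0-9/.:-]* [0-9]+$}
    set statements {}
    foreach line [split $raw "\n"] {
        # string trim also removes the carriage returns found in CLI output
        set line [string trim $line]
        if {[regexp $pattern $line]} {
            lappend statements $line
        }
    }
    return $statements
}

# Re-enter the validated statements one command at a time.
# fd is the channel returned by cli_open, i.e. $cli(fd) in fix_nvi.tcl.
proc reenter_nvi_statements {fd statements} {
    global errorInfo
    if {[llength $statements] == 0} {
        action_syslog msg "fix_nvi: no valid NVI statements found, nothing changed"
        return 0
    }
    if [catch {cli_exec $fd "configure terminal"} result] {error $result $errorInfo}
    foreach statement $statements {
        if [catch {cli_exec $fd $statement} result] {error $result $errorInfo}
    }
    if [catch {cli_exec $fd "end"} result] {error $result $errorInfo}
    return [llength $statements]
}

# Constructed sample of captured output, for trying the filter under tclsh.
set sample {ip nat source static tcp 192.168.50.6 80 interface Dialer1 8000
 action 3 cli command "ip nat source static tcp 192.168.50.6 80 interface Dialer1 8000"
ip nat source static udp 192.168.50.6 9527 interface Dialer1 9527
Router#}
foreach statement [filter_nvi_statements $sample] {
    puts "would re-enter: $statement"
}
```

In fix_nvi.tcl the call `reenter_nvi_statements $cli(fd) [filter_nvi_statements $nvi_pat_statements]` would take the place of the three `cli_exec` lines in the "Re-enter NVI PAT statements" section.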