Fixing the problem that NVI NAT only takes effect after the interface comes UP

2017-7-13 hale Technology

Recently I ran into a problem with NVI NAT, possibly a bug: the NVI NAT mapping only takes effect once the interface configured with ip nat enable is up. Conversely, when the device reboots, Dialer1 is initially down; and after Dialer1 releases its address and redials, the NVI NAT stops working.

The workaround at that point is simply to reconfigure NVI NAT, which makes it take effect again, but that is only a stopgap.

One idea: use EEM, and configure the NVI NAT on the device whenever Dialer1 comes up:

The commands are as follows:

event manager applet nvi-fix
event syslog pattern "Interface Virtual-Access3, changed state to up"
action 1 cli command "enable"
action 2 cli command "configure terminal"
action 3 cli command "ip nat source static tcp 192.168.50.6 80 interface Dialer1 8000"
action 4 cli command "ip nat source static tcp 192.168.50.6 9527 interface Dialer1 9527"
action 5 cli command "ip nat source static udp 192.168.50.6 9527 interface Dialer1 9527"


This method works, but it is not perfect: whenever a mapping needs to be added or modified, it has to be changed both in the global configuration and in the EEM applet.


Below, a TCL script solves this cleanly.

Upload the TCL script to the flash:/tcl/ directory:

#dir flash:tcl
Directory of flash:/tcl/

    2  -rw-        2438  Jul 19 2017 21:50:36 +08:00  fix_nvi.tcl

256610304 bytes total (148533248 bytes free)

Then configure the following commands:

event manager environment _internet_route_established_phrase Line protocol on Interface Virtual-Access3, changed state to up
event manager directory user policy "flash:/tcl/"
event manager policy fix_nvi.tcl
That completes the setup.

Tested; it works perfectly.


Attachment: fix_nvi.tcl

::cisco::eem::event_register_syslog pattern "$_internet_route_established_phrase"
::cisco::eem::description "This policy re-enters NVI PAT statements on command-line after address change on Internet facing interface in order to fix a Cisco bug affecting NVI and the global VRF"

namespace import ::cisco::lib::*
namespace import ::cisco::eem::*


## Please enter similar commands in global configuration mode to enable the script
# event manager environment _internet_route_established_phrase Dialer1 assigned DHCP address
# event manager directory user policy flash:/
# event manager policy fix_nvi.tcl
# https://github.com/vittorio88/cisco-scripts/blob/master/fix_nvi.tcl


##################
# Check for global definition of environment variables
##################

# Note: _internet_route_established_phrase should be something like: 
#  "Dialer1 assigned DHCP address"
#   or
#  "Line protocol on Interface Virtual-Access1, changed state to up"

if {![info exists _internet_route_established_phrase]} {
    set result \
        "Policy cannot be run: variable _internet_route_established_phrase is not defined"
    error $result $errorInfo
}

##################
# Open CLI
##################

# open cli
if [catch {cli_open} result] {error $result $errorInfo} else {array set cli $result}
# Enable
if [catch {cli_exec $cli(fd) "enable"} result] {error $result $errorInfo}

##################
# Retrieve NVI PAT statements
##################

# Note: "show run | include ip nat source static" should look like: ip nat source static tcp 192.168.33.41 22 interface Dialer1 22

# Execute CLI command and store in variable
if [catch {cli_exec $cli(fd) "show run | include ip nat source static"} result] {error $result $errorInfo} else {set nvi_pat_statements $result}


##################
# Re-enter NVI PAT statements
##################
action_syslog msg "Re-entering following NVI PAT statements:\n$nvi_pat_statements"

if [catch {cli_exec $cli(fd) "configure terminal"} result] {error $result $errorInfo}
if [catch {cli_exec $cli(fd) "$nvi_pat_statements"} result] {error $result $errorInfo}
if [catch {cli_exec $cli(fd) "end"} result] {error $result $errorInfo}

##################
# Close and clean-up
##################
action_syslog msg "Finished updating NVI statements!\n (Cisco should fix this bug, so this workaround can be removed)"
cli_close $cli(fd) $cli(tty_id)
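As an added example (this is not the author's fix_nvi.tcl and not the script from the linked GitHub repository), here is a variant of the same policy that validates every line returned by "show run | include ip nat source static" against a regular expression and re-enters the statements one at a time. The original script sends the whole CLI output back into configure mode in a single cli_exec, so anything else that appears in that output (the echoed command, the prompt, an unrelated line that happens to match the include filter) would also be sent as configuration. The regex acts as an allow-list for the exact "ip nat source static {tcp|udp} A.B.C.D port interface NAME port" shape, and one cli_exec per statement lets each command complete before the next is sent. It assumes the same _internet_route_established_phrase environment variable and the same EEM Tcl CLI library calls (cli_open, cli_exec, cli_close, action_syslog) used by the original script; the helper proc name extract_pat_statements is my own.

```tcl
::cisco::eem::event_register_syslog pattern "$_internet_route_established_phrase"
::cisco::eem::description "Added example: re-enter NVI PAT statements one by one after regex validation"

namespace import ::cisco::lib::*
namespace import ::cisco::eem::*

# Same environment variable as fix_nvi.tcl; refuse to run without it.
if {![info exists _internet_route_established_phrase]} {
    error "Policy cannot be run: variable _internet_route_established_phrase is not defined"
}

# Allow-list: only lines of exactly this shape are re-entered. Anything else
# in the CLI output (echoed command, prompt, unrelated lines) is skipped.
set pat_re {^ip nat source static (tcp|udp) (\d{1,3}(?:\.\d{1,3}){3}) (\d{1,5}) interface (\S+) (\d{1,5})$}

# Split raw "show run" output into lines and keep only valid NVI PAT statements.
proc extract_pat_statements {output re} {
    set statements {}
    foreach line [split $output "\n"] {
        set line [string trim $line]
        if {[regexp $re $line]} {
            lappend statements $line
        }
    }
    return $statements
}

# Open the CLI and enter privileged mode.
if {[catch {cli_open} result]} {
    error $result $errorInfo
}
array set cli $result
if {[catch {cli_exec $cli(fd) "enable"} result]} {
    error $result $errorInfo
}

# Collect the current NVI PAT statements from the running configuration.
if {[catch {cli_exec $cli(fd) "show run | include ip nat source static"} result]} {
    error $result $errorInfo
}
set statements [extract_pat_statements $result $pat_re]

if {[llength $statements] == 0} {
    action_syslog msg "No NVI PAT statements found; nothing to re-enter"
} else {
    action_syslog msg "Re-entering [llength $statements] NVI PAT statement(s)"
    if {[catch {cli_exec $cli(fd) "configure terminal"} result]} {
        error $result $errorInfo
    }
    foreach stmt $statements {
        # One statement per cli_exec so each command gets its own prompt read
        # and a failure is reported against the exact line that caused it.
        if {[catch {cli_exec $cli(fd) $stmt} result]} {
            error "Failed to re-enter '$stmt': $result" $errorInfo
        }
    }
    if {[catch {cli_exec $cli(fd) "end"} result]} {
        error $result $errorInfo
    }
}

cli_close $cli(fd) $cli(tty_id)
```

To use it in place of fix_nvi.tcl, upload it to the same user policy directory and register it with "event manager policy" exactly as shown above; the environment variable and directory configuration are unchanged. Treating CLI output as data that must be validated before it is replayed into configure mode is the general rule worth taking from this: an EEM policy runs with privileged access, so the narrower the set of lines it is willing to re-enter, the less damage an unexpected line in that output can do.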

Tags: NAT NVI hairpin

Comments:

天津网站建设
2017-08-11 18:17
I can't understand the code; I'll just learn it slowly...
