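This document describes the use of the Cisco IOS® software Easy IP feature, which is useful when an entire site connects to the Internet through an Internet service provider (ISP) that assigns only one IP address to the whole remote site. The Easy IP router dials the service provider's network access server (NAS) and negotiates its own WAN IP address. The router then uses Network Address Translation (NAT), with Port Address Translation (PAT), through this negotiated address to give inside clients outside access. An optional feature of the Easy IP router is to act as a Dynamic Host Configuration Protocol (DHCP) server for clients on the inside LAN. Cisco small office/home office (SOHO) routers are typically used in this type of configuration.
There are no specific prerequisites for this document.
The information in this document is based on these software and hardware versions:
Easy IP router: Cisco 3620 with four Ethernet and eight BRI interfaces, running Cisco IOS Software Release 12.0(7)XK2.
Access server: Cisco AS5300 running Cisco IOS Software Release 12.1(7), with one Ethernet, one Fast Ethernet, and four channelized T1/PRI ports.
The information in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command before you use it.
For more information on document conventions, refer to Cisco Technical Tips Conventions.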
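Point-to-Point Protocol (PPP)/IP Control Protocol (IPCP): This is defined in RFC 1332. IPCP provides the ability to dynamically configure IP addresses over PPP. A Cisco IOS Easy IP router uses PPP/IPCP to dynamically negotiate its own registered WAN interface IP address from a central access server or DHCP server.
NAT: Operates on a router that connects two or more networks together. In Easy IP, at least one of these networks (designated as "inside" or "LAN") is addressed with private addresses that must be converted to a registered address before packets can be forwarded to the other registered network (designated as "outside" or "WAN"). In the Easy IP environment, Port Address Translation (PAT) is used to translate all inside private addresses to a single outside registered IP address.
DHCP for LAN clients: This is an optional feature of the Cisco Easy IP router that can be used to assign IP addresses to clients on the inside LAN. Other methods of assigning IP addresses to clients can also be used, such as static assignment or a PC-based DHCP server.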
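1. If the Easy IP router is configured as a DHCP server, clients on the inside LAN receive a private IP address from it when they power up. If it is not configured this way, the clients must be assigned an IP address in some other way.
2. When an inside LAN client generates "interesting" traffic (as defined by access control lists) for dialup, the Easy IP router dials and requests a single registered IP address from the access server at the central site through PPP/IPCP. Once this connection is established, other inside LAN clients can use this circuit, as described in step 4.
3. The central site access server replies with a dynamic global address from a local IP address pool, which is assigned to the WAN interface of the Easy IP router.
4. The Easy IP router uses PAT to automatically create a translation that associates the registered IP address of the WAN interface with the private IP address of the inside LAN client, and establishes the connection to the central site access server.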
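For a more detailed understanding of Easy IP, refer to the white paper Cisco IOS Easy IP.
This section provides information on how to configure the features described in this document.
This document uses the network setup shown in the following diagram.
This document uses this configuration: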
Easy IP Router

```
EasyIP#show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname EasyIP
!
username ISP-AS password 0 ipnegotiate
! --- Username for remote router (ISP-AS) and shared secret.
! --- Shared secret (used for CHAP) must be the same on both sides.
ip subnet-zero
no ip domain-lookup
no ip dhcp conflict logging
! --- Disable the recording of DHCP address conflicts on the DHCP server.
ip dhcp excluded-address 10.0.0.1
! --- Specifies an IP address that the DHCP server should not assign to clients.
ip dhcp pool soho
! --- Configure the DHCP address pool name and enter DHCP pool configuration mode.
 network 10.0.0.0 255.0.0.0
! --- Specifies the subnet network number and mask of the DHCP address pool.
 default-router 10.0.0.1
! --- Specifies the IP address of the default router for DHCP clients.
 lease infinite
! --- Specifies the duration of the lease.
!
isdn switch-type basic-5ess
isdn voice-call-failure 0
!
interface Ethernet0/0
 ip address 10.0.0.1 255.0.0.0
! --- IP address for the Ethernet interface.
 no ip directed-broadcast
 ip nat inside
! --- Defines the interface as internal for network address translation.
!
! Unused ethernet interfaces omitted for brevity
!
interface BRI1/0
 ip address negotiated
! --- Enables PPP/IPCP negotiation for this interface.
 no ip directed-broadcast
 ip nat outside
! --- Defines the interface as external for network address translation.
 encapsulation ppp
 dialer idle-timeout 60
! --- Idle timeout (in seconds) for this BRI interface.
 dialer string 97771200
! --- Specifies the telephone number required to reach the central access server.
 dialer-group 1
! --- Apply interesting traffic defined in dialer-list 1.
 isdn switch-type basic-5ess
 ppp authentication chap
!
! --- Unused BRI interfaces omitted for brevity.
!
ip nat inside source list 100 interface BRI1/0 overload
! --- Establishes dynamic source translation (with PAT) for addresses which are
! --- identified by the access list 100.
ip classless
ip route 0.0.0.0 0.0.0.0 BRI1/0 permanent
! --- Default route is via BRI1/0.
no ip http server
!
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
! --- Defines an access list permitting those addresses that are to be translated.
dialer-list 1 protocol ip permit
! --- Interesting traffic is defined by dialer-list 1.
! --- This is applied to BRI1/0 using dialer-group 1.
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
end
```
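This section provides information you can use to confirm that your configuration works properly.
The Output Interpreter Tool (registered customers only) supports certain show commands, which allows you to view an analysis of show command output.
show ip interface brief: Displays the interface status and the IP address configured on each interface.
show interfaces: Provides high-level information about the interface status of a specific interface.
show ip nat statistics: Displays Network Address Translation (NAT) statistics.
show ip nat translations: Displays the active NAT translations.
show isdn status: Displays the status of each ISDN layer. Verify that ISDN Layers 1 and 2 work properly. For further troubleshooting information, refer to the document Using the show isdn status Command for BRI Troubleshooting.
show dialer: Displays dialer information.
Before the Easy IP router initiates the dial connection to the central site access server, the following show command output shows that the BRI1/0 interface is up and has no IP address, but that the IP address will be negotiated with IPCP.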
```
EasyIP#show ip interface brief
Interface        IP-Address    OK?  Method  Status                 Prol
Ethernet0/0      10.0.0.1      YES  manual  up                     up
Ethernet0/1      unassigned    YES  manual  administratively down  dow
Ethernet0/2      unassigned    YES  manual  administratively down  dow
Ethernet0/3      unassigned    YES  manual  administratively down  dow
BRI1/0           unassigned    YES  IPCP    up                     up
! -- Interface is Up, but no IP Address is assigned since it is not connected
BRI1/0:1         unassigned    YES  unset   down                   dow
BRI1/0:2         unassigned    YES  unset   down                   dow
! -- Both B-channels are down
BRI1/1           unassigned    YES  manual  administratively down  dow
BRI1/1:1         unassigned    YES  unset   administratively down  dow
BRI1/1:2         unassigned    YES  unset   administratively down  dow

EasyIP#show interfaces bri1/0
BRI1/0 is up, line protocol is up (spoofing)
  Hardware is BRI with integrated NT1
  Internet address will be negotiated using IPCP
  MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
.
.
EasyIP#
```
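The following show command output, taken after the Easy IP router has initiated the dial connection to the central site access server, shows that the BRI1/0 interface has received its IP address, 200.1.0.3, from the central site access server through PPP/IPCP.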
```
EasyIP#show ip interface brief
Interface        IP-Address    OK?  Method  Status                 Protocol
Ethernet0/0      10.0.0.1      YES  manual  up                     up
Ethernet0/1      unassigned    YES  manual  administratively down  dow
Ethernet0/2      unassigned    YES  manual  administratively down  dow
Ethernet0/3      unassigned    YES  manual  administratively down  dow
BRI1/0           200.1.0.3     YES  IPCP    up                     up
! -- Int BRI1/0 has a registered IP address assigned after connection is up
BRI1/0:1         unassigned    YES  unset   up                     up
BRI1/0:2         unassigned    YES  unset   down                   dow
! -- 1st B-channel (BRI1/0:1) is UP
BRI1/1           unassigned    YES  manual  administratively down  dow
BRI1/1:1         unassigned    YES  unset   administratively down  dow
BRI1/1:2         unassigned    YES  unset   administratively down  dow

EasyIP#show interfaces bri1/0
BRI1/0 is up, line protocol is up (spoofing)
  Hardware is BRI with integrated NT1
  Internet address is 200.1.0.3/32
  MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
.
.
EasyIP#
```
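We need to check that hosts on the inside private network can connect to the central site access server and that NAT works correctly. This can be done with the extended ping utility. On the EasyIP router, ping the Ethernet interface of the central site access server and specify the LAN (private) address of the EasyIP router as the source of the ping. This ensures that the packets are processed by PAT and that clients on the LAN can communicate with the central site network.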
```
EasyIP#ping
Protocol [ip]:
Target IP address: 192.168.16.1
! -- Ethernet interface IP address of the Central Site Access Server.
Repeat count [5]: 10
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.0.0.1
! -- Ethernet interface IP address (private) of the Easy IP router.
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.16.1, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 32/34/36 ms
```
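The output above shows a 100 percent success rate, which means that NAT works correctly and that SOHO hosts can communicate with the central site access server. More detailed information about the NAT translations is available in the following show command output.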
```
EasyIP#show ip nat statistics
Total active translations: 10 (0 static, 10 dynamic; 10 extended)
Outside interfaces: BRI1/0, BRI1/0:1, BRI1/0:2
Inside interfaces: Ethernet0/0
Hits: 169  Misses: 185
Expired translations: 175
Dynamic mappings:
-- Inside Source
access-list 100 interface BRI1/0 refcount 10

EasyIP#show ip nat translations
Pro  Inside global   Inside local   Outside local     Outside global
icmp 200.1.0.3:32    10.0.0.1:32    192.168.16.1:32   192.168.16.1:32
icmp 200.1.0.3:33    10.0.0.1:33    192.168.16.1:33   192.168.16.1:33
icmp 200.1.0.3:34    10.0.0.1:34    192.168.16.1:34   192.168.16.1:34
icmp 200.1.0.3:35    10.0.0.1:35    192.168.16.1:35   192.168.16.1:35
icmp 200.1.0.3:36    10.0.0.1:36    192.168.16.1:36   192.168.16.1:36
icmp 200.1.0.3:37    10.0.0.1:37    192.168.16.1:37   192.168.16.1:37
icmp 200.1.0.3:38    10.0.0.1:38    192.168.16.1:38   192.168.16.1:38
icmp 200.1.0.3:39    10.0.0.1:39    192.168.16.1:39   192.168.16.1:39
icmp 200.1.0.3:40    10.0.0.1:40    192.168.16.1:40   192.168.16.1:40
icmp 200.1.0.3:41    10.0.0.1:41    192.168.16.1:41   192.168.16.1:41
EasyIP#
```
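The PAT table can also be checked mechanically against the configuration. The following Python script is an added example, not part of the original Cisco document: it confirms that every inside global address is the negotiated WAN address, that every inside local address is permitted by the access-list 100 wildcard (10.0.0.0 0.255.255.255), and that no translated port is shared by two inside hosts. The function names and the 172.16.5.9 row are hypothetical, constructed so that the check has something to flag.

```python
import ipaddress

# Constructed sample: the first rows of the show ip nat translations output,
# plus one hypothetical row (172.16.5.9) that access-list 100 does not permit.
SAMPLE = """\
Pro  Inside global   Inside local    Outside local     Outside global
icmp 200.1.0.3:32    10.0.0.1:32     192.168.16.1:32   192.168.16.1:32
icmp 200.1.0.3:33    10.0.0.1:33     192.168.16.1:33   192.168.16.1:33
icmp 200.1.0.3:34    172.16.5.9:34   192.168.16.1:34   192.168.16.1:34
"""

def acl_matches(address, base, wildcard):
    """IOS wildcard match: bits that are 0 in the wildcard must equal the base."""
    addr, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (addr & care) == (b & care)

def endpoint(field):
    """Split 'ip:port' into (ip, port)."""
    ip, port = field.rsplit(":", 1)
    return ip, int(port)

def parse_translations(text):
    """Return (proto, inside_global, inside_local) tuples from the table."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:  # skips the column header and blank lines
            continue
        rows.append((fields[0], endpoint(fields[1]), endpoint(fields[2])))
    return rows

def audit(rows, wan_ip, acl_base, acl_wildcard):
    """Report rows that violate the PAT behaviour the configuration implies."""
    findings, owners = [], {}
    for proto, (g_ip, g_port), (l_ip, l_port) in rows:
        if g_ip != wan_ip:
            findings.append(f"{l_ip}: inside global {g_ip} is not the WAN address")
        if not acl_matches(l_ip, acl_base, acl_wildcard):
            findings.append(f"{l_ip}: not permitted by the NAT access list")
        owner = owners.setdefault((proto, g_port), (l_ip, l_port))
        if owner != (l_ip, l_port):
            findings.append(f"{proto} port {g_port}: shared by {owner[0]} and {l_ip}")
    return findings

print(audit(parse_translations(SAMPLE), "200.1.0.3", "10.0.0.0", "0.255.255.255"))
```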
The following show isdn status command output shows the status of each ISDN layer. Verify that Layers 1 and 2 are as shown in the example.
```
EasyIP#show isdn status
Global ISDN Switchtype = basic-5ess
ISDN BRI1/0 interface
        dsl 8, interface ISDN Switchtype = basic-5ess
    Layer 1 Status:
        ACTIVE
    Layer 2 Status:
        TEI = 64, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
    Layer 3 Status:
        1 Active Layer 3 Call(s)
    Activated dsl 8 CCBs = 1
        CCB:callid=8098, sapi=0, ces=1, B-chan=1, calltype=DATA
    The Free Channel Mask:  0x80000002
```
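For further troubleshooting information, refer to the document Using the show isdn status Command for BRI Troubleshooting.
The following show dialer output shows that the dial was initiated by an inside private network IP address (for example, 10.0.0.1).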
```
EasyIP#show dialer

BRI1/0 - dialer type = ISDN

Dial String      Successes   Failures    Last DNIS   Last status
97771200                23          0    00:02:02    successful   Default
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.

BRI1/0:1 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: ip (s=10.0.0.1, d=192.168.16.1)
Time until disconnect 36 secs
Current call connected 00:02:03
Connected to 97771200 (ISP-AS)

BRI1/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
```
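Note: Before you issue debug commands, refer to Important Information on Debug Commands.
debug ppp negotiation: Provides information on the PPP protocol negotiation process.
debug ip nat: Provides information about IP packets translated by the IP Network Address Translation (NAT) feature.
debug isdn q921: Provides data link layer debugging of q.921 messages.
debug isdn q931: Provides network layer debugging of q.931 messages.
debug dialer: Provides DDR information about the outbound call.
The following debug ppp negotiation output shows the PPP/IPCP protocol negotiation process.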
```
EasyIP#debug ppp negotiation
PPP protocol negotiation debugging is on
.
.
2d07h: BR1/0:1 IPCP: O CONFREQ [Closed] id 223 len 10
2d07h: BR1/0:1 IPCP:    Address 0.0.0.0 (0x030600000000)
2d07h: BR1/0:1 CDPCP: O CONFREQ [Closed] id 63 len 4
2d07h: BR1/0:1 IPCP: I CONFREQ [REQsent] id 47 len 10
2d07h: BR1/0:1 IPCP:    Address 200.1.0.1 (0x0306C8010001)
2d07h: BR1/0:1 IPCP: O CONFACK [REQsent] id 47 len 10
2d07h: BR1/0:1 IPCP:    Address 200.1.0.1 (0x0306C8010001)
2d07h: BR1/0:1 CDPCP: I CONFREQ [REQsent] id 41 Len 4
2d07h: BR1/0:1 CDPCP: O CONFACK [REQsent] id 41 Len 4
2d07h: BR1/0:1 IPCP: I CONFNAK [ACKsent] id 223 Len 10
2d07h: BR1/0:1 IPCP:    Address 200.1.0.3 (0x0306C8010003)
2d07h: BR1/0:1 IPCP: O CONFREQ [ACKsent] id 224 Len 10
2d07h: BR1/0:1 IPCP:    Address 200.1.0.3 (0x0306C8010003)
2d07h: BR1/0:1 CDPCP: I CONFACK [ACKsent] id 63 Len 4
2d07h: BR1/0:1 CDPCP: State is Open
2d07h: BR1/0:1 IPCP: I CONFACK [ACKsent] id 224 Len 10
2d07h: BR1/0:1 IPCP:    Address 200.1.0.3 (0x0306C8010003)
2d07h: BR1/0:1 IPCP: State is Open
2d07h: BR1/0 IPCP: Install negotiated IP interface address 200.1.0.3
! -- The EasyIP router will install the negotiated WAN IP address.
2d07h: BR1/0 IPCP: Install route to 200.1.0.1
! -- A route to the Central Site Access Server is installed.
2d07h: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI1/0:1, changed state Up
2d07h: %ISDN-6-CONNECT: Interface BRI1/0:1 is now connected to 97771200 ISP-AS
EasyIP#
```
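The hexadecimal value printed beside each address is the RFC 1332 IP-Address option itself: type 3, length 6, then the four address bytes. The following Python script is an added example, not part of the original Cisco document: it decodes that option from the IPCP lines of the debug output, checks it against the dotted address IOS prints, and follows the CONFREQ/CONFNAK/CONFACK exchange to recover the address the router accepted and the address of its peer, which can then be compared with the range the provider is expected to assign. The function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the IPCP lines from the debug ppp negotiation output.
SAMPLE = """\
2d07h: BR1/0:1 IPCP: O CONFREQ [Closed] id 223 len 10
2d07h: BR1/0:1 IPCP:    Address 0.0.0.0 (0x030600000000)
2d07h: BR1/0:1 IPCP: I CONFREQ [REQsent] id 47 len 10
2d07h: BR1/0:1 IPCP:    Address 200.1.0.1 (0x0306C8010001)
2d07h: BR1/0:1 IPCP: O CONFACK [REQsent] id 47 len 10
2d07h: BR1/0:1 IPCP:    Address 200.1.0.1 (0x0306C8010001)
2d07h: BR1/0:1 IPCP: I CONFNAK [ACKsent] id 223 Len 10
2d07h: BR1/0:1 IPCP:    Address 200.1.0.3 (0x0306C8010003)
2d07h: BR1/0:1 IPCP: O CONFREQ [ACKsent] id 224 Len 10
2d07h: BR1/0:1 IPCP:    Address 200.1.0.3 (0x0306C8010003)
2d07h: BR1/0:1 IPCP: I CONFACK [ACKsent] id 224 Len 10
2d07h: BR1/0:1 IPCP:    Address 200.1.0.3 (0x0306C8010003)
"""

HEADER = re.compile(r"IPCP: ([IO]) (CONF\w+) \[\w+\] id (\d+)")
OPTION = re.compile(r"IPCP:\s+Address (\S+) \(0x([0-9A-Fa-f]+)\)")

def decode_ip_address_option(hex_tlv):
    """Decode an RFC 1332 IP-Address option: type 3, length 6, 4 address bytes."""
    raw = bytes.fromhex(hex_tlv)
    if len(raw) != 6 or raw[0] != 3 or raw[1] != 6:
        raise ValueError(f"not an IP-Address option: {hex_tlv}")
    return str(ipaddress.IPv4Address(raw[2:]))

def parse_ipcp(log):
    """Return (direction, code, id, address) per packet; O = sent, I = received."""
    packets, current = [], None
    for line in log.splitlines():
        if m := HEADER.search(line):
            current = (m.group(1), m.group(2), int(m.group(3)))
        elif (m := OPTION.search(line)) and current:
            addr = decode_ip_address_option(m.group(2))
            if addr != m.group(1):
                raise ValueError(f"text and option bytes disagree: {line.strip()}")
            packets.append(current + (addr,))
    return packets

def negotiated_addresses(packets):
    """Local address = the one the peer ACKed; peer address = the one we ACKed."""
    local = next((a for d, c, _, a in packets if (d, c) == ("I", "CONFACK")), None)
    peer = next((a for d, c, _, a in packets if (d, c) == ("O", "CONFACK")), None)
    return local, peer

print(negotiated_addresses(parse_ipcp(SAMPLE)))  # ('200.1.0.3', '200.1.0.1')
```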
The debug ip nat output shows information about IP packets translated by the IP Network Address Translation (NAT) feature.
```
EasyIP#debug ip nat detailed
IP NAT detailed debugging is on
.
.
2d00h: NAT: o: icmp (10.0.0.1, 2015) -> (192.168.16.1, 2015) [909]
2d00h: NAT: i: icmp (10.0.0.1, 2015) -> (192.168.16.1, 2015) [909]
2d00h: NAT: ipnat_allocate_port: wanted 2015 got 2015
2d00h: NAT*: o: icmp (192.168.16.1, 2015) -> (200.1.0.3, 2015) [909]
2d00h: NAT: o: icmp (10.0.0.1, 2016) -> (192.168.16.1, 2016) [910]
2d00h: NAT: i: icmp (10.0.0.1, 2016) -> (192.168.16.1, 2016) [910]
2d00h: NAT: ipnat_allocate_port: wanted 2016 got 2016
2d00h: NAT*: o: icmp (192.168.16.1, 2016) -> (200.1.0.3, 2016) [910]
2d00h: NAT: o: icmp (10.0.0.1, 2017) -> (192.168.16.1, 2017) [911]
2d00h: NAT: i: icmp (10.0.0.1, 2017) -> (192.168.16.1, 2017) [911]
2d00h: NAT: ipnat_allocate_port: wanted 2017 got 2017
2d00h: NAT*: o: icmp (192.168.16.1, 2017) -> (200.1.0.3, 2017) [911]
2d00h: NAT: o: icmp (10.0.0.1, 2018) -> (192.168.16.1, 2018) [912]
2d00h: NAT: i: icmp (10.0.0.1, 2018) -> (192.168.16.1, 2018) [912]
.
.
EasyIP#undebug all
All possible debugging has been turned off
```
Revision | Publish Date | Comments |
---|---|---|
1.0 | 24-Oct-2005 | Initial Release |