As part of this guide, a number of services are configured on ESR service routers to provide the communication channels between offices. This section covers the specific commands for viewing operational information that can be useful when monitoring and debugging the assembled network scheme.
The "show cellular status modem" command displays the state of connected modems. The "show cellular status modem 1" command displays detailed status information for configured modem "1":
esr# show cellular status modem
Number USB port Manufacturer Model Current state Inteface Link
device state
------ -------- ------------ ---------- ------------- --------------- -----
1 3-1 huawei E8372 connected modem1 Up
esr#
esr# show cellular status modem 1
Device '1' status information:
USB device: 3-1
Inteface: modem1
Link state: Up
Mode: stick
Manufacturer: huawei
Model: E8372
Revision: 21.329.63.00.778
IMEI: 866649043430427
Status SIM lock: --
Status unlock retries: sim-pin (3) sim-pin2 (3) sim-puk (10) sim-puk2 (10)
Current state: connected
Access tech: UMTS
Signal level: 54
Support modes:
allowed 2G; preferred none;
allowed 3G; preferred none;
allowed 4G; preferred none;
allowed 2G 3G 4G; preferred none;
Allowed modes: 2G 3G 4G
Preferred modes: none
Type IP: IPv4
Operator name: MegaFon
Registration: home
--------------------------------------------------------------------------------
esr#
The "show security ike proposal" command displays the configured sets of cryptographic algorithms used when building IKE sessions. Specifying a proposal name shows more detailed information about its contents:
RT-HUB-1# show security ike proposal
Name Enc. alg. DH Auth. alg.
------------ ---------------- -- ----------
DMVPN_IKE_PR aes256 19 sha2-256
OP_1
RT-HUB-1#
RT-HUB-1# show security ike proposal DMVPN_IKE_PROP_1
Description: DMVPN | IKE proposal #1
Encryption algorithm: aes256
Diffie-Hellman group: 19
Authentication algorithm: sha2-256
RT-HUB-1#
The "show security ike policy" command displays the configured IKE policies. Specifying a policy name shows more detailed information about the policy contents:
RT-HUB-1# show security ike policy
Name Description Mode Auth. Proposal
method
-------------------- ------------------- ---------- ------- -----------------------------------
DMVPN_IKE_POL DMVPN | IKE policy main keyring DMVPN_IKE_PROP_1
RT-HUB-1#
RT-HUB-1# show security ike policy DMVPN_IKE_POL
Description: DMVPN | IKE policy
Mode: main
Authentication method: keyring
Lifetime seconds: 86400s
Proposal:
DMVPN_IKE_PROP_1
RT-HUB-1#
The "show security ike gateway" command displays the configured IKE gateways. Specifying a gateway name shows more detailed information about the gateway settings:
RT-HUB-1# show security ike gateway
Name Description IKE Policy
---------------- ------------------------------ -----------------------------------
DMVPN_IKE_GW DMVPN | IKE gateway DMVPN_IKE_POL
RT-HUB-1#
RT-HUB-1# show security ike gateway DMVPN_IKE_GW
Description: DMVPN | IKE gateway
IKE Policy: DMVPN_IKE_POL
IKE Version: v2-only
Mode: policy-based
Binding interface: --
IKE Dead Peer Detection:
Action: clear
Interval: 40
Timeout: 160
RT-HUB-1#
The "show security ipsec proposal" command displays the configured sets of cryptographic algorithms used when building AH or ESP sessions. Specifying a proposal name shows more detailed information about its contents:
RT-HUB-1# show security ipsec proposal
Name Prot Enc. alg. Auth. alg. PFS dh-group
--------------------- ---- ---------------- ---------- ------------
DMVPN_IPSEC_PROP_1 esp aes256 sha2-256 19
RT-HUB-1#
RT-HUB-1# show security ipsec proposal DMVPN_IPSEC_PROP_1
Description: DMVPN | IPsec proposal #1
Protocol: esp
Encryption algorithm: aes256
Authentication algorithm: sha2-256
PFS dh-group: 19
RT-HUB-1#
The "show security ipsec policy" command displays the configured policies for AH or ESP sessions. Specifying a policy name shows more detailed information about the policy contents:
RT-HUB-1# show security ipsec policy
Name Description Proposal
-------------------- ------------------- -----------------------------------
DMVPN_IPSEC_POL DMVPN | IPsec DMVPN_IPSEC_PROP_1
policy
RT-HUB-1#
RT-HUB-1# show security ipsec policy DMVPN_IPSEC_POL
Description: DMVPN | IPsec policy
Lifetime seconds: 28800s
Lifetime packets: --
Lifetime kilobytes: 4608000
Proposal:
DMVPN_IPSEC_PROP_1
RT-HUB-1#
The "show security ipsec vpn configuration" command displays the configured VPN profiles. Specifying a VPN profile name shows more detailed information about the profile settings:
RT-HUB-1# show security ipsec vpn configuration
Name Description State
---------------- ------------------------------ --------
DMVPN_IPSEC_VPN DMVPN | IPsec VPN profile Enabled
RT-HUB-1#
RT-HUB-1# show security ipsec vpn configuration DMVPN_IPSEC_VPN
VRF: ISP_1
Description: DMVPN | IPsec VPN profile
State: Enabled
IKE:
Establish tunnel: route
IPsec policy: DMVPN_IPSEC_POL
IKE gateway: DMVPN_IKE_GW
IKE DSCP: 63
IKE idle-time: 0s
IKE rekeying: Enabled
Margin time: 3600s
Margin kilobytes: 86400
Margin packets: 0
Randomization: 100%
RT-HUB-1#
The "show security ipsec vpn status" command displays active IPsec tunnels. Specifying a VPN profile name shows more detailed information about the IPsec tunnels built from that profile. To display active tunnels in a VRF, add the corresponding modifier:
RT-HUB-1# show security ipsec vpn status vrf ISP_1
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
DMVPN_IPSEC_VPN 10.0.0.2 203.0.115.2 0x060c25afd64b4af9 0xe098c56c4fbcc90d Established
DMVPN_IPSEC_VPN 10.0.0.2 203.0.114.2 0x7be4dd13b45a79de 0x7cc308ff27b8bb02 Established
DMVPN_IPSEC_VPN 10.0.0.2 203.0.114.130 0x933d1a3ef9ecdd68 0xa23c893323d42ee1 Established
RT-HUB-1#
RT-HUB-1# show security ipsec vpn status vrf ISP_1 DMVPN_IPSEC_VPN
Currently active IKE SA:
Name: DMVPN_IPSEC_VPN
State: Established
Version: v2-only
Unique ID: 60
Local host: 10.0.0.2
Remote host: 203.0.115.2
Role: Responder
Initiator spi: 0x060c25afd64b4af9
Responder spi: 0xe098c56c4fbcc90d
Encryption algorithm: aes256
Authentication algorithm: sha2-256
Diffie-Hellman group: 19
Established (d,h:m:s): 00,02:58:39 ago
Rekey time (d,h:m:s): 00,00:00:00
Reauthentication time (d,h:m:s): 00,19:33:51
Child IPsec SAs:
Name: DMVPN_IPSEC_VPN-161
State: Installed
Protocol: esp
Mode: Transport
Encryption algorithm: aes256
Authentication algorithm: sha2-256
Rekey time (d,h:m:s): 00,03:20:28
Life time (d,h:m:s): 00,05:01:21
Established (d,h:m:s): 00,02:58:39 ago
Traffic statistics:
Input bytes: 819517
Output bytes: 822697
Input packets: 13507
Output packets: 13509
-------------------------------------------------------------
Currently active IKE SA:
Name: DMVPN_IPSEC_VPN
State: Established
Version: v2-only
Unique ID: 62
Local host: 10.0.0.2
Remote host: 203.0.114.2
Role: Responder
Initiator spi: 0x7be4dd13b45a79de
Responder spi: 0x7cc308ff27b8bb02
Encryption algorithm: aes256
Authentication algorithm: sha2-256
Diffie-Hellman group: 19
Established (d,h:m:s): 00,02:55:31 ago
Rekey time (d,h:m:s): 00,00:00:00
Reauthentication time (d,h:m:s): 00,19:52:09
Child IPsec SAs:
Name: DMVPN_IPSEC_VPN-163
State: Installed
Protocol: esp
Mode: Transport
Encryption algorithm: aes256
Authentication algorithm: sha2-256
Rekey time (d,h:m:s): 00,03:27:35
Life time (d,h:m:s): 00,05:04:29
Established (d,h:m:s): 00,02:55:31 ago
Traffic statistics:
Input bytes: 809459
Output bytes: 810061
Input packets: 13312
Output packets: 13281
-------------------------------------------------------------
Currently active IKE SA:
Name: DMVPN_IPSEC_VPN
State: Established
Version: v2-only
Unique ID: 63
Local host: 10.0.0.2
Remote host: 203.0.114.130
Role: Responder
Initiator spi: 0x933d1a3ef9ecdd68
Responder spi: 0xa23c893323d42ee1
Encryption algorithm: aes256
Authentication algorithm: sha2-256
Diffie-Hellman group: 19
Established (d,h:m:s): 00,01:09:08 ago
Rekey time (d,h:m:s): 00,00:00:00
Reauthentication time (d,h:m:s): 00,21:39:03
Child IPsec SAs:
Name: DMVPN_IPSEC_VPN-164
State: Installed
Protocol: esp
Mode: Transport
Encryption algorithm: aes256
Authentication algorithm: sha2-256
Rekey time (d,h:m:s): 00,04:56:06
Life time (d,h:m:s): 00,06:50:52
Established (d,h:m:s): 00,01:09:08 ago
Traffic statistics:
Input bytes: 315018
Output bytes: 315097
Input packets: 5206
Output packets: 5200
-------------------------------------------------------------
RT-HUB-1#
RT-HUB-1# show security ipsec vpn authentication vrf ISP_1 DMVPN_IPSEC_VPN
Local host Remote host Local subnet Remote subnet Authentication State
--------------- --------------- ------------------- ------------------- ----------------------------------------- -----------
10.0.0.2 203.0.115.2 10.0.0.2/32 203.0.115.2/32 Pre-shared key Established
10.0.0.2 203.0.114.2 10.0.0.2/32 203.0.114.2/32 Pre-shared key Established
10.0.0.2 203.0.114.130 10.0.0.2/32 203.0.114.130/32 Pre-shared key Established
RT-HUB-1#
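The detailed "show security ipsec vpn status" output can be checked automatically against the gateway and proposals configured on this page. The Python example below is an addition, not part of the original guide or of the router software: it parses that output and reports every SA whose state or negotiated algorithms differ from the expected values. The function names and the sample text are assumptions; SA 2 and SA 3 in the sample are constructed deviations.

```python
import re

# Expected values from this page (DMVPN_IKE_GW, DMVPN_IKE_PROP_1, DMVPN_IPSEC_PROP_1).
EXPECTED_IKE = {"State": "Established", "Version": "v2-only",
                "Encryption algorithm": "aes256", "Diffie-Hellman group": "19",
                "Authentication algorithm": "sha2-256"}
EXPECTED_CHILD = {"State": "Installed", "Protocol": "esp",
                  "Encryption algorithm": "aes256",
                  "Authentication algorithm": "sha2-256"}
# "Key: value" line; the lazy key keeps the colons of "(d,h:m:s)" in the key.
KV = re.compile(r"^(.+?):\s+(.*)$")

# Constructed sample in the format of the output above, cut down to the audited
# fields. SA 1 matches the page; SA 2 and SA 3 are made-up deviations.
SAMPLE = """\
Currently active IKE SA:
State: Established
Version: v2-only
Remote host: 203.0.115.2
Encryption algorithm: aes256
Authentication algorithm: sha2-256
Diffie-Hellman group: 19
Established (d,h:m:s): 00,02:58:39 ago
Child IPsec SAs:
Name: DMVPN_IPSEC_VPN-161
State: Installed
Protocol: esp
Encryption algorithm: aes256
Authentication algorithm: sha2-256
-------------------------------------------------------------
Currently active IKE SA:
State: Established
Version: v2-only
Remote host: 203.0.114.2
Encryption algorithm: aes256
Authentication algorithm: sha2-256
Diffie-Hellman group: 14
Child IPsec SAs:
Name: DMVPN_IPSEC_VPN-163
State: Installed
Protocol: esp
Encryption algorithm: aes128
Authentication algorithm: sha2-256
-------------------------------------------------------------
Currently active IKE SA:
State: Established
Version: v2-only
Remote host: 203.0.114.130
Encryption algorithm: aes256
Authentication algorithm: sha2-256
Diffie-Hellman group: 19
"""

def parse_ike_sas(text):
    sas, target, in_children = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Currently active IKE SA:":
            sas.append({"ike": {}, "children": []})
            target, in_children = sas[-1]["ike"], False
        elif line == "Child IPsec SAs:":
            in_children = True
        elif target is not None and (m := KV.match(line)):
            if in_children and m.group(1) == "Name":  # Name opens a child SA
                sas[-1]["children"].append({})
                target = sas[-1]["children"][-1]
            target[m.group(1)] = m.group(2).strip()
    return sas

def _diff(label, got, want):
    return ["%s: %s is %r, expected %r" % (label, k, got.get(k), v)
            for k, v in want.items() if got.get(k) != v]

# Returns (remote host, message) for every deviation from the expected values.
def audit(sas):
    findings = []
    for sa in sas:
        peer = sa["ike"].get("Remote host", "?")
        msgs = _diff("IKE SA", sa["ike"], EXPECTED_IKE)
        for child in sa["children"]:
            msgs += _diff("child SA " + child.get("Name", "?"), child, EXPECTED_CHILD)
        if not sa["children"]:
            msgs.append("no child IPsec SA")
        findings += [(peer, m) for m in msgs]
    return findings

if __name__ == "__main__":
    for peer, msg in audit(parse_ike_sas(SAMPLE)):
        print(peer, msg)
```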
The "show tunnels status" command with the "gre" modifier displays the state of the configured GRE tunnels. Specifying a GRE tunnel number shows more detailed information about that tunnel:
RT-OFFICE-1# show tunnels status gre
Tunnel Admin Link MTU Local IP Remote IP Last change
state state (d,h:m:s)
---------------- ----- ----- ------ ---------------- ---------------- -------------
gre 11 Up Up 1400 203.0.114.2 -- 00,03:21:16
gre 12 Up Up 1400 203.0.114.2 -- 00,03:21:16
RT-OFFICE-1#
RT-OFFICE-1# show tunnels status gre 11
Tunnel 'gre 11' status information:
Description: DMVPN | Cloud 1
Administrative state: Up
Operational state: Up
Supports broadcast: No
Supports multicast: Yes
MTU: 1400
Last change (d,h:m:s):00,03:23:41
RT-OFFICE-1#
The "show tunnels configuration" command with the "gre" modifier displays the parameters of the configured GRE tunnels. Specifying a GRE tunnel number shows more detailed information about that tunnel:
RT-OFFICE-1# show tunnels configuration gre
Tunnel State Description
---------------- -------- ------------------------------
gre 11 Enabled DMVPN | Cloud 1
gre 12 Enabled DMVPN | Cloud 2
RT-OFFICE-1#
RT-OFFICE-1# show tunnels configuration gre 11
State: Enabled
Description: DMVPN | Cloud 1
Mode: ip
Bridge group: --
VRF: --
Local interface: gigabitethernet 1/0/1
Remote address: --
Calculates checksums for outgoing GRE packets: No
Requires that all input GRE packets were checksum: No
key: 1000
TTL: 64
DSCP: Inherit
MTU: 1400
Path MTU discovery: Enabled
Don't fragment bit suppression: Disabled
Security zone: DMVPN_NET
Multipoint mode: Enabled
Keepalive:
State: Disabled
Timeout: 10
Retries: 6
Destination address: --
RT-OFFICE-1#
The "show tunnels counters" command with the "gre" modifier displays the counters of the configured GRE tunnels. Specifying a GRE tunnel number shows more detailed statistics for that tunnel:
RT-OFFICE-1# show tunnels counters gre
Tunnel Packets recv Bytes recv Errors recv MC recv
---------------- -------------- -------------- -------------- --------------
gre 11 16906 935037 0 0
gre 12 15604 820817 0 0
Tunnel Packets sent Bytes sent Errors sent
---------------- -------------- -------------- --------------
gre 11 16964 935255 0
gre 12 15638 821396 0
RT-OFFICE-1#
RT-OFFICE-1# show tunnels counters gre 11
Tunnel 'gre 11' counters:
Packets received: 16906
Bytes received: 935037
Dropped on receive: 0
Receive errors: 0
Multicasts received: 0
Receive length errors: 0
Receive buffer overflow errors: 0
Receive CRC errors: 0
Receive frame errors: 0
Receive FIFO errors: 0
Receive missed errors: 0
Receive compressed: 0
Packets transmitted: 16964
Bytes transmitted: 935255
Dropped on transmit: 0
Transmit errors: 0
Transmit aborted errors: 0
Transmit carrier errors: 0
Transmit FIFO errors: 0
Transmit heartbeat errors: 0
Transmit window errors: 0
Transmit comressed: 0
Collisions: 0
RT-OFFICE-1#
The "show ip nhrp peers" command displays information about known NHRP peers. Adding the "detailed" modifier shows more detailed information about the NHRP peers:
RT-OFFICE-1# show ip nhrp peers
Flags: E - unique, R - nhs, U - used, L - lower-up
C - connected, G - group, Q - qos, N - nat
P - protected, I - Redirect-ignored, X - undefined
Tunnel address NBMA address Tunnel Expire Created Type Flags
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- -------------- --------------- ----------
172.16.1.1 203.0.113.4 gre 11 -- 00,00:00:50 static RULCN
172.16.2.1 203.0.113.132 gre 12 -- 00,00:00:50 static RULCN
RT-OFFICE-1#
RT-OFFICE-1# show ip nhrp peers detailed
Tunnel: gre 11
Type: static
Tunnel address: 172.16.1.1
NBMA address: 203.0.113.4
NAT-OA address: 10.0.0.2
Flags: nhs, used, lower-up, connected, nat
Created (d,h:m:s): 00,00:00:52
Expire (h:m:s): --
Re-registration in (h:m:s): 00:02:28
IPsec protection: Disabled
Group: --
QoS policy output: --
Tunnel: gre 12
Type: static
Tunnel address: 172.16.2.1
NBMA address: 203.0.113.132
NAT-OA address: 10.0.0.10
Flags: nhs, used, lower-up, connected, nat
Created (d,h:m:s): 00,00:00:52
Expire (h:m:s): --
Re-registration in (h:m:s): 00:02:28
IPsec protection: Disabled
Group: --
QoS policy output: --
RT-OFFICE-1#
The "show ip nhrp shortcut-routes" command displays the temporary routes created to the local networks behind a remote NHRP peer. These routes can appear in DMVPN Phase 3 when spoke-to-spoke tunnels are built:
RT-OFFICE-1# show ip nhrp shortcut-routes
Network Nexthop Tunnel Expire Created
(h:m:s) (d,h:m:s)
-------------------- ---------------- --------- --------- --------------
192.168.12.0/24 172.16.1.12 gre 11 00:09:39 00,00:00:20
192.168.13.0/24 172.16.1.13 gre 11 00:09:52 00,00:00:07
RT-OFFICE-1#
The "show ip route" command with the "nhrp" modifier displays all routes added by the NHRP protocol:
RT-OFFICE-1# show ip route nhrp
H * 172.16.1.1/32 [20/0] dev gre 11 [nhrp 06:34:49]
H * 172.16.2.1/32 [20/0] dev gre 12 [nhrp 06:34:49]
H * 172.16.1.13/32 [20/0] dev gre 11 [nhrp 10:16:43]
H * 192.168.12.0/24 [20/0] via 172.16.1.12 on gre 11 [nhrp 10:16:29]
H * 192.168.13.0/24 [20/0] via 172.16.1.13 on gre 11 [nhrp 10:16:43]
H * 172.16.1.12/32 [20/0] dev gre 11 [nhrp 10:16:29]
RT-OFFICE-1#
The "show bgp summary" command displays brief information about the established BGP sessions and the volume of routing information advertised and received:
RT-HUB-1# show bgp summary
2025-06-10 10:35:44
BGP router identifier 10.0.0.19, local AS number 65001
BGP activity 5/12 prefixes
Neighbor AS MsgRcvd MsgSent Up/Down St/PfxRcd
(d,h:m:s)
---------------------- ------------- ---------- ---------- ---------- ------------
10.0.0.18 65500 2137 2179 01,06:56:47 1
10.0.0.17 65500 2114 2154 01,06:44:22 1
172.16.1.13 65000 285 283 00,04:04:03 1
172.16.1.12 65000 281 282 00,04:03:52 1
172.16.1.11 65000 276 276 00,04:00:43 1
RT-HUB-1#
The "show bgp neighbors" command displays detailed information about BGP neighbors:
RT-HUB-1# show bgp neighbors
BGP neighbor is 10.0.0.17
Description: DMZ | RT-GW-1
BGP state: Established
Type: Static neighbor
Neighbor address: 10.0.0.17
Neighbor AS: 65500
Neighbor ID: 10.0.0.1
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: external AS4
Source address: 10.0.0.19
Weight: 0
Hold timer: 111/180
Keepalive timer: 12/60
Peer group: DMVPN_LAN
RR client: No
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Outgoing route-map: DMVPN_LAN_OUT
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: No
Uptime (d,h:m:s): 01,06:44:34
BFD address: 10.0.0.17
BFD state: Up
BFD interval: 1.000 s
BFD timeout: 8.000 s
BGP neighbor is 10.0.0.18
Description: DMZ | RT-GW-2
BGP state: Established
Type: Static neighbor
Neighbor address: 10.0.0.18
Neighbor AS: 65500
Neighbor ID: 10.0.0.9
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: external AS4
Source address: 10.0.0.19
Weight: 0
Hold timer: 100/180
Keepalive timer: 52/60
Peer group: DMVPN_LAN
RR client: No
Address family ipv4 unicast:
Send-label: No
Default originate: No
Default information originate: No
Outgoing route-map: DMVPN_LAN_OUT
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: No
Uptime (d,h:m:s): 01,06:56:59
BFD address: 10.0.0.18
BFD state: Up
BFD interval: 1.000 s
BFD timeout: 8.000 s
BGP neighbor is 172.16.1.13
BGP state: Established
Type: Dynamic neighbor
Listen range prefix: 172.16.1.0/24
Neighbor address: 172.16.1.13
Neighbor AS: 65000
Neighbor ID: 172.16.1.13
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: external AS4
Source address: 172.16.1.1
Weight: 0
Hold timer: 157/180
Keepalive timer: 19/60
Peer group: DMVPN_NET_1
RR client: No
Address family ipv4 unicast:
Send-label: No
Default originate: Yes
Default information originate: No
Outgoing route-map: DMVPN_NET_1_OUT
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: No
Uptime (d,h:m:s): 00,04:04:15
BFD address: 172.16.1.13
BFD state: Up
BFD interval: 1.000 s
BFD timeout: 8.000 s
BGP neighbor is 172.16.1.12
BGP state: Established
Type: Dynamic neighbor
Listen range prefix: 172.16.1.0/24
Neighbor address: 172.16.1.12
Neighbor AS: 65000
Neighbor ID: 172.16.1.12
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: external AS4
Source address: 172.16.1.1
Weight: 0
Hold timer: 94/180
Keepalive timer: 4/60
Peer group: DMVPN_NET_1
RR client: No
Address family ipv4 unicast:
Send-label: No
Default originate: Yes
Default information originate: No
Outgoing route-map: DMVPN_NET_1_OUT
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: No
Uptime (d,h:m:s): 00,04:04:04
BFD address: 172.16.1.12
BFD state: Up
BFD interval: 1.000 s
BFD timeout: 8.000 s
BGP neighbor is 172.16.1.11
BGP state: Established
Type: Dynamic neighbor
Listen range prefix: 172.16.1.0/24
Neighbor address: 172.16.1.11
Neighbor AS: 65000
Neighbor ID: 172.16.1.11
Neighbor caps: refresh enhanced-refresh restart-aware AS4
Session: external AS4
Source address: 172.16.1.1
Weight: 0
Hold timer: 123/180
Keepalive timer: 32/60
Peer group: DMVPN_NET_1
RR client: No
Address family ipv4 unicast:
Send-label: No
Default originate: Yes
Default information originate: No
Outgoing route-map: DMVPN_NET_1_OUT
Preference: 170
Remove private AS: No
Next-hop self: No
Next-hop unchanged: No
Uptime (d,h:m:s): 00,04:00:55
BFD address: 172.16.1.11
BFD state: Up
BFD interval: 1.000 s
BFD timeout: 8.000 s
RT-HUB-1#
The "show bgp ipv4 unicast" command displays the state of the BGP RIB:
RT-HUB-1# show bgp ipv4 unicast
Status codes: u - unicast, b - broadcast, m - multicast, a - anycast
* - valid, > - best
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> u 0.0.0.0/0 10.0.0.17 100 100 0 65500 i
* u 0.0.0.0/0 10.0.0.18 200 100 0 65500 i
*> u 192.168.11.0/24 172.16.1.11 -- 100 0 65000 i
*> u 192.168.12.0/24 172.16.1.12 -- 100 0 65000 i
*> u 192.168.13.0/24 172.16.1.13 -- 100 0 65000 i
RT-HUB-1#
The "show bgp ipv4 unicast neighbor <IP-ADDRESS> routes" command displays the routes received from a BGP neighbor:
RT-HUB-1# show bgp ipv4 unicast neighbor 172.16.1.11 routes
Status codes: u - unicast, b - broadcast, m - multicast, a - anycast
* - valid, > - best
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> u 192.168.11.0/24 172.16.1.11 -- 100 0 65000 i
RT-HUB-1#
The "show bgp ipv4 unicast neighbor <IP-ADDRESS> advertise-routes" command displays the routes advertised to a BGP neighbor:
RT-HUB-1# show bgp ipv4 unicast neighbor 172.16.1.11 advertise-routes
Status codes: u - unicast, b - broadcast, m - multicast, a - anycast
* - valid, > - best
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> u 0.0.0.0/0 172.16.1.1 100 -- -- 65001 i
RT-HUB-1#
The "show ip route" command with the "bgp" modifier displays all routes added by the BGP protocol:
RT-HUB-1# show ip route bgp
B * 0.0.0.0/0 [170] via 10.0.0.17 on po1.300 [bgp65001 2025-06-09] (AS65500i)
B 0.0.0.0/0 [170] via 10.0.0.18 on po1.300 [bgp65001 2025-06-09] (AS65500i)
B * 192.168.11.0/24 [170] via 172.16.1.11 on gre 10 [bgp65001 06:35:01] (AS65000i)
B * 192.168.12.0/24 [170] via 172.16.1.12 on gre 10 [bgp65001 06:31:52] (AS65000i)
B * 192.168.13.0/24 [170] via 172.16.1.13 on gre 10 [bgp65001 06:31:41] (AS65000i)
RT-HUB-1#
RT-HUB-1# show bfd neighbors
Neighbor Discriminator State Interface
--------------------------------------- ------------- --------- ----------------
10.0.0.18 1981074375 Up po1.300
172.16.1.13 1317697778 Up gre 10
172.16.1.12 2842746174 Up gre 10
172.16.1.11 4248109158 Up gre 10
10.0.0.17 4277650140 Up po1.300
RT-HUB-1#
RT-HUB-1# show bfd neighbors 172.16.1.11
Neighbor address: 172.16.1.11
Local address: 172.16.1.1
Interface: gre 10
Remote discriminator: 4248109158
Local discriminator: 2527420142
State: Up
Session type: Control
Session mode: Single-hop
Local diagnostic code: No Diagnostic
Remote diagnostic code: No Diagnostic
Minimal Tx Interval: 1000 ms
Minimal Rx Interval: 1000 ms
Multiplier: 8
Actual Tx Interval: 1000 ms
Actual Detection Interval: 8000 ms
Number of transmitted packets: 17983
Number of received packets: 17971
Uptime (d,h:m:s): 00,04:07:20
Client: BGP
Last received packet:
Desired Min Tx Interval: 1000 ms
Required Min Rx Interval: 1000 ms
Multiplier: 8
RT-HUB-1#
The "show security zone" command displays the list of configured security zones:
RT-GW-1# show security zone
Zone name Interfaces
------------- ------------------------------------------
UNTRUSTED gi1/0/1
MGMT po1.250
CUSTOMER po1.100
DMVPN_ISP_1 po1.210
DMVPN_LAN po1.300
RT-GW-1#
The "show security zone-pair" command displays the list of configured security zone pairs:
RT-GW-1# show security zone-pair
From zone To zone VRF Description
------------- ------------- -------------------------------- -------------------------------------------
MGMT self -- --
CUSTOMER self -- --
CUSTOMER UNTRUSTED -- --
DMVPN_ISP_1 self -- --
UNTRUSTED DMVPN_ISP_1 -- --
DMVPN_ISP_1 UNTRUSTED -- --
DMVPN_LAN self -- --
DMVPN_LAN CUSTOMER -- --
CUSTOMER DMVPN_LAN -- --
DMVPN_LAN UNTRUSTED -- --
RT-GW-1#
The "show security zone-pair configuration <LEFT> <RIGHT>" command displays the list of firewall rules for the specified pair of security zones:
RT-GW-1# show security zone-pair configuration DMVPN_LAN self
Order: 10
Description: Permit | ICMP | From ANY | To ANY
Matching pattern:
Protocol: ICMP(1)
Fragment: --
IP options: --
Source MAC: any
Destination MAC: any
ICMP type: any
ICMP code: any
Source address: any
Destination address: any
Destination NAT: --
Application: --
Action: Permit
Status: Enabled
--------------------------------------------------------------------------------
Order: 20
Description: Permit | BGP | From ANY | To ANY
Matching pattern:
Protocol: TCP(6)
Fragment: --
IP options: --
Source MAC: any
Destination MAC: any
Source address: any
Source port: any
Destination address: any
Destination port: 179
Destination NAT: --
Application: --
Action: Permit
Status: Enabled
--------------------------------------------------------------------------------
Order: 30
Description: Permit | BFD | From ANY | To ANY
Matching pattern:
Protocol: UDP(17)
Fragment: --
IP options: --
Source MAC: any
Destination MAC: any
Source address: any
Source port: any
Destination address: any
Destination port: 3784
Destination NAT: --
Application: --
Action: Permit
Status: Enabled
--------------------------------------------------------------------------------
RT-GW-1#
The "show ip firewall counters" command displays hit statistics for the firewall rules:
RT-GW-1# show ip firewall counters
Zone-pair Rule Action Pkts Bytes Description
------------------------------ ---------- --------------- ---------- ---------- --------------------
CUSTOMER/UNTRUSTED 10 permit 1 92 Permit | ANY | From
CUSTOMER | To ISP-1
CUSTOMER/self 10 permit 0 0 Permit | ICMP |
From ANY | To ANY
CUSTOMER/self 20 permit 1 40 Permit | VRRP |
From ANY | To ANY
DMVPN_ISP_1/UNTRUSTED 10 permit 0 0 Permit | ICMP |
From ANY | To ANY
DMVPN_ISP_1/UNTRUSTED 20 permit 58 27086 Permit | IKE/IPsec
| From RT-HUB-1 |
To ISP-1
DMVPN_ISP_1/self 10 permit 0 0 Permit | ICMP |
From ANY | To ANY
DMVPN_LAN/self 10 permit 0 0 Permit | ICMP |
From ANY | To ANY
DMVPN_LAN/self 20 permit 151 9060 Permit | BGP | From
ANY | To ANY
DMVPN_LAN/self 30 permit 271569 14121588 Permit | BFD | From
ANY | To ANY
MGMT/self 10 permit 0 0 Permit | ICMP |
From ANY | To ANY
UNTRUSTED/DMVPN_ISP_1 10 permit 0 0 Permit | ICMP |
From ANY | To ANY
UNTRUSTED/DMVPN_ISP_1 20 permit 59 13788 Permit | IKE/IPsec
| From ISP-1 | To
RT-HUB-1
any/any default deny 3 252 --
CUSTOMER/DMVPN_LAN 10 permit 28 2576 Permit | ANY | From
CUSTOMER | To DMVPN
Cloud
DMVPN_LAN/CUSTOMER 10 permit 18 1656 Permit | ANY | From
DMVPN Cloud | To
CUSTOMER
DMVPN_LAN/UNTRUSTED 10 permit 14 1288 Permit | ANY | From
DMVPN Cloud | To
ISP-1
RT-GW-1#
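The counters in this table are cumulative, so monitoring them means comparing two polls. The Python example below is an addition, not part of the original guide or of the router software: it parses the table, including descriptions wrapped over several lines, reports how much each deny rule grew between two polls and lists permit rules that have never matched. The function names and both sample polls are assumptions; the second poll is constructed.

```python
import re

# Table row: zone-pair, rule order (or "default"), action, packets, bytes, description.
ROW = re.compile(r"^(\S+/\S+)\s+(\d+|default)\s+(\S+)\s+(\d+)\s+(\d+)\s*(.*)$")
PROMPT = re.compile(r"^\S+#(\s|$)")

# Constructed first poll: a subset of the rows shown in the output above.
POLL_1 = """\
RT-GW-1# show ip firewall counters
Zone-pair Rule Action Pkts Bytes Description
------------------------------ ---------- --------------- ---------- ----------
DMVPN_ISP_1/UNTRUSTED 20 permit 58 27086 Permit | IKE/IPsec
| From RT-HUB-1 |
To ISP-1
DMVPN_LAN/self 10 permit 0 0 Permit | ICMP |
From ANY | To ANY
DMVPN_LAN/self 20 permit 151 9060 Permit | BGP | From
ANY | To ANY
any/any default deny 3 252 --
RT-GW-1#
"""
# Constructed second poll: the default-deny and BGP counters have grown.
POLL_2 = (POLL_1.replace("deny 3 252", "deny 45 3780")
                .replace("permit 151 9060", "permit 160 9600"))


def parse_counters(text):
    """Return one dict per rule; wrapped description lines are joined back."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT.match(line) or line.startswith("---"):
            continue
        m = ROW.match(line)
        if m:
            zone_pair, rule, action, pkts, nbytes, desc = m.groups()
            rows.append({"zone_pair": zone_pair, "rule": rule, "action": action,
                         "pkts": int(pkts), "bytes": int(nbytes),
                         "description": "" if desc == "--" else desc})
        elif rows:  # continuation of the previous row's description column
            rows[-1]["description"] += " " + line
    return rows


def deny_delta(before, after):
    """Packets newly matched by deny rules between two polls.

    A counter that went down (for example after a reboot) is ignored.
    """
    old = {(r["zone_pair"], r["rule"]): r["pkts"] for r in before}
    delta = {}
    for r in after:
        key = (r["zone_pair"], r["rule"])
        grew = r["pkts"] - old.get(key, 0)
        if r["action"] == "deny" and grew > 0:
            delta[key] = grew
    return delta


def never_hit(rows):
    """Permit rules with a zero packet counter: candidates for review."""
    return [(r["zone_pair"], r["rule"]) for r in rows
            if r["action"] == "permit" and r["pkts"] == 0]


if __name__ == "__main__":
    first, second = parse_counters(POLL_1), parse_counters(POLL_2)
    print("deny growth:", deny_delta(first, second))
    print("never matched:", never_hit(second))
```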
The "show ip firewall sessions" command displays the list of network sessions tracked by the firewall:
RT-GW-1# show ip firewall sessions
Codes: E - expected, U - unreplied,
A - assured, C - confirmed
Prot Aging Inside source Inside destination Outside source Outside destination Pkts Bytes Status
----- ---------- --------------------- --------------------- --------------------- --------------------- ---------- ---------- ------
tcp 99 10.0.0.19:54300 10.0.0.17:179 10.0.0.19:54300 10.0.0.17:179 -- -- AC
udp 179 203.0.114.130:4500 10.0.0.2:4500 203.0.114.130:4500 203.0.113.4:4500 -- -- AC
tcp 113 10.0.0.20:52247 10.0.0.17:179 10.0.0.20:52247 10.0.0.17:179 -- -- AC
udp 179 203.0.115.2:5064 10.0.0.2:4500 203.0.115.2:5064 203.0.113.4:4500 -- -- AC
icmp 22 203.0.113.2 8.8.4.4 203.0.113.2 8.8.4.4 -- -- C
udp 29 10.0.0.19:49171 10.0.0.17:3784 10.0.0.19:49171 10.0.0.17:3784 -- -- UC
udp 28 10.0.0.17:49152 10.0.0.20:3784 10.0.0.17:49152 10.0.0.20:3784 -- -- UC
udp 29 10.0.0.17:49152 10.0.0.19:3784 10.0.0.17:49152 10.0.0.19:3784 -- -- UC
vrrp 59 10.100.0.253 224.0.0.18 10.100.0.253 224.0.0.18 -- -- UC
udp 29 10.0.0.20:49163 10.0.0.17:3784 10.0.0.20:49163 10.0.0.17:3784 -- -- UC
udp 179 203.0.114.2:4500 10.0.0.2:4500 203.0.114.2:4500 203.0.113.4:4500 -- -- AC
icmp 24 203.0.113.2 77.88.44.242 203.0.113.2 77.88.44.242 -- -- C
RT-GW-1#
The "show ip nat proxy-arp" command displays the list of interfaces on which the ARP proxy function is enabled and the IP addresses for which it responds:
RT-GW-1# show ip nat proxy-arp
Interface IP address range
----------- ---------------------------------------------
gi1/0/1 203.0.113.3, 203.0.113.4
RT-GW-1#
The "show ip nat source pools" command displays the list of configured pools of IP addresses and ports used in Source NAT rules:
RT-GW-1# show ip nat source pools
Name IP address Port Description Persi
range stent
--------------------- ----------------- ------- ----------- -----
CUSTOMER_PUBLIC_IP 203.0.113.3 - -- No
RT-GW-1#
The "show ip nat source rulesets" command displays the list of configured Source NAT rule sets. Specifying a rule set name shows the Source NAT rules of that set:
RT-GW-1# show ip nat source rulesets
Name To Description
-------------------------------- ------------------ -----------------
SNAT zone 'UNTRUSTED' --
RT-GW-1#
RT-GW-1# show ip nat source rulesets SNAT
Description: --
VRF: --
To: zone 'UNTRUSTED'
Rules:
------
Order: 10
Description: Source | CUSTOMER
Matching pattern:
Protocol: any
Source address: 10.100.0.0/24
Destination address: any
Action: pool CUSTOMER_PUBLIC_IP
Status: Enabled
--------------------------------------------------------------------------------
Order: 20
Description: Static | RT-HUB-1
Matching pattern:
Protocol: any
Source address: 10.0.0.2/32
Destination address: any
Action: netmap 203.0.113.4/32
Status: Enabled
--------------------------------------------------------------------------------
Order: 30
Description: Source | DMVPN Cloud
Matching pattern:
Protocol: any
Source address: 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24
Destination address: any
Action: pool CUSTOMER_PUBLIC_IP
Status: Enabled
--------------------------------------------------------------------------------
RT-GW-1#
The "show ip nat translations" command displays the list of currently tracked NAT sessions:
RT-GW-1# show ip nat translations
Prot Inside source Inside destination Outside source Outside destination Pkts Bytes
---- --------------------- --------------------- --------------------- --------------------- ---------- ----------
udp 203.0.114.130:4500 10.0.0.2:4500 203.0.114.130:4500 203.0.113.4:4500 -- --
udp 203.0.115.2:5064 10.0.0.2:4500 203.0.115.2:5064 203.0.113.4:4500 -- --
udp 203.0.114.2:4500 10.0.0.2:4500 203.0.114.2:4500 203.0.113.4:4500 -- --
RT-GW-1#