
...


Рис. 3.

    Адресация и её назначение приведены в таблице ниже (таблица 1):

...

object-group network clients_ISP2
  ip prefix 198.18.156.0/22
exit

route-map out_BGP_ISP2
  rule 1
    match ip address object-group clients_ISP2
    action permit
  exit
exit

router bgp 64603
  address-family ipv4 vrf ISP2
    redistribute connected
    neighbor 100.64.0.73
      remote-as 1238965001
      route-map out_BGP_ISP2 out
      update-source 100.64.0.74
      enable
    exit
    neighbor 100.64.0.98
      remote-as 64603
      route-map in_PREF in
      next-hop-self
      update-source 100.64.0.97
      enable
    exit
    enable
  exit
exit
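Review bot: The eBGP neighbor `100.64.0.73` in `address-family ipv4 vrf ISP2` carries only an outbound policy (`route-map out_BGP_ISP2 out`) and no inbound route-map, so whatever the ISP2 peer advertises is accepted into the VRF as-is; the same gap is in the second fragment for neighbor `100.64.0.77`. An inbound filter under the neighbor, e.g. `route-map <INBOUND_FILTER_NAME> in` (placeholder name) backed by a route-map whose rule permits only the prefixes expected from that peer, would bound what the peer can inject, with `ip protocols bgp max-routes 250` from the full listing acting only as a count limit, not a prefix filter. `in_PREF` on the iBGP neighbor is a permit-all map in the full ESR-1 listing and is not a substitute. The fragment is a `router bgp 64603` excerpt; the rest of the BGP and VRF configuration is outside this block.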

...

object-group network clients_ISP2
  ip prefix 198.18.156.0/22
exit

route-map out_BGP_ISP2
  rule 1
    match ip address object-group clients_ISP2
    action permit
  exit
exit

router bgp 64603
  address-family ipv4 vrf ISP2
    redistribute connected
    neighbor 100.64.0.77
      remote-as 1238965001
      route-map out_BGP_ISP2 out
      update-source 100.64.0.78
      enable
    exit
    neighbor 100.64.0.97
      remote-as 64603
      route-map in_PREF in
      next-hop-self
      update-source 100.64.0.98
      enable
    exit
    enable
  exit
exit

...



#!/usr/bin/clish
#14
hostname ESR-1

ip firewall sessions allow-unknown
object-group service telnet
  port-range 23
exit
object-group service ssh
  port-range 22
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group service ntp
  port-range 123
exit
object-group service snmp
  port-range 161-162
exit
object-group service COA
  port-range 3799
  port-range 31812-31813
exit
object-group service bgp
  port-range 179
exit
object-group service dns
  port-range 53
exit
object-group service sunctun
  port-range 1337
exit
object-group service firewall_failover
  port-range 3333
exit

object-group network SoftWLC
  ip prefix 100.123.0.0/24
exit
object-group network gre_termination
  ip prefix 192.168.200.48/28
exit
object-group network mgmt_AP
  ip prefix 198.18.128.0/21
  ip prefix 198.18.136.0/22
  ip prefix 198.18.140.0/22
  ip prefix 100.64.0.56/30
  ip prefix 198.18.144.0/22
  ip prefix 198.18.156.0/22
exit
object-group network clients_AP
  ip prefix 198.18.136.0/22
  ip prefix 198.18.140.0/22
  ip prefix 198.18.128.0/21
  ip prefix 198.18.144.0/22
exit
object-group network Admnet
  ip prefix 100.123.0.0/24
  ip prefix 100.110.0.0/23
  ip prefix 192.168.200.48/28
  ip prefix 100.64.0.40/30
exit
object-group network PrivateNets
  ip prefix 10.0.0.0/8
  ip prefix 192.168.0.0/16
  ip prefix 172.16.0.0/12
exit
object-group network BGPneighbours
  ip prefix 100.64.0.32/30
  ip prefix 100.64.0.40/30
  ip prefix 100.64.0.48/30
  ip prefix 100.64.0.56/30
exit
object-group network DNS
  ip prefix 100.123.0.0/24
exit
object-group network CoA_servers
  ip prefix 100.123.0.0/24
exit

object-group network clients_ISP2
  ip prefix 198.18.156.0/22
exit

ip vrf ISP2
  ip protocols bgp max-routes 250
exit

radius-server timeout 10
radius-server retransmit 5
radius-server host 100.123.0.2
  key ascii-text encrypted 88B11079B9014FAAF7B9
  timeout 11
  priority 20
  source-address 198.18.128.2
  auth-port 31812
  acct-port 31813
  retransmit 10
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 100.123.0.2
exit
das-server COA
  key ascii-text encrypted 88B11079B9014FAAF7B9
  port 3799
  clients object-group SoftWLC
exit
aaa das-profile COA
  das-server COA
exit

vlan 3
  force-up
exit
vlan 10
  force-up
exit
vlan 11
  force-up
exit
vlan 12
  force-up
exit
vlan 101
  force-up
exit
vlan 9,92
exit

security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone sidelink
exit
security zone user
exit
security zone untrusted_ISP2
  ip vrf forwarding ISP2
exit
security zone user_ISP2
  ip vrf forwarding ISP2
exit
security zone sidelink_ISP2
  ip vrf forwarding ISP2
exit
security zone trusted_ISP2
  ip vrf forwarding ISP2
exit

route-map out_BGP_GRE
  rule 10
    match ip address object-group gre_termination
    action permit
  exit
exit
route-map out_BGP_AP
  rule 10
    match ip address object-group mgmt_AP
    action permit
  exit
exit
route-map out_BGP_NAT
  rule 10
    match ip address object-group clients_AP
    action permit
  exit
exit
route-map in_PREF
  rule 10
    action permit
  exit
exit
route-map out_BGP_ISP2
  rule 1
    match ip address object-group clients_ISP2
    action permit
  exit
exit
router bgp 64603
  address-family ipv4
    redistribute connected
    redistribute static
    neighbor 100.64.0.33
      remote-as 1238965001
      route-map out_BGP_GRE out
      update-source 100.64.0.34
      enable
    exit
    neighbor 100.64.0.41
      remote-as 1238965001
      route-map out_BGP_AP out
      update-source 100.64.0.42
      enable
    exit
    neighbor 100.64.0.49
      remote-as 1238965001
      route-map out_BGP_NAT out
      update-source 100.64.0.50
      enable
    exit
    neighbor 100.64.0.58
      remote-as 64603
      route-map in_PREF in
      next-hop-self
      update-source 100.64.0.57
      enable
    exit
    enable
  exit
  address-family ipv4 vrf ISP2
    redistribute connected
    neighbor 100.64.0.73
      remote-as 1238965001
      route-map out_BGP_ISP2 out
      update-source 100.64.0.74
      enable
    exit
    neighbor 100.64.0.98
      remote-as 64603
      route-map in_PREF in
      next-hop-self
      update-source 100.64.0.97
      enable
    exit
    enable
  exit
exit

snmp-server
snmp-server community "public11" ro
snmp-server community "private1" rw

snmp-server host 100.123.0.2
exit

snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment pwrin
snmp-server enable traps environment pwrin-insert
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps environment sfp-overheat-temp
snmp-server enable traps environment sfp-supercooling-temp
snmp-server enable traps environment switch-overheat-temp
snmp-server enable traps environment switch-supercooling-temp
snmp-server enable traps wifi
snmp-server enable traps wifi wifi-tunnels-number-in-bridge-high
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon supply
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog

bridge 1
  description "GRE_termination"
  vlan 101
  security-zone gre
  ip address 192.168.200.51/28
  vrrp id 1
  vrrp ip 192.168.200.49/32
  vrrp ip 192.168.200.50/32 secondary
  vrrp priority 200
  vrrp group 1
  vrrp preempt delay 150
  vrrp
  protected-ports
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 3
  description "mgmt_AP"
  vlan 3
  security-zone trusted
  ip address 198.18.128.2/21
  ip helper-address 100.123.0.2
  ip helper-address vrrp-group 1
  vrrp id 3
  vrrp ip 198.18.128.1/32
  vrrp priority 200
  vrrp group 1
  vrrp preempt delay 150
  vrrp
  ip tcp adjust-mss 1458
  protected-ports
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 9
  description "SideLink"
  vlan 9
  security-zone sidelink
  ip address 100.64.0.57/30
  enable
exit
bridge 10
  description "data1_AP"
  vlan 10
  security-zone user
  ip address 198.18.136.2/22
  ip helper-address 100.123.0.2
  ip helper-address vrrp-group 1
  vrrp id 10
  vrrp ip 198.18.136.1/32
  vrrp priority 200
  vrrp group 1
  vrrp preempt delay 150
  vrrp
  location data10
  protected-ports
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 12
  ip vrf forwarding ISP2
  vlan 12
  security-zone user_ISP2
  ip address 198.18.156.2/22
  ip helper-address 100.123.0.2
  ip helper-address vrrp-group 1
  vrrp id 12
  vrrp ip 198.18.156.1/32
  vrrp priority 200
  vrrp group 1
  vrrp preempt delay 150
  vrrp
  ip tcp adjust-mss 1458
  location data12
  protected-ports
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 92
  ip vrf forwarding ISP2
  description "SideLink for VRF ISP2"
  vlan 92
  security-zone sidelink_ISP2
  ip address 100.64.0.97/30
  enable
exit

interface gigabitethernet 1/0/1.206
  description "VRF_AP"
  security-zone gre
  ip address 100.64.0.34/30
exit
interface gigabitethernet 1/0/1.208
  description "VRF_BACKBONE"
  security-zone trusted
  ip address 100.64.0.42/30
exit
interface gigabitethernet 1/0/1.210
  description "VRF_NAT"
  security-zone untrusted
  ip address 100.64.0.50/30
exit
interface gigabitethernet 1/0/1.214
  ip vrf forwarding ISP2
  description "ISP2_vrf"
  security-zone untrusted_ISP2
  ip address 100.64.0.74/30
  ip tcp adjust-mss 1458
exit
interface gigabitethernet 1/0/2
  description "SideLink"
  mode hybrid
  switchport forbidden default-vlan
  switchport general acceptable-frame-type tagged-only
  switchport general allowed vlan add 3,9-12,92,101 tagged
exit
tunnel lt 1
  peer lt 2
  security-zone trusted
  ip address 10.200.200.1/30
  enable
exit
tunnel lt 2
  peer lt 1
  ip vrf forwarding ISP2
  security-zone trusted_ISP2
  ip address 10.200.200.2/30
  enable
exit
tunnel softgre 1
  description "mgmt"
  mode management
  local address 192.168.200.49
  default-profile
  enable
exit
tunnel softgre 1.1
  bridge-group 3
  enable
exit
tunnel softgre 2
  description "data"
  mode data
  local address 192.168.200.50
  default-profile
  enable
exit

security zone-pair gre self
  rule 1
    action permit
    match protocol gre
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol tcp
    match destination-port sunctun
    enable
  exit
  rule 4
    action permit
    match protocol icmp
    enable
  exit
  rule 10
    action permit
    match protocol tcp
    match source-address BGPneighbours
    match source-port bgp
    match destination-port bgp
    enable
  exit
exit
security zone-pair trusted self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
  rule 3
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 4
    action permit
    match protocol icmp
    enable
  exit
  rule 10
    action permit
    match source-address SoftWLC
    enable
  exit
  rule 11
    action permit
    match source-address Admnet
    enable
  exit
  rule 20
    action permit
    match protocol tcp
    match source-address BGPneighbours
    match source-port bgp
    match destination-port bgp
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair user untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair user self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 4
    action permit
    match protocol vrrp
    enable
  exit
  rule 5
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair user trusted
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match destination-address DNS
    match destination-port dns
    enable
  exit
exit
security zone-pair trusted user
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_client
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
  rule 3
    action permit
    match protocol icmp
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair gre gre
  rule 1
    action permit
    enable
  exit
exit
security zone-pair sidelink self
  rule 2
    action permit
    match protocol tcp
    match destination-port bgp
    enable
  exit
  rule 3
    action permit
    match protocol udp
    match destination-port firewall_failover
    enable
  exit
  rule 4
    action permit
    match protocol udp
    match source-port dhcp_server
  exit
  rule 10
    action permit
    match protocol gre
    enable
  exit
  rule 20
    action permit
    match protocol icmp
    enable
  exit
  rule 30
    action permit
    match protocol vrrp
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
  rule 50
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 60
    action permit
    match source-address SoftWLC
    enable
  exit
  rule 80
    action permit
    match source-address Admnet
    enable
  exit
  rule 90
    action permit
    match protocol tcp
    match destination-port sunctun
    enable
  exit
  rule 100
    action permit
    match protocol tcp
    match destination-port telnet
    enable
  exit
exit
security zone-pair sidelink trusted
  rule 10
    action permit
    enable
  exit
exit
security zone-pair sidelink untrusted
  rule 10
    action permit
    enable
  exit
exit
security zone-pair sidelink gre
  rule 10
    action permit
    enable
  exit
exit
security zone-pair sidelink user
  rule 10
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_client
    enable
  exit
exit
security zone-pair trusted sidelink
  rule 10
    action permit
    enable
  exit
exit
security zone-pair gre sidelink
  rule 10
    action permit
    enable
  exit
exit
security zone-pair user sidelink
  rule 10
    action permit
    match protocol udp
    match destination-port dns
    enable
  exit
  rule 20
    action permit
    match not source-address PrivateNets
    enable
  exit
exit
security zone-pair untrusted self
  rule 10
    action permit
    match protocol tcp
    match source-address BGPneighbours
    match source-port bgp
    match destination-port bgp
    enable
  exit
exit
security zone-pair user_ISP2 self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 4
    action permit
    match protocol vrrp
    enable
  exit
  rule 5
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair user_ISP2 untrusted_ISP2
  rule 10
    action permit
    enable
  exit
exit
security zone-pair user_ISP2 trusted_ISP2
  rule 10
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 11
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
exit
security zone-pair user_ISP2 sidelink_ISP2
  rule 10
    action permit
    match protocol udp
    match destination-port dns
    enable
  exit
  rule 20
    action permit
    match not source-address PrivateNets
    enable
  exit
exit
security zone-pair trusted_ISP2 self
  rule 10
    action permit
    enable
  exit
exit
security zone-pair trusted_ISP2 user_ISP2
  rule 10
    action permit
    enable
  exit
exit
security zone-pair untrusted_ISP2 self
  rule 10
    action permit
    match protocol icmp
    enable
  exit
exit
security zone-pair untrusted_ISP2 user_ISP2
  rule 10
    action permit
    match protocol icmp
    enable
  exit
  rule 100
    action permit
    enable
  exit
exit
security zone-pair sidelink_ISP2 self
  rule 2
    action permit
    match protocol tcp
    match destination-port bgp
    enable
  exit
exit
security zone-pair sidelink_ISP2 untrusted_ISP2
  rule 10
    action permit
    enable
  exit
exit

security passwords history 0
ip firewall failover sync-type unicast
ip firewall failover source-address 100.64.0.57
ip firewall failover destination-address 100.64.0.58
ip firewall failover port 3333
ip firewall failover vrrp-group 1
ip firewall failover

ip dhcp-relay

ip route vrf ISP2 100.123.0.0/24 10.200.200.1
ip route 198.18.156.0/22 10.200.200.2

wireless-controller
  peer-address 100.64.0.58
  nas-ip-address 198.18.128.2
  vrrp-group 1
  data-tunnel configuration radius
  aaa das-profile COA
  aaa radius-profile PCRF
  enable
exit
ip telnet server
ip ssh server

clock timezone gmt +7

ntp enable
ntp server 100.123.0.2
exit
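Review bot: In `security zone-pair sidelink self`, rule 4 (`match protocol udp` / `match source-port dhcp_server`) is the only rule in the ESR-1 listing without an `enable` line, so it presumably never takes effect; either add `enable` or drop the rule, since rule 40 already permits dhcp_server to dhcp_server in that pair. Separately, `ip telnet server` is enabled and rule 100 of the same zone-pair permits telnet from the whole sidelink zone while `ip ssh server` is also on, so the cleartext management path can be closed by removing the `ip telnet server` line and rule 100. `snmp-server community "private1" rw` grants write access with no source restriction on the community itself, relying only on the zone-pair permits for SoftWLC and Admnet; if write access is not needed the line should be removed, and `security passwords history 0` likewise disables password reuse checks. Minor: `bridge 12` has no `description` unlike the sibling bridges, which makes zone and VRF reviews harder; a description in the same style as `bridge 10` would help.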


...



#!/usr/bin/clish
#14
hostname ESR-2

ip firewall sessions allow-unknown
object-group service telnet
  port-range 23
exit
object-group service ssh
  port-range 22
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group service ntp
  port-range 123
exit
object-group service snmp
  port-range 161-162
exit
object-group service COA
  port-range 3799
  port-range 31812-31813
exit
object-group service bgp
  port-range 179
exit
object-group service dns
  port-range 53
exit
object-group service sunctun
  port-range 1337
exit
object-group service firewall_failover
  port-range 3333
exit

object-group network SoftWLC
  ip prefix 100.123.0.0/24
exit
object-group network gre_termination
  ip prefix 192.168.200.48/28
exit
object-group network mgmt_AP
  ip prefix 198.18.128.0/21
  ip prefix 198.18.136.0/22
  ip prefix 198.18.140.0/22
  ip prefix 100.64.0.56/30
  ip prefix 198.18.144.0/22
  ip prefix 198.18.156.0/22
exit
object-group network clients_AP
  ip prefix 198.18.136.0/22
  ip prefix 198.18.140.0/22
  ip prefix 198.18.128.0/21
  ip prefix 198.18.144.0/22
exit
object-group network Admnet
  ip prefix 100.123.0.0/24
  ip prefix 100.110.0.0/23
  ip prefix 192.168.200.48/28
  ip prefix 100.64.0.44/30
exit
object-group network PrivateNets
  ip prefix 10.0.0.0/8
  ip prefix 192.168.0.0/16
  ip prefix 172.16.0.0/12
exit
object-group network BGPneighbours
  ip prefix 100.64.0.36/30
  ip prefix 100.64.0.44/30
  ip prefix 100.64.0.52/30
  ip prefix 100.64.0.56/30
exit
object-group network DNS
  ip address-range 8.8.8.8
  ip prefix 100.123.0.0/24
exit
object-group network CoA_servers
  ip prefix 100.123.0.0/24
exit
object-group network clients_ISP2
  ip prefix 198.18.156.0/22
exit

ip vrf ISP2
  ip protocols bgp max-routes 250
exit

radius-server timeout 10
radius-server retransmit 5
radius-server host 100.123.0.2
  key ascii-text encrypted 88B11079B9014FAAF7B9
  timeout 11
  priority 20
  source-address 198.18.128.3
  auth-port 31812
  acct-port 31813
  retransmit 10
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 100.123.0.2
exit
das-server COA
  key ascii-text encrypted 88B11079B9014FAAF7B9
  port 3799
  clients object-group SoftWLC
exit
aaa das-profile COA
  das-server COA
exit

vlan 3
  force-up
exit
vlan 10
  force-up
exit
vlan 11
  force-up
exit
vlan 12
  force-up
exit
vlan 101
  force-up
exit
vlan 9,92
exit

security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone sidelink
exit
security zone user
exit
security zone untrusted_ISP2
  ip vrf forwarding ISP2
exit
security zone user_ISP2
  ip vrf forwarding ISP2
exit
security zone sidelink_ISP2
  ip vrf forwarding ISP2
exit
security zone trusted_ISP2
  ip vrf forwarding ISP2
exit

route-map out_BGP_GRE
  rule 10
    match ip address object-group gre_termination
    action permit
  exit
exit
route-map out_BGP_AP
  rule 10
    match ip address object-group mgmt_AP
    action permit
  exit
exit
route-map out_BGP_NAT
  rule 10
    match ip address object-group clients_AP
    action permit
  exit
exit
route-map in_PREF
  rule 10
    action permit
  exit
exit
route-map out_BGP_ISP2
  rule 1
    match ip address object-group clients_ISP2
    action permit
  exit
exit
router bgp 64603
  address-family ipv4
    redistribute connected
    redistribute static
    neighbor 100.64.0.37
      remote-as 1238965001
      route-map out_BGP_GRE out
      update-source 100.64.0.38
      enable
    exit
    neighbor 100.64.0.45
      remote-as 1238965001
      route-map out_BGP_AP out
      update-source 100.64.0.46
      enable
    exit
    neighbor 100.64.0.53
      remote-as 1238965001
      route-map out_BGP_NAT out
      update-source 100.64.0.54
      enable
    exit
    neighbor 100.64.0.57
      remote-as 64603
      route-map in_PREF in
      next-hop-self
      update-source 100.64.0.58
      enable
    exit
    enable
  exit
  address-family ipv4 vrf ISP2
    redistribute connected
    neighbor 100.64.0.77
      remote-as 1238965001
      route-map out_BGP_ISP2 out
      update-source 100.64.0.78
      enable
    exit
    neighbor 100.64.0.97
      remote-as 64603
      route-map in_PREF in
      next-hop-self
      update-source 100.64.0.98
      enable
    exit
    enable
  exit
exit

snmp-server
snmp-server community "public11" ro
snmp-server community "private1" rw

snmp-server host 100.123.0.2
exit

snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment pwrin
snmp-server enable traps environment pwrin-insert
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps environment sfp-overheat-temp
snmp-server enable traps environment sfp-supercooling-temp
snmp-server enable traps environment switch-overheat-temp
snmp-server enable traps environment switch-supercooling-temp
snmp-server enable traps wifi
snmp-server enable traps wifi wifi-tunnels-number-in-bridge-high
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon supply
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog

bridge 1
  description "GRE_termination"
  vlan 101
  security-zone gre
  ip address 192.168.200.52/28
  vrrp id 1
  vrrp ip 192.168.200.49/32
  vrrp ip 192.168.200.50/32 secondary
  vrrp priority 190
  vrrp group 1
  vrrp preempt delay 150
  vrrp
  protected-ports
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 3
  description "mgmt_AP"
  vlan 3
  security-zone trusted
  ip address 198.18.128.3/21
  ip helper-address 100.123.0.2
  ip helper-address vrrp-group 1
  vrrp id 3
  vrrp ip 198.18.128.1/32
  vrrp priority 190
  vrrp preempt delay 150
  vrrp
  protected-ports
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 9
  description "SideLink"
  vlan 9
  security-zone sidelink
  ip address 100.64.0.58/30
  enable
exit
bridge 10
  description "data1_AP"
  vlan 10
  security-zone user
  ip address 198.18.136.3/22
  ip helper-address 100.123.0.2
  ip helper-address vrrp-group 1
  vrrp id 10
  vrrp ip 198.18.136.1/32
  vrrp priority 190
  vrrp group 1
  vrrp preempt delay 150
  vrrp
  location data10
  protected-ports
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 12
  ip vrf forwarding ISP2
  vlan 12
  security-zone user_ISP2
  ip address 198.18.156.3/22
  ip helper-address 100.123.0.2
  ip helper-address vrrp-group 1
  vrrp id 12
  vrrp ip 198.18.156.1/32
  vrrp priority 190
  vrrp group 1
  vrrp preempt delay 150
  vrrp
  ip tcp adjust-mss 1458
  location data12
  protected-ports
  protected-ports exclude vlan
  ports vrrp filtering enable
  ports vrrp filtering exclude vlan
  enable
exit
bridge 92
  ip vrf forwarding ISP2
  description "SideLink for VRF ISP2"
  vlan 92
  security-zone sidelink_ISP2
  ip address 100.64.0.98/30
  enable
exit

interface gigabitethernet 1/0/1.207
  description "VRF_AP"
  security-zone gre
  ip address 100.64.0.38/30
  ip tcp adjust-mss 1458
exit
interface gigabitethernet 1/0/1.209
  description "VRF_BACKBONE"
  security-zone trusted
  ip address 100.64.0.46/30
  ip tcp adjust-mss 1458
exit
interface gigabitethernet 1/0/1.211
  description "VRF_NAT"
  security-zone untrusted
  ip address 100.64.0.54/30
  ip tcp adjust-mss 1458
exit
interface gigabitethernet 1/0/1.215
  ip vrf forwarding ISP2
  description "ISP2_vrf"
  security-zone untrusted_ISP2
  ip address 100.64.0.78/30
  ip tcp adjust-mss 1458
exit
# Physical port 1/0/2 "SideLink": hybrid trunk to the peer ESR, tagged frames
# only, default VLAN forbidden. Allowed VLANs 3,9-12,92,101 -- bridges for
# VLANs 9, 10, 12 and 92 are defined above; VLAN 3 is the bridge whose tail
# appears at the top of this section, VLANs 11 and 101 are not visible here.
interface gigabitethernet 1/0/2
  description "SideLink"
  mode hybrid
  switchport forbidden default-vlan
  switchport general acceptable-frame-type tagged-only
  switchport general allowed vlan add 3,9-12,92,101 tagged
exit
# lt 1: global-table end of an internal tunnel pair (peer is lt 2, in VRF ISP2),
# zone trusted, 10.200.200.5/30. Together with the two "ip route" lines below
# this pair leaks traffic between the global table and VRF ISP2, so the
# crossing is subject to the trusted*/trusted_ISP2* zone-pairs.
tunnel lt 1
  peer lt 2
  security-zone trusted
  ip address 10.200.200.5/30
  enable
exit
# lt 2: VRF ISP2 end of the internal tunnel pair (peer lt 1), zone
# trusted_ISP2, 10.200.200.6/30. "ip route 198.18.156.0/22 10.200.200.6"
# below sends the ISP2 client prefix from the global table into this VRF.
tunnel lt 2
  peer lt 1
  ip vrf forwarding ISP2
  security-zone trusted_ISP2
  ip address 10.200.200.6/30
  enable
exit
# SoftGRE tunnel 1 "mgmt": management-mode tunnel (AP management traffic) with
# local endpoint 192.168.200.49 and the default profile. The interface that
# owns 192.168.200.49 is not in this chunk.
tunnel softgre 1
  description "mgmt"
  mode management
  local address 192.168.200.49
  default-profile
  enable
exit
# Sub-tunnel 1.1 of the management SoftGRE tunnel, bridged into bridge-group 3
# (the VRRP id 3 / 198.18.128.1 bridge whose tail is visible above).
tunnel softgre 1.1
  bridge-group 3
  enable
exit
# SoftGRE tunnel 2 "data": data-mode tunnel, local endpoint 192.168.200.50,
# default profile. Data sub-tunnels are not listed here; wireless-controller
# below has "data-tunnel configuration radius", so they are presumably
# provisioned from RADIUS.
tunnel softgre 2
  description "data"
  mode data
  local address 192.168.200.50
  default-profile
  enable
exit

# gre -> self (traffic from the VRF_AP link to the router itself):
# GRE, VRRP, TCP to sunctun, ICMP, and TCP BGP from BGPneighbours.
# NOTE(review): rule 10 requires BOTH source-port bgp and destination-port
# bgp, which only fits packets where both ends use 179; a neighbour opening
# the session from an ephemeral port would not match. The same pattern is
# used in "trusted self" rule 20 and "untrusted self" rule 10, while
# "sidelink self" rule 2 matches destination-port only -- confirm intent.
security zone-pair gre self
  rule 1
    action permit
    match protocol gre
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol tcp
    match destination-port sunctun
    enable
  exit
  rule 4
    action permit
    match protocol icmp
    enable
  exit
  rule 10
    action permit
    match protocol tcp
    match source-address BGPneighbours
    match source-port bgp
    match destination-port bgp
    enable
  exit
exit
# trusted -> self: VRRP, DHCP relay traffic (udp 67->67 and 68->67), ICMP,
# BGP from BGPneighbours (same src+dst port bgp pattern as "gre self" rule 10),
# and -- rules 10/11 -- ANY protocol from the SoftWLC and Admnet object-groups.
# Rules 10/11 are the management path to this device (telnet and ssh servers
# are enabled below); the object-groups themselves are defined outside this chunk,
# so their member prefixes should be kept tight.
security zone-pair trusted self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
  rule 3
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 4
    action permit
    match protocol icmp
    enable
  exit
  rule 10
    action permit
    match source-address SoftWLC
    enable
  exit
  rule 11
    action permit
    match source-address Admnet
    enable
  exit
  rule 20
    action permit
    match protocol tcp
    match source-address BGPneighbours
    match source-port bgp
    match destination-port bgp
    enable
  exit
exit
# trusted -> trusted: intra-zone traffic permitted unconditionally
# (VRF_BACKBONE link and lt 1 are both in this zone).
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
# user -> untrusted: clients may send anything toward the VRF_NAT uplink.
# No untrusted -> user pair is defined in this chunk, so only return traffic
# of these sessions is expected to come back (stateful firewall).
security zone-pair user untrusted
  rule 1
    action permit
    enable
  exit
exit
# user -> self: clients reach the router only with ICMP, DHCP (68->67 and
# 67->67) and VRRP. Rule numbering skips 3; user_ISP2 -> self below is an
# exact copy of this policy.
security zone-pair user self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 4
    action permit
    match protocol vrrp
    enable
  exit
  rule 5
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
exit
# user -> trusted: only DHCP client->server and UDP DNS to the hosts in the
# DNS object-group (defined outside this chunk). Everything else from clients
# toward the backbone zone is not permitted here.
security zone-pair user trusted
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match destination-address DNS
    match destination-port dns
    enable
  exit
exit
# trusted -> user: DHCP server->client (67->68), relay-to-relay (67->67)
# and ICMP toward the client subnet; nothing else is initiated from the
# backbone side.
security zone-pair trusted user
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_client
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
  rule 3
    action permit
    match protocol icmp
    enable
  exit
exit
# trusted -> untrusted: permit all from the backbone zone toward the VRF_NAT uplink.
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
# gre -> gre: intra-zone traffic on the VRF_AP link permitted unconditionally.
security zone-pair gre gre
  rule 1
    action permit
    enable
  exit
exit
# sidelink -> self (peer ESR over bridge 9 to this router): BGP (destination
# port only), firewall failover sync (udp firewall_failover -- object-group
# defined outside this chunk, should correspond to failover port 3333 below),
# GRE, ICMP, VRRP, DHCP 67->67 and 68->67, any protocol from SoftWLC / Admnet,
# TCP sunctun and TCP telnet.
# NOTE(review): rule 4 has no "enable" line (every other rule here has one)
# and no destination-port match -- either it is an intentionally disabled
# leftover or an incomplete rule; it also duplicates what rule 40 covers.
# Rule 100 admits cleartext telnet from the sidelink zone; with "ip ssh server"
# also enabled, consider whether telnet still needs to be reachable from here.
security zone-pair sidelink self
  rule 2
    action permit
    match protocol tcp
    match destination-port bgp
    enable
  exit
  rule 3
    action permit
    match protocol udp
    match destination-port firewall_failover
    enable
  exit
  rule 4
    action permit
    match protocol udp
    match source-port dhcp_server
  exit
  rule 10
    action permit
    match protocol gre
    enable
  exit
  rule 20
    action permit
    match protocol icmp
    enable
  exit
  rule 30
    action permit
    match protocol vrrp
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
  rule 50
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 60
    action permit
    match source-address SoftWLC
    enable
  exit
  rule 80
    action permit
    match source-address Admnet
    enable
  exit
  rule 90
    action permit
    match protocol tcp
    match destination-port sunctun
    enable
  exit
  rule 100
    action permit
    match protocol tcp
    match destination-port telnet
    enable
  exit
exit
# sidelink -> trusted: permit all; the peer ESR may forward anything through
# this device into the backbone zone.
security zone-pair sidelink trusted
  rule 10
    action permit
    enable
  exit
exit
# sidelink -> untrusted: permit all from the peer ESR toward the VRF_NAT uplink.
security zone-pair sidelink untrusted
  rule 10
    action permit
    enable
  exit
exit
# sidelink -> gre: permit all from the peer ESR toward the VRF_AP link.
security zone-pair sidelink gre
  rule 10
    action permit
    enable
  exit
exit
# sidelink -> user: only DHCP server->client (67->68) may enter the client
# subnet from the peer ESR side (presumably DHCP replies relayed by the peer).
security zone-pair sidelink user
  rule 10
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_client
    enable
  exit
exit
# trusted -> sidelink: permit all from the backbone zone toward the peer ESR.
security zone-pair trusted sidelink
  rule 10
    action permit
    enable
  exit
exit
# gre -> sidelink: permit all from the VRF_AP link toward the peer ESR.
security zone-pair gre sidelink
  rule 10
    action permit
    enable
  exit
exit
# user -> sidelink: UDP DNS, plus (rule 20) any traffic whose source is NOT in
# the PrivateNets object-group. PrivateNets is defined outside this chunk;
# the intent appears to be letting clients with non-private addresses reach
# the peer ESR while keeping private-addressed ones local -- confirm.
security zone-pair user sidelink
  rule 10
    action permit
    match protocol udp
    match destination-port dns
    enable
  exit
  rule 20
    action permit
    match not source-address PrivateNets
    enable
  exit
exit
# untrusted -> self: the VRF_NAT uplink may only talk BGP to this router,
# and only from BGPneighbours (same src+dst port bgp pattern as "gre self"
# rule 10, see the note there). No ICMP is admitted from this zone.
security zone-pair untrusted self
  rule 10
    action permit
    match protocol tcp
    match source-address BGPneighbours
    match source-port bgp
    match destination-port bgp
    enable
  exit
exit
# user_ISP2 -> self: identical to "user self" -- ICMP, DHCP 68->67 and 67->67,
# VRRP -- for the ISP2 client subnet on bridge 12.
security zone-pair user_ISP2 self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 4
    action permit
    match protocol vrrp
    enable
  exit
  rule 5
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
exit
# user_ISP2 -> untrusted_ISP2: ISP2 clients may send anything toward the ISP2 uplink.
security zone-pair user_ISP2 untrusted_ISP2
  rule 10
    action permit
    enable
  exit
exit
# user_ISP2 -> trusted_ISP2 (toward lt 2, i.e. the path out of the VRF):
# only DHCP 68->67 and 67->67. Unlike "user trusted" there is no DNS rule here;
# DNS for ISP2 clients is handled by the user_ISP2 -> sidelink_ISP2 pair instead.
security zone-pair user_ISP2 trusted_ISP2
  rule 10
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 11
    action permit
    match protocol udp
    match source-port dhcp_server
    match destination-port dhcp_server
    enable
  exit
exit
# user_ISP2 -> sidelink_ISP2: mirrors "user sidelink" -- UDP DNS plus any
# traffic whose source is not in PrivateNets (object-group defined elsewhere).
security zone-pair user_ISP2 sidelink_ISP2
  rule 10
    action permit
    match protocol udp
    match destination-port dns
    enable
  exit
  rule 20
    action permit
    match not source-address PrivateNets
    enable
  exit
exit
# trusted_ISP2 -> self: permit all. Only lt 2 is in this zone, so this is
# traffic that already passed the global-side zone-pairs before entering the VRF.
security zone-pair trusted_ISP2 self
  rule 10
    action permit
    enable
  exit
exit
# trusted_ISP2 -> user_ISP2: permit all from lt 2 into the ISP2 client subnet
# (broader than "trusted user", which admits only DHCP and ICMP).
security zone-pair trusted_ISP2 user_ISP2
  rule 10
    action permit
    enable
  exit
exit
# untrusted_ISP2 -> self: the ISP2 uplink may only ping this router.
# NOTE(review): there is no BGP rule here, unlike "untrusted self"; a BGP
# session with an ISP2 neighbour on gi 1/0/1.215 can therefore only be
# established from this side -- confirm that is acceptable.
security zone-pair untrusted_ISP2 self
  rule 10
    action permit
    match protocol icmp
    enable
  exit
exit
# untrusted_ISP2 -> user_ISP2: rule 100 permits ANY unsolicited inbound traffic
# from the ISP2 uplink to the client subnet 198.18.156.0/22 (rule 10, ICMP, is
# therefore redundant). This is the opposite of the global side, where no
# untrusted -> user pair exists and clients only receive return traffic.
# NOTE(review): if ISP2 clients are not meant to be directly reachable from
# the uplink, narrow or remove rule 100.
security zone-pair untrusted_ISP2 user_ISP2
  rule 10
    action permit
    match protocol icmp
    enable
  exit
  rule 100
    action permit
    enable
  exit
exit
# sidelink_ISP2 -> self: only TCP to port bgp (the VRF ISP2 iBGP session over
# bridge 92). Destination-port match only, as in "sidelink self" rule 2.
security zone-pair sidelink_ISP2 self
  rule 2
    action permit
    match protocol tcp
    match destination-port bgp
    enable
  exit
exit
# sidelink_ISP2 -> untrusted_ISP2: permit all from the peer ESR (VRF ISP2 side)
# toward the ISP2 uplink. No sidelink_ISP2 -> user_ISP2 pair is defined in this chunk.
security zone-pair sidelink_ISP2 untrusted_ISP2
  rule 10
    action permit
    enable
  exit
exit

# "security passwords history 0": password reuse history is disabled.
# NOTE(review): presumably deliberate for this deployment; re-check against
# the site's password policy.
security passwords history 0
# Firewall session-state sync to the peer ESR: unicast from bridge 9's address
# 100.64.0.58 to 100.64.0.57, port 3333, bound to VRRP group 1. The inbound
# side of this sync relies on "sidelink self" rule 3 (udp firewall_failover);
# that object-group is defined outside this chunk and should contain 3333.
ip firewall failover sync-type unicast
ip firewall failover source-address 100.64.0.58
ip firewall failover destination-address 100.64.0.57
ip firewall failover port 3333
ip firewall failover vrrp-group 1
ip firewall failover

# Global DHCP relay enable (per-bridge helper addresses are set on bridges 10 and 12).
ip dhcp-relay

# Route leaking between the global table and VRF ISP2 over the lt 1 / lt 2 pair:
# VRF ISP2 reaches 100.123.0.0/24 (DHCP helper / NTP server) via lt 1's address,
# and the global table reaches the ISP2 client prefix 198.18.156.0/22 via lt 2's.
ip route vrf ISP2 100.123.0.0/24 10.200.200.5
ip route 198.18.156.0/22 10.200.200.6

# Wireless-controller role: peer is the other ESR at 100.64.0.57 (far end of the
# SideLink), NAS IP 198.18.128.3 (presumably this router's bridge 3 address, whose
# VRRP VIP 198.18.128.1 is visible above), tied to VRRP group 1. Data tunnels
# are configured from RADIUS; CoA/DAS uses profile COA and RADIUS profile PCRF
# (both defined outside this chunk).
wireless-controller
  peer-address 100.64.0.57
  nas-ip-address 198.18.128.3
  vrrp-group 1
  data-tunnel configuration radius
  aaa das-profile COA
  aaa radius-profile PCRF
  enable
exit
# Both telnet and ssh management servers are enabled. Which zones may reach
# them is governed by the "* self" zone-pairs above: telnet explicitly from
# sidelink (rule 100), and any protocol from SoftWLC / Admnet via trusted self
# rules 10/11 and sidelink self rules 60/80. Telnet is cleartext; if it is not
# required for the peer ESR or management hosts, ssh alone would suffice.
ip telnet server
ip ssh server


clock timezone gmt +7

# NTP client enabled against 100.123.0.2 -- the same host used as DHCP helper
# on bridges 10 and 12; VRF ISP2 reaches it through the lt route above.
ntp enable
ntp server 100.123.0.2
exit


...