...
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
bridge 10
description "users"
security-zone users
ip firewall disable
ip address 192.168.132.1/22
ip helper-address 100.123.0.2
protected-ports local
enable
exit
interface gigabitethernet 1/0/1.3500
description "UpLink"
security-zone untrusted
ip address 172.31.240.3/29
exit
interface gigabitethernet 1/0/1.2300
description "mgmt"
security-zone trusted
ip firewall disable
ip address 100.123.0.176/24
exit
interface gigabitethernet 1/0/1.2336
bridge-group 10
exit
interface gigabitethernet 1/0/1.2337
bridge-group 10
exit
ip dhcp-relay
ip route 0.0.0.0/0 172.31.240.1
ip telnet server
ip ssh server
...
object-group network bras_users
ip address-range 192.168.132.2-192.168.135.254
exit
bridge 10
description "users"
security-zone users
ip firewall disable
ip address 192.168.132.1/22
ip helper-address 100.123.0.2
service-subscriber-control object-group bras_users
location data10
protected-ports local
enable
exit
Примечание:
Обратим внимание на настройку "service-subscriber-control object-group bras_users" — мы указали, что авторизацию будут проходить только пользователи, имеющие адреса из диапазона, указанного в группе bras_users (192.168.132.2–192.168.135.254, то есть без адреса самого bridge 10 — 192.168.132.1). Это необходимо для того, чтобы обеспечить беспрепятственное прохождение трафика с адреса bridge 10 и широковещательного трафика подсети. Вместо неё можно использовать настройку "service-subscriber-control any", которая заблокирует прохождение любого трафика до прохождения авторизации.
...
object-group service dhcp_server
port-range 67
exit
object-group service dhcp_client
port-range 68
exit
object-group service dns
port-range 53
exit
object-group service redirect
port-range 3128-3131
exit
object-group network users
ip prefix 192.168.132.0/22
exit
object-group network SoftWLC
ip address-range 100.123.0.2
exit
object-group network bras_users
ip address-range 192.168.132.2-192.168.135.254
exit
radius-server timeout 10
radius-server retransmit 5
radius-server host 100.123.0.2
key ascii-text testing123
timeout 11
priority 20
source-address 100.123.0.176
auth-port 31812
acct-port 31813
retransmit 10
dead-interval 10
exit
aaa radius-profile PCRF
radius-server host 100.123.0.2
exit
das-server COA
key ascii-text encrypted 88B11079B9014FAAF7B9
port 3799
clients object-group SoftWLC
exit
aaa das-profile COA
das-server COA
exit
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
ip access-list extended WELCOME
rule 1
action permit
match protocol tcp
match destination-port 443
enable
exit
rule 2
action permit
match protocol tcp
match destination-port 8443
enable
exit
rule 3
action permit
match protocol tcp
match destination-port 80
enable
exit
rule 4
action permit
match protocol tcp
match destination-port 8080
enable
exit
exit
ip access-list extended INTERNET
rule 1
action permit
enable
exit
exit
ip access-list extended unauthUSER
rule 1
action permit
match protocol udp
match source-port 68
match destination-port 67
enable
exit
rule 2
action permit
match protocol udp
match destination-port 53
enable
exit
exit
subscriber-control filters-server-url http://100.123.0.2:7070/filters/file
subscriber-control
aaa das-profile COA
aaa sessions-radius-profile PCRF
aaa services-radius-profile PCRF
nas-ip-address 100.123.0.176
session mac-authentication
bypass-traffic-acl unauthUSER
default-service
class-map unauthUSER
filter-name remote gosuslugi
filter-action permit
default-action redirect http://100.123.0.2:8080/eltex_portal/
exit
enable
exit
snmp-server
snmp-server system-shutdown
snmp-server community "private1" rw
snmp-server community "public11" ro
snmp-server host 100.123.0.2
source-address 100.123.0.176
exit
bridge 10
description "users"
security-zone users
ip address 192.168.132.1/22
ip helper-address 100.123.0.2
service-subscriber-control object-group bras_users
location data10
protected-ports local
enable
exit
interface gigabitethernet 1/0/1.3500
description "UpLink"
security-zone untrusted
ip address 172.31.240.3/29
exit
interface gigabitethernet 1/0/1.2300
description "mgmt"
security-zone trusted
ip address 100.123.0.176/24
exit
interface gigabitethernet 1/0/1.2336
bridge-group 10
exit
interface gigabitethernet 1/0/1.2337
bridge-group 10
exit
security zone-pair users untrusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted self
rule 1
action permit
enable
exit
exit
security zone-pair trusted users
rule 1
action permit
enable
exit
exit
security zone-pair users self
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 2
action permit
match protocol tcp
match destination-port redirect
enable
exit
exit
security zone-pair users trusted
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 2
action permit
match protocol udp
match destination-port dns
enable
exit
exit
nat source
pool nat_addr
ip address-range 172.31.240.3
exit
ruleset nat_source
to zone untrusted
rule 1
match source-address users
action source-nat pool nat_addr
enable
exit
exit
exit
ip dhcp-relay
ip route 0.0.0.0/0 172.31.240.1
ip telnet server
ip ssh server
clock timezone gmt +7
ntp enable
ntp server 100.123.0.2
exit
...