
Сравнение версий



Дефолтная конфигурация для ESR10 OTT

hostname ESR10-OTT-default

object-group network SoftWLC
  ip address-range 192.168.42.178
exit

line console
  aaa disable
exit

security zone trusted
exit
security zone untrusted
exit

snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro
snmp-server community "private1" rw

snmp-server host 192.168.42.178
  source-interface bridge 1
exit

snmp-server enable traps
snmp-server enable traps links
snmp-server enable traps links status
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog

bridge 1
  security-zone trusted
  ip address dhcp
  ip dhcp client ignore dns-nameserver
  ip dhcp client ignore router
  enable
exit

interface gigabitethernet 1/0/1
  description "UPLink"
  ip address dhcp
  security-zone untrusted
exit
interface gigabitethernet 1/0/2
  shutdown
exit
interface gigabitethernet 1/0/3
  shutdown
exit
interface gigabitethernet 1/0/4
  shutdown
exit
interface gigabitethernet 1/0/5
  shutdown
exit
interface gigabitethernet 1/0/6
  shutdown
exit
interface loopback 1
exit
tunnel gre 1
  keepalive dhcp dependent-interface bridge 1
  keepalive dhcp dependent-interface gi1/0/1
  mode ethernet
  local address xauth ipsec_vpn
  remote address xauth ipsec_vpn management-ip
  enable
exit
tunnel gre 1.1
  bridge-group 1
  snmp init-trap
  enable
exit

security zone-pair untrusted self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
exit
security zone-pair trusted self
   rule 1
    action permit
    match source-address SoftWLC
    enable
  exit
exit

access profile acc_p
exit

security ike proposal ike_prop
exit

security ike policy ike_pol
  authentication method xauth-psk-key
  authentication mode client
  proposal ike_prop
exit

security ike gateway ike_gw
  ike-policy ike_pol
  assign-interface loopback 1
  local interface gigabitethernet 1/0/1
  remote network dynamic client
  mode policy-based
  dead-peer-detection action restart
  dead-peer-detection interval 10
exit

security ipsec proposal ipsec_prop
exit

security ipsec policy ipsec_pol
  proposal ipsec_prop
exit


security ipsec vpn ipsec_vpn
  mode ike
  ike establish-tunnel immediate
  ike gateway ike_gw
  ike ipsec-policy ipsec_pol
  enable
exit

ip ssh server
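Review bot: The default template ships a read-write SNMPv2c community (`snmp-server community "private1" rw`, next to `"public11" ro`) and nothing in the section limits which hosts may use it — `snmp-server host 192.168.42.178` only sets the trap destination. Because this is the default config, the same community string is presumably present on every device built from it, and a writable community reachable over the management bridge lets anyone who learns the string change configuration over plaintext SNMP. For a default config either remove the `rw` line, downgrade it to `ro`, or move management to SNMPv3 with authentication, and in any case set the strings per deployment rather than in the template. The same community pair appears in the other three configurations on this page (the of1, custom-config and BR-1 sections), so the fix applies there as well.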


Конфигурация

hostname ESR10-OTT-of1

object-group service dns
   port-range 53
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group service snmp
  port-range 161-162
exit
object-group service redirect
  port-range 3128-3129
  port-range 3130-3131
exit

object-group network natpool
  ip prefix 192.168.1.0/24
exit
object-group network SoftWLC
  ip address-range 192.168.42.178
exit

radius-server timeout 10
radius-server retransmit 5
radius-server host 192.168.42.178
  key ascii-text encrypted 88B11079B9014FAAF7B9
  timeout 11
  priority 20
  source-interface bridge 1
  auth-port 31812
  acct-port 31813
  retransmit 10
   dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 192.168.42.178
exit
das-server COA
  key ascii-text encrypted 88B11079B9014FAAF7B9
  port 3799
  clients object-group SoftWLC
exit
aaa das-profile COA
  das-server COA
exit
line console
  aaa disable
exit

domain lookup enable

security zone trusted
exit
security zone untrusted
exit
security zone user
exit

ip access-list extended WELCOME
  rule 1
    action permit
    match protocol tcp
    match destination-port 443
    enable
  exit
  rule 2
    action permit
    match protocol tcp
    match destination-port 8443
    enable
  exit
  rule 3
    action permit
    match protocol tcp
    match destination-port 80
    enable
  exit
  rule 4
    action permit
    match protocol tcp
    match destination-port 8080
    enable
  exit
exit

ip access-list extended INTERNET
   rule 1
    action permit
    enable
  exit
exit

ip access-list extended unauthUSER
  rule 1
    action permit
    match protocol udp
    match source-port 68
    match destination-port 67
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match destination-port 53
    enable
  exit
exit

subscriber-control filters-server-url http://192.168.42.178:7070/filters/file
subscriber-control
  aaa das-profile COA
  aaa sessions-radius-profile PCRF
  aaa services-radius-profile PCRF
  nas-interface bridge 1
  session mac-authentication
  bypass-traffic-acl unauthUSER
  default-service
    class-map unauthUSER
    filter-name remote gosuslugi
    filter-action permit
    default-action redirect http://192.168.42.178:8080/eltex_portal/
    session-timeout 600
  exit
  enable
exit
snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro
snmp-server community "private1" rw

snmp-server host 192.168.42.178
  source-interface bridge 1
exit

snmp-server enable traps
snmp-server enable traps links
snmp-server enable traps links status
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog

bridge 1
  security-zone trusted
  ip address dhcp
  ip dhcp client ignore dns-nameserver
  ip dhcp client ignore router
  enable
exit
bridge 11
  security-zone user
  ip address 192.168.1.1/24
  service-subscriber-control any
  location SSID12
  enable
exit

interface gigabitethernet 1/0/1
  description "UPLink"
  ip address dhcp
  security-zone untrusted
exit
interface gigabitethernet 1/0/1.701
   bridge-group 11
exit
interface gigabitethernet 1/0/1.702
  bridge-group 11
exit
interface gigabitethernet 1/0/2
   shutdown
exit
interface gigabitethernet 1/0/3
  shutdown
exit
interface gigabitethernet 1/0/4
  shutdown
exit
interface gigabitethernet 1/0/5
  shutdown
exit
interface gigabitethernet 1/0/6
  shutdown
exit
interface loopback 1
exit
tunnel gre 1
  keepalive retries 3
  keepalive dhcp dependent-interface bridge 1
  keepalive dhcp dependent-interface gi1/0/1
  mode ethernet
  local address xauth ipsec_vpn
  remote address xauth ipsec_vpn management-ip
enable
exit
tunnel gre 1.1
   bridge-group 1
  snmp init-trap
  enable
exit

security zone-pair untrusted self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
exit
security zone-pair trusted self
  rule 1
    action permit
    enable
  exit
exit
security zone-pair user untrusted
  rule 10
    action permit
    enable
  exit
exit
security zone-pair user self
  rule 10
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 20
    action permit
    match protocol tcp
    match destination-port redirect
    enable
  exit
  rule 30
    action permit
    match protocol udp
    match destination-port dns
    enable
  exit
exit

access profile acc_p
exit

security ike proposal ike_prop
exit

security ike policy ike_pol
  authentication method xauth-psk-key
  authentication mode client
  proposal ike_prop
exit

security ike gateway ike_gw
  ike-policy ike_pol
  assign-interface loopback 1
  local interface gigabitethernet 1/0/1
  remote network dynamic client
  mode policy-based
  dead-peer-detection action restart
  dead-peer-detection interval 10
exit

security ipsec proposal ipsec_prop
exit

security ipsec policy ipsec_pol
  proposal ipsec_prop
exit

security ipsec vpn ipsec_vpn
  mode ike
  ike establish-tunnel immediate
  ike gateway ike_gw
  ike ipsec-policy ipsec_pol
  enable
exit

nat source
  ruleset NAT
    to interface gigabitethernet 1/0/1
    rule 10
      match source-address natpool
      action source-nat interface
      enable
    exit
   exit
exit

ip dhcp-server
ip dhcp-server pool lan
  network 192.168.1.0/24
  max-lease-time 000:00:20
  default-lease-time 000:00:10
  address-range 192.168.1.2-192.168.1.254
  default-router 192.168.1.1
  dns-server 192.168.1.1
exit

ip ssh server

clock timezone gmt +7

ntp enable
ntp server 100.123.0.2
exit
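Review bot: `security zone-pair trusted self` in this section permits everything from the trusted zone to the router itself — `rule 1` contains only `action permit` and `enable` — whereas the default template scopes the same rule with `match source-address SoftWLC`. Since `bridge 1` is in zone `trusted` and `tunnel gre 1.1` is a member of that bridge, this exposes the management services enabled here (SSH, SNMP) to any host that can reach bridge 1 through the tunnel rather than to the SoftWLC address only; unless the wider reach is intended, add `match source-address SoftWLC` back under the rule. The BR-1 configuration further down on this page has the same unrestricted `trusted self` rule. Separately, the same encrypted key string is configured for both `radius-server host` and `das-server COA`; if that is one shared secret, compromise of either service exposes the other, so distinct keys are preferable.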


snmp-server enable traps
snmp-server enable traps links
snmp-server enable traps links status
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog

bridge 1 
#bridge 1 всегда будет использоваться для управления, настройки всегда должны быть таким
  security-zone trusted
  ip address dhcp
  ip dhcp client ignore router
  enable
exit

interface gigabitethernet 1/0/1 
#Интерфейс gi1/0/1 всегда будет использоваться как аплинк, настройки всегда должны быть такими
  description "UPLink"
  ip address dhcp
  security-zone untrusted
exit
interface gigabitethernet 1/0/2
  shutdown
exit
interface gigabitethernet 1/0/3
  shutdown
exit
interface gigabitethernet 1/0/4
  shutdown
exit
interface gigabitethernet 1/0/5
  shutdown
exit
interface gigabitethernet 1/0/6
  shutdown
exit
interface loopback 1
exit
tunnel gre 1 #Номер GRE тунеля зарезервирован - изменять нельзя
  mtu 1356 
#не указываем - получим от SA (ipsec gre-mtu-offset)
  keepalive retries 3 
#не указыаем - получим от SA (ipsec gre-ping-counter)
  keepalive dst-address 10.2.0.1 
#не указываем - получим по DHCP в 43 опции 15 подопции
  keepalive dhcp dependent-interface bridge 1
  keepalive dhcp dependent-interface gi1/0/1
  keepalive enable 
#не указыаем - GRE keepalive будет включен автоматически. при получении по DHCP в 43 опции 15 подопции
  mode ethernet
  local address xauth ipsec_vpn 
#адрес будет получен по mode-cfg при установке IPsec соединения, имя IPsec VPN зарезервировано и его изменять нельзя
  remote address xauth ipsec_vpn management-ip 
#адрес будет получен по mode-cfg при установке IPsec соединения, имя IPsec VPN зарезервировано и его изменять нельзя
  enable
exit
tunnel gre 1.1 #Номер sub-GRE тунеля зарезервирован - изменять нельзя
  bridge-group 1
  mtu 1352 
#не указываем - получим от SA (ipsec gre-mtu-offset)
  snmp init-trap
  enable
exit

security zone-pair untrusted self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
exit
security zone-pair trusted self
  rule 1
    action permit
    match source-address SoftWLC

    enable
  exit
exit

access profile acc_p 
#имя зарезервировано, изменять нельзя
  user a8:f9:4b:ab:81:20 
#не указываем - получим от SA (ipsec xauth-user)
    password ascii-text encrypted 9FB30B49E43D47FAC32E0994C89C75B81313F0F038CC02FC 
# не указываем - получим от SA (ipsec xauth-password)
  exit
exit

security ike proposal ike_prop 
#имя зарезервировано, изменять нельзя
  authentication algorithm md5 
#не указываем - получим от SA (ipsec auth-alg)
  encryption algorithm aes128
 #не указываем - получим от SA (ipsec encrypt-alg)
  dh-group 1
 #не указываем - получим от SA (ipsec dh-group)
exit

security ike policy ike_pol 
#имя зарезервировано, изменять нельзя
  lifetime seconds 86400 
#не указываем - получим от SA (ipsec lifetime)
  pre-shared-key ascii-text testing123 
#не указываем - получим от SA (ipsec password)
  authentication method xauth-psk-key
  authentication mode client
  proposal ike_prop
exit

security ike gateway ike_gw 
#имя зарезервировано, изменять нельзя
  ike-policy ike_pol
  assign-interface loopback 1
  local interface gigabitethernet 1/0/1
  remote address 100.64.0.1 
#не указываем - получим от SA (ipsec remote-gateway)
  remote network dynamic client
  mode policy-based
  dead-peer-detection action restart
  dead-peer-detection interval 10
  dead-peer-detection timeout 60 
#не указываем - получим от SA (ipsec dpd-delay)
  xauth access-profile acc_p client a8:f9:4b:ab:81:20 
#не указываем - будет сформировано на основе полученного от SA xauth-user
exit

security ipsec proposal ipsec_prop 
#имя зарезервировано, изменять нельзя
  authentication algorithm md5 
#не указываем - получим от SA (ipsec sa-auth-alg)
  encryption algorithm aes128 
#не указываем - получим от SA (ipsec sa-encrypt-alg)
exit

security ipsec policy ipsec_pol 
#имя зарезервировано, изменять нельзя
  lifetime seconds 3600 
#не указываем - получим от SA (ipsec sa-lifetime)
  proposal ipsec_prop

exit


Конфигурация в custom-config

hostname ESR10-OTT

object-group network SoftWLC
  ip address-range 100.123.0.2
exit

syslog console debug
syslog monitor info

line console

  aaa disable

exit


security zone trusted
exit
security zone untrusted
exit

snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro
snmp-server community "private1" rw

snmp-server host 100.123.0.2

source-interface bridge 1
exit



snmp-server enable traps
snmp-server enable traps links
snmp-server enable traps links status
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog

bridge 1

  security-zone trusted
  ip address dhcp
  ip dhcp client ignore router
  enable
exit

interface gigabitethernet 1/0/1

  description "UPLink"
  ip address dhcp
  security-zone untrusted
  service-policy dynamic all
exit
interface gigabitethernet 1/0/2
  shutdown
exit
interface gigabitethernet 1/0/3
  shutdown
exit
interface gigabitethernet 1/0/4
  shutdown
exit
interface gigabitethernet 1/0/5
  shutdown
exit
interface gigabitethernet 1/0/6
  shutdown
exit
interface loopback 1
exit
tunnel gre 1
  keepalive dhcp dependent-interface bridge 1
  keepalive dhcp dependent-interface gi1/0/1
 
mode ethernet
  local address xauth ipsec_vpn

  remote address xauth ipsec_vpn management-ip

  enable
exit
tunnel gre 1.1
  bridge-group 1

  snmp init-trap
  enable
exit

security zone-pair untrusted self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
exit
security zone-pair trusted self
  rule 1
    action permit
    match source-address SoftWLC

    enable
  exit
exit

access profile acc_p

exit

security ike proposal ike_prop

exit

security ike policy ike_pol

  authentication method xauth-psk-key
  authentication mode client
  proposal ike_prop
exit

security ike gateway ike_gw

  ike-policy ike_pol
  assign-interface loopback 1
  local interface gigabitethernet 1/0/1

  remote network dynamic client
  mode policy-based
  dead-peer-detection action restart
  dead-peer-detection interval 10
exit

security ipsec proposal ipsec_prop

exit

security ipsec policy ipsec_pol

 
  proposal ipsec_prop
exit



security ipsec vpn ipsec_vpn

  mode ike
  ike establish-tunnel immediate
  ike gateway ike_gw
  ike ipsec-policy ipsec_pol
  enable
exit

ip ssh server
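Review bot: `syslog console debug` near the top of this section enables debug-level logging on the console for a production custom-config, which is noisy and may expose session and authentication detail to anyone at the console; `info`, the level already chosen for `syslog monitor`, is the safer default unless a debugging session is in progress. This variant also drops `ip dhcp client ignore dns-nameserver` from `bridge 1` (the default template has it), so the management bridge will accept DNS servers from its DHCP lease — confirm that is intended. The blank lines inside blocks and the un-indented `mode ethernet` under `tunnel gre 1` and `source-interface bridge 1` under `snmp-server host` look like artifacts of the version comparison rather than configuration changes, but verify that before pasting this section into a device.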


Конфигурация

hostname ESR10-OTT-BR-1

ip firewall sessions classification enable
object-group service dns
   port-range 53
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group service redirect
port-range 3128-3129
port-range 3130-3131
exit

object-group network natpool
   ip prefix 198.19.253.0/24
exit
object-group network SoftWLC
  ip address-range 192.168.42.178
exit

radius-server timeout 10
radius-server retransmit 5
radius-server host 192.168.42.178
  key ascii-text encrypted 88B11079B9014FAAF7B9
  timeout 11
  priority 20
  source-interface bridge 1
  auth-port 31812
  acct-port 31813
  retransmit 10
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 192.168.42.178
exit
das-server COA
  key ascii-text encrypted 88B11079B9014FAAF7B9
  port 3799
  clients object-group SoftWLC
exit
aaa das-profile COA
  das-server COA
exit

line console
  aaa disable
exit

domain lookup enable

security zone trusted
exit
security zone untrusted
exit
security zone user
exit

ip access-list extended WELCOME
  rule 1
    action permit
    match protocol tcp
    match destination-port 443
    enable
  exit
  rule 2
    action permit
    match protocol tcp
    match destination-port 8443
    enable
  exit
  rule 3
    action permit
    match protocol tcp
    match destination-port 80
    enable
  exit
  rule 4
    action permit
    match protocol tcp
    match destination-port 8080
   enable
 exit
exit

ip access-list extended INTERNET
  rule 1
    action permit
    enable
  exit
exit

ip access-list extended unauthUSER
  rule 1
    action permit
    match protocol udp
    match source-port 68
    match destination-port 67
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match destination-port 53
    enable
  exit
exit

subscriber-control filters-server-url http://192.168.42.178:7070/filters/file
subscriber-control
  aaa das-profile COA
  aaa sessions-radius-profile PCRF
  aaa services-radius-profile PCRF
  nas-interface bridge 1
  session mac-authentication
  bypass-traffic-acl unauthUSER
  default-service
    class-map unauthUSER
    filter-name remote gosuslugi
    filter-action permit
    default-action redirect http://192.168.42.178:8080/eltex_portal/
    session-timeout 600
  exit
  enable
exit
snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro
snmp-server community "private1" rw

snmp-server host 192.168.42.178
  source-interface bridge 1
exit

snmp-server enable traps
snmp-server enable traps links
snmp-server enable traps links status
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart

bridge 1
  security-zone trusted
  ip address dhcp
  ip dhcp client ignore dns-nameserver
  ip dhcp client ignore router
  enable
exit
bridge 11
  security-zone user
  ip address 198.19.253.1/24
  service-subscriber-control any
  location SSID12
  enable
exit

interface gigabitethernet 1/0/1
  description "UPLink"
  ip address dhcp
  security-zone untrusted
  service-policy dynamic all
exit
interface gigabitethernet 1/0/1.2314
  bridge-group 11
exit
interface gigabitethernet 1/0/1.2315
  bridge-group 11
exit
interface gigabitethernet 1/0/2
  shutdown
exit
interface gigabitethernet 1/0/3
  shutdown
exit
interface gigabitethernet 1/0/4
  shutdown
exit
interface gigabitethernet 1/0/5
  shutdown
exit
interface gigabitethernet 1/0/6
  shutdown
exit
interface loopback 1
exit
tunnel gre 1
  keepalive retries 3
  keepalive dhcp dependent-interface bridge 1
  keepalive dhcp dependent-interface gi1/0/1
  mode ethernet
  local address xauth ipsec_vpn
  remote address xauth ipsec_vpn management-ip
  enable
exit
tunnel gre 1.1
  bridge-group 1
  snmp init-trap
  enable
exit

security zone-pair untrusted self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
exit
security zone-pair trusted self
   rule 1
    action permit
   enable
  exit
exit
security zone-pair user untrusted
  rule 10
    action permit
    enable
  exit
exit
security zone-pair user self
  rule 10
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 20
    action permit
    match protocol tcp
    match destination-port redirect
    enable
  exit
  rule 30
    action permit
    match protocol udp
    match destination-port dns
    enable
  exit
exit

access profile acc_p
exit

security ike proposal ike_prop
exit

security ike policy ike_pol
  authentication method xauth-psk-key
  authentication mode client
  proposal ike_prop
exit

security ike gateway ike_gw
  ike-policy ike_pol
  assign-interface loopback 1
  local interface gigabitethernet 1/0/1
  remote network dynamic client
  mode policy-based
  dead-peer-detection action restart
  dead-peer-detection interval 10
exit

security ipsec proposal ipsec_prop
exit

security ipsec policy ipsec_pol
  proposal ipsec_prop
exit

security ipsec vpn ipsec_vpn
  mode ike
  ike establish-tunnel immediate
  ike gateway ike_gw
  ike ipsec-policy ipsec_pol
  enable
exit

nat source
  ruleset NAT
    to interface gigabitethernet 1/0/1
    rule 10
      match source-address natpool
      action source-nat interface

      enable
    exit
  exit
exit

ip dhcp-server
  ip dhcp-server pool lan
  network 198.19.253.0/24
  max-lease-time 000:00:20
  default-lease-time 000:00:10
  address-range 198.19.253.2-198.19.253.254
  default-router 198.19.253.1
  dns-server 198.19.253.1
exit

ip ssh server

clock timezone gmt +7

ntp enable
ntp server 192.168.42.178
exit

...

Конфигурация
hostname ESR10-OTT-BR

ip firewall sessions classification enable
root login enable
tech-support login enable
object-group service dns
  port-range 53
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group service redirect
  port-range 3128-3129
  port-range 3130-3131
exit

object-group network natpool
  ip prefix 198.19.253.0/24
exit
object-group network SoftWLC
  ip address-range 192.168.42.178
exit

vlan 701
exit

radius-server timeout 10
radius-server retransmit 5
radius-server host 192.168.42.178
  key ascii-text encrypted 88B11079B9014FAAF7B9
  timeout 11
  priority 20
  source-interface bridge 1
  auth-port 31812
  acct-port 31813
  retransmit 10
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 192.168.42.178
exit
das-server COA
  key ascii-text encrypted 88B11079B9014FAAF7B9
  port 3799
  clients object-group SoftWLC
exit
aaa das-profile COA
  das-server COA
exit

line console
  aaa disable
exit

domain lookup enable

security zone trusted
exit
security zone untrusted
exit
security zone user
exit

ip access-list extended WELCOME
  rule 1
    action permit
    match protocol tcp
    match destination-port 443
    enable
  exit
  rule 2
    action permit
    match protocol tcp
    match destination-port 8443
    enable
  exit
  rule 3
    action permit
    match protocol tcp
    match destination-port 80
    enable
  exit
  rule 4
    action permit
    match protocol tcp
    match destination-port 8080
    enable
  exit
exit
ip access-list extended INTERNET
  rule 1
    action permit
    enable
  exit
exit

ip access-list extended unauthUSER
  rule 1
    action permit
    match protocol udp
    match source-port 68
    match destination-port 67
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match destination-port 53
    enable
  exit
exit

subscriber-control filters-server-url http://192.168.42.178:7070/filters/file
subscriber-control
  aaa das-profile COA
  aaa sessions-radius-profile PCRF
  aaa services-radius-profile PCRF
  nas-interface bridge 1
  session mac-authentication
  bypass-traffic-acl unauthUSER
  default-service
    class-map unauthUSER
    filter-name remote gosuslugi
    filter-action permit
    default-action redirect http://192.168.42.178:8080/eltex_portal/
    session-timeout 600
  exit
  enable
exit
snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro
snmp-server community "private1" rw

snmp-server host 192.168.42.178
  source-interface bridge 1
exit

snmp-server enable traps
snmp-server enable traps links
snmp-server enable traps links status
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart

bridge 1
  security-zone trusted
  ip address dhcp
  ip dhcp client ignore dns-nameserver
  ip dhcp client ignore router
  enable
exit
bridge 2
  vlan 701
  security-zone user
  ip address 198.19.253.1/24
  service-subscriber-control any
  location SSID12
  enable
exit

interface gigabitethernet 1/0/1
  description "UPLink"
  ip address dhcp
  security-zone untrusted
  service-policy dynamic all
exit
interface gigabitethernet 1/0/2.702
  bridge-group 2
exit
interface gigabitethernet 1/0/3
  mode switchport
  switchport access vlan 701
exit
interface gigabitethernet 1/0/4
  shutdown
exit
interface gigabitethernet 1/0/5
  shutdown
exit
interface gigabitethernet 1/0/6
  shutdown
exit
interface loopback 1
exit
tunnel gre 1
  keepalive retries 3
  keepalive dhcp dependent-interface bridge 1
  keepalive dhcp dependent-interface gi1/0/1
  mode ethernet
  local address xauth ipsec_vpn
  remote address xauth ipsec_vpn management-ip
  enable
exit
tunnel gre 1.1
  bridge-group 1
  snmp init-trap
  enable
exit

security zone-pair untrusted self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
exit
security zone-pair trusted self
  rule 1
    action permit
    enable
  exit
exit
security zone-pair user untrusted
  rule 10
    action permit
    enable
  exit
exit
security zone-pair user self
  rule 10
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 20
    action permit
    match protocol tcp
    match destination-port redirect
    enable
  exit
  rule 30
    action permit
    match protocol udp
    match destination-port dns
    enable
  exit
exit

access profile acc_p
exit

security ike proposal ike_prop
exit

security ike policy ike_pol
  authentication method xauth-psk-key
  authentication mode client
  proposal ike_prop
exit

security ike gateway ike_gw
  ike-policy ike_pol
  assign-interface loopback 1
  local interface gigabitethernet 1/0/1
  remote network dynamic client
  mode policy-based
  dead-peer-detection action restart
  dead-peer-detection interval 10
  dead-peer-detection timeout 60
exit

security ipsec proposal ipsec_prop
exit

security ipsec policy ipsec_pol
  proposal ipsec_prop
exit

security ipsec vpn ipsec_vpn
  mode ike
  ike establish-tunnel immediate
  ike gateway ike_gw
  ike ipsec-policy ipsec_pol
  enable
exit

nat source
  ruleset NAT
    to interface gigabitethernet 1/0/1
    rule 10
      match source-address natpool
      action source-nat interface
      enable
    exit
  exit
exit

ip dhcp-server
ip dhcp-server pool lan
  network 198.19.253.0/24
  max-lease-time 000:00:20
  default-lease-time 000:00:10
  address-range 198.19.253.2-198.19.253.254
  default-router 198.19.253.1
  dns-server 198.19.253.1
exit

ip telnet server
ip ssh server

clock timezone gmt +7

ntp enable
ntp server 192.168.42.178
exit
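Review bot: `ip telnet server`, set next to `ip ssh server` near the end of this configuration, enables a cleartext management service that the default-configuration block above does not have; unless telnet is needed for something SSH cannot do on this device, drop that line and keep `ip ssh server` alone so administrative logins only run over SSH. The `rw` SNMP community `"private1"` and the `key ascii-text encrypted` values of the `radius-server host` and `das-server COA` blocks are reproduced verbatim on this wiki page, so they should be treated as example values and replaced on any device built from it. `root login enable` and `tech-support login enable` appear to enable additional privileged local accounts; if that reading is correct, a short note on why the BR device needs them would help, since the default configuration does not set them. Rule 10 of `security zone-pair user untrusted` permits all traffic with no match clause, which is consistent with the subscriber-control/BRAS design doing the filtering, but that intent is worth stating next to the rule.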

...