
...

cluster
  cluster-interface bridge 1
  unit 1
    mac-address e4:5a:d4:a0:be:35
  exit
  unit 2
    mac-address a8:f9:4b:af:35:84
  exit
  enable
exit

hostname wlc-1 
hostname wlc-1 unit 1
hostname wlc-2 unit 2

object-group service airtune
  port-range 8099
exit
object-group service dhcp_client
  port-range 68
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dns
  port-range 53
exit
object-group service netconf
  port-range 830
exit
object-group service ntp
  port-range 123
exit
object-group service radius_auth
  port-range 1812
exit
object-group service sa
  port-range 8043-8044
exit
object-group service ssh
  port-range 22
exit
object-group service sync
  port-range 873
exit
object-group service journal_sync
  port-range 5432
exit

syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
  severity info
exit

radius-server local
  nas ap
    key ascii-text password
    network 192.168.1.0/24
  exit
  nas local
    key ascii-text password
    network 127.0.0.1/32
  exit
  domain default
    user test
      password ascii-text password1
    exit
  exit
  virtual-server default
    enable
  exit
  enable
exit
radius-server host 127.0.0.1
  key ascii-text password
exit
aaa radius-profile default_radius
  radius-server host 127.0.0.1
exit

boot host auto-config
boot host auto-update

vlan 3
  force-up
exit
vlan 2449
  force-up
exit
vlan 2
exit

no spanning-tree

domain lookup enable

security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp
  enable
exit
bridge 2
  vlan 2
  security-zone untrusted
  ip address dhcp
  no spanning-tree
  enable
exit
bridge 3
  vlan 3
  mtu 1458
  security-zone users
  ip address 192.168.2.1/24
  no spanning-tree
  enable
exit
bridge 5
  vlan 2449
  security-zone trusted
  ip address 192.168.1.3/24 unit 1
  ip address 192.168.1.2/24 unit 2
  vrrp id 2
  vrrp ip 192.168.1.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
interface gigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 1/0/2
  description "Local"
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/4
  mode switchport
exit
interface tengigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
  mode switchport
exit
interface gigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 2/0/2
  description "Local"
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/4
  mode switchport
exit
interface tengigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
  mode switchport
exit

tunnel softgre 1
  mode data
  local address 192.168.1.1
  default-profile
  enable
exit

security zone-pair trusted self
  rule 10
    action permit
    match protocol tcp
    match destination-port object-group ssh
    enable
  exit
  rule 20
    action permit
    match protocol icmp
    enable
  exit
  rule 30
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group ntp
    enable
  exit
  rule 50
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 60
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
  rule 70
    action permit
    match protocol tcp
    match destination-port object-group netconf
    enable
  exit
  rule 80
    action permit
    match protocol tcp
    match destination-port object-group sa
    enable
  exit
  rule 90
    action permit
    match protocol udp
    match destination-port object-group radius_auth
    enable
  exit
  rule 100
    action permit
    match protocol gre
    enable
  exit
  rule 110
    action permit
    match protocol tcp
    match destination-port object-group airtune
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match source-port object-group dhcp_server
    match destination-port object-group dhcp_client
    enable
  exit
exit
security zone-pair users self
  rule 10
    action permit
    match protocol icmp
    enable
  exit
  rule 20
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 30
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
exit
security zone-pair users untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit

security passwords default-expired

nat source
  ruleset factory
    to zone untrusted
    rule 10
      description "replace 'source ip' by outgoing interface ip address"
      action source-nat interface
      enable
    exit
  exit
exit

ip dhcp-server
ip dhcp-server pool ap-pool
  network 192.168.1.0/24
  address-range 192.168.1.4-192.168.1.254
  default-router 192.168.1.1
  dns-server 192.168.1.1
  option 42 ip-address 192.168.1.1
  vendor-specific
    suboption 12 ascii-text "192.168.1.1"
    suboption 15 ascii-text "https://192.168.1.1:8043"
  exit
exit
ip dhcp-server pool users-pool
  network 192.168.2.0/24
  address-range 192.168.2.4-192.168.2.254
  default-router 192.168.2.1
  dns-server 192.168.2.1
exit

softgre-controller
  nas-ip-address 127.0.0.1
  data-tunnel configuration wlc
  aaa radius-profile default_radius
  keepalive-disable
  service-vlan add 3
  enable
exit

wlc
  outside-address 192.168.1.1
  service-activator
    aps join auto
  exit
  airtune
    enable
  exit
  ap-location default-location
    description "default-location"
    mode tunnel
    ap-profile default-ap
    ssid-profile default-ssid
  exit
  ssid-profile default-ssid
    description "default-ssid"
    ssid "default-ssid"
    radius-profile default-radius
    vlan-id 3
    security-mode WPA2_1X
    802.11kv
    band 2g
    band 5g
    enable
  exit
  ap-profile default-ap
    password ascii-text password
  exit
  radius-profile default-radius
    auth-address 192.168.1.1
    auth-password ascii-text password
    domain default
  exit
  ip-pool default-ip-pool
    description "default-ip-pool"
    ap-location default-location
  exit
  enable
exit

ip ssh server

clock timezone gmt +7

ntp enable
ntp server 100.110.0.65
  minpoll 1
  maxpoll 4
exit

...

Создайте object-group для открытия в настройках Firewall порта, через который синхронизируются журналы WLC (TCP 5432). Этот порт нужен только для обмена между узлами кластера, поэтому разрешающее правило должно действовать только для трафика между ними (например, в zone-pair SYNC self), а не для всей зоны trusted:

wlc-1(config)# object-group service journal_sync

Укажите TCP-порт 5432, который используется для синхронизации журналов WLC:

wlc-1(config-object-group-service)# port-range 5432
wlc-1(config-object-group-service)# exit

Создайте object-group для открытия в настройках Firewall порта, через который синхронизируются туннели SoftGRE. Разрешайте этот порт только с адресов соседнего узла кластера, а не для всей зоны целиком:

wlc-1(config)# object-group service softgre_controller

...

wlc-1(config-security-zone-pair-rule)# match protocol vrrp

Включите правило:

wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit

Создайте правило:

wlc-1(config-security-zone-pair)# rule 12

Укажите действие правила разрешение:

wlc-1(config-security-zone-pair-rule)# action permit

Укажите совпадение по протоколу TCP:

wlc-1(config-security-zone-pair-rule)# match protocol tcp


Укажите совпадение по порту назначения, в качестве которого выступает object-group:

wlc-1(config-security-zone-pair-rule)# match destination-port object-group sync

Включите правило:

wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit

Перейдите в конфигурацию пары зон (security zone-pair) SYNC → self и откройте порты для синхронизации сертификатов, SoftGRE-туннелей и журналов WLC между узлами кластера:

wlc-1(config)# security zone-pair SYNC self

Создайте новое правило:

wlc-1(config-security-zone-pair)# rule 4

Укажите действие правила разрешение:

...

wlc-1(config-security-zone-pair-rule)# match protocol tcp


Укажите совпадение по порту назначения, в качестве которого выступает object-group:

wlc-1(config-security-zone-pair-rule)# match destination-port object-group softgre_controller


Включите правило:

wlc-1(config-security-zone-pair-rule)# enable
wlc-1(config-security-zone-pair-rule)# exit
wlc-1(config-security-zone-pair)# exit

Перейдите в конфигурацию пары зон (security zone-pair) SYNC → self и откройте порт для синхронизации журналов WLC между узлами кластера:

wlc-1(config)# security zone-pair SYNC self

Создайте новое правило:

wlc-1(config-security-zone-pair)# rule 10

Укажите действие правила разрешение:

...

wlc-1(config-security-zone-pair-rule)# match destination-port object-group journal_sync


Включите правило:

...

cluster
  cluster-interface bridge 1
  unit 1
    mac-address e4:5a:d4:a0:be:35
  exit
  unit 2
    mac-address a8:f9:4b:af:35:84
  exit
  enable
exit

hostname wlc-1 
hostname wlc-1 unit 1
hostname wlc-2 unit 2

object-group service airtune
  port-range 8099
exit
object-group service dhcp_client
  port-range 68
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dns
  port-range 53
exit
object-group service netconf
  port-range 830
exit
object-group service ntp
  port-range 123
exit
object-group service radius_auth
  port-range 1812
exit
object-group service sa
  port-range 8043-8044
exit
object-group service ssh
  port-range 22
exit
object-group service sync
  port-range 873
exit
object-group service journal_sync
  port-range 5432
exit
object-group service softgre_controller
  port-range 1337
exit
object-group service FAILOVER
  port-range 9999
exit
object-group network SYNC_SRC
  ip address-range 198.51.100.254 unit 1
  ip address-range 198.51.100.253 unit 2
exit
object-group network SYNC_DST
  ip address-range 198.51.100.253 unit 1
  ip address-range 198.51.100.254 unit 2
exit

syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
  severity info
exit

radius-server local
  nas ap
    key ascii-text password
    network 192.168.1.0/24
  exit
  nas local
    key ascii-text password
    network 127.0.0.1/32
  exit
  domain default
    user test
      password ascii-text password1
    exit
  exit
  virtual-server default
    enable
  exit
  enable
exit
radius-server host 127.0.0.1
  key ascii-text password
exit
aaa radius-profile default_radius
  radius-server host 127.0.0.1
exit

boot host auto-config
boot host auto-update

vlan 3
  force-up
exit
vlan 2449
  force-up
exit
vlan 2
exit

no spanning-tree

domain lookup enable

security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp
  enable
exit
bridge 2
  vlan 2
  security-zone untrusted
  ip address dhcp
  no spanning-tree
  enable
exit
bridge 3
  vlan 3
  mtu 1458
  security-zone users
  ip address 192.168.2.3/24 unit 1
  ip address 192.168.2.2/24 unit 2
  vrrp id 3
  vrrp ip 192.168.2.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
bridge 5
  vlan 2449
  security-zone trusted
  ip address 192.168.1.3/24 unit 1
  ip address 192.168.1.2/24 unit 2
  vrrp id 2
  vrrp ip 192.168.1.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
interface gigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 1/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/4
  mode switchport
exit
interface tengigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
  mode switchport
exit
interface gigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 2/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/4
  mode switchport
exit
interface tengigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
  mode switchport
exit

tunnel softgre 1
  mode data
  local address 192.168.1.1
  default-profile
  enable
exit

ip failover
  local-address object-group SYNC_SRC
  remote-address object-group SYNC_DST
  vrrp-group 1
exit

security zone-pair trusted self
  rule 10
    action permit
    match protocol tcp
    match destination-port object-group ssh
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 12
    action permit
    match protocol tcp
    match destination-port object-group sync
    enable
  exit
  rule 20
    action permit
    match protocol icmp
    enable
  exit
  rule 30
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group ntp
    enable
  exit
  rule 50
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 60
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
  rule 70
    action permit
    match protocol tcp
    match destination-port object-group netconf
    enable
  exit
  rule 80
    action permit
    match protocol tcp
    match destination-port object-group sa
    enable
  exit
  rule 90
    action permit
    match protocol udp
    match destination-port object-group radius_auth
    enable
  exit
  rule 100
    action permit
    match protocol gre
    enable
  exit
  rule 110
    action permit
    match protocol tcp
    match destination-port object-group airtune
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match source-port object-group dhcp_server
    match destination-port object-group dhcp_client
    enable
  exit
exit
security zone-pair users self
  rule 10
    action permit
    match protocol icmp
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 20
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 30
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
exit
security zone-pair users untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
  rule 4
    action permit
    match protocol tcp
    match destination-port object-group softgre_controller
    enable 
  exit
  rule 5
    action permit
    match protocol udp
    match destination-port object-group FAILOVER
    enable
  exit
 rule 10
    action permit
    match protocol tcp
    match destination-port object-group journal_sync
    enable
  exit
exit

security passwords default-expired

nat source
  ruleset factory
    to zone untrusted
    rule 10
      description "replace 'source ip' by outgoing interface ip address"
      action source-nat interface
      enable
    exit
  exit
exit

ip dhcp-server
ip dhcp-server pool ap-pool
  network 192.168.1.0/24
  address-range 192.168.1.4-192.168.1.254
  default-router 192.168.1.1
  dns-server 192.168.1.1
  option 42 ip-address 192.168.1.1
  vendor-specific
    suboption 12 ascii-text "192.168.1.1"
    suboption 15 ascii-text "https://192.168.1.1:8043"
  exit
exit
ip dhcp-server pool users-pool
  network 192.168.2.0/24
  address-range 192.168.2.4-192.168.2.254
  default-router 192.168.2.1
  dns-server 192.168.2.1
exit
ip dhcp-server failover
  mode active-standby
  enable
exit

softgre-controller
  nas-ip-address 127.0.0.1
  failover
  data-tunnel configuration wlc
  aaa radius-profile default_radius
  keepalive-disable
  service-vlan add 3
  enable
exit

wlc
  outside-address 192.168.1.1
  service-activator
    aps join auto
  exit
  airtune
    enable
  exit
  failover
  ap-location default-location
    description "default-location"
    mode tunnel
    ap-profile default-ap
    ssid-profile default-ssid
  exit
  ssid-profile default-ssid
    description "default-ssid"
    ssid "default-ssid"
    radius-profile default-radius
    vlan-id 3
    security-mode WPA2_1X
    802.11kv
    band 2g
    band 5g
    enable
  exit
  ap-profile default-ap
    password ascii-text password
  exit
  radius-profile default-radius
    auth-address 192.168.1.1
    auth-password ascii-text password
    domain default
  exit
  ip-pool default-ip-pool
    description "default-ip-pool"
    ap-location default-location
  exit
  enable
exit

ip ssh server

clock timezone gmt +7

ntp enable
ntp server 100.110.0.65
  minpoll 1
  maxpoll 4
exit

crypto-sync
  remote-delete
  enable
exit

...

cluster
  cluster-interface bridge 1
  unit 1
    mac-address e4:5a:d4:a0:be:35
  exit
  unit 2
    mac-address a8:f9:4b:af:35:84
  exit
  enable
exit

hostname wlc-1 
hostname wlc-1 unit 1
hostname wlc-2 unit 2

object-group service airtune
  port-range 8099
exit
object-group service dhcp_client
  port-range 68
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dns
  port-range 53
exit
object-group service netconf
  port-range 830
exit
object-group service ntp
  port-range 123
exit
object-group service radius_auth
  port-range 1812
exit
object-group service sa
  port-range 8043-8044
exit
object-group service ssh
  port-range 22
exit
object-group service sync
  port-range 873
exit
object-group service journal_sync
  port-range 5432
exit
object-group service softgre_controller
  port-range 1337
exit
object-group network SYNC_SRC
  ip address-range 198.51.100.254 unit 1
  ip address-range 198.51.100.253 unit 2
exit
object-group network SYNC_DST
  ip address-range 198.51.100.253 unit 1
  ip address-range 198.51.100.254 unit 2
exit

syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
  severity info
exit

radius-server local
  nas ap
    key ascii-text password
    network 192.168.1.0/24
  exit
  nas local
    key ascii-text password
    network 127.0.0.1/32
  exit
  domain default
    user test
      password ascii-text password1
    exit
  exit
  virtual-server default
    enable
  exit
  enable
exit
radius-server host 127.0.0.1
  key ascii-text password
exit
aaa radius-profile default_radius
  radius-server host 127.0.0.1
exit

boot host auto-config
boot host auto-update

vlan 3
  force-up
exit
vlan 2449
  force-up
exit
vlan 2
exit
vlan 20
exit

no spanning-tree

domain lookup enable

security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp
  enable
exit
bridge 2
  description "ISP1_ISP2"
  vlan 2
  security-zone untrusted
  ip address 192.0.3.4/24 unit 1
  ip address 192.0.3.3/24 unit 2
  vrrp id 4
  vrrp ip 192.0.3.2/24
  vrrp group 1
  vrrp
  no spanning-tree
  enable 
exit
bridge 3
  vlan 3
  mtu 1458
  security-zone users
  ip address 192.168.2.3/24 unit 1
  ip address 192.168.2.2/24 unit 2
  vrrp id 3
  vrrp ip 192.168.2.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
bridge 5
  vlan 2449
  security-zone trusted
  ip address 192.168.1.3/24 unit 1
  ip address 192.168.1.2/24 unit 2
  vrrp id 2
  vrrp ip 192.168.1.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
 bridge 20
  description "ISP1_ISP2"
  vlan 20
  security-zone untrusted
  ip address 192.0.4.4/24 unit 1
  ip address 192.0.4.3/24 unit 2
  vrrp id 4
  vrrp ip 192.0.4.2/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable  
exit

interface gigabitethernet 1/0/1
  mode switchport
  switchport trunk allowed vlan add 2,20
exit
interface gigabitethernet 1/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/4
  mode switchport
exit
interface tengigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
  mode switchport
exit
interface gigabitethernet 2/0/1
  mode switchport
  switchport trunk allowed vlan add 2,20
exit
interface gigabitethernet 2/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/4
  mode switchport
exit
interface tengigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
  mode switchport
exit

tunnel softgre 1
  mode data
  local address 192.168.1.1
  default-profile
  enable
exit

ip failover
  local-address object-group SYNC_SRC
  remote-address object-group SYNC_DST
  vrrp-group 1
exit

security zone-pair trusted self
  rule 10
    action permit
    match protocol tcp
    match destination-port object-group ssh
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 12
    action permit
    match protocol tcp
    match destination-port object-group softgre_controller
    enable
  exit
  rule 13
    action permit
    match protocol tcp
    match destination-port object-group sync
    enable
  exit
  rule 20
    action permit
    match protocol icmp
    enable
  exit
  rule 30
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group ntp
    enable
  exit
  rule 50
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 60
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
  rule 70
    action permit
    match protocol tcp
    match destination-port object-group netconf
    enable
  exit
  rule 80
    action permit
    match protocol tcp
    match destination-port object-group sa
    enable
  exit
  rule 90
    action permit
    match protocol udp
    match destination-port object-group radius_auth
    enable
  exit
  rule 100
    action permit
    match protocol gre
    enable
  exit
  rule 110
    action permit
    match protocol tcp
    match destination-port object-group airtune
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match source-port object-group dhcp_server
    match destination-port object-group dhcp_client
    enable
  exit
exit
security zone-pair users self
  rule 10
    action permit
    match protocol icmp
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 20
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 30
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
exit
security zone-pair users untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit
 rule 10
    action permit
    match protocol tcp
    match destination-port object-group journal_sync
    enable
  exit
exit

security passwords default-expired

nat source
  ruleset factory
    to zone untrusted
    rule 10
      description "replace 'source ip' by outgoing interface ip address"
      action source-nat interface
      enable
    exit
  exit
exit

ip dhcp-server
ip dhcp-server pool ap-pool
  network 192.168.1.0/24
  address-range 192.168.1.4-192.168.1.254
  default-router 192.168.1.1
  dns-server 192.168.1.1
  option 42 ip-address 192.168.1.1
  vendor-specific
    suboption 12 ascii-text "192.168.1.1"
    suboption 15 ascii-text "https://192.168.1.1:8043"
  exit
exit
ip dhcp-server pool users-pool
  network 192.168.2.0/24
  address-range 192.168.2.4-192.168.2.254
  default-router 192.168.2.1
  dns-server 192.168.2.1
exit
ip dhcp-server failover
  mode active-standby
  enable
exit

softgre-controller
  nas-ip-address 127.0.0.1
  failover
  data-tunnel configuration wlc
  aaa radius-profile default_radius
  keepalive-disable
  service-vlan add 3
  enable
exit

wlc
  outside-address 192.168.1.1
  service-activator
    aps join auto
  exit
  airtune
    enable
  exit
  failover
  ap-location default-location
    description "default-location"
    mode tunnel
    ap-profile default-ap
    ssid-profile default-ssid
  exit
  ssid-profile default-ssid
    description "default-ssid"
    ssid "default-ssid"
    radius-profile default-radius
    vlan-id 3
    security-mode WPA2_1X
    802.11kv
    band 2g
    band 5g
    enable
  exit
  ap-profile default-ap
    password ascii-text password
  exit
  radius-profile default-radius
    auth-address 192.168.1.1
    auth-password ascii-text password
    domain default
  exit
  ip-pool default-ip-pool
    description "default-ip-pool"
    ap-location default-location
  exit
  enable
exit

ip ssh server

clock timezone gmt +7

ntp enable
ntp server 100.110.0.65
  minpoll 1
  maxpoll 4
exit

crypto-sync
  remote-delete
  enable
exit

...

cluster
  cluster-interface bridge 1
  unit 1
    mac-address e4:5a:d4:a0:be:35
  exit
  unit 2
    mac-address a8:f9:4b:af:35:84
  exit
  enable
exit

hostname wlc-1 
hostname wlc-1 unit 1
hostname wlc-2 unit 2

object-group service airtune
  port-range 8099
exit
object-group service dhcp_client
  port-range 68
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dns
  port-range 53
exit
object-group service netconf
  port-range 830
exit
object-group service ntp
  port-range 123
exit
object-group service radius_auth
  port-range 1812
exit
object-group service sa
  port-range 8043-8044
exit
object-group service ssh
  port-range 22
exit
object-group service sync
  port-range 873
exit
object-group service journal_sync
  port-range 5432
exit
object-group service softgre_controller
  port-range 1337
exit
object-group network SYNC_SRC
  ip address-range 198.51.100.254 unit 1
  ip address-range 198.51.100.253 unit 2
exit
object-group network SYNC_DST
  ip address-range 198.51.100.253 unit 1
  ip address-range 198.51.100.254 unit 2
exit

syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
  severity info
exit

radius-server local
  nas ap
    key ascii-text password
    network 192.168.1.0/24
  exit
  nas local
    key ascii-text password
    network 127.0.0.1/32
  exit
  domain default
    user test
      password ascii-text password1
    exit
  exit
  virtual-server default
    enable
  exit
  enable
exit
radius-server host 127.0.0.1
  key ascii-text password
exit
aaa radius-profile default_radius
  radius-server host 127.0.0.1
exit

boot host auto-config
boot host auto-update

vlan 3
  force-up
exit
vlan 2449
  force-up
exit
vlan 2
exit

no spanning-tree

domain lookup enable

security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp
  enable
exit
bridge 2
  vlan 2
  security-zone untrusted
  ip address 192.0.3.2/24 unit 1
  ip address 192.0.3.1/24 unit 2
  vrrp id 4
  vrrp ip 203.0.113.252/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable 
exit
bridge 3
  vlan 3
  mtu 1458
  security-zone users
  ip address 192.168.2.3/24 unit 1
  ip address 192.168.2.2/24 unit 2
  vrrp id 3
  vrrp ip 192.168.2.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
bridge 5
  vlan 2449
  security-zone trusted
  ip address 192.168.1.3/24 unit 1
  ip address 192.168.1.2/24 unit 2
  vrrp id 2
  vrrp ip 192.168.1.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
interface gigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 1/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/4
  mode switchport
exit
interface tengigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
  mode switchport
exit
interface gigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 2/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/4
  mode switchport
exit
interface tengigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
  mode switchport
exit

tunnel softgre 1
  mode data
  local address 192.168.1.1
  default-profile
  enable
exit

ip failover
  local-address object-group SYNC_SRC
  remote-address object-group SYNC_DST
  vrrp-group 1
exit

security zone-pair trusted self
  rule 10
    action permit
    match protocol tcp
    match destination-port object-group ssh
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 12
    action permit
    match protocol tcp
    match destination-port object-group softgre_controller
    enable
  exit
  rule 13
    action permit
    match protocol tcp
    match destination-port object-group sync
    enable
  exit
  rule 20
    action permit
    match protocol icmp
    enable
  exit
  rule 30
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group ntp
    enable
  exit
  rule 50
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 60
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
  rule 70
    action permit
    match protocol tcp
    match destination-port object-group netconf
    enable
  exit
  rule 80
    action permit
    match protocol tcp
    match destination-port object-group sa
    enable
  exit
  rule 90
    action permit
    match protocol udp
    match destination-port object-group radius_auth
    enable
  exit
  rule 100
    action permit
    match protocol gre
    enable
  exit
  rule 110
    action permit
    match protocol tcp
    match destination-port object-group airtune
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match source-port object-group dhcp_server
    match destination-port object-group dhcp_client
    enable
  exit
exit
security zone-pair users self
  rule 10
    action permit
    match protocol icmp
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 20
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 30
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
exit
security zone-pair users untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
 rule 10
    action permit
    match protocol tcp
    match destination-port object-group journal_sync
    enable
  exit
exit

security passwords default-expired

nat source
  ruleset factory
    to zone untrusted
    rule 10
      description "replace 'source ip' by outgoing interface ip address"
      action source-nat interface
      enable
    exit
  exit
exit

ip dhcp-server
ip dhcp-server pool ap-pool
  network 192.168.1.0/24
  address-range 192.168.1.4-192.168.1.254
  default-router 192.168.1.1
  dns-server 192.168.1.1
  option 42 ip-address 192.168.1.1
  vendor-specific
    suboption 12 ascii-text "192.168.1.1"
    suboption 15 ascii-text "https://192.168.1.1:8043"
  exit
exit
ip dhcp-server pool users-pool
  network 192.168.2.0/24
  address-range 192.168.2.4-192.168.2.254
  default-router 192.168.2.1
  dns-server 192.168.2.1
exit
ip dhcp-server failover
  mode active-standby
  enable
exit

softgre-controller
  nas-ip-address 127.0.0.1
  failover
  data-tunnel configuration wlc
  aaa radius-profile default_radius
  keepalive-disable
  service-vlan add 3
  enable
exit

wlc
  outside-address 192.168.1.1
  service-activator
    aps join auto
  exit
  airtune
    enable
  exit
  failover
  ap-location default-location
    description "default-location"
    mode tunnel
    ap-profile default-ap
    ssid-profile default-ssid
  exit
  ssid-profile default-ssid
    description "default-ssid"
    ssid "default-ssid"
    radius-profile default-radius
    vlan-id 3
    security-mode WPA2_1X
    802.11kv
    band 2g
    band 5g
    enable
  exit
  ap-profile default-ap
    password ascii-text password
  exit
  radius-profile default-radius
    auth-address 192.168.1.1
    auth-password ascii-text password
    domain default
  exit
  ip-pool default-ip-pool
    description "default-ip-pool"
    ap-location default-location
  exit
  enable
exit

ip ssh server

clock timezone gmt +7

ntp enable
ntp server 100.110.0.65
  minpoll 1
  maxpoll 4
exit

crypto-sync
  remote-delete
  enable
exit

...

cluster
  cluster-interface bridge 1
  unit 1
    mac-address e4:5a:d4:a0:be:35
  exit
  unit 2
    mac-address a8:f9:4b:af:35:84
  exit
  enable
exit

hostname wlc-1 
hostname wlc-1 unit 1
hostname wlc-2 unit 2

object-group service airtune
  port-range 8099
exit
object-group service dhcp_client
  port-range 68
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dns
  port-range 53
exit
object-group service netconf
  port-range 830
exit
object-group service ntp
  port-range 123
exit
object-group service radius_auth
  port-range 1812
exit
object-group service sa
  port-range 8043-8044
exit
object-group service ssh
  port-range 22
exit
object-group service sync
  port-range 873
exit
object-group service journal_sync
  port-range 5432
exit
object-group service softgre_controller
  port-range 1337
exit
object-group network SYNC_SRC
  ip address-range 198.51.100.254 unit 1
  ip address-range 198.51.100.253 unit 2
exit
object-group network SYNC_DST
  ip address-range 198.51.100.253 unit 1
  ip address-range 198.51.100.254 unit 2
exit

syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
  severity info
exit

radius-server local
  nas ap
    key ascii-text password
    network 192.168.1.0/24
  exit
  nas local
    key ascii-text password
    network 127.0.0.1/32
  exit
  domain default
    user test
      password ascii-text password1
    exit
  exit
  virtual-server default
    enable
  exit
  enable
exit
radius-server host 127.0.0.1
  key ascii-text password
exit
aaa radius-profile default_radius
  radius-server host 127.0.0.1
exit

boot host auto-config
boot host auto-update

vlan 3
  force-up
exit
vlan 2449
  force-up
exit
vlan 2
exit

no spanning-tree

domain lookup enable

security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp
  enable
exit
bridge 2
  vlan 2
  security-zone untrusted
  ip address dhcp
  no spanning-tree
  enable
exit
bridge 3
  vlan 3
  mtu 1458
  security-zone users
  ip address 192.168.2.3/24 unit 1
  ip address 192.168.2.2/24 unit 2
  vrrp id 3
  vrrp ip 192.168.2.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
bridge 5
  vlan 2449
  security-zone trusted
  ip address 192.168.1.3/24 unit 1
  ip address 192.168.1.2/24 unit 2
  vrrp id 2
  vrrp ip 192.168.1.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
interface gigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 1/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/4
  mode switchport
exit
interface tengigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
  mode switchport
exit
interface gigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 2/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/4
  mode switchport
exit
interface tengigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
  mode switchport
exit

tunnel softgre 1
  mode data
  local address 192.168.1.1
  default-profile
  enable
exit

ip failover
  local-address object-group SYNC_SRC
  remote-address object-group SYNC_DST
  vrrp-group 1
exit

security zone-pair trusted self
  rule 10
    action permit
    match protocol tcp
    match destination-port object-group ssh
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 12
    action permit
    match protocol tcp
    match destination-port object-group softgre_controller
    enable
  exit
  rule 13
    action permit
    match protocol tcp
    match destination-port object-group sync
    enable
  exit
  rule 20
    action permit
    match protocol icmp
    enable
  exit
  rule 30
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group ntp
    enable
  exit
  rule 50
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 60
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
  rule 70
    action permit
    match protocol tcp
    match destination-port object-group netconf
    enable
  exit
  rule 80
    action permit
    match protocol tcp
    match destination-port object-group sa
    enable
  exit
  rule 90
    action permit
    match protocol udp
    match destination-port object-group radius_auth
    enable
  exit
  rule 100
    action permit
    match protocol gre
    enable
  exit
  rule 110
    action permit
    match protocol tcp
    match destination-port object-group airtune
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match source-port object-group dhcp_server
    match destination-port object-group dhcp_client
    enable
  exit
exit
security zone-pair users self
  rule 10
    action permit
    match protocol icmp
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 20
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 30
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
exit
security zone-pair users untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
 rule 10
    action permit
    match protocol tcp
    match destination-port object-group journal_sync
    enable
  exit
exit

security passwords default-expired

nat source
  ruleset factory
    to zone untrusted
    rule 10
      description "replace 'source ip' by outgoing interface ip address"
      action source-nat interface
      enable
    exit
  exit
exit

ip dhcp-server
ip dhcp-server pool ap-pool
  network 192.168.1.0/24
  address-range 192.168.1.4-192.168.1.254
  default-router 192.168.1.1
  dns-server 192.168.1.1
  option 42 ip-address 192.168.1.1
  vendor-specific
    suboption 12 ascii-text "192.168.1.1"
    suboption 15 ascii-text "https://192.168.1.1:8043"
  exit
exit
ip dhcp-server pool users-pool
  network 192.168.2.0/24
  address-range 192.168.2.4-192.168.2.254
  default-router 192.168.2.1
  dns-server 192.168.2.1
exit
ip dhcp-server failover
  mode active-standby
  enable
exit

softgre-controller
  nas-ip-address 127.0.0.1
  failover
  data-tunnel configuration wlc
  aaa radius-profile default_radius
  keepalive-disable
  service-vlan add 3
  enable
exit

wlc
  outside-address 192.168.1.1
  service-activator
    aps join auto
  exit
  airtune
    enable
  exit
  failover
  ap-location default-location
    description "default-location"
    mode tunnel
    ap-profile default-ap
    ssid-profile default-ssid
  exit
  ssid-profile default-ssid
    description "default-ssid"
    ssid "default-ssid"
    radius-profile default-radius
    vlan-id 3
    security-mode WPA2_1X
    802.11kv
    band 2g
    band 5g
    enable
  exit
  ap-profile default-ap
    password ascii-text password
  exit
  radius-profile default-radius
    auth-address 192.168.1.1
    auth-password ascii-text password
    domain default
  exit
  ip-pool default-ip-pool
    description "default-ip-pool"
    ap-location default-location
  exit
  enable
exit

ip ssh server

clock timezone gmt +7

ntp enable
ntp server 100.110.0.65
  minpoll 1
  maxpoll 4
exit

crypto-sync
  remote-delete
  enable
exit
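Review bot: Every shared secret in this version is the literal placeholder `password` (the `radius-server local` `nas ap` and `nas local` keys, `radius-server host 127.0.0.1`, the `wlc` `ap-profile default-ap` password and `radius-profile default-radius` `auth-password`), and the only 802.1X account is `user test` with `password1`, so the WPA2_1X SSID and AP onboarding are only as strong as those strings. If this is meant as a deployable template, generate a distinct secret per NAS (the `nas ap` key is what any host in 192.168.1.0/24 needs to speak RADIUS to the controller) and remove or rename the `test` user before enabling `ssid-profile default-ssid`. `security passwords default-expired` is present, but from the config alone it is not clear whether it covers RADIUS keys or the AP profile password rather than local CLI accounts, so it should not be relied on for these. Since this CLI has no comment syntax in the listing, a one-line reminder in the page text above the block ("replace every `ascii-text password` value before applying") would make the expectation explicit.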

...

cluster
  cluster-interface bridge 1
  unit 1
    mac-address e4:5a:d4:a0:be:35
  exit
  unit 2
    mac-address a8:f9:4b:af:35:84
  exit
  enable
exit

hostname wlc-1 
hostname wlc-1 unit 1
hostname wlc-2 unit 2

object-group service airtune
  port-range 8099
exit
object-group service dhcp_client
  port-range 68
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dns
  port-range 53
exit
object-group service netconf
  port-range 830
exit
object-group service ntp
  port-range 123
exit
object-group service radius_auth
  port-range 1812
exit
object-group service sa
  port-range 8043-8044
exit
object-group service ssh
  port-range 22
exit
object-group service sync
  port-range 873
exit
object-group service journal_sync
  port-range 5432
exit
object-group service softgre_controller
  port-range 1337
exit
object-group network SYNC_SRC
  ip address-range 198.51.100.254 unit 1
  ip address-range 198.51.100.253 unit 2
exit
object-group network SYNC_DST
  ip address-range 198.51.100.253 unit 1
  ip address-range 198.51.100.254 unit 2
exit

syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
  severity info
exit

radius-server local
  nas ap
    key ascii-text password
    network 192.168.1.0/24
  exit
  nas local
    key ascii-text password
    network 127.0.0.1/32
  exit
  domain default
    user test
      password ascii-text password1
    exit
  exit
  virtual-server default
    enable
  exit
  enable
exit
radius-server host 127.0.0.1
  key ascii-text password
exit
aaa radius-profile default_radius
  radius-server host 127.0.0.1
exit

boot host auto-config
boot host auto-update

vlan 3
  force-up
exit
vlan 2449
  force-up
exit
vlan 2
exit

no spanning-tree

domain lookup enable

security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp
  enable
exit
bridge 2
  vlan 2
  security-zone untrusted
  ip address dhcp
  no spanning-tree
  enable
exit
bridge 3
  vlan 3
  mtu 1458
  security-zone users
  ip address 192.168.2.3/24 unit 1
  ip address 192.168.2.2/24 unit 2
  vrrp id 3
  vrrp ip 192.168.2.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
bridge 5
  vlan 2449
  security-zone trusted
  ip address 192.168.1.3/24 unit 1
  ip address 192.168.1.2/24 unit 2
  vrrp id 2
  vrrp ip 192.168.1.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
interface gigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 1/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/4
  mode switchport
exit
interface tengigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
  mode switchport
exit
interface gigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 2/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/4
  mode switchport
exit
interface tengigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
  mode switchport
exit

tunnel softgre 1
  mode data
  local address 192.168.1.1
  default-profile
  enable
exit

ip failover
  local-address object-group SYNC_SRC
  remote-address object-group SYNC_DST
  vrrp-group 1
exit

security zone-pair trusted self
  rule 10
    action permit
    match protocol tcp
    match destination-port object-group ssh
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 12
    action permit
    match protocol tcp
    match destination-port object-group softgre_controller
    enable
  exit
  rule 13
    action permit
    match protocol tcp
    match destination-port object-group sync
    enable
  exit
  rule 20
    action permit
    match protocol icmp
    enable
  exit
  rule 30
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group ntp
    enable
  exit
  rule 50
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 60
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
  rule 70
    action permit
    match protocol tcp
    match destination-port object-group netconf
    enable
  exit
  rule 80
    action permit
    match protocol tcp
    match destination-port object-group sa
    enable
  exit
  rule 90
    action permit
    match protocol udp
    match destination-port object-group radius_auth
    enable
  exit
  rule 100
    action permit
    match protocol gre
    enable
  exit
  rule 110
    action permit
    match protocol tcp
    match destination-port object-group airtune
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match source-port object-group dhcp_server
    match destination-port object-group dhcp_client
    enable
  exit
exit
security zone-pair users self
  rule 10
    action permit
    match protocol icmp
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 20
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 30
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
exit
security zone-pair users untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit

security passwords default-expired

nat source
  ruleset factory
    to zone untrusted
    rule 10
      description "replace 'source ip' by outgoing interface ip address"
      action source-nat interface
      enable
    exit
  exit
exit

ip dhcp-server
ip dhcp-server pool ap-pool
  network 192.168.1.0/24
  address-range 192.168.1.4-192.168.1.254
  default-router 192.168.1.1
  dns-server 192.168.1.1
  option 42 ip-address 192.168.1.1
  vendor-specific
    suboption 12 ascii-text "192.168.1.1"
    suboption 15 ascii-text "https://192.168.1.1:8043"
  exit
exit
ip dhcp-server pool users-pool
  network 192.168.2.0/24
  address-range 192.168.2.4-192.168.2.254
  default-router 192.168.2.1
  dns-server 192.168.2.1
exit

softgre-controller
  nas-ip-address 127.0.0.1
  failover
  data-tunnel configuration wlc
  aaa radius-profile default_radius
  keepalive-disable
  service-vlan add 3
  enable
exit

wlc
  outside-address 192.168.1.1
  service-activator
    aps join auto
  exit
  airtune
    enable
  exit
  failover
  ap-location default-location
    description "default-location"
    mode tunnel
    ap-profile default-ap
    ssid-profile default-ssid
  exit
  ssid-profile default-ssid
    description "default-ssid"
    ssid "default-ssid"
    radius-profile default-radius
    vlan-id 3
    security-mode WPA2_1X
    802.11kv
    band 2g
    band 5g
    enable
  exit
  ap-profile default-ap
    password ascii-text password
  exit
  radius-profile default-radius
    auth-address 192.168.1.1
    auth-password ascii-text password
    domain default
  exit
  ip-pool default-ip-pool
    description "default-ip-pool"
    ap-location default-location
  exit
  enable
exit

ip ssh server

clock timezone gmt +7

ntp enable
ntp server 100.110.0.65
  minpoll 1
  maxpoll 4
exit

crypto-sync
  remote-delete
  enable
exit
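Review bot: `boot host auto-config` and `boot host auto-update` are enabled while `bridge 2` in zone `untrusted` obtains its address with `ip address dhcp`, so if the device honours provisioning options carried in that lease, anyone able to answer DHCP on VLAN 2 could point it at a configuration or firmware source of their choosing. The `untrusted self` zone-pair only admits the DHCP reply itself, which does not constrain where a DHCP-supplied provisioning server address points. Unless auto-provisioning over the untrusted uplink is intended, disable both once the units are deployed (`no boot host auto-config`, `no boot host auto-update`), or confirm in the vendor documentation that these options are ignored on interfaces in this zone. Which interface the provisioning client actually binds to is not visible in the config, so treat this as a point to verify rather than a confirmed exposure.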

...

cluster
  cluster-interface bridge 1
  unit 1
    mac-address e4:5a:d4:a0:be:35
  exit
  unit 2
    mac-address a8:f9:4b:af:35:84
  exit
  enable
exit

hostname wlc-1 
hostname wlc-1 unit 1
hostname wlc-2 unit 2

object-group service airtune
  port-range 8099
exit
object-group service dhcp_client
  port-range 68
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dns
  port-range 53
exit
object-group service netconf
  port-range 830
exit
object-group service ntp
  port-range 123
exit
object-group service radius_auth
  port-range 1812
exit
object-group service sa
  port-range 8043-8044
exit
object-group service ssh
  port-range 22
exit
object-group service sync
  port-range 873
exit
object-group service journal_sync
  port-range 5432
exit
object-group service softgre_controller
  port-range 1337
exit
object-group network SYNC_SRC
  ip address-range 198.51.100.254 unit 1
  ip address-range 198.51.100.253 unit 2
exit
object-group network SYNC_DST
  ip address-range 198.51.100.253 unit 1
  ip address-range 198.51.100.254 unit 2
exit

syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
  severity info
exit

radius-server local
  nas ap
    key ascii-text password
    network 192.168.1.0/24
  exit
  nas local
    key ascii-text password
    network 127.0.0.1/32
  exit
  domain default
    user test
      password ascii-text password1
    exit
  exit
  virtual-server default
    enable
  exit
  enable
exit
radius-server host 127.0.0.1
  key ascii-text password
exit
aaa radius-profile default_radius
  radius-server host 127.0.0.1
exit

boot host auto-config
boot host auto-update

vlan 3
  force-up
exit
vlan 2449
  force-up
exit
vlan 2
exit

no spanning-tree

domain lookup enable

security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp
  enable
exit
bridge 2
  vlan 2
  security-zone untrusted
  ip address dhcp
  no spanning-tree
  enable
exit
bridge 3
  vlan 3
  mtu 1458
  security-zone users
  ip address 192.168.2.3/24 unit 1
  ip address 192.168.2.2/24 unit 2
  vrrp id 3
  vrrp ip 192.168.2.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
bridge 5
  vlan 2449
  security-zone trusted
  ip address 192.168.1.3/24 unit 1
  ip address 192.168.1.2/24 unit 2
  vrrp id 2
  vrrp ip 192.168.1.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
interface gigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 1/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/4
  mode switchport
exit
interface tengigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
  mode switchport
exit
interface gigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 2/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/4
  mode switchport
exit
interface tengigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
  mode switchport
exit

tunnel softgre 1
  mode data
  local address 192.168.1.1
  default-profile
  enable
exit

ip failover
  local-address object-group SYNC_SRC
  remote-address object-group SYNC_DST
  vrrp-group 1
exit

security zone-pair trusted self
  rule 10
    action permit
    match protocol tcp
    match destination-port object-group ssh
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 12
    action permit
    match protocol tcp
    match destination-port object-group softgre_controller
    enable
  exit
  rule 13
    action permit
    match protocol tcp
    match destination-port object-group sync
    enable
  exit
  rule 20
    action permit
    match protocol icmp
    enable
  exit
  rule 30
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group ntp
    enable
  exit
  rule 50
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 60
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
  rule 70
    action permit
    match protocol tcp
    match destination-port object-group netconf
    enable
  exit
  rule 80
    action permit
    match protocol tcp
    match destination-port object-group sa
    enable
  exit
  rule 90
    action permit
    match protocol udp
    match destination-port object-group radius_auth
    enable
  exit
  rule 100
    action permit
    match protocol gre
    enable
  exit
  rule 110
    action permit
    match protocol tcp
    match destination-port object-group airtune
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match source-port object-group dhcp_server
    match destination-port object-group dhcp_client
    enable
  exit
exit
security zone-pair users self
  rule 10
    action permit
    match protocol icmp
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 20
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 30
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
exit
security zone-pair users untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit

security passwords default-expired

nat source
  ruleset factory
    to zone untrusted
    rule 10
      description "replace 'source ip' by outgoing interface ip address"
      action source-nat interface
      enable
    exit
  exit
exit

ip dhcp-server
ip dhcp-server pool ap-pool
  network 192.168.1.0/24
  address-range 192.168.1.4-192.168.1.254
  default-router 192.168.1.1
  dns-server 192.168.1.1
  option 42 ip-address 192.168.1.1
  vendor-specific
    suboption 12 ascii-text "192.168.1.1"
    suboption 15 ascii-text "https://192.168.1.1:8043"
  exit
exit
ip dhcp-server pool users-pool
  network 192.168.2.0/24
  address-range 192.168.2.4-192.168.2.254
  default-router 192.168.2.1
  dns-server 192.168.2.1
exit
ip dhcp-server failover
  mode active-standby
  enable
exit

softgre-controller
  nas-ip-address 127.0.0.1
  failover
  data-tunnel configuration wlc
  aaa radius-profile default_radius
  keepalive-disable
  service-vlan add 3
  enable
exit

wlc
  outside-address 192.168.1.1
  service-activator
    aps join auto
  exit
  airtune
    enable
  exit
  failover
  ap-location default-location
    description "default-location"
    mode tunnel
    ap-profile default-ap
    ssid-profile default-ssid
  exit
  ssid-profile default-ssid
    description "default-ssid"
    ssid "default-ssid"
    radius-profile default-radius
    vlan-id 3
    security-mode WPA2_1X
    802.11kv
    band 2g
    band 5g
    enable
  exit
  ap-profile default-ap
    password ascii-text password
  exit
  radius-profile default-radius
    auth-address 192.168.1.1
    auth-password ascii-text password
    domain default
  exit
  ip-pool default-ip-pool
    description "default-ip-pool"
    ap-location default-location
  exit
  enable
exit

ip ssh server

clock timezone gmt +7

ntp enable
ntp server 100.110.0.65
  minpoll 1
  maxpoll 4
exit

crypto-sync
  remote-delete
  enable
exit
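Review bot: `wlc` `service-activator` `aps join auto` together with `ap-profile default-ap password ascii-text password` and a single `nas ap` key of `password` for the whole 192.168.1.0/24 AP subnet means any device plugged into VLAN 2449 that reaches 192.168.1.1 can register as an access point without a per-device credential, and the `trusted` zone that VLAN sits in also has `security zone-pair trusted untrusted` permit-all plus SSH, NETCONF and 8043-8044 access to the controller itself. If that VLAN is not physically controlled, consider disabling automatic join after initial provisioning, or at least set a unique per-AP password in the profile and a unique RADIUS key per NAS. The permit-all `trusted untrusted` rule is probably intended for the APs, but it also lets any host on the AP subnet use the controller as a NATed gateway through `nat source ruleset factory`. Whether the WLC demands further proof of AP identity on join is not visible here, so confirm that before relying on `aps join auto`.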

...

cluster
  cluster-interface bridge 1
  unit 1
    mac-address e4:5a:d4:a0:be:35
  exit
  unit 2
    mac-address a8:f9:4b:af:35:84
  exit
  enable
exit

hostname wlc-1 
hostname wlc-1 unit 1
hostname wlc-2 unit 2

object-group service airtune
  port-range 8099
exit
object-group service dhcp_client
  port-range 68
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dns
  port-range 53
exit
object-group service netconf
  port-range 830
exit
object-group service ntp
  port-range 123
exit
object-group service radius_auth
  port-range 1812
exit
object-group service sa
  port-range 8043-8044
exit
object-group service ssh
  port-range 22
exit
object-group service sync
  port-range 873
exit
object-group service journal_sync
  port-range 5432
exit
object-group service softgre_controller
  port-range 1337
exit
object-group network SYNC_SRC
  ip address-range 198.51.100.254 unit 1
  ip address-range 198.51.100.253 unit 2
exit
object-group network SYNC_DST
  ip address-range 198.51.100.253 unit 1
  ip address-range 198.51.100.254 unit 2
exit

syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
  severity info
exit

radius-server local
  nas ap
    key ascii-text password
    network 192.168.1.0/24
  exit
  nas local
    key ascii-text password
    network 127.0.0.1/32
  exit
  domain default
    user test
      password ascii-text password1
    exit
  exit
  virtual-server default
    enable
  exit
  enable
exit
radius-server host 127.0.0.1
  key ascii-text password
exit
aaa radius-profile default_radius
  radius-server host 127.0.0.1
exit

boot host auto-config
boot host auto-update

vlan 3
  force-up
exit
vlan 2449
  force-up
exit
vlan 2
exit

no spanning-tree

domain lookup enable

security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp
  enable
exit
bridge 2
  vlan 2
  security-zone untrusted
  ip address dhcp
  no spanning-tree
  enable
exit
bridge 3
  vlan 3
  mtu 1458
  security-zone users
  ip address 192.168.2.3/24 unit 1
  ip address 192.168.2.2/24 unit 2
  vrrp id 3
  vrrp ip 192.168.2.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
bridge 5
  vlan 2449
  security-zone trusted
  ip address 192.168.1.3/24 unit 1
  ip address 192.168.1.2/24 unit 2
  vrrp id 2
  vrrp ip 192.168.1.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
interface gigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 1/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/4
  mode switchport
exit
interface tengigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
  mode switchport
exit
interface gigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 2/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/4
  mode switchport
exit
interface tengigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
  mode switchport
exit

tunnel softgre 1
  mode data
  local address 192.168.1.1
  default-profile
  enable
exit

ip failover
  local-address object-group SYNC_SRC
  remote-address object-group SYNC_DST
  vrrp-group 1
exit

security zone-pair trusted self
  rule 10
    action permit
    match protocol tcp
    match destination-port object-group ssh
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 12
    action permit
    match protocol tcp
    match destination-port object-group softgre_controller
    enable
  exit
  rule 13
    action permit
    match protocol tcp
    match destination-port object-group sync
    enable
  exit
  rule 20
    action permit
    match protocol icmp
    enable
  exit
  rule 30
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group ntp
    enable
  exit
  rule 50
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 60
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
  rule 70
    action permit
    match protocol tcp
    match destination-port object-group netconf
    enable
  exit
  rule 80
    action permit
    match protocol tcp
    match destination-port object-group sa
    enable
  exit
  rule 90
    action permit
    match protocol udp
    match destination-port object-group radius_auth
    enable
  exit
  rule 100
    action permit
    match protocol gre
    enable
  exit
  rule 110
    action permit
    match protocol tcp
    match destination-port object-group airtune
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match source-port object-group dhcp_server
    match destination-port object-group dhcp_client
    enable
  exit
exit
security zone-pair users self
  rule 10
    action permit
    match protocol icmp
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 20
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 30
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
exit
security zone-pair users untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit

security passwords default-expired

nat source
  ruleset factory
    to zone untrusted
    rule 10
      description "replace 'source ip' by outgoing interface ip address"
      action source-nat interface
      enable
    exit
  exit
exit

ip dhcp-server
ip dhcp-server pool ap-pool
  network 192.168.1.0/24
  address-range 192.168.1.4-192.168.1.254
  default-router 192.168.1.1
  dns-server 192.168.1.1
  option 42 ip-address 192.168.1.1
  vendor-specific
    suboption 12 ascii-text "192.168.1.1"
    suboption 15 ascii-text "https://192.168.1.1:8043"
  exit
exit
ip dhcp-server pool users-pool
  network 192.168.2.0/24
  address-range 192.168.2.4-192.168.2.254
  default-router 192.168.2.1
  dns-server 192.168.2.1
exit
ip dhcp-server failover
  mode active-standby
  enable
exit

softgre-controller
  nas-ip-address 127.0.0.1
  failover
  data-tunnel configuration wlc
  aaa radius-profile default_radius
  keepalive-disable
  service-vlan add 3
  enable
exit

wlc
  outside-address 192.168.1.1
  service-activator
    aps join auto
  exit
  airtune
    enable
  exit
  failover
  ap-location default-location
    description "default-location"
    mode tunnel
    ap-profile default-ap
    ssid-profile default-ssid
  exit
  ssid-profile default-ssid
    description "default-ssid"
    ssid "default-ssid"
    radius-profile default-radius
    vlan-id 3
    security-mode WPA2_1X
    802.11kv
    band 2g
    band 5g
    enable
  exit
  ap-profile default-ap
    password ascii-text password
  exit
  radius-profile default-radius
    auth-address 192.168.1.1
    auth-password ascii-text password
    domain default
  exit
  ip-pool default-ip-pool
    description "default-ip-pool"
    ap-location default-location
  exit
  enable
exit

ip ssh server

clock timezone gmt +7

ntp enable
ntp server 100.110.0.65
  minpoll 1
  maxpoll 4
exit

crypto-sync
  remote-delete
  enable
exit

...

cluster
  cluster-interface bridge 1
  unit 1
    mac-address e4:5a:d4:a0:be:35
  exit
  unit 2
    mac-address a8:f9:4b:af:35:84
  exit
  enable
exit

hostname wlc-1 
hostname wlc-1 unit 1
hostname wlc-2 unit 2

object-group service airtune
  port-range 8099
exit
object-group service dhcp_client
  port-range 68
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dns
  port-range 53
exit
object-group service netconf
  port-range 830
exit
object-group service ntp
  port-range 123
exit
object-group service radius_auth
  port-range 1812
exit
object-group service sa
  port-range 8043-8044
exit
object-group service ssh
  port-range 22
exit
object-group service sync
  port-range 873
exit
object-group service journal_sync
  port-range 5432
exit
object-group service softgre_controller
  port-range 1337
exit
object-group network SYNC_SRC
  ip address-range 198.51.100.254 unit 1
  ip address-range 198.51.100.253 unit 2
exit
object-group network SYNC_DST
  ip address-range 198.51.100.253 unit 1
  ip address-range 198.51.100.254 unit 2
exit

syslog max-files 3
syslog file-size 512
syslog file tmpsys:syslog/default
  severity info
exit

radius-server local
  nas ap
    key ascii-text password
    network 192.168.1.0/24
  exit
  nas local
    key ascii-text password
    network 127.0.0.1/32
  exit
  domain default
    user test
      password ascii-text password1
    exit
  exit
  virtual-server default
    enable
  exit
  enable
exit
radius-server host 127.0.0.1
  key ascii-text password
exit
aaa radius-profile default_radius
  radius-server host 127.0.0.1
exit

boot host auto-config
boot host auto-update

vlan 3
  force-up
exit
vlan 2449
  force-up
exit
vlan 2
exit

no spanning-tree

domain lookup enable

security zone trusted
exit
security zone untrusted
exit
security zone users
exit
security zone SYNC
exit

bridge 1
  vlan 1
  security-zone SYNC
  ip address 198.51.100.254/24 unit 1
  ip address 198.51.100.253/24 unit 2
  vrrp id 1
  vrrp ip 198.51.100.1/24
  vrrp group 1
  vrrp
  enable
exit
bridge 2
  vlan 2
  security-zone untrusted
  ip address 192.0.3.2/24 unit 1
  ip address 192.0.3.1/24 unit 2
  vrrp id 4
  vrrp ip 203.0.113.252/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
bridge 3
  vlan 3
  mtu 1458
  security-zone users
  ip address 192.168.2.3/24 unit 1
  ip address 192.168.2.2/24 unit 2
  vrrp id 3
  vrrp ip 192.168.2.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
bridge 5
  vlan 2449
  security-zone trusted
  ip address 192.168.1.3/24 unit 1
  ip address 192.168.1.2/24 unit 2
  vrrp id 2
  vrrp ip 192.168.1.1/32
  vrrp group 1
  vrrp
  no spanning-tree
  enable
exit
interface gigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 1/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 1/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 1/0/4
  mode switchport
exit
interface tengigabitethernet 1/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 1/0/2
  mode switchport
exit
interface gigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface gigabitethernet 2/0/2
  mode switchport
  switchport mode trunk
  switchport trunk allowed vlan add 3,2449
exit
interface gigabitethernet 2/0/3
  mode switchport
  spanning-tree disable
exit
interface gigabitethernet 2/0/4
  mode switchport
exit
interface tengigabitethernet 2/0/1
  mode switchport
  switchport access vlan 2
exit
interface tengigabitethernet 2/0/2
  mode switchport
exit

tunnel softgre 1
  mode data
  local address 192.168.1.1
  default-profile
  enable
exit

ip failover
  local-address object-group SYNC_SRC
  remote-address object-group SYNC_DST
  vrrp-group 1
exit

security zone-pair trusted self
  rule 10
    action permit
    match protocol tcp
    match destination-port object-group ssh
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 12
    action permit
    match protocol tcp
    match destination-port object-group softgre_controller
    enable
  exit
  rule 13
    action permit
    match protocol tcp
    match destination-port object-group sync
    enable
  exit
  rule 20
    action permit
    match protocol icmp
    enable
  exit
  rule 30
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group ntp
    enable
  exit
  rule 50
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 60
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
  rule 70
    action permit
    match protocol tcp
    match destination-port object-group netconf
    enable
  exit
  rule 80
    action permit
    match protocol tcp
    match destination-port object-group sa
    enable
  exit
  rule 90
    action permit
    match protocol udp
    match destination-port object-group radius_auth
    enable
  exit
  rule 100
    action permit
    match protocol gre
    enable
  exit
  rule 110
    action permit
    match protocol tcp
    match destination-port object-group airtune
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match source-port object-group dhcp_server
    match destination-port object-group dhcp_client
    enable
  exit
exit
security zone-pair users self
  rule 10
    action permit
    match protocol icmp
    enable
  exit
  rule 11
    action permit
    match protocol vrrp
    enable
  exit
  rule 20
    action permit
    match protocol udp
    match source-port object-group dhcp_client
    match destination-port object-group dhcp_server
    enable
  exit
  rule 30
    action permit
    match protocol tcp
    match destination-port object-group dns
    enable
  exit
  rule 40
    action permit
    match protocol udp
    match destination-port object-group dns
    enable
  exit
exit
security zone-pair users untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair SYNC self
  rule 1
    action permit
    match protocol icmp
    enable
  exit
  rule 2
    action permit
    match protocol vrrp
    enable
  exit
  rule 3
    action permit
    match protocol ah
    enable
  exit
exit

security passwords default-expired

nat source
  ruleset factory
    to zone untrusted
    rule 10
      description "replace 'source ip' by outgoing interface ip address"
      action source-nat interface
      enable
    exit
  exit
exit

ip dhcp-server
ip dhcp-server pool ap-pool
  network 192.168.1.0/24
  address-range 192.168.1.4-192.168.1.254
  default-router 192.168.1.1
  dns-server 192.168.1.1
  option 42 ip-address 192.168.1.1
  vendor-specific
    suboption 12 ascii-text "192.168.1.1"
    suboption 15 ascii-text "https://192.168.1.1:8043"
  exit
exit
ip dhcp-server pool users-pool
  network 192.168.2.0/24
  address-range 192.168.2.4-192.168.2.254
  default-router 192.168.2.1
  dns-server 192.168.2.1
exit
ip dhcp-server failover
  mode active-standby
  enable
exit

softgre-controller
  nas-ip-address 127.0.0.1
  failover
  data-tunnel configuration wlc
  aaa radius-profile default_radius
  keepalive-disable
  service-vlan add 3
  enable
exit

wlc
  outside-address 192.168.1.1
  service-activator
    aps join auto
  exit
  airtune
    enable
  exit
  failover
  ap-location default-location
    description "default-location"
    mode tunnel
    ap-profile default-ap
    ssid-profile default-ssid
  exit
  ssid-profile default-ssid
    description "default-ssid"
    ssid "default-ssid"
    radius-profile default-radius
    vlan-id 3
    security-mode WPA2_1X
    802.11kv
    band 2g
    band 5g
    enable
  exit
  ap-profile default-ap
    password ascii-text password
  exit
  radius-profile default-radius
    auth-address 192.168.1.1
    auth-password ascii-text password
    domain default
  exit
  ip-pool default-ip-pool
    description "default-ip-pool"
    ap-location default-location
  exit
  enable
exit

ip ssh server

clock timezone gmt +7

ntp enable
ntp server 100.110.0.65
  minpoll 1
  maxpoll 4
exit

crypto-sync
  remote-delete
  enable
exit

...
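Review bot: The new `bridge 2` block (static `ip address 192.0.3.2/24` / `192.0.3.1/24`, `vrrp id 4`, `vrrp ip 203.0.113.252/32`) brings VRRP up on a bridge in zone `untrusted`, but `security zone-pair untrusted self` still permits only the DHCP client exchange and has no `match protocol vrrp` rule, whereas every other zone that runs VRRP here (`trusted self` rule 11, `users self` rule 11, `SYNC self` rule 2) carries one; if the firewall behaves for this zone as it does for the others, the two units will not see each other's advertisements and both may claim master. I would add a rule to `untrusted self` in the same shape as `trusted self` rule 11 (`action permit` / `match protocol vrrp` / `enable`). With `ip address dhcp` gone from bridge 2, the existing rule 1 in that zone-pair (source `dhcp_server`, destination `dhcp_client`) appears to be dead configuration and should be removed or given a `description` explaining why it remains. The virtual address `203.0.113.252/32` is also outside the 192.0.3.0/24 subnet configured on the bridge, unlike the other bridges whose VIP sits inside the interface subnet — worth confirming that this is intended rather than a copy error.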