...
| Раскрыть |
|---|
|
| Без форматирования |
|---|
#!/usr/bin/clish
#18
hostname Alfa
object-group network gre_termination
ip prefix 192.168.200.48/28
exit
object-group network mgmt_AP
ip prefix 198.18.128.0/21
ip prefix 198.18.192.0/19
ip prefix 100.64.0.56/30
ip prefix 198.19.0.0/19
exit
object-group network clients_AP
ip prefix 198.18.192.0/19
ip prefix 198.18.128.0/21
exit
object-group network clients_dpi
ip prefix 198.19.0.0/19
exit
object-group network SoftWLC
ip prefix 100.123.0.0/24
exit
ip vrf dpi
ip protocols bgp max-routes 250
exit
radius-server retransmit 2
radius-server host 100.123.0.2
key ascii-text testing123
timeout 5
priority 20
source-address 198.18.128.2
auth-port 31812
acct-port 31813
dead-interval 10
exit
aaa radius-profile PCRF
radius-server host 100.123.0.2
exit
das-server COA
key ascii-text testing123
port 3799
clients object-group SoftWLC
exit
aaa das-profile COA
das-server COA
exit
vlan 3
force-up
exit
vlan 10
force-up
exit
vlan 12
force-up
exit
vlan 101
force-up
exit
vlan 9,92
exit
security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone sidelinkneighbour
exit
security zone user
exit
security zone trusted_dpi
ip vrf forwarding dpi
exit
security zone untrusted_dp
ip vrf forwarding dpi
exit
security zone sidelinkneighbour_dpi
ip vrf forwarding dpi
exit
security zone user_dpi
ip vrf forwarding dpi
exit
route-map out_BGP_GRE
rule 1
match ip address object-group gre_termination
action set as-path prepend 64603 track 1
action set metric bgp 1000 track 1
action permit
exit
exit
route-map out_BGP_AP
rule 1
match ip address object-group mgmt_AP
action set as-path prepend 64603 track 1
action set metric bgp 1000 track 1
action permit
exit
exit
route-map out_BGP_NAT
rule 1
match ip address object-group clients_AP
action set as-path prepend 64603 track 1
action set metric bgp 1000 track 1
action permit
exit
exit
route-map in_PREF
rule 1
action set local-preference 90
action permit
exit
exit
route-map out_BGP_DPI
rule 1
match ip address object-group clients_dpi
action set as-path prepend 64603 track 1
action set metric bgp 1000 track 1
action permit
exit
exit
router bgp 64603
neighbor 100.64.0.33
remote-as 65001
update-source 100.64.0.34
address-family ipv4 unicast
route-map out_BGP_GRE out
enable
exit
enable
exit
neighbor 100.64.0.41
remote-as 65001
update-source 100.64.0.42
address-family ipv4 unicast
route-map out_BGP_AP out
enable
exit
enable
exit
neighbor 100.64.0.49
remote-as 65001
update-source 100.64.0.50
address-family ipv4 unicast
route-map out_BGP_NAT out
enable
exit
enable
exit
neighbor 100.64.0.58
remote-as 64603
update-source 100.64.0.57
address-family ipv4 unicast
route-map in_PREF in
next-hop-self
enable
exit
enable
exit
address-family ipv4 unicast
redistribute connected
redistribute static
exit
enable
vrf dpi
neighbor 100.64.0.73
remote-as 65001
update-source 100.64.0.74
address-family ipv4 unicast
route-map out_BGP_DPI out
enable
exit
enable
exit
neighbor 100.64.0.98
remote-as 64603
update-source 100.64.0.97
address-family ipv4 unicast
route-map in_PREF in
next-hop-self
enable
exit
enable
exit
address-family ipv4 unicast
redistribute connected
exit
enable
exit
exit
tracking 1
vrrp 3 not state master
enable
exit
bridge 1
description "GRE_termination"
vlan 101
security-zone gre
ip address 192.168.200.51/28
vrrp id 1
vrrp ip 192.168.200.49/32
vrrp ip 192.168.200.50/32 secondary
vrrp priority 200
vrrp group 1
vrrp preempt disable
vrrp preempt delay 150
vrrp timers garp delay 1
vrrp timers garp repeat 10
vrrp
protected-ports local
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
bridge 3
description "mgmt_AP"
vlan 3
security-zone trusted
ip address 198.18.128.2/21
ip helper-address 100.123.0.2
ip helper-address 100.123.0.3
ip helper-address vrrp-group 1
vrrp id 3
vrrp ip 198.18.128.1/32
vrrp priority 200
vrrp group 1
vrrp preempt disable
vrrp preempt delay 150
vrrp timers garp delay 1
vrrp timers garp repeat 10
vrrp
ip tcp adjust-mss 1400
protected-ports local
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
bridge 9
description "SideLinkneighbour"
vlan 9
security-zone sidelinkneighbour
ip address 100.64.0.57/30
ip tcp adjust-mss 1400
enable
exit
bridge 10
description "data1_AP"
vlan 10
unknown-unicast-forwarding disable
security-zone user
ip address 198.18.192.2/19
ip helper-address 100.123.0.2
ip helper-address vrrp-group 1
vrrp id 10
vrrp ip 198.18.192.1/32
vrrp priority 200
vrrp group 1
vrrp preempt disable
vrrp preempt delay 150
vrrp timers garp delay 1
vrrp timers garp repeat 10
vrrp
ip tcp adjust-mss 1400
location data10
protected-ports radius
protected-ports exclude vlan
enable
exit
bridge 12
ip vrf forwarding dpi
vlan 12
unknown-unicast-forwarding disable
security-zone user_dpi
ip address 198.19.0.2/19
ip helper-address 100.123.0.2
ip helper-address vrrp-group 1
vrrp id 12
vrrp ip 198.19.0.1/32
vrrp priority 200
vrrp group 1
vrrp preempt disable
vrrp preempt delay 150
vrrp timers garp delay 1
vrrp timers garp repeat 10
vrrp
ip tcp adjust-mss 1400
location data12
protected-ports radius
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
bridge 92
ip vrf forwarding dpi
description "SideLinkneighbour for VRF dpi"
vlan 92
security-zone sidelinkneighbour_dpi
ip address 100.64.0.97/30
ip tcp adjust-mss 1400
enable
exit
interface gigabitethernet 1/0/1
description "UpLink"
mode hybrid
exit
interface gigabitethernet 1/0/1.206
description "VRF_AP"
security-zone gre
ip address 100.64.0.34/30
exit
interface gigabitethernet 1/0/1.208
description "VRF_BACKBONECORE"
security-zone trusted
ip address 100.64.0.42/30
ip tcp adjust-mss 1400
exit
interface gigabitethernet 1/0/1.210
description "VRF_NAT"
security-zone untrusted
ip address 100.64.0.50/30
ip tcp adjust-mss 1400
exit
interface gigabitethernet 1/0/1.214
ip vrf forwarding dpi
description "br12_vrf"
security-zone untrusted_dp
ip address 100.64.0.74/30
ip tcp adjust-mss 1400
exit
interface gigabitethernet 1/0/2
description "SideLinkneighbour"
mode hybrid
switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 3,9-10,12,92,101 tagged
exit
tunnel lt 1
peer lt 2
security-zone trusted
ip address 10.200.200.1/30
enable
exit
tunnel lt 2
peer lt 1
ip vrf forwarding dpi
security-zone trusted_dpi
ip address 10.200.200.2/30
enable
exit
tunnel softgre 1
description "mgmt"
mode management
local address 192.168.200.49
default-profile
enable
exit
tunnel softgre 1.1
bridge-group 3
enable
exit
tunnel softgre 2
description "data"
mode data
local address 192.168.200.50
default-profile
enable
exit
snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro
snmp-server community "private1" rw
snmp-server host 100.123.0.2
source-address 198.18l.128.2
exit
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment pwrin
snmp-server enable traps environment pwrin-insert
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-dp-critical-temp
snmp-server enable traps environment cpu-dp-overheat-temp
snmp-server enable traps environment cpu-dp-supercooling-temp
snmp-server enable traps environment cpu-mgmt-critical-temp
snmp-server enable traps environment cpu-mgmt-overheat-temp
snmp-server enable traps environment cpu-mgmt-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps environment sfp-overheat-temp
snmp-server enable traps environment sfp-supercooling-temp
snmp-server enable traps environment switch-overheat-temp
snmp-server enable traps environment switch-supercooling-temp
snmp-server enable traps wifi
snmp-server enable traps wifi wifi-tunnels-number-in-bridge-high
snmp-server enable traps wifi wifi-tunnels-operation
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon supply
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog
security passwords history 0
ip dhcp-relay
ip route vrf dpi 100.123.0.0/24 10.200.200.1
ip route 198.19.0.0/19 10.200.200.2
wireless-controller
peer-address 100.64.0.58
nas-ip-address 198.18.128.2
vrrp-group 1
data-tunnel configuration radius
keepalive mode reactive
aaa das-profile COA
aaa radius-profile PCRF
enable
exit
ip telnet server
ip ssh server
ntp enable
ntp server 100.123.0.2
exit
|
|
...
| Раскрыть |
|---|
|
| Без форматирования |
|---|
#!/usr/bin/clish
#18
hostname Beta
object-group network gre_termination
ip prefix 192.168.200.48/28
exit
object-group network mgmt_AP
ip prefix 198.18.128.0/21
ip prefix 198.18.192.0/19
ip prefix 100.64.0.56/30
ip prefix 198.19.0.0/19
exit
object-group network clients_AP
ip prefix 198.18.192.0/19
ip prefix 198.18.128.0/21
exit
object-group network clients_dpi
ip prefix 198.19.0.0/19
exit
object-group network SoftWLC
ip prefix 100.123.0.0/24
exit
ip vrf dpi
ip protocols bgp max-routes 250
exit
radius-server retransmit 2
radius-server host 100.123.0.2
key ascii-text testing123
timeout 11
source-address 198.18.128.3
auth-port 31812
acct-port 31813
retransmit 2
dead-interval 10
exit
aaa radius-profile PCRF
radius-server host 100.123.0.2
exit
das-server COA
key ascii-text testing123
port 3799
clients object-group SoftWLC
exit
aaa das-profile COA
das-server COA
exit
vlan 3
force-up
exit
vlan 10
force-up
exit
vlan 12
force-up
exit
vlan 101
force-up
exit
vlan 9,92
exit
security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone sidelinkneighbour
exit
security zone user
exit
security zone trusted_dpi
ip vrf forwarding dpi
exit
security zone untrusted_dp
ip vrf forwarding dpi
exit
security zone sidelinkneighbour_dpi
ip vrf forwarding dpi
exit
security zone user_dpi
ip vrf forwarding dpi
exit
route-map out_BGP_GRE
rule 1
match ip address object-group gre_termination
action set as-path prepend 64603 track 1
action set metric bgp 1000 track 1
action permit
exit
exit
route-map out_BGP_AP
rule 1
match ip address object-group mgmt_AP
action set as-path prepend 64603 track 1
action set metric bgp 1000 track 1
action permit
exit
exit
route-map out_BGP_NAT
rule 1
match ip address object-group clients_AP
action set as-path prepend 64603 track 1
action set metric bgp 1000 track 1
action permit
exit
exit
route-map in_PREF
rule 1
action set local-preference 20
action permit
exit
exit
route-map out_BGP_DPI
rule 1
match ip address object-group clients_dpi
action set as-path prepend 64603 track 1
action set metric bgp 1000 track 1
action permit
exit
exit
router bgp 64603
neighbor 100.64.0.37
remote-as 65001
update-source 100.64.0.38
address-family ipv4 unicast
route-map out_BGP_GRE out
enable
exit
enable
exit
neighbor 100.64.0.45
remote-as 65001
update-source 100.64.0.46
address-family ipv4 unicast
route-map out_BGP_AP out
enable
exit
enable
exit
neighbor 100.64.0.53
remote-as 65001
update-source 100.64.0.54
address-family ipv4 unicast
route-map out_BGP_NAT out
enable
exit
enable
exit
neighbor 100.64.0.57
remote-as 64603
update-source 100.64.0.58
address-family ipv4 unicast
route-map in_PREF in
next-hop-self
enable
exit
enable
exit
address-family ipv4 unicast
redistribute connected
redistribute static
exit
enable
vrf dpi
neighbor 100.64.0.77
remote-as 65001
update-source 100.64.0.78
address-family ipv4 unicast
route-map out_BGP_DPI out
enable
exit
enable
exit
neighbor 100.64.0.97
remote-as 64603
update-source 100.64.0.98
address-family ipv4 unicast
route-map in_PREF in
next-hop-self
enable
exit
enable
exit
address-family ipv4 unicast
redistribute connected
exit
enable
exit
exit
tracking 1
vrrp 3 not state master
enable
exit
bridge 1
description "GRE_termination"
vlan 101
security-zone gre
ip address 192.168.200.52/28
vrrp id 1
vrrp ip 192.168.200.49/32
vrrp ip 192.168.200.50/32 secondary
vrrp priority 190
vrrp group 1
vrrp preempt disable
vrrp preempt delay 150
vrrp timers garp delay 1
vrrp timers garp repeat 10
vrrp
enable
exit
bridge 3
description "mgmt_AP"
vlan 3
security-zone trusted
ip address 198.18.128.3/21
ip helper-address 100.123.0.2
ip helper-address vrrp-group 1
vrrp id 3
vrrp ip 198.18.128.1/32
vrrp priority 190
vrrp group 1
vrrp preempt disable
vrrp preempt delay 150
vrrp timers garp delay 1
vrrp timers garp repeat 10
vrrp
ip tcp adjust-mss 1400
protected-ports local
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
bridge 9
description "SideLinkneighbour"
vlan 9
security-zone sidelinkneighbour
ip address 100.64.0.58/30
ip tcp adjust-mss 1400
enable
exit
bridge 10
description "data1_AP"
vlan 10
unknown-unicast-forwarding disable
security-zone user
ip address 198.18.192.3/19
ip helper-address 100.123.0.2
ip helper-address vrrp-group 1
vrrp id 10
vrrp ip 198.18.192.1/32
vrrp priority 190
vrrp group 1
vrrp preempt disable
vrrp preempt delay 150
vrrp timers garp delay 1
vrrp timers garp repeat 10
vrrp
ip tcp adjust-mss 1400
location data10
protected-ports radius
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
bridge 12
ip vrf forwarding dpi
vlan 12
unknown-unicast-forwarding disable
security-zone user_dpi
ip address 198.19.0.3/19
ip helper-address 100.123.0.2
ip helper-address vrrp-group 1
vrrp id 12
vrrp ip 198.19.0.1/32
vrrp priority 190
vrrp group 1
vrrp preempt disable
vrrp preempt delay 150
vrrp timers garp delay 1
vrrp timers garp repeat 10
vrrp
ip tcp adjust-mss 1400
location data12
protected-ports radius
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
bridge 92
ip vrf forwarding dpi
description "SideLinkneighbour for VRF dpi"
vlan 92
security-zone sidelinkneighbour_dpi
ip address 100.64.0.98/30
ip tcp adjust-mss 1400
enable
exit
interface gigabitethernet 1/0/1
mode hybrid
switchport forbidden default-vlan
exit
interface gigabitethernet 1/0/1.207
description "VRF_AP"
security-zone gre
ip address 100.64.0.38/30
exit
interface gigabitethernet 1/0/1.209
description "VRF_BACKBONECORE"
security-zone trusted
ip address 100.64.0.46/30
ip tcp adjust-mss 1400
exit
interface gigabitethernet 1/0/1.211
description "VRF_NAT"
security-zone untrusted
ip address 100.64.0.54/30
ip tcp adjust-mss 1400
exit
interface gigabitethernet 1/0/1.215
ip vrf forwarding dpi
description "dpi_vrf"
security-zone untrusted_dp
ip address 100.64.0.78/30
ip tcp adjust-mss 1400
exit
interface gigabitethernet 1/0/2
description "SideLinkneighbour"
mode hybrid
switchport forbidden default-vlan
switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 3,9-10,12,92,101 tagged
exit
tunnel lt 1
peer lt 2
security-zone trusted
ip address 10.200.200.5/30
enable
exit
tunnel lt 2
peer lt 1
ip vrf forwarding dpi
ip address 10.200.200.6/30
enable
exit
tunnel softgre 1
description "mgmt"
mode management
local address 192.168.200.49
default-profile
enable
exit
tunnel softgre 1.1
bridge-group 3
enable
exit
tunnel softgre 2
description "data"
mode data
local address 192.168.200.50
default-profile
enable
exit
snmp-server
snmp-server community "public11" ro
snmp-server community "private1" rw
snmp-server host 100.123.0.2
source-address 198.18.128.3
exit
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment pwrin
snmp-server enable traps environment pwrin-insert
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-dp-critical-temp
snmp-server enable traps environment cpu-dp-overheat-temp
snmp-server enable traps environment cpu-dp-supercooling-temp
snmp-server enable traps environment cpu-mgmt-critical-temp
snmp-server enable traps environment cpu-mgmt-overheat-temp
snmp-server enable traps environment cpu-mgmt-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps environment sfp-overheat-temp
snmp-server enable traps environment sfp-supercooling-temp
snmp-server enable traps environment switch-overheat-temp
snmp-server enable traps environment switch-supercooling-temp
snmp-server enable traps wifi
snmp-server enable traps wifi wifi-tunnels-number-in-bridge-high
snmp-server enable traps wifi wifi-tunnels-operation
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon supply
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog
security passwords history 0
ip dhcp-relay
ip route vrf dpi 100.123.0.0/24 10.200.200.5
ip route 198.19.0.0/19 10.200.200.6
wireless-controller
peer-address 100.64.0.57
nas-ip-address 198.18.128.3
vrrp-group 1
data-tunnel configuration radius
aaa das-profile COA
aaa radius-profile PCRF
enable
exit
ip telnet server
ip ssh server
ntp enable
ntp server 100.123.0.2
exit
|
|
...
| Раскрыть |
|---|
| title | Alfa/Beta security zone |
|---|
|
| Без форматирования |
|---|
security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone sidelinkneighbour
exit
security zone user
exit
security zone trusted_dpi
ip vrf forwarding dpi
exit
security zone untrusted_dp
ip vrf forwarding dpi
exit
security zone sidelinkneighbour_dpi
ip vrf forwarding dpi
exit
security zone user_dpi
ip vrf forwarding dpi
exit |
|
Создадим object-group, для использования в правилах файрвола. Они будут одинаковые, за исключением адресов BGP-соседей. Будут приведены object-group network BGPneighbours cross с указанием для Alfa или для Beta предназначена настройка.
| Раскрыть |
|---|
| title | Alfa/Beta object-group |
|---|
|
| Без форматирования |
|---|
object-group service dhcp_server
port-range 67
exit
object-group service dhcp_client
port-range 68
exit
object-group service redirect
port-range 3128-3142
port-range 3143-3157
exit
object-group service bgp
port-range 179
exit
object-group service dns
port-range 53
exit
object-group network Admnet
ip prefix 100.123.0.0/24
ip prefix 192.168.0.0/16
exit
#Alfa
object-group network BGPneighbourscross
ip address-range 100.64.0.33
ip address-range 100.64.0.41
ip address-range 100.64.0.49
ip address-range 100.64.0.58
ip address-range 100.64.0.73
ip address-range 100.64.0.98
exit
#Beta
object-group network BGPneighbourscross
ip address-range 100.64.0.37
ip address-range 100.64.0.45
ip address-range 100.64.0.53
ip address-range 100.64.0.57
ip address-range 100.64.0.77
ip address-range 100.64.0.97
exit
object-group network PrivateNetsnets
ip prefix 10.0.0.0/8
ip prefix 192.168.0.0/16
ip prefix 172.16.0.0/12
ip prefix 100.64.0.0/10
exit |
|
...
| Раскрыть |
|---|
| title | Alfa/Beta security-zone pair VRF default |
|---|
|
| Без форматирования |
|---|
security zone-pair gre self
rule 1
action permit
match protocol gre
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol icmp
enable
exit
rule 4
action permit
match protocol tcp
match source-address BGPneighbourscross
match destination-port bgp
enable
exit
exit
security zone-pair gre gre
rule 1
action permit
enable
exit
exit
security zone-pair trusted self
rule 1
action permit
match protocol vrrp
enable
exit
rule 2
action permit
match protocol udp
match source-port dhcp_server
match destination-port dhcp_server
enable
exit
rule 3
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 4
action permit
match protocol icmp
enable
exit
rule 5
action permit
match source-address SoftWLC
enable
exit
rule 6
action permit
match source-address Admnet
enable
exit
rule 7
action permit
match protocol tcp
match source-address BGPneighbourscross
match destination-port bgp
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted user
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair trusted gre
rule 1
action permit
enable
exit
exit
security zone-pair trusted sidelinkneighbour
rule 1
action permit
enable
exit
exit
security zone-pair user self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 3
action permit
match protocol tcp
match destination-port redirect
enable
exit
rule 4
action permit
match protocol vrrp
enable
exit
rule 5
action permit
match protocol udp
match source-port dhcp_server
match destination-port dhcp_server
enable
exit
exit
security zone-pair user untrusted
rule 1
action permit
enable
exit
exit
security zone-pair user trusted
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 2
action permit
match protocol udp
match destination-port dns
enable
exit
exit
security zone-pair user sidelinkneighbour
rule 1
action permit
match protocol udp
match destination-port dns
enable
exit
rule 2
action permit
match not source-address PrivateNetsnets
enable
exit
exit
security zone-pair untrusted self
rule 1
action permit
match protocol tcp
match source-address BGPneighbourscross
match destination-port bgp
enable
exit
exit
security zone-pair sidelinkneighbour self
rule 1
action permit
match protocol tcp
match destination-port bgp
enable
exit
rule 2
action permit
match protocol gre
enable
exit
rule 3
action permit
match protocol icmp
enable
exit
rule 4
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 5
action permit
match protocol udp
match source-port dhcp_server
match destination-port dhcp_server
enable
exit
rule 6
action permit
match source-address SoftWLC
enable
exit
rule 7
action permit
match source-address Admnet
enable
exit
security zone-pair sidelinkneighbour trusted
rule 1
action permit
enable
exit
exit
security zone-pair sidelinkneighbour untrusted
rule 1
action permit
enable
exit
exit
security zone-pair sidelinkneighbour gre
rule 1
action permit
enable
exit
exit
security zone-pair sidelinkneighbour user
rule 11
action permit
enable
exit
exit
|
|
...
| Раскрыть |
|---|
| title | Alfa/Beta security zone-pair VRF dpi |
|---|
|
| Без форматирования |
|---|
security zone-pair trusted_dpi self
rule 1
action permit
enable
exit
exit
security zone-pair trusted_dpi user_dpi
rule 1
action permit
enable
exit
exit
security zone-pair trusted_dpi sidelinkneighbour_dpi
rule 1
action permit
enable
exit
exit
security zone-pair user_dpi self
rule 1
action permit
match protocol icmp
enable
exit
rule 2
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 3
action permit
match protocol tcp
match destination-port redirect
enable
exit
rule 4
action permit
match protocol vrrp
enable
exit
rule 5
action permit
match protocol udp
match source-port dhcp_server
match destination-port dhcp_server
enable
exit
exit
security zone-pair user_dpi untrusted_dp
rule 1
action permit
enable
exit
exit
security zone-pair user_dpi trusted_dpi
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 1
action permit
match protocol udp
match source-port dhcp_server
match destination-port dhcp_server
enable
exit
exit
security zone-pair user_dpi sidelinkneighbour_dpi
rule 1
action permit
match protocol udp
match destination-port dns
enable
exit
rule 2
action permit
match not source-address PrivateNetsnets
enable
exit
exit
security zone-pair untrusted_dp self
rule 1
action permit
match protocol tcp
match source-address BGPneighbourscross
match destination-port bgp
enable
exit
exit
security zone-pair sidelinkneighbour_dpi self
rule 1
action permit
match protocol tcp
match destination-port bgp
enable
exit
rule 2
action permit
match protocol gre
enable
exit
rule 3
action permit
match protocol icmp
enable
exit
rule 4
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 5
action permit
match protocol udp
match source-port dhcp_server
match destination-port dhcp_server
enable
exit
rule 6
action permit
match source-address SoftWLC
enable
exit
rule 7
action permit
match source-address Admnet
enable
exit
security zone-pair sidelinkneighbour_dpi trusted_dpi
rule 1
action permit
enable
exit
exit
security zone-pair sidelinkneighbour_dpi untrusted_dp
rule 1
action permit
enable
exit
exit
security zone-pair sidelinkneighbour_dpi user_dpi
rule 11
action permit
enable
exit
exit |
|
...