...
Fig. 3.1 (Drawio diagram, not reproduced)
When configuring the ESR, follow these principles:
...
```
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
bridge 10
  description "users"
  security-zone users
  ip firewall disable
  ip address 192.168.132.1/22
  ip helper-address 100.123.0.2
  enable
exit
interface gigabitethernet 1/0/1.773500
  description "UpLink"
  security-zone untrusted
  ip address 172.31.240.3/29
exit
interface gigabitethernet 1/0/1.2300
  description "mgmt"
  security-zone trusted
  ip firewall disable
  ip address 100.123.0.176/24
exit
interface gigabitethernet 1/0/1.2336
  bridge-group 10
exit
interface gigabitethernet 1/0/1.2337
  bridge-group 10
exit
ip dhcp-relay
ip route 0.0.0.0/0 172.31.240.1
ip telnet server
ip ssh server
```
...
- Bridge 10 is the users zone.
  Important! Sub-interfaces gi1/0/1.2336 and gi1/0/1.2337 are members of bridge 10 and have no IP addresses of their own, so traffic arriving through these interfaces is treated as coming from the users zone. There is no need to configure a security-zone on these interfaces.
- Gi1/0/1.773500 is the untrusted zone, since this interface faces the Internet.
- Gi1/0/1.2300 is the trusted zone, since this interface is used for management and faces the operator's core network.
- All addresses configured directly on the ESR are considered to be in the self zone.
...
```
bridge 10
  no ip firewall disable
exit
interface gigabitethernet 1/0/1.773500
  no ip firewall disable
exit
interface gigabitethernet 1/0/1.2300
  no ip firewall disable
exit
```
...
```
object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group service dns
  port-range 53
exit
object-group service redirect
  port-range 3128-3131
exit
object-group network users
  ip prefix 192.168.132.0/22
exit
object-group network SoftWLC
  ip address-range 100.123.0.2
exit
radius-server timeout 10
radius-server retransmit 5
radius-server host 100.123.0.2
  key ascii-text encrypted 88B11079B9014FAAF7B9
  timeout 11
  priority 20
  source-address 100.123.0.176
  auth-port 31812
  acct-port 31813
  retransmit 10
  dead-interval 10
exit
aaa radius-profile PCRF
  radius-server host 100.123.0.2
exit
das-server COA
  key ascii-text encrypted 88B11079B9014FAAF7B9
  port 3799
  clients object-group SoftWLC
exit
aaa das-profile COA
  das-server COA
exit
security zone trusted
exit
security zone untrusted
exit
security zone users
exit
ip access-list extended WELCOME
  rule 1
    action permit
    match protocol tcp
    match destination-port 443
    enable
  exit
  rule 2
    action permit
    match protocol tcp
    match destination-port 8443
    enable
  exit
  rule 3
    action permit
    match protocol tcp
    match destination-port 80
    enable
  exit
  rule 4
    action permit
    match protocol tcp
    match destination-port 8080
    enable
  exit
exit
ip access-list extended INTERNET
  rule 1
    action permit
    enable
  exit
exit
ip access-list extended unauthUSER
  rule 1
    action permit
    match protocol udp
    match source-port 68
    match destination-port 67
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match destination-port 53
    enable
  exit
exit
subscriber-control filters-server-url http://100.123.0.2:7070/filters/file
subscriber-control
  aaa das-profile COA
  aaa sessions-radius-profile PCRF
  aaa services-radius-profile PCRF
  nas-ip-address 100.123.0.176
  session mac-authentication
  bypass-traffic-acl unauthUSER
  default-service
    class-map unauthUSER
    filter-name remote gosuslugi
    filter-action permit
    default-action redirect http://100.123.0.2:8080/eltex_portal/
  exit
  enable
exit
snmp-server
snmp-server system-shutdown
snmp-server community "private1" rw
snmp-server community "public11" ro
snmp-server host 100.123.0.2
  source-address 100.123.0.176
exit
bridge 10
  description "users"
  security-zone users
  ip address 192.168.132.1/22
  ip helper-address 100.123.0.2
  service-subscriber-control any
  location data10
  enable
exit
interface gigabitethernet 1/0/1.773500
  description "UpLink"
  security-zone untrusted
  ip address 172.31.240.3/29
exit
interface gigabitethernet 1/0/1.2300
  description "mgmt"
  security-zone trusted
  ip address 100.123.0.176/24
exit
interface gigabitethernet 1/0/1.2336
  bridge-group 10
exit
interface gigabitethernet 1/0/1.2337
  bridge-group 10
exit
security zone-pair users untrusted
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted self
  rule 1
    action permit
    enable
  exit
exit
security zone-pair trusted users
  rule 1
    action permit
    enable
  exit
exit
security zone-pair users self
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 2
    action permit
    match protocol tcp
    match destination-port redirect
    enable
  exit
exit
security zone-pair users trusted
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match destination-port dns
    enable
  exit
exit
nat source
  pool nat_addr
    ip address-range 172.31.240.3
  exit
  ruleset nat_source
    to zone untrusted
    rule 1
      match source-address users
      action source-nat pool nat_addr
      enable
    exit
  exit
exit
ip dhcp-relay
ip route 0.0.0.0/0 172.31.240.1
ip telnet server
ip ssh server
clock timezone gmt +7
ntp enable
ntp server 100.123.0.2
exit
```
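The zone model used above (an interface carries its own security-zone, a bridge member inherits the zone of its bridge, and each zone-pair spells out what is permitted between two zones) is easy to misread in a long configuration. The following Python script is an added example, not code from the page or from Eltex: it parses a constructed excerpt of the page's final configuration and reports each interface's effective zone and every enabled zone-pair rule, with the service object-groups expanded to their port numbers. It understands only the handful of commands this article uses; in the excerpt, gi1/0/1.2337 is deliberately left without `bridge-group 10` to show how an interface that ends up in no zone is reported.

```python
"""Resolve each interface's effective security zone and summarise zone-pair rules in an
Eltex ESR-style configuration. Added example, not code from the page or from Eltex; it
parses only the commands this article uses. CONFIG is a constructed excerpt of the page's
final config; gi1/0/1.2337 is deliberately left unbridged to show how it is reported."""

CONFIG = """\
object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
bridge 10
  security-zone users
exit
interface gigabitethernet 1/0/1.773500
  security-zone untrusted
exit
interface gigabitethernet 1/0/1.2336
  bridge-group 10
exit
interface gigabitethernet 1/0/1.2337
exit
security zone-pair users self
  rule 1
    action permit
    match protocol udp
    match source-port dhcp_client
    match destination-port dhcp_server
    enable
  exit
exit
"""


def parse(text):
    cfg = {"services": {}, "bridges": {}, "interfaces": {}, "pairs": {}}
    stack = []  # every open (kind, key) context; "exit" pops one level
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w == ["exit"]:
            stack.pop()
        elif w[:2] == ["object-group", "service"]:
            stack.append(("service", w[2]))
        elif w[0] == "bridge":
            stack.append(("bridge", w[1]))
        elif w[0] == "interface":
            cfg["interfaces"][" ".join(w[1:])] = {}
            stack.append(("interface", " ".join(w[1:])))
        elif w[:2] == ["security", "zone-pair"]:
            cfg["pairs"][(w[2], w[3])] = []
            stack.append(("pair", (w[2], w[3])))
        elif w[0] == "rule" and stack and stack[-1][0] == "pair":
            rule = {}
            cfg["pairs"][stack[-1][1]].append(rule)
            stack.append(("rule", rule))
        elif stack:  # attribute line of the innermost open context
            kind, key = stack[-1]
            if kind == "rule":  # action / match / enable, keyed by keyword
                key.setdefault(w[0], []).append(w[1:])
            elif kind == "service" and w[0] == "port-range":
                cfg["services"][key] = w[1]
            elif kind == "bridge" and w[0] == "security-zone":
                cfg["bridges"][key] = w[1]
            elif kind == "interface" and w[0] in ("security-zone", "bridge-group"):
                cfg["interfaces"][key][w[0]] = w[1]
    return cfg


def effective_zone(cfg, name):
    """Own security-zone wins; a bridge member inherits the bridge's zone."""
    iface = cfg["interfaces"][name]
    if "security-zone" in iface:
        return iface["security-zone"], "direct"
    bridge = iface.get("bridge-group")
    if bridge in cfg["bridges"]:
        return cfg["bridges"][bridge], "via bridge " + bridge
    return None, "unassigned"


def describe_rule(cfg, rule):
    # Expand service object-groups so the reader sees the real port numbers.
    parts = [f"{f}={v}({cfg['services'].get(v, '?')})" if f.endswith("-port") else f"{f}={v}"
             for f, v in rule.get("match", [])]
    return rule["action"][0][0] + " " + (" ".join(parts) if parts else "any")


def audit(text):
    """Zones per interface, enabled rules per zone-pair, and the interfaces left unzoned."""
    cfg = parse(text)
    zones = {n: effective_zone(cfg, n) for n in cfg["interfaces"]}
    pairs = {p: [describe_rule(cfg, r) for r in rs if "enable" in r] for p, rs in cfg["pairs"].items()}
    unassigned = [n for n, (z, _) in zones.items() if z is None]
    return {"zones": zones, "pairs": pairs, "unassigned": unassigned}


if __name__ == "__main__":
    print(audit(CONFIG))
```

Running it shows gi1/0/1.2336 landing in `users` via bridge 10 exactly as the note above describes, while gi1/0/1.2337 is listed under `unassigned`, which is the condition to look for when a bridge member silently drops out of the zone model. The zone-pair summary reads `permit protocol=udp source-port=dhcp_client(68) destination-port=dhcp_server(67)`, so what the users-to-self pair actually lets through can be checked without cross-referencing the object-groups by hand.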
...