...
Fig. 1. Network topology diagram.
...
hostname Alfa
security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone sidelinkneighbour
exit
security zone user
exit
interface gigabitethernet 1/0/1.206
description "VRF_AP"
security-zone gre
ip firewall disable
ip address 100.64.0.34/30
exit
interface gigabitethernet 1/0/1.208
description "VRF_BACKBONECORE"
security-zone trusted
ip firewall disable
ip address 100.64.0.42/30
exit
interface gigabitethernet 1/0/1.210
description "VRF_NAT"
security-zone untrusted
ip firewall disable
ip address 100.64.0.50/30
exit
ip telnet server
ip ssh server
...
hostname Beta
security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone sidelinkneighbour
exit
security zone user
exit
interface gigabitethernet 1/0/1.207
description "VRF_AP"
security-zone gre
ip firewall disable
ip address 100.64.0.38/30
exit
interface gigabitethernet 1/0/1.209
description "VRF_BACKBONECORE"
security-zone trusted
ip firewall disable
ip address 100.64.0.46/30
exit
interface gigabitethernet 1/0/1.211
description "VRF_NAT"
security-zone untrusted
ip firewall disable
ip address 100.64.0.54/30
exit
ip telnet server
ip ssh server
...
vlan 3
force-up
exit
vlan 10
force-up
exit
vlan 101
force-up
exit
vlan 9
exit
bridge 1
description "GRE_termination"
vlan 101
security-zone gre
ip firewall disable
ip address 192.168.200.51/28
vrrp id 1
vrrp ip 192.168.200.49/32
vrrp ip 192.168.200.50/32 secondary
vrrp priority 200
vrrp group 1
vrrp preempt disable
vrrp preempt delay 180
vrrp
enable
exit
bridge 3
description "mgmt_AP"
vlan 3
security-zone trusted
ip firewall disable
ip address 198.18.128.2/21
ip helper-address 100.123.0.2
ip helper-address vrrp-group 1
vrrp id 3
vrrp ip 198.18.128.1/32
vrrp priority 200
vrrp group 1
vrrp preempt disable
vrrp preempt delay 180
vrrp
protected-ports local
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
bridge 9
description "SideLinkneighbour"
vlan 9
security-zone sidelinkneighbour
ip firewall disable
ip address 100.64.0.57/30
enable
exit
bridge 10
description "data_AP"
vlan 10
security-zone user
ip firewall disable
ip address 198.18.136.2/22
ip helper-address 100.123.0.2
ip helper-address vrrp-group 1
vrrp id 10
vrrp ip 198.18.136.1/32
vrrp priority 200
vrrp group 1
vrrp preempt disable
vrrp preempt delay 180
vrrp
location data10
protected-ports local
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
interface gigabitethernet 1/0/2
description "SideLinkneighbour"
mode switchport
switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 3,9-10,101 tagged
exit
...
vlan 3
force-up
exit
vlan 10
force-up
exit
vlan 101
force-up
exit
vlan 9
exit
bridge 1
description "GRE_termination"
vlan 101
security-zone gre
ip firewall disable
ip address 192.168.200.52/28
vrrp id 1
vrrp ip 192.168.200.49/32
vrrp ip 192.168.200.50/32 secondary
vrrp priority 20
vrrp group 1
vrrp preempt disable
vrrp preempt delay 180
vrrp
enable
exit
bridge 3
description "mgmt_AP"
vlan 3
security-zone trusted
ip firewall disable
ip address 198.18.128.3/21
ip helper-address 100.123.0.2
ip helper-address vrrp-group 1
vrrp id 3
vrrp ip 198.18.128.1/32
vrrp priority 20
vrrp group 1
vrrp preempt disable
vrrp preempt delay 180
vrrp
protected-ports local
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
bridge 9
description "SideLinkneighbour"
vlan 9
security-zone sidelinkneighbour
ip firewall disable
ip address 100.64.0.58/30
enable
exit
bridge 10
description "data_AP"
vlan 10
security-zone user
ip firewall disable
ip address 198.18.136.3/22
ip helper-address 100.123.0.2
ip helper-address vrrp-group 1
vrrp id 10
vrrp ip 198.18.136.1/32
vrrp priority 20
vrrp group 1
vrrp preempt disable
vrrp preempt delay 180
vrrp
location data10
protected-ports local
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
interface gigabitethernet 1/0/2
description "SideLinkneighbour"
mode switchport
switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 3,9-10,101 tagged
exit
...
- From zone trusted we permit all traffic to zones self and trusted that originates from the SoftWLC subnet.
- We permit BGP into zone self on every uplink interface.
- From zone gre we permit all GRE traffic to the ESR.
- From zone user into zones trusted and self we permit DHCP packets (and DNS where required).
- From zone user into zone untrusted we permit all traffic.
- In the user to sidelink neighbour direction we permit DHCP, DNS and any traffic that is not destined to private subnets (this keeps Internet access working over the cross-link without letting users reach addresses in the internal subnets).
- In the sidelink neighbour to self direction we permit BGP.
- In the sidelink neighbour to untrusted direction we permit all traffic.
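An added example, not part of the original page and not Eltex code: a small Python linter for a zone-pair fragment copied from `show running-config`. It catches three slips that are easy to make when a policy like the one above is typed by hand: a rule number used twice (a second `rule N` re-enters the first rule instead of adding a new one), a `match` that references an object-group that was never defined, and a permit rule with no match clause, which opens that direction completely. The parser understands only the object-group, zone-pair and rule contexts, each closed by a bare `exit`; the sample fragment and the `SoftWLC` reference without a definition are constructed for the example.

```python
# Added example (not Eltex code): lint an ESR zone-pair firewall fragment.
# Only the contexts in OPENERS are modelled, each closed by a bare "exit",
# so feed it object-group / zone-pair blocks, not a whole running-config.
import re
from collections import defaultdict

OPENERS = ("object-group ", "security zone-pair ", "rule ")


def parse(text):
    """Yield (context_path, line); context_path holds the enclosing opener lines."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "exit":
            if stack:
                stack.pop()
            continue
        yield tuple(stack), line
        if line.startswith(OPENERS):
            stack.append(line)


def lint_firewall(text):
    """Report duplicate rule ids, undefined object-groups and unconditional permits."""
    items = list(parse(text))
    # object-group names are defined at top level: "object-group service ssh"
    groups = {l.split()[2] for ctx, l in items if not ctx and l.startswith("object-group ")}
    rules, matches, permits, findings = defaultdict(list), defaultdict(list), set(), []
    for ctx, line in items:
        if not ctx or not ctx[0].startswith("security zone-pair "):
            continue
        pair = ctx[0]
        if len(ctx) == 1 and line.startswith("rule "):
            rules[pair].append(line)
        elif len(ctx) == 2 and line == "action permit":
            permits.add((pair, ctx[1]))
        elif len(ctx) == 2 and line.startswith("match "):
            matches[(pair, ctx[1])].append(line)
            # source-/destination-address and -port clauses name an object-group
            ref = re.match(r"match (?:not )?\S+-(?:address|port) (\S+)$", line)
            if ref and ref.group(1) not in groups:
                findings.append(f"{pair} {ctx[1]}: undefined object-group {ref.group(1)}")
    for pair, ids in rules.items():
        for r in sorted({r for r in ids if ids.count(r) > 1}):
            findings.append(f"{pair}: duplicate {r} (second block re-enters the first rule instead of creating a new one)")
        for r in dict.fromkeys(ids):
            if (pair, r) in permits and not matches[(pair, r)]:
                findings.append(f"{pair} {r}: permits any traffic (no match clause)")
    return findings


# Constructed fragment: one object-group defined, rule 7 written twice, a
# reference to the never-defined SoftWLC group, and an any/any permit.
FW = """
object-group service ssh
port-range 22
exit
security zone-pair sidelinkneighbour self
rule 6
action permit
match source-address SoftWLC
enable
exit
rule 7
action permit
match protocol tcp
match destination-port telnet
enable
exit
rule 7
action permit
match protocol tcp
match destination-port ssh
enable
exit
exit
security zone-pair user untrusted
rule 1
action permit
enable
exit
exit
"""

if __name__ == "__main__":
    for finding in lint_firewall(FW):
        print(finding)
```

Run it against the `object-group` and `security zone-pair` part of each router's configuration before committing; an unconditional permit is expected for directions the policy above deliberately opens (user to untrusted, trusted to user) and is a finding for any other pair.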
...
Firewall settings on ESR 1 Alfa / ESR 2 Beta
object-group service telnet
port-range 23
exit
object-group service ssh
port-range 22
exit
object-group service dhcp_server
port-range 67
exit
object-group service dhcp_client
port-range 68
exit
object-group service bgp
port-range 179
exit
object-group service dns
port-range 53
exit
object-group network SoftWLC
ip prefix 100.123.0.0/24
exit
object-group network PrivateNetsnets
ip prefix 10.0.0.0/8
ip prefix 192.168.0.0/16
ip prefix 172.16.0.0/12
exit
security zone-pair gre self
rule 1
action permit
match protocol gre
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol icmp
enable
exit
rule 4
action permit
match protocol tcp
match destination-port bgp
enable
exit
exit
security zone-pair trusted self
rule 1
action permit
match protocol vrrp
enable
exit
rule 2
action permit
match protocol udp
match source-port dhcp_server
match destination-port dhcp_server
enable
exit
rule 3
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 4
action permit
match protocol icmp
enable
exit
rule 5
action permit
match source-address SoftWLC
enable
exit
rule 6
action permit
match protocol tcp
match destination-port bgp
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair user untrusted
rule 1
action permit
enable
exit
exit
security zone-pair user self
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
exit
security zone-pair user trusted
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 2
action permit
match protocol udp
match destination-port dns
enable
exit
exit
security zone-pair trusted user
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair gre gre
rule 1
action permit
enable
exit
exit
security zone-pair sidelinkneighbour self
rule 1
action permit
match protocol tcp
match destination-port bgp
enable
exit
rule 2
action permit
match protocol gre
enable
exit
rule 3
action permit
match protocol icmp
enable
exit
rule 4
action permit
match protocol udp
match source-port dhcp_server
match destination-port dhcp_server
enable
exit
rule 5
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 6
action permit
match source-address SoftWLC
enable
exit
rule 7
action permit
match protocol tcp
match destination-port ssh
enable
exit
exit
security zone-pair sidelinkneighbour trusted
rule 10
action permit
enable
exit
exit
security zone-pair sidelinkneighbour untrusted
rule 10
action permit
enable
exit
exit
security zone-pair sidelinkneighbour gre
rule 10
action permit
enable
exit
exit
security zone-pair sidelinkneighbour user
rule 10
action permit
enable
exit
exit
security zone-pair trusted sidelinkneighbour
rule 10
action permit
enable
exit
exit
security zone-pair gre sidelinkneighbour
rule 10
action permit
enable
exit
exit
security zone-pair user sidelinkneighbour
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 2
action permit
match protocol udp
match destination-port dns
enable
exit
rule 10
action permit
match not destination-address PrivateNetsnets
enable
exit
exit
security zone-pair untrusted self
rule 10
action permit
match protocol tcp
match destination-port bgp
enable
exit
exit
...
#!/usr/bin/clish
#18
#1.11.x
#07/05/2020
#20:46:29
hostname Alfa
object-group service telnet
port-range 23
exit
object-group service ssh
port-range 22
exit
object-group service dhcp_server
port-range 67
exit
object-group service dhcp_client
port-range 68
exit
object-group service bgp
port-range 179
exit
object-group service dns
port-range 53
exit
object-group network gre_termination
ip prefix 192.168.200.48/28
exit
object-group network mgmt_AP
ip prefix 198.18.128.0/21
ip prefix 198.18.136.0/22
ip prefix 100.64.0.56/30
exit
object-group network clients_AP
ip prefix 198.18.136.0/22
exit
object-group network SoftWLC
ip prefix 100.123.0.0/24
exit
object-group network PrivateNetsnets
ip prefix 10.0.0.0/8
ip prefix 192.168.0.0/16
ip prefix 172.16.0.0/12
exit
radius-server retransmit 2
radius-server host 100.123.0.2
key ascii-text encrypted 88B11079B9014FAAF7B9
timeout 5
source-address 198.18.128.2
auth-port 31812
acct-port 31813
dead-interval 10
exit
aaa radius-profile PCRF
radius-server host 100.123.0.2
exit
das-server COA
key ascii-text encrypted 88B11079B9014FAAF7B9
port 3799
clients object-group SoftWLC
exit
aaa das-profile COA
das-server COA
exit
vlan 3
force-up
exit
vlan 10
force-up
exit
vlan 101
force-up
exit
vlan 9
exit
security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone sidelinkneighbour
exit
security zone user
exit
route-map out_BGP_GRE
rule 10
match ip address object-group gre_termination
action permit
exit
exit
route-map out_BGP_AP
rule 10
match ip address object-group mgmt_AP
action permit
exit
exit
route-map out_BGP_NAT
rule 10
match ip address object-group clients_AP
action permit
exit
exit
route-map in_PREF
rule 10
action set local-preference 20
action permit
exit
exit
router bgp 64603
neighbor 100.64.0.33
remote-as 65001
update-source 100.64.0.34
address-family ipv4 unicast
route-map out_BGP_GRE out
enable
exit
enable
exit
neighbor 100.64.0.41
remote-as 65001
update-source 100.64.0.42
address-family ipv4 unicast
route-map out_BGP_AP out
enable
exit
enable
exit
neighbor 100.64.0.49
remote-as 65001
update-source 100.64.0.50
address-family ipv4 unicast
route-map out_BGP_NAT out
enable
exit
enable
exit
neighbor 100.64.0.58
remote-as 64603
update-source 100.64.0.57
address-family ipv4 unicast
route-map in_PREF in
next-hop-self
enable
exit
enable
exit
address-family ipv4 unicast
redistribute connected
redistribute static
exit
enable
exit
snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro
snmp-server community "private1" rw
snmp-server host 100.123.0.2
exit
snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment pwrin
snmp-server enable traps environment pwrin-insert
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps environment sfp-overheat-temp
snmp-server enable traps environment sfp-supercooling-temp
snmp-server enable traps environment switch-overheat-temp
snmp-server enable traps environment switch-supercooling-temp
snmp-server enable traps wifi
snmp-server enable traps wifi wifi-tunnels-number-in-bridge-high
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon supply
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog
bridge 1
description "GRE_termination"
vlan 101
security-zone gre
ip address 192.168.200.51/28
vrrp id 1
vrrp ip 192.168.200.49/32
vrrp ip 192.168.200.50/32 secondary
vrrp priority 200
vrrp group 1
vrrp preempt disable
vrrp preempt delay 180
vrrp
enable
exit
bridge 3
description "mgmt_AP"
vlan 3
security-zone trusted
ip address 198.18.128.2/21
ip helper-address 100.123.0.2
ip helper-address vrrp-group 1
vrrp id 3
vrrp ip 198.18.128.1/32
vrrp priority 200
vrrp group 1
vrrp preempt disable
vrrp preempt delay 180
vrrp
protected-ports local
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
bridge 9
description "SideLinkneighbour"
vlan 9
security-zone sidelinkneighbour
ip address 100.64.0.57/30
enable
exit
bridge 10
description "data_AP"
vlan 10
security-zone user
ip address 198.18.136.2/22
ip helper-address 100.123.0.2
ip helper-address vrrp-group 1
vrrp id 10
vrrp ip 198.18.136.1/32
vrrp priority 200
vrrp group 1
vrrp preempt disable
vrrp preempt delay 180
vrrp
location data10
protected-ports local
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
interface gigabitethernet 1/0/1.206
description "VRF_AP"
security-zone gre
ip address 100.64.0.34/30
exit
interface gigabitethernet 1/0/1.208
description "VRF_BACKBONECORE"
security-zone trusted
ip address 100.64.0.42/30
exit
interface gigabitethernet 1/0/1.210
description "VRF_NAT"
security-zone untrusted
ip address 100.64.0.50/30
exit
interface gigabitethernet 1/0/2
description "SideLinkneighbour"
mode switchport
switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 3,9-10,101 tagged
exit
tunnel softgre 1
mode management
local address 192.168.200.49
default-profile
enable
exit
tunnel softgre 1.1
bridge-group 3
enable
exit
tunnel softgre 2
mode data
local address 192.168.200.50
default-profile
enable
exit
security zone-pair gre self
rule 1
action permit
match protocol gre
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol icmp
enable
exit
rule 4
action permit
match protocol tcp
match destination-port bgp
enable
exit
exit
security zone-pair trusted self
rule 1
action permit
match protocol vrrp
enable
exit
rule 2
action permit
match protocol udp
match source-port dhcp_server
match destination-port dhcp_server
enable
exit
rule 3
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 4
action permit
match protocol icmp
enable
exit
rule 5
action permit
match source-address SoftWLC
enable
exit
rule 6
action permit
match protocol tcp
match destination-port bgp
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair user untrusted
rule 1
action permit
enable
exit
exit
security zone-pair user self
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
exit
security zone-pair user trusted
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 2
action permit
match protocol udp
match destination-port dns
enable
exit
exit
security zone-pair trusted user
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair gre gre
rule 1
action permit
enable
exit
exit
security zone-pair sidelinkneighbour self
rule 1
action permit
match protocol tcp
match destination-port bgp
enable
exit
rule 2
action permit
match protocol gre
enable
exit
rule 3
action permit
match protocol icmp
enable
exit
rule 4
action permit
match protocol udp
match source-port dhcp_server
match destination-port dhcp_server
enable
exit
rule 5
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 6
action permit
match source-address SoftWLC
enable
exit
rule 7
action permit
match protocol tcp
match destination-port ssh
enable
exit
exit
security zone-pair sidelinkneighbour trusted
rule 10
action permit
enable
exit
exit
security zone-pair sidelinkneighbour untrusted
rule 10
action permit
enable
exit
exit
security zone-pair sidelinkneighbour gre
rule 10
action permit
enable
exit
exit
security zone-pair sidelinkneighbour user
rule 10
action permit
enable
exit
exit
security zone-pair trusted sidelinkneighbour
rule 10
action permit
enable
exit
exit
security zone-pair gre sidelinkneighbour
rule 10
action permit
enable
exit
exit
security zone-pair user sidelinkneighbour
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 2
action permit
match protocol udp
match destination-port dns
enable
exit
rule 10
action permit
match not destination-address PrivateNetsnets
enable
exit
exit
security zone-pair untrusted self
rule 10
action permit
match protocol tcp
match destination-port bgp
enable
exit
exit
wireless-controller
peer-address 100.64.0.58
nas-ip-address 198.18.128.2
vrrp-group 1
data-tunnel configuration radius
aaa das-profile COA
aaa radius-profile PCRF
enable
exit
ip telnet server
ip ssh server
...
#!/usr/bin/clish
#18
#1.11.x
#07/05/2020
#20:46:29
hostname Beta
object-group service telnet
port-range 23
exit
object-group service ssh
port-range 22
exit
object-group service dhcp_server
port-range 67
exit
object-group service dhcp_client
port-range 68
exit
object-group service bgp
port-range 179
exit
object-group service dns
port-range 53
exit
object-group network gre_termination
ip prefix 192.168.200.48/28
exit
object-group network mgmt_AP
ip prefix 198.18.128.0/21
ip prefix 198.18.136.0/22
ip prefix 100.64.0.56/30
exit
object-group network clients_AP
ip prefix 198.18.136.0/22
exit
object-group network SoftWLC
ip prefix 100.123.0.0/24
exit
object-group network PrivateNetsnets
ip prefix 10.0.0.0/8
ip prefix 192.168.0.0/16
ip prefix 172.16.0.0/12
exit
radius-server retransmit 2
radius-server host 100.123.0.2
key ascii-text encrypted 88B11079B9014FAAF7B9
timeout 5
source-address 198.18.128.3
auth-port 31812
acct-port 31813
dead-interval 10
exit
aaa radius-profile PCRF
radius-server host 100.123.0.2
exit
das-server COA
key ascii-text encrypted 88B11079B9014FAAF7B9
port 3799
clients object-group SoftWLC
exit
aaa das-profile COA
das-server COA
exit
vlan 3
force-up
exit
vlan 10
force-up
exit
vlan 101
force-up
exit
vlan 9
exit
security zone trusted
exit
security zone untrusted
exit
security zone gre
exit
security zone sidelinkneighbour
exit
security zone user
exit
route-map out_BGP_GRE
rule 10
match ip address object-group gre_termination
action permit
exit
exit
route-map out_BGP_AP
rule 10
match ip address object-group mgmt_AP
action permit
exit
exit
route-map out_BGP_NAT
rule 10
match ip address object-group clients_AP
action permit
exit
exit
route-map in_PREF
rule 10
action set local-preference 20
action permit
exit
exit
router bgp 64603
neighbor 100.64.0.37
remote-as 65001
update-source 100.64.0.38
address-family ipv4 unicast
route-map out_BGP_GRE out
enable
exit
enable
exit
neighbor 100.64.0.45
remote-as 65001
update-source 100.64.0.46
address-family ipv4 unicast
route-map out_BGP_AP out
enable
exit
enable
exit
neighbor 100.64.0.53
remote-as 65001
update-source 100.64.0.54
address-family ipv4 unicast
route-map out_BGP_NAT out
enable
exit
enable
exit
neighbor 100.64.0.57
remote-as 64603
update-source 100.64.0.58
address-family ipv4 unicast
route-map in_PREF in
next-hop-self
enable
exit
enable
exit
address-family ipv4 unicast
redistribute connected
redistribute static
exit
enable
exit
snmp-server
snmp-server system-shutdown
snmp-server community "public11" ro
snmp-server community "private1" rw
snmp-server host 100.123.0.2
exit
snmp-server enable traps
snmp-server enable traps config
snmp-server enable traps config commit
snmp-server enable traps config confirm
snmp-server enable traps environment
snmp-server enable traps environment pwrin
snmp-server enable traps environment pwrin-insert
snmp-server enable traps environment fan
snmp-server enable traps environment fan-speed-changed
snmp-server enable traps environment fan-speed-high
snmp-server enable traps environment memory-flash-critical-low
snmp-server enable traps environment memory-flash-low
snmp-server enable traps environment memory-ram-critical-low
snmp-server enable traps environment memory-ram-low
snmp-server enable traps environment cpu-load
snmp-server enable traps environment cpu-critical-temp
snmp-server enable traps environment cpu-overheat-temp
snmp-server enable traps environment cpu-supercooling-temp
snmp-server enable traps environment board-overheat-temp
snmp-server enable traps environment board-supercooling-temp
snmp-server enable traps environment sfp-overheat-temp
snmp-server enable traps environment sfp-supercooling-temp
snmp-server enable traps environment switch-overheat-temp
snmp-server enable traps environment switch-supercooling-temp
snmp-server enable traps wifi
snmp-server enable traps wifi wifi-tunnels-number-in-bridge-high
snmp-server enable traps file-operations
snmp-server enable traps file-operations successful
snmp-server enable traps file-operations failed
snmp-server enable traps file-operations canceled
snmp-server enable traps interfaces
snmp-server enable traps interfaces rx-utilization-high
snmp-server enable traps interfaces tx-utilization-high
snmp-server enable traps interfaces number-high
snmp-server enable traps bras
snmp-server enable traps bras sessions-number-high
snmp-server enable traps screen
snmp-server enable traps screen dest-limit
snmp-server enable traps screen source-limit
snmp-server enable traps screen icmp-threshold
snmp-server enable traps screen udp-threshold
snmp-server enable traps screen syn-flood
snmp-server enable traps screen land
snmp-server enable traps screen winnuke
snmp-server enable traps screen icmp-frag
snmp-server enable traps screen udp-frag
snmp-server enable traps screen icmp-large
snmp-server enable traps screen syn-frag
snmp-server enable traps screen unknown-proto
snmp-server enable traps screen ip-frag
snmp-server enable traps screen port-scan
snmp-server enable traps screen ip-sweep
snmp-server enable traps screen syn-fin
snmp-server enable traps screen fin-no-ack
snmp-server enable traps screen no-flag
snmp-server enable traps screen spoofing
snmp-server enable traps screen reserved
snmp-server enable traps screen quench
snmp-server enable traps screen echo-request
snmp-server enable traps screen time-exceeded
snmp-server enable traps screen unreachable
snmp-server enable traps screen tcp-all-flags
snmp-server enable traps entity
snmp-server enable traps entity config-change
snmp-server enable traps entity-sensor
snmp-server enable traps entity-sensor threshold
snmp-server enable traps envmon
snmp-server enable traps envmon fan
snmp-server enable traps envmon shutdown
snmp-server enable traps envmon supply
snmp-server enable traps envmon temperature
snmp-server enable traps flash
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps snmp
snmp-server enable traps snmp authentication
snmp-server enable traps snmp coldstart
snmp-server enable traps snmp linkdown
snmp-server enable traps snmp linkup
snmp-server enable traps syslog
bridge 1
description "GRE_termination"
vlan 101
security-zone gre
ip address 192.168.200.52/28
vrrp id 1
vrrp ip 192.168.200.49/32
vrrp ip 192.168.200.50/32 secondary
vrrp priority 20
vrrp group 1
vrrp preempt disable
vrrp preempt delay 180
vrrp
enable
exit
bridge 3
description "mgmt_AP"
vlan 3
security-zone trusted
ip address 198.18.128.3/21
ip helper-address 100.123.0.2
ip helper-address vrrp-group 1
vrrp id 3
vrrp ip 198.18.128.1/32
vrrp priority 20
vrrp group 1
vrrp preempt disable
vrrp preempt delay 180
vrrp
protected-ports local
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
bridge 9
description "SideLinkneighbour"
vlan 9
security-zone sidelinkneighbour
ip address 100.64.0.58/30
enable
exit
bridge 10
description "data_AP"
vlan 10
security-zone user
ip address 198.18.136.3/22
ip helper-address 100.123.0.2
ip helper-address vrrp-group 1
vrrp id 10
vrrp ip 198.18.136.1/32
vrrp priority 20
vrrp group 1
vrrp preempt disable
vrrp preempt delay 180
vrrp
location data10
protected-ports local
protected-ports exclude vlan
ports vrrp filtering enable
ports vrrp filtering exclude vlan
enable
exit
interface gigabitethernet 1/0/1.207
description "VRF_AP"
security-zone gre
ip address 100.64.0.38/30
exit
interface gigabitethernet 1/0/1.209
description "VRF_BACKBONECORE"
security-zone trusted
ip address 100.64.0.46/30
exit
interface gigabitethernet 1/0/1.211
description "VRF_NAT"
security-zone untrusted
ip address 100.64.0.54/30
exit
interface gigabitethernet 1/0/2
description "SideLinkneighbour"
mode switchport
switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 3,9-10,101 tagged
exit
tunnel softgre 1
mode management
local address 192.168.200.49
default-profile
enable
exit
tunnel softgre 1.1
bridge-group 3
enable
exit
tunnel softgre 2
mode data
local address 192.168.200.50
default-profile
enable
exit
security zone-pair gre self
rule 1
action permit
match protocol gre
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
rule 3
action permit
match protocol icmp
enable
exit
rule 4
action permit
match protocol tcp
match destination-port bgp
enable
exit
exit
security zone-pair trusted self
rule 1
action permit
match protocol vrrp
enable
exit
rule 2
action permit
match protocol udp
match source-port dhcp_server
match destination-port dhcp_server
enable
exit
rule 3
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 4
action permit
match protocol icmp
enable
exit
rule 5
action permit
match source-address SoftWLC
enable
exit
rule 6
action permit
match protocol tcp
match destination-port bgp
enable
exit
exit
security zone-pair trusted trusted
rule 1
action permit
enable
exit
exit
security zone-pair user untrusted
rule 1
action permit
enable
exit
exit
security zone-pair user self
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 2
action permit
match protocol vrrp
enable
exit
exit
security zone-pair user trusted
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 2
action permit
match protocol udp
match destination-port dns
enable
exit
exit
security zone-pair trusted user
rule 1
action permit
enable
exit
exit
security zone-pair trusted untrusted
rule 1
action permit
enable
exit
exit
security zone-pair gre gre
rule 1
action permit
enable
exit
exit
security zone-pair sidelinkneighbour self
rule 1
action permit
match protocol tcp
match destination-port bgp
enable
exit
rule 2
action permit
match protocol gre
enable
exit
rule 3
action permit
match protocol icmp
enable
exit
rule 4
action permit
match protocol udp
match source-port dhcp_server
match destination-port dhcp_server
enable
exit
rule 5
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 6
action permit
match source-address SoftWLC
enable
exit
rule 7
action permit
match protocol tcp
match destination-port ssh
enable
exit
exit
security zone-pair sidelinkneighbour trusted
rule 10
action permit
enable
exit
exit
security zone-pair sidelinkneighbour untrusted
rule 10
action permit
enable
exit
exit
security zone-pair sidelinkneighbour gre
rule 10
action permit
enable
exit
exit
security zone-pair sidelinkneighbour user
rule 10
action permit
enable
exit
exit
security zone-pair trusted sidelinkneighbour
rule 10
action permit
enable
exit
exit
security zone-pair gre sidelinkneighbour
rule 10
action permit
enable
exit
exit
security zone-pair user sidelinkneighbour
rule 1
action permit
match protocol udp
match source-port dhcp_client
match destination-port dhcp_server
enable
exit
rule 2
action permit
match protocol udp
match destination-port dns
enable
exit
rule 10
action permit
match not destination-address PrivateNetsnets
enable
exit
exit
security zone-pair untrusted self
rule 10
action permit
match protocol tcp
match destination-port bgp
enable
exit
exit
wireless-controller
peer-address 100.64.0.57
nas-ip-address 198.18.128.3
vrrp-group 1
data-tunnel configuration radius
aaa das-profile COA
aaa radius-profile PCRF
enable
exit
ip telnet server
ip ssh server
...