hostname esr-21-1
ip firewall sessions counters
object-group service ssh
port-range 22
exit
object-group service dhcp_server
port-range 67
exit
object-group service dhcp_client
port-range 68
exit
object-group service ntp
port-range 123
exit
object-group service OBJ_SVC_VPN
port-range 500
port-range 4500
exit
syslog max-files 3
syslog file-size 512
syslog sequence-numbers
syslog file tmpsys:syslog/default
severity info
exit
username admin
password encrypted $6$Yiowl5cYGbXIc3rE$LmaHnxnZCqN8uHDfytK9Mnwg3.lCIapFgP7kezlGPJX5TtdiaX4lHxEjRtvh6nXzV3bzJCa3nHPgNUhd9Dtf2.
exit
aaa authentication mode break
aaa authentication login CONSOLE radius local
aaa authentication login SSH radius local
aaa authentication enable default radius enable
radius-server host 10.4.0.248
key ascii-text encrypted A9B020579B141DFFB0269F00275C72E9
source-interface port-channel 1.300
exit
line console
login authentication CONSOLE
exit
line ssh
login authentication SSH
exit
system jumbo-frames
system config-confirm timeout 120
boot host auto-config
vlan 2,10
exit
no spanning-tree
security zone LAN
exit
security zone WAN
exit
security zone VPN
exit
ip bfd multiplier 3
route-map RM_BGP_OUT
rule 10
exit
exit
router bgp 65001
neighbor 2.2.2.2
remote-as 65002
ebgp-multihop 2
update-source 1.1.1.1
address-family ipv4 unicast
route-map RM_BGP_OUT out
enable
exit
enable
exit
address-family ipv4 unicast
network 192.168.100.0/24
exit
enable
exit
router ospf log-adjacency-changes
router ospf 555
router-id 1.1.1.1
area 0.0.0.0
network 10.255.254.0/24
network 1.1.1.1/32
enable
exit
enable
exit
bridge 1
vlan 1
security-zone WAN
ip address 11.11.11.11/24
enable
exit
interface port-channel 1
mtu 9100
exit
interface port-channel 1.300
description "MGM"
ip firewall disable
ip address 10.14.112.248/24
exit
interface port-channel 1.3
security-zone LAN
ip address 192.168.100.254/24
exit
interface gigabitethernet 1/0/1
description "WAN"
mode switchport
exit
interface gigabitethernet 1/0/2
description "WAN2"
mtu 9500
security-zone WAN
ip address 12.12.12.11/24
exit
interface gigabitethernet 1/0/2.555
shutdown
description "p2p_mpls"
mtu 9500
security-zone VPN
ip address 172.30.30.1/24
ip ospf instance 555
ip ospf mtu-ignore
ip ospf
exit
interface gigabitethernet 1/0/3
mode switchport
exit
interface gigabitethernet 1/0/4
mode switchport
exit
interface gigabitethernet 1/0/5
mode switchport
exit
interface gigabitethernet 1/0/6
mode switchport
exit
interface gigabitethernet 1/0/7
mode switchport
exit
interface gigabitethernet 1/0/8
mode switchport
channel-group 1 mode auto
exit
interface gigabitethernet 1/0/9
mode switchport
exit
interface gigabitethernet 1/0/10
mode switchport
exit
interface gigabitethernet 1/0/11
mode switchport
exit
interface gigabitethernet 1/0/12.100
exit
interface loopback 1
ip address 1.1.1.1/32
ip ospf instance 555
ip ospf mtu-ignore
ip ospf
exit
tunnel gre 101
mtu 1400
multipoint
security-zone VPN
local address 11.11.11.11
ip address 10.255.255.1/24
ip ospf instance 555
ip ospf mtu-ignore
ip ospf priority 5
ip ospf
ip bfd min-rx-interval 300
ip bfd min-tx-interval 300
ip bfd multiplier 3
ip nhrp authentication encrypted B18B2823930318AA
ip nhrp holding-time 300
ip nhrp ipsec IPSEC_VPN_HUB dynamic
ip nhrp multicast dynamic
ip nhrp enable
enable
exit
tunnel gre 102
mtu 1400
multipoint
security-zone VPN
local address 12.12.12.11
ip address 10.255.254.1/24
ip ospf instance 555
ip ospf mtu-ignore
ip ospf priority 5
ip ospf network point-to-point
ip ospf
ip nhrp authentication encrypted B18B2823930318AA
ip nhrp holding-time 300
ip nhrp ipsec IPSEC_VPN_HUB_102 dynamic
ip nhrp multicast dynamic
ip nhrp enable
exit
tunnel ip4ip4 1
exit
mpls
ldp
router-id 1.1.1.1
address-family ipv4
interface gigabitethernet 1/0/2.555
exit
exit
exit
l2vpn
pw-class L2_VPN
exit
p2p P2P_L2VPN
interface gigabitethernet 1/0/7
pw 102 2.2.2.2
pw-class L2_VPN
enable
exit
enable
exit
exit
forwarding interface gigabitethernet 1/0/2.555
exit
security zone-pair LAN VPN
rule 10
description "ANY"
action permit
enable
exit
exit
security zone-pair VPN LAN
rule 10
description "ANY"
action permit
enable
exit
exit
security zone-pair LAN self
rule 1
action permit
enable
exit
rule 2
exit
exit
security zone-pair WAN self
rule 1
description "GRE"
action permit
match protocol gre
enable
exit
rule 2
description "ISAKMP"
action permit
match protocol udp
match destination-port OBJ_SVC_VPN
enable
exit
rule 3
description "ESP"
action permit
match protocol esp
enable
exit
rule 10
description "ICMP"
action permit
match protocol icmp
enable
exit
exit
security zone-pair VPN self
rule 10
description "ANY"
action permit
enable
exit
exit
security ike proposal IKEPROP
encryption algorithm aes256
dh-group 2
exit
security ike proposal IKE_PROP_1
encryption algorithm aes128
dh-group 2
exit
security ike policy IKEPOLICY
pre-shared-key ascii-text encrypted 88B11079E15D1B
proposal IKEPROP
exit
security ike policy IKE_POL_1
pre-shared-key ascii-text encrypted 91B8083FE00447F6D804
proposal IKE_PROP_1
exit
security ike gateway IKEGW
ike-policy IKEPOLICY
local address 11.11.11.2
local network 11.11.11.2/32 protocol gre
remote address 11.11.11.1
remote network 11.11.11.1/32 protocol gre
mode policy-based
exit
security ike gateway IKE_GW_1
ike-policy IKE_POL_1
local address 11.11.11.11
local network 11.11.11.11/32 protocol gre
remote address any
remote network any
mode policy-based
exit
security ike gateway IKE_GW_2
ike-policy IKE_POL_1
local address 12.12.12.11
local network 12.12.12.11/32 protocol gre
remote address any
remote network any protocol gre
mode policy-based
exit
security ipsec proposal IPSECPROP
encryption algorithm aes128
exit
security ipsec proposal IPSEC_PROP_1
encryption algorithm aes128
exit
security ipsec policy IPSECPOLICY
proposal IPSECPROP
exit
security ipsec policy IPSEC_POL_1
proposal IPSEC_PROP_1
exit
security ipsec vpn IPSECVPN
mode ike
ike establish-tunnel route
ike gateway IKEGW
ike ipsec-policy IPSECPOLICY
enable
exit
security ipsec vpn IPSEC_VPN_HUB
mode ike
ike establish-tunnel route
ike gateway IKE_GW_1
ike ipsec-policy IPSEC_POL_1
enable
exit
security ipsec vpn IPSEC_VPN_HUB_102
mode ike
ike establish-tunnel route
ike gateway IKE_GW_2
ike ipsec-policy IPSEC_POL_1
enable
exit
security passwords default-expired
ip dhcp-server pool lan-pool
network 192.168.1.0/24
address-range 192.168.1.2-192.168.1.254
default-router 192.168.1.1
exit
ip route 0.0.0.0/0 10.14.112.254
ip ssh server
lldp enable
clock timezone gmt +4
ntp enable
ntp server 10.1.8.2
minpoll 4
exit
ntp server 10.1.8.1
minpoll 4
exit