הגדרת נתבי סיסקו
נכתב על ידי אלי קנדל
הגדרת MultiLink כולל הגדרות פיזיות על גבי ה-INTERFACE
! Physical side of member link 1: E1 controller 12/1/0 with all 31 timeslots in
! channel-group 0. This presumably creates the Serial12/1/0:0 interface used below.
controller E1 12/1/0
channel-group 0 timeslots 1-31
description !*E1 to Moked Concord|13-119-508| PP45
!
!
! Member link 1 of the bundle. It carries no IP address of its own: addressing and
! routing behaviour are configured once on interface Multilink1.
interface Serial12/1/0:0
description @! E1 from Vered-Sec To R-Moked-Concors-Sec 2M
bandwidth 2000
no ip address
! Refuse directed broadcasts so the link cannot serve as a broadcast amplifier.
no ip directed-broadcast
encapsulation ppp
load-interval 30
tx-queue-limit 26
ppp multilink
! Joins this link to bundle 1 (interface Multilink1).
multilink-group 1
! NOTE(review): `end` returns to privileged EXEC; when pasting these sections as one
! batch, re-enter `configure terminal` before the next section.
end
!
!
! Physical side of member link 2: E1 controller 12/1/6, all 31 timeslots in
! channel-group 0 (presumably yields Serial12/1/6:0 below).
controller E1 12/1/6
channel-group 0 timeslots 1-31
description E1 to Moked Concord-sec Panel A-27
!
!
! Member link 2 of the bundle; same settings as Serial12/1/0:0 so both links
! behave identically inside multilink-group 1.
interface Serial12/1/6:0
description @! * E1 Vered-Sec To ConCord port A-27 ADM-2 TAG 21
bandwidth 2000
no ip address
! Refuse directed broadcasts (broadcast-amplification hardening).
no ip directed-broadcast
encapsulation ppp
load-interval 30
tx-queue-limit 26
ppp multilink
! Joins this link to bundle 1 (interface Multilink1).
multilink-group 1
! NOTE(review): `end` drops to privileged EXEC; re-enter `configure terminal` before
! pasting the next section.
end
!
!
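! Bundle interface: both E1 member links above aggregate here (multilink-group 1).
! The bundle carries the IP address and all routing-related settings.
interface Multilink1
bandwidth 2000
ip address 10.7.140.1 255.255.255.0
no ip directed-broadcast
! Per-packet load sharing spreads packets over both E1s; it can reorder packets
! within a flow, which VoIP and some TCP stacks tolerate poorly. Per-destination
! sharing avoids reordering at the cost of less even link usage.
ip load-sharing per-packet
! Advertises a 0.0.0.0/0 summary into EIGRP AS 110 out of this interface with
! administrative distance 200. Confirm this is intended on every router that
! receives this template: a default summary on the wrong router black-holes traffic.
ip summary-address eigrp 110 0.0.0.0 0.0.0.0 200
ip route-cache flow input
delay 1900
ppp multilink
no ppp multilink fragmentation
multilink-group 1
no shut
! NOTE(review): `end` drops to privileged EXEC; re-enter `configure terminal` before
! pasting the next section.
end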
!
################################################################
הגדרת Site To Site VPN
! IKE phase 1 policy. MD5 and DH group 2 are deprecated; where the peer supports it
! prefer a SHA-2 hash and DH group 14 or higher.
crypto isakmp policy 10
hash md5
group 2
authentication pre-share
lifetime 3600
!
! Pre-shared key for peer 10.57.32.70, stored here in cleartext. A PSK that appears
! in a shared document must be treated as disclosed and rotated; keep the real key
! out of the template (use a placeholder) and enable `service password-encryption`
! or the AES password-encryption feature so it is not shown in plain text.
crypto isakmp key isrlaw002 address 10.57.32.70
! Dead-peer detection every 10 s so a failed peer is noticed and the SA torn down.
crypto isakmp keepalive 10
!
!
! IPsec phase 2 transform. esp-des is 56-bit DES and esp-md5-hmac is MD5; both are
! deprecated. Prefer esp-aes with esp-sha-hmac (or stronger) if the peer allows it.
crypto ipsec transform-set ADSL esp-des esp-md5-hmac
!
! Source address for IKE/IPsec is taken from Ethernet0/1. NOTE(review): the crypto
! map is applied to ethernet0/0 below, not Ethernet0/1 — confirm which interface
! faces the peer; normally the local-address interface is the one the map is bound
! to (or a loopback reachable from the peer).
crypto map VPN_ADSL Local-address Ethernet0/1
!
crypto map VPN_ADSL 10 ipsec-isakmp
set peer 10.57.32.70
set transform-set ADSL
! Interesting traffic is defined by access-list 100 (below).
match address 100
!
! Crypto ACL: traffic from 10.180.102.0/24 to 10.0.0.0/8 and 192.168.0.0/16 is
! encrypted; everything else leaves the interface in the clear.
! NOTE(review): ACL number 100 is also used by the QoS, WCCP and ISDN examples
! later in this document. They are separate examples; on one device each must get
! its own ACL number or the entries merge.
access-list 100 permit ip 10.180.102.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.180.102.0 0.0.0.255 192.168.0.0 0.0.255.255
!
! Binds the crypto map to the interface (see the Local-address note above).
int ethernet0/0
crypto map VPN_ADSL
!
################################################################
הגדרת Easy VPN
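! Easy VPN remote (client) profile "vpn_store" towards server 10.57.32.70.
crypto ipsec client ezvpn vpn_store
! Tunnel is brought up automatically, not on demand.
connect auto
! Group name and group pre-shared key, stored in cleartext. A group key that is
! printed in a shared document must be treated as disclosed and rotated; keep a
! placeholder in the template and consider per-user authentication (Xauth) on top.
group vpn_store key adsl2store
! network-extension: the inside LAN keeps its own addressing (no NAT to a pool).
mode network-extension
peer 10.57.32.70
!
! Ethernet0 is the protected (inside) side ...
interface Ethernet0
crypto ipsec client ezvpn vpn_store inside
!
! ... and Dialer0 is the outside interface the tunnel terminates on.
interface Dialer0
crypto ipsec client ezvpn vpn_store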
!
################################################################
הגדרת Control Plane
Control-plane Police !!!!!!!
!
! CoPP telnet class. In a class-map ACL "deny" means "not in this class", so the
! management stations listed here are exempt from the rate limit and every other
! source of Telnet *to the router* is matched and policed to 80 kbit/s below.
! NOTE(review): 10.1.30.81 is exempted in ACLs 141/142 but not here — confirm
! whether it is a management station. Unlike 141/142 there is no `no access-list 140`
! first, so pasting onto a device that already has ACL 140 appends to it.
! Telnet is cleartext; the longer-term fix is SSH with `transport input ssh` on the
! vty lines rather than rate-limiting Telnet.
access-list 140 deny tcp host 10.1.30.82 any eq telnet
access-list 140 deny tcp host 10.1.30.142 any eq telnet
access-list 140 deny tcp host 10.57.7.207 any eq telnet
access-list 140 deny tcp host 10.57.7.99 any eq telnet
access-list 140 deny tcp host 10.57.4.222 any eq telnet
access-list 140 deny tcp 10.53.102.0 0.0.0.255 any eq telnet
access-list 140 permit tcp any any eq telnet
access-list 140 remark Telnet Limit to 80K bit except the Mengment Stations
!
class-map telnet-class
description Telnet Limit to 80K bit except the Mengment Stations
match access-group 140
exit
!
!
!
! CoPP SNMP class. NOTE(review): this ACL is the inverse of 140/142 — it *permits*
! the authorized stations and denies everyone else, so the class matches (and the
! 80 kbit/s policer applies to) the authorized stations, while SNMP from any other
! source falls through to class-default and is not limited here at all. Unauthorized
! SNMP should be rejected by an ACL on `snmp-server community`, and if the intent was
! to police only outsiders, the permit/deny sense of this ACL needs to be reversed.
no access-list 141
access-list 141 permit udp host 10.1.30.81 any eq snmp
access-list 141 permit udp host 10.1.30.82 any eq snmp
access-list 141 permit udp host 10.57.7.99 any eq snmp
access-list 141 permit udp host 10.57.4.222 any eq snmp
access-list 141 permit udp host 10.1.30.142 any eq snmp
access-list 141 permit udp host 10.57.7.207 any eq snmp
access-list 141 permit udp 10.53.102.0 0.0.0.255 any eq snmp
access-list 141 deny udp any any eq snmp
access-list 141 remark Snmp Limit to 80K bit
!
class-map snmp-class
description Snmp Limit to 80K bit To the authorized Station
match access-group 141
exit
!
!
!
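! CoPP ICMP class. "deny" entries exempt the management stations; "permit" entries
! put echo and port-unreachable from every other source into icmp-class, which the
! policy-map drops. Dropping inbound port-unreachable from everyone else affects
! traceroute/UDP probes *originated by the router* — presumably acceptable, confirm.
no access-list 142
access-list 142 deny icmp host 10.1.30.81 any echo
access-list 142 deny icmp host 10.1.30.82 any echo
access-list 142 deny icmp host 10.1.30.142 any echo
access-list 142 deny icmp host 10.57.4.222 any echo
access-list 142 deny icmp host 10.57.7.99 any echo
access-list 142 deny icmp host 10.57.7.207 any echo
access-list 142 deny icmp 10.53.102.0 0.0.0.255 any port-unreachable
access-list 142 deny icmp 10.53.102.0 0.0.0.255 any echo
access-list 142 permit icmp any any port-unreachable
access-list 142 permit icmp any any echo
access-list 142 remark Drop All ICMP except the Mengment Stations
!
class-map icmp-class
description Drop All ICMP except the Mengment Stations
match access-group 142
exit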
!
!
!
! CoPP policy: telnet and SNMP classes policed to 80 kbit/s, ICMP class dropped.
! NOTE(review): inside a policy-map the syntax is `class <name>`; `match-any` is a
! class-map keyword. Verify `class match-any telnet-class` is accepted on the target
! IOS — it may need to be `class telnet-class` (same for the other two classes).
! class-default has no action, so all other control-plane traffic is unlimited.
policy-map control-plane-policy
!
class match-any telnet-class
police 80000 conform-action transmit exceed-action drop
exit
!
class match-any snmp-class
police 80000 conform-action transmit exceed-action drop
exit
!
class match-any icmp-class
drop
exit
!
class class-default
!
!
! Attach the policy to traffic punted to the route processor (input direction).
control-plane
service-policy input control-plane-policy
exit
!
################################################################
הגדרת IP Alias כולל הגדרת Rotary
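! `ip alias <address> <tcp-port>` answers on an extra IP address for one TCP port,
! so a reverse-Telnet line or rotary group can be reached by address instead of by
! port number. Ports 3001/3002/3011/3012 look like rotary groups (3000+rotary) and
! 2136-2139 like individual lines (2000+line) — verify against the `line`/`rotary`
! configuration. These are cleartext reverse-Telnet entry points; restrict who can
! reach them with an access-class on the lines.
ip alias 10.202.200.41 3011
ip alias 10.202.200.42 3012
ip alias 10.202.200.51 3001
ip alias 10.202.200.52 3002
ip alias 10.202.200.136 2136
ip alias 10.202.200.137 2137
ip alias 10.202.200.138 2138
ip alias 10.202.200.139 2139
!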
################################################################
הגדרת QoS
! QoS classification. NOTE(review): each class matches a *numbered* ACL (100, 110,
! 120, 130, 140) that is not defined in this section, while the named ACLs defined
! below (CITRIX_ERP, INFO_ZEN_TORMAT, LOGIN_PRINTER, VOIP) are never referenced.
! Presumably `match access-group name CITRIX_ERP` etc. was intended — confirm.
! Numbers 100 and 140 also collide with the VPN and CoPP ACLs earlier in this
! document, so pasting the examples together would misclassify traffic.
class-map match-any INFO_ZEN_TORMAT_110
description Traffic To INFO Cluster And TORMAT And ZEN
match access-group 110
class-map match-any LOGIN_PRINTER_120
description Traffic To LOGIN To Domain Controller And DNS And File System And Printer's
match access-group 120
class-map match-any CITRIX_ERP_100
description Traffic To CITRIX And ERP And Vantiv Application
match access-group 100
class-map match-any NICE_140
description Traffic To NICE System
match access-group 140
class-map match-any VOIP_130
description Traffic To VOIP TNN
match access-group 130
!
! Outbound queuing policy. VoIP gets a strict-priority (LLQ) queue capped at 6%;
! the other classes get guaranteed shares. NOTE(review): 6 + 35 + 35 + 15 = 91%,
! but Serial1/0/3:0 below sets max-reserved-bandwidth 90 — IOS normally refuses a
! service-policy whose reserved total exceeds that value, so expect to adjust one of
! them. NICE_140 is defined but not given a class here, so it gets class-default.
policy-map MAPA_OUT
class VOIP_130
priority percent 6
class CITRIX_ERP_100
bandwidth percent 35
class INFO_ZEN_TORMAT_110
bandwidth percent 35
! WRED on this class only: drops early under congestion instead of tail-dropping.
random-detect
class LOGIN_PRINTER_120
bandwidth percent 15
!
! Apply the policy outbound. max-reserved-bandwidth 90 caps the total of priority
! and bandwidth guarantees (see the percentage note on policy-map MAPA_OUT).
interface Serial1/0/3:0
max-reserved-bandwidth 90
service-policy output MAPA_OUT
!
! Citrix/ERP classification. NOTE(review): `permit icmp any any` puts *all* ICMP
! from any source into the 35%-guaranteed class, so an ICMP flood competes with
! Citrix traffic; consider restricting it to the monitoring hosts that need it.
ip access-list extended CITRIX_ERP
permit icmp any any
permit ip any 10.57.14.0 0.0.0.255
permit ip any host 10.57.65.150
remark 10.57.65.150 - App Maof (virt ip), 10.57.14.0 - Citrix Network
! Web traffic to the three application servers named in the remark.
ip access-list extended INFO_ZEN_TORMAT
permit tcp any host 10.57.65.100 eq www
permit tcp any host 10.57.66.100 eq www
permit tcp any host 10.4.10.100 eq www
remark 10.57.65.100 - info , 10.57.66.100 - zen , 10.4.10.100 - QFLOWSRV1
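! Logon/file/print traffic: any IP to the domain controllers, DNS and file servers,
! plus raw-print (9100) and LPD to the printers. Printers 10.57.10.62/.64 and
! 10.1.31.111 are matched but not described in the remarks.
ip access-list extended LOGIN_PRINTER
permit ip any host 10.57.5.200
permit ip any host 10.57.5.201
permit ip any host 10.57.9.150
permit ip any host 10.57.9.151
permit ip any host 10.57.9.52
permit ip any host 10.57.9.53
permit tcp any host 10.57.10.62 eq 9100
permit tcp any host 10.57.10.64 eq 9100
permit tcp any host 10.1.31.111 eq 9100
permit tcp any host 10.57.9.131 eq 9100
permit tcp any host 10.57.9.132 eq 9100
permit tcp any host 10.57.9.133 eq 9100
permit tcp any host 10.57.9.134 eq 9100
permit tcp any host 10.57.9.131 eq lpd
permit tcp any host 10.57.9.132 eq lpd
permit tcp any host 10.57.9.133 eq lpd
permit tcp any host 10.57.9.134 eq lpd
remark 10.57.9.150 - NEVU-Domain Controller , 10.57.9.151 - MORPH-DC
remark 10.57.9.52 - NEO-DC+DNS , 10.57.9.53 - TRINITY-DC+DNS - LDAP+RPC+DNS+NETBIOS-- PROTOCOL
remark 10.57.5.200-201 - MF1-MF2(Home Directory O,Q,M) , Printer - 10.57.9.131-134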
! VoIP classification: anything destined to the three call-control hosts.
! Matching on destination only means any source can land traffic in the
! priority queue; a port or DSCP match would make the class harder to abuse.
ip access-list extended VOIP
permit ip any host 10.61.1.50
permit ip any host 10.61.1.51
permit ip any host 10.61.1.52
!
!
################################################################
הגדרת Time Range
! Time range for use in ACL entries (`... time-range NIGHT`). NOTE(review): the
! name says NIGHT but the periods cover working hours (Fri 07:00-15:00, Sun-Thu
! 07:00-20:00); an ACL entry that uses it is active during the day. Nothing in
! this excerpt references the range yet.
time-range NIGHT
periodic Friday 7:00 to 15:00
periodic Monday Tuesday Wednesday Thursday Sunday 7:00 to 20:00
!
!
################################################################
הגדרת Route Map
! Policy-based routing: traffic matching ACL 151 (anything to 10.5.16.0/24)
! arriving on Serial0/0/0:0 is forwarded to 10.5.16.15 instead of the routing
! table's choice. No `verify-availability` here — see the RTR section for a
! tracked variant that falls back when the next hop is down. Packets not matching
! the route-map are routed normally.
route-map POC-EXP-Ashdod permit 10
match ip address 151
set ip next-hop 10.5.16.15
!
access-list 151 permit ip any 10.5.16.0 0.0.0.255
!
interface Serial0/0/0:0
ip policy route-map POC-EXP-Ashdod
!
!
################################################################
הגדרת Source Interface
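! Source interfaces for router-originated management traffic. NOTE(review): four
! different interfaces are used here (presumably collected from several routers).
! On one device pick a single loopback for all of them so server-side ACLs, the AAA
! client entries and NetFlow collectors key off one address that does not change
! when a physical link fails.
ip flow-export source FastEthernet0/0
ip tacacs source-interface FastEthernet0/0
ip telnet source-interface FastEthernet3/1/0
snmp-server trap-source Loopback1
ip tftp source-interface GigabitEthernet0/0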
!
################################################################
הגדרת שעון NTP
! Clock and NTP. NOTE(review): `ntp master 1` makes this router claim stratum 1,
! i.e. an authoritative clock, even when 10.0.0.11/.12 are unreachable; in a
! multi-router network that invites stale or conflicting time. Use a higher stratum
! (or drop `ntp master`) unless this router really is the site reference.
! There is no `ntp authenticate`/`ntp authentication-key`/`ntp trusted-key` and no
! `ntp access-group`, so time is accepted unauthenticated — log timestamps and
! certificate validity depend on it.
clock timezone ISRAEL 2
ntp server 10.0.0.11 prefer
ntp server 10.0.0.12
ntp master 1
ntp source GigabitEthernet0/0
!
################################################################
הגדרת TACACS
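! TACACS+ servers and AAA method lists.
tacacs-server host 10.57.4.61 single-connection
tacacs-server host 10.57.4.62 single-connection
tacacs-server attempts 1
! Shared secret in cleartext. A key printed in a shared document must be treated
! as disclosed and rotated; keep a placeholder here and enable
! `service password-encryption` on the device.
tacacs-server key ciscoVered
!
! NOTE(review): once `aaa new-model` is on, the vty lines authenticate with the
! "default" list below. Create a local admin user *before* this block and test from a
! second session so a TACACS+ outage (fallback `local`) cannot lock you out.
aaa new-model
aaa authentication login default tacacs+ local
aaa authorization exec default tacacs+ local
aaa authorization commands 15 default tacacs+ local
aaa accounting suppress null-username
! NOTE(review): the documented form is `... group tacacs+`; confirm that a bare
! `tacacs` method is accepted on the target IOS.
aaa accounting exec default start-stop tacacs
aaa accounting commands 15 default stop-only tacacs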
!
################################################################
הגדרת RADIUS
! RADIUS servers and method lists (legacy ports 1645/1646; the standard ones are
! 1812/1813 — match whatever the servers listen on).
radius-server host 10.57.4.151 auth-port 1645 acct-port 1646
radius-server host 10.57.4.152 auth-port 1645 acct-port 1646
radius-server retransmit 1
! Type 7 is reversible obfuscation, not encryption: treat this key as cleartext,
! rotate it if it has been published, and keep a placeholder in the template.
radius-server key 7 0822455D0A1637161F0709
!
! NOTE(review): the group is defined as ACE-SER-RAD but referenced below as
! ACS-SER-RAD — an undefined group makes those lists fall straight to `local`.
! 10.5.14.82 is listed in the group without a matching `radius-server host` entry.
aaa group server radius ACE-SER-RAD
server 10.57.4.151 auth-port 1645 acct-port 1646
server 10.57.4.152 auth-port 1645 acct-port 1646
server 10.5.14.82 auth-port 1645 acct-port 1646
!
aaa authentication login ACE group ACS-SER-RAD local
aaa authentication ppp DIAL-PPP group ACS-SER-RAD local
aaa authorization network DIAL-PPP group ACS-SER-RAD local
! NOTE(review): group ACS-Radius-Tifuli is not defined in this excerpt, and
! per-command accounting is a TACACS+ feature — verify this line is accepted.
aaa accounting commands 15 ADMIN start-stop group ACS-Radius-Tifuli
!
################################################################
הגדרת IP Local Pool
! Address pools handed to dial-in/PPP peers (not DHCP): 8 addresses for RAS and
! 10 for the Comverse link.
ip local pool RAS_Pool 10.203.200.65 10.203.200.72
ip local pool Pool_Comverse 10.203.200.245 10.203.200.254
################################################################
הגדרת DHCP
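! DHCP server for 10.5.14.0/24. The two exclusions leave only 10.5.14.116-.129
! (14 addresses) to lease — confirm that is enough for the site.
ip dhcp excluded-address 10.5.14.1 10.5.14.115
ip dhcp excluded-address 10.5.14.130 10.5.14.255
!
ip dhcp pool Main-Ramle
network 10.5.14.0 255.255.255.0
default-router 10.5.14.1
netbios-name-server 10.1.30.6 10.1.30.13
netbios-node-type h-node
dns-server 10.57.9.52 10.57.9.53
! Option 66 (TFTP server name) and the boot file drive PXE/WDS network boot.
! These are unauthenticated; anything that can answer DHCP on this segment can
! redirect clients to another boot server, so keep DHCP snooping on the switches.
option 66 ascii "winmapa65.pelephone.co.il"
bootfile boot/x86/wds/nbp.com
! Lease time in days.
lease 3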
!
################################################################
הגדרת ISDN
##### Configure isdn on vered-sec ##########
!
! CHAP peer account for the remote ISDN router. CHAP needs a reversible password
! on both ends, so `username ... secret` cannot be used here; at minimum enable
! `service password-encryption`, and keep the real password out of shared documents.
username isdn_test password sheni
!
isdn switch-type primary-net5
!
! E1 used as an ISDN PRI (pri-group rather than channel-group); presumably creates
! the D-channel interface Serial12/1/3:15 configured below.
controller E1 12/1/3
pri-group timeslots 1-31
description E1 for ISDN (ALL MAPA SITE) 03-5725993 2M
!
! PRI D-channel interface: no IP of its own, B-channels are handed to dialer
! pools 1 and 2 and configured on the Dialer interfaces.
interface Serial12/1/3:15
description E1 for ISDN (ALL MAPA SITE) 2M
bandwidth 2000
no ip address
encapsulation ppp
isdn switch-type primary-net5
! Incoming voice-bearer calls are sent to the modem bank (analogue dial-in).
isdn incoming-voice modem
no ip route-cache
no ip mroute-cache
no keepalive
no peer default ip address
dialer pool-member 1
dialer pool-member 2
no fair-queue
! CHAP on every call; PAP is not allowed.
ppp authentication chap
ppp multilink
!
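! Dial-on-demand interface to the remote BRI router (10.8.15.2).
interface Dialer0
description ISDN TO ISDN_TEST 7329121 128K
ip address 10.8.15.1 255.255.255.0
encapsulation ppp
no ip route-cache
no ip mroute-cache
bandwidth 128
delay 40000
no keepalive
! Remote must authenticate as "isdn_test" (CHAP) ...
dialer remote-name isdn_test
dialer idle-timeout 360
dialer string 037329109
! ... and, for incoming calls, present this caller-ID. Caller-ID is a weak
! screening control on its own; CHAP below is the real authentication.
dialer caller 037329121
dialer pool 2
! Interesting traffic is defined by dialer-list 1 (below).
dialer-group 1
no fair-queue
ppp authentication chap
ppp multilink
pulse-time 0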
!
! Any IP packet brings the line up (no ACL filter on this end; the BRI side below
! uses ACL 100 to avoid dialing on broadcasts/EIGRP).
dialer-list 1 protocol ip permit
!
! Static route to the remote LAN, left commented out (`!!!` prefix) in the source.
!!! ip route 10.215.200.0 255.255.255.0 10.8.15.2
!
################## ISDN CONFIGURE ##############
!
! Remote (BRI) end of the same ISDN link — a different device from the PRI side.
! "xxx" is a placeholder; the CHAP password is reversible on the router, so enable
! `service password-encryption` and do not publish the real value.
username www Password xxx
!
interface BRI0
description ISDN TO xxx No.03-7329109 128K
ip address 10.8.15.2 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
encapsulation ppp
no ip route-cache
bandwidth 128
delay 5000
no keepalive
dialer idle-timeout 360
! Maps the PRI side's address to the number to dial and the CHAP name to expect.
dialer map ip 10.8.15.1 name www 5725993
! Bring up the second B-channel as soon as the first carries any load.
dialer load-threshold 1 either
dialer-group 1
no fair-queue
ppp multilink
ppp authentication chap
!
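! Floating static (AD 250): 10/8 via the ISDN peer only when nothing better exists.
ip route 10.0.0.0 255.0.0.0 10.8.15.1 250
!
! On this device interesting traffic is filtered by ACL 100 (this redefines
! dialer-list 1 relative to the PRI side — the two belong to different routers).
dialer-list 1 protocol ip list 100
!
! Do not dial for limited or directed broadcasts (x.255.255.255, x.x.255.255,
! x.x.x.255) or for EIGRP hellos; only 10.215.200.0/24-sourced traffic dials.
! NOTE(review): ACL 100 is also used by the VPN, QoS and WCCP examples in this
! document; on one device each needs its own number.
access-list 100 deny ip any host 255.255.255.255
access-list 100 deny ip any 0.255.255.255 255.0.0.0
access-list 100 deny ip any 0.0.255.255 255.255.0.0
access-list 100 deny ip any 0.0.0.255 255.255.255.0
access-list 100 deny eigrp any any
access-list 100 permit ip 10.215.200.0 0.0.0.255 any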
!
! Modem dial-in lines 33-62, grouped as rotary 1 and started straight into PPP.
! NOTE(review): `transport input all` accepts every protocol on these lines; if
! they only ever carry PPP, restrict it (and keep an `access-class`) so the
! async lines are not an alternative cleartext path into the router.
line 33 62
session-timeout 15
modem Dialin
modem autoconfigure discovery
rotary 1
autocommand ppp
transport input all
autoselect during-login
autoselect ppp
!
autohangup
!
################################################################
הגדרת Frame Relay
! Frame Relay physical interface: no IP here, addressing is on the point-to-point
! subinterface below. LMI type must match the provider (ansi).
interface Serial0
description F.R To Vendors-Pri 128K
no ip address
no ip directed-broadcast
encapsulation frame-relay
bandwidth 128
keepalive 11
no fair-queue
frame-relay lmi-type ansi
no sh
!
! One PVC (DLCI 16) as a point-to-point subinterface with its own /24.
interface Serial0.16 point-to-point
description F.R To xxx 128K
ip address 10.176.23.2 255.255.255.0
no ip directed-broadcast
bandwidth 128
frame-relay interface-dlci 16
no sh
!
################################################################
הגדרת LockAndKey
! Cellular-site link with an inbound filter (ACL LockAndKey, below) and CDP off so
! the router does not advertise itself to the remote side.
interface Serial2/1:30
description ellular site #459
ip address 10.208.1.106 255.255.255.252
ip access-group LockAndKey in
encapsulation ppp
no cdp enable
!
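! Inbound filter from the cellular site. NOTE(review): despite the name this is a
! static ACL, not Cisco Lock-and-Key (which needs a `dynamic ... timeout` entry
! and `autocommand access-enable`). `established` only checks TCP flags, so it is
! not stateful; ICMP is allowed unrestricted. FTP (ports 20/21) is TCP, so the
! `udp ... eq 21/20` entries presumably never match — confirm what they were meant
! to allow. Source-port matches (`eq snmp`, `eq tftp`) trust the remote side's
! port choice.
ip access-list extended LockAndKey
permit tcp any any established
permit icmp any any
permit udp any any eq snmptrap
permit udp any eq snmp any
permit udp any eq 21 any
permit udp any eq 20 any
permit udp any eq tftp any
permit udp any any eq ntp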
!
################################################################
הגדרת IP PIM
---------------------- router- primary------------------------
! PIM sparse mode with Auto-RP: this router announces itself as RP for the groups
! in ACL 8 (scope 16 hops) and acts as the mapping agent. `accept-rp` limits which
! RP/group pairs are honoured, which keeps a rogue RP announcement from being used.
ip multicast-routing
ip pim autorp listener
interface FastEthernet5/0/1
ip pim sparse-mode
!
!
interface FastEthernet2/1/0
ip pim sparse-mode
!
ip pim accept-rp 10.4.10.253 8
ip pim send-rp-announce FastEthernet5/0/1 scope 16 group-list 8
ip pim send-rp-discovery scope 16
!
! Only 225.10.10.10 is served by this RP.
access-list 8 permit 225.10.10.10 0.0.0.0
!
################################################################
הגדרת IMA – כרטיס שמבצע AGGREGATION ברמה פיזית בכרטיס
!
! IMA group 2 logical interface: the point-to-point /30 and PVC 2/2 live here.
! "xx" octets are placeholders from the source document.
interface ATM1/IMA2
description ATM/IMA Router Pri P.T.P 11 2M
ip address 10.xx.xx.65 255.255.255.252
no ip directed-broadcast
no atm ilmi-keepalive
pvc 2/2
protocol ip 10.xx.xx.66 broadcast
encapsulation aal5snap
no shut
!
! Physical E1/ATM port that is a member of IMA group 2.
interface ATM1/3
description E1 to Router Primary P.T.P 11 2M
no ip address
no atm ilmi-keepalive
ima-group 2
scrambling-payload
impedance 120-ohm
no shut
!
################################################################
הגדרת HSRP
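! Two HSRP groups on one interface. NOTE(review): neither group has
! `standby <n> authentication`, so any host on the segment can inject HSRP hellos
! and take over the virtual address; add MD5 authentication via a key-chain.
! "xx" octets are placeholders from the source document.
interface GigabitEthernet0/0
standby 1 ip 212.xx.xx.137
standby 1 priority 170
standby 1 preempt
standby 1 name SURFER
! If GigabitEthernet0/1 goes down, priority drops by 80 (170 -> 90), which lets a
! peer with priority > 90 and preempt take over group 1.
standby 1 track GigabitEthernet0/1 80
standby 2 ip 212.25.81.67
standby 2 priority 105
standby 2 preempt
standby 2 name BACK_BONE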
!
################################################################
הגדרת RTR
! IP SLA (legacy `rtr` syntax) ICMP echo probes to the two next hops, with track
! objects that follow their reachability. A next hop that silently drops ICMP is
! treated as down. "xx" octets are placeholders from the source document.
rtr 10
type echo protocol ipIcmpEcho 199.xx.xx.41
rtr schedule 10 life forever start-time now
rtr 20
type echo protocol ipIcmpEcho 212.xx.xx.129
rtr schedule 20 life forever start-time now
!
track 10 rtr 10 reachability
!
track 20 rtr 20 reachability
!
!
! Tracked PBR: traffic sourced from 194.xx.195.0/24 goes to the first next hop whose
! track object is up (sequence 10 before 20); if both are down it is routed normally.
access-list 150 permit ip 194.xx.195.0 0.0.0.255 any
route-map www permit 10
match ip address 150
set ip next-hop verify-availability 199.xx.xx.41 10 track 10
set ip next-hop verify-availability 212.xx.xx.129 20 track 20
!
interface GigabitEthernet0/0
ip policy route-map www
!
################################################################
הגדרת WCCP
! WCCP services 1 and 2: traffic matching ACL 100 is redirected to the cache engine
! allowed by ACL 20 (10.10.10.20). The `password 7` values are reversibly obfuscated,
! not encrypted — treat them as cleartext and rotate them if this document is shared.
! group-list 20 is what stops an arbitrary host from registering as a cache and
! receiving redirected traffic, so keep it tight.
ip wccp 1 redirect-list 100 group-list 20 password 7 044B0E0A0A
ip wccp 2 redirect-list 100 group-list 20 password 7 105E0C1500
!
access-list 20 permit 10.10.10.20
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
יכולים להגדיר ACL לפי איזה פרוטוקול שאנחנו רוצים. בדוגמה למעלה מעבירים את כל התעבורה, אבל ללא ספק אפשר להעביר רק את הפרוטוקולים שאנחנו רוצים.
################################################################