MPLS in the SDN era: hooking up vMX (16.1r3.10) and Cisco XRv (5.3.0) to Opendaylight (0.5.2-Boron-SR2), part 1: Netconf

Part 1: Netconf




I had to install odl-netconf-topology (this module is probably not installed by default; in the karaf shell: feature:install odl-netconf-topology), and after restarting ODL I can see the PE-2 and xrv-P1 nodes in the operational datastore too. Also, I am able to get config portions of these nodes over REST (Postman). I will try again later with the latest version of the Junos yang from github (for the 16.1 junos release).

opendaylight-user@root>feature:list | grep odl-netconf
odl-netconf-all                    | 1.1.2-Boron-SR2  |
odl-netconf-api                    | 1.1.2-Boron-SR2  | x
odl-netconf-mapping-api            | 1.1.2-Boron-SR2  | x
odl-netconf-util                   | 1.1.2-Boron-SR2  | x
odl-netconf-impl                   | 1.1.2-Boron-SR2  | x
odl-config-netconf-connector       | 1.1.2-Boron-SR2  | x
odl-netconf-netty-util             | 1.1.2-Boron-SR2  | x
odl-netconf-client                 | 1.1.2-Boron-SR2  | x
odl-netconf-monitoring             | 1.1.2-Boron-SR2  | x
odl-netconf-notifications-api      | 1.1.2-Boron-SR2  | x
odl-netconf-notifications-impl     | 1.1.2-Boron-SR2  | x
odl-netconf-ssh                    | 1.1.2-Boron-SR2  | x
odl-netconf-tcp                    | 1.1.2-Boron-SR2  | x
odl-netconf-mdsal                  | 1.4.2-Boron-SR2  |
odl-aaa-netconf-plugin             | 1.1.2-Boron-SR2  | x
odl-aaa-netconf-plugin-no-cluster  | 1.1.2-Boron-SR2  |
odl-netconf-connector-all          | 1.1.2-Boron-SR2  | x
odl-netconf-connector              | 1.1.2-Boron-SR2  | x
odl-netconf-connector-ssh          | 1.1.2-Boron-SR2  | x
odl-netconf-topology               | 1.1.2-Boron-SR2  | x
odl-netconf-clustered-topology     | 1.1.2-Boron-SR2  |
odl-netconf-console                | 1.1.2-Boron-SR2  |
opendaylight-user@root>


2. Put it into cache/schema as configuration@2014-11-13.yang

3. Restart ODL

4. Use POSTMAN to add the NetconfDevice via REST:

Junos does not list its capabilities in the hello message, so add it manually:
Put the node into the config datastore:

<node xmlns="urn:TBD:params:xml:ns:yang:network-topology">
   <node-id>PE-2</node-id>
   <host xmlns="urn:opendaylight:netconf-node-topology">172.16.16.2</host>
   <port xmlns="urn:opendaylight:netconf-node-topology">830</port>
   <username xmlns="urn:opendaylight:netconf-node-topology">root</username>
   <password xmlns="urn:opendaylight:netconf-node-topology">passw0rd</password>
   <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
   <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">0</keepalive-delay>
   <yang-module-capabilities xmlns="urn:opendaylight:netconf-node-topology">
    <capability>http://xml.juniper.net/xnm/1.1/xnm?module=configuration&amp;revision=2014-11-13</capability>
   </yang-module-capabilities>
</node>

XRv lists its capabilities in the hello, so nothing else is needed:
PUT http://192.168.5.199:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/xrv-P1

<node xmlns="urn:TBD:params:xml:ns:yang:network-topology">
   <node-id>xrv-P4</node-id>
   <host xmlns="urn:opendaylight:netconf-node-topology">172.16.17.4</host>
   <port xmlns="urn:opendaylight:netconf-node-topology">830</port>
   <username xmlns="urn:opendaylight:netconf-node-topology">rmavrichev</username>
   <password xmlns="urn:opendaylight:netconf-node-topology">passw0rd</password>
   <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
   <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">0</keepalive-delay>
</node>
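An added example in Python (mine, not the post's or ODL's code) for step 4 above: it builds the node payload the post PUTs through Postman, sends it to the post's controller with ODL's default admin/admin credentials (an assumption), and checks the operational reply for connection-status and whether the Junos configuration module named in the capability line actually appears in available-capabilities (in the PE-2 reply shown further down it does not). Function names are mine.

```python
import base64
import json
import urllib.request
from xml.sax.saxutils import escape

NT_NS = "urn:TBD:params:xml:ns:yang:network-topology"
NC_NS = "urn:opendaylight:netconf-node-topology"
ODL_BASE = "http://192.168.5.199:8181"  # the post's controller
TOPO_PATH = ("/restconf/{store}/network-topology:network-topology"
             "/topology/topology-netconf/node/{node}")


def build_node_xml(node_id, host, username, password, port=830, capabilities=()):
    """Body for PUT .../restconf/config/.../node/<node_id>, laid out as in the post.
    `capabilities` is only needed for boxes that do not advertise their YANG
    modules in <hello> (Junos here); the '&' in them is escaped to &amp;."""
    fields = (("host", host), ("port", str(port)), ("username", username),
              ("password", password), ("tcp-only", "false"), ("keepalive-delay", "0"))
    lines = [f'<node xmlns="{NT_NS}">', f'   <node-id>{escape(node_id)}</node-id>']
    lines += [f'   <{tag} xmlns="{NC_NS}">{escape(value)}</{tag}>' for tag, value in fields]
    if capabilities:
        lines.append(f'   <yang-module-capabilities xmlns="{NC_NS}">')
        lines += [f'    <capability>{escape(cap)}</capability>' for cap in capabilities]
        lines.append('   </yang-module-capabilities>')
    lines.append('</node>')
    return "\n".join(lines)


def put_node(node_id, body, base=ODL_BASE, auth=("admin", "admin")):
    """Send the PUT (what Postman does in the post); default ODL credentials assumed.
    Needs a reachable controller, so it is not exercised offline."""
    url = base + TOPO_PATH.format(store="config", node=node_id)
    req = urllib.request.Request(url, data=body.encode(), method="PUT")
    req.add_header("Content-Type", "application/xml")
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def check_node(operational_json, required_modules=()):
    """Read the GET .../restconf/operational/.../node/<id> reply and return
    (connected, missing, unavailable): whether the session is up, which of the
    required modules are absent from available-capabilities, and what ODL
    reported under unavailable-capabilities (schema it could not load)."""
    node = json.loads(operational_json)["node"][0]
    caps = node.get("netconf-node-topology:available-capabilities", {})
    available = caps.get("available-capability", [])
    unavailable = node.get("netconf-node-topology:unavailable-capabilities", {})
    missing = [m for m in required_modules if not any(m in c for c in available)]
    connected = node.get("netconf-node-topology:connection-status") == "connected"
    return connected, missing, unavailable


# The PE-2 operational reply from the post, trimmed to the fields checked above.
PE2_OPERATIONAL = json.dumps({"node": [{
    "node-id": "PE-2",
    "netconf-node-topology:available-capabilities": {"available-capability": [
        "urn:ietf:params:netconf:capability:candidate:1.0",
        "urn:ietf:params:xml:ns:netconf:base:1.0",
        "urn:ietf:params:netconf:base:1.0"]},
    "netconf-node-topology:host": "172.16.16.2",
    "netconf-node-topology:unavailable-capabilities": {},
    "netconf-node-topology:connection-status": "connected",
    "netconf-node-topology:port": 830}]})

JUNOS_CFG_MODULE = "http://xml.juniper.net/xnm/1.1/xnm?module=configuration"


def demo():
    """Build the PE-2 payload and evaluate the PE-2 reply; returns the results."""
    body = build_node_xml("PE-2", "172.16.16.2", "root", "passw0rd",
                          capabilities=[JUNOS_CFG_MODULE + "&revision=2014-11-13"])
    connected, missing, unavailable = check_node(PE2_OPERATIONAL, [JUNOS_CFG_MODULE])
    return body, connected, missing, unavailable


if __name__ == "__main__":
    body, connected, missing, unavailable = demo()
    print(body)
    print("connected:", connected, "missing:", missing, "unavailable:", unavailable)
```

A non-empty `missing` list with `connected` True is exactly the situation worth catching: the session is up, but the mount point will not expose the device's configuration schema.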



Show config datastore: 

{
  "topology": [
    {
      "topology-id": "topology-netconf",
      "node": [
        {
          "node-id": "xrv-P1",
          "netconf-node-topology:host": "172.16.17.1",
          "netconf-node-topology:password": "passw0rd",
          "netconf-node-topology:username": "rmavrichev",
          "netconf-node-topology:port": 830,
          "netconf-node-topology:tcp-only": false,
          "netconf-node-topology:keepalive-delay": 0
        },
        {
          "node-id": "PE-2",
          "netconf-node-topology:pass-through": {},
          "netconf-node-topology:keepalive-delay": 0,
          "netconf-node-topology:host": "172.16.16.2",
          "netconf-node-topology:password": "passw0rd",
          "netconf-node-topology:username": "root",
          "netconf-node-topology:yang-module-capabilities": {
            "override": false,
            "capability": [
            ]
          },
          "netconf-node-topology:port": 830,
          "netconf-node-topology:tcp-only": false
        }
      ],
      "topology-types": {
        "l3-unicast-igp-topology:l3-unicast-igp-topology": {
          "ospf-topology:ospf": {},
          "isis-topology:isis": {}
        },
        "odl-bgp-topology-types:bgp-linkstate-topology": {},
        "odl-bgp-topology-types:bgp-ipv6-reachability-topology": {},
        "odl-bgp-topology-types:bgp-ipv4-reachability-topology": {},
        "network-topology-pcep:topology-pcep": {},
        "netconf-node-topology:topology-netconf": {},
        "topology-tunnel-pcep:topology-tunnel-pcep": {},
        "topology-tunnel:topology-tunnel": {}
      }
    }
  ]
}

Operational datastore, node PE-2: 

{
  "node": [
    {
      "node-id": "PE-2",
      "netconf-node-topology:available-capabilities": {
        "available-capability": [
          "urn:ietf:params:netconf:capability:confirmed-commit:1.0",
          "urn:ietf:params:netconf:capability:candidate:1.0",
          "urn:ietf:params:xml:ns:netconf:capability:confirmed-commit:1.0",
          "urn:ietf:params:netconf:capability:validate:1.0",
          "urn:ietf:params:xml:ns:netconf:base:1.0",
          "urn:ietf:params:xml:ns:netconf:capability:url:1.0?protocol=http,ftp,file",
          "urn:ietf:params:netconf:base:1.0",
          "urn:ietf:params:xml:ns:netconf:capability:validate:1.0",
          "urn:ietf:params:xml:ns:netconf:capability:candidate:1.0",
          "urn:ietf:params:netconf:capability:url:1.0?scheme=http,ftp,file"
        ]
      },
      "netconf-node-topology:host": "172.16.16.2",
      "netconf-node-topology:unavailable-capabilities": {},
      "netconf-node-topology:connection-status": "connected",
      "netconf-node-topology:port": 830
    }
  ]
}

Operational datastore, node xrv-P1: 
GET http://192.168.5.199:8181/restconf/operational/network-topology:network-topology/topology/topology-netconf/node/xrv-P1

{
  "node": [
    {
      "node-id": "xrv-P1",
      "netconf-node-topology:available-capabilities": {
        "available-capability": [
          "urn:ietf:params:netconf:capability:candidate:1.0",
          "(http://cisco.com/ns/yang/Cisco-IOS-XR-lib-keychain-cfg?revision=2013-07-22)Cisco-IOS-XR-lib-keychain-cfg",
          "(http://cisco.com/ns/yang/Cisco-IOS-XR-rgmgr-oper?revision=2013-07-22)Cisco-IOS-XR-rgmgr-oper-sub1",
-------- cut -------
          "(http://cisco.com/ns/yang/Cisco-IOS-XR-tty-server-oper?revision=2013-07-22)Cisco-IOS-XR-tty-server-oper-sub5"
        ]
      },
      "netconf-node-topology:host": "172.16.17.1",
      "netconf-node-topology:unavailable-capabilities": {},
      "netconf-node-topology:connection-status": "connected",
      "netconf-node-topology:port": 830
    }
  ]
}

Get config portion of PE-2: 


{
  "services": {
    "ssh": {
      "protocol-version": [
        "v2"
      ]
    },
    "netconf": {
      "ssh": {
        "port": 830
      }
    }
  }
}

Get config portion of xrv-P1:
GET http://192.168.5.199:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/xrv-P1/yang-ext:mount/Cisco-IOS-XR-ifmgr-cfg:interface-configurations/interface-configuration/act/Loopback0/ 

{
  "interface-configuration": [
    {
      "interface-name": "Loopback0",
      "active": "act",
      "interface-virtual": [
        null
      ],
      "Cisco-IOS-XR-ipv4-io-cfg:ipv4-network": {
        "addresses": {
          "primary": {
            "address": "172.16.17.1",
            "netmask": "255.255.255.255"
          }
        }
      },
      "description": "GRT-loopback"
    }
  ]
}

Removing the log flood from Nfsen


There is a wonderful utility, NFSEN (draws pretty graphs from netflow), but it floods the logs heavily with debug output that cannot be switched off. The excess messages can be filtered out at the rsyslog level.

VPLS to L3VPN on Huawei NE40E

VPLS to L3VPN on Huawei NE40E:
We put a PW, a physical interface and an IP interface together in one bridge. Needed for closing L2 access rings over mpls.

Using NVI to set up NAT between VRFs on Cisco IOS (ISR G2)


A need came up to set up NAT between vrfs.
It all turned out to be simple, though in places not obvious.

CME and DVTI ipsec on an MPLS PE in a vrf

At the new job I had to recall long-forgotten things: IP telephony (CME), QoS on WAN links, ipsec DVTI. And, in the best traditions, I stretched all of it over mpls between two boxes (for now). It turned out interesting; maybe it will be useful to someone. All services are vrf-aware; in the GRT there is only IGP + mpls ldp + mpBGP.

Using Seamless MPLS / Unified MPLS on a carrier network


In the mpls network of a large ISP, as it grows, the problem of scaling by the number of igp and vpnv4 routes inevitably arises. However, our highly respected vendors (Cisco, Huawei... etc.) take care of us :)

In particular, at ciscoexpo'12 there was a decent session on Unified MPLS. Huawei has similar solutions; the differences are in minor details, for example Cisco uses level 1 / level 2 is-is, while Huawei uses separate igp processes with redistribution. For us the second option is more convenient, since the existing network is organised as a single is-is level 2 only domain.


Actually, I wanted to try this hands-on in dynamips. Between CE1 and CE2 an L2vpn + L3vpn is set up; on CR1 and CR2 the routes of vrf TEST are aggregated into /24 networks, and between CR1 and CR2 all vpnv4 routes longer than /24 are filtered.


Dynamips (GNS3) and router configs under the cut.


l2vpn (pw) + l3vpn over an inter-AS mpls network with aggregation of ipv4 vrf routes on the ASBRs

Maybe it will be useful to someone.

Applicability: interconnecting the transport of different ISPs during a merger/acquisition, or segmenting a single ISP's network for scaling.

I built a topology with three ASes in dynamips and tried to bring up L2 and L3 vpn on it.
For L2 - option C, for L3 - option B; on the ASBRs vrf routes are summarised and the non-aggregated ones filtered.
Dynamips configs and the routers' own configs under the cut.

LTE from Yota for the dacha. A 20 km link.

This story began like this...

At my home company a pile of obsolete WiMAX hardware from the test lab was being written off. Rummaging through the box of "high-tech junk", I found a wonder device, the Yota Street (aka "the Tile" :)), the guts of a Gemtek router with an early-revision LTE module, and also a wonderful aluminium case that those guts fitted into perfectly.

And I got the itch to set myself up with LTE at the dacha :) The "Tile" was gutted for its 18 dBi panel antenna, and the WiMAX part went back into the trash.

And with the help of a hammer, a drill, a soldering iron and some choice language, all this stuff was successfully assembled together. I had to re-solder the RF pigtails on the antenna:

Cram the board into the case and give it PoE over the spare pairs:

And in the end, after a strenuous work process accompanied by the devouring of cookies:

The result was this contraption:

It passed bench tests on the desk successfully: RSSI relative to the dipole antenna rose from -86 to -65 when pointed at a base station in line of sight. Field trials lay ahead :)

Initially, the plan was to latch onto a base station about 10 km away. This one:

However, harsh reality made its adjustments... After a fair bit of struggling with mounting the antenna on the mast, coarse aiming by the required azimuth and fine aiming by maximum RSSI:

A completely different base station was found! SUDDENLY, it turned out to be about 20 km away!

However, brazenly abusing my position at work, I asked colleagues to make a small change to the radio planning of this sector, in the CellRadius parameter... And the result was not long in coming:

But I was even more stunned when I ran speedtest...

Proof pic:

Now at the dacha one can stuff oneself with shashlik while enjoying online video :)
M82A1 .50 Cal - an awesome piece of kit :)

bgp bestpath as-path multipath-relax

It turns out IOS has a hidden command that lets you load-balance over several routes with different AS-Paths. A good use case is balancing over two default routes (0.0.0.0) from different providers.

bgp bestpath as-path multipath-relax

Thanks to colleagues for the enlightenment :)

Script for pulling configs from Huawei over ftp

Huawei is our everything... It turned out these wonderful boxes cannot send a config over tftp if the destination is in a vrf. So I had to bring up an ftp server on every node and have a script go to it to pull the configs onto the NMS.


#!/bin/sh

# Start the script without error output:
# sh script.sh 2>/dev/null

# CFG_FILE format (remove the leading '#' on lines that are in use):

##Comment line
##Hostname Host_Address Login Password SRC_file
# host1-ex-net 10.1.1.1 login1 passwd1 vrpcfg.zip
# host1-ex-net 10.2.2.2 login2 passwd2 vrpcfg.cfg


# Define variables
#WORK_DIR='/home/rmavrichev/Desktop/TEST-FTP'
WORK_DIR=`pwd`            # kept out of HOME so the shell's HOME is not clobbered
DATE=`date +%Y-%m-%d`
TIME=`date +%H-%M-%S`
CFG_FILE="$WORK_DIR/host_list.txt"
LOG_FILE="$WORK_DIR/script_log.log"

# Make a directory for the current date and work inside it
mkdir -p "$WORK_DIR/$DATE"
cd "$WORK_DIR/$DATE" || exit 1

# Loop over the host addresses (column 2), skipping comment lines
for HOST in `grep -v '^#' "$CFG_FILE" | awk '{print $2}'`
do

# Get this host's line: Hostname/login/passw/src_file
# (-F -w: match the address literally and as a whole word, so 10.1.1.1 does not also match 10.1.1.10)
LINE=`grep -v '^#' "$CFG_FILE" | grep -F -w "$HOST" | head -n 1`
HOSTNAME=`echo "$LINE" | awk '{print $1}'`
USER=`echo "$LINE" | awk '{print $3}'`
PASSWD=`echo "$LINE" | awk '{print $4}'`
SRC_FILE=`echo "$LINE" | awk '{print $5}'`
DST_FILE="$SRC_FILE"

#TEST variables
#echo "$LINE $HOSTNAME $HOST $USER $PASSWD $SRC_FILE"

# Connect to the FTP host and fetch the file: the here-document feeds the ftp
# commands, output is appended to the log (the original had lost the <<END_SCRIPT)
/usr/bin/ftp -ivn "$HOST" <<END_SCRIPT >>"$LOG_FILE" 2>&1
quote USER $USER
quote PASS $PASSWD
bin
get $SRC_FILE $TIME-$HOSTNAME-$DST_FILE
quit
END_SCRIPT

done
exit 0


Having fun with inter-AS MPLS VPN...

A need came up to make two network segments with different IGPs talk to each other over mpls, and the ASes in the segments are different as well.
After carefully studying
http://www.cisco.com/en/US/docs/ios/12_1t/12_1t5/feature/guide/InterAS.html#wp1083643
and
http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a0080094472.shtml
the following scheme was born:



Everything turned out to be quite trivial...
The main thing is no bgp default route-target filter
Configs below.

autostart = False
[localhost:7200]
workingdir = /tmp
udp = 10000
[[7200]]
image = /home/rmavrichev/.c7200-advipservicesk9-mz.122-33.SRE2/C7200-AD.BIN
idlepc = 0x627700bc
ghostios = True
[[ROUTER isp1pe1]]
console = 2007
idlepc = 0x62771c64
f0/0 = isp1pe2 f0/0
x = -140.0
y = 114.0
[[ROUTER isp2pe1]]
console = 2011
f0/0 = isp2pe2 f0/1
x = 284.0
y = 116.0
[localhost:7201]
workingdir = /tmp
udp = 10100
[[7200]]
image = /home/rmavrichev/.c7200-advipservicesk9-mz.122-33.SRE2/C7200-AD.BIN
idlepc = 0x62771c8c
ghostios = True
[[ROUTER isp2pe2]]
console = 2009
idlepc = 0x62771000
f0/0 = isp1pe2 f0/1
f0/1 = isp2pe1 f0/0
x = 195.0
y = -30.0
[[ROUTER isp1pe2]]
console = 2008
f0/0 = isp1pe1 f0/0
f0/1 = isp2pe2 f0/0
x = -44.0
y = -29.0
[GNS3-DATA]
m11 = 1.0
m22 = 1.0
[[NOTE 1]]
text = mpBGP
x = 95.0
y = -48.5
rotate = 0
color = "#323232"
[[NOTE 2]]
text = as65535
x = 194.0
y = 84.5
rotate = 0
color = "#323232"
[[NOTE 3]]
text = as65050
x = -41.0
y = 86.5
rotate = 0
color = "#323232"
[[NOTE 4]]
text = igp1
x = -115.0
y = 10.5
rotate = 0
color = "#323232"
[[NOTE 5]]
text = igp2
x = 292.0
y = 10.5
rotate = 0
color = "#323232"
[[SHAPE 1]]
type = ellipse
x = 177.0
y = -28.0
width = 200.0
height = 200.0
rotate = 0
border_style = 2
[[SHAPE 2]]
type = ellipse
x = -161.0
y = -27.0
width = 200.0
height = 200.0
rotate = 0
border_style = 2

!
! Last configuration change at 17:33:35 UTC Tue Feb 8 2011
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname isp1pe1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip source-route
ip vrf MNGM
rd 200:700
route-target export 200:700
route-target import 200:700
route-target import 200:300
route-target import 200:301
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
mpls label protocol ldp
clns routing
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.98.33.1 255.255.255.255
!
interface Loopback30
description MNGM-loopback
ip vrf forwarding MNGM
ip address 172.16.16.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.2.128.1 255.255.255.252
ip router isis 1
speed auto
duplex auto
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
interface FastEthernet0/1
no ip address
speed auto
duplex auto
!
router isis 1
net 49.0010.0100.9812.8001.00
is-type level-2-only
ispf level-2
metric-style wide level-2
passive-interface Loopback0
!
router bgp 65050
template peer-policy iBGP
next-hop-self
send-community both
exit-peer-policy
!
template peer-session iBGP_new
remote-as 65050
update-source Loopback0
exit-peer-session
!
bgp router-id 10.98.33.1
no bgp default ipv4-unicast
bgp log-neighbor-changes
bgp deterministic-med
bgp update-delay 1
bgp graceful-restart restart-time 120
bgp graceful-restart stalepath-time 360
bgp graceful-restart
timers bgp 1 20
neighbor 10.98.33.2 remote-as 65050
neighbor 10.98.33.2 inherit peer-session iBGP_new
!
address-family ipv4
no synchronization
redistribute connected
no auto-summary
exit-address-family
!
address-family vpnv4
neighbor 10.98.33.2 activate
neighbor 10.98.33.2 send-community extended
neighbor 10.98.33.2 inherit peer-policy iBGP
exit-address-family
!
address-family ipv4 vrf MNGM
no synchronization
redistribute connected
exit-address-family
!
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
end

!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname isp1pe2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip source-route
ip vrf MNGM
rd 200:700
route-target export 200:700
route-target import 200:700
route-target import 200:300
route-target import 200:301
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
mpls label protocol ldp
clns routing
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.98.33.2 255.255.255.255
!
interface Loopback30
description MNGM-loopback
ip vrf forwarding MNGM
ip address 172.16.16.2 255.255.255.255
!
interface FastEthernet0/0
ip address 10.2.128.2 255.255.255.252
ip router isis 1
speed auto
duplex auto
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
interface FastEthernet0/1
descr To-ISP2-PE2
ip address 192.168.0.1 255.255.255.252
speed auto
duplex auto
!
router isis 1
net 49.0010.0100.9812.8002.00
is-type level-2-only
ispf level-2
metric-style wide level-2
passive-interface Loopback0
!
router bgp 65050
template peer-policy iBGP
next-hop-self
send-community both
exit-peer-policy
!
template peer-session iBGP_new
remote-as 65050
update-source Loopback0
exit-peer-session
!
bgp router-id 10.98.33.2
no bgp default ipv4-unicast
no bgp default route-target filter
bgp log-neighbor-changes
bgp deterministic-med
bgp update-delay 1
bgp graceful-restart restart-time 120
bgp graceful-restart stalepath-time 360
bgp graceful-restart
timers bgp 1 20
neighbor 10.98.33.1 remote-as 65050
neighbor 10.98.33.1 inherit peer-session iBGP_new
neighbor 192.168.0.2 remote-as 65535
!
address-family ipv4
no synchronization
redistribute connected
no auto-summary
exit-address-family
!
address-family vpnv4
neighbor 10.98.33.1 activate
neighbor 10.98.33.1 send-community extended
neighbor 10.98.33.1 inherit peer-policy iBGP
neighbor 192.168.0.2 activate
neighbor 192.168.0.2 send-community extended
exit-address-family
!
address-family ipv4 vrf MNGM
no synchronization
redistribute connected
exit-address-family
!
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end

!
! Last configuration change at 17:50:48 UTC Tue Feb 8 2011
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname isp2pe1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip source-route
ip vrf MNGM
rd 200:700
route-target export 200:700
route-target import 200:700
route-target import 200:300
route-target import 200:301
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
mpls label protocol ldp
clns routing
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.97.33.1 255.255.255.255
!
interface Loopback30
description MNGM-loopback
ip vrf forwarding MNGM
ip address 172.17.17.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.2.128.1 255.255.255.252
ip router isis 1
speed auto
duplex auto
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
interface FastEthernet0/1
no ip address
speed auto
duplex auto
!
router isis 1
net 49.0010.0100.9712.8001.00
is-type level-2-only
ispf level-2
metric-style wide level-2
passive-interface Loopback0
!
router bgp 65535
template peer-policy iBGP
next-hop-self
send-community both
exit-peer-policy
!
template peer-session iBGP_new
remote-as 65535
update-source Loopback0
exit-peer-session
!
bgp router-id 10.97.33.1
no bgp default ipv4-unicast
bgp log-neighbor-changes
bgp deterministic-med
bgp update-delay 1
bgp graceful-restart restart-time 120
bgp graceful-restart stalepath-time 360
bgp graceful-restart
timers bgp 1 20
neighbor 10.97.33.2 remote-as 65535
neighbor 10.97.33.2 inherit peer-session iBGP_new
!
address-family ipv4
no synchronization
redistribute connected
no auto-summary
exit-address-family
!
address-family vpnv4
neighbor 10.97.33.2 activate
neighbor 10.97.33.2 send-community extended
neighbor 10.97.33.2 inherit peer-policy iBGP
exit-address-family
!
address-family ipv4 vrf MNGM
no synchronization
redistribute connected
exit-address-family
!
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
end

!
! Last configuration change at 17:50:54 UTC Tue Feb 8 2011
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname isp2pe2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip source-route
ip vrf MNGM
rd 200:700
route-target export 200:700
route-target import 200:700
route-target import 200:300
route-target import 200:301
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
mpls label protocol ldp
clns routing
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.97.33.2 255.255.255.255
!
interface Loopback30
description MNGM-loopback
ip vrf forwarding MNGM
ip address 172.17.17.2 255.255.255.255
!
interface FastEthernet0/0
descr To-ISP1-PE2
ip address 192.168.0.2 255.255.255.252
speed auto
duplex auto
!
interface FastEthernet0/1
ip address 10.2.128.2 255.255.255.252
ip router isis 1
speed auto
duplex auto
mpls ip
isis circuit-type level-2-only
isis network point-to-point
!
router isis 1
net 49.0010.0100.9712.8002.00
is-type level-2-only
ispf level-2
metric-style wide level-2
passive-interface Loopback0
!
router bgp 65535
template peer-policy iBGP
next-hop-self
send-community both
exit-peer-policy
!
template peer-session iBGP_new
remote-as 65535
update-source Loopback0
exit-peer-session
!
bgp router-id 10.97.33.2
no bgp default ipv4-unicast
no bgp default route-target filter
bgp log-neighbor-changes
bgp deterministic-med
bgp update-delay 1
bgp graceful-restart restart-time 120
bgp graceful-restart stalepath-time 360
bgp graceful-restart
timers bgp 1 20
neighbor 10.97.33.1 remote-as 65535
neighbor 10.97.33.1 inherit peer-session iBGP_new
neighbor 192.168.0.1 remote-as 65050
!
address-family ipv4
no synchronization
redistribute connected
no auto-summary
exit-address-family
!
address-family vpnv4
neighbor 10.97.33.1 activate
neighbor 10.97.33.1 send-community extended
neighbor 10.97.33.1 inherit peer-policy iBGP
neighbor 192.168.0.1 activate
neighbor 192.168.0.1 send-community extended
exit-address-family
!
address-family ipv4 vrf MNGM
no synchronization
redistribute connected
exit-address-family
!
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
end

Monitoring traffic drops on Cisco ACE when pps is exceeded

If the second number in Packet drops is not 0, the subscribers are having a bad time...
To count how bad, add up the results for np 1 and np 2. That is the pps that never reached the users.


ACE-2/Admin# sh np 1 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 2138198165 83976
Frames Received: 99991846 369645
Control Frames Received: 3290216984 18043
Forward Buffered: 99991845 369644
Post stalls: 3506589 0
Packet drops: 3506589 0

ACE-2/Admin# sh np 2 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 2465320651 83579
Frames Received: 1332254728 365847
Control Frames Received: 1023946169 9221
Forward Buffered: 1332254728 365848
Post stalls: 5158547 0
Packet drops: 5158547 0

ACE-2/Admin#

ACE-1/Admin# sh np 1 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 3584761190 73432
Frames Received: 2293087969 581640
Control Frames Received: 3839212508 26861
Forward Buffered: 2293087968 581639
Post stalls: 112917235 0
Packet drops: 112917235 0

ACE-1/Admin# sh np 2 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 4231896532 73768
Frames Received: 1131339942 568290
Control Frames Received: 759502510 13373
Forward Buffered: 1131339942 568290
Post stalls: 101927534 0
Packet drops: 101927534 0

ACE-1/Admin#

ACE-3/Admin# sh np 1 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 3406596389 100325
Frames Received: 314104969 49276
Control Frames Received: 3905008643 18725
Forward Buffered: 314104969 49276
Post stalls: 1051729 0
Packet drops: 339718 0

ACE-3/Admin# sh np 2 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 3985229044 100414
Frames Received: 4034515952 40901
Control Frames Received: 30840757 11218
Forward Buffered: 4034515952 40901
Post stalls: 922235 0
Packet drops: 922235 0

ACE-3/Admin#

ACE-4/Admin# sh np 1 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 3795226185 100421
Frames Received: 3577208145 44379
Control Frames Received: 176413510 12523
Forward Buffered: 3577208145 44379
Post stalls: 768404 0
Packet drops: 199498 0

ACE-4/Admin# sh np 2 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 4170201652 100511
Frames Received: 4163859453 39179
Control Frames Received: 159185538 7237
Forward Buffered: 4163859453 39179
Post stalls: 601197 0
Packet drops: 601197 0

ACE-4/Admin#
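An added example in Python (mine, not from the post) of the check the post describes: it parses the `sh np N me-stats -sreceive` blocks above, sums the current-rate column of Packet drops over both NPs per ACE, relates it to the received frame rate and flags devices where it is non-zero. The ACE-2 block is the post's own output; the ACE-9 block is constructed so that the alert path is exercised.

```python
import re
from collections import defaultdict

# Prompt line that starts one block, e.g. "ACE-2/Admin# sh np 1 me-stats -sreceive"
PROMPT_RE = re.compile(r"^(?P<dev>[\w.-]+)/\w+# sh np (?P<np>\d+) me-stats -sreceive$")
# Counter line: "<name>: <cumulative total> <current rate>"
COUNTER_RE = re.compile(r"^(?P<name>[A-Za-z ]+?): (?P<total>\d+) (?P<rate>\d+)$")


def parse_me_stats(text):
    """Return {device: {np_number: {counter_name: (total, rate)}}}."""
    stats = defaultdict(dict)
    dev = np = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROMPT_RE.match(line)
        if m:
            dev, np = m.group("dev"), int(m.group("np"))
            stats[dev][np] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and dev is not None:
            stats[dev][np][m.group("name")] = (int(m.group("total")), int(m.group("rate")))
    return dict(stats)


def dropped_pps(stats):
    """Per device, the current Packet drops rate summed over all NPs:
    the pps that never reached the users."""
    return {dev: sum(c.get("Packet drops", (0, 0))[1] for c in nps.values())
            for dev, nps in stats.items()}


def drop_ratio(stats):
    """Per device, dropped pps as a fraction of the frames currently received."""
    out = {}
    for dev, nps in stats.items():
        rx = sum(c.get("Frames Received", (0, 0))[1] for c in nps.values())
        drop = sum(c.get("Packet drops", (0, 0))[1] for c in nps.values())
        out[dev] = drop / rx if rx else 0.0
    return out


def alerts(stats, threshold_pps=0):
    """Devices whose summed drop rate is above the threshold."""
    return {dev: pps for dev, pps in dropped_pps(stats).items() if pps > threshold_pps}


# ACE-2 is the post's output; ACE-9 is constructed with a non-zero drop rate.
SAMPLE = """\
ACE-2/Admin# sh np 1 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 2138198165 83976
Frames Received: 99991846 369645
Control Frames Received: 3290216984 18043
Forward Buffered: 99991845 369644
Post stalls: 3506589 0
Packet drops: 3506589 0

ACE-2/Admin# sh np 2 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 2465320651 83579
Frames Received: 1332254728 365847
Control Frames Received: 1023946169 9221
Forward Buffered: 1332254728 365848
Post stalls: 5158547 0
Packet drops: 5158547 0

ACE-2/Admin#

ACE-9/Admin# sh np 1 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 100000 1000
Frames Received: 7000000 300000
Forward Buffered: 7000000 299100
Post stalls: 70000 900
Packet drops: 70000 900

ACE-9/Admin# sh np 2 me-stats -sreceive
Receive Statistics: (Current)
------------------
Idle: 100000 1000
Frames Received: 8000000 300000
Forward Buffered: 8000000 299400
Post stalls: 60000 600
Packet drops: 60000 600

ACE-9/Admin#
"""

if __name__ == "__main__":
    stats = parse_me_stats(SAMPLE)
    for dev, pps in dropped_pps(stats).items():
        print(f"{dev}: {pps} pps dropped ({drop_ratio(stats)[dev]:.2%} of received)")
    print("alerts:", alerts(stats))
```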

"sometimes you gotta take stuff down to let people know who's boss :)"

The folks at RIPE decided to run an experiment:

----------------------------------------------------------------------
Dear Colleagues,

On Friday 27 August, from 08:41 to 09:08 UTC, the RIPE NCC Routing
Information Service (RIS) announced a route with an experimental BGP
attribute. During this announcement, some Internet Service Providers
reported problems with their networking infrastructure.

Investigation
--------------

Immediately after discovering this, we stopped the announcement and
started investigating the problem. Our investigation has shown that the
problem was likely to have been caused by certain router types
incorrectly modifying the experimental attribute and then further
announcing the malformed route to their peers. The announcements sent
out by the RIS were correct and complied to all standards.

The experimental attribute was part of an experiment conducted in
collaboration with a group from Duke University. This involved
announcing a large (3000 bytes) optional transitive attribute, using a
modified version of Quagga. The attribute used type code 99. The data
consisted of zeros. We used the prefix 93.175.144.0/24 for this and
announced from AS 12654 on AMS-IX, NL-IX and GN-IX to all our peers.

Reports from affected ISPs showed that the length of the attribute in
the attribute header, as seen by their routers, was not correct. The
header stated 233 bytes and the actual data in their samples was 237
bytes. This caused some routers to drop the session with the peer that
announced the route.

We have built a test set-up which is running identical software and
configurations to the live set-up. From this set-up, and the BGP packet
dumps as made by the RIS, we have determined that the length of the data
in the attribute as sent out by the RIS was indeed 3000 bytes and that
all lengths recorded in the headers of the BGP updates were correct.

Beyond the RIS systems, we can only do limited diagnosis. One possible
explanation is that the affected routers did not correctly use the
extended length flag on the attribute. This flag is set when the length
of the attribute exceeds 255 bytes i.e. when two octets are needed to
store the length.

It may be that the routers may not add the higher octet of the length to
the total length, which would lead, in our test set-up, to a total
packet length of 236 bytes. If, in addition, the routers also
incorrectly trim the attribute length, the problem could occur as
observed. It is worth noting that the difference between the reported
233 and 237 bytes is the size of the flags, type code and length in the
attribute.

We will be further investigating this problem and will report any
findings. We regret any inconvenience caused.

Kind regards,

Erik Romijn

Information Services
RIPE NCC
_______________________________________________
tech-l mailing list
tech-l@ams-ix.net
http://melix.ams-ix.net/mailman/listinfo/tech-l


As a result, a few things fell over here and there...
http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4411f.shtml

CRSes in particular were tearing down iBGP sessions with peers a little :) All in all, it was fun...
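An added example in Python (mine, not RIPE's or the post's code) of the attribute encoding the report discusses: an RFC 4271 path attribute header with the extended-length flag, a strict parser that rejects a declared length running past the data (the treat-as-withdraw handling of RFC 7606 a router should fall back to instead of propagating the route), and beside it the reader the report hypothesises, one that never looks at the flag and always takes a one-octet length. Type code 99 and the 3000 zero bytes are the report's; the function names are assumptions.

```python
import struct

FLAG_OPTIONAL = 0x80
FLAG_TRANSITIVE = 0x40
FLAG_PARTIAL = 0x20
FLAG_EXT_LEN = 0x10  # length field is two octets instead of one


def encode_attribute(type_code, value, flags=FLAG_OPTIONAL | FLAG_TRANSITIVE):
    """Build flags | type | length | value. When the value is longer than 255
    bytes the length takes two octets and the extended-length flag is set."""
    if len(value) > 255:
        header = bytes([flags | FLAG_EXT_LEN, type_code]) + struct.pack("!H", len(value))
    else:
        header = bytes([flags & ~FLAG_EXT_LEN, type_code, len(value)])
    return header + value


def parse_attribute(buf, offset=0):
    """Strict decode of one attribute at buf[offset:].
    Returns (flags, type_code, value, next_offset); raises ValueError when the
    declared length does not fit in the buffer."""
    if len(buf) - offset < 3:
        raise ValueError("truncated attribute header")
    flags, type_code = buf[offset], buf[offset + 1]
    if flags & FLAG_EXT_LEN:
        if len(buf) - offset < 4:
            raise ValueError("truncated extended length")
        length = struct.unpack_from("!H", buf, offset + 2)[0]
        start = offset + 4
    else:
        length = buf[offset + 2]
        start = offset + 3
    end = start + length
    if end > len(buf):
        raise ValueError(f"attribute type {type_code} declares {length} bytes, "
                         f"only {len(buf) - start} present")
    return flags, type_code, buf[start:end], end


def parse_path_attributes(buf):
    """Walk a whole Path Attributes block; stops at the first inconsistency."""
    out, off = [], 0
    while off < len(buf):
        flags, type_code, value, off = parse_attribute(buf, off)
        out.append((flags, type_code, value))
    return out


def parse_attribute_ignoring_ext_flag(buf, offset=0):
    """The failure mode the report hypothesises: the extended-length flag is
    ignored, so the high octet of the length is read as the length itself and
    the low octet becomes the first data byte. Both the value and the offset
    of the next attribute come out wrong, and everything after is misparsed."""
    flags, type_code, length = buf[offset], buf[offset + 1], buf[offset + 2]
    start = offset + 3
    return flags, type_code, buf[start:start + length], start + length


if __name__ == "__main__":
    # The RIS announcement: type code 99, 3000 bytes of zeros, optional transitive
    attr = encode_attribute(99, bytes(3000)) + encode_attribute(1, b"\x00")  # plus ORIGIN IGP
    print("header:", attr[:4].hex())
    print("strict:", [(t, len(v)) for _, t, v in parse_path_attributes(attr)])
    _, _, bad_value, bad_next = parse_attribute_ignoring_ext_flag(attr)
    print("flag-blind reader sees length", len(bad_value), "and next attribute at", bad_next)
    try:
        parse_attribute(attr[:1000])
    except ValueError as e:
        print("truncated copy rejected:", e)
```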

Cisco ezvpn client on a router

The Cisco ezvpn client on a router turned out to be a very useful thing. For example, it lets you connect
an office that has "suddenly" moved to the corporate network over a temporary link with dynamic addresses.

On the VPN server something like this needs to be configured (all the same as for a regular vpn client):

crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group VPN2Off
key ******
dns *.*.*.43
domain *.ru
pool pool_VPN_Office
acl acl_VPN_Office
save-password
!
crypto isakmp profile VPN_Office
match identity group VPN2Off
client authentication list userauthen_Off
isakmp authorization list groupauthor_Off
client configuration address respond
virtual-template 2
!
crypto ipsec transform-set ESP-3DES-MD5-HMAC esp-3des esp-md5-hmac
!
crypto ipsec profile VPNUser
set transform-set ESP-3DES-MD5-HMAC
!
interface Virtual-Template2 type tunnel
ip vrf forwarding Office
ip unnumbered GigabitEthernet0/1.155
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPNUser

On the client:

!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp xauth timeout 90
!
crypto ipsec transform-set ESP-3DES-MD5-HMAC esp-3des esp-md5-hmac
!
crypto ipsec profile VPNUser
set transform-set ESP-3DES-MD5-HMAC
!
crypto ipsec client ezvpn ToCenter
connect auto
group VPN2Off key ******
mode network-extension
peer x.x.x.10
virtual-interface 1
username off password ******
xauth userid mode local
!
!
interface GigabitEthernet0/0
description =To WiMax bridge=
ip address dhcp
duplex auto
speed auto
crypto ipsec client ezvpn ToCenter
!
!
interface GigabitEthernet0/1.40
description === Off-Users ===
encapsulation dot1Q 40
ip address 10.x.x.1 255.255.255.192
crypto ipsec client ezvpn ToCenter inside
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
ip mtu 1300
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPNUser
!
ip route 0.0.0.0 0.0.0.0 dhcp
!

Networks for which "ezvpn inside" is specified on the client side appear on the VPN server as static routes via the Virtual-Access interface and are accordingly redistributed into the required routing protocol.

A bit about NAT on Cisco ACE...

A lot of trial and error led to roughly this configuration:

!logging of various things:
logging enable
logging standby
logging timestamp
logging trap 6
logging buffered 6
logging facility 19
logging device-id context-name
logging host 192.168.150.220 udp/514
!cut off the unneeded messages:
no logging message 302022
no logging message 302023
no logging message 302024
no logging message 302025
no logging message 302026
no logging message 302027
no logging message 106023
no logging message 305011
no logging message 305012
no logging message 313004

object-group network Network-Monitor
host 192.168.150.198
host 192.168.150.199

!here are all sorts of ACLs:
access-list ANY line 10 extended permit ip any any

access-list FINBLOCK_ACCESS line 100 extended permit ip y.y.0.0 255.254.0.0 any

access-list FULL_ACCESS line 110 extended permit ip y.x.0.0 255.254.0.0 any
access-list FULL_ACCESS line 112 extended permit ip x.x.0.0 255.255.0.0 any
access-list FULL_ACCESS line 114 extended permit ip z.x.0.0 255.255.0.0 any

access-list GUEST_ACCESS line 100 extended permit ip z.z.0.0 255.240.0.0 any
access-list GUEST_ACCESS line 110 extended permit ip y.z.2.0 255.255.255.240 any

access-list ICMP line 10 extended permit icmp any any
access-list INSIDE line 100 extended permit ip any any
access-list IP_Time line 7 extended deny tcp any any
access-list IP_Time line 8 extended deny udp any any
access-list IP_Time line 9 extended deny icmp any any
access-list IP_Time line 16 extended permit ip any any

access-list OUTSIDE line 10 extended permit icmp any any unreachable
access-list OUTSIDE line 20 extended permit icmp any any time-exceeded
access-list OUTSIDE line 30 extended permit ip any xx.xx.xx.16 255.255.255.240
access-list OUTSIDE line 40 extended deny ip any any

access-list StaticNAT-10 line 8 extended permit ip host 192.168.153.48 any
access-list StaticNAT-20 line 8 extended permit ip host 192.168.150.220 any
access-list StaticNAT-30 line 8 extended permit ip host 192.168.153.34 any

access-list TCP line 5 extended deny tcp any any range 21 23
access-list TCP line 6 extended deny tcp any any eq 3389
access-list TCP line 7 extended deny tcp any any eq pptp
access-list TCP line 10 extended permit tcp any any

access-list UDP line 10 extended permit udp any any

access-list server_NAT line 10 extended permit ip host 192.168.131.138 any
access-list server_NAT line 11 extended permit ip host 192.168.131.152 any
access-list server_NAT line 20 extended permit ip host 192.168.131.202 any

!define the parameters that are applied to sessions:
parameter-map type connection ICMP-timeout
set timeout inactivity 4
parameter-map type connection TCP-timeout
set timeout inactivity 120
set tcp timeout half-closed 60
set tcp window-scale 4
tcp-options selective-ack allow
tcp-options timestamp allow
tcp-options window-scale allow
exceed-mss allow
parameter-map type connection Timeouts
set timeout inactivity 120
parameter-map type connection UDP-timeout
set timeout inactivity 30

class-map match-all ANY
2 match any

!classes for static NAT and other things:
class-map match-any Class-StaticNAT-10
2 match access-list StaticNAT-10
class-map match-any Class-StaticNAT-20
2 match access-list StaticNAT-20
class-map match-any Class-StaticNAT-30
2 match access-list StaticNAT-30
class-map match-any FULL_NAT
2 match access-list FULL_ACCESS
class-map match-all ICMP
2 match access-list ICMP
class-map match-any IP_Time
2 match access-list IP_Time
class-map type management match-any REMOTE_ACCESS
4 match protocol icmp any
6 match protocol snmp source-address 192.168.150.203 255.255.255.255
class-map match-any SERVER_NAT
2 match access-list server_NAT
class-map match-all TCP
2 match access-list TCP
class-map match-all UDP
2 match access-list UDP

policy-map type management first-match REMOTE_ACCESS_POLICY
class REMOTE_ACCESS
permit

! policy so that pings go through and traceroutes are correct:
policy-map multi-match ICMP
class ICMP
inspect icmp error

! policy for static NAT
policy-map multi-match StaticNAT
class Class-StaticNAT-10
nat static xx.xx.xx.27 netmask 255.255.255.255 vlan 14
class Class-StaticNAT-20
nat static xx.xx.xx.20 netmask 255.255.255.255 vlan 14
class Class-StaticNAT-30
nat static xx.xx.xx.22 netmask 255.255.255.255 vlan 14

! policy for applying the parameters to traffic:
policy-map multi-match TIMERS
class UDP
connection advanced-options UDP-timeout
class ICMP
connection advanced-options ICMP-timeout
class IP_Time
connection advanced-options Timeouts
class TCP
connection advanced-options TCP-timeout

! policy for NAT
policy-map multi-match ABON_NAT
class FULL_NAT
nat dynamic 1 vlan 14
class SERVER_NAT
nat dynamic 3 vlan 14
timeout xlate 60

!this is the inside interface
interface vlan 13
description NAT_in
ip address 192.168.255.51 255.255.255.248
alias 192.168.255.49 255.255.255.248
peer ip address 192.168.255.50 255.255.255.248
mtu 1500
!disables reassembly of fragmented packets:
fragment chain 1
access-group input ANY
service-policy input ICMP
service-policy input REMOTE_ACCESS_POLICY
service-policy input StaticNAT
service-policy input ABON_NAT
service-policy input TIMERS
no shutdown

!this is the outside interface
interface vlan 14
description NAT_out
ip address 192.168.255.59 255.255.255.248
alias 192.168.255.57 255.255.255.248
peer ip address 192.168.255.58 255.255.255.248
mtu 1500
fragment chain 1
access-group input OUTSIDE
nat-pool 1 xx.xx.yy.1 xx.xx.yy.30 netmask 255.255.255.224 pat
nat-pool 1 zz.zz.224.1 zz.zz.255.254 netmask 255.255.224.0
nat-pool 4 xx.xx.xy.2 xx.xx.xy.2 netmask 255.255.255.255 pat
service-policy input ICMP
service-policy input TIMERS
no shutdown

!routes inward and outward:
ip route 0.0.0.0 0.0.0.0 192.168.255.60
ip route 192.168.0.0 255.255.0.0 192.168.255.52

!SNMP stuff:
snmp-server community kldjsifu84rjr894 group Network-Monitor

snmp-server host 192.168.150.203 traps version 2c kldjsifu84rjr894


P.S.: ACE is certainly a good thing, but there are two "small problems": on NAT it handles no more than 1.1 Mpps, after which it starts dropping traffic, and sometimes, under circumstances not yet determined, it drops traffic for some addresses citing an allegedly invalid checksum. Let's hope they fix it.... Someday... The software was A2(3.0).

An anti-crisis version of a "proper" access network for a home ISP

The previous version (http://ciscovod.blogspot.com/2009/03/cisco-isg-dhcp-opt82.html) was criticized by colleagues as being too expensive :)
So the thinking continued:



A 6509 chassis populated with a Sup2 and fabric, two 2500 W power supplies, and 6x16 GBIC + 16GE(TX) will cost $7680 at shop.nag.ru (without GBIC modules). One such node is enough for ~1800 subscribers at 0.8 utilization.

SCE1010 - costs $30K at GPL.

static route-leaking between VRFs

I needed to arrange traffic exchange between two hosts in different VRFs...
!
ip vrf VPN1
rd 200:202
route-target export 200:202
route-target import 200:255
route-target import 200:300
!
ip vrf VPN2
rd 200:251
route-target export 200:251
route-target import 200:300
!
ip route vrf VPN1 192.168.50.12 255.255.255.255 Vlan902 192.168.50.12
!
ip route vrf VPN2 192.168.150.132 255.255.255.255 Vlan697 192.168.150.132
!
!
interface Vlan902
description VPN2_Servers
ip vrf forwarding VPN2
ip address 192.168.50.1 255.255.255.128
!
interface Vlan697
description VPN1_Servers
ip vrf forwarding VPN1
ip address 192.168.150.129 255.255.255.224
!

IPsec VPN between Cisco and Linux via crypto profile (without crypto-map)

Taken from here:
http://community.livejournal.com/cisco_ru/239812.html

On the Cisco

crypto isakmp key 185d088b5c71daaab829c012f1ee1076 address 80.249.178.146

crypto ipsec transform-set 3DES.MD5.HMAC esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile VPN
set transform-set 3DES.MD5.HMAC
!
interface Tunnel3
description Tunnel to ep-gw
ip address 192.168.100.13 255.255.255.252
ip mtu 1400
shutdown
tunnel source FastEthernet0/0
tunnel destination 80.249.178.146
tunnel protection ipsec profile VPN
!
ip route 192.168.11.0 255.255.255.0 192.168.100.14


On Linux (Debian)

/etc/network/interfaces

auto tun0
iface tun0 inet static
address 192.168.100.14
netmask 255.255.255.252
broadcast 192.168.100.15
up ifconfig tun0 multicast
pre-up ip tunnel add tun0 mode gre local 80.249.178.146 remote 80.249.xxx.194 ttl 255
pointopoint 192.168.100.1
post-up ip r a 192.168.1.0/24 via 192.168.100.1
pre-down ip r d 192.168.1.0/24 via 192.168.100.1
post-down ip link set tun0 down
post-down ip tunnel del tun0

/etc/ipsec-tools.conf

#!/usr/sbin/setkey -f
flush;
spdflush;

spdadd 80.249.178.146 80.249.xxx.194 gre -P out ipsec
esp/transport/80.249.178.146-80.249.xxx.194/require;

spdadd 80.249.xxx.194 80.249.178.146 gre -P in ipsec
esp/transport/80.249.xxx.194-80.249.178.146/require;

/etc/racoon/racoon.conf

remote 80.249.xxx.194 {
my_identifier address 80.249.178.146;
exchange_mode main,aggressive;
doi ipsec_doi;
proposal_check obey;

proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
lifetime time 3600 sec;
}
}
sainfo anonymous {
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
lifetime time 3600 sec;

}

Yota coverage map



P.S.: If you pan around, St. Petersburg and Ufa are there too.

PPPoE and WiFi on a Cisco 871w

A config like this, for the record...

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c871w
!
boot-start-marker
boot-end-marker
!
enable secret 5 ***********
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
!
dot11 ssid wifi
vlan 10
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 ***********
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.220.1 192.168.220.100
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool DCHP-POOL-1
import all
network 192.168.220.0 255.255.255.0
default-router 192.168.220.1
netbios-name-server 192.168.100.254
dns-server 192.168.220.1
lease 0 1
!
ip dhcp pool DCHP-POOL-WiFi
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
lease 0 1
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name test.ru
!
!
!
username admin privilege 15 secret 5 ***********
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key *********** address 1.1.1.1 no-xauth
crypto isakmp key *********** address 2.2.2.2 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp xauth timeout 90

!
!
crypto ipsec transform-set T2 esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile P2
set transform-set T2
!
!
archive
log config
hidekeys
!
!
ip ssh maxstartups 5
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
interface Tunnel0
ip address 192.168.10.22 255.255.255.252
ip mtu 1250
ip tcp adjust-mss 1100
tunnel source 3.3.3.3
tunnel destination 2.2.2.2
tunnel protection ipsec profile P2
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address dhcp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers tkip
!
encryption vlan 10 mode ciphers tkip
!
broadcast-key change 60
!
!
ssid wifi
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.10
encapsulation dot1Q 10 native
ip address 10.10.10.1 255.255.255.0
ip access-group Deny-Our-Net-From-Wi-Fi in
ip nat inside
ip virtual-reassembly
rate-limit input 512000 8000 8000 conform-action transmit exceed-action drop
rate-limit output 512000 8000 8000 conform-action transmit exceed-action drop
ip tcp adjust-mss 1400
no cdp enable
!
interface Vlan1
description LAN
ip address 192.168.220.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1400
!
interface Dialer0
ip address negotiated
ip access-group From-INTERNET in
ip mtu 1450
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname pukulya
ppp chap password 0 toshibaa
ppp ipcp dns accept
!
router rip
version 2
passive-interface default
no passive-interface Tunnel0
network 192.168.10.0
network 192.168.220.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip flow-cache timeout active 5
ip flow-export source Tunnel0
ip flow-export version 5
ip flow-export destination 192.168.100.242 9999
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source route-map nonat interface Dialer0 overload
!
ip access-list standard SNMP_ACCESS
permit 192.168.100.241
!
ip access-list extended Deny-Our-Net-From-Wi-Fi
deny ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended FOR-NAT-ACL
permit ip 192.168.220.0 0.0.0.255 any
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended From-INTERNET
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny udp any any eq 5060
deny tcp any any eq 5060
deny tcp any any eq 2000
deny udp any any eq 1720
deny tcp any any eq 1720
permit ip any any
!
logging origin-id hostname
logging server-arp
logging 192.168.100.241
snmp-server community public RO SNMP_ACCESS
snmp-server ifindex persist
snmp-server location ARCH-1
snmp-server contact admin@test.ru
snmp-server chassis-id c871w
snmp-server host 192.168.100.241 public
no cdp run
!
!
route-map nonat permit 10
match ip address FOR-NAT-ACL
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17175124
ntp master
ntp server 213.41.245.21
ntp server 216.58.31.84
ntp server 216.52.237.153
end
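The From-INTERNET and Deny-Our-Net-From-Wi-Fi access lists in the config above (From-INTERNET is repeated in the configs that follow) depend on three IOS rules: entries are tried in order and the first match wins, addresses are compared through a wildcard mask whose set bits mean "don't care", and anything that matches no entry hits the implicit deny at the end. The Python below is an added example, not part of the original post and not IOS code: it parses those two ACLs (copied here as constructed strings) and evaluates constructed sample packets against them, so the ordering and the implicit deny can be checked off-box before a list goes onto an interface. It resolves only numeric ports with `eq`, which is all these two lists use.

```python
import ipaddress

# Constructed copies of two ACLs from the 871w config above, one entry per line.
FROM_INTERNET = """
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny udp any any eq 5060
deny tcp any any eq 5060
deny tcp any any eq 2000
deny udp any any eq 1720
deny tcp any any eq 1720
permit ip any any
"""

DENY_OUR_NET_FROM_WIFI = """
deny ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 10.10.10.0 0.0.0.255 any
"""


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _take_addr(tok, i):
    """Consume an IOS address spec: 'any' | 'host A' | 'A WILDCARD'. Returns (net, wild, next_i)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def _take_port(tok, i):
    """Consume an optional numeric 'eq N' qualifier. Returns (port or None, next_i)."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Parse extended ACL entries of the form: action proto SRC [eq N] DST [eq N]."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok[0], tok[1]
        src, swild, i = _take_addr(tok, 2)
        sport, i = _take_port(tok, i)
        dst, dwild, i = _take_addr(tok, i)
        dport, i = _take_port(tok, i)
        entries.append((action, proto, src, swild, sport, dst, dwild, dport))
    return entries


def _addr_match(addr, net, wild):
    # Wildcard mask semantics: bits set in the mask are ignored in the comparison.
    mask = ~wild & 0xFFFFFFFF
    return (addr & mask) == (net & mask)


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """First-match evaluation; returns (action, 1-based entry number) or
    ('deny', None) for the implicit deny when nothing matched."""
    s, d = _ip(src), _ip(dst)
    for n, (action, eproto, net_s, w_s, p_s, net_d, w_d, p_d) in enumerate(entries, 1):
        if eproto != "ip" and eproto != proto:   # 'ip' entries match every protocol
            continue
        if not _addr_match(s, net_s, w_s) or not _addr_match(d, net_d, w_d):
            continue
        if p_s is not None and p_s != sport:
            continue
        if p_d is not None and p_d != dport:
            continue
        return action, n
    return "deny", None


if __name__ == "__main__":
    fi = parse_acl(FROM_INTERNET)
    wf = parse_acl(DENY_OUR_NET_FROM_WIFI)
    # Constructed sample packets: (acl, proto, src, dst, dport)
    for acl, proto, src, dst, dport in (
        (fi, "tcp", "192.168.5.5", "203.0.113.10", 443),    # RFC 1918 source from outside
        (fi, "udp", "198.51.100.7", "203.0.113.10", 5060),  # SIP signalling from outside
        (fi, "tcp", "198.51.100.7", "203.0.113.10", 443),   # ordinary traffic
        (wf, "tcp", "10.10.10.50", "192.168.220.1", 22),    # Wi-Fi guest towards the LAN
        (wf, "icmp", "10.10.11.1", "8.8.8.8", None),        # not in the Wi-Fi subnet at all
    ):
        print(proto, src, "->", dst, dport, "=>", evaluate(acl, proto, src, dst, dport=dport))
```

The last sample is the one worth noticing: a source outside 10.10.10.0/24 matches neither entry of Deny-Our-Net-From-Wi-Fi and is dropped by the implicit deny, which is the intended outcome for an ACL applied inbound on the Wi-Fi subinterface but is easy to overlook when reading the list.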

PPTP client on a Cisco 87x

The gist of the story: our warehouse moved to a new location where it is impossible to get a normal link with a public address. However, the neighbours have Internet, and the warehouse PCs were plugged into their network. But their "Planet" mega-router allows no more than one PPTP session, and Cisco VPN Client does not work through it either. So we put an 87x Cisco there, which gets a private address from the Planet via DHCP and builds a PPTP tunnel to our head office, with normal routing through it.

P.S. Don't believe the tales that there is no PPTP client on Cisco! There is a magic command, service internal, that makes it usable. The IOS version used was c870-advsecurityk9-mz.124-15.T5

Config of the 871 Cisco:

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname c871spb-rzevka
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.214.1 192.168.214.10
!
ip dhcp pool DCHP-POOL-1
import all
network 192.168.214.0 255.255.255.0
default-router 192.168.214.1
netbios-name-server 192.168.0.171
dns-server 192.168.214.1 192.168.100.254
lease 0 1
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain list bla-bla.local
ip domain name bla-bla.ru
ip host server2.bla-bla.local 192.168.0.171
ip host _ldap._tcp.dc._msdcs.bla-bla.local srv 1 1 389 server2.bla-bla.local
ip host vm-termserver.bla-bla.local 192.168.0.160
!
vpdn enable
!
vpdn-group 1
request-dialin
protocol pptp
pool-member 1
initiate-to ip aaa.aaa.aaa.226
!
!
!
username admin privilege 15 secret ********************
!
!
archive
log config
hidekeys
!
!
ip ssh maxstartups 5
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description TO_ISP
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
description Internal_LAN
ip address 192.168.214.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
mtu 1450
ip address 192.168.111.222 255.255.255.0
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer string 123
dialer vpdn
dialer-group 1
no cdp enable
ppp pfc local request
ppp pfc remote apply
ppp encrypt mppe auto
ppp chap hostname username1
ppp chap password 0 userpass1
!
ip forward-protocol nd
ip route 192.168.0.0 255.255.0.0 192.168.111.1
ip flow-cache timeout active 5
ip flow-export version 5
ip flow-export destination 192.168.100.242 9910
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source route-map nonat interface FastEthernet4 overload
!
ip access-list standard SNMP_ACCESS
permit 192.168.100.241
!
ip access-list extended FOR-NAT-ACL
permit ip 192.168.214.0 0.0.0.255 any
ip access-list extended From-INTERNET
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny udp any any eq 5060
deny tcp any any eq 5060
deny tcp any any eq 2000
deny udp any any eq 1720
deny tcp any any eq 1720
permit ip any any
!
ip sla 10
icmp-echo 192.168.111.1 source-interface Dialer0
timeout 3000
threshold 500
frequency 5
ip sla schedule 10 life forever start-time now
logging origin-id hostname
logging server-arp
logging 192.168.100.241
dialer-list 1 protocol ip permit
snmp-server community public RO SNMP_ACCESS
snmp-server ifindex persist
snmp-server location SPB-Rjevka
snmp-server contact admin@bla-bla.ru
snmp-server chassis-id c871
snmp-server host 192.168.100.241 public
no cdp run
!
!
route-map nonat permit 10
match ip address FOR-NAT-ACL
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17174962
ntp master
ntp server 213.41.245.21
ntp server 216.58.31.84
ntp server 216.52.237.153
end

A hellish config from a Cisco, lots of stuff in it...


!
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname c2821
!
boot-start-marker
boot-end-marker
!
card type e1 0 0
logging buffered 4096
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login user_auth group radius local
aaa authentication ppp default group radius local
aaa authorization exec default local none
aaa authorization network default group radius local
aaa authorization network group_author local
aaa accounting delay-start
aaa accounting update periodic 1
aaa accounting network default start-stop group radius
!
aaa server radius dynamic-author
client 192.168.100.242 server-key XXXXXXXXXXXXXX
auth-type any
ignore session-key
!
aaa session-id unique
clock timezone MSK 3
clock summer-time MSD recurring last Sun Mar 2:00 last Sun Oct 2:00
network-clock-participate wic 0
dot11 syslog
ip wccp web-cache redirect-list REDIRECT_HTTP password XXXXXXXXXXXXXX
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.30.1 192.168.30.10
ip dhcp excluded-address 192.168.110.1
!
ip dhcp pool SRST-Pool
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
option 150 ip 192.168.30.2
dns-server 192.168.100.254 80.250.191.18
option 66 ip 192.168.30.2
!
ip dhcp pool WiFi-Pool
network 192.168.110.0 255.255.255.0
default-router 192.168.110.1
dns-server 192.168.100.254
!
ip dhcp pool WiFi-AP-Pool
host 192.168.110.2 255.255.255.0
client-identifier 0100.1bd5.bdf2.b4
default-router 192.168.110.1
!
!
ip domain name bla-bla.ru
ip name-server xxx.xxx.65.9
ip name-server xxx.xxx.66.253
ip name-server xxx.xxx.192.2
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
login block-for 300 attempts 3 within 60
login delay 3
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
local name Cisco_VPN_PPTP_server
ip mtu adjust
!
isdn switch-type primary-net5
!
!
trunk group CO
carrier-id YYYYYYY
!
voice-card 0
dspfarm
dsp services dspfarm
!
!
!
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711alaw
sip
registrar server expires max 600 min 60
no update-callerid
!
!
voice class codec 15
codec preference 1 g711ulaw
codec preference 2 g711alaw
codec preference 3 g729r8
codec preference 4 ilbc
!
!
!
!
!
!
!
!
!
!
!
voice register pool 10
id network 192.168.30.0 mask 255.255.255.0
application sip.app
preference 2
proxy 192.168.30.2 preference 1 monitor probe icmp-ping
dtmf-relay rtp-nte
voice-class codec 15
!
!
voice translation-rule 10
rule 1 /\(^.+\)/ /9\1/
!
!
voice translation-profile world-to-me
translate calling 10
!
!
!
application
service ivrtest flash://its-CISCO.2.0.2.0.tcl
paramspace english index 0
paramspace english language en
paramspace english location flash:
param aa-pilot YYYYYYY
paramspace english prefix en
param operator 2001
!
global
service alternate DEFAULT
!
!
!
!
!
!
username admin privilege 15 secret XXXXXXXXXXXXXX
username admin-vpn password XXXXXXXXXXXXXX
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXXXXXXXX address 1.1.1.1 no-xauth
crypto isakmp key XXXXXXXXXXXXXX address 2.2.2.2 no-xauth
crypto isakmp key XXXXXXXXXXXXXX address 3.3.3.3 no-xauth
crypto isakmp key XXXXXXXXXXXXXX address 4.4.4.4 no-xauth
crypto isakmp key XXXXXXXXXXXXXX address 5.5.5.5 no-xauth
crypto isakmp key XXXXXXXXXXXXXX address 6.6.6.6 no-xauth
crypto isakmp key XXXXXXXXXXXXXX address 7.7.7.7 no-xauth
crypto isakmp key XXXXXXXXXXXXXX address 8.8.8.8 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp xauth timeout 90

!
crypto isakmp client configuration group mobile
key XXXXXXXXXXXXXX
dns 192.168.100.254 80.250.191.18
pool PPTP_VPN
max-users 250
netmask 255.255.255.0
crypto isakmp profile mobile_users
match identity group mobile
client authentication list user_auth
isakmp authorization list group_author
client configuration address respond
client configuration group mobile
accounting default
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA0 esp-3des esp-sha-hmac
crypto ipsec transform-set T2 esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile P2
set transform-set T2
!
crypto ipsec profile mobile_users_ipsec
set transform-set ESP-3DES-SHA0
set isakmp-profile mobile_users
!
!
crypto map temp local-address Vlan50
crypto map temp client configuration address respond
crypto map temp 1 ipsec-isakmp
description to_Archangelsk
set peer 1.1.1.1
set transform-set ESP-3DES-SHA0
match address VPN-Archangelsk
crypto map temp 2 ipsec-isakmp
description to_Intersol
set peer 5.5.5.5
set transform-set ESP-3DES-SHA0
match address VPN-Intersol
!
!
!
controller E1 0/0/0
pri-group timeslots 1-31
description PSTN-Voice-Trunk-E1
!
ip tcp path-mtu-discovery
ip ssh maxstartups 5
ip ssh time-out 60
ip ssh version 2
no ip rcmd domain-lookup
!
track 10 rtr 10 reachability
delay down 15 up 10
!
track 20 rtr 20 reachability
delay down 15 up 10
!
policy-map out-policy-128k
class class-default
police cir 128000 bc 8000 be 8000
exceed-action drop
policy-map in-policy-128k
class class-default
police cir 128000 bc 8000 be 8000
exceed-action drop
!
!
!
!
bba-group pppoe TEST
virtual-template 1
!
!
interface Loopback10
description Loopback-For-VPN-Users
ip address 192.168.111.1 255.255.255.255
!
interface Loopback20
description Loopback-For-WiFi-Net
ip address 192.168.110.1 255.255.255.255
!
interface Tunnel1
description tun-to-c871spb-novg12
bandwidth 256
ip address 192.168.10.1 255.255.255.252
ip mtu 1250
ip tcp adjust-mss 1100
tunnel source aaa.aaa.aaa.226
tunnel destination 2.2.2.2
tunnel protection ipsec profile P2
!
interface Tunnel2
description tun-to-c877-msk-1
bandwidth 256
ip address 192.168.10.5 255.255.255.252
ip mtu 1250
ip tcp adjust-mss 1100
tunnel source aaa.aaa.aaa.226
tunnel destination 4.4.4.4
tunnel protection ipsec profile P2
!
interface Tunnel3
description tun-to-c851-novosib-1
bandwidth 256
ip address 192.168.10.9 255.255.255.252
ip mtu 1250
ip tcp adjust-mss 1100
tunnel source aaa.aaa.aaa.226
tunnel destination 3.3.3.3
tunnel protection ipsec profile P2
!
interface Tunnel4
description tun-to-c857-murmansk
bandwidth 256
ip address 192.168.10.13 255.255.255.252
ip mtu 1226
ip tcp adjust-mss 1100
tunnel source aaa.aaa.aaa.226
tunnel destination 8.8.8.8
tunnel protection ipsec profile P2
!
interface Tunnel5
description tun-to-c2811-msk-2
bandwidth 256
ip address 192.168.10.17 255.255.255.252
ip mtu 1250
ip tcp adjust-mss 1100
tunnel source aaa.aaa.aaa.226
tunnel destination 7.7.7.7
tunnel protection ipsec profile P2
!
interface Tunnel6
description tun-to-c871-spb-rzevka
bandwidth 256
ip address 192.168.10.21 255.255.255.252
ip mtu 1250
ip tcp adjust-mss 1100
tunnel source aaa.aaa.aaa.226
tunnel destination 6.6.6.6
tunnel protection ipsec profile P2
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.20
description TESTLAB
encapsulation dot1Q 20
ip address 192.168.4.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface GigabitEthernet0/0.30
description Voice_LAN
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip wccp web-cache redirect in
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ntp broadcast
!
interface GigabitEthernet0/0.40
description Data_LAN
encapsulation dot1Q 40
ip address 192.168.0.90 255.255.255.0 secondary
ip address 192.168.40.1 255.255.255.0
ip helper-address 192.168.100.254
ip wccp web-cache redirect in
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0.100
description Servers
encapsulation dot1Q 100
ip address 192.168.100.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1/0
description To-WiFi-AP-WithoutEncryption
switchport access vlan 70
!
interface FastEthernet0/1/1
description ISP-1
switchport access vlan 50
no cdp enable
!
interface FastEthernet0/1/2
description ISP-2
switchport access vlan 60
no cdp enable
!
interface FastEthernet0/1/3
switchport access vlan 60
no cdp enable
!
interface Serial0/0/0:15
description PSTN-Voice-Trunk-E1
no ip address
encapsulation hdlc
no logging event link-status
isdn switch-type primary-net5
isdn timer T310 60000
isdn incoming-voice voice
no cdp enable
!
interface Virtual-Template1
description Tunnel-Template-For-PPTP-Users
ip unnumbered Loopback10
ip verify unicast reverse-path
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1460
autodetect encapsulation ppp
no snmp trap link-status
peer default ip address pool PPTP_VPN
no keepalive
ppp mtu adaptive
ppp encrypt mppe 128 passive
ppp authentication ms-chap-v2
ppp ipcp dns 192.168.100.254 217.195.65.9
ppp ipcp wins 192.168.100.254
!
interface Virtual-Template2 type tunnel
description Tunnel-Template-For-VPNC-Users
bandwidth 1024
ip unnumbered Loopback10
ip nat inside
ip virtual-reassembly
load-interval 30
no snmp trap link-status
tunnel mode ipsec ipv4
tunnel protection ipsec profile mobile_users_ipsec
tunnel bandwidth transmit 1024
tunnel bandwidth receive 1024
!
interface Vlan1
no ip address
shutdown
!
interface Vlan50
description ISP2
bandwidth 10000
ip address aaa.aaa.aaa.226 255.255.255.224
ip access-group From-INTERNET in
ip nat outside
ip virtual-reassembly
crypto map temp
!
interface Vlan60
description to ISP1
bandwidth 10000
ip address bbb.bbb.bbb.18 255.255.255.248
ip access-group From-INTERNET in
ip nat outside
ip virtual-reassembly
!
interface Vlan70
description to WiFi-AP
ip unnumbered Loopback20
ip access-group WiFi-Net-Inp in
ip access-group WiFi-Net-Out out
ip virtual-reassembly
!
router rip
version 2
passive-interface default
no passive-interface Tunnel1
no passive-interface Tunnel2
no passive-interface Tunnel3
no passive-interface Tunnel4
no passive-interface Tunnel5
no passive-interface Tunnel6
network 192.168.0.0
network 192.168.10.0
network 192.168.40.0
network 192.168.100.0
network 192.168.111.0
!
ip local pool PPTP_VPN 192.168.111.100 192.168.111.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 aaa.aaa.aaa.225 track 10
ip route 0.0.0.0 0.0.0.0 bbb.bbb.bbb.17 5 track 20
ip route 172.16.10.0 255.255.255.0 192.168.100.111 name TEST-route-forISG
ip route 172.16.20.0 255.255.255.0 192.168.100.111 name TEST-route-forISG
ip route 192.168.101.0 255.255.255.0 192.168.100.111 name TEST-route-forISG
!
ip flow-cache timeout active 5
ip flow-export source Loopback10
ip flow-export version 5
ip flow-export interface-names
ip flow-export destination 192.168.100.242 9996
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation timeout 20
ip nat translation tcp-timeout 120
ip nat translation udp-timeout 60
ip nat translation dns-timeout 80
ip nat translation icmp-timeout 10
ip nat pool POOL-Prometey-1 aaa.aaa.aaa.226 aaa.aaa.aaa.226 netmask 255.255.255.224
ip nat pool POOL-Prometey-2 aaa.aaa.aaa.227 aaa.aaa.aaa.227 netmask 255.255.255.224
ip nat pool POOL-Petrstar-1 bbb.bbb.bbb.18 bbb.bbb.bbb.18 netmask 255.255.255.248
ip nat pool POOL-Petrstar-2 bbb.bbb.bbb.19 bbb.bbb.bbb.19 netmask 255.255.255.248
ip nat inside source route-map For-NAT-1 pool POOL-Prometey-1 overload
ip nat inside source route-map For-NAT-2 pool POOL-Prometey-2 overload
ip nat inside source route-map For-Reserve-NAT-1 pool POOL-Petrstar-1 overload
ip nat inside source route-map For-Reserve-NAT-2 pool POOL-Petrstar-2 overload
ip nat inside source static tcp 192.168.100.253 25 aaa.aaa.aaa.227 25 extendable
ip nat inside source static tcp 192.168.100.253 80 aaa.aaa.aaa.227 80 extendable
ip nat inside source static tcp 192.168.100.253 110 aaa.aaa.aaa.227 110 extendable
ip nat inside source static tcp 192.168.100.248 20 aaa.aaa.aaa.228 20 extendable
ip nat inside source static tcp 192.168.100.248 21 aaa.aaa.aaa.228 21 extendable
ip nat inside source static tcp 192.168.100.248 22 aaa.aaa.aaa.228 22 extendable
!
ip access-list standard SNMP_ACCESS
permit 192.168.100.241
ip access-list standard VTY_ACCESS
permit 192.168.40.0 0.0.0.255
!
ip access-list extended For-NAT-1
deny ip 192.168.0.0 0.0.255.255 192.168.200.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 192.168.220.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 192.168.221.0 0.0.0.255
permit udp host 192.168.100.254 any eq domain
permit tcp host 192.168.100.254 any eq domain
permit ip host 192.168.100.100 any
permit ip host 192.168.100.111 any
permit ip host 192.168.100.247 any
permit ip host 192.168.100.248 any
permit ip host 192.168.100.249 any
permit ip host 192.168.100.251 any
permit ip host 192.168.100.244 any
permit ip host 192.168.30.100 any
permit ip host 192.168.50.100 any
permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.40.0 0.0.0.255 any
permit ip 192.168.111.0 0.0.0.255 any
permit ip 172.16.10.0 0.0.0.255 any
permit ip 172.16.20.0 0.0.0.255 any
ip access-list extended For-NAT-2
deny ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.30.0 0.0.0.255 any
permit ip host 192.168.100.210 any
permit ip host 192.168.100.220 any
permit ip host 192.168.100.225 any
permit ip host 192.168.100.235 any
permit ip host 192.168.100.239 any
permit ip host 192.168.100.240 any
permit ip host 192.168.100.241 any
permit ip host 192.168.100.242 any
permit ip host 192.168.100.243 any
permit ip host 192.168.100.245 any
permit ip host 192.168.100.246 any
permit ip host 192.168.100.250 any
permit ip host 192.168.100.253 any
permit ip host 192.168.99.242 any
permit ip host 192.168.4.32 any
permit ip host 192.168.0.251 any
permit ip host 192.168.100.165 any
ip access-list extended From-INTERNET
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny udp any any eq 5060
deny tcp any any eq 5060
deny tcp any any eq 2000
deny udp any any eq 1720
deny tcp any any eq 1720
permit ip any any
ip access-list extended Kill-SMB-in
deny tcp any any eq 139
permit ip any any
ip access-list extended Kill-SMB-out
deny tcp any eq 139 any
permit ip any any
ip access-list extended REDIRECT_HTTP
deny tcp 192.168.40.0 0.0.0.255 192.168.100.0 0.0.0.255 eq www
deny tcp 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255 eq www
deny tcp host 192.168.40.37 any eq www
permit tcp 192.168.0.0 0.0.0.255 any eq www
permit tcp 192.168.40.0 0.0.0.255 any eq www
permit tcp 192.168.30.0 0.0.0.255 any eq www
ip access-list extended VPN-Archangelsk
permit ip 192.168.0.0 0.0.255.255 192.168.220.0 0.0.0.255
ip access-list extended VPN-Intersol
permit ip 192.168.0.0 0.0.255.255 192.168.200.0 0.0.0.255
ip access-list extended WiFi-Net-Inp
permit esp 192.168.110.0 0.0.0.255 any
permit udp any eq bootpc any eq bootps
permit udp 192.168.110.0 0.0.0.255 any eq domain
permit udp 192.168.110.0 0.0.0.255 any eq isakmp
permit tcp host 192.168.110.2 any established
permit icmp 192.168.110.0 0.0.0.255 host 192.168.110.1
ip access-list extended WiFi-Net-Out
permit esp any 192.168.110.0 0.0.0.255
permit udp any eq domain 192.168.110.0 0.0.0.255
permit tcp any host 192.168.110.2 eq 22 telnet
permit icmp host 192.168.110.1 192.168.110.0 0.0.0.255
ip access-list extended remote_access
permit ip 192.168.40.0 0.0.0.255 any
permit ip 192.168.100.0 0.0.0.255 any
!
ip radius source-interface GigabitEthernet0/0.100
ip sla 10
icmp-echo aaa.aaa.aaa.225 source-ip aaa.aaa.aaa.226
timeout 2000
threshold 400
frequency 5
ip sla schedule 10 life forever start-time now
ip sla 11
icmp-echo 198.41.0.4 source-ip aaa.aaa.aaa.226
timeout 2000
threshold 400
frequency 5
ip sla schedule 11 life forever start-time now
ip sla 20
icmp-echo bbb.bbb.bbb.17 source-ip bbb.bbb.bbb.18
timeout 2000
threshold 400
frequency 5
ip sla schedule 20 life forever start-time now
ip sla 21
icmp-echo 198.41.0.4 source-ip bbb.bbb.bbb.18
timeout 2000
threshold 400
frequency 5
ip sla schedule 21 life forever start-time now
logging origin-id hostname
logging server-arp
logging 192.168.100.241
snmp-server community public RO SNMP_ACCESS
snmp-server ifindex persist
snmp-server location bla-bla_main
snmp-server contact admin@bla-bla.ru
snmp-server chassis-id c2821
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps xgcp
snmp-server enable traps flash insertion removal
snmp-server enable traps ds3
snmp-server enable traps envmon
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps bgp
snmp-server enable traps bstun
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps dial
snmp-server enable traps dlsw
snmp-server enable traps dsp card-status
snmp-server enable traps dsp oper-state
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmobile
snmp-server enable traps ipmulticast
snmp-server enable traps mpls ldp
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls vpn
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps stun
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vsimaster
snmp-server enable traps vtp
snmp-server enable traps pw vc
snmp-server enable traps director server-up server-down
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps rf
snmp-server enable traps ccme
snmp-server enable traps srst
snmp-server enable traps voice
snmp-server enable traps dnis
snmp-server host 192.168.100.241 public
!
!
!
route-map For-NAT-1 permit 1
match ip address For-NAT-1
match interface Vlan50
!
route-map For-NAT-2 permit 1
match ip address For-NAT-2
match interface Vlan50
!
route-map For-Reserve-NAT-1 permit 1
match ip address For-NAT-1
match interface Vlan60
!
route-map For-Reserve-NAT-2 permit 1
match ip address For-NAT-2
match interface Vlan60
!
!
!
radius-server attribute 44 include-in-access-req
radius-server attribute 44 extend-with-addr
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute nas-port format d
radius-server dead-criteria time 5 tries 3
radius-server configure-nas
radius-server host 192.168.100.242 auth-port 1812 acct-port 1813 key XXXXXXXXXXXXXX
radius-server deadtime 5
!
control-plane
!
call fallback active
!
!
voice-port 0/0/0:15
translation-profile incoming world-to-me
input gain 4
local-alerting
cptone RU
timeouts interdigit 20
timeouts call-disconnect 3
timeouts wait-release 10
!
voice-port 0/2/0
trunk-group CO
translation-profile incoming world-to-me
supervisory disconnect dualtone mid-call
output attenuation 0
cptone RU
timeouts call-disconnect 1
timeouts ringing 20
timeouts wait-release 1
timing hookflash-out 300
connection plar opx YYYYYYY
station-id name CO-0
caller-id enable
!
voice-port 0/2/1
trunk-group CO
translation-profile incoming world-to-me
supervisory disconnect dualtone mid-call
output attenuation 0
cptone RU
timeouts call-disconnect 1
timeouts ringing 20
timeouts wait-release 1
timing hookflash-out 300
connection plar opx YYYYYYY
station-id name CO-1
caller-id enable
!
!
!
sccp local GigabitEthernet0/0.30
sccp ccm 192.168.30.2 identifier 1 priority 1
sccp
!
sccp ccm group 1
bind interface GigabitEthernet0/0.30
associate ccm 1 priority 1
associate profile 1 register IOSconfBR
associate profile 2 register IOStranscoder
!
dspfarm profile 2 transcode
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
codec g729br8
codec g729r8
associate application SCCP
shutdown
!
dspfarm profile 1 conference
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
codec g729r8
codec g729br8
associate application SCCP
shutdown
!
dial-peer cor custom
name IVR
name LOCAL
!
!
dial-peer cor list IVRCalls
member IVR
!
dial-peer cor list LOCALCalls
member LOCAL
!
!
dial-peer voice 2000 voip
description CCM1
destination-pattern 2...
voice-class codec 15
session protocol sipv2
session target ipv4:192.168.30.2:5060
dtmf-relay rtp-nte
no vad
!
dial-peer voice 9020 pots
trunkgroup CO
corlist outgoing LOCALCalls
preference 2
destination-pattern 9T
!
dial-peer voice 9000 pots
corlist outgoing LOCALCalls
preference 1
destination-pattern 9T
port 0/0/0:15
!
dial-peer voice 4020 pots
corlist incoming IVRCalls
service ivrtest
incoming called-number YYYYYYY
port 0/2/0
!
dial-peer voice 4021 pots
corlist incoming IVRCalls
service ivrtest
incoming called-number YYYYYYY
port 0/2/1
!
dial-peer voice 4000 pots
corlist incoming IVRCalls
service ivrtest
incoming called-number YYYYYYY
port 0/0/0:15
!
!
!
!
call-manager-fallback
max-conferences 8 gain -6
transfer-system full-consult
user-locale RU
limit-dn 7910 2
limit-dn 7935 2
limit-dn 7940 2
limit-dn 7960 2
limit-dn 7970 2
ip source-address 192.168.30.1 port 2000
max-ephones 50
max-dn 100 dual-line preference 1
transfer-pattern 2...
!
banner login ^C
-----------------------------------------------------------------------
bla-bla-bla Corporate router. No unautorized access allowed.
-----------------------------------------------------------------------
^C
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
absolute-timeout 1440
transport input ssh
line vty 5 15
access-class VTY_ACCESS in
exec-timeout 120 0
privilege level 15
absolute-timeout 1440
transport input telnet
!
scheduler allocate 20000 1000
ntp clock-period 17180159
ntp master
ntp server 213.41.245.21
ntp server 216.58.31.84
ntp server 216.52.237.153
!
end