
Revision Config

Posted: Thu 15 Mar 2012, 10:11 am
by anubisg1
Hi guys,

I'd like to submit this config to you for review. I'm fairly happy with it, but there's always room for improvement. What would you change? Many things, such as BGP and IPv6, are there to learn and experiment with, so if you have ideas about what else I could add, even just as a trial, I'd be grateful.

Code:

Current configuration : 12510 bytes
!
! Last configuration change at 19:22:38 ROME Wed Mar 14 2012 by anubisg1
! NVRAM config last updated at 19:25:02 ROME Wed Mar 14 2012 by anubisg1
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Gateway
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
no logging console
!
aaa new-model
!
!
aaa authentication login default group radius local enable
aaa authorization exec default group radius if-authenticated 
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop group radius
!
!
!
!
!
aaa session-id common
!         
clock timezone ROME 1 0
clock summer-time ROME recurring last Sun Mar 2:00 last Sun Oct 2:00
no dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool HOUSE
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1 
   dns-server 8.8.8.8 8.8.4.4 
!
!
ip cef
no ip bootp server
ip domain name anubisg1.local
ip host R2 10.1.1.2
ip host R3 10.1.1.6
ip host R4 10.1.1.10
ip host DSW1 10.1.4.6
ip host DSW2 10.1.4.10
ip host R1 10.1.1.1
ip host WEB 209.65.200.226
ip name-server 2620:0:CCC::2
ip name-server 2620:0:CCD::2
ip ddns update method FQDN
 HTTP
  add http://USERNAME:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
  remove http://USERNAME:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
!
ip ddns update method Hurricane
 HTTP
  add https://USERNAME:[email protected]/ipv4_end.php?tid=135978
 interval maximum 0 1 0 0
!
login block-for 240 attempts 4 within 120
ipv6 host qsibrd 2001:470:XXXX:XXX::2
ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool IP6POOL
 dns-server 2620:0:CCC::2
 dns-server 2620:0:CCD::2
!
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint tunnelbroker
 enrollment terminal pem
 revocation-check none
!
!
crypto pki certificate chain tunnelbroker
 certificate ca 01
  308202E7 30820250 02010130 0D06092A 864886F7 0D010105 05003081 BB312430 
  22060355 0407131B 56616C69 43657274 2056616C 69646174 696F6E20 4E657477 
  6F726B31 17301506 0355040A 130E5661 6C694365 72742C20 496E632E 31353033 
  06035504 0B132C56 616C6943 65727420 436C6173 73203220 506F6C69 63792056 
  616C6964 6174696F 6E204175 74686F72 69747931 21301F06 03550403 13186874 
  74703A2F 2F777777 2E76616C 69636572 742E636F 6D2F3120 301E0609 2A864886 
  F70D0109 01161169 6E666F40 76616C69 63657274 2E636F6D 301E170D 39393036 
  32363030 31393534 5A170D31 39303632 36303031 3935345A 3081BB31 24302206 
  03550407 131B5661 6C694365 72742056 616C6964 6174696F 6E204E65 74776F72 
  6B311730 15060355 040A130E 56616C69 43657274 2C20496E 632E3135 30330603 
  55040B13 2C56616C 69436572 7420436C 61737320 3220506F 6C696379 2056616C 
  69646174 696F6E20 41757468 6F726974 79312130 1F060355 04031318 68747470 
  3A2F2F77 77772E76 616C6963 6572742E 636F6D2F 3120301E 06092A86 4886F70D 
  01090116 11696E66 6F407661 6C696365 72742E63 6F6D3081 9F300D06 092A8648 
  86F70D01 01010500 03818D00 30818902 818100CE 3A71CAE5 ABC85992 55D7ABD8 
  740EF9EE D9F65547 5965470E 0555DCEB 98363C5C 535DD330 CF38ECBD 4189ED25 
  4209246B 0A5EB37C DD522D4C E6D4D67D 5A59A965 D449132D 244D1C50 6FB5C185 
  543BFE71 E4D35C42 F980E091 1A0A5B39 3667F33F 557C1B3F B45F6473 34E3B412 
  BF8764F8 DA12FF37 27C1B343 BBEF7B6E 2E69F702 03010001 300D0609 2A864886 
  F70D0101 05050003 8181003B 7F506F6F 50949949 6238381F 4BF8A5C8 3EA78281 
  F62BC7E8 C5CEE83A 1082CB18 008E4DBD A8587FA1 7900B5BB E98DAF41 D90F34EE 
  218119A0 324928F4 C48E56D5 5233FD50 D57E996C 03E4C94C FCCB6CAB 66B34A21 
  8CE5B50C 323E10B2 CC6CA1DC 9A984C02 5BF3CEB9 9EA5720E 4AB73F3C E61668F8 
  BEED744C BC5BD562 1F43DD
  	quit
!
!
license udi pid CISCO1841 sn FCZ09403CAV
archive
 log config
  hidekeys
username admin privilege 15 secret 5 $1$9i2Z$XBAxP/bv8EiPbm/EF8Gd91
!
redundancy
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh version 2
! 
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key SHARED-PASSWORD-FOR-CRYPTO address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set MINE esp-3des 
!
crypto ipsec profile DMVPN
 set transform-set MINE 
!
!
!
!
!
!
interface Tunnel0
 description IPv6 uplink to Hurricane
 bandwidth 20000
 no ip address
 ip flow ingress
 ip flow egress
 ipv6 address 2001:470:XXXX:XXX::2/64
 ipv6 enable
 ipv6 mtu 1280
 ipv6 virtual-reassembly in
 tunnel source FastEthernet0/0
 tunnel mode ipv6ip
 tunnel destination 216.66.80.26
!
interface Tunnel1
 description VPN to Brindisi
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip flow ingress
 ip flow egress
 ip nhrp authentication PASSWORD-FOR-NHRP
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 100
 ip nhrp registration timeout 40
 keepalive 5 2
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN
!         
interface FastEthernet0/0
 description Connected to cable modem
 bandwidth 20000
 ip ddns update hostname whatever.dyndns.org
 ip ddns update FQDN
 ip ddns update Hurricane
 ip address dhcp client-id FastEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 description Local LAN
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ipv6 address 2001:470:XXXX:XXX::/64 eui-64
 ipv6 nd other-config-flag
 ipv6 dhcp server IP6POOL rapid-commit
 no mop enabled
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0/0.12 point-to-point
 ip address 10.1.1.1 255.255.255.252
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip ospf 1 area 12
 ipv6 address 2026::12:1/122
 ipv6 ospf 6 area 12
 frame-relay interface-dlci 112   
!
interface Serial0/0/1
 ip address 209.65.200.225 255.255.255.252
!
router ospf 1
 router-id 10.1.1.1
 redistribute connected subnets route-map NO_WAN_OSPF
 redistribute bgp 65000 subnets
 default-information originate
!
router bgp 65000
 bgp router-id 10.1.1.1
 bgp log-neighbor-changes
 neighbor 2001:470:XXXX:XXX::2 remote-as 65200
 neighbor 2001:470:XXXX:XXX::2 description paolomat75 ciscoforums
 neighbor 2001:470:XXXX:XXX::2 ebgp-multihop 6
 neighbor 2001:470:XXXX:XXX::2 remote-as 65100
 neighbor 2001:470:XXXX:XXX::2 description Router in Brindisi
 neighbor 2001:470:XXXX:XXX::2 ebgp-multihop 6
 neighbor 95.82.xxx.xxx remote-as 44000
 neighbor 95.82.xxx.xxx description maarouf
 neighbor 95.82.xxx.xxx ebgp-multihop 11
 neighbor 172.16.1.2 remote-as 65100
 neighbor 172.16.1.2 description Router in Brindisi vpn tunnel
 neighbor 172.16.1.3 remote-as 65200
 neighbor 172.16.1.3 description paolomat75 ciscoforums          
 neighbor 209.65.200.226 remote-as 65002
 neighbor 209.65.200.226 description CCNP WAN
 !
 address-family ipv4
  network 172.16.1.0 mask 255.255.255.0
  redistribute ospf 1 match internal external 1 external 2  nssa-external 1 nssa-external 2
  no neighbor 2001:470:XXXX:XXX::2 activate
  no neighbor 2001:470:XXXX:XXX::2 activate
  neighbor 95.82.xxx.xxx activate
  neighbor 95.82.xxx.xxx soft-reconfiguration inbound
  neighbor 95.82.xxx.xxx route-map filter-lab out
  neighbor 172.16.1.2 activate
  neighbor 172.16.1.2 soft-reconfiguration inbound
  neighbor 172.16.1.2 route-map filter-lab out
  neighbor 172.16.1.3 activate
  neighbor 172.16.1.3 soft-reconfiguration inbound
  neighbor 172.16.1.3 route-map filter-lab out
  neighbor 209.65.200.226 activate
  neighbor 209.65.200.226 soft-reconfiguration inbound
  no auto-summary
 exit-address-family
 !
 address-family ipv6
  network 2001:470:XXXX:XXX::/64
  neighbor 2001:470:XXXX:XXX::2 activate
  neighbor 2001:470:XXXX:XXX::2 soft-reconfiguration inbound
  neighbor 2001:470:XXXX:XXX::2 activate
  neighbor 2001:470:XXXX:XXX::2 soft-reconfiguration inbound
 exit-address-family
!
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication aaa
no ip http secure-server
!
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 192.168.0.8 9996
ip flow-top-talkers
 top 40
 sort-by bytes
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.8 8080 interface FastEthernet0/0 8080
ip nat inside source static tcp 192.168.0.8 22 interface FastEthernet0/0 2202
ip route 95.82.xxx.xxx 255.255.255.255 78.102.64.1
!
!
ip sla 1
 icmp-echo 2A00:1450:8007::6A source-interface Tunnel0
 frequency 5
ip sla schedule 1 life forever start-time now
logging esm config
logging trap debugging
access-list 1 remark --- NAT Allowed ---
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 20 remark --- SNMP allow only server ---
access-list 20 permit 192.168.0.8
access-list 25 remark --- BGP filter my private stuff ---
access-list 25 permit 192.168.0.0
access-list 25 permit 172.16.1.0 0.0.0.255
access-list 25 permit 78.102.xx.0 0.0.3.255
access-list 30 remark --- OSPF do not send WAN subnet ---
access-list 30 permit 78.102.xx.0 0.0.3.255
access-list 100 remark --- telnet lan only ---
access-list 100 permit tcp 10.0.0.0 0.255.255.255 any eq telnet
access-list 100 permit tcp 192.168.0.0 0.0.0.255 any eq telnet
access-list 100 permit tcp any any eq 22
access-list 100 deny   tcp any any log
ipv6 route ::/0 Tunnel0
ipv6 router ospf 6
 router-id 10.1.1.1
!
!
!
!
!
route-map filter-lab deny 10
 match ip address 25
!
route-map filter-lab permit 20
!
route-map NO_WAN_OSPF deny 10
 match ip address 30
!
route-map NO_WAN_OSPF permit 20
!
snmp-server community brno RO 20
snmp-server ifindex persist
snmp-server trap-source FastEthernet0/1
snmp-server packetsize 1000
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps envmon
snmp-server enable traps flash insertion removal
snmp-server enable traps authenticate-fail
snmp-server enable traps bgp
snmp-server enable traps config
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps cpu threshold
snmp-server enable traps ipsla
snmp-server host 192.168.0.8 brno 
!
!
radius-server host 192.168.0.8 auth-port 1812 acct-port 1813 key 7 89576FEF8E787767FE
!
control-plane
!
!
banner motd ^C
                            _
      .::::::::::.        -(_)====u         .::::::::::.
    .::::''''''::::.                      .::::''''''::::.
  .:::'          `::::....          ....::::'          `:::.
 .::'             `:::::::|        |:::::::'             `::.
.::|               |::::::|_ ___ __|::::::|               |::.
`--'               |::::::|_()__()_|::::::|               `--'
 :::               |::-o::|        |::o-::|               :::
 `::.             .|::::::|        |::::::|.             .::'
  `:::.          .::\-----'        `-----/::.          .:::'
    `::::......::::'                      `::::......::::'
      `::::::::::'                          `::::::::::'

       Any access is logged, if Unauthorized it
        will be pursued by law. Leave now if
        you are not Authorized to access this
                     router
^C
!
line con 0
 password 7 89765346E3F6E3544356785RFR
 logging synchronous
line aux 0
line vty 0 4
 access-class 100 in
 exec-timeout 15 0
 password 7 89765346E3F6E3544356785RFR
 logging synchronous
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 93.62.184.77
end
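
Added example for the review requested above (editor's code, not part of anubisg1's post): a hardening pass over the settings that are visible in the config, namely the VTY lines and ACL 100 still accepting telnet, the HTTP server running with HTTPS disabled, the type-7 (reversible) line passwords that the AAA setup never consults, the ISAKMP policy and transform set using 3DES and MD5, and the SNMPv2c community. It assumes the same IOS 15.1 image shown in the post, that the `group 14` keyword is available in that image, and it uses placeholder names and passphrases for SNMPv3. The wildcard pre-shared key (`address 0.0.0.0 0.0.0.0`) is left as it is because the spoke's public address is not in the post; per-peer keys or certificates would be the next step there.

```cisco
! Added example, not from the original post: hardening changes for the
! settings visible in the configuration above. Assumes the same IOS 15.1
! image; the `group 14` keyword is assumed to be available in it.
!
! --- Management plane: SSH and HTTPS only ----------------------------------
ip http secure-server
no ip http server
!
! ACL 100 currently still permits telnet from the LAN; rebuild it for SSH only
no access-list 100
access-list 100 remark --- management: ssh from LAN only ---
access-list 100 permit tcp 10.0.0.0 0.255.255.255 any eq 22
access-list 100 permit tcp 192.168.0.0 0.0.0.255 any eq 22
access-list 100 deny   tcp any any log
!
! With aaa new-model in place, login goes through the default AAA list
! (radius, then local, then enable), so the line passwords are never used
line con 0
 no password
line vty 0 4
 no password
 access-class 100 in
 exec-timeout 15 0
 transport input ssh
!
! --- DMVPN crypto: AES/SHA instead of 3DES/MD5 ------------------------------
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
!
crypto ipsec transform-set MINE esp-aes 256 esp-sha-hmac
 mode transport
!
! --- SNMP: v3 with authentication and privacy instead of a v2c community ----
! 192.168.0.8 is the NMS host already used for flows and traps above;
! MONITOR, nms and the two passphrases are placeholders
no snmp-server community brno RO 20
no snmp-server host 192.168.0.8 brno
snmp-server group MONITOR v3 priv access 20
snmp-server user nms MONITOR v3 auth sha AUTH-PASSPHRASE priv aes 128 PRIV-PASSPHRASE
snmp-server host 192.168.0.8 version 3 priv nms
```

Apply the SSH-only change from an SSH session rather than a telnet one, and confirm the result with `show access-lists 100`, `show crypto isakmp policy` and `show snmp user` afterwards; the NMS on 192.168.0.8 has to be switched to SNMPv3 at the same time or it loses polling and traps.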

Re: Revision Config

Posted: Thu 15 Mar 2012, 3:36 pm
by ghira
Maybe I read too quickly, but I don't see either zone-based or CBAC here. I
still use CBAC, but it seems we'll have to move to ZBFW sooner or later.
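
Since ghira points out that the config has no stateful firewall at all, here is an added example (editor's code, not ghira's or anubisg1's) of a minimal zone-based firewall for this two-interface layout: FastEthernet0/1 as the INSIDE zone, FastEthernet0/0 as OUTSIDE, everything initiated from the LAN inspected, and from the Internet only the two services that the static NAT entries in the config already publish (TCP 8080 and SSH on 192.168.0.8). The zone, class-map, policy-map and ACL names are my own, and it requires an IOS image with the security feature set.

```cisco
! Added example, not from the thread: minimal IPv4 zone-based firewall for the
! router above. Assumes FastEthernet0/1 = LAN (inside) and
! FastEthernet0/0 = cable modem (outside). All names are placeholders.
!
! LAN -> Internet: inspect (stateful) anything the LAN initiates
class-map type inspect match-any INSIDE-TO-OUTSIDE-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect INSIDE-TO-OUTSIDE-PROTOCOLS
  inspect
 class class-default
  drop log
!
! Internet -> LAN: only the two existing static NAT forwards. The ACL is
! evaluated after NAT, so it matches the inside (private) address and the
! real service port, not the public port 2202.
ip access-list extended OUTSIDE-TO-INSIDE-ACL
 permit tcp any host 192.168.0.8 eq 8080
 permit tcp any host 192.168.0.8 eq 22
!
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE-ACL
!
policy-map type inspect OUTSIDE-TO-INSIDE
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE
!
interface FastEthernet0/1
 zone-member security INSIDE
interface FastEthernet0/0
 zone-member security OUTSIDE
```

Two caveats before applying it to the posted config. First, an interface that belongs to no zone cannot exchange traffic with a zoned interface, so Tunnel0, Tunnel1 (the DMVPN to Brindisi) and the serial links need zone membership of their own (for instance a VPN zone with its own zone pairs), otherwise LAN-to-Brindisi traffic stops; the router's own sessions (GRE/IPsec, BGP, SSH to the box) keep working because traffic to and from the self zone is allowed by default unless a self zone-pair is defined. Second, this covers IPv4 only: the LAN's 2001:470:XXXX:XXX::/64 is reachable through Tunnel0 with no filter anywhere in the config above and needs separate handling.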

Re: Revision Config

Posted: Thu 15 Mar 2012, 4:05 pm
by anubisg1
ghira wrote: Maybe I read too quickly, but I don't see either zone-based or CBAC here. I
still use CBAC, but it seems we'll have to move to ZBFW sooner or later.

You're seeing it right.. on the security side I'm practically at zero.. so far I've only done pure routing & switching... let's see about studying a bit :)

Re: Revision Config

Posted: Thu 15 Mar 2012, 9:44 pm
by paolomat75
ghira wrote: Maybe I read too quickly, but I don't see either zone-based or CBAC here. I
still use CBAC, but it seems we'll have to move to ZBFW sooner or later.
Honestly, from what I've seen ZBFW is very useful if you have fairly advanced configurations; on a classic small business ADSL setup I don't think it has any advantages over CBAC (or is it more performant?).

Unfortunately I've only tried it in simulation because I don't have any devices that support it. Any update on the subject is welcome.

Paolo

Re: Revision Config

Posted: Fri 16 Mar 2012, 6:26 am
by ghira
paolomat75 wrote: Honestly, from what I've seen ZBFW is very useful if you have fairly advanced configurations; on a classic small business ADSL setup I don't think it has any advantages over CBAC (or is it more performant?).

Unfortunately I've only tried it in simulation because I don't have any devices that support it. Any update on the subject is welcome.

Paolo
The latest Cisco Press books (for example the CCNP Security ones) mention
CBAC briefly, saying it's "legacy". So, even though with a router that only
has 2 interfaces I don't see all that much advantage in moving to ZBFW, it
seems that for Cisco the future is ZBFW only.

You can use ZBFW on an 877, if you want. You don't need a big router.

Re: Revision Config

Posted: Fri 16 Mar 2012, 9:24 am
by paolomat75
I only have a 1721 :-(.
P.S. I'm studying CCNP Security too. But that book is riddled with errors! :cry:

Bye
Paolo

Re: Revision Config

Posted: Fri 16 Mar 2012, 2:19 pm
by ghira
paolomat75 wrote: I only have a 1721 :-(.
I think you need to look for something more recent.

12.4T goes end-of-maintenance this year, and 12.4 already has.

Re: Revision Config

Posted: Fri 16 Mar 2012, 4:01 pm
by paolomat75
ghira wrote:
paolomat75 wrote: I only have a 1721 :-(.
I think you need to look for something more recent.

12.4T goes end-of-maintenance this year, and 12.4 already has.
I know, but for home it's more than fine at the moment. Anyway, sooner or later I'll have to upgrade ;-).

Bye

Re: Revision Config

Posted: Fri 16 Mar 2012, 4:39 pm
by ghira
paolomat75 wrote: I know, but for home it's more than fine at the moment. Anyway, sooner or later I'll have to upgrade ;-).

Bye
887VA!

Re: Revision Config

Posted: Fri 16 Mar 2012, 9:14 pm
by paolomat75
I was thinking of an 1841 :-D

Re: Revision Config

Posted: Sat 17 Mar 2012, 5:38 am
by ghira
paolomat75 wrote: I was thinking of an 1841 :-D
It's much better than a 1720, yes, but you can't put 15.2 on an 1841. Maybe
_today_ that doesn't matter to you, but in six months or a year?

Re: Revision Config

Posted: Sat 17 Mar 2012, 10:04 am
by paolomat75
I'll think about it ;-). In fact, by now the Cisco books are starting to cover things from the 15.X series

Have a good day

Re: Revision Config

Posted: Sat 17 Mar 2012, 11:17 am
by ghira
paolomat75 wrote: I'll think about it ;-). In fact, by now the Cisco books are starting to cover things from the 15.X series

Have a good day
And besides, the 1841 still has the ST ADSL chipset. The 887 was replaced by
the 887VA for a reason...

You'd be better off looking for a router with the Broadcom chipset, from what I hear.