otus-networks/final/configs/LP-R1 at master · mbfx/otus-networks · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
conf t

 hostname "LP-R1"

 ipv6 unicast-routing

 interface Loopback64500
  description "loopback"
  ip address 10.0.2.1 255.255.255.255
  ip ospf authentication message-digest
  ip ospf message-digest-key 100 md5 ospfpassarea0
  ipv6 enable
  ipv6 address FD00:CCFF:200B::1/128
  ipv6 address FE80::1 link-local
  ipv6 ospf authentication ipsec spi 500 md5 1234567890abcdef1234567890abcdef
  ipv6 ospf 64500 area 0
  no shutdown
  exit

 interface Ethernet0/0
  description "to PG-R1"
  ip address 99.99.148.1 255.255.255.254
  ipv6 enable
  ipv6 address FE80::2 link-local
  ipv6 address 20FF:CCFF:FFFF:3::1/127
  no shutdown
  exit

 interface Ethernet0/1
  description "to LP-R3"
  ip address 35.11.1.1 255.255.255.0
  ip ospf authentication message-digest
  ip ospf message-digest-key 100 md5 ospfpassarea0
  ip ospf dead-interval minimal hello-multiplier 5
  ipv6 enable
  ipv6 address FE80::1 link-local
  ipv6 address 20FF:CCFF:200B:A2::1/64
  ipv6 ospf authentication ipsec spi 501 md5 1234567890abcdef1234567890abcdef
  ipv6 ospf hello-interval 1
  ipv6 ospf dead-interval 4
  ipv6 ospf 64500 area 0
  no shutdown
  exit

 interface Ethernet0/2
  description "to LP-R2"
  ip address 35.11.0.1 255.255.255.0
  ip ospf authentication message-digest
  ip ospf message-digest-key 100 md5 ospfpassarea0
  ip ospf dead-interval minimal hello-multiplier 5
  ipv6 enable
  ipv6 address FE80::1 link-local
  ipv6 address 20FF:CCFF:200B:A1::1/64
  ipv6 ospf authentication ipsec spi 502 md5 1234567890abcdef1234567890abcdef
  ipv6 ospf hello-interval 1
  ipv6 ospf dead-interval 4
  ipv6 ospf 64500 area 0
  no shutdown
  exit

 interface Ethernet0/3
  description "not used"
  no ip address
  shutdown
  exit

 ip route 0.0.0.0 0.0.0.0 99.99.148.0 30 name "to ISP"
 ipv6 route ::/0 20FF:CCFF:FFFF:3::0 30 name "to ISP"

 ip route 172.31.254.0 255.255.255.254 172.31.255.1 1 name "to GRE tunnel networks through DMVPN"
 ipv6 route FD00:CCFF:3001::/127 FE00:CCFF:3000::1 1 name "to GRE tunnel networks through DMVPN"

 ip route 35.10.0.0 255.255.0.0 172.31.255.1 1 name "to ZL-R1 through DMVPN"
 ip route 50.50.96.0 255.255.248.0 172.31.255.1 1 name "to DP-R1 through DMVPN"
 ip route 50.50.104.0 255.255.254.0 172.31.255.1 1 name "to OV-R1 through DMVPN"

 ipv6 route 20FF:CCFF:200A::/48 FE00:CCFF:3000::1 1 name "to ZL-R1 through DMVPN"
 ipv6 route 20FF:CCFF:200C::/48 FE00:CCFF:3000::1 1 name "to DP-R1 through DMVPN"
 ipv6 route 20FF:CCFF:200D::/48 FE00:CCFF:3000::1 1 name "to OV-R1 through DMVPN"

 interface Tunnel0
  description "DMVPN spoke to ZL-R1 hub"
  ip address 172.31.255.2 255.255.255.0
  ip nhrp map 172.31.255.1 99.99.144.1
  ip nhrp map multicast 99.99.144.1
  ip nhrp network-id 1
  ip nhrp nhs 172.31.255.1
  ip nhrp authentication dmvpnpas
  ip nhrp registration timeout 4
  ip nhrp shortcut
  ip nhrp redirect
  ip ospf authentication message-digest
  ip ospf message-digest-key 101 md5 ospfpassarea0dmvpn
  ip ospf network non-broadcast
  ip ospf priority 0
  ip ospf hello-interval 20
  ip ospf dead-interval 60
  tunnel source e0/0
  tunnel mode gre multipoint
  ipv6 address FE80::2 link-local
  ipv6 address FD00:CCFF:3000::2/48
  ipv6 enable
  ipv6 nhrp map FD00:CCFF:3000::1/48 99.99.144.1
  ipv6 nhrp map multicast 99.99.144.1
  ipv6 nhrp network-id 1
  ipv6 nhrp nhs FD00:CCFF:3000::1
  ipv6 nhrp authentication dmvpnpas
  ipv6 nhrp registration timeout 4
  ipv6 nhrp shortcut
  ipv6 nhrp redirect
  ipv6 ospf hello-interval 20
  ipv6 ospf dead-interval 60
  ipv6 ospf 64500 area 0
  ipv6 ospf priority 0
  ipv6 ospf network non-broadcast
  ipv6 ospf neighbor FE80::1
  exit

 router ospf 64500
  router-id 10.0.2.1
  auto-cost reference-bandwidth 1000
  area 0 authentication message-digest
  passive-interface Ethernet0/0
  passive-interface Ethernet0/3
  network 35.11.0.0 0.0.0.255 area 0
  network 35.11.1.0 0.0.0.255 area 0
  network 172.31.255.0 0.0.0.255 area 0
  network 10.0.2.1 0.0.0.0 area 0
  neighbor 172.31.255.1
  exit

 ipv6 router ospf 64500
  router-id 6.0.2.1
  auto-cost reference-bandwidth 1000
  passive-interface Ethernet0/0
  passive-interface Ethernet0/3
  exit
 exit

 ip prefix-list ONLY_DEFAULT_FROM_ISP seq 5 permit 0.0.0.0/0
 ip prefix-list ONLY_DEFAULT_FROM_ISP seq 100 deny 0.0.0.0/0 le 32

 ipv6 prefix-list ONLY_DEFAULT_FROM_ISP seq 5 permit ::/0
 ipv6 prefix-list ONLY_DEFAULT_FROM_ISP seq 100 deny ::/0 le 128

 router bgp 64500
  bgp router-id 99.99.148.1
  neighbor 99.99.148.0 remote-as 64511
  neighbor 20FF:CCFF:FFFF:3::0 remote-as 64511

  address-family ipv4
   neighbor 99.99.148.0 activate
   neighbor 99.99.148.0 prefix-list ONLY_DEFAULT_FROM_ISP in
   no neighbor 20FF:CCFF:FFFF:3::0 activate
   network 35.11.0.0 mask 255.255.255.0
   network 35.11.1.0 mask 255.255.255.0
   network 35.11.2.0 mask 255.255.255.0
   aggregate-address 35.11.0.0 255.255.252.0 summary-only
   exit-address-family

  address-family ipv6
   neighbor 20FF:CCFF:FFFF:3::0 activate
   neighbor 20FF:CCFF:FFFF:3::0 prefix-list ONLY_DEFAULT_FROM_ISP in
   network 20FF:CCFF:200B:A1::/64
   network 20FF:CCFF:200B:A2::/64
   network 20FF:CCFF:200B:A3::/64
   aggregate-address 20FF:CCFF:200B::/48 summary-only
   exit-address-family
  exit
 exit

 ip access-list standard 1
  remark "permit to NTP server access"
  10 permit 99.99.148.0 0.0.0.0
  500 deny any
  exit
 ntp access-group ipv4 peer 1

 ipv6 access-list NTPSERVER_IPV6_ACL
  remark "permit to NTP server access"
  permit ipv6 host 20FF:CCFF:FFFF:3:: any sequence 10
  deny ipv6 any any sequence 500
  exit
 ntp access-group ipv6 peer NTPSERVER_IPV6_ACL

 ntp authenticate
 ntp authentication-key 1 md5 ntpkey
 ntp trusted-key 1
 ntp update-calendar
 ntp server 99.99.148.0 prefer key 1
 ntp server 20FF:CCFF:FFFF:3:: prefer key 1

 ip access-list standard 2
  remark "permit to NTP local server"
  10 permit 35.11.0.0 0.0.3.255
  500 deny any
  exit
 ntp access-group ipv4 serve-only 2

 ipv6 access-list NTPSERVER_LAN_IPV6_ACL
  remark "permit to NTP server access"
  permit ipv6 20FF:CCFF:200B::/48 host 20FF:CCFF:200B:A1::1 sequence 10
  permit ipv6 20FF:CCFF:200B::/48 host 20FF:CCFF:200B:A2::1 sequence 20
  deny ipv6 any any sequence 500
  exit
 ntp access-group ipv6 serve-only NTPSERVER_LAN_IPV6_ACL
 clock timezone UTC 2
 ntp master 3

 ip dns server
 ip domain-lookup
 ip name-server 99.99.138.1 99.99.136.1 99.99.130.2 20FF:CCFF:FFFF:1::1 20FF:CCFF:FFFF:2::1 20FF:CCFD:FFFF:2::1
 ip domain name lp.com
 ip dns primary lp.com soa ns.lp.com admin@lp.com
 ip host lp.com ns ns.lp.com
 ip host ns.lp.com 35.11.0.1 35.11.1.1 20FF:CCFF:200B:A1::1 20FF:CCFF:200B:A2::1

 ip dhcp excluded-address 0.0.0.0 35.11.0.3
 ip dhcp excluded-address 35.11.0.254 35.11.1.2
 ip dhcp excluded-address 35.11.1.254 255.255.255.255

 service dhcp

 ip dhcp pool DHCP_POOL_1
  network 35.11.0.0 255.255.255.0
  default-router 35.11.0.1 35.11.0.2
  domain-name lp.com
  dns-server 35.11.0.1 35.11.1.1
  lease 8
  exit

 ip dhcp pool DHCP_POOL_2
  network 35.11.1.0 255.255.255.0
  default-router 35.11.1.1 35.11.1.2
  domain-name lp.com
  dns-server 35.11.1.1 35.11.0.1
  lease 8
  exit

 ipv6 dhcp pool DHCP_POOL_IPV6_1
  address prefix 20FF:CCFF:200B:A1::/64 lifetime 2073600 691200
  domain-name dp.com
  dns-server 20FF:CCFF:200B:A1::1
  exit

 ipv6 dhcp pool DHCP_POOL_IPV6_2
  address prefix 20FF:CCFF:200B:A2::/64 lifetime 2073600 691200
  domain-name dp.com
  dns-server 20FF:CCFF:200B:A2::1
  exit

 interface Ethernet0/2
  ipv6 dhcp server DHCP_POOL_IPV6_1
  ipv6 nd managed-config-flag
  exit

 interface Ethernet0/1
  ipv6 dhcp server DHCP_POOL_IPV6_2
  ipv6 nd managed-config-flag
  exit

 ip domain-name lp.com

 crypto key generate rsa label LPR1IPSECVPN modulus 2048

 crypto pki trustpoint DPR1TRP
  enrollment url http://172.31.254.1
  subject-name CN=LP-R1,OU=LP,O=lp,O=com,C=ru
  revocation-check none
  rsakeypair LPR1IPSECVPN
  exit

 crypto pki authenticate DPR1TRP
 crypto pki enroll DPR1TRP
! NOTE - NEED ENTER challenge NO SN NO IP
! ON DP-R1 - do crypto pki server DPR1PKISERVER grant all

 crypto isakmp policy 1
  authentication rsa-sig
  exit

 crypto ipsec transform-set IPSEC_TRANSF_SET_1 esp-aes esp-sha-hmac
  mode tunnel
  exit
 crypto ipsec profile IPSEC_PROFILE_1
  set transform-set IPSEC_TRANSF_SET_1
  set pfs group1
  exit

 interface Tunnel0
  tunnel protection ipsec profile IPSEC_PROFILE_1
  exit

 crypto key generate rsa usage-keys label SSH modulus 2048
 service password-encryption
 password encryption aes
 password logging

 aaa new-model
 aaa authentication login default local
 aaa authorization console
 aaa authorization exec default local

 username admin privilege 15 algorithm-type scrypt secret adminpassword
 username support privilege 1 algorithm-type scrypt secret supppass
 enable algorithm-type scrypt secret level 15 adminpassword
 enable algorithm-type scrypt secret level 1 supportassword
 enable algorithm-type scrypt secret level 2 editdesc
 privilege exec level 2 configure terminal
 privilege configure level 2 interface
 privilege interface level 2 description

 line vty 0 4
  transport input ssh
  login authentication default
  logging synchronous
  exit
 line console 0
  logging synchronous
  exit
 logging on
 logging console 3
 logging buffered 3
 logging buffered 32000
 logging trap 6
 logging facility local1
 logging host 35.11.0.3
 logging host ipv6 20FF:CCFE:200B:A1::3