Wednesday, October 19, 2011

Typical configuration for a branch-side router with one leased line and an ISDN backup connection (MSR 20-11 configuration for a branch router)

MSR 20-11 configuration for the branch router (output of display current-configuration, with notes)

[anoopp3com@gmail.com] dis cu
#
 version 5.20, Release 2104P02
#
 sysname cb0659
#
 clock timezone 1 add 17:18:40
#
 super password level 3 simple cisco         ----- level-3 (admin) password stored in clear text; use cipher instead of simple so it is not shown in the running config
#
 firewall enable
#
 domain default enable system
#
 telnet server enable                ----- Telnet service (clear text; prefer ssh server enable with protocol inbound ssh on the VTY lines)
#
 ip ttl-expires enable
 ip unreachables enable
#
 ip count enable         -------- ip accounting
 ip count interior-threshold 1000
 ip count exterior-threshold 200
 ip count timeout 1440
 ip count rule 172.16.0.0 255.255.0.0
 ip count rule 172.17.0.0 255.255.255.0
 ip count rule 10.0.0.0 255.0.0.0
#
 standby routing-rule 100 ip 202.177.132.2 255.255.255.255
#
 dar p2p signature-file flash:/p2p_default.mtd
#
 qos pql 1 queue top queue-length 50            -----------------qos
 qos pql 1 queue bottom queue-length 100
 qos pql 1 protocol ip acl 3010 queue top
 qos pql 1 protocol ip acl 3011 queue bottom
#
 port-security enable
#
acl number 3001                   ----- ACL configuration
 rule 0 permit ip source 172.17.0.134 0
 rule 1 permit ip source 172.16.187.198 0
 rule 2 permit ip source 172.16.69.198 0
 rule 3 permit ip source 172.16.172.7 0
 rule 4 permit ip source 172.16.108.6 0
 rule 5 permit ip source 172.16.28.6 0
 rule 6 permit ip source 172.16.220.6 0
 rule 7 permit ip source 172.16.92.17 0
 rule 8 permit ip source 172.17.131.118 0
 rule 9 permit ip source 172.16.188.6 0
 rule 10 permit ip source 172.16.124.6 0
 rule 11 permit ip source 172.16.204.6 0
 rule 59 permit tcp source-port eq 139
 rule 60 permit tcp source-port eq 522
 rule 61 permit udp source-port eq 522
 rule 62 permit ip source 172.16.8.91 0
 rule 63 permit ip source 172.16.8.92 0
 rule 64 permit ip source 172.16.8.93 0
 rule 65 permit ip source 172.16.8.94 0
 rule 67 permit ip source 172.16.8.95 0
 rule 69 permit ip source 10.10.25.136 0
 rule 70 permit ip source 172.16.39.170 0
 rule 71 permit ip source 10.21.1.45 0
 rule 72 permit ip source 10.35.1.45 0
 rule 73 permit ip source 10.35.1.43 0
 rule 74 permit ip source 10.35.1.143 0
 rule 75 permit ip source 10.42.1.59 0
 rule 76 permit ip source 10.21.1.38 0
 rule 77 permit ip source 10.24.1.45 0
 rule 78 permit ip source 10.28.1.45 0
 rule 79 permit ip source 10.29.1.45 0
 rule 80 permit ip source 10.24.1.38 0
 rule 81 permit ip source 172.16.44.100 0
 rule 82 permit ip source 172.16.44.240 0
 rule 83 permit ip source 172.16.58.188 0
 rule 84 permit ip source 172.16.39.69 0
 rule 85 permit ip source 172.16.39.136 0
 rule 86 permit ip source 172.16.58.155 0
 rule 87 permit ip source 10.0.67.177 0
 rule 88 permit tcp source-port eq 48100
 rule 89 permit udp source-port eq 48100
 rule 90 permit tcp source-port eq 48009
 rule 91 permit udp source-port eq 48009
 rule 92 permit tcp source-port eq 135
 rule 100 permit icmp
 rule 101 permit tcp source-port eq 161
 rule 102 permit udp source-port eq snmp
 rule 103 permit ip source 10.10.3.0 0.0.0.255
 rule 104 permit ip source 172.16.39.128 0.0.0.63
acl number 3002
 rule 1 permit ip source 172.16.241.1 0
 rule 2 permit ip source 172.16.0.0 0.0.0.255
acl number 3010
 description for PQ_in dialer2 interface
 rule 0 permit ip source 172.16.241.1 0
 rule 1 permit ip source 172.16.0.0 0.0.255.255
acl number 3011
 rule 51 permit tcp source-port eq smtp
 rule 52 permit udp source-port eq netbios-ssn
 rule 53 permit udp source-port eq netbios-ns
 rule 54 permit udp source-port range 666 765
 rule 55 permit tcp source-port eq 707
 rule 56 permit tcp source-port eq 69
 rule 57 permit tcp source-port eq 593
 rule 58 permit tcp source-port eq 445
 rule 59 permit tcp source-port eq 139
 rule 60 permit tcp source-port eq 522
 rule 61 permit udp source-port eq 522
acl number 3100
 rule 0 deny ospf
 rule 5 deny udp
 rule 10 deny ip
acl number 3199
 rule 0 deny ospf
 rule 5 deny udp
 rule 10 permit ip
#
vlan 1
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
user-group system
#
local-user admin                    ----- local user on the router (password stored in clear text; use cipher)
 password simple cisco
 authorization-attribute level 3     ----- level 3 is the highest privilege level on HP/H3C Comware (the equivalent of level 15 on Cisco IOS)
 service-type telnet
local-user bangalore-2
 password simple cisco
 service-type ppp
#
cwmp
 undo cwmp enable
#
interface Aux0
 async mode flow
 link-protocol ppp
#
interface Cellular0/0
 async mode protocol
 link-protocol ppp
#
interface Bri1/0
 description ### Connected to bangalore DC2 Name ###
 link-protocol ppp
 ppp authentication-mode chap
 dialer enable-circular
 dialer-group 1
 dialer circular-group 2
#
interface Dialer2        ----- ISDN dialer interface
 link-protocol ppp
 ppp authentication-mode chap
 ppp chap user xxxxx
 ppp chap password simple cisco
 ip address 12.16.1.1 255.255.255.252
 dialer enable-circular
 dialer-group 1
 dialer timer idle 180
 dialer route ip 72.16.13.10 user cbbb broadcast 0800999999
 qos pq pql 1   ----- applies priority queue list 1 (QoS) to the ISDN link
#
interface Ethernet0/0
 port link-mode route
 firewall packet-filter 3001 inbound              ----- ACL 3001 applied as a packet filter in both directions
 firewall packet-filter 3001 outbound             ----- note: ACL 3001 contains only permit rules and there is no firewall default deny in this config; on Comware 5 packets that match no rule are permitted by default, so verify this filter actually blocks anything
 ip address 172.16.9.65 255.255.255.192
 ip count inbound-packets
 ip count outbound-packets
 ip netstream inbound
 ip netstream outbound
#
interface Serial0/0
 link-protocol ppp
 ip address 192.168.186.177 255.255.255.252
#
interface NULL0
#
interface LoopBack0
 ip address 172.16.14.40 255.255.255.255
#
interface LoopBack1
 ip address 192.168.251.144 255.255.255.255
#
interface LoopBack2
 ip address 202.177.132.27 255.255.255.255
#
interface LoopBack500
 ip address 10.161.3.45 255.255.255.255
#
interface Ethernet0/1
 port link-mode bridge
#
interface Ethernet0/2
 port link-mode bridge
#
interface Ethernet0/3
 port link-mode bridge
#
interface Ethernet0/4
 port link-mode bridge
#
ospf 1     ----- OSPF configuration; on HP/H3C Comware, OSPF routes have a default route preference of 10 (the equivalent of Cisco's administrative distance)
 import-route static
 area 0.0.0.1
  network 10.161.0.0 0.0.31.255
  network 172.16.9.64 0.0.0.63
  network 172.16.14.40 0.0.0.0
  network 192.168.251.144 0.0.0.0
  network 202.177.132.27 0.0.0.0
  network 172.16.13.148 0.0.0.3
  stub
#
 ip route-static 0.0.0.0 0.0.0.0 Serial0/0 preference 1 description MPLS_LINK
 ip route-static 0.0.0.0 0.0.0.0 Dialer2 preference 200

(Static routes have a default preference of 60 on HP/H3C Comware. Here the MPLS default route is pinned to preference 1 and the ISDN route to 200, so the Dialer2 route only enters the routing table when the Serial0/0 route is withdrawn, which makes the ISDN link a floating backup.)
#
 snmp-agent
 snmp-agent local-engineid 800063A2033CE5A6CF4ECD
 snmp-agent community write cb@@@@@
 snmp-agent community read cb@@@@@
 snmp-agent sys-info version all
 snmp-agent target-host trap address udp-domain 2.16.7.2 params securityname cb@@@@
 snmp-agent target-host trap address udp-domain 2.1.5.4 params securityname cb@@@@@
 snmp-agent target-host trap address udp-domain 2.17.1.37 params securityname cb@@@@@
 snmp-agent trap source LoopBack500

(The community strings are masked here. version all enables SNMPv1, v2c and v3; with a v1/v2c write community the string alone grants configuration access and is sent in clear text, so restrict the community with an ACL or move management to SNMPv3 users.)
#
 ntp-service source-interface LoopBack500
 ntp-service unicast-server 12.16.22.41
#
 dialer-rule 1 acl 3100         ----- dialer-group 1 (used on Bri1/0 and Dialer2): ACL 3100 denies all IP, so no traffic qualifies as interesting under this rule; check that this is intended
 dialer-rule 2 acl 3199         ----- dialer-group 2: any IP traffic except OSPF and UDP can trigger a call
#
 load xml-configuration
#
 load tr069-configuration
#
user-interface tty 12
user-interface aux 0
user-interface vty 0 4
 acl 3002 inbound                   ----- Telnet access only from 172.16.241.1 and 172.16.0.0/24 (ACL 3002)
 authentication-mode scheme         ----- log in with the local-user accounts above; the password set below applies only to authentication-mode password
 user privilege level 3
 set authentication password simple cisco
#
return
[anoopp3com@gmail.com]
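The checks noted against the config above (an all-permit packet-filter ACL with the default firewall action, a dialer-rule ACL that permits nothing, clear-text passwords, Telnet and SNMP write communities) are easy to get wrong by eye on a long dump. The script below is an added example, not tooling from the page or from HP/H3C: it runs over a constructed excerpt of the configuration shown here, parses the 3000-series ACL rules, evaluates them the way the packet filter does (first matching rule in rule-number order wins, and the firewall default action is assumed to be permit unless firewall default deny is present, which is the Comware 5 default) and lists the findings. The function names, the Packet/Rule shapes and the constructed excerpt are mine; the secrets are as masked on the page.

```python
"""Audit of the Comware 5 branch-router config above (added example, not the
page's own tooling): parses a constructed excerpt of the display
current-configuration output, evaluates ACLs as the packet filter would, and
lists the weak settings a reviewer would flag."""
import re
from collections import namedtuple
from ipaddress import IPv4Address, IPv4Network

# Constructed excerpt of the page's configuration (secrets exactly as masked on the page).
CONFIG = """\
 super password level 3 simple cisco
 telnet server enable
acl number 3001
 rule 0 permit ip source 172.17.0.134 0
 rule 59 permit tcp source-port eq 139
 rule 102 permit udp source-port eq snmp
 rule 104 permit ip source 172.16.39.128 0.0.0.63
acl number 3100
 rule 0 deny ospf
 rule 5 deny udp
 rule 10 deny ip
acl number 3199
 rule 0 deny ospf
 rule 5 deny udp
 rule 10 permit ip
local-user admin
 password simple cisco
interface Ethernet0/0
 firewall packet-filter 3001 inbound
 firewall packet-filter 3001 outbound
#
 snmp-agent community write cb@@@@@
 dialer-rule 1 acl 3100
 dialer-rule 2 acl 3199
user-interface vty 0 4
 set authentication password simple cisco
"""

PORT_NAMES = {"snmp": 161, "smtp": 25, "netbios-ssn": 139, "netbios-ns": 137}
# Subset of the advanced-ACL rule syntax used on the page: source wildcard and source-port only.
RULE_RE = re.compile(r"rule (\d+) (permit|deny) (\S+)(?: source (\S+) (\S+))?"
                     r"(?: source-port (eq|range) (\S+)(?: (\S+))?)?")
Rule = namedtuple("Rule", "number action proto src sports")   # src/sports None = any
Packet = namedtuple("Packet", "proto src sport", defaults=(None,))


def wildcard_to_network(addr, wildcard):
    """Comware wildcard mask: 1 bits are don't-care; a bare '0' means one host."""
    wild = int(IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    return IPv4Network((addr, 32 - wild.bit_length()), strict=False)


def parse_acls(config):
    """Collect 'acl number N' stanzas and their rules, keyed by ACL number."""
    acls, current = {}, None
    for line in config.splitlines():
        if line.startswith("acl number "):
            current = int(line.split()[2])
            acls[current] = []
        elif current is not None and line.startswith(" rule "):
            num, action, proto, addr, wild, op, p1, p2 = RULE_RE.match(line.strip()).groups()
            ports = None
            if op:                                   # eq PORT | range LOW HIGH (names allowed)
                lo = PORT_NAMES.get(p1) or int(p1)
                hi = (PORT_NAMES.get(p2) or int(p2)) if op == "range" else lo
                ports = range(lo, hi + 1)
            src = wildcard_to_network(addr, wild) if addr else None
            acls[current].append(Rule(int(num), action, proto, src, ports))
        elif not line.startswith(" "):
            current = None                           # '#' or the next stanza ends the ACL
    return acls


def acl_action(rules, pkt, default="permit"):
    """First matching rule wins, in rule-number order (the order on the page).
    `default` is the firewall default action, assumed permit as on Comware 5."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if r.src is not None and IPv4Address(pkt.src) not in r.src:
            continue
        if r.sports is not None and (pkt.sport is None or pkt.sport not in r.sports):
            continue
        return r.action
    return default


def audit(config):
    """Return the weak settings visible in the config as readable findings."""
    acls, findings = parse_acls(config), []
    default = "deny" if "\n firewall default deny" in config else "permit"
    for iface, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        for acl in sorted(set(re.findall(r"firewall packet-filter (\d+)", body))):
            if default == "permit" and not any(r.action == "deny" for r in acls.get(int(acl), [])):
                findings.append(f"{iface}: ACL {acl} has only permit rules and the firewall "
                                "default is permit, so it filters nothing")
    for group, acl in re.findall(r"dialer-rule (\d+) acl (\d+)", config):
        if not any(r.action == "permit" for r in acls.get(int(acl), [])):
            findings.append(f"dialer-group {group}: ACL {acl} permits nothing, so no traffic can trigger a call")
    findings += [f"clear-text secret: {l.strip()}" for l in config.splitlines()
                 if re.search(r"password .*\bsimple\b", l)]
    if "\n telnet server enable" in config:
        findings.append("telnet server enabled: management sessions travel in clear text")
    findings += [f"SNMP write community configured: {c}"
                 for c in re.findall(r"snmp-agent community write (\S+)", config)]
    return findings
```

Feed audit() the full dump to get all findings; acl_action() is also useful on its own to answer "would this packet get through Ethernet0/0" before and after adding firewall default deny (pass default="deny"). The parser covers only the rule forms that appear on this page (source wildcard, source-port eq/range, bare protocol); rules with destination or other qualifiers would need the regex extended.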
